ExtremeWare 7.3e Installation and User Guide - Extreme Networks
ExtremeWare 7.3e Installation and User Guide - Extreme Networks
ExtremeWare 7.3e Installation and User Guide - Extreme Networks
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong><br />
<strong>User</strong> <strong>Guide</strong><br />
Software Version <strong>7.3e</strong><br />
<strong>Extreme</strong> <strong>Networks</strong>, Inc.<br />
3585 Monroe Street<br />
Santa Clara, California 95051<br />
(888) 257-3000<br />
http://www.extremenetworks.com<br />
Published: March 18, 2005<br />
Part number: 100166-00 Rev 02
Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, <strong>Extreme</strong> Ethernet Everywhere, <strong>Extreme</strong> <strong>Networks</strong>,<br />
<strong>Extreme</strong> Turbodrive, <strong>Extreme</strong> Velocity, <strong><strong>Extreme</strong>Ware</strong>, <strong>Extreme</strong>Works, GlobalPx Content Director, the Go Purple <strong>Extreme</strong><br />
Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, <strong>and</strong> the Color Purple, among others, are trademarks<br />
or registered trademarks of <strong>Extreme</strong> <strong>Networks</strong>, Inc. or its subsidiaries in the United States <strong>and</strong> other countries. Other<br />
names <strong>and</strong> marks may be the property of their respective owners.<br />
© 2004 <strong>Extreme</strong> <strong>Networks</strong>, Inc. All Rights Reserved.<br />
Specifications are subject to change without notice.<br />
Adobe <strong>and</strong> Reader are registered trademarks of Adobe Systems Incorporated. NetWare <strong>and</strong> Novell are registered<br />
trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris is a trademark of Sun<br />
Microsystems, Inc. F5, BIG/ip, <strong>and</strong> 3DNS are registered trademarks of F5 <strong>Networks</strong>, Inc. see/IT is a trademark of F5<br />
<strong>Networks</strong>, Inc.<br />
“Data Fellows”, the triangle symbol, <strong>and</strong> Data Fellows product names <strong>and</strong> symbols/logos are<br />
trademarks of Data Fellows.<br />
F-Secure SSH is a registered trademark of Data Fellows.<br />
All other registered trademarks, trademarks <strong>and</strong> service marks are property of their respective owners.<br />
Authors: Hugh Bussell, Julie Laccabue, Megan Mahar, Jeanine Healy, Richard Small<br />
Production: Jeanine Healy<br />
2
Contents<br />
Preface<br />
Introduction 17<br />
Conventions 17<br />
Related Publications 18<br />
Using <strong><strong>Extreme</strong>Ware</strong> Publications Online 18<br />
Chapter 1<br />
<strong><strong>Extreme</strong>Ware</strong> Overview<br />
Summary of Features 23<br />
Virtual LANs (VLANs) 24<br />
Spanning Tree Protocol 24<br />
Quality of Service 25<br />
Unicast Routing 25<br />
For more information on IP unicast routing, see Chapter 17. 25<br />
IP Multicast Routing 25<br />
Load Sharing 25<br />
Software Licensing 25<br />
Router Licensing 26<br />
Security Licensing 27<br />
Software Factory Defaults 27<br />
Chapter 2<br />
Accessing the Switch<br />
Underst<strong>and</strong>ing the Comm<strong>and</strong> Syntax 29<br />
Syntax Helper 30<br />
Comm<strong>and</strong> Shortcuts 30<br />
Summit 300-48 Numerical Ranges 31<br />
Summit 200, Summit 300-24 <strong>and</strong> Summit 400 Numerical Ranges 31<br />
Names 31<br />
Symbols 31<br />
Limits 32<br />
Line-Editing Keys 32<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 3
Contents<br />
Comm<strong>and</strong> History 33<br />
Common Comm<strong>and</strong>s 33<br />
Configuring Management Access 35<br />
<strong>User</strong> Account 35<br />
Administrator Account 36<br />
Default Accounts 36<br />
Creating a Management Account 37<br />
Domain Name Service Client Services 38<br />
Checking Basic Connectivity 38<br />
Ping 38<br />
Traceroute 39<br />
Chapter 3<br />
Managing the Switch<br />
Overview 41<br />
Using the Console Interface 42<br />
Using the 10/100/1000 Ethernet Management Port (Summit 400 only) 42<br />
Using Telnet 42<br />
Connecting to Another Host Using Telnet 43<br />
Configuring Switch IP Parameters 43<br />
Disconnecting a Telnet Session 45<br />
Controlling Telnet Access 45<br />
Using Secure Shell 2 (SSH2) 46<br />
Using SNMP 46<br />
Enabling <strong>and</strong> Disabling SNMPv1/v2c <strong>and</strong> SNMPv3 46<br />
Accessing Switch Agents 47<br />
Supported MIBs 47<br />
Configuring SNMPv1/v2c Settings 47<br />
Displaying SNMP Settings 49<br />
SNMP Trap Groups 49<br />
SNMPv3 51<br />
SNMPv3 Overview 51<br />
Message Processing 52<br />
SNMPv3 Security 52<br />
MIB Access Control 55<br />
Notification 56<br />
Authenticating <strong>User</strong>s 58<br />
RADIUS Client 58<br />
TACACS+ 59<br />
Configuring RADIUS Client <strong>and</strong> TACACS+ 59<br />
Using Network Login 59<br />
Using the Simple Network Time Protocol 59<br />
4 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Contents<br />
Configuring <strong>and</strong> Using SNTP 59<br />
SNTP Example 62<br />
Using EAPOL Flooding 63<br />
Chapter 4<br />
Configuring Ports<br />
Port Numbering 65<br />
Summit 200, Summit 300-24, <strong>and</strong> Summit 400 Switches 65<br />
Summit 300-48 Switch 65<br />
Enabling <strong>and</strong> Disabling Switch Ports 66<br />
Configuring Switch Port Speed <strong>and</strong> Duplex Setting 66<br />
Turning Off Autonegotiation for a Gigabit Ethernet Port 67<br />
Turning Off Autopolarity Detection for an Ethernet Port—Summit 200 <strong>and</strong> Summit<br />
300-24 Switches Only 67<br />
Configuring Interpacket Gap for Gigabit Ethernet Ports—Summit 400 Switch Only 68<br />
Jumbo Frames—Summit 400 Switch Only 68<br />
Enabling Jumbo Frames 69<br />
Jumbo Frames Example 69<br />
Path MTU Discovery 69<br />
IP Fragmentation with Jumbo Frames 70<br />
IP Fragmentation within a VLAN 70<br />
Load Sharing on the Switch 71<br />
Dynamic Versus Static Load Sharing 71<br />
Load-Sharing Algorithm 71<br />
Configuring Switch Load Sharing 72<br />
Load Sharing Examples 74<br />
Verifying the Load-Sharing Configuration 74<br />
Switch Port-Mirroring 75<br />
Port-Mirroring Examples 76<br />
<strong>Extreme</strong> Discovery Protocol 76<br />
Software-Controlled Redundant Port <strong>and</strong> Smart Redundancy 77<br />
Software-Controlled Redundant Load-Shared Port Groups 78<br />
Limitations of Software-Controlled Redundant Ports <strong>and</strong> Port Groups 78<br />
Configuring Software-Controlled Redundant Ports 79<br />
Configuring Automatic Failover for Combination Ports 79<br />
Summit 200 Automatic Failover 79<br />
Summit 300 Automatic Failover 80<br />
Summit 400 Automatic Failover 80<br />
Automatic Failover Examples 81<br />
Chapter 5<br />
Virtual LANs (VLANs)<br />
Overview of Virtual LANs 83<br />
Benefits 83<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 5
Contents<br />
Types of VLANs 84<br />
Port-Based VLANs 84<br />
Tagged VLANs 86<br />
Protocol-Based VLANs—Summit 400 only 88<br />
Precedence of Tagged Packets Over Protocol Filters 90<br />
VLAN Names 90<br />
Default VLAN 91<br />
Renaming a VLAN 91<br />
Configuring VLANs on the Switch 91<br />
VLAN Configuration Examples 92<br />
Displaying VLAN Settings 93<br />
MAC-Based VLANs 93<br />
MAC-Based VLAN <strong>Guide</strong>lines 93<br />
MAC-Based VLAN Limitations 94<br />
MAC-Based VLAN Example 94<br />
Timed Configuration Download for MAC-Based VLANs 95<br />
Chapter 6<br />
Forwarding Database (FDB)<br />
Overview of the FDB 97<br />
FDB Contents 97<br />
How FDB Entries Get Added 97<br />
FDB Entry Types 98<br />
Disabling MAC Address Learning 99<br />
Associating QoS Profiles with an FDB Entry 99<br />
FDB Configuration Examples 100<br />
Displaying FDB Entries 101<br />
Chapter 7<br />
Quality of Service (QoS)<br />
Overview of Policy-Based Quality of Service 104<br />
Applications <strong>and</strong> Types of QoS 104<br />
Voice Applications 104<br />
Video Applications 104<br />
Critical Database Applications 105<br />
Web Browsing Applications 105<br />
File Server Applications 105<br />
Configuring QoS 106<br />
QoS Profiles 106<br />
Traffic Groupings 107<br />
IP-Based Traffic Groupings 108<br />
MAC-Based Traffic Groupings 108<br />
Explicit Class of Service (802.1p <strong>and</strong> DiffServ) Traffic Groupings 109<br />
6 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Contents<br />
Configuring DiffServ 111<br />
Verifying Configuration <strong>and</strong> Performance 113<br />
QoS Monitor 113<br />
Displaying QoS Profile Information 114<br />
Modifying a QoS Configuration 115<br />
Traffic Rate-Limiting 115<br />
Chapter 8<br />
Network Address Translation (NAT)<br />
Overview 117<br />
Internet IP Addressing 118<br />
Configuring VLANs for NAT 118<br />
NAT Modes 119<br />
Configuring NAT 120<br />
Creating NAT Rules 120<br />
Creating Static <strong>and</strong> Dynamic NAT Rules 120<br />
Creating Portmap NAT Rules 121<br />
Creating Auto-Constrain NAT Rules 121<br />
Advanced Rule Matching 122<br />
Configuring Time-outs 122<br />
Displaying NAT Settings 122<br />
Disabling NAT 123<br />
Chapter 9<br />
Status Monitoring <strong>and</strong> Statistics<br />
Status Monitoring 125<br />
Port Statistics 125<br />
Port Errors 126<br />
Port Monitoring Display Keys 127<br />
Setting the System Recovery Level 128<br />
Event Management System/Logging 128<br />
Sending Event Messages to Log Targets 129<br />
Filtering Events Sent to Targets 129<br />
Formatting Event Messages 135<br />
Displaying Real-Time Log Messages 136<br />
Displaying Events Logs 136<br />
Uploading Events Logs 137<br />
Displaying Counts of Event Occurrences 137<br />
Displaying Debug Information 138<br />
Compatibility with previous <strong><strong>Extreme</strong>Ware</strong> comm<strong>and</strong>s 139<br />
Logging Configuration Changes 140<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 7
Contents<br />
RMON 140<br />
About RMON 140<br />
RMON Features of the Switch 140<br />
Configuring RMON 141<br />
Event Actions 142<br />
Chapter 10<br />
Security<br />
Security Overview 143<br />
Network Access Security 143<br />
MAC-Based VLANs 144<br />
IP Access Lists (ACLs) 144<br />
Access Masks 144<br />
Access Lists 145<br />
Rate Limits 146<br />
How Access Control Lists Work 147<br />
Access Mask Precedence Numbers 147<br />
Specifying a Default Rule 147<br />
The permit-established Keyword 147<br />
Adding Access Mask, Access List, <strong>and</strong> Rate Limit Entries 147<br />
Deleting Access Mask, Access List, <strong>and</strong> Rate Limit Entries 148<br />
Verifying Access Control List Configurations 148<br />
Access Control List Examples 149<br />
MAC Address Security 153<br />
Limiting Dynamic MAC Addresses 153<br />
MAC Address Lock Down 155<br />
Network Login 156<br />
Web-Based <strong>and</strong> 802.1x Authentication 156<br />
Campus <strong>and</strong> ISP Modes 158<br />
Interoperability Requirements 158<br />
Multiple Supplicant Support 159<br />
Exclusions <strong>and</strong> Limitations 160<br />
Configuring Wired Network Login 160<br />
Configuring Wireless Network Login 161<br />
Web-Based Authentication <strong>User</strong> Login Using Campus Mode 163<br />
DHCP Server on the Switch 165<br />
Displaying DHCP Information 165<br />
Displaying Network Login Settings 165<br />
Disabling Network Login 165<br />
Additional Configuration Details 166<br />
Displaying Network Login Settings 167<br />
Wireless Network Login Considerations 167<br />
Trusted Organizational Unique Identifier 168<br />
Switch Protection 168<br />
8 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Contents<br />
Unified Access Security 168<br />
Wireless <strong>User</strong> Access Security 169<br />
Wireless <strong>User</strong> Access Security 169<br />
Network Security Policies for Wireless Interfaces 172<br />
Security Profiles 174<br />
Secure Web Login Access 174<br />
Creating Certificates <strong>and</strong> Private Keys 175<br />
Example Wireless Configuration Processes 177<br />
Wireless Management Configuration Example 178<br />
Security Configuration Examples 179<br />
Profile Assignment Example 194<br />
Switch Protection 195<br />
Routing Access Profiles 195<br />
Using Routing Access Profiles 195<br />
Creating an Access Profile 195<br />
Configuring an Access Profile Mode 195<br />
Adding an Access Profile Entry 196<br />
Deleting an Access Profile Entry 198<br />
Applying Access Profiles 198<br />
Routing Profiles for RIP 198<br />
Routing Access Profiles for OSPF 199<br />
Routing Access Profiles for PIM 201<br />
Denial of Service Protection 202<br />
Configuring Denial of Service Protection 202<br />
Enabling Denial of Service Protection 203<br />
Disabling Denial of Service Protection 204<br />
Displaying Denial of Service Settings 204<br />
How to Deploy DoS Protection 205<br />
configure cpu-dos-protect alert-threshold 205<br />
Blocking SQL Slammer DoS Attacks 206<br />
Improving Performance with Enhanced DoS Protection 206<br />
Duplicate IP Protection 210<br />
Management Access Security 211<br />
Authenticating <strong>User</strong>s Using RADIUS or TACACS+ 211<br />
RADIUS Client 211<br />
Configuring TACACS+ 217<br />
RADIUS Authentication Decoupling 217<br />
Secure Shell 2 (SSH2) 221<br />
Enabling SSH2 for Inbound Switch Access 222<br />
Using SCP2 from an External SSH2 Client 223<br />
SSH2 Client Functions on the Switch 224<br />
Unified Access MAC RADIUS 224<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 9
Contents<br />
Chapter 11<br />
Software Upgrade <strong>and</strong> Boot Options<br />
Downloading a New Image 225<br />
Selecting a Primary or a Secondary Image 226<br />
Underst<strong>and</strong>ing the Image Version String 226<br />
Software Signatures 228<br />
Rebooting the Switch 228<br />
Saving Configuration Changes 228<br />
Returning to Factory Defaults 229<br />
Using TFTP to Upload the Configuration 229<br />
Using TFTP to Download the Configuration 230<br />
Downloading a Complete Configuration 230<br />
Downloading an Incremental Configuration 230<br />
Scheduled Incremental Configuration Download 231<br />
Remember to Save 231<br />
Upgrading <strong>and</strong> Accessing BootROM 231<br />
Upgrading BootROM (Summit 200, Summit 300-24, Summit 400) 231<br />
Upgrading BootROM (Summit 300-48) 232<br />
Accessing the BootROM Menu 232<br />
Chapter 12<br />
Troubleshooting<br />
LEDs 235<br />
Cable Diagnostics 236<br />
Using the Comm<strong>and</strong>-Line Interface 237<br />
Port Configuration 238<br />
VLANs 239<br />
STP 240<br />
Debug Tracing/Debug Mode 240<br />
TOP Comm<strong>and</strong> 241<br />
System Odometer 241<br />
Reboot Loop Protection 241<br />
Minimal Mode 241<br />
Contacting <strong>Extreme</strong> Technical Support 242<br />
Chapter 13<br />
Ethernet Automatic Protection Switching<br />
Overview of the EAPS Protocol 245<br />
EAPS Terms 247<br />
Fault Detection <strong>and</strong> Recovery 248<br />
Link Down Message Sent by a Transit Node 249<br />
Ring Port Down Event Sent by Hardware Layer 249<br />
Polling 249<br />
10 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Contents<br />
Restoration Operations 249<br />
Summit “e” Series Switches in Multi-ring Topologies 250<br />
Configuring EAPS on a Switch 251<br />
Creating <strong>and</strong> Deleting an EAPS Domain 251<br />
Defining the EAPS Mode of the Switch 252<br />
Configuring EAPS Polling Timers 252<br />
Configuring the Primary <strong>and</strong> Secondary Ports 253<br />
Configuring the EAPS Control VLAN 253<br />
Configuring the EAPS Protected VLANs 254<br />
Enabling <strong>and</strong> Disabling an EAPS Domain 255<br />
Enabling <strong>and</strong> Disabling EAPS 255<br />
Unconfiguring an EAPS Ring Port 255<br />
Displaying EAPS Status Information 255<br />
Configuring EAPS Shared Ports 258<br />
Steady State 259<br />
Common Link Failures 260<br />
Multiple Common Link Failures 260<br />
Creating <strong>and</strong> Deleting a Shared Port 261<br />
Defining the Mode of the Shared Port 261<br />
Configuring the Link ID of the Shared Port 262<br />
Unconfiguring an EAPS Shared Port 262<br />
Displaying EAPS Shared-Port Status Information 262<br />
EAPS Shared Port Configuration Rules 263<br />
Chapter 14<br />
Spanning Tree Protocol (STP)<br />
Overview of the Spanning Tree Protocol 265<br />
Spanning Tree Domains 266<br />
STPD Modes 266<br />
Port Modes 267<br />
Rapid Root Failover 267<br />
STP Configurations 268<br />
Basic STP Configuration 268<br />
EMISTP <strong>and</strong> PVST+ Deployment Constraints 270<br />
Per-VLAN Spanning Tree 271<br />
Rapid Spanning Tree Protocol 271<br />
RSTP Terms 271<br />
RSTP Concepts 272<br />
RSTP Operation 274<br />
STP Rules <strong>and</strong> Restrictions 281<br />
Configuring STP on the Switch 281<br />
STP Configuration Examples 282<br />
Displaying STP Settings 283<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 11
Contents<br />
Chapter 15<br />
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Overview of ESRP 285<br />
Reasons to Use ESRP 285<br />
ESRP Terms 286<br />
ESRP Concepts 287<br />
ESRP-Aware Switches 287<br />
Linking ESRP Switches 288<br />
Determining the ESRP Master 288<br />
Master Switch Behavior 289<br />
Pre-Master Switch Behavior 289<br />
Slave Switch Behavior 289<br />
Electing the Master Switch 289<br />
Failover Time 290<br />
ESRP Election Algorithms 290<br />
Advanced ESRP Features 291<br />
ESRP Tracking 291<br />
ESRP Port Restart 295<br />
ESRP Host Attach 295<br />
ESRP Don’t Count 296<br />
ESRP Domains 296<br />
ESRP Groups 297<br />
Selective Forwarding 298<br />
Displaying ESRP Information 299<br />
Using ELRP with ESRP 300<br />
ELRP Terms 300<br />
Using ELRP with ESRP to Recover Loops 301<br />
Configuring ELRP 301<br />
Displaying ELRP Information 303<br />
ESRP Examples 303<br />
Single VLAN Using Layer 2 <strong>and</strong> Layer 3 Redundancy 303<br />
Multiple VLANs Using Layer 2 Redundancy 305<br />
ESRP Cautions 306<br />
Configuring ESRP <strong>and</strong> Multinetting 306<br />
ESRP <strong>and</strong> Spanning Tree 306<br />
Chapter 16<br />
Virtual Router Redundancy Protocol<br />
Overview 307<br />
Determining the VRRP Master 308<br />
VRRP Tracking 308<br />
Electing the Master Router 311<br />
Additional VRRP Highlights 311<br />
VRRP Port Restart 312<br />
12 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Contents<br />
VRRP Operation 312<br />
Simple VRRP Network Configuration 312<br />
Fully-Redundant VRRP Network 313<br />
VRRP Configuration Parameters 315<br />
VRRP Examples 316<br />
Configuring the Simple VRRP Network 316<br />
Configuring the Fully-Redundant VRRP Network 317<br />
Chapter 17<br />
IP Unicast Routing<br />
Overview of IP Unicast Routing 319<br />
Router Interfaces 320<br />
Populating the Routing Table 321<br />
Subnet-Directed Broadcast Forwarding 322<br />
Proxy ARP 322<br />
ARP-Incapable Devices 323<br />
Proxy ARP Between Subnets 323<br />
Relative Route Priorities 323<br />
Configuring IP Unicast Routing 324<br />
Verifying the IP Unicast Routing Configuration 325<br />
Routing Configuration Example 325<br />
ICMP Packet Processing 326<br />
Configuring DHCP/BOOTP Relay 327<br />
Configuring the DHCP Relay Agent Option (Option 82) 328<br />
Verifying the DHCP/BOOTP Relay Configuration 328<br />
UDP-Forwarding 329<br />
Configuring UDP-Forwarding 329<br />
UDP-Forwarding Example 329<br />
UDP Echo Server 330<br />
Chapter 18<br />
Interior Gateway Protocols<br />
Overview 332<br />
RIP Versus OSPF 332<br />
Overview of RIP 333<br />
Routing Table 333<br />
Split Horizon 333<br />
Poison Reverse 333<br />
Triggered Updates 334<br />
Route Advertisement of VLANs 334<br />
RIP Version 1 Versus RIP Version 2 334<br />
Overview of OSPF 334<br />
Link-State Database 335<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 13
Contents<br />
Areas 336<br />
Point-to-Point Support 339<br />
Route Re-Distribution 340<br />
Configuring Route Re-Distribution 340<br />
RIP Configuration Example 341<br />
Configuring OSPF 342<br />
Configuring OSPF Wait Interval 342<br />
OSPF Configuration Example 343<br />
Configuration for ABR1 344<br />
Configuration for IR1 344<br />
Displaying OSPF Settings 345<br />
OSPF LSDB Display 345<br />
Authentication 345<br />
Summarizing Level 1 IP Routing Information 346<br />
Filtering Level 1 IP Routing Information 346<br />
Originating Default Route 346<br />
Overload Bit 346<br />
Default Routes to Nearest Level 1/2 Switch for Level 1 Only Switches 347<br />
Chapter 19<br />
IP Multicast Routing<br />
IP Multicast Routing Overview 349<br />
PIM Sparse Mode (PIM-SM) Overview 350<br />
Configuring PIM-SM 350<br />
Enabling <strong>and</strong> Disabling PIM-SM 351<br />
IGMP Overview 352<br />
IGMP Snooping 352<br />
Static IGMP 352<br />
IGMP Snooping Filters 353<br />
Multicast Tools 353<br />
Mrinfo 353<br />
Mtrace 354<br />
Configuring IP Multicasting Routing 354<br />
Example—Configuration for IR1 354<br />
Chapter 20<br />
Wireless Networking<br />
Overview of Wireless Networking 359<br />
Summary of Wireless Features 360<br />
Wireless Devices 360<br />
Altitude Antennas 361<br />
Bridging 361<br />
Managing the Altitude 300 362<br />
14 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Contents<br />
Wireless Show Comm<strong>and</strong>s 362<br />
Configuring RF Properties 363<br />
Creating an RF Profile 363<br />
Deleting an RF Profile 364<br />
Configuring an RF Profile 364<br />
Viewing RF Profile Properties 365<br />
Configuring RF Monitoring 366<br />
AP Detection 367<br />
Performing Client Scanning 370<br />
Enabling <strong>and</strong> Disabling Client Scanning 370<br />
Configuring Client Scanning 370<br />
Viewing Client Scanning Properties <strong>and</strong> Results 371<br />
Collecting Client History Statistics 372<br />
Client Current State 372<br />
Client History Information 373<br />
Client Aging 375<br />
Configuring Wireless Switch Properties 375<br />
Configuring Country Codes 375<br />
Configuring the Default Gateway 376<br />
Configuring the Management VLAN 376<br />
Configuring Wireless Ports 377<br />
Enabling <strong>and</strong> Disabling Wireless Ports 377<br />
Configuring Wireless Port Properties 377<br />
Configuring Wireless Interfaces 378<br />
Enabling <strong>and</strong> Disabling Wireless Interfaces 378<br />
Configuring Wireless Interfaces 378<br />
Configuring Inter-Access Point Protocol (IAPP) 380<br />
Event Logging <strong>and</strong> Reporting 380<br />
Enabling SVP to Support Voice Over IP 381<br />
Chapter 21<br />
Power Over Ethernet<br />
Overview 383<br />
Summary of PoE Features 383<br />
Port Power Management384<br />
Port Power Operator Limit 384<br />
Power Budget Management 384<br />
Port Power Events 387<br />
Supporting Legacy Devices on the Summit 300-24 388<br />
Using Power Supplies 388<br />
Per-Port LEDs 391<br />
Configuring Power Over Ethernet 391<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 15
Contents<br />
Controlling <strong>and</strong> Monitoring System <strong>and</strong> Slot Power 392<br />
Controlling <strong>and</strong> Monitoring Port Power 394<br />
Chapter A<br />
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
<strong><strong>Extreme</strong>Ware</strong> Vista Overview 403<br />
Setting Up Your Browser 403<br />
Accessing <strong><strong>Extreme</strong>Ware</strong> Vista 404<br />
Navigating within <strong><strong>Extreme</strong>Ware</strong> Vista 406<br />
Browser Controls 407<br />
Status Messages 407<br />
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
IP Forwarding 408<br />
License 409<br />
OSPF 410<br />
Ports 415<br />
RIP 417<br />
SNMP 419<br />
Spanning Tree 420<br />
Switch 423<br />
<strong>User</strong> Accounts 424<br />
Virtual LAN 425<br />
Access List 427<br />
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports 429<br />
Event Log 430<br />
FDB 431<br />
IP ARP 432<br />
IP Configuration 433<br />
IP Route 435<br />
IP Statistics 436<br />
Ports 439<br />
Port Collisions 440<br />
Port Errors 441<br />
Port Utilization 441<br />
RIP 442<br />
Switch 443<br />
Locating Support Information 444<br />
Help 445<br />
TFTP Download 445<br />
Logging Out of <strong><strong>Extreme</strong>Ware</strong> Vista 448<br />
Appendix B<br />
Technical Specifications<br />
Supported Protocols, MIBs, <strong>and</strong> St<strong>and</strong>ards 449<br />
16 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Preface<br />
This preface provides an overview of this guide, describes guide conventions, <strong>and</strong> lists other<br />
publications that might be useful.<br />
Introduction<br />
This guide provides the required information to configure <strong><strong>Extreme</strong>Ware</strong> ® software running on the<br />
Summit 200, Summit 300 or Summit 400 family of switches from <strong>Extreme</strong> <strong>Networks</strong>.<br />
This guide is intended for use by network administrators who are responsible for installing <strong>and</strong> setting<br />
up network equipment. It assumes a basic working knowledge of:<br />
• Local area networks (LANs)<br />
• Ethernet concepts<br />
• Ethernet switching <strong>and</strong> bridging concepts<br />
• Routing concepts<br />
• Internet Protocol (IP) concepts<br />
• Routing Information Protocol (RIP) <strong>and</strong> Open Shortest Path First (OSPF).<br />
• IP Multicast concepts<br />
• Protocol Independent Multicast (PIM) concepts<br />
• Simple Network Management Protocol (SNMP)<br />
NOTE<br />
If the information in the release notes shipped with your switch differs from the information in this guide,<br />
follow the release notes.<br />
Conventions<br />
Table 1 <strong>and</strong> Table 2 list conventions that are used throughout this guide.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 17
Preface<br />
Table 1: Notice Icons<br />
Icon Notice Type Alerts you to...<br />
Note<br />
Important features or instructions.<br />
Caution<br />
Risk of personal injury, system damage, or loss of data.<br />
Warning<br />
Risk of severe personal injury.<br />
Table 2: Text Conventions<br />
Convention<br />
Screen displays<br />
The words “enter”<br />
<strong>and</strong> “type”<br />
[Key] names<br />
Words in italicized type<br />
Description<br />
This typeface indicates comm<strong>and</strong> syntax, or represents information as it appears on the<br />
screen.<br />
When you see the word “enter” in this guide, you must type something, <strong>and</strong> then press<br />
the Return or Enter key. Do not press the Return or Enter key when an instruction<br />
simply says “type.”<br />
Key names are written with brackets, such as [Return] or [Esc].<br />
If you must press two or more keys simultaneously, the key names are linked with a<br />
plus sign (+). Example:<br />
Press [Ctrl]+[Alt]+[Del].<br />
Italics emphasize a point or denote new terms at the place where they are defined in<br />
the text.<br />
Related Publications<br />
The publications related to this one are:<br />
• <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Release Notes<br />
• <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong><br />
Documentation for <strong>Extreme</strong> <strong>Networks</strong> products is available on the World Wide Web at the following<br />
location:<br />
http://www.extremenetworks.com/<br />
Using <strong><strong>Extreme</strong>Ware</strong> Publications Online<br />
You can access <strong><strong>Extreme</strong>Ware</strong> publications by downloading them from the <strong>Extreme</strong> <strong>Networks</strong> World<br />
Wide Web location or from your <strong><strong>Extreme</strong>Ware</strong> product CD. Publications are provided in Adobe ®<br />
Portable Document Format (PDF). Displaying or printing PDF files requires that your computer be<br />
equipped with Adobe ® Reader ® software, which is available free of charge from Adobe Systems<br />
Incorporated.<br />
18 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Related Publications<br />
The following two <strong><strong>Extreme</strong>Ware</strong> publications are available as PDF files that are designed to be used<br />
online together:<br />
• <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong><br />
• <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong><br />
The user guide PDF file provides links that connect you directly to relevant comm<strong>and</strong> information in<br />
the comm<strong>and</strong> reference guide PDF file. This quick-referencing capability enables you to easily find<br />
detailed information in the comm<strong>and</strong> reference guide for any comm<strong>and</strong> mentioned in the user guide.<br />
To ensure that the quick-referencing feature functions properly, follow these steps:<br />
1 Download both the user guide PDF file <strong>and</strong> the comm<strong>and</strong> reference guide PDF file to the same<br />
destination directory on your computer.<br />
2 You may open one or both PDF files <strong>and</strong> to enable cross-referenced linking between the user guide<br />
<strong>and</strong> comm<strong>and</strong> reference guide; however, it is recommended that for ease of use, you keep both files<br />
open concurrently on your computer desktop.<br />
NOTE<br />
If you activate a cross-referencing link from the <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> PDF file to the comm<strong>and</strong><br />
reference PDF file when the comm<strong>and</strong> reference PDF file is closed (that is, not currently open on your<br />
computer desktop), the system will close the user guide PDF file <strong>and</strong> open the comm<strong>and</strong> reference PDF<br />
file. To keep both PDF files open when you activate a cross-reference link, open both PDF files before<br />
using the link.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 19
Preface<br />
20 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Part 1<br />
Using <strong><strong>Extreme</strong>Ware</strong>
1 <strong><strong>Extreme</strong>Ware</strong> Overview<br />
This chapter covers the following topics:<br />
• Summary of Features on page 23<br />
• Software Factory Defaults on page 27<br />
<strong><strong>Extreme</strong>Ware</strong> is the full-featured software operating system that is designed to run on the <strong>Extreme</strong><br />
<strong>Networks</strong> families of modular <strong>and</strong> st<strong>and</strong>-alone Gigabit Ethernet switches.<br />
NOTE<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> only supports <strong>Extreme</strong> <strong>Networks</strong> products that contain the “e” series chipset. The<br />
Summit “e” series platforms are comprised of the Summit 200, Summit 300 <strong>and</strong> Summit 400 switches.<br />
Summary of Features<br />
The features of <strong><strong>Extreme</strong>Ware</strong> include:<br />
• Virtual local area networks (VLANs) including support for IEEE 802.1Q <strong>and</strong> IEEE 802.1p<br />
• Spanning Tree Protocol (STP) (IEEE 802.1D) with multiple STP domains<br />
• Quality of Service (QoS) including support for IEEE 802.1P, MAC QoS, <strong>and</strong> eight hardware queues<br />
on the Summit 300-24 <strong>and</strong> Summit 400 switches. There are four hardware queues available on the<br />
Summit 200 <strong>and</strong> Summit 300-48 switches.<br />
• Policy-Based Quality of Service (PB-QoS)<br />
• Wire-speed Internet Protocol (IP) routing<br />
• Network Address Translation (NAT)<br />
• <strong>Extreme</strong> St<strong>and</strong>by Router Protocol (ESRP)<br />
• Ethernet Automated Protection Switching (EAPS) support<br />
• Jumbo frame support<br />
• DHCP/BOOTP Relay<br />
• Virtual Router Redundancy Protocol (VRRP)<br />
• Routing Information Protocol (RIP) version 1 <strong>and</strong> RIP version 2<br />
• Open Shortest Path First (OSPF) routing protocol<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 23
<strong><strong>Extreme</strong>Ware</strong> Overview<br />
• Wire-speed IP multicast routing support<br />
• Ethernet Automated Protection Switching (EAPS) support<br />
• Simple Network Time Protocol (SNTP)<br />
• Diffserv support<br />
• Access-policy support for routing protocols<br />
• Access list support for packet filtering<br />
• Access list support for rate-limiting<br />
• IGMP snooping to control IP multicast traffic<br />
• Protocol Independent Multicast-Sparse Mode (PIM-SM)<br />
• Load sharing on multiple ports, across all blades (modular switches only)<br />
• RADIUS client <strong>and</strong> per-comm<strong>and</strong> authentication support<br />
• TACACS+ support<br />
• Console comm<strong>and</strong> line interface (CLI) connection<br />
• Telnet CLI connection<br />
• SSH2 connection<br />
• <strong><strong>Extreme</strong>Ware</strong> Vista Web-based management interface<br />
• Simple Network Management Protocol (SNMP) support<br />
• Remote Monitoring (RMON)<br />
• Traffic mirroring for ports by port number<br />
• Network Login—Web<br />
• Network Login—IEEE 802.1X<br />
Virtual LANs (VLANs)<br />
<strong><strong>Extreme</strong>Ware</strong> has a VLAN feature that enables you to construct your broadcast domains without being<br />
restricted by physical connections. A VLAN is a group of location- <strong>and</strong> topology-independent devices<br />
that communicate as if they were on the same physical local area network (LAN).<br />
Implementing VLANs on your network has the following three advantages:<br />
• VLANs help to control broadcast traffic. If a device in VLAN Marketing transmits a broadcast frame,<br />
only VLAN Marketing devices receive the frame.<br />
• VLANs provide extra security. Devices in VLAN Marketing can only communicate with devices on<br />
VLAN Sales using routing services.<br />
• VLANs ease the change <strong>and</strong> movement of devices on networks.<br />
For more information on VLANs, see Chapter 5.<br />
Spanning Tree Protocol<br />
The Summit “e” series switches support the IEEE 802.1D Spanning Tree Protocol (STP), which is a<br />
bridge-based mechanism for providing fault tolerance on networks. STP enables you to implement<br />
parallel paths for network traffic, <strong>and</strong> ensure that:<br />
• Redundant paths are disabled when the main paths are operational.<br />
24 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Software Licensing<br />
• Redundant paths are enabled if the main traffic paths fail.<br />
A single spanning tree can span multiple VLANs.<br />
For more information on STP, see Chapter 14.<br />
Quality of Service<br />
<strong><strong>Extreme</strong>Ware</strong> has Policy-Based Quality of Service (QoS) features that enable you to specify service levels<br />
for different traffic groups. By default, all traffic is assigned the normal QoS policy profile. If needed,<br />
you can create other QoS policies <strong>and</strong> apply them to different traffic types so that they have different<br />
guaranteed minimum b<strong>and</strong>width, maximum b<strong>and</strong>width, <strong>and</strong> priority.<br />
For more information on Quality of Service, see Chapter 7.<br />
Unicast Routing<br />
The switch can route IP traffic between the VLANs that are configured as virtual router interfaces. Both<br />
dynamic <strong>and</strong> static IP routes are maintained in the routing table. The following routing protocols are<br />
supported:<br />
• RIP version 1<br />
• RIP version 2<br />
• OSPF version 2<br />
For more information on IP unicast routing, see Chapter 17.<br />
IP Multicast Routing<br />
The switch can use IP multicasting to allow a single IP host to transmit a packet to a group of IP hosts.<br />
<strong><strong>Extreme</strong>Ware</strong> supports multicast routes that are learned by way of the Protocol Independent Multicast<br />
(sparse mode).<br />
For more information on IP multicast routing, see Chapter 19.<br />
Load Sharing<br />
Load sharing allows you to increase b<strong>and</strong>width <strong>and</strong> resiliency by using a group of ports to carry traffic<br />
in parallel between systems. The load sharing algorithm allows the switch to use multiple ports as a<br />
single logical port. For example, VLANs see the load-sharing group as a single virtual port. The<br />
algorithm also guarantees packet sequencing within the defined flow.<br />
For information on load sharing, see Chapter 4.<br />
Software Licensing<br />
Some <strong>Extreme</strong> <strong>Networks</strong> products have capabilities that are enabled by using a license key. Keys are<br />
typically unique to the switch, <strong>and</strong> are not transferable. Keys are stored in NVRAM <strong>and</strong>, once entered,<br />
persist through reboots, software upgrades, <strong>and</strong> reconfigurations. The following sections describe the<br />
features that are associated with license keys.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 25
<strong><strong>Extreme</strong>Ware</strong> Overview<br />
Router Licensing<br />
Some switches support software licensing for different levels of router functionality. In <strong><strong>Extreme</strong>Ware</strong> for<br />
“e” series switches, routing protocol support is separated into two sets: Edge <strong>and</strong> Advanced Edge. Edge<br />
is a subset of Advanced Edge.<br />
Edge Functionality<br />
Edge functionality requires no license key. <strong>Extreme</strong> switches that ship with an Edge license, do not<br />
require a license key. Edge functionality includes all switching functions, <strong>and</strong> also includes all available<br />
layer 3 QoS, access list, <strong>and</strong> ESRP functions. L3 routing functions include support for:<br />
• IP routing using RIP version 1 <strong>and</strong>/or RIP version 2<br />
• IP routing between directly attached VLANs<br />
• IP routing using static routes<br />
• Layer 3 QoS<br />
• Access Lists, except rate limiting<br />
• Network Login, both web-based <strong>and</strong> 802.1X<br />
• EAPS-Edge<br />
• ESRP-aware<br />
Advanced Edge Functionality<br />
The Advanced Edge license enables support of additional routing protocols <strong>and</strong> functions, including:<br />
• IP routing using OSPF<br />
• IP multicast routing using PIM (Sparse Mode)<br />
• NAT<br />
• VRRP<br />
• Rate Limiting<br />
• ESRP/ELRP<br />
• Cable Diagnostics<br />
• Wireless<br />
Product Support<br />
Summit “e” series switches can support Advanced Edge functionality. However, these switches are<br />
enabled <strong>and</strong> shipped with an Edge license.<br />
Verifying the Router License<br />
To verify the router license, use the show switch comm<strong>and</strong>.<br />
Obtaining an Advanced Edge License Voucher<br />
You can order the desired functionality from the factory, using the appropriate model of the desired<br />
product. If you order licensing from the factory, the license arrives in a separate package from the<br />
switch. After the license key is installed, it should not be necessary to enter the information again.<br />
However, we recommend keeping the certificate for your records.<br />
26 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Software Factory Defaults<br />
You can upgrade the router licensing of an existing product by purchasing a voucher for the desired<br />
product <strong>and</strong> functionality. Please contact your supplier to purchase a voucher.<br />
The voucher contains information <strong>and</strong> instructions on obtaining a license key for the switch using the<br />
<strong>Extreme</strong> <strong>Networks</strong> Support website at:<br />
http://www.extremenetworks.com/support/techsupport.asp<br />
or by phoning <strong>Extreme</strong> <strong>Networks</strong> Technical Support at:<br />
• (800) 998-2408<br />
• (408) 579-2826<br />
Security Licensing<br />
Certain additional <strong><strong>Extreme</strong>Ware</strong> security features, such as the use of Secure Shell (SSH2) encryption,<br />
may be under United States export restriction control. <strong>Extreme</strong> <strong>Networks</strong> ships these security features in<br />
a disabled state. You can obtain information on enabling these features at no charge from <strong>Extreme</strong><br />
<strong>Networks</strong>.<br />
Obtaining a Security License<br />
To obtain information on enabling features that require export restriction, access the <strong>Extreme</strong> <strong>Networks</strong><br />
Support website at:<br />
http://www.extremenetworks.com/go/security.htm<br />
Fill out a contact form to indicate compliance or noncompliance with the export restrictions. If you are<br />
in compliance, you will be given information that will allow you to enable security features.<br />
Security Features Under License Control<br />
All versions of <strong><strong>Extreme</strong>Ware</strong> for “e” series support the SSH2 protocol. SSH2 allows the encryption of<br />
Telnet session data between an SSH2 client <strong>and</strong> an <strong>Extreme</strong> <strong>Networks</strong> switch. <strong><strong>Extreme</strong>Ware</strong> version 6.2.1<br />
<strong>and</strong> later also enables the switch to function as an SSH2 client, sending encrypted data to an SSH2<br />
server on a remote system. <strong><strong>Extreme</strong>Ware</strong> for “e” series also supports the Secure Copy Protocol (SCP).<br />
The encryption methods used are under U.S. export restriction control.<br />
Software Factory Defaults<br />
Table 3 shows factory defaults for global <strong><strong>Extreme</strong>Ware</strong> features.<br />
Table 3: <strong><strong>Extreme</strong>Ware</strong> Global Factory Defaults<br />
Item<br />
Serial or Telnet user account<br />
Web network management<br />
Telnet<br />
SSH2<br />
SNMP<br />
SNMP read community string<br />
Default Setting<br />
admin with no password <strong>and</strong> user with no password<br />
Enabled<br />
Enabled<br />
Disabled<br />
Enabled<br />
public<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 27
<strong><strong>Extreme</strong>Ware</strong> Overview<br />
Table 3: <strong><strong>Extreme</strong>Ware</strong> Global Factory Defaults (Continued)<br />
Item<br />
SNMP write community string<br />
RMON<br />
BOOTP<br />
QoS<br />
QoS monitoring<br />
private<br />
Disabled<br />
Enabled on the default VLAN (default)<br />
All traffic is part of the default queue<br />
Automatic roving<br />
802.1p priority Recognition enabled<br />
802.3x flow control Enabled on Gigabit Ethernet ports<br />
Virtual LANs<br />
Three VLANs predefined. VLAN named default contains all<br />
ports <strong>and</strong> belongs to the STPD named s0. VLAN mgmt<br />
exists only on switches that have an Ethernet management<br />
port, <strong>and</strong> contains only that port. The Ethernet<br />
management port is DTE only, <strong>and</strong> is not capable of<br />
switching or routing. VLAN MacVLanDiscover is used only<br />
when using the MAC VLAN feature.<br />
802.1Q tagging All packets are untagged on the default VLAN (default).<br />
Spanning Tree Protocol<br />
Forwarding database aging period<br />
IP Routing<br />
RIP<br />
OSPF<br />
IP multicast routing<br />
IGMP<br />
IGMP snooping<br />
PIM-SM<br />
NTP<br />
DNS<br />
Port mirroring<br />
MPLS<br />
Default Setting<br />
Disabled for the switch; enabled for each port in the STPD.<br />
300 seconds (5 minutes)<br />
Disabled<br />
Disabled<br />
Disabled<br />
Disabled<br />
Enabled<br />
Enabled<br />
Disabled<br />
Disabled<br />
Disabled<br />
Disabled<br />
Disabled<br />
NOTE<br />
For default settings of individual <strong><strong>Extreme</strong>Ware</strong> features, see the individual chapters in this guide.<br />
28 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
2 Accessing the Switch<br />
This chapter covers the following topics:<br />
• Underst<strong>and</strong>ing the Comm<strong>and</strong> Syntax on page 29<br />
• Line-Editing Keys on page 32<br />
• Comm<strong>and</strong> History on page 33<br />
• Common Comm<strong>and</strong>s on page 33<br />
• Configuring Management Access on page 35<br />
• Domain Name Service Client Services on page 38<br />
• Checking Basic Connectivity on page 38<br />
Underst<strong>and</strong>ing the Comm<strong>and</strong> Syntax<br />
This section describes the steps to take when entering a comm<strong>and</strong>. Refer to the sections that follow for<br />
detailed information on using the comm<strong>and</strong> line interface.<br />
<strong><strong>Extreme</strong>Ware</strong> comm<strong>and</strong> syntax is described in detail in the <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
Some comm<strong>and</strong>s are also described in this user guide, in order to describe how to use the features of<br />
the <strong><strong>Extreme</strong>Ware</strong> software. However, only a subset of comm<strong>and</strong>s are described here, <strong>and</strong> in some cases<br />
only a subset of the options that a comm<strong>and</strong> supports. The <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong><br />
should be considered the definitive source for information on <strong><strong>Extreme</strong>Ware</strong> comm<strong>and</strong>s.<br />
When entering a comm<strong>and</strong> at the prompt, ensure that you have the appropriate privilege level. Most<br />
configuration comm<strong>and</strong>s require you to have the administrator privilege level. To use the comm<strong>and</strong> line<br />
interface (CLI), follow these steps:<br />
1 Enter the comm<strong>and</strong> name.<br />
If the comm<strong>and</strong> does not include a parameter or values, skip to step 3. If the comm<strong>and</strong> requires<br />
more information, continue to step 2.<br />
2 If the comm<strong>and</strong> includes a parameter, enter the parameter name <strong>and</strong> values.<br />
3 The value part of the comm<strong>and</strong> specifies how you want the parameter to be set. Values include<br />
numerics, strings, or addresses, depending on the parameter.<br />
4 After entering the complete comm<strong>and</strong>, press [Return].<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 29
Accessing the Switch<br />
NOTE<br />
If an asterisk (*) appears in front of the comm<strong>and</strong>-line prompt, it indicates that you have outst<strong>and</strong>ing<br />
configuration changes that have not been saved. For more information on saving configuration changes,<br />
see “Saving Configuration Changes” on page 228.<br />
Syntax Helper<br />
The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular comm<strong>and</strong>,<br />
enter as much of the comm<strong>and</strong> as possible <strong>and</strong> press [Tab]. The syntax helper provides a list of options<br />
for the remainder of the comm<strong>and</strong>, <strong>and</strong> places the cursor at the end of the comm<strong>and</strong> you have entered<br />
so far, ready for the next option.<br />
If the comm<strong>and</strong> is one where the next option is a named component, such as a VLAN, access profile, or<br />
route map, the syntax helper will also list any currently configured names that might be used as the<br />
next option. In situations where this list might be very long, the syntax helper will list only one line of<br />
names, followed by an ellipses to indicate that there are more names than can be displayed.<br />
The syntax helper also provides assistance if you have entered an incorrect comm<strong>and</strong>.<br />
Abbreviated Syntax<br />
Abbreviated syntax is the shortest unambiguous allowable abbreviation of a comm<strong>and</strong> or parameter.<br />
Typically, this is the first three letters of the comm<strong>and</strong>. If you do not enter enough letters to allow the<br />
switch to determine which comm<strong>and</strong> you mean, the syntax helper will provide a list of the options<br />
based on the portion of the comm<strong>and</strong> you have entered.<br />
NOTE<br />
When using abbreviated syntax, you must enter enough characters to make the comm<strong>and</strong> unambiguous<br />
<strong>and</strong> distinguishable to the switch.<br />
Comm<strong>and</strong> Shortcuts<br />
All named components of the switch configuration must have a unique name. Components are typically<br />
named using one of the create comm<strong>and</strong>s. When you enter a comm<strong>and</strong> to configure a named<br />
component, you do not need to use the keyword of the component. For example, to create a VLAN, you<br />
must enter a unique VLAN name:<br />
create vlan engineering<br />
After you have created the VLAN with a unique name, you can then eliminate the keyword vlan from<br />
all other comm<strong>and</strong>s that require the name to be entered. For example, instead of entering the following<br />
comm<strong>and</strong> on a Summit 300 switch:<br />
configure vlan engineering delete port 1:3,4:6<br />
you could enter the following shortcut:<br />
configure engineering delete port 1:3,4:6<br />
Similarly, on a Summit 200 or Summit 300 switch, instead of entering the comm<strong>and</strong><br />
configure vlan engineering delete port 1-3,6<br />
30 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Underst<strong>and</strong>ing the Comm<strong>and</strong> Syntax<br />
you could enter the following shortcut:<br />
configure engineering delete port 1-3,6<br />
Summit 300-48 Numerical Ranges<br />
Comm<strong>and</strong>s that require you to enter one or more port numbers use the parameter in the<br />
syntax. A can be one port on a particular slot. For example,<br />
port 1:1<br />
A can be a range of numbers. For example,<br />
port 1:1-1:3<br />
You can add additional slot <strong>and</strong> port numbers to the list, separated by a comma:<br />
port 1:1,1:8,1:10<br />
You can specify all ports on a particular slot. For example,<br />
port 1:*<br />
indicates all ports on slot 13.<br />
You can specify a range of slots <strong>and</strong> ports. For example,<br />
port 1:3-2:5<br />
indicates slot 1, port 3 through slot 2, port 5.<br />
Summit 200, Summit 300-24 <strong>and</strong> Summit 400 Numerical Ranges<br />
Comm<strong>and</strong>s that require you to enter one or more port numbers on either Summit 200, Summit 300-24,<br />
or Summit 400 switches use the parameter in the syntax. A portlist can be a range of<br />
numbers, for example:<br />
port 1-3<br />
You can add additional port numbers to the list, separated by a comma:<br />
port 1-3,6,8<br />
Names<br />
All named components of the switch configuration must have a unique name. Names must begin with<br />
an alphabetical character <strong>and</strong> are delimited by whitespace, unless enclosed in quotation marks. Names<br />
are not case-sensitive. Names cannot be tokens used on the switch.<br />
Symbols<br />
You may see a variety of symbols shown as part of the comm<strong>and</strong> syntax. These symbols explain how to<br />
enter the comm<strong>and</strong>, <strong>and</strong> you do not type them as part of the comm<strong>and</strong> itself. Table 4 summarizes<br />
comm<strong>and</strong> syntax symbols.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 31
Accessing the Switch<br />
Table 4: Comm<strong>and</strong> Syntax Symbols<br />
Symbol<br />
angle brackets < ><br />
square brackets [ ]<br />
vertical bar |<br />
braces { }<br />
Description<br />
Enclose a variable or value. You must specify the variable or value. For example, in the<br />
syntax<br />
configure vlan ipaddress <br />
you must supply a VLAN name for <strong>and</strong> an address for <br />
when entering the comm<strong>and</strong>. Do not type the angle brackets.<br />
Enclose a required value or list of required arguments. One or more values or arguments<br />
can be specified. For example, in the syntax<br />
use image [primary | secondary]<br />
you must specify either the primary or secondary image when entering the comm<strong>and</strong>. Do<br />
not type the square brackets.<br />
Separates mutually exclusive items in a list, one of which must be entered. For example, in<br />
the syntax<br />
configure snmp community [read-only | read-write] <br />
you must specify either the read or write community string in the comm<strong>and</strong>. Do not type the<br />
vertical bar.<br />
Enclose an optional value or a list of optional arguments. One or more values or arguments<br />
can be specified. For example, in the syntax<br />
reboot { | cancel}<br />
you can specify either a particular date <strong>and</strong> time combination, or the keyword cancel to<br />
cancel a previously scheduled reboot. If you do not specify an argument, the comm<strong>and</strong> will<br />
prompt, asking if you want to reboot the switch now. Do not type the braces.<br />
Limits<br />
The comm<strong>and</strong> line can process up to 200 characters, including spaces. If you enter more than 200<br />
characters, the switch generates a stack overflow error <strong>and</strong> processes the first 200 characters.<br />
Line-Editing Keys<br />
Table 5 describes the line-editing keys available using the CLI.<br />
Table 5: Line-Editing Keys<br />
Key(s)<br />
Backspace<br />
Delete or [Ctrl] + D<br />
[Ctrl] + K<br />
Insert<br />
Left Arrow<br />
Right Arrow<br />
Home or [Ctrl] + A<br />
End or [Ctrl] + E<br />
Description<br />
Deletes character to left of cursor <strong>and</strong> shifts remainder of line to left.<br />
Deletes character under cursor <strong>and</strong> shifts remainder of line to left.<br />
Deletes characters from under cursor to end of line.<br />
Toggles on <strong>and</strong> off. When toggled on, inserts text <strong>and</strong> shifts previous<br />
text to right.<br />
Moves cursor to left.<br />
Moves cursor to right.<br />
Moves cursor to first character in line.<br />
Moves cursor to last character in line.<br />
32 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Comm<strong>and</strong> History<br />
Table 5: Line-Editing Keys (Continued)<br />
Key(s)<br />
[Ctrl] + L<br />
[Ctrl] + P or<br />
Up Arrow<br />
[Ctrl] + N or<br />
Down Arrow<br />
[Ctrl] + U<br />
[Ctrl] + W<br />
Description<br />
Clears screen <strong>and</strong> movers cursor to beginning of line.<br />
Displays previous comm<strong>and</strong> in comm<strong>and</strong> history buffer <strong>and</strong> places cursor at end of<br />
comm<strong>and</strong>.<br />
Displays next comm<strong>and</strong> in comm<strong>and</strong> history buffer <strong>and</strong> places cursor at end of comm<strong>and</strong>.<br />
Clears all characters typed from cursor to beginning of line.<br />
Deletes previous word.<br />
Comm<strong>and</strong> History<br />
<strong><strong>Extreme</strong>Ware</strong> “remembers” the last 49 comm<strong>and</strong>s you entered. You can display a list of these<br />
comm<strong>and</strong>s by using the following comm<strong>and</strong>:<br />
history<br />
Common Comm<strong>and</strong>s<br />
Table 6 describes some of the common comm<strong>and</strong>s used to manage the switch. Comm<strong>and</strong>s specific to a<br />
particular feature may also be described in other chapters of this guide. For a detailed description of the<br />
comm<strong>and</strong>s <strong>and</strong> their options, see the <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
Table 6: Common Comm<strong>and</strong>s<br />
Comm<strong>and</strong><br />
clear session <br />
configure account <br />
{encrypted} {}<br />
configure banner<br />
configure banner netlogin<br />
configure ports [ | all |<br />
mgmt] auto off {speed [10 | 100 |<br />
1000]} duplex [half | full]<br />
configure ssh2 key {pregenerated}<br />
Description<br />
Terminates a Telnet session from the switch.<br />
Configures a user account password.<br />
The switch will interactively prompt for a new password, <strong>and</strong><br />
for reentry of the password to verify it. Passwords must have<br />
a minimum of 1 character <strong>and</strong> can have a maximum of 30<br />
characters. Passwords are case-sensitive; user names are<br />
not case sensitive.<br />
Configures the banner string. You can enter up to 24 rows<br />
of 79-column text that is displayed before the login prompt of<br />
each session. Press [Return] at the beginning of a line to<br />
terminate the comm<strong>and</strong> <strong>and</strong> apply the banner. To clear the<br />
banner, press [Return] at the beginning of the first line.<br />
Configures the network login banner string. You can enter<br />
up to 1024 characters to be displayed before the login<br />
prompt of each session.<br />
Manually configures the port speed <strong>and</strong> duplex setting of<br />
one or more ports on a switch.<br />
Generates the SSH2 host key.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 33
Accessing the Switch<br />
Table 6: Common Comm<strong>and</strong>s (Continued)<br />
Comm<strong>and</strong><br />
configure sys-recovery-level [none |<br />
[all | critical] [ reboot ]]<br />
configure time <br />
configure timezone {name<br />
} <br />
{autodst {name }<br />
{} {begins [every<br />
| on ] {at<br />
} {ends [every<br />
| on ] {at<br />
}}} | noautodst}<br />
configure vlan ipaddress<br />
{ | }<br />
create account [admin | user]<br />
{encrypted} {}<br />
create vlan <br />
delete account <br />
delete vlan<br />
disable bootp vlan [ |<br />
all]<br />
disable cli-config-logging<br />
disable clipaging<br />
disable idletimeouts<br />
disable ports [ | all<br />
|{vlan} ]<br />
disable ssh2<br />
disable telnet<br />
disable web<br />
enable bootp vlan [ | all]<br />
enable cli-config-logging<br />
Description<br />
Configures a recovery option for instances where an<br />
exception occurs in <strong><strong>Extreme</strong>Ware</strong>.<br />
• none — Recovery without system reboot.<br />
• critical — <strong><strong>Extreme</strong>Ware</strong> logs an error to the syslog,<br />
<strong>and</strong> reboots the system after critical exceptions.<br />
• all — <strong><strong>Extreme</strong>Ware</strong> logs an error to the syslog, <strong>and</strong><br />
reboots the system after any exception.<br />
The default setting is none.<br />
Configures the system date <strong>and</strong> time. The format is as<br />
follows:<br />
mm/dd/yyyy hh:mm:ss<br />
The time uses a 24-hour clock format. You cannot set the<br />
year past 2036.<br />
Configures the time zone information to the configured offset<br />
from GMT time. The format of gmt_offset is +/- minutes<br />
from GMT time. The autodst <strong>and</strong> noautodst options<br />
enable <strong>and</strong> disable automatic Daylight Saving Time change<br />
based on the North American st<strong>and</strong>ard.<br />
Additional options are described in the <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong><br />
Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
Configures an IP address <strong>and</strong> subnet mask for a VLAN.<br />
Creates a user account. This comm<strong>and</strong> is available to<br />
admin-level users <strong>and</strong> to users with RADIUS comm<strong>and</strong><br />
authorization. The username is between 1 <strong>and</strong> 30<br />
characters, the password is between 0 <strong>and</strong> 30 characters.<br />
Creates a VLAN.<br />
Deletes a user account.<br />
Deletes a VLAN.<br />
Disables BOOTP for one or more VLANs.<br />
Disables logging of CLI comm<strong>and</strong>s to the Syslog.<br />
Disables pausing of the screen display when a show<br />
comm<strong>and</strong> output reaches the end of the page.<br />
Disables the timer that disconnects all sessions. Once<br />
disabled, console sessions remain open until the switch is<br />
rebooted or you logoff. Telnet sessions remain open until<br />
you close the Telnet client.<br />
Disables a port on the switch.<br />
Disables SSH2 Telnet access to the switch.<br />
Disables Telnet access to the switch.<br />
Disables web access to the switch.<br />
Enables BOOTP for one or more VLANs.<br />
Enables the logging of CLI configuration comm<strong>and</strong>s to the<br />
Syslog for auditing purposes. The default setting is enabled.<br />
34 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Management Access<br />
Table 6: Common Comm<strong>and</strong>s (Continued)<br />
Comm<strong>and</strong><br />
enable clipaging<br />
enable idletimeouts<br />
enable license [ advanced-edge ]<br />
<br />
enable ssh2 {access-profile [ | none]} {port<br />
}<br />
enable telnet {access-profile<br />
[ | none]} {port<br />
}<br />
enable web {access-profile<br />
[ | none]} {port<br />
}<br />
history<br />
show banner<br />
unconfigure switch {all}<br />
Description<br />
Enables pausing of the screen display when show<br />
comm<strong>and</strong> output reaches the end of the page. The default<br />
setting is enabled.<br />
Enables a timer that disconnects all sessions (both Telnet<br />
<strong>and</strong> console) after 20 minutes of inactivity. The default<br />
setting is disabled.<br />
Enables a particular software feature license. Specify<br />
as an integer.<br />
The comm<strong>and</strong> unconfigure switch {all} does not<br />
clear licensing information. This license cannot be disabled<br />
once it is enabled on the switch.<br />
Enables SSH2 sessions. By default, SSH2 is enabled with<br />
no access profile, <strong>and</strong> uses TCP port number 22. To cancel<br />
a previously configured access-profile, use the none option.<br />
Enables Telnet access to the switch. By default, Telnet is<br />
enabled with no access profile, <strong>and</strong> uses TCP port number<br />
23. To cancel a previously configured access-profile, use the<br />
none option.<br />
Enables <strong><strong>Extreme</strong>Ware</strong> Vista web access to the switch. By<br />
default, web access is enabled with no access profile, using<br />
TCP port number 80. Use the none option to cancel a<br />
previously configured access-profile.<br />
Displays the previous 49 comm<strong>and</strong>s entered on the switch.<br />
Displays the user-configured banner.<br />
Resets all switch parameters (with the exception of defined<br />
user accounts, <strong>and</strong> date <strong>and</strong> time information) to the factory<br />
defaults.<br />
If you specify the keyword all, the switch erases the<br />
currently selected configuration image in flash memory <strong>and</strong><br />
reboots. As a result, all parameters are reset to default<br />
settings.<br />
Configuring Management Access<br />
<strong><strong>Extreme</strong>Ware</strong> supports the following two levels of management:<br />
• <strong>User</strong><br />
• Administrator<br />
In addition to the management levels, you can optionally use an external RADIUS server to provide CLI<br />
comm<strong>and</strong> authorization checking for each comm<strong>and</strong>. For more information on RADIUS, see “RADIUS<br />
Client” in Chapter 3.<br />
<strong>User</strong> Account<br />
A user-level account has viewing access to all manageable parameters, with the exception of:<br />
• <strong>User</strong> account database.<br />
• SNMP community strings.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 35
Accessing the Switch<br />
A user-level account can use the ping comm<strong>and</strong> to test device reachability, <strong>and</strong> change the password<br />
assigned to the account name. If you have logged on with user capabilities, the comm<strong>and</strong>-line prompt<br />
ends with a (>) sign. For example:<br />
Summit200-24:2><br />
Administrator Account<br />
An administrator-level account can view <strong>and</strong> change all switch parameters. It can also add <strong>and</strong> delete<br />
users, <strong>and</strong> change the password associated with any account name. The administrator can disconnect a<br />
management session that has been established by way of a Telnet connection. If this happens, the user<br />
logged on by way of the Telnet connection is notified that the session has been terminated.<br />
If you have logged on with administrator capabilities, the comm<strong>and</strong>-line prompt ends with a (#) sign.<br />
For example:<br />
Summit200-24:18#<br />
Prompt Text<br />
The prompt text is taken from the SNMP sysname setting. The number that follows the colon indicates<br />
the sequential line/comm<strong>and</strong> number.<br />
If an asterisk (*) appears in front of the comm<strong>and</strong>-line prompt, it indicates that you have outst<strong>and</strong>ing<br />
configuration changes that have not been saved. For example:<br />
*Summit400-48:19#<br />
Default Accounts<br />
By default, the switch is configured with two accounts, as shown in Table 7.<br />
Table 7: Default Accounts<br />
Account Name<br />
admin<br />
user<br />
Access Level<br />
This user can access <strong>and</strong> change all manageable parameters. The admin account cannot<br />
be deleted.<br />
This user can view (but not change) all manageable parameters, with the following<br />
exceptions:<br />
• This user cannot view the user account database.<br />
• This user cannot view the SNMP community strings.<br />
Changing the Default Password<br />
Default accounts do not have passwords assigned to them. Passwords can have a minimum of zero<br />
characters <strong>and</strong> can have a maximum of 30 characters.<br />
NOTE<br />
Passwords are case-sensitive; user names are not case-sensitive.<br />
To add a password to the default admin account, follow these steps:<br />
36 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Management Access<br />
1 Log in to the switch using the name admin.<br />
2 At the password prompt, press [Return].<br />
3 Add a default admin password by entering the following comm<strong>and</strong>:<br />
configure account admin<br />
4 Enter the new password at the prompt.<br />
5 Re-enter the new password at the prompt.<br />
To add a password to the default user account, follow these steps:<br />
1 Log in to the switch using the name admin.<br />
2 At the password prompt, press [Return], or enter the password that you have configured for the<br />
admin account.<br />
3 Add a default user password by entering the following comm<strong>and</strong>:<br />
configure account user<br />
4 Enter the new password at the prompt.<br />
5 Re-enter the new password at the prompt.<br />
NOTE<br />
If you forget your password while logged out of the comm<strong>and</strong> line interface, contact your local technical<br />
support representative, who will advise on your next course of action.<br />
Creating a Management Account<br />
The switch can have a total of 16 management accounts. You can use the default names (admin <strong>and</strong><br />
user), or you can create new names <strong>and</strong> passwords for the accounts. Passwords can have a minimum of<br />
0 characters <strong>and</strong> can have a maximum of 30 characters.<br />
To create a new account, follow these steps:<br />
1 Log in to the switch as admin.<br />
2 At the password prompt, press [Return], or enter the password that you have configured for the<br />
admin account.<br />
3 Add a new user by using the following comm<strong>and</strong>:<br />
create account [admin | user] <br />
4 Enter the password at the prompt.<br />
Viewing Accounts<br />
To view the accounts that have been created, you must have administrator privileges. Use the following<br />
comm<strong>and</strong> to see the accounts:<br />
show accounts<br />
Deleting an Account<br />
To delete a account, you must have administrator privileges. To delete an account, use the following<br />
comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 37
Accessing the Switch<br />
delete account <br />
NOTE<br />
Do not delete the default administrator account. If you do, it is automatically restored, with no password,<br />
the next time you download a configuration. To ensure security, change the password on the default<br />
account, but do not delete it. The changed password will remain intact through configuration uploads<br />
<strong>and</strong> downloads. If you must delete the default account, first create another administrator-level account.<br />
Remember to manually delete the default account again every time you download a configuration.<br />
Domain Name Service Client Services<br />
The Domain Name Service (DNS) client in <strong><strong>Extreme</strong>Ware</strong> augments the following comm<strong>and</strong>s to allow<br />
them to accept either IP addresses or host names:<br />
• telnet<br />
• download bootrom<br />
• download configuration<br />
• download image<br />
• upload configuration<br />
• ping<br />
• traceroute<br />
In addition, the nslookup utility can be used to return the IP address of a hostname.<br />
You can specify up to eight DNS servers for use by the DNS client using the following comm<strong>and</strong>:<br />
configure dns-client add <br />
You can specify a default domain for use when a host name is used without a domain. Use the<br />
following comm<strong>and</strong>:<br />
configure dns-client default-domain <br />
For example, if you specify the domain “xyz-inc.com” as the default domain, then a comm<strong>and</strong> such as<br />
ping accounting1 will be taken as if it had been entered ping accounting1.xyz-inc.com.<br />
Checking Basic Connectivity<br />
The switch offers the following comm<strong>and</strong>s for checking basic connectivity:<br />
• ping<br />
• traceroute<br />
Ping<br />
The ping comm<strong>and</strong> enables you to send Internet Control Message Protocol (ICMP) echo messages to a<br />
remote IP device. The ping comm<strong>and</strong> is available for both the user <strong>and</strong> administrator privilege level.<br />
38 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Checking Basic Connectivity<br />
The ping comm<strong>and</strong> syntax is:<br />
ping {udp} {continuous} {start-size {-
Accessing the Switch<br />
40 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
3 Managing the Switch<br />
This chapter covers the following topics:<br />
• Overview on page 41<br />
• Using the Console Interface on page 42<br />
• Using the 10/100/1000 Ethernet Management Port (Summit 400 only) on page 42<br />
• Using Telnet on page 42<br />
• Using Secure Shell 2 (SSH2) on page 46<br />
• Using SNMP on page 46<br />
• Authenticating <strong>User</strong>s on page 58<br />
• Using Network Login on page 59<br />
• Using the Simple Network Time Protocol on page 59<br />
Overview<br />
Using <strong><strong>Extreme</strong>Ware</strong>, you can manage the switch using the following methods:<br />
• Access the CLI by connecting a terminal (or workstation with terminal-emulation software) to the<br />
console port.<br />
• Access the switch remotely using TCP/IP through one of the switch ports or through the dedicated<br />
10/100/1000 unshielded twisted pair (UTP) Ethernet management port (on switches that are so<br />
equipped). Remote access includes:<br />
— Telnet using the CLI interface.<br />
— SSH2 using the CLI interface.<br />
— <strong><strong>Extreme</strong>Ware</strong> Vista web access using a st<strong>and</strong>ard web browser.<br />
— SNMP access using EPICenter or another SNMP manager.<br />
• Download software updates <strong>and</strong> upgrades. For more information, see Chapter 11, Software Upgrade<br />
<strong>and</strong> Boot Options.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 41
Managing the Switch<br />
The switch supports up to the following number of concurrent user sessions:<br />
• One console session<br />
• Eight Telnet sessions<br />
• Eight SSH2 sessions<br />
• One web session<br />
Using the Console Interface<br />
The CLI built into the switch is accessible by way of the 9-pin, RS-232 port labeled console. The console<br />
is located on the front of Summit “e” series switches. For more information on the console port pinouts,<br />
see the Consolidated “e” Series Hardware <strong>Installation</strong> <strong>Guide</strong>.<br />
After the connection has been established, you will see the switch prompt <strong>and</strong> you can log in.<br />
Using the 10/100/1000 Ethernet Management Port<br />
(Summit 400 only)<br />
The Summit 400 provides a dedicated 10/100/1000 Ethernet management port. This port, located on the<br />
back panel of the Summit 400, provides dedicated remote access to the switch using TCP/IP. It supports<br />
the following management methods:<br />
Telnet using the CLI interface<br />
• <strong><strong>Extreme</strong>Ware</strong> Vista web access using a st<strong>and</strong>ard web browser<br />
• SNMP access using EPICenter or another SNMP manager<br />
The management port is a DTE port, <strong>and</strong> is not capable of supporting switching or routing functions.<br />
The TCP/IP configuration for the management port is done using the same syntax as used for VLAN<br />
configuration. The VLAN mgmt comes pre configured with only the 10/100/1000 UTP management<br />
port as a member.<br />
You can configure the IP address, subnet mask, <strong>and</strong> default router for the VLAN mgmt, using the<br />
configure vlan ipaddress <strong>and</strong> the configure iproute add default comm<strong>and</strong>s:<br />
for example:<br />
configure vlan mgmt ipaddress 105.211.39.55/24<br />
configure iproute add default 123.45.67.1<br />
Using Telnet<br />
Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP<br />
network using VT-100 terminal emulation.<br />
Up to eight active Telnet sessions can access the switch concurrently. If idletimeouts are enabled, the<br />
Telnet connection will time out after 20 minutes of inactivity. If a connection to a Telnet session is lost<br />
inadvertently, the switch terminates the session within two hours.<br />
42 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using Telnet<br />
Before you can start a Telnet session, you must set up the IP parameters described in “Configuring<br />
Switch IP Parameters” later in this chapter. Telnet is enabled by default.<br />
NOTE<br />
Maximize the Telnet screen so that automatically updating screens display correctly.<br />
To open the Telnet session, you must specify the IP address of the device that you want to manage.<br />
Check the user manual supplied with the Telnet facility if you are unsure of how to do this.<br />
After the connection is established, you will see the switch prompt <strong>and</strong> you may log in.<br />
Connecting to Another Host Using Telnet<br />
You can Telnet from the current CLI session to another host using the following comm<strong>and</strong>:<br />
telnet [ | ] {}<br />
If the TCP port number is not specified, the Telnet session defaults to port 23. Only VT100 emulation is<br />
supported.<br />
Configuring Switch IP Parameters<br />
To manage the switch by way of a Telnet connection or by using an SNMP Network Manager, you must<br />
first configure the switch IP parameters.<br />
Using a BOOTP Server<br />
If you are using IP <strong>and</strong> you have a Bootstrap Protocol (BOOTP) server set up correctly on your network,<br />
you must provide the following information to the BOOTP server:<br />
• Switch Media Access Control (MAC) address, found on the rear label of the switch, or from a show<br />
switch comm<strong>and</strong><br />
• IP address<br />
• Subnet address mask (optional)<br />
After this is done, the IP address <strong>and</strong> subnet mask for the switch will be downloaded automatically.<br />
You can then start managing the switch using this addressing information without further<br />
configuration.<br />
You can enable BOOTP on a per-VLAN basis by using the following comm<strong>and</strong>:<br />
enable bootp vlan [ | all]<br />
By default, BOOTP is enabled on the default VLAN.<br />
To enable the forwarding of BOOTP <strong>and</strong> Dynamic Host Configuration Protocol (DHCP) requests, use<br />
the following comm<strong>and</strong>:<br />
enable bootprelay<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 43
Managing the Switch<br />
If you configure the switch to use BOOTP, the switch IP address is not retained through a power cycle,<br />
even if the configuration has been saved. To retain the IP address through a power cycle, you must<br />
configure the IP address of the VLAN using the comm<strong>and</strong>-line interface, Telnet, or web interface.<br />
All VLANs within a switch that are configured to use BOOTP to get their IP address use the same MAC<br />
address. Therefore, if you are using BOOTP relay through a router, the BOOTP server relays packets<br />
based on the gateway portion of the BOOTP packet.<br />
NOTE<br />
For more information on DHCP/BOOTP relay, see Chapter 17.<br />
Manually Configuring the IP Settings<br />
If you are using IP without a BOOTP server, you must enter the IP parameters for the switch in order<br />
for the SNMP Network Manager, Telnet software, or web interface to communicate with the device. To<br />
assign IP parameters to the switch, you must perform the following tasks:<br />
• Log in to the switch with administrator privileges using the console interface.<br />
• Assign an IP address <strong>and</strong> subnet mask to a VLAN.<br />
The switch comes configured with a default VLAN named default. To use Telnet or an SNMP<br />
Network Manager, you must have at least one VLAN on the switch, <strong>and</strong> it must be assigned an IP<br />
address <strong>and</strong> subnet mask. IP addresses are always assigned to each VLAN. The switch can be<br />
assigned multiple IP addresses.<br />
NOTE<br />
For information on creating <strong>and</strong> configuring VLANs, see Chapter 5.<br />
To manually configure the IP settings, follow these steps:<br />
1 Connect a terminal or workstation running terminal-emulation software to the console port, as<br />
detailed in “Using the Console Interface” on page 42.<br />
2 At your terminal, press [Return] one or more times until you see the login prompt.<br />
3 At the login prompt, enter your user name <strong>and</strong> password. Note that they are both case-sensitive.<br />
Ensure that you have entered a user name <strong>and</strong> password with administrator privileges.<br />
— If you are logging in for the first time, use the default user name admin to log in with<br />
administrator privileges. For example:<br />
login: admin<br />
Administrator capabilities enable you to access all switch functions. The default user names have<br />
no passwords assigned.<br />
— If you have been assigned a user name <strong>and</strong> password with administrator privileges, enter them at<br />
the login prompt.<br />
4 At the password prompt, enter the password <strong>and</strong> press [Return].<br />
When you have successfully logged in to the switch, the comm<strong>and</strong>-line prompt displays the name of<br />
the switch in its prompt.<br />
5 Assign an IP address <strong>and</strong> subnetwork mask for the default VLAN by using the following comm<strong>and</strong>:<br />
configure vlan ipaddress { | }<br />
For example:<br />
44 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using Telnet<br />
configure vlan default ipaddress 123.45.67.8 255.255.255.0<br />
Your changes take effect immediately.<br />
NOTE<br />
As a general rule, when configuring any IP addresses for the switch, you can express a subnet mask<br />
by using dotted decimal notation, or by using classless inter-domain routing notation (CIDR). CIDR<br />
uses a forward slash plus the number of bits in the subnet mask. Using CIDR notation, the<br />
comm<strong>and</strong> identical to the one above would be:<br />
configure vlan default ipaddress 123.45.67.8 / 24<br />
6 Configure the default route for the switch using the following comm<strong>and</strong>:<br />
configure iproute add default {}<br />
For example:<br />
configure iproute add default 123.45.67.1<br />
7 Save your configuration changes so that they will be in effect after the next switch reboot, by using<br />
the following comm<strong>and</strong>:<br />
save configuration {primary | secondary}<br />
8 When you are finished using the facility, log out of the switch by typing:<br />
logout or quit<br />
Disconnecting a Telnet Session<br />
An administrator-level account can disconnect a Telnet management session. If this happens, the user<br />
logged in by way of the Telnet connection is notified that the session has been terminated.<br />
To terminate a Telnet session, follow these steps:<br />
1 Log in to the switch with administrator privileges.<br />
2 Determine the session number of the session you want to terminate by using the following<br />
comm<strong>and</strong>:<br />
show management<br />
3 Terminate the session by using the following comm<strong>and</strong>:<br />
clear session <br />
Controlling Telnet Access<br />
By default, Telnet services are enabled on the switch. Telnet access can be restricted by the use of an<br />
access profile. An access profile permits or denies a named list of IP addresses <strong>and</strong> subnet masks. To<br />
configure Telnet to use an access profile, use the following comm<strong>and</strong>:<br />
enable telnet {access-profile [ | none]} {port }<br />
Use the none option to remove a previously configured access profile.<br />
To display the status of Telnet, use the following comm<strong>and</strong>:<br />
show management<br />
You can choose to disable Telnet by using the following comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 45
Managing the Switch<br />
disable telnet<br />
To re-enable Telnet on the switch, at the console port use the following:<br />
enable telnet {access-profile [ | none]} {port }<br />
You must be logged in as an administrator to enable or disable Telnet.<br />
NOTE<br />
For more information on Access Profiles, see Chapter 10.<br />
Using Secure Shell 2 (SSH2)<br />
Secure Shell 2 (SSH2) is a feature of <strong><strong>Extreme</strong>Ware</strong> that allows you to encrypt Telnet session data<br />
between a network administrator using SSH2 client software <strong>and</strong> the switch, or to send encrypted data<br />
from the switch to an SSH2 client on a remote system. Image <strong>and</strong> configuration files may also be<br />
transferred to the switch using the Secure Copy Protocol 2 (SCP2). The <strong><strong>Extreme</strong>Ware</strong> CLI provides a<br />
comm<strong>and</strong> that enable the switch to function as an SSH2 client, sending comm<strong>and</strong>s to a remote system<br />
via an SSH2 session. It also provides comm<strong>and</strong>s to copy image <strong>and</strong> configuration files to the switch<br />
using the SCP2.<br />
For detailed information about SSH2 <strong>and</strong> SCP2, see Chapter 10, “Security”.<br />
Using SNMP<br />
Any Network Manager running the Simple Network Management Protocol (SNMP) can manage the<br />
switch, provided the Management Information Base (MIB) is installed correctly on the management<br />
station. Each Network Manager provides its own user interface to the management facilities.<br />
The following sections describe how to get started if you want to use an SNMP manager. It assumes<br />
you are already familiar with SNMP management. If not, refer to the following publication:<br />
The Simple Book<br />
by Marshall T. Rose<br />
ISBN 0-13-8121611-9<br />
Published by Prentice Hall.<br />
Enabling <strong>and</strong> Disabling SNMPv1/v2c <strong>and</strong> SNMPv3<br />
<strong><strong>Extreme</strong>Ware</strong> versions since 7.2e can concurrently support SNMPv1/v2c <strong>and</strong> SNMPv3. The default for<br />
the switch is to have both types of SNMP enabled. Network managers can access the device with either<br />
SNMPv1/v2c methods or SNMPv3. To enable concurrent support, use the following comm<strong>and</strong>:<br />
enable snmp access<br />
To prevent any type of SNMP access, use the following comm<strong>and</strong>:<br />
disable dhcp ports vlan <br />
46 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using SNMP<br />
To prevent access using SNMPv1/v2c methods <strong>and</strong> allow access using SNMPv3 methods only, use the<br />
following comm<strong>and</strong>s:<br />
enable snmp access<br />
disable snmp access {snmp-v1v2c}<br />
There is no way to configure the switch to allow SNMPv1/v2c access <strong>and</strong> prevent SNMPv3 access.<br />
Most of the comm<strong>and</strong>s that support SNMPv1/v2c use the keyword snmp, most of the comm<strong>and</strong>s that<br />
support SNMPv3 use the keyword snmpv3.<br />
Accessing Switch Agents<br />
To have access to the SNMP agent residing in the switch, at least one VLAN must have an IP address<br />
assigned to it.<br />
By default, SNMP access <strong>and</strong> SNMPv1/v2c traps are enabled. SNMP access <strong>and</strong> SNMP traps can be<br />
disabled <strong>and</strong> enabled independently—you can disable SNMP access but still allow SNMP traps to be<br />
sent, or vice versa.<br />
Supported MIBs<br />
In addition to private MIBs, the switch supports the st<strong>and</strong>ard MIBs listed in Appendix B.<br />
NOTE<br />
The SNMP ifAdminStatus MIB value is not saved after a reboot. Ports set to down in the SNMP<br />
ifAdminStatus MIB come back after rebooting. However, if you save the configuration using the CLI or<br />
SNMP after changing the port status to down in the ifAdminStatus MIB, then the change is saved after<br />
a reboot.<br />
Configuring SNMPv1/v2c Settings<br />
The following SNMPv1/v2c parameters can be configured on the switch:<br />
• Authorized trap receivers—An authorized trap receiver can be one or more network management<br />
stations on your network. The switch sends SNMPv1/v2c traps to all trap receivers. You can have a<br />
maximum of 16 trap receivers configured for each switch, <strong>and</strong> you can specify a community string<br />
<strong>and</strong> UDP port for individually for each trap receiver. All community strings must also be added to<br />
the switch using the configure snmp add community comm<strong>and</strong>.<br />
To configure a trap receiver on a switch, use the following comm<strong>and</strong>:<br />
configure snmp add trapreceiver {port } community {hex } {from } {mode [enhanced | st<strong>and</strong>ard]}<br />
trap-group {auth-traps{,}} {extreme-traps{,}} {link-up-down-traps{,}}<br />
{ospf-traps{,} {ping-traceroute-traps{,}} {rmon-traps{,}} {security-traps{,}}<br />
{smart-traps{,}} {stp-traps{,}} {system-traps{,}} {vrrp-traps{,}}<br />
See the Comm<strong>and</strong> Reference for a listing of the available traps.<br />
You can delete a trap receiver using the configure snmp delete trapreceiver [{<br />
{port }} | {all}] comm<strong>and</strong>.<br />
Entries in the trap receiver list can also be created, modified, <strong>and</strong> deleted using the RMON2<br />
trapDestTable MIB variable, as described in RFC 2021.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 47
Managing the Switch<br />
• SNMP read access—The ability to read SNMP information can be restricted through the use of an<br />
access profile. An access profile permits or denies a named list of IP addresses <strong>and</strong> subnet masks.<br />
To configure SNMPv1/v2c read access to use an access profile, use the following comm<strong>and</strong>:<br />
configure snmp access-profile readonly [ | none]<br />
Use the none option to remove a previously configured access profile.<br />
• SNMP read/write access—The ability to read <strong>and</strong> write SNMP information can be restricted through<br />
the use of an access profile. An access profile permits or denies a named list of IP addresses <strong>and</strong><br />
subnet masks.<br />
To configure SNMPv1/v2c read/write access to use an access profile, use the following comm<strong>and</strong>:<br />
configure snmp access-profile readwrite [ | none]<br />
Use the none option to remove a previously configured access-profile.<br />
• Community strings—The community strings allow a simple method of authentication between the<br />
switch <strong>and</strong> the remote Network Manager. There are three types of community strings on “e” series<br />
switches:<br />
— Read community strings provide read-only access to the switch. The default read-only<br />
community string is public.<br />
— Read-write community strings provide read <strong>and</strong> write access to the switch. The default<br />
read-write community string is private.<br />
— Encrypted community strings provide encryption <strong>and</strong> are only used when uploading or<br />
downloading a configuration.<br />
To configure a community string, use the following comm<strong>and</strong>:<br />
configure snmp add community [readonly | readwrite] {encrypted} <br />
• System contact (optional)—The system contact is a text field that enables you to enter the name of<br />
the person(s) responsible for managing the switch.<br />
To configure this optional field, enter this comm<strong>and</strong>:<br />
configure snmp syscontact <br />
• System name—The system name is the name that you have assigned to this switch. The default<br />
name is the model name of the switch (for example, Summit200 switch).<br />
To configure the system name, enter this comm<strong>and</strong>:<br />
configure snmp sysname <br />
• System location (optional)—Using the system location field, you can enter an optional location for<br />
this switch.<br />
To configure the system location, enter this comm<strong>and</strong>:<br />
configure snmp syslocation <br />
• Enabling/disabling link up <strong>and</strong> link down traps (optional)—By default, link up <strong>and</strong> link down<br />
traps (also called port-up-down traps) are enabled on the switch for all ports. SNMPv1 traps for link<br />
up <strong>and</strong> link down are not supported; <strong><strong>Extreme</strong>Ware</strong> uses SNMPv2 traps.<br />
You can disable or re-enable the sending of these traps on a per port basis, by using the following<br />
comm<strong>and</strong>s:<br />
disable snmp traps port-up-down ports [all | mgmt | ]<br />
enable snmp traps {port-up-down ports [all | mgmt | ]}<br />
The mgmt option will only appear on platforms having a management port.<br />
48 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using SNMP<br />
• Enabling/disabling MAC-security traps (optional)—MAC-security traps are sent on ports when<br />
limit-learning is configured <strong>and</strong> a new MAC address appears on the port after the port has already<br />
learned MAC addresses up to the configured limit. At such instants, a log message is generated in<br />
the syslog, a trap is sent out <strong>and</strong> the port is blackholed. By default, MAC-security traps are disabled<br />
on the switch. To enable or re-disable them, the following comm<strong>and</strong>s must be used:<br />
enable snmp traps mac-security<br />
disable snmp traps mac-security<br />
• Enabling/disabling cable diagnostics—These diagnostic comm<strong>and</strong>s allow you to find problems<br />
with Ethernet cables. For full details on using this feature, see “Cable Diagnostics” on page 236.<br />
NOTE<br />
To configure learning limits on a set of ports, the comm<strong>and</strong> configure ports limit-learning can<br />
be used.<br />
Displaying SNMP Settings<br />
To display the SNMP settings configured on the switch, use the following comm<strong>and</strong>:<br />
show management<br />
This comm<strong>and</strong> displays the following information:<br />
• Enable/disable state for Telnet, SSH2, SNMP, <strong>and</strong> web access, along with access profile information<br />
• SNMP community strings<br />
• Authorized SNMP station list<br />
• SNMP MAC-security traps<br />
• Link up/ link down traps enabled on ports<br />
• SNMP trap receiver list<br />
• SNMP trap groups<br />
• RMON polling configuration<br />
• Login statistics<br />
• Enable/disable status of link up <strong>and</strong> link down traps<br />
• Enable/disable status of MAC-security traps<br />
• CLI idle timeouts<br />
• CLI paging<br />
• CLI configuration logging<br />
• CLI prompt number<br />
SNMP Trap Groups<br />
SNMP trap groups allow you to specify which SNMP traps to send to a particular trap receiver. This<br />
functionality was made possible by the underlying support for SNMPv3. Essentially, a number of<br />
predefined filters are associated with a trap receiver, so that only those traps are sent. If you have<br />
already been using SNMPv1/v2c trap receivers, trap groups are very easy to incorporate into your<br />
network. You cannot define your own trap groups. If you need to define more selectively which<br />
notifications to receive, you will need to use the notification filter capabilities available in SNMPv3.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 49
Managing the Switch<br />
To configure trap groups, use the following comm<strong>and</strong>:<br />
configure snmp add trapreceiver {port } community {hex } {from } {mode [enhanced | st<strong>and</strong>ard]}<br />
trap-group {auth-traps{,}} {extreme-traps{,}} {link-up-down-traps{,}} {ospf-traps{,}<br />
{ping-traceroute-traps{,}} {rmon-traps{,}} {security-traps{,}} {smart-traps{,}}<br />
{stp-traps{,}} {system-traps{,}} {vrrp-traps{,}}<br />
For example, to send system <strong>and</strong> link up/link down traps to the receiver at 10.20.30.44 port 9347 with<br />
the community string private, use the following comm<strong>and</strong>:<br />
configure snmp add trapreceiver 10.20.30.44 port 9347 community private trap-group<br />
link-up-down-traps , system-traps<br />
Table 9 lists the currently defined SNMP trap groups. From time to time, new trap groups may be<br />
added to this comm<strong>and</strong>.<br />
Table 9: SNMP Trap Groups<br />
Trap Group Notifications MIB Subtree<br />
stp-traps<br />
newRoot<br />
dot1dBridge, 1.3.6.1.2.1.17<br />
topologyChange<br />
ospf-traps<br />
ospfIfStateChange<br />
ospfTraps, 1.3.6.1.2.1.14.16.2<br />
ospfVirtIfStateChange<br />
ospfNbrStateChange<br />
ospfVirtNbrStateChange<br />
ospfIfConfigError<br />
ospfVirtIfConfigError<br />
ospfIfAuthFailure<br />
ospfVirtIfAuthFailure<br />
ospfIfRxBadPacket<br />
ospfVirtIfRxBadPacket<br />
ospfTxRetransmit<br />
ospfVirtIfTxRetransmit<br />
ospfOriginateLsa<br />
ospfMaxAgeLsa<br />
ospfLsdbOverflow<br />
ospfLsdbApproachingOverflow<br />
ping-traceroute-traps pingTestFailed<br />
pingNotifications, 1.3.6.1.2.1.80.0<br />
pingTestCompleted<br />
tracerouteTestFailed<br />
traceRouteNotifications, 1.3.6.1.2.1.81.0<br />
tracerouteTestCompleted<br />
vrrp-traps<br />
vrrpTrapNewMaster<br />
vrrpNotifications, 1.3.6.1.2.1.68.0<br />
vrrpTrapAuthFailure<br />
system-traps extremeOverheat<br />
extremeFanFailed<br />
extremeFanOK<br />
extremePowerSupplyFail<br />
extremePowerSupplyGood<br />
extremeModuleStateChange<br />
extremeHealthCheckFailed<br />
extremeCpuUtilizationRisingTrap<br />
extremeCpuUtilizationFallingTrap<br />
coldStart<br />
warmStart<br />
1.3.6.1.4.1.1916.0.6<br />
1.3.6.1.4.1.1916.0.7<br />
1.3.6.1.4.1.1916.0.8<br />
1.3.6.1.4.1.1916.0.10<br />
1.3.6.1.4.1.1916.0.11<br />
1.3.6.1.4.1.1916.0.15<br />
1.3.6.1.4.1.1916.4.1.0.1<br />
1.3.6.1.4.1.1916.4.1.0.2<br />
1.3.6.1.4.1.1916.4.1.0.3<br />
1.3.6.1.6.3.1.1.5.1<br />
1.3.6.1.6.3.1.1.5.2<br />
50 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using SNMP<br />
Table 9: SNMP Trap Groups (Continued)<br />
Trap Group Notifications MIB Subtree<br />
extreme-traps extremeEsrpStateChange<br />
extremeEdpNeighborAdded<br />
extremeEdpNeighborRemoved<br />
extremeSlbUnitAdded<br />
extremeSlbUnitRemoved<br />
1.3.6.1.4.1.1916.0.17<br />
1.3.6.1.4.1.1916.0.20<br />
1.3.6.1.4.1.1916.0.21<br />
1.3.6.1.4.1.1916.0.18<br />
1.3.6.1.4.1.1916.0.19<br />
smart-traps extremeSmartTrap 1.3.6.1.4.1.1916.0.14<br />
auth-traps<br />
link-up-down-traps<br />
rmon-traps<br />
security-traps<br />
AuthenticationFailure<br />
extremeInvalidLoginAttempt<br />
linkDown<br />
linkUp<br />
risingAlarm<br />
fallingAlarm<br />
extremeMacLimitExceeded<br />
extremeUnauthorizedPortForMacDetected<br />
extremeMacDetectedOnLockedPort<br />
extremeNetlogin<strong>User</strong>Login<br />
extremeNetlogin<strong>User</strong>Logout<br />
extremeNetloginAuthFailure<br />
1.3.6.1.6.3.1.1.5.5<br />
1.3.6.1.4.1.1916.0.9<br />
1.3.6.1.6.3.1.1.5.3<br />
1.3.6.1.6.3.1.1.5.4<br />
rmon-traps, 1.3.6.1.2.1.16.0<br />
1.3.6.1.4.1.1916.4.3.0.1<br />
1.3.6.1.4.1.1916.4.3.0.2<br />
1.3.6.1.4.1.1916.4.3.0.3<br />
1.3.6.1.4.1.1916.4.3.0.4<br />
1.3.6.1.4.1.1916.4.3.0.5<br />
1.3.6.1.4.1.1916.4.3.0.6<br />
SNMPv3<br />
Beginning in <strong><strong>Extreme</strong>Ware</strong> version 7.1.0, support was added for SNMPv3. SNMPv3 is an enhanced<br />
st<strong>and</strong>ard for SNMP that improves the security <strong>and</strong> privacy of SNMP access to managed devices, <strong>and</strong><br />
provides sophisticated control of access to the device MIB. The prior st<strong>and</strong>ard versions of SNMP,<br />
SNMPv1 <strong>and</strong> SNMPv2c provided no privacy <strong>and</strong> little (or no) security.<br />
The following six RFCs provide the foundation for <strong>Extreme</strong> <strong>Networks</strong> implementation of SNMPv3:<br />
• RFC 3410, Introduction to version 3 of the Internet-st<strong>and</strong>ard Network Management Framework, provides an<br />
overview of SNMPv3.<br />
• RFC 3411, An Architecture for Describing SNMP Management Frameworks, talks about SNMP<br />
architecture, especially the architecture for security <strong>and</strong> administration.<br />
• RFC 3412, Message Processing <strong>and</strong> Dispatching for the Simple Network Management Protocol (SNMP),<br />
talks about the message processing models <strong>and</strong> dispatching that can be a part of an SNMP engine.<br />
• RFC 3413, SNMPv3 Applications, talks about the different types of applications that can be associated<br />
with an SNMPv3 engine.<br />
• RFC 3414, The <strong>User</strong>-Based Security Model for Version 3 of the Simple Network Management Protocol<br />
(SNMPv3), describes the <strong>User</strong>-Based Security Model (USM).<br />
• RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol<br />
(SNMP), talks about VACM as a way to access the MIB.<br />
SNMPv3 Overview<br />
The SNMPv3 st<strong>and</strong>ards for network management were primarily driven the need for greater security<br />
<strong>and</strong> access control. The new st<strong>and</strong>ards use a modular design <strong>and</strong> model management information by<br />
cleanly defining a message processing subsystem, a security subsystem, <strong>and</strong> an access control<br />
subsystem.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 51
Managing the Switch<br />
The message processing (MP) subsystem helps identify the MP model to be used when processing a<br />
received Protocol Data Unit (PDU), the packets used by SNMP for communication. This layer helps in<br />
implementing a multi-lingual agent, so that various versions of SNMP can coexist simultaneously in the<br />
same network.<br />
The security subsystem features the use of various authentication <strong>and</strong> privacy protocols with various<br />
timeliness checking <strong>and</strong> engine clock synchronization schemes. SNMPv3 is designed to be secure<br />
against:<br />
• Modification of information, where an in-transit message is altered.<br />
• Masquerades, where an unauthorized entity assumes the identity of an authorized entity.<br />
• Message stream modification, where packets are delayed <strong>and</strong>/or replayed.<br />
• Disclosure, where packet exchanges are sniffed (examined) <strong>and</strong> information is learned about the<br />
contents.<br />
The access control subsystem provides the ability to configure whether access to a managed object in a<br />
local MIB is allowed for a remote principal. The access control scheme allows you to define access<br />
policies based on MIB views, groups, <strong>and</strong> multiple security levels.<br />
In addition, the SNMPv3 target <strong>and</strong> notification MIBs provide a more procedural approach for the<br />
generation <strong>and</strong> filtering of notifications.<br />
SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage.<br />
Objects defined as permanent cannot be deleted or modified.<br />
NOTE<br />
In SNMPv3, many objects can be identified by a human-readable string or by a string of hex octets. In<br />
many comm<strong>and</strong>s, you can use either a character string, or a colon separated string of hex octets to<br />
specify objects. This is indicated by the keyword hex used in the comm<strong>and</strong>.<br />
Message Processing<br />
A particular network manager may require messages that conform to a particular version of SNMP. The<br />
choice of the SNMPv1, SNMPv2, or SNMPv3 message processing model can be configured for each<br />
network manager as its target address is configured. The selection of the message processing model is<br />
configured with the mp-model keyword in the following comm<strong>and</strong>:<br />
configure snmpv3 add target-params [hex | ] user [hex | ] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 |<br />
snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}<br />
SNMPv3 Security<br />
In SNMPv3 the <strong>User</strong>-Based Security Model (USM) for SNMP was introduced. USM deals with security<br />
related aspects like authentication, encryption of SNMP messages <strong>and</strong> defining users <strong>and</strong> their various<br />
access security levels. This st<strong>and</strong>ard also encompass protection against message delay <strong>and</strong> message<br />
replay.<br />
USM Timeliness Mechanisms<br />
There is one SNMPv3 engine on an <strong>Extreme</strong> switch, identified by its snmpEngineID. The first four octets<br />
are fixed to 80:00:07:7C, which represents the <strong>Extreme</strong> <strong>Networks</strong> Vendor ID. By default, the additional<br />
52 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using SNMP<br />
octets for the snmpEngineID are generated from the device MAC address. Every SNMPv3 engine<br />
necessarily maintains two objects: SNMPEngineBoots, which is the number of reboots the agent has<br />
experienced <strong>and</strong> SNMPEngineTime, which is the engine local time since reboot. It has a local copy of<br />
these objects <strong>and</strong> the latestReceivedEngineTime for every authoritative engine it wants to communicate<br />
with. Comparing these objects with the values received in messages <strong>and</strong> then applying certain rules to<br />
decide upon the message validity accomplish protection against message delay or message replay.<br />
In a chassis, the snmpEngineID will be generated using the MAC address of the MSM with which the<br />
switch boots first. For MSM hitless failover, the same snmpEngineID will be propagated to both of the<br />
MSMs.<br />
The snmpEngineID can be configured from the comm<strong>and</strong> line, but once the snmpEngineID is changed,<br />
default users will be reverted back to their original passwords/keys, while non-default users will be<br />
reset to the security level of no authorization, no privacy. Use the following comm<strong>and</strong> to set the<br />
snmpEngineID:<br />
configure snmpv3 engine-id <br />
SNMPEngineBoots can also be configured from the comm<strong>and</strong> line. SNMPEngineBoots can be set to any<br />
desired value but will latch on its maximum, 2147483647. Use the following comm<strong>and</strong> to set the<br />
SNMPEngineBoots:<br />
configure snmpv3 engine-boots <br />
<strong>User</strong>s, Groups, <strong>and</strong> Security<br />
SNMPv3 controls access <strong>and</strong> security using the concepts of users, groups, security models, <strong>and</strong> security<br />
levels.<br />
<strong>User</strong>s. <strong>User</strong>s are created by specifying a user name. Depending on whether the user will be using<br />
authentication <strong>and</strong>/or privacy, you would also specify an authentication protocol (MD5 or SHA) with<br />
password or key, <strong>and</strong>/or privacy (DES) password or key. To create a user, use the following comm<strong>and</strong>:<br />
configure snmpv3 add user [hex | ] {authentication [md5 | sha]<br />
[hex | ]} {privacy [hex | ]} {volatile}<br />
There are a number of default, permanent users initially available.The default user names are: admin,<br />
initial, initialmd5, initialsha, initialmd5Priv, initialshaPriv. The default password for admin is password. For<br />
the other default users, the default password is the user name.<br />
To display information about a user, or all users, use the following comm<strong>and</strong>:<br />
show snmpv3 user {{hex } }<br />
To delete a user, use the following comm<strong>and</strong>:<br />
configure snmpv3 delete user [all-non-defaults | {hex } ]<br />
NOTE<br />
In the SNMPv3 specifications there is the concept of a security name. In the <strong><strong>Extreme</strong>Ware</strong><br />
implementation, the user name <strong>and</strong> security name are identical. In this manual we use both terms to<br />
refer to the same thing.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 53
Managing the Switch<br />
Groups. Groups are used to manage access for the MIB. You use groups to define the security model,<br />
the security level, <strong>and</strong> the portion of the MIB that members of the group can read or write. To<br />
underscore the access function of groups, groups are defined using the following comm<strong>and</strong>:<br />
configure snmpv3 add access [hex | ] {sec-model [snmpv1 |<br />
snmpv2 | usm]} {sec-level [noauth | authnopriv | authpriv]} {read-view [hex | ] { write-view [hex | ] {notify-view [hex<br />
| ]} {volatile}<br />
The security model <strong>and</strong> security level are discussed in the section labeled “Security Models <strong>and</strong> Levels”.<br />
The view names associated with a group define a subset of the MIB (subtree) that can be accessed by<br />
members of the group. The read view defines the subtree that can be read, write view defines the<br />
subtree that can be written to, <strong>and</strong> notify view defines the subtree that notifications can originate from.<br />
MIB views are discussed in the section “MIB Access Control”.<br />
There are a number of default (permanent) groups already defined. These groups are: admin, initial,<br />
initialmd5, initialsha, initialmd5Priv, initialshaPriv, v1v2c_ro, v1v2c_rw. Use the following comm<strong>and</strong> to<br />
display information about the access configuration of a group or all groups:<br />
show snmpv3 access {hex } | }<br />
<strong>User</strong>s are associated with groups using the following comm<strong>and</strong>:<br />
configure snmpv3 add group [hex | ] user [ hex
Using SNMP<br />
• AuthnoPriv—Authentication, no privacy. Messages are tested only for authentication.<br />
• AuthPriv—Authentication, privacy. This represents the highest level of security <strong>and</strong> requires every<br />
message exchange to pass the authentication <strong>and</strong> encryption tests.<br />
When a user is created, an authentication method is selected, <strong>and</strong> the authentication <strong>and</strong> privacy<br />
passwords or keys are entered.<br />
When MD5 authentication is specified, HMAC-MD5-96 is used to achieve authentication with a 16-octet<br />
key, which generates an 128-bit authorization code. This code is inserted in<br />
msgAuthenticationParameters field of SNMPv3 PDUs when the security level is specified as either<br />
AuthnoPriv or AuthPriv. Specifying SHA authentication uses the HMAC-SHA protocol with a 20-octet<br />
key for authentication.<br />
For privacy, a 16-octet key is provided as input to DES-CBS encryption protocol, which generates an<br />
encrypted PDU to be transmitted. DES uses bytes 1-7 to make a 56 bit key. This key (encrypted itself) is<br />
placed in msgPrivacyParameters of SNMPv3 PDUs when the security level is specified as AuthPriv.<br />
MIB Access Control<br />
SNMPv3 provides a fine-grained mechanism for defining which parts of the MIB can be accessed. This<br />
is referred to as the View-Based Access Control Model (VACM).<br />
MIB views represent the basic building blocks of VACM. They are used to define a subset of the<br />
information in the MIB. Access to read, to write, <strong>and</strong> to generate notifications is based on the<br />
relationship between a MIB view <strong>and</strong> an access group. The users of the access group can then read,<br />
write, or receive notifications from the part of the MIB defined in the MIB view as configured in the<br />
access group.<br />
A view name, a MIB subtree/mask, <strong>and</strong> an inclusion or exclusion define every MIB view. For example,<br />
there is a System group defined under the MIB-2 tree. The Object Identifier (OID) for MIB-2 is 1.3.6.1.2,<br />
<strong>and</strong> the System group is defined as MIB-2.1.1, or directly as 1.3.6.1.2.1.1.<br />
To define a MIB view which includes only the System group, use the following subtree/mask<br />
combination:<br />
1.3.6.1.2.1.1 / 1.1.1.1.1.1.1.0<br />
The mask can also be expressed in hex notation (this is used for the <strong><strong>Extreme</strong>Ware</strong> CLI):<br />
1.3.6.1.2.1.1 / fe<br />
To define a view that includes the entire MIB-2, use the following subtree/mask:<br />
1.3.6.1.2.1.1 / 1.1.1.1.1.0.0.0<br />
which, on the comm<strong>and</strong> line, is:<br />
1.3.6.1.2.1.1 / f8<br />
When you create the MIB view, you can choose to include the MIB subtree/mask, or to exclude the MIB<br />
subtree/mask. To create a MIB view, use the following comm<strong>and</strong>:<br />
configure snmpv3 add mib-view [{hex } | subtree {/} {type [included | excluded]} {volatile}<br />
Once the view is created, you can repeatedly use the configure snmpv3 add mib-view comm<strong>and</strong> to<br />
include <strong>and</strong>/or exclude MIB subtree/mask combinations to precisely define the items you wish to<br />
control access to.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 55
Managing the Switch<br />
In addition to the user created MIB views, there are three default views. They are of storage type<br />
permanent <strong>and</strong> cannot be deleted, but they can be modified. The default views are: default<strong>User</strong>View,<br />
defaultAdminView, <strong>and</strong> defaultNotifyView. To show MIB views, use the following comm<strong>and</strong>:<br />
show snmpv3 mib-view {{hex } | } {subtree }<br />
To delete a MIB view, use the following comm<strong>and</strong>:<br />
configure snmpv3 delete mib-view [all-non-defaults | {{hex } | <br />
{subtree }]<br />
MIB views which are being used by security groups cannot be deleted.<br />
Notification<br />
SNMPv3 notification is an enhancement to the concept of SNMP traps. Notifications are messages sent<br />
from an agent to the network manager, typically in response to some state change on the agent system.<br />
With SNMPv3, you can define precisely which traps you want sent, to which receiver by defining filter<br />
profiles to use for the notification receivers.<br />
To configure notifications, you will configure a target address for the process that receives the<br />
notification, a target parameters name, <strong>and</strong> a list of notification tags. The target parameters specify the<br />
security <strong>and</strong> message processing models to use for the notifications to the target. The target parameters<br />
name also points to the filter profile used to filter the notifications. Finally, the notification tags are<br />
added to a notification table so that any target addresses using that tag will receive notifications.<br />
Target Addresses<br />
A target address is similar to the earlier concept of a trap receiver. To configure a target address, use the<br />
following comm<strong>and</strong>:<br />
configure snmpv3 add target-addr [{hex } | ] param [{hex } | ] ipaddress {/} {transport-port<br />
} {from } {tag-list {hex } , {hex } , ...} {volatile}<br />
In configuring the target address you will supply an address name that will be used to identify the<br />
target address, a parameters name that will indicate the message processing model <strong>and</strong> security for the<br />
messages sent to the target address, <strong>and</strong> the IP address <strong>and</strong> port for the receiver. The parameters name<br />
also is used to indicate the filter profile used for notifications. The target parameters are discussed in the<br />
section “Target Parameters” on page 57.<br />
The from option sets the source IP address in the notification packets.<br />
The tag-list option allows you to associate a list of tags with the target address. The tag defaultNotify<br />
is set by default. Tags are discussed in the section “Notification Tags”.<br />
To display target addresses, use the following comm<strong>and</strong>:<br />
show snmpv3 target-addr {{hex } | }<br />
To delete a single target address or all target addresses, use the following comm<strong>and</strong>:<br />
configure snmpv3 delete target-addr [{{hex } | | all}]<br />
56 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using SNMP<br />
Target Parameters<br />
Target parameters specify the message processing model, security model, security level, <strong>and</strong> user name<br />
(security name) used for messages sent to the target address. See the sections “Message Processing” on<br />
page 52 <strong>and</strong> “<strong>User</strong>s, Groups, <strong>and</strong> Security” on page 53 for more details on these topics. In addition, the<br />
target parameter name used for a target address points to a filter profile used to filter notifications.<br />
When you specify a filter profile, you associate it with a parameter name, so you need to create different<br />
target parameter names if you use different filters for different target addresses.<br />
Use the following comm<strong>and</strong> to create a target parameter name, <strong>and</strong> set the message processing <strong>and</strong><br />
security settings associated with it:<br />
configure snmpv3 add target-params [hex | ] user [hex | ] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c<br />
| usm] {sec-level [noauth | authnopriv | priv]} {volatile}<br />
To display the options associated with a target parameters name, or all target parameters names, use the<br />
following comm<strong>and</strong>:<br />
show snmpv3 target-params [{{hex } | }]<br />
To delete one or all the target parameters, use the following comm<strong>and</strong>:<br />
configure snmpv3 delete target-params [{{hex } } | all]<br />
Filter Profiles <strong>and</strong> Filters<br />
A filter profile is a collection of filters that specifies which notifications should be sent to a target<br />
address. A filter is defined by a MIB subtree <strong>and</strong> mask, <strong>and</strong> by whether that subtree <strong>and</strong> mask is<br />
included or excluded from notification.<br />
When you create a filter profile, you are only associating a filter profile name with a target parameter<br />
name. The filters that make up the profile are created <strong>and</strong> associated with the profile using a different<br />
comm<strong>and</strong>. To create a filter profile, use the following comm<strong>and</strong>:<br />
configure snmpv3 add filter-profile {hex } param {hex } {volatile}<br />
Once the profile name is created, you can associate filters with it using the following comm<strong>and</strong>:<br />
configure snmpv3 add filter {hex } subtree {/} type [included | excluded] {volatile}<br />
The MIB subtree <strong>and</strong> mask are discussed in the section “MIB Access Control” on page 55, as filters are<br />
closely related to MIB views. You can add filters together, including <strong>and</strong> excluding different subtrees of<br />
the MIB until your filter meets your needs.<br />
To display the association between parameter names <strong>and</strong> filter profiles, use the following comm<strong>and</strong>:<br />
show snmpv3 filter-profile {{hex } } {param {hex } }<br />
To display the filters that belong a filter profile, use the following comm<strong>and</strong>:<br />
show snmpv3 filter {{hex } {{subtree} }<br />
To delete a filter or all filters from a filter profile, use the following comm<strong>and</strong>:<br />
configure snmpv3 delete filter [all | [{hex } {subtree<br />
}]]<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 57
Managing the Switch<br />
To remove the association of a filter profile or all filter profiles with a parameter name, use the<br />
following comm<strong>and</strong>:<br />
configure snmpv3 delete filter-profile [all |[{hex }<br />
{param {hex }}]]<br />
Notification Tags<br />
When you create a target address, you associate a list of notification tags with the target, or by default,<br />
the defaultNotify tag is associated with the target. When notifications are generated, only targets<br />
associated with tags currently in an internal structure, called snmpNotifyTable, will be notified. To add an<br />
entry to the table, use the following comm<strong>and</strong>:<br />
configure snmpv3 add notify {hex } tag {hex }<br />
{volatile}<br />
Any targets associated with tags in the snmpNotifyTable will be notified, based on the filter profile<br />
associated with the target.<br />
To display the notifications that are set, use the following comm<strong>and</strong>:<br />
show snmpv3 notify {{hex } }<br />
To delete an entry from the snmpNotifyTable, use the following comm<strong>and</strong>:<br />
configure snmpv3 delete notify [{{hex } } |<br />
all-non-defaults]<br />
You cannot delete the default entry from the table, so any targets configured with the defaultNotify tag<br />
will always receive notifications consistent with any filter profile specified.<br />
Configuring Notifications<br />
Since the target parameters name is used to point to a number of objects used for notifications,<br />
configure the target parameter name entry first. You can then configure the target address, filter profiles<br />
<strong>and</strong> filters, <strong>and</strong> any necessary notification tags.<br />
Authenticating <strong>User</strong>s<br />
<strong><strong>Extreme</strong>Ware</strong> provides two methods to authenticate users who login to the switch:<br />
• RADIUS client<br />
• TACACS+<br />
NOTE<br />
You cannot configure RADIUS <strong>and</strong> TACACS+ at the same time.<br />
RADIUS Client<br />
Remote Authentication Dial In <strong>User</strong> Service (RADIUS, RFC 2138) is a mechanism for authenticating <strong>and</strong><br />
centrally administrating access to network nodes. The <strong><strong>Extreme</strong>Ware</strong> RADIUS client implementation<br />
allows authentication for Telnet, Vista, or console access to the switch.<br />
58 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using Network Login<br />
TACACS+<br />
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing<br />
authentication, authorization, <strong>and</strong> accounting on a centralized server, similar in function to the RADIUS<br />
client. The <strong><strong>Extreme</strong>Ware</strong> version of TACACS+ is used to authenticate prospective users who are<br />
attempting to administer the switch. TACACS+ is used to communicate between the switch <strong>and</strong> an<br />
authentication database.<br />
Configuring RADIUS Client <strong>and</strong> TACACS+<br />
For detailed information about configuring a RADIUS client or TACACS+, see Chapter 10.<br />
Using Network Login<br />
Network login is a feature designed to control the admission of user packets into a network by giving<br />
addresses only to users that have been properly authenticated. Network login is controlled by an<br />
administrator on a per port, per VLAN basis <strong>and</strong> uses an integration of DHCP, user authentication over<br />
the web interface, <strong>and</strong>, sometimes, a RADIUS server to provide a user database or specific configuration<br />
details.<br />
When network login is enabled on a port in a VLAN, that port will not forward any packets until<br />
authentication takes place.<br />
For detailed information about using Network login, see Chapter 10.<br />
Using the Simple Network Time Protocol<br />
<strong><strong>Extreme</strong>Ware</strong> supports the client portion of the Simple Network Time Protocol (SNTP) Version 3 based<br />
on RFC1769. SNTP can be used by the switch to update <strong>and</strong> synchronize its internal clock from a<br />
Network Time Protocol (NTP) server. When enabled, the switch sends out a periodic query to the<br />
indicated NTP server, or the switch listens to broadcast NTP updates. In addition, the switch supports<br />
the configured setting for Greenwich Mean time (GMT) offset <strong>and</strong> the use of Daylight Saving Time.<br />
These features have been tested for year 2000 compliance.<br />
Configuring <strong>and</strong> Using SNTP<br />
To use SNTP, follow these steps:<br />
1 Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method<br />
for obtaining NTP updates. The options are for the NTP server to send out broadcasts, or for<br />
switches using NTP to query the NTP server(s) directly. A combination of both methods is possible.<br />
You must identify the method that should be used for the switch being configured.<br />
2 Configure the Greenwich Mean Time (GMT) offset <strong>and</strong> Daylight Saving Time preference. The<br />
comm<strong>and</strong> syntax to configure GMT offset <strong>and</strong> usage of Daylight Saving Time is as follows:<br />
configure timezone {name } {autodst {name<br />
} {} {begins [every | on ]<br />
{at } {ends [every | on ] {at<br />
}}} | noautodst}<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 59
Managing the Switch<br />
By default, Daylight Saving Time is assumed to begin on the first Sunday in April at 2:00 AM, <strong>and</strong><br />
end the last Sunday in October at 2:00 AM, <strong>and</strong> be offset from st<strong>and</strong>ard time by one hour. If this is<br />
the case in your timezone, you can set up automatic daylight savings adjustment with the comm<strong>and</strong>:<br />
configure timezone autodst<br />
If your timezone uses starting <strong>and</strong> ending dates <strong>and</strong> times that differ from the default, you can<br />
specify the starting <strong>and</strong> ending date <strong>and</strong> time in terms of a floating day, as follows:<br />
configure timezone name MET 60 autodst name MDT begins every last sunday march at<br />
1 ends every last sunday october at 1<br />
You can also specify a specific date <strong>and</strong> time, as shown in the following comm<strong>and</strong>.<br />
configure timezone name NZST 720 autodst name NZDT 60 begins every first sunday<br />
october at 2 ends on 3/16/2002 at 2<br />
The optional timezone IDs are used to identify the timezone in display comm<strong>and</strong>s such as show<br />
switch.<br />
Table 10 describes the comm<strong>and</strong> options in detail:<br />
Table 10: Time Zone Configuration Comm<strong>and</strong> Options<br />
GMT_offset<br />
Specifies a Greenwich Mean Time (GMT) offset, in + or - minutes.<br />
std-timezone-ID Specifies an optional name for this timezone specification. May be up to six characters in<br />
length. The default is an empty string.<br />
autodst<br />
Enables automatic Daylight Savings Time.<br />
dst-timezone-ID Specifies an optional name for this DST specification. May be up to six characters in<br />
length. The default is an empty string.<br />
dst_offset Specifies an offset from st<strong>and</strong>ard time, in minutes. Value is in the range of 1 to 60.<br />
Default is 60 minutes.<br />
floating_day<br />
Specifies the day, week, <strong>and</strong> month of the year to begin or end DST each year. Format is:<br />
absolute_day<br />
time_of_day<br />
noautodst<br />
where:<br />
• is specified as [first | second | third | fourth | last] or 1-5<br />
• is specified as [sunday | monday | tuesday | wednesday | thursday | friday |<br />
saturday] or 1-7 (where 1 is Sunday)<br />
• is specified as [january | february | march | april | may | june | july | august |<br />
september | october | november | december] or 1-12<br />
Default for beginning is first sunday april; default for ending is last sunday october.<br />
Specifies a specific day of a specific year on which to begin or end DST. Format is:<br />
// where:<br />
• is specified as 1-12<br />
• is specified as 1-31<br />
• is specified as 1970 - 2035<br />
The year must be the same for the begin <strong>and</strong> end dates.<br />
Specifies the time of day to begin or end Daylight Savings Time. May be specified as an<br />
hour (0-23) or as hour:minutes. Default is 2:00.<br />
Disables automatic Daylight Savings Time.<br />
Automatic Daylight Savings Time (DST) changes can be enabled or disabled. The default setting is<br />
enabled. To disable automatic DST, use the comm<strong>and</strong>:<br />
configure timezone {name } noautodst<br />
60 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using the Simple Network Time Protocol<br />
3 Enable the SNTP client using the following comm<strong>and</strong>:<br />
enable sntp-client<br />
Once enabled, the switch sends out a periodic query to the NTP servers defined later (if configured)<br />
or listens to broadcast NTP updates from the network. The network time information is<br />
automatically saved into the on-board real-time clock.<br />
4 If you would like this switch to use a directed query to the NTP server, configure the switch to use<br />
the NTP server(s). If the switch listens to NTP broadcasts, skip this step. To configure the switch to<br />
use a directed query, use the following comm<strong>and</strong>:<br />
configure sntp-client [primary | secondary] server ]<br />
NTP queries are first sent to the primary server. If the primary server does not respond within 1<br />
second, or if it is not synchronized, the switch queries the secondary server (if one is configured). If<br />
the switch cannot obtain the time, it restarts the query process. Otherwise, the switch waits for the<br />
sntp-client update interval before querying again.<br />
5 Optionally, the interval for which the SNTP client updates the real-time clock of the switch can be<br />
changed using the following comm<strong>and</strong>:<br />
configure sntp-client update-interval <br />
The default sntp-client update-interval value is 64 seconds.<br />
6 You can verify the configuration using the following comm<strong>and</strong>s:<br />
— show sntp-client<br />
This comm<strong>and</strong> provides configuration <strong>and</strong> statistics associated with SNTP <strong>and</strong> its connectivity to<br />
the NTP server.<br />
— show switch<br />
This comm<strong>and</strong> indicates the GMT offset, the Daylight Savings Time configuration <strong>and</strong> status, <strong>and</strong><br />
the current local time.<br />
NTP updates are distributed using GMT time. To properly display the local time in logs <strong>and</strong> other<br />
timestamp information, the switch should be configured with the appropriate offset to GMT based on<br />
geographical location. Table 11 describes GMT offsets.<br />
Table 11: Greenwich Mean Time Offsets<br />
GMT<br />
Offset in<br />
Hours<br />
GMT Offset<br />
in Minutes Common Time Zone References Cities<br />
London, Engl<strong>and</strong>; Dublin, Irel<strong>and</strong>;<br />
UT or UTC - Universal (Coordinated)<br />
Edinburgh, Scotl<strong>and</strong>; Lisbon, Portugal;<br />
Reykjavik, Icel<strong>and</strong>; Casablanca, Morocco<br />
WET - Western European<br />
+0:00 +0 GMT - Greenwich Mean<br />
-1:00 -60 WAT - West Africa Azores, Cape Verde Isl<strong>and</strong>s<br />
-2:00 -120 AT - Azores<br />
-3:00 -180 Brasilia, Brazil; Buenos Aires, Argentina;<br />
Georgetown, Guyana;<br />
-4:00 -240 AST - Atlantic St<strong>and</strong>ard Caracas; La Paz<br />
-5:00 -300 EST - Eastern St<strong>and</strong>ard Bogota, Columbia; Lima, Peru; New York,<br />
NY, Trevor City, MI USA<br />
-6:00 -360 CST - Central St<strong>and</strong>ard Mexico City, Mexico<br />
-7:00 -420 MST - Mountain St<strong>and</strong>ard Saskatchewan, Canada<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 61
Managing the Switch<br />
Table 11: Greenwich Mean Time Offsets (Continued)<br />
GMT<br />
Offset in<br />
Hours<br />
-8:00 -480 PST - Pacific St<strong>and</strong>ard Los Angeles, CA, Cupertino, CA, Seattle,<br />
WA USA<br />
-9:00 -540 YST - Yukon St<strong>and</strong>ard<br />
-10:00 -600 AHST - Alaska-Hawaii St<strong>and</strong>ard<br />
CAT - Central Alaska<br />
HST - Hawaii St<strong>and</strong>ard<br />
-11:00 -660 NT - Nome<br />
-12:00 -720 IDLW - International Date Line West<br />
+1:00 +60 CET - Central European<br />
FWT - French Winter<br />
MET - Middle European<br />
MEWT - Middle European Winter<br />
Paris, France; Berlin, Germany;<br />
Amsterdam, The Netherl<strong>and</strong>s; Brussels,<br />
Belgium; Vienna, Austria; Madrid, Spain;<br />
Rome, Italy; Bern, Switzerl<strong>and</strong>; Stockholm,<br />
Sweden; Oslo, Norway<br />
SWT - Swedish Winter<br />
+2:00 +120 EET - Eastern European, Russia Zone 1 Athens, Greece; Helsinki, Finl<strong>and</strong>;<br />
Istanbul, Turkey; Jerusalem, Israel;<br />
Harare, Zimbabwe<br />
+3:00 +180 BT - Baghdad, Russia Zone 2 Kuwait; Nairobi, Kenya; Riyadh, Saudi<br />
Arabia; Moscow, Russia; Tehran, Iran<br />
+4:00 +240 ZP4 - Russia Zone 3 Abu Dhabi, UAE; Muscat; Tblisi;<br />
Volgograd; Kabul<br />
+5:00 +300 ZP5 - Russia Zone 4<br />
+5:30 +330 IST – India St<strong>and</strong>ard Time New Delhi, Pune, Allahabad, India<br />
+6:00 +360 ZP6 - Russia Zone 5<br />
+7:00 +420 WAST - West Australian St<strong>and</strong>ard<br />
+8:00 +480 CCT - China Coast, Russia Zone 7<br />
+9:00 +540 JST - Japan St<strong>and</strong>ard, Russia Zone 8<br />
+10:00 +600 EAST - East Australian St<strong>and</strong>ard<br />
+11:00 +660<br />
GMT Offset<br />
in Minutes Common Time Zone References Cities<br />
GST - Guam St<strong>and</strong>ard<br />
Russia Zone 9<br />
+12:00 +720 IDLE - International Date Line East<br />
NZST - New Zeal<strong>and</strong> St<strong>and</strong>ard<br />
NZT - New Zeal<strong>and</strong><br />
Wellington, New Zeal<strong>and</strong>; Fiji, Marshall<br />
Isl<strong>and</strong>s<br />
SNTP Example<br />
In this example, the switch queries a specific NTP server <strong>and</strong> a backup NTP server. The switch is<br />
located in Cupertino, CA, <strong>and</strong> an update occurs every 20 minutes. The comm<strong>and</strong>s to configure the<br />
switch are as follows:<br />
configure timezone -480 autodst<br />
configure sntp-client update interval 1200<br />
enable sntp-client<br />
62 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using EAPOL Flooding<br />
configure sntp-client primary server 10.0.1.1<br />
configure sntp-client secondary server 10.0.1.2<br />
Using EAPOL Flooding<br />
Port-based Network Access Control (IEEE 802.1x) uses Extensible Authentication Protocol (EAP) as the<br />
underlying mechanism for transferring information between the three network entities engaged in the<br />
IEEE 802.1x port authentication access control process: the supplicant, the authenticator, <strong>and</strong> the<br />
authenticating server. The encapsulating mechanism used for communication between the supplicant<br />
<strong>and</strong> the authenticator is referred to as EAP Over LANs, or EAPOL.<br />
By default (per IEEE 802.1D), Summit 200, Summit 300, <strong>and</strong> Summit 400 series switches do not forward<br />
EAPOL frames. Also, if network login is enabled, EAPOL flooding cannot be enabled. However, under<br />
certain conditions, you might opt to change this behavior to support an upstream central authenticator<br />
by enabling the switch to flood the EAPOL frame on the VLAN associated with the ingress port.<br />
The following example enables EAPOL frame flooding on a Summit 200, Summit 300, or Summit 400<br />
series switch that does not have Network login enabled:<br />
enable eapol-flooding<br />
When EAPOL flooding is enabled on the switch, you can verify that status by using the comm<strong>and</strong>:<br />
show configuration<br />
The following example disables EAPOL frame flooding on a Summit 200, Summit 300, or Summit 400<br />
series switch:<br />
disable eapol-flooding<br />
You can verify the current EAPOL flooding state by using the comm<strong>and</strong>:<br />
show eapol-flooding<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 63
Managing the Switch<br />
64 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
4 Configuring Ports<br />
This chapter covers the following topics:<br />
• Port Numbering on page 65<br />
• Enabling <strong>and</strong> Disabling Switch Ports on page 66<br />
• Configuring Switch Port Speed <strong>and</strong> Duplex Setting on page 66<br />
• Jumbo Frames—Summit 400 Switch Only on page 68<br />
• Load Sharing on the Switch on page 71<br />
• Switch Port-Mirroring on page 75<br />
• <strong>Extreme</strong> Discovery Protocol on page 76<br />
Port Numbering<br />
Summit 200, Summit 300-24, <strong>and</strong> Summit 400 Switches<br />
Ports on the Summit 200, Summit 300-24 <strong>and</strong> Summit 400 switches are simply noted by their physical<br />
port number. When entering comm<strong>and</strong>s that require you to enter one or more port numbers, you can<br />
enter the the port number separated by a comma. You can also enter a range of numbers, for example:<br />
port 1-3,6,8<br />
Summit 300-48 Switch<br />
On a Summit 300-48 switch, the port number is a combination of the slot number <strong>and</strong> the port number.<br />
The nomenclature for the port number is as follows:<br />
slot:port<br />
You can use wildcard combinations (*) to specify multiple slot <strong>and</strong> port combinations. The following<br />
wildcard combinations are allowed:<br />
• slot:* — Specifies all ports on a particular I/O module.<br />
• slot:x-slot:y — Specifies a contiguous series of ports on a particular I/O module.<br />
• slota:x-slotb:y — Specifies a contiguous series of ports that begin on one I/O module <strong>and</strong> end<br />
on another I/O module.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 65
Configuring Ports<br />
Enabling <strong>and</strong> Disabling Switch Ports<br />
By default, all ports are enabled. To enable or disable one or more ports, use the following comm<strong>and</strong>:<br />
enable ports [ | all | {vlan} ]<br />
disable ports [ | all |{vlan} ]<br />
For example, to disable slot 7, ports 3, 5, <strong>and</strong> 12 through 15 on a modular switch, use the following<br />
comm<strong>and</strong>:<br />
disable ports 7:3,7:5,7:12-7:15<br />
Likewise, to disable ports 3, 5, <strong>and</strong> 12 through 15 on a st<strong>and</strong>-alone switch, use the following comm<strong>and</strong>:<br />
disable ports 3,5,12-15<br />
Even though a port is disabled, the link remains enabled for diagnostic purposes. Disabling of load<br />
sharing ports is not supported.<br />
Configuring Switch Port Speed <strong>and</strong> Duplex Setting<br />
When configuring the speed <strong>and</strong> duplex setting for a port, autonegotiation plays a significant role. By<br />
default, the switch is configured to use autonegotiation to determine the port speed <strong>and</strong> duplex setting<br />
for each port.<br />
10BASE-T <strong>and</strong> 100BASE-TX ports can connect to either 10BASE-T or 100BASE-T networks. By default,<br />
the ports autonegotiate port speed. You can also configure each port for a particular speed (either 10<br />
Mbps or 100 Mbps). Gigabit Ethernet ports are statically set to 1 Gbps, <strong>and</strong> their speed cannot be<br />
modified.<br />
If you plan on running the copper ports at 1000 Mbps, it is recommended that you keep autonegotiation<br />
on. For ports running at slower speeds, you can manually configure the speed of 10/100/1000 Mbps<br />
ports <strong>and</strong> disable autonegotiation.<br />
To configure port speed <strong>and</strong> duplex setting, use the following comm<strong>and</strong>:<br />
configure ports [ | all | mgmt] auto off {speed [10 | 100 | 1000]} duplex<br />
[half | full]<br />
The mgmt option is only available on the Summit 400.<br />
To configure the system to autonegotiate, use the following comm<strong>and</strong>:<br />
configure ports [ | mgmt | all] auto on<br />
The mgmt option is only available on the Summit 400.<br />
Gigabit Ethernet fiber ports only run at full-duplex but you must specify the duplex setting. The<br />
10/100/1000 copper ports, however, can be either be configured for half-duplex or full-duplex<br />
operation. These 10/100/1000 Mbps ports are supported only through autonegotiation.<br />
Summit 200 <strong>and</strong> Summit 300-24 only. Flow control is supported only on Gigabit Ethernet ports. It is<br />
enabled or disabled as part of autonegotiation. If autonegotiation is set to off, flow control is disabled.<br />
When autonegotiation is turned on, flow control is enabled.<br />
66 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Switch Port Speed <strong>and</strong> Duplex Setting<br />
Summit 400 only. The Summit 400-48t has four 1000 Mbps fiber <strong>and</strong> 48 copper 10/100/1000 Mbps<br />
ports. All of the fiber ports can be configured for automatic failover using the first four copper ports.<br />
These ports are called combination ports because either the fiber port or the copper port is active, but<br />
they are never active concurrently. For a description of cabling for combination ports, see<br />
“Software-Controlled Redundant Port <strong>and</strong> Smart Redundancy” on page 77. For information on<br />
configuring combination ports, see “Configuring Automatic Failover for Combination Ports” on<br />
page 79. If you plan to use the automatic failover feature, ensure that port settings are set correctly for<br />
autonegotiation. Summit 400 ports do not advertise or support flow control frames.<br />
Turning Off Autonegotiation for a Gigabit Ethernet Port<br />
In certain interoperability situations, you may need to turn autonegotiation off on a Gigabit Ethernet<br />
port. Even though a Gigabit Ethernet port runs only at full duplex, you must specify the duplex setting.<br />
NOTE<br />
1000BASE-T ports support only autonegotiation.<br />
The following example turns autonegotiation off for port 4 (a combination port):<br />
configure ports 4 auto off duplex full speed 1000<br />
Turning Off Autopolarity Detection for an Ethernet Port—Summit 200<br />
<strong>and</strong> Summit 300-24 Switches Only<br />
The autopolarity feature on the Summit 200 <strong>and</strong> Summit 300-24 switches allows the system to detect<br />
<strong>and</strong> respond to the Ethernet cable type (straight-through vs. crossover cable) used to make the<br />
connection to the switch port. When the autopolarity feature is enabled, the system causes the Ethernet<br />
link to come up regardless of the cable type connected to the port. When the autopolarity feature is<br />
disabled, the link will come up only when a crossover cable is connected to the port. The autopolarity<br />
feature is supported only on the 10BASE-T <strong>and</strong> 100BASE-TX switch ports, <strong>and</strong> enabled by default.<br />
To disable or enable autopolarity detection, use the following comm<strong>and</strong>:<br />
configure ports [ | all] auto-polarity [off | on]<br />
where the following is true:<br />
• portlist—Specifies one or more ports on the switch<br />
• all—Specifies all of the ports on the switch<br />
• off—Disables the autopolarity detection feature on the specified ports<br />
• on—Enables the autopolarity detection feature on the specified ports<br />
Under certain conditions, you might opt to turn autopolarity off on one or more 10BASE-T <strong>and</strong><br />
100BASE-TX ports. The following example turns autopolarity off for ports 3-5 either on a Summit 200 or<br />
Summit 300-24 switch:<br />
configure ports 3-5 auto-polarity off<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 67
Configuring Ports<br />
NOTE<br />
If you attempt to invoke this comm<strong>and</strong> on a Gigabit Ethernet switch port, the system displays a<br />
message indicating that the specified port is not supported by this feature.<br />
When autopolarity is disabled on one or more Ethernet ports, you can verify that status by using the<br />
comm<strong>and</strong>:<br />
show configuration<br />
This comm<strong>and</strong> lists the ports for that have the feature disabled.<br />
You can also verify the current autopolarity status by using the comm<strong>and</strong>:<br />
show ports {mgmt | | vlan } info {detail}<br />
The mgmt option is only available on the Summit 400 switch.<br />
Configuring Interpacket Gap for Gigabit Ethernet Ports—Summit 400<br />
Switch Only<br />
You can configure the Interpacket Gap for 1 or 10 Gigabit Ethernet ports. The Interpacket Gap,<br />
sometimes referred to as the Interframe Gap, is the transmit packet byte-time delay between successive<br />
data packets m<strong>and</strong>ated by the IEEE for Ethernet networks. Byte-time is the amount of time it takes to<br />
transmit one byte on the link at the specified or negotiated link speed. The configured Interpacket Gap<br />
value has no effect on received packets. The default value is 12. The minimum <strong>and</strong> maximum allowed<br />
values range between 12 <strong>and</strong> 1023.<br />
The st<strong>and</strong>ard effective Interpacket Gap for Gigabit Ethernet interfaces ranges between 12 <strong>and</strong> 1023.<br />
Some vendors' 10 Gigabit Ethernet interfaces drop packets when packets are transmitted using a value<br />
of 12. Thus, by increasing the Interpacket Gap, packet transmission is slowed <strong>and</strong> packet loss can be<br />
minimized or prevented. The Interpacket Gap value need not be modified when interconnecting<br />
<strong>Extreme</strong> <strong>Networks</strong> switches over 10 Gigabit Ethernet links. Use the following comm<strong>and</strong> to modify the<br />
Interpacket Gap:<br />
configure port interpacket-gap <br />
Jumbo Frames—Summit 400 Switch Only<br />
Jumbo frames are Ethernet frames that are larger than 1522 bytes, including four bytes used for the cyclic<br />
redundancy check (CRC). <strong>Extreme</strong> products support switching <strong>and</strong> routing of jumbo frames at<br />
wire-speed on all ports.<br />
Jumbo frames are used between endstations that support larger frame sizes for more efficient transfers<br />
of bulk data. Both endstations involved in the transfer must be capable of supporting jumbo frames.<br />
The switch only performs IP fragmentation, or participates in maximum transmission unit (MTU)<br />
negotiation on behalf of devices that support jumbo frames.<br />
68 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Jumbo Frames—Summit 400 Switch Only<br />
Enabling Jumbo Frames<br />
To enable jumbo frame support, enable jumbo frames on the desired ports. To set the maximum jumbo<br />
frame size, use the following comm<strong>and</strong>:<br />
configure jumbo-frame size <br />
The jumbo frame size range is 1523 to 9216. This value describes the maximum size of the frame in<br />
transit (on the wire), <strong>and</strong> includes 4 bytes of CRC plus another 4 bytes if 802.1Q tagging is being used.<br />
Set the MTU size for the VLAN, using the following comm<strong>and</strong>:<br />
configure ip-mtu vlan <br />
The IP MTU default is 1500. The range is 1500-9194.<br />
Next, enable support on the physical ports that will carry jumbo frames using the following comm<strong>and</strong>:<br />
enable jumbo-frame ports [ | all]<br />
NOTE<br />
Some network interface cards (NICs) have a configured maximum MTU size that does not include the<br />
additional 4 bytes of CRC. Ensure that the NIC maximum MTU size is at or below the maximum MTU<br />
size configured on the switch. Frames that are larger than the MTU size configured on the switch are<br />
dropped at the ingress port.<br />
Jumbo Frames Example<br />
The following example create two VLANs sw1 <strong>and</strong> sw2. It adds port 12 to sw1 <strong>and</strong> port 13 to sw2. It<br />
configures port 12 <strong>and</strong> 13 for jumbo frames up to 9216 bytes (including CRC). It also configures VLANs<br />
sw1 <strong>and</strong> sw2 to accept IP packets up to 9194 bytes.<br />
* Summit400-48t:48 # create vlan sw1<br />
* Summit400-48t:49 # create vlan sw2<br />
* Summit400-48t:50 # configure vlan sw1 add port 12<br />
* Summit400-48t:51 # configure vlan sw2 add port 13<br />
* Summit400-48t:52 # configure jumbo-frame size 9216<br />
* Summit400-48t:53 # enable jumbo-frame ports 12,13<br />
* Summit400-48t:54 # configure ip-mtu 9194 vlan vlansw1<br />
* Summit400-48t:55 # configure ip-mtu 9194 vlan vlansw2<br />
Path MTU Discovery<br />
Using path MTU discovery, a source host assumes that the path MTU is the MTU of the first hop<br />
(which is known). The host sends all datagrams on that path with the “don’t fragment” (DF) bit set,<br />
which restricts fragmentation. If any of the datagrams must be fragmented by an <strong>Extreme</strong> switch along<br />
the path, the <strong>Extreme</strong> switch discards the datagrams <strong>and</strong> returns an ICMP Destination Unreachable<br />
message to the sending host, with a code meaning “fragmentation needed <strong>and</strong> DF set”. When the<br />
source host receives the message (sometimes called a “Datagram Too Big” message), the source host<br />
reduces its assumed path MTU <strong>and</strong> retransmits the datagrams.<br />
The path MTU discovery process ends when one of the following is true:<br />
• The source host sets the path MTU low enough that its datagrams can be delivered without<br />
fragmentation.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 69
Configuring Ports<br />
• The source host does not set the DF bit in the datagram headers.<br />
If it is willing to have datagrams fragmented, a source host can choose not to set the DF bit in datagram<br />
headers. Normally, the host continues to set DF in all datagrams, so that if the route changes <strong>and</strong> the<br />
new path MTU is lower, the host can perform path MTU discovery again.<br />
IP Fragmentation with Jumbo Frames<br />
<strong><strong>Extreme</strong>Ware</strong> supports the fragmenting of IP packets. If an IP packet originates in a local network that<br />
allows large packets <strong>and</strong> those packets traverse a network that limits packets to a smaller size, the<br />
packets are fragmented instead of discarded.<br />
This feature is designed to be used in conjunction with jumbo frames. Frames that are fragmented are<br />
not processed at wire-speed within the switch fabric.<br />
NOTE<br />
Jumbo frame-to-jumbo frame fragmentation is not supported. Only jumbo frame-to-normal frame<br />
fragmentation is supported.<br />
To configure VLANs for IP fragmentation, follow these steps:<br />
1 Enable jumbo frames on the incoming port.<br />
2 Add the port to a VLAN.<br />
3 Assign an IP address to the VLAN.<br />
4 Enable ipforwarding on the VLAN.<br />
5 Set the MTU size for the VLAN, using the following comm<strong>and</strong>:<br />
configure ip-mtu vlan <br />
The ip-mtu value can be 1500 - 9194, with 1500 the default.<br />
NOTE<br />
To set the MTU size greater than 1500, all ports in the VLAN must have jumbo frames enabled.<br />
IP Fragmentation within a VLAN<br />
<strong><strong>Extreme</strong>Ware</strong> supports IP fragmentation within a VLAN. This feature does not require you to configure<br />
the MTU size. To use IP fragmentation within a VLAN, follow these steps:<br />
1 Enable jumbo frames on the incoming port.<br />
2 Add the port to a VLAN.<br />
3 Assign an IP address to the VLAN.<br />
4 Enable ipforwarding on the VLAN.<br />
If you leave the MTU size configured to the default value, when you enable jumbo frame support on a<br />
port on the VLAN you receive a warning that the ip-mtu size for the VLAN is not set at maximum<br />
jumbo frame size. You can ignore this warning if you want IP fragmentation within the VLAN, only.<br />
70 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Load Sharing on the Switch<br />
However, if you do not use jumbo frames, IP fragmentation can only be used for traffic that stays<br />
within the same VLAN. To use IP fragmentation for traffic that is set to other VLANs, you must<br />
configure all ports in the VLAN for jumbo frame support.<br />
Load Sharing on the Switch<br />
Load sharing allows you to increase b<strong>and</strong>width <strong>and</strong> availability by using a group of ports to carry<br />
traffic in parallel between switches. Load sharing allows the switch to use multiple ports as a single<br />
logical port. For example, VLANs see the load-sharing group as a single logical port. Most load-sharing<br />
algorithms guarantee packet sequencing between clients.<br />
If a port in a load-sharing group fails, traffic is redistributed to the remaining ports in the load-sharing<br />
group. If the failed port becomes active again, traffic is redistributed to include that port.<br />
NOTE<br />
Load sharing must be enabled on both ends of the link or a network loop may result. The load-sharing<br />
types algorithms do not need to be the same on both ends.<br />
Dynamic Versus Static Load Sharing<br />
The two broad categories of load sharing supported on <strong>Extreme</strong> Network switches are dynamic load<br />
sharing <strong>and</strong> static load sharing:<br />
• Dynamic load sharing—A grouping of ports that use IEEE 802.3ad load sharing to dynamically<br />
determine if load sharing is possible, <strong>and</strong> automatically configure load sharing when possible. Uses<br />
Link Aggregation Control Protocol (LACP), part of the IEEE 802.3ad st<strong>and</strong>ard, to allow the switch to<br />
dynamically reconfigure the sharing groups. The group is only enabled when LACP detects that the<br />
other side is also using LACP, <strong>and</strong> wants these ports to be in a group.<br />
• Static load sharing—A grouping of ports specifically configured to load share. The switch ports at<br />
each end must be configured as part of a load-sharing group. Additionally, you can choose the<br />
load-sharing algorithm used by the group. This feature is supported between <strong>Extreme</strong> <strong>Networks</strong><br />
switches only, but may be compatible with third-party trunking or link-aggregation algorithms.<br />
Check with an <strong>Extreme</strong> <strong>Networks</strong> technical representative for more information.<br />
Load-Sharing Algorithm<br />
Summit “e” series switches support only an address-based load-sharing algorithm as the distribution<br />
technique to determine the output port selection. Algorithm selection is not intended for use in<br />
predictive traffic engineering. The algorithm uses addressing information to determine which physical<br />
port in the load-sharing group to use for forwarding traffic out of the switch. Addressing information is<br />
based on the packet protocol, as follows:<br />
—IP packets—Uses the source <strong>and</strong> destination MAC <strong>and</strong> IP addresses.<br />
—All other packets—Uses the source <strong>and</strong> destination MAC address.<br />
Configured IP Address-Based Load Sharing<br />
When you configure load sharing, the switch examines a specific place in the packet to determine which<br />
egress port to use for forwarding traffic.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 71
Configuring Ports<br />
Summit 200 <strong>and</strong> 300. The switch uses these areas of the packet:<br />
Layer 2 Layer 3<br />
MAC source address X X<br />
MAC destination address X X<br />
IP source address<br />
IP destination address X X<br />
Summit 400. The switch uses these areas of the packet:<br />
Layer 2 Layer 3<br />
MAC source address X X<br />
MAC destination address X X<br />
IP source address X X<br />
IP destination address X X<br />
You can control the field examined by the switch for IP address-based load sharing, using the following<br />
comm<strong>and</strong>:<br />
configure sharing address-based [ip-dest| ip-source| ip-source-dest |mac-dest |<br />
mac-source | mac-source-dest]<br />
where:<br />
ip-dest<br />
ip-source<br />
ip-source-dest<br />
mac-dest<br />
mac-source<br />
mac-dest<br />
mac-source<br />
mac-source-dest<br />
Indicates that the switch should examine the IP destination address.<br />
Indicates that the switch should examine the IP source address.<br />
Indicates that the switch should examine the IP source <strong>and</strong> destination<br />
addresses.<br />
Indicates that the switch should examine the MAC source <strong>and</strong> destination<br />
address.<br />
Indicates that the switch should examine the MAC source address.<br />
Indicates that the switch should examine the MAC destination address.<br />
Indicates that the switch should examine the MAC source address.<br />
Indicates that the switch should examine the MAC source <strong>and</strong> destination<br />
addresses.<br />
This feature is available for the address-based load-sharing algorithm, only.<br />
To verify your configuration, use the following comm<strong>and</strong>:<br />
show sharing address-based<br />
Configuring Switch Load Sharing<br />
To set up a switch to load share among ports, you must create a load-sharing group of ports. The first<br />
port in the load-sharing group is configured to be the “master” logical port. This is the reference port<br />
used in configuration comm<strong>and</strong>s. It can be thought of as the logical port representing the entire port<br />
group.<br />
72 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Load Sharing on the Switch<br />
All the ports in a load-sharing group must have the same exact configuration, including auto<br />
negotiation, duplex setting, ESRP host attach or don’t-count, <strong>and</strong> so on. All the ports in a load-sharing<br />
group must also be of the same b<strong>and</strong>width class.<br />
To define a load-sharing group, you assign a group of ports to a single, logical port number. To enable<br />
or disable a load-sharing group, use the following comm<strong>and</strong>s:<br />
enable sharing grouping {dynamic | algorithm address-based }<br />
disable sharing []<br />
The following rules apply to Summit 200 <strong>and</strong> Summit 300-24.<br />
• Ports on the switch must be of the same port type. For example, if you use 100 Mbps ports, all ports<br />
on the switch must be 100 Mbps ports.<br />
• Ports on the switch are divided into a maximum of six groups. One group can contain up to eight<br />
ports.<br />
• Ports on the switch are divided into a maximum of 25 groups.<br />
• Port-based <strong>and</strong> round-robin load sharing algorithms do not apply.<br />
The following rules apply to Summit 300-48.<br />
• Ports on the switch must be of the same port type. For example, if you use 100 Mbps ports, all ports<br />
on the switch must be 100 Mbps ports.<br />
• Ports on the switch are divided into a maximum of five group.<br />
• Port-based <strong>and</strong> round-robin load sharing algorithms do not apply.<br />
• A redundant load share group can only include ports from the following ranges: 1:1-1:24, 1:25-1:48,<br />
1:49-1:52.<br />
The following rules apply to Summit 400.<br />
• Ports on the switch are divided into a maximum of 25 groups. One group can contain up to 8 ports.<br />
• The ports in the group do not need to be contiguous.<br />
• A load share group must use ports that are all of the same maximum b<strong>and</strong>width capability.<br />
• When using load sharing with the ESRP host attach feature, configure all ports in the same<br />
load-sharing group as host attach ports. When using load sharing with the ESRP don’t count feature,<br />
configure all ports in the same load-sharing group as don’t count ports. For further information<br />
about the ESRP host attach feature, see the <strong><strong>Extreme</strong>Ware</strong> Software <strong>User</strong> <strong>Guide</strong>.<br />
NOTE<br />
Disabling a port that is part of a load-sharing group is not supported.<br />
Loopback Detection<br />
Each port may enable loop detection. This optional feature detects that a port has been looped back to<br />
the local system. If a loopback is detected, the port is disabled. Note that loopbacks may exist between<br />
different ports. The feature will disable any port that both has the feature enabled, <strong>and</strong> receives an<br />
LACP message that was sent from the local system.<br />
To enable or disable loopback detection, use the following comm<strong>and</strong>s:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 73
Configuring Ports<br />
enable lbdetect port [retry-timeout]<br />
disable lbdetect port <br />
Load Sharing Examples<br />
This section provides examples of how to define load-sharing onvarious Summit switches.<br />
Load Sharing on a Summit 300-48 Switch<br />
The following example defines a load sharing group that contains ports 1:9 through 1:12, <strong>and</strong> uses the<br />
first port in the group as the master logical port 1:9:<br />
enable sharing 1:9 grouping 1:9-1:12<br />
In this example, logical port 1:9 represents physical ports 1:9 through 1:12.<br />
When using load sharing, you must reference the master logical port of the load-sharing group (port 1:9<br />
in the previous example) when configuring or viewing VLANs. Configuration of member ports is not<br />
permitted. VLANs configured to use other ports in the load-sharing group will have those ports deleted<br />
from the VLAN when load sharing becomes enabled.<br />
Load Sharing on Summit 200, Summit 300-24 <strong>and</strong> Summit 400 Switches<br />
The following example defines a load-sharing group that contains ports 9 through 12, <strong>and</strong> uses the first<br />
port in the group as the master logical port 9:<br />
enable sharing 9 grouping 9-12<br />
In this example, logical port 9 represents physical ports 9 through 12.<br />
When using load sharing, you must reference the master logical port of the load-sharing group (port 1:9<br />
in the previous example) when configuring or viewing VLANs. Configuration of member ports is not<br />
permitted. VLANs configured to use other ports in the load-sharing group will have those ports deleted<br />
from the VLAN when load sharing becomes enabled.<br />
Verifying the Load-Sharing Configuration<br />
The screen output resulting from the show ports sharing comm<strong>and</strong> lists the ports that are involved in<br />
load sharing <strong>and</strong> the master logical port identity.<br />
-----------------------------------<br />
* Summit400-48t:46 # show ports sharing<br />
Load Sharing Monitor<br />
Config Current Ld Share Ld Share Link Link<br />
Master Master Type Group Status Ups<br />
==========================================================<br />
37 37 a 37 A 1<br />
a 38 R 0<br />
a 39 A 1<br />
a 40 A 1<br />
a 41 A 1<br />
74 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Switch Port-Mirroring<br />
a 42 A 1<br />
Link Status: (A) Active, (D) Disabled, (LB) Loopback, (ND) Not Distributing<br />
(NP) Not Present, (R) Ready<br />
Ld Share Type: (a) address based<br />
Switch Port-Mirroring<br />
Port-mirroring configures the switch to copy all traffic associated with one or more ports. The monitor<br />
port can be connected to a network analyzer or RMON probe for packet analysis. The system uses a<br />
traffic filter that copies a group of traffic to the monitor port.<br />
NOTE<br />
Port mirroring is not supported with CPU-generated traffic.<br />
You can define the traffic filter based on the physical port. All data that traverses the port, regardless of<br />
VLAN configuration, is copied to the monitor port.<br />
Up to eight mirroring filters <strong>and</strong> one monitor port can be configured. Once a port is specified as a<br />
monitor port, it cannot be used for any other function.<br />
For optimum performance, mirror three or fewer ports at any given time.<br />
NOTE<br />
Frames that contain errors are not mirrored.<br />
The mirrored port always transmits tagged frames. The default port tag is added to any untagged<br />
packets as they are mirrored. Because frames are always tagged, you can mirror multiple ports or<br />
VLANs to a mirror port, while preserving the ability of a single protocol analyzer to track <strong>and</strong><br />
differentiate traffic within a broadcast domain (VLAN) <strong>and</strong> across broadcast domains (for example,<br />
across VLANs when routing).<br />
On the Summit 200-48 switch, all ports specified by mirror filters as well as the mirror output port must<br />
belong to the same port group. Port group 1 consists of ports 1 through 24 <strong>and</strong> port 49; port group 2<br />
consists of ports 25 through 48 <strong>and</strong> port 50.<br />
On the Summit 300, mirror ports <strong>and</strong> monitor ports should both be confined to the following ranges:<br />
1:1-1:24, 1:25-1:48, 1:49-1:52.<br />
To enable port mirroring, use the following comm<strong>and</strong>:<br />
enable mirroring to port [] tagged<br />
To configure the switch for port mirroring, use the following comm<strong>and</strong>:<br />
configure mirroring add ports <br />
When a mirrored port is configured, the forwarding database for items being mirrored (e.g., ports or<br />
VLANs) is automatically cleared if the link status on the mirrored port changes. This clearing results in<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 75
Configuring Ports<br />
some temporary flooding until the normal learning process completes. Removing or inserting a probe<br />
device into the mirror port may appear to cause flooding, but this temporary condition is normal. The<br />
same packet cannot be mirrored twice. The mirrored port output of layer 3 forwarding shows the packet<br />
state from the switch to the next hop.<br />
Port-Mirroring Examples<br />
This section provides port-mirroring examples on various Summit switches.<br />
Summit 300 Example<br />
The following example selects port 1:3 as the mirror port <strong>and</strong> sends all traffic coming into or out of the<br />
switch on port 1:1 to the mirror port:<br />
enable mirroring to port 1:3 tagged<br />
config mirroring add port 1:1<br />
Summit 200 <strong>and</strong> 400 Example<br />
The following example selects port 3 as the mirror port <strong>and</strong> sends all traffic coming into or out of the<br />
switch on port 1 to the mirror port:<br />
enable mirroring to port 3 tagged<br />
configure mirroring add port 1<br />
<strong>Extreme</strong> Discovery Protocol<br />
The <strong>Extreme</strong> Discovery Protocol (EDP) is used to gather information about neighbor <strong>Extreme</strong> <strong>Networks</strong><br />
switches. EDP is used by the switches to exchange topology information. EDP is also used by the<br />
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol (ESRP), described in Chapter 15. Information communicated using<br />
EDP includes:<br />
• Switch MAC address (switch ID).<br />
• Switch software version information.<br />
• Switch IP address.<br />
• Switch VLAN-IP information.<br />
• Switch port number.<br />
CAUTION<br />
EDP is enabled on all ports by default. With EDP enabled, none of the wireless ports will be able to<br />
participate in the Access Adapt protocol which is based on EDP. For more information about wireless<br />
ports, see Chapter 6.<br />
To disable EDP on one or more ports, use the following comm<strong>and</strong>:<br />
disable edp ports [ | all]<br />
To enable EDP on specified ports, use the following comm<strong>and</strong>:<br />
enable edp ports [ | all]<br />
76 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
1<br />
4<br />
17<br />
20<br />
5 21<br />
Software-Controlled Redundant Port <strong>and</strong> Smart Redundancy<br />
To view EDP port information on the switch, use the following comm<strong>and</strong>:<br />
show edp {vlan }<br />
Software-Controlled Redundant Port <strong>and</strong><br />
Smart Redundancy<br />
Using the software-controlled redundant port feature you can back up a specified Ethernet port<br />
(primary) with a redundant, dedicated Ethernet port (backup). If the primary port fails, the switch will<br />
establish a link on the backup port <strong>and</strong> the backup port becomes active.<br />
Smart Redundancy is a feature that allows control over how the failover from a backup port to the<br />
primary port is managed. If this feature is enabled, the switch will attempt to revert to the primary port<br />
as soon as it can be recovered. If the feature is disabled, the switch will only attempt to reset the<br />
primary port active if the backup port fails.<br />
NOTE<br />
Smart redundancy is not supported in switches using software redundant ports <strong>and</strong> load sharing.<br />
Typical configurations of software-controlled redundant ports include dual-homing from a single switch<br />
to two different switches (shown in Figure 1) <strong>and</strong> redundant links between two switches (shown in<br />
Figure 2).<br />
Figure 1: Dual-homed redundant link<br />
1<br />
2<br />
3<br />
4<br />
5<br />
6<br />
7<br />
8<br />
9<br />
10<br />
11<br />
12<br />
13<br />
14<br />
15<br />
16<br />
17<br />
18<br />
19<br />
20<br />
21<br />
22<br />
23<br />
24<br />
25<br />
26<br />
27<br />
28<br />
29 30 31 32<br />
Primary<br />
Backup<br />
1 2 3 4 A B 5 6 7 8<br />
ES4K003<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 77
1<br />
4<br />
17<br />
20<br />
5 21<br />
Configuring Ports<br />
Figure 2: Redundant link between two switches<br />
Primary<br />
Backup<br />
1 2 3 4 A B 5 6 7 8<br />
Only one side of the link needs to be configured as redundant, since the redundant port link is held in<br />
st<strong>and</strong>by state on both sides of the link.<br />
ES4K004<br />
Software-Controlled Redundant Load-Shared Port Groups<br />
A load-shared group of Ethernet ports (primary group) can be backed up with a set of load-shared<br />
redundant Ethernet ports (backup group) similar to configuring individual redundant ports. If the<br />
primary load-shared group is active <strong>and</strong> any link in the group fails, the entire group fails over to the<br />
backup group.<br />
Smart Redundancy is not available for software-controlled redundant load-shared groups, so the switch<br />
will only attempt to revert to the primary group if a port in the backup group fails <strong>and</strong> the associated<br />
link in the primary group can be re-established.<br />
Limitations of Software-Controlled Redundant Ports <strong>and</strong> Port Groups<br />
Software-controlled redundant ports <strong>and</strong> port groups have the following limitations:<br />
• Software-controlled redundant ports can only cover failures where both the TX <strong>and</strong> RX paths fail.<br />
For example, if only one optical fiber was damaged or disconnected, the software-controlled<br />
redundant port would not recognize this as a port failure, <strong>and</strong> no switch to the backup would occur.<br />
• Auto-negotiation must be enabled on all ports that are associated with the redundant links. This<br />
includes the primary <strong>and</strong> backup ports or load-shared port groups, <strong>and</strong> the associated ports on the<br />
far-end switch(es). For 10 Gigabit Ethernet ports auto-negotiation is not supported, nor is it required<br />
for this feature to work.<br />
• The primary port configuration is not automatically applied to the backup port., so you must<br />
separately configure both the primary <strong>and</strong> backup ports. This includes items such as VLANs, QoS,<br />
<strong>and</strong> access control lists.<br />
• The port speeds of software controlled redundant ports must be identical.<br />
• You can configure only one redundant port for each primary port.<br />
• You cannot load share two physical ports that are configured as software-controlled redundant ports.<br />
• Members of the same load sharing trunk cannot be configured as software-controlled redundant<br />
ports.<br />
78 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Automatic Failover for Combination Ports<br />
• Dual-homing of load-shared, software-controlled redundant port groups is not supported.<br />
Configuring Software-Controlled Redundant Ports<br />
When provisioning software-controlled redundant ports, configure only one side of the link as<br />
redundant. In Figure 1 <strong>and</strong> Figure 2 only the ports on the lower switch would be configured as<br />
redundant.<br />
In order to enable the software-controlled redundant port feature the primary <strong>and</strong> backup ports must be<br />
set up identically. This will include VLAN configuration, QoS settings, <strong>and</strong> any Access Control List<br />
configurations. Finally, all ports (primary, secondary, <strong>and</strong> both of the associated far-end ports) must be<br />
configured to have auto-negotiation enabled.<br />
To configure a software-controlled redundant port, use the following comm<strong>and</strong>:<br />
configure ports [ | ] redundant [ | ]<br />
The first port specified is the primary port. The second port specified is the redundant port.<br />
To unconfigure a software-controlled redundant port, use the following comm<strong>and</strong>:<br />
unconfigure ports [ | ] redundant<br />
To configure the switch for the Smart Redundancy feature, use the following comm<strong>and</strong>:<br />
enable smartredundancy <br />
To disable the Smart Redundancy feature, use the following comm<strong>and</strong>:<br />
disable smartredundancy []<br />
Configuring Automatic Failover for Combination Ports<br />
All Summit “e” series allow for automatic failover on combination ports. However, the implementation<br />
of the failover behavior varies somewhat by Summit model.<br />
Summit 200 Automatic Failover<br />
The Summit 200 supports an automatic failover from an active fiber port to a copper back up or from an<br />
active copper port to a fiber port. If one of the uplink connections fails, then the Summit 200 uplink<br />
connection automatically fails over to the second connection. The preferred medium is fiber <strong>and</strong> cannot<br />
be configured.<br />
On the Summit 200-24, ports 25 <strong>and</strong> 26 are the Gigabit Ethernet ports that have the redundant PHY<br />
interfaces. On the Summit 200-48, it is ports 49 <strong>and</strong> 50. Each port has one mini-GBIC <strong>and</strong> 1000BASE-T<br />
connection.<br />
To set up a redundant link on either port 25 or on port 49, connect the active fibre <strong>and</strong> 1000BASE-T<br />
links to both the RJ-45 <strong>and</strong> mini-GBIC interfaces of that port.<br />
Summit 200-24 Switch Uplink Redundancy<br />
Gigabit Ethernet uplink redundancy on the Summit 200-24 switch follows these rules:<br />
• Ports 25 <strong>and</strong> 26 are Gigabit Ethernet ports that have redundant PHY interfaces, one mini-GBIC <strong>and</strong><br />
one 1000BASE-T connection for each port.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 79
Configuring Ports<br />
• Each of the uplink Gigabit Ethernet ports (25 <strong>and</strong> 26) can use either the mini-GBIC or the<br />
1000BASE-T interface, but not both simultaneously.<br />
• Only one interface on each port can be active at a time. For example, on port 25, with both the<br />
mini-GBIC <strong>and</strong> 1000BASE-T interfaces connected, only one interface can be activated. The other is<br />
inactive. If both interfaces are connected, the switch defaults to the fiber interface (mini-GBIC) <strong>and</strong><br />
deactivates the 1000BASE-T interface.<br />
• If only one interface is connected, the switch activates the connected interface.<br />
• To set up a redundant link on port 25, connect the active fibre <strong>and</strong> 1000BASE-T links to both the<br />
RJ-45 <strong>and</strong> mini-GBIC interfaces of port 25. The switch defaults to the fiber link. If the fiber link fails<br />
during operation, the switch automatically activates the redundant 1000BASE-T link.<br />
Summit 200-48 Switch Uplink Redundancy<br />
Gigabit Ethernet uplink redundancy on the Summit 200-48 switch follows these rules:<br />
• Ports 49 <strong>and</strong> 50 are Gigabit Ethernet ports that have redundant PHY interfaces, one mini-GBIC <strong>and</strong><br />
one 1000BASE-T connection for each port.<br />
• Each of the uplink Gigabit Ethernet ports (49 <strong>and</strong> 50) can use either the mini-GBIC or<br />
the1000BASE-T interface, but not both simultaneously.<br />
• Only one interface on each port can be active at a time. For example, on port 49, with both the<br />
mini-GBIC <strong>and</strong> 1000BASE-T interfaces connected, only one interface can be activated. The other is<br />
inactive. If both interfaces are connected, the switch defaults to the fiber interface (mini-GBIC) <strong>and</strong><br />
deactivates the 1000BASE-T interface.<br />
• If only one interface is connected, the switch activates the connected interface.<br />
• To set up a redundant link on port 49, connect the active fibre <strong>and</strong> 1000BASE-T links to both the<br />
RJ-45 <strong>and</strong> mini-GBIC interfaces of port 49. The switch defaults to the fiber link. If the fiber link fails<br />
during operation, the switch automatically activates the redundant 1000BASE-T link.<br />
Summit 300 Automatic Failover<br />
The Summit 300 switches provides dual-media support on GigE ports. On the Summit 300-24, ports 24<br />
<strong>and</strong> 25 are Gigabit Ethernet ports that have redundant PHY interfaces, one mini-GBIC <strong>and</strong> one<br />
1000BASE-T connection for each port. On the Summit 300-48 it is ports 49-52 that are dual-mode<br />
redundant ports. Only one media type (fiber or copper) can be active at the same time. The Summit<br />
models follow the same failover behavior as the Summit 400. For details of that behavior, see “Summit<br />
400 Automatic Failover”.<br />
Summit 400 Automatic Failover<br />
Allows you to configure all of the 1 Gigabit fiber ports <strong>and</strong> the first four 10/100/1000 copper ports for<br />
redundancy.<br />
The four fiber ports <strong>and</strong> the first four of the 10/100/1000BASE-T ports are designed as combination<br />
ports for uplink redundancy. When sharing ports, only the fiber medium or only the copper medium<br />
can be active at the same time. If copper medium 1 goes down while transmitting packets, fiber<br />
medium 1X activates <strong>and</strong> becomes the primary link. See Figure 3 for a diagram of these combination<br />
ports.<br />
80 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Automatic Failover for Combination Ports<br />
Figure 3: Redundancy cabling<br />
1<br />
3<br />
1<br />
3<br />
2<br />
4<br />
2<br />
4<br />
ES4K019<br />
The switch determines whether the port uses the primary or redundant media is based upon the order<br />
in which the connectors are inserted into the switch. When the switch senses a mini-GBIC <strong>and</strong> a copper<br />
connector are inserted, the switch enables the uplink redundancy feature. For example, if you insert<br />
mini-GBICs into ports 1X <strong>and</strong> 3X first, <strong>and</strong> then connect copper ports 1 <strong>and</strong> 3, the switch assigns ports 1<br />
<strong>and</strong> 3 as redundant ports.<br />
The switch determines the selection of a copper or fiber medium by the order in which the connectors<br />
are first inserted into the switch. For example, if you inserted a SFP connector into 1X <strong>and</strong> then a<br />
Ethernet cable connector into port 1, fiber becomes the primary uplink port <strong>and</strong> port 1 becomes the<br />
redundant port.<br />
Hardware determines when a link is lost <strong>and</strong> swaps the primary <strong>and</strong> redundant ports to maintain<br />
stability. After a failover occurs, the switch keeps or sticks with the current port assignment until there<br />
is another failure or a user changes the assignment using the CLI. To change the uplink failover<br />
assignment, use the following comm<strong>and</strong>:<br />
configure ports preferred-medium {copper} | {fiber} |[force]<br />
The default preferred-medium is fiber. If you use the force option, it disables automatic failover. If you<br />
force the preferred-medium to fiber <strong>and</strong> the fiber link goes away, the copper link is not used, even if<br />
available.<br />
Automatic Failover Examples<br />
If we can establish port 4 as the primary uplink <strong>and</strong> port 4X as the redundant uplink port using the<br />
CLI:<br />
configure ports 4 preferred-medium copper<br />
Port 4 becomes the primary uplink until a failure occurs on that link. At that time, fiber port 4X<br />
becomes the primary uplink <strong>and</strong> port 4 becomes the redundant port. This assignment stays in place<br />
until the next failure. However, if the 4X port is currently the primary medium when the comm<strong>and</strong> is<br />
issued, the comm<strong>and</strong> does not have an immediate effect.<br />
In the next example, we force the switch to immediately start using the fiber port (if it currently has a<br />
link):<br />
configure ports 3 preferred-medium fiber force<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 81
Configuring Ports<br />
In this example, port 3X becomes the only uplink port. If the preferred-medium was copper when the<br />
comm<strong>and</strong> is issued, the switch immediately switches over <strong>and</strong> begins using the fiber port. If a failure<br />
occurs on the fiber port, the switch does not use the copper port as a redundant link. To allow the<br />
redundant uplink feature to be used again, issue this comm<strong>and</strong>:<br />
configure ports 3 preferred-medium fiber<br />
82 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
5 Virtual LANs (VLANs)<br />
This chapter covers the following topics:<br />
• Overview of Virtual LANs on page 83<br />
• Types of VLANs on page 84<br />
• VLAN Names on page 90<br />
• Configuring VLANs on the Switch on page 91<br />
• Displaying VLAN Settings on page 93<br />
• MAC-Based VLANs on page 93<br />
Setting up Virtual Local Area <strong>Networks</strong> (VLANs) on the switch eases many time-consuming tasks of<br />
network administration while increasing efficiency in network operations.<br />
Overview of Virtual LANs<br />
The term VLAN is used to refer to a collection of devices that communicate as if they were on the same<br />
physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN. LAN<br />
segments are not restricted by the hardware that physically connects them. The segments are defined by<br />
flexible user groups you create with the comm<strong>and</strong> line interface.<br />
Benefits<br />
Implementing VLANs on your networks has the following advantages:<br />
• VLANs help to control traffic—With traditional networks, congestion can be caused by broadcast<br />
traffic that is directed to all network devices, regardless of whether they require it. VLANs increase<br />
the efficiency of your network because each VLAN can be set up to contain only those devices that<br />
must communicate with each other.<br />
• VLANs provide extra security—Devices within each VLAN can only communicate with member<br />
devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN<br />
Sales, the traffic must cross a routing device.<br />
• VLANs ease the change <strong>and</strong> movement of devices—With traditional networks, network<br />
administrators spend much of their time dealing with moves <strong>and</strong> changes. If users move to a<br />
different subnetwork, the addresses of each endstation must be updated manually.<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 83
Virtual LANs (VLANs)<br />
Types of VLANs<br />
VLANs can be created according to the following criteria:<br />
• Physical port<br />
• 802.1Q tag<br />
• Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type<br />
• MAC address<br />
• A combination of these criteria<br />
Port-Based VLANs<br />
In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch. All ports<br />
are members of the port-based VLAN default. Before you can add any port to another port-based VLAN,<br />
you must remove it from the default VLAN, unless the new VLAN uses a protocol other than the<br />
default protocol any. A port can be a member of only one port-based VLAN.<br />
The Summit 200, Summit 300, <strong>and</strong> Summit 400 series of switches support L2 port-based VLANs.<br />
The following example in Figure 4 shows a Summit 200-24 switch. Ports 1 through 8 <strong>and</strong> port 26 are<br />
part of VLAN Sales; ports 9 through 16, <strong>and</strong> port 25 are part of VLAN Finance; <strong>and</strong> ports 17 through 24<br />
are part of VLAN Marketing.<br />
Figure 4: Example of a port-based VLAN on the Summit 200-24 switch<br />
Marketing<br />
Finance<br />
Sales<br />
LC24004<br />
For the members of the different IP VLANs to communicate, the traffic must be routed by the switch.<br />
This means that each VLAN must be configured as a router interface with a unique IP address.<br />
Spanning Switches with Port-Based VLANs<br />
To create a port-based VLAN that spans two switches, you must do two things:<br />
1 Assign the port on each switch to the VLAN.<br />
2 Cable the two switches together using one port on each switch per VLAN.<br />
Figure 5 illustrates a single VLAN that spans a BlackDiamond switch <strong>and</strong> a Summit 300-48 switch. All<br />
ports on the BlackDiamond switch belong to VLAN Sales. Ports 1:1 through 1:24, <strong>and</strong> port 1:26 on the<br />
Summit 300-48 switch also belong to VLAN Sales. The two switches are connected using slot 8, port 4<br />
on system 1 (the BlackDiamond switch), <strong>and</strong> port 1:26 on system 2 (the Summit 300-48 switch).<br />
84 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
1<br />
2<br />
3<br />
4<br />
1<br />
2<br />
3<br />
4<br />
1<br />
2<br />
3<br />
4<br />
Types of VLANs<br />
Figure 5: Single port-based VLAN spanning two switches<br />
System 1<br />
Sales<br />
1 2 3 4 A B 5 6 7 8<br />
System 2<br />
LB48006<br />
To create multiple VLANs that span two switches in a port-based VLAN, a port on system 1 must be<br />
cabled to a port on system 2 for each VLAN you want to have span across the switches. At least one<br />
port on each switch must be a member of the corresponding VLANs, as well.<br />
Figure 6 illustrates two VLANs spanning two switches. On system 2, port 1X <strong>and</strong> ports 25 through 28<br />
are part of VLAN Accounting; ports 21 through 24 <strong>and</strong> ports 2X through 4X are part of VLAN<br />
Engineering. On system 1, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of<br />
VLAN Engineering.<br />
Figure 6: Two port-based VLANs spanning two switches<br />
System 1<br />
1 2 3 4 A B 5 6 7 8<br />
Accounting<br />
System 2<br />
Engineering<br />
ES4K007A<br />
VLAN Accounting spans system 1 <strong>and</strong> system 2 by way of a connection between system 2, port 1X <strong>and</strong><br />
system 1, slot 1, port 6. VLAN Engineering spans system 1 <strong>and</strong> system 2 by way of a connection between<br />
system 2, port 2X, <strong>and</strong> system 1, slot 8, port 6.<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 85
Virtual LANs (VLANs)<br />
Using this configuration, you can create multiple VLANs that span multiple switches, in a<br />
daisy-chained fashion. Each switch must have a dedicated port for each VLAN. Each dedicated port<br />
must be connected to a port that is a member of its VLAN on the next switch.<br />
Tagged VLANs<br />
Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the<br />
identification number of a specific VLAN, called the VLANid. The Summit 200, Summit 300, <strong>and</strong><br />
Summit 400 series of switches support tagged VLANs.<br />
NOTE<br />
The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the<br />
current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other<br />
devices, <strong>and</strong> may also lead to connectivity problems if non-802.1Q bridges or routers are placed in the<br />
path. The tag also carries the 802.1 (802.1p) priority bits. This is the only way priority information can<br />
be shared between seperate devices (hosts, switches/routers <strong>and</strong> so on).<br />
Uses of Tagged VLANs<br />
Tagging is most commonly used to create VLANs that span switches. The switch-to-switch connections<br />
are typically called trunks. Using tags, multiple VLANs can span multiple switches using one or more<br />
trunks. In a port-based VLAN, each VLAN requires its own pair of trunk ports, as shown in Figure 6.<br />
Using tags, multiple VLANs can span two switches with a single trunk.<br />
Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This is<br />
particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The<br />
device must have a NIC that supports 802.1Q tagging.<br />
A single port can be a member of only one port-based VLAN. All additional VLAN membership for the<br />
port must be accompanied by tags. In addition to configuring the VLAN tag for the port, the server<br />
must have a Network Interface Card (NIC) that supports 802.1Q tagging.<br />
Assigning a VLAN Tag<br />
Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag<br />
defined, you decide whether each port will use tagging for that VLAN. The default mode of the switch<br />
is to have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1<br />
assigned.<br />
Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of the switch, the<br />
switch determines (in real time) if each destination port should use tagged or untagged packet formats<br />
for that VLAN. The switch adds <strong>and</strong> strips tags, as required, by the port configuration for that VLAN.<br />
NOTE<br />
Packets arriving tagged with a VLANid that is not configured on a port will be discarded.<br />
Figure 7 illustrates the physical view of a network that uses tagged <strong>and</strong> untagged traffic.<br />
86 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
Types of VLANs<br />
Figure 7: Physical diagram of tagged <strong>and</strong> untagged traffic<br />
M = Marketing<br />
S = Sales<br />
= Tagged port<br />
Marketing & Sales<br />
System 1<br />
S<br />
M<br />
S<br />
802.1Q<br />
Tagged server<br />
1 2 3 4 A B 5 6 7 8<br />
50015<br />
M<br />
M<br />
1<br />
M<br />
2<br />
S<br />
3<br />
S<br />
4<br />
S<br />
S<br />
System 2<br />
ES4K008<br />
Figure 8 is a logical diagram of the same network.<br />
Figure 8: Logical diagram of tagged <strong>and</strong> untagged traffic<br />
System 1<br />
Ports 1-8<br />
Marketing<br />
System 2<br />
Slot 1, Port 2<br />
Slot 2, Ports 1-8 & 17-24<br />
System 1<br />
Port 33 *<br />
Port 1X *<br />
System 2<br />
Slot 1, Port 1 *<br />
Sales<br />
System 1<br />
Ports 25-32 & 4X<br />
System 2<br />
Slot 1, Port 3<br />
Slot 1, Port 4<br />
Slot 2, Ports 9-16 & 25-32<br />
*Tagged Ports<br />
ES4K020<br />
In Figure 7 <strong>and</strong> Figure 8:<br />
• The trunk port on each switch carries traffic for both VLAN Marketing <strong>and</strong> VLAN Sales.<br />
• The trunk port on each switch is tagged.<br />
• The server connected to port 33 on system 1 has a NIC that supports 802.1Q tagging.<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 87
Virtual LANs (VLANs)<br />
• The server connected to port 33 on system 1 is a member of both VLAN Marketing <strong>and</strong> VLAN Sales.<br />
• All other stations use untagged traffic.<br />
As data passes out of the switch, the switch determines if the destination port requires the frames to be<br />
tagged or untagged. All traffic coming from <strong>and</strong> going to the server is tagged. Traffic coming from <strong>and</strong><br />
going to the trunk ports is tagged. The traffic that comes from <strong>and</strong> goes to the other stations on this<br />
network is not tagged.<br />
Mixing Port-Based <strong>and</strong> Tagged VLANs<br />
You can configure the switch using a combination of port-based <strong>and</strong> tagged VLANs. A given port can<br />
be a member of multiple VLANs, with the stipulation that only one of its VLANs uses untagged traffic.<br />
In other words, a port can simultaneously be a member of one port-based VLAN <strong>and</strong> multiple<br />
tag-based VLANs.<br />
NOTE<br />
For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a<br />
VLANid of zero are treated as untagged.<br />
Protocol-Based VLANs—Summit 400 only<br />
Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria<br />
to determine if a particular packet belongs to a particular VLAN.<br />
Protocol-based VLANs are most often used in situations where network segments contain hosts running<br />
multiple protocols. For example, in Figure 9, the hosts are running both the IP <strong>and</strong> NetBIOS protocols.<br />
The IP traffic has been divided into two IP subnets, 192.207.35.0 <strong>and</strong> 192.207.36.0. The subnets are<br />
internally routed by the switch. The subnets are assigned different VLAN names, Finance <strong>and</strong> Personnel,<br />
respectively. The remainder of the traffic belongs to the VLAN named MyCompany. All ports are<br />
members of the VLAN MyCompany.<br />
88 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
Types of VLANs<br />
Figure 9: Protocol-based VLANs<br />
1 2 3 4 A B 5 6 7 8<br />
192.207.35.1<br />
192.207.36.1<br />
192.207.35.0<br />
Finance<br />
My Company<br />
192.207.36.0<br />
Personnel<br />
1<br />
2 3 4<br />
= IP traffic<br />
= All other traffic<br />
BD_007<br />
Predefined Protocol Filters<br />
The following protocol filters are predefined on the switch:<br />
• IP<br />
• IPX<br />
• NetBIOS<br />
• DECNet<br />
• IPX_8022<br />
• IPX_SNAP<br />
• AppleTalk<br />
Defining Protocol Filters<br />
If necessary, you can define a customized protocol filter based on EtherType, Logical Link Control<br />
(LLC), <strong>and</strong>/or Subnetwork Access Protocol (SNAP). Up to six protocols may be part of a protocol filter.<br />
To define a protocol filter, follow these steps:<br />
1 Create a protocol using the following comm<strong>and</strong>:<br />
create protocol <br />
For example:<br />
create protocol fred<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 89
Virtual LANs (VLANs)<br />
The protocol name can have a maximum of 32 characters.<br />
2 Configure the protocol using the following comm<strong>and</strong>:<br />
configure protocol add <br />
{ } ...<br />
Supported protocol types include:<br />
— etype—EtherType.<br />
The values for etype are four-digit hexadecimal numbers taken from a list maintained by the<br />
IEEE. This list can be found at the following URL:<br />
http://st<strong>and</strong>ards.ieee.org/regauth/ethertype/index.html<br />
— llc—LLC Service Advertising Protocol (SAP).<br />
The values for llc are four-digit hexadecimal numbers that are created by concatenating a<br />
two-digit LLC Destination SAP (DSAP) <strong>and</strong> a two-digit LLC Source SAP (SSAP).<br />
— snap—Ethertype inside an IEEE SNAP packet encapsulation.<br />
The values for snap are the same as the values for etype, described previously.<br />
For example:<br />
configure protocol fred add llc feff<br />
configure protocol fred add snap 9999<br />
A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined. On<br />
products that use the Inferno chip set, all 15 protocol filters can be active <strong>and</strong> configured for use. On all<br />
other platforms, no more than seven protocols can be active <strong>and</strong> configured for use.<br />
NOTE<br />
or more information on SNAP for Ethernet protocol types, see TR 11802-5:1997 (ISO/IEC) [ANSI/IEEE<br />
std. 802.1H, 1997 Edition].<br />
Deleting a Protocol Filter<br />
If a protocol filter is deleted from a VLAN, the VLAN is assigned a protocol filter of none. You can<br />
continue to configure the VLAN. However, no traffic is forwarded to the VLAN until a protocol is<br />
assigned to it.<br />
Precedence of Tagged Packets Over Protocol Filters<br />
If a VLAN is configured to accept tagged packets on a particular port, incoming packets that match the<br />
tag configuration take precedence over any protocol filters associated with the VLAN.<br />
VLAN Names<br />
Each VLAN is given a name that can be up to 32 characters. VLAN names can use st<strong>and</strong>ard<br />
alphanumeric characters. The following characters are not permitted in a VLAN name:<br />
• Space<br />
• Comma<br />
• Quotation mark<br />
90 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
Configuring VLANs on the Switch<br />
VLAN names must begin with an alphabetical letter. Quotation marks can be used to enclose a VLAN<br />
name that includes special characters, including single quotation marks or commas. Spaces may not be<br />
included, even within quotation marks. For example, the names test, test1, <strong>and</strong> test_15 are acceptable<br />
VLAN names. The names “test&5” <strong>and</strong> “joe’s” may be used if enclosed in quotation marks. Names such<br />
as “5test” or “test 5” are not permitted.<br />
VLAN names can be specified using the tab key for comm<strong>and</strong> completion.<br />
VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to<br />
that switch. If another switch is connected to it, the VLAN names have no significance to the other<br />
switch.<br />
NOTE<br />
You should use VLAN names consistently across your entire network.<br />
Default VLAN<br />
The switch ships with one default VLAN that has the following properties:<br />
• The VLAN name is default.<br />
• It contains all the ports on a new or initialized switch.<br />
• The default VLAN is untagged on all ports. It has an internal VLANid of 1.<br />
Renaming a VLAN<br />
To rename an existing VLAN, use the following comm<strong>and</strong>:<br />
configure vlan name <br />
The following rules apply to renaming VLANs:<br />
• Once you change the name of the default VLAN, it cannot be changed back to default.<br />
• You cannot create a new VLAN named default.<br />
• You cannot change the VLAN name MacVlanDiscover. Although the switch accepts a name change,<br />
once it is rebooted, the original name is recreated.<br />
Configuring VLANs on the Switch<br />
This section describes the comm<strong>and</strong>s associated with setting up VLANs on the switch. Configuring a<br />
VLAN involves the following steps:<br />
1 Create <strong>and</strong> name the VLAN.<br />
2 Assign an IP address <strong>and</strong> mask (if applicable) to the VLAN, if needed.<br />
NOTE<br />
Each IP address <strong>and</strong> mask assigned to a VLAN must represent a unique IP subnet. You cannot<br />
configure the same IP subnet on different VLANs.<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 91
Virtual LANs (VLANs)<br />
NOTE<br />
If you plan to use this VLAN as a control VLAN for an EAPS domain, do NOT assign an IP address to<br />
the VLAN.<br />
3 Assign a VLANid, if any ports in this VLAN will use a tag.<br />
4 Assign one or more ports to the VLAN.<br />
As you add each port to the VLAN, decide if the port will use an 802.1Q tag.<br />
VLAN Configuration Examples<br />
The following example creates a port-based VLAN named accounting, assigns the IP address<br />
132.15.121.1, <strong>and</strong> assigns ports 1, 2, 3, <strong>and</strong> 6:<br />
create vlan accounting<br />
configure accounting ipaddress 132.15.121.1<br />
configure default delete port 1-3,6<br />
configure accounting add port 1-3,6<br />
NOTE<br />
Because VLAN names are unique, you do not need to enter the keyword vlan after you have created<br />
the unique VLAN name. You can use the VLAN name alone.<br />
The following example creates a tag-based VLAN named video on either a Summit 200 or Summit 400<br />
series switch. It assigns the VLANid 1000. Ports 4 through 8 are added as tagged ports to the VLAN.<br />
create vlan video<br />
configure video tag 1000<br />
configure video add port 4-8 tagged<br />
On the Summit 300-48 switch, you would code this example as:<br />
create vlan video<br />
config video tag 1000<br />
config video add port 1:4-1:8 tagged<br />
The following example creates a VLAN named sales, with the VLANid 120 on either a Summit 200 or<br />
Summit 400 series switch. The VLAN uses both tagged <strong>and</strong> untagged ports. Ports 1 through 3 are<br />
tagged, <strong>and</strong> ports 4 <strong>and</strong> 7 are untagged. Note that when not explicitly specified, ports are added as<br />
untagged.<br />
create vlan sales<br />
configure sales tag 120<br />
configure sales add port 1-3 tagged<br />
configure default delete port 4,7<br />
configure sales add port 4,7<br />
On the Summit 300-48 switch, you would code this example as:<br />
create vlan sales<br />
config sales tag 120<br />
config sales add port 1:1-1:3 tagged<br />
92 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
Displaying VLAN Settings<br />
config sales add port 1:4,1:7<br />
Displaying VLAN Settings<br />
To display VLAN settings, use the following comm<strong>and</strong>:<br />
show vlan {} }<br />
The show comm<strong>and</strong> displays summary information about a specific VLAN, which includes:<br />
• Name.<br />
• VLANid.<br />
• How the VLAN was created.<br />
• IP address.<br />
• STPD information.<br />
• Protocol information.<br />
• QoS profile information.<br />
• Ports assigned.<br />
• Tagged/untagged status for each port.<br />
• How the ports were added to the VLAN.<br />
• Number of VLANs configured on the switch.<br />
Use the detail option to display the detailed format.<br />
MAC-Based VLANs<br />
MAC-based VLANs allow physical ports to be mapped to a VLAN based on the source MAC address<br />
learned in the FDB. This feature allows you to designate a set of ports that have their VLAN<br />
membership dynamically determined by the MAC address of the end station that plugs into the<br />
physical port. You can configure the source MAC address-to-VLAN mapping either offline or<br />
dynamically on the switch. For example, you could use this application for a roaming user who wants<br />
to connect to a network from a conference room. In each room, the user plugs into one of the designated<br />
ports on the switch <strong>and</strong> is mapped to the appropriate VLAN. Connectivity is maintained to the network<br />
with all of the benefits of the configured VLAN in terms of QoS, routing, <strong>and</strong> protocol support.<br />
MAC-Based VLAN <strong>Guide</strong>lines<br />
When using the MAC-to-VLAN mapping, consider the following guidelines:<br />
• A port can only accept connections from an endstation/host <strong>and</strong> should not be connected to a<br />
layer-2 repeater device. Connecting to a layer-2 repeater device can cause certain addresses to not be<br />
mapped to their respective VLAN if they are not correctly configured in the MAC-VLAN<br />
configuration database. If a repeater device is connected to a MAC-Based VLAN port, <strong>and</strong> the<br />
configured MAC-to-VLAN mapped station enters on the repeater, any endstation that is attached to<br />
the repeater can be mapped to that VLAN while the configured endstation is active in that VLAN.<br />
Upon removal of the configured MAC-to-VLAN endstation, all other endstations lose connectivity.<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 93
Virtual LANs (VLANs)<br />
• Groups are used as a security measure to allow a MAC address to enter into a VLAN only when the<br />
group mapping matches the port mapping.<br />
As an example, the following configuration allows MAC 00:00:00:00:00:aa to enter into the VLAN<br />
only on ports 10 <strong>and</strong> 11 because of membership in group 100:<br />
* Summit400 # show mac-vlan<br />
Port Vlan Group State<br />
10 MacVlanDiscover 100 Discover<br />
11 MacVlanDiscover 100 Discover<br />
12 MacVlanDiscover any Discover<br />
13 MacVlanDiscover any Discover<br />
14 MacVlanDiscover any Discover<br />
Total Entries in Database:2<br />
Mac Vlan Group<br />
00:00:00:00:00:aa sales 100<br />
00:00:00:00:00:01 sales any<br />
2 matching entries<br />
• The group “any” is equivalent to the group “0”. Ports that are configured as “any” allow any MAC<br />
address to be assigned to a VLAN, regardless of group association.<br />
• Partial configurations of the MAC to VLAN database can be downloaded to the switch using the<br />
timed download configuration feature.<br />
MAC-Based VLAN Limitations<br />
The following list contains the limitations of MAC-based VLANs:<br />
• Ports participating in MAC VLANs must first be removed from any static VLANs.<br />
• The MAC- to-VLAN mapping can only be associated with VLANs that exist on the switch.<br />
• A MAC address cannot be configured to associate with more than 1 VLAN. If this is attempted, the<br />
MAC address is associated with the most recent VLAN entry in the MAC-to-VLAN database.<br />
• The feature is intended to support one client per physical port. Once a client MAC address has<br />
successfully registered, the VLAN association remains until the port connection is dropped or the<br />
FDB entry ages out.<br />
• The MAC-to-VLAN database is stored in memory, only. It is not stored in NVRAM. As a result, the<br />
the VLAN associations are lost during a reboot <strong>and</strong> you must perform an incremental download of<br />
the MAC-to-VLAN database to recover the VLAN associations.<br />
MAC-Based VLAN Example<br />
In this following example, three VLANs are created: engineering, marketing, <strong>and</strong> sales. A single MAC<br />
address is associated with each VLAN. The MAC address 00:00:00:00:00:02 has a group number of<br />
“any” or “0” associated with it, allowing it to be plugged into any port that is in MacVlanDiscover<br />
mode (ports 10-15 in this case). The MAC address 00:00:00:00:00:01 has a group number of 10 associated<br />
with it, <strong>and</strong> can only be assigned to a VLAN if inserted into ports 16 or 17. The MAC address<br />
00:00:00:00:00:03 has a group number of 200 associated with it <strong>and</strong> can only be inserted into ports 18<br />
through 20.<br />
enable mac-vlan mac-group any ports 10-15<br />
enable mac-vlan mac-group 10 ports 16-17<br />
enable mac-vlan mac-group 200 ports 18-20<br />
configure mac-vlan add mac-address 00:00:00:00:00:01 mac-group 10 engineering<br />
94 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
MAC-Based VLANs<br />
configure mac-vlan add mac-address 00:00:00:00:00:02 mac-group any marketing<br />
configure mac-vlan add mac-address 00:00:00:00:00:03 mac-group 200 sales<br />
Timed Configuration Download for MAC-Based VLANs<br />
To allow centralized control of MAC-based VLANs over multiple switches, a timed TFTP configuration<br />
download allows you to download incremental configuration files from a primary or secondary server<br />
at specified time intervals. The timed downloads are configurable in 24 hour intervals. When a switch<br />
reboots, the configuration is automatically downloaded immediately after booting, per the configured<br />
primary <strong>and</strong> secondary servers.<br />
To configure the primary <strong>and</strong>/or secondary server <strong>and</strong> file name, use the following comm<strong>and</strong>:<br />
configure download server [primary | secondary] [ | ]<br />
<br />
To enable timed interval downloads, use the following comm<strong>and</strong>:<br />
download configuration every <br />
To display timed download information, use the following comm<strong>and</strong>:<br />
show switch<br />
Example<br />
In relation to MAC-based VLANs, the downloaded file is an ASCII file that consists of CLI comm<strong>and</strong>s<br />
used to configure the most recent MAC-to-VLAN database. This feature is different from the normal<br />
download configuration comm<strong>and</strong> in that it allows incremental configuration without the automatic<br />
rebooting of the switch.<br />
The following example shows an incremental configuration file for MAC-based VLAN information that<br />
updates the database <strong>and</strong> saves changes:<br />
configure mac-vlan add mac-address 00:00:00:00:00:01 mac-group any engineering<br />
configure mac-vlan add mac-address 00:00:00:00:ab:02 mac-group any engineering<br />
configure mac-vlan add mac-address 00:00:00:00:cd:04 mac-group any sales<br />
.<br />
.<br />
configure mac-vlan add mac-address 00:00:00:00:ab:50 mac-group any sales<br />
configure mac-vlan add mac-address 00:00:00:00:cd:60 mac-group any sales<br />
save<br />
<strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong> 95
Virtual LANs (VLANs)<br />
96 <strong><strong>Extreme</strong>Ware</strong> 7.2e <strong>Installation</strong> <strong>and</strong> <strong>User</strong> <strong>Guide</strong>
6 Forwarding Database (FDB)<br />
This chapter describes the following topics:<br />
• Overview of the FDB on page 97<br />
• Associating QoS Profiles with an FDB Entry on page 99<br />
• FDB Configuration Examples on page 100<br />
• Displaying FDB Entries on page 101<br />
Overview of the FDB<br />
The switch maintains a database of all media access control (MAC) addresses received on all of its ports.<br />
It uses the information in this database to decide whether a frame should be forwarded or filtered.<br />
FDB Contents<br />
Each FDB entry consists of:<br />
• The MAC address of the device<br />
• An identifier for the port <strong>and</strong> VLAN on which it was received<br />
• The age of the entry<br />
• The number of IP FDB entries that use this MAC address as a next hop or last hop<br />
• Flags<br />
Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN.<br />
How FDB Entries Get Added<br />
Entries are added into the FDB in the following ways:<br />
• The switch can learn entries by examining packets it receives. The system updates its FDB with the<br />
source MAC address from a packet, the VLAN, <strong>and</strong> the port identifier on which the source packet is<br />
received.<br />
The ability to learn MAC addresses can be enabled or disabled on a port-by-port basis. You can also<br />
limit the number of addresses that can be learned, or you can “lock down” the current entries <strong>and</strong><br />
prevent additional MAC address learning.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 97
Forwarding Database (FDB)<br />
• You can enter <strong>and</strong> update entries using the comm<strong>and</strong> line interface (CLI).<br />
• Certain static entries are added by the system upon switch boot up.<br />
FDB Entry Types<br />
FDB entries may be dynamic or static, <strong>and</strong> may be permanent or non-permanent. The Summit “e” series<br />
of switches support at least 8,191 layer 2 FDB entries <strong>and</strong> 2,047 layer 3 FDB entries.<br />
The following describes the types of entries that can exist in the FDB:<br />
• Dynamic entries—A dynamic entry is learned by the switch by examining packets to determine the<br />
source MAC address, VLAN, <strong>and</strong> port information. The switch then creates or updates an FDB entry<br />
for that MAC address. Initially, all entries in the database are dynamic, except for certain entries<br />
created by the switch at boot up.<br />
Entries in the database are removed (aged-out) if, after a period of time (aging time), if the device<br />
has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring<br />
that when a device is removed from the network, its entry is deleted from the database. Dynamic<br />
entries are deleted from the database if the switch is reset or a power off/on cycle occurs. Dynamic<br />
entries are flushed <strong>and</strong> relearned (updated) when any of the following take place:<br />
— A VLAN is deleted.<br />
— A VLAN identifier (VLANid) is changed.<br />
— A port mode is changed (tagged/untagged).<br />
— A port is deleted from a VLAN.<br />
— A port is disabled.<br />
— A port enters blocking state.<br />
— A port QoS setting is changed.<br />
— A port goes down (link down).<br />
A non-permanent dynamic entry is initially created when the switch identifies a new source MAC<br />
address that does not yet have an entry in the FDB. The entry may then be updated as the switch<br />
continues to encounter the address in the packets it examines. These entries are identified by the “d”<br />
flag in show fdb output.<br />
A permanent dynamic entry is created by comm<strong>and</strong> through the CLI, but may then be updated as the<br />
switch encounters the MAC address in the packets that it examines. A permanent dynamic entry is<br />
typically used to associate QoS profiles with the FDB entry. Permanent dynamic entries are identified<br />
by the “p” <strong>and</strong> “d” flags in the show fdb output.<br />
Both types of dynamic entries age—a dynamic entry will be removed from the FDB (aged-out) if the<br />
device does not transmit for a specified period of time (the aging time). This prevents the database<br />
from becoming full with obsolete entries by ensuring that when a device is removed from the<br />
network, its entry is deleted from the database. The aging time is configurable. For more information<br />
about setting the aging time, see “Configuring the FDB Aging Time” on page 101 later in this<br />
chapter.<br />
• Static entries—A static entry does not age, <strong>and</strong> does not get updated through the learning process. It<br />
is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as<br />
VLAN or port configuration changes, do not affect static entries.<br />
If the same MAC address is detected on another virtual port that is not defined in the static FDB<br />
entry for the MAC address, it is h<strong>and</strong>led as a blackhole entry.<br />
98 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Associating QoS Profiles with an FDB Entry<br />
A permanent static entry is created through the comm<strong>and</strong> line interface, <strong>and</strong> can be used to associate<br />
QoS profiles with a non-aging FDB entry. Permanent static entries are identified by the “s” <strong>and</strong> “p”<br />
flags in show fdb output.<br />
A locked static entry is an entry that was originally learned dynamically, but has been made static<br />
(locked) using the MAC address lock-down feature. It is identified by the “s” <strong>and</strong> “l” flags in show<br />
fdb output. See “Network Login” on page 156 for more information about MAC address lock-down.<br />
Non-permanent static entries are created by the switch software for various reasons, typically upon<br />
switch boot up. They are identified by the “s” flag in show fdb output.<br />
If the FDB entry aging time is set to zero, all entries in the database are considered static, non-aging<br />
entries. This means that they do not age, but they are still deleted if the switch is reset.<br />
• Permanent entries—Permanent entries are retained in the database if the switch is reset or a power<br />
off/on cycle occurs. Permanent entries must be created by the system administrator through the<br />
comm<strong>and</strong> line interface. A permanent entry can either be a unicast or multicast MAC address.<br />
Permanent entries may be static, meaning they do not age or get updated, or they may be dynamic,<br />
meaning that they do age <strong>and</strong> can be updated via learning.<br />
Permanent entries can have QoS profiles associated with the MAC address. A different QoS profiles<br />
may be associated with the MAC address when it is a destination address (an egress QoS profile)<br />
than when it is a source address (ingress QoS profile). Once created, permanent entries stay the same<br />
as when they were created.<br />
All entries entered by way of the comm<strong>and</strong>-line interface are stored as permanent.<br />
The Summit 300-48 can support a maximum of 128 permanent entries.<br />
The Summit 200, Summit 300-24 <strong>and</strong> the Summit 400-48t can support a maximum of 64 permanent<br />
entries.<br />
• Blackhole entries—A blackhole entry configures the switch to discard packets with a specified MAC<br />
destination address. Blackhole entries are useful as a security measure or in special circumstances<br />
where a specific source or destination address must be discarded. Blackhole entries may be created<br />
through the CLI, or they may be created by the switch when a port’s learning limit has been<br />
exceeded.<br />
Blackhole entries are treated like permanent entries in the event of a switch reset or power off/on<br />
cycle. Blackhole entries are never aged out of the database.<br />
Disabling MAC Address Learning<br />
By default, MAC address learning is enabled on all ports. You can disable learning on specified ports<br />
using the following comm<strong>and</strong>:<br />
disable learning ports <br />
If MAC address learning is disabled, only broadcast traffic, EDP traffic, <strong>and</strong> packets destined to a<br />
permanent MAC address matching that port number, are forwarded. Use this comm<strong>and</strong> in a secure<br />
environment where access is granted via permanent forwarding databases (FDBs) per port.<br />
Associating QoS Profiles with an FDB Entry<br />
You can associate QoS profiles with a MAC address (<strong>and</strong> VLAN) of a device by creating a permanent<br />
FDB entry <strong>and</strong> specifying QoS profiles for ingress or egress, or both. The permanent FDB entry can be<br />
either dynamic (it is learned <strong>and</strong> can be aged out) or static.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 99
Forwarding Database (FDB)<br />
To associate a QoS profile with a dynamic FDB entry, use the following comm<strong>and</strong>:<br />
create fdbentry [ | any-mac] vlan dynamic<br />
[ingress-qosprofile {ingress-qosprofile }]<br />
This comm<strong>and</strong> associates QoS profiles with packets received from or destined for the specified MAC<br />
address, while still allowing the FDB entry to be dynamically learned. If you specify only the ingress<br />
QoS profile, the egress QoS profile defaults to none, <strong>and</strong> vice-versa. If both profiles are specified, the<br />
source MAC address of an ingress packet <strong>and</strong> the destination MAC address of an egress packet are<br />
examined for QoS profile assignment.<br />
The FDB entry is not actually created until the MAC address is encountered as the source MAC address<br />
in a packet. Thus, initially the entry may not appear in the show fdb output. Once the entry has been<br />
learned, it is created as a permanent dynamic entry, designated by “dpm” in the flags field of the show<br />
fdb output.<br />
You can display permanent FDB entries, including their QoS profile associations by using the<br />
permanent option in the following comm<strong>and</strong>:<br />
show fdb { | permanent | ports | vlan }<br />
To associate a QoS profile with a permanent FDB entry, use the following comm<strong>and</strong>:<br />
create fdbentry vlan ports [ | all] {qosprofile<br />
}{ingress-qosprofile }<br />
This entry will not be aged out, <strong>and</strong> no learning will occur. If the same MAC address is encountered<br />
through a virtual port not specified in the portlist, it will be h<strong>and</strong>led as a blackhole entry.<br />
Using the any-mac keyword, you can enable traffic from a QoS VLAN to have higher priority than<br />
802.1p traffic. Normally, an 802.1p packet has a higher priority over the VLAN classification. In order to<br />
use this feature, you must create a wildcard permanent FDB entry named any-mac <strong>and</strong> apply the QoS<br />
profile to the individual MAC entry.<br />
NOTE<br />
For more information on QoS profiles, see Chapter 7.<br />
FDB Configuration Examples<br />
The following example adds a permanent static entry to the FDB on a Summit 300-48:<br />
create fdbentry 00:E0:2B:12:34:56 vlan marketing port 1:4<br />
The permanent entry has the following characteristics:<br />
• MAC address is 00:E0:2B:12:34:56.<br />
• VLAN name is marketing.<br />
• Port number for this device is 1:4.<br />
If the MAC address 00:E0:2B:12:34:56 is encountered on any port/VLAN other than VLAN marketing,<br />
port 1:4, it will be h<strong>and</strong>led as a blackhole entry, <strong>and</strong> packets from that source will be dropped.<br />
100 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Displaying FDB Entries<br />
This example associates the QoS profile qp2 with a dynamic entry for the device at MAC address<br />
00:A0:23:12:34:56 on VLAN net34 that will be learned by the FDB:<br />
create fdbentry 00:A0:23:12:34:56 vlan net34 dynamic qosprofile qp2<br />
This entry has the following characteristics:<br />
• MAC address is 00:A0:23:12:34:56.<br />
• VLAN name is net34.<br />
• The entry will be learned dynamically.<br />
• QoS profile qp2 will be applied as an egress QoS profile when the entry is learned.<br />
Overriding 802.1p Priority<br />
This example associates the QoS profile qp5 with the wildcard permanent FDB entry any-mac on VLAN<br />
v110:<br />
create fdbentry any-mac vlan v110 dynamic ingress-qosprofile qp5<br />
Configuring the FDB Aging Time<br />
You can configure the again time for dynamic FDB entries using the following comm<strong>and</strong>:<br />
configure fdb agingtime <br />
If the aging time is set to zero, all aging entries in the database are defined as static, nonaging entries.<br />
This means they will not age out, but non-permanent static entries can be deleted if the switch is reset.<br />
Displaying FDB Entries<br />
To display FDB entries, use the following comm<strong>and</strong>:<br />
show fdb { | permanent | ports | vlan }<br />
where the following is true:<br />
• mac_address—Displays the entry for a particular MAC address.<br />
• broadcast-mac—Specifies the broadcast MAC address. May be used as an alternate to the<br />
colon-separated byte form of the address ff:ff:ff:ff:ff:ff<br />
• permanent—Displays all permanent entries, including the ingress <strong>and</strong> egress QoS profiles.<br />
• ports —Displays the entries for a set of ports or slots <strong>and</strong> ports.<br />
• vlan —Displays the entries for a VLAN.<br />
With no options, the comm<strong>and</strong> displays all FDB entries.<br />
See the <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong> for details of the comm<strong>and</strong>s related to the FDB.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 101
Forwarding Database (FDB)<br />
102 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
7 Quality of Service (QoS)<br />
This chapter covers the following topics:<br />
• Overview of Policy-Based Quality of Service on page 104<br />
• Applications <strong>and</strong> Types of QoS on page 104<br />
• Configuring QoS on page 106<br />
• QoS Profiles on page 106<br />
• Traffic Groupings on page 107<br />
— IP-Based Traffic Groupings on page 108<br />
— MAC-Based Traffic Groupings on page 108<br />
— Explicit Class of Service (802.1p <strong>and</strong> DiffServ) Traffic Groupings on page 109<br />
— Configuring DiffServ on page 111<br />
— Verifying Configuration <strong>and</strong> Performance on page 113<br />
• Verifying Configuration <strong>and</strong> Performance on page 113<br />
• Verifying Configuration <strong>and</strong> Performance on page 113<br />
• Modifying a QoS Configuration on page 115<br />
• on page 115<br />
• on page 115<br />
Policy-based Quality of Service (QoS) is a feature of <strong><strong>Extreme</strong>Ware</strong> <strong>and</strong> the <strong>Extreme</strong> switch architecture<br />
that allows you to specify different service levels for traffic traversing the switch. Policy-based QoS is an<br />
effective control mechanism for networks that have heterogeneous traffic patterns. Using Policy-based<br />
QoS, you can specify the service level that a particular traffic type receives.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 103
Quality of Service (QoS)<br />
Overview of Policy-Based Quality of Service<br />
Policy-based QoS allows you to protect b<strong>and</strong>width for important categories of applications or<br />
specifically limit the b<strong>and</strong>width associated with less critical traffic. For example, if voice–over-IP traffic<br />
requires a reserved amount of b<strong>and</strong>width to function properly, using policy-based QoS, you can reserve<br />
sufficient b<strong>and</strong>width critical to this type of application. Other applications deemed less critical can be<br />
limited so as to not consume excessive b<strong>and</strong>width. The switch contains separate hardware queues on<br />
every physical port. The prioritization parameters that modify the forwarding behavior of the switch<br />
affect how the switch transmits traffic for a given hardware queue on a physical port. Up to eight<br />
physical queues per port are available on the Summit 400 <strong>and</strong> four queues on the Summit 200 <strong>and</strong><br />
Summit 300 switches. On all series “e” switches, QoS is enforced at the ingress port.<br />
NOTE<br />
Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings<br />
has no cost in terms of switch performance.<br />
Applications <strong>and</strong> Types of QoS<br />
Different applications have different QoS requirements. The following applications are ones that you<br />
will most commonly encounter <strong>and</strong> need to prioritize:<br />
• Voice applications<br />
• Video applications<br />
• Critical database applications<br />
• Web browsing applications<br />
• File server applications<br />
General guidelines for each traffic type are given below <strong>and</strong> summarized in Table 12. Consider them as<br />
general guidelines <strong>and</strong> not strict recommendations. Once QoS parameters are set, you can monitor the<br />
performance of the application to determine if the actual behavior of the applications matches your<br />
expectations. It is very important to underst<strong>and</strong> the needs <strong>and</strong> behavior of the particular applications<br />
you wish to protect or limit. Behavioral aspects to consider include b<strong>and</strong>width needs, sensitivity to<br />
latency <strong>and</strong> jitter, <strong>and</strong> sensitivity <strong>and</strong> impact of packet loss.<br />
Voice Applications<br />
Voice applications typically dem<strong>and</strong> small amounts of b<strong>and</strong>width. However, the b<strong>and</strong>width must be<br />
constant <strong>and</strong> predictable because voice applications are typically sensitive to latency (inter-packet delay)<br />
<strong>and</strong> jitter (variation in inter-packet delay). The most important QoS parameter to establish for voice<br />
applications is minimum b<strong>and</strong>width, followed by priority.<br />
Video Applications<br />
Video applications are similar in needs to voice applications, with the exception that b<strong>and</strong>width<br />
requirements are somewhat larger, depending on the encoding. It is important to underst<strong>and</strong> the<br />
behavior of the video application being used. For example, in the playback of stored video streams,<br />
some applications can transmit large amounts of data for multiple streams in one “spike,” with the<br />
expectation that the end-stations will buffer significant amounts of video-stream data. This can present a<br />
104 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Applications <strong>and</strong> Types of QoS<br />
problem to the network infrastructure, because it must be capable of buffering the transmitted spikes<br />
where there are speed differences (for example, going from Gigabit Ethernet to Fast Ethernet). Key QoS<br />
parameters for video applications include minimum b<strong>and</strong>width, priority, <strong>and</strong> possibly buffering<br />
(depending upon the behavior of the application).<br />
Critical Database Applications<br />
Database applications, such as those associated with ERP, typically do not dem<strong>and</strong> significant<br />
b<strong>and</strong>width <strong>and</strong> are tolerant of delay. You can establish a minimum b<strong>and</strong>width using a priority less than<br />
that of delay-sensitive applications.<br />
Web Browsing Applications<br />
QoS needs for Web browsing applications cannot be generalized into a single category. For example,<br />
ERP applications that use a browser front-end may be more important than retrieving daily news<br />
information. Traffic groupings can typically be distinguished from each other by their server source <strong>and</strong><br />
destinations. Most browser-based applications are distinguished by the dataflow being asymmetric<br />
(small dataflows from the browser client, large dataflows from the server to the browser client).<br />
An exception to this may be created by some Java -based applications. In addition, Web-based<br />
applications are generally tolerant of latency, jitter, <strong>and</strong> some packet loss, however small packet-loss<br />
may have a large impact on perceived performance due to the nature of TCP. The relevant parameter<br />
for protecting browser applications is minimum b<strong>and</strong>width. The relevant parameter for preventing<br />
non-critical browser applications from overwhelming the network is maximum b<strong>and</strong>width.<br />
File Server Applications<br />
With some dependencies on the network operating system, file serving typically poses the greatest<br />
dem<strong>and</strong> on b<strong>and</strong>width, although file server applications are very tolerant of latency, jitter, <strong>and</strong> some<br />
packet loss, depending on the network operating system <strong>and</strong> the use of TCP or UDP.<br />
NOTE<br />
Full-duplex links should be used when deploying policy-based QoS. Half-duplex operation on links can<br />
make delivery of guaranteed minimum b<strong>and</strong>width impossible.<br />
Table 12 summarizes QoS guidelines for the different types of network traffic.<br />
Table 12: Traffic Type <strong>and</strong> QoS <strong>Guide</strong>lines<br />
Traffic Type<br />
Voice<br />
Video<br />
Database<br />
Web browsing<br />
File server<br />
Key QoS Parameters<br />
Minimum b<strong>and</strong>width, priority<br />
Minimum b<strong>and</strong>width, priority, buffering (varies)<br />
Minimum b<strong>and</strong>width<br />
Minimum b<strong>and</strong>width for critical applications, maximum b<strong>and</strong>width for non-critical<br />
applications<br />
Minimum b<strong>and</strong>width<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 105
Quality of Service (QoS)<br />
Configuring QoS<br />
To configure QoS, you define how your switch responds to different categories of traffic by creating <strong>and</strong><br />
configuring QoS profiles. You then group traffic into categories (according to application, as previously<br />
discussed) <strong>and</strong> assign each category to a QoS profile. Configuring QoS is a three-step process:<br />
1 Configure the QoS profile.<br />
QoS profile—A class of service that is defined through prioritization settings. The level of service<br />
that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS<br />
profile.<br />
2 Create traffic groupings.<br />
Traffic grouping—A classification or traffic type that has one or more attributes in common, such as<br />
a physical port. You assign traffic groupings to QoS profiles to modify switch forwarding behavior.<br />
Traffic groupings transmitting out the same port that are assigned to a particular QoS profile share<br />
the assigned prioritization characteristics, <strong>and</strong> hence share the class of service.<br />
3 Monitor the performance of the application with the QoS monitor to determine whether the policies<br />
are meeting the desired results.<br />
The next sections describe each of these QoS components in detail.<br />
QoS Profiles<br />
A QoS profile defines a class of service by specifying traffic behavior attributes, such as b<strong>and</strong>width. The<br />
parameters that make up a QoS profile include:<br />
• Priority—The level of priority assigned to a hardware queue on a physical port. There are eight<br />
different available priority settings for Summit 400 <strong>and</strong> four for Summit 200 <strong>and</strong> Summit 300. By<br />
default, each of the default QoS profiles is assigned a unique priority. You would use prioritization<br />
when two or more hardware queues on the same physical port are contending for transmission on<br />
the same physical port, only after their respective b<strong>and</strong>width management parameters have been<br />
satisfied.<br />
— When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the<br />
priority field of a transmitted packet (described later).<br />
— The priority of a QoS profile determines the DiffServ code point value used in an IP packet when<br />
the packet is transmitted (described later).<br />
A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. Recall<br />
that QoS profiles are linked to hardware queues. There are multiple hardware queues per physical port.<br />
The default QoS profiles cannot be deleted. Administrators do not have the authority to create a QoS<br />
profile. Also by default, a QoS profile maps directly to a specific hardware queue across all physical<br />
ports. The settings for the default QoS parameters are summarized in Table 13.<br />
Table 13: QoS Parameters<br />
Profile Name Hardware Queue Priority Buffer<br />
Maximum<br />
B<strong>and</strong>width<br />
Qp1 Q0 Low 0 100%<br />
Qp2 Q1 Lowhi 0 100%<br />
106 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Traffic Groupings<br />
Table 13: QoS Parameters (Continued)<br />
Qp3 Q2 Normal 0 100%<br />
Qp4 Q3 Normalhi 0 100%<br />
Qp5 Q4 Medium 0 100%<br />
Qp6 Q5 Mediumhi 0 100%<br />
Qp7 Q6 High 0 100%<br />
Qp8 Q7 Highhi 0 100%<br />
The maximum b<strong>and</strong>width percentage you specify is rounded up to the hardware specific rate limit in<br />
incremental values.<br />
Traffic Groupings<br />
A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is<br />
typically grouped based on the applications discussed starting on page 104.<br />
Traffic groupings are separated into the following categories for discussion:<br />
• IP-based information, such as IP source/destination <strong>and</strong> TCP/UDP port information<br />
• Destination MAC (MAC QoS groupings)<br />
• Explicit packet class of service information, such as 802.1p or DiffServ (IP TOS)<br />
• Physical/logical configuration (physical source port or VLAN association)<br />
In the event that a given packet matches two or more grouping criteria, there is a predetermined<br />
precedence for which traffic grouping will apply. In general, the more specific traffic grouping takes<br />
precedence. By default, all traffic groupings are placed in the QoS profile Qp1. The supported traffic<br />
groupings are listed in Table 14. The groupings are listed in order of precedence (highest to lowest). The<br />
four types of traffic groupings are described in detail on the following pages.<br />
Table 14: Traffic Groupings by Precedence<br />
IP Information (Access Lists) Groupings<br />
• Access list precedence determined by user configuration<br />
Destination Address MAC-Based Groupings<br />
• Permanent<br />
• Dynamic<br />
• Blackhole<br />
Explicit Packet Class of Service Groupings<br />
• DiffServ (IP TOS)<br />
• 802.1P<br />
Physical/Logical Groupings<br />
• VLAN<br />
• Source port<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 107
Quality of Service (QoS)<br />
IP-Based Traffic Groupings<br />
IP-based traffic groupings are based on any combination of the following items:<br />
• IP source or destination address<br />
• TCP or UDP protocols<br />
• TCP/UDP port information<br />
IP-based traffic groupings are defined using access lists. Access lists are discussed in detail in “IP Access<br />
Lists (ACLs)” on page 144. By supplying a named QoS profile at the end of the access list comm<strong>and</strong><br />
syntax, you can prescribe the b<strong>and</strong>width management <strong>and</strong> priority h<strong>and</strong>ling for that traffic grouping.<br />
This level of packet filtering has no impact on performance.<br />
For example, to create an IP-based traffic grouping, use the following comm<strong>and</strong>s:<br />
create access-mask amask source-ip / 24 dest-ip / 24 precedence 2000<br />
create access-list alist "amask" dest-ip 10.1.2.1/24 source-ip 10.1.1.1/24 permit<br />
qosprofile qp3<br />
To create a MAC-based traffic grouping, use this comm<strong>and</strong>:<br />
create fdbentry 00 : 11 : 22 : 33 : 44 : 55 vlan "Default" dynamic qosprofile "QP3"<br />
MAC-Based Traffic Groupings<br />
QoS profiles can be assigned to destination MAC addresses. MAC-based traffic groupings are<br />
configured using the create fdb... comm<strong>and</strong>:<br />
The MAC address options, defined below, are as follows:<br />
• Permanent<br />
• Dynamic<br />
• Blackhole<br />
NOTE<br />
On the Summit 400 broadcast MAC entries may not be associated with a QoS.<br />
Permanent MAC addresses<br />
Permanent MAC addresses can be assigned a QoS profile whenever traffic is destined to the MAC<br />
address. This can be done when you create a permanent FDB entry using the following comm<strong>and</strong>:<br />
create fdbentry vlan ports [ | all] {qosprofile<br />
}{ingress-qosprofile }<br />
For example:<br />
create fdbentry 00:11:22:33:44:55 vlan default port 4:1 qosprofile qp2<br />
108 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Traffic Groupings<br />
Dynamic MAC Addresses<br />
Dynamic MAC addresses can be assigned a QoS profile whenever traffic is coming from or going to the<br />
MAC address. This is done using the following comm<strong>and</strong>:<br />
create fdbentry [ | any-mac] vlan dynamic [ingress-qosprofile<br />
{ingress-qosprofile }]<br />
For any port on which the specified MAC address is learned in the specified VLAN, the port is assigned<br />
the specified QoS profile. For example:<br />
create fdbentry 00 : 11 : 22 : 33 : 44 : 55 vlan "Default" dynamic ingress-qosprofile<br />
"QP1" qosprofile qp2<br />
The QoS profile is assigned when the MAC address is learned. If a client's location moves, the assigned<br />
QoS profile moves with the device. If the MAC address entry already exists in the FDB, you can clear<br />
the forwarding database so that the QoS profile can be applied when the entry is added again. Use the<br />
following comm<strong>and</strong> to clear the FDB:<br />
clear fdb { | blackhole | ports | vlan }<br />
Blackhole MAC Address<br />
Using the blackhole option configures the switch to not forward any packets to the destination MAC<br />
address on any ports for the VLAN specified. The blackhole option is configured using the following<br />
comm<strong>and</strong>:<br />
create fdbentry vlan blackhole {source-mac | dest-mac |<br />
both}<br />
For example:<br />
create fdbentry 00:11:22:33:44:55 vlan default blackhole<br />
Verifying MAC-Based QoS Settings<br />
To verify any of the MAC-based QoS settings, use either the comm<strong>and</strong><br />
show fdb permanent<br />
or the comm<strong>and</strong><br />
show qosprofile {} {port }<br />
Explicit Class of Service (802.1p <strong>and</strong> DiffServ) Traffic Groupings<br />
This category of traffic groupings describes what is sometimes referred to as explicit packet marking, <strong>and</strong><br />
refers to information contained within a packet intended to explicitly determine a class of service. That<br />
information includes:<br />
• IP DiffServ code points, formerly known as IP TOS bits<br />
• Prioritization bits used in IEEE 802.1p packets<br />
An advantage of explicit packet marking is that the class of service information can be carried<br />
throughout the network infrastructure, without repeating what can be complex traffic grouping policies<br />
at each switch location. Another advantage is that end stations can perform their own packet marking<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 109
Quality of Service (QoS)<br />
on an application-specific basis. <strong>Extreme</strong> switch products have the capability of observing <strong>and</strong><br />
manipulating packet marking information with no performance penalty.<br />
The documented capabilities for 802.1p priority markings or DiffServ capabilities (if supported) are not<br />
impacted by the switching or routing configuration of the switch. For example, 802.1p information can<br />
be preserved across a routed switch boundary <strong>and</strong> DiffServ code points can be observed or overwritten<br />
across a layer 2 switch boundary.<br />
Configuring 802.1p Priority<br />
<strong>Extreme</strong> switches support the st<strong>and</strong>ard 802.1p priority bits that are part of a tagged Ethernet packet.<br />
The 802.1p bits can be used to prioritize the packet, <strong>and</strong> assign it to a particular QoS profile.<br />
When a packet arrives at the switch, the switch examines the 802.1p priority field maps it to a specific<br />
hardware queue when subsequently transmitting the packet. The 802.1p priority field is located directly<br />
following the 802.1Q type field, <strong>and</strong> preceding the 802.1Q VLAN ID, as shown in Figure 10.<br />
Figure 10: Ethernet packet encapsulation<br />
802.1Q<br />
type<br />
802.1p<br />
priority<br />
802.1Q<br />
VLAN ID<br />
8100<br />
Destination<br />
address<br />
Source<br />
address<br />
IP packet<br />
CRC<br />
EW_024<br />
Observing 802.1p Information<br />
When ingress traffic that contains 802.1p prioritization information is detected by the switch, the traffic<br />
is mapped to various hardware queues on the egress port of the switch. Eight hardware queues are<br />
supported on the Summit 400, while four queues are supported on the Summit 200 <strong>and</strong> Summit 300<br />
switches. The transmitting hardware queue determines the priority characteristics used when<br />
transmitting packets. In platforms where ther are only 4 hardware queues, two consecutives piority<br />
values map to a single QoS profile. For example, priority 0 <strong>and</strong> 1 would map to QoS profile Qp1.<br />
To control the mapping of 802.1p prioritization values to hardware queues, 802.1p prioritization values<br />
can be mapped to a QoS profile. The default mapping of each 802.1p priority value to QoS profile is<br />
shown in Table 15.<br />
Table 15: 802.1p Priority Value-to-QoS Profile Default Mapping<br />
Priority Value QoS Profile for Summit 400 QoS Profile for Summit 200 <strong>and</strong> Summit 300<br />
0 Qp1 Qp1<br />
1 Qp2<br />
2 Qp3 Qp2<br />
3 Qp4<br />
110 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Traffic Groupings<br />
Table 15: 802.1p Priority Value-to-QoS Profile Default Mapping (Continued)<br />
Priority Value QoS Profile for Summit 400 QoS Profile for Summit 200 <strong>and</strong> Summit 300<br />
4 Qp5 Qp3<br />
5 Qp6<br />
6 Qp7 Qp4<br />
7 Qp8<br />
Configuring 802.1p Priority For Slow Path Traffic<br />
Some traffic can originate on the switch, for example Ping or Telnet packets. This traffic comes from the<br />
switch CPU <strong>and</strong> is referred to as slow path traffic. This traffic is internally tagged with an 802.1p<br />
priority of 7, by default, <strong>and</strong> egresses the VLAN through the highest queue. If you want to set a<br />
different tag (<strong>and</strong> priority) use the following comm<strong>and</strong> to set the priority to a number between 0 <strong>and</strong> 7:<br />
configure vlan priority <br />
Other traffic transported across the switch <strong>and</strong> VLAN will not be changed, in other words, the 802.1p<br />
values will not be affected by the VLAN priority setting.<br />
Replacing 802.1p Priority Information<br />
By default, 802.1p priority information is not replaced or manipulated, <strong>and</strong> the information observed on<br />
ingress is preserved when transmitting the packet. This behavior is not affected by the switching or<br />
routing configuration of the switch.<br />
However, the switch is capable of replacing the 802.1p priority information. To replace 802.1p priority<br />
information, you will use an access list to set the 802.1p value. See “IP Access Lists (ACLs)” on<br />
page 144, for more information on using access lists. You will use the set dot1p <br />
parameter of the create access-list comm<strong>and</strong> to replace the value. The packet is then placed on the<br />
queue that corresponds to the new 802.1p value.<br />
Configuring DiffServ<br />
Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the<br />
DiffServ field. The TOS field is used by the switch to determine the type of service provided to the<br />
packet.<br />
Observing DiffServ code points as a traffic grouping mechanism for defining QoS policies <strong>and</strong><br />
overwriting the Diffserv code point fields are supported.<br />
Figure 11 shows the encapsulation of an IP packet header.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 111
Quality of Service (QoS)<br />
Figure 11: IP packet header encapsulation<br />
0 1 2 3 4 5 6 7<br />
DiffServ code point<br />
0 bits 31<br />
Version<br />
IHL<br />
Type-of-service<br />
Total length<br />
Identification<br />
Flags<br />
Fragment offset<br />
Time-to-live<br />
Protocol<br />
Source address<br />
Destination address<br />
Options (+ padding)<br />
Data (variable)<br />
Header checksum<br />
EW_023<br />
Observing DiffServ Information<br />
When a packet arrives at the switch on an ingress port, the switch examines the first six of eight TOS<br />
bits, called the code point. The switch can assign the QoS profile used to subsequently transmit the<br />
packet based on the code point. The QoS profile controls a hardware queue used when transmitting the<br />
packet out of the switch, <strong>and</strong> determines the forwarding characteristics of a particular code point.<br />
Viewing DiffServ information can be enabled or disabled; by default it is disabled.<br />
To enable DiffServ information, use the following comm<strong>and</strong>:<br />
enable diffserv examination ports [ | all]<br />
To disable DiffServ information, use the following comm<strong>and</strong>:<br />
disable diffserv examination ports [ | all]<br />
NOTE<br />
After DiffServ information is enabled, the ACL router cannot apply for the same port.<br />
Changing DiffServ Code point assignments in the Q0S Profile<br />
Because the code point uses six bits, it has 64 possible values (2 6 = 64). For Summit 200 <strong>and</strong> Summit 300<br />
switches that have four QoS profile queues, two consecutive ranges of code points map to a single QoS<br />
profile. By default, the values are grouped <strong>and</strong> assigned to the default QoS profiles listed in Table 16.<br />
112 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Verifying Configuration <strong>and</strong> Performance<br />
Table 16: Default Code Point-to-QoS Profile Mapping<br />
Code Point QoS Profile for Summit 400 QoS Profile for Summit 200 <strong>and</strong> Summit 300<br />
0-7 Qp1 Qp1<br />
8-15 Qp2<br />
16-23 Qp3 Qp2<br />
24-31 Qp4<br />
32-39 Qp5 Qp3<br />
40-47 Qp6<br />
48-55 Qp7 Qp4<br />
56-63 Qp8<br />
Once assigned, the rest of the switches in the network prioritize the packet using the characteristics<br />
specified by the QoS profile.<br />
Replacing DiffServ Code Points<br />
An access list can be used to change the DiffServ code point in the packet prior to the packet being<br />
transmitted by the switch. This is done with no impact on switch performance.<br />
To replace the DiffServ code point, you will use an access list to set the new code point value. See “IP<br />
Access Lists (ACLs)” on page 144, for more information on using access lists. Use the set code-point<br />
parameter of the create access-list comm<strong>and</strong> to replace the value.<br />
To display the DiffServ configuration, use the following comm<strong>and</strong>:<br />
show ports {mgmt | | vlan } info {detail}<br />
NOTE<br />
The show ports comm<strong>and</strong> displays only the default code point mapping.<br />
Verifying Configuration <strong>and</strong> Performance<br />
Once you have created QoS policies that manage the traffic through the switch, you can use the QoS<br />
monitor to determine whether the application performance meets your expectations.<br />
QoS Monitor<br />
The QoS monitor is a utility that monitors the eight hardware queues (QP1-QP8) associated with any<br />
port(s). The QoS monitor keeps track of the number of frames <strong>and</strong> the frames per second that a specific<br />
ingress queue is responsible for transmitting on a physical port.<br />
Real-Time Performance Monitoring<br />
The real-time display scrolls through the given portlist to provide statistics. You can choose screens for<br />
packet count <strong>and</strong> packets per second. The specific port being monitored is indicated by an asterisk (*)<br />
appearing after the port number in the display.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 113
Quality of Service (QoS)<br />
The view real-time switch per-port performance, use the following comm<strong>and</strong>:<br />
show ports {mgmt | } qosmonitor<br />
QoS monitor sampling is configured as follows:<br />
• The port is monitored for 10 seconds before the switch moves on to the next port in the list.<br />
• A port is sampled for five seconds before the packets per second (pps) value is displayed on the<br />
screen.<br />
QoS Monitor Behavior<br />
The QoS monitor on the “e” series of switches behaves slightly different than “i” series switches. The<br />
QoS monitor captures the statistics at the ingress port but displays the statistics unchanged at the egress<br />
port. Data is captured for a specified port <strong>and</strong> aggregated over all other ports in the system. The data<br />
leaving the QoS monitor port does reflect the aggregate, but it also reflects the original data captured at<br />
the ingress ports. Even if you attempt to change the priority using an access-list, the QoS monitor still<br />
reflects the statistics before the access-list changed the traffic at the egress port.<br />
For example, incoming traffic on a Summit 400-48t is set as follows:<br />
• Port 2 with 802.1p priority set to 0<br />
• Port 4 with 802.1p priority set to 2<br />
• Port 6 with 802.1p priority set to 4<br />
The traffic is designated to exit the switch at port 24.<br />
Displaying QoS Profile Information<br />
The QoS monitor can also be used to verify the QoS configuration <strong>and</strong> monitor the use of the QoS<br />
policies that are in place. To display QoS information on the switch, use the following comm<strong>and</strong>:<br />
show qosprofile {} {port }<br />
Displayed information includes:<br />
• QoS profile name<br />
• Priority<br />
• A list of all ports to which the QoS profile is applied<br />
• A list of all VLANs to which the QoS profile is applied<br />
Additionally, QoS information can be displayed from the traffic grouping perspective by using one or<br />
more of the following comm<strong>and</strong>s:<br />
• show fdb permanent—Displays destination MAC entries <strong>and</strong> their QoS profiles.<br />
• show switch—Displays hardware information.<br />
• show vlan—Displays the QoS profile assignments to the VLAN.<br />
• show ports {mgmt | | vlan } info {detail} — Displays<br />
information including QoS information for the port.<br />
114 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Modifying a QoS Configuration<br />
Modifying a QoS Configuration<br />
If you make a change to the parameters of a QoS profile after implementing your configuration, the<br />
timing of the configuration change depends on the traffic grouping involved. The following rules apply:<br />
• For destination MAC-based grouping (other than permanent), clear the MAC FDB using the<br />
comm<strong>and</strong> clear fdb. This comm<strong>and</strong> should also be issued after a configuration is implemented, as<br />
the configuration must be in place before an entry is made in the MAC FDB. For permanent<br />
destination MAC-based grouping, re-apply the QoS profile to the static FDB entry. You can also save<br />
<strong>and</strong> reboot the switch.<br />
• For physical <strong>and</strong> logical groupings of a source port or VLAN, clear the MAC FDB using the<br />
comm<strong>and</strong> clear fdb, then re-apply the QoS profile to the source port or VLAN. You can also save<br />
<strong>and</strong> reboot the switch.<br />
Traffic Rate-Limiting<br />
The Summit 400 switch rate-limiting method is based on creating a rate limit, a specific type of access<br />
control list. Traffic that matches a rate limit is constrained to the limit set in the access control list. Rate<br />
limits are discussed in “Rate Limits” on page 146.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 115
Quality of Service (QoS)<br />
116 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
8 Network Address Translation (NAT)<br />
This chapter covers the following topics:<br />
• Overview on page 117<br />
• Internet IP Addressing on page 118<br />
• Configuring VLANs for NAT on page 118<br />
• Configuring NAT on page 120<br />
• Creating NAT Rules on page 120<br />
• Displaying NAT Settings on page 122<br />
• Disabling NAT on page 123<br />
Overview<br />
NAT is a feature that allows one set of IP addresses, typically private IP addresses, to be converted to<br />
another set of IP addresses, typically public Internet IP addresses. This conversion is done transparently<br />
by having a NAT device rewrite the source IP address <strong>and</strong> Layer 4 port of the packets.<br />
Figure 12: NAT Overview<br />
Inside<br />
NAT<br />
switch<br />
Outside<br />
Private<br />
Network<br />
Outgoing<br />
Outgoing<br />
Internet<br />
Incoming<br />
Incoming<br />
EW_078<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 117
Network Address Translation (NAT)<br />
You can configure NAT to conserve IP address space by mapping a large number of inside (private)<br />
addresses to a much smaller number of outside (public) addresses.<br />
In implementing NAT, you must configure at least two separate VLANs involved. One VLAN is<br />
configured as inside, <strong>and</strong> corresponds to the private IP addresses you would like to translate into other<br />
IP addresses. The other type of VLAN is configured as outside, which corresponds to the public<br />
(probably Internet) IP addresses you want the inside addresses translated to. The mappings between<br />
inside <strong>and</strong> outside IP addresses are done via rules that specify the IP subnets involved <strong>and</strong> the<br />
algorithms used to translate the addresses.<br />
NOTE<br />
The NAT modes in <strong><strong>Extreme</strong>Ware</strong> support translating traffic that initiates only from inside addresses.<br />
NAT rules are associated with a single outside VLAN. Multiple rules per outside VLAN are allowed.<br />
The rules take effect in the order they are displayed using the show nat comm<strong>and</strong>. Any number of<br />
inside VLANs can use a single outside VLAN, assuming that you have created proper rules. Similarly, a<br />
single inside VLAN can use any number of different outside VLANs, assuming that the rules <strong>and</strong><br />
routing are set up properly.<br />
Both TCP <strong>and</strong> UDP have layer 4 port numbers ranging from 1 to 65535. These layer 4 ports, in<br />
combination with the IP addresses, form a unique identifier which allows hosts (as well as the NAT<br />
switch) to distinguish between separate conversations. NAT operates by replacing the inside IP packet’s<br />
source IP <strong>and</strong> layer 4 port with an outside IP <strong>and</strong> layer 4 port. The NAT switch maintains a connection<br />
table to map the return packets on the outside VLAN back into their corresponding inside sessions.<br />
Internet IP Addressing<br />
When implementing NAT in an Internet environment, it is strongly recommended that you use one of<br />
the reserved private IP address ranges for your inside IP addresses. These ranges have been reserved<br />
specifically for networks not directly attached to the Internet. Using IP addresses within these ranges<br />
prevents addressing conflicts with public Internet sites to which you want to connect. The ranges are as<br />
follows:<br />
• 10.0.0.0/8—Reserved Class A private address space<br />
• 172.16.0.0/12—Reserved Class B private address space<br />
• 192.168.0.0/16—Reserved Class C private address space<br />
Configuring VLANs for NAT<br />
You must configure each VLAN participating in NAT as either an inside or outside VLAN. To configure<br />
a VLAN as an inside or outside VLAN, use the following comm<strong>and</strong>:<br />
configure nat vlan [inside | outside | none]<br />
When a VLAN is configured to be inside, traffic from that VLAN destined for an outside VLAN is<br />
translated only if it has a matching NAT rule. Any unmatched traffic will be routed normally <strong>and</strong> not be<br />
translated. Because all traffic destined for an outside VLAN runs through the central processing unit<br />
(CPU), it cannot run at line-rate.<br />
118 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring VLANs for NAT<br />
When a VLAN is configured to be outside, it routes all traffic destined for inside VLANs. Because the<br />
traffic runs through the CPU, it cannot run at line-rate.<br />
When a VLAN is configured to be none, all NAT functions are disabled <strong>and</strong> the VLAN operates<br />
normally.<br />
Below is a set of example ACL rules to deny outside traffic. These examples assume the inside network<br />
is 192.168.1.0/24 <strong>and</strong> the outside VLAN is on port 1.<br />
create access-list deny_ip ip destination 192.168.1.0/24 source any deny ports 1<br />
create access-list deny_icmp icmp destination 192.168.1.0/24 source any type any code<br />
any deny ports 1<br />
NAT Modes<br />
There are 4 different modes used to determine how the outside IP addresses <strong>and</strong> layer 4 ports are<br />
assigned.<br />
• Static mapping<br />
• Dynamic mapping<br />
• Port-mapping<br />
• Auto-constraining<br />
Static Mapping<br />
When static mapping is used, each inside IP address uses a single outside IP address. The layer 4 ports<br />
are not changed, only the IP address is rewritten. Because this mode requires a 1:1 mapping of internal<br />
to external addresses, it does not make efficient use of the external address space. However, it is useful<br />
when you have a small number of hosts that need to have their IP addresses rewritten without<br />
conflicting with other hosts. Because this mode does not rely on layer 4 ports, ICMP traffic is translated<br />
<strong>and</strong> allowed to pass.<br />
Dynamic Mapping<br />
Dynamic mapping is similar to static mapping in that the layer 4 ports are not rewritten during<br />
translation. Dynamic mapping is different in that the number of inside hosts can be greater than the<br />
number of outside hosts. The outside IP addresses are allocated on a first-come, first-serve basis to the<br />
inside IP addresses. When the last session for a specific inside IP address closes, that outside IP address<br />
can be used by other hosts. Since this mode does not rely on layer 4 ports, ICMP traffic is translated <strong>and</strong><br />
allowed to pass.<br />
Port-mapping<br />
Port-mapping gives you the most efficient use of the external address space. As each new connection is<br />
initiated from the inside, the NAT device picks the next available source layer 4 port on the first<br />
available outside IP address. When all ports on a given IP address are in use, the NAT device uses ports<br />
off of the next outside IP address. Some systems reserve certain port ranges for specific types of traffic,<br />
so it is possible to map specific source layer 4 port ranges on the inside to specific outside source<br />
ranges. However, this may cause a small performance penalty. In this case, you would need to make<br />
several rules using the same inside <strong>and</strong> outside IP addresses, one for each layer 4 port range. ICMP<br />
traffic is not translated in this mode. You must add a dynamic NAT rule for the same IP address range<br />
to allow for ICMP traffic.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 119
Network Address Translation (NAT)<br />
Auto-constraining<br />
The auto-constraining algorithm for port-mapping limits the number of outside layer 4 ports a single<br />
inside host can use simultaneously. The limitation is based on the ratio of inside to outside IP addresses.<br />
The outside IP address <strong>and</strong> layer 4 port space is evenly distributed to all possible inside hosts. This<br />
guarantees that no single inside host can prevent other traffic from flowing through the NAT device.<br />
Because of the large number of simultaneous requests that can be made from a web browser, it is not<br />
recommended that this mode be used when a large number of inside hosts are being translated to a<br />
small number of outside IP addresses. ICMP traffic is not translated in this mode. You must add a<br />
dynamic NAT rule for the same IP address range to allow for ICMP traffic.<br />
Configuring NAT<br />
The behavior of NAT is determined by the rules you create to translate the IP addresses. You must<br />
attach each rule to a specific VLAN. All rules are processed in order. The options specified on the NAT<br />
rule determine the algorithm used to translate the inside IP addresses to the outside IP addresses. For<br />
outgoing (inside to outside) packets, the first rule to match is processed. All following rules are ignored.<br />
All return packets must arrive on the same outside VLAN on which the session went out. For most<br />
configurations, make sure that the outside IP addresses specified in the rule are part of the outside<br />
VLAN’s subnet range, so that the switch can proxy the address resolution protocol (ARP) for those<br />
addresses.<br />
To enable NAT functionality, use the following comm<strong>and</strong>:<br />
enable nat<br />
Creating NAT Rules<br />
This section describes how to configure the various types of NAT (static, dynamic, portmap, <strong>and</strong><br />
auto-constrain). In the examples in this section, advanced port <strong>and</strong> destination matching options have<br />
been removed. For information on how to use some of the more advanced rule matching features, see<br />
“Advanced Rule Matching” on page 122.<br />
Creating Static <strong>and</strong> Dynamic NAT Rules<br />
To create static or dynamic NAT rules, use this comm<strong>and</strong>:<br />
configure nat add vlan map source [any | /]<br />
{l4-port [any | {- }]} {destination / {l4-port [any<br />
| {- }]}} to [/ | - ] [tcp | udp | both]<br />
[portmap { - } | auto-constrain]<br />
This is the simplest NAT rule. You specify the outside vlan name, <strong>and</strong> a subnet of inside IP addresses,<br />
which get translated to the outside IP address using the specified mode (static in this case). For the<br />
outside IP addresses, you can either specify an IP address <strong>and</strong> netmask or a starting <strong>and</strong> ending IP<br />
range to determine the IP addresses the switch will translate the inside IP addresses to. If the netmask<br />
for both the source <strong>and</strong> NAT addresses is /32, the switch will use static NAT translation. If the netmask<br />
for both the source <strong>and</strong> NAT addresses are not both /32, the switch will use dynamic NAT translation.<br />
120 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Creating NAT Rules<br />
Static NAT Rule Example<br />
configure nat add out_vlan_1 map source 192.168.1.12/32 to 216.52.8.32/32<br />
Dynamic NAT Rule Example<br />
configure nat add out_vlan_1 map source 192.168.1.0/24 to 216.52.8.1 - 216.52.8.31<br />
Creating Portmap NAT Rules<br />
To configure portmap NAT rules, use this comm<strong>and</strong>:<br />
configure nat add vlan map source [any | /]<br />
{l4-port [any | {- }]} {destination / {l4-port<br />
[any | {- }]}} to [/ | - ] [tcp | udp |<br />
both] [portmap { - } | auto-constrain]<br />
The addition of an L4 protocol name <strong>and</strong> the portmap keyword tells the switch to use portmap mode.<br />
Optionally, you may specify the range of L4 ports the switch chooses on the translated IP addresses, but<br />
there is a performance penalty for doing this. Remember that portmap mode will only translate TCP<br />
<strong>and</strong>/or UDP, so a dynamic NAT rule must be specified after the portmap rule in order to allow ICMP<br />
packets through without interfering with the portmapping.<br />
Portmap NAT Rule Example<br />
configure nat add out_vlan_2 map source 192.168.2.0/25 to 216.52.8.32 /28 both portmap<br />
Portmap Min-Max Example<br />
configure nat add out_vlan_2 map source 192.168.2.128/25 to 216.52.8.64/28 tcp portmap<br />
1024 - 8192<br />
Creating Auto-Constrain NAT Rules<br />
To create auto-constrain NAT rules, use the following comm<strong>and</strong>:<br />
configure nat add vlan map source [any | /]<br />
{l4-port [any | {- }]} {destination / {l4-port [any<br />
| {- }]}} to [/ | - ] [tcp | udp | both]<br />
[portmap { - } | auto-constrain]<br />
This rule uses auto-constrain NAT. Remember that each inside IP address will be restricted in the<br />
number of simultaneous connections. Most installations should use portmap mode.<br />
Auto-Constrain Example<br />
configure nat add out_vlan_3 map source 192.168.3.0/24 to 216.52.8.64/32 both<br />
auto-constrain<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 121
Network Address Translation (NAT)<br />
Advanced Rule Matching<br />
By default, NAT rules only match connections based on the source IP address of the outgoing packets.<br />
Using the L4-port <strong>and</strong> destination keywords, you can further limit the scope of the NAT rule so that<br />
it only applied to specific TCP/UDP layer 4 port numbers, or specific outside destination IP addresses.<br />
NOTE<br />
Once a single rule is matched, no other rules are processed.<br />
Destination Specific NAT<br />
configure nat add vlan map source [any | /]<br />
{l4-port [any | {- }]} {destination / {l4-port [any<br />
| {- }]}} to [/ | - ] [tcp | udp | both]<br />
[portmap { - } | auto-constrain]<br />
The addition of the destination optional keyword after the source IP address <strong>and</strong> mask allows the<br />
NAT rule to be applied to only packets with a specific destination IP address.<br />
L4-Port Specific NAT<br />
The addition of the L4-port optional keyword after the source IP address <strong>and</strong> mask allows the NAT<br />
rule to be applied to only packets with a specific L4 source or destination port. If you use the L4-port<br />
comm<strong>and</strong> after the source IP/mask, the rule will only match if the port(s) specified are the source<br />
L4-ports. If you use the L4-port comm<strong>and</strong> after the destination IP/mask, the rule will only match if the<br />
port(s) specified are the destination L4-ports. Both options may be used together to further limit the<br />
rule.<br />
Configuring Time-outs<br />
When an inside host initiates a session, a session table entry is created. Depending on the type of traffic<br />
or the current TCP state, the table entries time out after the configured time-out expires.<br />
Displaying NAT Settings<br />
To display NAT rules, use the following comm<strong>and</strong>:<br />
show nat {timeout | stats | connections | rules {vlan }}<br />
This comm<strong>and</strong> displays the NAT rules for a specific VLAN. Rules are displayed in the order they are<br />
processed, starting with the first one.<br />
To display NAT traffic statistics, use the following comm<strong>and</strong>:<br />
show nat stats<br />
This comm<strong>and</strong> displays statistics for the NAT traffic, <strong>and</strong> includes:<br />
• The number of rules<br />
• The number of current connections<br />
• The number of translated packets on the inside <strong>and</strong> outside VLANs<br />
122 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Disabling NAT<br />
• Information on missed translations<br />
To display NAT connection information, use the following comm<strong>and</strong>:<br />
show nat connections<br />
This comm<strong>and</strong> displays the current NAT connection table, including source IP/layer 4 port mappings<br />
from inside to outside.<br />
Disabling NAT<br />
To disable NAT, use the following comm<strong>and</strong>:<br />
disable nat<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 123
Network Address Translation (NAT)<br />
124 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
9 Status Monitoring <strong>and</strong> Statistics<br />
This chapter describes the following topics:<br />
• Status Monitoring on page 125<br />
• Port Statistics on page 125<br />
• Port Errors on page 126<br />
• Port Monitoring Display Keys on page 127<br />
• Setting the System Recovery Level on page 128<br />
• Event Management System/Logging on page 128<br />
• RMON on page 140<br />
Viewing statistics on a regular basis allows you to see how well your network is performing. If you<br />
keep simple daily records, you will see trends emerging <strong>and</strong> notice problems arising before they cause<br />
major network faults. In this way, statistics can help you get the best out of your network.<br />
Status Monitoring<br />
The status monitoring facility provides information about the switch. This information may be useful<br />
for your technical support representative if you have a problem. <strong><strong>Extreme</strong>Ware</strong> includes many show<br />
comm<strong>and</strong>s that display information about different switch functions <strong>and</strong> facilities.<br />
NOTE<br />
For more information about show comm<strong>and</strong>s for a specific <strong><strong>Extreme</strong>Ware</strong> feature, see the appropriate<br />
chapter in this guide.<br />
Port Statistics<br />
<strong><strong>Extreme</strong>Ware</strong> provides a facility for viewing port statistic information. The summary information lists<br />
values for the current counter against each port on each operational module in the system, <strong>and</strong> it is<br />
refreshed approximately every 2 seconds. Values are displayed to nine digits of accuracy.<br />
To view port statistics, use the following comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 125
Status Monitoring <strong>and</strong> Statistics<br />
show ports {mgmt | | vlan } stats {cable-diagnostics}<br />
The following port statistic information is collected by the switch:<br />
• Link Status—The current status of the link. Options are:<br />
— Ready (the port is ready to accept a link).<br />
— Active (the link is present at this port).<br />
— Chassis (the link is connected to a Summit Virtual Chassis). This status is available on the Summit<br />
200 <strong>and</strong> 300 models.<br />
• Transmitted Packet Count (Tx Pkt Count)—The number of packets that have been successfully<br />
transmitted by the port.<br />
• Transmitted Byte Count (Tx Byte Count)—The total number of data bytes successfully transmitted<br />
by the port.<br />
• Received Packet Count (Rx Pkt Count)—The total number of good packets that have been received<br />
by the port.<br />
• Received Byte Count (RX Byte Count)—The total number of bytes that were received by the port,<br />
including bad or lost frames. This number includes bytes contained in the Frame Check Sequence<br />
(FCS), but excludes bytes in the preamble.<br />
• Received Broadcast (RX Bcast)—The total number of frames received by the port that are addressed<br />
to a broadcast address.<br />
• Received Multicast (RX Mcast)—The total number of frames received by the port that are addressed<br />
to a multicast address.<br />
Port Errors<br />
The switch keeps track of errors for each port.<br />
To view port transmit errors, use the following comm<strong>and</strong>:<br />
show ports {mgmt | | vlan } txerrors<br />
The managment port option (mgmt) is only available on switches with a managment port, such as the<br />
Summit 400.<br />
The following port transmit error information is collected by the system:<br />
• Port Number<br />
• Link Status—The current status of the link. Options are:<br />
— Ready (the port is ready to accept a link).<br />
— Active (the link is present at this port).<br />
• Transmit Collisions (TX Coll)—The total number of collisions seen by the port, regardless of<br />
whether a device connected to the port participated in any of the collisions.<br />
• Transmit Late Collisions (TX Late Coll)—The total number of collisions that have occurred after the<br />
port’s transmit window has expired.<br />
• Transmit Deferred Frames (TX Deferred)—The total number of frames that were transmitted by the<br />
port after the first transmission attempt was deferred by other network traffic.<br />
• Transmit Errored Frames (TX Error)—The total number of frames that were not completely<br />
transmitted by the port because of network errors (such as late collisions or excessive collisions).<br />
126 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Port Monitoring Display Keys<br />
• Transmit Parity Frames (TX Parity)—The bit summation has a parity mismatch.<br />
To view port receive errors, use the following comm<strong>and</strong>:<br />
show ports {mgmt | | vlan } rxerrors<br />
The managment port option (mgmt) is only available on switches with a managment port, such as the<br />
Summit 400.<br />
The following port receive error information is collected by the switch:<br />
• Link Status — The current status of the link. Options are:<br />
— Ready (the port is ready to accept a link).<br />
— Active (the link is present at this port).<br />
• Receive Bad CRC Frames (RX CRC)—The total number of frames received by the port that were of<br />
the correct length, but contained a bad FCS value.<br />
• Receive Oversize Frames (RX Over)—The total number of good frames received by the port greater<br />
than the supported maximum length of 1,522 bytes. .<br />
• Receive Undersize Frames (RX Under)—The total number of frames received by the port that were<br />
less than 64 bytes long.<br />
• Receive Fragmented Frames (RX Frag)—The total number of frames received by the port were of<br />
incorrect length <strong>and</strong> contained a bad FCS value.<br />
• Receive Jabber Frames (RX Jab)—The total number of frames received by the port that was of<br />
greater than the support maximum length <strong>and</strong> had a Cyclic Redundancy Check (CRC) error.<br />
• Receive Alignment Errors (RX Align)—The total number of frames received by the port that occurs<br />
if a frame has a CRC error <strong>and</strong> does not contain an integral number of octets.<br />
• Receive Frames Lost (RX Lost)—The total number of frames received by the port that were lost<br />
because of buffer overflow in the switch.<br />
Port Monitoring Display Keys<br />
Table 17 describes the keys used to control the displays that appear when you issue any of the show<br />
port comm<strong>and</strong>s.<br />
Table 17: Port Monitoring Display Keys<br />
Key(s)<br />
Description<br />
U<br />
Displays the previous page of ports.<br />
D<br />
Displays the next page of ports.<br />
[Esc] or [Return] Exits from the screen.<br />
0 Clears all counters.<br />
[Space]<br />
Cycles through the following screens:<br />
• Packets per second<br />
• Bytes per second<br />
• Percentage of b<strong>and</strong>width<br />
Available using the show ports utilization comm<strong>and</strong> only.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 127
Status Monitoring <strong>and</strong> Statistics<br />
Setting the System Recovery Level<br />
You can configure the system to automatically reboot after a software task exception, using the<br />
following comm<strong>and</strong>:<br />
configure sys-recovery-level [none | [all | critical] [ reboot ]]<br />
Where the following is true:<br />
• none—Configures the level to no recovery.<br />
• all—Configures <strong><strong>Extreme</strong>Ware</strong> to log an error into the syslog <strong>and</strong> automatically reboot the system<br />
after any task exception.<br />
• critical—Configures <strong><strong>Extreme</strong>Ware</strong> to log an error into the syslog <strong>and</strong> automatically reboot the<br />
system after a critical task exception.<br />
• reboot—Reboots the switch.<br />
The default setting is none.<br />
Event Management System/Logging<br />
The system responsible for logging <strong>and</strong> debugging was updated <strong>and</strong> enhanced. We use the general<br />
term, event, for any type of occurrence on a switch which could generate a log message, or require an<br />
action. For example, a link going down, a user logging in, a comm<strong>and</strong> entered on the comm<strong>and</strong> line, or<br />
the software executing a debugging statement, are all events that might generate a log message. The<br />
new system for saving, displaying, <strong>and</strong> filtering events is called the Event Management System (EMS).<br />
With EMS, you have a lot more options about which events generate log messages, where the messages<br />
are sent, <strong>and</strong> how they are displayed. Using EMS you can:<br />
• send event messages to a number of logging targets (for example, syslog host <strong>and</strong> NVRAM)<br />
• filter events on a per-target basis<br />
— by component, subcomponent, or specific condition (for example, IGMP.Snooping messages, or the<br />
IP.Forwarding.SlowPathDrop condition)<br />
— by match expression (for example, any messages containing the string “user5”)<br />
— by matching parameters (for example, only messages with source IP addresses in the 10.1.2.0/24<br />
subnet)<br />
— by severity level (for example, only messages of severity critical, error, or warning)<br />
• change the format of event messages (for example, display the date as “12-May-2003” or<br />
“2003-05-12”)<br />
• display log messages in real-time, <strong>and</strong> filter the messages that are displayed, both on the console <strong>and</strong><br />
from telnet sessions<br />
• display stored log messages from the memory buffer or NVRAM<br />
• upload event logs stored in memory to a TFTP server<br />
• display counts of event occurrences, even those not included in filter<br />
• display debug information, using a consistent configuration method<br />
128 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Event Management System/Logging<br />
Sending Event Messages to Log Targets<br />
There are five types of targets that can receive log messages:<br />
• console display<br />
• current session (telnet or console display)<br />
• memory buffer (can contain 200-20,000 messages)<br />
• NVRAM (messages remain after reboot)<br />
• syslog host<br />
The first four types of targets exist by default, but before enabling any syslog host, the host’s<br />
information needs to be added to the switch using the configure syslog comm<strong>and</strong>. <strong>Extreme</strong><br />
<strong>Networks</strong> EPICenter can be a syslog target.<br />
By default, the memory buffer <strong>and</strong> NVRAM targets are already enabled <strong>and</strong> receive messages. To start<br />
sending messages to the targets, use the following comm<strong>and</strong>:<br />
enable log target [console-display | memory-buffer | nvram | session | syslog [ {:} [local0 ... local7]]]<br />
Once enabled, the target receives the messages it is configured for. See the section “Target<br />
Configuration” for information on viewing the current configuration of a target. The memory buffer can<br />
only contain the configured number of messages, so the oldest message is lost when a new message<br />
arrives, <strong>and</strong> the buffer is full.<br />
Use the following comm<strong>and</strong> to stop sending messages to the target:<br />
disable log target [console-display | memory-buffer | nvram | session | syslog<br />
[ {:} [local0 ... local7]]]<br />
NOTE<br />
Refer to your UNIX documentation for more information about the syslog host facility.<br />
Filtering Events Sent to Targets<br />
Not all event messages are sent to every enabled target. Each target receives only the messages that it is<br />
configured for.<br />
Target Configuration<br />
To specify the messages to send to a enabled target, you will set a message severity level, a filter name,<br />
<strong>and</strong> a match expression. These items determine which messages are sent to the target. You can also<br />
configure the format of the messages in the targets. Each target has a default configuration that mimics<br />
the expected behavior of prior <strong><strong>Extreme</strong>Ware</strong> releases. For example, the console display target is<br />
configured to get messages of severity info <strong>and</strong> greater, the NVRAM target gets messages of severity<br />
warning <strong>and</strong> greater, <strong>and</strong> the memory buffer target gets messages of severity debug-data <strong>and</strong> greater.<br />
All the targets are associated by default with a filter named DefaultFilter, that passes all events at or<br />
above the default severity threshold, like the behavior of earlier releases (the earlier releases had no<br />
filters). All the targets are also associated with a default match expression that matches any messages<br />
(the expression that matches any message is displayed as Match: (none) from the comm<strong>and</strong> line). And<br />
finally, each target has a format associated with it.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 129
Status Monitoring <strong>and</strong> Statistics<br />
To display the current log configuration of the targets, use the following comm<strong>and</strong>:<br />
show log configuration target {console-display | memory-buffer | nvram | session |<br />
syslog {: }[local0 ... local7]}<br />
To configure a target, there are specific comm<strong>and</strong>s for filters, formats, <strong>and</strong> severity that are discussed in<br />
the following sections.<br />
Severity<br />
Messages are issued with one of the severity level specified by the st<strong>and</strong>ard BSD syslog values<br />
(RFC 3164), critical, error, warning, notice, <strong>and</strong> info, plus three severity levels for extended<br />
debugging, debug-summary, debug-verbose, <strong>and</strong> debug-data. Note that RFC 3164 syslog values<br />
emergency <strong>and</strong> alert are not needed since critical is the most severe event in the system.<br />
The three severity levels for extended debugging, debug-summary, debug-verbose, <strong>and</strong> debug-data,<br />
require that debug mode be enabled (which may cause a performance degradation). See the section<br />
“Displaying Debug Information” for more information about debugging.<br />
Table 18: Severity Levels Assigned by the Switch<br />
Level<br />
Critical<br />
Error<br />
Warning<br />
Notice<br />
Info (Informational)<br />
Debug-Summary<br />
Debug-Verbose<br />
Debug-Data<br />
Description<br />
A serious problem has been detected which is compromising the operation of the<br />
system <strong>and</strong> that the system can not function as expected unless the situation is<br />
remedied. The switch may need to be reset.<br />
A problem has been detected which is interfering with the normal operation of the<br />
system <strong>and</strong> that the system is not functioning as expected.<br />
An abnormal condition, not interfering with the normal operation of the system, has<br />
been detected which may indicate that the system or the network in general may not<br />
be functioning as expected.<br />
A normal but significant condition has been detected, which signals that the system is<br />
functioning as expected.<br />
A normal but potentially interesting condition has been detected, which signals that the<br />
system is functioning as expected <strong>and</strong> simply provides potentially detailed information<br />
or confirmation.<br />
A condition has been detected that may interest a developer determining the reason<br />
underlying some system behavior.<br />
A condition has been detected that may interest a developer analyzing some system<br />
behavior at a more verbose level than provided by the debug summary information.<br />
A condition has been detected that may interest a developer inspecting the data<br />
underlying some system behavior.<br />
To configure the severity level of the messages sent to a target, there is more than one comm<strong>and</strong> that<br />
you can use. The most direct way to set the severity level of all the sent messages is to use the following<br />
comm<strong>and</strong>:<br />
configure log target [console-display | memory-buffer | nvram | session |<br />
syslog [ {: } [local0 ... local7]]] match [any<br />
|]<br />
When you specify a severity level, messages of that severity <strong>and</strong> greater will be sent to the target. If you<br />
want only messages of the specified severity to be sent to the target, use the keyword only. For<br />
example, specifying severity warning will send warning, error, <strong>and</strong> critical messages, but specifying<br />
severity warning only will just send warning messages.<br />
130 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Event Management System/Logging<br />
Another comm<strong>and</strong> that can be used to configure severity levels is the comm<strong>and</strong> used to associate a<br />
filter with a target:<br />
configure log target [console-display | memory-buffer | nvram | session |<br />
syslog [ {: } [local0 ... local7]]]<br />
filter {severity {only}}<br />
When you specify a severity level as you associate a filter with a target, you further restrict the<br />
messages reaching the target. The filter may only allow certain categories of messages to pass. Only the<br />
messages that pass the filter, <strong>and</strong> then pass the specified severity level will reach the target.<br />
Finally, you can specify the severity levels of messages that reach the target by associating a filter with a<br />
target. The filter can specify exactly which message it will pass. Constructing a filter is discussed in the<br />
section “Filtering By Components <strong>and</strong> Conditions”.<br />
Components <strong>and</strong> Conditions<br />
Beginning with the introduction of EMS in release 7.1.0, the event conditions detected by <strong><strong>Extreme</strong>Ware</strong><br />
were organized into components <strong>and</strong> subcomponents. This is somewhat similar to the fault log<br />
subsystems used in previous versions. Not all conditions have been placed in the<br />
component/subcomponent structure of EMS, but all the conditions will be moved over time into this<br />
structure. To get a listing of the components <strong>and</strong> subcomponents in your release of <strong><strong>Extreme</strong>Ware</strong>, use<br />
the following comm<strong>and</strong>:<br />
show log components { | all}<br />
For example, to get a listing of the subcomponents that make up the STP component, use the following<br />
comm<strong>and</strong>:<br />
show log components stp<br />
The output produced by the comm<strong>and</strong> is similar to the following:<br />
Severity<br />
Component Title Threshold<br />
------------------- ---------------------------------------------- ----------<br />
STP Spanning-Tree Protocol (STP) Error<br />
InBPDU STP In BPDU subcomponent Warning<br />
OutBPDU STP Out BPDU subcomponent Warning<br />
System STP System subcomponent Error<br />
In the display above is listed the component, the subcomponents that make up that component, <strong>and</strong> the<br />
default severity threshold assigned to that component. A period (.) is used to separate component,<br />
subcomponent, <strong>and</strong> condition names in EMS. For example, you can refer to the InBPDU subcomponent<br />
of the STP component as STP.InBPDU. On the CLI, you can abbreviate or TAB complete any of these.<br />
A component or subcomponent will often have several conditions associated with it. To see the<br />
conditions associated with a component, use the following comm<strong>and</strong>:<br />
show log events { | [all | ] {severity <br />
{only}}} {detail}<br />
For example, to see the conditions associated with the STP.InBPDU subcomponent, use the following<br />
comm<strong>and</strong>:<br />
show log events stp.inbpdu<br />
The output produced by the comm<strong>and</strong> is similar to the following:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 131
Status Monitoring <strong>and</strong> Statistics<br />
Comp SubComp Condition Severity Parameters<br />
------- ----------- ----------------------- ------------- ----------<br />
STP InBPDU<br />
Drop Error 3<br />
Dump Debug-Data 3<br />
Ign Debug-Summary 2<br />
Trace Info 2<br />
In the display above is listed the four conditions contained in the STP.InBPDU component, the severity<br />
of the condition, <strong>and</strong> the number of parameters in the event message. In this example, the severities of<br />
the events in the STP.InBPDU subcomponent range from error to debug-summary.<br />
When you use the detail keyword you will see the message text associated with the conditions. For<br />
example, if you want to see the message text <strong>and</strong> the parameters for the event condition<br />
STP.InBPDU.Trace, use the following comm<strong>and</strong>:<br />
show log events stp.inbpdu.trace detail<br />
The output produced by the comm<strong>and</strong> is similar to the following:<br />
Comp SubComp Condition Severity Parameters<br />
------- ----------- ----------------------- ------------- ----------<br />
STP InBPDU Trace Info 2 Total<br />
0 - ports<br />
1 - string<br />
"Port=%0%: %1%"<br />
The Comp heading shows the component name, the SubComp heading shows the subcomponent (if any),<br />
the Condition heading shows the event condition, the Severity heading shows the severity assigned<br />
to this condition, the Parameters heading shows the parameters for the condition, <strong>and</strong> the text string<br />
shows the message that the condition will generate. The parameters in the text string (for example,%0%<br />
<strong>and</strong>%1% above) will be replaced by the values of these parameters when the condition is encountered,<br />
<strong>and</strong> output as the event message.<br />
Filtering By Components <strong>and</strong> Conditions. You may want to send the messages that come from a<br />
specific component that makes up <strong><strong>Extreme</strong>Ware</strong>, or send the message generated by a specific condition.<br />
For example, you might want to send only the messages that come from the STP component, or send<br />
the message that occurs when the IP.Forwarding.SlowPathDrop condition occurs. Or you may want to<br />
exclude messages from a particular component or event. To do this, you will construct a filter that<br />
passes only the items of interest, <strong>and</strong> associate that filter with a target.<br />
The first step is to create the filter using the create log filter comm<strong>and</strong>. You can create a filter<br />
from scratch, or copy another filter to use as a starting point. It may be easiest to copy an existing filter<br />
<strong>and</strong> modify it. Use the following comm<strong>and</strong> to create a filter:<br />
create log filter {copy }<br />
If you create a filter from scratch, it will initially block all events until you add events (either the events<br />
from a component or a specific event condition) to pass. You might create a filter from scratch if you<br />
wanted to pass a small set of events, <strong>and</strong> block most. If you want to exclude a small set of events, there<br />
is a default filter that passes events at or above the default severity threshold (unless the filter has been<br />
modified), named DefaultFilter, that you can copy to use as a starting point for your filter.<br />
Once you have created your filter, you can then configure filter items that include or exclude events<br />
from the filter. Included events are passed, excluded events are blocked. Use the following comm<strong>and</strong> to<br />
configure your filter:<br />
132 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Event Management System/Logging<br />
configure log filter [add | delete] {exclude} events [<br />
| [all | ] {severity {only}}]<br />
For example, if you create the filter myFilter from scratch, then issue the following comm<strong>and</strong>:<br />
configure log filter myFilter add events stp<br />
all STP events will pass myFilter of at least the default threshold severity (for the STP component, the<br />
default severity threshold is error). You can further modify this filter by specifying additional<br />
conditions. For example, assume that myFilter is configured as before, <strong>and</strong> assume that you want to<br />
exclude any events from the STP subcomponent, STP.OutBPDU. Use the following comm<strong>and</strong> to add<br />
that condition:<br />
configure log filter myFilter add exclude events stp.outbpdu<br />
You can continue to modify this filter by adding more filter items. The filters process events by<br />
comparing the event with the most recently configured filter item first. If the event matches this filter<br />
item, the incident is either included or excluded, depending on whether the exclude keyword was<br />
used. Subsequent filter items on the list are compared if necessary. If the list of filter items has been<br />
exhausted with no match, the event is excluded, <strong>and</strong> is blocked by the filter.<br />
To examine the configuration of a filter, use the following comm<strong>and</strong>:<br />
show log configuration filter {}<br />
The output produced by the comm<strong>and</strong> (for the earlier filter) is similar to the following:<br />
Log Filter Name : myFilter<br />
I/ Severity<br />
E Comp SubComp Condition CEWNISVD<br />
- ------- ----------- ----------------------- --------<br />
E STP OutBPDU * CEWNI+++<br />
I STP * * ********<br />
Include/Exclude: (I) Include, (E) Exclude<br />
Severity Values: (C) Critical, (E) Error, (W) Warning, (N) Notice, (I) Info<br />
(*) Pre-assigned severities in effect for each subcomponent<br />
Debug Severity : (S) Debug-Summary, (V) Debug-Verbose, (D) Debug-Data<br />
(+) Debug Severity requested, but log debug-mode not enabled<br />
If Match parameters present:<br />
Parameter Flags: (S) Source, (D) Destination (as applicable)<br />
(I) Ingress, (E) Egress,<br />
Parameter Types: Port - Physical Port list, Slot - Physical Slot #<br />
MAC - MAC address, IP - IP Address/netmask, Mask - Netmask<br />
VID - Virtual LAN ID (tag), VLAN - Virtual LAN name<br />
Nbr - Neighbor, Rtr - Routerid, EAPS - EAPS Domain<br />
Strict Match : (Y) every match parameter entered must be present in the event<br />
(N) match parameters need not be present in the event<br />
The show log configuration filter comm<strong>and</strong> shows each filter item, in the order that it will be applied<br />
<strong>and</strong> whether it will be included or excluded. The above output shows the two filter items, one<br />
excluding events from the STP.OutBPDU component, the next including the remaining events from the<br />
STP component. The severity value is shown as “*”, indicating that the component’s default severity<br />
threshold controls which messages are passed. The Parameter(s) heading is empty for this filter, since<br />
no match was configured for this filter. Matches are discussed in the section, “Matching Expressions”.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 133
Status Monitoring <strong>and</strong> Statistics<br />
Each time a filter item is added to or deleted from a given filter, the events specified are compared<br />
against the current configuration of the filter to try to logically simplify the configuration. Existing items<br />
will be replaced by logically simpler items if the new item enables rewriting the filter. If the new item is<br />
already included or excluded from the currently configured filter, the new item is not added to the filter.<br />
Matching Expressions<br />
You can specify that messages that reach the target match a specified match expression. The message<br />
text is compared with the match expression to determine whether to pass the message on. To require<br />
that messages match a match expression, is to use the following comm<strong>and</strong>:<br />
configure log target [console-display | memory-buffer | nvram | session |<br />
syslog [ {: } [local0 ... local7]]] match [any<br />
|]<br />
The messages reaching the target will match the match-expression, a simple regular expression. The<br />
formatted text string that makes up the message is compared with the match expression, <strong>and</strong> is passed<br />
to the target if it matches. This comm<strong>and</strong> does not affect the filter in place for the target, so the match<br />
expression is only compared with the messages that have already passed the target’s filter. For more<br />
information on controlling the format of the messages, see the section, “Formatting Event Messages”.<br />
Simple Regular Expressions. A simple regular expression is a string of single characters including<br />
the dot character (.), which are optionally combined with quantifiers <strong>and</strong> constraints. A dot matches any<br />
single character while other characters match only themselves (case is significant). Quantifiers include<br />
the star character (*) that matches zero or more occurrences of the immediately preceding token.<br />
Constraints include the caret character (^) that matches at the beginning of a message, <strong>and</strong> the currency<br />
character ($) that matches at the end of a message. Bracket expressions are not supported. There are a<br />
number of sources available on the Internet <strong>and</strong> in various language references describing the operation<br />
of regular expressions. Table 19 shows some examples of regular expressions.<br />
Table 19: Simple Regular Expressions<br />
Regular Expression Matches Does not match<br />
port port 2:3<br />
import cars<br />
portable structure<br />
.ar<br />
baar<br />
bazaar<br />
rebar<br />
port.*vlan<br />
port 2:3 in vlan test<br />
add ports to vlan<br />
port/vlan<br />
myvlan$<br />
delete myvlan<br />
error in myvlan<br />
poor<br />
por<br />
pot<br />
bar<br />
myvlan port 2:3<br />
ports 2:4,3:4 myvlan link down<br />
Matching Parameters<br />
Rather than using a text match, <strong><strong>Extreme</strong>Ware</strong>’s EMS allows you to filter more efficiently based on the<br />
message parameter values. In addition to event components <strong>and</strong> conditions <strong>and</strong> severity levels, each<br />
filter item can also use parameter values to further limit which messages are passed or blocked. The<br />
process of creating, configuring, <strong>and</strong> using filters has already been described in the section, “Filtering<br />
By Components <strong>and</strong> Conditions”, so this section will discuss matching parameters with a filter item. To<br />
configure a parameter match filter item, use the following comm<strong>and</strong>:<br />
134 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Event Management System/Logging<br />
configure log target [console-display | memory-buffer | nvram | session |<br />
syslog [ {: } [local0 ... local7]]]<br />
filter {severity {only}}<br />
Each event in <strong><strong>Extreme</strong>Ware</strong> is defined with a message format <strong>and</strong> zero or more parameter types. The<br />
show log events detail comm<strong>and</strong> can be used to display event definitions (the event text <strong>and</strong><br />
parameter types). Only those parameter types that are applicable given the events <strong>and</strong> severity specified<br />
are exposed on the CLI. The depends on the parameter type specified. As an example, an event<br />
may contain a physical port number, a source MAC address, <strong>and</strong> a destination MAC address. To allow<br />
only those Bridging incidents, of severity notice <strong>and</strong> above, with a specific source MAC address, use<br />
the following comm<strong>and</strong>:<br />
configure log filter myFilter add events bridge severity notice match source<br />
mac-address 00:01:30:23:C1:00<br />
The string type is used to match a specific string value of an event parameter, such as a user name. A<br />
string can be specified as a simple regular expression.<br />
Use the <strong>and</strong> keyword to specify multiple parameter type/value pairs that must match those in the<br />
incident. For example, to allow only those events with specific source <strong>and</strong> destination MAC addresses,<br />
use the following comm<strong>and</strong>:<br />
configure log filter myFilter add events bridge severity notice match source<br />
mac-address 00:01:30:23:C1:00 <strong>and</strong> destination mac-address 01:80:C2:00:00:02<br />
Match Versus Strict-Match. The match <strong>and</strong> strict-match keywords control the filter behavior for<br />
incidents whose event definition does not contain all the parameters specified in a configure log<br />
filter events match comm<strong>and</strong>. This is best explained with an example. Suppose an event in the<br />
XYZ component, named XYZ.event5, contains a physical port number, a source MAC address, but no<br />
destination MAC address. If you configure a filter to match a source MAC address <strong>and</strong> a destination<br />
MAC address, XYZ.event5 will match the filter when the source MAC address matches regardless of the<br />
destination MAC address, since the event contains no destination MAC address. If you specify the<br />
strict-match keyword, then the filter will never match event XYZ.event5, since this event does not<br />
contain the destination MAC address.<br />
In other words, if the match keyword is specified, an incident will pass a filter so long as all parameter<br />
values in the incident match those in the match criteria, but all parameter types in the match criteria<br />
need not be present in the event definition.<br />
Formatting Event Messages<br />
Event messages are made up of a number of items. The individual items can be formatted, however,<br />
EMS does not allow you to vary the order of the items. To format the messages for a particular target,<br />
use the following comm<strong>and</strong>:<br />
configure log target [console-display | memory-buffer | nvram | session |<br />
syslog [ {:} [local0 ... local7]]]<br />
format [timestamp [seconds | hundredths | none]<br />
| date [dd-mm-yyyy | dd-Mmm-yyyy | mm-dd-yyyy | Mmm-dd | yyyy-mm-dd | none]<br />
| severity [on | off]<br />
| event-name [component | condition | none | subcomponent]<br />
| host-name [on | off]<br />
| priority [on | off]<br />
| tag-id [on | off]<br />
| tag-name [on | off]<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 135
Status Monitoring <strong>and</strong> Statistics<br />
| sequence-number [on | off]<br />
| process-name [on | off]<br />
| process-id [on | off]<br />
| source-function [on | off]<br />
| source-line [on | off]]<br />
Using the default format for the session target, an example log message might appear as:<br />
05/29/2003 12:15:25.00 The SNTP server parameter value<br />
(TheWrongServer.example.com) can not be resolved.<br />
If you set the current session format using the following comm<strong>and</strong>:<br />
configure log target session format date mm-dd-yyy timestamp seconds event-name<br />
component<br />
The same example would appear as:<br />
05/29/2003 12:16:36 The SNTP server parameter value<br />
(TheWrongServer.example.com) can not be resolved.<br />
In order to provide some detailed information to technical support, you set the current session format<br />
using the following comm<strong>and</strong>:<br />
configure log target session format date mmm-dd timestamp hundredths event-name<br />
condition source-line on process-name on<br />
The same example would appear as:<br />
May 29 12:17:20.11 SNTP: tSntpc: (sntpcLib.c:606) The SNTP<br />
server parameter value (TheWrongServer.example.com) can not be resolved.<br />
Displaying Real-Time Log Messages<br />
You can configure the system to maintain a running real-time display of log messages on the console<br />
display or on a (telnet) session. To turn on the log display on the console, use the console-display<br />
option in the following comm<strong>and</strong>:<br />
enable log target [console-display | memory-buffer | nvram | session | syslog [ {:} [local0 ... local7]]]<br />
This setting may be saved to the FLASH configuration <strong>and</strong> will be restored on boot up (to the<br />
console-display session).<br />
To turn on log display for the current session:<br />
enable log target session<br />
This setting only affects the current session, <strong>and</strong> is lost when you log off the session.<br />
The messages that are displayed depend on the configuration <strong>and</strong> format of the target. See the section,<br />
“Filtering Events Sent to Targets”, for information on message filtering, <strong>and</strong> the section, “Formatting<br />
Event Messages”, for information on message formatting.<br />
Displaying Events Logs<br />
The log stored in the memory buffer <strong>and</strong> the NVRAM can be displayed on the current session (either<br />
the console display or telnet). Use the following comm<strong>and</strong> to display the log:<br />
136 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Event Management System/Logging<br />
show log {messages [memory-buffer | nvram]} {severity {only}}<br />
{starting [date time | date | time ]} {ending [date<br />
time | date | time ]} {match }<br />
{format } {chronological}<br />
There are many options you can use to select the log entries of interest. You can select to display only<br />
those messages that conform to the specified:<br />
• severity<br />
• starting <strong>and</strong> ending date <strong>and</strong> time<br />
• match expression<br />
The displayed messages can be formatted differently from the format configured for the targets, <strong>and</strong><br />
you can choose to display the messages in order of newest to oldest, or in chronological order (oldest to<br />
newest).<br />
Uploading Events Logs<br />
The log stored in the memory buffer <strong>and</strong> the NVRAM can be uploaded to a TFTP server. Use the<br />
following comm<strong>and</strong> to upload the log:<br />
upload log {messages [memory-buffer | nvram]}<br />
{severity {only}} {starting [date time | date <br />
| time ]} {ending [date time | date | time ]}<br />
{match } {format } {chronological}<br />
You must specify the TFTP host <strong>and</strong> the filename to use in uploading the log. There are many options<br />
you can use to select the log entries of interest. You can select to upload only those messages that<br />
conform to the specified:<br />
• severity<br />
• starting <strong>and</strong> ending date <strong>and</strong> time<br />
• match expression<br />
The uploaded messages can be formatted differently from the format configured for the targets, <strong>and</strong> you<br />
can choose to upload the messages in order of newest to oldest, or in chronological order (oldest to<br />
newest).<br />
Displaying Counts of Event Occurrences<br />
EMS adds the ability to count the number of occurrences of events. Even when an event is filtered from<br />
all log targets, the event is counted. (The exception to this is events of any of the debug severities,<br />
which are only counted when the log debug mode is enabled.) To display the event counters, use the<br />
following comm<strong>and</strong>:<br />
show log counters { | [all | ] {severity <br />
{only}}}<br />
Two counters are displayed. One counter displays the number of times an event has occurred, <strong>and</strong> the<br />
other displays the number of times that notification for the event was made to the system for further<br />
processing. Both counters reflect totals accumulated since reboot or since the counters were cleared<br />
using the clear log counters or clear counters comm<strong>and</strong>.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 137
Status Monitoring <strong>and</strong> Statistics<br />
This comm<strong>and</strong> also displays an included count (the column titled In in the output). The reference<br />
count is the number of enabled targets receiving notifications of this event without regard to matching<br />
parameters.<br />
The keywords included, notified, <strong>and</strong> occurred only display events with non-zero counter values for<br />
the corresponding counter.<br />
Output of the comm<strong>and</strong>:<br />
show log counters stp.inbpdu severity debug-summary<br />
will be similar to the following:<br />
Comp SubComp Condition Severity Occurred In Notified<br />
------- ----------- ----------------------- ------------- -------- -- --------<br />
STP InBPDU<br />
Drop Error 0 1 0<br />
Ign Debug-Summary 0+ 0 0<br />
Trace Info 0 0 0<br />
Occurred : # of times this event has occurred since last clear or reboot<br />
Flags : (+) Debug events are not counted while log debug-mode is disabled<br />
In(cluded): # of enabled targets whose filter includes this event<br />
Notified : # of times this event has occurred when 'Included' was non-zero<br />
Output of the comm<strong>and</strong>:<br />
show log counters stp.inbpdu.drop<br />
will be similar to the following:<br />
Comp SubComp Condition Severity Occurred In Notified<br />
------- ----------- ----------------------- ------------- -------- -- --------<br />
STP InBPDU<br />
Drop Error 0 1 0<br />
Displaying Debug Information<br />
By default, a switch will not generate events of severity Debug-Summary, Debug-Verbose, <strong>and</strong><br />
Debug-Data unless the switch is in debug mode. Debug mode causes a performance penalty, so it<br />
should only be enabled for specific cases where it is needed. To place the switch in debug mode, use the<br />
following comm<strong>and</strong>:<br />
enable log debug-mode<br />
Once debug mode is enabled, any filters configured for your targets will still affect which messages are<br />
passed on or blocked.<br />
NOTE<br />
Previous versions of <strong><strong>Extreme</strong>Ware</strong> used the debug-trace comm<strong>and</strong> to enable debugging. Not all<br />
systems in <strong><strong>Extreme</strong>Ware</strong> were converted to use EMS in the initial release. As a result, some debug<br />
information still requires you to use the corresponding debug-trace comm<strong>and</strong>. The show log component<br />
comm<strong>and</strong> displays the systems in your image that are part of EMS. Any systems in EMS will not have<br />
debug-trace comm<strong>and</strong>s, <strong>and</strong> vice-versa<br />
138 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Event Management System/Logging<br />
Compatibility with previous <strong><strong>Extreme</strong>Ware</strong> comm<strong>and</strong>s<br />
Since EMS provides much more functionality, there are a number of new comm<strong>and</strong>s introduced to<br />
support it. However, if you do not require the enhanced capabilities provided by EMS, you can continue<br />
to use many of the logging comm<strong>and</strong>s that existed in earlier versions of <strong><strong>Extreme</strong>Ware</strong>. For consistency,<br />
the earlier comm<strong>and</strong>s are still supported. Listed below are earlier comm<strong>and</strong>s with their new comm<strong>and</strong><br />
equivalents.<br />
Enable / disable log display<br />
The following comm<strong>and</strong>s related to the serial port console:<br />
enable log display<br />
disable log display<br />
are equivalent to using the console-display option in the following comm<strong>and</strong>s:<br />
enable log target [console-display | memory-buffer | nvram | session | syslog [ {:} [local0 ... local7]]]<br />
disable log target [console-display | memory-buffer | nvram | session | syslog<br />
[ {:} [local0 ... local7]]]<br />
Note that the existing comm<strong>and</strong> enable log display applies only to the serial port console. Since the<br />
ability to display log messages on other sessions was added, the target name session was chosen. For<br />
clarity, the target name console-display was chosen to refer to the serial port console, previously<br />
referred to as simply display.<br />
Configure log display<br />
The following comm<strong>and</strong> related to the serial port console:<br />
configure log display {}<br />
is equivalent to:<br />
configure log target console-display severity <br />
Remote syslog comm<strong>and</strong>s<br />
The following comm<strong>and</strong> related to remote syslog hosts:<br />
configure syslog {add} {: } [local0 ... local7] {}<br />
is equivalent to the following two comm<strong>and</strong>s:<br />
configure syslog add {: } [local0 ... local7]<br />
configure log target syslog {: } [local0 ... local7] severity<br />
<br />
NOTE<br />
Refer to your UNIX documentation for more information about the syslog host facility.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 139
Status Monitoring <strong>and</strong> Statistics<br />
Logging Configuration Changes<br />
<strong><strong>Extreme</strong>Ware</strong> allows you to record all configuration changes <strong>and</strong> their sources that are made using the<br />
CLI by way of telnet or the local console. The changes cause events that are logged to the target logs.<br />
Each log entry includes the user account name that performed the change <strong>and</strong> the source IP address of<br />
the client (if telnet was used). Configuration logging applies only to comm<strong>and</strong>s that result in a<br />
configuration change. To enable configuration logging, use the following comm<strong>and</strong>:<br />
enable cli-config-logging<br />
To disable configuration logging, use the following comm<strong>and</strong>:<br />
disable cli-config-logging<br />
CLI configuration logging is enabled by default.<br />
RMON<br />
Using the Remote Monitoring (RMON) capabilities of the switch allows network administrators to<br />
improve system efficiency <strong>and</strong> reduce the load on the network.<br />
The following sections explain more about the RMON concept <strong>and</strong> the RMON features supported by<br />
the switch.<br />
NOTE<br />
You can only use the RMON features of the system if you have an RMON management application, <strong>and</strong><br />
have enabled RMON on the switch.<br />
About RMON<br />
RMON is the common abbreviation for the Remote Monitoring Management Information Base (MIB)<br />
system defined by the Internet Engineering Task Force (IETF) documents RFC 1271 <strong>and</strong> RFC 1757,<br />
which allows you to monitor LANs remotely.<br />
A typical RMON setup consists of the following two components:<br />
• RMON probe—An intelligent, remotely controlled device or software agent that continually collects<br />
statistics about a LAN segment or VLAN. The probe transfers the information to a management<br />
workstation on request, or when a predefined threshold is crossed.<br />
• Management workstation—Communicates with the RMON probe <strong>and</strong> collects the statistics from it.<br />
The workstation does not have to be on the same network as the probe, <strong>and</strong> can manage the probe<br />
by in-b<strong>and</strong> or out-of-b<strong>and</strong> connections.<br />
RMON Features of the Switch<br />
The IETF defines nine groups of Ethernet RMON statistics. The switch supports the following four of<br />
these groups:<br />
• Statistics<br />
• History<br />
• Alarms<br />
140 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
RMON<br />
• Events<br />
This section describes these groups <strong>and</strong> discusses how they can be used.<br />
Statistics<br />
The RMON Ethernet Statistics group provides traffic <strong>and</strong> error statistics showing packets, bytes,<br />
broadcasts, multicasts, <strong>and</strong> errors on a LAN segment or VLAN.<br />
Information from the Statistics group is used to detect changes in traffic <strong>and</strong> error patterns in critical<br />
areas of the network.<br />
History<br />
The History group provides historical views of network performance by taking periodic samples of the<br />
counters supplied by the Statistics group. The group features user-defined sample intervals <strong>and</strong> bucket<br />
counters for complete customization of trend analysis.<br />
The group is useful for analysis of traffic patterns <strong>and</strong> trends on a LAN segment or VLAN, <strong>and</strong> to<br />
establish baseline information indicating normal operating parameters.<br />
Alarms<br />
The Alarms group provides a versatile, general mechanism for setting threshold <strong>and</strong> sampling intervals<br />
to generate events on any RMON variable. Both rising <strong>and</strong> falling thresholds are supported, <strong>and</strong><br />
thresholds can be on the absolute value of a variable or its delta value. In addition, alarm thresholds can<br />
be autocalibrated or set manually.<br />
Alarms inform you of a network performance problem <strong>and</strong> can trigger automated action responses<br />
through the Events group.<br />
Events<br />
The Events group creates entries in an event log <strong>and</strong>/or sends SNMP traps to the management<br />
workstation. An event is triggered by an RMON alarm. The action taken can be configured to ignore it,<br />
to log the event, to send an SNMP trap to the receivers listed in the trap receiver table, or to both log<br />
<strong>and</strong> send a trap. The RMON traps are defined in RFC 1757 for rising <strong>and</strong> falling thresholds.<br />
Effective use of the Events group saves you time. Rather than having to watch real-time graphs for<br />
important occurrences, you can depend on the Event group for notification. Through the SNMP traps,<br />
events can trigger other actions, which provides a mechanism for an automated response to certain<br />
occurrences.<br />
Configuring RMON<br />
RMON requires one probe per LAN segment, <strong>and</strong> st<strong>and</strong>alone RMON probes traditionally have been<br />
expensive. Therefore, <strong>Extreme</strong>’s approach has been to build an inexpensive RMON probe into the agent<br />
of each system. This allows RMON to be widely deployed around the network without costing more<br />
than traditional network management. The switch accurately maintains RMON statistics at the<br />
maximum line rate of all of its ports.<br />
For example, statistics can be related to individual ports. Also, because a probe must be able to see all<br />
traffic, a st<strong>and</strong>-alone probe must be attached to a nonsecure port. Implementing RMON in the switch<br />
means that all ports can have security features enabled.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 141
Status Monitoring <strong>and</strong> Statistics<br />
To enable or disable the collection of RMON statistics on the switch, use one of the following<br />
comm<strong>and</strong>s:<br />
enable rmon<br />
disable rmon<br />
By default, RMON is disabled. However, even in the disabled state, the switch responds to RMON<br />
queries <strong>and</strong> sets for alarms <strong>and</strong> events. By enabling RMON, the switch begins the processes necessary<br />
for collecting switch statistics.<br />
Event Actions<br />
The actions that you can define for each alarm are shown in Table 20.<br />
Table 20: Event Actions<br />
Action<br />
No action<br />
Notify only<br />
Notify <strong>and</strong> log<br />
High Threshold<br />
Send trap to all trap receivers.<br />
Send trap; place entry in RMON log.<br />
To be notified of events using SNMP traps, you must configure one or more trap receivers, as described<br />
in Chapter 3.<br />
142 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
10 Security<br />
This chapter describes the following topics:<br />
• Security Overview on page 143<br />
• Network Access Security on page 143<br />
— MAC-Based VLANs on page 144<br />
— IP Access Lists (ACLs) on page 144<br />
— MAC Address Security on page 153<br />
— Network Login on page 156<br />
— Unified Access Security on page 168<br />
— Trusted Organizational Unique Identifier on page 168<br />
• Trusted Organizational Unique Identifier on page 168<br />
— Profile Assignment Example on page 194<br />
— Denial of Service Protection on page 202<br />
• Duplicate IP Protection on page 210<br />
— Authenticating <strong>User</strong>s Using RADIUS or TACACS+ on page 211<br />
— Configuring Timeout on page 219<br />
• Unified Access MAC RADIUS on page 224<br />
Security Overview<br />
<strong>Extreme</strong> <strong>Networks</strong> products incorporate a number of features designed to enhance the security of your<br />
network. No one feature can insure security, but by using a number of features in concert, you can<br />
substantially improve the security of your network. The features described in this chapter are part of an<br />
overall approach to network security<br />
Network Access Security<br />
Network access security features control devices accessing your network. In this category are the<br />
following features:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 143
Security<br />
• MAC-Based VLANs<br />
• IP Access Lists (ACLs)<br />
• MAC Address Security<br />
• Network Login<br />
• Unified Access Security<br />
MAC-Based VLANs<br />
MAC-Based VLANs allow physical ports to be mapped to a VLAN based on the source MAC address<br />
learned in the FDB. This feature allows you to designate a set of ports that have their VLAN<br />
membership dynamically determined by the MAC address of the end station that plugs into the<br />
physical port. You can configure the source MAC address-to-VLAN mapping either offline or<br />
dynamically on the switch. For example, you could use this application for a roaming user who wants<br />
to connect to a network from a conference room. In each room, the user plugs into one of the designated<br />
ports on the switch <strong>and</strong> is mapped to the appropriate VLAN. Connectivity is maintained to the network<br />
with all of the benefits of the configured VLAN in terms of QoS, routing, <strong>and</strong> protocol support.<br />
Detailed information about configuring <strong>and</strong> using MAC-based VLANs can be found in Chapter 5.<br />
IP Access Lists (ACLs)<br />
Each access control list (ACL) consists of an access mask that selects which fields of each incoming<br />
packet to examine, <strong>and</strong> a list of values to compare with the values found in the packet. Access masks<br />
can be shared multiple access control lists, using different lists of values to examine packets. The<br />
following sections describe how to use access control lists.<br />
Access Masks<br />
There are sixteen access masks available in the Summit 400-48t, depending on which features are<br />
enabled on the switch. Each access mask is created with a unique name <strong>and</strong> defines a list of fields that<br />
will be examined by any access control list that uses that mask (<strong>and</strong> by any rate limit that uses the<br />
mask).<br />
To create an access mask, use the following comm<strong>and</strong>:<br />
create access-mask {dest-mac} {source-mac} {vlan} {tos<br />
|code-point} {ethertype} {ipprotocol} {dest-ip/} {source-L4port |<br />
{icmp-type} {icmp-code}} {permit-established} {egresport} {ports} {precedence<br />
}{vlan-pri}{vlan-pri-2bits}<br />
You can also display or delete an access mask. To display information about an access mask, use the<br />
following comm<strong>and</strong>:<br />
show access-mask {}<br />
To delete an access mask, use the following comm<strong>and</strong>:<br />
delete access-mask <br />
144 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
IP Access Lists (ACLs)<br />
Access Lists<br />
Access control lists are used to perform packet filtering <strong>and</strong> forwarding decisions on incoming traffic.<br />
Each packet arriving on an ingress port is compared to the access list in sequential order <strong>and</strong> is either<br />
forwarded to a specified QoS profile or dropped. These forwarded packets can also be modified by<br />
changing the 802.1p value <strong>and</strong>/or the DiffServ code point. Using access lists has no impact on switch<br />
performance.<br />
The Summit “e” series switches support up to 16 access lists. Each entry that makes up an access list<br />
contains a unique name <strong>and</strong> specifies a previously created access mask. The access list also includes a<br />
list of values to compare with the incoming packets, <strong>and</strong> an action to take for packets that match. When<br />
you create an access list, you must specify a value for each of the fields that make up the access mask<br />
used by the list.<br />
To create an access list, use the following comm<strong>and</strong>:<br />
create access-list access-mask {dest-mac
Security<br />
Rate Limits<br />
Rate limits are almost identical to access control lists. Incoming packets that match a rate limit access<br />
control list are allowed as long as they do not exceed a pre-defined rate. Excess packets are either<br />
dropped, or modified by resetting their DiffServ code point.<br />
Each entry that makes up a rate limit contains a unique name <strong>and</strong> specifies a previously created access<br />
mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets <strong>and</strong><br />
an action to take for packets that match. Additionally, a rate limit specifies an action to take when<br />
matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify<br />
a value for each of the fields that make up the access mask used by the list.<br />
To create a rate limit rule, use the following comm<strong>and</strong>:<br />
create rate-limit access-mask {dest-mac }<br />
{source-mac } {vlan } {ethertype [IP | ARP | ]} {tos<br />
| code-point } {ipprotocol [tcp | udp | icmp | igmp |<br />
]} {dest-ip /} {dest-L4port }<br />
{source-ip /} {source-L4port [permit {qosprofile<br />
} {set code-point } {set dot1p
IP Access Lists (ACLs)<br />
How Access Control Lists Work<br />
When a packet arrives on an ingress port, the fields of the packet corresponding to an access mask are<br />
compared with the values specified by the associated access lists to determine a match.<br />
It is possible that a packet can match more than one access control list. If the resulting actions of all the<br />
matches do not conflict, they are all be carried out. If there is a conflict, the actions of the access list<br />
using the higher precedence access mask are applied. When a match is found, the packet is processed. If<br />
the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is<br />
forwarded. A permit access list can also apply a QoS profile to the packet <strong>and</strong> modify the packet’s<br />
802.1p value <strong>and</strong> the DiffServ code point.<br />
Access Mask Precedence Numbers<br />
The access mask precedence number determines the order in which each rule is examined by the switch<br />
<strong>and</strong> is optional. Access control list entries are evaluated from highest precedence to lowest precedence.<br />
Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence, but an access<br />
mask without a precedence specified has a higher precedence than any access mask with a precedence<br />
specified. The first access mask defined without a specified precedence has the highest precedence.<br />
Subsequent masks without a specified precedence have a lower precedence, <strong>and</strong> so on.<br />
Specifying a Default Rule<br />
You can specify a default access control list to define the default access to the switch. You should use an<br />
access mask with a low precedence for the default rule access control list. If no other access control list<br />
entry is satisfied, the default rule is used to determine whether the packet is forwarded or dropped. If<br />
no default rule is specified, the default behavior is to forward the packet.<br />
NOTE<br />
If your default rule denies traffic, you should not apply this rule to the Summit 400-48t port used as a<br />
management port.<br />
Once the default behavior of the access control list is established, you can create additional entries using<br />
precedence numbers.<br />
The permit-established Keyword<br />
The permit-established keyword is used to directionally control attempts to open a TCP session.<br />
Session initiation can be explicitly blocked using this keyword.<br />
The permit-established keyword denies the access control list. Having a permit-established access<br />
control list blocks all traffic that matches the TCP source/destination, <strong>and</strong> has the SYN=1 <strong>and</strong> ACK=0<br />
flags set.<br />
Adding Access Mask, Access List, <strong>and</strong> Rate Limit Entries<br />
Entries can be added to the access masks, access lists, <strong>and</strong> rate limits. To add an entry, you must supply<br />
a unique name using the create comm<strong>and</strong>, <strong>and</strong> supply a number of optional parameters. For access<br />
lists <strong>and</strong> rate limits, you must specify an access mask to use. To modify an existing entry, you must<br />
delete the entry <strong>and</strong> retype it, or create a new entry with a new unique name.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 147
Security<br />
To add an access mask entry, use the following comm<strong>and</strong>:<br />
create access-mask ...<br />
To add an access list entry, use the following comm<strong>and</strong>:<br />
create access-list ...<br />
To add a rate limit entry, use the following comm<strong>and</strong>:<br />
create rate-limit ...<br />
Maximum Entries<br />
If you try to create an access mask when no more are available, the system will issue a warning<br />
message. Three access masks are constantly used by the system, leaving a maximum of 13<br />
user-definable access masks. However, enabling some features causes the system to use additional<br />
access masks, reducing the number available.<br />
For each of the following features that you enable, the system will use one access mask. When the<br />
feature is disabled, the mask will again be available. The features are:<br />
• RIP<br />
• IGMP or OSPF (both would share a single mask)<br />
• DiffServ examination<br />
• QoS monitor<br />
The maximum number of access list allowed by the hardware is 254 for each block of eight<br />
10/100 Mbps Ethernet ports <strong>and</strong> 126 for each Gbps Ethernet port, for a total of 1014 rules (254*3+126*2).<br />
Most user entered access list comm<strong>and</strong>s will require multiple rules on the hardware. For example, a<br />
global rule (an access control list using an access mask without “ports” defined), will require 5 rules,<br />
one for each of the 5 blocks of ports on the hardware.<br />
The maximum number of rate-limiting rules allowed is 315 (63*5). This number is part of the total<br />
access control list rules (1014).<br />
Deleting Access Mask, Access List, <strong>and</strong> Rate Limit Entries<br />
Entries can be deleted from access masks, access lists, <strong>and</strong> rate limits. An access mask entry cannot be<br />
deleted until all the access lists <strong>and</strong> rate limits that reference it are also deleted.<br />
To delete an access mask entry, use the following comm<strong>and</strong>:<br />
delete access-mask <br />
To delete an access list entry, use the following comm<strong>and</strong>:<br />
delete access-list <br />
To delete a rate limit entry, use the following comm<strong>and</strong>:<br />
delete rate-limit <br />
Verifying Access Control List Configurations<br />
To verify access control list settings, you can view the access list configuration.<br />
To view the access list configuration use the following comm<strong>and</strong>:<br />
148 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
IP Access Lists (ACLs)<br />
show access-list { | port }<br />
To view the rate limit configuration use the following comm<strong>and</strong>:<br />
show rate-limit { | ports }<br />
To view the access mask configuration use the following comm<strong>and</strong>:<br />
show access-mask {}<br />
Access Control List Examples<br />
This section presents three access control list examples:<br />
• Using the permit-establish keyword<br />
• Filtering ICMP packets<br />
• Using a rate limit<br />
Using the Permit-Established Keyword<br />
This example uses an access list that permits TCP sessions (Telnet, FTP, <strong>and</strong> HTTP) to be established in<br />
one direction.<br />
The switch, shown in Figure 13, is configured as follows:<br />
• Two VLANs, NET10 VLAN <strong>and</strong> NET20 VLAN, are defined.<br />
• The NET10 VLAN is connected to port 2 <strong>and</strong> the NET20 VLAN is connected to port 10<br />
• The IP addresses for NET10 VLAN is 10.10.10.1/24.<br />
• The IP address for NET20 VLAN is 10.10.20.1/24.<br />
• The workstations are configured using addresses 10.10.10.100 <strong>and</strong> 10.10.20.100.<br />
• IP Forwarding is enabled.<br />
Figure 13: Permit-established access list example topology<br />
10.10.10.1<br />
10.10.20.1<br />
10.10.10.100 10.10.20.100<br />
NET10 VLAN<br />
NET20 VLAN<br />
ES4K009<br />
The following sections describe the steps used to configure the example.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 149
Security<br />
Step 1—Deny IP Traffic.<br />
First, create an access-mask that examines the IP protocol field for each packet. Then create two<br />
access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP,<br />
it is technically not an IP data packet. Thus, ICMP data traffic, such as ping traffic, is not affected.<br />
The following comm<strong>and</strong>s creates the access mask <strong>and</strong> access lists:<br />
create access-mask ipproto_mask ipprotocol ports precedence 25000<br />
create access-list denytcp ipproto_mask ipprotocol tcp ports 2,10 deny<br />
create access-list denyudp ipproto_mask ipprotocol udp ports 2,10 deny<br />
Figure 14 illustrates the outcome of the access control list.<br />
Figure 14: Access control list denies all TCP <strong>and</strong> UDP traffic<br />
10.10.10.1<br />
10.10.20.1<br />
10.10.10.100 10.10.20.100<br />
NET10 VLAN<br />
NET20 VLAN<br />
TCP<br />
UDP<br />
ICMP<br />
ES4K010<br />
Step 2—Allow TCP traffic.<br />
The next set of access list comm<strong>and</strong>s permits TCP-based traffic to flow. Because each session is<br />
bi-directional, an access list must be defined for each direction of the traffic flow. UDP traffic is still<br />
blocked.<br />
The following comm<strong>and</strong>s create the access control list:<br />
create access-mask ip_addr_mask ipprotocol dest-ip/32 source-ip/32 ports precedence<br />
20000<br />
create access-list tcp1_2 ip_addr_mask ipprotocol tcp dest-ip 10.10.20.100/32<br />
source-ip 10.10.10.100/32 ports 2 permit qp1<br />
create access-list tcp2_1 ip_addr_mask ipprotocol tcp dest-ip 10.10.10.100/32<br />
source-ip 10.10.20.100/32 ports 10 permit qp1<br />
Figure 15 illustrates the outcome of this access list.<br />
150 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
IP Access Lists (ACLs)<br />
Figure 15: Access list allows TCP traffic<br />
TCP<br />
UDP<br />
ICMP<br />
10.10.10.100 10.10.20.100<br />
EW_035<br />
Step 3 - Permit-Established Access List.<br />
When a TCP session begins, there is a three-way h<strong>and</strong>shake that includes a sequence of a SYN,<br />
SYN/ACK, <strong>and</strong> ACK packets. Figure 16 shows an illustration of the h<strong>and</strong>shake that occurs when host A<br />
initiates a TCP session to host B. After this sequence, actual data can be passed.<br />
Figure 16: Host A initiates a TCP session to host B<br />
Host A<br />
SYN<br />
SYN / ACK<br />
ACK<br />
Host B<br />
EW_036<br />
An access list that uses the permit-established keyword filters the SYN packet in one direction.<br />
Use the permit-established keyword to allow only host A to be able to establish a TCP session to host B<br />
<strong>and</strong> to prevent any TCP sessions from being initiated by host B, as illustrated in Figure 16. The<br />
comm<strong>and</strong>s for this access control list is as follows:<br />
create access-mask tcp_connection_mask ipprotocol dest-ip/32 dest-L4port<br />
permit-established ports precedence 1000<br />
create access-list telnet-deny tcp_connection_mask ipprotocol tcp dest-ip<br />
10.10.10.100/32 dest-L4port 23 ports 10 permit-established<br />
NOTE<br />
This step may not be intuitive. Pay attention to the destination <strong>and</strong> source address, the ingress port that<br />
the rule is applied to, <strong>and</strong> the desired affect.<br />
NOTE<br />
This rule has a higher precedence than the rule “tcp2_1” <strong>and</strong> “tcp1_2”.<br />
Figure 17 shows the final outcome of this access list.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 151
Security<br />
Figure 17: Permit-established access list filters out SYN packet to destination<br />
SYN<br />
SYN<br />
10.10.10.100 10.10.20.100<br />
EW_037<br />
Example 2: Filter ICMP Packets<br />
This example creates an access list that filters out ping (ICMP echo) packets. ICMP echo packets are<br />
defined as type 8 code 0.<br />
The comm<strong>and</strong>s to create this access control list is as follows:<br />
create access-mask icmp_mask ipprotocol icmp-type icmp-code<br />
create access-list denyping icmp_mask ipprotocol icmp icmp-type 8 icmp-code 0 deny<br />
The output for this access list is shown in Figure 18.<br />
Figure 18: ICMP packets are filtered out<br />
10.10.10.1<br />
10.10.20.1<br />
10.10.10.100 10.10.20.100<br />
NET10 VLAN<br />
NET20 VLAN<br />
ICMP<br />
ES4K011<br />
Example 3: Rate-limiting Packets<br />
This example creates a rate limit to limit the incoming traffic from the 10.10.10.x subnet to 10 Mbps on<br />
ingress port 2. Ingress traffic on port 2 below the rate limit is sent to QoS profile qp1 with its DiffServ<br />
code point set to 7. Ingress traffic on port 2 in excess of the rate limit will be dropped.<br />
The comm<strong>and</strong>s to create this rate limit is as follows:<br />
create access-mask port2_mask source-ip/24 ports precedence 100<br />
create rate-limit port2_limit port2_mask source-ip 10.10.10.0/24 port 2 permit qp1 set<br />
code-point 7 limit 10 exceed-action drop<br />
152 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
MAC Address Security<br />
MAC Address Security<br />
The switch maintains a database of all media access control (MAC) addresses received on all of its ports.<br />
It uses the information in this database to decide whether a frame should be forwarded or filtered.<br />
MAC address security allows you to control the way the Forwarding Database (FDB) is learned <strong>and</strong><br />
populated. By managing entries in the FDB, you can block, assign priority (queues), <strong>and</strong> control packet<br />
flows on a per-address basis.<br />
MAC address security allows you to limit the number of dynamically-learned MAC addresses allowed<br />
per virtual port. You can also “lock” the FDB entries for a virtual port, so that the current entries will<br />
not change, <strong>and</strong> no additional addresses can be learned on the port.<br />
NOTE<br />
You can either limit dynamic MAC FDB entries, or lock down the current MAC FDB entries, but not both.<br />
You can also prioritize or stop packet flows based on the source MAC address of the ingress VLAN or<br />
the destination MAC address of the egress VLAN.<br />
Limiting Dynamic MAC Addresses<br />
You can set a predefined limit on the number of dynamic MAC addresses that can participate in the<br />
network. After the FDB reaches the MAC limit, all new source MAC addresses are blackholed at both<br />
the ingress <strong>and</strong> egress points. These dynamic blackhole entries prevent the MAC addresses from<br />
learning <strong>and</strong> responding to Internet control message protocol (ICMP) <strong>and</strong> address resolution protocol<br />
(ARP) packets.<br />
To limit the number of dynamic MAC addresses that can participate in the network, use the following<br />
comm<strong>and</strong>:<br />
configure ports [ vlan | all] limit-learning <br />
This comm<strong>and</strong> specifies the number of dynamically-learned MAC entries allowed for these ports in this<br />
VLAN. The range is 0 to 500,000 addresses.<br />
When the learned limit is reached, all new source MAC addresses are blackholed at the ingress <strong>and</strong><br />
egress points. This prevent these MAC addresses from learning <strong>and</strong> responding to Internet control<br />
message protocol (ICMP) <strong>and</strong> address resolution protocol (ARP) packets.<br />
Dynamically learned entries still get aged <strong>and</strong> can be cleared. If entries are cleared or aged out after the<br />
learning limit has been reached, new entries will then be able to be learned until the limit is reached<br />
again.<br />
Permanent static <strong>and</strong> permanent dynamic entries can still be added <strong>and</strong> deleted using the create<br />
fdbentry vlan dynamic <strong>and</strong> delete fdbentry comm<strong>and</strong>s. These override any dynamically learned<br />
entries.<br />
For ports that have a learning limit in place, the following traffic will still flow to the port:<br />
• Packets destined for permanent MAC addresses <strong>and</strong> other non-blackholed MAC addresses<br />
• Broadcast traffic<br />
• EDP traffic<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 153
Security<br />
Traffic from the permanent MAC <strong>and</strong> any other non-blackholed MAC addresses will still flow from the<br />
virtual port.<br />
To remove the learning limit, use the following comm<strong>and</strong>:<br />
configure ports [ vlan | all] unlimited-learning<br />
To verify the configuration, use the following comm<strong>and</strong>s:<br />
show vlan security<br />
This comm<strong>and</strong> displays the MAC security information for the specified VLAN.<br />
show ports info<br />
This comm<strong>and</strong> displays detailed information, including MAC security information, for the specified<br />
port.<br />
SNMP Traps <strong>and</strong> Syslog Messages For MAC Address Limits<br />
To generate a syslog message <strong>and</strong> an SNMP trap when the limit is reached <strong>and</strong> a new source MAC<br />
address attempts to participate in the network, use the following comm<strong>and</strong>:<br />
enable snmp traps mac-security<br />
The information generated should help detect unauthorized devices that attempt to access the network.<br />
Enabling the trap also enables the syslog; there is no separate comm<strong>and</strong> for that. The comm<strong>and</strong> is a<br />
global comm<strong>and</strong>; there is no per port or per VLAN control.<br />
To disable the generation of MAC address limit SNMP traps <strong>and</strong> syslog messages, use the following<br />
comm<strong>and</strong>:<br />
disable snmp traps mac-security<br />
For more information about configuring SNMP <strong>and</strong> the MAC limit SNMP trap, see “Using SNMP” on<br />
page 46,.<br />
Limiting MAC Addresses with ESRP Enabled<br />
If you configure a MAC address limit on VLANS that have ESRP enabled, you should add an<br />
additional back-to-back link (that has no MAC address limit on these ports) between the ESRP-enabled<br />
switches. Doing so prevents ESRP PDU from being dropped due to MAC address limit settings.<br />
Figure 19 is an example of configuring a MAC address limit on an ESRP-enabled VLAN.<br />
154 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
MAC Address Security<br />
Figure 19: MAC address limits <strong>and</strong> ESRP-enabled VLANs<br />
ESRP<br />
vlan<br />
10.1.2.1<br />
S2<br />
20.1.1.1<br />
20.1.2.2<br />
S1<br />
S4<br />
192.10.1.1<br />
10.1.2.2<br />
30.1.1.2<br />
10.1.2.100 192.10.1.100<br />
S3<br />
10.1.2.1<br />
30.1.1.1<br />
n Figure 19, S2 <strong>and</strong> S3 are ESRP-enabled switches, while S1 is an ESRP-aware (regular layer 2) switch.<br />
Configuring a MAC address limit on all S1 ports might prevent ESRP communication between S2 <strong>and</strong><br />
S3. To resolve this, you should add a back-to-back link between S2 <strong>and</strong> S3. This link is not needed if<br />
MAC address limiting is configured only on S2 <strong>and</strong> S3, but not on S1.<br />
ES4K012<br />
MAC Address Lock Down<br />
In contrast to limiting learning on virtual ports, you can lock down the existing dynamic FDB entries<br />
<strong>and</strong> prevent any additional learning using the following comm<strong>and</strong>:<br />
configure ports [ vlan | all] lock-learning<br />
This comm<strong>and</strong> causes all dynamic FDB entries associated with the specified VLAN <strong>and</strong> ports to be<br />
converted to locked static entries. It also sets the learning limit to zero, so that no new entries can be<br />
learned. All new source MAC addresses are blackholed.<br />
Locked entries do not get aged, but can be deleted like a regular permanent entry.<br />
For ports that have lock-down in effect, the following traffic will still flow to the port:<br />
• Packets destined for the permanent MAC <strong>and</strong> other non-blackholed MAC addresses<br />
• Broadcast traffic<br />
• EDP traffic<br />
Traffic from the permanent MAC will still flow from the virtual port.<br />
To remove MAC address lock down, use the following comm<strong>and</strong>:<br />
configure ports [ vlan | all] unlock-learning<br />
When you remove the lock down using the unlock-learning option, the learning-limit is reset to<br />
unlimited, <strong>and</strong> all associated entries in the FDB are flushed.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 155
Security<br />
Network Login<br />
Network login controls the admission of user packets into a network by giving addresses only to users<br />
that are properly authenticated. Network login is controlled on a per port, per VLAN basis. When<br />
network login is enabled on a port in a VLAN, that port does not forward any packets until<br />
authentication takes place.<br />
Network login is compatible with two types of authentication, web-based <strong>and</strong> 802.1x, <strong>and</strong> two different<br />
modes of operation, Campus mode <strong>and</strong> ISP mode. The authentication types <strong>and</strong> modes of operation can<br />
be used in any combination.<br />
When web-based network login is enabled on a switch port, that port is placed into a non-forwarding<br />
state until authentication takes place. To authenticate, a user (supplicant) must open a web browser <strong>and</strong><br />
provide the appropriate credentials. These credentials are either approved, in which case the port is<br />
placed in forwarding mode, or not approved, in which case the port remains blocked. Three failed login<br />
attempts disables the port for a configured length of time. <strong>User</strong> logout can be initiated by submitting a<br />
logout request or closing the logout window.<br />
The following capabilities are included in network login:<br />
• Web-based login using http <strong>and</strong> https available on each wired <strong>and</strong> wireless port<br />
• 802.1x <strong>and</strong> web based network login supported on the same wired ports<br />
• Multiple supplicants on each wired 10/100 <strong>and</strong> wireless port<br />
• Single VLAN assignment for all users authenticated on a wired port<br />
• Per-user VLAN support for all users authenticated on a wireless port<br />
Web-Based <strong>and</strong> 802.1x Authentication<br />
Authentication is h<strong>and</strong>led as a web-based process, or as described in the IEEE 802.1x specification.<br />
Web-based network login does not require any specific client software <strong>and</strong> can work with any<br />
HTTP-compliant web browser. By contrast, 802.1x authentication may require additional software<br />
installed on the client workstation, making it less suitable for a user walk-up situation, such as a<br />
cyber-café or coffee shop. 1 <strong>Extreme</strong> <strong>Networks</strong> supports a smooth transition from web-based to 802.1x<br />
authentication.<br />
DHCP is required for web-based network login because the underlying protocol used to carry<br />
authentication request-response is HTTP. The client requires an IP address to send <strong>and</strong> receive HTTP<br />
packets. Before the client is authenticated, however, the only connection exists is to the authenticator. As<br />
a result, the authenticator must be furnished with a temporary DHCP server to distribute the IP<br />
address.<br />
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as<br />
dhcp-address-range <strong>and</strong> dhcp-options are configured on the Netlogin VLAN. The switch can also<br />
answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If netlogin<br />
clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network,<br />
DHCP should not be enabled on the VLAN.<br />
The DHCP allocation for network login has a short time default duration of 10 seconds <strong>and</strong> is intended<br />
to perform web-based network login only. As soon as the client is authenticated, it is deprived of this<br />
1. A workstation running Windows XP supports 802.1x natively <strong>and</strong> does not require additional authentication<br />
software.<br />
156 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Network Login<br />
address. The client must obtain a operational address from another DHCP server in the network. DHCP<br />
is not required for 802.1x, because 802.1x uses only Layer 2 frames (EAPOL).<br />
URL redirection (applicable to web-based mode only) is a mechanism to redirect any HTTP request to<br />
the base URL of the authenticator when the port is in unauthenticated mode. In other words, when the<br />
user tries to log in to the network using the browser, the user is first redirected to the network login<br />
page. Only after a successful login is the user connected to the network.<br />
Web-based <strong>and</strong> 802.1x authentication each have advantages <strong>and</strong> disadvantages, as summarized next.<br />
Advantages of 802.1x Authentication:<br />
• In cases where the 802.1x is natively supported, login <strong>and</strong> authentication happens transparently.<br />
• Authentication happens at Layer 2. It does not involve getting a temporary IP address <strong>and</strong><br />
subsequent release of the address to obtain a more permanent IP address.<br />
• Allows for periodic, transparent, re-authorization of supplicants.<br />
Disadvantages of 802.1x Authentication:<br />
• 802.1x native support is available only on newer operating systems, such as Windows XP or<br />
Windows 2000 with service pack 4.<br />
• 802.1x requires an EAP-capable RADIUS Server. Most current RADIUS servers support EAP.<br />
Advantages of Web-based Authentication:<br />
• Works with any operating system. There is need for special client side software.; only a web browser<br />
is needed.<br />
Disadvantages of Web-based Authentication:<br />
• The login process involves manipulation of IP addresses <strong>and</strong> must be done outside the scope of a<br />
normal computer login process. It is not tied to Windows login. The client must bring up a login<br />
page <strong>and</strong> initiate a login.<br />
• Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the<br />
authenticator side.<br />
• Since wireless web-based network login supports only static WEP encryption, it is vulnerable to<br />
attack. Therefore, care should be taken when deploying this authentication mechanism. Using a<br />
secure web server (HTTP with SSL) alleviates some of this problem.<br />
• This method is not as effective in maintaining privacy protection.<br />
802.1x Authentication Methods<br />
802.1x authentication methods govern interactions between the supplicant (client) <strong>and</strong> the<br />
authentication server. The most commonly used methods are Transport Layer Security (TLS) <strong>and</strong><br />
Tunneled TLS (TTLS), which is a Funk/Certicom st<strong>and</strong>ards proposal.<br />
TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong<br />
as TLS. Both TLS <strong>and</strong> TTLS are certificate-based <strong>and</strong> require a Public Key Infrastructure (PKI) that can<br />
issue, renew, <strong>and</strong> revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by<br />
contrast with TLS, which requires client <strong>and</strong> server certificates. With TTLS, the client can use the MD5<br />
mode of username/password authentication.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 157
Security<br />
If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server,<br />
<strong>and</strong> 802.1x client on how to set up a PKI configuration.<br />
Campus <strong>and</strong> ISP Modes<br />
Network login supports two modes of operation, Campus <strong>and</strong> ISP. Campus mode is intended for<br />
mobile users who tend to move from one port to another <strong>and</strong> connect at various locations in the<br />
network. ISP mode is meant for users who connect through the same port <strong>and</strong> VLAN each time (the<br />
switch functions as an ISP).<br />
In campus mode, the clients are placed into a permanent VLAN following authentication with access to<br />
network resources. For wired ports, the port is moved from the temporary to the permanent VLAN.<br />
In ISP mode, the port <strong>and</strong> VLAN remain constant. Before the supplicant is authenticated, the port is in<br />
an unauthenticated state. After authentication, the port forwards packets.<br />
<strong>User</strong> Accounts<br />
You can create two types of user accounts for authenticating network login users: netlogin-only enabled<br />
<strong>and</strong> netlogin-only disabled. A netlogin-only disabled user can log in using network login <strong>and</strong> can also<br />
access the switch using Telnet, SSH, or HTTP. A netlogin-only enabled user can only log in using<br />
network login <strong>and</strong> cannot access the switch using the same login.<br />
Add the following line to the RADIUS server dictionary file for netlogin-only disabled users:<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-Netlogin-Only = Disabled<br />
Add the following line to the RADIUS server dictionary file for netlogin-only enabled users:<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-Netlogin-Only = Enabled<br />
Table 21 contains the Vendor Specific Attribute (VSA) definitions for web-based network login. The<br />
<strong>Extreme</strong> Network Vendor ID is 1916.<br />
Table 21: VSA Definitions for Web-based <strong>and</strong> 802.1x Network Login<br />
VSA<br />
Attribute<br />
Value Type Sent-in Description<br />
<strong>Extreme</strong>-Netlogin-VLAN 203 String Access-Accept Name of destination VLAN after successful<br />
authentication (must already exist on switch).<br />
<strong>Extreme</strong>-Netlogin-URL 204 String Access-Accept Destination web page after successful<br />
authentication.<br />
<strong>Extreme</strong>-Netlogin-URL- 205 String Access-Accept Text description of network login URL attribute.<br />
Desc<br />
<strong>Extreme</strong>-Netlogin-Only 206 Integer Access-Accept Indication of whether the user can authenticate<br />
using other means, such as telnet, console,<br />
SSH, or Vista. A value of “1” (enabled)<br />
indicates that the user can only authenticate<br />
via network login. A value of zero (disabled)<br />
indicates that the user can also authenticate<br />
via other methods.<br />
Interoperability Requirements<br />
For network login to operate, the user (supplicant) software <strong>and</strong> the authentication server must support<br />
common authentication methods. Not all combinations provide the appropriate functionality.<br />
158 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Network Login<br />
Supplicant Side<br />
On the client or supplicant side, the following platforms natively support 802.1x <strong>and</strong> perform MD5<br />
<strong>and</strong> TLS:<br />
• Windows XP<br />
• Windows 2000 Professional with Service Pack 4<br />
• Mac OS 10.3<br />
802.1x clients can be obtained for other operating systems <strong>and</strong> may support a combination of<br />
authentication methods.<br />
A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer<br />
authentication requires a certificate installed in the computer certificate store, <strong>and</strong> user authentication<br />
requires a certificate installed in the individual user's certificate store.<br />
By default, the Windows XP machine performs computer authentication as soon as the computer is<br />
powered on, or at link-up when no user is logged into the machine. <strong>User</strong> authentication is performed at<br />
link-up when the user is logged in.<br />
Windows XP also supports guest authentication, but this is disabled by default. Refer to relevant<br />
Microsoft documentation for further information. The Windows XP machine can be configured to<br />
perform computer authentication at link-up even if user is logged in.<br />
Authentication Server Side<br />
The RADIUS server used for authentication must be EAP-capable. Consider the following when<br />
choosing a RADIUS server:<br />
• Types of authentication methods supported on RADIUS, as mentioned previously.<br />
• Need to support Vendor Specific Attributes (VSA). Parameters such as <strong>Extreme</strong>-Netlogin-Vlan<br />
(destination vlan for port movement after authentication) <strong>and</strong> <strong>Extreme</strong>-NetLogin-only<br />
(authorization for network login only) are brought back as VSAs.<br />
• Need to support both EAP <strong>and</strong> traditional username-password authentication. These are used by<br />
network login <strong>and</strong> switch console login respectively.<br />
Multiple Supplicant Support<br />
An important enhancement over the IEEE 802.1x st<strong>and</strong>ard, is that <strong><strong>Extreme</strong>Ware</strong> supports multiple<br />
clients (supplicants) to be individually authenticated on the same port. This feature makes it possible for<br />
two client stations to be connected to the same port, with one being authenticated <strong>and</strong> the other not. A<br />
port's authentication state is the logical “OR” of the individual MAC's authentication states. In other<br />
words, a port is authenticated if any of its connected clients is authenticated. Multiple clients can be<br />
connected to a single port of authentication server through a hub or layer-2 switch.<br />
Multiple supplicants are supported in ISP mode for both web-based <strong>and</strong> 802.1x authentication. Multiple<br />
supplicants are not supported in Campus mode. Versions of <strong><strong>Extreme</strong>Ware</strong> previous to version 7.1.0 did<br />
not support multiple supplicants.<br />
The choice of web-based versus 802.1x authentication is again on a per-MAC basis. Among multiple<br />
clients on the same port, it is possible that some clients use web-based mode to authenticate, <strong>and</strong> some<br />
others use 802.1x.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 159
Security<br />
There are certain restrictions for multiple supplicant support:<br />
• Web-based mode will not support Campus mode for multiple supplicant because once the first MAC<br />
gets authenticated, the port is moved to a different VLAN <strong>and</strong> therefore other unauthenticated<br />
clients (which are still in the original VLAN), cannot have layer 3 message transactions with the<br />
authentication server.<br />
• Once the first MAC is authenticated, the port is transitioned to the authenticated state <strong>and</strong> other<br />
unauthenticated MACs can listen to all data destined for the first MAC. This could raise some<br />
security concerns as unauthenticated MACs can listen to all broadcast <strong>and</strong> multicast traffic directed<br />
to a Network Login-authenticated port.<br />
Exclusions <strong>and</strong> Limitations<br />
The following are limitations <strong>and</strong> exclusions for Network Login:<br />
• For wired netlogin ports, all unauthenticated MACs see broadcasts <strong>and</strong> multicasts sent to the port if<br />
even a single MAC is authenticated on that port.<br />
• Network Login must be disabled on a port before that port can be deleted from a VLAN.<br />
• In Campus mode, once the port moves to the destination VLAN, the original VLAN for that port is<br />
not displayed.<br />
• A Network Login VLAN port should be an untagged Ethernet port <strong>and</strong> should not be a part of<br />
following protocols:<br />
— ESRP<br />
— STP<br />
— VLAN Translation<br />
• Network Login is not supported for T1, E1, T3, ATM, PoS <strong>and</strong> MPLS TLS interfaces.<br />
• No Hitless Failover support has been added for Network Login.<br />
• Rate-limiting is not supported on Network Login ports (both web-based <strong>and</strong> 802.1x).<br />
• Network Login <strong>and</strong> MAC-limits cannot be used together on the same switch (see “MAC Address<br />
Security” on page 153).<br />
• EAP-NAK cannot be used to negotiate 802.1x authentication types.<br />
• You cannot enable wired netlogin on a port that has been enabled for wireless access.<br />
• Enabling a port for wireless access automatically disables wired netlogin on that port.<br />
Configuring Wired Network Login<br />
The following configuration example demonstrates how users can initially log in using web-based<br />
authentication, allowing them limited access to the network in order to download the 802.1x client <strong>and</strong><br />
a certificate. After the client is configured, the user is then able to access the network by using 802.1x.<br />
The example illustrates the following configuration steps:<br />
1 Create a VLAN on all edge switches called “temp,” which is the initial VLAN to which users will<br />
connect before they are authenticated.<br />
2 Create a VLAN on all edge <strong>and</strong> core switches called “guest,” which is the VLAN from which users<br />
will access the Certificate Authority <strong>and</strong> be able to download the 802.1x software.<br />
The following example demonstrates the first network login configuration step for a Summit 48si edge<br />
switch:<br />
160 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Network Login<br />
create vlan temp<br />
configure temp ipaddress 192.168.1.1/24<br />
configure temp add port 1-48<br />
configure vlan temp dhcp-address-range 192.168.1.11 - 192.168.1.200<br />
configure vlan temp dhcp-options default-gateway 192.168.1.1<br />
enable netlogin port 1-48 vlan temp<br />
enable dhcp ports 1-48 vlan temp<br />
Note that the 192.168 IP address range can be used on all switches because the user is on the VLAN<br />
only long enough to log in to the network. After the login is complete, the user is switched to a<br />
permanent VLAN with a real IP address delivered from a real DHCP server.<br />
The following example demonstrates the second network login configuration step for a Summit 48si<br />
edge switch, in which the guest VLAN is created:<br />
create vlan guest<br />
configure guest ipa 45.100.1.101/16<br />
configure guest tag 100<br />
configure guest add port 49-50 tagged<br />
enable bootp relay<br />
configure bootp relay add 45.100.2.101<br />
These comm<strong>and</strong>s create the special VLAN called “guest” on the real area of the network. Special<br />
configuration is needed on the RADIUS server to place users on to the appropriate VLAN when they<br />
log in as guests. By using network login in this way, the user goes from unauthenticated to a guest<br />
authentication with limited access to resources.<br />
Note that the 45.100.x.x VLAN does not need to be able to route. Extra authentication can be enabled on<br />
the Certificate Authority server to more firmly verify the identity of users. The 45.100.x.x VLAN will<br />
have the Certificate Authority located on it as well as an HTTP/FTP server to allow the user to<br />
download the needed files.<br />
Once the user has installed the certificate from the Certificate Authority <strong>and</strong> downloaded the 802.1x<br />
client, the user can reconnect to the network using 802.1x without the need to authenticate via a web<br />
browser. The authentication is h<strong>and</strong>led using PEAP <strong>and</strong> certificates. The user will be placed in the<br />
VLAN that is appropriate for that user’s group.<br />
Configuring Wireless Network Login<br />
The following configuration example shows the <strong>Extreme</strong> <strong>Networks</strong> switch configuration <strong>and</strong> the<br />
associated RADIUS server entries for network login. VLAN corp is assumed to be a corporate subnet<br />
with connections to DNS, WINS servers, <strong>and</strong> network routers. For wired network login, VLAN temp is a<br />
temporary VLAN created to provide connections to unauthenticated network login clients.<br />
For wireless network login, VLAN wlan-mgmt is the wireless management VLAN. It is also the VLAN<br />
used by unauthenticated network login clients. In this security model, unauthenticated clients do not<br />
connect to the corporate subnet <strong>and</strong> are not able to send or receive data. They must be authenticated in<br />
order to gain access to the network.<br />
NOTE<br />
A wireless interface can be in web-based netlogin mode or 802.1x netlogin mode, but not both, at one<br />
time. A wired port can support both web-based <strong>and</strong> 802.1x simultaneously.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 161
Security<br />
ISP Mode: Wireless clients connected to ports 1:15-1:20, interfaces 1 <strong>and</strong> 2, are logged into the network<br />
in ISP mode using web-based network login. This is controlled by the VLAN in which they reside in<br />
unauthenticated mode <strong>and</strong> the RADIUS server Vendor Specific Attributes (VSA)<br />
<strong>Extreme</strong>-Netlogin-Vlan. Since the VLAN, wlan-mgmt, is the same, there will be no port movement.<br />
When missing VSA, the port will stay at the same VLAN. If VSA returns the same VLAN as current,<br />
there will be no port movement.<br />
Campus Mode: Wireless clients connected to ports 1:6 - 1:9, interfaces 1 <strong>and</strong> 2, are logged into the<br />
network in campus mode using web-based network login. This is because the clients are placed in the<br />
VLAN corp following authentication.<br />
ISP <strong>and</strong> Campus modes are not tied to ports, but rather to a user profile. In other words, if the VSA<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-Netlogin-Vlan represents a VLAN different from the one in which user currently<br />
resides, then for wired network login, VLAN movement occurs after login <strong>and</strong> after logout. For wireless<br />
network login, the clients are placed in the specified VLAN. The ports should already be added as<br />
tagged ports in the VLAN.<br />
The example that follows uses these assumptions:<br />
• Wired ISP users are connected to ports 1:10-1:14.<br />
• Wireless campus users using web-based network login are connected to ports 1:6-1:9, interfaces 1<br />
or 2.<br />
• Wireless ISP users using web-based network login are connected to ports 1:15-1:20, interfaces 1 or 2.<br />
ISP <strong>and</strong> Campus modes are not tied to ports, but rather to a user profile. In other words, if the VSA<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-Netlogin-Vlan represents a VLAN different from the one in which user currently<br />
resides, then for wired network login, VLAN movement occurs after login <strong>and</strong> after logout. For wireless<br />
network login, the clients are placed in the specified VLAN. The ports should already be added as<br />
tagged ports in the VLAN.<br />
The example that follows uses these assumptions:<br />
• Wired ISP users are connected to ports 1:10-1:14.<br />
• Wireless campus users using web-based network login are connected to ports 1:6-1:9, interfaces 1 or<br />
2.<br />
• Wireless ISP users using web-based network login are connected to ports 1:15-1:20, interfaces 1 or 2.<br />
NOTE<br />
In the following configuration, any lines marked (Default) represent default settings <strong>and</strong> do not need to<br />
be explicitly configured.<br />
create vlan "temp"<br />
create vlan "corp"<br />
create vlan wlan-mgmt<br />
# Configure the wireless network.<br />
configure vlan wlan-mgmt ipaddress 192.168.0.1<br />
configure wireless management-vlan wlan-mgmt<br />
configure vlan wlan-mgmt add ports 1:6-1:9 untagged<br />
configure vlan wlan-mgmt add ports 1:15-1:20 untagged<br />
enable wireless ports 1:6-1:9<br />
enable wireless ports 1:15-1:20<br />
162 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Network Login<br />
# Configuration information for VLAN corp.<br />
configure vlan "corp" ipaddress 10.203.0.224 255.255.255.0<br />
configure vlan "corp" add port 1:15 - 1:20 tagged<br />
configure vlan "corp" add port 1:6 - 1:9 tagged<br />
# Configuration of generic web-based netlogin parameters<br />
config netlogin base-url "network-access.net" (Default)<br />
config netlogin redirect-page http://www.extremenetworks.com (Default)<br />
enable netlogin Session-Refresh 3 (Default)<br />
# Configuration information for wireless web-based campus network login.<br />
configure vlan temp dhcp-address-range 192.168.32.20 - 192.168.32.80<br />
configure vlan temp dhcp-options default-gateway 192.168.10.255<br />
configure vlan temp dhcp-options dns-server 10.0.1.1<br />
configure vlan temp dhcp-options wins-server 10.0.1.85<br />
enable netlogin port 1:10 - 1:14 vlan corp<br />
enable netlogin port 1:2 - 1:5 vlan temp<br />
# Configuration information for wireless campus network login.<br />
configure vlan wlan-mgmt dhcp-address-range 192.168.0.100 - 192.168.0.200<br />
configure vlan wlan-mgmt dhcp-options default-gateway 192.168.0.1<br />
configure vlan wlan-mgmt dhcp-options dns-server 10.0.1.1<br />
configure vlan wlan-mgmt dhcp-options wins-server 10.0.1.85<br />
# Configuration of security profiles for wireless network login<br />
create security-profile web-based-netlogin<br />
configure security-profile web-based-netlogin dot11-auth none network-auth web-based<br />
encryption none<br />
configure wireless port 1:6 - 1:9 interface 1 security-profile web-based-netlogin<br />
configure wireless port 1:6 - 1:9 interface 2 security-profile web-based-netlogin<br />
configure wireless port 1:15 - 1:20 interface 1 security-profile web-based-netlogin<br />
configure wireless port 1:15 - 1:20 interface 2 security-profile web-based-netlogin<br />
# DNS Client Configuration<br />
configure dns-client add name-server 10.0.1.1<br />
configure dns-client add name-server 10.0.1.85<br />
The following is a sample of the settings for the RADIUS server:<br />
#RADIUS server setting (VSAs)(optional)<br />
session-Timeout = 60 (timeout for 802.1x reauthentication)<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-Netlogin-Only = Enabled (if no CLI authorization)<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-Netlogin-Vlan = "corp" (destination vlan for CAMPUS mode network<br />
login)<br />
Web-Based Authentication <strong>User</strong> Login Using Campus Mode<br />
When web-based authentication is used in Campus mode, the user will follow these steps:<br />
1 Set up the Windows IP configuration for DHCP.<br />
2 Plug into the port that has network login enabled.<br />
3 Log in to Windows.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 163
Security<br />
4 Release any old IP settings <strong>and</strong> renew the DHCP lease.<br />
This is done differently depending on the version of Windows the user is running:<br />
— Windows 9x—use the winipcfg tool. Choose the Ethernet adapter that is connected to the port<br />
on which network login is enabled. Use the buttons to release the IP configuration <strong>and</strong> renew the<br />
DHCP lease.<br />
— Windows NT/2000—use the ipconfig comm<strong>and</strong> line utility. Use the comm<strong>and</strong><br />
ipconfig/release to release the IP configuration <strong>and</strong> ipconfig/renew to get the temporary IP<br />
address from the switch. If you have more than one Ethernet adapter, specify the adapter by<br />
using a number for the adapter following the ipconfig comm<strong>and</strong>. You can find the adapter<br />
number using the comm<strong>and</strong> ipconfig/all.<br />
At this point, the client will have its temporary IP address. In this example, the client should have<br />
obtained the an IP address in the range 198.162.32.20 - 198.162.32.80.<br />
NOTE<br />
The idea of explicit release/renew is required to bring the network login client machine in the same<br />
subnet as the connected VLAN. In Campus Mode using web-based authentication, this requirement is<br />
m<strong>and</strong>atory after every logout <strong>and</strong> before login again as the port moves back <strong>and</strong> forth between the<br />
temporary <strong>and</strong> permanent VLANs. On other h<strong>and</strong> in ISP Mode, release/renew of IP address is not<br />
required, as the network login client machine stays in the same subnet as the network login VLAN. In<br />
ISP mode, when the network login client connects for the first time, it has to make sure that the<br />
machine IP address is in the same subnet as the VLAN to which it is connected.<br />
5 Bring up the browser <strong>and</strong> enter any URL as http://www.123.net or http://1.2.3.4 or switch IP<br />
address as http:///login (where IP address could be either temporary or Permanent<br />
VLAN Interface for Campus Mode). URL redirection redirects any URL <strong>and</strong> IP address to the<br />
network login page This is significant where security matters most, as no knowledge of VLAN<br />
interfaces is required to be provided to network login users, as they can login using a URL or IP<br />
address.<br />
A page opens with a link for Network Login.<br />
6 Click the Network Login link.<br />
A dialog box opens requesting a username <strong>and</strong> password.<br />
7 Enter the username <strong>and</strong> password configured on the RADIUS server.<br />
After the user has successfully logged in, the user will be redirected to the URL configured on the<br />
RADIUS server.<br />
During the user login process, the following takes place:<br />
• Authentication is done through the RADIUS server.<br />
• After successful authentication, the connection information configured on the RADIUS server is<br />
returned to the switch:<br />
— the permanent VLAN<br />
— the URL to be redirected to (optional)<br />
— the URL description (optional)<br />
• The port is moved to the permanent VLAN.<br />
You can verify this using the show vlan comm<strong>and</strong>. For more information on the show vlan<br />
comm<strong>and</strong>, see “Displaying VLAN Settings” on page 93.<br />
164 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Network Login<br />
After a successful login has been achieved, there are several ways that a port can return to a<br />
non-authenticated, non-forwarding state:<br />
• The user successfully logs out using the logout web browser window.<br />
• The link from the user to the switch’s port is lost.<br />
• There is no activity on the port for 20 minutes.<br />
• An administrator changes the port state.<br />
NOTE<br />
Because network login is sensitive to state changes during the authentication process, <strong>Extreme</strong><br />
<strong>Networks</strong> recommends that you do not log out until the login process is complete. The login process is<br />
complete when you receive a permanent address.<br />
DHCP Server on the Switch<br />
A DHCP server with limited configuration capabilities is included in the switch to provide IP addresses<br />
to clients. The DHCP server is not supported as a st<strong>and</strong>alone feature. It is used only as part of the<br />
Network Login feature.<br />
DHCP is enabled on a per port, per VLAN basis. To enable or disable DHCP on a port in a VLAN, use<br />
one of the following comm<strong>and</strong>s:<br />
enable dhcp ports vlan <br />
disable dhcp ports vlan <br />
configure vlan netlogin-lease-timer <br />
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as<br />
dhcp-address-range <strong>and</strong> dhcp-options are configured on the network login VLAN. The switch can<br />
also answer DHCP requests after authentication if DHCP is enabled on the specified port. If you want<br />
network login clients to obtain DHCP leases from an external DHCP server elsewhere on the network,<br />
then do not enable DHCP on the switch ports.<br />
Displaying DHCP Information<br />
To display the DHCP configuration, including the DHCP range, DHCP lease timer, network login lease<br />
timer, DHCP-enabled ports, IP address, MAC address, <strong>and</strong> time assigned to each end device, use the<br />
following comm<strong>and</strong>:<br />
show vlan dhcp-address-allocation<br />
Displaying Network Login Settings<br />
To display the network login settings, use the following comm<strong>and</strong>:<br />
show netlogin {port vlan }<br />
Disabling Network Login<br />
Network login must be disabled on a port before you can delete a VLAN that contains that port. To<br />
disable network login, use the following comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 165
Security<br />
disable netlogin ports vlan <br />
Additional Configuration Details<br />
This section discusses additional configuration details such as switch DNS names, a default redirect<br />
page, session refresh, <strong>and</strong> logout-privilege.<br />
URL redirection requires the switch to be assigned a DNS name. The default name is<br />
network-access.net. Any DNS query coming to the switch to resolve switch DNS name in<br />
unauthenticated mode is resolved by the DNS server on the switch in terms of the interface (to which<br />
the network login port is connected) IP-address.<br />
To configure the network login base URL, use the following comm<strong>and</strong>:<br />
configure netlogin base-url<br />
Where is the DNS name of the switch. For example, configure netlogin base-url<br />
network-access.net makes the switch send DNS responses back to the netlogin clients when a DNS<br />
query is made for network-access.net.<br />
To configure the network login redirect page, use the following comm<strong>and</strong>:<br />
configure netlogin redirect-page<br />
Where defines the redirection information for the users once logged in. This redirection<br />
information is used only in case the redirection info is missing from RADIUS server. For example,<br />
configure netlogin base-url http://www.extremenetworks.com redirects all users to this URL<br />
after they get logged in.<br />
To enable or disable the network login session refresh, use one of the following comm<strong>and</strong>s:<br />
enable netlogin session-refresh {}<br />
disable netlogin session-refresh<br />
Where ranges from 1 - 255. The default setting is 3 minutes. enable netlogin<br />
session-refresh {} makes the logout window refresh itself at every configured time<br />
interval. The purpose of this comm<strong>and</strong> is to log out users who are indirectly connected to the switch,<br />
such as through a hub. The comm<strong>and</strong> also monitors <strong>and</strong> logs out users who are indirectly connected to<br />
the switch, such as through a hub. The comm<strong>and</strong> also monitors <strong>and</strong> logs out users who have<br />
disconnected the computer or have closed the logout window.<br />
Session -refresh is disabled by default.<br />
To enable or disable network login logout privilege, use one of the following comm<strong>and</strong>s:<br />
enable netlogin logout-privilege<br />
disable netlogin logout-privilege<br />
This comm<strong>and</strong> turns the privilege for netlogin users to logout by popping up (or not popping up) the<br />
logout window. Logout-privilege is enabled by default.<br />
To enable or disable network login, use one of the following comm<strong>and</strong>s:<br />
enable netlogin [web-based | dot1x]<br />
disable netlogin [web-based |dot1x]<br />
By default netlogin is enabled.<br />
166 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Network Login<br />
Displaying Network Login Settings<br />
To display network login settings, use the following comm<strong>and</strong>:<br />
show netlogin {port vlan }<br />
This comm<strong>and</strong> displays the netlogin configuration along with wired network login clients. To view the<br />
wireless network login clients, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] clients <br />
{detail}<br />
Example<br />
#show netlogin info ports 1:13 vlan corp<br />
Port 1:13: VLAN: corp<br />
Port State: Authenticated<br />
DHCP: Not Enabled<br />
MAC IP address Auth Type ReAuth-Timer <strong>User</strong><br />
-------------------------------------------------------<br />
00:08:A1:5F:9B:30 10.36.11.191 Yes 802.1x 34 dot1xcampus<br />
Quiet Period Timer : 0 Num. Authentication Attempt Failed : 1<br />
-------------------------------------------------------<br />
In this example, the user is using campus mode <strong>and</strong> no authentication has taken place. Therefore, the<br />
port state displays as not authenticated. No packets sent by the user on port nine pass the port until<br />
authentication takes place. After authentication has taken place <strong>and</strong> the permanent IP address is<br />
obtained, the show comm<strong>and</strong> displays the port state as authenticated.<br />
#show netlogin info ports 1:26 vlan corp<br />
Port 1:26: VLAN: corp<br />
Port State: Not Authenticated<br />
Temp IP: Unknown<br />
DHCP: Not Enabled<br />
MAC IP address Auth Type ReAuth-Timer <strong>User</strong><br />
-------------------------------------------------------<br />
To show all network login parameters, use the following comm<strong>and</strong>:<br />
show netlogin<br />
Wireless Network Login Considerations<br />
As an authentication framework, network login is equivalent to MAC RADIUS authentication <strong>and</strong> does<br />
not directly support encryption (see “Unified Access MAC RADIUS” on page 224). Since MAC spoofing<br />
is easy in wireless networks, care is recommended when deploying web based network login.<br />
Each wireless port must be manually configured as a tagged port for every VLAN in which it may be<br />
necessary to connect a client. If no RADIUS VSA is present, then the traffic is assigned to the untagged<br />
VLAN on the port.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 167
Security<br />
NOTE<br />
During authentication the RADIUS packets use the Summit switch address as the client IP address. The<br />
Altitude 300 address is not disclosed.<br />
Trusted Organizational Unique Identifier<br />
The Trusted Organizational Unique Identifier (OUI) feature allows devices, such as IP phones, without<br />
802.1x (Network Login) capability to obtain IP addresses through DHCP on a network login enabled<br />
port.<br />
A trusted OUI configuration requires an IP phone <strong>and</strong> a desktop PC, both of which are connected to a<br />
single wired port on an <strong>Extreme</strong> <strong>Networks</strong> switch. The desktop PC must use untagged 802.1x<br />
authentication. The IP phone must be capable of sending DHCP requests after booting up to obtain IP<br />
address <strong>and</strong> VLAN ID through the DHCP response. The phone then configures itself to be tagged for<br />
the VLAN ID obtained through the DHCP response.<br />
Switch Protection<br />
Switch protection features enhance the robustness of switch performance. In this category are the<br />
following features:<br />
• Profile Assignment Example<br />
• Denial of Service Protection<br />
Unified Access Security<br />
The <strong>Extreme</strong> Unified Access Security architecture provides secure access for all wired <strong>and</strong> wireless<br />
stations within the unified network. You can maintain the network with a single, unified security policy,<br />
provide service to all stations without requiring upgrades, <strong>and</strong> take advantage of integrated policy <strong>and</strong><br />
management capabilities not available in overlay networks or those with “thick” access points. Unified<br />
Access Security provides the following capabilities:<br />
• Consolidated management — Up to 16 wireless ports from a single switch, greater network support<br />
with reduced management overhead<br />
• Scalable encryption — ASIC based AES encryption, WPA with TKIP support, <strong>and</strong> RC4 based WEP<br />
support on the Altitude 300 wireless port<br />
• 802.1x Authentication — 802.1x authentication (PEAP, EAP-TTLS, EAP-TLS)<br />
• Web-based network login—http <strong>and</strong> https based user authentication<br />
The unified structure simplifies security policies without compromising protection <strong>and</strong> provides the<br />
following benefits:<br />
• Single user experience — Same authentication procedures for wired <strong>and</strong> wireless users<br />
• Unified management — Single management platform for wired <strong>and</strong> wireless networks<br />
• Unified configuration — Consistent CLI for wired <strong>and</strong> wireless functions<br />
• Single authentication infrastructure — Single set of policies, RADIUS, <strong>and</strong> certificate servers<br />
168 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Unified Access Security<br />
Table 22 summarizes the wireless security options available with the Summit 300 switches. Campus<br />
mode refers to a network with multiple users who connect at different places. ISP mode refers to a<br />
network with stationary users who access the network through the same port each time. The per user<br />
VLANs assignment column indicates whether users can be placed in a VLAN when they are<br />
authenticated according to the given method.<br />
Table 22: Wireless Security Options<br />
Wireless Security Feature Campus Mode ISP Mode<br />
Per <strong>User</strong> VLANs<br />
Assignment<br />
802.1x - Single Supplicant X X X<br />
802.1x - Multiple Supplicants X X X<br />
Web-based Netlogin Single<br />
X X X<br />
Supplicants<br />
Web-based Netlogin Multiple<br />
X X X<br />
Supplicants<br />
MAC Radius - Single Client X X X<br />
MAC Radius - Multiple Clients X X X<br />
Wireless <strong>User</strong> Access Security<br />
Effective user security meets the following objectives:<br />
• Authentication — Assuring that only approved users are connected to the network at permitted<br />
locations <strong>and</strong> times.<br />
• Privacy — Assuring that user data is protected.<br />
Table 22 summarizes the wireless security options available with the Summit switch. Campus mode<br />
refers to a network with multiple users who connect at different places. ISP mode refers to a network<br />
with stationary users who access the network through the same port each time. The per user VLANs<br />
assignment column indicates whether users can be placed in a VLAN when they are authenticated<br />
according to the given method.<br />
Table 23: Wireless Security Options<br />
Wireless Security Feature Campus Mode ISP Mode<br />
Per <strong>User</strong> VLANs<br />
Assignment<br />
802.1x - Single Supplicant X X X<br />
802.1x - Multiple Supplicants X X X<br />
Web-based Netlogin Single<br />
X X X<br />
Supplicants<br />
Web-based Netlogin Multiple<br />
X X X<br />
Supplicants<br />
MAC Radius - Single Client X X X<br />
MAC Radius - Multiple Clients X X X<br />
Wireless <strong>User</strong> Access Security<br />
Effective user security meets the following objectives:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 169
Security<br />
• Authentication — Assuring that only approved users are connected to the network at permitted<br />
locations <strong>and</strong> times.<br />
• Privacy — Assuring that user data is protected.<br />
Authentication<br />
The authentication process is responsible for screening users who attempt to connect to the network <strong>and</strong><br />
granting or denying access based on the identity of the user, <strong>and</strong> if needed, the location of the client<br />
station <strong>and</strong> the time of day. The authentication function also includes secure encryption of passwords<br />
for user screening.<br />
For an authentication scheme to be practical <strong>and</strong> effective, it must be compatible with the<br />
currently-installed client software base. That requires accommodating multiple versions of software,<br />
including legacy systems with older-generation security support. Effective authentication is mutual,<br />
from client-to-network <strong>and</strong> network-to-client. Finally, authentication requires the appropriate<br />
authentication servers.<br />
The Unified Access Architecture provides authentication methods that meet all these requirements,<br />
while also permitting flexibility for individual network environments.<br />
Authentication Method: Open. The Summit switch <strong>and</strong> associated Altitude 300 wireless ports,<br />
support 802.11 open system authentication, in which the station identifies the SSID. Although open<br />
authentication can be acceptable for wired networks, it is not effective on the wireless side, <strong>and</strong> is<br />
therefore not recommended for the enterprise wireless network.<br />
Authentication Method: WEP. Wired Equivalency Privacy (WEP) is the first generation security option<br />
for 802.11 networks <strong>and</strong> includes both an authentication <strong>and</strong> encryption (privacy) mechanism.<br />
Unfortunately, weaknesses in the RC4 encryption scheme have left the WEP method open to theft of<br />
login <strong>and</strong> password information <strong>and</strong>, consequently, to compromise of the authentication process. WEP<br />
is best used as part of a multi-tiered security scheme <strong>and</strong> in legacy environments.<br />
Authentication Method: 802.1x/EAP. Extensible Authentication Protocol (EAP) provides numerous<br />
improvements over earlier generation WEP authentication methods. The 802.1x specification<br />
incorporates EAP as implemented directly on Ethernet. In 802.1X/EAP authentication, the user’s<br />
identity, not MAC address, is the basis for authentication. When the user requests access to the wireless<br />
port, the access point forces the user’s station into an unauthorized state. In this state, the client station<br />
sends an EAP start message. The switch responds with a request for user identity, which it passes to a<br />
central authentication server. The server software authenticates the user <strong>and</strong> returns an permit or deny<br />
message to the switch, which then extends or denies access as instructed, <strong>and</strong> passes along<br />
configuration information such as VLAN <strong>and</strong> priority.<br />
802.1x supports several EAP-class advanced authentication protocols, which differ in the specific<br />
identification types <strong>and</strong> encryption methods for the authentication:<br />
• EAP-TLS (Transport Layer Security) — Performs mutual authentication using security certificates.<br />
Good for wired <strong>and</strong> wireless networks<br />
• EAP-TTLS (Tunneled TLS) — Extends TLS flexibility <strong>and</strong> is compatible with a wide range of<br />
authentication algorithms. Good for wired <strong>and</strong> wireless networks<br />
• PEAP (protected EAP) — Is compatible with a wide range of authentication algorithms <strong>and</strong> is<br />
effective for wired <strong>and</strong> wireless networks<br />
802.1x security is compatible with legacy 802.1x <strong>and</strong> with newer clients that support Wi-Fi Protected<br />
Access (WPA) based 802.1x. It is possible to configure both versions (legacy <strong>and</strong> WPA) on the same<br />
170 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Unified Access Security<br />
Summit switch port. When a client associates to the Summit switch port, it indicates 802.11 open<br />
authentication. Then if 802.1x is enabled on the port, the client is able to associate, <strong>and</strong> further<br />
authentication is performed. If the authentication is successful, a backend RADIUS server optionally<br />
specifies a VLAN tag using Vendor Specific Attributes in the Access Accept message.<br />
Location Based Authentication. Location-based authentication restricts access to users in specific<br />
buildings. The Summit switch sends the user’s location information to the RADIUS server, which then<br />
determines whether or not to permit user access. When you configure a location field, the information is<br />
sent out in RADIUS access request packets as a VSA <strong>and</strong> can be used to enforce location-based policies.<br />
Time-Based Authentication. Time-based authentication restricts access to users to certain dates or<br />
times. The RADIUS server can determine policies based on the time of day when the authentication<br />
request is received from the Summit switch.<br />
Encryption<br />
Encryption is used to protect the privacy <strong>and</strong> integrity of user data sent over the network. It is a major<br />
concern in wireless networks, since physical security is not possible for data sent over wireless links.<br />
While encryption is the major component of a privacy solution, an effective approach also requires<br />
management of encryption keys, integrity checks to protect against packet tampering, <strong>and</strong> ability to<br />
scale as the network grows.<br />
Cipher Suites<br />
Table 24 lists several cipher suites that st<strong>and</strong>ards organizations have identified to group security<br />
capabilities under a common umbrella. The <strong>Extreme</strong> Unified Security Architecture supports or will<br />
incorporate each of these suites, <strong>and</strong> the Altitude 300 wireless port supports hardware-based AES <strong>and</strong><br />
RC4 encryption.<br />
Table 24: Wi-Fi Security Cipher Suites<br />
Name Authentication Privacy<br />
Sponsoring<br />
Organization<br />
WEP None or MAC WEP/RC4 IEEE<br />
WPA 802.1x TKIP/RC4 Wi-Fi Alliance<br />
WPA 802.1x CCMP/AES/TKIP IEEE<br />
WPA-Only Support. To support WPA clients, the Summit switch port sets the privacy bit in the beacon<br />
frames it advertises. The switch also advertises the set of supported unicast <strong>and</strong> multicast cipher suites<br />
<strong>and</strong> the configured <strong>and</strong> supported authentication modes as part of the association request.<br />
WPA support is compatible with 802.1x authentication <strong>and</strong> with pre-shared keys. With pre-shared keys,<br />
key derivation <strong>and</strong> distribution are done using the EAPOL-KEY messages. All clients that indicate PSK<br />
are assigned to the default user VLAN, which is configured on the Summit switch port.<br />
Legacy <strong>and</strong> WPA 802.1x Support. When network authentication is set to dot1x, WPA clients can use<br />
TKIP for their unicast data exchange <strong>and</strong> the specified WEP64 or WEP128 cipher for multicast traffic.<br />
Legacy 802.1x clients should use the specified WEP64 or WEP128 cipher for both their unicast <strong>and</strong><br />
multicast cipher.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 171
Security<br />
Network Security Policies for Wireless Interfaces<br />
Network security policy refers to a set of network rules that apply to user access. You can base the rules<br />
on a variety of factors, including user identification, time <strong>and</strong> location, <strong>and</strong> method of authentication. It<br />
is possible to design network security policies to do all of the following:<br />
• Permit or deny network access based on location <strong>and</strong> time of day.<br />
• Place the user into a VLAN based on identity or authentication method.<br />
• Limit where the user is permitted to go on the network based on identity or authentication method.<br />
Policy Design<br />
When designing a security policy for your network, keep the following objectives in mind:<br />
• Make each wired <strong>and</strong> wireless client as secure as possible.<br />
• Protect company resources.<br />
• Make the network infrastructure as secure as possible.<br />
• Be able to track <strong>and</strong> identify wired <strong>and</strong> wireless rogues.<br />
To achieve these objectives, it is necessary to work within the constraints of your environment:<br />
• Technology of all the clients<br />
— 802.11 radio technology (b, a, g, a/b, a/g)<br />
— Operating system (W2K, XP, Pocket PC, ….)<br />
— Client readiness for 802.1x; client upgrades<br />
• Authentication servers available or planned<br />
— Operating System Login only (i.e. Domain Access, LDAP)<br />
— RADIUS for <strong>User</strong>s<br />
— PKI Infrastructure<br />
• Nature of the user population<br />
• Ability to divide users into meaningful groups<br />
• Network resources required by users<br />
• Desired access restrictions based on resources, locations, times, <strong>and</strong> security level<br />
• Acceptable level of network management <strong>and</strong> user training<br />
• Anticipated changes in the network<br />
Policy Examples<br />
The following examples suggest typical uses of network security policies.<br />
Example. You want to give employees complete network access but limit access to visitors. The<br />
solution is to base network access on the authentication method, as indicated in Table 25.<br />
Table 25: Authentication-Based Network Access Example<br />
Authentication Method<br />
<strong>User</strong> Placement<br />
802.1x with dynamic WEP Internal VLAN<br />
TKIP with pre-shared keys<br />
PSK VLAN<br />
172 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Unified Access Security<br />
Table 25: Authentication-Based Network Access Example<br />
Authentication Method<br />
WEP<br />
Fails 802.1x authentication<br />
<strong>User</strong> Placement<br />
WEP VLAN<br />
Deny access<br />
NOTE<br />
Not all methods can be used at the same time on the same interface.<br />
Example. You want to restrict user access to certain locations or times. The solution is to include the<br />
Altitude 300 as a component of network access <strong>and</strong> include time restrictions for certain locations.<br />
Policies <strong>and</strong> RADIUS Support<br />
The authentication features of the Summit switch are tightly integrated with RADIUS. You can specify<br />
the following types of RADIUS access control policies:<br />
• <strong>User</strong>-based — 802.1x requests provide the RADIUS server with the user name <strong>and</strong> password. Based<br />
on the user name, the RADIUS server sends back authentication information, including allow/deny,<br />
assigned VLAN, <strong>and</strong> VLAN tag.<br />
• Location-based — You can configure a location string for each wireless port. The location is sent to<br />
the RADIUS server as a vendor-specific attribute. The RADIUS server uses this information to<br />
determine the access policy.<br />
RADIUS Attributes<br />
Table 26 lists the attributes included in each request for access:<br />
Table 26: RADIUS Request Attributes<br />
Attribute<br />
<strong>User</strong>-Name<br />
<strong>User</strong>-Password<br />
Description<br />
<strong>User</strong> name for dot1x or MAC address<br />
<strong>User</strong>-specified for dot1x or blank<br />
Service-Type Value is login (1)<br />
Vendor-Specific<br />
Contains EXTREME_USER_LOCATION, <strong>and</strong> the value is as configured<br />
by the user for the location of each wireless port<br />
Vendor-Specific Attributes. Table 27 lists the supported vendor-specific attributes (VSAs). The<br />
<strong>Extreme</strong> vendor is 1916.<br />
Table 27: Vendor-Specific Attributes<br />
VSA<br />
Attribute<br />
Value Type Sent In<br />
EXTREME_NETLOGIN_VLAN 203 String Access-accept<br />
EXTREME_NETLOGIN_VLAN_TAG 209 Integer Access-accept<br />
EXTREME_USER_LOCATION 208 String Access-request<br />
The following rules apply for VSAs:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 173
Security<br />
• For locations, the switch receives <strong>Extreme</strong> VSA containing the location of the Altitude 300. The<br />
RADIUS server uses the location VSA to determine whether to allow or deny access.<br />
• For WPA <strong>and</strong> legacy 802.1 clients, the RADIUS server sends the VLAN value to use for the client.<br />
Security Profiles<br />
A security profile is the mechanism that prevents persons who do not have proper access authority or<br />
the proper credentials from accessing a wireless network. A security profile also helps:<br />
• Establish access levels for different groups<br />
• Regulate the flow of user data traffic after authentication using VLANs<br />
• Manage users<br />
• Stop access for some users by setting time or date limits.<br />
Security profiles can have different authentication <strong>and</strong> encryption methods such as static WEP, 802.1x,<br />
WPA-PSK, <strong>and</strong> WPA-Dynamic. A radio interface may only have one security profile, however, the same<br />
security profile can be attached to multiple interfaces.<br />
The security profile is configured on the switch <strong>and</strong> its downloaded to the AP after it is powers up. The<br />
following security profile comm<strong>and</strong>s are described in the <strong><strong>Extreme</strong>Ware</strong> Comm<strong>and</strong> Reference <strong>Guide</strong>:<br />
• configure security-profile default-user-vlan <br />
• configure security-profile use-dynamic-vlan {y | n}<br />
• configure security-profile dot11-auth network-auth encryption <br />
• configure security-profile dot1x-wpa-timers pairwise-update-timer <br />
• configure security-profile ssid-in-beacon {on | off}<br />
• configure security-profile wep key add hex | plaintext<br />
<br />
• configure security-profile wep key delete <br />
• configure security-profile ess-name <br />
• configure security-profile wpa-psk [hex | passphrase<br />
]<br />
• create security-profile {copy }<br />
• delete security-profile <br />
• show security-profile {}<br />
Secure Web Login Access<br />
The existing web server in <strong>Extreme</strong>ware allows HTTP clients to access the VISTA pages (for<br />
management) <strong>and</strong> access the network login page (for network login users). By using HTTPS on the web<br />
server, wireless clients can securely access the network login page using a HTTPS enabled web<br />
browser. 1<br />
1. HTTPS is allowed only in an SSH build with the appropriate license enabled.<br />
174 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Secure Web Login Access<br />
HTTPS access is provided through Secure Socket Layer (SSLv3) <strong>and</strong> Transport Layer Security (TLS1.0).<br />
These protocols enable clients to verify the authenticity of the server to which they are connecting,<br />
thereby ensuring that wireless users are not compromised by intruders. SSL supports encryption of the<br />
data exchanged between the server <strong>and</strong> the client, preventing the network login credentials from<br />
exposure on the wireless channel.<br />
A default server certificate is provided in the factory default configuration. The following security<br />
algorithms are supported:<br />
• RSA for public key cryptography (generation of certificate <strong>and</strong> public-private key pair, certificate<br />
signing). RSA key size between 1024 <strong>and</strong> 4096 bits<br />
• Symmetric ciphers (for data encryption): RC4, DES <strong>and</strong> 3DES<br />
• Message Authentication Code (MAC) algorithms: MD5 <strong>and</strong> SHA<br />
To enable both HTTP <strong>and</strong> HTTPS access, enter the following comm<strong>and</strong>:<br />
enable web<br />
To disable both HTTP <strong>and</strong> HTTPS access, enter the following comm<strong>and</strong>:<br />
The following comm<strong>and</strong> enables HTTP on the the default port (80):<br />
enable web http<br />
To disable HTTP on the web, enter the following comm<strong>and</strong>:<br />
disable web http<br />
To enable secure HTTP (HTTPS) on the default port (443), enter the following comm<strong>and</strong>:<br />
enable web https<br />
To disable HTTPS, enter the following comm<strong>and</strong>:<br />
enable web https<br />
However, if you want to enable HTTP on a non-default port, use the following comm<strong>and</strong>:<br />
enable web http access-profile
Security<br />
To create a self-signed certificate <strong>and</strong> private key that can be saved in NVRAM, enter the following<br />
comm<strong>and</strong>:<br />
configure ssl certificate prikeylen country organization <br />
common-name <br />
Be sure to specify the following:<br />
• Country code (exactly 2 characters),<br />
• Organization name (max size of 64 characters) <strong>and</strong><br />
• Common Name (max size of 64 chars) in the comm<strong>and</strong>.<br />
Any existing certificate <strong>and</strong> private key is overwritten.<br />
Most web browsers check whether the common-name field in the received server certificate is the same<br />
as the URL used to reach the site, otherwise they give a warning.<br />
The size of the certificate generated depends on the RSA Key length (privkeylen) <strong>and</strong> the length of the<br />
other parameters (country, organization name etc.) supplied by the user. If the RSA key length is 1024,<br />
then the certificate size is ~ 1kb <strong>and</strong> the private key length is ~1kb. For RSA Key length of 4096, the<br />
certificate length is ~2kb <strong>and</strong> the private key length is ~3kb<br />
Downloading a Certificate Key from a TFTP Server<br />
You can download a certificate key from friles stored in a TFTP server. If the operation is successful, any<br />
existing certificate is overwritten. After a successful download, the software attempts to match the<br />
public key in the certificate matches the private key stored. If the private <strong>and</strong> public keys do not match,<br />
a warning message is displayed (“Warning: The Priate Key does not match with the Public Key in the<br />
certificate.”). This warning acts as a reminder to the user to also download the private key.<br />
The certificate <strong>and</strong> private key should be in PEM format <strong>and</strong> generated using RSA as the cryptography<br />
alorithm.<br />
Use the following comm<strong>and</strong> to download a certificate key from files stored in a TFTP server:<br />
download ssl certificate <br />
To see whether the private key matches with the public key stored in the certificate, use the following<br />
comm<strong>and</strong>:<br />
show ssl<br />
This comm<strong>and</strong> also displays:<br />
• HTTPS port configured. This is the port on which the clients will connect.<br />
• Length of RSA key (number of bits used to generate the private key)<br />
• Basic information about the stored certificate<br />
To also see the full certificate, use the detail keyword:<br />
show ssl {detail}<br />
Downloading a Private Key from a TFTP Server<br />
To download a private key from files stores in a TFTP server, use the following comm<strong>and</strong>:<br />
176 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
download ssl privkey <br />
When this comm<strong>and</strong> is executed, if the private key is encrypted, the user is prompted to enter the<br />
passphrase that was used to encrypt the private key when the private key was generated. Only DES<br />
<strong>and</strong> 3DES encryption mechanisms are supported for private key encryption. If the operation is<br />
successful the existing private key is overwritten.<br />
After the download is successful, a check is performed to find out whether the private key downloaded<br />
matches with the public key stored in the certificate. If they do not match, a warning message is<br />
displayed (“Warning: The Private Key does not match with the Public Key in the certificate.”). This<br />
warning acts as a reminder to the user to download the corresponding certificate.<br />
The certificate <strong>and</strong> private key file should be in PEM format <strong>and</strong> generated using RSA as the<br />
cryptography algorithm.<br />
Configuring Pre-generated Certificates <strong>and</strong> Keys<br />
Use the following comm<strong>and</strong> to get the pre-generated certificate from the user:<br />
configure ssl certificate pregenerated<br />
This comm<strong>and</strong> is also used when downloading/ uploading the configuration. The certificate<br />
information stored in the uploaded configuration file should not be modified, because it is signed using<br />
the issuer’s private key.<br />
The certificate <strong>and</strong> private key file should be in PEM format <strong>and</strong> generated using RSA as the<br />
cryptography algorithm.<br />
To get a pre-generated private key from the user, user the following comm<strong>and</strong>:<br />
configure ssl privkey pregenerated<br />
This comm<strong>and</strong> will also be used when downloading/uploading the configuration. The private key will<br />
be stored in the uploaded configuration file in an encrypted format using a hard coded passphrase.<br />
Hence the private key information in the configuration file should not be modified.<br />
The certificate <strong>and</strong> private key file should be in PEM format <strong>and</strong> generated using RSA as the<br />
cryptography algorithm.<br />
Example Wireless Configuration Processes<br />
This section provides examples of configuration processes. In the first example, the wireless<br />
management VLAN is configured, IP addresses are assigned, <strong>and</strong> RF profiles are created <strong>and</strong><br />
configured. Next, security profile examples are given for a variety of security options. Finally, example<br />
steps are provided for assigning profiles to ports.<br />
NOTE<br />
The comm<strong>and</strong>s provided in each step are examples.<br />
Security reference options used in the configuration examples are provided for reference in Table 28.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 177
Security<br />
Table 28: Security Configuration Options<br />
Dot11 Authentication Network Authentication Encryption<br />
open none Choices:<br />
• none<br />
• wep64<br />
• wep128<br />
open web-based Choices:<br />
• none<br />
• wep64<br />
• wep128<br />
open mac-radius Choices:<br />
• none<br />
• wep64<br />
• wep128<br />
open dot1x Choices:<br />
• wep64<br />
• wep128<br />
open wpa Choices:<br />
• wep64<br />
• wep128<br />
• tkip<br />
• aes<br />
open wpa-psk Choices:<br />
• wep64<br />
• wep128<br />
• tkip<br />
• aes<br />
shared none Choices:<br />
• wep64<br />
• wep128<br />
shared web-based Choices:<br />
• wep64<br />
• wep128<br />
shared mac-radius Choices:<br />
• wep64<br />
• wep128<br />
Wireless Management Configuration Example<br />
Refer to the following example when configuring VLAN, IP addresses, <strong>and</strong> RF profiles.<br />
NOTE<br />
Any addition, deletion or movement of wireless ports from vlan to vlan must be preceded by disabling<br />
the wireless port(s).<br />
Configure the VLAN, Wireless Port IP Addresses <strong>and</strong> RF-profiles:<br />
1 Create a vlan to be use as the wireless management VLAN.<br />
create vlan manage-wireless<br />
178 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
2 Remove the wireless port from the default VLAN.<br />
config vlan default delete ports 1:5<br />
NOTE<br />
NOTE: Following warning message may be displayed as a result of the above comm<strong>and</strong>. This will<br />
not prevent the port from being deleted from the default vlan:<br />
WARNING: Security profile applied to port 1:5 refers to the VLAN Default. Removing<br />
the port from the VLAN will cause incorrect behavior<br />
3 Add the wireless port to the management VLAN as an untagged port.<br />
config vlan manage-wireless add ports 1:5 untagged.<br />
4 Assign an IP address to the VLAN.<br />
config vlan manage-wireless ipaddress 10.211.37.1/24<br />
5 Configure this VLAN as the management VLAN.<br />
config wireless management-vlan manage-wireless<br />
NOTE<br />
Following warning message may occur as a result of the above comm<strong>and</strong>. This will not prevent the<br />
comm<strong>and</strong> from executing.<br />
Warning: Changing the management VLAN can cause access points to loose contact with<br />
LAC.<br />
6 Assign a management IP address for each wireless port (port 1:5 in the example). Be sure that the<br />
address is in the same network as the wireless management-vlan.<br />
config wireless port 1:5 ip-address 10.211.37.105<br />
7 Create an RF profile for the A interfaces by copying from the default profile.<br />
create rf-profile RF_A copy DEFAULT_A<br />
8 Create an RF profile for the G interfaces by copying from the default profile.<br />
create rf-profile RF_G copy DEFAULT_G<br />
Security Configuration Examples<br />
Refer to the examples in this section when configuring any of the available wireless security options for<br />
the Summit 300-48 switch. The examples encompass most typical security scenarios.<br />
NOTE<br />
Because of the requirement to add potential wireless ports to the wireless management-vlan as<br />
untagged ports, adding a wireless port to a data/client vlan requires that the port be added as a tagged<br />
port.<br />
NOTE<br />
The “default-user-vlan” parameter is NOT used as a destination vlan in the case of an authentication<br />
failure. For this parameter, if the client authentication succeeds, the client will be placed into the VLAN<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 179
Security<br />
indicated in the parameter or into the VLAN indicated by a Vendor Specific Attribute (VSA) VLAN-ID or<br />
VLAN Name. Any authentication failures will deny the client access to the network.<br />
NOTE<br />
In the following examples, the heading of each example is formatted as follows:<br />
Dot11 Authentication – Network Authentication – Encryption/Multicast Cipher<br />
Open - None - None<br />
1 Create a security profile (open-auth) by copying from the default unsecure profile.<br />
create security-profile open-auth copy unsecure<br />
2 Create a VLAN (open-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan open-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan open-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan open-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-auth dot11-auth open network-auth none encryption none<br />
config security-profile open-auth default-user-vlan open-vlan<br />
6 Configure the name of the ESS<br />
config security-profile open-auth ess-name open-ess<br />
Open - None - Wep 64<br />
1 Create a security profile (wep-secure) by copying from the default unsecure profile.<br />
create security-profile wep-secure copy unsecure<br />
2 Create a VLAN (wep-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wep-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan wep-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wep-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile wep-secure dot11-auth open network-auth none encryption<br />
wep64<br />
config security-profile wep-secure default-user-vlan wep-vlan<br />
180 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
NOTE<br />
If you attach this security-profile to a port before configure at least 1 WEP key, an error message will<br />
be generated:<br />
Warning: At least one WEP key has to be specified before applying this security<br />
profile to the interface<br />
6 Configure the security profile with WEP key to match the encryption length indicated in Step 5.<br />
config security-profile wep-secure wep key add 0 hex abcdefaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile wep-secure wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile wep-secure ess-name open-wep64-ess<br />
Open - None - WEP 128<br />
1 Create a security profile (wep-secure) by copying from the default unsecure profile.<br />
create security-profile wep-secure copy unsecure<br />
2 Create a VLAN (wep-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wep-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan wep-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wep-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile wep-secure dot11-auth open network-auth none encryption<br />
wep128<br />
config security-profile wep-secure default-user-vlan wep-vlan<br />
NOTE<br />
If you attach this security-profile to a port before configure at least 1 WEP key, an error message will<br />
be generated:<br />
Warning: At least one WEP key has to be specified before applying this security<br />
profile to the interface<br />
6 Configure the security profile with WEP key to match the encryption length indicated in Step 5.<br />
config security-profile wep-secure wep key add 0 hex aaaaaaaaaaaaaccccccccccccc<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 181
Security<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile wep-secure wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile wep-secure ess-name open-wep128-ess<br />
Open - Web Based Network Login - None<br />
1 Create a security profile (web-based-open) by copying from the default unsecure profile.<br />
create security-profile web-based-open copy unsecure<br />
2 Create a VLAN (web-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan web-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan web-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan web-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile web-based-open dot11-auth open network-auth web-based<br />
encryption none<br />
config security-profile web-based-open default-user-vlan web-vlan<br />
6 Configure the name of the ESS<br />
config security-profile web-based-open ess-name open-web-ess<br />
Open - Web Based Network Login - WEP 64<br />
1 Create a security profile (web-based-64) by copying from the default unsecure profile.<br />
create security-profile web-based-64 copy unsecure<br />
2 Create a VLAN (web-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan web-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan web-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan web-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
182 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
config security-profile web-based-64 dot11-auth open network-auth web-based<br />
encryption wep64<br />
config security-profile web-based-64 default-user-vlan web-vlan<br />
6 Configure the security profile with a WEP key of encryption length 64.<br />
config Security-profile web-based-64 wep key add 0 hex abcdefaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile web-based-64 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile web-based-64 ess-name web-based-64-ess<br />
Open - Web Based Network Login - WEP 128<br />
1 Create a security profile (web-based-128) by copying from the default unsecure profile.<br />
create security-profile web-based-128 copy unsecure<br />
2 Create a VLAN (web-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan web-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan web-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan web-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile web-based-128 dot11-auth open network-auth web-based<br />
encryption wep128<br />
config security-profile web-based-128 default-user-vlan web-vlan<br />
6 Configure the security profile with a WEP key of encryption length 128<br />
config security-profile web-based-128 wep key add 0 hex abcdefaaaaaaaaaaaaaaaaaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile web-based-128 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile web-based-128 ess-name web-based-128-ess<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 183
Security<br />
Open - MAC Radius - None<br />
1 Create a security profile (mac-radius-open) by copying from the default unsecure profile.<br />
create security-profile mac-radius-open copy unsecure<br />
2 Create a VLAN (mac-radius-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan mac-radius-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan mac-radius-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan mac-radius-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile mac-radius-open dot11-auth open network-auth mac-radius<br />
encryption none<br />
config security-profile mac-radius-open default-user-vlan mac-radius-vlan<br />
6 Configure the name of the ESS<br />
config security-profile mac-radius-open ess-name mac-radius-open-ess<br />
Open - MAC Radius - WEP 64<br />
1 Create a security profile (mac-radius-64) by copying from the default unsecure profile.<br />
create security-profile mac-radius-64 copy unsecure<br />
2 Create a VLAN (mac-radius-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan mac-radius-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan mac-radius-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan mac-radius-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile mac-radius-64 dot11-auth open network-auth mac-radius<br />
encryption wep64<br />
config security-profile mac-radius-64 default-user-vlan mac-radius-vlan<br />
6 Configure the security profile with a WEP key of encryption length 64.<br />
config security-profile mac-radius-64 wep key add 0 hex abcdefaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
184 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
config security-profile mac-radius-64 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile mac-radius-64 ess-name mac-radius-64-ess<br />
Open - MAC Radius - WEP 128<br />
1 Create a security profile (mac-radius-128) by copying from the default unsecure profile.<br />
create security-profile mac-radius-128 copy unsecure<br />
2 Create a VLAN (mac-radius-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan mac-radius-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan mac-radius-vlan tag 10<br />
Add the wireless port to the VLAN.<br />
config vlan mac-radius-vlan add ports 1:5 tagged<br />
4 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile mac-radius-128 dot11-auth open network-auth mac-radius<br />
encryption wep128<br />
config security-profile mac-radius-128 default-user-vlan mac-radius-vlan<br />
5 Configure the security profile with a WEP key of encryption length 128<br />
config security-profile mac-radius-128 wep key add 0 hex abcdefaaaaaaaaaaaaaaaaaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
6 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile mac-radius-128 wep default-key-index 0<br />
7 Configure the name of the ESS<br />
config security-profile mac-radius-128 ess-name mac-radius-128-ess<br />
Open - Dot1x - WEP 64<br />
1 Create a security profile (open-dot1x-64) by copying from the default unsecure profile.<br />
create security-profile open-dot1x-64 copy unsecure<br />
2 Create a VLAN (dot1x-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan dot1x-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan dot1x-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan dot1x-vlan add ports 1:5 tagged<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 185
Security<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-dot1x-64 dot11-auth open network-auth dot1x encryption<br />
wep64<br />
config security-profile open-dot1x-64 default-user-vlan dot1x-vlan<br />
6 Configure the name of the ESS<br />
config security-profile open-dot1x-64 ess-name open-dot1x-64-ess<br />
Open - Dot1x - WEP 128<br />
1 Create a security profile (open-dot1x-128) by copying from the default unsecure profile.<br />
create security-profile open-dot1x-128 copy unsecure<br />
2 Create a VLAN (dot1x-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan dot1x-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan dot1x-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan dot1x-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-dot1x-128 dot11-auth open network-auth dot1x encryption<br />
wep128<br />
config security-profile open-dot1x-128 default-user-vlan dot1x-vlan<br />
6 Configure the name of the ESS<br />
config security-profile open-dot1x-128 ess-name open-dot1x-128-ess<br />
Open - WPA (Dynamic) - WEP 64<br />
1 Create a security profile (open-wpa-64) by copying from the default unsecure profile.<br />
create security-profile open-wpa-64 copy unsecure<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpa-64 dot11-auth open network-auth wpa encryption<br />
wep64<br />
config security-profile open-wpa-64 default-user-vlan wpa-vlan<br />
6 Configure the name of the ESS<br />
186 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
config security-profile open-wpa-64 ess-name open-wpa-64-ess<br />
Open - WPA (Dynamic) - WEP 128<br />
1 Create a security profile (open-wpa-128) by copying from the default unsecure profile.<br />
create security-profile open-wpa-128 copy unsecure<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpa-128 dot11-auth open network-auth wpa encryption<br />
wep128<br />
config security-profile open-wpa-128 default-user-vlan wpa-vlan<br />
6 Configure the name of the ESS<br />
config security-profile open-wpa-128 ess-name open-wpa-128-ess<br />
Open - WPA (Dynamic) - TKIP<br />
1 Create a security profile (open-wpa-tkip) by copying from the default unsecure profile.<br />
create security-profile open-wpa-tkip copy unsecure<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpa-tkip dot11-auth open network-auth wpa encryption<br />
tkip<br />
config security-profile open-wpa-tkip default-user-vlan wpa-vlan<br />
6 Configure the name of the ESS<br />
config security-profile open-wpa-tkip ess-name open-wpa-tkip-ess<br />
Open - WPA (Dynamic) - AES<br />
1 Create a security profile (open-wpa-aes) by copying from the default unsecure profile.<br />
create security-profile open-wpa-aes copy unsecure<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 187
Security<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the VLAN<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpa-aes dot11-auth open network-auth wpa encryption aes<br />
config security-profile open-wpa-aes default-user-vlan wpa-vlan<br />
6 Configure the name of the ESS<br />
config security-profile open-wpa-aes ess-name open-wpa-aes-ess<br />
Open - WPA PSK (Pre-Shared Key) - WEP 64<br />
1 Create a security profile (open-wpapsk-64) by copying from the default unsecure profile.<br />
create security-profile open-wpapsk-64 copy unsecure<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the wpa-vlan<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpapsk-64 dot11-auth open network-auth wpa-psk<br />
encryption wep64<br />
config security-profile open-wpapsk-64 default-user-vlan wpa-vlan<br />
6 Configure the pre-shared key (PSK) for the security-profile.<br />
config security-profile open-wpapsk-64 wpa-psk hex <br />
…or…<br />
config security-profile open-wpapsk-64 wpa-psk passphrase <br />
7 Configure the name of the ESS<br />
config security-profile open-wpapsk-64 ess-name open-wpapsk-64-ess<br />
Open - WPA PSK (Pre-Shared Key) - WEP 128<br />
1 Create a security profile (open-wpapsk-128) by copying from the default unsecure profile.<br />
create security-profile open-wpapsk-128 copy unsecure<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
188 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
3 Configure the tag for the wpa-vlan<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpapsk-128 dot11-auth open network-auth wpa-psk<br />
encryption wep128<br />
config security-profile open-wpapsk-128 default-user-vlan wpa-vlan<br />
6 Configure the pre-shared key (PSK) for the security-profile.<br />
config security-profile open-wpapsk-128 wpa-psk hex <br />
…or…<br />
config security-profile open-wpapsk-128 wpa-psk passphrase <br />
7 Configure the name of the ESS<br />
config security-profile open-wpapsk-128 ess-name open-wpapsk-128-ess<br />
Open - WPA PSK (Pre-Shared Key) - TKIP<br />
1 Create a security profile (open-wpapsk-tkip) by copying from the default unsecure profile.<br />
create security-profile open-wpapsk-tkip copy unsecure<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the wpa-vlan<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpapsk-tkip dot11-auth open network-auth wpa-psk<br />
encryption tkip<br />
config security-profile open-wpapsk-tkip default-user-vlan wpa-vlan<br />
6 Configure the pre-shared key (PSK) for the security-profile.<br />
config security-profile open-wpapsk-tkip wpa-psk hex <br />
…or…<br />
config security-profile open-wpapsk-tkip wpa-psk passphrase <br />
7 Configure the name of the ESS<br />
config security-profile open-wpapsk-tkip ess-name open-wpapsk-tkip-ess<br />
Open - WPA PSK (Pre-Shared Key) - AES<br />
1 Create a security profile (open-wpapsk-aes) by copying from the default unsecure profile.<br />
create security-profile open-wpapsk-aes copy unsecure<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 189
Security<br />
2 Create a VLAN (wpa-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wpa-vlan<br />
3 Configure the tag for the wpa-vlan<br />
config vlan wpa-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wpa-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile open-wpapsk-aes dot11-auth open network-auth wpa-psk<br />
encryption aes<br />
config security-profile open-wpapsk-aes default-user-vlan wpa-vlan<br />
6 Configure the pre-shared key (PSK) for the security-profile.<br />
config security-profile open-wpapsk-aes wpa-psk hex <br />
…or…<br />
config security-profile open-wpapsk-aes wpa-psk passphrase <br />
7 Configure the name of the ESS<br />
config security-profile open-wpapsk-aes ess-name open-wpapsk-aes-ess<br />
Shared - None - WEP 64<br />
1 Create a security profile (shared-none-64) by copying from the default unsecure profile.<br />
create security-profile shared-none-64 copy unsecure<br />
2 Create a VLAN (wep-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wep-vlan<br />
3 Configure the tag for the wep-vlan<br />
config vlan wep-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wep-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile shared-none-64 dot11-auth shared network-auth none<br />
encryption wep64<br />
config security-profile shared-none-64 default-user-vlan wep-vlan<br />
6 Configure the security profile for WEP encryption length of 64.<br />
config security-profile shared-none-64 wep key add 0 hex abcdefaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
190 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
config security-profile shared-none-64 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile shared-none-64 ess-name shared-none-64-ess<br />
Shared - None - WEP 128<br />
1 Create a security profile (shared-none-128) by copying from the default unsecure profile.<br />
create security-profile shared-none-128 copy unsecure<br />
2 Create a VLAN (wep-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan wep-vlan<br />
3 Configure the tag for the wep-vlan<br />
config vlan wep-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan wep-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile shared-none-128 dot11-auth shared network-auth none<br />
encryption wep128<br />
config security-profile shared-none-128 default-user-vlan wep-vlan<br />
6 Configure the security profile for WEP encryption length of 128.<br />
config security-profile shared-none-128 wep key add 0 hex abcdefaaaaaaaaaaaaaaaaaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile shared-none-128 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile shared-none-128 ess-name shared-none-128-ess<br />
Shared - Web Based Network Login - WEP 64<br />
1 Create a security profile (shared-web-64) copying from the default unsecure profile.<br />
create security-profile shared-web-64 copy unsecure<br />
2 Create a VLAN (web-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan web-vlan<br />
3 Configure the tag for the web-vlan<br />
config vlan web-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 191
Security<br />
config vlan web-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile shared-web-64 dot11-auth shared network-auth web-based<br />
encryption wep64<br />
config security-profile shared-web-64 default-user-vlan web-vlan<br />
6 Configure the security profile for WEP encryption length of 64.<br />
config security-profile shared-web-64 wep key add 0 hex abcdefaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile shared-web-64 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile shared-web-64 ess-name shared-web-64-ess<br />
Shared - Web Based Network Login - WEP 128<br />
1 Create a security profile (shared-web-128) by copying from the default unsecure profile.<br />
create security-profile shared-web-128 copy unsecure<br />
2 Create a VLAN (web-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan web-vlan<br />
3 Configure the tag for the web-vlan<br />
config vlan web-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan web-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile shared-web-128 dot11-auth shared network-auth web-based<br />
encryption wep128<br />
config security-profile shared-web-128 default-user-vlan web-vlan<br />
6 Configure the security profile for WEP encryption length of 128.<br />
config security-profile shared-web-128 wep key add 0 hex abcdefaaaaaaaaaaaaaaaaaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
192 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Example Wireless Configuration Processes<br />
config security-profile shared-web-128 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile shared-web-128 ess-name shared-web-128-ess<br />
Shared - MAC Radius - WEP 64<br />
1 Create a security profile (shared-macradius-64) by copying from the default unsecure profile.<br />
create security-profile shared-macradius-64 copy unsecure<br />
2 Create a VLAN (mac-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan mac-vlan<br />
3 Configure the tag for the mac-vlan<br />
config vlan mac-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
config vlan mac-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile shared-macradius-64 dot11-auth shared network-auth<br />
mac-radius encryption wep64<br />
config security-profile shared-macradius-64 default-user-vlan mac-vlan<br />
6 Configure the security profile for WEP encryption length of 128.<br />
config security-profile shared-macradius-64 wep key add 0 hex abcdefaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile shared-macradius-64 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile shared-marcradius-64 ess-name shared-macradius-64-ess<br />
Shared - MAC Radius - WEP 128<br />
1 Create a security profile (shared-macradius-128) by copying from the default unsecure profile.<br />
create security-profile shared-macradius-128 copy unsecure<br />
2 Create a VLAN (mac-vlan) for the potential clients that will connect to the network using this<br />
security-profile.<br />
create vlan mac-vlan<br />
3 Configure the tag for the mac-vlan<br />
config vlan mac-vlan tag 10<br />
4 Add the wireless port to the VLAN.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 193
Security<br />
config vlan mac-vlan add ports 1:5 tagged<br />
5 Configure the Dot11 Authentication, Network Authentication <strong>and</strong> Multicast Cipher/Encryption <strong>and</strong><br />
also assign the “default-user-vlan” parameter.<br />
config security-profile shared-macradius-128 dot11-auth shared network-auth<br />
mac-radius encryption wep128<br />
config security-profile shared-macradius-128 default-user-vlan mac-vlan<br />
6 Configure the security profile for WEP encryption length of 128.<br />
config security-profile shared-macradius-128 wep key add 0 hex<br />
abcdefaaaaaaaaaaaaaaaaaaaa<br />
NOTE<br />
If you enter the wrong number of characters for the code, a message similar to the following<br />
appears.<br />
Invalid number of bytes in key. Expected bytes, got bytes.<br />
7 Configure the security profile to use the 0 key you just defined as the default encryption key.<br />
config security-profile shared-macradius-128 wep default-key-index 0<br />
8 Configure the name of the ESS<br />
config security-profile shared-macradius-128 ess-name shared-macradius-128-ess<br />
Profile Assignment Example<br />
Refer to the following example when assigning <strong>and</strong> RF profile or security profile to a wireless interface.<br />
Assign Profiles to Wireless Interfaces:<br />
1 Configure interface 1 on port 1:5 to use the RF profile RF_A.<br />
config wireless ports 1:5 interface 1 rf-profile RF_A<br />
2 Configure interface 2 on port 1:5 to use the RF profile RF_G.<br />
config wireless ports 1:5 interface 2 rf-profile RF_G<br />
3 Configure interfaces 1 <strong>and</strong> 2 on port 1:5 to use the wep-secure security profile or the dotx1x-secure<br />
security profile.<br />
config wireless ports 1:5 interface 1 security-profile wep-secure<br />
config wireless ports 1:5 interface 2 security-profile wep-secure<br />
OR<br />
config wireless port 1:5 interface 1 security-profile dot1x-secure<br />
config wireless port 1:5 interface 2 security-profile dot1x-secure<br />
4 Configure the channel on wireless port interface 1 <strong>and</strong>/or 2. Specifying “0” means that the channel<br />
will be “auto-selected”. Using a channel assignment of “0” will usually result in the selection of a<br />
channel with the least interference for that radio mode. Available non-auto select channels will vary<br />
depending upon the regulatory limitations of the country in which the AP is being operated (i.e. The<br />
selected “country-code” global wireless parameter).<br />
config wireless ports 1:5 interface 1 channel 0<br />
config wireless ports 1:5 interface 2 channel 11<br />
194 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Switch Protection<br />
Switch Protection<br />
Switch protection features enhance the robustness of switch performance. In this category are the<br />
following features:<br />
• Profile Assignment Example<br />
• Denial of Service Protection<br />
Routing Access Profiles<br />
Routing access profiles are used to control the advertisement or recognition of routing protocols, such as<br />
RIP or OSPF. Routing access profiles can be used to ‘hide’ entire networks, or to trust only specific<br />
sources for routes or ranges of routes. The capabilities of routing access profiles are specific to the type<br />
of routing protocol involved, but are sometimes more efficient <strong>and</strong> easier to implement than access lists.<br />
Using Routing Access Profiles<br />
To use routing access profiles, you must perform the following steps:<br />
1 Create an access profile.<br />
2 Configure the access profile to be of type permit, deny, or none.<br />
3 Add entries to the access profile. Entries can be one of the following types:<br />
— IP addresses <strong>and</strong> subnet masks<br />
— VLAN<br />
4 Apply the access profile.<br />
Creating an Access Profile<br />
The first thing to do when using routing access profiles is to create an access profile. An access profile has<br />
a unique name <strong>and</strong> contains one of the following entry types:<br />
• A list of IP addresses <strong>and</strong> associated subnet masks<br />
• A VLAN<br />
You must give the access profile a unique name (in the same manner as naming a VLAN, protocol filter,<br />
or Spanning Tree Domain). To create an access profile, use the following comm<strong>and</strong>:<br />
create access-profile type [ipaddress | ipx-node | ipx-net |<br />
ipx-sap | as-path]<br />
Configuring an Access Profile Mode<br />
After the access profile is created, you must configure the access profile mode. The access profile mode<br />
determines whether the items in the list are to be permitted access or denied access.<br />
Three modes are available:<br />
• Permit—The permit access profile mode permits the operation, as long as it matches any entry in the<br />
access profile. If the operation does not match any entries in the list, the operation is denied.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 195
Security<br />
• Deny—The deny access profile mode denies the operation, as long as it matches any entry in the<br />
access profile. If it does not match all specified entries in the list, the operation is permitted.<br />
• None—Using the none mode, the access profile can contain a combination of permit <strong>and</strong> deny<br />
entries. Each entry must have a permit or deny attribute. The operation is compared with each entry<br />
in the list. Once a match is found, the operation is either permitted or denied, depending on the<br />
configuration of the matched entry. If no match is found, the operation is implicitly denied.<br />
To configure the access profile mode, use the following comm<strong>and</strong>:<br />
configure access-profile mode [permit | deny | none]<br />
Adding an Access Profile Entry<br />
Next, configure the access profile, using the following comm<strong>and</strong>:<br />
configure access-profile add {} {permit | deny}<br />
[ipaddress {exact} | as-path | | ipxnet <br />
| ipxsap | vlan]<br />
The following sections describe the configure access-profile add comm<strong>and</strong>.<br />
Specifying Subnet Masks<br />
The subnet mask specified in the access profile comm<strong>and</strong> is interpreted as a reverse mask. A reverse<br />
mask indicates the bits that are significant in the IP address. In other words, a reverse mask specifies the<br />
part of the address that must match the IP address to which the profile is applied.<br />
If you configure an IP address that is an exact match that is specifically denied or permitted, use a mask<br />
of /32 (for example, 141.251.24.28/32). If the IP address represents all addresses in a subnet address that<br />
you want to deny or permit, then configure the mask to cover only the subnet portion (for example,<br />
141.251.10.0/24). The keyword exact can be used when you wish to match only against the subnet<br />
address, <strong>and</strong> ignore all addresses within the subnet.<br />
If you are using off-byte boundary subnet masking, the same logic applies, but the configuration is<br />
more tricky. For example, the network address 141.251.24.128/27 represents any host from subnet<br />
141.251.24.128.<br />
Sequence Numbering<br />
You can specify the sequence number for each access profile entry. If you do not specify a sequence<br />
number, entries are sequenced in the order they are added. Each entry is assigned a value of 5 more<br />
than the sequence number of the last entry.<br />
Permit <strong>and</strong> Deny Entries<br />
If you have configured the access profile mode to be none, you must specify each entry type as either<br />
‘permit’ or ‘deny’. If you do not specify the entry type, it is added as a permit entry. If you have<br />
configured the access profile mode to be permit or deny, it is not necessary to specify a type for each<br />
entry.<br />
196 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Switch Protection<br />
Autonomous System Expressions<br />
The AS-path keyword uses a regular expression string to match against the AS path. Regular expression<br />
notation can include any of the characters listed in Table 29.<br />
Table 29: Regular Expression Notation<br />
Character<br />
N<br />
Definition<br />
As number<br />
N 1 - N 2 Range of AS numbers, where N 1 <strong>and</strong> N 2 are AS numbers <strong>and</strong> N 1 < N 2<br />
[N x ... N y ] Group of AS numbers, where N x <strong>and</strong> N y are AS numbers or a range of AS numbers<br />
[^N x ... N y ] Any AS numbers other than the ones in the group<br />
. Matches any number<br />
^<br />
Matches the beginning of the AS path<br />
$ Matches the end of the AS path<br />
– Matches the beginning or end, or a space<br />
- Separates the beginning <strong>and</strong> end of a range of numbers<br />
* Matches 0 or more instances<br />
+ Matches 1 or more instances<br />
Matches 0 or 1 instance<br />
{ Start of AS SET segment in the AS path<br />
} End of AS SET segment in the AS path<br />
( Start of a confederation segment in the AS path<br />
) End of a confederation segment in the AS path<br />
Autonomous System Expression Example<br />
The following example uses combinations of the autonomous system expressions to create a<br />
complicated access profile:<br />
create access-profile AS1 type as-path<br />
configure access-profile AS1 mode none<br />
These comm<strong>and</strong>s create the access profile.<br />
configure access-profile AS1 add 5 permit as-path “^65535$”<br />
This comm<strong>and</strong> configures the access profile to permit AS paths that contain only (begin <strong>and</strong> end with)<br />
AS number 65535.<br />
configure access-profile AS1 add 10 permit as-path “^65535 14490$”<br />
This comm<strong>and</strong> configures the access profile to permit AS paths beginning with AS number 65535,<br />
ending with AS number 14490, <strong>and</strong> containing no other AS paths.<br />
configure access-profile AS1 add 15 permit as-path “^1 2-8 [11 13 15]$”<br />
This comm<strong>and</strong> configures the access profile to permit AS paths beginning with AS number 1, followed<br />
by any AS number from 2 - 8, <strong>and</strong> ending with either AS number 11, 13, or 15.<br />
configure access-profile AS1 add 20 deny as-path “111 [2-8]”<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 197
Security<br />
This comm<strong>and</strong> configures the access profile to deny AS paths beginning with AS number 111 <strong>and</strong><br />
ending with any AS number from 2 - 8.<br />
configure access-profile AS1 add 25 permit as-path “111 .”<br />
This comm<strong>and</strong> configures the access profile to permit AS paths beginning with AS number 111 <strong>and</strong><br />
ending with any additional AS number, or beginning <strong>and</strong> ending with AS number 111.<br />
Deleting an Access Profile Entry<br />
To delete an access profile entry, use the following comm<strong>and</strong>:<br />
configure access-profile delete <br />
Applying Access Profiles<br />
Once the access profile is defined, apply it to one or more routing protocols or VLANs. When an access<br />
profile is applied to a protocol function (for example, the export of RIP routes) or a VLAN, this forms an<br />
access policy. A profile can be used by multiple routing protocol functions or VLANs, but a protocol<br />
function or VLAN can use only one access profile.<br />
Routing Profiles for RIP<br />
If you are using the RIP protocol, the switch can be configured to use an access profile to determine:<br />
• Trusted Neighbor—Use an access profile to determine trusted RIP router neighbors for the VLAN<br />
on the switch running RIP. To configure a trusted neighbor policy, use the following comm<strong>and</strong>:<br />
configure rip vlan [ | all] trusted-gateway [ | none]<br />
• Import Filter—Use an access profile to determine which RIP routes are accepted as valid routes. This<br />
policy can be combined with the trusted neighbor policy to accept selected routes only from a set of<br />
trusted neighbors. To configure an import filter policy, use the following comm<strong>and</strong>:<br />
configure rip vlan [ | all] import-filter [ | none]<br />
• Export Filter—Use an access profile to determine which RIP routes are advertised into a particular<br />
VLAN, using the following comm<strong>and</strong>:<br />
configure rip vlan [ | all] export-filter [ | none]<br />
Examples<br />
In the example shown in Figure 20, a switch is configured with two VLANs, Engsvrs <strong>and</strong> Backbone. The<br />
RIP protocol is used to communicate with other routers on the network. The administrator wants to<br />
allow all internal access to the VLANs on the switch, but no access to the router that connects to the<br />
Internet. The remote router that connects to the Internet has a local interface connected to the corporate<br />
backbone. The IP address of the local interface connected to the corporate backbone is 10.0.0.10/24.<br />
198 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Switch Protection<br />
Figure 20: RIP access policy example<br />
Internet<br />
Internet<br />
10.0.0.10 / 24<br />
Backbone (RIP)<br />
Switch being<br />
configured<br />
Engsvrs<br />
10.0.0.11 / 24<br />
Sales<br />
10.0.0.12 / 24<br />
10.1.1.1 / 24 10.2.1.1 / 24<br />
Engsvrs<br />
Sales<br />
ES4K013<br />
Assuming the backbone VLAN interconnects all the routers in the company (<strong>and</strong>, therefore, the Internet<br />
router does not have the best routes for other local subnets), the comm<strong>and</strong>s to build the access policy<br />
for the switch would be:<br />
create access-profile nointernet ipaddress<br />
configure access-profile nointernet mode deny<br />
configure access-profile nointernet add 10.0.0.10/32<br />
configure rip vlan backbone trusted-gateway nointernet<br />
In addition, if the administrator wants to restrict any user belonging to the VLAN Engsvrs from<br />
reaching the VLAN Sales (IP address 10.2.1.0/24), the additional access policy comm<strong>and</strong>s to build the<br />
access policy would be:<br />
create access-profile nosales ipaddress<br />
configure access-profile nosales mode deny<br />
configure access-profile nosales add 10.2.1.0/24<br />
configure rip vlan backbone import-filter nosales<br />
This configuration results in the switch having no route back to the VLAN Sales.<br />
Routing Access Profiles for OSPF<br />
Because OSPF is a link-state protocol, the access profiles associated with OSPF are different in nature<br />
than those associated with RIP. Access profiles for OSPF are intended to extend the existing filtering <strong>and</strong><br />
security capabilities of OSPF (for example, link authentication <strong>and</strong> the use of IP address ranges). If you<br />
are using the OSPF protocol, the switch can be configured to use an access profile to determine any of<br />
the following:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 199
Security<br />
• Inter-area Filter—For switches configured to support multiple OSPF areas (an ABR function), an<br />
access profile can be applied to an OSPF area that filters a set of OSPF inter-area routes from being<br />
sourced from any other areas. To configure an inter-area filter policy, use the following comm<strong>and</strong>:<br />
configure ospf area interarea-filter [ | none]<br />
• External Filter—For switches configured to support multiple OSPF areas (an ABR function), an<br />
access profile can be applied to an OSPF area that filters a set of OSPF external routes from being<br />
advertised into that area. To configure an external filter policy, use the following comm<strong>and</strong>:<br />
configure ospf area external-filter [ |none]<br />
NOTE<br />
If any of the external routes specified in the filter have already been advertised, those routes will remain<br />
until the associated LSAs in that area time-out.<br />
• ASBR Filter—For switches configured to support RIP <strong>and</strong> static route re-distribution into OSPF, an<br />
access profile can be used to limit the routes that are advertised into OSPF for the switch as a whole.<br />
To configure an ASBR filter policy, use the following comm<strong>and</strong>:<br />
configure ospf asbr-filter [ | none]<br />
• Direct Filter—For switches configured to support direct route re-distribution into OSPF, an access<br />
profile can be used to limit the routes that are advertised into OSPF for the switch as a whole. To<br />
configure a direct filter policy, use the following comm<strong>and</strong>:<br />
configure ospf direct-filter [ | none]<br />
Example<br />
Figure 21 illustrates an OSPF network that is similar to the network used previously in the RIP example.<br />
In this example, access to the Internet is accomplished by using the ASBR function on the switch labeled<br />
Internet. As a result, all routes to the Internet will be done through external routes. Suppose the<br />
network administrator wishes to only allow access to certain internet addresses falling within the range<br />
192.1.1.0/24 to the internal backbone.<br />
200 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Switch Protection<br />
Figure 21: OSPF access policy example<br />
Internet<br />
Switch being<br />
configured<br />
Internet<br />
10.0.0.10 / 24<br />
Backbone (OSPF)<br />
area 0.0.0.0<br />
10.0.0.11 / 24<br />
Engsvrs<br />
10.0.0.12 / 24<br />
Sales<br />
10.1.1.1 / 24 10.2.1.1 / 24<br />
Engsvrs<br />
area 0.0.0.1<br />
Sales<br />
area 0.0.0.2<br />
ES4K014<br />
To configure the switch labeled Internet, the comm<strong>and</strong>s would be as follows:<br />
create access-profile okinternet ipaddress<br />
configure access-profile okinternet mode permit<br />
configure access-profile okinternet add 192.1.1.0/24<br />
configure ospf asbr-filter okinternet<br />
Routing Access Profiles for PIM<br />
Because PIM leverages the unicast routing capability that is already present in the switch, the access<br />
policy capabilities are, by nature, different. If you are using the PIM protocol for routing IP multicast<br />
traffic, you can configure the switch to use an access profile to determine:<br />
Trusted Neighbor—Use an access profile to determine trusted PIM router neighbors for the VLAN on<br />
the switch running PIM. To configure a trusted neighbor policy, use the following comm<strong>and</strong>:<br />
configure pim vlan [ | all] trusted-gateway [ | none]<br />
Example<br />
Using PIM, the unicast access profiles can be used to restrict multicast traffic. In this example, a network<br />
similar to the example used in the previous RIP example is also running PIM. The network<br />
administrator wants to disallow Internet access for multicast traffic to users on the VLAN Engsvrs. This<br />
is accomplished by preventing the learning of routes that originate from the switch labeled Internet by<br />
way of PIM on the switch labeled Engsvrs.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 201
Security<br />
Denial of Service Protection<br />
A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed<br />
<strong>and</strong> rendered inoperative in a way that legitimate requests for service cannot succeed. In its simplest<br />
form, a Denial of Service attack is indistinguishable from normal heavy traffic. <strong>Extreme</strong> Network<br />
switches are not vulnerable to this simple attack because they are all designed to process packets in<br />
hardware at wire speed. However, there are some operations in any switch or router that are more<br />
costly than others, <strong>and</strong> although normal traffic is not a problem, exception traffic must be h<strong>and</strong>led by<br />
the switch’s CPU in software.<br />
Some packets that the switch processes in the CPU software include:<br />
• Learning new traffic<br />
• Routing <strong>and</strong> control protocols including ICMP <strong>and</strong> OSPF<br />
• Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc...)<br />
• Other packets directed to the switch that must be discarded by the CPU<br />
If any one of these functions is overwhelmed, the CPU can be too busy to service other functions <strong>and</strong><br />
cause switch performance to suffer. Even with the fast CPU of the Summit “e” series, there are ways to<br />
overwhelm the CPU with packets requiring costly processing.<br />
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the<br />
problem <strong>and</strong> filter out the offending traffic so that other functions can continue.<br />
NOTE<br />
DoS Protection can create an ACL at any one time for only one specific source. Only one ACL can be<br />
active at any time, so when the switch is suffering an attack from multiple hosts, the CPU will still get<br />
flooded.<br />
Summit 200 <strong>and</strong> Summit 300. When a flood of packets is received from the switch, DoS Protection<br />
will count these packets. When the packet count nears the alert threshold, packets headers are saved. If<br />
the threshold is reached, then these headers are analyzed, <strong>and</strong> a hardware access control list (ACL) is<br />
created to limit the flow of these packets to the CPU. This ACL remains in place to provide relief to the<br />
CPU. Periodically, the ACL expires, <strong>and</strong> if the attack is still occurring, it is re-enabled. With the ACL in<br />
place, the CPU will have the cycles to process legitimate traffic <strong>and</strong> continue other services.<br />
Summit 200 <strong>and</strong> Summit 300 users should configure per port DoS alert thresholds <strong>and</strong> time intervals to<br />
block the port against broadcast storms or learned packets.<br />
Summit 400 only. When the number of packets entering the CPU reaches the alert threshold, the<br />
headers of the packets are analyzed <strong>and</strong> an ACL is created to limit the flow of these packets to the CPU.<br />
An ACL still cannot stop the packets from reaching the CPU because of conditions such as a layer 3<br />
miss to the CPU or because of an unknown IP multicast error. The Summit 400 uses port-level blocking<br />
in conjunction with the ACL to block the packets.<br />
Configuring Denial of Service Protection<br />
To configure denial of service protection on a system-wide basis, use the following comm<strong>and</strong>:<br />
202 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Denial of Service Protection<br />
configure cpu-dos-protect [alert-threshold ] [notice-threshold<br />
] [timeout ] [messages [on | off]] [filter-precedence<br />
] [filter-type-allowed {destination | source | destination source} {protocol}]<br />
The default values for the parameters are as follows:<br />
• alert-threshold—4000 packets per second<br />
• notice-threshold—4000 packets per second<br />
• timeout—15 seconds<br />
• messages—on (messages are sent to syslog)<br />
• filter-precedence—10<br />
• filter-type-allowed—destination<br />
• trusted ports—none<br />
If you wish to set all the parameters back to their default values, use the following comm<strong>and</strong>:<br />
unconfigure cpu-dos-protect<br />
NOTE<br />
If you set the filter-precedence to 0, the ACLs created by DoS protection will be overwritten by the<br />
default VLAN QoS profile.<br />
To start protecting the switch from attack on a port-basis, first determine what ports are at risk <strong>and</strong> set<br />
limits for the traffic on those ports. Use the following comm<strong>and</strong> to identify those ports <strong>and</strong> to configure<br />
the alert-threshold, also known as the disable threshold:<br />
configure cpu-dos-protect [ports |all] alert-threshold <br />
interval-time <br />
You can also configure all the ports on the switch to globally implement DoS using the following<br />
default values:<br />
• alert-threshold—150 packets per second<br />
• interval-time—1 seconds<br />
Enabling Denial of Service Protection<br />
Enable denial of service protection using the following comm<strong>and</strong>:<br />
enable cpu-dos-protect<br />
Once enabled, denial of service protection creates an access list for packets when the receive packet on a<br />
port is greater than the alert level. For example, if cpu-dos-protect is enabled on a switch <strong>and</strong> the<br />
threshold alert level is set to 3000 packets per second, an access list is created if one of the ports on the<br />
switch receives 3000 or more packets per second. The precedence is set at 10 for the duration of the<br />
timeout.<br />
For example, if you set the timeout to 15 seconds, the ACL is created for 15 seconds. The switch<br />
continues to create access lists for the duration of the timeout until the packet rate declines to less than<br />
the configured threshold alert level.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 203
Security<br />
Disabling Denial of Service Protection<br />
To disable denial of service protection, use the following comm<strong>and</strong>:<br />
disable cpu-dos-protect<br />
Displaying Denial of Service Settings<br />
To display denial of service settings <strong>and</strong> the status of the access list, use the following comm<strong>and</strong>:<br />
show cpu-dos-protect [ports ]CPU DoS Protection must be enabled for the show<br />
comm<strong>and</strong> to have valid values.<br />
For example, to review the DoS traffic for port 1, issue this comm<strong>and</strong>:<br />
sh cpu-dos-protect ports 1<br />
The output from this comm<strong>and</strong> follows:<br />
* ex160:22 # sh cpu-dos-protect ports 1<br />
Cpu dos protect: enabled<br />
Port L3Miss L3Err Bcast IpUnkMcast Learn Curr Int Cfg Thr Cfg Int Pass<br />
______________________________________________________________________<br />
1 150 150 150 150 150 1 150 1 3<br />
Trusted ports: none<br />
The output of this show comm<strong>and</strong> displays the following information, which can help you analyze the<br />
type of activity coming across the port to the CPU:<br />
• The status of DoS Protection on the port<br />
• Layer 3 miss to the CPU<br />
These are packets that do not have corresponding IPFDB entries on VLANs, which are enabled for IP<br />
forwarding. Packets that are unicasted to the CPU IP are also considered in this category.<br />
• Layer 3 error<br />
These are IP packets with options, IPMC packets (but not class D address) with checksum errors,<br />
<strong>and</strong> non-IP packets.<br />
• Broadcast traffic<br />
• IP multicast unknown<br />
These are IPMC packets that do not have corresponding IPMC FDB entries.<br />
• Learning packets<br />
These are packets that do not have a corresponding FDB entries.<br />
• Current interval<br />
The current time interval, less than or equal to the configured interval.<br />
• Configured alert threshold<br />
The maximum number of packets that can be sent to the CPU during the configured interval. This<br />
variable is equal to the configured interval parameter in seconds for each traffic category.<br />
• Configured interval<br />
204 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Denial of Service Protection<br />
This variable is equal to the configured interval parameter in seconds for each traffic category.<br />
• Free pass indicator (Zero in this field indicates a free pass for three intervals after the port comes<br />
up.)<br />
• Trusted port status<br />
How to Deploy DoS Protection<br />
The conservative way to deploy DoS Protection is to use the simulated mode first. In simulated mode,<br />
DoS Protection is enabled, but no ACLs are generated. To enable the simulated mode, use the<br />
comm<strong>and</strong>:<br />
enable cpu-dos-protect simulated<br />
Next, configure the notice threshold. This will help determine the actual traffic received by the CPU by<br />
logging when the traffic exceeds the threshold. This can help underst<strong>and</strong> the types of traffic<br />
encountered, <strong>and</strong> evaluate whether legitimate traffic may be accidentally blocked. Some examples of<br />
heavy legitimate traffic to the cpu include:<br />
• route loss—during this period, the switch may receive lots of routing updates that cause heavy<br />
traffic processing loads on the CPU.<br />
• configuration or image upload/download<br />
To configure the notice threshold, use the following comm<strong>and</strong>:<br />
configure cpu-dos-protect notice-threshold <br />
Next, configure the alert threshold. If the alert threshold is reached, a simulated ACL is put in place.<br />
Although packets will not be dropped, this provides good information about the heavy traffic, which<br />
might be legitimate or might be an attack. The Ethernet address of the source <strong>and</strong> the type of traffic can<br />
be characterized by the type of ACL put in place. This is another way to judge if legitimate traffic<br />
would have been cut off. To configure the alert threshold, use the following comm<strong>and</strong>:<br />
configure cpu-dos-protect alert-threshold <br />
After normal traffic is characterized, steps should be taken to set:<br />
• the appropriate notice level if some warning is desired<br />
• the appropriate alert level at which an ACL is put in place<br />
• trusted ports from which traffic won’t be blocked<br />
In some cases, traffic from a switch port or group of ports will never cause an attack. These ports can be<br />
configured as trusted port <strong>and</strong> will never be considered for traffic that will generate an ACL. This can<br />
prevent innocent hosts from being blocked, or ensure that when an innocent host responds to an attack<br />
that the flood of response packets is not mistaken for the attack. To configure a trusted port on a<br />
system-wide basis, use the following comm<strong>and</strong>:<br />
configure cpu-dos-protect trusted-ports [add | delete |<br />
all | none]<br />
To configure a trusted port on a port-basis, use the following comm<strong>and</strong>:<br />
configure cpu-dos-protect trusted-ports <br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 205
Security<br />
The last step is to enable DoS Protection. At this point, only attack traffic should be blocked <strong>and</strong><br />
legitimate traffic should pass through. To enable the creation of ACLs for DoS Protection, use the<br />
following comm<strong>and</strong>:<br />
enable cpu-dos-protect<br />
Blocking SQL Slammer DoS Attacks<br />
You can block the SQL Slammer DoS attack. SQL Slammer causes high CPU utilization on the next-hop<br />
switch serving multicast requests as ICMP sender entries are quickly populated into the multicast<br />
sender list. This leads to a high number of multicast entries in the IGMP snooping entry table, <strong>and</strong> a<br />
message similar to the following in the system log:<br />
tBGTask: Reached maximum otp ExtraMC index allocation<br />
To block <strong>and</strong> clean up after this task:<br />
1 Block the attack by creating an ACL to block port 1434 using the following comm<strong>and</strong>:<br />
create access-mask udp-mask ip-protocol dest-L4port<br />
create access-list udp-acl udp-mask ip-protocol udp dest-L4port 1434 deny<br />
2 Remove affected SQL servers from the network<br />
You can simply disable the port connecting the server.<br />
3 Clean up the existing IGMP snooping entries <strong>and</strong> IPMC cache using the following comm<strong>and</strong>s:<br />
igmp snooping<br />
clear ipmc cache<br />
4 Disable IGMP snooping on the affected switches.<br />
Disabling IGMP snooping affects routing protocols using multicast addresses <strong>and</strong> multicast traffic on<br />
that switch.<br />
Improving Performance with Enhanced DoS Protection<br />
St<strong>and</strong>ard DoS Protection installs an Access Control List (ACL) to protect against Internet Control<br />
Message Protocol (ICMP) attacks. To counter the reduced CPU time for processing real data <strong>and</strong> control<br />
packets as a result of an ICMP attack, DoS Protection creates an ACL based on the number of ICMP<br />
packets being h<strong>and</strong>led by the CPU. ACLs can also affect real traffic, resulting in a performance cost.<br />
Enhanced DoS Protection provides a complimentary level of security that allows detection <strong>and</strong><br />
protection against attacks that have an address sweep signature. It does this in two ways:<br />
• First, Enhanced DoS Protection allows you to limit the rate of unresolved IP packets that reach the<br />
CPU in case of a DoS attack.<br />
• Second, Enhanced DoS Protection identifies valid streams before installing IPFDB entries, reducing<br />
IPFDB thrashing.<br />
To enable Enhanced DoS Protection globally, use the following comm<strong>and</strong> without any keywords:<br />
enable enhanced-dos-protect {rate-limit | ipfdb} {ports [ | all]}<br />
To disable Enhanced DoS Protection globally, use the following comm<strong>and</strong> without any keywords:<br />
disable enhanced-dos-protect {rate-limit | ipfdb} {ports [ | all]}<br />
206 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Denial of Service Protection<br />
Configuring Ports as Trusted or Untrusted. Rate limiting is applied to packets arriving on untrusted<br />
ports. You can configure each port as trusted or untrusted. A trusted port behaves as a normal port. An<br />
untrusted port behaves according to the configuration parameter used in IPFDB thrashing. To configure<br />
a port as trusted or untrusted, use the following comm<strong>and</strong>:<br />
configure enhanced-dos-protect ports [trusted | untrusted] <br />
Setting <strong>and</strong> Verifying Threshold Values. Rate limit threshold values can be configured for selected<br />
ports. If the number of packets received on an untrusted port reaches the configured threshold limit, the<br />
packets are r<strong>and</strong>omly dropped. The number of packets dropped is proportional to the configured drop<br />
probability rate. For example, if the drop probability rate is set to 60%, then 60% of packets received<br />
after the configured threshold within the time duration to be considered (the learning window) will be<br />
dropped.<br />
Use the threshold keyword in the following comm<strong>and</strong> to set rate limit thresholds:<br />
configure enhanced-dos-protect rate-limit [threshold | drop-probability<br />
| learn-window | protocol [all | icmp]] ports<br />
<br />
Use the following comm<strong>and</strong> to verify the rate limit threshold configuration:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Use the threshold keyword in the following comm<strong>and</strong> to remove selected ports from the rate limit<br />
threshold configuration:<br />
unconfigure enhanced-dos-protect rate-limit [threshold | drop-probability |<br />
learn-window | protocol] ports <br />
Setting <strong>and</strong> Verifying Learn Window Values. You can specify learn window values for selected ports<br />
by using the learn-window keyword in the following comm<strong>and</strong>:<br />
configure enhanced-dos-protect rate-limit [threshold | drop-probability<br />
| learn-window | protocol [all | icmp]] ports<br />
<br />
Use the following comm<strong>and</strong> to verify the learn window configuration:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Use the learn-window keyword in the following comm<strong>and</strong> to remove selected ports from the rate limit<br />
learn window configuration:<br />
unconfigure enhanced-dos-protect rate-limit [threshold | drop-probability |<br />
learn-window | protocol] ports <br />
Setting <strong>and</strong> Verifying Drop Probability Rates. You can specify the percentage of slow-path traffic to<br />
be dropped by using the drop-probability keyword in the following comm<strong>and</strong>:<br />
configure enhanced-dos-protect rate-limit [threshold | drop-probability<br />
| learn-window | protocol [all | icmp]] ports<br />
<br />
Use the following comm<strong>and</strong> to verify the drop probability configuration:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 207
Security<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Use the drop-probability keyword in the following comm<strong>and</strong> to remove selected ports from the rate<br />
limit drop probability configuration:<br />
unconfigure enhanced-dos-protect rate-limit [threshold | drop-probability |<br />
learn-window | protocol] ports <br />
Setting <strong>and</strong> Verifying Protocol Types. To change the rate limit protocol type, use the protocol<br />
keyword in the following comm<strong>and</strong>:<br />
configure enhanced-dos-protect rate-limit [threshold | drop-probability<br />
| learn-window | protocol [all | icmp]] ports<br />
<br />
Use the following comm<strong>and</strong> to verify the drop probability configuration:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Use the protocol keyword in the following comm<strong>and</strong> to remove selected ports from the rate limit<br />
protocol configuration:<br />
unconfigure enhanced-dos-protect rate-limit [threshold | drop-probability |<br />
learn-window | protocol] ports <br />
Configuring the IPFDB Learning Qualifier<br />
Enhanced DoS Protection lets you configure an IPFDB learning qualifier to identify valid IP streams<br />
before installing IPFDB entries. IPFDB entries are installed only for valid IP flows, which reduces IPFDB<br />
thrashing. An IP stream is considered valid only if it meets the qualification criteria, which include a<br />
defined learning threshold <strong>and</strong> aging time. If the number of packets received for a given IP stream is<br />
greater than the defined learning threshold during the defined aging time, the stream is considered<br />
valid <strong>and</strong> the entry is installed.<br />
Enabling <strong>and</strong> Disabling the IPFDB Learning Qualifier. To globally enable reduced IPFDB thrashing,<br />
use the ipfdb keyword without any port qualification in the following comm<strong>and</strong>:<br />
enable enhanced-dos-protect {rate-limit | ipfdb} {ports [ | all]}<br />
To globally disable reduced IPFDB thrashing, use the ipfdb keyword without any port qualification in<br />
the following comm<strong>and</strong>:<br />
disable enhanced-dos-protect {rate-limit | ipfdb} {ports [ | all]}<br />
To enable reduced IPFDB thrashing for specific ports, use the ipfdb <strong>and</strong> port keywords in the<br />
following comm<strong>and</strong>:<br />
enable enhanced-dos-protect {rate-limit | ipfdb} {ports [ | all]}<br />
To disable reduced IPFDB thrashing for specific ports, use the ipfdb <strong>and</strong> port keywords in the<br />
following comm<strong>and</strong>:<br />
disable enhanced-dos-protect {rate-limit | ipfdb} {ports [ | all]}<br />
To verify that reduced IPFDB thrashing is enabled or disabled, use the ipfdb keyword in the following<br />
comm<strong>and</strong>:<br />
208 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Denial of Service Protection<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Configuring Ports as Trusted or Untrusted. You can configure each port as trusted or untrusted. A<br />
trusted port behaves as a normal port. An untrusted port behaves according to the configuration<br />
parameter used in IPFDB thrashing. To configure a port as trusted or untrusted, use the following<br />
comm<strong>and</strong>:<br />
configure enhanced-dos-protect ports [trusted | untrusted] <br />
Setting <strong>and</strong> Verifying the Learning Limit. You can configure a learning limit value to define the<br />
number of packets to be counted before <strong><strong>Extreme</strong>Ware</strong> can create an IPFDB entry in the hardware. To<br />
configure the learning limit, use the following comm<strong>and</strong>:<br />
configure enhanced-dos-protect ipfdb learn-limit ports <br />
To verify the status of reduced IPFDB thrashing for each port, use the ipfdb keyword in the following<br />
comm<strong>and</strong> <strong>and</strong> view data in the Learn-Limit column:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Setting <strong>and</strong> Verifying the Learn Window. You can set a learn window value used by the switch to<br />
wait for a certain amount of time to reach the threshold value. Use the following comm<strong>and</strong> to set the<br />
learn window for the IPFDB learning qualifier:<br />
configure enhanced-dos-protect ipfdb learn-window ports <br />
To verify the status of reduced IPFDB thrashing for each port, use the ipfdb keyword in the following<br />
comm<strong>and</strong> <strong>and</strong> view data in the Learn-Window column:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Setting <strong>and</strong> Verifying the Aging Value. You can set an aging value that defines the software cache<br />
timeout period that the switch will wait to delete an IPFDB entry. To set the aging value, use the<br />
following comm<strong>and</strong>:<br />
configure enhanced-dos-protect ipfdb agingtime ports <br />
To verify the aging value status of reduced IPFDB thrashing for each port, use the ipfdb keyword in the<br />
following comm<strong>and</strong> <strong>and</strong> view data in the Aging column:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
Configuring the IPFDB Cache Size. Enhanced DoS Protection maintains the number of IPFDB entries<br />
according to the cache-size limit. To set the cache size, use the following comm<strong>and</strong>:<br />
configure enhanced-dos-protect ipfdb cache-size <br />
To verify the cache-size status of the IPFDB learning qualifier, use the ipfdb keyword in the following<br />
comm<strong>and</strong>:<br />
show enhanced-dos-protect [rate-limit | ipfdb] ports [ | all]<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 209
Security<br />
Duplicate IP Protection<br />
Duplicate IP protection is designed to allow only those hosts whose IP addresses are assigned by a<br />
DHCP server to access the network. The process works by disabling ARP learning. Hosts with manually<br />
configured IP addresses are not able to access the network because the switch does not follow the ARP<br />
procedures to create its ARP table. Since all clients’ IP addresses can be centrally managed <strong>and</strong><br />
allocated, duplicate IP protection can increase network security, provide better user management, keep<br />
network operation from being interrupted by IP address duplication, <strong>and</strong> benefit IP address based<br />
accounting <strong>and</strong> billing. By default, arp-learning is enabled on all ports <strong>and</strong> vlans.<br />
When a packet is forwarded through routing, the destination IP address is generally compared with<br />
information in the hardware forwarding entry. The information used for comparison enables<br />
classification into two categories: host lookup <strong>and</strong> network lookup<br />
To enable the ARP-learning feature on the switch, use the following comm<strong>and</strong>:<br />
enable arp-learning<br />
To disable the ARP-learning feature, use the following comm<strong>and</strong>.<br />
disable arp-learning<br />
To enable arp-learning on a port, use the following comm<strong>and</strong>:<br />
enable arp-learning ports <br />
To disable arp-learning on a port, use the following comm<strong>and</strong>:<br />
disable arp-learning ports <br />
To display the arp-learning configuration on ports, use the following comm<strong>and</strong>:<br />
show arp-learning vlan port <br />
To enable arp-learning on a vlan, use the following comm<strong>and</strong>:<br />
enable arp-learning vlan port <br />
To disable arp-learning on a vlan, use the following comm<strong>and</strong>;<br />
disable arp-learning vlan <br />
To display the arp-learning configuration on this vlan, use the following comm<strong>and</strong>:<br />
show arp-learning vlan port <br />
To enable arp-learning on a port in the given vlan, use the following comm<strong>and</strong>:<br />
enable arp-learning vlan port <br />
To disable arp-learning on a port in the given vlan, use the following comm<strong>and</strong>:<br />
disable arp-learning vlan port <br />
To display the arp-learning configuration a port in the given vlan, use the following comm<strong>and</strong>:<br />
show arp-learning vlan port <br />
210 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Management Access Security<br />
Management Access Security<br />
Management access security features control access to the management functions available on the<br />
switch. These features help insure that any configuration changes to the switch can only be done by<br />
authorized users. In this category are the following features:<br />
• Authenticating <strong>User</strong>s Using RADIUS or TACACS+<br />
• Configuring Timeout<br />
Authenticating <strong>User</strong>s Using RADIUS or TACACS+<br />
<strong><strong>Extreme</strong>Ware</strong> provides two methods to authenticate users who login to the switch:<br />
• RADIUS client<br />
• TACACS+<br />
RADIUS Client<br />
Remote Authentication Dial In <strong>User</strong> Service (RADIUS, RFC 2138) is a mechanism for authenticating <strong>and</strong><br />
centrally administrating access to network nodes. The <strong><strong>Extreme</strong>Ware</strong> RADIUS client implementation<br />
allows authentication for Telnet, Vista, or console access to the switch.<br />
You can define a primary <strong>and</strong> secondary RADIUS server for the switch to contact. When a user<br />
attempts to login using Telnet, http, or the console, the request is relayed to the primary RADIUS server,<br />
<strong>and</strong> then to the secondary RADIUS server, if the primary does not respond. If the RADIUS client is<br />
enabled, but access to the RADIUS primary <strong>and</strong> secondary server fails, the switch uses its local database<br />
for authentication.<br />
The privileges assigned to the user (admin versus nonadmin) at the RADIUS server take precedence<br />
over the configuration in the local switch database.<br />
To configure the RADIUS servers, use the following comm<strong>and</strong>:<br />
configure radius [primary | secondary] server [ | ] {}<br />
client-ip []<br />
To configure the timeout if a server fails to respond, use the following comm<strong>and</strong>:<br />
configure radius {[primary | secondary] {server []|}} timeout<br />
<br />
Configuring the Shared Secret Password<br />
In addition to specifying the RADIUS server IP information, RADIUS also contains a means to verify<br />
communication between network devices <strong>and</strong> the server. The shared secret is a password configured on<br />
the network device <strong>and</strong> RADIUS server, used by each to verify communication.<br />
To configure the shared secret for RADIUS servers, use the following comm<strong>and</strong>:<br />
configure radius [primary | secondary] {server |} shared-secret<br />
{encrypted} []<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 211
Security<br />
Enabling <strong>and</strong> Disabling RADIUS<br />
After server information is entered, you can start <strong>and</strong> stop RADIUS authentication as many times as<br />
necessary without needing to reconfigure server information.<br />
To enable RADIUS authentication, use the following comm<strong>and</strong>:<br />
enable radius<br />
To disable RADIUS authentication, use the following comm<strong>and</strong>:<br />
disable radius<br />
Configuring RADIUS Accounting<br />
<strong>Extreme</strong> switches are capable of sending RADIUS accounting information. As with RADIUS<br />
authentication, you can specify two servers for receipt of accounting information. You can configure<br />
RADIUS accounting servers to be the same as the authentication servers, but this is not required.<br />
To specify RADIUS accounting servers, use the following comm<strong>and</strong>:<br />
configure radius-accounting [primary | secondary] server [ | ]<br />
{} client-ip []<br />
To configure the timeout if a server fails to respond, use the following comm<strong>and</strong>:<br />
configure radius-accounting {[primary | secondary] {server | }}<br />
timeout <br />
RADIUS accounting also makes use of the shared secret password mechanism to validate<br />
communication between network access devices <strong>and</strong> RADIUS accounting servers.<br />
To specify shared secret passwords for RADIUS accounting servers, use the following comm<strong>and</strong>:<br />
configure radius-accounting [primary | secondary] {server |}<br />
shared-secret {encrypted} []<br />
After you configure RADIUS accounting server information, you must enable accounting before the<br />
switch begins transmitting the information. You must enable RADIUS authentication for accounting<br />
information to be generated. You can enable <strong>and</strong> disable accounting without affecting the current state<br />
of RADIUS authentication.<br />
To enable RADIUS accounting, use the following comm<strong>and</strong>:<br />
enable radius-accounting<br />
To disable RADIUS accounting, use the following comm<strong>and</strong>:<br />
disable radius-accounting<br />
Per-Comm<strong>and</strong> Authentication Using RADIUS<br />
The RADIUS implementation can be used to perform per-comm<strong>and</strong> authentication. Per-comm<strong>and</strong><br />
authentication allows you to define several levels of user capabilities by controlling the permitted<br />
comm<strong>and</strong> sets based on the RADIUS username <strong>and</strong> password. You do not need to configure any<br />
additional switch parameters to take advantage of this capability. The RADIUS server implementation<br />
212 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Authenticating <strong>User</strong>s Using RADIUS or TACACS+<br />
automatically negotiates the per-comm<strong>and</strong> authentication capability with the switch. For examples on<br />
per-comm<strong>and</strong> RADIUS configurations, see the next section.<br />
Configuring RADIUS Client<br />
You can define primary <strong>and</strong> secondary server communication information, <strong>and</strong> for each RADIUS server,<br />
the RADIUS port number to use when talking to the RADIUS server. The default port value is 1645. The<br />
client IP address is the IP address used by the RADIUS server for communicating back to the switch.<br />
RADIUS RFC 2138 Attributes<br />
The RADIUS RFC 2138 optional attributes supported are as follows:<br />
• <strong>User</strong>-Name<br />
• <strong>User</strong>-Password<br />
• Service-Type<br />
• Login-IP-Host<br />
Using RADIUS Servers with <strong>Extreme</strong> Switches<br />
<strong>Extreme</strong> <strong>Networks</strong> switches have two levels of user privilege:<br />
• Read-only<br />
• Read-write<br />
Because there are no CLI comm<strong>and</strong>s available to modify the privilege level, access rights are<br />
determined when you log in. For a RADIUS server to identify the administrative privileges of a user,<br />
<strong>Extreme</strong> switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept<br />
packet, after successfully authenticating the user.<br />
<strong>Extreme</strong> switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is<br />
transmitted as part of the Access-Accept message from the Radius server. Other Service-Type values, or<br />
no value, result in the switch granting read-only access to the user. Different implementations of<br />
RADIUS h<strong>and</strong>le attribute transmission differently. You should consult the documentation for your<br />
specific implementation of RADIUS when you configure users for read-write access.<br />
Cistron RADIUS<br />
Cistron RADIUS is a popular server, distributed under GPL. Cistron RADIUS can be found at:<br />
http://www.miquels.cistron.nl/radius/<br />
When you configure the Cistron server for use with <strong>Extreme</strong> switches, you must pay close attention to<br />
the users file setup. The Cistron RADIUS dictionary associates the word Administrative-<strong>User</strong> with<br />
Service-Type value 6, <strong>and</strong> expects the Service-Type entry to appear alone on one line with a leading tab<br />
character.<br />
The following is a user file example for read-write access:<br />
adminuser<br />
Auth-Type = System<br />
Service-Type = Administrative-<strong>User</strong>,<br />
Filter-Id = “unlim”<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 213
Security<br />
Livingston (Lucent) RADIUS<br />
Livingston RADIUS is produced by Lucent Technologies primarily for use with their portmaster<br />
products. Version 2.1 is released under a BSD license agreement <strong>and</strong> can be found at<br />
ftp://ftp.livingston.com/pub/le/radius/radius21.tar.Z. As with Cistron RADIUS, the Livingston server<br />
default dictionary associates Administrative-<strong>User</strong> with Service-Type value 6. The administrative users<br />
file entry example for Cistron RADIUS also works with Livingston RADIUS.<br />
RSA Ace<br />
For users of their SecureID product, RSA offers RADIUS capability as part of their ACE server software.<br />
With some versions of ACE, the RADIUS shared-secret is incorrectly sent to the switch resulting in an<br />
inability to authenticate. As a work around, do not configure a shared-secret for RADIUS accounting<br />
<strong>and</strong> authentication servers on the switch.<br />
Limiting Max-Concurrent Sessions with Funk Software’s Steel Belted Radius<br />
For users who have Funk Software’s Steel Belted Radius (SBR) server, it is possible to limit the number<br />
of concurrent login sessions using the same user account. This feature allows the use of shared user<br />
accounts, but limits the number of simultaneous logins to a defined value. Using this feature requires<br />
Funk Software Steel-Belted-Radius for Radius Authentication & Accounting.<br />
Complete the following two steps to limit the maximum concurrent login sessions under the same user<br />
account:<br />
1 Configure Radius <strong>and</strong> Radius-Accounting on the switch<br />
The Radius <strong>and</strong> Radius-Accounting servers used for this feature must reside on the same physical<br />
Radius server. St<strong>and</strong>ard Radius <strong>and</strong> Radius-Accounting configuration is required as described earlier<br />
in this chapter.<br />
2 Modify the Funk SBR ‘vendor.ini’ file <strong>and</strong> user accounts<br />
To configure the Funk SBR server, the file ‘vendor.ini’ must be modified to change the <strong>Extreme</strong><br />
<strong>Networks</strong> configuration value of ‘ignore-ports’ to yes as shown in the example below:<br />
vendor-product = <strong>Extreme</strong> <strong>Networks</strong><br />
dictionary<br />
= <strong>Extreme</strong><br />
ignore-ports<br />
= yes<br />
port-number-usage = per-port-type<br />
help-id = 2000<br />
After modifying the ‘vendor.ini’ file, the desired user accounts must be configured for the<br />
Max-Concurrent connections. Using the SBR Administrator application, enable the check box for<br />
‘Max-Concurrent connections’ <strong>and</strong> fill in the desired number of maximum sessions.<br />
<strong>Extreme</strong> RADIUS<br />
<strong>Extreme</strong> <strong>Networks</strong> provides its users, free of charge, a radius server based on Merit RADIUS. <strong>Extreme</strong><br />
RADIUS provides per-comm<strong>and</strong> authentication capabilities in addition to the st<strong>and</strong>ard set of radius<br />
features. Source code for <strong>Extreme</strong> RADIUS can be obtained from the <strong>Extreme</strong> <strong>Networks</strong> Technical<br />
Assistance Center <strong>and</strong> has been tested on Red Hat Linux <strong>and</strong> Solaris.<br />
When <strong>Extreme</strong> RADIUS is up <strong>and</strong> running, the two most commonly changed files will be users <strong>and</strong><br />
profiles. The users file contains entries specifying login names <strong>and</strong> the profiles used for per-comm<strong>and</strong><br />
authentication after they have logged in. Sending a HUP signal to the RADIUS process is sufficient to<br />
get changes in the users file to take place. <strong>Extreme</strong> RADIUS uses the file named profiles to specify<br />
214 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Authenticating <strong>User</strong>s Using RADIUS or TACACS+<br />
comm<strong>and</strong> lists that are either permitted or denied to a user based on their login identity. Changes to the<br />
profiles file require the RADIUS server to be shutdown <strong>and</strong> restarted. Sending a HUP signal to the<br />
RADIUS process is not enough to force changes to the profiles file to take effect.<br />
When you create comm<strong>and</strong> profiles, you can use an asterisk to indicate any possible ending to any<br />
particular comm<strong>and</strong>. The asterisk cannot be used as the beginning of a comm<strong>and</strong>. Reserved words for<br />
comm<strong>and</strong>s are matched exactly to those in the profiles file. Due to the exact match, it is not enough to<br />
simply enter “sh” for “show” in the profiles file, the complete word must be used. Comm<strong>and</strong>s can still<br />
be entered in the switch in partial format.<br />
When you use per-comm<strong>and</strong> authentication, you must ensure that communication between the<br />
switch(es) <strong>and</strong> radius server(s) is not lost. If the RADIUS server crashes while users are logged in, they<br />
will have full administrative access to the switch until they log out. Using two RADIUS servers <strong>and</strong><br />
enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access<br />
due to RADIUS server problems.<br />
RADIUS Server Configuration Example (Merit)<br />
Many implementations of RADIUS server use the publicly available Merit © AAA server application,<br />
available on the World Wide Web at:<br />
http://www.merit.edu/aaa<br />
Included below are excerpts from relevant portions of a sample Merit RADIUS server implementation.<br />
The example shows excerpts from the client <strong>and</strong> user configuration files. The client configuration file<br />
(ClientCfg.txt) defines the authorized source machine, source name, <strong>and</strong> access level. The user<br />
configuration file (users) defines username, password, <strong>and</strong> service type information.<br />
ClientCfg.txt<br />
#Client Name Key [type] [version] [prefix]<br />
#---------------- --------------- -------------- --------- --------<br />
#10.1.2.3:256 test type = nas v2 pfx<br />
#pm1 %^$%#*(&!(*&)+ type=nas pm1.<br />
#pm2 :-):-(;^):-}! type nas pm2.<br />
#merit.edu/homeless hmoemreilte.ses<br />
#homeless testing type proxy v1<br />
#xyz.merit.edu moretesting type=Ascend:NAS v1<br />
#anyoldthing:1234 whoknows type=NAS+RAD_RFC+ACCT_RFC<br />
10.202.1.3 <strong>and</strong>rew-linux type=nas<br />
10.203.1.41 eric type=nas<br />
10.203.1.42 eric type=nas<br />
10.0.52.14 samf type=nas<br />
users<br />
user Password = ""<br />
Filter-Id = "unlim"<br />
admin Password = "", Service-Type = Administrative<br />
Filter-Id = "unlim"<br />
eric<br />
Password = "", Service-Type = Administrative<br />
Filter-Id = "unlim"<br />
albert Password = "password", Service-Type = Administrative<br />
Filter-Id = "unlim"<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 215
Security<br />
samuel Password = "password", Service-Type = Administrative<br />
Filter-Id = "unlim"<br />
RADIUS Per-Comm<strong>and</strong> Configuration Example<br />
Building on this example configuration, you can use RADIUS to perform per-comm<strong>and</strong> authentication<br />
to differentiate user capabilities. To do so, use the <strong>Extreme</strong>-modified RADIUS Merit software that is<br />
available from the <strong>Extreme</strong> <strong>Networks</strong> by contacting <strong>Extreme</strong> <strong>Networks</strong> technical support. The software<br />
is available in compiled format for Solaris or Linux operating systems, as well as in source code<br />
format. For all clients that use RADIUS per-comm<strong>and</strong> authentication, you must add the following type<br />
to the client file:<br />
type:extreme:nas + RAD_RFC + ACCT_RFC<br />
Within the users configuration file, additional keywords are available for Profile-Name <strong>and</strong><br />
<strong>Extreme</strong>-CLI-Authorization. To use per-comm<strong>and</strong> authentication, enable the CLI authorization<br />
function <strong>and</strong> indicate a profile name for that user. If authorization is enabled without specifying a valid<br />
profile, the user is unable to perform any comm<strong>and</strong>s.<br />
Next, define the desired profiles in an ASCII configuration file called profiles. This file contains<br />
named profiles of exact or partial strings of CLI comm<strong>and</strong>s. A named profile is linked with a user<br />
through the users file. A profile with the permit on keywords allows use of only the listed comm<strong>and</strong>s.<br />
A profile with the deny keyword allows use of all comm<strong>and</strong>s except the listed comm<strong>and</strong>s.<br />
CLI comm<strong>and</strong>s can be defined easily in a hierarchal manner by using an asterisk (*) to indicate any<br />
possible subsequent entry. The parser performs exact string matches on other text to validate<br />
comm<strong>and</strong>s. Comm<strong>and</strong>s are separated by a comma (,) or newline.<br />
Looking at the following example content in profiles for the profile named PROFILE1, which uses the<br />
deny keyword, the following attributes are associated with the user of this profile:<br />
• Cannot use any comm<strong>and</strong> starting with enable.<br />
• Cannot issue the disable ipforwarding comm<strong>and</strong>.<br />
• Cannot issue a show switch comm<strong>and</strong>.<br />
• Can perform all other comm<strong>and</strong>s.<br />
We know from the users file that this applies to the users albert <strong>and</strong> lulu. We also know that eric is<br />
able to log in, but is unable to perform any comm<strong>and</strong>s, because he has no valid profile assigned.<br />
In PROFILE2, a user associated with this profile can use any enable comm<strong>and</strong>, the clear counters<br />
comm<strong>and</strong> <strong>and</strong> the show management comm<strong>and</strong>, but can perform no other functions on the switch. We<br />
also know from the users file that gerald has these capabilities.<br />
The following lists the contents of the file users with support for per-comm<strong>and</strong> authentication:<br />
user Password = ""<br />
Filter-Id = "unlim"<br />
admin<br />
Password = "", Service-Type = Administrative<br />
Filter-Id = "unlim"<br />
eric Password = "", Service-Type = Administrative, Profile-Name = ""<br />
Filter-Id = "unlim"<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-CLI-Authorization = Enabled<br />
216 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Authenticating <strong>User</strong>s Using RADIUS or TACACS+<br />
albert Password = "", Service-Type = Administrative, Profile-Name =<br />
"Profile1"<br />
Filter-Id = "unlim"<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-CLI-Authorization = Enabled<br />
lulu Password = "", Service-Type = Administrative, Profile-Name =<br />
"Profile1"<br />
Filter-Id = "unlim"<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-CLI-Authorization = Enabled<br />
gerald<br />
Password = "", Service-Type = Administrative, Profile-Name "Profile2"<br />
Filter-Id = "unlim"<br />
<strong>Extreme</strong>:<strong>Extreme</strong>-CLI-Authorization = Enabled<br />
Contents of the file “profiles”:<br />
PROFILE1 deny<br />
{<br />
enable *, disable ipforwarding<br />
show switch<br />
}<br />
PROFILE2<br />
{<br />
enable *, clear counters<br />
show management<br />
}<br />
PROFILE3 deny<br />
{<br />
create vlan *, configure iproute *, disable *, show fdb<br />
delete *, configure rip add<br />
}<br />
Configuring TACACS+<br />
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing<br />
authentication, authorization, <strong>and</strong> accounting on a centralized server, similar in function to the RADIUS<br />
client. The <strong><strong>Extreme</strong>Ware</strong> version of TACACS+ is used to authenticate prospective users who are<br />
attempting to administer the switch. TACACS+ is used to communicate between the switch <strong>and</strong> an<br />
authentication database.<br />
NOTE<br />
You cannot use RADIUS <strong>and</strong> TACACS+ at the same time.<br />
You can configure two TACACS+ servers, specifying the primary server address, secondary server<br />
address, <strong>and</strong> UDP port number to be used for TACACS+ sessions.<br />
RADIUS Authentication Decoupling<br />
It is possible to decouple the RADIUS <strong>and</strong> TACAS authentication mechanisms, thereby allowing use of<br />
TACACS+ for device management authentication while employing RADIUS for network login. This is<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 217
Security<br />
accomplished by permitting user choice of RADIUS <strong>and</strong> TACACS+ for device management<br />
authentication.You can configure separate RADIUS servers for device management authentication<br />
(switch login) <strong>and</strong> network access authentication (Network Login, web based or 802.1x based).<br />
RADIUS <strong>and</strong> TACACS can be enabled simultaneously. A RADIUS or TACACS client is invoked,<br />
depending on the configuration. If no association is configured for management/netlogin sessions, then<br />
the switch looks first for RADIUS servers <strong>and</strong> then for TACACS servers for authentication/accounting.<br />
Remote RADIUS/TACACS authentication is also used by PPP sessions. PPP calls remote_authentication<br />
with the session type SESSION_HTTP <strong>and</strong> can be authenticated with authentication servers configured<br />
for HTTP sessions. If remote authentication is disabled for HTTP sessions, PPP sessions will be locally<br />
authenticated.<br />
RADIUS authentication decoupling cannot be disabled. If you upgrade to a new software image with an<br />
old configuration, all the session types are automatically configured to use the configured<br />
RADIUS/TACACS server. This is done to make the switch behave similar to the older version on<br />
start-up.<br />
Primary/Secondary Server Configuration<br />
The following CLI comm<strong>and</strong>s can be used to configure single primary/secondary server <strong>and</strong> additional<br />
primary/secondary servers.<br />
To configure RADIUS primary or secondary servers, use the following comm<strong>and</strong>:<br />
configure radius [primary | secondary] server [ | ] {}<br />
client-ip []<br />
To configure RADIUS accounting on primary or secondary servers, use the following comm<strong>and</strong>:<br />
configure radius-accounting [primary | secondary] server [ | ]<br />
{} client-ip []<br />
To configure TACACS primary or secondary servers, use the following comm<strong>and</strong>:<br />
configure tacacs [primary | secondary] server [ | ]<br />
{} client-ip []<br />
configure tacacs [primary | secondary] {server | }<br />
shared-secret {encrypted} []<br />
To configure a TACACS accounting primary or secondary servers, use the following comm<strong>and</strong>:<br />
configure tacacs-accounting [primary | secondary] server [ | ]<br />
{} client-ip <br />
Shared Secret Configuration<br />
The following CLI comm<strong>and</strong>s configure the RADIUS shared-secret for the primary/secondary servers.<br />
To configure the shared-secret for all the configured primary or secondary RADIUS servers, use the<br />
following comm<strong>and</strong>:<br />
configure radius [primary | secondary] {server |} shared-secret<br />
{encrypted} []<br />
To configure the shared-secret of all the configured primary or secondary RADIUS accounting servers,<br />
use the following comm<strong>and</strong>:<br />
218 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Authenticating <strong>User</strong>s Using RADIUS or TACACS+<br />
configure radius-accounting [primary | secondary] {server |}<br />
shared-secret {encrypted} []<br />
To configure the shared-secret of all the configured primary or secondary TACACS servers, use the<br />
following comm<strong>and</strong>:<br />
configure tacacs [primary | secondary] {server | } shared-secret<br />
{encrypted} []<br />
To configure the shared-secret of all the configured primary or secondary TACACS accounting servers,<br />
use the following comm<strong>and</strong>:<br />
configure tacacs-accounting [primary | secondary] {server | }}<br />
shared-secret {encrypted} [}<br />
To list the configuration statistics pertaining to all the configured authentication <strong>and</strong> accounting servers,<br />
use the following comm<strong>and</strong>s:<br />
show radius { | }<br />
show radius-accounting {[ | ]}<br />
show tacacs {[ | ]}<br />
show tacacs-accounting {[ | ]}<br />
Configuring Timeout<br />
Use the following comm<strong>and</strong>s to configure RADIUS <strong>and</strong> TACACS timeouts for the primary/secondary<br />
servers.<br />
To configure the timeout interval for RADIUS authentication requests:<br />
configure radius {[primary | secondary] {server []|}} timeout<br />
<br />
To configure the timeout interval for the RADIUS accounting server, use the following comm<strong>and</strong>:<br />
configure radius-accounting {[primary | secondary] {server | }}<br />
timeout <br />
To configure the timeout interval for the TACACS server, use the following comm<strong>and</strong>:<br />
configure tacacs [primary | secondary] {server | }} timeout<br />
<br />
To configure the timeout interval for the TACACS accounting server, use the following comm<strong>and</strong>:<br />
configure tacacs-accounting {[primary | secondary] {server [] |<br />
}} timeout <br />
Display Comm<strong>and</strong>s<br />
Use the following comm<strong>and</strong>s to display information about specific RADIUS or TACACS servers.<br />
To display the configuration <strong>and</strong> statistics of the radius server determined by , use the<br />
following comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 219
Security<br />
show radius { | }<br />
To display the configuration <strong>and</strong> statistics of the radius-accounting server determined by<br />
, use the following comm<strong>and</strong>:<br />
show radius-accounting {[ | ]}<br />
To display the configuration <strong>and</strong> statistics of the TACACS server determined by , use<br />
the following comm<strong>and</strong>:<br />
show tacacs {[ | ]}<br />
To display the configuration <strong>and</strong> statistics of the tacacs-accounting server determined by<br />
, use the following comm<strong>and</strong>:<br />
show tacacs-accounting {[ | ]}<br />
To display the authentication servers configured for mgmt-access/netlogin type of sessions, use the<br />
following comm<strong>and</strong>:<br />
show auth<br />
Mgmt Sessions<br />
Use the following CLI comm<strong>and</strong>s to configure management sessions for primary/secondary<br />
authentication servers.<br />
NOTE<br />
The RADIUS or TACACS servers must be configured before using the management session<br />
configuration comm<strong>and</strong>s. The comm<strong>and</strong>s fail if the given primary <strong>and</strong> secondary radius servers are not<br />
configured.<br />
To configure management sessions for RADIUS servers, use the following comm<strong>and</strong>s:<br />
configure auth mgmt-access [radius | radius-accounting] primary [ |<br />
} {secondary [ | ]}<br />
To configure management sessions for RADIUS accounting, use the following comm<strong>and</strong>s. These<br />
comm<strong>and</strong> returns an error if the given primary <strong>and</strong> secondary RADIUS servers are not configured or if<br />
radius authentication is not configured for management sessions:<br />
configure auth mgmt-access [radius | radius-accounting] primary [ |<br />
} {secondary [ | ]}<br />
To authenticate management sessions through TACACS servers, use the following comm<strong>and</strong>s. By<br />
default, remote authentication will remain disabled for the given session type:<br />
configure auth mgmt-access [tacacs | tacacs-accounting] primary [ |<br />
] {secondary [ | ]}<br />
To use TACACS-accounting servers for management session accounting, use the following comm<strong>and</strong>s.<br />
These comm<strong>and</strong> returns an error if the given primary <strong>and</strong> secondary TACACS servers are not<br />
configured or if TACACS authentication is not configured for management sessions:<br />
220 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Secure Shell 2 (SSH2)<br />
configure auth mgmt-access [tacacs | tacacs-accounting] primary [ |<br />
] {secondary [ | ]}<br />
To use the default configuration for management sessions, use the following comm<strong>and</strong>:<br />
unconfigure auth mgmt-access<br />
4.3.5Netlogin Sessions<br />
The following CLI comm<strong>and</strong>s configure primary/secondary authentication servers for all the netlogin<br />
sessions. These comm<strong>and</strong>s are equivalent to configuring dot1x-netlogin <strong>and</strong> http-netlogin sessions.<br />
To configure authentication for all the netlogin sessions by way of RADIUS servers, use the following<br />
comm<strong>and</strong>s. This comm<strong>and</strong> will fail if the given primary <strong>and</strong> secondary RADIUS servers are not<br />
configured:<br />
configure auth netlogin [radius | radius-accounting] primary { |<br />
} {secondary [ | ]}<br />
To configure RADIUS-accounting servers to account for netlogin sessions, use the following comm<strong>and</strong>s.<br />
These comm<strong>and</strong>s return an error if the given primary <strong>and</strong> secondary radius servers are not configured<br />
or if RADIUS authentication is not configured for netlogin sessions.<br />
configure auth netlogin [radius | radius-accounting] primary { |<br />
} {secondary [ | ]}<br />
To authenticate the netlogin sessions by way of TACACS servers, use the following comm<strong>and</strong>s. The<br />
comm<strong>and</strong> will fail if the given primary <strong>and</strong> secondary TACACS servers are not configured. By default,<br />
remote authentication will remain disabled for the given session type:<br />
configure auth netlogin [tacacs | tacacs-accounting] primary [ |<br />
} {secondary [ | ]}<br />
To configure to TACACS-accounting servers to account for netlogin sessions, use the following<br />
comm<strong>and</strong>s. This comm<strong>and</strong> returns an error if the given primary <strong>and</strong> secondary TACACS servers are not<br />
configured or if TACACS authentication is not configured for netlogin sessions.<br />
configure auth netlogin [tacacs | tacacs-accounting] primary [ |<br />
} {secondary [ | ]}<br />
To use the default configuration for netlogin sessions, use the following comm<strong>and</strong>:<br />
unconfigure auth netlogin<br />
Secure Shell 2 (SSH2)<br />
Secure Shell 2 (SSH2) is a feature of <strong><strong>Extreme</strong>Ware</strong> that allows you to encrypt Telnet session data<br />
between a network administrator using SSH2 client software <strong>and</strong> the switch, or to send encrypted data<br />
from the switch to an SSH2 client on a remote system. Image <strong>and</strong> configuration files may also be<br />
transferred to the switch using the Secure Copy Protocol 2 (SCP2). The <strong><strong>Extreme</strong>Ware</strong> CLI provides a<br />
comm<strong>and</strong> that enable the switch to function as an SSH2 client, sending comm<strong>and</strong>s to a remote system<br />
via an SSH2 session. It also provides comm<strong>and</strong>s to copy image <strong>and</strong> configuration files to the switch<br />
using the SCP2.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 221
Security<br />
The <strong><strong>Extreme</strong>Ware</strong> SSH2 switch application is based on the Data Fellows SSH2 server implementation.<br />
It is highly recommended that you use the F-Secure ® SSH client products from Data Fellows<br />
corporation. These applications are available for most operating systems. For more information, see the<br />
Data Fellows website at:<br />
http://www.datafellows.com.<br />
NOTE<br />
SSH2 is compatible with the Data Fellows SSH2 client version 2.0.12 or above. SSH2 is not compatible<br />
with SSH1.<br />
The <strong><strong>Extreme</strong>Ware</strong> SSH2 switch application also works with SSH2 client <strong>and</strong> server (version 2.x or later)<br />
from SSH Communication Security, <strong>and</strong> the free SSH2 <strong>and</strong> SCP2 implementation (version 2.5 or later)<br />
from OpenSSH. The SFTP file transfer protocol is required for file transfer using SCP2.<br />
Enabling SSH2 for Inbound Switch Access<br />
Because SSH2 is currently under U.S. export restrictions, you must first obtain a security-enabled<br />
version of the <strong><strong>Extreme</strong>Ware</strong> software from <strong>Extreme</strong> <strong>Networks</strong> before you can enable SSH2. The<br />
procedure for obtaining a security-enabled version of the <strong><strong>Extreme</strong>Ware</strong> software is described in<br />
“Security Licensing” on page 27.<br />
You must enable SSH2 on the switch before you can connect to it using an external SSH2 client.<br />
Enabling SSH2 involves two steps:<br />
• Enabling SSH2 access, which may include specifying a list of clients that can access the switch, <strong>and</strong><br />
specifying a TCP port to be used for communication.<br />
By default, if you have a security license, SSH2 is enabled using TCP port 22, with no restrictions on<br />
client access.<br />
• Generating or specifying an authentication key for the SSH2 session.<br />
To enable SSH2, use the following comm<strong>and</strong>:<br />
enable ssh2 {access-profile [ | none]} {port }<br />
You can specify a list of predefined clients that are allowed SSH2 access to the switch. To do this, you<br />
must create an access profile that contains a list of allowed IP addresses.<br />
You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port<br />
number is 22.<br />
The supported ciphers are 3DES-CBC <strong>and</strong> Blowfish. The supported key exchange is DSA.<br />
An authentication key must be generated before the switch can accept incoming SSH2 sessions. This can<br />
be done automatically by the switch, or you can enter a previously generated key. To have the key<br />
generated by the switch, use the following comm<strong>and</strong>:<br />
configure ssh2 key<br />
You are prompted to enter information to be used in generating the key. The key generation process<br />
takes approximately ten minutes. Once the key has been generated, you should save your configuration<br />
to preserve the key.<br />
222 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Secure Shell 2 (SSH2)<br />
To use a key that has been previously created, use the following comm<strong>and</strong>:<br />
configure ssh2 key {pregenerated}<br />
You are prompted to enter the pregenerated key.<br />
The key generation process generates the SSH2 private host key. The SSH2 public host key is derived<br />
from the private host key, <strong>and</strong> is automatically transmitted to the SSH2 client at the beginning of an<br />
SSH2 session.<br />
Before you initiate a session from an SSH2 client, ensure that the client is configured for any nondefault<br />
access list or TCP port information that you have configured on the switch. Once these tasks are<br />
accomplished, you may establish an SSH2-encrypted session with the switch. Clients must have a valid<br />
user name <strong>and</strong> password on the switch in order to log into the switch after the SSH2 session has been<br />
established.<br />
For additional information on the SSH protocol refer to [FIPS-186] Federal Information Processing<br />
St<strong>and</strong>ards Publication (FIPSPUB) 186, Digital Signature St<strong>and</strong>ard, 18 May 1994. This can be download<br />
from: ftp://ftp.cs.hut.fi/pub/ssh. General technical information is also available from:<br />
http://www.ssh.fi<br />
Using SCP2 from an External SSH2 Client<br />
The SCP2 protocol is supported for transferring image <strong>and</strong> configuration files to the switch from the<br />
SSH2 client, <strong>and</strong> for copying the switch configuration from the switch to an SSH2 client.<br />
CAUTION<br />
You can download a configuration to an <strong>Extreme</strong> <strong>Networks</strong> switch using SCP. If you do this, you cannot<br />
save this configuration. If you save this configuration <strong>and</strong> reboot the switch, the configuration will be<br />
corrupted.<br />
The user must have administrator-level access to the switch. The switch can be specified by its switch<br />
name or IP address.<br />
Configuration or image files stored on the system running the SSH2 client may be named as desired by<br />
the user. However, files on the switch have predefined names, as follows:<br />
• configuration.cfg—The current configuration<br />
• incremental.cfg—The current incremental configuration<br />
• primary.img—The primary <strong><strong>Extreme</strong>Ware</strong> image<br />
• secondary.img—The secondary <strong><strong>Extreme</strong>Ware</strong> image<br />
• bootrom.img—The BootROM image<br />
For example, to copy an image file saved as image1.xtr to switch with IP address 10.10.0.5 as the primary<br />
image using SCP2, you would enter the following comm<strong>and</strong> within your SSH2 session:<br />
scp image1.xtr admin@10.20.0.5:primary.img<br />
To copy the configuration from the switch <strong>and</strong> save it in file config1.save using SCP, you would enter the<br />
following comm<strong>and</strong> within your SSH2 session:<br />
scp admin@10.10.0.5:configuration.cfg config1.save<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 223
Security<br />
SSH2 Client Functions on the Switch<br />
In <strong><strong>Extreme</strong>Ware</strong>, an <strong>Extreme</strong> <strong>Networks</strong> switch can function as an SSH2 client. This means you can<br />
connect from the switch to a remote device running an SSH2 server, <strong>and</strong> send comm<strong>and</strong>s to that device.<br />
You can also use SCP2 to transfer files to <strong>and</strong> from the remote device.<br />
You do not need to enable SSH2 or generate an authentication key to use the SSH2 <strong>and</strong> SCP2<br />
comm<strong>and</strong>s from the <strong><strong>Extreme</strong>Ware</strong> CLI.<br />
To send comm<strong>and</strong>s to a remote system using SSH2, use the following comm<strong>and</strong>:<br />
ssh2 {cipher [3des | blowfish]} {port } {compression [on | off]} {user<br />
} {debug } {@} [ | ] {}<br />
The remote comm<strong>and</strong>s can be any comm<strong>and</strong>s acceptable by the remote system. You can specify the<br />
login user name as a separate argument, or as part of the user@host specification. If the login user name<br />
for the remote system is the same as your user name on the switch, you can omit the username<br />
parameter entirely.<br />
To initiate a file copy from a remote system to the switch using SCP2, use the following comm<strong>and</strong>:<br />
scp2 {cipher [3des | blowfish]} {port } {debug } @<br />
[ | ] : [configuration {incremental} | image<br />
[primary | secondary] | bootrom]<br />
To initiate a file copy to a remote system from the switch using SCP2, use the following comm<strong>and</strong>:<br />
scp2 {cipher [3des | blowfish]} {port } {debug } configuration<br />
@ [ | ]:<br />
Unified Access MAC RADIUS<br />
Unified Access MAC RADIUS is a mechanism for authenticating wireless users in a legacy<br />
environment. The RADIUS server is populated with the MAC addresses of all clients, which are used as<br />
the basis of authentication. The Altitude 300 sends out an Access-Request packet to the RADIUS server<br />
with the user name <strong>and</strong> password set to the MAC address of the client. If the Access-Request is<br />
successful, then the client is placed in a forwarding state. If the Access-Request fails then the client is<br />
deauthenticated.<br />
During the authentication process, when the Altitude 300 has sent the request to the RADIUS server<br />
<strong>and</strong> is waiting for a response, any traffic generated by the client is blocked. This means that DHCP <strong>and</strong><br />
DNS packets will be dropped during this time. Since the clients are not aware of MAC RADIUS<br />
authentication, this may possibly cause a problem for the client.<br />
NOTE<br />
MAC RADIUS is an authentication protocol, not a privacy protocol. Due to the ease with which MAC<br />
addresses can be spoofed on a wireless network, MAC RADIUS should be used only for legacy clients<br />
that do not support any other advanced authentication schemes.<br />
224 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
11 Software Upgrade <strong>and</strong> Boot Options<br />
This chapter describes the following topics:<br />
• Downloading a New Image on page 225<br />
• Saving Configuration Changes on page 228<br />
• Using TFTP to Upload the Configuration on page 229<br />
• Using TFTP to Download the Configuration on page 230<br />
• Upgrading <strong>and</strong> Accessing BootROM on page 231<br />
Downloading a New Image<br />
The image file contains the executable code that runs on the switch. It comes preinstalled from the<br />
factory. As new versions of the image are released, you should upgrade the software running on your<br />
system.<br />
The image is upgraded by using a download procedure from either a Trivial File Transfer Protocol<br />
(TFTP) server on the network or from a PC connected to the serial port using the XMODEM protocol.<br />
Downloading a new image involves the following steps:<br />
• Load the new image onto a TFTP server on your network (if you will be using TFTP).<br />
• Load the new image onto a PC (if you will be using XMODEM).<br />
• Download the new image to the switch using the following comm<strong>and</strong>:<br />
download image [ | ] <br />
where the following is true:<br />
{primary | secondary}<br />
hostname—Is the hostname of the TFTP server. (You must enable DNS to use this option.)<br />
ipaddress—Is the IP address of the TFTP server.<br />
filename—Is the filename of the new image.<br />
primary—Indicates the primary image.<br />
secondary—Indicates the secondary image.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 225
Software Upgrade <strong>and</strong> Boot Options<br />
Selecting a Primary or a Secondary Image<br />
The switch can store up to two images: a primary <strong>and</strong> a secondary. When you download a new image,<br />
you must select into which image space (primary or secondary) the new image should be placed. If not<br />
indicated, the next selected boot-up image space is used. This is the primary image space by default,<br />
but it can be changed with the following comm<strong>and</strong>:<br />
use image [primary | secondary]<br />
Underst<strong>and</strong>ing the Image Version String<br />
The image version string contains build information for each version of <strong><strong>Extreme</strong>Ware</strong>. You can use<br />
either the show version or show switch comm<strong>and</strong> to display the <strong><strong>Extreme</strong>Ware</strong> version running on<br />
your switch.<br />
Depending on the CLI comm<strong>and</strong>, the output is structured as follows:<br />
• show version<br />
Version e. . {[branch | beta | tech |<br />
patch]{}.-r}<br />
• show switch<br />
. e. .{[branch | beta | tech |<br />
patch]{}.-r}<br />
Table 30 describes the image version fields.<br />
Table 30: Image version fields<br />
Field<br />
major<br />
sub_major<br />
minor<br />
build<br />
image_version<br />
image_description<br />
branch_revision<br />
Description<br />
Specifies the <strong><strong>Extreme</strong>Ware</strong> Major version number.<br />
Specifies the <strong><strong>Extreme</strong>Ware</strong> Sub-major version number.<br />
Specifies the <strong><strong>Extreme</strong>Ware</strong> Minor version number.<br />
Specifies the <strong><strong>Extreme</strong>Ware</strong> build number. This value is reset to zero for each new Major <strong>and</strong><br />
Minor release.<br />
Identifies the Technology Release or Beta image version.<br />
The image version number is zero for all but Technology Releases <strong>and</strong> Beta releases.<br />
Identifies a specific Patch, Beta Release, Technology Release, or Development Branch<br />
Release.<br />
Indicates an incremental build on a specific branch.<br />
The branch revision number is zero for General Availability <strong>and</strong> Sustaining releases.<br />
The following is sample output from a show version comm<strong>and</strong>:<br />
Summit300-24:1 # show version<br />
System Serial Number: 800138-00-00 PROTO-A0023 CP: 03<br />
Assembly: 8EVT24POE0A1 PoE module: 00 1A1<br />
Image : <strong>Extreme</strong>ware Version <strong>7.3e</strong>.0.33 branch-Fixes8_v73e0b33-r3 [ssh] by Build_<br />
Master on 07/28/04 01:28:52<br />
BootROM : 4.7<br />
226 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Downloading a New Image<br />
The following is sample output from a show switch comm<strong>and</strong>:<br />
Summit300-24:2 # show switch<br />
SysName:<br />
Summit300-24<br />
SysLocation:<br />
SysContact: support@extremenetworks.com, +1 888 257 3000<br />
System MAC: 00:04:96:18:41:04<br />
Platform:<br />
License:<br />
System Mode:<br />
Summit300-24<br />
Advanced Edge + Security<br />
802.1Q EtherType is 8100 (Hex).<br />
Recovery Mode: None<br />
System Watchdog: Enabled<br />
Reboot Loop Prot: Disabled<br />
Current Time: Fri Jul 30 11:43:49 2004<br />
Timezone:<br />
[Auto DST Enabled] GMT Offset: 0 minutes, name is GMT.<br />
DST of 60 minutes is currently in effect, name is not set.<br />
DST begins every first Sunday April at 2:00<br />
DST ends every last Sunday October at 2:00<br />
Boot Time: Thu Jul 29 15:40:59 2004<br />
Config Modified: Unmodified<br />
Next Reboot: None scheduled<br />
Timed Upload: None scheduled<br />
Timed Download: None scheduled<br />
Temperature: Normal. All fans are operational.<br />
Power supply: Internal power supply OK, External power supply not present.<br />
Default Cfg Mode: St<strong>and</strong>ard<br />
Primary EW Ver: <strong>7.3e</strong>.0.33 branch-Fixes8_v73e0b33-r3 [non-ssh] [unknown]<br />
Secondary EW Ver: <strong>7.3e</strong>.0.33 branch-Fixes8_v73e0b33-r3 [ssh] [unknown]<br />
Image Selected: Secondary<br />
Image Booted: Secondary<br />
Config Selected: Primary<br />
Config Booted: Primary<br />
Primary Config: Created by EW Version:<br />
<strong>7.3e</strong>.0.33 [51]<br />
10325 bytes saved on Thu Jul 29 16:01:59 2004<br />
Secondary Config: Created by EW Version:<br />
<strong>7.3e</strong>.0.33 [51]<br />
10382 bytes saved on Thu Jul 29 15:32:57 2004<br />
Table 31 describes the fields in the show version <strong>and</strong> show switch output for various <strong><strong>Extreme</strong>Ware</strong><br />
versions.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 227
Software Upgrade <strong>and</strong> Boot Options<br />
Table 31: Breakdown of show version output<br />
Release Type Show Version Comm<strong>and</strong> Show Switch Comm<strong>and</strong><br />
Major Version 7.0.0 7.3.<br />
Minor Version 7.0.1 7.3.<br />
Sustaining Version 7.0.0 7.3.<br />
Patch Version 7.0.0 patch.030131-01-r1 7.3. 030131-01-r1<br />
Technology Version 7.0.0 tech2.ipv6-r4 7.3. tech2.ipv6-r4<br />
Beta Version 7.0.1 beta1.triumph-r4 7.3. beta1.triumph-r4<br />
Development<br />
Branch<br />
Version 7.0.0 branch.triumph-r5<br />
7.3. branch.triumph-r5<br />
Software Signatures<br />
Each <strong><strong>Extreme</strong>Ware</strong> image contains a unique signature. The BootROM checks for signature compatibility<br />
<strong>and</strong> denies an incompatible software upgrade. In addition, the software checks both the installed<br />
BootROM <strong>and</strong> software <strong>and</strong> also denies an incompatible upgrade.<br />
Rebooting the Switch<br />
To reboot the switch, use the following comm<strong>and</strong>:<br />
reboot {time | cancel}<br />
where date is the date <strong>and</strong> time is the time (using a 24-hour clock format) when the switch will be<br />
rebooted. The values use the following format:<br />
mm/dd/yyyy hh:mm:ss<br />
If you do not specify a reboot time, the reboot occurs immediately following the comm<strong>and</strong>, <strong>and</strong> any<br />
previously schedule reboots are cancelled. To cancel a previously scheduled reboot, use the cancel<br />
option.<br />
Saving Configuration Changes<br />
The configuration is the customized set of parameters that you have selected to run on the switch. As<br />
you make configuration changes, the new settings are stored in run-time memory. Settings that are<br />
stored in run-time memory are not retained by the switch when the switch is rebooted. To retain the<br />
settings, <strong>and</strong> have them load when you reboot the switch, you must save the configuration to<br />
nonvolatile storage.<br />
The switch can store two different configurations: a primary <strong>and</strong> a secondary. When you save<br />
configuration changes, you can select to which configuration you want the changes saved. If you do not<br />
specify, the changes are saved to the configuration area currently in use.<br />
To save the configuration, use the following comm<strong>and</strong>:<br />
save configuration {primary | secondary}<br />
To use the configuration, use the following comm<strong>and</strong>:<br />
228 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using TFTP to Upload the Configuration<br />
use configuration [primary | secondary]<br />
The configuration takes effect on the next reboot.<br />
NOTE<br />
If the switch is rebooted while in the middle of a configuration save, the switch boots to factory default<br />
settings. The configuration that is not in the process of being saved is unaffected.<br />
Returning to Factory Defaults<br />
To return the switch configuration to factory defaults, use the following comm<strong>and</strong>:<br />
unconfigure switch<br />
This comm<strong>and</strong> resets the entire configuration, with the exception of user accounts <strong>and</strong> passwords that<br />
have been configured, <strong>and</strong> the date <strong>and</strong> time.<br />
To erase the currently selected configuration image <strong>and</strong> reset all switch parameters, use the following<br />
comm<strong>and</strong>:<br />
unconfigure switch {all}<br />
Using TFTP to Upload the Configuration<br />
You can upload the current configuration to a TFTP server on your network. The uploaded ASCII file<br />
retains the comm<strong>and</strong>-line interface (CLI) format. This allows you to:<br />
• Modify the configuration using a text editor, <strong>and</strong> later download a copy of the file to the same<br />
switch, or to one or more different switches.<br />
• Send a copy of the configuration file to the <strong>Extreme</strong> <strong>Networks</strong> Technical Support department for<br />
problem-solving purposes.<br />
• Automatically upload the configuration file every day, so that the TFTP server can archive the<br />
configuration on a daily basis. Because the filename is not changed, the configured file stored in the<br />
TFTP server is overwritten every day.<br />
To upload the configuration, use the following comm<strong>and</strong>:<br />
upload configuration [ | ] {every }<br />
where the following is true:<br />
• ipaddress—Is the IP address of the TFTP server.<br />
• hostname—Is the hostname of the TFTP server. (You must enable DNS to use this option.)<br />
• filename—Is the name of the ASCII file. The filename can be up to 255 characters long, <strong>and</strong> cannot<br />
include any spaces, commas, quotation marks, or special characters.<br />
• every —Specifies the time of day you want the configuration automatically uploaded on a<br />
daily basis. If not specified, the current configuration is immediately uploaded to the TFTP server.<br />
To cancel a previously scheduled configuration upload, use the following comm<strong>and</strong>:<br />
upload configuration cancel<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 229
Software Upgrade <strong>and</strong> Boot Options<br />
Using TFTP to Download the Configuration<br />
You can download ASCII files that contain CLI comm<strong>and</strong>s to the switch to modify the switch<br />
configuration. Three types of configuration scenarios that can be downloaded:<br />
• Complete configuration<br />
• Incremental configuration<br />
• Scheduled incremental configuration<br />
If you load a configuration from a different model, you can safely write the correct configuration over<br />
the unsupported configuration.<br />
Downloading a Complete Configuration<br />
Downloading a complete configuration replicates or restores the entire configuration to the switch. You<br />
typically use this type of download in conjunction with the upload configuration comm<strong>and</strong>, which<br />
generates a complete switch configuration in an ASCII format. As part of the complete configuration<br />
download, the switch is automatically rebooted.<br />
To download a complete configuration, use the download configuration comm<strong>and</strong> using the<br />
following syntax:<br />
download configuration [ | ] <br />
After the ASCII configuration is downloaded by way of TFTP, you are prompted to reboot the switch.<br />
The downloaded configuration file is stored in current switch memory during the rebooting process,<br />
<strong>and</strong> is not retained if the switch has a power failure.<br />
When the switch completes booting, it treats the downloaded configuration file as a script of CLI<br />
comm<strong>and</strong>s, <strong>and</strong> automatically executes the comm<strong>and</strong>s. If your CLI connection is through a Telnet<br />
connection (<strong>and</strong> not the console port), your connection is terminated when the switch reboots, but the<br />
comm<strong>and</strong> executes normally.<br />
Downloading an Incremental Configuration<br />
A partial or incremental change to the switch configuration may be accomplished by downloaded<br />
ASCII files that contain CLI comm<strong>and</strong>s. These comm<strong>and</strong>s are interpreted as a script of CLI comm<strong>and</strong>s,<br />
<strong>and</strong> take effect at the time of the download, without requiring a reboot of the switch.<br />
To download an incremental configuration, use the following comm<strong>and</strong>:<br />
download configuration [ | ] {incremental}<br />
Do not download an incremental configuration when you have time-critical applications running. When<br />
you download an incremental configuration, the switch immediately processes the changes, which can<br />
affect the processing of other tasks. We recommend that you either download small incremental<br />
configurations, or schedule downloads during maintenance windows.<br />
230 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Upgrading <strong>and</strong> Accessing BootROM<br />
Scheduled Incremental Configuration Download<br />
You can schedule the switch to download a partial or incremental configuration on a regular basis. You<br />
could use this feature to update the configuration of the switch regularly from a centrally administered<br />
TFTP server. As part of the scheduled incremental download, you can optionally configure a backup<br />
TFTP server.<br />
To configure the primary <strong>and</strong>/or secondary TFTP server <strong>and</strong> filename, use the following comm<strong>and</strong>:<br />
configure download server [primary | secondary] [ | ] <br />
To enable scheduled incremental downloads, use the following comm<strong>and</strong>:<br />
download configuration every <br />
To display scheduled download information, use the following comm<strong>and</strong>:<br />
show switch<br />
To cancel scheduled incremental downloads, use the following comm<strong>and</strong>:<br />
download configuration cancel<br />
Remember to Save<br />
Regardless of which download option is used, configurations are downloaded into switch runtime<br />
memory, only. The configuration is saved only when the save comm<strong>and</strong> is issued, or if the<br />
configuration file, itself, contains the save comm<strong>and</strong>.<br />
If the configuration currently running in the switch does not match the configuration that the switch<br />
used when it originally booted, an asterisk (*) appears before the comm<strong>and</strong> line prompt when using the<br />
CLI.<br />
Upgrading <strong>and</strong> Accessing BootROM<br />
The BootROM of the switch initializes certain important switch variables during the boot process. If<br />
necessary, BootROM can be upgraded, after the switch has booted, using TFTP. In the event the switch<br />
does not boot properly, some boot option functions can be accessed through a special BootROM menu.<br />
Upgrading BootROM (Summit 200, Summit 300-24, Summit 400)<br />
Upgrading BootROM is done using TFTP (from the CLI), after the switch has booted. Upgrade the<br />
BootROM only when asked to do so by an <strong>Extreme</strong> <strong>Networks</strong> technical representative. To upgrade the<br />
BootROM, use the following comm<strong>and</strong>:<br />
download bootrom [ | ] <br />
download bootrom [ | ] ] [ bootstrap | diagnostics |<br />
primary_bootloader | secondary_bootloader]<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 231
Software Upgrade <strong>and</strong> Boot Options<br />
Upgrading BootROM (Summit 300-48)<br />
The Summit 300-48 switch has a two-stage BootROM. The first stage, called bootstrap, does basic<br />
initialization of the switch processor <strong>and</strong> will load one of two second-stage bootloaders (called primary<br />
<strong>and</strong> secondary).<br />
In the event the switch does not boot properly, both bootstrap <strong>and</strong> bootloader will allow the user to<br />
access the boot options using the CLI.<br />
If necessary, the bootloader can be updated, after the switch has booted, using TFTP.<br />
Accessing the Bootstrap CLI on the Summit 300-48<br />
The Bootstrap CLI contains comm<strong>and</strong>s to support the selection of which bootloader to use.<br />
To access the Bootstrap CLI, follow these steps:<br />
1 Attach a serial cable to the serial console port of the switch.<br />
2 Attach the other end of the serial cable to a properly configured terminal or terminal emulator.<br />
3 Power cycle or reboot the switch.<br />
4 As soon as you see the Bootstrap Banner, press the spacebar.<br />
The BOOTSTRAP> prompt will appear on the screen.<br />
Accessing the Bootloader CLI on the Summit 300-48<br />
The Bootloader CLI contains comm<strong>and</strong>s that support the selection of image <strong>and</strong> configuration for the<br />
switch.<br />
To access the Bootloader CLI, follow these steps:<br />
1 Attach a serial cable to the serial console port of the switch.<br />
2 Attach the other end of the serial cable to a properly configured terminal or terminal emulator.<br />
3 Power cycle or reboot the switch.<br />
4 As soon as you see the Bootloader Banner, press the spacebar.<br />
The BOOTLOADER> prompt will appear on the screen.<br />
Accessing the BootROM Menu<br />
Interaction with the BootROM menu is only required under special circumstances, <strong>and</strong> should be done<br />
only under the direction of <strong>Extreme</strong> <strong>Networks</strong> Customer Support. The necessity of using these functions<br />
implies a non-st<strong>and</strong>ard problem which requires the assistance of <strong>Extreme</strong> <strong>Networks</strong> Customer Support.<br />
To access the BootROM menu, follow these steps:<br />
1 Attach a serial cable to the console port of the switch.<br />
2 Attach the other end of the serial cable to a properly configured terminal or terminal emulator,<br />
power cycle the switch while depressing the spacebar on the keyboard of the terminal.<br />
As soon as you see the BootROM-> prompt, release the spacebar. You can see a simple help menu by<br />
pressing h. Options in the menu include<br />
— Selecting the image to boot from<br />
232 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Upgrading <strong>and</strong> Accessing BootROM<br />
— Booting to factory default configuration<br />
— Performing a serial download of an image<br />
For example, to change the image that the switch boots from in flash memory, press 1 for the image<br />
stored in primary or 2 for the image stored in secondary. Then, press the f key to boot from newly<br />
selected on-board flash memory.<br />
To boot to factory default configuration, press the d key for default <strong>and</strong> the f key to boot from the<br />
configured on-board flash.<br />
To perform a serial download, you can optionally change the baud rate to 115200 using the b comm<strong>and</strong>.<br />
Then press the s key to prepare the switch for an image to be sent from your terminal using the<br />
1K XMODEM protocol. (You can use a Windows Hyperterminal program to accomplish this step.) After<br />
the transfer is complete, the switch saves the image to the currently selected image.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 233
Software Upgrade <strong>and</strong> Boot Options<br />
234 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
12 Troubleshooting<br />
If you encounter problems when using the switch, this chapter might be helpful. If you have a problem<br />
not listed here or in the release notes, contact your local technical support representative.<br />
LEDs<br />
Power LED does not light:<br />
Check that the power cable is firmly connected to the device <strong>and</strong> to the supply outlet.<br />
On powering-up, the MGMT LED lights yellow:<br />
The device has failed its Power On Self Test (POST) <strong>and</strong> you should contact your supplier for advice.<br />
A link is connected, but the Status LED does not light:<br />
Check that:<br />
• All connections are secure.<br />
• Cables are free from damage.<br />
• The devices at both ends of the link are powered-up.<br />
• Both ends of the Gigabit link are set to the same autonegotiation state.<br />
The Gigabit link must be enabled or disabled on both sides. If the two sides are different, typically<br />
the side with autonegotiation disabled will have the link LED lit, <strong>and</strong> the side with autonegotiation<br />
enabled will not be lit. The default configuration for a Gigabit port is autonegotiation enabled. This<br />
can be verified by entering the following comm<strong>and</strong>:<br />
show ports {mgmt | | vlan } configuration<br />
Switch does not power up:<br />
All products manufactured by <strong>Extreme</strong> <strong>Networks</strong> use digital power supplies with surge protection. In<br />
the event of a power surge, the protection circuits shut down the power supply. To reset, unplug the<br />
switch for 1 minute, plug it back in, <strong>and</strong> attempt to power up the switch.<br />
If this does not work, try using a different power source (different power strip/outlet) <strong>and</strong> power cord.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 235
Troubleshooting<br />
Cable Diagnostics<br />
If you are having a problem establishing a link, you might have a faulty Ethernet cable. An Ethernet<br />
cable is composed of four pairs of unshielded twisted-pair (UTP). Of those four pairs, two are required<br />
to create the link. In addition to physically inspecting the cable, you can run a CLI comm<strong>and</strong> to test the<br />
cable. Use the following comm<strong>and</strong>s to test an Ethernet cable <strong>and</strong> to display the output of the test:<br />
run diagnostics cable ports <br />
show ports cable diagnostics<br />
The run diagnostics cable ports comm<strong>and</strong> prompts you when the diagnostics are complete to<br />
enter the show ports cable diagnostics comm<strong>and</strong>.<br />
By reviewing the output of the show comm<strong>and</strong> you can determine:<br />
• The length of the cable<br />
• Whether there is a successful termination, or whether there is an open or short<br />
For example, the following comm<strong>and</strong> set tests the Ethernet cable inserted into port 1. The four copper<br />
pairs do not all have the same length, which might indicate a kink in the cable, or a open connection:<br />
Summit400-48t:27 # run diagnostics cable ports 1<br />
Cable Diagnostics has completed, to view results enter<br />
show port cable diagnostics<br />
Summit400-48t:28 # show port 1 cable diagnostics<br />
Port Pair Length Status<br />
1 Pair A 3 meters Terminated<br />
Pair B 2 meters Terminated<br />
Pair C 1 meters Open or Short<br />
Pair D 1 meters Open or Short<br />
The next example shows none of the twisted pairs terminate successfully at port 1, which could indicate<br />
that the cable is not inserted into the port:<br />
Summit400-48t:29 # run diagnostics cable ports 1<br />
Cable Diagnostics has completed, to view results enter<br />
show port cable diagnostics<br />
Summit400-48t:30 # show port 1 cable diagnostics<br />
Port Pair Length Status<br />
1 Pair A 0 meters Open or Short<br />
Pair B 0 meters Open or Short<br />
Pair C 0 meters Open or Short<br />
Pair D 0 meters Open or Short<br />
236 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using the Comm<strong>and</strong>-Line Interface<br />
Using the Comm<strong>and</strong>-Line Interface<br />
The initial welcome prompt does not display:<br />
Check that your terminal or terminal emulator is correctly configured.<br />
For console port access, you may need to press [Return] several times before the welcome prompt<br />
appears.<br />
Check the settings on your terminal or terminal emulator. The settings are 9600 baud, 8 data bits, 1 stop<br />
bit, no parity, no flow control.<br />
The SNMP Network Manager cannot access the device:<br />
Check that the device IP address, subnet mask, <strong>and</strong> default router are correctly configured, <strong>and</strong> that the<br />
device has been reset.<br />
Check that the device IP address is correctly recorded by the SNMP Network Manager (refer to the user<br />
documentation for the Network Manager).<br />
Check that the community strings configured for the system <strong>and</strong> Network Manager are the same.<br />
Check that the SNMPv3 USM, Auth, <strong>and</strong> VACM configured fore the system <strong>and</strong> Network Manager are<br />
the same.<br />
Check that SNMP access was not disabled for the system.<br />
The Telnet workstation cannot access the device:<br />
Check that the device IP address, subnet mask <strong>and</strong> default router are correctly configured, <strong>and</strong> that the<br />
device has been reset. Ensure that you enter the IP address of the switch correctly when invoking the<br />
Telnet facility. Check that Telnet access was not disabled for the switch. If you attempt to log in <strong>and</strong> the<br />
maximum number of Telnet sessions are being used, you should receive an error message indicating so.<br />
Traps are not received by the SNMP Network Manager:<br />
Check that the SNMP Network Manager's IP address <strong>and</strong> community string are correctly configured,<br />
<strong>and</strong> that the IP address of the Trap Receiver is configured properly on the system.<br />
The SNMP Network Manager or Telnet workstation can no longer access the device:<br />
Check that Telnet access or SNMP access is enabled.<br />
Check that the port through which you are trying to access the device has not been disabled. If it is<br />
enabled, check the connections <strong>and</strong> network cabling at the port.<br />
Check that the port through which you are trying to access the device is in a correctly configured<br />
VLAN.<br />
Try accessing the device through a different port. If you can now access the device, a problem with the<br />
original port is indicated. Re-examine the connections <strong>and</strong> cabling.<br />
A network problem may be preventing you accessing the device over the network. Try accessing the<br />
device through the console port.<br />
Check that the community strings configured for the device <strong>and</strong> the Network Manager are the same.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 237
Troubleshooting<br />
Check that SNMP access was not disabled for the system.<br />
Permanent entries remain in the FDB:<br />
If you have made a permanent entry in the FDB (which requires you to specify the VLAN to which it<br />
belongs <strong>and</strong> then delete the VLAN), the FDB entry will remain. Though causing no harm, you must<br />
manually delete the entry from the FDB if you want to remove it.<br />
Default <strong>and</strong> Static Routes:<br />
If you have defined static or default routes, those routes will remain in the configuration independent of<br />
whether the VLAN <strong>and</strong> VLAN IP address that used them remains. You should manually delete the<br />
routes if no VLAN IP address is capable of using them.<br />
You forget your password <strong>and</strong> cannot log in:<br />
If you are not an administrator, another user having administrator access level can log in, delete your<br />
user name, <strong>and</strong> create a new user name for you, with a new password.<br />
Alternatively, another user having administrator access level can log in <strong>and</strong> initialize the device. This<br />
will return all configuration information (including passwords) to the initial values.<br />
In the case where no one knows a password for an administrator level user, contact your supplier.<br />
Port Configuration<br />
No link light on Base port:<br />
If patching from a hub or switch to another hub or switch, ensure that you are using a CAT5 cross-over<br />
cable. This is a CAT5 cable that has pins 1 <strong>and</strong> 2 on one end connected to pins 3 <strong>and</strong>6 on the other end.<br />
Also try running the cable diagnostics, as described in “Cable Diagnostics” on page 236.<br />
Excessive RX CRC errors:<br />
When a device that has auto-negotiation disabled is connected to a <strong>Extreme</strong> switch that has<br />
auto-negotiation enabled, the <strong>Extreme</strong> switch links at the correct speed, but in half duplex mode. The<br />
<strong>Extreme</strong> switch 10/100/1000 physical interface uses a method called parallel detection to bring up the<br />
link. Because the other network device is not participating in auto-negotiation (<strong>and</strong> does not advertise<br />
its capabilities), parallel detection on the <strong>Extreme</strong> switch is only able to sense 10Mbps versus 100Mbps<br />
speed, <strong>and</strong> not the duplex mode. Therefore, the switch establishes the link in half duplex mode using<br />
the correct speed.<br />
The only way to establish a full duplex link is to either force it at both sides, or run auto-negotiation on<br />
both sides (using full duplex as an advertised capability, which is the default setting on the <strong>Extreme</strong><br />
switch).<br />
NOTE<br />
A mismatch of duplex mode between the <strong>Extreme</strong> switch <strong>and</strong> another network device will cause poor<br />
network performance. Viewing statistics using the show ports rxerrors comm<strong>and</strong> on the <strong>Extreme</strong><br />
switch may display a constant increment of CRC errors. This is characteristic of a duplex mismatch<br />
between devices. This is NOT a problem with the <strong>Extreme</strong> switch.<br />
238 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using the Comm<strong>and</strong>-Line Interface<br />
Always verify that the <strong>Extreme</strong> switch <strong>and</strong> the network device match in configuration for speed <strong>and</strong><br />
duplex.<br />
No link light on Gigabit fiber port:<br />
Check to ensure that the transmit fiber goes to the receive fiber side of the other device, <strong>and</strong> vice-versa.<br />
All gigabit fiber cables are of the cross-over type.<br />
The <strong>Extreme</strong> switch has auto-negotiation set to on by default for gigabit ports. These ports need to be<br />
set to auto off (using the comm<strong>and</strong> configure ports [ | all] auto-polarity [off |<br />
on]) if you are connecting it to devices that do not support auto-negotiation.<br />
Ensure that you are using multi-mode fiber (MMF) when using a 1000BASE-SX mini-GBIC, <strong>and</strong> single<br />
mode fiber (SMF) when using a 1000BASE-LX GBIC. 1000BASE-SX does not work with SMF.<br />
1000BASE-LX works with MMF, but requires the use of a mode conditioning patchcord (MCP).<br />
VLANs<br />
You cannot add a port to a VLAN:<br />
If you attempt to add a port to a VLAN <strong>and</strong> get an error message similar to<br />
Summit 300-48:28 # config vlan default add port 1:1<br />
ERROR: There is a protocol conflict with adding port 1:1 untagged to VLAN default<br />
you already have a VLAN using untagged traffic on a port. Only one VLAN using untagged traffic can<br />
be configured on a single physical port.<br />
VLAN configuration can be verified by using the following comm<strong>and</strong>:<br />
show protocol {}<br />
The solution for this error is to remove ports 1 <strong>and</strong> 2 from the VLAN currently using untagged traffic<br />
on those ports. If this were the “default” VLAN, the comm<strong>and</strong> would be<br />
Summit 300-48:30 # configure vlan default del port 1,2<br />
which should now allow you to re-enter the previous comm<strong>and</strong> without error as follows:<br />
Summit 300-48:31 # configure vlan add port 1,2<br />
VLAN names:<br />
There are restrictions on VLAN names. They cannot contain whitespaces <strong>and</strong> cannot start with a<br />
numeric value unless you use quotation marks around the name. If a name contains whitespaces, starts<br />
with a number, or contains non-alphabetical characters, you must use quotation marks whenever<br />
referring to the VLAN name.<br />
802.1Q links do not work correctly:<br />
Remember that VLAN names are only locally significant through the comm<strong>and</strong>-line interface. For two<br />
switches to communicate across a 802.1Q link, the VLAN ID for the VLAN on one switch should have a<br />
corresponding VLAN ID for the VLAN on the other switch.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 239
Troubleshooting<br />
If you are connecting to a third-party device <strong>and</strong> have checked that the VLAN IDs are the same, the<br />
Ethertype field used to identify packets as 802.1Q packets may differ between the devices. The value<br />
used by the switch is 8100.<br />
VLANs, IP Addresses <strong>and</strong> default routes:<br />
The system can have an IP address for each configured VLAN. It is necessary to have an IP address<br />
associated with a VLAN if you intend to manage (Telnet, SNMP, ping) through that VLAN or route IP<br />
traffic. You can also configure multiple default routes for the system. The system first tries the default<br />
route with the lowest cost metric.<br />
STP<br />
You have connected an endstation directly to the switch <strong>and</strong> the endstation fails to boot correctly:<br />
The switch has STP enabled, <strong>and</strong> the endstation is booting before the STP initialization process is<br />
complete. Specify that STP has been disabled for that VLAN, or turn off STP for the switch ports of the<br />
endstation <strong>and</strong> devices to which it is attempting to connect, <strong>and</strong> then reboot the endstation.<br />
The switch keeps aging out endstation entries in the switch Forwarding Database (FDB):<br />
Reduce the number of topology changes by disabling STP on those systems that do not use redundant<br />
paths.<br />
Specify that the endstation entries are static or permanent.<br />
Debug Tracing/Debug Mode<br />
The Event Management System (EMS) facility provides a st<strong>and</strong>ardized way to filter <strong>and</strong> store messages<br />
generated by the switch. Many of the systems in <strong><strong>Extreme</strong>Ware</strong> are moving into EMS. As a system is<br />
converted to EMS, the corresponding debug trace comm<strong>and</strong> associated with that system is removed.<br />
With EMS, you must enable debug mode to display debug information. To enable or disable debug<br />
mode for EMS, use the following comm<strong>and</strong>s:<br />
enable log debug-mode<br />
disable log debug-mode<br />
Once debug mode is enabled, you can configure EMS to capture specific debug information from the<br />
switch. Details of EMS can be found in Chapter 9, “Status Monitoring <strong>and</strong> Statistics” on page 125.<br />
For the systems not yet converted to EMS, <strong><strong>Extreme</strong>Ware</strong> includes a debug tracing facility for the switch.<br />
The show debug-trace comm<strong>and</strong> can be applied to one or all VLANs, as follows:<br />
The debug comm<strong>and</strong>s should only be used under the guidance of <strong>Extreme</strong> <strong>Networks</strong> technical<br />
personnel.<br />
To reset all debug-tracing to the default level, use the following comm<strong>and</strong>:<br />
clear debug-trace<br />
To change the debug tracing facility for a certain system to a specified debug level, use the following<br />
comm<strong>and</strong>:<br />
configure debug-trace vlan <br />
240 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
TOP Comm<strong>and</strong><br />
Some of the debug trace systems comm<strong>and</strong>s can be applied to a particular VLAN, some apply to the<br />
switch as a whole, so the vlan option is not available with all systems.<br />
To display the debug tracing configuration, use the following comm<strong>and</strong>:<br />
show debug-trace vlan <br />
Again, the vlan option is not available with every system.<br />
TOP Comm<strong>and</strong><br />
The top comm<strong>and</strong> is a utility that indicates CPU utilization by process.<br />
System Odometer<br />
Each field replaceable component contains a system odometer counter in EEPROM. You can use the<br />
show switch comm<strong>and</strong> to see how long an individual component has been in service since it was<br />
manufactured.<br />
Reboot Loop Protection<br />
If the system reboots due to a failure that remains after the reboot, it reboots when it detects the failure<br />
again. To protect against continuous reboot loops, you can configure reboot loop protection using the<br />
following comm<strong>and</strong>:<br />
configure reboot-loop-protection threshold <br />
If the switch reboots the specified number of times within the specified time interval, it stops rebooting<br />
<strong>and</strong> comes up in minimal mode. If you reboot the switch manually or run diagnostics comm<strong>and</strong>s,<br />
the time interval <strong>and</strong> count are both reset to 0.<br />
Minimal Mode<br />
In minimal mode, only the CPU, NVRAM, management port, <strong>and</strong> minimal tasks are active. The<br />
following comm<strong>and</strong>s are supported in minimal mode:<br />
• reboot<br />
• unconfigure switch all<br />
• unconfigure switch<br />
• use image<br />
• use configuration<br />
• download bootrom<br />
• download image<br />
• download configuration<br />
• configure iparp<br />
• configure vlan ipaddress<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 241
Troubleshooting<br />
• configure iproute add default<br />
• configure diagnostics<br />
• show iproute<br />
• show iparp<br />
• show vlan<br />
• show version<br />
• show log<br />
• ping<br />
• clear log<br />
• clear log diag-status<br />
Contacting <strong>Extreme</strong> Technical Support<br />
If you have a network issue that you are unable to resolve, contact <strong>Extreme</strong> <strong>Networks</strong> technical support.<br />
<strong>Extreme</strong> <strong>Networks</strong> maintains several Technical Assistance Centers (TACs) around the world to answer<br />
networking questions <strong>and</strong> resolve network problems. You can contact technical support by phone at:<br />
• (800) 998-2408<br />
• (408) 579-2826<br />
or by email at:<br />
• support@extremenetworks.com<br />
You can also visit the support website at:<br />
http://www.extremenetworks.com/services/resources/<br />
to download software updates (requires a service contract) <strong>and</strong> documentation (including a.pdf version<br />
of this manual).<br />
242 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Part 2<br />
Using Switching <strong>and</strong> Routing<br />
Protocols
13 Ethernet Automatic Protection Switching<br />
This chapter describes the use of the Ethernet Automatic Protection Switching (EAPS ) protocol, <strong>and</strong><br />
includes information on the following topics:<br />
• Overview of the EAPS Protocol on page 245<br />
• Fault Detection <strong>and</strong> Recovery on page 248<br />
• Configuring EAPS on a Switch on page 251<br />
• Configuring EAPS Shared Ports on page 258<br />
Overview of the EAPS Protocol<br />
The EAPS protocol provides fast protection switching to layer 2 switches interconnected in an Ethernet<br />
ring topology, such as a Metropolitan Area Network (MAN) or large campuses (see Figure 22).<br />
EAPS protection switching is similar to what can be achieved with the Spanning Tree Protocol (STP),<br />
but offers the advantage of converging in less than a second when a link in the ring breaks.<br />
An Ethernet ring built using EAPS can have resilience comparable to that provided by SONET rings, at<br />
a lower cost <strong>and</strong> with fewer restraints (e.g., ring size). The EAPS technology developed by <strong>Extreme</strong><br />
<strong>Networks</strong> to increase the availability <strong>and</strong> robustness of Ethernet rings is described in RFC 3619: <strong>Extreme</strong><br />
<strong>Networks</strong>’ Ethernet Automatic Protection Switching (EAPS) Version 1.<br />
In order to use EAPS, you must enable EDP on the switch <strong>and</strong> EAPS ring ports. For more information<br />
on EDP, see “<strong>Extreme</strong> Discovery Protocol” on page 76.<br />
EAPS operates by declaring an EAPS domain on a single ring. Any VLAN that warrants fault protection<br />
is configured on all ring ports in the ring, <strong>and</strong> is then assigned to an EAPS domain. On that ring<br />
domain, one switch, or node, is designated the master node (see Figure 23), while all other nodes are<br />
designated as transit nodes.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 245
Ethernet Automatic Protection Switching<br />
Figure 22: Gigabit Ethernet fiber EAPS MAN ring<br />
Transit<br />
node<br />
Transit<br />
node<br />
Transit<br />
node<br />
Gigabit Ethernet Fiber<br />
EAPS MAN ring<br />
Transit<br />
node<br />
Master<br />
node<br />
EW_070<br />
One port of the master node is designated the master node’s primary port (P) to the ring; another port is<br />
designated as the master node’s secondary port (S) to the ring. In normal operation, the master node<br />
blocks the secondary port for all non-control traffic belonging to this EAPS domain, thereby avoiding a<br />
loop in the ring, like STP. Layer 2 switching <strong>and</strong> learning mechanisms operate per existing st<strong>and</strong>ards on<br />
this ring.<br />
NOTE<br />
Like the master node, each transit node is also configured with a primary port <strong>and</strong> a secondary port on<br />
the ring, but the primary/secondary port distinction is ignored as long as the node is configured as a<br />
transit node.<br />
246 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Overview of the EAPS Protocol<br />
Figure 23: EAPS operation<br />
S 4<br />
S 3<br />
S 5<br />
S 2<br />
S 6<br />
Direction of<br />
health-check<br />
message<br />
P<br />
S 1<br />
S<br />
Master<br />
node<br />
Secondary port<br />
is logically blocked<br />
EW_071<br />
If the ring is complete, the master node logically blocks all data traffic in the transmit <strong>and</strong> receive<br />
directions on the secondary port to prevent a loop. If the master node detects a break in the ring, it<br />
unblocks its secondary port <strong>and</strong> allows data traffic to be transmitted <strong>and</strong> received through it.<br />
EAPS Terms<br />
Table 32 describes terms associated with EAPS.<br />
Table 32: EAPS Terms<br />
Term<br />
EAPS domain<br />
EDP<br />
master node<br />
transit node<br />
primary port<br />
secondary port<br />
control VLAN<br />
Description<br />
A domain consists of a series of switches, or nodes, that comprise a single ring in a<br />
network. An EAPS domain consists of a master node, transit nodes, <strong>and</strong> on the<br />
master node, one primary port <strong>and</strong> one secondary port. EAPS operates by declaring<br />
an EAPS domain on a single ring.<br />
<strong>Extreme</strong> Discovery Protocol. A protocol used to gather information about neighbor<br />
<strong>Extreme</strong> switches. <strong>Extreme</strong> switches use EDP to exchange topology information.<br />
A switch, or node, that is designated the master in an EAPS domain ring. The<br />
master node blocks the secondary port for all non-control traffic belonging to this<br />
EAPS domain, thereby avoiding a loop in the ring.<br />
A switch, or node, that is not designated a master in an EAPS domain ring.<br />
A port on the master node that is designated the primary port to the ring. The transit<br />
node ignores the primary port distinction as long as the node is configured as a<br />
transit node.<br />
A port on the master node that is designated the secondary port to the ring. The<br />
transit node ignores the secondary port distinction as long as the node is configured<br />
as a transit node.<br />
A VLAN that sends <strong>and</strong> receives EAPS messages. You must configure one control<br />
VLAN for each EAPS domain.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 247
Ethernet Automatic Protection Switching<br />
Table 32: EAPS Terms (Continued)<br />
Term<br />
protected VLAN<br />
Description<br />
A VLAN that carries data traffic through an EAPS domain. You must configure one<br />
or more protected VLANs for each EAPS domain. (Also known as data VLAN)<br />
Fault Detection <strong>and</strong> Recovery<br />
EAPS fault detection on a ring is based on a single control VLAN per EAPS domain. This EAPS domain<br />
provides protection to one or more data-carrying VLANs called protected VLANs.<br />
The control VLAN is used only to send <strong>and</strong> receive EAPS messages; the protected VLANs carry the<br />
actual data traffic. As long as the ring is complete, the EAPS master node blocks the protected VLANs<br />
from accessing its secondary port.<br />
NOTE<br />
The control VLAN is not blocked. Messages sent on the control VLAN must be allowed into the switch<br />
for the master node to determine whether the ring is complete.<br />
To avoid loops in the network, the control VLAN must be NOT be configured with an IP address, <strong>and</strong><br />
ONLY ring ports may be added to the VLAN.<br />
Figure 24: EAPS fault detection <strong>and</strong> protection switching<br />
Break<br />
in ring<br />
S 4<br />
S4 sends "link down"<br />
message to master node<br />
S 3<br />
S 5<br />
S3 sends "link down"<br />
message to<br />
master node<br />
S 2<br />
S 6<br />
P<br />
S 1<br />
S<br />
Master node opens secondary port<br />
to allow traffic to pass<br />
Master<br />
node<br />
EW_072<br />
A master node detects a ring fault in one of three ways:<br />
• Link-down message sent by a transit node<br />
• Ring port down event sent by hardware layers<br />
248 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Fault Detection <strong>and</strong> Recovery<br />
• Polling response<br />
Link Down Message Sent by a Transit Node<br />
When any transit node detects a loss of link connectivity on any of its ring ports, it immediately sends a<br />
“link down” message on the control VLAN using its good link to the master node.<br />
When the master node receives the “link down” message (see Figure 24), it immediately declares a<br />
“failed” state <strong>and</strong> opens its logically blocked secondary port on all the protected VLANs. Now, traffic<br />
can flow through the master’s secondary port. The master node also flushes its FDB <strong>and</strong> sends a<br />
message on the control VLAN to all of its associated transit nodes to flush their forwarding databases as<br />
well, so that all of the switches can learn the new paths to layer 2 end stations on the reconfigured ring<br />
topology.<br />
Ring Port Down Event Sent by Hardware Layer<br />
When a ring port goes down on a master node switch, it is notified by the lower hardware layer <strong>and</strong><br />
immediately goes into a “failed” state.<br />
If the primary ring port goes down, the secondary port is opened. The normal operation of flushing its<br />
FDB <strong>and</strong> sending a “link-down” message to all transit nodes is performed.<br />
Polling<br />
The master node transmits a health-check packet on the control VLAN at a user-configurable interval<br />
(see Figure 23). If the ring is complete, the master node will receive the health-check packet on its<br />
secondary port (the control VLAN is not blocked on the secondary port). When the master node<br />
receives the health-check packet, it resets its failtimer <strong>and</strong> continues normal operation.<br />
If the master node does not receive the health-check packet before the failtimer interval expires, <strong>and</strong> the<br />
failtime expiry action is set to open the secondary port when the failtimer expires, it declares a “failed”<br />
state. The switch then performs the same steps described above: it unblocks its secondary port for<br />
access by the protected VLANs, flushes its forwarding database (FDB), <strong>and</strong> sends a “flush FDB”<br />
message to its associated transit nodes.<br />
To change the expiry timer action, use the following comm<strong>and</strong>:<br />
configure eaps failtime expiry-action [ open-secondary-port | send-alert]<br />
To change the duration of the failtime, use the following comm<strong>and</strong>:<br />
configure eaps failtime []<br />
Restoration Operations<br />
The master node continues sending health-check packets out its primary port even when the master<br />
node is operating in the failed state. As long as there is a break in the ring, the fail-period timer of the<br />
master node will continue to expire <strong>and</strong> the master node will remain in the failed state.<br />
When the broken link is restored, the master will receive its health-check packet back on its secondary<br />
port, <strong>and</strong> will once again declare the ring to be complete. It will logically block the protected VLANs on<br />
its secondary port, flush its FDB, <strong>and</strong> send a “flush FDB” message to its associated transit nodes.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 249
Ethernet Automatic Protection Switching<br />
During the time between when the transit node detects that the link is operable again <strong>and</strong> when the<br />
master node detects that the ring is complete, the secondary port on the master node is still open <strong>and</strong><br />
data could start traversing the transit node port that just came up. To prevent the possibility of a such a<br />
temporary loop, when the transit node detects that its failed link is up again, it will perform these steps:<br />
1 For the port that just came up, put all the protected VLANs traversing that port into a temporary<br />
blocked state.<br />
2 Remember which port has been temporarily blocked.<br />
3 Set the state to Preforwarding.<br />
When the master node receives its health-check packet back on its secondary port, <strong>and</strong> detects that the<br />
ring is once again complete, it sends a message to all its associated transit nodes to flush their<br />
forwarding databases.<br />
When the transit nodes receive the message to flush their forwarding databases, they perform these<br />
steps:<br />
1 Flush their forwarding databases on the protected VLANs.<br />
2 If the port state is set to Preforwarding, unblock all the previously blocked protected VLANs for the<br />
port.<br />
Summit “e” Series Switches in Multi-ring Topologies<br />
Figure 25 shows how a data VLAN could span two rings having two interconnecting switches in<br />
common.<br />
Figure 25: EAPS data VLAN spanning two rings.<br />
S 4<br />
S 5<br />
(STP root)<br />
S 6<br />
S 3<br />
4 5<br />
1 2 3<br />
S 7<br />
LHS ring<br />
RHS ring<br />
S 2<br />
1 2 3<br />
P S 4 5 S P<br />
S 1<br />
S 10<br />
S 9<br />
S 8<br />
Master<br />
node<br />
Master<br />
node<br />
LC24015<br />
In this example, there is one EAPS domain with its own control VLAN running on the ring labeled LHS<br />
<strong>and</strong> another EAPS domain with its own control VLAN running on the ring labeled RHS. A data VLAN<br />
that spans both rings acts as a protected VLAN to both EAPS domains. Switches S 5 <strong>and</strong> S 10 will have<br />
two instances of EAPS domains running on them: one for each ring.<br />
Summit "e" series switches can be deployed in a multi-ring EAPS topology subject to these guidelines:<br />
250 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring EAPS on a Switch<br />
• Summit "e" series switches can be used as any of the EAPS nodes in the ring except as a node that<br />
interconnects the two rings. For example, in the example shown in Figure 25, nodes S 5 <strong>and</strong> S 10<br />
cannot be Summit "e" series switches. Summit "e" series switches support EAPS Version 1 (EAPSv1)<br />
<strong>and</strong> only support a single EAPS domain per switch.<br />
• Depending on the network topology <strong>and</strong> the versions of EAPS (EAPSv1 vs. EAPSv2) running on the<br />
other EAPS nodes, there might be a requirement to configure STP support for EAPSv1 to prevent<br />
super loops—in the event of a break in the common link between the nodes interconnecting the<br />
rings. On multi-ring topologies, the node interconnecting two rings either needs to be running<br />
EAPSv2 or it must be configured for STP. By having either EAPSv2 or STP on this connecting node,<br />
the Summit 200 has EAPS awareness <strong>and</strong> correctly recovers in the event of a break in the common<br />
link. For example, in the example shown in Figure 25, a break in the link between nodes S 5 <strong>and</strong> S 10<br />
would result in a super loop if they were both running EAPSv1 without STP. The following scenarios<br />
demonstrate the different EAPS configurations.<br />
— Case 1: Summit "e" series switches on a single ring. In this case, EAPSv1 requires no STP<br />
support because it is not interconnecting with another ring.<br />
— Case 2: Summit "e" series switches on a multi-ring network along with ring-connecting<br />
switches not running EAPSv2. In this case, the Summit "e" series switches still cannot be<br />
ring-connecting nodes, <strong>and</strong> this implementation requires configuring EAPSv1 plus STP support to<br />
prevent super loops. This configuration process is described in the EAPS chapter of the<br />
<strong><strong>Extreme</strong>Ware</strong> Software <strong>User</strong> <strong>Guide</strong>, Version 7.1.0.<br />
— Case 3: Summit "e" series switches on a multi-ring network along with ring-connecting<br />
switches running EAPSv2. In this case, the Summit "e" series switches still cannot be<br />
ring-connecting nodes. However, having EAPSv2 running on the node that interconnects the<br />
rings will prevent problems with super-loops without requiring STP. This configuration process is<br />
described in the EAPS chapter of the <strong><strong>Extreme</strong>Ware</strong> Software <strong>User</strong> <strong>Guide</strong>, Version 7.1.0.<br />
Configuring EAPS on a Switch<br />
This section describes how to configure EAPS on a switch.<br />
Creating <strong>and</strong> Deleting an EAPS Domain<br />
Each EAPS domain is identified by a unique domain name.<br />
NOTE<br />
Only a single EAPS domain per switch is supported by Summit "e" series switches.<br />
To create an EAPS domain, use the following comm<strong>and</strong>:<br />
create eaps <br />
The name parameter is a character string of up to 32 characters that identifies the EAPS domain to be<br />
created. EAPS domain names <strong>and</strong> VLAN names must be unique: Do not use the same name string to<br />
identify both an EAPS domain <strong>and</strong> a VLAN.<br />
The following comm<strong>and</strong> example creates an EAPS domain named “eaps_1”:<br />
create eaps eaps_1<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 251
Ethernet Automatic Protection Switching<br />
To delete an EAPS domain, use the following comm<strong>and</strong>:<br />
delete eaps <br />
The following comm<strong>and</strong> example deletes the EAPS domain “eaps_1”:<br />
delete eaps eaps_1<br />
Defining the EAPS Mode of the Switch<br />
To configure the EAPS node type of the switch, use the following comm<strong>and</strong>:<br />
configure eaps mode [master | transit]<br />
One node on the ring must be configured as the master node for the specified domain; all other nodes<br />
on the ring are configured as transit nodes for the same domain.<br />
The following comm<strong>and</strong> example identifies this switch as the master node for the EAPS domain named<br />
eaps_1.<br />
configure eaps eaps_1 mode master<br />
The following comm<strong>and</strong> example identifies this switch as a transit node for the EAPS domain named<br />
eaps_1.<br />
configure eaps eaps_1 mode transit<br />
Configuring EAPS Polling Timers<br />
To set the values of the polling timers the master node uses for the EAPS health-check packet that is<br />
circulated around the ring for an EAPS domain, use the following comm<strong>and</strong>:<br />
configure eaps hellotime <br />
configure eaps failtime []<br />
To configure the action taken if there is a break in the ring, use the following comm<strong>and</strong>:<br />
configure eaps failtime expiry-action [ open-secondary-port | send-alert]<br />
NOTE<br />
These comm<strong>and</strong>s apply only to the master node. If you configure the polling timers for a transit node,<br />
they will be ignored. If you later reconfigure that transit node as the master node, the polling timer<br />
values will be used as the current values.<br />
Use the hellotime keyword <strong>and</strong> its associated seconds parameter to specify the amount of time the<br />
master node waits between transmissions of health-check packets on the control VLAN. seconds must<br />
be greater than 0 when you are configuring a master node. The default value is one second.<br />
NOTE<br />
Increasing the hellotime value keeps the processor from sending <strong>and</strong> processing too many<br />
health-check packets. Increasing the hellotime value should not affect the network convergence time,<br />
because transit nodes are already sending “link down” notifications.<br />
252 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring EAPS on a Switch<br />
Use the failtime keyword <strong>and</strong> seconds parameters to specify the amount of time the master node<br />
waits before the failtimer expires.<br />
The seconds parameter must be greater than the configured value for hellotime. The default value is<br />
three seconds.<br />
You can configure the action taken when the failtimer expires by using the configure eaps failtime<br />
expiry-action comm<strong>and</strong>. Use the send-alert parameter to send an alert when the failtimer expires.<br />
Instead of going into a “failed” state, the master node remains in a “Complete” or “Init” state, maintains<br />
the secondary port blocking, <strong>and</strong> writes a critical error message to syslog warning the user that there is<br />
a fault in the ring. An SNMP trap is also sent.<br />
To use the failtimer expiry action of earlier releases, use the open-secondary-port parameter.<br />
NOTE<br />
Increasing the failtime value provides more protection by waiting longer to receive a health-check packet<br />
when the network is congested.<br />
The following comm<strong>and</strong> examples configure the hellotime value for the EAPS domain “eaps_1” to<br />
2 seconds, the failtime value to 15 seconds, <strong>and</strong> the failtime expiry-action to open the secondary port if<br />
the failtimer expires:<br />
configure eaps eaps_1 hellotime 2<br />
configure eaps eaps_1 failtime 15<br />
configure eaps eaps_1 failtimer expiry-action open-secondary-port<br />
Configuring the Primary <strong>and</strong> Secondary Ports<br />
Each node on the ring connects to the ring through two ring ports. As part of the protection switching<br />
scheme, one port must be configured as the primary port; the other must be configured as the secondary<br />
port.<br />
If the ring is complete, the master node prevents a loop by logically blocking all data traffic in the<br />
transmit <strong>and</strong> receive directions on its secondary port. If the master node subsequently detects a break in<br />
the ring, it unblocks its secondary port <strong>and</strong> allows data traffic to be transmitted <strong>and</strong> received through it.<br />
To configure a node port as primary or secondary, use the following comm<strong>and</strong>:<br />
configure eaps [primary | secondary] port <br />
The following comm<strong>and</strong> example adds port 1 of the switch to the EAPS domain “eaps_1” as the<br />
primary port.<br />
configure eaps eaps_1 primary port 1<br />
Configuring the EAPS Control VLAN<br />
You must configure one control VLAN for each EAPS domain. The control VLAN is used only to send<br />
<strong>and</strong> receive EAPS messages.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 253
Ethernet Automatic Protection Switching<br />
NOTE<br />
If the domain is active, you cannot delete the domain or modify the configuration of the control VLAN.<br />
To configure the EAPS control VLAN for the domain, use the following comm<strong>and</strong>:<br />
configure eaps add control vlan <br />
NOTE<br />
The control VLAN must NOT be configured with an IP address. In addition, only ring ports may be<br />
added to this control VLAN. No other ports can be members of this VLAN. Failure to observe these<br />
restrictions can result in a loop in the network.<br />
NOTE<br />
When you configure the VLAN that will act as the control VLAN, that VLAN must be assigned a QoS<br />
profile of Qp8, <strong>and</strong> the ring ports of the control VLAN must be tagged.<br />
By assigning the control VLAN a QoS profile of Qp8 (with the QoS profile HighHi priority setting), you<br />
ensure that EAPS control VLAN traffic is serviced before any other traffic <strong>and</strong> that control VLAN<br />
messages reach their intended destinations. For example, if the control VLAN is not assigned the<br />
highest priority <strong>and</strong> a broadcast storm occurs in the network, the control VLAN messages might be<br />
dropped at intermediate points. Assigning the control VLAN the highest priority prevents dropped<br />
control VLAN messages.<br />
NOTE<br />
Because the QoS profiles Qp7 <strong>and</strong> Qp8 share the same hardware queue in the Summit "e" series<br />
switch, you must limit the amount of traffic that uses these profiles; otherwise, the Summit "e" series<br />
switch may drop EAPS control packets, preventing EAPS from operating reliably.<br />
Because the QoS profile High priority setting by itself should ensure that the control VLAN traffic gets<br />
through a congested port first, you should not need to set the QoS profile minimum b<strong>and</strong>width (minbw)<br />
or maximum b<strong>and</strong>width (maxbw) settings. However, if you plan to use QoS (profile priority <strong>and</strong><br />
b<strong>and</strong>width settings) for other traffic, you might need to set a minbw value on Qp8 for control VLAN<br />
traffic. Whether you need to do this depends entirely on your configuration.<br />
The following comm<strong>and</strong> example adds the control VLAN “keys” to the EAPS domain “eaps_1”.<br />
configure eaps eaps_1 add control vlan keys<br />
Configuring the EAPS Protected VLANs<br />
You must configure one or more protected VLANs for each EAPS domain. The protected VLANs are the<br />
data-carrying VLANs.<br />
NOTE<br />
When you configure the VLAN that will act as a protected VLAN, the ring ports of the protected VLAN<br />
must be tagged (except in the case of the default VLAN).<br />
254 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring EAPS on a Switch<br />
To configure an EAPS protected VLAN, use the following comm<strong>and</strong>:<br />
configure eaps add protect vlan <br />
NOTE<br />
As long as the ring is complete, the master node blocks the protected VLANs on its secondary port.<br />
The following comm<strong>and</strong> example adds the protected VLAN “orchid” to the EAPS domain “eaps_1.”<br />
configure eaps eaps_1 add protect vlan orchid<br />
NOTE<br />
The configuration of the Superbridge, SubBridge, <strong>and</strong> IP range control VLANs cannot be modified.<br />
Enabling <strong>and</strong> Disabling an EAPS Domain<br />
To enable a specific EAPS domain, use the following comm<strong>and</strong>:<br />
enable eaps {}<br />
To disable a specific EAPS domain, use the following comm<strong>and</strong>:<br />
disable eaps {}<br />
Enabling <strong>and</strong> Disabling EAPS<br />
To enable the EAPS function for the entire switch, use the following comm<strong>and</strong>:<br />
enable eaps<br />
To disable the EAPS function for the entire switch, use the following comm<strong>and</strong>:<br />
disable eaps<br />
Unconfiguring an EAPS Ring Port<br />
Unconfiguring an EAPS port sets its internal configuration state to INVALID, which causes the port to<br />
appear in the Idle state with a port status of Unknown when you use the show eaps {}<br />
{detail} comm<strong>and</strong> to display the status information about the port.<br />
To unconfigure an EAPS primary or secondary ring port for an EAPS domain, use the following<br />
comm<strong>and</strong>:<br />
unconfigure eaps [primary | secondary] port<br />
The following comm<strong>and</strong> example unconfigures this node’s EAPS primary ring port on the domain<br />
“eaps_1”:<br />
unconfigure eaps eaps_1 primary port<br />
Displaying EAPS Status Information<br />
To display EAPS status information, use the following comm<strong>and</strong>:<br />
show eaps summary<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 255
Ethernet Automatic Protection Switching<br />
The results for this comm<strong>and</strong> are as follows:<br />
EAPS Enabled: Yes<br />
Number of EAPS instances: 1<br />
EAPSD-Bridge links: 2<br />
Pri Sec Vlan<br />
Domain State Mo En Port Port Control-Vlan (VID) count<br />
------------ ------------ -- -- ------- ------- ------------------ -----<br />
eaps1 Complete M Y 10 20 cvlan (0100) 1<br />
To display more detailed EAPS status information, use the following comm<strong>and</strong>:<br />
show eaps {} {detail}<br />
If you enter the show eaps comm<strong>and</strong> without an argument or keyword, the comm<strong>and</strong> displays a<br />
summary of status information for all configured EAPS domains. You can use the detail keyword to<br />
display more detailed status information.<br />
NOTE<br />
The output displayed by this comm<strong>and</strong> depends on whether the node is a transit node or a master<br />
node. The display for a transit node contains information fields that are not shown for a master node.<br />
Also, some state values are different on a transit node than on a master node.<br />
The following example of the show eaps {} {detail} comm<strong>and</strong> displays detailed EAPS<br />
information for a transit node. Table 33 describes the fields <strong>and</strong> values in the display.<br />
EAPS Enabled: Yes<br />
Number of EAPS instances: 1<br />
EAPSD-Bridge links: 2<br />
Name: "eaps1" (instance=0)<br />
State: Links-Up [Running: Yes]<br />
Enabled: Yes Mode: Transit<br />
Primary port: 10 Port status: Up Tag status:Tagged<br />
Secondary port: 20 Port status: Up Tag status:Tagged<br />
Hello Timer interval: 1 sec Fail Timer interval: 3 sec<br />
Preforwarding Timer interval: 6 sec<br />
Last update: From Master Id 00:04:96:14:46:B0, at Wed Jan 28 15:38:16<br />
2004<br />
EAPS Domain has following Controller Vlan:<br />
Vlan Name VID QosProfile<br />
"cvlan" 0100 QP8<br />
EAPS Domain has following Protected Vlan(s):<br />
Vlan Name VID QosProfile<br />
"pvlan" 0200 QP1<br />
Number of Protected Vlans: 1<br />
256 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring EAPS on a Switch<br />
Table 33: show eaps Display Fields<br />
Field<br />
EAPS Enabled:<br />
Number of EAPS instances:<br />
EAPSD-Bridge links:<br />
Name:<br />
(Instance= )<br />
State:<br />
Description<br />
Current state of EAPS on this switch:<br />
• Yes—EAPS is enabled on the switch.<br />
• No—EAPS is not enabled.<br />
Number of EAPS domains created. On “e” series switches, the number<br />
of EAPS domains is always one.<br />
The total number of EAPS bridge links in the system. The maximum<br />
count is 4096. Each time a VLAN is added to EAPS, this count<br />
increments by 1.<br />
The configured name for this EAPS domain.<br />
The instance number is created internally by the system.<br />
On a transit node, the comm<strong>and</strong> displays one of the following states:<br />
• Idle—The EAPS domain has been enabled, but the configuration is<br />
not complete.<br />
• Links-Up—This EAPS domain is running, <strong>and</strong> both its ports are up<br />
<strong>and</strong> in the FORWARDING state.<br />
• Links-Down—This EAPS domain is running, but one or both of its<br />
ports are down.<br />
• Preforwarding—This EAPS domain is running, <strong>and</strong> both of its ports<br />
are up, but one of them is in a temporary BLOCKED state.<br />
On a master node, the comm<strong>and</strong> displays one of the following states:<br />
• Idle—The EAPS domain has been enabled, but the configuration is<br />
not complete.<br />
• Init—The EAPS domain has started but has not yet determined the<br />
status of the ring. The secondary port is in a BLOCKED state.<br />
• Complete—The ring is in the COMPLETE state for this EAPS<br />
domain.<br />
• Failed—There is a break in the ring for this EAPS domain.<br />
• [Failtimer Expired]—When the failtimer expires <strong>and</strong> it’s action is set<br />
to send-alert, this flag is set. This flag indicates there is a<br />
misconfiguration or hardware problem in the EAPS ring. The EAPS<br />
master node will continue to remain in COMPLETE or INIT state<br />
with it’s secondary port blocking.<br />
[Running: …] • Yes—This EAPS domain is running.<br />
Enabled:<br />
Mode:<br />
Primary/Secondary port:<br />
• No—This EAPS domain is not running.<br />
Indicates whether EAPS is enabled on this domain.<br />
• Y—EAPS is enabled on this domain.<br />
• N—EAPS is not enabled.<br />
The configured EAPS mode for this switch: transit (T) or master (M).<br />
The port numbers assigned as the EAPS primary <strong>and</strong> secondary ports.<br />
On the master node, the port distinction indicates which port is blocked<br />
to avoid a loop.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 257
Ethernet Automatic Protection Switching<br />
Table 33: show eaps Display Fields (Continued)<br />
Field<br />
Port status: • Unknown—This EAPS domain is not running, so the port status has<br />
not yet been determined.<br />
• Up—The port is up <strong>and</strong> is forwarding data.<br />
Tag status:<br />
Hello Timer interval:<br />
Fail Timer interval:<br />
Failtimer expiry action:<br />
Preforwarding Timer interval: 1<br />
Last update: 1<br />
EAPS Domain has … Controller Vlans:<br />
EAPS Domain has … Protected Vlans: 2<br />
Number of Protected Vlans:<br />
Description<br />
• Down—The port is down.<br />
• Blocked—The port is up, but data is blocked from being forwarded.<br />
Tagged status of the control VLAN:<br />
• Tagged—The control VLAN has this port assigned to it, <strong>and</strong> the port<br />
is tagged in the VLAN.<br />
• Untagged—The control VLAN has this port assigned to it, but the<br />
port is untagged in the control VLAN.<br />
• Undetermined—Either a VLAN has not been added as the control<br />
VLAN to this EAPS domain or this port has not been added to the<br />
control VLAN.<br />
The configured value of the timer in seconds, specifying the time that<br />
the master node waits between transmissions of health-check packets.<br />
The configured value of the timer in seconds, specifying the time that<br />
the master node waits before the failtimer expires.<br />
Displays the action taken when the failtimer expires:<br />
• Send-alert—Sends a critical message to the syslog when the<br />
failtimer expires.<br />
• Open-secondary-port—Opens the secondary port when the failtimer<br />
expires.<br />
Displays only for master nodes.<br />
The configured value of the timer. This value is set internally by the<br />
EAPS software.<br />
Displayed only for transit nodes; indicates the last time the transit node<br />
received a hello packet from the master node (identified by its MAC<br />
address).<br />
Lists the assigned name <strong>and</strong> ID of the control VLAN.<br />
Lists the assigned names <strong>and</strong> VLAN IDs of all the protected VLANs<br />
configured on this EAPS domain.<br />
The count of protected VLANs configured on this EAPS domain.<br />
1. These fields apply only to transit nodes; they are not displayed for a master node.<br />
2. This list is displayed when you use the detail keyword in the show eaps comm<strong>and</strong>.<br />
Configuring EAPS Shared Ports<br />
The physical link between two nodes in a multiple EAPS domain state is the common link. Each node is<br />
configured with a shared port to another node in an EAPS domain to create the common link. To<br />
prevent a superloop from occurring if the common link between the multiple EAPS domains fails, the<br />
switches on either end of the common link must be configured as controller <strong>and</strong> a partner.<br />
If the common link fails, both the controller <strong>and</strong> partner go into a “blocking” state. The partner never<br />
actually does any blocking. Only the controller is responsible for blocking to prevent a superloop, while<br />
at the same time maintaining connectivity. When the common link fails, the controller keeps one of its<br />
258 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring EAPS Shared Ports<br />
ports in the forwarding state <strong>and</strong> mark it as “Active-Open”, <strong>and</strong> the remaining ports will be marked as<br />
“blocked”.<br />
When the common link comes back up again, the controller goes from a “blocking” state to a<br />
”Preforwarding” state; it keeps the ports temporarily blocked to prevent a temporary loop.<br />
NOTE<br />
Series “e” switches, are limited to a single EAPS domain.<br />
Steady State<br />
In steady state when the common link is up, both the controller <strong>and</strong> partner are said to be in the<br />
“ready” state. After EAPS has converged <strong>and</strong> the EAPS master node has blocked its own secondary<br />
ports, the controller puts all its ports into “forwarding”, <strong>and</strong> goes back to “ready” state.<br />
Figure 26: Multiple EAPS Domain Steady State<br />
EAPS1<br />
S3<br />
P2<br />
P3<br />
S1<br />
Controller<br />
P4<br />
S6<br />
S9<br />
EAPS3<br />
S4<br />
P1<br />
P5<br />
EAPS2<br />
Common link<br />
S7<br />
S10<br />
S5<br />
P6<br />
S2<br />
P8<br />
Partner<br />
P7<br />
S8<br />
Master<br />
S11<br />
Master<br />
Master<br />
EW_102a<br />
Figure 26 shows a multiple EAPS domain steady state, where:<br />
• EAPS1 is the EAPS domain for ring S1, S3, S4, S5, <strong>and</strong> S2<br />
• EAPS2 is the EAPS domain for ring S1, S6, S7, S8, <strong>and</strong> S2<br />
• EAPS3 is the EAPS domain for ring S1, S9, S10, S11, <strong>and</strong> S2<br />
• P1, P2, P3, <strong>and</strong> P4 are the ports on switch S1<br />
• P5, P6, P7, <strong>and</strong> P8 are the ports on switch S2<br />
• S5, S8, <strong>and</strong> S11 are the master nodes of their respective EAPS domains<br />
• S3, S4, S6, S7, S9, <strong>and</strong> S10 are the transit nodes of their respective EAPS domains<br />
• S1 <strong>and</strong> S2 are running EAPSv2<br />
• S1 is the controller<br />
• S2 is the partner<br />
• P1 is the EAPS shared port on switch S1<br />
• P5 is the EAPS shared port on switch S2<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 259
Ethernet Automatic Protection Switching<br />
Common Link Failures<br />
When a single common link fails the configured controller (S1) <strong>and</strong> partner (S2) take steps to prevent a<br />
superloop.<br />
Assuming there is a single data VLAN configured on all three EAPS domains, the controller (S1) needs<br />
to keep one port open (called “Active-Open”) to prevent a superloop. The remaining ports would be<br />
“blocked”.<br />
In Figure 27, P2 is the “Active-Open” port on S1. Ports P3 <strong>and</strong> P4 are “blocked”. The master nodes (S5,<br />
S8, <strong>and</strong> S11) will open their secondary ports.<br />
Figure 27: EAPS Common Link Failure<br />
S3<br />
P2<br />
Active-Open<br />
P3<br />
S1<br />
Controller<br />
P4<br />
EAPS3<br />
S6<br />
S9<br />
S4<br />
EAPS1<br />
S5<br />
P1<br />
x<br />
S2<br />
Partner<br />
EAPS2<br />
S8<br />
Master<br />
S7<br />
S10<br />
S11<br />
Master<br />
Master<br />
EW_102b<br />
When the common link is restored, the controller goes into Preforwarding state. After it gets notification<br />
from the master nodes that they have converged <strong>and</strong> blocked their secondary ports, the controller opens<br />
all ports.<br />
Multiple Common Link Failures<br />
When multiple common links fail, both controllers must keep one Active-Open port. To prevent a loop<br />
in the network, a “root blocker” is introduced. There can be only one “root blocker” in the network.<br />
This “root blocker” is the controller with the smallest link ID amongst all the controllers which are in<br />
“Blocking” state.<br />
260 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring EAPS Shared Ports<br />
Figure 28: Multiple EAPS Domain Common Links<br />
S 3<br />
S 4<br />
P2<br />
S 5<br />
Controller<br />
P3<br />
S 7<br />
P2<br />
Active-Open<br />
P3<br />
S 9<br />
Controller<br />
EAPS4<br />
S 12<br />
S 2<br />
EAPS1<br />
S 1<br />
P1<br />
x<br />
link ID=1<br />
S 6<br />
EAPS2<br />
Partner<br />
S 8<br />
P1<br />
x<br />
link ID=2<br />
EAPS3<br />
S 10<br />
Partner<br />
S 11<br />
S 13<br />
EW_096<br />
In the example in Figure 28, there are two common links. If both common links went down, the<br />
controller with the smaller of the two link IDs assumes the role of “root blocker”. In this case, the<br />
controller S5 becomes the “root blocker” because it has a link ID of 1. It blocks port 2, <strong>and</strong> keeps port 3<br />
open, since it receives messages from the other domains on port 1:3.<br />
Creating <strong>and</strong> Deleting a Shared Port<br />
To configure a common link, you must create a shared port on each switch belonging to the common<br />
link. To create a shared port, use the following comm<strong>and</strong>:<br />
create eaps shared-port <br />
where port is the common link port.<br />
NOTE<br />
A switch can have a maximum of two shared ports.<br />
To delete a shared port on the switch, use the following comm<strong>and</strong>:<br />
delete eaps shared-port <br />
Defining the Mode of the Shared Port<br />
The shared port on one end of the common link must be configured to be the controller. This is the end<br />
responsible for blocking ports when the common link fails thereby preventing the superloop.<br />
The shared port on the other end of the common link must be configured to be the partner. This end<br />
does not participate in any form of blocking. It is responsible for only sending <strong>and</strong> receiving<br />
health-check messages.<br />
To configure the mode of the shared port, use the following comm<strong>and</strong>:<br />
configure eaps shared-port mode <br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 261
Ethernet Automatic Protection Switching<br />
CAUTION<br />
The master secondary port cannot be a shared port. If the master primary port is a shared port, you<br />
must configure the partner before you configure the controller.<br />
Configuring the Link ID of the Shared Port<br />
Each common link in the EAPS network must have a unique link ID. The controller <strong>and</strong> partner shared<br />
ports belonging to the same common link must have matching link IDs. No other instance in the<br />
network should have that link ID.<br />
To configure the link ID of the shared port, use the following comm<strong>and</strong>.<br />
configure eaps shared-port link-id <br />
Unconfiguring an EAPS Shared Port<br />
To unconfigure a link ID on a shared port, use the following comm<strong>and</strong>:<br />
unconfigure eaps shared-port link-id<br />
To unconfigure the mode on a shared port, use the following comm<strong>and</strong>:<br />
unconfigure eaps shared-port mode<br />
To delete a shared port, use the following comm<strong>and</strong>:<br />
delete eaps shared-port <br />
Displaying EAPS Shared-Port Status Information<br />
To display EAPS shared port status information, use the following comm<strong>and</strong>:<br />
show eaps {} {detail}<br />
If you enter the show eaps shared-port comm<strong>and</strong> without an argument or keyword, the comm<strong>and</strong><br />
displays a summary of status information for all configured EAPS shared ports. You can use the detail<br />
keyword to display more detailed status information about the segments <strong>and</strong> VLANs associated with<br />
each shared port.<br />
The following examples of the show eaps shared-port comm<strong>and</strong> displays shared port information<br />
when the EAPS domain is in a “ready” state (for example, when the common link is up).<br />
Summit 300-48:7 # show eaps shared-port<br />
EAPS shared-port count: 1<br />
Link Domain Vlan RB RB<br />
Shared-port Mode Id Up State count count Nbr StateId<br />
----------- ---------- ---- -- --------- ------ ----- --- ------------<br />
1:1 Controller 2 Y Ready 1 1 Yes None None<br />
EAPS Domain list: "eaps2" "eaps3" "eaps4"<br />
262 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
EAPS Shared Port Configuration Rules<br />
The following example also displays detailed EAPS shared-port information:<br />
show eaps summary<br />
The results for this comm<strong>and</strong> are as follows:<br />
EAPS Enabled: Yes<br />
Number of EAPS instances: 3<br />
EAPSD-Bridge links: 6<br />
Pri Sec Vlan<br />
Domain State Mo En Port Port Control-Vlan (VID) count<br />
------------ ------------ -- -- ------- ------- ------------------ -----<br />
eaps4 Links-Up T Y 1:1 1:4 cv4 (1004) 1<br />
eaps3 Links-Up T Y 1:1 1:3 cv3 (1003) 1<br />
eaps2 Links-Up T Y 1:1 1:2 cv2 (1002) 1<br />
EAPS shared-port count: 1<br />
Link Domain Vlan RB RB<br />
Shared-port Mode Id Up State count count Nbr State Id<br />
----------- ---------- ---- -- --------- ------ ----- --- ------- -----<br />
1:1 Controller 2 Y Ready 1 1 Yes None None<br />
EAPS Domain list: "eaps2" "eaps3" "eaps4"<br />
EAPS Shared Port Configuration Rules<br />
The following rules apply to EAPS shared port configurations:<br />
• There can only be one EAPS domain<br />
• The controller <strong>and</strong> partner shared ports on either side of a common link must have the same<br />
link ID.<br />
• Each common link must have a unique link ID.<br />
• The modes on either side of a common link must be different from each other; one must be a<br />
controller <strong>and</strong> one must be a partner.<br />
• There can be only up to two shared ports per switch.<br />
• There cannot be more that one controller on a switch.<br />
Valid combinations on any one switch are:<br />
• 1 controller<br />
• 1 partner<br />
• 1 controller <strong>and</strong> 1 partner<br />
• 2 partners<br />
• A shared port cannot be configured on an EAPS master’s secondary port.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 263
Ethernet Automatic Protection Switching<br />
264 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
14 Spanning Tree Protocol (STP)<br />
This chapter covers the following topics:<br />
• Overview of the Spanning Tree Protocol on page 265<br />
• Spanning Tree Domains on page 266<br />
• STP Configurations on page 268<br />
• Rapid Spanning Tree Protocol on page 271<br />
• STP Rules <strong>and</strong> Restrictions on page 281<br />
• Configuring STP on the Switch on page 281<br />
• Displaying STP Settings on page 283<br />
Using the Spanning Tree Protocol (STP) functionality of the switch makes your network more fault<br />
tolerant. The following sections explain more about STP <strong>and</strong> the STP features supported by<br />
<strong><strong>Extreme</strong>Ware</strong>.<br />
NOTE<br />
STP is a part of the 802.1d bridge specification defined by the IEEE Computer Society. To explain STP<br />
in terms used by the 802.1d specification, the switch will be referred to as a bridge.<br />
Overview of the Spanning Tree Protocol<br />
STP is a bridge-based mechanism for providing fault tolerance on networks. STP allows you to<br />
implement parallel paths for network traffic, <strong>and</strong> ensure that:<br />
• Redundant paths are disabled when the main paths are operational.<br />
• Redundant paths are enabled if the main path fails.<br />
NOTE<br />
STP is not supported in conjunction with ESRP.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 269
Spanning Tree Protocol (STP)<br />
Spanning Tree Domains<br />
The switch can be partitioned into multiple virtual bridges. Each virtual bridge can run an independent<br />
Spanning Tree instance. Each Spanning Tree instance is called a Spanning Tree Domain (STPD). Each<br />
STPD has its own root bridge <strong>and</strong> active path. After an STPD is created, one or more VLANs can be<br />
assigned to it.<br />
The key points to remember when configuring VLANs <strong>and</strong> STP are:<br />
• Each VLAN forms an independent broadcast domain.<br />
• STP blocks paths to create a loop-free environment.<br />
• When STP blocks a path, no data can be transmitted or received on the blocked port.<br />
• Within any given STPD, all VLANs belonging to it use the same spanning tree.<br />
If you delete a STPD, the VLANs that were members of that STPD are also deleted. You must remove<br />
all VLANs associated with the STP before deleting the STPD to preserve the VLAN configuration.<br />
Ensure that multiple STPD instances within a single switch do not see each other in the same broadcast<br />
domain. This could happen if, for example, another external bridge is used to connect VLANs<br />
belonging to separate STPDs.<br />
A VLAN can span multiple STPDs. However, on the series “e” switches, there is a hardware limitation<br />
that restricts each physical port to a single STPD. If the port is already a member of an STPD, then that<br />
port cannot be in another VLAN that is in a different STPD, or not in a STPD at all.<br />
STPD Modes<br />
An STPD has two modes of operation<br />
• 802.1d mode<br />
Use this mode for backward compatibility with previous STP versions <strong>and</strong> for compatibility with<br />
third-party switches using IEEE st<strong>and</strong>ard 802.1d. When configured in this mode, all rapid<br />
configuration mechanisms are disabled.<br />
• 802.1w mode<br />
Use this mode for compatibility with Rapid Spanning Tree (RSTP). When configured in this mode,<br />
all rapid configuration mechanisms are enabled. This mode is available for point-to-point links only.<br />
RSTP is enabled or disabled on a per STPD basis only. You do not enable RSTP on a per port basis.<br />
For more information about RSTP <strong>and</strong> RSTP features, see “Rapid Spanning Tree Protocol” on<br />
page 271.<br />
By default, the:<br />
• STPD operates in 802.1d mode<br />
• Default device configuration contains a single STPD called s0<br />
• Default VLAN is a member of STPD s0<br />
To configure the mode of operation of an STPD, use the following comm<strong>and</strong>:<br />
configure stpd mode [dot1d | dot1w]<br />
All STP parameters default to the IEEE 802.1d values, as appropriate.<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
Port Modes<br />
An STP port has these modes of operation:<br />
• 802.1d mode<br />
This mode is used for backward compatibility with previous STP versions <strong>and</strong> for compatibility with<br />
third-party switches using IEEE st<strong>and</strong>ard 802.1d. BPDUs are sent untagged in 1D mode. Because of<br />
this, on any given physical interface there can be only one STPD running in 1D mode.<br />
• Limited support for <strong>Extreme</strong> Multiple Instance Spanning Tree Protocol (EMISTP) mode<br />
Normally EMISTP mode is an extension of STP that allows a physical port to belong to multiple<br />
STPDs by assigning the port to multiple VLANs. BPDUs are sent with an 802.1Q tag having an<br />
STPD instance Identifier (StpdID) in the VLANid field.<br />
EMISTP is limited to supporting a single EMISTP domain per physical port, called Compatibility<br />
Mode. Compatibility mode is supported to allow other switches using the full EMISTP mode to<br />
interoperate with the Summit 400.<br />
• Limited support for PVST+ mode<br />
This mode implements PVST+ in compatibility with third-party switches running this version of STP.<br />
The STPDs running in this mode have a one-to-one relationship with VLANs, <strong>and</strong> send <strong>and</strong> process<br />
packets in PVST+ format.<br />
PVST+ is also limited to supporting a single PVST+ domain per physical port, called Compatibility<br />
Mode. Compatibility mode is supported to allow other switches using the full PVST+ mode to<br />
interoperate with the Summit “e” series switches. These port modes are for STP ports, not for<br />
physical ports. The switch restricts each physical port to a single STPD. When a physical port<br />
belongs to multiple STPDs, it is associated with multiple STP ports. It is possible for the physical<br />
port to run in different modes for different domains to which it belongs.<br />
STPD Identifier<br />
An StpdID is used to identify each STP domain. You assign the StpdID when configuring the domain,<br />
<strong>and</strong> that VLAN cannot belong to another STPD.<br />
An StpdID must be identical to the VLANid of one of the member VLANs in that STP domain.<br />
NOTE<br />
If an STPD contains at least one port not in 1D mode, the STPD must be configured with an StpdID.<br />
Rapid Root Failover<br />
<strong><strong>Extreme</strong>Ware</strong> supports rapid root failover for faster STP failover recovery times in STP 802.1d mode. If<br />
the active root port link goes down <strong><strong>Extreme</strong>Ware</strong> recalculates STP <strong>and</strong> elects a new root port. Rapid root<br />
failover allows the new root port to immediately begin forwarding, skipping the st<strong>and</strong>ard listening <strong>and</strong><br />
learning phases. Rapid root failover occurs only when the link goes down, <strong>and</strong> not when there is any<br />
other root port failure, such as missing BPDUs.<br />
The default setting is disabled. To enable rapid root failover, use the following comm<strong>and</strong>:<br />
enable stpd rapid-root-failover<br />
To display the configuration, use the following comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
show stpd {}<br />
STP Configurations<br />
When you assign VLANs to an STPD, pay careful attention to the STP configuration <strong>and</strong> its effect on<br />
the forwarding of VLAN traffic.<br />
This section describes two types of STP configurations:<br />
• Basic STP<br />
• A VLAN that spans multiple STPDs<br />
Basic STP Configuration<br />
This section describes a basic, 802.1D STP configuration. Figure 29 illustrates a network that uses VLAN<br />
tagging for trunk connections. The following four VLANs have been defined:<br />
• Sales is defined on switch A, switch B, <strong>and</strong> switch M.<br />
• Personnel is defined on switch A, switch B, <strong>and</strong> switch M.<br />
• Manufacturing is defined on switch Y, switch Z, <strong>and</strong> switch M.<br />
• Engineering is defined on switch Y, switch Z, <strong>and</strong> switch M.<br />
• Marketing is defined on all switches (switch A, switch B, switch Y, switch Z, <strong>and</strong> switch M).<br />
Two STPDs are defined:<br />
• STPD1 contains VLANs Sales <strong>and</strong> Personnel.<br />
• STPD2 contains VLANs Manufacturing <strong>and</strong> Engineering.<br />
The VLAN Marketing is a member of both STPD1 <strong>and</strong> STPD2.<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
Figure 29: Multiple Spanning Tree Domains<br />
Sales, Personnel, Marketing<br />
Manufacturing, Engineering, Marketing<br />
Switch A<br />
Switch Y<br />
Switch B<br />
Switch Z<br />
Switch M<br />
STPD 1 STPD 2<br />
Sales, Personnel, Manufacturing, Engineering, Marketing<br />
ES4K016<br />
When the switches in this configuration start up, STP configures each STPD such that there are no<br />
active loops in the topology. STP could configure the topology in a number of ways to make it loop-free.<br />
In Figure 29, the connection between switch 1 <strong>and</strong> switch 2 is put into blocking state, <strong>and</strong> the<br />
connection between switch Y <strong>and</strong> switch Z is put into blocking state. After STP converges, all the<br />
VLANs can communicate, <strong>and</strong> all bridging loops are prevented.<br />
The VLAN Marketing, which has been assigned to both STPD1 <strong>and</strong> STPD2, communicates using all five<br />
switches. The topology has no loops, because STP has already blocked the port connection between<br />
switch A <strong>and</strong> switch B, <strong>and</strong> between switch Y <strong>and</strong> switch Z.<br />
Within a single STPD, you must be extra careful when configuring your VLANs. Figure 30 illustrates a<br />
network that has been incorrectly set up using a single STPD so that the STP configuration disables the<br />
ability of the switches to forward VLAN traffic.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
Figure 30: Tag-based STP configuration<br />
Marketing & Sales<br />
Marketing, Sales & Engineering<br />
Switch 1 Switch 3<br />
Switch 2<br />
Sales & Engineering<br />
ES4K023<br />
The tag-based network in Figure 30 has the following configuration:<br />
• Switch 1 contains VLAN Marketing <strong>and</strong> VLAN Sales.<br />
• Switch 2 contains VLAN Engineering <strong>and</strong> VLAN Sales.<br />
• Switch 3 contains VLAN Marketing, VLAN Engineering, <strong>and</strong> VLAN Sales.<br />
• The tagged trunk connections for three switches form a triangular loop that is not permitted in an<br />
STP topology.<br />
• All VLANs in each switch are members of the same STPD.<br />
STP can block traffic between switch 1 <strong>and</strong> switch 3 by disabling the trunk ports for that connection on<br />
each switch.<br />
Switch 2 has no ports assigned to VLAN marketing. Therefore, if the trunk for VLAN marketing on<br />
switches 1 <strong>and</strong> 3 is blocked, the traffic for VLAN marketing will not be able to traverse the switches.<br />
NOTE<br />
If an STPD contains multiple VLANs, all VLANs must be configured on all ports in that domain, except<br />
for ports that connect to hosts (edge ports).<br />
EMISTP <strong>and</strong> PVST+ Deployment Constraints<br />
While EMISTP <strong>and</strong> PVST+ greatly enhances STP capability, these features must be deployed with care.<br />
As stated before, a VLAN can span multiple STPDs. However, on the Summit “e” series, there are<br />
hardware limitations that restrict each physical port to a single STPD. If the port is already a member of<br />
an STPD, then that port cannot be in another VLAN that is in a different STPD, or not in a STPD at all.<br />
EMISTP <strong>and</strong> PVST+ are supported only in compatibility mode.<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
NOTE<br />
Newly created EMISTP VLANs are not associated with STPD s0 by default.<br />
Per-VLAN Spanning Tree<br />
Switching products that implement Per-VLAN Spanning Tree (PVST) have been in existence for many<br />
years <strong>and</strong> are widely deployed. To support STP configurations that use PVST, <strong><strong>Extreme</strong>Ware</strong> has an<br />
operational mode called PVST+. Summit 400 has limited support for PVST+ <strong>and</strong> only operates in<br />
compatibility mode.<br />
Summit “e” series—As stated before, a VLAN can span multiple STPDs. However, on the Summit “e”<br />
series, there is a hardware limitation that restricts each physical port to a single STPD. If the switches<br />
port is already a member of an STPD, then that port cannot be in another VLAN that is in a different<br />
STPD, or not in a STPD at all.<br />
NOTE<br />
In this document, PVST <strong>and</strong> PVST+ are used interchangeably. PVST+ is an enhanced version of PVST<br />
that is interoperable with 802.1Q STP. The following discussions are in regard to PVST+, if not<br />
specifically mentioned.<br />
Rapid Spanning Tree Protocol<br />
The Rapid Spanning Tree Protocol (RSTP; 802.1w) provides an enhanced spanning tree algorithm that<br />
improves the convergence speed of bridged networks. RSTP takes advantage of point-to-point links in<br />
the network <strong>and</strong> actively confirms that a port can safely transition to the forwarding state without<br />
relying on any timer configurations. If a network topology change or failure occurs, RSTP rapidly<br />
recovers network connectivity by confirming the change locally before propagating that change to other<br />
devices across the network. For broadcast links, there is no difference in convergence time between STP<br />
<strong>and</strong> RSTP.<br />
RSTP supersedes legacy STP protocols, supports the existing STP parameters <strong>and</strong> configurations, <strong>and</strong><br />
allows for seamless interoperability with legacy STP.<br />
NOTE<br />
RSTP is not supported in conjunction with ESRP.<br />
RSTP Terms<br />
Table 34 describes the terms associated with RSTP.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
Table 34: RSTP Terms<br />
Term<br />
root port<br />
designated port<br />
alternate port<br />
backup port<br />
edge ports<br />
root bridge<br />
Description<br />
Provides the shortest path to the root bridge. All bridges except the root bridge,<br />
contain one root port. For more information about the root port, see “Port Roles” on<br />
page 272.<br />
Provides the shortest path connection to the root bridge for the attached LAN<br />
segment. There is only one designated port on each LAN segment. For more<br />
information about the designated port, see “Port Roles” on page 272.<br />
Supplies an alternate path to the root bridge <strong>and</strong> the root port. For more information<br />
about the alternate port, see “Port Roles” on page 272.<br />
Supports the designated port on the same attached LAN segment. Backup ports only<br />
exist when the bridge is connected as a self-loop or to a shared-media segment. For<br />
more information about the backup port, see “Port Roles” on page 272.<br />
Ports that connect to non-STP devices such as routers, endstations, <strong>and</strong> other hosts.<br />
Edge ports are not part of the RSTP configuration.<br />
The bridge with the best bridge identifier selected to be the root bridge. There is only<br />
one root bridge in the network. The root bridge is the only bridge in the network that<br />
does not have a root port.<br />
RSTP Concepts<br />
This section describes important RSTP concepts.<br />
Port Roles<br />
RSTP uses information from BPDUs to assign port roles for each LAN segment. Port roles are not<br />
user-configurable. Port role assignments are determined based on the following criteria:<br />
• A unique bridge identifier (MAC address) associated with each bridge<br />
• The path cost associated with each bridge port<br />
• A port identifier associated with each bridge port<br />
RSTP assigns one of four port roles to bridge ports in the network, as described in Table 35.<br />
Table 35: RSTP port roles<br />
Port Role<br />
Root<br />
Designated<br />
Alternate<br />
Backup<br />
Description<br />
Provides the shortest path to the root bridge. There is only one root port per bridge; the root bridge<br />
does not have a root port. If a bridge has two or more ports with the same path cost, the port with<br />
the best port identifier becomes the root port.<br />
Provides the shortest path connection to the root bridge for the attached LAN segment. To prevent<br />
loops in the network, there is only one designated port on each LAN segment. To select the<br />
designated port, all bridges that are connected to a particular segment listen to each other’s<br />
BPDUs <strong>and</strong> agree on the bridge sending the best BPDU. The corresponding port on that bridge<br />
becomes the designated port. If there are two or more ports connected to the LAN, the port with<br />
the best port identifier (lowest MAC address) becomes the designated port.<br />
Provides an alternate path to the root bridge <strong>and</strong> the root port.<br />
Supports the designated port on the same attached LAN segment. Backup ports only exist when<br />
the bridge is connected as a self-loop or to a shared-media segment.<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
When RSTP stabilizes, all:<br />
• Root ports <strong>and</strong> designated ports are in the forwarding state<br />
• Alternate ports <strong>and</strong> backup ports are in the blocking state<br />
RSTP makes the distinction between the alternate <strong>and</strong> backup port roles to describe the rapid transition<br />
of the alternate port to the forwarding state if the root port fails.<br />
Ports that connect to non-STP devices are edge ports. Edge ports do not participate in RSTP, <strong>and</strong> their<br />
role is not confirmed. Edge ports immediately enter the forwarding state.<br />
Link Types<br />
You can configure the link type of a port in an STPD. RSTP tries to rapidly move designated<br />
point-to-point links into the forwarding state when a network topology change or failure occurs. For<br />
rapid convergence to occur, the port must be configured as a point-to-point link.<br />
Table 36 describes the link types.<br />
Table 36: RSTP link types<br />
Port Role<br />
Auto<br />
Edge<br />
Broadcast<br />
Point-to-point<br />
Description<br />
Specifies the switch to automatically determine the port link type. An auto link behaves like a<br />
point-to-point link if the link is in full duplex mode or if link aggregation is enabled on the port.<br />
Otherwise, the link behaves like a broadcast link used for 802.1w configurations.<br />
Specifies a port that does not have a bridge attached. An edge port is placed <strong>and</strong> held in the STP<br />
forwarding state unless a BPDU is received by the port.<br />
Specifies a port attached to a LAN segment with more than two bridges. A port with a broadcast<br />
link type cannot participate in rapid reconfiguration. By default, all ports are broadcast links.<br />
Specifies a port attached to a LAN segment with only two bridges. A port with port-to-port link type<br />
can participate in rapid reconfiguration. Used for 802.1w configurations.<br />
Configuring Link Types. By default, all ports are broadcast links. To configure the ports in an STPD,<br />
use the following comm<strong>and</strong>:<br />
configure stpd ports link-type [auto | edge | broadcast |<br />
point-to-point] <br />
• auto—Configures the ports as auto links. If the link is in full duplex mode, or if link aggregation is<br />
enabled on the port, an auto link behaves like a point-to-point link.<br />
• edge—Configures the ports as edge ports.<br />
• point-to-point—Configures the ports for an RSTP environment.<br />
To display detailed information about the ports in an STPD, use the following comm<strong>and</strong>:<br />
show stpd ports <br />
RSTP Timers<br />
For RSTP to rapidly recover network connectivity, RSTP requires timer expiration. RSTP derives many<br />
of the timer values from the existing configured STP timers to meet its rapid recovery requirements<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
rather than relying on additional timer configurations. Table 37 describes the user configurable timers,<br />
<strong>and</strong> Table 38 describes the timers that are derived from other timers <strong>and</strong> not user configurable.<br />
Table 37: <strong>User</strong> configurable timers<br />
Timer<br />
Hello<br />
Forward delay<br />
Description<br />
The root bridge uses the hello timer to send out configuration BPDUs through all of<br />
its forwarding ports at a pre-determined, regular time interval. The default value is 2<br />
seconds. The range is 1 to 10 seconds.<br />
A port moving from the blocking state to the forwarding state uses the forward delay<br />
timer to transition through the listening <strong>and</strong> learning states. In RSTP, this timer<br />
complements the rapid configuration behavior. If none of the rapid rules are in effect,<br />
the port uses legacy STP rules to move to the forwarding state. The default is 15<br />
seconds. The range is 4 to 30 seconds.<br />
Table 38: Derived timers<br />
Timer<br />
TCN<br />
Topology Change<br />
Message age<br />
Hold<br />
Recent backup<br />
Recent root<br />
Description<br />
The root port uses the TCN timer when it detects a change in the network topology.<br />
The TCN timer stops when the topology change timer expires or upon receipt of a<br />
topology change acknowledgement. The default value is the same as the value for<br />
the bridge hello timer.<br />
The topology change timer determines the total time it takes the forwarding ports to<br />
send configuration BPDUs. The default value for the topology change timer depends<br />
upon the mode of the port.<br />
• 1d mode—The sum of the forward delay timer (default value is 15 seconds;<br />
range of 4 to 30 seconds) <strong>and</strong> the max age timer (default value is 20 seconds;<br />
range of 6 to 40 seconds).<br />
• 1w mode—Double the hello timer (default value is 4 seconds)<br />
A port uses the message age timer to time out receiving BPDUs. When a port<br />
receives a superior or equal BPDU, the timer restarts. When the timer expires, the<br />
port becomes a designated port <strong>and</strong> a configuration update occurs. If the bridge<br />
operates in 1w mode <strong>and</strong> receives an inferior BPDU, the timer expires early. The<br />
default value is the same as the STPD bridge max age parameter.<br />
A port uses the hold timer to restrict the rate that successive BPDUs can be sent.<br />
The default value is the same as the value for the bridge hello timer.<br />
The timer starts when a port leaves the backup role. When this timer is running, the<br />
port cannot become a root port. The default value is double the hello time<br />
(4 seconds).<br />
The timer starts when a port leaves the root port role. When this timer is running,<br />
another port cannot become a root port unless the associated port is put into the<br />
blocking state. The default value is the same as the forward delay time.<br />
The Protocol migration timer is neither user-configurable nor derived; it has a set value of 3 seconds.<br />
The timer starts when a port transitions from STP (802.1d) mode to RSTP (802.1w) mode <strong>and</strong> vice versa.<br />
This timer must expire before further mode transitions can occur.<br />
RSTP Operation<br />
In an RSTP environment, there are two bridges on a point-to-point link LAN segment. A switch that<br />
considers itself the unique, designated bridge for the attached LAN segment sends a “propose” message<br />
to the other bridge to request a confirmation of its role. The other bridge on that LAN segment replies<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
with an “agree” message if they agree with the proposal. The receiving bridge immediately moves its<br />
designated port into the forwarding state.<br />
Before a bridge replies with an “agree” message, it reverts all of its designated ports into the blocking<br />
state. This introduces a temporary partition into the network. The bridge then sends another “propose”<br />
message on all of its designated ports for further confirmation. Since all of the connections are blocked,<br />
the bridge immediately sends an “agree” message to unblock the proposing port without having to wait<br />
for further confirmations to come back or without the worry of temporary loops.<br />
Beginning with the root bridge, each bridge in the network engages in the exchange of “propose” <strong>and</strong><br />
“agree” messages until they reach the edge ports. Edge ports connect to non-STP devices <strong>and</strong> do not<br />
participate in RSTP. Their role does not need to be confirmed. If an edge port receives a BPDU, it enters<br />
an inconsistency state. An inconsistency state puts the edge port into the blocking state <strong>and</strong> starts the<br />
message age timer. Every time the edge port receives a BPDU, the message age timer restarts. The edge<br />
port remains in the blocking state until no further BPDUs are received <strong>and</strong> the message age timer<br />
expires.<br />
RSTP attempts to transition root ports <strong>and</strong> designated ports to the forwarding state <strong>and</strong> alternate ports<br />
<strong>and</strong> backup ports to the blocking state as rapidly as possible.<br />
A port transitions to the forwarding state if any of the following is true. The port:<br />
• Has been in either a root or designated port role long enough that the spanning tree information<br />
supporting this role assignment has reached all of the bridges in the network.<br />
NOTE<br />
RSTP is backward compatible with STP, so if a port does not move to the forwarding state with any<br />
of the RSTP rapid transition rules, a forward delay timer starts <strong>and</strong> STP behavior takes over.<br />
• Is now a root port <strong>and</strong> no other ports have a recent role assignment that contradicts with its root<br />
port role.<br />
• Is a designated port <strong>and</strong> attaches to another bridge by a point-to-point link <strong>and</strong> receives an “agree”<br />
message from the other bridge port.<br />
• Is an edge port.<br />
An edge port is a port connected to a non-STP device <strong>and</strong> is in the forwarding state.<br />
The preceding sections provide more information about RSTP behavior.<br />
Root Port Rapid Behavior<br />
In Figure 31, the diagram on the left displays the initial network topology with a single bridge having<br />
the following:<br />
• Two ports connected to a shared LAN segment<br />
• One port is the designated port<br />
• One port is the backup port<br />
The diagram on the right displays a new bridge that:<br />
• Is connected to the LAN segment<br />
• Has a superior STP bridge priority<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
• Becomes the root bridge <strong>and</strong> sends a BPDU to the LAN that is received by both ports on the old<br />
bridge<br />
Figure 31: Example of root port rapid behavior<br />
EAPS1<br />
S3<br />
S9<br />
EAPS3<br />
S4<br />
S7 S10<br />
S5<br />
P3<br />
P2<br />
S1<br />
Controller<br />
P4 S6<br />
P1<br />
EAPS2<br />
Common link<br />
P5<br />
S2<br />
Partner<br />
P8 S8<br />
P6<br />
Master<br />
P7<br />
S11<br />
Master<br />
Master<br />
EW_102a<br />
If the backup port receives the BPDU first, STP processes this packet <strong>and</strong> temporarily elects this port as<br />
the new root port while the designated port’s role remains unchanged. If the new root port is<br />
immediately put into the forwarding state, there is a loop between these two ports.<br />
To prevent this type of loop from occurring, the recent backup timer starts. The root port transition rule<br />
does not allow a new root port to be in the forwarding state until the recent backup timer expires.<br />
Another situation may arise if you have more than one bridge, <strong>and</strong> you lower the port cost for the<br />
alternate port which makes it the new root port. The previous root port is now an alternate port.<br />
Depending on your STP implementation, STP may set the new root port to the forwarding state before<br />
setting the old root port to the blocking state. This may cause a loop.<br />
To prevent this type of loop from occurring, the recent root timer starts when the port leaves the root<br />
port role. The timer stops if the port enters the blocking state. RSTP requires that the recent root timer<br />
stops on the previous root port before the new root port can enter the forwarding state.<br />
Designated Port Rapid Behavior<br />
When a port becomes a new designated port, or the STP priority changes on an existing designated<br />
port, the port becomes an unsynced designated port. In order for an unsynced designated port to rapidly<br />
move into the forwarding state, the port must propose a confirmation of its role on the attached LAN<br />
segment, unless the port is an edge port. Upon receiving an “agree” message, the port immediately<br />
enters the forwarding state.<br />
If the receiving bridge does not agree <strong>and</strong> it has a superior STP priority, the receiving bridge replies<br />
with its own BPDU. Otherwise, the receiving bridge keeps silent <strong>and</strong> the proposing port enters the<br />
forwarding state <strong>and</strong> starts the forward delay timer.<br />
The link between the new designated port <strong>and</strong> the LAN segment must be a point-to-point link. If there<br />
is a multi-access link, the “propose” message is sent to multiple recipients. If only one of the recipients<br />
agrees with the proposal, it is possible for the port to erroneously enter the forwarding state after<br />
receiving a single “agree” message.<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
Receiving Bridge Behavior<br />
The receiving bridge must decide whether or not to accept a proposal from a port. Upon receiving a<br />
proposal for a root port, the receiving bridge:<br />
• Processes the BPDU <strong>and</strong> computes the new STP topology<br />
• Synchronizes all of the designated ports if the receiving port is the root port of the new topology<br />
• Puts all unsynced, designated ports into the blocking state<br />
• Sends down further “propose” messages<br />
• Sends back an “agree” message through the root port<br />
If the receiving bridge receives a proposal for a designated port, the bridge replies with its own BPDU.<br />
If the proposal is for an alternate or backup port, the bridge keeps silent.<br />
Propagating Topology Change Information<br />
When a change occurs in the topology of the network, such events are communicated through the<br />
network.<br />
In an RSTP environment, only non-edge ports entering the forwarding state cause a topology change. A<br />
loss of network connectivity is not considered a topology change; however, a gain in network<br />
connectivity needs to be communicated. When an RSTP bridge detects a topology change, it starts the<br />
topology change timer, sets the topology change flag on its BPDUs, floods all of the forwarding ports in<br />
the network (including the root ports), <strong>and</strong> flushes the learned MAC address entries.<br />
Rapid Reconvergence<br />
This section describes the RSTP rapid behavior following a topology change. In this example, the bridge<br />
priorities are assigned based on the order of their alphabetical letters; bridge A has a higher priority<br />
than bridge F.<br />
Suppose we have a network, as shown in Figure 32, with six bridges (bridge A through bridge F) where<br />
the following is true:<br />
• Bridge A is the root bridge<br />
• Bridge D contains an alternate port in the blocking state<br />
• All other ports in the network are in the forwarding state<br />
Figure 32: Initial network configuration<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
F<br />
A , 1<br />
E<br />
A , 2<br />
D<br />
A , 3<br />
Designated<br />
port<br />
Root<br />
port<br />
Blocked<br />
port<br />
EW_103a<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
The preceding steps describe how the network reconverges.<br />
1 If the link between bridge A <strong>and</strong> bridge F goes down, bridge F detects the root port is down. At this<br />
point, bridge F:<br />
• Immediately deletes that port from the STP<br />
• Performs a configuration update<br />
After the configuration update, bridge F:<br />
• Considers itself the new root bridge<br />
• Sends a BPDU message on its designated port to bridge E<br />
Figure 33: Down link detected<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
Down<br />
link<br />
BPDU<br />
F<br />
F , 0<br />
E<br />
A , 2<br />
D<br />
A , 3<br />
Designated<br />
port<br />
Root<br />
port<br />
EW_103b<br />
2 Bridge E believes that bridge A is the root bridge. When bridge E receives the BPDU on its root port<br />
from bridge F, bridge E:<br />
• Determines that it received an inferior BPDU.<br />
• Immediately begins the max age timer on its root port<br />
• Performs a configuration update<br />
After the configuration update, bridge E:<br />
• Regards itself as the new root bridge<br />
• Sends BPDU messages on both of its root ports to bridges F <strong>and</strong> D, respectively<br />
Figure 34: New root bridge selected<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
F<br />
F , 0<br />
E<br />
E , 0<br />
Designated<br />
port<br />
D<br />
A , 3<br />
Root<br />
port<br />
BPDU<br />
EW_103c<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
3 When bridge F receives the superior BPDU <strong>and</strong> configuration update from bridge E, bridge F:<br />
• Decides that the receiving port is the root port<br />
• Determines that bridge E is the root bridge.<br />
Figure 35: Communicating new root bridge status to neighbors<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
F<br />
E , 1<br />
E<br />
E , 0<br />
Designated<br />
port<br />
D<br />
A , 3<br />
Root<br />
port<br />
4 Bridge D believes that bridge A is the root bridge. When bridge D receives the BPDU from bridge E<br />
on its alternate port, bridge D:<br />
• Immediately begins the max age timer on its alternate port<br />
• Performs a configuration update<br />
After the configuration update, bridge D:<br />
• Moves the alternate port to a designated port<br />
• Sends a “propose” message to bridge E to solicit confirmation of its designated role <strong>and</strong> to<br />
rapidly move the port into the designated state<br />
Figure 36: Sending a propose message to confirm a port role<br />
EW_103d<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
F<br />
E , 1<br />
E<br />
E , 0<br />
Designated<br />
port<br />
D<br />
A , 3<br />
Root<br />
port<br />
Propose BPDU<br />
EW_103e<br />
5 Upon receiving the proposal, bridge E:<br />
• Performs a configuration update<br />
• Changes its receiving port to a root port<br />
The existing designated port enters the blocking state<br />
Bridge E then sends:<br />
• A “propose” message to bridge F<br />
• An “agree” message from its root port to bridge D.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
Figure 37: Communicating port status to neighbors<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
Designated<br />
port<br />
Root<br />
port<br />
F<br />
E , 1<br />
E<br />
A , 4<br />
D<br />
A , 3<br />
Agree BPDU<br />
EW_103f<br />
6 To complete the topology change, the following occurs:<br />
• Bridge D moves the port that received the agree message into the forwarding state<br />
• Bridge F confirms that its receiving port (the port that received the “propose” message) is the root<br />
port, <strong>and</strong> immediately replies with an “agree” message to bridge E to unblock the proposing port<br />
Figure 38: Completing the topology change<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
Root<br />
port<br />
Designated<br />
port<br />
F<br />
A , 5<br />
E<br />
A , 4<br />
D<br />
A , 3<br />
EW_103g<br />
Figure 39 displays the new topology.<br />
Figure 39: Final network configuration<br />
A<br />
A , 0<br />
B<br />
A , 1<br />
C<br />
A , 2<br />
Root<br />
port<br />
Designated<br />
port<br />
F<br />
A , 5<br />
E<br />
A , 4<br />
D<br />
A , 3<br />
EW_103h<br />
Compatibility With STP (802.1d)<br />
RSTP interoperates with legacy STP protocols; however, the rapid convergence benefits are lost when<br />
interacting with legacy STP bridges.<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
Each RSTP bridge contains a port protocol migration state machine to ensure that the ports in the STPD<br />
operate in the correct, configured mode. The state machine is a protocol entity within each bridge<br />
configured to run in 802.1w mode. For example, a compatibility issue occurs if you configure 802.1w<br />
mode <strong>and</strong> the bridge receives an 802.1d BPDU on a port. The receiving port starts the protocol<br />
migration timer <strong>and</strong> remains in 802.1d mode until the bridge stops receiving 802.1d BPDUs. Each time<br />
the bridge receives an 802.1d BPDU, the timer restarts. When the port migration timer expires, no more<br />
802.1d BPDUs have been received <strong>and</strong> the bridge returns to its configured setting, 802.1w mode.<br />
STP Rules <strong>and</strong> Restrictions<br />
This section summarizes the rules <strong>and</strong> restrictions for configuring STP.<br />
• EMISTP <strong>and</strong> PVST+ only operates in compatibility mode on the series “e” switches. As stated before,<br />
a VLAN can span multiple STPDs. However, on the switch, there is a hardware limitation that<br />
restricts each physical port to a single STPD. If the port is already a member of an STPD, then that<br />
port cannot be in another VLAN that is in a different STPD, or not in a STPD at all.<br />
• The StpdID must be the VLANid of one of its member VLANs, <strong>and</strong> that VLAN can not be<br />
partitioned.<br />
• A default VLAN can not be partitioned. If a VLAN traverses multiple STP domains, the VLAN must<br />
be tagged.<br />
• If a port supports 802.1w-STPD, then the port must be configured with a default VLAN. If not, the<br />
BPDUs for that STPD are not flooded when the STPD is disabled.<br />
Configuring STP on the Switch<br />
To configure basic STP, follow these steps:<br />
1 Create one or more STP domains using the following comm<strong>and</strong>:<br />
create stpd <br />
NOTE<br />
STPD, VLAN, <strong>and</strong> QoS profile names must all be unique. For example, a name used to identify a<br />
VLAN cannot be used when you create an STPD or a QoS profile.<br />
2 Add one or more VLANs to the STPD using the following comm<strong>and</strong>:<br />
configure stpd add vlan {ports [dot1d<br />
| emistp |pvst-plus]}<br />
3 Enable STP for one or more STP domains using the following comm<strong>and</strong>:<br />
enable stpd {}<br />
After you have created the STPD, you can optionally configure STP parameters for the STPD.<br />
NOTE<br />
You should not configure any STP parameters unless you have considerable knowledge <strong>and</strong> experience<br />
with STP. The default STP parameters are adequate for most networks.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
The following parameters can be configured on each STPD:<br />
• Hello time<br />
• Forward delay<br />
• Max age<br />
• Bridge priority<br />
• StpdID<br />
The following parameters can be configured on each port:<br />
• Path cost<br />
• Port priority<br />
• Port mode<br />
NOTE<br />
The device supports the RFC 1493 Bridge MIB. Parameters of only the s0 default STPD are accessible<br />
through this MIB.<br />
NOTE<br />
If an STPD contains at least one port not in dot1D mode, the STPD must be configured with an StpdID.<br />
STP Configuration Examples<br />
This section provides three configuration examples:<br />
• Basic 802.1d STP<br />
• RSTP 802.1w<br />
Basic 802.1d Configuration Example<br />
The following example creates <strong>and</strong> enables an STPD named Backbone_st. It assigns the Manufacturing<br />
VLAN to the STPD. It disables STP on ports 1 through 7, <strong>and</strong> port 12.<br />
create stpd backbone_st<br />
configure stpd backbone_st add vlan manufacturing<br />
enable stpd backbone_st<br />
disable stpd backbone_st port 1-7,12<br />
RSTP 802.1w Configuration Example<br />
Figure 40 is an example of a network with multiple STPDs that can benefit from RSTP. For RSTP to<br />
work, you need to do the following:<br />
• Create an STPD<br />
• Configure the mode of operation for the STPD<br />
• Create the VLANs <strong>and</strong> assign the ports<br />
• Add the VLANs to the STPD<br />
• Configure the port link types<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Running H/F 1<br />
• Enable STP<br />
Figure 40: RSTP example<br />
Sales, Personnel, Marketing<br />
Manufacturing, Engineering, Marketing<br />
Switch A<br />
Switch Y<br />
Switch B<br />
Switch Z<br />
Switch M<br />
STPD 1 STPD 2<br />
Sales, Personnel, Manufacturing, Engineering, Marketing<br />
ES4K016<br />
In this example, the comm<strong>and</strong>s configure switch A in STPD1 for rapid reconvergence. Use the same<br />
comm<strong>and</strong>s to configure each switch <strong>and</strong> STPD in the network.<br />
create stpd stpd1<br />
configure stpd stpd1 mode dot1w<br />
create vlan sales<br />
create vlan personnel<br />
create vlan marketing<br />
configure vlan sales add ports 1,2 tagged<br />
configure vlan personnel add ports 1,2 tagged<br />
configure vlan marketing add ports 1,2 tagged<br />
configure stpd stpd1 add vlan sales<br />
configure stpd stpd1 add vlan personnel<br />
configure stpd stpd1 add vlan marketing<br />
configure stpd stpd1 ports link-type point-to-point 1,2<br />
enable stpd stpd1<br />
Displaying STP Settings<br />
To display STP settings, use the following comm<strong>and</strong>:<br />
show stpd {}<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> #
Spanning Tree Protocol (STP)<br />
This comm<strong>and</strong> displays the following information:<br />
• STPD name<br />
• STPD state<br />
• STPD mode of operation<br />
• Rapid Root Failover<br />
• Tag<br />
• Ports<br />
• Active VLANs<br />
• Bridge Priority<br />
• Bridge ID<br />
• Designated root<br />
• STPD configuration information<br />
To display the STP state of a port, use the following comm<strong>and</strong>:<br />
show stpd ports <br />
This comm<strong>and</strong> displays the following information:<br />
• STPD port configuration<br />
• STPD port mode of operation<br />
• STPD path cost<br />
• STPD priority<br />
• STPD state (root bridge, <strong>and</strong> so on)<br />
• Port role (root bridge, edge port, etc.)<br />
• STPD port state (forwarding, blocking, <strong>and</strong> so on)<br />
• Configured port link type<br />
• Operational port link type<br />
If you have a VLAN that spans multiple STPDs, use the show vlan stpd comm<strong>and</strong> to<br />
display the STP configuration of the ports assigned to that specific VLAN.<br />
The comm<strong>and</strong> displays the following:<br />
• STPD port configuration<br />
• STPD port mode of operation<br />
• STPD path cost<br />
• STPD priority<br />
• STPD state (root bridge, <strong>and</strong> so on)<br />
• Port role (root bridge, edge port, etc.)<br />
• STPD port state (forwarding, blocking, <strong>and</strong> so on)<br />
• Configured port link type<br />
• Operational port link type<br />
# <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
15 <strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
This chapter covers the following topics:<br />
• Overview of ESRP on page 285<br />
• ESRP Concepts on page 287<br />
• Determining the ESRP Master on page 288<br />
• Advanced ESRP Features on page 291<br />
• Displaying ESRP Information on page 299<br />
• ESRP Examples on page 303<br />
• ESRP Cautions on page 306<br />
Overview of ESRP<br />
ESRP is a feature of <strong><strong>Extreme</strong>Ware</strong> that allows multiple switches to provide redundant routing services<br />
to users. From the workstation’s perspective, there is only one default router (that has one IP address<br />
<strong>and</strong> one MAC address), so ARP cache entries in client workstations do not need to be refreshed or<br />
aged-out.<br />
In addition to providing layer 3 routing redundancy for IP <strong>and</strong> IPX, ESRP also provides for layer 2<br />
redundancy. These “layered” redundancy features can be used in combination or independently. You do<br />
not have to configure the switch for routing to make valuable use of ESRP. The layer 2 redundancy<br />
features of ESRP offer fast failure recovery <strong>and</strong> provide for dual-homed system design. In some<br />
instances, depending on network system design, ESRP can provide better resiliency than using<br />
Spanning Tree Protocol (STP) or Virtual Router Redundancy Protocol (VRRP).<br />
We recommended that all switches participating in ESRP run the same version of <strong><strong>Extreme</strong>Ware</strong>. Not all<br />
ESRP features are available in all <strong><strong>Extreme</strong>Ware</strong> software releases.<br />
Reasons to Use ESRP<br />
You can use ESRP when working with edge-level or aggregation-level redundancy. Deploying ESRP in<br />
this area of the network allows you to simplify your network design which is important in designing a<br />
stable network. ESRP also works well in meshed networks where layer 2 loop protection <strong>and</strong> layer 3<br />
redundancy are simultaneously required.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 285
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
ESRP Terms<br />
Table 39 describes terms associated with ESRP.<br />
Table 39: ESRP Terms<br />
Term<br />
ESRP-aware<br />
ESRP-enabled<br />
EDP<br />
master switch<br />
pre-master state<br />
slave switch<br />
election algorithm<br />
priority<br />
tracking<br />
domains<br />
domain master-VLAN<br />
domain member-VLAN<br />
ESRP VLAN<br />
ESRP instance<br />
Description<br />
An <strong>Extreme</strong> switch that is capable of listening to EDP which is the protocol that<br />
ESRP uses to transmit information. For more information see “ESRP Concepts” on<br />
page 287.<br />
An <strong>Extreme</strong> switch with the ESRP feature enabled. ESRP-enabled switches include<br />
the ESRP master <strong>and</strong> slave switches.<br />
<strong>Extreme</strong> Discovery Protocol. A protocol used by ESRP to communicate information<br />
about neighbor <strong>Extreme</strong> switches. The master <strong>and</strong> the slave utilize EDP to send<br />
hello packets that contain timers, port count, <strong>and</strong> other state information pertinent to<br />
ESRP.<br />
The master switch is the device with the highest priority based on the election<br />
algorithm. The master is responsible for responding to clients for layer 3 routing <strong>and</strong><br />
layer 2 switching for the VLAN. For more information about the master switch, see<br />
“Determining the ESRP Master” on page 288.<br />
An ESRP switch that is ready to be master but is going through possible loop<br />
detection prior to transitioning to master. For more information about the behavior of<br />
the pre-master switch, see “Pre-Master Switch Behavior” on page 289.<br />
A switch participating in ESRP that is not elected or configured the master. The<br />
slave switch does not respond to ARP requests, but it does exchange EDP packets<br />
with other switches on the same VLAN. The slave switch is available to assume the<br />
responsibilities of the master switch if the master becomes unavailable or criteria for<br />
ESRP changes. For more information about the behavior of the slave switch, see<br />
“Slave Switch Behavior” on page 289.<br />
A user-defined criteria to determine how the master <strong>and</strong> the slave interact with each<br />
other. The election algorithm also determines which device becomes the master or<br />
the slave <strong>and</strong> how ESRP makes those decisions. For more information about the<br />
election algorithms, see “ESRP Election Algorithms” on page 290.<br />
A user-defined field to set the priority values for ESRP. The range of the priority<br />
value is 0 to 255; a higher number has higher priority. The default priority setting is<br />
0. A priority setting of 255 loses the election <strong>and</strong> the switch remains in slave mode.<br />
To learn more about configuring priority values for ESRP, see “Electing the Master<br />
Switch” on page 289.<br />
ESRP uses tracking mechanisms to determine a master. Should the ESRP master<br />
lose the ability to track a selected mechanism, the ESRP slave assumes master. For<br />
more information about the tracking methods used by ESRP, see “ESRP Tracking”<br />
on page 291.<br />
Domains are a method of increasing scalability for ESRP by creating a domain<br />
master VLAN that controls ESRP election <strong>and</strong> failover criteria for member-VLANs.<br />
The VLAN that ESRP is enabled on <strong>and</strong> controls the member-VLANs.<br />
The VLAN that is controlled by the ESRP domain master-VLAN. ESRP cannot be<br />
enabled on this VLAN.<br />
A VLAN that has ESRP enabled.<br />
You enable ESRP on a per-VLAN basis. Each time you enable ESRP on a VLAN is<br />
an ESRP instance.<br />
286 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
ESRP Concepts<br />
ESRP Concepts<br />
ESRP is configured on a per-VLAN basis on each switch. A maximum of four switches can participate<br />
in providing redundant layer 3 or layer 2 services to a single VLAN. The switches exchange keep-alive<br />
packets for each VLAN independently. Only one switch (the master) can actively provide layer 3<br />
routing <strong>and</strong>/or layer 2 switching for each VLAN. This switch h<strong>and</strong>les the forwarding, ARP requests,<br />
<strong>and</strong> routing for this particular VLAN. Other participating switches for the VLAN are in slave mode<br />
waiting for an ESRP state change.<br />
For a VLAN with ESRP enabled, each participating switch uses the same MAC address <strong>and</strong> must be<br />
configured with the same IP address or IPX NetID. It is possible for one switch to be master for one or<br />
more VLANs while being in slave for others, thus allowing the load to be split across participating<br />
switches.<br />
NOTE<br />
If you configure OSPF <strong>and</strong> ESRP, you must manually configure an OSPF router identifier (ID). Be sure<br />
that you configure a unique OSPF router ID on each switch running ESRP. For more information on<br />
configuring OSPF, see Chapter 18.<br />
To have two or more switches participate in ESRP, the following must be true:<br />
• For each VLAN to be made redundant, the switches must have the ability to exchange packets on<br />
the same layer 2 broadcast domain for that VLAN. Multiple paths of exchange can be used, <strong>and</strong><br />
typically exist in most network system designs that take advantage of ESRP.<br />
• For a VLAN to be recognized as participating in ESRP, the assigned IP address or the IPX NETid for<br />
the separate switches must be identical. Other aspects of the VLAN, including its name, are ignored.<br />
• ESRP must be enabled on the desired VLANs for each switch.<br />
NOTE<br />
ESRP cannot be enabled on the VLAN default.<br />
• <strong>Extreme</strong> Discovery Protocol (EDP) must be enabled on the ports that are members of the ESRP<br />
VLANs (The default setting is enabled.).<br />
NOTE<br />
If you configure a domain master-VLAN for ESRP, the domain master-VLAN must contain all ports<br />
belonging to the domain member-VLANs in order to operate properly as an ESRP VLAN.<br />
ESRP-Aware Switches<br />
<strong>Extreme</strong> switches that are not running ESRP, but are connected on a network that has other <strong>Extreme</strong><br />
switches running ESRP are ESRP-aware. When ESRP-aware switches are attached to ESRP-enabled<br />
switches, the ESRP-aware switches reliably perform fail-over <strong>and</strong> fail-back scenarios in the prescribed<br />
recovery times. No configuration of this feature is necessary.<br />
NOTE<br />
If you disable EDP on the switch, the switch is no longer ESRP-aware.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 287
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
If <strong>Extreme</strong> switches running ESRP are connected to layer 2 switches that are not manufactured by<br />
<strong>Extreme</strong> <strong>Networks</strong>, the fail-over times seen for traffic local to the segment may appear longer,<br />
depending on the application involved <strong>and</strong> the FDB timer used by the other vendor’s layer 2 switch. As<br />
such, ESRP can be used with layer 2 switches from other vendors, but the recovery times vary.<br />
The VLANs associated with the ports connecting an ESRP-aware switch to an ESRP-enabled switch<br />
must be configured using an 802.1Q tag on the connecting port, or, if only a single VLAN is involved, as<br />
untagged using the protocol filter any. ESRP will not function correctly if the ESRP-aware switch<br />
interconnection port is configured for a protocol-sensitive VLAN using untagged traffic. You can also<br />
use port restart in this scenario. For more information about port restart, see “ESRP Port Restart” on<br />
page 295.<br />
To display ESRP-aware information, use the following comm<strong>and</strong>:<br />
show esrp-aware vlan <br />
The display includes the group number, MAC address for the master of the group, <strong>and</strong> age of the<br />
information.<br />
Linking ESRP Switches<br />
When considering system design using ESRP, <strong>Extreme</strong> <strong>Networks</strong> recommends using a direct link. Direct<br />
links between ESRP switches are useful under the following conditions:<br />
• A direct link can provide a more direct routed path, if the ESRP switches are routing <strong>and</strong> supporting<br />
multiple VLANs where the master/slave configuration is split such that one switch is master for<br />
some VLANs <strong>and</strong> a second switch is master for other VLANs. The direct link can contain a unique<br />
router-to-router VLAN/subnet, so that the most direct routed path between two VLANs with<br />
different master switches uses a direct link, instead of forwarding through another set of connected<br />
routers.<br />
• A direct link can be used as a highly reliable method to exchange ESRP hellos, so that the possibility<br />
of having multiple masters for the same VLAN is lessened, should all downstream layer 2 switches<br />
fail.<br />
• A direct link is necessary for the ESRP HA option. The direct link is used to provide layer 2<br />
forwarding services through an ESRP slave switch.<br />
Direct links may contain a router-to-router VLAN, along with VLANs running ESRP. If multiple VLANs<br />
are used on the direct links, use 802.1Q tagging. The direct links may be aggregated into a load-shared<br />
group, if desired. If multiple ESRP VLANs share a host port, each VLAN must be in a different ESRP<br />
group.<br />
Determining the ESRP Master<br />
The ESRP master switch (providing layer 3 routing <strong>and</strong>/or layer 2 switching services for a VLAN) is<br />
determined by the following default factors:<br />
• Active ports—The switch that has the greatest number of active ports takes highest precedence.<br />
• Tracking information—Various types of tracking are used to determine if the switch performing the<br />
master ESRP function has connectivity to the outside world. <strong><strong>Extreme</strong>Ware</strong> supports the following<br />
types of tracking:<br />
— VLAN—Tracks any active port connectivity to one or more designated VLANs<br />
288 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Determining the ESRP Master<br />
— IP route table entry—Tracks specific learned routes from the IP route table<br />
— Ping—Tracks ICMP ping connectivity to specified devices<br />
— Diagnostics—Tracks the diagnostics of the switch<br />
— Environment (health checks)—Tracks the environment of the switch<br />
If any of the configured tracking mechanisms fail, the master ESRP switch relinquishes status as<br />
master, <strong>and</strong> remains in slave mode for as long as the tracking mechanism continues to fail.<br />
• ESRP priority—This is a user-defined field. The range of the priority value is 0 to 255; a higher<br />
number has higher priority. The default priority setting is 0. A priority setting of 255 makes an ESRP<br />
switch remain in slave mode <strong>and</strong> is the recommended setting for system maintenance. A switch with<br />
a priority setting of 255 will never become the master.<br />
• System MAC address—The switch with the higher MAC address has higher priority.<br />
Master Switch Behavior<br />
If a switch is master, it actively provides layer 3 routing services to other VLANs, <strong>and</strong> layer 2 switching<br />
between all the ports of that VLAN. Additionally, the switch exchanges EDP packets with other<br />
switches that are in slave mode.<br />
Pre-Master Switch Behavior<br />
A pre-master switch is ready to transition to master, but is going through possible loop detection prior<br />
to changing to the master state. This temporary state avoids the possibility of having simultaneous<br />
masters.<br />
Slave Switch Behavior<br />
If a switch is in slave mode, it exchanges EDP packets with other switches on that same VLAN. When a<br />
switch is in slave mode, it does not perform layer 3 routing or layer 2 switching services for the VLAN.<br />
From a layer 3 routing protocol perspective (for example, RIP or OSPF), when in slave mode for the<br />
VLAN, the switch marks the router interface associated with the VLAN as down. From a layer 2<br />
switching perspective, no forwarding occurs between the member ports of the VLAN; this prevents<br />
loops <strong>and</strong> maintains redundancy.<br />
If you configure the switch to use the optional ESRP Host Attach configuration, the switch continues<br />
layer 2 forwarding to the master. For more information, see “ESRP Host Attach” on page 295.<br />
Electing the Master Switch<br />
A new master can be elected in one of the following ways:<br />
• A communicated parameter change<br />
• Loss of communication between master <strong>and</strong> slave(s)<br />
If a parameter that determines the master changes (for example, link loss or priority change), the<br />
election of the new master typically occurs within one timer cycle (2 seconds by default). If a switch in<br />
slave mode loses its connection with the master, a new election (using the same precedence order<br />
indicated previously) occurs. The new election typically takes place in three times the defined timer<br />
cycle (6 seconds by default).<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 289
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Before the switch transitions to the master state, the switch enters a temporary pre-master state. While<br />
in the pre-master state the VLAN does not send ESRP PDUs until the pre-master state timeout expires.<br />
When the timeout expires, the slave VLAN operates normally. Traffic is unaffected by the pre-master<br />
state because the master continues to operate normally. The pre-master state avoids the possibility of<br />
having simultaneous masters.<br />
You can configure the pre-master state timeout using the following comm<strong>and</strong>:<br />
configure vlan esrp esrp-premaster-timeout <br />
CAUTION<br />
Configure the pre-master state timeout only with guidance from <strong>Extreme</strong> <strong>Networks</strong> personnel.<br />
Misconfiguration can severely degrade the performance of ESRP <strong>and</strong> your switch.<br />
Failover Time<br />
Failover time is largely determined by the following factors:<br />
• The ESRP timer setting.<br />
• The routing protocol being used for inter-router connectivity if layer 3 redundancy is used. OSPF<br />
failover time is faster than RIP failover time.<br />
The failover time associated with the ESRP protocol is dependent on the timer setting <strong>and</strong> the nature of<br />
the failure. The default timer setting is 2 seconds; the range is 1 to 255 seconds. In most cases, a<br />
non-hardware failover is 2 seconds <strong>and</strong> a hardware failover is 6 seconds.<br />
If routing is configured, the failover of the particular routing protocol (such as RIP V1, RIP V2, or OSPF)<br />
is added to the failover time associated with ESRP.<br />
If you use OSPF, make your OSPF configuration passive. A passive configuration acts as a stub area <strong>and</strong><br />
helps increase the time it takes for recalculating the network. A passive configuration also maintains a<br />
stable OSPF core.<br />
ESRP Election Algorithms<br />
You configure the switch to use one of seven different election algorithms to select the ESRP master.<br />
Each algorithm considers the election factors in a different order of precedence, as follows:<br />
• ports-track-priority-mac—Active ports, tracking information, ESRP priority, MAC address<br />
(Default)<br />
• ports-track-priority—Active ports, tracking information, ESRP priority<br />
• track-ports-priority-mac—Tracking information, active ports, ESRP priority, MAC address<br />
• track-ports-priority—Tracking information, active ports, ESRP priority<br />
• priority-ports-track-mac—ESRP priority, active ports, tracking information, MAC address<br />
• priority-track-ports-mac—ESRP priority, tracking information, active ports, MAC address<br />
• priority-mac-only—ESRP priority, MAC address<br />
290 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Advanced ESRP Features<br />
CAUTION<br />
All switches in the ESRP network must use the same election algorithm, otherwise loss of connectivity,<br />
broadcast storms, or other unpredictable behavior may occur.<br />
Advanced ESRP Features<br />
This section describes the following advanced ESRP features:<br />
• ESRP Tracking on page 291<br />
• ESRP Port Restart on page 295<br />
• ESRP Host Attach on page 295<br />
• ESRP Don’t Count on page 296<br />
• ESRP Domains on page 296<br />
• ESRP Groups on page 297<br />
• Selective Forwarding on page 298<br />
ESRP Tracking<br />
Tracking information is used to track various forms of connectivity from the ESRP switch to the outside<br />
world. This section describes the following ESRP tracking options:<br />
• ESRP Environment <strong>and</strong> Diagnostic Tracking on page 291<br />
• ESRP VLAN Tracking on page 292<br />
• ESRP Route Table Tracking on page 292<br />
• ESRP Ping Tracking on page 292<br />
• OSPF Tracking on page 293<br />
• RIP Tracking on page 293<br />
ESRP Environment <strong>and</strong> Diagnostic Tracking<br />
You can configure ESRP to track hardware status. If a power supply or fan fails, if the chassis is<br />
overheating, if a non-fully loaded power supply is detected, or if the diagnostics fail, the priority for the<br />
ESRP VLAN will change to the failover settings. You can track the environment, diagnostics, or both at<br />
the same time.<br />
To configure the failover priority for ESRP VLAN, follow these steps:<br />
1 Assign a priority to each ESRP VLAN, using the following comm<strong>and</strong>:<br />
configure vlan esrp priority <br />
The range of the priority value is 0 to 254; a higher number has a higher priority. The default priority<br />
setting is 0.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 291
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
NOTE<br />
If you set the priority to 255, the ESRP VLAN will remain in slave mode even if the master ESRP<br />
VLAN fails.<br />
You will typically configure both ESRP VLANs with the same priority.<br />
2 Assign the priority flag precedence over the active ports count, using the following comm<strong>and</strong>:<br />
configure vlan esrp esrp-election [ports-track-priority |<br />
ports-track-priority-mac | track-ports-priority | track-ports-priority-mac |<br />
priority-ports-track-mac | priority-track-ports-mac | priority-mac-only]<br />
Because the priority of both ESRP VLANs are set to the same value, ESRP will use the active ports<br />
count to determine the master ESRP VLAN.<br />
3 Set the failover priority, using the following comm<strong>and</strong>:<br />
configure vlan add track-diagnostic failover <br />
The range of the priority value is 0 to 254; a higher number has a higher priority. The default priority<br />
setting is 0.<br />
Typically you will set the failover priority lower than the configured priority. Then, if one of the<br />
ESRP VLANs experiences a hardware or diagnostics failure, it will become the st<strong>and</strong>by VLAN.<br />
ESRP VLAN Tracking<br />
You can configure ESRP to track port connectivity to one or more specified VLANs as criteria for<br />
failover. The number of VLAN active ports are tracked. If the switch is no longer connected to the<br />
specified VLANs, the switch automatically relinquishes master status <strong>and</strong> remains in slave mode. You<br />
can track a maximum of four routes per VLAN.<br />
To add or delete a tracked VLAN, use one of the following comm<strong>and</strong>s:<br />
configure vlan add track-vlan ><br />
configure vlan delete track-vlan <br />
ESRP Route Table Tracking<br />
You can configure ESRP to track specified routes in the route table as criteria for failover. If all of the<br />
configured routes are not available within the route table, the switch automatically relinquishes master<br />
status <strong>and</strong> remains in slave mode. You can track a maximum of four routes per route table.<br />
To participate in ESRP route table tracking, all ESRP switches must run either <strong><strong>Extreme</strong>Ware</strong> for “e”<br />
series switches (any version or release) or <strong><strong>Extreme</strong>Ware</strong> for “i” chipsets (version 6.0 or above).<br />
To add or delete a tracked route, use one of the following comm<strong>and</strong>s:<br />
configure vlan add track-iproute /<br />
configure vlan delete track-ospf<br />
ESRP Ping Tracking<br />
You can configure ESRP to track connectivity using a simple ping to any device. This may represent the<br />
default route of the switch, or any device meaningful to network connectivity of the master ESRP<br />
switch. The switch automatically relinquishes master status <strong>and</strong> remains in slave mode if a ping<br />
keepalive fails. You can configure a maximum of four ping tracks.<br />
292 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Advanced ESRP Features<br />
NOTE<br />
The ESRP ping tracking option cannot be configured to ping an IP address within an ESRP VLAN<br />
subnet. It should be configured on some other normal VLAN across the router boundary.<br />
To participate in ESRP ping tracking, all ESRP switches must run either <strong><strong>Extreme</strong>Ware</strong> for “e” series<br />
switches (any version or release) or <strong><strong>Extreme</strong>Ware</strong> for “i” chipsets (version 6.0 or above).<br />
To view the status of tracked devices, use the following comm<strong>and</strong>:<br />
show esrp {detail}<br />
To configure ping tracking, use the following comm<strong>and</strong>:<br />
configure vlan add track-ping frequency miss<br />
<br />
OSPF Tracking<br />
You can configure ESRP to track any available OSPF routes as a criteria for failover. ESRP tracks the<br />
presence or non-presence of the OSPF routes in the route table. If no OSPF routes are detected, the ESRP<br />
VLAN priority steps to the failover-priority value specified.<br />
To configure OSPF tracking, use the following comm<strong>and</strong>:<br />
configure vlan add track-ospf failover <br />
To disable OSPF tracking, use the following comm<strong>and</strong>:<br />
configure vlan delete track-ospf<br />
RIP Tracking<br />
You can configure ESRP to track any available RIP routes as a criteria for failover. ESRP tracks the<br />
presence or non-presence of the RIP routes in the route table. If no RIP routes are detected, the ESRP<br />
VLAN priority steps to the failover-priority value specified.<br />
To configure RIP tracking, use the following comm<strong>and</strong>:<br />
configure vlan add track-rip failover <br />
To disable RIP tracking, use the following comm<strong>and</strong>:<br />
configure vlan delete track-rip<br />
ESRP Tracking Example<br />
Figure 41 is an example of ESRP tracking.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 293
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Figure 41: ESRP tracking<br />
Host 2:<br />
200.1.1.14/24<br />
Gateway:<br />
200.1.1.1<br />
ESRP master<br />
200.1.1.1/24<br />
vlan esrp1<br />
(track-vlan)<br />
vlan vlan1<br />
Router<br />
L2 switch<br />
10.10.10.121<br />
Host 1:<br />
200.1.1.13/24<br />
Gateway:<br />
200.1.1.1<br />
ESRP slave<br />
200.1.1.2/24<br />
EW_080<br />
To configure VLAN tracking, use the following comm<strong>and</strong>:<br />
configure vlan esrp1 add track-vlan vlan1<br />
Using the tracking mechanism, if VLAN1 fails, the ESRP master realizes that there is no path to the<br />
upstream router via the Master switch <strong>and</strong> implements a failover to the slave.<br />
To configure route table tracking, use the following comm<strong>and</strong>:<br />
configure vlan esrp1 add track-iproute 10.10.10.0/24<br />
The route specified in this comm<strong>and</strong> must exist in the IP routing table. When the route is no longer<br />
available, the switch implements a failover to the slave.<br />
To configure ping tracking, use the following comm<strong>and</strong>:<br />
configure vlan esrp1 add track-ping 10.10.10.121 2 2<br />
The specified IP address is tracked. If the fail rate is exceeded the switch implements a failover to the<br />
slave.<br />
To configure RIP tracking, use the following comm<strong>and</strong>:<br />
configure vlan esrp1 add track-rip failover 20<br />
The switch tracks RIP routes in its IP routing table. If no RIP routes are available, the switch implements<br />
a failover to failover priority 20.<br />
To configure OSPF tracking, use the following comm<strong>and</strong>:<br />
294 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Advanced ESRP Features<br />
configure vlan esrp1 add track-ospf failover 20<br />
The switch tracks OSPF routes in its IP routing table. If no OSPF routes are available, the switch<br />
implements a failover to failover priority 20.<br />
ESRP Port Restart<br />
You can configure ESRP to restart ports in the ESRP master VLAN when the downstream switch is a<br />
non-<strong>Extreme</strong> switch. This action takes down <strong>and</strong> restarts the port link to clear <strong>and</strong> refresh the<br />
downstream ARP table. To configure port restart, use the following comm<strong>and</strong>:<br />
configure vlan add ports [ | all] restart<br />
To disable port restart, use the following comm<strong>and</strong>:<br />
configure vlan add ports [ | all] no-restart<br />
If a switch becomes a slave, ESRP takes down (disconnects) the physical links of member ports that<br />
have port restart enabled. The disconnection of these ports causes downstream devices to remove the<br />
ports from their FDB tables. This feature allows you to use ESRP in networks that include equipment<br />
from other vendors. After 3 seconds the ports re-establish connection with the ESRP switch.<br />
To remove a port from the restart configuration, delete the port from the VLAN <strong>and</strong> re-add it.<br />
NOTE<br />
The port restart feature is also available for VRRP. For more information on VRRP, see Chapter 16.<br />
ESRP Host Attach<br />
ESRP host attach (HA) is an optional ESRP configuration that allows you to connect active hosts directly<br />
to an ESRP master or slave switch. Normally, the layer 2 redundancy <strong>and</strong> loop prevention capabilities of<br />
ESRP do not allow packet forwarding from the slave ESRP switch. ESRP HA allows configured ports<br />
that do not represent loops to the network to continue layer 2 operation independent of their ESRP<br />
status.<br />
ESRP HA is designed for redundancy for dual-homed server connections. HA allows the network to<br />
continue layer 2 forwarding regardless of the ESRP status. Do not use ESRP HA to interconnect devices<br />
on the slave ESRP switch instead of connecting directly to the ESRP master switch.<br />
The ESRP HA option is useful if you are using dual-homed network interface cards (NICs) for server<br />
farms, <strong>and</strong> in conjunction with high availability server load-balancing (SLB) configurations, as shown in<br />
Figure 42. The ESRP HA option is also useful as a means to allow for high availability security where an<br />
unblocked layer 2 environment is necessary.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 295
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Figure 42: ESRP host attach<br />
OSPF/BGP-4<br />
EW_045<br />
ESRP VLANs that share ESRP HA ports must be members of different ESRP groups. Each port can have<br />
a maximum of four VLANs.<br />
When using load sharing with the ESRP HA feature, configure all ports in the same load-sharing group<br />
as host attach ports.<br />
Other applications allow lower cost redundant routing configurations, because hosts can be directly<br />
attached to the switch involved with ESRP. The ESRP HA feature is used only on switches <strong>and</strong> I/O<br />
modules that have the “i” series chipset. It also requires at least one link between the master <strong>and</strong> the<br />
slave ESRP switch for carrying traffic <strong>and</strong> to exchange ESRP hello packets.<br />
NOTE<br />
Do not use the ESRP HA feature with the following protocols: STP, EAPS, or VRRP. A broadcast storm<br />
may occur.<br />
ESRP Don’t Count<br />
ESRP don’t count is an optional ESRP port configuration that allows the port to be part of the VLAN,<br />
but if a link failure occurs, it will not trigger a reconvergence. The don’t count feature has the effect of<br />
not counting the host ports <strong>and</strong> normal ports as active ports. This has the convenience of minimal ESRP<br />
state changes due to frequent client activities like reboots <strong>and</strong> unplugging laptops.<br />
When using load sharing with the ESRP don’t count feature, configure all ports in the same<br />
load-sharing group as don’t count ports.<br />
To configure don’t count on either a host attach port or a normal port, use the following comm<strong>and</strong>:<br />
configure esrp port-mode [host | normal] ports {don’t-count}<br />
ESRP Domains<br />
ESRP domains is an optional ESRP configuration that allows you to configure multiple VLANs under<br />
the control of a single instance of the ESRP protocol. By grouping multiple VLANs under one ESRP<br />
296 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Advanced ESRP Features<br />
domain, the ESRP protocol can scale to provide protection to large numbers of VLANs. All VLANs<br />
within an ESRP domain simultaneously share the same active <strong>and</strong> st<strong>and</strong>by router <strong>and</strong> failover,<br />
providing one port of each member VLAN belongs to the domain master, as shown in Figure 43.<br />
Figure 43: ESRP domains<br />
Software Engineering<br />
(ESRP Domain Master)<br />
Hardware Engineering<br />
(Domain Member)<br />
Mechanical<br />
Engineering<br />
(Domain<br />
Member)<br />
1<br />
9<br />
17<br />
2<br />
10<br />
18<br />
3<br />
11<br />
19<br />
4<br />
12<br />
20<br />
5<br />
13<br />
21<br />
6<br />
14<br />
22<br />
7<br />
15<br />
23<br />
8<br />
16<br />
24<br />
25<br />
26<br />
27<br />
28<br />
29 30 31 32<br />
EW_065<br />
When a port in a member VLAN belongs to the domain master, the member VLAN ports are<br />
considered when determining the ESRP master. You can configure a maximum of 64 ESRP domains in a<br />
network.<br />
ESRP Groups<br />
<strong><strong>Extreme</strong>Ware</strong> supports running multiple instances of ESRP within the same VLAN or broadcast<br />
domain. This functionality is called an ESRP group. Though other uses exist, the most typical<br />
application for multiple ESRP groups is when two or more sets of ESRP switches are providing<br />
fast-failover protection within a subnet. A maximum of four distinct ESRP groups can be supported on<br />
a single ESRP switch. You can configure a maximum of 32 ESRP groups in a network.<br />
For example, two ESRP switches provide L2/L3 connectivity <strong>and</strong> redundancy for the subnet, while<br />
another two ESRP switches provide L2 connectivity <strong>and</strong> redundancy for a portion of the same subnet.<br />
Figure 44 shows ESRP groups.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 297
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Figure 44: ESRP groups<br />
ESRP<br />
Group1<br />
Master<br />
ESRP<br />
Group1<br />
St<strong>and</strong>by<br />
ESRP<br />
Group2<br />
Master<br />
(L2 only)<br />
ESRP Group2 St<strong>and</strong>by<br />
(L2 only)<br />
EW_056<br />
NOTE<br />
A switch cannot perform both master <strong>and</strong> slave functions on the same VLAN for separate instances of<br />
ESRP.<br />
An additional user for ESRP groups is ESRP Host Attach (HA), described on page 295.<br />
Selective Forwarding<br />
An ESRP-aware switch floods ESRP PDUs to all ports in an ESRP-aware VLAN <strong>and</strong> the CPU. This<br />
flooding increases the amount of network traffic because all ports, regardless if they are connected to<br />
switches running the same ESRP group or not, receive ESRP PDUs. To reduce the amount of traffic, you<br />
can select the ports that receive ESRP PDUs by configuring selective forwarding on an ESRP-aware<br />
VLAN. By configuring selective forwarding, you create a portlist for the ESRP groups associated with<br />
an ESRP-aware VLAN, <strong>and</strong> that portlist is used for forwarding ESRP PDUs on the relevant ports only.<br />
You configure this feature on a per-VLAN basis, <strong>and</strong> selective forwarding is disabled by default.<br />
NOTE<br />
<strong>Extreme</strong> <strong>Networks</strong> recommends keeping the default settings unless you have considerable knowledge<br />
<strong>and</strong> experience with ESRP.<br />
To configure selective forwarding, use the following comm<strong>and</strong>:<br />
configure vlan esrp group add esrp-aware-ports [all |<br />
]<br />
298 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Displaying ESRP Information<br />
where the following is true:<br />
• vlan name—Specifies an ESRP-aware VLAN name.<br />
• group number—Specifies the ESRP group to which this ESRP-aware VLAN belongs. The ESRP<br />
group number must be the same as the ESRP-aware VLAN number.<br />
• all—Specifies all of the ports to be configured. All of the ports must be connected to switches<br />
running ESRP, <strong>and</strong> the ports must connect to the ESRP master <strong>and</strong> slave switches.<br />
• portlist—Specifies the ports to be configured. The selected ports must be connected to switches<br />
running ESRP, <strong>and</strong> the ports must connect to the ESRP master <strong>and</strong> slave switches. May be in the<br />
form 1, 2, 3-5, 2:*, 2:5, 2:6-2:8.<br />
When an ESRP-aware switch receives an ESRP PDU, the software will lookup the group to which the<br />
PDU belongs <strong>and</strong> will forward the ESRP PDU to the group's portlist <strong>and</strong> the CPU.<br />
You cannot enable selective forwarding on an ESRP-enabled VLAN. If you try to enable selective<br />
forwarding on an ESRP-enabled VLAN, you see the following message:<br />
ERROR: vlan meg is esrp enabled. Cannot enable selective forwarding on esrp vlans<br />
To disable selective forwarding, use the following comm<strong>and</strong>:<br />
configure vlan esrp group delete esrp-aware-ports [all |<br />
]<br />
where the following is true:<br />
• group number—Specifies the ESRP group to which this ESRP-aware VLAN belongs. The ESRP<br />
group number must be the same number as the ESRP-aware VLAN.<br />
• all—Specifies all of the ports to be disabled.<br />
• portlist—Specifies the selected ports to be disabled.<br />
Displaying Selective Forwarding Information<br />
To display the ESRP-aware VLAN(s), the ESRP group(s), <strong>and</strong> the ESRP-aware port(s) that receive ESRP<br />
PDUs, use the following comm<strong>and</strong>:<br />
show esrp-aware-ports {vlan }<br />
Displaying ESRP Information<br />
To verify the operational state of an ESRP VLAN <strong>and</strong> the state of its neighbor, use the following<br />
comm<strong>and</strong>:<br />
show esrp {detail}<br />
If you enter the show esrp comm<strong>and</strong> without a keyword, the comm<strong>and</strong> displays summary ESRP<br />
status information for the VLANs on the switch. Use the detail keyword to display more detailed<br />
status information.<br />
To view tracking information about a particular VLAN, including the VLANs tracked by it <strong>and</strong> a list of<br />
the VLANs tracking it, use the following comm<strong>and</strong>:<br />
show vlan<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 299
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
To view ESRP configuration information for a specific VLAN, use the following comm<strong>and</strong>:<br />
show esrp vlan<br />
To view ESRP counter information for a specific VLAN, use the following comm<strong>and</strong>:<br />
show esrp vlan {counters}<br />
To view ESRP-aware information for a specific VLAN, including:<br />
• Group number<br />
• MAC address for the master of the group<br />
• Age of the information<br />
use the following comm<strong>and</strong>:<br />
show esrp-aware vlan <br />
For more information about any of the comm<strong>and</strong>s used to enable, disable, or configure ESRP, refer to<br />
the <strong><strong>Extreme</strong>Ware</strong> Software Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
Using ELRP with ESRP<br />
<strong>Extreme</strong> Loop Recovery Protocol (ELRP) is a feature of <strong><strong>Extreme</strong>Ware</strong> that allows you to prevent, detect,<br />
<strong>and</strong> recover from layer 2 loops in the network. You can use ELRP with other protocols such as ESRP.<br />
With ELRP, each switch, except for the sender, treats the ELRP PDU as a layer 2 multicast packet. The<br />
sender uses the source <strong>and</strong> destination MAC addresses to identify the packet it sends <strong>and</strong> receives.<br />
When the sender receives its original packet back, that triggers loop detection <strong>and</strong> prevention. Once a<br />
loop is detected, the loop recovery agent is notified of the event <strong>and</strong> takes the necessary actions to<br />
recover from the loop. ELRP operates only on the sending switch; therefore, ELRP operates<br />
transparently across the network.<br />
How a loop recovers is dependent upon the protocol that uses the loop detection services provided by<br />
ELRP. If you are using ELRP in an ESRP environment, ESRP may recover by transitioning the VLAN<br />
state from master to slave. This section describes how ESRP uses ELRP to recover from a loop <strong>and</strong> the<br />
switch behavior.<br />
ELRP Terms<br />
Table 40 describes terms associated with ELRP.<br />
Table 40: ELRP Terms<br />
Term<br />
Loop detection<br />
Description<br />
The process ELRP uses to detect a loop in the network. The switch sending the<br />
ELRP PDU waits to receive its original PDU back. If the switch receives the PDU,<br />
there is a loop in the network.<br />
300 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Using ELRP with ESRP<br />
Table 40: ELRP Terms (Continued)<br />
Term<br />
ELRP PDU<br />
Description<br />
<strong>Extreme</strong> Loop Recovery Protocol Protocol Data Unit. A layer 2 multicast packet that<br />
helps the sending switch determine if there is a loop in the network. The sender uses<br />
the source <strong>and</strong> destination MAC addresses to identify the packet it sends <strong>and</strong><br />
receives. When the sender receives its original packet back, that triggers loop<br />
detection <strong>and</strong> prevention. (Also known as loop-detect packets.)<br />
Using ELRP with ESRP to Recover Loops<br />
ELRP sends loop-detect packets to notify ESRP about loops in the network. In an ESRP environment,<br />
when the current master goes down, one of the slaves becomes the master <strong>and</strong> continues to forward<br />
layer 2 <strong>and</strong> layer 3 traffic for the ESRP VLAN. If a situation occurs when a slave incorrectly concludes<br />
that the master is down, the slave incorrectly assumes the role of master. This introduces more than one<br />
master on the VLAN which causes temporary loops <strong>and</strong> disruption in the network.<br />
NOTE<br />
Because ELRP introduces the pre-master state to ESRP, you must upgrade all ESRP-enabled switches<br />
within an ESRP domain to <strong><strong>Extreme</strong>Ware</strong> 6.2.2b134 (or later) for ESRP to operate correctly. Earlier<br />
<strong><strong>Extreme</strong>Ware</strong> releases do not recognize the pre-master state.<br />
ELRP on ESRP Pre-Master Switch Behavior<br />
A pre-master switch is an ESRP switch that is ready to transition to master, but is going through<br />
possible loop detection. A pre-master periodically sends out ELRP loop-detect packets (ELRP PDUs) for<br />
a specified number of times <strong>and</strong> waits to make sure that none of the sent ELRP PDUs are received.<br />
Transition to master occurs only after this additional check is completed. If any of the ELRP PDUs are<br />
received, the switch transitions from pre-master to slave state. You configure pre-master ELRP loop<br />
detection on a per VLAN basis.<br />
ELRP on ESRP Master Switch Behavior<br />
A master switch is an ESRP switch that sends ELRP PDUs on its VLAN ports. If the master switch<br />
receives an ELRP PDU that it sent, the master transitions to the slave. While in the slave state, the<br />
switch transitions to the pre-master state <strong>and</strong> periodically checks for loops prior to transitioning to the<br />
master. The pre-master process is described in “ELRP on ESRP Pre-Master Switch Behavior” on<br />
page 301. You configure the master ELRP loop detection on a per VLAN basis.<br />
Configuring ELRP<br />
This section describes the comm<strong>and</strong>s used to configure ELRP for use with ESRP. By default, ELRP is<br />
disabled.<br />
Configuring the Pre-Master<br />
If you enable the use of ELRP by ESRP in the pre-master state, ESRP requests ELRP packets sent to<br />
ensure that there is no loop in the network prior to changing to the master state. If no packets are<br />
received, there is no loop in the network. By default, the use of ELRP by ESRP in the pre-master state is<br />
disabled.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 301
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
To enable the use of ELRP by ESRP in the pre-master state on a per-VLAN basis, <strong>and</strong> to configure how<br />
often <strong>and</strong> how many ELRP PDUs are sent in the pre-master state, use the following comm<strong>and</strong>:<br />
configure vlan esrp elrp-premaster-poll enable {count | interval<br />
}<br />
where the following is true:<br />
• vlan name—Specifies an ESRP-enabled VLAN name.<br />
• number—Specifies the number of times the switch sends ELRP PDUs. The default is 3, <strong>and</strong> the range<br />
is 1 to 32.<br />
• seconds—Specifies how often, in seconds, the ELRP PDUs are sent. The default is 1 seconds, <strong>and</strong> the<br />
range is 1 to 32 seconds.<br />
To disable the use of ELRP by ESRP in the pre-master state, use the following comm<strong>and</strong>:<br />
configure vlan esrp elrp-premaster-poll disable<br />
Configuring the Master<br />
If you enable the use of ELRP by ESRP in the master state, ESRP requests that ELRP packets are<br />
periodically sent to ensure that there is no loop in the network while ESRP is in the master state. By<br />
default, the use of ELRP by ESRP in the master state is disabled.<br />
To enable the use of ELRP by ESRP in the master state on a per-VLAN basis, <strong>and</strong> to configure how<br />
often the master checks for loops in the network, use the following comm<strong>and</strong>:<br />
configure vlan esrp elrp-master-poll enable {interval }<br />
where the following is true:<br />
• vlan name—Specifies <strong>and</strong> ESRP-enabled VLAN name.<br />
• seconds—Specifies how often, in seconds, successive ELRP packets are sent. The default is 1 second,<br />
<strong>and</strong> the range is 1 to 32 seconds.<br />
To disable the use of ELRP by ESRP in the master state, use the following comm<strong>and</strong>:<br />
configure vlan esrp elrp-master-poll disable<br />
Configuring Ports<br />
You can configure one or more ports of a VLAN where ELRP packet transmission is requested by ESRP.<br />
This allows the ports in your network that might experience loops, such as ports that connect to the<br />
master, slave, or ESRP-aware switches, to receive ELRP packets. You do not need to send ELRP packets<br />
to host ports.<br />
By default, all ports of the VLAN where ESRP is enabled also has ELRP transmission enabled on the<br />
ports.<br />
If you change your network configuration, <strong>and</strong> a port no longer connects to a master, slave, or<br />
ESRP-aware switch, you can disable ELRP transmission on that port. To disable ELRP transmission, use<br />
the following comm<strong>and</strong>:<br />
configure vlan delete elrp-poll ports [ | all]<br />
302 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
ESRP Examples<br />
To enable ELRP transmission on a port, use the following comm<strong>and</strong>:<br />
configure vlan add elrp-poll ports [ | all]<br />
Displaying ELRP Information<br />
To display summary ELRP information, use the following comm<strong>and</strong>:<br />
show elrp { | detail}<br />
If you enter the show elrp comm<strong>and</strong> without a keyword, the comm<strong>and</strong> displays the total number of:<br />
• Clients registered with ELRP<br />
• ELRP packets transmitted<br />
• ELRP packets received<br />
Use the vlan name parameter to display information specific to a VLAN, <strong>and</strong> the detail keyword to<br />
display more detailed status information for VLANs in the master <strong>and</strong> pre-master states.<br />
For more detailed information about the output associated with the show elrp comm<strong>and</strong>, see the<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
ESRP Examples<br />
This section provides examples of ESRP configurations.<br />
Single VLAN Using Layer 2 <strong>and</strong> Layer 3 Redundancy<br />
This example, shown in Figure 45, uses a number of Summit switches that perform layer 2 switching for<br />
VLAN Sales. The Summit switches are dual-homed to the BlackDiamond switches. The BlackDiamond<br />
switches perform layer 2 switching between the Summit switches <strong>and</strong> layer 3 routing to the outside<br />
world. Each Summit switch is dual-homed using active ports to two BlackDiamond switches (as many<br />
as four could be used). ESRP is enabled on each BlackDiamond switch only for the VLAN that<br />
interconnects to the Summit switches. Each BlackDiamond switch has the VLAN Sales configured using<br />
the identical IP address. The BlackDiamond switches then connect to the routed enterprise normally,<br />
using the desired routing protocol (for example RIP or OSPF).<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 303
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Figure 45: ESRP example using layer 2 <strong>and</strong> layer 3 redundancy<br />
OSPF or RIP<br />
Sales<br />
VLAN<br />
(master)<br />
Sales<br />
VLAN<br />
(st<strong>and</strong>by)<br />
EW_021<br />
The BlackDiamond switch, acting as master for VLAN Sales, performs both layer 2 switching <strong>and</strong> layer<br />
3 routing services for VLAN Sales. The BlackDiamond switch in slave mode for VLAN Sales performs<br />
neither, thus preventing bridging loops in the VLAN. The BlackDiamond switch in slave mode does,<br />
however, exchange EDP packets with the master BlackDiamond switch.<br />
There are four paths between the BlackDiamond switches on VLAN Sales. All the paths are used to send<br />
EDP packets, allowing for four redundant paths for communication. The Summit switches, being<br />
ESRP-aware, allow traffic within the VLAN to fail-over quickly, as they will sense when a master/slave<br />
transition occurs <strong>and</strong> flush FDB entries associated with the uplinks to the ESRP-enabled BlackDiamond<br />
switches.<br />
The following comm<strong>and</strong>s are used to configure both BlackDiamond switches. The assumption is that<br />
the inter-router backbone is running OSPF, with other routed VLANs already properly configured.<br />
Similar comm<strong>and</strong>s would be used to configure a switch on a network running RIP. The primary<br />
requirement is that the IP address for the VLAN(s) running ESRP must be identical. In this scenario, the<br />
master is determined by the programmed MAC address of the switch, because the number of active<br />
links for the VLAN <strong>and</strong> the priority are identical to both switches.<br />
The comm<strong>and</strong>s used to configure the BlackDiamond switches are as follows:<br />
create vlan sales<br />
configure sales add port 1:1-1:4<br />
configure sales ipaddr 10.1.2.3/24<br />
enable ipforwarding<br />
304 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
ESRP Examples<br />
enable esrp sales<br />
enable edp ports all<br />
configure ospf add vlan sales<br />
enable ospf<br />
Multiple VLANs Using Layer 2 Redundancy<br />
The example shown in Figure 46 illustrates an ESRP configuration that has multiple VLANs using layer<br />
2 redundancy.<br />
Figure 46: ESRP example using layer 2 redundancy<br />
Sales master,<br />
Engineering st<strong>and</strong>by<br />
Sales st<strong>and</strong>by,<br />
Engineering master<br />
Sales<br />
Sales<br />
Sales +<br />
Engineering<br />
Engineering<br />
Sales - untagged link<br />
Engineering - untagged link<br />
Sales + Engineering - tagged link<br />
EW_022<br />
This example builds on the previous example, but eliminates the requirement of layer 3 redundancy. It<br />
has the following features:<br />
• An additional VLAN, Engineering, is added that uses layer 2 redundancy.<br />
• The VLAN Sales uses three active links to each BlackDiamond switch.<br />
• The VLAN Engineering has two active links to each BlackDiamond switch.<br />
• The third Summit switch carries traffic for both VLANs.<br />
• The link between the third Summit switch <strong>and</strong> the first BlackDiamond switch uses 802.1Q tagging to<br />
carry traffic from both VLANs traffic on one link. The BlackDiamond switch counts the link active<br />
for each VLAN.<br />
• The second BlackDiamond switch has a separate physical port for each VLAN connected to the third<br />
Summit switch.<br />
In this example, the BlackDiamond switches are configured for ESRP such that the VLAN Sales<br />
normally uses the first BlackDiamond switch <strong>and</strong> the VLAN Engineering normally uses the second<br />
BlackDiamond switch. This is accomplished by manipulating the ESRP priority setting for each VLAN<br />
for the particular BlackDiamond switch.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 305
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol<br />
Configuration comm<strong>and</strong>s for the first BlackDiamond switch are as follows:<br />
create vlan sales<br />
configure sales tag 10<br />
configure sales add port 1:1-1:2<br />
configure sales add port 1:3 tagged<br />
configure sales ipaddr 10.1.2.3/24<br />
create vlan eng<br />
configure eng tag 20<br />
configure eng add port 1:4<br />
configure eng add port 1:3 tagged<br />
configure eng ipaddr 10.4.5.6/24<br />
enable esrp sales<br />
enable esrp eng<br />
enable edp ports all<br />
configure sales esrp priority 5<br />
Configuration comm<strong>and</strong>s for the second BlackDiamond switch are as follows:<br />
create vlan sales<br />
configure sales add port 1:1-1:3<br />
configure sales ipaddr 10.1.2.3/24<br />
create vlan eng<br />
configure eng add port 1:4, 2:1<br />
configure eng ipaddr 10.4.5.6/24<br />
enable esrp sales<br />
enable esrp eng<br />
configure eng esrp priority 5<br />
ESRP Cautions<br />
This section describes important details to be aware of when configuring ESRP.<br />
Configuring ESRP <strong>and</strong> Multinetting<br />
When configuring ESRP <strong>and</strong> IP multinetting on the same switch, the parameters that affect the<br />
determination of the ESRP master must be configured identically for all the VLANs involved with IP<br />
multinetting. For example, the number of links in your configuration, the priority settings, <strong>and</strong> timer<br />
settings must be identical for all affected VLANs.<br />
ESRP <strong>and</strong> Spanning Tree<br />
A switch running ESRP should not simultaneously participate in the Spanning Tree Protocol (STP) for<br />
the same VLAN(s). Other switches in the VLAN being protected by ESRP may run STP <strong>and</strong> the switch<br />
running ESRP forwards, but does not filter, STP BPDUs. Therefore, you can combine ESRP <strong>and</strong> STP on<br />
a network <strong>and</strong> a VLAN, but you must do so on separate devices. You should be careful to maintain<br />
ESRP connectivity between ESRP master <strong>and</strong> slave switches when you design a network that uses ESRP<br />
<strong>and</strong> STP.<br />
306 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
16 Virtual Router Redundancy Protocol<br />
This chapter covers the following topics:<br />
• Overview on page 307<br />
• Determining the VRRP Master on page 308<br />
• Additional VRRP Highlights on page 311<br />
• VRRP Operation on page 312<br />
• VRRP Configuration Parameters on page 315<br />
• VRRP Examples on page 316<br />
This chapter assumes that you are already familiar with the Virtual Router Redundancy Protocol<br />
(VRRP). If not, refer to the following publications for additional information:<br />
• RFC 2338—Virtual Router Redundancy Protocol (VRRP)<br />
• RFC 2787—Definitions of Managed Objects for the Virtual Router Redundancy Protocol<br />
Overview<br />
Like ESRP, VRRP is a protocol that allows multiple switches to provide redundant routing services to<br />
users. VRRP is used to eliminate the single point of failure associated with manually configuring a<br />
default gateway address on each host in a network. Without using VRRP, if the configured default<br />
gateway fails, you must reconfigure each host on the network to use a different router as the default<br />
gateway. VRRP provides a redundant path for the hosts. If the default gateway fails, the backup router<br />
assumes forwarding responsibilities.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 307
Virtual Router Redundancy Protocol<br />
VRRP Terms<br />
Table 41 describes terms associated with VRRP.<br />
Table 41: VRRP Terms<br />
Term<br />
virtual router<br />
VRRP router<br />
IP address owner<br />
master router<br />
backup router<br />
VRID<br />
virtual router MAC<br />
address<br />
Description<br />
A VRRP router is a group of one or more physical devices that acts as the default<br />
gateway for hosts on the network. The virtual router is identified by a virtual router<br />
identifier (VRID) <strong>and</strong> an IP address.<br />
Any router that is running VRRP. A VRRP router can participate in one or more virtual<br />
routers. A VRRP router can be a backup router for one more master routers.<br />
A single VRRP router that has the IP address of the virtual router configured as its real<br />
interface address. The IP address owner responds to TCP/IP packets addressed to the<br />
virtual router IP address. The IP address owner is optional in a VRRP configuration.<br />
The physical device (router) in the virtual router that is responsible for forwarding<br />
packets sent to the virtual router, <strong>and</strong> responding to ARP requests. The master router<br />
sends out periodic advertisements that let backup routers on the network know that it is<br />
alive. If the IP address owner is identified, it always becomes the master.<br />
Any VRRP router in the virtual router that is not elected as the master. The backup<br />
router is available to assume forwarding responsibility if the master becomes<br />
unavailable.<br />
Virtual router identifier. Each virtual router is given a unique VRID. All of the VRRP<br />
routers that participate in the virtual router are assigned the same VRID.<br />
RFC 2338 assigns a static MAC address for the first 5 octets of the virtual router.<br />
These octets are set to 00-00-5E-00-01. When you configure the VRID, the last octet of<br />
the MAC address is dynamically assigned the VRID number.<br />
Determining the VRRP Master<br />
The VRRP master is determined by the following factors:<br />
• IP address—If a router is configured with the IP address of the virtual IP address, it becomes the<br />
master.<br />
• VRRP priority—This is a user-defined field. The range of the priority value is 1 to 254; a higher<br />
number has higher priority. The value of 255 is reserved for a router that is configured with the<br />
virtual router IP address. A value of 0 is reserved for the master router, to indicate it is releasing<br />
responsibility for the virtual router. The default value is 100.<br />
• Higher IP address—If the routers have the same configured priority, the router with the higher IP<br />
address becomes the master.<br />
VRRP Tracking<br />
Tracking information is used to track various forms of connectivity from the VRRP router to the outside<br />
world. This section describes the following VRRP tracking options:<br />
• VRRP VLAN tracking<br />
• VRRP route table tracking<br />
• VRRP ping tracking<br />
308 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Determining the VRRP Master<br />
VRRP VLAN Tracking<br />
You can configure VRRP to track connectivity to one or more specified VLANs as criteria for failover. If<br />
no active ports remain on the specified VLANs, the router automatically relinquishes master status <strong>and</strong><br />
remains in backup mode.<br />
To add or delete a tracked VLAN, use one of the following comm<strong>and</strong>s:<br />
configure vlan add track-vlan <br />
configure vlan delete track-vlan <br />
VRRP Route Table Tracking<br />
You can configure VRRP to track specified routes in the route table as criteria for failover. If any of the<br />
configured routes are not available within the route table, the router automatically relinquishes master<br />
status <strong>and</strong> remains in backup mode.<br />
To add or delete a tracked route, use the following comm<strong>and</strong>:<br />
configure vlan add track-iproute /<br />
VRRP Ping Tracking<br />
You can configure VRRP to track connectivity using a simple ping to any outside responder. The<br />
responder may represent the default route of the router, or any device meaningful to network<br />
connectivity of the master VRRP router. The router automatically relinquishes master status <strong>and</strong><br />
remains in backup mode if a ping keepalive fails three consecutive times.<br />
To add or delete a tracked route, use one of the following comm<strong>and</strong>s:<br />
configure vlan add track-ping frequency miss<br />
<br />
configure vlan delete track-ping <br />
To view the status of tracked devices, use the following comm<strong>and</strong>:<br />
show vrrp [vlan | all] {detail}<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 309
Virtual Router Redundancy Protocol<br />
VRRP Tracking Example<br />
Figure 47 is an example of VRRP tracking.<br />
Figure 47: VRRP tracking<br />
Host 2:<br />
200.1.1.14/24<br />
Gateway:<br />
200.1.1.1<br />
VRRP master<br />
200.1.1.1/24<br />
L2 switch<br />
or hub<br />
(track-vlan)<br />
vlan vlan1<br />
Router<br />
10.10.10.121<br />
Host 1:<br />
200.1.1.13/24<br />
Gateway:<br />
200.1.1.1<br />
VRRP backup<br />
200.1.1.2/24<br />
EW_079<br />
To configure VLAN tracking, as shown in Figure 47, use the following comm<strong>and</strong>:<br />
Configure vlan vrrp1 add track-vlan vlan1<br />
Using the tracking mechanism, if VLAN1 fails, the VRRP master realizes that there is no path to<br />
upstream router via the Master switch <strong>and</strong> implements a failover to the backup.<br />
To configure route table tracking, as shown in Figure 47, use the following comm<strong>and</strong>:<br />
configure vlan vrrp1 add track-iproute 10.10.10.0/24<br />
The route specified in this comm<strong>and</strong> must exist in the IP routing table. When the route is no longer<br />
available, the switch implements a failover to the backup.<br />
To configure ping tracking, as shown in Figure 47, use the following comm<strong>and</strong>:<br />
configure vlan vrrp1 add track-ping 10.10.10.121 2 2<br />
The specified IP address is tracked. If the fail rate is exceeded the switch implements a failover to the<br />
backup.<br />
310 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Additional VRRP Highlights<br />
Electing the Master Router<br />
VRRP uses an election algorithm to dynamically assign responsibility for the master router to one of the<br />
VRRP routers on the network. A VRRP router is elected master if one of the following is true:<br />
• The router is the IP address owner.<br />
• The router is configured with the highest priority (the range is 3 - 255).<br />
If the master router becomes unavailable, the election process provides dynamic failover <strong>and</strong> the backup<br />
router that has the highest priority assumes the role of master.<br />
A new master is elected when one of the following things happen:<br />
• VRRP is disabled on the master router.<br />
• Loss of communication between master <strong>and</strong> backup router(s).<br />
When VRRP is disabled on the master interface, the master router sends an advertisement with the<br />
priority set to 0 to all backup routers. This signals the backup routers that they do not need to wait for<br />
the master down interval to expire, <strong>and</strong> the master election process for a new master can begin<br />
immediately.<br />
The master down interval is set as follows:<br />
3 * advertisement interval + skew time<br />
Where:<br />
• The advertisement interval is a user-configurable option.<br />
• The skew time is (256-priority/256).<br />
NOTE<br />
An extremely busy CPU can create a short dual master situation. To avoid this, increase the<br />
advertisement interval.<br />
Additional VRRP Highlights<br />
The following additional points pertain to VRRP:<br />
• VRRP packets are encapsulated IP packets.<br />
• The VRRP multicast address is 224.0.0.18.<br />
• The virtual router MAC address is 00 00 5E 00 01 <br />
• Duplicate virtual router IDs are allowed on the router, but not on the same interface.<br />
• The maximum number of supported VRIDs per interface is 4.<br />
• An interconnect link between VRRP routers should not be used, except when VRRP routers have<br />
hosts directly attached.<br />
• A maximum of 64 VRID instances are supported on the router.<br />
• Up to 4 unique VRIDs can be configured on the router. VRIDs can be re-used, but not on the same<br />
interface.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 311
Virtual Router Redundancy Protocol<br />
• VRRP <strong>and</strong> Spanning Tree can be simultaneously enabled on the same switch.<br />
• VRRP <strong>and</strong> ESRP cannot be simultaneously enabled on the same switch.<br />
VRRP Port Restart<br />
You can configure VRRP to restart ports if those ports are members of a VLAN that becomes a backup.<br />
To configure port restart, use the following comm<strong>and</strong>:<br />
configure vlan add ports [ | all] restart<br />
To disable port restart, use the following comm<strong>and</strong>:<br />
configure vlan add ports [ | all] no-restart<br />
If a VLAN becomes a backup, VRRP disconnects member ports that have port restart enabled. The<br />
disconnection of these ports causes downstream devices to remove the ports from their FDB tables. This<br />
feature allows you to use VRRP in networks that include equipment from other vendors. After 3<br />
seconds the ports re-establish connection with the VRRP switch.<br />
To remove a port from the restart configuration, delete the port from the VLAN <strong>and</strong> re-add it.<br />
NOTE<br />
The port restart feature is also available for ESRP. For more information on ESRP, see Chapter 15.<br />
VRRP Operation<br />
This section describes two VRRP network configuration:<br />
• A simple VRRP network<br />
• A fully-redundant VRRP network<br />
Simple VRRP Network Configuration<br />
Figure 48 shows a simple VRRP network.<br />
312 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
VRRP Operation<br />
Figure 48: Simple VRRP network<br />
Switch A<br />
Switch A = Master<br />
VRID = 1<br />
IP address = 192.168.1.3<br />
MAC address = 00-00-5E-00-01-01<br />
Priority = 255<br />
Switch B<br />
Switch B = Backup<br />
VRID = 1<br />
IP address = 192.168.1.3<br />
MAC address = 00-00-5E-00-01-01<br />
Priority = 100<br />
192.168.1.3<br />
192.168.1.5<br />
Default Gateway = 192.168.1.3<br />
EW_067<br />
In Figure 48, a virtual router is configured on Switch A <strong>and</strong> Switch B using these parameters:<br />
• VRID is 1.<br />
• MAC address is 00-00-5E-00-01-01.<br />
• IP address is 192.168.1.3.<br />
Switch A is configured with a priority of 255. This priority indicates that it is the master router. Switch B<br />
is configured with a priority of 100. This indicates that it is a backup router.<br />
The master router is responsible for forwarding packets sent to the virtual router. When the VRRP<br />
network becomes active, the master router broadcasts an ARP request that contains the virtual router<br />
MAC address (in this case, 00-00-5E-00-01-01) for each IP address associated with the virtual router.<br />
Hosts on the network use the virtual router MAC address when they send traffic to the default gateway.<br />
The virtual router IP address is configured to be the real interface address of the IP address owner. The<br />
IP address owner is usually the master router. The virtual router IP address is also configured on each<br />
backup router. However, in the case of the backup router, this IP address is not associated with a<br />
physical interface. Each physical interface on each backup router must have a unique IP address. The<br />
virtual router IP address is also used as the default gateway address for each host on the network.<br />
If the master router fails, the backup router assumes forwarding responsibility for traffic addressed to<br />
the virtual router MAC address. However, because the IP address associated with the master router is<br />
not physically located on the backup router, the backup router cannot reply to TCP/IP messages (such<br />
as pings) sent to the virtual router.<br />
Fully-Redundant VRRP Network<br />
You can use two or more VRRP-enabled switches to provide a fully-redundant VRRP configuration on<br />
your network. Figure 49 shows a fully-redundant VRRP configuration.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 313
Virtual Router Redundancy Protocol<br />
Figure 49: Fully-redundant VRRP configuration<br />
Switch A<br />
Master for 192.168.1.3<br />
Master VRID = 1<br />
Backup VRID = 2<br />
MAC address = 00-00-5E-00-01-01<br />
Switch B<br />
Master for 192.168.1.5<br />
Master VRID = 2<br />
Backup VRID = 1<br />
MAC address = 00-00-5E-00-01-02<br />
Default Route<br />
Backup Route<br />
EW_068<br />
In Figure 49, switch A is configured as follows:<br />
• IP address 192.168.1.3<br />
• Master router for VRID 1<br />
• Backup router for VRID 2<br />
• MAC address 00-00-5E-00-01-01<br />
Switch B is configured as follows:<br />
• IP address 192.168.1.5<br />
• Master router for VRID 2<br />
• Backup router for VRID 1<br />
• MAC address 00-00-5E-00-01-02<br />
Both virtual routers are simultaneously operational. The traffic load from the four hosts is split between<br />
them. Host 1 <strong>and</strong> host 2 are configured to use VRID 1 on switch A as their default gateway. Host 3 <strong>and</strong><br />
host 4 are configured to use VRID 2 on switch B as their default gateway. In the event that either switch<br />
fails, the backup router configured is st<strong>and</strong>ing by to resume normal operation.<br />
314 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
VRRP Configuration Parameters<br />
VRRP Configuration Parameters<br />
Table 42 lists the parameters that are configured on a VRRP router.<br />
Table 42: VRRP Configuration Parameters<br />
Parameter<br />
Description<br />
vrid<br />
Virtual router identifier. Configured item in the range of 1- 255. This<br />
parameter has no default value.<br />
priority<br />
Priority value to be used by this VRRP router in the master election<br />
process. A value of 255 is reserved for a router that is configured with<br />
the virtual router IP address. A value of 0 is reserved for the master<br />
router to indicate it is releasing responsibility for the virtual router. The<br />
range is 1 - 254. The default value is 100.<br />
ip_address<br />
One or more IP addresses associated with this virtual router. This<br />
parameter has no default value.<br />
advertisement_interval Time interval between advertisements, in seconds. The range is 1 -<br />
255. The default value is 1 second.<br />
skew_time<br />
Time to skew master_down_interval, in seconds. This value is<br />
calculated as ((256-priority)/256).<br />
master_down_interval<br />
Time interval for backup router to declare master down, in seconds.<br />
This value is calculated as<br />
((3 * advertisement_interval) + skew_time).<br />
preempt_mode<br />
Controls whether a higher priority backup router preempts a lower<br />
priority master. A value of true allows preemption. A value of false<br />
prohibits preemption. The default setting is true.<br />
NOTE<br />
The router that owns the virtual router IP address always<br />
preempts, independent of the setting of this parameter.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 315
Virtual Router Redundancy Protocol<br />
VRRP Examples<br />
This section provides the configuration syntax for the two VRRP networks discussed in this chapter.<br />
Configuring the Simple VRRP Network<br />
The following illustration shows the simple VRRP network described in Figure 48.<br />
Switch A<br />
Switch A = Master<br />
VRID = 1<br />
IP address = 192.168.1.3<br />
MAC address = 00-00-5E-00-01-01<br />
Priority = 255<br />
Switch B<br />
Switch B = Backup<br />
VRID = 1<br />
IP address = 192.168.1.3<br />
MAC address = 00-00-5E-00-01-01<br />
Priority = 100<br />
192.168.1.3<br />
192.168.1.5<br />
Default Gateway = 192.168.1.3<br />
EW_067<br />
The configuration comm<strong>and</strong>s for switch A are as follows:<br />
configure vlan vlan1 ipaddress 192.168.1.3/24<br />
configure vrrp add vlan vlan2<br />
configure vrrp vlan vlan1 add master vrid 1 192.168.1.3<br />
enable vrrp<br />
The configuration comm<strong>and</strong>s for switch B are as follows:<br />
configure vlan vlan1 ipaddress 192.168.1.5/24<br />
configure vrrp add vlan vlan1<br />
configure vrrp vlan vlan1 add backup vrid 1 192.168.1.3<br />
enable vrrp<br />
316 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
VRRP Examples<br />
Configuring the Fully-Redundant VRRP Network<br />
The following illustration shows the fully-redundant VRRP network configuration described in<br />
Figure 49.<br />
Switch A<br />
Master for 192.168.1.3<br />
Master VRID = 1<br />
Backup VRID = 2<br />
MAC address = 00-00-5E-00-01-01<br />
Switch B<br />
Master for 192.168.1.5<br />
Master VRID = 2<br />
Backup VRID = 1<br />
MAC address = 00-00-5E-00-01-02<br />
Default Route<br />
Backup Route<br />
EW_068<br />
The configuration comm<strong>and</strong>s for switch A are as follows:<br />
configure vlan vlan1 ipaddress 192.168.1.3/24<br />
configure vrrp vlan vlan1 add master vrid 1 192.168.1.3<br />
configure vrrp vlan vlan1 add backup vrid 2 192.168.1.5<br />
configure vrrp add vlan vlan1<br />
enable vrrp<br />
The configuration comm<strong>and</strong>s for switch B are as follows:<br />
configure vlan vlan1 ipaddress 192.168.1.5/24<br />
configure vrrp vlan vlan1 add master vrid 2 192.168.1.5<br />
configure vrrp vlan vlan1 add backup vrid 1 192.168.1.3<br />
configure vrrp add vlan vlan1<br />
enable vrrp<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 317
Virtual Router Redundancy Protocol<br />
318 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
17 IP Unicast Routing<br />
This chapter describes the following topics:<br />
• Overview of IP Unicast Routing on page 319<br />
• Proxy ARP on page 322<br />
• Relative Route Priorities on page 323<br />
• Configuring IP Unicast Routing on page 324<br />
• Routing Configuration Example on page 325<br />
• Configuring DHCP/BOOTP Relay on page 327<br />
• UDP-Forwarding on page 329<br />
This chapter assumes that you are already familiar with IP unicast routing. If not, refer to the following<br />
publications for additional information:<br />
• RFC 1256—ICMP Router Discovery Messages<br />
• RFC 1812—Requirements for IP Version 4 Routers<br />
NOTE<br />
For more information on interior gateway protocols, see Chapter 18.<br />
Overview of IP Unicast Routing<br />
The switch provides full layer 3, IP unicast routing. It exchanges routing information with other routers<br />
on the network using either the Routing Information Protocol (RIP) or the Open Shortest Path First<br />
(OSPF) protocol. The switch dynamically builds <strong>and</strong> maintains a routing table, <strong>and</strong> determines the best<br />
path for each of its routes.<br />
Each host using the IP unicast routing functionality of the switch must have a unique IP address<br />
assigned. In addition, the default gateway assigned to the host must be the IP address of the router<br />
interface.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 319
IP Unicast Routing<br />
Router Interfaces<br />
The routing software <strong>and</strong> hardware routes IP traffic between router interfaces. A router interface is<br />
simply a VLAN that has an IP address assigned to it.<br />
As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route<br />
between the VLANs. Both the VLAN switching <strong>and</strong> IP routing function occur within the switch.<br />
NOTE<br />
Each IP address <strong>and</strong> mask assigned to a VLAN must represent a unique IP subnet. You cannot<br />
configure the IP address belonging to the same subnet on different VLANs.<br />
In Figure 50, a switch is depicted with two VLANs defined; Finance <strong>and</strong> Personnel. Port 8-15 are<br />
assigned to Finance; ports 24-48 are assigned to Personnel. Finance belongs to the IP network 192.207.35.0;<br />
the router interface for Finance is assigned the IP address 192.206.35.1. Personnel belongs to the IP<br />
network 192.207.36.0; its router interface is assigned IP address 192.207.36.1. Traffic within each VLAN<br />
is switched using the Ethernet MAC addresses. Traffic between the two VLANs is routed using the IP<br />
addresses.<br />
Figure 50: Routing between VLANs<br />
192.207.35.1<br />
192.207.36.1<br />
192.207.35.0<br />
Finance<br />
192.207.36.0<br />
Personnel<br />
8 - 15 24 - 48<br />
192.207.35.11 192.207.36.12<br />
ES4K024<br />
320 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Overview of IP Unicast Routing<br />
Populating the Routing Table<br />
The switch maintains an IP routing table for both network routes <strong>and</strong> host routes. The table is<br />
populated from the following sources:<br />
• Dynamically, by way of routing protocol packets or by ICMP redirects exchanged with other routers<br />
• Statically, by way of routes entered by the administrator<br />
— Default routes, configured by the administrator<br />
— Locally, by way of interface addresses assigned to the system<br />
— By other static routes, as configured by the administrator<br />
NOTE<br />
If you define a default route, <strong>and</strong> subsequently delete the VLAN on the subnet associated with the<br />
default route, the invalid default route entry remains. You must manually delete the configured default<br />
route.<br />
Dynamic Routes<br />
Dynamic routes are typically learned by way of RIP or OSPF. Routers that use RIP or OSPF exchange<br />
information in their routing tables in the form of advertisements. Using dynamic routes, the routing<br />
table contains only networks that are reachable.<br />
Dynamic routes are aged out of the table when an update for the network is not received for a period of<br />
time, as determined by the routing protocol.<br />
Static Routes<br />
Static routes are manually entered into the routing table. Static routes are used to reach networks not<br />
advertised by routers.<br />
Static routes can also be used for security reasons, to control which routes you want advertised by the<br />
router. You can decide if you want all static routes to be advertised, using one of the following<br />
comm<strong>and</strong>s:<br />
• enable rip exportstatic or disable rip exportstatic<br />
• enable ospf export direct [cost [ase-type-1 | ase-type-2] {tag }<br />
| ] or disable ospf export [direct | rip | static]<br />
The default setting is disabled. Static routes are never aged out of the routing table.<br />
A static route must be associated with a valid IP subnet. An IP subnet is associated with a single VLAN<br />
by its IP address <strong>and</strong> subnet mask. If the VLAN is subsequently deleted, the static route entries using<br />
that subnet must be deleted manually.<br />
Multiple Routes<br />
When there are multiple, conflicting choices of a route to a particular destination, the router picks the<br />
route with the longest matching network mask. If these are still equal, the router picks the route using<br />
the following criteria (in the order specified):<br />
• Directly attached network interfaces<br />
• ICMP redirects<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 321
IP Unicast Routing<br />
• Static routes<br />
• Directly attached network interfaces that are not active.<br />
NOTE<br />
If you define multiple default routes, the route that has the lowest metric is used. If multiple default<br />
routes have the same lowest metric, the system picks one of the routes.<br />
You can also configure blackhole routes—traffic to these destinations is silently dropped.<br />
IP Route Sharing<br />
IP route sharing allows multiple equal-cost routes to be used concurrently. IP route sharing can be used<br />
with static routes or with OSPF routes. In OSPF, this capability is referred to as equal cost multipath<br />
(ECMP) routing. To use IP route sharing, use the following comm<strong>and</strong>:<br />
enable iproute sharing<br />
Next, configure static routes <strong>and</strong>/or OSPF as you would normally. <strong><strong>Extreme</strong>Ware</strong> supports unlimited<br />
route sharing across static routes <strong>and</strong> up to 12 ECMP routes for OSPF.<br />
Route sharing is useful only in instances where you are constrained for b<strong>and</strong>width. This is typically not<br />
the case using <strong>Extreme</strong> switches. Using route sharing makes router troubleshooting more difficult<br />
because of the complexity in predicting the path over which the traffic will travel.<br />
Subnet-Directed Broadcast Forwarding<br />
You can enable or disable the hardware forwarding of subnet-directed broadcast IP packets. This allows<br />
the switch to forward subnet-directed broadcast packets at wire-speed.<br />
To enable or disable hardware forwarding, use one the following comm<strong>and</strong>s:<br />
[enable | disable] ipforwarding [vlan ]<br />
The entries are added to the IP forwarding table as st<strong>and</strong>ard entries <strong>and</strong> you can view them using the<br />
show ipfdb comm<strong>and</strong>.<br />
You can also configure the VLAN router interface to either forward <strong>and</strong> process all subnet-directed<br />
broadcast packets, or to simply forward these packets after they have been added to the IP forwarding<br />
database. The latter option allows you to improve CPU forwarding performance by having upper<br />
layers, such as UDP <strong>and</strong> TCP, ignore broadcast packet processing (for example, if the packets have<br />
IP-options configured).<br />
To enable or disable broadcast packet processing, use the following comm<strong>and</strong>:<br />
[enable | disable] ipforwarding ignore-broadcast vlan <br />
Using these comm<strong>and</strong>s together, you can achieve a 100% reduction on the Summit switches.<br />
Proxy ARP<br />
Proxy Address Resolution Protocol (ARP) was first invented so that ARP-capable devices could respond<br />
to ARP Request packets on behalf of ARP-incapable devices. Proxy ARP can also be used to achieve<br />
322 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Relative Route Priorities<br />
router redundancy <strong>and</strong> simplify IP client configuration. The switch supports proxy ARP for this type of<br />
network configuration. The section describes some example of how to use proxy ARP with the switch.<br />
ARP-Incapable Devices<br />
To configure the switch to respond to ARP Requests on behalf of devices that are incapable of doing so,<br />
you must configure the IP address <strong>and</strong> MAC address of the ARP-incapable device using the use the<br />
following comm<strong>and</strong>:<br />
configure iparp add proxy {} {} {always}<br />
Once configured, the system responds to ARP Requests on behalf of the device as long as the following<br />
conditions are satisfied:<br />
• The valid IP ARP Request is received on a router interface.<br />
• The target IP address matches the IP address configured in the proxy ARP table.<br />
• The proxy ARP table entry indicates that the system should always answer this ARP Request,<br />
regardless of the ingress VLAN (the always parameter must be applied).<br />
Once all the proxy ARP conditions are met, the switch formulates an ARP Response using the<br />
configured MAC address in the packet.<br />
Proxy ARP Between Subnets<br />
In some networks, it is desirable to configure the IP host with a wider subnet than the actual subnet<br />
mask of the segment. Proxy ARP can be used so that the router answers ARP Requests for devices<br />
outside of the subnet. As a result, the host communicates as if all devices are local. In reality,<br />
communication with devices outside of the subnet are proxied by the router.<br />
For example, an IP host is configured with a class B address of 100.101.102.103 <strong>and</strong> a mask of<br />
255.255.0.0. The switch is configured with the IP address 100.101.102.1 <strong>and</strong> a mask of 255.255.255.0. The<br />
switch is also configured with a proxy ARP entry of IP address 100.101.0.0 <strong>and</strong> mask 255.255.0.0, without<br />
the always parameter.<br />
When the IP host tries to communicate with the host at address 100.101.45.67, the IP hosts<br />
communicates as if the two hosts are on the same subnet, <strong>and</strong> sends out an IP ARP Request. The switch<br />
answers on behalf of the device at address 100.101.45.67, using its own MAC address. All subsequent<br />
data packets from 100.101.102.103 are sent to the switch, <strong>and</strong> the switch routes the packets to<br />
100.101.45.67.<br />
Relative Route Priorities<br />
Table 43 lists the relative priorities assigned to routes depending upon the learned source of the route.<br />
NOTE<br />
Although these priorities can be changed, do not attempt any manipulation unless you are expertly<br />
familiar with the possible consequences.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 323
IP Unicast Routing<br />
Table 43: Relative Route Priorities<br />
Route Origin Priority<br />
Direct 10<br />
BlackHole 50<br />
Static 1100<br />
ICMP 1200<br />
OSPFIntra 2200<br />
OSPFInter 2300<br />
RIP 2400<br />
OSPFExtern1 3200<br />
OSPFExtern2 3300<br />
BOOTP 5000<br />
To change the relative route priority, use the following comm<strong>and</strong>:<br />
configure iproute priority [rip | bootp | icmp | static | ospf-intra | ospf-inter |<br />
ospf-as-external | ospf-extern1 | ospf-extern2] <br />
Configuring IP Unicast Routing<br />
This section describes the comm<strong>and</strong>s associated with configuring IP unicast routing on the switch. To<br />
configure routing, follow these steps:<br />
1 Create <strong>and</strong> configure two or more VLANs.<br />
2 Assign each VLAN that will be using routing an IP address using the following comm<strong>and</strong>:<br />
configure vlan ipaddress { | }<br />
Ensure that each VLAN has a unique IP address.<br />
3 Configure a default route using the following comm<strong>and</strong>:<br />
configure iproute add default {}<br />
Default routes are used when the router has no other dynamic or static route to the requested<br />
destination.<br />
4 Turn on IP routing for one or all VLANs using the following comm<strong>and</strong>:<br />
enable ipforwarding {[broadcast | ignore-broadcast]}{vlan }<br />
5 Turn on RIP or OSPF using one of the following comm<strong>and</strong>s:<br />
enable ripp<br />
enable ospff<br />
For more information on configuring RIPP <strong>and</strong> OSPF, see “Interior Gateway Protocols” on page 331.<br />
324 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Routing Configuration Example<br />
Verifying the IP Unicast Routing Configuration<br />
Use the show iproute comm<strong>and</strong> to display the current configuration of IP unicast routing for the<br />
switch, <strong>and</strong> for each VLAN. The show iproute comm<strong>and</strong> displays the currently configured routes, <strong>and</strong><br />
includes how each route was learned.<br />
Additional verification comm<strong>and</strong>s include:<br />
• show iparp—Displays the IP ARP table of the system.<br />
• show ipfdb—Displays the hosts that have been transmitting or receiving packets, <strong>and</strong> the port <strong>and</strong><br />
VLAN for each host.<br />
• show ipconfig—Displays configuration information for one or more VLANs.<br />
Routing Configuration Example<br />
Figure 51 illustrates a switch that has three VLANs defined as follows:<br />
• Finance<br />
— Contain ports 5 <strong>and</strong> 6.<br />
— IP address 192.207.35.1.<br />
• Personnel<br />
— Contain ports 21 <strong>and</strong> 22.<br />
— IP address 192.207.36.1.<br />
Figure 51: Unicast routing configuration example<br />
192.207.35.1<br />
192.207.36.1<br />
192.207.35.0<br />
Finance<br />
192.207.36.0<br />
Personnel<br />
5<br />
6<br />
21<br />
22<br />
192.207.35.11 192.207.36.12<br />
ES4K025<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 325
IP Unicast Routing<br />
In this configuration, all IP traffic from stations connected to ports 5 <strong>and</strong> 6 have access to the switch by<br />
way of the VLAN Finance. Ports 21 <strong>and</strong> 22 reach the switch by way of the VLAN Personnel..<br />
The example in Figure 51 is configured as follows:<br />
create vlan Finance<br />
create vlan Personnel<br />
config Finance add port 5,6<br />
config Personnel add port 21,22<br />
config Finance ipaddress 192.207.35.1<br />
config Personnel ipaddress 192.207.36.1<br />
config rip add vlan Finance<br />
config rip add vlan Personnel<br />
enable ipforwarding<br />
enable rip<br />
ICMP Packet Processing<br />
As ICMP packets are routed or generated, you can take various actions to control distribution. For<br />
ICMP packets typically generated or observed as part of the routing function, you can assert control on<br />
a per-type, per-VLAN basis. You would alter the default settings for security reasons: to restrict the<br />
success of tools that can be used to find an important application, host, or topology information. The<br />
controls include the disabling of transmitting ICMP messages associated with unreachables,<br />
port-unreachables, time-exceeded, parameter-problems, redirects, time-stamp, <strong>and</strong> address-mask<br />
requests.<br />
To enable or disable the generation of an ICMP address-mask reply on one or all VLANs, use the<br />
following comm<strong>and</strong>s:<br />
enable icmp address-mask {vlan }<br />
disable icmp address-mask {vlan }<br />
To enable or disable the generation of an ICMP parameter-problem message on one or all VLANs, use<br />
the following comm<strong>and</strong>s:<br />
enable icmp parameter-problem {vlan }<br />
disable icmp parameter-problem<br />
To enable or disable the generation of ICMP port unreachable messages on one or all VLANs, use the<br />
following comm<strong>and</strong>s:<br />
enable icmp port-unreachables {vlan }<br />
disable icmp port-unreachables {vlan }<br />
To enable or disable the generation of ICMP redirect messages on one or all VLANs, use the following<br />
comm<strong>and</strong>s:<br />
enable icmp redirects {vlan }<br />
disable icmp redirects {vlan }<br />
326 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring DHCP/BOOTP Relay<br />
To enable or disable the generation of ICMP time exceeded messages on one or all VLANs, use the<br />
following comm<strong>and</strong>s:<br />
enable icmp time-exceeded {vlan }<br />
disable icmp time-exceeded {vlan }<br />
To enable or disable the generation of an ICMP timestamp response on one or all VLANs, use the<br />
following comm<strong>and</strong>s:<br />
enable icmp timestamp {vlan }<br />
disable icmp timestamp {vlan }<br />
To enable or disable the generation of ICMP unreachable messages on one or all VLANs, use the<br />
following comm<strong>and</strong>s:<br />
enable icmp unreachables {vlan }<br />
disable icmp unreachables {vlan }<br />
To enable or disable the modification of route table information when an ICMP redirect message is<br />
received, use the following comm<strong>and</strong>s:<br />
enable icmp useredirects<br />
disable icmp useredirects<br />
To reset all of the ICMP settings to the default values, use the following comm<strong>and</strong>:<br />
unconfigure icmp<br />
For ICMP packets that are typically routed, you can apply access lists to restrict forwarding behavior.<br />
Access lists are described in Chapter 10.<br />
Configuring DHCP/BOOTP Relay<br />
Once IP unicast routing is configured, you can configure the switch to forward Dynamic Host<br />
Configuration Protocol (DHCP) or BOOTP requests coming from clients on subnets being serviced by<br />
the switch <strong>and</strong> going to hosts on different subnets. This feature can be used in various applications,<br />
including DHCP services between Windows NT servers <strong>and</strong> clients running Windows 95. To configure<br />
the relay function, follow these steps:<br />
1 Configure VLANs <strong>and</strong> IP unicast routing.<br />
2 Enable the DHCP or BOOTP relay function, using the following comm<strong>and</strong>:<br />
enable bootprelay<br />
3 Configure the addresses to which DHCP or BOOTP requests should be directed, using the following<br />
comm<strong>and</strong>:<br />
configure bootprelay add <br />
To delete a BOOTP relay entry, use the following comm<strong>and</strong>:<br />
configure bootprelay delete [ | all]<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 327
IP Unicast Routing<br />
Configuring the DHCP Relay Agent Option (Option 82)<br />
After configuring <strong>and</strong> enabling the DHCP/BOOTP relay feature, you can enable the DHCP relay agent<br />
option feature. This feature inserts a piece of information, called option 82, into any DHCP request<br />
packet that is to be relayed by the switch. Similarly, if a DHCP reply received by the switch contains a<br />
valid relay agent option, the option will be stripped from the packet before it is relayed to the client.<br />
The DHCP relay agent option consists of two pieces of data, called sub-options. The first is the agent<br />
circuit ID sub-option, <strong>and</strong> the second is the agent remote ID sub-option. When the DHCP relay agent<br />
option is enabled on switches running <strong><strong>Extreme</strong>Ware</strong>, the value of these sub-options is set as follows:<br />
• Agent circuit ID sub-option: Contains the ID of the port on which the original DHCP request packet<br />
was received. This ID is encoded as (port_number). For example, if the DHCP request were received<br />
on port 12, the agent circuit ID value would be 3012. On non-slot-based switches, the agent circuit ID<br />
value is simply the port number.<br />
• Agent remote ID sub-option: Always contains the Ethernet MAC address of the relaying switch.<br />
You can display the Ethernet MAC address of the switch by issuing the show switch comm<strong>and</strong>.<br />
To enable the DHCP relay agent option, use the following comm<strong>and</strong> after configuring the<br />
DHCP/BOOTP relay function:<br />
configure bootprelay dhcp-agent information option<br />
To disable the DHCP relay agent option, use the following comm<strong>and</strong>:<br />
unconfigure bootprelay dhcp-agent information option<br />
In some instances, a DHCP server may not properly h<strong>and</strong>le a DHCP request packet containing a relay<br />
agent option. To prevent DHCP reply packets with invalid or missing relay agent options from being<br />
forwarded to the client, use the following comm<strong>and</strong>:<br />
configure bootprelay dhcp-agent information check<br />
To disable checking of DHCP replies, use this comm<strong>and</strong>:<br />
unconfigure bootprelay dhcp-agent information check<br />
A DHCP relay agent may receive a client DHCP packet that has been forwarded from another relay<br />
agent. If this relayed packet already contains a relay agent option, then the switch will h<strong>and</strong>le this<br />
packet according to the configured DHCP relay agent option policy. To configure this policy, use the<br />
following comm<strong>and</strong>:<br />
configure bootprelay dhcp-agent information policy <br />
where must be one of the following values: replace, keep, or drop. The default relay policy<br />
is replace. To configure the policy to the default, use this comm<strong>and</strong>:<br />
unconfigure bootprelay dhcp-agent information policy<br />
For more general information about the DHCP relay agent information option, refer to RFC 3046.<br />
Verifying the DHCP/BOOTP Relay Configuration<br />
To verify the DHCP/BOOTP relay configuration, use the following comm<strong>and</strong>:<br />
show ipconfig<br />
328 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
UDP-Forwarding<br />
This comm<strong>and</strong> displays the configuration of the BOOTP relay service, <strong>and</strong> the addresses that are<br />
currently configured.<br />
UDP-Forwarding<br />
UDP-forwarding is a flexible <strong>and</strong> generalized routing utility for h<strong>and</strong>ling the directed forwarding of<br />
broadcast UDP packets. UDP-forwarding allows applications, such as multiple DHCP relay services<br />
from differing sets of VLANs, to be directed to different DHCP servers. The following rules apply to<br />
UDP broadcast packets h<strong>and</strong>led by this feature:<br />
• If the UDP profile includes BOOTP or DHCP, it is h<strong>and</strong>led according to guidelines in RFC 1542.<br />
• If the UDP profile includes other types of traffic, these packets have the IP destination address<br />
modified as configured, <strong>and</strong> changes are made to the IP <strong>and</strong> UDP checksums <strong>and</strong> decrements to the<br />
TTL field, as appropriate.<br />
If the UDP-forwarding is used for BOOTP or DHCP forwarding purposes, do not configure or use the<br />
existing bootprelay function. However, if the previous bootprelay functions are adequate, you may<br />
continue to use them.<br />
NOTE<br />
UDP-forwarding only works across a layer 3 boundary.<br />
Configuring UDP-Forwarding<br />
To configure UDP-forwarding, the first thing you must do is create a UDP-forward destination profile.<br />
The profile describes the types of UDP packets (by port number) that are used, <strong>and</strong> where they are to be<br />
forwarded. You must give the profile a unique name, in the same manner as a VLAN, protocol filter, or<br />
Spanning Tree Domain.<br />
Next, configure a VLAN to make use of the UDP-forwarding profile. As a result, all incoming traffic<br />
from the VLAN that matches the UDP profile is h<strong>and</strong>led as specified in the UDP-forwarding profile.<br />
A maximum of ten UDP-forwarding profiles can be defined. Each named profile may contain a<br />
maximum of eight “rules” defining the UDP port, <strong>and</strong> destination IP address or VLAN. A VLAN can<br />
make use of a single UDP-forwarding profile. UDP packets directed toward a VLAN use an all-ones<br />
broadcast on that VLAN.<br />
UDP-Forwarding Example<br />
In this example, the VLAN Marketing <strong>and</strong> the VLAN Operations are pointed toward a specific backbone<br />
DHCP server (with IP address 10.1.1.1) <strong>and</strong> a backup server (with IP address 10.1.1.2). Additionally, the<br />
VLAN Lab<strong>User</strong> is configured to use any responding DHCP server on a separate VLAN called LabSvrs.<br />
The comm<strong>and</strong>s for this configuration are as follows:<br />
create udp-profile backbonedhcp<br />
create udp-profile labdhcp<br />
configure backbonedhcp add 67 ipaddress 10.1.1.1<br />
configure backbonedhcp add 67 ipaddress 10.1.1.2<br />
configure labdhcp add 67 vlan labsvrs<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 329
IP Unicast Routing<br />
configure marketing udp-profile backbonedhcp<br />
configure operations udp-profile backbonedhcp<br />
configure labuser udp-profile labdhcp<br />
UDP Echo Server<br />
You can use UDP Echo packets to measure the transit time for data between the transmitting <strong>and</strong><br />
receiving end.<br />
To enable UDP echo server support, use the following comm<strong>and</strong>:<br />
enable udp-echo-server<br />
To disable UDP echo server support, use the following comm<strong>and</strong>:<br />
disable udp-echo-server<br />
330 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
18 Interior Gateway Protocols<br />
This chapter describes the following topics:<br />
• Overview on page 332<br />
• Overview of RIP on page 333<br />
• Overview of OSPF on page 334<br />
• Route Re-Distribution on page 340<br />
• RIP Configuration Example on page 341<br />
• Configuring OSPF on page 342<br />
• OSPF Configuration Example on page 343<br />
• Displaying OSPF Settings on page 345<br />
This chapter assumes that you are already familiar with IP unicast routing. If not, refer to the following<br />
publications for additional information:<br />
• RFC 1058—Routing Information Protocol (RIP)<br />
• RFC 1723—RIP Version 2<br />
• RFC 2178—OSPF Version 2<br />
• Interconnections: Bridges <strong>and</strong> Routers<br />
by Radia Perlman<br />
ISBN 0-201-56332-0<br />
Published by Addison-Wesley Publishing Company<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 331
Interior Gateway Protocols<br />
Overview<br />
The switch supports the use of two interior gateway protocols (IGPs); the Routing Information Protocol<br />
(RIP) <strong>and</strong> the Open Shortest Path First (OSPF) protocol.<br />
RIP is a distance-vector protocol, based on the Bellman-Ford (or distance-vector) algorithm. The<br />
distance-vector algorithm has been in use for many years, <strong>and</strong> is widely deployed <strong>and</strong> understood.<br />
OSPF is a link-state protocol, based on the Dijkstra link-state algorithm. OSPF is a newer Interior<br />
Gateway Protocol (IGP), <strong>and</strong> solves a number of problems associated with using RIP on today’s<br />
complex networks.<br />
NOTE<br />
RIP <strong>and</strong> OSPF can be enabled on a single VLAN.<br />
RIP Versus OSPF<br />
The distinction between RIP <strong>and</strong> OSPF lies in the fundamental differences between distance-vector<br />
protocols <strong>and</strong> link-state protocols. Using a distance-vector protocol, each router creates a unique routing<br />
table from summarized information obtained from neighboring routers. Using a link-state protocol,<br />
every router maintains an identical routing table created from information obtained from all routers in<br />
the autonomous system. Each router builds a shortest path tree, using itself as the root. The link-state<br />
protocol ensures that updates sent to neighboring routers are acknowledged by the neighbors, verifying<br />
that all routers have a consistent network map.<br />
The biggest advantage of using RIP is that it is relatively simple to underst<strong>and</strong> <strong>and</strong> implement, <strong>and</strong> it<br />
has been the de facto routing st<strong>and</strong>ard for many years.<br />
RIP has a number of limitations that can cause problems in large networks, including:<br />
• A limit of 15 hops between the source <strong>and</strong> destination networks.<br />
• A large amount of b<strong>and</strong>width taken up by periodic broadcasts of the entire routing table.<br />
• Slow convergence.<br />
• Routing decisions based on hop count; no concept of link costs or delay.<br />
• Flat networks; no concept of areas or boundaries.<br />
OSPF offers many advantages over RIP, including:<br />
• No limitation on hop count.<br />
• Route updates multicast only when changes occur.<br />
• Faster convergence.<br />
• Support for load balancing to multiple routers based on the actual cost of the link.<br />
• Support for hierarchical topologies where the network is divided into areas.<br />
The details of RIP <strong>and</strong> OSPF are explained later in this chapter.<br />
332 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Overview of RIP<br />
Overview of RIP<br />
RIP is an Interior Gateway Protocol (IGP) first used in computer routing in the Advanced Research<br />
Projects Agency Network (ARPAnet) as early as 1969. It is primarily intended for use in homogeneous<br />
networks of moderate size.<br />
To determine the best path to a distant network, a router using RIP always selects the path that has the<br />
least number of hops. Each router that data must traverse is considered to be one hop.<br />
Routing Table<br />
The routing table in a router using RIP contains an entry for every known destination network. Each<br />
routing table entry contains the following information:<br />
• IP address of the destination network<br />
• Metric (hop count) to the destination network<br />
• IP address of the next router<br />
• Timer that tracks the amount of time since the entry was last updated<br />
The router exchanges an update message with each neighbor every 30 seconds (default value), or if<br />
there is a change to the overall routed topology (also called triggered updates). If a router does not receive<br />
an update message from its neighbor within the route timeout period (180 seconds by default), the<br />
router assumes the connection between it <strong>and</strong> its neighbor is no longer available.<br />
Split Horizon<br />
Split horizon is a scheme for avoiding problems caused by including routes in updates sent to the<br />
router from which the route was learned. Split horizon omits routes learned from a neighbor in updates<br />
sent to that neighbor.<br />
To enable split horizon on RIP, issue this comm<strong>and</strong>:<br />
enable rip splithorizon<br />
To disable split horizon on RIP, issue this comm<strong>and</strong>:<br />
disable rip splithorizon<br />
Poison Reverse<br />
Like split horizon, poison reverse is a scheme for eliminating the possibility of loops in the routed<br />
topology. In this case, a router advertises a route over the same interface that supplied the route, but the<br />
route uses a hop count of 16, defining it as unreachable.<br />
To enable poison reverse, issue this comm<strong>and</strong>:<br />
enable rip poisonreverse<br />
To disable poison reverse, issue this comm<strong>and</strong>:<br />
disable rip poisonreverse<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 333
Interior Gateway Protocols<br />
Triggered Updates<br />
Triggered updates occur whenever a router changes the metric for a route, <strong>and</strong> it is required to send an<br />
update message immediately, even if it is not yet time for a regular update message to be sent. This will<br />
generally result in faster convergence, but may also result in more RIP-related traffic.<br />
To enable triggered updates on RIP, issue this comm<strong>and</strong>:<br />
enable rip triggerupdate<br />
To disable triggered updates on RIP, issue this comm<strong>and</strong>:<br />
disable rip triggerupdate<br />
Route Advertisement of VLANs<br />
VLANs that are configured with an IP address, but are configured to not route IP or are not configured<br />
to run RIP, do not have their subnets advertised by RIP. Only those VLANs that are configured with an<br />
IP address <strong>and</strong> are configured to route IP <strong>and</strong> run RIP have their subnets advertised.<br />
RIP Version 1 Versus RIP Version 2<br />
A new version of RIP, called RIP version 2, exp<strong>and</strong>s the functionality of RIP version 1 to include:<br />
• Variable-Length Subnet Masks (VLSMs).<br />
• Support for next-hop addresses, which allows for optimization of routes in certain environments.<br />
• Multicasting.<br />
RIP version 2 packets can be multicast instead of being broadcast, reducing the load on hosts that do<br />
not support routing protocols.<br />
NOTE<br />
If you are using RIP with supernetting/Classless Inter-Domain Routing (CIDR), you must use RIPv2<br />
only. In addition, RIP route aggregation must be turned off.<br />
Overview of OSPF<br />
OSPF is a link-state protocol that distributes routing information between routers belonging to a single<br />
IP domain, also known as an autonomous system (AS). In a link-state routing protocol, each router<br />
maintains a database describing the topology of the autonomous system. Each participating router has<br />
an identical database maintained from the perspective of that router.<br />
From the link-state database (LSDB), each router constructs a tree of shortest paths, using itself as the<br />
root. The shortest path tree provides the route to each destination in the autonomous system. When<br />
several equal-cost routes to a destination exist, traffic can be distributed among them. The cost of a<br />
route is described by a single metric.<br />
334 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Overview of OSPF<br />
NOTE<br />
A Summit 200 series switch can support up to two non-passive OSPF interfaces, <strong>and</strong> cannot be a<br />
designated or a backup designated router.<br />
Link-State Database<br />
Upon initialization, each router transmits a link-state advertisement (LSA) on each of its interfaces.<br />
LSAs are collected by each router <strong>and</strong> entered into the LSDB of each router. Once all LSAs are received,<br />
the router uses the LSDB to calculate the best routes for use in the IP routing table. OSPF uses flooding<br />
to distribute LSAs between routers. Any change in routing information is sent to all of the routers in the<br />
network. All routers within an area have the exact same LSDB. Table 44 describes LSA type numbers.<br />
Table 44: LSA Type Numbers<br />
Type Number Description<br />
1 Router LSA<br />
2 Network LSA<br />
3 Summary LSA<br />
4 AS summary LSA<br />
5 AS external LSA<br />
7 NSSA external LSA<br />
9 Link local—Opaque<br />
10 Area scoping—Opaque<br />
11 AS scoping—Opaque<br />
OSPF passive adds the interface to the Type 1 LSA, but it does not send hellos or establish adjacencies<br />
on that interface.<br />
Database Overflow<br />
The OSPF database overflow feature allows you to limit the size of the LSDB <strong>and</strong> to maintain a<br />
consistent LSDB across all the routers in the domain, which ensures that all routers have a consistent<br />
view of the network.<br />
Consistency is achieved by:<br />
• Limiting the number of external LSAs in the database of each router.<br />
• Ensuring that all routers have identical LSAs.<br />
To configure OSPF database overflow, use the following comm<strong>and</strong>:<br />
configure ospf ase-limit {timeout }<br />
where:<br />
• —Specifies the number of external LSAs that the system supports before it goes into<br />
overflow state. A limit value of zero disables the functionality.<br />
When the LSDB size limit is reached, OSPF database overflow flushes LSAs from the LSDB. OSPF<br />
database overflow flushes the same LSAs from all the routers, which maintains consistency.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 335
Interior Gateway Protocols<br />
• timeout—Specifies the timeout, in seconds, after which the system ceases to be in overflow state. A<br />
timeout value of zero leaves the system in overflow state until OSPF is disabled <strong>and</strong> re-enabled.<br />
Opaque LSAs<br />
Opaque LSAs are a generic OSPF mechanism used to carry auxiliary information in the OSPF database.<br />
Opaque LSAs are most commonly used to support OSPF traffic engineering.<br />
Normally, support for opaque LSAs is auto-negotiated between OSPF neighbors. In the event that you<br />
experience interoperability problems, you can disable opaque LSAs across the entire system using the<br />
following comm<strong>and</strong>:<br />
disable ospf capability opaque-lsa<br />
To re-enable opaque LSAs across the entire system, use the following comm<strong>and</strong>:<br />
enable ospf capability opaque-lsa<br />
If your network uses opaque LSAs, we recommend that all routers on your OSPF network support<br />
opaque LSAs. Routers that do not support opaque LSAs do not store or flood them. At minimum a<br />
well-interconnected subsection of your OSPF network needs to support opaque LSAs to maintain<br />
reliability of their transmission.<br />
On an OSPF broadcast network, the designated router (DR) must support opaque LSAs or none of the<br />
other routers on that broadcast network will reliably receive them. You can use the OSPF priority<br />
feature to give preference to an opaque-capable router, so that it becomes the elected DR.<br />
For transmission to continue reliably across the network, the backup designated router (BDR) must also<br />
support opaque LSAs.<br />
Areas<br />
OSPF allows parts of a network to be grouped together into areas. The topology within an area is<br />
hidden from the rest of the autonomous system. Hiding this information enables a significant reduction<br />
in LSA traffic, <strong>and</strong> reduces the computations needed to maintain the LSDB. Routing within the area is<br />
determined only by the topology of the area.<br />
The three types of routers defined by OSPF are as follows:<br />
• Internal Router (IR)—An internal router has all of its interfaces within the same area.<br />
• Area Border Router (ABR)—An ABR has interfaces in multiple areas. It is responsible for<br />
exchanging summary advertisements with other ABRs. You can create a maximum of 7 non-zero<br />
areas.<br />
• Autonomous System Border Router (ASBR)—An ASBR acts as a gateway between OSPF <strong>and</strong> other<br />
routing protocols, or other autonomous systems.<br />
Backbone Area (Area 0.0.0.0)<br />
Any OSPF network that contains more than one area is required to have an area configured as area<br />
0.0.0.0, also called the backbone. All areas in an autonomous system must be connected to the backbone.<br />
When designing networks, you should start with area 0.0.0.0, <strong>and</strong> then exp<strong>and</strong> into other areas.<br />
336 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Overview of OSPF<br />
NOTE<br />
Area 0.0.0.0 exists by default <strong>and</strong> cannot be deleted or changed.<br />
The backbone allows summary information to be exchanged between ABRs. Every ABR hears the area<br />
summaries from all other ABRs. The ABR then forms a picture of the distance to all networks outside of<br />
its area by examining the collected advertisements, <strong>and</strong> adding in the backbone distance to each<br />
advertising router.<br />
When a VLAN is configured to run OSPF, you must configure the area for the VLAN. If you want to<br />
configure the VLAN to be part of a different OSPF area, use the following comm<strong>and</strong>:<br />
configure ospf add vlan area <br />
If this is the first instance of the OSPF area being used, you must create the area first using the<br />
following comm<strong>and</strong>:<br />
create ospf area <br />
Stub Areas<br />
OSPF allows certain areas to be configured as stub areas. A stub area is connected to only one other area.<br />
The area that connects to a stub area can be the backbone area. External route information is not<br />
distributed into stub areas. Stub areas are used to reduce memory consumption <strong>and</strong> computation<br />
requirements on OSPF routers. Use the following comm<strong>and</strong> to configure an OSPF area as a stub area:<br />
configure ospf area stub [summary | nosummary] stub-default-cost<br />
<br />
Not-So-Stubby-Areas (NSSA)<br />
NSSAs are similar to the existing OSPF stub area configuration option, but have the following two<br />
additional capabilities:<br />
• External routes originating from an ASBR connected to the NSSA can be advertised within the<br />
NSSA.<br />
• External routes originating from the NSSA can be propagated to other areas, including the backbone<br />
area.<br />
The CLI comm<strong>and</strong> to control the NSSA function is similar to the comm<strong>and</strong> used for configuring a stub<br />
area, as follows:<br />
configure ospf area nssa [summary | nosummary] stub-default-cost<br />
{translate}<br />
The translate option determines whether type 7 LSAs are translated into type 5 LSAs. When<br />
configuring an OSPF area as an NSSA, the translate should only be used on NSSA border routers,<br />
where translation is to be enforced. If translate is not used on any NSSA border router in a NSSA, one<br />
of the ABRs for that NSSA is elected to perform translation (as indicated in the NSSA specification). The<br />
option should not be used on NSSA internal routers. Doing so inhibits correct operation of the election<br />
algorithm.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 337
Interior Gateway Protocols<br />
Normal Area<br />
A normal area is an area that is not:<br />
• Area 0.<br />
• Stub area.<br />
• NSSA.<br />
Virtual links can be configured through normal areas. External routes can be distributed into normal<br />
areas.<br />
Virtual Links<br />
In the situation when a new area is introduced that does not have a direct physical attachment to the<br />
backbone, a virtual link is used. A virtual link provides a logical path between the ABR of the<br />
disconnected area <strong>and</strong> the ABR of the normal area that connects to the backbone. A virtual link must be<br />
established between two ABRs that have a common area, with one ABR connected to the backbone.<br />
Figure 52 illustrates a virtual link.<br />
NOTE<br />
Virtual links can not be configured through a stub or NSSA area.<br />
Figure 52: Virtual link using Area 1 as a transit area<br />
Virtual link<br />
ABR<br />
ABR<br />
Area 2 Area 1 Area 0<br />
EW_016<br />
Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 53, if the<br />
connection between ABR1 <strong>and</strong> the backbone fails, the connection using ABR2 provides redundancy so<br />
that the discontiguous area can continue to communicate with the backbone using the virtual link.<br />
338 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Overview of OSPF<br />
Figure 53: Virtual link providing redundancy<br />
Virtual link<br />
Area 2<br />
ABR 1 ABR 2<br />
Area 1 Area 0 Area 3<br />
EW_017<br />
Point-to-Point Support<br />
You can manually configure the OSPF link type for a VLAN. Table 45 describes the link types.<br />
Table 45: OSPF Link Types<br />
Link Type Number of Routers Description<br />
Auto Varies <strong><strong>Extreme</strong>Ware</strong> automatically determines the OSPF link type based on<br />
the interface type. This is the default setting.<br />
Broadcast Any Routers must elect a designated router (DR) <strong>and</strong> a backup designated<br />
router (BDR) during synchronization. Ethernet is an example of a<br />
broadcast link.<br />
Point-to-point Up to 2 Synchronizes faster than a broadcast link because routers do not elect<br />
a DR or BDR. Does not operate with more than two routers on the<br />
same VLAN. PPP is an example of a point-to-point link. An OSPF<br />
point-to-point link supports only zero to two OSPF routers <strong>and</strong> does not<br />
elect a DR or BDR. If you have three or more routers on the VLAN,<br />
OSPF will fail to synchronize if the neighbor is not configured.<br />
Passive<br />
A passive link does not send or receive OSPF packets.<br />
NOTE<br />
The number of routers in an OSPF point-to-point link is determined per-VLAN, not per-link.<br />
NOTE<br />
All routers in the VLAN must have the same OSPF link type. If there is a mismatch, OSPF attempts to<br />
operate, but may not be reliable.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 339
Interior Gateway Protocols<br />
Route Re-Distribution<br />
RIP <strong>and</strong> OSPF can be enabled simultaneously on the switch. Route re-distribution allows the switch to<br />
exchange routes, including static routes, between the three routing protocols. Figure 54 is an example of<br />
route re-distribution between an OSPF autonomous system <strong>and</strong> a RIP autonomous system.<br />
Figure 54: Route re-distribution<br />
OSPF AS<br />
Backbone Area<br />
0.0.0.0<br />
ABR<br />
Area<br />
121.2.3.4<br />
ASBR<br />
ASBR<br />
RIP AS<br />
EW_019<br />
Configuring Route Re-Distribution<br />
Exporting routes from one protocol to another, <strong>and</strong> from that protocol to the first one, are discreet<br />
configuration functions. For example, to run OSPF <strong>and</strong> RIP simultaneously, you must first configure<br />
both protocols <strong>and</strong> then verify the independent operation of each. Then you can configure the routes to<br />
export from OSPF to RIP <strong>and</strong> the routes to export from RIP to OSPF. Likewise, for any other<br />
combinations of protocols, you must separately configure each to export routes to the other.<br />
340 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
RIP Configuration Example<br />
Re-Distributing Routes into OSPF<br />
Enable or disable the exporting of RIP, static, <strong>and</strong> direct (interface) routes to OSPF using the following<br />
comm<strong>and</strong>s:<br />
enable ospf export [direct | rip | static] [cost [ase-type-1 | ase-type-2]<br />
{tag }]<br />
disable ospf export [direct | rip | static]<br />
These comm<strong>and</strong>s enable or disable the exporting of RIP, static, <strong>and</strong> direct routes by way of LSA to other<br />
OSPF routers as AS-external type 1 or type 2 routes. The default setting is disabled.<br />
The cost metric is inserted for all RIP, static, <strong>and</strong> direct routes injected into OSPF. If the cost metric is set<br />
to 0, the cost is inserted from the route. The tag value is used only by special routing applications. Use 0<br />
if you do not have specific requirements for using a tag. The tag value in this instance has no<br />
relationship with 802.1Q VLAN tagging.<br />
The same cost, type, <strong>and</strong> tag values can be inserted for all the export routes, or route maps can be used<br />
for selective insertion. When a route map is associated with the export comm<strong>and</strong>, the route map is<br />
applied on every exported route. The exported routes can also be filtered using route maps. Routes<br />
filtered with a route map will be exported as ase-type-1.<br />
Enable or disable the export of virtual IP addresses to other OSPF routers using the following<br />
comm<strong>and</strong>s:<br />
Verify the configuration using the comm<strong>and</strong>:<br />
show ospf<br />
You must configure <strong><strong>Extreme</strong>Ware</strong> to export the direct routes to OSPF. You can use an access profile to<br />
filter unnecessary direct routes, using the comm<strong>and</strong>:<br />
configure ospf direct-filter [ | none]<br />
Re-Distributing Routes into RIP<br />
Enable or disable the exporting of static, direct, <strong>and</strong> OSPF-learned routes into the RIP domain using the<br />
following comm<strong>and</strong>s:<br />
enable rip export [direct | ospf | ospf-extern1 | ospf-extern2 | ospf-inter |<br />
ospf-intra | static] cost {tag }<br />
disable rip export [direct | | ospf | ospf-extern1 | ospf-extern2 | ospf-inter |<br />
ospf-intra | static]<br />
These comm<strong>and</strong>s enable or disable the exporting of static, direct, <strong>and</strong> OSPF-learned routes into the RIP<br />
domain. You can choose which types of OSPF routes are injected, or you can simply choose ospf, which<br />
will inject all learned OSPF routes regardless of type. The default setting is disabled.<br />
RIP Configuration Example<br />
A switch that has three VLANs is defined as follows:<br />
• Finance<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 341
Interior Gateway Protocols<br />
— Contain ports 5 <strong>and</strong> 6.<br />
— IP address 192.207.35.1.<br />
• Personnel<br />
— Contain ports 22 <strong>and</strong> 23.<br />
— IP address 192.207.36.1.<br />
In this configuration, all IP traffic from stations connected to ports 5 <strong>and</strong> 6 have access to the switch by<br />
way of the VLAN Finance. Ports 22 <strong>and</strong> 23 reach the switch by way of the VLAN Personnel.<br />
The example is configured as follows:<br />
create vlan Finance<br />
create vlan Personnel<br />
configure Finance protocol ip<br />
configure Personnel protocol ip<br />
configure Finance add port 5, 6<br />
configure Personnel add port 22, 23<br />
configure Finance ipaddress 192.207.35.1<br />
configure Personnel ipaddress 192.207.36.1<br />
enable ipforwarding<br />
configure rip add vlan all<br />
enable rip<br />
Configuring OSPF<br />
Each switch that is configured to run OSPF must have a unique router ID. It is recommended that you<br />
manually set the router ID of the switches participating in OSPF, instead of having the switch<br />
automatically choose its router ID based on the highest interface IP address. Not performing this<br />
configuration in larger, dynamic environments could result in an older link state database remaining in<br />
use.<br />
Configuring OSPF Wait Interval<br />
<strong><strong>Extreme</strong>Ware</strong> allows you to configure the OSPF wait interval, rather than using the router dead interval.<br />
CAUTION<br />
Do not configure OSPF timers unless you are comfortable exceeding OSPF specifications.<br />
Non-st<strong>and</strong>ard settings might not be reliable under all circumstances.<br />
To specify the timer intervals, use the following comm<strong>and</strong>:<br />
configure ospf timer<br />
You can configure the following parameters:<br />
342 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
OSPF Configuration Example<br />
• Retransmit interval—The length of time that the router waits before retransmitting an LSA that is<br />
not acknowledged. If you set an interval that is too short, unnecessary retransmissions will result.<br />
The default value is 5 seconds.<br />
NOTE<br />
The OSPF st<strong>and</strong>ard specifies that wait times are equal to the dead router wait interval.<br />
OSPF Configuration Example<br />
Figure 55 is an example of an autonomous system using OSPF routers. The details of this network<br />
follow.<br />
Figure 55: OSPF configuration example<br />
Area 0<br />
IR 2 IR 1<br />
10.0.1.1<br />
10.0.1.2<br />
Headquarters<br />
ABR 2<br />
10.0.3.2<br />
HQ_10_0_3<br />
10.0.3.1<br />
ABR 1<br />
HQ_10_0_2<br />
10.0.2.1<br />
10.0.2.2<br />
160.26.25.1 160.26.26.1<br />
Virtual link<br />
Chi_160_26_26<br />
161.48.2.2<br />
Los Angeles<br />
LA_161_48_2<br />
161.48.2.1<br />
160.26.26.2<br />
160.26.25.2<br />
Chicago<br />
Area 5<br />
Area 6 (stub)<br />
EW_018<br />
Area 0 is the backbone area. It is located at the headquarters <strong>and</strong> has the following characteristics:<br />
• Two internal routers (IR1 <strong>and</strong> IR2)<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 343
Interior Gateway Protocols<br />
• Two area border routers (ABR1 <strong>and</strong> ABR2)<br />
• Network number 10.0.x.x<br />
• Two identified VLANs (HQ_10_0_2 <strong>and</strong> HQ_10_0_3)<br />
Area 5 is connected to the backbone area by way of ABR1 <strong>and</strong> ABR2. It is located in Chicago <strong>and</strong> has<br />
the following characteristics:<br />
• Network number 160.26.x.x<br />
• One identified VLAN (Chi_160_26_26)<br />
• Two internal routers<br />
Area 6 is a stub area connected to the backbone by way of ABR1. It is located in Los Angeles <strong>and</strong> has<br />
the following characteristics:<br />
• Network number 161.48.x.x<br />
• One identified VLAN (LA_161_48_2)<br />
• Three internal routers<br />
• Uses default routes for inter-area routing<br />
Two router configurations for the example in Figure 55 are provided in the following section.<br />
Configuration for ABR1<br />
The router labeled ABR1 has the following configuration:<br />
create vlan HQ_10_0_2<br />
create vlan HQ_10_0_3<br />
create vlan LA_161_48_2<br />
create vlan Chi_160_26_26<br />
configure vlan HQ_10_0_2 ipaddress 10.0.2.1 255.255.255.0<br />
configure vlan HQ_10_0_3 ipaddress 10.0.3.1 255.255.255.0<br />
configure vlan LA_161_48_26 ipaddress 161.48.2.26 255.255.255.0<br />
configure vlan Chi_160_26_26 ipaddress 160.26.2.1 255.255.255.0<br />
create ospf area 0.0.0.5<br />
create ospf area 0.0.0.6<br />
enable ipforwarding<br />
configure ospf area 0.0.0.6 stub nosummary stub-default-cost 10<br />
configure ospf add vlan LA_161_48_2 area 0.0.0.6<br />
configure ospf add vlan Chi_160_26_26 area 0.0.0.5<br />
configure ospf add vlan all area 0.0.0.0<br />
enable ospf<br />
Configuration for IR1<br />
The router labeled IR1 has the following configuration:<br />
configure vlan HQ_10_0_1 ipaddress 10.0.1.2 255.255.255.0<br />
configure vlan HQ_10_0_2 ipaddress 10.0.2.2 255.255.255.0<br />
344 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Displaying OSPF Settings<br />
enable ipforwarding<br />
configure ospf add vlan all area 0.0.0.0<br />
enable ospf<br />
Displaying OSPF Settings<br />
There are a number of comm<strong>and</strong>s you can use to display settings for OSPF. To show global OSPF<br />
information, use the show ospf comm<strong>and</strong> with no options.<br />
To display information about one or all OSPF areas, use the following comm<strong>and</strong>:<br />
show ospf area <br />
The detail option displays information about all OSPF areas in a detail format.<br />
To display information about OSPF interfaces for an area, a VLAN, or for all interfaces, use the<br />
following comm<strong>and</strong>:<br />
show ospf interfaces {vlan | area }<br />
The detail option displays information about all OSPF interfaces in a detail format.<br />
OSPF LSDB Display<br />
<strong><strong>Extreme</strong>Ware</strong> provides several filtering criteria for the show ospf lsdb comm<strong>and</strong>. You can specify<br />
multiple search criteria <strong>and</strong> only results matching all of the criteria are displayed. This allows you to<br />
control the displayed entries in large routing tables.<br />
To display the current link-state database, use the following comm<strong>and</strong>:<br />
show ospf lsdb area [all | [/] | detail | interface | lsid<br />
[/] | lstype [all | as-external | external-type7 | network | opaque-area |<br />
opaque-global | opaque-local | router | summary-asb |summary-net| routerid<br />
[/] | stats | summary | vlan ]<br />
The detail option displays all fields of matching LSAs in a multi-line format. The summary option<br />
displays several important fields of matching LSAs, one line per LSA. The stats option displays the<br />
number of matching LSAs, but not any of their contents. If not specified, the default is to display in the<br />
summary format.<br />
A common use of this comm<strong>and</strong> is to omit all optional parameters, resulting in the following shortened<br />
form:<br />
show ospf lsdb<br />
The shortened form displays all areas <strong>and</strong> all types in a summary format.<br />
Authentication<br />
Authentication is supported at two different levels: interface, <strong>and</strong> domain or area.<br />
• Interface authentication—prevents unauthorized routers from forming adjacency. This is achieved<br />
by inserting authentication information in the Hello PDUs <strong>and</strong> validating them on the received Hello<br />
PDUs. You can configure authentication separately for level 1 <strong>and</strong> level 2.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 345
Interior Gateway Protocols<br />
• Domain or area authentication—prevents intruders from injecting invalid routing information into<br />
this router. Similar to interface authentication, this is achieved by inserting the authentication<br />
information using LSP, CSNP, <strong>and</strong> PSNP PDUs <strong>and</strong> validating them on receipt. You can configure<br />
authentication separately for level 1 <strong>and</strong> level 2.<br />
At each of the above levels two different authentication methods are supported: simple password as<br />
specified in ISO/IEC 10589, <strong>and</strong> HMAC-MD5 as specified in draft-ietf-isis-hmac-00.txt.<br />
Summarizing Level 1 IP Routing Information<br />
Level 2 routers include in their level 2 LSPs a list of all combinations (IP address, subnet mask, <strong>and</strong><br />
metric) reachable in the level 1 area attached to them. This information is gathered from the level 1 LSPs<br />
from all routers in the area. By default the combinations from all the level 1 routers are included in the<br />
level 2 LSPs. Summarization of the level 1 combinations reduces the amount of information stored on<br />
the level 2 router <strong>and</strong> helps in scaling to a large routing domain.<br />
You can configure the level 1 areas with one or more combinations for announcement in their level 2<br />
LSPs. The level 1 IP routing information is matched against the summary addresses configured on the<br />
level 1 area. Matches are included in the level 2 LSP.<br />
You can also configure the level 2 router to disregard the summary information. This effectively acts as<br />
a filter, preventing reachability information from being included in the level 2 LSP.<br />
Filtering Level 1 IP Routing Information<br />
Level 2 routers include in their level 2 LSPs a list of all combinations (IP address, subnet mask, <strong>and</strong><br />
metric) reachable in the level 1 area attached to them. This information is gathered from the level 1 LSPs<br />
from all routers in the area. By default the combinations from all the level 1 routers are included in the<br />
level 2 LSPs. Filtering the level 1 combinations prevents the advertisement of the information to other<br />
parts of the domain. This creates a network that is reachable only from routers within the area.<br />
You can configure the level 1 areas in the router with an IP access profile. The level 1 IP routing<br />
information in the level 2 LSP is matched against the access profile, <strong>and</strong> if the result is a deny, the<br />
information is not included in the level 2 LSP.<br />
Originating Default Route<br />
This feature injects IP routing information for the default route in the LSP originated by the router,<br />
thereby advertising the router as the default gateway.<br />
Injection of the default route into the level 2 subdomain <strong>and</strong> level 1 area can be controlled individually.<br />
You can configure the metric <strong>and</strong> metric type associated with the default route. You can also configure<br />
the default to be automatically generated based on the presence of a default route in the kernel routing<br />
table.<br />
Overload Bit<br />
This feature forces the router to set the overload bit (also known as the hippity bit) in its non-pseudo<br />
node link-state packets. Normally the setting of the overload bit is allowed only when a router runs into<br />
problems. For example, when a router has a memory shortage, it might be that the Link State database<br />
is not complete, resulting in an incomplete or inaccurate routing table. By setting the overload bit in its<br />
LSPs, other routers can ignore the unreliable router in their SPF calculations until the router has<br />
recovered from its problems.<br />
346 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Displaying OSPF Settings<br />
Set the overload bit when you want to prevent traffic flow.<br />
Default Routes to Nearest Level 1/2 Switch for Level 1 Only Switches<br />
When one router is a level 1 switch, the route to the nearest level 1/2 switch which attaches to a level 2<br />
backbone network may be installed in the kernel routing table of the level 1 switch.<br />
There are three kinds of level 1 only switches:<br />
• a switch that does not attach to any level 1/2 switch; it is part of a level 1 only network<br />
• a switch that attaches to at least one level 1/2 switch, but none of the level 1/2 switches are attached<br />
to a level 2 backbone network. Here the level 1 non-pseudo node LSP of the level 1/2 switches<br />
should set the attach bit to 0. A level 1 only switch will not install the default routes based on the<br />
unattached level 1/2 switch’s LSP information.<br />
• a switch that attaches to at least one level 1/2 switch, <strong>and</strong> at least one of the level 1/2 switches is<br />
attached to the level 2 backbone network. Here the level 1 non-pseudo node LSP of the level 1/2<br />
switch should set the attach bit to 1. A level 1 only switch will install the default routes based on the<br />
attached level 1/2 switch’s LSP information.<br />
The level 1/2 switch that is attached to the level 2 backbone network when at least one of area<br />
addresses of level 2 LSP received from other level 2 or level 1/2 switches is not in the list of the level 1<br />
union area address set.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 347
Interior Gateway Protocols<br />
348 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
19 IP Multicast Routing<br />
This chapter covers the following topics:<br />
• IP Multicast Routing Overview on page 349<br />
• PIM Sparse Mode (PIM-SM) Overview on page 350<br />
• IGMP Overview on page 352<br />
• Multicast Tools on page 353<br />
• Configuring IP Multicasting Routing on page 354<br />
For more information on IP multicasting, refer to the following publications:<br />
• RFC 1112 – Host Extension for IP Multicasting<br />
• RFC 2236 – Internet Group Management Protocol, Version 2<br />
• PIM-SM Version 2 – draft_ietf_pim_sm_v2_new_04<br />
The following URLs point to the Web sites for the IETF Working Groups:<br />
IEFT PIM Working Group:<br />
http://www.ietf.org/html.charters/pim-charter.html<br />
IP Multicast Routing Overview<br />
IP multicast routing is a function that allows a single IP host to send a packet to a group of IP hosts.<br />
This group of hosts can include devices that reside on the local network, within a private network, or<br />
outside of the local network.<br />
IP multicast routing consists of the following functions:<br />
• A router that can forward IP multicast packets.<br />
• A router-to-router multicast routing protocol (such as Protocol Independent Multicast- Sparse Mode<br />
(PIM-SM).<br />
• A method for the IP host to communicate its multicast group membership to a router (for example,<br />
Internet Group Management Protocol (IGMP)).<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 349
IP Multicast Routing<br />
NOTE<br />
You should configure IP unicast routing before you configure IP multicast routing.<br />
PIM Sparse Mode (PIM-SM) Overview<br />
Protocol independent Multicast-Sparse Mode (PIM-SM) routes multicast packets to multicast groups.<br />
The sparse mode protocol is designed for installations where the multicast groups are scattered over a<br />
large area such as a wide area network (WAN). PIM-SM is a router-to-router protocol, so all routers <strong>and</strong><br />
switches must upgrade to the same PIM-SM version. Summit series “e”switches use PIM-SM version 2<br />
to forward IP packets that are destined to the IP addresses in the Class D Range to multiple networks<br />
using the Multicast Routing information setup.<br />
PIM-SM is an explicit join <strong>and</strong> prune protocol that is a mixture of the shared tree <strong>and</strong> shortest path tree<br />
(SPT) models. The routers must explicitly join the group(s) in which they are interested in becoming a<br />
member, which is beneficial for large networks that have group members who are sparsely distributed.<br />
PIM-SM is not dependant on a specific unicast routing protocol. Summit series “e”switches support<br />
IGMPV2, which allows network hosts to report the multicast group membership to the switch.<br />
Using PIM-SM, the source router sends a join message to a known rendezvous point (RP). The RP is a<br />
central multicast router that is responsible for receiving <strong>and</strong> distributing multicast packets. RPs are<br />
elected by a bootstrap router (BSR). The job of the BSR is to broadcast bootstrap messages, which has a<br />
collection of RP advertisements. You may only configure the “e” series switches in static mode, to point<br />
to a non-Summit switch. In PIM edge mode, the RP address cannot be the local interface IP address. In<br />
this mode, the local router cannot act as an RP or BSR. Summit series “e”switches are not eligible to be<br />
BSRs or RPs.<br />
When a source router has a multicast packet to distribute, it encapsulates the packet in a unicast<br />
message <strong>and</strong> sends it to the RP. The RP decapsulates the multicast packet <strong>and</strong> distributes it among all<br />
member routers.<br />
When a last-hop, receiving router determines that the multicast rate has exceeded a configured<br />
threshold, that router can send an explicit join to the originating router. Once this occurs, the receiving<br />
router gets the multicast directly from the sending router, <strong>and</strong> bypasses the RP.<br />
Configuring PIM-SM<br />
You can configure two active <strong>and</strong> 254 passive interfaces on Summit series “e”switches for PIM-SM. By<br />
default the interface is configured as active. To enable the interface as passive, specify the passive<br />
keyword. The following comm<strong>and</strong> enables PIM-SM on an IP interface.<br />
configure pim add {vlan} [] {passive}<br />
The following comm<strong>and</strong> disables PIM-SM on an IP interface:<br />
configure pim delete vlan [ | all]<br />
For example, to add a VLAN named lobby, as an active interface, you would enter:<br />
configure pim add vlan lobby<br />
350 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
PIM Sparse Mode (PIM-SM) Overview<br />
In PIM edge mode, the RP address cannot be the local interface IP address. For example, in edge mode,<br />
the local router cannot act as an RP or a BSR. Use the core mode of PIM, to configure a local router as<br />
an RP or a BSR.<br />
To configure an RP <strong>and</strong> its associated groups statically, enter the following comm<strong>and</strong>:<br />
configure pim crp static [none | ] {}<br />
The access profile contains a list of multicast group accesses served by the RP.<br />
For example, the following comm<strong>and</strong> statically configures an RP <strong>and</strong> its associated groups defined in<br />
access profile rp-list:<br />
configure pim crp static 10.0.3.1 rp-list<br />
To configure the PIM hello <strong>and</strong> join/prune interval for PIM-SM timers, enter this comm<strong>and</strong>:<br />
configure pim timer vlan []<br />
Specify the intervals in seconds. The hello interval specifies the amount of time before a hello<br />
message is sent out by the PIM router. The join prune interval is the amount of time before a join or a<br />
prune comm<strong>and</strong> is executed. The valid range for both intervals is 1 to 65,519 seconds. The default for<br />
the hello interval is 30 seconds; the default for join prune is 60 seconds.<br />
Because PIM leverages the unicast routing capability that is already present in the switch, the access<br />
policy capabilities are, by nature, different. When the PIM protocol is used for routing IP multicast<br />
traffic, the switch can be configured to use an access profile to determine trusted PIM router neighbors<br />
for the VLAN on the switch running PIM. To configure a trusted neighbor policy enter the following<br />
comm<strong>and</strong>:<br />
configure pim vlan [ | all] trusted-gateway [ | none]<br />
For example, the following comm<strong>and</strong> configures a trusted neighbor policy on the VLAN backbone:<br />
configure pim vlan backbone trusted-gateway <br />
To configure the threshold (in Kbps) for switching to SPT, enter the following comm<strong>and</strong>:<br />
configure pim spt-threshold {}<br />
On leaf routers, this setting is based on data packets. On the RP, this setting is based on register packet<br />
rate in Kbps.<br />
The following comm<strong>and</strong> configures the checksum computation to either include data (for compatibility<br />
with Cisco Systems products) or to exclude data (for RFC-compliant operation), in the register message:<br />
configure pim register-checksum-to [include-data | exclude-data]<br />
Enabling <strong>and</strong> Disabling PIM-SM<br />
To enable or disable PIM-SM on the system, enter the following comm<strong>and</strong>:<br />
enable pim<br />
or<br />
disable pim<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 351
IP Multicast Routing<br />
To display the PIM configuration <strong>and</strong> statistics, enter the following comm<strong>and</strong>:<br />
show pim {detail | rp-set {}| vlan }<br />
IGMP Overview<br />
To constrain the flooding of multicast traffic, configure switch interfaces to use Internet Group<br />
Management Protocol (IGMP) snooping so that multicast traffic is forwarded only to interfaces<br />
associated with IP multicast entities. IGMP is a protocol used by an IP host to register its IP multicast<br />
group membership with a router. Periodically, the router queries the multicast group to see if the group<br />
is still in use. If the group is still active, a single IP host responds to the query, <strong>and</strong> group registration is<br />
maintained.<br />
IGMP is enabled by default on the switch. However, the switch can be configured to disable the<br />
generation of periodic IGMP query packets. IGMP should be enabled when the switch is configured to<br />
perform IP unicast or IP multicast routing.<br />
IGMP Snooping<br />
IGMP snooping is a layer 2 function of the switch. It does not require multicast routing to be enabled. In<br />
IGMP snooping, the layer 2 switch keeps track of IGMP requests, <strong>and</strong> only forwards multicast traffic to<br />
the part of the local network that requires it. IGMP snooping optimizes the usage of network<br />
b<strong>and</strong>width, <strong>and</strong> prevents multicast traffic from being flooded to parts of the local network that do not<br />
need it. The switch does not reduce any IP multicast traffic in the local multicast domain (224.0.0.x).<br />
IGMP snooping is enabled by default on the switch. If IGMP snooping is disabled, all IGMP <strong>and</strong> IP<br />
multicast traffic floods within a given VLAN. IGMP snooping expects at least one device on every<br />
VLAN to periodically generate IGMP query messages. The static IGMP snooping entries do not require<br />
periodic query. An optional optimization for IGMP snooping is the strict recognition of multicast routers<br />
only if the remote devices have joined the PIM (244.0.0.13) multicast groups.<br />
When a port sends an IGMP leave message, the switch removes the IGMP snooping entry after 1000<br />
milli-seconds (the leave time is configurable, ranging from 0 to 10000 ms). The switch sends a query to<br />
determine which ports want to remain in the multicast group. If other members of the VLAN want to<br />
remain in the multicast group, the router ignores the leave message, but the port that requests removal<br />
is removed from the IGMP snooping table.<br />
If the last port within a VLAN sends an IGMP leave message, then the router will not receive any<br />
responses to the query, <strong>and</strong> the router will remove the VLAN from the multicast group in 3 seconds.<br />
Static IGMP<br />
In order to receive multicast traffic, a host needs to explicitly join a multicast group by sending an<br />
IGMP request, then the traffic is forwarded to that host. There are situations where you would like<br />
multicast traffic to be forwarded to a port where a multicast enabled host is not available (for example,<br />
testing multicast configurations). Static IGMP emulates a host or router attached to a switch port, so<br />
that multicast traffic will be forwarded to that port. Emulate a host to forward a particular multicast<br />
group to a port; emulate a router to forward all multicast groups to a port. Use the following comm<strong>and</strong><br />
to emulate a host on a port:<br />
configure igmp snooping vlan ports add static group <br />
352 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Multicast Tools<br />
Use the following comm<strong>and</strong> to emulate a multicast router on a port:<br />
configure igmp snooping vlan ports add static router<br />
To remove these entries, use the corresponding comm<strong>and</strong>:<br />
configure igmp snooping vlan ports delete static group [ | all]<br />
configure igmp snooping vlan ports delete static router<br />
To display the IGMP snooping static groups, use the following comm<strong>and</strong>:<br />
show igmp snooping {vlan } static group<br />
IGMP Snooping Filters<br />
IGMP snooping filters allow you to configure an access profile on a port to allow or deny IGMP report<br />
<strong>and</strong> leave packets coming into the port. For details on creating access profiles, see the section, “Routing<br />
Access Profiles” on page 195. For the access profiles used as IGMP snooping filters, all the profile entries<br />
should IP address type entries, <strong>and</strong> the IP address of each entry must be in the class-D multicast<br />
address space, but should not be in the multicast control packet range (224.0.0.x/24). After you have<br />
created an access profile, use the following comm<strong>and</strong> to associate the access profile <strong>and</strong> filter with a set<br />
of ports:<br />
configure igmp snooping vlan ports filter [ |<br />
none]<br />
To remove the filter, use the none option as shown in the following example:<br />
configure igmp snooping vlan ports filter none<br />
To display the IGMP snooping filters, use the following comm<strong>and</strong>:<br />
show igmp snooping {vlan } filter<br />
Multicast Tools<br />
<strong><strong>Extreme</strong>Ware</strong> provides two commonly available tools to monitor <strong>and</strong> troubleshoot IP multicast, mrinfo<br />
<strong>and</strong> mtrace.<br />
Mrinfo<br />
The multicast router information tool, (mrinfo), requests information from a router that could be used<br />
for tracing <strong>and</strong> troubleshooting. A request is sent to a multicast router, <strong>and</strong> the router responds with the<br />
following information:<br />
• code version<br />
• system multicast information<br />
• interface information<br />
— interface IP address<br />
— interface multicast capabilities<br />
— metric configured on the interface<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 353
IP Multicast Routing<br />
— threshold configured on the interface<br />
— count <strong>and</strong> IP address of the neighbors discovered on the interface<br />
Use the following comm<strong>and</strong> to send an mrinfo request:<br />
mrinfo {from } {timeout }<br />
Mtrace<br />
Multicast trace (mtrace) relies on a feature of multicast routers that is accessed using the IGMP protocol.<br />
Since multicast uses reverse path forwarding, a multicast trace is run from the destination to the source.<br />
A query packet is sent to the last-hop multicast router. This router builds a trace response packet, fills in<br />
a report for its hop, <strong>and</strong> forwards the packet to the next upstream router. As the request is forwarded,<br />
each router in turn adds its own report to the trace response. When the request reaches the first-hop<br />
router, the filled in request is sent back to the system requesting the trace. The request will also be<br />
returned if the maximum hop limit is reached.<br />
If a router does not support the mtrace functionality, it will silently drop the request packet <strong>and</strong> no<br />
information will be returned. For this situation, you could send the trace with a small number of<br />
maximum hops allowed, increasing the number of hops as the stream is traced.<br />
The group IP address must be in the class-D multicast address space, but should not be in the multicast<br />
control subnet range (224.0.0.x/24).<br />
Use the following comm<strong>and</strong> to trace a multicast stream:<br />
mtrace source {destination } {group } {from } {gateway } {timeout } {maximum-hops }<br />
Configuring IP Multicasting Routing<br />
To configure IP multicast routing, you must do the following:<br />
1 Configure the system for IP unicast routing.<br />
2 Enable multicast routing on the interface using the following comm<strong>and</strong>:<br />
enable ipmcforwarding {vlan }<br />
3 Enable PIM on all IP multicast routing interfaces using the following comm<strong>and</strong>:<br />
configure pim add {vlan} [] {passive}<br />
If the vlan option is not supplied, IP multicast cache (ipmc) routing is enabled or disabled on all<br />
VLANs. Due to hardware limitations, a port can only be placed into a single VLAN that has IP<br />
multicast routing enabled.<br />
4 Enable PIM on the router using one of the following comm<strong>and</strong>s:<br />
enable pim<br />
Example—Configuration for IR1<br />
The router labeled IR1 has the following configuration:<br />
configure vlan HQ_10_0_1 ipaddress 10.0.1.2 255.255.255.0<br />
354 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring IP Multicasting Routing<br />
configure vlan HQ_10_0_2 ipaddress 10.0.2.2 255.255.255.0<br />
configure ospf add vlan all area 0.0.0.0<br />
enable ipforwarding<br />
enable ospf<br />
enable ipmcforwarding<br />
configure pim add vlan HQ_10_0_1<br />
configure pim add vlan HQ_10_0_2<br />
enable pim<br />
The following example configures PIM-SM.<br />
Figure 56: IP multicast routing using PIM-SM configuration example<br />
Area 0<br />
IR 2<br />
10.0.1.1 10.0.1.2<br />
IR 1<br />
10.0.3.2<br />
HQ_10_0_1<br />
10.0.2.2<br />
Headquarters<br />
ABR 2<br />
10.0.3.1 ABR 1 10.0.2.1<br />
HQ_10_0_3<br />
HQ_10_0_2<br />
HQ_10_10_4<br />
Rendezvous<br />
point<br />
160.26.25.1 160.26.26.1<br />
Virtual link<br />
Chi_160_26_26<br />
161.48.2.2<br />
LA_161_48_2<br />
161.48.2.1<br />
Los Angeles<br />
160.26.26.2<br />
Chicago<br />
160.26.25.2 Chi_160_26_24<br />
Area 5<br />
Area 6 (stub)<br />
EW_018<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 355
IP Multicast Routing<br />
356 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Part 3<br />
Managing Wireless <strong>Networks</strong>
20 Wireless Networking<br />
This chapter describes wireless networking using an Summit 3800 family switch <strong>and</strong> the Altitude 300<br />
<strong>and</strong> includes information on the following topics:<br />
• Overview of Wireless Networking on page 359<br />
• Wireless Devices on page 360<br />
• Bridging on page 361<br />
• Managing the Altitude 300 on page 362<br />
• Configuring RF Properties on page 363<br />
• Configuring RF Monitoring on page 366<br />
• Performing Client Scanning on page 370<br />
• Collecting Client History Statistics on page 372<br />
• Configuring Wireless Switch Properties on page 375<br />
• Configuring Wireless Ports on page 377<br />
• Configuring Wireless Interfaces on page 378<br />
• Configuring Inter-Access Point Protocol (IAPP) on page 380<br />
• Event Logging <strong>and</strong> Reporting on page 380<br />
• Enabling SVP to Support Voice Over IP on page 381<br />
Overview of Wireless Networking<br />
The Summit 300 switch <strong>and</strong> the Altitude 300 extend network service to wireless 802.11a/b/g clients<br />
within a fully integrated network infrastructure. Ports on the Summit 300 switch h<strong>and</strong>le all of the<br />
management functions typically associated with an access point. The Altitude 300 serves as the radio<br />
transmitter <strong>and</strong> receiver, inheriting configuration information as soon as it is attached to the switch <strong>and</strong><br />
as changes are made to the wireless profiles after the system is deployed.<br />
Figure 57 shows a sample network configuration. The Summit 300 switch provides switching service<br />
across the wired <strong>and</strong> wireless network. Each port on the switch is configured with a “personality” that<br />
identifies its function.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 359
Wireless Networking<br />
Figure 57: Sample integrated wired <strong>and</strong> wireless network<br />
Summit 300-48<br />
Altitude 300<br />
Wireless<br />
clients<br />
Altitude 300<br />
Wired network<br />
Wireless<br />
clients<br />
LB48018A<br />
This arrangement is part of the <strong>Extreme</strong> Unified Access Architecture, which is designed to support both<br />
wired <strong>and</strong> wireless networks from a single network switch. Because the intelligence normally associated<br />
with an access point is maintained in the Summit 300 switch, the cost of implementing radio access is<br />
greatly reduced. The network can still be exp<strong>and</strong>ed as needed, but it becomes much easier to maintain<br />
security <strong>and</strong> reliability at reduced cost.<br />
Summary of Wireless Features<br />
The Summit 300 switch supports the following wireless features:<br />
• Simultaneous support for 802.11A, 802.11B, <strong>and</strong> 802.11G<br />
• EAP authentication for 802.1X devices—PEAP, EAP-TLS, <strong>and</strong> EAP-TTLS<br />
• WPA using TKIP <strong>and</strong> AES<br />
• Detachable Altitude 300-2d antenna<br />
• Integrated Altitude 300-2i antenna<br />
• Per-user VLAN classification<br />
• AccessAdapt management<br />
• Remote troubleshooting<br />
• Easy upgrading of wireless ports<br />
• Detailed reports <strong>and</strong> logging<br />
Wireless Devices<br />
Ports on the Summit 300 switch adopt the “personality” of the device to be connected. Each port<br />
contains separately configurable interfaces for each of its two radios (A <strong>and</strong> G).<br />
In addition to traditional wired devices, the Summit 300 switch supports the Altitude 300 <strong>and</strong> devices<br />
that rely on Power over Ethernet (PoE). Third party access points can connect to the Summit 300 switch<br />
as a layer 2 device.<br />
360 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Bridging<br />
Physical security for the wireless networks ceases to be a problem at the wireless access location,<br />
because the Altitude 300 does not store any configuration settings. Information is loaded as needed<br />
from the switch. Even if the Altitude 300 is physically moved, it can only be reconnected to another<br />
Summit switch.<br />
You can set network policies at layers 2 <strong>and</strong> 3 to cover both the wired <strong>and</strong> wireless networks. In this<br />
way you can block access to individuals suspected of intrusion across the entire network infrastructure.<br />
Altitude Antennas<br />
The switch automatically detects whether the Altitude 300 has an integrated or detachable antenna.<br />
Both the Altitude 300-2i integrated antenna <strong>and</strong> the detachable Altitude 300-2d antenna are compatible<br />
with the Product Name switch.<br />
To setup the switch to correctly use an antenna you need to set the country code. If you are using the<br />
Altitude 300-2d detachable antenna, you need to also configure the antenna for indoor or outdoor use to<br />
comply with regulatory requirements.<br />
To configure the antenna type as indoor or outdoor, to comply with regulatory requirements, use the<br />
following comm<strong>and</strong>:<br />
configure wireless ports [ | all] antenna-location <br />
NOTE<br />
You cannot configure an integrated antenna for outdoor use.<br />
To set the country code for the antenna, configure the country code on the switch using the following<br />
comm<strong>and</strong>:<br />
configure wireless country-code <br />
You can then connect the antenna to the Altitude 300. The switch recognizes the correct<br />
regulatory-domain for the antenna <strong>and</strong> allows the antenna to start operating. For more information on<br />
configuring county codes, see “Configuring Country Codes” on page 909.<br />
Bridging<br />
Wireless bridging on an Summit 300 switch allows wireless users within the same VLAN to<br />
communicate with other wireless users on the same Summit 300 switch using layer 2 bridging. Wireless<br />
bridging can be enabled or disabled for each interface of a wireless port, <strong>and</strong> the setting is locally<br />
significant on each Altitude 300. This setting does not prevent bridging between wired <strong>and</strong> wireless<br />
MAC addresses in the same VLAN or between remote wireless stations associated with a remote<br />
Altitude 300. To configure wireless bridging, use the following comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] wireless-bridging [on | off]<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 361
Wireless Networking<br />
Managing the Altitude 300<br />
It is not necessary to configure the individual Altitude 300 ports. You set port attributes on the<br />
Summit 300 switch, copying them as needed to new ports that you configure. Each time you make a<br />
change to wireless configuration on the switch, that change is implemented in the wireless network.<br />
Upgrading wireless software becomes extremely easy, since it is only necessary to upgrade the switch,<br />
<strong>and</strong> not the Altitude 300s.<br />
Device management is flexible. From the management system you can enable <strong>and</strong> disable individual<br />
wireless ports or sets of ports based on time, user, or location. You manage the wireless ports from the<br />
wired IP network.<br />
Profiles are available for security <strong>and</strong> RF parameters. Profiles function as templates, eliminating the<br />
need to issue repetitive comm<strong>and</strong>s <strong>and</strong> thereby simplifying the process of updating configuration<br />
information over multiple ports. You assign profiles to each interface (A or G) on a port <strong>and</strong> share the<br />
profiles across ports. Unless otherwise specified, a default profile is automatically assigned to each new<br />
wireless port.<br />
Follow this process to configure wireless ports on the Summit switch:<br />
1 Designate a VLAN as the wireless management VLAN, or use the default management<br />
VLAN.Create RF-profiles.<br />
2 Create security profiles <strong>and</strong> configure security parameters for each. The security profile includes<br />
ess-name.<br />
3 Configure wireless ports on the switch by assigning RF profiles <strong>and</strong> security profiles.<br />
4 Configure a specific channel (determined from a site survey), if desired, on each interface. If you do<br />
not configure a specific channel, the switch auto-selects the channel with the least interference.<br />
5 Connect the Altitude 300.<br />
After this process is complete, clients can access your network through the Altitude 300.<br />
Wireless Show Comm<strong>and</strong>s<br />
The show comm<strong>and</strong>s described in this section can be used to display information on wireless port<br />
configuration, RF profiles, security profiles, <strong>and</strong> stations.<br />
Use the following comm<strong>and</strong> to list the data rates <strong>and</strong> channel for a selected port <strong>and</strong> interface:<br />
show wireless ports [ | all] interface [1 | 2] rf-status {detail}<br />
Each wireless port on the switch contains two interfaces. Interface 1 supports 802.11a, <strong>and</strong> interface 2<br />
supports 802.11b/g radio signals. The show wireless ports interface rf-status comm<strong>and</strong><br />
allows you to display information about one of the two individual interfaces (1|2) on a port or ports.<br />
Use the following comm<strong>and</strong> to list dot1x <strong>and</strong> network authorization modes for a selected port <strong>and</strong><br />
interface:<br />
show wireless ports [ | all] interface [1 |2] stats<br />
This comm<strong>and</strong> displays Wired Equivalent Privacy (WEP) protocol, authentication, dot1x, <strong>and</strong> ESS name<br />
information for the selected port <strong>and</strong> interface.<br />
Use the following comm<strong>and</strong> to check the basic wireless configuration on a switch:<br />
362 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring RF Properties<br />
show wireless configuration<br />
This comm<strong>and</strong> displays the country, management VLAN, <strong>and</strong> gateway.<br />
Use the following comm<strong>and</strong> to summarize wireless configuration for a selected port <strong>and</strong> interface:<br />
show wireless ports [ | all] interface [1 | 2] configuration {detail}<br />
You can use this comm<strong>and</strong> to show in table or list format the configuration <strong>and</strong> state of the interface of<br />
the selected port or ports.<br />
Use the following comm<strong>and</strong> to list 802.11 interface statistics for a selected port <strong>and</strong> interface:<br />
show wireless ports [ | all] interface [1 |2] stats<br />
You can use this comm<strong>and</strong> to search for errors on a per interface basis.<br />
Use the following comm<strong>and</strong> to display the current state of a selected port <strong>and</strong> interface:<br />
show wireless ports [ | all] interface [1 |2] status<br />
You can use this comm<strong>and</strong> to examine RF profiles on a per wireless port basis, <strong>and</strong> view the log of a<br />
specific port or ports, filtering out the switch log.<br />
Configuring RF Properties<br />
RF profiles allow you to group RF parameters for access using a single CLI comm<strong>and</strong>. The following<br />
rules apply for RF profiles:<br />
• After you have defined a profile, subsequent changes automatically apply to all ports assigned to<br />
that profile.<br />
• Each RF profile applies to a specific interface (A, B, or G), so changing a profile only affects the<br />
specified interface.<br />
• Each Summit switch ships with default profiles for each supported wireless port.<br />
Creating an RF Profile<br />
You can use the comm<strong>and</strong>s described in this section to create RF profiles.<br />
To create a new RF profile by creating a name <strong>and</strong> associating it with an interface mode, use the<br />
following comm<strong>and</strong>:<br />
create rf-profile mode [ A | B | B_G | G ]<br />
Use this comm<strong>and</strong> to create a new RF profile without copying an existing RF profile.<br />
To create a new RF profile by copying an existing RF profile <strong>and</strong> assigning a new name, use the<br />
following comm<strong>and</strong>:<br />
create rf-profile copy <br />
Use this comm<strong>and</strong> to create a new profile identified by the string name. The copy argument specifies<br />
the name of an existing profile from which to obtain the initial values.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 363
Wireless Networking<br />
Deleting an RF Profile<br />
You can use the comm<strong>and</strong> described in this section to delete RF profiles.<br />
To delete an RF profile, use the following comm<strong>and</strong>:<br />
delete rf-profile <br />
The named profile cannot be attached to any active ports before deletion.<br />
Configuring an RF Profile<br />
You can use the configuration comm<strong>and</strong>s described in this section to set RF profile properties to specific<br />
values. Changes take effect immediately <strong>and</strong> are propagated to all ports that share a particular profile.<br />
All failures are written to the syslog.<br />
NOTE<br />
ess-name is no longer part of RF-Profile property values. It is now part of Security Profile property<br />
values.<br />
Setting the Beacon Frequency Interval<br />
A beacon is a packet that is broadcast by the Altitude 300 wireless port to synchronize the wireless<br />
network. The beacon-interval is the time in milliseconds between beacons.<br />
To specify the frequency interval of a beacon in milliseconds for an RF profile, use the following<br />
comm<strong>and</strong>:<br />
configure rf-profile beacon-interval <br />
Setting the DTIM Interval<br />
A delivery traffic indication map (DTIM) field is a countdown field informing clients of the next<br />
listening window to broadcast <strong>and</strong> multicast messages. The DTIM count is an integer value that counts<br />
down to zero. This value represents the number of beacon frames before the delivery of multicast<br />
frames. The DTIM period is the number of beacon frames between multicast frame deliveries. When the<br />
wireless port has buffered broadcast or multicast messages, it sends the next DTIM with a DTIM<br />
interval value. Its clients hear the beacons <strong>and</strong> awaken to receive the broadcast <strong>and</strong> multicast messages.<br />
To specify the interval of the DTIM in number of beacons, use the following comm<strong>and</strong>:<br />
configure rf-profile dtim-interval <br />
Clients achieve greater power savings with larger DTM intervals. However, a larger DTM interval will<br />
increase the delay before multicast frames are delivered to all stations.<br />
Setting the Fragment Size<br />
The RF profile fragment size property specifies the maximum size for a packet before data is<br />
fragmented into multiple packets. To specify the fragment size in bytes, use the following comm<strong>and</strong>:<br />
configure rf-profile frag-length <br />
364 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring RF Properties<br />
The fragment size should remain at its default setting of 2345. If you experience a high packet error rate,<br />
you may slightly increase the fragmentation threshold. Setting the fragmentation threshold too low may<br />
result in poor network performance. Only minor modifications of this value are recommended.<br />
Setting the RTS Threshold<br />
The wireless port sends request-to-send (RTS) frames to a particular receiving station <strong>and</strong> negotiates the<br />
sending of a data frame. After receiving an RTS, the wireless station responds with a CTS frame to<br />
acknowledge the right to begin transmission. Should you encounter inconsistent data flow, only minor<br />
modifications are recommended. If a network packet is smaller than the preset RTS threshold size, the<br />
RTS <strong>and</strong> clear-to-send CTS mechanism is not enabled.<br />
To specify the request to send the RTS threshold in bytes, use the following comm<strong>and</strong>:<br />
configure rf-profile rts-threshold <br />
To specify the number of transmission attempts for frames larger than the RTS threshold setting in the<br />
same RF profile, use the following comm<strong>and</strong>:<br />
configure rf-profile long-retry <br />
The long-retry value specifies the number of attempts before a frame will be discarded when a station<br />
attempts to retransmit a frame. Long retry applies to frames longer than the RTS threshold <strong>and</strong> it is set<br />
to 7 by default. A frame requiring RTS/CTS clearing is retransmitted seven times before being<br />
discarded.<br />
To specify a the number of transmission attempts of a frame smaller than the RTS threshold, use the<br />
following comm<strong>and</strong>:<br />
configure rf-profile short-retry <br />
Setting the Packet Preamble<br />
You can configure the RF profile for 802.11b using the long packet preamble. Configure the RF profile<br />
for 802.11a <strong>and</strong> 802.11g using the short packet preamble.To specify the size of the packet preamble, use<br />
the following comm<strong>and</strong>:<br />
configure rf-profile preamble [short | long]<br />
Viewing RF Profile Properties<br />
To display configuration attributes for a particular RF profile or all RF profiles, use the following<br />
comm<strong>and</strong>:<br />
show rf-profile {}<br />
Displayed RF profile properties are described in Table 46.<br />
Table 46: RF Profile Property Values<br />
Property Default Allowed Values Description<br />
beacon-interval 40 20-1000 Indicates the frequency interval of the beacon in<br />
milliseconds. A beacon is a packet broadcasted by<br />
the wireless port to synchronize the wireless network.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 365
Wireless Networking<br />
Table 46: RF Profile Property Values (Continued)<br />
Property Default Allowed Values Description<br />
frag-length 2345 256-2345 Identifies fragment size in bytes. This value should<br />
remain at its default setting of 2345. It specifies the<br />
maximum size for a packet before data is fragmented<br />
into multiple packets. If you experience a high packet<br />
error rate, you may slightly increase the fragmentation<br />
threshold. Setting the fragmentation threshold too low<br />
may result in poor network performance. Only minor<br />
modifications of this value are recommended.<br />
dtim-interval 2 1-100 Indicates the interval of the delivery traffic indication<br />
message (DTIM) in number of beacon frames. A<br />
DTIM field is a countdown field informing clients of the<br />
next window for listening to broadcast <strong>and</strong> multicast<br />
messages. When the wireless port has buffered<br />
broadcast or multicast messages, it sends the next<br />
DTIM with a DTIM Interval value. Its clients hear the<br />
beacons <strong>and</strong> awaken to receive the broadcast <strong>and</strong><br />
multicast messages.<br />
rts-threshold 2330 0-2347 Identifies request-to-send (RTS) threshold in bytes.<br />
Should you encounter inconsistent data flow, only<br />
minor modifications are recommended. If a network<br />
packet is smaller than the preset RTS threshold size,<br />
the RTS <strong>and</strong> clear-to-send (CTS) mechanism is not<br />
enabled. The wireless port sends RTS frames to a<br />
particular receiving station <strong>and</strong> negotiates the sending<br />
of a data frame. After receiving an RTS, the wireless<br />
station responds with a CTS frame to acknowledge<br />
the right to begin transmission.<br />
preamble short for A profile; short | long Reports the size of the packet preamble.<br />
long for B_G profile<br />
short-retry 4 1-255 Indicates the number of transmission attempts of a<br />
frame, the length of which is less than or equal to<br />
rts-threshold, made before a failure condition is<br />
indicated.<br />
long-retry 7 1-255 Indicates the number of transmission attempts of a<br />
frame, the length of which is greater than<br />
rts-threshold, made before a failure condition is<br />
indicated.<br />
noise floor<br />
Indicates the level above which energy will be<br />
interpreted as a signal. The value is a negative<br />
number representing dBm. Values closer to zero<br />
indicate more noise on the interface.<br />
Configuring RF Monitoring<br />
RF monitoring provides a mechanism to collect network statistics about link utilization <strong>and</strong> channel<br />
activity. RF monitoring can provide information on the following network events:<br />
• Rogue access point detection, including alarm conditions<br />
• RF overlap levels to determine network efficiency<br />
• Notifications of newly discovered access points (APs)<br />
• Client detection upon interaction with the Altitude 300, including client state changes, <strong>and</strong> error<br />
messages<br />
366 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring RF Monitoring<br />
AP Detection<br />
Access point (AP) detection can be configured to use either of two methods: passive scan or active scan.<br />
During a passive scan, the Altitude 300 simply listens for beacons <strong>and</strong> other broadcast traffic <strong>and</strong> uses<br />
the collected information to create a database of stations it recognizes. In active scan mode, the<br />
Altitude 300 sends a probe request to elicit responses from other APs within its area.<br />
The Altitude 300 support both active <strong>and</strong> passive scans on the current operating channel. During scans<br />
operating on the current channel, the Altitude 300 continues to carry user traffic. During an<br />
“off-channel” scan, the Altitude 300 is not be available for user traffic. The effect of an off-channel scan<br />
is to disable the radio for a user-defined period of time, during which the Altitude 300 will scan other<br />
channels. All associated clients will lose connections <strong>and</strong> need to reassociate. Once the scan is complete,<br />
the radio will be returned to its previous state. You can set the scan to occur on all channels, or on a<br />
specific subset of channels at specified scheduled times.<br />
Enabling <strong>and</strong> Disabling AP Scan<br />
The comm<strong>and</strong>s described in this section are used to enable <strong>and</strong> disable access point (AP) detection.<br />
To start a wireless port on-channel scan for the indicated port or ports <strong>and</strong> interface for the Altitude 300,<br />
use the following comm<strong>and</strong>:<br />
enable wireless ports interface [1 |2] ap-scan<br />
The Altitude 300 continues to carry user traffic during scans operating on the current channel<br />
(“on-channel” scans).<br />
To stop an on-channel wireless port scan for the indicated port or ports <strong>and</strong> interface for the<br />
Altitude 300, use the following comm<strong>and</strong>:<br />
disable wireless ports interface [1 |2] ap-scan<br />
To start the access point (AP) scan on the indicated interface at the specified time, use the following<br />
comm<strong>and</strong>:<br />
enable wireless ports interface [1 | 2] ap-scan off-channel [at | every]<br />
<br />
During an “off-channel” scan, the Altitude 300 is not available for user traffic.<br />
To schedule the stopping of the access point (AP) scan on the indicated interface at the specified time,<br />
use the following comm<strong>and</strong>:<br />
disable wireless ports interface [1 | 2] ap-scan off-channel [at | every]<br />
<br />
Configuring AP Scan<br />
The comm<strong>and</strong>s described in this section are used to configure access point (AP) detection.<br />
To add or remove specific channels for the off-channel AP scan, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan off-channel [add<br />
| del] {current-channel | all-channels | every-channel}<br />
Use this comm<strong>and</strong> when the AP scan must be started on a particular interface.<br />
To enable the sending of probes for active scanning, use the following comm<strong>and</strong>:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 367
Wireless Networking<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan send-probe <br />
To configure the interval between probe request packets for active off-channel scanning, use the<br />
following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan probe-interval<br />
<br />
Use this comm<strong>and</strong> to send probe requests at particular intervals on a selected channel during an AP<br />
scan.<br />
To set the maximum time an off-channel scan waits at a particular channel, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan off-channel<br />
max-wait <br />
To set the minimum time an off-channel scan waits at a particular channel, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan off-channel<br />
min-wait <br />
To have the AP scan to send an SNMP trap when new stations are added to the results table, use the<br />
following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan added-trap [on |<br />
off]<br />
Use this comm<strong>and</strong> when an SNMP-based remote management application is used to monitor the<br />
network.<br />
To have the AP scan to send an SNMP trap when new stations are removed from the results table, use<br />
the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan removed-trap<br />
[on | off]<br />
Use this comm<strong>and</strong> to see a trap when stations are removed from the results table.<br />
To configure the AP scan to send an SNMP trap when information about an AP has changed, use the<br />
following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan updated-trap<br />
<br />
To set the number of elements that the wireless interface stores, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan results size<br />
<br />
Use this comm<strong>and</strong> to specify the size of the results table.<br />
To set the timeout threshold that sets when entries are aged out from the table, use the following<br />
comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] ap-scan results<br />
timeout <br />
368 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring RF Monitoring<br />
Viewing AP Scan Properties <strong>and</strong> Results<br />
The comm<strong>and</strong>s described in this section are used to display access point (AP) scan properties.<br />
To display the current configuration of the scan feature for the selected ports <strong>and</strong> interface, use the<br />
following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 |2] ap-scan configuration<br />
{detail}<br />
To display a switch-wide, correlated view of the results of the access point (AP) scan, use the following<br />
comm<strong>and</strong>:<br />
show wireless ap-scan results {detail}<br />
Use this comm<strong>and</strong> to see the results of an AP scan. Use the optional keyword, detail, to see all of the<br />
fields in Table 47.<br />
Table 47: AP Scan Results (Alphabetized)<br />
Data Value<br />
APMAC<br />
Capability<br />
Channel<br />
ESS Name<br />
Last Change<br />
Min/Max/Avg RSS<br />
Network Type<br />
Number of beacons<br />
Number of probe resp<br />
Supported Rate Set<br />
WEP required/WEP authentication supported<br />
WPA<br />
First Seen<br />
Description<br />
MAC address of the discovered AP<br />
Capability field from a received information packet (in detail<br />
output only)<br />
The channel on which this AP was discovered<br />
String ESS ID I.E.<br />
Time value at which this entry was updated<br />
Received Signal Strength statistics<br />
Ad-hoc or BSSID network (in detail output only)<br />
Count of beacon packets seen from this AP (in detail output only)<br />
Count of PROBE RESP packets sent from the AP (in detail<br />
output only)<br />
List of supported rates<br />
WEP information from beacon <strong>and</strong> probe packets<br />
WPA information, including authentication <strong>and</strong> supported<br />
encryption algorithms<br />
First discovered.<br />
To display information about the AP MAC-address that is entered, use the following comm<strong>and</strong>:<br />
show wireless ap-scan results <br />
To display the status of the AP scan for the port <strong>and</strong> the interface, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1|2] ap-scan status<br />
To display information about the results of an AP scan from the port perspective, use the following<br />
comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] ap-scan results {detail}<br />
To clear the AP scan results table on any interface, use the following comm<strong>and</strong>:<br />
clear wireless ports [ | all] interface [1 | 2] ap-scan results<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 369
Wireless Networking<br />
Performing Client Scanning<br />
The client scan feature enables the management layer to receive <strong>and</strong> process PROBE REQ messages<br />
from clients. The management layer then creates an entry in the probe information table for each client<br />
it receives PROBE REQ packets from. The management layer can, optionally, send an asynchronous<br />
notification when a new entry is added to the table. Entries in the probe information table are timed out<br />
if new PROBE REQ packets are not received in some configurable window. The client scan table can be<br />
configured by network administrator to optimize memory performance.<br />
Enabling <strong>and</strong> Disabling Client Scanning<br />
The comm<strong>and</strong>s described in this section are used to enable <strong>and</strong> disable client scanning.<br />
To enable the client scan feature on the specified wireless interface, use the following comm<strong>and</strong>:<br />
enable wireless ports [ | all] interface [1 | 2] client-scan<br />
To disable the client scan feature on the specified wireless interface, use the following comm<strong>and</strong>:<br />
disable wireless ports interface [1 | 2] client-scan<br />
Configuring Client Scanning<br />
The comm<strong>and</strong>s described in this section are used to configure client scanning.<br />
To configure the maximum number of entries in the client scan information table, use the following<br />
comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] client-scan results<br />
size <br />
To configure the timeout period for entries in the client scan information table, use the following<br />
comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] client-scan results timeout<br />
<br />
To enable or disable traps from the client-scan feature when a new client is detected, use the following<br />
comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] client-scan added-trap<br />
[on |off]<br />
Enabling traps can saturate management stations if an area is heavily populated.<br />
To enable or disable traps from the client-scan feature when a new client has aged-out of the table, use<br />
the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] client-scan<br />
removed-trap [on |off]<br />
370 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Performing Client Scanning<br />
Viewing Client Scanning Properties <strong>and</strong> Results<br />
The comm<strong>and</strong>s described in this section are used to display client scanning properties <strong>and</strong> scan results<br />
<strong>and</strong> to clear information from the client scan table. .<br />
Displaying Client Scanning Information<br />
To display the current configuration of the client scan feature, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-scan configuration<br />
Displays the current configuration of the client scan feature, including:<br />
Port:<br />
The port number used in the scan<br />
Interface: 1 or 2<br />
Enabled:<br />
Send Added:<br />
Send Removed:<br />
Timeout:<br />
Max Size:<br />
Y (yes) N (no)<br />
on | off<br />
on | off<br />
Parameter specified for scan timeouts<br />
Parameter specified for the number of entries for the table<br />
To display the current contents of the probe information table, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-scan results<br />
{detail}<br />
The output of this comm<strong>and</strong> displays the probe information table, which has the following fields:<br />
Table 48: Client Scan Results<br />
Variable<br />
Intf<br />
MAC address of the source<br />
Probe REQs<br />
Last RSS<br />
Channel<br />
Last Seen<br />
Description<br />
Wireless port <strong>and</strong> interface on which this client is seen<br />
MAC address of the source<br />
Number of PROBE REQ packets seen from this source<br />
RSSI of last received PROBE REQ packet<br />
Channel on which last PROBE REQ was received<br />
Time last PROBE REQ was seen from this source<br />
Client Client is associated to the Altitude 300 (Y | N)<br />
To display the details about the specified client MAC address, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-scan results<br />
{detail)<br />
Use this comm<strong>and</strong> to check details about the clients in the client scan table.<br />
To display the overall operation of the client scan results, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-scan status<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 371
Wireless Networking<br />
The output of this comm<strong>and</strong> displays the performance results for the following variables on a per<br />
wireless interface basis.<br />
Table 49: Client Scan Performance Results Per Wireless Interface<br />
Variable<br />
CurrentTableSize<br />
TableWatermark<br />
TotalOverflows<br />
TotalTimeouts<br />
LastElement<br />
TotalProbes<br />
Description<br />
The current size of the table (in entries)<br />
The maximum size the table has been since the last reset of the<br />
historical statistics<br />
The number of times an entry has been overwritten because the<br />
table is full<br />
The number of times an entry has been aged out from the table<br />
The last time an element was added to the table<br />
The total number of probes received on this interface<br />
Clearing Client Scanning Information<br />
To clear the statistics associated with a particular client or with all clients, use the following comm<strong>and</strong>:<br />
clear wireless ports [ | all] interface [1 | 2] client-scan counters<br />
[ | all]<br />
Use this comm<strong>and</strong> to clear client scan counters on any interface: 1 or 2.<br />
To clear the contents of the client scan information table or for a specific client MAC address, use the<br />
following comm<strong>and</strong>:<br />
clear wireless ports [ | all] interface [1 | 2] client-scan results<br />
[ | all]<br />
Use this comm<strong>and</strong> to clear the client scan results on any interface: 1 or 2.<br />
Collecting Client History Statistics<br />
Client information is collected from stations when sending frames to the Altitude 300. Based on the<br />
frames the client exchanges with the Altitude 300, three types of information are collected. These types<br />
are listed below:<br />
• Current state: Current condition of the client. It is limited to clients that have sent this station an<br />
authentication request.<br />
• MAC layer: Information about the operation of the MAC transport layer as it affects this particular<br />
client. This information can be used to detect problems with Altitude 300 placement, link utilization,<br />
etc.<br />
• Historical information: View of a station through time. State transitions are preserved through a<br />
series of counters. This information can be used to debug various configuration problems.<br />
Client Current State<br />
Client current state information is available for all clients that have sent an authentication message to<br />
the Altitude 300. Information in this table is timed out if no packets have been received from the client<br />
by the configurable period of time set by the administrator.<br />
372 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Collecting Client History Statistics<br />
To displays the current wireless client state of a selected port or ports <strong>and</strong> interface, use the following<br />
comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] clients <br />
{detail}<br />
The fields of the client state table displayed with this comm<strong>and</strong> are shown in Table 50:<br />
Table 50: Client Current State Details<br />
Value<br />
Client MAC<br />
Current State<br />
Last state change<br />
Encryption Type<br />
Authentication Type<br />
ESSID<br />
Wireless Port<br />
Client VLAN<br />
Client Priority<br />
Tx Frames<br />
Rx Frames<br />
Tx Bytes<br />
Rx Bytes<br />
RSS<br />
Description<br />
MAC address of the client adapter<br />
DETECTED, AUTHED, ASSOC, or FORWARD. Indicates which part<br />
of the state machine the client is currently in.<br />
The system time when the client last changed states<br />
Type of MAC-level encryption the client is using. This is negotiated<br />
during the association state machine, so is only valid if client state is<br />
FORWARDING.<br />
Last type of authentication the client tried. In the case of a client in<br />
FORWARDING, indicates the type of authentication that granted<br />
access to the network.<br />
Extended service set identifier of the network<br />
Wireless switch port serving the client<br />
VLAN assigned to this client by a radius VSA or other mechanism.<br />
This is only valid for clients in FORWARDING.<br />
Quality of service (QoS) level for the client<br />
Number of frames transferred to the client<br />
Number of frames returned by the client<br />
Number of bytes transferred to the client<br />
Number of bytes returned by the client<br />
Received signal strength<br />
Client History Information<br />
The comm<strong>and</strong>s described in this section support debugging of individual client problems. They are<br />
designed to provide the information to assist debugging client connectivity problems that stem from<br />
non-physical layer problems (that is, WEP configuration problems).<br />
Enabling <strong>and</strong> Disabling Client History<br />
The comm<strong>and</strong>s described in this section are used to enable <strong>and</strong> disable client history collection.<br />
To set the Altitude 300 to log client historical information, use the following comm<strong>and</strong>:<br />
enable wireless ports [ | all] interface [1 | 2] client-history<br />
Use this comm<strong>and</strong> to get the detail status about each associated client.<br />
To disable logging of client historical information, use the following comm<strong>and</strong>:<br />
disable wireless ports [portlist | all] interface [1 | 2] client-history<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 373
Wireless Networking<br />
Configuring Client History<br />
The comm<strong>and</strong>s described in this section are used to configure client history collection.<br />
To configure the client history size, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] client-history size<br />
<br />
To configure the client history timeout interval, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] client-history timeout<br />
<br />
Use this comm<strong>and</strong> to specify the timeout interval for the clients in the client history table.<br />
Viewing Client History<br />
The comm<strong>and</strong>s described in this section are used to display client history information.<br />
To display the current configuration of the client history <strong>and</strong> diagnostic features, use the following<br />
comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-history<br />
configuration<br />
To display counters <strong>and</strong> errors the information collected on a per-client basis, use the following<br />
comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-history diagnostics<br />
<br />
Use this comm<strong>and</strong> to display diagnostic counters <strong>and</strong> error information contained in the<br />
extremeWirelessClientDiagTable.<br />
To display 802.11 MAC layer information collected on a per-client basis, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-history mac-layer<br />
<br />
Use this comm<strong>and</strong> to display information on the operation of the 802.11 MAC layer.<br />
To display the current status of the historical client information, use the following comm<strong>and</strong>:<br />
show wireless ports [ | all] interface [1 | 2] client-history status<br />
This comm<strong>and</strong> displays information about the client diagnostic <strong>and</strong> history database. The output has<br />
the fields shown Table 51:<br />
Table 51: Client Diagnostic <strong>and</strong> History Information<br />
Variable<br />
Enable<br />
TableSize<br />
Timeout<br />
Description<br />
This value indicates if historical information is being collected on this interface or<br />
not.<br />
This is the number of entries allowed in each of the historical client tables.<br />
This is the time, in seconds, that entries will persist in the historical client tables<br />
after the referenced client is removed from the SIB.<br />
374 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Wireless Switch Properties<br />
Table 51: Client Diagnostic <strong>and</strong> History Information (Continued)<br />
Variable<br />
CurrentSize<br />
Watermark<br />
Overflows<br />
AgeOuts<br />
Description<br />
The current number of entries in the historical client database<br />
The maximum number of entries which have ever been in the historical client<br />
database.<br />
Number of entries which have been overwritten in order to make room for a new<br />
entry.<br />
Number of entries which have been aged out of the table<br />
To clear the counters for a specific MAC address or for all clients, use the following comm<strong>and</strong>:<br />
clear wireless ports [ | all] interface [1 | 2] client-history<br />
[ | all]<br />
Although this comm<strong>and</strong> clears the counters, client entries are not removed from the client information<br />
database.<br />
Client Aging<br />
Client aging allows you to configure an aging timer for wireless stations. When a specified period of<br />
time elapses with no data traffic from the client to the Altitude 300, the client is de-authenticated <strong>and</strong><br />
removed from all client station tables for that interface. After a client is aged out, it can reassociate <strong>and</strong><br />
re-authenticate to the Altitude 300. Age-out information can be collected from such events as client<br />
station failures, station idle-timeouts, or a client abruptly leaving the wireless network without notifying<br />
the associated Altitude 300.<br />
To configure client aging parameters, use the following comm<strong>and</strong>:<br />
configure wireless ports [ | all] detected-station-timeout <br />
The timeout value is configured for each port <strong>and</strong> affects both interfaces 1 <strong>and</strong> 2.<br />
Configuring Wireless Switch Properties<br />
This section describes the wireless configuration comm<strong>and</strong>s that apply to the switch as a whole.<br />
Configuring Country Codes<br />
To configure the country identifier for the switch, use the following comm<strong>and</strong>:<br />
configure wireless country-code <br />
When the Summit 300 is set to factory defaults, you must configure the correct country code using the<br />
country code properties listed in the following table. The country code feature allows you to configure<br />
the approved 802.11a or 802.11b/g “channels” applicable to each of the supported countries.<br />
Table 52: Country Codes<br />
Australia Austria Belgium Canada China Denmark<br />
extreme_default Finl<strong>and</strong> France Germany Greece Hong_Kong<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 375
Wireless Networking<br />
Table 52: Country Codes<br />
Icel<strong>and</strong> Irel<strong>and</strong> Italy Japan Korea_Republic Liechtenstein<br />
Luxembourg Mexico Netherl<strong>and</strong>s Norway Portugal Spain<br />
Sweden Switzerl<strong>and</strong> Taiwan Thail<strong>and</strong> UK USA<br />
<strong>Extreme</strong> <strong>Networks</strong> ships the Summit 300 to be programmed with <strong>Extreme</strong> Network's special<br />
extreme_default country code, which brings up only the B/G radio in channel 6, <strong>and</strong> turns off the A<br />
radio. When an Altitude 300 wireless port is connected <strong>and</strong> the Summit 300 switch is unable to<br />
determine the country for which the Altitude is programmed, then the extreme_default country code<br />
is used. You must program the country code on the Summit 300 switch to enable the remaining<br />
channels for the desired country.<br />
The Altitude 300 wireless port is shipped with a pre-programmed code for the following countries:<br />
• North America (United States, Canada, Hong Kong)<br />
• Japan<br />
• Taiwan<br />
• European Union <strong>and</strong> the Rest of the World.<br />
If you do not program the country code in the Summit 300, then the switch inherits the country code of<br />
the first Altitude 300 wireless port that connects to it, if the Altitude is not programmed for the<br />
'European Union <strong>and</strong> the Rest of World.<br />
If there is a mismatch between the country codes between the Altitude 300 wireless port <strong>and</strong> the code<br />
programmed on the Summit 300 the Altitude 300 wireless port is not allowed to come up.<br />
Configuring the Default Gateway<br />
To configure the default gateway IP address, use the following comm<strong>and</strong>:<br />
configure wireless default-gateway <br />
The wireless default gateway IP address is usually set to the wireless management VLAN address. This<br />
address is used by all wireless client traffic whose destination is upstream switches.<br />
Configuring the Management VLAN<br />
To identify the VLAN on which the Altitude 300 wireless port communicates with the switch, use the<br />
following comm<strong>and</strong>:<br />
configure wireless management-vlan <br />
Identifying the VLAN on which the Altitude 300 wireless port communicates with the switch is<br />
required before wireless features can work. This VLAN can be the default VLAN <strong>and</strong> it can either have<br />
a public or private IP address. This VLAN is a tagged or untagged VLAN on which all the Altitude 300<br />
devices are connected to untagged ports.<br />
376 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Wireless Ports<br />
Configuring Wireless Ports<br />
This section describes the wireless configuration comm<strong>and</strong>s that apply to a particular port or set<br />
of ports.<br />
Enabling <strong>and</strong> Disabling Wireless Ports<br />
The comm<strong>and</strong>s described in this section are used to enable <strong>and</strong> disable wireless port properties.<br />
To administratively enable a wireless port for use, use the following comm<strong>and</strong>:<br />
enable wireless ports <br />
To administratively disable a wireless port for use, use the following comm<strong>and</strong>:<br />
disable wireless ports <br />
To enable the specified port or ports every day at the specified hour, use the following comm<strong>and</strong>:<br />
enable wireless ports every <br />
Use this comm<strong>and</strong> to automatically enable wireless ports according to a daily schedule. The selected<br />
port or ports will be enabled each day on the specified hour.<br />
To disable the specified port or ports every day at the specified hour, use the following comm<strong>and</strong>:<br />
disable wireless ports every <br />
To enable the specified ports at a particular date <strong>and</strong> hour, use the following comm<strong>and</strong>:<br />
enable wireless ports time <br />
To disable the specified ports at a particular date <strong>and</strong> hour, use the following comm<strong>and</strong>:<br />
disable wireless ports time <br />
To cancel previously scheduled enable or disable scheduling comm<strong>and</strong>s for the port, use the following<br />
comm<strong>and</strong>:<br />
disable wireless ports cancel-scheduler<br />
Configuring Wireless Port Properties<br />
The comm<strong>and</strong>s described in this section are used to configure the wireless port properties listed in<br />
Table 53:<br />
Table 53: Wireless Port Configuration Property Values<br />
Property Default Allowed Values Description<br />
health-check on off | on Indicates whether the health check<br />
reset function is on or off. This<br />
determines whether the port should<br />
be reset if the health check timer<br />
expires.<br />
location “Unknown Location” N/A Identifies the location to be<br />
configured.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 377
Wireless Networking<br />
To configure whether the health check reset function is on or off for the specified port or ports, use the<br />
following comm<strong>and</strong>:<br />
configure wireless ports [ | all] health-check [on | off]<br />
This comm<strong>and</strong> determines whether the port is reset if the health check timer expires.<br />
To configure the physical location of the AP for the specified port or ports, use the following comm<strong>and</strong>:<br />
configure wireless ports location <br />
Use this comm<strong>and</strong> to indicate the physical location of the AP for the specified port or ports. For<br />
example, you could designate a physical location as follows: bldg 1, pole 14, cube 7. Funk Radius<br />
can use this attribute for authentication.<br />
To reset selected wireless ports to their default values, use the following comm<strong>and</strong>:<br />
reset wireless ports <br />
Use this comm<strong>and</strong> to return a port the default values. (See Table 53 for default values.)<br />
Force disassociation permits client user disassociation based on a recurring schedule, a date <strong>and</strong> time, or<br />
a particular MAC address. You can also disassociate a user immediately. You can specify access based<br />
on a preferred time periods, such as during off-hours, weekends, <strong>and</strong> holidays. You can also set up a<br />
user policy on a RADIUS server to allow user authentication based on time of day.<br />
To configure the client force-disassociation capability, use the following comm<strong>and</strong>:<br />
configure wireless ports force-disassociation [all-clients [every | time <br />
] | cancel-scheduler | ]<br />
Configuring Wireless Interfaces<br />
Each wireless port on the Summit 300 switch contains two interfaces. Interface 1 (A radio) supports<br />
802.11a, <strong>and</strong> interface 2 (B radio) supports 802.11b <strong>and</strong> 802.11g radio signals. The configure wireless<br />
interface comm<strong>and</strong>s allow you to configure one of the two individual interfaces (1|2) on a port or<br />
ports. You can move an interface from one profile to another without having to shut it down.<br />
Enabling <strong>and</strong> Disabling Wireless Interfaces<br />
The comm<strong>and</strong>s described in this section are used to enable <strong>and</strong> disable wireless port interface<br />
properties.<br />
To enable a specified port interface, use the following comm<strong>and</strong>:<br />
enable wireless ports interface [1 | 2]\<br />
To disable a specified port interface, use the following comm<strong>and</strong>:<br />
disable wireless ports interface [1 | 2]<br />
Configuring Wireless Interfaces<br />
The comm<strong>and</strong>s described in this section are used to configure wireless port interface properties.<br />
378 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Wireless Interfaces<br />
To attach a port or ports <strong>and</strong> interface to an RF profile, use the following comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] rf-profile <br />
All ports in the port list must have the same wireless port version.<br />
To set the maximum number of clients that can connect simultaneously to a wireless interface, use the<br />
following comm<strong>and</strong>:<br />
configure wireless ports [ | all] interface [1 | 2] max-clients <br />
Valid max-client values range from 0 (zero) to 128.<br />
To configure the power-level for a specified interface, use the following comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] power-level <br />
Valid power level values are:<br />
• Full<br />
• Half<br />
• Quarter<br />
• One-eighth<br />
• Min (minimum)<br />
If there is radio interference from other devices, then you can adjust the power level to an appropriate<br />
level below full power.<br />
To attach a port or ports <strong>and</strong> interface to a security profile, use the following comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] security-profile <br />
All ports in the port list must have the same wireless port version.<br />
To configure a transmission rate for the specified port, use the following comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] transmit-rate <br />
Valid transmission rate values are shown in Table 54.<br />
Table 54: Valid transmission rate values<br />
Mode<br />
A<br />
B<br />
G<br />
Valid Transmission Rate<br />
6, 9, 12, 18, 24, 36, 48, 54, auto<br />
1, 2, 5.5, 11, auto<br />
1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54, auto<br />
To configure a channel for a specified interface, use the following comm<strong>and</strong>:<br />
configure wireless ports interface [1 | 2] channel {0 | }<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 379
Wireless Networking<br />
Valid channel values are shown in Table 55.<br />
Table 55: Valid wireless interface channel values<br />
WLAN St<strong>and</strong>ard<br />
Valid Channels<br />
802.11a 0 (auto), 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157,<br />
161, 165, 169, (34, 38, 42, 46 for Japan)<br />
802.11b <strong>and</strong> 802.11g 0 (auto), 1-14 (Must be valid entry for the country code<br />
range; e.g., valid range for USA is 1-11.)<br />
To force the wireless port interface to reset, use the following comm<strong>and</strong>:<br />
reset wireless ports interface [1 | 2]<br />
Configuring Inter-Access Point Protocol (IAPP)<br />
Inter-Access Point Protocol (IAPP) facilitates seamless roaming of wireless stations between access<br />
points (APs). IAPP operations are not configurable. Control is limited to enabling or disabling IAPP on<br />
a per interface basis. Debug tracing can be enabled for IAPP to troubleshoot IAPP scenarios.<br />
To enable IAPP on a per interface basis, use the following comm<strong>and</strong>:<br />
enable wireless ports [ | all] interface [1 | 2] iapp<br />
IAPP uses layer 2 updates to allow connected layer 2 devices to update forwarding tables with the<br />
address of the client. The AP sends the updates on behalf of the clients by inserting the MAC address of<br />
the mobile station in the source address. The switch looks up the UDP request packet on the local<br />
subnet that contains the AP MAC address which contains the needed IP address. All APs on the subnet<br />
receive this message. The AP with the matching MAC address sends a unicast response packet with its<br />
IP address.<br />
To disable IAPP on a per interface basis, use the following comm<strong>and</strong>:<br />
disable wireless ports [ | all] interface [1 | 2] iapp<br />
To enable debug tracing for IAPP on a per interface basis to troubleshoot IAPP scenarios, use the<br />
following comm<strong>and</strong>:<br />
configure debug-trace wireless ports [ | all] iapp <br />
The valid debug level range is 0 (off) to 5, corresponding to increasing levels of debug detail.<br />
Event Logging <strong>and</strong> Reporting<br />
The Summit 300 switch supports the following enhancements for wireless event logging <strong>and</strong> reporting<br />
with respect to the Altitude 300 local log, which is filtered on a per port basis:<br />
• Enumerated type fields are included in syslog messages for filtering by external tools.<br />
• An additional CLI comm<strong>and</strong> is included for more granularity, as described below<br />
To display the local Altitude 300 event log of the selected port or ports, use the following comm<strong>and</strong>:<br />
show wireless ports [| all] {summary} log<br />
380 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Enabling SVP to Support Voice Over IP<br />
You can use this comm<strong>and</strong> to display the Altitude 300 local log for debugging errors.<br />
Enabling SVP to Support Voice Over IP<br />
SpectraLink Voice Priority (SVP) is a voice over IP (VoIP) protocol that ensures acceptable audio quality<br />
in a mixed voice <strong>and</strong> data environment. It overcomes limitations of the 802.11 St<strong>and</strong>ard by h<strong>and</strong>ling<br />
RTP packets between the SVP gateway <strong>and</strong> h<strong>and</strong>set in a manner that is optimized for VoIP traffic over a<br />
wireless LAN (WLAN). SVP does this by:<br />
• Prioritizing voice packets on the wireless network through a packet classification scheme based on<br />
the IP protocol number for SpectraLink Radio Protocol (119).<br />
• Assigning filtered packets to high-priority outbound queues on each interface.<br />
• Disabling r<strong>and</strong>om backoff for voice packets, setting the backoff window to zero.<br />
• Queuing packets for Power Saving (PS) devices for the interval specified in the Listen Interval.<br />
NOTE<br />
Queued packets must be properly signaled in the TIM of Beacons. VoIP h<strong>and</strong>sets must be able to enter<br />
PS mode by setting the PS bit in any uplink packet.<br />
SVP control is maintained at the virtual-interface level. It can be turned on or off for each virtual<br />
interface. A separate transmit queue for SVP packet h<strong>and</strong>ling should be maintained for each interface.<br />
To enable the QoS protocol, SpectraLink Voice Protocol (SVP), for VoIP on the specified port <strong>and</strong><br />
interface., use the following comm<strong>and</strong>:<br />
enable wireless ports [ | all] interface [1 | 2] svp<br />
To disable SVP for VoIP on the specified port <strong>and</strong> interface., use the following comm<strong>and</strong>:<br />
disable wireless ports [ | all] interface [1 | 2] svp<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 381
Wireless Networking<br />
382 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
21 Power Over Ethernet<br />
This chapter explains how to configure the Summit 300 to supply power to devices using the Power<br />
over Ethernet (PoE) capability. It contains the following sections:<br />
• Overview on page 383<br />
• Port Power Management on page 384<br />
• Per-Port LEDs on page 391<br />
• Configuring Power Over Ethernet on page 391<br />
Overview<br />
Power over Ethernet (PoE), defined by the IEEE 802.3af specification, is an effective method of<br />
supplying 48 VDC power to certain types of powered devices (PDs) by way of Category 5 or Category 3<br />
twisted pair Ethernet cables. Devices include the Altitude 300 wireless port, IP telephones, laptop<br />
computers, web cameras, or other devices. With PoE, a single Ethernet cable supplies power <strong>and</strong> the<br />
data connection, thereby saving time <strong>and</strong> expense associated with separate power cabling <strong>and</strong> supply.<br />
The 802.3af specification for PoE includes a method of detection to assure that power is delivered only<br />
to devices that meet the specification.<br />
Summary of PoE Features<br />
The Summit 300 supports the following PoE features:<br />
• Configuration <strong>and</strong> control of the power distribution for PoE at the system (slot) level<br />
• Configuration <strong>and</strong> control of the power distribution for PoE at the port level<br />
• Real time detection of powered devices on the line<br />
• Monitor <strong>and</strong> control of fault conditions<br />
• Support for configuring <strong>and</strong> monitoring PoE status at the port level<br />
• Management of an over-subscribed power budget<br />
• LED control for indicating the port “power” state<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 383
Power Over Ethernet<br />
Port Power Management<br />
When you connect PDs, the Summit 300 automatically discovers <strong>and</strong> classifies those that are<br />
AF-complaint. The following functions are supported for delivering power to the port:<br />
• Enabling the port for discovery <strong>and</strong> classification<br />
• Enabling power delivery to a discovered device<br />
• Enforcing port power limits by denying power to a device that exceeds the power limit by more<br />
than approximately 10%<br />
• Enforcing class limits by denying power to a device that exceeds the class limit<br />
• Reporting <strong>and</strong> tracking port power faults<br />
• Managing power budgets <strong>and</strong> allocation<br />
• Managing port priorities<br />
For detailed information about using the PoE comm<strong>and</strong> set to configure <strong>and</strong> manage PoE, see the<br />
<strong><strong>Extreme</strong>Ware</strong> Software Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
Port Power Operator Limit<br />
Each port is configured by default. The power limit is set to the maximum of the operator limit <strong>and</strong><br />
class. You can also specify a power limit on a per-port basis using the following comm<strong>and</strong>:<br />
configure inline-power violation-precedence [advertised-class | operator-limit |<br />
max-class-operator | none] ports .<br />
Power is allowed up to maximum limit (15.4 watts on the Summit 300-24 <strong>and</strong> 20 watts on the Summit<br />
300-48). There are several options for defining a violation policy <strong>and</strong> creating a device fault:<br />
• Class violation—Power is removed if the PD consumes more than the discovered class limit.<br />
• Operator limit—Power is removed if the PD consumes more than the operator-specified limit. The<br />
PD is allowed to draw about 10% over the configured limit before power is shut off to the device.<br />
• Maximum of operator limit <strong>and</strong> class—Power is removed if the PD consumes more than the operator<br />
limit or discovered class limit, whichever is greater.<br />
• None—Power is removed if the device exceeds the maximum limit.<br />
Power Budget Management<br />
The Summit 300 software is responsible for managing overall power consumption to ensure that it does<br />
not attempt to delivery more power than is available. The Summit 300-24 has sufficient power budget to<br />
provide full 15.4 watts power on all 24 ports simultanously. The Summit 300-48 can operate half of the<br />
48 ports at full power before requiring reserve power. You can configure how the Summit 300-48 switch<br />
allocates power to devices upon power-up <strong>and</strong> in the event that available power is reduced.<br />
Reserved Power on the Summit 300-48<br />
You can reserve power for devices connected to a specific port by using the following comm<strong>and</strong>:<br />
configure inline-power reserved budget ports <br />
384 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Port Power Management<br />
Use the following comm<strong>and</strong> to specify that a user-defined limit applies the indicated port:<br />
configure inline-power violation-precedence [advertised-class | operator-limit |<br />
max-class-operator | none] ports <br />
When a new device is discovered, its defined power requirement is first subtracted from the reserved<br />
power pool. If there is sufficient reserved power on the port, the device is powered. Otherwise the<br />
remaining power is subtracted from the common pool, <strong>and</strong> the device is powered if there is sufficient<br />
reserved plus common power available. Reserved power is subtracted from the common pool <strong>and</strong><br />
unavailable to other ports. The total reserved power cannot exceed the total available power.<br />
NOTE<br />
A connected device may draw more power than the amount reserved, due to configuration error or<br />
oversight. The switch provides notification if this occurs.<br />
Common Power Pool on the Summit 300-48 Only<br />
The common power pool represents the total amount of power available on a per-slot basis, less any<br />
power reserved or allocated to currently powered devices. When a new device is discovered, its defined<br />
power requirements are subtracted from the common power pool. If the common pool does not have<br />
sufficient available power, power is not supplied to the device. In this case, the port is placed in a<br />
power-denied state. The device can be powered at a later time if more power becomes available to the<br />
common power pool due to another device disconnecting or if previously reserved power becomes<br />
available.<br />
If multiple devices are in the denied state <strong>and</strong> more power becomes available, the devices are powered<br />
in order of priority <strong>and</strong> connection.<br />
Port Connection Order (Summit 300-48 Only)<br />
The Summit 300-48 switch software tracks the order of connection for powered devices. The connection<br />
order is recorded at the time a device is first discovered <strong>and</strong> classified. The connection order is reset if<br />
the device is disconnected. This connection order is maintained even if the switch is powered down or<br />
power is interrupted, <strong>and</strong> the device must be discovered again.<br />
During system startup, ports are powered initially based only on the connection order. During normal<br />
system operations, port power order is determined first based upon priority, then discovery time. Thus,<br />
the highest priority port with the earliest discovery time is powered first.<br />
You can view the connection history for a selected port by using the following comm<strong>and</strong>:<br />
show inline-power info [detail] port
Power Over Ethernet<br />
Port Power Priorities (Summit 300-48 only)<br />
You can set the priority of a port to low, high, or critical by using the following comm<strong>and</strong>:<br />
configure inline-power priority [low | high | critical] ports <br />
Higher priority ports are given precedence in powering sequence.<br />
Port Power Reset<br />
You can set ports to experience a power-down, discover, power-up cycle without returning the power to<br />
the common pool. This allows you to reset powered devices without losing their claim to the common<br />
power pool or connection order.<br />
The following comm<strong>and</strong> power cycles the specified ports:<br />
reset inline-power ports <br />
Ports are immediately powered off <strong>and</strong> powered on, maintaining current power allocations.<br />
Port Power Budgets<br />
The st<strong>and</strong>ard 802.3af protocol permits a PD to be classified into one of 5 classes, each of which<br />
determines the maximal power draw to the power sourcing equipment (PSE). <strong>Extreme</strong> PSEs, in the<br />
default configuration, use the classification-to-power draw in performing power management <strong>and</strong><br />
budgeting.<br />
Classification is optional, <strong>and</strong> many PD devices do not support it. Therefore, under normal conditions,<br />
the <strong>Extreme</strong> PSE budgets for the maximum permitted power (15.4 watts), even though the maximum<br />
device draw may be less. This may cause fewer devices to be powered, since the power budget is<br />
prematurely exhausted. There is a wide variation in power consumption levels between 802.3af classes<br />
(~8 watts). In such cases, the power level limit (operator-limit) can be set on a per port basis. If this is<br />
done, the operator limit, rather than the discovered class limit will be used for power budgeting. It is<br />
also necessary for the violation-precedence to be set to operator-limit.<br />
Regardless of how the port power limit is derived (through automatic classification or operator limit),<br />
the port power limit is used to determine whether the overall system limit has been exceeded. Once the<br />
overall system limit is reached, additional PoE ports are powered based on the system<br />
violation-precedence setting <strong>and</strong> port power priority.<br />
The power port limit is also used during system operation to limit the power supplied to each PoE port.<br />
If a powered device attempts to draw more power than has been budgeted, the chassis will remove<br />
power from that port to prevent system overload or device damage.<br />
NOTE<br />
The operator set limit must be based upon the device manufacturer's specified maximal power draw. It<br />
must not be derived from measured device power consumption, since the power draw typically<br />
fluctuates. The operator limit allows the device to draw about 10% more than the configured limit before<br />
power is shut off to the device.<br />
Use the folowing comm<strong>and</strong> to set the maximum power available for PDs on a per port basis:<br />
386 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Port Power Management<br />
configure inline-power power-supply [redundant | load-sharing]<br />
To reset the operator limit back to the default value, use the following comm<strong>and</strong>:<br />
unconfigure inline-power operator-limit ports <br />
Use the following comm<strong>and</strong> to specify that a user-defned limit applies the indicated port.<br />
configure inline-power violation-precedence [advertised-class | operator-limit |<br />
max-class-operator | none] ports <br />
Likewise, to reset the violation precedence to the default value of max-class-operator, enter this<br />
comm<strong>and</strong>:<br />
unconfigure inline-power violation-precedence ports <br />
Port Power Budget Example:<br />
Assume that a PD device maximal draw is 9W based on the manufacturer's specification. Such a device,<br />
if classified, would be considered to be in class 3, <strong>and</strong> under the default configuration, would be<br />
budgeted to draw 15.4 watts.<br />
To budget the power based on 9W, enter the following configuration. It is assumed that the device will<br />
be connected to slot 1, port 1, with budget is set to 10W, allowing a small tolerance above manufacturer<br />
specification.<br />
Summit300# disable inline-power ports 1:1<br />
Summit300# config inline-power operator-limit 10000 port 1:1<br />
Summit300# config inline-power violation-precedence operator-limit port 1:1<br />
Port Power Events<br />
If a port has sufficient reserved power for a newly discovered <strong>and</strong> classified device, the device receives<br />
power. If additional power is required <strong>and</strong> the common pool has sufficient available power, the device<br />
is powered <strong>and</strong> the incremental power is subtracted from the common pool. If the port does not have<br />
reserved power, but sufficient power is available from the common pool, the power is subtracted from<br />
the pool.<br />
Port power budget is determined based upon the maximum class power levels or operator specification,<br />
not actual consumed power. For example, if a port is configured with an operator limit of 15.4 watts<br />
<strong>and</strong> the violation precedence is set to the operator limit, then 15.4 watts is budgeted for the port even if<br />
a 5 watt 802.3af compliant device is connected.<br />
If a sufficient mix of reserved <strong>and</strong> common power is not available, the port enters a denied state <strong>and</strong> is<br />
not given power.<br />
Ports are powered based upon their priority <strong>and</strong> discovery time. Higher priority ports with the oldest<br />
discovery time are powered first.<br />
If a device consumes more power than it is allocated by class type, it is considered a class violation. The<br />
device enters a fault state, <strong>and</strong> unreserved power is returned to the common pool. Power is also<br />
returned to the common pool if a port is disconnected. The device stays in the fault state until you<br />
explicitly clear the fault or disable the port for power.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 387
Power Over Ethernet<br />
Supporting Legacy Devices on the Summit 300-24<br />
The Summit 300-24 is capable of powering devices that are compliant to the IEEE 802.3af Power over<br />
Ethernet st<strong>and</strong>ard. The enable inline-power legacy comm<strong>and</strong> allows PoE devices build before the<br />
st<strong>and</strong>ard was approved to be powered.<br />
If all the devices connected to the switch are 802.3af st<strong>and</strong>ards compliant, it is advised to keep the<br />
default setting of disabled for legacy device support. To return legacy support to the default setting of<br />
disabled, enter the following comm<strong>and</strong>:<br />
disable inline-power legacy<br />
You can determine whether a device connected to the switch is st<strong>and</strong><strong>and</strong>s compliant or not by using the<br />
show inline-power info [detail] port
Port Power Management<br />
system, providing greater PoE power capacity. For load-sharing operation, the amount of power<br />
provided to the PoE system is the sum of the power supplied by the power supplies.<br />
NOTE<br />
With load-sharing, all PoE devices may experience a power hit if a power supply fails.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> supports a 600 W AC power supply unit (PSU), which is identical to the existing PSU<br />
except that it provides 600 W of power. To determine the wattage of the installed PSUs when the PSUs<br />
are in redundant mode, use the show inline-power comm<strong>and</strong>. If System maximum internal<br />
inline-power field indicates 480 W, that means that 600 W PSUs are installed.<br />
<strong><strong>Extreme</strong>Ware</strong> 7.3 provides new firmware to support an advanced PoE controller. Previous versions of<br />
<strong><strong>Extreme</strong>Ware</strong> 6.2a.1 cannot be used on Summit 300es containing the new PoE controller. If you attempt<br />
to install previous versions on a switch containing the new controller, an error similar to the following<br />
is generated:<br />
!Image doesn't support this<br />
hardware ERROR<br />
Redundant Operation<br />
For redundant operation, the amount of power provided to the PoE system is the minimum wattage<br />
supplied by either supply. If a power supply fails or is removed, power to the PoE system is unaffected;<br />
thus powered devices do not experience a power loss.<br />
Load-Sharing Operation<br />
For load-sharing operation, the amount of power provided to the PoE system is the sum of the power<br />
supplied by the power supplies. The maximum amount of power provided is listed in Table 56.<br />
Table 56: Power supplies<br />
Power Supplies Installed Mode Total Available Inline Power<br />
Two 600 W Redundant 450 W<br />
Two 600 W Load-sharing 480 W<br />
One 600 W N/A 450 W<br />
One 400 W, one 600 W Redundant 306 W<br />
One 400 W, one 600 W Load-sharing 480 W<br />
Two 400 W Redundant 306 W<br />
Two 400 W Load-sharing 480 W<br />
One 400 W N/A 306 W<br />
The total power used by all PoE devices must not exceed the total available inline power indicated in<br />
Table 56. If the power used exceeds the total available, power for all devices is removed. To plan for the<br />
total power load, use the PoE device manufacturer’s maximum power use specifications. Use the<br />
configure inline-power comm<strong>and</strong> to set a lower available inline power, set a limit to the amount of<br />
power available to a specific port, or set the precedence of ports if power is removed.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 389
Power Over Ethernet<br />
NOTE<br />
Do not use the output of the show inline-power comm<strong>and</strong> for planning. This output is a snapshot of<br />
current power consumption <strong>and</strong> does not reflect the maximum power use possible.<br />
If a power supply fails or is removed <strong>and</strong> the current draw of the attached devices exceeds the power<br />
supplied by the remaining power supply, the power for all devices is removed <strong>and</strong> all devices<br />
experience a power loss. After power is restored, the PoE system re-enables power to devices until the<br />
supply limit is reached. This is likely to be the single supply limit, <strong>and</strong> previously powered devices<br />
might not be repowered.<br />
Changing Modes (Summit 300-48 Switch Only)<br />
Changing power supply modes from load-sharing to redundant requires first disabling inline power on<br />
ports, as with other configuration comm<strong>and</strong>s. Changing from redundant to load-sharing is allowed<br />
without disabling inline power, as this potentially increases the inline power available to the system.<br />
To select the power supply operating mode, enter this comm<strong>and</strong>:<br />
configure inline-power power-supply [redundant | load-sharing]<br />
To return the configuration to the default value of redundant, enter this comm<strong>and</strong>:<br />
unconfigure inline-power power-supply<br />
To reset a specific slot on the Summit 300-48, enter this comm<strong>and</strong>:<br />
reset inline-power slot <br />
The power supply mode configuration affects the configuration settings as outlined in Table 57. The<br />
operator is responsible for correct system configuration. Changes between load-sharing <strong>and</strong> redundant<br />
modes resulting in invalid configurations will be rejected.<br />
Table 57: Power Parameter Restrictions<br />
Parameter<br />
Slot Power Budget<br />
Reserved-budget per Port<br />
Restriction<br />
Cannot exceed configured card maximum capacity. System issues a warning if the<br />
sum of the slot budgets exceeds the PSU capacity (based on the PSU mode setting<br />
<strong>and</strong> installed power supplies). Configuration is not rejected.<br />
The sum of the port reserved budgets cannot exceed the slot budget.<br />
The power supply mode configuration affects the configuration settings as outlined in Table 57. The<br />
operator is responsible for correct system configuration. Changes between load-sharing <strong>and</strong> redundant<br />
modes resulting in invalid configurations will be rejected.<br />
Table 58: Power Parameter Restrictions<br />
Parameter<br />
Slot Power Budget<br />
Restriction<br />
Cannot exceed configured card maximum capacity. System issues a warning if the<br />
sum of the slot budgets exceeds the PSU capacity (based on the PSU mode setting<br />
<strong>and</strong> installed power supplies). Configuration is not rejected.<br />
390 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Per-Port LEDs<br />
Table 58: Power Parameter Restrictions (Continued)<br />
Parameter<br />
Reserved-budget per Port<br />
Restriction<br />
The sum of the port reserved budgets cannot exceed the slot budget.<br />
The power supply mode configuration affects the configuration settings as outlined in Table 57. The<br />
operator is responsible for correct system configuration. Changes between load-sharing <strong>and</strong> redundant<br />
modes resulting in invalid configurations will be rejected.<br />
Table 59: Power Parameter Restrictions<br />
Parameter<br />
Slot Power Budget<br />
Reserved-budget per Port<br />
Restriction<br />
Cannot exceed configured card maximum capacity. System issues a warning if the<br />
sum of the slot budgets exceeds the PSU capacity (based on the PSU mode setting<br />
<strong>and</strong> installed power supplies). Configuration is not rejected.<br />
The sum of the port reserved budgets cannot exceed the slot budget.<br />
Per-Port LEDs<br />
The per-port LEDs indicate link <strong>and</strong> power status for PoE usage, as indicated in Table 60:<br />
Table 60: Per-Port LEDs<br />
Non-powered<br />
device<br />
Device powered<br />
Power Fault<br />
Port Disabled Link Up Link Down Activity<br />
off solid green off blinking green<br />
slow blinking<br />
amber<br />
alternating<br />
amber/green<br />
solid amber<br />
alternating<br />
amber/green<br />
slow blinking<br />
amber<br />
alternating<br />
amber/green<br />
blinking amber<br />
alternating<br />
amber/green<br />
NOTE<br />
Wait for the LED to extinguish before reconnecting to the port.<br />
Configuring Power Over Ethernet<br />
Power Over Ethernet on the Summit 300 switches support a full set of configuration <strong>and</strong> monitoring<br />
comm<strong>and</strong>s that allow you to:<br />
• Configure <strong>and</strong> control power distribution for PoE at the system (slot) level<br />
• Configure <strong>and</strong> control power distribution for PoE at the port level<br />
• Detect powered devices on the line in real time<br />
• Monitor <strong>and</strong> control fault conditions<br />
• Configure <strong>and</strong> monitor status at the port level<br />
• Manage an over-subscribed power budget<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 391
Power Over Ethernet<br />
Use the inline power comm<strong>and</strong>s described in the following sections to configure PoE on Summit 300<br />
ports. For detailed information about using the PoE comm<strong>and</strong> set to configure <strong>and</strong> manage PoE, see the<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> Comm<strong>and</strong> Reference <strong>Guide</strong>.<br />
Controlling <strong>and</strong> Monitoring System <strong>and</strong> Slot Power<br />
Use the general switch management comm<strong>and</strong>s described in this section to control <strong>and</strong> monitor power<br />
at the system level <strong>and</strong> slot level. The main power supply information <strong>and</strong> settings apply to the system.<br />
System power to the PoE controller is provided by the main PSU that provides power, temperature, <strong>and</strong><br />
fan monitoring status.<br />
Configuring System <strong>and</strong> Slot Power<br />
Before any port can be powered, the system must be enabled for power <strong>and</strong> the slot on which the port<br />
resides must be enabled for power. Ultimately, the port must also be enabled for power. The PoE<br />
comm<strong>and</strong> set lets you configure inline power at the system <strong>and</strong> slot levels. You can perform the<br />
following configuration <strong>and</strong> maintenance tasks at the system <strong>and</strong> slot levels:<br />
• Control inline power to the system<br />
• Control inline power to selected slots<br />
• Set a power usage alarm threshold<br />
• Configure a backup power source for the 48V external power supply<br />
• Replace the firmware<br />
• Clear the port connection history for a slot<br />
NOTE<br />
Configuration parameters affecting operational parameters require the port or slot to be first disabled.<br />
Controlling Inline Power to the System. You can control whether inline power is provided to the<br />
system through a set of enabling <strong>and</strong> disabling comm<strong>and</strong>s. Use the following comm<strong>and</strong> to enable inline<br />
power provided to the system:<br />
enable inline-power<br />
Disabling inline power to the system shuts down power currently provided on all slots <strong>and</strong> all ports in<br />
the system. Use the following comm<strong>and</strong> to disable inline power to the system:<br />
disable inline-power<br />
Controlling Inline Power to Slots on the Summit 300-48 only. You can control whether inline power<br />
is provided to selected slots through a set of enabling <strong>and</strong> disabling comm<strong>and</strong>s. Use the following<br />
comm<strong>and</strong> to enable inline power provided to a particular slot:<br />
enable inline-power slot <br />
Disabling inline power to selected slots shuts down power currently provided on those slots <strong>and</strong> all<br />
ports in those slots. Use the following comm<strong>and</strong> to disable inline power to a particular slot:<br />
disable inline-power slot <br />
Setting a Power Usage Alarm Threshold. You can set an alarm threshold to issue a warning if<br />
system power levels exceed that limit. The limit is expressed as a percentage of measured power to<br />
392 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Power Over Ethernet<br />
available power. The alarm threshold is shared between the system level utilization <strong>and</strong> the allocated<br />
power budget per slot. (See the configure inline-power reserved budget ports<br />
comm<strong>and</strong>.) A warning is issued if either level exceeds the threshold level set by the<br />
following comm<strong>and</strong>:<br />
configure inline-power usage-threshold <br />
To reset the power usage alarm threshold to the default value of 70%, use the following comm<strong>and</strong>:<br />
unconfigure inline-power usage-threshold<br />
Clearing Port Connection History for a Slot on the Summit 300-48 only. You can clear the port<br />
connection history for a specified slot by using the following comm<strong>and</strong>:<br />
clear inline-power connection-history slot<br />
Monitoring System <strong>and</strong> Slot Power<br />
The PoE comm<strong>and</strong> set lets you view inline power status for the system <strong>and</strong> selected slots. You can view<br />
the following information:<br />
• System power status<br />
• Slot power status<br />
• Slot power configuration<br />
• Slot power statistics<br />
Displaying System Power Status. Use the following comm<strong>and</strong> to view global inline power<br />
information for the system:<br />
show inline-power<br />
The output indicates the following inline power status information for the system:<br />
• System maximum inline power—The nominal power available, in watts.<br />
• Configured System Power Usage—The configured power usage threshold for the system, shown in<br />
watts <strong>and</strong> as a percentage of available power.<br />
Following is sample output from this comm<strong>and</strong>:<br />
Inline Power System Information<br />
System maximum inline-power: 32 watts<br />
Power Usage: 70% (22 watts)<br />
Slot Main PSU Status Backup PSU Status Firmware Status<br />
1 OFF Present, ACTIVATED Operational<br />
Displaying Slot Power Configuration on the Summit 300-48. Use the following comm<strong>and</strong> to view<br />
inline power configuration information for the specified slots:<br />
show inline-power configuration slot <br />
• Status—Indicates power status:<br />
— Enabled: The slot is available to provide power.<br />
— Disabled: The slot is not available to provide power.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 393
Power Over Ethernet<br />
• Cfg PSU Backup—Indicates the current setting of power source precedence:<br />
— Internal<br />
— None<br />
• PSU Active—Indicates the power source currently supplying power:<br />
— Internal<br />
— External<br />
• Usage Threshold—Displays the configured alarm threshold as a percentage.<br />
• Connection Order—Displays the list of ports (1 – 32) by current connection order.<br />
Following is sample output from this comm<strong>and</strong>:<br />
Slot Status Cfg PSU Backup PSU Active Usage Threshold<br />
1 Enabled Internal Internal 70%<br />
Displaying Slot Power Statistics. Use the following comm<strong>and</strong> to view inline power statistics for the<br />
specified slots:<br />
show inline-power stats slot <br />
• This comm<strong>and</strong> lets you view how many ports are faulted, powered, <strong>and</strong> waiting for power for the<br />
slot. It also lists ports by current connection order.<br />
The following is sample output from this comm<strong>and</strong> from a Summit 300-48. Output from a Summit<br />
300-24 differs slightly.<br />
PoE firmware status: Operational<br />
PoE firmware revision: 1.6<br />
Connection Order: 3 15<br />
Total ports powered: 1<br />
Total ports waiting for power: 0<br />
Total ports faulted: 0<br />
Total ports disabled: 1<br />
Controlling <strong>and</strong> Monitoring Port Power<br />
Use the comm<strong>and</strong>s described in this section to control <strong>and</strong> monitor power at the port level. Before any<br />
port can be powered, the system must be enabled for power <strong>and</strong> the slot on which the port resides must<br />
be enabled for power. Ultimately, the port must also be enabled for power.<br />
Configuring Port Power<br />
The PoE comm<strong>and</strong> set lets you configure inline power at the system <strong>and</strong> slot levels. (See “Configuring<br />
System <strong>and</strong> Slot Power” on page 392.) Power control is also provided on a per port basis. You can<br />
perform the following configuration <strong>and</strong> maintenance tasks for selected ports:<br />
• Control inline power.<br />
• Control the power detection mechanism.<br />
• Set the power limit.<br />
• Set the violation precedence.<br />
• Set the reserved power level.<br />
394 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Power Over Ethernet<br />
• Power cycle.<br />
• Clear fault conditions.<br />
• Create user-defined labels.<br />
Controlling Inline Power to Ports. You can control whether inline power is provided to selected ports<br />
through a set of enabling <strong>and</strong> disabling comm<strong>and</strong>s. Use the following comm<strong>and</strong> to enable inline power<br />
provided to selected ports:<br />
enable inline-power ports ]<br />
Disabling inline power to selected ports shuts down power currently provided to those ports. Disabling<br />
a port providing power to a powered device (PD) will immediately remove power to the PD. The<br />
system defaults to enabling power on all 10/100 ports. Use the following comm<strong>and</strong> to disable inline<br />
power to the system:<br />
disable inline-power ports ]<br />
Controlling the Power Detection Mechanism for Selected Ports on the Summit 300-48. You can<br />
control the power detection mechanism for selected ports by using the following comm<strong>and</strong>:<br />
configure inline-power detection [auto | discovery-test-only] ports <br />
Test mode forces power discovery operations; however, power is not supplied to detected PDs.<br />
To reset the power detection scheme to the default, use the following comm<strong>and</strong>:<br />
unconfigure inline-power detection ports <br />
Setting the Reserved Power Level for Selected Ports on the Summit-300-48. You can set the<br />
reserved power for selected ports by using the following comm<strong>and</strong>:<br />
configure inline-power budget slot <br />
You can specify the default value (0 mW) or you can set the reserved power wattage in the range of 0 or<br />
3000 – 20000 mW. The total power reserved may be up to but not greater than the total power for the<br />
module. If all the power available to the module is reserved, then the common power pool is empty.<br />
To reset the reserved budget to the default value, use the following comm<strong>and</strong>:<br />
unconfigure inline-power reserved-budget ports <br />
Power Cycling Selected Ports. You can power cycle selected ports by using the following comm<strong>and</strong>:<br />
reset inline-power ports <br />
Ports are immediately de-powered <strong>and</strong> re-powered, maintaining current power allocations.<br />
Clearing Fault Conditions <strong>and</strong> Statistics for Selected Ports. Use the following comm<strong>and</strong> to clear<br />
the fault condition on the selected ports:<br />
clear inline-power fault ports <br />
Use the following comm<strong>and</strong> to clear inline statistics for a selected ports:<br />
clear inline-power stats <br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 395
Power Over Ethernet<br />
Using this comm<strong>and</strong> clears to zero all the inline statistics for a selected ports displayed by the following<br />
comm<strong>and</strong>:<br />
show inline-power stats ports <br />
• State—Displays the inline power state:<br />
— Disabled<br />
— Searching<br />
— Discovered<br />
— Delivering<br />
— Faulted<br />
— Disconnected<br />
— Other<br />
— Denied<br />
• Class—Displays the class type:<br />
— “-----”: disabled or searching<br />
— “class0”: class 0 device<br />
— “class1”: class 1 device<br />
— “class2”: class 2 device<br />
— “class3”: class 3 device<br />
— “class4”: class 4 device<br />
• Absent—Displays the number of times the port was disconnected.<br />
• InvSig—Displays the number of times the port had an invalid signature.<br />
• Denied—Displays the number of times the port was denied.<br />
• Over-current—Displays the number of times the port entered an over-current state.<br />
• Short—Displays the number of times the port entered under-current state.<br />
The following is sample output from this comm<strong>and</strong> from a Summit 300-48. Output from a Summit<br />
300-24 differs slightly.<br />
Port State Class Absent InvSig Denied OverCurrent Short<br />
1:1 searching ------ 0 0 0 0 0<br />
1:2 delivering class0 0 0 0 0 0<br />
1:3 searching ------ 0 0 0 0 0<br />
1:4 searching ------ 0 0 0 0 0<br />
1:5 searching ------ 1 0 0 0 0<br />
1:6 delivering class3 0 0 0 0 0<br />
1:7 searching ------ 0 0 0 0 0<br />
1:8 searching ------ 0 0 0 0 0<br />
Use the clear inline-power stats comm<strong>and</strong> to clear inline statistics displayed by the<br />
show inline-power stats ports comm<strong>and</strong>.<br />
Creating <strong>User</strong>-Defined Labels for Selected Ports. You can create your own label for a selected<br />
power port by using the following comm<strong>and</strong> to specify a text string:<br />
configure inline-power label ports <br />
396 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring Power Over Ethernet<br />
Monitoring Port Power<br />
The PoE comm<strong>and</strong> set lets you view inline power status <strong>and</strong> configuration settings for selected ports.<br />
You can view the following information:<br />
• Port power configuration<br />
• Port power information<br />
• Port power statistics<br />
Displaying Port Power Configuration. Use the following comm<strong>and</strong> to view inline power<br />
configuration information for the specified ports:<br />
show inline-power configuration port <br />
The comm<strong>and</strong> output displays the following inline power configuration information for the specified<br />
ports:<br />
• Config—Indicates whether the port is enabled to provide power:<br />
— Enabled: The port is available to provide power.<br />
— Disabled: The port is not available to provide power.<br />
• Detect—Indicates the detect level:<br />
— Auto: The port will power up if there is enough available power.<br />
— Test: The port will not power up. Indicates a test mode to determine whether the port can be<br />
discovered.<br />
• Rsvd Pwr—Displays the amount of configured reserved power in watts.<br />
• Oper Lmt—Displays the configured operator limit in watts. The operator limit is used only with<br />
violation precedence.<br />
• Viol Prec—Displays the violation precedence settings:<br />
— ADVERTISED-LIMIT: Removes or denies power if an IEEE 802.3af-compliant powered device<br />
(PD) consumes power beyond its advertised class limit.<br />
— OPERATOR-LIMIT: Removes or denies power if the PD consumes power beyond the configured<br />
operator limit.<br />
— MAX-CLASS-OPERATOR: Removes or denies power if the PD consumes power beyond the<br />
maximum of the detected class limit or the operator limit.<br />
— NONE: Removes or denies power if the PD consumes power in excess of the regulatory<br />
maximum allowable wattage.<br />
• Label—Displays a text string, up to 13 characters in length, associated with the port.<br />
The following is sample output from this comm<strong>and</strong> from a Summit 300-48. Output from a Summit<br />
300-24 differs slightly.<br />
Port Config Detect Rsvd Pwr Oper Lmt Viol Prec Label<br />
1:1 enabled auto 0.0 15.4 max-class-operator<br />
1:2 enabled auto 10.0 15.4 advertised-limit test_port2<br />
1:3 enabled auto 0.0 15.4 max-class-operator<br />
1:4 enabled auto 0.0 15.4 max-class-operator<br />
1:5 enabled auto 0.0 15.4 max-class-operator<br />
1:6 enabled auto 0.0 15.4 max-class-operator test_port6<br />
1:7 enabled auto 0.0 15.4 max-class-operator<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 397
Power Over Ethernet<br />
Displaying Port Power Information. Use the following comm<strong>and</strong> to view inline power information<br />
for the specified ports:<br />
show inline-power info [detail] port
Configuring Power Over Ethernet<br />
— 9: Class violation<br />
— 10: Disconnect<br />
— 11: Discovery resistance, A2D fail<br />
— 12: Classify, A2D fail<br />
— 13: Sample A2D fail<br />
— 14: Device fault, A2D fail<br />
The detail comm<strong>and</strong> lists all inline power information for the selected ports. Detail output displays the<br />
following information:<br />
• Configured Admin State<br />
• Inline Power State<br />
• MIB Detect Status<br />
• Label<br />
• Violation Precedence<br />
• Operator Limit<br />
• Detection<br />
• Reserved Power<br />
• Inline Type<br />
• Connect Order<br />
• PD Class<br />
• Max Allowed Power<br />
• Measured Power<br />
• Line Voltage<br />
• Discovered Resistance<br />
• Discovered Capacitance<br />
• Current<br />
• Fault Status<br />
The following is sample output from the summary form of the comm<strong>and</strong> on a Summit 300-48. Output<br />
from a Summit 300-24 differs slightly.<br />
Following is sample output from comm<strong>and</strong>:<br />
Port State Class Connect Volts Curr Res Power Fault<br />
History (mA) (Kohms) (Watts)<br />
1:1 searching ----- 0 0.0 0 0.0 0.00 0<br />
The following example displays detail inline power information for port 1:<br />
show inline info detail port 1:1<br />
Following is sample output from detail form of the comm<strong>and</strong>:<br />
Configured Admin State: Enabled<br />
Inline Power State: searching<br />
MIB Detect SStatus: searching<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 399
Power Over Ethernet<br />
Lable:<br />
Violation Precedence: max-class-operator<br />
Operator Limit: 15400 milliwatts<br />
Detection: auto<br />
Reserved Power: 0 milliwatts<br />
Inline Type: other<br />
Connect Order: none<br />
PD Class:<br />
Max Allowed Power: 0.0 W<br />
Measured Power: 0.0 W<br />
Line Voltage: 0.0 Volts<br />
Discovered Resistance: 0.0K ohms<br />
Discovered Capacitance: 0 uF<br />
Current: 0 mA<br />
Fault Status: None<br />
400 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Part 4<br />
Appendixes
A<br />
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
This chapter describes the following topics:<br />
• <strong><strong>Extreme</strong>Ware</strong> Vista Overview on page 403<br />
• Accessing <strong><strong>Extreme</strong>Ware</strong> Vista on page 404<br />
• Navigating within <strong><strong>Extreme</strong>Ware</strong> Vista on page 406<br />
• Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista on page 407<br />
• Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports on page 429<br />
• Locating Support Information on page 444<br />
• Logging Out of <strong><strong>Extreme</strong>Ware</strong> Vista on page 448<br />
<strong><strong>Extreme</strong>Ware</strong> Vista Overview<br />
A st<strong>and</strong>ard device-management feature on the Summit “e” series of switches is <strong><strong>Extreme</strong>Ware</strong> Vista.<br />
Using a web browser, <strong><strong>Extreme</strong>Ware</strong> Vista allows you to access the switch over a TCP/IP network.<br />
<strong><strong>Extreme</strong>Ware</strong> Vista provides a subset of the comm<strong>and</strong>-line interface (CLI) in a graphical format that<br />
allows you to configure the switch <strong>and</strong> review statistical reports. However because <strong><strong>Extreme</strong>Ware</strong> Vista<br />
includes only a subset of the CLI, some comm<strong>and</strong>s for the switch are not available using <strong><strong>Extreme</strong>Ware</strong><br />
Vista. If a particular comm<strong>and</strong> is not represented in <strong><strong>Extreme</strong>Ware</strong> Vista, you must use the CLI to<br />
achieve the desired result.<br />
Before attempting to access <strong><strong>Extreme</strong>Ware</strong> Vista, ensure that:<br />
• You assign an IP address to a VLAN to access the switch. For more information on assigning an IP<br />
address, see “Configuring Switch IP Parameters” on page 43.<br />
• You have a properly configured st<strong>and</strong>ard web browser that supports frames <strong>and</strong> JavaScript (such as<br />
Netscape Navigator 3.0 or above, or Microsoft Internet Explorer 3.0 or above).<br />
Setting Up Your Browser<br />
In general, the default settings that come configured on your browser work well with <strong><strong>Extreme</strong>Ware</strong><br />
Vista. The following are recommended settings that you can use to improve the display features <strong>and</strong><br />
functions of <strong><strong>Extreme</strong>Ware</strong> Vista:<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 403
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
• After downloading a newer version of the switch image, clear the browser disk <strong>and</strong> memory cache<br />
to see the updated menus. You must clear the cache while on the main <strong><strong>Extreme</strong>Ware</strong> Vista Logon<br />
page, so that all underlying.GIF files are updated.<br />
• Check for newer versions of stored pages. Every visit to the page should be selected as a cache<br />
setting.<br />
If you are using Netscape Navigator, configure the cache option to check for changes “Every Time”<br />
you request a page.<br />
If you are using Microsoft Internet Explorer, configure the Temporary Internet Files setting to check<br />
for newer versions of stored pages by selecting “Every visit to the page.”<br />
• On older-browsers you might need to specify that images be auto-loaded.<br />
• Use a high-resolution monitor to maximize the amount of information displayed in the content<br />
frame. The recommended resolution is 1024 x 768 pixels. You can also use 800 x 600 pixels.<br />
• Turn off one or more of the browser toolbars to maximize the viewing space of the <strong><strong>Extreme</strong>Ware</strong><br />
Vista content screen.<br />
• If you will be using <strong><strong>Extreme</strong>Ware</strong> Vista to send an email to the <strong>Extreme</strong> <strong>Networks</strong> Technical Support<br />
department, configure the email settings in your browser.<br />
• Configure the browser to use the following recommended fonts:<br />
— Proportional font—Times New Roman<br />
— Fixed-width font—Courier New<br />
Accessing <strong><strong>Extreme</strong>Ware</strong> Vista<br />
After an IP address is assigned to the VLAN, you can access the default home page of the switch.<br />
1 Enter the following comm<strong>and</strong> in your browser:<br />
http://<br />
The home page for <strong><strong>Extreme</strong>Ware</strong> Vista opens as shown in Figure 58.<br />
404 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Accessing <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 58: Home page for <strong><strong>Extreme</strong>Ware</strong> Vista<br />
2 Click Logon to open the <strong>User</strong>name <strong>and</strong> Password dialog box shown in Figure 59.<br />
Figure 59: <strong>User</strong>name <strong>and</strong> Password dialog box<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 405
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
3 Type your username <strong>and</strong> password <strong>and</strong> click OK. The main page for the switch opens as shown in<br />
Figure 60.<br />
If you enter the username <strong>and</strong> password of an administrator-level account, you have access to all<br />
<strong><strong>Extreme</strong>Ware</strong> Vista pages. If you enter a user-level account name <strong>and</strong> password, you only have access to<br />
the Statistics <strong>and</strong> Support information.<br />
Figure 60: <strong><strong>Extreme</strong>Ware</strong> Vista main page<br />
Navigating within <strong><strong>Extreme</strong>Ware</strong> Vista<br />
<strong><strong>Extreme</strong>Ware</strong> Vista pages use a common HTML frameset comprised of two frames: a content frame <strong>and</strong><br />
a task frame. The content frame contains the main body of information in <strong><strong>Extreme</strong>Ware</strong> Vista. The task<br />
frame contains a menu of four buttons that correspond to the four main functions:<br />
• Configuration<br />
• Statistics<br />
• Support<br />
• Logout<br />
While these buttons can be exp<strong>and</strong>ed or contracted to display the submenu links, all four main<br />
functions are static in that they are visible at all times during the session.<br />
When you choose one of the main buttons, that menu exp<strong>and</strong>s to reveal the submenu links available<br />
under that function. If another function list is open at the time, that list contracts so that only the active<br />
menu is open.<br />
406 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
When you choose a submenu link in the task frame, the content frame populates with the<br />
corresponding data. However when you choose a new task, the content frame does not change until<br />
you choose a new a submenu link <strong>and</strong> repopulate the frame.<br />
Browser Controls<br />
Browser controls include drop-down list boxes, check boxes, <strong>and</strong> multiselect list boxes. A multiselect list<br />
box has a scrollbar on the right side of the box. Using a multiselect list box, you can select a single item,<br />
all items, a set of contiguous items, or multiple noncontiguous items. Table 61 describes how to make<br />
selections from a multiselect list box.<br />
Table 61: Multiselect List Box Key Definitions<br />
Selection Type<br />
Single item<br />
All items<br />
Contiguous items<br />
Selected noncontiguous items<br />
Key Sequence<br />
Click the item using the mouse.<br />
Click the first item, <strong>and</strong> drag to the last item.<br />
Click the first desired item, <strong>and</strong> drag to the last desired item.<br />
Hold down [Ctrl], click the first desired item, click the next desired item, <strong>and</strong><br />
so on.<br />
Status Messages<br />
Status messages are displayed at the top of the content frame. The four types of status messages are:<br />
• Information—Displays information that is useful to know before, or as a result of, changing<br />
configuration options.<br />
• Warning—Displays warnings about the switch configuration.<br />
• Error—Displays errors caused by incorrectly configured settings.<br />
• Success—Displays informational messages after you click Submit. The message displayed reads,<br />
“Request was submitted successfully.” These informational messages indicate that the operation was<br />
successful.<br />
St<strong>and</strong>alone Buttons<br />
At the bottom of some of the content frames is a section that contains st<strong>and</strong>alone buttons. St<strong>and</strong>alone<br />
buttons are used to perform tasks that are not associated with a particular configuration option. An<br />
example of this is the Reboot Switch button.<br />
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong><br />
Vista<br />
Using <strong><strong>Extreme</strong>Ware</strong> Vista, you can configure many features of a Summit “e” series switch. Click the<br />
Configuration button in the task frame to reveal the submenu links, as shown in Figure 61. These<br />
configuration tasks are described in the following sections:<br />
• IP Forwarding on page 408<br />
• License on page 409<br />
• OSPF on page 410<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 407
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
• Ports on page 415<br />
• RIP on page 417<br />
• SNMP on page 419<br />
• Spanning Tree on page 420<br />
• Switch on page 423<br />
• <strong>User</strong> Accounts on page 424<br />
• Virtual LAN on page 425<br />
Figure 61: Configuration submenu links<br />
IP Forwarding<br />
From this window, you can enable or disable the IP unicast forwarding across VLANs. For an example<br />
of this window, see Figure 62. In the top of the window is a table that shows each existing IP interface<br />
configuration. The configuration box that follows allows you to use the pull-down menu to enable or<br />
disable forwarding on those existing VLANs. Before submitting a change, users must select the<br />
appropriate value for all fields.<br />
The configuration box has the following selectable fields:<br />
VLAN name<br />
Unicast Forwarding—Either enable or disable<br />
Broadcast Forwarding—Either enable or disable<br />
Multicast Forwarding—Enable, disable, or don’t change<br />
For more information on forwarding of IP packets, see:<br />
• Configuring IP Unicast Routing on page 324<br />
• Subnet-Directed Broadcast Forwarding on page 322<br />
408 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
• IP Multicast Routing Overview on page 349<br />
Figure 62: IP interface configuration<br />
License<br />
The License window allows you to enable the Advanced Edge license by submitting a valid license key<br />
purchased from <strong>Extreme</strong> <strong>Networks</strong>. See Figure 63 for an example of this window. For more information<br />
on levels of licensing, see “Software Licensing” on page 25.<br />
Figure 63: License Window<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 409
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
OSPF<br />
The OSPF configuration window allows you to perform a wide-range of OSPF configuration tasks. The<br />
window is divided into seven functional areas:<br />
1 Configure global OSPF parameters including enabling or disabling of the exporting of RIP, static,<br />
<strong>and</strong> direct (interface) routes to OSPF<br />
2 Create or delete an OSPF area<br />
3 Configure a range of IP addresses in an OSPF area<br />
4 Configure an OSPF area<br />
5 Configure an IP interface for OSPF<br />
6 Configure OSPF virtual link<br />
7 Configure OSPF authentication<br />
Configure Global OSPF Parameters<br />
Use the global parameters to set up OSPF throughout the switch. See the top portion of Figure 64 for an<br />
example of the global parameters window.<br />
NOTE<br />
Before you can make global changes to OSPF, you must first disable OSPF Export Static <strong>and</strong> OSPF<br />
Export RIP.<br />
From this portion of the window, you can:<br />
• Enable or disable the exporting of RIP, static, <strong>and</strong> direct (interface) routes to OSPF. Be sure you<br />
disable exporting of static <strong>and</strong> RIP before setting other global OSPF parameters.<br />
• Enable or disable the exporting of static, direct, <strong>and</strong> OSPF-learned routes into a RIP domain.<br />
• Set the route type as external type 1 or external type 2.<br />
• Set the cost metric for all RIP-learned, static, <strong>and</strong> direct routes injected into OSPF. If the cost metric is<br />
set to 0, the cost is inserted from the route.<br />
• Set a tag value for use by special routing applications. Use 0 if you do not have specific requirements<br />
for using a tag. The tag value in this instance has no relationship with 802.1Q VLAN tagging.<br />
• Set the OSPF router ID to a user-specified value or to automatic.<br />
• Enable or disable OSPF.<br />
410 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 64: Global OSPF parameters <strong>and</strong> creating or deleting an area<br />
For further details:<br />
• On router IDs, see “Configuring OSPF” on page 342.<br />
• On exporting RIP or OSPF, external types, costs <strong>and</strong> tags, see “Route Re-Distribution” on page 340.<br />
Create or Delete an OSPF Area<br />
Below the global OSPF parameters is a section dedicated to creating or deleting OSPF areas. Before you<br />
configure an area, you must create it. Enter an area ID in the same format as an IP address, (for<br />
example, 1.2.3.4).<br />
This portion of the window is also shown in Figure 64. For further details see “Backbone Area (Area<br />
0.0.0.0)” on page 336.<br />
Configure an Area Range<br />
This portion of the window allows you to configure a range of IP addresses in an OSPF area. The<br />
example in Figure 65 shows that six areas are defined: the backbone (0.0.0.0), <strong>and</strong> area IDs 1.1.1.1,<br />
2.2.2.2, 3.3.3.3, 4.4.4.4, <strong>and</strong> 5.5.5.5. The Area Range Configuration box shows non-default values for the<br />
areas. The Add Area Ranges allow you to add a range to an area, set a netmask, or to specify<br />
advertising. If advertised, the range is exported as a single LSA by the ABR. You can also delete a range<br />
of IP addresses in an OSPF area.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 411
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 65: Area range <strong>and</strong> area configuration<br />
Configure an OSPF Area<br />
Use the scroll bar to locate the next section of the window dedicated to OSPF area configuration, shown<br />
in Figure 65. The first table in this section shows each existing configuration. The table that follows<br />
allows you to use the pull-down menu to select an area ID. You can also set the area type, the cost, <strong>and</strong><br />
determine whether to translate for NSSA or not. You may only translate for area type NSSA.<br />
For more information on area types, see “Areas” on page 336.<br />
Configure an IP interface for OSPF<br />
Using this portion of the window, you can:<br />
• Review the existing OSPF IP interface configuration<br />
• Associate a VLAN with an area ID<br />
• Configure OSPF for each VLAN area<br />
• Configure a route filter for non-OSPF routes exported into OSPF<br />
• Configure the timers for one interface in the same OSPF area<br />
• Configure miscellaneous OSPF parameters, such as cost<br />
• Configure virtual links<br />
As shown in Figure 66, the top table lists the existing OSPF IP interface configuration. The table consists<br />
of the following fields:<br />
VLAN name<br />
412 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Area ID<br />
OSPF—Either enabled or disabled<br />
Priority—Always set to zero for Summit “e” series<br />
Interface—Either passive or non-passive<br />
Transit delay—From 1 to 3600 seconds<br />
Hello interval—From 1 to 65535 seconds<br />
Router dead time—From 1 to 2147483647 seconds<br />
Retransmit interval—From 1 to 3600 seconds<br />
The two boxes that follow the table allow you to change the values of the interfaces in that table.<br />
Figure 66: IP interface configuration for OSPF<br />
The next box allows you to associate VLANs with areas by selecting a VLAN name <strong>and</strong> an area ID. The<br />
third box allows you to configure OSPF for each VLAN by VLAN name or area ID. The fourth box,<br />
shown in Figure 66 allows you to:<br />
• Select the VLAN by name that is being changed<br />
• Enable or disable OSPF on the interface<br />
• Specify whether the interface is passive or non-passive<br />
• Establish a cost metric<br />
• Set values for timers (transit delay, hello interval, router dead time, <strong>and</strong> retransmit interval)<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 413
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Use the next three sets of boxes, shown in Figure 67, to configure virtual links. When non-default values<br />
are configured for a router ID or an area ID, the top table displays those values. In the following box<br />
you can configure the timers for the virtual link (transit delay, hello interval, router dead time, <strong>and</strong><br />
retransmit interval).<br />
For further information on virtual links, see “Virtual Links” on page 338.<br />
Figure 67: OSPF Virtual Links<br />
Configure OSPF Authentication<br />
The final section in the OSPF configuration window allows you to configure an interface. This section is<br />
shown at the bottom of Figure 68. The table displays the interface <strong>and</strong> whether an interface type is<br />
currently configured. The configuration box allows you to specify a simple authentication password of<br />
up to eight characters, or a Message Digest 5 (MD5) key for the interface. If you choose MD5, select a<br />
numerical ID between 0 <strong>and</strong> 255, then select a key value between the range of 0 to 65,535.<br />
414 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 68: OSPF Authentication<br />
Ports<br />
Port configuration provides a convenient way to see all the pertinent information about a port in one<br />
place.<br />
Figure 69 shows the following fields in the port configuration window:<br />
Ports—The port number, 1 to 26 or 1 to 48 depending on model number<br />
State—The port state, either enabled or disabled<br />
Link—The link status, either active or ready<br />
Autonegotiation—Indicates whether to autonegotiate the port speed <strong>and</strong> the duplex mode, <strong>and</strong> flow<br />
control. Autonegotiation is either enabled or disabled.<br />
Configuration Speed—The setting for port speed, either autonegotiated (auto), 10, 100, or 1000<br />
Actual Speed—The speed of the link, either 10, 100, or 1000<br />
Configuration Duplex—The duplex mode, either autonegotiation (auto), half, or full<br />
Actual Duplex—The duplex setting, either half or full<br />
Primary Media—The primary wiring media, either unshielded twisted-pair (UTP) or fiber (SX, LX, or<br />
ZX)<br />
Redundant Media—The backup wiring media<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 415
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
QoS Profile—A QoS profile in the format of QPn, where n is from 1 to 8<br />
Figure 69: Port configuration window<br />
Below the Port Configuration table is the box for configuring port parameters, as shown in Figure 70.<br />
When configuring ports, you must select appropriate values for all parameters before submitting the<br />
change. The selectable fields are:<br />
Port Number—Port numbers 1 to 26 or from 1 to 48 depending on model number. For Summit 400-48t<br />
with the optional XEN card installed, it is from 1 to 50.<br />
State—The port state, either enabled or disabled<br />
Restart—Select yes to restart the port<br />
Autonegotiation—The autonegotiation of the port speed <strong>and</strong> the duplex setting, either enabled or<br />
disabled<br />
Speed—The setting for port speed, either 10, 100, or 1000<br />
Duplex—The autonegotiation setting for the duplex setting, either half or full<br />
QoS Profile—A QoS profile in the format of QPn, where n is from 1 to 8<br />
416 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 70: Configure port parameters<br />
RIP<br />
The RIP configuration window allows you to configure global RIP parameters or RIP for an IP interface.<br />
Configure Global RIP Parameters<br />
Use the global parameters to set up RIP for the switch. See Figure 71 for an example of the global<br />
parameters window. From this portion of the window, you can make multiple changes with a single<br />
update:<br />
• Enable or disable RIP for the switch.<br />
• Enable or disable aggregation.<br />
• Enable or disable redistribution of OSPF static routes through RIP.<br />
• Enable or disable split horizon algorithm for RIP.<br />
• Enable or disable poison reverse algorithm.<br />
• Enable or disable trigger update mechanism.<br />
• Change the periodic RIP update timer.<br />
— Minimum setting = 10 seconds<br />
— Maximum setting = Less than the RIP route timeout<br />
— Default setting = 30 seconds<br />
• Change the route timeout. The default setting is 180 seconds.<br />
• Change the RIP garbage time. The timer granularity is 10 seconds. The default setting is 120 seconds.<br />
Use the Unconfigure button to reset the global RIP parameters to the default values. Use the Submit<br />
button to submit the changes to the system.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 417
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 71: RIP global configuration<br />
For more information about setting RIP parameters globally, see “Overview of RIP” on page 333.<br />
Configure RIP for an IP interface<br />
Following the global configuration section is for configuring RIP for an individual IP interface. Figure 71<br />
shows an example of this section of the window.<br />
Using this portion of the window, you can:<br />
• Review the existing RIP configuration for an IP interface.<br />
Each VLAN shows:<br />
— The VLAN name<br />
— The IP address<br />
— Whether IP forwarding is enabled or disabled<br />
— Whether RIP is enabled or disabled<br />
— The RIP version used in receive mode (Rx)<br />
— The RIP version used in transmission mode (Tx)<br />
• Enable or disable RIP on a VLAN<br />
• Configure RIP on a VLAN<br />
• Set the Tx mode values for the selected VLANs. The pull-down menu allows you to specify the<br />
following:<br />
None—Do not transmit any packets on this interface.<br />
V1 Only—Transmit RIP v1 format packets to the broadcast address.<br />
V1 Compatible—Transmit RIP v2 format packets to the broadcast address.<br />
V2 Only—Transmit RIP v2 format packets to the RIP multicast address.<br />
If no VLAN is specified, the setting is applied to all VLANs. The default setting is V2 Only.<br />
418 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
• Set the Rx mode values for the selected VLANs. The pull-down menu allows you to specify the<br />
following:<br />
None—Do not receive packets on this interface.<br />
Any—Receive packets on this interface in any mode.<br />
V1 Only—Receive RIP v1 format packets to the broadcast address.<br />
V2 Only—Receive RIP v2 format packets to the RIP multicast address.<br />
If no VLAN is specified, the setting is applied to all VLANs. The default setting is V2 Only.<br />
• Use the Unconfigure button to reset the RIP configuration for the VLAN to the default values.<br />
• Use the Submit button to submit the changes to the system.<br />
SNMP<br />
The SNMP window is divided into two sections. The top section allows you to enter system group<br />
information <strong>and</strong> authentication information for the community strings. The bottom section allows you<br />
to set the configuration associated with SNMP traps.<br />
System Group Configuration<br />
As shown in Figure 72, this portion of the SNMP window allows you to set:<br />
Contact —A text field that enables you to enter the contact information of the person responsible for<br />
managing the switch.<br />
Name—The system name is the name that you have assigned to this switch. The default name is the<br />
model name of the switch (for example, Summit 400-48t switch).<br />
Location —The location of this switch.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 419
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 72: System contact <strong>and</strong> community authentication information<br />
The Community Authentication Information fields specify community strings, which allow a simple<br />
method of authentication between the switch <strong>and</strong> the remote Network Manager. The default read-only<br />
community string is public. The default read-write community string is private. Each community<br />
string can have a maximum of 127 characters, <strong>and</strong> can be enclosed by double quotation marks.<br />
Trap Information<br />
As shown in Figure 72, the lower section of the SNMP window allows you to enable SNMP <strong>and</strong><br />
configure trap receivers.<br />
To enable SNMP trap support, click the checkbox <strong>and</strong> submit the request.<br />
If authorized trap receivers are currently configured on the network, the Trap Station Configuration<br />
table lists the community string <strong>and</strong> IP address or <strong>User</strong> Datagram Protocol (UDP) port of the trap<br />
receivers.<br />
The last two boxes in the section allow you to add a trap receiver or to delete a trap receiver. For further<br />
information on SNMP <strong>and</strong> trap receivers, see “Using SNMP” on page 46.<br />
Spanning Tree<br />
From this window, you can configure all aspects of a Spanning Tree Domain (STPD). The window is<br />
divided into two sections.<br />
In the top section, you can create or delete a Spanning Tree Domain (STPD) as shown in Figure 73.<br />
420 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 73: Spanning Tree configuration (1 of 3)<br />
In the bottom section, you can:<br />
• Review all STPD configurations<br />
Each STPD shows the:<br />
— STPD name.<br />
— State of the domain, either enabled or disabled.<br />
— Priority level of the bridge, a value between 1 <strong>and</strong> 65535 (default 32768).<br />
— Hello time interval for the bridge, a value between 1 <strong>and</strong> 10 seconds (default 2 seconds). The<br />
hello time specifies the time delay between the transmission of Bridge Protocol Data Units<br />
(BPDUs) from this STPD when it is the Root Bridge.<br />
— Bridge forward delay, a value between 4 <strong>and</strong> 30 seconds (default 15 seconds). The bridge forward<br />
delay specifies the time that the ports in this STPD spend in the listening <strong>and</strong> learning states<br />
when the switch is the Root Bridge.<br />
— The maximum age of a BPDU, a value between 6 <strong>and</strong> 40 seconds (default 20 seconds).<br />
The STPD configuration table is shown in Figure 73 <strong>and</strong> Figure 74.<br />
• Create or change parameters on a STPD.<br />
Select a STPD, change the parameter values as described above, <strong>and</strong> click Configure.<br />
The Configure Spanning Tree Parameters box is shown in Figure 73 <strong>and</strong> Figure 74.<br />
• Assign VLANs to a STPD, as shown in Figure 74.<br />
• Unconfigure STPD, as shown in Figure 74.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 421
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 74: Spanning Tree configuration (2 of 3)<br />
• Review all ports belonging to STPDs.<br />
A port can belong to only one STPD. If a port is a member of multiple VLANs, then all those VLANs<br />
must belong to the same STPD. The Spanning Tree Port Configuration Table contains the following<br />
fields:<br />
Port Number—Port numbers 1 to 26 or from 1 to 48 depending on model number. For Summit<br />
400-48t with the optional XEN card installed, it is from 1 to 50.<br />
Priority— The priority of the port indicates the likelihood of the port becoming the root port. The<br />
range is 0 through 31, where 0 indicates the lowest priority. The default setting is 16.<br />
Path Cost—Specifies the path cost of the port in this STPD. The range is 1 through 65,535. The<br />
switch automatically assigns a default path cost based on the speed of the port, as follows:<br />
— For a 10 Mbps port, the default cost is 100.<br />
— For a 100 Mbps port, the default cost is 19.<br />
— For a 1000 Mbps port, the default cost is 4.<br />
— For a 10000 Mbps port, the default cost is 2.<br />
STPD State—Specifies whether the Spanning Tree Protocol is enabled or disabled on the STPD.<br />
STP Domain—The name of the STP domain.<br />
See Figure 73 for an example of the table.<br />
• Configure Spanning Tree ports.<br />
Add or change the above parameters for STP ports. See Figure 75 for an example of this<br />
configuration box.<br />
422 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 75: Spanning Tree configuration (3 of 3)<br />
Switch<br />
This window, shown in Figure 76, manages basic switch operation. The four sections are:<br />
• Set date <strong>and</strong> time<br />
• Enable or disable Telnet remote management <strong>and</strong> SNMP management<br />
• Select the image <strong>and</strong> configuration to use<br />
You can choose a primary or secondary image to use from the pull-down menu.<br />
• Save the configuration<br />
Settings that are stored in run-time memory are not retained by the switch when the switch is<br />
rebooted. To retain the settings, <strong>and</strong> have them load when you reboot the switch, you must save the<br />
configuration to nonvolatile storage.<br />
The switch can store two different configurations: a primary <strong>and</strong> a secondary. When you save<br />
configuration changes, you can select into which configuration area you want the changes saved. If<br />
you do not specify the configuration area, the changes are saved to the configuration area currently<br />
in use.<br />
• Reboot the switch<br />
This st<strong>and</strong>-alone button causes the switch to reboot immediately.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 423
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 76: Switch configuration<br />
<strong>User</strong> Accounts<br />
This window allows you to control access to the system. As shown in Figure 77, the top table provides:<br />
• The user’s name<br />
• Whether that user has administrator privileges<br />
• The number of times the user has logged into the system since the last reboot<br />
• Whether the user has point-to-point (PPP) user access<br />
You can also manage user accounts through this window. Each account requires a user name <strong>and</strong><br />
password. <strong>User</strong>s with administrative access have read-write authority, where normally a user would<br />
have read-only access to the system. Only users with read-write authority have permission to change<br />
the switch’s configuration. There is also a checkbox to delete a user.<br />
For more information on controlling user access, see “Configuring Management Access” on page 35.<br />
424 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 77: Management access<br />
Virtual LAN<br />
This window allows you to perform the most common VLAN administration tasks. It is divided into<br />
three sections:<br />
• Creating <strong>and</strong> deleting a VLAN<br />
• Changing a VLAN name<br />
• Configuring a VLAN<br />
Creating <strong>and</strong> Deleting a VLAN<br />
The top section of the window allows you to create or delete a VLAN, as shown in Figure 78. When<br />
naming a VLAN, be sure to following the naming guidelines described in “VLAN Names” on page 90.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 425
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 78: VLAN administration (1 of 2)<br />
Configuring a VLAN<br />
The second section of the VLAN window allows you to change VLAN parameters. Use the pull-down<br />
menu to choose an existing VLAN name <strong>and</strong> click Get to populate the remaining fields. Figure 79<br />
shows an example of the Configure VLAN Information.<br />
Use the following fields to make changes to a VLAN:<br />
IP Address—Either changes the IP address or unconfigures the IP address. The Unconfigure button<br />
resets the IP address of the VLAN; the Configure button allows you to assign a different IP address to<br />
the VLAN.<br />
Netmask—Specifies a subnet mask in dotted-quad notation (e.g. 255.255.255.0).<br />
802.1Q Tag—Adds an 802.1Q tag to the VLAN. Acceptable values range from 1 to 4094.<br />
Spanning Tree Domain—Assigns the VLAN to a STPD.<br />
QoS Profile—Assigns a QoS profile to the VLAN.<br />
426 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Configuring an “e” Series Switch Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 79: VLAN administration (2 of 2)<br />
The next section allows you to adds ports to the VLAN.<br />
Adding Ports to a VLAN. You can either add the port as tagged or untagged. If you click Tagged, the<br />
port is added as a tag-based port. If you click Untagged, the port is added as an untagged port.<br />
Figure 79 shows an example of adding ports to a VLAN.<br />
The next box allows you to select a port <strong>and</strong> click Remove to delete the port.<br />
Access List<br />
This window allows you to configure an IP access list, a rate limit, <strong>and</strong> their associated access masks. IP<br />
access lists, also known as access control lists (ACLs) are used to perform packet filtering <strong>and</strong><br />
forwarding decisions on incoming traffic. Each packet arriving on an ingress port is compared to the<br />
access list in sequential order <strong>and</strong> is either forwarded to a specified QoS profile or dropped.<br />
Each access control list consists of an access mask that selects which fields of each incoming packet to<br />
examine, <strong>and</strong> a list of values to compare with the values found in the packet. Access masks can be<br />
shared multiple access control lists, using different lists of values to examine packets.<br />
The top section of the window, as shown in Figure 80, displays information about existing access masks.<br />
The following mask features are shown in a table format:<br />
Dest Mac—Ethernet destination MAC address<br />
Src Mac—Ethernet source MAC address<br />
VLAN ID—VLAN identifier (VLANid)<br />
Ether Type—Ethernet type. Valid types are IP, ARP, or user-defined.<br />
IP Proto—IP protocol. Valid types are TCP, UDP, ICMP, IGMP, or user-defined.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 427
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
TOS/Code Point—IP DiffServ code points from 0 to 7<br />
Dest IP—Destination IP address<br />
Dest IP Mask—Destination subnet mask<br />
Dest L4 Port—Destination UDP layer 4 port<br />
Src IP—Source IP address<br />
Src IP Mask—Source IP subnet mask<br />
Src L4 Port/ICMP—Source UDP layer 4 port/ICMP<br />
TCP Permit Estb—TCP permit established. Options are Permit, Permit Established, <strong>and</strong> Deny.<br />
Egr Port—Egress port<br />
Ingr Port—Ingress port. Port ranges vary by model.<br />
Pre—Precedence<br />
Figure 80: Access List Configuration (1 of 2)<br />
As Figure 80 shows, the next section of the window allows you to create, reset, modify or delete an<br />
access mask. Use the checkboxes to specify an option.<br />
Rate Limiting<br />
Like an access list, a rate limit includes a list of values to compare with the incoming packets <strong>and</strong> an<br />
action to take for packets that match. Additionally, a rate limit specifies an action to take when<br />
matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify<br />
a value for each of the fields that make up the access mask used by the list. Unlike an access list, a rate<br />
limit can only be applied to a single port. Each port has its own rate limit defined separately.<br />
428 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
Each entry that makes up a rate limit contains a unique name <strong>and</strong> specifies a previously created access<br />
mask. As Figure 81 shows, the next section allows you configure an access list, a rate limit, or both. Use<br />
the pull-down menus to select the type of listing option, a mask, <strong>and</strong> the ports. Press the Submit<br />
button, when your configuration is complete.<br />
Figure 81: Access List Configuration (2 of 2)<br />
As shown in Figure 81, the final section of this window allows you to create, modify, or delete an access<br />
list. You can also create, modify or reset a rate limit.<br />
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
<strong><strong>Extreme</strong>Ware</strong> Vista offers a number of pre-formatted reports on the most frequently requested<br />
information. These statistical reports provide current information about the switch <strong>and</strong> its configuration.<br />
To access the statistical reports, click Statistics in the task bar to reveal the submenu links. The<br />
following links appear in the submenu:<br />
Event Log—Contains system event log entries<br />
FDB—Contains Forwarding Database entries<br />
IP ARP—Contains the entries in the IP Address Resolution Protocol (ARP) table<br />
IP Configuration—Contains the global IP configuration statistics <strong>and</strong> router interface statistics<br />
IP Route—Contains the IP Route table<br />
IP Statistics—Contains global IP statistics<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 429
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Ports—Contains the physical port statistics<br />
Port Collisions—Contains Ethernet collision summary<br />
Port Errors—Contains Ethernet port error conditions<br />
Port Utilization—Contains link utilization information<br />
RIP—Contains global RIP statistics <strong>and</strong> router interface statistics<br />
Switch—Contains the hardware profile for the switch<br />
Event Log<br />
The System Even Log tracks all configuration <strong>and</strong> fault information pertaining to the device. Each entry<br />
in the log contains the following information:<br />
• Timestamp—The timestamp records the month <strong>and</strong> day of the event, along with the time (hours,<br />
minutes, <strong>and</strong> seconds) in the form HH:MM:SS. If the event was caused by a user, the user name is<br />
also provided.<br />
• Fault level—Describes the levels of importance that the system can assign to a fault. A fault level<br />
can either be classified as critical, warning, informational, or debug.<br />
By default, log entries that are assigned a critical or warning level remain in the log after a switch<br />
reboot. Issuing a clear log comm<strong>and</strong> does not remove these static entries.<br />
• Subsystem—The subsystem refers to the specific functional area to which the error refers.<br />
For additional information on system logging, see “Event Management System/Logging” on page 128.<br />
Figure 82: Event Entries<br />
430 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
FDB<br />
This window allows you to review the contents of the FDB table. It also gives summary information<br />
about the contents of the view <strong>and</strong> allows you tailor the view by various parameters.<br />
The view of the FDB, as shown in Figure 83, consists of the following entries:<br />
MAC Destination—MAC address of the device<br />
VLAN—VLAN name <strong>and</strong> tag<br />
Flags—Identifier for static (s) or dynamic (d)<br />
Port List—The destination port or ports for the MAC address<br />
Figure 83: FDB (1 of 2)<br />
Summary information is located at the bottom of the view. The summary information contains the:<br />
Total—Total number of entries in this database view<br />
Static—Number of static entries in this view<br />
Permanent—Number of permanent entries in this view<br />
Dynamic—Number of dynamic entries in this view<br />
Discarded—Number of entries discarded<br />
Aging Time—The current time setting for removing entries from the FDB<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 431
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
The View Options allow you to filter <strong>and</strong> restrict the amount of information presented in the FDB view.<br />
Figure 84: FDB (2 of 2)<br />
For further information about the FDB, see “Overview of the FDB” on page 97.<br />
IP ARP<br />
Use the IP ARP to find the MAC address associated with an IP address.<br />
The IP ARP table contains the following fields:<br />
Destination—The destination IP address<br />
MAC Address—The MAC address associated with the IP address<br />
Age—The age of the entry<br />
Flags—Identifier for static entry (m), proxy ARP (p), <strong>and</strong> trailers requested (t)<br />
Static—Either yes for a static entry or no for dynamic<br />
VLAN—VLAN name<br />
VLAN ID<br />
432 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
Figure 85: IP ARP table<br />
IP Configuration<br />
In this window you can review two different tables containing IP configuration information. The Global<br />
IP Configuration Statistics table provides IP settings <strong>and</strong> summary statistics for the entire switch. The<br />
Router Interface table provides details on each VLAN. Both tables are shown in Figure 86.<br />
Global IP Configuration Statistics<br />
This table contains the following fields:<br />
IP Routing—Indicates whether IP forwarding is either enabled or disabled on the switch. The default<br />
setting for IP forwarding is disabled.<br />
Ipmc Routing— Indicates whether IP multicast forwarding is enabled or disabled on the switch. This<br />
setting is either enabled or disabled.<br />
Use Redirects—Indicates whether the switch can modify the route table information when an ICMP<br />
redirect message is received. This option applies to the switch when it is not configured for routing.<br />
This setting is either enabled or disabled; the default setting is disabled.<br />
IGMP—Internet Group Management Protocol (IGMP) allows network hosts to report the multicast<br />
group membership to the switch. This setting is either enabled or disabled.<br />
RIP—Routing Information Protocol (RIP) is either enabled or disabled.<br />
DVMRP—Distance Vector Multicast Routing Protocol (DVMRP), a distance vector protocol that is used<br />
to exchange routing <strong>and</strong> multicast information between routers. This setting is either enabled or<br />
disabled.<br />
IRDP—ICMP Router Discovery Protocol (IRDP) shows the generation of ICMP router advertisement<br />
messages on one or all VLANs. The setting is either enabled or disabled; the default setting is enabled.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 433
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
OSPF—The OSPF routing protocol for the switch. The setting is either enabled or disabled.<br />
Advertisement Address—The destination address of the router advertisement messages.<br />
Maximum Interval—The maximum time between router advertisements. The default setting is 600<br />
seconds.<br />
Minimum Interval—The minimum amount of time between router advertisements. The default setting<br />
is 450 seconds.<br />
Lifetime—The client aging timer setting, the default is 1,800 seconds.<br />
Preference—The preference level of the router. An IRDP client always uses the router with the highest<br />
preference level. The default setting is 0.<br />
Bootp Relay—The BOOTP relay service on the switch. The setting is either enabled or disabled; the<br />
default is disabled.<br />
Figure 86: IP configuration statistics<br />
Router Interface Statistics<br />
The Router Interface Statistics table gives the details of individual VLANs. It contains the following<br />
fields:<br />
VLAN name<br />
State—up or down<br />
IP Address—in dotted-quad notation<br />
434 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
Netmask<br />
Broadcast—The broadcast address in dotted-quad notation<br />
Multicast TTL—The multicast time-to-live<br />
MTU—Maximum Transmission Unit (MTU) size<br />
Metric—The hop count to the destination address<br />
IP Forwarding—IP forwarding on this interface is enabled (yes) or disabled (no)<br />
Fwd Bcast—The hardware forwarding of subnet-directed broadcast IP packets is enabled (yes) or<br />
disabled (no)<br />
RIP—RIP is enabled (yes) or disabled (no) on this interface<br />
OSPF—OSPF is enabled (yes) or disabled (no) on this interface<br />
IDRP—IDRP is enabled (yes) or disabled (no) on this interface<br />
Send Redirect—Allows or disallows the interface to modify the route table information when an ICMP<br />
redirect message is received<br />
Send Unreach—Allows or disallows the interface to generate an ICMP port unreachable messages (type<br />
3, code 3) when a TPC or UDP request is made to the switch, <strong>and</strong> no application is waiting for the<br />
request, or access policy denies the request.<br />
IGMP—IGMP is enabled (yes) or disabled (no) on this interface<br />
IGMP Ver—The version of IGMP running on the interface<br />
IGMP Snooping— IGMP Snooping is enabled (yes) or disabled (no)<br />
DVMRP—Distance Vector Multicast Routing Protocol (DVMRP), a distance vector protocol that is used<br />
to exchange routing <strong>and</strong> multicast information between routers. This setting is either enabled (yes) or<br />
disabled (no).<br />
BOOTP Host—Indicates whether BOOTP is enabled on this VLAN or not<br />
Last Querier—The address of the querier<br />
Locally Registered Multicast Address<br />
Learned Multicast Address<br />
IP Route<br />
This window contains the statistics for the IP routing table. The switch exchanges routing information<br />
with other routers <strong>and</strong> switches on the network using either the RIP or the OSPF protocol. The switch<br />
dynamically builds <strong>and</strong> maintains the routing table, <strong>and</strong> determines the best path for each of its routes.<br />
The IP route table contains the following fields:<br />
Destination—The destination address<br />
Gateway—The gateway address<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 435
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Mtr—The cost metric<br />
Flags—For example, U for ub; G for gateway; <strong>and</strong> U for unicast<br />
Use—The number of times the entry is used<br />
VLAN—VLAN name<br />
Origin—Route origin. One of the following:<br />
• direct<br />
• blackhole<br />
• static<br />
• ICMP<br />
• OSPFIntra<br />
• OSPFInter<br />
• RIP<br />
• OSPFExtern1<br />
• OSPFExtern2<br />
• BOOTP<br />
As shown in Figure 87, you can also use the View Options to restrict different aspects of the view. For<br />
more information on IP routing, see “Configuring DHCP/BOOTP Relay” on page 327.<br />
Figure 87: IP Route Table<br />
IP Statistics<br />
This window provides ICMP error reporting statistics <strong>and</strong> error counts from the switch as a whole, <strong>and</strong><br />
also on individual interfaces. For information about error counts:<br />
436 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
• Across the whole switch, see “Global IP Statistics”<br />
• On an interface, see “Global ICMP Statistics” on page 437<br />
• Across VLANs, see “Global ICMP Statistics” on page 438<br />
Global IP Statistics<br />
The Global IP Statistics report IP traffic flow through the switch. As shown at the top of Figure 88, these<br />
statistics are grouped into four logical groups:<br />
• Inbound traffic<br />
• Outbound traffic<br />
• Bad packets received<br />
• Other types of errors<br />
Figure 88: Global IP statistics<br />
Global ICMP Statistics<br />
ICMP provides error reporting, flow control <strong>and</strong> first-hop gateway redirection. As shown in Figure 89,<br />
the Global ICMP Statistics table provides information about error counts found in the following areas:<br />
• In Bad Code<br />
• In Too Short<br />
• In Bad Length<br />
• In Router Advertisements<br />
• Out Router Advertisements<br />
• Out Responses<br />
• Out Errors<br />
• Bad Checksums<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 437
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 89: Global ICMP Statistics<br />
Router Interface IP Statistics<br />
The Router Interface IP Statistics give detailed traffic details at the VLAN level, as shown in Figure 90.<br />
For each interface the table provides:<br />
• VLAN name<br />
• Interface ID<br />
• IP Address<br />
• Netmask<br />
• Broadcast Address<br />
• Amount in <strong>and</strong> out of the switch for the following units: packets, octets, multicast packets, broadcast<br />
packets, errors, discards, <strong>and</strong> unknown protocols<br />
438 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
Figure 90: Router interface IP statistics<br />
Ports<br />
This window provides information about active ports as reported by the switch hardware. As shown in<br />
Figure 91, the report consists of the following fields:<br />
Port Number<br />
Port Speed<br />
Link State<br />
Received Packet Count<br />
Transmitted Packet Count<br />
Received Byte Count<br />
Transmitted Byte Count<br />
Collisions<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 439
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 91: Physical port statistics<br />
Port Collisions<br />
This window provides information about Ethernet collisions that occur when the port is operating in<br />
half-duplex mode. An example of this window is shown in Figure 92.<br />
Figure 92: Port collisions<br />
440 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
Port Errors<br />
In this window, you can review Ethernet link errors. As shown in Figure 93, the table reflects the<br />
following information for each active port:<br />
• Link State<br />
• Rx Lost<br />
• Rx Bad Cyclic Redundancy Check (CRC)<br />
• Rx Undersize<br />
• Rx Oversize<br />
• Rx Fragments<br />
• Rx Jabber<br />
• Rx Alignment<br />
• Tx Errored<br />
• Tx Deferred<br />
• Tx Late Collisions<br />
Figure 93: Ethernet port errors<br />
Port Utilization<br />
This window shows port utilization. As shown in Figure 94, the report fields are as follows:<br />
Port Number<br />
Speed—Configured port speed, either 10, 100, 1000, or auto<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 441
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Link Status—Either active (A) or ready (R)<br />
Rx Pkt/Sec—Received packets rate<br />
Peak Rx Pkt/Sec—Peak received packet rate<br />
Tx Pkt/Sec—Transmission packet rate<br />
Peak Tx Pkt/Sec—Peak packet rate transmitted<br />
Rx Byte/Sec—Received byte rate<br />
Peak Rx Byte/Sec—Peak received bytes rate<br />
Tx Byte/Sec—Transmission byte rate<br />
Peak Tx Byte/Sec—Peak transmission byte rate<br />
B<strong>and</strong>width—B<strong>and</strong>width utilization<br />
Peak B<strong>and</strong>width—Peak b<strong>and</strong>width utilization<br />
Figure 94: Utilization averages<br />
RIP<br />
This window provides statistics about the Routing Information Protocol (RIP) both at the global (switch<br />
level) <strong>and</strong> at the interface level. At the switch level, the Global Routing Information Protocol Statistics<br />
table shows the number of route changes <strong>and</strong> the number of queries. As shown in Figure 95, at the<br />
interface level, the Router Interface Statistics table shows the following fields:<br />
VLAN Name<br />
Authentication—Yes for enabled, no for disabled on the interface<br />
442 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Reviewing <strong><strong>Extreme</strong>Ware</strong> Vista Statistical Reports<br />
Rcvd Pkts—Received RIP packets<br />
Sent Pkts—Sent RIP packets<br />
Rcvd Bad Pkts—Received bad RIP packets<br />
Rcvd Bad Routes—Received bad routes<br />
Sent Trig Updts—Sent triggered updates<br />
Peer<br />
Age (sec)—Age in seconds<br />
Version—RIP version<br />
Bad Pkts—Bad Packets<br />
Bad Routes<br />
Figure 95: RIP statistics<br />
Switch<br />
Use this window to locate hardware status information. As shown in Figure 96, the Hardware Status<br />
table provides data about the following areas:<br />
System Name—Such as the Summit 400-48t<br />
MAC Address—MAC address of the device<br />
System Serial Number—Hardware serial number of the switch<br />
Software Image Selected—Primary or secondary image <strong>and</strong> version number of the image<br />
Software Image Booted—Actual image running<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 443
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Configuration Selected—Either primary or secondary<br />
Configuration Booted—Either primary or secondary<br />
Primary Configuration—File size, date <strong>and</strong> time of the download<br />
Secondary Configuration—File size, date <strong>and</strong> time of the download<br />
Switch Temperature—Either normal or over, for over-temperature<br />
Internal Power Supply—Power supply information. If at full capacity it is displayed in green. If it<br />
installed but not operating, it is displayed in red.<br />
External Power Supply—(optional) If present, provides power supply information. If the power supply<br />
is operating at full capacity, an OK message displays in green. If it is present, installed, but not<br />
operating, the status is displayed in red. If an external power supply is not installed, the status “Not<br />
Present” is displayed in brown.<br />
A separate table follows the hardware status that is dedicated to internal cooling fan status.<br />
Figure 96: Hardware status<br />
Locating Support Information<br />
<strong><strong>Extreme</strong>Ware</strong> Vista provides a central location to find support information <strong>and</strong> to download the most<br />
current software images. Click Support in the task frame to reveal the submenu links:<br />
Help—For links to the most current product manual<br />
TFTP—To upgrade software using a TFTP download<br />
Contact Support—For customer support telephone numbers <strong>and</strong> URLs<br />
444 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Locating Support Information<br />
Email Support—To send an email directly to customer support<br />
Help<br />
The Help window provides the URL to the <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> Manual. See Figure 97 for an example<br />
of this window.<br />
Figure 97: Product Manual Link<br />
TFTP Download<br />
You can download the latest software images using Trivial File Transfer Protocol (TFTP) from this<br />
window. As shown in Figure 99, you need to provide the following information:<br />
TFTP Server Address—Obtain this address from your Customer Support Representative<br />
Filename—The filename of the software image to download<br />
Container—The location, either primary or secondary, where you want to store the downloaded image<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 445
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 98: TFTP Download<br />
Contact Support<br />
The Contact Support window contains the mailing address, telephone number, fax number, <strong>and</strong> URL<br />
for Customer Support. An example of this window is shown in Figure 99.<br />
446 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Locating Support Information<br />
Figure 99: Support Address<br />
Email Support<br />
When you click the submenu link for Email Support, the browser closes the <strong><strong>Extreme</strong>Ware</strong> Vista page<br />
<strong>and</strong> opens your browser’s email window. You can then send an email directly to customer support as<br />
shown in Figure 100.<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 447
Using <strong><strong>Extreme</strong>Ware</strong> Vista<br />
Figure 100: Email Support<br />
Logging Out of <strong><strong>Extreme</strong>Ware</strong> Vista<br />
When you click the Logout button in the task frame, it causes an immediate exit from <strong><strong>Extreme</strong>Ware</strong><br />
Vista, if you have not made configuration changes. Be sure you want to exit the application because<br />
there is no confirmation screen. If you changed the configuration during your session, you can save the<br />
changes before leaving <strong><strong>Extreme</strong>Ware</strong> Vista, as shown in Figure 101.<br />
Figure 101: Save configuration<br />
448 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
B<br />
Technical Specifications<br />
This appendix provides additional information on the st<strong>and</strong>ards, protocols <strong>and</strong> MIBs supported by the<br />
Summit “e” series of switches. It covers the following topics:<br />
• Supported Protocols, MIBs, <strong>and</strong> St<strong>and</strong>ards on page 449<br />
Supported Protocols, MIBs, <strong>and</strong> St<strong>and</strong>ards<br />
The following is a list of software st<strong>and</strong>ards <strong>and</strong> protocols supported by the Summit “e” series of<br />
switches:<br />
Denial of Service Protection<br />
RFC 2267 Network Ingress Filtering: Defeating Denial<br />
of Service Attacks which employ IP Source Address<br />
Spoofing<br />
RPF (Unicast Reverse Path Forwarding) Control<br />
Wire-speed ACLs<br />
Rate Limiting by ACLs<br />
IP Broadcast Forwarding Control<br />
ICMP <strong>and</strong> IP-Option Response Control<br />
SYN attack protection<br />
Uni-directional Session Control<br />
CERT (http://www.cert.org)<br />
• CA--97.28.Teardrop_L<strong>and</strong> -Teardrop <strong>and</strong> “LAND”<br />
attack<br />
• IP Options Attack<br />
• CA--98-13-tcp-denial-of-service<br />
• CA--98.01.smurf<br />
• CA--96.26.ping<br />
• CA--96.21.tcp_syn_flooding<br />
• CA--96.01.UDP_service_denial<br />
• CA--95.01.IP_Spoofing_Attacks_<strong>and</strong>_Hijacked_<br />
Terminal_Connections<br />
• CA-2002-03: SNMP vulnerabilities<br />
Host Attacks<br />
• Syndrop<br />
• Nestea<br />
• Latierra<br />
• Newtear<br />
• Bonk<br />
• Winnuke<br />
• Raped<br />
• Simping<br />
• Sping<br />
• Ascend<br />
• Stream<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 449
Technical Specifications<br />
DiffServ - St<strong>and</strong>ards <strong>and</strong> MIBs<br />
RFC 2474 Definition of the Differentiated Services Field<br />
(DS Field) in the IPv4 <strong>and</strong> IPv6 Headers<br />
RFC 2475 An Architecture for Differentiated Services<br />
RFC 2597 Assured Forwarding PHB Group<br />
RFC 2598 An Expedited Forwarding PHB<br />
Environmental<br />
EN 300 019-2-1 (2000-09) Storage Class 1.2 -<br />
Packaged<br />
EN 300 09-2-2 (1999-09) Transportation Class 2.3 -<br />
Packaged<br />
EN 300 019-2-2 (1999-09) Stationary Use at Weather<br />
Protected Locations, Class 3.1e - Operational<br />
EN 300 753 (1997-10) Acoustic Noise - Operational<br />
ASTM D5276 Drop - Packaged<br />
ASTM D3332 Shock - Unpackaged<br />
ASTM D3580 R<strong>and</strong>om Vibration - Unpackaged<br />
ASTM D6179 Tilt - Packaged<br />
General Routing <strong>and</strong> Switching<br />
RFC 1812 Requirements for IP Version 4 Routers<br />
RFC 1519 An Architecture for IP Address Allocation<br />
with CIDR<br />
RFC 1256 ICMP Router Discovery Messages<br />
RFC 783 TFTP Protocol (revision 2)<br />
RFC 951 Bootstrap Protocol<br />
RFC 2131 Dynamic Host Configuration Protocol<br />
RFC 1591 Domain Name System Structure <strong>and</strong><br />
Delegation<br />
RFC 1122 Requirements for Internet Hosts -<br />
Communication Layers<br />
RFC 768 <strong>User</strong> Datagram Protocol<br />
RFC 791 Internet Protocol<br />
RFC 792 Internet Control Message Protocol<br />
RFC 793 Transmission Control Protocol<br />
RFC 826 Ethernet Address Resolution Protocol: Or<br />
converting network protocol addresses to 48.bit<br />
Ethernet address for transmission on Ethernet<br />
hardware<br />
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol (ESRP)<br />
IEEE 802.1D-1998 Spanning Tree Protocol<br />
IEEE 802.1W - 2001 Rapid Spanning Tree Protocol<br />
IEEE 802.1Q - 1998 Virtual Bridged Local Area<br />
<strong>Networks</strong><br />
Ethernet Automatic Protection Switching (EAPS)-Edge<br />
mode, master <strong>and</strong> member of one ring<br />
RFC 3619 Ethernet Automatic Protection Switching<br />
(EAPS) Version 1<br />
IP Multicast<br />
RFC 2362 Protocol Independent Multicast-Sparse Mode<br />
(PIM-SM): Protocol Specification--two non-passive<br />
interfaces<br />
RFC 1112 Host extensions for IP multicasting<br />
RFC 2236 Internet Group Management Protocol,<br />
Version 2<br />
IGMP Snooping with Configurable Router Registration<br />
Forwarding<br />
Static IGMP Membership<br />
IGMP Filters<br />
Mtrace, draft-letf-idmr-traceroute-imp-07<br />
Mrinfo<br />
450 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Supported Protocols, MIBs, <strong>and</strong> St<strong>and</strong>ards<br />
Management - SNMP & MIBs<br />
RFC 1157 Simple Network Management Protocol<br />
(SNMP)<br />
RFC-1215 Convention for defining traps for use with<br />
the SNMP<br />
RFC 1573 Evolution of Interface<br />
RFC 1901 Introduction to Community-based SNMPv2<br />
RFC 1902 Structure of Management Information for<br />
Version 2 of the Simple Network Management Protocol<br />
(SNMPv2)<br />
RFC 1903 Textual Conventions for Version 2 of the<br />
Simple Network Management Protocol (SNMPv2)<br />
RFC 1904 Conformance Statements for Version 2 of<br />
the Simple Network Management Protocol (SNMPv2)<br />
RFC 1905 Protocol Operations for Version 2 of the<br />
Simple Network Management Protocol (SNMPv2)<br />
RFC 1906 Transport Mappings for Version 2 of the<br />
Simple Network Management Protocol (SNMPv2)<br />
RFC 1907 Management Information Base for Version 2<br />
of the Simple Network Management Protocol (SNMPv2)<br />
RFC 1908 Coexistence between Version 1 <strong>and</strong> Version<br />
2 of the Internet-st<strong>and</strong>ard Network Management<br />
Framework<br />
RFC 2570 - 2575 SNMPv3, user based security,<br />
encryption <strong>and</strong> authentication<br />
RFC 2576 Coexistence between SNMP Version 1,<br />
Version 2 <strong>and</strong> Version 3<br />
RFC 3410 Introduction <strong>and</strong> Applicability Statements for<br />
Internet-St<strong>and</strong>ard Management Framework<br />
RFC 3411 An Architecture for Describing Simple<br />
Network Management Protocol (SNMP) Management<br />
Frameworks<br />
RFC 3412 Message Processing <strong>and</strong> Dispatching for the<br />
Simple Network Management Protocol (SNMP)<br />
RFC 3413 Simple Network Management Protocol<br />
(SNMP) Applications<br />
RFC 3414 <strong>User</strong>-based Security Model (USM) for<br />
version 3 of the Simple Network Management Protocol<br />
(SNMPv3)<br />
RFC 3415 View-based Access Control Model (VACM)<br />
for the Simple Network Management Protocol<br />
<strong><strong>Extreme</strong>Ware</strong> vendor MIB (includes ACL, MAC FDB, IP<br />
FDB, MAC Address Security, QoS policy <strong>and</strong> VLAN<br />
configuration <strong>and</strong> statistics, STP <strong>and</strong> others)<br />
RFC-1212 Concise MIB definitions<br />
RFC-1213 Management Information Base for Network<br />
Management of TCP/IP-based internets: MIB-II<br />
RFC 1757 Remote Network Monitoring Management<br />
Information Base<br />
RFC 2021 Remote Network Monitoring Management<br />
Information Base Version 2 using SMIv2<br />
RFC 2613 Remote Network Monitoring MIB Extensions<br />
for Switched <strong>Networks</strong> Version 1.0<br />
RFC 2233 Evolution of the Interfaces Group of MIB-II<br />
RFC 2096 IP Forwarding Table MIB<br />
RFC 1724 RIP Version 2 MIB Extension<br />
RFC 1850 OSPF Version 2 Management Information<br />
Base<br />
RFC 1155 Structure <strong>and</strong> identification of management<br />
information for TCP/IP-based internets<br />
RFC 1406 Definitions of Managed Objects for the DS1<br />
<strong>and</strong> E1 Interface types<br />
RFC 1407 Definitions of Managed Objects for the<br />
DS3/E3 Interface Type<br />
RFC 1493 Definitions of Managed Objects for Bridges<br />
Draft-letf-bridge-rstpmib-03.txt – Definitions of Managed<br />
Objects for Bridges with Rapid Spanning Tree Protocol<br />
RFC 1354 IPv4 Forwarding Table MIB<br />
RFC 2037 Entity MIB<br />
RFC 1650 Definitions of Managed Objects for the<br />
Ethernet-like Interface Types using SMIv2<br />
RFC 2665 Definitions of Managed Objects for the<br />
Ethernet-like Interface Types<br />
RFC 2668 Definitions of Managed Objects for IEEE<br />
802.3 Medium Attachment Units (MAUs)<br />
RFC 2787 Definitions of Managed Objects for the<br />
Virtual Router Redundancy Protocol<br />
RFC 2795 Infinite Monkey Protocol Suite<br />
RFC 2925 Definitions of Managed Objects for Remote<br />
Ping, Traceroute, <strong>and</strong> Lookup Operations<br />
RFC 1643 Ethernet MIB<br />
IEEE-802.1x MIB<br />
<strong>Extreme</strong> extensions to 802.1x-MIB<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 451
Technical Specifications<br />
Management - Other:<br />
RFC 1866 Hypertext Markup Language - 2.0<br />
RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1<br />
RFC 854 Telnet Protocol Specification<br />
HTML/ HTTP management<br />
Secure Shell 2 (SSH2) client <strong>and</strong> server<br />
Secure Copy 2 (SCP2) client <strong>and</strong> server<br />
Telnet client <strong>and</strong> server<br />
NetFlow version 1 export<br />
Configuration logging<br />
Multiple Images, Multiple Configs<br />
BSD System Logging Protocol (SYSLOG), with Multiple<br />
Syslog Servers<br />
999 Local Messages (criticals stored across reboots)<br />
RFC 2030 Simple Network Time Protocol (SNTP)<br />
Version 4 for IPv4, IPv6 <strong>and</strong> OSI<br />
MPLS - St<strong>and</strong>ards <strong>and</strong> MIBs<br />
RFC 2212 Specification of Guaranteed Quality of<br />
Service<br />
RFC 2961 RSVP Overhead Refresh Reduction<br />
Extensions<br />
RFC 3032 MPLS Label Stack Encoding<br />
RFC 3031 Multiprotocol Label Switching Architecture<br />
RFC 3036 LDP Specification<br />
Martini drafts: draft-martini-circuit-encap-mpls-04.txt <strong>and</strong><br />
draft-martini-l2circuit-trans-mpls-08.txt<br />
RSVP-TE LSP tunnel draft:<br />
draft-ietf-mpls-rsvp-lsp-tunnel-09.txt<br />
Traffic Engineering Extensions to OSPF:<br />
draft-katz-yeung-ospf-traffic-06.txt<br />
The <strong>Extreme</strong> MPLS implementation provides read-only<br />
(GET but not SET) support for a subset of the MPLS<br />
LSR MIB, as defined in the Internet Draft<br />
draft-ietf-mpls-lsr-mib-07.txt, <strong>and</strong> a subset of the MPLS<br />
LDP MIB, as defined in the Internet Draft<br />
draft-ietf-mpls-ldp-mib-07.txt.<br />
OSPF<br />
RFC 2328 OSPF Version 2<br />
RFC 1587 The OSPF NSSA Option<br />
RFC 1765 OSPF Database Overflow<br />
RFC 2370 The OSPF Opaque LSA Option<br />
PPP - St<strong>and</strong>ards <strong>and</strong> MIBs<br />
RFC 1661 The Point-to-Point Protocol (PPP)<br />
RFC 1662 PPP in HDLC-like Framing<br />
RFC 2615 PPP over SONET/SDH<br />
RFC 1334 PPP Authentication Protocols<br />
RFC 1994 PPP Challenge H<strong>and</strong>shake Authentication<br />
Protocol (CHAP)<br />
RFC 1332 The PPP Internet Protocol Control Protocol<br />
(IPCP)<br />
RFC 2878 PPP Bridging Control Protocol (BCP)<br />
RFC 1191 Path MTU Discovery<br />
RFC 3032 MPLS Label Stack Encoding<br />
The interface counters in MIB-II (RFC 1213) are<br />
supported for PPP.<br />
Support for read-only operations (GET operations, but<br />
not SET operations) is provided for the following PPP<br />
MIBs:<br />
• RFC 1471 The Definitions of Managed Objects for<br />
the Link Control Protocol of the Point-to-Point<br />
Protocol<br />
• RFC 1472 The Definitions of Managed Objects for<br />
the Security Protocols of the Point-to-Point Protocol<br />
• RFC 1474 The Definitions of Managed Objects for<br />
the Bridge Network Control Protocol of the<br />
Point-to-Point Protocol<br />
• RFC 1473 The Definitions of Managed Objects for<br />
the IP Network Control Protocol of the Point-to-Point<br />
Protocol<br />
452 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Supported Protocols, MIBs, <strong>and</strong> St<strong>and</strong>ards<br />
Quality of Service<br />
IEEE 802.1D -1998 (802.1p) Packet Priority<br />
RFC 2474 Definition of the Differentiated Services Field<br />
(DS Field) in the IPv4 <strong>and</strong> IPv6 Headers<br />
RFC 2598 An Expedited Forwarding PHB<br />
RFC 2597 Assured Forwarding PHB Group<br />
Bi-directional Rate Shaping<br />
RFC 2475 An Architecture for Differentiated Service<br />
Layer 1-4, layer 7 (user name) Policy-Based Mapping<br />
Policy-Based Mapping/Overwriting of DiffServ code<br />
points, .1p priority<br />
DLCS (Dynamic Link Context System, WINS snooping)<br />
for integration with EPICenter Policy Manager<br />
RIP<br />
RFC 1058 Routing Information Protocol RFC 2453 RIP Version 2<br />
Security<br />
Routing protocol authentication (see above)<br />
Secure Shell (SSHv2) & Secure Copy (SCPv2) with<br />
encryption/authentication<br />
SNMPv3 user based security, with<br />
encryption/authentication<br />
RFC 1492 An Access Control Protocol, Sometimes<br />
Called TACACS<br />
RFC 2138 Remote Authentication Dial In <strong>User</strong> Service<br />
(RADIUS)<br />
RFC 2139 RADIUS Accounting<br />
IEEE 802.1x Port Based Network Access Control<br />
Multiple supplicants for Network Login (web-based <strong>and</strong><br />
802.1x modes)<br />
RADIUS Per-comm<strong>and</strong> Authentication<br />
Access Profiles on All Routing Protocols<br />
Access Profiles on All Management Methods<br />
Network Login (including DHCP / RADIUS integration)<br />
MAC Address Security / Lockdown<br />
Network Address Translation (NAT)<br />
Layer 2/3/4/7 Access Control Lists (ACLs)<br />
VLANs<br />
IEEE 802.1Q VLAN Tagging<br />
IEEE 802.3ad Static ConfigPort-based VLANs<br />
IEEE 802.1v VLAN classification by Protocol <strong>and</strong> Port<br />
Port-based VLANs<br />
MAC-based VLANs<br />
Virtual MANs<br />
Multiple STP domains per VLAN<br />
VLAN Translation<br />
RFC 2674 Definitions of Managed Objects for Bridges<br />
with Traffic Classes, Multicast Filtering, <strong>and</strong> Virtual LAN<br />
Extensions<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 453
Technical Specifications<br />
454 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index<br />
Numerics<br />
802.11a, 802.11b, 802.11g 360<br />
802.1d mode, STP 267<br />
802.1p 109 to 111<br />
802.1q 239<br />
802.1x authentication<br />
co-existence with web-based 157<br />
EAPOL flooding 63<br />
overview 156<br />
requirements 156<br />
802.1x/EAP 170<br />
802.3ad load sharing 71<br />
A<br />
About This <strong>Guide</strong> 18<br />
access control lists<br />
adding 148<br />
deleting 148<br />
description 145, 427<br />
examples 149<br />
ICMP filter example 152<br />
permit-established example 149<br />
permit-established keyword 147<br />
verifying settings 148<br />
access levels 35, 406<br />
access masks 148<br />
access policies 351<br />
access profile mode 195<br />
access profiles<br />
reverse mask 196<br />
SNMP 48<br />
Telnet 45<br />
AccessAdapt management 360<br />
accounts 35 to 38<br />
ACL, installed by DoS protect 206<br />
active scan 367<br />
adding<br />
access lists 148<br />
access masks 148<br />
log filters 133<br />
ports to a VLAN 427<br />
rate limits 148<br />
Address Resolution Protocol. See ARP<br />
admin account 36<br />
Advanced Edge license 409<br />
Advanced Encryption St<strong>and</strong>ard. See AES<br />
AES 360<br />
agent circuit ID sub-option 328<br />
agent remote ID sub-option 328<br />
aging entries, FDB 98<br />
aging value of DoS protection 209<br />
alarm actions 142<br />
Alarms, RMON 141<br />
Altitude 300 359<br />
Altitude 300 antenna 360<br />
Altitude 300-2d 361<br />
antenna, Altitude 300 360<br />
AP detection 367<br />
AP scan<br />
configuring 367<br />
enabling <strong>and</strong> disabling 367<br />
results (table) 369<br />
viewing results 369<br />
APMAC 369<br />
areas, OSPF 336<br />
ARP<br />
communicating with devices outside subnet 323<br />
configuring proxy 323<br />
<strong><strong>Extreme</strong>Ware</strong> Vista 429<br />
incapable device 323<br />
minimal mode 241<br />
proxy ARP between subnets 323<br />
proxy ARP, description of 322<br />
responding to ARP requests 323<br />
table, displaying 325<br />
atestReceivedEngineTime 53<br />
authentication 170<br />
location-based 171<br />
network access examples (table) 172<br />
time-based 171<br />
web-based & 802.1x 156<br />
authentication methods 157<br />
802.1x/EAP 170<br />
open 170<br />
WEP 170<br />
authentication type 373<br />
AuthnoPriv 55<br />
AuthPriv 55<br />
automatic failover 79 to 80<br />
autonegotiation 66<br />
autopolarity 67<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 455
Index<br />
B<br />
backbone area, OSPF 336<br />
beacon interval 364, 365<br />
beacons, number of 369<br />
blackhole entries, FDB 99, 153<br />
blackhole MAC addresses 109<br />
blocking attacks 206<br />
BOOTP relay<br />
configuring 327 to 328<br />
deleting 327<br />
<strong><strong>Extreme</strong>Ware</strong> Vista 434<br />
UDP-forwarding 329<br />
BOOTP server 43<br />
BootROM<br />
image 223<br />
minimal mode 241<br />
prompt 232<br />
signature compatibility 228<br />
upgrading, accessing 231<br />
bootstrap router (BSR) 350<br />
bridging, wireless 361<br />
broadcast forwarding 408<br />
browser<br />
controls 407<br />
fonts 404<br />
setting up 403<br />
buttons in <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
C<br />
cable diagnostics 236<br />
cabling for redundancy 81<br />
campus mode 162<br />
campus mode authentication 158<br />
capability, value in AP scan results 369<br />
channel 369<br />
checksum computation 351<br />
cipher suites 171<br />
classification, port power 386<br />
clearing the client scan table 371<br />
CLI<br />
comm<strong>and</strong> history 33<br />
comm<strong>and</strong> shortcuts 30<br />
line-editing keys 32<br />
named components 31<br />
numerical ranges, BlackDiamond switch 31<br />
numerical ranges, Summit switch 31<br />
symbols 31<br />
syntax helper 30<br />
troublehooting 237<br />
using 29<br />
client<br />
aging 375<br />
collecting history information 372<br />
current state 372<br />
current state details (table) 373<br />
diagnostic <strong>and</strong> history information (table) 374<br />
history information 373<br />
scan 370<br />
scan performance results (table) 372<br />
scan results (table) 371<br />
client MAC 373<br />
client priority 373<br />
client scan table, clearing 371<br />
client scanning<br />
clearing client scan table 371<br />
configuring 370<br />
overview 370<br />
viewing properties 371<br />
viewing scan results 371<br />
client VLAN 373<br />
collisions 440<br />
combination ports 80<br />
comm<strong>and</strong><br />
history 33<br />
shortcuts 30<br />
Comm<strong>and</strong>-Line Interface. See CLI<br />
common comm<strong>and</strong>s (table) 33<br />
common power pool 385<br />
communicating with devices outside subnet 323<br />
complete configuration download 230<br />
configuration<br />
downloading 230<br />
logging 140<br />
network login 161<br />
primary <strong>and</strong> secondary 228<br />
saving changes 228<br />
schedule download 231<br />
security options (table) 178<br />
uploading to file 229<br />
using <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
wireless ports 377<br />
configuring PoE 391<br />
console port<br />
enable telnet 46<br />
supported sessions 42<br />
content frame in <strong><strong>Extreme</strong>Ware</strong> Vista 406<br />
controlling Telnet access 45<br />
conventions 18<br />
country codes, configuring for wireless 375<br />
CPU utilization 241<br />
CRC errors 238<br />
creating<br />
access lists 148<br />
access masks 148<br />
OSPF areas using <strong><strong>Extreme</strong>Ware</strong> Vista 411<br />
rate limits 148<br />
user accounts 37<br />
creating rules, NAT 122<br />
D<br />
database applications, <strong>and</strong> QoS 105<br />
database overflow, OSPF 335<br />
debug mode for EMS 240<br />
debug tracing facility 240<br />
default<br />
gateway 307<br />
passwords 36<br />
routes 238<br />
settings 27<br />
STP domain 266<br />
users 36<br />
default gateway 376<br />
default route 240<br />
default VLAN 91<br />
delete<br />
access list 148<br />
access masks 148<br />
access profile 198<br />
456 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index<br />
BOOTP relay 327<br />
EAPS domain 252<br />
filter 57<br />
group 54<br />
MIB view 56<br />
OSPF area using <strong><strong>Extreme</strong>Ware</strong> Vista 410<br />
rate limit 148<br />
session 45<br />
SNMP notification tags 58<br />
SNMP target 56<br />
target parameters 57<br />
trap receiver 47<br />
user 37, 53<br />
delivery traffic indication message (DTIM) 364, 366<br />
denial of service protection 202 to 209<br />
aging value 209<br />
configuring 202<br />
deploying 205<br />
disabling 204<br />
displaying 204<br />
drop probability rates 207<br />
enabling 203<br />
enhanced 206<br />
IPFDB cache size 209<br />
IPFDB learning qualifier 208<br />
learn windows 207, 209<br />
learning limit 209<br />
setting protocol types 208<br />
setting thresholds 207<br />
SQL slammer 206<br />
trusted <strong>and</strong> untrusted ports 207, 209<br />
deploying denial of service protection 205<br />
DHCP<br />
network login <strong>and</strong> 156<br />
option 82 328<br />
relay 327, 328<br />
requirement for web-based network login 156<br />
server, used as part of network login 165<br />
UDP-forwarding 329<br />
verifying relay configuration 328<br />
DiffServ, configuring 111<br />
disabling route advertising (RIP) 334<br />
disconnecting a Telnet session 45<br />
distance-vector protocol, description 332<br />
DNS, description 38<br />
Domain Name Service. See DNS<br />
domains, STP 266<br />
DoS protection. See denial of service protection<br />
downloading incremental configuration 230<br />
drop probability rates 207<br />
DTIM 364, 366<br />
dynamic entries, FDB 98, 153<br />
dynamic routes 321<br />
E<br />
EAP<br />
EAPOL 63<br />
IEEE 802.1x port authentication 63<br />
EAP-MD5 360<br />
EAPOL <strong>and</strong> DHCP 157<br />
EAPOL flooding 63<br />
EAPS<br />
common link 258<br />
domain, creating <strong>and</strong> deleting 251<br />
enabling <strong>and</strong> disabling a domain 255<br />
enabling <strong>and</strong> disabling on a switch 255<br />
multi-ring topologies 250<br />
polling timers, configuring 252<br />
restrictions 251<br />
ring port, unconfiguring 255<br />
shared port<br />
configuration rules 263<br />
configuring the domain ID 262<br />
creating <strong>and</strong> deleting 261<br />
defining the mode 261<br />
shared port, common link failure 260<br />
shared ports 258<br />
show eaps display fields (table) 257<br />
status information, displaying 255 to 258, 262<br />
switch mode, defining 252<br />
EAPS awareness 251<br />
EAP-TLS 360<br />
EAP-TLS (Transport Layer Security) 170<br />
EAP-TTLS 360<br />
EAP-TTLS (Tunneled TLS) 170<br />
echo server 330<br />
EDP, description 76<br />
ELRP<br />
description 300<br />
master behavior 301<br />
pre-master behavior 301<br />
terms 300<br />
EMISTP<br />
description 267<br />
rules 270<br />
enabling a switch port 66<br />
encryption 171<br />
encryption type 373<br />
Enhanced DoS Protection 206<br />
Equal Cost Multi-Path (ECMP) routing. See IP route sharing<br />
error level messages in <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
errors, port 126<br />
ESRP<br />
<strong>and</strong> IP multinetting 306<br />
<strong>and</strong> STP 306<br />
<strong>and</strong> VRRP 312<br />
description 285<br />
diagnostic tracking 291<br />
direct link 288<br />
domains 296<br />
don’t count 296<br />
environment tracking 291<br />
example 303<br />
failover time 290<br />
groups 297<br />
host attach 295<br />
linking switches 288<br />
load sharing 296<br />
master<br />
behavior 289<br />
definition 287<br />
determining 288<br />
electing 289<br />
election algorithms 290<br />
multiple VLANs sharing a host port 288<br />
OSPF tracking 293<br />
ping tracking 292, 293<br />
port restart 295<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 457
Index<br />
pre-master, behavior 289<br />
restarting ports 295<br />
RIP tracking 293<br />
route table tracking 292<br />
selective forwarding 298<br />
slave mode<br />
behavior 289<br />
definition 287<br />
terms 286<br />
tracking, description 291<br />
ESRP, load sharing <strong>and</strong> 73<br />
ESS name 369<br />
ESSID 373<br />
establishing a Telnet session 43<br />
Ethernet collisions 440<br />
Ethernet link errors 441<br />
Ethernet packet encapsulation 110<br />
Events, RMON 141<br />
examples<br />
port power budget 387<br />
security configuration 179<br />
wireless configuration 177<br />
explicit packet marking 109<br />
export restrictions 27<br />
exporting routes to OSPF 410<br />
Extended Service Set Identifier. See ESSID<br />
Extensible Authentication Protocol. See EAP<br />
External Power Supply EPS-LD 388<br />
<strong>Extreme</strong> Discovery Protocol See EDP<br />
<strong>Extreme</strong> Loop Recovery Protocol. See ELRP<br />
<strong>Extreme</strong> St<strong>and</strong>by Router Protocol. See ESRP<br />
<strong>Extreme</strong> Unified Access Architecture 360<br />
<strong><strong>Extreme</strong>Ware</strong><br />
factory defaults 27<br />
features 23<br />
<strong><strong>Extreme</strong>Ware</strong> Vista 403 to 448<br />
access levels 406<br />
accessing 404<br />
browser controls 407<br />
browser setup 403<br />
buttons 407<br />
Ethernet collisions 440<br />
event logging 430<br />
FDB 431<br />
fonts 404<br />
frames 406<br />
hardware status 443<br />
home page 404<br />
IP ARP 432<br />
IP configuration statistics 433<br />
IP forwarding configuration 408<br />
IP routing table statistics 435<br />
IP statistics 436<br />
JavaScript 403<br />
license window 409<br />
link errors 441<br />
logging out 448<br />
navigating 406<br />
OSPF configuration 410<br />
overview 403<br />
port configuration 415<br />
port statistics 439<br />
port utilization 441<br />
requirements 403<br />
RIP configuration 417<br />
RIP statistics 442<br />
screen resolution 404<br />
SNMP configuration 419<br />
status messages 407<br />
STP configuration 420<br />
support information 444<br />
switch configuration 423<br />
user account 424<br />
username, password 405<br />
VLAN administration 425<br />
F<br />
FDB 97 to 101<br />
adding an entry 97<br />
aging entries 98<br />
blackhole entries 99<br />
contents 97<br />
creating a permanent entry example 100<br />
displaying 101<br />
dynamic entries 98<br />
dynamic entries, limiting 153<br />
entries 97<br />
limiting entries 153<br />
non-aging entries 98<br />
permanent entries 99<br />
prioritizing entries 153<br />
QoS profile association 99<br />
reviewing through <strong><strong>Extreme</strong>Ware</strong> Vista 431<br />
troubleshooting 238, 240<br />
fiber, troubleshooting 239<br />
file server applications, <strong>and</strong> QoS 105<br />
flow control 66<br />
fonts, browser 404<br />
force disassociation 378<br />
Forwarding Database. See FDB<br />
fragment length 364, 366<br />
fragment size 364, 366<br />
frames in <strong><strong>Extreme</strong>Ware</strong> Vista 406<br />
G<br />
gateway, default 376<br />
Greenwich Mean Time Offsets (table) 61<br />
groups 54<br />
H<br />
hardware status information 443<br />
health check reset 378<br />
hello interval 351<br />
history comm<strong>and</strong> 33<br />
History, RMON 141<br />
home page 404<br />
host attach 73<br />
HTTP clients 174<br />
HTTPS 174<br />
I<br />
ICMP attacks 206<br />
IEEE 802.1Q 86<br />
IEEE 802.1x<br />
comparison with web-based authentication 157<br />
EAP Over LANs (EAPOL) 63<br />
458 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index<br />
IEEE 802.3ad load sharing 71<br />
ifAdminStatus 47<br />
IGMP 352<br />
image 225, 226<br />
information level messages in <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
Inter-Access Point Protocol. See IAPP<br />
interfaces<br />
configuring wireless 378<br />
router 320<br />
Interframe Gap 68<br />
Internet Group Management Protocol. See IGMP<br />
interoperability requirements 158<br />
Interpacket Gap 68<br />
IP address, entering 44<br />
IP ARP 432<br />
IP configuration statistics 433<br />
IP multicast routing<br />
configuring 354<br />
description 25, 349<br />
IGMP 352 to 353<br />
PIM-SM 350<br />
IP route sharing 322<br />
IP routing table statistics 435<br />
IP statistics 436<br />
IP unicast routing<br />
BOOTP relay 327<br />
configuration examples 325<br />
configuring 324<br />
default gateway 319<br />
description 25<br />
DHCP relay 327<br />
ECMP 322<br />
enabling 324<br />
IP route sharing 322<br />
proxy ARP 322<br />
router interfaces 320<br />
routing table 321<br />
using <strong><strong>Extreme</strong>Ware</strong> Vista 408<br />
verifying the configuration 325<br />
IP-based traffic grouping 108<br />
IPFDB cache size 209<br />
IPFDB learning 208<br />
IPFDB learning qualifer, configuring 208<br />
IPFDB thrashing, preventing 206<br />
ipmc routing 354<br />
ISP mode 158, 162<br />
J<br />
JavaScript on <strong><strong>Extreme</strong>Ware</strong> Vista 403<br />
join prune interval 351<br />
jumbo frames<br />
description 68<br />
enabling 69<br />
IP fragmentation 70<br />
path MTU discovery 69<br />
K<br />
keys<br />
line-editing 32<br />
port monitoring 127<br />
L<br />
LACP 71<br />
last state changed 373<br />
learn windows 207, 209<br />
learning limit 209<br />
LEDs<br />
for PoE usage 391<br />
troubleshooting 235<br />
license vouchers 26<br />
licensing<br />
description 26<br />
license voucher 26<br />
ordering 26<br />
using <strong><strong>Extreme</strong>Ware</strong> Vista 409<br />
verifying 26<br />
line-editing keys 32<br />
link type, RSTP 273<br />
link up <strong>and</strong> link down traps 48<br />
link-state database 335<br />
link-state protocol, description 332<br />
load sharing<br />
configuring 72<br />
description 71<br />
ESRP 73, 296<br />
example 74<br />
load-sharing group, description 71<br />
master port 72<br />
operations 389<br />
power supplies 388<br />
verifying the configuration 74<br />
location, wireless 378<br />
location-based authentication 171<br />
logging<br />
configuration changes 140<br />
fault level 430<br />
subsystem 430<br />
timestamp 430<br />
using <strong><strong>Extreme</strong>Ware</strong> Vista 430<br />
wireless events 380<br />
logging in 37<br />
logon to <strong><strong>Extreme</strong>Ware</strong> Vista 405<br />
Logout button 448<br />
long retry 365, 366<br />
loop protection 241<br />
LSDB 335<br />
M<br />
MAC addresses, permanent FDB entry 108<br />
MAC RADIUS 224<br />
MAC-based security 153<br />
MAC-based traffic grouping 108<br />
MAC-based VLANs 93 to 95, 144<br />
management access 35, 425<br />
management accounts 37<br />
management port 42<br />
management VLAN, configuring 376<br />
master port 72<br />
maximum Telnet session 42<br />
MD5 175<br />
mgmt VLAN 42<br />
MIBs<br />
ifAdminStatus 47<br />
MIB view 56<br />
supported 449<br />
Microsoft Internet Explorer, using for <strong><strong>Extreme</strong>Ware</strong> Vista404<br />
minimal mode 241<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 459
Index<br />
modular switch, enabling <strong>and</strong> disabling ports 66<br />
monitoring the switch 125<br />
mrinfo 353<br />
mtrace 354<br />
multicast forwarding 408<br />
multicast tools 353<br />
multiple routes 321<br />
multi-ring topologies 250<br />
N<br />
names, VLANs 90<br />
NAT 117 to 123<br />
Netscape Navigator, using for <strong><strong>Extreme</strong>Ware</strong> Vista 404<br />
Network Address Translation. See NAT<br />
network login 156<br />
authentication types 156<br />
campus mode 163<br />
configuring 161<br />
DHCP server as part of 165<br />
disabling 165<br />
introduction 59<br />
settings, displaying 165, 167<br />
network policies 361<br />
network security policies 172<br />
network type 369<br />
noAuthnoPriv 54<br />
noise floor 366<br />
non-aging entries, FDB 98<br />
notice icons 18<br />
Not-So-Stubby_Area. See NSSA<br />
NSSA 337<br />
O<br />
off-channel scan 367<br />
opaque LSAs, OSPF 336<br />
open authentication 170<br />
Open Shortest Path First. See OSPF<br />
opening a Telnet session 43<br />
option 82, DHCP relay 328<br />
Organizational Unique Identifier (OUI) 168<br />
OSPF<br />
advantages 332<br />
area 0 336<br />
areas 336<br />
backbone area 336<br />
configuration example 343<br />
configuration using <strong><strong>Extreme</strong>Ware</strong> Vista 410<br />
consistency 335<br />
database overflow 335<br />
description 332, 334<br />
display filtering 345<br />
exporting routes using <strong><strong>Extreme</strong>Ware</strong> Vista 410<br />
link type 339<br />
link-state database 335<br />
normal area 338<br />
NSSA 337<br />
opaque LSAs 336<br />
passive 335<br />
point-to-point links 339<br />
redistributing routes 340<br />
router types 336<br />
routing access policies 199<br />
settings, displaying 345<br />
stub area 337<br />
virtual link 338<br />
wait interval, configuring 342<br />
P<br />
packet fragment size 364, 366<br />
packet preamble 365, 366<br />
passive OSPF 335<br />
passive scan 367<br />
password problems 238<br />
passwords<br />
default 36<br />
forgetting 37<br />
path MTU discovery 69<br />
PD 383, 386<br />
PEAP 360<br />
PEAP (protected EAP) 170<br />
performance enhanced DoS Protection 206<br />
permanent entries, FDB 99<br />
permanent MAC addresses 108<br />
permit-established keyword 147<br />
Per-VLAN Spanning Tree. See PVST+<br />
PIM-SM 350 to 351<br />
ping comm<strong>and</strong> 38<br />
PoE 383 to 400<br />
budget 384<br />
configuring 391<br />
features 383<br />
LEDs for usage 391<br />
poison reverse 333<br />
policy examples 172<br />
port<br />
autonegotiation 66<br />
configuring 416<br />
connection order 385<br />
enabling <strong>and</strong> disabling 66<br />
errors,viewing 126<br />
mode 267, 282<br />
monitoring display keys 127<br />
network login 156<br />
numbering 65<br />
personality 360<br />
power<br />
budget 386, 387<br />
management 384<br />
operator limit 384<br />
priorities 386<br />
reset 386<br />
priority, STP 282<br />
receive errors 127<br />
software-controlled redundant<br />
configuring 79<br />
description 77<br />
statistics, viewing 125, 439<br />
STP state, displaying 284<br />
transmit errors 126<br />
troubleshooting 238<br />
utilization 441<br />
port-based VLANs 84<br />
port-mirroring 75<br />
power<br />
budget management 384<br />
common pool 385<br />
consuming more than allocated 387<br />
460 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index<br />
load sharing operations 389<br />
load sharing supplies 388<br />
modes 390<br />
operator limit 384<br />
parameter restrictions (table) 390, 391<br />
port 384<br />
port budget example 387<br />
port connection order 385<br />
port power budget 386<br />
port priorities 386<br />
port reset 386<br />
power events 387<br />
redundant supplies 389<br />
reserved 384<br />
power events 387<br />
Power over Ethernet. See PoE<br />
power sourcing equipment (PSE) 386<br />
power supplies (table) 389<br />
powered device 383<br />
preamble 365, 366<br />
primary image 226<br />
priority for slow path traffic 111<br />
privacy 171<br />
private community, SNMP 48<br />
private keys 175<br />
PROBE REQ messages 370<br />
probe resp packets, number of 369<br />
profile<br />
QoS 106<br />
RF 362, 363<br />
security 362<br />
protocol analyzers, use with port-mirroring 75<br />
protocol filters 89<br />
Protocol Independent Multicast- Sparse Mode. See PIM-SM<br />
protocol-based VLANs 88<br />
proxy ARP 322 to 323<br />
public community, SNMP 48<br />
PVST+<br />
description 271<br />
STP mode 267<br />
Q<br />
QoS 103 to 115<br />
802.1p default mapping (table) 110<br />
802.1p priority 110<br />
applications 104<br />
blackhole 109<br />
database applications 105<br />
default QoS profiles 106<br />
description 24, 103<br />
DiffServ, configuring 111<br />
FDB entry association 99<br />
file server applications 105<br />
monitor 113<br />
priority 106<br />
profile 106 to 107<br />
profiles parameters (table) 106<br />
traffic groupings 106<br />
traffic groupings by precedence (table) 107<br />
verifying 114<br />
video applications 104<br />
voice applications 104<br />
web browsing applications 105<br />
Quality of Servce. See QoS 104<br />
R<br />
Radio Frequency See RF<br />
RADIUS<br />
<strong>and</strong> TACACS+ restriction 58<br />
client configuration 213<br />
description 58, 211<br />
Merit server configuration (example) 215<br />
per-comm<strong>and</strong> authentication 212<br />
per-comm<strong>and</strong> configuration (example) 216<br />
request attributes (table) 173<br />
RFC 2138 attributes 213<br />
servers 211<br />
TCP port 213<br />
wireless attributes 173<br />
rapid root failover 267<br />
Rapid Spanning Tree Protocol. See RSTP<br />
rate limit protocol type 208<br />
rate limits<br />
adding 148<br />
<strong>and</strong> QoS 115<br />
deleting 148<br />
real-time performance monitoring 113<br />
reboot loop protection 241<br />
receive errors 127<br />
received signal strength 373<br />
redistributing routes 340<br />
redundant Gigabit uplink port<br />
Summit 200-24 rules 79<br />
Summit 200-48 rules 80<br />
redundant ports, software controlled<br />
configuring 79<br />
redundant ports, software-controlled<br />
description 77<br />
typical configurations 77<br />
redundant power supplies 389<br />
relay agent option, DHCP option 82 328<br />
Remote Monitoring. See RMON<br />
renaming a VLAN 91<br />
rendezvous point (RP) 350<br />
request to send (RTS) threshold 365, 366<br />
requirements for <strong><strong>Extreme</strong>Ware</strong> Vista 403<br />
reserved power 384<br />
reset to factory defaults 229<br />
responding to ARP requests 323<br />
reverse mask 196<br />
RF<br />
monitoring 366<br />
profiles 363<br />
properties 363<br />
RF profile 362<br />
configuring 364<br />
creating 363<br />
deleting 364<br />
property values (table) 365<br />
viewing properties 365<br />
RIP<br />
advantages 332<br />
configuration example 341<br />
configuration using <strong><strong>Extreme</strong>Ware</strong> Vista 417<br />
description 332, 333<br />
disabling route advertising 334<br />
enabling 324<br />
limitations 332<br />
poison reverse 333<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 461
Index<br />
redistributing routes 340<br />
routing access policies 198<br />
routing table entries 333<br />
split horizon 333<br />
statistics 442<br />
triggered updates 334<br />
version 2 334<br />
RMON<br />
alarm actions 142<br />
Alarms group 141<br />
Events group 141<br />
features supported 140<br />
History group 141<br />
probe 140<br />
Statistics group 141<br />
route sharing. See IP route sharing<br />
router interfaces 320<br />
router licensing<br />
description 26<br />
license voucher 26<br />
ordering 26<br />
verifying 26<br />
router types, OSPF 336<br />
routing access policies<br />
access profile 195 to 198<br />
deny 195<br />
none 195<br />
OSPF 199<br />
permit 195<br />
PIM 201<br />
RIP 198<br />
using 195<br />
Routing Information Protocol. See RIP<br />
routing table, populating 321<br />
routing. See IP unicast routing<br />
RSS 373<br />
RSS statistics 369<br />
RSTP<br />
alternate port 272<br />
auto link 273<br />
backup port 272<br />
broadcast link 273<br />
configuring link types 273<br />
designated port 272<br />
designated port rapid behavior 276<br />
edge link 273<br />
edge ports 273<br />
operation 274<br />
overview 271<br />
point-to-point link 273<br />
port roles 272<br />
propogating topology information 277<br />
receiving bridge behavior 277<br />
root port 272<br />
root port rapid behavior 275<br />
terms 271<br />
timers 273<br />
RTS<br />
threshold 365, 366<br />
rule matching, NAT 122<br />
Rx bytes 373<br />
RX CRC errors 238<br />
Rx frames 373<br />
S<br />
sample configuration 162<br />
saving configuration changes 228<br />
scan for AP detection 367<br />
scheduling configuration download 231<br />
screen resolution, <strong><strong>Extreme</strong>Ware</strong> Vista 404<br />
secondary image 226<br />
security<br />
authentication 170<br />
certificates 175<br />
configuration examples 179<br />
configuration options (table) 178<br />
options (table) 169<br />
security licensing<br />
description 27<br />
obtaining 27<br />
security name 53<br />
security policies 172<br />
<strong>and</strong> RADIUS support 173<br />
design 172<br />
security profile 362<br />
sessions, deleting 45<br />
short retry 365, 366<br />
shortcuts, comm<strong>and</strong> 30<br />
shortest path tree (SPT) 350, 351<br />
Simple Network Management Protocol. See SNMP<br />
slow path traffic 111<br />
smart redundancy 77<br />
SNAP protocol 90<br />
SNMP<br />
community strings 48<br />
configuring 47, 419<br />
controlling access 48<br />
filters 57<br />
ifAdminStatus MIB value 47<br />
Network Manager troubleshooting 237<br />
notification tags 58<br />
read access 48<br />
read/write access 48<br />
settings, displaying 49<br />
supported MIBs 47<br />
system contact 48, 419<br />
system location 48, 419<br />
system name 48, 419<br />
targets 56<br />
trap receiver 237<br />
trap receivers 47<br />
using 46<br />
SNMPEngineBoots 53<br />
snmpEngineID 52<br />
SNMPEngineTime 53<br />
SNTP<br />
configuring 59<br />
Daylight Savings Time 59<br />
description 59<br />
example 62<br />
Greenwich Mean Time offset 59<br />
Greenwich Mean Time Offsets (table) 61<br />
NTP servers 59<br />
software licensing<br />
security features 27<br />
SSH2 protocol 27<br />
using <strong><strong>Extreme</strong>Ware</strong> Vista 409<br />
software-controlled redundant ports<br />
462 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index<br />
typical configuration 77<br />
Spanning Tree Protocol. See STP<br />
speed, ports 66<br />
split horizon 333<br />
SQL slammer DoS attacks 206<br />
SSH2 protocol<br />
authentication key 222<br />
description 46, 221<br />
enabling 222<br />
licensing 27<br />
predefined clients 222<br />
TCP port number 222<br />
st<strong>and</strong>alone buttons in <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
st<strong>and</strong>-alone switch<br />
enabling <strong>and</strong> disabling ports 66<br />
static IGMP 352<br />
static routes 238, 321<br />
statistics<br />
port 125<br />
reports using <strong><strong>Extreme</strong>Ware</strong> Vista 429<br />
RMON 141<br />
status monitoring<br />
description 125<br />
STP<br />
802.1d mode 267<br />
<strong>and</strong> ESRP 306<br />
<strong>and</strong> VLANs 266<br />
<strong>and</strong> VRRP 312<br />
basic configuration example 268<br />
bridge priority 282<br />
configurable parameters 282<br />
configuration examples 282<br />
configuring 281, 420<br />
description 24<br />
displaying settings 283<br />
domains 266<br />
EAPS awareness 251<br />
EMISTP<br />
description 267<br />
rules 270<br />
forward delay 282<br />
hello time 282<br />
max age 282<br />
overview 265<br />
path cost 282<br />
port mode 267, 282<br />
port priority 282<br />
port state, displaying 284<br />
PVST+ mode 267, 271<br />
rapid root failover 267<br />
requirement for multi-ring topologies 251<br />
rules <strong>and</strong> restrictions 281<br />
StpdID 267, 282<br />
troubleshooting 240<br />
STPD modes 266<br />
stub area, OSPF 337<br />
sub-options, DHCP relay agent option 328<br />
supplicant side requirements 158<br />
support information 444<br />
supported rate set 369<br />
SVP, enabling to support VoIP 381<br />
switch<br />
configuration using <strong><strong>Extreme</strong>Ware</strong> Vista 423<br />
configuring load sharing 72<br />
configuring wireless properties 375<br />
monitoring 125<br />
RMON features 140<br />
switch port-mirroning 75<br />
Symmetric ciphers 175<br />
system contact, SNMP 48, 419<br />
system location, SNMP 48, 419<br />
system name, SNMP 48, 419<br />
system odometer 241<br />
T<br />
TACACS+<br />
<strong>and</strong> RADIUS restriction 58<br />
description 59, 217<br />
servers, specifying 217<br />
tagging, VLAN 86<br />
task frame in <strong><strong>Extreme</strong>Ware</strong> Vista 406<br />
technical support 242<br />
Telnet<br />
connecting to another host 43<br />
controlling access 45<br />
disconnecting a session 45<br />
maximum sessions 42<br />
opening a session 43<br />
problems 237<br />
using 42<br />
Temporal Key Integrity Protocol. See TKIP<br />
Terminal Access Controller Access Control System Plus. See<br />
TACACS+<br />
TFTP<br />
server 225<br />
using 229<br />
thrashing, IPFDB, preventing 206<br />
threshold, RTS 365, 366<br />
time-based authentication 171<br />
timed configuration download, MAC-based VLANs 95<br />
timers, PIM-SM 351<br />
TKIP 360<br />
traceroute comm<strong>and</strong> 39<br />
traffic groupings 106<br />
traffic rate-limiting 115<br />
transmit errors 126<br />
trap receivers 237<br />
triggered updates 334<br />
troubleshooting<br />
cables 236<br />
CLI 237<br />
CPU utilization 241<br />
FDB 240<br />
fiber 239<br />
IP multicast 353<br />
password 238<br />
permanent FDB entries 238<br />
power 235<br />
reboot loops 241<br />
STP 240<br />
technical support 242<br />
VLANs 239<br />
trunks 86<br />
trusted neighbor policy 351<br />
trusted OUI 168<br />
trusted ports 207, 209<br />
Tx bytes 373<br />
Tx frames 373<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 463
Index<br />
U<br />
UDP echo server 330<br />
UDP-forwarding 329<br />
unconfigure RIP 417<br />
unicast forwarding 408<br />
unified access security 168<br />
untrusted ports 207, 209<br />
uplink redundancy 79 to 80<br />
uploading the configuration 229<br />
URL redirection 157<br />
user accounts 36, 424<br />
user login 163<br />
user name 53<br />
users<br />
access levels 35<br />
accounts 158<br />
authenticating 58, 211<br />
creating 37<br />
default 36<br />
viewing 37<br />
USM security 54<br />
UTP problems 236<br />
V<br />
vendor ID 158<br />
Vendor Specific Attribute (VSA) 158<br />
vendor specific attributes (table) 173<br />
verifying load sharing 74<br />
video applications, <strong>and</strong> QoS 104<br />
viewing accounts 37<br />
Virtual LANs. See VLANs<br />
virtual link, OSPF 338<br />
virtual router, VRRP 308<br />
Vista See <strong><strong>Extreme</strong>Ware</strong> Vista<br />
VLANs<br />
administration using <strong><strong>Extreme</strong>Ware</strong> Vista 425<br />
<strong>and</strong> <strong><strong>Extreme</strong>Ware</strong> Vista 403<br />
<strong>and</strong> STP 266<br />
assigning a tag 86<br />
benefits 83<br />
configuration examples 92<br />
configuring 91<br />
default 91<br />
description 24<br />
disabling route advertising 334<br />
displaying settings 93<br />
IP fragmentation 70<br />
MAC-based 93 to 95, 144<br />
management 376<br />
mgmt 42<br />
mixing port-based <strong>and</strong> tagged 88<br />
names 90<br />
network login 156<br />
port-based 84<br />
protocol filters 89<br />
protocol-based 88<br />
renaming 91<br />
routing 324<br />
tagged 86<br />
tagging 86<br />
troubleshooting 239<br />
trunks 86<br />
types 84<br />
UDP-forwarding 329<br />
voice applications, QoS 104<br />
VRRP<br />
advertisement interval 311, 315<br />
<strong>and</strong> ESRP 312<br />
<strong>and</strong> Spanning Tree 312<br />
backup router 308<br />
configuration parameters (table) 315<br />
default gateway 307<br />
description 307<br />
electing the master 311<br />
examples 316<br />
interfaces 308<br />
IP address 308, 315<br />
IP address owner 308<br />
MAC address 308 to 313<br />
master down interval 311, 315<br />
master router 308<br />
master, determining 308<br />
multicast address 311<br />
operation 312<br />
ping tracking 309<br />
port restart 312<br />
preempt mode 315<br />
priority 308 to 315<br />
redundancy 313<br />
restarting ports 312<br />
route table tracking 309<br />
skew time 311, 315<br />
tracking, description 308<br />
virtual router 308<br />
virtual router identifier (VRID) 308, 315<br />
virtual router MAC address 308 to 313<br />
VLAN tracking 309<br />
VRRP router 308<br />
VSA definitions for network login (table) 158<br />
W<br />
warning level messages in <strong><strong>Extreme</strong>Ware</strong> Vista 407<br />
web browsing applications, <strong>and</strong> QoS 105<br />
web login access 174<br />
web-based <strong>and</strong> 802.1x authentication 157<br />
web-based authentication 156<br />
WEP authentication supported 369<br />
WEP required 369<br />
Wi-Fi protected access (WPA) 171<br />
wi-fi security cipher suites (table) 171<br />
wired equivalent privacy (WEP) authentication 170<br />
wireless<br />
bridging 361<br />
client aging 375<br />
client current state 372<br />
client history statistics 372<br />
client scanning 370<br />
configuration examples 177, 178<br />
configuring interfaces 378<br />
country codes 375<br />
default gateway 376<br />
device management 362<br />
enabling SVP 381<br />
event logging <strong>and</strong> reporting 380<br />
example network 360<br />
features 360<br />
health check reset 378<br />
location 378<br />
464 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index<br />
management VLAN 376<br />
network policies 361<br />
networking overview 359<br />
RF profile, configuring 364<br />
RF profile, creating 363<br />
RF profile, deleting 364<br />
show comm<strong>and</strong>s 362<br />
switch properties, configuring 375<br />
wireless client history information 373<br />
wireless port value in client state table 373<br />
wireless ports<br />
configuration process 362<br />
configuration property values (table) 377<br />
configuring 377<br />
managing 362<br />
wireless user access security 169<br />
WPA 360, 369<br />
X<br />
xmodem 225<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 465
Index<br />
466 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index of Comm<strong>and</strong>s<br />
Numerics<br />
802.3af 383<br />
C<br />
clear counters 137, 216<br />
clear debug-trace 240<br />
clear fdb 109<br />
clear inline-power connection-history slot 385, 393<br />
clear inline-power fault ports 395<br />
clear inline-power stats ports 395, 396<br />
clear ipmc cache 206<br />
clear log counters 137<br />
clear session 33, 45<br />
clear wireless ports interface ap-scan results 369<br />
clear wireless ports interface client-scan counters 372<br />
clear wireless ports interface client-scan results 372<br />
client scanning<br />
enabling <strong>and</strong> disabling 370<br />
config inline-power detection 395<br />
config inline-power display-string 396<br />
config inline-power reserved budget 393, 395<br />
config inline-power usage-threshold 393<br />
configure acacs-accounting shared-secret 219<br />
configure access-profile add 196<br />
configure access-profile delete 198<br />
configure access-profile mode 196<br />
configure account 33<br />
configure auth mgmt-access radius primary 220<br />
configure auth mgmt-access radius-accounting primary<br />
220<br />
configure auth mgmt-access tacacs primary 220<br />
configure auth mgmt-access tacacs-accounting primary<br />
221<br />
configure auth netlogin radius primary 221<br />
configure auth netlogin radius-accounting primary 221<br />
configure auth netlogin tacacs primary 221<br />
configure auth netlogin tacacs-accounting primary 221<br />
configure banner 33<br />
configure banner netlogin 33<br />
configure bootprelay add 327<br />
configure bootprelay delete 327<br />
configure bootprelay dhcp-agent information check<br />
328<br />
configure bootprelay dhcp-agent information option<br />
328<br />
configure bootprelay dhcp-agent information policy<br />
328<br />
configure cpu-dos-protect 203<br />
configure cpu-dos-protect trusted-ports 205<br />
configure debug-trace wireless ports iapp 380<br />
configure dns-client add 38<br />
configure dns-client default-domain 38<br />
configure download server 95, 231<br />
configure dvmrp vlan export-filter 201<br />
configure eaps add protect vlan 255<br />
configure eaps failtime 249, 252<br />
configure eaps failtime expiry-action 249, 252<br />
configure eaps hellotime 252<br />
configure eaps mode 252<br />
configure eaps primary port 254<br />
configure eaps secondary port 254<br />
configure eaps shared-port domain 262<br />
configure eaps shared-port mode 261<br />
configure enhanced-dos-protect ipfdb agingtime 209<br />
configure enhanced-dos-protect ipfdb cache-size 209<br />
configure enhanced-dos-protect ipfdb learn-limit 209<br />
configure enhanced-dos-protect ipfdb learn-window<br />
209<br />
configure enhanced-dos-protect ports 207, 209<br />
configure enhanced-dos-protect rate-limit 207, 208<br />
configure esrp port-mode ports 296<br />
configure fdb agingtime 101<br />
configure igmp snooping add static group 352<br />
configure igmp snooping add static router 353<br />
configure igmp snooping delete static group 353<br />
configure igmp snooping delete static router 353<br />
configure igmp snooping filter 353<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 467
Index of Comm<strong>and</strong>s<br />
configure inline-power operator-limit ports 387<br />
configure inline-power power-supply 390<br />
configure inline-power priority ports 386<br />
configure inline-power violation-precedence 387<br />
configure iparp add proxy 323<br />
configure ip-mtu vlan 69, 70<br />
configure iproute add default 42, 45, 324<br />
configure iproute priority 324<br />
configure jumbo-frame size 69<br />
configure log display 139<br />
configure log filter 133<br />
configure log filter events match 135<br />
configure log target filter 131, 135<br />
configure log target format 136<br />
configure log target match 134<br />
configure mirroring add 75<br />
configure nat add vlan map source 120, 121, 122<br />
configure nat vlan 118<br />
configure netlogin base-url 166<br />
configure netlogin redirect-page 166<br />
configure osfp area nssa 337<br />
configure osfp area stub 337<br />
configure osfp ase-limit 335<br />
configure ospf area external-filter 200<br />
configure ospf area interarea-filter 200<br />
configure ospf asbr-filter 200<br />
configure ospf direct-filter 200, 341<br />
configure ospf vlan area 337<br />
configure ospf vlan timer 342<br />
configure pim add 350, 354<br />
configure pim crp static 351<br />
configure pim delete vlan 350<br />
configure pim register-checksum-to 351<br />
configure pim spt-threshold 351<br />
configure pim timer 351<br />
configure pim vlan 351<br />
configure pim vlan trusted-gateway 201<br />
configure port interpacket-gap 68<br />
configure ports auto off 33, 66<br />
configure ports auto on 67<br />
configure ports auto-polarity off 67<br />
configure ports auto-polarity on 67<br />
configure ports lock-learning 155<br />
configure ports preferred-medium 81<br />
configure ports redundant 79<br />
configure ports unlimited-learning 154<br />
configure ports unlock-learning 155<br />
configure protocol add 90<br />
configure radius server 218<br />
configure radius server client-ip 211<br />
configure radius server timeout 219<br />
configure radius shared-secret 211, 212, 218<br />
configure radius timeout 211<br />
configure radius-accounting 212<br />
configure radius-accounting server client-ip 218<br />
configure radius-accounting server timeout 219<br />
configure radius-accounting shared-secret 219<br />
configure radius-accounting timeout 212<br />
configure reboot-loop-protection threshold 241<br />
configure rf-profile beacon-interval 364<br />
configure rf-profile dtim-interval 364<br />
configure rf-profile frag-length 364<br />
configure rf-profile long-retry 365<br />
configure rf-profile preamble 365<br />
configure rf-profile rts-threshold 365<br />
configure rf-profile short-retry 365<br />
configure rip vlan export-filter 198<br />
configure rip vlan import-filter 198<br />
configure rip vlan trusted-gateway 198<br />
configure security-profile default-user-vlan 174<br />
configure security-profile dot1x-upa-timers pairwise-update-timer<br />
174<br />
configure security-profile ess-name 174<br />
configure security-profile ssid-in-beacon 174<br />
configure security-profile use-dynamic-vlan 174<br />
configure security-profile wep key delete 174<br />
configure security-rofile dot11-auth 174<br />
configure sharing address-based 72<br />
configure snmp add community 47<br />
configure snmp add trapreceiver community 47<br />
configure snmp add trapreceiver community<br />
trap-group 50<br />
configure snmp delete trapreceiver 47<br />
configure snmp readonly access-profile 48<br />
configure snmp readwrite access-profile 48<br />
configure snmpv3 add access 54<br />
configure snmpv3 add filter subtree type 57<br />
configure snmpv3 add filter-profile param 57<br />
configure snmpv3 add group user 54<br />
configure snmpv3 add mib-view 55<br />
configure snmpv3 add mib-view subtree 55<br />
configure snmpv3 add notify tag 58<br />
configure snmpv3 add target-addr param ipaddress 56<br />
configure snmpv3 add target-params 52<br />
configure snmpv3 add user 53<br />
configure snmpv3 delete access 54<br />
configure snmpv3 delete filter 57<br />
configure snmpv3 delete filter-profile 58<br />
configure snmpv3 delete group user 54<br />
configure snmpv3 delete mib-view 56<br />
configure snmpv3 delete notify 58<br />
configure snmpv3 delete target-addr 56<br />
configure snmpv3 delete target-params 57<br />
configure snmpv3 delete user 53<br />
configure snmpv3 engine-boots 53<br />
configure snmpv3 engine-id 53<br />
configure snmpv3 target-params user mp-model 57<br />
configure sntp-client 61<br />
468 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index of Comm<strong>and</strong>s<br />
configure sntp-client update-interval 61<br />
configure ssh2 key 33, 222<br />
configure ssh2 key pregenerated 223<br />
configure ssl certificate pregenerated 177<br />
configure ssl certificate prikeylen country organization<br />
common-name 176<br />
configure ssl privkey pregenerated 177<br />
configure stpd add vlan 281<br />
configure stpd mode 266<br />
configure stpd port link-type 273<br />
configure syslog 139<br />
configure sys-recovery-level 34, 128<br />
configure tacacs server client-ip 218<br />
configure tacacs server timeout 219<br />
configure tacacs shared-secret 218, 219<br />
configure tacacs-accounting server client-ip 218<br />
configure tacacs-accounting server timeout 219<br />
configure time 34<br />
configure timezone 34, 59, 60<br />
configure vlan add elrp-poll ports 302<br />
configure vlan add esrp elrp-poll ports 303<br />
configure vlan add ports no-restart 295, 312<br />
configure vlan add ports restart 295, 312<br />
configure vlan add track-diagnostic failover 292<br />
configure vlan add track-iproute 292, 309<br />
configure vlan add track-ospf 293<br />
configure vlan add track-ping 293, 309<br />
configure vlan add track-route 292<br />
configure vlan add track-vlan 292, 309<br />
configure vlan delete esrp elrp-poll ports 302<br />
configure vlan delete track-ospf 293<br />
configure vlan delete track-route 292<br />
configure vlan delete track-vlan 292, 309<br />
configure vlan esrp elrp-master-poll enable 302<br />
configure vlan esrp elrp-premaster-poll disable 302<br />
configure vlan esrp elrp-premaster-poll enable 302<br />
configure vlan esrp esrp-election 292<br />
configure vlan esrp esrp-premaster-timeout 290<br />
configure vlan esrp group add esrp-aware-ports 298<br />
configure vlan esrp group delete esrp-aware-ports 299<br />
configure vlan esrp priority 291<br />
configure vlan ipaddress 44, 324<br />
configure vlan ipaddress{ 42<br />
configure vlan ipadress 34<br />
configure vlan name 91<br />
configure vlan netlogin-lease-timer 165<br />
configure vlan priority 111<br />
configure wireless country-code 361, 375<br />
configure wireless default-gateway 376<br />
configure wireless management-vlan 376<br />
configure wireless port interface ap-scan added-trap<br />
368<br />
configure wireless ports antenna-location 361<br />
configure wireless ports client-scan removed-trap 370<br />
configure wireless ports detected-station-timeout 375<br />
configure wireless ports force-disassociation 378<br />
configure wireless ports health-check 378<br />
configure wireless ports interface ap-scan off-channel<br />
367<br />
configure wireless ports interface ap-scan off-channel<br />
max-wait 368<br />
configure wireless ports interface ap-scan off-channel<br />
min-wait 368<br />
configure wireless ports interface ap-scan probe-interval<br />
368<br />
configure wireless ports interface ap-scan removed-trap<br />
368<br />
configure wireless ports interface ap-scan results size<br />
368<br />
configure wireless ports interface ap-scan results timeout<br />
368<br />
configure wireless ports interface ap-scan send-probe<br />
368<br />
configure wireless ports interface ap-scan updated-trap<br />
368<br />
configure wireless ports interface channel 379<br />
configure wireless ports interface client-history size<br />
374<br />
configure wireless ports interface client-history timeout<br />
374<br />
configure wireless ports interface client-scan added-trap<br />
370<br />
configure wireless ports interface client-scan results<br />
size 370<br />
configure wireless ports interface client-scan results<br />
timeout 370<br />
configure wireless ports interface max-clients 379<br />
configure wireless ports interface power-level 379<br />
configure wireless ports interface rf-profile 379<br />
configure wireless ports interface security-profile 379<br />
configure wireless ports interface transmit-rate 379<br />
configure wireless ports interface wireless-bridging<br />
361<br />
configure wireless ports location 378<br />
create access-list 145, 148<br />
create access-mask 144, 148<br />
create account 34, 37<br />
create eaps 251<br />
create eaps shared-port 261<br />
create fdbentry vlan blackhole 109<br />
create fdbentry vlan dynamic 100, 109<br />
create fdbentry vlan ports 100, 108<br />
create log filter 132<br />
create ospf area 337<br />
create protocol 89<br />
create rate-limit 146, 148<br />
create rf-profile copy 363<br />
create rf-profile mode 363<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 469
Index of Comm<strong>and</strong>s<br />
create security-profile 174<br />
create stpd 281<br />
create vlan 34<br />
D<br />
delete access-list 145, 148<br />
delete access-mask 144, 148<br />
delete account 34, 38<br />
delete eaps 252<br />
delete eaps shared-port 261, 262<br />
delete fdbentry 153<br />
delete rate-limit 148<br />
delete rf-profile 364<br />
delete security-profile 174<br />
delete vlan 34<br />
disable arp-learning 210<br />
disable arp-learning ports 210<br />
disable arp-learning vlan 210<br />
disable arp-learning vlan port 210<br />
disable bootp vlan 34<br />
disable cli-config-logging 34, 140<br />
disable clipaging 34<br />
disable cpu-dos-protect 204<br />
disable dhcp ports vlan 165<br />
disable eapol-flooding 63<br />
disable eaps 255<br />
disable edp ports 76<br />
disable enhanced-dos-protect 206, 208<br />
disable idletimeouts 34<br />
disable inline-power 392<br />
disable inline-power ports 395<br />
disable inline-power slots 392<br />
disable ipforwarding 216, 322<br />
disable ipforwarding ignore-broadcast 322<br />
disable learning ports 99<br />
disable log debug-mode 240<br />
disable log display 139<br />
disable log target 129, 139<br />
disable nat 123<br />
disable netlogin 166<br />
disable netlogin logout-privilege 166<br />
disable netlogin ports vlan 166<br />
disable netlogin session-refresh 166<br />
disable ospf capability opaque-lsa 336<br />
disable ospf export 321<br />
disable ospf export rip 341<br />
disable ospf export static 341<br />
disable pim 351<br />
disable ports 34, 66<br />
disable radius 212<br />
disable radius-accounting 212<br />
disable rip export 341<br />
disable rip exportstatic 321<br />
disable rip poisonreverse 333<br />
disable rip splithorizon 333<br />
disable rip triggerupdate 334<br />
disable rmon 142<br />
disable sharing 73, 74<br />
disable smartredundancy 79<br />
disable snmp access 46<br />
disable snmp access {snmp-v1v2c} 47<br />
disable snmp traps mac-security 49, 154<br />
disable snmp traps port-up-down ports 48<br />
disable ssh2 34<br />
disable stpd rapid-root-failover 267<br />
disable telnet 34, 46<br />
disable udp-echo-server 330<br />
disable web 34<br />
disable web http 175<br />
disable web https 175<br />
disable wireless pors interface client-scan 370<br />
disable wireless ports 377<br />
disable wireless ports cancel-scheduler 377<br />
disable wireless ports every 377<br />
disable wireless ports interface 378<br />
disable wireless ports interface ap-scan 367<br />
disable wireless ports interface ap-scan off-channel 367<br />
disable wireless ports interface client-history 373<br />
disable wireless ports interface iapp 380<br />
disable wireless ports interface svp 381<br />
disable wireless ports time 377<br />
download bootrom 38, 231<br />
download configuration 38, 95, 230<br />
download configuration cancel 231<br />
download configuration every 95, 231<br />
download image 38<br />
download ssl certificate 176<br />
download ssl privkey 177<br />
E<br />
enable arp-learning 210<br />
enable arp-learning ports 210<br />
enable arp-learning vlan port 210<br />
enable bootp vlan 34, 43<br />
enable bootprelay 43, 327<br />
enable cli-config-logging 34, 140<br />
enable clipaging 35<br />
enable cpu-dos-protect 203, 206<br />
enable cpu-dos-protect simulated 205<br />
enable dhcp ports vlan 165<br />
enable diffserv examination ports 112<br />
enable eapol-flooding 63<br />
enable eaps 255<br />
enable edp ports 76<br />
enable enhanced-dos-protect 206, 208<br />
enable idletimeouts 35<br />
enable inline-power 392<br />
enable inline-power ports 395<br />
470 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index of Comm<strong>and</strong>s<br />
enable inline-power slots 392<br />
enable ipforwarding 322, 324<br />
enable ipforwarding ignore-broadcast 322<br />
enable ipmcforwarding 354<br />
enable jumbo-frame ports 69<br />
enable license 35<br />
enable log debug-mode 138, 240<br />
enable log display 139<br />
enable log target 129, 136, 139<br />
enable log target session 136<br />
enable mirroring to port tagged 75<br />
enable nat 120<br />
enable netlogin 166<br />
enable netlogin logout-privilege 166<br />
enable netlogin session-refresh 166<br />
enable ospf 324<br />
enable ospf capability opaque-lsa 336<br />
enable ospf export rip 341<br />
enable ospf export static 321, 341<br />
enable pim 351, 354<br />
enable ports 66<br />
enable radius 212<br />
enable radius-accounting 212<br />
enable rip 324<br />
enable rip export 341<br />
enable rip exportstatic 321<br />
enable rip poisonreverse 333<br />
enable rip splithorizon 333<br />
enable rip triggerupdate 334<br />
enable rmon 142<br />
enable route sharing 322<br />
enable sharing grouping 73, 74<br />
enable smartredundancy 79<br />
enable snmp access 46<br />
enable snmp traps 48<br />
enable snmp traps exceed-committed-rate ports 48<br />
enable snmp traps mac-security 49, 154<br />
enable sntp-client 61<br />
enable ssh2 35, 222<br />
enable stpd 281<br />
enable stpd rapid-root-failver 267<br />
enable telnet 35, 45, 46<br />
enable udp-echo-server 330<br />
enable web 35<br />
enable web http 175<br />
enable web http access-porfile port 175<br />
enable web https 175<br />
enable web https access-profile port 175<br />
enable wireless ports 377<br />
enable wireless ports every 377<br />
enable wireless ports interface 378<br />
enable wireless ports interface ap-scan 367<br />
enable wireless ports interface ap-scan off-channel 367<br />
enable wireless ports interface client-history 373<br />
enable wireless ports interface client-scan 370<br />
enable wireless ports interface iapp 380<br />
enable wireless ports interface svp 381<br />
enable wireless ports time 377<br />
H<br />
history 33, 35<br />
I<br />
interfaces<br />
configuring 378<br />
enabling 378<br />
L<br />
logout 45<br />
M<br />
mrinfo 354<br />
mtrace 354<br />
N<br />
nslookup 38<br />
P<br />
ping 36, 38, 39<br />
ports<br />
disabling wireless 377<br />
enabling wireless 377<br />
Q<br />
quit 45<br />
R<br />
reboot 228<br />
reset inline-power ports 386, 395<br />
reset inline-power slot 390<br />
reset wireless ports 378<br />
reset wireless ports interface 380<br />
resetting wireless port properties 378<br />
run diagnostics 241<br />
S<br />
save configuration 45, 228<br />
scp2 224<br />
show access-list 145, 149<br />
show access-mask 144, 149<br />
show accounts 37<br />
show arp-learning vlan port 210<br />
show banner 35<br />
show configuration 68<br />
show cpu-dos-protect 204<br />
show debug-trace 240, 241<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 471
Index of Comm<strong>and</strong>s<br />
show debug-trace vlan 241<br />
show eapol-flooding 63<br />
show eaps 256<br />
show eaps shared-port 262<br />
show eaps summary 255<br />
show edp 77<br />
show elrp 303<br />
show enhanced-dos-protect 207, 208, 209<br />
show esrp 293, 299<br />
show esrp vlan 300<br />
show esrp-aware vlan 288, 300<br />
show esrp-aware-ports 299<br />
show fdb 100, 101<br />
show fdb permanent 109, 114<br />
show igmp snooping filter 353<br />
show igmp snooping static group 353<br />
show inline-power 393<br />
show inline-power configuration port 397<br />
show inline-power configuration slot 393<br />
show inline-power info 385, 398<br />
show inline-power info port 388<br />
show inline-power stats ports 385, 396<br />
show inline-power stats slot 394<br />
show iparp 325<br />
show ipconfig 325, 328<br />
show ipfdb 322, 325<br />
show iproute 325<br />
show log 137<br />
show log components 131<br />
show log configuration filter 133<br />
show log configuration target 130<br />
show log counters 137<br />
show log events 131<br />
show management 45, 49, 175, 216<br />
show nat 118<br />
show nat rules 122<br />
show netlogin 167<br />
show netlogin vlan 165<br />
show ospf 341, 345<br />
show ospf area 345<br />
show ospf interfaces 345<br />
show ospf lsdb 345<br />
show ospf lsdb area lstype 345<br />
show pim 352<br />
show ports configuration 235<br />
show ports info 68, 113<br />
show ports info detail 154<br />
show ports qosmonitor 114<br />
show ports rxerrors 127<br />
show ports sharing 74<br />
show ports stats 126<br />
show ports txerrors 126<br />
show qosprofile 109, 114<br />
show radius 219, 220<br />
show radius-accounting 219, 220<br />
show rate-limit 149<br />
show rf-profile 365<br />
show security-profile 174<br />
show session 45, 175<br />
show sharing address-based 72<br />
show snmpv3 access 54<br />
show snmpv3 filter 57<br />
show snmpv3 filter-profile 57<br />
show snmpv3 group 54<br />
show snmpv3 mib-view 56<br />
show snmpv3 notify 58<br />
show snmpv3 target-addr 56<br />
show snmpv3 target-params 57<br />
show snmpv3 user 53<br />
show sntp client 61<br />
show ssl 176<br />
show stpd 268, 283<br />
show stpd ports 273, 284<br />
show switch 60, 61, 95, 114, 216, 226, 227, 231, 241, 328<br />
show tacacs 219, 220<br />
show tacacs-accounting 219, 220<br />
show version 226, 227<br />
show vlan 93, 114, 164, 239, 299<br />
show vlan dhcp-address-allocation 165<br />
show vlan security 154<br />
show vlan stpd 284<br />
show vrrp 309<br />
show wireless ap-scan results 369<br />
show wireless ap-scan results mac_address 369<br />
show wireless configuration 363<br />
show wireless ports interface ap-scan configuration<br />
369<br />
show wireless ports interface ap-scan status 369<br />
show wireless ports interface client-history configuration<br />
374<br />
show wireless ports interface client-history diagnostics<br />
374<br />
show wireless ports interface client-history mac-layer<br />
374<br />
show wireless ports interface client-history status 374<br />
show wireless ports interface clients 167, 373<br />
show wireless ports interface client-scan configuration<br />
371<br />
show wireless ports interface client-scan results 371<br />
show wireless ports interface client-scan results<br />
mac-address 371<br />
show wireless ports interface client-scan status 371<br />
show wireless ports interface configuration 363<br />
show wireless ports interface rf-status 362<br />
show wireless ports interface security-status 362<br />
show wireless ports interface stats 363<br />
show wireless ports interface status 363<br />
show wireless ports log 380<br />
472 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>
Index of Comm<strong>and</strong>s<br />
ssh2 224<br />
T<br />
telnet 38, 43<br />
traceroute 38, 39<br />
U<br />
unconfig inline-power detection ports 395<br />
unconfig inline-power operator-limit ports 387<br />
unconfig inline-power reserved-budget ports 395<br />
unconfig inline-power usage-threshold 393<br />
unconfigure auth mgmt-access 221<br />
unconfigure auth netlogin 221<br />
unconfigure bootprelay dhcp-agent information check<br />
328<br />
unconfigure bootprelay dhcp-agent information option<br />
328<br />
unconfigure bootprelay dhcp-agent information policy<br />
328<br />
unconfigure cpu-dos-protect 203<br />
unconfigure eaps primary port 255<br />
unconfigure eaps secondary port 255<br />
unconfigure eaps shared-port link-id 262<br />
unconfigure eaps shared-port mode 262<br />
unconfigure enhanced-dos-protect rate-limit 207, 208<br />
unconfigure inline-power violation-precedence ports<br />
387<br />
unconfigure inline-power-supply 390<br />
unconfigure port redundant 79<br />
unconfigure switch 35, 229<br />
upload configuration 38, 229, 230<br />
upload configuration cancel 229<br />
upload log 137<br />
use configuration 229<br />
use image 226<br />
W<br />
wireless<br />
interfaces, configuring 378<br />
interfaces, enabling 378<br />
ports, enabling 377<br />
reset port properties 378<br />
<strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong> 473
Index of Comm<strong>and</strong>s<br />
474 <strong><strong>Extreme</strong>Ware</strong> <strong>7.3e</strong> <strong>User</strong> <strong>Guide</strong>