ExtremeXOS® Concepts Guide

Software Version 15.2
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: August 2012
Part number: 120782-00 Rev. 01
AccessAdapt, Alpine, Altitude, BlackDiamond, Direct Attach, EPICenter, ExtremeWorks Essentials, Ethernet
Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router
Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme
Solution, ExtremeXOS ScreenPlay, ReachNXT, Ridgeline, Sentriant, ServiceWatch, Summit, SummitStack, Triumph,
Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine
logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS
logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States
and/or other countries.
sFlow is the property of InMon Corporation.
Specifications are subject to change without notice.
All other registered trademarks, trademarks, and service marks are property of their respective owners.
© 2012 Extreme Networks, Inc. All Rights Reserved.
Contents
Preface
  Introduction
    Terminology
  Conventions
    Platform-Dependent Conventions
    Text Conventions
  Related Publications
    Using ExtremeXOS Publications Online
PART 1: USING EXTREMEXOS
Chapter 1: Getting Started
  Overview
  Software Required
  Logging In to the Switch
  Understanding the Command Syntax
    Syntax Helper
    Object Names
    Abbreviated Syntax
    Command Shortcuts
    Symbols
    Limits
  Port Numbering
    Stand-alone Switch Numerical Ranges
    Modular Switch and SummitStack Numerical Ranges
    Stacking Port Numerical Ranges
  Line-Editing Keys
  Command History
  Common Commands
  Accessing the Switch for the First Time
    Safe Defaults Setup Method
  Configuring Management Access
    Account Access Levels
    Configuring Banners
    Startup Screen and Prompt Text
    Default Accounts
    Creating a Management Account
    Failsafe Accounts
  Managing Passwords
    Applying a Password to the Default Account
    Applying Security to Passwords
    Displaying Passwords
  Access to Both MSM/MM Console Ports—Modular Switches Only
  Access to an Active Node in a SummitStack
  Domain Name Service Client Services
  Checking Basic Connectivity
    Ping
    Traceroute
  Displaying Switch Information
    Filtering the Output of Show Commands
Chapter 2: Managing the Switch
  Overview
  Understanding the ExtremeXOS Shell
  Using the Console Interface
  Using the 10/100 Ethernet Management Port
  Using Ridgeline to Manage the Network
  Authenticating Users
    RADIUS Client
    TACACS+
    Management Accounts
  Using Telnet
    About the Telnet Client
    About the Telnet Server
    Connecting to Another Host Using Telnet
    Configuring Switch IP Parameters
    Configuring Telnet Access to the Switch
    Disconnecting a Telnet Session
    Access Profile Logging for Telnet
  Using Secure Shell 2
    SSH2 Overview
    Access Profile Logging for SSH2
  Using the Trivial File Transfer Protocol
    Connecting to Another Host Using TFTP
  Understanding System Redundancy—Modular Switches and SummitStack Only
    Node Election
    Replicating Data Between Nodes
    Viewing Node Status
  Understanding Hitless Failover Support—Modular Switches and SummitStack Only
    Protocol Support for Hitless Failover
    Platform Support for Hitless Failover
    Hitless Failover Caveats
  Understanding Power Supply Management
    Using Power Supplies—Modular Switches Only
    Using Power Supplies—Summit Family Switches Only
    Using Power Supplies - SummitStack Only
    Displaying Power Supply Information
  Using Motion Detectors
  Using the Network Time Protocol
    Limitations
    NTP Server/Client
    NTP Peer Support
    NTP Local Clock Support
    NTP Broadcast Server Support
    NTP Broadcast Client Support
    NTP Authentication
    NTP Configuration Example
  Using the Simple Network Management Protocol
    Enabling and Disabling SNMPv1/v2c and SNMPv3
    Accessing Switch Agents
    Supported MIBs
    Configuring SNMPv1/v2c Settings
    Displaying SNMP Settings
    SNMPv3
    Message Processing
    SNMPv3 Security
    SNMPv3 MIB Access Control
    SNMPv3 Notification
    Access Profile Logging for SNMP
  Using the Simple Network Time Protocol
    Configuring and Using SNTP
    SNTP Example
  Using Auto Provision of Edge Switches
    Auto-provisioning Process
    Auto-provisioning Configuration
  Access Profile Logging for HTTP/HTTPS
Chapter 3: Managing the ExtremeXOS Software
  Overview
  Using the ExtremeXOS File System
    Moving or Renaming Files on the Switch
    Copying Files on the Switch
    Displaying Files on the Switch
    Transferring Files to and from the Switch
    Deleting Files from the Switch
  Managing the Configuration File
  Managing ExtremeXOS Processes
    Displaying Process Information
    Stopping a Process
    Starting a Process
  Understanding Memory Protection
Chapter 4: Configuring Stacked Switches
  Overview
    SummitStack Terms
    SummitStack Compatible Switches
    SummitStack Topologies
    Stack Depth
    Understanding Stack Configuration Parameters, Configuration Files, and Port Numbering
    Understanding Stacking Link Overcommitment
    About Stack Logging Messages
    About QoS in Stacking
    About Power Management and Power Over Ethernet on Stacking
    About Stacking Node Roles, Redundancy, and Failover
    About the Failsafe Account on SummitStack Nodes
  Logging into a Stack
    Logging in Through the Console Port
    Logging in from the Management Network
    Logging Into a Node From Another Node
  Stack Configuration Guidelines
    General Stack Configuration Guidelines
    Summit X460 Stack Configuration Guidelines
    Summit X480 Stack Configuration Guidelines
    Summit X650 Stack Configuration Guidelines
    Summit X670 Stack Configuration Guidelines
  Configuring a New Stack
    About Easy Setup
    Configuration Procedure
    Example: Deploying a New Stack
  Converting a Standalone Node Deployment to a Stack
  Stack Configuration Tasks
    Enabling and Disabling Stacking Support for Summit X650 and X670 Switches
    Using Ethernet Ports for Stacking (SummitStack-V)
    Configuring Stacking Port Operation with the VIM3-40G4X Option Card
    Configuring Stacking Port Operation with the VIM4-40G4X Option Card
    Selecting the Stacking Protocol
    Enabling the Stack
    Verifying the Configuration
    Setting the Command Prompt
    Configuring Slot Numbers
    Configuring the Master, Backup, and Standby Roles
    Assigning a MAC Address for the Stack
    Configuring Master-Capability
    Configuring an Alternate IP Address and Gateway
    Configuring the Failsafe Account on a Stack
    Disabling Stacking
    Saving the Configuration
  Managing an Operating Stack
    Managing Licenses on a Stack
    Stacking LEDs
    Viewing the Alternate IP Address
    Viewing Stacking Port Statistics
    Adding a Node to a Stack
    Replacing a Node with the Same Switch Type
    Replacing a Node with a Different Switch Type
    Merging Two Stacks
    Upgrading ExtremeXOS on a Stack
    Upgrading SummitStack Option Cards
    Dismantling a Stack
    Removing a Node from a Stack
    Rebooting a Stack
  Troubleshooting a Stack
    Managing a Dual Master Situation
    Setting Traps for Stacking
    Connecting to a Stack with No Master
    Rescuing a Stack That Has No Master-Capable Node
  FAQs on the SummitStack Feature
Chapter 5: Configuring Slots and Ports on a Switch
  Overview
  Configuring Slots on Modular Switches
  Configuring Ports on a Switch
    Port Numbering
    Enabling and Disabling Switch Ports
    Configuring Switch Port Speed and Duplex Setting
    Partitioning 40G Ports
    Flow Control
    IPFIX
    WAN PHY OAM
    Configuring Switching Mode—Cut-through Switching
    SyncE
    TDM PWE and TDM Timing
  Using the Precision Time Protocol
    Overview of PTP
    Supported PTP Features
    Limitations of PTP
Configuring and Displaying PTP Clocks and Data Sets................................................................................271
PTP Configuration Example ..........................................................................................................................275
DWDM Optics Support ..................................................................................................................................279
Jumbo Frames .....................................................................................................................................................280
Guidelines for Jumbo Frames .......................................................................................................................280
Enabling Jumbo Frames per Port .................................................................................................................281
Enabling Jumbo Frames ...............................................................................................................................281
Path MTU Discovery .....................................................................................................................................281
IP Fragmentation with Jumbo Frames ..........................................................................................................282
IP Fragmentation within a VLAN ...................................................................................................................282
Link Aggregation on the Switch ............................................................................................................................283
Link Aggregation Overview ...........................................................................................................................284
Link Aggregation and Software-Controlled Redundant Ports........................................................................285
Dynamic Versus Static Load Sharing............................................................................................................285
Load-Sharing Algorithms...............................................................................................................................285
LACP .............................................................................................................................................................288
Health Check Link Aggregation.....................................................................................................................291
Guidelines for Load Sharing..........................................................................................................................292
Configuring Switch Load Sharing ..................................................................................................................294
Load-Sharing Examples ................................................................................................................................297
Displaying Switch Load Sharing....................................................................................................................298
MLAG ...................................................................................................................................................................299
Overview .......................................................................................................................................................299
Limitations and Requirements.......................................................................................................................301
Configuring MLAGs .......................................................................................................................................304
Displaying Information...................................................................................................................................304
Example of MLAG Configuration...................................................................................................................305
Mirroring ...............................................................................................................................................................308
Guidelines for Mirroring .................................................................................................................................309
Mirroring Rules and Restrictions ...................................................................................................................311
Mirroring Examples .......................................................................................................................................312
Verifying the Mirroring Configuration.............................................................................................................313
Remote Mirroring..................................................................................................................................................313
Configuration Details .....................................................................................................................................314
Guidelines .....................................................................................................................................................315
Use of Remote Mirroring with Redundancy Protocols...................................................................................316
Remote Mirroring with EAPS.........................................................................................................................316
Extreme Discovery Protocol .................................................................................................................................319
Software-Controlled Redundant Port and Smart Redundancy.............................................................................320
Guidelines for Software-Controlled Redundant Ports and Port Groups ........................................................321
Configuring Software-Controlled Redundant Ports .......................................................................................321
Verifying Software-Controlled Redundant Port Configurations .....................................................................323
Configuring Automatic Failover for Combination Ports.........................................................................................323
Displaying Port Information ..................................................................................................................................324
DDMI .............................................................................................................................................................324
Chapter 6: Universal Port ......................................................................................................................327
Overview ..............................................................................................................................................................327
Profile Types .................................................................................................................................................328
Dynamic Profile Trigger Types ......................................................................................................................330
How Device Detect Profiles Work .................................................................................................................333
How User Authentication Profiles Work ........................................................................................................334
Profile Configuration Guidelines....................................................................................................................334
Collecting Information from Supplicants........................................................................................................339
Supplicant Configuration Parameters ...........................................................................................................341
Universal Port Configuration Overview .........................................................................................................341
Using Universal Port in an LDAP or Active Directory Environment...............................................................343
Configuring Universal Port Profiles and Triggers .................................................................................................343
Creating and Configuring New Profiles .........................................................................................................345
Editing an Existing Profile .............................................................................................................................345
Configuring a Device Event Trigger ..............................................................................................................345
Configuring a User Login or Logout Event Trigger........................................................................................346
Configuring a Universal Port Timer ...............................................................................................................346
Configuring a Timer Trigger ..........................................................................................................................346
Creating an EMS Event Filter........................................................................................................................346
Configuring an EMS Event Trigger ...............................................................................................................347
Enabling and Disabling an EMS Event Trigger .............................................................................................347
Unconfiguring a Timer ...................................................................................................................................347
Managing Profiles and Triggers............................................................................................................................347
Manually Executing a Static or Dynamic Profile............................................................................................348
Displaying a Profile .......................................................................................................................................348
Displaying Timers..........................................................................................................................................348
Displaying Universal Port Events ..................................................................................................................348
Displaying Profile History ..............................................................................................................................348
Verifying a Universal Port Profile...................................................................................................................349
Handling Profile Execution Errors .................................................................................................................349
Disabling and Enabling a Profile ...................................................................................................................349
Deleting a Profile ...........................................................................................................................................350
Deleting a Timer ............................................................................................................................................350
Deleting an EMS Event Trigger.....................................................................................................................350
Sample Universal Port Configurations..................................................................................................................350
Sample MAC Tracking Profile .......................................................................................................................350
Universal Port Handset Provisioning Module Profiles ...................................................................................356
Sample Static Profiles ...................................................................................................................................360
Sample Configuration with Device-Triggered Profiles...................................................................................363
Sample Configuration with User-Triggered Profiles ......................................................................................365
Sample Timer-Triggered Profile ....................................................................................................................368
Sample Profile with QoS Support..................................................................................................................368
Sample Event Profile.....................................................................................................................................369
Sample Configuration for Generic VoIP LLDP ..............................................................................................371
Sample Configuration for Generic VoIP 802.1x ............................................................................................372
Sample Configuration for Avaya VoIP 802.1x ...............................................................................................373
Sample Configuration for a Video Camera....................................................................................................375
Chapter 7: Using CLI Scripting .............................................................................................................377
Overview ..............................................................................................................................................................377
Setting Up Scripts.................................................................................................................................................377
Enabling and Disabling CLI Scripting ............................................................................................................378
Creating Scripts.............................................................................................................................................378
Using Script Variables ...................................................................................................................................379
Using Special Characters in Scripts ..............................................................................................................381
Using Operators ............................................................................................................................................381
Using Control Structures in Scripts ...............................................................................................................382
Using Built-In Functions ................................................................................................................................383
Controlling Script Configuration Persistence.................................................................................................384
Saving, Retrieving, and Deleting Session Variables .....................................................................................384
Nesting Scripts ..............................................................................................................................................384
Executing Scripts ..........................................................................................................................................385
Configuring Error Handling............................................................................................................................385
Aborting a Script............................................................................................................................................385
Displaying CLI Scripting Information ....................................................................................................................386
Viewing CLI Scripting Status .........................................................................................................................386
Viewing CLI Scripting Variables ....................................................................................................................387
Controlling CLI Script Output ........................................................................................................................387
CLI Scripting Examples ........................................................................................................................................387
Chapter 8: LLDP .....................................................................................................................................389
Overview ..............................................................................................................................................................389
Supported Advertisements (TLVs) ................................................................................................................390
LLDP Packets ...............................................................................................................................................393
Transmitting LLDP Messages .......................................................................................................................394
Receiving LLDP Messages ...........................................................................................................................394
LLDP Management .......................................................................................................................................395
Configuring and Managing LLDP .........................................................................................................................395
Configuration Overview .................................................................................................................................396
Enabling and Disabling LLDP .......................................................................................................................396
Configuring LLDP Timers ..............................................................................................................................397
Configuring SNMP for LLDP .........................................................................................................................397
Configuring Optional TLV Advertisements ....................................................................................................398
Clearing LLDP Neighbor Entries ...................................................................................................................404
Unconfiguring LLDP ......................................................................................................................................404
Displaying LLDP Information ................................................................................................................................404
Displaying LLDP Port Configuration Information and Statistics ....................................................................405
Displaying LLDP Information Collected from Neighbors ...............................................................................405
Chapter 9: OAM ......................................................................................................................................407
CFM......................................................................................................................................................................407
Overview .......................................................................................................................................................408
Ping and Traceroute......................................................................................................................................412
Supported Instances for CFM .......................................................................................................................412
Configuring CFM ...........................................................................................................................................413
Displaying CFM .............................................................................................................................................418
CFM Example ...............................................................................................................................................418
Y.1731—Compliant Performance Monitoring .......................................................................................................419
Frame-Delay Measurement...........................................................................................................................419
Frame-Loss Measurement ............................................................................................................................423
Configuring a CFM Segment.........................................................................................................................425
Clearing CFM Information .............................................................................................................................428
EFM OAM—Unidirectional Link Fault Management.............................................................................................430
Summit X450a Series Switches Only............................................................................................................430
Unidirectional Link Fault Management ..........................................................................................................430
Configuring Unidirectional Link Fault Management.......................................................................................432
Bidirectional Forwarding Detection (BFD) ............................................................................................................432
Overview .......................................................................................................................................................432
Limitations .....................................................................................................................................................435
Configuring BFD............................................................................................................................................435
Displaying BFD Information ..........................................................................................................................435
Clearing BFD Information..............................................................................................................................436
Chapter 10: PoE......................................................................................................................................437
Overview ..............................................................................................................................................................437
Extreme Networks PoE Devices...........................................................................................................................438
Summary of PoE Features ...................................................................................................................................439
Power Checking for PoE Module..........................................................................................................................439
Power Delivery .....................................................................................................................................................440
Enabling PoE to the Switch ...........................................................................................................................440
Power Reserve Budget .................................................................................................................................440
PD Disconnect Precedence ..........................................................................................................................441
Port Disconnect or Fault................................................................................................................................442
Port Power Cycling........................................................................................................................................443
PoE Usage Threshold ...................................................................................................................................443
Legacy Devices .............................................................................................................................................443
PoE Operator Limits ......................................................................................................................................443
Configuring PoE ...................................................................................................................................................444
Enabling Inline Power ...................................................................................................................................444
Reserving Power ...........................................................................................................................................445
Setting the Disconnect Precedence ..............................................................................................................446
Configuring the Usage Threshold .................................................................................................................447
Configuring the Switch to Detect Legacy PDs...............................................................................................448
Configuring the Operator Limit ......................................................................................................................448
Configuring PoE Port Labels .........................................................................................................................449
Power Cycling Connected PDs .....................................................................................................................449
Adding an S-PoE Daughter Card to an Existing Configuration .....................................................................449
Displaying PoE Settings and Statistics.................................................................................................................451
Clearing Statistics .........................................................................................................................................451
Displaying System Power Information...........................................................................................................451
Displaying Slot PoE Information on Modular Switches .................................................................................452
Displaying PoE Status and Statistics on Stand-alone Switches....................................................................453
Displaying Port PoE Information ...................................................................................................................453
Chapter 11: Status Monitoring and Statistics......................................................................................457
Overview ..............................................................................................................................................................457
Viewing Port Statistics ..........................................................................................................................................458
Viewing Port Errors ..............................................................................................................................................459
Using the Port Monitoring Display Keys ...............................................................................................................460
Viewing VLAN Statistics .......................................................................................................................................461
Configuring VLAN Statistics ..........................................................................................................................461
Guidelines and Limitations ............................................................................................................................462
Performing Switch Diagnostics.............................................................................................................................462
Running Diagnostics .....................................................................................................................................463
Observing LED Behavior During a Diagnostic Test ......................................................................................465
Displaying Diagnostic Test Results ...............................................................................................................469
Using the System Health Checker........................................................................................................................469
Understanding the System Health Checker ..................................................................................................469
Enabling Diagnostic Packets on the Switch—Modular Switches Only..........................................................470
Configuring Diagnostic Packets on the Switch—Modular Switches Only .....................................................471
Disabling Diagnostic Packets on the Switch—Modular Switches Only .........................................................471
Displaying the System Health Check Setting—All Platforms ........................................................................471
System Health Check Examples: Diagnostics—Modular Switches Only ......................................................472
Setting the System Recovery Level......................................................................................................................473
Configuring Software Recovery ....................................................................................................................473
Configuring Hardware Recovery—SummitStack and Summit Family Switches Only...................................474
Configuring Module Recovery—Modular Switches Only...............................................................................476
Using ELSM .........................................................................................................................................................482
About ELSM ..................................................................................................................................................482
ELSM Hello Messages ..................................................................................................................................482
ELSM Port States..........................................................................................................................................484
Link States ....................................................................................................................................................484
ELSM Link States..........................................................................................................................................485
ELSM Timers ................................................................................................................................................486
Configuring ELSM on a Switch .....................................................................................................................487
Displaying ELSM Information ........................................................................................................................489
Using ELSM with Layer 2 Control Protocols .................................................................................................491
ELSM Configuration Example .......................................................................................................................493
Viewing Fan Information.......................................................................................................................................494
Viewing the System Temperature ........................................................................................................................494
System Temperature Output .........................................................................................................................495
Power Supply Temperature—Modular Switches Only ..................................................................................496
Using the Event Management System/Logging ...................................................................................................496
Sending Event Messages to Log Targets .....................................................................................................497
Filtering Events Sent to Targets ....................................................................................................................498
Displaying Real-Time Log Messages............................................................................................................506
Displaying Event Logs...................................................................................................................................506
Uploading Event Logs ...................................................................................................................................506
Displaying Counts of Event Occurrences......................................................................................................507
Displaying Debug Information .......................................................................................................................508
Logging Configuration Changes....................................................................................................................509
Using the XML Notification Client .........................................................................................................................509
Introduction ...................................................................................................................................................509
HTTP Client Interface....................................................................................................................................509
Configuring XML Notification.........................................................................................................................510
Displaying XML Notification ..........................................................................................................................510
Configuring Log Target in EMS .....................................................................................................................511
Examples ......................................................................................................................................................511
Using sFlow ..........................................................................................................................................................512
Sampling Mechanisms ..................................................................................................................................513
Configuring sFlow .........................................................................................................................................513
Additional sFlow Configuration Options ........................................................................................................515
sFlow Configuration Example .......................................................................................................................516
Displaying sFlow Information ........................................................................................................................517
Using RMON ........................................................................................................................................................517
About RMON .................................................................................................................................................517
Supported RMON Groups of the Switch .......................................................................................................518
Configuring RMON ........................................................................................................................................520
Event Actions ................................................................................................................................................521
Displaying RMON Information.......................................................................................................................521
SMON ...........................................................................................................................................................521
Monitoring CPU Utilization....................................................................................................................................521
Disabling CPU Monitoring .............................................................................................................................522
Enabling CPU Monitoring ..............................................................................................................................522
Displaying CPU Utilization History ................................................................................................................522
Chapter 12: VLANs .................................................................................................................................525
Overview ..............................................................................................................................................................525
Benefits .........................................................................................................................................................526
Virtual Routers and VLANs ...........................................................................................................................526
Types of VLANs ............................................................................................................................................526
Default VLAN ................................................................................................................................................532
VLAN Names ................................................................................................................................................533
Configuring VLANs on the Switch ........................................................................................................................533
VLAN Configuration Overview ......................................................................................................................533
Creating and Deleting VLANs .......................................................................................................................534
Managing a VLAN IP Address ......................................................................................................................534
Configuring a VLAN Tag ...............................................................................................................................535
Adding and Removing Ports from a VLAN ....................................................................................................535
Adding and Removing VLAN Descriptions....................................................................................................535
Renaming a VLAN ........................................................................................................................................535
Enabling and Disabling VLANs .....................................................................................................................535
VLAN Configuration Examples......................................................................................................................536
Displaying VLAN Information................................................................................................................................537
Private VLANs ......................................................................................................................................................538
PVLAN Overview ..........................................................................................................................................538
Configuring PVLANs .....................................................................................................................................546
Displaying PVLAN Information ......................................................................................................................550
PVLAN Configuration Example 1 ..................................................................................................................551
PVLAN Configuration Example 2 ..................................................................................................................553
VLAN Translation .................................................................................................................................................556
VLAN Translation Behavior ...........................................................................................................................557
VLAN Translation Limitations ........................................................................................................................558
Configuring Translation VLANs .....................................................................................................................559
Displaying Translation VLAN Information......................................................................................................559
VLAN Translation Configuration Examples ...................................................................................................560
Chapter 13: VMAN (PBN) and PBBN.....................................................................................................567
Overview ..............................................................................................................................................................567
VMANs ..........................................................................................................................................................567
PBBNs...........................................................................................................................................................572
VMAN Configuration Options and Features ..................................................................................................575
Configuration ........................................................................................................................................................578
Configuring VMANs (PBNs) ..........................................................................................................................578
Configuring VMAN Options ...........................................................................................................................580
Displaying Information ..........................................................................................................................................582
Displaying VMAN Information .......................................................................................................................583
Configuration Examples .......................................................................................................................................583
VMAN Example, BlackDiamond 8810...........................................................................................................584
VMAN CEP Example ....................................................................................................................................585
LAG Port Selection Example.........................................................................................................................586
Multiple VMAN Ethertype Example ...............................................................................................................587
Tag Translation Example Using ACLs Only ..................................................................................................588
1:N Flooding Examples .................................................................................................................................589
PBBN Example .............................................................................................................................................591
Chapter 14: FDB .....................................................................................................................................593
Overview ..............................................................................................................................................................593
FDB Contents................................................................................................................................................593
How FDB Entries Get Added ........................................................................................................................594
FDB Entry Types ...........................................................................................................................................594
Managing the FDB ...............................................................................................................................................596
Increasing the FDB Table Size .....................................................................................................................596
Adding a Permanent Unicast Static Entry .....................................................................................................596
Adding a Permanent Multicast Static Entry ...................................................................................................597
Configuring the FDB Aging Time ..................................................................................................................598
Adding Virtual MAC Entries from IP ARP Packets ........................................................................................598
Managing Reports of Duplicate MAC Addresses for Static Entries...............................................................598
Clearing FDB Entries ....................................................................................................................................599
Supporting Remote Mirroring ........................................................................................................................599
Displaying FDB Entries and Statistics ..................................................................................................................600
Displaying FDB Entries .................................................................................................................................600
Displaying FDB Statistics ..............................................................................................................................600
MAC-Based Security ............................................................................................................................................600
Managing MAC Address Learning ................................................................................................................601
Managing Egress Flooding ...........................................................................................................................602
Displaying Learning and Flooding Settings ...................................................................................................603
Creating Blackhole FDB Entries....................................................................................................................603
Managing MAC Address Tracking........................................................................................................................604
Adding and Deleting MAC Addresses for Tracking .......................................................................................605
Enabling and Disabling MAC Address Tracking on Ports .............................................................................605
Enabling and Disabling SNMP Traps for MAC Address Changes ................................................................605
Configuring Automatic Responses to MAC Tracking Events ........................................................................605
Displaying the Tracked MAC Addresses and Tracking Statistics..................................................................605
Clearing the Tracking Statistics Counters .....................................................................................................605
Chapter 15: Data Center Solutions .......................................................................................................607
Overview ..............................................................................................................................................................607
Introduction to Data Center Bridging .............................................................................................................607
Introduction to the XNV Feature....................................................................................................................614
Introduction to the Direct Attach Feature ......................................................................................................616
Managing the DCBX Feature ...............................................................................................................................616
Enabling DCBX on Switch Ports ...................................................................................................................617
Configuring DCBX Application Priority Instances..........................................................................................617
Displaying DCBX Configuration and Statistics ..............................................................................................617
DCBX Configuration Example .......................................................................................................................617
Managing the XNV Feature, VM Tracking............................................................................................................618
Limitations .....................................................................................................................................................618
Managing VM Tracking on the Switch...........................................................................................................618
Managing VM Tracking on Specific Ports .....................................................................................................619
Configuring the Authentication Method and Sequence .................................................................................619
Managing the Repository Server...................................................................................................................619
Managing NMS Server Authentication ..........................................................................................................623
Managing Network Authentication (Using the VMMAP File) .........................................................................624
Managing Local Database Authentication.....................................................................................................624
Example XNV Configuration .........................................................................................................................625
Managing Direct Attach to Support VEPA ............................................................................................................635
Managing the FIP Snooping Feature ...................................................................................................................635
Introduction to FIP Snooping.........................................................................................................................636
Extreme’s Implementation of FIP Snooping ..................................................................................................636
Example FIP Snooping Configuration ...........................................................................................................636
Chapter 16: Virtual Routers ...................................................................................................................639
Overview ..............................................................................................................................................................639
Types of Virtual Routers................................................................................................................................640
VR Configuration Context .............................................................................................................................641
Managing Virtual Routers .....................................................................................................................................642
Creating and Deleting User Virtual Routers ..................................................................................................643
Creating and Deleting VRFs .........................................................................................................................643
Enabling and Disabling VRFs .......................................................................................................................644
Configuring and Removing a VR Description................................................................................................644
Changing the VR Context .............................................................................................................................644
Adding and Deleting Routing Protocols ........................................................................................................644
Configuring Ports to Use One or More Virtual Routers .................................................................................645
Displaying Ports and Protocols .....................................................................................................................646
Configuring the Routing Protocols and VLANs .............................................................................................646
Virtual Router Configuration Example ..................................................................................................................647
Chapter 17: Policy Manager ..................................................................................................................649
Overview ..............................................................................................................................................................649
Creating and Editing Policies ...............................................................................................................................649
Using the Edit Command ..............................................................................................................................650
Using a Separate Machine ............................................................................................................................650
Checking Policies ..........................................................................................................................................651
Refreshing Policies .......................................................................................................................................651
Applying Policies ..................................................................................................................................................652
Applying ACL Policies ...................................................................................................................................652
Applying Routing Policies..............................................................................................................................652
Chapter 18: ACLs ...................................................................................................................................655
Overview ..............................................................................................................................................................655
ACL Rule Syntax ..................................................................................................................................................656
Matching All Egress Packets.........................................................................................................................657
Comments and Descriptions in ACL Policy Files ..........................................................................................658
Types of Rule Entries ....................................................................................................................................659
Match Conditions ..........................................................................................................................................659
Actions ..........................................................................................................................................................659
Action Modifiers.............................................................................................................................................660
ACL Rule Syntax Details ...............................................................................................................................662
Layer-2 Protocol Tunneling ACLs.........................................................................................................................669
ACL Byte Counters...............................................................................................................................................670
Dynamic ACLs......................................................................................................................................................671
Creating the Dynamic ACL Rule ...................................................................................................................671
Configuring the ACL Rule on the Interface ...................................................................................................672
Configuring ACL Priority................................................................................................................................673
Network-Zone Support in ACLs ....................................................................................................................677
ACL Evaluation Precedence ................................................................................................................................682
Precedence for BlackDiamond X8 Series Switches, BlackDiamond 8800 Series Switches and Summit Family Switches ........................................................................................................................................................682
Applying ACL Policy Files.....................................................................................................................................684
Displaying and Clearing ACL Counters.........................................................................................................685
Example ACL Rule Entries............................................................................................................................685
ACL Mechanisms .................................................................................................................................................688
ACL Slices and Rules ...................................................................................................................................688
ACL Counters—Shared and Dedicated ........................................................................................................704
External TCAM ACLs ....................................................................................................................................705
Policy-Based Routing ...........................................................................................................................................706
Layer 3 Policy-Based Redirect ......................................................................................................................707
Layer 2 Policy-Based Redirect ......................................................................................................................708
LAG Port Selection........................................................................................................................................710
Policy-Based Redirection Redundancy .........................................................................................................711
ACL Troubleshooting............................................................................................................................................714
Chapter 19: Routing Policies.................................................................................................................717
Overview ..............................................................................................................................................................717
Routing Policy File Syntax....................................................................................................................................718
Policy Match Type .........................................................................................................................................719
Policy Match Conditions ................................................................................................................................719
Policy Action Statements ..............................................................................................................................721
Applying Routing Policies .....................................................................................................................................722
Policy Examples ...................................................................................................................................................723
Translating an access profile to a policy .......................................................................................................723
Translating a Route Map to a Policy .............................................................................................................725
Chapter 20: QoS .....................................................................................................................................727
Overview ..............................................................................................................................................................727
Applications and Types of QoS .....................................................................................................................729
Traffic Groups ...............................................................................................................................................731
Introduction to Rate Limiting, Rate Shaping, and Scheduling .......................................................................735
Introduction to WRED ...................................................................................................................................738
Meters ...........................................................................................................................................................739
QoS Profiles ..................................................................................................................................................740
Multicast Traffic Queues ...............................................................................................................................743
Egress Port Rate Limiting and Rate Shaping................................................................................................743
Configuring QoS ...................................................................................................................................................743
Platform Configuration Procedures ...............................................................................................................743
Selecting the QoS Scheduling Method .........................................................................................................745
Configuring 802.1p or DSCP Replacement...................................................................................................746
Configuring Egress QoS Profile Rate Shaping..............................................................................................749
Configuring Egress Port Rate Limits .............................................................................................................751
Configuring Traffic Groups ............................................................................................................................752
Creating and Managing Meters .....................................................................................................................755
Adjusting the Byte Count Used to Calculate Traffic Rates ............................................................................756
Controlling Flooding, Multicast, and Broadcast Traffic on Ingress Ports.......................................................756
Displaying QoS Configuration and Performance..................................................................................................757
Displaying Traffic Group Configuration Data.................................................................................................757
Displaying Performance Statistics.................................................................................................................757
Chapter 21: Network Login....................................................................................................................761
Overview ..............................................................................................................................................................761
Web-Based, MAC-Based, and 802.1x Authentication...................................................................................765
Multiple Supplicant Support ..........................................................................................................................767
Campus and ISP Modes ...............................................................................................................................767
Network Login and Hitless Failover...............................................................................................................768
Configuring Network Login ...................................................................................................................................769
Enabling or Disabling Network Login on the Switch......................................................................................769
Enabling or Disabling Network Login on a Specific Port ...............................................................................770
Configuring the Move Fail Action ..................................................................................................................770
Displaying Network Login Settings................................................................................................................770
Exclusions and Limitations ............................................................................................................................771
Authenticating Users ............................................................................................................................................771
Local Database Authentication.............................................................................................................................772
Creating a Local Network Login Account—User Name and Password Only ................................................772
Specifying a Destination VLAN .....................................................................................................................773
Modifying an Existing Local Network Login Account.....................................................................................774
Displaying Local Network Login Accounts ....................................................................................................775
Deleting a Local Network Login Account ......................................................................................................776
802.1x Authentication ...........................................................................................................................................776
Interoperability Requirements .......................................................................................................................776
Enabling and Disabling 802.1x Network Login..............................................................................................777
802.1x Network Login Configuration Example ..............................................................................................777
Configuring Guest VLANs .............................................................................................................................778
Post-authentication VLAN Movement ...........................................................................................................781
802.1x Authentication and Network Access Protection.................................................................................782
Web-Based Authentication ...................................................................................................................................786
Enabling and Disabling Web-Based Network Login......................................................................................786
Configuring the Base URL ............................................................................................................................786
Configuring the Redirect Page ......................................................................................................................787
Configuring Proxy Ports ................................................................................................................................787
Configuring Session Refresh ........................................................................................................................787
Configuring Logout Privilege .........................................................................................................................788
Configuring the Login Page...........................................................................................................................788
Customizable Authentication Failure Response............................................................................................790
Customizable Graphical Image in Logout Popup Window ............................................................................790
Web-Based Network Login Configuration Example ......................................................................................791
Web-Based Authentication User Login .........................................................................................................792
MAC-Based Authentication ..................................................................................................................................794
Enabling and Disabling MAC-Based Network Login .....................................................................................795
Associating a MAC Address to a Specific Port..............................................................................................795
Adding and Deleting MAC Addresses ...........................................................................................................795
Displaying the MAC Address List ..................................................................................................................796
Configuring Reauthentication Period ............................................................................................................796
Secure MAC Configuration Example.............................................................................................................796
MAC-Based Network Login Configuration Example......................................................................................797
Additional Network Login Configuration Details ...................................................................................................798
Configuring Network Login MAC-Based VLANs ...........................................................................................798
Configuring Dynamic VLANs for Network Login............................................................................................800
Configuring Network Login Port Restart........................................................................................................802
Authentication Failure and Services Unavailable Handling...........................................................................803
Chapter 22: Identity Management .........................................................................................................807
Overview ..............................................................................................................................................................807
Identity Information Capture ..........................................................................................................................808
Identity Names ..............................................................................................................................................809
Application of ACLs and Policies for Identities ..............................................................................................810
Switch Configuration Changes in Response to Identity Management Events ..............................................822
Identity Management Feature Limitations ............................................................................................................822
Configuring Identity Management ........................................................................................................................822
Basic Identity Management Feature Configuration .......................................................................................823
Enabling and Disabling SNMP Traps ............................................................................................................825
Adding and Deleting Entries in the Blacklist and Whitelist ............................................................................825
Configuring Kerberos Snooping ....................................................................................................................827
Configuring Default and User-Defined Roles ................................................................................................828
Managing the Identity Management Feature........................................................................................................831
Clearing the Identity Management Counters.................................................................................................831
Refreshing the Role Selection for Users .......................................................................................................831
Enabling/Disabling Snooping Identities .........................................................................................................831
Displaying Identity Management Information .......................................................................................................832
Displaying Database Entries .........................................................................................................................832
Displaying Configuration Information ............................................................................................................832
Displaying Statistics ......................................................................................................................................832
Chapter 23: Security...............................................................................................................................833
Overview ..............................................................................................................................................................833
Safe Defaults Mode ..............................................................................................................................................835
MAC Security .......................................................................................................................................................835
Limiting Dynamic MAC Addresses ................................................................................................................836
MAC Address Lockdown ...............................................................................................................................838
MAC Address Lockdown with Timeout..........................................................................................................839
DHCP Server........................................................................................................................................................844
Enabling and Disabling DHCP ......................................................................................................................844
Configuring the DHCP Server .......................................................................................................................844
Displaying DHCP Information........................................................................................................................845
IP Security ............................................................................................................................................................845
DHCP Snooping and Trusted DHCP Server .................................................................................................846
Source IP Lockdown .....................................................................................................................................853
ARP Learning ................................................................................................................................................855
Gratuitous ARP Protection ............................................................................................................................857
ARP Validation ..............................................................................................................................................859
Denial of Service Protection .................................................................................................................................860
Configuring Simulated Denial of Service Protection......................................................................................861
Configuring Denial of Service Protection.......................................................................................................861
Protocol Anomaly Protection .........................................................................................................................862
Flood Rate Limitation ....................................................................................................................................862
Authenticating Management Sessions Through the Local Database...................................................................863
Authenticating Management Sessions Through a TACACS+ Server ..................................................................863
Configuring the TACACS+ Client for Authentication and Authorization ........................................................864
Configuring the TACACS+ Client for Accounting ..........................................................................................866
Authenticating Management Sessions Through a RADIUS Server......................................................................869
How Extreme Switches Work with RADIUS Servers.....................................................................................869
Configuration Overview for Authenticating Management Sessions ..............................................................871
Authenticating Network Login Users Through a RADIUS Server.........................................................................871
How Network Login Authentication Differs from Management Session Authentication ................................872
Configuration Overview for Authenticating Network Login Users..................................................................872
Configuring the RADIUS Client ............................................................................................................................872
Configuring the RADIUS Client for Authentication and Authorization ...........................................................873
Configuring the RADIUS Client for Accounting .............................................................................................874
RADIUS Server Configuration Guidelines ............................................................................................................876
Configuring User Authentication (Users File) ................................................................................................876
Configuring the Dictionary File ......................................................................................................................885
Configuring Command Authorization (RADIUS Profiles) ..............................................................................886
Additional RADIUS Configuration Examples.................................................................................................888
Implementation Notes for Specific RADIUS Servers.....................................................................................892
Setting Up Open LDAP .................................................................................................................................894
Configuring a Windows XP Supplicant for 802.1x Authentication ........................................................................899
Hypertext Transfer Protocol.................................................................................................................................899
Secure Shell 2 ......................................................................................................................................................900
Enabling SSH2 for Inbound Switch Access ..................................................................................................900
Viewing SSH2 Information ............................................................................................................................902
Using ACLs to Control SSH2 Access............................................................................................................903
Using SCP2 from an External SSH2 Client...................................................................................................905
Understanding the SSH2 Client Functions on the Switch .............................................................................906
Using SFTP from an External SSH2 Client ...................................................................................................906
Secure Socket Layer ............................................................................................................................................908
Enabling and Disabling SSL..........................................................................................................................909
Creating Certificates and Private Keys..........................................................................................................909
Displaying SSL Information ...........................................................................................................................911
Chapter 24: CLEAR-Flow .......................................................................................................................913
Overview ..............................................................................................................................................................913
Configuring CLEAR-Flow .....................................................................................................................................914
Displaying CLEAR-Flow Configuration and Activity ......................................................................................914
Adding CLEAR-Flow Rules to ACLs.....................................................................................................................915
CLEAR-Flow Rule Match Type .....................................................................................................................916
CLEAR-Flow Rule Match Conditions ............................................................................................................916
CLEAR-Flow Rule Actions ............................................................................................................................922
CLEAR-Flow Rule Examples................................................................................................................................927
Count Expression Example ...........................................................................................................................927
Delta Expression Example ............................................................................................................................927
Ratio Expression Example ............................................................................................................................928
Delta-Ratio Expression Example...................................................................................................................929
PART 2: USING SWITCHING AND ROUTING PROTOCOLS
Chapter 25: EAPS ...................................................................................................................................933
Overview ..............................................................................................................................................................933
EAPS Benefits...............................................................................................................................................934
EAPS Single Ring Topology .........................................................................................................................934
EAPS Multiple Ring Topology .......................................................................................................................939
Fast Convergence .........................................................................................................................................949
EAPS and Hitless Failover—Modular Switches and SummitStack Only.......................................................949
EAPS Licensing ............................................................................................................................................950
Configuring EAPS ................................................................................................................................................950
Single Ring Configuration Tasks ...................................................................................................................950
Common Link Topology Configuration Tasks ...............................................................................................957
Clearing the EAPS Counters.........................................................................................................................960
Displaying EAPS Information ...............................................................................................................................960
Displaying Single Ring Status and Configuration Information.......................................................................960
Displaying Domain Counter Information........................................................................................................960
Displaying Common Link Status and Configuration Information ...................................................................961
Displaying Common Link Counter Information..............................................................................................961
Configuration Examples .......................................................................................................................................961
Migrating from STP to EAPS.........................................................................................................................962
Designing and Implementing a Highly Resilient Enterprise Network Using EAPS........................................965
Example EAPS and PBB Configuration ........................................................................................................989
CFM Support in EAPS ..................................................................................................................................994
Chapter 26: ERPS ...................................................................................................................................999
Overview ..............................................................................................................................................................999
Supported ERPS Features .................................................................................................................................1001
Configuring ERPS ..............................................................................................................................................1001
ERPS Version 1 Commands .......................................................................................................................1001
ERPS Version 2 Commands .......................................................................................................................1003
Sample Configuration .........................................................................................................................................1003
CFM Down-MEP Configuration to Provide Link Monitoring/Notifications....................................................1004
Sub-ring Configuration ................................................................................................................................1004
Virtual Channel for Sub-ring ........................................................................................................................1005
Debugging ERPS ...............................................................................................................................................1005
Deferred ERPS Features ...................................................................................................................................1005
Chapter 27: STP.................................................................................................................................... 1007
Overview ............................................................................................................................................................1007
Compatibility Between IEEE 802.1D-1998 and IEEE 802.1D-2004 STP Bridges.......................................1008
BPDU Restrict on Edge Safeguard .............................................................................................................1012
Spanning Tree Domains.....................................................................................................................................1014
Member VLANs ...........................................................................................................................................1015
STPD Modes ...............................................................................................................................................1016
Encapsulation Modes ..................................................................................................................................1017
STP States ..................................................................................................................................................1018
Binding Ports ...............................................................................................................................................1019
Rapid Root Failover ....................................................................................................................................1021
STPD BPDU Tunneling ...............................................................................................................................1021
STP and Hitless Failover—Modular Switches Only ....................................................................................1023
STP Configurations ............................................................................................................................................1024
Basic STP Configuration .............................................................................................................................1025
Multiple STPDs on a Port ............................................................................................................................1027
VLANs Spanning Multiple STPDs ...............................................................................................................1027
EMISTP Deployment Constraints................................................................................................................1028
Per VLAN Spanning Tree ...................................................................................................................................1030
STPD VLAN Mapping .................................................................................................................................1030
Native VLAN................................................................................................................................................1030
Rapid Spanning Tree Protocol ...........................................................................................................................1030
RSTP Concepts ..........................................................................................................................................1031
RSTP Operation ..........................................................................................................................................1035
Multiple Spanning Tree Protocol ........................................................................................................................1042
MSTP Concepts ..........................................................................................................................................1042
MSTP Operation .........................................................................................................................................1050
STP and Network Login .....................................................................................................................................1053
STP Rules and Restrictions................................................................................................................................1054
Configuring STP on the Switch ..........................................................................................................................1055
STP FDB Flush Criteria...............................................................................................................................1056
Displaying STP Settings .....................................................................................................................................1057
STP Configuration Examples .............................................................................................................................1058
Basic 802.1D Configuration Example .........................................................................................................1058
EMISTP Configuration Example .................................................................................................................1059
RSTP 802.1w Configuration Example.........................................................................................................1060
MSTP Configuration Example .....................................................................................................................1062
Chapter 28: ESRP ................................................................................................................................. 1065
Overview ............................................................................................................................................................1065
ESRP Master Election.................................................................................................................................1067
ESRP Domains ...........................................................................................................................................1071
ESRP Groups..............................................................................................................................................1072
ESRP Extended Mode Features .................................................................................................................1073
Linking ESRP Switches...............................................................................................................................1075
ESRP and Hitless Failover ..........................................................................................................................1075
ESRP-Aware Switches................................................................................................................................1076
ExtremeWare Compatibility.........................................................................................................................1077
Configuring ESRP ..............................................................................................................................................1077
Guidelines ...................................................................................................................................................1078
Configuration Overview ...............................................................................................................................1078
Creating and Deleting an ESRP Domain ....................................................................................................1079
Configuring the ESRP Domain ID ...............................................................................................................1079
Adding and Deleting a Master VLAN ..........................................................................................................1079
Adding and Deleting a Member VLAN ........................................................................................................1080
Enabling and Disabling an ESRP Domain ..................................................................................................1080
Configuring ESRP-Aware Switches ............................................................................................................1080
Configuring Interoperability with ExtremeWare ...........................................................................................1081
Operation with Other ExtremeXOS Features .....................................................................................................1081
ESRP and IP Multinetting............................................................................................................................1082
ESRP and STP ...........................................................................................................................................1082
ESRP and VRRP ........................................................................................................................................1082
ESRP Groups and Host Attach ...................................................................................................................1082
Port Configurations and ESRP....................................................................................................................1082
Using ELRP with ESRP ..............................................................................................................................1082
Advanced ESRP Features .................................................................................................................................1085
ESRP Tracking............................................................................................................................................1085
ESRP Port Restart ......................................................................................................................................1088
ESRP Host Attach .......................................................................................................................................1089
ESRP Port Weight and Don’t Count............................................................................................................1090
Selective Forwarding...................................................................................................................................1090
Displaying ESRP Information .............................................................................................................................1091
ESRP Configuration Examples...........................................................................................................................1092
Single Domain Using Layer 2 and Layer 3 Redundancy.............................................................................1092
Multiple Domains Using Layer 2 and Layer 3 Redundancy ........................................................................1093
ESRP Over IPv6 Configuration Example ....................................................................................................1095
Chapter 29: VRRP................................................................................................................................. 1097
Overview ............................................................................................................................................................1097
VRRP Master Election ................................................................................................................................1100
VRRP Master Preemption ...........................................................................................................................1100
VRRP Tracking ...........................................................................................................................................1101
VRRP Address Support for IPv4 .................................................................................................................1102
VRRP Address Support for IPv6 .................................................................................................................1102
VRRPv3 Interoperation with VRRPv2 .........................................................................................................1103
VRRP Guidelines ........................................................................................................................................1103
VRRP and Hitless Failover..........................................................................................................................1104
Configuring VRRP ..............................................................................................................................................1105
Configuration Overview ...............................................................................................................................1105
Creating and Deleting VRRP Router Instances ..........................................................................................1106
Adding and Deleting VRRP Router IP Addresses.......................................................................................1106
Adding an IPv6 Link Local Address to a VRRP Router...............................................................................1106
Configuring the VRRP Router Advertisement Interval ................................................................................1106
Configuring VRRP Router Authentication ...................................................................................................1107
Configuring Master Preemption ..................................................................................................................1107
Configuring VRRP Router Priority ...............................................................................................................1107
Configuring the Accept Mode ......................................................................................................................1107
Configuring VRRP Version Support ............................................................................................................1107
Configuring VRRP Tracking ........................................................................................................................1108
Managing VRRP.................................................................................................................................................1108
Enabling and Disabling VRRP and VRRP Router Instances ......................................................................1109
Clearing VRRP Counters ............................................................................................................................1109
Displaying VRRP Information .............................................................................................................................1109
Displaying VRRP Router Information ..........................................................................................................1109
Displaying VRRP Router Information and Statistics for VLANs ..................................................................1109
Displaying VRRP Tracking Information .......................................................................................................1109
VRRP Configuration Examples ..........................................................................................................................1109
Simple VRRP Network Example .................................................................................................................1110
VRRP Load Sharing Example .....................................................................................................................1110
VRRP Tracking ...........................................................................................................................................1111
Chapter 30: MPLS................................................................................................................................. 1113
Overview ............................................................................................................................................................1113
How MPLS Works .......................................................................................................................................1114
MPLS Terms and Acronyms .......................................................................................................................1115
LDP Support................................................................................................................................................1116
MPLS Routing .............................................................................................................................................1118
Layer 2 VPN over MPLS Overview (VPLS and VPWS) ..............................................................................1124
H-VPLS Overview .......................................................................................................................................1129
Protected VPLS and H-VPLS with ESRP Redundancy Overview ..............................................................1134
VPLS STP Redundancy Overview ..............................................................................................................1138
VPLS EAPS Redundancy Overview ...........................................................................................................1140
RSVP-TE Overview.....................................................................................................................................1143
Supporting Quality of Service Features ......................................................................................................1157
Propagation of IP TTL .................................................................................................................................1157
Configuring MPLS ..............................................................................................................................................1157
Configuration Overview ...............................................................................................................................1158
Selecting the Enhanced Protocol ................................................................................................................1158
Moving MPLS From VR to VR.....................................................................................................................1159
Configuring the MPLS LSR ID ....................................................................................................................1159
Adding MPLS Support to VLANs ................................................................................................................1159
Enabling and Disabling MPLS on an LSR...................................................................................................1160
Enabling and Disabling MPLS on a VLAN ..................................................................................................1160
Enabling LDP on the Switch........................................................................................................................1160
Enabling and Disabling LDP on a VLAN .....................................................................................................1161
Creating Static LSPs ...................................................................................................................................1161
Configuring Penultimate Hop Popping ........................................................................................................1163
Configuring QoS Mappings .........................................................................................................................1163
Mapping Dot1p to EXP Bits.........................................................................................................................1164
Enabling and Disabling LDP Loop Detection ..............................................................................................1165
Configuring an LDP Label Advertisement Filter ..........................................................................................1165
Configuring LDP Session Timers ................................................................................................................1166
Clearing LDP Protocol Counters .................................................................................................................1167
Resetting MPLS Configuration Parameter Values ......................................................................................1167
Managing the MPLS BFD Client .................................................................................................................1167
Displaying MPLS Configuration Information.......................................................................................................1168
Displaying MPLS Basic Configuration Information......................................................................................1169
Displaying LDP Basic Configuration Information.........................................................................................1169
Displaying MPLS Interface Information .......................................................................................................1170
Displaying LDP Interface Information..........................................................................................................1170
Displaying MPLS Label Information ............................................................................................................1171
Displaying MPLS Label Mapping Information .............................................................................................1171
Displaying MPLS QoS Mapping Information ...............................................................................................1172
Displaying LDP Peer Session Information ..................................................................................................1172
Displaying LDP Protocol Counters ..............................................................................................................1173
Displaying LDP LSP Forwarding Database.................................................................................................1173
Displaying RSVP-TE LSP Configuration Information ..................................................................................1174
Displaying the RSVP-TE Paths ...................................................................................................................1175
Displaying the RSVP-TE Path Profile..........................................................................................................1175
Displaying the RSVP-TE LSP .....................................................................................................................1175
MPLS Configuration Example ............................................................................................................................1175
Configuring MPLS Layer-2 VPNs (VPLS and VPWS)........................................................................................1178
Configuring MPLS for Establishing Layer 2 VPN Instances........................................................................1178
Creating or Deleting a Layer 2 VPN Domain...............................................................................................1178
Enabling or Disabling a Layer 2 VPN Domain.............................................................................................1179
Adding or Deleting a Layer 2 VPN Peer......................................................................................................1179
Adding or Deleting a Layer 2 VPN Service .................................................................................................1180
Enabling or Disabling a Layer 2 VPN Service .............................................................................................1180
Managing Layer 2 VPN Packet Forwarding Options...................................................................................1180
Configuring the Layer 2 VPN MTU..............................................................................................................1181
Managing VPLS Redundancy Options........................................................................................................1181
Displaying Layer 2 VPN Status ...................................................................................................................1182
Displaying Layer 2 VPN Statistics ...............................................................................................................1182
Managing Layer 2 VPN SNMP Traps..........................................................................................................1182
VPLS VPN Configuration Examples...................................................................................................................1182
Basic Point-to-Point VPLS Configuration Example .....................................................................................1182
Multipoint Full Mesh VPLS Configuration Example.....................................................................................1183
VPLS with Redundant EAPS Configuration Example .................................................................................1185
Configuring H-VPLS ...........................................................................................................................................1186
Configuring H-VPLS Spoke Nodes .............................................................................................................1186
Configuring H-VPLS Core Nodes................................................................................................................1186
Configuring the MAC Address Withdrawal Feature.....................................................................................1187
Displaying H-VPLS Configuration Information ............................................................................................1187
Configuring Protected VPLS ..............................................................................................................................1187
Configuring RSVP-TE ........................................................................................................................................1187
Enabling and Disabling RSVP-TE on the Switch ........................................................................................1188
Enabling and Disabling RSVP-TE on a VLAN.............................................................................................1188
Configuring RSVP-TE Protocol Parameters................................................................................................1188
Creating or Deleting an RSVP-TE LSP .......................................................................................................1189
Creating an RSVP-TE Path.........................................................................................................................1189
Configuring an Explicit Route ......................................................................................................................1190
Reserving Bandwidth for MPLS ..................................................................................................................1191
Creating and Deleting an RSVP-TE Profile.................................................................................................1191
Configuring an RSVP-TE Profile .................................................................................................................1192
Adding a Path to an RSVP-TE LSP ............................................................................................................1192
Setting up Fast-Reroute Protection for an LSP ...........................................................................................1193
RSVP-TE Configuration Example.......................................................................................................................1194
Troubleshooting MPLS .......................................................................................................................................1197
Using LSP Ping ...........................................................................................................................................1197
Using LSP Trace .........................................................................................................................................1197
Using the Health Check VCCV Feature ......................................................................................................1198
Chapter 31: IPv4 Unicast Routing.......................................................................................................1199
Overview ............................................................................................................................................................1200
Router Interfaces.........................................................................................................................................1200
Populating the Routing Tables ....................................................................................................................1201
Hardware Routing Table Management .......................................................................................................1208
Configuring Unicast Routing...............................................................................................................................1217
Configuring Basic Unicast Routing..............................................................................................................1217
Adding a Default Route or Gateway............................................................................................................1218
Configuring Static Routes ...........................................................................................................................1218
Configuring the Relative Route Priority .......................................................................................................1218
Configuring Hardware Routing Table Usage...............................................................................................1218
Configuring IP Route Sharing .....................................................................................................................1219
Configuring Route Compression .................................................................................................................1219
Configuring Static Route Advertisement .....................................................................................................1220
Configuring Distributed IP ARP Mode .........................................................................................................1220
Displaying the Routing Configuration and Statistics...........................................................................................1221
Viewing IP Routes .......................................................................................................................................1221
Viewing the IP ARP Table ...........................................................................................................................1221
Viewing IP ARP Statistics ...........................................................................................................................1221
Viewing the IP Configuration for a VLAN ....................................................................................................1221
Viewing Compressed Routes ......................................................................................................................1221
Routing Configuration Example..........................................................................................................................1223
Duplicate Address Detection ..............................................................................................................................1224
DAD Overview.............................................................................................................................................1224
Guidelines and Limitations ..........................................................................................................................1226
Configuring DAD .........................................................................................................................................1227
Running a DAD Check ................................................................................................................................1227
Displaying DAD Configuration and Statistics ..............................................................................................1227
Clearing the DAD Counters.........................................................................................................................1227
Proxy ARP ..........................................................................................................................................................1227
ARP-Incapable Devices ..............................................................................................................................1227
Proxy ARP Between Subnets .....................................................................................................................1228
IPv4 Multinetting .................................................................................................................................................1228
Multinetting Topology ..................................................................................................................................1229
How Multinetting Affects Other Features.....................................................................................................1230
Configuring IPv4 Multinetting ......................................................................................................................1234
IP Multinetting Examples.............................................................................................................................1234
DHCP/BOOTP Relay..........................................................................................................................................1235
Managing DHCP/BOOTP Relay..................................................................................................................1235
Configuring DHCPv6 BOOTP Relay ...........................................................................................................1236
Configuring the DHCP Relay Agent Option (Option 82) at Layer 3.............................................................1236
Viewing the DHCP/BOOTP Relay Statistics and Configuration ..................................................................1238
Broadcast UDP Packet Forwarding....................................................................................................................1238
Configuring UDP Forwarding ......................................................................................................................1239
Configuring UDP Echo Server Support .......................................................................................................1241
IP Broadcast Handling........................................................................................................................................1241
IP Broadcast Handling Overview ................................................................................................................1241
VLAN Aggregation..............................................................................................................................................1242
VLAN Aggregation Properties .....................................................................................................................1243
VLAN Aggregation Limitations ....................................................................................................................1244
SubVLAN Address Range Checking...........................................................................................................1244
Isolation Option for Communication Between SubVLANs...........................................................................1244
VLAN Aggregation Example .......................................................................................................................1245
Verifying the VLAN Aggregation Configuration ...........................................................................................1245
Chapter 32: IPv6 Unicast Routing.......................................................................................................1247
Overview ............................................................................................................................................................1248
Router Interfaces.........................................................................................................................................1248
Tunnels .......................................................................................................................................................1249
Specifying IPv6 Addresses .........................................................................................................................1249
Neighbor Discovery Protocol ..............................................................................................................................1251
Managing Neighbor Discovery ....................................................................................................................1252
IPv6 Router Advertisement Options for DNS ..............................................................................................1253
IPv6 Router Advertisement Filtering............................................................................................................1254
Managing Duplicate Address Detection .............................................................................................................1255
DAD Overview.............................................................................................................................................1257
Configuring DAD .........................................................................................................................................1257
Populating the Routing Table ......................................................................................................................1258
Unique Local Address (ULA) for IPv6 .........................................................................................................1261
Managing IPv6 Unicast Routing .........................................................................................................................1261
Configuring Basic IP Unicast Routing .........................................................................................................1261
Managing Router Discovery ........................................................................................................................1262
Managing Tunnels.......................................................................................................................................1263
Verifying the IP Unicast Routing Configuration ...........................................................................................1264
Managing IPv6 Routes and Hosts in External Tables .................................................................................1264
Configuring Route Compression ........................................................................................................................1265
Hardware Forwarding Behavior..........................................................................................................................1265
Hardware Forwarding Limitations................................................................................................................1266
Hardware Tunnel Support ...........................................................................................................................1267
Routing Configuration Example..........................................................................................................................1267
Tunnel Configuration Examples .........................................................................................................................1269
6in4 Tunnel Configuration Example ............................................................................................................1269
6to4 Tunnel Configuration Example ............................................................................................................1271
Chapter 33: RIP..................................................................................................................................... 1275
Overview ............................................................................................................................................................1275
RIP Versus OSPF and IS-IS .......................................................................................................................1276
Advantages of RIP, OSPF, and IS-IS .........................................................................................................1276
Overview of RIP .................................................................................................................................................1276
Routing Table ..............................................................................................................................................1277
Split Horizon ................................................................................................................................................1277
Poison Reverse ...........................................................................................................................................1277
Triggered Updates ......................................................................................................................................1277
Route Advertisement of VLANs ..................................................................................................................1277
RIP Version 1 Versus RIP Version 2...........................................................................................................1277
Route Redistribution ...........................................................................................................................................1278
Configuring Route Redistribution ................................................................................................................1278
RIP Configuration Example ................................................................................................................................1279
Chapter 34: RIPng ................................................................................................................................ 1283
Overview ............................................................................................................................................................1283
RIPng Versus OSPFv3 and IS-IS ...............................................................................................................1284
Advantages of RIPng, OSPFv3, and IS-IS..................................................................................................1284
Overview of RIPng .............................................................................................................................................1284
Routing Table ..............................................................................................................................................1285
Split Horizon ................................................................................................................................................1285
Poison Reverse ...........................................................................................................................................1285
Triggered Updates ......................................................................................................................................1285
Route Advertisement of VLANs ..................................................................................................................1285
Route Redistribution ...........................................................................................................................................1285
Configuring Route Redistribution ................................................................................................................1286
RIPng Configuration Example ............................................................................................................................1286
Chapter 35: OSPF ................................................................................................................................. 1289
Overview ............................................................................................................................................................1289
OSPF Edge Mode .......................................................................................................................................1290
Link State Database ....................................................................................................................................1290
Graceful OSPF Restart ...............................................................................................................................1291
Areas ...........................................................................................................................................................1293
Point-to-Point Support .................................................................................................................................1295
Route Redistribution ...........................................................................................................................................1296
Configuring Route Redistribution ................................................................................................................1297
OSPF Timers and Authentication................................................................................................................1297
Configuring OSPF ..............................................................................................................................................1298
Configuring OSPF Wait Interval ..................................................................................................................1298
OSPF Wait Interval Parameters ..................................................................................................................1298
OSPF Configuration Example ............................................................................................................................1299
Configuration for ABR1 ...............................................................................................................................1300
Configuration for IR1 ...................................................................................................................................1300
Displaying OSPF Settings ..................................................................................................................................1301
Chapter 36: OSPFv3 ............................................................................................................................. 1303
Overview ............................................................................................................................................................1303
OSPFv3 Edge Mode ...................................................................................................................................1304
Link State Database ....................................................................................................................................1304
Areas ...........................................................................................................................................................1304
Link-Type Support .......................................................................................................................................1307
Route Redistribution ...........................................................................................................................................1307
Configuring Route Redistribution ................................................................................................................1308
OSPFv3 Timers...........................................................................................................................................1309
OSPFv3 Configuration Example.........................................................................................................................1309
Configuration for Router 1 ...........................................................................................................................1310
Configuration for Router 2 ...........................................................................................................................1310
Configuration for Router 3 ...........................................................................................................................1310
Chapter 37: IS-IS................................................................................................................................... 1311
Overview ............................................................................................................................................................1312
Establishing Adjacencies ............................................................................................................................1312
IS-IS Hierarchy ............................................................................................................................................1315
IS-IS and IP Routing ...................................................................................................................................1316
Authentication .............................................................................................................................................1316
Dynamic Hostname .....................................................................................................................................1316
Route Leaking .............................................................................................................................................1317
Metric Types................................................................................................................................................1317
IS-IS Restart................................................................................................................................................1317
IPv4 and IPv6 Topology Modes ..................................................................................................................1317
Route Redistribution ...........................................................................................................................................1318
Configuring Route Redistribution ................................................................................................................1319
Configuring IS-IS ................................................................................................................................................1320
Configuring L1 Routers ...............................................................................................................................1320
Configuring L1/L2 Routers ..........................................................................................................................1321
Configuring L2 Routers ...............................................................................................................................1322
Configuring IS-IS Timers .............................................................................................................................1322
Configuring the Graceful Restart Feature ...................................................................................................1323
Configuring Hello Padding ..........................................................................................................................1323
Configuring Interlevel Filters .......................................................................................................................1324
Configuring the Dynamic Hostname Feature ..............................................................................................1324
Configuring the Adjacency Check Feature..................................................................................................1324
Configuring an Import Policy .......................................................................................................................1325
Configuring the Multi-Topology Feature ......................................................................................................1325
Displaying IS-IS Information ...............................................................................................................................1325
Displaying General Information for Global IS-IS .........................................................................................1325
Displaying Router-Specific Information .......................................................................................................1325
Displaying Router Summary Addresses......................................................................................................1326
Displaying IS-IS Interface Information.........................................................................................................1326
Displaying Link State Database Information ...............................................................................................1326
Displaying IPv4 and IPv6 Topology Information..........................................................................................1326
Displaying IS-IS Neighbors .........................................................................................................................1326
Displaying IS-IS Counter Data ....................................................................................................................1326
Managing IS-IS...................................................................................................................................................1326
Configuring Password Security ...................................................................................................................1327
Managing Transit Traffic with the Overload Bit ...........................................................................................1327
Clearing the IS-IS Counters ........................................................................................................................1328
Originating an L2 Default Route ..................................................................................................................1328
Managing IP Summary Addresses..............................................................................................................1328
Managing an IS-IS Area Address................................................................................................................1329
Managing VLAN Interfaces .........................................................................................................................1329
Managing IS-IS Routers ..............................................................................................................................1331
Configuration Example .......................................................................................................................................1332
Chapter 38: BGP ................................................................................................................................... 1335
Overview ............................................................................................................................................................1335
BGP Four-Byte AS Numbers ......................................................................................................................1337
BGP Attributes ............................................................................................................................................1337
BGP Community Attributes .........................................................................................................................1338
Extended Community Attributes..................................................................................................................1338
Multiprotocol BGP .......................................................................................................................................1342
Route Reflectors .........................................................................................................................................1342
Route Confederations .................................................................................................................................1343
Inactive Route Advertisement .....................................................................................................................1343
Default Route Origination and Advertisement .............................................................................................1344
Using the Loopback Interface .....................................................................................................................1344
Looped AS_Path Attribute...........................................................................................................................1345
BGP Peer Groups .......................................................................................................................................1345
BGP Route Flap Dampening.......................................................................................................................1346
BGP Route Selection ..................................................................................................................................1346
Private AS Number Removal from Route Updates .....................................................................................1347
Route Redistribution....................................................................................................................................1347
BGP ECMP .................................................................................................................................................1347
BGP Static Network ....................................................................................................................................1348
Graceful BGP Restart .................................................................................................................................1348
Cease Subcodes .........................................................................................................................................1349
Fast External Fallover .................................................................................................................................1351
Capability Negotiation .................................................................................................................................1351
Route Refresh .............................................................................................................................................1352
Configuring BGP ................................................................................................................................................1353
Configuration Overview ...............................................................................................................................1353
Configuring BGP Router Settings ...............................................................................................................1354
Configuring BGP Neighbors ........................................................................................................................1356
Configuring BGP Peer Groups ....................................................................................................................1361
Creating and Deleting BGP Static Networks ...............................................................................................1362
Importing Routes from Other Protocols to BGP ..........................................................................................1362
Exporting BGP Routes to other Protocols ...................................................................................................1362
Configuring Route Aggregation ...................................................................................................................1363
Configuring Route Reflectors ......................................................................................................................1363
Configuring a Route Confederation.............................................................................................................1364
Managing BGP ...................................................................................................................................................1364
Enabling and Disabling BGP Neighbors .....................................................................................................1364
Enabling and Disabling a Peer Group .........................................................................................................1364
Enabling and Disabling BGP .......................................................................................................................1364
Refreshing BGP Routes ..............................................................................................................................1365
Reapplying a Policy.....................................................................................................................................1365
Clearing BGP Flap, Session, or Route Statistics ........................................................................................1365
Clearing BGP Neighbor Counters ...............................................................................................................1365
Displaying BGP Information ...............................................................................................................................1365
Displaying BGP Router Configuration and Route Statistics ........................................................................1365
Displaying Peer Group Configuration Information.......................................................................................1366
Displaying BGP Route Information .............................................................................................................1366
Displaying BGP Memory Usage..................................................................................................................1366
Configuration Examples .....................................................................................................................................1366
BGP IPv6 Example .....................................................................................................................................1367
Graceful BGP Restart Configuration Example for IPv4...............................................................................1371
Graceful BGP Restart Configuration Example for IPv6...............................................................................1372
Route Reflector Example for IPv4 ...............................................................................................................1372
Route Reflector Example for IPv6 ...............................................................................................................1374
Route Confederation Example for IPv4.......................................................................................................1377
Route Confederation Example for IPv6.......................................................................................................1379
Default Route Origination Example for IPv4................................................................................................1381
Default Route Origination Example for IPv6................................................................................................1382
BGP Speaker Black Hole Example .............................................................................................................1382
BGP Route Filtering Example for IPv4 ........................................................................................................1386
BGP Route Filtering Example for IPv6 ........................................................................................................1391
Route Aggregation Example for IPv4 .........................................................................................................1396
Route Aggregation Example for IPv6 ..........................................................................................................1398
Chapter 39: Multicast Routing and Switching ................................................................................... 1401
Overview ............................................................................................................................................................1402
Multicast Table Management .............................................................................................................................1402
IPv4 Multicast Route Table .........................................................................................................................1402
Support for Additional L3 Hash Table Entries .............................................................................................1403
Support for Additional IP Multicast Group Table Entries .............................................................................1403
Capacity Restrictions for Mixed Mode Installations.....................................................................................1404
PIM Overview .....................................................................................................................................................1404
PIM Edge Mode ..........................................................................................................................................1404
PIM Dense Mode ........................................................................................................................................1405
PIM Sparse Mode .......................................................................................................................................1406
PIM Mode Interoperation.............................................................................................................................1407
PIM Source Specific Multicast.....................................................................................................................1407
PIM Snooping..............................................................................................................................................1409
IGMP Overview ..................................................................................................................................................1411
IGMP Snooping ...........................................................................................................................................1411
Static IGMP .................................................................................................................................................1412
IGMP Snooping Filters ................................................................................................................................1413
Limiting the Number of Multicast Sessions on a Port..................................................................................1414
Enabling and Disabling IGMP Snooping Fast Leave ..................................................................................1414
Using IGMP-SSM Mapping .........................................................................................................................1414
Configuring IP Multicast Routing ........................................................................................................................1416
Enabling Multicast Forwarding ....................................................................................................................1416
Configuring PIM ..........................................................................................................................................1416
Configuring Multicast Static Routes ............................................................................................................1417
Configuring EAPS Support for Multicast Traffic ..........................................................................................1417
Disabling IP Multicast Compression............................................................................................................1418
PIM Configuration Examples.......................................................................................................................1418
Multicast VLAN Registration...............................................................................................................................1425
Basic MVR Deployment ..............................................................................................................................1426
Inter-Multicast VLAN Forwarding ................................................................................................................1429
MVR Configurations ....................................................................................................................................1430
Displaying Multicast Information.........................................................................................................................1436
Displaying the Multicast Routing Table .......................................................................................................1436
Displaying the Multicast Cache ...................................................................................................................1436
Looking Up a Multicast Route .....................................................................................................................1436
Looking Up the RPF for a Multicast Source ................................................................................................1436
Displaying the PIM Snooping Configuration................................................................................................1436
Troubleshooting PIM ..........................................................................................................................................1437
Multicast Trace Tool ....................................................................................................................................1437
Multicast Router Information Tool ...............................................................................................................1438
Chapter 40: IPv6 Multicast................................................................................................................... 1439
Overview ............................................................................................................................................................1439
Managing MLD ...................................................................................................................................................1440
Enabling and Disabling MLD on a VLAN ....................................................................................................1440
Configuring MLD .........................................................................................................................................1440
Clearing MLD Group Registration ...............................................................................................................1440
Configuring Static MLD Groups and Routers ..............................................................................................1440
Displaying MLD Information ........................................................................................................................1441
MLD Snooping ............................................................................................................................................1441
Chapter 41: MSDP ................................................................................................................................ 1445
Overview ............................................................................................................................................................1445
Supported Platforms ...................................................................................................................................1446
Limitations ...................................................................................................................................................1446
PIM Border Configuration ...................................................................................................................................1446
MSDP Peers.......................................................................................................................................................1446
MSDP Default Peers ...................................................................................................................................1447
Peer Authentication .....................................................................................................................................1447
Policy Filters ................................................................................................................................................1448
SA Request Processing ..............................................................................................................................1448
MSDP Mesh-Groups ..........................................................................................................................................1448
Anycast RP.........................................................................................................................................................1449
SA Cache ...........................................................................................................................................................1451
Maximum SA Cache Entry Limit..................................................................................................................1451
Redundancy .......................................................................................................................................................1452
Scaling Limits .....................................................................................................................................................1452
SNMP MIBs ........................................................................................................................................................1452
Configuration Examples .....................................................................................................................................1453
Configuring MSDP ......................................................................................................................................1453
Configuring an MSDP Mesh-Group.............................................................................................................1454
Configuring Anycast RP ..............................................................................................................................1456
PART 3: APPENDIXES
Appendix A: Feature License Requirements ..................................................................................... 1463
Overview ............................................................................................................................................................1463
Displaying the Installed Licenses and Feature Packs ........................................................................................1464
Switch License Features ....................................................................................................................................1465
L2 Edge License Features ..........................................................................................................................1465
Edge License Features ...............................................................................................................................1468
Advanced Edge License Features ..............................................................................................................1470
Core License Features ................................................................................................................................1471
Feature Pack Features .......................................................................................................................................1472
CNA Feature Pack ......................................................................................................................................1473
Direct Attach Feature Pack .........................................................................................................................1474
Legacy CLI Feature Pack............................................................................................................................1474
MPLS Feature Pack (IPv4 Only) .................................................................................................................1474
Network Timing Feature Pack .....................................................................................................................1474
SSH Feature Pack ......................................................................................................................................1475
Appendix B: Software Upgrade and Boot Options ........................................................................... 1477
Downloading a New Image ................................................................................................................................1477
Image Filename Prefixes ............................................................................................................................1478
Understanding the Image Version String ....................................................................................................1478
Software Signatures ....................................................................................................................................1479
Selecting a Primary or a Secondary Image.................................................................................................1479
Installing a Core Image ...............................................................................................................................1480
Installing a Modular Software Package .......................................................................................................1483
Rebooting the Switch ..................................................................................................................................1485
Rebooting the Management Module—Modular Switches Only...................................................................1486
Rebooting a Node in a SummitStack ..........................................................................................................1486
Understanding Hitless Upgrade—Modular Switches Only .................................................................................1486
Understanding the I/O Version Number ......................................................................................................1487
Performing a Hitless Upgrade .....................................................................................................................1488
Hitless Upgrade Examples ..........................................................................................................................1492
Configuration Changes.......................................................................................................................................1493
Overview .....................................................................................................................................................1493
Viewing a Configuration ..............................................................................................................................1494
Restoring Factory Defaults..........................................................................................................................1494
Uploading ASCII-Formatted Configuration Files .........................................................................................1495
Using TFTP to Upload the Configuration............................................................................................................1498
Using TFTP to Download the Configuration .......................................................................................................1499
Synchronizing Nodes—Modular Switches and SummitStack Only ....................................................................1500
Additional Behavior on the BlackDiamond 8800 Series Switches Only ......................................................1500
Automatic Synchronization of Configuration Files.......................................................................................1501
Accessing the Bootloader...................................................................................................................................1501
Upgrading the BootROM ....................................................................................................................................1502
Summit Family Switches and SummitStack Only........................................................................................1502
Upgrading the Firmware .....................................................................................................................................1503
Displaying the BootROM and Firmware Versions ..............................................................................................1506
Appendix C: CNA Agent ...................................................................................................................... 1511
Overview ............................................................................................................................................................1511
Redundancy ................................................................................................................................................1512
Downloading the CNA Agent Software Module..................................................................................................1512
Running the Tests ..............................................................................................................................................1512
Configuring the CNA Agent ................................................................................................................................1513
Enabling the CNA Agent .............................................................................................................................1513
Connecting to the CNA Server ....................................................................................................................1514
Configuring the Interface .............................................................................................................................1514
Clearing the Counters .................................................................................................................................1514
Displaying CNA Agent Information..............................................................................................................1514
Troubleshooting ..........................................................................................................................................1515
Appendix D: Troubleshooting ............................................................................................................. 1517
Troubleshooting Checklists ................................................................................................................................1518
Layer 1 ........................................................................................................................................................1518
Layer 2 ........................................................................................................................................................1518
Layer 3 ........................................................................................................................................................1519
LEDs...................................................................................................................................................................1521
Using the Command Line Interface ....................................................................................................................1523
General Tips and Recommendations..........................................................................................................1523
The Summit switch displays only the "(pending-AAA) login: " prompt (SummitStack only): .......................1525
MSM Prompt—Modular Switches Only .......................................................................................................1525
Node Prompt—SummitStack Only ..............................................................................................................1525
Command Prompt .......................................................................................................................................1526
Port Configuration .......................................................................................................................................1526
Software License Error Messages ..............................................................................................................1527
VLANs .........................................................................................................................................................1527
STP .............................................................................................................................................................1528
ESRP ..........................................................................................................................................................1529
VRRP ..........................................................................................................................................................1530
Using ELRP to Perform Loop Tests ...................................................................................................................1530
About Standalone ELRP .............................................................................................................................1530
Configuring Standalone ELRP ....................................................................................................................1532
Displaying Standalone ELRP Information ...................................................................................................1533
Example: ELRP on Protocol-based VLANs.................................................................................................1533
Using the Rescue Software Image .....................................................................................................................1534
Obtaining the Rescue Image from a TFTP Server ......................................................................................1535
Obtaining the Rescue Image from a Compact Flash Card..........................................................................1536
Performing Compact Flash Recovery Using a USB Memory Drive ............................................................1537
Rescuing a Node in a SummitStack............................................................................................................1538
Debug Mode .......................................................................................................................................................1539
Saving Debug Information ..................................................................................................................................1540
Enabling the Switch to Send Debug Information to the Internal Memory Card or Removable Storage Device ..1540
Copying Debug Information to Removable Storage Devices ......................................................................1541
Copying Debug Information to a TFTP Server ............................................................................................1541
Managing Debug Files ................................................................................................................................1542
Evaluation Precedence for ACLs .......................................................................................................................1542
TOP Command ..................................................................................................................................................1542
TFTP Server Requirements................................................................................................................................1543
System Odometer ..............................................................................................................................................1543
Monitored Components ...............................................................................................................................1543
Recorded Statistics .....................................................................................................................................1543
Temperature Operating Range ..........................................................................................................................1545
Modular Switches ........................................................................................................................................1545
Summit Family Switches and SummitStack ................................................................................................1545
Unsupported Module Type .................................................................................................................................1545
Corrupted BootROM on BlackDiamond 8800 Series Switches ..........................................................................1546
Inserting Powered Devices in the PoE Module ..................................................................................................1546
Modifying the Hardware Table Hash Algorithm ..................................................................................................1546
Configuring the Hash Algorithm ..................................................................................................................1548
Viewing the Hash Algorithm Setting ............................................................................................................1548
Untagged Frames on the 10 Gbps Module ........................................................................................................1549
Understanding the Error Reading Diagnostics Message....................................................................................1550
Running MSM/MM Diagnostics from the Bootloader..........................................................................................1550
Contacting Extreme Networks Technical Support ..............................................................................................1551
Appendix E: Supported Standards, Protocols, and MIBs ................................................................ 1553
MIB Support Details ...........................................................................................................................................1553
Standard MIBs ............................................................................................................................................1553
Extreme Networks Proprietary MIBs ...........................................................................................................1587
Index of Commands ............................................................................................................................. 1623
Glossary ................................................................................................................................................ 1635
ExtremeXOS Concepts Guide, Software Version 15.2
30
Preface
This chapter provides an overview of this guide, describes the conventions used in the guide, and lists
other publications that might be useful.
Introduction
This guide provides the required information to configure ExtremeXOS® software in the currently
supported versions running on switches from Extreme Networks®.
This guide is intended for use by network administrators who are responsible for installing and setting
up network equipment. Working knowledge of the following is assumed:
● Local area networks (LANs)
● Ethernet concepts
● Ethernet switching and bridging concepts
● Routing concepts
● Internet Protocol (IP) concepts
● Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Intermediate
  System-Intermediate System (IS-IS)
● Border Gateway Protocol (BGP-4) concepts
● IP multicast concepts
● Protocol Independent Multicast (PIM) concepts
● Simple Network Management Protocol (SNMP)
NOTE
If the information in the release notes shipped with your switch differs from the information in this guide,
follow the release notes.
Terminology
When features, functionality, or operation is specific to a switch family, the family name is used.
Explanations about features and operations that are the same across all product families simply refer to
the product as the “switch.”
Conventions
This section describes conventions used in the documentation:
● Platform-Dependent Conventions on page 32
● Text Conventions on page 32
Platform-Dependent Conventions
Unless otherwise noted, all information applies to all platforms supported by ExtremeXOS software,
which are the following:
● BlackDiamond® X8 X-series switch
● BlackDiamond 8800 series switches
● Cell Site Routers (E4G-200 and E4G-400)
● Summit® family switches
● SummitStack™
When a feature or feature implementation applies to specific platforms, the specific platform is noted in
the heading for the section describing that implementation.
Finally, minor differences in platform implementations are called out in a note, as shown below:
NOTE
This is a note.
Text Conventions
Table 1 and Table 2 list conventions that are used throughout this guide.
Table 1: Notice Icons
Notice Type   Alerts you to...
Note          Important features or instructions.
Caution       Risk of personal injury, system damage, or loss of data.
Warning       Risk of severe personal injury.
Table 2: Text Conventions
Convention
    Description
Screen displays
    This typeface indicates command syntax, or represents information as it appears on the screen.
The words “enter” and “type”
    When you see the word “enter” in this guide, you must type something, and then press the
    Return or Enter key. Do not press the Return or Enter key when an instruction simply says “type.”
[Key] names
    Key names are written with brackets, such as [Return] or [Esc].
    If you must press two or more keys simultaneously, the key names are linked with a plus sign (+).
    Example: Press [Ctrl]+[Alt]+[Del].
Words in italicized type
    Italics emphasize a point or denote new terms at the place where they are defined in the text.
    (Italics are also used when referring to publication titles.)
Related Publications
The publications related to this one are:
● ExtremeXOS Command Reference Guide
● ExtremeXOS Release Notes
● ExtremeXOS Hardware and Software Compatibility Matrix
● BlackDiamond 8800 Series Switches Hardware Installation Guide
● BlackDiamond X8 Switch Hardware Installation Guide
● BlackDiamond 10808 Switch Hardware Installation Guide (legacy product)
● BlackDiamond 12800 Series Switches Hardware Installation Guide (legacy product)
● BlackDiamond 20800 Series Switches Hardware Installation Guide (legacy product)
● Summit Family Switches Hardware Installation Guide
● Extreme Networks Pluggable Interface Installation Guide
Some ExtremeXOS software files have been licensed under certain open source licenses. Information is
available on the World Wide Web at the following location:
http://www.extremenetworks.com/services/osl-exos.aspx
Documentation for Extreme Networks products is available on the World Wide Web at the following
location:
http://www.extremenetworks.com/
Using ExtremeXOS Publications Online
You can access ExtremeXOS publications by downloading them from the Extreme Networks World
Wide Web location. Publications are provided in Adobe® Portable Document Format (PDF). Displaying
or printing PDF files requires that your computer is equipped with Adobe Reader® software, which is
available free of charge from Adobe Systems Incorporated.
The Concepts Guide PDF file provides links that connect you directly to relevant command information
in the Command Reference Guide PDF file. This quick-referencing capability enables you to easily find
detailed information in the Command Reference Guide for any command mentioned in the Concepts
Guide.
To ensure that the quick-referencing feature functions properly:
1 Download both the Concepts Guide PDF file and the Command Reference Guide PDF file to the same
destination directory on your computer.
2 You may open one or both PDF files to enable cross-referenced linking between the Concepts Guide
and the Command Reference Guide; however, for ease of use, it is recommended that you keep both
files open concurrently on your computer desktop.
NOTE
If you activate a cross-referencing link from the Concepts Guide PDF file to the Command Reference PDF
file when the Command Reference PDF file is closed (that is, not currently open on your computer desktop), the
system will close the Concepts Guide PDF file and open the Command Reference PDF file. To keep both PDF files
open when you activate a cross-reference link, open both PDF files before using the link.
All of these documents are available in Adobe PDF format. You must have Acrobat Reader 5.0 or later
to properly open the documents. You must have Acrobat Reader 6.0 or later to use the cross-reference
linking feature from the ExtremeXOS Concepts Guide to the ExtremeXOS Command Reference Guide.
Part 1: Using ExtremeXOS
Chapter 1: Getting Started
This chapter includes the following sections:
● Overview on page 37
● Software Required on page 39
● Logging In to the Switch on page 41
● Understanding the Command Syntax on page 41
● Port Numbering on page 46
● Line-Editing Keys on page 48
● Command History on page 48
● Common Commands on page 48
● Accessing the Switch for the First Time on page 51
● Configuring Management Access on page 52
● Managing Passwords on page 57
● Access to Both MSM/MM Console Ports—Modular Switches Only on page 60
● Domain Name Service Client Services on page 60
● Checking Basic Connectivity on page 61
● Displaying Switch Information on page 62
Overview
Table 3 lists the Extreme Networks products that run ExtremeXOS software.
Table 3: ExtremeXOS Switches
Switch Series             Switches
BlackDiamond X8 Series    BlackDiamond X8
BlackDiamond 8800 Series  BlackDiamond 8810, BlackDiamond 8806
Cell Site Routers         E4G-200, E4G-400
Summit X150 Series        Summit X150-24p, Summit X150-24t, Summit X150-48t
Summit X250e Series       Summit X250e-24p, Summit X250e-24t, Summit X250e-24tDC, Summit X250e-24x,
                          Summit X250e-24xDC, Summit X250e-48p, Summit X250e-48t, Summit X250e-48tDC
Summit X350 Series        Summit X350-24t, Summit X350-48t
Summit X440 Series        Summit X440-8t, Summit X440-8p, Summit X440-24t, Summit X440-24p,
                          Summit X440-24t-10G, Summit X440-24p-10G, Summit X440-48t, Summit X440-48p,
                          Summit X440-48t-10G, Summit X440-48p-10G, Summit X440-L2-24t, Summit X440-L2-48t
Summit X450a Series       Summit X450a-24t, Summit X450a-24tDC, Summit X450a-24x, Summit X450a-24xDC,
                          Summit X450a-48t, Summit X450a-48tDC
Summit X450e Series       Summit X450e-24p, Summit X450e-24t, Summit X450e-48p, Summit X450e-48t
Summit X460 Series        Summit X460-24x, Summit X460-24t, Summit X460-24p, Summit X460-48x,
                          Summit X460-48t, Summit X460-48p
Summit X480 Series        Summit X480-24x, Summit X480-48x, Summit X480-48t
Summit X650 Series        Summit X650-24t, Summit X650-24x
Summit X670               Summit X670-48x, Summit X670V-48x
SummitStack               All Summit family switches, except the Summit X150, Summit X350, and
                          Summit X440-L2 series.
Software Required
The tables in this section describe the software version required for each switch that runs ExtremeXOS
software.
NOTE
The features available on each switch are determined by the installed feature license and optional feature
packs. For more information, see Appendix A, “Feature License Requirements.”
Table 4 lists the BlackDiamond 8000 series modules and the ExtremeXOS software version required to
support each module.
Table 4: BlackDiamond 8000 Series Switch Modules and Required Software
Module Series Name  Modules          Minimum ExtremeXOS Software Version
MSMs                8500-MSM24       ExtremeXOS 12.3
                    MSM-48c          ExtremeXOS 12.1
                    8900-MSM128      ExtremeXOS 12.3
c-series            G24Xc            ExtremeXOS 12.1
                    G48Xc            ExtremeXOS 12.1
                    10G4Xc           ExtremeXOS 12.1
                    10G8Xc           ExtremeXOS 12.1
                    G48Tc            ExtremeXOS 12.1
                    S-10G1Xc         ExtremeXOS 12.1
                    S-10G2Xc         ExtremeXOS 12.5.3
                    S-G8Xc           ExtremeXOS 12.1
                    8900-G96T-c      ExtremeXOS 12.3
                    8900-10G24X-c    ExtremeXOS 12.3
e-series            8500-G24X-e      ExtremeXOS 12.3
                    8500-G48T-e      ExtremeXOS 12.3
                    G48Te2           ExtremeXOS 12.1
xl-series           8900-G48X-xl     ExtremeXOS 12.4
                    8900-G48T-xl     ExtremeXOS 12.4
                    8900-10G8X-xl    ExtremeXOS 12.4
xm-series           8900-40G6X-xm    ExtremeXOS 12.6
The following guidelines provide additional information on the BlackDiamond 8000 series modules
described in Table 4:
● The term BlackDiamond 8000 series modules refers to all BlackDiamond 8500, 8800, and 8900 series
  modules. Beginning with the ExtremeXOS 12.5 release, it does not include other modules formerly
  listed as original-series modules.
● Module names that are not preceded with 8500 or 8900 are BlackDiamond 8800 series modules.
● The a-series, c-series, e-series, xl-series, and xm-series names are used to distinguish between groups of
  modules that support different feature sets.
Table 5 lists the Summit family switches that run ExtremeXOS software and the minimum ExtremeXOS
software version required.
Table 5: Summit Family Switches and Required Software
Switch Series        Switches              Minimum ExtremeXOS Software Version
Summit X150 Series   Summit X150-24t       ExtremeXOS 12.0
                     Summit X150-24p       ExtremeXOS 12.0
                     Summit X150-48t       ExtremeXOS 12.0
Summit X250e Series  Summit X250e-24t      ExtremeXOS 12.0
                     Summit X250e-24tDC    ExtremeXOS 12.1
                     Summit X250e-48t      ExtremeXOS 12.0
                     Summit X250e-48tDC    ExtremeXOS 12.1
                     Summit X250e-24p      ExtremeXOS 12.0
                     Summit X250e-48p      ExtremeXOS 12.0
                     Summit X250e-24x      ExtremeXOS 12.0
                     Summit X250e-24xDC    ExtremeXOS 12.1
Summit X350 Series   Summit X350-24t       ExtremeXOS 12.1
                     Summit X350-48t       ExtremeXOS 12.1
Summit X440 Series   Summit X440-8t        ExtremeXOS 15.1
                     Summit X440-8p        ExtremeXOS 15.1
                     Summit X440-24t       ExtremeXOS 15.1
                     Summit X440-24p       ExtremeXOS 15.1
                     Summit X440-24t-10G   ExtremeXOS 15.1
                     Summit X440-24p-10G   ExtremeXOS 15.1
                     Summit X440-48t       ExtremeXOS 15.1
                     Summit X440-48p       ExtremeXOS 15.1
                     Summit X440-48t-10G   ExtremeXOS 15.1
                     Summit X440-48p-10G   ExtremeXOS 15.1
                     Summit X440-L2-24t    ExtremeXOS 15.1
                     Summit X440-L2-48t    ExtremeXOS 15.1
Summit X450a Series  Summit X450a-24x      ExtremeXOS 11.6
                     Summit X450a-24xDC    ExtremeXOS 11.6
                     Summit X450a-24t      ExtremeXOS 11.5
                     Summit X450a-24tDC    ExtremeXOS 11.5
                     Summit X450a-48t      ExtremeXOS 11.5
                     Summit X450a-48tDC    ExtremeXOS 11.6
Summit X450e Series  Summit X450e-24p      ExtremeXOS 11.5
                     Summit X450e-24t      ExtremeXOS 12.5
                     Summit X450e-48p      ExtremeXOS 11.6
                     Summit X450e-48t      ExtremeXOS 12.5
Summit X460 Series   Summit X460-24x       ExtremeXOS 12.5
                     Summit X460-24t       ExtremeXOS 12.5
                     Summit X460-24p       ExtremeXOS 12.5
                     Summit X460-48x       ExtremeXOS 12.5
                     Summit X460-48t       ExtremeXOS 12.5
                     Summit X460-48p       ExtremeXOS 12.5
Summit X480 Series   Summit X480-24x       ExtremeXOS 12.4
                     Summit X480-48x       ExtremeXOS 12.4
                     Summit X480-48t       ExtremeXOS 12.4
Summit X650 Series   Summit X650-24t       ExtremeXOS 12.2.2
                     Summit X650-24x       ExtremeXOS 12.2.1
Summit X670          Summit X670-48x       ExtremeXOS 12.6
                     Summit X670V-48x      ExtremeXOS 12.6
SummitStack          Summit family switches except the Summit X150, Summit X350, and
                     Summit X440-L2 series: ExtremeXOS 12.0
Minimum version
ExtremeXOS 15.2
Table 5 lists the current Summit Family Switches. It does not include the Summit X450 switch that is
sometimes referred to as the Summit X450 original switch.
Stacking capable switches are a combination of up to eight Summit family switches (excluding the
Summit X150 and the Summit X350 series) that are connected by stacking cables.
Logging In to the Switch
The initial login prompt appears as follows:
(Pending-AAA) login:
At this point, the failsafe account is now available, but the normal AAA login security is not. (For
additional information on using the failsafe account, refer to “Failsafe Accounts” on page 56.)
Wait for the following message to appear:
Authentication Service (AAA) on the master node is now available for login.
At this point, the normal AAA login security is available. When you now press the [Enter] key, the
following prompt appears:
login
Whether or not you press the [Enter] key, once you see the above message you can perform a normal
login. (See “Default Accounts” on page 55.)
Understanding the Command Syntax
This section describes the steps to take when entering a command. Refer to the following sections for
detailed information on using the command line interface (CLI).
ExtremeXOS command syntax is described in detail in the ExtremeXOS Command Reference Guide. Some
commands are also described in this Concepts Guide in order to describe how to use ExtremeXOS
software features. However, only a subset of commands are described here, and in some cases only a
subset of the options that a command supports. The ExtremeXOS Command Reference Guide should be
considered the definitive source for information on ExtremeXOS commands.
You may enter configuration commands at the # prompt. At the > prompt, you may enter only
monitoring commands, not configuration commands. When you log in as administrator (which has read
and write access), you see the # prompt. When you log in as user (which has only read access), you will
see the > prompt. As you are booting up, you may see the > command prompt. When the bootup
process is complete, the # prompt is displayed.
When entering a command at the prompt, ensure that you have the appropriate privilege level. Most
configuration commands require you to have the administrator privilege level. For more information on
setting CLI privilege levels, see the ExtremeXOS Command Reference Guide. To use the CLI:
1 Enter the command name.
If the command does not include a parameter or values, skip to step 3. If the command requires
more information, continue to step 2.
2 If the command includes a parameter, enter the parameter name and values.
The value part of the command specifies how you want the parameter to be set. Values include
numerics, strings, or addresses, depending on the parameter.
3 After entering the complete command, press [Enter].
NOTE
If an asterisk (*) appears in front of the command line prompt, it indicates that you have pending
configuration changes that have not been saved. For more information on saving configuration changes, see
Appendix B, “Software Upgrade and Boot Options.”
This section describes the following topics:
● Syntax Helper on page 42
● Object Names on page 42
● Command Shortcuts on page 45
● Symbols on page 45
● Limits on page 46
Syntax Helper
The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular command,
enter as much of the command as possible, and then press [Tab] or [?]. The syntax helper provides a list
of options for the remainder of the command and places the cursor at the end of the command you
have entered so far, ready for the next option.
If you enter an invalid command, the syntax helper notifies you of your error and indicates where the
error is located.
If the command is one where the next option is a named component (such as a VLAN, access profile, or
route map), the syntax helper also lists any currently configured names that might be used as the next
option. In situations where this list is very long, the syntax helper lists only one line of names, followed
by an ellipsis (...) to indicate that there are more names that can be displayed.
The syntax helper also provides assistance if you have entered an incorrect command.
Object Names
All named components within a category of the switch configuration, such as VLAN, must be given a
unique object name. Object names must begin with an alphabetical character and may contain
alphanumeric characters and underscores (_), but they cannot contain spaces. The maximum allowed
length for a name is 32 characters. User-created object names for the following modules are not
case-sensitive: access list, account, CFM, EAPS, ESRP, flow-redirect, meter, MSDP, Network Login, PVLAN,
protocol, SNMP, SSHD2, STP, tunnel, UPM, VLAN, VMAN, etc.
Object names can be reused across categories (for example, STPD and VLAN names). If the software
encounters any ambiguity in the components within your command, it generates a message requesting
that you clarify the object you specified.
NOTE
If you use the same name across categories, Extreme Networks recommends that you specify the
identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error
message.
Reserved Keywords
Keywords such as vlan, stp, and other second-level keywords are reserved keywords
and cannot be used as object names. This restriction applies to the specific word (vlan) only;
expanded versions (vlan2) can be used.
A complete list of the reserved keywords for ExtremeXOS 12.4.2 and later software is displayed in
Table 6. Any keyword that is not on this list can be used as an object name. Prior to 12.4.2, all keywords
were reserved, that is, none of them could be used for naming user-created objects such as VLANs.
Table 6: Reserved Keywords
Reserved Keywords
aaa
access-list
account
accounts
all
bandwidth
banner
bfd
bgp
bootp
bootprelay
brm
bvlan
cancel
cfgmgr
cfm
checkpoint-data
clear-flow
cli
cli-config-logging
clipaging
configuration
configure
continuous
count
counters
cpu-monitoring
cvlan
debug
debug-mode
devmgr
dhcp
dhcp-client
dhcp-server
diagnostics
diffserv
dns-client
dont-fragment
dos-protect
dot1ag
dot1p
dot1q
ds
eaps
edp
egress
elrp
elrp-client
elsm
ems
epm
esrp
fabric
failover
failsafe-account
fans
fdb
fdbentry
firmware
flood-group
flooding
flow-control
flow-redirect
forwarding
from
get
hal
hclag
heartbeat
icmp
identity-management
idletimeout
idmgr
igmp
image
ingress
inline-power
internal-memory
interval
iob-debug-level
iparp
ipconfig
ipforwarding
ipmc
ipmcforwarding
ipmroute
ip-mtu
ip-option
iproute
ip-security
ipstats
ipv4
IPv4
ipv6
IPv6
ipv6acl
irdp
isid
isis
jumbo-frame
jumbo-frame-size
l2stats
l2vpn
lacp
learning
learning-domain
license
license-info
licenses
lldp
log
loopback-mode
mac
mac-binding
mac-lockdown-timeout
management
mcast
memory
memorycard
meter
mirroring
mld
mpls
mrinfo
msdp
msgsrv
msm
msm-failover
mstp
mtrace
multipleresponse-timeout
mvr
neighbor-discovery
netlogin
nettools
node
nodemgr
odometers
ospf
ospfv3
pim
policy
ports
power
primary
private-vlan
process
protocol
put
qosprofile
qosscheduler
radius
radius-accounting
rip
ripng
rmon
routerdiscovery
rtmgr
safe-default-script
script
secondary
session
sflow
sharing
show
slot
slot-pollinterval
smartredundancy
snmp
snmpv3
sntp-client
source
ssl
stacking
stacking-support
stack-topology
start-size
stp
stpd
subvlan-proxyarp
svlan
switch
switch-mode
sys-health-check
syslog
sys-recovery-level
tacacs
tacacs-accounting
tacacs-authorization
tech
telnet
telnetd
temperature
tftpd
thttpd
time
timeout
timezone
tos
traffic
trusted-ports
trusted-servers
ttl
tunnel
udp
udp-echo-server
udp-profile
update
upm
var
version
virtual-router
vlan
vman
vpls
vr
vrrp
watchdog
web
xmlc
xmld
xml-mode
xml-notification
Abbreviated Syntax
Abbreviated syntax is the shortest unambiguous allowable abbreviation of a command or parameter.
Typically, this is the first three letters of the command. If you do not enter enough letters to allow the
switch to determine which command you mean, the syntax helper provides a list of the options based
on the portion of the command you have entered.
NOTE
When using abbreviated syntax, you must enter enough characters to make the command unambiguous
and distinguishable to the switch.
Command Shortcuts
Components are typically named using the create command. When you enter a command to configure
a named component, you do not need to use the keyword of the component. For example, to create a
VLAN, enter a VLAN name:
create vlan engineering
After you have created the name for the VLAN, you can eliminate the keyword vlan from all other
commands that require the name to be entered. For example, instead of entering the modular switch
command:
configure vlan engineering delete port 1:3,4:6
you can enter the following shortcut:
configure engineering delete port 1:3,4:6
Symbols
You may see a variety of symbols shown as part of the command syntax. These symbols explain how to
enter the command, and you do not type them as part of the command itself. Table 7 summarizes
command syntax symbols.
NOTE
ExtremeXOS software does not support the ampersand (&), left angle bracket (<), or right angle bracket
(>), because they are reserved characters with special meaning in XML.
Table 7: Command Syntax Symbols
Symbol
    Description
angle brackets < >
    Enclose a variable or value. You must specify the variable or value. For example, in the syntax
        configure vlan <vlan_name> ipaddress <ipaddress>
    you must supply a VLAN name for <vlan_name> and an address for <ipaddress> when entering the
    command. Do not type the angle brackets and do not include spaces within angle brackets.
square brackets [ ]
    Enclose a required value or list of required arguments. One or more values or arguments can be
    specified. For example, in the syntax
        disable port [<port_list> | all]
    you must specify either specific ports or all for all ports when entering the command.
    Do not type the square brackets.
vertical bar |
    Separates mutually exclusive items in a list, one of which must be entered. For example, in the
    syntax
        configure snmp add community [readonly | readwrite] <alphanumeric_string>
    you must specify either the read or write community string in the command. Do not type the
    vertical bar.
braces { }
    Enclose an optional value or a list of optional arguments. One or more values or arguments can be
    specified. For example, in the syntax
        reboot {time <month> <day> <year> <hour> <min> <sec>} {cancel} {msm <slot_id>}
        {slot <slot-number> | node-address <node-address> | stack-topology {as-standby} }
    You can specify either a particular date and time combination, or the keyword cancel to cancel a
    previously scheduled reboot. (In this command, if you do not specify an argument, the command
    will prompt, asking if you want to reboot the switch now.) Do not type the braces.
Limits
The command line can process up to 4500 characters, including spaces. If you attempt to enter more
than 4500 characters, the switch emits an audible “beep” and will not accept any further input. The first
4500 characters are processed, however.
Port Numbering
The ExtremeXOS software runs on both stand-alone and modular switches, and the port numbering
scheme is slightly different on each. This section describes the following topics:
● Stand-alone Switch Numerical Ranges on page 47
● Modular Switch and SummitStack Numerical Ranges on page 47
● Stacking Port Numerical Ranges on page 47
NOTE
The keyword all acts on all possible ports; it continues on all ports even if one port in the sequence fails.
Stand-alone Switch Numerical Ranges
On Summit family switches, the port number is simply noted by the physical port number, as shown
below:
5
Separate the port numbers by a dash to enter a range of contiguous numbers, and separate the numbers
by a comma to enter a range of noncontiguous numbers:
● x-y—Specifies a contiguous series of ports on a stand-alone switch.
● x,y—Specifies a noncontiguous series of ports on a stand-alone switch.
● x-y,a,d—Specifies a contiguous series of ports and a noncontiguous series of ports on a stand-alone
  switch.
Modular Switch and SummitStack Numerical Ranges
On a modular switch, such as the BlackDiamond 10808 or a SummitStack, the port number is a
combination of the slot number and the port number. The nomenclature for the port number is as
follows:
slot:port
For example, if an I/O module that has a total of four ports is installed in slot 2 of the chassis, the
following ports are valid:
● 2:1
● 2:2
● 2:3
● 2:4
You can also use wildcard combinations (*) to specify multiple modular slot and port combinations. The
following wildcard combinations are allowed:
● slot:*—Specifies all ports on a particular I/O module.
● slot:x-slot:y—Specifies a contiguous series of ports on a particular I/O module.
● slot:x-y—Specifies a contiguous series of ports on a particular I/O module.
● slota:x-slotb:y—Specifies a contiguous series of ports that begin on one I/O module or
  SummitStack node and end on another node.
Stacking Port Numerical Ranges
On a SummitStack, a stacking port number is a combination of the slot number and the stacking port
number shown near the connector on the back of the Summit family switch:
slot:port
These numbers are context-specific. For example, while the front-panel port 2:1 on a Summit X450a-24t
is a 10/100/1000 Ethernet port, the stacking port 2:1 is a 10Gb port on the rear panel of the X450a-24t
that has been marked as “Stacking Port 1”. When no context is given, port 2:1 refers to a front-panel
port on the Summit family switch (the 10Gb ports on, for example, a XGM2-2xn option card are
considered front-panel ports in this context).
The use of wildcards and ranges for stacking ports is the same as described in "Modular Switch and
SummitStack Numerical Ranges".
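The range notations above, expanded into individual ports. This is an added Python example, not code from the guide or from ExtremeXOS, of the kind a configuration-review script could use to see which ports a command touches. The function names, the ports_per_slot mapping, and the reading of slota:x-slotb:y as the rest of the first slot, every known slot in between, and ports 1 through y of the last slot are assumptions of this example.

```python
import re

# One comma-separated item: "5", "1-3", "2:4", "2:*", "2:1-4", "2:1-2:4" or "1:3-2:2".
_ITEM = re.compile(
    r"(?:(?P<s1>\d+):)?(?P<p1>\d+|\*)(?:-(?:(?P<s2>\d+):)?(?P<p2>\d+))?"
)


def _port_count(slot, ports_per_slot):
    """Port count of a slot; needed for slot:* and for ranges that cross slots."""
    if slot not in ports_per_slot:
        raise ValueError(f"port count for slot {slot} is not known")
    return ports_per_slot[slot]


def _span(slot, lo, hi, ports_per_slot):
    """Ports lo..hi of one slot (slot None means a stand-alone switch)."""
    if lo < 1 or hi < lo:
        raise ValueError(f"bad port range {lo}-{hi}")
    if slot is None:
        return [str(n) for n in range(lo, hi + 1)]
    if slot in ports_per_slot and hi > ports_per_slot[slot]:
        raise ValueError(f"slot {slot} has no port {hi}")
    return [f"{slot}:{n}" for n in range(lo, hi + 1)]


def expand_port_list(spec, ports_per_slot=None):
    """Expand a port list such as "1-3,7" or "1:3,4:6" into single ports.

    Stand-alone ports are returned as "5", modular and SummitStack ports as
    "2:3". ports_per_slot maps slot number -> number of ports (hypothetical
    input supplied by the caller, for example from the installed modules).
    """
    pps = ports_per_slot or {}
    ports = []
    for item in spec.split(","):
        m = _ITEM.fullmatch(item)          # spaces inside the list are rejected
        if m is None:
            raise ValueError(f"malformed port item {item!r}")
        s1, p1, s2, p2 = m.group("s1", "p1", "s2", "p2")
        if s1 is None:                     # stand-alone forms: x and x-y
            if p1 == "*" or s2 is not None:
                raise ValueError(f"malformed port item {item!r}")
            lo = int(p1)
            ports += _span(None, lo, int(p2) if p2 is not None else lo, pps)
            continue
        first = int(s1)
        if p1 == "*":                      # slot:* means every port of the module
            if p2 is not None:
                raise ValueError(f"malformed port item {item!r}")
            ports += _span(first, 1, _port_count(first, pps), pps)
            continue
        lo = int(p1)
        hi = int(p2) if p2 is not None else lo
        last = int(s2) if s2 is not None else first
        if last == first:                  # slot:x, slot:x-y, slot:x-slot:y
            ports += _span(first, lo, hi, pps)
        elif last > first:                 # slota:x-slotb:y
            ports += _span(first, lo, _port_count(first, pps), pps)
            for slot in range(first + 1, last):
                if slot in pps:            # slots missing from the map count as empty
                    ports += _span(slot, 1, pps[slot], pps)
            ports += _span(last, 1, hi, pps)
        else:
            raise ValueError(f"range runs backwards in {item!r}")
    return list(dict.fromkeys(ports))      # drop duplicates, keep order


if __name__ == "__main__":
    # "1:3,4:6" is the port list used in the guide's configure vlan example.
    print(expand_port_list("1:3,4:6"))
    # Constructed module sizes: four ports in slot 1 and in slot 2.
    print(expand_port_list("1:3-2:2", {1: 4, 2: 4}))
```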
Line-Editing Keys
Table 8 describes the line-editing keys available using the CLI.
Table 8: Line-Editing Keys
Key(s)                     Description
Left arrow or [Ctrl] + B   Moves the cursor one character to the left.
Right arrow or [Ctrl] + F  Moves the cursor one character to the right.
[Ctrl] + H or Backspace    Deletes character to left of cursor and shifts remainder of line to left.
Delete or [Ctrl] + D       Deletes character under cursor and shifts remainder of line to left.
[Ctrl] + K                 Deletes characters from under cursor to end of line.
Insert                     Toggles on and off. When toggled on, inserts text and shifts previous text to right.
[Ctrl] + A                 Moves cursor to first character in line.
[Ctrl] + E                 Moves cursor to last character in line.
[Ctrl] + L                 Clears screen and moves cursor to beginning of line.
[Ctrl] + P or Up Arrow     Displays previous command in command history buffer and places cursor at end of
                           command.
[Ctrl] + N or Down Arrow   Displays next command in command history buffer and places cursor at end of
                           command.
[Ctrl] + U                 Clears all characters typed from cursor to beginning of line.
[Ctrl] + W                 Deletes previous word.
[Ctrl] + C                 Interrupts the current CLI command execution.
Command History
The ExtremeXOS software stores the commands you enter. You can display a list of these commands by
using the following command:
history
Common Commands
Table 9 describes some of the common commands used to manage the switch. Commands specific to a
particular feature may also be described in other chapters of this guide. For a detailed description of the
commands and their options, see the ExtremeXOS Command Reference Guide.
Table 9: Common Commands
Command
    Description
clear session [history | <sessId> | all]
    Terminates a Telnet or SSH2 session from the switch.
configure account [all | <name>]
    Configures a user account password.
    Passwords can have a minimum of 0 characters and can have a maximum of 32 characters.
    Passwords are case-sensitive. User names are not case-sensitive.
configure banner { after-login | { before-login } { acknowledge } | before-login {acknowledge} save-to-configuration}
    Configures the banner string. You can configure a banner to be displayed before login or after
    login. You can enter up to 24 rows of 79-column text that is displayed before the login prompt of
    each session.
configure ports <port_list> {medium [copper | fiber]} auto off speed <speed> duplex [half | full]
    Manually configures the port speed and duplex setting of one or more ports on a switch.
configure slot <slot> module <module_type>
    Configures a slot for a particular I/O module card.
configure ssh2 key {pregenerated}
    Generates the SSH2 host key.
    NOTE: This command is available only on modular switches.
    You must install the SSH software module in addition to the base image to run SSH.
configure sys-recovery-level [all | none]
    Configures a recovery option for instances where an exception occurs in ExtremeXOS software.
configure time <month> <day> <year> <hour> <min> <sec>
    Configures the system date and time. The format is as follows:
        mm dd yyyy hh mm ss
    The time uses a 24-hour clock format. You cannot set the year earlier than 2003 or past 2036.
configure timezone {name <tz_name>} <GMT_offset> {autodst {name <dst_timezone_ID>} {<dst_offset>} {begins [every <floatingday> | on <absoluteday>] {at <time_of_day>} {ends [every <floatingday> | on <absoluteday>] {at <time_of_day>}}} | noautodst}
    Configures the time zone information to the configured offset from GMT time. The format of
    GMT_offset is +/- minutes from GMT time. The autodst and noautodst options enable and disable
    automatic Daylight Saving Time change based on the North American standard.
configure {vlan} <vlan_name> ipaddress [<ipaddress> {<ipNetmask>} | ipv6-link-local | {eui64} <ipv6_address_mask>]
    Configures an IP address and subnet mask for a VLAN.
create account [admin | user] <account-name> {encrypted <password>}
    Creates a user account. This command is available to admin-level users and to users with RADIUS
    command authorization. The username is between 1 and 32 characters and is not case-sensitive.
    The password is between 0 and 32 characters and is case-sensitive.
create vlan <vlan_name> {description <vlan-description>} {vr <name>}
    Creates a VLAN.
delete account <name>
    Deletes a user account.
delete vlan <vlan_name>
    Deletes a VLAN.
disable bootp vlan [<vlan> | all]
    Disables BOOTP for one or more VLANs.
disable cli prompting
    Disables CLI prompting for the session.
disable cli-config-logging
    Disables logging of CLI commands to the Syslog.
disable clipaging
    Disables pausing of the screen display when a show command output reaches the end of the page.
disable idletimeout
    Disables the timer that disconnects all sessions. After being disabled, console sessions remain
    open until the switch is rebooted or until you log off. Telnet sessions remain open until you
    close the Telnet client. SSH2 sessions time out after 61 minutes of inactivity.
    Additional options are described in the ExtremeXOS Command Reference Guide.
disable port [<port_list> | all]
    Disables one or more ports on the switch.
disable ssh2
    Disables SSH2 Telnet access to the switch.
    You must install the SSH2 software module in addition to the base image to run SSH.
disable telnet
    Disables Telnet access to the switch.
enable bootp vlan [<vlan> | all]
    Enables BOOTP for one or more VLANs.
enable cli-config-logging
    Enables the logging of CLI configuration commands to the Syslog for auditing purposes. The default setting is enabled.
enable clipaging
    Enables pausing of the screen display when show command output reaches the end of the page. The default setting is enabled.
enable idletimeout
    Enables a timer that disconnects all sessions (Telnet, SSH2, and console) after 20 minutes of inactivity. The default setting is enabled.
enable license {software} <key>
    Enables a particular software feature license. Specify <license_key> as an integer.
    The command unconfigure switch {all} does not clear licensing information. This license cannot be disabled once it is enabled on the switch.
enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>} {vr [<vr_name> | all | default]}
    Enables SSH2 sessions. By default, SSH2 is disabled. When enabled, SSH2 uses TCP port number 22.
enable telnet
    Enables Telnet access to the switch. By default, Telnet uses TCP port number 23.
history
    Displays the commands entered on the switch.
show banner { after-login | before-login }
    Displays the user-configured banner.
unconfigure switch {all}
    Resets all switch parameters (with the exception of defined user accounts, and date and time information) to the factory defaults.
    If you specify the keyword all, the switch erases the currently selected configuration image in flash memory and reboots. As a result, all parameters are reset to default settings.
Accessing the Switch for the First Time
When you take your switch from the box and set it up for the first time, you must connect to the
console to access the switch. You are prompted with an interactive script that specifically asks if you
want to disable Telnet and SNMP, so that these will not be available on your switch at next reboot. This
is called the safe defaults mode.
After you connect to the console and log in to the switch, the screen displays several interactive
questions that lead you through configuring management access. You disable SNMP or Telnet access by
using the interactive script (refer to “Safe Defaults Setup Method” on page 51).
All ports are enabled in the factory default setting; you can choose to have all unconfigured ports
disabled on reboot using the interactive questions.
In addition, you can return to the safe defaults mode by issuing the following commands:
● unconfigure switch {all}
● configure safe-default-script
Safe Defaults Setup Method
After you connect to the console port of the switch, or after you issue the unconfigure switch {all}
or configure safe-default-script CLI command, the system returns the following interactive script:
This switch currently has all management methods enabled for convenience reasons.
Please answer these questions about the security settings you would like to use.
Telnet is enabled by default. Telnet is unencrypted and has been the target of
security exploits in the past.
Would you like to disable Telnet? [y/N]:
SNMP access is enabled by default. SNMP uses no encryption, SNMPv3 can be
configured to eliminate this problem.
Would you like to disable SNMP? [y/N]:
All ports are enabled by default. In some secure applications, it maybe more
desirable for the ports to be turned off.
Would you like unconfigured ports to be turned off by default? [y/N]:
Changing the default failsafe account username and password is highly
recommended. If you choose to do so, please remember the username and
password as this information cannot be recovered by Extreme Networks.
Would you like to change the failsafe account username and password
now? [y/N]:
Would you like to permit failsafe account access via the management port?
[y/N]:
Since you have chosen less secure management methods, please remember to
increase the security of your network by taking the following actions:
* change your admin password
* change your failsafe account username and password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic
You see this interactive script only under the following conditions:
● At initial login (when you use the switch the first time)
● After the command unconfigure switch {all}
● After the command configure safe-default-script
All the changes made using this interactive script can be saved through switch reboots, if you save the
setting. If you want to change the management access:
● Use the configure safe-default-script command to maintain your configuration and rerun the script.
● Use the unconfigure switch {all} command to reset your switch to the default factory setting and rerun the script.
Configuring Management Access
This section discusses the following topics:
● Account Access Levels
● Configuring Banners
● Startup Screen and Prompt Text
● Default Accounts
● Creating a Management Account
● Failsafe Accounts
Account Access Levels
ExtremeXOS software supports the following two levels of management:
● User
● Administrator
In addition to the management levels, you can optionally use an external RADIUS server to provide CLI
command authorization checking for each command. For more information on RADIUS, see Chapter
23, “Security.”
User Account
A user-level account has viewing access to all manageable parameters, with the exception of:
● User account database
● SNMP community strings
A person with a user-level account can use the ping command to test device reachability and change
the password assigned to the account name. If you have logged on with user capabilities, the command
line prompt ends with a (>) sign. For example:
BD-1.2 >
Administrator Account
A person with an administrator-level account can view and change all switch parameters. With this
level, you can also add and delete users, as well as change the password associated with any account
name (to erase the password, use the unconfigure switch all command).
The administrator can disconnect a management session that has been established by way of a Telnet
connection. If this happens, the user logged on by way of the Telnet connection is notified that the
session has been terminated.
If you have logged on with administrator capabilities, the command line prompt ends with a (#) sign.
For example:
BD-1.18 #
Configuring Banners
You can configure the following types of CLI session banners:
● A banner for a session that displays before login.
● A banner for a session that displays after login.
To add a banner to your switch, use the following command:
configure banner { after-login | { before-login } { acknowledge } | before-login
{acknowledge} save-to-configuration}
The following applies to the use of the optional parameters:
● When no optional parameters are specified, the command configures a banner for a CLI session that displays before login.
● A CLI banner can have a maximum size of 24 rows with 79 columns of text.
● When the acknowledge parameter is specified, you must hit a key to get the login prompt.
To clear a configured banner, use the following command:
unconfigure banner { after-login | before-login }
To disable the acknowledgement feature, which forces the user to press a key before the login screen
displays, use the configure banner command omitting the acknowledge parameter.
To display the banners that are configured on the switch, use the following command:
show banner { after-login | before-login }
NOTE
In addition to CLI banners described here, you can also configure network login banners. For information,
see “Configuring the Login Page” on page 788 in the Network Login chapter.
Startup Screen and Prompt Text
Once you log into the switch, the system displays the startup screen, as follows:
login: admin
password: blue7
ExtremeXOS
Copyright (C) 2000-2006 Extreme Networks. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957;
6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,01
2,082.
==============================================================================
Press the <tab> or '?' key at any time for completions.
Remember to save your configuration changes.
* <switchname>.1 #
You must have an administrator-level account to change the text of the prompt. The prompt text is
taken from the SNMP sysname setting.
The number that follows the period after the switch name indicates the sequential line of the specific
command or line for this CLI session.
If an asterisk (*) appears in front of the command line prompt, it indicates that you have outstanding
configuration changes that have not been saved. For example:
* BD-1.19 #
If you have logged on with administrator capabilities, the command line prompt ends with a (#) sign.
For example:
BD-1.18 #
If you have logged on with user capabilities, the command line prompt ends with a (>) sign. For
example:
BD-1.2 >
Using the system recovery commands (refer to Chapter 11, “Status Monitoring and Statistics,” for
information on system recovery), you can configure either one or more specified slots on a modular
switch or the entire stand-alone switch to shut down in case of an error. If you have configured this
feature and a hardware error is detected, the system displays an explanatory message on the startup
screen. The message is slightly different, depending on whether you are working on a modular switch
or a stand-alone switch.
The following sample shows the startup screen if any of the slots in a modular switch are shut down as
a result of the system recovery configuration:
login: admin
password:
ExtremeXOS
Copyright (C) 2000-2006 Extreme Networks. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957;
6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,01
2,082.
==============================================================================
Press the <tab> or '?' key at any time for completions.
Remember to save your configuration changes.
The I/O modules in the following slots are shut down: 1,3
Use the "clear sys-recovery-level" command to restore I/O modules
! BD-8810.1 #
When an exclamation point (!) appears in front of the command line prompt, it indicates that one or
more slots or the entire stand-alone switch are shut down as a result of your system recovery
configuration and a switch error. (Refer to Chapter 11, “Status Monitoring and Statistics,” for complete
information on system recovery and system health check features.)
The following sample shows the startup screen if a stand-alone switch is shut down as a result of the
system recovery configuration:
login: admin
password:
ExtremeXOS
Copyright (C) 2000-2006 Extreme Networks. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957;
6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,01
2,082.
==============================================================================
Press the <tab> or '?' key at any time for completions.
Remember to save your configuration changes.
All switch ports have been shut down.
Use the "clear sys-recovery-level" command to restore all ports.
! SummitX450-24x.1 #
Default Accounts
By default, the switch is configured with two accounts, as shown in Table 10.
Table 10: Default Accounts
Account Name
    Access Level
admin
    This user can access and change all manageable parameters. However, the user may not delete all admin accounts.
user
    This user can view (but not change) all manageable parameters, with the following exceptions:
    • This user cannot view the user account database.
    • This user cannot view the SNMP community strings.
To change the password on the default account, see “Applying a Password to the Default Account” on
page 58.
Creating a Management Account
The switch can have a total of 16 management accounts. You can use the default names (admin and
user), or you can create new names and passwords for the accounts. Passwords can have a minimum of
0 characters and a maximum of 32 characters.
To create a new account:
1 Log in to the switch as admin.
2 At the password prompt, press [Enter], or enter the password that you have configured for the admin
account.
3 Add a new user by using the following command:
create account [admin | user] <account-name> {encrypted <password>}
If you do not specify a password or the keyword “encrypted”, you are prompted for one. Passwords
are case-sensitive.
If you do not want a password associated with the specified account, press [Enter] twice.
User-created account names are not case-sensitive.
Viewing Accounts
To view the accounts that have been created, you must have administrator privileges. To see the
accounts, use the following command:
show accounts
Deleting an Account
To delete an account, you must have administrator privileges. To delete an account, use the following
command:
delete account <name>
Failsafe Accounts
The failsafe account is the account of last resort to access your switch. This account is never displayed
by the show accounts command, but it is always present on the switch. To display whether the user
configured a username and password for the failsafe account, or to show the configured connection-type
access restrictions, use the following command:
show failsafe-account
The failsafe account has admin access level. To configure the account name and password for the failsafe
account, use the following command:
configure failsafe-account {[deny | permit] [all | control | serial | ssh {vr <vr-name>} | telnet {vr <vr-name>}]}
When you use the command with no parameters, you are prompted for the failsafe account name and
prompted twice to specify the password for the account. For example:
BD-10808.1 # configure failsafe-account
enter failsafe user name: blue5green
enter failsafe password:
enter password again:
BD-10808.2
When you use the command with the permit or deny parameter, the connection-type access restrictions
are altered as specified. For example:
BD-8810.1 # configure failsafe-account deny all
BD-8810.2 # configure failsafe-account permit serial
The failsafe account is immediately saved to NVRAM. On a modular switch, the failsafe account is
saved to both MSM/MMs' NVRAMs if both are present. On a SummitStack, the failsafe account is
saved in the NVRAM of every node in the active topology.
NOTE
On a SummitStack, when the synchronize stacking {node-address <node-address> | slot
<slot-number>} command is used, the failsafe account is transferred from the current node to the specified
nodes in the stack topology.
You need not provide the existing failsafe account information to change it.
NOTE
The information that you use to configure the failsafe account cannot be recovered by Extreme Networks.
Technical support cannot retrieve passwords or account names for this account. Protect this information carefully.
To access your switch using the failsafe account:
1 Connect to the switch using one of the (configured) permitted connection types.
2 At the switch login prompt, carefully enter the failsafe account name. If you enter an erroneous
account name, you cannot re-enter the correct name. In that case, press [Enter] until you get a login
prompt and then try again.
3 When prompted, enter the password.
Managing Passwords
When you first access the switch, you have a default account. You configure a password for your
default account. As you create other accounts (see “Creating a Management Account” on page 56), you
configure passwords for those accounts.
The software allows you to apply additional security to the passwords. You can enforce a specific
format and minimum length for the password. Additionally, you can age out the password, prevent a
user from employing a previously used password, and lock users out of the account after three
consecutive failed login attempts.
You can change the password to an encrypted password after you create an account.
This section describes the following topics:
● Applying a Password to the Default Account
● Applying Security to Passwords
● Displaying Passwords
Applying a Password to the Default Account
Default accounts do not have passwords assigned to them. Passwords can have a minimum of 0 and a
maximum of 32 characters. (If you specify the format of passwords using the configure account
password-policy char-validation command, the minimum is 8 characters.)
NOTE
Passwords are case-sensitive. User-created account names are not case-sensitive.
To add a password to the default admin account:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Enter].
3 Add a default admin password of green by entering the following command:
configure account admin green
To add a password to the default user account:
1 Log in to the switch using the name user.
2 At the password prompt, press [Enter], or enter the password that you have configured for the user
account.
3 Add a default user password of blue by entering the following command:
configure account user blue
NOTE
If you forget your password while logged out of the CLI, you can use the bootloader to reinstall a default
switch configuration, which allows access to the switch without a password. Note that this process reconfigures all
switch settings back to the initial default configuration.
Applying Security to Passwords
You can increase the security of your system by enforcing password restrictions, which will make it
more difficult for unauthorized users to access your system.
You can specify that each password must include at least two characters of each of the following four
character types:
● Upper-case A-Z
● Lower-case a-z
● 0-9
● !, @, #, $, %, ^, *, (, )
To set this format for the password, use the following command:
configure account [all | <name>] password-policy char-validation [none | all-char-groups]
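The character rule above, written out as an added example (not from the guide or from Extreme Networks): a Python pre-check that a provisioning tool could run on a candidate password before sending it to the switch. The function names are hypothetical, and the example assumes that the stricter of the 8-character floor and any password-policy min-length value applies, and that characters outside the four listed groups are accepted but count toward none of them.

```python
import string

# The four character groups the guide lists for char-validation.
CHAR_GROUPS = {
    "upper-case": set(string.ascii_uppercase),
    "lower-case": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!@#$%^*()"),
}
PER_GROUP_MIN = 2        # "at least two characters of each" group
CHAR_VALIDATION_MIN = 8  # minimum length the guide gives once char-validation is set
MAX_LENGTH = 32          # maximum password length the guide gives


def effective_min_length(char_validation, min_length=None):
    """Assumption: the stricter of the char-validation floor and min-length applies."""
    floor = CHAR_VALIDATION_MIN if char_validation else 0
    return max(floor, min_length or 0)


def policy_violations(password, char_validation=True, min_length=None):
    """Return the reasons a candidate password fails; an empty list means it passes."""
    problems = []
    need = effective_min_length(char_validation, min_length)
    if len(password) < need:
        problems.append(f"length {len(password)} is below the minimum of {need}")
    if len(password) > MAX_LENGTH:
        problems.append(f"length {len(password)} exceeds the maximum of {MAX_LENGTH}")
    if char_validation:
        for group, members in CHAR_GROUPS.items():
            # Characters outside every group (for example & or -) count nowhere.
            count = sum(ch in members for ch in password)
            if count < PER_GROUP_MIN:
                problems.append(f"{group}: {count} of {PER_GROUP_MIN} required")
    return problems


# Constructed candidates, such as a password generator might produce.
CANDIDATES = ["GReen42!(", "Green42&-", "AAbb11!"]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(repr(candidate), policy_violations(candidate) or "ok")
```

The second candidate fails even though it looks mixed: & and - are not in the listed special set, so the special group counts zero.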
You can enforce a minimum length for the password and set a maximum time limit, after which the
password will not be accepted.
To set a minimum length for the password, use the following command:
configure account [all | <name>] password-policy min-length [<num_characters> | none]
To age out the password after a specified time, use the following command:
configure account [all | <name>] password-policy max-age [<num_days> | none]
You can block users from employing previously used passwords by issuing the command:
configure account [all | <name>] password-policy history [<num_passwords> | none]
By default, the system terminates a session after the user has three consecutive failed login attempts.
The user may then launch another session (which would also terminate after three consecutive failed
login attempts). To increase security, you can lock users out of the system entirely after three failed
consecutive login attempts. To use this feature, use the following command:
configure account [all | <name>] password-policy lockout-on-login-failures [on | off]
NOTE
If you are not working on SSH, you can configure the number of failed logins that trigger lockout, using the
configure cli max-failed-logins <num-of-logins> command. (This command also sets the number of
failed logins that terminate the particular session.)
After the user’s account is locked out (using the configure account password-policy
lockout-on-login-failures command), it must be re-enabled by an administrator. To re-enable a locked-out
account, use the following command:
clear account [all | <name>] lockout
Selecting the all option affects the setting of all existing and future new accounts.
NOTE
The default admin account and failsafe accounts are never locked out, no matter how many consecutive
failed login attempts occur.
Displaying Passwords
To display the accounts and any applied password security, use the following command:
show accounts password-policy
You can also display which accounts may be locked out by issuing the following command:
show accounts
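An added example, not part of the guide: a Python audit that replays a list of the CLI commands described in this chapter and reports management settings left weaker than the guide's hardening options allow. The defaults are the ones the command table states; the finding names, the 8-character floor and the sample scripts are assumptions constructed for the example.

```python
import re

# Defaults as stated in the guide's command table; the audit assumes the
# script is applied to a switch that is otherwise at those defaults.
DEFAULTS = {"telnet": True, "idletimeout": True, "cli-config-logging": True}

TOGGLE = re.compile(
    r"^(enable|disable)\s+(telnet|idletimeout|cli-config-logging)\b")
POLICY = re.compile(
    r"^configure\s+account\s+(\S+)\s+password-policy\s+"
    r"(char-validation|min-length|lockout-on-login-failures)\s+(\S+)")

MIN_LENGTH_FLOOR = 8  # assumption: the guide's char-validation minimum used as the floor


def _weak_knobs(knobs):
    """Return the password-policy knobs that are unset or weak for one account."""
    weak = []
    if knobs.get("char-validation") != "all-char-groups":
        weak.append("char-validation")
    length = knobs.get("min-length", "none")
    if not length.isdigit() or int(length) < MIN_LENGTH_FLOOR:
        weak.append("min-length")
    if knobs.get("lockout-on-login-failures") != "on":
        weak.append("lockout-on-login-failures")
    return weak


def audit(commands):
    """Replay CLI lines in order (the last setting wins) and list weak settings."""
    state = dict(DEFAULTS)
    accounts = {"all": {}}              # account name -> password-policy knobs
    for raw in commands:
        line = raw.strip()
        match = TOGGLE.match(line)
        if match:
            state[match.group(2)] = match.group(1) == "enable"
            continue
        match = POLICY.match(line)
        if not match:
            continue                    # not a setting this audit tracks
        # Account names are not case-sensitive on the switch.
        name, knob, value = match.group(1).lower(), match.group(2), match.group(3)
        if name == "all":
            # "all" applies to every existing and future account.
            for knobs in accounts.values():
                knobs[knob] = value
        else:
            # A named account starts from the "all" baseline, then overrides it.
            accounts.setdefault(name, dict(accounts["all"]))[knob] = value
    findings = []
    if state["telnet"]:
        findings.append("telnet-enabled")
    if not state["idletimeout"]:
        findings.append("idletimeout-disabled")
    if not state["cli-config-logging"]:
        findings.append("cli-config-logging-disabled")
    for name in sorted(accounts):
        findings += [f"{name}:{knob}" for knob in _weak_knobs(accounts[name])]
    return findings


# Constructed provisioning scripts built only from commands shown in this chapter.
WEAK_SCRIPT = [
    "enable telnet",
    "disable idletimeout",
    "disable cli-config-logging",
    "configure account all password-policy min-length 6",
]
HARDENED_SCRIPT = [
    "disable telnet",
    "enable ssh2",
    "configure account all password-policy char-validation all-char-groups",
    "configure account all password-policy min-length 12",
    "configure account all password-policy lockout-on-login-failures on",
]

if __name__ == "__main__":
    print("weak:", audit(WEAK_SCRIPT))
    print("hardened:", audit(HARDENED_SCRIPT))
```

A finding such as `all:lockout-on-login-failures` means the script never sets that option, not that the switch is known to have it off.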
Access to Both MSM/MM Console Ports—Modular Switches Only
You can access either the primary or the backup MSM/MM regardless of which console port you are
connected to.
Use the following command:
telnet msm [a | b]
Access to an Active Node in a SummitStack
You can access any active node in a SummitStack from any other active node in the active topology. Use
the following command:
telnet slot <slot-number>
Domain Name Service Client Services
The Domain Name Service (DNS) client in ExtremeXOS software augments the following commands to
allow them to accept either IP addresses or host names:
● telnet
● download bootrom
● download image
● ping
● traceroute
● configure radius server client-ip
● configure tacacs server client-ip
● create cfm domain dns md-level
The DNS client can resolve host names to both IPv4 and IPv6 addresses.
In addition, the nslookup utility can be used to return the IP address of a host name.
You can specify up to eight DNS servers for use by the DNS client using the following command:
configure dns-client add
You can specify a default domain for use when a host name is used without a domain. Use the
following command:
configure dns-client default-domain
For example, if you specify the domain xyz-inc.com as the default domain, then a command such as
ping accounting1 will be taken as if it had been entered ping accounting1.xyz-inc.com.
Checking Basic Connectivity
The switch offers the following commands for checking basic connectivity:
● ping
● traceroute
Ping
The ping command enables you to send Internet Control Message Protocol (ICMP) echo messages to a
remote IP device. The ping command is available for both the user and administrator privilege levels.
The ping command syntax is:
ping {count <count> {start-size <start-size>} | continuous {start-size <start-size>} |
{start-size <start-size> {end-size <end-size>}}} {udp} {dont-fragment} {ttl <ttl>}
{tos <tos>} {interval <interval>} {vr <vrid>} {ipv4 <host> | ipv6 <host>} {from} {with
record-route}
Options for the ping command are described in Table 11.
Table 11: Ping Command Parameters
Parameter
    Description
count
    Specifies the number of ping requests to send.
start-size
    Specifies the size, in bytes, of the packet to be sent, or the starting size if incremental packets are to be sent.
continuous
    Specifies that UDP or ICMP echo messages are to be sent continuously. This option can be interrupted by pressing [Ctrl] + C.
end-size
    Specifies an end size for packets to be sent.
udp
    Specifies that the ping request should use UDP instead of ICMP.
dont-fragment
    Sets the don't-fragment bit in the IP header.
ttl
    Sets the TTL value.
tos
    Sets the TOS value.
interval
    Sets the time interval between sending out ping requests.
vr
    Specifies the virtual router name to use for sending out the echo message. If not specified, VR-Default is used.
    NOTE: User-created VRs are supported only on the platforms listed for this feature in Appendix A, “Feature License Requirements.”
ipv4
    Specifies IPv4 transport.
ipv6
    Specifies IPv6 transport.
    NOTE: If you are contacting an IPv6 link local address, you must specify the VLAN you are sending the message from: ping <ipv6> <link-local address> %<vlan_name> <host>.
host
    Specifies a host name or IP address (either v4 or v6).
from
    Uses the specified source address. If not specified, the address of the transmitting interface is used.
with record-route
    Sets the traceroute information.
If a ping request fails, the switch stops sending the request after three attempts. Press [Ctrl] + C to
interrupt a ping request earlier. The statistics are tabulated after the ping is interrupted or stops.
Use the ipv6 variable to ping an IPv6 host by generating an ICMPv6 echo request message and sending
the message to the specified address. If you are contacting an IPv6 link local address, you must specify
the VLAN that you are sending the message from, as shown in the following example (you must
include the % sign): ping <ipv6> <link-local address> %<vlan_name> <host>.
Traceroute
The traceroute command enables you to trace the path between the switch and a destination
endstation. The traceroute command syntax is:
traceroute {vr <vrid>} {ipv4 <host>} {ipv6 <host>} {ttl <number>} {from <from>} {[port
<port>] | icmp}
Where:
● vr is the name of the virtual router.
● ipv4/ipv6 is the transport.
● from uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used.
● host is the host of the destination endstation. To use the hostname, you must first configure DNS.
● ttl configures the switch to trace the hops until the time-to-live has been exceeded for the switch.
● port uses the specified UDP port number.
● icmp uses ICMP echo messages to trace the routed path.
Displaying Switch Information
To display basic information about the switch, use the following command:
show switch
To display other switch related information, refer to the “Alphabetical List of Standard Commands” in
the ExtremeXOS Command Reference Guide.
Filtering the Output of Show Commands
The output from many show commands can be long and complicated, sometimes containing more
information than you need at a given time. The filter output display feature allows you to extract the
output information from a show command that fits your needs.
The feature is a restricted version of a UNIX/Linux feature that uses a “pipe” character to direct the
output of one command to be used as input for the next command. It provides support for “piping”
show command output to the display filter using the vertical bar (|) operator. (In the following
command, it is the first vertical bar.) The display filter displays the output based on the specified filter
keyword option and the text pattern entered. By selecting different filter options you can include or
exclude all output that matches the pattern. You can also exclude all output until a line matches the
pattern and then include all output beginning with that line.
In ExtremeXOS software, the resulting command is as follows:
show <specific show command syntax> | {include | exclude | begin} <regexp>
The following describes the command syntax:
show <specific show command syntax>
    State the command. For example: show ports. (This is followed by the vertical bar (|) when used as the pipe character.)
include
    Display the lines that match the regular expression.
exclude
    Do not display the lines that match the regular expression.
begin
    Display all the lines starting with the first line that matches the regular expression.
regexp
    The regular expression to match.
    • Regular expressions are case-sensitive.
    • Special characters in regular expressions such as [ ], ?, and * have special significance to the Linux shell and it is therefore common to specify your regular expression in quotes to protect it from the shell.
    • A summary of special characters is shown in Table 12.
For example, to display the status of “flow control” on the ports of a BlackDiamond 8810 switch, use
the following command:
show ports 2:1-2 information detail | include "(Port|Flow Control)"
The output would resemble the following:
Port: 2:1
    Flow Control:           Rx-Pause: Enabled    Tx-Pause: Disabled
    Priority Flow Control:  Disabled
Port: 2:2
    Flow Control:           Rx-Pause: Enabled    Tx-Pause: Disabled
    Priority Flow Control:  Disabled
If the specified show command outputs a refreshed display, using the output display filter terminates
the display without refreshing and a message is displayed to that effect.
This command is supported on most of the ExtremeXOS show commands. A few commands, for
example, show tech, are not implemented in such a way as to make piping (filtering) possible.
Table 12 shows a summary of special characters.
Table 12: Definition of Regular Expression Characters
Operator Type
    Examples        Description
Literal Characters: Match a character exactly
    aAy6%@          Letters, digits and many special characters match exactly
    \$ \^ \+ \\ \?  Precede other special characters with a \ to cancel their regex special meaning
    \n \t \r        Literal new line, tab, return
Anchors and assertions
    ^               Starts with
    $               Ends with
Character groups: any 1 character from the group
    [aAeEiou]       any character listed from [ to ]
    [^aAeEiou]      any character except aAeEio or u
    [a-fA-F0-9]     any hex character (0 to 9 or a to f)
    .               any character at all
Counts: apply to previous element
    +               1 or more ("some")
    *               0 or more ("perhaps some")
    ?               0 or 1 ("perhaps a")
Alternation
    |               either, or
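An added example, not ExtremeXOS code: a Python model of the display filter that splits a command at the first vertical bar and applies include, exclude or begin to captured output, useful for checking a filter expression offline. It assumes Python's re syntax is close enough to the switch's regular expressions for the operators in Table 12; the function names are hypothetical and the sample output lines are constructed.

```python
import re
import shlex

FILTER_OPTIONS = ("include", "exclude", "begin")


def split_filter(command):
    """Split 'show ... | <option> <regexp>' at the first vertical bar only.

    Any later bar belongs to the regular expression (alternation).
    """
    show_part, bar, tail = command.partition("|")
    if not bar:
        return show_part.strip(), None, None
    words = shlex.split(tail)           # removes the quotes protecting the regexp
    if len(words) != 2 or words[0] not in FILTER_OPTIONS:
        raise ValueError(f"expected one of {FILTER_OPTIONS} and one regexp, got {tail!r}")
    return show_part.strip(), words[0], words[1]


def apply_filter(lines, option, regexp):
    """Apply one display-filter option to a list of output lines."""
    pattern = re.compile(regexp)        # case-sensitive, as the guide states
    if option == "include":
        return [line for line in lines if pattern.search(line)]
    if option == "exclude":
        return [line for line in lines if not pattern.search(line)]
    if option == "begin":
        # Drop everything before the first matching line, keep the rest.
        for index, line in enumerate(lines):
            if pattern.search(line):
                return lines[index:]
        return []
    raise ValueError(f"unknown filter option: {option!r}")


def run_filtered(command, output_lines):
    """Filter captured output the way the command line asks for."""
    _show, option, regexp = split_filter(command)
    if option is None:
        return list(output_lines)
    return apply_filter(output_lines, option, regexp)


# Constructed lines in the style of the port detail output shown above.
SAMPLE_OUTPUT = [
    "Port: 2:1",
    "    Link State: Active",
    "    Flow Control: Rx-Pause: Enabled Tx-Pause: Disabled",
    "    Priority Flow Control: Disabled",
    "Port: 2:2",
    "    Link State: Ready",
    "    Flow Control: Rx-Pause: Enabled Tx-Pause: Disabled",
    "    Priority Flow Control: Disabled",
]

if __name__ == "__main__":
    cmd = 'show ports 2:1-2 information detail | include "(Port|Flow Control)"'
    for line in run_filtered(cmd, SAMPLE_OUTPUT):
        print(line)
```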
Chapter 2: Managing the Switch
This chapter includes the following sections:
● Overview
● Understanding the ExtremeXOS Shell
● Using the Console Interface
● Using the 10/100 Ethernet Management Port
● Using Ridgeline to Manage the Network
● Authenticating Users
● Using Telnet
● Using Secure Shell 2
● Using the Trivial File Transfer Protocol
● Understanding System Redundancy—Modular Switches and SummitStack Only
● Understanding Hitless Failover Support—Modular Switches and SummitStack Only
● Understanding Power Supply Management
● Using the Network Time Protocol
● Using the Simple Network Management Protocol
● Using the Simple Network Time Protocol
● Using Auto Provision of Edge Switches
● Access Profile Logging for HTTP/HTTPS
Overview
Using ExtremeXOS, you can manage the switch using the following methods:
● Access the command line interface (CLI) by connecting a terminal (or workstation with terminal-emulation software) to the console port.
● Access the switch remotely using TCP/IP through one of the switch ports or through the dedicated 10/100 unshielded twisted pair (UTP) Ethernet management port. Remote access includes:
  - Telnet using the CLI interface.
  - Secure Shell (SSH2) using the CLI interface.
● Simple Network Management Protocol (SNMP) access using Ridgeline® or another SNMP manager.
Download software updates and upgrades. For more information, see Appendix B, “Software
Upgrade and Boot Options.”
The switch supports up to the following number of concurrent user sessions:
● One console session—Two console sessions are available if two management modules are installed.
● Eight shell sessions
● Eight Telnet sessions
● Eight Trivial File Transfer Protocol (TFTP) sessions
● Eight SSH2 sessions
Understanding the ExtremeXOS Shell
When you log in to ExtremeXOS from a terminal, a shell prompt is displayed. At the prompt, input the
commands to be executed on the switch. After the switch processes and executes a command, the
results are relayed to and displayed on your terminal.
The shell supports ANSI, VT100, and XTERM terminal emulation and adjusts to the correct terminal
type and window size. In addition, the shell supports UNIX-style page view for page-by-page
command output capability.
By default, up to eight active shell sessions can access the switch concurrently; however, you can change
the number of simultaneous, active shell sessions supported by the switch. You can configure up to 16
active shell sessions. Configurable shell sessions include both Telnet and SSH connections (not console
CLI connections). If only eight active shell sessions can access the switch, a combination of eight Telnet
and SSH connections can access the switch even though Telnet and SSH each support eight connections.
For example, if you have six Telnet sessions and two SSH sessions, no one else can access the switch
until a connection is terminated or you access the switch via the console.
If you configure a new limit, only new incoming shell sessions are affected. If you decrease the limit
and the current number of sessions already exceeds the new maximum, the switch refuses only new
incoming connections until the number of shell sessions drops below the new limit. Already connected
shell sessions are not disconnected as a result of decreasing the limit.
To configure the number of shell sessions accepted by the switch, use the following command:
configure cli max-sessions
For more information about the line-editing keys that you can use with the XOS shell, see “Line-Editing
Keys” on page 48.
Using the Console Interface
The CLI built into the switch is accessible via:
● BlackDiamond X8 series: RJ-45 port for use with a rollover cable
● BlackDiamond 8800 series and all Summit switches: 9-pin, RS-232 ports.
On a modular switch, the console port is located on the front of the management module (MSM/MM).
On a stand-alone switch, the console port is located on the front panel.
NOTE
For more information on the console port pinouts, see the hardware installation guide that shipped with
your switch.
After the connection has been established, you see the switch prompt and you can log in.
Using the 10/100 Ethernet Management Port
The management module or Summit family switches provide a dedicated 10/100 Mbps or 10/100/1000
Mbps Ethernet management port. This port provides dedicated remote access to the switch using TCP/
IP. It supports the following management methods:
● Telnet/SSH2 using the CLI interface
● SNMP access using Ridgeline or another SNMP manager
The switch uses the Ethernet management port only for host operation, not for switching or routing.
The TCP/IP configuration for the management port is done using the same syntax as used for virtual
LAN (VLAN) configuration. The VLAN mgmt comes preconfigured with only the management port as a
member. The management port is a member of the virtual router VR-Mgmt.
When you configure the IP address for the VLAN mgmt, this address gets assigned to the primary
MSM/MM. You can connect to the management port on the primary MSM/MM for any switch
configuration. The management port on the backup MSM/MM is available only when failover occurs.
At that time, the primary MSM/MM relinquishes its role, the backup MSM/MM takes over, and the
VLAN mgmt on the new primary MSM/MM acquires the IP address of the previous primary MSM/
MM.
To configure the IP address and subnet mask for the VLAN mgmt, use the following command:
configure vlan mgmt ipaddress <ip_address>/<subnet_mask>
To configure the default gateway (you must specify VR-Mgmt for the management port and VLAN
mgmt), use the following command:
configure iproute add default <gateway> {<metric>} {multicast | multicast-only |
unicast | unicast-only} {vr <vrname>}
The following example configuration sets the management port IP address to 192.168.1.50, mask length
of 25, and configures the gateway to use 192.168.1.1:
configure vlan mgmt ipaddress 192.168.1.50/25
configure iproute add default 192.168.1.1 vr vr-mgmt
On a SummitStack, the master node is accessed using the management port primary IP address as
shown above for other platforms. The primary IP address is acquired by the backup node when it
becomes the master node due to a failover. You can also directly access any node in the stack using its
alternate IP address if the node's management port is connected to your network. For more information
see “Logging into a Stack” on page 153.
Using Ridgeline to Manage the Network
Ridgeline is a powerful yet easy-to-use application suite that facilitates the management of a network of
Extreme Networks switches, as well as selected third-party switches. Ridgeline offers a comprehensive
set of network management tools that are easy to use from a client workstation running Ridgeline client
software, or from a workstation configured with a web browser and the Java plug-in.
For more information about the Ridgeline management software available from Extreme Networks, go
to: http://www.extremenetworks.com.
To review the Ridgeline documentation, go to: http://www.extremenetworks.com/services/softwareuserguide.aspx.
Authenticating Users
ExtremeXOS provides three methods to authenticate users who log in to the switch:
● RADIUS client
● TACACS+
● Local database of accounts and passwords
NOTE
You cannot configure RADIUS and TACACS+ at the same time.
RADIUS Client
Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and
centrally administrating access to network nodes. The ExtremeXOS RADIUS client implementation
allows authentication for Telnet or console access to the switch.
For detailed information about RADIUS and configuring a RADIUS client, see Chapter 23, “Security.”
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing
authentication, authorization, and accounting on a central server, similar in function to the RADIUS
client. The ExtremeXOS version of TACACS+ is used to authenticate prospective users who are
attempting to administer the switch. TACACS+ is used to communicate between the switch and an
authentication database.
For detailed information about TACACS+ and configuring TACACS+, see Chapter 23, “Security.”
Management Accounts
ExtremeXOS supports two levels of management accounts (local database of accounts and passwords):
User and Administrator. A user level account can view but not change all manageable parameters, with
the exception of the user account database and SNMP community strings. An administrator level
account can view and change all manageable parameters.
For detailed information about configuring management accounts, see Chapter 1, “Getting Started.”
Using Telnet
ExtremeXOS supports the Telnet Protocol based on RFC 854. Telnet allows interactive remote access to a
device and is based on a client/server model. ExtremeXOS uses Telnet to connect to other devices from
the switch (client) and to allow incoming connections for switch management using the CLI (server).
This section describes the following topics:
● About the Telnet Client
● About the Telnet Server
● Connecting to Another Host Using Telnet
● Configuring Switch IP Parameters
● Configuring Telnet Access to the Switch
● Disconnecting a Telnet Session
● Access Profile Logging for Telnet
About the Telnet Client
Before you can start an outgoing Telnet session on the switch, you must set up the IP parameters
described in “Configuring Switch IP Parameters” on page 70. Telnet is enabled and uses VR-Mgmt by
default.
NOTE
Maximize the Telnet screen so that automatically updating screens display correctly.
If you use Telnet to establish a connection to the switch, you must specify the IP address or host name
of the device that you want to connect to. Check the user manual supplied with the Telnet facility if you
are unsure of how to do this.
After the connection is established, you see the switch prompt and you can log in.
The same is true if you use the switch to connect to another host. From the CLI, you must specify the IP
address or host name of the device that you want to connect to. If the host is accessible and you are
allowed access, you may log in.
For more information about using the Telnet client on the switch, see “Connecting to Another Host
Using Telnet” on page 70.
About the Telnet Server
Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP
network using VT100 terminal emulation.
Up to eight active Telnet sessions can access the switch concurrently. If you enable the idle timer using
the enable idletimeout command, the Telnet connection times out after 20 minutes of inactivity by
default. If a connection to a Telnet session is lost inadvertently, the switch terminates the session within
two hours.
The switch accepts IPv6 connections.
For information about the Telnet server on the switch, see the following sections:
● Configuring Telnet Access to the Switch
● Disconnecting a Telnet Session
Connecting to Another Host Using Telnet
You can Telnet from the current CLI session to another host using the following command:
telnet {vr <vr_name>} [<host_name> | <remote_ip>] {<port>}
NOTE
User-created VRs are supported only on the platforms listed for this feature in Appendix A, “Feature
License Requirements.”
If the TCP port number is not specified, the Telnet session defaults to port 23. If the virtual router name
is not specified, the Telnet session defaults to VR-Mgmt. Only VT100 emulation is supported.
You can use Telnet to access either the primary or the backup MSM/MM regardless of which console
port you are connected to. For more information see Chapter 1, “Getting Started.”
Configuring Switch IP Parameters
To manage the switch by way of a Telnet connection or by using an SNMP Network Manager, you must
first configure the switch IP parameters.
Using a BOOTP or DHCP Server
If you are using IP and you have a Bootstrap Protocol (BOOTP) server set up correctly on your network,
you must provide the following information to the BOOTP server:
● Switch Media Access Control (MAC) address, found on the rear label of the switch
● IP address
● Subnet address mask (optional)
The switch contains a BOOTP and Dynamic Host Configuration Protocol (DHCP) client, so if you have
a BOOTP or DHCP server in your IP network, you can have it assign IP addresses to the switch. This is
more likely to be desirable on the switch's VLAN mgmt than it is on any other VLANs.
You can enable the BOOTP or DHCP client per VLAN by using the following commands:
enable bootp vlan [<vlan> | all]
enable dhcp vlan [<vlan_name> | all]
You can disable the BOOTP or DHCP client per VLAN by using the following commands:
disable bootp vlan [<vlan> | all]
disable dhcp vlan [<vlan_name> | all]
To view the current state of the BOOTP or DHCP client, use the following command:
show dhcp-client state
NOTE
The ExtremeXOS DHCP client will discard the DHCP OFFER if the lease time is less than or equal to 2
seconds.
The switch does not retain IP addresses assigned by BOOTP or DHCP through a power cycle, even if
the configuration has been saved. To retain the IP address through a power cycle, you must configure
the IP address of the VLAN using the CLI or Telnet.
If you need the switch's MAC address to configure your BOOTP or DHCP server, you can find it on the
rear label of the switch. Note that all VLANs configured to use BOOTP or DHCP use the same MAC
address to get their IP address, so you cannot configure the BOOTP or DHCP server to assign multiple
specific IP addresses to a switch depending solely on the MAC address.
Manually Configuring the IP Settings
If you are using IP without a BOOTP server, you must enter the IP parameters for the switch in order
for the SNMP Network Manager or Telnet software to communicate with the device. To assign IP
parameters to the switch, you must perform the following tasks:
● Log in to the switch with administrator privileges using the console interface.
● Assign an IP address and subnet mask to a VLAN.
The switch comes configured with a default VLAN named default. To use Telnet or an SNMP
Network Manager, you must have at least one VLAN on the switch, and that VLAN must be
assigned an IP address and subnet mask. IP addresses are always assigned to each VLAN. The
switch can be assigned multiple IP addresses (one for each VLAN).
NOTE
For information on creating and configuring VLANs, see Chapter 12, “VLANs.”
To manually configure the IP settings:
1 Connect a terminal or workstation running terminal emulation software to the console port, as
detailed in “Using the Console Interface” on page 66.
2 At your terminal, press [Return] one or more times until you see the login prompt.
3 At the login prompt, enter your user name and password. The user name is not case-sensitive. The
password is case-sensitive. Ensure that you have entered a user name and password with
administrator privileges.
- If you are logging in for the first time, use the default user name admin to log in with
administrator privileges. For example:
login: admin
Administrator capabilities enable you to access all switch functions. The default user names have
no passwords assigned.
- If you have been assigned a user name and password with administrator privileges, enter them at
the login prompt.
4 At the password prompt, enter the password and press [Return].
When you have successfully logged in to the switch, the command line prompt displays the name of
the switch.
5 Assign an IP address and subnetwork mask for the default VLAN by using the following command:
configure {vlan} <vlan_name> ipaddress [<ipaddress> {<ipNetmask>} | ipv6-linklocal | {eui64} <ipv6_address_mask>]
For example:
configure vlan default ipaddress 123.45.67.8 255.255.255.0
The changes take effect immediately.
NOTE
As a general rule, when configuring any IP addresses for the switch, you can express a subnet mask by
using dotted decimal notation or by using classless inter-domain routing (CIDR) notation. CIDR uses a forward
slash plus the number of bits in the subnet mask. Using CIDR notation, the command equivalent to the previous
example is: configure vlan default ipaddress 123.45.67.8/24
6 Configure the default route for the switch using the following command:
configure iproute add default <gateway> {<metric>} {multicast | multicast-only |
unicast | unicast-only} {vr <vrname>}
For example:
configure iproute add default 123.45.67.1
7 Save your configuration changes so that they will be in effect after the next switch reboot.
- If you want to save your changes to the currently booted configuration, use the following
command:
save
- ExtremeXOS allows you to select or create a configuration file name of your choice to save the
configuration to. If you want to save your changes to an existing or new configuration file, use
the following command:
save configuration {primary | secondary | <existing-config> | <new-config>}
8 When you are finished using the facility, log out of the switch by typing:
logout or quit
Configuring Telnet Access to the Switch
By default, Telnet services are enabled on the switch and all virtual routers listen for incoming Telnet
requests. The switch accepts IPv6 connections.
NOTE
User-created VRs are supported only on the platforms listed for this feature in Appendix A, “Feature
License Requirements.”
The safe defaults mode runs an interactive script that allows you to enable or disable SNMP, Telnet, and
switch ports. When you set up your switch for the first time, you must connect to the console port to
access the switch. After logging in to the switch, you enter safe defaults mode. Although SNMP, Telnet,
and switch ports are enabled by default, the script prompts you to confirm those settings.
If you choose to keep the default setting for Telnet—the default setting is enabled—the switch returns
the following interactive script:
Since you have chosen less secure management methods, please remember to increase
the security of your network by taking the following actions:
* change your admin password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic
For more detailed information about safe defaults mode, see “Safe Defaults Setup Method” on page 51.
To configure the virtual router from which you receive a Telnet request, use the following command:
configure telnet vr [all | default | <vr_name>]
To change the default TCP port number, use the following command:
configure telnet port [<portno> | default]
The range for the port number is 1 through 65535. The following TCP port numbers are reserved and
cannot be used for Telnet connections: 22, 80, and 1023. If you attempt to configure a reserved port, the
switch displays an error message.
Viewing Telnet Information
To display the status of Telnet, including the current TCP port, the virtual router used to establish a
Telnet session, and whether ACLs are controlling Telnet access, use the following command:
show management
Disabling and Enabling Telnet
You can choose to disable Telnet by using the following command:
disable telnet
To re-enable Telnet on the switch, use the following command:
enable telnet
You must be logged in as an administrator to configure the virtual router(s) used by Telnet and to
enable or disable Telnet.
Disconnecting a Telnet Session
A person with an administrator level account can disconnect a Telnet management session. If this
happens, the user logged in by way of the Telnet connection is notified that the session has been
terminated.
To terminate a Telnet session:
1 Log in to the switch with administrator privileges.
2 Determine the session number of the session you want to terminate by using the following
command:
show session {{detail} {<sessID>}} {history}
3 Terminate the session by using the following command:
clear session [history | <sessId> | all]
Access Profile Logging for Telnet
By default, Telnet services are enabled on the switch. The access profile logging feature allows you to
use an ACL policy file or dynamic ACL rules to control access to Telnet services on the switch. When
access profile logging is enabled for Telnet, the switch logs messages and increments counters when
packets are denied access to Telnet. No messages are logged for permitted access.
You can manage Telnet access using one (not both) of the following methods:
● Create and apply an ACL policy file
● Define and apply individual ACL rules
One advantage of ACL policy files is that you can copy the file and use it on other switches. One
advantage to applying individual ACL rules is that you can enter the rules at the CLI command
prompt, which can be easier than opening, editing, and saving a policy file.
The following sections provide additional information on access profile logging for Telnet:
● ACL Match Conditions and Actions
● Limitations
● Managing ACL Policies for Telnet
● Managing ACL Rules for Telnet
● Misconfiguration Error Messages
● Sample ACL Policies
ACL Match Conditions and Actions
Chapter 18, “ACLs,” describes how to create ACL policies and rules using match conditions and
actions. Access profile logging supports the following match conditions and actions:
● Match conditions
- Source-address—IPv4 and IPv6
● Actions
- Permit
- Deny
If the ACL is created with more match conditions or actions, only those listed above are used for
validating the packets. All other conditions and actions are ignored.
The source-address field allows you to identify an IPv4 address, IPv6 address, or subnet mask for which
access is either permitted or denied.
Limitations
This feature has the following limitations:
● Either policy files or ACL rules can be associated with Telnet, but not both at the same time.
● Only source-address match is supported.
● Access-lists that are associated with one or more applications cannot be directly deleted. They must
be unconfigured from the application first and then deleted from the CLI.
● Default counter support is added only for ACL rules and not for policy files. For policy files you
must configure count action.
Managing ACL Policies for Telnet
Chapter 18, “ACLs,” describes how to create ACL policy files. To configure Telnet to use an ACL policy,
use the following command:
configure telnet access-profile <profile_name>
To configure Telnet to remove a previously configured ACL policy, use the following command:
configure telnet access-profile none
NOTE
Do not also apply the policy to the access list. Applying a policy to both an access profile and an access
list is neither necessary nor recommended.
Managing ACL Rules for Telnet
Before you can assign an ACL rule to Telnet, you must create a dynamic ACL rule as described in
Chapter 18, “ACLs.” To add or delete a rule for Telnet access, use the following command:
configure telnet access-profile [ <access_profile> | [[add <rule> ] [first | [[before
| after] <previous_rule>]]] | delete <rule> | none ]
To display the access-list permit and deny statistics for an application, use the following command:
show access-list counters process [snmp | telnet | ssh2 | http]
Misconfiguration Error Messages
The following messages can appear during configuration of policies or rules for the Telnet service:
● Rule <rule> is already applied
A rule with the same name is already applied to this service.
● Please remove the policy <policy> already configured, and then add rule <rule>
A policy file is already associated with the service. You must remove the policy before you can add a
rule.
● Rule <previous_rule> is not already applied
The specified rule has not been applied to the service, so you cannot add a rule in relation to that
rule.
● Rule <rule> is not applied
The specified rule has not been applied to the service, so you cannot remove the rule from the
service.
● Error: Please remove previously configured rule(s) before configuring policy <policy>
A policy or one or more ACL rules are configured for the service. You must remove the
policy or rules from the service before you can add a policy.
Sample ACL Policies
The following are sample policies that you can apply to restrict Telnet access.
In the following example named MyAccessProfile.pol, the switch permits connections from the subnet
10.203.133.0/24 and denies connections from all other addresses:
MyAccessProfile.pol
entry AllowTheseSubnets {
    if {
        source-address 10.203.133.0 /24;
    } then {
        permit;
    }
}
In the following example named MyAccessProfile.pol, the switch permits connections from the subnets
10.203.133.0/24 or 10.203.135.0/24 and denies connections from all other addresses:
MyAccessProfile.pol
entry AllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    } then {
        permit;
    }
}
In the following example named MyAccessProfile_2.pol, the switch does not permit connections from
the subnet 10.203.133.0/24 but accepts connections from all other addresses:
MyAccessProfile_2.pol
entry dontAllowTheseSubnets {
    if {
        source-address 10.203.133.0 /24;
    } then {
        deny;
    }
}
entry AllowTheRest {
    if {
        ; #none specified
    } then {
        permit;
    }
}
In the following example named MyAccessProfile_2.pol, the switch does not permit connections from
the subnets 10.203.133.0/24 or 10.203.135.0/24 but accepts connections from all other addresses:
MyAccessProfile_2.pol
entry dontAllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    } then {
        deny;
    }
}
entry AllowTheRest {
    if {
        ; #none specified
    } then {
        permit;
    }
}
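The following is an added example, not part of the Extreme Networks guide or the ExtremeXOS software: an offline checker for the policy syntax used in the samples above, so that you can confirm which source addresses a policy admits before applying it with configure telnet access-profile. It assumes that entries are evaluated top to bottom with the first match deciding, that a plain "if" behaves like "match all", and that an address matching no entry is denied (as the first sample describes); the function names are hypothetical.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample: the guide's last MyAccessProfile_2.pol, indented for reading.
SAMPLE_POLICY = """
entry dontAllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    } then {
        deny;
    }
}
entry AllowTheRest {
    if {
        ; #none specified
    } then {
        permit;
    }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if(?P<mode>\s+match\s+(?:any|all))?\s*"
    r"\{(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}",
    re.S,
)


class Entry(NamedTuple):
    name: str
    mode: str      # "any" or "all"
    nets: list     # parsed source-address networks (IPv4 or IPv6)
    action: str    # "permit" or "deny"
    ignored: list  # match conditions an access profile does not evaluate


def _statements(block):
    """Split a {...} body into ';'-terminated statements, dropping # comments."""
    block = re.sub(r"#.*", "", block)
    return [" ".join(s.split()) for s in block.split(";") if s.strip()]


def parse_policy(text):
    """Parse policy text into Entry tuples, preserving file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        # Assumption: a plain "if" behaves like "if match all".
        mode = "any" if "any" in (m.group("mode") or "") else "all"
        nets, ignored = [], []
        for stmt in _statements(m.group("cond")):
            key, _, rest = stmt.partition(" ")
            if key == "source-address":
                nets.append(ipaddress.ip_network(rest.replace(" ", ""), strict=False))
            else:
                ignored.append(stmt)  # the guide: only source-address is used
        verdicts = [a for a in _statements(m.group("act")) if a in ("permit", "deny")]
        if len(verdicts) != 1:
            raise ValueError(f"entry {m.group('name')}: need exactly one permit or deny")
        entries.append(Entry(m.group("name"), mode, nets, verdicts[0], ignored))
    return entries


def decide(entries, source):
    """Return (action, entry_name) for one source address."""
    addr = ipaddress.ip_address(source)
    for e in entries:  # assumption: the first matching entry decides
        hits = [addr in net for net in e.nets]
        # An entry with no usable condition matches every source.
        if not hits or (any(hits) if e.mode == "any" else all(hits)):
            return e.action, e.name
    return "deny", "(implicit)"  # nothing matched: denied, as in the first sample


def audit(text, must_permit=(), must_deny=()):
    """List problems to fix before applying the policy as an access profile."""
    entries = parse_policy(text)
    findings = [
        f"{e.name}: '{s}' is ignored; only source-address is matched"
        for e in entries for s in e.ignored
    ]
    for src in must_permit:
        action, by = decide(entries, src)
        if action != "permit":
            findings.append(f"{src} would be locked out by {by}")
    for src in must_deny:
        action, by = decide(entries, src)
        if action != "deny":
            findings.append(f"{src} would be admitted by {by}")
    return findings


if __name__ == "__main__":
    # Constructed check: a management station that sits inside a denied subnet.
    for line in audit(SAMPLE_POLICY, must_permit=["10.203.133.20"],
                      must_deny=["10.203.135.9"]):
        print(line)
```

Because conditions other than source-address are ignored, an entry whose only conditions are of another kind is modelled here as matching every source, which is why the audit reports each ignored condition.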
Using Secure Shell 2
The following sections describe this feature:
● SSH2 Overview
● Access Profile Logging for SSH2
SSH2 Overview
Secure Shell 2 (SSH2) is a feature of the ExtremeXOS software that allows you to encrypt session data
between a network administrator using SSH2 client software and the switch or send encrypted data
from the switch to an SSH2 client on a remote system. Configuration, image, public key, and policy files
can be transferred to the switch using the Secure Copy Protocol 2 (SCP2) or the Secure File Transfer
Protocol (SFTP).
The ExtremeXOS SSH2 switch application works with the following clients: PuTTY, SSH2 (version 2.x or
later) from SSH Communications Security, and OpenSSH (version 2.5 or later). OpenSSH uses the RCP
protocol, which has been disabled in the ExtremeXOS software for security reasons. Therefore,
OpenSSH SCP does not work with the ExtremeXOS SSH implementation. You can use OpenSSH SFTP
instead.
The switch accepts IPv6 connections.
Up to eight active SSH2 sessions can run on the switch concurrently. If you enable the idle timer using
the enable idletimeout command, the SSH2 connection times out after 20 minutes of inactivity by
default. If you disable the idle timer using the disable idletimeout command, the SSH2 connection
times out after 61 minutes of inactivity. If a connection to an SSH2 session is lost inadvertently, the
switch terminates the session within 61 minutes.
For detailed information about SSH2, see Chapter 23, “Security.”
Access Profile Logging for SSH2
The access profile logging feature allows you to use an ACL policy file or dynamic ACL rules to control
access to SSH2 services on the switch. When access profile logging is enabled for SSH2, the switch logs
messages and increments counters when packets are denied access to SSH2. No messages are logged for
permitted access.
You can manage SSH2 access using one (not both) of the following methods:
● Create and apply an ACL policy file
● Define and apply individual ACL rules
One advantage of ACL policy files is that you can copy the file and use it on other switches. One
advantage to applying individual ACL rules is that you can enter the rules at the CLI command
prompt, which can be easier than opening, editing, and saving a policy file.
The following sections provide additional information on access profile logging for SSH2:
● ACL Match Conditions and Actions
● Limitations
● Managing ACL Policies for SSH2
● Managing ACL Rules for SSH2
● Misconfiguration Error Messages
ACL Match Conditions and Actions
Chapter 18, “ACLs,” describes how to create ACL policies and rules using match conditions and
actions. Access profile logging supports the following match conditions and actions:
● Match conditions
- Source-address—IPv4 and IPv6
● Actions
- Permit
- Deny
If the ACL is created with more match conditions or actions, only those listed above are used for
validating the packets. All other conditions and actions are ignored.
The source-address field allows you to identify an IPv4 address, IPv6 address, or subnet mask for which
access is either permitted or denied.
Limitations
This feature has the following limitations:
● Either policy files or ACLs can be associated with SSH2, but not both at the same time.
● Only source-address match is supported.
● Access-lists that are associated with one or more applications cannot be directly deleted. They must
be unconfigured from the application first and then deleted from the CLI.
● Default counter support is added only for ACL rules and not for policy files. For policy files you
must configure count action.
Managing ACL Policies for SSH2
Chapter 18, “ACLs,” describes how to create ACL policy files. To configure SSH2 to use an ACL policy,
use the following command:
configure ssh2 access-profile <profile_name>
To configure SSH2 to remove a previously configured ACL policy, use the following command:
configure ssh2 access-profile none
Managing ACL Rules for SSH2
Before you can assign an ACL rule to SSH2, you must create a dynamic ACL rule as described in
Chapter 18, “ACLs.” To add or delete a rule for SSH2 access, use the following command:
configure ssh2 access-profile [ <access_profile> | [[add <rule> ] [first | [[before |
after] <previous_rule>]]] | delete <rule> | none ]
To display the access-list permit and deny statistics for an application, use the following command:
show access-list counters process [snmp | telnet | ssh2 | http]
Misconfiguration Error Messages
The following messages can appear during configuration of policies or rules for the SSH2 service:
● Rule <rule> is already applied
A rule with the same name is already applied to this service.
● Please remove the policy <policy> already configured, and then add rule <rule>
A policy file is already associated with the service. You must remove the policy before you can add a
rule.
● Rule <previous_rule> is not already applied
The specified rule has not been applied to the service, so you cannot add a rule in relation to that
rule.
● Rule <rule> is not applied
The specified rule has not been applied to the service, so you cannot remove the rule from the
service.
● Error: Please remove previously configured rule(s) before configuring policy <policy>
A policy or one or more ACL rules are configured for the service. You must remove the
policy or rules from the service before you can add a policy.
Using the Trivial File Transfer Protocol
ExtremeXOS supports the Trivial File Transfer Protocol (TFTP) based on RFC 1350. TFTP is a method
used to transfer files from one network device to another. The ExtremeXOS TFTP client is a command
line application used to contact an external TFTP server on the network. For example, ExtremeXOS uses
TFTP to download software image files, switch configuration files, and ACLs from a server on the
network to the switch.
Up to eight active TFTP sessions can run on the switch concurrently.
Extreme Networks recommends using a TFTP server that supports blocksize negotiation (as described
in RFC 2348, TFTP Blocksize Option), to enable faster file downloads and larger file downloads.
For additional information about TFTP, see the following chapters:
● For information about downloading software image files, BootROM files, and switch configurations,
see Appendix B, “Software Upgrade and Boot Options.”
● For information about downloading ACL (and other) policy files, see Chapter 17, “Policy Manager.”
● For information about using TFTP to transfer files to and from the switch, see Chapter 3, “Managing
the ExtremeXOS Software.”
● For information about configuring core dump files and transferring the core dump files stored on
your switch, see Appendix D, “Troubleshooting.”
Connecting to Another Host Using TFTP
You can TFTP from the current CLI session to another host to transfer files using the following
command:
tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local-file>} {-r <remote-file>} | {-r <remote-file>} {-l [internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local-file>]}]
NOTE
User-created VRs are supported only on the platforms listed for this feature in Appendix A, “Feature
License Requirements.”
The TFTP session defaults to port 69. If you do not specify a virtual router, VR-Mgmt is used.
For example, to connect to a remote TFTP server with an IP address of 10.123.45.67 and “get” or retrieve
an ExtremeXOS configuration file named XOS1.cfg from that host, use the following command:
tftp 10.123.45.67 -g -r XOS1.cfg
When you “get” the file via TFTP, the switch saves the file to the primary MSM/MM. If the switch
detects a backup MSM/MM in the running state, the file is replicated to the backup MSM/MM.
To view the files you retrieved, enter the ls command at the command prompt.
In addition to the tftp command, the following two commands are available for transferring files to
and from the switch:
● tftp get [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local_file>} {<remote_file>} | {<remote_file>} {[internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local_file>]}] {force-overwrite}
NOTE
User-created VRs are supported only on the platforms listed for this feature in Appendix A, “Feature
License Requirements.”
By default, if you transfer a file with a name that already exists on the system, the switch prompts
you to overwrite the existing file. For more information, see the tftp get command in the
ExtremeXOS Command Reference Guide.
● tftp put [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local_file>} {<remote_file>} | {<remote_file>} {[internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local_file>]}]
NOTE
User-created VRs are supported only on the platforms listed for this feature in Appendix A, “Feature
License Requirements.”
Understanding System Redundancy—Modular Switches and SummitStack Only
If you install two MSMs/MMs or nodes in the chassis, or if you configure two master-capable nodes in a
SummitStack, one assumes the role of primary (also called "master") and the other assumes the role of
backup. The primary MSM/MM or node provides all of the switch management functions including
bringing up and programming the I/O modules, running the bridging and routing protocols, and
configuring the switch. The primary MSM/MM or node also synchronizes the backup MSM/MM or
node in case it needs to take over the management functions if the primary MSM/MM or node fails.
For SummitStack, a node can be a redundant primary node if it has been configured to be master-capable.
To configure master capability on one or all nodes in a SummitStack, use one of the following
commands:
● configure stacking [node-address <node-address> | slot <slot-number>] alternate-ip-address [<ipaddress> <netmask> | <ipNetmask>] <gateway>
● configure stacking redundancy [none | minimal | maximal]
This section describes the following topics:
● Node Election
● Replicating Data Between Nodes
● Viewing Node Status
Node Election
Node election is based on leader election between the MSMs/MMs installed in the chassis, or master-capable
nodes present in a SummitStack. By default, the MSM/MM installed in slot A or the
SummitStack node in slot 1 has primary status. Each node uses health information about itself together
with a user configured priority value to compute its node role election priority. Nodes exchange their
node role election priorities. During the node election process, the node with the highest node role
election priority becomes the master or primary node, and the node with the second highest node role
election priority becomes the backup node. All other nodes (if any) remain in STANDBY state.
The primary node runs the switch management functions, and the backup node is fully prepared to
become the primary node if the primary fails. In SummitStack, nodes that remain in STANDBY state
(called Standby nodes) program their port hardware based on instructions received from the primary.
Standby nodes configured to be master-capable elect a new backup node from among themselves after a
failover has occurred.
Determining the Primary Node
The following parameters determine the primary node:
● Node state—The node state must be STANDBY to participate in leader election and be selected as
primary. If the node is in the INIT, DOWN, or FAIL states, it cannot participate in leader election.
For more information about the node states, see “Viewing Node Status” on page 85.
● Configuration priority—This is a user assigned priority. The configured priority is compared only
after the node meets the minimum thresholds in each category for it to be healthy. Required
processes and devices must not fail.
● Software health—This represents the percent of processes available.
● Health of secondary hardware components—This represents the health of the switch components,
such as power supplies, fans, and so forth.
● Slot ID—The MSM/MM slot where the node is installed (MSM-A or MSM-B), or the slot number
configured on a stack node.
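The following model is an added example, not ExtremeXOS code. It illustrates how the parameters above interact, together with the re-election of a backup among Standby nodes after a failover. The guide does not give the formula that combines health and priority, so the ordering used here (health as a pass/fail gate, then higher configured priority, then lower slot number) is an assumption, as are all class and function names.

```python
from dataclasses import dataclass


@dataclass
class Node:
    slot: int                    # MSM-A/MSM-B as 1/2, or the stack slot number
    priority: int = 0            # configured priority; 0 means not configured
    state: str = "STANDBY"       # INIT, STANDBY, MASTER, BACKUP, DOWN or FAIL
    healthy: bool = True         # assumed flag: required processes/devices are up
    master_capable: bool = True


def candidates(nodes):
    """Nodes allowed to compete: STANDBY state, healthy and master-capable."""
    eligible = [n for n in nodes
                if n.state == "STANDBY" and n.healthy and n.master_capable]
    # Assumed ordering: higher configured priority first, lower slot breaks ties.
    return sorted(eligible, key=lambda n: (-n.priority, n.slot))


def roles(nodes):
    """Snapshot of the current role of every node, keyed by slot."""
    return {n.slot: n.state for n in sorted(nodes, key=lambda n: n.slot)}


def elect(nodes):
    """Fill vacant MASTER and BACKUP roles; nodes already holding a role keep it."""
    for role in ("MASTER", "BACKUP"):
        if any(n.state == role for n in nodes):
            continue                      # priority matters only in STANDBY state
        ranked = candidates(nodes)
        if ranked:
            ranked[0].state = role
    return roles(nodes)


def fail_primary(nodes):
    """The primary fails: the backup takes over and a new backup is elected."""
    for n in nodes:
        if n.state == "MASTER":
            n.state = "FAIL"
        elif n.state == "BACKUP":
            n.state = "MASTER"
    return elect(nodes)


def restart(node, nodes):
    """A repaired node finishes initializing and rejoins in STANDBY state."""
    node.state = "STANDBY"
    return elect(nodes)


if __name__ == "__main__":
    stack = [Node(1), Node(2), Node(3)]      # constructed three-node stack
    print(elect(stack))                      # slot 1 MASTER, slot 2 BACKUP
    print(fail_primary(stack))               # slot 2 MASTER, slot 3 BACKUP
    print(restart(stack[0], stack))          # slot 1 returns as STANDBY
```
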
Configuring the Node Priority on a Modular Switch
To configure the priority of an MSM/MM node, use the following command:
configure node slot <slot_id> priority <node_pri>
If you do not configure any priorities, MSM-A has a higher priority than MSM-B. For the slot_id
parameter, enter A for the MSM/MM installed in slot A or B for the MSM/MM installed in slot B. By
default, the priority is 0 and the node priority range is 1 through 100. The higher the value, the higher
the priority.
Configuring the Node Priority on a SummitStack
To configure the priority of a node in a SummitStack, use the following command:
configure stacking {node-address <node-address> | slot <slot-number>} priority [<nodepri> | automatic]
If you do not configure any priorities, slot 1 has the highest priority, slot 2 the second highest priority,
and so forth in order of increasing slot number. Enter a number from 1 through 8 for the slot-number.
You may also use the factory assigned MAC address as the node-address value. By default the priority
is "automatic" and the node-pri value is any number between 1 and 100. The higher the value, the
higher the priority.
Relinquishing Primary Status
Before relinquishing primary status and initiating failover, review the section “Synchronizing Nodes—
Modular Switches and SummitStack Only” on page 1500 to confirm that your platform and both
installed MSMs/MMs or master-capable nodes are running software that supports the synchronize
command.
You can cause the primary to fail over to the backup, thereby relinquishing its primary status. To cause
the failover:
1 Use the show switch {detail} command on the primary or the backup node to confirm that the
nodes are synchronized and have identical software and switch configurations before failover. The
output displays the status of the nodes, with the primary node showing MASTER and the backup
node showing BACKUP (InSync).
A node may not be synchronized because checkpointing did not occur, incompatible software is
running on the primary and backup, or the backup is down.
● If the nodes are not synchronized and both nodes are running a version of ExtremeXOS that
supports synchronization, proceed to step 2.
● If the nodes are synchronized, proceed to step 3.
2 If the nodes are not synchronized because of incompatible software, use the synchronize command
to ensure that the backup has the same software in flash as the primary.
The synchronize command:
● Reboots the backup node to prepare it for synchronizing with the primary node
● Copies both the primary and secondary software images
● Copies both the primary and secondary configurations
● Reboots the backup node after replication is complete
After you confirm the nodes are synchronized, proceed to step 3.
3 If the nodes are synchronized, use the run failover {force} command to initiate failover from
the primary node to the backup node. The backup node then becomes the primary node and the
original primary node reboots.
Replicating Data Between Nodes
ExtremeXOS replicates configuration and run-time information between the primary node and the
backup node so that the system can recover if the primary fails. This method of replicating data is
known as checkpointing. Checkpointing is the process of automatically copying the active state from the
primary to the backup, which allows for state recovery if the primary fails.
Replicating data consists of the following three steps:
1 Configuration synchronization—Relays current and saved configuration information from the
primary to the backup
2 Bulk checkpoint—Ensures that each individual application running on the system is synchronized
with the backup
3 Dynamic checkpoint—Checkpoints any new state changes from the primary to the backup
To monitor the checkpointing status, use the show checkpoint-data {<process>} command.
Data is not replicated from the primary to the standby nodes.
Relaying Configuration Information
To facilitate a failover from the primary node to the backup node, the primary transfers its active
configuration to the backup. Relaying configuration information is the first level of checkpointing.
During the initial switch boot-up, the primary’s configuration takes effect. During the initialization of a
node, its configuration is read from the local flash. After the primary and backup nodes have been
elected, the primary transfers its current active configuration to the backup. After the primary and
backup nodes are synchronized, any configuration change you make to the primary is relayed to the
backup and incorporated into the backup’s configuration copy.
NOTE
To ensure that all of the configuration commands in the backup’s flash are updated, issue the save
command after you make any changes. On a SummitStack, the save configuration command will normally
save the primary node's configuration file to all active nodes in the SummitStack.
If a failover occurs, the backup node continues to use the primary’s active configuration. If the backup
determines that it does not have the primary’s active configuration because a run-time synchronization
did not happen, the switch or SummitStack reboots. Because the backup always uses the primary’s
active configuration, the active configuration remains in effect regardless of the number of failovers.
NOTE
If you issue the reboot command before you save your configuration changes, the switch prompts you to
save your changes. To keep your configuration changes, save them before you reboot the switch.
Bulk Checkpointing
Bulk checkpointing causes the primary and backup run-time states to be synchronized. Since
ExtremeXOS runs a series of applications, an application starts checkpointing only after all of the
applications it depends on have transferred their run-time states to the backup MSM/MM node.
After one application completes bulk checkpointing, the next application proceeds with its bulk
checkpointing.
To monitor the checkpointing status, use the show checkpoint-data {<process>} command.
To see if bulk checkpointing is complete, that is, to see if the backup node is fully synchronized (In
Sync) with the primary node, use the show switch {detail} command.
If a failover occurs before bulk checkpointing is complete, the switch or SummitStack reboots. However,
once bulk checkpointing is complete, failover is possible without a switch or SummitStack reboot.
Dynamic Checkpointing
After an application transfers its saved state to the backup node, dynamic checkpointing requires that
any new configuration information or state changes that occur on the primary be immediately relayed
to the backup. This ensures that the backup has the most up-to-date and accurate information.
Viewing Checkpoint Statistics
To view and check the status of one or more processes being copied from the primary to the backup
node, use the following command:
show checkpoint-data {<process>}
This command is also helpful in debugging synchronization problems that occur at run time.
This command displays, in percentages, the amount of copying completed by each process and the
traffic statistics between the process on both the primary and the backup nodes.
Viewing Node Status
ExtremeXOS allows you to view node statistical information. Each node in a modular switch, or
stackable switch in a SummitStack installed in your system is self-sufficient and runs the ExtremeXOS
management applications. By reviewing this output, you can see the general health of the system along
with other node parameters.
To view node status, use the following command:
show node {detail}
In a SummitStack, the "show stacking" command will show the node roles of active nodes.
Table 13 lists the node status collected by the switch.
Table 13: Node States

| Node State | Description |
|---|---|
| BACKUP | In the backup state, this node becomes the primary node if the primary fails or enters the DOWN state. The backup node also receives the checkpoint state data from the primary. |
| DOWN | In the down state, the node is not available to participate in leader election. The node enters this state during any user action, other than a failure, that makes the node unavailable for management. Examples of user actions are: upgrading the software; rebooting the system using the reboot command; initiating an MSM/MM failover using the run failover command; synchronizing the MSM/MM software and configuration in non-volatile storage using the synchronize command. |
| FAIL | In the fail state, the node has failed and needs to be restarted or repaired. The node reaches this state if the system has a hardware or software failure. |
| INIT | In the initial state, the node is being initialized. A node stays in this state when it is coming up and remains in this state until it has been fully initialized. Being fully initialized means that all of the hardware has been initialized correctly and there are no diagnostic faults. |
| MASTER | In the primary (master) state, the node is responsible for all switch management functions. |
| STANDBY | In the standby state, leader election occurs—the primary and backup nodes are elected. The priority of the node is only significant in the standby state. In SummitStack, there can be more than two master-capable nodes. All such nodes that do not get elected either Master or Backup remain in Standby state. |
Understanding Hitless Failover Support—Modular Switches and SummitStack Only
The term hitless failover has slightly different meanings on a modular chassis and a SummitStack. On a
modular chassis, MSMs/MMs do not directly control customer ports; such ports are directly controlled
by separate processors. However, a SummitStack node has customer ports that are under the control of
its single central processor. When a modular chassis MSM/MM failover occurs, all of the ports in the
chassis are under the control of separate processors which can communicate with the backup MSM/MM,
so all ports continue to function. In a SummitStack, failure of the primary node results in all ports
that require that node's processor for normal operation going down. The remaining SummitStack nodes'
ports continue to function normally. Aside from this difference, hitless failover is the same on modular
chassis and SummitStack.
NOTE
BlackDiamond 8500 modules and BlackDiamond 12802 switches do not support hitless failover.
As described in the section, “Understanding System Redundancy—Modular Switches and SummitStack
Only” on page 81, if you install two MSMs/MMs (nodes) in a chassis or if you configure at least two
master-capable nodes in a SummitStack, one assumes the role of primary and the other assumes the role
of backup. The primary node provides all of the switch management functions including bringing up
and programming the I/O modules or other (Standby) nodes in the SummitStack, running the bridging
and routing protocols, and configuring the switch. The primary node also synchronizes the backup
node in case it needs to take over the management functions if the primary node fails.
The configuration is one of the most important pieces of information checkpointed to the backup node.
Each component of the system needs to checkpoint whatever runtime data is necessary to allow the
backup node to take over as the primary node if a failover occurs, including the protocols and the
hardware dependent layers. For more information about checkpointing data and relaying configuration
information, see “Replicating Data Between Nodes” on page 83.
Not all protocols support hitless failover; see Table 14 for a detailed list of protocols and their support.
Layer 3 forwarding tables are maintained for pre-existing flows, but subsequent behavior depends on
the routing protocols used. Static Layer 3 configurations and routes are hitless. You must configure
OSPF graceful restart for OSPF routes to be maintained, and you must configure BGP graceful restart
for BGP routes to be maintained. For more information about OSPF, see Chapter 35, “OSPF
Commands,” and for more information about BGP, see Chapter 38, “BGP.” For routing protocols that do
not support hitless failover, the new primary node removes and re-adds the routes.
Protocol Support for Hitless Failover
Table 14 summarizes the protocol support for hitless failover. Unless otherwise noted, the behavior is
the same for all modular switches.
If a protocol indicates support for hitless failover, additional information is also available in that
particular chapter. For example, for information about network login support of hitless failover, see
Chapter 21, “Network Login.”
Table 14: Protocol Support for Hitless Failover

| Protocol | Behavior | Hitless |
|---|---|---|
| Bootstrap Protocol Relay | All bootprelay statistics (including option 82 statistics) are available on the backup node also. | Yes |
| Border Gateway Protocol (BGP) | If you configure BGP graceful restart, by default the route manager does not delete BGP routes until 120 seconds after failover occurs. There is no traffic interruption. However, after BGP comes up after restart, BGP re-establishes sessions with its neighbors and relearns routes from all of them. This causes an increase in control traffic onto the network. If you do not configure graceful restart, the route manager deletes all BGP routes 1 second after the failover occurs, which results in a traffic interruption in addition to the increased control traffic. | Yes |
| Connectivity Fault Management (IEEE 802.1ag) | An ExtremeXOS process running on the active MSM/MM should continuously send the MEP state changes to the backup. Replicating the protocol packets from an active MSM/MM to a backup may be a huge overhead if CCMs are to be initiated/received in the CPU and if the CCM interval is in the order of milliseconds. RMEP timeout does not occur on a remote node during the hitless failover. RMEP expiry time on the new master node in case of double failures, when the RMEP expiry timer is already in progress, is as follows: RMEP Expiry Time = elapsed expiry time on the master node + 3.5 * ccmIntervaltime + MSM convergence time. | Yes |
| Dynamic Host Configuration Protocol client | The IP addresses learned on all DHCP enabled VLANs are retained on the backup node after failover. | Yes |
| Dynamic Host Configuration Protocol server | A DHCP server continues to maintain the IP addresses assigned to various clients and the lease times even after failover. When a failover happens, all the clients work as earlier. | Yes |
| Ethernet Automatic Protection Switching (EAPS) | The primary node replicates all EAPS BPDUs to the backup, which allows the backup to be aware of the state of the EAPS domain. Since both primary and backup nodes receive EAPS BPDUs, each node maintains equivalent EAPS states. By knowing the state of the EAPS domain, the EAPS process running on the backup node can quickly recover after a primary node failover. Although both primary and backup nodes receive EAPS BPDUs, only the primary transmits EAPS BPDUs to neighboring switches and actively participates in EAPS. | Yes |
| Extreme Discovery Protocol (EDP) | EDP does not checkpoint protocol data units (PDUs) or states, so the backup node does not have the neighbor’s information. If the backup node becomes the primary node, and starts receiving PDUs, the new primary learns about its neighbors. | No |
| Extreme Loop Recovery Protocol (ELRP) | If you use ELRP as a standalone tool, hitless failover support is not needed since you initiate the loop detection. If you use ELRP in conjunction with ESRP, ELRP does not interfere with the hitless failover support provided by ESRP. Although there is no hitless failover support in ELRP itself, ELRP does not affect the network behavior if a failover occurs. | No |
| Extreme Standby Router Protocol (ESRP) | If failover occurs on the ESRP MASTER switch, it sends a hello packet with the HOLD bit set. On receiving this packet, the ESRP SLAVE switch freezes all further state transitions. The MASTER switch keeps sending hellos with the HOLD bit set on every hello interval. When the MASTER is done with its failover, it sends another hello with the HOLD bit reset. The SLAVE switch resumes normal processing. (If no packet is received with the HOLD bit reset, the SLAVE times out after a certain time interval and resumes normal processing.) Failover on the ESRP SLAVE switch is of no importance because it is the SLAVE switch. | Yes |
| Intermediate System-Intermediate System (IS-IS) | If you configure IS-IS graceful restart, there is no traffic interruption. However, after IS-IS comes up after restart, IS-IS re-establishes sessions with its neighbors and relearns Link State Packets (LSPs) from all of the neighbors. This causes an increase in network control traffic. If you do not configure graceful restart, the route manager deletes all IS-IS routes 1 second after the failover occurs, which results in a traffic interruption and increased control traffic. IS-IS for IPv6 does not support hitless restart. | IS-IS (IPv4): Yes; IS-IS (IPv6): No |
| Link Aggregation Control Protocol (LACP) | If the backup node becomes the primary node, there is no traffic disruption. | Yes |
| Link Layer Discovery Protocol (LLDP) | Since LLDP is more of a tool than a protocol, there is no hitless failover support. LLDP is similar to EDP, but there is also a MIB interface to query the information learned. After a failover, it takes 30 seconds or greater before the MIB database is fully populated again. | No |
| Multicast Source Discovery Protocol (MSDP) | If the active MSM/MM fails, the MSDP process loses all state information and the standby MSM/MM becomes active. However, the failover from the active MSM/MM to the standby MSM/MM causes MSDP to lose all state information and dynamic data, so it is not a hitless failover. | No |
| Multi-switch Link Aggregation Group (MLAG) | All MLAG user configuration is executed on both Master and Backup nodes. Both nodes open health-check and checkpoint listening sockets on the respective well-known ports. All FDB entries and IPMC group/cache information that were received through ISC checkpointing are synchronized to the backup node. After failover, the TCP session, which is handled by the failed master, tears down and there is a new session with the MLAG peer switch. After the failover, the FDB & McMgr processes trigger bulk checkpointing of all their entries to the MLAG peer upon receiving ISC up notification. | Yes |
| Network Login | 802.1x Authentication: Authenticated clients continue to remain authenticated after failover. However, 1 second after failover, all authenticated clients are forced to re-authenticate themselves. Information about unauthenticated clients is not checkpointed so any such clients that were in the process of being authenticated at the instant of failover must go through the authentication process again from the beginning after failover. | Yes |
| Network Login (continued) | MAC-Based Authentication: Authenticated clients continue to remain authenticated after failover so the failover is transparent to them. Information about unauthenticated clients is not checkpointed so any such clients that were in the process of being authenticated at the instant of failover must go through the authentication process again from the beginning after failover. In the case of MAC-Based authentication, the authentication process is very short with only a single packet being sent to the switch so it is expected to be transparent to the client stations. | Yes |
| Network Login (continued) | Web-Based Authentication: Web-based Netlogin users continue to be authenticated after a failover. | Yes |
| Open Shortest Path First (OSPF) | If you configure OSPF graceful restart, there is no traffic interruption. However, after OSPF comes up after restart, OSPF re-establishes sessions with its neighbors and relearns Link State Advertisements (LSAs) from all of the neighbors. This causes an increase in control traffic onto the network. If you do not configure graceful restart, the route manager deletes all OSPF routes 1 second after the failover occurs, which results in a traffic interruption in addition to the increased control traffic. | Yes |
| Open Shortest Path First v3 (OSPFv3) | OSPFv3 does not support graceful restart, so the route manager deletes all OSPFv3 routes 1 second after the failover occurs. This results in a traffic interruption. After OSPFv3 comes up on the new primary node, it relearns the routes from its neighbors. This causes an increase in control traffic onto the network. | No |
| Power over Ethernet (PoE) | The PoE configuration is checkpointed to the backup node. This ensures that if the backup takes over, all ports currently powered stay powered after the failover and the configured power policies are still in place. This behavior is applicable only on the BlackDiamond 8800 series switches and SummitStack. | Yes |
| Protocol Independent Multicast (PIM) | After a failover, all hardware and software caches are cleared and learning from the hardware is restarted. This causes a traffic interruption since it is the same as if the switch rebooted for all Layer 3 multicast traffic. | No |
| Routing Information Protocol (RIP) | RIP does not support graceful restart, so the route manager deletes all RIP routes 1 second after the failover occurs. This results in a traffic interruption as well as an increase in control traffic as RIP re-establishes its database. | No |
| Routing Information Protocol next generation (RIPng) | RIPng does not support graceful restart, so the route manager deletes all RIPng routes 1 second after the failover occurs. This results in a traffic interruption. After RIPng comes up on the new primary node, it relearns the routes from its neighbors. This causes an increase in control traffic onto the network. | No |
| Simple Network Time Protocol Client | SNTP client will keep the backup node updated about the last server from which a valid update was received, the time at which the last update was received, whether the SNTP time is currently good or not and all other statistics. | Yes |
| Spanning Tree Protocol (STP) | STP supports hitless failover including catastrophic failure of the primary node without interruption. There should be no discernible network event external to the switch. The protocol runs in lock step on both master and backup nodes and the backup node is a hot spare that can take over at any time with no impact on the network. | Yes |
| Virtual Router Redundancy Protocol (VRRP) | VRRP supports hitless failover. The primary node replicates VRRP PDUs to the backup, which allows the primary and backup nodes to run VRRP in parallel. Although both nodes receive VRRP PDUs, only the primary transmits VRRP PDUs to neighboring switches and participates in VRRP. | Yes |
Platform Support for Hitless Failover
Table 15 lists when each platform and management module began supporting hitless failover for a
specific protocol. If you are running an earlier version of ExtremeXOS than that listed in the
ExtremeXOS version column, the switch does not support hitless failover for that protocol.
Hitless failover requires a switch with two MSMs/MMs installed.
Remember, as described in Table 14, not all protocols support hitless failover.
Table 15: Platform Support for Hitless Failover

| Platform | Management Module | Protocol | ExtremeXOS Version |
|---|---|---|---|
| BlackDiamond 8800 series switches | MSM-48c | BGP graceful restart | 12.1 |
| | | EAPS | 12.1 |
| | | ESRP | 12.1 |
| | | LACP | 12.1 |
| | | MLAG | 12.5 |
| | | Network login | 12.1 |
| | | OSPF graceful restart | 12.1 |
| | | PoE | 12.1 |
| | | STP | 12.1 |
| | | VRRP | 12.1 |
| | | IS-IS graceful restart | 12.1 |
| | 8900-MSM128 | BGP graceful restart | 12.3 |
| | | EAPS | 12.3 |
| | | ESRP | 12.3 |
| | | LACP | 12.3 |
| | | MLAG | 12.5 |
| | | Network login | 12.3 |
| | | OSPF graceful restart | 12.3 |
| | | PoE | 12.3 |
| | | STP | 12.3 |
| | | VRRP | 12.3 |
| | | IS-IS graceful restart | 12.3 |
| BlackDiamond X8 switch | MM | All applicable | 15.1 |
| SummitStack | Any Summit family switch except the Summit X150, X350, and X440-L2 series (features available depend on license level) | BGP graceful restart | 12.0 |
| | | EAPS | 12.0 |
| | | ESRP | 12.0 |
| | | LACP | 12.0 |
| | | MLAG | 12.5 |
| | | Network login | 12.0 |
| | | OSPF graceful restart | 12.0 |
| | | STP | 12.0 |
| | | VRRP | 12.0 |
| | | IS-IS graceful restart | 12.1 |
Hitless Failover Caveats
This section describes the caveats for hitless failover. Check the latest version of the ExtremeXOS release
notes for additional information.
Caveat for BlackDiamond 8800 Series Switches Only
The following summary describes the hitless failover caveat for BlackDiamond 8800 series switches:
● I/O modules not yet in the Operational state are powered off and the card state machine is
restarted to bring them to the Operational state. This results in a
delay in the I/O module becoming Operational.
Caveats for a SummitStack
The following describes the hitless failover caveats for a SummitStack:
● All customer ports and the stacking links connected to the failed primary node will go down. In the
recommended stack ring configuration, the stack becomes a daisy chain until the failed node restarts
or is replaced.
● A brief traffic interruption (less than 50 milliseconds) can occur when the traffic on the ring is
rerouted because the active topology becomes a daisy chain.
● Since the SummitStack can contain more than two master-capable nodes, it is possible to
immediately elect a new backup node. If a new backup node is elected, when the original primary
node restarts, it will become a standby node.
● To simulate the behavior of a chassis, a MAC address of one of the nodes is designated as the seed to
form a stack MAC address. When a failover occurs, the SummitStack continues to be identified with
this address.
ExtremeXOS Concepts Guide, Software Version 15.2
91
Chapter 2: Managing the Switch
●
During an OSPF graceful restart, the SummitStack successfully restores the original link state
database only if the OSPF network remains stable during the restart period. If the failed primary
node provided interfaces to OSPF networks, the link state database restoration is prematurely
terminated, and reconvergence occurs in the OSPF network due to the failover. See
Chapter 35, “OSPF,” for a description of OSPF and the graceful restart function.
●
During a BGP graceful restart, the SummitStack successfully restores the BGP routing table only if
the BGP network remains stable during the restart period. If a receiving speaker detected the need for
a routing change due to the failure of links on the failed primary node, it deletes any previous
updates it received from the restarting speaker (the SummitStack) before the restart occurred.
Consequently, reconvergence occurs in the BGP network due to the failover. See Chapter 38, “BGP,”
for a description of BGP and its graceful restart function.
Understanding Power Supply Management
This section describes how ExtremeXOS manages power consumption on the switch:
● Using Power Supplies—Modular Switches Only
● Using Power Supplies—Summit Family Switches Only
● Using Power Supplies - SummitStack Only
● Displaying Power Supply Information
● Power Visualization
Using Power Supplies—Modular Switches Only
ExtremeXOS monitors and manages power consumption on the switch by periodically checking the
power supply units (PSUs) and testing them for failures. To determine the health of the PSU,
ExtremeXOS checks the voltage, current, and temperature of the PSU.
The power management capability of ExtremeXOS:
● Protects the system from overload conditions
● Monitors all installed PSUs, even installed PSUs that are disabled
● Enables and disables PSUs as required
● Powers up or down I/O and/or Fabric modules based on available power and required power resources
● Logs power resource changes, including power budget, total available power, redundancy, and so on
● Detects and isolates faulty PSUs
The switch includes two power supply controllers that collect data from the installed PSUs and report
the results to the MSM/MM modules. When you first power on the switch, the power supply
controllers enable a PSU. As part of the power management function, the power controller disables the
PSU if an unsafe condition arises. For more information about the power supply controller, refer to the
hardware documentation which is listed in the Preface.
If you have a BlackDiamond 8000 series Power over Ethernet (PoE) I/O module installed in a
BlackDiamond 8800 series switch, there are specific power budget requirements and configurations
associated with PoE that are not described in this section. For more detailed information about PoE, see
Chapter 10, “PoE.”
ExtremeXOS includes support for the 600/900 W AC PSU for the BlackDiamond 8806 switch. You can
mix existing 700/1200 W AC PSUs and 600/900 W AC PSUs in the same chassis; however, you must be
running ExtremeXOS 11.6 or later to support the 600/900 W AC PSUs. If you install the 600/900 W AC
PSU in a chassis other than the BlackDiamond 8806, ExtremeXOS provides enough power to boot-up
the chassis, display a warning message in the log, and disable the PSU. If this occurs, you see a message
similar to the following:
<Warn:HAL.Sys.Warning>MSM-A:Power supply in slot 6 is not supported and is being
disabled.
When a combination of 700/1200 W AC PSUs and 600/900 W AC PSUs are powered on in the same
BlackDiamond 8806 chassis, all 700/1200 W AC PSUs are budgeted “down” to match the lower
powered 600/900 W AC output values to avoid PSU shutdown. For more information about the
600/900 W AC PSU, refer to the hardware documentation which is listed in the Preface.
This section describes the following power management topics:
● Initial System Boot Up
● Power Redundancy
● Power Management Guidelines
● Overriding Automatic Power Supply Management
Initial System Boot Up
When ExtremeXOS boots up, it reads and analyzes the installed I/O modules (BlackDiamond 8800 and
X8) and Fabric modules (BlackDiamond X8 series only). ExtremeXOS prioritizes the powering up of
modules as follows (see Figure 1):
● BlackDiamond X8: Fabric modules are considered first for power up from the lowest numbered slot to the highest numbered slot, based on their power requirements and the available system power. I/O modules are then given priority from lowest numbered slot to highest numbered slot.
● BlackDiamond 8800 series: I/O modules are considered for power up from the lowest numbered slot to the highest numbered slot, based on their power requirements and the available system power.
If the system does not have enough power, some modules are not powered up.
Figure 1: I/O and Fabric Module Power Priority
[Figure: priority runs from highest to lowest. BlackDiamond X8: Fabric modules, lowest slot number to highest slot number. BlackDiamond 8800 and X8: I/O modules, lowest slot number to highest slot number.]
For example, ExtremeXOS:
● Collects information about the PSUs installed to determine how many are running and how much power each can supply.
● Checks for PSU failures.
● Calculates the number of Fabric (BlackDiamond X8 only) and I/O modules to power up based on the available power budget and the power requirements of each I/O module, including PoE requirements for the BlackDiamond 8000 series PoE I/O module.
● Reserves the amount of power required to power up a second MSM/MM if only one MSM/MM is installed.
● Reserves the amount of power required to power all fans and chassis components.
● Calculates the current power surplus or shortfall.
● Logs and sends SNMP traps for transitions in the overall system power status, including whether the available amount of power is:
  - Redundant or N+1—Power from a single PSU can be lost and no I/O or Fabric (BlackDiamond X8 only) modules are powered down.
  - Sufficient, but not redundant—Power from a single PSU is lost, and one or more I/O modules (and then Fabric modules, for BlackDiamond X8 only) are powered down.
  - Insufficient—One or more modules are not powered up due to a shortfall of available power.
For the order of module priority during power-up, see Figure 1.
By reading the PSU information, ExtremeXOS determines the power status and the total amount of
power available to the system. The total power available determines which I/O and Fabric
(BlackDiamond X8 series only) modules can be powered up.
Power Redundancy
In simple terms, power redundancy (N+1) protects the system from shutting down. With redundancy, if
the output of one PSU is lost for any reason, the system remains fully powered. In this scenario, N is the
minimum number of power supplies needed to keep the system fully powered and the system has N+1
PSUs powered.
If the system power status is not redundant, the removal of one PSU, the loss of power to one PSU, or a
degradation of input voltage results in insufficient power to keep all of the I/O and Fabric
(BlackDiamond X8 series only) modules powered up. If there is not enough power, ExtremeXOS powers
down the modules as follows:
● BlackDiamond X8: I/O modules from the highest numbered slot to lowest numbered slot are powered down, and then Fabric modules from the highest numbered slot to lowest numbered slot are powered down until the switch has enough power to continue operation (see Figure 1).
● BlackDiamond 8800 series: I/O modules from the highest numbered slot to lowest numbered slot are powered down until the switch has enough power to continue operation (see Figure 1).
If you install or provide power to a new PSU, modules powered down due to earlier insufficient power
are considered for power up from the lowest slot number to the highest slot number, based on the
module’s power requirements (see Figure 1).
Whenever the system experiences a change in power redundancy, including a change in the total
available power, degraded input voltage, or a return to redundant power, the switch sends messages to
the syslog.
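The power-up priority and the three power states described above can be modeled as follows. This is an added example, not ExtremeXOS code: the wattages, the reserve figure and all function names are constructed, and it assumes that a module which does not fit the remaining budget is skipped while later modules are still considered.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    kind: str   # "fabric" (BlackDiamond X8 only) or "io"
    slot: int
    watts: int  # power requirement (constructed values)


def priority_order(modules):
    """Fabric modules first, then I/O modules, each lowest slot first."""
    return sorted(modules, key=lambda m: (m.kind != "fabric", m.slot))


def power_up(modules, psu_watts, reserved_watts):
    """Consider modules in priority order against the available budget.

    reserved_watts stands for the power set aside for fans, chassis
    components and a second MSM/MM. Assumption: a module that does not
    fit is skipped and the next module is still considered.
    """
    budget = sum(psu_watts) - reserved_watts
    powered, not_powered = [], []
    for module in priority_order(modules):
        if module.watts <= budget:
            budget -= module.watts
            powered.append(module)
        else:
            not_powered.append(module)
    return powered, not_powered


def shed_load(powered, psu_watts, reserved_watts):
    """Power down in reverse priority until the remaining load fits.

    I/O modules go first from the highest slot down, then Fabric modules
    from the highest slot down.
    """
    budget = sum(psu_watts) - reserved_watts
    kept = priority_order(powered)
    shed = []
    while kept and sum(m.watts for m in kept) > budget:
        shed.append(kept.pop())
    return kept, shed


def power_status(modules, psu_watts, reserved_watts):
    """Classify the system as redundant, sufficient or insufficient."""
    powered, not_powered = power_up(modules, psu_watts, reserved_watts)
    if not_powered:
        return "insufficient"
    # Worst single failure: lose the PSU with the largest output.
    survivors = sorted(psu_watts)[:-1]
    _, shed = shed_load(powered, survivors, reserved_watts)
    return "redundant" if not shed else "sufficient, not redundant"


# Constructed chassis: two Fabric modules and four I/O modules.
MODULES = [
    Module("io", 1, 450), Module("io", 2, 450),
    Module("io", 3, 450), Module("io", 4, 450),
    Module("fabric", 1, 300), Module("fabric", 2, 300),
]
RESERVED = 400  # constructed reserve for fans, chassis and second MM

if __name__ == "__main__":
    for count in (4, 3, 2):
        psus = [1200] * count
        print(count, "PSUs:", power_status(MODULES, psus, RESERVED))
```

Running the same model against a planned chassis layout shows which slots lose power first after a PSU failure, which is useful when deciding where to place the modules that carry critical links.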
Power Management Guidelines
The following list describes some key issues to remember when identifying your power needs and
installing PSUs:
● If you disable a slot, the module installed in that slot is always powered down regardless of the number of PSUs installed.
● If a switch has PSUs with a mix of both 220V AC and 110V AC inputs, ExtremeXOS maximizes system power by automatically taking one of two possible actions:
  - If all PSUs are enabled then all PSUs must be budgeted at 110V AC to prevent overload of PSUs with 110V AC inputs.
  OR
  - If the PSUs with 110V AC inputs are disabled, then the PSUs with 220V AC inputs can be budgeted with a higher output per PSU.
ExtremeXOS computes the total available power using both methods and automatically uses the PSU
configuration that provides the greatest amount of power to the switch. Table 16 and Table 17 list
combinations where ExtremeXOS maximizes system power by disabling the PSUs with 110V AC
inputs. This can be overridden if desired, as described in “Overriding Automatic Power Supply
Management” on page 96.
Table 16: BlackDiamond 8800 Series PSU Combinations Where 110V PSUs Are Disabled
| Number of PSUs with 220V AC Inputs | Number of PSUs with 110V AC Inputs |
|---|---|
| 2 | 1 |
| 3 | 1 |
| 3 | 2 |
| 4 | 1 |
| 4 | 2 |
| 5 | 1 |
Table 17: BlackDiamond X8 Series PSU Combinations Where 110V PSUs Are Disabled
| Number of PSUs with 220V AC Inputs | Number of PSUs with 110V AC Inputs |
|---|---|
| 1 | 1 |
| 2 | 1 |
| 3 | 1 |
| 3 | 2 |
| 4 | 1 |
| 4 | 2 |
| 4 | 3 |
| 5 | 1 |
| 5 | 2 |
| 5 | 3 |
| 6 | 1 |
| 6 | 2 |
| 7 | 1 |
For all other combinations of 220V AC and 110V AC PSUs, ExtremeXOS maximizes system power by
enabling all PSUs and budgeting each PSU at 110V AC.
BlackDiamond 8806 switch only—When a combination of 700/1200 W AC PSUs and 600/900 W
AC PSUs are powered on in the same BlackDiamond 8806 chassis, all 700/1200 W AC PSUs are
budgeted “down” to match the lower powered 600/900 W AC output values to avoid PSU
shutdown.
Overriding Automatic Power Supply Management
You can override automatic power supply management to enable a PSU with 110V AC inputs that
ExtremeXOS disables if the need arises, such as for a planned maintenance of 220V AC circuits. If the
combination of AC inputs represents one of those listed in Table 16, you can turn on a disabled PSU
using the following command:
configure power supply <ps_num> on
NOTE
If you override automatic power supply management, you may reduce the available power and cause one
or more I/O modules to power down.
To resume using automatic power supply management on a PSU, use the configure power supply
<ps_num> {auto | on} command. The setting for each PSU is stored as part of the switch
configuration.
To display power supply status and power budget information, use the show power and show power
budget commands.
Power Visualization
Power visualization periodically polls for input power usage. The poll interval is configurable.
Whenever the power is increased or decreased by the configured threshold power value, then a
specified action is initiated (e.g., a trap, log, or trap-and-log). The configurable parameters are:
● input power usage poll interval (in seconds)
● change action (log, trap, or log-and-trap)
● change threshold (power value in watts)
In the stacking case, the Master periodically polls the power usage of all the PSUs in the stack and
sends the log or trap or both, depending on the specified change action. Configuration commands are
synchronized between Master and backup.
If the change-action is configured as trap or log-and-trap then the power usage trap is sent to the
configured SNMP servers.
To configure power visualization, use the following command:
configure power monitor poll-interval [off | <seconds>] change-action [none | [log |
log-and-trap | trap] change-threshold <watts>]
Note that the default poll interval is 60 seconds, and the default change action is none (input power
usage values are only estimates).
Using Power Supplies—Summit Family Switches Only
On Summit family switches, ExtremeXOS reports when the PSU has power or has failed. The Summit
family switches support an internal power supply with a range of 90V to 240V AC power as well as an
external redundant power supply. The Extreme Networks External Power System (EPS) allows you to
add a redundant power supply to the Summit family switches to protect against a power supply failure.
The EPS consists of a tray or module that holds the EPS power supplies.
NOTE
When an EPS-T tray with two EPS-160 PSUs is connected to a Summit family switch, the internal power
supply will show as failed.
On non-PoE Summit switches, if you experience an internal PSU failure and do not have an external
PSU installed, the switch powers down. If you experience a PSU failure and have an external PSU
installed, the switch uses the external PSU to maintain power to the switch.
On PoE Summit switches, there are specific power budget requirements and configurations associated
with PoE that are not described in this section. The PoE Summit switches respond to internal and
external PSU failures based on your PoE configurations. For more information about configuring PoE
on the Summit PoE switches, see Chapter 10, “PoE.”
For more information about Summit family switches and EPS, refer to the hardware documentation
which is listed in the “Preface” chapter.
Using Power Supplies - SummitStack Only
Since the nodes have their own power supplies and since they cannot be shared, management is the
same as it is for standalone Summit family switches. The only difference is that the power management
commands have been centralized so that they can be issued from the primary node.
Displaying Power Supply Information
To display the status of the currently installed power supplies on all switches, use the following
command:
show power {<ps_num>} {detail}
The detail option of this command shows power usage parameters on stacking and standalone Summit
switches.
On modular switches, the following commands provide additional power supply information.
To view the system power status and the amount of available and required power, use the following
command:
show power budget
To display the status of the currently installed power supply controllers on modular switches, use the
following command:
show power controller {<num>}
Using Motion Detectors
On the Summit X670 switch, there is a motion detection system that controls whether the port LEDs are
turned on or off. When the motion detector is enabled, the LEDs are turned on only when motion is
detected. You can also configure the time in seconds that the LEDs stay on after motion is detected.
When the motion detector is disabled, the LEDs are always turned on.
To configure the motion detector, use the following command:
configure power led motion-detector [disable | enable {timeout <seconds>}]
To show the status and timeout setting of the motion detector, use the following command:
show power led motion-detector
Using the Network Time Protocol
Network Time Protocol (NTP) is used for synchronizing time on devices across a network with variable
latency (time delay). NTP provides a coordinated Universal Time Clock (UTC), the primary time
standard by which the world regulates clocks and time. UTC is used by devices that rely on having a
highly accurate, universally accepted time, and can synchronize computer clock times to a fraction of a
millisecond. In a networked environment, having a universal time can be crucial. For example, the stock
exchange and air traffic control use NTP to ensure accurate, timely data.
NTP uses a hierarchical, semi-layered system of levels of clock sources called a “stratum.” Each stratum
is assigned a layer number starting with 0 (zero), with 0 meaning the least amount of delay. The stratum
number defines the distance, or number of NTP hops away, from the reference clock. The lower the
number, the closer the switch is to the reference clock. The stratum also serves to prevent cyclical
dependencies in the hierarchy.
Simple Network Time Protocol (SNTP), as the name would suggest, is a simplified version of NTP that
uses the same protocol, but without many of the complex synchronization algorithms used by NTP.
SNTP is suited for use in smaller, less complex networks. For more information about SNTP see the
section, “Using the Simple Network Time Protocol” on page 116.
Limitations
The Extreme Networks implementation of NTP includes the following limitations:
● You can use only the default VR for NTP service.
● SNTP cannot be enabled at the same time NTP is enabled.
● The NTP multicast delivery mechanism is not supported.
● The NTP autokey security mechanism is not supported.
● The broadcast client option cannot be enabled on a per-VLAN basis.
NTP Server/Client
An NTP server provides clock information to NTP or SNTP clients. You can configure an NTP server as
an NTP client to receive clock information from more reliable external NTP servers or a local clock. You
can also build a hierarchical time distribution topology by using TCP/IP. The switch can work as both
an NTP client and server at the same time to build a hierarchical clock distribution tree. This
hierarchical structure eliminates the need for a centralized clock server and provides a highly available
clock tree with minimal network load and overhead.
Use these commands to configure an NTP server:
configure ntp [server | peer] add [<ip_address> | <host_name>] {key <keyid>} {option
[burst | initial-burst]}
configure ntp restrict-list [add | delete] <network> {<mask>} [permit | deny]
Use this command to delete an NTP server:
configure ntp [server | peer] delete [<ip_address> | <host_name>]
Use these commands to display NTP server or client information:
show ntp
show ntp association [{<ip_address>} | {<host_name>}]
show ntp restrict-list {user | system | all}
show ntp sys-info
NTP Peer Support
An NTP peer is a member of a group of NTP servers. Normally, an NTP peer is used to synchronize
clock information among a group of servers that serve as mutual backups for each other. Typically, core
switches are configured as NTP peers, and an NTP server is configured as a core switch to an NTP
client, aggregation switch, or edge switch. An NTP client can choose the most reliable clock from all
servers that have a peer relationship with the client.
Use this command to configure an NTP peer:
configure ntp [server | peer] add [<ip_address> | <host_name>] {key <keyid>} {option
[burst | initial-burst]}
Use this command to delete an NTP peer:
configure ntp [server | peer] delete [<ip_address> | <host_name>]
Use these commands to display an NTP peer:
show ntp
show ntp association [{<ip_address>} | {<host_name>}] statistics
show ntp sys-info
NTP Local Clock Support
A local clock serves as backup to distribute clock information internally when reliable external clock
sources are not reachable. Assign a higher stratum value to the local clock to ensure that it is not
selected when an external reliable clock source with a lower stratum number exists.
Use this command to configure a local clock:
configure ntp local-clock stratum <stratum_number>
Use this command to delete a local clock:
configure ntp local-clock none
Use these commands to display local clock information:
show ntp association [{<ip_address>} | {<host_name>}]
show ntp association [{<ip_address>} | {<host_name>}] statistics
NTP Broadcast Server Support
An NTP broadcast server sends periodic time updates to a broadcast address in a LAN. When a
broadcast client is configured for NTP, that client can receive time information from the broadcasted
NTP packets. Using broadcast packets can greatly reduce the NTP traffic on a network, especially in a
network with many NTP clients.
To ensure that NTP broadcast clients get clock information from the correct NTP broadcast servers, with
minimized risks from malicious NTP broadcast attacks, configure MD5 authentication on both the NTP
broadcast server and NTP clients.
Use this command to configure an NTP broadcast server over a VLAN where NTP broadcast service is
provided:
enable ntp {vlan} <vlan-name> broadcast-server {key <keyid>}
Use this command to delete an NTP broadcast server over a VLAN where NTP broadcast service is
enabled:
disable ntp {vlan} <vlan-name> broadcast-server
Use this command to display an NTP broadcast server:
show ntp server
NTP Broadcast Client Support
An NTP client listens for NTP packets from an NTP broadcast server. To listen for network broadcast
messages, enable an NTP broadcast client. This option is global (it cannot be enabled on a per-VLAN
basis).
Use this command to configure an NTP broadcast client:
enable ntp broadcast-client
Use this command to delete an NTP broadcast client:
disable ntp broadcast-client
Use this command to display an NTP broadcast client:
show ntp sys-info
NTP Authentication
To prevent false time information from unauthorized servers, enable NTP authentication so that only an
authenticated server and client exchange time information. The currently supported authentication
method is Message Digest 5 (MD5). First, enable NTP authentication globally on the switch. Then create
an NTP authentication key and configure it as trusted; the key is checked against the key on the
receiving device before an NTP packet is sent. After configuration is complete, an NTP server, peer, and
broadcast server can use NTP authenticated service.
Use these commands to enable or disable NTP authentication globally on the switch:
enable ntp authentication
disable ntp authentication
Use these commands to create or delete an MD5 key for NTP authentication:
create ntp key <keyid> md5 <key_string>
delete ntp key [<keyid> | all]
Use these commands to configure an MD5 key as trusted or not trusted:
configure ntp key <keyid> [trusted | not-trusted]
Use this command to display MD5 authentication:
show ntp key
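The check a receiving device performs on an authenticated NTP packet can be sketched as follows. This is an added example, not ExtremeXOS code: it assumes the switch uses the standard NTP symmetric-key format from RFC 5905 (a 32-bit key ID followed by MD5 over the key and the 48-byte header), the packet contents are constructed, and the key ID 100 with string EXTREME is taken from the configuration example in this chapter.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header, no extension fields
MAC_LEN = 4 + 16     # 32-bit key ID + 128-bit MD5 digest

# Keys marked trusted on the receiving device (key ID -> key string).
TRUSTED_KEYS = {100: b"EXTREME"}


def md5_digest(key, header):
    """Keyed MD5 as NTP defines it: MD5(key || header). This is not HMAC."""
    return hashlib.md5(key + header).digest()


def add_mac(header, key_id, key):
    """Sender side: append the key ID and digest to the header."""
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


def verify(packet, trusted_keys):
    """Receiver side: return (accepted, reason) for one packet."""
    if len(packet) == HEADER_LEN:
        return False, "no MAC"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "bad length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key ID not trusted"
    # Constant-time comparison of the received and recomputed digests.
    if not hmac.compare_digest(mac[4:], md5_digest(key, header)):
        return False, "digest mismatch"
    return True, "ok"


def broadcast_header(transmit_ts):
    """Constructed 48-byte header: LI=0, VN=4, mode=5 (broadcast), stratum 2."""
    li_vn_mode = (0 << 6) | (4 << 3) | 5
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, 2, 6, -20,       # flags, stratum, poll, precision
        0, 0, b"\x00\x00\x00\x00",   # root delay, dispersion, reference ID
        0, 0, 0, transmit_ts,        # reference, origin, receive, transmit
    )


if __name__ == "__main__":
    hdr = broadcast_header(0xD3F0A1B200000000)
    cases = {
        "signed with trusted key": add_mac(hdr, 100, b"EXTREME"),
        "unauthenticated": hdr,
        "wrong key string": add_mac(hdr, 100, b"extreme"),
        "unknown key ID": add_mac(hdr, 7, b"EXTREME"),
    }
    for name, pkt in cases.items():
        print(name, "->", verify(pkt, TRUSTED_KEYS))
```

Only the key ID travels in the packet, so both ends must hold the same key string under the same ID, and the receiver must have that key marked as trusted.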
NTP Configuration Example
In the example shown in Figure 2, SW#1 synchronizes its clock from the 0-3.us.pool.ntp.org time server,
and provides the synchronized clock information to SW#2 as a unicast message, and to SW#3 as a
broadcast message. SW#2 configures SW#1 as a time server using a normal unicast message. It also has
a local clock (127.127.1.1) with a stratum level of 10. SW#3 is configured as broadcast client without
specific server information. For security purposes, SW#2 and SW#3 use MD5 authentication with a key
index of 100.
Figure 2: NTP Configuration Example
SW#1 Configuration
create vlan internet
create vlan toSW2
create vlan toSW3
config vlan internet add port 1
config vlan toSW2 add port 2
config vlan toSW3 add port 3
config vlan internet ipaddress 10.45.203.74/24
config vlan toSW2 ipaddress 100.1.1.1/24
config vlan toSW3 ipaddress 102.1.1.1/24
config iproute add default 10.45.203.1 vr vr-default
enable ntp
create ntp key index 100 md5 EXTREME
configure ntp key index 100 trusted
enable ntp vlan internet
enable ntp vlan toSW2
enable ntp vlan toSW3
enable ntp vlan toSW3 broadcast-server key 100
config ntp server add 0.us.pool.ntp.org
config ntp server add 1.us.pool.ntp.org
config ntp server add 2.us.pool.ntp.org
config ntp server add 3.us.pool.ntp.org
config ntp local-clock stratum 10
SW#2 Configuration
create vlan toSW1
config vlan toSW1 add port 1
config vlan toSW1 ipaddress 100.1.1.2/24
enable ntp
enable ntp vlan toSW1
config ntp server add 100.1.1.1
SW#3 Configuration
create vlan toSW1
config vlan toSW1 add port 1
config vlan toSW1 ipaddress 102.1.1.2/24
enable ntp
enable ntp broadcast-client
create ntp key index 100 md5 EXTREME
configure ntp key index 100 trusted
enable ntp vlan toSW1
Using the Simple Network Management Protocol
Any network manager program running the Simple Network Management Protocol (SNMP) can
manage the switch if the Management Information Base (MIB) is installed correctly on the management
station. Each network manager program provides its own user interface to the management facilities.
NOTE
When using a network manager program to create a VLAN, Extreme Networks does not support the
SNMP create and wait operation. To create a VLAN with SNMP, use the create and go operation.
The following sections describe how to get started if you want to use an SNMP manager. It assumes
you are already familiar with SNMP management.
This section describes the following SNMP topics:
● Enabling and Disabling SNMPv1/v2c and SNMPv3
● Accessing Switch Agents
● Supported MIBs
● Configuring SNMPv1/v2c Settings
● Displaying SNMP Settings
● SNMPv3
● Message Processing
● SNMPv3 Security
● SNMPv3 MIB Access Control
● SNMPv3 Notification
● Access Profile Logging for SNMP
Enabling and Disabling SNMPv1/v2c and SNMPv3
ExtremeXOS can concurrently support SNMPv1/v2c and SNMPv3. The default is both types of SNMP
enabled. Network managers can access the device with either SNMPv1/v2c methods or SNMPv3.
To allow support for all SNMP access, or SNMPv1/v2c access only, or SNMPv3 access only, use the
following command:
enable snmp access {snmp-v1v2c | snmpv3}
To prevent support for all SNMP access, or SNMPv1/v2c access only, or SNMPv3 access only, use the
following command:
disable snmp access {snmp-v1v2c | snmpv3}
Most of the commands that support SNMPv1/v2c use the keyword snmp; most of the commands that
support SNMPv3 use the keyword snmpv3.
After a switch reboot, all slots must be in the “Operational” state before SNMP can manage and access
the slots. To verify the current state of the slot, use the show slot command.
Understanding Safe Defaults Mode and SNMP
The safe defaults mode runs an interactive script that allows you to enable or disable SNMP, Telnet, and
switch ports. When you set up your switch for the first time, you must connect to the console port to
access the switch. After logging in to the switch, you enter safe defaults mode. Although SNMP, Telnet,
and switch ports are enabled by default, the script prompts you to confirm those settings.
If you choose to keep the default setting for SNMP—the default setting is enabled—the switch returns
the following interactive script:
Since you have chosen less secure management methods, please remember to increase
the security of your network by taking the following actions:
* change your admin password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic
For more detailed information about safe defaults mode, see “Safe Defaults Setup Method” on page 51.
Enabling and Disabling SNMP Access on Virtual Routers
Beginning with ExtremeXOS 12.4.2 software, you can enable and disable SNMP access on any or all
VRs. By default, SNMP access is enabled on all VRs.
When SNMP access is disabled on a VR, incoming SNMP requests are dropped and the following
message is logged:
SNMP is currently disabled on VR <vr_name> Hence dropping the SNMP requests on this
VR.
To enable SNMP access on a VR, use the following command:
enable snmp access vr [<vr_name> | all]
To disable SNMP access on a VR, use the following command:
disable snmp access vr [<vr_name> | all]
To display the SNMP configuration and statistics on a VR, use the following command:
show snmp {vr} <vr_name>
SNMP access for a VR has global SNMP status that includes all SNMPv1v2c, SNMPv3 default users and
default group status. However, trap receiver configuration and trap enabling/disabling are independent
of global SNMP access and are still forwarded on a VR that is disabled for SNMP access.
Accessing Switch Agents
To access the SNMP agent residing in the switch, at least one VLAN must have an assigned IP address.
ExtremeXOS supports either IPv4 or IPv6 addresses to manage the switch.
By default, SNMP access and SNMPv1/v2c traps are enabled. SNMP access and SNMP traps can be
disabled and enabled independently—you can disable SNMP access but still allow SNMP traps to be
sent, or vice versa.
Supported MIBs
In addition to private MIBs, the switch supports the standard MIBs listed in Appendix E, “Supported
Standards, Protocols, and MIBs.”
Configuring SNMPv1/v2c Settings
The following SNMPv1/v2c parameters can be configured on the switch:
● Authorized trap receivers—An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMPv1/v2c traps to all configured trap receivers. You can specify a community string and UDP port individually for each trap receiver. All community strings must also be added to the switch using the configure snmp add community command.
To configure a trap receiver on a switch, use the following command:
o
To configure the notification type (trap/inform), use the following command specifying trap as the
type:
configure snmpv3 add notify [[hex <hex_notify_name>] | <notify_name>] tag [[hex
<hex_tag>] | <tag>] {type [trap | inform]}{volatile}
To delete a trap receiver on a switch, use the following command:
configure snmp delete trapreceiver [[<ip_address> | <ipv6_address>]
{<port_number>} | all]
Entries in the trap receiver list can also be created, modified, and deleted using the RMON2
trapDestTable MIB table, as described in RFC 2021.
● SNMP INFORM—SNMP INFORM allows for confirmation of a message delivery. When an SNMP manager receives an INFORM message from an SNMP agent, it sends a confirmation response back to the agent. If the message has not been received and therefore no response is returned, the INFORM message is resent. You can configure the number of attempts to make and the interval between attempts.
To configure the notification type (trap/inform), use the following command specifying inform as
the type:
configure snmpv3 add notify [[hex <hex_notify_name>] | <notify_name>] tag [[hex
<hex_tag>] | <tag>] {type [trap | inform]}{volatile}
To configure the number of SNMP INFORM notification retries, use the following command:
configure snmpv3 target-addr [[hex <hex_addr_name>] | <addr_name>] retry
<retry_count>
To configure the SNMP INFORM timeout interval, use the following command:
configure snmpv3 target-addr [[hex <hex_addr_name>] | <addr_name>] timeout
<timeout_val>
● Community strings—The community strings allow a simple method of authentication between the switch and the remote network manager. There are two types of community strings on the switch:
  - Read community strings provide read-only access to the switch. The default read-only community string is public.
  - Read-write community strings provide read-and-write access to the switch. The default read-write community string is private.
To store and display the SNMP community string in encrypted format, use the following command:
configure snmpv3 add community [[hex <hex_community_index>] | <community_index>]
[encrypted name <community_name> | name [[hex <hex_community_name>] |
<community_name>] {store-encrypted} ] user [[hex <hex_user_name>] | <user_name>]
{tag [[hex <transport_tag>] | <transport_tag>]} {volatile}
● System contact (optional)—The system contact is a text field that enables you to enter the name of
the person(s) responsible for managing the switch.
● System name (optional)—The system name enables you to enter a name that you have assigned to
this switch. The default name is the model name of the switch (for example, BD-1.2).
● System location (optional)—Using the system location field, you can enter the location of the switch.
Displaying SNMP Settings
To display the SNMP settings configured on the switch, use the following command:
show management
This command displays the following information:
● Enable/disable state for Telnet and SNMP access
● Login statistics
  - Enable/disable state for idle timeouts
  - Maximum number of CLI sessions
● SNMP community strings
● SNMP notification type (trap or INFORM)
● SNMP trap receiver list
● SNMP trap receiver source IP address
● SNMP statistics counter
● SSH access states of enabled, disabled, and module not loaded
● CLI configuration logging
● SNMP access states of v1, v2c disabled and v3 enabled
● Enable/disable state for Remote Monitoring (RMON)
● Access-profile usage configured via ACLs for additional Telnet and SSH2 security
● CLI scripting settings
  - Enable/disable state
  - Error message setting
  - Persistence mode
● Dropped SNMP packet counter
SNMPv3
SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP access to
managed devices and provides sophisticated control of access to the device MIB. The prior standard
versions of SNMP, SNMPv1 and SNMPv2c, provided no privacy and little security.
The following RFCs provide the foundation for the Extreme Networks implementation of SNMPv3:
● RFC 3410, Introduction to version 3 of the Internet-standard Network Management Framework, provides an
overview of SNMPv3.
● RFC 3411, An Architecture for Describing SNMP Management Frameworks, talks about SNMP
architecture, especially the architecture for security and administration.
● RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP),
talks about the message processing models and dispatching that can be a part of an SNMP engine.
● RFC 3413, SNMPv3 Applications, talks about the different types of applications that can be associated
with an SNMPv3 engine.
● RFC 3414, The User-Based Security Model for Version 3 of the Simple Network Management Protocol
(SNMPv3), describes the User-Based Security Model (USM).
● RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol
(SNMP), talks about VACM as a way to access the MIB.
● RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based
Security Model
NOTE
3DES, AES 192 and AES 256 bit encryption are proprietary implementations and may not work with some
SNMP Managers.
The SNMPv3 standards for network management were driven primarily by the need for greater security
and access control. The new standards use a modular design and model management information by
cleanly defining a message processing (MP) subsystem, a security subsystem, and an access control
subsystem.
The MP subsystem helps identify the MP model to be used when processing a received Protocol Data
Unit (PDU); PDUs are the packets used by SNMP for communication. The MP layer helps in
implementing a multilingual agent, so that various versions of SNMP can coexist simultaneously in the
same network.
The security subsystem features the use of various authentication and privacy protocols with various
timeliness checking and engine clock synchronization schemes. SNMPv3 is designed to be secure
against:
● Modification of information, where an in-transit message is altered
● Masquerades, where an unauthorized entity assumes the identity of an authorized entity
● Message stream modification, where packets are delayed and/or replayed
● Disclosure, where packet exchanges are sniffed (examined) and information is learned about the
contents
The access control subsystem provides the ability to configure whether access to a managed object in a
local MIB is allowed for a remote principal. The access control scheme allows you to define access
policies based on MIB views, groups, and multiple security levels.
In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for
generating and filtering of notifications.
SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage.
Objects defined as permanent cannot be deleted.
NOTE
In SNMPv3, many objects can be identified by a human-readable string or by a string of hexadecimal
octets. In many commands, you can use either a character string, or a colon-separated string of hexadecimal octets
to specify objects. To indicate hexadecimal octets, use the keyword hex in the command.
Message Processing
A particular network manager may require messages that conform to a particular version of SNMP. The
choice of the SNMPv1, SNMPv2c, or SNMPv3 MP model can be configured for each network manager
as its target address is configured. The selection of the MP model is configured with the mp-model
keyword in the following command:
configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex
<hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1
| snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}
SNMPv3 Security
In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals with
security-related aspects like authentication, encryption of SNMP messages, and defining users and their various
access security levels. This standard also encompasses protection against message delay and message
replay.
USM Timeliness Mechanisms
An Extreme Networks switch has one SNMPv3 engine, identified by its snmpEngineID. The first four
octets are fixed to 80:00:07:7C, which represents the Extreme Networks vendor ID. By default, the
additional octets for the snmpEngineID are generated from the device MAC address.
Every SNMPv3 engine necessarily maintains two objects: SNMPEngineBoots, which is the number of
reboots the agent has experienced, and SNMPEngineTime, which is the local time since the engine reboot.
The engine has a local copy of these objects and the latestReceivedEngineTime for every authoritative
engine it wants to communicate with. Protection against message delay or message replay is
accomplished by comparing these objects with the values received in messages and then applying
certain rules to decide upon the message validity.
In a chassis, the snmpEngineID is generated using the MAC address of the MSM/MM with which the
switch boots first. In a SummitStack, the MAC address chosen for the snmpEngineID is the configured
stack MAC address.
The snmpEngineID can be configured from the command line, but when the snmpEngineID is changed,
default users revert back to their original passwords/keys, and non-default users are reset to the
security level of no authorization, no privacy. To set the snmpEngineID, use the following command:
configure snmpv3 engine-id <hex_engine_id>
SNMPEngineBoots can also be configured from the command line. SNMPEngineBoots can be set to any
desired value but will latch on its maximum, 2147483647. To set the SNMPEngineBoots, use the
following command:
configure snmpv3 engine-boots <(1-2147483647)>
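The comparison rules mentioned above are defined in RFC 3414 (section 3.2, step 7). The following Python sketch is an added example, not ExtremeXOS code; it applies those rules for both the authoritative engine (the switch) and a manager tracking that engine, using constructed boot and time values. The 150-second window comes from the RFC, and the function and class names are hypothetical.

```python
"""USM timeliness checks per RFC 3414 section 3.2 step 7 (illustrative only)."""
from dataclasses import dataclass

MAX_ENGINE_BOOTS = 2147483647  # latch value: an engine stuck here fails every check
TIME_WINDOW_SECONDS = 150      # time window defined by RFC 3414


def authoritative_in_window(local_boots, local_time, msg_boots, msg_time):
    """Check made by the authoritative engine on an authenticated request."""
    if local_boots == MAX_ENGINE_BOOTS:
        return False  # boots counter has latched; keys must be reconfigured
    if msg_boots != local_boots:
        return False  # message was built against a different boot cycle
    return abs(msg_time - local_time) <= TIME_WINDOW_SECONDS


@dataclass
class RemoteEngineState:
    """A manager's local notion of one authoritative engine's clock."""
    boots: int = 0
    time: int = 0
    latest_received_time: int = 0

    def tick(self, seconds):
        """Advance the local estimate of the remote engine time."""
        self.time += seconds

    def accept(self, msg_boots, msg_time):
        """Resynchronize if the message is newer, then test timeliness."""
        newer_boot = msg_boots > self.boots
        newer_time = (msg_boots == self.boots
                      and msg_time > self.latest_received_time)
        if newer_boot or newer_time:
            self.boots = msg_boots
            self.time = msg_time
            self.latest_received_time = msg_time
        if self.boots == MAX_ENGINE_BOOTS:
            return False
        if msg_boots < self.boots:
            return False  # message from an earlier boot cycle: replay
        if msg_boots == self.boots and msg_time < self.time - TIME_WINDOW_SECONDS:
            return False  # older than the window: delayed or replayed
        return True


def demo():
    """Run constructed cases and return the decisions by name."""
    results = {
        "switch_fresh": authoritative_in_window(5, 1000, 5, 1100),
        "switch_late": authoritative_in_window(5, 1000, 5, 1151),
        "switch_old_boot": authoritative_in_window(5, 1000, 4, 1000),
        "switch_latched": authoritative_in_window(
            MAX_ENGINE_BOOTS, 1000, MAX_ENGINE_BOOTS, 1000),
    }
    manager = RemoteEngineState()
    results["manager_first"] = manager.accept(5, 1000)     # learns boots/time
    manager.tick(200)                                       # 200 s pass locally
    results["manager_replay"] = manager.accept(5, 1000)    # same packet again
    results["manager_old_boot"] = manager.accept(4, 9999)  # pre-reboot capture
    results["manager_reboot"] = manager.accept(6, 10)      # engine rebooted
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accepted' if ok else 'notInTimeWindow'}")
```

These checks apply only to messages that have already passed authentication; unauthenticated (noauth) traffic gets no replay protection from them.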
Users, Groups, and Security
SNMPv3 controls access and security using the concepts of users, groups, security models, and security
levels.
Users. Users are created by specifying a user name. Depending on whether the user will be using
authentication and/or privacy, you would also specify an authentication protocol (MD5 or SHA) with
password or key, and/or privacy (DES, 3DES, AES) password or key.
Before using AES or 3DES users, you must install the SSH module and restart the snmpMaster
process. Refer to “Installing a Modular Software Package” on page 1483 for information on installing the
SSH module.
To create a user, use the following command:
configure snmpv3 add user [[hex <hex_user_name>] | <user_name>] {authentication [md5 |
sha] [hex <hex_auth_password> | <auth_password>]} {privacy {des | 3des | aes {128 |
192 | 256}} [[hex <hex_priv_password>] | <priv_password>]} }{volatile}
A number of default users are initially available. These user names are: admin, initial, initialmd5,
initialsha, initialmd5Priv, initialshaPriv. The default password for admin is password. For the other default
users, the default password is the user name.
To display information about a user, or all users, use the following command:
show snmpv3 user {[[hex <hex_user_name>] | <user_name>]}
Enabling the SNMPv3 default-user access allows an end user to access the MIBs using the SNMPv3
default-user. To enable default-user, use the following command:
enable snmpv3 default-user
When default-user access is disabled, the end user is not able to access the switch/MIBs using the SNMPv3
default-user. To disable default-user, use the following command:
disable snmpv3 default-user
To delete a user, use the following command:
configure snmpv3 delete user [all-non-defaults | [[hex <hex_user_name>] |
<user_name>]]
NOTE
The SNMPv3 specifications describe the concept of a security name. In the ExtremeXOS implementation,
the user name and security name are identical. In this manual, both terms are used to refer to the same thing.
Groups. Groups are used to manage access for the MIB. You use groups to define the security model,
the security level, and the portion of the MIB that members of the group can read or write. To
underscore the access function of groups, groups are defined using the following command:
configure snmpv3 add access [[hex <hex_group_name>] | <group_name>] {sec-model [snmpv1
| snmpv2c | usm]} {sec-level [noauth | authnopriv | priv]} {read-view [[hex
<hex_read_view_name>] | <read_view_name>]} {write-view [[hex <hex_write_view_name>]] |
<write_view_name>]} {notify-view [[hex <hex_notify_view_name]] | <notify_view_name>]}
{volatile}
The security model and security level are discussed in “Security Models and Levels” on page 111. The
view names associated with a group define a subset of the MIB (subtree) that can be accessed by
members of the group. The read view defines the subtree that can be read, write view defines the
subtree that can be written to, and notify view defines the subtree that notifications can originate from.
MIB views are discussed in “SNMPv3 MIB Access Control” on page 111.
A number of default groups are already defined. These groups are: admin, initial, v1v2c_ro, v1v2c_rw. To
display information about the access configuration of a group or all groups, use the following
command:
show snmpv3 access {[[hex <hex_group_name>] | <group_name>]}
Enabling SNMPv3 default-group access activates the access to an SNMPv3 default group and the
user-created SNMPv3 users that are part of the default group. To enable default-group, use the following command:
enable snmpv3 default-group
Disabling SNMPv3 default-group access removes access to default-users and user-created users who are
part of the default-group. The user-created authenticated SNMPv3 users (who are part of a user-created
group) are able to access the switch. To disable a default-group, use the following command:
disable snmpv3 default-group
Users are associated with groups using the following command:
configure snmpv3 add group [[hex <hex_group_name>] | <group_name>] user [[hex
<hex_user_name>] | <user_name>] {sec-model [snmpv1| snmpv2c | usm]} {volatile}
To show which users are associated with a group, use the following command:
show snmpv3 group {[[hex <hex_group_name>] | <group_name>] {user [[hex
<hex_user_name>] | <user_name>]}}
To delete a group, use the following command:
configure snmpv3 delete access [all-non-defaults | {[[hex <hex_group_name>] |
<group_name>] {sec-model [snmpv1 | snmpv2c | usm] sec-level [noauth | authnopriv |
priv]}}]
When you delete a group, you do not remove the association between the group and users of the group.
To delete the association between a user and a group, use the following command:
configure snmpv3 delete group {[[hex <hex_group_name>] | <group_name>]} user
[all-non-defaults | {[[hex <hex_user_name>] | <user_name>] {sec-model [snmpv1|snmpv2c|usm]}}]
Security Models and Levels. For compatibility, SNMPv3 supports three security models:
● SNMPv1—no security
● SNMPv2c—community strings-based security
● SNMPv3—USM security
The default is USM. You can select the security model based on the network manager in your network.
The three security levels supported by USM are:
● noAuthnoPriv—No authentication, no privacy. This is the case with existing SNMPv1/v2c agents.
● AuthnoPriv—Authentication, no privacy. Messages are tested only for authentication.
● AuthPriv—Authentication, privacy. This represents the highest level of security and requires every
message exchange to pass the authentication and encryption tests.
When a user is created, an authentication method is selected, and the authentication and privacy
passwords or keys are entered.
When MD5 authentication is specified, HMAC-MD5-96 is used to achieve authentication with a 16-octet
key, which generates a 128-bit authorization code. This authorization code is inserted in the
msgAuthenticationParameters field of SNMPv3 PDUs when the security level is specified as either
AuthnoPriv or AuthPriv. Specifying SHA authentication uses the HMAC-SHA protocol with a 20-octet
key for authentication.
For privacy, the user can select any one of the following supported privacy protocols: DES, 3DES, AES
128/192/256. In the case of DES, a 16-octet key is provided as input to the DES-CBC encryption protocol,
which generates an encrypted PDU to be transmitted. DES uses bytes 1-7 to make a 56-bit key. This key
(encrypted itself) is placed in msgPrivacyParameters of SNMPv3 PDUs when the security level is
specified as AuthPriv.
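The 16-octet (MD5) and 20-octet (SHA) keys above are derived from the user's password and bound to one snmpEngineID, which is why changing the engine ID invalidates existing keys. The following Python sketch is an added example, not ExtremeXOS code; it assumes the standard RFC 3414 password-to-key and key-localization algorithm, and the password and engine IDs are constructed (only the 80:00:07:7C prefix comes from this guide).

```python
"""RFC 3414 password-to-key and key localization (illustrative only)."""
import hashlib

EXPANDED_LENGTH = 1048576  # the password is repeated to fill 1 MiB before hashing


def password_to_key(password, algorithm):
    """Derive the user key Ku from a password using 'md5' or 'sha1'."""
    if not password:
        raise ValueError("password must not be empty")
    repeats, remainder = divmod(EXPANDED_LENGTH, len(password))
    digest = hashlib.new(algorithm)
    digest.update(password * repeats)
    digest.update(password[:remainder])
    return digest.digest()


def localize_key(user_key, engine_id, algorithm):
    """Bind Ku to one engine: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algorithm, user_key + engine_id + user_key).digest()


def localized_key(password, engine_id_hex, algorithm):
    """Convenience wrapper taking a colon-separated hex engine ID."""
    engine_id = bytes.fromhex(engine_id_hex.replace(":", ""))
    user_key = password_to_key(password.encode("utf-8"), algorithm)
    return localize_key(user_key, engine_id, algorithm)


# Constructed engine IDs: vendor prefix from this guide plus made-up octets.
ENGINE_A = "80:00:07:7C:03:02:00:00:00:00:01"
ENGINE_B = "80:00:07:7C:03:02:00:00:00:00:02"
SAMPLE_PASSWORD = "constructed-sample-passphrase"  # constructed value


def demo():
    """Show key lengths and the effect of changing the engine ID."""
    md5_a = localized_key(SAMPLE_PASSWORD, ENGINE_A, "md5")
    md5_b = localized_key(SAMPLE_PASSWORD, ENGINE_B, "md5")
    sha_a = localized_key(SAMPLE_PASSWORD, ENGINE_A, "sha1")
    return {
        "md5_key_octets": len(md5_a),
        "sha_key_octets": len(sha_a),
        "same_password_new_engine_id_changes_key": md5_a != md5_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```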
SNMPv3 MIB Access Control
SNMPv3 provides a fine-grained mechanism for defining which parts of the MIB can be accessed. This
is referred to as the View-Based Access Control Model (VACM).
MIB views represent the basic building blocks of VACM. They are used to define a subset of the
information in the MIB. Access to read, to write, and to generate notifications is based on the
relationship between a MIB view and an access group. The users of the access group can then read,
write, or receive notifications from the part of the MIB defined in the MIB view as configured in the
access group.
A view name, a MIB subtree/mask, and an inclusion or exclusion define every MIB view. For example,
there is a System group defined under the MIB-2 tree. The Object Identifier (OID) for MIB-2 is 1.3.6.1.2,
and the System group is defined as MIB-2.1.1, or directly as 1.3.6.1.2.1.1.
To define a MIB view which includes only the System group, use the following subtree/mask
combination:
1.3.6.1.2.1.1/1.1.1.1.1.1.1.0
The mask can also be expressed in hex notation (this is used for the ExtremeXOS CLI):
1.3.6.1.2.1.1/fe
To define a view that includes the entire MIB-2, use the following subtree/mask:
1.3.6.1.2.1.1/1.1.1.1.1.0.0.0
which, in the CLI, is:
1.3.6.1.2.1.1/f8
When you create the MIB view, you can choose to include the MIB subtree/mask or to exclude the MIB
subtree/mask. To create a MIB view, use the following command:
configure snmpv3 add mib-view [[hex <hex_view_name>] | <view_name>] subtree
<object_identifier> {/<subtree_mask>} {type [included | excluded]} {volatile}
After the view has been created, you can repeatedly use the configure snmpv3 add mib-view
command to include and/or exclude MIB subtree/mask combinations to precisely define the items you
want to control access to.
In addition to the user-created MIB views, there are three default views. They are defaultUserView,
defaultAdminView, and defaultNotifyView. To show MIB views, use the following command:
show snmpv3 mib-view {[[hex <hex_view_name>] | <view_name>] {subtree
<object_identifier>}}
To delete a MIB view, use the following command:
configure snmpv3 delete mib-view [all-non-defaults | {[[hex <hex_view_name>] |
<view_name>] {subtree <object_identifier>}}]
MIB views that are used by security groups cannot be deleted.
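How the subtree/mask pairs above select OIDs, as an added Python example (not ExtremeXOS code): it converts the dotted masks to the hex form and evaluates view membership using the family-matching rules of RFC 3415. The helper names, the view contents, and the sample OIDs are constructed for illustration.

```python
"""VACM view matching (RFC 3415) for the subtree/mask examples in this section."""
from dataclasses import dataclass


def parse_oid(text):
    """'1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def dotted_mask_to_hex(dotted):
    """Convert a dotted bit mask such as 1.1.1.1.1.1.1.0 to hex notation."""
    bits = dotted.split(".")
    if any(bit not in ("0", "1") for bit in bits):
        raise ValueError("mask components must be 0 or 1")
    # RFC 3415 treats missing mask bits as 1, so pad to a whole octet with 1s.
    bits += ["1"] * (-len(bits) % 8)
    octets = int("".join(bits), 2).to_bytes(len(bits) // 8, "big")
    return octets.hex(":")


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple
    mask: bytes            # empty mask: every sub-identifier must match
    included: bool = True

    @classmethod
    def from_cli(cls, spec, included=True):
        """Parse 'subtree/hexmask' or a plain 'subtree'."""
        subtree, _, mask = spec.partition("/")
        return cls(parse_oid(subtree),
                   bytes.fromhex(mask.replace(":", "")), included)

    def matches(self, oid):
        """True if oid belongs to this family of subtrees."""
        if len(oid) < len(self.subtree):
            return False
        for index, wanted in enumerate(self.subtree):
            octet, bit = divmod(index, 8)
            if octet < len(self.mask):
                must_match = (self.mask[octet] >> (7 - bit)) & 1
            else:
                must_match = 1  # bits beyond the mask are implicitly 1
            if must_match and oid[index] != wanted:
                return False
        return True


def in_view(oid_text, families):
    """Decide access: the matching family with the longest subtree wins."""
    oid = parse_oid(oid_text)
    candidates = [family for family in families if family.matches(oid)]
    if not candidates:
        return False  # nothing matches: the OID is not in the view
    best = max(candidates, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


# Sample OIDs (constructed test inputs).
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_LOCATION = "1.3.6.1.2.1.1.6.0"
IF_DESCR = "1.3.6.1.2.1.2.2.1.2.1"
PRIVATE_OID = "1.3.6.1.4.1.99999.1"

SYSTEM_ONLY = [ViewFamily.from_cli("1.3.6.1.2.1.1/fe")]
WIDE = [ViewFamily.from_cli("1.3.6.1.2.1.1/f8")]
# Include the System group, then carve out one object with an exclude entry.
RESTRICTED = SYSTEM_ONLY + [ViewFamily.from_cli("1.3.6.1.2.1.1.6", included=False)]

if __name__ == "__main__":
    print(dotted_mask_to_hex("1.1.1.1.1.1.1.0"), dotted_mask_to_hex("1.1.1.1.1.0.0.0"))
    for oid in (SYS_DESCR, SYS_LOCATION, IF_DESCR, PRIVATE_OID):
        print(oid, in_view(oid, SYSTEM_ONLY), in_view(oid, WIDE),
              in_view(oid, RESTRICTED))
```

A mask bit of 0 turns that sub-identifier into a wildcard, so a short or zero-heavy mask widens the view; review masks on write views with the same care as the subtree itself.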
SNMPv3 Notification
SNMPv3 can use either SNMPv1 traps or SNMPv2c notifications to send information from an agent to
the network manager. The terms trap and notification are used interchangeably in this context.
Notifications are messages sent from an agent to the network manager, typically in response to some
state change on the agent system. With SNMPv3, you can define precisely which traps you want sent
to which receiver by defining filter profiles to use for the notification receivers.
To configure notifications, you configure a target address for the target that receives the notification, a
target parameters name, and a list of notification tags. The target parameters specify the security and
MP models to use for the notifications to the target. The target parameters name also points to the filter
profile used to filter the notifications. Finally, the notification tags are added to a notification table so
that any target addresses using that tag will receive notifications.
Target Addresses
A target address is similar to the earlier concept of a trap receiver. To configure a target address, use the
following command:
configure snmpv3 add target-addr [[hex <hex_addr_name>] | <addr_name>] param [[hex
<hex_param_name>] | <param_name>] ipaddress [ [ <ip_address> | <ip_and_tmask> ] | [
<ipv6_address> | <ipv6_and_tmask> ]] {transport-port <port_number>} {from
[<src_ip_address> | <src_ipv6_address>]} {vr <vr_name>} {tag-list <tag_list>}
{volatile}
In configuring the target address you supply an address name that identifies the target address, a
parameters name that indicates the MP model and security for the messages sent to that target address,
and the IP address and port for the receiver. The parameters name also is used to indicate the filter
profile used for notifications. Target parameters are discussed in “Target Parameters” next.
The from option sets the source IP address in the notification packets.
The tag-list option allows you to associate a list of tags with the target address. The tag defaultNotify
is set by default. Tags are discussed in the section “Notification Tags”.
To display target addresses, use the following command:
show snmpv3 target-addr {[[hex <hex_addr_name>] | <addr_name>]}
To delete a single target address or all target addresses, use the following command:
configure snmpv3 delete target-addr [{[[hex <hex_addr_name>] | <addr_name>]} | all]
Target Parameters
Target parameters specify the MP model, security model, security level, and user name (security name)
used for messages sent to the target address. See “Message Processing” on page 108 and “Users,
Groups, and Security” on page 109 for more details on these topics. In addition, the target parameter
name used for a target address points to a filter profile used to filter notifications. When you specify a
filter profile, you associate it with a parameter name, so you must create different target parameter
names if you use different filters for different target addresses.
To create a target parameter name and to set the message processing and security settings associated
with it, use the following command:
configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex
<hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1
| snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}
To display the options associated with a target parameters name or all target parameters names, use the
following command:
show snmpv3 target-params {[[hex <hex_target_params>] | <target_params>]}
To delete one or all the target parameters, use the following command:
configure snmpv3 delete target-params [{[[hex <hex_param_name>] | <param_name>]} |
all]
Filter Profiles and Filters
A filter profile is a collection of filters that specifies which notifications should be sent to a target
address. A filter is defined by a MIB subtree and mask and by whether that subtree and mask is
included or excluded from notification.
When you create a filter profile, you are associating only a filter profile name with a target parameter
name. The filters that make up the profile are created and associated with the profile using a different
command.
To create a filter profile, use the following command:
configure snmpv3 add filter-profile [[hex <hex_profile_name>] | <profile_name>] param
[[hex <hex_param_name>]] | <param_name>] {volatile}
After the profile name has been created, you associate filters with it using the following command:
configure snmpv3 add filter [[hex <hex_profile_name>] | <profile_name>] subtree
<object_identifier> {/<subtree_mask>} type [included | excluded] {volatile}
The MIB subtree and mask are discussed in “SNMPv3 MIB Access Control” on page 111, as filters are
closely related to MIB views. You can add filters together, including and excluding different subtrees of
the MIB until your filter meets your needs.
To display the association between parameter names and filter profiles, use the following command:
show snmpv3 filter-profile {[[hex <hex_profile_name>] | <profile_name>]} {param [[hex
<hex_param_name>] | <param_name>]}
To display the filters that belong to a filter profile, use the following command:
show snmpv3 filter {[[hex <hex_profile_name>] | <profile_name>] {{subtree}
<object_identifier>}
To delete a filter or all filters from a filter profile, use the following command:
configure snmpv3 delete filter [all | [[hex <hex_profile_name>] | <profile_name>]
{subtree <object_identifier>}]]
To remove the association of a filter profile or all filter profiles with a parameter name, use the
following command:
configure snmpv3 delete filter-profile [all |[[hex <hex_profile_name>] |
<profile_name>] {param [[hex <hex_param_name>] | <param_name>}]]
Notification Tags
When you create a target address, either you associate a list of notification tags with the target or by
default, the defaultNotify tag is associated with the target. When the system generates notifications, only
those targets associated with tags currently in the standard MIB table, called snmpNotifyTable, are
notified.
To add an entry to the table, use the following command:
configure snmpv3 add notify [[hex <hex_notify_name>] | <notify_name>] tag [[hex
<hex_tag>] | <tag>] {type [trap | inform]}{volatile}
Any targets associated with tags in the snmpNotifyTable are notified, based on the filter profile associated
with the target.
To display the notifications that are set, use the following command:
show snmpv3 notify {[[hex <hex_notify_name>] | <notify_name>]}
To delete an entry from the snmpNotifyTable, use the following command:
configure snmpv3 delete notify [{[[hex <hex_notify_name>] | <notify_name>]} |
all-non-defaults]
Configuring Notifications
Because the target parameters name points to a number of objects used for notifications, configure the
target parameter name entry first. You can then configure the target address, filter profiles and filters,
and any necessary notification tags.
Access Profile Logging for SNMP
The access profile logging feature allows you to use an ACL policy file or dynamic ACL rules to control
access to SNMP services on the switch. When access profile logging is enabled for SNMP, the switch
logs messages and increments counters when packets are denied access to SNMP. No messages are
logged for permitted access.
You can manage SNMP access using one (not both) of the following methods:
● Create and apply an ACL policy file
● Define and apply individual ACL rules
One advantage of ACL policy files is that you can copy the file and use it on other switches. One
advantage to applying individual ACL rules is that you can enter the rules at the CLI command
prompt, which can be easier than opening, editing, and saving a policy file.
The following sections provide additional information on access profile logging for SNMP:
● ACL Match Conditions and Actions on page 115
● Limitations on page 115
● Managing ACL Policies for SNMP on page 116
● Managing ACL Rules for SNMP on page 116
● Misconfiguration Error Messages on page 116
ACL Match Conditions and Actions
Chapter 18, “ACLs,” describes how to create ACL policies and rules using match conditions and
actions. Access profile logging supports the following match conditions and actions:
● Match conditions
  - Source-address—IPv4 and IPv6
● Actions
  - Permit
  - Deny
If the ACL is created with more match conditions or actions, only those listed above are used for
validating the packets. All other conditions and actions are ignored.
The source-address field allows you to identify an IPv4 address, IPv6 address, or subnet mask for which
access is either permitted or denied.
Limitations
This feature has the following limitations:
● Either policy files or ACL rules can be associated with SNMP, but not both at the same time.
● Only source-address match is supported.
● Access-lists that are associated with one or more applications (SNMP or Telnet, for example) cannot
be directly deleted. They must be unconfigured from the application first and then deleted from the
CLI.
● Default counter support is added only for ACL rules and not for policy files. For policy files you
must configure count action.
Managing ACL Policies for SNMP
Chapter 18, “ACLs,” describes how to create ACL policy files. To configure SNMP to use an ACL policy,
use one of the following commands:
configure snmp access-profile <profile_name>
configure snmp access-profile <profile_name> readonly
configure snmp access-profile <profile_name> readwrite
By default, SNMP supports the readwrite option. However, you can specify the readonly or
readwrite option to change the current configuration.
To configure SNMP to remove a previously configured ACL policy, use the following command:
configure snmp access-profile none
Managing ACL Rules for SNMP
Before you can assign an ACL rule to SNMP, you must create a dynamic ACL rule as described in
Chapter 18, “ACLs.” To add or delete a rule for SNMP access, use the following command:
configure snmp access-profile [ <access_profile> {readonly | readwrite} | [[add <rule>
] [first | [[before | after] <previous_rule>]]] | delete <rule> | none ]
To display the access-list permit and deny statistics for an application, use the following command:
show access-list counters process [snmp | telnet | ssh2 | http]
Misconfiguration Error Messages
The following messages can appear during configuration of policies or rules for the SNMP service:
● Rule <rule> is already applied
  A rule with the same name is already applied to this service.
● Please remove the policy <policy> already configured, and then add rule <rule>
  A policy file is already associated with the service. You must remove the policy before you can add a
  rule.
● Rule <previous_rule> is not already applied
  The specified rule has not been applied to the service, so you cannot add a rule in relation to that
  rule.
● Rule <rule> is not applied
  The specified rule has not been applied to the service, so you cannot remove the rule from the
  service.
● Error: Please remove previously configured rule(s) before configuring policy <policy>
  A policy or one or more ACL rules are configured for the service. You must remove the
  policy or rules from the service before you can add a policy.
Using the Simple Network Time Protocol
ExtremeXOS supports the client portion of the Simple Network Time Protocol (SNTP) Version 3 based
on RFC 1769. SNTP can be used by the switch to update and synchronize its internal clock from a
Network Time Protocol (NTP) server. After SNTP has been enabled, the switch sends out a periodic
query to the indicated NTP server, or the switch listens to broadcast NTP updates. In addition, the
switch supports the configured setting for Greenwich Mean Time (GMT) offset and the use of Daylight
Saving Time.
Configuring and Using SNTP
To use SNTP:
1 Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method
for obtaining NTP updates. The options are for the NTP server to send out broadcasts or for
switches using NTP to query the NTP server(s) directly. A combination of both methods is possible.
You must identify the method that should be used for the switch being configured.
2 Configure the Greenwich Mean Time (GMT) offset and Daylight Saving Time preference. The
command syntax to configure GMT offset and usage of Daylight Saving Time is as follows:
configure timezone {name <tz_name>} <GMT_offset>
{autodst {name <dst_timezone_ID>} {<dst_offset>}
{begins [every <floatingday> | on <absoluteday>] {at <time_of_day_hour>
<time_of_day_minutes>}
{ends [every <floatingday> | on <absoluteday>] {at <time_of_day_hour>
<time_of_day_minutes>}}}
By default beginning in 2007, Daylight Saving Time is assumed to begin on the second Sunday in
March at 2:00 AM, and end the first Sunday in November at 2:00 AM and to be offset from standard
time by one hour. If this is the case in your time zone, you can set up automatic daylight saving
adjustment with the command:
configure timezone <GMT_offset> autodst
If your time zone uses starting and ending dates and times that differ from the default, you can
specify the starting and ending date and time in terms of a floating day, as follows:
configure timezone name MET 60 autodst name MDT begins every last sunday march at
1 30 ends every last sunday october at 1 30
You can also specify a specific date and time, as shown in the following command:
configure timezone name NZST 720 autodst name NZDT 60 begins every first sunday
october at 2 00 ends on 3 16 2004 at 2 00
The optional time zone IDs are used to identify the time zone in display commands such as show
switch {detail}.
Table 18 describes the command options in detail.
Table 18: Time Zone Configuration Command Options
tz_name
Specifies an optional name for this timezone specification. May be up to six characters in
length. The default is an empty string.
GMT_offset
Specifies a Greenwich Mean Time (GMT) offset, in + or - minutes.
autodst
Enables automatic Daylight Saving Time.
dst_timezone_ID
Specifies an optional name for this Daylight Saving Time specification. May be up to six
characters in length. The default is an empty string.
dst_offset
Specifies an offset from standard time, in minutes. Value is in the range of 1 to 60.
Default is 60 minutes.
floatingday
Specifies the day, week, and month of the year to begin or end Daylight Saving Time
each year. Format is:
<week> <day> <month> where:
• <week> is specified as [first | second | third | fourth | last]
• <day> is specified as [sunday | monday | tuesday | wednesday | thursday | friday | saturday]
• <month> is specified as [january | february | march | april | may | june | july | august | september | october | november | december]
Default for beginning is second sunday march; default for ending is first sunday
november.
absoluteday
Specifies a specific day of a specific year on which to begin or end DST. Format is:
<month> <day> <year> where:
• <month> is specified as 1-12
• <day> is specified as 1-31
• <year> is specified as 1970 - 2035
The year must be the same for the begin and end dates.
time_of_day_hour
Specifies the time of day to begin or end Daylight Saving Time. May be specified as an
hour (0-23). Default is 2.
time_of_day_minutes
Specify the minute to begin or end Daylight Saving Time. May be specified as a minute
(0-59).
noautodst
Disables automatic Daylight Saving Time.
Automatic Daylight Saving Time changes can be enabled or disabled. The default setting is enabled.
To disable automatic Daylight Saving Time, use the command:
configure timezone {name <tz_name>} <GMT_offset> noautodst
3 Enable the SNTP client using the following command:
enable sntp-client
After SNTP has been enabled, the switch sends out a periodic query to the NTP servers defined in
step 4 (if configured) or listens to broadcast NTP updates from the network. The network time
information is automatically saved into the onboard real-time clock.
4 If you would like this switch to use a directed query to the NTP server, configure the switch to use
the NTP server(s). An NTP server can be an IPv4 address or an IPv6 address or a hostname. If the
switch listens to NTP broadcasts, skip this step. To configure the switch to use a directed query, use
the following command:
configure sntp-client [primary | secondary] <host-name-or-ip> {vr <vr_name>}
The following two examples use an IPv6 address as an NTP server and a hostname as an NTP
server:
configure sntp-client primary fd98:d3e2:f0fe:0:54ae:34ff:fecc:892
configure sntp-client primary ntpserver.mydomain.com
NTP queries are first sent to the primary server. If the primary server does not respond within 1
second, or if it is not synchronized, the switch queries the secondary server (if one is configured). If
the switch cannot obtain the time, it restarts the query process. Otherwise, the switch waits for the
sntp-client update interval before querying again.
5 Optionally, the interval for which the SNTP client updates the real-time clock of the switch can be
changed using the following command:
configure sntp-client update-interval <update-interval>
The default sntp-client update-interval value is 64 seconds.
6 You can verify the configuration using the following commands:
- show sntp-client
This command provides configuration and statistics associated with SNTP and its connectivity to
the NTP server.
- show switch {detail}
This command indicates the GMT offset, the Daylight Saving Time configuration and status, and
the current local time.
NTP updates are distributed using GMT time. To properly display the local time in logs and other timestamp information, the switch should be configured with the appropriate offset to GMT based on
geographical location. Table 19 lists GMT offsets.
Table 19: Greenwich Mean Time Offsets
GMT Offset in Hours | GMT Offset in Minutes | Common Time Zone References | Cities
+0:00 | +0 | GMT - Greenwich Mean; UT or UTC - Universal (Coordinated); WET - Western European | London, England; Dublin, Ireland; Edinburgh, Scotland; Lisbon, Portugal; Reykjavik, Iceland; Casablanca, Morocco
-1:00 | -60 | WAT - West Africa | Cape Verde Islands
-2:00 | -120 | AT - Azores | Azores
-3:00 | -180 | | Brasilia, Brazil; Buenos Aires, Argentina; Georgetown, Guyana
-4:00 | -240 | AST - Atlantic Standard | Caracas; La Paz
-5:00 | -300 | EST - Eastern Standard | Bogota, Colombia; Lima, Peru; New York, NY, Trevor City, MI USA
-6:00 | -360 | CST - Central Standard | Mexico City, Mexico
-7:00 | -420 | MST - Mountain Standard | Saskatchewan, Canada
-8:00 | -480 | PST - Pacific Standard | Los Angeles, CA, Santa Clara, CA, Seattle, WA USA
-9:00 | -540 | YST - Yukon Standard |
-10:00 | -600 | AHST - Alaska-Hawaii Standard; CAT - Central Alaska; HST - Hawaii Standard |
-11:00 | -660 | NT - Nome |
-12:00 | -720 | IDLW - International Date Line West |
+1:00 | +60 | CET - Central European; FWT - French Winter; MET - Middle European; MEWT - Middle European Winter; SWT - Swedish Winter | Paris, France; Berlin, Germany; Amsterdam, The Netherlands; Brussels, Belgium; Vienna, Austria; Madrid, Spain; Rome, Italy; Bern, Switzerland; Stockholm, Sweden; Oslo, Norway
+2:00 | +120 | EET - Eastern European, Russia Zone 1 | Athens, Greece; Helsinki, Finland; Istanbul, Turkey; Jerusalem, Israel; Harare, Zimbabwe
+3:00 | +180 | BT - Baghdad, Russia Zone 2 | Kuwait; Nairobi, Kenya; Riyadh, Saudi Arabia; Moscow, Russia; Tehran, Iran
+4:00 | +240 | ZP4 - Russia Zone 3 | Abu Dhabi, UAE; Muscat; Tbilisi; Volgograd; Kabul
+5:00 | +300 | ZP5 - Russia Zone 4 |
+5:30 | +330 | IST - India Standard Time | New Delhi, Pune, Allahabad, India
+6:00 | +360 | ZP6 - Russia Zone 5 |
+7:00 | +420 | WAST - West Australian Standard |
+8:00 | +480 | CCT - China Coast, Russia Zone 7 |
+9:00 | +540 | JST - Japan Standard, Russia Zone 8 |
+10:00 | +600 | EAST - East Australian Standard; GST - Guam Standard; Russia Zone 9 |
+11:00 | +660 | |
+12:00 | +720 | IDLE - International Date Line East; NZST - New Zealand Standard; NZT - New Zealand | Wellington, New Zealand; Fiji, Marshall Islands
SNTP Example
In this example, the switch queries a specific NTP server and a backup NTP server. The switch is
located in Cupertino, California, and an update occurs every 20 minutes. The commands to configure
the switch are as follows:
configure timezone -480 autodst
configure sntp-client update-interval 1200
enable sntp-client
configure sntp-client primary 10.0.1.1
configure sntp-client secondary 10.0.1.2
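The floating-day rules in Table 18 can be resolved offline to check what local time a switch will stamp on its logs for a given UTC instant, which helps when switch logs are correlated with UTC sources. The following Python is an added example, not code from Extreme Networks: the function names are the example's own, it handles only the begins/ends every <floatingday> form, and it assumes the begin time is read in standard time and the end time in daylight time.

```python
# Added example: resolve ExtremeXOS floating-day DST rules to local time.
import calendar
from datetime import datetime, timedelta

WEEKS = {"first": 0, "second": 1, "third": 2, "fourth": 3, "last": -1}
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Defaults stated in the guide: second Sunday in March, first Sunday in November, 2:00 AM.
DEFAULT_BEGINS = ("second", "sunday", "march", 2, 0)
DEFAULT_ENDS = ("first", "sunday", "november", 2, 0)


def parse_timezone(command):
    """Parse a 'configure timezone' line that uses floating-day rules."""
    tok = command.split()
    if tok[:2] != ["configure", "timezone"] or len(tok) < 3:
        raise ValueError("not a configure timezone command")
    tok = tok[2:]
    cfg = {"name": "", "dst_name": "", "dst_offset": 60, "autodst": True,
           "begins": DEFAULT_BEGINS, "ends": DEFAULT_ENDS}
    if tok[0] == "name":
        cfg["name"], tok = tok[1], tok[2:]
    cfg["offset"], tok = int(tok[0]), tok[1:]          # GMT offset in minutes
    if tok and tok[0] in ("autodst", "noautodst"):
        cfg["autodst"], tok = tok[0] == "autodst", tok[1:]
    if tok and tok[0] == "name":
        cfg["dst_name"], tok = tok[1], tok[2:]
    if tok and tok[0].isdigit():
        cfg["dst_offset"], tok = int(tok[0]), tok[1:]
    while tok:
        key = tok[0]
        if key not in ("begins", "ends") or tok[1:2] != ["every"]:
            raise ValueError("only 'begins/ends every <floatingday>' is handled: %r" % tok)
        week, day, month = tok[2:5]
        if week not in WEEKS or day not in DAYS or month not in MONTHS:
            raise ValueError("bad floatingday: %r" % tok[2:5])
        tok = tok[5:]
        hour, minute = 2, 0                            # assumed default when 'at' is omitted
        if tok and tok[0] == "at":
            hour, minute, tok = int(tok[1]), int(tok[2]), tok[3:]
        cfg[key] = (week, day, month, hour, minute)
    return cfg


def rule_instant(year, rule):
    """Wall-clock datetime of a floating-day rule in the given year."""
    week, day, month, hour, minute = rule
    m = MONTHS.index(month) + 1
    # Every day of the month that falls on the requested weekday, in order.
    hits = [d for d in range(1, calendar.monthrange(year, m)[1] + 1)
            if calendar.weekday(year, m, d) == DAYS.index(day)]
    return datetime(year, m, hits[WEEKS[week]], hour, minute)


def local_time(utc, cfg):
    """Return (local datetime, dst_active) for a naive UTC datetime."""
    std = utc + timedelta(minutes=cfg["offset"])
    if not cfg["autodst"]:
        return std, False
    shift = timedelta(minutes=cfg["dst_offset"])
    begin = rule_instant(std.year, cfg["begins"])        # read in standard time
    end = rule_instant(std.year, cfg["ends"]) - shift    # daylight time, moved to standard
    if begin < end:
        dst = begin <= std < end
    else:                                                # DST period spans the new year
        dst = std >= begin or std < end
    return (std + shift if dst else std), dst


if __name__ == "__main__":
    # The command from the SNTP example on this page.
    cfg = parse_timezone("configure timezone -480 autodst")
    for utc in (datetime(2012, 3, 11, 9, 59), datetime(2012, 3, 11, 10, 0)):
        print(utc, "UTC ->", *local_time(utc, cfg))
```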
Using Auto Provision of Edge Switches
Auto provisioning allows you to configure certain parameters on a switch automatically using a DHCP
and TFTP server. This process can make an Extreme Networks switch ready to do the initial
provisioning without any manual intervention, resulting in time saving and efficiency.
The parameters that an auto-provision capable switch can obtain from a DHCP server and apply are as
follows:
● IP address
● Gateway
● TFTP server to contact
● Configuration file to be loaded
A switch enabled with auto provision can be identified as follows:
● A warning message for the console and each Telnet session is displayed as follows:
Note: This switch has Auto-Provision enabled to obtain configuration remotely.
Commands should be limited to:
show auto-provision
show log
Any changes to this configuration will be discarded at the next reboot if auto
provisioning sends a ".cfg" file.
● The shell prompt reads as follows:
(auto-provision) X450a-24t.1 #
● The status is shown in the show auto-provision command.
The DHCP server can be any that provides the needed functionality. To obtain the desired parameters,
the following DHCP options are used:
● Option 43 - vendor-encapsulated-options
● Option 60 - vendor-class-identifier. Extreme Networks switches use “Switch-type” as the option 60
parameter. You must configure this option on your DHCP server to provide the required attributes
based on the specific model.
Following is a sample Linux DHCP configuration:
option space EXTREME;
option EXTREME.tftp-server-ip code 100 = ip-address;
option EXTREME.config-file-name code 101 = text;
option EXTREME.snmp-trap-ip code 102 = ip-address;

class "Edge-without-POE" {
    match if (option vendor-class-identifier = "X250e-48t");
    vendor-option-space EXTREME;
    option EXTREME.tftp-server-ip 10.120.89.80;
    option EXTREME.config-file-name "x250e_edge.cfg";
    option EXTREME.snmp-trap-ip 10.120.91.89;
}

class "Edge-x450e-POE" {
    match if (option vendor-class-identifier = "X450e-48p");
    vendor-option-space EXTREME;
    option EXTREME.tftp-server-ip 10.120.89.80;
    option EXTREME.config-file-name "x450e_edge.xsf";
    option EXTREME.snmp-trap-ip 10.120.91.89;
}

subnet 10.127.8.0 netmask 255.255.255.0 {
    option routers 10.127.8.254;
    option domain-name-servers 10.127.8.1;
    option subnet-mask 255.255.255.0;
    pool {
        deny dynamic bootp clients;
        range 10.127.8.170 10.127.8.190;
        allow members of "Edge-without-POE";
        allow members of "Edge-x450e-POE";
    }
}
Auto-provisioning Process
The auto-provisioning process is first initiated through the default VLAN (bound to VR-Default). After
three unsuccessful attempts to reach the network, the switch waits for 15 seconds before it switches over
to the Mgmt VLAN (bound to VR-Mgmt). It continues this process until it reaches the network.
Delay in the auto-provisioning process results from the following configuration problems:
● The DHCP server may not be reachable.
● The configuration file has an invalid file extension. Only .cfg or .xsf is accepted.
● The TFTP server is unreachable.
● The configuration file name does not exist in the TFTP server.
You can use the show log command to view the exact problem reported.
An SNMP trap is sent out for these conditions when the SNMP-Trap-IP code (code 102) is configured in
the DHCP server. The SNMP trap is not sent out when the DHCP server is unreachable.
When these conditions occur, the switch continues to retry to reach the network and remains in an “In
Progress” state.
When there is a system error or internal problem, the switch moves to an auto-provision “Failed” state.
The switch does not retry the auto-provisioning process once it has reached the “Failed” state.
Once the network is reached, the switch receives and configures the IP address and the gateway. The
switch then executes the configuration file (.cfg or .xsf file), sends the trap to inform the user of the
successful auto-provisioning (only when the SNMP-Trap-IP code, code 102, is configured), and reboots
for the new configuration to take effect.
Following is the mandatory DHCP option configuration used for auto provision to work:
Standard Option:
1 IP address
2 Subnet mask
3 Gateway
Option 60:
4 Vendor identifier option
Option 43:
5 TFTP server IP address
6 Configuration file name
Optional DHCP option
1 SNMP trap receiver IP address
NOTE
The file uploaded to the TFTP server using the upload configuration <ipaddress> <filename>
command is a configuration with an .xsf file extension. A configuration with a .cfg file extension is created using the tftp put
<ip-address> <local_file> command.
NOTE
Configuration changes made to the switch while auto provisioning is in progress are appended if auto
provisioning uses a configuration with an .xsf file extension, and are discarded if auto provisioning uses a
configuration with a .cfg file extension.
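Because the switch takes its TFTP server and configuration file name from option 43 of the DHCP offer, captured offers can be checked against what the DHCP server is supposed to hand out. The following Python is an added example, not Extreme Networks code: it decodes the sub-options defined in the sample DHCP configuration above (codes 100, 101 and 102), assuming the one-byte code and one-byte length encoding that ISC dhcpd uses for an option space; the allowlists and function names are the example's own.

```python
# Added example: decode and validate auto-provision sub-options carried in DHCP option 43.
import ipaddress

# Sub-option codes taken from the sample dhcpd.conf on this page.
TFTP_SERVER_IP, CONFIG_FILE_NAME, SNMP_TRAP_IP = 100, 101, 102
ALLOWED_EXTENSIONS = (".cfg", ".xsf")   # the only extensions the switch accepts


def encode_option43(tftp_ip, file_name, trap_ip=None):
    """Build a payload the way the sample configuration would (used for constructed samples)."""
    name = file_name.encode("ascii")
    out = bytes([TFTP_SERVER_IP, 4]) + ipaddress.IPv4Address(tftp_ip).packed
    out += bytes([CONFIG_FILE_NAME, len(name)]) + name
    if trap_ip is not None:
        out += bytes([SNMP_TRAP_IP, 4]) + ipaddress.IPv4Address(trap_ip).packed
    return out


def decode_option43(payload):
    """Split a vendor-encapsulated-options payload into {code: value bytes}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, %d present"
                             % (code, length, len(value)))
        if code in subopts:
            raise ValueError("duplicate sub-option %d" % code)
        subopts[code] = value
        i += 2 + length
    return subopts


def _ip(value, label, findings):
    """Decode a 4-byte IPv4 value, recording a finding if the length is wrong."""
    if len(value) != 4:
        findings.append("%s is %d bytes, expected 4" % (label, len(value)))
        return None
    return str(ipaddress.IPv4Address(value))


def check_offer(payload, trusted_tftp, trusted_traps=None):
    """Return a list of findings for one option 43 payload; an empty list means clean."""
    try:
        sub = decode_option43(payload)
    except ValueError as exc:
        return ["malformed option 43: %s" % exc]
    findings = []
    for code in sorted(set(sub) - {TFTP_SERVER_IP, CONFIG_FILE_NAME, SNMP_TRAP_IP}):
        findings.append("unexpected sub-option %d" % code)
    # Mandatory per the guide: TFTP server IP address and configuration file name.
    if TFTP_SERVER_IP not in sub:
        findings.append("missing mandatory TFTP server IP (code 100)")
    else:
        ip = _ip(sub[TFTP_SERVER_IP], "TFTP server IP", findings)
        if ip and ip not in trusted_tftp:
            findings.append("TFTP server %s is not on the allowlist" % ip)
    if CONFIG_FILE_NAME not in sub:
        findings.append("missing mandatory configuration file name (code 101)")
    else:
        name = sub[CONFIG_FILE_NAME].decode("ascii", errors="replace")
        if not name.endswith(ALLOWED_EXTENSIONS):
            findings.append("configuration file %r is not .cfg or .xsf" % name)
    # Optional: SNMP trap receiver.
    if SNMP_TRAP_IP in sub:
        ip = _ip(sub[SNMP_TRAP_IP], "SNMP trap IP", findings)
        if ip and trusted_traps is not None and ip not in trusted_traps:
            findings.append("SNMP trap receiver %s is not on the allowlist" % ip)
    return findings


if __name__ == "__main__":
    # Constructed samples: the first mirrors the page's "Edge-without-POE" class,
    # the second is an offer from a server that is not the expected one.
    expected = encode_option43("10.120.89.80", "x250e_edge.cfg", "10.120.91.89")
    unexpected = encode_option43("192.0.2.66", "x250e_edge.txt")
    for label, payload in (("expected", expected), ("unexpected", unexpected)):
        print(label, check_offer(payload, {"10.120.89.80"}, {"10.120.91.89"}))
```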
Auto-provisioning Configuration
To enable auto provision, use the following command:
enable auto-provision
NOTE
Auto provisioning is not enabled on the VLAN (Mgmt or Default) if the IP address is already configured.
To disable auto provision, use the following command:
disable auto-provision
When either an enable auto-provision or disable auto-provision command is issued, the
following message is displayed:
This setting will take effect at the next reboot of this switch.
To display the current state of auto provision on the switch, use the following command:
show auto-provision
Access Profile Logging for HTTP/HTTPS
The access profile logging feature allows you to use an ACL policy file or dynamic ACL rules to control
access to Hypertext Transfer Protocol (HTTP) services on the switch. When access profile logging is
enabled for HTTP, the switch logs messages and increments counters when packets are denied access to
HTTP. No messages are logged for permitted access.
NOTE
For more information on ExtremeXOS software support for HTTP, see “Hypertext Transfer Protocol” on
page 899.
You can manage HTTP access using one (not both) of the following methods:
● Create and apply an ACL policy file
● Define and apply individual ACL rules
One advantage of ACL policy files is that you can copy the file and use it on other switches. One
advantage to applying individual ACL rules is that you can enter the rules at the CLI command
prompt, which can be easier than opening, editing, and saving a policy file.
The following sections provide additional information on access profile logging for HTTP:
● ACL Match Conditions and Actions
● Limitations
● Managing ACL Rules for HTTP
● Misconfiguration Error Messages
ACL Match Conditions and Actions
Chapter 18, “ACLs,” describes how to create ACL policies and rules using match conditions and
actions. Access profile logging supports the following match conditions and actions:
● Match conditions
  - Source-address—IPv4 and IPv6
● Actions
  - Permit
  - Deny
If the ACL is created with more match conditions or actions, only those listed above are used for
validating the packets. All other conditions and actions are ignored.
The source-address field allows you to identify an IPv4 address, IPv6 address, or subnet mask for which
access is either permitted or denied.
Limitations
This feature has the following limitations:
● Policy file support is not available for HTTP and HTTPS.
● Only source-address match is supported.
● Access-lists that are associated with one or more applications cannot be directly deleted. They must
be unconfigured from the application first and then deleted from the CLI.
Managing ACL Rules for HTTP
Before you can assign an ACL rule to HTTP, you must create a dynamic ACL rule as described in
Chapter 18, “ACLs.” To add or delete a rule for HTTP access, use the following command:
configure web http access-profile [[[add <rule> ] [first | [[before | after]
<previous_rule>]]] | delete <rule> | none ]
To display the access-list permit and deny statistics for an application, use the following command:
show access-list counters process [snmp | telnet | ssh2 | http]
Misconfiguration Error Messages
The following messages can appear during configuration of policies or rules for the SNMP service:
● Rule <rule> is already applied
A rule with the same name is already applied to this service.
● Please remove the policy <policy> already configured, and then add rule <rule>
A policy file is already associated with the service. You must remove the policy before you can add a
rule.
● Rule <previous_rule> is not already applied
The specified rule has not been applied to the service, so you cannot add a rule in relation to that
rule.
● Rule <rule> is not applied
The specified rule has not been applied to the service, so you cannot remove the rule from the
service.
● Error: Please remove previously configured rule(s) before configuring policy <policy>
A policy or one or more ACL rules are configured for the service. You must remove the
policy or rules from the service before you can add a policy.
Chapter 3: Managing the ExtremeXOS Software
This chapter includes the following sections:
● Overview
● Using the ExtremeXOS File System
● Managing the Configuration File
● Managing ExtremeXOS Processes
● Understanding Memory Protection
Overview
The ExtremeXOS software platform is a distributed software architecture. The distributed architecture
consists of separate binary images organized into discrete software modules with messaging between
them. The software and system infrastructure subsystem form the basic framework of how the
ExtremeXOS applications interact with each other, including the system startup sequence, memory
allocation, and error event handling. Redundancy and data replication are built-in mechanisms of
ExtremeXOS. The system infrastructure provides basic redundancy support and libraries for all of the
ExtremeXOS applications.
NOTE
For information about downloading and upgrading a new software image, saving configuration changes,
and upgrading the BootROM, see Appendix B, “Software Upgrade and Boot Options.”
Like any advanced operating system, ExtremeXOS gives you the tools to manage your switch and
create your network configurations. With the introduction of ExtremeXOS, the following enhancements
and functionality have been added to the switch operating system:
● File system administration
● Configuration file management
● Process control
● Memory protection
File system administration—With the enhanced file system, you can move, copy, and delete files from
the switch. The file system structure allows you to keep, save, rename, and maintain multiple copies of
configuration files on the switch. In addition, you can manage other entities of the switch such as
policies and access control lists (ACLs).
Configuration file management—With the enhanced configuration file management, you can oversee
and manage multiple configuration files on your switch. In addition, you can upload, download,
modify, and name configuration files used by the switch.
Process control—With process control, you can stop and start processes, restart failed processes, and
update the software for a specific process or set of processes.
Memory protection—With memory protection, each function can be bundled into a single application
module running as a memory protected process under real-time scheduling. In essence, ExtremeXOS
protects each process from every other process in the system. If one process experiences a memory fault,
that process cannot affect the memory space of another process.
The following sections describe in more detail how to manage the ExtremeXOS software.
Using the ExtremeXOS File System
The file system in ExtremeXOS is the structure by which files are organized, stored, and named. The
switch can store multiple user-defined configuration and policy files, each with its own name.
Using a series of commands, you can manage the files on your system. For example, you can rename or
copy a configuration file on the switch, display a comprehensive list of the configuration and policy
files on the switch, or delete a policy file from the switch.
NOTE
Filenames are case-sensitive. For information on filename restrictions, refer to the specific command in the
ExtremeXOS Command Reference Guide.
You can also download configuration and policy files from the switch to a network Trivial File Transfer
Protocol (TFTP) server using TFTP. For detailed information about downloading switch configurations,
see Appendix B, “Software Upgrade and Boot Options.” For detailed information about downloading
policies and ACLs, see Chapter 17, “Policy Manager.”
With guidance from Extreme Networks Technical Support personnel, you can configure the switch to
capture core dump files, which contain debugging information that is useful in troubleshooting
situations. For more information about configuring core dump files and managing the core dump files
stored on your switch, see Appendix D, “Troubleshooting.”
This section describes the following file management topics:
● Moving or Renaming Files on the Switch
● Copying Files on the Switch
● Displaying Files on the Switch
● Transferring Files to and from the Switch
● Deleting Files from the Switch
Moving or Renaming Files on the Switch
To move or rename an existing configuration, policy, or if configured, core dump file in the system, use
the following command:
mv [internal-memory <old-name-internal> internal-memory <new-name-internal> |
internal-memory <old-name-internal> memorycard <new-name-memorycard> |
memorycard <old-name-memorycard> memorycard <new-name-memorycard> |
memorycard <new-name-memorycard> <new-name> |
<old-name> memorycard <new-name-memorycard> |
<old-name> <new-name>]
XML-formatted configuration files have a .cfg file extension. The switch runs only .cfg files. ASCII-formatted
configuration files have an .xsf file extension. See “Uploading ASCII-Formatted Configuration
Files” on page 1495 for more information. Policy files have a .pol file extension.
When you rename a file, make sure the renamed file uses the same file extension as the original file. If
you change the file extensions, the file may be unrecognized by the system. For example, if you have an
existing configuration file named test.cfg, the new filename must include the .cfg file extension.
When you rename a file on the switch, a message similar to the following appears:
Rename config test.cfg to config megtest.cfg on switch? (y/n)
Enter y to rename the file on your system. Enter n to cancel this process and keep the existing filename.
If you attempt to rename an active configuration file (the configuration currently selected to boot the
switch), the switch displays an error similar to the following:
Error: Cannot rename current selected active configuration.
For more information about configuring core dump files and managing the core dump files stored on
your switch, see Appendix D, “Troubleshooting.”
Copying Files on the Switch
The copy function allows you to make a copy of an existing file before you alter or edit the file. By
making a copy, you can easily go back to the original file if needed.
To copy an existing configuration or policy file on your switch, use the following command:
cp [internal-memory <old-name-internal> internal-memory <new-name-internal> |
internal-memory <old-name-internal> memorycard <new-name-memorycard> |
memorycard <old-name-memorycard> memorycard <new-name-memorycard> |
memorycard <old-name-memorycard> <new-name> |
<old-name> memorycard <new-name-memorycard> |
<old-name> <new-name>]
XML-formatted configuration files have a .cfg file extension. The switch runs .cfg files only. ASCII-formatted
configuration files have an .xsf file extension. See “Uploading ASCII-Formatted Configuration
Files” on page 1495 for more information. Policy files have a .pol file extension.
When you copy a configuration or policy file from the system, make sure you specify the appropriate
file extension. For example, if you want to copy a policy file, specify the filename and .pol.
When you copy a file on the switch, a message similar to the following appears:
Copy config test.cfg to config test1.cfg on switch? (y/n)
Enter y to copy the file. Enter n to cancel this process and not copy the file.
When you enter y, the switch copies the file with the new name and keeps a backup of the original file
with the original name. After the switch copies the file, use the ls command to display a complete list
of files.
NOTE
If you make a copy of a file, such as a core dump file, you can easily compare new information with the
old file if needed.
For more information about configuring the storage of core dump files, see Appendix
D, “Troubleshooting.”
Displaying Files on the Switch
To display a list of the configuration, policy, or if configured, core dump files stored on your switch, use
the following command:
ls {[internal-memory | memorycard]} {<file-name>}
When you do not specify a parameter, this command lists all of the files stored on your switch.
Output from this command includes the file size, date and time the file was last modified, and the file
name.
For more information about configuring core dump files and managing the core dump files stored on
your switch, see Appendix D, “Troubleshooting.”
Transferring Files to and from the Switch
TFTP allows you to transfer files between a TFTP server and the following switch storage areas: local
file system, internal memory card, compact flash card, and USB 2.0 storage device. To download a file
from a TFTP server to the switch, use the tftp or tftp get commands:
● tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {-r
<remote-file>} | {-r <remote-file>} {-l [internal-memory <local-file-internal> |
memorycard <local-file-memcard> | <local-file>]}]
● tftp get [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local_file>]} {<remote_file>} |
{<remote_file>} {[internal-memory <local-file-internal> | memorycard
<local-file-memcard> | <local_file>]}] {force-overwrite}
NOTE
By default, if you transfer a file with a name that already exists on the system, the switch prompts you to
overwrite the existing file. For more information, see the tftp get command in the ExtremeXOS Command
Reference Guide.
To upload a file from the switch to a TFTP server, use the tftp or tftp put commands:
● tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {-r
<remote-file>} | {-r <remote-file>} {-l [internal-memory <local-file-internal> |
memorycard <local-file-memcard> | <local-file>]}]
● tftp put [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local_file>]} {<remote_file>} |
{<remote_file>} {[internal-memory <local-file-internal> | memorycard
<local-file-memcard> | <local_file>]}]
For more information about TFTP, see Chapter 2, “Managing the Switch.” For detailed information
about downloading software image files, BootROM files, and switch configurations, see Appendix
B, “Software Upgrade and Boot Options.” For more information about configuring core dump files and
managing the core dump files stored on your switch, see Appendix D, “Troubleshooting.”
Deleting Files from the Switch
To delete a configuration, policy, or if configured, core dump file from your system, use the following
command:
rm {internal-memory | memorycard} <file-name>
If you do not specify the internal memory card or a removable storage device, the switch downloads or
uploads the file from the switch local file system.
When you delete a configuration or policy file from the system, make sure you specify the appropriate
file extension. For example, when you want to delete a policy file, specify the filename and .pol. After
you delete a file, it is unavailable to the system.
When you delete a file from the switch, a message similar to the following appears:
Remove testpolicy.pol from switch? (y/n)
Enter y to remove the file from your system. Enter n to cancel the process and keep the file on your
system.
If you attempt to delete an active configuration file (the configuration currently selected to boot the
switch), the switch displays an error similar to the following:
Error: Cannot remove current selected active configuration.
For more information about configuring core dump files and managing the core dump files stored on
your switch, see Appendix D, “Troubleshooting.”
Managing the Configuration File
The configuration is the customized set of parameters that you have selected to run on the switch.
Table 20 describes some of the key areas of configuration file management in ExtremeXOS.
Table 20: Configuration File Management
Task: Configuration file database
Behavior: ExtremeXOS supports saving a configuration file into any named file and
supports more than two saved configurations.
For example, you can download a configuration file from a network TFTP
server and save that file as primary, secondary, or with a user-defined name.
You also select where to save the configuration: primary or secondary
partition, or another space.
The file names primary and secondary exist for backward compatibility with
ExtremeWare®.
Task: Downloading configuration files
Behavior: ExtremeXOS uses the tftp and tftp get commands to download
configuration files from the network TFTP server to the switch.
For more information about downloading configuration files, see “Using TFTP
to Download the Configuration” on page 1499.
Task: Uploading configuration files
Behavior: ExtremeXOS uses the tftp and tftp put commands to upload
configuration files from the switch to the network TFTP server.
For more information about uploading configuration files, see “Using TFTP to
Upload the Configuration” on page 1498.
Task: Managing configuration files, including listing, copying, deleting, and renaming
Behavior: The following commands allow you to manage configuration files:
• ls—Lists all of the configuration files in the system
• cp—Makes a copy of an existing configuration file in the system
• rm—Removes/deletes an existing configuration file from the system
• mv—Renames an existing configuration file
Task: Configuration file type
Behavior: ExtremeXOS configuration files are saved in Extensible Markup Language
(XML) format. Use the show configuration command to view on the CLI
your currently running switch configuration.
Task: ASCII-formatted configuration file
Behavior: You can upload your current configuration in ASCII format to a network TFTP
server. The uploaded ASCII file retains the CLI format.
To view your configuration in ASCII format, save the configuration with the
.xsf file extension (known as the XOS CLI script file). This saves the XML-based
configuration in an ASCII format readable by a text editor.
ExtremeXOS uses the upload configuration command to upload the
ASCII-formatted configuration file from the switch to the network TFTP
server.
ExtremeXOS uses the tftp and tftp get commands to download
configuration files from the network TFTP server to the switch.
For more information about ASCII-formatted configuration files, see
“Uploading ASCII-Formatted Configuration Files” on page 1495.
Task: XML configuration mode
Behavior: Indicated by (xml) at the front of the switch prompt. Do not use. Use the
command disable xml-mode to disable this mode.
Task: Displaying configuration files
Behavior: You can also see a complete list of configuration files by entering the ls
command followed by the Tab key.
For more information about saving, uploading, and downloading configuration files, see “Saving the
Configuration” on page 1497.
Managing ExtremeXOS Processes
ExtremeXOS consists of a number of cooperating processes running on the switch. With process control,
under certain conditions, you can stop and start processes, restart failed processes, examine information
about the processes, and update the software for a specific process or set of processes.
This section describes the following topics:
● Displaying Process Information
● Stopping a Process
● Starting a Process
Displaying Process Information
To display information about the processes in the system, use the following command:
show process {<name>} {detail} {description} {slot <slotid>}
Where the following is true:
● name—Specifies the name of the process.
● detail—Specifies more detailed process information, including memory usage statistics, process ID
information, and process statistics.
● description—Describes the name of all of the processes or the specified process running on the
switch.
● slotid—On a modular chassis, specifies the slot number of the MSM/MM. A specifies the MSM/MM
installed in slot A. B specifies the MSM/MM installed in slot B. On a SummitStack, specifies the
target node's slot number. The number is a value from 1 to 8. (This parameter is available only on
modular switches and SummitStack.)
The show process and show process slot <slotid> commands display the following information
in a tabular format:
● Card—The name of the module where the process is running (modular switches only).
● Process Name—The name of the process.
● Version—The version number of the process. Options are:
  - Version number—A series of numbers that identify the version number of the process. This is
    helpful to ensure that you have version-compatible processes and if you experience a problem.
  - Not Started—The process has not been started. This can be caused by not having the appropriate
    license or by not starting the process.
● Restart—The number of times the process has been restarted. This number increments by one each
time a process stops and restarts.
● State—The current state of the process. Options are:
  - No License—The process requires a license level that you do not have. For example, you have not
    upgraded to that license, or the license is not available for your platform.
  - Ready—The process is running.
  - Stopped—The process has been stopped.
● Start Time—The current start time of the process. Options are:
  - Day/Month/Date/Time/Year—The date and time the process began. If a process terminates and
    restarts, the start time is also updated.
  - Not Started—The process has not been started. This can be caused by not having the appropriate
    license or by not starting the process.
When you specify the detail keyword, more specific and detailed process information is displayed.
The show process detail and show process slot <slotid> detail commands display the
following information in a multi-tabular format:
● Detailed process information
● Memory usage configurations
● Recovery policies
● Process statistics
● Resource usage
Stopping a Process
If recommended by Extreme Networks Technical Support personnel, you can stop a running process. To
stop a running process, use the following command:
terminate process <name> [forceful | graceful] {msm <slot>}
In a SummitStack:
terminate process <name> [forceful | graceful] {slot <slot>}
Where the following is true:
● name—Specifies the name of the process.
● forceful—Specifies that the software quickly terminate a process. Unlike the graceful option, the
process is immediately shut down without any of the normal process cleanup.
● graceful—Specifies that the process shut down gracefully by closing all opened connections,
notifying peers on the network, and other types of process cleanup.
● slot—For a modular chassis, specifies the slot number of the MSM/MM. A specifies the MSM/MM
installed in slot A. B specifies the MSM/MM installed in slot B. On a SummitStack, specifies the
target node's slot number. The number is a value from 1 to 8. (This parameter is available only on
modular switches and SummitStack.)
NOTE
Do not terminate a process that was installed since the last reboot unless you have saved your
configuration. If you have installed a software module and you terminate the newly installed process without saving
your configuration, your module may not be loaded when you attempt to restart the process with the start
process command.
To preserve a process’s configuration during a terminate and (re)start cycle, save your switch configuration before
terminating the process. Do not save the configuration or change the configuration during the process terminate
and (re)start cycle. If you save the configuration after terminating a process, and before the process (re)starts, the
configuration for that process is lost.
You can also use a single command to stop and restart a running process during a software upgrade on
the switch. By using the single command, there is less process disruption and it takes less time to stop
and restart the process. To stop and restart a process during a software upgrade, use the following
command:
restart process [class <cname> | <name> {msm <slot>}]
Where the following is true:
● cname—Specifies that the software terminates and restarts all instances of the process associated with
a specific routing protocol on all VRs.
● name—Specifies the name of the process.
Starting a Process
To start a process, use the following command:
start process <name> {msm <slot>}
In a SummitStack:
start process <name> {slot <slot>}
Where the following is true:
● name—Specifies the name of the process.
● slot—For a modular chassis, specifies the slot number of the MSM/MM. A specifies the MSM/MM
installed in slot A. B specifies the MSM/MM installed in slot B. On a SummitStack, specifies the slot
number of the target node. The number is a value from 1 to 8. (This parameter is available only on
modular switches and SummitStack.)
You are unable to start a process that is already running. If you try to start a currently running process,
for example telnetd, an error message similar to the following appears:
Error: Process telnetd already exists!
NOTE
After you stop a process, do not change the configuration on the switch until you start the process again;
otherwise, error messages can result when you start the new process. A new process loads the configuration
that was saved prior to stopping the process. Changes made between a process termination and a process
start are lost.
As described in the section, “Stopping a Process” on page 134, you can use a single command, rather
than multiple commands, to stop and restart a running process. To stop and restart a process during a
software upgrade, use the following command:
restart process [class <cname> | <name> {msm <slot>}]
In a SummitStack:
restart process [class <cname> | <name> {slot <slot>}]
For more detailed information, see the previous section or the ExtremeXOS Command Reference
Guide.
Understanding Memory Protection
ExtremeXOS provides memory management capabilities. With ExtremeXOS, each process runs in a
protected memory space. This infrastructure prevents one process from overwriting or corrupting the
memory space of another process. For example, if one process experiences a loop condition, is under
some type of attack, or is experiencing some type of problem, that process cannot take over or overwrite
another process's memory space.
Memory protection increases the robustness of the system. By isolating and having separate memory
space for each individual process, you can more easily identify the process or processes that experience
a problem.
To display the current system memory and that of the specified process, use the following command:
show memory process <name> {slot <slotid>}
Where the following is true:
● name—Specifies the name of the process.
● slot—On a modular chassis, specifies the slot number of the MSM/MM. A specifies the MSM/MM
installed in slot A. B specifies the MSM/MM installed in slot B. On a SummitStack, specifies the slot
number of the target node. The number is a value from 1 to 8. (This parameter is available only on
modular switches and SummitStack.)
The show memory process command displays the following information in a tabular format:
● System memory information (both total and free)
● Current memory used by the individual processes
The current memory statistics for the individual process also include the following:
● The module (MSM A or MSM B) and the slot number of the MSM/MM (modular switches only)
● The name of the process
You can also use the show memory {slot [slotid | a | b]} command to view the system memory
and the memory used by the individual processes, even for all processes on all MSMs/MMs installed in
modular switches. The slot parameter is available only on modular switches and SummitStack.
In general, the free memory count for an MSM/MM or Summit family switch decreases when one or
more running processes experience an increase in memory usage. If you have not made any system
configuration changes, and you observe a continued decrease in free memory, this might indicate a
memory leak.
The information from these commands may be useful for your technical support representative if you
experience a problem.
The following is sample truncated output from a Summit family switch:
CPU Utilization Statistics - Monitored every 25 seconds
-----------------------------------------------------------------------
Process      5     10    30    1     5     30    1     Max         Total
             secs  secs  secs  min   mins  mins  hour           User/System
             util  util  util  util  util  util  util  util      CPU Usage
             (%)   (%)   (%)   (%)   (%)   (%)   (%)   (%)        (secs)
-----------------------------------------------------------------------
System       n/a   n/a   0.0   0.9   0.1   0.2   0.5   34.6
aaa          n/a   n/a   0.0   0.0   0.0   0.0   0.0    1.8     1.72     0.78
acl          n/a   n/a   0.0   0.0   0.0   0.0   0.0    0.0     0.40     0.24
bgp          n/a   n/a   0.0   0.0   0.0   0.0   0.0   12.6    11.18     2.21
cfgmgr       n/a   n/a   0.0   0.0   0.0   0.0   0.8   39.8  4743.92  3575.79
cli          n/a   n/a   0.0   0.0   0.0   0.0   0.0    0.0     0.59     0.42
devmgr       n/a   n/a   0.0   0.0   0.0   0.0   0.0   19.5    74.44    24.52
dirser       n/a   n/a   0.0   0.0   0.0   0.0   0.0    0.0      0.0      0.0
dosprotect   n/a   n/a   0.0   0.0   0.0   0.0   0.0    0.0      0.8     0.12
eaps         n/a   n/a   0.0   0.0   0.0   0.0   0.1    5.5    36.40    15.41
edp          n/a   n/a   0.0   0.0   0.0   0.0   0.0   11.1    10.92     3.97
elrp         n/a   n/a   0.0   0.0   0.0   0.0   0.0    0.0     0.49     0.44
ems          n/a   n/a   0.0   0.0   0.0   0.0   0.0    0.0     1.19     1.29
epm          n/a   n/a   0.0   0.0   0.0   0.0   0.0   30.7    48.74    32.93
esrp         n/a   n/a   0.0   0.0   0.0   0.0   0.0    2.7     0.82     0.45
etmon        n/a   n/a   0.0   0.0   0.0   0.0   0.5   30.5  4865.78   873.87
...
Chapter 4: Configuring Stacked Switches
This chapter includes the following sections:
● Overview on page 139
● Logging into a Stack on page 153
● Stack Configuration Guidelines on page 154
● Configuring a New Stack on page 158
● Converting a Standalone Node Deployment to a Stack on page 164
● Stack Configuration Tasks on page 166
● Managing an Operating Stack
● Troubleshooting a Stack on page 209
● FAQs on the SummitStack Feature on page 216
Overview
The SummitStack™ feature allows you to physically connect up to eight individual Summit switches
together as a single logical unit, which is called a stack. The stack behaves as a single switch with a
single IP address and a single point of authentication.
In ExtremeXOS, a stack is controlled by a master switch, called the master. The master switch runs full
ExtremeXOS and is responsible for maintaining all of the software tables for all the switches in the
stack. There can only be one master switch in a stack. All switches in the stack, including the master
switch, are called nodes.
A stack can be thought of as a virtual chassis. Each node acts as if it were occupying a slot in a chassis
and is controlled by the master. The high-speed stacking links function like the backplane links of a
chassis.
The master switch stores any configuration information for the stack in its primary and secondary flash
memory. Since the master switch has the knowledge of the state and the configuration of all the other
switches in the stack, it can respond to all external requests for those switches. For example, the master
switch can respond to a request for SNMP information from all ports within the stack.
NOTE
The SummitStack feature is supported only on the platforms listed for this feature in the license tables in
Appendix A, “Feature License Requirements.” All participants in a stack must run the same image version.
This section introduces the following SummitStack topics:
● SummitStack Terms on page 140
● SummitStack Compatible Switches on page 143
● SummitStack Topologies on page 143
● Stack Depth on page 146
● Understanding Stack Configuration Parameters, Configuration Files, and Port Numbering on
page 147
● Understanding Stacking Link Overcommitment on page 148
● About Stack Logging Messages on page 149
● About QoS in Stacking on page 149
● About Power Management and Power Over Ethernet on Stacking on page 151
● About Stacking Node Roles, Redundancy, and Failover on page 152
● About the Failsafe Account on SummitStack Nodes on page 152
SummitStack Terms
Table 21 describes the terms used for the SummitStack feature. These terms are listed in the
recommended reading sequence.
Table 21: List of Stacking Terms
Term
Description
Stackable Switch
A Summit family switch that provides two stacking ports and can participate in
a stack.
Stacking Port
A physical interface of a stackable switch that is used to allow the connection
of a stacking link. Stacking ports are point-to-point links that are dedicated for
the purpose of forming a stack.
Native Port
A native port is a stacking port that can only be used for connections between
stacked switches.
Alternate Port
An alternate port is a port that can be used for either stack connections or
data connections.
Stacking Link
A wire that connects a stacking port of one stackable switch to a stacking port
of another stackable switch, plus the stacking ports themselves.
Node
A node is a stackable switch that runs the ExtremeXOS operating system. The
terms node and stackable switch are used interchangeably in this chapter.
Stack
A stack is a set of stackable switches and their connected stacking links made
with the intentions that: (1) all switches are reachable through their common
connections; (2) a single stackable switch can manage the entire stack; and
(3) configurable entities such as VLANs and link trunk groups can have
members on multiple stackable switches. A stack consists of all connected
nodes regardless of the state of these nodes.
Stack Topology
A contiguously connected set of nodes in a stack that are currently
communicating with one another. All nodes that appear in the show
stacking command display are present in the stack topology.
Stack Path
A data path that is formed over the stacking links for the purpose of
determining the set of nodes that are present in the stack topology and their
locations in the stack. Every node is always present in a stack path whether or
not stacking is enabled on the node.
Control Path
A data path that is formed over the stacking links that is dedicated to carrying
control traffic, such as commands to program hardware or software image data
for software upgrade. A node must join the control path to fully operate in the
stack. A node that is disabled for stacking does not join the control path, but
does communicate over the stack path.
Active Node
A node that has joined the control path. The active node can forward the
control path messages or can process the control path messages. It can also
forward data traffic. Only an active node can appear as a card inserted into a
slot when the show slot {<slot> {detail} | detail } command is
executed on the master node of the stack.
Active Topology
A contiguous set of active nodes in a stack topology plus the set of stacking
links that connect them form the active topology. When an active topology
consists of more than one node, each node in the active topology is directly
and physically connected to at least one other node in the active topology.
Thus, the active topology is a set of physically contiguous active nodes within
a stack topology.
NOTE
A node in the stack topology may not necessarily be a member of the
active topology.
Candidate Node
A node that is a potential member of an active topology is called a candidate
node. An active node is also a candidate node. Unlike an active node, a
candidate node may not have joined the control path.
Node Role
A node in the active topology plays a role in the stack. There are three node
roles: master (or primary), backup, and standby.
Master Node Role
A node that is elected as the master (or primary) runs all of the configured
control protocols such as OSPF, RIP, Spanning Tree, EAPS, and so forth.
The master node controls all data ports on itself, the backup node, and all
standby nodes. The master node issues specific programming commands over
the control path to the backup or standby nodes to accomplish this purpose.
Backup Node Role
The node that is operating in the backup node role takes over the master node
role if the master node fails. The master node keeps the backup node
databases in synchronization with its own database in preparation for this
event. Upon transfer of role, the backup node becomes the master node and
begins operating with the databases it has previously received. This allows all
other nodes in the stack to continue operating even after the master node fails.
Standby Node Role
A node that is executing the standby node role is prepared to become a
backup node in the event that the backup node becomes the master node.
When becoming a backup node, the new master node synchronizes all of its
databases to the new backup node. As a standby node, most databases are
not synchronized, except for those few that directly relate to hardware
programming.
Acquired Node
A standby or backup node is normally acquired by a master node. This means
the master node has used its databases to program the hardware of the
standby or backup node. The standby or backup node has acted as a
hardware programming proxy, accepting the instructions of the master node to
do so. An acquired standby node does not maintain the databases needed to
reflect why the hardware is programmed as it is; however, a backup node
does. An acquired node can only be re-acquired (without a reboot) by the
backup node when that backup node becomes a master node, and only if both
the backup and standby nodes were already acquired by the same master
node at the time of its failure.
Data Ports
This is the set of ports provided by a stackable switch that are available to you
for connection to your data networks. Such ports can be members of a user
configured VLAN or trunk group, and can be used for Layer 2 and 3 forwarding
of user data traffic or for mirroring, or other features you can configure. This
term does not refer to stacking ports.
Failover
When a node that is executing the master node role in a stack fails, a failover
is initiated. If there is a node that is executing the backup node role, and if the
node has completed its initial synchronization with the master node before it
failed, the backup node takes on the master node role. The standby nodes
continue their operation, and their data ports do not fail.
Hitless Failover
A failover whereby all data ports in the stack, except those of the failing
master node, continue normal operation when the master node fails.
Hitless Upgrade
This is an operation where an upgrade of the software image and the
commencement of the new image execution is possible without interrupting
data traffic or forcing any network reconvergence. This ExtremeXOS software
version does not support hitless upgrade for a stack.
Node Address
Stacking nodes are uniquely identified by their node address. This is actually
the MAC address that was factory assigned to each node.
Node Role Election
This is the process that determines the role for each node. The election takes
place during initial stack startup and elects a master and a backup node. An
election also takes place after a master node failover, when a new backup
node is elected from the remaining standby nodes.
Node Role Election Priority
For each node, the stack computes a priority to be used in node role election.
The node with the highest node role election priority during a role election
becomes the master node. The node with the second highest node role
election priority becomes the backup.
Operational Node
This is a node that has achieved operational state as a card in a slot. The
operational state can be displayed using the show slot {<slot>
{detail} | detail } command.
System UpTime
This is the amount of time that has passed since a stack first elected a master
node after the stack last rebooted. The time can be displayed on a master
node by entering the show switch {detail} command.
Stack Segment
This is a collection of nodes that form a stack topology. The term is useful
when a stack is severed. Each severed portion of the stack is referred to as a
stack segment.
Stack State
A state assigned by the stack to a node. This can be displayed using the
command show stacking.
Easy-Setup
Easy-setup is a procedure that configures the essential stack parameters of
every node for initial stack deployment, and automatically reboots the stack to
put the parameters into effect. The choice to run easy-setup is offered when
the enable stacking {node-address <node-address>} command is
run and the essential stacking parameters are unconfigured or inconsistent. It
can also be invoked directly by running the configure stacking easy-setup command.
SummitStack Compatible Switches
Appendix A, “Feature License Requirements,” lists the platforms that are supported by the
SummitStack feature.
SummitStack Topologies
Figure 3 presents a graphical representation of a stack and some of the terms that describe stack
conditions.
Figure 3: Stack and Topologies
(Figure labels: Switch 1 through Switch 8; Stack, Stack topology, and Active topology groupings; Switch 5 is
marked Failed node, Switch 6 and Switch 7 are marked SummitStack disabled, and Switch 8 is marked No power.)
A stack is the collection of all nodes that are cabled together in a stack.
A stack topology is the set of contiguous nodes that are powered up and communicating with each
other. Switch 8 is not part of the stack topology in Figure 3 because it is not powered up.
An active topology is the set of contiguous nodes that are active. An active node is powered up,
configured for stack operation, and communicating with the other active nodes. Switch 5 in Figure 3 has
failed, and stacking is disabled on Switch 6 and Switch 7. Switch 8 has no power, so the active topology
includes switches: Switch 1, Switch 2, Switch 3, and Switch 4.
For more information on SummitStack terminology, see “SummitStack Terms” on page 140.
This section introduces the following topologies and topics:
● Ring Topology on page 144
● Daisy Chain Topology on page 145
● Stack Depth on page 146
Ring Topology
SummitStack nodes should be connected to each other in a ring topology. In a ring topology, one link is
used to connect to a node and the other link is used to connect to another node. The result forms a
physical ring connection. This topology is highly recommended for normal operation. Figure 4 shows a
maximal ring topology of eight active nodes.
Figure 4: Graphical Representation of a Ring Topology
While a physical ring connection may be present, a ring active topology only exists if all nodes in the
stack are active nodes.
Figure 5: Summit Family Switches in a Ring Topology
Daisy Chain Topology
The stackable switches may be connected in a daisy-chain topology. This is a ring topology with one of
the links disconnected, inoperative, or disabled. A daisy chain can be created when a link fails or a node
reboots in a ring topology, but the daisy chain topology is not recommended for normal operation. In
Figure 6, the nodes delineated as the active topology are operating in a daisy-chain configuration, even
though there is physically a ring connection in the stack.
NOTE
The daisy chain topology is not recommended for normal operation.
Figure 6: X250 Series in Daisy-Chain Topology
You might need to use a daisy chain topology while adding a new node, removing a node, or while
joining two stacks.
If you are using a daisy chain topology, the possibility of a dual master situation increases. So before
you create a daisy chain topology, read “Managing a Dual Master Situation” on page 210.
NOTE
The maximum cable length supported between switches depends on the types of Summit family switches
in your stack, the installed option cards, and the configured stack ports. For more information, see the Summit
Family Switches Hardware Installation Guide.
Stack Depth
A maximum of eight (8) nodes are supported in the active topology. The slot number configuration
assigns only numbers from one (1) to eight (8).
NOTE
When the VIM1-SummitStack512 option is installed in a Summit X650 switch, the Summit X650 switch can
connect to only one other Summit X650 switch with an installed VIM1-SummitStack512. If you remove a cable
between the two VIM1-SummitStack512 option cards, the stack fails. The cabling is unique to this back-to-back
configuration and is described in the Summit Family Switches Hardware Installation Guide.
The stack tolerates an accidental connection of up to 17 nodes. Because only eight nodes can join an
active topology, there should never be an accidental connection of two stacks resulting in more than 16
nodes. If you have more than 17 nodes in a stack topology, all nodes enter an overflow state and all
stacking links enter a link overflow state. While in an overflow state, the active topology does not
function. All slots containing active nodes show a Failed state. The overflow state is maintained until the
overflow is cleared by manually disconnecting a sufficient number of nodes. After the overflow is
cleared, all nodes in the stack topology reboot.
To see all the nodes in a stack topology, use the show stacking command.
Understanding Stack Configuration Parameters, Configuration
Files, and Port Numbering
The stacking configurations are stored in the NVRAM of each node. Some of these configurations take
effect only during the next node restart.
Table 22: Stacking Configuration Items, Time of Effect and Default Value
Configuration Item     Takes Effect                   Default Value
Stacking Mode          at boot time                   Disabled
Slot Number            at boot time                   1
Master-Capable         at boot time                   Yes
License Restriction    at boot time                   Not configured
Priority               at the next master election    Automatic
Alternate IP Address   immediately                    Not configured
Stack MAC              at boot time                   Not configured
Stacking protocol      at boot time                   Standard
Stacking parameters, such as mode, slot number, etc., can be configured from a single unit in the stack
topology. You can change the stacking-specific configuration even when a node is not in stacking mode
but is connected to the stack. The target node for the configuration must be powered on and running a
version of ExtremeXOS that supports stacking. Further, the node need not be in stacking mode and can
be in any node role.
Most ExtremeXOS configuration parameters are not stored in NVRAM, but are instead stored in a
configuration file. Configurations stored in NVRAM are those that are needed when the configuration
file is not available. The configuration file chosen for the stack is the one selected on the master node
that is first elected after a stack restart.
The data (non-stacking) port numbers, in the existing configuration files (which were created when not
in stacking mode), are simple integer quantities. On a stack, the data port numbers are expressed as
slot:port; where the slot is an integer representing the slot and port is an integer representing the port.
For example: 1:2. The configuration file contains an indication that it was created on a stackable switch
in stacking mode. The indication is the stacking platform ID.
Thus when in stacking mode, the ports are referenced in the configuration file with the slot:port
notation and when not in stacking mode, the ports are referenced as simple integers.
When the stack restarts, if a switch becomes the master and its selected configuration file was not
created in stacking mode, the configuration file is de-selected, and the stack completes its restart using a
default configuration. In addition, if the previously selected file was named with one of the default
names (primary.cfg or secondary.cfg), the file is renamed to old_non_stack.cfg.
Similarly, if a switch is configured not to operate in stacking mode and the selected configuration file
was created in stacking mode, the configuration file is de-selected, and the switch boots with a default
configuration. In addition, if the file was named with one of the default names (primary.cfg or
secondary.cfg), the file is renamed to old_stack.cfg.
The renamed file replaces any file that exists with the same name; the existing file is deleted.
Understanding Stacking Link Overcommitment
The stack is formed by each node supplying a pair of full-duplex, logical stacking ports. Most Summit
switches provide 2 physical stacking ports, but the Summit X650 switch with the VIM1-SummitStack512
option card provides 4 physical stacking ports that function as 2 logical stacking ports.
Each node can operate on a stack with full duplex throughput up to the following limits:
● 512 Gbps: Summit X650 switches with VIM1-SummitStack512 option card
● 256 Gbps: Summit X650 switches with VIM1-SummitStack256 option card
● 160 Gbps:
  - Summit X480 switches with VIM3-40G4X option card
  - Summit X650 switches with VIM3-40G4X option card
  - Summit X670V switches with VIM4-40G4X option card
● 128 Gbps: Summit X480 switches with VIM2-SummitStack128 option card
● 80 Gbps:
  - Summit X460 switches with SummitStack V80 option card
  - Summit X480 switches with VIM2-SummitStack-V80 option card
  - Summit X650 switches with VIM3-40G4X option card
  - Summit X670V switches with VIM4-40G4X option card
● 40 Gbps:
  - Summit X440 switches
  - Summit X460 switches with SummitStack option card
  - Summit X480 switches with VIM2-SummitStack
  - Summit X650 switches with VIM1-SummitStack or VIM1-10G8X option card
  - All other stackable Summit switches
NOTE
When the VIM1-SummitStack512 option is installed in a Summit X650 switch, the Summit X650 switch can
connect to only one other Summit X650 switch with an installed VIM1-SummitStack512. If you remove a cable
between the two VIM1-SummitStack512 option cards, the stack fails. The cabling is unique to this back-to-back
configuration and is described in the Summit Family Switches Hardware Installation Guide.
Even though two links are available, the links might not be fully utilized. For example, suppose there is
a ring of eight nodes and the nodes are numbered clockwise from 1 to 8. The stacking port limit in this
example is 10 Gbps in each direction for a total stack throughput of 20 Gbps for each port, or 40 Gbps
total. Suppose node 1 wants to send 10 Gbps of unicast traffic to each of node 2 and node 3. The
shortest path topology forces all traffic from node 1 over the link to node 2. Traffic from node 1 to node
3 passes through node 2. Thus, there is only 10 Gbps link available. However, if node 1 wanted to send
10 Gbps to node 2 and node 8, there would be 20 Gbps available because both links connected to node 1
would be used.
In a ring of eight nodes, between any two nodes (with one exception), only one link is used. If the
devices provide 48 1 Gbps Ethernet ports, the overcommitment ratio between two such nodes is
approximately 5:1. The exception is if there is an equal distance between the nodes. In this case, if both
nodes are 48-port nodes, the nodes are grouped into two groups of 24 ports (by the hardware
architecture), and thus it is possible to use both directions around the stack.
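The eight-node ring example above, worked through as an added Python sketch (not taken from the ExtremeXOS documentation): it routes each flow over the shortest path, totals the offered load per directed stack link, and reports how much traffic fits. The function names, the even split over both directions when the two paths are equally long, and the proportional scaling on an oversubscribed link are assumptions made for this illustration.

```python
"""Shortest-path forwarding on a stacking ring: which links carry which flows."""
from collections import defaultdict
from fractions import Fraction


def ring_paths(src, dst, n):
    """Shortest path(s) from src to dst on a ring of n nodes numbered 1..n
    clockwise. Each path is a list of directed links (from_node, to_node).
    Two paths are returned only when both directions are equally long."""
    if src == dst or not (1 <= src <= n and 1 <= dst <= n):
        raise ValueError("src and dst must be distinct nodes in 1..n")
    cw_hops = (dst - src) % n
    ccw_hops = n - cw_hops

    def walk(step, hops):
        links, node = [], src
        for _ in range(hops):
            nxt = (node - 1 + step) % n + 1  # wrap around 1..n
            links.append((node, nxt))
            node = nxt
        return links

    if cw_hops < ccw_hops:
        return [walk(+1, cw_hops)]
    if ccw_hops < cw_hops:
        return [walk(-1, ccw_hops)]
    return [walk(+1, cw_hops), walk(-1, ccw_hops)]  # equal distance


def link_loads(flows, n):
    """flows: iterable of (src, dst, gbps). Returns {directed link: offered Gbps}.
    Assumption: a flow between equidistant nodes is split evenly over both paths."""
    loads = defaultdict(Fraction)
    for src, dst, gbps in flows:
        paths = ring_paths(src, dst, n)
        share = Fraction(gbps) / len(paths)
        for path in paths:
            for link in path:
                loads[link] += share
    return dict(loads)


def deliverable_gbps(flows, n, link_gbps):
    """Total Gbps that fits. Assumption: an oversubscribed link scales every
    flow crossing it by capacity/load, and a flow is limited by its worst link."""
    loads = link_loads(flows, n)
    cap = Fraction(link_gbps)
    total = Fraction(0)
    for src, dst, gbps in flows:
        paths = ring_paths(src, dst, n)
        share = Fraction(gbps) / len(paths)
        for path in paths:
            factor = min(min(Fraction(1), cap / loads[link]) for link in path)
            total += share * factor
    return total


def overcommit_ratio(ports, port_gbps, link_gbps):
    """Front-panel capacity of one node divided by the single stack link in use."""
    return Fraction(ports * port_gbps, link_gbps)


if __name__ == "__main__":
    N, LINK = 8, 10  # eight-node ring, 10 Gbps per direction per stacking port
    cases = {
        "node 1 -> nodes 2 and 3": [(1, 2, 10), (1, 3, 10)],
        "node 1 -> nodes 2 and 8": [(1, 2, 10), (1, 8, 10)],
        "node 1 -> node 5 (equal distance)": [(1, 5, 20)],
    }
    for name, flows in cases.items():
        busiest = max(link_loads(flows, N).items(), key=lambda kv: kv[1])
        print(f"{name}: busiest link {busiest[0]} offered {busiest[1]} Gbps, "
              f"deliverable {deliverable_gbps(flows, N, LINK)} Gbps")
    print("48 x 1 Gbps ports over one 10 Gbps link:",
          float(overcommit_ratio(48, 1, 10)), ": 1")
```
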
About Stack Logging Messages
Each node can generate log messages through the usual logging mechanism.
On backup and standby nodes, a log target and related filter is automatically installed. The log target is
the master node. The filter allows all messages that have a log level of warning, error, or critical to be
saved in the log file of the master node.
If the master node changes, the log target is updated on all the remaining nodes.
You can also log in to any node in the active topology and see the complete log of the node.
About QoS in Stacking
Each stack uses QoS on the stacking links to prioritize the following traffic within the stack:
● Stack topology control packets
● ExtremeXOS control packets
● Data packets
For stack performance and reliability, the priority of control packets is elevated over that of data
packets. This is done to prevent control packet loss and avoid the timed retries that can lower
performance. It is also done to prevent unneeded stack topology changes that can occur if enough stack
topology information packets are lost. For these reasons, the SummitStack feature reserves one QoS
profile to provide higher priority to control packets. The following sections describe how QoS
behaves differently in a stack:
● QoS Profile Restrictions on page 150
● QoS Scheduler Operation on page 150
● Processing of Packets Received With 802.1p Priority 6 on page 150
● Effects on 802.1p Examination on page 150
● Effects on DiffServ Examination on page 151
● Effects on Port QoS and VLAN QoS on page 151
QoS Profile Restrictions
In stacking mode, CoS level 6 (which is hardware queue 6) is reserved for stacking, so you cannot create
quality profile QP7. Because QP7 cannot be created, you cannot use hardware queue 6 to assign CoS
level 6 to a packet. However, you can assign packets received with 802.1p priority 6 to a QoS profile
using the technique described in “Processing of Packets Received With 802.1p Priority 6” on page 150.
NOTE
This restriction is applicable only when the stackable switch is operating in stacking mode.
QoS Scheduler Operation
In stacking mode, the QoS scheduler operation is different for the stacking ports and the data ports. The
scheduler for the data ports operates the same as for standalone Summit family switches and is
managed with the following command:
configure qosscheduler [strict-priority | weighted-round-robin | weighted-deficit-round-robin]
The scheduler for the stacking ports is defined by the software when the stack is configured, and it
cannot be modified. For all switches, the scheduler is set to strict-priority for the stacking ports, and
meters are used to elevate the queue 6 priority above the priority of the other queues. This is the only
scheduling method for stack ports.
Processing of Packets Received With 802.1p Priority 6
By default, 802.1p examination is turned on. Priority 7 is mapped to QoS profile QP8, and priorities 6
through 0 are mapped to QoS profile QP1. You can create other QoS profiles and can change this
mapping as needed. Since you cannot create QP7 in stacking mode, 802.1p examination always maps
packets with priority 6 to other CoS levels. However, you can use an ACL rule entry to set the 802.1p
egress value to 6 without affecting the QoS profile assignment as shown in the example below:
entry VoIPinSummitStack {
    if {
        IP-TOS 46;
    } then {
        replace-dot1p-value 6;
    }
}
Effects on 802.1p Examination
You can turn off 802.1p examination. When stacking is enabled, the examination remains turned on for
priority 6. However, the examination happens at a lower precedence than that of all other traffic
groupings.
The mapping you have configured for priority 6 remains in effect, and changes accordingly if you
subsequently change the mapping.
When stacking is not enabled, all 802.1p examination is disabled when the feature is turned off.
Effects on DiffServ Examination
When DiffServ examination and 802.1p examination are both turned off, the 802.1p examination for
packets arriving at 802.1p priority level 6 remains on at the lowered precedence. In addition, the
examination is adjusted to apply to all packets. The actual priority levels that are used for such packets
are the defaults (QP1), or the values last configured using the configure dot1p type
<dot1p_priority> {qosprofile} <qosprofile> command.
Effects on Port QoS and VLAN QoS
Port QoS and VLAN QoS have a higher precedence than the 802.1p priority examination performed
when the 802.1p examination feature is turned off, and are therefore unaffected.
About Power Management and Power Over Ethernet on Stacking
The power management for Power over Ethernet (PoE) is applicable only if there are one or more
Summit X440-24p, X460-XXp, X450e-XXp or X250e-XXp switches on the stack.
Each Summit X250e-XXp, X440-24p, X450e-XXp, or X460-XXp switch is equipped with its own
independent power supply that provides power for the PoE ports on that switch. Power is not shared
with other switches in the stack.
PoE configuration and status are maintained on the master node. Configuration information is sent by
the master to the hardware on each PoE capable switch to be controlled by the local PoE hardware on
that switch. Status is gathered on the master by querying the PoE hardware on each switch.
The power supply for each Summit X450e-24p or X460-24p switch is capable of providing a full 15.4
watts per PoE port for all 24 ports. The following power management CLI commands are not supported
on Summit X450e-24p switches:
● configure inline-power priority [critical | high | low] ports <port_list>
● configure inline-power disconnect-precedence [deny-port | lowest-priority]
The Summit X450e-48p switches contain an optional external modular Power Supply Unit (PSU) that
can provide redundant PoE power or full PoE power to all ports depending on the EPS-C/EPS600LS
configuration.
When using the EPS-C/EPS600LS, the PoE capability of the Summit X450e-48p switch varies depending
on the number of power modules present.
The following stacking CLI commands are applicable only to Summit X450e-48p switches:
● configure inline-power disconnect-precedence [deny-port | lowest-priority]
● configure inline-power priority [critical | high | low] ports <port_list>
● unconfigure inline-power disconnect-precedence
● unconfigure inline-power priority ports [all | <port_list>]
● show power slot
These commands are available in stacking mode and only function on a slot that contains Summit
family switches that support PoE and PoE+.
About Stacking Node Roles, Redundancy, and Failover
ExtremeXOS supports control plane redundancy and hitless failover. A stack supports control plane
redundancy and hitless failover. Hitless failover is supported to the extent that the failing master node
and all of its ports are operationally lost, including the loss of supplied power on any PoE ports that the
node provided, but all other nodes and their provided ports continue to operate. After the failover, the
backup node becomes the master node.
At failover time, a new backup node is selected from the remaining standby nodes that are configured
to be master capable. All operational databases are then synchronized from the new master node to the
new backup node. Another hitless failover is possible only after the initial synchronization to the new
backup node has completed. This can be seen using the show switch {detail} command on the
master node and noting that the new backup node is In Sync.
When a backup node transitions to the master node role, it activates the Management IP interface that is
common to the whole stack. If you have correctly configured an alternate management IP address, the
IP address remains reachable.
When a standby node is acquired by a master node, the standby node learns the identity of its backup
node. The master node synchronizes a minimal subset of its databases with the standby nodes.
When a standby node loses contact with both its acquiring master and backup nodes, it reboots.
A master node that detects the loss of an acquired standby node indicates that the slot the standby node
occupied is now Empty and flushes its dynamic databases of all information previously learned about
the lost standby node.
A backup node restarts if the backup node has not completed its initial synchronization with the master
node before the master node is lost. When a backup node transitions to the master node role and detects
that the master node has not already synchronized a minimal subset of its databases with a standby
node, the standby node is restarted.
Reboot or Failure of a Non-Master Node
If a backup node fails, a standby node configured as master-capable is elected as the new backup. That
new backup node is then synchronized to the databases of the master node.
For all non-master nodes, a node that reboots or is power cycled loses all of its connections to all
networks for the duration of the reboot cycle. Any PoE ports that were providing power prior to the
event do not supply power.
When a non-master node fails, the master node marks the related slot as Empty. All other nodes exclude
the failed node from the control path and any customer-configured VLANs, trunk group ports,
mirroring ports, and so forth.
About the Failsafe Account on SummitStack Nodes
The failsafe account is a special user account that is set up in the default configuration (see “Failsafe
Accounts” on page 56). The failsafe account functions even when there is no master node in the stack.
By default, the failsafe account can only be accessed through the console port of a node. The failsafe
account cannot be deleted, but you can modify the user ID and password (see “Configuring the Failsafe
Account on a Stack” on page 183).
Logging into a Stack
You can log into any node in a stack. However, you can control more stack features when you log into
the master. The following guidelines describe the options available to you when you log into different
nodes:
● On master nodes, all features supported by the switch license operate correctly.
● On backup nodes, most show commands show correct data for the active stack. For example, show
  vlan {virtual-router <vr-name>} shows all configured VLANs.
● On all non-master nodes, most of the configuration commands are rejected. However, the failsafe
  account, enable license, and stacking configuration commands work on any node.
● On standby nodes, most show commands do not show correct data for the current stack operation.
  However, the show switch {detail}, show licenses, and all show stacking commands show
  correct data.
● If a node is connected to the stack and stacking is not enabled, you can still configure stacking
  features on that node.
The login security that is configured on the master node applies when logging into any node in the
active topology. This includes any active node that is present in a slot. A node that is disabled for
stacking is its own master, and uses its own security configuration.
You can log in to a SummitStack node using the following methods:
● Console connection to any node
● Management connection to the master
● Management connection to a standby node
● Telnet session over the stack from any active node to any other node in the same active topology
Logging in Through the Console Port
You can use the console port on any switch to manage the stack. If you connect to the master node, you
can configure and manage the stack. If you connect to a non-master node, you can view node status and
configure only a few options from the node to which you are connected. However, you can use the
telnet feature to connect to another node and manage that node as if you were connected to it (see
“Logging Into a Node From Another Node” on page 154).
Logging in from the Management Network
The management network is an Ethernet network to which the management port of each switch
connects. The primary management IP address is assigned to the master node. You can use a terminal
emulation program and this IP address to connect to the master for configuration and management.
The alternate management IP addresses allow you to connect to individual nodes from your
management network. During normal operation, you connect to the stack using the primary
management IP address. However, if the stack is split, you can use the alternate management IP address
to connect to the other half of the stack. For more information, see “Configuring an Alternate IP
Address and Gateway” on page 180.
After you log in to a master or standby node through the management network, you can telnet to any
other node and control that node as if you were directly connected to it. For more information, see
“Logging Into a Node From Another Node” on page 154.
Logging Into a Node From Another Node
You may log into any node in the active topology from any other node in the same active topology. If
you do not know the slot number of the node to which you want to connect, enter the show slot
command. You can telnet to any switch that appears in the show slot command display.
NOTE
If the node to which you want to connect does not appear in the show slot {<slot> {detail} |
detail } command display, you can connect to the node through its console port or management port.
You have the most control over the stack when you log in to the master. To determine which node is the
master, use the command show stacking.
To telnet to another node, enter the command:
telnet slot <slot-number>
When prompted, log in normally. The switches must be active in the stack for this command to
function.
The telnet slot <slot-number> command accepts a slot number in stacking mode. When the telnet
program accepts a connection from another node in the stack, it performs security validation. The
master node validates all login security information (except for the failsafe account), regardless of the
node into which you are attempting to establish a login. If you are not able to log in using your user
credentials, use the failsafe account to log in.
Stack Configuration Guidelines
The following sections provide guidelines for configuring a stack:
● General Stack Configuration Guidelines on page 154
● Summit X460 Stack Configuration Guidelines on page 155
● Summit X480 Stack Configuration Guidelines on page 156
● Summit X650 Stack Configuration Guidelines on page 157
● Summit X670 Stack Configuration Guidelines on page 157
General Stack Configuration Guidelines
Before deploying a new stack, consider the following guidelines:
● Plan to use the stack as if it were a single multi-slot switch. You need to decide the number and type
  of stackable switches in the stack and how the stack ports will be connected to the network.
● Physically locate the intended master and backup nodes adjacent to each other, and plan to directly
  connect these nodes to each other so that ExtremeXOS application synchronization traffic is localized
  to a single stack link.
● Use stacking cables to interconnect the stack nodes into a ring topology (see “SummitStack
  Topologies” on page 143). Only include the nodes that are intended to be active in the stack. To see
  the recommended procedures for installing and interconnecting a stack, refer to the Summit Family
  Switches Hardware Installation Guide.
● You can physically connect the stack to your networks before the nodes are configured. However, the
  default configuration on a non-stacking mode switch assumes a default untagged VLAN that
  contains all switch ports. When first powered on, the switch acts as a Layer 2 switch, possibly
  resulting in network loops.
● Make sure all nodes support the SummitStack feature (see Appendix A, “Feature License Requirements”)
  and are running the same ExtremeXOS software version. To view the ExtremeXOS software version
  on a node, restart the node and run the command show version {detail | process <name> |
  images {partition <partition>} {slot <slotid>} }. If any of the nodes do not have the right
  version, install the correct version on that switch. Extreme Networks recommends that you use the
  same image partition on all nodes. Once stacking is enabled, image upgrade from the stack is
  possible only if the same image is selected on all nodes.
● If you intend to deploy new units that might be part of a stack in the future, you might want to turn
  on stacking mode during initial deployment to avoid a future restart. The only disadvantages of
  stacking mode are the loss of QoS profile QP7 and the reservation of some of the packet buffer space
  for stacking control traffic.
● You can configure the stack by logging into the master or any of the other nodes. For more
  information, see “Logging into a Stack” on page 153.
● If the master-capable stackable switches have different purchased license levels, you might need to
  configure license level restrictions on some nodes before those nodes can join the stack (see
  “Managing Licenses on a Stack” on page 184).
● If the stack supports any feature pack license (such as MPLS or Direct Attach), that feature pack
  license must be installed on all master capable nodes to support that feature and prevent traffic
  interruption if a failover event occurs.
● Most stacking specific configurations are effective only after a restart (see Table 22). However, most
  non-stacking configuration commands take effect immediately and require no restart.
● A basic stack configuration can be achieved by using the procedure described in “About Easy Setup”
  on page 158.
NOTE
If EAPS, Spanning Tree, or any Layer 2 redundancy protocol is not running on the network, you need to
make sure that your network connections do not form a network loop.
Summit X460 Stack Configuration Guidelines
Before deploying a new stack with Summit X460 switches, consider the following guidelines:
● In a stack that contains Summit X460 switches and other Summit switch models, a Summit X460
  switch might provide more memory and more features than other Summit switch models, and this
  affects master node selection, backup node selection, and failover operation. Before configuring a
  stack with Summit X460 switches and other Summit switch models, review “Configuring the Master,
  Backup, and Standby Roles” on page 175.
● To use the failover feature in the stack, a second Summit X460 is required, and it must be the backup
  node.
● Beginning with ExtremeXOS Release 12.5.1, only the master and master capable nodes require a
  license to support special features such as MPLS.
● If the MPLS feature pack is installed on the master capable nodes, the following guidelines apply:
  - Each stack switch must meet the software and hardware requirements listed in Table 142 of
    Appendix A, “Feature License Requirements.”
  - You must configure the enhanced stacking protocol on each Summit family switch.
  - Although you can mix Summit X460, X480, and X670 switches in a stack, Extreme Networks
    recommends that you do not mix these switch types if the desired routing table exceeds the
    supported limit for the Summit X460 switch, which is 12,256 IPv4 LPM routes.
● Summit X460 switches support multiple types of stacking cables for connection between Summit
  X460 compatible SummitStack option cards and other Summit switches. For information on which
  cables to use with each type of Summit family switch, see the Summit Family Switches Hardware
  Installation Guide.
● When a SummitStack option card is installed in a Summit X460 switch, the switch prompt remains
  unchanged.
NOTE
When MPLS is enabled on a stack, you can add only MPLS-compatible Summit family switches to the
stack.
Summit X480 Stack Configuration Guidelines
Before deploying a new stack with Summit X480 switches, consider the following guidelines:
● In a stack that contains Summit X480 switches and other Summit switch models, a Summit X480
  switch might provide more memory and more features than other Summit switch models, and this
  affects master node selection, backup node selection, and failover operation. Before configuring a
  stack with Summit X480 switches and other Summit switch models, review “Configuring the Master,
  Backup, and Standby Roles” on page 175.
● To use the failover feature in the stack, a second Summit X480 is required, and it must be the backup
  node.
● Beginning with ExtremeXOS Release 12.5.1, only the master and master capable nodes require a
  license to support special features such as MPLS.
● If the MPLS feature pack is installed on the master capable nodes, the following guidelines apply:
  - Each stack switch must meet the software and hardware requirements listed in Table 142 of
    Appendix A, “Feature License Requirements.”
  - You must configure the enhanced stacking protocol on each Summit family switch.
  - Although you can mix Summit X460, X480, and X670 switches in a stack, Extreme Networks
    recommends that you do not mix these switch types if the desired routing table exceeds the
    supported limit for the Summit X460 switch, which is 12,256 IPv4 LPM routes.
● Summit X480 switches support multiple types of stacking cables for connection between
  Summit X480 compatible SummitStack option cards and other Summit switches. For information on
  which cables to use with each type of Summit family switch, see the Summit Family Switches
  Hardware Installation Guide.
● The switch prompt reflects the installed VIM in parentheses as shown in the following examples:
  - Summit X480-48t switch with no VIM installed: X480-48t.
  - Summit X480-48t switch with VIM2-SummitStack installed: X480-48t(SS).
  - Summit X480-48t switch with VIM2-SummitStack-V80 installed: X480-48t(SSV80).
  - Summit X480-48t switch with VIM2-SummitStack128 installed: X480-48t(SS128).
  - Summit X480-48t switch with VIM2-10G4X installed: X480-48t(10G4X).
Summit X650 Stack Configuration Guidelines
Before deploying a new stack with Summit X650 switches and no Summit X480 switches, consider the
following guidelines:
● In a stack that contains Summit X650 switches and other Summit switch models, a Summit X650
  switch might provide more memory and more features than other Summit switch models, and this
  affects master node selection, backup node selection, and failover operation. Before configuring a
  stack with Summit X650 switches and other Summit switch models, review “Configuring the Master,
  Backup, and Standby Roles” on page 175.
● Summit X650 switches support multiple types of stacking cables for connection between Summit
  X650 compatible SummitStack option cards and other Summit switches. For information on which
  cables to use with each type of Summit family switch, see the Summit Family Switches Hardware
  Installation Guide.
● Connection between a Summit X650 switch with an installed VIM1-SummitStack256 option card and
  a Summit X650 switch with an installed VIM1-SummitStack512 option card is not supported.
● When the VIM1-SummitStack512 option is installed in a Summit X650 switch, the Summit X650
  switch can connect to only one other Summit X650 switch with an installed VIM1-SummitStack512.
  If you remove a cable between the two VIM1-SummitStack512 option cards, the stack fails. The
  cabling is unique to this back-to-back configuration and is described in the Summit Family Switches
  Hardware Installation Guide.
NOTE
For information on upgrading Summit X650 switches to use the VIM1-SummitStack512 option card, see
“Upgrading a Summit X650 with a VIM1-SummitStack512” on page 204.
Summit X670 Stack Configuration Guidelines
Before deploying a new stack with Summit X670 switches, consider the following guidelines:
● In a stack that contains Summit X670 switches and other Summit switch models, a Summit X670
  switch might provide more memory and more features than other Summit switch models, and this
  affects master node selection, backup node selection, and failover operation. Before configuring a
  stack with Summit X670 switches and other Summit switch models, review “Configuring the Master,
  Backup, and Standby Roles” on page 175.
● To use the failover feature in the stack, a second Summit X670 is required, and it must be the backup
  node.
● Only the master and master capable nodes require a license to support special features such as
  MPLS.
● If the MPLS feature pack is installed on the master capable nodes, the following guidelines apply:
  - Each stack switch must meet the software and hardware requirements listed in Table 142 of
    Appendix A, “Feature License Requirements.”
  - You must configure the enhanced stacking protocol on each Summit family switch.
  - Although you can mix Summit X460, X480, and X670 switches in a stack, Extreme Networks
    recommends that you do not mix these switch types if the desired routing table exceeds the
    supported limit for the Summit X460 switch, which is 12,256 IPv4 LPM routes.
● Summit X670V switches support multiple types of stacking cables for connection between the
  VIM4-40G4X option card and other Summit switches. For information on which cables to use with each
  type of Summit family switch, see the Summit Family Switches Hardware Installation Guide.
NOTE
For information on upgrading Summit X670 switches to use the VIM4-40G4x option card, see “Upgrading a
Summit X670V Switch with a VIM4-40G4x Option Card” on page 207.
Configuring a New Stack
The following sections provide information on configuring a new stack:
● About Easy Setup on page 158
● Configuration Procedure on page 159
● Example: Deploying a New Stack on page 160
About Easy Setup
Using easy setup, you can configure a stack without entering many of the stacking CLI commands. The
easy setup procedure creates a stack with a master and a backup. The remaining nodes are configured
with the master capability disabled. Easy Setup provides you an easy way to configure the required
stacking parameters for all nodes.
To avoid an additional stack reboot, Extreme Networks recommends that you configure the following
stack related features before invoking easy setup:
● Stacking license restriction (see “Managing Licenses on a Stack” on page 184).
● SummitStack-V (see “Using Ethernet Ports for Stacking (SummitStack-V)” on page 167).
● VIM3-40G4X port configuration (see “Configuring Stacking Port Operation with the VIM3-40G4X
  Option Card” on page 170).
● VIM4-40G4X port configuration (see “Configuring Stacking Port Operation with the VIM4-40G4X
  Option Card” on page 170).
● Enhanced protocol for MPLS support on a stack (see “Selecting the Stacking Protocol” on page 171).
The configuration procedure described in the next section starts easy setup. You can also start easy
setup by entering the configure stacking easy-setup command.
Easy setup performs the functions of the following commands required to configure and activate a ring
topology stack:
enable stacking
configure stacking slot-number automatic
configure stacking mac-address
configure stacking redundancy minimal
configure stacking protocol
reboot stack-topology
In a daisy chain topology (which is not recommended), easy setup designates the node at the beginning
of the chain as the master, and executes the above commands with the following command change:
configure stacking redundancy none.
Configuration Procedure
To configure a new stack:
1 Physically connect the nodes using the stacking ports. Instructions for setting up the stacking
hardware are provided in the Summit Family Switches Hardware Installation Guide.
NOTE
To complete the cabling, you must install any option cards you plan to use.
2 Power on the nodes.
3 If you are using a Summit X650V switch with the VIM3-40G4X option card, configure the stacking
port speed and partition as described in “Configuring Stacking Port Operation with the VIM3-40G4X
Option Card” on page 170.
4 If you are using a Summit X670V switch with the VIM4-40G4X option card, configure the stacking
port speed and partition as described in “Configuring Stacking Port Operation with the VIM4-40G4X
Option Card” on page 170.
5 If needed, enable the switch stacking ports as described in “Enabling and Disabling Stacking
Support for Summit X650 and X670 Switches” on page 166.
6 If the stack will use the SummitStack-V feature, configure those switches that will use alternate stack
ports as described in “Using Ethernet Ports for Stacking (SummitStack-V)” on page 167.
7 If the stack will use MPLS, the stack must contain only Summit X460, X480, and X670 switches, and
you must configure those switches to use the enhanced stacking protocol as described in “Selecting
the Stacking Protocol” on page 171.
8 Log in to any of the nodes through the console port, preferably the one you want to use as the
master. If you plan to use Easy Setup, log into the intended master node.
If the stack is a new stack, the default parameters are in effect.
9 Run the show stacking command to verify the stack. The show stacking command should display
all nodes in the stack. All nodes are in a disabled state and all nodes appear as master nodes.
10 If necessary, configure a license level restriction (see “Managing Licenses on a Stack” on page 184).
11 Enable stacking on all nodes. To enable stacking on all nodes, run the command enable stacking
from the master. This command presents you the option of using the Easy Setup procedure, which is
described in “About Easy Setup” on page 158. If you choose this option, skip steps 10-12.
12 Assign slot numbers to all nodes (see “Configuring Slot Numbers” on page 175).
13 Assign a MAC address to the stack (see “Assigning a MAC Address for the Stack” on page 177).
14 (Optional) Configure node priorities on each slot (see “Configuring the Master, Backup, and Standby
Roles” on page 175).
15 (Optional) Disable the master capability on selected nodes (see “Configuring Master-Capability” on
page 179).
16 Restart the stack using the command reboot stack-topology.
The configuration is set to default values while entering the stacking mode, so all previously entered
configuration information (except for the NVRAM-based stacking parameters, selected image, and
failsafe account information) is not available.
17 Log in to the intended master node and verify the stack using show stacking, show slot, and show
stacking configuration commands. If the stack configuration is successful:
  ● All nodes are visible in the stack.
  ● All nodes move to the active state.
  ● Some time after the nodes become active, each node is present in the configured slot.
  ● After the roles are finalized, you can see one master node, one backup, and a set of standby
    nodes.
18 Verify that the master node is the one you intended to be the master.
19 (Optional) Configure an alternate management IP address on each node (see “Configuring an
Alternate IP Address and Gateway” on page 180).
20 Configure a management IP network.
21 Configure other normal parameters such as VLANs, IP subnetworks, trunk groups, and so forth.
22 Save the configuration (see “Saving the Configuration” on page 183).
Example: Deploying a New Stack
This section provides an example of deploying a new stack with 8 nodes, which are numbered Node 1
through Node 8. Node 1 is assigned to slot 1 and becomes the master. Node 2 is assigned to slot 2 and
becomes the backup node. Node 3 to Node 8 are assigned slots 3 to 8, respectively, and become standby
nodes.
Before you begin the configuration, log in to the nodes and get the following information if you do not
already have it:
● The software release installed on the node (show version {detail | process <name> | images
{partition <partition>} {slot <slotid>} } command)
● The image selected (all nodes need to be operating from the same selected image). By default, new
nodes have the primary image selected.
● The purchased license information (show licenses command)
Also, while logged into each node, if you plan to use the SummitStack-V feature, configure the required
alternate ports on that node or enable stacking-support as required (see “Using Ethernet Ports for
Stacking (SummitStack-V)” on page 167).
For this example, assume that all nodes except node 8 have a purchased Advanced Edge license level,
and that node 8 has a purchased license level of Edge.
To deploy the stack:
1 Power up all nodes, if you have not already done so.
2 Log in to Node 1. The safe-default-script may be displayed at this time. If so, for now, accept the
default answer to each question.
3 Run the show stacking command.
* X450a-24x.1 # show stacking
Stack Topology is a Ring
This node is not in an Active Topology
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:6c:df -    Disabled    Master  ---
 00:04:96:26:6c:e3 -    Disabled    Master  ---
 00:04:96:26:6b:e4 -    Disabled    Master  ---
 00:04:96:26:6b:f7 -    Disabled    Master  ---
 00:04:96:26:6b:ed -    Disabled    Master  ---
 00:04:96:26:6b:ec -    Disabled    Master  ---
 00:04:96:26:6d:1f -    Disabled    Master  ---
 00:04:96:26:6a:e9 -    Disabled    Master  ---
* - Indicates this node
Flags: (C) Candidate for this active topology, (A) Active Node
       (O) node may be in Other active topology
* X450a-24x.2 #
The stack topology is a ring and all the nodes are present in the stack. Node 1 is at the top and Node
8 at the bottom. The asterisk (*) before a node in the above display indicates the node to which you
have logged in.
4 Display a summary of the configurations of all nodes in the stack using the command show
stacking configuration:
* X450a-24x.2 # show stacking configuration
Stack MAC in use: <none>
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6c:df 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6c:e3 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6b:e4 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6b:f7 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6b:ed 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6b:ec 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6d:1f 1   -   Auto <none>             <none>          -c------- --
 00:04:96:26:6a:e9 1   -   Auto <none>             <none>          -c------- --
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
       configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
       (c) Core, (a) Advanced edge, or (e) Edge configured,
       (-) Not in use or not configured
Since this example uses new nodes, the factory defaults are displayed.
5 Configure a license restriction of Edge so that node 8 can come up in the stack.
* X450a-24x.7 # configure stacking license-level edge
This command will take effect at the next reboot of the specified node(s).
Note that it is preferable to upgrade the license of node 8 instead of restricting the license level of the
entire stack as is shown here.
6 From the master, use the Easy Setup option to enable stacking on all nodes.
* X450a-24x.3 # enable stacking
You have not yet configured all required stacking parameters.
Would you like to perform an easy setup for stacking operation? (y/N) Yes
Executing "configure stacking easy-setup" command...
For every node in the 8-node stack, this command will:
- enable stacking
- configure a stack MAC address
- choose and configure a slot number (this node will be assigned to slot 1)
- configure redundancy to minimal (slot 1 will be the master node)
Upon completion, the stack will automatically be rebooted into the new configuration.
Warning: If stacking is already configured, this command will alter that
configuration.
Do you wish to proceed? (y/N) Yes
Stacking configuration is complete.
Rebooting...
After a time the following message appears:
Authentication Service (AAA) on the master node is now available for login.
7 Log in to Node 1. At this time, the normal login security information is set to the defaults, so use the
default admin account with no password to log in.
The safe-default-script starts.
Select the values for normal operation. You may configure the failsafe account now. The failsafe
account user id, password, and other related values are saved in non-volatile storage in all active
nodes.
8 Run the show stacking and show stacking configuration commands to verify the
configuration.
* Slot-1 Stack.1 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:6c:df 1    Active      Master  CA-
 00:04:96:26:6c:e3 2    Active      Backup  CA-
 00:04:96:26:6b:e4 3    Active      Standby CA-
 00:04:96:26:6b:f7 4    Active      Standby CA-
 00:04:96:26:6b:ed 5    Active      Standby CA-
 00:04:96:26:6b:ec 6    Active      Standby CA-
 00:04:96:26:6d:1f 7    Active      Standby CA-
 00:04:96:26:6a:e9 8    Active      Standby CA-
* - Indicates this node
Flags: (C) Candidate for this active topology, (A) Active Node
       (O) node may be in Other active topology
* Slot-1 Stack.2 # show stacking configuration
Stack MAC in use: 00:04:96:26:6c:df
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6c:df 1   1   Auto <none>             <none>          CcEeMm--- Ee
 00:04:96:26:6c:e3 2   2   Auto <none>             <none>          CcEeMm--- Ee
 00:04:96:26:6b:e4 3   3   Auto <none>             <none>          --EeMm--- Ee
 00:04:96:26:6b:f7 4   4   Auto <none>             <none>          --EeMm--- Ee
 00:04:96:26:6b:ed 5   5   Auto <none>             <none>          --EeMm--- Ee
 00:04:96:26:6b:ec 6   6   Auto <none>             <none>          --EeMm--- Ee
 00:04:96:26:6d:1f 7   7   Auto <none>             <none>          --EeMm--- Ee
 00:04:96:26:6a:e9 8   8   Auto <none>             <none>          --EeMm--- Ee
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
       configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
       (c) Core, (a) Advanced edge, or (e) Edge configured,
       (-) Not in use or not configured
The user prompt contains the slot number on which the console session is running. Also notice that
the platform has changed from X450a-24x to Stack. The nodes in the stack have become Active and
have been assigned node roles. The configured slot numbers have become current, and the other
stacking parameters have also taken effect.
9 To see the ExtremeXOS state of each node, run the command show slot on the master:
* Slot-1 Stack.3 # show slot
Slots    Type                 Configured           State       Ports
--------------------------------------------------------------------
Slot-1   X450a-24x                                 Operational 26
Slot-2   X450a-24xdc                               Operational 26
Slot-3   X450a-24tdc                               Operational 26
Slot-4   X450a-24tdc                               Operational 26
Slot-5   X450a-24tdc                               Operational 26
Slot-6   X450a-24tdc                               Operational 26
Slot-7   X450a-24xdc                               Operational 26
Slot-8   X450e-48p                                 Operational 50
* Slot-1 Stack.4 #
10 Configure a block of IP addresses and a gateway for the alternate management IP functionality.
* X450a-24x.8 # config stacking alternate-ip-address 10.66.13.200/24 10.66.13.1 automatic
Choose the block as a subset of addresses in the intended primary management subnet that will be
configured later. Arrange the stack so that the alternate IP addresses assigned to each node are easily
calculated so you can easily find the address to use when you need to log into a severed stack
segment.
There are two methods you can follow:
- Choose the stack IP address, and then allocate a consecutive block of addresses that immediately
follow the stack IP address. For example, if the Mgmt VLAN is configured with the address
10.4.73.8, and if there are three master-capable nodes in the stack, then their alternate IP addresses
could be 10.4.73.9, 10.4.73.10, and 10.4.73.11.
- Use the configured Mgmt VLAN address and the slot number to form the alternate IP address.
For example, if 10.4.73.10 is the Mgmt VLAN address, and you are configuring the alternate IP
address for slot 1, the alternate IP address could be 10.4.73.11; and for slot 8 it could be 10.4.73.18.
11 Configure the management IP address, subnetwork, and gateway (VLAN Mgmt). You can configure
non-stacking parameters such as security information, VLANs, load aggregation, spanning tree, and
routing protocols now.
12 Save the configuration.
Converting a Standalone Node Deployment to a Stack
This section explains how to add a node to a currently deployed standalone (non-stacking) node for
adding ports and centralizing management.
Node 1 is the currently deployed node, and Node 2 is the new node to be used to form a stack of two
nodes.
Before you begin:
● Verify that the ExtremeXOS version running on both stackable switches is version 12.0 or later. Both
the nodes must be running the same ExtremeXOS release.
● Use the show licenses command to verify that the purchased license levels of the switches that
you intend to be master-capable (as potential master or backup nodes) meet your requirements (see
“Managing Licenses on a Stack” on page 184).
● (Only for nodes on which you have not yet configured the SummitStack feature) If you want to
preserve the ExtremeXOS configuration in use on Node 1, use the upload configuration
[<hostname> | <ipaddress>] <filename> {vr <vr-name>} command to retrieve the
configuration in the CLI command format. The file may be used to restore the ExtremeXOS
configuration to the stack after the stacking configuration is complete.
To convert a standalone node to a stack:
1 Connect the stacking ports of the two nodes together to form a ring topology. You can power on
Node 2 before, during, or after the connection.
2 If needed, enable the switch stacking ports as described in “Enabling and Disabling Stacking
Support for Summit X650 and X670 Switches” on page 166.
3 If the stack will use the SummitStack-V feature, configure those switches that will use alternate stack
ports as described in “Using Ethernet Ports for Stacking (SummitStack-V)” on page 167.
4 If the stack will use MPLS, the stack must contain only Summit X460, X480, and X670 switches, and
you must configure those switches to use the enhanced stacking protocol as described in “Selecting
the Stacking Protocol” on page 171.
5 Log into Node 1 (which becomes the master node and slot 1 in the stack).
6 If necessary, configure the stacking license level restriction (see “Restricting a Switch License Level”
on page 186).
7 (Optional) Configure the master node priority (see “Configuring the Master, Backup, and Standby
Roles” on page 175).
8 Enable stacking on both nodes by using the command enable stacking. The choice to run Easy
Setup is offered. If you choose Easy Setup, skip steps 6-9 below.
9 Assign slot numbers to the nodes (see “Configuring Slot Numbers” on page 175).
● You can specify a number for each node manually.
Or
● You can use the automatic slot number assignment.
10 Assign a MAC address to the stack (see “Assigning a MAC Address for the Stack” on page 177).
11 (Optional) Configure stacking redundancy or master-capability as desired (see “Configuring
Master-Capability” on page 179).
12 Restart the stack using the command reboot stack-topology.
13 After the stack reboots, log in to the console port of the master node. At this time, by default, the
user ID is admin and there is no password.
14 Configure the desired safe-default-script parameters when prompted. The failsafe account parameter
configuration is pushed to the nonvolatile memories of both nodes.
15 Use the show stacking and show stacking configuration commands to confirm that the stack is
now configured and operating as expected.
16 (Optional) Configure an alternate management IP address on each node (see “Configuring an
Alternate IP Address and Gateway” on page 180).
To restore the ExtremeXOS configuration, you must first edit the file created during configuration
upload. All port numbers in the file are simple numeric values. You must replace the port number with
slot:port format with slot number set to one (1). Once the file is ready, you can:
● Make sure the file has the extension .xsf (rename if necessary).
● Use TFTP to get the file onto the master node.
● Use the load script <filename> {arg1} {arg2} ... {arg9} command to run the commands
in the file.
● Use the save configuration {primary | secondary | <existing-config> | <new-config>}
command.
If you intend to deploy new units that are not to be stacked, consider whether or not you want to
eventually use them in a stack before you deploy them. If so, you should turn on stacking mode during
initial deployment. If a new node is subsequently added, there is no need to switch the existing node to
stacking mode, and since the existing stacking configuration uses the slot:port numbering format, there
is no need to edit the configuration file. The only disadvantages of deployment in stacking mode are the
inability to use QoS profile QP7 for your traffic and the reservation of some of the packet buffer space
for stacking control traffic.
Stack Configuration Tasks
This section describes how to perform the following configuration tasks:
● Enabling and Disabling Stacking Support for Summit X650 and X670 Switches on page 166
● Using Ethernet Ports for Stacking (SummitStack-V) on page 167
● Configuring Stacking Port Operation with the VIM4-40G4X Option Card on page 170
● Selecting the Stacking Protocol on page 171
● Enabling the Stack on page 171
● Verifying the Configuration on page 172
● Setting the Command Prompt on page 174
● Configuring Slot Numbers on page 175
● Configuring the Master, Backup, and Standby Roles on page 175
● Assigning a MAC Address for the Stack on page 177
● Configuring Master-Capability on page 179
● Configuring an Alternate IP Address and Gateway on page 180
● Configuring the Failsafe Account on a Stack on page 183
● Disabling Stacking on page 183
● Saving the Configuration on page 183
Enabling and Disabling Stacking Support for Summit X650 and X670 Switches
Summit X650 and X670 series switches provide dual-purpose hardware, which can be configured to
support any one of the following configurations:
● Data communications on physical data ports 23 and 24.
● Stacking communications on VIM1-SummitStack Versatile Interface Module (VIM) native stack
ports 1 and 2.
● Stacking communications on physical data ports 23 and 24.
On Summit X650 switches, data communications are enabled on ports 23 and 24 by default. If you want
to add a Summit X650 switch to a stack, you must enable stacking protocol communications by entering
the following command:
enable stacking-support
When the stacking-support option is enabled, data communications stops on ports 23 and 24. If the
VIM1-SummitStack option card is present, the stacking-support option is enabled on native stack ports 1
and 2. If no VIM1-SummitStack option card is installed, the stacking-support option is enabled on
ports 23 and 24.
NOTE
When you enable the stacking-support option, you are configuring the switch to support the stacking
protocol. To enable stacking protocol operation, you must enter the enable stacking command. For more
information on stacking communications on physical data ports, see “Using Ethernet Ports for Stacking
(SummitStack-V)” on page 167.
To configure the switch data ports to use the Ethernet protocol instead of the stacking protocol, use the
following command:
disable stacking-support
Using Ethernet Ports for Stacking (SummitStack-V)
The SummitStack-V feature allows you to use Ethernet ports that run at 10 Gbps or faster as stacking
ports. This feature allows you to overcome the length limit on the custom stacking cables used with
dedicated or native stack ports. For example, Summit family switches on different floors in a building or
in different buildings on a campus can be connected to form a stack using standard Ethernet cables.
The SummitStack-V feature also allows you to stack switches that have no native stacking ports but do
have at least two Ethernet ports, which can be configured to support either data communications or the
stacking protocol. When these dual-purpose ports are configured to support stacking, they are called
alternate stack ports to distinguish them from the native stack ports that use custom cables.
Alternate stack ports use the ExtremeXOS proprietary stacking protocol, not the standard Ethernet
protocol. This means that the alternate stack ports between two stack switches must be directly
connected, with no intervening switch connections.
Summit family switches that support alternate stack ports have two logical stack ports: Stack Port 1 and
Stack Port 2. Each logical stack port is mapped to one physical data port that operates as an alternate
stack port when the stacking protocol is enabled with the stacking-support option.
When the stacking-support option is enabled, data communications stops on the physical data ports
listed in Table 23. When stacking is enabled (with the enable stacking command), the stacking
protocol for logical stack ports 1 and 2 operates on the physical data ports listed in Table 23.
Table 23: Summit Family Switch Support for Alternate Stack Ports
Summit Switch  Summit Switch  Alternate Port    Alternate Port    Stacking-Support    Stacking Port
Model Number   Option Card    for Stack Port 1  for Stack Port 2  Option Control [a]  Selection Control [b]
-------------  -------------  ----------------  ----------------  ------------------  ---------------------
X450a-24t      XGM2-2xf       25 [d]            26 [c]            No                  Yes
X450a-24tDC    XGM2-2xn
X450a-24x      XGM2-2sf
X450a-24xDC    XGM2-2bt [c]
X450e-24p      None

X450a-48t      XGM2-2xf       49 [c]            50 [c]            No                  Yes
X450a-48tDC    XGM2-2xn
X450e-48p      XGM2-2sf
               XGM2-2bt [b]
               None
Table 23: Summit Family Switch Support for Alternate Stack Ports (Continued)
Summit
Switch Model
Number
X460-48t
X460-48p
X460-24t
X460-24x
X460-24p
Summit Switch Option
Card
XGM3-2sf with either the
XGM3 SummitStack V80
or XGM3 SummitStack
module or neither
X460-48x
Alternate
Port for
Stack
Port 1
Alternate
Port for
Stack
Port 2
StackingSupport
Option
Controla
Stacking
Port
Selection
Controlb
S1c
S2c
No
Yes
S1c
S2c
No
Yes
S1c
S2c
No
Yes
S3
S4
Yes
No
E4G-400
X480-48t
X480-48x
X480-24x
X650-24x
X650-24te
VIM2-10G4X
VIM2-SummitStack
N/A
N/A
N/A
N/A
VIM2-SummitStack-V80
N/A
N/A
N/A
N/A
VIM2-SummitStack128
N/A
N/A
N/A
N/A
None
N/A
N/A
N/A
N/A
VIM2-10G4X
S3
S4
Yes
No
VIM2-SummitStack
25
26
No
Yes
VIM2-SummitStack-V80
25
26
No
Yes
VIM2-SummitStack128
25
26
No
Yes
None
25
26
Yes
No
VIM1-10G8X
31
32
No
Yes
VIM3-40G4X
23
24
Yes
Yes
VIM1-SummitStack
24
23
Yes
Yes
VIM1-SummitStack256
24
23
No
Yes
VIM1-SummitStack512
N/A
N/A
N/A
N/A
VIM1-10G8X
31
32
No
Yes
VIM3-40G4X
23
24
Yes
Yes
VIM1-SummitStack
23
24
Yes
Yes
VIM1-SummitStack256
23
24
No
Yes
VIM1-SummitStack512
N/A
N/A
N/A
N/A
X670-48x
None
47
48
Yes
Yes
X670V-48x
VIM4-40G4X
47
48
Yes
Yes
a. To operate in a stack, the enable stacking-support command must be entered for switch configurations for which this
column displays Yes.
b. The configure stacking-support stack-ports command is supported only on Summit switch configurations for which this
column displays Yes.
c. SummitStack-V requires XGM2-2bt version 4 or later option cards.
d. This alternate port number requires an installed option card. You can configure the port without the option card, but the
configuration does not apply until the switch restarts with the required option card.
e. SummitStack-V requires Summit X650-24t switch version 2 or later.
The following sections describe how to manage the SummitStack-V feature:
● Enabling and Disabling the Stacking-Support Option on page 169
● Selecting Native and Alternate Stack Ports on page 169
Enabling and Disabling the Stacking-Support Option
The stacking-support option is automatically enabled for many Summit switch and option card
configurations. However, some Summit switch and option card configurations require you to enable the
stacking-support option before a switch can participate in a stack. Table 23 indicates which switch and
option cards require you to enable the stacking-support option. If the Stacking-Support Option Control
column in this table displays Yes, the stacking-support option must be enabled before the switch can
join a stack.
To enable the stacking-support option, enter the following command:
enable stacking-support
To configure the switch data ports to use the Ethernet protocol instead of the stacking protocol, use the
following command:
disable stacking-support
Selecting Native and Alternate Stack Ports
On switches that provide both native stack ports and alternate stack ports, you can configure each
logical stack port to use either the native stack port or the alternate stack port. You can configure logical
stack ports to use any of the following physical stack port configurations:
● Two native stack ports
● Two alternate stack ports
● One native stack port and one alternate stack port
For the newer switches with the VIM3-40G4X and VIM4-4, when an alternate stack port is selected, the
corresponding native stack port is automatically disabled and cannot be used.
When the Stacking Port Selection Control column in Table 23 displays Yes for a switch configuration, you
can choose between native and alternate ports. The default selection is the native stack ports. To select
between the native and alternate stack ports, use the following command:
configure stacking-support stack-port [<stack-ports> | all] selection [native {V80 | V160 | V320} | alternate]
To display the SummitStack-V configuration, use the following commands:
show stacking-support
show stacking stack-ports
show stacking {node-address <node-address> | slot <slot-number>} detail
To unconfigure the SummitStack-V feature, use the following command:
unconfigure stacking-support
NOTE
Commands that contain the stacking-support keyword apply to the local switch only. This means that
each switch that is to use alternate stacking ports must be separately configured. When the stack is fully active, you
can use the telnet slot <slot-number> command to log in to another node over the stack to unconfigure
SummitStack-V on that node only. There is no way to intentionally or accidentally unconfigure the stacking-support
options on all nodes in a stack.
Once the SummitStack-V feature has been configured as required on all nodes in a stack, reboot each
node. Then you can use the show stacking stack-ports command to verify that the stack has been
properly connected. Subsequently you can use the stacking commands described in the following
sections to complete the stacking configuration.
Configuring Stacking Port Operation with the VIM3-40G4X Option Card
When the VIM3-40G4X option card is installed, you can use the following ports for stacking:
● The native stacking ports on the VIM3-40G4X option card, which can be configured for an 80 Gbps,
160 Gbps, or 320 Gbps data rate. These ports can also be partitioned to operate as one 40 Gbps data
port or four 10 Gbps data ports.
● The alternate stacking ports, which are defined in Table 23.
To select between the native and alternate stack ports, use the following command:
configure stacking-support stack-port [<stack-ports> | all] selection [native {V80 | V160 | V320} | alternate]
To configure the port partition, use the following command:
configure ports [<port_list> | all] partition [4x10G | 1x40G]
NOTE
After a configuration change, you must restart the switch to use the stacking ports.
Configuring Stacking Port Operation with the VIM4-40G4X Option Card
When the VIM4-40G4X option card is installed, you can use the following ports for stacking:
● The native stacking ports on the VIM4-40G4X option card, which can be configured for an 80 Gbps,
160 Gbps, or 320 Gbps data rate. These ports can also be partitioned to operate as one 40 Gbps data
port or four 10 Gbps data ports.
● The alternate stacking ports, which are defined in Table 23.
To select between the native and alternate stack ports, use the following command:
configure stacking-support stack-port [<stack-ports> | all] selection [native {V80 | V160 | V320} | alternate]
To configure the port partition, use the following command:
configure ports [<port_list> | all] partition [4x10G | 1x40G]
NOTE
After a configuration change, you must restart the switch to use the stacking ports.
The stacking rate of 320Gbps can be used across a stack of X670 (equipped with VIM4-40G4X), X650 or
X480 (equipped with VIM3-40G4X) and future Summits using the QSFP+ connection and cables. This
solution uses two trunked HiGig ports at 40G each for 80 Gbps per stack port. Four 40G HiGig ports
are used on the Trident switch chip for this solution.
320G stack port 1 is formed by trunking VIM4 ports S1 and S3. Similarly, 320G stack port 2 is formed by
trunking VIM4 ports S2 and S4. The following figure shows the VIM4 trunk connection for 320G
stacking:
Figure 7: VIM4 Connection for 320G Stacking
[Figure: VIM4 ports S1, S2, S3, and S4, labeled with Stack Port 1 and Stack Port 2]
Selecting the Stacking Protocol
The Summit X440, X460, X480, X650, and X670 stacking ports can use either the standard or the
enhanced stacking protocol. The default configuration selects the standard stacking protocol. The
enhanced stacking protocol is required for MPLS.
NOTE
You must configure the enhanced stacking protocol on a stack before you can enable MPLS. Although you
can mix Summit X460, X480, and X670 switches in a stack (MPLS is not supported on Summit X650 switches),
Extreme Networks recommends that you do not mix these switch types if the desired routing table exceeds the
supported limit for the Summit X460 switch, which is 12,256 IPv4 LPM routes.
To select the stacking protocol, use the command:
configure stacking protocol [standard | enhanced]
The new protocol selection activates the next time you reboot the switch.
Enabling the Stack
You can enable stacking through the command line interface (CLI).
Use the following command to enable the SummitStack feature on a node:
enable stacking {node-address <node-address>}
● If no parameters are specified, stacking is enabled on all nodes in the stack topology.
● If the node-address parameter is present, stacking is enabled on the node with the specified
node-address. This is the MAC address assigned to the stackable switch by the factory. The enable
stacking command takes effect only after you restart the node.
● A node that is booted with stacking enabled is said to be running in stacking mode.
● If stacking has never been configured or the configuration is inconsistent among the attached nodes,
the command prompts you to perform an easy setup operation. If the easy setup option is not
offered and you want to perform an easy setup, use the configure stacking easy-setup
command.
Use the show stacking configuration command to see the current configuration of this parameter as
well as the value currently in use.
A node that is running in stacking mode attempts to join the active topology. If successful, it then
negotiates a node role with the other nodes in the stack and becomes an operational node in the stack
according to its role. The master node's configuration is applied to the node.
Verifying the Configuration
The show slot and show stacking commands contain stacking configuration information, including
the state of the slot. These commands are also helpful when debugging stacking problems.
The show slot command shows the states of the nodes as they move from the empty to operational
state. Use the show slot command and Table 24 to determine a slot state:
Slot-1 Stack.25 # show slot
Slots    Type                 Configured           State       Ports
--------------------------------------------------------------------
Slot-1   X450e-24p            X450e-24p            Operational 26
Slot-2   X450a-24t            X450a-24t            Operational 26
Slot-3   X450a-24tDC          X450a-24tDC          Operational 26
Slot-4   X450a-48t            X450a-48t            Operational 50
Slot-5   X450a-24x            X450a-24x            Operational 26
Slot-6   X450a-24xDC          X450a-24xDC          Operational 26
Slot-7   X450e-48p            X450e-48p            Operational 50
Slot-8   X450a-24t            X450a-24t            Operational 26
Slot-1 Stack.26 #
* Slot-1 Stack.1 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:60:DD 1    Active      Master  CA-
 00:04:96:26:60:EE 2    Active      Backup  CA-
 00:04:96:26:60:FF 3    Active      Standby CA-
 00:04:96:26:60:AA 4    Active      Standby CA-
 00:04:96:26:60:88 5    Active      Standby CA-
 00:04:96:26:60:99 6    Active      Standby CA-
 00:04:96:26:60:BB 7    Active      Standby CA-
 00:04:96:26:60:CC 8    Active      Standby CA-
* - Indicates this node
Flags: (C) Candidate for this active topology, (A) Active Node
       (O) node may be in Other active topology
The asterisk (*) that precedes the node MAC address indicates the node to which you are logged in.
The node MAC address is the address that is factory assigned to the stackable switch.
The slot number shown is the number currently in use by the related node. Since slot number
configuration only takes effect during node initialization, a change in configured value alone does not
cause a change to the slot number in use.
If a node role has not yet been determined, the node role indicates <none>. In a ring topology, the node
on which this command is executed is always the first node displayed. In a daisy chain, the ends of the
daisy chain are the first and last nodes displayed.
Even though the stack topology could be a ring, the active topology could be a daisy chain because it
does not contain every node in the stack topology. If the node on which this command is being executed
is not active, the line:
Active Topology is a ___
is replaced by the line:
This node is not in an Active Topology.
NOTE
It is possible for a node to be in Stabilizing or Waiting state and still be in the active topology.
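The success criteria described for show stacking (every node visible and Active, one master and one backup, a slot number in use on each node, and an active topology that matches the stack topology) can be checked mechanically over captured output. The following Python script is an added example, not part of the ExtremeXOS guide; its function names and sample text are constructed, and it assumes the five-column layout of the show stacking display.

```python
import re
from collections import Counter

# Constructed samples in the "show stacking" column layout. MAC addresses are
# borrowed from this guide's example; the small stacks themselves are made up.
SAMPLE_ACTIVE = """\
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:6c:df 1    Active      Master  CA-
 00:04:96:26:6c:e3 2    Active      Backup  CA-
 00:04:96:26:6b:e4 3    Active      Standby CA-
* - Indicates this node
"""

SAMPLE_DISABLED = """\
Stack Topology is a Ring
This node is not in an Active Topology
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:6c:df -    Disabled    Master  ---
 00:04:96:26:6c:e3 -    Disabled    Master  ---
* - Indicates this node
"""

TOPOLOGY = re.compile(r"^(Stack|Active) Topology is a (\S.*?)\s*$")
NODE_ROW = re.compile(
    r"^(?P<local>\*)?\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<slot>\S+)\s+(?P<state>\S+)\s+(?P<role>\S+)\s+(?P<flags>\S+)\s*$"
)


def parse_show_stacking(text):
    """Parse topology lines and node rows; legend and rule lines are skipped."""
    info = {"stack": None, "active": None, "nodes": []}
    for line in text.splitlines():
        topo = TOPOLOGY.match(line.strip())
        if topo:
            info[topo.group(1).lower()] = topo.group(2)
            continue
        row = NODE_ROW.match(line)
        if row:
            node = row.groupdict()
            node["local"] = node["local"] is not None  # '*' marks the login node
            node["mac"] = node["mac"].lower()
            info["nodes"].append(node)
    return info


def verify_stack(text, expected_nodes, intended_master=None):
    """Return a list of findings; an empty list means every check passed."""
    info = parse_show_stacking(text)
    nodes = info["nodes"]
    findings = []

    if len(nodes) != expected_nodes:
        findings.append(f"expected {expected_nodes} nodes, output lists {len(nodes)}")

    # The "Active Topology is a ..." line is absent when the login node is not active.
    if info["active"] is None:
        findings.append("this node is not in an active topology")
    elif info["active"] != info["stack"]:
        findings.append(
            f"active topology is a {info['active']} but stack topology is a {info['stack']}"
        )

    not_active = [n["mac"] for n in nodes if n["state"] != "Active"]
    if not_active:
        findings.append("nodes not in Active state: " + ", ".join(not_active))

    roles = Counter(n["role"] for n in nodes)
    for role in ("Master", "Backup"):
        if roles[role] != 1:
            findings.append(f"expected exactly one {role}, found {roles[role]}")
    unfinalized = [n["mac"] for n in nodes
                   if n["role"] not in ("Master", "Backup", "Standby")]
    if unfinalized:
        findings.append("node role not yet determined: " + ", ".join(unfinalized))

    no_slot = [n["mac"] for n in nodes if not n["slot"].isdigit()]
    if no_slot:
        findings.append("no slot number in use: " + ", ".join(no_slot))
    slot_use = Counter(n["slot"] for n in nodes if n["slot"].isdigit())
    duplicates = sorted(slot for slot, count in slot_use.items() if count > 1)
    if duplicates:
        findings.append("slot number used by more than one node: " + ", ".join(duplicates))

    if intended_master is not None:
        masters = [n["mac"] for n in nodes if n["role"] == "Master"]
        if intended_master.lower() not in masters:
            findings.append(f"intended master {intended_master.lower()} is not the master")
    return findings


if __name__ == "__main__":
    for name, text, count in (("active", SAMPLE_ACTIVE, 3), ("disabled", SAMPLE_DISABLED, 2)):
        print(name, verify_stack(text, count) or "OK")
```

A node in the Stabilizing or Waiting state is reported as not Active even though it may already be in the active topology, so rerun the check once the stack has settled.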
Use the show stacking configuration command to get a summary of the stacking configuration for
all nodes in the stack:
Slot-1 Stack.2 # show stacking configuration
Stack MAC in use: 02:04:96:26:6b:ed
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6b:ed 1   1   Auto <none>             <none>          CcEeMm--- --
 00:04:96:34:d0:b8 2   2   Auto <none>             <none>          CcEeMm--- --
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
                            (c) Core, (a) Advanced edge, or (e) Edge configured,
                            (-) Not in use or not configured
Use the show stacking {node-address <node-address> | slot <slot-number>} detail
command to get a full report from the stacking database:
Slot-1 Stack.33 # show stacking slot 1 detail
Stacking Node 00:04:96:26:60:DD information:
Current:
    Stacking                  : Enabled
    Role                      : Master
    Priority                  : 2
    Slot number               : 1
    Stack state               : Active
    Master capable            : Yes
    Stacking protocol         : Enhanced
    License level restriction : Advanced edge
    In active topology?       : Yes
    Factory MAC address       : 00:04:96:26:60:DD
    Stack MAC address         : 02:04:96:26:60:DD
    Alternate IP address      : 192.168.130.101/24
    Alternate gateway         : 192.168.130.1
    Stack port 1:
        State                 : Operational
        Blocked?              : No
        Control path active?  : Yes
    Stack port 2:
        State                 : Operational
        Blocked?              : No
        Control path active?  : Yes
Configured:
    Stacking                  : Enabled
    Master capable            : Yes
    Stacking protocol         : Enhanced
    Slot number               : 1
    Stack MAC address         : 02:04:96:26:60:DD
    License level restriction : Edge
If you do not specify any node, the output is generated for all nodes in the stack topology. If the
specified node does not exist, an error message appears.
The slot parameter is available only in stacking mode. The node-address parameter is always available.
Current information represents stacking states and configured values that are currently in effect.
Configured information is that which takes effect at node reboot only.
The role values are Master, Backup, Standby, and <none>. License level restrictions are Edge,
Advanced Edge, or Core.
To verify the stack port states of each node in the stack topology use the command show stacking
stack-ports.
Setting the Command Prompt
When stacking is enabled, the nodes inherit the SNMP sysname from the master.
The configure snmp sysName command affects the command prompt. The default setting on this
command assigns the model name to the command prompt. When stacking is enabled, the current slot
number is appended to the string, and the sysname is defaulted to Stack.
The command prompt looks similar to:
* Slot-6 Stack.21 #
The * indicates a changed and unsaved ExtremeXOS configuration. Slot-6 indicates that the node is in
stacking mode and is currently using slot number 6 in the active topology. The system name is the
default Stack. The command to be executed is the 21st command entered since login, and you have
logged in as the administrator on the master node (#).
The backup and the standby nodes show > instead of #. For example:
* Slot-6 Stack.23 >
If you have configured a sysName for the stack, each node in the active topology displays the configured
sysName in its command prompt.
There is no specific prompt to indicate the node role. To discover the identities of the master and
backup nodes, use the show switch {detail} or show stacking command.
Use the show slot command to verify the local switch type.
Configuring Slot Numbers
Each node in a stack must be assigned a slot number. The slot number must be unique to each node.
You can assign the slot number only through configuration. The stack does not dynamically assign a
slot number. The available slot numbers are 1 through 8.
You can specify a slot number for each node manually, or you can have the system assign the slot
numbers using a single command.
NOTE
Slot numbers take effect only after a restart. If you change a slot number, the unit continues to
operate with the slot number with which it was last restarted.
To manually add a slot number to a node, use the command configure stacking node-address
<node-address> slot-number <slot-number>.
To configure the system to choose slot numbers for all nodes, enter the command configure stacking
slot-number automatic.
Automatic slot number assignment is performed in the order of appearance of the nodes in the show
stacking display. In the case of a ring topology, the first node in the display is the intended master
node into which you have logged in.
Use the show stacking or show stacking configuration command to view the ordering and the
assigned slot numbers.
NOTE
A node that boots in standalone mode does not use a slot number.
Configuring the Master, Backup, and Standby Roles
Each stack has a master node, and it might have a backup node and multiple standby nodes. The role of
each stack node is determined by:
● The switch model number
● The configured priority value
● The configuration of the master-capability option (see “Configuring Master-Capability” on
page 179)
Some switch models have more memory and support additional features. To support the additional
capabilities in a stack that includes multiple Summit switch models, the most capable switch
automatically becomes the master node. For this release, the ranking of Summit switch models is as
follows:
● Summit X480 and X670 switches (most capable)
● Summit X650 switches
● All other Summit switches
If the stack configuration includes switches that are more capable than others, the stack will try to select
the most-capable backup node. If a switch with reduced capabilities serves as the backup node for a
switch with greater capabilities, that switch might not be able to support the stack as a master node if a
failover occurs (for example, the less-capable switch might not have enough memory to store the master
node configuration). If your configuration needs to support automatic failover, Extreme Networks
recommends that if a stack contains mixed model numbers, one of the following configurations should
be used:
● Identical, most-capable switches available to become the master and backup nodes
● The master-capability option is turned off for all more-capable switches
When all the master-capable nodes in a stack have the same model number, the node with the highest
node role election priority becomes the master as a result of the first node role election, and the node
with the second highest node role election priority becomes the backup node. All other nodes become
standby nodes.
During subsequent node role elections that occur when a master node fails, the node priority
configuration helps determine the node that becomes the replacement backup node.
Node priority configuration takes effect at the next node role election. A change in node priority
configuration does not cause a new election. Once an active topology has elected a master node, that
node retains the master node role until it fails or loses a dual master resolution.
You can configure one of the following election priority algorithms:
● Priority algorithm - If any node has a numeric priority value configured.
● Automatic algorithm - If all nodes participating in node role election have the automatic priority
value configured.
The priority algorithm is selected if any node has a numeric priority value configured. You can specify
an integer priority value between 1 and 100. The higher the value, the greater the node role election
priority. If any node participating in a role election has a priority value configured, all nodes use the
priority algorithm. A node configured with the automatic algorithm uses a priority value of zero (the
lowest priority) in the priority algorithm if another node has a priority value configured.
The automatic algorithm is selected if no node participating in a role election has a numeric priority
value configured. In automatic mode, the stack determines the highest role election priority based on
factors such as available processing power, maintenance level of ExtremeXOS, and so forth.
In both algorithms, if the highest computed node role election priority is shared among multiple nodes,
the slot number is used to adjust the node role election priority. A numerically lower slot number
results in a higher role election priority than a numerically higher slot number. If you wish to use the
slot number as the sole determining factor in node role election priority calculation, you should
configure every node with the same priority value, and not automatic.
NOTE
Extreme Networks may change the behavior of the automatic priority algorithm in future ExtremeXOS
releases.
Nodes that are configured as not master-capable do not participate in node role election. Priority
configuration is not relevant on such nodes.
A dual master resolution does not use the configured node priority in most cases. Instead it uses the
oldest time that a node became a master in the current active topology.
Use the following command to set the stacking node priority:
configure stacking {node-address <node-address> | slot <slot-number>} priority [<nodepri> | automatic]
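The election rules in this section can be checked against a planned configuration before the stack is restarted. The following Python sketch is an added example, not code from Extreme Networks. It assumes that the model capability tier is compared before the configured priority, and it uses hypothetical short model labels such as "X480".

```python
from typing import List, NamedTuple, Optional

# Capability ranking listed in this section; unlisted models share the lowest tier.
MODEL_TIER = {"X480": 3, "X670": 3, "X650": 2}


class Node(NamedTuple):
    slot: int
    model: str                      # hypothetical short model label, e.g. "X480"
    priority: Optional[int] = None  # 1-100, or None for "automatic"
    master_capable: bool = True


def tier(node: Node) -> int:
    return MODEL_TIER.get(node.model, 1)


def predict_first_election(nodes: List[Node]) -> dict:
    """Predict master/backup/standby slots for the first node role election."""
    slots = [n.slot for n in nodes]
    if len(set(slots)) != len(slots) or any(not 1 <= s <= 8 for s in slots):
        raise ValueError("slot numbers must be unique and in the range 1-8")
    # Nodes that are not master-capable do not participate in the election.
    candidates = [n for n in nodes if n.master_capable]
    if not candidates:
        raise ValueError("no master-capable node in the stack")
    for n in candidates:
        if n.priority is not None and not 1 <= n.priority <= 100:
            raise ValueError(f"slot {n.slot}: priority must be 1-100 or automatic")

    result = {"algorithm": "priority", "master": None, "backup": None,
              "standby": [], "warnings": []}

    if all(n.priority is None for n in candidates):
        # Automatic algorithm: the guide does not specify its inputs, so the
        # winner cannot be derived from the configuration alone.
        result["algorithm"] = "automatic"
        result["standby"] = sorted(n.slot for n in nodes if not n.master_capable)
        result["warnings"].append(
            "automatic priority on every candidate: outcome is not predictable "
            "from configuration")
        return result

    def rank(n: Node):
        effective = n.priority if n.priority is not None else 0  # automatic counts as 0
        # Assumption: capability tier first, then priority; lower slot breaks ties.
        return (-tier(n), -effective, n.slot)

    ranked = sorted(candidates, key=rank)
    master = ranked[0]
    backup = ranked[1] if len(ranked) > 1 else None
    result["master"] = master.slot
    result["backup"] = backup.slot if backup else None
    result["standby"] = sorted(n.slot for n in nodes
                               if n.slot not in (result["master"], result["backup"]))
    if backup is None:
        result["warnings"].append("only one master-capable node: no backup for failover")
    elif tier(backup) < tier(master):
        result["warnings"].append(
            f"backup slot {backup.slot} is less capable than master slot {master.slot}; "
            "it might not be able to take over as master")
    return result
```

The prediction covers the first election only. Once a master is elected it keeps the role until it fails or loses a dual master resolution, regardless of later priority changes.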
Assigning a MAC Address for the Stack
The stack must use a single MAC address. When the master node fails over to the backup node, the
backup node must continue to use the same MAC address that the master node was using.
Each stackable switch is assigned a single unique MAC address during production. By default, no stack
MAC address is configured. You can choose any node to supply its factory assigned MAC address to
form the stack MAC address.
When you assign a MAC address to a stack, one of the stackable switches is designated as the node
whose factory assigned MAC address is used to form the stack MAC address. Once this is done, all
nodes receive and store this formed MAC address in their own NVRAM. Whenever the stack boots up,
this MAC address is used, regardless of which node is the master node.
NOTE
If new nodes are added to the stack, the new nodes must be configured with the stack MAC address. The
easiest way to do this is to use the synchronize stacking {node-address <node-address> | slot
<slot-number>} command.
Before being stored as the stack MAC address, the chosen node’s factory assigned MAC address is
converted to a locally administered MAC address. This prevents duplicate MAC address problems which
lead to dual master situations. The chosen MAC address is put into effect only at node boot time. If the
address needs to be changed on a single node, rebooting that node results in usage of the same address
stack-wide.
If you do not configure the stack MAC address or it is not the same on all nodes, a warning message
appears in the log.
Each node operates with whatever address is available (the configured stack MAC address or the node’s
factory assigned MAC address). If a master node fails over to the backup node, and the backup node’s
address is different than the one the former master node was using, the address is inconsistent with the
addresses programmed into the packet forwarding hardware. The MAC address related to the
management IP address changes to the one in use by the new master, but no gratuitous ARP requests
are sent. In this case, it takes some time for hosts on the management network to flush the related ARP
entry.
NOTE
If the node whose MAC address is chosen is removed from the stack with the intention of using the node
elsewhere in the network, and that node is selected to supply the stack MAC in its new stack, the stack MAC of the
original stack must be reconfigured to prevent a duplicate MAC address in the network.
To assign a MAC address to the stack, use the following procedure:
1 Use the show stacking configuration command to display the stack MAC address configuration.
Slot-1 stack.3 # show stacking configuration
Stack MAC in use: 00:04:96:26:6a:f1
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6a:f1 1   1   11   10.127.4.131/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:93 2   2   Auto 10.127.4.132/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:27:c8:c7 3   3   Auto 10.127.4.133/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:5f:4f 4   4   4    10.127.4.139/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:1f:a5:43 5   5   Auto 10.127.4.135/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:28:01:8f 6   6   6    10.127.4.136/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:20:b2:5c 7   7   Auto 10.127.4.137/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:92 8   8   Auto 10.127.4.138/24    10.127.4.254    CcEeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
                            (c) Core, (a) Advanced edge, or (e) Edge configured,
                            (-) Not in use or not configured
The MAC Address column displays the factory MAC address for the node. The stack MAC address
configuration information appears in the last three positions of the Flags column. As shown in the
key at the bottom of the command display, the stack MAC configuration is displayed with the letters
capital M, lower-case m, and lower-case i. If the flags read ---, the stack MAC address needs to be
configured. If the flags read Mm-, the stack MAC address is already configured and in use.
2 To configure the stack to use the MAC address of the master, log in to the master console and enter
the configure stacking mac-address command. For example:
Slot-1 stack.43 # configure stacking mac-address
This command will take effect at the next reboot of the specified node(s).
If you enter the show stacking command now, the stack MAC flags show --i, indicating that the stack
MAC is configured and is not in use. After you restart the stack, the i disappears from the Flags
column. To see if the stack MAC is consistently configured, enter the show stacking
{node-address <node-address> | slot <slot-number>} detail command and compare all
configured stack MAC addresses for equality. In this case, they should be equal.
3 To configure the stack to use a MAC address from a non-master node, log in to the master console
and enter the configure stacking {node-address <node-address> | slot <slot-number>}
mac-address command. For example:
Slot-1 stack.4 # configure stacking slot 2 mac-address
This command will take effect at the next reboot of the specified node(s).
4 Reboot the stack.
5 Verify the new stack MAC address using the show stacking configuration command. The
following example is based on the previous example:
Slot-1 stack.3 # show stacking configuration
Stack MAC in use: 00:04:96:26:6a:f1
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6a:f1 1   1   11   10.127.4.131/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:93 2   2   Auto 10.127.4.132/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:27:c8:c7 3   3   Auto 10.127.4.133/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:5f:4f 4   4   4    10.127.4.139/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:1f:a5:43 5   5   Auto 10.127.4.135/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:28:01:8f 6   6   6    10.127.4.136/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:20:b2:5c 7   7   Auto 10.127.4.137/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:92 8   8   Auto 10.127.4.138/24    10.127.4.254    CcEeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
                            (c) Core, (a) Advanced edge, or (e) Edge configured,
                            (-) Not in use or not configured
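To check a whole stack for nodes that still need the stack MAC address configured or a reboot to put it into effect, the command display can be parsed offline. The following Python sketch is an added example, not code from Extreme Networks. It assumes one node per output line, decodes the Flags column by letter rather than by position, and assumes the conversion to a locally administered address sets the IEEE universal/local bit, as in the 00:04:96:26:60:DD to 02:04:96:26:60:DD pair shown in the detail display.

```python
import re

# One node row of "show stacking configuration": optional "*", factory MAC,
# configured slot, current slot, priority, alternate IP, gateway, Flags, Lic.
ROW = re.compile(
    r"^(?P<this>\*?)\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<cfg>\S+)\s+(?P<cur>\S+)\s+(?P<prio>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<flags>\S+)\s+(?P<lic>\S+)\s*$"
)
IN_USE = re.compile(r"^Stack MAC in use:\s*(\S+)")

# Constructed sample, laid out like the command display in this section.
SAMPLE = """\
Stack MAC in use: 02:04:96:26:60:dd
*00:04:96:26:60:dd 1   1   Auto 192.168.130.101/24 192.168.130.1   CcEeMm--- Aa
 00:04:96:26:60:ee 2   2   Auto 192.168.130.102/24 192.168.130.1   CcEe----i Aa
 00:04:96:26:60:ff 3   3   Auto <none>             <none>          --Ee----- Aa
"""


def to_locally_administered(mac: str) -> str:
    """Set the universal/local bit (0x02 of the first octet) of a MAC address."""
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets[0] |= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def stack_mac_state(flags: str) -> str:
    """Map the M, m and i flag letters to the three states the guide describes."""
    if "i" in flags:
        return "configured-not-in-use"   # takes effect at the next reboot
    if "M" in flags and "m" in flags:
        return "in-use"
    return "not-configured"


def audit(output: str) -> dict:
    """Return the stack MAC in use, its source slot, and slots needing action."""
    in_use = None
    nodes = []
    for line in output.splitlines():
        header = IN_USE.match(line)
        if header:
            in_use = header.group(1).lower()
            continue
        row = ROW.match(line)
        if row:
            cur = row.group("cur")
            nodes.append({
                "mac": row.group("mac").lower(),
                "slot": int(cur) if cur.isdigit() else None,
                "this_node": row.group("this") == "*",
                "state": stack_mac_state(row.group("flags")),
            })
    needs_action = [n["slot"] for n in nodes if n["state"] != "in-use"]
    # The node whose factory MAC (as is, or converted) forms the address in use.
    source = next((n["slot"] for n in nodes
                   if in_use in (n["mac"], to_locally_administered(n["mac"]))), None)
    return {"stack_mac": in_use, "source_slot": source,
            "needs_action": needs_action, "nodes": nodes}
```

Knowing the source slot matters when that node is later moved to another stack, because the original stack MAC must then be reconfigured to avoid a duplicate address.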
Configuring Master-Capability
Each node is configurable to be master-capable or not. This means that a node can either be allowed to
take on any node role, or be restricted to executing the standby node role only. The default is that a
node can take on any role. The restriction is used to avoid the dual master condition. A
master-capability configuration change takes effect at the next restart.
You can use any of the following commands to configure the master-capability:
● configure stacking [node-address <node-address> | slot <slot-number>] master-capability [on | off]
● configure stacking redundancy [none | minimal | maximal]
Using these commands, you can configure one or more nodes to be allowed to operate either as a
master or a backup.
The configure stacking master-capability command allows you to set the master-capability of
specific nodes, while configure stacking redundancy allows you to set the master-capability on all
nodes in the stack.
The commands do not allow you to disable master-capability on all nodes in a stack topology.
NOTE
If the entire stack is restarted in stacking mode without any node having master capability, you need to
know the failsafe account and password to log into any node in the stack. If you do not know the failsafe account
information, you might need to rescue the stack. See “Rescuing a Stack That Has No Master-Capable Node” on
page 214.
Configuring an Alternate IP Address and Gateway
The stack has a primary IP address and subnetwork that is configured with the configure vlan mgmt
ipaddress command, and there may also be static or default routes associated to it. For each node in
the stack, you can configure an alternate management IP address, subnetwork mask, and default
gateway. The alternate IP address is restricted to being a member of the primary IP subnetwork that is
configured on the management VLAN, and thus the alternate IP subnetwork must exactly match the
primary IP management subnetwork. A subnetwork match is exact if the subnetwork portion of the IP
addresses match exactly. For example, 10.11.12.1/24 and 10.11.12.2/24 are an exact subnetwork match
(because both represent the subnet 10.11.12.0/24).
Standby nodes always install their configured alternate management IP address and gateway on the
management interface. A standby node does not have the ability to verify whether the configured
alternate IP address matches the primary management IP subnetwork of the stack.
The backup and master nodes have the ability to verify the configured alternate IP address. The master
and backup nodes compare the primary IP subnetwork information to the alternate IP subnetwork. If
there is a match, the backup node installs the primary IP management subnetwork’s default routes and
installs only the alternate management IP address (not the primary IP address). The master node installs
both the configured management subnetwork with specific IP address and the alternate IP address. In
this case, the alternate gateway is not used, expecting that primary management routes are configured
or will be configured. In either case, if the alternate IP subnetwork does not match the configured
management subnetwork, the alternate IP address is not installed on the management interface.
Each node in the stack normally installs its alternate IP address on the management subnetwork. When
an ARP request for the alternate IP address is satisfied, the stackable switch supplies its factory assigned
MAC address and not the stack MAC address. Only the master node installs the primary IP address. An
ARP request for the configured management IP address returns the configured stacking MAC address.
Because of the above behavior, all nodes are reachable over their management ports even during a dual
master situation. The VLAN used is the management VLAN (VID 4095) and is untagged.
The alternate gateway is only installed on a master or backup node when the primary management IP
subnetwork is not configured. Once the primary IP subnetwork is installed, the alternate gateway is
removed. The alternate gateway is always installed on a standby node.
If a dual master situation occurs because of a stack severance, the alternate IP addresses and associated
MAC addresses are unique, and it is possible to use telnet or ssh to reach any node. Any node on the
segment with the incorrect master can then be used to reboot the entire stack segment into standby
mode if you want to rejoin the stack segments later.
If a node is operating in stacking mode, the alternate management IP address configuration takes effect
immediately.
NOTE
Only IPv4 alternate management IP addresses are supported in this release.
To configure an alternate IP address and gateway, use the following procedure:
1 View the alternate IP address configuration using the show stacking configuration command:
Slot-1 stacK.13 # show stacking configuration
Stack MAC in use: 00:04:96:26:6a:f1
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6a:f1 1   1   11   <none>             <none>          CcEeMm--- Aa
 00:04:96:26:6c:93 2   2   Auto <none>             <none>          CcEeMm--- Aa
 00:04:96:27:c8:c7 3   3   Auto <none>             <none>          CcEeMm--- Aa
 00:04:96:26:5f:4f 4   4   4    <none>             <none>          CcEeMm--- Aa
 00:04:96:1f:a5:43 5   5   Auto <none>             <none>          CcEeMm--- Aa
 00:04:96:28:01:8f 6   6   6    <none>             <none>          CcEeMm--- Aa
 00:04:96:20:b2:5c 7   7   Auto <none>             <none>          CcEeMm--- Aa
 00:04:96:26:6c:92 8   8   Auto <none>             <none>          CcEeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
                            (c) Core, (a) Advanced edge, or (e) Edge configured,
                            (-) Not in use or not configured
In the example above, no alternate IP address or alternate gateway is configured.
2 If you have a continuous block of IP addresses to assign to the stack, enter the configure stacking
alternate-ip-address [<ipaddress> <netmask> | <ipNetmask>] <gateway> automatic
command. For example:
Slot-1 Stack.14 # configure stacking alternate-ip-address 10.127.4.131/24 10.127.4.254 automatic
Slot-1 Stack.15 # show stacking configuration
Stack MAC in use: 00:04:96:26:6a:f1
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6a:f1 1   1   11   10.127.4.131/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:93 2   2   Auto 10.127.4.132/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:27:c8:c7 3   3   Auto 10.127.4.133/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:5f:4f 4   4   4    10.127.4.134/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:1f:a5:43 5   5   Auto 10.127.4.135/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:28:01:8f 6   6   6    10.127.4.136/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:20:b2:5c 7   7   Auto 10.127.4.137/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:92 8   8   Auto 10.127.4.138/24    10.127.4.254    CcEeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
                            (c) Core, (a) Advanced edge, or (e) Edge configured,
                            (-) Not in use or not configured
3 If you do not have a continuous block of IP addresses for the stack, assign an alternate IP address
and gateway to each node using the configure stacking [node-address <node-address> |
slot <slot-number>] alternate-ip-address [<ipaddress> <netmask> | <ipNetmask>]
<gateway> command. For example:
Slot-1 Stack.18 # configure stacking slot 4 alternate-ip-address 10.127.4.139/24 10.127.4.254
NOTE
If you try to assign an alternate IP address and gateway to a node that is already configured with these
parameters, an error message appears. To remove an existing configuration so you can change the alternate IP
address and gateway, enter the unconfigure stacking {node-address <node-address> | slot
<slot-number>} alternate-ip-address command.
4 Enter the show stacking configuration command to verify that the alternate IP address and gateway
are configured as intended for each node.
Slot-1 Stack.19 # show stacking configuration
Stack MAC in use: 00:04:96:26:6a:f1
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:6a:f1 1   1   11   10.127.4.131/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:93 2   2   Auto 10.127.4.132/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:27:c8:c7 3   3   Auto 10.127.4.133/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:5f:4f 4   4   4    10.127.4.139/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:1f:a5:43 5   5   Auto 10.127.4.135/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:28:01:8f 6   6   6    10.127.4.136/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:20:b2:5c 7   7   Auto 10.127.4.137/24    10.127.4.254    CcEeMm--- Aa
 00:04:96:26:6c:92 8   8   Auto 10.127.4.138/24    10.127.4.254    CcEeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
       (E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
       (M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
       (N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced configured,
       (i) Stack MACs configured and in use are not the same or unknown,
       (-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
                            (c) Core, (a) Advanced edge, or (e) Edge configured,
                            (-) Not in use or not configured
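Because a standby node installs its alternate address without verifying it, a plan that does not exactly match the primary management subnetwork only shows up as a problem when that node becomes backup or master. The following Python sketch is an added example, not code from Extreme Networks. It validates a plan offline and models what each role installs as described in this section. The duplicate-address and gateway-in-subnet checks are added sanity checks, and the handling of a stack with no primary subnetwork configured is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional


def automatic_plan(first: str, node_count: int) -> List[ipaddress.IPv4Interface]:
    """Consecutive alternate addresses, one per node, starting at `first`."""
    start = ipaddress.ip_interface(first)
    prefix = start.network.prefixlen
    return [ipaddress.ip_interface(f"{start.ip + i}/{prefix}")
            for i in range(node_count)]


def subnet_matches(primary: str, alternate: str) -> bool:
    """Exact match: same network address and same mask length."""
    return (ipaddress.ip_interface(primary).network
            == ipaddress.ip_interface(alternate).network)


def check_alternate(primary: str, alternate: str, gateway: str) -> List[str]:
    """Problems with one node's alternate IP address and gateway."""
    alt = ipaddress.ip_interface(alternate)
    gw = ipaddress.ip_address(gateway)
    if alt.version != 4 or gw.version != 4:
        return ["only IPv4 alternate management addresses are supported"]
    problems = []
    if not subnet_matches(primary, alternate):
        pri_net = ipaddress.ip_interface(primary).network
        problems.append(f"{alt} does not exactly match primary subnet {pri_net}")
    if gw not in alt.network:                      # added sanity check
        problems.append(f"gateway {gw} is outside {alt.network}")
    return problems


def check_plan(primary: str, alternates: Dict[int, str], gateway: str) -> Dict[int, List[str]]:
    """Check {slot: "a.b.c.d/len"}; returns {slot: [problems]} for bad slots only."""
    seen = {}
    report = {}
    for slot, alt in sorted(alternates.items()):
        problems = check_alternate(primary, alt, gateway)
        ip = ipaddress.ip_interface(alt).ip
        if ip in seen:                             # added sanity check
            problems.append(f"duplicates the address of slot {seen[ip]}")
        seen.setdefault(ip, slot)
        if problems:
            report[slot] = problems
    return report


def installed_on_mgmt(role: str, primary: Optional[str], alternate: str) -> dict:
    """Addresses a node installs on the management interface, by role."""
    role = role.lower()
    if role == "standby":
        # Standby nodes cannot verify the subnet; they install what is configured.
        return {"addresses": [alternate], "alternate_gateway": True}
    if primary is None:
        # Assumption: with no primary subnet configured there is nothing to
        # mismatch, so master and backup install the alternate IP and gateway.
        return {"addresses": [alternate], "alternate_gateway": True}
    match = subnet_matches(primary, alternate)
    if role == "master":
        addresses = [primary] + ([alternate] if match else [])
    elif role == "backup":
        addresses = [alternate] if match else []
    else:
        raise ValueError(f"unknown role: {role!r}")
    return {"addresses": addresses, "alternate_gateway": False}
```

A backup node whose result has an empty address list is unreachable on its management port, which is the case to catch before a failover or a stack severance.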
Configuring the Failsafe Account on a Stack
The failsafe account information is stored in each node's local NVRAM.
To change the failsafe account, use the command configure failsafe-account {[deny | permit]
[all | control | serial | ssh {vr <vr-name>} | telnet {vr <vr-name>}]} from the master
node.
This command changes the account information in the NVRAM of every active node in the same active
topology. If a new node is added later, you can use the synchronize stacking {node-address
<node-address> | slot <slot-number>} command to copy the failsafe account information from the
master to the new node.
Disabling Stacking
To disable stacking on a member of a stack, use the following command:
disable stacking {node-address <node-address>}
Rebooting the node with stacking disabled causes it to run in standalone mode.
A node that is running in standalone mode becomes its own master and processes its own
configuration.
By default, stacking is disabled on all nodes.
Saving the Configuration
The ExtremeXOS configuration file is saved to every active node when you use the save
configuration {primary | secondary | <existing-config> | <new-config>} command on the
master.
The stacking specific configuration parameters for a node are saved in the NVRAM of the node when
you run the configuration commands. Stacking configuration parameters are not saved in the
ExtremeXOS configuration file.
Managing an Operating Stack
This section describes the following topics and tasks:
● Managing Licenses on a Stack
● Stacking LEDs
● Viewing the Alternate IP Address
● Viewing Stacking Port Statistics
● Adding a Node to a Stack
● Replacing a Node with the Same Switch Type
● Replacing a Node with a Different Switch Type
● Merging Two Stacks
● Upgrading ExtremeXOS on a Stack
● Upgrading SummitStack Option Cards
● Dismantling a Stack
● Removing a Node from a Stack
● Rebooting a Stack
Managing Licenses on a Stack
The SummitStack feature is not licensed separately. You can use the SummitStack feature with an Edge
license.
NOTE
For successful operation, all master-capable nodes in a stack must be at or above the license level on the
master node, and all feature packs installed on the master node must also be installed on the master-capable
nodes.
The rules for licensing are:
● At startup, the license level the stack uses is the effective license level of the elected master node.
If the stack is using the Advanced Edge license and you attempt to add a master-capable node that is
using an Edge license, the node does not become operational and shows as Failed with a License
Mismatch reason when using the show slot {<slot> {detail} | detail } command.
● License mismatch detection is continually checked in master-capable nodes.
If master-capable nodes of different license levels are operational in the stack and there is a failover
to a backup node that has a level that is not the same as that of the failed master, the stack operating
license level changes to the effective license level of the new master. If any other master-capable
node is using an effective license level that is not the same as that of the new master, the node fails
with a license mismatch.
● Nodes with higher license levels than other nodes can be restricted to operate at a lower or effective
license level.
The following sections describe license management in a stack:
● Viewing Switch Licenses and License Restrictions
● Enabling a Switch License
● Restricting a Switch License Level
● Upgrading Stack Licenses
Viewing Switch Licenses and License Restrictions
To view the current license information for a node, log into that node and enter the show licenses
command. The command display is similar to the following:
Slot-1 Stack.1 # show licenses
Enabled License Level:
Advanced Edge
Enabled Feature Packs:
None
Effective License Level:
Advanced Edge
Slot-1 Stack.2 #
The Enabled License Level is the purchased license level. This is the maximum level at which this node
can operate without purchasing a license level upgrade.
The Effective License Level is the operating license level. If a license level restriction is configured for this
node, the effective license level may be lower than the enabled license level. All master-capable switches
must be operated at the same effective license level.
To view the license level restrictions configured for all nodes in a stack, log in to the master node and
enter the show stacking configuration command:
Slot-1 Stack.33 # show stacking configuration
Stack MAC in use: 02:04:96:26:60:DD
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:60:DD 1   1   Auto 192.168.130.101/24 192.168.130.1   CcEeMm--- Aa
 00:04:96:26:60:EE 2   2   Auto 192.168.130.102/24 192.168.130.1   CcEeMm--- Aa
 00:04:96:26:60:FF 3   3   Auto 192.168.130.103/24 192.168.130.1   --EeMm--- Aa
 00:04:96:26:60:AA 4   4   Auto 192.168.130.104/24 192.168.130.1   --EeMm--- Aa
 00:04:96:26:60:88 5   5   Auto 192.168.130.105/24 192.168.130.1   --EeMm--- Aa
 00:04:96:26:60:99 6   6   Auto 192.168.130.106/24 192.168.130.1   --EeMm--- Aa
 00:04:96:26:60:BB 7   7   Auto 192.168.130.107/24 192.168.130.1   --EeMm--- Aa
 00:04:96:26:60:CC 8   8   Auto 192.168.130.108/24 192.168.130.1   --EeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
(E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
(M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
(N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
configured,
(i) Stack MACs configured and in use are not the same or unknown,
(-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
(c) Core, (a) Advanced edge, or (e) Edge configured,
(-) Not in use or not configured
License level restrictions appear in the Lic column. The license level restriction in use appears first,
represented by a capital letter as shown in the display legend. The configured license level restriction
appears second, represented by a lower-case letter. When the letters in the Lic column are different, for
example Ae, the node is configured with a different license level restriction than the one that is
currently in use. To put the configured license level restriction into effect, you must reboot the node.
Enabling a Switch License
The purchased license level of a node can be enabled only after you log in to that node (see “Logging
Into a Node From Another Node” on page 154). For instructions on enabling a license on a node, see
Appendix B, “Software Upgrade and Boot Options.”
NOTE
All nodes must have a purchased license level at least equal to the license level of the master node in
order to become operational in the stack.
Restricting a Switch License Level
If the master-capable nodes in a stack have different license levels and you want to operate a stack at
the minimum license level, you can apply a license level restriction. The restriction is stored in the
NVRAM of each master-capable node. It forces the node to reduce its license level below its purchased
level at node restart time for the life of the restart. This reduced license level is called the effective license
level and can be displayed by entering the show licenses command on the node you want to evaluate.
To restrict a master-capable node to operate at a license level that is lower than the one purchased for
the node, use the command:
configure stacking {node-address <node-address> | slot <slot-number>} license-level
[core | advanced-edge | edge]
In the following example, node 7 is restricted to operate at the Edge license level:
* X450a-24x.7 # configure stacking slot 7 license-level edge
This command will take effect at the next reboot of the specified node(s).
You must reboot the master-capable node for the command to take effect. The command restricts the
specified node to operate at the specified license level. The specified license level must match the
effective license level of all master-capable nodes in the stack. To avoid stack reboots when future
license level upgrades are purchased, during initial deployment you should purchase the same license
level for every master-capable node in the stack, and the license level restriction should not be
configured.
Upgrading Stack Licenses
You can purchase license level upgrades for Summit family switches. All master-capable switches in a
stack must run the same license level. If the license you want to run is not available for a specific
Summit switch, you cannot use that switch and that license level as a master-capable switch. For
example, if you want to upgrade to the core license, your master-capable nodes must be Summit family
switches that support the core license.
NOTE
See Appendix A, “Feature License Requirements,” for information on which switches support which
licenses. This appendix also lists which switches support the SummitStack feature.
Use the following procedure to upgrade switch licenses:
1 Log in to the master node.
2 Enter the show stacking command and note the role (master, backup, or standby) of each node in
the stack.
3 Enter the show stacking configuration command and note any nodes that are configured with a
license level restriction (see “Viewing Switch Licenses and License Restrictions” on page 184).
4 Install the required license level in each master-capable node (backup and standby nodes) by logging
into each node (telnet slot <slot-number>) and entering the command:
enable license {software} <key>
Enter the license key given to you by Extreme Networks when you purchased the upgrade.
5 Use the commands in Step 4 to install the required license level on the master node.
6 If any nodes are configured with a license level restriction that is lower than the intended operating
license level of the stack, log into the master node and remove the stack license level restriction
using the command:
unconfigure stacking license-level
This command removes the restriction on all nodes.
7 If you removed a license level restriction in Step 6, reboot the stack to put the license level restriction
removal into effect using the command:
reboot {[time <mon> <day> <year> <hour> <min> <sec>] | cancel} {slot <slot-number> | node-address <node-address> | stack-topology {as-standby}}
8 Verify that all master-capable nodes are operating at the intended license level. To do this, use the
show licenses command and show slot {<slot> {detail} | detail } command on the
master node. If no slot shows as Failed, then all master-capable nodes are operating at the effective
license level shown for the master node.
Stacking LEDs
All stackable switches have a seven segment LED.
The seven segment LED on Summit X250, X440, X460, X480, X650, and X670 series switches behaves as
follows:
● LED dark—Stackable switch is not in stacking mode
● Slot number displayed, top half blinking—Stack master
● Slot number displayed, bottom half blinking—Stack backup
● Slot number display solid—Standby node
When in stacking mode, the slot number is displayed shortly after the node begins initializing and
remains in the display until a restart occurs.
The stacking ports have LEDs that behave the same as the data port LEDs. The stacking port LEDs can
be in the states shown in Table 24, even if the unit is not in a stacking mode.
Table 24: Stacking LED States
State             Description
Off               No signal
Solid Green       Signal present
Flickering Green  Traffic through the port
While in a stack, the remaining LEDs (Mgmt, Fan, PSU-I, and PSU-E) on the unit operate normally.
Viewing the Alternate IP Address
To view the alternate IP address for a node, you can use the following commands:
● show vlan mgmt
● show ipconfig Mgmt
show vlan mgmt Command
The show vlan mgmt command shows the alternate management IP address as applied to the
management VLAN on the local unit. This allows you to see how the configured alternate management
IP address has been applied.
The show vlan mgmt command displays the following information:
Slot-1 Stack.35 # show vlan "Mgmt"
VLAN Interface with name Mgmt created by user
Admin State:    Enabled
Tagging:        802.1Q Tag 4095
Virtual router: VR-Mgmt
Primary IP:     10.1.4.1/24
Alternate IP:   10.1.4.2/24
IPv6:           None
STPD:           None
Protocol:       Match all unfiltered protocols
Loopback:       Disabled
NetLogin:       Disabled
QosProfile:     None configured
Ports:   1.     (Number of active ports=1)
Untag:   Mgmt-port on Mgmt-? is active
For the management VLAN, a secondary address cannot be configured and so the Secondary IP line does
not appear. The Alternate IP line shows one of the following:
● The configured alternate management IP address if it has been activated
● <none> if it has not been configured
● Mismatch if it has been configured but does not exactly match the Primary IP subnet.
show ipconfig mgmt Command
The show ipconfig mgmt command shows the configured alternate management IP address as applied
to the management VLAN on the local unit. This allows you to see how the configured alternate
management IP address has been applied.
The Multinetted VLAN indication always appears as no. The alternate IP address is restricted to the same
subnet as the primary subnet configured for the management IP interface. As a result, only a single
subnet is used with the possibility of multiple station addresses. Further, you cannot configure a
secondary IP address on the management VLAN.
The show ipconfig mgmt command displays the following information:
Slot1 Stack.36 # show ipconfig Mgmt
Router Interface on VLAN Mgmt is enabled and up.
inet 10.66.4.74/24 broadcast 10.66.4.255 Mtu 1500
Alternate IP Address: 10.66.4.75/24
Flags:
AddrMaskRly NO
BOOTP Host NO
DirBcstHwFwd NO
Fwd Bcast NO
IgnoreBcast NO
IP Fwding NO
IPmc Fwd NO Multinetted VLAN NO
IRDP Advert NO
SendParam YES
SendPortUn YES
Send Redir YES
SendTimxceed YES
SendUnreach YES
TimeStampRly NO
VRRP NO
For the management VLAN, a secondary address cannot be configured and so the Secondary IP line does
not appear. The Alternate IP Address line shows one of the following:
● The configured alternate management IP address if it has been activated
● <none> if it has not been configured
● Mismatch if it has been configured but does not exactly match the Primary IP subnet.
Viewing Stacking Port Statistics
To view the status of any stacking port, use the following command variations:
show ports stack-ports <stacking-port-list> utilization {bandwidth | bytes | packets}
show ports {stack-ports <stacking-port-list> | <port_list>} statistics {norefresh}
show ports {<port_list> | stack-ports <stacking-port-list>} rxerrors {norefresh}
show ports {stack-ports <stacking-port-list> | <port_list>} txerrors {norefresh}
The commands accept stacking port ranges that span multiple nodes. There are no stack port
configuration options.
There is no way to disable a stacking port. These ports are always enabled.
Adding a Node to a Stack
From the perspective of a new node, adding a node to an active topology is similar to bringing up a
new stack. To add a node to a stack, use the following procedure.
NOTE
If the node being added is actually a replacement node for one that was previously removed,
see “Replacing a Node with the Same Switch Type” on page 192 or “Replacing a Node with a Different
Switch Type” on page 194.
1 Review the general and model-specific configuration guidelines for the switch you are installing.
These guidelines are described in “Stack Configuration Guidelines” on page 154.
2 Before connecting the switch to the stack, prepare the switch as follows:
a Review the guidelines for the switch you are installing. These guidelines are described in “Stack
Configuration Guidelines” on page 154.
b With the power off, install any required option cards as described in the Summit Family Switches
Hardware Installation Guide.
c Power on the new node.
d Use the show switch command to verify that the new node is using the same ExtremeXOS
software version as the stack to which it will be added. If it is not using the correct version, install
the correct version.
e Use the show switch command to verify that the ExtremeXOS software is booted on the same
image (primary or secondary) on which the stack is booted. If the new node is booted on a
different image, change the image before you continue.
f Use the enable stacking command to enable stacking; then decline the easy setup option.
g Configure a unique slot number for the new node (see “Configuring Slot Numbers” on page 175).
Select a slot number that is not already in use in the stack to which this node will be added.
h Configure the node's master-capability to correspond to the role it should have in the stack (see
“Configuring Master-Capability” on page 179).
i If the new node will operate as a master-capable node, use the show licenses command to
verify that the enabled license level is at the same level as the master-capable nodes in the stack.
If necessary, configure the license-level restriction of the new node to be the same as the other
master-capable nodes in the stack (see “Managing Licenses on a Stack” on page 184).
j Configure the node role priority to correspond to the priority it should have in the stack (see
“Configuring the Master, Backup, and Standby Roles” on page 175).
k Configure an alternate IP address and gateway (see “Configuring an Alternate IP Address and
Gateway” on page 180).
l If the new node is a Summit X650 switch, configure the switch to use the stacking ports as
described in “Enabling and Disabling Stacking Support for Summit X650 and X670 Switches” on
page 166.
m If the new node is a Summit X650 switch with a VIM3-40G4X option card, configure the option
card ports as described in “Configuring Stacking Port Operation with the VIM3-40G4X Option
Card” on page 170.
n If the new node is a Summit X670V switch with a VIM4-40G4X option card, configure the option
card ports as described in “Configuring Stacking Port Operation with the VIM4-40G4X Option
Card” on page 170.
o If the new node will use the SummitStack-V feature, configure the alternate stack ports as
described in “Using Ethernet Ports for Stacking (SummitStack-V)” on page 167.
p If the stack will use MPLS, the stack must contain only Summit X460, X480, and X670 switches,
and you must configure all stack switches to use the enhanced stacking protocol as described in
“Selecting the Stacking Protocol” on page 171.
3 Connect the stacking links to the new node and use the reboot command to reboot the node.
For cabling instructions, see the Summit Family Switches Hardware Installation Guide.
4 At the stack master node, run the synchronize stacking {node-address <node-address> |
slot <slot-number>} command and do not specify either a node-address or a slot.
5 Reboot the new node by entering the reboot slot [<slot-number> | node-address <node-address>] command.
6 (Optional) Run the show stacking configuration command and verify that the configuration is
what you want.
Example: Adding a Node to a Stack
Assume the original stack is connected as follows:
Slot-1 Stack.9 # show stacking stack-ports
Stack Topology is a Ring
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
*1   1    Native 00:04:96:26:6a:f1 Operational C-    10G
*1   2    Native 00:04:96:26:6a:f1 Operational C-    10G
2    1    Native 00:04:96:26:6c:93 Operational C-    10G
2    2    Native 00:04:96:26:6c:93 Operational C-    10G
3    1    Native 00:04:96:26:5f:4f Operational C-    10G
3    2    Native 00:04:96:26:5f:4f Operational CB    10G
4    1    Native 00:04:96:1f:a5:43 Operational CB    10G
4    2    Native 00:04:96:1f:a5:43 Operational C-    10G
5    1    Native 00:04:96:28:01:8f Operational C-    10G
5    2    Native 00:04:96:28:01:8f Operational C-    10G
6    1    Native 00:04:96:20:b2:5c Operational C-    10G
6    2    Native 00:04:96:20:b2:5c Operational C-    10G
* - Indicates this node
Flags: (C) Control path is active, (B) Port is Blocked
The following commands add a seventh node to the stack:
* Switch.3 # enable stacking
This command will take effect at the next reboot of the specified node(s).
# Display the node MAC address
* Switch.4 # show stacking
Stack Topology is a Daisy-Chain
This node is not in an Active Topology
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:6c:92      Disabled    Master  ---
* - Indicates this node
Flags: (C) Candidate for this active topology, (A) Active Node
(O) node may be in Other active topology
# Configure a unique slot number
Switch.5 # configure stacking node-address 00:04:96:26:6c:92 slot-number 7
This command will take effect at the next reboot of the specified node(s).
Switch.6 # configure stacking node-address 00:04:96:26:6c:92 license-level edge
This command will take effect at the next reboot of the specified node(s).
Connect the new switch to the stack using a stacking cable to join the stacking ports and form a
physical ring. The connections should be made such that the node appears in the natural position in the
stack and in the slot. The example below adds a new node that becomes slot 7.
● The connection broken should be the one between node 00:04:96:20:b2:5c port 2 and node
00:04:96:26:6a:f1 port 1.
● The new node 00:04:96:26:6c:92 port 1 should be connected to node 00:04:96:20:b2:5c port 2.
● The new node 00:04:96:26:6c:92 port 2 should be connected to node 00:04:96:26:6a:f1 port 1.
Switch.7 # reboot
# Log into the stack master node before entering the next command
Slot-1 Stack.13 # synchronize stacking node-address 00:04:96:26:6c:92
Slot-1 Stack.13 # reboot node-address 00:04:96:26:6c:92
Are you sure you want to reboot this stack node? (y/N) Yes
Slot-1 Stack.18 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:6a:f1 1    Active      Master  CA-
 00:04:96:26:6c:93 2    Active      Standby CA-
 00:04:96:26:5f:4f 3    Active      Backup  CA-
 00:04:96:1f:a5:43 4    Active      Standby CA-
 00:04:96:28:01:8f 5    Active      Standby CA-
 00:04:96:20:b2:5c 6    Active      Standby CA-
 00:04:96:26:6c:92 7    Active      Standby CA-
* - Indicates this node
Flags: (C) Candidate for this active topology, (A) Active Node
(O) node may be in Other active topology
Slot-1 stack.19 # show slot
Slots    Type         Configured   State        Ports
--------------------------------------------------------------------
Slot-1   X450a-48t    X450a-48t    Operational  50
Slot-2   X450a-24x    X450a-24x    Operational  26
Slot-3   X450a-24t    X450a-24t    Operational  26
Slot-4   X450a-24x    X450a-24x    Operational  26
Slot-5   X450a-24t    X450a-24t    Operational  26
Slot-6   X450a-24x    X450a-24x    Operational  26
Slot-7   X450a-24x                 Operational  26
Slot-8                             Empty        0
Replacing a Node with the Same Switch Type
When you replace a node with the same switch type, for example when you replace a Summit X450a-48t
with a Summit X450a-48t, you can continue to use the same stack configuration. The procedure in
this section works only when the old and new nodes have identical switch types.
NOTE
If you are replacing a node with a different switch type, you must change the stack configuration before the
new node can operate. For more information, see “Replacing a Node with a Different Switch Type” on page 194.
NOTE
Summit X440, X460, X480, and X650 stacks configured with “configure stacking easy-setup” use the
enhanced stacking protocol by default. When replacing a node in a Summit X440, X460, X480, or X650 stack
configured with the enhanced stacking protocol, be sure to configure the enhanced protocol
(“configure stacking protocol enhanced”) before joining the active stack topology.
To replace a node with an identical switch type:
1 Use the show switch, show licenses, and show stacking configuration commands to display
configuration information for the node to be replaced. Note the following about the switch you are
replacing:
- ExtremeXOS software version
- Partition on which the switch is booted
- Effective license level for the stack
- Slot number
- Stacking protocol; standard or enhanced?
- Master-capable feature configuration
- Node priority
- Alternate gateway IP address
2 Remove the stack links from the node to be replaced.
3 Replace the node with the same type of node.
4 Before connecting the replacement switch to the stack, prepare the switch as follows:
a Review the guidelines for the switch you are installing. These guidelines are described in “Stack
Configuration Guidelines” on page 154.
b With the power off, install any required option cards as described in the Summit Family Switches
Hardware Installation Guide.
c Power on the replacement node.
d Use the show switch command to verify that the replacement node is using the same
ExtremeXOS software version as the stack in which it will be added. If it is not using the correct
version, install the correct version.
e Use the show switch command to verify that the ExtremeXOS software is booted on the same
image (primary or secondary) on which the stack is booted. If the new node is booted on a
different image, change the image before you continue.
f Use the enable stacking command to enable stacking; then decline the easy setup option.
g Configure the slot number for the replacement node using the slot number noted in Step 1. (See
“Configuring Slot Numbers” on page 175.)
h If the replaced node was using the enhanced stacking protocol, use the configure stacking
protocol command to select that protocol.
i Configure the node's master-capability to correspond to the value noted in Step 1 (see
“Configuring Master-Capability” on page 179).
j If the replacement node will operate as a master-capable node, use the show licenses command
to verify that the enabled license level is at the same level as the master-capable nodes in the
stack. If necessary, configure the license-level restriction of the new node to be the same as the other
master-capable nodes in the stack (see “Managing Licenses on a Stack” on page 184).
k Configure the node role priority to correspond to the priority it should have in the stack (see
“Configuring the Master, Backup, and Standby Roles” on page 175).
l Configure an alternate IP address and gateway (see “Configuring an Alternate IP Address and
Gateway” on page 180).
m If the new node is a Summit X650 switch, configure the switch to use the stacking ports as
described in “Enabling and Disabling Stacking Support for Summit X650 and X670 Switches” on
page 166.
n If the new node is a Summit X650 switch with a VIM3-40G4X option card, configure the option
card ports as described in “Configuring Stacking Port Operation with the VIM3-40G4X Option
Card” on page 170.
o If the new node is a Summit X670V switch with a VIM4-40G4X option card, configure the option
card ports as described in “Configuring Stacking Port Operation with the VIM4-40G4X Option
Card” on page 170.
p If the new node will use the SummitStack-V feature, configure the alternate stack ports as
described in “Using Ethernet Ports for Stacking (SummitStack-V)” on page 167.
q If the stack will use MPLS, the stack must contain only Summit X460, X480, and X670 switches,
and you must configure all stack switches to use the enhanced stacking protocol as described in
“Selecting the Stacking Protocol” on page 171.
5 Connect the stack links and reboot the node. The switch should join the stack topology.
For cabling instructions, see the Summit Family Switches Hardware Installation Guide.
6 At the stack master node, run the synchronize stacking {node-address <node-address> |
slot <slot-number>} command and do not specify either a node-address or a slot.
NOTE
If the master node was replaced, log into another stack node before entering this command.
7 Reboot the new node by entering the reboot slot [<slot-number> | node-address <node-address>] command.
NOTE
If the master node was replaced, reboot the stack by entering the reboot command at the master node.
8 (Optional) Run the show stacking configuration command and verify that the configuration is
what you want.
NOTE
To verify that the new node became operational, enter the show slot {<slot> {detail} |
detail } command. If the slot shows a Mismatch state, the node was replaced with a different type of
switch. (See “Replacing a Node with a Different Switch Type” on page 194.)
Replacing a Node with a Different Switch Type
When you replace a node with a different switch type, for example when you replace a Summit
X450a-48t with a Summit X450e-48p, you cannot continue to use the same stack configuration. The slot
configuration for the replaced node must change to reflect the new switch type.
NOTE
If you are replacing a node with the same switch type, you can continue to use the existing stack
configuration. For more information, see “Replacing a Node with the Same Switch Type” on page 192.
To replace a node with a different switch type:
1 Use the show switch, show licenses, and show stacking configuration commands to display
configuration information for the node to be replaced. Note the following about the switch you are
replacing:
- ExtremeXOS software version
- Partition on which the switch is booted
- Effective license level for the stack
- Slot number
- Stacking protocol; standard or enhanced?
- Master-capable feature configuration
- Node priority
- Alternate gateway IP address
2 Enter the unconfigure slot <slot> command to remove the configuration for the node to be
replaced.
All configuration parameters (except for the related node's NVRAM-based configurations such as
stacking parameters, image to be used, and failsafe account) for the slot are erased.
3 Follow the procedure outlined in “Replacing a Node with the Same Switch Type” on page 192.
Merging Two Stacks
You can join or merge two stacks to create one larger stack. However, the maximum number of nodes in
an active topology is eight.
The operation performed when two stack segments are joined together depends on the following
factors:
● Whether a slot number is duplicated
● Whether both stacks have master nodes
● The states of the nodes in each stack.
If the nodes are configured with stacking enabled, one of the following occurs:
● If two segments are joined, both have operational masters, and at least one of the nodes in one of the
stacks duplicates a slot number of a node in the other stack, the join is allowed. The link that has just
connected the two stacks shows as Inhibited. This prevents accidental stack joins. In this condition,
the nodes on the joined segment can still be reconfigured centrally for stacking.
● If two segments are joined, both have operational masters, and all nodes have assigned slot numbers
that are unique in both stacks, the dual master situation is automatically resolved.
● If two segments are joined, there are no duplicate slot numbers, one of the segments has a master
and a backup node, and the other segment does not have either a master or a backup node, the
nodes in this segment are acquired by the master node. These nodes become standby nodes in the
stack.
Nodes that are not configured for stacking do not attempt to join the active topology but
nevertheless join the stack.
Any nodes enabled for stacking that are isolated between nodes that are not enabled for stacking
attempt to form an isolated active topology.
If one of the nodes that is not configured for stacking is then configured for stacking and restarted, the
behavior is as if two active stacks were joined.
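The Lic column rule described under “Viewing Switch Licenses and License Restrictions” and the join rules listed above can both be checked offline against captured show stacking configuration and show stacking output before a change window. The following Python is an added example, not Extreme Networks code; the function names and result labels are assumptions, and the sample rows are constructed from this section's StackA and StackB displays with the Lic values altered.

```python
# Added example (not Extreme Networks code): audit captured SummitStack displays.
MAX_ACTIVE_NODES = 8  # the page's limit for one active topology


def _is_node_row(fields, width):
    # A data row has the expected column count and starts with a MAC address.
    return len(fields) == width and fields[0].lstrip("*").count(":") == 5


def parse_config_rows(text):
    """Rows of 'show stacking configuration':
    MAC, Cfg slot, Cur slot, Prio, Mgmt IP, Gateway, Flags, Lic."""
    nodes = []
    for line in text.splitlines():
        f = line.split()
        if _is_node_row(f, 8) and len(f[7]) == 2:
            nodes.append({
                "mac": f[0].lstrip("*"),
                "master_capable": "C" in f[6],  # (C) master-Capable in use
                "lic_in_use": f[7][0],          # capital letter or '-'
                "lic_configured": f[7][1],      # lower-case letter or '-'
            })
    return nodes


def license_findings(nodes):
    """Flag restrictions that need a reboot, and master-capable nodes whose
    in-use restrictions differ (a review item, not proof of a mismatch)."""
    findings = []
    for n in nodes:
        if n["lic_in_use"].lower() != n["lic_configured"]:
            findings.append((n["mac"], "reboot-pending"))
    in_use = {n["lic_in_use"] for n in nodes if n["master_capable"]}
    if len(in_use) > 1:
        findings.append(("stack", "master-capable-restrictions-differ"))
    return findings


def parse_stacking_rows(text):
    """Rows of 'show stacking': MAC, Slot, Stack State, Role, Flags."""
    nodes = []
    for line in text.splitlines():
        f = line.split()
        if _is_node_row(f, 5):
            nodes.append({"mac": f[0].lstrip("*"), "slot": f[1], "role": f[3]})
    return nodes


def predict_merge(seg_a, seg_b):
    """Apply the page's three join cases to two stacking-enabled segments."""
    if len(seg_a) + len(seg_b) > MAX_ACTIVE_NODES:
        # Pre-check only: the page gives the limit, not the switch behaviour.
        return "exceeds-eight-nodes"
    roles_a = {n["role"] for n in seg_a}
    roles_b = {n["role"] for n in seg_b}
    duplicate = {n["slot"] for n in seg_a} & {n["slot"] for n in seg_b}
    if "Master" in roles_a and "Master" in roles_b:
        return "link-inhibited" if duplicate else "dual-master-resolved"
    leaders = {"Master", "Backup"}
    for lead, other in ((roles_a, roles_b), (roles_b, roles_a)):
        if not duplicate and leaders <= lead and not (leaders & other):
            return "acquired-as-standby"
    return "not-covered-by-page"


# Constructed sample: StackA rows with the Lic column altered for the demo.
CONFIG_SAMPLE = """
*00:04:96:26:60:DD 1 1 Auto 192.168.130.101/24 192.168.130.1 CcEeMm--- Aa
 00:04:96:26:60:EE 2 2 Auto 192.168.130.102/24 192.168.130.1 CcEeMm--- Ae
 00:04:96:26:60:FF 3 3 Auto 192.168.130.103/24 192.168.130.1 --EeMm--- -e
"""

# Constructed from the StackA and StackB 'show stacking' displays.
STACK_A = """
*00:04:96:26:60:DD 1 Active Master  CA-
 00:04:96:26:60:EE 2 Active Backup  CA-
 00:04:96:26:60:FF 3 Active Standby CA-
"""
STACK_B = """
 00:04:96:26:60:AA 1 Active Master  CA-
 00:04:96:26:60:88 2 Active Backup  CA-
 00:04:96:26:60:99 3 Active Standby CA-
"""

if __name__ == "__main__":
    for finding in license_findings(parse_config_rows(CONFIG_SAMPLE)):
        print(finding)
    print(predict_merge(parse_stacking_rows(STACK_A),
                        parse_stacking_rows(STACK_B)))
```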
Example: Merging Two Stacks
The example in this section demonstrates how to join two stacks. This example assumes two stacks
named StackA and StackB. The joined stack assumes the name StackA. Here are displays taken from the
original StackA:
Slot-1 StackA.8 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
*00:04:96:26:60:DD 1    Active      Master  CA-
 00:04:96:26:60:EE 2    Active      Backup  CA-
 00:04:96:26:60:FF 3    Active      Standby CA-
(*) Indicates This Node
Flags: (C) Candidate for this active topology, (A) Active node,
(O) node may be in Other active topology
Slot-1 StackA.9 # show stacking configuration
Stack MAC in use: 02:04:96:26:60:DD
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:60:DD 1   1   Auto 192.168.130.101/24 192.168.130.1   CcEeMm--- Aa
 00:04:96:26:60:EE 2   2   Auto 192.168.130.102/24 192.168.130.1   CcEeMm--- Aa
 00:04:96:26:60:FF 3   3   Auto 192.168.130.103/24 192.168.130.1   --EeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
(E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
(M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
(N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
configured,
(i) Stack MACs configured and in use are not the same or unknown,
(-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
(c) Core, (a) Advanced edge, or (e) Edge configured,
(-) Not in use or not configured
Slot-1 StackA.10 # show stacking stack-ports
Stack Topology is a Ring
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
*1   1    Native 00:04:96:26:60:DD Operational CB    10G
*1   2    Native 00:04:96:26:60:DD Operational C-    10G
2    1    Native 00:04:96:26:60:EE Operational C-    10G
2    2    Native 00:04:96:26:60:EE Operational C-    10G
3    1    Native 00:04:96:26:60:FF Operational C-    10G
3    2    Native 00:04:96:26:60:FF Operational CB    10G
* - Indicates this node
Flags: (C) Control path is active, (B) Port is Blocked
Slot-1 StackA.3 # show slot
Slots    Type         Configured   State        Ports
--------------------------------------------------------------------
Slot-1   X450e-24p    X450e-24p    Operational  26
Slot-2   X450a-24t    X450a-24t    Operational  26
Slot-3   X450a-24tDC  X450a-24tDC  Operational  26
Slot-4                             Empty        0
Slot-5                             Empty        0
Slot-6                             Empty        0
Slot-7                             Empty        0
Slot-8                             Empty        0
Slot-1 StackA.4 #
Here are displays taken from StackB:
Slot-1 StackB.3 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address   Slot Stack State Role    Flags
------------------ ---- ----------- ------- ---
 00:04:96:26:60:AA 1    Active      Master  CA-
 00:04:96:26:60:88 2    Active      Backup  CA-
 00:04:96:26:60:99 3    Active      Standby CA-
(*) Indicates This Node
Flags: (C) Candidate for this active topology, (A) Active node,
(O) node may be in Other active topology
Slot-1 StackB.4 # show stacking configuration
Stack MAC in use: 02:04:96:26:60:AA
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:60:AA 1   1   Auto 192.168.131.101/24 192.168.131.1   CcEeMm--- Aa
 00:04:96:26:60:88 2   2   Auto 192.168.131.102/24 192.168.131.1   CcEeMm--- Aa
 00:04:96:26:60:99 3   3   Auto 192.168.131.103/24 192.168.131.1   --EeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
(E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
(M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
(N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
configured,
(i) Stack MACs configured and in use are not the same or unknown,
(-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
(c) Core, (a) Advanced edge, or (e) Edge configured,
(-) Not in use or not configured
Slot-1 StackB.5 # show stacking stack-ports
Stack Topology is a Ring
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
1    1    Native 00:04:96:26:60:AA Operational C-    10G
1    2    Native 00:04:96:26:60:AA Operational CB    10G
2    1    Native 00:04:96:26:60:88 Operational CB    10G
2    2    Native 00:04:96:26:60:88 Operational C-    10G
3    1    Native 00:04:96:26:60:99 Operational C-    10G
3    2    Native 00:04:96:26:60:99 Operational C-    10G
* - Indicates this node
Flags: (C) Control path is active, (B) Port is Blocked
Slot-1 StackB.6 # show slot
Slots    Type                 Configured           State       Ports
--------------------------------------------------------------------
Slot-1   X450a-48t            X450a-48t            Operational 26
Slot-2   X450a-24x            X450a-24x            Operational 26
Slot-3   X450a-24xDC          X450a-24xDC          Operational 26
Slot-4                                             Empty       0
Slot-5                                             Empty       0
Slot-6                                             Empty       0
Slot-7                                             Empty       0
Slot-8                                             Empty       0
Form the new stack. Assuming both stacks are rings, break one link in each stack as follows:
● For StackA, break the link between node 00:04:96:26:60:FF port 2 and node 00:04:96:26:60:DD port 1.
● For StackB, break the link between node 00:04:96:26:60:99 port 2 and node 00:04:96:26:60:AA port 1.
Then connect the broken links between the two stacks to form a ring as follows:
● Connect node 00:04:96:26:60:FF port 2 to node 00:04:96:26:60:AA port 1.
● Connect node 00:04:96:26:60:99 port 2 to node 00:04:96:26:60:DD port 1.
Because both are active stacks with duplicate slot numbers, the links between the two stacks are in the
Inhibited state. You can see this with the show stacking stack-ports command, as shown below in
Step 1.
Assume that the master of StackA is to be the master node of the joined stack. Log into the intended
master node.
1 Verify the details of the new stack using the commands show stacking, show stacking
configuration, and show stacking stack-ports.
Slot-1 StackA.11 # show stacking
Stack Topology is a Ring
Active Topology is a Daisy-Chain
Node MAC Address    Slot  Stack State  Role     Flags
------------------  ----  -----------  -------  ---
*00:04:96:26:60:DD  1     Active       Master   CA-
00:04:96:26:60:EE   2     Active       Backup   CA-
00:04:96:26:60:FF   3     Active       Standby  CA-
00:04:96:26:60:AA   1     Active       Master   --O
00:04:96:26:60:88   2     Active       Backup   --O
00:04:96:26:60:99   3     Active       Standby  --O
(*) Indicates This Node
Flags: (C) Candidate for this active topology, (A) Active node,
(O) node may be in Other active topology
Slot-1 StackA.12 # show stacking configuration
Stack MAC in use: 02:04:96:26:60:DD
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:60:DD 1   1   Auto 192.168.130.101/24 192.168.130.1   CcEeMm--- Aa
00:04:96:26:60:EE  2   2   Auto 192.168.130.102/24 192.168.130.1   CcEeMm--- Aa
00:04:96:26:60:FF  3   3   Auto 192.168.130.103/24 192.168.130.1   --EeMm--- Aa
00:04:96:26:60:AA  1   1   Auto 192.168.131.101/24 192.168.131.1   CcEe--i-- --
00:04:96:26:60:88  2   2   Auto 192.168.131.102/24 192.168.131.1   CcEe--i-- --
00:04:96:26:60:99  3   3   Auto 192.168.131.103/24 192.168.131.1   --Ee--i-- --
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
(E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
(M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
(N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
configured,
(i) Stack MACs configured and in use are not the same or unknown,
(-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
(c) Core, (a) Advanced edge, or (e) Edge configured,
(-) Not in use or not configured
Slot-1 StackA.13 # show stacking stack-ports
Stack Topology is a Ring
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
*1   1    Native 00:04:96:26:60:DD Inhibited   --    10G
*1   2    Native 00:04:96:26:60:DD Operational C-    10G
2    1    Native 00:04:96:26:60:EE Operational C-    10G
2    2    Native 00:04:96:26:60:EE Operational C-    10G
3    1    Native 00:04:96:26:60:FF Operational C-    10G
3    2    Native 00:04:96:26:60:FF Inhibited   --    10G
1    1    Native 00:04:96:26:60:AA Inhibited   --    10G
1    2    Native 00:04:96:26:60:AA Operational C-    10G
2    1    Native 00:04:96:26:60:88 Operational C-    10G
2    2    Native 00:04:96:26:60:88 Operational C-    10G
3    1    Native 00:04:96:26:60:99 Operational C-    10G
3    2    Native 00:04:96:26:60:99 Inhibited   --    10G
* - Indicates this node
Flags: (C) Control path is active, (B) Port is Blocked
Slot-1 StackA.14 #
2 Configure the nodes such that they all have unique slot numbers. Because the slot numbers
configured for the first three nodes in your stack are consistent with automatic slot assignment, you
may perform automatic slot assignment now: configure stacking slot-number automatic.
3 Configure the stack MAC address with the command: configure stacking mac-address.
4 Configure stacking redundancy so that only slots 1 and 2 are master-capable with the command:
configure stacking redundancy minimal.
5 Configure new alternate IP addresses for nodes from original StackB. Assume that the block of
addresses allocated to StackA can be extended, and use the automatic form of the command as
follows:
configure stacking alternate-ip-address 192.168.130.101/24 192.168.130.1 automatic
6 On all master-capable nodes, configure a license restriction equal to the minimum of the two
original license levels. Alternatively, you may purchase license upgrades from Extreme
if necessary. In this case, use the command:
configure stacking license-level edge
7 Either reboot the entire stack topology using the reboot stack-topology command, or individually
reboot the three nodes formerly from stack B. The latter requires the following commands:
reboot node 00:04:96:26:60:99
reboot node 00:04:96:26:60:88
reboot node 00:04:96:26:60:AA
The order of reboot should be the Standby nodes first, the Backup node next, and the Master node
last. Because none of these nodes is master-capable, there is no temporary dual master situation as a
result of these separate node reboots.
8 When the rebooted nodes come back up, run the following commands to see the resulting stack. You
can verify the joined stack came up as expected, that is, all nodes should have unique slot numbers,
a common stack MAC address, and so forth:
Slot-1 StackA.11 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address    Slot  Stack State  Role     Flags
------------------  ----  -----------  -------  ---
*00:04:96:26:60:DD  1     Active       Master   CA-
00:04:96:26:60:EE   2     Active       Backup   CA-
00:04:96:26:60:FF   3     Active       Standby  CA-
00:04:96:26:60:AA   4     Active       Standby  CA-
00:04:96:26:60:88   5     Active       Standby  CA-
00:04:96:26:60:99   6     Active       Standby  CA-
(*) Indicates This Node
Flags: (C) Candidate for this active topology, (A) Active node,
(O) node may be in Other active topology
Slot-1 StackA.12 # show stacking configuration
Stack MAC in use: 02:04:96:26:60:DD
Node               Slot         Alternate          Alternate
MAC Address        Cfg Cur Prio Mgmt IP / Mask     Gateway         Flags     Lic
------------------ --- --- ---- ------------------ --------------- --------- ---
*00:04:96:26:60:DD 1   1   Auto 192.168.130.101/24 192.168.130.1   CcEeMm--- Aa
00:04:96:26:60:EE  2   2   Auto 192.168.130.102/24 192.168.130.1   CcEeMm--- Aa
00:04:96:26:60:FF  3   3   Auto 192.168.130.103/24 192.168.130.1   --EeMm--- Aa
00:04:96:26:60:AA  4   4   Auto 192.168.130.104/24 192.168.130.1   --EeMm--- Aa
00:04:96:26:60:88  5   5   Auto 192.168.130.105/24 192.168.130.1   --EeMm--- Aa
00:04:96:26:60:99  6   6   Auto 192.168.130.106/24 192.168.130.1   --EeMm--- Aa
* - Indicates this node
Flags: (C) master-Capable in use, (c) master-capable is configured,
(E) Stacking is currently Enabled, (e) Stacking is configured Enabled,
(M) Stack MAC in use, (m) Stack MACs configured and in use are the same,
(N) Stack link protocol Enhanced in use, (n) Stack link protocol Enhanced
configured,
(i) Stack MACs configured and in use are not the same or unknown,
(-) Not in use or not configured
License level restrictions: (C) Core, (A) Advanced edge, or (E) Edge in use,
(c) Core, (a) Advanced edge, or (e) Edge configured,
(-) Not in use or not configured
Slot-1 StackA.13 # show stacking stack-ports
Stack Topology is a Ring
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
*1   1    Native 00:04:96:26:60:DD Operational C-    10G
*1   2    Native 00:04:96:26:60:DD Operational C-    10G
2    1    Native 00:04:96:26:60:EE Operational C-    10G
2    2    Native 00:04:96:26:60:EE Operational C-    10G
3    1    Native 00:04:96:26:60:FF Operational C-    10G
3    2    Native 00:04:96:26:60:FF Operational C-    10G
4    1    Native 00:04:96:26:60:AA Operational C-    10G
4    2    Native 00:04:96:26:60:AA Operational CB    10G
5    1    Native 00:04:96:26:60:88 Operational CB    10G
5    2    Native 00:04:96:26:60:88 Operational C-    10G
6    1    Native 00:04:96:26:60:99 Operational C-    10G
6    2    Native 00:04:96:26:60:99 Operational C-    10G
* - Indicates this node
Flags: (C) Control path is active, (B) Port is Blocked
Slot-1 StackA.14 #
Slot-1 StackA.3 # show slot
Slots    Type                 Configured           State       Ports
--------------------------------------------------------------------
Slot-1   X450e-24p            X450e-24p            Operational 26
Slot-2   X450a-24t            X450a-24t            Operational 26
Slot-3   X450a-24tDC          X450a-24tDC          Operational 26
Slot-4   X450a-48t                                 Operational 50
Slot-5   X450a-24x                                 Operational 26
Slot-6   X450a-24xDC                               Operational 26
Slot-7                                             Empty       0
Slot-8                                             Empty       0
9 Configure the new slots in VLANs, IP subnetworks, and so forth as required.
Upgrading ExtremeXOS on a Stack
This section includes the following:
● “Upgrading the Software on All Active Nodes” on page 201
● “Upgrading the Software on a Single Node” on page 203
● “Upgrading the Bootrom” on page 203
Upgrading the Software on All Active Nodes
You can centrally upgrade the software on all active nodes in a stack. To upgrade all nodes in the stack,
all nodes must be running an ExtremeXOS release that supports stacking (ExtremeXOS release 12.0 or
greater).
Use the command download image [[<hostname> | <ipaddress>] <filename> {{vr}
<vrname>}] {<partition>} to download a new ExtremeXOS software release and install it on all
nodes on the active topology. If necessary, use the use image {partition} {primary | secondary}
command to select the image partition (primary or secondary) into which the software was saved. Use
the reboot {[time <mon> <day> <year> <hour> <min> <sec>] | cancel} command to restart
all nodes in the new release. For example:
download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>}] {primary |
secondary}
use image {partition} [primary | secondary]
reboot
Before you upgrade a stack, make sure that the active image partition is the same across all nodes. To
determine the active partition selected on all nodes and the ExtremeXOS versions installed in each
partition, use the show slot detail command. You can install the image only on the alternate image
partition and not on the active image partition. To run the upgraded software, you must reboot the
stack after installation, with the image partition that received the software selected.
If the active partition is different on some nodes, the action you take depends on what is stored in both
partitions:
● If both primary and secondary partitions have the same ExtremeXOS release, you may use the
commands
use image {primary | secondary} slot <slot-number>
reboot slot <slot-number>
to cause a node to use the same active image as the rest of the stack.
● If you are using the primary image on your master node and some other node's primary image does
not contain the same ExtremeXOS version as your master node's primary image, you may use the
command
synchronize slot <slotid>
to cause the node to contain the same ExtremeXOS versions in both partitions as are on the master
node, and to reboot the node into the primary partition.
NOTE
The synchronize {slot <slotid>} command is not allowed in certain SummitStack-V configurations when the
target slot is occupied by a Summit X450a or X450e series switch. In these cases, you can use the use image
and download image commands to change the images on the node. Use the save configuration command
to transfer the configuration file. Use the tftp put and tftp get commands to transfer other files via a remote
host (tftp requires alternate IP address configuration on non-master nodes).
NOTE
Hitless upgrade is not supported in a stack.
Upgrading the Software on a Single Node
You can upgrade the software on a single active node. Enter the following commands to download an
image to a node:
download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>}] {<primary |
secondary>} slot <slot number>
use image {partition} [primary | secondary] slot <slotid>
reboot slot <slot number>
The slot number is the one in use by the active node that is to be upgraded.
Be sure that you keep the same image versions on all the other nodes as you have on the master node.
Alternatively, if your master node has the same image versions in its partitions that you want installed
in the node to be upgraded, you can use the command
synchronize slot <slotid>
to upgrade both images and select the desired image.
NOTE
The synchronize {slot <slotid>} command is not allowed in certain SummitStack-V configurations when the
target slot is occupied by a Summit X450a or X450e series switch. In these cases, you can use the use image
and download image commands to change the images on the node. Use the save configuration command
to transfer the configuration file. Use the tftp put and tftp get commands to transfer other files via a remote
host (tftp requires alternate IP address configuration on non-master nodes).
You can upgrade the image on an active node even if the node shows as Failed when using the
show slot command.
Upgrading the Bootrom
The SummitStack feature does not require a bootrom upgrade. You should not upgrade the bootrom of
any node unless there are other reasons to do so. However, the SummitStack feature does allow
centralized bootrom upgrade.
You can download and install the bootrom to a specific slot using the slot parameter. The slot parameter
is available only on stackable switches in the active stack topology. For information on upgrading the
bootrom, see Appendix B, “Software Upgrade and Boot Options.”
If you do not provide a slot number, the stack attempts to download the bootrom image and install it on
all stackable switches in the active topology.
Upgrading SummitStack Option Cards
The following sections describe how to upgrade the SummitStack option cards on Summit family
switches:
● Upgrading a Summit X460 with a SummitStack Option Card on page 204
● Upgrading a Summit X480 with a VIM2 SummitStack Option Card on page 204
● Upgrading a Summit X650 with a VIM1-SummitStack256 on page 204
● Upgrading a Summit X650 with a VIM1-SummitStack512 on page 204
● Upgrading a Summit X650 Switch with a VIM3-40G4x Option Card on page 206
● Upgrading a Summit X670V Switch with a VIM4-40G4x Option Card on page 207
Upgrading a Summit X460 with a SummitStack Option Card
To upgrade a Summit X460 in a stack to use a SummitStack or SummitStack V80 option card, do the
following:
1 Power down the node to be upgraded.
2 Replace the option card to be upgraded with the new option card.
3 Cable the node as described in the Summit Family Switches Hardware Installation Guide.
4 Power up the upgraded node.
Upgrading a Summit X480 with a VIM2 SummitStack Option Card
The VIM2 SummitStack option cards include the following:
● VIM2-SummitStack
● VIM2-SummitStack-V80
● VIM2-SummitStack128
To upgrade a Summit X480 in a stack to use the VIM2 SummitStack option card, do the following:
1 Power down the nodes to be upgraded.
2 Replace the VIMs to be upgraded with the new VIM2 SummitStack option cards.
3 Cable each new stack as described in the Summit Family Switches Hardware Installation Guide.
4 Power up the upgraded nodes.
Upgrading a Summit X650 with a VIM1-SummitStack256
To upgrade a Summit X650 in a stack to use the VIM1-SummitStack256 option card, do the following:
1 Upgrade the ExtremeXOS software on all SummitStack nodes to a version that supports VIM1-SummitStack256.
2 Power down the nodes to be upgraded.
3 Replace the VIMs to be upgraded with the VIM1-SummitStack256 option cards.
4 Cable each new Summit switch as described in the Summit Family Switches Hardware Installation
Guide.
5 Power up the upgraded nodes.
Upgrading a Summit X650 with a VIM1-SummitStack512
To upgrade a Summit X650 in a stack to use the VIM1-SummitStack512 option card, do the following:
1 Upgrade the ExtremeXOS software on all stack nodes to a version that supports VIM1-SummitStack512.
2 Power down the nodes to be upgraded.
3 Replace the VIMs to be upgraded with the VIM1-SummitStack512 option cards.
4 Reconfigure the stack so that there are no more than 2 Summit X650 switches with VIM1-SummitStack512 option cards in each stack.
5 Cable each new stack as described in the Summit Family Switches Hardware Installation Guide.
NOTE
The stack fails if one or both cables are not connected between the VIM1-SummitStack512 option cards.
6 Power up the upgraded nodes.
7 Check that the license level of both Summit X650 switches is as expected. For example:
* X650-24t(SS512).2 # show licenses
Enabled License Level:
Advanced Edge
Enabled Feature Packs:
None
8 Configure the stack license level:
* X650-24t(SS512).4 # configure stacking license-level advanced-edge
This command will take effect at the next reboot of the specified node(s).
9 Use the configure stacking easy-setup command to set up the stack:
* X650-24t(SS512).5 # configure stacking easy-setup
For every node in the 2-node stack, this command will:
- enable stacking
- configure a stack MAC address
- choose and configure a slot number (this node will be assigned to slot 1)
- configure redundancy to minimal (slot 1 will be the master node)
Upon completion, the stack will automatically be rebooted into the new configuration.
Warning: If stacking is already configured, this command will alter that
configuration.
Warning: There are unsaved configuration changes. You may wish to save them
before proceeding.
Do you wish to proceed? (y/N) Yes
Stacking configuration is complete.
Rebooting...
NOTE
For the VIM1-SummitStack512 to operate correctly, all 4 physical stack ports must be connected as per the
cabling guidelines, and the switch state must be Operational.
* Slot-2 Stack.1 # show slot
Slots    Type                 Configured           State       Ports
--------------------------------------------------------------------
Slot-1   X650-24t(SS512)                           Operational 24
Slot-2   X650-24x(SS512)                           Operational 24
Slot-3                                             Empty       0
Slot-4                                             Empty       0
Slot-5                                             Empty       0
Slot-6                                             Empty       0
Slot-7                                             Empty       0
Slot-8                                             Empty       0
* Slot-2 Stack.2 # show stacking
Stack Topology is a Ring
Active Topology is a Ring
Node MAC Address    Slot  Stack State  Role     Flags
------------------  ----  -----------  -------  ---
*00:04:96:35:9d:55  2     Active       Master   CA-
00:04:96:1e:a8:02   1     Active       Backup   CA-
* - Indicates this node
Flags: (C) Candidate for this active topology, (A) Active Node
(O) node may be in Other active topology
* Slot-2 Stack.3 # show stacking stack-ports
Stack Topology is a Ring
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
*2   1    Native 00:04:96:35:9d:55 Operational C-    128G
*2   2    Native 00:04:96:35:9d:55 Operational C-    128G
1    2    Native 00:04:96:1e:a8:02 Operational C-    128G
1    1    Native 00:04:96:1e:a8:02 Operational C-    128G
* - Indicates this node
Flags: (C) Control path is active, (B) Port is Blocked
Upgrading a Summit X650 Switch with a VIM3-40G4x Option Card
To upgrade a Summit X650 in a stack to use the VIM3-40G4x option card, do the following:
1 Upgrade the ExtremeXOS software on all stack nodes to a version that supports the VIM3-40G4x
option card.
2 Power down the nodes to be upgraded.
3 Install the VIM3-40G4x option cards.
4 Cable the new option card as described in the Summit Family Switches Hardware Installation Guide.
5 Power up the upgraded nodes.
6 To select between the native and alternate stack ports, use the following command:
configure stacking-support stack-port [<stack-ports> | all] selection [native {V80 |
V160 | V320} | alternate]
7 To select the configuration of the VIM3-40G4x option card ports, use the following command:
configure ports [<port_list> | all] partition [4x10G | 1x40G]
For native stack port support, select the 4x10G option for the 80 Gbps rate or the 1x40G option for
the 160 Gbps rate.
NOTE
When 40G ports are in 4x10G mode, ports 25, 29, 33, and 37 will not be added to the default VLAN by
default.
NOTE
If you change the port configuration on the VIM3-40G4x option card, you must restart the switch to start
using the new configuration.
Upgrading a Summit X670V Switch with a VIM4-40G4x Option Card
To upgrade a Summit X670V switch in a stack to use the VIM4-40G4x option card, do the following:
1 Upgrade the ExtremeXOS software on all stack nodes to a version that supports the VIM4-40G4x
option card.
2 Power down the nodes to be upgraded.
3 Install the VIM4-40G4x option cards.
4 Cable each new option card as described in the Summit Family Switches Hardware Installation Guide.
5 Power up the upgraded nodes.
6 To select between the native and alternate stack ports, use the following command:
configure stacking-support stack-port [<stack-ports> | all] selection [native {V80 |
V160 | V320} | alternate]
NOTE
The native stacking ports on the VIM4-40G4X option card are not supported in this release.
7 To select the configuration of the VIM4-40G4x option card ports, use the following command:
configure ports [<port_list> | all] partition [4x10G | 1x40G]
For native stack port support, select the 4x10G option for the 80 Gbps rate or the 1x40G option for
the 160 Gbps rate.
NOTE
If you change the port configuration on the VIM4-40G4x option card, you must restart the switch to start
using the new configuration.
Dismantling a Stack
To dismantle a stack and use the Summit switches in stand-alone mode, do the following:
1 Determine if the stack is using the SummitStack-V feature by issuing the following command:
show stacking stack-ports
Examine the Select column to determine if any nodes are using alternate (non-native) stack ports.
2 For every non-master node in the stack that is using alternate stack ports, log into the node and issue
the command:
unconfigure stacking-support
NOTE
If a node is a member of the active topology, node login can be accomplished from the master node using
the telnet slot <slot-number> command. Otherwise you will need access to the node's console port, or you
can log in through a management network.
NOTE
Do not reboot any switches. It is not necessary to unconfigure stacking-support on the master node.
3 When the stacking-support option has been removed from all non-master stack nodes, log into the
master node and issue the command:
unconfigure switch all
After this command is entered, the configuration file is deselected, all stacking parameters are reset to
factory defaults, and all nodes in the active topology reboot. In effect, this sets all nodes back to the
factory default configuration, thus allowing individual redeployment of each switch.
Removing a Node from a Stack
To remove only one switch from the stack:
1 Determine if the target node to be removed is using the SummitStack-V feature by issuing the
following command:
show stacking stack-ports
Examine the Select column to determine if the target node is using alternate (non-native) stack ports.
2 If the target node is using alternate stack ports, do the following:
a Log into the node and issue the command:
unconfigure stacking-support
b Log out of the target node.
NOTE
Do not reboot the target node at this time.
3 Log into the master node.
4 Delete the target node stacking configuration by entering the following command:
unconfigure stacking {node-address <node-address> | slot <slot-number>}
5 Reboot the target node by entering the following command:
reboot [node <node-address> | slot <slot-number>]
When the node reboots, it detects that the configuration file selected is a stacking configuration file (see
“Understanding Stack Configuration Parameters, Configuration Files, and Port Numbering” on
page 147). It de-selects the configuration file and uses the factory defaults.
You may now disconnect the switch from the stack and your networks as needed, and redeploy the
switch.
Rebooting a Stack
You can reboot a stack by entering the command reboot from the master.
You can:
● Reboot all the nodes in the stack topology
● Reboot a specific node
● Reboot all nodes in the active topology
● Move a node to a standby node
● Reboot the stack topology so that every node comes up in standby role
To reboot all nodes in the active topology, enter the following command from a master node login
session:
reboot
To reboot all the nodes in the stack topology, enter:
reboot stack-topology
To reboot a specific node, enter:
reboot node-address <node-address>
Or to reboot an active node from another active node, enter:
reboot slot <slot-number>
Troubleshooting a Stack
Use this section to diagnose and troubleshoot common configuration errors for stacking. The most
common errors are:
● The stack did not come up as expected—Use the show stacking, show stacking configuration,
show stacking-support, and show stacking stack-ports commands to diagnose the problem.
There could be incorrect stacking cabling, a configuration error, or powered down nodes. Also check
the log using the show log command.
NOTE
If two Summit X650 switches are configured as a stack with VIM1-SummitStack512 option cards, the stack
will not operate until all cables are connected.
● The switch with the highest priority was not elected manager—Nodes might have been powered up
at different times. Reboot all nodes in the stack simultaneously.
● A node appears in the stack as expected but does not appear to be operating as configured—Use the
show slot {<slot> {detail} | detail } command to see if there is a license mismatch or an
incorrect ExtremeXOS software version. For more information, see “Managing Licenses on a Stack”
on page 184.
● A correctly cabled and powered-on node does not appear in the stack—The node might be running
an ExtremeXOS version that is earlier than ExtremeXOS 12.0. Upgrade its ExtremeXOS version using
the procedure you would use if the node was not part of the stack.
● The following message appears: Warning: The Backup stack node is not as powerful or
as capable as the Master stack node. This configuration is not recommended for
successful use of the failover feature.
This message appears once, about 5 minutes after the master node takes control of the stack. To better
support the failover feature, follow the guidelines in “Configuring the Master, Backup, and Standby
Roles” on page 175.
● The following message appears: Notice: There are Standby stack nodes which are more
powerful and more capable than the Master and/or Backup stack nodes. This
configuration is not recommended for optimal stack performance. We recommend that
you reconfigure the stacking master-capability and/or priority parameters to allow
the higher performing and more capable nodes to become Master and/or Backup stack
nodes.
This message appears once, about 5 minutes after the master node takes control of the stack. To optimize
stack performance, follow the guidelines in “Configuring the Master, Backup, and Standby Roles” on
page 175.
● Either or both ends of a stacking link show that the state is No Neighbor. This can happen when the
port at either end is configured incorrectly. Some configuration errors can produce the No Neighbor
state at one end and the Link Down state at the other end. Check the configuration at each port and
correct as necessary.
● If the show stacking command displays the node status as Disabled, you need to enable stacking on
that node with the enable stacking command. You can enable stacking on the node from the
master node, and you can reboot the disabled node from the master node to activate the slot number
configuration.
● If the show stacking command shows the stack state for a slot as Failed, check the following:
- Does the show stacking stack-ports command show a port state as Inhibited? If so, the
problem might be a duplicate slot number. If more than one node is using the same slot number,
change the slot number on one of the affected nodes to a unique slot number.
- Is the affected node isolated by other nodes for which the stack state is listed as Disabled? If so,
you need to enable stacking on the disabled nodes.
- Enter the show slot detail command. If the command displays License Mismatch, either
upgrade the node license, or configure a license level restriction so that all master-capable nodes
are at the same effective license level.
- Enter the show slot detail command. If the command displays Incompatible EXOS Version, log
into the master node and use the synchronize slot command to update the failed node.
● If the show stacking command shows the stack state for a slot as Active and the “O” flag is set,
check to see if the node is isolated from other stack nodes by a failed node.
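Several of the checks in the list above can be run mechanically over captured CLI text. The following Python is an added example, not code from Extreme Networks: the finding codes, function names, and row patterns are assumptions, and the sample text is re-typed (stack-ports abridged) from this chapter's joined-stack displays taken before slot renumbering.

```python
import re
from collections import defaultdict

MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
# One data row of "show stacking": MAC, slot, stack state, role, 3-character flags.
NODE_ROW = re.compile(
    rf"^\s*\*?(?P<mac>{MAC})\s+(?P<slot>\d+|-)\s+(?P<state>\S+)\s+"
    rf"(?P<role>\S+)\s+(?P<flags>[CAO-]{{3}})\s*$")
# One data row of "show stacking stack-ports"; the port state may be two words.
PORT_ROW = re.compile(
    rf"^\s*\*?(?P<slot>\d+|-)\s+(?P<port>\d+)\s+(?P<select>\S+)\s+(?P<mac>{MAC})\s+"
    rf"(?P<state>.+?)\s+(?P<flags>[CB-]{{2}})\s+(?P<speed>\S+)\s*$")

# Follow-up for each finding code (codes are hypothetical; guidance is the chapter's).
HINTS = {
    "MULTIPLE_MASTERS": "more than one active topology is present in the stack topology",
    "DUPLICATE_SLOT": "give each node a unique slot number",
    "OTHER_TOPOLOGY": "check whether the node is isolated by a failed node",
    "NODE_DISABLED": "enable stacking on the node, then reboot it from the master",
    "NODE_FAILED": "check Inhibited ports, Disabled neighbors, and show slot detail",
    "PORT_INHIBITED": "the problem might be a duplicate slot number",
    "PORT_NO_NEIGHBOR": "check the port configuration at each end of the link",
    "PORT_LINK_DOWN": "check the port configuration at each end of the link",
}

# Sample input re-typed from the joined-stack displays (before renumbering).
SHOW_STACKING = """\
Node MAC Address    Slot  Stack State  Role     Flags
------------------  ----  -----------  -------  ---
*00:04:96:26:60:DD  1     Active       Master   CA-
00:04:96:26:60:EE   2     Active       Backup   CA-
00:04:96:26:60:FF   3     Active       Standby  CA-
00:04:96:26:60:AA   1     Active       Master   --O
00:04:96:26:60:88   2     Active       Backup   --O
00:04:96:26:60:99   3     Active       Standby  --O
(*) Indicates This Node
"""
SHOW_STACK_PORTS = """\
Slot Port Select Node MAC Address  Port State  Flags Speed
---- ---- ------ ----------------- ----------- ----- -----
*1   1    Native 00:04:96:26:60:DD Inhibited   --    10G
*1   2    Native 00:04:96:26:60:DD Operational C-    10G
3    2    Native 00:04:96:26:60:FF Inhibited   --    10G
1    1    Native 00:04:96:26:60:AA Inhibited   --    10G
1    2    Native 00:04:96:26:60:AA Operational C-    10G
3    2    Native 00:04:96:26:60:99 Inhibited   --    10G
"""


def parse_rows(text, pattern):
    """Return one dict per data row; headers, separators and legends do not match."""
    return [m.groupdict() for m in map(pattern.match, text.splitlines()) if m]


def audit(show_stacking, show_stack_ports):
    """Return (code, detail) findings in a fixed order: roles, slots, flags, states, ports."""
    nodes = parse_rows(show_stacking, NODE_ROW)
    ports = parse_rows(show_stack_ports, PORT_ROW)
    findings = []

    masters = [n["mac"] for n in nodes if n["role"] == "Master"]
    if len(masters) > 1:
        findings.append(("MULTIPLE_MASTERS", masters))

    by_slot = defaultdict(list)
    for n in nodes:
        if n["slot"] != "-":
            by_slot[n["slot"]].append(n["mac"])
    for slot in sorted(by_slot, key=int):
        if len(by_slot[slot]) > 1:
            findings.append(("DUPLICATE_SLOT", (slot, by_slot[slot])))

    other = [n["mac"] for n in nodes if "O" in n["flags"]]
    if other:
        findings.append(("OTHER_TOPOLOGY", other))

    for n in nodes:
        if n["state"] in ("Disabled", "Failed"):
            findings.append(("NODE_" + n["state"].upper(), n["mac"]))

    for p in ports:
        if p["state"] in ("Inhibited", "No Neighbor", "Link Down"):
            code = "PORT_" + p["state"].upper().replace(" ", "_")
            findings.append((code, (p["mac"], int(p["port"]))))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SHOW_STACKING, SHOW_STACK_PORTS):
        print(f"{code:17} {detail} -> {HINTS[code]}")
```

Run against text captured after step 8 of the joining procedure, the same function should return no findings.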
The remainder of this section describes the following troubleshooting topics:
● Managing a Dual Master Situation on page 210
● Setting Traps for Stacking on page 213
● Rescuing a Stack That Has No Master-Capable Node on page 214
● Connecting to a Stack with No Master on page 213
Managing a Dual Master Situation
If a daisy chain is broken, or if a ring is broken in two places, it is possible to form two separate Active
Topologies. This results in a dual master situation.
Figure 8: Example of a Split Stack That Results in a Dual Master Situation
[Figure 8 shows nodes labeled M1, M2, B3, S4, S5, P6, S7, and B8; node 6 is powered off. Legend: M = Master node, B = Backup node, S = Standby node, X = the broken link.]
For example, in Figure 8, a link was broken while a node in the ring was powered off. The link that is now
broken formerly connected the original master (M1) and backup (M2) nodes of a single active topology.
All nodes in the stack except the powered-off node are in the active topology and all nodes are
configured to be master-capable. Nodes 1, 7, and 8 form an active topology and nodes 2, 3, 4, and 5 form
another active topology. Node M2 immediately transitions from backup to master node role. Nodes B8
and B3 are elected in their respective active topologies as backup nodes.
If the backup node is on one stack and the master node is on the other, the backup node becomes a
master node because the situation is similar to that of master failure. Because both the stacks are
configured to operate as a single stack, there is confusion in your networks. For example, all of the
switch’s configured IP addresses appear to be duplicated. The management IP address also appears to
be duplicated since that address applies to the entire original stack.
To help mitigate the dual master problem, you can configure the master-capability so as to prevent some
nodes in the stack from operating in backup or master node roles. In addition, you can force all nodes
in the (broken) stack topology to restart and come up as not master-capable for the life of that restart.
The save configuration {primary | secondary | <existing-config> | <new-config>}
command saves the configuration on all nodes in the active topology.
Standby nodes that exist in a severed stack segment that does not contain either the original master or
backup node do not attempt to become the master node. Instead, these nodes reboot. After rebooting,
however, a master election process occurs among the nodes on this broken segment, resulting in a dual
master situation.
Dual master conditions are also possible when two non-adjacent nodes in a ring or a single (middle)
node in a daisy chain reboot. For a period of time, a rebooting node does not advertise itself to its
neighbors, resulting in temporary stacking link failures. This could cause node isolation, and the nodes
that are isolated perform as a severed stack segment depending on the circumstances of the severance:
● if the backup node is on the broken portion, it becomes a (dual) master;
● if the backup node is on the same portion as the master, all nodes on the (other) broken portion
reboot.
When the rebooting nodes have sufficiently recovered, or when a severed stack is rejoined, the dual
master condition is resolved, resulting in the reboot of one of the master nodes. All standby and backup
nodes that had been acquired by the losing master node also reboot.
You can avoid a dual master possibility during configuration by:
● Configuring the stack in a ring topology.
● Avoiding too many master-capable nodes when configuring larger stacks.
● Placing the master-capable nodes that provide stack redundancy such that stacking link severances
are unlikely.
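The split behavior described in this section can be checked against a planned stack layout before deployment. The following Python model is an added example, not Extreme Networks code: it applies only the rules stated above, and its function names and outcome strings are assumptions chosen for illustration. The figure8() case reproduces the Figure 8 scenario as the text describes it.

```python
def active_topologies(order, ring, broken_links=(), powered_off=()):
    """Return the groups of nodes that can still reach each other.

    order        -- slot numbers in cabling order (list)
    ring         -- True if the last node is also cabled back to the first
    broken_links -- pairs (a, b) of adjacent slots whose stacking link is down
    powered_off  -- slots that are not running
    """
    links = list(zip(order, order[1:]))
    if ring and len(order) > 2:
        links.append((order[-1], order[0]))
    down = {frozenset(link) for link in broken_links}
    off = set(powered_off)
    alive = [n for n in order if n not in off]
    neighbours = {n: set() for n in alive}
    for a, b in links:
        if a in neighbours and b in neighbours and frozenset((a, b)) not in down:
            neighbours[a].add(b)
            neighbours[b].add(a)
    groups, seen = [], set()
    for start in alive:
        if start in seen:
            continue
        group, todo = set(), [start]
        while todo:
            node = todo.pop()
            if node not in group:
                group.add(node)
                todo.extend(neighbours[node] - group)
        seen |= group
        groups.append(sorted(group))
    return groups


def predict_split(groups, master, backup, master_capable):
    """Apply the rules stated in the text to each active topology."""
    capable = set(master_capable)
    report = []
    for group in groups:
        members = set(group)
        if master in members:
            outcome, has_master = "original master stays master", True
        elif backup in members:
            # Same as a master failure: the backup takes over.
            outcome, has_master = "backup becomes master", True
        elif members & capable:
            # Standby nodes reboot first, then hold an election.
            outcome, has_master = "nodes reboot, then elect a master", True
        else:
            outcome, has_master = "nodes reboot as standby, no master", False
        report.append({"nodes": group, "outcome": outcome, "has_master": has_master})
    return report


def dual_master(report):
    """True when more than one active topology ends up with a master."""
    return sum(1 for row in report if row["has_master"]) > 1


def figure8():
    # Ring of eight nodes, node 6 powered off, link between nodes 1 and 2 broken,
    # node 1 is master, node 2 is backup, every node is master-capable.
    groups = active_topologies(list(range(1, 9)), ring=True,
                               broken_links=[(1, 2)], powered_off=[6])
    return predict_split(groups, master=1, backup=2, master_capable=range(1, 9))


if __name__ == "__main__":
    for row in figure8():
        print(row)
    print("dual master:", dual_master(figure8()))
```

Running the same layout with master_capable restricted to a small set of nodes shows which link failures still leave two masters.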
Eliminating a Dual Master Situation Manually
To eliminate the dual master situation, you need to know all the nodes that are supposed to be in the
stack. You might lose the management connectivity to the master node because the other master node
duplicates the stack’s primary management IP address and stack MAC address.
NOTE
The following procedure is necessary only if you cannot reconnect the severed link in a timely manner. If
you can reconnect, the dual master condition resolves itself. The formerly broken portion of the stack reboots and
the nodes come up as standby nodes.
1 If you lose the management connectivity, log into the master node using its alternate management IP
address.
2 Use the show stacking command to determine the nodes that have been lost from the stack. You
should already know all the nodes that are expected to be part of the stack.
3 Log into any node in the severed segment you wish to deactivate, either through its console port or
through the management interface using the alternate management IP address. Issue show stacking
to find whether the broken segment has indeed elected a new master node.
4 Reboot the broken segment forcing all nodes in the segment to come up as standby nodes using the
reboot stack-topology as-standby command.
If you have unsaved configuration changes, take care when selecting the stack segment to be
rebooted.
You should reboot the segment that has the smaller System UpTime.
If you know the node that was master of the unbroken stack, you can reboot the stack segment that
does not contain this master node. Otherwise, determine the System UpTime shown by each master
node.
If the System UpTimes of both masters are the same, you can reboot either segment without loss of
unsaved configuration changes. If the System UpTimes of both masters differ, you must reboot the
segment with the smaller System UpTime.
Automatic Resolution of the Dual Master Situation
When two stack segments are connected together and no slot number is duplicated on either segment, it
is assumed that this is a severed stack rejoin. It is possible that each stack segment has its own master.
Resolution of the dual master situation should generally be in favor of the original stack segment’s
master node. This is because the original stack segment may still retain the unsaved configuration. If the
severed segment was restarted before electing a new master node, the unsaved configuration is lost on
that segment.
The master election is done using the System UpTime. The master election process collects the System
UpTime information of the nodes. If a failover occurs, the System UpTime is inherited by the new
master node, and the new master node continues to increase it as time passes. Thus the System UpTime
is the time since a master was first elected on a segment. When the stack is broken and both master and
backup nodes are on the same segment, the severed segment always has the smaller System UpTime.
If a stack severance results in the master and backup nodes being on different segments, both have the
same System UpTime. In this case, the master is elected using the normal node role election method.
Setting Traps for Stacking
The stack generates traps that provide status information about the switches in the stack and also
stacking port status. Traps generated by the stack include:
● extremeStackMemberStatusChanged
● extremeStackMemberSlotId—Indicates the slot ID
● extremeStackMemberOperStatus—Indicates the slot state of the switch
The stack generates this trap when an overheat condition is detected on an active node:
● extremeStackMemberOverheat
This trap is generated when the node reaches a steady state. Whenever a member is added or deleted
from the stack, the change is indicated through this trap:
● extremeStackingPortStatusChanged
  IfIndex—Interface Index of the port
  extremeStackingPortRemoteMac—MAC Address of the remote switch attached to this port
  extremeStackingPortLinkSpeed—Indicates 10/100/1000 Mbps
  extremeStackingPortLinkStatus—Status of the link
The trap is generated whenever the status of a stacking port changes.
Connecting to a Stack with No Master
If an entire stack has no master node because the stack has been rebooted in standby only mode, you
can log in to a node by using the failsafe account.
If a new node has been added to the stack since the stack failsafe account was configured, logging in to
that node requires knowledge of the failsafe account information that is already configured into that
node's NVRAM.
If you do not know the failsafe account and you still want to log in to the stack, you have to:
● Join the stack to another segment that has a master node to which you have access
● Manually restart the stack to clear the as-standby condition if the reboot stack-topology as-standby command was previously used
● Use the procedure described in “Rescuing a Stack That Has No Master-Capable Node” on page 214
Rescuing a Stack That Has No Master-Capable Node
NOTE
If a node becomes unbootable, refer to the Troubleshooting appendix for information.
You can have a stack with nodes that are all configured with the master-capability set to off.
For example, if a stack was operating with no redundancy (for example, with one master-capable node)
and the master node failed, all other nodes in the stack restart as standby nodes and there is no master
node.
Another example is the case where you dismantle a stack before using the unconfigure stacking or
unconfigure switch all command. In this case, individual Summit switches are configured for
stacking, not master-capable, and are isolated from a stack master.
In this situation, the only security information available is the failsafe account. If you know the failsafe
user name and password, you can log into any node and reconfigure master-capability or redundancy.
However, if you do not know the failsafe account information, there is another way you can change the
configuration.
At the login prompt, enter the following special login ID exactly as displayed here (all uppercase letters)
and press Enter:
REBOOT AS MASTER-CAPABLE
The following message appears:
Node reboot initiated with master-capability turned on.
This node then sets an internal indicator that is preserved across the reboot. While restarting, the node
notices and resets this indicator, ignores the node master-capability configuration, and becomes a master
node.
Since the save configuration {primary | secondary | <existing-config> | <new-config>}
command saves the configuration file to all nodes, the node that just rebooted as master-capable should
have access to the security information that was configured for the stack. If a RADIUS server is needed,
the selected node requires a network connection for authentication.
The special login ID described above is available only if all the following conditions are met:
● The node supports the SummitStack feature.
● Stacking mode is active on the node.
● All nodes in the active topology have master-capability turned off.
● There is no master node in the active topology.
If the above conditions are met, five minutes after starting the node and every five minutes after that,
the following message appears on the console:
Warning: the stack has no Master node and all active nodes are operating with
master-capability turned off. If you wish to reconfigure, you may log in
using the failsafe account. Alternatively, you may use the special login
REBOOT AS MASTER-CAPABLE
with no password to force a reboot of a node with master-capability
temporarily turned on.
Using the special login ID does not alter the master-capability configuration permanently. If you restart
a node that has been restarted with the special login ID, that node restarts using its configured master-capability, unless you again use the special login ID to restart.
The procedure described here is generally not needed if another node that is master-capable is expected
to rejoin the stack. If this procedure is used, it is possible that the new master duplicates the master that
is expected to rejoin later.
When a node has been rebooted using the special login ID, it becomes a Master. While the node is a
master, the special login ID is not recognized, even though the entire stack is still configured as not
master-capable. To get the special login ID to be recognized, the node must be rebooted again.
If a node has been intentionally separated from the stack without first being unconfigured, its security
configuration might be unusable. In this case, perform the following steps:
● Connect to the node's console port.
● Reboot the node using the special REBOOT AS MASTER-CAPABLE login described above.
● During the reboot, enter the bootrom program by waiting until you see the message Starting Default
Bootloader ... and then pressing and holding the space bar until the bootrom prompt appears.
● Force the switch to boot up with a default configuration by entering the following commands at the
bootrom prompt:
config none
boot
The switch boots up in stacking mode operating as a master-capable switch. You can then log in using
the default admin account with no password.
NOTE
The special login ID does not function on stacks that have nodes configured to be master-capable, even
when the reboot stack-topology as-standby command is issued.
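Because the special login takes no password, its availability and use on a console are worth monitoring wherever console sessions are captured. The following Python check is an added example, not part of the guide or of ExtremeXOS: it matches the two console messages quoted above, while the capture line layout, device names, and sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Console message texts quoted from the guide.
NO_MASTER_WARNING = "the stack has no Master node and all active nodes are operating with"
SPECIAL_LOGIN_USED = "Node reboot initiated with master-capability turned on."

# Assumed capture layout (for example a console server log):
#   "<ISO-8601 time> <device> <console text>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample capture, not output from a real switch.
SAMPLE = [
    "2012-08-14T10:05:00 sw-a Warning: the stack has no Master node and all active nodes are operating with",
    "2012-08-14T10:05:00 sw-a master-capability turned off. If you wish to reconfigure, you may log in",
    "2012-08-14T10:05:00 sw-a REBOOT AS MASTER-CAPABLE",
    "2012-08-14T10:10:00 sw-a Warning: the stack has no Master node and all active nodes are operating with",
    "2012-08-14T10:12:30 sw-a login: REBOOT AS MASTER-CAPABLE",
    "2012-08-14T10:12:31 sw-a Node reboot initiated with master-capability turned on.",
    "2012-08-14T10:20:00 sw-b login: admin",
]


def scan_console_log(lines):
    """Collect, per device, the times at which each message was seen."""
    seen = {}
    for raw in lines:
        match = LINE.match(raw.strip())
        if not match:
            continue
        stamp, device, text = match.groups()
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # not a timestamped capture line
        if NO_MASTER_WARNING in text:
            key = "warnings"
        elif SPECIAL_LOGIN_USED in text:
            key = "special_login_reboots"
        else:
            continue
        entry = seen.setdefault(device, {"warnings": [], "special_login_reboots": []})
        entry[key].append(when)
    return seen


def findings(seen):
    """Turn sightings into (device, finding, value) tuples for review."""
    out = []
    for device in sorted(seen):
        warnings = sorted(seen[device]["warnings"])
        reboots = seen[device]["special_login_reboots"]
        if reboots:
            out.append((device, "special-login-used", len(reboots)))
        if warnings:
            # The warning first appears five minutes after the node starts, so
            # the observed span plus five minutes is a lower bound on how long
            # the passwordless reboot has been offered on this console.
            span = warnings[-1] - warnings[0]
            minutes = int(span.total_seconds() // 60) + 5
            out.append((device, "passwordless-reboot-offered-minutes", minutes))
    return out


if __name__ == "__main__":
    for finding in findings(scan_console_log(SAMPLE)):
        print(finding)
```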
Stacking Link Failure
A stacking link is said to be failed when one of the following happens:
● The stacking link is physically disconnected.
● The neighbor on a link stops transmitting topology information.
● The link goes down while a node restarts or when it is powered off.
Based on the stacking topology, the stack behavior changes.
Ring Topology. All traffic paths that were directed through the failed link are redirected. All nodes
converge on the new (daisy chain) topology that results from the link break. The Topology Protocol that
determines the stack topology immediately informs other nodes that a link has failed. Each node starts
the process of redirecting traffic paths.
Daisy chain. A stacking link failure means a severed stack. The Topology Protocol reports the loss of
all nodes in the severed portion. Depending on master capability configuration and the original location
of the backup node, the severed portion may or may not elect a new master node. If it does, the dual
master condition may be in effect.
The show slot {<slot> {detail} | detail } command displays the slots that contain active nodes
that are in the severed portion as Empty.
FAQs on the SummitStack Feature
● How can I find the slot number of the master slot in a stack?
To find the slot number of the master slot, log in to any stack node and run the command show
stacking.
● How would I know whether there is a dual master situation in a stack?
A main symptom is loss of IP connectivity. Run the show stacking command to see whether all
expected nodes are still in the stack.
● How would I find the current topology of the stack?
Run the show stacking command.
● Can I enable EAPS on stacking?
Yes. You can enable EAPS on a stack. EAPS operates in your networks even if an EAPS path
crosses through the stacking links. EAPS is not used as a redundancy protocol for the stacking ring.
● Why should I configure an Alternate IP address?
To enable login to an individual node using the management port of the node and to be able to
configure a node individually. It is most beneficial in manually resolving a dual master situation
since connectivity using the alternate IP address is not affected by the dual master situation.
Chapter 5: Configuring Slots and Ports on a Switch
This chapter includes the following sections:
● Overview
● Configuring Slots on Modular Switches
● Configuring Ports on a Switch
● Using the Precision Time Protocol
● Jumbo Frames
● Link Aggregation on the Switch
● MLAG
● Mirroring
● Remote Mirroring
● Extreme Discovery Protocol
● Software-Controlled Redundant Port and Smart Redundancy
● Configuring Automatic Failover for Combination Ports
● Displaying Port Information
Overview
This chapter describes the processes for enabling, disabling and configuring individual and multiple
ports and displaying port statistics.
Configuring Slots on Modular Switches
This section describes configuring slots on modular switches, which are the BlackDiamond X8 switches,
BlackDiamond 8800 series switches, and SummitStack.
In a SummitStack, a slot number is assigned to a node through configuration and stored in the node's
NVRAM. It takes effect only when the node restarts. In the following descriptions, the phrase inserted
into a slot in a SummitStack means that the node has become active, and because of its configured slot
value it appears to be present in a slot when the show slot command is run. The relationship of a node
and a slot does not change if the SummitStack is rewired. The term module refers to a Summit family
switch that may be present in the stack as an active node.
If a slot has not been configured for a particular type of module, then any type of module is accepted in
that slot, and a default port and VLAN configuration is automatically generated.
After any port on the module has been configured (for example, a VLAN association, a VLAN tag
configuration, or port parameters), all the port information and the module type for that slot must be
saved to non-volatile storage. Otherwise, if the modular switch or SummitStack is rebooted or the
module is removed from the slot, the port, VLAN, and module configuration information is not saved.
NOTE
For information on saving the configuration, see Appendix B, “Software Upgrade and Boot Options.”
You configure the modular switch or a SummitStack with the type of input/output (I/O) module that is
installed in each slot. To do this, use the following command:
configure slot <slot> module <module_type>
You can also preconfigure the slot before inserting the module. This allows you to begin configuring the
module and ports before installing the module in the chassis or activating the related node in the
SummitStack.
If a slot is configured for one type of module, and a different type of module is inserted, the inserted
module is put into a mismatch state and is not brought online. To use the new module type in a slot,
the slot configuration must be cleared or configured for the new module type. To clear the slot of a
previously assigned module type, use the following command:
clear slot <slot>
All configuration information related to the slot and the ports on the module is erased. If a module is
present when you issue this command, the module is reset to default settings.
To display information about a particular slot, use the following command:
show slot {<slot>} {detail}
Information displayed includes:
● Module type, part number and serial number
● Current state (power down, operational, diagnostic, mismatch)
● Port information
If no slot is specified, information for all slots is displayed.
All slots on the modular switches are enabled by default. To disable a slot, use the following CLI
command:
disable slot
To re-enable a slot, use the following CLI command:
enable slot
On the BlackDiamond X8 switch, the command to disable a fabric slot is:
disable slot <FM-1 | FM-2 | FM-3 | FM-4> {offline}
When a fabric slot is disabled, it is powered off and the bandwidth it provides is unavailable. Disabling
an active fabric slot reroutes the switch fabric traffic before powering off the inserted FM blade. Thus, if
there are four active fabric modules when one is disabled, there should be no traffic loss.
On the BlackDiamond X8 switch, the command to enable a fabric slot is:
enable slot <FM-1 | FM-2 | FM-3 | FM-4>
You can configure the number of times that a slot can be restarted on a failure before it is shut down. To
set the restart-limit, use the following command:
configure slot <slot-number> restart-limit <num_restarts>
Configuring Ports on a Switch
NOTE
A port can belong to multiple virtual routers (VRs). See Chapter 16, “Virtual Routers,” for more information
on VRs.
This section describes the following topics:
● Port Numbering
● Enabling and Disabling Switch Ports
● Configuring Switch Port Speed and Duplex Setting
● Flow Control
● IPFIX
● WAN PHY OAM
● Configuring Switching Mode—Cut-through Switching
● SyncE
● TDM PWE and TDM Timing
● Overview of PTP
● DWDM Optics Support
Port Numbering
ExtremeXOS runs on both stand-alone and modular switches, and the port numbering scheme is
slightly different on each. There are also special considerations for mobile backhaul routers. This section
describes the following topics:
● Stand-alone Switch Numerical Ranges
● Modular Switch and SummitStack Numerical Ranges
● Mobile Backhaul Routers
Stand-alone Switch Numerical Ranges
On a stand-alone switch, such as a Summit family switch, the port number is simply noted by the
physical port number, as shown below:
5
Separate the port numbers by a dash to enter a range of contiguous numbers, and separate the numbers
by a comma to enter a range of noncontiguous numbers:
● x-y—Specifies a contiguous series of ports on a stand-alone switch
● x,y—Specifies a noncontiguous series of ports on a stand-alone switch
● x-y,a,d—Specifies a contiguous series of ports and a series of noncontiguous ports on a stand-alone
switch
Modular Switch and SummitStack Numerical Ranges
On a modular switch and SummitStack, the port number is a combination of the slot number and the
port number. The nomenclature for the port number is as follows:
slot:port
For example, if an I/O module that has a total of four ports is installed in slot 2 of the chassis, the
following ports are valid:
● 2:1
● 2:2
● 2:3
● 2:4
You can also use wildcard combinations (*) to specify multiple modular slot and port combinations. The
following wildcard combinations are allowed:
● slot:*—Specifies all ports on a particular I/O module or stack node
● slot:x-slot:y—Specifies a contiguous series of ports on multiple I/O modules or stack nodes
● slot:x-y—Specifies a contiguous series of ports on a particular I/O module or stack node
● slota:x-slotb:y—Specifies a contiguous series of ports that begin on one I/O module or stack
node and end on another I/O module or stack node
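When auditing a configuration, for example to confirm that a disable port list really covers every port meant to be shut, it helps to expand a port list into individual ports. The following Python parser is an added example, not ExtremeXOS code: it covers the stand-alone and slot:port forms listed above, takes the per-slot port counts as a caller-supplied assumption (ports_per_slot), and reads a cross-slot range as running through the end of each earlier slot.

```python
import re

# One endpoint of a port reference: "5", "7:3" or "7:*".
_TOKEN = re.compile(r"^(?:(\d+):)?(\d+|\*)$")


def _endpoint(text):
    match = _TOKEN.match(text)
    if not match:
        raise ValueError(f"bad port reference: {text!r}")
    slot = int(match.group(1)) if match.group(1) else None
    port = match.group(2)
    return slot, (port if port == "*" else int(port))


def _count(ports_per_slot, slot):
    try:
        return ports_per_slot[slot]
    except KeyError:
        raise ValueError(f"port count for slot {slot} not supplied") from None


def expand_port_list(spec, ports_per_slot=None):
    """Expand a port list into (slot, port) tuples; slot is None on a
    stand-alone switch. ports_per_slot maps slot -> number of ports and is
    needed only for wildcards and ranges that cross slots."""
    ports_per_slot = ports_per_slot or {}
    result = []
    for item in spec.replace(" ", "").split(","):
        start_text, dash, end_text = item.partition("-")
        s_slot, s_port = _endpoint(start_text)
        if not dash:
            if s_port == "*":
                if s_slot is None:
                    raise ValueError("wildcard needs a slot")
                last = _count(ports_per_slot, s_slot)
                result.extend((s_slot, p) for p in range(1, last + 1))
            else:
                result.append((s_slot, s_port))
            continue
        e_slot, e_port = _endpoint(end_text)
        if "*" in (s_port, e_port):
            raise ValueError(f"wildcard cannot be part of a range: {item!r}")
        if e_slot is None:
            e_slot = s_slot            # slot:x-y or stand-alone x-y
        elif s_slot is None:
            raise ValueError(f"range start has no slot: {item!r}")
        if s_slot == e_slot:
            if e_port < s_port:
                raise ValueError(f"descending range: {item!r}")
            result.extend((s_slot, p) for p in range(s_port, e_port + 1))
            continue
        if e_slot < s_slot:
            raise ValueError(f"descending range: {item!r}")
        for slot in range(s_slot, e_slot + 1):   # slota:x-slotb:y
            first = s_port if slot == s_slot else 1
            last = e_port if slot == e_slot else _count(ports_per_slot, slot)
            result.extend((slot, p) for p in range(first, last + 1))
    return result


if __name__ == "__main__":
    # The disable port example used in this chapter.
    print(expand_port_list("7:3,7:5,7:12-7:15"))
    # Wildcard on a four-port module in slot 2 (port count is an assumption).
    print(expand_port_list("2:*", {2: 4}))
```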
Mobile Backhaul Routers
Mobile backhaul routers include the E4G-200 and E4G-400. Commands operating on a <port_list> for
mobile backhaul routers all use the keyword “tdm.” When the tdm keyword is present, the <port_list>
is expanded to include only time division multiplexing (TDM) ports, omitting any Ethernet ports
occurring within the <port_list> range. Existing CLI commands without the tdm keyword continue to
work as usual without any change, and these commands omit any TDM ports that may lie within the
<port_list> range.
Enabling and Disabling Switch Ports
By default, all ports are enabled. To enable or disable one or more ports on a switch, use the following
commands:
enable port [<port_list> | all]
disable port [<port_list> | all]
For example, to disable slot 7, ports 3, 5, and 12 through 15 on a modular switch or SummitStack, use
the following command:
disable port 7:3,7:5,7:12-7:15
You have the flexibility to receive or not to receive SNMP trap messages when a port transitions
between up and down. To receive these SNMP trap messages, use the following command:
enable snmp traps port-up-down ports [<port_list> | all]
To stop receiving these messages, use the following command:
disable snmp traps port-up-down ports [<port_list> | all]
Refer to “Displaying Port Information” for information on displaying link status.
NOTE
You can choose to boot the BlackDiamond 12800 series switches with the ports disabled. This information
is saved in NVRAM and is not saved in the “.cfg” configuration files. Use the commands configure switch
ports initial-mode disabled to disable and configure switch ports initial-mode enabled to
enable, and show switch to display the configuration. You cannot disable the stacking ports of a Summit family
switch (whether or not it is included in a SummitStack).
Configuring Switch Port Speed and Duplex Setting
NOTE
Refer to “Displaying Port Information” for information on displaying port speed, duplex, autonegotiation, and
flow control settings.
ExtremeXOS supports the following port types:
● 10 Gbps ports
● 40 Gbps ports
● 10/100/1000 Mbps copper ports
● 10/100/1000 SFPs
● 10/100/1000 Mbps copper ports with Power over Ethernet (PoE)—only on the G48Tc, G48Te2, and
8900-G48T-xl with PoE daughter card modules installed in the BlackDiamond 8800 series switch, and
the Summit X250e-24p, X250e-48p, X440-24p, X450e-24p, X450e-48p, X460-24p, and X460-48p
switches
● 1 Gbps small form factor pluggable (SFP) fiber ports
● 100 FX SFPs, which must have their speed configured to 100 Mbps
● 100/1000 FX/LX SFP SFP ports—only on BlackDiamond 8800 series switches, BlackDiamond 12800
series switches, SummitStack, and the Summit family switches
● Wide area network (WAN) PHY port—only on the Summit X450a and X480 series switches
● 10/100 Mbps copper ports with Power over Ethernet (PoE) ports for Summit X250e series switches
● 10Gbps stacking ports (Summit family switches only)
● 10 Gbps small form factor pluggable+ (SFP+) fiber ports. These should be configured to 10Gbps
auto off if an SFP+ optic is inserted; they should be configured to 1G auto on (or auto off) if a 1G SFP
optic is inserted. Note that on the Summit X650-24x, ports 23 and 24 can only support SFP+ optics.
NOTE
Stacking ports always use the same type of connector and copper PHY which are built in to the Summit
family switches. You cannot configure stacking port parameters such as port speed, duplex, and link fault signal.
You also cannot configure data port features such as VLANs and link aggregation. Stacking links provide the same
type of switch fabric that is provided in a BlackDiamond 8800 series switch or BlackDiamond X8 series switch.
Autonegotiation determines the port speed and duplex setting for each port (except 10 and 40 Gbps
ports). You can manually configure the duplex setting and the speed of 10/100/1000 Mbps ports.
The 10/100/1000 Mbps ports can connect to either 10BASE-T, 100BASE-T, or 1000BASE-T networks. By
default, the ports autonegotiate port speed. You can also configure each port for a particular speed
(either 10 Mbps or 100 Mbps).
NOTE
With autonegotiation turned off, you cannot set the speed to 1000 Mbps.
In general, SFP gigabit Ethernet ports are statically set to 1 Gbps, and their speed cannot be modified.
However, there are two SFPs supported by Extreme that can have a configured speed:
● 100 FX SFPs, which must have their speed configured to 100 Mbps
● 100FX/1000LX SFPs, which can be configured at either speed (available only on the BlackDiamond
8800 series switches, the BlackDiamond 12800 series switches, and the Summit family switches)
The 10 Gbps ports always run at full duplex and 10 Gbps.
The 40 Gbps ports always run at full duplex and 40 Gbps.
ExtremeXOS allows you to specify the medium as copper or fiber when configuring Summit switches
with combination ports. If the medium is not specified for combination ports then the configuration is
applied to the current primary medium. The current primary medium is displayed in the Media
Primary column of the show ports configuration command output.
To configure port speed and duplex setting, use the following command:
configure ports <port_list> {medium [copper | fiber]} auto off speed <speed> duplex [half | full]
To configure the system to autonegotiate, use the following command:
configure ports <port_list> {medium [copper|fiber]} auto on {[{speed <speed>} {duplex [half | full]}] | [{duplex [half | full]} {speed <speed>}]}
NOTE
The keyword medium is used to select the configuration medium for combination ports. If port_list contains
any non-combination ports, the command is rejected.
NOTE
When upgrading a switch running ExtremeXOS 12.3 or earlier software to ExtremeXOS 12.4 or later,
saved configurations from combo ports (copper or fiber) are applied only to combo ports fiber medium. When
downgrading from ExtremeXOS 12.4 or later to ExtremeXOS 12.3 or earlier, saved configurations from combo ports
(copper or fiber) are silently ignored. Therefore, you need to reconfigure combo ports during such an upgrade or
downgrade.
ExtremeXOS does not support turning off autonegotiation on the management port.
Table 25 lists the support for autonegotiation, speed, and duplex setting for the various types of ports.
Table 25: Support for Autonegotiation on Various Ports
Port                           Autonegotiation     Speed        Duplex
10 Gbps                        Off                 10000 Mbps   Full duplex
1 Gbps fiber SFP               On (default), Off   1000 Mbps    Full duplex
100 FX SFP                     On (default), Off   100 Mbps     Full duplex
100/1000 Mbps FX/LX SFP SFP    On (default), Off   100 Mbps     Full duplex
                                                   1000 Mbps
10/100/1000 Mbps               On (default), Off   10 Mbps      Full/half duplex
                                                   100 Mbps     Full/half duplex
10/100 Mbps                    On (default), Off   10 Mbps      Full/half duplex
                                                   100 Mbps     Full/half duplex
10 Gbps SFP+                   Off                 10000 Mbps   Full duplex
Flow control on Gigabit Ethernet ports is enabled or disabled as part of autonegotiation (see IEEE
802.3x). If autonegotiation is set to Off on the ports, flow control is disabled. When autonegotiation is
turned On, flow control is enabled.
With Extreme Networks devices, the 1 Gbps ports and the 10 Gbps ports implement flow control as
follows:
● 1 Gbps ports
  - Autonegotiation enabled
    - Advertise support for pause frames
    - Respond to pause frames
    - Do not transmit pause frames
  - Autonegotiation disabled
    - Do not advertise support for pause frames
    - Do not respond to pause frames
    - Do not transmit pause frames
● 10 Gbps ports for the Summit X450a, X450e, X460, X480, and X650 series switches, SummitStack, and
on modules for the BlackDiamond X8 series switches and the BlackDiamond 8800 series switch:
  - Autonegotiation always disabled
  - Do not advertise support for pause frames
  - Respond to pause frames
  - Do not transmit pause frames
Partitioning 40G Ports
The 40G ports on BlackDiamond X8 switches, BlackDiamond 8900-40G6X-xm modules and Summit
X650 and X670 switches can be partitioned into 4x10G or 1x40G modes.
To partition the ports, use the following command:
configure ports [<port_list> | all] partition [4x10G | 1x40G]
After you make a configuration change, you must do one of the following to apply the change:
● For BlackDiamond X8 series switches and BlackDiamond 8900-40G6X-xm modules, you can disable
and then enable the affected slot, which applies the change without affecting other modules
● For BlackDiamond X8 series switches, BlackDiamond 8900-40G6X-xm modules and Summit X650
and X670 switches you can reboot the switch
NOTE
Because of the nature of these ports at the physical layer level, the 10G side may show a remote or local
linkup.
A configuration change is not applied until the affected slot is disabled and enabled or the switch is rebooted.
Flow Control
This section describes the following topics:
● IEEE 802.3x Flow Control—Summit Family Switches, BlackDiamond X8 Series Switches and
BlackDiamond 8800 Series Switches Only
● IEEE 802.1Qbb Priority Flow Control—BlackDiamond X8 Series Switches, BlackDiamond 8900-10G24X-c and 8900-40G6X-xm Modules and Summit X460, X650, and X670 Switches
IEEE 802.3x Flow Control—Summit Family Switches, BlackDiamond X8 Series Switches and BlackDiamond 8800 Series Switches Only
As mentioned above, with autonegotiation enabled, Summit family switches, BlackDiamond X8
switches, and BlackDiamond 8800 series switches advertise the ability to support pause frames. This
includes receiving, reacting to (stopping transmission), and transmitting pause frames. However, the
switch does not actually transmit pause frames unless it is configured to do so, as described below.
IEEE 802.3x flow control provides the ability to configure different modes in the default behaviors. Ports
can be configured to transmit pause frames when congestion is detected, and the behavior of reacting to
received pause frames can be disabled.
TX. You can configure ports to transmit link-layer pause frames upon detecting congestion. The goal of
IEEE 802.3x is to backpressure the ultimate traffic source to eliminate or significantly reduce the amount
of traffic loss through the network. This is also called lossless switching mode.
The following limitations apply to the TX flow control feature:
● Flow control is applied on an ingress port basis which means that a single stream ingressing a port
and destined to a congested port can stop the transmission of other data streams ingressing the same
port which are destined to other ports.
●
High volume packets destined to the CPU can cause flow control to trigger. This includes protocol
packets such as EDP, EAPS, VRRP, and OSPF.
●
When flow control is applied to the fabric ports, there can be a performance limitation. For example,
a single 1G port being congested could backpressure a high-speed fabric port and reduce its effective
throughput significantly.
To configure a port to allow the transmission of IEEE 802.3x pause frames, use the following command:
enable flow-control tx-pause ports
NOTE
To enable TX flow-control, RX flow-control must first be enabled. If you attempt to enable TX flow-control with RX flow-control disabled, an error message is displayed.
To configure a port to return to the default behavior of not transmitting pause frames, use the following
command:
disable flow-control tx-pause ports
RX. You can configure the switch to disable the default behavior of responding to received pause
frames. Disabling rx-pause processing avoids dropping packets in the switch and allows for better
overall network performance in some scenarios where protocols such as TCP handle the retransmission
of dropped packets by the remote partner.
To configure a port to disable the processing of IEEE 802.3x pause frames, use the following command:
disable flow-control rx-pause ports
NOTE
To disable RX flow-control, TX flow-control must first be disabled. If you attempt to disable RX flow-control with TX flow-control enabled, an error message is displayed.
To configure a port to return to the default behavior of enabling the processing of pause frames, use the
following command:
enable flow-control rx-pause ports
IEEE 802.1Qbb Priority Flow Control—BlackDiamond X8 Series Switches,
BlackDiamond 8900-10G24X-c and 8900-40G6X-xm Modules and Summit X460,
X650, and X670 Switches
Priority flow control (PFC) as defined in the IEEE 802.1Qbb standard is an extension of IEEE 802.3x flow
control which is discussed above. When buffer congestion is detected, IEEE 802.3x flow control allows
the communicating device to pause all traffic on the port whereas IEEE 802.1Qbb allows the device to
pause just a portion of the traffic while allowing other traffic on the same port to continue.
For PFC, when an ingress port detects congestion, it generates a MAC control packet to the connected
partner with an indication of which traffic priority to pause and an associated time for the pause to
remain in effect. The recipient of the PFC packet then stops transmission on the priority indicated in the
control packet and starts a timer indicating when traffic can resume.
Traffic can resume in two ways:
●
On the transmitting side, when the timer expires, traffic on that priority can resume.
●
On the receiving side, once congestion is relieved, another PFC packet is generated to un-pause the
priority so that traffic can resume.
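The two frame types contrasted above can be told apart on the wire by the MAC Control opcode, and a PFC frame with a zero timer is the un-pause message. The following Python decoder is an added example, not ExtremeXOS code; the function name, the constructed sample frames, and the 10 Gbps link speed used to convert pause quanta to time are assumptions.

```python
import struct

MAC_CONTROL_ETHERTYPE = 0x8808   # EtherType shared by PAUSE and PFC frames
OP_PAUSE = 0x0001                # IEEE 802.3x PAUSE: applies to the whole port
OP_PFC = 0x0101                  # IEEE 802.1Qbb PFC: applies per priority
QUANTUM_BITS = 512               # one pause quantum = 512 bit times


def decode_flow_control(frame, link_bps=10_000_000_000):
    """Decode an untagged Ethernet frame carrying PAUSE or PFC.

    Returns a dict describing what is paused or resumed, or None when the
    frame is not a PAUSE/PFC frame or is too short to parse.
    """
    if len(frame) < 18:
        return None
    ethertype, opcode = struct.unpack_from("!HH", frame, 12)
    if ethertype != MAC_CONTROL_ETHERTYPE:
        return None

    if opcode == OP_PAUSE:
        # Single 16-bit timer that covers all traffic on the port.
        (quanta,) = struct.unpack_from("!H", frame, 16)
        kind, timers = "802.3x", {"port": quanta}
    elif opcode == OP_PFC:
        # 16-bit priority-enable vector followed by eight 16-bit timers.
        if len(frame) < 34:
            return None
        (vector,) = struct.unpack_from("!H", frame, 16)
        times = struct.unpack_from("!8H", frame, 18)
        kind = "802.1Qbb"
        timers = {p: times[p] for p in range(8) if vector & (1 << p)}
    else:
        return None

    return {
        "kind": kind,
        # A non-zero timer pauses; a zero timer un-pauses immediately.
        "paused": [k for k, q in timers.items() if q > 0],
        "resumed": [k for k, q in timers.items() if q == 0],
        "pause_us": {k: q * QUANTUM_BITS / link_bps * 1e6
                     for k, q in timers.items() if q > 0},
    }


def _frame(opcode, params):
    """Build a constructed sample frame (padded to 60 bytes, no FCS)."""
    dst = bytes.fromhex("0180c2000001")   # MAC Control multicast address
    src = bytes.fromhex("020000000001")   # constructed, locally administered
    header = dst + src + struct.pack("!HH", MAC_CONTROL_ETHERTYPE, opcode)
    return (header + params).ljust(60, b"\x00")


# Constructed samples: priority 3 matches the FCoE priority used on this page.
SAMPLE_PAUSE = _frame(OP_PAUSE, struct.pack("!H", 0xFFFF))
SAMPLE_PFC_PAUSE_P3 = _frame(
    OP_PFC, struct.pack("!H8H", 0x0008, 0, 0, 0, 0xFFFF, 0, 0, 0, 0))
SAMPLE_PFC_RESUME_P3 = _frame(OP_PFC, struct.pack("!H8H", 0x0008, *([0] * 8)))

if __name__ == "__main__":
    for name, frame in (("802.3x pause", SAMPLE_PAUSE),
                        ("PFC pause p3", SAMPLE_PFC_PAUSE_P3),
                        ("PFC resume p3", SAMPLE_PFC_RESUME_P3)):
        print(name, decode_flow_control(frame))
```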
Limitations. The following limitations are associated with this feature:
●
In this release, PFC must be explicitly configured by the user.
●
In order to support the signaling of congestion across the fabric, an enhanced fabric mode is
required. This enhanced mode is not available on some older models of Summits and BlackDiamond
8000 series modules (see the following supported platforms section). Also, this enhanced mode
reduces the effective bandwidth on the fabric by a small amount (less than 5%). The BlackDiamond
8900-10G24X-c becomes slightly more blocking and the BlackDiamond 8900-10G8X-xl card is no
longer non-blocking when this enhanced mode is configured.
●
The fabric flow control packets take up some small amount of bandwidth on the fabric ports.
●
On Summit X670 and X670V switches, the PFC feature does not support fabric flow control messages
on alternate stack ports or SummitStack-V80 native stack ports.
Supported Platforms. PFC is currently supported only on 10G ports and on specific models of the
following newer platforms indicated by the part number:
●
BlackDiamond X8 series switches
●
BlackDiamond 8900-10G24X-c modules (manufacturing number 800397-00)
●
BlackDiamond 8900-40G6X-xm modules, 40G ports and 10G ports when in 4x10 partition mode
●
Summit X460 switches, 10G ports
●
Summit X650-24t switches (manufacturing number 800394-00)
●
Summit X650-24x switches (manufacturing number 800395-00)
●
Summit X650 VIM-10G8X (manufacturing number 800396-00)
●
Summit X670 switches, 10G ports
●
Summit X670V switches, 10G and 40G ports
To verify that your switch or module supports PFC, use the show version command. If you attempt to
enable PFC on unsupported ports, an error message is displayed. (See Abnormal Configuration
Examples below.)
Setting the Priorities. Priority is established for reception of PFC packets with a QoS profile value on
the ExtremeXOS switch and for transmission with a priority value added to the PFC packet.
●
QoS profile—Ingress traffic is associated with a QoS profile for assignment to one of eight hardware
queues in the system that define how the traffic flows with respect to bandwidth, priority, and other
parameters. By default, there are two QoS profiles (QP1 and QP8) defined in these supported
platforms and PFC works with this default. To segregate the ingress traffic with more granularity,
you will want to define other QoS profiles. The traffic that will be paused on reception of the PFC
packet is associated with the hardware queue of the QoS profile that you specify.
The QoS profile is also used to configure the fabric ports.
●
Priority—When the hardware transmits a PFC packet, it uses the priority bits in the VLAN header
on the ingress packet to determine the priority to pause, if the ingress packet is tagged. You can
specify this transmit priority independently from the QoS profile to associate it with the reception of
a PFC packet thus giving flexibility in the configuration of the network. For untagged ingress
packets, the hardware queue determines the priority in the transmitted PFC packet.
(For additional information, see QoS Profiles in the “QoS and HQoS” chapter)
It is suggested that the priority in the VLAN header match the QoS profile priority when traffic
ingresses at the edge of the network so that the traffic can be more easily controlled as it traverses
through the network.
Fabric Port Configuration. This feature also configures the fabric between ingress and egress ports to
optimize PFC behavior. When the ingress and egress ports are located on separate BlackDiamond I/O
modules or different nodes in a SummitStack, note that some older systems do not support the
enhanced fabric mode required for PFC. The following applies:
●
For BlackDiamond 8800 switches, the BlackDiamond 8900-MSM128 is needed. If other MSMs are
installed, a log message is issued indicating that system performance for PFC will not be optimal.
●
In a SummitStack, PFC cannot be enabled until the following command is executed:
configure stacking protocol enhanced
The fabric can be set up to support the flow control messages only in the following switches:
-
Summit X460
-
Summit X480
-
Summit X650
-
Summit X670
If any other Summit switch attempts to join the stack after the initial configuration of PFC, it is not
allowed to join.
If your situation does not respond well to having flow control enabled on the fabric links, you can turn
off flow control in the fabric by using the following command:
configure forwarding flow-control fabric [auto | off]
Configuring Priority Flow Control. With PFC, it is expected that both RX and TX be enabled or
disabled.
To enable PFC, use the following command:
enable flow-control [tx-pause {priority <priority>} | rx-pause {qosprofile
<qosprofile>}] ports [all | <port_list>]
To disable PFC, use the following command:
disable flow-control [tx-pause {priority <priority>} | rx-pause {qosprofile
<qosprofile>}] ports [all | <port_list>]
Example. The network needs to transport FCoE (Fibre Channel over Ethernet) traffic which is
intermixed with other more typical LAN traffic on the same Ethernet network. FCoE needs a lossless
transport and PFC can be used to enable this. You define QoS profiles for all eight traffic priorities. At
the network level, it is decided that FCoE traffic will be assigned to priority 3 (which corresponds to
QP4) and the remaining traffic is assigned to one or more other priorities. For this example, it is also
assumed that the priority bits in the incoming packets are also 3.
One mechanism that can be used for this classification is the use of Access Control Lists (ACLs) that
match on the FCoE ethertypes (0x8906 and 0x8914) using the ethernet-type qualifier with an action of
QoS profile QP4 for both rules. Other traffic can be classified to other priorities. Once this configuration
is applied, FCoE is now separated from the other Ethernet traffic and is assigned a priority of 3 through
the switch.
PFC is enabled at the ports that will see FCoE traffic, in this case, ports 1:1, 2:3, and 6:5. Since FCoE is
assigned to QP4, you would enable the receive PFC for QoS profile to be QP4 and, in this example,
would also enable PFC with a transmit priority of 3. The enable commands would then read as follows:
enable flow-control tx-pause priority 3 ports 1:1,2:3,6:5
enable flow-control rx-pause qosprofile qp4 ports 1:1,2:3,6:5
Once this configuration is complete, if a switch ingress port detects congestion, it will send PFC packets
to the remote link partner and will respond to PFC packets from the remote link partner by stopping
transmit.
Abnormal Configuration Examples. Following are examples of abnormal configuration scenarios that
can occur:
●
If you attempt to configure PFC on a port that does not support it, an error message similar to the
following is issued and you will be informed that PFC cannot be configured on that port:
BD8810.1# enable flow-control tx-pause priority 3 port 1:1
Error: Port 1:1 does not support Priority Flow Control.
●
If you attempt to configure PFC on a port in a system that has older MSM models, the PFC
configuration will succeed as long as the user port supports it, but a log message will be issued
indicating that overall PFC operation is not optimal.
01/22/2010 14:14:37.88 <Warn:HAL.VLAN.PFCSubopt> MSM-A: Priority Flow Control is
enabled but system behavior will not be optimal. Older modules in the system
cannot be programmed for fabric flow control.
●
When PFC is enabled on a port, IEEE 802.3x will be disabled. If, after enabling PFC, you try to
modify RX or TX pause parameters, an error message similar to the following will be issued
explaining the dependency on PFC configuration:
BD8810.1# enable flow-control tx-pause port 1:1
Error: Priority Flow Control is currently enabled on port 1:1 and is mutually
exclusive with TX and RX pause configuration. TX and RX pause configuration
cannot be done until PFC is disabled on this port.
●
When PFC configuration is attempted on older versions of BlackDiamond 8900-10G24X-c modules or
Summit X650 switches that do not support PFC, as described in the following conditions, the switch
will attempt the configuration.
-
If you try to configure PFC on older BlackDiamond 8900-10G24X-c modules or Summit X650
switches that do not support PFC.
-
If a BlackDiamond 8900-10G24X-c module or Summit X650 switch in a SummitStack that
supports PFC is replaced with a version that does not support PFC.
-
If a slot is preconfigured as an 8900-10G24X-c module, PFC is configured, and a version of the
module that does not support PFC is inserted.
Under any of these conditions, the scenario is flagged and the following log message is issued to
alert you to the misconfiguration:
01/22/2010 14:14:37.88 <Warn:HAL.VLAN.PFCUnsuprt> MSM-A: Port 4:1 is on an older
model of the 8900-10G24X-c or X650 and does not support Priority Flow Control.
8900-10G24X-c 41632B, X650 17001B and 17002B, and VIM-10G8X 17012B are new models
that support PFC.
●
If you try to configure PFC on a port in a SummitStack before you have configured the SummitStack
for enhanced mode, the following error message is issued:
Slot-1 Stack.7 # enable flow-control rx-pause qosprofile qp1 port 1:1
Error: The stack is not configured for enhanced stacking mode. Issue the
command "configure stacking protocol enhanced" to enable this mode and retry the
PFC configuration.
●
On Summit X670 and X670V switches, if you try to configure PFC on alternate stack ports or
SummitStack-V80 native stack ports, the following error message is issued:
07/18/2011 10:42:07.60 <Warn:HAL.Port.FabFlowCtrlUnsuprt> Slot-1: Slot 3 does not
support fabric flow control messages on alternate stack ports or V80 native stack
ports.
Turning Off Autonegotiation on a Gigabit Ethernet Port
In certain interoperability situations, you need to turn autonegotiation off on a fiber gigabit Ethernet
port. Although a gigabit Ethernet port runs only at full duplex, you must specify the duplex setting.
The following example turns autonegotiation off for port 1 (a 1 Gbps Ethernet port) on a module
located in slot 1 of a modular switch:
configure ports 1:1 auto off speed 1000 duplex full
The 10 Gbps ports do not autonegotiate; they always run at full duplex and 10 Gbps speed.
Running Link Fault Signal
The 10 Gbps ports support the Link Fault Signal (LFS) function. This function, which is always enabled,
monitors the 10 Gbps ports and indicates either a remote fault or a local fault. The system then stops
transmitting or receiving traffic from that link. After the fault has been alleviated, the system puts the
link back up and the traffic automatically resumes.
The Extreme Networks implementation of LFS conforms to the IEEE standard 802.3ae-2002.
NOTE
To display the part number of the module, use the show slot <slot_number> command. (All the
modules on the BlackDiamond 8800 series switch support LFS.)
Although the physical link remains up, all Layer 2 and above traffic stops. The system sends LinkDown
and LinkUp traps when these events occur. Additionally, the system writes one or more information
messages to the syslog, as shown in the following example for a BlackDiamond 8800 series switch:
09/09/2004 14:59:08.03 <Info:vlan.dbg.info> MSM-A: Port 4:3 link up at
10 Gbps speed and full-duplex
09/09/2004 14:59:08.02 <Info:hal.sys.info> MSM-A: 4:3 - remote fault
recovered.
09/09/2004 14:59:05.56 <Info:vlan.dbg.info> MSM-A: Port 4:3 link down
due to remote fault
09/09/2004 14:59:05.56 <Info:hal.sys.info> MSM-A: 4:3 - remote fault.
09/09/2004 15:14:12.22 <Info:hal.sys.info> MSM-A: 4:3 - local fault
recovered.
09/09/2004 15:14:11.35 <Info:vlan.dbg.info> MSM-A: Port 4:3 link up at
10 Gbps speed and full-duplex
09/09/2004 15:13:33.56 <Info:vlan.dbg.info> MSM-A: Port 4:3 link down
due to local fault
09/09/2004 15:13:33.56 <Info:hal.sys.info> MSM-A: 4:3 - local fault.
09/09/2004 15:13:33.49 <Info:vlan.dbg.info> MSM-A: Port 4:3 link down
due to local fault
In Summit series switches, on disabling the 10 Gbps ports, the following message is logged to the
syslog:
08/26/2008 06:05:29.29 Port 1 link down - Local fault
This message is logged even when the 10 Gbps port is currently operating in 1 Gbps in the case of
Summit X650 series switches.
NOTE
A link down or up event may trigger Spanning Tree Protocol topology changes or transitions.
Turning off Autopolarity
Summit Family Switches, SummitStack, and BlackDiamond 8800 Series Switches only. The
autopolarity feature allows the system to detect and respond to the Ethernet cable type (straight-through or crossover cable) used to make the connection to the switch port or an endstation. This
feature applies only to the 10/100/1000 BASE-T ports on the switch and copper medium on Summit
combination ports.
When the autopolarity feature is enabled, the system causes the Ethernet link to come up regardless of
the cable type connected to the port. When the autopolarity feature is disabled, you need a crossover
cable to connect other networking equipment and a straight-through cable to connect to endstations.
The autopolarity feature is enabled by default.
To disable or enable autopolarity detection, use the following command:
configure ports <port_list> auto-polarity [off | on]
Where the following is true:
●
port_list—Specifies one or more ports on the switch
●
off—Disables the autopolarity detection feature on the specified ports
●
on—Enables the autopolarity detection feature on the specified ports
Under certain conditions, you might opt to turn autopolarity off on one or more ports. The following
example turns autopolarity off for ports 5 to 7 on a Summit family switch:
configure ports 5-7 auto-polarity off
When autopolarity is disabled on one or more Ethernet ports, you can verify that status using the
command:
show ports information detail
IPFIX
BlackDiamond 8900 G96Tc, G48T-xl, G48X-xl, and 10G8X-xl Modules, Summit
X460 and X480 Switches, and E4G-400 Cell Site Routers only
The IP Flow Information Export (IPFIX) protocol was created by the IETF as a standard way to capture
information about traffic flows passing through network elements in a data network. The protocol
consists of a metering process, an exporting process, and a collecting process. This section discusses the
metering and exporting processes; the collecting process is not defined by the standard and therefore is
outside the scope of this document. The IPFIX protocol is a rival, but complementary, protocol to sFlow.
This feature is supported only on BlackDiamond 8900 G96Tc, G48T-xl, G48X-xl, and 10G8X-xl modules,
Summit X460 and X480 switches, and E4G-400 cell site routers.
The Extreme Networks switch contains various metering processes that gather information about flows
through different ports, or observation points, on the switch. This information includes: the link state,
IPFIX state, flow count, byte count, packet count, flow record count and premature exports. The
metering process then sends the information to the exporting process in the switch which handles
communication, using TCP, UDP, or SCTP transport protocols, over the network to a collecting process.
Figure 9 shows these processes.
Figure 9: IPFIX Processes
[Figure labels: Observation Point (Port on Line Card); Extreme Switch (Observation Domain, Exporter); Flows; Metering Process; Flow Records; Exporting Process; Collecting Process; Collector. Each line card may have its own metering process to manage ports. IPFIX messages flow over TCP, UDP, or SCTP.]
Limitations
This feature has the following limitations:
●
The flow key definition is limited to the L2 and L3 header fields the hardware provides.
●
There is an 8K flow limit per port—4K for ingress and 4K for egress.
Enabling IPFIX
To enable IPFIX on a port and provide a check to ensure that the port being enabled has hardware
support for IPFIX, use the following command:
enable ip-fix ports [<port_list> | all] {ipv4 | ipv6 | non-ip | all_traffic}
If the port does not support IPFIX, an error message is displayed.
To disable an enabled port, use the following command:
disable ip-fix ports [<port_list> | all]
To enable or disable IPFIX globally and override an individual port enable, use the following command:
[enable | disable] ip-fix
Configuring IPFIX Flow Key Masks
Flow keys define what data in the packet header identifies a unique flow to the hardware. On each port,
there is a flow key for IPv4, IPv6, and non-IP traffic type data. Following are the flow keys together
with the size of the field:
IPv4:
●
Source IP Address (32)
●
Destination IP Address (32)
●
L4 Source Port (16)
●
L4 Destination Port (16)
●
L4 Protocol (8)
●
TOS (DSCP +ECN) (8)
IPv6:
●
Source IP Address (128)
●
Destination IP Address (128)
●
L4 Source Port (16)
●
L4 Destination Port (16)
●
Next Header (8)
●
IPv6 Flow Label (20)
●
TOS (DSCP +ECN) (8)
Non-IP:
●
Source MAC Address (48)
●
Destination MAC Address (48)
●
VLAN ID (12)
●
VLAN Priority (3)
●
Ethertype (16)
●
VLAN Tagged (1)
By default, IPFIX uses all the above listed flow keys and all bits. You can override this on a global basis
and specify exactly which keys to use. The template that specifies the structure of the information that is
communicated from the exporter to the collector will then contain only those specified keys.
To specify the flow keys to use for each of the three traffic types, use the following commands:
configure ip-fix flow-key ipv4 {src-ip} {src-port} {dest-ip} {dest-port} {protocol}
{tos}
configure ip-fix flow-key ipv6 {src-ip} {src-port} {dest-ip} {dest-port} {next-hdr}
{tos} {flow-label}
configure ip-fix flow-key nonip {src-mac} {dest-mac} {ethertype} {vlan-id} {priority}
{tagged}
To reset to the all keys default, use the following command:
unconfigure ip-fix flow-key
You can then define masks for the IPv4 and IPv6 source and destination address fields on a per port
basis. Use the following commands:
configure ip-fix ports <port_list> flow-key ipv4 mask [source | destination] ipaddress
<value>
configure ip-fix ports <port_list> flow-key ipv6 mask [source | destination] ipaddress
<value>
Example. You can use the flow keys and masks to minimize the information sent to the collector and
aggregate certain types of flows. A common use of the non-default values may be to see all traffic from
a user only instead of each individual flow. For example, in the case of IPv4:
configure ip-fix flow-key ipv4 src-ip dest-ip
Then, by configuring the mask on a port, the aggregation could be further restricted to meter only
individual subnets. For example, with a 255.255.255.0 mask:
configure ip-fix ports 3:1 flow-key ipv4 mask source ipaddress 255.255.255.0
configure ip-fix ports 3:1 flow-key ipv4 mask destination ipaddress 255.255.255.0
To unconfigure the masks, use the following command:
unconfigure ip-fix ports <port_list> flow-key mask
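To see how the flow-key selection and the per-port masks change what reaches the collector, the following added Python model (not Extreme Networks code) meters a few constructed IPv4 packets under the default key, the `src-ip dest-ip` key, and that key with 255.255.255.0 masks. It assumes the mask is applied as a bitwise AND to the address before the key is formed; all function names are hypothetical and packet values use documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# IPv4 flow-key fields, named as in "configure ip-fix flow-key ipv4".
IPV4_KEYS = ("src-ip", "src-port", "dest-ip", "dest-port", "protocol", "tos")
HOST_MASK = "255.255.255.255"   # all bits used, no address aggregation


def _masked(addr, mask):
    """Apply a dotted-quad mask to an IPv4 address (assumed: bitwise AND)."""
    value = int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(value))


def flow_key(pkt, keys=IPV4_KEYS, src_mask=HOST_MASK, dst_mask=HOST_MASK):
    """Return the tuple that identifies the flow this packet belongs to."""
    unknown = set(keys) - set(IPV4_KEYS)
    if unknown:
        raise ValueError(f"unknown flow-key field(s): {sorted(unknown)}")
    parts = []
    for name in IPV4_KEYS:          # fixed order so equal keys compare equal
        if name not in keys:
            continue
        value = pkt[name]
        if name == "src-ip":
            value = _masked(value, src_mask)
        elif name == "dest-ip":
            value = _masked(value, dst_mask)
        parts.append((name, value))
    return tuple(parts)


def meter(packets, **config):
    """Aggregate packets into flow records keyed by flow_key()."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        record = flows[flow_key(pkt, **config)]
        record["packets"] += 1
        record["bytes"] += pkt["bytes"]
    return dict(flows)


def _pkt(src, sport, dst, dport, proto, size, tos=0):
    return {"src-ip": src, "src-port": sport, "dest-ip": dst,
            "dest-port": dport, "protocol": proto, "tos": tos, "bytes": size}


# Constructed sample traffic: one host touching five different ports, one
# three-packet HTTPS flow, and one DNS query from another subnet.
PACKETS = (
    [_pkt("192.0.2.10", 40000 + i, "198.51.100.20", 20 + i, 6, 60)
     for i in range(5)]
    + [_pkt("192.0.2.11", 51000, "198.51.100.21", 443, 6, 1500)] * 3
    + [_pkt("203.0.113.5", 5353, "198.51.100.20", 53, 17, 90)]
)

DEFAULT = meter(PACKETS)                                    # all keys, all bits
BY_HOST_PAIR = meter(PACKETS, keys=("src-ip", "dest-ip"))   # flow-key ipv4 src-ip dest-ip
BY_SUBNET = meter(PACKETS, keys=("src-ip", "dest-ip"),      # plus 255.255.255.0 masks
                  src_mask="255.255.255.0", dst_mask="255.255.255.0")

if __name__ == "__main__":
    for label, flows in (("default", DEFAULT),
                         ("src-ip dest-ip", BY_HOST_PAIR),
                         ("src-ip dest-ip, /24 masks", BY_SUBNET)):
        print(f"{label}: {len(flows)} flow records")
        for key, record in flows.items():
            print("   ", dict(key), record)
```

Under the `src-ip dest-ip` key the five per-port records from 192.0.2.10 collapse into one, so collector-side analysis that depends on per-port detail needs `src-port` and `dest-port` kept in the flow key.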
Configuring IPFIX Parameters on a Port
These are optional commands; when not configured, the defaults are used.
To configure whether to meter on ingress and/or egress ports, use the following command:
configure ip-fix ports <port_list> [ingress | egress | ingress-and-egress]
(The default is ingress.)
To configure whether to meter all, dropped only, or non-dropped only records, use the following
command:
configure ip-fix ports <port_list> record [all | dropped-only | non-dropped]
(The default is all)
To unconfigure these IPFIX settings on a port or group of ports, use the following command. This
restores the configuration to the defaults for those ports. It does not enable or disable IPFIX.
unconfigure ip-fix ports <port_list>
Configuring Domain IDs
Observation points are aggregated into observation domains. The entire switch operates as one domain.
The IPFIX protocol contains an observation domain ID in the flow records that are sent to the collector.
The collector can use the domain to correlate records to their origin. How this field is used is up to a
given collector. To configure a domain ID, use the following command:
configure ip-fix domain <domain_id>
Configuring a Collector
To export flow records using the IPFIX protocol, you must first configure a collector. Only a single
collector is allowed. You can specify the source IP address and VR to use when sending from the switch
to a given collector. When not specified, the system defaults to the switch IP address the traffic exits.
To specify, use the following command:
configure ip-fix source ip-address <ipaddress> {vr <vrname>}
To reset back to the default of using the switch IP, use the following command:
unconfigure ip-fix source ip-address
You can specify the IP address, port number, transport protocol and VR for a collector. Use the
following command:
configure ip-fix ip-address <ipaddress> {protocol [sctp | tcp | udp]} {L4-port
<portno>} {vr <vrname>}
To unconfigure this, use the following command:
unconfigure ip-fix ip-address
Unconfiguring IPFIX
To unconfigure IPFIX completely use the following command. This removes all port and collector
configuration and disables all ports.
unconfigure ip-fix
Displaying IPFIX Information
To display the global state, the collector information and the ports that are enabled for IPFIX, use the
following command:
show ip-fix
To display information about per port metering, use the following command:
show ports {<port_list> | tag <tag>} ip-fix {detail | no-refresh}
To show whether IPFIX is enabled on a specific port together with port IPFIX configuration, use the
following command:
show ports {mgmt | <port_list> | tag <tag>} information {detail}
WAN PHY OAM
Summit X450a and Summit X480 Series Switches only.
You can configure WAN PHY OAM on the Summit X450a and Summit X480 series switches whether or
not they are included in a SummitStack. The WAN-PHY OAM feature is a subset of the SONET/SDH
overhead function and the WAN PHY interface is defined in IEEE 802.3ae.
The WAN-PHY feature is available on LW XENPAK ports on the Summit X450a switches. The LW
XENPAK provides an interface connection between a 10G Ethernet and a 10G SONET/SDH network
from a 10G Ethernet equipment port.
Summit X480 series switches are WAN-PHY capable on 10G XFP ports. XFP ports can operate in both
LAN and WAN modes. For such ports, the WAN PHY configuration commands that are shown in the
following section, are available only after setting the ports to “WAN PHY” mode using the configure
ports <port_list> mode {lan | wan-phy} command.
Configuring WAN PHY OAM Parameters
The following are configurable WAN PHY OAM parameters:
●
Framing—either SONET or SDH; default is SONET.
●
Clock source—either internal or line; default is line.
●
J0 section trace string—16-character string; default is the IEEE default value, which has no string
representation.
●
J1 path trace string—16-character string; default is the IEEE default value, which has no string
representation.
●
Loopback—line, internal, or off; the default is off
To set the framing, use the following command:
configure ports <port_list> wan-phy framing [sonet | sdh]
To choose the clock source, use the following command:
configure ports <port_list> wan-phy clocking [line | internal]
To set a section trace ID, use the following command:
configure ports <port_list> wan-phy trace-section <id_string>
To set a path trace ID, use the following command:
configure ports <port_list> wan-phy trace-path <id_string>
To set a WAN PHY port to loopback, use the following commands:
On X450a series switches:
configure ports <port_list> wan-phy loopback [line | off]
On Summit X480 series switches:
configure ports <port_list> wan-phy loopback {off | internal | line}
To reset the configuration parameters of a WAN PHY port to default values, use the following
command:
unconfigure ports [<port_list> | all] wan-phy
Displaying WAN PHY OAM Information
You display information on the WAN PHY ports using the following commands:
show ports {mgmt | <port_list> | tag <tag>} information {detail}
show ports {<port_list> | tag <tag>} wan-phy configuration
show ports {<port_list> | tag <tag>} wan-phy errors {no-refresh}
show ports {<port_list> | tag <tag>} wan-phy events {no-refresh}
show ports {<port_list> | tag <tag>} wan-phy overhead {no-refresh}
Configuring Switching Mode—Cut-through Switching
Summit X650 and X670 Series Switches, BlackDiamond X8 Series Switches and
BlackDiamond 8900 Series Modules Only
The default switching mode for ExtremeXOS switches is store-and-forward. Store-and-forward
switching requires the complete receipt of a packet prior to transmitting it out the interface. The packet
is stored in its entirety in packet memory and can be validated via the frame CRC by the switch prior to
forwarding it to the next hop.
On the Summit X650 series switches (whether or not included in a SummitStack) and BlackDiamond
8900 series modules, you can configure the switch to a cut-through switching mode. Cut-through
switching allows the switch to begin transmitting a packet before its entire contents have been received
thereby reducing the overall forwarding latency for large packet sizes.
Of the BlackDiamond 8900 series modules, only the 8900-10G24X-c and 8900-MSM128 fully support cut-through switching mode. The BlackDiamond 8900-G96T-c has partial support; it can operate only the
switching fabric in cut-through mode.
The following limitations apply to the cut-through switching feature:
●
Cut-through mode cannot be achieved for packet sizes less than or equal to 384 bytes.
●
Error packets may be forwarded when using cut-through mode. These packets need to be detected
and discarded by one of the downstream switches, routers, or the ultimate end station.
In some circumstances, store-and-forward is automatically used. Following are examples:
●
Cut-through mode cannot be achieved when switching a packet internally from a low-speed front-panel port (1G or 10G) to a higher-speed fabric port. In this case, store-and-forward switching will
automatically be used. However, cut-through switching can be used when switching between equal
speed ports or from a higher-speed interface to a lower-speed interface.
●
Store-and-forward is used for packets that are switched to multiple egress ports in scenarios such as
VLAN flooding and multicast.
●
Store-and-forward is used whenever the egress interface is congested including when QoS rate
shaping is in effect.
Configuring Switching Mode
To configure the switching mode, use the following command:
configure forwarding switching-mode [cut-through | store-and-forward]
To display the switching mode settings, use the following command:
show forwarding configuration
SyncE
Summit X460-24x and X460-48x Switches and E4G-200 and E4G-400 Cell Site
Routers
Synchronous Ethernet (SyncE) is defined in ITU-T recommendations G.8262/G.8264. This feature
provides the capability for the hardware to synchronize the clock time that is used for data transmission
to a reference clock. This primary reference clock (PRC) comes from a base station controller (BSC).
Figure 10 shows a SyncE structure.
Figure 10: SyncE Structure
[Figure labels: PRC; BSC; Upstream Data; PRC Traceable Recovered Clock; Timing Cleanup; Switch Device; Transmit Clock; Downstream Data (Synchronized to PRC).]
On the switch, one port is configured to be the source for the master interface clock. A second port can
be configured to be the source for a backup reference clock should the master be disconnected or fail.
Up to two ports can be specified as a clock source. Data transmission for all other ports is
synchronized to the master interface clock. If the master port fails, clock accuracy is maintained. When
the ExtremeXOS software detects the failure, it enables the secondary port for the clock. If, at any time,
the master port comes back up, it again becomes the source of the primary clock still with accuracy
maintained.
It is not necessary for data from the clock master or backup ports to be sent over the other interfaces to
maintain synchronization. Only the transmission timing is affected.
The Ethernet Synchronization Messaging Channel (ESMC) is defined by ITU-T for synchronous
Ethernet links. ESMC PDUs guide the hardware in picking the primary clock source and in sending ESMC
messages downstream with clock accuracy details so that downstream systems can synchronize.
Limitations and Requirements
SyncE is supported on 100Mbps/1Gbps ports, and it is also available on E4G-400 XGM 10G Ethernet
ports if present.
For synchronous Ethernet (SyncE), the following ports are supported on each platform:
●
X460-24X: Input Ports 1-28, Output Ports 1-28
●
X460-48X: Input Ports 1-48, Output Ports 1-48
●
E4G-200: All Ethernet ports
●
E4G-400: All Ethernet ports including XGMS 10G ports if present
Clocking Subsystem Selection for E4G-200 and E4G-400
The E4G-200 and E4G-400 have clock sources beyond SyncE. The clock which drives all of the ports on
a switch may be selected from:
●
SyncE.
●
PTP – an optional 1588v2 module.
●
TDM – an optional module which has multiple T1/E1 interfaces for TDM/Ethernet interworking.
●
BITS – Building Integrated Timing Supply. A connector capable of receiving a timing signal provided
by other building equipment.
SyncE for E4G Stacking
The network timing clock can be distributed across different nodes in a stack using 10G alternate
stacking links.
Clock distribution on a stack requires a specific configuration:
●
All nodes in a stack must be SyncE capable.
●
All nodes in a stack must support SyncE on stacking links.
Currently only E4G-400 with an XGM3S card in slot A is capable of supporting SyncE for stacking.
The E4G-400 can use any stacking module used by the X460 series. However, the native stacking
modules cannot carry network timing signals throughout the stack. Only the XGM3S plug-in modules
have that capability. If clock distribution is desired in an E4G-400 stack, alternate stacking must be used
with an XGM3S module in slot A.
Figure 11 shows E4G Stack Clocking.
Figure 11: E4G-400 Stack Clocking
[Diagram labels: E4G-400 Slot 1 Master, E4G-400 Slot 2 and E4G-400 Slot 3, each with XGM3S-2sf or XGM2S-2xf; "Use XGM3S-2<xx> Alternate Stacking links to distribute clocking across the stack"; "10G links carry clocking signal from clock master".]
SyncE for E4G Stacking Limitations.
●
Currently SyncE is only supported on stacks with E4G-400 with XGM3S-2SF or XGM3-2XF cards in
Slot A configured as alternate stacking.
●
SyncE CLI commands are only available if all nodes in the stack have stacking ports capable of SyncE
distribution.
●
If SyncE is configured on stacking and a new node not capable of SyncE is added to the stack, an
error message reporting that the node is not capable will be logged and the node will be allowed to join.
This will break SyncE, so the user must be careful when adding a new node into the SyncE stack.
Configuring SyncE
A link flap occurs in the following scenarios:
●
Link is configured as clock source via the command configure network-clock sync-e clock-source source-1/source-2.
●
Link is unconfigured for clock source via the command unconfigure network-clock sync-e ports <port>.
●
When a valid input clock is selected via the port configured as clock source.
●
When a valid input clock becomes unavailable via the port configured as clock source.
To enable SyncE on ports, use the following command:
enable network-clock sync-e port [<port_list> | all]
To disable SyncE on ports, use the following command:
disable network-clock sync-e port [<port_list> | all]
To configure SyncE on ports, use the following command:
configure network-clock sync-e [source-1 | source-2] port <port>
To unconfigure SyncE on ports, use the following command:
unconfigure network-clock sync-e [port <port>]
To display the configuration and port state, use the following command:
show network-clock sync-e port [<port-list>] {details}
To display SyncE as part of the port configuration, use the following command:
show ports {mgmt | <port_list> | tag <tag>} information {detail}
To configure the input network clock source, use the following command:
configure network-clock clock-source input {[sync-e | ptp | tdm | [bits-rj45 | bits-bnc] {quality-level <value>}] | region [E1 | T1]}
To configure the output network clock source, use the following command:
configure network-clock clock-source output {bits-bnc-1 [1pps | 8KHz] bits-bnc-2 [E1 | T1 | 10MHz]}
To display the configured network clock source information, use the following command:
show network-clock clock-source
TDM PWE and TDM Timing
Introduction
Time-Division Multiplexed circuits can be transported via Pseudo-wires (TDM PWE) using tunnels
based on Ethernet, IP/UDP or MPLS.
This method of transporting TDM circuits over a Packet Switching Network is also known as Circuit
Emulation Service (CES).
This feature is available only on the E4G-400 and E4G-200 cell site routers.
Figure 12 explains the different components of a pseudo-wire.
Figure 12: Components of a Pseudo-wire
A pseudo-wire is an emulation of a point-to-point circuit over a Packet Switching Network (typically
Ethernet). It emulates the operation of a “transparent wire” carrying the service.
●
Ethernet Pseudo-wires: When the service being carried over the “wire” is Ethernet, it is referred to as
Ethernet Pseudo-wires. L2VPN is an example of Ethernet Pseudo-wires.
●
TDM Pseudo-wires: When the service being carried over the “wire” is TDM, it is referred to as TDM
Pseudo-wires.
Figure 13 shows a typical mobile-backhaul network.
Figure 13: Mobile-Backhaul Network
●
Cell Site: This is the Radio Access Customer Network Edge and refers to that part of the Mobile
network that includes 2G (T1/E1 Connectivity), 3G and 4G radio towers.
●
Cell Site Router: The Cell-Site Router backhauls the traffic from the radio towers over the Ethernet
network. Several 2G, 3G and 4G radio towers can be connected to the Ethernet mobile backhaul at
the same time via the Cell Site Router.
●
Cell Site Aggregation Router: This aggregates the multiple Ethernet links from various Cell Site
Routers and also the T1/E1 links (that are co-located with it) and transports them over the Mobile
core. It is likely that Cell Site Aggregation routers are connected to each other via multiple
synchronous Gigabit Ethernet rings.
●
Base Station Control: Terminates TDM pseudo-wires and hands off cell site (TDM/ATM) traffic to
BSC/RNC devices.
Figure 14 shows the components involved in supporting TDM pseudo-wires.
Figure 14: TDM Pseudo-wire Entities
[Diagram labels: TDM physical port#1 and port#2; timeslot bundles (TS#1, TS#2, TS#3); service interface; PW#1, PW#2, PW#3 (PW = pseudo-wire instance); PSN Tunnel #1 and #2; Ethernet physical port.]
TDM pseudo-wires can be realized as structure-agnostic transport, or SAToP (RFC4553), and as structure-aware
transport (RFC5086) of TDM circuits. The components involved in both types of
pseudo-wires are mostly similar. In Figure 14, PW#1 and PW#2 are realized using structure-aware
transport of TDM circuits, while PW#3 is realized using structure-agnostic transport of a TDM circuit.
●
SAToP: This is a pseudo-wire encapsulation of TDM bit streams (T1/E1) without any cognizance of
the structure of the TDM bit streams. The entire frame received over the T1/E1 port is treated as
data and sent over the pseudo-wire. This method has the following advantages:
-
Low overhead
-
Lower end-to-end delay
●
CESoPSN: In this method, there is structure awareness of the TDM bit streams (signals), meaning
the data that is encapsulated is NxDS0. This method has the benefit of lower packetization delay
when transporting several timeslots. CESoP supports channel-associated signaling (CAS) for TDM
interfaces.
Packet Encapsulation Formats Supported by ExtremeXOS. The packet encapsulation formats of the
different pseudo-wire transports supported by ExtremeXOS are shown below:
●
MEF-8 (Ethernet) based encapsulation
NOTE
The Ethertype used for MEF-8 encapsulation is 0x88D8.
●
IP/UDP-based encapsulation (RFC 4553 and RFC 5086)
●
MPLS-based encapsulation (RFC 4385 and RFC 5287)
Figure 15 shows the packet encapsulation formats supported by ExtremeXOS.
Figure 15: Packet Encapsulation Formats Supported by ExtremeXOS
MEF-8 (Ethernet) Based Encapsulation
DA (6 bytes) | SA (6 bytes) | VLAN Header (4 bytes) | ETHER TYPE (0x88D8) (2 bytes) | ECID (Emulated Circuit Identifier) (4 bytes) | Control Word (4 bytes) | TDM PAYLOAD
IP/UDP-Based Encapsulation (RFC 4553 and RFC 5086)
DA (6 bytes) | SA (6 bytes) | VLAN Header (4 bytes) | ETHER TYPE (0x0800) (2 bytes) | IP Header (20 bytes) | UDP Header (8 bytes) | Control Word (4 bytes) | TDM PAYLOAD
MPLS-Based Encapsulation (RFC 4385 and RFC 5287)
DA (6 bytes) | SA (6 bytes) | VLAN Header (4 bytes) | ETHER TYPE (0x8847) (2 bytes) | Tunnel Label (4 bytes) | PW Label (4 bytes) | Control Word (4 bytes) | TDM PAYLOAD
Configuring TDM Hierarchy
The switch boots up in the E1 hierarchy by default (the TDM ports are configured to operate in E1
mode).
For T1 mode of operation, configure the hierarchy, then save the configuration and reboot the
switch. After the reboot, the switch boots up in the T1 hierarchy based on the saved configuration and the TDM
ports operate in T1 mode.
Other TDM configurations can be performed after setting up the switch in the correct hierarchy.
NOTE
For a TDM line where TDM services and/or CES pseudo-wires have been configured, and the hierarchy
needs to be changed, we recommend that you first remove or reset all of the CES pseudo-wires, TDM services, and
TDM line configurations before you configure the TDM hierarchy.
To configure the TDM hierarchy for the switch (T1 or E1), use the following command:
configure tdm hierarchy [t1 | e1]
Understanding TDM Ports Numbering
ExtremeXOS supports 16 TDM ports on E4G-200 and E4G-400 cell site routers.
The TDM ports are numbered from 1 to 16 on the face-plate of the switch. However, when the TDM
ports are configured using the ExtremeXOS CLI, the TDM ports are numbered sequentially after the
Ethernet ports. Table 26 shows the port number mapping in E4G-200 and E4G-400 cell site routers.
Table 26: TDM Port Number Mapping for E4G-200 and E4G-400
Cell Site Router | Module | Panel TDM Port Numbers | TDM Port Numbers in ExtremeXOS CLI
E4G-400 | E4G-B16T1E1 | 1–16 | 35–50
E4G-200 | E4G-F16T1E1 | 1–16 | 13–28
Note that the panel TDM port numbers are different from the TDM port numbers used for the configuration.
In E4G-200, port number 13 in the ExtremeXOS CLI refers to TDM port 1 on the face-plate.
Similarly, port 14 in the ExtremeXOS CLI refers to TDM port 2 on the face-plate, and so on.
In E4G-400, port number 35 in the ExtremeXOS CLI refers to TDM port 1 on the face-plate.
Similarly, port 36 in the ExtremeXOS CLI refers to TDM port 2 on the face-plate, and so on.
Examples:
To enable TDM port 2 in E4G-400, use the port number 36.
enable port 36 tdm
To enable TDM port 5 in E4G-200, use the port number 17.
enable port 17 tdm
NOTE
tdm indicates that the port number in the enable/disable/configure port commands is a TDM port.
Configuring TDM Ports
To configure the framing used on TDM ports, use the following command:
configure ports <port_list> tdm framing [d4 | esf | [basic | mf] {crc4} | unframed]
To configure the line coding scheme to be used on TDM ports, use the following command:
configure ports <port_list> tdm line-coding [b8zs | hdb3 | ami]
To configure the cable length and receiver gain to be used on TDM ports, use the following command:
configure ports <port_list> tdm cable-length [short-haul [110 | 220 | 330 | 440 | 550 | 660] | long-haul line-build-out [0db | 75db | 150db | 225db]]
To configure the local and network loopback mode for TDM ports, use the following commands to
enable and disable loopback:
enable ports <port_list> tdm loopback [local | network [line | payload]]
disable ports <port_list> tdm loopback [local | network [line | payload]]
To configure or clear a display string for TDM ports, use the following commands:
configure ports <port_list> tdm display-string <string>
unconfigure ports <port_list> tdm display-string
To enable or disable TDM ports, use the following commands:
enable ports [<port_list> | all] tdm
disable ports [<port_list> | all] tdm
To configure the transmit clock source for TDM ports, use the following command:
configure ports <port_list> tdm clock-source [line | network | [adaptive | differential] ces <ces_name>]
To configure the recovered clock and quality level for TDM ports, use the following command:
configure ports <port_list> tdm recovered-clock {quality-level <value>}
To unconfigure the recovered clock for TDM ports, use the following command:
unconfigure ports <port_list> tdm recovered-clock
To configure the idle code to be used on TDM ports, use the following command:
configure tdm service circuit <service_name> seized-code <seized_code>
To configure signaling on TDM ports, use the following command:
configure ports <port_list> tdm signaling [bit-oriented | robbed-bit | none]
NOTE
A given TDM port cannot belong to more than one TDM service when the port is in unframed mode.
Configuring TDM Services
To create or delete a TDM service, use the following commands:
create tdm service circuit <service_name>
delete tdm service circuit [<service_name> | all]
To add a port or port/time-slot to a TDM service, use the following command:
configure tdm service circuit <service_name> add port <port> {time-slots [<time_slot_list> | all]}
To delete a port from a TDM service, use the following command:
configure tdm service circuit <service_name> delete port <port>
To configure the idle code and seized code, use the following command:
configure tdm service circuit <service_name> seized-code <seized_code>
To configure the trunk-conditioning value for alarm conditions, use the following command:
configure tdm service circuit <service_name> trunk-conditioning <trunk_conditioning>
NOTE
- A given {TDM port, time-slot} combination cannot belong to more than one TDM service.
- A TDM service can belong to only one TDM pseudo-wire.
- In the framed mode of operation on E1 hierarchy, timeslot 1 cannot be added to a TDM service. Additionally, if
TDM port is configured as multiframed, timeslot 17 cannot be added to a TDM service.
- Time-slots from different TDM ports cannot belong to the same TDM service.
Configuring and Managing CES Pseudo-Wires
Use the following commands to configure Circuit Emulation Service (CES) pseudo-wires.
To create or delete a CES pseudo-wire, use the following commands:
create ces <ces_name> psn [mef8 | udp | mpls]
delete ces [<ces_name> | all]
To enable or disable the administrative status of a CES pseudo-wire, use the following commands:
enable ces [<ces_name> | all]
disable ces [<ces_name> | all]
To manually add an IPv4 peer (far-end) for a CES pseudo-wire, use the following command:
configure ces <ces_name> add peer ipaddress <ipaddress> [fec-id-type pseudo-wire <pw_id> {lsp <lsp_name>} | udp-port local <src_udp_port> remote <dst_udp_port> vlan <vlan_name>]
To manually add an Ethernet (MEF-8) peer (far-end) for a CES pseudo-wire, use the following
command:
configure ces <ces_name> add peer mac-address <mac_address> ecid local <tx_ecid> remote <rx_ecid> vlan <vlan_name>
To delete a peer of a CES pseudo-wire, use the following command:
configure ces <ces_name> delete peer [ipaddress <ipaddress> | mac-address <mac_address>]
To add or delete a TDM service on a CES pseudo-wire, use the following commands:
configure ces <ces_name> add service <service_name>
configure ces <ces_name> delete service
To configure the jitter-buffer value for a CES pseudo-wire, use the following command:
configure ces <ces_name> jitter-buffer <min_jbf> {max <max_jbf>}
To configure the payload-size value for a CES pseudo-wire, use the following command:
configure ces <ces_name> payload-size <bytes>
To configure the quality of service (QoS) profile for a CES pseudo-wire, use the following command:
configure ces <ces_name> qosprofile <qosprofile>
To configure the filler pattern for a CES pseudo-wire, use the following command:
configure ces <ces_name> filler-pattern <byte_value>
To configure Loss of Packet State (LOPS) on a CES pseudo-wire, use the following command:
configure ces <ces_name> lops-threshold [entry <num_packets_for_entry> {exit <num_packets_for_exit>} | exit <num_packets_for_exit>]
To configure time-to-live (TTL) on a CES pseudo-wire, use the following command:
configure ces <ces_name> ttl <ttl_value>
To enable or disable the CES pseudo-wire peer, use the following commands:
[enable | disable] ces <ces_name> peer ipaddress <ipaddress>
To configure DSCP value on a CES pseudo-wire, use the following command:
configure ces <ces_name> dscp <dscp_value>
NOTE
- Payload size can be reconfigured only after disabling the TDM pseudo-wire.
- TDM service can be removed from a TDM pseudo-wire only after the Peer Configuration of the TDM pseudo-wire
is removed.
- The CES pseudo-wire configured for recovering clock cannot be deleted when it is configured as the clock source
for the TDM port. Change the TDM port transmit clock source before deleting the pseudo-wire.
Displaying TDM PW Configurations
To display TDM port information, use the following command:
show ports {<port_list>} tdm information {detail}
To display TDM port configuration information, use the following command:
show ports {<port_list>} tdm configuration {no-refresh}
To display the TDM port alarms, use the following command:
show ports {<port_list>} tdm alarms {no-refresh}
To display TDM service interface information, use the following command:
show tdm service {circuit} {<service_name>}
To display CES pseudo-wire parameters, use the following command:
show ces {<ces_name>} {detail}
To display CES peer information, use the following command:
show ces peer [ipaddress <ipaddress> | mac-address <mac_address>]
To display TDM port information, use the following command:
show ports {<port_list>} tdm {no-refresh}
To display TDM hierarchy information, use the following command:
show tdm hierarchy
To display CES clock recovery information, use the following command:
show ces {<ces_name>} clock-recovery
TDM Port and PW Statistics
To display specified TDM port error counters, use the following command:
show ports {<port_list>} tdm errors {near-end} {total | intervals | current {no-refresh}}
To display specified CES pseudo-wire error counters, use the following command:
show ces {<ces_name>} errors {total | intervals | day-intervals | current {no-refresh}}
Understanding Adaptive Clock Recovery
The clock to drive TDM ports can be recovered from a TDM pseudo-wire using the Adaptive Clock
Recovery (ACR) algorithm. ACR recovers the TDM service clock based on the packet arrival rate and
is typically employed when no other clock is available in the network to achieve synchronization.
Figure 16: Adaptive Clock Recovery
The adaptive clock recovery uses techniques to filter out the Packet Delay Variations (PDV) introduced
in the packet stream by the PSN and recovers the TDM service clock.
The Wander and the Jitter budgets are defined by G.8261 deployment cases (case 1-a, 2-a, 2-b). Network
deployments that differ from above cases require deriving the budgets based on the deployment model.
Limitations:
●
Only one TDM port can be timed using the clock recovered from the pseudo-wire.
●
The pseudo-wire can only time the TDM port that is attached as a service circuit.
●
The clock recovered from the pseudo-wire cannot be used as a system clock source for
synchronization. This implies that the pseudo-wire recovered clock cannot be carried through Sync-E
or PTP or BITS.
●
When configuring a SAToP pseudo-wire for clock recovery, the TDM payload bytes carried in
pseudo-wire should be a multiple of 32.
●
Adaptive clock recovery cannot filter out the low frequency wander introduced by ‘beating effect’.
Understanding TDM Transmit Clock Configuration
The TDM transmit clock is configured using the clock-source command. The TDM line can be
configured to use one of the following clock sources for transmit:
●
Line: The clock recovered from the received TDM stream on the TDM port is used as a transmit
clock source on the same TDM port.
●
Adaptive: The transmit clock source for the TDM port is the clock recovered from the PSN pseudo-wire
packets. The transmit clock is recovered adaptively from the pseudo-wire packet arrival
rate.
●
Network clock: The transmit clock source for the TDM port is the common synchronized clock in
the system. The system clock could be synchronized to one of the following clock sources: SyncE,
1588v2, BITS or a clock recovered from the TDM port.
Understanding TDM Port Alarms
The alarm events detected from the TDM port and the alarm responses transmitted on the TDM
port are listed in the following section. The alarm response on the TDM port/time-slot(s) depends on
the port or time-slot(s) configuration state. A port or time-slot is said to be in the disconnected or idle
configuration state when it is not added to a TDM service. A port or time-slot is said to be
connected if it is part of a TDM service. In idle state, the alarm response varies depending on the
framing configuration on the port. The alarms generated and the alarm events detected are
logged.
TDM Port Alarms in Unframed mode.
AIS Alarm Generation
The TDM ports generate an Alarm Indication Signal (AIS) alarm by default on the ports that are not
connected to a service. On ports that are connected to a service, the AIS alarm is generated to indicate
pseudo-wire faults.
Figure 17: AIS Alarm
E4G switches do not detect AIS alarm events in unframed mode of operation.
LOS Alarm Generation
The TDM ports generate Loss of Signal (LOS) alarm on the ports that are administratively disabled. The
alarm is cleared when the port is enabled.
Figure 18: LOS Alarm Generation
LOS Alarm Response
The TDM ports detect a Loss of Signal alarm event. No specific data is played out as a response for this
alarm event. However, when the port is not a part of a TDM service, the preset idle pattern of all ones (or
AIS) is played out. If the port is connected to a TDM service bound to a CES pseudo-wire, the TDM
data from the remote end of the CES pseudo-wire is played out, facilitating the tunneling of the alarm
event response from the remote TDM CE node.
Figure 19: LOS Alarm Response
TDM Port Alarms in Framed Mode.
Default Line State
The TDM ports send out a preset idle pattern of 0xFF on all timeslot(s) that carry TDM data. If signaling
multiframe is configured on the TDM port (mf in E1 hierarchy and d4 or esf in T1 hierarchy), a
configurable idle code is played out on the signaling channel/bits.
Figure 20: Default Line State
However, the idle pattern is not played out on certain special timeslots, as listed in Table 27 below.
Table 27: Idle Pattern on Timeslots
Hierarchy | Timeslot or bits | Contents
E1 Hierarchy | Timeslot - 1 | Carries frame alignment signal, CRC and remote alarm information.
E1 Hierarchy | Timeslot - 16 (in frame 1/16) | Carries signaling multiframe alignment signal, spare bits and multiframe alarms. Applicable only if port handles signaling multiframe.
T1 Hierarchy | F-bits | Carries framing alignment signal information. In case of Extended Super Frame formats, carries data link and CRC-6 information.
Note that the idle pattern playout does not indicate the presence or generation of alarms and is
presented here for information purposes.
LOS/LOF/AIS Alarm Response
The Loss of Signal, Loss of Frame and Alarm Indication Signal events are detected and a Remote Alarm
Indication is played out as the alarm response. The Framed modes in E1 and T1 hierarchy have specific bits
in the frame formats for notifying the remote TDM CE interface of the faults.
Figure 21: LOS/LOF/AIS Alarm Response
The following framing types configured on the CE node and on the E4G node are considered as
incompatible in the E4G node. This would result in detection of Loss of Frame alarm. The Loss of
Signaling Multiframe and the Loss of CRC Multiframe are detected as Loss of Frame alarm events.
Table 28: Framing Types
Hierarchy | Framing in E4G node | Framing in Remote CE node
E1 | Basic | Unframed
E1 | Signaling multiframe | Unframed, Basic
E1 | CRC4 enabled | CRC4 disabled
T1 | Super frame (D4) | Unframed, Extended super frame (ESF)
T1 | Extended super frame (ESF) | Unframed, Super frame (D4)
LOS Alarm Generation
The TDM ports generate Loss of Signal alarm on the ports that are administratively disabled. The alarm
is cleared when the port is enabled.
Figure 22: LOS Alarm Generation
TDM Port Alarms and Remedies
Table 29 shows the TDM port alarm conditions detected and generated in different configuration
settings, with and without the port being part of a TDM service bound to a CES pseudo-wire, along with
suggested remedies.
Table 29: TDM Port Alarms and Remedies
Alarm: LOS
Description: This condition occurs on the TDM port when the local end of the TDM port is in Loss of Signal state. The mismatch in the configured hierarchy, cable length or line gain parameters results in the Loss of Signal state in the local end of the TDM port.
Remedy: The hierarchy configuration and the interface parameters such as cable length or line gain need to be reviewed. If no configuration deviations are observed, the transmit clocking option in the remote end needs to be reviewed to isolate the possibility of using an unavailable clock.
Alarm: LOF
Description: This condition occurs on the framed TDM port when the local end of the TDM port is in Loss of Frame state. The mismatch in the transmitted framing format in the local end and the configured framing format in the remote end results in the Loss of Frame state in the local end of the TDM port.
Remedy: The framing configuration in the local and remote end of the TDM port needs to be reviewed. If no configuration deviations are observed, the fault due to unstable clock can be isolated by performing loopback tests on the local and/or remote end of the TDM port.
Alarm: TxRAI
Description: This condition occurs on the framed TDM port due to either of the two cases:
•
When there is a mismatch in the configured and received framing format. In this case, the transmission of remote alarm indication is triggered by the Loss of Frame state in the local end of the TDM port.
•
In the presence of CES pseudo-wires on the TDM port, when the remote end of the CES pseudo-wire sends an RDI (Remote defect indicator) signal, RAI is transmitted on the TDM port.
Remedy: If there are CES pseudo-wires defined on the port, the pseudo-wire remote fault can be referred to. In the presence of attachment circuit Tx fault, no action is required. If there are no CES pseudo-wires defined, the framing configuration on the TDM port needs to be reviewed. Additionally, if no configuration deviations are observed, the fault due to unstable clock can be isolated by performing loopback tests on the local and/or remote end of the TDM port. If this condition occurs on the unframed TDM port, it can be cleared by administratively disabling and enabling the TDM port. The following framing configuration in local/remote would cause RAI to be generated from the local end:
Alarm: RxRAI
Description: This condition occurs on the framed TDM port due to either of the two cases:
•
The Loss of Frame state in the remote end of the TDM port.
•
The application associated with the remote end of the TDM port tunnels the alarm indication to the local end. The mismatch in the transmitted framing format in the local end and the configured framing format in the remote end results in the Loss of Frame state in the remote end of the TDM port.
Remedy: If this condition occurs due to the Loss of Frame state in the remote end of the TDM port, the framing configuration on the TDM port needs to be reviewed. Additionally, if no configuration deviations are observed, the fault due to unstable clock can be isolated by performing loopback tests on the local and/or remote end of the TDM port. If this condition occurs due to the application associated with the remote end of the TDM port, no action is to be taken. If this condition occurs on the unframed TDM port, it can be cleared by administratively disabling and enabling the TDM port.
Alarm: TxAIS
Description: This condition occurs on the unframed TDM port due to either of the two cases:
•
The AIS is transmitted on the TDM port by default in the absence of loopback or CES pseudo-wire configuration.
•
In the presence of CES pseudo-wires on the TDM port, the AIS is transmitted to indicate the remote end pseudo-wire faults, namely, local end loss of packet state and remote end attachment circuit fault.
Remedy: If no CES pseudo-wire is configured on the TDM port, no action is required. If CES pseudo-wires are configured on the TDM port, the pseudo-wire fault information should be referred to for the remote end fault indication. If this condition occurs on a framed TDM port, or occurs on an unframed TDM port with no remote end fault indication in the CES pseudo-wire, it can be cleared by administratively disabling and enabling the TDM port.
Alarm: RxAIS
Description: This condition occurs on the framed TDM port when the remote end of the TDM port transmits an AIS alarm indication.
Remedy: This condition requires no action to be performed. If CES pseudo-wires are present on the TDM port, this condition is signaled as local attachment circuit Rx fault.
Understanding TDM CES Pseudo-wire Alarms
The CES pseudo-wires transport the alarm events detected on the service interface and the alarm events
triggered on the PSN transport using the LRM bits in the pseudo-wire control word. The significance
and the usage of the LRM bits are covered by RFC4553 for SAToP pseudo-wires and RFC5086 for CESoP
pseudo-wires. The end-to-end alarm handling between two E4G units for SAToP and CESoP pseudo-wires
is discussed below. The alarms generated and the alarm events detected in the CES pseudo-wires are logged.
CES Alarms in SAToP Pseudo-wires.
TDM Service LOS Alarm
The Loss of Signal alarm event in the TDM service attached to the SAToP pseudo-wire is handled end-to-end as shown in Figure 23.
Figure 23: SAToP Alarm Handling: TDM Service LOS Alarm
1 The Loss of Signal alarm event from the TDM service is detected by the local end E4G node.
2 The local end E4G node notifies the alarm condition to the remote end of the CES pseudo-wire by
setting the L-bit in the TDM pseudo-wire control word.
3 The remote E4G node, upon receiving the CES pseudo-wire with L-bit, ignores the TDM payload
carried in the packet and plays out Alarm Indication Signal to the remote TDM CE node.
4 The remote TDM CE node sends a response to the Alarm Indication Signal, which could be a specific
pattern in case of unframed services, for example, an all ones pattern.
5 The remote E4G node sends the alarm response with the R-bit set, indicating the packet loss caused
by dropping the packets that had the L-bit set.
6 The local E4G node receives the alarm response packets with R-bit set and forwards the alarm
response data to the local TDM CE node.
TDM Service AIS Alarm
The Alarm Indication Signal alarm from the TDM service is not detected by the E4G switch. This alarm
is carried transparently to the remote TDM CE node and the alarm response is carried back
transparently to the local TDM CE node as pictured. The CES pseudo-wire control word is not updated
to reflect the presence of this alarm condition.
Figure 24: SAToP Alarm Handling: TDM Service AIS Alarm
PSN Loss of Packet State
The CES pseudo-wire packets carry the TDM service payload at a constant rate depending on the
payload size. The replay of TDM service payload at the remote end of the CES pseudo-wire is done
based on the sequence number in the CES pseudo-wire control word. Due to the variable nature of the
packet switched network, the CES pseudo-wire streams can be dropped in the intermediate nodes. Under
this scenario, the remote end of the CES pseudo-wire is said to be in LOSY state. The LOSY state of the
CES pseudo-wire is indicated to the peer by setting the R-bit in the CES pseudo-wire control word.
Figure 25: SAToP Alarm Handling: PSN Loss of Packet State
The R-bit in the control word is set on the CES pseudo-wire packets from remote E4G node in LOSY
state to the local E4G node, regardless of the RAI pattern received from its local TDM CE node.
CES Alarms in CESoP Pseudo-wires.
The handling of CES alarms in CESoP pseudo-wires is more involved because one or more timeslots are
associated with a TDM service, and hence multiple services with disjoint timeslots can originate from a
single TDM port. On alarm conditions, the configured trunk condition code for data channels is played
out. For signaling channels, the configured seized code pattern is played out.
TDM Service LOS/LOF/AIS Alarm
The Loss of Signal, Loss of Frame and Alarm Indication Signal events in the TDM service attached to
the CESoP pseudo-wire are handled end-to-end as shown in Figure 26.
Figure 26: CESoP Alarm Handling: TDM Service LOS/LOF/AIS Alarm
The alarm handling sequence is similar to SAToP pseudo-wires, with an exception that the alarm is
indicated only on the specific TDM service bound to the CES pseudo-wires. For instance, if the TDM
service has 10 timeslots bound to the CES pseudo-wire, the alarm is indicated by the remote E4G node
by playing out the configurable trunk conditioning pattern on those 10 timeslots in the TDM service. If
signaling multiframe mode is configured on the TDM port, the configurable seized code pattern is
played on the signaling bits.
TDM Service RAI Alarm
The CESoP pseudo-wires notify the remote E4G node of the Remote Alarm Indication (or Remote
Defect Identifier) alarms detected on the TDM service attached to the local TDM CE node. The M-bit in
the CES pseudo-wire control word is set to indicate the detected alarm. The remote E4G node sets the
RAI indication on the TDM port attached to its local TDM CE node in addition to playing out the TDM
payload received. Figure 27 shows the alarm handling sequence.
Figure 27: CESoP Alarm Handling: TDM Service RAI Alarm
PSN Loss of Packet State
The CESoP pseudo-wires handle the LOSY state due to loss of CES pseudo-wire packets in the PSN in
the same way as SAToP pseudo-wires. The configured trunk conditioning code and seized
code are played on the timeslots connected to the TDM service instead of AIS. Figure 28 shows the alarm
handling sequence.
Figure 28: CESoP Alarm Handling: PSN Loss of Packet State
CES Pseudo-wire Alarms and Remedies
Table 30 lists the CES pseudo-wire alarm conditions detected and generated in the E4G node with the
suggested remedies.
Table 30: CES Pseudo-wire Alarms and Remedies

Alarm: Local L-bit (Local attachment circuit Rx fault)
Description: This condition occurs when the TDM port in attachment circuit of the CES pseudo-wire is in
failure state or is administratively disabled. When the TDM port is in LOS, AIS or LOF condition, the
local end of the CES pseudo-wire carries the L-bit in the control word as an indication of the local
attachment circuit alarm to the remote end of the pseudo-wire. This condition can be induced by
disabling the TDM port administratively. This condition applies for both SAToP and CESoP pseudo-wires.
Remedy: The alarms associated with the TDM port in the attachment circuit of the CES pseudo-wire can
be referred to. The L-bit condition is cleared when the associated TDM port is restored from the
failure state.

Alarm: Local R-bit (Local pseudo-wire LOSY state)
Description: This condition occurs when the local end of the CES pseudo-wire enters the LOSY state. The
CES pseudo-wire enters LOSY state when the packets from the remote end of the CES pseudo-wire are lost
in transit. The local end of the CES pseudo-wire carries the R-bit in the control word as an
indication of the remote pseudo-wire fault. The CES pseudo-wire stream from the remote end, carrying
L-bit, would result in LOSY state in the local end of the CES pseudo-wire. Administratively disabling
the CES pseudo-wire in the local end would result in the LOSY state in the remote end of the CES
pseudo-wire. This condition applies for both SAToP and CESoP pseudo-wires.
Remedy: If this condition occurs and the CES pseudo-wire is not disabled, the reachability of the CES
pseudo-wire peer needs to be checked. If the peer is reachable, occurrence of remote end attachment
circuit fault (remote L-bit condition) could be referred to. The R-bit condition is cleared when the
remote CES pseudo-wire packets are received.

Alarm: Local M-bit (Local attachment circuit Tx fault)
Description: This condition occurs when the TDM port in the attachment circuit of the CES pseudo-wire
receives remote alarm indication (Rx RAI). The local end of the CES pseudo-wire carries M-bit in the
control word to notify the remote end of the CES pseudo-wire of the reception of RAI in the local
attachment circuit. This condition applies for CESoP pseudo-wires only.
Remedy: If this condition occurs, the alarms associated with the TDM port in the attachment circuit of
the CES pseudo-wire can be referred to. The M-bit condition is cleared when the associated TDM port
stops receiving RAI indication.

Alarm: Remote L-bit (Remote attachment circuit Rx fault)
Description: This condition occurs when the TDM port in attachment circuit of the remote CES
pseudo-wire is in failure state or is administratively disabled. The remote end of the CES pseudo-wire
carries the L-bit in the control word to the local end of the CES pseudo-wire as an indication of the
attachment circuit alarm in the remote end of the CES pseudo-wire. This condition can be induced by
disabling the TDM port in the remote end of the CES pseudo-wire administratively. This condition
applies for both SAToP and CESoP pseudo-wires. This condition causes AIS or trunk conditioning pattern
to be transmitted on the local attachment circuit.
Remedy: If this condition occurs, the TDM port/attachment circuit alarms in the remote end of the CES
pseudo-wire can be referred to. The L-bit condition is cleared when the TDM port in the remote end of
CES pseudo-wire is restored from the failure state.

Alarm: Remote R-bit (Remote attachment circuit LOSY state)
Description: This condition occurs when the remote end of the CES pseudo-wire enters the LOSY state.
When the packets from the local end of the CES pseudo-wire are lost in transit, the remote end of the
CES pseudo-wire enters LOSY state. This condition also occurs when the local end of the CES pseudo-wire
carries L-bit to notify the remote end of the CES pseudo-wire of the fault in the local attachment
circuit. When the local end of the CES pseudo-wire is administratively disabled, the remote end of the
CES pseudo-wire enters LOSY state. This condition applies for both SAToP and CESoP pseudo-wires.
Remedy: If this condition occurs and the remote end of CES pseudo-wire is not disabled, occurrence of
the local end attachment circuit fault (local L-bit condition) could be referred to. If local end of
CES pseudo-wire does not carry L-bit, the reachability of the local peer from the remote end of the
CES pseudo-wire needs to be checked. The R-bit condition is cleared when the local CES pseudo-wire
packets are received in the remote end.

Alarm: Remote M-bit (Remote attachment circuit Tx fault)
Description: This condition occurs when the TDM port in the attachment circuit of the remote CES
pseudo-wire receives remote alarm indication (Rx RAI). The remote end of the CES pseudo-wire carries
M-bit in the control word to the local end as an indication of the RAI reception by the attachment
circuit. This condition applies for CESoP pseudo-wires only. This condition causes RAI to be
transmitted on the local attachment circuit.
Remedy: If this condition occurs, the alarms associated with the TDM port in the attachment circuit of
the remote CES pseudo-wire can be referred to. The M-bit condition is cleared when the associated TDM
port stops receiving RAI indication.
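The remote L-bit, R-bit and M-bit conditions listed above can be read directly from the 32-bit control word of a captured CES pseudo-wire packet. The following is an added example, not ExtremeXOS code: the function names and the sample packets are constructed for illustration, and the bit positions and the M = 10 RAI code point are taken from the control word layout in RFC4553 and RFC5086 as understood here.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlWord:
    l_bit: bool   # sender's attachment circuit (TDM port) is in fault
    r_bit: bool   # sender is in LOSY state (not receiving our packets)
    m_bits: int   # 2-bit modifier: used by CESoP, reserved in SAToP
    frg: int      # fragmentation bits
    length: int   # 6-bit length field
    seq: int      # 16-bit sequence number that orders the playout


def build_control_word(l_bit=0, r_bit=0, m_bits=0, frg=0, length=0, seq=0):
    """Pack fields into a control word; used only for the constructed samples."""
    word = ((l_bit << 27) | (r_bit << 26) | (m_bits << 24)
            | (frg << 22) | (length << 16) | seq)
    return struct.pack("!I", word)


def parse_control_word(data):
    """Decode the first four bytes that follow the PSN/pseudo-wire headers."""
    if len(data) < 4:
        raise ValueError("control word needs 4 bytes")
    (word,) = struct.unpack("!I", data[:4])
    if word >> 28:
        raise ValueError("first four bits of the control word must be zero")
    return ControlWord(
        l_bit=bool((word >> 27) & 1),
        r_bit=bool((word >> 26) & 1),
        m_bits=(word >> 24) & 0b11,
        frg=(word >> 22) & 0b11,
        length=(word >> 16) & 0x3F,
        seq=word & 0xFFFF,
    )


def remote_conditions(cw, mode):
    """Map a received control word to the remote alarms of Table 30.

    Returns {alarm name: effect on the local end}; mode is "satop" or "cesop".
    """
    if mode not in ("satop", "cesop"):
        raise ValueError("mode must be 'satop' or 'cesop'")
    found = {}
    if cw.l_bit:
        playout = "AIS" if mode == "satop" else "trunk conditioning pattern"
        found["Remote L-bit"] = f"payload ignored, {playout} played out locally"
    if cw.r_bit:
        found["Remote R-bit"] = "remote end is in LOSY state"
    # M is only defined for CESoP; L=0 with M=10 reports RAI at the remote TDM port.
    if mode == "cesop" and not cw.l_bit and cw.m_bits == 0b10:
        found["Remote M-bit"] = "RAI transmitted on the local attachment circuit"
    return found


def count_lost(seqs):
    """Count missing packets in an in-order capture, allowing 16-bit wrap-around."""
    return sum((cur - prev - 1) & 0xFFFF for prev, cur in zip(seqs, seqs[1:]))


# Constructed sample stream: (pseudo-wire type, control word bytes).
SAMPLES = [
    ("cesop", build_control_word(seq=100)),
    ("cesop", build_control_word(m_bits=0b10, seq=101)),
    ("cesop", build_control_word(l_bit=1, seq=104)),
    ("satop", build_control_word(r_bit=1, seq=105)),
]


def summarize(samples):
    """Return (sequence number, sorted alarm names) for every sample."""
    out = []
    for mode, raw in samples:
        cw = parse_control_word(raw)
        out.append((cw.seq, sorted(remote_conditions(cw, mode))))
    return out


if __name__ == "__main__":
    for seq, alarms in summarize(SAMPLES):
        print(seq, alarms or "no remote alarm")
    print("lost packets:", count_lost([s for s, _ in summarize(SAMPLES)]))
```
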
Management Information Base (MIB) Support
The following TDM pseudo-wire related MIBs are supported in ExtremeXOS:
● Read-only support for RFC5604—Managed objects for TDM over Packet Switched Networks (PSNs)
● Read-only support for RFC5601—PW MIB
● Read-only support for RFC2494—Definitions of managed objects for the DS0 and DS0 Bundle
Interface Type
● Read-only support for RFC4805—Definitions of managed objects for DS1, J1, E1, DS2 and E2
Interface Types
TDM PW Configuration Examples
Figure 29: TDM PW Configuration Example
Left E4G-200 switch: Ethernet Port: 1; L3 VLAN: vt1 (40.0.0.1); L2 VLAN: vt2; TDM Ports: 17, 18, 19, 23;
Loopback VLAN: 7.7.7.7; LSR-ID: 7.7.7.7; Switch Mac: 00:00:00:05:65:12
Right E4G-400 switch: Ethernet Port: 10; L3 VLAN: vt1 (50.0.0.3); L2 VLAN: vt2; TDM Ports: 40, 41, 43;
Loopback VLAN: 2.2.2.2; LSR-ID: 2.2.2.2; Switch Mac: 00:00:45:56:02:13
To configure TDM UDP SAToP pseudo-wire:
1 Create TDM Service circuit.
On the Left E4G-200 Switch:
create tdm service circuit "udp-satop-s1"
configure tdm service circuit "udp-satop-s1" add port 18
On the Right E4G-400 Switch:
create tdm service circuit "udp-satop-s1"
configure tdm service circuit "udp-satop-s1" add port 41
2 Create CES and add TDM Service Circuit.
On the left E4G-200 Switch:
create ces udp-ces1 psn udp
configure ces udp-ces1 add service udp-satop-s1
On the Right E4G-400 Switch:
create ces udp-ces1 psn udp
configure ces udp-ces1 add service udp-satop-s1
3 Configure the loopback vlan.
On the left E4G-200 Switch:
create vlan "lpbk"
enable loopback-mode vlan lpbk
configure vlan lpbk ipaddress 7.7.7.7 255.255.255.255
enable ipforwarding vlan lpbk
On the Right E4G-400 Switch:
create vlan "lpbk"
enable loopback-mode vlan lpbk
configure vlan lpbk ipaddress 2.2.2.2 255.255.255.255
enable ipforwarding vlan lpbk
4 Configure the L3 transport vlan to reach the PW peer.
On the left E4G-200 Switch:
create vlan "vt1"
configure vlan vt1 tag 30
configure vlan vt1 add ports 1 tagged
configure vlan vt1 ipaddress 40.0.0.1 255.255.255.0
enable ipforwarding vlan vt1
On the Right E4G-400 Switch:
create vlan "vt1"
configure vlan vt1 tag 20
configure vlan vt1 add ports 10 tagged
configure vlan vt1 ipaddress 50.0.0.3 255.255.255.0
enable ipforwarding vlan vt1
5 Add peer to the CES.
On the left E4G-200 Switch:
configure ces udp-ces1 add peer ipaddress 2.2.2.2 udp-port local 10000 remote 10000 vlan lpbk
On the Right E4G-400 Switch:
configure ces udp-ces1 add peer ipaddress 7.7.7.7 udp-port local 10000 remote 10000 vlan lpbk
To configure TDM UDP CESoP Pseudo-wire:
1 Configure TDM Port Framing mode.
On the left E4G-200 Switch,
configure ports 17 tdm framing mf
On the Right E4G-400 Switch,
configure ports 40 tdm framing mf
2 Create TDM Service Circuit.
On the left E4G-200 Switch,
create tdm service circuit "udp-cesop-s2"
configure tdm service circuit "udp-cesop-s2" add port 17 time-slots 2-4
On the Right E4G-400 Switch,
create tdm service circuit "udp-cesop-s2"
configure tdm service circuit "udp-cesop-s2" add port 40 time-slots 2-4
3 Configure the loopback vlan.
On the left E4G-200 Switch:
create vlan "lpbk"
enable loopback-mode vlan lpbk
configure vlan lpbk ipaddress 7.7.7.7 255.255.255.255
enable ipforwarding vlan lpbk
On the Right E4G-400 Switch:
create vlan "lpbk"
enable loopback-mode vlan lpbk
configure vlan lpbk ipaddress 2.2.2.2 255.255.255.255
enable ipforwarding vlan lpbk
4 Configure the L3 transport vlan to reach the PW peer.
On the left E4G-200 Switch:
create vlan "vt1"
configure vlan vt1 tag 30
configure vlan vt1 add ports 1 tagged
configure vlan vt1 ipaddress 40.0.0.1 255.255.255.0
enable ipforwarding vlan vt1
On the Right E4G-400 Switch:
create vlan "vt1"
configure vlan vt1 tag 20
configure vlan vt1 add ports 10 tagged
configure vlan vt1 ipaddress 50.0.0.3 255.255.255.0
enable ipforwarding vlan vt1
5 Create CES and add the TDM Service Circuit.
On the left E4G-200 Switch:
create ces udp-ces2 psn udp
configure ces udp-ces2 add service udp-cesop-s2
On the Right E4G-400 Switch:
create ces udp-ces2 psn udp
configure ces udp-ces2 add service udp-cesop-s2
6 Add Peer to the CES.
On the left E4G-200 Switch:
configure ces udp-ces2 add peer ipaddress 2.2.2.2 udp-port local 10001 remote 10001 vlan lpbk
On the Right E4G-400 Switch:
configure ces udp-ces2 add peer ipaddress 7.7.7.7 udp-port local 10001 remote 10001 vlan lpbk
NOTE
A single loopback vlan is sufficient when configuring multiple pseudo-wires to the same peer; each PW
is identified by the unique UDP port numbers configured. The recommended option is to use a loopback
vlan to specify the source IP address to be used in the TDM UDP PW. However, the user can also use a
normal vlan instead of a loopback vlan.
To configure TDM MEF-8 SAToP pseudo-wire:
1 Create TDM Service Circuit.
On the left E4G-200 Switch:
create tdm service circuit "mef8-satop-s3"
configure tdm service circuit "mef8-satop-s3" add port 19
On the right E4G-400 Switch:
create tdm service circuit "mef8-satop-s3"
configure tdm service circuit "mef8-satop-s3" add port 42
2 Create CES and add the TDM Service circuit.
On the left E4G-200 Switch:
create ces mef8-ces3 psn mef8
configure ces mef8-ces3 add service mef8-satop-s3
On the right E4G-400 Switch:
create ces mef8-ces3 psn mef8
configure ces mef8-ces3 add service mef8-satop-s3
3 Configure the L2 transport VLAN to reach the PW peer.
On the left E4G-200 Switch:
create vlan "vt2"
configure vlan vt2 tag 130
configure vlan vt2 add ports 1 tagged
On the Right E4G-400 Switch:
create vlan "vt2"
configure vlan vt2 tag 130
configure vlan vt2 add ports 10 tagged
4 Add peer to the CES.
On the left E4G-200 Switch:
configure ces mef8-ces3 add peer mac-address 00:00:45:56:02:13 ecid local 1001 remote 1001 vlan vt2
On the right E4G-400 Switch:
configure ces mef8-ces3 add peer mac-address 00:00:00:05:65:12 ecid local 1001 remote 1001 vlan vt2
To configure TDM MEF-8 CESoP PW:
1 Configure TDM Port framing mode.
On the left E4G-200 Switch:
configure ports 17 tdm framing mf
On the right E4G-400 Switch:
configure ports 40 tdm framing mf
2 Create TDM Service Circuit.
On the left E4G-200 Switch:
create tdm service circuit "mef8-cesop-s4"
configure tdm service circuit "mef8-cesop-s4" add port 17 time-slots 6-8
On the right E4G-400 Switch:
create tdm service circuit "mef8-cesop-s4"
configure tdm service circuit "mef8-cesop-s4" add port 40 time-slots 6-8
3 Create CES and add the TDM Service Circuit.
On the left E4G-200 Switch:
create ces mef8-ces4 psn mef8
configure ces mef8-ces4 add service mef8-cesop-s4
On the right E4G-400 Switch:
create ces mef8-ces4 psn mef8
configure ces mef8-ces4 add service mef8-cesop-s4
4 Configure the L2 transport VLAN to reach the PW peer.
On the left E4G-200 Switch:
create vlan "vt2"
configure vlan vt2 tag 130
configure vlan vt2 add ports 1 tagged
On the Right E4G-400 Switch:
create vlan "vt2"
configure vlan vt2 tag 130
configure vlan vt2 add ports 10 tagged
5 Add peer to the CES.
On the left E4G-200 Switch:
configure ces mef8-ces4 add peer mac-address 00:00:45:56:02:13 ecid local 1002 remote 1002 vlan vt2
On the right E4G-400 Switch:
configure ces mef8-ces4 add peer mac-address 00:00:00:05:65:12 ecid local 1002 remote 1002 vlan vt2
NOTE
IP address should not be configured on the transport vlan specified for TDM MEF-8 PW.
To configure MPLS TDM SAToP Pseudo-wire:
1 Configure the loopback vlan.
On the left E4G-200 Switch:
create vlan "lpbk"
enable loopback-mode vlan lpbk
configure vlan lpbk ipaddress 7.7.7.7 255.255.255.255
enable ipforwarding vlan lpbk
On the Right E4G-400 Switch:
create vlan "lpbk"
enable loopback-mode vlan lpbk
configure vlan lpbk ipaddress 2.2.2.2 255.255.255.255
enable ipforwarding vlan lpbk
2 Configure the L3 transport vlan to reach the PW peer.
On the left E4G-200 Switch:
create vlan "vt1"
configure vlan vt1 tag 30
configure vlan vt1 add ports 1 tagged
configure vlan vt1 ipaddress 40.0.0.1 255.255.255.0
enable ipforwarding vlan vt1
On the Right E4G-400 Switch:
create vlan "vt1"
configure vlan vt1 tag 20
configure vlan vt1 add ports 10 tagged
configure vlan vt1 ipaddress 50.0.0.3 255.255.255.0
enable ipforwarding vlan vt1
3 Configure OSPF.
On the left E4G-200 Switch:
configure ospf routerid 7.7.7.7
enable ospf
configure ospf add vlan lpbk area 0.0.0.0
configure ospf add vlan vt1 area 0.0.0.0
On the right E4G-400 Switch:
configure ospf routerid 2.2.2.2
enable ospf
configure ospf add vlan lpbk area 0.0.0.0
configure ospf add vlan vt1 area 0.0.0.0
4 Configure MPLS.
On the left E4G-200 Switch:
configure mpls add vlan "lpbk"
enable mpls vlan "lpbk"
enable mpls ldp vlan "lpbk"
configure mpls add vlan "vt1"
enable mpls vlan "vt1"
enable mpls ldp vlan "vt1"
configure mpls ldp advertise direct all
configure mpls lsr-id 7.7.7.7
enable mpls protocol ldp
enable mpls
On the right E4G-400 Switch:
configure mpls add vlan "lpbk"
enable mpls vlan "lpbk"
enable mpls ldp vlan "lpbk"
configure mpls add vlan "vt1"
enable mpls vlan "vt1"
enable mpls ldp vlan "vt1"
configure mpls lsr-id 2.2.2.2
enable mpls protocol ldp
enable mpls
5 Create TDM Service Circuit.
On the left E4G-200 Switch:
create tdm service circuit "mpls-satop-s6"
configure tdm service circuit "mpls-satop-s6" add port 23
On the right E4G-400 Switch:
create tdm service circuit "mpls-satop-s6"
configure tdm service circuit "mpls-satop-s6" add port 43
6 Create CES and add TDM Service Circuit.
On the left E4G-200 Switch:
create ces mpls-ces6 psn mpls
configure ces mpls-ces6 add service mpls-satop-s6
On the right E4G-400 Switch:
create ces mpls-ces6 psn mpls
configure ces mpls-ces6 add service mpls-satop-s6
7 Add peer to the CES.
On the left E4G-200 Switch,
configure ces mpls-ces6 add peer ipaddress 2.2.2.2 fec-id-type pseudo-wire 102
On the right E4G-400 Switch,
configure ces mpls-ces6 add peer ipaddress 7.7.7.7 fec-id-type pseudo-wire 102
To configure MPLS TDM CESoP Pseudo-wire:
1 Follow steps 1–3 of “To configure MPLS TDM SAToP Pseudo-wire:” above.
2 Configure TDM Port Framing Mode.
On the left E4G-200 Switch:
configure ports 17 tdm framing mf
On the right E4G-400 Switch:
configure ports 40 tdm framing mf
3 Create TDM Service Circuit.
On the left E4G-200 Switch:
create tdm service circuit "mpls-cesop-s5"
configure tdm service circuit "mpls-cesop-s5" add port 17 time-slots 18-23
On the right E4G-400 Switch:
create tdm service circuit "mpls-cesop-s5"
configure tdm service circuit "mpls-cesop-s5" add port 40 time-slots 18-23
4 Create CES and add TDM Service Circuit.
On the left E4G-200 Switch:
create ces mpls-ces5 psn mpls
configure ces mpls-ces5 add service mpls-cesop-s5
On the right E4G-400 Switch:
create ces mpls-ces5 psn mpls
configure ces mpls-ces5 add service mpls-cesop-s5
5 Add peer to the CES.
On the left E4G-200 Switch:
configure ces mpls-ces5 add peer ipaddress 2.2.2.2 fec-id-type pseudo-wire 101
On the right E4G-400 Switch:
configure ces mpls-ces5 add peer ipaddress 7.7.7.7 fec-id-type pseudo-wire 101
NOTE
You must configure a loopback vlan with MPLS lsr-id as its IP address.
Using the Precision Time Protocol
IEEE1588v2 (also known as Precision Time Protocol, PTP) is an industry-standard protocol that enables
the precise transfer of frequency and time to synchronize clocks over packet-based Ethernet networks.
The locally available clock on each network device synchronizes with a grandmaster clock by
exchanging timestamps that contain sub-nanosecond granularity. This allows the devices to deliver very
high accuracy to ensure the stability of base station frequency and handovers. The timestamps between
master and slave devices are exchanged through PTP event packets. The ExtremeXOS 1588v2
implementation uses the IPv4/UDP transport mechanism for PTP packets.
NOTE
The Precision Time Protocol is currently available only on the cell site routers (E4G-200 and E4G-400).
For these routers, accurate synchronization of base stations to nanoseconds accuracy is critical to minimize service
disruptions and eliminate dropped connections as calls move between adjacent cells.
This section provides the following Precision Time Protocol (PTP) topics:
● Overview of PTP
● Supported PTP Features
● Limitations of PTP
● Configuring and Displaying PTP Clocks and Data Sets
● PTP Configuration Example
Overview of PTP
The IEEE 1588v2 Precision Time Protocol (PTP) defines a packet-based time synchronization method
that provides frequency, phase, and time-of-day information with nanosecond-level accuracy. PTP
relies on the use of carefully time-stamped packets to synchronize one or more slave clocks to a master
clock. Synchronous time information is distributed hierarchically, with a grandmaster clock at the root
of the hierarchy.
The grandmaster provides the time reference for one or more slave devices. These slave devices can, in
turn, act as master devices for further hierarchical layers of slave devices.
To determine the master-slave hierarchy, a Best Master Clock (BMC) algorithm is used. This algorithm
determines which clock is the highest quality clock within a network. The clock elected by BMC (the
master clock) then synchronizes all other clocks (slave clocks) in the network. If the BMC is removed
from the network or is determined by the BMC algorithm to no longer be the highest quality clock, the
algorithm then redefines the new BMC and adjusts all other clocks accordingly. No administrator input
is needed for this readjustment because the algorithm provides a fault tolerant behavior.
Synchronizing time across a network requires two essential functions: the measurement of delays and
the distribution of time information. Each node is responsible for independently determining the delays
across the network links from it to its link partners. Once this is accomplished, periodic time
synchronization messages may be sent from the grandmaster clock device to the slave clock devices.
Link-based delays wander over time, so periodic delay measurements are required. Because these
delays vary slowly, the period between link delay measurements is typically in the order of seconds.
A PTP network must have a grandmaster clock reference and a slave. Between a master and a slave, a
PTP network may have multiple boundary clocks, transparent clocks, and non-PTP bridges.
Figure 30 illustrates a typical PTP network hierarchy.
Figure 30: PTP Network Hierarchy
(Diagram labels: GPS, PTP Grandmaster Clock, Boundary Clocks, Transparent Clocks, Non-PTP bridge,
Ordinary Clocks, Clock slave port.)
Ordinary clocks are devices with only one PTP port. The grandmaster clock is an ordinary clock acting
as a master.
NOTE
A PTP port is a logical interface (VLAN / IP interface). A loopback VLAN is added as a clock port to PTP
in ExtremeXOS.
Boundary clocks are switches with one or more PTP ports. One PTP port of a boundary clock can act as
a slave to a master clock in the network, and the rest of the PTP ports can act as a master for the
downstream nodes.
Transparent clocks correct the delays for PTP messages in the correction field.
End-to-end transparent clocks accumulate the residence time in the CorrectionField of the PTP
messages. End-to-end transparent clocks do not participate directly in time synchronization with the
master clock. The CorrectionField of Sync, Delay Request and Delay Response messages is updated by
the end-to-end transparent clocks at each hop. The Signaling and Management messages are not
updated by transparent clocks. In a typical setting, boundary and slave clocks are separated by one or
more end-to-end transparent clocks that accumulate the residence time in the CorrectionField.
The residence time is defined as the delay between the reception and the transmission of packets
through the device. The accumulated CorrectionField value is used by boundary or slave clocks for
delay compensation in the time offset correction.
Basic Synchronization
The following event flow describes basic synchronization of PTP:
1 The master sends a Sync message to the slave, notes the time (t1) it was sent, and embeds the t1 time
in the message.
2 The slave receives the Sync message, and notes the time it is received (t2).
3 The slave sends a DelayReq message to the master, and notes the time (t3) it was sent.
4 The master receives the DelayReq message, and notes the time it is received (t4).
5 The master embeds the t4 timestamp in a DelayResp message to the slave.
At the conclusion of this exchange of messages, the slave possesses all four timestamps. You can use
these timestamps to compute the offset of the slave’s clock with respect to the master, and the mean
propagation time of messages between the two clocks.
The computation of offset and propagation time assumes that the master-to-slave and slave-to-master
propagation times are equal. Any asymmetry in propagation time introduces an error in the computed
value of the clock offset.
End-to-End Transparent Clocks Between Master And Slave
PTP defines the notion of end-to-end transparent clocks, which do not participate in time
synchronization with the master clock. Rather, they simply accumulate the residence time of PTP event
messages such as Sync/DelayReq that transit the switch. The residence time is updated in the
CorrectionField of these messages.
The transit delays on the links between the hops are not accounted for in the CorrectionField by the
end-to-end transparent clocks.
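The computation the slave performs with the four timestamps, including the CorrectionField contribution of end-to-end transparent clocks, is worked through below as an added example (it is not ExtremeXOS code). The function names, link delays and residence times are constructed for illustration; the formulas are those of the IEEE 1588v2 delay request-response mechanism, where the CorrectionField carries nanoseconds multiplied by 2^16.

```python
SCALE = 1 << 16  # CorrectionField unit: nanoseconds * 2**16


def simulate_exchange(true_offset_ns, links_ms, links_sm, res_ms, res_sm,
                      tc_enabled=True, t1=1_000_000, turnaround_ns=50_000):
    """Produce the timestamps of one Sync / DelayReq / DelayResp round.

    true_offset_ns : slave clock minus master clock (what PTP must recover)
    links_ms/sm    : per-link propagation delays, master->slave / slave->master
    res_ms/sm      : residence time in each transparent clock, per direction
    tc_enabled     : whether the transit switches update the CorrectionField
    Returns (t1, t2, t3, t4, corr_sync, corr_resp).
    """
    # Sync leaves the master at t1 (master clock) and is stamped t2 on arrival
    # by the slave clock, which runs true_offset_ns ahead of the master.
    t2 = t1 + sum(links_ms) + sum(res_ms) + true_offset_ns
    # DelayReq leaves the slave at t3 (slave clock) ...
    t3 = t2 + turnaround_ns
    # ... and is stamped t4 by the master clock on arrival.
    t4 = (t3 - true_offset_ns) + sum(links_sm) + sum(res_sm)
    # Each transparent clock adds only its own residence time, never link delay.
    # The DelayReq correction is returned to the slave in the DelayResp.
    corr_sync = sum(res_ms) * SCALE if tc_enabled else 0
    corr_resp = sum(res_sm) * SCALE if tc_enabled else 0
    return t1, t2, t3, t4, corr_sync, corr_resp


def compute_offset(t1, t2, t3, t4, corr_sync=0, corr_resp=0):
    """Return (offset_from_master_ns, mean_path_delay_ns) as seen by the slave."""
    c_sync = corr_sync / SCALE
    c_resp = corr_resp / SCALE
    mean_path_delay = ((t2 - t1) + (t4 - t3) - c_sync - c_resp) / 2
    offset = (t2 - t1) - mean_path_delay - c_sync
    return offset, mean_path_delay


def offset_error(true_offset_ns, **path):
    """Difference between the computed and the true offset for a given path."""
    offset, _ = compute_offset(*simulate_exchange(true_offset_ns, **path))
    return offset - true_offset_ns


# Constructed scenario: two links and one transparent clock whose queueing
# delay differs per direction (2 us towards the slave, 9 us towards the master).
SYMMETRIC = dict(links_ms=[400, 600], links_sm=[400, 600],
                 res_ms=[2000], res_sm=[9000])
ASYMMETRIC_LINKS = dict(SYMMETRIC, links_sm=[400, 1000])

if __name__ == "__main__":
    print("TC correcting, equal links :", offset_error(1500, **SYMMETRIC))
    print("no TC correction           :",
          offset_error(1500, tc_enabled=False, **SYMMETRIC))
    print("TC correcting, unequal link:", offset_error(1500, **ASYMMETRIC_LINKS))
```

With the CorrectionField applied, the residence-time difference drops out and only link asymmetry remains, appearing as an offset error of half the difference between the two directions.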
Supported PTP Features
The following PTP features are supported in this release:
● Ordinary Clock (slave only)
● Boundary Clock
● End-to-End Transparent Clock
● IPv4 Unicast-UDP transport
● PTP protocol 1-step and 2-step mode with End-to-end delay mechanism.
● Unicast static slaves and masters.
Limitations of PTP
The following are the limitations of the current implementation of PTP:
● Layer 2 transport is not supported.
● IPv6-UDP transport is not supported.
● Multicast event messages are not supported.
● 1-step timestamp functionality is not supported on Fiber only 1G ports, 10G ports and stacking
ports.
● Peer-to-peer delay mechanism is not supported.
● PTP datasets are not maintained for end-to-end transparent clocks.
● Domain number cannot be assigned to end-to-end transparent clocks.
● Boundary clock does not support synchronizing clocks across multiple domains.
● Distributing clock frequency recovered from SyncE or from BITS or from a TDM port over PTP is not
supported.
● Ordinary clock master (Grandmaster) mode is not supported.
● Synchronizing system time with the time recovered from PTP event messages is not supported.
● Time of Day (ToD) output and inputs are not supported.
● Unicast message negotiation on clock ports is not supported.
● PTP cannot be used if network clock source is configured as BITS.
Configuring and Displaying PTP Clocks and Data Sets
PTP Transparent clock
A PTP Transparent clock updates the residence time of the PTP event packets that transit the switch.
The switch supports end-to-end delay mechanism and accounts for the residence time for Sync and
DelayReq packets in the switch.
To create or delete an End-to-End Transparent clock, use the following commands:
create network-clock ptp end-to-end-transparent
delete network-clock ptp end-to-end-transparent
To add PTP capable front-panel ports for End-to-End Transparent clock, use the following command:
configure network-clock ptp end-to-end-transparent [add | delete] ports <port_list> {one-step}
To display the End-to-End Transparent clock configuration use the following command:
show network-clock ptp end-to-end-transparent ports <port_list> {detail}
To enable/disable the End-to-End Transparent clock configuration on the front-panel ports, use the
following commands:
enable network-clock ptp end-to-end-transparent ports <port_list>
disable network-clock ptp end-to-end-transparent ports <port_list>
PTP Boundary/Ordinary Clocks
A PTP Boundary or Ordinary clock synchronizes to the master clock through the reception of the PTP
event packets. The Boundary and Ordinary clocks can be configured to operate on a single PTP domain.
To reconfigure clocks to a different domain, the existing configuration must be deleted.
To create or delete the Boundary or Ordinary clock, use the following commands:
create network-clock ptp [boundary | ordinary] {domain <domain_number>}
delete network-clock ptp [boundary | ordinary]
To enable or disable the Boundary or Ordinary clock, use the following commands:
enable network-clock ptp [boundary | ordinary]
disable network-clock ptp [boundary | ordinary]
NOTE
After you enable a boundary clock, you cannot create an ordinary clock. However, you can delete the
boundary clock instance and create a new one in order to change the domain number.
To create an ordinary clock instance in the switch that has the boundary clock instance enabled, delete
the boundary clock instance, save the configuration and reboot the switch. After the reboot, you can
create and enable the ordinary clock instance. Similarly, to create and enable a boundary clock in a
switch that has an ordinary clock enabled, delete the ordinary clock instance, save the configuration and
reboot the switch. After the reboot you can create and enable a boundary clock. The following message
is displayed when you create the boundary clock instance in a device with no prior clock instances:
Warning: The ordinary clock cannot be created after enabling the boundary clock. A
delete followed by save and reboot are required to create the ordinary clock.
After you enable a boundary clock instance, if you delete the instance and try to create an ordinary
clock instance, the above message is displayed as an error, and the ordinary clock instance is not
created.
To configure priority1 and priority2 values of the Boundary and Ordinary clock, use the following
commands:
configure network-clock ptp [boundary | ordinary] priority1 <priority>
configure network-clock ptp [boundary | ordinary] priority2 <priority>
To display the datasets such as Port, Time-properties and Parent of the Ordinary or Boundary clock, use
the following commands:
show network-clock ptp ordinary {parent | port | time-property}
show network-clock ptp boundary {parent | port | time-property}
PTP Boundary/Ordinary Clock Ports
The Boundary and Ordinary clocks operate in 1-step protocol mode. An Ordinary clock can have at
most one clock port in slave mode. A Boundary clock can have multiple clock ports in master or slave
modes. Multiple unicast master or slave entries can be added to the clock ports.
To add or remove a slave clock port to an Ordinary clock, use the following commands:
configure network-clock ptp ordinary add {vlan} <vlan_name> {one-step | two-step}
slave-only
configure network-clock ptp ordinary delete {vlan} <vlan_name>
To add or remove a clock port to the Boundary clock, use the following commands:
configure network-clock ptp boundary add {vlan} <vlan_name> {one-step | two-step}
{master-only | slave-only}
configure network-clock ptp boundary delete {vlan} <vlan_name>
To enable or disable a clock port in the Boundary or Ordinary clock, use the following commands:
enable network-clock ptp [boundary | ordinary] {{vlan} <vlan_name>}
disable network-clock ptp [boundary | ordinary] {{vlan} <vlan_name>}
To display the clock ports added to the Boundary or Ordinary clock, use the following commands:
show network-clock ptp ordinary [{vlan} <vlan_name> | vlan all]
show network-clock ptp boundary [{vlan} <vlan_name> | vlan all]
For Ordinary clocks, only unicast master entries can be added on the slave port. The query interval for
unicast announce messages from the slave port is specified in log base 2. To add or remove the unicast
master entries on a slave port of the Ordinary clock, use the following commands:
configure network-clock ptp ordinary add unicast-master <ipv4_address> {query-interval
<seconds_log_base_2>} {vlan} <vlan_name>
configure network-clock ptp ordinary delete unicast-master <ipv4_address> {vlan}
<vlan_name>
The unicast master entries can be added to the slave port of the Boundary clock. The Boundary clock
also supports addition of unicast master entries on the port of type 'master or slave'. To add or remove
unicast master entries on the port of the Boundary clock, use the following commands:
configure network-clock ptp boundary add unicast-master <ipv4_address> {query-interval
<seconds_log_base_2>} {vlan} <vlan_name>
configure network-clock ptp boundary delete unicast-master <ipv4_address> {vlan}
<vlan_name>
The unicast slave entries can be added to the master port of the Boundary clock. Additionally, these
entries can be added to the port of type 'master or slave'. The Ordinary clock does not support addition of
unicast slave entries. To add or remove unicast slave entries on the port of the Boundary clock, use the
following commands:
configure network-clock ptp boundary add unicast-slave <ipv4_address> {vlan}
<vlan_name>
configure network-clock ptp boundary delete unicast-slave <ipv4_address> {vlan}
<vlan_name>
To display the unicast-master entries added to the Boundary or Ordinary clock port, use the following
commands:
show network-clock ptp boundary unicast-master [{vlan} <vlan_name> | vlan all]
show network-clock ptp ordinary unicast-master [{vlan} <vlan_name> | vlan all]
To display the unicast-slave entries added to the Boundary clock port, use the following command:
show network-clock ptp boundary unicast-slave [{vlan} <vlan_name> | vlan all]
To display the PTP message counters for the peers added to Boundary or Ordinary clock port, use the
following commands:
show network-clock ptp boundary vlan [<vlan_name> {{<ipv4_address>} [unicast-master |
unicast-slave]} | all] counters
show network-clock ptp ordinary vlan [<vlan_name> {{<ipv4_address>} [unicast-master |
unicast-slave]} | all] counters
To clear the PTP message counters for the peers added to Boundary or Ordinary clock port, use the
following commands:
clear network-clock ptp boundary vlan [<vlan_name> {<ipv4_address> [unicast-master |
unicast-slave]} | all] counters
clear network-clock ptp ordinary vlan [<vlan_name> {<ipv4_address> [unicast-master |
unicast-slave]} | all] counters
The following properties can be configured on the clock ports added to the Boundary and Ordinary
clocks:
Sync message interval:
configure network-clock ptp [boundary | ordinary] sync-interval <seconds_log_base_2>
{vlan} <vlan_name>
DelayReq message interval:
configure network-clock ptp [boundary | ordinary] delay-request-interval
<seconds_log_base_2> {vlan} <vlan_name>
Announce message interval:
configure network-clock ptp [boundary | ordinary] announce interval
<seconds_log_base_2> {vlan} <vlan_name>
Announce message timeout period:
configure network-clock ptp [boundary | ordinary] announce timeout
<seconds_log_base_2> {vlan} <vlan_name>
PTP Clock Recovery State
The PTP clock recovery state (servo state) in the system can be displayed using the following command:
show network-clock ptp
The clock recovery using PTP event messages undergoes the following servo state changes:
● Warmup - The local reference clock is in warmup state. This state signifies that either clock recovery
is not configured to use the PTP event messages or no clock recovery messages from the master have
been received.
● FastLoop - The local reference clock is being corrected and the correction is converging.
● Bridge - The local reference clock correction has been interrupted due to changes in the clocking
information in the received PTP event messages or loss of PTP event messages.
● Holdover - Prolonged loss of PTP event messages puts the local reference clock correction to the
holdover state.
● Normal - The local reference clock correction has converged and the corrected clock is synchronous
to the master clock information received in the PTP event messages.
PTP Configuration Example
Figure 31 shows a sample configuration using the E4G-200/E4G-400 as a transparent clock, a boundary
clock, and ordinary clock slaves.
Figure 31: PTP 1588v2 Configuration Example
[Figure: a GPS-fed PTP Grandmaster Clock (192.168.10.1/24) connects to a Boundary Clock
(10.10.5.1/32, 10.10.5.2/32, 192.168.5.1/24), which connects through Transparent Clocks to
Ordinary Clock-1 (10.10.10.1/32, 192.168.5.10/24) and Ordinary Clock-2 (10.10.20.1/32, 192.168.5.20/24).]
The IP address of the grandmaster and the IP address of the clock ports in each of the boundary/
ordinary clocks are shown in the topology. The IP addresses that are not enclosed in the boxes are
assigned to the clock ports added to boundary/ordinary clocks. The transparent clock node can be
configured as L2 or L3. In the configuration example below, the transparent clock node is configured as
L2.
NOTE
The grandmaster clock should be reachable from the boundary clock and vice versa. Similarly, the ordinary
clocks should be reachable from the boundary clock and vice versa. The configuration example below does not
cover the provisioning methods used to achieve reachability between the switches; it is limited to PTP
1588v2 and its associated configuration.
End-to-End Transparent Clock Configuration
In this example, the transparent clock is configured as an L2 switch to transit the PTP event stream
between boundary and ordinary clocks.
create vlan ptp_tc
configure vlan ptp_tc tag 100
configure vlan ptp_tc add port 1,3,5 tagged
create network-clock ptp end-to-end-transparent
configure network-clock ptp end-to-end-transparent add ports 1,3,5 one-step
NOTE
The transparent clocks accumulate the residence times on 1-step event messages by timestamping
in the ingress PHYs and in the egress PHYs. For proper transparent clock operation, you must ensure in the
configuration that the PTP event stream ingresses and egresses through physical ports that are PTP capable.
Ordinary Clock Slave Configuration
The ordinary clock node is configured to synchronize with the boundary clock node. The master clock
port’s (loopback VLAN) IP address in the boundary clock node is added as “unicast-master” in the
ordinary clock node.
NOTE
For PTP event messages originating from ordinary clocks (such as DelayReq), the ingress timestamp for
updating the CorrectionField is done in the switch. So you must enable the End-to-End Transparent clock on all the
egress ports. Ensure that you do not include the non-PTP capable ports in the configuration of possible egress
ports through which the boundary is reachable.
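The residence-time correction described in the two notes above, worked through as an added example (not part of the Extreme Networks guide). It uses the IEEE 1588 delay request-response arithmetic and assumes a single switch hop with symmetric wire delay; all timing values are constructed, in nanoseconds.

```python
"""Effect of transparent-clock residence-time correction on a PTP slave.

Added illustration; every timing value is constructed, in nanoseconds.
"""
from dataclasses import dataclass


@dataclass
class Exchange:
    """Timestamps and correction fields from one Sync / Delay_Req exchange."""
    t1: int          # master sends Sync (master time)
    t2: int          # slave receives Sync (slave time)
    t3: int          # slave sends Delay_Req (slave time)
    t4: int          # master receives Delay_Req (master time)
    corr_sync: int   # correctionField carried by the 1-step Sync
    corr_req: int    # correctionField of Delay_Req, echoed in Delay_Resp


def simulate(true_offset, wire_delay, res_sync, res_req, tc_enabled,
             t1=1_000_000, turnaround=200_000):
    """Build the exchange a slave observes across one switch hop.

    res_sync / res_req are the times each message spends queued inside the
    switch. With tc_enabled the switch adds them to the correctionField, as
    an End-to-End Transparent clock port does; without it the fields stay 0.
    """
    # Sync: master -> slave. The slave clock reads true_offset ahead of master.
    t2 = t1 + wire_delay + res_sync + true_offset
    t3 = t2 + turnaround
    # Delay_Req: slave -> master. Convert the send time back to master time.
    t4 = (t3 - true_offset) + wire_delay + res_req
    return Exchange(t1, t2, t3, t4,
                    corr_sync=res_sync if tc_enabled else 0,
                    corr_req=res_req if tc_enabled else 0)


def mean_path_delay(x):
    """One-way delay estimate with switch residence time removed."""
    return ((x.t2 - x.t1 - x.corr_sync) + (x.t4 - x.t3 - x.corr_req)) // 2


def offset_from_master(x):
    """Slave clock error that the servo will try to steer to zero."""
    return (x.t2 - x.t1 - x.corr_sync) - mean_path_delay(x)


def compare(true_offset=1_250, wire_delay=500, res_sync=40_000, res_req=4_000):
    """Return the computed offset with and without transparent-clock support.

    The Sync message is queued behind other traffic for 40 us while the
    Delay_Req passes in 4 us, so the two directions are asymmetric.
    """
    with_tc = simulate(true_offset, wire_delay, res_sync, res_req, True)
    without_tc = simulate(true_offset, wire_delay, res_sync, res_req, False)
    return {
        "with_tc": offset_from_master(with_tc),
        "without_tc": offset_from_master(without_tc),
        "error_without_tc": offset_from_master(without_tc) - true_offset,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>18}: {value} ns")
```

When an egress port in the path is not PTP capable, the slave sees the uncorrected case: half of the queuing asymmetry appears as clock error.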
Ordinary Clock Slave Configuration (Node-1)
create vlan lpbk
configure vlan lpbk tag 10
configure vlan lpbk ipaddress 10.10.10.1/32
enable loopback-mode lpbk
enable ipforwarding lpbk
create vlan ptp_slave
configure vlan ptp_slave tag 100
configure vlan ptp_slave add port 2 tagged
configure vlan ptp_slave ipaddress 192.168.5.10/24
enable ipforwarding ptp_slave
create network-clock ptp end-to-end-transparent
configure network-clock ptp end-to-end-transparent add port 2 one-step
create network-clock ptp ordinary
enable network-clock ptp ordinary
configure network-clock ptp ordinary add vlan lpbk one-step slave-only
configure network-clock ptp ordinary add unicast-master 10.10.5.2 lpbk
Ordinary Clock Slave Configuration (Node-2)
create vlan lpbk
configure vlan lpbk tag 20
configure vlan lpbk ipaddress 10.10.20.1/32
enable loopback-mode lpbk
enable ipforwarding lpbk
create vlan ptp_slave
configure vlan ptp_slave tag 100
configure vlan ptp_slave add port 2 tagged
configure vlan ptp_slave ipaddress 192.168.5.20/24
enable ipforwarding ptp_slave
create network-clock ptp end-to-end-transparent
configure network-clock ptp end-to-end-transparent add port 2 one-step
create network-clock ptp ordinary
enable network-clock ptp ordinary
configure network-clock ptp ordinary add vlan lpbk one-step slave-only
configure network-clock ptp ordinary add unicast-master 10.10.5.2 lpbk
Boundary Clock Configuration
The boundary clock node is configured to synchronize with the grandmaster node. The grandmaster
clock’s IP address is added as “unicast-master” in the boundary clock node. The ptp_gm VLAN’s
configuration depends on the grandmaster for properties such as tag, or IP.
NOTE
For boundary clocks, the End-to-End Transparent clock configuration must be applied on the egress ports
through which the Grandmaster and the Ordinary clocks are reachable.
create vlan lpbk-gm
configure vlan lpbk-gm tag 51
configure vlan lpbk-gm ipaddress 10.10.5.1/32
enable loopback-mode lpbk-gm
enable ipforwarding lpbk-gm
create vlan lpbk-slaves
configure vlan lpbk-slaves tag 52
configure vlan lpbk-slaves ipaddress 10.10.5.2/32
enable loopback-mode lpbk-slaves
enable ipforwarding lpbk-slaves
create vlan ptp_gm
configure vlan ptp_gm tag 40
configure vlan ptp_gm add port 1 untagged
configure vlan ptp_gm ipaddress 192.168.10.5/24
enable ipforwarding ptp_gm
create vlan ptp_slaves
configure vlan ptp_slaves tag 100
configure vlan ptp_slaves add port 4 tagged
configure vlan ptp_slaves ipaddress 192.168.5.1/24
enable ipforwarding ptp_slaves
create network-clock ptp end-to-end-transparent
configure network-clock ptp end-to-end-transparent add port 1,4 one-step
create network-clock ptp boundary
enable network-clock ptp boundary
configure network-clock ptp boundary add vlan lpbk-gm one-step slave-only
configure network-clock ptp boundary add unicast-master 192.168.10.1 lpbk-gm
configure network-clock ptp boundary add vlan lpbk-slaves one-step master-only
configure network-clock ptp boundary add unicast-slave 10.10.10.1 lpbk-slaves
configure network-clock ptp boundary add unicast-slave 10.10.20.1 lpbk-slaves
DWDM Optics Support
BlackDiamond 8800 Series Switches and Summit X480 Switches
This feature allows you to configure a dense wavelength division multiplexing (DWDM) channel to a
DWDM capable tunable XFP module on a port. This provides the capability to multiplex 102x10G traffic
over a single fiber. The following is a diagram of a DWDM network.
Figure 32: Conceptual Diagram of a DWDM Network
[Figure: DWDM XFPs carrying 10G traffic on channels 1, 2, 7, and 8 feed a MUX/DEMUX switch at each
end of a single fiber carrying 40G traffic.]
The feature is supported on BlackDiamond 8800 switches with 10G8Xc, 10G4Xc, 10G4Xa or 8900-10G8Xxl modules and S-10G1Xc option cards and Summit X480 switches with VIM2-10G4X modules.
For DWDM, there is no standard channel numbering specified by MSA. Extreme Networks devices
support ITU standard channel numbers that range from 11 to 6150. The software can map these
appropriately to the vendor specific channels internally. For more information about the channel
number and wavelength mapping, see Extreme Networks Pluggable Interface Modules Installation Guide.
Limitations
This feature has the following limitations:
● Support exists only for Extreme Networks certified XFP modules.
● It may take 500-1000 ms to stabilize the channel once DWDM channel configuration is completed,
meaning that the port loses its data transmission capability for that time frame. Links are dropped
until the channel is stabilized. However, this is expected behavior when the physical medium is
changed.
● When a tunable dense wavelength division multiplexing (TDWDM) XFP module is inserted, the
software configures the default channel or the configured channel based on the existing
configuration, and the link is likely to be dropped during this process.
Configuring DWDM
To configure DWDM specific channels on the port(s), use the following command:
configure port <all | port-list> dwdm channel <channel-number>
To configure the DWDM default channel 21 on the port(s), use the following command:
configure port <all | port-list> dwdm channel none
Displaying DWDM
To display DWDM configuration, use the following commands:
show ports {mgmt | <port_list> | tag <tag>} configuration {no-refresh}
show ports {mgmt | <port_list> | tag <tag>} information {detail}
To display the channel scheme for mapping the DWDM wavelengths, use the following command:
show dwdm channel-map { <channel_first> { - <channel_last> } } {port <port_num>}
Jumbo Frames
Jumbo frames are Ethernet frames that are larger than 1522 bytes, including four bytes used for the cyclic
redundancy check (CRC). Extreme products support switching and routing of jumbo frames at wire-speed on all ports. The configuration for jumbo frames is saved across reboots of the switch.
Jumbo frames are used between endstations that support larger frame sizes for more efficient transfers
of bulk data. Both endstations involved in the transfer must be capable of supporting jumbo frames.
The switch only performs IP fragmentation, or participates in maximum transmission unit (MTU)
negotiation on behalf of devices that support jumbo frames.
Guidelines for Jumbo Frames
You need jumbo frames when running the Extreme Networks VMAN implementation. If you are
working on a BlackDiamond X8 series switch, BlackDiamond 8800 series switch, SummitStack, or a
Summit family switch, you can enable and disable jumbo frames on individual ports before configuring
VMANs. For more information on configuring VMANs, refer to Chapter 13, “VMAN (PBN) and PBBN.”
The following information applies to jumbo frames on a SummitStack:
● Jumbo frame support is always enabled and available on Summit family switches that are operating
in a SummitStack.
Refer to “Displaying Port Information” for information on displaying jumbo frame status.
Enabling Jumbo Frames per Port
You can enable jumbo frames per port on the following switches:
● BlackDiamond X8 series switches
● BlackDiamond 8000 c-, e-, xl-, and xm-series modules
● Summit family switches
● E4G-200 and E4G-400
When you configure VMANs on BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack,
and the Summit family switches, you can enable or disable jumbo frames for individual ports before
configuring the VMANs.
Enabling Jumbo Frames
NOTE
Some network interface cards (NICs) have a configured maximum MTU size that does not include the
additional 4 bytes of CRC. Ensure that the NIC maximum MTU size is at or below the maximum MTU size
configured on the switch. Frames that are larger than the MTU size configured on the switch are dropped at the
ingress port.
To enable jumbo frame support, enable jumbo frames on the desired ports. To set the maximum jumbo
frame size, use the following command:
configure jumbo-frame-size <framesize>
The jumbo frame size range is 1523 to 9216. This value describes the maximum size of the frame in
transit (on the wire), and includes 4 bytes of CRC plus another 4 bytes if 802.1Q tagging is being used.
Set the MTU size for the VLAN by using the following command:
configure ip-mtu <mtu> vlan <vlan_name>
Next, enable support on the physical ports that will carry jumbo frames using the following command:
enable jumbo-frame ports [all | <port_list>]
Path MTU Discovery
BlackDiamond X8 series switches, BlackDiamond 8000 a-, c-, e-, xl-, and xm-series modules, E4G-200
and E4G-400 cell site routers, and Summit X250e, X440, X450a, X450e, X460, X480, X650, and X670 series
switches, whether or not included in a SummitStack, support path MTU discovery.
Using path MTU discovery, a source host assumes that the path MTU is the MTU of the first hop
(which is known). The host sends all datagrams on that path with the “don’t fragment” (DF) bit set
which restricts fragmentation. If any of the datagrams must be fragmented by an Extreme switch along
the path, the Extreme switch discards the datagrams and returns an ICMP Destination Unreachable
message to the sending host, with a code meaning “fragmentation needed and DF set”. When the
source host receives the message (sometimes called a “Datagram Too Big” message), the source host
reduces its assumed path MTU and retransmits the datagrams.
The path MTU discovery process ends when one of the following is true:
● The source host sets the path MTU low enough that its datagrams can be delivered without
fragmentation.
● The source host does not set the DF bit in the datagram headers.
If it is willing to have datagrams fragmented, a source host can choose not to set the DF bit in datagram
headers. Normally, the host continues to set DF in all datagrams, so that if the route changes and the
new path MTU is lower, the host can perform path MTU discovery again.
IP Fragmentation with Jumbo Frames
The BlackDiamond X8 series switches, BlackDiamond 8000 a-, c-, e-, xl-, and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X250e, X440, X450a, X450e, X460, X480, X650, and X670
series switches support fragmentation of IP packets. The above support is included whether or not the
switches are present in a SummitStack.
ExtremeXOS supports the fragmenting of IP packets. If an IP packet originates in a local network that
allows large packets and those packets traverse a network that limits packets to a smaller size, the
packets are fragmented instead of discarded.
This feature is designed to be used in conjunction with jumbo frames. Frames that are fragmented are
not processed at wire-speed within the switch fabric.
NOTE
Jumbo frame-to-jumbo frame fragmentation is not supported. Only jumbo frame-to-normal frame
fragmentation is supported.
To configure VLANs for IP fragmentation:
1 Enable jumbo frames on the incoming port.
2 Add the port to a VLAN.
3 Assign an IP address to the VLAN.
4 Enable ipforwarding on the VLAN.
5 Set the MTU size for the VLAN, using the following command:
configure ip-mtu <mtu> vlan <vlan_name>
The ip-mtu value ranges between 1500 and 9194, with 1500 the default.
NOTE
To set the MTU size greater than 1500, all ports in the VLAN must have jumbo frames enabled.
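The per-hop decision described under Path MTU Discovery and IP Fragmentation with Jumbo Frames, as an added example (not code from the guide): a hop forwards, fragments, or answers with ICMP depending on the DF bit, and a source host converges on the path MTU. The addresses, sizes and hop MTUs are constructed, and reporting the next-hop MTU in the ICMP message is an assumption taken from RFC 1191.

```python
"""Added illustration: one hop handling an oversized IPv4 datagram, and a
source host converging on the path MTU. All values are constructed samples."""
import struct

IP_HDR_LEN = 20                       # IPv4 header without options
DF, MF = 0x4000, 0x2000               # bits in the flags/fragment-offset field
ICMP_UNREACHABLE, FRAG_NEEDED = 3, 4  # "fragmentation needed and DF set"
HDR_FMT = "!BBHHHBBH4s4s"


def checksum(hdr):
    """Internet checksum over a 20-byte header (0 when verifying a valid one)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header(total_len, ident, flags_offset, ttl, proto, src, dst):
    raw = struct.pack(HDR_FMT, 0x45, 0, total_len, ident, flags_offset,
                      ttl, proto, 0, src, dst)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]


def build_datagram(total_len, df, ident=0x1234):
    """Constructed datagram (protocol 17) with a zero-filled payload."""
    src, dst = bytes([192, 168, 5, 10]), bytes([192, 168, 10, 1])
    hdr = header(total_len, ident, DF if df else 0, 64, 17, src, dst)
    return hdr + bytes(total_len - IP_HDR_LEN)


def parse(datagram):
    f = struct.unpack(HDR_FMT, datagram[:IP_HDR_LEN])
    return {"total_len": f[2], "ident": f[3], "flags_offset": f[4],
            "ttl": f[5], "proto": f[6], "src": f[8], "dst": f[9]}


def forward(datagram, egress_mtu):
    """Return ("forward" | "fragment", datagrams) or ("icmp", message)."""
    h = parse(datagram)
    if h["total_len"] <= egress_mtu:
        return "forward", [datagram]
    if h["flags_offset"] & DF:
        # Discard and tell the sender; third field is the assumed next-hop MTU.
        return "icmp", (ICMP_UNREACHABLE, FRAG_NEEDED, egress_mtu)
    chunk = (egress_mtu - IP_HDR_LEN) & ~7   # offsets count 8-byte units
    if chunk <= 0:
        raise ValueError("egress MTU too small to carry a fragment")
    payload = datagram[IP_HDR_LEN:h["total_len"]]
    base = h["flags_offset"] & 0x1FFF
    had_mf = bool(h["flags_offset"] & MF)
    fragments = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        last = start + chunk >= len(payload)
        flags = 0 if (last and not had_mf) else MF
        hdr = header(IP_HDR_LEN + len(piece), h["ident"],
                     flags | (base + start // 8),
                     h["ttl"], h["proto"], h["src"], h["dst"])
        fragments.append(hdr + piece)
    return "fragment", fragments


def discover_path_mtu(first_hop_mtu, hop_mtus):
    """Source-host loop: send with DF set, shrink on each ICMP reply."""
    pmtu, probes = first_hop_mtu, []
    while True:
        probes.append(pmtu)
        datagram = build_datagram(pmtu, df=True)
        for mtu in hop_mtus:
            verdict, detail = forward(datagram, mtu)
            if verdict == "icmp":
                pmtu = detail[2]
                break
        else:
            return pmtu, probes      # delivered without fragmentation


if __name__ == "__main__":
    print(discover_path_mtu(9194, [9194, 4000, 1500]))
    verdict, frags = forward(build_datagram(9194, df=False), 1500)
    print(verdict, [parse(f)["total_len"] for f in frags])
```

If the ICMP reply is filtered somewhere on the return path, the loop in `discover_path_mtu` never learns the smaller MTU and DF-marked jumbo traffic is silently dropped, which is worth checking when jumbo frames are enabled on only part of a path.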
IP Fragmentation within a VLAN
ExtremeXOS supports IP fragmentation within a VLAN. This feature does not require you to configure
the MTU size. To use IP fragmentation within a VLAN:
1 Enable jumbo frames on the incoming port.
2 Add the port to a VLAN.
3 Assign an IP address to the VLAN.
4 Enable ipforwarding on the VLAN.
If you leave the MTU size configured to the default value, when you enable jumbo frame support on a
port on the VLAN you will receive a warning that the ip-mtu size for the VLAN is not set at maximum
jumbo frame size. You can ignore this warning if you want IP fragmentation only within the VLAN.
However, if you do not use jumbo frames, IP fragmentation can be used only for traffic that stays
within the same VLAN. For traffic that is sent to other VLANs, to use IP fragmentation, all ports in the
VLAN must be configured for jumbo frame support.
NOTE
IP fragmentation within a VLAN does not apply to Summit X250e, X440, X450a, X450e, X460, X480,
X650, and X670 series switches (whether or not included in a SummitStack), and BlackDiamond 8000 c-, e-, xl-,
and xm-series, and BlackDiamond X8 modules. The platforms that currently support fragmentation do so only for
layer-3 forwarding.
Link Aggregation on the Switch
The link aggregation (also known as load sharing) feature allows you to increase bandwidth and
availability by using a group of ports to carry traffic in parallel between switches. Load sharing, link
aggregation, and trunking are terms that have been used interchangeably in Extreme Networks
documentation to refer to the same feature, which allows multiple physical ports to be aggregated into
one logical port, or link aggregation group (LAG). Refer to IEEE 802.3ad for more information on this
feature. The advantages to link aggregation include an increase in bandwidth and link redundancy.
This section describes the following topics:
● Link Aggregation Overview
● Link Aggregation and Software-Controlled Redundant Ports
● Dynamic Versus Static Load Sharing
● Load-Sharing Algorithms
● LACP
● Health Check Link Aggregation
● Guidelines for Load Sharing
● Configuring Switch Load Sharing
● Load-Sharing Examples
● Displaying Switch Load Sharing
Link Aggregation Overview
NOTE
All ports in a LAG must be running at the same speed and duplex setting. Each port can belong to only
one LAG.
Load sharing allows the switch to use multiple ports as a single logical port, or LAG. For example,
VLANs see the LAG as a single logical port. And, although you can only reference the master port of a
LAG to a Spanning Tree Domain (STPD), all the ports of the LAG actually belong to the specified STPD.
Most load-sharing algorithms guarantee packet sequencing between clients.
Link aggregation, or load sharing, is disabled by default.
If a port in a load-sharing group (or LAG) fails, traffic is redistributed to the remaining ports in the
LAG. If the failed port becomes active again, traffic is redistributed to include that port.
NOTE
Load sharing must be enabled on both ends of the link, or a network loop may result.
Link aggregation is most useful when:
● The egress bandwidth of traffic exceeds the capacity of a single link.
● Multiple links are used for network resiliency.
In both situations, the aggregation of separate physical links into a single logical link multiplies total
link bandwidth in addition to providing resiliency against individual link failures.
In modular switches, ExtremeXOS supports LAGs across multiple modules, so resiliency is also
provided against individual module failures.
The software supports control protocols across the LAGs, both static and dynamic. If you add the
protocols (for example, EAPS, ESRP, and so forth) to the port and then create a LAG on that port, you
may experience a slight interruption in the protocol operation. To seamlessly add or delete bandwidth
when running control protocols, Extreme Networks recommends that you create a LAG consisting of
only one port. Then add your protocols to that port and add other ports as needed.
VMAN ports can belong to LAGs. You must enable jumbo frames on BlackDiamond 8800 series
switches, SummitStack, and Summit family switches. Also, VMAN is automatically enabled on all ports
of an untagged LAG.
NOTE
You can use VMAN ACLs to configure load sharing on a VMAN. See Chapter 18, “ACLs,” for complete
information on VMAN ACLs.
You can run the Link Layer Discovery Protocol (LLDP) on ports in a LAG.
Link Aggregation and Software-Controlled Redundant Ports
Summit Family Switches Only.
If you are configuring software-controlled redundant ports and link aggregation together, the following
rules apply:
● You must unconfigure the software-controlled redundant ports before either configuring or
unconfiguring load sharing.
● The entire LAG must go down before the software-controlled redundant port takes effect.
Dynamic Versus Static Load Sharing
ExtremeXOS software supports two broad categories of load sharing, or link aggregation:
● Dynamic load sharing—Dynamic load sharing includes the Link Aggregation Control Protocol
(LACP) and Health Check Link Aggregation. The Link Aggregation Control Protocol is used to
dynamically determine if link aggregation is possible and then to automatically configure the
aggregation. LACP is part of the IEEE 802.3ad standard and allows the switch to dynamically
reconfigure the link aggregation groups (LAGs). The LAG is enabled only when LACP detects that
the remote device is also using LACP and is able to join the LAG. Health Check Link Aggregation is
used to create a link aggregation group that monitors a particular TCP/IP address and TCP port.
● Static load sharing—Static load sharing is a grouping of ports specifically configured to load share.
The switch ports at each end must be specifically configured as part of a load-sharing group.
NOTE
The platform-related load-sharing algorithms apply to LACP (as well as static load sharing).
Load-Sharing Algorithms
Load-sharing, or link aggregation, algorithms select an egress link for each packet forwarded to an egress
LAG. The ExtremeXOS software supports the following types of load sharing algorithms:
● Port based—The egress link is chosen based on the ingress port number.
● Address based—The egress link is chosen based on egress packet contents.
The ExtremeXOS software provides multiple address-based algorithms. For some types of traffic, the
algorithm is fixed and cannot be changed. For other types of traffic, you can configure an algorithm.
Algorithm selection is not intended for use in predictive traffic engineering.
The following sections describe the algorithm choices for different platforms:
● Link Aggregation Algorithms—Summit X150, X250e, X350, X450a, and X450e Series Switches
● Link Aggregation Algorithms—BlackDiamond X8, BlackDiamond 8500 and 8800 Series Modules and
SummitStack
● Link Aggregation Algorithms—BlackDiamond X8 Series Switches, BlackDiamond 8900 Series
Modules, SummitStack, and Summit X440, X460, X480, X650, and X670 Series Switches
NOTE
Always reference the master logical port of the load-sharing group when configuring or viewing VLANs.
VLANs configured to use other ports in the LAG will have those ports deleted from the VLAN when link aggregation
is enabled.
Link Aggregation Algorithms—Summit X150, X250e, X350, X450a, and X450e
Series Switches
Summit X150, X250e, X350, X450a, and X450e series switches and SummitStack support address-based
load sharing. (These platforms do not support port-based load sharing.) The following are the types of
traffic to which address-based algorithms apply and the traffic components used to select egress
links:
● Layer 2 frames and non-IP traffic—The source and destination MAC addresses.
● IPv4 and IPv6 packets—When a Summit X650 switch is not present in a SummitStack, load sharing
is based on the configured options supported on each platform:
  - L2 algorithm—Layer 2 source and destination MAC addresses. Available on SummitStack and all
  Summit family switches.
  - L3_L4 algorithm—Layer 3 and Layer 4, the combined source and destination IP addresses and
  source and destination TCP and UDP port numbers. Available on SummitStack and Summit
  X250e, X450a, X450e, and X650 series switches.
● IPv4 and IPv6 packets—When Summit X650 switches are installed in a SummitStack, load sharing
on all other switch types is based on the switch type:
  - All SummitStack compatible Summit family switches: Layer 3 and Layer 4, the combined source
  and destination IP addresses and source and destination TCP and UDP port numbers.
● Broadcast, multicast, and unknown unicast packets (not configurable)—Depends on traffic type:
  - IPv4 and IPv6 packets—The source and destination IP addresses.
  - Non-IP traffic—The source and destination MAC addresses.
You control the field examined by the switch for address-based load sharing when the load-sharing
group is created by using the following command:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 | L3_L4
| custom}]} {lacp | health-check}
NOTE
The L3 and custom keywords are not supported on Summit X150, X250e, X350, X450a, and X450e
series switches. The L3_L4 keyword is not supported on Summit X150 and X350 series switches.
Link Aggregation Algorithms—BlackDiamond X8, BlackDiamond 8500 and 8800
Series Modules and SummitStack
BlackDiamond X8 series switches, BlackDiamond 8500 and 8800 series modules and SummitStack
support address-based load sharing. (These platforms do not support port-based load sharing.)
BlackDiamond 8000 a-, c-, and e-series modules distribute packets across all members of a LAG.
The following are the types of traffic to which address-based algorithms apply and the traffic
components used to select egress links:
● IPv4 and IPv6 packets—When no BlackDiamond 8900 series modules or Summit X650 switches are
installed in a modular switch or SummitStack, load sharing is based on the configured options
supported on each platform:
  - L2 algorithm—Layer 2 source and destination MAC addresses. Available on BlackDiamond 8800
  series switches, SummitStack, and all Summit family switches.
  - L3 algorithm—Layer 3 source and destination IP addresses. Available on BlackDiamond 8800
  series switches and SummitStack.
  - L3_L4 algorithm—Layer 3 and Layer 4, the combined source and destination IP addresses and
  source and destination TCP and UDP port numbers. Available on BlackDiamond 8000 a-, c-, and
  e-series modules and BlackDiamond 8500 series modules.
● IPv4 and IPv6 packets—When BlackDiamond 8900 series modules are installed in a BlackDiamond
8800 series switch or when Summit X650 switches are installed in a SummitStack, load sharing on all
other module or switch types is based on the combined source and destination IP addresses and
source and destination TCP and UDP port numbers.
● Non-IP traffic—The source and destination MAC addresses.
You control the field examined by the switch for address-based load sharing when the load-sharing
group is created by using the following command:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 | L3_L4
| custom}]} {lacp | health-check}
Link Aggregation Algorithms—BlackDiamond X8 Series Switches, BlackDiamond
8900 Series Modules, SummitStack, and Summit X440, X460, X480, X650, and
X670 Series Switches
BlackDiamond X8 series switches, BlackDiamond 8900 series modules, SummitStack, and Summit X440,
X460, X480, X650, and X670 series switches support address-based load sharing. (These platforms do not
support port-based load sharing.) These platforms support two types of algorithms:
● Standard algorithms, which are supported by other switch platforms too.
● Custom algorithms, which use newer switch hardware to offer additional options, including the
  ability to evaluate IP address information from the inner header of an IP-in-IP or GRE tunnel packet.
Standard Algorithms. The following are the types of traffic to which standard address-based
algorithms apply and the traffic components used to select egress links:
● Layer 2 frames and non-IP traffic—The source and destination MAC addresses.
● IPv4 and IPv6 packets—Load sharing is based on the configured options supported on each
  platform:
  - L2 algorithm—Layer 2 source and destination MAC addresses.
  - L3 algorithm—Layer 3 source and destination IP addresses.
  - L3_L4 algorithm—Layer 3 and Layer 4, the combined source and destination IP addresses and
    source and destination TCP and UDP port numbers.
● MPLS packets—The source and destination MAC addresses.
Custom Algorithms. The following are the types of traffic to which custom address-based
algorithms apply and the traffic components used to select egress links:
● Non-IP Layer 2—Uses the VLAN ID, the source and destination MAC addresses, and the ethertype.
● IPv4 packets—Uses IP address information from an IP header. For tunneled packets, the custom
  algorithm always uses the inner header of an IP-in-IP or GRE tunnel packet. The configuration
  options are:
  - The source and destination IPv4 addresses and Layer 4 port numbers (default)
  - The source IP address only
  - The destination IP address only
  - The source and destination IP addresses
● IPv6 packets—Uses the source and destination IPv6 addresses and Layer 4 port numbers.
● MPLS packets—Uses the top, second, and reserved labels and the source and destination IP
  addresses.
The following command allows you to enable load sharing and select either a standard algorithm or
specify that you want to use a custom algorithm:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 | L3_L4
| custom}]} {lacp | health-check}
If you choose the custom option when you enable load sharing, you can use the following command to
select a custom load sharing algorithm:
configure sharing address-based custom [ipv4 [L3-and-L4 | source-only | destination-only | source-and-destination] | hash-algorithm [xor | crc-16]]
The hash-algorithm option controls how the source information (such as an IP address) is used to
select the egress port. The xor hash algorithm guarantees that the same egress port is selected for traffic
distribution based on a pair of IP addresses, Layer 4 ports, or both, regardless of which is the source
and which is the destination.
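The direction-independence described above matters whenever both directions of a session must cross the same LAG member, for example when each member leads to a separate inspection device. The following Python model is an added example, not ExtremeXOS code: it compares an XOR-style hash with a CRC-16 computed over the fields in packet order and lists the flows whose two directions leave on different members. The guide does not specify the hardware hash, so the 16-bit fold, the CCITT polynomial, the field order, the modulo selection, and the sample flows are all assumptions made for illustration.

```python
import ipaddress

CRC16_POLY = 0x1021  # assumption: CCITT polynomial; the guide does not name one


def crc16(data, crc=0xFFFF):
    """Bitwise, MSB-first CRC-16 over a byte string."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ CRC16_POLY if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def _fields(flow):
    src, dst, sport, dport = flow
    return (int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            sport, dport)


def xor_hash(flow):
    """XOR the two addresses and the two ports, folded to 16 bits.

    XOR is commutative, so swapping source and destination gives the same value.
    """
    s, d, sp, dp = _fields(flow)
    addr = s ^ d
    return (addr >> 16) ^ (addr & 0xFFFF) ^ sp ^ dp


def crc16_hash(flow):
    """CRC-16 over the fields in packet order: src, dst, sport, dport.

    The result depends on field order, so the reverse direction hashes differently.
    """
    s, d, sp, dp = _fields(flow)
    packed = (s.to_bytes(4, "big") + d.to_bytes(4, "big")
              + sp.to_bytes(2, "big") + dp.to_bytes(2, "big"))
    return crc16(packed)


HASHES = {"xor": xor_hash, "crc-16": crc16_hash}


def egress_port(lag_ports, flow, algorithm):
    """Pick the LAG member for a flow: hash value modulo the member count."""
    return lag_ports[HASHES[algorithm](flow) % len(lag_ports)]


def reverse(flow):
    src, dst, sport, dport = flow
    return (dst, src, dport, sport)


def split_flows(lag_ports, flows, algorithm):
    """Return the flows whose two directions leave on different LAG members."""
    return [f for f in flows
            if egress_port(lag_ports, f, algorithm)
            != egress_port(lag_ports, reverse(f), algorithm)]


# Constructed sample data: a four-port LAG and four flows.
LAG_PORTS = ["1:1", "1:2", "1:3", "1:4"]
FLOWS = [
    ("10.0.0.2", "10.0.0.3", 500, 500),
    ("192.168.1.10", "192.168.1.101", 49152, 8080),
    ("192.168.1.11", "192.168.1.102", 49153, 443),
    ("172.16.5.9", "10.20.30.40", 53124, 22),
]

if __name__ == "__main__":
    for algorithm in HASHES:
        print(algorithm, "split flows:", split_flows(LAG_PORTS, FLOWS, algorithm))
```

In this model the XOR hash never splits a flow, while the order-sensitive CRC-16 sends the two directions of the first sample flow to different members.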
NOTE
Use of the ACL redirect-port-no-sharing <port> action overrides any load-sharing algorithm
hash that is generated based on the lookup results. For more information on this action, see “LAG Port Selection”
on page 710 in the ACL chapter.
LACP
NOTE
LACP fails over hitlessly in the event of a failover to a duplicate MSM/MM in a modular switch.
You can run the Link Aggregation Control Protocol (LACP) on Extreme Networks devices. LACP
enables dynamic load sharing and hot standby for link aggregation links, in accordance with the IEEE
802.3ad standard. All third-party devices supporting LACP run with Extreme Networks devices.
The addition of LACP provides the following enhancements to static load sharing, or link aggregation:
● Automatic configuration
● Rapid configuration and reconfiguration
● Deterministic behavior
● Low risk of duplication or misordering
After you enable load-sharing, the LACP protocol is enabled by default. You configure dynamic link
aggregation by first assigning a primary, or logical, port to the group, or LAG and then specifying the
other ports you want in the LAG.
LACP, using an automatically generated key, determines which links can aggregate. Each link can
belong to only one LAG. LACP determines which links are available. The communicating systems
negotiate priority for controlling the actions of the entire trunk (LAG), using LACP, based on the lowest
system MAC number. You can override this automatic prioritization by configuring the system priority
for each LAG.
After you enable and configure LACP, the system sends PDUs (LACPDUs) on the LAG ports. The
LACPDUs inform the remote system of the identity of the sending system, the automatically generated
key of the link, and the desired aggregation capabilities of the link. If a key from a particular system on
a given link matches a key from that system on another link, those links are aggregatable. After the
remote system exchanges LACPDUs with the LAG, the system determines the status of the ports and
on which ports to send traffic.
Among those ports deemed aggregatable by LACP, the system uses those ports with the lowest port
number as active ports; the remaining ports aggregatable to that LAG are put into standby status.
Should an active link fail, the standby ports become active, also according to the lowest port number.
(See “Configuring LACP” on page 295 for the number of active and standby LACP links supported per
platform.)
All ports configured in a LAG begin in an unselected state. Based on the LACPDUs exchanged with the
remote link, those ports that have a matching key are moved into a selected state. If there is no matching
key, the ports in the LAG remain in the unselected state.
However, if more ports in the LAG are selected than the aggregator can handle because of the system
hardware, those ports that fall out of the hardware’s capability are moved into standby state. The lowest
numbered ports are the first to be automatically added to the aggregator; the rest go to standby. As the
name implies, these ports are available to join the aggregator if one of the selected ports should go
offline.
You can configure the port priority to control the order in which ports join the aggregator. However, a port
must first be added to the LAG before you can configure its LACP settings. Again, if more than one
port is configured with the same priority, the lowest-numbered port joins the aggregator first.
After the ports in the LAG move into the selected state, LACP uses the mux portion of the protocol to
determine which ports join the aggregator and can collect and distribute traffic. A few seconds after a
port is selected, it moves into the mux state of waiting, and then into the mux state of attached. The
attached ports then send their own LACP sync messages announcing that they are ready to receive
traffic.
The protocol keeps sending and receiving LACPDUs until both sides of the link have echoed back each
other’s information; the ends of the link are then considered synchronized. After the sync messages
match up on each end, that port is moved into the aggregator (into the mux state of collecting-distributing) and is able to collect and distribute traffic.
The protocol then enables the aggregated link for traffic and monitors the status of the links for changes
that may require reconfiguration. For example, if one of the links in a LAG goes down and there are
standby links in that LAG, LACP automatically moves the standby port into selected mode and that
port begins collecting and distributing traffic.
The marker protocol portion of LACP ensures that all traffic on a link has been received in the order in
which it was sent and is used when links must be dynamically moved between aggregation groups. The
Extreme Networks LACP implementation responds to marker frames but does not initiate these frames.
NOTE
Always verify the LACP configuration by issuing the show ports sharing command; look for the ports
specified as being in the aggregator. You can also display the aggregator count by issuing the show lacp lag
command.
You can configure additional parameters for the LACP protocol and the system sends certain SNMP
traps in conjunction with LACP. The system sends a trap when a member port is added to or deleted
from an aggregator.
The system now detects and blocks loopbacks; that is, the system does not allow a pair of ports that are
in the same LAG but are connected to one another by the same link to select the same aggregator. If a
loopback condition exists between two ports, they cannot aggregate. Ports with the same MAC address
and the same admin key cannot aggregate; ports with the same MAC address and a different admin key
can belong to the same LAG.
The system sends an error message if a LAG port is configured and up but still not attached to the
aggregator or in operation within 60 seconds. Use the show lacp member-port <port> detail
command to display the churn on both sides of the link. If the Churn value is shown as True in the
display, check your LACP configuration. The issue may be either on your end or on the partner link,
but you should check your configuration. The display shows as True until the aggregator forms, when it
changes to display as False.
A LAG port moves to expired and then to the defaulted state when it fails to receive an LACPDU from
its partner for a specified time. You can configure this timeout value as long, which is 90 seconds, or
short, which is 3 seconds; the default is long. (In ExtremeXOS 11.3, the timeout value is not configurable
and is set as long, or 90 seconds.) Use the show lacp lag <group-id> detail command to display
the timeout value for the LAG.
There are two LACP activity modes: active and passive. In LACP active mode, the switch periodically
sends LACPDUs; in passive mode, the switch sends LACPDUs only when it receives one from the other
end of the link. The default is active mode. (In ExtremeXOS 11.3, the mode is not configurable; it is
always active mode.) Use the show lacp lag <group-id> detail command to display the LACP
mode for the LAG.
NOTE
One side of the link must be in active mode in order to pass traffic. If you configure your side in the
passive mode, ensure that the partner link is in LACP active mode.
A LAG port moves into a defaulted state after the timeout value expires with no LACPDUs received from
the other side of the link. You can configure whether you want this defaulted LAG port removed from
the aggregator or added back into the aggregator. If you configure the LAG to remove ports that move
into the defaulted state, those ports are removed from the aggregator and the port state is set to
unselected. The default configuration for defaulted ports is to be removed, or deleted, from the
aggregator. (In ExtremeXOS version 11.3, defaulted ports in the LAG are always removed from the
aggregator; this is not configurable.)
NOTE
To force the LACP trunk to behave like a static sharing trunk, use the configure sharing lacp
defaulted-state-action command to add ports to the aggregator.
If you configure the LAG to add the defaulted port into the aggregator, the system takes inventory of
the number of ports currently in the aggregator. If there are fewer ports in the aggregator than the
maximum number allowed, the system adds the defaulted port to the aggregator (port set to selected
and collecting-distributing). If the aggregator has the maximum ports, the system adds the defaulted
port to the standby list (port set to standby). Use the show lacp lag <group-id> {detail} command
to display the defaulted action set for the LAG.
NOTE
If the defaulted port is assigned to standby, that port automatically has a lower priority than any other port
in the LAG (including those already in standby).
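The selection rules in this section (lowest port number first, optional port priority, standby promotion on failure, and the defaulted-state action) are modeled below in Python. This is an added example, not ExtremeXOS code. It assumes that a lower priority value joins first, as in IEEE 802.3ad, and uses the 8-selected-link limit the guide gives for Summit family switches; the priority values are constructed.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 100  # constructed value for this model, not a switch default


@dataclass
class MemberPort:
    port: int
    priority: int = DEFAULT_PRIORITY  # assumption: lower value joins first
    link_up: bool = True
    defaulted: bool = False  # no LACPDU received from the partner before the timeout


def elect(ports, max_selected=8, defaulted_action="delete"):
    """Split LAG members into selected, standby, and unselected ports.

    defaulted_action mirrors `configure sharing <port> lacp
    defaulted-state-action [add | delete]`:
      delete - a defaulted port leaves the aggregator (state unselected)
      add    - a defaulted port stays eligible but ranks below every other
               port, including ports already in standby
    """
    candidates, unselected = [], []
    for p in ports:
        if not p.link_up or (p.defaulted and defaulted_action == "delete"):
            unselected.append(p.port)
        else:
            candidates.append(p)
    # Rank: non-defaulted first, then priority, then lowest port number.
    candidates.sort(key=lambda p: (p.defaulted, p.priority, p.port))
    return {
        "selected": [p.port for p in candidates[:max_selected]],
        "standby": [p.port for p in candidates[max_selected:]],
        "unselected": sorted(unselected),
    }


if __name__ == "__main__":
    lag = [MemberPort(n) for n in range(1, 11)]
    print("initial      ", elect(lag))
    lag[2].link_up = False          # port 3 fails; standby port 9 is promoted
    print("port 3 down  ", elect(lag))
    lag[1].defaulted = True         # port 2 stops hearing LACPDUs
    print("action delete", elect(lag, defaulted_action="delete"))
    print("action add   ", elect(lag, defaulted_action="add"))
```

With the add action a port that hears no LACPDUs still ends up carrying traffic whenever the aggregator has room, which is the static-trunk behavior the NOTE above describes.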
Health Check Link Aggregation
The Health Check LAG application allows you to create a link aggregation group where individual
member links can monitor a particular TCP/IP address and TCP port. When connectivity to the TCP/IP
address and TCP port fails, the member link is removed from the link aggregation group.
The status of TCP connectivity is determined using standard TCP socket connections. As long as
the switch can establish a TCP connection to the target switch and TCP port, the connection is
considered up. The switch retries the TCP connection based on the configured frequency and miss settings.
A typical use case for this application is when a user wishes to connect each member link to a Security
Server to validate traffic. Each member link of the Health Check LAG is connected to an individual
Security Server. The LAG is added to a VLAN on the same subnet as the Security Server IP addresses
they wish to monitor. Each member port is configured to monitor a particular IP address and TCP port.
The Health Check LAG application attempts to do a TCP connect to each IP/TCP port through each
member port. The Health Check LAG, by virtue of the sharing algorithm, will load balance traffic across
the member links. If a TCP connection cannot be established through the member link, the port is
removed from the aggregator and traffic through that particular link is redistributed to the other LAG
member links.
Figure 33 displays an example of a Health Check LAG.
Figure 33: Health Check LAG Example
[Figure: An ExtremeXOS switch (vlan1, 192.168.1.1) with ports 1:1, 1:2, 1:3, 1:4, and 1:10, and four
servers: Server1 (192.168.1.101), Server2 (192.168.1.102), Server3 (192.168.1.103), and Server4
(192.168.1.104). The Health Check LAG application controls this LAG or trunk group and connects to and
monitors a TCP port on each individual link. Port 1:3 is shown removed from the LAG after no response
from the specified TCP port.]
Note: The default port to monitor is port 80 (HTTP).
Guidelines for Load Sharing
The following sections provide guidelines for load sharing:
● Load Sharing Guidelines for Summit Family Switches and SummitStack on page 292
● Load Sharing Guidelines for BlackDiamond X8 Series Switches and BlackDiamond 8800 Series
  Switches on page 293
● Load Sharing Rules and Restrictions for All Switches on page 294
Load Sharing Guidelines for Summit Family Switches and SummitStack
The following rules apply to load sharing on Summit family switches:
● One static LAG can contain up to 8 ports.
● One LACP LAG can contain up to 16 links per LAG, which includes up to 8 selected links and 8
  standby links.
● A Health Check LAG can contain up to 8 ports.
● You can configure only the address-based load-sharing algorithm as described in the following
  sections:
  - Link Aggregation Algorithms—Summit X150, X250e, X350, X450a, and X450e Series Switches on
    page 286
  - Link Aggregation Algorithms—BlackDiamond X8, BlackDiamond 8500 and 8800 Series Modules
    and SummitStack on page 286
  - Link Aggregation Algorithms—BlackDiamond X8 Series Switches, BlackDiamond 8900 Series
    Modules, SummitStack, and Summit X440, X460, X480, X650, and X670 Series Switches on
    page 287
● The maximum number of LAGs for Summit family switches is 128.
NOTE
See “Configuring LACP” on page 295 for the maximum number of links, selected and standby, per LACP.
The limits on the number of ports per LAG are different for X670. The following rules apply to load
sharing on the X670.
● A static LAG can contain up to 32 ports when configured to use the custom address-based
  algorithm. For all other algorithms, a static LAG can contain up to 16 ports.
● An LACP LAG configured to use the custom address-based algorithm can contain up to 64 ports per
  LAG, which includes up to 32 selected links and 32 standby links. For all other algorithms, an LACP
  LAG can contain up to 32 ports per LAG, which includes up to 16 selected links and 16 standby
  links.
NOTE
These limits for X670 do not apply to X670s in a stack. X670s in a stack have the same limits as for other
Summits.
Load Sharing Guidelines for BlackDiamond X8 Series Switches and
BlackDiamond 8800 Series Switches
The following rules apply to load sharing on BlackDiamond X8 series switches and BlackDiamond 8800
series switches:
● One static LAG can contain up to 8 ports.
● For the BlackDiamond X8, the maximum number of LAGs is 384.
● The limits on the BlackDiamond X8 are different from BlackDiamond 8800:
  - A static LAG can contain up to 64 ports.
  - An LACP LAG configured to use the custom address-based algorithm can contain up to 128 links
    per LAG, which includes up to 64 selected links and 64 standby links.
  - An LACP LAG configured to use an algorithm other than the custom address-based algorithm
    can contain up to 32 links per LAG, which includes up to 16 selected links and 16 standby links.
● One LACP LAG can contain up to 16 links per LAG, which includes up to 8 selected links and 8
  standby links.
● One Health Check LAG can contain up to 8 ports.
● You can configure only the address-based load-sharing algorithm as described in the following
  sections:
  - Link Aggregation Algorithms—BlackDiamond X8, BlackDiamond 8500 and 8800 Series Modules
    and SummitStack on page 286
  - Link Aggregation Algorithms—BlackDiamond X8 Series Switches, BlackDiamond 8900 Series
    Modules, SummitStack, and Summit X440, X460, X480, X650, and X670 Series Switches on
    page 287
● The maximum number of LAGs is 128. See “Configuring LACP” on page 295 for the maximum
  number of links, selected and standby, per LACP.
Load Sharing Rules and Restrictions for All Switches
Additionally, the following rules apply to load sharing on all switches:
● The ports in the LAG do not need to be contiguous.
● A LAG that spans multiple modules must use ports that have the same maximum bandwidth
  capability, with one exception—you can mix media type on 1 Gbps ports.
● On both ingress and egress direction on BlackDiamond 8800 series switches and Summit family
  switches, when you configure an ACL to a LAG group, you must configure each of the member
  ports exclusively.
Configuring Switch Load Sharing
NOTE
See “Guidelines for Load Sharing” on page 292 for specific information on load sharing for each specific
device.
To set up a switch for load sharing, or link aggregation, among ports, you must create a load-sharing
group of ports, also known as a link aggregation group (LAG). The first port in the load-sharing group
is configured to be the master logical port. This is the reference port used in configuration commands
and serves as the LAG group ID. It can be thought of as the logical port representing the entire port
group.
All the ports in a load-sharing group must have the same exact configuration, including
autonegotiation, duplex setting, ESRP host attach or don’t-count, and so on. All the ports in a
load-sharing group must also be of the same bandwidth class.
The following sections describe common load sharing configuration tasks:
● Creating and Deleting Load Sharing Groups on page 294
● Adding and Deleting Ports in a Load-Sharing Group on page 295
● Configuring the Load Sharing Algorithm on page 295
● Configuring LACP on page 295
● Configuring Health Check Link Aggregation on page 296
Creating and Deleting Load Sharing Groups
To define a load-sharing group, or LAG, you assign a group of ports to a single, logical port number. To
enable or disable a load-sharing group, use the following commands:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 | L3_L4
| custom}]} {lacp | health-check}
disable sharing <port>
NOTE
All ports that are designated for the LAG must be removed from all VLANs prior to configuring the LAG.
Adding and Deleting Ports in a Load-Sharing Group
Ports can be added or deleted dynamically in a load-sharing group, or LAG. To add or delete ports
from a load-sharing group, use the following commands:
configure sharing <port> add ports <port_list>
configure sharing <port> delete ports <port_list>
NOTE
See “Configuring LACP” on page 295 for the maximum number of links, selected and standby, per LACP.
Configuring the Load Sharing Algorithm
For some traffic on selected platforms, you can configure the load sharing algorithm as described in
“Load-Sharing Algorithms” on page 285. The commands for configuring load sharing algorithms are:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 | L3_L4 | custom}]} {lacp | health-check}
(SummitStack and all Summit family switches except Summit X650)
configure sharing address-based custom [ipv4 [L3-and-L4 | source-only | destination-only | source-and-destination] | hash-algorithm [xor | crc-16]]
(BlackDiamond 8900 series modules, Summit X650 switches, and SummitStack)
Configuring LACP
NOTE
Extreme Networks does not recommend enabling LACP and ELSM on the same port. See Chapter
11, “Status Monitoring and Statistics,” for information on ELSM.
To configure LACP, you must, again, first create a LAG. The first port in the LAG serves as the logical
port for the LAG. This is the reference port used in configuration commands. It can be thought of as the
logical port representing the entire port group, and it serves as the LAG Group ID.
To create a LAG for LACP:
1 Create a LAG, using the following command:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 | L3_L4 | custom}]}
{lacp | health-check}
The port you assign using the first parameter becomes the logical port for the link aggregation group
and the LAG Group ID when using LACP. This logical port must also be included in the port list of
the grouping itself.
2 If you want to override the default prioritization in LACP for a specified LAG, use the following
command:
configure sharing <port> lacp system-priority <priority>
This step is optional; LACP handles prioritization using system MAC addresses.
3 Add or delete ports to the LAG as desired, using the following command:
configure sharing <port> add ports <port_list>
4 If you want to override the ports selection for joining the LAG by configuring a priority for a port
within a LAG, issue the following command:
configure lacp member-port <port> priority <port_priority>
5 If you want to change the expiry timer, use the following command:
configure sharing <port> lacp timeout [long | short]
The default value for the timeout is long, or 90 seconds.
6 If you want to change the activity mode, use the following command:
configure sharing <port> lacp activity-mode [active | passive]
The default value for the activity mode is active.
7 If you want to configure the action the switch takes for defaulted LAG ports, use the following
command:
configure sharing <port> lacp defaulted-state-action [add | delete]
The default value for defaulted LAG ports is delete; that is, defaulted ports are deleted from the aggregator.
NOTE
Always verify the LACP configuration by issuing the show ports sharing command; look for the ports
listed as being in the aggregator.
Configuring Health Check Link Aggregation
To configure Health Check link aggregation you must first create a LAG. One port in the LAG serves as
the logical port for the LAG and is the reference port used in configuration commands.
When you create the LAG, no monitoring is initially configured. The LAG is created in the same way
that a static LAG is created and if no monitoring is ever created, this LAG behaves like a static LAG.
1 Create a LAG using the following command:
enable sharing <port> grouping <port_list> {algorithm [address-based {L2 | L3 |
L3_L4 | custom}]} {lacp | health-check}
The port you assign using the <port> parameter becomes the logical port for the link aggregation
group and the LAG Group ID when using Health Check link aggregation. This logical port must also
be included in the port list of the grouping itself.
2 Configure monitoring for each member port using the following command:
configure sharing health-check member-port <port> add tcp-tracking <IP Address>
{tcp-port <TCP Port> frequency <sec> misses <count>}
If the TCP-port, frequency, or misses are not specified, the defaults described in the ExtremeXOS
Command Reference Guide are used.
3 Add the LAG to a VLAN whose subnet is the same as the configured tracking IP addresses.
configure vlan <vlan> add port <lag port> [tagged | untagged]
All of the tracking IP addresses must be in the same subnet in which the LAG belongs.
NOTE
VLANs to which Health Check LAG ports are to be added must be configured in loopback mode. This is
to prevent the VLAN interface from going down if all ports are removed from the Health Check LAG. In a normal
LAG when all ports are removed from the aggregator, the trunk is considered DOWN. As a consequence, if this
were the only port in the VLAN, the VLAN interface would be brought DOWN as well. In the Health Check LAG
situation, this would cause the TCP monitoring to fail because the L3 vlan interface used by TCP monitoring
would no longer send or receive TCP data.
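The failure mode in the NOTE above is easy to miss, so the following Python model walks through it: when every tracked server stops answering, all member ports leave the aggregator, and without loopback mode the VLAN interface goes down with them, so no further probe can succeed. This is an added example, not ExtremeXOS code. It assumes that misses are counted consecutively, that a member rejoins the aggregator when its probe succeeds again, and a constructed miss threshold of 3; the addresses come from the guide's Health Check LAG example.

```python
import socket


def tcp_connect(target, timeout=1.0):
    """Default probe: a plain TCP connect to (ip, tcp_port)."""
    try:
        with socket.create_connection(target, timeout=timeout):
            return True
    except OSError:
        return False


class HealthCheckLag:
    def __init__(self, tracking, misses=3, loopback_mode=True, probe=tcp_connect):
        self.tracking = dict(tracking)        # member port -> (ip, tcp_port)
        self.misses = misses                  # consecutive failures before removal
        self.loopback_mode = loopback_mode    # `enable loopback-mode <vlan>`
        self.probe = probe
        self.missed = {port: 0 for port in self.tracking}
        self.aggregator = set(self.tracking)  # every member starts in the LAG

    def vlan_interface_up(self):
        # Without loopback mode the L3 interface follows the trunk state:
        # no port left in the aggregator means the interface is DOWN.
        return self.loopback_mode or bool(self.aggregator)

    def poll(self):
        """Run one monitoring interval and return the ports in the aggregator."""
        l3_up = self.vlan_interface_up()
        for port, target in self.tracking.items():
            # A probe can only be sent while the VLAN interface is up.
            if l3_up and self.probe(target):
                self.missed[port] = 0
                self.aggregator.add(port)
            else:
                self.missed[port] += 1
                if self.missed[port] >= self.misses:
                    self.aggregator.discard(port)
        return sorted(self.aggregator)


# Tracking targets taken from the guide's Health Check LAG example.
TRACKING = {
    5: ("192.168.1.101", 8080),
    6: ("192.168.1.102", 8080),
    7: ("192.168.1.103", 8080),
    8: ("192.168.1.104", 8080),
}


def outage_and_recovery(loopback_mode):
    """Simulate one server failing, then all failing, then all recovering."""
    reachable = set(TRACKING.values())
    lag = HealthCheckLag(TRACKING, misses=3, loopback_mode=loopback_mode,
                         probe=lambda target: target in reachable)
    lag.poll()
    reachable.discard(TRACKING[7])            # one server stops answering
    for _ in range(3):
        one_down = lag.poll()
    reachable.clear()                         # every server stops answering
    for _ in range(3):
        all_down = lag.poll()
    reachable.update(TRACKING.values())       # every server is back
    recovered = lag.poll()
    return one_down, all_down, recovered


if __name__ == "__main__":
    print("loopback mode on :", outage_and_recovery(True))
    print("loopback mode off:", outage_and_recovery(False))
```

With loopback mode on, all four members return after the servers recover; with it off, the aggregator stays empty because the interface used for probing never comes back up.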
The following commands are used to modify the configured Health Check LAG.
1 Delete the monitoring configuration for a member port using the following command:
configure sharing health-check member-port <port> delete tcp-tracking <IP Address>
{tcp-port <TCP Port>}
2 Enable or disable monitoring for a member port in the Health Check LAG using the following
command:
configure sharing health-check member-port <port> [disable | enable] tcp-tracking
Load-Sharing Examples
This section provides examples of how to define load sharing, or link aggregation, on stand-alone and
modular switches, as well as defining dynamic link aggregation.
Load Sharing on a Stand-alone Switch
The following example defines a static load-sharing group that contains ports 9 through 12, and uses
the first port in the group as the master logical port 9:
enable sharing 9 grouping 9-12
In this example, logical port 9 represents physical ports 9 through 12.
When using load sharing, you should always reference the master logical port of the load-sharing group
(port 9 in the previous example) when configuring or viewing VLANs; the logical port serves as the
LAG Group ID. VLANs configured to use other ports in the load-sharing group will have those ports
deleted from the VLAN when load sharing becomes enabled.
Cross-Module Load Sharing on a Modular Switch or SummitStack
The following example defines a static load-sharing group on modular switches that contains ports 9
through 12 on slot 3, ports 7 through 10 on slot 5, and uses port 7 in the slot 5 group as the primary
logical port, or LAG Group ID:
enable sharing 5:7 grouping 3:9-3:12, 5:7-5:10
In this example, logical port 5:7 represents physical ports 3:9 through 3:12 and 5:7 through 5:10.
When using load sharing, you should always reference the LAG Group ID of the load-sharing group
(port 5:7 in the previous example) when configuring or viewing VLANs. VLANs configured to use
other ports in the load-sharing group will have those ports deleted from the VLAN when load sharing
becomes enabled.
Address-based load sharing can also span modules.
Single-Module Load Sharing on a Modular Switch or SummitStack
The following example defines a static load-sharing, or link aggregation, group that contains ports 9
through 12 on slot 3 and uses the first port as the master logical port 9, or LAG group ID:
enable sharing 3:9 grouping 3:9-3:12
In this example, logical port 3:9 represents physical ports 3:9 through 3:12.
LACP Example
The following configuration example:
● Creates a dynamic LAG with the logical port (LAG Group ID) of 10 that contains ports 10 through
  12.
● Sets the system priority for that LAG to 3.
● Adds port 5 to the LAG.
enable sharing 10 grouping 10-12 lacp
configure sharing 10 lacp system-priority 3
configure sharing 10 add port 5
Health Check LAG Example
The following example creates a Health Check LAG of 4 ports:
create vlan v1
configure v1 ip 192.168.1.1/24
enable sharing 5 grouping 5-8 health-check
enable loopback-mode v1
configure v1 add port 5
configure sharing health-check member-port 5 add tcp-tracking 192.168.1.101 tcp-port 8080
configure sharing health-check member-port 6 add tcp-tracking 192.168.1.102 tcp-port 8080
configure sharing health-check member-port 7 add tcp-tracking 192.168.1.103 tcp-port 8080
configure sharing health-check member-port 8 add tcp-tracking 192.168.1.104 tcp-port 8080
Displaying Switch Load Sharing
You can display static and dynamic load sharing. In the link aggregation displays, the types are shown
by the following aggregation controls:
● Static link aggregation—static
● Link Aggregation Control Protocol—LACP
● Health check link aggregation—hlth-chk
To verify your configuration, use the following command:
show ports sharing
To verify LACP configuration, use the following command:
show lacp
To display information for the specified LAG, use the following command:
show lacp lag <group-id> {detail}
To display LACP information for a port that is a member of a LAG, use the following command:
show lacp member-port <port> {detail}
Refer to “Displaying Port Information” for information on displaying summary load-sharing
information.
To clear the counters, use the following command:
clear lacp counters
You can display the LACP counters for all member ports in the system. To display the LACP counters,
use the following command:
show lacp counters
To display information for a health check LAG, use the following command:
show sharing health-check
MLAG
BlackDiamond X8 Series Switches, BlackDiamond 8000 Series Modules, Summit
Family Switches, and SummitStack
This section consists of the following topics:
● Overview on page 299
● Limitations and Requirements on page 301
● Configuring MLAGs on page 304
● Example of MLAG Configuration on page 305
Overview
The multi-switch link aggregation group (MLAG) feature allows you to combine ports on two switches to
form a single logical connection to another network device. The other network device can be either a
server or a switch that is separately configured with a regular LAG (or appropriate server port teaming)
to form the port aggregation.
Figure 34 displays the elements in a basic MLAG configuration.
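Figure 34: MLAG Elements
[Figure not reproduced: Switch 1 and Switch 2 are connected by the ISC; port P1 on Switch 1 and port P2 on Switch 2 form MLAG-1 toward Server 1. The numbered callouts 1 through 10 are described below.]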
1 MLAG port that is a load-shared link. This port is the peer MLAG port for <Switch2:Port P2>.
2 MLAG peer switch for Switch 2.
3 Inter-Switch Connection (ISC or ISC VLAN) has only the ISC port as a member port on both MLAG peers.
4 ISC Link that connects MLAG peers.
5 MLAG peer switch for Switch 1.
6 ISC ports
7 MLAG port that is a non-load-shared link. This port is the peer MLAG port for <Switch1:Port P1>.
8 MLAG group (MLAG-ID 1) that has 2 member ports (1 load-shared and 1 non-load-shared member).
9 MLAG remote node sees the MLAG ports as a regular load-shared link.
10 MLAG remote node - Can be a server or a switch.
The basic operation of this feature requires two ExtremeXOS switches interconnected by an Inter-Switch
connection (ISC). The ISC is a normal, directly connected, Ethernet connection and it is recommended
that you engineer reliability, redundancy where applicable, and higher bandwidth for the ISC
connection. Then you logically aggregate ports on each of the two switches by assigning MLAG
identifiers (MLAG-ID). Ports with the same MLAG-ID are combined to form a single logical network
connection. Each MLAG can be comprised of a single link or a LAG on each switch. When an MLAG
port is a LAG, the MLAG port state remains up until all ports in the LAG go down. As long as at least
one port in the LAG remains active, the MLAG port state remains active.
When an MLAG port (a single port or all ports in a LAG) fails, any associated MAC FDB entries are
moved to the ISC, forcing traffic destined to the MLAG to be handled by the MLAG peer switch.
Additionally, the MLAG peer switch is notified of the failure and changes its ISC blocking filter to allow
transmission to the MLAG peer port. In order to reduce failure convergence time, you can configure
MLAG to use ACLs for redirecting traffic via the "fast" convergence-control option.
NOTE
For Layer 3 unicast forwarding, you must configure VRRP or ESRP on the peer switches.
Each of the two switches maintains the MLAG state for each of the MLAG ports and communicates
with each other to learn the MLAG states, MAC FDB, and IP multicast FDB of the peer MLAG switch.
ISC Blocking Filters
The ISC blocking filters are used to prevent looping and optimize bandwidth utilization. When at least
one MLAG peer port is active, the upper layer software initiates a block of traffic that ingresses the ISC
port and needs to be forwarded to the local MLAG ports. This is considered to be the steady state
condition. In normal steady state operation most network traffic does not traverse the ISC. All unicast
packets destined to MLAG ports are sent to the local MLAG port only. However, flood and multicast
traffic will traverse the ISC but will be dropped from MLAG peer port transmission by the ISC blocking
filter mechanism. The ISC blocking filter matches all Layer 2 traffic received on the ISC and blocks
transmission to all MLAG ports that have MLAG peer ports in the active state.
When there are no active MLAG peer ports, the upper layer software initiates an unblocking of traffic
that ingresses the ISC port and needs to be forwarded to the local MLAG ports thus providing
redundancy. This is considered to be the failed state.
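The steady state and failed state described above can be modeled directly. The following Python model is an added example, not ExtremeXOS code; it covers flooded Layer 2 frames only, and the class names, function names, ports, and MLAG-IDs are constructed for illustration.

```python
# Added illustration: a model of the ISC blocking filter for flooded Layer 2
# frames. Class and function names are hypothetical, not ExtremeXOS APIs.
from dataclasses import dataclass, field


@dataclass
class MlagSwitch:
    name: str
    isc_port: str
    mlag_ports: dict                      # MLAG-ID -> local port
    local_up: dict                        # MLAG-ID -> local MLAG port is active
    peer_up: dict = field(default_factory=dict)  # MLAG-ID -> peer port active
    filter_enabled: bool = True           # False models a switch with no filter

    def isc_blocks(self, mlag_id):
        """Block ISC -> local MLAG port while the peer's port is active."""
        return self.filter_enabled and self.peer_up.get(mlag_id, False)

    def flood(self, ingress_port):
        """Return the ports a flooded frame is transmitted on."""
        from_isc = ingress_port == self.isc_port
        out = []
        for mlag_id, port in self.mlag_ports.items():
            if port == ingress_port or not self.local_up[mlag_id]:
                continue
            if from_isc and self.isc_blocks(mlag_id):
                continue
            out.append(port)
        if not from_isc:
            out.append(self.isc_port)     # flood traffic does traverse the ISC
        return out


def checkpoint(a, b):
    """Model the peers exchanging MLAG port state over the ISC."""
    a.peer_up, b.peer_up = dict(b.local_up), dict(a.local_up)


def copies_received(first, second, src_id):
    """Flood one frame that enters `first` on MLAG `src_id`.

    Returns MLAG-ID -> number of copies the remote node on that MLAG receives.
    """
    counts = {mlag_id: 0 for mlag_id in first.mlag_ports}
    id_first = {p: i for i, p in first.mlag_ports.items()}
    id_second = {p: i for i, p in second.mlag_ports.items()}
    for port in first.flood(first.mlag_ports[src_id]):
        if port == first.isc_port:
            for peer_port in second.flood(second.isc_port):
                counts[id_second[peer_port]] += 1
        else:
            counts[id_first[port]] += 1
    return counts


def build_pair():
    """Constructed topology: two peers, ISC on 2:1, MLAG-IDs 1 and 2."""
    left = MlagSwitch("left", "2:1", {1: "1:1", 2: "1:2"}, {1: True, 2: True})
    right = MlagSwitch("right", "2:1", {1: "1:2", 2: "1:1"}, {1: True, 2: True})
    checkpoint(left, right)
    return left, right


def scenarios():
    """Run the four cases and return their per-MLAG copy counts."""
    results = {}
    left, right = build_pair()
    results["steady"] = copies_received(left, right, 1)

    left, right = build_pair()
    left.local_up[2] = False              # left's MLAG-2 port fails
    results["stale"] = copies_received(left, right, 1)  # peer not yet notified
    checkpoint(left, right)               # peer learns of failure, unblocks ID 2
    results["failed"] = copies_received(left, right, 1)

    left, right = build_pair()
    right.filter_enabled = False          # what the filter prevents
    results["no_filter"] = copies_received(left, right, 1)
    return results


if __name__ == "__main__":
    for name, counts in scenarios().items():
        print(name, counts)
```

In the "no_filter" case the sender on MLAG 1 receives its own frame back and the node on MLAG 2 receives two copies, which is the looping and duplication the filter exists to prevent; the "stale" case shows traffic being dropped until the peer is notified of the port failure.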
Inter-Switch Communication
Keep-alive Protocol. MLAG peers monitor the health of the ISC using a keep-alive protocol that
periodically sends health-check messages. The frequency of these health-check hellos is configurable.
MLAG Status Checkpointing. Each switch sends its MLAG peer information about the configuration
and status of MLAGs that are currently configured over the ISC link. This information is checkpointed
over a TCP connection that is established between the MLAG peers after the keep-alive protocol has
been bootstrapped.
PIM MLAG Support
ExtremeXOS allows you to configure PIM peers on an ISC link. This will help avoid using other links
for PIM peers. ExtremeXOS supports the following PIM functionality for PIM-MLAG:
● The checkpoint PIM state between MLAG peers. This should include all MLAG egresses.
You can verify that PIM functionality for MLAG is present by issuing the following show command:
#show pim cache {{detail} | {state-refresh} {mlag-peer-info} {<group_addr> {<source_addr>}}}
Additionally, the existing show pim cache command displays ingress VLAN information for all MLAG
peers. The output of the command is shown below:
Index  Dest Group   Source           InVlan   Origin
[0001] 225.0.0.1    64.1.1.100 (S)   vixia    Sparse
       Expires after 210 secs UpstNbr: 0.0.0.0
       [S1] Peer Ingress VLAN: 1.1.1.1/24 (Same)
       EgressIfList = v36(0)(FW)(DM)(I)
Limitations and Requirements
This feature has the following limitations:
● MLAG peer switches must be of the same platform family. The following MLAG peers are allowed:
BlackDiamond 8800 switches with BlackDiamond 8800 switches, BlackDiamond X8 switches with
BlackDiamond X8 switches, Summit switches with Summit switches, and SummitStack with
SummitStack.
NOTE
In the case of Summit standalone switches, it is strongly recommended that MLAG peer switches be of
the same type, for example, Summit X480 switches with Summit X480 switches.
In the case of SummitStack and BlackDiamond 8800 switches, we recommend that the MLAG ports be from
slots of similar capability, for example, Summit X650-24x to Summit X650-24t switches and
BlackDiamond 8900-G48X-xl to BlackDiamond 8900-G48T-xl modules.
● Only a single MLAG peer switch is allowed.
● Layer 2 protocols, such as EAPS or STP, will be configured to not allow the blocking of the ISC.
● The number of MLAGs for each pair of switches is limited to 768.
Table 31 shows additional MLAG requirements that are specific to other protocols and features.
Table 31: MLAG Requirements

| Items | Impact |
|---|---|
| VLAN:Membership | You must add the respective port (or LAG) that is part of an MLAG to a VLAN on both MLAG peers. The set of configured VLANs on [Switch1:P1] must be identical to the set of VLANs configured on [Switch2:P2]. You must add the ISC to every VLAN that has an MLAG link as a member port. |
| VMAN:Membership | The restrictions are the same as those for VLAN Membership. |
| VLAN:ISC | You must create a Layer 3 VLAN for control communication between MLAG peers. You cannot enable IP forwarding on this VLAN. The ISC is exclusively used for inter-MLAG peer control traffic and should not be provisioned to carry any user data traffic. Customer data traffic however can traverse the ISC port using other user VLANs. |
| VMAN:ISC | Although not recommended, a VMAN may be configured to carry Inter-MLAG peer traffic, |
| LAG:LACP | Not supported for LAGs that form an MLAG. |
| LAG:Load-Sharing Algorithm | It is recommended but not required that LAGs that form an MLAG be configured to use the same algorithm. |
| Ports:Flooding | To disable flooding on an MLAG you must disable flooding on both ports (or LAGs) that form the MLAG. |
| Ports:Learning | To disable learning on an MLAG you must disable learning on both ports (or LAGs) that form the MLAG. Learning is disabled by default on ISC ports. |
| FDB:Static & Blackhole entries | Configuration must be identical on both MLAG peers for entries that point to an MLAG port. |
| FDB:Limit learning | Learning limits are applicable to member ports of each peer. The limit on the MLAG is the sum of the configured value on each peer. |
| FDB:MAC Lockdown | This is supported but needs configuration on both peers. A switch can still receive checkpointed MAC addresses from its peer in the window between executing the lockdown command on both switches. |
| EAPS | MLAG ports cannot be configured to be EAPS ring ports. |
| STP | STP cannot be enabled on MLAG ports. Configuration of the ISC port as an EAPS blocked port is disallowed. You should ensure that the ISC port is never blocked by STP. |
| VRRP | VRRP must be enabled on Layer 3 VLANs that have MLAG member ports. |
| ESRP | ESRP must be enabled on Layer 3 VLANs that have MLAG member ports. MLAG and ISC ports must be added as ESRP host-attach ports. |
| EDP/LLDP | There are no restrictions but the remote end of the MLAG will display different neighbors for different ports in the same LAG. |
| ELSM | ELSM is not to be configured on MLAG ports at either end of an MLAG. |
| Software-Redundant ports | These are not to be configured on MLAG ports at either end of an MLAG. |
| Mirroring | Mirroring on local ports in an MLAG is supported. Mirroring of MLAG peer ports to a local port is not supported. |
| Routing Protocols | No routing protocol neighborship can be formed across an MLAG. |
| Multicast:IGMP | All timers related to IGMP must be identical on both the peers. |
| Multicast:PIM | PIM should be configured on both the MLAG peers, and the PIM timers must be identical. MLAG functionality must not be enabled on PIM Intermediate routers. It should be enabled only on Last Hop (LHR) and First Hop (FHR) routers. MLAG peer switches S1 and S2 perform Checkpoint PIM for S and G states. This should include all MLAG egresses. To avoid traffic drops due to asserts, do not include ISC port in MLAG egresses if the ingress VLAN includes ISC port, and both the peers have the same ingress for the S, G cache. |
| Multicast:MVR | MVR should be enabled on only one of the MLAG peer switches. MVR must not be enabled on MLAG VLANs. |
| Multicast:PIM Snooping | This is not supported. |
| Multicast:IPv6 | There are no restrictions. |
| CFM | There are no restrictions. |
| MPLS:General | MPLS cannot be enabled on VLANs having MLAG member ports. |
| MPLS:VPLS | VPLS must be configured for redundancy using ESRP. The ESRP master VLAN must include the ISC ports and the VPLS service VLAN ports as members. Pseudowires cannot traverse an ISC link. You should not add the ISC port as a member to MPLS VLANs that can be used by LSPs that can carry Layer 2 VPN traffic terminating on MLAG peer switches. |
| ACLs | It is strongly recommended that configuration be identical across peers on MLAG ports. |
| QoS | It is strongly recommended that configuration be identical across peers on MLAG ports. |
| Netlogin | This is not supported. |
| VLAN:PVLAN | If an MLAG port is a member of either a subscriber VLAN or a network VLAN, the ISC port needs to be added as a member of the network VLAN. Subscriber VLANs in a private VLAN cannot have overlapping MLAG ports as members. Configuring dedicated loopback ports for subscriber VLANs in a private VLAN that shares an MLAG port causes duplicate traffic to be sent to the remote node. |
| L3:IPv6 | Routing of IPv6 over an MLAG is not supported in this release. IPv6 traffic needs to be tunneled using 6in4 or 6to4 tunnels. |
| DAD | DAD detects duplicate IPv4 addresses configured on a VLAN that spans MLAG peer switches. This occurs only when the solicitation attempts that use the configure ip dad attempts <max_solicitations> command is more than 1. |
Configuring MLAGs
This section describes the commands used to configure MLAGs and display information about those
configured.
To create an MLAG peer switch association structure, use the following command:
create mlag peer <peer_name>
To delete a peer switch, use the following command:
delete mlag peer <peer_name>
To associate an MLAG peer structure with an MLAG peer switch IP address, use the following
command:
configure mlag peer <peer_name> ipaddress <peer_ip_address> {vr <VR>}
To unconfigure the association, use the following command:
unconfigure mlag peer <peer_name> ipaddress
To configure the time interval between health check hello packets exchanged between MLAG peer
switches, use the following command:
configure mlag peer <peer_name> interval <msec>
To unconfigure the time interval setting and reset the interval to the default of 1000ms, use the
following command:
unconfigure mlag peer <peer_name> interval
To bind a local port or LAG to an MLAG specified with an integer identifier, use the following
command:
enable mlag port <port> peer <peer_name> id <identifier>
To disable a local port or LAG from an MLAG, use the following command:
disable mlag port <port>
To set a preference for having a fast convergence time or conserving access lists, use the following
command:
configure mlag ports convergence-control [conserve-access-lists | fast]
NOTE
Executing the refresh policy command with MLAG configuration may result in health check hellos not
reaching the CPU. To avoid MLAG peer connectivity disruption, you can either execute the disable
access-list refresh blackhole command or temporarily increase the peer hello interval to a large value (for
instance, 10000 ms) and reset it back once refresh policy is complete.
Displaying Information
To display information about an MLAG peer, including MLAG peer switch state, MLAG group count,
and health-check statistics, use the following command:
show mlag peer {<peer_name>}
To display each MLAG group, including local port number, local port status, remote MLAG port state,
MLAG peer name, MLAG peer status, local port failure count, remote MLAG port failure count, and
MLAG peer failure count, use the following command:
show mlag ports {<portlist>}
To see if a port is part of an MLAG group or an ISC port, use the following command:
show ports information detail
Example of MLAG Configuration
This topic provides an example of how to configure an MLAG.
Figure 35 shows a finished MLAG network.
Figure 35: Simple MLAG Configuration
[Figure not reproduced: two BlackDiamond 8800 switches (Slot1 - G96T-c, Slot2 - 10G4Xc, Slot3 - 10G4Xc) joined by ISC-1, a regular load-sharing LAG on ports 2:1 and 3:1. MLAG-1 and MLAG-2 connect Server 1 and Server 2, each using a server teaming "LAG", to ports 1:1 and 1:2 on the two switches.]
To configure this MLAG, use the following procedure:
1 Create the Inter-Switch Connection (ISC)
Description: The ISC provides an out-of-band IP communications path between the 2 MLAG peer
switches to exchange keep-alive packets and to checkpoint various state information between
switches.
On the “Left” BlackDiamond 8800 switch:
enable sharing 2:1 group 2:1,3:1
create vlan isc
config vlan isc tag 3000
config vlan isc add port 2:1 tag
config vlan isc ipaddress 1.1.1.1/24
On the “Right” BlackDiamond 8800 switch:
enable sharing 2:1 group 2:1,3:1
create vlan isc
config vlan isc tag 3000
config vlan isc add port 2:1 tag
config vlan isc ipaddress 1.1.1.2/24
2 Create the MLAG peer and associate the peer switch's IP address
Description: By creating an MLAG peer you associate a peer name that can be associated with the
peer switch's IP address and other peer configuration properties. The peer is then bound to each
individual MLAG port group.
On the “Left” BlackDiamond 8800 switch:
create mlag peer "rightBD8K"
config mlag peer "rightBD8K" ipaddress 1.1.1.2
On the “Right” BlackDiamond 8800 switch:
create mlag peer "leftBD8K"
config mlag peer "leftBD8K" ipaddress 1.1.1.1
3 Create the MLAG port groups
Description: Creates an MLAG port group by specifying the local switch's port, the MLAG peer
switch, and an "mlag-id" which is used to reference the corresponding port on the MLAG peer
switch. The specified local switch's port can be either a single port or a load share master port.
On the “Left” BlackDiamond 8800 switch:
enable mlag port 1:1 peer "rightBD8K" id 1
enable mlag port 1:2 peer "rightBD8K" id 2
On the “Right” BlackDiamond 8800 switch:
enable mlag port 1:2 peer "leftBD8K" id 1
enable mlag port 1:1 peer "leftBD8K" id 2
4 Verify MLAG peers and ports are operational
Description: After MLAG groups are configured, you can verify the connections via the show mlag
peer and show mlag ports commands. Be sure to note the peer status, the Local Link State, and
the Remote Link status.
On the “Left” BlackDiamond 8800 switch:
BD-8810.5 # show mlag peer
Multi-switch Link Aggregation Peers:
MLAG Peer         : leftBD8k
VLAN              : isc             Virtual Router    : VR-Default
Local IP Address  : 1.1.1.2         Peer IP Address   : 1.1.1.1
MLAG ports        : 2               Tx-Interval       : 1000 ms
Checkpoint Status : Up              Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 184             Tx-Hellos         : 184
Rx-Checkpoint Msgs: 12              Tx-Checkpoint Msgs: 12
Rx-Hello Errors   : 0               Tx-Hello Errors   : 0
Hello Timeouts    : 1               Checkpoint Errors : 0
Up Time           : 0d:0h:0m:10s    Peer Conn.Failures: 1
BD-8810.3 # show mlag ports
                Local                                 Local   Remote
MLAG    Local   Link     Remote               Peer    Fail    Fail
Id      Port    State    Link     Peer        Status  Count   Count
================================================================================
1       1:1     A        Up       rightBD8K   Up      0       0
2       1:2     A        Up       rightBD8K   Up      0       0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG
                  port
Number of Multi-switch Link Aggregation Groups  : 2
Convergence control                             : Fast
On the “Right” BlackDiamond 8800 switch:
BD-8810.3 # show mlag peer
Multi-switch Link Aggregation Peers:
MLAG Peer         : rightBD8k
VLAN              : isc             Virtual Router    : VR-Default
Local IP Address  : 1.1.1.1         Peer IP Address   : 1.1.1.2
MLAG ports        : 2               Tx-Interval       : 1000 ms
Checkpoint Status : Up              Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 167             Tx-Hellos         : 167
Rx-Checkpoint Msgs: 12              Tx-Checkpoint Msgs: 12
Rx-Hello Errors   : 0               Tx-Hello Errors   : 0
Hello Timeouts    : 1               Checkpoint Errors : 0
Up Time           : 0d:0h:0m:7s     Peer Conn.Failures: 1
BD-8810.5 # show mlag ports
                Local                                 Local   Remote
MLAG    Local   Link     Remote               Peer    Fail    Fail
Id      Port    State    Link     Peer        Status  Count   Count
================================================================================
2       1:1     A        Up       leftBD8K    Up      0       0
1       1:2     A        Up       leftBD8K    Up      0       0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG
                  port
Number of Multi-switch Link Aggregation Groups  : 2
Convergence control                             : Fast
5 Add ISC port to VLAN
Description: The ISC port must be added as a member port for any VLAN that has MLAG member
ports.
create vlan "xyz"
On the “Left” BlackDiamond 8800 switch:
configure vlan "xyz" add port 1:1, 2:1 tagged
On the “Right” BlackDiamond 8800 switch:
configure vlan "xyz" add port 1:2, 2:1 tagged
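The VLAN:Membership, VLAN:ISC, and LAG:LACP rows of Table 31 can be checked mechanically before a change is applied to both peers. The following Python check is an added example, not part of ExtremeXOS; the dictionary layout and function names are assumptions, and the sample data is constructed from the configuration in steps 1 through 5.

```python
# Added illustration: audit two MLAG peers against selected rows of Table 31.
# The data layout and function names are hypothetical, not ExtremeXOS output
# or APIs; the sample values are constructed from the example configuration.

def vlans_of(switch, port):
    """VLAN names that contain `port` on this switch."""
    return {name for name, ports in switch["vlans"].items() if port in ports}


def audit_mlag_peers(left, right):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    left_ids = {i: p for p, i in left["mlag"].items()}
    right_ids = {i: p for p, i in right["mlag"].items()}

    # VLAN:Membership - the VLAN set on [Switch1:P1] must equal the set on
    # [Switch2:P2] for every MLAG-ID present on both peers.
    for mlag_id in sorted(set(left_ids) & set(right_ids)):
        lp, rp = left_ids[mlag_id], right_ids[mlag_id]
        lv, rv = vlans_of(left, lp), vlans_of(right, rp)
        for vlan in sorted(lv ^ rv):
            sw, port = (right, rp) if vlan in lv else (left, lp)
            findings.append(
                f"MLAG {mlag_id}: VLAN {vlan} missing on {sw['name']} port {port}")

    for sw in (left, right):
        mlag_ports = set(sw["mlag"])
        # VLAN:Membership - the ISC must be in every VLAN with an MLAG link.
        for vlan, ports in sorted(sw["vlans"].items()):
            if ports & mlag_ports and sw["isc_port"] not in ports:
                findings.append(
                    f"{sw['name']}: VLAN {vlan} has an MLAG port "
                    f"but not ISC port {sw['isc_port']}")
        # VLAN:ISC - IP forwarding cannot be enabled on the ISC VLAN.
        if sw["isc_vlan"] in sw["ip_forwarding"]:
            findings.append(
                f"{sw['name']}: IP forwarding enabled on ISC VLAN {sw['isc_vlan']}")
        # LAG:LACP - not supported for LAGs that form an MLAG.
        for port in sorted(mlag_ports & sw["lacp_ports"]):
            findings.append(f"{sw['name']}: MLAG port {port} is an LACP LAG")
    return findings


def example_peers():
    """Constructed from the example: ISC LAG master 2:1, VLANs isc and xyz."""
    left = {"name": "left", "isc_port": "2:1", "isc_vlan": "isc",
            "mlag": {"1:1": 1, "1:2": 2},            # local port -> MLAG-ID
            "vlans": {"isc": {"2:1"}, "xyz": {"1:1", "2:1"}},
            "ip_forwarding": set(), "lacp_ports": set()}
    right = {"name": "right", "isc_port": "2:1", "isc_vlan": "isc",
             "mlag": {"1:2": 1, "1:1": 2},
             "vlans": {"isc": {"2:1"}, "xyz": {"1:2", "2:1"}},
             "ip_forwarding": set(), "lacp_ports": set()}
    return left, right


if __name__ == "__main__":
    l, r = example_peers()
    print(audit_mlag_peers(l, r))          # the example as configured
    l["vlans"]["abc"] = {"1:2"}            # VLAN added on one peer, no ISC
    for finding in audit_mlag_peers(l, r):
        print(finding)
```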
Figure 35, the example above, shows a basic MLAG network. Figure 36 shows a network with
back-to-back aggregation. There is one MLAG configured on the BlackDiamond switches and three
configured on the Summit switches.
Figure 36: Two-tier MLAG Network
[Figure not reproduced: two BlackDiamond 8800 switches (Slot1 - G96T-c, Slot2 - 10G4Xc, Slot3 - 10G4Xc) joined by ISC-1 on ports 2:1 and 3:1, above two Summit X450a switches joined by ISC-2 on ports 50 and 51. Legend: MLAG-1 for the BlackDiamond 8800s; MLAG-2, MLAG-3, and MLAG-4 for the Summit X450a's; regular LAG; regular LAG for ISC; server port teaming for Server 1 and Server 2.]
Mirroring
NOTE
You can accomplish port mirroring using ACLs or CLEAR-Flow. See Chapter 18, “ACLs,” for more
information on ACLs and Chapter 24, “CLEAR-Flow,” for more information on CLEAR-Flow.
Mirroring configures the switch to copy all traffic associated with one or more ports, VLANs, or virtual
ports. A virtual port is a combination of a VLAN and a port. The monitor port or ports can then be
connected to a network analyzer or RMON probe for packet analysis. The system uses a traffic filter
that copies a group of traffic to the monitor port(s). You can have only one monitor port or port list on
the switch. This feature allows you to mirror multiple ports or VLANs to a monitor port, while
preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast
domain (VLAN) and across broadcast domains (for example, across VLANs when routing).
NOTE
The mirroring filter limits discussed in this chapter do not apply when you are working with Sentriant
devices.
Up to 128 mirroring filters can be configured with the restriction that a maximum of 16 of these can be
configured as VLAN and/or virtual port (port + VLAN) filters.
One monitor port or 1 monitor port list can be configured. A monitor port list may contain up to 16
ports.
NOTE
On BlackDiamond X8 series switches, BlackDiamond 8800 series switches, SummitStack, and Summit
family switches, you can mirror up to 16 VLANs.
Mirroring is disabled by default.
NOTE
Frames that contain errors are not mirrored.
Guidelines for Mirroring
The guidelines for mirroring are hardware dependent. Find your hardware type in this section for your
specific guidelines.
Summit Family Switches
The traffic filter on Summit family switches can be defined based on one of the following criteria:
● Physical port—All data that traverses the port, regardless of VLAN configuration, is copied to the
monitor port(s). You can specify which traffic the port mirrors:
  - Ingress—Mirrors traffic received at the port.
  - Egress—Mirrors traffic sent from the port.
  - Ingress and egress—Mirrors traffic either received at the port or sent from the port.
  (If you omit the optional parameters, all traffic is forwarded; the default for port-based mirroring
  is ingress and egress).
● VLAN—All data to a particular VLAN, regardless of the physical port configuration, is copied to the
monitor port(s).
● Virtual port—All data specific to a VLAN on a specific port is copied to the monitor port(s).
● Summit family switches support a maximum of 128 mirroring filters with the restriction that a
maximum of 16 VLAN and/or virtual port (port + VLAN) filters may be configured.
● ExtremeXOS supports up to 16 monitor ports for one-to-many mirroring.
● Only traffic ingressing a VLAN can be monitored; you cannot specify ingressing or egressing traffic
when mirroring VLAN traffic and a virtual port filter.
● Ingress traffic is mirrored as it is received (on the wire).
● Egress mirrored traffic always egresses the monitor port tagged.
● In normal mirroring, a monitor port cannot be added to a load share group. In one-to-many
mirroring, a monitor port list can be added to a load share group, but a loopback port cannot be
used in a load share group.
● You can run mirroring and sFlow on the same device when you are running Summit family switches.
● With a monitor port or ports on Summit family switches, all traffic ingressing the monitor port or
ports is tagged only if the ingress packet is tagged. If the packet arrived at the ingress port as
untagged, the packet egresses the monitor port or ports as untagged.
● Two packets are mirrored when a packet encounters both an ingress and egress mirroring filter.
● The configuration of remote-tag does not require the creation of a VLAN with the same tag; on
these platforms the existence of a VLAN with the same tag as a configured remote-tag is prevented.
This combination is allowed so that an intermediate remote mirroring switch can configure remote
mirroring using the same remote mirroring tag as other source switches in the network. Make sure
that VLANs meant to carry normal user traffic are not configured with a tag used for remote
mirroring.
When a VLAN is created with remote-tag, that tag is locked and a normal VLAN cannot have that
tag. The tag is unique across the switch. Similarly if you try to create a remote-tag VLAN where
remote-tag already exists in a normal VLAN as a VLAN tag, you cannot use that tag and the
VLAN creation fails.
BlackDiamond X8, BlackDiamond 8800 Series Switches and SummitStack
The traffic filter on BlackDiamond X8, BlackDiamond 8800 series switches and SummitStack can be
defined based on one of the following criteria:
● Physical port—All data that traverses the port, regardless of VLAN configuration, is copied to the
monitor port(s). You can specify which traffic the port mirrors:
  - Ingress—Mirrors traffic received at the port.
  - Egress—Mirrors traffic sent from the port.
  - Ingress and egress—Mirrors traffic either received at the port or sent from the port.
  (If you omit the optional parameters, all traffic is forwarded; the default for port-based mirroring
  is ingress and egress).
● VLAN—All data to a particular VLAN, regardless of the physical port configuration, is copied to the
monitor port(s).
● Virtual port—All data specific to a VLAN on a specific port is copied to the monitor port(s).
● BlackDiamond X8, BlackDiamond 8800 series switches, and SummitStack support a maximum of 128
mirroring filters with the restriction that a maximum of 16 VLAN and/or virtual port (port + VLAN)
filters may be configured.
● ExtremeXOS supports up to 16 monitor ports for one-to-many mirroring.
● Only traffic ingressing a VLAN can be monitored; you cannot specify ingressing or egressing traffic
when mirroring VLAN traffic.
● Ingress traffic is mirrored as it is received (on the wire).
● Egress mirrored traffic always egresses the monitor port tagged.
● Two packets are mirrored when a packet encounters both an ingress and egress mirroring filter.
● With a monitor port or ports on a BlackDiamond X8 series switch, BlackDiamond 8000 series
module, a Summit family switch, or a Summit family switch in a SummitStack, all ingress mirrored
traffic egressing the monitor port or ports is tagged only if the ingress packet is tagged. If the packet
arrived at the ingress port as untagged, the packet egresses the monitor port or ports as untagged.
● With the BlackDiamond X8 series switches, BlackDiamond 8000 a-, c-, e-, xl-, and xm-series modules
or Summit X250e, X440, X450a, X450e, X460, X480, X650, or X670 series switches in a SummitStack,
you may see a packet mirrored twice. This occurs only if both the ingress mirrored port and the
monitor port or ports are on the same one-half of the module and the egress mirrored port is either
on the other one-half of that module or on another module.
● On BlackDiamond X8 series switches, BlackDiamond 8800 series switches, Summit family switches,
or SummitStack, when traffic is modified by hardware on egress, egress mirrored packets may not be
transmitted out of the monitor port as they egressed the port containing the egress mirroring filter.
For example, an egress mirrored packet that undergoes VLAN translation is mirrored with the
untranslated VLAN ID. In addition, IP multicast packets which are egress mirrored contain the
source MAC address and VLAN ID of the unmodified packet.
● The configuration of remote-tag does not require the creation of a VLAN with the same tag; on
these platforms the existence of a VLAN with the same tag as a configured remote-tag is prevented.
This combination is allowed so that an intermediate remote mirroring switch can configure remote
mirroring using the same remote mirroring tag as other source switches in the network. Make sure
that VLANs meant to carry normal user traffic are not configured with a tag used for remote
mirroring.
● When a VLAN is created with remote-tag, that tag is locked and a normal VLAN cannot have that
tag. The tag is unique across the switch. Similarly if you try to create a remote-tag VLAN where
remote-tag already exists in a normal VLAN as a VLAN tag, you cannot use that tag and the
VLAN creation fails.
Mirroring Rules and Restrictions
This section summarizes the rules and restrictions for configuring mirroring:
● When you disable mirroring, all the filters are unconfigured.
● To change monitor ports, you must first remove all the filters.
● You cannot mirror the monitor port.
● The mirroring configuration is removed when you:
  - Delete a VLAN (for all VLAN-based filters).
  - Delete a port from a VLAN (for all VLAN-, port-based filters).
  - Unconfigure a slot (for all port-based filters on that slot).
● Any mirrored port can also be enabled for load sharing (or link aggregation); however, each
individual port of the load-sharing group must be explicitly configured for mirroring.
● The monitor port is automatically removed from all VLANs; you cannot add it to a VLAN.
● You cannot use the management port at all in mirroring configurations.
● The mirroring filters are not confined to a single module; they can have ports that span multiple
modules.
● You cannot run ELSM and mirroring on the same port. If you attempt to enable mirroring on a port
that is already enabled for ELSM, the switch returns a message similar to the following:
Error: Port mirroring cannot be enabled on an ELSM enabled port.
● With one-to-many mirroring, you need to enable jumbo frame support in the mirror-to port and
loopback port, if you need to mirror tagged packets of length 1519 to 1522.
● The loopback port is dedicated for mirroring and hence cannot be used for other configuration and
that is indicated through glowing LED.
● Egress mirrored packets are always tagged when egressing the monitor port. If an egress mirrored
packet is untagged on the egress mirrored port, the mirrored copy contains a tag with an internal
VLAN ID.
● As traffic approaches line rate, mirroring rate may decrease. Since mirroring makes copies of traffic,
the bandwidth available will be devoted mostly to regular traffic instead of mirrored traffic when the
load is high.
● On BlackDiamond X8 Series Switches, CPU generated packets for link-based protocols (for example,
EDP and LACP) are not egress mirrored. CPU generated PDUs on L2 protocol blocked ports are also
not egress mirrored.
Mirroring Examples
Mirroring is disabled by default. To enable mirroring on a single port, the following command can be
used:
enable mirroring to port <port-no>
To enable mirroring on multiple ports, use the following command:
enable mirroring to port-list <port-list> loopback-port <port>
The port-list is a list of monitor ports which will transmit identical copies of mirrored packets. The
loopback-port is an otherwise unused port required when mirroring to a port-list. The loopback-port is
not available for switching user data traffic.
To disable mirroring, use the following command:
disable mirroring
NOTE
When you change the mirroring configuration, the switch stops sending egress packets from the monitor
port until the change is complete. The ingress mirroring traffic to the monitor port and regular traffic are not
affected.
BlackDiamond X8 Series Switches, BlackDiamond 8800 Series Switches,
SummitStack, and Summit Family Switches
The following example selects slot 3, port 4 on a modular switch or SummitStack as the monitor port
and sends all traffic received at slot 6, port 5 to the monitor port:
enable mirroring to port 3:4
configure mirroring add port 6:5 ingress
The following example selects slot 3, port 4 on a modular switch or SummitStack as the monitor port
and sends all traffic sent from slot 6, port 5 to the monitor port:
enable mirroring to port 3:4
configure mirroring add port 6:5 egress
The following example selects port 4 on a standalone switch as the monitor port and sends all traffic
ingressing the VLAN red to the monitor port:
enable mirroring to port 4
configure mirroring add vlan red
The following example selects port 4 on a standalone switch as the monitor port and sends all traffic
ingressing the VLAN red on port 5 to the monitor port:
enable mirroring to port 4
configure mirroring add vlan red port 5
The following example selects ports 5, 6, and 7 on slot 2 on a modular switch or SummitStack as the
monitor ports and sends all traffic received at slot 6, port 5 to the monitor ports. Slot 3, port 1 is an
unused port selected as the loopback port.
enable mirroring to port-list 2:5-2:7 loopback-port 3:1
configure mirroring add port 6:5 ingress
Verifying the Mirroring Configuration
The screen output resulting from the show mirroring command lists the ports that are involved in
mirroring and identifies the monitor port. The display differs slightly depending on the platform.
Remote Mirroring
Remote mirroring enables the user to mirror traffic to remotely connected switches. Remote mirroring
allows a network administrator to mirror traffic from several different remote switches to a port at a
centralized location. Remote mirroring is accomplished by reserving a dedicated VLAN throughout the
network for carrying the mirrored traffic. You can enable remote mirroring on the following platforms:
● BlackDiamond X8 series switches
● BlackDiamond 8000 a-, c-, e-, xl-, and xm-series modules
● Summit Family switches
Figure 37 shows a typical remote mirroring topology. Switch A is the source switch that contains ports,
VLANs, and/or virtual ports to be remotely mirrored. Port 25 is the local monitor port on Switch A.
Switch B is the intermediate switch. Switch C is the destination switch, which is connected to the
network analyzer.
Figure 37: Remote Mirroring Topology (diagram not reproduced; labels: Network Analyzer, Switch C, Switch B, Switch A, Port 2, Port 25)
All the mirrored packets are tagged with the remote-tag specified by the source switch, whether the
packet is already tagged or not. The intermediate switches forward the remote-tagged mirrored packets
to the adjacent intermediate/destination switch, as these ports are added as tagged. The port connected
to the network analyzer is added as untagged in the destination switch. This causes the destination
switch to remove the remote-tag, and the mirrored packet reaches the network analyzer as the source
switch sent it.
Unlike basic mirroring, remote mirroring does not remove VLAN membership from the local monitor
port(s). This allows remote mirroring to use the existing network topology to transport remote mirrored
packets to a destination switch.
Configuration Details
This section describes the configuration for the topology shown in Figure 37.
Configuration on Source Switch
The remote-tag keyword followed by the tag is added in the command to enable mirroring. For
example, in the Summit X450a series switch, you can use the following command to establish ports 24
and 25 as monitor ports, from which any mirrored packets are transmitted with an additional VLAN tag
containing a VLAN ID of 1000:
enable mirroring to port-list 24,25 loopback-port 1 remote-tag 1000
The show mirroring output displays the remote tag when remote mirroring is configured.
On supported Summit family switches and BlackDiamond X8 and 8800 series switches,
remote mirroring can also be enabled to a single port, without the port-list and loopback-port keywords.
For instance, to enable remote mirroring to port 25, you can use the following command:
enable mirroring to port 25 remote-tag 1000
Configuration on Intermediate Switch
When you enable mirroring with remote-tag 1000, you need to reserve a VLAN with tag 1000 in all
the intermediate switches for remote mirroring. The remote mirroring VLAN in the intermediate
switches is used for carrying the mirroring traffic to the destination switch. The ports connecting the
source and destination switches are added as tagged in the intermediate switches.
You may add the remote-mirroring keyword when you configure the tag to differentiate a normal
VLAN from the remote mirroring VLAN.
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 1,2 tagged
Using the remote-mirroring keyword automatically disables learning and IGMP snooping on the
VLAN.
Another way to configure a remote mirroring VLAN is to create a normal VLAN and disable learning
on the VLAN. IGMP snooping must be disabled on that VLAN for you to remotely mirror multicast
packets through the switch.
You may use the following configuration for creating the remote mirroring VLAN:
create vlan remote_vlan
configure vlan remote_vlan tag 1000
disable learning vlan remote_vlan
disable igmp snooping remote_vlan
Configuration on Destination Switch
The configuration on the destination switch is the same as that of the intermediate switches, except that
the port connected to the network analyzer is added as untagged, whereas all the other ports connected
to the switches are added as tagged.
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 1 tagged
configure vlan remote_vlan add ports 2 untagged
For a remote mirroring VLAN, the configured tag displayed by the show vlan output is remote tag
instead of the normal tag.
Guidelines
The following are guidelines for remote mirroring:
● Configurations of remote mirroring that might cause protocol packets to be remotely mirrored are
not recommended. Since all packet types are mirrored when you configure remote mirroring,
remotely mirrored protocol packets may have undesirable effects on intermediate and destination
switches. Blocking EDP packets on a remote mirroring VLAN is one example of a case where you
must perform an extra action to accommodate the remote mirroring of protocol packets.
For EDP configuration on the remote mirroring VLAN, you need to install an ACL on the intermediate
and destination switches to block the EDP packets on the remote mirroring VLAN. Use the following
commands for installation:
create access-list remote_edp " ethernet-destination-address 00:e0:2b:00:00:00 mask ff:ff:ff:ff:ff:ff ;" "deny"
conf access-list add "remote_edp" first vlan "remote_vlan"
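The following audit script is an added example, not part of the guide or of ExtremeXOS. It checks one switch's commands against the remote mirroring VLAN rules above for intermediate and destination switches. It assumes the configuration is supplied as CLI commands in the form used in this guide (`show configuration` output may differ); the function name, finding codes, and sample lists are constructed for illustration.

```python
import re

EDP_DEST_MAC = "00:e0:2b:00:00:00"  # EDP destination address in the guide's ACL


def audit_remote_mirror_vlan(commands, remote_tag, role="intermediate"):
    """Check one switch's commands against the remote mirroring VLAN rules.

    Returns a sorted list of finding codes; an empty list means no finding.
    """
    vlans = {}            # VLAN name -> settings collected from the commands
    edp_acls = set()      # ACLs that deny the EDP destination address
    acl_on_vlan = set()   # (ACL name, VLAN name) pairs that were applied

    def vlan(name):
        return vlans.setdefault(name, {
            "tag": None, "learning": True, "igmp": True,
            "tagged": [], "untagged": [],
        })

    for raw in commands:
        line = " ".join(raw.split())  # normalise spacing
        if m := re.fullmatch(r"configure vlan (\S+) tag (\d+)( remote-mirroring)?", line):
            v = vlan(m[1])
            v["tag"] = int(m[2])
            if m[3]:
                # The keyword disables learning and IGMP snooping on the VLAN.
                v["learning"] = v["igmp"] = False
        elif m := re.fullmatch(
                r"configure vlan (\S+) add ports (\S+)( tag(?:ged)?| untagged)?", line):
            # Ports added without a keyword are counted as untagged.
            kind = "tagged" if (m[3] or "").strip().startswith("tag") else "untagged"
            vlan(m[1])[kind].extend(m[2].split(","))
        elif m := re.fullmatch(r"disable learning vlan (\S+)", line):
            vlan(m[1])["learning"] = False
        elif m := re.fullmatch(r"disable igmp snooping (?:vlan )?(\S+)", line):
            vlan(m[1])["igmp"] = False
        elif m := re.fullmatch(r'create access-list (\S+) "([^"]*)" "(\w+)"', line):
            # Only the address and the action are checked, not the mask.
            if EDP_DEST_MAC in m[2].lower() and m[3] == "deny":
                edp_acls.add(m[1])
        elif m := re.fullmatch(
                r'conf(?:igure)? access-list add "?([^" ]+)"? first vlan "?([^" ]+)"?', line):
            acl_on_vlan.add((m[1], m[2]))

    carriers = [name for name, v in vlans.items() if v["tag"] == remote_tag]
    if not carriers:
        return ["no-vlan-for-remote-tag"]
    name = carriers[0]
    v = vlans[name]

    findings = []
    if v["learning"]:
        findings.append("learning-enabled")
    if v["igmp"]:
        findings.append("igmp-snooping-enabled")
    if not any((acl, name) in acl_on_vlan for acl in edp_acls):
        findings.append("edp-not-blocked")
    if role == "intermediate" and v["untagged"]:
        findings.append("untagged-port-on-intermediate")
    if role == "destination" and not v["untagged"]:
        findings.append("no-untagged-analyzer-port")
    return sorted(findings)


# Constructed sample: the guide's intermediate-switch commands plus its EDP ACL.
INTERMEDIATE_OK = [
    "create vlan remote_vlan",
    "configure vlan remote_vlan tag 1000 remote-mirroring",
    "configure vlan remote_vlan add ports 1,2 tagged",
    'create access-list remote_edp " ethernet-destination-address '
    '00:e0:2b:00:00:00 mask ff:ff:ff:ff:ff:ff ;" "deny"',
    'conf access-list add "remote_edp" first vlan "remote_vlan"',
]
# Constructed sample: a normal VLAN reused for mirroring, IGMP snooping left on.
INTERMEDIATE_WEAK = [
    "create vlan remote_vlan",
    "configure vlan remote_vlan tag 1000",
    "configure vlan remote_vlan add ports 1,2 tagged",
    "disable learning vlan remote_vlan",
]
# Constructed sample: the guide's destination-switch commands, no EDP ACL yet.
DESTINATION_NO_ACL = [
    "create vlan remote_vlan",
    "configure vlan remote_vlan tag 1000 remote-mirroring",
    "configure vlan remote_vlan add ports 1 tagged",
    "configure vlan remote_vlan add ports 2 untagged",
]

if __name__ == "__main__":
    for label, cfg, role in [
        ("intermediate (complete)", INTERMEDIATE_OK, "intermediate"),
        ("intermediate (weak)", INTERMEDIATE_WEAK, "intermediate"),
        ("destination (no ACL)", DESTINATION_NO_ACL, "destination"),
    ]:
        print(label, audit_remote_mirror_vlan(cfg, 1000, role))
```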
Use of Remote Mirroring with Redundancy Protocols
You can use remote mirroring with one-to-many mirroring to provide a redundant path from the source
switch to the destination switch. Using EAPS or Spanning Tree can provide remote mirroring packets a
redundant loop-free path through the network. You should perform the configuration of EAPS or
Spanning Tree before adding mirroring filters on the source switch to prevent looping.
Remote Mirroring with EAPS
In Figure 38, the traffic from switch A is mirrored to the two ports 8:2 and 1:48 to connect to the
destination switch. Using the configuration shown in Figure 38, remote mirrored packets have a loop-free redundant path through the network using EAPS.
Figure 38: Remote Mirroring with EAPS
The configuration for the topology in Figure 38 is given in the following sections.
Switch A Configuration
The configuration details for a BlackDiamond 8810 switch are as follows:
configure mirroring mode enhanced
enable mirroring to port-list 8:2,1:48 loopback-port 8:1 remote-tag 1000
configure mirroring add port 8:35
create vlan eaps_control
configure vlan eaps_control tag 1001
configure vlan eaps_control add ports 8:2,1:48 tag
create eaps eaps1
configure eaps1 mode master
configure eaps1 primary port 8:2
configure eaps1 secondary port 1:48
configure eaps1 add control eaps_control
configure eaps1 add protected internalMirrorLoopback
enable eaps1
enable eaps
Switch B Configuration
The configuration details for a Summit X450e switch are as follows:
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 19,9 tag
create vlan eaps_control
configure vlan eaps_control tag 1001
configure vlan eaps_control add ports 19,9 tag
create eaps eaps1
configure eaps1 mode transit
configure eaps1 primary port 19
configure eaps1 secondary port 9
configure eaps1 add control eaps_control
configure eaps1 add protected remote_vlan
enable eaps1
enable eaps
Switch C Configuration
The configuration details for a Summit X450a switch are as follows:
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 31,45 tag
configure vlan remote_vlan add ports 1
create vlan eaps_control
configure vlan eaps_control tag 1001
configure vlan eaps_control add ports 31,45 tag
create eaps eaps1
configure eaps1 mode transit
configure eaps1 primary port 31
configure eaps1 secondary port 45
configure eaps1 add control eaps_control
configure eaps1 add protected remote_vlan
enable eaps1
enable eaps
NOTE
The internalMirrorLoopback is an internal VMAN created when enabling mirroring to multiple ports.
Depending on the platform, the internal VLAN or VMAN needs to be added as the protected VLAN in the source
switch in order to block the ports for mirroring when EAPS is complete.
Remote Mirroring With STP
For the same topology shown in Figure 38 you can use STP instead of using EAPS. A sample
configuration follows.
Switch A Configuration
configure mirroring mode enhanced
enable mirroring to port-list 8:2,1:48 loopback-port 8:1 remote-tag 1000
configure mirroring add port 8:35
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 8:2,1:48 tag
create stp stp1
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan internalMirrorLoopback ports 8:2,1:48
enable stp1
enable stpd
Switch B Configuration
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 19,9 tag
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 19,9 tag
create stp stp1
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan remote_vlan ports all
enable stp1
enable stpd
Switch C Configuration
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 31,45 tag
configure vlan remote_vlan add ports 1
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 31,45 tag
create stp stp1
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan remote_vlan ports 31,45
enable stp1
enable stpd
Extreme Discovery Protocol
The Extreme Discovery Protocol (EDP) is used to gather information about neighbor Extreme Networks
switches. EDP is used by the switches to exchange topology information. Information communicated
using EDP includes:
● Switch MAC address (switch ID)
● Switch software version information
● Switch IP address
● Switch VLAN IP information
● Switch port number
● Switch configuration data: duplex and speed
EDP is enabled on all ports by default. EDP-enabled ports advertise information about the Extreme
Networks switch to other switches on the interface and receive advertisements from other Extreme
Networks switches. Information about other Extreme Networks switches is discarded after a timeout
interval is reached without receiving another advertisement.
To disable EDP on one or more ports, use the following command:
disable edp ports [<ports> | all]
To enable EDP on specified ports, use the following command:
enable edp ports [<ports> | all]
To clear EDP counters on the switch, use the following command:
clear counters edp
This command clears the following counters for EDP protocol data units (PDUs) sent and received per
EDP port:
● Switch PDUs transmitted
● VLAN PDUs transmitted
● Transmit PDUs with errors
● Switch PDUs received
● VLAN PDUs received
● Received PDUs with errors
To view EDP port information on the switch, use the following command:
show edp
Additionally, you can view EDP information by using the following command:
show edp port <ports> detail
To configure the advertisement interval and the timeout interval, use the following command:
configure edp advertisment-interval <timer> holddown-interval <timeout>
Refer to “Displaying Port Information” for information on displaying EDP status.
Software-Controlled Redundant Port and Smart Redundancy
Using the software-controlled redundant port feature you can back up a specified Ethernet port
(primary) with a redundant, dedicated Ethernet port; both ports are on the same switch. If the primary
port fails, the switch will establish a link on the redundant port and the redundant port becomes active.
Only one side of the link must be configured as redundant because the redundant port link is held in
standby state on both sides of the link. This feature provides very fast path or network redundancy.
NOTE
You cannot have any Layer 2 protocols configured on any of the VLANs that are present on the ports.
Smart Redundancy is a feature that allows control over how the failover from a redundant port to the
primary port is managed. If this feature is enabled, which is the default setting, the switch attempts to
revert to the primary port as soon as it can be recovered. If the feature is disabled, the switch attempts
only to recover the primary port to active if the redundant port fails.
A typical configuration of software-controlled redundant ports is a dual-homed implementation
(Figure 39). This example maintains connectivity only if the link between switch A and switch B
remains open; that link is outside the scope of the software-controlled port redundancy on switch C.
Figure 39: Dual-Homed Implementation for Switch C (diagram not reproduced; labels: Switch A, Switch B, Switch C, Primary Link, Redundant Link)
In normal operation, the primary port is active and the software redundant switch (switch C in
Figure 39) blocks the redundant port for all traffic, thereby avoiding a loop in the network. If the switch
detects that the primary port is down, the switch unblocks the redundant port and allows traffic to flow
through that redundant port.
NOTE
The primary and redundant ports must have identical VLAN membership.
You configure the software-controlled redundant port feature either to have the redundant link always
physically up but logically blocked or to have the link always physically down. The default value is to
have the link physically down, or Off.
By default, Smart Redundancy is always enabled. If you enable Smart Redundancy, the switch
automatically fails over to the redundant port and returns traffic to the primary port after connectivity
is restored on that port. If you do not want the automatic restoration of the primary link when it
becomes active, disable Smart Redundancy.
Guidelines for Software-Controlled Redundant Ports and Port Groups
Software-controlled redundant ports and port groups have the following limitations:
● You cannot have any Layer 2 protocols configured on any of the VLANs that are present on the
ports. (You will see an error message if you attempt to configure software redundant ports on ports
with VLANs running Layer 2 protocols.)
● The primary and redundant ports must have identical VLAN membership.
● The master port is the only port of a load-sharing group that can be configured as either a primary
or redundant port. Also, all ports on the load-sharing group must fail before the software-controlled
redundancy is triggered.
● You must disable the software redundancy on the master port before enabling or disabling load
sharing.
● You can configure only one redundant port for each primary port.
● Recovery may be limited by FDB aging on the neighboring switch for unidirectional traffic. For bidirectional traffic, the recovery is immediate.
Configuring Software-Controlled Redundant Ports
When provisioning software-controlled redundant ports, configure only one side of the link as
redundant. In Figure 39 only the ports on switch C would be configured as redundant.
NOTE
To enable the software-controlled redundant port feature, the primary and redundant ports must have
identical VLAN membership.
To configure a software-controlled redundant port, use the following command:
configure ports <primaryPort> redundant <secondaryPort> {link [on | off]}
The first port specified is the primary port. The second port specified is the redundant port.
To unconfigure a software-controlled redundant port, use the following command and enter the
primary port(s):
unconfigure ports <port_list> redundant
To configure the switch for the Smart Redundancy feature, use the following command:
enable smartredundancy <port_list>
To disable the Smart Redundancy feature, use the following command:
disable smartredundancy <port_list>
Verifying Software-Controlled Redundant Port Configurations
You can verify the software-controlled redundant port configuration by issuing a variety of CLI
commands.
To display the redundant ports as well as which are active or members of load-sharing groups, use the
following command:
show ports redundant
To display information on which ports are primary and redundant software-controlled redundancy
ports, use the following command:
show ports {mgmt | <port_list> | tag <tag>} information {detail}
Refer to “Displaying Port Information” for more information on the show ports information
command.
Configuring Automatic Failover for Combination Ports
Summit Family Switches with Shared Copper/Fiber Gigabit Ports Only.
On Summit family switches with shared copper/fiber gigabit ports, you configure automatic failover
using the combination ports. These ports are called combination ports because either the fiber port or the
copper port is active, but they are never active concurrently. These ports, also called redundant ports,
are shared PHY copper and fiber ports.
If you plan to use the automatic failover feature, ensure that port settings are set correctly for
autonegotiation.
NOTE
You may experience a brief episode of the link going down and recovering during the failover.
To display the port type currently used as well as the preferred media setting, use the following
command:
show ports {mgmt | <port_list> | tag <tag>} information {detail}
Refer to “Displaying Port Information” for more information on the show ports information
command.
There are four ports on the Summit X450a and X450e series switches that are designed as combination
ports for uplink redundancy. When sharing ports, only the fiber medium or only the copper medium
can be active at one time. If the copper medium goes down while transmitting packets, the fiber
medium activates and becomes the primary link; and vice-versa.
Hardware determines when a link is lost and swaps the primary and redundant ports to maintain
stability. After a failover occurs, the switch keeps or sticks with the current port assignment until there
is another failure or until a user changes the assignment using the CLI. To change the uplink failover
assignment, use the following command:
configure ports <port_list> preferred-medium [copper | fiber] {force}
The default preferred-medium is fiber. If you use the force option, it disables automatic failover. If you
force the preferred-medium to fiber and the fiber link goes away, the copper link is not used, even if
available.
NOTE
For more information about combination ports on Summit family switches, refer to the Summit Family
Switches Hardware Installation Guide.
Displaying Port Information
You display summary port configuration information using the show ports {mgmt | <port_list> |
tag <tag>} configuration {no-refresh} and show ports {mgmt | <port_list> | tag
<tag>} information {detail} commands.
The show ports configuration command shows you either summary configuration information on
all the ports, or more detailed configuration information on specific ports. If you specify the no-refresh parameter, the system displays a snapshot of the data at the time you issue the command.
The show ports information command shows you either summary information on all the ports, or
more detailed information on specific ports. The output from the command differs very slightly
depending on the platform you are using.
You can display real-time port utilization information by issuing the following command:
show ports {mgmt | <port_list> | tag <tag> | stack-ports <stacking-port-list>} utilization {bandwidth | bytes | packets}
When you use a parameter (packets, bytes, or bandwidth) with the above command, the display for the
specified type shows a snapshot per port as of the time you issued the command.
DDMI
Digital Diagnostic Monitoring Interface (DDMI) provides critical information about the installed optical
module. It can be used to monitor the condition on XFP, SFP, and SFP+ optical transceiver modules.
The following information is displayed:
● Temperature of the modules in Celsius
● Transmit power in dBm for the module
● Receive power in dBm for the module
● Bias current in mA for the module
● Voltage - AUX-1
● Voltage - AUX-2 (Typically, SFP/SFP+ optics do not support monitoring AUX-2 voltage.)
The feature is supported on the following platforms:
● BlackDiamond 8800—10G8Xc, 10G4Xc, 10G4Xa modules and S-10G1Xc option cards with 10G XFP
optics
● BlackDiamond 8900—10G8X-xl modules and S-10G1Xc option cards with 10G XFP optics
● Summit X250e switches—SFP ZX and LX100 optics
● Summit X450a, X450e switches—SFP ZX and LX100 optics
● Summit X460 switch—SFP ZX and LX100 optics and SFP+ SR, LR and ER optics
● Summit X480 switches and X480 VIM2-10G4X—XFP and SFP ZX and LX100 optics
● Summit X650 switches—SFP ZX and LX100 optics and SFP+ optics ER/LR
● Summit X670 switches—SFP ZX and LX100 1G optics and SFP+ 10G optics
To display basic or detailed system information about these optical modules, use the following
commands:
show ports {<port-list> | tag <tag>} transceiver information
or
show ports {<port-list> | tag <tag>} transceiver information detail
Chapter 6: Universal Port
This chapter includes the following sections:
● Overview
● Configuring Universal Port Profiles and Triggers
● Managing Profiles and Triggers
● Sample Universal Port Configurations
Overview
Universal Port is a flexible framework that enables automatic switch configuration in response to special
events such as:
● User login and logoff
● Device connection to or disconnection from a port
● Time of day
● Event Management System event messages
NOTE
The Universal Port feature is supported only on the platforms listed for this feature in the license tables in
Appendix A, “Feature License Requirements.”
The primary component of the Universal Port feature is the profile, which is a special form of command
script that runs when triggered by the events mentioned above. Profiles execute commands and use
variables as do the scripts described in Chapter 7, “Using CLI Scripting.” The primary difference is that
a profile can be executed manually or automatically, in response to switch events.
NOTE
Special scripts can be run when the switch boots. For more information, see “Using Autoconfigure and
Autoexecute Files” on page 1497.
Universal Port works with the following ExtremeXOS components and third-party products:
● ExtremeXOS Network Login (see Chapter 21, “Network Login”)
● ExtremeXOS LLDP (see Chapter 8, “LLDP”)
● ExtremeXOS CLI Scripting (see Chapter 7, “Using CLI Scripting”)
● ExtremeXOS Event Management System (see Chapter 11, “Status Monitoring and Statistics”)
● RADIUS servers (see Chapter 23, “Security”)
● Active directory services such as LDAP and Microsoft Active Directory
The following are some examples of how you can use Universal Port on a network:
● Automatically provision a VoIP phone and the attached switch port with appropriate Power over
Ethernet (PoE) budget and Quality of Service (QoS) settings when the phone connects.
● Create security policies that can follow a user as the user roams around a campus. For example, an
engineer can walk from Building 1 to Building 5, plug his PC into the network and be authenticated
with the appropriate access rights and ACLs.
● Support separate authentication for VoIP phones and workstations on the same port.
● Create profile templates with variables so that you can re-use templates with different address
ranges and parameters.
● Apply different security policies for different locations (for example, a restricted area).
● Disable wireless access after business hours.
NOTE
The term profile is distinct from the term policy because a policy is only one particular application of a
profile.
The following sections introduce Universal Port concepts:
● Profile Types
● Dynamic Profile Trigger Types
● How User Authentication Profiles Work
● How Device Detect Profiles Work
● Profile Configuration Guidelines
● Collecting Information from Supplicants
● Supplicant Configuration Parameters
● Universal Port Configuration Overview
● Using Universal Port in an LDAP or Active Directory Environment
Profile Types
The ExtremeXOS software supports two types of profiles: static and dynamic. The following sections
describe these profile types:
● Static Profiles
● Dynamic Profiles
Static Profiles
Static profiles are so named because they are not triggered by dynamic system events. To trigger a static
profile, you must enter a CLI command at the switch prompt or run a script that contains the command
to start a static profile. The following guidelines apply to static profiles:
● Static profiles are not limited to individual ports and can include system-wide configuration changes.
● Static profiles are not assigned to a port and are not specific to a device or a user.
● Changes made by static profiles are persistent. They are saved in the switch configuration and are
preserved during system reboots.
Static profiles are typically used to establish default switch settings. Using scripts and variables, you can
create static profiles that serve as templates for initializing switches or reconfiguring switches to
manually respond to network or business events. These templates can simplify complex configuration
tasks such as Netlogin.
Dynamic Profiles
Dynamic profiles are so named because they are dynamically triggered by the following types of events:
● Device discovery and disconnect
● User or standards-based authentication and logoff
● Time of day
● Switch events reported by the Event Management System (EMS)
Dynamic profiles are event or action driven and do not require an administrator to start the profile.
Without dynamic profile support, IT personnel must be available when devices are added, moved, or
changed so they can configure both the network port and the new device. These tasks typically take a
long time, do not support mobility, and are often prone to human error.
When dynamic profiles are configured properly and a device connects to an edge port, a triggering
event triggers a profile that runs a script to configure the port appropriately. The script can use system
run-time variables and information gathered from tools such as NetLogin and LLDP to customize the
port configuration for the current network environment. For example, the profile can customize the port
configuration based on the user ID or MAC address. Dynamic profiles allow you to automate the
network response to a variety of network events.
Dynamic profiles create temporary states. For example, if a power outage causes the switch to restart,
all ports return to the default configuration. When a triggering event such as a specific device
connection occurs again, the profile is applied again. When the device is no longer connected, the
disconnect event can trigger another profile to unconfigure the port.
The temporary state configured by a dynamic profile is configured by prepending the configure cli
mode non-persistent command to the script. The temporary nature of profile configuration is critical
for network security. Imagine a situation where a dynamic security profile is used. If the information
granting access to specific network resources is saved in the configuration, the switch is restarted, and a
user loses network connectivity on a secure port, the secure port still provides network access after the
switch restarts. Anybody else can access network resources simply by connecting to that secure port.
Although the switch configuration returns to the default values after a restart, there is no automatic
configuration rollback for dynamic profiles. For example, if a profile grants secure access to network
resources at user login, the configuration is not automatically rolled back when the user logs off. To roll
back the configuration at user log off, you must create another profile that responds to user log-off
events.
To support configuration rollback, the scripting feature allows you to save information used in dynamic
profiles in variables. When a profile is activated and you want the option to roll back to the previous
default setting, some information must be saved, such as the default VLAN setting or the default
configuration of a port. Essentially anything modified from the previous setting can be preserved for
future use by the profile that rolls back the configuration.
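The following simulation is an added example, not code from the guide or from ExtremeXOS. It models the two points made above: changes applied without the configure cli mode non-persistent command survive a restart, and nothing is rolled back at logoff unless a separate profile does it. The Switch class, the "login" and "logoff" event labels, the $PORT placeholder, and the VLAN name secure are assumptions made for this model.

```python
import re

NON_PERSISTENT = "configure cli mode non-persistent"
VLAN_CMD = re.compile(r"configure vlan (\S+) (add|delete) ports (\S+)")


class Switch:
    """Toy model of VLAN membership with saved and running state."""

    def __init__(self, profiles, triggers):
        self.profiles = profiles   # profile name -> list of CLI lines
        self.triggers = triggers   # event label -> profile name
        self.saved = set()         # (vlan, port) memberships kept across restarts
        self.running = set()       # memberships in effect right now

    def event(self, name, port):
        """Run the profile bound to the event, if any, for the given port."""
        profile = self.triggers.get(name)
        if profile is None:
            return  # no profile bound: nothing is rolled back automatically
        persistent = True
        for raw in self.profiles[profile]:
            # $PORT is this model's placeholder, not an ExtremeXOS variable.
            line = raw.strip().replace("$PORT", port)
            if line == NON_PERSISTENT:
                persistent = False  # later commands change running state only
                continue
            m = VLAN_CMD.fullmatch(line)
            if not m:
                continue
            change = (m[1], m[3])
            targets = [self.running] + ([self.saved] if persistent else [])
            for state in targets:
                if m[2] == "add":
                    state.add(change)
                else:
                    state.discard(change)

    def restart(self):
        """A restart returns the switch to its saved configuration."""
        self.running = set(self.saved)

    def ports_in(self, vlan):
        return sorted(p for v, p in self.running if v == vlan)


def exposure(login_script, logoff_script=None, port="5", vlan="secure"):
    """Return (after_logoff, after_restart): is the port still in the VLAN?"""
    profiles = {"grant": login_script}
    triggers = {"login": "grant"}
    if logoff_script:
        profiles["revoke"] = logoff_script
        triggers["logoff"] = "revoke"
    sw = Switch(profiles, triggers)
    sw.event("login", port)
    sw.event("logoff", port)
    after_logoff = port in sw.ports_in(vlan)
    sw.restart()
    return after_logoff, port in sw.ports_in(vlan)


# Constructed profile scripts for the model.
GRANT_PERSISTENT = ["configure vlan secure add ports $PORT"]
GRANT_TEMPORARY = [NON_PERSISTENT, "configure vlan secure add ports $PORT"]
REVOKE = [NON_PERSISTENT, "configure vlan secure delete ports $PORT"]

if __name__ == "__main__":
    cases = [
        ("persistent grant, no logoff profile", GRANT_PERSISTENT, None),
        ("temporary grant, no logoff profile", GRANT_TEMPORARY, None),
        ("temporary grant, logoff profile", GRANT_TEMPORARY, REVOKE),
        ("persistent grant, logoff profile", GRANT_PERSISTENT, REVOKE),
    ]
    for label, grant, revoke in cases:
        print(label, exposure(grant, revoke))
```

Only the temporary grant paired with a logoff profile leaves the port outside the VLAN both after logoff and after a restart.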
There can be multiple profiles on a switch, but only one profile runs at a time. Data from a trigger event
is used to select the appropriate profile, and that data can also be used to make decision points within a
profile. A typical example is the use of a RADIUS server to specify a particular profile and then apply
port-based policies to the user based on the user’s location.
There is no profile hierarchy and no software validation to detect if a new profile conflicts with an older
profile. If two profiles conflict, the same profile might produce different results, depending on the
events leading up to the profile trigger. When you create profiles, you must be familiar with all profiles
on the switch and avoid creating profiles that conflict with each other.
Dynamic Profile Trigger Types
The following sections introduce each of the dynamic profile trigger types:
● Device Triggers on page 330
● User Authentication Triggers on page 331
● Time Triggers on page 332
● Event Management System Triggers on page 333
Device Triggers
Device triggers launch a profile when a device connects to or disconnects from a port. The two types of
device triggers are labeled device-detect and device-undetect in the software. Profiles that respond to these
triggers are called device-detect profiles or device-undetect profiles.
Typically, a device-detect profile is used to configure a port for the device that has just connected.
Likewise, a device-undetect profile is used to return the port to a default configuration after a device
disconnects. A variety of different devices can be connected to a port. When devices connect to the
network, Universal Port helps provide the right configuration at the port.
Device triggers respond to the discovery protocols IEEE 802.1ab LLDP and ANSI/TIA-1057 LLDP-MED
for Voice-over-IP (VoIP) phone extensions. A device-detect trigger occurs when an LLDP packet reaches
a port that is assigned to a device-detect profile. A device-undetect trigger occurs when periodically
transmitted LLDP packets are not received anymore. LLDP age-out occurs when a device has
disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured
for device-detect or device-undetect profiles. LLDP is described in Chapter 8, “LLDP.”
The combination of device triggers and LLDP enables the custom configuration of devices that connect
to switch ports. For example, Voice-over-IP (VoIP) phones can send and receive information in addition
to normal device identification information. The information sent through LLDP can be used to identify
the maximum power draw of the device. The switch can then set the maximum allocated power for that
port.
If the switch does not have enough PoE left, the switch can take action to lower the PoE loading and try
again. The switch can also transmit additional VoIP files and call server configuration information to the
phone so the phone can register itself and receive necessary software and configuration information.
There can only be one device-detect profile and one device-undetect profile per port. To distinguish
between different connecting devices, you can use if-then-else statements in a profile along with
detailed information provided through LLDP.
User Authentication Triggers
User authentication triggers launch a profile when a user or an identified device logs in or out of the
network using the network login feature described in Chapter 21, “Network Login.” The network login
feature does not permit any access beyond the port until the user or device is authenticated.
The two types of user authentication triggers are labeled user-authenticate and user-unauthenticated in the
software. Profiles that respond to these triggers are called user-authenticate profiles or user-unauthenticated
profiles. Typically, a user-authenticate profile is used to configure a port for a user and device that has
just connected. Likewise, a user-unauthenticated profile is used to return the port to a default
configuration after a user or device disconnects. Successful network login triggers the user-authenticate
profile, and either an explicit logout, a session time out, or a disconnect triggers the user-unauthenticated profile.
NOTE
VoIP phones are also capable of being authenticated before being allowed on the network. The phone
begins 802.1x authentication based on a personal username and password. This authentication step is available
and supported by the latest firmware from vendors such as Avaya and Mitel.
Network login requires a RADIUS server for user or device authentication. The RADIUS server
provides the following features:
● Centralized database for network authentication
● Further centralization when connected to an LDAP or Active Directory database
● Dynamic switch configuration through Vendor Specific Attributes (VSAs)
VSAs are values that are passed from the RADIUS server to the switch after successful authentication.
VSAs can be used by the switch to configure connection attributes such as security policy, VLAN, and
location. For more information on RADIUS and VSAs, see Chapter 23, “Security.”
The following sections introduce each of the network login event types that can trigger profiles:
● 802.1x Network Login on page 331
● MAC-Based Network Login on page 332
● Web-Based Network Login on page 332
802.1x Network Login. Network login 802.1x requires 802.1x client software on the device to be
authenticated. At login, the user supplies a user name and password, which the switch passes to the
RADIUS server for authentication. When the user passes authentication, the RADIUS server notifies the
switch, and the user-authenticate profile is triggered.
One advantage of 802.1x network login is that it can uniquely identify a user. A disadvantage is that not
all devices support 802.1x authentication. For more information, see Chapter 21, “Network Login.”
MAC-Based Network Login. MAC-based network login requires no additional software, and it does
not require any interaction with the user. When network login detects a device with a MAC address
that is configured on the switch, the switch passes the MAC address and an optional password to the
RADIUS server for authentication. When the device passes authentication, the RADIUS server notifies
the switch, and the user-authenticate profile is triggered.
One advantage of MAC-based network login is that it requires no special software. A disadvantage is
that security is based on the MAC address of the client, so the network is more vulnerable to spoofing
attacks. For more information, see Chapter 21, “Network Login.”
NOTE
MAC-based authentication can also be used to identify devices. For example, an entire MAC address or
some bits of the MAC address can identify a device and trigger switch port auto-configuration similar to the LLDP-based device detect event. The difference between MAC-based authentication and LLDP authentication is that
MAC-based authentication does not provide information on the connected device. The advantage of MAC-based
authentication is that it enables non-LLDP devices to trigger profiles.
Web-Based Network Login. Web-based network login requires a DHCP server and may require a
DNS server. At login, the user supplies a user name and password through a Web browser client, which
the switch passes to the RADIUS server for authentication. When the user passes authentication, the
RADIUS server notifies the switch, and the user-authenticate profile is triggered.
Some advantages of Web-based network login are that it can uniquely identify a user and it uses
commonly available Web client software. Some disadvantages are a lower level of security and the IP
configuration requirement. For more information, see Chapter 21, “Network Login.”
Time Triggers
Time triggers launch a profile at a specific time of day or after a specified period of time. For example,
you can use time triggers to launch profiles at the following times:
● 6 p.m. every day
● One-time after 15 minutes
● 1 hour intervals
You might use a time trigger to launch a profile to disable guest VLAN access, shut down a wireless
service, or power down a port after business hours. Time triggers enable profiles to perform timed
backups for configurations, policies, statistics, and so forth. Anything that needs to happen on a regular
basis or at a specific time can be incorporated into a time-of-day profile.
A profile that uses a time trigger is called a time-of-day profile. Time-of-day profiles are not limited to
non-persistent-capable CLI commands and can use any command in the ExtremeXOS CLI.
Unlike the device-detect and user-authenticate triggers, time triggers do not have an equivalent function
to the device-undetect or user-unauthenticated triggers. If you need the ability to unconfigure changes
made in a time-of-day profile, just create another time-of-day profile to make those changes.
Event Management System Triggers
EMS-event triggers launch a profile when EMS produces a message that conforms to a predefined
definition that is configured on the switch. The ExtremeXOS EMS feature is described in Chapter
11, “Status Monitoring and Statistics.”
Profiles that respond to EMS-event triggers are called EMS-event profiles. Typically, an EMS-event profile
is used to change the switch configuration in response to a switch or network event.
The EMS events that trigger Universal Port profiles are defined in EMS filters and can be specified in
more detail with additional CLI commands. You can create EMS filters that specify events as follows:
● Component.subcomponent
● Component.condition
● Component.subcomponent.condition
You can use the show log components command to display all the components and subcomponents
for which you can filter events. If you specify a filter to take action on a component or subcomponent,
any event related to that component triggers the profile. You can use the show log events all
command to display all the conditions or events for which you can filter events. If you decide that you
want to configure a profile to take action on an ACL policy change, you can add a filter for the
ACL.Policy.Change event.
You can further define an event that triggers a Universal Port profile by specifying an event severity
level and text that must be present in an event message.
When a specified event occurs, event information is passed to the Universal Port profile in the form of
variables, which can be used to modify the switch configuration.
EMS-triggered profiles allow you to configure responses for any EMS event listed in the show log
components and show log events all commands. However, you must be careful to select the correct
event and corresponding response for each profile. For example, if you attempt to create a Universal
Port log target for a specific event (component.subcomponent.condition) and you accidentally specify a
component (component), the profile is applied to all events related to that component. Using EMS-triggered profiles is similar to switch programming. They provide more control and therefore more
opportunity for misconfiguration.
Unlike the device-detect and user-authenticate triggers, EMS event triggers do not have an equivalent
function to the device-undetect or user-unauthenticated triggers. If you need the ability to unconfigure
changes made in an EMS-event profile, just create another static or dynamic profile to make those
changes.
How Device Detect Profiles Work
Device detect profiles enable dynamic port configuration without the use of a RADIUS server. Device-detect profiles and device undetect profiles are triggered as described earlier in “Device Triggers” on
page 330.
When a device connects to a port that has a device-detect profile configured, the switch runs the
specified profile and stops. Only one device detect profile can be configured for a port, so the same
profile runs each time a device is detected on the port. Only one device-undetect profile can be
configured for a port, so the same profile is run each time the switch detects that all previously connected devices are no longer connected.
How User Authentication Profiles Work
User-authentication profiles can be assigned to user groups or individual users. Typically, a company
creates profiles for groups such as software engineering, hardware engineering, marketing, sales,
technical support, operations, and executive. These kinds of categories make profile management more
streamlined and simple.
The authentication process starts when a switch receives an authentication request through network
login. The authentication request can be for a specific user or a MAC address. A user name and
password might be entered directly or by means of other security instruments, such as a smart card. A
MAC address would be provided by LLDP, which would need to be operating on the ingress port.
Network login enforces authentication before granting access to the network. All packets sent by a client
on the port do not go beyond the port into the network until the user is authenticated through a
RADIUS server.
The switch authenticates the user through a RADIUS server, which acts as a centralized authorization
point for all network devices. The RADIUS server can contain the authentication database, or it can
serve as a proxy for a directory service database, such as LDAP or Active Directory. The switch also
supports optional backup authentication through the local switch database when a RADIUS server is
unavailable.
The RADIUS server responds to the switch and either accepts or denies user authentication. When user
authentication is accepted, the RADIUS server can also send Vendor Specific Attributes (VSAs) in the
response. The VSAs can specify configuration data for the user such as the Universal Port profile to run
for logon, a VLAN name, a user location, and a Universal Port profile to run for logout. Extreme
Networks has defined vendor specific attributes that specify configuration settings and can include
variables to be processed by the Universal Port profile. If profile information is not provided by the
RADIUS server, the user-authenticate profile is used.
Profiles are stored and processed on the switch. When a user name or MAC address is authenticated,
the switch places the appropriate port in forwarding mode and runs either a profile specified by the
RADIUS server, or the profile defined for the authentication event. The profile configures the switch
resources for the user and stops running until it is activated again.
When a user or MAC address is no longer active on the network, due to logoff, disconnect, or inactivity,
user unauthentication begins. To complete unauthentication, the switch stops forwarding on the
appropriate port and does one of the following:
1 Run an unauthenticate profile specified by the RADIUS server during authentication
2 Run an unauthenticate profile configured on the switch and assigned to the affected port
3 Run the authenticate profile used to authenticate the user initially
The preferred unauthenticate profile is one specified by the RADIUS server during authentication. If no
unauthenticate profiles are specified, the switch runs the authenticate profile used to authenticate the
user or device.
Profile Configuration Guidelines
You can configure both static and dynamic profiles using the command line interface (CLI) or the
Ridgeline Universal Port Manager.
This section presents the following topics:
● Obtaining Profiles on page 335
● Profile Rules on page 335
● Multiple Profiles on the Same Port on page 335
● Supported Configuration Commands and Functions on page 336
● Universal Port Variables on page 337
Obtaining Profiles
You can write your own profiles, or you can obtain profiles from the Extreme Networks website,
another Extreme Networks user or partner, or Extreme Networks professional services. Sample profiles
are listed in “Sample Universal Port Configurations” on page 350. The Universal Port Handset
Provisioning Module is a collection of profiles and documentation that is available with other samples
on the Extreme Networks website.
Profile Rules
All profiles have the following restrictions:
● Maximum 5000 characters in a profile.
● Maximum 128 profiles on a switch.
● Profiles are stored as part of the switch configuration file.
● Copy and paste is the only method to transfer profile data using the CLI.
● Unless explicitly preceded with the command configure cli mode persistent, all non-persistent-capable commands operate in non-persistent mode when operating in dynamic profiles.
● Unless explicitly preceded with the command configure cli mode non-persistent, all non-persistent-capable commands operate in persistent mode when operating in static profiles.
NOTE
There is no profile hierarchy, which means users must verify there are no conflicting rules in static and
dynamic profiles. This is a normal requirement for ACLs, and is standard when using policy files or dynamic ACLs.
NOTE
When the switch is configured to allow non-persistent-capable commands to operate in non-persistent
mode, the switch configuration can roll back to the configuration that preceded the entry of the non-persistent-capable commands. This roll back behavior enables ports to return to their initial state when a reboot or power
cycle occurs.
Multiple Profiles on the Same Port
Multiple Universal Port profiles can be created on a switch, but only one profile per event can be
applied per port. Different profiles on the same port apply to different events; for example, different
authentication events for different devices or users.
You can configure multiple user profiles on a port or a group of ports. For instance, you might create
user-authentication profiles for different groups of users, such as Engineering, Marketing, and Sales.
You can also configure a device-triggered profile on a port that supports one or more user profiles.
However, you can configure only one device-triggered profile on a port.
Supported Configuration Commands and Functions
Static and dynamic profiles support the full ExtremeXOS command set and the built-in functions
described in Chapter 7, “Using CLI Scripting.” However, a subset of these commands operates by
default in non-persistent mode when executed in a dynamic profile. Commands that are executed in
persistent mode become part of the saved switch configuration that persists when the switch is
rebooted. Commands that are executed in non-persistent mode configure temporary changes that are
not saved in the switch configuration and do not persist when the switch is rebooted.
Most commands operate only in persistent mode. The subset of commands that operate in non-persistent mode are called non-persistent-capable commands. The Universal Port feature uses the non-persistent-capable commands to configure temporary changes that could create security issues if the
switch were rebooted or reset. The use of non-persistent-capable commands in scripts and Universal
Port profiles allows you to make temporary configuration changes without affecting the default
configuration the next time the switch is started.
Table 32 shows the non-persistent capable CLI commands.
Table 32: Non-Persistent-Capable Configuration Commands

CLI Commands

ACL Commands
  Dynamic ACL syntax allows the application of all ACLs
  configure access-list add <dynamic_rule> [ [[first | last] {priority <p_number>} {zone <zone>} ] | [[before | after] <rule>] | [ priority <p_number> {zone <zone>} ]] [ any | vlan <vlanname> | ports <portlist> ] {ingress | egress}
  configure access-list delete <ruleName> [ any | vlan <vlanname> | ports <portlist> | all] {ingress | egress}

LLDP
  configure lldp ports <portlist> [advertise|don'tadvertise]...

Port
  disable port [<port_list> | all]
  disable jumbo-frame ports [all | <port_list>]
  enable port [<port_list> | all]
  enable jumbo-frame ports [all | <port_list>]

Power over Ethernet
  configure inline-power label <string> ports <port_list>
  configure inline-power operator-limit <milliwatts> ports [all |<port_list>]
  configure inline-power priority [critical | high | low] ports <port_list>
  disable inline-power
  disable inline-power ports [all | <port_list>]
  disable inline-power slot <slot>
  enable inline-power
  enable inline-power ports [all | <port_list>]
  enable inline-power slot <slot>
  unconfigure inline-power priority ports [all | <port_list>]

VLAN
  configure {vlan} <vlan_name> add ports [<port_list> | all] {tagged | untagged} {{stpd} <stpd_name>} {dot1d | emistp | pvst-plus}}
  configure ip-mtu <mtu> vlan <vlan_name>

QOS/Rate-limiting
  802.1p priority assignment to traffic on a port
  configure ports <port_list> {qosprofile} <qosprofile>

Show Commands
  All show commands can be executed in non-persistent mode.

By default, all commands operate in persistent mode with the following exceptions:
● In Universal Port dynamic profiles, the non-persistent-capable commands operate in non-persistent mode unless preceded by the configure cli mode persistent command in the profile.
● In the CLI, CLI scripts, and static profiles, the non-persistent-capable commands operate in non-persistent mode only when preceded by the configure cli mode non-persistent command.
You can use the configure cli mode persistent command and the configure cli mode non-persistent command to change the mode of operation for non-persistent-capable commands multiple
times within a script, profile, or configuration session.
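The mode rules above can be checked mechanically before a profile is pasted onto a switch. The following Python sketch is an added example, not code from this guide or from Extreme Networks: it classifies each line of a profile as persistent or non-persistent using the command shapes in Table 32, so that commands in a dynamic profile that would survive a reboot stand out. The regular expressions, the sample profile, and the names in it (corp, allow_corp, guest_tmp) are assumptions.

```python
import re

# Command shapes from Table 32. The regexes are this example's approximation
# of that syntax (qp<N> as the form of a QoS profile name is an assumption).
NON_PERSISTENT_CAPABLE = [re.compile(p, re.IGNORECASE) for p in (
    r"configure access-list (add|delete)\b",
    r"configure lldp ports\b",
    r"(enable|disable) (port|jumbo-frame ports)\b",
    r"configure inline-power (label|operator-limit|priority)\b",
    r"(enable|disable) inline-power\b",
    r"unconfigure inline-power priority ports\b",
    r"configure (vlan )?\S+ add ports\b",
    r"configure ip-mtu \S+ vlan\b",
    r"configure ports \S+ (qosprofile )?qp\d+\s*$",
    r"show\b",
)]
MODE_SWITCH = re.compile(
    r"configure cli mode (persistent|non-persistent)\s*$", re.IGNORECASE)
MAX_PROFILE_CHARS = 5000  # profile rule: maximum 5000 characters in a profile

# Constructed sample profile; VLAN and ACL rule names are hypothetical.
SAMPLE_PROFILE = """\
# constructed user-authenticate profile
configure vlan corp add ports $EVENT.USER_PORT untagged
configure access-list add allow_corp first ports $EVENT.USER_PORT ingress
configure cli mode persistent
enable port $EVENT.USER_PORT
configure cli mode non-persistent
configure ports $EVENT.USER_PORT qosprofile qp5
create vlan guest_tmp
"""


def audit_profile(text, profile_type):
    """Return [(line_no, command, effective_mode)] for each command line.

    profile_type is "dynamic" or "static" and sets the mode in which
    non-persistent-capable commands start out. Blank lines and # comments
    are skipped; scripting statements are not modelled.
    """
    if profile_type not in ("dynamic", "static"):
        raise ValueError("profile_type must be 'dynamic' or 'static'")
    capable_mode = "non-persistent" if profile_type == "dynamic" else "persistent"
    results = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("#"):
            continue
        switch = MODE_SWITCH.match(cmd)
        if switch:
            # The switch applies to every capable command that follows it.
            capable_mode = switch.group(1).lower()
            continue
        capable = any(p.match(cmd) for p in NON_PERSISTENT_CAPABLE)
        # Commands outside Table 32 always run in persistent mode.
        results.append((line_no, cmd, capable_mode if capable else "persistent"))
    return results


def persistent_lines(text, profile_type):
    """Line numbers of commands that become part of the saved configuration."""
    return [n for n, _, mode in audit_profile(text, profile_type)
            if mode == "persistent"]


def exceeds_size_limit(text):
    """True when the profile is longer than the 5000-character limit."""
    return len(text) > MAX_PROFILE_CHARS


if __name__ == "__main__":
    for line_no, cmd, mode in audit_profile(SAMPLE_PROFILE, "dynamic"):
        flag = "  <-- survives reboot" if mode == "persistent" else ""
        print(f"{line_no:>2} {mode:<14} {cmd}{flag}")
```

In a dynamic profile, every line reported as persistent is a change that remains on the port after a restart and needs an explicit rollback profile.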
Universal Port Variables
Universal Port uses CLI Scripting variables (see Chapter 7, “Using CLI Scripting”) to make system and
trigger event information available to profiles. Variables allow you to create profiles and scripts that
respond to the state of the switch as defined in the variables. When a profile is triggered, the system
passes variables to the profile. You can also create and use variables of your own. User-defined
variables are limited to the current context unless explicitly saved.
NOTE
You must enable CLI scripting before using variables or executing a script.
If you save variables (as described in “Saving, Retrieving, and Deleting Session Variables” on page 384),
certain data from one profile can be reused in another profile for another event. For example, between
login and logout events, the data necessary for the rollback of a port configuration can be shared.
The following sections describe the variables that are available to profiles:
● Common Variables on page 338
● User Profile Variables on page 338
● Device Detect Profile Variables on page 339
● Event Profile Variables on page 339
Common Variables. Table 33 shows the variables that are always available for use by any script. These
variables are set up for use before a script or profile is executed.
Table 33: Common Variables

| Variable Syntax | Definition |
|---|---|
| $STATUS | Status of last command execution. |
| $CLI.USER | Username for the user who is executing this CLI. |
| $CLI.SESSION_ID | An identifier for a session. This identifier is available for the roll-back event when a device or user times out. |
| $CLI.SESSION_TYPE | Type of session of the user. |
| $EVENT.NAME | This is the event that triggered this profile. |
| $EVENT.TIME | Time this event occurred. The time is in seconds since epoch. |
| $EVENT.TIMER_TYPE | Type of timer, which is periodic or non_periodic. |
| $EVENT.TIMER_NAME | Name of the timer that the Universal Port is invoking. |
| $EVENT.TIMER_LATE_SECS | Time difference between when the timer fired and when the actual shell was run in seconds. (a) |
| $EVENT.PROFILE | Name of the profile that is being run currently. |

a. In ExtremeXOS Release 12.0, this variable was named $EVENT.TIMER_DELTA_SECS.

User Profile Variables. Table 34 shows the variables available to user profiles.
Table 34: User Profile Variables

| Variable Syntax | Definition |
|---|---|
| $EVENT.USERNAME | Name of user authenticated. This is a string with the MAC address for MAC-based user-login. |
| $EVENT.NUMUSERS | Number of authenticated supplicants on this port after this event occurred. NOTE: For user-authenticated events, the initial value of this variable is 0. For user unauthenticated events, the initial value is 1. |
| $EVENT.USER_MAC | MAC address of the user. |
| $EVENT.USER_PORT | Port associated with this event. |
| $EVENT.USER_VLAN | VLAN associated with this event or user. |
| $EVENT.USER_ALL_VLANS | When a user is authenticated to multiple VLANs, this variable includes all VLANs for which the user is authenticated. |
| $EVENT.USER_IP | IP address of the user if applicable. Otherwise, this variable is blank. |

Device Detect Profile Variables. Table 35 shows the variables available to device detect profiles.
Table 35: Device Profile Variables

| Variable Syntax | Definition |
|---|---|
| $EVENT.DEVICE | Device identification string. Possible values for EVENT.DEVICE are: AVAYA_PHONE, GEN_TEL_PHONE, ROUTER, BRIDGE, REPEATER, WLAN_ACCESS_PT, DOCSIS_CABLE_SER, STATION_ONLY and OTHER. These strings correspond to the devices that the LLDP application recognizes and reports to the Universal Port management application. |
| $EVENT.DEVICE_IP | The IP address of the device (if available). Blank if not available. |
| $EVENT.DEVICE_MAC | The MAC address of the device (if available). Blank if not available. |
| $EVENT.DEVICE_POWER | The power of the device in milliwatts (if available). Blank if not available. |
| $EVENT.DEVICE_MANUFACTURER_NAME | The manufacturer of the device. |
| $EVENT.DEVICE_MODEL_NAME | Model name of the device. |
| $EVENT.USER_PORT | Port associated with the event. |

Event Profile Variables. Table 36 shows the variables available to event profiles.
Table 36: Event Profile Variables

| Variable Syntax | Definition |
|---|---|
| $EVENT.NAME | The event message. |
| $EVENT.LOG_DATE | The event date. |
| $EVENT.LOG_TIME | The event time. |
| $EVENT.LOG_COMPONENT_SUBCOMPONENT | The component and subcomponent affected by the event as it appears in the show log components command display. |
| $EVENT.LOG_EVENT | The event condition as it appears in the show log events command display. |
| $EVENT.LOG_FILTER_NAME | The EMS filter that triggered the profile. |
| $EVENT.LOG_SEVERITY | The event severity level defined in EMS. |
| $EVENT.LOG_MESSAGE | The event message with arguments listed in the format %1%. |
| $EVENT.LOG_PARAM_0 to $EVENT.LOG_PARAM_9 | Event arguments 0 to 9. |

Collecting Information from Supplicants
A supplicant is a device such as a VoIP phone or workstation that connects to the switch port and
requests network services. As described in Chapter 8, “LLDP,” LLDP is a protocol that can be used to
collect information about device capabilities from attached devices or supplicants.
To use Universal Port with LLDP, you must enable LLDP on the port.
NOTE
Avaya and Extreme Networks have developed a series of extensions for submission to the standards
consortium for inclusion in a later version of the LLDP-MED standard:
- Avaya Power conservation mode
- Avaya file server
- Avaya call server
The following is an example of information provided through LLDP about an IP phone:
LLDP Port 1 detected 1 neighbor
  Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
    - Chassis ID type: Network address (5); Address type: IPv4 (1)
      Chassis ID               : 192.168.10.168
    - Port ID type: MAC address (3)
      Port ID                  : 00:04:0D:E9:AF:6B
    - Time To Live: 120 seconds
    - System Name: "AVAE9AF6B"
    - System Capabilities : "Bridge, Telephone"
      Enabled Capabilities: "Bridge, Telephone"
    - Management Address Subtype: IPv4 (1)
      Management Address       : 192.168.10.168
      Interface Number Subtype : System Port Number (3)
      Interface Number         : 1
      Object ID String         : "1.3.6.1.4.1.6889.1.69.1.13"
    - IEEE802.3 MAC/PHY Configuration/Status
      Auto-negotiation         : Supported, Enabled (0x03)
      Operational MAU Type     : 100BaseTXFD (16)
    - MED Capabilities: "MED Capabilities, Network Policy, Inventory"
      MED Device Type : Endpoint Class III (3)
    - MED Network Policy
      Application Type : Voice (1)
      Policy Flags     : Known Policy, Tagged (0x1)
      VLAN ID          : 0
      L2 Priority      : 6
      DSCP Value       : 46
    - MED Hardware Revision: "4625D01A"
    - MED Firmware Revision: "b25d01a2_7.bin"
    - MED Software Revision: "a25d01a2_7.bin"
    - MED Serial Number: "061622014487"
    - MED Manufacturer Name: "Avaya"
    - MED Model Name: "4625"
    - Avaya/Extreme Conservation Level Support
      Current Conservation Level: 0
      Typical Power Value      : 7.4 Watts
      Maximum Power Value      : 9.8 Watts
      Conservation Power Level : 1=7.4W
    - Avaya/Extreme Call Server(s): 192.168.10.204
    - Avaya/Extreme IP Phone Address: 192.168.10.168 255.255.255.0
      Default Gateway Address  : 192.168.10.254
    - Avaya/Extreme CNA Server: 0.0.0.0
    - Avaya/Extreme File Server(s): 192.168.10.194
    - Avaya/Extreme IEEE 802.1q Framing: Tagged
NOTE
LLDP is tightly integrated with IEEE 802.1x authentication at edge ports. When used together, LLDP
information from authenticated end point devices is trustable for automated configuration purposes. This tight
integration between 802.1x and LLDP protects the network from automation attacks.
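As an added example (not code from this guide), the Python sketch below parses a neighbor display of the kind shown above and turns the advertised maximum power into the operator-limit command listed in Table 32, acting on the LLDP data only when the caller states that the device on the port passed 802.1x. The sample text is a constructed excerpt of that display; the authentication flag and the site power cap are assumptions of this sketch.

```python
import re

# Constructed excerpt, laid out like the neighbor display earlier in this section.
SAMPLE_NEIGHBOR = """\
LLDP Port 1 detected 1 neighbor
  Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
    - Port ID type: MAC address (3)
      Port ID                  : 00:04:0D:E9:AF:6B
    - System Capabilities : "Bridge, Telephone"
    - MED Manufacturer Name: "Avaya"
    - MED Model Name: "4625"
    - Avaya/Extreme Conservation Level Support
      Typical Power Value      : 7.4 Watts
      Maximum Power Value      : 9.8 Watts
"""


def parse_neighbor(text):
    """Parse the 'Key: value' lines of a neighbor display into a dict.

    Both layouts in the display are handled: '- Key: value' items and the
    indented 'Key   : value' continuation lines. Only the first colon splits
    key from value, so MAC addresses stay intact. Lines without a value
    (the banner, section headings) are ignored.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields[key.strip()] = value.strip().strip('"')
    return fields


def max_power_mw(fields):
    """Advertised maximum power in milliwatts, or None if absent or malformed."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?) Watts",
                         fields.get("Maximum Power Value", ""))
    return round(float(match.group(1)) * 1000) if match else None


def poe_limit_command(fields, port, authenticated, cap_mw):
    """Build the operator-limit CLI line, or return None when nothing is done.

    LLDP fields are self-reported by the attached device, so this sketch
    ignores them unless the port's device is 802.1x authenticated
    (authenticated is supplied by the caller). cap_mw is a hypothetical
    site ceiling that an advertised value can never raise.
    """
    power = max_power_mw(fields)
    if not authenticated or power is None:
        return None
    return f"configure inline-power operator-limit {min(power, cap_mw)} ports {port}"


if __name__ == "__main__":
    neighbor = parse_neighbor(SAMPLE_NEIGHBOR)
    print(neighbor["MED Manufacturer Name"], neighbor["MED Model Name"])
    print(poe_limit_command(neighbor, 1, authenticated=True, cap_mw=15400))
    print(poe_limit_command(neighbor, 1, authenticated=False, cap_mw=15400))
```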
Supplicant Configuration Parameters
As described in Chapter 8, “LLDP,” LLDP is a protocol that can be used to configure attached devices or
supplicants. The following LLDP parameters are configurable on the switch ports when device-detect
profiles execute:
● VLAN Name
● Port VLAN ID
● Power Conservation Mode
● Avaya File Server
● Avaya Call server
● 802.1Q Framing
Universal Port Configuration Overview
Because Universal Port operates with multiple ExtremeXOS software features and can operate with
multiple third-party products, Universal Port configuration can require more than just the creation of
profiles and triggers. No single overview procedure can cover all the possible Universal Port
configurations. The following sections provide overviews of the following common types of Universal
Port configurations:
● Device-Detect Configurations on page 341
● User-Authentication Configurations on page 342
● Time-of-Day Configurations on page 343
● EMS-Event Configurations on page 343
Device-Detect Configurations
A Universal Port device-detect configuration requires only a switch and supplicants. If PoE devices will
connect to the switch, the switch should support PoE. Supplicants should support LLDP in the
applicable software or firmware.
NOTE
To support supplicant configuration, you might consider adding a DHCP server to your network.
Use the following procedure to configure Universal Port for device detection:
1 Create a device-detect profile as described in “Creating and Configuring New Profiles” on page 345.
2 Create a device-undetect profile as described in “Creating and Configuring New Profiles” on
page 345.
3 Assign the device-detect profile to the edge ports as described in “Configuring a Device Event
Trigger” on page 345.
4 Assign the device-undetect profile to the edge ports as described in “Configuring a Device Event
Trigger” on page 345.
5 Verify that correct profiles are assigned to correct ports by entering the following command:
show upm events <event-type>
6 Enable LLDP message advertisements on the ports that are configured for device-detect profiles as
described in Chapter 8, “LLDP.”
7 Test profile operation as described in “Verifying a Universal Port Profile” on page 349.
User-Authentication Configurations
A Universal Port user-authenticate configuration requires the following components:
● An Extreme Networks switch, which might need to include PoE support.
● RADIUS server for user authentication and VSA transmission.
● Supplicants that support the authentication method you select. LLDP support is recommended, but
is optional when MAC address authentication is used.
NOTE
To support supplicant configuration, you might consider adding a DHCP server to your network. For VoIP
applications, you can use a TFTP server and a call server to provide for additional supplicant configuration.
Use the following procedure to configure Universal Port for user login:
1 Configure the RADIUS server as described in Chapter 23, “Security.” The configuration should
include the following:
- User ID and password for RADIUS clients.
- Extreme Networks custom VSAs.
- Addition of the edge switch as a RADIUS client.
2 Create a user-authenticate profile as described in “Creating and Configuring New Profiles” on
page 345.
3 Create a user-unauthenticate profile as described in “Creating and Configuring New Profiles” on
page 345.
4 Assign the user-authenticate profile to the edge ports as described in “Configuring a User Login or
Logout Event Trigger” on page 346.
5 Assign the user-unauthenticate profile to the edge ports as described in “Configuring a User Login
or Logout Event Trigger” on page 346.
6 Configure network login on the edge switch as described in Chapter 21, “Network Login.”
7 Configure the edge switch as a RADIUS client as described in Chapter 23, “Security.”
8 Verify that correct profiles are assigned to correct ports by entering the following command:
show upm events <event-type>
9 Enable LLDP message advertisements on the ports that are configured for device-detect profiles as
described in Chapter 8, “LLDP.”
10 Test profile operation as described in “Verifying a Universal Port Profile” on page 349.
Time-of-Day Configurations
To configure Universal Port to use a time-of-day profile, use the following procedure:
1 Create a profile as described in “Creating and Configuring New Profiles” on page 345.
2 Create and configure a timer as described in “Configuring a Universal Port Timer” on page 346.
3 Create the timer trigger and attach it to the profile as described in “Configuring a Timer Trigger” on
page 346.
EMS-Event Configurations
To configure Universal Port to use an EMS-event profile, use the following procedure:
1 Create the EMS-Event profile as described in “Creating and Configuring New Profiles” on page 345.
2 Create and configure an event filter to identify the trigger event as described in “Creating an EMS
Event Filter” on page 346.
3 Create the event trigger and attach it to the profile and filter as described in “Configuring an EMS
Event Trigger” on page 347.
4 Enable the event trigger as described in “Enabling and Disabling an EMS Event Trigger” on
page 347.
Using Universal Port in an LDAP or Active Directory Environment
The RADIUS server can operate in proxy mode with information stored in a central directory service
such as LDAP or Active Directory. This proxy mode is configured between the RADIUS server and the
central directory service. Once configured, supplicants can be authenticated from the central directory
service. For more information, see the following:
● “Setting Up Open LDAP” in Chapter 23, “Security”
● RADIUS server product documentation
● Product documentation for your central directory service
Configuring Universal Port Profiles and Triggers
You can configure both static and dynamic profiles using the command line interface (CLI) or the
Ridgeline Universal Port Manager. This section describes the following configuration tasks using the
CLI:
● Creating and Configuring New Profiles
● Editing an Existing Profile
● Configuring a Device Event Trigger
● Configuring a User Login or Logout Event Trigger
● Configuring a Universal Port Timer
● Configuring a Timer Trigger
● Creating an EMS Event Filter
● Configuring an EMS Event Trigger
● Enabling and Disabling an EMS Event Trigger
● Unconfiguring a Timer
NOTE
In the CLI, “upm” is used as an abbreviation for the Universal Port feature.
Creating and Configuring New Profiles
When you create and configure a new profile, you are basically writing a script within a profile that can
be triggered by system events. For more information on the rules, commands, and variables that apply
to profiles, see “Profile Configuration Guidelines” on page 334.
To create and configure a new profile, enter the following command:
configure upm profile <profile-name> maximum execution-time <seconds>
After you enter the command, the switch prompts you to add command statements to the profile as
shown in the following example:
X450e-24p.3 # create upm profile detect-voip
Start typing the profile and end with a . as the first and the only character on a
line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Script_DETECT-voip
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
.
X450e-24p.4 #
The example above creates a log entry and sets some variables, but it is not complete. This example
shows that after you enter the create upm profile command, you can enter system commands. When
you have finished entering commands, you can exit the profile creation mode by typing the period
character at the start of a line and pressing <Enter>.
Editing an Existing Profile
To edit an existing profile, enter the following command:
edit upm profile <profile-name>
Configuring a Device Event Trigger
There are two types of device event triggers, which are named as follows in the CLI: device-detect and
device-undetect. When you configure a device event trigger, you assign one of the two device event
trigger types to a profile and specify the ports to which the triggered profile applies. To configure a
device event trigger, use the following command:
configure upm event <upm-event> profile <profile-name> ports <port_list>
Replace <upm-event> with one of the device event trigger types: device-detect or device-undetect.
Configuring a User Login or Logout Event Trigger
There are two types of user event triggers, which are named as follows in the CLI: user-authenticate and
user-unauthenticated. When you configure a user event trigger, you assign one of the two user event
trigger types to a profile and specify the ports to which the triggered profile applies. To configure a user
event trigger, use the following command:
configure upm event <upm-event> profile <profile-name> ports <port_list>
Replace <upm-event> with one of the user event trigger types: user-authenticate or user-unauthenticated.
Configuring a Universal Port Timer
To configure a Universal Port timer, you must complete two steps:
1 Create the timer.
2 Configure the timer.
To create the timer, use the following command:
create upm timer <timer-name>
To configure the timer, use the following commands:
configure upm timer <timer-name> after <time-in-secs> {every <seconds>}
configure upm timer <timer-name> at <month> <day> <year> <hour> <min> <secs> {every
<seconds>}
Configuring a Timer Trigger
When you configure a timer trigger, you assign a configured timer to a profile. When the configured
time arrives, the switch executes the profile.
To configure a timer trigger, use the following command:
configure upm timer <timerName> profile <profileName>
Replace <timerName> with the timer name and <profileName> with the profile name.
Creating an EMS Event Filter
An EMS event filter identifies an event that can be used to trigger a profile. To create an EMS event
filter, use the following procedure:
1 Create a log filter to identify the event using the following command:
create log filter <name> {copy <filter name>}
2 Configure the log filter using the following commands:
configure log filter <name> [add | delete] {exclude} events [<event-condition> |
[all | <event-component>] {severity <severity> {only}}]
configure log filter <name> [add | delete] {exclude} events [<event-condition> |
[all | <event-component>] {severity <severity> {only}}] [match | strict-match]
<type> <value>
Configuring an EMS Event Trigger
When you configure an EMS event trigger, you identify an EMS filter that defines the event and a
profile that runs when the event occurs. To configure an EMS event-triggered profile, use the following
procedure:
1 Create a log target to receive the event notification using the following command:
create log target upm {<upm_profile_name>}
2 Configure the log target to specify a filter and any additional parameters that define the event with
the following commands:
configure log target upm {<upm_profile_name>} filter <filter-name> {severity
[[<severity>] {only}]}
configure log target upm {<upm_profile_name>} match {any | <regex>}
Enabling and Disabling an EMS Event Trigger
When you configure an EMS event trigger, it is disabled. To enable an EMS event trigger or disable a
previously enabled trigger, use the following commands:
enable log target upm {<upm_profile_name>}
disable log target upm {<upm_profile_name>}
Unconfiguring a Timer
To unconfigure a timer, use the following command:
unconfigure upm timer <timerName> profile <profileName>
Managing Profiles and Triggers
This section describes the following tasks:
● Manually Executing a Static or Dynamic Profile
● Displaying a Profile
● Displaying Timers
● Displaying Universal Port Events
● Displaying Profile History
● Verifying a Universal Port Profile
● Handling Profile Execution Errors
● Disabling and Enabling a Profile
● Deleting a Profile
● Deleting a Timer
● Deleting an EMS Event Trigger
Manually Executing a Static or Dynamic Profile
Profiles can be run from the command line interface by configuring the system to run as it would when
the trigger events happen. This facility is provided to allow you to test how the system behaves when
the actual events happen. The actual configuration is applied to the switch when the profile is run.
To manually execute a profile, use the following command:
run upm profile <profile-name> {event <event-name>} {variables <variable-string>}
Example:
run upm profile afterhours
If the variables keyword is not present, but an events variable is specified, the user is prompted for
various environment variables appropriate for the event, including the VSA string for user
authentication.
NOTE
Variables are not validated for correct syntax.
Displaying a Profile
To display a profile, enter the following command:
show upm profile <name>
Displaying Timers
To display a list of timers and associated timer information, enter the following command:
show upm timers
Displaying Universal Port Events
You can display a list of events that relate to one of the following trigger types:
● device-detect
● device-undetect
● user-authenticate
● user-unauthenticated
To display a list of Universal Port events for one of the above triggers, enter the following command:
show upm events <event-type>
Replace <event-type> with one of the trigger types listed above.
Displaying Profile History
To display a list of triggered events and associated event data, enter one of the following commands:
show upm history {profile <profile-name> | event <upm-event> | status [pass | fail] |
timer <timer-name> | detail}
show upm history exec-id <number>
Verifying a Universal Port Profile
To verify a Universal Port profile configuration, trigger the profile and verify that it works properly.
Trigger the profile based on the trigger type as follows:
● Device triggers: plug in the device
● Authentication triggers: authenticate a device or user
● Timer triggers: temporarily configure the timer for an approaching time
● EMS event triggers: reproduce the event to which the trigger responds
You can use the commands described earlier in this section to view information about the profile and
how it behaves. Because Universal Port works with multiple switch features, you might want to enter
commands to examine the configuration of those features. The following commands are an example of
some of the commands that can provide additional information about profile operation:
show lldp
show lldp neighbors
show log
show netlogin
Handling Profile Execution Errors
To conserve resources, the switch stores only the last execution log for the profile that resulted in an
error.
Use the following command to see a tabular display showing the complete history of the last 100
profiles run:
show upm history {profile <profile-name> | event <upm-event> | status [pass | fail] |
timer <timer-name> | detail}
Use the detail keyword to display the actual executions that happened when the profile was run.
Use the following command to display a specific execution that was run:
show upm history exec-id <number>
Select the exec-id number from the list in the tabular display.
Disabling and Enabling a Profile
Universal Port profiles are automatically enabled when they are created. To disable a profile or enable a
previously disabled profile, use the following commands:
disable upm profile <profile-name>
enable upm profile <profile-name>
Deleting a Profile
To delete a profile, enter the following command:
delete upm profile <profile-name>
Deleting a Timer
To delete a timer, enter the following command:
delete upm timer <timer-name>
Deleting an EMS Event Trigger
To delete an EMS event trigger, enter the following command:
delete log target upm {<upm_profile_name>}
Sample Universal Port Configurations
This section provides the following examples:
● Sample MAC Tracking Profile
● Universal Port Handset Provisioning Module Profiles
● Sample Static Profiles
● Sample Configuration with Device-Triggered Profiles
● Sample Configuration with User-Triggered Profiles
● Sample Profile with QoS Support
● Sample Event Profile
● Sample Configuration for Generic VoIP LLDP
● Sample Configuration for Generic VoIP 802.1x
● Sample Configuration for Avaya VoIP 802.1x
● Sample Configuration for a Video Camera
Sample MAC Tracking Profile
The example in this section shows how to create a profile that takes action based on the MAC tracking
feature. When the MAC tracking feature detects a MAC move in a VLAN, the MAC tracking feature
generates an EMS log, which then triggers a profile. The following sections provide information for this
example:
● Switch Configuration
● MAC Tracking EMS Log Message
● Profile Configuration
● Policy File Configuration
● Console Logs
NOTE
You can also use the Identity Management feature to configure ports in response to MAC device detection
events. For more information, see Chapter 22, “Identity Management.”
Switch Configuration
The general switch configuration is as follows:
#Vlan config
create vlan v1
configure v1 add ports 1:17-1:18
configure vlan v1 ipadd 192.168.10.1/24
#mac tracking config
create fdb mac-tracking entry 00:01:02:03:04:01
create fdb mac-tracking entry 00:01:02:03:04:02
create fdb mac-tracking entry 00:01:02:03:04:03
create fdb mac-tracking entry 00:01:02:03:04:04
create fdb mac-tracking entry 00:01:02:03:04:05
#Log filter configuration
create log filter macMoveFilter
configure log filter "macMoveFilter" add events "FDB.MACTracking.MACMove"
#Meter configuration for ingress /egress rate limit
create meter m1
configure meter m1 peak-rate 250 mbps
create meter m2
configure meter m2 peak-rate 500 mbps
MAC Tracking EMS Log Message
The MAC tracking feature produces the following EMS log message and message parameters:
"The MAC address %0% on VLAN '%1%' has moved from port %2% to port %3%"
EVENT.LOG_PARAM_1 "vlan name"
EVENT.LOG_PARAM_2 "source port"
EVENT.LOG_PARAM_3 "moved port"
Profile Configuration
The profile is configured as follows:
create upm profile macMove
;# editor
enable cli scripting
create access-list dacl1 "source-address 192.168.10.0/24 " "permit ;count dacl1"
create access-list dacl2 "source-address 192.168.11.0/24 " "permit ;count dacl2"
create access-list dacl3 "source-address 192.168.15.0/24 " "deny ;count dacl3"
create access-list dacl4 "source-address 192.168.16.0/24 " "deny ;count dacl4"
create access-list dacl5 "source-address 192.168.17.0/24 " "deny ;count dacl5"
configure access-list add dacl1 first ports $(EVENT.LOG_PARAM_3)
configure access-list add dacl2 first ports $(EVENT.LOG_PARAM_3)
configure access-list add dacl3 first ports $(EVENT.LOG_PARAM_3)
configure access-list add dacl4 first ports $(EVENT.LOG_PARAM_3)
configure access-list add dacl5 first ports $(EVENT.LOG_PARAM_3)
conf access-list ingress_limit vlan v1
conf access-list ingress_limit ports $(EVENT.LOG_PARAM_3)
conf access-list egress_limit any
;# enter . for SAVE/EXIT
log target configuration
create log target upm "macMove"
configure log target upm "macMove" filter "macMoveFilter"
enable log target upm "macMove"
Policy File Configuration
This example uses the following two policy files:
Ingress rate limit (ingress_limit.pol)
=================================
entry ingress {
    if {
        ethernet-source-address 00:AA:00:00:00:01;
        ethernet-destination-address 00:BB:00:00:00:01;
    } then {
        Meter m1;
        count c1;
    }
}
Egress QoS (egress_limit.pol)
=================================
entry egress {
    if {
        ethernet-source-address 00:BB:00:00:00:01;
        ethernet-destination-address 00:AA:00:00:00:01;
    } then {
        qosprofile qp2;
        count c2;
    }
}
Console Logs
The following show commands display the switch configuration:
* (debug) BD-12804.7 # show log con fil
Log Filter Name: DefaultFilter
I/                                                 Severity
E Component   SubComponent Condition               CEWNISVD
- ----------- ------------ ----------------------- --------
I All                                              ********

Log Filter Name: macMoveFilter
I/                                                 Severity
E Component   SubComponent Condition               CEWNISVD
- ----------- ------------ ----------------------- --------
I FDB         MACTracking  MACMove                 ---N----
* (debug) BD-12804.14 # sh fdb mac-tracking configuration
SNMP trap notification : Disabled
MAC address tracking table (5 entries):
00:01:02:03:04:01
00:01:02:03:04:02
00:01:02:03:04:03
00:01:02:03:04:04
00:01:02:03:04:05
* (debug) BD-12804.15 #
* (debug) BD-12804.27 # show meter
--------------------------------------------------------------------------------
Name          Committed Rate(Kbps)  Peak Rate(Kbps)  Burst Size(Kb)
--------------------------------------------------------------------------------
m1            -                     250000           -
m2            -                     500000           -
Total number of Meter(s) : 2
* (debug) BD-12804.28 #
The following show commands display the switch status after a MAC address move:
==================================
(debug) BD-12804.7 # show log
05/14/2009 11:33:54.89 <Noti:ACL.Policy.bind> MSM-A:
Policy:bind:egress_limit:vlan:*:port:*:
05/14/2009 11:33:54.89 <Info:pm.config.loaded> MSM-A: Loaded Policy: egress_limit
number of entries 1
05/14/2009 11:33:54.89 <Info:pm.config.openingFile> MSM-A: Loading policy egress_limit
from file /config/egress_limit.pol
05/14/2009 11:33:54.89 <Noti:ACL.Policy.bind> MSM-A:
Policy:bind:ingress_limit:vlan:*:port:1:18:
05/14/2009 11:33:54.88 <Noti:ACL.Policy.bind> MSM-A:
Policy:bind:ingress_limit:vlan:v1:port:*:
05/14/2009 11:33:54.87 <Info:pm.config.loaded> MSM-A: Loaded Policy: ingress_limit
number of entries 1
05/14/2009 11:33:54.87 <Info:pm.config.openingFile> MSM-A: Loading policy
ingress_limit from file /config/ingress_limit.pol
05/14/2009 11:33:54.72 <Noti:UPM.Msg.upmMsgExshLaunch> MSM-A: Launched profile macMove
for the event log-message
A total of 8 log messages were displayed.
* (debug) BD-12804.8 # show upm history
--------------------------------------------------------------------------------
Exec  Event/                Profile   Port  Status  Time Launched
Id    Timer/ Log filter
--------------------------------------------------------------------------------
1     Log-Message(macMoveF  macMove   ---   Pass    2009-05-14 11:33:54
--------------------------------------------------------------------------------
Number of UPM Events in Queue for execution: 0
* (debug) BD-12804.9 # sh upm history detail
UPM Profile: macMove
Event: Log-Message(macMoveFilter)
Profile Execution start time: 2009-05-14 11:33:54
Profile Execution Finish time: 2009-05-14 11:33:54
Execution Identifier: 1 Execution Status: Pass
Execution Information:
1 # enable cli scripting
2 # configure cli mode non-persistent
3 # set var EVENT.NAME LOG_MESSAGE
4 # set var EVENT.LOG_FILTER_NAME "macMoveFilter"
5 # set var EVENT.LOG_DATE "05/14/2009"
6 # set var EVENT.LOG_TIME "11:33:54.72"
7 # set var EVENT.LOG_COMPONENT_SUBCOMPONENT "FDB.MACTracking"
8 # set var EVENT.LOG_EVENT "MACMove"
9 # set var EVENT.LOG_SEVERITY "Notice"
10 # set var EVENT.LOG_MESSAGE "The MAC address %0% on VLAN '%1%' has moved from port
%2% to port %3%"
11 # set var EVENT.LOG_PARAM_0 "00:01:02:03:04:05"
12 # set var EVENT.LOG_PARAM_1 "v1"
13 # set var EVENT.LOG_PARAM_2 "1:17"
14 # set var EVENT.LOG_PARAM_3 "1:18"
15 # set var EVENT.PROFILE macMove
16 # enable cli scripting
17 # create access-list dacl1 "source-address 192.168.10.0/24 " "permit ;count dacl1"
18 # create access-list dacl2 "source-address 192.168.11.0/24 " "permit ;count dacl2"
19 # create access-list dacl3 "source-address 192.168.15.0/24 " "deny ;count dacl3"
20 # create access-list dacl4 "source-address 192.168.16.0/24 " "deny ;count dacl4"
21 # create access-list dacl5 "source-address 192.168.17.0/24 " "deny ;count dacl5"
22 # configure access-list add dacl1 first ports $(EVENT.LOG_PARAM_3)
done!
23 # configure access-list add dacl2 first ports $(EVENT.LOG_PARAM_3)
done!
24 # configure access-list add dacl3 first ports $(EVENT.LOG_PARAM_3)
done!
25 # configure access-list add dacl4 first ports $(EVENT.LOG_PARAM_3)
done!
26 # configure access-list add dacl5 first ports $(EVENT.LOG_PARAM_3)
done!
27 # conf access-list ingress_limit vlan v1
done!
28 # conf access-list ingress_limit ports $(EVENT.LOG_PARAM_3)
done!
29 # conf access-list egress_limit any
done!
--------------------------------------------------------------------------------
Number of UPM Events in Queue for execution: 0
* (debug) BD-12804.10 #
* (debug) BD-12804.7 # show fdb mac-tracking statistics
MAC Tracking Statistics              Thu May 14 11:41:10 2009
                        Add       Move      Delete
MAC Address             events    events    events
=====================================================
00:01:02:03:04:01       0         0         0
00:01:02:03:04:02       0         0         0
00:01:02:03:04:03       0         0         0
00:01:02:03:04:04       0         0         0
00:01:02:03:04:05       1         1         0
=====================================================
0->Clear Counters U->page up D->page down ESC->exit
(debug) BD-12804.5 # show access-list
Vlan Name  Port  Policy Name    Dir      Rules  Dyn Rules
===================================================================
*          *     egress_limit   ingress  1      0
*          1:18  ingress_limit  ingress  1      5
v1         *     ingress_limit  ingress  1      0
* (debug) BD-12804.6 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )
(*)dacl1                       Bound to 1 interfaces for application Cli
(*)dacl2                       Bound to 1 interfaces for application Cli
(*)dacl3                       Bound to 1 interfaces for application Cli
(*)dacl4                       Bound to 1 interfaces for application Cli
(*)dacl5                       Bound to 1 interfaces for application Cli
(*)hclag_arp_0_4_96_1e_32_80   Bound to 0 interfaces for application HealthCheckLAG
* (debug) BD-12804.7 #
* (debug) BD-12804.7 #
=====================================================================================
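The show upm history detail output earlier in these console logs records the profile's commands with $(EVENT.LOG_PARAM_3) still unexpanded, so the port that received the ACLs has to be worked out from the recorded set var lines. The following Python script is an added example, not part of the ExtremeXOS documentation: it parses an abridged, constructed copy of that record, rebuilds the log message, expands each command, and reports the ports touched. The function names are hypothetical.

```python
import re

# Constructed sample: an abridged copy of the "show upm history detail"
# record from the console logs in this section (wrapped lines rejoined).
SAMPLE = '''\
UPM Profile: macMove
Event: Log-Message(macMoveFilter)
Execution Identifier: 1 Execution Status: Pass
Execution Information:
1 # enable cli scripting
3 # set var EVENT.NAME LOG_MESSAGE
10 # set var EVENT.LOG_MESSAGE "The MAC address %0% on VLAN '%1%' has moved from port %2% to port %3%"
11 # set var EVENT.LOG_PARAM_0 "00:01:02:03:04:05"
12 # set var EVENT.LOG_PARAM_1 "v1"
13 # set var EVENT.LOG_PARAM_2 "1:17"
14 # set var EVENT.LOG_PARAM_3 "1:18"
17 # create access-list dacl1 "source-address 192.168.10.0/24 " "permit ;count dacl1"
22 # configure access-list add dacl1 first ports $(EVENT.LOG_PARAM_3)
done!
28 # conf access-list ingress_limit ports $(EVENT.LOG_PARAM_3)
done!
'''

STEP = re.compile(r"^(\d+) # (.*)$")          # "<n> # <command>" lines
SET_VAR = re.compile(r"^set var (\S+) (.*)$")
VAR_REF = re.compile(r"\$\(([\w.]+)\)")       # $(NAME) references
PLACEHOLDER = re.compile(r"%(\d+)%")          # %n% in the EMS message
PORTS_ARG = re.compile(r"\bports\s+(\S+)")


def field(label, text):
    """Return the first token after 'label:' or None if the label is absent."""
    m = re.search(re.escape(label) + r":\s*(\S+)", text)
    return m.group(1) if m else None


def parse_record(text):
    """Split one execution record into header fields, variables and commands."""
    record = {
        "profile": field("UPM Profile", text),
        "exec_id": field("Execution Identifier", text),
        "status": field("Execution Status", text),
        "variables": {},
        "commands": [],
    }
    for line in text.splitlines():
        step = STEP.match(line.strip())
        if not step:
            continue  # header lines and "done!" replies
        number, command = int(step.group(1)), step.group(2).strip()
        assignment = SET_VAR.match(command)
        if assignment:
            name, value = assignment.groups()
            record["variables"][name] = value.strip().strip('"')
        else:
            record["commands"].append((number, command))
    return record


def render_message(variables):
    """Fill the %n% placeholders of EVENT.LOG_MESSAGE from EVENT.LOG_PARAM_n."""
    return PLACEHOLDER.sub(
        lambda m: variables.get("EVENT.LOG_PARAM_" + m.group(1), m.group(0)),
        variables.get("EVENT.LOG_MESSAGE", ""),
    )


def audit(text):
    """Expand every command and collect the ports named after 'ports'."""
    record = parse_record(text)
    variables = record["variables"]
    expanded, problems, ports = [], [], set()
    for number, command in record["commands"]:
        missing = [n for n in VAR_REF.findall(command) if n not in variables]
        line = VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), command)
        expanded.append((number, line))
        for name in missing:
            problems.append("step %d: %s has no recorded value" % (number, name))
        if not missing:
            ports.update(PORTS_ARG.findall(line))
    return {
        "record": record,
        "message": render_message(variables),
        "expanded": expanded,
        "problems": problems,
        "ports": ports,
    }


if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result["record"]["profile"], result["record"]["status"])
    print(result["message"])
    for number, line in result["expanded"]:
        print(number, line)
    print("ports touched:", sorted(result["ports"]))
```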
Universal Port Handset Provisioning Module Profiles
The Universal Port Handset Provisioning Module provides the following profiles:
● Device-Triggered Generic Profile
● Authentication-Triggered Generic Profile
● Authentication-Triggered Avaya Profile
Device-Triggered Generic Profile
This is a template for configuring network parameters for VoIP phone support without 802.1x
authentication. The profile is triggered after an LLDP packet is detected on the port.
NOTE
The MetaData information is used by Ridgeline to create a user-friendly interface for modifying the
variables. You can ignore the MetaData when using the CLI.
#********************************
# Last Updated: April 11, 2007
# Tested Phones: Avaya 4610, 4620, 4625
# Requirements: LLDP capable devices
#********************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for VoIP phones support LLDP but without authentication. The module is triggered through the detection of an LLDP packet on the port. The following network side configuration is done: enable SNMP traps, QOS assignment, adjust POE reservation values based on device requirements, add the voiceVlan to the port as tagged. "
# @VariableFieldLabel "Voice VLAN name"
set var voicevlan voiceavaya
# @VariableFieldLabel "Send trap when LLDP event happens (true or false)"
set var sendTraps false
# @VariableFieldLabel "Set QoS Profile (true or false)"
set var setQuality false
# @MetaDataEnd
#
if (!$match($EVENT.NAME,DEVICE-DETECT)) then
    create log message Starting_LLDP_Generic_Module_Config
    # VoiceVLAN configuration
    configure vlan $voicevlan add port $EVENT.USER_PORT tagged
    #SNMP Trap
    if (!$match($sendTraps,true)) then
        create log message Config_SNMP_Traps
        enable snmp traps lldp ports $EVENT.USER_PORT
        enable snmp traps lldp-med ports $EVENT.USER_PORT
    else
        disable snmp traps lldp ports $EVENT.USER_PORT
        disable snmp traps lldp-med ports $EVENT.USER_PORT
    endif
    #Link Layer Discovery Protocol-Media Endpoint Discover
    create log message Config_LLDP
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
    configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $voicevlan
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voicevlan dscp 46
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
    #Configure POE settings per device requirements
    create log message Config_POE
    configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
    #QoS Profile
    if (!$match($setQuality,true)) then
        create log message Config_QOS
        configure port $EVENT.USER_PORT qosprofile qp7
    endif
endif
if (!$match($EVENT.NAME,DEVICE-UNDETECT) && $match($EVENT.DEVICE_IP,0.0.0.0)) then
    create log message Starting_LLDP_Generic_UNATUH_Module_Config
    if (!$match($sendTraps,true)) then
        create log message UNConfig_SNMP_Traps
        disable snmp traps lldp ports $EVENT.USER_PORT
        disable snmp traps lldp-med ports $EVENT.USER_PORT
    endif
    create log message UNConfig_LLDP
    unconfig lldp port $EVENT.USER_PORT
    if (!$match($setQuality,true)) then
        create log message UNConfig_QOS
        unconfig qosprofile ports $EVENT.USER_PORT
    endif
    unconfig inline-power operator-limit ports $EVENT.USER_PORT
endif
if (!$match($EVENT.NAME,DEVICE-UNDETECT) && !$match($EVENT.DEVICE_IP,0.0.0.0)) then
    create log message DoNothing_0.0.0.0
    create log message $EVENT.TIME
endif
create log message End_LLDP_Generic_Module_Config
Authentication-Triggered Generic Profile
This profile has been created for phones that support an authentication protocol. This profile assumes
that the phone does not support LLDP and is provisioned using DHCP options.
This is a template for configuring network parameters for 802.1x authenticated devices. The module is
triggered through successful authentication or unauthentication of the device.
#***********************************************
# Last Updated: April 11, 2007
# Tested Phones: Avaya 4610, 4620, 4625
# Requirements: 802.1x capable devices, netlogin configured and enabled on deployment ports
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for 802.1x authenticated devices. The module is triggered through successful authentication of the device. The following network side configuration is done: QOS assignment and enables DOS protection. When used with IP phones, phone provisioning is done through DHCP options."
# @Description "VLAN name to add to port"
set var vlan1 voiceavaya
# @VariableFieldLabel "Set QoS Profile (yes or no)"
set var setQuality yes
# @Description "QoS Profile (0-100)"
set var lowbw 50
# @VariableFieldLabel "QoS MAX Bandwidth (0-100)"
set var highbw 100
# @VariableFieldLabel "Enable Denial of Service Protection (yes or no)"
set var dosprotection yes
# @MetaDataEnd
##################################
# Start of USER-AUTHENTICATE block
##################################
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
    ############
    #QoS Profile
    ############
    # Adds a QOS profile to the port
    if (!$match($setQuality,yes)) then
        create log message Config_QOS
        configure port $EVENT.USER_PORT qosprofile qp7
        configure qosprofile qp7 minbw $lowbw maxbw $highbw ports $EVENT.USER_PORT
    endif
    #
    ########################
    #Security Configurations
    ########################
    create log message Applying_Security_Limits
    # enables Denial of Service Protection for the port
    if (!$match($dosprotection,yes)) then
        enable dos-protect
        create log message DOS_enabled
    endif
    #
endif
################################
# End of USER-AUTHENTICATE block
################################
#
#
####################################
# Start of USER-UNAUTHENTICATE block
####################################
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
    create log message Starting_8021x_Generic_UNATUH_Module_Config
    if (!$match($setQuality,yes)) then
        create log message UNConfig_QOS
        unconfig qosprofile ports $EVENT.USER_PORT
    endif
    unconfig inline-power operator-limit ports $EVENT.USER_PORT
endif
##################################
# End of USER-UNAUTHENTICATE block
##################################
create log message End_802_1x_Generic_Module_Config
Authentication-Triggered Avaya Profile
This script has been created for Avaya phones that support both 802.1x authentication and LLDP.
Instead of using DHCP options, the phone is provisioned using LLDP parameters developed jointly by
Extreme Networks and Avaya.
#********************************
# Last Updated: April 11, 2007
# Tested Phones: SW4610, SW4620
# Requirements: 802.1x authentication server, VSA 203 and VSA 212 from authentiication
server. QP7 defined on the switch
#********************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring LLDP capable Avaya phones
using the authentication trigger. This module will provision the phone with the
following parameters: call server, file server, dot1q, dscp, power. Additionally the
following network side configuration is done: enable SNMP traps and QOS assignment"
# @VariableFieldLabel "Avaya phone call server IP address"
set var callserver 192.45.95.100
# @VariableFieldLabel "Avaya phone file server IP address"
set var fileserver 192.45.10.250
# @VariableFieldLabel "Send trap when LLDP event happens (true or false)"
set var sendTraps true
# @VariableFieldLabel "Set QoS Profile (true or false)"
set var setQuality true
# @MetaDataEnd
#
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
create log message Starting_Avaya_VOIP_802.1x_AUTH_Module_Config
if (!$match($sendTraps,true)) then
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
enable lldp port $EVENT.USER_PORT
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme callserver $callserver
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme fileserver $fileserver
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1qframing tag
if (!$match($setQuality,true)) then
configure port $EVENT.USER_PORT qosprofile qp7
endif
endif
#
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
create log message Starting_Avaya_VOIP_802.1x_UNATUH_Module_Config
if (!$match($sendTraps,true)) then
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
disable lldp port $EVENT.USER_PORT
if (!$match($setQuality,true)) then
unconfig qosprofile ports $EVENT.USER_PORT
endif
endif
create log message End_Avaya_VOIP_802.1x_Module_Config
Sample Static Profiles
The following configuration creates a profile and runs it statically:
* BD-10808.4 # Create upm profile p1
Enable port 1:1
.
* BD-10808.4 #run upm profile p1
* BD-10808.4 # show upm history exec 8006
UPM Profile: p1
Event: User Request, Time run: 2006-10-18 11:56:15
Execution Identifier: 8006
Execution Status: Pass
Execution Information:
1 # enable cli scripting
2 # set var EVENT.NAME USER-REQUEST
3 # set var EVENT.TIME 1161172575
4 # set var EVENT.PROFILE p1
5 # enable port 1:1
This profile creates and configures EAPS on the edge switch for connecting to the aggregation switch,
creates specific VLANs and assigns tags, configures network login, and configures the RADIUS client
component on the switch.
#***********************************************
# Last Updated: May 11, 2007
# Tested Devices: X450e EXOS 12.0
# Description: This profile configures the switch with an EAPs ring, creates specified
# vlans, configure network login, RADIUS.
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit devices. The profile will configure the listed features: EAPs ring, Network login, 802.1x, vlans, and default routes."
# @VariableFieldLabel "Create EAPs ring? (yes or no)"
set var yneaps yes
# @VariableFieldLabel "Name of EAPs domain"
set var eapsdomain upm-domain
# @VariableFieldLabel "Primary port number"
set var eapsprimary 23
# @VariableFieldLabel "Secondary port number"
set var eapssecondary 24
# @VariableFieldLabel "Name of EAPs control VLAN"
set var eapsctrl upm_ctrl
# @VariableFieldLabel "Tag for EAPs control VLAN"
set var eapsctrltag 4000
# @VariableFieldLabel "Create standard VLANs? (yes or no)"
set var ynvlan yes
# @VariableFieldLabel "Name of Voice vlan"
set var vvoice voice
# @VariableFieldLabel "Voice VLAN tag"
set var vvoicetag 10
# @VariableFieldLabel "Voice VLAN virtual router"
set var vvoicevr vr-default
# @VariableFieldLabel "Name of Security Video"
set var vidsec vidcam
# @VariableFieldLabel "Security Video VLAN tag"
set var vidsectag 40
# @VariableFieldLabel "Security Video VLAN virtual router"
set var vidsecvr vr-default
# @VariableFieldLabel "Name of Data vlan"
set var vdata datatraffic
# @VariableFieldLabel "Data VLAN tag"
set var vdatatag 11
# @VariableFieldLabel "Data VLAN virtual router"
set var vdatavr vr-default
# @VariableFieldLabel "Enable Network Login? (yes or no)"
set var ynnetlogin yes
# @VariableFieldLabel "RADIUS Server IP Address"
set var radserver 192.168.11.144
# @VariableFieldLabel "RADIUS Client IP Address"
set var radclient 192.168.11.221
# @VariableFieldLabel "RADIUS Server Shared Secret"
set var radsecret goextreme
# @VariableFieldLabel "Network Login port list"
set var netloginports 1-20
# @MetaDataEnd
##################################
# Start of EAPs Configuration block
##################################
if (!$match($yneaps,yes)) then
create log message Config_EAPs
config eaps config-warnings off
create eaps $eapsdomain
config eaps $eapsdomain mode transit
config eaps $eapsdomain primary port $eapsprimary
config eaps $eapsdomain secondary port $eapssecondary
create vlan $eapsctrl
config $eapsctrl tag $eapsctrltag
config $eapsctrl qosprofile qp8
config $eapsctrl add port $eapsprimary tagged
config $eapsctrl add port $eapssecondary tagged
config eaps $eapsdomain add control vlan $eapsctrl
enable eaps
enable eaps $eapsdomain
else
create log message EAPs_Not_Configured
endif
############
#VLAN Config
############
if (!$match($ynvlan,yes)) then
create log message CreateStandardVLANs
create vlan $vvoice vr $vvoicevr
config vlan $vvoice tag $vvoicetag
config vlan $vvoice add port $eapsprimary tagged
config vlan $vvoice add port $eapssecondary tagged
config eaps $eapsdomain add protected $vvoice
enable lldp ports $netloginports
create qosprofile qp5
config vlan $vvoice ipa 192.168.10.221
#
create vlan $vidsec vr $vidsecvr
config vlan $vidsec tag $vidsectag
config vlan $vidsec add port $eapsprimary tagged
config vlan $vidsec add port $eapssecondary tagged
config eaps $eapsdomain add protected $vidsec
config vlan $vidsec ipa 192.168.40.221
#
create vlan $vdata vr $vdatavr
config vlan $vdata tag $vdatatag
config vlan $vdata add port $eapsprimary tagged
config vlan $vdata add port $eapssecondary tagged
config eaps $eapsdomain add protected $vdata
config vlan $vdata ipa 192.168.11.221
# config ipr add default 192.168.11.254 vr vr-default
else
create log message NoVLANsCreated
endif
############
#RADIUS & Netlogin
############
if (!$match($ynnetlogin,yes)) then
create log message ConfigNetlogin
#configure $vdata ipaddress 192.168.11.221
create vlan nvlan
config netlogin vlan nvlan
config default del po $netloginports
enable netlogin dot1x
enable netlogin mac
enable netlogin ports $netloginports dot1x mac
config netlogin ports $netloginports mode mac-based-vlans
config radius netlogin primary server $radserver client-ip $radclient vr VR-Default
config radius netlogin primary shared-secret $radsecret
enable radius netlogin
config netlogin add mac-list 00:19:5B:D3:e8:DD
else
create log message NoNetlogin
endif
Sample Configuration with Device-Triggered Profiles
The following example demonstrates how to configure Universal Port for device detection:
# Create and configure the VLAN for the VoIP network.
#
X450e-24p.1 # create vlan voice
X450e-24p.2 # configure voice ipaddress 192.168.0.1/24
# Create the universal port profile for device-detect on the switch.
#
X450e-24p.3 # create upm profile detect-voip
Start typing the profile and end with a . as the first and the only character on a
line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Script_DETECT-voip
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
create log message Starting_DETECT-VOIP_Port_$EVENT.USER_PORT
#**********************************************************
# adds the detected port to the device "unauthenticated" profile port list
#**********************************************************
create log message Updating_UnDetect_Port_List_Port_$EVENT.USER_PORT
configure upm event Device-UnDetect profile CleanupProfile ports $EVENT.USER_PORT
#**********************************************************
# adds the detected port to the proper VoIP vlan
#**********************************************************
configure $voiceVlan add port $EVENT.USER_PORT tag
#**********************************************************
# Configure the LLDP options that the phone needs
#**********************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
#configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voiceVlan dscp 46
#**********************************************************
# Configure the POE limits for the port based on the phone requirement
#**********************************************************
# If port is PoE capable, uncomment the following lines
#configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
#configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
create log message Script_DETECT-phone_Finished_Port_$EVENT.USER_PORT
.
X450e-24p.4 #
# Create the universal port profile for device-undetect on the switch.
#
* X450e-24p.5 # create upm profile clearports
Start typing the profile and end with a . as the first and the only character on a
line.
Use - edit upm profile <name> - for block mode capability
create log message STARTING_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT
#configure $voiceVlan delete port $EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log message LLDP_Info_Cleared_on_$EVENT.USER_PORT
#unconfigure upm event device-undetect profile avaya-remove ports $EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log message POE_Settings_Cleared_on_$EVENT.USER_PORT
create log message FINISHED_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* X450e-24p.5 #
#
# Assign the device-detect profile to the edge ports.
#
* X450e-24p.6 # config upm event device-detect profile detect-voip ports 1-10
#
# Assign the device-undetect profile to the edge ports.
#
* X450e-24p.7 # config upm event device-undetect profile clearports ports 1-10
* X450e-24p.8 #
#
# Verify that correct profiles are assigned to correct ports.
#
* X450e-24p.9 # show upm profile
UPM Profile      Events                 Flags  Ports
=============================================================
clearports       Device-Undetect        e      1-10
detect-voip      Device-Detect          e      1-10
===========================================================
Number of UPM Profiles: 2
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
Event name: log-message(Log filter name) - Truncated to 20 chars
#
# Enable LLDP message advertisements on the ports assigned to universal ports.
#
* X450e-24p.10 # enable lldp ports 1-10
Sample Configuration with User-Triggered Profiles
The example in this section demonstrates how to configure a RADIUS server and Universal Port for
user login. The first part of the example shows the RADIUS server configuration. For more information
on RADIUS server configuration, see Chapter 23, “Security.”
# Configure the RADIUS server for the userID and password pair.
# For FreeRADIUS, edit the users file located at /etc/raddb/users as shown in the
# following lines.
#
#Sample entry of using an individual MAC address
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-VLAN = voice
#Sample entry of using wildcard MAC addresses (OUI Method)
00040D000000 Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-VLAN = voice
#Sample entry of using numeric UserID and password
10284 Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
        Extreme-Netlogin-Vlan = voice
#Sample entry of using a text UserID and password
Sales Auth-Type := EAP, User-Password == "Money"
        Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
        Extreme-Netlogin-Vlan = v-sales
# Define the Extreme custom VSAs on RADIUS.
# For FreeRADIUS, edit the dictionary file located at /etc/raddb/dictionary to
# include the following details:
VENDOR       Extreme                         1916
ATTRIBUTE    Extreme-CLI-Authorization       201   integer Extreme
ATTRIBUTE    Extreme-Shell-Command           202   string  Extreme
ATTRIBUTE    Extreme-Netlogin-Vlan           203   string  Extreme
ATTRIBUTE    Extreme-Netlogin-Url            204   string  Extreme
ATTRIBUTE    Extreme-Netlogin-Url-Desc       205   string  Extreme
ATTRIBUTE    Extreme-Netlogin-Only           206   integer Extreme
ATTRIBUTE    Extreme-User-Location           208   string  Extreme
ATTRIBUTE    Extreme-Netlogin-Vlan-Tag       209   integer Extreme
ATTRIBUTE    Extreme-Netlogin-Extended-Vlan  211   string  Extreme
ATTRIBUTE    Extreme-Security-Profile        212   string  Extreme
VALUE        Extreme-CLI-Authorization       Disabled  0
VALUE        Extreme-CLI-Authorization       Enabled   1
VALUE        Extreme-Netlogin-Only           Disabled  0
VALUE        Extreme-Netlogin-Only           Enabled   1
# End of Dictionary
# Add the switch as an authorized client of the RADIUS server.
# For FreeRADIUS, edit the file located at /etc/raddb/clients.conf to include the
# switch details:
#
client 192.168.10.4 {
    secret = purple
    shortname = x450e-24p
}
# End of clients.conf
The rest of this example demonstrates the configuration that takes place at the ExtremeXOS switch:
# Create the universal port profile for user-authenticate:
* X450e-24p.1 # create upm profile phone
Start typing the profile and end with a . as the first and the only character on a
line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Script_Phone
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
create log message Starting_AUTH-VOIP_Port_$EVENT.USER_PORT
#******************************************************
# adds the detected port to the device "unauthenticated" profile port list
#******************************************************
create log message Updating_Unauthenticated_Port_List_Port_$EVENT.USER_PORT
#******************************************************
# Configure the LLDP options that the phone needs
#******************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
# If port is PoE capable, uncomment the following lines
#create log message UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT
.
X450e-24p.2 #
#
# Create the universal port profile for user-unauthenticate on the switch:
#
* X450e-24p.1 # create upm profile clearport
Start typing the profile and end with a . as the first and the only character on a
line.
Use - edit upm profile <name> - for block mode capability
create log message STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log message LLDP_Info_Cleared_on_$EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log message POE_Settings_Cleared_on_$EVENT.USER_PORT
create log message FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* X450e-24p.2 #
# Configure RADIUS on the edge switch.
#
* X450e-24p.4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr "VR-Default"
* X450e-24p.5 # config radius primary shared-secret purple
# Configure Network Login on the edge switch.
#
# For Network Login 802.1x, use the following commands:
* X450e-24p.7 # create vlan nvlan
* X450e-24p.8 # config netlogin vlan nvlan
* X450e-24p.9 # enable netlogin dot1x
* X450e-24p.10 # enable netlogin ports 11-20 mode mac-based-vlans
* X450e-24p.11 # enable radius netlogin
#
# For Network Login MAC-based or OUI method, use the following commands:
* X450e-24p.7 # create vlan nvlan
* X450e-24p.8 # config netlogin vlan nvlan
* X450e-24p.9 # enable netlogin mac
* X450e-24p.10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234
* X450e-24p.11 # enable radius netlogin
# Assign the user-authenticate profile to the edge port.
#
* X450e-24p.12 # configure upm event user-authenticate profile "phone" ports 11-20
* X450e-24p.13 #
# Assign the user-unauthenticate profile to the edge port.
#
* X450e-24p.14 # configure upm event user-unauthenticated profile "clearport" ports 11-20
* X450e-24p.15 #
# Check that the correct profiles are assigned to the correct ports.
#
* X450e-24p.16 # show upm profile
===========================================================
UPM Profile      Events                 Flags  Ports
===========================================================
phone            User-Authenticated     e      11-20
clearport        User-Unauthenticated   e      11-20
===========================================================
Number of UPM Profiles: 5
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
Event name: log-message(Log filter name) - Truncated to 20 chars
# Enable LLDP message advertisements on the ports.
#
* X450e-24p.17 # enable lldp ports 11-20
Sample Timer-Triggered Profile
The following profile and timer configuration disables PoE on ports 1 to 20 every day at 6 p.m.:
* X450e-24p.1 # create upm profile eveningpoe
Start typing the profile and end with a . as the first and the only character on a
line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Evening
disable inline-power ports 1-20
.
*X450e-24p.2
*X450e-24p.3 # create upm timer night
*X450e-24p.4 # config upm timer night profile eveningpoe
*X450e-24p.5 # config upm timer night at 7 7 2007 19 00 00 every 86400
Sample Profile with QoS Support
The example below can be used with a Summit family switch that supports QoS profiles qp1 and qp8.
When the user or phone logs in with a particular MAC address, the script configures the QoS profile
configured by the user in the RADIUS server for the USER-AUTHENTICATED event. In this example,
the user sets the QoS profile to be qp8.
You must configure network login, the RADIUS server, and Universal Port on the switch as part of the
user log-in authentication process. The following example is an entry in the RADIUS users file for the
MAC address of the phone:
00040D9D12A9 Auth-Type := local, User-Password == "test"
        Extreme-security-profile = "p1 QOS=\"QP8\";LOGOFF-PROFILE=p2;VLAN=\"voicetest\";"
For more information on configuring the RADIUS users file, see Chapter 23, “Security.”
Below is the Universal Port profile configuration for this example:
Create upm profile p1
set var z1 $uppercase($EVENT.USER_MAC)
set var z2 $uppercase(00:04:0d:9d:12:a9)
#show var z1
#show var z2
if ($match($EVENT.NAME, USER-AUTHENTICATED) == 0) then
if ($match($z1, $z2) == 0) then
configure port $EVENT.USER_PORT qosprofile $QOS
endif
endif
.
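The following Python sketch is an added example, not part of the original guide and not Extreme Networks code. It models how the Extreme-Security-Profile string from the RADIUS users entry above reaches profile p1: it splits the value into profile name, logoff profile, and variables, then reproduces p1's event and MAC checks. The grammar is inferred from the sample entries in this section; the function names, the port number 5, the meaning given to LOGOFF-PROFILE, and the allow-list check on QOS are assumptions added for illustration.

```python
import re

# Grammar inferred from the sample entries in this section (an assumption, not
# a vendor specification): "<profile> NAME=VALUE;NAME=VALUE;" where VALUE may
# be double-quoted and the trailing semicolon is optional.
PAIR = re.compile(r'\s*([A-Za-z][A-Za-z0-9_-]*)=("([^"]*)"|[^;"\s]+)\s*(?:;|$)')

# The text above names qp1 and qp8 as the QoS profiles the switch supports.
ALLOWED_QOS = {"QP1", "QP8"}


def parse_security_profile(value):
    """Split a VSA 212 value into (profile, logoff_profile, variables)."""
    parts = value.split(None, 1)
    if not parts:
        raise ValueError("empty Extreme-Security-Profile value")
    profile = parts[0]
    rest = parts[1].strip() if len(parts) > 1 else ""
    variables, pos = {}, 0
    while pos < len(rest):
        m = PAIR.match(rest, pos)
        if not m:
            raise ValueError("malformed variable list at %r" % rest[pos:])
        name = m.group(1)
        # group(3) is the text inside quotes; group(2) is the unquoted form.
        val = m.group(3) if m.group(3) is not None else m.group(2)
        if name in variables:
            raise ValueError("duplicate variable %s" % name)
        variables[name] = val
        pos = m.end()
    # Assumption: LOGOFF-PROFILE names the profile run when the user logs off.
    logoff = variables.pop("LOGOFF-PROFILE", None)
    return profile, logoff, variables


def emulate_p1(event_name, user_mac, user_port, variables,
               expected_mac="00:04:0d:9d:12:a9"):
    """Model profile p1: return the CLI line it would issue, or None."""
    if event_name != "USER-AUTHENTICATED":
        return None
    # Same effect as the $uppercase() calls followed by $match(...) == 0.
    if user_mac.upper() != expected_mac.upper():
        return None
    qos = variables.get("QOS")
    if qos is None:
        raise KeyError("p1 uses $QOS but the RADIUS reply set no QOS variable")
    # Added check (not in p1): the value is substituted into a CLI command,
    # so reject anything that is not an expected QoS profile name.
    if qos.upper() not in ALLOWED_QOS:
        raise ValueError("unexpected QOS value %r" % qos)
    return "configure port %s qosprofile %s" % (user_port, qos)


if __name__ == "__main__":
    # Value from the users entry above, after the \" escapes are removed.
    vsa = 'p1 QOS="QP8";LOGOFF-PROFILE=p2;VLAN="voicetest";'
    profile, logoff, variables = parse_security_profile(vsa)
    print(profile, logoff, variables)
    # Constructed event: port 5 is a made-up value.
    print(emulate_p1("USER-AUTHENTICATED", "00:04:0D:9D:12:A9", "5", variables))
```

Running the same parser over every Extreme-Security-Profile value in the users file before deployment catches a malformed variable list or an unexpected QOS value before the switch substitutes it into a command.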
Sample Event Profile
If not configured properly, the Spanning Tree Protocol (STP) can create loops in a network. Should these
loops develop, they can cause network degradation and eventually crash the network by duplicating
too many Ethernet frames. By leveraging Universal Port and the Extreme Loop Recovery Protocol
(ELRP) as shown in the example below, it is possible not only to detect and isolate the egress port, but
also to disable the egress port to break loops.
NOTE
This example illustrates how to create an event profile that reconfigures the switch after an event. After this
example was created, ELRP was updated with the capability to disable a port without the help of an event profile.
For more information, see “Using ELRP to Perform Loop Tests” on page 1530.
When a loop is detected on ports where ELRP is enabled and configured, ELRP logs a message using
the following format:
01/17/2008 08:08:04.46 <Warn:ELRP.Report.Message> [CLI:ksu:1] LOOP DETECTED : 436309
transmited, 64 received, ingress slot:port (1) egress slot:port (24)
To view more information on format of this c