DOC-00918 Rev01 EXOC Presentation SG Version 12.1

ExtremeXOS Operation and Configuration Presentation Guide Rev.12.
Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800 http://www.extremenetworks.com Part number: DOC-00918
AccessAdapt, Alpine, Altitude, BlackDiamond, EPICenter, Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ScreenPlay, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, the Powered by ExtremeXOS logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries. Adobe, Flash, and Macromedia are registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. AutoCell is a trademark of AutoCell. Avaya is a trademark of Avaya, Inc. Internet Explorer is a registered trademark of Microsoft Corporation, and Microsoft Windows Server is a trademark of Microsoft Corporation. Mozilla Firefox is a registered trademark of the Mozilla Foundation. RSA Ace/Server and RSA SecurID are registered trademarks of RSA Security, Inc. sFlow is a registered trademark of sFlow.org. Solaris and Java are trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Specifications are subject to change without notice. All other registered trademarks, trademarks, and service marks are property of their respective owners. 2008 Extreme Networks, Inc. All Rights Reserved.
Extreme Networks Technical Publications
Table of Contents
Module 1: Introduction and Orientation............................................................................................. 1
ExtremeXOS Operation and Configuration ......................................................................................2 Introductions ..............................................................................................................................4 Facilities ....................................................................................................................................6 Student Kit ................................................................................................................................8 Administrative ..........................................................................................................................10 Course Prerequisites..................................................................................................................12 High-Level Student Objectives....................................................................................................14 Agenda ....................................................................................................................................16 Introduction to the Extreme Networks Certification Program ..........................................................22 Extreme Networks Associate (Level 1) .........................................................................................24 Extreme Networks Specialist (Level 2).........................................................................................26 ENA Certification Curriculum .....................................................................................................28 ENS Certification Curriculum .....................................................................................................30 Supportive Curriculum ...............................................................................................................32 Summary..................................................................................................................................34
Module 2: Extreme Networks Product Overview................................................................................. 1

Student Objectives ......................................................................................................................2 Product Families Overview ...........................................................................................................4 Extreme Networks Switch Operating Systems .................................................................................6 ExtremeWare to ExtremeXOS Comparison ......................................................................................8 Chassis-Based Switching Product Overview..................................................................................10 Standalone Switching Product Overview ......................................................................................12 ExtremeXOS Feature Licensing Model .........................................................................................14 ExtremeXOS Licensing Features Details.......................................................................................16 Extreme Networks Wireless Products...........................................................................................18 Extreme Networks Security Products ...........................................................................................20 Extreme Networks Management Products ....................................................................................22 Switching Product User Interface Tools .......................................................................................24 Summary..................................................................................................................................26 Review Questions ......................................................................................................................28
Module 3: Initial Switch Configuration.............................................................................................. 1

Student Objectives ......................................................................................................................2 Initial Switch Configuration ..........................................................................................................4 CLI Access .................................................................................................................................6 CLI Organization .........................................................................................................................8 Syntax Helper ...........................................................................................................................10 CLI Abbreviated Syntax and History ............................................................................................12 Unique Name Identifiers............................................................................................................14
Table of Contents Switch Login ............................................................................................................................14 CLI - Command Prompt .............................................................................................................16 Management Accounts ..............................................................................................................18 Creating User Accounts .............................................................................................................20 Failsafe Login ...........................................................................................................................22 Limiting CLI Sessions and Failed Logins......................................................................................24 Restricting Telnet Access...........................................................................................................26 Configuring Management Access ................................................................................................28 Using SSH and SCP ..................................................................................................................30 Using SNMP.............................................................................................................................32 Configuring SNMP System Parameters ........................................................................................34 Configuring SNMP Access Parameters.........................................................................................36 Authenticating Switch Management Users ...................................................................................38 Logging Features.......................................................................................................................40 Configuring Logging ..................................................................................................................42 Displaying Log Messages ...........................................................................................................44 Using SNTP..............................................................................................................................46 Verifying the Management Configuration......................................................................................48 Summary..................................................................................................................................50 Lab..........................................................................................................................................52 Review Questions ......................................................................................................................54
Module 4: Switch Management ........................................................................................................ 1

Student Objectives ......................................................................................................................2 Displaying Switch Status .............................................................................................................4 Describing the Virtual Router Command Argument .........................................................................6 Assigning IP Addresses................................................................................................................8 Describing Software Image Features............................................................................................10 Displaying the Current Software Images.......................................................................................10 Interpreting ExtremeXOS Image File Names.................................................................................12 Interpreting ExtremeXOS Version Strings .....................................................................................14 Selecting Active Image Files for the Next Reboot..........................................................................16 Rebooting the Switch ................................................................................................................16 Downloading a New Image File ...................................................................................................18 Describing Configuration File Features ........................................................................................20 Displaying the Current Configuration File Selection ......................................................................22 Displaying the Configuration File Contents...................................................................................24 Selecting Active Configuration Files ............................................................................................24 Backing Up a Configuration File .................................................................................................26 Restoring the Configuration ........................................................................................................28 Managing ASCII-formatted Configuration Files .............................................................................30 Downloading ASCII-formatted Command Scripts ..........................................................................32 Returning the Switch To Factory Defaults ....................................................................................34 File System Commands .............................................................................................................36 Copying, Renaming, and Removing Files .....................................................................................38 Policy Files...............................................................................................................................40
Table of Contents Using the Switch Editor .............................................................................................................42 BootStrap Menu Options............................................................................................................44 BootROM Menu Options ............................................................................................................44 Upgrading the BootROM ............................................................................................................46 Summary..................................................................................................................................48 Lab..........................................................................................................................................50 Review Questions ......................................................................................................................52
Module 5: Layer 1 Configuration ...................................................................................................... 1

Student Objectives ......................................................................................................................2 Configuring Slot Parameters .........................................................................................................4 Configurable Port Parameters .......................................................................................................6 Auto-Negotiation, Speed, and Duplex ............................................................................................8 Enabling Jumbo Frames.............................................................................................................10 Link Aggregation .......................................................................................................................12 Link Aggregation Algorithms.......................................................................................................14 Dynamic Link Aggregation..........................................................................................................16 Switch Specific Link Aggregation Support ...................................................................................18 Enabling Link Aggregation .........................................................................................................20 Configuring Dynamic Link Aggregation ........................................................................................22 Verifying Link Aggregation Settings .............................................................................................24 Verifying Link Aggregation Ports .................................................................................................26 Disabling Link Aggregation.........................................................................................................28 Port Mirroring ...........................................................................................................................30 Extreme Discovery Protocol (EDP)...............................................................................................32 LLDP .......................................................................................................................................34 Configuring LLDP......................................................................................................................36 Summary..................................................................................................................................38 Lab..........................................................................................................................................40 Review Questions ......................................................................................................................42
Module 6: EXOS Stacking ................................................................................................................ 1

Student Objectives ......................................................................................................................2 SummitStack Stacking Technology Benefits ...............................................................................4 Hardware Requirements...............................................................................................................8 Software Requirements..............................................................................................................10 Stacking Ports - Stacking Architecture ........................................................................................12 Unit Roles - Stacking Architecture ..............................................................................................14 Ring Topology - Stacking Architecture .........................................................................................16 Topology Traffic - Traffic Handling - Stacking Architecture ............................................................18 Unicast Traffic - Traffic Handling - Stacking Architecture .............................................................20 Known Multicast Traffic - Traffic Handling - Stacking Architecture ................................................22 Unknown Unicast / Broadcast / Unknown Multicast - Traffic Handling - Stacking Architecture ..........24 Stack Join - Stacking Operations ................................................................................................26 Discover Stack Topology - Stack Topology....................................................................................28 Master / Backup Master Election - Stacking Operations.................................................................30
Table of Contents Stack Configuration - Stacking Operations ...................................................................................32 Operational Phase - Stacking Operations .....................................................................................32 Stack Link Failure Recovery - Stack Operations............................................................................34 Multiple Link Failure Recovery - Stack Operations ........................................................................36 Unit Failure Recovery - Stack Operations.....................................................................................38 Preparing a Stack for Configuration.............................................................................................40 Configuring a New Stack............................................................................................................42 Describing the Easy-Setup Option...............................................................................................44 Enabling / Disabling Stacking.....................................................................................................46 Configuring the Stacking Slot-number .........................................................................................48 Configure the Stacking MAC Address ..........................................................................................50 Configure Stacking Redundancy .................................................................................................52 Rebooting the Stack ..................................................................................................................54 Making The Non-Master Nodes IP Manageable.............................................................................56 Configuring Stacking License Level.............................................................................................58 Synchronizing Stacking Parameters.............................................................................................60 Verifying Stack Configuration .....................................................................................................62 Troubleshooting Stack Operation ................................................................................................62 Verifying Stack Operations .........................................................................................................64 Summary..................................................................................................................................66 Demonstration ..........................................................................................................................68 Review Questions ......................................................................................................................70
Module 7: Layer 2 Forwarding.......................................................................................................... 1

Student Objectives ......................................................................................................................2 ISO Seven-Layer Reference Model ................................................................................................4 Collision Domains in a Shared Medium .........................................................................................6 Carrier Sense Multiple Access with Collision Detection ...................................................................8 Transparent Bridges Used for LAN Segmentation .........................................................................10 Ethernet Frames .......................................................................................................................12 Bridge Functions.......................................................................................................................14 Flooding...................................................................................................................................16 Forwarding ...............................................................................................................................18 Filtering ...................................................................................................................................20 Forwarding Database .................................................................................................................22 FDB Entry Types .......................................................................................................................24 Displaying the FDB Table...........................................................................................................26 Adding Entries to the FDB .........................................................................................................28 Removing Entries from the FDB..................................................................................................30 Configuring MAC Address Learning .............................................................................................32 Configuring the FDB Aging Time.................................................................................................34 Describing Layer 2 Security Features ..........................................................................................36 Configuring Egress Flooding .......................................................................................................40 Configuring Limit-Learning.........................................................................................................42 Configuring Lock-Learning .........................................................................................................44 Verifying Limit-Learning and Lock-Learning .................................................................................46
Table of Contents Extreme Link Status Monitoring (ELSM) ......................................................................................48 Verifying Extreme Link Status Monitoring ....................................................................................50 Summary..................................................................................................................................52 Lab..........................................................................................................................................54 Review Questions ......................................................................................................................56
Module 8: Introduction to VLANs ...................................................................................................... 1

Student Objectives ......................................................................................................................2 Virtual LANs ...............................................................................................................................4 VLAN Operation ..........................................................................................................................6 Types of VLANs...........................................................................................................................8 Port-Based VLANs .....................................................................................................................10 802.1Q Tagged VLANs ..............................................................................................................12 802.1Q Tagged VLANs Uses ......................................................................................................14 Protocol-Based VLANs ...............................................................................................................16 Benefits of VLANs .....................................................................................................................18 Managing Port-Based VLANs ......................................................................................................20 Displaying VLAN Information......................................................................................................22 Creating and Deleting Port-Based VLANs .....................................................................................24 Adding and Removing Ports to and from a Port-Based VLANs ........................................................26 Enabling and Disabling Port-Based VLANs...................................................................................28 Renaming VLANs ......................................................................................................................30 Verifying Port-Based VLAN Configuration.....................................................................................32 System VLANs ..........................................................................................................................34 Extending Port-Based VLANs Across Switches..............................................................................36 Managing Tagged VLANs ...........................................................................................................38 Creating a Tagged VLAN ............................................................................................................40 Adding and Deleting Ports to and from a Tagged VLAN .................................................................42 Example: Configuring Tagged VLANs on Multiple Switches............................................................50 VLAN Rules ..............................................................................................................................52 Managing Protocol-Based VLAN..................................................................................................54 Creating a Protocol-Based VLAN .................................................................................................56 Creating a Protocol Filter ...........................................................................................................58 Predefined Protocol Filters .........................................................................................................60 Custom Protocol Filters..............................................................................................................62 Verifying Protocol-Based VLANs..................................................................................................64 Assigning a Protocol filter to a Protocol-Based VLAN ....................................................................66 Adding a Port to a Protocol-Based VLAN......................................................................................66 Protocol-Based VLAN Example Configuration ...............................................................................68 Configuring Protocol-Based VLANs..............................................................................................70 Notes on Protocol-Based VLANs .................................................................................................72 Summary..................................................................................................................................74 Lab..........................................................................................................................................76 Review Questions ......................................................................................................................78
Table of Contents
Module 9: Spanning Tree................................................................................................................. 1

Student Objectives ......................................................................................................................2 Introducing the Spanning Tree Protocol.........................................................................................4 Network Redundancy...................................................................................................................6 Identifying the Solution ...............................................................................................................8 Spanning Tree Algorithm ...........................................................................................................10 Spanning Tree Port States..........................................................................................................12 How Spanning Tree Works..........................................................................................................14 Spanning Tree Protocol Building Blocks ......................................................................................16 Selecting the Root Bridge ..........................................................................................................18 Selecting the Root Port..............................................................................................................20 Selecting the Designated Bridge and Designated Port ...................................................................22 Forwarding and Blocking Ports ...................................................................................................24 Detecting Topology Changes.......................................................................................................26 Recalculating Port States...........................................................................................................28 Planning a Spanning Tree Topology.............................................................................................30 Spanning Tree Enhancements ....................................................................................................32 Configuring a Single STPD in dot1w Mode...................................................................................34 Configuring STP Parameters.......................................................................................................36 Verifying STP Configuration........................................................................................................38 Notes on Spanning Tree Configuration.........................................................................................40 Summary..................................................................................................................................42 Lab..........................................................................................................................................44 Review Questions ......................................................................................................................46
Module 10: Ethernet Automatic Protection Switching ........................................................................ 1

Student Objectives ......................................................................................................................2 Ethernet Automatic Protection Switching.......................................................................................4 EAPS Domains and Ring Elements ...............................................................................................6 EAPS Domain and VLAN Relationship ...........................................................................................8 EAPS MAC Address ...................................................................................................................10 EAPS Fault Detection ................................................................................................................12 EAPS Fault Restoration .............................................................................................................16 EAPS Ring Design Considerations...............................................................................................20 Fail Time Triggers .....................................................................................................................22 Steps to Configuring EAPS on the Network ..................................................................................24 Configuring the Control VLAN.....................................................................................................24 Configuring Protected VLANs .....................................................................................................26 Configuring an EAPS Ring..........................................................................................................28 Disabling, Deleting, Unconfiguring, or Renaming EAPS ................................................................32 Configuring Polling Timers and Failure Actions ............................................................................34 Verifying the EAPS Configuration and Status................................................................................36 Summary..................................................................................................................................38 Lab..........................................................................................................................................40 Review Questions ......................................................................................................................42
Table of Contents
Module 11: IP Unicast Routing......................................................................................................... 1

Student Objectives ......................................................................................................................2 Layer 2 Versus Layer 3 Operations ................................................................................................4 Layer 2 ARP Operations Review....................................................................................................6 IP Routing Process ......................................................................................................................8 Directly Attached Routing Table Entries ......................................................................................10 Static Routes............................................................................................................................12 Default Route Routing Table Entry..............................................................................................12 Black Hole Route Routing Table Entry.........................................................................................14 Dynamic Route Entries ..............................................................................................................14 IP Routing, IP Switching, IP Forwarding ......................................................................................16 IP Forwarding / Switching ..........................................................................................................18 Directly Attached Forwarding Example ........................................................................................20 Multiple Hop Layer 3 IP Forwarding Example...............................................................................20 Relative Route Priorities ............................................................................................................22 Virtual Router Overview..............................................................................................................24 Configuring IP Forwarding - CLI Commands .................................................................................26 Configuring IP Forwarding Optional CLI Commands ...................................................................26 Configuring IP Forwarding - Configuration Example ......................................................................28 Verifying the IP Configuration.....................................................................................................30 Verifying the IP Route Table.......................................................................................................30 Verifying the IP ARP Table .........................................................................................................32 Verifying IP Statistics ................................................................................................................32 Managing ICMP Messages..........................................................................................................36 Using the PING Command .........................................................................................................38 Additional IP Unicast Features ...................................................................................................40 Lab..........................................................................................................................................42 Review Questions ......................................................................................................................44
Module 12: Configuring RIP ............................................................................................................. 1

Student Objectives ......................................................................................................................2 Limitations of Manual Configuration..............................................................................................4 Routing Information Protocol........................................................................................................6 Limitations of RIP Version 1.......................................................................................................10 RIP Version 2 ...........................................................................................................................10 Routing Table For Routers Using RIP ..........................................................................................12 Routing Loops ..........................................................................................................................14 Counting to Infinity Problem ......................................................................................................16 Split Horizon ............................................................................................................................18 Poison Reverse .........................................................................................................................20 Triggered Updates .....................................................................................................................22 RIP Limitations.........................................................................................................................24 RIP Configuration Steps.............................................................................................................26 RIP Specific Configuration Commands ........................................................................................28 RIP Configuration Example ........................................................................................................30 RIP Timer and Cost Configuration Commands ..............................................................................32
Table of Contents Additional RIP Configuration Commands .....................................................................................34 Verifying the RIP-specific Configuration ......................................................................................36 Verifying RIP Interfaces and Routes ............................................................................................38 Verifying IP Forwarding and VLAN Interface.................................................................................40 Verifying the Route Source .........................................................................................................42 Summary..................................................................................................................................44 Lab..........................................................................................................................................46 Review Questions ......................................................................................................................48
Module 13: Configuring OSPF .......................................................................................................... 1

Student Objectives ......................................................................................................................2 Defining OSPF ............................................................................................................................4 OSPF Routing Hierarchy ..............................................................................................................6 OSPF Areas ................................................................................................................................8 Identifying OSPF Area Types ......................................................................................................10 OSPF Router Types and Network Types .......................................................................................12 Designated Router Types ...........................................................................................................14 Designated Router Election ........................................................................................................16 Link State Advertisement ...........................................................................................................18 OSPF LSA Types .......................................................................................................................20 Building the Shortest Path Tree..................................................................................................22 How OSPF Operates ..................................................................................................................22 OSPF Router Neighbor Discovery ................................................................................................24 OSPF Hello Packets ..................................................................................................................26 LSDB Initial Synchronization......................................................................................................28 LSDB Synchronization ...............................................................................................................30 Identifying When OSPF Routing Occurs.......................................................................................32 Basic IP Configuration Review ....................................................................................................34 Configuring the OSPF Router ID .................................................................................................36 Configuring a Single OSPF Area..................................................................................................38 OSPF Configuration Example......................................................................................................40 Configuring Multiple OSPF Areas ................................................................................................42 Advanced OSPF Configuration ....................................................................................................44 Verifying the Basic IP Configuration ............................................................................................48 Verifying the Global OSPF Configuration......................................................................................50 Verifying a Single Area Configuration...........................................................................................50 Verifying OSPF Interface Configuration and Neighbor State ...........................................................52 Monitoring the LSDB .................................................................................................................54 Summary..................................................................................................................................56 Lab..........................................................................................................................................58 Review Questions ......................................................................................................................60
Module 14: Network Login Using Local MAC-Based Authentication .................................................... 1

Student Objectives ......................................................................................................................2 Describe the Network Login Feature ..............................................................................................4 Describing MAC-Based Authentication ..........................................................................................6
Table of Contents Listing the Steps to Implement Network Login Using Local MAC-Based Authentication....................10 Creating a Network Login VLAN ..................................................................................................12 Enabling Network Login .............................................................................................................14 Configuring Local MAC Authentication ........................................................................................16 Adding a MAC-based User to the Local Authentication Database....................................................18 Verifying Global Network Login Settings ......................................................................................20 Displaying the System Log .........................................................................................................22 Network Login Design Considerations ..........................................................................................24 Local MAC-Based Network Login - Configuration Example .............................................................26 Disconnecting Network Login Sessions ........................................................................................28 Summary..................................................................................................................................30 Lab..........................................................................................................................................32 Review Questions ......................................................................................................................34
Module 15: Universal Port ............................................................................................................... 1

Student Objectives ......................................................................................................................2 Purpose and Function of Universal Port .........................................................................................4 Underlying Technologies for Universal Port ....................................................................................6 Authentication with Universal Port ................................................................................................8 802.1x Authentication Process...................................................................................................10 Configuration with 802.1x Authentication ...................................................................................10 Web-Based Network Login Authentication....................................................................................12 MAC-Based Authentication ........................................................................................................14 Universal Port Dynamic Security Policies.....................................................................................16 Universal Port Profiles ...............................................................................................................18 Profile Rules.............................................................................................................................20 Static Profiles for Edge Ports......................................................................................................22 Dynamic Profiles for Devices and Users.......................................................................................24 Events that Dynamically Trigger Profiles ......................................................................................26 Types of Dynamic Profiles ..........................................................................................................26 Dynamic Device-Based Profile ....................................................................................................28 Example of Device-Based Dynamic Profile ...................................................................................30 Dynamic User-Authentication Profile...........................................................................................32 Example of User-Authenticated Dynamic Profile...........................................................................34 Dynamic Time-of-Day Profile ......................................................................................................36 Dynamic Event Management System Profile.................................................................................38 Running a Profile ......................................................................................................................40 Scripting for Universal Port ........................................................................................................42 Creating Profiles .......................................................................................................................42 Device Detect Configuration: without Authentication.....................................................................44 Device Detect Configuration: with Authentication .........................................................................46 Universal Port Verification Commands.........................................................................................48 Universal Port Modules..............................................................................................................50 Universal Port Manager..............................................................................................................52 Universal Port References ..........................................................................................................54 Summary..................................................................................................................................56
Table of Contents Lab..........................................................................................................................................58 Review Questions ......................................................................................................................60
Module 16: Policy-Based QoS.......................................................................................................... 1

Student Objectives ......................................................................................................................2 What is Quality of Service?...........................................................................................................4 When Do You Need QoS? .............................................................................................................6 Two Major Benefits of QoS ...........................................................................................................8 Traffic Types and QoS Guidelines ...............................................................................................10 Policy-Based QoS Support on an Extreme Network Switch.............................................................12 Configuring Policy-Based QoS ....................................................................................................14 Considerations When Configuring QoS on the BlackDiamond 8800, Summit X450, and Summit X250 Switches ..................................................................................................................................16 Creating and Configuring Queues and Profiles on the BlackDiamond 8800 and Summit X450/X250 Switches ..................................................................................................................................18 Creating a QoS Profile (BlackDiamond 8800, Summit X450, and Summit X250 Switches) ..............20 Configuring QoS Profile Weight...................................................................................................20 QoS Profiles on the BlackDiamond 10808 Switch ........................................................................22 QoS Building Block: Traffic Groupings ........................................................................................24 Traffic Groupings In Default Precedence .....................................................................................26 ACL-Based Traffic Groupings......................................................................................................28 Explicit Class of Service Traffic Groupings ...................................................................................30 802.1p Information...................................................................................................................32 Physical and Logical Groupings ..................................................................................................34 BlackDiamond 8800 Family of Switches, Summit X450, and Summit X250 Switches QOS Profile Display .........................................................................................................................................36 BlackDiamond 10808 Switch Display .........................................................................................38 Verifying QoS Configuration and Performance ..............................................................................40 Other Useful QoS Display Commands..........................................................................................42 BlackDiamond 10808 Bandwidth Settings ..................................................................................44 Modifying a QoS Policy ..............................................................................................................46 Assigning Policy-Based QoS: Review ...........................................................................................48 Summary..................................................................................................................................50 Lab..........................................................................................................................................52 Review Questions ......................................................................................................................54
Module 17: Switch Diagnostics........................................................................................................ 1

Student Objectives ......................................................................................................................2 System Diagnostics .....................................................................................................................4 Power-On Self-Test......................................................................................................................6 System Health Checker................................................................................................................8 Configuring the BlackDiamond System Fault Recovery Level .........................................................10 Configuring the System Fault Recovery Level ...............................................................................12 Configuring the System Health Check Response...........................................................................14 Enabling the Backplane System Health Check .............................................................................16 Running System Diagnostics ......................................................................................................18 Displaying System Diagnostic Results .........................................................................................20
10
Table of Contents Identifying the Busiest Process...................................................................................................22 Displaying Processes .................................................................................................................26 Monitoring Process Heartbeat.....................................................................................................28 Terminating a Process ...............................................................................................................30 Starting a Process .....................................................................................................................32 Monitoring System Memory ........................................................................................................34 Monitoring Protocol Memory.......................................................................................................36 Summary..................................................................................................................................38 Lab..........................................................................................................................................40 Review Questions ......................................................................................................................42
Module 18: Network Troubleshooting ............................................................................................... 1

Student Objectives ......................................................................................................................2 Overview ....................................................................................................................................4 Maintenance Before Troubleshooting.............................................................................................6 Use a Layered Approach when Troubleshooting ..............................................................................8 Troubleshooting at the Physical Layer .........................................................................................10 Port LED Indicators ...................................................................................................................12 Troubleshooting Commands for the Physical Layer .......................................................................14 Displaying Port Configuration Statistics .......................................................................................16 Displaying Real Time Transmitted Packet Errors...........................................................................18 Displaying Real Time Collision Statistics .....................................................................................20 Displaying Real Time Port Utilization Information.........................................................................22 Displaying Connectivity and Configuration Information for Neighboring Switches .............................24 Layer 1 Problem: Diagnosis and Solution.....................................................................................26 Layer 1 Problem: Further Symptoms and Diagnosis ......................................................................28 Troubleshooting at Layer 2: Data Link Layer ................................................................................30 Commands for Layer 2 Troubleshooting .......................................................................................32 Displaying Forwarding Database (FDB) information.......................................................................34 Displaying Information About Every VLAN....................................................................................36 Layer 2 Problem: Symptoms.......................................................................................................40 Troubleshooting at Layer 3: Network Layer...................................................................................42 Displaying IP Forwarding and Routing Protocol ............................................................................44 Displaying VLAN Configuration Information..................................................................................46 Displaying Contents of IP Routing Table ......................................................................................48 Verifying Contents of IP Routing Table ........................................................................................50 Displaying the IP Address Resolution Protocol Table.....................................................................52 Displaying Global OSPF Information............................................................................................54 Displaying RIP Specific Configuration Information........................................................................56 Displaying IP Statistics for the CPU ............................................................................................58 Displaying IP Statistics for the VLAN ..........................................................................................58 Using ICMP Commands for Layer 3 Troubleshooting .....................................................................60 Layer 3 Problem: Symptoms.......................................................................................................62 Layer 3 Problem: Diagnosis ........................................................................................................62 Layer 3 Problem: Solution..........................................................................................................64 Collecting Information for Technical Support ...............................................................................66
11
Table of Contents Interpreting a Syslog File ...........................................................................................................68 Sample Syslog File: You Set Parameters......................................................................................70 Systematic Troubleshooting Steps...............................................................................................72 Defining the Problem.................................................................................................................74 Gathering Information Used for Troubleshooting...........................................................................76 Consider Escalation ...................................................................................................................78 Developing and Testing Theories.................................................................................................80 Implementing a Solution............................................................................................................82 Documenting the Solution..........................................................................................................84 Summary..................................................................................................................................86 Lab..........................................................................................................................................88 Review Questions ......................................................................................................................90
12
Introduction and Orientation
ExtremeXOS Operation and Configuration

The Extreme Networks Operation and Configuration training class is designed to provide students with the ability to identify, describe, and use the features available with ExtremeXOSTM.
Target Audience
The primary audiences for this class are end-users, partners, and Extreme Networks technical personnel that are seeking Extreme Networks Associate (ENA) certification.
Module Content
Module one presents an introduction to the course content, training facilities, student objectives, course prerequisites, agenda, and certification curriculum.
Figure 1: Module Content
Introductions
Provide your name, company, job title, and experience. Please share your previous networking experience as well as any Extreme Networks product exposure. This helps the instructor to adjust the class according to student skill sets.
Figure 2: Introduction
Facilities
Familiarize yourself with the facilities, particularly where the Emergency Exits and First Aid Stations are located. Pick up a name badge from the receptionist if available. The instructor specifies any special parking considerations when necessary.
Figure 3: Facilities
Student Kit
The illustration lists the contents of the student kit.
Figure 4: Student Kit
Administrative
The instructor circulates a class roster during the student introductions. Each student should check his or her own information on the class roster. When all information is verified, initial your name. Ensure that your name is spelled correctly the way you want it to be on the certificate at the completion of this course. Breaks are typically 15 minutes each and lunch is about an hour. However, the times may vary at the discretion of the instructor. Please silence all pagers and cell phones by turning off the audio beeps and/or muting the volume. At the instructor's discretion, pagers/phones in vibrate mode are permitted. If you need to take a phone call, go outside the classroom in consideration of the other students. Questions are encouraged at any time. Lab exercises are performed after each major topic is discussed. A student completing all the requirements of the Extreme Networks Associate (ENA) is certified and provided an Extreme Networks Certified Training Certificate.
10
Figure 5: Administrative
11
Course Prerequisites
To be successful in this class, it is recommended that students have a working knowledge of LAN fundamentals, and TCP/IP, IP addressing, and subnet masking. You should be competent in switching, bridging, and routing concepts.
12
Figure 6: Course Prerequisites
13
High-Level Student Objectives

The illustrations list the high-level student objectives for this course.
14
Figure 7: High-Level Student Objectives
Figure 8: High-Level Student Objectives (Continued)
15
Agenda
16
Figure 9: Day 1 - Agenda
17
Agenda (Continued)
18
Figure 12: Day 4- Agenda
19
Agenda (Continued)
20
21
Introduction to the Extreme Networks Certification Program

Career certification is available from many of places. But we're talking about Extreme Networks certification, an innovative, comprehensive approach to certification. Our lab-intensive learning environments and hands-on exam requirements mean that you become Extreme Networks-certified with proven experience and skills to successfully deploy and manage Extreme Networks products in a variety of network environments. The Extreme Networks certification program authenticates your skill set and supercharges your IT career, bringing measurable benefits to you, your department, and your company.
Certification Levels

Level 1 Extreme Networks Associate (ENA) Level 2 Extreme Networks Specialist (ENS)
22
Figure 14: Introduction to Extreme Networks Certification Program
Figure 15: Extreme Networks Certification Program
23
Extreme Networks Associate (Level 1)

The Extreme Networks Associate (ENA) certification confirms your knowledge of the Extreme Networks product portfolio and configuring and managing Extreme Networks switches in Layer-2 and Layer-3 environments. The certification is intended for individuals responsible for the installation, configuration, and management of Extreme Networks products. Receive your ENA Certification The ENA certification level establishes the foundation for all Extreme Networks certification program levels. Successful completion of the EXOC training course in full provides ENA certification. A certificate with a unique certification number is issued immediately. ENA certification is valid for two years. Alternatively, an 80-question multiple choice exam can be taken to validate the candidates' knowledge of basic Extreme Networks hardware configuration using the ExtremeXOS command line interface (CLI). Extreme Networks Authorized Training Partners (ATP) administer the ENA certification tests. The cost of the exam is equal to one day of training or one training voucher. Candidates who achieve a score of 75% or greater are awarded the distinction of Extreme Networks Associate. Follow these steps to register for the ECF training class or the stand-alone Extreme Networks Associate exam: 1 Direct your web browser to www.extremenetworks.com. 2 From the web page you can select an Extreme Networks ATP test center in your region. 3 Be sure to bring valid, government issued photo identification to the testing location.
24
Figure 16: Extreme Networks Associate (Level 1)
25
Extreme Networks Specialist (Level 2)

The Extreme Networks Specialist (ENS) certification represents a solid foundation of networking skills for individuals responsible for advanced configuring, managing, maintaining, and troubleshooting of Extreme Networks products. The pre-requisite for this certification is completion of the ENA certification level. ENS certified skills include:

Configure Extreme Networks advanced redundancy features. Configure Extreme Networks advanced multicast routing features. Configure Extreme Networks switches in complex routing environments. Configure Extreme Networks switches advanced security features. Troubleshoot Extreme Networks switches for Layer-2 and Layer-3 networking problems.
ENS certification is valid for two years. The exam is administered by selected Extreme Networks Authorized Training Partners.
First-Level TAC Bypass with ENS Certification

ENS certified customers with a valid service contract have direct access to Tier 2 Technical Assistance Center (TAC) support. They are able to bypass Level 1 TAC.
ENS Exam
Scheduling this exam is similar to scheduling the ENA exam. Direct your web browser to www.extremenetworks.com. From the web page you can select an Extreme Networks ATP test center in your region. The ENS exam is a four-hour written and hands-on exam performed at and guided by one of Extreme Networks ATP test centers. The exam is comprised of two parts. One part consists of multiple choice questions. The other part consists of a hands-on practical exam. Candidates must achieve a score of 75% to be certified. The price for this exam is a single one-day training voucher. Be sure to bring a valid, government issued, photo identification to the testing location.
26
Figure 17: Extreme Networks Specialist (Level 2)
Figure 18: Extreme Networks Specialist Exam
27
ENA Certification Curriculum

The curriculum consists of instructor led courses, which provide students with the skill level described in the certification overview. The courses are grouped so you can easily determine which courses are needed for a certain certification level.
ExtremeXOS Operation and Configuration (EXOC-200/5)

The ExtremeXOS Operation and Configuration training class provides Extreme Networks customers with instructor-led lectures and extensive hands-on laboratory exercises. This course presents the concepts and skills required to deploy the Extreme Networks products as Layer 2 switches and as wirespeed Layer 3 routers in a variety of network situations. This course is based on ExtremeXOS 12.1. The course focuses on device management, Layer 2 configuration, Layer 3 configuration for IP networks using static routes, RIP, OSPF, universal port, and basic network troubleshooting. The course also presents an overview of the ExtremeXOS software feature set. Students learn to:

Describe Extreme Networks' products. Use the ExtremeXOS command line interface structure. Configure the Extreme Networks' switch for network management. Configure Layer 1 and Layer 2 networking features. Configure Layer 3 routing. Perform basic troubleshooting steps.
This course is based on ExtremeXOS.
28
Figure 19: Certification Curriculum
29
ENS Certification Curriculum

ExtremeXOS Accelerated Extreme Networks Specialist (ENS) Certification (EANS-300/5)
This is a five day version of the ENS Certification curriculum. The critical content for ENS certification from the four ENS level classes listed below has been identified and included in this rapid paced comprehensive advanced training.
ExtremeXOS Implementing Advanced Security (EIAS-300/3)

This course is tailored for those people who need to implement and maintain security in the network with features as such ACLs, QoS, DoS protection, and Network Login. The knowledge that can be obtained from the EXOC-200/5 course is a prerequisite for attending the EIAS training.
ExtremeXOS Implementing Advanced OSPF Networks (EIAO-300/2)

This course is designed for those individuals responsible for the installation, configuration, management, support, and use of the Extreme Networks switches in a routed environment. This course is ideal for individuals who are familiar with Layer 3 routing but desire a more comprehensive discussion on how to set up an OSPF network using Extreme Networks products. The knowledge that can be obtained from the EXOC-200/5 course is a prerequisite for the EIAO training. This course is based primarily on ExtremeXOS.
ExtremeXOS Implementing Redundant Networks (EIRN-300/2)

This course is intended for people who build and maintain redundant networks using advanced features such as MSTP, EMISTP, EAPS, ESRP, and VRRP. The knowledge that can be obtained from the EXOC-200/5 course is a prerequisite for the EIRN training.
ExtremeXOS Implementing Multicast Routing (EIMR -300/2)

This course covers multicasting concepts and operation and Extreme Networks Multicast Features including the IGMP, MVR, PIM-DM, and PIM-SM protocols. Additional multicasting protocols are also presented. The knowledge that can be obtained from the EXOC-200/5 course is a prerequisite for attending the EIMR training. This course is based primarily on ExtremeXOS.
30
Figure 20: ENS Certification Curriculum
31
Supportive Curriculum
The following courses are currently elective.
EPICenter 5.0 Tutorial

This is a task-based interactive tool for learning how to use EPICenter software to efficiently manage, monitor, and configure your network. The tutorial includes seven modules and is presented using text, video, demonstrations, quizzes, and interactive scenarios. It is available on CD-ROM.
Extreme IPv6 Fundamentals

The Extreme IPv6 Fundamentals training class covers IPv6 theories and Extreme Networks IPv6 implementation and deployment methods. This course is designed for individuals responsible for the configuration, management, maintenance, and support of Extreme Networks switches in an IPv6 environment. This course is ideal for technical individuals who are familiar with IPv4, but are new to IPv6 and IPv6 features on Extreme Networks products.
Summit WM Fundamentals
This course is an introduction to the Summit WM-Series WLAN Switch and the Altitude AP, which comprises the Summit WM Wireless Solution. This course is designed for individuals responsible for the installation, configuration, maintenance and troubleshooting of the wireless solution.
Sentriant AG Operation and Configuration

This two-day instructor led course is designed to demonstrate the recommended methods to be used to configure, troubleshoot, and implement a Network Access Control (NAC) solution based on Extreme Networks Sentriant AG. A critical component of a NAC solution, Sentriant AG systematically tests endpoint devices for compliance with organizational security policies, quarantining non-compliant computers before they can compromise the integrity of the enterprise network.
Sentriant NG Operation and Configuration

This two-day instructor led course is designed to demonstrate the recommended methods to be used to configure, implement, and troubleshoot Extreme Networks Sentriant NG (Network Guard). The Sentriant NG appliance secures the network interior against rapidly propagating threats including DayZero attacks and worm storms by employing behavior-based threat detection methods. As a key component of the Extreme Security Framework - a comprehensive, scalable and easy to use networkbased security solution, Sentriant NG is an out-of-band device that creates no performance impact to networks and cannot jeopardize network availability - even while the network is under attack.
32
Figure 21: Supportive Curriculum
Figure 22: Certification and Curriculum Updates
33
Summary
At this point you should be familiar with the facilities and the Extreme Networks technical curriculum.
34
Figure 23: Summary
35
Introduction and Orientation This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
36
Extreme Networks Product Overview
Student Objectives
The Product Overview module provides an overview of the Extreme Networks Products, including hardware, and software. Upon completion of this module, you will be able to:

List the various Extreme Networks product lines. Differentiate between the chassis and standalone switches. Describe Extreme Networks Summit WM system. Describe Extreme Networks Sentriant products. Describe Extreme Networks Management products. Identify the web-based user interfaces for Extreme Networks switching products.
Figure 1: Student Objectives
Product Families Overview

Extreme Networks offers products in the following categories:

Switching products Wireless products Security products Network management products
Switching Products
Extreme Networks switching products come in two varieties: chassis and standalone. The chassis-based switching products are represented by the BlackDiamond product lines. The standalone switching products are grouped together under the Summit brand.
Wireless Products
The Summit WM20/200/2000 WLAN controller, and Altitude 350-2i/350-2d AP (indoor) are the wireless products offered by Extreme Networks.
Security Products
The Sentriant product line defines the various security products. Currently the Sentriant NG and Sentriant AG are the products in this portfolio.
Network Management Products

The network management products include EPICenter, EPICenter Asset Discoverer, Service Watch, and Extreme Networks Policy Manager (EPM). Check the Extreme Networks website to get the latest product information. http://www.ExtremeNetworks.com
Figure 2: Product Families Overview
Extreme Networks Switch Operating Systems

Extreme Networks supports two operating systems for the switching product line:

ExtremeWare ExtremeXOS
ExtremeWare
ExtremeWare is a mature operating system that provides a rich set of Layer 2 and Layer 3 resiliency protocols, including EAPS. It provides ease of management and monitoring with support for LLDP and sFlow. Security features include network access authentication integrated with host integrity checking, control, and management plane security.
ExtremeXOS
ExtremeXOS is Extreme Networks advanced operating system. The functions and CLI are compatible with ExtremeWare to enable customers to easily migrate from one platform to another. It provides a high-availability architecture, extensibility via XML, dynamic application loading, and Universal Port scripting.
Figure 3: Extreme Networks Switch Operating Systems
ExtremeWare to ExtremeXOS Comparison

ExtremeWare and ExtremeXOS
ExtremeWare and ExtremeXOS share many of the same core features, such as:

Network login IP security Hitless failover/upgrade MAC security Host integrity checking integration LLDP SNMPv1/v2/v3 SSH2/SCP EAPS, STP, ESRP, VRRP OSPF, RIP, PIM BGP sFlow (i-series platforms)
ExtremeXOS Only
The following list of features is only available on ExtremeXOS (not ExtremeWare):

IPv6 Layer 2 Layer 3 support Process monitoring and restart Process memory protection XML APIs Dynamic software module loading CLI scripting Universal Port

VoIP auto-configuration User-based dynamic security policies Time of the day policies
Virtual routers CLEAR-Flow
Figure 4: ExtremeWare to ExtremeXOS Comparison
Chassis-Based Switching Product Overview

Extreme Networks chassis-based switches are represented by the BlackDiamond product line. These chassis-based switches are powered by ExtremeXOS.
BlackDiamond Chassis-Based Switches

Most BlackDiamond chassis-based switches run ExtremeXOS. The following table identifies some of the capabilities offered by the various BlackDiamond chassis-based switches:
Max 10/100T Ports NA NA NA NA NA NA Max 10/100/1000T Ports 480 80 40 80 432 240
BlackDiamond 10808 12804R 12802R 12804C 8810 8806
GBIC / SFP 480 80 40 80 440 248
10 GB 48 8 4 8 36 20
POE No No No No Yes Yes
Height 22 RU 10 RU 3 RU 10 RU 20 RU 14 RU
10
Figure 5: Chassis-based Switching Product Overview
11
Standalone Switching Product Overview

Extreme Networks standalone switches are also available in ExtremeXOS and ExtremeWare varieties. The following table identifies the various standalone switches that are currently offered by Extreme Networks:
Summit Model / Media Type Summit48si X150-t / -p X250e-t / -p X250e-x X350-t X450-t Series X450-x Series X450a-t Series X450a-x Series X450e-p
OS EWare XOS XOS XOS XOS XOS XOS XOS XOS XOS
Max 10/100 Ports 48 24 / 48 24 / 48 24 -sfp NA NA NA NA NA NA
Max 10/100/ 1000 T Ports NA 2 2 Shared 2 Shared 24 / 48 24 4 24 / 48 4 NA
GBIC / SFP 2 2 2 Shared 2 Shared 4 Shared 4 24 4 24 4
10GB No No No no Yes Yes Yes Yes Yes Yes
POE No 24 -p 24 / 48 -p No No No No No No 24 / 48 -p
Stacking No No Yes Yes Yes Yes Yes Yes Yes Yes
NOTE
The -x, -t, and -p identifiers in the above table indicate if the product media is a optical, twisted-pair, or Power-overEthernet platform, respectively.
12
Figure 6: Standalone Switching Product Overview
13
ExtremeXOS Feature Licensing Model

The default licenses depends on product role. For example, a Core license is typically needed on switches deployed in an aggregation or network core role, for Layer 2 or Layer 3 designs. As you can see from the following list, there are five license levels currently offered by Extreme Networks:

Layer 2 Edge Edge Advanced Edge Core
Simple One-step License Upgrade

Extreme Networks offers and easy one-step upgrade process to enable you to add capabilities to your existing switch. For example:
An Edge license can be upgraded to an Advanced Edge license. This upgrade is appropriate for Summit X250e and Summit X450e switches. An Advanced Edge license can be upgraded to a Core license. This upgrade is appropriate for Summit X450a, BlackDiamond 8800, and BlackDiamond 12802 switches. NOTE
Extreme Networks offers one-step upgrades only. Multi-step upgrades may be offered in the future.
Feature Packs
Feature packs offer separately licensed functionality on specific platforms. The following licenses are examples of Feature Packs:

MPLS L2 VPNs on BlackDiamond 10808 + 12800 H-QoS on BlackDiamond 12800
14
Figure 7: ExtremeXOS Feature Licensing Model
15
ExtremeXOS Licensing Features Details

As you can tell from the slide, features are grouped according to the role that the switch is expected to perform in the network. If the device is expected to only support Layer 2 functions, then a Layer 2 Edge license is appropriate. If the switch is expected to perform an aggregation or core role, then a Core license may be more appropriate.
16
Figure 8: ExtremeXOS Licensing Features Details
17
Extreme Networks Wireless Products

Extreme Networks currently offers two wireless product platforms:

Summit WM20 Summit WM200/2000
Both the SWM (Summit Wireless Mobility) 100 and SWM200/2000 support the Altitude 350-2 AP. Also, both platforms feature dual hot-swappable power supplies.
Summit WM20
The Summit WM20 is a wireless system that features centralized controllers to manage APs. The Summit WM 20 System provides you with two 10/100/1000 Ethernet ports, support for up to thirty-two APs, and Dynamic Radio Management (DRM). It also supports up to five hundred twelve wireless client and eight access domains.
Summit WM200/2000 Series

The Summit WM200/2000 series has greater capacity than the Summit WM20. The hardware uses a modular architecture that provides a greater degree of serviceability because the service blades are field replaceable. The Summit WM200 System provides you with four 10/100/1000 Ethernet ports, support for 100 APs, and Dynamic Radio Management (DRM) as a standard feature. It also supports up to 2048 wireless client and 32 access domains. The Summit WM2000 System provides you with four 10/100/1000 Ethernet ports, support for 200 APs, and has Dynamic Radio Management (DRM) as a standard feature. This WM platform supports up to 4096 wireless client and 64 access domains.
18
Figure 9: Extreme Networks Wireless Products
19
Extreme Networks Security Products

Extreme Networks security products provide vital services to safeguard your network. The Sentriant NG (Network Guard) product analyzes network traffic to detect threats on the wire and then take action to mitigate their effects. The other member of the Sentriant product line is the Sentriant AG (Access Guard). This offering provides network access control services that manages access to the network by verifying integrity of compliancy of systems that as they access the network.
Sentriant NG
The Sentriant NG system has the following characteristics:

Detects and mitigates rapidly propagating threats in seconds. Defends against threats without interfering with network traffic Uses behavior-based threat detection methods (no signatures, no heuristics) Uses behavior-based technology to identify Day-Zero threats for which signatures are unavailable. Delivers fast detection with a network of virtual decoys Isolates attackers and prevents them from communicating with the remainder of the network
Sentriant AG
The Sentriant AG system has the following characteristics:
Network Access Control (NAC)protects the network by verifying that endpoint devices are free from threats and in compliance with IT security policies. Compliancy Tests Include: OS service packs and hot-fixes Browser and OS security settings Wireless security settings Anti-virus software, anti-spyware software, and personal firewall software (installed, running, and up-to-date) Administrator defined required or prohibited software
20
Figure 10: Extreme Networks Security Products
21
Extreme Networks Management Products

EPICenter
EPICenter is an SNMP (Simple Network Management Protocol) / SSH(Secure Shell)-2-based Network Management Tool that enables the Network Administrator to manage and map Extreme Networks and third-party devices. The EPICenter management suite from Extreme Networks is a scalable full-featured network management tool that simplifies configuration, troubleshooting and status monitoring of IP-based networks. Offering a comprehensive set of network management applications providing the ability to configure, monitor, troubleshoot and manage the network and its elements.
Extreme Networks Policy Manager (EPM)

Extreme Networks Policy Manager (EPM) is a client-based software designed to help IT staff quickly and efficiently create and manage Access Control Lists (ACLs) and CLEAR-Flow rules on ExtremeXOS switches. EPM offers real-time interaction with the switches so that information is up-to-the-minute and changes can take place immediately. The GUI and Wizard-based interface supports complex searching, sorting, change control, and rule import/export. This improves efficiency and accuracy of both ACL and CLEAR-Flow management. Automated dependency checks and rule checks are provided to help prevent ACL mis-configuration, which can lead to security breeches.
ServiceWatch Application and Service Monitoring Tool

ServiceWatch is a Layer 4-7 monitoring and management software solution for mission-critical network services such as network access authentication, name and directory services, business applications, email and web. It gives network managers a users perspective of how their Layer 4-7 network services are performing. If service response time starts to degrade, ServiceWatch notifies the network manager to take corrective action before a problem occurs. ServiceWatch may also be used for capacity planning and to track Service Level Agreements (SLAs) through historical reporting and graphing of service availability and response times.
22
Figure 11: Extreme Networks Management Products
23
Switching Product User Interface Tools

Each Extreme Networks switch comes with built-in management interfaces that enable you to manage the devices with tools that are typically available on a standard personal computer (PC).
Command Line Interface (CLI)

The CLI is a text-based single device user-interface that is easy to use, deploy, document, and automate. Commands are organized in an intuitive hierarchy that enables you to easily locate specific commands. The CLI is accessible through the Serial Console Port, Telnet, or SSH-2.
Browser-Based - Built-In Device Management Graphical User Interface (GUI)

The browser-based interface provides a means of managing individual switches using your web browser. On ExtremeWare systems, the browser-based interface is called Vista. On ExtremeXOS systems, the browser-based interface is called ScreenPlay. Screenplay is available on ExtremeXOS version 12.0 and higher. To enable the browser-based interface, you must enable an HTTP server.
24
Figure 12: Switching Product User Interface Tools
25
Summary
In summary, you should now be will be able to:

List the various Extreme Networks product lines. Differentiate between the chassis and standalone switches. Describe Extreme Networks Summit WM system. Describe Extreme Networks Sentriant products. Describe Extreme Networks Management products. Identify the web-based user interfaces for Extreme Networks switching products.
26
Figure 13: Summary
27
Review Questions
1 Which of the following products is part of the security product line? a Summit WM20 b EPICenter c Sentriant NG d Altitude 350-AP
2 The Summit WM20 is which type of product? a Switching product b Wireless product c Security product d Network management product
3 Which of the following products is a standalone switch? a Summit X450-24T b BlackDiamond 12804R c Sentriant NG d Summit WM200
4 Which of the following security products enables you to control network access? a Sentriant AG b Summit WM200 c ServiceWatch d Summit X450-24t 5 Which of the following licenses is on the Summit X150-24T by default? a Layer 2 Edge b Edge c Advanced Edge d Core
28
6 Which of the following features is available with an Edge License, but not with a Layer 2 Edge license? a MAC + IP security b IGMP snooping + filters c PIM snooping d Stacking
7 In which version of software is ExtremeXOS ScreenPlay first supported? a 11.4 b 11.6 c 12.0 d 12.1
29
Extreme Networks Product Overview This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
30
Initial Switch Configuration
Student Objectives
The Initial Switch Configuration module presents a structured examination of the Extreme Networks Command Line Interface (CLI) along with the syntax and basic commands. Upon completion of this module, you will be able to:

Login to the switch. Interpret the system prompt. Assign a name to the switch. Use the syntax help function. Create a new user account. Describe the Simple Network Management Protocol (SNMP), Simple Network Time Protocol (SNTP), and logging management features.

Unless you have set up a BOOTP server to provide the device with its configuration, you will need to configure the switch through the serial port. The console port can be used for direct local management. The default console port configuration is as follows:
Object Physical Connectors Serial Equipment Type Baud Rate Data Bits Stop Bits Parity Flow Control Attributes DB-9 / Male Data Terminal Equipment (DTE) 9600 8 1 None XON/XOFF
The serial port is a 9-pin Male DTE connector that is configured for serial communications at ninety-six hundred bits per second, no parity bits, 8 data bits, and 1 stop bit. The serial port also uses XON / XOFF flow control. Because the serial port on the switch is configured as a serial Data Terminal Equipment (DTE) port, the serial cable connecting the switch to a PC or terminal should be a crossover cable (null modem). Once the switch and the computer are physically connected, you must invoke a terminal emulation program such as Hyper Terminal or PuTTY to manage the device.
Safe-Defaults Script
If this is the first time the switch has been configured since being set to the factory default configuration, the device executes the safe-default script and prompts you to:

Disable Telnet. Disable SNMP management access. Disable unconfigured system ports. Change the failsafe account username and password. Permit failsafe account access via the management port.
You respond with the letter Y for Yes and N for No in response to the prompts. The safe-default allows the administrator to provide a relative degree of security to the device by prompting them to disable management interfaces and ports that they will not be using. You may use the following command to rerun the safe-default script. configure safe-default-script Executing this command maintains your other configuration parameters.
Figure 2: Initial Switch Configuration
CLI Access
The Extreme Networks switch product family is accessible through the Command Line Interface (CLI) using either of the following three connection types:

The console port A Telnet session A Secure Shell (SSH) session.
Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP network. Up to eight active Telnet sessions can access the switch concurrently. With idle-timeout enabled the Telnet and console connection times out after twenty minutes of inactivity. If a connection to a Telnet session is lost inadvertently, the switch terminates the session within two hours. Nested Telnet sessions are also supported. Some Extreme Networks switches provide a dedicated 10/100 or 10/100/1000 Ethernet management port. This port provides dedicated remote access to the switch using TCP/IP. Management through this port can be Telnet using the CLI interface, ExtremeXOS ScreenPlay Web access, or SNMP access using EPICenter or another SNMP management application. The Ethernet management port is a DTE port, and is not capable of supporting switching or routing functions. The TCP/IP configuration for the management port is completed using the same syntax as is used for VLAN configuration. The pre-configured VLAN, called mgmt, only has the Ethernet management port as a member.
Figure 3: CLI Access
CLI Organization
As shown in the illustration the CLI provides commands that are nested five to six layers deep. Most of the CLI commands take effect immediately. The Extreme Networks Command Line Interface, or CLI, is simple to navigate. It uses a flat command hierarchy and doesnt require that you bounce back and forth between modules and sub-menus to configure the device. Simply start typing at the prompt in order to administer the switch.
Figure 4: CLI Organization
Syntax Helper
If you are unsure of the complete syntax for a particular command, enter as much of the command as possible. The syntax helper provides a list of options for the remainder of the command.
Tab Key Completion

Because of the number of features that these devices support, many of the commands contain multiple parameters and options. To assist you in administering the device, the CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular command, enter as much of the command as possible and press the tab key or the question mark (?). The syntax helper will then provide a list of options for the remainder of the command and places the cursor at the end of the command you have entered so far, ready for the next option. If you enter an invalid command, the syntax helper notifies you of your error and indicates where the error is located. If the command is one where the next option is a named component (such as a VLAN, access profile, or route map), the syntax helper also lists any currently configured names that might be used as the next option. In situations where this list is very long, the syntax helper lists only one line of names, followed by an ellipses (or three dots) to indicate that there are more names that can be displayed. An example of the use of the syntax helper is if you were to type the command CREATE and then press the tab key, you would be presented with a list of parameters associated with that command. If you extend the command to become CREATE VLAN and then press the TAB key, the system will then show you the parameters that are appropriate for the CREATE VLAN command. The syntax helper also provides assistance if you enter an incorrect command.
The Question Mark Command Option

The CLI also allows you to prompt the system for the possible next option by ending the partial command with a question mark (?). At that point, the system will provide you with a list of the options at that point in the command.
10
Figure 5: Syntax Helper
11
CLI Abbreviated Syntax and History

Abbreviated syntax is the shortest, unambiguous abbreviation of a command, parameter, or value. This can be as short as the first letter of the command, but by convention is typically the first three letters. Avoid misspelled words, as the parser is not be able to recognize these. Here is an example, using abbreviation, where you can reduce the command string by typing the following: co defa ad po 1-9 t n The full command string is actually: configure vlan default add ports 1-9 tag nobroadcast
Entering Port Values

When entering the ports within a CLI command, you have the choice to:

List the ports separated by commas, i.e. 1,2,4 Specify a range of ports, i.e. ports 1-9 Specify all ports, i.e. ports all
CLI History
The Extreme Networks switch stores all the commands entered in the command history buffer. The contents of this buffer can be displayed by entering the history command. You can scroll through the command history buffer with the <Up> and <Down> arrow keys. Using these keys echo the next or previous command in the buffer and place the cursor at the end of the command string. To edit the command displayed on the command line use the left and right arrow keys. To display the commands entered, enter the following command: history
12
Figure 6: Abbreviate Syntax
Figure 7: CLI Command - History
13
Unique Name Identifiers

The Unique Name Identifier function supports unique, user-friendly names for VLANs, and Spanning Tree domains. Each VLAN, user account, and Spanning Tree domain name is unique. After naming a VLAN you can specify the VLAN name in commands without preceding the name with the VLAN keyword. For example, if you configure a VLAN with the name of purple, you only need to specify purple in any further commands. The switch allocates some words for system use these are called reserved words. Reserved words can be abbreviated.
Switch Login
The switches support the following two access privileges levels:

User Administrator
The switches can have a total of sixteen management accounts. You can use the default account names (admin and user), or you can create new accounts with different names and passwords. Passwords must have a minimum of four characters and can have a maximum of twelve characters. However, account names can be entered that are between one and thirty-one characters. User names and passwords are case sensitive. You can create two admin accounts, and they are identical in their capabilities. ExtremeXOS provides a special Fail Safe account that can be used to recover from a lost Administrator account password. However, if the Fail Safe account password is lost, the switch must be returned to Extreme Networks. If you reboot the switch, you may login through the serial port using the failsafe account while the Authentication, Authorization and Accounting (AAA) system initializes. (pending-AAA) login: Once the AAA system has initialized, you may login to the switch with either a user or admin-level account.
login: admin password:
14
Figure 8: Unique Name Identifiers
Figure 9: Switch Login
15
CLI - Command Prompt

The CLI command prompt is primarily comprised of three or four components: 1 The asterisk * that precedes the actual command prompt If an asterisk (*) appears in front of the command-line prompt, it indicates that you have outstanding configuration changes that have not been saved. 2 The SNMP Sysname and dot . as a separator. The sysname is user configurable with a maximum of 32 characters allowed. By default, the switch SNMP Sysname is the model name. For example, for a Summit X450a-24t switch, the command prompt sysname displays *X450a-24t. To change the switch SNMP sysname from the default to Training_Switch, enter the following command: configure snmp sysname Training_Switch When executed, the following prompt appears:
*Training_Switch.7#
The prompt identifies the following: 3 The number of the next CLI command to be entered. (The number is reset upon reboot.) 4 The user account privilege level. # - The hash symbol represents an administrator privilege level. > - The greater than symbol represents a user privilege level. When entering a command at the prompt, ensure that you have the appropriate privilege level. Most configuration commands require the administrator privilege level.
16
Figure 10: CLI - Command Prompts
17
Management Accounts
This page describes the two account levels supported.
User Level Account

A user level account has viewing access to all manageable parameters, with the exception of the following:

Showing the switch configuration Showing switch management details User account database SNMP community strings
A user-level account can use the ping command to test if a device is reachable, and change the password assigned to the account name. If you have logged on with user capabilities, the command-line prompt ends with a (>) sign.
Administrator Level Account

An administrator level account has both read and write access to all manageable parameters. If you have logged on with administrator capabilities, the command-line prompt ends with a (#) sign. An administrator can perform the following functions:

View and change all switch parameters Add and delete accounts, and change the password associated with any account name. Disconnect a management session that has been established by way of a Telnet connection. If this happens, the user logged on by way of the Telnet connection is notified that the session has been terminated.
To manage current sessions, use one of the following command: show session show session detail show session history To terminate a user CLI sessions, enter one of the following command: clear session <user_id> clear session all To log out of a session, enter one of the following commands: exit logout
18
Figure 11: Management Accounts
19
Creating User Accounts

To create or delete a user account, enter the following syntax: create account [admin | user] <name> {<password>} delete account <name> Only users with admin level authority can create or delete accounts. You may create an account with no password using the syntax above.
Applying Passwords
Default accounts do not have passwords assigned to them. For security, always configure a password for the default accounts. To configure a password for the default admin account, enter the following command: configure account admin The system prompts you to specify a password after you enter this command. Passwords can have a minimum of 1 characters and a maximum of 32 characters. Passwords are case-sensitive.
NOTE
The default admin account cannot be deleted.
Additionally, using the following commands: configure configure configure configure you can:

account account account account
[all [all [all [all
| | | |
<nam>] <nam>] <nam>] <nam>]
password-policy password-policy password-policy password-policy
char-validation history max-age min-length
Specify that the password must contain numbers, uppercase, lowercase, and special characters. Block users from employing previously used passwords. Configure a time limit for the password. Enforce a minimum length for the password and set a maximum time limit, after which the password will not be accepted.
Show Accounts
To display user account information, enter the following command: show account The command displays the account names, access level, and number of successful and failed login attempts per account.
20
Figure 12: Creating User Accounts
21
Failsafe Login
The failsafe account is the account of last resort to access the switch. This account is never displayed by the show account command, but is always present on the switch. To configure the failsafe account, enter the following command: configure failsafe-account You are prompted for the failsafe account name, and prompted twice to specify the password for the account. The failsafe account is immediately saved to NVRAM - not to the configuration file. For example: BD-10808.1 # configure failsafe-account enter failsafe user name: adminzilla enter failsafe password: enter password again: You may configure the switch to allow or deny the failsafe account access to the device using the following syntax: configure failsafe-account {[deny | permit] [all | control | serial | ssh {vr <vr-name>} | telnet {vr <vr-name>}]}
Table 1: Access Methods

Method deny permit all control serial ssh telnet Description Prohibits failsafe account usage over the specified connection type(s). Allows a failsafe account to be used over the specified connection type(s). Apply change to all failsafe account access methods Connections over the control fabric between nodes Connections over the Serial Console ports Connections via the SSH protocol Connections via the TELNET protocol
To use the failsafe account, enter the failsafe account name and password at the login prompt. Once you enter the failsafe account name, you are prompted to enter the password. Once you successfully log in to the failsafe account, you are logged in to an admin-level account.
NOTE
The information that you use to configure the failsafe account cannot be recovered by Extreme Networks Technical support. Protect this information carefully.
22
Figure 13: Failsafe Login
23
Limiting CLI Sessions and Failed Logins

The ExtremeXOS software supports session control. Up to eight active shell sessions can access the switch concurrently. An administrator-level account can limit the number of simultaneous CLI sessions on the switch. If you configure a new limit, only new incoming ExtremeXOS shell sessions are affected. Shell sessions that are already connected, are not disconnected as a result of decreasing the limit. To limit the number of sessions, enter the following command: configure cli max-sessions <num-of-sessions> Where: num-of-sessions - Specifies the maximum number of concurrent sessions permitted in the range of 1 to 16. The value must be greater than 0. The default is eight sessions. For example: configure cli max-sessions 4 An administrator-level account can limit the maximum number of failed logins permitted before the session is terminated. To limit the number of login attempts, enter the following command: configure cli max-failed-logins <num-of-logins> Where: num-of-logins - Specifies the maximum number of failed logins permitted in the range of 1 to 10. The value must be greater than 0. The default is three login attempts. For example: configure cli max-failed-logins 2 To disable an account after the user has consecutive failed login attempts. configure account [all | <name>] password-policy lockout-on-login-failures on This command applies to sessions at the console port of the switch as well as telnet sessions and to user-level and administrator-level accounts. To view the accounts that are currently locked out, use the following command: show account The users account must be specifically re-enabled by an administrator using the following command syntax: clear account [all | <name>] lockout
24
Figure 14: Limiting CLI Sessions and Failed Logins
25
Restricting Telnet Access

The ExtremeXOS software supports virtual routers. An administrator-level account can restrict which virtual router interfaces listen for Telnet connection requests. To limit which virtual router interfaces listen for Telnet connection requests, enter the following command: configure telnet vr [all | default | <vr_name> Where: all - Specifies to use all virtual routers for Telnet connections. default - Specifies to use the default virtual router for Telnet connections. The default router is VRMgmt. vr_name - Specifies the name of the virtual router to use for Telnet connections. For example: configure telnet vr all
26
Figure 15: Restricting Telnet Access
27
Configuring Management Access

Each ExtremeXOS-based switch supports a dedicated 10/100 unshielded twisted pair (UTP) Ethernet management port for:

Telnet Secure Shell (SSH2) Secure copy (SCP) Simple Network Management Protocol (SNMP) Simple Network Time Protocol (SNTP) Remote Authentication Dial-In User Server/Service (RADIUS) Remote Monitoring (RMON) Remote logging
These Management features along with local logging provide enhanced management of the Extreme Networks switch family: To access the switch through the management port, an IP address must be assigned to the port. To assign an IP address and optional subnetwork mask to the management port, enter the following command: configure vlan mgmt ipaddress <ipaddress> {<netmask>} Examples: configure vlan mgmt ipaddress 10.0.0.1 255.255.255.0 NOTE
The dedicated management port is located on the MSM of a BlackDiamond switch, on the rear panel of the Summit X450 switch, and on the front panel of the SummitX450a and SummitX450e.
28
Figure 16: Configuring Management Access
29
Using SSH and SCP

Secure Shell 2 (SSH2) is a feature of the ExtremeXOS software that allows you to encrypt session data between a network administrator using SSH2 client software and the switch or to send encrypted data from the switch to an SSH2 client on a remote system. Configuration, image, public key, and policy files can be transferred to the switch using the Secure Copy Protocol 2 (SCP2) or the Secure File Transfer Protocol (SFTP). The ExtremeXOS SSH2 switch application works with the following clients: Putty, SSH2 (version 2.x or later) from SSH Communication Security, and OpenSSH (version 2.5 or later). OpenSSH uses the RCP protocol, which has been disabled in the ExtremeXOS software for security reasons. Consequently, OpenSSH SCP does not work with the ExtremeXOS SSH implementation. You can use OpenSSH SFTP instead. SSH2 functionality is not present in the base ExtremeXOS software image, but is available as an additional, installable module. Before you can access any SSH2 commands, you must install this additional software module. Without the software module, the commands do not appear on the command line. To enable SSH2 functionality on the switch, you must complete the following steps: 1 Download the ssh installable software module to the switch. 2 Install the software module. 3 Reboot the system if necessary. 4 Enable the SSH2 feature. 5 Verify that SSH2 is configured. 6 Verify that the SSH2 feature is running as expected by connecting to the switch with an SSH2 client such as Putty. NOTE
To use SSL for secure HTTPS web-based login, you must upgrade your core software image to ExtremeXOS 11.2 or later, install the SSH module that works in concert with that core software image, and reboot the switch.
Using Secure Copy

The Secure Copy function is integrated with the ExtremeXOS Secure Shell installable module. To use the secure copy command, use the following command syntax: scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <user>@ [<hostname> | <ipaddress>]:<remote_file> <local_file> {vr <vr_name>}
30
Figure 17: Using SSH and SCP
31
Using SNMP
Any Network Management application supporting SNMP or SNMPv3 can manage the switch as long as the correct Management Information Base (MIB) is properly installed on the management console. EPICenter is an integrated application suite that simplifies configuration, troubleshooting, and status monitoring of IP-based networks. EPICenter offers a comprehensive set of network management applications, including the ability to configure, monitor, troubleshoot, and manage the network and its elements.
NOTE
To have access to the SNMP agent residing in the switch, at least one VLAN must have an IP address assigned to it.
Access to one VLAN, gives you access to the entire switch. The switch is managed as a single device since it only has one MAC address that is shared.
NOTE
Ensure that the SNMP Management Information Base (MIB) is installed correctly.
32
Figure 18: Using SNMP
33
Configuring SNMP System Parameters

To enable SNMP access to the switch, enter the following command enable snmp access
System Name
The system name is the name that is assigned to this switch. To configure the SNMP system name of the switch, enter the following command: configure snmp sysname <string> A maximum 32 characters are allowed. The sysname appears in the CLI prompt. The default name is the model name of the switch (for example, SummitX450).
System Location
The system location is a text field used to identify the location of the switch. To configure the SNMP location name of the switch, enter the following command: configure snmp syslocation <string> A maximum of 255 characters are allowed.
System Contact
This is a text field used to identify the name of the person(s) responsible for managing the switch. To configure the name of the system contact, enter the following command: configure snmp syscontact <string> A maximum of 255 characters are allowed.
34
Figure 19: Configuring SNMP System Parameters
35
Configuring SNMP Access Parameters

Additional SNMP configuration commands are listed below.
Community Strings
Community strings are a simple method of authentication between the switch and the remote Network Manager. The default community strings are:

private = default read/write community string public = default read-only community string
To add an SNMP read or read/write community string, enter the following command: configure snmp add community [readonly | readwrite] <string> Each community string can have up to 126 characters, and can be enclosed by double quotation marks.
Authorized Trap Receivers

An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMP traps to all trap receivers. You can have a maximum of sixteen trap receivers configured per switch. To enable SNMP Trap support, enter the following command: enable snmp traps To add the IP address of a specified trap receiver, enter the following command: configure snmp add trapreceiver <ip_address> community <string> A maximum of 16 trap receivers can be specified. The following can also be specified:

The address as unicast, multicast, or broadcast. A UDP port to which the trap should be sent. The IP address of a VLAN to be used as the source address for the trap. The trap mode as standard or enhanced with extra varbinds. NOTE
To configure additional SNMP version 3 parameters, enter configure snmpv3.
NOTE
With ExtremeWare you can use Access Profiles for SNMP.
36
Figure 20: Configuring SNMP Access Parameters
37
Authenticating Switch Management Users

There are two methods for authenticating users who login to the switch:

RADIUS Client TACACS+ NOTE
You cannot use RADIUS and TACACS+ at the same time.
38
Figure 21: Authenticating Switch Management Users
39
Logging Features
The switch log tracks all configuration and fault information pertaining to the device. Each entry in the log contains the following information:
Timestamp
The timestamp records the month and day of the event, along with the time (hours, minutes, seconds, and hundredths of a second)) in the form HH:MM:SS:HH. If a user caused the event, the user name is also provided.
Severity Level
Describes the four levels of importance that the switch can assign to a fault. Critical, Warning, Informational and Debug. By default, log entries that are assigned a critical or warning level remain in the log after a switch reboot. Issuing a clear log command does not remove these entries.
Component, Subcomponent, and Condition Name

The facility flags one of seven specific functional areas of the switch to which the error refers.
Message
The message contains the log information with text that is specific to the problem. The switch maintains up to 20,000 messages in its internal log depending on the model of switch. The default setting is 1000 log entries.
40
Figure 22: Logging Features
41
Configuring Logging
In addition to maintaining an internal log, the switches support remote logging using the UNIX Syslog host facility. To enable remote logging, configure the Syslog host to accept and log messages, and enable remote logging. To configure the remote syslog server host address, and filters messages to be sent to the remote syslog target. configure syslog {add} [<ipaddress> | <ipPort>] {vr <vr_name>} [local0 ...local7] {<severity>} To configure the severity level of messages sent to the target, enter the following command: configure log target [console | memory-buffer | nvram | primary-msm | backup-msm | session | syslog [all | <ipaddress> | <ipPort> {vr <vr_name>} [local0 ... local7]]] {severity <severity> {only}} By default, targets are sent messages of the following severity level and above:

console display.info memory buffer.debug-data NVRAM.warning session.info syslog.debug-data primary MSM.error (modular switches only) backup MSM.error (modular switches only)
To enable the sending of log messages to the specified target., enter the following command: enable log target [console | memory-buffer | nvram | primary-msm | backupmsm | session | syslog [all | <ipaddress> | <ipPort>] {vr <vr_name>} [local0 ... local7]]] To enable logging to all remote syslog host targets, enter the following command: enable syslog
42
Figure 23: Configuring Logging
43
Displaying Log Messages

To display a snapshot of the log at any time, enter the following command: show log {messages [memory-buffer | nvram]} {events {<event-condition> | <event-component>]} {<severity> {only}} {starting [date <date> time <time> | date <date> | time <time>]} {ending [date <date> time <time> | date <date> | time <time>]} {match <regex>} {chronological} If a severity is not specified, all messages are displayed. The severity parameter filters the log to display messages with selected severity or higher (more critical). Severities include (in order) critical, error, warning, notice, info, debug-summary, debugverbose, and debug-data. To display a real-time running log on the console, enter the following command: enable log display To enable logging of any configuration changes, enter the following command: enable cli-config-logging NOTE
Although you can enable the real time log display using a Telnet session, the real time logging is only displayed on the local console.
To remove the log entries of all levels (including warning or critical), enter the following command: clear log {error-led | static | messages [memory-buffer | nvram]}
Syntax Description
error-led static memory-buffer nvram Clears the ERR LED on the MSM. Specifies that the messages in the NVRAM and memory-buffer targets are cleared, and the ERR LED on the MSM is cleared. Clears entries from the memory buffer. Clears entries from NVRAM.
44
Figure 24: Displaying Log Messages
45
Using SNTP
ExtremeXOS supports the client portion of the Simple Network Time Protocol (SNTP) Version 3. When enabled, the switch sends out a periodic query to the NTP server, or the switch listens to broadcast NTP updates. To configure the switch to update and synchronize its internal clock from an NTP server, enter the following command: configure sntp-client [pri | sec] server [<ip address> | <host name>] {vr <vr_name>} Queries are sent first to the primary server. If the primary server does not respond within 1 second, or if it is not synchronized, the switch queries the second server. If the switch cannot obtain the time, it restarts the query process. Otherwise, the switch waits for the sntp-client update interval before querying again. To configure the interval between SNTP queries, enter the following command: configure sntp-client update-interval <seconds> NTP server updates are distributed using GMT time. To properly display the local time in logs and other timestamp information, configure the switch with the appropriate offset to GMT. To configure the GMT offset and Daylight Saving Time (DST) preference, enter the following command: configure timezone {name <tz_name>} <GMT_offset> {autodst {name <dst_timezone_ID>} To enable the SNTP client, enter the following command: enable sntp-client To disable the SNTP client, enter the following command: disable sntp-client To display configuration and statistics information of the SNTP client, enter the following command: show sntp-client NOTE
SNTP is based on RFC1769.
If no time server is available, the system date and time can be set using a command similar to the following: configure time 10 09 2006 17 29 00
46
Figure 25: Using SNTP
47
Verifying the Management Configuration

To display the network management configuration, statistics, and SNMP settings, enter the following command: show management The display includes:

Enable/disable states for Telnet, and SNMP Authorized SNMP station list SNMP trap receiver list RMON polling configuration SNMP statistics
48
Figure 26: Verifying the Management Configuration
49
Summary
The Initial Switch Configuration module provided a structured examination of the Extreme Networks Command Line Interface (CLI) along with the syntax and basic commands. You should now be able to:

Login to the switch. Interpret the system prompt. Assign a name to the switch. Use the syntax help function. Create a new user account. Describe the SNMP, SNTP, and logging management features.
50
Figure 27: Summary
51
Lab
Turn to the Initial Switch Configuration Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
52
Figure 28: Lab
53
Review Questions
1 What are the three connection types used to access the command line interface? a Console, Telnet, and SSH2 b Console, Telnet, and SSL c Console, Telnet, and SNMP d Console, Telnet, and RADIUS
2 What key is used to display the next tier of a CLI command or to complete a command? a Number sign/pound sign/hash mark (#) b Exclamation point (!) c Question mark (?) d Tab key
3 Which two authentication mechanisms for administrative access are supported by Extreme Networks switches? a SSL and SNMP b SSH2 and Telnet c RADIUS and TACACS+ d DES3 and 802.1X
4 Which of the following statements is false? a The secure copy feature is available in the ExtremeXOS base image b Secure Socket Layer (SSL) functionality is part of the SSH installable software module. c The SSH feature is provided by an installable software module. d The SSH2 feature does not appear as a CLI option until after the SSH installable software module has been downloaded and installed.
5 Which of the following is needed to log into the switch using the serial console port? a A null modem or serial crossover cable. b A PC running terminal emulation software. c Serial communications protocol set to 9600, N, 8, 1, and None. d All of the above.
54
6 Which of the following is true? a If the CLI prompt has an asterisk as the first character, there have been configuration changes that have not been saved. b The pound sign (#) at the end of the CLI prompt indicates that the person who has logged in has user-level privileges. c If the SNMP sysname parameter is changed from its default value, it will not be reflected in the CLI prompt.
d All of the above.
7 Which of the following commands creates a user-level account named fred? a create account fred b configure account user fred c add account fred user d create account user fred
8 Which of the following commands allows the user to view commands that have been previously entered during this session? a show history b view history c display history d None of the above
9 Which of the following commands enables the syslog feature? a configure syslog enable b start syslog c enable syslog d set syslog on
55
Initial Switch Configuration This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
56
Switch Management
Switch Management
Student Objectives
This module presents a structured examination of the Extreme Networks Switch Management. Upon completion of this module, you will be able to:

Identify switch software images and configuration files. Save the switch configuration. Copy, rename, and remove configuration files. Assign an IP address to a VLAN. Backup the switch configuration. Create, edit, and restore an ASCII-based command script. Download a software image.
Switch Management
Displaying Switch Status

To display the current switch information, enter the following command: show switch The display shows:

System name, system location, system contact MAC address Current date and time, and system boot time Scheduled reboot information Non-Volatile Random Access Memory (NVRAM) image (primary/secondary image, version) NVRAM configuration (primary/secondary configuration, date, time, size)
From this display, you can determine the software image file that the switch booted from. It is identified as Image Booted. The software image file that the switch boots from next is identified as the Image Selected. You can also determine the configuration file the switch used to boot. It is identified as Config Booted. The configuration file that the switch uses during the next boot is identified as the Config Selected. In the example shown, the software image selected and booted is taken from the primary location. The configuration selected and configuration booted is also taken from the primary location.
Figure 2: Displaying Switch Status
Switch Management
Describing the Virtual Router Command Argument

ExtremeXOS supports Virtual Routers (VRs). A virtual router is an emulation of a physical router. This feature allows a single physical switch to be split into multiple virtual routers. This feature separates the traffic forwarded by a virtual router from the traffic on a different virtual router. Each virtual router maintains a separate logical forwarding table, which allows the virtual routers to have overlapping address spaces. Each virtual router is capable of running any combination of routing protocol modules such as RIP, OSPF, BGP, or PIM.
System Virtual Routers

In ExtremeXOS the following three system VRs exist by default:
VR-Default - The default VR created by the system. All data ports in the switch are assigned to this VR by default. Any port or VLAN can be added. One instance of each routing protocol is spawned for this VR during boot up. These routing instances cannot be deleted. (called VR-2 in EXOS release 10.2) VR-Mgmt - The switch management port is owned by this VR. The Mgmt VLAN is created in this VR during boot up. No other ports or VLANS can be added. Used for default access for Telnet, SNMP, SSH2, TACACS, and RADIUS. (called VR-0 in release 10.2) VR-Control - Has no external port and no VLAN interface. No port, VLAN, or routing protocol can be added. Used internally by the switch for inter-process communication. (called VR-1 in release 10.2) NOTE
System VRs cannot be deleted.
NOTE
Users are allowed to create Virtual Routers on BlackDiamond platforms. Users are not allowed to create Virtual Routers on Summit Platforms.
The VR Command Argument

In ExtremeXOS many system commands require the VR (-vr, vr, -v, or v) argument. For example: tftp put 10.0.4.106 vr vr-mgmt primary.cfg ping vr vr-mgmt 10.0.4.106 If you do not specify a virtual router, VR-Default is the default for most commands. If there is no default VR associated with the command, the system will prompt you for the VR name.
Figure 3: Describing the Virtual Router Command Argument
Switch Management
Assigning IP Addresses
The switch comes with pre-configured VLANs named Mgmt (management) and Default.
The Mgmt VLAN is available on devices that feature an Ethernet Management port. The Ethernet management port provides out-of-band management access to an Extreme Networks switch. The Default VLAN comes configured with all data ports assigned to it.
For lab exercise purposes, we need to assign an IP address to one of the pre-configured VLANs and assign an IP address to the PC-laptop that is connected to the switch. Assigning an IP address creates a router interface within that VLAN. The default VLAN router interface is in the corresponding VR-Default virtual router. The mgmt VLAN router interface is in the corresponding VR-Mgmt virtual router. To assign an IP address and optional subnetwork mask to the named VLAN, enter the following command: configure vlan <vlan name> ipaddress <ipaddress> {<netmask>} The subnetwork mask notation can take either of two forms:

Full dotted-decimal notation For example: 255.255.255.0 Slash notation which indicates the network portion in binary bits. For example, /24
Examples: configure vlan mgmt ipaddress 10.0.0.1 255.255.255.0 configure vlan default ipaddress 10.0.1.1/24 To remove an IP address and optional mask from the named VLAN, enter the following command: unconfigure vlan <vlan name> ipaddress
Figure 4: Assigning IP Addresses
Switch Management
Describing Software Image Features

Every Extreme Networks switch loads a user-selected software operating system image when it boots. The image file contains executable code in a compressed format. The switches can store two software operating system images:

Primary Secondary
When downloading a new image, select which image space (primary or secondary) the new image is to be placed into. The primary and secondary software images are stored in Flash RAM. You may find it useful to use both primary and secondary image files, especially when upgrading software. If something goes wrong with an upgrade, you have a fallback image to boot from. These containers, although called primary and secondary, are just placeholders.
Displaying the Current Software Images

Using the Show Switch Command
To display which software is running on the switch and which software is set to be used after the next reboot, enter the following command: show switch The show switch command display the following:

Which software image is selected, and which image that is used when the switch boots. The configuration that is selected and the configuration that is used when the switch boots.
Using the Show Version Command

To display the hardware serial and version numbers, use the following command: show version The output from the command shows the version of software currently running on the switch, and (if applicable) the software version running on the modules and power controllers.
10
Figure 5: Describing Software Image Features
Figure 6: Displaying the Current Software Images
11
Switch Management
Interpreting ExtremeXOS Image File Names

ExtremeXOS software is available on the BlackDiamond 12804TM, BlackDiamond 10808TM, BlackDiamond 8810TM BlackDiamond 8806TM, Summit X450TM, Summit X450aTM, and Summit X450eTM switches.
NOTE
Although all of the switches listed above run ExtremeXOS 12.1, the binary image files are unique for different switches.
Every switch loads a user-selected software operating system image file when it boots. The image name identifies the compatible switch type. For example:
For BlackDiamond 8810 and 8806 the current file name is: bd8800-12.1.1.4.xos For BlackDiamond 10808 the current file name is: bd10K-12.1.1.4.xos For Summit X450 the current file name is: summitX450-12.1.1.4.xos NOTE
Prior to release 11.3 the file name for BlackDiamond 8810 images began with the word aspen; for example, aspen-11.2.3.3.xos.
NOTE
Frequently the image file name downloaded from Extreme Networks web site contains square brackets. For example: bd10K-11[1][1].6.3.3.xos. Some TFTP servers cannot interpret the square brackets. Therefore the file must be renamed before it can be downloaded to the switch.
ExtremeXOS Image File Extensions

The ExtremeXOS uses the following file extensions:

.xos - The core image file .xmod - A software module that adds functionality to supplement a core image. .xbr - A BootROM image. NOTE
The version number of a modular software package must match the version number of the core image that it will be running with.
12
Figure 7: Interpreting ExtremeXOS Image File Names
13
Switch Management
Interpreting ExtremeXOS Version Strings

The image version string contains build information for each version of ExtremeXOS. You can use either the show version or show switch command to display the version running on your switch. Depending on the CLI command, the output is structured as follows: show version
ExtremeXOS version 12.1.1.4
ExtremeXOS Version <major>.<minor>.<patch>.<build> show switch

12.1.1.4
<major>.<minor>.<patch>.<build> Table 1 describes the image version fields.
Table 1: Image version fields

Field major minor patch build Description Specifies the ExtremeXOS Major version number. Specifies the ExtremeXOS Minor version number. Identifies a specific patch release. Specifies the ExtremeXOS build number. This value is reset to zero for each new Major and Minor release.
A software module version string contains the following:

<SWITCH PLATFORM>-<GLOBAL VERSION>-><PACKAGE NAME>.XMOD example: bd10K-12.1.1.4-ssh.xmod
Where: <Switch Platform> is the name of the platform (e.g. bd10K) <Package Name> is an abbreviated name for the content of the package. <Global Version> is the overall version of ExtremeXOS in the format <major>.<minor>.<patch>.<build>
14
Figure 8: Interpreting ExtremeXOS Version Strings
15
Switch Management
Selecting Active Image Files for the Next Reboot

Use the following procedure to select an image for the switch to load on the next reboot: 1 Select the image file to be used after next reboot use image primary use image secondary 2 Save the configuration save configuration 3 Reboot the switch reboot 4 Verify that the correct image file is in use show switch CAUTION
Make sure that your software image is compatible with the BootROM Master Release Version for the ExtremeXOS version being used.
Rebooting the Switch

There are some processes, such as installing new software, that incorporate a reboot of the switch as one of the actions. You may, however, reboot the switch through the user interface by issuing the following command: reboot You may also schedule a reboot to happen in the future by issuing the reboot command along with the time option. Use the following syntax to specify the time of reboot: reboot time <month> <day> <year>
16
Figure 9: Selecting Active Image Files for the Next Reboot
17
Switch Management
Downloading a New Image File

The image is upgraded by using a download procedure from either a Trivial File Transfer Protocol (TFTP) server on the network or a PC connected to the serial port using the XMODEM protocol. The serial download is very slow and can only be done from the BootROM menu. Prior to downloading the new image, execute the following steps after IP connectivity has been properly set up. For example, ensure that you load the image onto a TFTP server and that you verify IP connectivity between the switch and the TFTP server. Use the following process to download a new image to the switch: 1 Download the image to either the Primary or Secondary location. download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>} The system will prompt you if you wish to install the image after it downloads. 2 Verify the image downloaded: show log 3 Select the image to use on the next reboot use image <primary | secondary> 4 The switch must reboot for the new image to become active. reboot 5 Verify that the correct image file is in use. show switch
Download Command Syntax Description

hostname ipaddress memorycard filename vrname partition slotid Specifies the hostname of the TFTP server from which the image should be obtained. Specifies the IP address of TFTP server from which the image should be obtained. Specifies that the image should be obtained from the external compact flash memory card. NOTE: This parameter is available only on modular switches. Specifies the filename of the new image. Specifies the name of the virtual router. Specifies which partition the image should be saved to: primary or secondary. Specifies the MSM where the software image should be downloaded. MSM A or MSM B. NOTE: This parameter is available only on chassis-based switches.
If no parameters are specified, the image is saved to the location selected for the next reboot. To verify that the image downloaded to the correct location, enter the following command: show log
18
Figure 10: Downloading a New Image File
19
Switch Management
Describing Configuration File Features

The ExtremeXOS switch operating system has several features that ease the management of the configuration of the switch. For example, you may display all or part of the active configuration file by issuing the following command: show configuration show configuration rip ExtremeXOS allows the administrator to have several different configuration files on the switch. This feature may be useful for testing purposes, or to be able to change the role of the switch by simply changing the configuration file. Active configuration stored in runtime memory, and are stored in NVRAM after administrator issues the save command. Of course, the active configuration must be saved before rebooting or the configuration will revert to the last saved version. ExtremeXOS configurations can be saved to any file name, however primary.cfg and secondary.cfg are names that are commonly used. Primary.cfg is also the default configuration file name for the device. save configuration primary save configuration secondary save configuration lab1 When saving a configuration file to NVRAM on the switch, the switch does not allow you to include the .cfg file extension to the name of the configuration file. The .cfg file extension will be added automatically by the switch. tftp put <target-ip-addres> -vr <vr_name> <config-file-name> When the configuration file is transferred to the tftp server using the tftp command, the configuratin file is stored as an XML file. However, if the configuration file is transferred to the tftp server using the upload configuration command, the file is stored on the tftp server as an ASCII-formatted command script. upload configuration [<hostname> | <ipaddress>] <filename> {vr <vr-name>} NOTE
Configuration files are not backwards compatible with software image files. For example, you should not attempt to run a configuration file created with 11.6 with software 11.3.
20
Figure 11: Describing Configuration File Features
21
Switch Management
Displaying the Current Configuration File Selection

To display information about the configuration file that is currently loaded and the configuration file that is to be loaded upon the next reboot, issue the following command: show switch The show switch command displays a great deal of information about the configuration of the device, as well as information that is specific to the configuration files. The output of the command contains a section that is formatted in the following manner: Config Selected: Config Booted: primary.cfg primary.cfg Factory Default Created by ExtremeXOS version 12.1.1.4 100206 bytes saved on Tue May 13 11:29:46 2008
As you can see, along with the names of the configuration files that are active and selected to be loaded upon next reboot, the display shows:

The name of the active configuration file The version of software that created the configuration file The size of the configuration file And the date that the configuration file was last saved to NVRAM
22
Figure 12: Displaying the Current Configuration File Selection
23
Switch Management
Displaying the Configuration File Contents

ExtremeXOS allows you to display all or part of the active configuration to the screen using the following command syntax: show configuration {<module-name>} {detail} By specifying the detail keyword, you instruct the switch to display parameters that have been modified from their default values as well as those that still contain their default settings. By omitting the detail keyword, you instruct the switch to only provide you with information on those parameters that no are no longer set to their default values.
NOTE
You may press the tab key after typing the show configuration command to display the modules for which configuration information is available.
To display the entire active configuration, enter the following command: show configuration detail To display a specific configuration module, simply use the show configuration command followed by the module name. For example to limit the display to the Routing Information Protocol (RIP) parameters that have changed from their default values, enter the following command: show configuration rip
Selecting Active Configuration Files

To use a particular configuration on the next reboot, enter the following command: use configuration [ primary | secondary | filename]
The configuration file name must already exist on the switch.
NOTE
The use configuration command does not select the active configuration. The command selects which configuration is going to be used after the next reboot.
24
Figure 13: Displaying the Configuration File Contents
Figure 14: Selecting Active Configuration Files
25
Switch Management
Backing Up a Configuration File

Extreme Networks recommends that you maintain a backup of the switch configuration. ExtremeXOS provides you with the ability to transfer a configuration file to a TFTP server on your network. When using the tftp command, the uploaded configuration file retains your system configuration and is saved in XML format. While you view the ExtremeXOS XML-based configuration files with a text editor, the XML formatting makes it difficult to decipher the configuration. A better alternative to view your current switch configuration is to use the show configuration command. To transfer a configuration file to a tftp server, use the following command: tftp put [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local_file>} {<remote_file>} | {<remote_file>} {[internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local_file>]}]
Syntax Description
host-name ip-address vr_name internal-memory local-file-internal memorycard local-file-memcard local-file remote-file Specifies the name of the remote host. Specifies the IP address of the TFTP server. Specifies the name of the virtual router. The default is vr-mgmt Specifies the internal memory card. Specifies the name of the core dump file located on the internal memory card. Specifies the removable external compact flash card. NOTE: This parameter is available only on modular switches. Specifies the name of the file on the external compact flash card. NOTE: This parameter is available only on modular switches. Specifies the name of the file (configuration file, policy file) on the local host. Specifies the name of the file on the remote host.
Example:
tftp put 10.0.4.106 -vr vr-mgmt primary.cfg Uploading /root/config/primary.cfg to 10.0.4.106 ..........
Using the TFTP -P Command

An alternate form of the TFTP put command is available. To copy the file from the switch, internal memory card, or external compact flash card to a TFTP server, enter the following command: tftp 10.0.4.106 -v vr-default -p primary.cfg
26
Figure 15: Backing Up a Configuration File
27
Switch Management
Restoring the Configuration

An ExtremeXOS configuration file can be downloaded to the switch using the tftp get command. For examples: tftp get 103.0.0.2 -vr vr-default tested.cfg backup.cfg tftp get 103.0.0.2 -vr vr-default switch2.cfg Where:

host-name - Is the host name of the TFTP server. ip_address - Is the IP address of the TFTP server. -g - Gets the specified file from the TFTP server and copies it to the switch. -l local_file - Specifies the name of the configuration file on the switch. -r remote_file - Specifies the name of the configuration file on the TFTP server.
You must reboot the switch to copy the downloaded configuration file into the active configuration. To reboot the switch, enter the following command: reboot
Using the tftp Command

An alternate form of the TFTP command is available. To copy the file from a TFTP server to the switch internal memory card, or external compact flash card, enter the following command: tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internalmemory <local-file-internal> | memorycard <local-file-memcard> | <localfile>} {-r <remote-file>} | {-r <remote-file>} {-l [internal-memory <localfile- internal> | memorycard <local-file-memcard> | <local-file>]}]
28
Figure 16: Restoring the Configuration
29
Switch Management
Managing ASCII-formatted Configuration Files

The active configuration can be uploaded to a TFTP server as an ASCII-formatted command script. This allows you to do the following:

Modify the command script using a text editor Download a copy of the file to the same switch or to one or more different switches, and load the commands in the script on to the switch. Send a copy of the command script file to Extreme Networks Technical Support for problem-solving purposes.
To upload the current configuration as an ASCII-formatted command script to a TFTP server on your network, enter the following command: upload configuration [<hostname> | <ipaddress>] <filename> {vr <vr-name>}
Syntax Description
hostname ipaddress filename vr-name Specifies the hostname of the TFTP server where you want to upload the configuration file. You must have DNS enabled Specifies the IP address of the TFTP server where you want to upload the configuration file. Specifies a user-defined name for the command script. Specifies the name of the virtual router. The default is VR-Mgmt.
Example
upload configuration 20.0.0.102 sanjose.xsf vr vr-default NOTE
To load the ASCII-formatted command script using the load script command, the file must have an ExtremeXOS
CLI script (XSF) file extension. Even though the configuration file in the example is named primary.cfg on the switch, the upload command allows you to save it on the TFTP server as sanjose.xsf. The uploaded ASCII file retains the ASCII CLI format.
30
Figure 17: Managing ASCII-formatted Configuration Files
31
Switch Management
Downloading ASCII-formatted Command Scripts

ExtremeXOS provides the network administrator with the ability to download ASCII-formatted command scripts and to load and execute the command scripts. To download the modified command script, use the TFTP command: tftp get [<host-name> | <ip-address>] <remote-file> To load the ASCII-formatted command script, use the load script command. Commands scroll across on screen as they are executed. load script newscript.xsf NOTE
The file must have a .xsf file extension.
.Save the runtime configuration. save configuration primary Command scripts can be created or modified on the switch using the switch editor. edit script newscript.xsf
32
Figure 18: Downloading ASCII-formatted Command Scripts
33
Switch Management
Returning the Switch To Factory Defaults

To return the switch to its original factory default settings, enter the following command: unconfigure switch This command resets the entire configuration, with the exception of user accounts and passwords that have been configured, and the date and time. To reset all parameters except date and time, enter the following command: unconfigure switch all NOTE
This command initializes the value stored in the "Config Selected" field to "NONE", resets the parameters to original factory defaults, and reboots the switch. After the switch reboots, you will see the value "NONE" in the "Config Selected" field when you execute the "show switch" command.
Re-initializing the Switch

When the switch is new or the unconfigure switch all command has been used, you must connect to the console to access the switch. You are prompted with an interactive script that specifically asks if you want to disable telnet, disable SNMP, and disable the unconfigured ports. The system displays the following prompts:
Would Would Would Would Would you you you you you like like like like like to disable Telnet? [y/N] to disable SNMP? [y/N]: unconfigured ports to be turned off by default? [y/N]: to change the failsafe account username and password now? [y/N]: to permit failsafe account access via the management port? [y/N]:
34
Figure 19: Returning the Switch To Factory Defaults
35
Switch Management
File System Commands

ExtremeXOS supports UNIX-like file system commands for listing, renaming, and removing files. To list all current configuration and policy files in the system, use the following syntax: ls {memorycard} The memorycard argument lists files on the removable compact flash memory card. For example: ls For each file the display is similar to the following:
-rw-rw-rw1 root 0 68297 Dec 8 02:03 primary.cfg
The first column displays the file permission using the following ten place holders.

The first place holder displays d for a directory and - for a file. The next three placeholders display r for read access, w for write access, and x for execute permission for the file owner. The next three placeholders display r for read access, w for write access, and x for execute permission for members of the file owners group. The last three placeholders display r for read access, w for write access, and x for execute permission for every user that is not a member of the file owners group.
The second column shows how many links the file has to other files or directories. The third column shows the file owner. The fourth column is the owners group. The remaining columns show the file size, date it was last modified, and the file name.
36
Figure 20: File System Commands
37
Switch Management
Copying, Renaming, and Removing Files

To copy a file, enter the following command: cp filename newfile For example: cp primary.cfg foo.cfg Copy config primary.cfg to config foo.cfg on switch? (y/n) Yes To rename a file, enter the following command: mv source destination The system prompts: Rename source to destination on switch? (y/n) Enter y to rename the file. Enter n to cancel. For example: mv hughtest.cfg roytest.cfg Rename config hughtest.cfg to config roytest.cfg on switch? (y/n) Yes Make sure the renamed file uses the same file extension as the original file. If you change the file extensions, the file may be unrecognized by the system.

Configuration files use the .cfg file extension Policy files use the .pol file extension
This command also replicates the action from the primary MSM to the backup MSM. For example, if you rename a file on the primary MSM, the same file on the backup MSM is renamed. A message appears that asks you to confirm this action. To remove a file, enter the following command: rm <filename> The system prompts: Remove filename on switch? (y/n) Enter y to rename the file. Enter n to cancel. For example: rm oldtest.cfg Remove oldtest.cfg on switch? (y/n) Yes This command also replicates the action from the primary MSM to the backup MSM. For example, if you delete a file, the file is deleted on both the active on the backup MSM. A message appears that asks you to confirm this action.
38
Figure 21: Copying, Renaming, and Removing Files
39
Switch Management
Policy Files
A policy file is a text file that contains a series of rule entries describing match conditions and actions to take. Policy files are text files that are used by the access control list (ACL) application to perform packet filtering and forwarding decisions on packets. The ACL application will program these policies into the packet filtering hardware on the switch. Packets can be dropped, forwarded, moved to a different QoS profile, or counted, based on the policy statements. Policy files are used by the routing protocol applications to control the advertisement, reception, and use of routing information by the switch. Using policy files, a set of routes can be selectively permitted (or denied) based on their attributes, for advertisements in the routing domain. The routing protocol application can also modify the attributes of the routing information, based on the policy statements. The policy file can be created on the switch using the vi-like edit command. Alternately the policy file can be created on a TFTP server using a simple text editor like Windows Notepad and downloaded to the switch using the tftp command.
Creating Policy Files

Policy files are created by writing a text file containing a number of rule entries. An editor is available on the switch to edit policies. To launch the editor, enter the following command: edit policy <filename> Name the text file with the policy name and use .pol as the filename extension. For example, the policy name boundary refers to the boundary.pol text file. This command spawns a vi-like editor to edit the named file.
40
Figure 22: Policy Files
41
Switch Management
Using the Switch Editor

Command scripts can be created and edited on the switch using the edit command. To launch the editor, enter the following command: edit script <filename> Name the text file with the script name and use .xsf as the filename extension. This command spawns a vi-like editor to edit the named file. Edit operates in one of two modes; command and input When a file first opens, you are in the edit command mode. To write in the file press one of the following keys:
Type This i o To Do This Enter insert mode. Open a new line.
Move your cursor to the end of a line and press a to append to the end of the line. To escape the insert mode and return to the command mode, press the Escape key. When you enter command mode, your cursor appears at the end of the file at the colon : prompt. There are several commands that can be used from the command mode:
Type This dd p :q q! :wq yy :w To Do This Delete the current line. Paste the line copied. Quit the file if no changes were made. Forcefully quit the file without saving changes. Write and quit the file. Copy the current line. Write (save) the file.
42
Figure 23: Using the Switch Editor
43
Switch Management
BootStrap Menu Options

The bootstrap CLI contains commands to support the selection of which bootloader to use. Interaction with the bootstrap is required only under special circumstances and should be done only under the direction of Extreme Networks Technical Support. The illustration shows the options available from the switch's BootStrap menu after entering the help command (or "h").
NOTE
When asked to depress the <spacebar> remember to press and hold the <spacebar> key.
BootROM Menu Options

The BootROM of the switch initializes certain important switch variables during the boot process. If necessary, the BootROM can be upgraded using TFTP. For disaster recovery purposes (i.e. in the event the switch does not boot properly), you can download a rescue image from a TFTP server by entering the dowload image command from the BootROM menu. During a software upgrade the system BootROM checks the software for a unique signature. The BootROM denies an incompatible software upgrade. Some boot option functions can be accessed through a special BootROM menu. The illustration shows the options available from the switch's BootROM menu after entering the help command. Interaction with the BootROM menu is only required under special circumstances and should be done only under the direction of Extreme Networks Customer Support. The necessity of using these functions implies a non-standard problem, which requires the assistance of Extreme Networks Technical Support. The BootROM Menu can only be accessed when the switch is hard-booted.
44
Figure 24: BootStrap Menu Options
Figure 25: BootROM Menu Options
45
Switch Management
Upgrading the BootROM

In ExtremeXOS the BootROM is upgraded along with the software image. Only in rare cases would the BootROM be upgraded separately. Upgrade the BootROM only when asked to do so by an Extreme Networks technical representative. If this command does not complete successfully it could prevent the switch from booting. In the event the switch does not boot properly, some boot option functions can be accessed through a special BootROM menu. To display the switch BootROM version, enter the following command: show version To download the BootROM image from a specified TFTP server, enter the following command: download bootrom [[<ipaddress> | <hostname>] <filename> {{vr} <vrname>} | memorycard <filename>] {msm <slotid>} Reboot the switch after downloading the BootROM. When upgrading the BootROM separately, upgrade the BootROM and reboot before upgrading the software image.
46
Figure 26: Upgrading the BootROM
47
Switch Management
Summary
This module provided an introduction to the Extreme Networks switch management functions and configuration procedures. You should now be able to:

Identify switch software images and configuration files. Save the switch configuration. Copy, rename, and remove configuration files. Assign an IP address to the a VLAN. Backup the switch configuration. Create, edit, and restore an ASCII-based command script. Download a software image.
48
Figure 27: Summary
49
Switch Management
Lab
Turn to the Switch Management Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
50
Figure 28: Switch Management Lab - Detail
Figure 29: Lab
51
Switch Management
Review Questions
1 Which of the following commands displays the names of the configuration and policy files on the switch? a list b show c ls d dir
2 Which of the following ExtremeXOS commands retrieves the configuration from a TFTP server? a tftp get b tftp put c retrieve d restore
3 Which of the following commands displays the switch status? a show system b show switch c show system info d show current config
4 Which command enables the system administrator to retrieve a new image file from a TFTP server? a tftp get b copy c download d transfer
5 Which of the following commands use the Virtual Router parameter? a use b tftp c edit d save
52
6 What types of switches support the mgmt VLAN? a Switches managed by the Vista web interface. b Switches managed by a directly connected EPICenter management station. c Switches with a dedicated management Ethernet port. d Switches with SNMP management enabled.
7 How many software images may be stored on the switch at the same time? a 1 b 2 c 3 d It depends on the amount of free memory
8 Which command enables the system administrator to save the current configuration to a file named myConfig.cfg that will be stored on the switch? a store configuration myConfig b write configuration myConfig c put configuration myConfig d save configuration myConfig
9 What does the unconfigure switch all command do? a It deletes the currently selected configuration except for user accounts, and reboots the switch. b It deletes the currently selected configuration except for user accounts. c It deletes all administrator created user accounts and resets the administrator password to the factory default.
d It initializes the value stored in the "Config Selected" field to "NONE", resets the parameters to original factory defaults, and reboots the switch.
10 Which of the following commands displays the software versions running on the switch? a show version b show software c show image d show running
53
Switch Management 11 In the display of the show switch command which field identifies the currently running software? a Primary b Secondary c Image Selected d Image Booted
12 XOS core image files typically end with which one of the following extensions? a .xos b .xmod c .xbr d all of the above
13 The upload command is used for which of the following? a To transfer a core image to a TFTP server as a binary file. b To transfer a configuration file to a TFTP server as XML-formatted file. c To transfer a configuration file to a TFTP server as an ASCII-formatted command script. d To transfer a configuration file to a TFTP server as compressed backup configuration file.
14 Which of the following commands saves the configuration to the secondary location? a save configuration secondary b use configuration secondary c save image secondary d use secondary
15 Which of the following commands configures the switch to boot from the software image in the primary location on the next boot up? a boot image primary b use configuration primary c save image primary d use image primary
54
16 The use image primary command does which of the following? a Causes the switch to load the primary image file in to memory and cause it to immediately execute without a reboot. b Causes the switch to load the primary image file in to memory and cause it to execute on the next reboot. c Causes the switch to clear the current configuration in memory and then immediately load the primary configuration image.
d Causes the switch to load the primary configuration image after next reboot.
17 Which of the following commands copies the primary configuration file to backup.cfg? a copy primary.cfg backup.cfg b duplicate primary.cfg backup.cfg c backup primary.cfg backup.cfg d cp primary.cfg backup.cfg
18 What is the command to reset all configuration parameters except date and time? a reset switch default b reset switch c unconfigure switch d unconfigure switch all
19 Which of the following commands causes the switch to reboot? a reboot b restart c reset d system shutdown
55
Switch Management This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
56
Layer 1 Configuration
Student Objectives
The Layer 1 Configuration module provides an introduction to the Extreme Networks switch port types, port parameters, and port and load sharing configuration commands. Upon completion of this module, the successful student will be able to:

Configure port speed and duplex. Define the link aggregation feature and its benefits. Describe the different link aggregation algorithms. Configure dynamic address-based link aggregation. Verify the link aggregation configuration. Describe the Extreme Discovery Protocol. Enable the Link Layer Discovery Protocol.
Configuring Slot Parameters

The configure slot, clear slot, and show slot commands are applicable for chassis-based switches. If the type of module used in a slot changes, the slot configuration must be cleared or configured for the new module type. To clear the slot 5 configuration, enter the following command: clear slot 5 All configuration information related to the slot and the ports on the module is erased. To unassign the type of module in slot 5, enter the following command: unconfigure slot 5 To configure slot 5 for the new module type, enter the following command: configure slot 5 module 10G4X
Chassis-based Port Numbering

For ports on the chassis-based BlackDiamond and Alpine switches, the port number is a combination of the slot number and the port number. An example might be: port 4 of an I/O module installed in slot 2 which would be identified as port number 2:4. You can also use wildcards (*) to specify multiple slot and port combinations. To enable one or more ports, enter the following command: enable ports [<portlist> | all ] The syntax for the port number is slot: port For example: enable ports 1:1-4 enable ports 1:6,7,11 By default, all ports are enabled. To disable one or more ports. disable ports [<portlist> | all ]
Figure 2: Configuring Slot Parameters
Configurable Port Parameters

This page describes configurable port parameters.
Port Parameters
Ports on the switch can be configured in the following ways:

Enabling and disabling individual ports Configuring the port speed Configuring half- or full-duplex mode Enabling and disabling auto-negotiation Enabling and disabling auto polarity Creating link aggregation groups on multiple ports Configuring QoS on a port-by-port basis
Figure 3: Configurable Port Parameters
Auto-Negotiation, Speed, and Duplex

By default, the switch is configured to use auto-negotiation to determine the port speed and duplex setting for each port.

Fast Ethernet ports can be manually configured for either 10 Mbps or 100 Mbps. Fast Ethernet ports can be configured for half- or full-duplex operation. 10/100 Mbps copper ports can be manually configured for duplex and speed. 100BASE-FX ports operate in full-duplex only and the speed cannot be modified. 1 Gigabit fiber and copper Ethernet ports are statically set to 1 Gbps. The speed and duplex mode cannot be modified. Flow control for Gigabit Ethernet ports is supported, and is enabled or disabled as part of autonegotiation:

disabled if auto-negotiation is turned off enabled if auto-negotiation is turned on
To configure port duplex and speed, enter the following command: configure ports <port_list> auto off speed [10 | 100 | 1000 | 10000] duplex [half | full] For example: configure ports 9 auto off speed 100 duplex full
Turning Off Auto-Negotiation - Gigabit Ethernet

In certain interoperability situations, it is necessary to turn auto-negotiation off on a Gigabit Ethernet port. Even though a Gigabit fiber port only runs at full duplex and gigabit speeds, the command to turn off auto-negotiation must still include the duplex setting. To turn off auto-negotiation for port 49 (a Gigabit fiber port), enter the following command: configure ports 49 auto off speed 1000 duplex full
Auto Polarity in ExtremeXOS

Many of the Extreme Networks switches support automatic detection of the copper Ethernet cable polarity. This means that connecting cables can be straight through or cross-over. This feature applies to only the 10/100/1000 BASE-T ports on the switch. Please refer to the user documentation to determine the capabilities of your switch.
Figure 4: Auto-Negotiation, Speed, and Duplex
Enabling Jumbo Frames

Ethernet frames that are larger than 1522 bytes, (1514 + 4 bytes 802.1Q tag + 4 bytes CRC) are called Jumbo Frames. This support of larger frame sizes increases efficiency of bulk data transfers. Extreme network switches, other than the original e-series, support switching and routing of jumbo frames at wire-speed on all ports. Some network interface cards (NICs) have an MTU size that does not include the 4-byte CRC. You must ensure that the NIC MTU size is at or below the maximum MTU size configured on the switch. Frames that are larger than the MTU size configured are dropped at the ingress port. To enable support for jumbo frames, enter the following command: enable jumbo-frame ports [all | <ports list>] To configure the maximum MTU size of the jumbo frame allowed by the switch (ranges from 1523 9216), enter the following command: configure jumbo-frame size <jumbo_frame_mtu> The default size is 9216. Using path MTU discovery, a source host assumes that the path MTU is the MTU of the first hop. The host sends all datagrams on that path with the dont fragment (DF) bit set, which restricts fragmentation. If any of the datagrams must be fragmented by an Extreme Networks switch along the path, the Extreme Networks switch discards the datagrams and returns an ICMP Destination Unreachable message to the sending host, with a code indicating fragmentation needed and DF set. When the source host receives the Datagram Too Big message, the source host reduces its assumed path MTU and retransmits.
IP Fragmentation with Jumbo Frames

If an IP packet originates in a local network that allows large packets and those packets traverse a network that limits packets to a smaller size, the packets are fragmented instead of discarded. Frames that are fragmented are not processed at wire-speed. To configure VLANs for IP fragmentation, follow these steps: 1 Enable jumbo frames on the incoming port. 2 Add the port to a VLAN, assign an IP address to the VLAN, and Enable IP forwarding on the VLAN. 3 Set the MTU size for the VLAN, by entering the following command: configure ip-mtu <mtu_size> vlan <vlan name> The ip-mtu size can be 1500 to 9216. The default is 1500.
10
Figure 5: Enabling Jumbo Frames
11
Link Aggregation
The link aggregation (load sharing) feature allows you to interconnect switches with multiple links, yet have those links treated as if they were one physical connection. If there is only a single link between switches, it presents network challenges resulting from the following:

Over subscription Single point of failure
Link aggregation allows you to increase bandwidth and resilience between Extreme Networks switches by using a group of ports to carry traffic in parallel between switches. The sharing algorithm allows the switch to use multiple ports as a single logical port. For example, VLANs treat a load-sharing group as a single logical port. Most load sharing algorithms guarantee packet sequencing between clients. If a port in a load-sharing group fails, traffic is redistributed to the remaining ports in the load-sharing group. If the failed port becomes active again, traffic is redistributed to include that port. The load-sharing feature is supported between all Extreme Networks switches, and may also be compatible with third-party trunking or sharing algorithms
NOTE
Load sharing must be enabled on both ends of the link, or a network loop results.
12
Figure 6: Link Aggregation
Figure 7: Link Aggregation (Continued)
13
Link Aggregation Algorithms

This page describes the link aggregation algorithms.
Address-based
The address-based link aggregation algorithm examines a specific place in the packet to determine which egress port to use for forwarding traffic.

For Layer 2 load sharing, the switch uses the MAC source address and destination addresses. For Layer 3 load sharing, the switch uses the IP source address and destination addresses. If the packet is not IP, the switch applies the Layer 2 algorithm. Layer 3_4 Examines the IP port number in addition to the IP address. NOTE
Beginning with ExtremeXOS software version 11.2, the switch can use IPv6 addresses.
Port-based
Port-based load sharing uses the ingress port to determine which load-sharing member port to forward traffic out of. This is a static mapping between ingress port and load-share port. Along with guaranteed packet sequencing, the address-based link aggregation algorithm provides a more even distribution of traffic than the port-based algorithm.
14
Figure 8: Link Aggregation Algorithms
Figure 9: Link Aggregation Algorithms (Continued)
15
Dynamic Link Aggregation

Dynamic link aggregation (also called dynamic load sharing) is a grouping of ports that use the Link Aggregation Control Protocol (LACP). LACP is part of the IEEE 802.3ad standard. By using LACP, dynamic link aggregation allows the switch to:

dynamically determine if link aggregation is possible. automatically enable and configure link aggregation. dynamically reconfigure the sharing groups.
The group is only enabled when LACP detects that the other end is also using LACP, and the ports are configured to be in a group. Among those ports deemed aggregatable by LACP, the system uses those ports with the lowest port number as active ports; the remaining ports aggregatable to that LAG are put into standby status. If more ports in the LAG are selected than the aggregator can handle because of the system hardware, those extra ports are moved into the standby state. As the name implies, the standby ports are available to join the aggregator if one of the selected ports should fails or is disabled. The lowest numbered ports are the first to be dynamically added to the aggregator.
NOTE
LACP does not control the packet distribution algorithm. Both ends of the link should be configured to use the same algorithm.
16
Figure 10: Dynamic Link Aggregation
17
Switch Specific Link Aggregation Support

The following identifies some of the switch specific capabilities:
BlackDiamond 10808, BlackDiamond 12804, and BlackDiamond 8800 switches support Cross-Module Link Aggregation (CMLA). The link aggregation group can span I/O modules On the BlackDiamond 8800 original modules and Summit X450 switch, any broadcast, multicast, or unknown unicast packets are transmitted on the logical port of a load-sharing group. On the BlackDiamond 8800 a-series and e-series modules and Summit X450a and X450e series switches, broadcast, multicast, or unknown unicast packets are transmitted on all port of a loadsharing group. Port-based load sharing is not supported on the BlackDiamond 8800 series and Summit X450 series of switches. Only the address-based algorithm is supported. The BlackDiamond 10808 and BlackDiamond 12804 switches cannot specify L2 or L3 for the addressbased LACP algorithm. A static Link Aggregation Group (LAG), or load-sharing group, can include a maximum of 8/16 ports. An LACP (dynamic) LAG can include a maximum of 16/32 ports; out of these up to 8/16 can be active links and the remaining 8 will be standby links. The maximum number of LAGs is 32/128. NOTE
The first LAG limitation number applies to BlackDiamond 8800 and Summit X450. The second number applies to the BlackDiamond 10808.
18
Figure 11: Link Aggregation Capabilities
Figure 12: Link Aggregation Capabilities (Continued)
19
Enabling Link Aggregation

Link aggregation, is disabled by default. To enable link aggregation, enter the following command: enable sharing <port> grouping <port_list> {algorithm [port-based | address-based {L2 | L3 | L3_L4}]} {lacp} For example: enable sharing 8 grouping 8-12 algorithm address-based L2 lacp
Syntax Description
port port_list port-based address-based L2 L3 L3_L4 Specifies the logical port for a load-sharing group or link aggregation group (LAG). Specifies one or more ports or slots and ports to be grouped to the logical port. Specifies link aggregation by port-based algorithm. NOTE: This parameter is only on the BlackDiamond 10808 and BlackDiamond 12804 switches. Specifies link aggregation by address-based algorithm. Specifies address-based link aggregation by Layer 2. Layer 2 is the default value. NOTE: This is only on the BlackDiamond 8800 series and Summit X450 switches. Specifies address-based link aggregation by Layer 3. NOTE: This is only on the BlackDiamond 8800 series and Summit X450 switches. Specifies address-based link aggregation by Layer 3 IP plus Layer 4 port. NOTE: This parameter is available only on the Summit X450a switch, X450e switch and BlackDiamond 8800 a-series and e-series modules. lacp Specifies dynamic link aggregation, or load sharing, using the LACP.
All ports in an LAG must have at the same speed and duplex settings. Each port can belong to only one LAG. After link aggregation is enabled the LAG can be modified using the configure command. ExtremeXOS allows the following configuration without deleting the LAG:

Change the address layer for address-based groups. Add ports to or delete ports from the LAG.
Switch LAGs are defined according to the following rules:
The software supports control protocols across the LAGs, both static and dynamic. For example, EAPS, ESRP, LLDP, and STP. Although you can only reference the logical port of an LAG in a Spanning Tree Domain (STPD), all the ports of a load-sharing group actually belong to the specified STPD. Always reference the logical port of the LAG when configuring or viewing VLANs. VLANs configured to use other ports in the LAG will have those ports deleted from the VLAN when link aggregation becomes enabled. NOTE
Load sharing must be enabled on both ends of the link, or a network loop may result.
20
Figure 13: Enabling Link Aggregation
21
Configuring Dynamic Link Aggregation

Beginning with ExtremeXOS 11.3, you can configure the priority used by LACP for each LAG to establish the end that assumes control in determining which LAG ports are moved to the collecting/ distributing state of the protocol. If you do not configure this parameter, LACP uses the system MAC address to determine priority. To configure the LACP priority, enter the following command: configure sharing <port> lacp system-priority <priority>
Syntax Description
port priority Specifies the logical port for the LAG you are setting the priority for. Enter the value you want for the priority of the system for the LACP. The range is 1 to 65535; there is no default. Lowest priority controls LACP.
To remove the assigned priority entirely enter 0. To dynamically add ports to a link aggregation group, enter the following command: configure sharing <logical_port> add ports <port_list> To configure the order that ports are added to the aggregator, enter the following command: configure lacp member-port <port> priority <port_priority> The lower value is added first. If you do not configure this parameter, the lowest numbered ports in the LAG are the first to be added. To configure whether the switch sends LACPDUs periodically (active) (default) or only in response to LACPDUs sent from the partner on the link (passive), enter the following command: configure sharing <port> lacp activity-mode [active | passive] To configure the timeout used by each LAG to stop transmitting once LACPDUs are no longer received from the partner link, enter the following command: configure sharing <port> lacp timeout [long | short] The long value uses 90 seconds as the timeout value. The short value uses 3 seconds as the timeout value. A LAG port moves to expired and then to the defaulted state when it fails to receive an LACPDU. You can configure whether you want an LAG port that moves into the default state removed from the aggregator or added back into the aggregator. If you configure the LAG to remove the ports, those ports are removed from the aggregator and the port state is set to unselected. To configure whether a defaulted LAG port is removed from the aggregator, enter the following command: configure sharing <port> lacp defaulted-state-action [add | delete]
22
Figure 14: Configuring Dynamic Link Aggregation
23
Verifying Link Aggregation Settings

To display LACP settings on the switch, enter the following command: show lacp This command displays the following information about a specific LACP LAG or all LAGs configured on the switch:

Up or Down. LACP is exchanging PDUs or not. Enabled or disabled System MAC
MAC address for the system, which is used for LACP priority in the absence of a specifically configured priority.
LACP PDUs dropped on non-LACP ports LAG
Identifies the particular LAG. This number comes from the logical port assigned to the LAG and is the LAG group ID. Shows the system priority for that LAG. If this number is lower than the number displayed for the Partner Sys-Pri, the system you are working on is the controlling partner in the LAG. Automatically generated LACP key. Identifies the MAC address for the system connecting to the LAG on the remote end. Shows the system priority for that LAG on the remote end. If this number is lower than the number displayed for the Actor Sys-Pri, the system at the remote end is the controlling partner in the LAG. LACP key automatically generated by the system to which this aggregator is connected. If this number is lower than the number displayed for the Actor Key, the partner system is the controlling partner in the LAG. Identifies the number of ports added to the aggregator for that LAG.
Actor Sys-Pri

Actor Key
Partner MAC
Partner Sys-Pri

Partner Key

Agg Count
To display the configuration and status of an LAG, enter the following command: show lacp lag <group-id>
24
Figure 15: Verifying Link Aggregation Settings
Figure 16: Verifying Link Aggregation Settings (Continued)
25
Verifying Link Aggregation Ports

To displays an LAG, enter the following command: show ports sharing The display shows the following:

The configured logical port Current logical port The load-sharing algorithm used The load-share member ports The link status Number of link transitions
To display LACP settings for a specified port that is a member of an LAG, enter the following command: show lacp member-port <port> {detail} To display all LACP, or dynamic link aggregation, counters for all member ports in the system, enter the following command: show lacp counters To verify if a port is part of an LAG, enter the following command: show ports configuration
26
Figure 17: Verifying Link Aggregation Ports
Figure 18: Verifying Link Aggregation Ports (Continued)
27
Disabling Link Aggregation

When sharing is disabled, the logical port retains all configuration including VLAN membership. All other member ports are removed from all VLANs to prevent loops and their configuration is reset to default values. To disable sharing, enter the following command: disable sharing <logical_port> To dynamically delete ports from a link aggregation group, enter the following command: configure sharing <logical_port> delete ports <port_list> To clear the counters associated with LACP, enter the following command: clear lacp counters
28
Figure 19: Disabling Link Aggregation
29
Port Mirroring
Port mirroring configures the switch to copy all traffic associated with one or more ports to the monitor ports on the switch. The monitor ports can be connected to a network analyzer, RMON probe, or Sentriant appliance for packet analysis. The switch uses a traffic filter that copies traffic to the monitor ports. You may designate up to 16 ports as monitor ports when you enable port mirroring using the port-list option. The traffic filter can be defined based on one of the following criteria:
Physical port - All data that traverses a port, regardless of VLAN configuration, is copied to the monitor ports VLAN - All data to and from a particular VLAN, regardless of the physical port, is copied to the monitor ports. Up to 16VLANs can be mirrored. Virtual port - All data for a specific VLAN on a specific port is copied to the monitor port. You can configure up to 16 mirroring filters and one monitor port on the switch. After a port is configured as a monitor port, it cannot be used for any other function.
To configure a mirror output port, use the following syntax: enable mirroring to [port <port> [tagged | untagged] | port-list <portlist> loopback-port <port> [tagged | untagged]] {remote-tag <vlan tag>} NOTE
Frames that contain errors are not mirrored. The untagged parameter is available only on the Black Diamond 10808 and Blackdiamond 12804 switches.
To add a single mirroring filter definition for a VLAN, physical port or a specific VLAN/port combination, enter the following command: configure mirroring add [vlan <name> {port <port>}| port <port> {vlan <name>}] {ingress | egress | ingress-and-egress} NOTE
The ingress and egress parameters are available only on the BlackDiamond 8800 series switches and the Summit X450 series switches.
To delete a particular mirroring filter definition, enter the following command: configure mirroring delete [all | port <port> {vlan <name>} |vlan <name> {port <port>}] To disables port-mirroring. disable mirroring To verify the parameter settings, enter the following command: show mirroring
30
Figure 20: Port Mirroring
31
Extreme Discovery Protocol (EDP)

The Extreme Discovery Protocol (EDP) is a Layer-2 protocol and is Extreme Networks proprietary. EDP uses an Ethernet Sub-Network Address Protocol (SNAP) encapsulation and has a destination MAC address of 00-E0-2B-00-00-00. EDP is enabled by default. EDP is used by the Extreme Networks switches to exchange topology information with each other. Information communicated using EDP includes the following:

Switch MAC address (Switch ID) Switch software version information Switch IP Address Switch VLAN-IP information Switch port number
To enable the generation and processing of EDP messages on one or more ports, enter the following command: enable edp ports [all | <port number>] To disable the generation and processing of EDP messages on one or more ports, enter the following command: disable edp ports [all | <port number>] To verify the EDP parameter settings, enter the following command: show edp {ports [all | <ports>] {detail}}
32
Figure 21: Extreme Discovery Protocol (EDP)
33
LLDP
Beginning with ExtremeXOS version 11.2, the software supports the Link Layer Discovery Protocol (LLDP). LLDP is a Layer 2 protocol (IEEE standard 802.1ab) that is used to determine the capabilities of devices such as repeaters, bridges, access points, routers, and wireless stations. LLDP enables devices to advertise their capabilities and media-specific configuration information and to learn the same information from the devices connected to it. The LLDP supports discovery of network topologies in a multivendor environment. LLDP transmits periodic advertisements containing device information and media-specific configuration information to attached neighbors. The type length value (TLV) within link layer control frames is used to communicate with other LLDP agents. LLDP agents receive link layer control frames, extract the information in the TLVs, and store them in LLDP Management Information Base (MIB) objects. LLDP is configured on a per-port basis. Each port can store information for a maximum of four neighbors. All LLDP configurations are saved when you issue the save configuration command. LLDP can work concurrently with EDP or independently of EDP. The LLDP multicast address is defined as 01:80:C2:00:00:0E, and the EtherType is defined as 0x88CC.
NOTE
The LLDPDU has a maximum of 1500 bytes, even with jumbo frames enabled. TLVs that exceed this limit are dropped. Extreme Networks recommends that you advertise information regarding only one or two VLANs on the LLDP port, to avoid dropped TLVs.
The following information, when configured, can be sent at regular intervals:

Chassis ID (mandatory) Port ID (mandatory) Time-to-live (mandatory) Port description System name System description (system name, hardware version, OS, networking software) System capabilities (WLAN access point, router, IP phone, etc.) Management address (addresses of local LLDP agent) 802.1-specific information

VLAN name Port VLAN ID Port and protocol VLAN ID (protocol/port based VLAN support and VLAN tag) MAC/PHY (duplex and bit rate. auto-negotiation or manual configuration) Power via MDI (power support capabilities of the LAN device) Link aggregation (can be aggregated or is currently aggregated)
802.3-specific information

Maximum frame size
34
Figure 22: LLDP
35
Configuring LLDP
LLDP information is transmitted periodically and stored for a finite period. Once you enable LLDP, you can set a variety of time periods for the transmission and storage of the LLDP messages (or you can use the default values), as follows:

Reinitialization period (default is 2 seconds) Delay between LLDP transmissions (default is 2 seconds)applies to triggered updates, or updates that are initiated by a change in the topology Transmit interval (default is 30 seconds)applies to messages sent periodically as part of the protocol Time-to-live (TTL) value (default is 2 minutes)time that the information remains in the recipients LLDP database. Configure the Transmit Hold time and Transmit Interval to determine the TTL. The TTL is equal to the Transmit Interval X Transmit Hold.
LLDP is disabled by default. To enable the transmitting or receiving of LLDP TLVs, enter the following command: enable lldp ports [all | <port_list>] {receive-only | transmit-only} To modify the LLDP transmit interval, hold timer, or transmit delay, enter the following commands: configure lldp transmit-interval <seconds> configure lldp transmit-hold <hold> configure lldp transmit-delay [ auto | <seconds>] To enable or disable the advertisement of specific TVLs, enter the following command: configure lldp ports [all | <port_list>] [advertise | no-advertise] [ management-address | port-description | system-capabilities | systemdescription | system-name | vendor-specific <TVL_name> Additional commands control the advertisement of the management address, port description, system capabilities, system description, system name, port vlan ID, port VLAN, Power-over-Ethernet, and similar information. To verify the configuration of LLDP, enter the following command: show lldp {port [all | <port_list>]} {neighbors} {statistics} {detailed} Additional useful commands include: show process lldp
36
Figure 23: Configuring LLDP
Figure 24: Verifying LLDP
37
Summary
The Layer 1 Configuration module provides an introduction to the Extreme Networks switch port types, port parameters, and port and load sharing configuration commands. You should now be able to:

Configure port speed and duplex. Define the link aggregation feature and its benefits. Describe the different link aggregation algorithms. Configure dynamic address-based link aggregation. Verify the link aggregation configuration. Describe the Extreme Discovery Protocol. Enable the Link Layer Discovery Protocol.
38
Figure 25: Summary
39
Lab
Turn to the Layer 1 Configuration Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
40
Figure 26: Lab
41
Review Questions
1 Which of the following commands correctly configures the link aggregation feature? a configure sharing 1 grouping 1-4 b enable sharing 1 grouping 1-4 c create sharing 1 grouping 1-4 d create grouping 1 sharing 1-4
2 Which of the following commands dynamically adds ports to a link Aggregation group? a configure sharing 6 add ports 7,8 b configure linkaggragation 6 add ports 7,8 c configure lacp group 6 add ports 7,8 d add group 6 lacp ports 7,8
3 What is the purpose of LLDP? a LLDP supports the discovery of network topologies in a multivendor environment. b LLDP supports the discovery of network topologies in an Extreme Networks proprietary environment. c LLDP supports dynamic addition to and deletions from a link aggregation group. d LLDP supports equal-cost multiple paths in a routed environment.
4 Which of the following commands activates the Extreme Discovery Protocol on all ports? a configure edp ports all b create edp ports all c create edp all d enable edp ports all
5 Why is the address-based Port Load Sharing or link aggregation algorithm recommended? a It provides the fastest link-failure recovery time and guarantees packet sequencing. b It provides the most information for troubleshooting and guarantees packet sequencing. c It provides a more even distribution of traffic than the port-based algorithm and guarantees packet sequencing.
d It provides the most reliable transfer of data and guarantees packet sequencing.
42
6 Which of the following identifies the maximum number of monitor ports that can be configured on a switch? a One b Two c Four d Sixteen
7 What feature allows you to copy all traffic associated with one or more ports to a monitor port? a Port monitoring b Port copying c Port mirroring d Port reflecting
8 Which of the following commands correctly configures port 6 to be the port-mirroring monitor port? a create mirroring add port 6 tagged b configure mirroring add port 6 tagged c enable mirroring to port 6 tagged d configure mirroring to port 6 tagged
9 Which of the following examples correctly disables ports one through five on the switch? a disable ports 1-5 b disable ports 1:5 c disable ports 1,5 d disable ports 1:2:3:4:5
10 What is Extreme Discovery Protocol used for? a Performs an active search for all IP devices on the network. b Performs a passive search for all Layer-2 devices on the network. c Exchanges topology information with other third-party and Extreme Networks switches. d Exchanges topology information with other Extreme Networks switches.
43
Layer 1 Configuration 11 What does port mirroring do? a Reflects all received traffic on a port back out the transmit side. b Configures the switch to copy all traffic associated with one or more ports to the monitor ports on the switch. c Configures the switch to copy all traffic entering the switch to a monitor port on the switch. d Displays a real time packet analysis on the console port for traffic received on a specified Ethernet port.
12 What is the link aggregation feature used for? a To increase bandwidth and resilience between switches. b To balance traffic across multiple paths. c To guarantee packet sequencing. d To increase delay tolerance.
44
This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
45
46
EXOS Stacking
EXOS Stacking
Student Objectives
Upon completion of this module, you will be able to:

Describe the benefits of SummitStack Stacking Technology Explain how stacking operates Identify the various components of stacking Configure a set of devices to employ stacking Verify the stacking configuration Troubleshoot stacking issues Student objectives
EXOS Stacking
SummitStack Stacking Technology Benefits

In order to properly evaluate the benefits of SummitStack Stacking Technology, we'll need to compare it to some alternative technologies. The access layer of a network can be implemented using either chassis or fixed-format switches. A chassis has the advantage of simplifying management and tends employ more redundancy and highavailability options. However, a chassis has the disadvantage of requiring the allocation of more space than what the initial port counts may require. Chassis-based systems also tend to be more expensive than fixed-format switches. Standalone fixed-format switches have the advantage of being less expensive and easier to fit into open rack slots, but have a disadvantage in that each new addition of access ports brings with it another device to manage. Also, fixed-format switches are typically not as redundant and do not have the same level of high-availability features as chassis switches.
Figure 2: SummitStack Stacking Technology Benefits
EXOS Stacking
SummitStack Stacking Technology Benefits (Continued)

There are several benefits to employing ExtremeXOS SummitStack stacking technology in any network. For example: By using stacking, you have the advantage of using Combined Management over several devices. ExtremeXOS SummitStack creates a single management point of control for configuring and managing all of the member switches in a stack. Configuring Layer 2 VLANs or Layer 3 routing interfaces is simplified with a single management view of all the ports in the entire stack. Stacking technology allows you to Pay as You Grow. With ExtremeXOS SummitStack, you can start out with a single switch and grow to eight switches in a single stack. Features such as Link Aggregation, Multicast and Port Mirroring operate with ports on a single switch or operate on ports spread across multiple stack member switches. You can add ports to your Extreme Networks SummitStack when extra port density is needed. Stacking enables you to mix products to fit the unique needs of your business. By using ExtremeXOS SummitStack, you can mix switches with different interface types and port densities in a single stack to support a range of applications. Interfaces available are:

10/100/1000BASE-T available in AC and DC powered versions 10/100/1000BASE-T with Power Over Ethernet in AC powered versions 100/1000BASE-X mini-GBIC available in AC and DC powered versions 10/100BASE-TX with or without PoE in AC powered versions
Extreme SummitStack provides an optimized stacking Architecture. Other stacking technologies can reduce the management overhead of fixed-format switches, but often at a cost in overall performance and reliability. A stacking architecture that lacks adequate bandwidth or incurs forwarding penalties results in a serious loss of performance, which is unsuitable to support new converged applications. The SummitStack stacking architecture was designed to provide significant throughput, up to 320 Gigabits per Second (Gbps) per stack, and the distributed, shortest path forwarding can provide performance comparable with chassis switches. Resiliency is of key importance for these applications and is provided by redundant bidirectional ring architecture and n-1 master redundancy, distributed Layer 2 and Layer 3 link aggregation, link redundancy and distributed uplinks. You will realize Decreased Connectivity Costs with our stacking solution. Using Extreme Networks special stacking cables and built-in stacking ports to connect the supported switches is less expensive than purchasing 10 Gigabit modules to interconnect the devices. The SummitStack stacking architecture delivers the best of both worlds: the benefits of a chassis at the cost of a stackable, in an architecture designed to support todays evolving LAN applications. The resulting network simplification can provide lower management and maintenance costs while enhancing overall availability.
Figure 3: SummitStack Stacking Technology Benefits (Continued)
EXOS Stacking
Hardware Requirements
There are some hardware requirements in order to benefit from the SummitStack architecture. The first requirement is that the stack be built from SummitStack Compatible Hardware. As of this writing, ExtremeXOS allows the following hardware platforms to be joined together in a stack:

Summit x250 Series Switches Summit x450 Series Switches Summit x450a Series Switches Summit x450e Series Switches
Each of these products supports various capabilities and media types. Please refer to company literature to ensure that you select switches that best meet your application's needs. The second hardware requirement is the addition of stacking cables. The SummitStack Stacking Cables contain special connectors that support the high-speed ring topology of the SummitStack Architecture and meet the resiliency requirements of this feature. Extreme Networks offers Stacking cables in four lengths - from a minimum to a half meter, to a maximum of five meters long. The order numbers are listed on the screen for your convenience and more information is available on the Extreme Networks corporate web site.
Figure 4: Hardware Requirements
EXOS Stacking
Software Requirements
SummitStack Stacking Technology requires ExtremeXOS Software Version 12.0 or later. Units running less than ExtremeXOS 12.0 will not join stack. Whichever version of ExtremeXOS Software you plan to deploy in your network, the SummitStack architecture requires that all units run the exact same version of software in order to ensure device interoperability and stack stability. Units with software versions greater than 12.0 but not equal to stack master version become active stack members (provided there are no other stack topology issues) with disabled front panel ports. The noncompliant unit is still accessible to the stack master through the stack port. This allows the network administrator to download the appropriate version of code to the device using the following command: download image This command loads the appropriate version of software the non-conforming unit requiring that the unit be removed from the stack.
NOTE
Since the front panel ports on the target unit are disabled, the tftp server must be accessible though the ports of another unit in the stack.
If possible, stage and configure devices before adding them to a live stack.
10
Figure 5: Software Requirements
11
EXOS Stacking
Stacking Ports - Stacking Architecture

The stacking architecture is very straight forward, but does require a bit of explanation: First of all, there are two stacking ports per device. Each stacking port provides ten gigabits per second of full duplex bandwidth. Thats ten gigabits of bandwidth available to transmit traffic, and ten gigabits of bandwidth available to receive traffic for a total of twenty gigabits per second of bandwidth per port. Each switch has two stacking ports, which provides the unit with the capacity to service an aggregate of forty gigabits per second of traffic through the stack connectors. Finally, In a stack of eight switches, the stacking hardware can support up to three hundred twenty gigabits of throughput.
12
Figure 6: Stacking Ports - Stacking Architecture
13
EXOS Stacking
Unit Roles - Stacking Architecture

The SummitStack Architecture defines three types of roles for the units in the stack:

Master Unit Backup Master Unit and Standby Unit
The Master Unit manages the configuration of all units. No unit in the stack is allowed to look at it's configuration file and program its own switching ASICs. This is because the Master Unit has acquired the ownership of the configuration for all other units in the stack. However, to ensure that the stack can survive it's loss, the master will share the configuration of the stack with the Backup Master Unit. The Backup Master maintains the configuration of the stack in memory, in case it is needed, but does nothing with it unless the Master Unit becomes unavailable. You can compare the functionality of the Master Unit to that of a Master MSM. Much of the architecture and code for the SummitStack Technology is derived from ExtremeXOS chassis code that is used to manage I/O modules. The Backup Master Unit has a hybrid role in the stack. It must be ready to immediately assume the role of the master unit, should the master unit fail, however, it is like every other Standby Unit in that it does not own its own configuration. Remember, the Master Unit acquires ownership of the configuration of all units in the stack, not just the standby units. In order to ensure that a failover condition (where the Master Unit fails and the backup unit takes over) is expedited in the most judicious fashion, the backup master unit will acquire co-ownership of the standby units configuration files. The Backup Master Unit will not exercise its right to configure the standby units unless the Master Unit has failed and the Backup Master Unit has assumed the role of Master Unit. You can compare the functionality of the Backup Master Unit to that of a Backup MSM. The last unit role we'll examine is that of the Standby Unit. These units are essentially slaves to the Master Unit. The ASICs are configured by the master, but the standby unit doesn't maintains a copy of the database in memory. In other words, the standby unit does what it is told, but doesn't know why it's doing it. However, for stack management purposes, the standby unit is aware of its stack configuration. It knows its own slot number, the stack MAC address, the master unit, and other parameters necessary to maintain stack operations. In case of a stack error, such as the loss of the Master Unit or Backup Master Unit, a Standby Unit may become a Master Unit or a Backup Master Unit, depending upon its stack configuration. Finally, you can compare the functionality of the Standby Unit to that of a chassis-based I/O module.
14
Figure 7: Unit Roles - Stacking Architecture
15
EXOS Stacking
Ring Topology - Stacking Architecture

To continue with the discussion of the stacking architecture, the SummitStack supports a ring topology during normal operation. This means that every device is connected to another device in a daisy-chain fashion, and that last device is connected to the first device thus creating a ring. This type of topology provides the stack with the ability to sustain a stack cable failure, or the loss of the a unit and still be able to operate, with all units maintaining a physical and logical association with one another. This break in the ring creates a physical or logical daisy-chain topology. For this reason, a daisy-chain topology is not supported for continuous or standard operations. A daisy-chain topology is only supported to address a stack failure condition. A Daisy chain physical topology not supported for continuous operations. Unfortunately, a daisy-chain topology doesn't have the same level of resiliency as a ring, and the loss of another cable or unit could result in the stack becoming segmented and stack members becoming isolated - either physically or logically - from the rest of the stack members or from the network.
16
Figure 8: Ring Topology - Stacking Architecture
17
EXOS Stacking
Topology Traffic - Traffic Handling - Stacking Architecture

Stack Traffic Classification
SummitStack architecture has different methods for handling different types of traffic. The architecture classifies traffic into these four categories:

Topology Traffic Unicast Traffic Multicast Traffic VLAN Traffic which consists of Unknown Unicast, Unknown Multicast, and Broadcast Traffic
Topology Traffic
Topology Traffic is generated by a proprietary hop-by-hop protocol that is used to manage the stack's topology. Among other things, the Topology protocol is responsible for:
Interrogating the various units that are interconnect by the stack cable to determine their capabilities and stack configuration Electing a stack master Electing a backup master Ensuring a stack MAC address is configured Ensuring each switch in the stack has a unique slot number Managing all stack joins, merges, and failures
Topology traffic does not include any user data, nor does it include any non-stack related configuration messages. Only stack configuration messages are sent using the topology protocol. Topology traffic is processed by the CPU, not by the switching ASICs. The topology of the stack must be determined before user data can be forwarded. Therefore, the topology protocol must work before the stack is formed. Since it works before the stack is formed, it can be used to configure stacking options on devices in the stack even if there are stacking issues. After the stack is formed, topology traffic consumes very little bandwidth.
18
Figure 9: Topology Traffic - Traffic Handling - Stacking Architecture
19
EXOS Stacking
Unicast Traffic - Traffic Handling - Stacking Architecture

To continue on with the topic of how the SummitStack Architecture handles traffic: The SummitStack Architecture allows the stack units to send and receive traffic using either stack port one or stack port two. This enables the switches in the stack to employ a shortest path algorithm for traffic forwarding operations. Using the diagram on the slide, in order to reach unit eight, unit six transmits data out of it's stack port one to reach switch eight. However, the same unit, unit six, would use it's stack port two to transmit data to unit three. If the path to the target is shorter using stack port two, then the system uses stack port two. The same holds true if the path to the target device is shorter using stack port one. Whichever port provides the shortest path, that's the path that the system will use. Known unicast traffic is handled by the switch fabric. When a frame enters the system through a non-stack port, the switching ASIC responsible for that port will lookup the destination MAC address in its forwarding database to determine which Module ID and port number is associated with the destination MAC address. The Module ID identifies a specific unit in the stack, as well as a specific switching ASIC in that unit. The ingress switching ASIC forwards the frame to the egress switching ASIC by pre-pending the Ethernet frame with the destination Module ID and port number and source Module ID and port number. The destination Module ID and Port Number fields enable the frame to navigate the stack fabric to reach the frame's final destination. Once the frame reaches it's destination, the destination ASIC places an entry in it's forwarding database associating the source Module ID and source port number with the MAC address - if it is not already known. Because known unicast is not flooded, there is no danger this type of traffic looping around the stack. Therefore no stacking ports are blocked for known unicast traffic. This is not the case for broadcast, multicast, or unknown unicast traffic as you'll soon see.
20
Figure 10: Unicast Traffic - Traffic Handling - Stacking Architecture
21
EXOS Stacking
Known Multicast Traffic - Traffic Handling - Stacking Architecture

The Stacking Architecture handles multicast traffic slightly different than it does known unicast traffic. Multicast traffic is still handled by the switch fabric, and each ASIC in the switch is made aware of configurations that affect traffic forwarding. For example: If a multicast group only exists on one unit within the stack, there is no need for the other units in the stack to be made aware of that multicast group. However, if a multicast group is configured across several units in a stack, then that information must be distributed to the units in the stack. As the multicast frame comes into a unit on a stack, that ASIC will FLOOD traffic to all relevant front panel ports as well as the stacking ports. Each unit in the stack must be made aware of the multicast group to enable them to either receive the multicast frames and deliver them to its own front panel ports or to allow the multicast traffic to traverse its stack ports on the way to another stack unit. Because multicast traffic is flooded, and is allowed to transmitted onto the stack fabric, and the typical topology for the stack is a ring, there has to be a mechanism to ensure that multicast traffic will not continue to loop around the ring. The SummitStack Architecture answer is to create a logical break in the ring by blocking connected stacking ports on adjacent units to ensure multicast traffic cannot continuously circulate across the ring. While this seems straight forward, there is one more optimization that is included in the way the SummitStack Architecture handles multicast traffic. The decision as to which ports to block is based upon the multicast group address. Let's say that the first multicast group address is 224.0.0.1. The switch will logically block switch port one on unit three, and switch port two on unit four. This creates a logical stack break between units three and four. The result of this operation is that all the units of the stack will receive the multicast traffic meant for 224.0.0.1, but that traffic is also prevented from looping around the stack. Let's add to one more piece of data to the equation. Let's say our upstream router, the one behind which all our multicast servers are located, is connected to unit four. That means that multicast traffic destined for unit three would have to exit stack port 1 on unit 4 and traverse the entire stack before reaching unit 3. Now, what if you blocked the same ports for every multicast group? That would cause all multicast traffic from every group to have to traverse the entire stack before reaching unit 3. But the SummitStack Architecture takes this into account and attempts to distribute multicast traffic more evenly by assigning blocking ports based upon the target address. Now let's say that we get traffic for a second multicast address of 224.0.0.2. The SummitStack Architecture will configure itself to logically block adjacent stacking ports on two units to prevent the multicast traffic from looping over the stack. In this case it may be stack port one on unit five and stack port two on unit six. So, for packets destined for a device on unit three, and addressed to the multicast group of 224.0.0.2, they can get from unit 4 to unit 3 by exiting unit 4's stack port 2. Essentially one hop away.
22
Figure 11: Known Multicast Traffic - Traffic Handling - Stacking Architecture
23
EXOS Stacking
Unknown Unicast / Broadcast / Unknown Multicast Traffic Handling - Stacking Architecture

The SummitStack Architecture handles the following types of traffic the same way:

Unknown Multicast Unknown Unicast Broadcast
Because the destination port is unknown, Unknown Multicast, Unknown Unicast, and Broadcast traffic must be flooded to the entire VLAN - in fact this type of traffic is sometimes referred to as VLAN traffic because it is distributed to every port on a VLAN. This type of traffic can come into from any port, so it doesn't make sense to try to equalize the distribution of traffic in the way that known multicast traffic handles distribution. Therefore, all VLANs will have the same stacking ports blocked to ensure that frames do not endlessly circulate throughout the stack. The blocked port is Stack Port 1 on the unit with the lowest MAC address plus the interconnected port on the adjacent switch.
24
Figure 12: Unknown Unicast / Broadcast / Unknown Multicast - Traffic Handling - Stacking Architecture
25
EXOS Stacking
Stack Join - Stacking Operations

Now that you know how the SummitStack Architecture handles traffic, let's take a look at how it operates. Obviously, the first thing that the stack must do is to join - or to become a single logical unit. From a very high level, the stack software must:

Discover Stack Topology Elect Master Elect Backup Master Stack Synchronize Operational Phase
In the next few slides, we'll take a look at each one of these tasks in more detail.
26
Figure 13: Stack Join - Stacking Operations
27
EXOS Stacking
Discover Stack Topology - Stack Topology

After power is applied to a stack, the unit initiate a discovery process to determine the stack's configuration. In order to participate in the stack discovery process, a unit must be running ExtremeXOS 12.0 or greater. If a unit is running an appropriate ExtremeXOS software version, the stack discovery process occurs whether or not stacking is enabled on the device provided that one of the two stack port is connected to another powered unit. This doesn't mean that a unit that has stacking disabled will join the stack as an active unit, but it will participate in the routines that enable the stack to determine the topology of the stack plane. First, each unit broadcasts a topology discovery packet (hello packet) out of each port (if connected) with information that describes their configuration. The information provided includes:

Stack Mode (enabled / disabled) Unit MAC Address Stack MAC address Model Number Slot # Stack Priority Stack Master Capable Hops Count - Starting count of 0 Unit License Level Alternate IP / Mask Alternate Gateway
Next, the units that are connected to the sending device's stack ports receive the packet and forward them to their respective CPUs. The CPU on each unit processes the packet by extracting information about the unit that originated the packet, incrementing the hop count, and retransmitting the packet out of the port that did not receive the packet originally. Using this hop-by-hop forwarding technique, all the units in the stack will eventually have information about all their neighbors. Finally, a when a unit receives a packet that has its own MAC address as the source, it will remove that packet from the stack plane and will note that the stack is a ring. In a ring topology, each unit should have a path to every other unit through both of its stack ports. The unit will use the shortest path when making forwarding decisions. During the discovery process, if the ring is broken, the units in the stack will not receive the topology packets that they sent (so they know that the stack is not a ring configuration), but they build a daisy chain topology based upon the packets received. Once the discovery process is complete, the units that are qualified to become active stack members proceed to the next step of selecting a stack master. The units that are not qualified to go to the next step are:

Units with stacking mode disabled Units with the same slot number as another device
28
Figure 14: Discover Stack Topology - Stack Topology
29
EXOS Stacking
Master / Backup Master Election - Stacking Operations

The Master and Backup Master election process is fairly straight forward. Each unit is able to select the Master Switch based upon the information that they received during the discovery process. First of all only units that have master-capability turned on can become masters.
Stacking Priority
Next, the units evaluate the stacking priority of each unit. The lower the number, the higher the priority. This parameter is user configurable and can accept the values of AUTOMATIC, and 1 to 100. The unit with the highest priority becomes the stack master. If there are two or more units with the same stack priority (and the value is not automatic), then the system uses the slot number as the tie-breaker.
Slot Number
The slot number is a user configurable parameter. Each unit must be configured with a unique value from 1 to 8 in this parameter. While the slot number is derived from the slot number parameter in an Extreme Networks chassis system, the slot number in a stackable system does not correspond to the unit's physical position in stack or the distance from Master. This number is purely a logical number that is assigned by the network administrator. In terms of electing the Master Unit, if more than one unit is tied with the highest stack priority value (and the parameter is not set to AUTOMATIC), the unit among these with the lowest slot number will become the Master Unit. At this point, the system should be able to select a Master Unit. The units in the stack will then go through the same process to elect the Backup Master Unit.
Automatic Priority
The default value for the stack priority value is AUTOMATIC. The AUTOMATIC setting allows the system to elect the stack master based upon a prioritization algorithm provide by Extreme Networks that may include factors such as CPU speed, memory, or number of ports. As of this writing, the AUTOMATIC setting has not been implemented. If all units have their Stacking Priority parameter set to AUTOMATIC, the master unit will be elected based upon the unit with the lowest slot number.
30
Figure 15: Master / Backup Master Election - Stacking Operations
31
EXOS Stacking
Stack Configuration - Stacking Operations

After the Master Unit and the Backup Master Unit have been elected, the Master reads its configuration file and shares it with Backup Master Unit. Now both the Master Unit and the Backup Master Unit have a copy of the stack's configuration. The next thing that happens is that the Master Unit and Backup Master Unit inform the standby units (non-master units) that they have acquired ownership of the non-master unit's configuration files. This places the standby unit into an ACQUIRED state. As long as the standby units are in an acquired state, and detect the presence of an acquiring unit on the stack, the units remain operational. If the acquiring units should disappear, and no other Master Units have acquired the standby units, then the standby units reboot because the integrity of their configuration cannot be verified. After acquiring ownership of the non-master units, the master unit configures itself, the backup master, and the non-master units. To configure other units, the Master Unit uses a Remote Procedure Call (RPC) -like process to program the switching ASICs. Any future configuration changes will be executed using the same process. Since the master unit is responsible for the non-stacking configuration of all the units in the stack, it is the only unit that configures itself. Even if there is a configuration file on the other units, it will not be used for configuring the unit.
Operational Phase - Stacking Operations

During the operational phase, units continue to verify the integrity of the stack, update their list of stack members, and maintain a logical association with the Master Units. If the administrator issues configuration changes, the stack master propagates the changes to the relevant units. For example: If the administrator creates a VLAN that is confined to a single unit, it is not required that the other units in the stack be aware of that VLAN. However, if the administrator creates a VLAN that has port members on various units in the stack, then all the units must have their configuration updated. Obviously, those units with non-stacking ports that are part of the VLAN need to have their configurations update, but the other units need to have their stacking ports configured to allow the VLAN traffic to traverse the stack plane. Remember, switching decisions are made by ingress switch engine. The switch engine looks up the destination in its forwarding table, and directs the packet to the appropriate port. If the destination port is on another stack member, the packet is sent to the appropriate stack port. If the destination is a port on the same unit, the packet is directed to that port the involvement of the stack plane. Finally, the stack becomes manageable and accessible via the MGMT (management) VLAN. The stack master uses the configured Stack MAC Address (more on the Stack MAC address later) and Stack IP Address to make the stack manageable over the network. The network administrator can now initiate a network connection to the master unit to manage the stack.
32
Figure 16: Stack Configuration - Stacking Operations
Figure 17: Operational Phase - Stacking Operations
33
EXOS Stacking
Stack Link Failure Recovery - Stack Operations

If there is a single stack link failure, the system can recover fairly easily. When the failure is detected, the units in the stack simple recalculate the shortest path to each of the units. Since the ring is now physically segmented, there is no reason to logically block ports. Therefore, the logical port blocks for VLAN traffic and known multicast traffic is removed. In the example on the screen, you can see that the stack cable between unit 4 and unit 5 has failed. Before the failure, unit 5 only needed 1 hop through its stack port 2 to reach unit 4. After the cable failure, unit 5 now finds itself 7 hops away from unit 4 via its stack port 1. Finally, stacking cable failures are rare. If a stack does experience this type of failure, it is usually because somebody has disconnected the cable for maintenance purposes or by accident.
34
Figure 18: Stack Link Failure Recovery - Stack Operations
35
EXOS Stacking
Multiple Link Failure Recovery - Stack Operations

When a multiple link failure occurs, there are going to be issues that have to be overcome. First of all, stack segmentation is going to occur. Units will not be able to communicate to one another like they could when the ring was whole or there was only one failed link. The first concern is the location of the master units. One of two scenarios can occur:

One segment has both the master and backup master units and the other segment has no master unit One segment has the master unit and the other segment has the backup master unit
If the Master Unit and the Backup Master Unit end up on different stack segments, then the segment with master needs to elect a new backup master, recalculate the path to other units, and update switching ASICs to remove entries for units that are no longer accessible to the units. In order to elect a new backup master, there must be another unit on the stack segment that is master-capable. If no other unit on the stack is configured as master-capable, then a Backup Master Unit cannot be elected. On the segment with the Backup Master Unit, the Backup Master Unit becomes the Master Unit; a new backup master is elected if a master-capable unit is available, the stack-path to other units is recalculated by all units on the segment, and all units update their switching ASICs to remove entries for units that are no longer available. This scenario causes two issues that make it difficult to manage either segment. The first issue is that the master on both segments retains the Stack IP Address. Both units could potentially respond to ARP requests. The other problem is that the master unit on both segments retains the Stack MAC address. This, of course, could cause problems with other device on the network with the Stack MAC address may appear to move. If a segment ends up with no master units, all units reboot because they have lost contact with both the Master Unit and the Backup Master Unit. From this point, the units in the stack segment will act as if they have just been powered up and go through the standard stack-join process; including attempting to elect master and backup master units. Unfortunately, these units will be using the same Stack MAC address and Stack IP address as the other segment. Finally, if a segment ends up with both the Master and Backup Master Unit, it simply has to recalculate the shortest path between units. Obviously, having two stack cable failures in the same stack at the same time is extremely rare. This type of failure is more than likely a result of human activity.
36
Figure 19: Multiple Link Failure Recovery - Stack Operations
Figure 20: Multiple Link Failure Recovery - Stack Operations (Continued)
37
EXOS Stacking
Unit Failure Recovery - Stack Operations

Now, we've looked at what happens if there is a cable failure, now we'll look at the stack's recovery process if a unit fails. A unit failure involves both the loss of the unit and the loss of the stacking ports. Of course, the ring integrity is compromised due to loss of stacking port so the stack enters fallback daisy-chain operation. If the lost unit is the Master Unit, the Backup Master Unit immediately becomes the Master Unit. Next, provided a master-capable switch is available in the stack, the stack will elect a unit to take the place of the Backup Master Unit. Finally, all logical blocks are removed from the stack ports, the shortest stack path is recalculated by all units, and the switching ASICs are updated to accommodate the loss of the missing unit. If the lost unit is the Backup Master Unit, a new Backup Master is elected if there is a master-capable unit available in the stack. Finally, all logical blocks are removed from the stack ports, the shortest stack path is recalculated by all units, and the switching ASICs are updated to accommodate the loss of the missing unit. If the lost unit is a standby or non-master unit, then all logical blocks are removed from the stack ports, the shortest stack path is recalculated by all units, and the switching ASICs are updated to accommodate the loss of the missing unit.
38
Figure 21: Unit Failure Recovery - Stack Operations (Continued)
39
EXOS Stacking
Preparing a Stack for Configuration

Before you can begin configuring a stack, you need to prepare and plan for the stack deployment. Use the following procedure to prepare a stack for configuration: 1 Select the appropriate stack units for your application and plan to use the stack as if it were a single multi-slot switch. You'll have to decide how many ports you'll need, port capacities, power-overEthernet capabilities, and power planning considerations. 2 Physically locate the stack nodes adjacent to one another. Stacking cables come in fixed sizes that do not allow the various nodes to be physically distant from one another. It is probably best if the various nodes are physically located right next to one another. Make sure that you implement a stack ring topology. No other topology is supported for normal operations. 3 Ensure the exact same version of software is running on potential stack nodes. Even though the stack may join if there are different versions one another, it is a good management practice to simply standardize on a particular version of software. 4 Ensure all units have default values. Go to the console port of each unit and execute the following command: unconfigure switch all This step is technically unnecessary because the stack doesn't use the configuration files found on non-master nodes. However, to simplify the configuration process and minimize potential issues, it is best to return each switch to default values prior to enabling stacking. If you omit this step, the configuration file will be saved on the unit under a different name. 5 Connect the stacking cables. Once this is done, you are ready to configure the stack. NOTE
If you intend to deploy new units that might be part of a stack in the future, you might want to turn on stacking mode during initial deployment to avoid a future restart.
40
Figure 22: Preparing a Stack for Configuration
41
EXOS Stacking
Configuring a New Stack

The easiest way to set up a stack is to configure the stack as a whole. In this way, all units will start out as if they were brand new, out-of-the-box. Follow this procedure to configure stacking on a new switch: 1 Apply power to all units in the stack. Verify all units have power using the front panel LEDs. 2 Remove any legacy stacking configuration using the unconfigure stacking command. This command resets all stacking parameters to the default or unconfigured values shown in the table on the screen. The following parameters are reconfigured by the command, but their new values do not take effect until the nodes reboot:

The stacking mode parameter is set to disabled. The slot-number parameter is set to 1. The master-capable parameter is set to Yes. The license-level restriction is unconfigured. The stack MAC address is unconfigured.
3 Log in to the intended stack master through the console port. The user name should be admin, and there should be no password. The safe-script command may be executed since there is no configuration on the device. Answer the prompts as you normally would in your network environment. 4 Verify the stack configuration using the show stacking and show stacking configuration commands. Verify the state of the units in the stack - including which units are master and backup master units by issuing the show stacking command. 5 If necessary, configure license level restrictions using the configure stacking license-level command. 6 Enable stacking by issuing the following command: enable stacking Since the stack has no configuration, the system will prompt you to use the easy setup option. Answer Yes to this prompt. Next, answer Yes to proceed to configure the device and reboot. 7 Log into the switch with admin privileges once the stack reboots. At this point - since the stack has a default configuration - the safe-default script runs. Select values for normal operation. 8 Verify that the master node is the one you intended to be the master. 9 Verify reminder of the configuration using the show stacking command. 10 Save the configuration
42
Figure 23: Configuring a New Stack
43
EXOS Stacking
Describing the Easy-Setup Option

The easiest way to configure the stack is to use the following command: configure stacking easy-setup The easy-setup option enables the administrator to effectively execute the following five commands:

enable stacking configure stacking slot-number automatic configure stacking mac-address configure stacking redundancy minimal reboot stack-topology
The administrator could execute each of these commands on their own if they wanted to.
44
Figure 24: Describing the Easy-Setup Option
45
EXOS Stacking
Enabling / Disabling Stacking

To enable stacking, use the following command: enable stacking This command accepts a node-address argument to allow you to target a specific unit provided you follow the node-address argument with the targeted unit's MAC address. All units are targeted by the command if you omit the node-address argument. When a node is operating in stacking mode, QoS profiles QP6 and QP7 cannot be created. To ensure that the stack operates under heavy traffic conditions, topology traffic has been assigned the to QoS profile QP7. Configuration messages are assigned to QoS profile QP6. If a node-address is not specified, this command first performs an analysis of the current stacking configuration on the entire stack. If the stack has not yet been configured for stacking operation, or there are configuration inconsistencies, the user is offered the option of invoking the easy setup function when the following message appears:
You have not yet configured all required stacking parameters. Would you like to perform an easy setup for stacking operation? (y/N)
If you enter yes to the prompt, the easy setup procedure is invoked and following message is displayed:
Executing "configure stacking easy-setup" command...
If you enter no to the easy-setup prompt, a different message is displayed:

Stacking has been enabled as requested.
To disable stacking, use the following command: disable stacking This command accepts a node-address argument to allow you to target a specific unit provided you follow the node-address argument with the targeted unit's MAC address. All units are targeted by the command if you omit the node-address argument. If a unit is a stack has stacking disabled, it will not forward the customer's data through its stacking links and will not become a member of the active topology. Also, a disabled node becomes its own master and processes and executes its own configuration independently. The command does not take effect immediately, but at the node(s) next reboot. You may verify that this command has executed correctly by issuing the command: show stacking configuration You may verify that the enable stacking command has executed correctly by issuing the command:
show stacking configuration
The output of this command displays the current setting of the stacking flags. The lowercase e flag should be set on the target unit(s). The presence of the lowercase e flag indicates that the target unit will have stacking enabled if it is rebooted. The uppercase E flag indicates whether or not stacking is currently enabled on the target device. The presence of an uppercase E flag indicates that stacking is currently enabled. The absence of the uppercase E flag indicates that stacking is currently disabled.
46
Figure 25: Enabling / Disabling Stacking
47
EXOS Stacking
Configuring the Stacking Slot-number

If the network administrator does not choose to use the easy-setup option when enabling the stack, then they must manually configure the stacking slot-number on each node in the stack. The slot number is a logical number that is a assigned to each node in the stack to make the node addressable by software. In a chassis system, the slot number represents a physical slot in the switch. However, in a stacked configuration, the slot number is a logical number from one to eight that is assigned to each unit by the administrator. Because the slot number is used to uniquely identify each node in the stack, a slot number can only be assigned to a single node. There is no check for duplicate slot numbers when the configure stacking slot-number command is executed; the number is simply assigned as requested. To configure a node's slot number, use one of the two following commands: configure stacking slot-number automatic configure stacking node-address <node-address> slot-number <slot-number> The command using the automatic parameter assigns slot number automatically. The Easy-Setup option executes the configure stacking slot-number automatic command. The nodes in the stack topology are assigned the numbers in the order in which they would appear currently in the show stacking command output. If the stack cables are joined in a ring configuration, the current node is assigned slot 1. The node connected to stack port 2 of the current node is assigned slot 2. This numbering scheme continues until all nodes have been assigned slot numbers or slot numbers have been assigned to eight nodes. If the stack cables are joined in a daisy-chain configuration, slot 1 is assigned to the node at the end of the chain that begins with the node connected to the current node's stack port 1. This should be the node that does not have another node connected to its stack port 1. The node connected to stack port 2 of the node in slot 1 is assigned slot 2. This numbering scheme continues until all nodes have been assigned slot numbers or slot numbers have been assigned to eight nodes. Before the command is executed when the automatic option was specified, the following confirmation is solicited:
Reassignment of slot numbers may make the stack incompatible with the current configuration file. Do you wish to continue? (y/n)
When this command is executed successfully, the following message is displayed:

This command will take effect at the next reboot of the specified node(s).
The configure stacking slot-number command syntax that uses the node-address parameter allows the network administrator to configure the slot number on a specific unit by specifying the keyword nodeaddress followed by the MAC address of the target device. To identify ports in the stack, the network administrator uses the slot:port syntax. For example, to identify port 22 of node 3, the administrator would enter 3:22. The command does not take effect immediately, but at the node(s) next reboot. You may verify that this command has executed correctly by issuing the command: show stacking configuration
48
Figure 26: Configuring the Stacking Slot-number
49
EXOS Stacking
Configure the Stacking MAC Address

You must configure the stacking MAC address to make the stack manageable over the network. You must select a node whose factory assigned MAC address will be used to form a MAC address that will represent the stack as a whole. The system forms the stack MAC address by setting the Universal / Local bit in the specified MAC address. This means that the stack MAC address is a locally administered address, and not the universal MAC address assigned to the selected node. The stack MAC address is then configured on every node in the stack topology. If you move the unit from which the stack MAC address is derived to another stack, the stack MAC address will not be changed on the original stack. You need to be careful not to derive the MAC address from same unit on two different stacks. This would result in duplicate MAC addresses on the network. To derive the stack MAC address from the current unit, use the following command: configure stacking mac-address To derive the stack MAC address from another unit in the stack, you must identify the source node either by MAC address or slot number. Use one of the following forms of the command to accomplish this task: configure stacking node-address <node-address> macaddress configure stacking slot <slot-number> macaddress This command takes effect only after you restart the node. The following message appears after you run the command:
This command will take effect at the next reboot of the specified node(s).
If a stack node that has just joined the stack detects that its stack MAC address is not configured or is different than the stack MAC address in use, it will log the following message at the Error log level: The stack MAC address is not correctly configured on this node. The stack can not operate properly in this condition. Please correct and reboot. If you have not configured (or inconsistently configured) the stack MAC address you might encounter difficulty in diagnosing the resulting problems. Whenever the master node (including itself) detects that one or more nodes in its active topology do not have the correct or any stack MAC address configured, it will display the following message to the console every five minutes until you configure a MAC address and restart the node(s): The stack MAC address is either not configured or its configuration is not consistent within the stack. The stack can not operate properly in this condition. Please correct and reboot. You may verify the results of this command by using the command: show stacking detail By default, no stack MAC address is configured.
50
Figure 27: Configure the Stacking MAC Address
51
EXOS Stacking
Configure Stacking Redundancy

In order to simultaneously configure master capability on more than one unit, use the command: configure stacking redundancy [none | minimal | maximal] This command defines the level of Master Unit redundancy that will be configured on the stack. A redundancy setting of none configures the stack to have only one unit that is capable of being a master unit. This means that no other unit can provide redundancy and take over the Master Units functionality if the Master unit should fail. A redundancy setting of minimal configures two nodes in the stack to have master-capability turned on and all other nodes will have master capability turned off. This means the stack will have one Master Unit and one Backup Master Unit. All other nodes in the stack are not able to provide any redundancy should the Master Units fail. The Easy setup option executes the configure stacking redundancy minimal command. Finally, a redundancy setting of maximal configures all nodes all nodes in the stack to have mastercapability turned on. To run this command, the stack should not contain more than eight nodes in its stack topology. If there are more than eight nodes in the stack topology, the following message appears and the command is not executed:
ERROR: This command can only be used when the stack has eight nodes or less.
Since only eight nodes can be operational in an active topology at a time, you must disconnect the remaining nodes before configuring master-capability using this command. If you are using the none or minimal redundancy configuration:
The configured values of slot-number and priority decide the nodes on which the master-capability should be turned on. If the priority values are configured on the nodes, the highest priority node(s) will be chosen. If the priority values of all nodes are set to automatic or to the same priority value, the node(s) with the lowest slot number(s) will be chosen. Extreme Networks may change automatic priority behavior in a future release.
If there is a slot number tie or if neither slot-number nor priority were ever configured, the following message appears and the command is not executed:
ERROR: Unique slot numbers must be configured before using this command.
The master-capability setting does not take effect immediately, but at the node(s) next reboot. You may verify that this command has executed correctly by issuing the command: show stacking configuration The output of this command displays the current setting of the stacking flags. The uppercase C flag indicates whether or not master-capability is currently enabled on the target node. The presence of an uppercase C flag indicates that master-capability is currently enabled. The absence of the uppercase C flag indicates that master-capability is currently disabled.
52
Figure 28: Configure Stacking Redundancy
53
EXOS Stacking
Rebooting the Stack

The reboot option has a number of stack oriented options: reboot slot<slot-number> specifies the slot number currently being used by the active stack node that is to be rebooted. reboot node-address <node-address> specifies the MAC address of the SummitStack node to be rebooted reboot stack-topology specifies that the entire SummitStack is to be rebooted whether or not nodes are active. reboot stack-topology as-standby specifies that all stack nodes that are to be rebooted are to operate as if configured to not be mastercapable
54
Figure 29: Rebooting the Stack
55
EXOS Stacking
Making The Non-Master Nodes IP Manageable

Configure an IP address to make the stack manageable over the network. To accomplish this task. use the command: configure stacking alternate-ip-address This command assigns an alternate IP address to the management VLAN. As you can see, there are two forms of this command; one using the automatic keyword, and the other using the node-address or slot keywords. When using the node-address or slot keywords, you instruct the system to assign an alternate IP address to a specific unit in the stack. This form of the command operates on one node at a time. When using the automatic keyword, you instruct the system to assign the specified IP address to the first node listed in the show stacking display. The remainder of the devices on the list are assigned consecutive IP addresses starting with the specified IP address plus 1. For example, if the first unit on the list was assigned the IP address of 10.10.10.1, the next unit on the list would be assigned 10.10.10.2, and so on. Since there is a specified subnet mask, the address will be checked to insure that the block of IP addresses fits within the specified subnet given the number of nodes in the stack topology. The address block is tested to insure that each address is a valid IP unicast address. If the test fails, no node is configured and an error message is printed. The other command options are fairly straight forward.

The node-address parameter specifies the MAC address of the target node. The slot-number parameter identifies the slot number of the target unit. The ipaddress and netmask parameters enable you to separately identify the IP address and subnet mask you wish to assign to the target node or nodes. The gateway parameter identifiers the address of an IP router. The alternate-ip-address is not applied if the subnet mask differs from the subnet mask already assigned to the management VLAN. The alternate-ip-address is applied if the command's subnet mask is the same as the subnet mask used to assign an IP address to the management vlan, or there is no IP address assigned to the management VLAN.
The alternate-ip-address and its associated parameters are not used unless the node is operating in stacking mode. The configuration takes effect immediately after the command is successfully executed. You may verify the configuration by issuing the command: show stacking configuration By default, there is no alternate-ip-address configured.
56
Figure 30: Making The Non-Master Nodes IP Manageable
57
EXOS Stacking
Configuring Stacking License Level

To enable a unit to run at a lower license level than is installed, use the command: configure stacking license-level This command has three parameters, node-address, slot, and license level. The node-address parameter specifies the MAC address of the target node. The slot-number parameter identifies the slot number of the target unit. If the node-address or slot parameter is not specified, the command takes effect on every node in the stack topology. The license-level parameter is a required parameter that specifies the license level to which you wish to restrict the target node or nodes. This command does not change the installed license level. For example, if a node is configured with the Advanced Edge license and you configure a license level restriction of Edge, the unit is restricted to features available in the Edge license. This license level restriction is not permanent and may removed or reconfigured at your convenience. You must purchase and install a new license in order to upgrade a nodes behavior. You may not cause a node with an Edge license installed to expand its capabilities by issuing a command to restrict the license level to Advanced Edge or Core. If the installed license level of the target node is lower than the level you are attempting to configure, a message appears warning you that the switch will not operate at a license level beyond that which was purchased. This command takes effect after you restart the targeted nodes. To verify the command has taken effect, use the command: show stacking configuration All nodes must be at the same effective level in order for the stack topology to operate. The effective license level will appear only when stacking is enabled. The command is node-specific. The effective license level is the level at which the node is restricted to operate, and is not necessarily. the level at which the entire stack is operating. By default no license level restriction is configured. If you restart the node without configuring a license level restriction, the node operates at the purchased license level.
58
Figure 31: Configuring Stacking License Level
59
EXOS Stacking
Synchronizing Stacking Parameters

When adding a new device to a stack, the network administrator many configure the new device with the stacking parameters already configured on the stack. To apply the stacking parameters from one node to another, use the command: synchronize stacking This command has two optional parameters: node-address and slot-number. These parameters are used to target a specific node in the stack to synchronize with the current node. If the administrator uses one of these two parameters, the target node is synchronized with the current node. If the administrator omits these two parameters, all nodes are synchronized with the current node. This command copies the following NVRAM based configuration parameters to the target node:

stacking mode stack MAC address failsafe account and password failsafe account access point permissions (whether the failsafe account is allowed over the stacking links, console port, or management port) the selected partition
A default value is not applicable to this command.
60
Figure 32: Synchronizing Stacking Parameters
61
EXOS Stacking
Verifying Stack Configuration

The following command enables the network administrator to verify the configuration of the stack options. show stack configuration The command provides a great deal of information to include:

Node MAC Address Configured Slot # Current Slot # Slot priority Alternate Management IP and Mask Alternate Gateway IP address Flags License level restriction
Troubleshooting Stack Operation

You may troubleshoot stack operations by executing the following command: show stacking ports If there is an issue with the physical operation of the stack and the various stack ports, you can use the command to identify failed units or stacking cables.
62
Figure 33: Verifying Stack Configuration
Figure 34: Troubleshooting - Stack Operations (Continued)
63
EXOS Stacking
Verifying Stack Operations

To verify stack operation, use the following command: show stacking The show stacking command provides:

Node MAC Address Slot Stack State Role Flags
To obtain more detailed information about the configuration of various modules in the stack, use the detail option of the show stacking command: show stacking details This command provides a comprehensive display of the configuration of each device.
64
Figure 35: Verifying Stack Operations
Figure 36: Verifying Stack Operations (Continued)
65
EXOS Stacking
Summary
You should now be able to:

Describe the benefits of SummitStack Stacking Technology Explain how stacking operates Identify the various components of stacking Configure a set of devices to employ stacking Verify the stacking configuration Troubleshoot stacking issues
66
Figure 37: Summary
67
EXOS Stacking
Demonstration
Turn to the Configuring a Stacked Switch Demonstration Overview in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
68
Figure 38: Demonstration
69
EXOS Stacking
Review Questions
1 Which of the following statements best describes the SummitStack technology? a SummitStack technology allows you to install standalone switches, such as model X450a directly into a chassis-based switch. b SummitStack allows you to physically stack up to 20 units without the need for a system rack. c SummitStack allows you automate the use of your system by stacking commands in a command buffer for execution at a user designated time.
d SummitStack allows you to physically connect up to eight individual Summit switches together as a single logical unit. 2 Which of the following statements is true? a All units in the stack must run the same version of ExtremeXOS software. b All units in the stack must be managed by EPICenter software. c All units in the stack must be identical model numbers. d All units in the stack must be connected to a redundant power supply. 3 Which of the following items specifies the bandwidth for each of the individual stacking ports? a 20 MB b 200 MB c 2 GB d 20 GB 4 Which unit (node) type manages the stack? a Master b Backup Master c Standby d Standalone 5 The functionality of which of the following may be compared to the functionality of a Master MSM? a Master Switch Unit b Backup Master Switch Unit c Standby Switch Unit d Standalone Switch Unit 6 Which of the following stack topologies is supported for continuous operation? a Bus b Daisy Chain c Ring d Star
70
7 Which of the following traffic types manages the function of the stack? a Unicast Traffic b Multicast Traffic c VLAN Traffic d Topology Traffic 8 Which of the following statements is true in regards to the way the stack handles unicast traffic? a Unicast traffic can be sent and received traffic on both stacking ports. b Unicast traffic is handled by the switching fabric and not the CPU. c Unicast traffic may be transmitted by any port in the stack as no ports are blocked. d All of the above 9 Which of the following statements is true in regards to the way the stack handles known multicast traffic? a Multicast traffic is handled by the CPU when traversing the stack. b Multicast traffic is only sent out of stack port 1. c Multicast traffic requires that ports be blocked to prevent loops. The port that is blocked is based upon the multicast group address.
d All of the above 10 Which of the following parameters are taken into account when electing the stack master? a Master capability b Stacking priority c Slot number d All of the above 11 Which of the following is true about how the stack manages its configuration? a The master unit is responsible for configuring all devices in the stack. b Each unit in the stack is responsible to manage its own configuration files and to configure itself. c The master switch and the backup master switch split configuration responsibilities. Each manages half of the units in the stack.
d All of the above
71
EXOS Stacking This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
72
Layer 2 Forwarding
Layer 2 Forwarding
Student Objectives
The Layer 2 forwarding module presents a description of the various functions a bridge (Layer 2 switch) performs, how a bridge handles frames received from the networks, and a definition of the forwarding database (FDB). Upon completion of this module, the successful student will be able to:

Describe transparent bridging. Describe the flooding and learning port states. Describe the forwarding and filtering port state. Describe the forwarding database. Identify the various FDB entry types. Manage forwarding database entries. Configure egress flooding. Configure and verify the limit-learning feature. Configure and verify the lock-learning feature. Configure the Extreme link status monitor.
Layer 2 Forwarding
ISO Seven-Layer Reference Model

The International Organization for Standardization or International Standards Organization (ISO) created a seven-layer Open System Interconnect (OSI) reference model used to describe networking technologies. The Data Link layer defines different protocols for exchanging data frames. This layer is the focus of the discussion on the subject of bridging. The primary purpose of the Data Link layer is to provide error-free communications across a physical link. This layer provides the basic framing and data encapsulation functions and allows for error detection.
Figure 2: ISO Seven-Layer Reference Model
Layer 2 Forwarding
Collision Domains in a Shared Medium

In an Ethernet network, multiple stations can share a single physical wire to access the network. Because the stations all share the same wire, they must do their best to avoid sending packets when another station is transmitting. To accomplish this, each station is required to monitor the physical connection to ensure no other network device is transmitting. Unfortunately, there are times when two stations will notice that the wire is not being used and will attempt to transmit at the same time. This simultaneous transmission of packets by two or more stations results in packet collisions and the signal on the wire is unreadable by the other stations on the network. When a transmitting station notices that a collision has occurred, it sends out a collision detect signal on the wire informing all the other stations of the collision event. Once the collision event subsides, all stations wait for a random period of time before attempting to transmit any data. This wait period is randomized to ensure that once the collision is over all stations will not attempt to transmit at the same time. If all stations attempted to transmit at the same time, the chances are greatly increased of a collision occurring again. Collisions can occur when network devices share the same physical wire, or when the network has been extended through the use of repeaters or hubs (which are multiport repeaters). Hubs extend a network by simply amplifying the signal. When a collision occurs, the repeater has no intelligence to enable it to isolate the effects of the collision to the segment upon which it originated. Because of this, when a collision occurs the repeater propagates the collision to other attached segments. To make matters worse, the use of repeaters in a network can increase the likelihood of collisions. Repeaters increases the length of a network segment allowing network devices to be placed at a greater distances from one another. The greater the distance devices are from one another, the longer it takes a stations transmissions to reach all the other stations that share the medium. Because of this delay in the transmissions signal propagation, distant station may not be aware that another station has begun transmitting and will inadvertently cause a collision by initiating their own transmission. Because of the way Ethernet bridges work, they do have the ability to isolate collisions from the rest of the network. If a bridge receives part of a packet, and then detects a collision, it discards the portion of the packet that it received (just like every other network device), waits for the collision to subside, and then continues to receive and transmit packets as normal. The effects of the collision are localized to the port on which the collision occurred and the bridges other network segments remain unaffected. Routers handle collisions in a similar fashion. A collision domain is the term used to identify the part of the network upon which collisions can occur. It has these characteristics: multiple stations on shared media bounded by a bridge or router port.
Figure 3: Collision Domains
Layer 2 Forwarding
Carrier Sense Multiple Access with Collision Detection

This page provides a more technical description of how devices on an Ethernet segment transmit data. They use the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) physical media access protocol.
IEEE 802.3 CSMA/CD

The Media Access Control (MAC) protocol is used to provide the data link layer of the 802.3 Ethernet LAN system and thus control access to the shared Ethernet medium.
Carrier Sense Multiple Access

When a node has data to transmit, the node first listens to the cable (using a transceiver) to see if a carrier (signal) is being transmitted by another node. Data is only sent when no carrier is observed (i.e. no signal present) and the physical medium is therefore idle. Any computer, which does not need to transmit, listens to see if other computers have started to transmit information to it. However, this alone is unable to prevent two nodes from transmitting at the same time.
Collision Detection
A second element to the Ethernet access protocol is used to detect when a collision occurs. When there is data waiting to be sent, each transmitting node monitors its own transmission. If it observes a collision (excess current above what it is generating, i.e. > 24 mA for coaxial Ethernet), it stops transmission immediately and instead transmits a 32-bit jam sequence. The purpose of this sequence is to ensure that any other node, which may currently be receiving this frame, receives the jam signal in place of the correct 32-bit MAC CRC, this causes the other receivers to discard the frame due to a CRC error. When two or more transmitting nodes each detect a corruption of their own data (i.e. a collision), each responds in the same way by transmitting the jam sequence. Once the collision event subsides, all stations wait for a random period of time before attempting to transmit any data. A station may attempt to retransmit a packet up to 16 times.
Figure 4: Carrier Sense Multiple Access with Collision Detection
Layer 2 Forwarding
Transparent Bridges Used for LAN Segmentation

Bridges were widely used to segment Ethernet collision domains with the effect of providing more bandwidth to the network user, however, they have since been replaced by switches. Bridges operate at the MAC sub-layer of Layer 2 of the OSI Reference Model, and several different types have been developed to address the needs depending on the topology and the particular network requirements:

A local bridge, which connects two or more Ethernet LAN segments. A remote bridge, which connects Ethernet LAN through high-speed serial connection. It is accomplished with a pair of bridges using a Wide-Area Network (WAN).
A transparent bridge makes the forwarding decisions based on the MAC destination address. This process is completely transparent to the end-devices. Extreme Networks switches provide the Layer 2 services of a transparent switch.
802.1D Transparent Bridges

Transparent bridges perform segmentation of LANs by building address tables that associate segment end stations with the segment's port connection. Forwarding decisions are based on the destination MAC address inside a frame. Because bridges are Layer 2 (L2) devices, they are Layer 3 (L3) protocolindependent and are transparent to the end stations in an Ethernet network. Bridges have often been referred to as plug and play devices because installation is easy and there is no need for further configuration because the bridge automatically learns about the network topology. Frames are received by the bridge, in their entirety, prior to the bridge processing them. This type of bridge operation has been called store and forward. IEEE 802.1D is the specification for bridging, switching and spanning tree, and most of today's bridges and switches conform to this specification. One of the important roles of this standard is to specify not only the functions of the bridge, but also the processes that control bridge behavior in a bridged LAN. Because transparent bridges are unable to detect duplicate paths in a bridged LAN, the Spanning Tree Protocol (STP) is implemented on each bridge in the LAN. The spanning tree protocol has the responsibility of detecting the topology of the network and ensuring that where duplicate paths exist, they are blocked. This process results in an active topology used to maintain the bridged LAN - that would otherwise suffer performance problems or constant downtime. In addition to the various states that a port may transition through, the bridge carries out other necessary functions in a bridged LAN. These include for example; flooding of frames where required, filtering of frames that do not need to be re-transmitted, and ageing out of entries in the forwarding database that have not been used recently.
10
Figure 5: Transparent Bridges Used for LAN Segmentation
Figure 6: 802.1d Transparent Bridges
11
Layer 2 Forwarding
Ethernet Frames
All Extreme Networks switches are fully compliant, 802.1d Layer 2 bridges capable of wire-speed forwarding. Decisions are based on a given destination MAC and port pair. An Ethernet frame contains:

Destination Address - Ethernet address of the destination host, 48-bits. Source Address - Ethernet address of the source host, 48-bits. Type - Type of data encapsulated for Ethernet v2 and Length for 802.3. 16-bits. Data Field - Data area, 46-1500 bytes, which includes the higher layer headers.

Payload - Contains the data or higher layer protocol contents. 0 - 1500 bytes. Padding - Added data (typically 0x00) if payload contents is less than 46 bytes. This enables the Ethernet frame to meet 64-byte minimum length requirement.
CRC - Cyclical Redundancy Check, used for error detection.
12
Figure 7: Ethernet Frames
13
Layer 2 Forwarding
Bridge Functions
The operation of an individual bridge is described in terms of the current port activity. In terms of network data processing, the port performs one of four functions:

Flooding Learning Forwarding Filtering
Flooding
The function of the switch is to receive all packets on the networks it is connected to, and make forwarding decisions based on MAC addresses in the frames and in the switch Forwarding Database (FDB). Initially, there are no MAC addresses learned on a port and the forwarding database for that port is empty. Because the forwarding database is empty, the destination is considered to be unknown, and the packet must be forwarded to every attached interface in an attempt to reach all the nodes. The process of transmitting packets to all ports in a VLAN is referred to as flooding.
Learning
The learning process examines the source addresses of frames received on the port and creates an entry in the forwarding database associating the port on which the frame was received with the MAC address in the source address field of the frame. If the source address does not already exist in the FDB when a packet is received on a port, it is learned and added to the FDB.
Forwarding
A performing this function is now taking part in frame re-transmission. A port that is forwarding can re-transmit received frames and make entries into the forwarding database.
The switch performs a forwarding table lookup on the destination address. If the address is known, the bridge identifies the port on which the destination address is located. If the port is different from the port on which the frame is received, the frame is forwarded to the destination port.
Filtering
When frames are received and the destination MAC address matches the FDB entry for the inbound port, the switch drops (filters) the frame at the port. Other packets which match FDB entries for other ports are forwarded. Unknown addresses and broadcast addresses are still flooded.
14
Figure 8: Bridge Functions
15
Layer 2 Forwarding
Flooding
In the diagram is an example of a newly initialized switch. Host 0B is attempting to initiate a conversation with host 1E. In this situation, host 0B transmits an initial packet to host 1E. The function of the switch is to make packet forwarding decisions for all traffic generated on connected networks. After receiving a packet, the switch makes a forwarding decisions by looking up the destination MAC address in the frame to the entries in its forwarding database. When the switch receives the packet from host 0B, it attempts to find station 1E in the forwarding table. However, the forwarding table is empty because no MAC addresses have been learned by the switch. Because the forwarding database is empty and there is no entry for the station 1E, the destination is "unknown" by the switch. Since the destination station's location is unknown, the switch forwards the frame to every port to ensure that if the station is connected, it will receive the packet. Sending a packet out of every port is referred to as flooding. Host OB is learned on the inbound port and an entry is added to the forwarding database. When host 1E transmits a packet, its MAC address will also be learned.
16
Figure 9: Flooding
17
Layer 2 Forwarding
Forwarding
In the example shown, host 1E replies to host 0B, using the following steps:
The bridge performs a forwarding table lookup on the destination address. If the address is known, the bridge identifies the port on which the destination address is located. If the port is different from the port on which the frame is received, the frame is forwarded to the destination port. If the source address does not exist in the Forwarding Database (FDB) it is added.
Thus, the packet is forwarded onto the destination port learned for 0B which is port 1. At the same time, the MAC address for 1E is learned and added to the bridge table.
18
Figure 10: Forwarding
19
Layer 2 Forwarding
Filtering
Using the same network configuration but a different operation, host "0B" transmits a frame to host "0A", and the bridge receives the frame. Both workstations are attached to the same switch port, and the switch learns the MAC addresses of all workstations that are active on a single port in the same way it would for a single workstation attached to a port. When frames are received and the destination MAC address matches the inbound port, the switch drops (filters) the frame at the port. This reduces traffic on the other ports within the broadcast domain (VLAN) and optimizes performance.
20
Figure 11: Filtering
21
Layer 2 Forwarding
Forwarding Database
The switch-forwarding table is also known as the bridge table or the Layer 2 forwarding table. For an Extreme Networks switch, the forwarding table is known as the Forwarding Database (FDB). The switch maintains a database of all Media Access Control (MAC) addresses received on all of its ports. The information in this database is used to decide whether a frame should be forwarded or filtered. The Forwarding Database holds a maximum number L2 entries depending on the product. Refer to the appropriate User Guide for specific information about switch limitations. Each entry consists of the MAC address of the device, an identifier for the port on which it was received, and an identifier for the VLAN to which the device belongs. Frames destined for devices that are not in the FDB are flooded to all ports within the VLAN.
22
Figure 12: Forwarding Database
Figure 13: Forwarding Database Illustrated
23
Layer 2 Forwarding
FDB Entry Types

This page lists the possible entry types in an FDB display.
Dynamic Entries
Dynamic entries are those that are learned by the switch as it examines incoming traffic. Dynamic entries are removed or aged-out of the FDB if the device does not transmit for a period of time. This period of time is defined as the aging time. Aging out entries from the FDB prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the FDB. Dynamic entries do not survive a switch reset or power cycle.
Non-Aging Entries
If the aging time is set to zero, all entries in the database are defined as static, non-aging entries. This means that they do not age, but they are still deleted if the switch is reset.
Permanent Entries
Permanent Entries are retained in the database if the switch is reset or a power cycle occurs. Only the system administrator can make entries permanent. A permanent entry can either be a unicast or multicast MAC address. All entries entered using the command-line interface are stored as permanent. Once created, permanent entries stay the same as when they were created. For example, the permanent entry is not updated when any of the following take place:

A VLAN is deleted A VLAN ID is changed A port mode is changed (tagged/untagged) A port is deleted from a VLAN or disabled A port enters STP blocking state A port QoS setting is changed A port goes down (link down) NOTE
Each switch family can support a maximum number of permanent entries. Refer to the appropriate user guide for specific information about switch limitations.
Black Hole Entries

Black hole entries configure the switch to discard packets with a specified source or destination MAC address. Black hole entries are useful as a security measure or in special circumstances where a specific destination address must be discarded. Black hole entries are treated like permanent entries in the event of a switch reset or power off/on cycle. Black hole entries are never aged out of the database.
24
Figure 14: FDB Entry Types
25
Layer 2 Forwarding
Displaying the FDB Table

In order to determine which stations are recognized by the Layer 2 switch, you must view the FDB table. The FDB table provides you with a list of the MAC addresses of the stations that it has learned. The FDB also classifies each FDB entry. The classification of FDB Entries is based upon rules established by the configuration of the device - for example: entries exceeding the limit-learning threshold are classified as blackhole - or by the information provided by the network administrator during manual configuration. One of the tools you will use to troubleshoot Layer 2 forwarding issues is to interrogate the FDB. To display the FDB table entries, enter the following command: show fdb
Command Syntax
show fdb {<mac_addr> {netlogin [all | mac-based-vlans]} | permanent {netlogin [all | mac-based-vlans]} | ports <port_list> {netlogin [all | mac-based-vlans]} | vlan <vlan_name> {netlogin [all | mac-based-vlans]} | stats | netlogin [all | mac-based-vlans] | blackhole {netlogin [all | macbased]}}
Syntax Description
mac_addr netlogin all mac-based-vlans Specifies a MAC address, using colon-separated bytes. Displays all FDB entries created as a result of the netlogin process. Not supported on the BlackDiamond 10808. Displays all FDBs created as a result of the netlogin process. Displays all netlogin MAC-based VLAN FDB entries. NOTE: This parameter is supported only for the Summit family of switches, SummitStack, and the BlackDiamond 8800 series switches. permanent port_list vlan_name stats blackhole Displays all permanent entries, including the ingress and egress QoS profiles. Displays the entries for one or more ports or ports and slots. Displays the entries for a specific VLAN. Displays the number of static, permanent, dynamic, and dropped FDB entries. Displays the blackhole entries. (All packets addressed to these entries are dropped.)
26
Figure 15: Displaying the FDB Table
27
Layer 2 Forwarding
Adding Entries to the FDB

Entries are added into the FDB in the following ways:
The switch can learn entries dynamically. The system updates its FDB with the source MAC address from an Ethernet frame, as well as the VLAN, and the port identifier on which the frame was received. MAC addresses may be manually entered or updated through the user interface.
You may wish to manually add an entry to the FDB in the following circumstances:

You do not wish to allow the switch to learn new MAC addresses. The application you are using only receives traffic and does not transmit, therefore the MAC address cannot be learned by the application but must be added manually.
To create a permanent FDB table entry for a specified MAC address, use the following syntax: create fdbentry <mac_addr> vlan <vlan_name> [ports <port_list> | blackhole]
Syntax Description
mac_addr vlan_name port_list blackhole Specifies a device MAC address, using colon-separated bytes. Specifies a VLAN name associated with a MAC address. Specifies one or more ports or slots and ports associated with the MAC address. Specifies a blackhole entry.
Examples
Add a permanent static entry to the FDB: create fdbentry 00:E0:2B:12:34:56 vlan finance port 3:4 If the MAC address is encountered on any port and VLAN pair other than VLAN finance, port 3:4, it is handled as a black hole entry, and packets from that source are dropped. Add a black hole entry to the FDB: create fdbentry 00:E0:2B:12:34:56 vlan finance blackhole Verify the results of the above commands: show fdb
28
Figure 16: Adding Entries to the FDB
29
Layer 2 Forwarding
Removing Entries from the FDB

There are times when you may be required to remove entries from the Fowarding Database. ExtremeXOS provides two commands to enable you to accomplish this task; one command to remove permanent entries and another command to remove dynamic and black hole entries.
Removing Permanent Entries from the FDB

To remove permanent entries from the FDB, use the delete fdbentry command. The syntax is as follows: delete fdbentry [all | <mac_address> [vlan <vlan name>]
Syntax Description
all mac_address vlan vlan_name Specifies all FDB entries. Specifies a device MAC address, using colon-separated bytes. Specifies a VLAN. Specifies the specific VLAN name.
Removing Dynamic or Black Hole Entries from the FDB

To remove dynamic or black hole entries from the FDB, use the clear fdb command. The syntax is as follows: clear fdb {<mac_address> | blackhole | ports <portlist> | vlan <vlan name>}
Syntax Description
mac_addr port_list vlan_name blackhole Specifies a MAC address, using colon-separated bytes. Specifies one or more ports or slots and ports. Specifies a VLAN name. Specifies the blackhole entries.
Examples
Remove a permanent entry from the FDB: delete fdbentry 00:E0:2B:12:34:56 vlan default Remove a dynamic entry from the FDB: clear fdb 00:E0:2B:12:34:56 To verify the results of the delete fdbentry or clear fdb command: show fdb
30
Figure 17: Removing Entries from the FDB
31
Layer 2 Forwarding
Configuring MAC Address Learning

The MAC address learning feature performs two functions: 1 Determines if the Source MAC Address of incoming packets will be added to FDB. 2 Defines if incoming packets with Unknown Source MAC Addresses are dropped or forwarded to the appropriate egress ports. If learning is disabled, and forwarding is enabled, and the source address of the packet is not found in the FDB, the packet is processed as an unknown unicast packet. To prevent a switch from learning the source addresses of incoming packets, use the disable learning command. The syntax for this command is: disable learning {drop-packets | forward-packets} port [<port_list> | all] MAC address learning is enabled by default and is configured on a per port basis.
Syntax Description
drop-packets forward-packets Specifies that packets with unknown source MAC addresses be dropped. Specifies that packets that ingress on this port with unknown source MAC addresses be forwarded.
NOTE
The drop-packets and forward-packets options are available only on the BlackDiamond 8800, SummitStack, and the Summit X150, X250, and X450 series switches.
Examples
To only forward packets with static FDB entries on port 5: disable learning drop-packets port 5 To forward all packets on this port: disable learning forward-packets port 5 To view port the MAC address learning configuration on port 5: show ports 5 information NOTE
The presence of the m flag indicates that MAC address learning is enabled.
32
Figure 18: Configuring MAC Address Learning
33
Layer 2 Forwarding
Configuring the FDB Aging Time

There are times when an application requires that the dynamic entries age out sooner or later than the default age time of 300 seconds. For example, you may want to minimize the amount of traffic that is sent out of a port once a connected station has stopped transmitting. In this case, you would configure the aging timer with a smaller value. However, if your application has stations that do not transmit very often you may want to increase the aging time value or disable aging completely by configuring this option with a value of 0. Increasing the aging timer ensures that the low-transmitting stations receive traffic for longer periods of time. Disabling the aging timer ensures that traffic will be forwarded to stations that have been learned by the switch even if the if they never transmit again. To configure how long the FDB maintains a dynamic entry in the FDB, use the configure fdb agingtime command: configure fdb agingtime <seconds> Default: 300 seconds (5 minutes) Range: 15 - 1,000,000 seconds A value of 0 indicates that entries should never be aged out. An entry is removed from the FDB when the aging timer expires. The timer is restarted when a packet with a matching Source MAC address is received on the same port.
Examples
To change the FDB agetime to an hour: configure fdb agingtime 3600 To ensure no entries in the FDB age out: configure fdb agingtime 0 To verify the agingtime value: show fdb
34
Figure 19: Configuring the FDB Aging Time
35
Layer 2 Forwarding
Describing Layer 2 Security Features

Layer 2 security features include the ability to limit the propagation of broadcast, multicast, and unknown unicast packets. Layer 2 security may be used to control the way the FDB entries are learned and how the FDB is populated. By managing entries in the FDB, you can block or allow packet forwarding on a per-address basis. Layer 2 security features may also limit the number of dynamically learned MAC addresses allowed per port and VLAN. You can also lock down the FDB entries for a port and VLAN so that the current entries do not change and no additional addresses can be learned on the port. ExtremeXOS has three features that enhance Layer 2 security:

Egress Flood Control Limit-Learning Lock-Learning
Egress flood control determines whether broadcast, multicast, or unknown unicast packets are flooded. Limit-learning limits the number of devices that can be learned. Lock-learning freezes the entries in the FDB on a port and VLAN basis. Once enabled, this feature does not allow new MAC address entries to be added dynamically. Layer 2 security features are configured on a per-port basis or by port and VLAN. For example, egress flooding control is configured by port. However, limit-learning and lock-learning are configured based upon the port and VLAN of the entries.
NOTE
Layer 2 security is not foolproof because it is possible for end-users to alter their PC's MAC address and assume the MAC address of another computer. The technique of assuming another station identity it is known as spoofing. Nevertheless, Layer 2 security provides powerful protective mechanisms, particularly when used in conjunction with other security features.
36
Figure 20: Describing Layer 2 Security Features
37
Layer 2 Forwarding
Egress Flood Control

ExtremeXOS enables you to manage the types of packets that get flooded out to the network. Typically, a switch floods unknown unicast, multicast, and broadcast packets to all ports in a VLAN except for the ingress port. You may wish to limit flooding on particular ports to provide a greater degree of privacy to the users of the switch. Egress flooding takes action on a packet based on the packet destination MAC address. By default, egress flooding is enabled, and any packet for which the destination address is not in the FDB is flooded to all ports except the ingress port. You can enhance security and privacy as well as improve network performance by disabling Layer 2 egress flooding on some packets. This is particularly useful when you are working on an edge device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream forwarding. In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client's traffic by sniffing client 2's broadcast traffic; client 1 could then possibly launch an attack on client 2. However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons: Broadcast and multicast traffic from the clients is forwarded only to the uplink port. Any packet with unlearned destination MAC addresses is forwarded only to the uplink port. One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for known MAC addresses associated with the ports. There is no traffic leakage. In this way, the communication between client 1 and client 2 is controlled. In order for Client 1 to communicate with Client 2, they would have to be on separate networks with a router facilitating communication between the two.
38
Figure 21: Egress Flood Control
39
Layer 2 Forwarding
Configuring Egress Flooding

The following guidelines apply to enabling and disabling egress flooding:
Egress flooding can be disabled on ports that are in a load-sharing group. If that is the situation, the ports in the group take on the egress flooding state of the master port; each member port of the loadsharing group has the same state as the master port. FDB learning is independent of egress flooding; either can be enabled or disabled independently. Disabling unicast (or all) egress flooding to a port also stops packets with unknown MAC addresses to be flooded to that port. Disabling broadcast (or all) egress flooding to a port also stops broadcast packets to be flooded to that port. enable / disable flooding [all_cast | broadcast | multicast | unicast] port [<port_list> | all]
To control egress flooding, use the enable or disable flooding command with the port option:
Examples
To disable flooding of unknown unicast packets on port 1: disable flooding unicast port 1 To enable flooding of broadcast packets on all ports enable flooding broadcast port all To verify egress flooding configuration on port 1 show port 1 info detail The following commands configures normal flooding behavior on switch ports 1 through 6: enable flooding all_cast ports 1-6
Usage Guidelines
Use this command to re-enable egress flooding that you previously disabled using the disable flooding port command. The following guidelines apply to enabling and disabling egress flooding:
Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets are not flooded. Egress flooding can be disabled on ports that are in a load-sharing group. If that is the situation, the ports in the group take on the egress flooding state of the master port; each member port of the woolgathering group has the same state as the master port. FDB learning is independent of egress flooding. FDB learning and egress flooding can be enabled or disabled independently.
40
Figure 22: Configuring Egress Flood Control
41
Layer 2 Forwarding
Configuring Limit-Learning
You can set a predefined limit on the number of dynamic MAC addresses that can participate in the network. After the FDB reaches the defined MAC-address limit, all new source MAC addresses are configured as a black hole entry at both the ingress and egress points. This prevents these MAC addresses from responding to Internet control message protocol (ICMP) and address resolution protocol (ARP) packets. The limit-learning feature lets the network administrator control the number of MAC addresses per physical port and VLAN. By limiting the number of MAC addresses per physical port and VLAN, an administrator can block rogue networks from being added to the corporate backbone, prevent a user from adding their own devices (e.g., printer, IP phone) to the network, or keep foreign switches or surreptitious wireless snooping devices off the infrastructure. Limit-learning applies to dynamic FDB entries; permanent FDB entries are not affected by the MAC limit. Packets originating from stations whose MAC addresses that are not in the FDB will be dropped once the limit-learning threshold is reached and the station's MAC address is entered into the FDB as a blackhole entry. For ports that have a learning limit in place, the following traffic still flows to the port:
Packets destined for permanent MAC addresses and other mac address that are not black hole entries. Broadcast traffic from MAC addresses that are not black hole entries. EDP and LLDP traffic
Dynamically learned entries still get aged, and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries are then able to be learned until the limit is reached again. Permanent static and permanent dynamic entries can still be added and deleted using the create fdbentry and delete fdbentry commands. These commands override any dynamically learned entries.
42
Figure 23: Configuring Limit-Learning
43
Layer 2 Forwarding
Configuring Lock-Learning
There are applications that require you to freeze the current state of the FDB and not allow the switch to learn new addresses or age out existing address entries. For example, a hotel or library with publicly accessible computers may want to ensure that other stations do try to access the network from those public ports. With the lock-learning feature, the network administrator can connect the publicly accessible computers to the switch, verify the MAC addresses, and then freeze the FDB to ensure that no new stations are authorized access to the network. The lock-learning feature causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to zero, so that no new entries can be learned. Locking learning has the following results:
All new dynamic source MAC addresses are added to the FDB as black hole entries. Packets to and from black hole stations will be dropped. Locked entries do not get aged, but can be cleared. Dynamic entries active at the time of lock-learning remain in the FDB after the switch is reset or a power cycle occurs. Permanent static entries can still be added and deleted making it easy to add and remove network device when needed.
Design Considerations
When designing a solution using the lock-learning feature, remember that the following traffic is still forwarded:
Packets destined for the permanent MAC entries and other MAC addresses that are not black hole entries Broadcast traffic from MAC addresses that are not black hole entries EDP traffic
Examples
To lock the FDB entries associated with port 4 and the accounting VLAN configure ports 4 vlan accounting lock-learning To unlock the FDB entries associated with port 4 and the accounting VLAN configure ports 4 vlan accounting unlock-learning NOTE
You may apply either the limit-learning or lock-learning feature a particular port on a particular VLAN, but not both.
44
Figure 24: Configuring Lock-Learning
45
Layer 2 Forwarding
Verifying Limit-Learning and Lock-Learning

To displays the FDB table entries that match the filter, enter the following command: show fdb {<mac_addr> | permanent | ports <port_list> | vlan <vlan_name> When no options are specified, the command displays all FDB entries. To verify the configuration, enter the following command: show vlan <name> security To display the MAC security information for the specified port, enter the following command: show ports <portlist> info detail This command displays detailed information, including MAC limit-learning security information, for the specified port.
46
Figure 25: Verifying Limit-Learning and Lock-Learning
Figure 26: Verifying Limit-Learning and Lock-Learning
47
Layer 2 Forwarding
Extreme Link Status Monitoring (ELSM)

The Extreme Link Status Monitoring (ELSM) protocol allows you to detect switch CPU and remote link failures in the network. If hardware forwarding in the switch is active and software forwarding experiences a failure, traffic forwarding may continue. Such failures can trigger control protocols such as Extreme Standby Router Protocol (ESRP) or Ethernet Automatic Protection Switching (EAPS) to select different devices to resume forwarding. This recovery action, combined with the switch CPU failure, can lead to loops in a Layer 2 network. ELSM operates on a point-to-point basis; you only configure ELSM on the ports that connect to other devices within the network, but you must configure ELSM on both sides of the peer connections. The Layer 2 connection between the ports determines the peer. You can have a direct connection between the peers or hubs that separate peer ports. In the first instance, the peers are also considered neighbors. In the second instance, the peer is not considered a neighbor. An Extreme Networks device with ELSM enabled detects switch CPU and remote link failures by exchanging hello messages between two ELSM peers. If ELSM detects a failure, the ELSM-enabled port responds by blocking traffic on that port. For example, if a peer stops receiving messages from its peer, ELSM brings down that connection by blocking all incoming and outgoing data traffic on the port and notifying applications that the link is down. ELSM on ExtremeXOS is backward compatible with ELSM on ExtremeWare. To enable the ELSM protocol on specified ports, enter the following command: enable elsm ports <portlist> To disable the ELSM protocol for the specified ports, enter the following command: disable elsm ports <portlist> If an ELSM-enabled port goes down, ELSM bypasses the Down-Stuck state and automatically transitions the down port to the Down state, regardless of the number of times the port goes up and down. To change the time between consecutive hello messages for the specified ports, enter the following command: configure elsm ports <portlist> hellotime <hello_time> If you disable ELSM automatic restart, the ELSM-enabled port can transition between the following states multiple times: Up, Down, and Down-Wait. To disable ELSM automatic restart for the specified ports, enter the following command: disable elsm ports <portlist> auto-restart If you disabled automatic restart, and the port enters the Down-Stuck state, you can clear the stuck state and enter the Down state by using one of the following commands: clear elsm ports <portlist> auto-restart enable elsm ports <portlist> auto-restart
48
Figure 27: Extreme Link Status Monitoring (ELSM)
49
Layer 2 Forwarding
Verifying Extreme Link Status Monitoring

To display detailed information for one or more ELSM-enabled ports, enter the following command: show elsm ports <all | portlist> The state of the link between ELSM-enabled (peer) ports is known as the link state. The link state can be one of the following:

Ready. Indicates that the port is enabled but there is no physical link Active. Indicates that the port is enabled and the physical link is up.
The state of the ELSM logical link is known as the ELSM link state. The ELSM link state can be one of the following:

ELSM is enabled and the ELSM peer ports are up and communicating ELSM is enabled but the ELSM peer ports are not up or communicating ELSM is disabled
Each ELSM-enabled port exists in one of the following ELSM states:
Up. Indicates a healthy remote system and this port is receiving Hello+ messages from its peer.
If an ELSM-enabled port enters the Up state, the up timer begins. Each time the port receives a Hello+ message from its peer, the up timer restarts and the port remains in the Up state. The up timer is 6* hello timer, which by default is 6 seconds.
Down. Indicates that the port is down, blocked, or has not received Hello+ messages from its peer.
If an ELSM-enabled port does not receive a hello message from its peer before the up timer expires, the port transitions to the Down state.
NOTE
When ELSM is down, data packets are neither forwarded nor transmitted out of that port.
Down-Wait. Indicates a transitional state.
If the port enters the Down state and later receives a Hello+ message from its peer, the port enters the Down-Wait state. If the number of Hello+ messages received is greater than or equal to the hold threshold (by default 2 messages), the port transitions to the Up state. If the number of Hello+ messages received is less than the hold threshold, the port enters the Down state.
Down-Stuck. Indicates that the port is down and requires user intervention.
If the port repeatedly flaps between the Up and Down states, the port enters the Down-Stuck state.
50
Figure 28: Verifying Extreme Link Status Monitoring
51
Layer 2 Forwarding
Summary
The Layer 2 Forwarding module presents a description of the various functions a bridge performs, how a bridge handles frames received from the networks, and how to configure Layer 2 forwarding. You should now be able to:

Describe transparent bridging. Describe the flooding and learning port states. Describe the forwarding and filtering port state. Describe the forwarding database. Identify the various FDB entry types. Manage forwarding database entries. Configure egress flooding. Configure and verify the limit-learning feature. Configure and verify the lock-learning feature. Configure the Extreme link status monitor.
52
Figure 29: Summary
53
Layer 2 Forwarding
Lab
Turn to the Layer 2 Forwarding Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
54
Figure 30: Lab
55
Layer 2 Forwarding
Review Questions
1 Which of the following commands configures normal flooding behavior on ports 1 through 6 on a switch? a flood ports 1-6 all_cast b enable flooding all_cast ports 1-6 c configure ports 1-6 enable flooding all_cast d configure all_cast flooding ports 1-6
2 Which of the following commands removes a permanent Layer-2 FDB entry? a configure fdbentry delete 00:E0:2B:12:34:56 vlan finance b delete fdbentry 00:E0:2B:12:34:56 vlan finance c delete fdb permanent 00:E0:2B:12:34:56 d delete fdb 00:E0:2B:12:34:56 permanent
3 Which of the following best describes an Extreme Networks Ethernet switch? a A remote bridge b A transparent bridge c A source route bridge d A source route transparent bridge
4 What action does the switch take when a packet is received on a port and the source MAC address does not already exist in the FDB? a The source MAC address is learned and added to the FDB. b The switch filters the frame at the port. c The destination MAC address is learned and added to the FDB. d The source MAC address is added to the FDB as a black hole entry.
5 Which of the following are the switch functions related to Layer-2 forwarding? a Flooding, learning, forwarding, and filtering. b Blocking, learning, forwarding, and filtering. c Blocking, listening, learning, and forwarding. d Listening, learning, filtering, and forwarding.
56
6 What part of the Ethernet packet does a transparent bridge use to make forwarding decisions? a The destination Layer-3 address b The Layer-3 protocol type field c The Layer-2 protocol type field d The destination MAC address
7 Which of the following best describes the flooding bridge function? a The forwarding database does not contain the entry for the destination, the destination is considered to be unknown, and the packet must be forwarded to every attached interface. b When frames are received and the destination MAC address matches the FDB entry for the inbound port, the packet must be forwarded to every attached interface. c When a packet is received on a port, if the source address does not already exist in the FDB it is learned and flooded to the FDB.
d When a packet is received on a port, if the source address does not already exist in the FDB it is dropped.
8 How many times may a station attempt a retransmission after detecting a collision? a 4 b 8 c 16 d 32
9 Which of the following identifies the minimum Ethernet packet length? a 46 b 64 c 128 d 256
10 Which of the following switch functions is best defined by the following sentence? This function examines the source addresses of frames received on the port and creates an entry in the forwarding database associating the port on which the frame was received with the MAC address. a Flooding b Learning c Forwarding d Filtering
57
Layer 2 Forwarding 11 Which of the following switch functions is best defined by the following sentences? This function looks up the destination address in the forwarding database. If the address is known and the port is the same as the port on which the frame is received, the frame is discarded. a Flooding b Learning c Forwarding d Filtering
12 Which of the following switch functions is best defined by the following sentence? This function forwards packets to all interfaces if the destination MAC address is unknown. a Flooding b Learning c Forwarding d Filtering
13 Which of the following switch functions is best defined by the following sentences? This function looks up the destination address in the forwarding database. If the address is known and the port is different from the port on which the frame is received, the frame is sent to the destination port. a Flooding b Learning c Forwarding d Filtering
14 Which of the following is NOT a Layer 2 FDB entry type? a Dynamic Entries b Static Entries c Black hole Entries d Fast-Aging Entries
15 Which of the following is true? a The show ports command is used to determine the configuration of MAC address learning b MAC address learning is enabled by default c MAC address learning is configured on a per-port basis d All of the above
58
16 Which of the following values is the default for the FDB agingtime parameter? a 15 Seconds b 60 Seconds c 100 Seconds d 300 Seconds
17 Which of following Layer 2 security features freezes the FDB and does not allow new MAC address entries to be added dynamically? a Egress Flood Control b Limit-learning c Lock-learning d All of the above
18 Egress Flood Control enables you to control the transmission of which of the following packets? a Broadcast b Multicast c Unknown Unicast d All of the above
19 Which of the following describes how MAC addresses from unknown stations are handled after the limit-learning threshold has been reached? a MAC addresses are ignored and packets originated by these stations are dropped b MAC addresses are learned and packets originated by these stations are dropped c MAC addresses are learned as black hole entries and packets originated by these stations are dropped
d MAC addresses are learned as black hole entries and packets originating from these stations are forwarded
20 Which of the following commands enable you to view the Layer 2 forwarding database? a show Layer 2 forwarding table b display L2 table c show fdb d L2 view
59
Layer 2 Forwarding 21 Which of the following commands enable you to add an entry to the Layer 2 forwarding database? a add fdbentry b create fdbentry c fdbentry create d fdbentry add
22 Which two commands of the following list enable you to remove entries from the Layer 2 forwarding database? a delete fdbentry / clear fdb b clear fdbentry / delete fdb c remove fdbentry / unconfigure fdb d unconfigure fdbentry / remove fdb
23 Which of the following networking devices defines the boundary of a collision domain? a Hub b Bridge c Repeater d All of the above
60
61
Layer 2 Forwarding
62
Introduction to VLANs
Student Objectives

Define VLANs. Describe port-based (untagged) VLANs. Describe tagged VLANs. Describe protocol-based VLANs. Describe the benefit of VLANs. Manage port-based (untagged) VLANs. Manage tagged VLANs. Manage protocol-based VLANs.
Virtual LANs
A Virtual Local Area Network (VLAN) is an emulation of a Local Area Network (LAN). But, it's more than that. It's a way of grouping different network devices to ensure that those devices can communicate directly with one another. Typically, network devices are grouped together into VLANs based upon one the following criteria:

Physical location (port) IEEE 802.1Q tag value Protocol
A VLAN emulates a LAN by managing how Ethernet frames are propagated throughout a network. For example, in order for the VLAN to operate like a typical LAN, broadcast, multicast, unknown unicast frames must be forwarded to all the stations in the VLAN. A virtual local area network is a collection of devices that communicate as if they were on the same broadcast domain. VLANs are a feature found in most switches (bridges) today. VLANs allow the administrator to configure a bridge to participate in multiple broadcast domains. To forward traffic from one VLAN to another VLAN, use a Layer-3 device such as a router or Layer-3 switch. Virtual LANs are a technology that provides the network administrator with greater control over network traffic and administration.

VLANs can span multiple Layer-2 switches and do not restrict node placement. Broadcast packets are flooded only within a VLAN / broadcast domain. A VLAN is a Layer-2 broadcast domain. With the use of VLANs, the Layer-2 broadcast domain is no longer defined by just a device's physical location. VLANs allow the administrator to define which devices are contained within the same Layer-2 broadcast domain. Devices configured to be within the same VLAN, communicate as though they were on the same physical network. (regardless of physical location)
VLANs greatly increase the control available to the administrator. VLANs can enhance network performance and design flexibility as follows:

A single switch may be configured to support multiple VLANs. A single port on a switch can be a member of more than one VLAN.
Figure 2: Virtual LANs
VLAN Operation
A VLAN emulates a LAN by managing how Ethernet frames are propagated throughout the network. For example, in order for the VLAN to operate like a typical LAN; broadcast, multicast, and unknown unicast Ethernet frames that originate from a station that is part of a VLAN must be forwarded to all the stations in that VLAN. Therefore, a VLAN defines the parts of the network where broadcast packets are to be forward - or the broadcast domain. Just like in traditional LANs, a router (Layer 3 forwarding device) is required to forward traffic from one VLAN to another. This is true even if all VLANs are in a single device. Devices configured to be within the same VLAN, communicate as though they were on the same physical network (regardless of physical location). There must be either an external Layer-3 router, or something inside the switch that acts as a Layer-3 router in order for traffic to traverse VLANs.
Figure 3: VLAN Operation
Types of VLANs
VLANs are created by associating network devices with one another based upon some criteria. That criterion can either be the physical port upon which the network device's traffic ingresses the switch or some other information that is contained in the Ethernet frame. The various VLAN types are named after the criteria used to determine which devices are members of the VLAN.
802.1Q tagged VLAN
Membership is based upon the 802.1Q tag value of the frame. Membership is based upon the Ethernet Frame's ingress port. Membership is based upon the protocol information in the Ethernet Frame. It is quite possible for one station to be a member of several VLANs when using protocol based VLANs. Devices whose MAC addresses match (or partially match) a predefined set of MAC addresses are part of the same VLAN
Port-based (untagged) VLAN
Protocol VLAN
Layer 2 MAC address VLAN
Figure 4: Types of VLANs
Port-Based VLANs
In a port-based VLAN, membership is based upon which ports are assigned to the VLAN. For example, if ports 1, 2, 3, and 4 are assigned to VLAN_BLUE, then any untagged Ethernet frames that are received by the switch on ports 1, 2, 3, or 4 are distributed to only those ports. Untagged Ethernet frames that are received on ports 1, 2, 3, or 4 should never be forwarded to any of the other ports on the switch without the aid of a router. If a tagged Ethernet frame is received on a port that is configured as a member of an untagged VLAN, it can be handled by switches in a number of ways:

Drop the frame. The switch assumes that the port is only meant for untagged frames. Forward the frame based upon the VLAN ID in the frame. This assumes that the switch has a corresponding tagged VLAN configured. If a tagged VLAN with a corresponding VLAN ID is not configured on the switch, there is no way to forward the frame, so it is dropped. Forward the frame as if the incoming frame didn't have a tag. NOTE
Refer to the product documentation to determine how your switch handles this situation.
To create a port-based VLAN, the network administrator associates or assigns ports to the VLAN. This informs the switch on how to redistribute the frames that it receives. If a frame is received on any of the associated VLAN ports, the switch will distribute the frame to the other ports associated with the portbased VLAN. A port can be a member of only one port-based VLAN. However, a port may be a member of another VLAN provided the other VLAN is not a port-based VLAN. For example, a port may be a member of one port-based VLAN and three 802.1Q tagged VLANs.
10
Figure 5: Port-Based VLANs
11
802.1Q Tagged VLANs

With 802.1Q tagged VLANs, membership is based upon the VLAN ID in the 802.1Q field in the incoming packet.
802.1Q Fields
VLAN tagging is a process that inserts an 802.1Q Tag into the Ethernet frame. The 801.Q Tag contains these fields:

Tag Protocol ID (TPID) User Priority Canonical Format Indicator (CFI) VLAN Identifier (VID)
Since the 802.1Q tag adds four bytes to the Ethernet frame, the frame may expand to become larger than the IEEE 802.3 Ethernet Maximum Transmit Unit (MTU) of 1,518 bytes. This can affect network statistics and error counters in some devices, and can also lead to connectivity problems if non-802.1Q bridges or routers are placed in the path. The current version of IEEE 802.1D specifies that a device can receive up to 1,522 bytes.
The Tag Protocol ID (TPID) Field

The TPID is always set to 0x8100. This value at this location in the packet identifies the frame as an 802.1Q tagged frame.
The User Priority Field

The User Priority Field is defined by the IEEE 802.1p specification. This field is used by QoS applications to determine the priority of the frame's contents.
The Canonical Format Indicator (CFI)

The CFI is used for compatibility between Ethernet and Token Ring networks. The Canonical Format Indicator is set to 1 by token ring switches. It is always set to zero for Ethernet switches. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be bridged to an untagged port.
The VLAN Identifier (VID)

The VLAN ID is a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means that the frame doesn't belong to any VLAN; in this case the 802.1Q tag specifies only a priority and is referred to as a priority tag. A value of hex 0xFFF is reserved for implementation use. All other values may be used as VLAN identifiers, allowing up to 4094 VLANs. On bridges and switches, VLAN 1 is often reserved for management.
12
Figure 6: 802.1Q Tagged VLANs
13
802.1Q Tagged VLANs Uses

Using 802.1Q Tags between Switches
Tagging is most commonly used to create VLANs that span switches. The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span switches using just one trunk. It is also possible (and common) to use multiple trunks for redundancy.
Using 802.1Q Tags to Differentiate Traffic

Tagging also can be used to differentiate one type of incoming traffic from another. For example, what if you have two network devices with different service needs attached to the same port? This could be the case for a user with an IP phone and desktop computer attached to the same network port. IP telephony traffic has different requirements that standard data traffic. Another use for tagged VLANs is the ability to have a port configured as a member of multiple VLANs. This is particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The device must have a Network Interface Card (NIC) that supports IEEE 802.1Q tagging. Remember, a single port can only be a member of one port-based VLAN. However, tags may be used to associate that port with additional VLANs.
14
Figure 7: 802.1Q Tagged VLANs Uses
15
Protocol-Based VLANs
Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN. A Protocol-based VLAN dynamically forwards packets within a VLAN based on a protocol filter. The Ethernet frame's protocol is usually defined in one of the following fields:

Ethernet Type Logical Link Control (LLC) Subnetwork Access Protocol (SNAP)
Ethernet Type Field

This two-byte field identifies the protocol of the payload.
Logical Link Control (LLC)

According to the IEEE 802 family of standards, Logical Link Control (LLC) is the upper sublayer of the OSI data link layer. The LLC is the same for the various physical media (such as Ethernet, token ring, and WLAN). The LLC field has the following subfields:

Destination Service Access Point (DSAP) Source Service Access Point (SSAP) Control
The one-byte fields DSAP and SSAP Fields identify the encapsulated protocol. Details of the LLC protocol are not covered by this course.
Subnetwork Access Protocol (SNAP)

The Subnetwork Access Protocol field is an extension of the LLC protocol. When SNAP protocol is specified by the presence of the value 0xAA in the LLC DSAP and SSAP subfields. Various protocols use the SNAP field to identify themselves, rather than the Ethernet Type field or the LLC field. Details of the SNAP protocol are not covered by this course.
16
Figure 8: Protocol-Based VLANs
17
Benefits of VLANs
This page lists several advantages of implementing VLANs on your networks.
Help Control Traffic

VLANs provide a way of defining the size of Layer-2 broadcast domains and which devices are members of the domain. This is important to network design because controlling Layer-2 broadcasts is a factor in overall network performance. The important issue is that this domain is not controlled by physical location. If required, each port on the same switch could be configured as a member of a different VLAN.
Provide Extra Security

Devices within each VLAN can only communicate at Layer 2 with member devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN Finance, the traffic must cross a routing device. NOTE
When monitoring the traffic on the network using a network analyzer, the analyzer only receives the Layer-2 information for the VLAN (broadcast domain) it is connected to.
Ease Changes and Movement of Devices

With traditional networks, administrators spent much of their time dealing with moves and changes. If users who were configured to be in a specific Layer-2 broadcast domain physically move location, it was difficult (or impossible) to reconfigure the network to maintain them as members of the same broadcast domain. By implementing VLANs, if an end-station in VLAN Marketing is moved to a port in another part of the network and needs to retain its original VLAN membership, you only have to specify that the new port is a member of VLAN Marketing. There is no need to physically reconfigure the network.
18
Figure 9: Benefits of VLANs
19
Managing Port-Based VLANs

Overview
A port-based (untagged) VLAN only uses the port as the criteria for membership. Untagged traffic that ingresses from one of the member ports is forwarded to the other ports that are members of the portbased VLAN. Port-based VLANs are fairly easy to implement and manage. Port-based VLANs may be considered location based VLANs. Any device that attaches to a particular port is now part of the VLAN to which the port is configured as a member. A port-based VLAN may be implemented to support the following applications:

Switch ports connected to a hotel's guest rooms may be all be part of a hotel_guest VLAN. Each cube may have a dedicated port for data and a dedicated port for Voice-over-IP (VoIP). Company ports in public access areas may belong to a visitor VLAN,
When compared to other types of VLANs, port-based VLANs are easy to implement, understand, and document. These benefits make port-based VLANs a very popular tool. Managing a port-based VLAN is comprised of several discreet activities. Among these activities are:

Displaying the VLAN configuration. Creating and Deleting VLANs. Adding and Removing Ports. Verifying VLAN functionality. Enabling and Disabling VLANs. Renaming the VLAN.
Listing the Steps to Create a VLAN

There are just a few steps to creating a VLAN. They are: 1 Determine the current VLAN configuration. Before you start creating and configuring VLANs, you should first verify the current configuration. 2 Create the VLAN. 3 Add ports to the VLAN. 4 Verify VLAN functionality.
Describing other Port-Based VLAN Management Tasks

Subsequent to creating and verifying the port-based VLAN, you may be asked to perform other management tasks associated with the port-based VLAN. Among theses tasks are to:

Enable a VLAN Disable a VLAN Rename a VLAN
20
Figure 10: Managing Port-Based VLANs
Figure 11: Listing the Steps to Create a VLAN
21
Displaying VLAN Information

Prior to changing the configuration of any device, you should ensure that your understanding of how the device is configured is correct. In order to examine how VLANs are configured on the ExtremeXOS switch, use the following syntax: show vlan { detail | <vlan_name> }
Examples
To display a concise description of all VLANs configured on the device, including their tag values, enter the following command: show vlan To display a detailed description of all VLANs configured on the switch, enter the following command: show vlan detail To display a detailed description of the VLAN named accounting, enter the following command: show vlan detail accounting
22
Figure 12: Displaying VLAN Information
Figure 13: Displaying VLAN Information (Continued)
23
Creating and Deleting Port-Based VLANs

To create a port-based VLAN, use the following command syntax: create vlan <vlan name> {vr <vr-name>} To delete a port-based VLAN, use the following command syntax: delete vlan <vlan_name>
Syntax Description
vlan_name vr vr-name Specifies a VLAN name (up to 32 characters). Specifies a virtual router. Specifies in which virtual router to create the VLAN.
Examples
To create a VLAN named accounting, enter the following command: create vlan accounting To remove the VLAN named accounting, enter the following command: delete vlan accounting
Implementation Notes
A newly-created VLAN has no member ports, is untagged, and uses the protocol filter ANY until you configure it otherwise. Use the various configuration commands to configure the VLAN to meet your needs. Internal VLAN IDs are assigned automatically using the next available VLAN-ID starting from the high end (4094) of the range. Each VLAN name can be up to 32 standard alphanumeric characters, but must begin with an alphabetical letter. VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to that switch. NOTE
The BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches do not support usercreated virtual routers; all user-created VLANs are in VR-Default.
24
Figure 14: Creating and Deleting Port-Based VLANs
25
Adding and Removing Ports to and from a Port-Based VLANs

To add ports to a port-based VLAN, use the following syntax: configure vlan <vlan_name> add ports <ports_list> To remove ports from a port-based VLAN, use the following syntax: configure vlan <vlan_name> delete ports <port_list>
Implementation Notes

The VLAN must already exist before you can add (or delete) ports. Ports can only be in one VLAN as untagged. A port can be added to multiple VLANs only when it has multiple tags. By default, all ports are members of the default VLAN. In order to add untagged ports to a different VLAN, you must first remove them from the default VLAN. Failure to do so results in this error:
Error: Protocol conflict when adding untagged port 1:2. Either add this port as tagged or assign another protocol to this VLAN.
Examples
To add all ports to the VLAN named accounting, use the following command: configure vlan accounting add ports all To remove ports 4, 6, and 10 from the port-based VLAN named accounting, use the following command: configure vlan accounting delete ports 4, 6, 10
26
Figure 15: Adding and Removing Ports to and from a Port-Based VLANs
Figure 16: Adding and Removing Ports to and from a Port-Based VLANs Examples
27
Enabling and Disabling Port-Based VLANs

In certain complex configurations such as MPLS, it might be useful to configure a VLAN and then disable it prior to deploying it on the network. To disable a VLAN, use the following command syntax: disable vlan <vlan_name> When disabling a VLAN keep the following in mind:

Disabling a VLAN stops all traffic on all ports associated with the specified VLAN. You cannot disable any VLAN that is running any Layer-2 protocol such as ESRP or EAPS. When you attempt to disable a VLAN running Layer-2 protocol traffic (for example, the VLAN accounting), the system returns a message similar to the following:
VLAN accounting cannot be disabled because it is actively use by an L2 Protocol
You can disable the default VLAN; however, ensure that this is necessary before disabling the default VLAN. You cannot disable the management VLAN. Although you can remove ports from a disabled VLAN, you cannot add ports to a disabled VLAN or bind Layer-2 protocols to that VLAN.
To re-enable a VLAN, use the following command syntax: enable vlan <vlan_name>
28
Figure 17: Enabling and Disabling Port-Based VLANs
Figure 18: Enabling and Disabling Port-Based VLANs (Continued)
29
Renaming VLANs
If a department moves from one location to another, it may be easier to rename a VLAN than to completely reconfigure the switch to accommodate the move. Consider this scenario:
The accounting department will move from the second floor of building 301 to the first floor of building 300. The engineering department will move into the space vacated by the accounting department after the space is renovated next week.
Rather than remove the ports and deleting the accounting VLAN, it may be easier to simply rename the VLAN engineering.
Command
To rename a VLAN, use the following command syntax: configure vlan <vlan_name> name <name>
Example
To rename the accounting VLAN to finance, use the following command: configure vlan accounting name finance
30
Figure 19: Renaming VLANs
31
Verifying Port-Based VLAN Configuration

After configuring a port-based VLAN, you should verify the configuration. To verify the configuration of a specific port-based VLAN, use the following command syntax: show vlan {detail {ipv4 | ipv6} |<vlan_name> {ipv4 | ipv6} | virtual-router <vr-router> | <vlan_name> stpd} The display provides a great deal of information, but for our purpose well focus on the following items:
Admin State Field

The Admin State field indicates if the VLAN is enabled or disabled. With ExtremeXOS, you can disable and enable an entire VLAN. This means that you do not have to disable or enable the ports in the VLAN in order to cause the switch to stop forwarding traffic on that VLAN.
Tagging Field
This field indicates if the VLAN has been configured with a tag. In the case of port-based VLANs, this field should contain the value Untagged.
Virtual Router Assignment Field

The virtual router assignment identifies the virtual router to which this VLAN is assigned.
Primary IP Field
The Primary IP field displays the IP address and the Sub-net Mask of the internal router interface for this VLAN.
Protocol Field
When examining the configuration of a port-based or untagged VLAN, the protocol should be listed as ANY or Match all unfiltered protocols.
Ports Field
The Ports field indicates the number of ports that are in the VLAN. The example on the slide indicates that there are three ports in this VLAN. The ports are then listed. The example shows that ports 1, 4 and 7 are members of VLAN blue. The asterisk (*) preceding each port number indicates that the port is active.
32
Figure 20: Verifying Port-Based VLAN Configuration
33
System VLANs
The following two VLANs are pre-configured on ExtremeXOS switches:

Default Mgmt
Default VLAN
The default VLAN has the following properties:

An internal VLAN ID of 1 Contains all the switch data ports (all ports except the Ethernet management port) as members Ports are defined as untagged NOTE
The default VLAN cannot be deleted. Although you can rename an existing VLAN, the default and Mgmt VLAN names should not be changed. VLAN names are not case sensitive.
Mgmt VLAN
Many Extreme Networks switches have an additional pre-configured VLAN called Mgmt which contains the dedicated Mgmt Ethernet port. The Mgmt VLAN has the following characteristics:

Only exists on switches that have an Ethernet management port. Only contains the management port. Is only used for management functions. No switching or routing is supported on this VLAN.
You can configure an IP address, subnetwork mask, and a default route for the mgmt VLAN. The Mgmt VLAN and Mgmt port are connected to the VR-Mgmt virtual router interface.
Management Port
The management port supports access for Telnet, SNMP, and TFTP. The management port is a DTE port, and is not capable of supporting switching or routing functions.
34
Figure 21: System VLAN - Default
Figure 22: System VLAN - Mgmt
35
Extending Port-Based VLANs Across Switches

To create port-based VLANs that span two (or more) switches:

The switches must be connected together. VLAN names must be unique. The same VLAN name should be configured on each switch. Each switch must have a configured port(s) for each VLAN. Each link between the switch ports must connect to a port that is a member of the same VLAN on the next switch.
The illustration shows one way to extend three VLANs across two switches. The following steps show the basic process involved in configuring each of the three VLANs:
Create the VLANs on each switch. create vlan finance create vlan engineering create vlan marketing
Add ports to each VLAN on each switch. configure vlan finance add ports 1-4 configure vlan engineering add ports 9-12 configure vlan marketing add ports 17-24
Cable the switches together using one port per VLAN on each switch. NOTE
This type of physical connection uses a lot of physical port resources. To overcome this limitation, implement other VLAN types such as tagged VLANs.
36
Figure 23: Extending Port-Based VLANs Across Switches
37
Managing Tagged VLANs

The next section of training focuses on the process of managing tagged VLANs.
Listing The Steps to Create a Tagged VLAN

Creating a Tagged VLAN
There are several steps involved in creating a tagged VLAN. While many of these steps are exactly the same as those required for creating an untagged VLAN, the differences are significant. From a very high level, the steps to creating a tagged VLAN are: 1 Create the VLAN. 2 Assign a tag value to the VLAN. 3 Add ports to the tagged VLAN. 4 Verify tagged VLAN configuration. 5 Verify tagged VLAN functionality. Of course, before you start the process of creating a VLAN you should verify the existing VLAN configuration.
38
Figure 24: Managing Tagged VLAN
Figure 25: Listing the Steps to Create a Tagged VLAN
39
Creating a Tagged VLAN

The main reason for creating tagged VLANs is that wish for a single port be a member of more than one VLAN. This may be because you wish to have traffic from multiple VLANs be transmitted to another switch through that port. Or, you may wish to have traffic from multiple VLANs funneled to a server through that network connection. Regardless of the reason for creating tagged VLANs, here are steps to accomplish the task:

Creating the VLAN Assigning a tag value (VLAN ID) to the VLAN
Create a VLAN with a unique name using the following syntax: create vlan <vlan name> NOTE
You may want to consider including the tag value as part of the VLAN Name. This may make it easier to maintain the VLAN configuration.
Assign a tag value (VLAN ID) to the VLAN using the following syntax: configure vlan <vlan_name> tag <tag>
Example
To create a VLAN named ENGINEERING with a VLAN ID of 2004, enter the following commands: create vlan ENGINEERING configure vlan ENGINEERING tag 2004
Implementation
The tag range is 2 - 4094. The VLAN tag is the same as its VLAN ID.
40
Figure 26: Creating a Tagged VLAN
41
Adding and Deleting Ports to and from a Tagged VLAN

When you add a port to a tagged VLAN, you need to determine if the port will be added as a tagged port, or as an untagged port. Typically, a port is added as a tagged member if the port is to be used as a trunk port connecting one switch to another. However, if the port is going to be used as an access port for network terminal devices such as PCs and servers, the port membership type would be untagged. Finally, a port may be a member of multiple VLANs. A port can become a member of a tagged VLAN as either an untagged port or as a tagged port. The difference between these two port types is how they process incoming and outgoing Ethernet frames.
Ingress Processing
At ingress, the incoming frame is processed based upon:

The Ethernet frames VLAN ID. The port membership type whether it is tagged or untagged. The port is a member of a VLAN that is configured the same tag value as the incoming frame.
When an Ethernet frame is received by a port that is a member of tagged VLAN, the system must first examine the incoming frame to determine if the frame is tagged or untagged. Using the table on the slide, when a tagged frame is received on Port 1, the switch checks to see if the VLAN ID in the frame has the value of either 2 or 3. If not, the frame is dropped. If an untagged frame is received on Port 1, the frame is associated with the GUEST VLAN.
Egress Processing
Egress frame processing is based upon:

VLAN associated with frame Port membership type
When an Ethernet Frame is transmitted by a switch port, the switch formats the frame based upon the frames associated VLAN and the type of membership associated with the egress port. Using the table on the slide as an example, when the switch transmits a frame that is associated with the FINANCE VLAN out of Port 1, the switch transmits a tagged frame with a VLAN ID value of 2. When the switch transmits a frame that is associated with the FACILITIES VLAN out of the same port, the switch transmits a tagged frame with a VLAN ID value of 3. However, when the switch transmits a frame that is associated with the GUEST VLAN out of Port 1, the switch transmits an untagged frame.
42
Figure 27: Adding and Deleting Ports to and from a Tagged VLAN
43
Adding and Deleting Ports to and from a Tagged VLAN (Continued)

Removing Ports From An Untagged VLAN
Before you can add a port to a tagged VLAN, you need to ensure that the port is not already a member of an untagged VLAN. Remember, by default all ports are members of the Default VLAN - which is an untagged VLAN. In order for the ports on a switch to become members of other VLANs, they must be deleted from the default VLAN. Use this command syntax to remove a port from the default VLAN: configure vlan default delete port <port_list>
Adding Ports To A Tagged VLAN

To add ports to the VLAN, you must specify three things:

The name of the VLAN of which the port will become a member The port number of the target port The membership type whether tagged or untagged
Once you have this information, use the following command syntax to add the port(s) to a VLAN: configure vlan <vlan_name> add port <port_list> [ untagged | untagged ]
Verifying Port Membership

After adding the ports to the tagged VLAN, verify the port membership by using the show VLAN command syntax: show vlan <vlan_name>
Examples
To delete port 7 from the default VLAN: configure vlan default delete port 7 To add port 7 to the engineering VLAN as an untagged member, use the following command: configure vlan engineering add port 7 untagged To add ports 2 and 3 to the engineering VLAN as tagged members, use the following command: configure vlan engineering add ports 2,3 tagged To delete all ports from the default VLAN: configure vlan default delete port all
44
Figure 28: Adding and Deleting Ports to and from a Tagged VLAN
45
Verifying Tagged VLAN Configuration

To verify the VLAN configuration, use the syntax: show vlan <vlan_name> Verify the name of the VLAN, the 802.1Q tag value, and the ports that are members of this VLAN. In our example, we should see that the VLAN name is blue, that the 802.1Q tag value is 10, that port 7 is an untagged port member, while ports 2 and 3 are tagged port members. Ensure that VLAN name blue and the VLAN ID value of 10 are used in a consistent manner throughout the network.
NOTE
For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLANid of 0 are treated as untagged.
46
Figure 29: Verifying Tagged VLAN Configuration
47
Verifying Tagged VLAN Functionality

Once you configure the tagged VLAN and the associated ports, you should then verify that the VLANs behave in an expected manner. To verify that the switch is working as expected, you need to be able to send tagged and untagged frames to the switch, and capture the processed frames as they are forwarded by the switches port.
Generating Ethernet Frames

Generating untagged frames is pretty easy to do. It's usually no harder than plugging a PC into a data port on the switch and pinging a device in the subnet. Most network stations generate untagged packets unless they are specifically configured to generate tagged frames. On the other hand, it requires a little bit more work to generate tagged Ethernet frames. To these types of frames, you will need to do one of the following:

configure a network station to send tagged frames use a device to generate packet such as those provided by Ixia use software on your PC that allows you to generate tagged packet such as Network Packet Generator (npg.exe) use a switch with the egress port configured as a tagged port
Once you are able to transmit tagged and untagged frames, and have the ability to manipulate the VLAN ID in the tagged frames, you are ready to proceed to the next step.
Capturing Ethernet Frames

Once you have the ability to generate the Ethernet frames, you need to be able to capture them to examine their contents and formatting. You will need one of the following network capture tool such as a Network General Sniffer, Wireshark, tcpdump, or windump. To conduct a thorough test, you should generate both tagged and untagged frames. The tagged frames should be contain VLAN ID values that are associated as well as tagged frames with VLAN ID values that are not associated with the port.
Onboard Statistics
You can also examine the packet statistics for the VLAN. When a packet is generated by the network device, you can view the statistics for the appropriate VLAN to verify that the frame is associated with the correct VLAN. Use the command syntax to guide you: clear counters configure port [<port_list> | all} monitor vlan <vlan name> show ports {port_list} vlan statistics {no-refresh}
48
Figure 30: Verifying Tagged VLAN Functionality
49
Example: Configuring Tagged VLANs on Multiple Switches

Here is an example of how to configure tagged VLANs. In this example there are two switches with a single link that must support 2 VLANs. The red VLAN uses a tag of 10 and the green VLAN uses a tag of 20. Any port that is used by a host connection is usually left untagged, since most NICs are not designed to support 802.1Q tags and have no real need to detect them anyway. For switch-to-switch connections, the VLAN ports should be tagged to enable those ports to support more than one VLAN. Frames from VLAN red contain the 802.1Q tag with a VLAN ID of 10 and frames from VLAN green contain the 802.1Q tag of 20.
50
Figure 31: Example: Configuring Tagged VLANs on Multiple Switches
51
VLAN Rules
When designing your network's VLANs, follow a few simple rules.
Use Consistent Tag Values

Use consistent tag values on all links between switches. Remember, when multiple VLANs use a single physical uplink, the system requires the use of 802.1Q tags to identify which VLAN the packets belong to. Tags must match across links for the associated VLANs to be contiguous. If tags are mismatched, datagrams may be discarded at the ingress port and VLANs become isolated from one another.
Ensure VLAN Names Match on All Switches

Ensure that VLAN names match on all switches. The switch relies on the VLAN ID in the Tag Control Information field to make VLAN forwarding decisions. The switch ignores the VLAN name for forwarding decisions. The VLAN name is simply there to benefit the user - to give them an opportunity to label the VLAN something meaningful to the organization, such as Engineering. So, while it is possible to have VLANs configured on multiple switches with the same VLAN ID but with different names, this can cause confusion. Therefore, be as consistent as possible when naming your VLANs.
Configure Links Between Switches to Use Tags

Configure links between switches to use tags. Of course, you can use untagged links between VLANs if absolutely necessary. However, it is a better practice to leverage one physical or logical link between switches to transport VLAN traffic. In the example on the screen, you see that

Links between switches are all tagged. VLANs with the name Yellow and Red are created on all three switches. VLAN Yellow is consistently assigned a tag value of 10. VLAN Red is consistently assigned a tag value of 30.
52
Figure 32: Examples of Best Practices
53
Managing Protocol-Based VLAN

The next section of training focuses on the process of managing protocol-based VLANs.
Listing the Steps to Create a Protocol-Based VLAN

Creating a Protocol-Based VLAN
There are several steps involved in creating a protocol-based VLAN. While many of these steps are exactly the same as those required for creating tagged and untagged VLANs, the differences are significant. From a very high level, the steps to creating a protocol-based VLAN are to: 1 Create the VLAN 2 Add a tag to the VLAN (optional) 3 Create a protocol filter (optional) 4 Assign a protocol filter to the VLAN 5 Add ports to the VLAN 6 Verify VLAN configuration 7 Verify VLAN functionality Of course, before you start the process of creating a VLAN you should verify the existing VLAN configuration.
54
Figure 33: Managing Protocol-Based VLAN
Figure 34: Listing the Steps to Create a Protocol-Based VLAN
55
Creating a Protocol-Based VLAN

The process of creating a protocol-based VLAN is exactly the same as with tagged and untagged VLANs. You essentially create a VLAN object and then configure the VLAN with the attributes to make it a protocol-based VLAN. Use this syntax to create the VLAN object: create vlan <vlan_name>
Adding a Tag Value to a Protocol-Based VLAN

You can associate a tag value with the protocol-based VLAN, but you don't have to. The tag value would be used if you were to aggregate several VLANs onto a single port. Use the following syntax to assign a VLAN ID to the protocol-based VLAN. configure vlan <vlan_name> tag <vlan_id> After completing these two steps, the VLAN is defined, but has no ports.
56
Figure 35: Creating a Protocol-Based VLAN
57
Creating a Protocol Filter

When you configure a protocol-based VLAN on an ExtremeXOS enabled switch, you do so by instructing the switch to determine VLAN certain types of traffic on to the VLAN. This is done by defining a protocol filter to be used as the matching criteria to determine if a particular packet belongs to a particular VLAN. You may choose to use one of the switches predefined protocol filters, or - if the predefined filters do not meet your needs, you may manually configure a protocol filter to better meet the needs of your application. Protocol-based VLANs may be used when network segments contain hosts running multiple protocols. In the example on the slide an ingress port is configured to receive three different protocol types: IPX, IP, and AppleTalk.
58
Figure 36: Creating a Protocol Filter
59
Predefined Protocol Filters

Before you create a custom protocol filter, you should check to see if one of the preconfigured protocol filters will meet your needs. The ExtremeXOS enabled switch provides you with a range of pre-defined protocol filters to make implementation easy. The following is a list of pre-defined protocol filters:

IP IPX IPv6 NetBIOS DECNet IPX_8022 IPX_SNAP AppleTalk MPLS ANY
For IP, IPX, IPv6, MPLS, and DECNet protocols, the Extreme Networks switch investigates the Ether Type field to determine if there is a match. Matching traffic will be forwarded, other traffic will be discarded. For NetBIOS and IPX_8022 protocols, the device looks at the LLC field to determine if there is a match. For IPX_SNAP and AppleTalk protocols, the switch will investigate the SNAP Organizationally Unique Identifier (OUI) to ascertain if there is a match. Finally, the protocol filter ANY is the default protocol filter for all VLANs. This filter essentially associates all incoming traffic with the VLAN. Note: Protocol filters on the BlackDiamond 8800 series switches, SummitStack, and the Summit series switch only. These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to any and define other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets are forwarded on the VLAN with the ANY protocol filter, and the other protocols pass traffic on their specific protocol-based VLANs. To display a list of custom and pre-defined protocol filters, enter the following command: show protocol
60
Figure 37: Predefined Protocol Filters
61
Custom Protocol Filters

If necessary, define a customized protocol filter based on the EtherType field, Logical Link Control (LLC), and/or Subnetwork Access Protocol (SNAP). A maximum of 15 protocol filters, each containing a maximum of 6 protocols, can be defined. No more than 7 protocols can be active and configured for use. To create a custom protocol filter, enter the following command: create protocol <protocol_name> Protocol names can have a maximum of 32 characters. To configure the protocol filter, enter the following command: configure protocol <protocol_name> add [ etype | llc | snap] <hex_value> {[etype | llc | snap] <hex>} Where: etype - Ethernet frame type llc - LLC Service Advertising Protocol (SAP)
snap - Ethernet frame type inside the IEEE SNAP packet encapsulation hex_value Specifies a four-digit hexadecimal number between 0 and FFFF that represents:

The Ethernet protocol type taken from a list maintained by the IEEE. The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP). The SNAP-encoded Ethernet protocol type.
To display the configuration of pre-defined protocol filters, enter the following command: show protocol <protocol_name> For example to build a filter for LLC SAP packets, enter the following commands: create protocol llcsap configure protocol llcsap add llc 0xfeff To build a filter with multiple protocol types, enter the following command: create protocol new configure protocol new add etype 0xfeff llc 0xe0e0 To delete a protocol filter, enter the following command: delete protocol <protocol_name> If you delete a protocol that is in use by a VLAN, the protocol associated with that VLAN becomes None. You can continue to configure the VLAN. However, no traffic is forwarded to the VLAN until a protocol is assigned to it.
62
Figure 38: Custom Protocol Filters
63
Verifying Protocol-Based VLANs

To verify your protocol configuration, use the command: show protocol This command shows you all the protocol filters that exist on the device. In our example on the screen, you will notice that the administrator has configured protocol filters named foo and fooz. If you would like information about a particular protocol, you may use the command syntax: show protocol <protocol_name> In the example on the screen, the administrator asked for information about the protocol filter named IPv6.
64
Figure 39: Verifying Protocol-Based VLANs
65
Assigning a Protocol filter to a Protocol-Based VLAN

Now that you have created a VLAN, and have decided upon the protocol criteria for the VLAN, you need to assign the protocol to the VLAN. To assign a protocol to a VLAN, use the following syntax: configure vlan <vlan_name> protocol <protocol_name>
Adding a Port to a Protocol-Based VLAN

The next step in the process is to associate ports with the protocol-based VLAN. To add a port to a protocol-based VLAN, use the following command syntax: configure vlan <vlan_name> add ports <port_list> Using the steps outlined in the previous sections has enabled you to configure a protocol-based VLAN. Now, when a frame is received on a port, the system checks:

Is frame is tagged? If yes, and port is a member, then forward appropriately. Does frame have matching protocol filter? If yes then forward appropriately. Protocol filters may include ANY.
66
Figure 40: Assigning a protocol filter to a Protocol-Based VLAN
67
Protocol-Based VLAN Example Configuration

In this example the BlackDiamond 8806 is at the core. Three Protocol-based VLANs are created. One for each protocol. Some clients only use one protocol. Some clients use mixed protocols. Each VLAN consists of four ports on the BlackDiamond 8806; three of the ports are connected to the Summit X450 switches and the remaining one is connected to the appropriate server. All three VLANs have three ports in common on the BlackDiamond 8806. Those ports are the ones serving the Summit X450 switches at the perimeter. To accomplish this, three, protocol-based VLANs are created in the BlackDiamond 8806 and Summit X450 switches. The ports for the link between switches is added to each VLAN. The packets can share a common link because each packet is associated with the correct VLAN by its protocol. This is similar to a tagged packet. The configuration for the BlackDiamond 8806 switch is: create vlan IP_orange configure vlan IP_orange protocol ip configure vlan IP_orange add ports 2:17-2:20 create vlan Atalk_green configure vlan Atalk_green protocol appletalk configure vlan Atalk_green add ports 2:17-2:19,2:21 create vlan IPX_blue configure vlan IPX_blue protocol ipx configure vlan IPX_blue add ports 2:17-2:19,2:22 The protocol filters in this example protect the IP server in the IP_orange VLAN from the traffic coming from the Atalk_green and IPX_blue VLANs.
68
Figure 41: Protocol-Based VLAN Example Configuration
Figure 42: Protocol-Based VLAN Example Configuration (Continued)
69
Configuring Protocol-Based VLANs

To avoid conflicts when configuring protocol-based VLANs, the protocol filter must be applied to the VLAN before adding the ports to the VLAN. Once the filter is applied to the VLAN, only frames with matching protocol types are allowed to join that VLAN. If using protocol based VLANs, a port can participate in multiple VLANs since the protocol type differentiates the traffic. To configure a VLAN using a protocol filter, enter the following command: configure vlan <vlan name> protocol <protocol_name> For example: configure vlan orange protocol ip The illustration shows protocol-based VLANs in use in a Layer-2 network environment. VLAN Blue - IPX based VLAN
VLAN Orange - IP based VLAN In this example the IP server in the orange VLAN is protected from the traffic coming from the blue VLAN. To assign ports to a protocol-based VLAN, enter the following command: configure vlan <vlan name> add ports <portlist> To remove a protocol filter from a VLAN, enter the following command: configure vlan <vlan_name> protocol any
70
Figure 43: Configuring Protocol-Based VLANs
71
Notes on Protocol-Based VLANs

This page lists things to keep in mind when configuring protocol-based VLANs.
Assign only one protocol filter to a VLAN. The protocol filter is treated like a tag with one tag per VLAN. When a protocol filter is deleted, the VLANs which had the protocol filter assigned are now assigned a protocol filter of none. Precedence of tagged packets over protocol filters:
If a VLAN is configured to accept tagged packets on a particular port, incoming packets that match the tag configuration take precedence over any protocol filters associated with the VLAN When a packet is received on the port configured as VLAN purple with a Tag = 10 and VLAN green with an IPX protocol filter. You might ask which the switch services first? When a new VLAN is created, it is assigned the any protocol by default. This means that the VLAN forwards traffic independent of the protocol type. If you want to remove the protocol filter from a VLAN, you should assign the any protocol to the VLAN
The tag takes precedence when there is a match.
72
Figure 44: Notes on Protocol-Based VLANs
73
Summary

Define VLANs. Describe port-based (untagged) VLANs. Describe tagged VLANs. Describe protocol-based VLANs. Describe the benefit of VLANs. Manage port-based (untagged) VLANs. Manage tagged VLANs. Manage protocol-based VLANs.
74
Figure 45: Summary
75
Lab
Turn to the Port-based VLAN Configuration Lab and the Tagged VLAN Configuration Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
76
Figure 46: Lab
77
Review Questions
1 Which of the following commands configures the green VLAN with a tag of 54? a create vlan green add ports all tag 54 b configure vlan green add ports all tag 54 c configure vlan green tag 54 d create vlan green tag 54 2 Which of the following pair of commands configures a new protocol filter? a create protocol new / configure protocol new add etype 0xfeff b configure protocol IPv6 / configure protocol IPv6 add etype 0x86DD c create protocol IPv6 / configure protocol add etype 0x86DD d configure protocol IPv6 / add etype 0x86DD to protocol IPv6 3 Which of the following statements is true? a The Ethernet management port is a member of the default VLAN b All ports are members of the management VLAN c You cannot disable the management VLAN d You may add ports to a disabled VLAN 4 Which of the following commands configures ports 4, 5, and 6 as tagged ports for the green VLAN? a create vlan green add ports 4-6 tagged b configure vlan green add ports 4-6 tagged c configure vlan green tag ports 4-6 d create vlan green tag ports 4-6 5 Which of the following commands displays a list of protocol filters? a show protocol b show protocol filter c show protocol list d show protocol configuration 6 Which of the following commands displays the configuration of the IP protocol filter? a show protocol b show protocol ip c show protocol configuration d show protocol ip configuration
78
7 Which of the following commands displays the VLAN tag value? a show vlan b show switch c show tag d show vlanid 8 How many VLANs can an untagged port be added to simultaneously? a One b Two c Eight d 4095 9 A VLAN defines which type of domain? a The collision domain b The broadcast domain c The routing domain d The physical topology 10 What is the IEEE specification for VLAN tagging? a 802.1Q b 802.1W c 802.1D d 802.1p 11 Which types of packets are flooded throughout the VLAN? a known unicast b broadcast c PING d collision detection 12 Port-based VLANs are also known by which other name? a MAC-Based VLANs b Tagged VLANs c Protocol VLANs d Untagged VLANs
79
Introduction to VLANs 13 What is VLAN tagging primarily used for? a To transparently interconnect existing VLANs in separate locations across a Metropolitan Area Network. b To dynamically determine VLAN membership based on the MAC address of the end stations connected to the physical port. c To dynamically determine VLAN membership based on a specified protocol. d To create VLANs that span multiple switches using uplinks. 14 Which of the following best describes protocol-based VLANs? a Dynamically assigns end stations to a VLAN based on the MAC address. b Dynamically assigns end stations to a VLAN based on the Layer-3 address. c Dynamically forwards packets within a VLAN based on a protocol filter. d Dynamically forwards packets within a VLAN based on the physical layer. 15 Which command displays the configuration of VLAN Blue? a show VLAN Blue b display VLAN Blue c confirm VLAN Blue d show VLAN Blue config 16 Which of the following commands creates a VLAN named "Blue?" a configure VLAN blue new b add VLAN blue ports all c create VLAN Blue d enable VLAN Blue 17 Which command adds ports 1-4 to VLAN Blue? a add ports 1-4 VLAN Blue b create VLAN ports 1,2,3,4 to Blue c enable VLAN Blue with ports 1-4 d configure VLAN Blue add ports 1-4 18 Which command disables VLAN Blue? a unconfigure VLAN Blue all b disable VLAN Blue c halt VLAN Blue d configure VLAN Blue disable
80
19 Which is the default VLAN ID for the default VLAN? a 0 b 1 c 4094 d 4095 20 Which of the following statements is true? a By default, all ports are members of the mgmt VLAN b By default, the management port is a member of the default VLAN c By default, all ports except for the management port are part of the default VLAN d By default, all ports are members of the control VLAN 21 Which command removes all ports from the default VLAN? a configure VLAN default delete ports all b configure VLAN default remove ports all c disable all default VLAN ports d unconfigure VLAN default ports all 22 Which of the following is a true statement? a VLAN names must match across links for the associated tagged VLANs to be contiguous. b Tags must match across links for the associated tagged VLANs to be contiguous. c Only one end of a link must be tagged for the associated tagged VLAN to be contiguous. d VLAN names and tags must match across links for the associated tagged VLANs to be functional.
81
Introduction to VLANs This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
82
Spanning Tree
Spanning Tree
Student Objectives
The Spanning Tree module explains what the Spanning Tree Protocol (STP) is used for and how it works. This module identifies the exact building blocks of the spanning tree protocol and how spanning tree is configured on Extreme Networks switches. It also discusses the Extreme Networks STP enhancements. Upon completion of this module, you will be able to:

Define the spanning tree protocol. Explain how spanning tree works. Identify the building blocks of STP. Describe the relationship between ports, VLANs, and the Spanning Tree Domain. Configure STP on Extreme Networks switches. Describe Extreme Networks STP enhancements. NOTE
Depending on the needs of the students, the instructor may choose to reduce or eliminate the protocol overview portion of this module.
Spanning Tree
Introducing the Spanning Tree Protocol

The spanning tree protocol is used to prevent loops in a redundant network topology. Prior to spanning tree being adopted, the network had to either be carefully designed to ensure that no loops were present in the network configuration, or use a proprietary algorithm provided by the bridge vendor to prevent loops. The spanning tree protocol, originally developed by the Digital Equipment Corporation (DEC) is described in the original documents as a bridge-based mechanism for providing fault tolerance on networks. Spanning tree allows you to implement parallel paths for network traffic, and ensure that:

Redundant paths are disabled when the main paths are operational Redundant paths are enabled if the main path fails
Spanning tree has been adopted by the IEEE committees to run on any LAN topology. Spanning tree is a protocol that performs the task of providing fault tolerance on networks and should not be confused with the functions of a transparent bridge. Most transparent bridges support the spanning tree protocol.
NOTE
STP is a part of the 802.1D bridge specification defined by the IEEE. In this module STP is explained using terms used by the 802.1 specification. So, the Extreme Networks switches are referred to as bridges.
NOTE
To search through the IEEE Standards Status Report for 802.1 go to the following link: http://standards.ieee.org/cgi-bin/status
Figure 2: Introducing the Spanning Tree Protocol
Spanning Tree
Network Redundancy
It is often required to design a network with redundancy at Layer 2 to ensure that frames always have an active path to their destination. Any one of the switch links in the illustration can fail and the 2 PCs can still exchange frames with each other.
Identifying the Requirement for Spanning Tree

When two or more Layer 2 switches connect two network segments, a circular path is formed and physical loops are created. Bridges and switches are designed to flood Ethernet broadcast packets and unknown traffic (where the destination is unknown and so must be sent out on each port). This causes the potential for traffic to loop around the network. When a broadcast frame is received on a switch port, the frame is re-transmitted out of every switch port (unless the switch ports are assigned to different VLANs). If the LAN network contains multiple paths, it can result in the broadcast frame being sent back and forth between the switches. This is often referred to as a broadcast storm. Broadcast storms grow exponentially and can bring a network down.
Figure 3: Network Redundancy
Figure 4: The Requirement for Spanning Tree
Spanning Tree
Identifying the Solution

To prevent broadcast storms, the spanning tree protocol eliminates redundant paths by placing one switch port in forwarding state and placing all other ports connected to the same segment in blocking state.
NOTE
Ports in the blocking state still participate in the Spanning Tree Protocol.
The spanning tree protocol solutions support the following:

Bridged networks must allow for redundancy. Only one path should be enabled to any destination on the network.
Figure 5: Identifying the Solution
Spanning Tree
Spanning Tree Algorithm

The Spanning Tree Algorithm (STA) dynamically configures a loop-free active topology from the connected components of a bridged LAN. Spanning tree uses the STA to calculate the best switch path through the network. The spanning tree protocol shares this information with all switches on the network using frames called Bridge Protocol Data Units (BPDUs). These management control frames are used to exchange STA calculations between the switches. Using the information provided by the BPDUs, the spanning tree protocol can then prune redundant paths.
Reconfiguration Due to Link Failure

Spanning tree maintains an active topology, which re-configures the network automatically if there is a topology change caused by, for example, a link up or link down situation. One of the most important features of any critical network is redundancy. The job of the spanning tree is to prune all of the redundant links. Reconfiguration of the active topology is also necessary as a result of the following:

Network components being removed An active bridge failing to forward packets Management changes made to the active topology
In the example shown, if one of the other links is lost, the link that was put into the blocking state by spanning tree, is returned to the forwarding state to restore connectivity.
10
Figure 6: Spanning Tree Algorithm
Figure 7: Reconfiguration due to Link Failure
11
Spanning Tree
Spanning Tree Port States

The operation of an individual bridge port is described in terms of the state of the port and the operations that provide and support the functions necessary for the operation of the bridge. The state of each port controls the processing of frames received on that port and the possible inclusion of the port in the active topology of the bridged LAN.
Blocking
A port in this state does not participate in frame re-transmission, to prevent frame duplication caused by multiple paths existing in the active topology of the Bridged LAN. A port enters the blocking state following initialization of the bridge, or because it has received information that another bridge is the Designated Bridge for the LAN to which the port is attached. A port in blocking state can transition to the listening state or be disabled by a management command.
Listening
A port in this state is preparing to participate in frame re-transmission, it makes no entries into the forwarding database. In the listening state, frame re-transmission is temporarily disabled to prevent temporary loops, which can occur as the active topology of the bridged LAN changes. A port in the listening state normally transitions to the learning state, but may transition back to the blocking state or be disabled by a management command.
Learning
A port in this state is also preparing to participate in frame re-transmission. In the learning state, frame re-transmission is still temporarily disabled, however, learning is now enabled to allow information to be collected prior to frame re-transmission. The learning process examines the source addresses of frames received on each port and creates (or updates) an entry in the forwarding database associating the port on which the frame was received with the MAC Address in the source address field of the frame. A port in the learning state normally transitions to the forwarding state, but may transition back to the blocking state or be disabled by a management command.
Forwarding
A port in this state is now taking part in frame re-transmission. A port in the forwarding state can forward received frames and make entries into the forwarding database. A port in the forwarding state may transition back to the blocking state or be disabled by a management command.
NOTE
The port states described represent a generic bridge and may not match the exact behavior of any given switch architecture.
12
Figure 8: Spanning Tree Port States
13
Spanning Tree
How Spanning Tree Works

Spanning tree sends out Bridge Protocol Data Unit (BPDU) packets at regular intervals. If there is a change in the status of a link, the BPDUs report this change, and the spanning tree then recalculates the best path through the network. The process of placing one active port in forwarding mode and blocking all other ports is repeated until a stable, active topology is achieved. A stable active topology is maintained by the root bridge by transmitting configuration messages out on all of its active ports. The designated bridges receive these BPDUs on their root ports, and the designated bridges propagate the information out on all of their active ports.
Bridge Protocol Data Unit

A BPDU is a special packet used to maintain the overall spanning tree topology. Bridges constantly communicate their status and any required configuration of the network with each other. BPDUs are sent to the bridge group address (01:80:C2:00:00:00). The two types of BPDUs are:

Configuration BPDUs Topology change BPDUs
Configuration BPDU (CBPDU)

A configuration BPDU is sent to all bridges from the root bridge. It is used to determine the least cost path and determine which bridge is the root bridge. The time-out information is transmitted in the configuration messages to all bridges. The time-out value accounts for propagation delay through the bridges in the spanning tree.
Topology Change BPDU

Whenever a designated bridge detects a topology change, such as bridges being added or removed, the root bridge failing, or manual configuration changes of bridge parameters, it sends out a topology change BPDU through it's root port. This information is eventually relayed to the root bridge. The root bridge then sets the topology change flag in it's CBPDU so that the information is sent to all bridges. It transmits this CBPDU for a fixed amount of time to ensure that all bridges are informed of the topology change. As a result the spanning tree is recalculated. All bridges flush their forwarding database to ensure that each active port still forwards frames to the right network after a topology change.
14
Figure 9: How Spanning Tree Works
15
Spanning Tree
Spanning Tree Protocol Building Blocks

When calculating the active path, there are several building blocks that STP uses to determine the active path. The building blocks are:

Bridge ID Bridge Protocol Data Unit Root Bridge Root Port(s) Designated Bridge Designated Port
The following slides show how these building blocks are used to determine the optimum single path throughout the network.
16
Figure 10: Spanning Tree Protocol Building Blocks
17
Spanning Tree
Selecting the Root Bridge

Each Spanning Tree Protocol Domain (STPD) has one root bridge, which is the controlling source of all spanning tree communications. The root bridge is at the top level of the hierarchy (i.e. the root of the spanning tree) and becomes the designated bridge for it's attached segments.
Determining the Root Bridge

The selection of the root bridge is based on a bridge ID. The bridge ID is an 8-octet number, consisting of a configurable bridge priority and the MAC address. If the bridge priority is not administratively configured, the MAC address is the determining factor in selecting the root bridge. In other words, the bridge with the lowest MAC address becomes the root bridge. The root bridge is determined through the following steps: 1 Initially each bridge in a spanning tree network transmits CBPDUs with a root bridge ID indicating that it is the root bridge. All directly attached bridges receive this information. 2 When a bridge receives a CBPDU it compares the root bridge ID in the CBPDU to its own bridge ID. If the root bridge ID in the CBPDU has a higher priority than the bridge ID of the receiver, the receiver saves the new root ID and starts sending CBPDU packets with the new bridge ID identified as the root bridge ID. 3 If the root ID received in a subsequent CBPDU is a higher priority than the root ID that was saved and is being sent out, the new root bridge ID is sent out. 4 Eventually all bridges reach agreement on the root ID of the root bridge.
18
Figure 11: Selecting the Root Bridge
Figure 12: Selecting the Root Bridge (Continued)
19
Spanning Tree
Selecting the Root Port

Every bridge in the bridged LAN, with the exception of the root bridge, has a root port. The root port has the lowest cumulative cost to reach the root bridge. In the active topology, other bridges that are not the root bridge select a port with the lowest path cost toward the root bridge. The definition of the root port is the port on a designated bridge that transmits to the root bridge. If a root port fails to receive timely CBPDU updates on it's root port, the spanning tree reconfigures because either the root bridge has failed, or because an intervening bridge or link has gone down. The root port is placed in the forwarding state, and there is only one root port per spanning tree per bridge, regardless of the number of ports in that tree.
20
Figure 13: Selecting the Root Port
Figure 14: Selecting the Root Port (Continued)
21
Spanning Tree
Selecting the Designated Bridge and Designated Port

A designated bridge is the bridge attached on each LAN segment that has the lowest cumulative path cost to the root bridge. If more than one bridge on the segment has the same root path cost, the bridge with the lowest bridge ID becomes the designated bridge for the LAN. Each LAN segment has it's own designated bridge offering the lowest path cost to the root bridge from that individual collision domain. The port on the designated bridge that provides the best path to the root bridge for the LAN segment is the designated port.
Designated Ports
The definition of designated ports, are the ports on a designated bridge that attach to the segments for which that bridge is the designated bridge. Certain ports are identified as designated ports. These ports are placed in the forwarding state and are the designated best path to the root bridge. If two ports offer the same best path to the root bridge, the port connected to the bridge with the lowest bridge ID becomes the designated port. If the bridge IDs are the same, (i.e. two links to the same bridge) the port with the lowest port priority is selected. Port priority can be configured or the port interface number can be used.
22
Figure 15: Selecting the Designated Bridge
Figure 16: Selecting the Designated Port
23
Spanning Tree
Forwarding and Blocking Ports

The ports on bridges that are not the designated bridge and the ports on other switches that are not the designated ports are placed in the blocking state. The blocking state prevents data packets from being forwarded on that port. These ports still receive and process STP BPDUs.
Active Topology
We can now see the end result of the calculation - there is a single active path through the network. You can also see that STP has selected the optimum path by giving preference to the links with the higher bandwidth. The remaining links are now blocked from one end and are only allowed to forward traffic if a change in topology occurs.
24
Figure 17: Forwarding and Blocking Ports
Figure 18: Active Topology
25
Spanning Tree
Detecting Topology Changes

Failures such as root bridge failure, port failure, link failure, and designated bridge failure cause reconfiguration changes to occur. The spanning tree topology is kept active through the transmission of BPDUs, and every two seconds the root bridge transmits a root bridge topology message (CBPDU) on all its active ports. The max age timer specifies the maximum time in which a bridge should receive a BPDU:

The default of this timer of 20 seconds Whenever a bridge receives a BPDU, it resets the max age timer
If 20 seconds expire, then the bridge assumes spanning tree has failed and the bridge goes into convergence state. When this situation occurs, the same process that initially selected the original root bridge is used again to determine which bridge should now become the new root bridge. In the case where an active piece of the topology changes, a different BPDU is used to signal the event. The topology change BPDU is released, forwarded, and repeated by the root ports until it finally reaches the root bridge. When the root bridge receives this BPDU, it sets a flag in its configuration BPDU signaling the bridges to recalculate the active topology.
A Change in Active Topology

In the example, the active link between switches 2 and 4 is broken and switch 4 is now cut off from the active topology. Switch 2 can send out a topology change BPDU through its root port which reaches the root bridge directly. The root bridge then modifies its configuration BPDU triggering a recalculation to restore an active topology.
26
Figure 19: Detecting Topology Changes
Figure 20: A Change in Active Topology
27
Spanning Tree
Recalculating Port States

The example in the illustration shows the original root port for switch 4 fails, the switch elects the next port with the lowest cost to the root bridge as the root port, and enables the port to forward traffic. Since the other end is the designated port, this link is now active and can forward the traffic to and from the switch.
New Active Topology

The new active topology ensures that there is still only a single path for the frames. In the event that the link between switches 2 and 4 is restored, STP again allows this link to forward traffic using the same process used when it failed.
28
Figure 21: Recalculating Port States
Figure 22: New Active Topology
29
Spanning Tree
Planning a Spanning Tree Topology

Before configuring switches to participate in a spanning tree, it is useful to plan the active topology and determine what happens during a failure. To plan the active topology, perform the following steps:

Draw the physical network. Identify where loops exist. Determine which bridge is the root bridge if default values are used. Decide which bridge should be the root bridge. Identify which STP parameters need to change to implement the desired root bridge. Determine which bridges becomes the designated bridges for each segment if default values are used. Decide which bridges should be the designated bridges. Identify which STP parameters need to change to implement the desired designated bridge. Determine which ports becomes the designated ports for each segment if default values are used. Decide which ports should be the designated ports. Identify which STP parameters need to change to implement the desired designated port. Label the network diagram with the root bridge, designated bridges, designated ports, and root ports. Create multiple copies of the network diagram. Determine how the network recalculates the port states and topology for each link failure scenario. Determine how the network recalculates the port states and topology for each bridge failure scenario. Decide how the network should recalculate port states for each port or bridge failure. Identify which STP parameters need to change to implement the desired topology for each failure scenario.
30
Figure 23: Planning a Spanning Tree Topology
31
Spanning Tree
Spanning Tree Enhancements

The Extreme Networks switches support the following modes of operation:
IEEE 802.1D This mode is used for backward compatibility with previous STP versions and for compatibility with third-party switches using IEEE standard 802.1D. Each port can only support one STPD running in 1D mode. IEEE 802.1w Rapid Spanning Tree (RSTP). RSTP takes advantage of point-to-point links in the network and actively confirms that a port can safely transition to the forwarding state without relying on any timer configurations. If a network topology change or failure occurs, RSTP rapidly recovers network connectivity by confirming the change locally before propagating that change to other devices across the network. For broadcast links, there is no difference in convergence time between STP and RSTP. RSTP supersedes legacy STP protocols, supports the existing STP parameters and configurations, and allows for seamless interoperability with legacy STP. Multiple Spanning Tree Protocol (MSTP), is based on the IEEE standard 802.Q-2004 (previously 802.1s). MSTP is able to bundle multiple VLANs into one spanning tree topology. MSTP provides the capability to logically divide a Layer 2 network into regions. Every region has a unique identifier and can contain multiple instances of spanning trees. All such regions are bound together using a common instance spanning tree, which is responsible for creating a loop free topology across regions while MSTP controls topology inside regions. MSTP uses rapid spanning tree as a converging algorithm and is fully interoperable with earlier versions of STP. NOTE
802.1w is easy to enable, provides faster switchover, and is compatible with 802.1D.
You can configure ports within an STPD to accept specific BPDU encapsulations. This STP port encapsulation is separate from the STP mode of operation.
PVST+ This mode implements Per-VLAN Spanning Tree (PVST)+ for compatibility with third-party switches running this version of STP. Extreme Multiple Instance Spanning Tree Protocol (EMISTP) This encapsulation mode is an extension of STP that allows a physical port to belong to multiple STPDs by assigning the port to multiple VLANs.
When a physical port belongs to multiple STPDs, it is associated with multiple STP ports. It is possible for the physical port to run in different modes for different domains to which it belongs.
Spanning Tree Enhancements are discussed in more detail in the class ExtremeXOS - Implementing Redundant Networks.
32
Figure 24: Spanning Tree Enhancements
Figure 25: Spanning Tree Enhancements (Continued)
33
Spanning Tree
Configuring a Single STPD in dot1w Mode

The switch can be partitioned into multiple virtual bridges. Each virtual bridge can run an independent Spanning Tree instance. Each Spanning Tree instance is called a Spanning Tree Domain (STPD). This page describes how to create a single spanning tree topology using 802.1w Rapid Spanning Tree Protocol (RSTP) mode. One STPD exists on the switch by default and is named s0. STPD s0 operated in 802.1D mode. To configure Rapid Spanning Tree Protocol on a switch, perform the following steps: 1 Configure the mode for the default STP domain to be 802.1w, by entering the following command: configure stpd s0 mode dot1w When configured in 802.1w mode, all rapid mechanisms are enabled. The benefit of this mode is on point-to-point and edge ports. You enable RSTP on a per STPD basis only. Not on a per port basis. 2 Add a VLAN to the 802.1w spanning tree protocol domain, by using the following syntax: configure stpd <stpd_name> add vlan <vlan name> port <portlist> 3 If necessary, specify the bridge priority in the spanning tree protocol domain to control which bridge is the root bridge, by using the following syntax: configure stpd <stpd_name> priority <priority> The range is 0 - 65535. The default priority is 32,768. The lower number is the higher priority. For RSTP, the priority level increases or decreases in size in increments of 4,096. If you modify the priority in increments other than 4,096, the switch automatically rounds down the priority to the next lower priority value. 4 If necessary, change the port path cost to control which bridge is the designated bridge and which port is the designated port, by using the following syntax: configure stpd <stpd_name> ports cost <auto | cost> <portlist> Specify auto to remove the user-defined port cost value and use the appropriate default port cost. 5 If necessary, specify the priority of the port, by using the following syntax: configure stpd {<stpd_name>} ports priority <priority> <portlist> The range is 0 - 31. The default is 16. The lower number is the higher priority. 6 Enable the STP protocol for the STPD, by using the following syntax. The default spanning tree domain is s0. enable stpd {<stpd_name>} An example configuration of STP on a single switch might look like the following: create vlan blue configure vlan default delete ports 1-3,6 configure vlan blue add ports 1-3,6 untagged configure stpd s0 mode dot1w configure stpd s0 add vlan blue port 1,2,3 configure stpd s0 priority 4 configure stpd s0 ports cost 15 1 configure stpd s0 ports cost 16 2 configure stpd s0 ports cost 17 3 enable stpd s0 enable ports 1-3
34
Figure 26: Configuring a Single STPD in dot1w Mode
Figure 27: Configuring a Single STPD in dot1w Mode (Continued)
35
Spanning Tree
Configuring STP Parameters

This page describes how to configure the behavior of the spanning tree protocol.
NOTE
You should not configure any STP parameters unless you have considerable knowledge and experience with STP. The default STP parameters are adequate for most networks.
The parameters that can be configured per STPD are:

Hello time Forward delay Max age
7 Specify the time delay (in seconds) between the transmission of BPDUs from this root bridge for this STPD, by using the following syntax: configure stpd <stpd_name> hellotime <seconds> The hello time range is 1 through 10 seconds. The default is 2 seconds. 8 Specify the time (in seconds) that the ports in this STPD spend in the listening and learning states when the switch is the root bridge, by using the following syntax: configure stpd <stpd_name> forwarddelay <seconds> The forwarding delay range is 4 through 30 seconds. The default is 15 seconds. 9 Specify the maximum age of a BPDU in this spanning tree protocol domain, by using the following syntax: configure stpd <stpd_name> maxage <seconds> The maximum age range is 6 through 40 seconds. The default is 20 seconds. 10 Verify the configuration settings, by using the following syntax: show configuration stp
36
Figure 28: Configuring STP Parameters
37
Spanning Tree
Verifying STP Configuration

This page describes how to verify the STP configuration and state. To verify spanning tree protocol information, enter the following command: show stpd detail The command displays the following information:

STPD name Bridge ID Designated root bridge ID NOTE
If the bridge ID and the Designated Root match, then this switch is the root bridge.
To verify the state of the spanning tree ports, use the following command syntax: show stpd <stpd_name> {[detail | <port_list> {detail}]} The command displays the following information:

STPD port configuration STPD state (the root bridge) STPD port state (forwarding and blocking.)
Unconfiguring STP
To disable the STP protocol, use the following command syntax: disable stpd {<stpd_name>} To restore the default spanning tree protocol values, use the following command syntax: unconfig stpd {<stpd_name>}
38
Figure 29: Verifying STP Configuration
Figure 30: Verifying STP Ports
39
Spanning Tree
Notes on Spanning Tree Configuration

The key points to remember when configuring VLANs and STP are the following:

The 802.1D ports must be untagged. A VLAN and port can belong to only one 802.1D STPD. If a port is a member of multiple VLANs then all those VLANs must belong to the same 802.1D STPD.
Key points of STP Operation are:
Spanning Tree is designed for a Layer 2 environment where you can have redundant paths but only have one active path at a time to eliminate loops which eventually cause broadcast storms. Each VLAN forms an independent broadcast domain. STP blocks paths to create a loop-free environment. When assigning VLANs to an STPD, pay careful attention to the STP configuration and its effect on the forwarding of VLAN traffic. When STP blocks a path, no data except BPDUs can be transmitted or received on the blocked port. Within any given STPD, all VLANs belonging to it use the same spanning tree. An STPD with multiple VLANs must contain only VLANs that belong to the same virtual router instance. You should remove all VLANs associated with the STP before deleting the STPD. If you do not remove all VLANs associated with the STPD, deleting the STPD also deletes the member VLANs which might not be desired. STP and load-sharing work together. STP and the redundant physical port/link work together. NOTE
Care must be taken to ensure that multiple STPD instances within a single switch do not communicate with each other in the same broadcast domain. For example, this could happen if another external bridge is used to connect VLANs belonging to separate STPDs.
40
Figure 31: Notes on Spanning Tree Configuration
Figure 32: Notes on Spanning Tree Operation
41
Spanning Tree
Summary
The Spanning Tree module presents the IEEE 802.1D Spanning Tree Algorithm and Protocol, and examines the implementation of the spanning tree protocol on traditional bridge technology. This Module also provides an explanation of how the spanning tree protocol may be configured on the Extreme Networks switch product family as well as Extreme Networks enhancements to STP. You should now be able to:

Define the spanning tree protocol. Explain how spanning tree works. Identify the building blocks of STP. Describe the relationship between ports, VLANs, and the Spanning Tree Domain. Configure STP on Extreme Networks switches. Describe Extreme Networks STP enhancements.
42
Figure 33: Summary
43
Spanning Tree
Lab
Turn to the Spanning Tree Configuration Lab in your XOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
44
Figure 34: Lab
45
Spanning Tree
Review Questions
1 What is the spanning tree protocol used for? a To provide fast protection switching for Layer 2 switches interconnected in an Ethernet ring topology. b To prevent loops in a redundant network topology. c To use a group of ports to carry traffic in parallel between switches. d To guarantee packet sequencing across redundant links.
2 What type of problem is caused by a loop topology in an Ethernet network? a Slow Layer 3 topology convergence. b Intermittent link flapping. c A broadcast storm. d Out-of-sequence packet delivery.
3 How does spanning tree protocol eliminate loops in an Ethernet network topology? a By disabling certain ports. b By distributing packets over multiple links using an address-based algorithm. c By forwarding each packet over the best path for that particular packet. d By placing certain ports in blocking mode.
4 What is the primary value used to determine the root bridge? a Bridge ID. b Port priority. c Bridge cost. d Port cost, path cost.
5 What is the primary value used to determine the designated bridge? a Bridge priority b Port priority c Bridge cost d Path cost
46
6 How does a bridge detect a link failure? a The CBPDU does not arrive before the max age timer expires. b The topology change BPDU does not arrive before the max age timer expires. c The CBPDU does not arrive before the hello timer expires. d The topology change BPDU does not arrive before the hello timer expires.
7 Which of the following spanning tree parameters is used to influence which bridge is elected as the root bridge? a The port priority b The hello timer c The port cost d The bridge priority
8 Which of the following commands activates the default spanning tree domain? a create stpd s0 b enable stpd s0 c create stpd s1 d enable stpd default
9 Which of the following commands configures the spanning tree bridge port cost? a configure stp port cost 15 6 b configure port cost 15 6 c configure stpd s0 port cost 15 6 d configure stpd bridgeport cost 15 6
10 Which of the following commands displays the configuration of the default spanning tree? a show stpd s0 b show stp c show stp default d show stpd default
11 Which of the following commands configures the spanning tree bridge priority? a configure stp bridge priority 4 b configure bridge priority 4 c configure stpd s0 priority 4 d configure stpd default priority 4
47
Spanning Tree 12 Which of the following commands configures the VLAN blue to participate in the spanning tree protocol? a configure vlan blue add stpd s0 b configure stpd s0 add vlan blue port 1,2,3 c configure stpd default add vlan blue port 1,2,3 d configure stpd default add vlan blue
13 Which of the following spanning tree parameters is used to influence which port is elected as the designated port? a The port priority b The hello timer c The bridge cost d The bridge priority
48
49
Spanning Tree
50
10 Ethernet Automatic Protection Switching
Ethernet Automatic Protection Switching
Student Objectives
The EAPS module presents basic information about the Ethernet Automatic Protection Switching (EAPS) feature. Upon completion of this module, the successful student will be able to:

Identify the EAPS ring elements. Describe the EAPS domain and VLAN relationship. Identify the control VLAN configuration rules. Describe EAPS MAC address and flush-FDB MAC address. Describe EAPS fault detection. Describe EAPS fault restoration. Identify the steps to create an EAPS ring. Configure EAPS. Verify the EAPS configuration and status.

The Need for Network Redundancy and Reliability
The need for business continuity has placed a greater demand on todays data networks redundancy and reliability are imperative and the network must be able to support them. The network infrastructure must be able to achieve a high availability with continuous access to resources. For this reason the networking industry has relied on the Spanning Tree Protocol (STP) in large Layer-2 networks to provide a certain level of redundancy. However, STP has proven inadequate to provide the level of resiliency required for real-time and mission-critical applications. It is important to note that the entire industry has recognized that a new technology is needed to replace STP and many vendors are in the process of developing pre-standard technologies to meet that requirement.
Extreme Networks Solution: EAPS

Ethernet Automatic Protection Switching is Extreme Networks solution for fault-tolerant Layer-2 ring topologies. EAPS major benefits include:

Loop-free operation Sub-second ring recovery
This revolutionary technology provides end users with continuous operation normally associated with the Public Switched Telephone Network. While EAPS provides an advanced function, it does so with radical simplicity. The real strength of EAPS comes from its ability to integrate into existing and new networks to solve real business issues. EAPS can be built using Ethernet at Layer-2, independent of the physical interface.
Licensing Requirements
You must have a Core or an Advanced Core license to configure and use all of the EAPS features described in this chapter. To use the complete EAPS functionality, including running two or more EAPS rings, having a switch belonging to multiple EAPS rings, or configuring shared-ports that allow multiple EAPS domains to share a common link, you must have a Core software license. A subset of EAPS, called EAPS Edgemode, is available with a Layer 2 Edge license and supports a subset of EAPS. The following features are available with EAPS Edgemode:

Switches can belong to one EAPS ring. Multiple EAPS domains are supported using two matching ring ports.
Figure 2: Ethernet Automatic Protection Switching
EAPS Domains and Ring Elements

EAPS operates as an EAPS domain on a single ring. Any VLAN that warrants fault protection is configured on all ring ports in the ring and then assigned to an EAPS domain. On that ring domain, one node is designated as the master. One of its two ring ports is designated as the primary port and the other as the secondary port. The master node blocks the secondary port for all non-control traffic belonging to the EAPS domain. This avoids a loop on the ring. Layer-2 switching and learning mechanisms operate as normal.
EAPS Elements
A ring is made up of two or more switches. The elements that create an EAPS ring include:
Master Node (S1) - One of the nodes on the ring is designated as the master. Switch S1 in the illustration is the master. Transit nodes (S2-S6) - All other nodes on the ring (S2-S6) are designated as transit nodes, and are also configured with primary and secondary ports. Primary Port (P) - The primary ring port on the master node. Secondary Port (S) - The secondary ring port on the master node. Control VLAN - Carries EAPS Master Health Check packets to determine EAPS ring status. Protected VLAN - Carries user data traffic. The EAPS Master blocks or unblocks the secondary port to the prevent Layer 2 loops.
Figure 3: EAPS Domains and Ring Elements
EAPS Domain and VLAN Relationship

An EAPS domain is configured to protect a group of data-carrying VLANs, called protected VLANs as shown in the illustration. Multiple domains can co-exist on the same EAPS ring protecting different sets of VLANs.
Control VLAN
One control VLAN is created per EAPS domain. This control VLAN is for the purpose of sending and receiving EAPS messages. The control VLAN is not blocked at the master secondary port and control traffic is received. The master sends out periodic poll packets (default = 1 sec) from its primary port on the control VLAN. The poll packets are received on the secondary port, thus verifying that the ring is up. The EAPS PDUs are removed by the Master. Even though the Control VLAN is not blocked on the Master, the EAPS PDUs do not loop around the ring. There can be multiple EAPS domains running on the same switch, each with its unique control VLAN.
NOTE
A control VLAN cannot belong to more than one EAPS domain. If the domain is active, you cannot delete the domain or modify the configuration of the control VLAN(s).
Rules for Configuring the Control VLAN

The following rules apply to configuring the control VLAN:

No user traffic should be on the control VLAN. The control VLAN must be a tagged VLAN. Only ring ports should be added. All ring ports should be tagged. No IP address should be assigned.
Figure 4: EAPS Domain and VLAN Relationship
Figure 5: Rules for Configuring the Control VLAN
EAPS MAC Address

The following EAPS MAC address is a special MAC address assigned to Extreme Networks. 00 e0 2b 00 00 04 The EAPS MAC address is used in the following ways in EAPS:
On the Master Node: When the EAPS domain is started, a static Forwarding Database (FDB) entry is created for this MAC address on the control VLAN. This FDB entry is viewable in ExtremeWare, but not in Extreme XOS. On the Transit Node: When the EAPS domain is started, a static FDB entry is created for this MAC address on the control VLAN. All EAPS packets destined to 00 e0 2b 00 00 04 are removed by the CPU of the EAPS Master.
EAPS Flush-FDB MAC Address

The EAPS FLUSH--FDB PDU is sent to. 00 e0 2b 00 00 04 The FLUSH--FDB PDU is used in the following ways in EAPS:

All EAPS FLUSH--FDB PDU are removed by the switch that originated the FLUSH-FDB PDU. Each node flushes its FDB when it receives this flush-FDB message, and forwards the FLUSH--FDB PDU to the next node.
The FLUSH--FDB PDU gets terminated in the ring when:

A nodes other ring-port is down. When the sending node receives a copy of the FLUSH--FDB PDU it originated.
10
Figure 6: EAPS MAC Address
Figure 7: EAPS Flush-FDB MAC Address
11
EAPS Fault Detection

EAPS fault detection occurs when one of the following occurs:

The master receives a special Link-Down-PDU generated by a transit switch that detects a fault. The master switch has a link failure on a ring port.
Upon learning of a fault, the master unblocks its secondary port, allowing protected VLAN traffic through.
12
Figure 8: EAPS Fault Detection
13
EAPS Fault Detection (Continued)

Fault detection is accomplished in one of the following two ways: 1 Link-down messages are sent by a transit switch. When a transit switch detects that any of its ring ports have lost link, it immediately sends a linkdown message to the master on its good link through the control VLAN. When the master receives this link-down message, it immediately:

Declares a failed state. Opens the logically blocked protected VLANs on its secondary port. Flushes its forwarding database. Sends a flush-FDB message to all transit switches on the ring through the control VLAN.
The other nodes on the ring need not be aware of the fault; they simply flush their FDB on all VLANs belonging to this domain. The MAC addresses are then re-learned following the normal Layer-2 learning mechanisms. 2 Polling Polling is the fail-safe method for ring recovery. During normal operation, the master node sends out a health-check packet every hellotime interval on the control VLAN. If the ring is complete, the master receives the packet on its secondary port. When the master receives the health-check packet, it resets its failtimer and remains in the complete state. If for any reason the health-check packet does not reach the master node, it sends a QUERY_LINK_STATUS_PDU to query the switches of the ring to verify if there is an actual link failure. When the failtimer expires on the Master and it does not receive a Link-Down-PDU the action taken depends on the option set using the following command: configure eaps <name> failtime expiry-action [open-secondary-port | sendalert] The switch acts in one of the following two ways:
The default option is send-alert, which sends an alert if the failtimer expires. The master node remains in a complete or init state, maintains the secondary port blocking, and writes a critical message to the syslog warning that there is a fault in the ring. An SNMP trap is also sent. The second option is the open-secondary-port parameter. The master node:

Declares a failed state. Opens the logically blocked protected VLANs on the secondary port. Flushes its FDB. Sends a flush-FDB message to all transit switches on the ring through the control VLAN.
Use the open-secondary-port option when the EAPS ring contains switches that do not support EAPS. Non-EAPS devices do not send a link-down message when their link goes down. If you specify this option it is recommended that you set the failtime to 15 seconds.
NOTE
By default, the EAPS polling failtimer is off. It is possible to use the failtimer for EAPS fault detection, but Extreme Networks does not recommend it.
14
Figure 9: EAPS Fault Detection (Continued)
15
EAPS Fault Restoration

The Master node continues to send health-check packets through its primary port even if the state is failed (i.e. the ring is broken). As long as there is a break in the ring, the masters failtimer keeps timing out, and it remains in the failed state.
Broken Link Restored

When the broken link is restored, the master receives its health-check packet back on its secondary port, and declares the ring to be complete. It then performs the following standard ring complete operations:

Logically blocks the protected VLANs on the secondary port Flushes the FDB on all transit switches
Preventing a Temporary Loop During Recovery

From the time the link comes up on the transit switch until the master detects the ring complete state and blocks the secondary port, the transit node must not begin forwarding traffic. Otherwise, a temporary loop may occur due to having all ports forwarding traffic on the ring. To prevent this condition, EAPS implement the following actions on the transit node: 1 Places all the protected VLANs on the repaired port in a blocked state 2 Remembers which port has been temporarily blocked 3 Sets its state to pre-forwarding
16
Figure 10: EAPS Fault Restoration
17
EAPS Fault Restoration (Continued)

When the master node detects the ring is up using polled health-check packets, it sends a flush FDB message to all the transit switches. When the transit switches receive this flush-FDB packet, they perform the following steps: 1 Flush FDBs on protected VLANs 2 If the state is set to preforwarding, begin forwarding on all the protected VLANs on that port While sub-second fault detection and recovery is good enough for some applications, it is not reliable enough for others when operating alone. Some applications rely on a higher-level protocol to retransmit and recover from a fault.
Multicast Applications and EAPS

Multicast applications do not rely on acknowledgement from the remote end and need a network protocol for a fast recovery. EAPS does just that. EAPS is fast enough to help multicast streams get redirected around a broken link, resulting in an uninterrupted multicast service. This is the type of traffic that frequently runs over a university distance-learning program, corporate voice-over-IP network, or service provider video broadcast. With real-time and mission-critical applications such as these, EAPS is the only choice for non-stop operation. All other protocols cause multicast clients to timeout or hang. Not only is the interruption noticeable but it also requires user intervention to get the service restarted. EAPS reduces overall business interruption and improves availability. When EAPS enters a failed state due to ring failure or complete state due to ring restoration, the EAPS Master issues an IGMP query as if it were the multicast Designated Querier on all protected VLANs. This causes the stations to respond with their IGMP reports, which speeds up routers in updating their IGMP memberships.
18
Figure 11: EAPS Fault Restoration (Continued)
19
EAPS Ring Design Considerations

EAPS was created to solve slow recovery times inherent to STP, in essence replacing STP in ring topologies. Although STP and EAPS use a similar mechanism to avoid network loops, EAPS provides much more control, resiliency, and flexibility. When designing an EAPS network, follow these best practices guidelines to achieve the desired results:
EAPS is a Layer 2 resiliency protocol designed for ring and interconnected ring topologies. A switch could be connected to a ring running EAPS on one side, and to a mesh network running STP on the other side.
EAPS can coexist with Layer-3 protocols like VRRP, ESRP, and OSPF. EAPS and STP should not be protecting the same VLANs. STP may set the VLANs in to a forwarding state while the EAPS Master is trying to block them, resulting in a loop in the network. EAPS can be used in the core or at the edge. An EAPS ring can be built with as few as 2 switches. There is no theoretical maximum on the number of switches on an EAPS ring. Multiple EAPS domains can coexist on a single ring. Multiple EAPS domains can be defined on a single node. Only one master can be defined per domain. An EAPS domain can be defined on only one ring (it cannot cross rings). Different switches support different maximum numbers for EAPS domains, domains per ring, and VLANs per switch. Both protected and control VLANs are counted towards the maximum VLAN limit. EAPS works with many technologies, like Ethernet (10, 100, 1000), WDM, vDSL, and WAN. The standby secondary port of the EAPS Master should be configured on the least busy link. The control VLAN should not carry data traffic or be assigned an IP address.
20
Figure 12: EAPS Ring Design Considerations
21
Fail Time Triggers

The Default EAPS ring failure detection mechanism is send alert. In this case, the EAPS Master is notified of an EAPS ring failure by the EAPS Transit Nodes. The non-default settings open-secondaryports can also be selected in which case the EAPS Master would determine ring failure if it did not receive three consecutive health check frames. The master might not receive a health-check packet for 3 seconds or more due to one of the following reasons:
Control Vlan is Misconfigured on the Ring

If the control VLAN is not configured properly around the ring (i.e. the VLAN ID is not configured correctly, or the ring ports are not added as tagged). The health-check packet does not make it back to the master, even though the ring itself is complete.
Bad Hardware on One of the Transit Nodes

A hardware failure could be an FDB memory error. Sometimes this can result in EAPS health-check packet being dropped because of a mismatch in the corrupted FDB memory. If the EAPS health-check packet get dropped on any node, the masters fail timer expires.
Link Saturation
If there is a broadcast storm or heavy traffic with a high priority 802.1p setting of 7, the EAPS healthcheck packet could be dropped on the ring.
CPU Queue on Master Congested

The EAPS health-check packet may have made it around the ring, but not received by the CPU on the master node due to congestion in the CPU queue. This results in the failtimer expiring.
Masters CPU is Busy

When the masters CPU is busy with another task and cannot process any of the health-check packets being queued up for 3 seconds, the fail timer expires.
Actual Cut in the Ring

It is possible for a link failure to already be present before the EAPS domain is started. If the ring is physically cut and master doesnt receive the Link-Down-Pdu Message, this timer expires.
NOTE
In Extreme Networks documentation the EAPS health-check packets are sometimes called health-check messages, health-check-PDUs, health packets, control packets, and health messages.
22
Figure 13: Fail Time Triggers
23
Steps to Configuring EAPS on the Network

There are five tasks that you have to complete in order to configure your network to use EAPS. 1 The first task is to configure the EAPS control VLAN. 2 The second task is to configure the EAPS protected VLANs. You will have to perform this task for every protected VLAN on your ring. 3 The third task is to configure the EAPS domain. You may configure more than one domain on your network. You may also configure more than one domain on the switch. You may also configure more than one domain on a link. EAPS allows you this flexibility. 4 The fourth step is to associate the control VLAN and protected VLANs with the EAPS ring. 5 The fifth and final step is to enable EAPS on each of the devices. Each of these step has multiple commands that must be completed on each switch in the proposed ring.
Configuring the Control VLAN

The steps involved in creating the EAPS Control VLAN are similar to creating any other VLAN with one exceptionthere should be no undated ports in this VLAN.
1 The first step in the three step process of configuring the EAPS Control VLAN is to create it. The command syntax is: create vlan <control_vlan_name> 2 That's simple enough. Now, make the VLAN an 802.1Q VLAN by adding a tag value with this syntax: configure vlan <control_vlan_name> tag <vlan_tag> 3 Okay, you're almost done. The last piece of the puzzle is to add the EAPS primary and secondary ports to the VLAN using the syntax: configure vlan <control_vlan_name> add port <EAPS_primary_port_number> tagged and configure vlan <control_vlan_name> add port < EAPS_secondary_port_number > tagged 4 That's it. You will need to repeat these steps on all the switches in the proposed EAPS ring to ensure that the control messages will be able to traverse the ring.
24
Figure 14: Steps to Configuring EAPS on the Network
Figure 15: Configuring the Control VLAN
25
Configuring Protected VLANs

The process for configuring EAPS Protected VLANs is very similar to the process for configuring the EAPS control VLAN with one exceptions: you may add undated ports to the VLAN. 1 The first step in the four step process of configuring an EAPS protected VLAN is to create it. The command syntax is: create vlan <protected_vlan_name> 2 Now, make the VLAN an 802.1Q VLAN by adding a tag value with this syntax: configure vlan <protected_vlan_name> tag <vlan_tag> 3 The next configuration step is to add the EAPS primary and secondary ports to the Protected VLAN using the syntax: configure vlan <protected_vlan_name> add port <primary_port #> tagged and configure vlan <protected_vlan_name> add port <secondary_port #> tagged 4 Finally, since the protected VLAN is meant to carry user packets, there has to be a way to get data into and out of the VLAN. One way top do this is to add other ports to the Protected VLAN. These ports can be tagged, or undated. Typically the ports would be tagged if the ports are connected to other switches or servers, or undated if the ports are user access ports. configure vlan <vlan_name> add port [tagged | untagged] 5 This last step is not required on all switches. If you only want the user data to pass through the device on its way to another switch, you only need to add the VLAN to the EAPS primary and secondary ports. Another way to get user data into and out of the protected VLAN is to assign a routing interface to the VLAN so that information can be placed on the VLAN using Layer three protocols.
NOTE
Make sure you follow these steps for all the switches in the proposed EAPS ring, and remember, that while each EAPS domain may only have one control VLAN, it can have multiple protected VLANs.
26
Figure 16: Configuring Protected VLANs
27
Configuring an EAPS Ring

To create an EAPS ring perform the following steps. 1 Create an EAPS domain on each switch, by entering the following command: create eaps <name> Each EAPS domain is identified by a unique domain name. The name parameter is a character string of up to 32 characters. NOTE
EAPS domain names and VLAN names must be unique, do not use the same name to identify an EAPS domain and a VLAN.
2 Configure one switch in the EAPS ring to be the master, by entering the following command: configure eaps <name> mode master One node on the ring must be configured as the master node for the specified EAPS domain. The remaining nodes in the EAPS ring must be configured as transit nodes. 3 Configure the remaining switches in the EAPS ring to be the transit nodes, by entering the following command: configure eaps <name> mode transit 4 Configure the Primary Port and Secondary Port on the nodes, by entering the following command: configure eaps <name> [primary | secondary] port <port number> Each node on the EAPS ring connects to the ring through two ring ports. As part of the switch protection scheme, one port must be configured as a the primary port and one port must be configured as the secondary port. Primary and Secondary ports have significance only on Master nodes. Whether a port is Primary or Secondary has no significance on Transit nodes.
28
Figure 17: Configuring an EAPS Ring
29
Configuring an EAPS Ring (Continued)

1 Add one Control VLAN to the EAPS domain, by entering the following command: configure eaps <name> add control vlan <name> You must configure one control VLAN for the each EAPS domain. The control VLAN is only used to send and receive EAPS messages. A control VLAN cannot belong to more than one EAPS domain. 2 Add the EAPS protected VLANs to the EAPS domain, by entering the following command: configure eaps <name> add protect vlan <name> When you configure the VLAN as a protected VLAN, the ring ports of the protected VLAN must be tagged (except in the case of the default VLAN). As long as the ring is complete, the master node blocks the protected VLANs on its secondary port. If the user configures a protected VLAN with undated ports, EAPS issues a warning message to the user. If this is the intention of the user, this warning message can be ignored. 3 Enable EAPS globally on each switch, by entering the following command: enable eaps 4 Enable EAPS on the domain on each switch, by entering the following command: enable eaps {<name>} 5 If desired, enable Fast Convergence on the switch, by entering the following command: configure eaps fast-convergence [off | on] The Fast Convergence feature ensures convergence in less than 50 milliseconds. NOTE
Enabling Fast Convergence disables link filters on all EAPS ring ports. This can result in problems if the ring ports start flapping between link-up/link-down states.
30
Figure 18: Configuring an EAPS Ring (Continued)
31
Disabling, Deleting, Unconfiguring, or Renaming EAPS

To disable EAPS globally on a switch, enter one of the following commands: disable eaps To disable one EAPS domain on a switch, enter the following command: disable eaps {<name>} To delete an EAPS domain, enter the following command: delete eaps <name> To uncofigure an EAPS primary or secondary ring port for an EAPS domain, enter the following command: unconfigure eaps <name> [primary | secondary] port Unconfiguring an EAPS port sets its configuration state to INVALID, which causes the port to appear in the Idle state with a a port status of Unknown. To rename an existing eaps domain, enter the following command: configure eaps <eaps domain> name <name>
32
Figure 19: Disabling, Deleting, Unconfiguring, or Renaming EAPS
33
Configuring Polling Timers and Failure Actions

To set the values of the hello timer the master node uses for the EAPS health check packet that is circulated around the ring for an EAPS domain, enter the following command: configure eaps <name> hellotime <seconds> NOTE
The hellotime and failtime apply only to the master node. If you configure the polling timers for a transit node, they are ignored. If you later reconfigure that transit node as the master node, the polling timer values are used as the current values.
The hellotime is the number of seconds the master node waits between transmissions of health check packets on the control VLAN. The value must be greater than 0. The default value is 1 second.
NOTE
Increasing the hellotime value reduces the number of health-check packets that must be processed by the master node.
To set the values of the failtime the master node uses for the EAPS health check packet, enter the following command: configure eaps <name> failtime <seconds> The failtime is the number of seconds the master node waits before the failtimer expires. The time must be greater than the configured value for hellotime. The default value is 3 seconds.
NOTE
Increasing the failtime might be useful when the network is congested. It allows the master node to wait longer to receive a health check packet.
Configuring the Fail Timer Action

To configure the action taken if there is a break in the ring, enter the following command: configure eaps <name> failtime expiry-action [open-secondary-port | sendalert] Use the send-alert parameter to send an alert when the failtimer expires. Instead of going into a failed state, the master node remains in a complete or init state, maintains the secondary port blocking, and writes a critical message to the syslog warning that there is a fault in the ring. An SNMP trap is also sent. Send-alert is the default. Use the open-secondary-port parameter to open the secondary port when the failtimer expires.
34
Figure 20: Configuring Polling Timers and Failure Actions
35
Verifying the EAPS Configuration and Status

To view EAPS domain information, enter the following command: show eaps {<name>} detail If you enter the show eaps command without an argument or keyword, the command displays a summary of status information for all configured EAPS domains. You can use the detail keyword to display more detailed status information. The output displayed by this command depends on whether the node is a transit node or a master node. The display for a transit node contains information fields that are not shown for a master node. Also, some state values are different on a transit node and on a master node.
Verifying the EAPS VLANs

To verify which VLANs are protected and which are the control VLAN, enter the following command: show vlan The flags in the show vlan command output identify which VLANS are protected and which is the control VLAN. To verify tagging on EAPS VLANs, enter the following command: show vlan <name>
Enabling EAPS Debug Messages

To log EAPS messages using ExtremeXOS, the log filter must have events added. To configure the log filter and enable log debug mode, enter the following commands: configure log filter <filter_name> add events EAPS severity debug-summary enable log debug-mode When using ExtremeWare switches, enable EAPS debug messages to be sent to the systole server enter the following command: configure debug-trace eaps 2
36
Figure 21: Verifying the EAPS Configuration
Figure 22: Verifying the EAPS VLANs
37
Summary

Identify the EAPS ring elements. Describe the EAPS domain and VLAN relationship. Identify the control VLAN configuration rules. Describe EAPS MAC address and flush-FDB MAC address. Describe EAPS fault detection. Describe EAPS fault restoration. Identify the steps to create an EAPS ring. Configure EAPS. Verify the EAPS configuration and status.
38
Figure 23: Summary
39
Lab
Turn to the Basic EAPS Configuration Lab in your XOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
40
Figure 24: Lab
41
Review Questions
1 Which of the following blocks the secondary port for all non-control traffic belonging to a specific EAPS domain? a Master Node b Transport Node c Primary Node d Transit Node 2 Which of the following commands creates an EAPS domain named D3? a configure eaps D3 b configure eaps id D3 c create eaps D3 d create eaps id D3 3 Which of the following commands configures a switch as an EAPS master for the EAPS domain D3? a configure eaps D3 master b configure eaps D3 mode master c configure D3 master d enable eaps D3 master 4 Which of the following statements is false? a Only ring ports should be members of the control VLAN. b The control VLAN must be a tagged VLAN. c User traffic is allowed on the control VLAN. d The control VLAN must be configured with QoS Profile 8 (QP8) on ExtremeWare switches. 5 Which command verifies the EAPS configuration? a enable eaps configuration display b show eaps configuration c display eaps detail d show eaps detail 6 Which of the following are four of the basic EAPS ring elements? a Master Node, Transport Node, Primary Port, Secondary Port b Master Node, Standby Node, Primary Port, Secondary Port c Primary Node, Secondary Node, Master Port, Secondary Port d Master Node, Transit Node, Primary Port, Secondary Port
42
43
44
11 IP Unicast Routing
IP Unicast Routing
Student Objectives
The IP Unicast Routing module presents Layer 3 unicast routing fundamentals, Internet Protocol (IP) forwarding, IP routing functionality, and how to configure IP forwarding on the Extreme Networks switches. Upon completion of this module, you will be able to:

Describe the difference between Layer 2 (L2) and Layer 3 (L3) operation. Define routing interface and IP route tables. Describe how entries are added to the IP route table. Add static entries in the IP route table. Configure IP unicast routing. Verify the IP unicast routing configuration.
IP Unicast Routing
Layer 2 Versus Layer 3 Operations

This page presents a brief description of Layer 2 and Layer 3 forwarding.
Layer 2 Data Forwarding

Layer 2 forwarding is known as bridging or switching. Forwarding decisions are based upon the Layer 2 hardware media access control (MAC) address of the device. VLANs (broadcast domains) are logically distinct and separate. When it comes to Layer 2 forwarding, VLANs can be pictured as two unconnected pieces of network media. With Layer 2 forwarding, data frames are transported only inside the VLAN. Data can be sent everywhere inside a broadcast domain (VLAN, LAN), but can not pass its borders. Devices in different VLANs cannot communicate with each other. The system uses a Layer 2 forwarding table called the forwarding database (FDB) to determine where to forward traffic.
Layer 3 Data Forwarding

The forwarding of datagrams at the third Layer-of the OSI model (e.g. IP) is known as routing. The terms Layer 3 switching and Layer 3 forwarding are used when the forwarding operations are done in hardware at wire speed. Data packets can be transported between VLANs by using Layer 3 gateways (routers, Layer 3 switches) to connect broadcast domains (LANs and VLANs). The gateway must have an interface in every VLAN to which they wish to connect. A Layer 3 Router enables devices in different subnetworks to exchange information by forwarding packets from one subnetwork to another. In contrast to bridging, Layer 3 Routing makes its forwarding decisions based upon the Layer 3 address (IP address), not on the Layer 2 hardware MAC address. The Layer 3 router stores the forwarding information in a routing table. When a packet is received by the router, it interrogates the routing table to determine where the packet should be forwarded to next.
Figure 2: Layer 2 Versus Layer 3 Operations
IP Unicast Routing
Layer 2 ARP Operations Review

When forwarding within the same VLAN, end-stations have to resolve the Layer 3 destination address to the destination MAC address. If host A wishes to send an IP packet to host B, host A must determine the host B Layer 2 address. This is accomplished using the address resolution protocol (ARP). Host A sends a broadcast ARP message asking all devices in the broadcast domain if they are configured with the target IP address. Host B replies with an ARP response, containing the host B MAC address. This enables host A to build a frame to send the IP packet to host B. The IP ARP table is used to cache the mapping of MAC addresses and IP addresses the switch has been able to reach. To displays the IP Address Resolution Protocol table, enter the following command: show iparp {<ip address> | <mac_address> | vlan <vlan name> | permanent} {vr <vr_name>} The display can be filtered by IP address, MAC address, VLAN or permanent entries. When the switch receives a packet with a destination MAC address that is not its own, the switch performs a Layer 2 forwarding function by doing a lookup in the forwarding database. When the switch receives a packet with a destination MAC address that is its own, it performs Layer 3 forwarding function.
Figure 3: Layer 2 ARP Operations Review
IP Unicast Routing
IP Routing Process
Upon receiving a packet, the router extracts the destination network address from the packet. Once the IP router (or IP gateway) has the target network address, it searches the routing table for the destination network. If the router finds more than one route to the destination network, it chooses the best route based upon priority and metric. Priority is assigned to a type of route. It may be assigned by how the route was learned by the system. For example, if the route was learned dynamically, it may receive a lower priority than one that is statically entered. Priority also may be based upon the routing protocol through which the route was discovered. For example, OSPF may have a higher priority than a route learned through RIP or IS-IS. If the router finds several route entries that have the same priority, the router further prioritizes the entries based upon the route Metric. The route metric describes the quality of the path to target network. Different routing protocols use various means of calculating a metric to the destination network. For example, the Routing Information Protocol (RIP) uses number of hops to the target network as the metric, while OSPF takes speed of link into consideration when calculating the Metric. After the router completes the route evaluation process, it is ready to take action. If the packet is destined to a directly attached network, the router finds the hardware (MAC) address of the destination station and sends the packet directly to the target device. If a route entry exists in the routing table to the target network, but the packet is not destined to a directly attached network, the router forwards the packet to the next-hop device. If a specific route entry to the target network does not exist in the routing table, the router forwards the packet to the default router. If there is no default route configured on the router, then the router discards the packet and - depending upon the configuration of the router - informs the station that sent it the packet that no route exists to the target network.
IP Routing Table
All routing decisions are made as a result of the contents of the routing table. The routing table defines the reachability of directly connected and remote networks. As you view the routing table, you will notice that it has the following information:
The IP network This field will be shown as a combination of the network address and the subnet mask. The network gateway This is typically the next hop router. If the network is directly connected, you should see the IP address of the VLAN's IP routing interface. The route metric This field defines the quality of the path to the target network. Since the routing table can contain multiple entries to a destination network, the router will pick the route with the lowest metric as it is considered to be of higher quality.
The routing table also identifies the source of the routing entry; whether the entry was automatically created, manually entered, or dynamically learned through a routing protocol such as RIP or OSPF.
Figure 4: IP Routing Table
Figure 5: Directly Attached Routing Table Entries
IP Unicast Routing
Directly Attached Routing Table Entries

In the case of a directly attached network, the router does not require the services of another gateway in order to deliver a packet to the target network since it is directly attached to the target network. Directly attached networks are created automatically when the administrator assigns an IP address to a VLAN using the syntax: configure vlan <vlan_name> ipaddress <ip_address> <netmask>
with the syntax shown on the screen. This informs the switch that the ports in the VLAN are a part of a particular network. To view the routing table, use the command: show iproute The screen provides you with a sample of the output of this command when executed on Router A. The routing table entry indicates that the route is to a directly attached network by assigning the value d in the origin field. The gateway IP address is the IP address assigned to the VLAN. Finally, the uppercase U flag indicates that this network connection is up. The lowercase u and m flags indicate that the route is appropriate for both unicast and multicast routing. As the illustration on the slide indicates, Network 10.0.1.0 and 10.0.2.0 are directly attached to Router A. Network 10.0.3.0 is not directly attached to Router A. A directly attached network is a VLAN with an assigned IP Address. When you assign the IP address to the VLAN, you instantly create a logical connection to the virtual router (VR). This logical connection is referred to as a router interface. Just because you have an interface to the virtual router does not mean that IP Packets are forwarded from VLAN to VLAN. You must first enable IP forwarding in order for packets to be routed internally between VLANs.
10
Figure 6: Directly Attached Routing Table Entries
Figure 7: Directly Attached Routing Table Entries (Continued)
11
IP Unicast Routing
Static Routes
Static routes are entries in the routing table that are manually entered by the administrator. These types of entries are typically used to reach networks that are not advertised by other routers. You may also use static routes when you have no routing protocol configured on your system. You use the following syntax to enter a static route: configure iproute add <network_addr> <netmask> <gateway> When you configure a static route, you inform the router of the existence of a network, the network's address and subnet mask, and the next hop gateway. You also assign a metric to the route to indicate the quality of the path. The static route must be associated with a gateway that is on a directly attached subnet. If a VLAN is subsequently deleted, the static route entries using the IP address that was associated with the VLAN must be deleted manually. Static routes never age out of the routing table. If there is a problem with the route, the router may continue to forward packets to the target network based upon the information provided by this route entry even though communication has been interrupted. A static route entry will have the value s in the Origin field. It will also have the value, uppercase S in the Flags filed. Static routes will also have an uppercase G in the Flags field to indicate that this entry points directly to a gateway and not to a network. As the slide illustrates, in order to forward packets that originate on network 1 to network 3, router A must either have learned about the network through the use of a routing protocol, or by having the route information manually entered into the routing database.
Default Route Routing Table Entry

A default route is the route of last resort. It is a manually entered, static route that is used if no other route to the destination network can be found. The command syntax to create a default route is: configure iproute add default <gateway> A default route entry has many of the same characteristics of a static route entry - such as a lowercase s in the origin field, and uppercase S and uppercase G flags. The default route entry is distinguished by the fact that the words Default Route actually appear in the destination address instead of an IP network address. In the example on the screen, even though Router A only has routing table entries for Network 1 and 2, it can still forward packets to other networks by sending them to the default router (Router B)
12
Figure 8: Static Routes
Figure 9: Default Route Routing Table Entry
13
IP Unicast Routing
Black Hole Route Routing Table Entry

A black hole routing entry is a special type of static route. This type of entry informs the switch to silently discard all packets destined for the referenced network. The originating station is not told that the packet has been dropped, or that the network is unreachable. You may want to insert these types of route entries on the perimeter of your network to protect specific internal networks from receiving traffic from outside of the enterprise. A black hole route entry is identified in the routing table by the b in the origin field. Also, the Flags field contains an uppercase B flag along with the uppercase S (Static) flag. Use the following syntax to create a black hole route: configure iproute add blackhole <ipaddress> <netmask> The black hole route is added to the IP route table with the specified IP destination address. These routes may be used as a security measure.
Dynamic Route Entries

Dynamic route table entries are reachable routes learned using a dynamic routing protocol, such as Routing Internet Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), or Intermediate System-to-Intermediate System (IS-IS). The maximum number of entries possible varies, depending on the routing protocol and switch type. Dynamic entries are aged out when an update is not received for a period of time. This is a function of the routing protocol used. The routing protocol that provides the route is identified in the origin field. This completes our discussion of routing tables.
14
Figure 10: Black Hole Route Routing Table Entry
Figure 11: Dynamic Route Entries
15
IP Unicast Routing
IP Routing, IP Switching, IP Forwarding

IP Routing, IP Switching, and IP Forwarding are three terms for the same thing - forwarding IP packets based upon IP address - with some small differences in methodology. In order for IP Routing and IP Switching to work, IP Forwarding must be enabled on the switch. Therefore, it is safe to say that IP Routing and IP Switching are IP forwarding implementations. To further complicate things, the terms IP switching and IP forwarding are sometimes substituted for one another, and are considered to be synonymous. However, for our discussion, we will define these terms as follows:
IP Routing is an IP forwarding methodology that is implemented in software and requires that the CPU examine the packet to make a forwarding decision. IP Switching is an IP forwarding methodology that is implemented in a hardware ASIC.
With IP Switching, once a network route is learned, the CPU programs the IP Address and MAC address of the next hop device (gateway or end station) into the switching ASICs. When subsequent packets destined for the same IP address are received, the hardware looks up the IP address in the forwarding table, and sends the packet to the associated MAC address. Packet forwarding now occurs at wire speed since the system's CPU is no longer involved. Not only does the CPU program an entry for the target device, but it also programs an entry for the source device so that packets sent back to the source can also be forwarded at wire speed.
16
Figure 12: IP Routing, IP Switching, IP Forwarding
17
IP Unicast Routing
IP Forwarding / Switching
As soon as it receives a packet, the switching engine compares the Layer 3 Destination IP Address with the entries in its Layer 3 forwarding table. If the switch cannot find an entry, then the packet is forwarded to the CPU for processing using the IP Routing algorithm. If the router is able the locate the IP address in the forwarding table, it will make the following changes to the packet and then forward it: 1 Insert the next-hop device's destination MAC address in the destination address field of the Ethernet Header. 2 Place its own MAC address in the source address field of the Ethernet Header 3 Decrement the Time to Live (TTL) field by one 4 Recalculate the IP Header checksum because of the change in the Time to Live field NOTE
Using this methodology, only the first packet to a station needs to be examined and processed by the CPU using IP Routing algorithms. All subsequent packets to the same destination station are switched at wire-speed using the Layer 3 forwarding table.
18
Figure 13: IP Forwarding / Switching
Figure 14: IP Forwarding / Switching (Continued)
19
IP Unicast Routing
Directly Attached Forwarding Example

In the illustration, host 1 sends a packet with the destination IP address of host 3 to the MAC address of the router, which is the default gateway. The switch receives the packet, consults its own routing table, and determines that the packet should be forwarded out port 3. The router places its own MAC address in the source MAC address field, and the MAC address of host 3 in the destination MAC address field. The IP addresses are not changed.
Multiple Hop Layer 3 IP Forwarding Example

In the illustration the following takes place:
Host A sends a packet with the destination IP address of Host E to the MAC address of the Layer 3 switch S2. Switch S2 receives the packet, consults the route table, and determines that the packet should be forwarded out port 17. Switch S2 places its own hardware address in the source MAC address field and the MAC address of the next hop switch S1 in the destination MAC address field and transmits the packet. The IP addresses are not changed. Switch S1 receives the packet, consults the route table, and determines that the packet should be forwarded out port 1. Switch S1 places its own hardware address in the source MAC address field and the MAC address of Host E in the destination MAC address field and transmits the packet. The IP Address fields are not changed. Finally, the packet arrives at Host E.
20
Figure 15: Directly Attached Forwarding Example
Figure 16: Multiple Hop Layer 3 IP Forwarding Example
21
IP Unicast Routing
Relative Route Priorities

Relative route priorities are assigned to routes learned by the switch depending upon the source of the routing information (route origin field). The table in the illustration lists the relative priorities assigned to different routing protocol sources. As you can see, directly connected networks always get the highest priority. To view the relative route priority table, use the command syntax: show iproute priority You may also change the priority for all routes from a particular routing information origin. To do that, use the command: configure iproute priority NOTE
Do not attempt any manipulation unless you are expertly familiar with the possible consequences.
22
Figure 17: Relative Route Priorities
Figure 18: Relative Route Priorities (Continued)
23
IP Unicast Routing
Virtual Router Overview

Up to this point, we have been discussing how a physical router operates. With Extreme switches, there is a concept of virtual routers. A virtual router is an emulation of a physical router in software. This allows for multiple routing engines to occupy one physical device. virtual routers provide the network with the ability to configure separate routing domains for various customers. Each virtual router has its own routing domain. That means that each VR will maintain its own routing table, and will not know about the entries in the other VRs routing table. virtual routers can share ports with other virtual routers. Routing cannot take place between virtual routers without the help of an external device. Three virtual routers exist by default: VR-Default, VR-Mgmt, and VR-Control. Only VR-Default and VRMgmt may be interrogated by the user. User created virtual routers are supported on BlackDiamond 10808 and BlackDiamond 12800 series switches. Some commands - typically device management commands - allows the virtual router to be specified even on switches that only support system virtual routers. ping vr vr-default 10.0.0.3 ping vr vr-mgmt 10.209.10.19 The virtual router may be specified in the following commands:

ping tftp download telnet configure iproute create vlan configure vlan NOTE
The syntax used to target a particular virtual router may differ depending upon the command. Also, some commands may default to using VR-Mgmt while others may target VR-Default. Please consult your documentation to verify the syntax and default VR for the command being used.
24
Figure 19: Virtual Router Overview
Figure 20: Virtual Router Overview (Continued)
25
IP Unicast Routing
Configuring IP Forwarding - CLI Commands

This provides you with the specific commands that will enable you to configure IP forwarding on your switch 1 Create the VLANs that are required for your network, using the syntax: create vlan <vlan name> 2 Add ports to the VLANs with the syntax: configure vlan <vlan name> add ports <portlist> Remember that if a port is a member of another VLAN, it must be deleted from that VLAN before it can be added to a new one. 3 Assign an IP address to each VLAN using the syntax: configure vlan <vlan name> ipaddress <ipaddr> {<netmask> | <mask length>} 4 Enable IP forwarding for all VLANs using the syntax: enable ipforwarding {ipv4 | broadcast} {vlan <vlan_name>} 5 Add static routes, or enable dynamic routing in order to inform the Layer 3 switch of subnets that are not directly attached to the device. Since we haven't discussed routing protocols yet, we'll use the syntax shown on the screen to create a static route: configure iproute add [<ipNetmask> | <ip_addr> <mask>] <gateway> <metric> {vr <vrname>} {multicast-only | unicast-only} Remember, IP forwarding is disabled by default on Extreme Networks switches. Before using the routing function, make sure that IP forwarding is enabled. Each VLAN should have a unique IP address. If you choose to use a dynamic routing protocol, make sure that you enable it globally on the switch.
Configuring IP Forwarding Optional CLI Commands

There are other commands that you may use to further configure IP routing on the switch. One of the valuable options that you may want to consider is to create a default route. This will enable the device to forward traffic to a specific gateway when the router is unable to find a network entry that corresponds to the destination IP address in packet. The syntax to create a default route is: configure iproute add default <gateway> {vr <vrname>} {<metric>} {multicast-only | unicast-only} As you can see from the syntax, you have the ability to assign the default route to a specific virtual router. You may also specify if the default route is to be used for unicast routing only, multicast routing only, or both. Other optional functionality that you may want to consider is to create a black hole route entry in the routing table. As you may recall, a black-hole route entry causes the router to silently discard any packets that are destined for the specified network. The command syntax to implement a black hole route is: configure iproute add blackhole [<ipNetmask> | <ipaddress> <mask>] {vr <vrname>} {multicast-only | unicast-only}
26
Figure 21: Configuring IP Forwarding - CLI Commands
Figure 22: Inter-VLAN Communication
27
IP Unicast Routing
Configuring IP Forwarding - Configuration Example

The following script creates the configuration for router R1. create vlan vlan1ip configure vlan1ip add ports 2 configure vlan1ip ipaddress 10.1.0.1/24 create vlan vlan0ip configure vlan0ip add ports 1 configure vlan0ip ipaddress 10.0.0.1/24 enable ipforwarding configure iproute add 10.2.0.0/24 10.0.0.2 2 configure iproute add default 10.0.0.3 Based upon this command script, you can see that the configuration for router R1 has the following characteristics:

Two VLANs were created on the switch An IP address has been assigned to each VLAN. IP forwarding is enabled for each VLAN. Static routes have been used instead of dynamic routing protocols.
You do the similar configurations for R2 and R3. Once its done, packets can be routed between remote networks.
28
Figure 23: Configuring IP Forwarding - Configuration Example
29
IP Unicast Routing
Verifying the IP Configuration

To display the current configuration of IP unicast routing for the switch and for each VLAN, enter the command show ipconfig The output includes global flags, global timers, and VLAN-specific information. Among the pieces of information provided by the Flags are:

If forwarding is enabled on the VLAN. If the interface is enabled. If the interface is currently operational.
Verifying the IP Route Table

In order to view the contents of the IP route table, use the following command: show iproute The route origin field identifies how the route entry was learned by the system. The pound sign in the origin field indicates that the route is the preferred unicast and multicast route. The letter S in the origin field identifies the route entry as a static entry. Shown in the routing table is a list of destinations the associated gateways through which those destinations can be reached. If you're interested in finding the route entry of a particular network, you can use the command syntax: rtlookup <ipaddress> vr <vr_name> This command will return the route entry for the specified network. In a large network, this command could save you time in sorting through a large volume of entries.
30
Figure 24: Verifying the IP Configuration
Figure 25: Verifying the IP Route Table
31
IP Unicast Routing
Verifying the IP ARP Table

To verify the contents of the IP ARP table, use the following command syntax: show iparp This command can be used to verify the switches view of the devices that are on directly attached networks. In order to deliver a packet to a device that is directly connected to the switch, the unit must send an ARP request to determine the destination station's hardware address. Once the hardware address is determined, it is placed in a lookup table and associated with its IP Address. Future packets to the station's IP address will be forego the ARP lookup process as the hardware address has already been determined. The address will remain in the table until the entry expires due to inactivity.
NOTE
The command syntax contains an option to allow you to locate a MAC address when you know the IP address. It also allows you to limit your search so specific VLANs or VRs.
If you wish to clear the ARP table, you may do so by issuing the following command: clear iparp This command will also allow you to remove a single entry from the ARP table by specifying an IP address. Also, if you wish to remove all ARP entries related to a particular VLAN, you may do so by using the command's VLAN option. If you move an IP address from one device to another in your network, you may want to use this command to force the switch to learn the hardware address of the new device. Otherwise, the switch may continue to forward IP packets to the old hardware address.
Verifying IP Statistics
Use the following command to view global and per-VLAN IP routing statistics: show ipstats This command categorizes the statistics display into four sections:

Global Statistics ICMP Statistics IGMP Statistics Router Interface Statistics
IP Global Statistics consist of system-wide counters for normal and abnormal events. This command allows you to:

Limit the results to only IPV4 Statistics using the ipv4 option. View only the VLAN statistics of a particular VLAN using the VLAN option. Limit the results to those of a particular VR using the VR option.
32
Figure 26: Verifying the IP ARP Table
Figure 27: Verifying IP Statistics
33
IP Unicast Routing
Verifying IP Statistics (Continued)

The Global ICMP Statistics include important statistics regarding routing, such as:

Destination Unreachable Redirect Router Advertisement
The IGMP Statistics shown on this page provide information about the Internet Group Management Protocol. This protocol is used to manage the membership of IP Multicast Groups. The fourth section of the show ipstats command provides a subset of IP statistics related to each of the VLANs configured on the device. These statistics can aid in troubleshooting as they identify the number of packets in and out of a VLAN, as well as the number of transmissions and receptions that resulted in an error condition.
34
Figure 28: Verifying IP Statistics (Continued)
Figure 29: Verifying IP Statistics (Continued)
35
IP Unicast Routing
Managing ICMP Messages

As you design your IP Unicast Network, you may want to manage the Internet Control Message Protocol (ICMP) Queries and Responses. ExtremeXOS allows you to customize the way your switches handle ICMP. You may enable or disable the following ICMP parameters using the following command syntax: enable icmp <parameter> {vlan [all|<vlan name>]} disable icmp <parameter> {vlan [all|<vlan name>]}
Table 1: Syntax Description

address-mask parameter-problem Controls the generation of an ICMP address-mask reply (type 18, code 0) when an ICMP address mask request is received. The default setting is disabled. Controls the generation of an ICMP parameter-problem message (type 12) when the switch cannot properly process the IP header or IP option information. Controls the generation of ICMP port unreachable messages (type 3, code 3) when a TCP or UDP request is made to the switch, and no application is waiting for the request, or access policy denies the request. This parameter controls the generation of ICMP redirects (Type 5) to hosts who direct routed traffic to the switch where the switch detects that there is another router in the same subnet with a better route to the destination. Controls the generation of an ICMP time exceeded message (type 11) when the TTL field expires during forwarding. IP multicast packets do not trigger ICMP time exceeded messages. Controls the generation of an ICMP timestamp response (type 14, code 0) when an ICMP timestamp request is received. Controls the generation of an ICMP Destination Unreachable, Network Unreachable response (type 3, code 0). Controls whether or not the switch will use the router identified in a redirect message. This option only applies to the switch when the switch is not in routing mode. If the switch has a route to a destination network, the switch will use that router as the gateway to which to forward the packets. If the target router knows about a better route to the destination, and the next hop is in the same subnet as the originating router, the target router will send an ICMP redirect message to the forwarding router. If ICMP useredirects is disabled on the forwarding router, the switch disregards these messages and continue to send the packets to the target router.
port-unreachables
redirects
time-exceeded
timestamp unreachables userredirects
If you omit the VLAN option when invoking the command, then the command will be applied to all VLANs. To reset all ICMP settings to the default values, use the following command syntax: unconfigure icmp
36
Figure 30: Managing ICMP Messages
37
IP Unicast Routing
Using the PING Command

A common tool used to test IP forwarding or routing is the ping command. The ping command sends an ICMP echo request to the specified IP address, and the device with that address responds with an ICMP echo response. Ping is frequently used to test IP forwarding to router interfaces on a different sub network. In a traditional routed environment, you can ping the router interface on a different subnet to verify that you can reach that subnet. This is because traditional routers only respond if Layer 3 forwarding is enabled and the target subnet is reachable. However, in a Layer 3 switched environment, using Extreme Networks switches, theres an unexpected behavior. Extreme Networks Layer 3 switches respond for local router interfaces on a different sub network even if IP forwarding is not enabled. If you ping a router interface that is configured on a switch and is active, the router interface responds with an ICMP echo response even though IP forwarding is not enabled. Therefore, a successful ping response does not mean that IP forwarding is enabled.
NOTE
All router interfaces use the same MAC address.
38
Figure 31: Managing ICMP Messages
39
IP Unicast Routing
Additional IP Unicast Features

There are additional IP routing features supported on Extreme Networks switches, including proxy ARP, IP Multinetting, DHCP, and DHCP and BOOTP relay. Proxy ARP allows the switch to answer ARP requests for other stations. There are two cases where proxy ARP is needed. One, devices on the subnet are not capable of responding to an ARP request. Two, when a station cannot access a default gateway because it is configured with a more general subnet mask than that of the switch. IP multinetting is also supported. In many legacy IP networks, theres a need to overlap multiple subnets into one physical port, with third-party devices that do not support tagging. In normal operation, you can only assign an untagged port to one router interface. IP multinetting allows untagged assignment of multiple VLANs to the same physical port. A DHCP server with limited configuration capabilities is included on the switches to provide IP addresses to clients. The DHCP sever is not supported as a stand-alone feature. It is used only as a part of the network locking feature. DHCP and BOOTP relay can be used in various applications, including DHCP services between Microsoft Windows NT servers and clients. It forwards DHCP and BOOTP requests on behalf of clients. UDP forwarding is used to handle the directed forwarding of broadcast UDP packets. It allows applications to be directed to different DHCP servers. Example applications are multiple DHCP relay services from referring sets of VLANs. Network address translation is a feature that allows one set of IP addresses, typically private IP addresses, to be converted to another set of IP addresses, typically public information. This conversion is done transparently by having a NAT device rewrite the source IP address and Layer-4 port of the packets. Extreme Networks switches support PIM, protocol independent multicasting. It supports two modes of PIM: dense mode and sparse mode. IP multicasting enables a host to send IP packets to a group of hosts anywhere within the IP network. IP multicasting is used to provide video and audio conferencing and streaming applications.
NOTE
Please refer to the documentation for more details on these features.
40
Figure 32: Additional IP Unicast Features
Figure 33: Additional IP Unicast Features (Continued)
41
IP Unicast Routing
Lab
Turn to the Static Routing/IP Forwarding Configuration Lab in your XOS Operations and Configuration Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
42
Figure 34: Lab
43
IP Unicast Routing
Review Questions
1 What are the types of permanent route entries that can be configured? a Static, black hole, and default. b Directly connected, dynamic, and permanent. c RIP, OSPF, and directly connected. d RIP, OSPF, and static.
2 Which of the following commands configures a black hole route? a configure iproute add 10.1.0.0/24 blackhole b configure iproute blackhole 10.1.0.0/24 c configure iproute add blackhole 10.1.0.0/24 d create iproute blackhole 10.1.0.0/24
3 By default, which of the following is used to determine the relative route priority? a The order the route is learned in. b The route metric. c The port priority of the port where the route is learned. d The route origin.
4 Which of the following commands configures a default route? a configure iproute add default 10.0.0.3 b create iproute add default 10.0.0.3 c configure iproute default 10.1.0.0 10.0.4.1/24 d create iproute add default 10.1.0.0 10.0.4.1/24
5 Which of the following commands shows the mapping between IP addresses and MAC addresses? a show fdb b show arpmap c show iparp d show ipstats
44
6 Which of the following commands configures a static route? a configure iproute add 10.1.0.0 255.255.255.0 10.0.4.1 b create iproute add 10.1.0.0 255.255.255.0 10.0.4.1 c configure iproute add 10.1.0.0 10.0.4.1 255.255.255.0 d create iproute add 10.1.0.0 10.0.4.1 255.255.255.0
7 Which of the following commands displays the IP route origin? a show route table b show ipfdb c show iproute d show fdb
8 The switch cannot route statically until which of the following happens? a The VLAN is assigned an IP address, neighbor gateways establish adjacencies, the VLAN is configured to use static routes, and the router interface is active. b The VLAN is assigned an IP address, neighbor gateways establish adjacencies, the VLAN is configured to use static routes, and IP forwarding is enabled globally. c The VLAN is assigned an IP address, IP forwarding is enabled, the VLAN is active, and neighbor gateways establish adjacencies.
d The VLAN is assigned an IP address, IP forwarding is enabled, the VLAN is configured to use static routes, and the router interface is active.
9 What is the primary difference between Layer 2 forwarding and Layer 3 forwarding? a Layer 2 forwarding is based on the MAC address and Layer 3 forwarding is based on the IP address. b Layer 3 forwarding is based on the MAC address and Layer 2 forwarding is based on the IP address. c Layer 3 forwarding is performed on the first packet only and Layer 2 forwarding is performed on all subsequent packets.
d Layer 2 forwarding is performed on the first packet only and Layer 3 forwarding is performed on all subsequent packets.
45
IP Unicast Routing 10 What is the primary difference between routing and Layer 3 forwarding in an Extreme Networks switch? a Layer 3 forwarding is performed on the first packet only and routing is performed on all subsequent packets. b Routing is performed on the first packet only and Layer 2 forwarding is performed on all subsequent packets. c Routing using the CPU is performed on the first packet only and Layer 3 forwarding using an ASIC is performed on all subsequent packets.
d Layer 2 forwarding is performed on the first packet only and routing is performed on all subsequent packets.
46
47
IP Unicast Routing
48
12 Configuring RIP
Configuring RIP
Student Objectives
The Configuring RIP module describes how to configure the Routing Information Protocol (RIP) v1 and RIP v2 IP unicast routing protocols. Upon completion of this module, the successful student will be able to:

Describe the RIP routing protocol. Identify the limitations of RIP version 1. List the benefits of RIP version 2. Interpret RIP routing table entries. Describe the Split Horizon and Poison Reverse loop resolution protocols. Describe the operation of triggered updates. Configure the RIP routing protocol. Verify the RIP configuration. Test RIP operation. NOTE
Prerequisites
The course content assumes that students are familiar with IP Unicast routing. If not, refer to the following publications for additional information:

RFC 1058 - Routing Information Protocol (RIP) RFC 1256 - ICMP Router Discovery Messages RFC 1723 - RIP Version 2 Book: Interconnections: Bridges and Routers by Radia Perlman ISBN 0-201-56332-0. Published by Addison-Wesley Publishing Company
Configuring RIP
Limitations of Manual Configuration

The limitations of manual route table management become apparent as your network begins to grow. The illustrated example network includes 50 switches, 10 subnetworks, and a fully meshed topology (where every subnetwork is interconnected), and over 500 devices. In a small network with few routers and router connections, it is a relatively simple task to maintain the network routing table by using only static entries. However, as the network begins to grow in complexity with new routers, subnets, and connections between routers, it becomes much more difficult to manually configure the routing table. Every time a subnetwork is added or changed, the administrator must go to each router in the network to add the route, consuming more and more of the administrator's time. To resolve this problem, dynamic routing protocols were invented. With this technology, routers exchange information about their routing tables. Eventually, all routers in the network know about the subnetworks that exist and how to reach them. Over the course of this module, we'll discuss the Routing Information Protocol (RIP) versions 1 and 2. This is one of the earliest routing technologies that was implemented, and still is one of the easiest to configure. The Extreme Networks range of switches incorporates this functionality as a separate routing function. The routing function in the switch is defined by the particular routing protocol it supports. Supported unicast routing protocols include:

RIP1 - Routing Information Protocol Version 1 RIP2 - Routing Information Protocol Version 2 OSPF - Open Shortest Path First IS-IS - Intermediate System - Intermediate System BGPv4 - Border Gateway Protocol version 4
Figure 2: Limitation of Manual Configuration
Configuring RIP
Routing Information Protocol

The Routing Information Protocol, or RIP, is a distance-vector protocol. Distance-vector protocols calculate routes based upon the distance to the target network (usually the hop count - which is the number of routers that a packet must traverse in order to reach the target network) and the vector or direction to the target network. The vector in RIP is the next hop router. One disadvantage to RIP is that it does not take into account the quality of the path or the speed of the links to the target network, only the number of hops. For example, if we had a route to a destination network that was only two hops away but it was on a 10 megabit link and we had an alternative path that same destination network but it was three hops away, but those links were all 10 gigabit links, RIP, being only concerned with the hop count, would prefer the ten-megabit over the faster gigabit connection. RIP is an Interior Gateway Protocol or IGP. This means that RIP is a protocol that is designed to be used only within an autonomous system. RIP is primarily intended for use in homogeneous networks of moderate size. A homogeneous network would be a network with links of the same capabilities between routers. Its early predecessor, the Gateway Information Protocol, was first used in computer routing in the Advanced Research Projects Agency Network (ARPANET) as early as 1969. RIP is often used as it's very simple to understand and very easy to implement. Theres very little configuration required. When using RIP, each router creates its routing table based on route information exchanged between neighbors. The distinction between RIP and other routing protocols like OSPF lies in the fundamental differences between distance-vector protocols and link-state protocols. These are discussed later in the course. All Extreme Networks switches support full implementations of RIP, regardless of the license thats installed on the switch Using a distance-vector protocol, each router creates a unique routing table from summarized information obtained from neighboring routers. This is based on the Belman-Ford (distance-vector) algorithm. The biggest advantage of using RIP is that it is relatively simple to understand and implement, and it has been a de-facto routing standard for many years. The distinction between RIP and other routing protocols like OSPF lies in the fundamental differences between distance-vector protocols and link-state protocols. These are discussed later in the course.
Figure 3: Routing Information Protocol
Configuring RIP
Routing Information Protocol (Continued)

Route Advertisements
A RIP router exchanges routing information or router updates with its neighbors every 30 seconds. This exchange happens regardless of whether there has been a change in the network topology. Sometimes routers fail or links become unusable, and the route entries received through those links or routers cannot be updated. If a route entry fails to be refreshed for six update cycles (typically 180 seconds), it's considered to be stale and is removed from the routing table. There are two versions of RIP - RIP version 1 and RIP version 2. Extreme Networks supports both versions. The primary use of RIP version 1 is for backwards compatibility in legacy networks. In RIP Version 1, only 25 routes can be advertised in a single update packet. This limits the maximum packet size to 512 octets. Both RIP version 1 and RIP version 2 support two types of loop resolution protocols to prevent router loops from occurring. These are Poison Reverse and Split Horizon. We'll discuss these protocols in further detail in a couple of slides.
Triggered Updates
Both RIP version 1 and RIP version 2 support triggered updates, meaning that if there is a change in the network, (a device goes down, or we lose all active links on a particular VLAN), RIP will automatically send an update to each of its neighbors indicating the change as opposed to waiting for the next 30second cycle to send the update.
Figure 4: Routing Information Protocol (Continued)
Configuring RIP
Limitations of RIP Version 1

As previously discussed, RIP is well known and utilized. However, RIP Version 1 does have several limitations. These include:

Classfull Addressing: RIP Version 1 only understands class A, B, and C IP addresses. Subnet Masks: RIP Version 1 does not propagate subnet mask information. Variable Length Subnet Masks: RIP Version 1 does not support variable length subnet masks. Generates Broadcasts: RIP Version 1 uses broadcasts to deliver routing updates. Security: RIP Version 1 does not support any authentication and routers sending updates cannot be verified.
RIP Version 2
RIP Version 2 (RIPv2) introduces subnet mask information into the Routing Information Protocol to handle variable-length subnetting that has become prevalent in the IP addressing scheme, due to the scarcity of IP addresses. Benefits of implementing RIPv2 include:

Variable-Length Subnet Masks (VLSMs) Next-hop address Support for next-hop addresses allowing for optimization of routes in certain environments Multicasting
RIP Version 2 uses the multicast address 224.0.0.9 for router updates. RIPv2 uses multicast packets instead of broadcast. This reduces the load on hosts that do not support routing protocols. Using multicast packets also allows RIP Version 2 routers to share information, which RIP Version 1 routers cannot receive. Backward compatibility with existing RIPv1 implementations is an important design criterion. The implementation allows for different compatibility modes to interoperate with both RIPv1 and RIPv2 implementations.
NOTE
If you are using RIP with supernetting/Classless Inter-Domain Routing (CIDR), you must use RIPv2 only. In addition, RIP route aggregation must be turned off.
10
Figure 5: Limitations of RIP Version 1
Figure 6: RIP Version 2
11
Configuring RIP
Routing Table For Routers Using RIP

The routing table in each device using RIP, contains an entry for every known destination network. Each routing table entry contains the following information:
Origin of the route

Directly connected RIP OSPF
IP address of the destination network IP address of the next router (gateway) Metric (hop count) to the destination network Flags VLAN that contains the router interface that the route is using Duration of time since the entry was last updated
The router exchanges an update message with each neighbor every 30 seconds (default value), or if there is a change to the overall routed topology (also called triggered updates). If a router does not receive an update message within six update cycles (nominally 180 seconds) from the router that was the source of the original routing table entry, it assumes that either the source router has failed or that the connecting link has become unusable. The router marks the existing route as invalid and eventually removes the route from its routing table. When the router learns of a new route from another neighbor, the new route is used to replace the deleted one. The distance-vector routing algorithm waits for six times the update interval before timing out the route, even though it expects to hear from each neighbor at every update interval. The additional time is used to avoid invalidating routes based on the loss of a single update message.
12
Figure 7: Routing Table For Routers Using RIP
13
Configuring RIP
Routing Loops
The RIP protocol can have certain situations that cause slow convergence. One of those conditions is called a routing loop. A routing loop describes the condition when a router believes it has two routes to a target network when only one actually exists. The illustration shows how a loop is created between two routers: 1 Router B reaches the target network with a hop count of one using router A. 2 Router C learns, in its regular update from router B, that it reaches the target network using router B with a hop count of two. 3 In the next router C update, it advertises reachability to the target network back to router B with a hop count of three. 4 Router B now has two routes to the target network; the first using router A with a hop count of one, the second using router C with a hop count of three. 5 Router B chooses the route using router A, since router A has the smallest total hop count. 6 The link between router A and router B fails. 7 Router B does not receive an update from router A in the required time and the route times out the target network through router A. Remember that router B has a secondary route to the target network using router C with a hop count of three. 8 Router B now forwards all traffic destined for the target network to router C and router C, in turn, forwards the traffic back to router B. 9 As a result of this mutual deception, a loop is created. 10 The packet travels back and forth between router B and router C until the time to live field in the IP header is reduced to zero. 11 The packet is eventually discarded by one of the routers.
14
Figure 8: Routing Loops
15
Configuring RIP
Counting to Infinity Problem

In a complex network, a particular route is propagated to many routers in the network. When a subnetwork becomes completely isolated from a complex internetwork the routers continue to advertise the route even though the network is unreachable. As each router is deceived into thinking that there is an alternate route the hop count metric being advertised increases slowly until it finally reaches infinity. This problem is called counting to infinity. This is why infinity (the maximum hop count) is chosen to be as small as possible. If a network becomes completely inaccessible, counting to infinity should be stopped as soon as possible. However infinity must be large enough to accommodate any real route. The choice of infinity is a trade-off between network size and speed of convergence. The designers of RIP selected a maximum hop count metric of 15. The split horizon feature can help prevent the count to infinity problem from happening.
NOTE
The maximum reachable hop count is 15. A hop count of 16 is defined as unreachable.
16
Figure 9: Counting to Infinity Problem
17
Configuring RIP
Split Horizon
A number of modifications can be made to the basic distance-vector routing algorithm to improve performance in a dynamic environment and to help expedite convergence and eliminate routing loops. These include:

Split horizon Poison reverse
By default, both are enabled on Extreme Networks switches. This is used to prevent routing loops. The occurrence of loops between two routers can be greatly reduced by using split-horizon. The count-to-infinity problem can be overcome if the router is careful about where it sends its routing information. Split-horizon is a technique whereby a router does not advertise a route over the same port that supplied the route. In other words, a router does not claim network reachability to a neighbor from which the route was learned. The illustration demonstrates the use of split-horizon to break a loop of two hops. 1 Router B reaches the target network with a hop count of one using router A. 2 Router C learns in its regular update from router B that it reaches the target network using router B with a hop count of two. 3 Router C does not advertise the route to the target network back to router B. As a result of split-horizon, router B has only one route to the target network. If the link between router A and router B fails, router B times out the entry and advertises the target network as unreachable. The possibility of a loop has been eliminated.
18
Figure 10: Split Horizon
19
Configuring RIP
Poison Reverse
Poison reverse is a technique whereby a router advertises a route over the same port that supplied the route with a hop count of 16, defining it as unreachable. A router claims that a network is unreachable over the interface from which the route was learned, preventing any route loops. Poison reverse speeds up convergence because erroneous routes are eliminated without waiting for a timeout. The illustration shows a typical exchange of routing information when a router is configured to perform split-horizon with poison reverse. In this example: 1 A routing loop is created as described on page 14. 2 Since poison reverse is enabled on switch C and the route for the target network was learned over the link from switch B. Switch C advertises the route to the target network with a metric of 16 hops. (Unreachable) The disadvantage of poison reverse is that it increases the size of the routing update messages. If split horizon with poisoned reverse is used, the router must mention all poison routes, with a metric of 16. If the system is large, this can result in a large update message, almost all of whose entries indicate unreachable networks. In many cases, the network administrator is willing to accept slower convergence to reduce the overhead that the increased size of the routing table update messages would cause.
20
Figure 11: Poison Reverse
21
Configuring RIP
Triggered Updates
Triggered updates occur whenever a router changes the metric for a route, and it is required to send an update message immediately, even if it is not yet time for a regular update message to be sent. This generally results in faster convergence, but also results in more RIP-related traffic. Triggered updates can cause excessive loads on networks with limited bandwidth or with many routers on them. A simple solution to this problem is to set a timer to a random number between one and five seconds after a triggered update is sent. If other changes occur that would trigger another update before the timer expires, the router must wait until the timer expires before sending the update. A triggered update may also be suppressed if a regular timed update is due by the time the triggered update would be sent. The illustration shows a network in two states:

Before the triggered update was issued (crossed-out entries) After all routers have converged their router tables
In the illustration, router A times out its route to the target network. The timeout forces router A to issue triggered updates on its ports. The update propagates backward along all paths that lead to router A, updating the metric for the target network to infinity (not shown on slide). The network converges on the new route to the target network based on the route available through router B.
22
Figure 12: Triggered Updates
23
Configuring RIP
RIP Limitations
Distance-vector routing algorithms can quickly determine the shortest route to a distant network. However, this can be misleading due to potential slow convergence, which may require multiple updates. The routes are based on hop count and do not take into account any cost related issues. Depending on the size and complexity of the network and the speed of the links, the amount of information exchanged between neighbors can be significant. Each router periodically transmits all its routing information to its neighbors. The information transmitted by each router is based on the information that it receives from its immediate neighbors. Thus, the identification of a router that supplies inaccurate data is quite difficult. A change in the routing table of a single router can result in a chain of updates. It can take a long time for this information to reach all other routers in the routing domain.
24
Figure 13: RIP Limitations
25
Configuring RIP
RIP Configuration Steps

This page presents the general steps and specific commands to configure RIP on a switch. To configure RIP, perform the following general steps:

Create and configure VLANs. Configure the VLAN with an IP address. Enable IP forwarding. Enable RIP on the VLANs that do RIP routing and on the VLANs you want to advertise through RIP. Enable RIP globally. Verify the configuration and operation using show commands.
General IP Configuration Commands

To create the VLAN on the switch, enter the following command: create vlan <vlan_name> To add the ports to the VLAN, enter the following command: configure <vlan_name> add ports [all | <port number>] To add the IP address to the VLAN, enter the following command: configure vlan <vlan_name> ipaddress [<ipaddress> {<ipNetmask>} | ipv6-link-local | {eui64} <ipv6_address_mask>] To enable IP forwarding, enter the following command: enable ipforwarding
26
Figure 14: RIP Configuration Steps
Figure 15: General IP Configuration Commands
27
Configuring RIP
RIP Specific Configuration Commands

Here are the commands required to ensure that routes are advertised for the VLANs configured for RIP. VLANs that are configured with an IP address, but are not configured to forward IP or are not configured to run RIP, do not have their subnets advertised by RIP. Only those VLANs that are configured with an IP address, are configured to forward IP, and run RIP, have their subnets advertised. When an IP interface is created, per-interface RIP configuration is disabled by default. To configure RIP on an IP interface, enter the following command: configure rip add vlan [<vlan_name> | all] You must specify either a VLAN name or all (i.e. all VLANs). To enable RIP globally, enter the following command: enable rip
Removing RIP
To remove RIP from an IP interface, enter the following command: configure rip delete vlan [<vlan_name> | all] To disable RIP, enter the following command: disable rip When RIP is disabled on the interface, the parameters are not reset to their defaults.
28
Figure 16: RIP Specific Configuration Commands
29
Configuring RIP
RIP Configuration Example

The illustration shows an example of a RIP configuration for one switch. Examples of additional RIP configuration are shown below.
Configuration of R2
create vlan vlan2rip configure vlan2rip add ports 2 configure vlan2rip ipaddress 10.2.0.2/24 create vlan vlan0rip configure vlan0rip add ports 1 configure vlan0rip ipaddress 10.0.0.2/24 enable ipforwarding configure rip add vlan vlan0rip configure rip add vlan vlan2rip enable rip
Configuration of R3
create vlan vlan0rip configure vlan0rip add ports 1 configure vlan0rip ipaddress 10.0.0.3/24 create vlan vlan3ip configure vlan3rip add ports 2 configure vlan3rip ipaddress 10.3.0.3/24 enable ipforwarding configure rip add vlan vlan0rip configure rip add vlan vlan3rip enable rip
30
Figure 17: RIP Configuration Example
31
Configuring RIP
RIP Timer and Cost Configuration Commands

Every update timer period, the RIP process sends an unsolicited response message containing the complete routing table to all neighboring RIP routers. To specify the time interval in seconds within which RIP sends update packets, enter the following command: configure rip updatetime {<seconds>} The default is 30 seconds. The range is 10 - 180 and must be less than the route timer. There are two timers associated with each route, a route timeout and a garbage time. Upon expiration of the timeout, the route is no longer valid; however, it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped. Upon expiration of the garbage timer, the route is finally removed from the tables. To configure the route timeout period, enter the following command: configure rip routetimeout {<seconds>} The default is 180 seconds. The range is 0 - 4294967295 and must be greater than the update timer. To configure the RIP garbage time, enter the following command: configure rip garbagetime {<seconds>} The default is 120 seconds. To configure the cost metric of the VLAN router interface, enter the following command: configure rip vlan [<vlan name> | all] cost <cost> The range is 1 - 14.
32
Figure 18: RIP Timer and Cost Configuration Commands
33
Configuring RIP
Additional RIP Configuration Commands

To modify the received RIP version, enter the following command: configure rip rxmode [none | v1only | v2only | any] {vlan [vlan name | all]}
Syntax Description
none v1only v2only any vlan-name all Specifies to drop all received RIP packets. Specifies to accept only RIP version 1 format packets. Specifies to accept only RIP version 2 format packets. Specifies to accept RIP version 1 and RIP version 2 packets. Specifies to apply settings to specific VLAN name. Specifies all VLANs.
The default for receiving is any. To modify the transmitted RIP version, enter the following command: configure rip txmode [none | v1only | v1comp | v2only] {vlan [vlan name | all]} The default for transmitting is v2. The features for aggregating or summarizing subnetwork routes, exporting updates from other routing protocols, split horizon, poison reverse, and triggered updates can be enable and disabled individually. To enable specific RIP features, enter the following commands: enable rip splithorizon enable rip poisonreverse enable rip triggerupdates To reset all RIP parameters for a VLAN to the default, enter the following command: unconfig rip {vlan <vlan name>}
34
Figure 19: Additional RIP Configuration Commands
35
Configuring RIP
Verifying the RIP-specific Configuration

To verify the RIP-specific configuration for all VLANs, enter the following commands: show rip The command displays the following:
The global status of:

RIP Split Horizon Poison Reverse Triggered Updates
RIP protocol timers
36
Figure 20: Additional RIP Configuration Commands
37
Configuring RIP
Verifying RIP Interfaces and Routes

To verify the RIP-specific interface settings, enter the following command: show rip interface The display shows:

The VLAN name. The router interface IP address and subnetwork mask. The number of RIP packets sent and received. The number of triggered updates. The interface cost.
To verify the RIP-specific routes in the routing table, enter the following command: show rip routes The display shows:

The route origin. The destination network. Any rip peers. The route metric. The VLAN name. The route age.
To verify the rip specific configuration commands, enter the following command: show configuration rip
38
Figure 21: Verifying RIP Interfaces and Routes
39
Configuring RIP
Verifying IP Forwarding and VLAN Interface

To verify that IP Routing and RIP are enabled, enter the following command: show ipconfig The display shows:

The name of each VLAN. The IP address of each router interface. If IP forwarding is enabled for each VLAN. If the interface is enabled and active.
40
Figure 22: Verifying IP Forwarding and VLAN Interface
41
Configuring RIP
Verifying the Route Source

To verify the source of a route entry, enter the following command: show iproute The displays shows:

The origin of the route. (how was the route learned). The destination network. The next hop gateway. The type of route entry. The preferred route for unicast and multicast traffic. The duration of time this route has been in the routing table.
42
Figure 23: Verifying the Route Source
43
Configuring RIP
Summary
Configuring RIP Module describes how to configure the RIP v1 and RIP v2 IP unicast routing protocols. You should now be able to:

Describe the RIP routing protocol. Identify the limitations of RIP version 1. List the benefits of RIP version 2. Interpret RIP routing table entries. Describe the Split Horizon and Poison Reverse loop resolution protocols. Describe the operation of triggered updates. Configure the RIP routing protocol. Verify the RIP configuration. Test RIP operation.
44
Figure 24: Summary
45
Configuring RIP
Lab
Turn to the Routing Information Protocol (RIP) Configuration Lab in your ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
46
Figure 25: Lab
47
Configuring RIP
Review Questions
1 What are the advantages of using RIP? a RIP provides the fastest possible convergence. b RIP is simple and easy to understand. c RIP was originally designed to be very secure. d RIP uses a hop count rather than a cost metric.
2 In RIP, what modifications have been made to the basic distance-vector routing algorithm to address routing loops, slow convergence, and the counting to infinity problem? a Poison horizon, split updates, and reverse triggers. b Split horizon, poison reverse, and triggered updates. c LSDB synchronization, Autonomous System hierarchy, and stub areas. d Link state advertisements, hello packets, and neighbor discovery.
3 What is the maximum reachable hop count for RIP? a 8 b 15 c 16 d 4096
4 The switch cannot route using RIP until which of the following happens? a The VLAN is assigned an IP address, neighbor gateways establish adjacencies, RIP is enabled globally, the VLAN is configured to use RIP, and the router interface is active. b The VLAN is assigned an IP address, RIP is enabled globally, neighbor gateways establish adjacencies, the VLAN is configured to use RIP, and IP forwarding is enabled globally. c The VLAN is assigned an IP address, IP forwarding is enabled, the VLAN is active, and RIP is enabled globally.
d The VLAN is assigned an IP address, IP forwarding is enabled, the VLAN is configured to use RIP, the router interface is active, and RIP is enabled globally.
48
5 Which of the following is true when using RIP? a Upon expiration of the garbage timeout, the route is no longer valid; however, it is retained in the routing table until the expiration of the route timer. b Upon expiration of the route timeout, the route is no longer valid; however, it is retained in the routing table until the expiration of the garbage timer. c Upon expiration of the route timeout, the route is marked suspect; however, it is retained in the routing table until the expiration of the hello timer.
d Upon expiration of the hello timeout, the route is marked suspect; however, it is retained in the routing table until the expiration of the route timer.
6 Which of the following commands displays the state of the Split Horizon feature? a show ipconfig b show rip c show iproute d show fdb
7 Which of the following commands show the RIP peer routers? a show ipconfig b show iproute c show rip interface d show rip routes
8 In a distance-vector routing algorithm, what is the name of the condition when a router believes it has two routes to the target network when only one actually exists? a Routing loop. b Split horizon. c Poison reverse. d Slow convergence.
49
Configuring RIP This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
50
13 Configuring OSPF
Configuring OSPF
Student Objectives
The Configuring OSPF module presents the Open Shortest Path First (OSPF) IP routing protocol.Upon completion of this module, you will be able to:

Define OSPF as a routing protocol. Identify the advantages of OSPF. Describe the OSPF hierarchy. Define OSPF areas and router types. Describe how OSPF operates. Define Link State Advertisements (LSA) and hello packets. Define Link State Database (LSDB) synchronization. Configure OSPF within a single area. Verify the configuration and operation of OSPF. NOTE
Configuring OSPF
Defining OSPF
The Open Shortest Path First protocol is an IP routing protocol that is classified as an Interior Gateway Protocol (IGP). OSPF employs a link-state routing algorithm. The important features of a link-state routing protocol are:
All routers within a routing domain share information about their interfaces, or links, to directly connected networks. The link information is stored in a database. This topological database contains a complete description of which routers are connected to which networks in the given domain. Following convergence, each router has an identical copy of the link-state database from its own perspective. Each router uses the common link-state database (LSDB) to calculate a shortest-path tree to all destinations. The shortest-path tree is then used to create the routing table. Where several equal cost routes exist to a destination, traffic can be distributed among them.
OSPF as a link-state protocol has several advantages over the use of a distance vector protocols like RIP.
Fast Convergence
OSPF quickly responds to topology changes and calculates new loop free routes. This is done by flooding the information about the topology change through the network and calculating the new routes immediately.
Fewer Network Resources

OSPF generates less network traffic than RIP as individual packets are smaller and multicasting technology is utilized. The individual packets only contain update information, not the whole routing table.
Greater Features
OSPF offers the following:
OSPF calculates the best route based on a cost factor, which is normally related to the bandwidth of a link, not a hop count. OSPF offers greater scalability than RIP. It is not limited to a maximum hop count and supports a hierarchical network design. OSPF allows for load sharing over routes. All OSFP routing exchanges can be authenticated.
OSPF is an IP-only routing protocol. RFC 2328 is the latest RFC for OSPF.
Figure 2: Defining OSPF
Figure 3: Advantages of Link-State Over Distance-Vector
Configuring OSPF
OSPF Routing Hierarchy

OSPF supports a hierarchical network design. Implementing a hierarchy in the routing topology of a network, dramatically enhances its support for larger network designs. OSPF implements a two-level hierarchical routing scheme that consists of an overall autonomous system (AS) that contains one or more areas. An autonomous system is a collection of routers and networks controlled by a single administration. In the classic definition an autonomous system is a set of routers under a single technical administration, using an interior gateway protocol and a common metric to route packets within the AS, and using an exterior gateway protocol to route packets to other autonomous systems. After this classic definition was developed, it has become common for a single AS to use several interior gateway protocols and sometimes several sets of metrics within an AS. So, for OSPF an autonomous system is the set of all routers that are running OSPF as their routing protocol. An area consists of one or more physical networks (e.g. several VLANs and/or LANs) connected together through IP routers. By creating a hierarchy within the OSPF LSDB, larger inter-networks gain the following benefits:

The Internal Router LSDB and routing table consume less router memory. Uses fewer router resources when computing the routing table. The LSDB contains fewer entries, resulting in the OSPF algorithm consuming less CPU time to complete. Uses less link bandwidth when distributing routing data because any topological change is only sent within the affected area. (Hides instability)
Overall OSPF saves network resources and bandwidth because not every link-state change is propagated to all routers in the AS. This limits the number of routers having to perform a recalculation of the OSPF routing table. The AS may contain several areas, all of which share a common administration and common design strategy. The term Domain is often used in place of AS.
Figure 4: OSPF Routing Hierarchy
Configuring OSPF
OSPF Areas
OSPF allows the grouping of contiguous networks (LANs, WANs, Point-to-Point links) and hosts into an area. The flooding of detailed information is restricted to the area. The Shortest Path First (SPF) is computed on a per-area basis, and all intra-area routes are derived from the SPF tree. Areas are built by assigning the interfaces of each OSPF router to an area. Each area has its own link state database consisting of entries called Link State Advertisements (LSA) describing how the area's routers and segments are connected. This means that routers connected to more than one area have a LSDB for each area they are connected to. There are several advantages of OSPF area-routing capabilities:
The use of areas greatly reduces the amount of routing information traffic that must be propagated throughout the entire AS. Areas allow the development of a hierarchy of routing information, and thus protect each area from external routing information. The area's information is hidden from routers outside the area. This information-hiding technique is important from a security standpoint, because it prohibits other areas from identifying the physical topology of an area.
Routing within an area is flat. In intra-area routing the packet is routed solely on information obtained within the area; no routing information obtained from outside the area can be used. This protects intraarea routing from the injection of bad routing information from outside the area. In an Extreme Networks configuration (and as defined by the OSPF protocol), area IDs are described with dotted-decimal notation. This means:

Area 0.0.0.1 can be referred to as area 1. An area ID is not an IP address and bears no relationship to IP addresses.
Figure 5: OSPF Areas
Configuring OSPF
Identifying OSPF Area Types

This page describe the different types of OSPF areas.
Area 0 - Backbone Area

Any OSPF network that contains more than one area is required to have only one area configured as area 0.0.0.0 (referred to as area 0), which is also called the Backbone. All areas in an autonomous system must be connected to the backbone physically through an Area Border Router (ABR), or logically through a Virtual Link and the ABR. When designing networks, you often start with area 0, and then expand into other areas. The backbone area is always a normal area. The backbone allows summary information to be exchanged between ABRs. Every ABR hears the area summaries from all other ABRs. The topology of the backbone is invisible to its attached areas, and the topology of the other areas is invisible to the backbone. Within an Extreme Networks environment, when a VLAN is configured to run OSPF, by default it is automatically joined to the backbone area. If you want a VLAN to be part of a different OSPF area, you have to configure this.
Normal Area
Normal areas connect to other areas through ABRs. External routes are distributed into and out of normal areas. These areas support virtual links and Autonomous System Boundary Routers (ASBRs).
Stub Area
OSPF allows certain areas to be configured as stub areas. External route information is not distributed into stub areas. They are useful to reduce memory and computation requirements on OSPF routers. To take advantage of the OSPF stub area support, default routing must be used on all routers within the stub area. To accomplish this the area border router advertises a default route into the stub area. These default route are used for any destination that is not explicitly reachable by an intra- or inter-area path. If information about other areas is not advertised, the default route is used instead of special inter-area paths. The OSPF protocol ensures that, all routers belonging to an area agree on whether the area has been configured as a stub. The following restrictions apply: virtual links cannot be configured through stub areas and ASBRs cannot be placed internal to stub areas.
Not-So-Stubby Area
Not-So-Stubby Areas (NSSAs) are similar to the existing OSPF stub area configuration option, but have the following additional capabilities: External routes originating from an ASBR connected to the NSSA can be advertised within the NSSA and these routes can be propagated to other areas. NSSAs are an enhancement to current OSPF stub area functionality that allows importing external routes into the stub area and also propagate them out to the rest of the OSPF domain in a limited fashion.
10
Figure 6: Identifying OSPF Components
11
Configuring OSPF
OSPF Router Types and Network Types

Within the OSPF hierarchy, different types of area are defined. Routers that perform the interconnection of these areas require additional functionality, which results in 3 types of routers:
Internal Router
Internal routers (IRs) have all of their network interfaces in the same area. IRs run a single copy of the basic routing algorithm and generate a single LSDB.
Area Border Router

An ABR is an OSPF router that has interfaces connected to more than one area. ABRs maintain a distinct LSBD for each area and run the SPF algorithm on each area's database. The ABR must always be connected to area 0. This can be achieved logically through a virtual link if a physical connection is not possible or impractical. An ABR is responsible for summarizing the information learned from one area and flooding it throughout all the areas it belongs to in the form of Summary LSAs.
Autonomous System Boundary Router

An Autonomous System Boundary Router is a router that has interfaces in both an OSPF routing domain, and a non-OSPF routing domain such as RIP, IS-IS, BGP or static routing information. It acts as a gateway between OSPF and the other routing protocol. An ASBR is not limited to providing connectivity between one OSPF domain and another autonomous system. An ASBR may provide connectivity between an OSPF domain and a non-OSPF domain in the same autonomous system. The ASBR generates AS-external LSAs, these describe routes to external networks outside the OSPF domain.
OSPF Network Types

OSPF classifies networks according to their characteristics, there are four different types of networks:

Broadcast networks, for example, Ethernet Point-to-Point networks, for example, leased lines and ADSL Non-broadcast Multi-access (NBMA) networks, for example X.25, ATM, and Frame Relay (which is NBMA by default) Point-to-Multipoint (PMP) networks, for example, Frame Relay (if it is configured to support PMP)
For Broadcast networks, one of the directly connected routers is elected as the designated router. It represents the network and is responsible for exchanging routing information.
12
Figure 7: OSPF Router and Network Types
13
Configuring OSPF
Designated Router Types

OSPF routers exchange link state information with their adjacent neighbors. Broadcast networks may have many routers. A great deal of bandwidth is consumed by the routing protocol traffic if all neighbors are adjacent. Additionally, a broadcast network is able to support the transmission of a single message that is received by a set of defined destinations (multicast). To reduce the amount of traffic, every broadcast network has a designated router (DR) which represents the network, and a backup designated router (BDR) to ensure quick failover if the designated router is no longer reachable. Essentially, a DR is responsible for ensuring that all other routers on a particular broadcast network have the same LSDB. Therefore the DR (and the BDR) form adjacencies with all neighbors. This means link state information is exchanged and databases are kept synchronized. The other routers on the network, called Other Designated Routers (ODRs) exchange link state information only with the DR and BDR, because they are the only adjacent neighbors. This is performed with packets using the special All designated routers multicast address of 224.0.0.6. The DR then forwards this information to all other routers, using the special All OSPF Routers multicast address of 224.0.0.5. The second task of the designated router is to generate a Network LSA, which describes the broadcast network. It contains information about the IP network address, subnetwork mask, and attached routers. Point-to-Point links do not elect a DR or BDR. Neighbors on Point-to-Point links immediately form an adjacency and synchronize their databases. Point-to-Multipoint links are treated by OSPF like a collection of Point-to-Point links, so there is no election of a DR or BDR and adjacencies are formed immediately. NBMA networks are treated like other broadcast networks, so a DR and BDR are elected in the same way as on broadcast networks, with the same responsibilities for the designated router. But because NBMA networks don't support broadcast/multicast packets, neighbors cannot be found automatically. Therefore, they have to be configured.
14
Figure 8: Designated Router Types
15
Configuring OSPF
Designated Router Election

After initializing the OSPF interfaces, a router transmits Hello packets and listen for Hello packets. For as long as it's Wait Timer has defined (normally 4 times the Hello interval which in turn is often 10 seconds) the router waits for information about an already active designated router. Typically, this means that the first router initialized on a network becomes the DR and the second router initialized on a network becomes the BDR. If the DR fails the BDR immediately becomes the DR and a new BDR is elected. If an election is required, the router with the highest configured router priority is elected the DR or BDR. If all routers have the same priority, the router with the highest router ID is elected. A router with the priority of 0 is never elected DR or BDR.
NOTE
Router priority is configured on a per-interface basis.
The parameters for each router should be configured to avoid electing a router that is very busy processing a high volume of IP traffic, or is already acting as an ASBR. The DR and BDR are elected by the use of the Hello protocol that is discussed later.
16
Figure 9: Designated Router Election
17
Configuring OSPF
Link State Advertisement

Each OSPF router is responsible for describing its local piece of the routing topology through the transmission of link-state advertisements (LSAs). LSAs describe the local state of a router or network. This includes the state of the router's interfaces and adjacencies. Each link state advertisement is flooded throughout the area. Every thirty minutes a router, even in the absence of any change, transmits this self-originating data in the event it may have been lost or corrupted in a neighbors routing tables. There are several types of Link State Advertisements, each type with its own characteristics. These characteristics include:

The router that is the originator of the LSA and is generating this Link State Advertisement. The range this LSA is flooded through and whether it stays within an area or is it flooded through the whole AS. The Link ID used to identify this LSA. Detail information in this LSA.
The next page gives a short overview about the different LSA types.
18
Figure 10: Link State Advertisement
19
Configuring OSPF
OSPF LSA Types

The LSA can be of several types: LSA Type 1 - Router-LSAs

Generated by every OSPF router. Describes the set of active interfaces, their associated cost, and any neighbor information. Flooded throughout a single area only. Link State ID (Identifier) field is the router OSPF router ID.
LSA Type 2 - Network-LSAs

Generated by OSPF designated routers. Describes a broadcast network along with the IDs of all currently attached routers. Flooded throughout a single area only. Link State ID field lists the IP interface address of the DR.
LSA Type 3 - Summary-LSAs (Network)

Originated from ABRs. Supports hierarchical routing through the use of OSPF areas. Describes networks in different areas, reachable through the ABR, with the associated cost. Flooded into the next area by the ABR. Link State ID field is an IP network number.
LSA Type 4 - Summary-LSAs (ASBR)

Originated from ABRs. Describes the existence of an AS Boundary Router. Flooded into the next area by the ABR. Link State ID field is the AS boundary router OSPF router ID
LSA Type 5 - AS-external-LSAs

Originated by an ASBR. Describes destinations external to the AS. Flooded through the whole autonomous system. Link State ID field specifies an IP network number.
LSA Type 7 - NSSA-LSAs
Functionally identical to a Type 5 LSA for a normal area. Originated by an ASBR. Allows the importation of external routes normally not advertised out of the Not So Stubby Area (NSSA). Destined for ABRs with the highest router ID, stays within the NSSA, are transformed by the ABRs into Type 5 LSAs. Link State ID field specifies an IP network number.
20
Figure 11: OSPF LSA Types
21
Configuring OSPF
Building the Shortest Path Tree

The illustrations show the process used to build the Shortest Path Tree. Each router views itself as the root of the network. It then builds its routing table based on the shortest path (link cost) to the destination.
How OSPF Operates

OSPF has been designed to be as resource efficient as possible. One of the ways of achieving this is in the use of multicast packets where they are supported. Two multicast addresses/groups are used:

224.0.0.5 for all OSPF routers to receive 224.0.0.6 for only DR/BDR routers to receive
When joining an OSPF network for the first time, the router goes through several stages prior to actually participating in forwarding/routing of packets. These include:

The announcement of itself. Forming adjacencies with neighbors. Exchanging information with other routers about the state of its links. Learning about other routers. Ensuring that databases are synchronized.
22
Figure 12: Building the Shortest Path Tree
Figure 13: How OSPF Operates
23
Configuring OSPF
OSPF Router Neighbor Discovery

A router discovers neighbors by sending OSPF Hello packets out of all of its interfaces using multicast group 224.0.0.5. By default, a router sends Hello packets out of an interface every 10 seconds. A router learns the existence of a neighboring router when it receives the neighbor's OSPF Hello in return. Consider R1 in the diagram: When R1's interface is first initialized, it sends out its Hello packet to both interfaces in the hope of receiving a Hello packet back from any other listening router (in this case R2, R3, and R4). After a neighbor relationship has been established, failure of this neighbor (or a link to it) is detected when a router does not receive a Hello packet from a neighbor within 40 seconds. This timer is called the Router Dead Interval and is configurable. It is always 4 times the Hello interval. The Hello protocol ensures that neighbor routers agree on timing parameters and can aid in link failure detection. A fault is usually detected way before this time, however, by the data-link protocol, since the absence of Hello packets is most likely caused by an interface going down. "Detecting neighbor failures in a timely fashion is crucial to OSPF protocol performance." (RFC 2178) Note that after a router's LSDB is complete and stable, a router only transmits short, periodic Hello messages until, generally, it is determined that the database is out of date (a change has been detected). This is unlike RIP, which periodically broadcasts its entire routing table.
24
Figure 14: OSPF Router Neighbor Discovery
25
Configuring OSPF
OSPF Hello Packets

The Hello packet contains:

The router's OSPF router ID. The area ID. The Hello interval in seconds at which the router sends Hello packets on the given network and the corresponding Dead Interval after which a neighbor is declared dead. The router's priority value. The router's current choice for the DR and the BDR (a value of zero in these fields indicates that one has not yet been selected). A list of routers from which Hello packets have recently been received. The password if authentication is used. Information identifying if the area is a stub area or a NSSA. The subnetwork mask.
Routers examine the values of the received Hello packets and only build a neighbor relationship if certain values are the same. Neighbors must agree to which area they belong and if this is a normal, stub, or not-so-stubby area. The Hello and Dead intervals must match to ensure that the failure of a neighbor is detected in a timely manner. Of course, if authentication is used, the passwords must be correct. By examining the Hello packets received and locating its own router ID in the neighbor list, a router can be assured that bidirectional communication has been established with all neighbors. Concurrently, the DR and BDR are elected, based on the router priority value. The relationship is now bidirectional and adjacency begins to be set up.
26
Figure 15: OSPF Hello Packets
27
Configuring OSPF
LSDB Initial Synchronization

Before bidirectional neighbors can become fully adjacent, they must decide on an initial sequence number and which router is the master. The router with the largest router ID becomes the master and it provides the initial sequence number. After the master/non-master relationship is defined, the master sends database description packets to the non-master. Database description packets describe the router's link-state database and consist of a list of abbreviated LSAs in the form of link-state headers. A link-state header supplies all the information needed to uniquely identify an individual LSA. The master sends database description packets (polls) that must be acknowledged by database description packets (responses) from the non-master. Based on the summary received from its neighbor, each router builds a list of requests for LSAs that it needs to bring its own database up-to-date. A router builds this list by comparing its link-state database with the link-state headers received in the neighbor's database description packets. If the router does not have a particular LSA in its link-state database, or if it determines that its neighbor has a more recent version of an LSA (e.g. the cost is different), the LSA is added to the request list. Each router sends this list in a link-state request packet to its neighbor. Each router responds to a link-state request packet with a link-state update packet containing the LSAs requested by its neighbor. Neighbors acknowledge the link-state updates with link-state acknowledgement packets. The neighbors become fully adjacent when each has received and acknowledged all requested LSAs. Once the routers become fully adjacent, they run the SPF algorithm on the database and add the OSPF routes to their routing tables.
28
Figure 16: LSDB Initial Synchronization
29
Configuring OSPF
LSDB Synchronization
Database synchronization in a link state protocol is crucial. Synchronization protects the network as a whole from corrupt information. Of the 5 OSPF protocol packet types, 4 are used for database synchronization with the Hello packet being the 5th type as follows:

Database Description packet Link State Request packet Link State Update packet Link State Acknowledge packet
Flooding
After a pair of routers becomes fully adjacent, database synchronization is maintained with a flooding procedure. When an LSA is flooded, it is passed from adjacent router to adjacent router until it has been distributed throughout the entire routing area. LSAs are flooded when the status of a router's link changes or when a timer expires, indicating that it is time for another periodic update. The decision of any router to pass on the LSA to its adjacent neighbor is based on several conditions. For example, an OSPF router should avoid passing timed-out or self-generated LSAs.
Reliable Updates
OSPF implements a reliable link-state flooding procedure by requiring that the adjacent router acknowledges the receipt and transfer of an LSA. In the absence of an acknowledgement, the source router retransmits the LSA until it is acknowledged or until the adjacency is declared down. Whenever it is determined that there is a change in the link-state database, a new Shortest-path Tree (SPT) is constructed and the routing table is updated.
Link-State Age
Every LSA also has an age field, which is used internally to maintain the link-state database. An LSA age is periodically increased as it is flooded throughout the area and while it resides in a router's linkstate database. An LSA can reach an age where it is no longer used in the flooding procedure and must be flushed from the link-state database.
Link-State Sequence Numbers

An LSA in a router's link-state database is often replaced by a more recent LSA from its adjacent neighbor. Each LSA contains a 32-bit sequence number field used by OSPF routers to detect timed-out or duplicate LSAs. A sequence number space is used for LSA identification. When a router generates a new LSA, it uses the next available sequence number. All routers keep their link-state databases synchronized by aging LSAs in their database, and updating it with incoming LSAs.
30
Figure 17: LSDB Synchronization
31
Configuring OSPF
Identifying When OSPF Routing Occurs

It should now be apparent that routing only occurs after the following:

OSPF routers establish neighbor adjacencies The router LSDBs are fully synchronized The routing tables are constructed.
Essentially, this is the only point at which the actual IP routing/forwarding engine is able to use any indirect routes.
Building the Routing Table

The first step in creating a routing table from the link state database is the creation of a topology map. Each router builds a topology map by moving the LSAs around and placing them in the proper position; similar to the way a person would assemble a jigsaw puzzle. After the topology map is built, each router builds a shortest-path tree to all possible destination networks. When building the tree, each router places itself at the root position. The tree is constructed so that the path from the root to each destination network traverses the least-cost path. Directly connected networks are entered into the routing table with a cost of zero. Each router constructs a different SPT despite the fact that all routers are building their trees from an identical link-state database. This is because a router only appears at the root position of its own tree. After the SPT is constructed, each router builds its local routing table.
32
Figure 18: Identifying When OSPF Routing Occurs
33
Configuring OSPF
Basic IP Configuration Review

Before configuring OSPF, make sure the basic IP setup is correct. This includes:

IP addresses are assigned to all VLANs for which routing should be done. IP forwarding is enabled for these VLANs. Physical cabling for the router connectivity has been done and the ports are assigned to the correct VLANs.
Here are the commands to remember for these tasks: To create a VLAN, enter the following command: create vlan <vlan name> To configure a VLAN with member ports, enter the following command: configure vlan <vlan_name> add port [ all | <port number> ] To assign an IP address to the VLAN, enter the following command: configure <vlan_name> ipaddress <ipaddress> [/<netmask>] To enable IP forwarding, enter the following command: enable ipforwarding {vlan <name>}
34
Figure 19: Basic IP Configuration Review
35
Configuring OSPF
Configuring the OSPF Router ID

The first step to configure OSPF is to assign an identifier to the router. If the router ID is not set the default setting uses the highest IP interface address on the router as the router ID. When configuring the router ID follow these recommendations:

Each router/Layer-3 switch that is configured to run OSPF must have a unique router ID. Manually set the router ID of the switches participating in OSPF, instead of having the switch automatically choose its router ID based on the highest interface IP address. Not performing this configuration in a larger, dynamic environment could result in an older link state database remaining in use and a general lack of control.
When the OSPF router ID is set to automatic (default), the router ID is determined by the router every time OSPF is enabled. It is not necessary for OSPF to be configured or for the IP interface to be active on the interface that is used to automatically set the router ID. There is no requirement for the associated VLAN to be up or have any ports assigned to it. If a router ID changes after a reboot or a disable OSPF command, its LSAs could stay in the LSDB for 30 minutes. This corrupts the LSDB for the whole routing domain unless a manual reset is performed. Virtual links are defined to connect to a specific router ID. If this target router changes its router ID the link fails, possibly isolating an entire area
To configure the OSPF router ID, enter the following command: configure ospf routerid [automatic | <routerid>] The default setting is automatic. If automatic is specified, the switch uses the highest IP interface address as the OSPF router ID. For example: configure ospf routerid 10.1.6.1 NOTE
Do not set the router ID to 0.0.0.0, this value is reserved.
36
Figure 20: Configuring the OSPF Router ID
37
Configuring OSPF
Configuring a Single OSPF Area

This page presents the steps to complete a basic OSPF configuration in a single area, which is the backbone area 0.0.0.0. Area 0.0.0.0 does not need to be created. It exists by default. An OSPF network must have one backbone area 0.0.0.0. To configure OSPF in a single area, perform the following general steps:

Perform basic IP configuration. Configure the router IDs. Enable OSPF for the VLANs and associate them with the OSPF area ID 0.0.0.0. Enable OSPF globally on the switch.
In this single area example the area is 0.0.0.0. To enable OSPF for the VLANs and assign them to an area, enter the following command: configure ospf add vlan [<vlan name> | all] area <area-identifier> {passive} The <area identifier> specifies the area to which the VLAN is assigned. Passive specifies to not send and receive hello packets on this interface. A passive interface appears as a stub network to the OSPF domain and helps decrease the time it takes for recalculating the network. If an interface is a VLAN with no other OSPF routers on it, configure the interface as passive. To enable OSPF globally on the switch, enter the following command: enable ospf
Unconfiguring OSPF
To remove a VLAN from the OSPF routing process, enter the following command: configure ospf delete vlan [<vlan name> | all] To stop the OSPF process, enter the following command: disable ospf
38
Figure 21: Configuring a Single OSPF Area
39
Configuring OSPF
OSPF Configuration Example

This example shows the basic IP and OSPF configuration for R1 in the example network. R2 and R3 are configured in the same way. R2 create vlan v0ospf configure vlan v0ospf add port 2 configure vlan v0ospf ipaddress 10.0.0.2/24 create vlan v2ospf configure vlan v2ospf add port 1 configure vlan v2ospf ipaddress 10.2.0.2/24 enable ipforwarding configure ospf routerid 2.2.2.2 configure ospf add v0ospf area 0.0.0.0 configure ospf add v2ospf area 0.0.0.0 enable ospf R3 create vlan v0ospf configure v0ospf add port 2 configure vlan v0ospf ipaddress 10.0.0.3/24 create vlan v3ospf configure v3osfp add port 1 configure vlan v3ospf ipaddress 10.3.0.3/24 enable ipforwarding configure ospf routerid 3.3.3.3 configure ospf add v0ospf area 0.0.0.0 configure ospf add v3ospf area 0.0.0.0 enable ospf
40
Figure 22: OSPF Configuration Example
41
Configuring OSPF
Configuring Multiple OSPF Areas

This page presents the steps to complete an OSPF configuration in multiple areas. To configure OSPF in multiple areas:

Perform basic IP configuration. Configure the router IDs. Enable OSPF for the VLANs and associate them with the OSPF area IDs. Enable OSPF globally on the switch.
To create a new OSPF area, enter the following command: create ospf area <area identifier> Where:

Area IDs are formatted in dotted-decimal notation (i.e. 10.1.6.1, 3.42.6.2). Area 0.0.0.0 does not need to be created. It exists by default. An area ID is not an IP address and bears no relationship to IP addresses.
42
Figure 23: Configuring Multiple OSPF Areas
43
Configuring OSPF
Advanced OSPF Configuration

In addition to required configuration the following advanced configuration may be necessary:

Configure the area as a stub or NSSA area. Change the priority for one or all OSPF router interfaces. Configure the cost metric of one or more interfaces.
OSPF allows certain areas to be configured as stub areas or NSSAs. External route information is not distributed into stub areas. To configure an OSPF area as a stub area, enter the following command: configure ospf area <area-identifier> stub [summary | nosummary] stubdefault-cost <cost> To configure an OSPF area as a NSSA, enter the following command: configure ospf area <area-identifier> nssa [summary | nosummary] stubdefault-cost <cost> {translate} The router with the highest configured router priority is elected the DR for a network. To change the priority for one or all OSPF router interfaces for DR election, enter the following command: configure ospf [area <area identifier> | vlan [<vlan name> | all]] priority <priority> OSPF calculates the best route based on a cost factor, which is normally related to the bandwidth of a link. To configure the cost metric of one or all interface(s), enter the following command: configure ospf [area <area identifier> | vlan [<vlan name> | all]] cost [automatic | <cost_number>]
44
Figure 24: Advanced OSPF Configuration
45
Configuring OSPF
Advanced OSPF Configuration (Continued)

In addition to required configuration the following advanced configuration may be necessary:

Enable the redistribution other routing protocols into the OSPF domain. Configure a range of addresses to be aggregated in the area. Configure the ASBR to accept external routes. Create a virtual link to connect an area to the backbone through another area.
An Autonomous System Boundary Router is a router that has interfaces in both an OSPF routing domain, and a non-OSPF routing domain such as RIP, IS-IS, BGP or static routing information. The ASBR generates AS-external LSAs, these describe routes to external networks outside the OSPF domain To enable the redistribution of other routing protocols into the OSPF domain, enter the following command: enable ospf export [bgp | direct | e-bgp | i-bgp | rip | static] [cost <cost> type [ase-type-1 | ase-type-2] {tag <number>} | <policy-map>] To configure a range of IP addresses to be aggregated in an OSPF area, enter the following command: configure ospf area <area-identifier> add range [<ip-address> <ip-mask> | <ipNetmask>] [advertise | noadvert] [type-3 | type-7] To aggregate AS-external routes in a specified address range, enter the following command: configure ospf ase-summary add [<ip-address> <ip-mask> | <ipNetmask>] cost <cost> {tag <number>} All ABRs in an AS must be connected to the backbone physically or logically through a virtual link. To add a virtual link connected to another ABR, enter the following command: configure ospf add virtual-link <routerid> <area identifier> NOTE
Remember that the virtual link must be configured at both ends.
46
Figure 25: Advanced OSPF Configuration (Continued)
47
Configuring OSPF
Verifying the Basic IP Configuration

To verify which destination networks are in the routing table and the source of the routing entry, enter the following command: show iproute The displays shows:

The origin of the route. (how was the route learned). The destination network. The next hop gateway. The type of route entry. The preferred route for unicast and multicast traffic. The duration of time this route has been in the routing table.
To verify that IP forwarding is enabled and the interface is up, enter the following command: show ipconfig The display shows:

The name of each VLAN. The IP address of each router interface. If IP forwarding is enabled for each VLAN. If the interface is enabled and active.
48
Figure 26: Verifying the Basic IP Configuration
Figure 27: Verifying the Basic IP Configuration (Continued)
49
Configuring OSPF
Verifying the Global OSPF Configuration

To display the global OSPF configuration, enter the following command: show ospf In the example output, notice the following:

The configured router ID. OSPF is enabled, this router is not an ASBR or ABR. There is no redistribution to OSPF configured. The default cost of the OSPF interfaces.
Verifying a Single Area Configuration

To display information about a particular OSPF area, enter the following command: show ospf area <area identifier> The output displays:

Area ID, area type (stub or normal), and router ID. Number of SPF executions, number of ABRs known, number of ASBRs known, number of LSAs in the LSDB, and the LSA checksum. List of router interfaces (VLANs), the link state, their OSPF state, and the IP address for the DR and BDR.
In the example these values are:

Area ID 0.0.0.0, area type normal, and router ID 2.9.7.1. No known ABRs or ASBRs, number of LSAs in the LSDB is 8. There are 3 router interfaces and OSPF is enabled on all. For the third VLAN the router San Jose itself is the DR, there is no known BDR. This is normal, because San Jose is the only router on this segment at the moment. For the first VLAN the router San Jose is the BDR, the DR has the IP address 10.0.0.2.
50
Figure 28: Verifying the Global OSPF Configuration
Figure 29: Verifying a Single Area Configuration
51
Configuring OSPF
Verifying OSPF Interface Configuration and Neighbor State

To display information about one or all OSPF interfaces, enter the following commands: show ospf interfaces {vlan <vlan name> | area <area identifier>} show ospf interfaces detail There are 2 router interfaces shown.

The first displayed router interface is 10.0.0.1/24, VLAN blue. The area ID is 0.0.0.0 and the router ID is 2.9.7.1. The cost for this link is 10. The priority for the DR election on this interface is 1.
The timers are the default values: Hello 10 seconds, Dead 40 seconds, Retransmit 5 seconds. The Retransmit Interval is the time the router waits until retransmitting routing information if it does not get an acknowledge packet.

Authentication is not used. 10.0.0.2 is the DR on this link. There is one neighbor on this interface
The second displayed router interface is 11.0.0.1/24, VLAN green.

The area ID is 0.0.0.0 and the router ID is 2.9.7.1. The cost for this link is 4. The priority for the DR election on this interface is 1. The timers are the default values: Hello 10 seconds, Dead 40 seconds, Retransmit 5 seconds. Authentication is not used. 11.0.0.2 is the DR on this link. The BDR is the router with IP address 11.0.0.1.
To display information about OSPF neighbors, enter the following commands: show ospf neighbor {routerid [<ip-address> {<ip-mask>} | <ipNetmask>]} {vlan <vlan-name>} {detail} The display shows:

The neighbor router ID. The neighbor synchronization state. The neighbor IP address. The interface that provides the path to the neighbor.
52
Figure 30: Verifying OSPF Interface Configuration
Figure 31: Verifying the OSPF Neighbor State
53
Configuring OSPF
Monitoring the LSDB

To display OSPF link state identifier and router ID for all reachable subnetworks, enter the following command: show ospf {{lstype} {routerid ip-mask>} lsdb {detail | stats} {area [<area-identifier> | all]} [<lstype> | all]} {lsid <lsid-address>{<lsid-mask>}} <routerid-address> {<routerid-mask>}} {interface[[<ipaddress>{< | <ipNetmask>] | vlan <vlan-name>]}
There are 4 router LSAs in London's Link State Database:

London generated one to describe itself, this has link ID 2.9.7.3, Londons router ID. Sanjose generated one to describe itself, this has link ID 2.9.7.1, Sanjoses router ID. Newyork generated one to describe itself, this has link ID 2.9.7.2, Newyorks router ID.
There are 4 network LSAs in London's Link State Database: The network LSA for the Broadcast Network 10.0.0.0/24 is generated by the DR, that is router Sanjose in our example.
54
Figure 32: Monitoring the LSDB
55
Configuring OSPF
Summary
The Configuring OSPF module presents the Open Shortest Path First (OSPF) IP routing protocol. You should now be able to:

Define OSPF as a routing protocol. Identify the advantages of OSPF. Describe the OSPF hierarchy. Define OSPF areas and router types. Describe how OSPF operates. Define Link State Advertisements (LSA) and hello packets. Define Link State Database (LSDB) synchronization. Configure OSPF within a single area. Verify the configuration and operation of OSPF.
56
Figure 33: Summary
57
Configuring OSPF
Lab
Turn to the Open Shortest Path First (OSPF) Configuration Lab in your ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
58
Figure 34: Lab
59
Configuring OSPF
Review Questions
1 How are OSPF Link State Databases synchronized? a Hello packets are passed from adjacent router to adjacent router. b Synchronization packets are passed between adjacent routers. c LSA packets are passed between adjacent routers. d Triggered update packets are passed between adjacent routers.
2 Which of the following commands creates OSPF area 1.0.0.4? a configure ospf area 1.0.0.4 b configure ospf add area 1.0.0.4 c create ospf area 1.0.0.4 d create area 1.0.0.4
3 Which of the following best describes the OSPF stub area? a It must be connected to all areas in an OSPF autonomous system. b External route information is not distributed in this area. c Connected to other areas through ABRs. d External routes originating from an ASBR connected to this type of area can be propagated to other areas.
4 Which of the following commands enables OSPF on VLAN blue? a configure ospf add vlan blue area 0.0.0.0 b configure ospf add vlan blue c configure vlan blue add OSPF area 0.0.0.0 d configure vlan blue add OSPF
5 Which of the following commands displays the OSPF router ID? a show ipconfig b show iproute c show ospf d show fdb
60
6 Which of the following best describes an OSPF ABR? a It is responsible for representing a particular broadcast network. b It has interfaces in both an OSPF routing domain, and a non-OSPF routing domain. c It has all of its network interfaces in the same area. d It has interfaces connected to more than one area.
7 What types of networks use an OSPF designated router? a Point-to-Point b Point-to-Multipoint c Broadcast d Not-so-stubby
8 Which of the following commands shows the OSPF link state identifiers and router ID for all reachable subnetworks? a show ipconfig b show ospf c show ospf lsdb d show ospf area 0.0.0.0
9 Which of the following must be connected to all ABRs in an OSPF autonomous system? a Normal area. b Stub area. c Not-so-stubby area. d Area 0.0.0.0
10 Which of the following best describes the OSPF Autonomous System Boundary Router? a It is responsible for representing a particular broadcast network. b It has interfaces in both an OSPF routing domain, and a non-OSPF routing domain. c It has all of its network interfaces in the same area. d It has interfaces connected to more than one area.
11 Which of the following commands identifies the IP address of the designated router? a show ipconfig b show iproute c show ospf ospfdb d show ospf area 0.0.0.0
61
Configuring OSPF 12 Which of the following best describes an OSPF internal router? a It is responsible for representing a particular broadcast network. b It has interfaces in both an OSPF routing domain, and a non-OSPF routing domain. c It has all of its network interfaces in the same area. d It has interfaces connected to more than one area.
13 Which of the following commands allows non-OSPF routes to be distributed into an OSPF routing domain? a configure ospf export external b configure ospf export c export ospf external d enable ospf export
14 If all the routers have the same router priority, which of the following commands can be used to influence the election of an OSPF designated router? a configure ospf routerid 10.1.6.1 b configure ospf routepriority 1 c configure ospf dr 10.1.6.1 d configure ospf dr 1
15 How many levels of hierarchy does OSPF support? a One b Two c Three d Sixteen
16 Which of the following best describes the unique requirements of OSPF area 0? a It must be connected to all areas in an OSPF autonomous system. b External route information is not distributed in this area. c It is connected to other areas through ABRs. d External routes originating from an ASBR connected to this type of area can be propagated to other areas.
62
17 What do OSPF routers use to discover their neighbors? a Router Link-state Advertisements. b Router discovery packets. c Extreme Discovery Protocol packets. d Hello packets.
18 What is the relationship between autonomous systems and areas? a One autonomous systems can contain multiple areas. b One area can contain multiple autonomous systems.
19 What types of networks use an OSPF designated router? a Point-to-Point b Point-to-Multipoint c Broadcast d Asynchronous
63
Configuring OSPF This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
64
14 Network Login Using Local MAC-Based Authentication
Network Login Using Local MAC-Based Authentication
Student Objectives
Module Description
This module provides you with the information and skills that the network administrator needs to configure Extreme Networks ExtremeXOS network login feature using MAC-based authentication.
Module Objectives

Describe network login. Identify the advantages and disadvantages of the network login feature using MAC-based authentication. Configure network login using local MAC-based authentication. Display network login information and terminate a session.
Prerequisites
Before starting this module, the student should have a basic understanding of data networking, Layer 2 addressing, and the ExtremeXOS implementation of VLANs.
Describe the Network Login Feature

ExtremeXOS supports the network login feature. This feature controls the admission of user packets into a network by allowing traffic from users that are properly authenticated. The network login feature is controlled on a per-port basis and when enabled, that port does not forward any packets until authentication takes place. Network login is capable of three types of authentication:

Web based MAC based 802.1X
Web-Based Authentication
When web-based network login is enabled on a switch port, that port is placed into a non-forwarding state until authentication takes place. To authenticate, a user must open a web browser and provide the appropriate credentials. When credentials approved, the port is placed in forwarding mode. If credentials are not approved, the port remains blocked. The user can logout of the system by submitting a logout request or closing the logout window. Web-based authentication may use HTTP or HTTPS.
MAC-Based Authentication
MAC-based authentication validates the MAC address of the device before it allows traffic from that station to enter the network. MAC address validation may use a local database (one that is located on the switch) or a RADIUS device. The system compares the MAC address of the connecting station against the list of authorized stations in the database. If a matching entry is found, then the station is allowed access to the network.
802.1x Authentication
802.1x authentication is an IEEE standards-based protocol that requires that three components - the accessing network device, the switch, and the RADIUS system - work together to validate the accessing device. This requires support on all three components for the underlying authentication protocols. Once the underlying protocol infrastructure is in place, the system is extremely flexible. Network login allows for multiple web-based, MAC-based, and 802.1X-based supplicants on each port.
Figure 2: Describing the Network Login Feature
Describing MAC-Based Authentication

MAC-based authentication validates the accessing network device based upon all or part of its MAC address.
Advantages
The advantages of MAC-based authentication are that it:

Works with any operating system or network enabled device. Works silently. The user, client, or device does not know that it gets authenticated. Is easy to implement. A set of devices can easily be grouped by the vendor part of the MAC address.
Disadvantages
The disadvantages of MAC-based authentication are that it:
Relies on the MAC address of the client to determine. This makes the network is more vulnerable to spoofing attacks. MAC address database administration may incur a great deal of overhead.
Local Database versus RADIUS database

When comparing using a local database for authenticating MAC addresses to a RADIUS, please take the following into consideration:

Local databases are easy to manage while RADIUS is more complex. Local databases require little additional training to use while RADIUS requires more specialized knowledge. Local databases can be implemented with no new hardware or software while RADIUS requires another network device and specialized software. Local databases require a copy of the database on every switch if the authenticating devices are expected to move while RADIUS provides one centralized database that can be used by all switches. Local databases are typically limited in their extensibility while RADIUS implementations tend to provide greater support for other network devices and protocols. The local database can hold up to a recommended 64 user accounts, while a RADIUS can hold a great deal more.
Figure 3: Describing MAC-Based Authentication
Describing MAC-Based Authentication (Continued)

MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measure, for example an IP phone. If a MAC address is detected on a MAC-based enabled netlogin port, an authentication request will be sent once to the AAA application. AAA tries to authenticate the MAC address against the configured radius server and its configured parameters (timeout, retries, and so on) or the local database. The credentials used for this are the supplicants MAC address in ASCII representation, and a locally configured password on the switch. If no password is configured, the MAC address is used as the password. You can also group MAC addresses together using a mask. You can configure a MAC list or a table of MAC entries to filter and authenticate clients based on their MAC addresses. If there a match is found in the table of MAC entries, authentication occurs. If no match is found in the table of MAC entries, and a default entry exists, the default will be used to authenticate the client. All entries in the list are automatically sorted in longest prefix order. All passwords are stored and showed encrypted. Beginning with ExtremeXOS 11.3, you can associate a MAC address with one or more ports. By learning a MAC address, the port confirms the supplicant before sending an authorization request to the authentication process. This additional step protects your network against unauthorized supplicants because the port accepts only authorization requests from the MAC address learned on that port. The port blocks all other requests that do not have a matching entry.
Figure 4: Describing MAC-Based Authentication (Continued)
Listing the Steps to Implement Network Login Using Local MAC-Based Authentication
The following list provides the steps that you must execute in order to implement MAC-based network login: 1 Create a network login VLAN. 2 Assign a VLAN to network login. 3 Enable MAC-based network login feature on switch. 4 Enable MAC-based network login feature on port. 5 Configure the authorization database order. 6 Create local MAC-based network login users. 7 Verify configuration. 8 Validate configuration.
10
Figure 5: Listing the Steps to Implement MAC-Based Network Login
11
Creating a Network Login VLAN

You need to create a VLAN to support the network login processes. When the network login feature is enabled, the system needs a mechanism to isolate traffic generated by unauthenticated devices from the rest of the network, while enabling the system to provide services to those devices. This is done by creating assigning a VLAN to the network login feature. Some of the processes that service unauthenticated devices are:

DHCP Web authentication MAC authentication NOTE
You cannot enable the network login process until a VLAN is assigned to service it.
Managing the Network Login VLAN

To create a VLAN for use by the network login process, use the following command syntax: create vlan <vlan_name> To assign the newly created VLAN to the network login process, use the following command syntax: configure netlogin vlan <vlan_name> Before creating a VLAN to support the network login feature, you may want to determine which ports are going to support network login. For example; ports 1 to 10 may be dedicated to support Voice-overIP telephones. In this case, you may want to create a new VLAN for those ports to segregate them for the rest of the network. This is to ensure data traffic does not impact the quality of voice traffic. Once you create the VLAN for your voice traffic, you'll need to remove ports 1 to 10 from the default VLAN and assign them to your newly created VoIP VLAN.
12
Figure 6: Creating a Network Login VLAN
13
Enabling Network Login

There are two steps to enabling the network login feature: 1 Enable the network login feature on the switch 2 Activate the network login feature on individual ports To enable MAC-based network login on the switch, enter the following command: enable netlogin mac To activate MAC-based network login on switch ports, enter the following command: enable netlogin ports <port_list> mac Now, whenever a new device connects to a network login activated port, the network login process confines any traffic from that device to the VLAN assigned to the network login process until the device is authenticated.
14
Figure 7: Enabling Network Login
15
Configuring Local MAC Authentication

Now that MAC-based network login is enabled, you need to identify the MAC addresses that are allowed to enter the network. The network login feature allows you to use a local database or a RADIUS server for authenticating the MAC addresses. In fact, you may configure the system to use both the local and RADIUS database, with one database system acting as the primary authentication database, and the other database system acting as a secondary. The secondary database is used in case the primary authentication database fails to authenticate the client. The following command enables you to define the primary and secondary authentication database: configure netlogin authentication database-order The syntax for this command is: configure netlogin [mac | web-based] authentication database-order [[radius] | [local] | [radius local] | [local radius]] For the purposes of configuring the switch to only use the local authentication database, you enter the following command: configure netlogin mac authentication database-order local The above command does not specify a secondary database, so if the local database fails to authenticate the user the authentication process ends.
16
Figure 8: Configuring Local MAC Authentication
17
Adding a MAC-based User to the Local Authentication Database

Now that you've configured the system to use the local authentication database, you will need to identify the MAC addresses that are allowed onto the system. This is done by using the following command syntax: create netlogin local-user <user-name> <password> When instructing the system to validate MAC addresses, you need to substitute the MAC address for the user-name and password. This is an example of how that command would look: create netlogin local-user 0050B60193ED 0050B60193ED NOTE
Remember to omit the colons or other special characters when converting the MAC address to the user-name and password. Also, the alphabetic characters in the MAC address and password must be entered in uppercase.
To view the users that are in the database, enter the following command: show netlogin local-users
18
Figure 9: Adding a MAC-Based User to the Local Authentication Database
19
Verifying Global Network Login Settings

After configuring the network login feature, youll need to verify the configuration to ensure that the configuration is as you intended. To display the current configuration of the MAC-based network login feature, use the following command: show netlogin mac Along with the network login feature's global configuration parameters, the show netlogin mac command also provides the current status of the ports that have been assigned to participate in the network login process. Among other pieces of information, the network administrator can see:

Current VLAN assignment Authentication type MAC address of the device currently attached to the port The authentication status Whether locally authenticated or authenticated through RADIUS The type of process used to authenticate the attached device The name of the user attached to the port, if applicable
20
Figure 10: Verifying Global Network Login Settings
Figure 11: Verifying Global Network Login Settings (Continued)
21
Displaying the System Log

If you are having problems getting the network login feature to work, you can always view the system log for information. In regards to MAC-based network login, the system log shows when connection attempts are made as well as when the user disconnects from the system. Use the following command to verify network login activity by interrogating the system logs: show log messages memory-buffer Here are some example entries from the system log:
03/05/2008 17:12:55.48 <Info:nl.ClientLinkDown> Network Login user 0050B60193ED cleared due to link down event, Mac 00:50:B6:01:93:ED port 15 VLAN Default 03/05/2008 17:12:55.48 <Info:vlan.dbg.info> Port 15 link down 03/05/2008 17:00:46.02 <Info:AAA.logout> User admin logout from serial 03/05/2008 16:40:32.47 <Info:nl.ClientAuthenticated> Network Login MAC user 0050B60193ED logged in MAC 00:50:B6:01:93:ED port 15 VLAN Default, authentication Locally
22
Figure 12: Displaying the System Log
23
Network Login Design Considerations

When designing and configuring network login, please consider the following limitations.
All unauthenticated MACs will be seeing broadcasts and multicasts sent to the port if even a single MAC is authenticated on that port. The local database is limited to a recommended maximum 64 users. Network login must be disabled on a port before that port can be deleted from a VLAN.

A network login VLAN port should not be a part of following protocols: Ethernet Automatic Protection Switching (EAPS) Extreme Standby Router Protocol (ESRP) Spanning Tree Protocol (STP) Link Aggregation NOTE
Netlogin is a network access control feature. This is an edge feature for PC clients. ExtremeXOS does not have protocols that can block port access running same time on same port. For example, you would not want to have STP in forwarding state, but port is block by netlogin.
24
Figure 13: Network Login Design Considerations
25
Local MAC-Based Network Login - Configuration Example

The example on the screen provides a list of the commands that you will need to execute in order to configure a minimal network login implementation.
# -----------------------# Setup the Network Login Feature # -----------------------create vlan "netlogin_vlan" configure netlogin vlan "netlogin_vlan" enable netlogin mac enable netlogin ports 19 mac # -----------------------# Setup the local mac authentication database # -----------------------configure netlogin mac authentication database-order local create netlogin local-user 0050B60193ED 0050B60193ED # -----------------------# Verify the configuration # -----------------------show network mac
26
Figure 14: Local MAC-Based Network Login - Configuration Example
27
Disconnecting Network Login Sessions

Automatic netlogin logouts occur when:

User initiates logout by using the Logout pop-up window User inactivity for the configured session refresh-interval, if session-refresh is enabled Physical link state change on the users port
CLI Network Login Logouts

Terminating a Network Login Session
To terminate a netlogin session from the switch, enter the following command: clear session <number> An administrator-level account can disconnect a management session that has been established. To view active sessions on the switch, enter the following command: show session The show session command lists the following parameters:

The login date and time The user name The type of session
Terminating a Network Login Session Using a Specific Port and VLAN

To terminate a netlogin that uses a specific port and vlan, enter the following command: clear netlogin port <number> vlan <name>
Globally Disabling Network Login

To disable the network login feature on the switch, enter the following command: disable netlogin New users will be prevented from authenticating if netlogin is disabled. Users with authenticated sessions will not be disconnected if disabled, they will be prevented from logging in if they logout. The default value is enabled.
28
Figure 15: Disconnecting Network Login Sessions
29
Summary

Describe network login. Identify the advantages and disadvantages of the network login feature using MAC-based authentication. Configure network login using local MAC-based authentication. Display network login information and terminate a session.
30
Figure 16: Summary
31
Lab
Turn to the Netlogin using Local MAC Address Authentication Configuration Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
32
Figure 17: Lab
33
Review Questions
1 Which of the following is NOT an advantage of using local MAC-based authentication? a Works with any operating system or network enabled device. b Works silently. The user, client, or device does not know that it gets authenticated. c Is easy to implement. A set of devices can easily be grouped by the vendor part of the MAC address.
d MAC address database administration can incur a great deal of overhead. 2 Which of the following scenarios describes when it is appropriate to use MAC-based authentication? a When devices are not aware of authentication protocols b When it is necessary to protect the network from MAC-address spoofing c When authentication needs to be based upon the user regardless of the device they use to log into the network
d When the devices support multiple uses with differing access rights 3 Which of the following most accurately identifies how many ports may be associated with a single MAC address when using MAC-address based authentication? a 1 b 12 c 24 d All of the above 4 Which of the following must occur before the network login feature may be enabled? a All attached network devices must be turned off. b The MAC addresses of all attached devices must be entered into the local database. c A VLAN must be assigned to service the network login feature. d The ports used by the network login VLAN must be removed from the default VLAN. 5 Which of the following command syntax examples identifies the command to assign a VLAN to the network login service? a assign netlogin vlan <vlan_name> b configure netlogin vlan <vlan_name> c netlogn vlan <vlan_name> d configure vlan netlogin add <vlan_name>
34
6 Which of the following commands is used to enable the network login feature using MAC-address based security? a enable netlogin mac b start mac-based netlogin c configure netlogin mac enable d None of the above 7 Which of the following commands activates the network login feature on individual ports? a configure netlogin ports <port_list> mac b enable netlogin ports <port_list> mac c configure ports <port_list> netlogin mac d None of the above 8 Which of the following commands instructs the network login service to only use the local database for authenticating MAC addresses. a configure netlogin database-order local b enable netlogin mac authentication local-only c configure netlogin mac authentication database-order local d None of the above 9 Which of the following rules apply when entering a MAC address into the local database? a Alphabetic characters in the MAC address must be entered in uppercase b Special characters such as colons, dashes, and spaces must be omitted from the MAC address when it is entered into the system c The password that is assigned to the MAC address entry must be identical to the MAC address d All of the above 10 Which of the following commands displays the list of MAC addresses allowed access to this device through the network login service? a display mac-address users b show netlogin local-users c show mac-address users d None of the above 11 Which of the following commands disables the network login service? a disable netlogin b stop netlogin c configure netlogin disable d None of the above
35
Network Login Using Local MAC-Based Authentication 12 Which of the following commands terminates a MAC-address based network login user session? a drop session <number> b clear session <number> c disable session <number> d None of the above
36
37
38
15 Universal Port
Universal Port
Student Objectives
The Universal Port module presents the purpose and function of Universal Port, Universal Port profiles, scripting for Universal Port, and Universal Port Manager. It provides a description of the purpose and underlying technologies used by Universal Portextended CLI scripting, Link Layer Discovery Protocol (LLDP), and Network Login with a RADIUS or other authentication server. It also provides an explanation of Universal Port triggers and profiles. You will learn the steps to configure and verify Universal Port provisioning. Upon completion of this module the successful student will be able to:

Describe the purpose and underlying technologies of Universal Port. List four types of trigger events supported by Universal Port. List three types of authentication supported by Universal Port profiles. List profile rules. List steps to configure and verify Universal Port handset provisioning without authentication and with authentication. List commands used to verify that Universal Port is correctly configured.
Universal Port
Purpose and Function of Universal Port

Universal Port is a powerful framework for event driven activation of CLI scripts or profiles. Universal Port provides time/user/location based dynamic security policies as well as VoIP auto-configuration. It uses standards based authentication (Network Login / 802.1x) and discovery protocols (LLDP and LLDP-MED), time, and log messaging as trigger events. The ExtremeXOS Universal Port framework enables the switch to take actions based on events. Leveraging the ExtremeXOS CLI scripting capability, Universal Port activates profiles that are created and managed either manually via the ExtremeXOS CLI or through the EPICenter Universal Port Manager. Universal Port is primarily used for simplifying edge configuration but can be used for other tasks such as automating conflict resolution, added security, and the reduction of your carbon footprint through scheduled power cycling. Universal Port uses Link Layer Discovery Protocol (LLDP) 802.1AB that allows devices to exchange information about themselves to connected devices on the network. Added security is gained by enabling Network Login and possibly a RADIUS server for authentication prior to granting the device or user access to the network. In its simplest form, Universal Port provides the ability to automatically configure network interface ports on ExtremeXOS switches and automatically provide configuration information to the attached device.
Figure 2: Purpose and Function of Universal Port
Figure 3: Universal Port Description
Universal Port
Underlying Technologies for Universal Port

Universal Port makes use of three underlying technologiesCLI scripting syntax with extended scripting CLI scripting syntax, Link Layer Discovery Protocol (LLDP of 802.1AB), and network authentication through Network Login with a RADIUS or other authentication server.
Extended CLI Scripting Syntax

The ExtremeXOS CLI provides a scripting infrastructure. This capability eases the rollout of networks and reduces configuration errors. Scripting capabilities such as system and user defined environment variables and constructs such as if/then statements and loop creation allow the automation of regular management tasks in scripts. The CLI scripting syntax has been extended for Universal Port and its static and dynamic profile concept. These extensions are:

Non-persistent CLI mode System defined user and device event variables
Link Layer Discovery Protocol (LLDP)

Link Layer Discovery Protocol (LLDP or 802.1AB) is an IEEE standard that allows devices to exchange information about themselves to connected devices. LLDP is a neighbor discovery protocol like Extreme Discovery Protocol (EDP). LLDP defines a standard method for Ethernet network devices such as switches, routers, wireless LAN access points, IP phones, and any other network attached device to advertise information about themselves to other nodes on the network. Information about the network device such as device configuration, capabilities, identification and software version can be advertised using LLDP. This information is passed along using type length value (TLV) fields within the LLDP advertisements. LLDP is an extensible standard, providing a framework for industry consortiums to define application specific extensions without causing compatibility issues. These extensions provide VoIP specific information as well as allow transmission of configuration and location information to VoIP phones. These transmissions include:

Network Policy (which VLAN tag, 802.1p(dot1p), or DSCP, and the phone should use) ECS Location ID (for E911 coordinates or street/building/floor like address), compliant with NENA and TIA-TSB-146 directions. The switch advertises a configurable physical location information to the phone Extended Power-via-MDI (finer grain PoE budget requirement in Watt) Inventory information such as firmware version, serial number, etc. compatibility issues.Underlying Technologies for Universal Port
Network Login and the Radius Server

Network Login enforces authentication before granting access to the network. All packets sent by a client on the port will not get beyond the port to the rest of the network until authentication using RADIUS or other authentication servers occurs.
Figure 4: Underlying Technologies for Universal Port
Universal Port
Authentication with Universal Port

Universal Port works with Network Login which supports three methods of authentication that can be invoked prior to granting access to the network:

802.1x Web-based MAC-based.
All three authentication methods can be enabled individually or together in any combination to provide the smooth implementation of a secured network.
802.1x
802.1x is a standards-based protocol that requires a special client be installed on the device accessing the network. 802.1x is designed as a secure protocol, and uses a number of different secure authentication techniques. ExtremeXOS has been tested against a variety of these techniques, including Message Digest Algorithm 5 (MD5), Protected Extensible Authentication Protocol (PEAP), Transport Layer Security (TLS) and Tunnelled Transport Layer Security (TTLS), supporting password as well as certificate based authentication.
Web-based
The web-based method does not require any specific client side software. Web-based authentication uses standard built-in technologies on clients, such as DHCP and a web browse. Therefore it is an easyto-deploy security mechanism for all client devices that support these technologies. When a web browser requests occurs, an Extreme Networks switch with web-based Network Login enabled will redirect this traffic to the Network Login welcome page. You can configure the login welcome page to post a custom greeting or guest login information for internet access via a dedicated guest VLAN.
MAC-based
The MAC-based authentication method is targeted for networked devices that do not support any 802.1x authentication methods. Devices such as older VoIP phones, printers, IP camera or wireless access points can be authenticated using their MAC address allowing for authentication enforcement on all edge ports in the network. With MAC-based authentication, the frames are forwarded only when the sender (MAC address) is authenticated for that port.
Authentication (e.g., RADIUS) Server Interaction

A common network access, three-component architecture features a supplicant, an access device (switch, access point) and an authentication server (e.g., Remote Authentication Dial in User Service RADIUS). This architecture leverages the decentralized access devices to provide scalable, but computationally expensive, encryption to many supplicants while at the same time centralizing the control of access to a few authentication servers. This centralization of authentication feature makes 802.1x authentication manageable in large installations.
Figure 5: Authentication with Universal Port
Universal Port
802.1x Authentication Process

When Extensible Authentication Protocol (EAP) is run over a LAN, EAP packets are encapsulated by EAP over LAN (EAPOL) messages. The format of EAPOL packets is defined in the 802.1x specification. EAPOL communication occurs between the end-user station (supplicant) and the wireless access point (authenticator). The RADIUS protocol is used for communication between the authenticator and the RADIUS server. The authentication process begins when the end user attempts to connect to the LAN. The authenticator (Extreme Switch) receives the request and creates a virtual port with the supplicant. The authenticator acts as a proxy for the end user, passing authentication information to and from the authentication server on its behalf. The authenticator limits traffic to authentication data to the server. A negotiation takes place, which includes:

The supplicant may send an EAP-start message. The access point sends an EAP-request identity message. The supplicant's EAP-response packet with the supplicant's identity is proxied to the authentication server by the authenticator. The authentication server challenges the client to prove themselves and may send its credentials to prove itself to the client (if using mutual authentication). The supplicant checks the server's credentials (if using mutual authentication) and then sends its credentials to the server to prove itself. The authentication server accepts or rejects the supplicants request for connection. If the end user was accepted, the authenticator changes the virtual port with the end user to an authorized state allowing full network access to that end user. At log-off, the supplicant virtual port is changed back to the unauthorized state.
Configuration with 802.1x Authentication

Here is a flow of the events on the edge switch for an LLDP VoIP phone authenticated with Network Login 802.1x that has a Universal Port profile enabled on the switch port: 1 Once a phone is plugged in, the switch edge port sends an EAPoL start packet which triggers the IP phone to start the 802.1x authentication process. 2 In the standard 802.1x terminology, the IP phone is the supplicant, the switch is the authenticator, and the RADIUS server acts as the authentication server. An exchange of keys occurs and the credentials of the device are checked. Once the phone has been authenticated, the RADIUS server tells the switch which Universal Port scripts to use and the VLAN to place the port into. All of this data is passed using a VSA between the RADIUS server and the switch. 3 Once the switch sees the authentication event and the VSAs from the RADIUS server, the triggering of the Universal Port script occurs and the port is added to the correct VLAN. 4 Once the phone has been authenticated, the phone sends its DHCP requests through the switch to the DHCP server. 5 Once the phone has received an IP address from the DHCP server, the LLDP messages sent by the phone are updated and the provisioning of the phone continues through the Universal Port script. 6 The Universal Port script triggers and the phone is set up along with any PoE settings for the port.
10
Figure 6: Authentication Process
Figure 7: Configuration with 802.1x Authentication
11
Universal Port
Web-Based Network Login Authentication

Because not all devices use 802.1x, the ExtremeXOS operating system also supports web-based Network Login. Web-based login does not require any specific client side software as does 802.1x. Instead webbased login uses standard built-in technologies on clients such as DHCP and a web browser. Web-based login is an easy-to-deploy security mechanism for client devices. After opening a web browser, the user enters a userID/password pair for authentication. Extreme Networks switches redirect traffic to the Network Login welcome page. The login welcome page is configurable to allow a custom greeting or guest login information for network access via a dedicated guest VLAN. This type of login allows machines that are not under the control of an IT department to get network access.
NOTE
Web-based Network Login is an excellent way to deploy 802.1x client software and certificates in a secure fashion on a port without opening up the network. Instead of installing 802.1x client software before turning on Network Login, users can log into the network via the web-based login, be redirected to an IT server to receive instructions on downloading and installing an 802.1x client and any additional software. This process dramatically reduces the costs and complexity of a user authentication rollout in an IT network because installation can be off-loaded to the end user.
NOTE
Beginning with ExtremeXOS Release 12.0, web-based Network Login welcome and authentication failure pages are completely user-configurable including custom graphics and advanced features such as JavaScript code. ExtremeXOS Release 12.0 and later supports any web technology that a client browser supports and does not require HTTP server-based actions.
12
Figure 8: Web-Based Network Login Authentication
13
Universal Port
MAC-Based Authentication
MAC-based Network Login can be used for devices that have no means of performing manual authentication or using certificates. The MAC-based authentication is actually an internal policy processing by the access point. The access point has an internal table of MAC addresses from which the switch allows access to the network. This method provides more flexibility to the Universal Port network login infrastructure. With MACbased Network Login, edge authentication can be turned on at every single port, no matter what connects to the network. Devices such as older VoIP phones, printers, IP camera or wireless access points can be authenticated using their MAC address. This allows for authentication enforcement on all edge ports on the network. MAC-based Network Login can help protect ports that connect devices such as printers or older generation VoIP phones should someone walk up and unplug the device and try to gain access to the network. While not fully secure because of potential MAC spoofing, MAC-based Network Login makes it more complicated for people to hack into the network. In most cases this is sufficient security when combined with physical access restrictions. .
14
Figure 9: MAC-Based Authentication
15
Universal Port
Universal Port Dynamic Security Policies

Dynamic security policies can be deployed via RADIUS Vendor Specific Attributes (VSAs).The Remote Authentication Dial In User Service (RADIUS) server sends requests to either the active directory or Lightweight Directory Access Protocol (LDAP) server for specific user or device access to the network. Dynamic policies can also include rate-limiting, QoS, and dynamic Access Control Lists (ACLs). Dynamic security policies are activated and deactivated based on authentication and hosts connecting or disconnecting from the network.This framework allows for location based policies as the actual implementation of the policy can be changed from port to port.
16
Figure 10: Universal Port Dynamic Security Policies
17
Universal Port
Universal Port Profiles

Universal Port makes port configuration changes either statically or dynamically by applying a profile when triggered by an event This is done through event triggering of ExtremeXOS scripts and dynamic runtime variables. Profiles must not be confused with policies. Policies are special cases for a profile. The term profile is distinct from the term policy because a policy is only one particular application of a profile. A policy usually implies a security rule that takes action on traffic flows. A profile is a variable command set that can take action based on different types of events. For example, a profile can automatically provision a VoIP phone and the attached switch port with appropriate power and Quality of Service (QoS) settings.
Types of Universal Port Profiles

There are two types of profiles you can configure in the system: static and dynamic. You use CLI commands to configure the switch to run a static profile. Dynamic profiles are triggered by a defined set of events, which provide the required set of arguments to help enforce the policy determined by that profile.
Uses for Universal Port Profiles

Before the advent of Universal Port, when devices were added, moved, or changed, IT personnel had to be available to place equipment and then configure both the network port and the new device. These tasks typically took a long time, did not support mobility, and were prone to human error. Static profiles are now used to implement scripts to simplify the administration of complex configuration tasks such as configuring Netlogin.
Creation of Universal Port Policies

Profiles are configured and run via the CLI or by using the Universal Port Manager module in EPICenter.
18
Figure 11: Universal Port Profiles
Figure 12: Universal Port Profile Overview
19
Universal Port
Profile Rules
All profiles have the following restrictions:

Maximum 5000 characters in a profile. Maximum 128 profiles on a switch. Profiles are stored as part of the switch configuration file. Copy and paste is the only method to transfer profile data using the CLI. Unless explicitly stated with the command configure cli mode persistent, configurations set by profiles are non-persistent and cannot be saved to the switch configuration file. NOTE
By keeping the configuration changes invoked by a profile to be non-persistent, you allow the switch to rollback changes. Rolling back changes enables ports to return to their initial state when a config save and then a reboot or power cycle occurs.
Be aware that some commands cannot be run in non-persistent mode, such as those that configure an EAPS ring. These will be saved across a switch reboot even when other commands in the profile are not saved.
20
Figure 13: Profile Rules
21
Universal Port
Static Profiles for Edge Ports

Static profiles are port profiles that include port settings, such as Access Control Lists (ACLs), rate limiting, rate shaping, QoS, VLAN, interface speed, and Power over Ethernet (PoE) budget. Static profiles are not limited to individual ports but can include system wide configuration changes. Static profiles are default settings, and are not event driven. Network administrators create and apply static profiles to a device when needed for configuration. Static profiles are default settings or baselines for ports that leverage ExtremeXOS scripting. Static profiles provide the ability to create common templates and deploy these templates on demand. Changes made by static profiles are persistent, that is, they are saved in the configuration and are preserved during system reboots. Use the static profiles to implement scripts that simplify complex configuration tasks such as Netlogin. Static profiles can be remotely implemented by scripts running locally on the switch. Static profiles allow all CLI commands to be executed. In general, CLI scripts may prove better for this function as they are not bound by the 5K size limit of profiles. When using EPICenter, this functionality is under the config applet called Managed Scripts.
22
Figure 14: Static Profiles for Edge Ports
23
Universal Port
Dynamic Profiles for Devices and Users

Dynamic profiles are scripts that incorporate runtime variables that provide information when a trigger event occurs. Dynamic profiles are event or action driven and do not require an administrator to run the script. This helps you to automate network changes. Universal Port currently supports the following trigger events:
Device detection based on discovery protocols such as IEEE 802.1ab LLDB and ANSI/TIA-1057 LLDP-MED for Voice-over-IP (VoIP) phone devices and other LLDP devices. User login defined by standards-based authentication such as a network login framework with 802.1x support, web-based login, or MAC-based network login Events triggered at particular time of the day Event Management System (EMS) events: other switch events, such as link up, link down, bandwidth exceeded, etc.
Dynamic profiles create temporary states. Information passed to dynamic profiles can be saved in variables and preserved for future use. When a device appears at an edge port, a triggering event occurs that applies a profile to the port and configures it appropriately. Examples of configuration parameters include VLAN, QoS, ACL, PoE and IP Security. When the device is no longer connected, another triggering event occurs to reverse the configuration parameters currently applied. After a reboot the network device is again detected and the dynamic profile is triggered again. By default, universal port profiles run in non-persistent mode. Profiles that run via event triggers are dynamic, which means the universal port prepends the configure CLI mode non-persistent command to each script. These dynamic profile configurations are not restored across configuration changes or reboots on the system. This temporary state is critical for network security. There is no automatic rollback of dynamic profiles. You can roll back the configuration to any previous state by saving information in variables that are retrievable for accomplishing the rollback. The only method of rollback is done by not saving the configuration and rebooting the switch.
NOTE
There is no profile hierarchy, which means administrators must verify there are no conflicting rules in static and dynamic profiles. This is a normal requirement for ACLs, and is standard when using policy files or dynamic ACLs.
There is no profile hierarchy. You should not configure conflicting profiles that might create different results, based on the sequence of events.
24
Figure 15: Dynamic Profiles for Devices and Users
25
Universal Port
Events that Dynamically Trigger Profiles

With Universal Port, configuration changes can be applied to or removed from a port based on profiles activated or deactivated by a trigger. When a trigger event occurs, a profile associated with the trigger is executed. Triggers respond to events such as device detection using LLDP, user authentication onto the network via network login, a timer event, or a predefined EMS event. Data from these events can be used to select specific profiles and even make decision points within profiles. A typical example is the use of a RADIUS server to specify a particular profile and then applying port-based policies to that user based on location. An administrator can assign dynamic profiles to a trigger event via the ExtremeXOS CLI or the EPICenter Universal Port Manager. Commands that are supported by dynamic profiles include VLAN port assignments, QoS settings, rate limiting capabilities of the port, PoE budget and dynamic ACLs. These parameters are not saved in the switch configuration.
Types of Dynamic Profiles

There are four types of dynamic profiles. These are:

Device-based User-authenticated Time-of-day Event Management System
These are explained on the next few slides.
26
Figure 16: Events that Dynamically Trigger Profiles
Figure 17: Types of Dynamic Profiles
27
Universal Port
Dynamic Device-Based Profile

A variety of different devices can be connected to a port. When Layer Discovery Protocol (IEEE 802.1AB, LLDP) devices connect to the network, Universal Port helps provide the right configuration at the port. The dynamic profile is called when the specific trigger event occurs. Triggers are defined sets of events with arguments to enforce policies. Only LLDP devices are detected and undetected as trigger events for the device-based profile. There can only be one profile for the device-detect event trigger per port. This is important because there is no capability or external entity such as a RADIUS server that distinguishes the connecting device as part of the event trigger. Instead, the switch receives this information as part of the event data itself. Because individual ports can only have one device-detect profile, if-then-else statements in profiles along with detailed information provided through LLDP can be used to distinguish between connecting devices. For example, Voice-over-IP (VoIP) phones can send and receive information in addition to normal device identification information. The information sent through LLDP can be used to identify the maximum power draw of the device. The switch can then set the maximum allocated power for that port. If the switch does not have enough PoE left, the switch can advise certain handsets to switch to a lower power mode and try again. The switch can also transmit additional VoIP files and call server configuration information to the phone so the phone can register itself and receive necessary software and configuration information. To test a profile or execute a profile, use the following command: run upm profile <profile-name> {event <event-name>} {variables <variablestring>} Example: run upm profile afterhours If the variables keyword is not present but an event variable is specified in the profile, the ExtremeXOS prompts for environmental variables appropriate to the event, including the VSA string for user authentication.
NOTE
Variables are not validated for correct syntax.
To view profile history, use the show upm history command.
28
Figure 18: Dynamic Device-Based Profile
29
Universal Port
Example of Device-Based Dynamic Profile

The slide shows an example of a device-based dynamic profile using a Voice-over-IP phone. You can create this dynamic device profile by customizing an existing profile. For example, you can use the profile for an Avaya phone which is part of the Universal Port Handset Provisioning Module. Dynamic profiles can be downloaded from an Extreme website, received from another Extreme user or partner, written by Extreme Networks professional services or partner, or be written by the you as the end user. You can write a dynamic device profiles with any editor, including the ExtremeXOS edit capability in the switch. You then cut-and-pasted the content into the CLI. You can be also create a profile with a sophisticated GUI such as the EPICenter Universal Port Manager. With the Universal Port Manager you can store profile templates and then later, customize these templates to your specific needs and environment. You can push profiles out onto the network to lists of ports for massive deployment. Later when you want to update or enhance those profiles, you can use the Universal Port Manager to refresh the same set of ports.
Implementing a Device-Based Dynamic Profile

This slide shows two phases of Dynamic Profile creation: the Preparation and the Operation.
Preparation Phase (Steps 1 and 2)

In the preparation phase the activities only happen once. These are shown on the left side of the slide. 1 The administrator configures policies and profiles. 2 The administrator pushes out the policies and device profiles into the network so that it is stored and enabled on specific ports.
Operation Phase (Steps 3, 4, and 5)

In the operation phase the activities happen many times. These activities occur during runtime. These are shown on the right side of the slide. 3 Any end user plugs in an LLDP Voice over IP phone. The phone starts an 802.1x authentication based on a personal user name and password given to the end user with the phone. This authentication step is available and supported by the latest Avaya firmware releases and other vendors such as Mitel. This authentication step protects the network from spoofing attacks that can occur if authentication is not performed before LLDP advertising. 4 After the successful authentication event, the switch enables LLDP and starts interpreting the information sent by the phone. The phone specifically advertises its PoE budget needs, serial number, and detailed model information. This information allows the switch to configure the edge port automatically. The switch then allocates the Power-over-Ethernet budget, moves the port into the correct voice VLAN, and configure QoS for voice on the port. 5 The switch begins advertising additional information to the phone. With this additional information, the phone goes through a boot-strap mechanism to tag traffic for QoS as well as the VLAN, and where to find the call server to download any additional configuration information. The phone also now gets its physical location based on the E911 emergency location information advertised by the switch.
30
Figure 19: Example of Device-Based Dynamic Profile
31
Universal Port
Dynamic User-Authentication Profile

When using dynamic user-based security policies, implementation details are stored directly on the switch. There is no dependency on anything in the critical path. After a RADIUS server is configured and running, the RADIUS server specifies the policy to be applied as part of the authentication response packet through a RADIUS Vendor Specific Attribute (VSA). The switch takes this information and executes the correct dynamic profile. The RADIUS server can be in proxy mode with information stored in a central directory service such as LDAP or Active Directory
32
Figure 20: Dynamic User-Authentication Profile
33
Universal Port
Example of User-Authenticated Dynamic Profile

The slide illustrates how user profiles are managed. Like device-based dynamic profile, userauthenticated also have two phases: Preparation and Operation. Universal Port uses 802.1xauthenticated LLDP.
Implementing a User-Authenticated Dynamic Profile

The slide shows the two phases of Dynamic Profile creation: the Preparation and the Operation.
Preparation Phase (Steps 1 and 2)

These activities only happen once. These actions are shown on the left side. 1 The administrator configures user group policies (VLANS, ACLs, port speed, 802.1p, priority, etc. 2 The administrator pushes policies and profiles to the switch. The administrator pushes out profiles and assigns profiles to edge ports. You can prepare the profiles with EPICenter Universal Port Manager. However, you can also prepare the profiles manually through the CLI, switch by switch.
Operation Phase (Steps 3, 4, and 5)

These activities happen many times during runtime. These are shown on the right. 3 The user logs onto the network. The switch passes the information up to the RADIUS server. Network Login enforces authentication before granting access to the network. This early authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. All packets sent by a client on the port do not go beyond the port into the network until authentication using a RADIUS server occurs. In many cases, the RADIUS server interacts with a central data repository for user authentication such as Active Directory or an LDAP directory without putting the burden of the LDAP protocol into the network infrastructure. When a VoIP phone is connected to the network, a PC or laptop can connect to the network through a data port on that VoIP phone. This means the VoIP phone and the PC must be identified individually and both must be authenticated separately. This is known as multiple supplicant support. NOTE
Some vendors use the term multiple supplicant without allowing separate authentication. These vendors simply blackhole the traffic of the second MAC address and do not let the second device pass authentication. Even worse, other vendors take a different approach and allow all traffic from any additional device through after the first device has been authenticated on a port, leaving the network wide open.
4 The RADIUS server pushes out user group information via Vendor Specific Attributes (VSAs) and sends the policy name and any additional ExtremeXOS settings or information in the user profile. 5 The switch configures the port according to the triggered profile. The switch moves the port into the correct VLAN (for example an Engineering VLAN) and configures ACLs to specific servers or to specific application types such as enabling CVS access, configuring port interface speed, and/or configuring QoS for that port.
34
Figure 21: Example of User-Authenticated Dynamic Profile
35
Universal Port
Dynamic Time-of-Day Profile

Integration with a timer event provides time-based policies, such as disabling wireless access after business hours. When authenticating to the network, user-based login can be combined with a timer trigger. Combining user authentication with time triggers puts different user policies in place based on the time of day. Universal Port triggers are then used to modify the assignment and implementation of user-based security policies. Timers implement time-of-day profiles that can have various applications. For example, these profiles can be used to disable guest VLAN access after business hours, shut down a wireless service or power down a port. Access point being powered down can apply to a given time of the day or over a time span. Time-of-day profiles are flexible and are not limited to just dynamic profile CLI commands. Time-ofday profiles can use any command in the ExtremeXOS CLI, as long as it is understood that the change is permanent. This feature allows timed backups for configurations, policies, statistics, and so forth. Anything that needs to happen on a regular basis or at a specific time can be incorporated into a timeof-day profile.
36
Figure 22: Dynamic Time-of-Day Profile
37
Universal Port
Dynamic Event Management System Profile

You can configure profiles to run when specific EMS events occur. As with device- and user-triggered profiles, EMS-triggered profiles can run CLI scripts that change the switch configuration. The EMS events that trigger UPM profiles are defined in EMS filters and can be specified in more detail with additional CLI commands. You can create EMS filters that specify events as follows:

Component.subcomponent Component.condition Component.subcomponent.condition
You can use the show log components command to display all the components and subcomponents for which you can filter events. If you specify a filter to take action on a component or subcomponent, any event related to that component triggers the profile. You can use the show log events all command to display all the conditions or events for which you can filter events. If you decide that you want to configure a profile to take action on an ACL policy change, you can add a filter for the ACL.Policy.Change event. You can further define an event that triggers a UPM profile by specifying an event severity level and text that must be present in an event message. When a specified event occurs, event information is passed to the UPM profile in the form of variables, which can be used to modify the switch configuration in CLI scripts. EMS-triggered profiles allow you to configure responses for any EMS event listed in the show log components and show log filters all commands. However, you must be careful to select the correct event and corresponding response for each profile. For example, if you attempt to create a UPM log target for a specific event (component.subcomponent.condition) and you accidentally specify a component (component), the profile is applied to all events related to that component. Using EMStriggered profiles is similar to switch programming. They provide more control and more opportunity for misconfiguration.
38
Figure 23: Dynamic Event Management System Profile
39
Universal Port
Running a Profile
After you create a profile you need to test its functionality. Use the following command with the correct profile name and variables to conduct the test. run upm profile <profile-name> {event <event-name>} {variables <variablestring>} Example: run upm profile afterhours If the variables keyword is not present but an event variable is specified in the profile, the ExtremeXOS prompts for environmental variables appropriate to the event, including the VSA string for user authentication.
NOTE
Variables are not validated for correct syntax.
To view profile history, use the show upm history command. show upm history
40
Figure 24: Running a Profile
41
Universal Port
Scripting for Universal Port

Profiles are the scripts that are applied as part of the port configuration when using Universal port. You can create profiles for Universal Port with either the CLI or by using the Universal Port Manager in EPICenter. Sample scripts (profiles) are included in Chapter 20, Universal Port of the ExtremeEXOS Concepts Guide and in Chapter 12 Universal Port Manager of the EPICenter Concepts and Solutions Guide. Use these sample scripts and examples of configuration steps to create your own configuration for Universal Port on your switch.
Creating Profiles
Profiles can be created in one of two ways:

With the command line interface (CLI) With EPICenter (GUI interface)
42
Figure 25: Scripting for Universal Port
Figure 26: Creating Profiles
43
Universal Port
Device Detect Configuration: without Authentication

The following example is for configuring LLDP enabled VoIP phones without network authentication. Verify that all the necessary devices, servers, and correct software versions are available.

Avaya phone FW Revision: 2.6 or greater (LLDP device) EXOS version: 11.6.1.9. or greater on the switch DHCP Server TFTP Server Call Server
Configuration Process
The sequence of events that needs to occur is as follows: 1 Create the VLAN for the VoIP network. Assign the IP address/subnet to this VLAN either statically or through the DHCP server configuration. Do not assign any ports to this VLAN. 2 Create the Universal Port profile to be triggered by the DEVICE-DETECT event, using the following command syntax: create upm profile <profile name>. Upon the device detection event, this profile

Adds the detected port to the device profile port list. Adds the detected port to the proper VoIP VLAN. Configures the LLDP options that the phone needs. Configures the PoE limits for the port based on the phone requirement.
3 Create the device-undetect profile on the switch. Upon a device-undetect event (removal of the device), this profile

Removes the port from the profile port list. Deletes the port from the VLAN. Unconfigures the inline-power operator-limit and creates log entry. Port PoE settings are cleared. Creates log entry that port is cleared
4 Assign the device-detect profile to the desired edge ports Profile is linked to specific ports. 5 Assign the device -undetect profile to the desired edge ports. Profile is linked to specific ports. 6 Check that the Universal Port profiles are assigned correctly with the following command show upm profiles The output shows the UPM profiles on the switch, the events that trigger them, whether the profile is enabled or disabled, and the ports where the profile is applied. 7 Enable LLDP on the ports with the following command enable lldp <switch name> <port numbers> This configures the ports on the switch to transmit, receive, and store lldp information. 8 Plug the phone into the network and test. Detail information and examples of the above steps are found in the Chapter 20, Universal Port of the ExtremeEXOS Concepts Guide.
44
Figure 27: Device Detect Configuration: without Authentication
45
Universal Port
Device Detect Configuration: with Authentication

The following example is for configuring LLDP enabled VoIP phones without network authentication. Verify that all the necessary devices, servers, and correct software versions are available.

Avaya phone FW Revision: 2.7 or greater (LLDP device) EXOS version: 11.6.1.9. or greater RADIUS Server DHCP Server TFTP Server Avaya Call Server
Configuration Process
Use the following procedure to configure the universal port for authentication (user login): 1 Configure the RADIUS server for the user ID and password pair. You must edit the users file located at /etc/raddb/users to add the default user and passwords. 2 Define Extreme Networks custom VSAs on the RADIUS server. For FreeRADIUS, edit the dictionary file located at //etc/raddb/dictionary 3 Add the switch as an authorized RADIUS client: For FreeRADIUS, edit the file located at //etc/raddb/clients.conf 4 Create the universal port profile for user-authenticate on the switch that does the following:

Adds the detected port to the device "unauthenticated" profile port list Configures the LLDP options that the phone needs Unconfigures LLDP port Unconfigures the inline-power operator-limit and creates log entry and clears Port PoE settings Creates log entry that port is cleared
5 Create the universal port profile for user-unauthenticate on the switch that does the following:

6 Configure RADIUS on the edge switch. 7 Configure network login on the edge switch. You choose what type of authentication: 802.1x, MAAC-based, or web-based. 8 Assign the user-authenticate profile to the desired edge port. Configure ports where profile will be applied when selected event occurs. 9 Assign the user-unauthenticate profile to the desired edge port. Configure ports where profile will be removed when selected event occurs 10 Check that the correct profiles are assigned to the correct ports: show upm profile This shows the number of UPM profiles on the switch and events that trigger them, whether the profile is enabled or disabled, the ports where the profile is applied, and the event name for each. 11 Enable LLDP message advertisements on the ports. 12 Test the setup. Detail information and examples of the above steps are found in the Chapter 20, Universal Port of the ExtremeEXOS Concepts Guide.
46
Figure 28: Device Detect/Undetect Configuration: with Authentication
47
Universal Port
Universal Port Verification Commands

Plug the device in the port and test the configuration. The following commands can be used to help ensure that everything works correctly: show lldp This displays various LLDP configuration settings for the ports. show lldp detailed This displays information that the port transmits out via LLDP. show lldp neighbors This displays information related to LLDP neighbors: IP address, MAC, TTL, and elapsed time since receiving the last LLDP messages. show log match upm This displays upm messages in the system log show upm history This displays event triggers and profiles applied. show upm history detail This displays status of each line executed in the script. show upm profiles This displays the names of the profiles on the system and their status, active or disabled. show upm timer This displays a list of the Universal Port timers on the system and some of their configuration information. show netlogin This displays status information for all Network Login authentication methods.
48
Figure 29: Universal Port Verification Commands
49
Universal Port
Universal Port Modules

The Handset Provisioning Module is an easy way to set up Universal Port for use with LLDP devices. It incorporates ExtremeXOS scripts to configure network edge ports automatically for VoIP service. These are based on device discovery for multi-vendor IP Telephony devices.The Handset Provisioning Module supports Avaya, ShoreTel, Nortel, Cisco, and Mitel phones and can be modified for other handset vendors. To provision the handsets, you need to download the scripts, set variables, select devices and ports, and deploy and enable these profiles. Profiles can be applied through the CLI or through the EPICenter Universal Port Manager. These profiles support multiple devices on a single port, allocating devices into appropriate VLANs with correct QoS attributes. Phones and connecting ports are automatically configured through standardsbased authentication and discovery protocols. The following components are required to implement the module:

ExtremeXOS 11.6 or later (if you are using EPICenter, you need ExtremeXOS 12.0 or later) RADIUS server for user authentication Appropriate firmware for handsets PoE switches for PoE phones
To configure: 1 Download and customize the profile 2 Set variables 3 Deploy the profiles to your switches

Select profile and switches to deploy Select ports Send profiles to switches and enable
The Handset Provisioning Module contains three generic scripts:

Script for device detection for phones with LLDP protocol Script for user authentication Script for Avaya special phones (phones that support 802.1x & LLDP)
50
Figure 30: Scripted Universal Port Modules
51
Universal Port
Universal Port Manager

Universal Port Manager makes the manageability easier for the Universal Port feature of the EXOS switches across the entire network. Universal Port Manager is based on CLI Scripting capabilities in the ExtremeXOS software. The EPICenter Universal Port Manager (UPM) is available from EPICenter 6.0 Service Pack 1. To run UPM, you need EPICenter Base 250 license and Advanced Upgrade license. When the Universal Port Manager is installed on the EPICenter server, the Profiles icon appears in the Navigation Toolbar on the left of your EPICenter client. If no icon is present, it indicates that you do not have a valid license or you have an earlier version of EPICenter. The EPICenter Universal Port Manager is organized into three functional areas:
The Network Profiles View; where you can view, enable, disable, edit configuration, run, and delete the profiles deployed on the Extreme devices. You can also change the profile event binding or port binding configuration on switches. The Managed Profiles View; where you can import, export, create, view, edit, save, delete, test, and deploy profiles. The Audit Log View; where you can view the profile actions done on the network devices by EPICenter, and redeploy profiles to the devices on which you had deployed profiles earlier.
The following list includes some of the tasks you can accomplish using EPICenter Universal Port Manager:

Setup an automatic VoIP network. Setup a secured network; where traffic flow, bandwidth, and access control is reinforced dynamically. Do network provisioning.
52
Figure 31: Universal Port Manager - GUI Configuration
Figure 32: Universal Port Manager
53
Universal Port
Universal Port References

This module presents many topics related to the configuration and operation of Universal Port on your Extreme Networks switches. Since by definition, Universal Port offers a great many options on how you can configure your ports, specific examples have not been included here. In the following locations you can find and download detailed examples of several configuration options to guide you during set up of your ports to take advantage of this feature. http://www.extremenetworks.com/solutions/automation/operations-modules.aspx http://www.extremenetworks.com/solutions/automation/automation-framework.aspx http://www.extremenetworks.com/services/software-userguide.aspxWhat
54
Figure 33: Universal Port References
Figure 34: Universal Port References
55
Universal Port
Summary
This Universal Port module provided an overview of the underlying technology of Universal Port, how it interacts with authentication for users and devices accessing the switch, types of profiles and their use, how profiles are activated, how to run a profile, where to find sample scripts, and the steps to configure Universal Port for your access requirements. You should now be able to:

Describe the purpose and underlying technologies of Universal Port. List four types of trigger events supported by Universal Port. List three types of authentication supported by Universal Port profiles. List profile rules. List steps to configure and verify Universal Port handset provisioning without authentication and with authentication. List commands used to verify that Universal Port is correctly configured.
56
Figure 35: Summary
57
Universal Port
Lab
Turn to the Universal Port Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
58
Figure 36: Lab
59
Universal Port
Review Questions
1 What are the three underlying technologies that Universal Port is built upon? a Extended CLI scripting syntax, LLDP (802.1AB), and Network Authentication through Network Login and a RADIUS server. b LLDP (802.1AB), Network Authentication through Network Login and a RADIUS server, and SNMP. c Extended CLI scripting syntax, Network Authentication through Network Login and a RADIUS server, and SNMP.
d Extended CLI scripting syntax, LLDP (802.1AB), and SNMP.
2 What protocol enables devices to advertise their capabilities and media specific configuration and learn the same from the devices networked to it? a DHCP b LLDP c RIP d EAPS
3 Which of the Profile rules stated below is NOT true? a Profiles are non-persistent by default b Profiles are stored on the RADIUS server c Profiles cannot exceed 5000 characters d There is a limit of 128 Universal Port profiles per switch
4 What is a benefit of using Universal Port in static mode? a New devices are automatically configured. b You can apply multiple profiles on the same port. c The profile can include system wide configuration changes. d Only a few CLI commands cannot be used.
5 The profile type that is most prone to misconfiguration is a Time-of-day b User-based authenticated c Event Management System d Dynamic device-detect
60
6 What command shows you the Universal Port event triggers and profiles on an Extreme Networks' switch? a show upm profiles b show log match upm c show lldp neighbors d show history
61
Universal Port This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
62
16 Policy-Based QoS
Policy-Based QoS
Student Objectives
Upon completion of this module, you should be able to:
Define QoS and describe:

Two major benefits of QoS Five major traffic types Policy-based QoS How to configure QoS profile How to monitor and modify QoS policy IP-based (ACL) Destination MAC address Explicit Class of Service Physical and logical groupings
Describe the types of traffic grouping:

Policy-Based QoS
What is Quality of Service?

QoS is a set of protocols and mechanisms that facilitate the delivery of delay and bandwidth sensitive material across data networks. QoS in the Ethernet networks is fundamentally creating unequal access in an essentially equal access network. QoS only manages bandwidth according to application demands and network management settings. Policy-based Quality of Service (QoS) is a feature of Extreme XOS and the Extreme Networks switch architecture that allows you to specify different service levels for traffic traversing the switch. Policybased QoS allows you to protect bandwidth for important categories of applications or to specifically limit the bandwidth associated with less critical traffic. Using Policy-based QoS, you can specify the service level that a particular traffic type receives. For example, if voice-over-IP (VoIP) traffic requires a reserved amount of bandwidth to function properly, using policy-based QoS, you can reserve sufficient bandwidth critical to this type of application. Other applications deemed less critical can be limited so as to not consume excessive bandwidth.
Switch Platforms and QoS

The architecture of the ExtremeXOS switches varies. Some units have two hardware queues, while others have as many as eight. Hardware queues are configured by the network administrator using Extreme XOS. There are specific parameters that modify the forwarding behavior and affect how the switch transmits traffic for a given queue on a physical port.
QoS and Class of Service (CoS)

Class of Service (CoS) requests a specific service-level for a traffic flow. CoS does not provide any assurance of guaranteed bandwidth or network service. QoS examines the assigned CoS and processes the flow with the goal of meeting the service-level requirements assigned by the network administrator.
NOTE
Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.
Figure 2: What is Quality of Service
Figure 3: Policy-Based QoS
Policy-Based QoS
When Do You Need QoS?

When network traffic needs a guarantee of underlying network performance, QoS provides a solution. This typically relates to the amount of bandwidth required, but other factors, such as priority, are also taken into account. QoS based networks enable administrators to manage application traffic with a great degree of control. In this environment, an application is assured that its requirement for bandwidth, priority, latency and delay can be provided
NOTE
QoS does not increase the available bandwidth; it ensures that it is used in a controlled manner. The network designer still has to make sure that the network has sufficient capacity and throughput to deliver the service required.
Figure 4: When Do You Need QoS?
Policy-Based QoS
Two Major Benefits of QoS

Latency Control
Latency, a synonym for delay, describes how much time it takes for a packet of data to get from one point to another. Jitter is the variation in the time between packets arriving. Latency control provides consistent end-to-end delay to traffic flows. The most important QoS parameter for a delay sensitive application is minimum bandwidth, followed by priority. QoS provides control over bandwidth availability to ensure that latency parameters are met. Latency sensitive applications include:

Desktop Video Conferencing Multicast Streaming Video Real-Time Data Feeds SNA, TN3270
Congestion Management
Another benefit of QoS is its ability to manage the sharing of available bandwidth between different types of traffic. This is typically by allocating a maximum or minimum percentage of the available bandwidth to a specified class of traffic. The example highlights the QoS ability to allocate specific bandwidth to different traffic groups. QoS can only share what is available; the network designer has to ensure that the overall bandwidth is adequate.
Figure 5: Two Major Benefits of QoS
Policy-Based QoS
Traffic Types and QoS Guidelines

General guidelines for each traffic type are given. When setting QoS parameters, you should consider bandwidth needs, sensitivity to latency and jitter, and sensitivity to packet loss.
Voice Applications
Voice applications, or voice over IP (VoIP), typically demand small amounts of bandwidth. However, the bandwidth must be constant and predictable because voice applications are typically sensitive to latency (inter-packet delay) and jitter (variation in inter-packet delay). The most important QoS parameter to establish for voice applications is minimum bandwidth, followed by priority.
Video Applications
Video applications are similar in needs to voice applications, with the exception that bandwidth requirements are somewhat larger, depending on the encoding. Key QoS parameters for video applications include minimum bandwidth and priority, and possibly buffering (depending upon the behavior of the application).
Critical Database Applications

Database applications typically do not demand significant bandwidth and are tolerant of delay. You can establish a minimum bandwidth using a priority less than that of delay-sensitive applications.
Web Browsing Applications

QoS needs for web browsing applications can not be easily categorized. Enterprise resource planning (ERP) front end applications may require minimum bandwidth, while basic web browsing may require maximum bandwidth.
File Server Applications

File serving typically poses the greatest demand on bandwidth, although file server applications are very tolerant of latency, jitter, and some packet loss (depending on network OS and use of TCP or UDP).
NOTE
Full-duplex links should be used when deploying policy-based QoS. Half-duplex operation on links can make delivery of guaranteed minimum bandwidth impossible.
10
Figure 6: Traffic Type and QoS Guidelines
11
Policy-Based QoS
Policy-Based QoS Support on an Extreme Network Switch

The main benefit of QoS is that it allows you to have control over the types of traffic that receive enhanced service from the system. An Extreme Network switch can:
Assign different service levels to traffic by specifying bandwidth management and prioritization parameters to hardware queues
Track and enforce minimum and maximum percentage of bandwidth utilization, transmitted on every hardware queue, for every port. Prioritize bandwidth use, when two or more hardware queues on the same physical port are contending for transmission (as long as their respective bandwidth management parameters are satisfied)
12
Figure 7: Policy-Based QoS Support on an Extreme Network Switch
13
Policy-Based QoS
Configuring Policy-Based QoS

Assigning QoS attributes is a three-step process. To configure QoS, you first define how your switch responds to different categories of traffic by creating and configuring QoS profiles. You then group traffic into categories and assign each category to a QoS profile. Finally, you apply the QoS policy and monitor the performance of the application to determine whether the policies are achieving the desired results: 1 Configure the QoS profile. QoS profile The level of service that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS profile. The names of the QoS profiles are QP1 through QP8; these names are not configurable. 2 Create traffic groupings. Traffic grouping Classification of traffic types that have one or more attributes in common. Some attributes include:

a physical port a VLAN IP Layer 4 port information
Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, resulting in sharing the class of service. 3 Apply QoS policy. QoS policy The combination that results from assigning a traffic grouping to a QoS profile.
14
Figure 8: Configuring Policy-Based QoS
Figure 9: QoS Building Block: QoS Profile
15
Policy-Based QoS
Considerations When Configuring QoS on the BlackDiamond 8800, Summit X450, and Summit X250 Switches
The BlackDiamond 8800 series switches, Summit X450, and the Summit X250 switches allow dynamic creation and deletion of QoS queues, with Q1 and Q8 always available.
NOTE
The sFlow application uses QP2 to sample traffic on the BlackDiamond 8800 family of switches and the Summit X450 switch. Any traffic grouping using QP2 may encounter unexpected results when sFlow is enabled.
The following considerations apply only to QoS on the BlackDiamond 8800 family of switches and the Summit X450 and Summit X250 switches:
The BlackDiamond 8800 family of switches and the Summit X450 and Summit X250 switches do not support QoS monitor. The following QoS features share resources on the BlackDiamond 8800 family of switches and the Summit X450 switch and Summit X250:

ACLs DiffServ dot1p VLAN-based QoS Port-based QoS
You may receive an error message when configuring a QoS feature in the above list on the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch; it is possible that the shared resource is depleted. In this case, unconfigure one of the other QoS features and reconfigure the one you are working on. When a node is operating in stacking mode, QoS profiles QP6 and QP7 are reserved for the stacking function and cannot be created.
16
Figure 10: Considerations When Configuring QoS on the BlackDiamond 8800, Summit X450, and Summit X250 Switches
17
Policy-Based QoS
Creating and Configuring Queues and Profiles on the BlackDiamond 8800 and Summit X450/X250 Switches
The BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch have two default queues, QP1 and QP8. QP1 has the lowest priority, and QP8 has the highest priority. You can configure up to six additional QoS profiles, or queues, on the switch, QP2 through QP7. You can also modify the default parameters of each QoS profile. The names of the QoS profiles, QP1 through QP8, are not configurable. A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. The default QoS profiles, QP1 and QP8, cannot be deleted. The parameters that make up a QoS profile on the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch include:
BufferThis parameter is the maximum amount of packet buffer memory available to all packets associated with the configured QoS profile within all affected ports. All QoS profiles use 100% of available packet buffer memory by default. You can configure the buffer amount from 1 to 100%, in whole integers. NOTE
Use of all 8 queues on all ports may result in insufficient buffering to sustain 0 packet loss throughput during full-mesh connectivity with large packets.
WeightThis parameter is the relative weighting for each QoS profile; 1 through 16 are the available weight values. The default value for each QoS profile is 1, giving each queue equal weighting. When you configure a QoS profile with a weight of 4, that queue is serviced 4 times as frequently as a queue with a weight of 1. However, if you configure all QoS profiles with a weight of 16, each queue is serviced equally but for a longer period of time.
Finally, you configure the scheduling method that the entire switch will use to empty the queues. The scheduling applies globally to the entire switch, not to each port. You can configure the scheduling to be strict priority, which is the default, or weighted round robin. In the strict priority method, the switch services the higher-priority queues first. As long as a queued packet remains in a higher-priority queue, any lower-priority queues are not serviced. If you configure the switch for weighted-round-robin scheduling, the system services all queues based on the weight assigned to the QoS profile. The hardware services higher-weighted queues more frequently, but lower-weighted queues continue to be serviced at all times. The settings for the default QoS parameters on the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch are summarized in the following table.
18
Figure 11: Creating and Configuring Queues and Profiles on the BlackDiamond 8800 and Summit X450 / X250 Switches
Table 1: Default BlackDiamond 8800, Summit X450, and Summit X250 Switches - QoS Parameters
Profile name QP1 QP8 Priority Low High Buffer 100% 100% Weight 1 1
19
Policy-Based QoS
Creating a QoS Profile (BlackDiamond 8800, Summit X450, and Summit X250 Switches)
To create a QoS profile, enter the following command: create qosprofile [qp2 | ap3 | qp4 | qp5 | qp6 | qp7] To delete a QoS profile, enter the following command: delete qosprofile [qp2 | ap3 | qp4 | qp5 | qp6 | qp7] You cannot delete the default QoS profiles QP1 and QP8.
Configuring QoS Profile Weight

To modify the QoS profile weight, type the following command: configure qosprofile <qosprofile> {maxbuffer <percent>} {weight <value>} The maxbuffer parameter configures the maximum amount of packet buffer, by percentage, that the packets associated with the specified QoS profile can consume. Regardless of the setting for this parameter, the system does not drop any packets as long as packet buffer memory remains available and the current buffer use of the specified QoS profile is below the specified maxbuffer setting. The weight parameter configures the relative weighting for each QoS profile. Because each QoS profile has a default weight of 1, all QoS profiles have equal weighting. If you configure a QoS profile with a weight of 4, that specified QoS profile is services 4 times as frequently as the remaining QoS profiles, which still have a weight of 1. If you configure all QoS profiles with a weight of 16, each QoS profile is serviced equally but for a longer period.
20
Figure 12: Creating a QoS Profile and Configuring a Profile Weight (BlackDiamond 8800, Summit X450, and Summit X250 Switches)
21
Policy-Based QoS
QoS Profiles on the BlackDiamond 10808 Switch

The BlackDiamond 10808 switch has eight hardware queues for each egress port. The QoS profiles, QP1 to QP8, map to these hardware queues and cannot be deleted. The parameters that make up a QoS profile on the BlackDiamond 10808 switch include:
Minimum bandwidthThe minimum total link bandwidth that is reserved for use by a hardware queue on a physical port. The minimum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute committed rates in Kbps or Mbps. Bandwidth unused by the queue can be used by other queues. The minimum bandwidth for all queues should add up to less than 100%. The default value on all minimum bandwidth parameters is 0%. Maximum bandwidthThe maximum total link bandwidth that can be transmitted by a hardware queue on a physical port (each physical port has eight hardware queues, corresponding to a QoS profile). The maximum bandwidth value is configured either as an absolute percentage of the total maximum link speed, regardless of the currently configured or negotiated speed or an absolute peak rate in Mbps or Kbps. The default value on all maximum bandwidth parameters is 100%. PriorityThe level of priority assigned to a hardware egress queue on a physical port. There are eight different available priority settings and eight different hardware queues. By default, each of the default QoS profiles is assigned a unique priority. You use prioritization when two or more hardware queues on the same physical port are contending for transmission on the same physical port, only after their respective bandwidth management parameters have been satisfied. If two hardware queues on the same physical port have the same priority, a round-robin algorithm is used for transmission, depending on the available link bandwidth.
A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. QoS profiles on the BlackDiamond 10808 switch are linked to hardware queues. Each physical port has eight hardware queues, one corresponding to each of the eight QoS profiles. By default, a QoS profile links to the identical hardware queue across all the physical ports of the switch.
22
Figure 13: QoS Profiles on the BlackDiamond 10808 Switch
Table 2: BlackDiamond 10808 Default QoS Parameter

Profile name QP1 QP2 QP3 QP4 QP5 QP6 QP7 QP8 Hardware queue Q0 Q1 Q2 Q3 Q4 Q50 Q6 Q7 Priority Low LowHi Normal NormalHi Medium MediumHi High HighHi Minimum bandwidth 0% 0% 0% 0% 0% 0% 0% 0% Maximum bandwidth 100% 100% 100% 100% 100% 100% 100% 100%
23
Policy-Based QoS
QoS Building Block: Traffic Groupings

After a QoS profile has been created or modified, you assign a traffic grouping to the profile. A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is typically grouped based on the needs of the applications. Traffic groupings are separated into the following categories:

ACL-based information Explicit packet class of service information, such as 802.1p or DiffServ (IP TOS) Physical/Logical configuration (physical source port or VLAN association
QoS Building Block: QoS Policy

The combination of a traffic grouping and a QoS profile creates a QoS policy.
24
Figure 14: QoS Building Block: Traffic Groupings
Figure 15: QoS Building Block: QoS Policy
25
Policy-Based QoS
Traffic Groupings In Default Precedence

By default, all traffic groupings are placed in the QoS profile QP1. In the event that a given packet matches two or more grouping criteria, there is a predetermined precedence for which traffic grouping applies. In general, the more specific traffic grouping takes precedence. The supported traffic groupings, by precedence, are listed in the table below. The groupings are listed in order of precedence (highest to lowest):
Access list groupings (ACLs)

IP ACL MAC ACL DiffServ (IP TOS) 802.1p Source port VLAN NOTE
Explicit packet class of service groupings

Physical/logical groupings

The source port and VLAN QoS apply only to untagged packets, and 802.1p QoS applies only to tagged packets. If you use 802.1p or DiffServ QoS in conjunction with ACLs, you must configure the 802.1p or DiffServ action within the ACL itself. On the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch, the precedence of IP ACL or MAC ACL depends on specifications in the ACL file itself
26
Figure 16: Traffic Groupings In Default Precedence (Highest to Lowest)
27
Policy-Based QoS
ACL-Based Traffic Groupings

ACL-based traffic groupings are defined using access lists. By supplying a named QoS profile on an ACL rule, you can prescribe the bandwidth management and priority handling for that traffic grouping. ACLbased traffic groupings are based on any combination of the following items:

IP source or destination address IP protocol TCP flag TCP/UDP or other Layer 4 protocol TCP/UDP port information IP fragmentation MAC source or destination address Ethertype
28
Figure 17: ACL-Based Traffic Groupings
29
Policy-Based QoS
Explicit Class of Service Traffic Groupings

This category of traffic groupings describes what is sometimes referred to as explicit packet marking and includes:
Prioritization bits used in IEEE 802.1p packets
Extreme Networks switches support the standard IEEE 802.1p priority bits that are part of a tagged Ethernet packet. The 802.1p priority field is located directly following the 802.1Q type field and preceding the 802.1Q VLAN ID, as shown in Figure 19. When a tagged packet arrives at the switch, the switch examines the 802.1p priority field and maps the packet to a specific queue when transmitting the packet.
IP Differentiated Services (DiffServ) code points, formerly known as IP Type of Service (TOS) bits
IEEE 802.1p Packet Diagram
Class of service information can be carried through the network infrastructure, without repeating what may be complex traffic grouping policies at each switch location. End stations can perform their own packet marking on an application-specific basis.
Extreme Networks switch products have the capability of observing and manipulating packet marking information with no performance penalty.
30
Figure 18: Explicit Class of Service Traffic Groupings
Figure 19: IEEE 802.1p Packet Diagram
31
Policy-Based QoS
802.1p Information
802.1p Information on the BlackDiamond 10808 Only
If a port is in more than one virtual router, you cannot use the QoS 802.1p features.
Observing 802.1p Information

When ingress traffic that contains 802.1p prioritization information is detected by the switch, that traffic is mapped to various queues on the egress port of the switch. The BlackDiamond 10808 switch supports 8 hardware queues, each with configurable characteristics. The BlackDiamond 8800 family of switches and the Summit X450 switch support 2 queues by default. You can define up to 6 additional queues. The transmitting queue determines the characteristics used when transmitting packets. To control the mapping of 802.1p prioritization values to queues, 802.1p prioritization values can be mapped to a QoS profile. The default mapping of each 802.1p priority value to QoS profile is shown in Table 3.
Changing the Default 802.1p Mapping

By default, a QoS profile is mapped to a queue, and each QoS profile has configurable parameters. In this way, an 802.1p priority value seen on ingress can be mapped to a particular QoS profile. To change the mapping of 802.1p priority value to QoS profile, enter the following command: configure dot1p type <dot1p_priority> {qosprofile} <qosprofile>
32
Figure 20: Changing the Default 802.1p Mapping
Table 3: Default 802.1 Priority Value-to-QoS Profile Mapping

Priority Value 0 1 2 3 4 5 6 7 BlackDiamond 10808 and 12804 Switch Default QoS Profile QP1 QP2 QP3 QP4 QP5 QP6 QP7 QP8 BlackDiamond 8800 Series Switch and Summit X450 Family of Switches Default QoS Profile QP1 QP1 QP1 QP1 QP1 QP1 QP1 QP8
33
Policy-Based QoS
Physical and Logical Groupings

Source Port
A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, enter the following command: configure ports <port_list> {qosprofile} <qosprofile> In the following modular switch example, all traffic sourced from slot 5 port 7 uses the QoS profile named QP8 when being transmitted. configure ports 5:7 qosprofile qp8 NOTE
On the BlackDiamond 10808 switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch, this command applies to all packets.
VLAN
A VLAN traffic grouping indicates that all intra-VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile. To configure a VLAN traffic grouping, enter the following command: configure vlan <vlan_name> {qosprofile} <qosprofile> For example, all devices on VLAN servnet require use of the QoS profile QP1. The command to configure this example is as follows: configure vlan servnet qosprofile qp1 NOTE
On the BlackDiamond 10808 switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch, this command applies to all packets.
Verifying Physical and Logical Groupings

You can display QoS settings on the ports or VLANs. To verify settings on ports or VLANs, enter the following command: show ports {mgmt | <port_list>} information {detail} To ensure that you display the QoS information, you must use the detail variable. On the BlackDiamond 10808 switch, the screen displays both ingress and egress QoS settings. The 10Gbps ports have 8 ingress queues, and the 1 Gbps ports have 2 ingress queues.
34
Figure 21: Physical and Logical Traffic Groupings
Figure 22: Configuring Physical and Logical Groupings
35
Policy-Based QoS
BlackDiamond 8800 Family of Switches, Summit X450, and Summit X250 Switches QOS Profile Display
To display which QoS profile, if any, is configured on the BlackDiamond 8800 family of switches, Summit X450, and Summit X250 enter the command:
show ports <port_list> information detail
Figure on the facing page displays a sample output of this command for an BlackDiamond 8810 switch.
NOTE
To ensure that you display the QoS information, you must use the detail variable.
36
Figure 23: show ports <port_list> Information Detail
37
Policy-Based QoS
BlackDiamond 10808 Switch Display

To display information on the egress QoS profiles and the ingress QoS profiles (shown as Ingress Rate Shaping), as well as the minimum and maximum available bandwidth and priority on the BlackDiamond 10 K switch enter the command:
show ports <port_list> information detail
The display is slightly different for a 1 Gbps and 10 Gbps port. The figure on the facing page is a sample output of this command for a BlackDiamond 10808 switch 10 Gbps port.
38
Figure 24: show ports <port_list> Information Detail
39
Policy-Based QoS
Verifying QoS Configuration and Performance

Monitoring PerformanceBlackDiamond 10808 Switch
After you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor on the BlackDiamond 10808 switch to determine whether the application performance meets your expectations. To view switch performance per port, enter the following command: show ports <port_list> qosmonitor {ingress | egress} {no-refresh} NOTE
You must specify ingress to view the ingress rate-shaping performance. By default, this command displays the egress performance.
Displaying QoS Profile Information on the BlackDiamond 10808 Switch

To display QoS information on the BlackDiamond 10808 switch, enter the following command: show qosprofile {ingress | egress} {ports [ all | <port_list>]}
Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches, the Summit X450 Switch, and the Summit X250 Switch
To display QoS information on the BlackDiamond 8800 family of switches, the Summit X450 switch, and the Summit X250 switch, enter the following command: show qosprofile {ports | all | <port_list>]}
show ports <port_list> qosmonitor
40
Figure 25: Verifying QoS Configuration and Performance
41
Policy-Based QoS
Other Useful QoS Display Commands

Additionally, QoS information can be displayed from the traffic grouping perspective by using one or more of the following commands: To display the QoS profile assignments to the VLAN, enter the following command, show vlan To displays information including QoS for the port, enter the following command, show ports <list> info {detail} To display policy files that may affect QoS, enter the following command, show policy detail
42
Figure 26: Other Useful QoS Display Commands
43
Policy-Based QoS
BlackDiamond 10808 Bandwidth Settings

You apply ingress QoS profile (rate shaping) values on the BlackDiamond 10808 switch as either a percentage of bandwidth or as an absolute value in Kbps or Mbps. Bandwidth settings are in turn applied to queues on physical ports. The actual amount of bandwidth assigned is dependant on the port speed (1 or 10 Gbps).
NOTE
You may see slightly different bandwidths because the switch supports granularity down to 62.5 Kbps.
Maximum Bandwidth Settings

The maximum bandwidth settings determine the port bandwidth available to each of the ingress port queues.
Minimum Bandwidth Settings

The minimum bandwidth settings, or maximum committed rate settings, determine the port bandwidth reserved for each of the ingress port queues. The table displays the maximum committed rates available for each port on each BlackDiamond 10808 switch I/O module. These maximum committed rates vary with the number of active ports on each I/O module. The rates shown in Table 4 are what you can expect when all ports on the module are active. If you are using fewer ports, you will have higher committed rates available for each port. The maximum committed rate is reached when you are running traffic on only one port.
NOTE
Cumulative percentages of minimum bandwidth of the queues on a given port should not exceed 100%.
If you choose a setting not listed in the table, the setting is rounded up to the next value. If the actual bandwidth used is below the minimum bandwidth, the additional bandwidth is not available for other queues on that physical port.
44
Figure 27: BlackDiamond 10808 Bandwidth Settings
Table 4: Maximum committed rates per port for I/0 module on the BlackDiamond 10808 Switch
I/O module 1 Gbps module 10 Gbps module MSM configuration Single MSM Dual MSM Single MSM Dual MSM Maximum committed rate 200 Mbps 400 Mbps 2 Gbps 4 Gbps
45
Policy-Based QoS
Modifying a QoS Policy

If you make a change to a QoS profile after applying it to a traffic grouping, the following rules apply:
For destination MAC-based grouping (other than permanent), you must clear the MAC FDB. To clear the MAC FDB, enter the following command: clear fdb This command should also be issued after a policy is first formed, as the policy must be in place before an entry is made in the MAC FDB.
For permanent destination MAC-based grouping, re-apply the QoS profile to the static FDB entry For physical and logical groupings of a source port or VLAN, re-apply the QoS profile to the source port or VLAN
46
Figure 28: Modifying a QoS Policy
47
Policy-Based QoS
Assigning Policy-Based QoS: Review

Step 1 Make a QoS profile
QoS profiles define minimum and maximum bandwidth parameters, configuration of buffering, and prioritization settings. The bandwidth and level of service that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS profile.
Step 2 Create a Traffic grouping

Traffic groupings are assigned to QoS profiles to modify switch-forwarding behavior. Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, and hence share the class of service.
Step 3 Create a QoS policy

A QoS policy is created by assigning one or more traffic groupings to a QoS profile.
48
Figure 29: Assigning Policy-Based QoS Review
49
Policy-Based QoS
Summary
Define QoS and describe:

Two major benefits of QoS Five major traffic types Policy-based QoS How to configure QoS profile How to monitor and modify QoS policy IP-based (ACL) Destination MAC address Explicit Class of Service Physical and logical groupings
Describe the types of traffic grouping:

50
Figure 30: Summary
51
Policy-Based QoS
Lab
Turn to the Policy-based QoS Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
52
Figure 31: Lab
53
Policy-Based QoS
Review Questions
1 Which of the following provides a definition of QoS? a QoS is a set of protocols and mechanisms that facilitate the delivery of delay and bandwidth sensitive material across data networks. b QoS provides a means of securing bandwidth against potential attackers. c QoS provides an absolute guarantee that all high-priority traffic will be delivered to the destination.
d QoS ensures that all voice and video traffic will be sent ahead of non-multimedia traffic.
2 Which one of the following is not a goal of traffic engineering? a Optimize network usage b Ensure user authentication prior to granting network access. c Increase the robustness of the network infrastructure d Optimize network performance
3 Which of the following statements indicates a need for QoS? a OSPF routing is used to connect various parts of the network. b Users should only be allowed access to the network after being authorized. c All traffic must be treated with the same level of priority. d Network traffic needs a guarantee of underlying network performance.
4 Which of the following is another term for latency? a Echo b Speed c Delay d Jitter
5 Which of the following traffic types does not generally require QoS? a Voice b File server c Video d All of the above
54
6 Which of the following QoS profiles are not available when using stacking? a QP6 b QP5 c QP4 d All of the above
7 Which of the following identifies the maximum number of queues that can be configured on any Extreme Networks switch? a 2 b 4 c 6 d 8
8 Which of the follow specifications governs the 802.1p field? a DSCP b RSVP c IEEE d IP
55
Policy-Based QoS This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
56
17 Switch Diagnostics
Switch Diagnostics
Student Objectives
This module presents switch diagnostics. ExtremeXOS provides show commands and diagnostic commands to verify the operation of the switch software and hardware. Upon completion of this module, the successful student will be able to:

Enable the System Health Check. Run diagnostics and verify diagnostic results. Identify which process is using the most CPU time. Monitor the CPU utilization by a process. Monitor process heartbeats. Terminate and start a process. Monitor the system and a protocols memory use.
Switch Diagnostics
System Diagnostics
ExtremeXOS provides hardware diagnostics to test and validate the operating integrity of Extreme Networks switches. The diagnostic are used to detect, isolate, and treat faults in a system. The Extreme Networks diagnostic software is intended to identify possible hardware faults or software error conditions. A thorough discussion of the diagnostics available on every hardware platform for ExtremeXOS is beyond the scope of this course. Therefore, this section concentrates on the diagnostics available on the Summit X450 switches used in the classroom.
NOTE
For a thorough understanding of the diagnostics in the ExtremeWare e-series, i-series, and Triumph-based switches, refer to the Advanced System Diagnostics and Troubleshooting Guide.
Diagnostics
The ExtremeXOS diagnostics include the following types of tools for use in detecting, isolating, and treating faults in a switch. Each of these diagnostic types is summarized below, but is described in greater detail in later sections of this module.
Power-on self-test (POST)A sequence of hardware tests that run automatically each time the switch is booted, to validate basic system integrity. Switch-wide communication-path packet error health checker. This is an integrated diagnostic subsystem called the system health checker. It consists of a number of different test types operating proactively in the background to detect and respond to packet error problems in modules or on communication paths. On-demand system hardware diagnosticsRuns on demand through user CLI commands; runs in either of two modes:

Normalfaster-running but basic test sequence Extended more thorough, but longer-running test sequence.
Figure 2: System Diagnostics
Switch Diagnostics
Power-On Self-Test
The Power-on self-test (POST) runs every time the system is booted. It tests hardware components and verifies basic system integrity. The pre-POST test is a bootup process that tests CPU memory, Universal Asynchronous Receiver/ Transmitter (UART) parts, ASIC registers, and memory. For the CPU subsystem, the POST test includes the following:

Register ASIC on the CPU Real Time Clock Management port
For modules, the POST diagnostics test the following elements:

Register ASICs Memory Loop-back (Includes the ready state initialization, MAC loop-back test, and IP route loop-back test.)
POST LEDs
On the BlackDiamond 10808 the MGMT LED flashes until the switch successfully passes the POST. If the switch fails the POST, the MGMT LED shows a solid yellow light. On the Summit X450 and BlackDiamond 8800 switches the MGMT LED flashes amber until the switch successfully passes the POST. If the switch passes the POST, the MGMT LED shows a blinking green light. On the BlackDiamond 12804 the MSTR LED is blinking green during the POST. If the switch passes the POST, the MSTR LED is solid green (primary) or amber (secondary).
Figure 3: Power-On Self-Test
Switch Diagnostics
System Health Checker

The system health checker monitors the overall health of your system. Depending on your platform, the software performs a proactive, preventive search for problems by polling and reporting the health of system components. These include I/O and management module processes, power supplies, power supply controllers, and fans. The system health checker notifies you of a possible hardware fault. The primary responsibility of the system health checker is to monitor and poll the ASIC error registers. The system health checker processes, tracks, and reads the memory, parity, and checksum error counts. The ASICs maintain counts of correctable and uncorrectable memory errors, as well as packets that encountered checksum and parity errors. In addition, you can enable the system health checker to check the backplane, CPU, and I/O modules by periodically sending diagnostic packets and checking the validity of the looped back diagnostic packets.
ASIC and CPU Checks

Polling is always enabled on the system. The system health checker polls and tracks the ASIC counters that collect correctable and uncorrectable packet memory errors, checksum errors, and parity errors on a per ASIC basis. The CPU health check routine tests the communication path between the CPU and all I/O modules. By default, polling occurs every 60 seconds on BlackDiamond 10808 and BlackDiamond 12804 switches. Polling occurs every 5 seconds on the BlackDiamond 8800 series of switches. Polling occurs every 10 seconds on the Summit X450 series of switches.
Backplane Health Check

On modular BlackDiamond switches, backplane diagnostic packets are disabled by default. If you enable this feature, the system health checker tests the packet path for a specific I/O module. The MSM sends and receives diagnostic packets from the I/O module to determine the state and connectivity. By default backplane diagnostic packets are sent every 6 seconds on BlackDiamond 10808 and BlackDiamond 12804 switches. Polling occurs every 5 seconds on the BlackDiamond 8800 series of switches.
Figure 4: System Health Checker
Switch Diagnostics
Configuring the BlackDiamond System Fault Recovery Level

Depending on your switch model, you can configure the switch, MSM, or I/O module to take action if a fault detection exception occurs. You can configure the system to either take no action or to automatically reboot the switch after a software task exception. To configure how the switch recovers from a software task exception, enter the following command: configure sys-recovery-level [all | none] Where:
all none Configures ExtremeXOS to log an error to the syslog and automatically reboot the system after any software task exception. This is the default. Configures the system to take no action if a software task exception occurs. The system does not reboot, as rebooting can cause unexpected switch behavior.
You can configure the Master Switch Fabric Modules (MSMs) or I/O modules installed in a BlackDiamond switch to take no action, take ports offline in response to errors, automatically reset, shutdown, or if dual MSMs are installed, failover to the other MSM if the switch detects a hardware fault. To configure module auto-recovery upon detection of hardware problems, enter the following command: configure sys-recovery-level slot <slot_number> [none | reset | shutdown] Where:
none Configures the MSM or I/O module to maintain its current state regardless of the detected fault. The offending MSM or I/O module is not reset. ExtremeXOS logs fault and error messages to the syslog and notifies you that the errors are ignored. This does not guarantee that the module remains operational; however, the switch does not reboot the module. Configures the offending MSM or I/O module to reset upon fault detection. ExtremeXOS logs fault, error, system reset, and system reboot messages to the syslog. If there are redundant MSM modules, the primary MSM fails over to the backup MSM. This is the default setting. Configures the switch to shut down all slots/modules configured for shutdown upon fault detection. On the modules configured for shutdown, all ports in the slot are taken offline in response to the reported errors; however, the MSMs remain operational for debugging purposes only. ExtremeXOS logs fault, error, system reset, system reboot, and system shutdown messages to the syslog.
reset
shutdown
To display the module recovery setting, enter the following command: show slot <slot> NOTE
If you configure one or more slots for shut down and the switch detects a hardware fault on one of those slots, all of the configured slots enter the shutdown state and remain in that state until explicitly cleared.
To restore the I/O modules after a shutdown due to hardware problems, enter the following command: clear sys-recovery-level
10
Figure 5: Configuring the BlackDiamond System Fault Recovery Level
11
Switch Diagnostics
Configuring the System Fault Recovery Level

You can configure the Summit X450 family of switches to take no action, automatically reboot, or shut down if the switch detects a hardware fault. To configure how the switch recovers from hardware problems, enter the following command: configure sys-recovery-level switch [none | reset | shutdown] Where:
none reset shutdown Configures the switch to maintain its current state regardless of the detected fault. The switch does not reboot or shutdown. ExtremeXOS logs fault and error messages to the syslog. Configures the switch to reboot upon detecting a hardware fault. ExtremeXOS logs fault, error, system reset, and system reboot messages to the syslog. This is the default setting. Configures the switch to shut down upon detecting a hardware fault. All ports are taken offline in response to the reported errors; however, the management port remains operational for debugging purposes only. If the switch shuts down, it remains in this state across additional reboots or power cycles until you explicitly clear the shutdown state.
To display the software recovery setting on the switch, enter the following command: show switch To restore the switch ports after a shutdown due to hardware problems, enter the following command: clear sys-recovery-level After you clear the shutdown state, use the reboot command to bring the switch and ports back online.
12
Figure 6: Configuring the BlackDiamond System Fault Recovery Level
13
Switch Diagnostics
Configuring the System Health Check Response

To configure whether the system follows or ignores the setting of the configure sys-recovery-level command when responding to system health check faults, enter the following command: configure sys-health-check all level [normal | strict] Where:
normal strict Upon a fault detection, the switch only sends a message to the syslog. This is the default setting. Upon a fault detection, the switch takes the action configured by the configure sys-recoverylevel slot or the configure sys-recovery-level switch command.
14
Figure 7: Configuring the System Health Check Response
15
Switch Diagnostics
Enabling the Backplane System Health Check

The system health checker tests I/O modules, MSM modules, and the backplane by forwarding packets. Additional checking for the validity of these packets is completed by performing a checksum. To enable backplane diagnostic packets, enter the following command: enable sys-health-check slot <slot> The system health checker continues to periodically forward test packets to failed components. When system health checking is disabled, backplane diagnostic packets are no longer sent.
NOTE
Enabling backplane diagnostic packets increases CPU utilization and competes with network traffic for resources.
To verify that the system health check is enabled, enter the following command: show switch To configure the frequency of sending backplane diagnostic packets, use the following command: configure sys-health-check interval <interval> NOTE
Extreme Networks does not recommend configuring an interval of less than the default interval. Doing so can cause excessive CPU utilization.
To disable backplane diagnostic packets, use the following command: disable sys-health-check slot <slot>
16
Figure 8: Configuring the System Health Check Response
Figure 9: Displaying the System Health Check Configuration
17
Switch Diagnostics
Running System Diagnostics

The Extreme Networks switches provide a facility for running normal or extended diagnostics on the main board of the Summit switch and on an I/O module or a Master Switch Fabric Module (MSM) of a BlackDiamond switch without affecting the operation of the rest of the system. If you run the diagnostic routine on an I/O module, that module is taken offline while the diagnostic test is performed. Traffic to and from the ports on the module is temporarily unavailable. After the diagnostic test is completed, the I/O module is reset and becomes operational again. If you run the diagnostic on an MSM, that module is taken offline while the diagnostics test is performed. When the diagnostic test is complete, the MSM reboots, and becomes operational again. To run diagnostics on I/O or MSM modules, use the following command: run diagnostics [extended | normal] slot [<slot> | A | B] Where:
normal extended Takes the switch fabric and ports offline and performs a simple ASIC and packet loopback test on all ports. Takes the switch fabric and ports offline, and performs extensive ASIC, ASIC-memory, and packet loopback tests. Extended diagnostic tests take a maximum of 15 minutes. The CPU is not tested. Console access is available during extended diagnostics. If the switch supports Power over Ethernet (PoE), it also performs an extended PoE test, which tests the functionality of the inline power adapter. Specifies the slot number of an I/O module. When the diagnostics test is complete, the system attempts to bring the I/O module back online. Specifies the slot letter of the MSM. The diagnostic routine is performed when the system reboots. Both switch fabric and management ports are taken offline during diagnostics.
<slot> A| B
On an I/O module, the extended diagnostic routine can require significantly more time to complete, depending on the number of ports on the module. On a management module, the module is taken offline while the diagnostics test is performed. After the diagnostic test is completed, the MSM reboots, and becomes operational again.
NOTE
Run diagnostics when the switch can be brought off-line. The tests conducted are extensive and affect traffic that must be processed by the system CPU. The diagnostics are processed by the CPU whether you run them on an I/O or a management module.
18
Figure 10: Running System Diagnostics
19
Switch Diagnostics
Displaying System Diagnostic Results

To display system diagnostics, enter the following command: show diagnostics slot [<slot> | A | B] Where:
slot A|B Specifies the slot number of an I/O module. Specifies the MSM. A specifies the MSM installed in slot A. B specifies the MSM installed in slot B.
If the results indicate that the diagnostic failed, replace the module with another module of the same type. Use this command to display information from the last diagnostic test run on the switch. The following switch diagnostics information is displayed:

Day, month, date, year, and time of the diagnostic test The slot number or for MSMs, the slot letter. Result of each component tested test (pass/fail/interrupted)
Each type of switch has a different display. On the BlackDiamond 10808 and BlackDiamond 12804 switches the display also includes:

Type of slot. - The slot where the diagnostic test was run: I/O or MSM. Temperature. - The temperature of the module, in celsius, when the test was run. Test data. - More detailed information about the test, which includes the:

Version number of the diagnostic test run. Serial number of the module where the test was run. Type of tests run and if they passed or failed (CPU, register, memory, and system). Diagnostics Pass. The diagnostic test has passed. Diagnostics Fail. One or more diagnostic test has failed.
Summary. - A brief summary of the overall diagnostic test. Options are:

20
Figure 11: Displaying a BlackDiamond 8810 System Diagnostic
21
Switch Diagnostics
Identifying the Busiest Process

ExtremeXOS consists of a number of cooperating processes running on the switch. The ExtremeXOS process manager monitors all of the XOS processes. The process manager also ensures that only version-compatible processes are started. The ExtremeXOS process level watchdog uses simple periodic keep-alive messages that flow between the monitored applications and a process monitor. ExtremeXOS is designed to automatically detect application level infinite loops or general execution problems and take preemptive action. However, under certain conditions, the administrator may need to stop, start, and examine information about processes. The top command shows the percentage of CPU processing devoted to each task, sampled every 5 seconds. Investigate tasks showing consistent or periodic high CPU utilization. To display the system processes, enter the following command: top You can change the display by typing the following characters while the display is active. N A P M T q Sort by PID (Numerically) Sort by age Sort by CPU usage Sort by resident memory usage Sort by time / cumulative time Exit the top display
The display shows:

PID USER STATUS RSS PPID %CPU %MEM COMMAND The process identifier The user that started the process. In the example all process are started by roo. The process status can be: Sleeping, Running, or Waiting The Resident Set Size. This is the part of a process' address space currently in main memory. The parent process ID. This is the parent process that spawned the process being displayed. The parent process is responsible for terminating the child process if necessary. The percent of CPU being used by the process The percent of physical memory being used by the process The name of the command that starts the process
To stop the refresh of the top command display, press Ctrl-c or the q key.
22
23
Switch Diagnostics
Figure 14: Monitoring CPU Utilization

You can monitor the CPU utilization and history for all of the processes running on the switch. By viewing this history on a regular basis, you can see trends emerging and identify processes with peak utilization. Monitoring the workload of the CPU allows you to troubleshoot and identify suspect processes before they become a problem. By default, the switch monitors CPU utilization every 20 seconds. In addition, if CPU utilization of a process exceeds 60% of the regular operating basis, the switch logs an error message specifying the process name and the current CPU utilization for the process. By default, CPU monitoring is enabled and occurs every 20 seconds. The default CPU threshold value is 60%. To change the CPU monitoring values, enter the following command: enable cpu-monitoring {interval <seconds>} {threshold <percent>} Where: seconds - Specifies the monitoring interval. The default interval is 20 seconds, and the range is 5 to 60 seconds. Extreme Networks recommends the default setting for most network environments. If you enter a number lower than 20 seconds, CPU utilization may increase. threshold - Specifies the CPU threshold value. CPU usage is measured in percentages. The default is 60%, and the range is 0% to 100%. To disable CPU monitoring, enter the following command: disable cpu-monitoring This command disables CPU monitoring on the switch; however, it does not clear the monitoring interval. To display the CPU utilization history of one or more processes, enter the following command: show cpu-monitoring {process <name>} {slot <slotid>} The command output shows:

The location (MSM A or MSM B) where the process is running on a modular switch. The name of the process. Range of time for each sample in the CPU utilization history. The CPU utilization history goes back 1 hour. Total User/System CPU Usage. - The amount of time that the process spends occupying CPU resources recorded in seconds. The values are cumulative meaning that the values are displayed as long as the system is running.
You can use this information for debugging purposes to see where the process spends the most amount of time: physical memory or virtual memory.
24
Figure 15: Monitoring CPU Utilization
Figure 16: Show CPU-monitoring
25
Switch Diagnostics
Displaying Processes
The show process command displays the status of ExtremeXOS processes on the switch, including how many times a process has been restarted. To display system processes, enter the following command: show process {<name>} {detail} {description} {slot <slotid>} Where: detail - Specifies more detailed process information. description - Provides the name of all of the processes or a description of the specified process. slotid - Specifies the MSM slot. (A or B) name - Specifies the name of the process. When you use this command without the optional keywords it displays summary process information. If you specify the slot keyword, summary information is displayed for that particular slot only. The show process and show process slot <slotid> commands display the following information in a tabular format:

CardThe name of the MSM where the processes are running (BlackDiamond switches only) Process NameThe name of the process VersionThe version number of the process RestartThe number of times the process has been restarted StateThe current state of the process as ready, stopped or no license Start TimeThe date and time the process began
If you specify the detail keyword, more specific and detailed process information is displayed. The show process detail and show process slot <slotid> detail commands display the following information in a multi-tabular format:

Detailed process information Memory usage configurations Recovery policies Process statistics Resource usage
You may find it useful to capture the process information under normal operating conditions to establish a baseline. If you experience a problem, you can use the baseline to identify the problem more easily.
26
Figure 17: Showing CPU Processes
Figure 18: Displaying Process Details
27
Switch Diagnostics
Monitoring Process Heartbeat

ExtremeXOS supports the ability to monitor the health of the processes. The switch process manager uses two algorithms to collect process health information: polling and reporting. Each process is monitored using either polling or reporting. Both polling and reporting count the heartbeat of the process. When a Hello message is sent and a HelloAck message is received. The two counts remain the same. For example see the esrp process in the illustration. When only a HelloAck message is sent and no Hello messages are sent, the Hello count remains at zero. For example see the bcp process in the illustration. Polling occurs every 10 seconds and reporting occurs every 2 seconds on the BlackDiamond 8800 and Summit X450 switches. To display the health of the ExtremeXOS processes, enter the following command: show heartbeat process {<name>} Where: name - Specifies the name of the process. The show heartbeat process command displays the following information in a tabular format:

CardThe name of the card where the process is running (BlackDiamond switches only) Process NameThe name of the process HelloThe number of hello messages sent to the process HelloAckThe number of hello acknowledgement messages received by the process manager Last Heartbeat TimeThe timestamp of the last health check received by the process manager (Unknown specifies kernel modules which do not participate in heartbeat monitoring)
This status information may be useful for your technical support representative if you have a ExtremeXOS problem. The heartbeat process information can also be displayed for a single process. For example: show heartbeat process tftpd You may find it useful to capture the process information under normal operating conditions to establish a baseline.
28
Figure 19: Monitoring Process Heartbeat
29
Switch Diagnostics
Terminating a Process
ExtremeXOS has the ability to terminate a process. This is useful if a process is stuck in a loop and is using excessive CPU or memory resources. To terminate a process, enter the following command: terminate process <name> [forceful | graceful] {msm <slot>} Where: name - Specifies the name of the process to terminate. You can terminate the following processes:

exsshd (only available if you have installed the SSH module) bgp eaps lldp - 802.1AB; Station and Media Access Control Connectivity Discover netLogin - Network Login includes MAC, Web-Based and 802.1X authentication ospf - Open Shortest Path First Routing Protocol telnetd - The telnet daemon. tftpd - The TFTP daemon. thttpd - The Web Server daemon. vrrp - Virtual Router Redundancy protocol deamon.
graceful - Specifies a graceful termination. The graceful option terminates the process by allowing it to close all opened connections, notify peers on the network, and other types of process cleanup. After this phase, the process is finally terminated. forceful - Specifies a forceful termination. The forceful option quickly terminates a process on demand. Unlike the graceful option, the process is immediately shutdown without any of the normal process cleanup. slot - Specifies the MSM where the process should be terminated. A specifies the MSM installed in slot A, and B specifies the MSM installed in slot B. For example: terminate process tftpd graceful a To get a description of what each process does, enter the following command: show process description
30
Figure 20: Terminating a Process
31
Switch Diagnostics
Starting a Process
The start process command can be used to restart a process that has been terminated by the administrator or has failed. To start a system process, enter the following command: start process <name> {msm <slot>} Where: name - Specifies the name of the process to start. You can terminate the following processes:

exsshd (only available if you have installed the SSH module) bgp eaps lldp - 802.1AB; Station and Media Access Control Connectivity Discover netLogin - Network Login includes MAC, Web-Based and 802.1X authentication ospf - Open Shortest Path First Routing Protocol telnetd - The telnet daemon. tftpd - The TFTP daemon. thttpd - The Web Server daemon. vrrp - Virtual Router Redundancy protocol deamon.
slot - Specifies the MSM where the process should be terminated. A specifies the MSM installed in slot A, and B specifies the MSM installed in slot B. For example: start process tftpd
Restarting Processes
To terminate and restart a specified process, enter the following command: restart process [class <cname> | <name> {msm <slot>}] Where: class_name - Specifies the name of a class of processes to restart. With this parameter, you can terminate and restart all instances of the processes associated with a specific routing protocol on all VRs. Supported process classes are OSPF and BGP. name - Specifies the name of a single process to restart. The supported processes are the same as the stop process and start process commands.
32
Figure 21: Starting a Process
33
Switch Diagnostics
Monitoring System Memory

ExtremeXOS has the ability to monitor memory use. To monitor memory use, enter the following commands: show memory {slot [a | b]} show memory process <name> {slot <slotid>} Where: a - Specifies the MSM module installed in slot A. b - Specifies the MSM module installed in slot B. name - Specifies a single process name slotid - Specifies the slot letter of the MSM module. The show memory command displays the following information in a tabular format:

The total physical memory. The total memory used by the system. The total memory used by user processes. The total free memory. The card letter and slot number of the MSM. (BlackDiamond switches only) The name of each process. Current memory used by the process.
If you issue the command without any parameters, information about all of the MSMs installed in your system is displayed. Examples: show memory show memory slot a show memory process tftpd You may find it useful to capture the memory information under normal operating conditions to establish a baseline. If you observe a continuous decrease in the free memory over an extended period of time, and you have not altered your switch configuration, please contact Extreme Networks Technical Support.
34
Figure 22: Monitoring System Memory
35
Switch Diagnostics
Monitoring Protocol Memory

ExtremeXOS has the ability to monitor the memory of a specific protocol application. This information can be sent to Extreme Networks technical support to help diagnose a protocol process problem. To monitor the memory used by the OSPF process, enter the following command: show ospf memory {detail | <memoryType} Where: detail - Displays detail information. memoryType - Specifies the memory type usage to display. The exact type varies depending on the protocol process. Use command completion to display the list of arguments. Examples: show ospf memory show ospf memory detail show ospf memory ospfArea To monitor the memory used by the RIP process, enter the following command: show rip memory {detail | <memoryType} Where: detail - Displays detail information. memoryType - Specifies the memory type usage to display. The exact type varies depending on the protocol process. Use command completion to display the list of arguments. Examples: show rip memory show rip memory detail show rip memory peer To monitor the memory used by the BGP process, enter the following command: show bgp memory {detail | <memoryType} Where: detail - Displays detail information. memoryType - Specifies the memory type usage to display. The exact type varies depending on the protocol process. Use command completion to display the list of arguments. Examples: show bgp memory show bgp memory detail show bgp memory aggroute
36
Figure 23: Monitoring Protocol Memory
37
Switch Diagnostics
Summary

Enable the System Health Check. Run diagnostics and verify diagnostic results. Identify which process is using the most CPU time. Monitor the CPU utilization by a process. Monitor process heartbeats. Terminate and start a process. Monitor system and a protocols memory.
38
Figure 24: Summary
39
Switch Diagnostics
Lab
Turn to the Switch Diagnostics Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
40
Figure 25: Lab
41
Switch Diagnostics
Review Questions
1 Which of the following is not included as a part of the ExtremeXOS diagnostic tool set? a Power-on self-test (POST) b Switch-wide communication-path packet error health checker. c On-demand system hardware diagnostics d Oscilloscope
2 Which of the following indicates how often the Power-on self-test (POST) is run? a The Power-on self-test (POST) runs every time the system is booted. b The Power-on self-test (POST) is run on demand by the administrator. c The Power-on self-test (POST) runs whenever a fault is detected by the system. d All of the above
3 Which of the following commands restores the I/O modules after a shutdown due to hardware problems? a reenable slot b clear sys-recovery-level c enable sys-recovery-level d None of the above
4 Which of the following commands invokes the internal diagnostic routines on the switch? a execute diagnostics b start diagnostics c run diagnostics d enable diagnostics
5 Which of the following describes what should be done prior to executing the internal diagnostics routines on the switch. a increase the power budget to the switch as the switch draws more power while in diagnostic mode b obtain special diagnostic software from the Extreme Networks web site c remove and reseat all hardware modules in the switch d take the switch offline
42
6 Which of the commands enable the administrator to begin monitoring CPU activity? a run cpu-monitoring b configure cpu-monitoring enable c enable cpu-monitoring d start cpu-monitoring
7 Which of the following commands displays the status of ExtremeXOS processes? a top 10 b show process c taskman d run process explorer
8 Which of the following commands enables the administrator to end a running process? a terminate process <name> b end process <name> c kill process <name> d delete process <name>
9 Which of the following commands enables the administrator to invoke a new process? a invoke process <name> b start process <name> c run process <name> d launch process <name>
10 Which of the following commands enables the administrator to monitor memory usage? a display memory b show resource-usage memory c show memory d display resource-usage memory
11 Which of the following commands displays memory utilization by the RIP protocol? a display rip memory b show memory rip c display memory rip d show rip memory
43
Switch Diagnostics This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http:// www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
44
18 Network Troubleshooting
Network Troubleshooting
Student Objectives
The Network Troubleshooting module presents a systematic methodology for troubleshooting, how to use the troubleshooting tools provided in Extreme Networks switches, and examples of how to identify common problems. Upon completion of this module, the successful student will be able to:

Identify the network management and maintenance systems that prepare you to troubleshoot. Describe the Layered approach used for troubleshooting. Identify useful commands for finding errors in OSI Layers 1, 2, and 3. Interpret the output of show commands. Use correct to troubleshoot problems at the Physical, Data Link, and Network Layers. List the steps required to perform systematic troubleshooting.
Overview
Troubleshooting is an important part of managing any network. This module presents a systematic methodology for troubleshooting, how to use the troubleshooting tools provided in Extreme Networks switches, and examples of how to identify common problems. The troubleshooting topics covered are:

Gathering and maintaining the information and tools necessary to troubleshoot the network. Organizing and applying a systematic method of troubleshooting. Identifying which commands to use to systematically troubleshoot a network problem. Describing how to test the operation of the switch.
Figure 2: Overview
Maintenance Before Troubleshooting

This page presents steps you should complete prior to having to troubleshoot a network problem.
Document the Network

Documenting the network topology, configuration, and normal operation so you have the information needed to recognize and locate a network problem. The following documentation is recommended:

Create an illustration of the physical connectivity of the network and keep it up to date. Create an illustration of the logical connectivity of the network and keep it up to date. Set up a Trivial File Transfer Protocol (TFTP) server and:
Store copies of the active and previous versions of configuration files and images, so that you can access them quickly in case of a problem. Make a backup of each switch configuration file on a regularly scheduled basis. Update the stored configuration files after making any changes.
Maintain a contact list of vendors, service suppliers, and users to inform in case of a problem. Store user names, passwords, and SNMP default community strings in a safe location and change (or remove) the default values. Record network problems, symptoms, and the resolution.
Monitor the Network

To identify a problem as soon as possible, monitor the condition of the network.

Establish baselines for network response time, and traffic statistics. Test connectivity and response time on a regularly scheduled basis and compare the response time to the baseline. Monitor traffic statistics on a regularly scheduled basis and compare the statistics to the baseline. Use Extreme Networks EPICenter to

Monitor alarms and events. Verify the physical and logical topology. Monitor network, VLAN, and port statistics. Set traffic thresholds. Store a syslog of switch activity.
Maintain the Network

When building a network, the importance of a well structured network maintenance system is often underestimated. No network is error free. Therefore an important aspect of the performance of the network depends on proper maintenance of the network. Maintenance includes:
Provide a clean/conditioned environment (air and power) and provide proper ventilation depending on hardware type. Some switches vent front to rear, others vent side to side. Software maintenance such as installing new software to fix bugs or add functionality.
Figure 3: Maintenance Before Troubleshooting
Use a Layered Approach when Troubleshooting

The layered approach is the way to thoroughly check a network. This layered model also helps in isolating the problem. If you experience problems in the communication between devices, check the communication layer by layer, using the per layer description as presented on the following pages. When, for example, an end-to-end ping test at Layer 3 succeeds, the problem is probably in the upper four layers.
Figure 4: Use a Layered Approach when Troubleshooting
Troubleshooting at the Physical Layer

Several kinds of common problems can affect the Physical Layer. Your hardware may be faulty. Defective hardware can be cables, patch panels, connectors, ports, or modules in your switch.

First check the physical connectivity. Is the connector seated properly? Ensure that the physical medium connecting to the interface port is fault free. Isolate the problem by swapping cables with ports. Does the problem follow? Check the status of the LEDs. Use loop back plugs or a loop back cable to verify the link. Be aware of the surrounding environment for potential electro-mechanical interference (EMI).
Verify that the correct cables are being used. Distinguish between:

Media type Length of the cables Crossover cable versus straight cable
Verify that the port settings are configured properly. Common problems in port settings are:

Auto negotiation of speed and duplex is set incorrectly. The port is administratively disabled. Speed and duplex settings do not match the settings of the connected device. Load sharing configuration is set improperly.
10
Figure 5: Troubleshooting at Layer 1: Physical Layer
11
Port LED Indicators

This page describes the port Light Emitting Diodes (LEDs) for switches that run ExtremeXOS. The port LEDs provide an indication of the port status. Always verify the status of the port link integrity by checking port activity LEDs when troubleshooting Layer-1 problems.
Table 1: Summit Port LEDs

LED Port Color Solid green Green blinking Off Solid Amber Amber slow blinking Amber fast blinking Blinking amber/green Off Description Link up. Link Integrity signal is received on copper ports or light is detected on fiber ports. Activity. Packets received and transmitted. Link Down. No link Integrity signal or the port is disabled. Power over Ethernet (POE) port has power applied. POE port has power applied and link is down or port is disabled. POE port has power applied and port has activity. POE port has a power fault or insufficient power. POE port has no link or is disabled and power is not applied.
The description for port LEDs in Table 1 applies to ports on the SummitX450 family of switches, Summit 200, Summit 300, and Summit 400.
Table 2: BlackDiamond Port LEDs

LED Port Color Solid green Slow green blinking Amber blinking Off Blinking amber/green Description Link up. Link Integrity signal is received on copper ports. Light is detected on fiber ports. Port disabled by CLI. Activity. Packets received and transmitted. Link Down. No link Integrity signal is received on copper ports. POE port with power enabled has a power fault or insufficient power.
The description for port LEDs in Table 2 applies to ports on the BlackDiamond 8800 series, BlackDiamond 10808 series, and non-POE ports on the BlackDiamond 12804 switches.
Table 3: BlackDiamond 12804 POE Port LEDs

LED Port Color Solid amber Amber slow blinking Amber fast blinking Blinking amber/green Description Link up. Link Integrity signal is received. Link Down or Port disabled by CLI. Activity. Packets received and transmitted. Power over Ethernet port with power enabled has a power fault or insufficient power.
The description for port LEDs in Table 3 applies to POE ports with power enabled on the BlackDiamond 12804.
12
Figure 6: Port LED Indicators
13
Troubleshooting Commands for the Physical Layer

A systematic approach to troubleshooting involves beginning with Layer 1 and working up the OSI model towards Layer. Use show commands for troubleshooting. The illustration lists the most common show commands used to troubleshoot Layer 1.
14
Figure 7: Commands for Layer 1 Troubleshooting
15
Displaying Port Configuration Statistics

To verify the port configuration, enter the following command: show ports {<portlist>} configuration Compare the port settings with the port settings at the other end of the cable.
Primary Information
The show ports configuration command output shows:

The port number and virtual router. The port state as enabled (E) or disabled (D). The link status as ready (R), active (A), or not present (NP). If auto negotiation of speed and duplex is enabled (ON) or disabled (OFF). The link speed configured and if auto negotiation is enabled, the actual speed. The duplex mode configured and if auto negotiation is enabled, the actual duplex as half or full. Link media type for the primary and if configured, redundant port. Examples of media types are:

Unshielded Twisted Pair (UTP) Multimode Gigabit Interface Connector (MGBIC) Small Formfactor Pluggable (SFP)
Use this information to verify that the intended ports are enabled and active. Also verify that the speed, duplex and frame size match the other end of the physical connection. If the switch supports user-created virtual routers, verify that the VLAN router interface (RIF) is configured on the correct VR. Commands such as ping and tftp require that the VR be specified. The media type is useful if redundant fiber and copper ports are supported. In this case the port number is the same for both the fiber and copper port.
Secondary Information
The command output also shows:
If Ethernet flow control is enabled symmetrically in both directions (SYM) or asymmetrically in one direction (ASYM). 10Gbps ports can be asymmetrical. The load sharing master port if the port is participating in link aggregation.
Use this information to verify that the port settings and media type match the other end of the physical connection.
16
Figure 8: Displaying Port Configuration Statistics
17
Displaying Real Time Transmitted Packet Errors

To monitor the real-time transmitted packet errors for a group of ports, enter the following command: show ports {<port_list>} txerrors {no-refresh} The display automatically refreshes unless you enter the no-refresh option. For each port the display shows:
Transmit Collisions (TX Coll). The total number of collisions seen by the port, regardless of whether a device connected to the port participated in any of the collisions. Transmit Late Collisions (TX Late Coll). The total number of collisions that have occurred after the ports transmit window has expired. This could indicate a duplex setting mismatch. Transmit Deferred Frames (TX Deferred). The total number of frames that were transmitted by the port after the first transmission attempt was deferred by other network traffic. Transmit Errored Frames (TX Errors). The total number of frames that were not completely transmitted by the port because of network errors (such as late collisions or excessive collisions). Transmit Lost Frames (TX Lost). The total number of transmit frames that did not get completely transmitted because of buffer problems (FIFO underflow). Transmit Parity Frames (TX Parity). The bit summation has a parity mismatch.
Displaying Real Time Received Packet Errors

To monitor the real-time received packet errors for a group of ports, enter the following command: show ports {<port_list>} rxerrors {no-refresh} The display automatically refreshes unless you enter the no-refresh option. For each port the display shows:
Receive Bad CRC Frames (RX CRC). The total number of frames received by the port that were of the correct length, but contained a bad FCS value. This could indicate a duplex setting mismatch. Receive Oversize Frames (RX Over). The total number of good frames received by the port greater than the supported maximum length of 1,522 bytes. Receive Undersize Frames (RX Under). The total number of frames received by the port that were less than 64 bytes long. Receive Fragmented Frames (RX Frag). The total number of frames received by the port were of incorrect length and contained a bad FCS value. Receive Jabber Frames (RX Jabber). The total number of frames received by the port that was of greater than the support maximum length and had a Cyclic Redundancy Check (CRC) error. Receive Alignment Errors (RX Align). The total number of frames received by the port that occurs if a frame has a CRC error and does not contain an integral number of octets. In a shared Ethernet environment, alignment errors could be the result of collisions. Receive Frames Lost (RX Lost). The total number of frames received by the port that were lost because of buffer overflow in the switch.
18
Figure 9: Displaying Real Time Transmit Errors
Figure 10: Displaying Real Time Received Packet Errors
19
Displaying Real Time Collision Statistics

To monitor the real-time retransmissions due to successive collisions for a group of ports, enter the following command: show ports {mgmt | <port_list>} collisions {no-refresh} The display i automatically refreshes unless you enter the no-refresh option. The mgmt option specifies the management Ethernet port. The display shows:

Collision statistics for each port. The numbers 1 to 16 represent the number of collisions and subsequent retransmissions encountered prior to successfully transmitting the packet. Collision statistics are applicable only for half-duplex links.
Collisions are primarily a problem for shared Ethernet environments where devices are attached through a hub. If you see collisions, it indicates that someone has connected a hub to the switch port.
20
Figure 11: Displaying Real Time Collision Statistics
21
Displaying Real Time Port Utilization Information

Enter the following command to monitor the current and peak packets-per-second transmitted and received for a group of ports: show ports {<portlist>} utilization This command gives a good indication of the port load. You can toggle with the space bar between packet-per-second, bytes-per-second, and bandwidth utilization. You can use this information to decide when to invest in extra link capacity to avoid congestion in the network.
NOTE
Monitoring port utilization is useful to identify broadcast storms caused by loops in the network. Extreme Networks switches are non-blocking. So, links can be utilized up to 100% when there is a network loop.
Enter the show ports utilization command then toggle the screen using the space bar. The first two screens in the output show transmitted and received port byte and packet counts. Use this information to verify that the ports are passing traffic. The third screen in the show port utilization command output shows:

The port number, link status, and link speed. The current and peak port utilization received as a percentage of the maximum bandwidth. The current and peak port utilization transmitted as a percentage of the maximum bandwidth.
Use this information to verify that there are no Layer 2 forwarding loops. If a Layer 2 forwarding loop exists it causes a broadcast storm. During a broadcast storm the port utilization reaches close to 100%.
NOTE
If a forwarding loop exists it may take a minute of two for the utilization to show the broadcast storm.
To clear the port utilization counters, enter the following command: clear counters ports
22
Figure 12: Displaying Real Time Port Utilization Information
23
Displaying Connectivity and Configuration Information for Neighboring Switches

Enter the following command to verify connectivity and configuration information received from neighboring Extreme Networks switches: show edp ports all The show edp command output shows:
The EDP interval timers and which ports have EDP enabled.
Use this information to verify that EDP is enabled on the intended ports and that the timers match the other end of the connection. The show edp ports all command output shows:

The SNMP sysname of each EDP neighbor on every active port. The MAC address of each EDP neighbor. The slot and port number of the other end of the connection. The age of the EDP entry. The number of VLANs supported on this link.
Use this information to verify that the ports are physically connected to the intended EDP neighbor on the intended port. You can also use this command for troubleshooting at the Data Link Layer because you get information about the VLANs on all neighboring switches.
24
Figure 13: Displaying Connectivity and Configuration Information for Neighboring EXTR Switches
25
Layer 1 Problem: Diagnosis and Solution

The illustration shows a typical Layer 1 error often seen in live networks. There is connectivity between the two switches but a lot of errors occur. This has a negative impact on the performance of connections using this link. This might be because of misconfiguration, but often this mismatch occurs because of problems with the auto negotiation of link speed and duplex mode. The easiest command to verify this error is the show ports configuration command. This command displays the configured and actual link speed and duplex mode of all ports. There appears to be a duplex mismatch between the two switches. One is forwarding frames in full duplex mode and the other one is running in half duplex mode. In the example, Switch 1 is configured for autonegotiation off with speed set at 100mb and duplex at full. Switch 2 is left in autonegotiation. Switch 2 is unable to negotiate its duplex setting as Switch 1 has auto disabled. The following port transmit error information is collected by the system:

Port Number Link Status The current status of the link. Options are:

Ready (the port is ready to accept a link) Active (the link is present at this port) Disabled (D): The link is disabled at this port. Not Present (NP): The link is not present at this port.
Transmit Collisions: The total number of collisions seen by the port, regardless of whether a device connected to the port participated in any of the collisions. Transmit Late Collisions: The total number of collisions that have occurred after the ports transmit window has expired. Transmit Deferred Frames: The total number of frames that were transmitted by the port after the first transmission attempt was deferred by other network traffic. Transmit Errored Frames: The total number of frames that were not completely transmitted by the port because of network errors (such as late collisions or excessive collisions). Transmit Parity Frames: The bit summation has a parity mismatch.
26
Figure 14: Layer 1 Problem: Diagnosis and Solution
27
Layer 1 Problem: Further Symptoms and Diagnosis

Often a duplex mismatch is not immediately recognized. Another problem might be that a user connected a small unmanageable switch to the port and it is unknown if it is running half or full duplex mode. Use sh ports txerrors and sh ports rxerrors to examine the port error statistics.and identify if there are incorrect settings. A duplex mismatch causes transmission errors to occur on both sides.
Switch 1 Symptoms
On a switch running in half duplex mode there are a lot of late collisions. The attached switch, running in full duplex mode, sends frames if there is data. It does not detect if the media is already used or not.
Switch 2 Symptoms
On a switch running in full duplex mode there are a lot of CRC errors. The attached switch, running in half duplex mode stops transmitting data each time it detects a collision. The illustration shows Switch 1, running in half duplex mode and Switch 2, running in full duplex mode. The show ports txerrors command on Switch 1 shows the late collisions. The show ports rxerrors command on Switch 2 shows the CRC errors. The following port receive error information is collected by the system:

Port Number Link Status The current status of the link. Options are:

Ready (the port is ready to accept a link) Active (the link is present at this port) Disabled (D): The link is disabled at this port. Not Present (NP): The link is not present at this port.
Receive Bad CRC Frames (RX CRC)The total number of frames received by the port that were of the correct length, but contained a bad FCS value. Receive Oversize Frames (RX Over)The total number of good frames received by the port greater than the supported maximum length of 1,522 bytes. Ports with jumbo frames enabled do not increment this counter. Receive Undersize Frames (RX Under)The total number of frames received by the port that were less than 64 bytes long. Receive Fragmented Frames (RX Frag)The total number of frames received by the port were of incorrect length and contained a bad frame check sequence (FCS) value. Receive Jabber Frames (RX Jabber)The total number of frames received by the port that were longer than the supported maximum length and had a Cyclic Redundancy Check (CRC) error. Receive Alignment Errors (RX Align)The total number of frames received by the port that have a CRC error and do not contain an integral number of octets. Receive Frames Lost (RX Lost)The total number of frames received by the port that were lost because of buffer overflow in the switch.
28
Figure 15: Layer 1 Problem: Further Symptoms and Diagnosis
29
Troubleshooting at Layer 2: Data Link Layer

Various kinds of issues have to be considered while troubleshooting at the Data Link Layer. Common sources of problems include:

Protocol mismatches MAC addressing problems VLAN problems
There might be protocol mismatches because of the different L2 protocols. The Ethernet II, IEEE 802.3, or LLC/SNAP setting causes the mismatch. A wrong driver in the Ethernet card of a server might also cause a mismatch.
Addressing Problems
Start by answering the following questions to identify possible addressing problems. Are there permanent MAC address entries in the Forwarding Database (FDB) which are incorrect? Is there a faulty or misconfigured device that is responding to all ARP requests on a VLAN or network? When troubleshooting spanning tree, answer the following questions:

Which mode of spanning tree are you using? Does your spanning tree domain layout and your VLAN layout work together? Is the VLAN in the correct spanning tree domain? Is spanning tree enabled for the VLAN?
VLAN Problems
When troubleshooting VLAN problems verify the following:

The ports are properly configured on the VLAN. Consistent VLAN tags are used.
If VLAN tags are not properly configured, your 802.1Q link cannot work. Remember that VLAN names are only locally significant but you should use a consistent naming scheme, to prevent confusion and obstruct troubleshooting.
The VLAN name is not a reserved word or the name includes special characters that are not allowed or the switch will not accept the name.
VLAN names consist of alphanumeric characters, must begin with an alphabetical letter, no spaces are allowed, and special characters are only allowed if the VLAN name is enclosed by quotation marks.
The protocol filter is set to ANY or the desired protocol filter when using protocol based VLANs. When the filter is set to NONE, protocol based VLANS will not work. The protocol filter is set to NONE when a special protocol filter is deleted. The port you are adding is not already added to a different VLAN untagged or you will receive an error message.
30
Figure 16: Troubleshooting at Layer 2: Data Link Layer
31
Commands for Layer 2 Troubleshooting

The illustration lists the most common show commands used to troubleshoot Layer 2. The proper use and the interpretation of the information displayed by each of these commands will be explained in the following section.Use the clear command to clear dynamic forwarding database (FDB) entries. The output from the show commands is later used to identify the problem in the Layer 2 example. Each relevant field in the output of the command is explained.
32
33
Displaying Forwarding Database (FDB) information

Use the following command to verify the MAC addresses are learned and in the correct VLAN: show fdb {<mac_address> | vlan <vlan name> | <portlist> | permanent}
Primary Information
The show fdb command output shows:

The Ethernet MAC address of each learned device in the forwarding database. The VLAN where the device is a member. The port where the address is learned.
The flags show:
If the entry is an ingress or egress black hole entry (b, B).
For troubleshooting Layer 2 and Layer 3, verify that the expected device is physically connected to the port and is being learned. Verify that the entry is not a black hole. Verify that the device is in the right VLAN(s).
The show fdb command output also shows:

The age of the FDB entry. The FDB statistics on total learned, static, locked, permanent, dynamic, dropped, locked, and locked with a timer. The age timer and VPLS age timer.
The flags show:

If the entry is learned dynamically (d) or configured statically (s). If the entry is permanent (p). If the entry is locked down or locked with a timer (l, L). If the entry is on a port being used as the mirror port (M). If the entry is created by NetLogin (n).
Use the following command to clear dynamic FDB entries: clear fdb {<mac_address> | locked-mac <mac_address> | vlan <vlan name> | ports <portlist>}
34
Figure 18: Displaying Forwarding Database (FSB) information
35
Displaying Information About Every VLAN

Use this command to display detailed information for all VLANs. show vlan detail This command displays the same information as for an individual VLAN, but shows every VLAN, oneby-one.
Primary show vlan detail Information

The show vlan detail command output shows:

If the VLAN is enabled or disabled. If the VLAN is tagged and what the tag is. The virtual router where this VLAN is assigned. The IP address and subnetwork mask of the router interface of this VLAN. If loopback mode is enabled. The tagged and untagged ports assigned to this VLAN. Flags indicating if each port is:

active (*). disabled (!). part of a load sharing group (g). blocked for this VLAN (b).
For Layer 1 problems verify that the port is enabled, active, and part of or not part of a load sharing group. For Layer 2 problems verify that the port is:

assigned to the correct VLAN. correctly tagged. not blocked.
Verify that the VLAN is:

enabled. correctly tagged. not in loopback mode.
For Layer 3 related problems, verify that the following are correct:

The IP address The subnetwork mask The virtual router
36
Figure 19: Displaying Information About Every VLAN
37
Displaying Information about every VLAN (Continued)

The show vlan detail command output also shows:

The IPv6 address if one is assigned. The Spanning Tree Protocol Domain (STPD) name if one is assigned. The VLAN protocol filter name if one is assigned. If the NetLogin security feature is enabled. The name of the QOS policy file used to assign quality of service to packets on this VLAN if one is assigned. Flags indicating if each port is authenticated (a) or unauthenticated (u) for this VLAN by Netlogin.
For Layer 1 problems verify the port is authenticated if applicable. For Layer 2 problems verify that the VLAN:

is in the correct Spanning Tree domain. has the correct protocol filter if applicable. is correctly configured for security and QOS features if applicable.
38
Figure 20: Displaying Information about every VLAN (Continued)
39
Layer 2 Problem: Symptoms

On each switch in this example the configuration looks fine, but a ping from Switch 1 to Switch 2 does not work. To find the problem, check the VLAN configuration on both switches and compare them using the show vlan command.
Layer 2 Problem: Diagnosis and Solution

The show vlan command shows an error in adding the ports to a VLAN. Ports can be added as tagged or untagged, but it must be the same setting on both sides of the link. The show vlan <vlan name> command helps to find this error. This command shows if the ports are added tagged or untagged. The tag is the same on both switches, so this is not the problem. However, on Switch 1 the port is tagged, while on Switch 2 the port is untagged. To solve the problem, change the configuration on one of the two switches. Enter the following command on Switch 2 to solve the problem and provide connectivity between the two switches: configure vlan tagproblem add ports 2 tagged NOTE
In general it is recommended to always add ports tagged on inter-switch links so the port can be used as 802.1Q links for several VLANs.
40
Figure 21: Layer 2 Problem: Symptoms
Figure 22: Layer 2 Problem: Diagnosis and Solution
41
Troubleshooting at Layer 3: Network Layer

To have Layer 3 connectivity, the following rules must be observed:

Every device must have a unique host address. Devices with the same subnetwork address have to be within the same VLAN. When devices are in separate VLANs, those VLANs must have different subnetwork addresses and the devices providing connectivity between them must be configured to forward Layer 3 traffic. Every device involved in Layer 3 forwarding must have a route to reach the network of the destination IP address or have a default route to the right gateway.
Routing Advertisements
Extreme Networks switches do not advertise routes if:

The VLAN does not have an IP address assigned to it. IP Forwarding is not enabled for that VLAN. The VLAN has not been added to the Routing Protocol. The Routing Protocol has not been enabled globally.
Special RIP Issues

For issues affecting RIP, answer the following:
Are Split Horizon, Poison Reverse, and Triggered Updates enabled?
Special OSPF Issues

For issues affecting OSPF, answer the following:

Does the switch discover its neighbors and establish adjacencies? Are all routers in the same area? Is OSPF enabled on the VLAN and globally? Are the timers correct? Are the Link State Databases synchronized? Is a link state advertisement (LSA) missing? Is SPF running too often because of flapping links? Is authentication used, ECMP enabled, and the Router ID unique?
In a stable network, the Link State Database (LSDB) does not change much. One way to determine whether the entries in the LSDB are changing is to monitor the checksum and SPF runs. These are indicators of how often the LSDB is changing. Using multiple areas there are issues concerning stub area, NSSA, default routes, ABRs, ASBRs, Virtual Links, Route Summarization and more.
42
Figure 23: Troubleshooting at Layer 3: Network Layer
43
Displaying IP Forwarding and Routing Protocol

Use the following command to verify that IP forwarding and the correct routing protocol is enabled for a VLAN. show vlan For each VLAN the show vlan command output shows:

The name of the VLAN. The IP address and subnetwork mask of the router interface. If IP forwarding (f) is enabled. If OSPF is enabled on the VLAN (o). If RIP is enabled on the VLAN (r). If the VLAN loopback is enabled (L).
44
Figure 25: Displaying IP forwarding and Routing Protocol
45
Displaying VLAN Configuration Information

Use the following command to verify that IP forwarding and the routing protocol is enabled for a VLAN. show ipconfig {vlan <vlan name>} {detail} For each VLAN the show ipconfig command output shows:

The name of the VLAN. The IP address and subnetwork mask of the router interface. If IP forwarding (f) is enabled. If the interface is enabled (E) and active (U).
Use this information to verify the following:

The interface is up IP forwarding is enabled The interface has the correct IP address and subnetwork mask
46
Figure 26: Displaying VLAN Configuration Information
47
Displaying Contents of IP Routing Table

Use the following command to verify which destination networks are in the routing table and the source of the routing entry. show iproute {vlan <vlan name> | permanent | <ip address> <netmask> | origin [direct | static | blackhole | rip | icmp | ospf-intra]} {sorted} The show iproute command is one of the most important commands for Layer 3 troubleshooting. The show command output shows:

The destination network. The next hop gateway. The preferred route for unicast and multicast traffic. The duration of time this route has been in the routing table.
Use this information to verify that the destination network is in the routing table. Verify where the packets are being sent for a particular designating network. Also verify if the preferred route is the intended route. If a destination network is unreachable, check the following:

Every router in the path knows the destination network The default gateway is in the correct direction The return path is correct
Verify that directly connected routes are used when IP route sharing is enabled using Equal Cost Multi Paths (ECMP). For IP route sharing directly connected routes should be used instead of other routes even if the cost or relative route priority of the other routes has been manually set. The type of route entry flags show:

The route is Dynamic (D). The route is a Black hole (B). The route is a Gateway (G). The route is a Host Route (H). The route is a Label Distribution Protocol (LDP) Label Switch Path (LSP). The route is an indirect LDP LSP. (i) The route is a multicast (m) or unicast (u) route. The route is a Longest Prefix Match (LPM) route (P). The route is modified (R). The route is a Static route (S). The route is a Resource Reservation Protocol (RSVP) Traffic Engineering (TE) LSP. (T) The route is an indirect RSVP-TE LSP. (t) The route is up (U).
48
Figure 27: Displaying Contents of IP Routing Table
49
Verifying Contents of IP Routing Table

The command show iproute also shows the origin of the route. In addition to OSPF, routes can be learned from:

Directly connected interfaces (d) Border Gateway Protocol (bg), External BGP (be), or Internal BGP (bi) BootP (bo) Core Based Tree (CBT) multicast routing protocol (ce) Down Interface (df) Distance-vector Multi Routing Protocol (dv) Intermediate System - Intermediate System (ISIS) level-1 external (e1) (ExtremeWare only) Intermediate System - Intermediate System level-2 external (e1) (ExtremeWare only) ISIS level-1 internal (i1) and ISIS level-2 internal (i2) (ExtremeWare only) Hardcoded (h) Internet Control Message Protocol (ICMP) (i) Multicast Border Gateway Protocol (MBGP) (mb), MBGP external (mbe), or MBGP internal (mbi) Multicast Open Shortest Path First (MOSPF) (mo) OSPF external LSA type 1 (o1) and OSPF external LSA type 2 (o2) OSPF intranetwork (oa) and OSPF internetwork (or) OSPF external Autonomous System (oe) Protocol Independent Multicast - Dense Mode (pd), PIM-Sparse Mode (ps) Routing Information Protocol (RIP) (r) Route Advertisement (ra) Static (s) Server Load Balance (SLB) virtual server IP (VIP) (sv) (ExtremeWare only) Unknown (un)
Use this information to determine the source of the routes. This is useful for the following:

When using route redistribution When troubleshooting routing loops When unexpected routes are showing up in the routing table
Directly connected routes have a relative route priority of 10. Relative route priorities cannot be modified for directly connected routes or black hole routes. Redistribution of RIP routes into OSPF results in OSPF external routes with different relative priorities.
50
Figure 28: Verifying Contents of IP Routing Table
51
Displaying the IP Address Resolution Protocol Table

Use the following command to verify the contents of the IP Address Resolution Protocol (ARP) table: show iparp {<ip address> | <mac_address> | vlan <vlan name> | permanent} The show iparp command output shows:

Each Ethernet MAC address that has been mapped by ARP. The IP address mapped to the MAC address. If the entry is marked incomplete, it means the switch is arping for an IP address that is not responding. The port on which the MAC address is located. The VLAN on which the MAC address is located. The virtual router associated with the VLAN on which the MAC address is located. A list of all duplicate IP addresses detected.
Use this information to verify that each IP address is mapped to a single MAC address. Duplicate IP addresses are a very common misconfiguration and can cause confusing and unpredictable behavior. Also verify that the IP address is in the correct VLAN and subnetwork. To remove dynamic entries in the IP ARP table, enter the following command: clear iparp {<ip address> | vlan <vlan name>}
The show iparp command output also shows:

If the ARP mapping entry is statically configured. The age of the entry in seconds. Statistics for:

The current number of dynamic and static entries. The current number of pending entries. The ARP request is sent but no response has been received so far. The number of ARP requests received (in request), ARP responses transmitted (out response), ARP requests sent (out request), and ARP responses received (in response). The number of failed requests. A request was sent but no response was ever received. The number of received ARP responses that were rejected due to some protocol error in the packet. For all ARP responses that were rejected what is the count, port, IP address, and interface.
The maximum number of ARP entries and ARP pending replies configured or supported on this switch. Whether ARP address checking and ARP refresh are enabled. Checking checks if the ARP Request source IP address is within the range of the local interface. Disabling ARP refresh stops the sending of any ARP requests before the ARP entry times out. The ARP entry age timeout.
Use this information to verify that ARP is working correctly. Also use this to verify that the proxy ARP server is responding
52
Figure 29: Displaying the IP Address Resolution Protocol Table
53
Displaying Global OSPF Information

Use the following command to verify the OSPF area ID, router state, and link cost. show ospf The show command output shows:

If OSPF is enabled. The router ID and whether it is configured or automatically assigned. If this router is an ASBR or ABR. If the router ID is configured or automatically selected.
Use this information to verify that OSPF is enabled globally on the router. Verify that the router ID is configured correctly. Virtual links are built using the router ID. Verify that the router is acting in the right role: Interior Router, ABR, or ASBR.
54
Figure 30: Displaying Global OSPF Information
55
Displaying RIP Specific Configuration Information

Use the following command to verify RIP specific configuration for all VLANs. enter the following command: show rip The command displays the following:
The global status of:

RIP Split Horizon Poison Reverse Triggered Updates
RIP protocol timers
56
Figure 31: Displaying RIP Specific Configuration Information
57
Displaying IP Statistics for the CPU

To display IP statistics for the CPU for the switch or for a particular VLAN, enter the following command: show ipstats {vlan <vlan name>} The command displays the following:

Packet statistics and error statistic for IP. Packet statistics and error statistic for the Internet Control Message Protocol (ICMP). Packet statistics and error statistic for the Internet Group Management Protocol (IGMP).
Use the IP statistics to identify if errors are causing the protocol to fail or converge slowly. Use the ICMP statistics to identify if errors are causing connectivity failures or ping response failures. Use the ICMP statistics to identify if errors are causing problems with multicast routing.
Displaying IP Statistics for the VLAN

If errors are seen in the IP statistics information, use the VLAN IP statistics section to determine which VLAN is experiencing the errors. The second part of the display shows the following for each VLAN:

The IP address and network mask of the router interface Packets and Bytes in and out Multicast and Broadcast packets in and out Packets with errors and discarded packets Packets received of a unknown protocol type
58
Figure 32: Show IP Statistics for the CPU
Figure 33: Displaying IP Statistics for the VLAN
59
Using ICMP Commands for Layer 3 Troubleshooting

Use the following command to test end-to-end connectivity: ping {udp} {continuous} {size <start_size> {-<end_size}} [<ip_address> | <hostname>] {from <src_ipaddress>} Ping is a good tool to use to start troubleshooting. If ping responses are returned, the problem must be at a higher layer. If the ping response is not received, the problem is at the IP or lower layer.
NOTE
If you ping a router interface that is configured on the switch and is active, the router interface responds with an ICMP echo response even if IP forwarding is not enabled. The router interface may appear to be forwarding packets at Layer 3 even though it is not.
Use the following command to trace the routed path between the switch and a destination end station.: traceroute {vr <vrid>} {ipv4 <host>} {ipv6 <host>} {ttl <number>} {from <from>} {[port <port>] | icmp} Traceroute works by increasing the time-to-live (TTL) value of each successive batch of packets sent. The first three packets have a time-to-live (TTL) value of one (implying that they make a single hop). The next three packets have a TTL value of 2, and so on. The command output shows the IP address of the router interface at each hop along the path and the number of milliseconds it took each packet to receive an ICMP time exceeded packet from that interface. The command continues until the user enters Ctrl-c to abort the command. The traceroute command is useful in determining which route a packet is taking when multiple routes are available. It is also useful in identifying firewalls that may be blocking access to a site. If the trace route cannot reach the destination the command output identifies the reason why. Failures can be due to:
ICMP network unreachable - There is no path. Check the routing table. Make sure you are specifying the correct virtual router. Make sure IP forwarding is enabled. ICMP host unreachable - Make sure you entered the correct address. ICMP fragmentation needed - The packet is too large for one of the routers in the path. Enable fragmentation on the router. ICMP source route failed - Source routing is seldom supported. Transmit error - Check IP statistics for IP errors.
60
Figure 34: Using ICMP Commands for Layer 3 Troubleshooting
61
Layer 3 Problem: Symptoms

In this example the IP configuration looks correct and Switch 1 has connectivity with Host 1 and Switch 2. But Host 1 cannot reach Switch 2. A closer look shows that network 10.1.1.0/24 is not in the routing table of Switch 2 although RIP is running. But even if we configure a static route for network 10.1.1.0/24 on Switch 2 there is still no connectivity. Of course configuring a static route would not be a proper solution, even if it helps, because we are running a dynamic routing protocol. A typical example for a Layer 3 error is that IP forwarding is not enabled for one VLAN. The next step is to take a closer look at Switch 1's IP configuration, perhaps IP forwarding is not enabled for all VLANs. There are several commands to use to display the relevant information.
Layer 3 Problem: Diagnosis

Use the following command to find the error. show ipconfig The first screen displays the switch global settings. You see that IP routing and RIP are enabled correctly. However, this does not mean that these functions are enabled for all VLANs.
NOTE
Part of the output is omitted from the illustration. What is displayed is the overview of the router interfaces because that is what is important.
For the VLAN named noipforwarding, IP forwarding is not enabled. This is the cause of the problem.
62
Figure 35: Layer 3 Problem: Symptoms
Figure 36: Layer 3 Problem: Diagnosis
63
Layer 3 Problem: Solution

Another way to find the error is entering the following command: show vlan When you use this command without any parameters it displays an overview of the configured VLANs. The display includes the most important IP information. The flags indicate that IP forwarding is not enabled for the VLAN noipforwarding and the error is detected.
64
Figure 37: Layer 3 Problem: Solution
65
Collecting Information for Technical Support

When directed by Technical Support you can use the show tech command to collect and display the output of various show commands to assist in monitoring and troubleshooting the switch. When directed, enter the following command syntax: show tech {all | <area>} {detail} {logto [file]}
NOTE
This command is very processor intensive and will affect switch performance when run. Use this command only under the guidance of Extreme Networks Technical Support personnel to view your switch configurations and to troubleshoot the switch.
For EXOS switches, you will likely be directly to record the text output from show tech, save it to a file, and then send it to Technical Support. The show tech command displays the output of the following show commands in Table 4 among others:
Table 4: Sources of the Output of show tech Command

Commands show bootprelay show configuration show dhcp-client state show diagnostics show memory show odometers show policy show port rxerror show port txerror show power Commands show power budget show power controller show process show radius show session show switch show tacacs show version show vlan
Information about the following areas is also displayed, among others:

aaa bootp cli stp
If you enter the detail keyword, the following show output is displayed, among others:

show log show log configuration show log counters all show process detail
Depending on the software version running on your switch, the configurations running of your switch, and the type of switch you have, additional or different show commands and configuration output might be displayed.
66
Figure 38: Collecting Information for Technical Support
67
Interpreting a Syslog File

The illustration shows an example of system log messages. Examples of events that might generate a log message are:

A link going down. A user logging in. A command entered on the command line. The software executing a debugging statement.
Each log messages contains the following:

A timestamp of when the event was logged. The timestamp is in the format yyyy-mm-dd,hh:mm:ss. The sending devices IP Address. The IP Port number used for receiving log messages. 23 in the example. The Syslog Facility number 7 is the default for Extreme Networks devices. The protocol reporting the event. OSPF in this example. The actual log message.
Use system logging to track a series of events. For example:

Start Intra area SPF Area 0.0.0.10. (The start of an SPF run for area 0.0.0.10) Start IntraArea Route Table update SPF area 0.0.0.10. (The start of the routing table update) End IntraArea Route Table update area 0.0.0.10. (The end of the routing table update) End IntraArea Spf Area 0.0.0.10. (The end of an SPF run for area 0.0.0.10) NOTE
The syslog facility can be set to different values and the receiver can be programmed to treat different facility levels uniquely.
68
Figure 39: Interpreting a Syslog File
69
Sample Syslog File: You Set Parameters

Switch configuration and fault information is filtered and saved to target logs, in a memory buffer, and in NVRAM. Use the following command to display system log messages. show log {messages [memory-buffer | nvram]} {events {<event-condition> | <event-component>]} {<severity> {only}} {starting [date <date> time <time> | date <date> | time <time>]} {ending [date <date> time <time> | date <date> | time <time>]} {match <regex>} {chronological} The show log command displays the messages stored in either the internal memory buffer or in NVRAM depending on the switch type. The messages shown can be limited by specifying a severity level, a time range, or a match expression. Each entry in the log contains the following information:
Timestamp - records the month and day of the event, along with the time (hours, minutes, seconds, and hundredths of a second). Severity Level - indicates the urgency of a condition reported in the log. Severities include critical, error, warning, notice, info, debug-summary, debug-verbose, and debug-data. Component, Subcomponent, and Condition Name - describes the subsystem in the software that generates the event. This provides a good indication of where a fault might be. Message - A description of the event occurrence. If the event was caused by a user, the user name is also provided.
Use this information in the same way you use the remote system logging messages. Logging of CLI configuration commands must be enabled. The switch log overwrites existing log messages in a wrap-around memory buffer.
70
Figure 40: Sample Syslog File: You Set Parameters
71
Systematic Troubleshooting Steps

The following steps should be followed when troubleshooting any problem:

Ask questions to clearly define the problem. Gather information about the network. Consider escalating the problem to someone with additional expertise. The goal is to reach a resolution as fast as possible. Determine if the problem can be consistently reproduced or if it is intermittent. Document the history of the problem. Identify when the problem was first noticed and what events preceded the problem occurrence. Locate information about similar problems. This may indicate possible sources of the problem. Develop theories about what could be wrong. Start with simple ideas and advance to more complex issues. Test theories starting with the most inexpensive and simple, then test the more expensive and complex theories until the solution is found. Always document the problem, theories, tests, and end resolution. Retain the problem documentation and make it available for future troubleshooting.
72
Figure 41: Systematic Troubleshooting Steps
73
Defining the Problem

Make sure you have all relevant information about the problem. Begin by getting answers to the following questions:

What are the symptoms? Is the problem reproducible? How long has the problem been happening? How often does the problem happen? When does the problem happen? Is the issue affecting only one device or a large portion of the network? Is the issue isolated within a VLAN or does it also affect Layer 3 functions? How many users are affected? Which applications are affected? Does the problem seem to be related to the network load? Does the problem seem related to a new network installation or change? Was the network previously operating properly?
How long was the network operational prior to this issue arising?
74
Figure 42: Defining the Problem
75
Gathering Information Used for Troubleshooting

Collect all relevant documentation about the network. Use the following list and accompanying flow chart:
Physical network layout
A detailed network diagram with all connected devices, network addresses, and physical media types
Logical network layout Traffic bandwidth baselines
You have to know your network in a stable situation, so that you know what to expect when looking at the status of the network.
Availability reports Records of recent changes made to the network Current status of devices and connections Event and error logs
Keep manuals and release notes of implemented equipment ready to use. Make sure that everybody involved in troubleshooting has access to this information.
76
Figure 43: Gathering Information Used for Troubleshooting
77
Consider Escalation
Before you escalate a problem to technical support, ask the following:

What is the impact on the users? What is the impact on the resiliency of the network? What is the cost per day of the problem? Does the problem seem to be in an area you have expertise in? How much time has already been spent on troubleshooting? What is covered in your support contract?
Escalating does not mean you have to stop troubleshooting. Escalation is most effective when you provide a good problem description and all relevant network information.
Extreme Networks TAC Escalation

The process for escalating a problem to Extreme Networks is documented in the file found at: http://www.extremenetworks.com/services/tac-userguide.aspx Prior to contacting Extreme Networks upgrade to the newest software release and gather the following:

Your company name and the phone number of the contact Serial number(s) of the switch chassis and additional module(s) Service contract number Detailed problem description Output of the following commands:

show version show switch show configuration show tech-support or show diagnostics show log run diagnostics extended
Remote login information for Extreme Networks TAC NOTE
The output of the show tech-support command can be very large.
78
Figure 44: Consider Escalation
Figure 45: Extreme Networks Escalation
79
Developing and Testing Theories

Develop theories based upon the information you have collected. Do this in a structured way, so that you do not repeat steps, but work your way trough all possible causes. Document your theories to provide a checklist for testing.
Testing Theories
A layered approach gives structure to the troubleshooting process. Use the OSI model to structure tests. Start testing the lowest layers first then work your way up the OSI layers. For example: 1. Use the link Light Emitting Diodes (LEDs), show commands, and physical inspection of the cable to verify the Physical Layer. 2. Use the ping command, verify packet statistics, verify port settings, and verify the Layer 2 forwarding tables to test Layer 2 connectivity. 3. Use an end-to-end ping command, trace route command, verify Layer 3 configuration, and verify Layer 3 route tables to test Layer 3 connectivity. 4. Use telnet, FTP, TFTP, or SNMP to test protocols at the top three layers. If the test results support the theory, go on to implementing a solution. If the test results do not support the theory, go back to test a new theory.
80
Figure 46: Developing and Testing Theories
81
Implementing a Solution
After you implement a solution, recheck the status of the problem. If there is still a problem, go back to either gather more information or test different theories. The symptoms of the problem might change as a result of the troubleshooting actions. If you did not improve the situation by your action, consider undoing the actions.
82
Figure 47: Implementing a Solution
83
Documenting the Solution

Take care of your documentation. Logging of problems and solutions helps the next time you have to troubleshoot. It also provides a record of repetitive or intermittent failures and the uptime of your network. If you make configuration changes, make sure that you update the network documentation so it is accurate. After the correct solution is implemented, document the following:

The symptoms The time and frequency of the symptom The theories tested The theory that proved to be correct The solution The root cause of the problem Any ideas of how to recognize this same problem in the future How long the network operation was affected
84
Figure 48: Documenting the Solution
85
Summary
The Network Troubleshooting module presented basic concepts of network troubleshooting and the show commands to use. You should now be able to:

Identify the network management and maintenance systems that prepare you to troubleshoot. Define the steps to perform systematic troubleshooting. Describe the layered approach for troubleshooting. Identify useful commands for finding errors at each layer. Interpret the output of show commands. Troubleshoot problems at the Physical, Data Link, and Network Layers.
86
Figure 49: Summary
87
Lab
Turn to the Troubleshooting Lab in the ExtremeXOS Operations and Configuration - Lab Guide, Rev. 12.1 and complete the hands-on portion of this module.
88
Figure 50: Lab
89
Review Questions
1 Which of the following terms identifies Extreme Networks approach to troubleshooting? a Layered approach b Distributed analysis c Proactive preemption d None of the above 2 Which of the following can effect physical connectivity? a cables b patch panels c connector ports d All of the above 3 Which of the following LED states indicates that the link is down? a Solid green b Green blinking c Off d Solid Amber 4 Which of the following commands is appropriate for troubleshooting Layer-1 connectivity issues? a show ospf configuration b show port configuration c show vlan configuration d All of the above 5 Which of the following commands enables you to reset port statistics values? a clear counters ports b configure port counters reset c disable port counters d zero port counters 6 Which of the following commands enables you to retest the Layer 2 forwarding database? a reset fdb b clear fdb c zero fdb d fdb clear
90
7 Which of the following commands enables you to display the contents of the Layer 2 forwarding database? a fdb show b fdb display c show fdb d display fdb 8 Which of the following commands provides a detailed display of the VLAN configuration? a display vlan configuration detail b display vlan detail c show vlan configuration detail d show vlan detail 9 Which of the following commands enables you to display the contents of the IP routing table? a traceroute b clear iproute c show iproute d show routing table 10 Which of the following commands enables you to display the contents of the ARP table? a show arp b show iparp c arp d iparp
91
Network Troubleshooting This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http:// www.sec.gov). We undertake no obligation to update the forward-looking information in this release.
92

DOC-00918 Rev01 EXOC Presentation SG Version 12.1

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

DOC-00918 Rev01 EXOC Presentation SG Version 12.1

Hochgeladen von

Copyright:

Verfügbare Formate

ExtremeXOS Operation and Configuration Presentation Guide Rev.12.

Extreme Networks Technical Publications

Module 2: Extreme Networks Product Overview................................................................................. 1

Module 3: Initial Switch Configuration.............................................................................................. 1

Extreme Networks Technical Publications

Module 4: Switch Management ........................................................................................................ 1

Extreme Networks Technical Publications

Module 5: Layer 1 Configuration ...................................................................................................... 1

Module 6: EXOS Stacking ................................................................................................................ 1

Extreme Networks Technical Publications

Module 7: Layer 2 Forwarding.......................................................................................................... 1

Extreme Networks Technical Publications

Module 8: Introduction to VLANs ...................................................................................................... 1

Extreme Networks Technical Publications

Module 9: Spanning Tree................................................................................................................. 1

Module 10: Ethernet Automatic Protection Switching ........................................................................ 1

Extreme Networks Technical Publications

Module 11: IP Unicast Routing......................................................................................................... 1

Module 12: Configuring RIP ............................................................................................................. 1

Extreme Networks Technical Publications

Module 13: Configuring OSPF .......................................................................................................... 1

Module 14: Network Login Using Local MAC-Based Authentication .................................................... 1

Extreme Networks Technical Publications

Module 15: Universal Port ............................................................................................................... 1

Extreme Networks Technical Publications

Table of Contents Lab..........................................................................................................................................58 Review Questions ......................................................................................................................60

Module 16: Policy-Based QoS.......................................................................................................... 1

Module 17: Switch Diagnostics........................................................................................................ 1

Extreme Networks Technical Publications

Module 18: Network Troubleshooting ............................................................................................... 1

Extreme Networks Technical Publications

Extreme Networks Technical Publications

Introduction and Orientation

Extreme Networks Technical Publications

Introduction and Orientation

ExtremeXOS Operation and Configuration

Extreme Networks Technical Publications

Figure 1: Module Content

Extreme Networks Technical Publications

Introduction and Orientation

Extreme Networks Technical Publications

Extreme Networks Technical Publications

Introduction and Orientation

Extreme Networks Technical Publications

Extreme Networks Technical Publications

Introduction and Orientation

Extreme Networks Technical Publications

Figure 4: Student Kit

Extreme Networks Technical Publications

Introduction and Orientation

Extreme Networks Technical Publications

Extreme Networks Technical Publications

Introduction and Orientation

Extreme Networks Technical Publications

Figure 6: Course Prerequisites

Extreme Networks Technical Publications

Introduction and Orientation

High-Level Student Objectives

Extreme Networks Technical Publications

Figure 7: High-Level Student Objectives

Figure 8: High-Level Student Objectives (Continued)

Extreme Networks Technical Publications

Introduction and Orientation