Initial Switch Configuration

ExtremeXOS Operation and Configuration, Version 12.1

2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.

Student Objectives
Upon completion of this module, you will be able to: Login to the switch. Interpret the system prompt. Assign a name to the switch. Use the syntax help function. Create a new user account. Describe the SNMP, SNTP, and logging management features.

Slide 2

Initial Switch Configuration

Connect to the console port. DB-9, DTE, 9600, N, 8, 1, XON/XOFF A new switch boots and prompts for: Telnet enabled or disabled SNMP enabled or disabled All data ports enabled or disabled Failsafe account and password change Failsafe access on management port
Console

Switch

Slide 3

CLI Access

Telnet Connection
Dedicated Ethernet management port or Ethernet data port: - Up to 8 Sessions - IP must be configured - Nested Telnet - SSH (requires additional s/w module)
Slide 4

Console Port Connection

- DB-9 serial cable - 9600, 8, N, 1, X

CLI Organization

# PROMPT

clear

configure

create

delete

disable

download

enable

exit

history

logout

First-tier Commands
nslookup ping quit reboot restart rtlookup show traceroute upload use

accounts

configuration

rip

vlan

protocol

log

stpd

switch

qosfile

ipstats

Second-tier Commands
fdb iparp memory management iparp iproute ports version session

Third-tier Commands

configuration

stats

collisions

errors

packet

utilization

port number

Slide 5

Syntax Helper
VLAB-R1-X450-24x.2 # show access-list access-list info accounts show accounts bandwidth Bandwidth resource banner Netlogin Banner bgp Display BGP global configuration information bootprelay Show the bootp relay information cfm Configure IEEE 802.1ag specific settings checkpoint-data Checkpoint Data clear-flow CLEAR-Flow configuration System configuration cpu-monitoring CPU Utilization Statistics debug debug command

Using the tab key displays the next set of command options. Using the question mark (?) at the end of the command displays the next set of command options.

VLAB-R1-X450-24x.2 # show ports ? anomaly anomaly statistics collisions Displays collision statistics configuration Display the port configuration information Displays port information packet histogram of packet statistics qosmonitor QOS redundant Display all software redundant ports on the system rxerrors receive error statistics sharing sharing stack-ports Stacking Ports statistics Port statistics txerrors Displays transmit error statistics

Slide 6

Abbreviated Syntax
VLAB-R1-X450-24x.2 # Use Redirects IpOption LSRR IpOption SSRR IpOption RR IpOption TS IpOption RA Route Sharing Originated Packets IP Fwding into LSP Unicast Reverse Path Max Shared Gateways sh ipc : Disabled : Enabled : Enabled : Enabled : Enabled : Enabled : Disabled : Don't require ipforwarding : Disabled : Disabled : Current: 4 Configured: 4

Abbreviation of a command, parameter, or value: # show ipconfig # sh ipc Entering port values Separated by
commas, (1,2,4)

IRDP: Advertisement Address: 255.255.255.255 Interval: 600 Minimum Interval: 450 Lifetime: 1800 VLAN Default IP Address 10.1.0.1

Maximum Preference: 0 nSIA 0

Specify a range (1-9) Specify all ports (all)l

Flags /24 E-----MPuRX-------

Flags: (A) Address Mask Reply Enabled (B) BOOTP Enabled (b) Broadcast Forwarding Enabled, (E) Interface Enabled (f) Forwarding Enabled (g) Ignore IP Broadcast Enabled (h) Directed Broadcast Forwarding by Hardware Enabled Press <SPACE> to continue or <Q> to quit:

Slide 7

# history

CLI Command - History

Displays all commands entered Stored in the command history buffer Content of buffer is displayed by entering the history command
history

Use <Up> and <Down> arrow keys to scroll within the command history buffer
VLAB-R1-X450-24x.7 1 show 2 sh ipc 3 history 4 create vlan 5 create vlan 6 save 7 history VLAB-R1-X450-24x.8 # history

ipV6 Finance

Slide 8

Unique Name Identifiers

Names are used as reference keys within the command set. Unique name identifiers are used for naming VLANs, Spanning Tree protocol domains, etc.

Blue

Green

Finance

Marketing

Slide 9

Switch Login
(pending-AAA) login: Authentication Service (AAA) on the master node is now available for login. login: admin password:

Two access levels: User / Administrator May login after AAA

initialization

ExtremeXOS Copyright (C) 2000-2007 Extreme Networks. All rights reserved. Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957; 6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,017,082; 7,046,665; 7,126,923; 7,142,509; 7,149,217; 7,152,124; 7,154,861; 7,245,619; 7,245,629; 7,269,135. ================================================================== Press the <tab> or '?' key at any time for completions. Remember to save your configuration changes.
VLAB-R1-X450-24x.1 #

Up to 16 accounts Passwords: Blank 4 to 12 characters Case sensitive You can create two admin accounts, and they are identical in their capabilities. Fail Safe account Used for recovery If password is lost,
return switch to Extreme Networks

May use to login before AAA initialization

Slide 10

CLI - Command Prompt

The command prompt tells us four things: Unsaved configuration
changes

* X450a-24t.6 #
New change to switch configuration not saved Switch SNMP Sysname Number of next command to be executed Privilege Level

Switch name Number of commands executed during this session Privilege level

Slide 11

# show session {{detail} {<sessID>}} {history} # clear session [<sessId> | all]

Management Accounts

User account can:

- View anything except: - Switch configuration - Switch management - User accounts - SNMP community strings - Use PING - Change own password Prompt type: X450a-24t >
Slide 12

Administration account can:

- View and change anything - Add/Remove users - Change user passwords - Disconnect Telnet sessions Prompt type: X450a-24t #

# create account [admin | user] <name> {<password>} # delete account <name>

Creating User Accounts

VLAB-R1-X450-24x.4 # show accounts User Name Access LoginOK Failed -------------------------------- ------ ------- -----admin R/W 20 0 user RO 0 0 test R/W 3 7 VLAB-R1-X450-24x.4 # configure account test password: Reenter password: * VLAB-R1-X450-24x.5 # save The configuration file primary.cfg already exists. Do you want to save configuration to primary.cfg and overwrite it? (y/N) Yes Saving configuration on master ....... done! Configuration saved to primary.cfg successfully. VLAB-R1-X450-24x.6 # delete account test * VLAB-R1-X450-24x.7 # save The configuration file primary.cfg already exists. Do you want to save configuration to primary.cfg and overwrite it? (y/N) Yes Saving configuration on master ....... done! Configuration saved to primary.cfg successfully VLAB-R1-X450-24x.7 #

Display user account information with: show account

Only admin-level users can create or delete accounts.

Default accounts have no passwords. configure
account <name>

1 to 32 characters case-sensitive

The default admin account cannot be deleted. You may create password policies.

For security, always configure a password on the default admin account.

Slide 13

# configure failsafe-account

Failsafe Login
The account of last resort to access the ExtremeXOS switch when the admin password has been lost. Never displayed but always present. To access the switch using the failsafe account, you must be connected using a permitted method: all control serial ssh telnet Changes to failsafe account and password are immediately stored in NVRAM, not in the configuration file.
Note: The information that you use to configure the failsafe account cannot be recovered by Extreme Networks Technical support. Protect this information carefully.
Slide 14

# configure cli max-sessions <num_sessions> # configure cli max-failed-logins <max_attempts>

Limiting CLI Sessions and Failed Logins

Limit the number of simultaneous CLI sessions: configure cli max-sessions 4 Limit the number of failed login attempts: configure cli max-failed-logins 2 Lock out a user after consecutive failed login attempts: configure account [all | <name>] password-policy
lockout-on-login-failures on

View the accounts that are currently locked out with the following command: show account Admin-level user must clear lockout condition: clear account [all | <name>] lockout
Slide 15

# configure telnet vr admin_vrouter

Restricting Telnet Access

Restrict which virtual router interfaces listen for Telnet connection requests: configure telnet vr admin_vrouter

Slide 16

Configuring Management Access

Dedicated management port IP address required to access switch Out-of-band management for: Telnet SSH SNMP SNTP RADIUS RMON Regional Offices Remote logging Local logging

IP Network

Management Station

Slide 17

# enable ssh2 # scp2

Using SSH and SCP

Used to encrypt Telnet sessions between a network administrator using SSH2 client software and the switch. Secure copy is included in the SSH module and is used to transfer files using encrypted data between the switch and an SSH2 client. To enable the switch to function as an SSH2 server:
enable ssh2

To copy a file using secure copy:

scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <user>@ [<hostname> | <ipaddress>]:<remote_file> <local_file> {vr <vr_name>}

Copy policy and configuration files to the switch using the Secure Copy
Protocol 2 (SCP2).

Note: Installing the SSH module also provides secure web (HTTPS / SSL) functionality.
Slide 18

Using SNMP
The switch must have an IP address. The SNMP agent can then be accessed from a Network Management Station (NMS).

10.1.4.1

10.1.6.1

IP Network/ Intranet

10.1.5.1 NMS Any SNMP based network manager can manage a switch. Switch MIB must be installed correctly on the mgmt workstation.
Slide 19

# enable snmp # configure snmp

Configuring SNMP System Parameters

Enable SNMP
enable snmp access
10.1.4.1

System name
configure snmp sysname <string>

System location
configure snmp syslocation <string>

System contact
configure snmp syscontact <string>

10.1.6.1

IP Network/ Intranet

10.1.5.1

NMS

Slide 20

# configure snmp add community # configure snmp

Configuring SNMP Access Parameters

Community strings Default Public and Private SNMP read or read/write access
configure snmp add community [readonly | readwrite] <string>
10.1.4.1

Authorized trap receivers Enable traps

enable snmp traps

10.1.6.1

IP Network/ Intranet

Add trap receiver

configure snmp add trapreceiver <ip_address> community <string>
10.1.5.1 NMS

Slide 21

Authenticating Switch Management Users

RADIUS Client Remote Authentication Dial In User Service (RADIUS) A mechanism for authenticating and centrally administering access to
network nodes

Allows authentication for Telnet, Vista, or console switch access TACACS+ Terminal Access Controller Access Control System Plus Similar to the RADIUS Client Used to authenticate prospective users attempting to administer the switch Used to communicate between the switch and an authentication database NOTE: You cannot configure RADIUS and TACACS+ at the same time.

Slide 22

Logging Features
Timestamp Fault Level Subsystem Message

Remote logging enabled

Local logging

IP Network/ Intranet

Remote logging enabled

UNIX syslog host facility accepts and logs messages

Slide 23

# configure syslog # enable syslog

Logging Features
configure syslog {add} [<ipaddress> | <ipPort>] {vr <vr_name>} [local0 ...local7] {<severity>} enable syslog

Remote logging enabled

IP Network/ Intranet

Local logging

Remote logging enabled UNIX syslog host facility accepts and logs messages
Slide 24

# show log {<severity>}

Displaying Log Messages

Local logging: Up to 20,000 messages in the internal log Default is 1000 entries Display log anytime: show log {<severity>}
Local logging Remote logging enabled

IP Network/ Intranet

Remote logging enabled

Slide 25

# configure sntp-client # enable sntp-client

Using SNTP
Simple Network Time Protocol (SNTP) Version 3. Used to update/synchronize the internal switch clock from a Network Time Protocol (NTP) server. When enabled, the switch sends out a periodic query to the NTP server or the switch listens to broadcast NTP updates.

Console

NTP Server

Switch

# configure sntp-client [pri | sec] server [<ip address> | <host name>] {vr <vr_name>} # enable sntp-client
Slide 26

# show management

Verifying the Management Configuration

VLAB-R1-X450-24x.1 # show management CLI idle timeout : Enabled (20 minutes) CLI max number of login attempts : 3 CLI max number of sessions : 8 CLI paging : Enabled (this session only) CLI space-completion : Disabled (this session only) CLI configuration logging : Disabled CLI scripting : Disabled (this session only) CLI scripting error mode : Ignore-Error (this session only) CLI persistent mode : Persistent (this session only) Telnet access : Enabled (tcp port 23 vr all) : Access Profile : not set SSH Access : ssh module not loaded. Web access : Enabled (tcp port 80) Total Read Only Communities : 1 Total Read Write Communities : 1 RMON : Disabled SNMP access : Disabled : Access Profile Name : not set SNMP Traps : Enabled SNMP v1/v2c TrapReceivers : None SNMP stats: InPkts 0 Gets 0 SNMP traps: Sent 0 VLAB-R1-X450-24x.2 # OutPkts 0 Errors 0 GetNexts 0 Sets 0 AuthTraps Enabled AuthErrors 0

To display the network management configuration, statistics, and SNMP settings: show management The display includes: Enable/disable states
for Telnet, and SNMP

Authorized SNMP station list SNMP trap receiver list RMON polling configuration SNMP statistics

Slide 27

Summary
You should now be able to: Login to the switch. Interpret the system prompt. Assign a name to the switch. Use the syntax help function. Create a new user account. Describe the SNMP, SNTP, and logging management features.

Slide 28

Lab
Turn to the Initial Switch Configuration Lab in the ExtremeXOS Operations and Configuration - Lab Guide Rev. 12.1 and complete the hands-on portion of this module.

Slide 29

Review Questions

2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.

This presentation contains forward-looking statements that involve risks and uncertainties, including statements regarding our expectations as to products, trends and our performance. There can be no assurances that any forward-looking statements will be achieved, and actual results could differ materially from forecasts and estimates. For factors that may affect our business and financial results please refer to our filings with the Securities and Exchange Commission, including, without limitation, under the captions: Managements Discussion and Analysis of Financial Condition and Results of Operations, and Risk Factors, which is on file with the Securities and Exchange Commission (http://www.sec.gov). We undertake no obligation to update the forward-looking information in this release.

2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.

 2008 2008 Extreme Extreme Networks, Networks, Inc. Inc. All All rights rights reserved. reserved. ExtremeXOS ExtremeXOS Operation Operation and and Configuration, Configuration, Version Version 12.1. 12.1. Part Part number number DOC-00919. DOC-00919.