To enable/disable SSH:
enable ssh2
disable ssh2
(pending-AAA) login:
Authentication Service (AAA) on the master node is now available for login
Password policies are disabled by default.
You are prompted for the failsafe account name, and prompted twice to specify the
password for the account. For example:
The configuration displayed is the configuration that is currently running in the switch’s
RAM and not the booted configuration file stored on the flash file system. The running
RAM configuration needs to be saved if any configuration changes are made. Changes
to the running RAM configuration are indicated by the “*” symbol next to the CLI
command prompt.
When the switch is new or the unconfigure switch all command has been used, you must connect to the
console to access the switch. You are prompted with an interactive script that specifically asks if you want
to disable telnet, disable SNMP, disable the unconfigured ports and configure the failsafe account.
Note: Entering the unconfigure switch all command resets stacking support and stacking port selection
on the local node only and does not affect the rest of the stack nodes.
If you incorrectly configure the IP address or mask for a VLAN, then in order to change
the IP address you must first unconfigure the IP address and then enter the correct IP
address as follows:
Up to 63 user-created VRs can be created on the following XOS based switches:
BD8K with 8900 xl-series MSMs, BDX8K, and Summit X460, X480, X650 switches.
To change this behavior, you have to explicitly add the target VR to the command as
follows:
This has the effect of issuing the command through the VR-Default VR and thus will be
forwarded through the VLAN matching the target IP address and mask.
Using the CLI qualifier no-refresh displays the port configuration for each port as a list
which is not updated in real time. For example:
To use one of the existing accounts, you must first configure the authentication and privacy
password keys.
Note: On XOS based switches a configuration audit trail can be enabled on a switch by
entering the enable cli-config-logging command. Configuration changes made to the
switch are logged to a Syslog server if Syslog has been configured.
Each RADIUS client supports the configuration of a primary and secondary RADIUS
server for redundancy. If the primary server becomes unavailable for some reason, then
the switch will try to authenticate a user to the secondary server if configured. If both
primary and secondary servers are unavailable, the switch will authenticate the user to
the switch’s local user database.
The “client-ip” argument specifies the IP address to be used for sending RADIUS
messages to the RADIUS server. This address should match the IP address of the
authenticating client configured on the server.
At boot time, the image is uncompressed and loaded into RAM:
Uncompress selected image
Load uncompressed image into RAM and start running
The image is upgraded by using a download procedure from either a TFTP server on
the network or a PC connected to the serial port using the ZMODEM protocol. The
serial download is very slow and can only be done from the BootROM menu. The
BootROM is discussed later in this chapter.
Note: If no parameters are specified for the location, the image is saved to the
nonactive location. The nonactive location will be automatically selected to use at next boot.
The use image command is therefore not required when upgrading the switch software
but is included here for completeness and compatibility for earlier versions of
ExtremeXOS and ExtremeWare.
During a software upgrade the system BootROM checks the software for a unique
signature. The BootROM denies an incompatible software upgrade.
Interaction with the BootROM menu is only required under special circumstances and
should be done only under the direction of Extreme Networks Customer Support. The
necessity of using these functions implies a non-standard problem, which requires the
assistance of Extreme Networks Technical Support.
Note: For switches that support a one-stage bootloader, such as chassis based
switches and ExtremeWare based summits, the spacebar must be pressed immediately
after the switch is rebooted or power cycled.
For BD8K series switches, the BootROM is contained in the ExtremeXOS software
image and by default is upgraded manually by entering the install firmware command.
This behavior can be changed to upgrade automatically by entering the following
command, specifying the auto-install option:
Use the show version command to display the switch BootROM version.
Note: When upgrading the BootROM separately, upgrade the BootROM and reboot the
switch before upgrading a software image.
Note: When entering the show switch command, up to four configuration related pieces of
information are displayed:
1. The booted configuration file, i.e. the configuration file which was loaded into RAM
at boot time.
2. The selected configuration file. This is the configured configuration file which will be
loaded into RAM at next boot.
Using “cut & paste” techniques to provision other switches in a standard way
thus avoiding errors.
Frames arriving on an ingress port are forwarded into the relevant VLAN based on the
802.1Q tag present within the frame.
802.1p CoS is examined, and the frame is placed into the appropriate queue:
Values 0-6 are mapped by default to the low priority queue, QoS Profile QP1
Value 7 is mapped by default to the high priority queue, QoS Profile QP8
You can create a custom protocol filter by using the create protocol command. You then
add the relevant filter entries by entering the configure protocol command. Existing
protocol filters can also be edited using this command.
Unlearned traffic: When a frame’s destination MAC address is not in the VLAN’s
forwarding database (FDB), it will be forwarded out of every port on the VLAN’s egress
list with the frame format that is specified.
Learned traffic: When a frame’s destination MAC address is in the VLAN’s forwarding
database, it will be forwarded out of the learned port only.
show vlan ?
"VR-Default" "VR-Mgmt"
The clear fdb command also has a number of command qualifiers that allow you to
clear specific FDB entries as follows:
Note: Commands allowing a VID list are “best effort”. Should an error occur during the execution of a
command that was specified with a VID list, execution will continue for the remaining VIDs. “Best
effort” behavior in EXOS is a deviation from legacy EXOS, which normally operates in an “all or nothing”
paradigm.
Note: XOS switches support the configuration of protocol based VLANs. A VLAN can be configured to
filter on a specific protocol using the configure vlan protocol command. See example below:
Note: For BD10K and BD12K switches you cannot selectively disable flooding on
specific ports. Additionally, the command disables flooding of unicast, broadcast and
multicast packets.
Example:
disable flooding unicast ports 24
disable flooding broadcast ports 24
show port 24 info detail
Packets destined for permanent MAC addresses and other MAC addresses that are not
black hole entries.
Broadcast traffic from MAC addresses that are not black hole entries.
Note: In large networks the application of limit learning using Blackhole entries can
quickly use up FDB entries. A full FDB can have an impact on switch performance. To
alleviate this, use the action stop-learning command qualifier.
The “limit” for a specific virtual port (port/VLAN combination) can be removed by
entering the configure port command, specifying the port, vlan and the keyword
unlimited-learning as shown in the example below:
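The forwarding rules above (unlearned traffic flooded to the VLAN's egress list, learned traffic sent only to the learned port) and the limit-learning behaviour (a new source MAC beyond the limit either becomes a black hole entry that consumes an FDB slot and drops that station's traffic, or, with stop-learning, is simply not learned) can be modelled in a few lines. The following Python model is an added illustration, not code from the training material or from ExtremeXOS; the per-(port, VLAN) limit, the "blackhole" and "stop-learning" action names and the treatment of a non-learned station under stop-learning as ordinary unlearned traffic are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

BLACKHOLE = "blackhole"   # marker stored in place of a port for black hole entries
DROP = "drop"             # returned when the frame is discarded


@dataclass
class Fdb:
    """Toy per-VLAN forwarding database with limit learning (added model, not EXOS code)."""
    limit: Optional[int] = None          # max dynamically learned MACs per (VLAN, port); None = unlimited
    action: str = BLACKHOLE              # "blackhole" or "stop-learning" (assumed action names)
    entries: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (vlan, mac) -> port | BLACKHOLE

    def learned_count(self, vlan: str, port: str) -> int:
        """Entries learned on a given virtual port (black hole entries are not counted here)."""
        return sum(1 for (v, _), p in self.entries.items() if v == vlan and p == port)

    def ingress(self, vlan: str, port: str, src: str, dst: str,
                egress_ports: List[str]) -> Union[str, List[str]]:
        """Learn the source MAC, then return DROP or the list of ports the frame is sent out of."""
        key = (vlan, src)
        if key not in self.entries:
            if self.limit is None or self.learned_count(vlan, port) < self.limit:
                self.entries[key] = port                     # normal learning
            elif self.action == BLACKHOLE:
                self.entries[key] = BLACKHOLE                # limit exceeded: consumes an FDB entry
            # stop-learning: nothing is added, so no FDB entry is consumed
        if self.entries.get(key) == BLACKHOLE:
            return DROP                                      # traffic from a black hole MAC is dropped

        out = self.entries.get((vlan, dst))
        if out == BLACKHOLE:
            return DROP                                      # traffic to a black hole MAC is dropped
        if out is None:
            # Unlearned (or broadcast) destination: flood to every egress port except the ingress port.
            return sorted(p for p in egress_ports if p != port)
        return [out] if out != port else []                  # learned traffic: learned port only


def demo() -> dict:
    """Constructed scenario: three stations on port 1 with a limit of two learned MACs."""
    ports = ["1", "2", "3"]
    bcast = "ff:ff:ff:ff:ff:ff"
    results = {}

    bh = Fdb(limit=2, action=BLACKHOLE)
    results["flood_unlearned"] = bh.ingress("v1", "1", "00:aa:00:00:00:01", bcast, ports)
    results["learned_same_port"] = bh.ingress("v1", "1", "00:aa:00:00:00:02", "00:aa:00:00:00:01", ports)
    results["third_station"] = bh.ingress("v1", "1", "00:aa:00:00:00:03", bcast, ports)
    results["to_blackholed"] = bh.ingress("v1", "2", "00:bb:00:00:00:01", "00:aa:00:00:00:03", ports)
    results["to_learned"] = bh.ingress("v1", "2", "00:bb:00:00:00:01", "00:aa:00:00:00:01", ports)
    results["blackhole_entries"] = len(bh.entries)

    sl = Fdb(limit=2, action="stop-learning")
    for mac in ("00:aa:00:00:00:01", "00:aa:00:00:00:02"):
        sl.ingress("v1", "1", mac, bcast, ports)
    results["stop_learning_third"] = sl.ingress("v1", "1", "00:aa:00:00:00:03", bcast, ports)
    results["stop_learning_entries"] = len(sl.entries)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two counters at the end show the FDB cost the note describes: with the blackhole action every extra station on the limited port adds an entry, while stop-learning leaves the table at the limit.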
Note: When you unconfigure the lock learning feature on a virtual port, and if the
configuration was previously saved with the lock learning feature enabled, the “locked”
entries will need to be removed from the running configuration.
Create VLANs:
create vlan v1
create vlan v2
You must create and configure one control VLAN for each EAPS domain. A control
VLAN cannot belong to more than one EAPS domain. If the domain is active, you
cannot delete the domain or modify the configuration of the control VLAN. The control
VLAN must NOT be configured with an IP address. In addition, only ring ports may be
added to this control VLAN. No other ports can be members of this VLAN. Failure to
observe these restrictions can result in a loop in the network. The ring ports of the
control VLAN must be tagged.
Each switch (node) will examine the hello packet and then forward the packet to its
neighbor switch through the ring port that did not receive the packet. EAPS packets are
sent with an 802.1p value of 7 (QP8).
Note: A Controller or Partner can also perform the role of master or transit node within
its EAPS domain. Typically the controller and partner nodes are distribution or core
switches.
Blocks protected VLAN communications on all segment ports except the active-open
port.
Note: When a controller goes into or out of the blocking state, the controller sends a
flush-fdb message to flush the FDB in each of the switches in its segments. In a
network with multiple EAPS ports in the blocking state, the flush-fdb message gets
propagated across the boundaries of the EAPS domains.
You must add one or more protected VLANs to each EAPS domain. The protected
VLANs are the data-carrying VLANs. When you configure a protected VLAN, the ring
ports of the protected VLAN must be tagged (except in the case of the default VLAN).
For instructions on creating a VLAN, see VLAN Module.
For example, if you have an EAPS configuration with three adjacent common links,
moving from left to right of the topology, configure the link IDs from the lowest to the
highest value. To configure the link ID of the shared port, use the following command:
Ring Name
RPL (ring protection link) owner configuration for the ERPS ring
CFM packets have a source MAC address of the switch and a destination MAC
address of 01:19:a7:00:00:01.
Note: 01:19:a7 is the OUI for the ITU, who developed Y.1731, on which 802.1ag is based.
R-APS packets are sent with an 802.1p value of 7 (QP8) and a type field of 0x8902.
A DOWN MEP sends CFM frames directly to the physical medium without considering
the port STP state. For a DOWN MEP, a CFM frame exits from a port even if the port
STP state is in blocking state.
In the absence of any type of link aggregation, Spanning Tree Protocol prevents the
addition of bandwidth. Link aggregation makes multiple physical links appear as a
single logical link to the Spanning Tree Protocol, such that those redundant links within
the aggregation will not be blocked. This is accomplished by positioning link
aggregation as an optional sub-layer in the Data Link Layer of the OSI Model (explained
in more detail later in this module), presenting itself as a single MAC address to MAC
clients in the Network layer.
Packet #1
IP Src address 10.0.0.1 (bit 1 = 1) and Dst address 10.0.0.100 (bit 1 = 0)
1 XOR 0 = 1 – Packet is sent down port 2
Packet #2
IP Src address 192.168.1.20 (bit 1 = 0) and Dst address 207.23.1.4 (bit 1 = 0)
0 XOR 0 = 0 – Packet is sent down port 1
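The two worked packets above show the address-based selection for a two-port aggregation: the lowest bit of the source IP XORed with the lowest bit of the destination IP picks the member port. The Python below is an added example, not the training material's or the switch's own code, and it generalizes the one-bit case to any power-of-two member count by XORing the addresses and keeping the low-order bits; that generalization, the port-list ordering and the `select_port`/`distribution` names are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple


def address_hash(src: str, dst: str, member_count: int) -> int:
    """XOR the two IPv4 addresses and keep log2(member_count) low-order bits.

    For two members this is exactly the page's rule: bit 1 of src XOR bit 1 of dst.
    """
    if member_count <= 0 or member_count & (member_count - 1):
        raise ValueError("member_count must be a power of two (assumption of this model)")
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return (s ^ d) & (member_count - 1)


def select_port(src: str, dst: str, ports: List[int]) -> int:
    """Return the member port a flow is sent down. ports[0] is port 1 for hash value 0."""
    return ports[address_hash(src, dst, len(ports))]


def distribution(flows: List[Tuple[str, str]], ports: List[int]) -> Dict[int, int]:
    """Count how many of the given (src, dst) flows land on each member port."""
    counts = Counter(select_port(s, d, ports) for s, d in flows)
    return {p: counts.get(p, 0) for p in ports}


if __name__ == "__main__":
    # The two packets from the page, on a two-port aggregation.
    print(select_port("10.0.0.1", "10.0.0.100", [1, 2]))      # packet #1
    print(select_port("192.168.1.20", "207.23.1.4", [1, 2]))  # packet #2
    # Constructed sample of flows from one client subnet to a single server: with only the
    # destination fixed, the balance depends entirely on how the client addresses vary.
    sample = [(f"10.1.0.{h}", "192.0.2.10") for h in range(1, 9)]
    print(distribution(sample, [1, 2, 3, 4]))
```

Because the hash is a symmetric function of the two addresses, the reply direction of a flow (addresses swapped) always selects the same member port as the forward direction, and a flow never moves between members while the aggregation is stable.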
Any traffic that is received on the ISC ports is dropped as long as the peer MLAG port is up, in
order to prevent a loop.
This prevents the flooding of any broadcast or unknown unicast traffic to the MLAG ports.
Create the MLAG peer and associate the peer switch's IP address. By creating an
MLAG peer you associate a peer name that can be associated with the peer switch's IP
address and other peer configuration properties. The peer is then bound to each
individual MLAG port group.
Create the MLAG port groups. This creates an MLAG port group by specifying the
local switch's port, the MLAG peer switch, and an "mlag-id" which is used to reference
the corresponding port on the MLAG peer switch. The specified local switch's port can
be either a single port or a load share master port.
Note: Port Isolation (new in 15.3). This feature blocks accidental and intentional
intercommunication between different customers residing on different physical ports.
Previously, this kind of security was obtained through the access-list module, but this
can be complicated to manage and can be resource intensive. This feature provides a
much simpler blocking mechanism without the use of ACL hardware. A set of physical
or load-share ports can be selected that will be deemed isolated. Once isolated, the
ports cannot communicate with other isolated ports, but can communicate with any
other ports. Use the following command: configure ports <port-list> isolation [on | off].
Action Modifiers
The above table lists a selection of action modifiers such as count, qosprofile and meter.
The count action increments the counter named in the condition. The QoS profile action
forwards the packet to the specified QoS profile. The meter action modifier associates a
rule entry with an ACL meter for rate limiting. For a full list of action modifiers refer to
Chapter 18 of the ExtremeXOS Concepts Guide.
Note: Often an ACL policy will have a rule entry at the end of the ACL with no match
conditions. This entry will match any packets.
Note: Wide key ACLs are supported only on the BlackDiamond 8000 c-, xl-, and xm-series
modules and Summit X460, X480, and X670 switches. When using wide key ACLs, you
can only install half as many rules into the internal ACL TCAM as you can when in
standard mode.
The output from the show access-list command shows the actual VLAN the ACL is
bound to (notice that the ACL is bound to all ports as indicated by the asterisk “*”). It
also shows whether the policy is ingress or egress and how many rules are contained in
the policy.
Static routes are routes that are manually entered into the routing tables and are not
advertised through the routing protocols. Static routes can be used to reach networks
that are not advertised by routing protocols and do not have dynamic route entries in
the routing tables.
Without BFD, static routes always remain operationally active because there is no
dynamic routing protocol to report network changes. This can lead to a black hole
situation, where data is lost for an indefinite duration.
On XOS switches:
Use the create vlan [vlan name] command to create the VLANs you require. Once
VLANs are created, they will be available for layer 3 provisioning.
Next, make your vlan a tagging vlan with the configure vlan [vlan-name] tag [vlan-id]
command. Note that the vlan argument in this command is optional; you can use the
command configure [vlan-name] tag [vlan-id] and get the same results.
Next, add ports to your vlan with the configure vlan [vlan-name] add ports [ports]
[tagged|untagged] command. Note that the vlan argument in this command is optional;
you can use the command configure [vlan-name] add ports [ports] [tagged|untagged]
and get the same results.
On XOS Switches:
Assign a VLAN a layer 3 IP interface address and subnet mask to enable IP routing
between VLANs. Give the VLAN an IP address and subnet mask, and issue the enable
ip forwarding [vlan-name] command to tie the VLAN into the routing function.
Note: The ARP function is critical in IP networks. If a network device cannot obtain an
IP-to-MAC mapping for the device it is attempting to communicate with, the two will be
unable to exchange data across the LAN. Ensure proper ARP table entries are present
via the show ip arp [ip-address] command if a connectivity problem has been
encountered.
In addition:
AS-external-LSAs are not flooded into Stub Areas.
Routing to external destinations from Stub Areas is based on Default Routes
originated by a Stub Area’s ABR.
Summary LSAs can also use the Default Route for Inter-area routing.
Criteria:
Stub areas must not have an ASBR
Stub areas should have one ABR
Or, if more than one, accept non-optimal routing paths to the External AS
No Virtual Links allowed in a stub area
Type 2 LSAs are called network-LSAs. The Type 2 LSA describes a broadcast network segment (such
as Ethernet) or other Non-Broadcast Multiple Access (NBMA) network (such as Asynchronous Transfer
Mode (ATM)), along with the Router-IDs of any routers currently attached to the network.
A Type 3 LSA is called a network-summary-LSA. It advertises a network that resides in one area into
another area. Only ABRs send Type 3 LSAs. You can configure your ABR to summarize the networks it is
advertising, if those networks are summarizable. If they are not, your ABR will issue a Type 3 LSA for
every network in the area.
A Type 4 LSA is called an ASBR-summary-LSA. When an Area Border Router has an ASBR in its area,
it originates a Type 4 LSA to let all the other routers in the OSPF network know the path to the ASBR.
The Type 4 LSA floods throughout the OSPF backbone area; all other routers in the backbone area
receive and process it directly. Any other ABRs in the domain will re-originate the Type 4 LSA into the
area(s) to which they are connected.
Type 5 Link State Advertisements are called Autonomous-System-external-LSAs. ASBRs originate Type
5 LSAs to advertise routes in the non-OSPF routing domains to which they are attached. Type 5 LSAs
are flooded throughout your OSPF domain, crossing ABRs.
If an ASBR is on the back side of a Not So Stubby Area (NSSA), it advertises routes it learns from the
non-OSPF routing protocol into the NSSA as Type 7 LSAs. The Area Border Router advertises these
routes into the rest of the OSPF domain as Type 5 LSAs.
With IP route sharing, the router can use up to 2, 4, 8, 16, or 32 next-hop gateways
(depending on the platform and feature configuration) for each route in the routing
tables. When multiple next-hop gateways lead to the same destination, the switch can
use any of those gateways for packet forwarding. IP route sharing provides route
redundancy and can provide better throughput when routes are overloaded.
XOS routers support a separate ECMP table. The gateways in the ECMP table can be
defined with static routes (up to 32-way), or they can be learned through the OSPF,
BGP, or IS-IS protocols (up to 8-way).
Note that if you are already running OSPF in your network and are changing the area
an interface belongs to, you must first disable OSPF with the disable ospf command.
(You will use this process in the lab.)
Note: All traffic from the source device must be forwarded to the RP router.
Once the RP router receives the multicast traffic, it will then forward traffic to the
receivers. This may cause some delay with multicast packets reaching their final
destination since all packets must first go through the rendezvous point.
If the virtual router IP address is the same as the interface (VLAN) address owned by a
VRRP router, then the router owning the address becomes the master. The master
sends an advertisement to all other VRRP routers declaring its status, and assumes
responsibility for forwarding packets associated with its virtual router ID (VRID). If the
virtual router IP address is not owned by any of the VRRP routers, then the routers
compare their priorities and the higher-priority owner becomes the master. If priority
values are the same, then the VRRP router with the higher IP address is selected as
the master.
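The election rule described above (address owner wins outright; otherwise highest priority, with the higher interface IP breaking a tie) is small enough to implement directly. The Python below is an added illustration, not code from the training material or from the ExtremeXOS VRRP implementation; the `VrrpRouter` type, the `elect_master` function, the 1..254 priority range enforced for non-owners (the owner is treated as priority 255 per RFC 3768) and the sample routers are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class VrrpRouter:
    """One VRRP router on the shared VLAN (constructed type for this example)."""
    name: str
    interface_ip: str     # the router's own address on the VLAN
    priority: int         # configured priority, 1..254 for a non-owner


def effective_priority(router: VrrpRouter, virtual_ip: str) -> int:
    """Owner of the virtual IP gets 255 (RFC 3768); everyone else keeps the configured 1..254."""
    if router.interface_ip == virtual_ip:
        return 255
    if not 1 <= router.priority <= 254:
        raise ValueError(f"{router.name}: non-owner priority must be 1..254")
    return router.priority


def elect_master(virtual_ip: str, routers: List[VrrpRouter]) -> VrrpRouter:
    """Apply the page's election rule: owner, else highest priority, else higher interface IP."""
    if not routers:
        raise ValueError("no VRRP routers for this VRID")
    return max(
        routers,
        key=lambda r: (effective_priority(r, virtual_ip), int(ipaddress.IPv4Address(r.interface_ip))),
    )


# Constructed sample routers sharing one VLAN (not from the page).
SAMPLE = [
    VrrpRouter("sw1", "10.10.1.2", 100),
    VrrpRouter("sw2", "10.10.1.3", 100),
    VrrpRouter("sw3", "10.10.1.4", 90),
]

if __name__ == "__main__":
    # No owner: sw1 and sw2 tie on priority, so the higher address (sw2) wins.
    print(elect_master("10.10.1.1", SAMPLE).name)
    # sw3 owns the virtual address, so it is master despite the lowest configured priority.
    print(elect_master("10.10.1.4", SAMPLE).name)
```

Keeping the priority comparison and the IP tie-break in one sort key makes the two-stage rule explicit: an owner's 255 can never be matched by a non-owner, and among equal priorities the numeric value of the interface address decides.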