You are on page 1of 348

ExtremeXOS

Switching & Routing


Student Guide
Version 1.6
© 2015 Extreme Networks, Inc. All rights reserved 2
© 2015 Extreme Networks, Inc. All rights reserved 3
© 2015 Extreme Networks, Inc. All rights reserved 4
© 2015 Extreme Networks, Inc. All rights reserved 5
All Extreme switch products may be managed via their console or COM port for out-of-
band access to a Command-Line Interface (CLI). This is commonly referred to as Local
Management (LM). The network administrator must be “local” to the device in order to
manage it. A device IP address is not required to manage the device through LM. The
console port on a device may be either an RJ45 or a DB9 connector, which may be
connected to a VT type terminal, a PC with a terminal emulation application (such as
PUTTY or TeraTerm Pro), or to a modem.

In addition to Local Management there are various configuration and management


options for all Extreme switches, which vary by switch product family.

Management options include:


• CLI via Console Port connection
• CLI via Telnet and SSH
• NetSight via SNMP
• ScreenPlay WebUI

© 2015 Extreme Networks, Inc. All rights reserved 6


Extreme Networks recommends that Telnet is not used for CLI access. This is because
all communication between the client and switch is sent in clear text, and any user who
is capturing traffic, maliciously or not, will be able to view the switch user name and
password used for that session. SSH2 should be used at all times, as all
communication is encrypted and therefore user names and passwords are not
“exposed” to any user capturing traffic.

To enable/disable SSH:

enable ssh2

disable ssh2

© 2015 Extreme Networks, Inc. All rights reserved 7


© 2015 Extreme Networks, Inc. All rights reserved 8
Note: Supported in XOS version 16.1 and above.

© 2015 Extreme Networks, Inc. All rights reserved 9


Note: Switch login events will not be processed until switch's the Authentication Service
(AAA) has completed its startup process. This is indicated by the following messages
on the switch's console:

(pending-AAA) login:

Authentication Service (AAA) on the master node is now available for login Password
policies are disabled by default.

Note: To configure the failsafe account, enter the following command:


configure failsafe-account

You are prompted for the failsafe account name, and prompted twice to specify the
password for the account. For example:

SummitX460-24t.1 # configure failsafe-account


enter failsafe user name: failsafe-user
enter failsafe password:
enter password again:

© 2015 Extreme Networks, Inc. All rights reserved 10


© 2015 Extreme Networks, Inc. All rights reserved 11
© 2015 Extreme Networks, Inc. All rights reserved 12
Note: Session timeouts. With idle-timeout enabled (a default setting) the Telnet and
console connection times out after twenty minutes of inactivity. This time-out value can
be changed from 1 to 240 minutes or disabled using the commands shown above. If a
connection to a Telnet session is lost inadvertently, the switch terminates the session
within two hours automatically.

© 2015 Extreme Networks, Inc. All rights reserved 13


Note: The show system command is new as of XOS version 16.1.

© 2015 Extreme Networks, Inc. All rights reserved 14


By default the show configuration command only shows those configuration changes
that are different from the “Factory Default” configuration. Adding the “detail” command
argument will show all the current configuration including the “Factory Default”
configuration.

The configuration displayed is the configuration that is currently running in the switch’s
RAM and not the booted configuration file stored on the flash file system. The running
RAM configuration needs to be saved if any configuration changes are made. Changes
to the running RAM configuration are indicated by the “*” symbol next to the CLI
command prompt.

© 2015 Extreme Networks, Inc. All rights reserved 15


The default EXOS behavior has not changed. The user must enter ‘disable cli refresh’
to disable the show command auto refresh or add the no-refresh option to the individual
command.

Note: This feature is new as of XOS version 16.1.

© 2015 Extreme Networks, Inc. All rights reserved 16


Rebooting the Switch: There are some processes, such as installing new software, that can
incorporate a reboot of the switch as one of the actions. You may, however, reboot the switch through the
user interface at any time by issuing the following command:

When the switch is new or the unconfigure switch all command has been used, you must connect to the
console to access the switch. You are prompted with an interactive script that specifically asks if you want
to disable telnet, disable SNMP, disable the unconfigured ports and configure the failsafe account.

The system displays the following prompts:


This switch currently has all management methods enabled for convenience reasons.
Please answer these questions about the security settings you would like to use.
Would you like to disable Telnet? [y/N]:
Would you like to disable SNMP? [y/N]:
Would you like unconfigured ports to be turned off by default? [y/N]:
Would you like to change the failsafe account username and password now? [y/N]:
Would you like to permit failsafe account access via the management port?[y/N]:

Note: Entering the unconfigure switch all command resets stacking support and stacking port selection
on the local node only and does not affect the rest of the stack nodes.

© 2015 Extreme Networks, Inc. All rights reserved 17


If no mask is supplied when configuring a VLAN with an IP address, the mask for the
“Class” of the address will be added by the switch. For example, configuring a VLAN
with the IP address 10.1.10.100 without the mask will result in the IP address
10.1.10.100/8. In order to ensure the correct IP address configuration, enter the
command with the correct mask. You can enter the mask in “bits” or as dotted decimal
notation as follows:

configure vlan default ipaddress 10.1.10.100/24

configure vlan default ipaddress 10.1.10.100 255.255.255.0

If you incorrectly configure the IP address or mask for a VLAN, then in order to change
the IP address you will firstly need to unconfigure the IP address and then enter the
correct IP address as follows:

unconfigure vlan default ipaddress

configure vlan default ipaddress 10.1.10.100/24

© 2015 Extreme Networks, Inc. All rights reserved 18


If no mask is supplied when configuring a VLAN with an IP address, the mask for the
“Class” of the address will be added by the switch. For example, configuring a VLAN
with the IP address 10.1.10.100 without the mask will result in the IP address
10.1.10.100/8. In order to ensure the correct IP address configuration, enter the
command with the correct mask. You can enter the mask in “bits” or as dotted decimal
notation as follows:

configure vlan default ipaddress 10.1.10.100/24

configure vlan default ipaddress 10.1.10.100 255.255.255.0

If you incorrectly configure the IP address or mask for a VLAN, then in order to change
the IP address you will firstly need to unconfigure the IP address and then enter the
correct IP address as follows:

unconfigure vlan default ipaddress

configure vlan default ipaddress 10.1.10.100/24

© 2015 Extreme Networks, Inc. All rights reserved 19


A virtual router is an emulation of a physical router. This feature allows a single physical
switch to be split into multiple virtual routers and separates the traffic forwarded by a
virtual router from the traffic on a different virtual router. Each virtual router maintains a
separate logical forwarding table, which allows the virtual routers to have overlapping
address spaces. In ExtremXOS the VR-mgmt and VR-default routers exist by default.

Up to 63 user created VRs can be created on the following XOS based switches:

BD8K with 8900 xl-series MSMs, BDX8K, and Summit X460, X480, X650 switches.

© 2015 Extreme Networks, Inc. All rights reserved 20


For example, the following command will be issued through the VR-Mgmt VR and thus
will be forwarded through the out of band management port:

tftp put 10.1.10.100 primary.cfg

To change this behavior, you have to explicitly add the target VR to the command as
follows:

tftp put 10.0.0.100 vr vr-default primary.cfg

This has the effect of issuing the command through the VR-Default VR and thus will be
forwarded through the VLAN matching the target IP address and mask.

© 2015 Extreme Networks, Inc. All rights reserved 21


Note: All Unshielded Twisted Pair (UTP) ports support the automatic detection of
MDI/MDI-X connections. This eliminates the need for crossover cables between
switches. This feature is not configurable.

© 2015 Extreme Networks, Inc. All rights reserved 22


The port configuration monitor is a real-time display of each port’s configuration state.
To navigate through the ports use the following keys:

“d” (down) displays the next page of port information.


“u” (up) displays the previous page of port information.
“esc” (escape) exits the port configuration monitor.

Using the CLI qualifier no-refresh, displays the port configuration for each port as a list
which is not updated in real-time. For example;

show ports 10-20 configuration no-refresh

© 2015 Extreme Networks, Inc. All rights reserved 23


The display shows everything about a port’s configuration:
VLAN Membership
VLAN Protocols
EDP
ELSM
Ethernet OAM
Flooding
Jumbo Frames
Rate Limiting
QoS
Network Login
Port redundancy

© 2015 Extreme Networks, Inc. All rights reserved 24


Note: Configuration allows directing messages to various local devices (NetSight
Console), files or remote syslog daemons. Care must be taken when updating the
configuration as omitting or misdirecting message facility.level can cause important
messages to be ignored by syslog or overlooked by the administrator.

© 2015 Extreme Networks, Inc. All rights reserved 25


As a useful troubleshooting and testing feature, log entries can be displayed in real-time
within a CLI session. This is achieved by using the following commands:

For console sessions:


enable log display

For Telnet and SSH2 sessions:


enable log target session
enable log display

© 2015 Extreme Networks, Inc. All rights reserved 26


© 2015 Extreme Networks, Inc. All rights reserved 27
© 2015 Extreme Networks, Inc. All rights reserved 28
The security deficiency of both SNMPv1 and SNMPv2 was finally fixed with the release
of the SNMPv3 standard. Designed to enable better support of the complex networks
being deployed in recent years and additional requirements of applications used in
networked environments, SNMPv3 defined standards for both enhanced security and
administration.

The most noteworthy enhancement in SNMPv3 is the strong security protection it


provides for remote management, protecting SNMP itself from being used to automate
exploiting cascading vulnerabilities. As defined in RFCs 2571-2575, SNMPv3 added
robust user-level authentication, message integrity checking, message encryption, and
role-based Authorization.

Note: All switches support SNMP v1, v2, & v3.

© 2015 Extreme Networks, Inc. All rights reserved 29


SNMPv3 support is enabled by default and is configured with the following access parameters:

Group admin: USM with authentication and privacy


- user admin (HMAC-MD5 with DES)

Group initial: USM with no authentication and no privacy


- user initial

Group initial: USM with authentication and no privacy


- user initialmd5 (HMAC-MD5)
- user initialsha (HMAC-SHA)

Group initial: USM with authentication and privacy


- user initialmd5Priv (HMAC-MD5 with DES)
- user initialshaPriv (HMAC-SHA with DES)

Group v1v2c_ro: SNMPv1/v2c with no authentication and no privacy


Group v1v2c_rw: SNMPv1/v2c with no authentication and no privacy
Group v1v2cNotifyGroup: SNMPv1/v2c with no authentication and no privacy

To use one of the existing accounts, you must first configure the authentication and privacy
password keys.

© 2015 Extreme Networks, Inc. All rights reserved 30


© 2015 Extreme Networks, Inc. All rights reserved 31
Although Extreme switches supports the creation of up to 16 user accounts,
synchronizing multiple user accounts across a network with many switches can become
time consuming. Ultimately, network support staff typically use the “admin” account for
switch administration and configuration via the CLI. Not only is this a potential security
issue, but there is potentially, no configuration audit trail identifying who configured what
on the switch.

Extreme Networks recommend the use of a centralized authentication server such as


RADIUS or TACACS+ which can be integrated with Windows Active Directory or similar
for user authentication. This provides the necessary level of security and audit trail
while removing completely any administration of switch accounts.

Note: On XOS based switches a configuration audit trail can be enabled on a switch by
entering the enable cli-config-logging command. Configuration changes made to the
switch are logged to a Syslog server if Syslog has been configured.

© 2015 Extreme Networks, Inc. All rights reserved 32


There are two types of RADIUS clients supported in ExtremeXOS, with each client
operating independently:

RADIUS client for switch management access

RADIUS client for Network Login authentication

Each RADIUS client supports the configuration of a primary and secondary RADIUS
server for redundancy. If the primary server becomes unavailable for some reason, then
the switch will try to authenticate a user to the secondary server if configured. If both
primary and secondary servers are unavailable, the switch will authenticate the user to
the switch’s local user database.

The “client-ip” argument specifies the IP address to be used for sending RADIUS
massages to the RADIUS server. This address should match the IP address of the
authenticating client configured on the server.

© 2015 Extreme Networks, Inc. All rights reserved 33


Two image locations supported:
Primary
Secondary

Fallback feature for verifying upgrades

Compressed executable code, images are compressed to preserve space on the


flash

Loaded at boot time, the image is uncompressed and loaded at boot time:
Uncompress selected image
Load uncompressed image into RAM and start running

© 2015 Extreme Networks, Inc. All rights reserved 34


Note: When reporting a faulty switch to Extreme Networks it is mandatory that you
identify the serial number and software version among other things. The show version
command is useful as the serial number may not be recorded or even be accessible.

© 2015 Extreme Networks, Inc. All rights reserved 35


In order to check the installed images and modules, issue the following command:

show version images

© 2015 Extreme Networks, Inc. All rights reserved 36


Note: The active image location can be verified with the show switch command.

The image is upgraded by using a download procedure from either a TFTP server on
the network or a PC connected to the serial port using the ZMODEM protocol. The
serial download is very slow and can only be done from the BootROM menu. The
BootROM is discussed later in this chapter.

Note: If no parameters are specified for the location, the image is saved to the non-
active location. The nonactive location will be automatically selected to use at next boot.
The use image command is therefore not required when upgrading the switch software
but is included here for completeness and compatibility for earlier versions of
ExtremeXOS and ExtremeWare.

© 2015 Extreme Networks, Inc. All rights reserved 37


The BootROM of the switch initializes certain important switch variables during the boot
process. For disaster recovery purposes (i.e. in the event the switch does not boot
properly), you can download a rescue image from a TFTP server by entering the
download command from the BootROM menu.

During a software upgrade the system BootROM checks the software for a unique
signature. The BootROM denies an incompatible software upgrade.

Interaction with the BootROM menu is only required under special circumstances and
should be done only under the direction of Extreme Networks Customer Support. The
necessity of using these functions implies a non standard problem, which requires the
assistance of Extreme Networks Technical Support.

Accessing the BootROM


To access the BootROM, power cycle or reboot the ExtremeXOS switch and then from
the CLI wait for the message "Running POST" to display, then press and hold the
spacebar until the BootROM prompt displays.

Note: For switches that support a one-stage bootloader, such as chassis based
switches and ExtremeWare based summits, the spacebar must be pressed immediately
after the switch is rebooted or power cycled.

© 2015 Extreme Networks, Inc. All rights reserved 38


© 2015 Extreme Networks, Inc. All rights reserved 39
Note: The image or a configuration selected within the BootROM does not change the
configured selected image or configuration. This process temporarily over-rides the
configuration for a single boot

© 2015 Extreme Networks, Inc. All rights reserved 40


Note: The switch may not boot if the BootROM is corrupted, due to interrupting the
download process, if the Wrong BootRom downloaded. If the BootROM is corrupted,
the switch should be returned to Extreme Networks!

For BD8K series switches, the BootROM is contained in the ExtremeXOS software
image and by default is upgraded manually by entering the install firmware command.
This behavior can be changed to upgrade automatically by entering the following
command, specifying the auto-install option:

configure firmware [auto-install | install-on-demand]

Upgrade the BootROM only when asked to do so by an Extreme Networks technical


representative. If this command does not complete successfully it could prevent the
switch from booting. In the event the switch does not boot properly, some boot option
functions can be accessed through a special BootROM menu.

Use the show version command display the switch BootROM version.

Note: When upgrading the BootROM separately, upgrade the BootROM and reboot the
switch before upgrading a software image.

© 2015 Extreme Networks, Inc. All rights reserved 41


Note: Configuration information stored within the file is XML based, and therefore might
not be easily interpreted.

© 2015 Extreme Networks, Inc. All rights reserved 42


© 2015 Extreme Networks, Inc. All rights reserved 43
To select a configuration to use at the switch’s next reboot, you run the use
configuration command. This command is essentially just a pointer to a specific
configuration stored on the switch’s file system.

Note:
When entering the show switch command, up to four configuration related pieces of
information are displayed:

1. The booted configuration file. i.e. the configuration file which was loaded into RAM
at boot time.

2. The selected configuration file. This is the configured configuration file which will be
loaded into RAM and next boot.

3. Details of the selected configuration file includes:

The software version that created the configuration file.


The size of the configuration file.
The date and time the configuration file was created.

© 2015 Extreme Networks, Inc. All rights reserved 44


© 2015 Extreme Networks, Inc. All rights reserved 45
Although the XML format of the configuration file is useful for XOS software
programmers, it is of limited use for support and operational staff. Text based
configuration files are particularly useful for:

Quickly understanding and validating a switch’s configuration.

Using “cut & paste” techniques to provision other switches in a standard way
thus avoiding errors.

Converting configurations into script files.

© 2015 Extreme Networks, Inc. All rights reserved 46


© 2015 Extreme Networks, Inc. All rights reserved 47
Note: You cannot rename an active configuration file (the configuration currently
selected to boot the switch).

© 2015 Extreme Networks, Inc. All rights reserved 48


© 2015 Extreme Networks, Inc. All rights reserved 49
© 2015 Extreme Networks, Inc. All rights reserved 50
Example:

SummitX460-24t.1 # enable mirroring to port 24


WARNING: This command will remove VLAN membership from the monitor port.
Do you want to continue? (y/N) Yes

SummitX460-24t.18 # configure mirroring add port 13

SummitX460-24t.22 # show mirroring

Mirroring Mode: Standard


Mirror port: 24 is up
Number of Mirroring filters:1
Mirror Port configuration:
Port number 13 in all vlans

© 2015 Extreme Networks, Inc. All rights reserved 51


© 2015 Extreme Networks, Inc. All rights reserved 52
© 2015 Extreme Networks, Inc. All rights reserved 53
© 2015 Extreme Networks, Inc. All rights reserved 54
© 2015 Extreme Networks, Inc. All rights reserved 55
© 2015 Extreme Networks, Inc. All rights reserved 56
The internal VLAN ID is not significant outside of the switch. The value used for the
internal VLAN ID starts at 4094 and decrements for each VLAN added. If a VLAN ID is
used to configure an 802.1Q tagged VLAN that has already been assigned to an
untagged VLAN, the switch automatically assigns another internal VLAN ID to the
untagged VLAN.

© 2015 Extreme Networks, Inc. All rights reserved 57


Tagged Forwarding Behavior:

Frames arriving on an ingress port are forwarded based on 802.1Q tag present within
the Frame into the relevant VLAN.

802.1p CoS is examined, and the frame is placed into the appropriate queue

Values 0-6 are mapped by default to the low priority queue, QoS Profile QP1

Value 7 is mapped by default to the high priority queue, QoS Profile QP8

© 2015 Extreme Networks, Inc. All rights reserved 58


There are a number of pre-configured protocol filters that can be applied to any VLAN.

The list is as follows:


IP
IPX
IPv6
NetBIOS
DECNet
IPX_8022
IPX_SNAP
AppleTalk
MPLS
ANY

You can create a custom protocol filter by using the create protocol command. You then
add the relevant filter entries by entering the configure protocol command. Existing
protocol filters can also be edited using this command.

© 2015 Extreme Networks, Inc. All rights reserved 59


VLAN forwarding decisions for transmitting frames is determined by whether or not the
traffic being classified is or is not in the VLAN’s forwarding database as follows:

Unlearned traffic: When a frame’s destination MAC address is not in the VLAN’s
forwarding database (FDB), it will be forwarded out of every port on the VLAN’s egress
list with the frame format that is specified.

Learned traffic: When a frame’s destination MAC address is in the VLAN’s forwarding
database, it will be forwarded out of the learned port

© 2015 Extreme Networks, Inc. All rights reserved 60


The show vlan command is a useful troubleshooting tool. It displays in summary, a
VLAN’s basic configuration and if what protocols have been enabled if any such as
OSPF, Spanning Tree, and EAPS for example. To display detailed information for all
VLANs, enter the show vlan detail command. To display detailed information for a
specific VLAN, enter the show vlan command with the VLAN name as the command
qualifier. For example show vlan blue.

© 2015 Extreme Networks, Inc. All rights reserved 61


The show vlan command has a number of command qualifiers that allow you to
examine specific VLAN information. The entries are as follows:

show vlan ?

description Description string


detail detailed
dynamic-vlan show configuration related to dynamically created VLANs
ports Show only VLANs associated with the specified ports
statistics VLAN statistics
tag IEEE 802.1Q or 802.1ad tag
| Filter the output of the command
<vlan_name> Name of the VLAN
<vr-name> Virtual router name

"VR-Default" "VR-Mgmt"

© 2015 Extreme Networks, Inc. All rights reserved 62


The FDB in large networks may have many entries and so it may be difficult to find a
specific MAC address in such a large table. The show fdb command has a number of
command qualifiers that allow you to examine specific FDB entries as follows:

Blackhole entries: show fdb blackhole


MAC address tracking entries: show fdb mac-tracking configuration
Netlogin entries: show fdb netlogin all
Permanent entries: show fdb permanent
Entries for a specific MAC address: show fdb <mac_addr>
Entries on a specific port: show fdb ports <port_list>
Entries within a specific VLAN: show fdb vlan <vlan_name>

The clear fdb command also has a number of command qualifiers that allow you to
clear specific FDB entries as follows:

Blackhole entries: clear fdb blackhole


Entries for a specific MAC address: clear fdb <mac_addr>
Entries on a specific port: clear fdb ports <port_list>
Entries within a specific VLAN: clear fdb vlan <vlan_name

© 2015 Extreme Networks, Inc. All rights reserved 63


CLI commands VID/ VID lists:
configure mirror {<mirror_name>} add [vlan <vlan_id> {ingress | [port <port> {ingress}} | port <port> vlan
<vlan_id> {ingress}]
configure mirror {<mirror_name>} delete [vlan <vlan_id> {port <port>} | port <port> vlan <vlan_id>]
configure vlan <vlan_id> add secondary-ipaddress [<ipaddress> {<netmask>} | <ipNetmask>]
configure vlan <vlan_id> delete secondary-ipaddress [all | <ipaddress>]
configure vlan <vlan_id> ipaddress [<ipaddress> {<netmask>} | <ipNetmask>]
configure vlan <vlan_id> name <new_name>
clear l2stats vlan <vlan_list>
configure ip-mtu <mtu> vlan <vlan_list>
configure ports [<port_list> | all] monitor vlan <vlan_list> {rx-only | tx-only}
configure ports <port_list> {tagged} vlan <vlan_list> [limit-learning <number> {action [blackhole | stop-
learning]} | unlimited-learning]
configure ports <port_list> {tagged} vlan <vlan_list> [lock-learning | unlock-learning]
configure vlan <vlan_list> add ports [<port_list> | all] {tagged | untagged | private-vlan translated}
configure vlan <vlan_list> delete ports [<port_list> | all]
configure vlan <vlan_list> protocol {filter} <filter_name>
configure vlan <vlan_list> {qosprofile} [<qosprofile> | none]
create vlan <vlan_list> {vr <vr-name>} {description <vlan-desc>}
delete vlan <vlan_list>

Note: Commands allowing a VID list are “best effort”. Should an error occur during the execution of a
command that was specified with a VID list the execution will continue for the remaining VIDs. “Best
effort” behavior in EXOS is a deviation from legacy EXOS which normally operates in an “all or nothing”
paradigm.

© 2015 Extreme Networks, Inc. All rights reserved 64


Note: The configuration of VLANs by VID is new as of XOS version 16.1.

CLI commands VID/ VID lists:


[enable | disable] iparp gratuitous protect vlan <vlan_list>
[enable | disable] ipforwarding {ipv4 | ipv6} vlan <vlan_list>
[enable | disable] learning vlan <vlan_list>
[enable | disable] loopback-mode vlan <vlan_list>
[enable | disable] vlan <vlan_list>
unconfigure vlan <vlan_list> ipaddress
configure vman <vman_id> add ports [<port_list> | all] {tagged | untagged {port-cvid <port_cvid>} | cep
cvid <cvid_first> {- <cvid_last>} {translate <cvid_first_xlate> {- <cvid_last_xlate>}}}
configure vman <vman_id> ipaddress [<ipaddress> {<netmask>} | <ipNetmask>]
configure vman <vman_id> ports [<port_list> | all] add cvid <cvid_first> {- <cvid_last>} { translate
<cvid_first_xlate> {- <cvid_last_xlate>}}
configure vman <vman_id> name <new_name>
configure vman <vman_list> delete ports [<port_list> | all]
configure vman <vman_list> ports [<port_list> | all] delete cvid <cvid_first> {- <cvid_last>}
configure vman <vman_list> protocol {filter} <filter_name>
configure vman <vman_list> {qosprofile} [<qosprofile> | none]
create vman <vman_list> {vr <vr-name>} {description <vlan-desc>}
delete vman <vman_list>
[enable | disable] learning vman <vman_list>
unconfigure vman <vman_list> ipaddress

© 2015 Extreme Networks, Inc. All rights reserved 65


Note: to remove ports from a VLAN use the configure vlan {vlan_name} delete ports
{vlan_name} {port_list} command:

© 2015 Extreme Networks, Inc. All rights reserved 66


Note: Once a VLAN has been configured with an 802.1Q tag ID, the VLAN is always a tagged VLAN. The
ID can be changed but it cannot be removed.

Note: XOS Switches support the configuration of protocol based VLANS, a VLAN can be configured to
filter on a specific protocol using the configure vlan protocol command. See example below:

configure vlan Red protocol ipv6

© 2015 Extreme Networks, Inc. All rights reserved 67


Note: To remove a protocol filter from a VLAN enter the command:

configure vlan {vlan_name} protocol any

© 2015 Extreme Networks, Inc. All rights reserved 68


© 2015 Extreme Networks, Inc. All rights reserved 69
© 2015 Extreme Networks, Inc. All rights reserved 70
© 2015 Extreme Networks, Inc. All rights reserved 71
Egress flood control alters the standard forwarding behavior of a switch and should be
used with care. However, it can effectively improve network performance and security if
used correctly.

Note: For BD10K and BD12K switches you cannot selectively disable flooding on
specific ports. Additionally, the command disables flooding of unicast, broadcast and
multicast packets.

© 2015 Extreme Networks, Inc. All rights reserved 72


Disabling multicasting egress flooding does not affect clients subscribed to an IGMP
group. Packets are still forwarded. If IGMP snooping is disabled, multicast packets are
not flooded.

Example:
disable flooding unicast ports 24
disable flooding broadcast ports 24
show port 24 info detail

To reset flooding control back to defaults:


enable flooding all broadcast ports all

© 2015 Extreme Networks, Inc. All rights reserved 73


Limit learning does not affect the following:

Packets destined for permanent MAC addresses and other mac address that are not
black hole entries.

Broadcast traffic from MAC addresses that are not black hole entries.

EDP and LLDP traffic.

© 2015 Extreme Networks, Inc. All rights reserved 74


Example:
configure port 24 vlan default limit-learning 1
show fdb

Note: In large networks the application of limit learning using Blackhole entries can
quickly use up FDB entries. A full FDB can have an impact on switch performance. To
alleviate this, use the action stop-learning command qualifier.

The “limit” for a specific virtual port (port/VLAN combination) can be removed by
entering the configure port command, specifying the port, vlan and the keyword
unlimited-learning as shown in the example below:

configure port 24 vlan default unlimited-learning

© 2015 Extreme Networks, Inc. All rights reserved 75


Lock learning does not affect the following:

Packets destined for permanent MAC addresses and other mac address that are not
black hole entries.

Broadcast traffic from MAC addresses that are not black hole entries.

EDP and LLDP traffic.

© 2015 Extreme Networks, Inc. All rights reserved 76


Example:
conf port 24 vlan default lock-learning

© 2015 Extreme Networks, Inc. All rights reserved 77


Example:
conf port 24 vlan default unlock-learning

Note: When you unconfigure the lock learning feature on a virtual port, and if the
configuration was previously saved with the lock learning feature enabled, the “locked”
entries will need to be removed from the running configuration.

© 2015 Extreme Networks, Inc. All rights reserved 78


© 2015 Extreme Networks, Inc. All rights reserved 79
© 2015 Extreme Networks, Inc. All rights reserved 80
© 2015 Extreme Networks, Inc. All rights reserved 81
Note: ExtremeXOS software does not support ELRP and Network Login on the same
port. When used on a VPLS service VLAN, ELRP does not detect loops involving the
VPLS pseudowires.

© 2015 Extreme Networks, Inc. All rights reserved 82


Non-periodic ELRP Requests
You can specify the number of times ELRP packets must be transmitted and the interval
between consecutive transmissions.
A message is printed to the console and logged into the system log file indicating detection of
network loop when ELRP packets are received back or no packets are received within the
specified duration.
Periodic ELRP Requests
You can configure the interval between consecutive transmissions. If ELRP packets are
received back, a message is printed to the system log file and/or a trap is sent to the SNMP
manager indicating detection of a network loop. You have the option to configure the switch to
automatically disable the port where the looped packet arrived as well as the length of time (in
seconds) that the port should remain disabled. When this hold time expires, the port is
automatically enabled
Exclude Port List
When you have configured the switch to automatically disable the port where the looped packet
arrived, there may be certain ports that you do not want disabled.
Limitations
The following are limitations to this feature:
A specified port is added to the list regardless of its corresponding VLAN.
Only ports on the local switch can be added.
A loop detected on an excluded port may persist indefinitely until user action is taken.

© 2015 Extreme Networks, Inc. All rights reserved 83


ELRP on Protocol-based VLANs The following example demonstrates running ELRP on a
protocol-based VLAN. For ELRP to detect loops on a protocol-based VLAN (other than the
protocol any), you need to add the ethertype 0x00bb to the protocol.

Create VLANs:
create vlan v1
create vlan v2

Protocol filter configuration:


configure vlan v1 protocol IP
configure vlan v2 protocol decnet

Add ports to the VLAN:


configure vlan v1 add ports 1
configure vlan v2 add ports 2

Enable ELRP on the created VLANs:


enable elrp-client
configure elrp-client periodic v1 ports all interval 5 log
configure elrp-client periodic v2 ports all interval 5 log
Add the ethertype to the protocol:
configure protocol IP add snap 0x00bb
configure protocol decnet add snap 0x00bb
VLANs v1 and v2 can then detect the loop on their respective broadcast domains.

© 2015 Extreme Networks, Inc. All rights reserved 84


© 2015 Extreme Networks, Inc. All rights reserved 85
© 2015 Extreme Networks, Inc. All rights reserved 86
© 2015 Extreme Networks, Inc. All rights reserved 87
© 2015 Extreme Networks, Inc. All rights reserved 88
© 2015 Extreme Networks, Inc. All rights reserved 89
© 2015 Extreme Networks, Inc. All rights reserved 90
© 2015 Extreme Networks, Inc. All rights reserved 91
© 2015 Extreme Networks, Inc. All rights reserved 92
An EAPS Master detects the failure in its domain, and converges around the failure.

You must create and configure one control VLAN for each EAPS domain. A control
VLAN cannot belong to more than one EAPS domain. If the domain is active, you
cannot delete the domain or modify the configuration of the control VLAN. The control
VLAN must NOT be configured with an IP address. In addition, only ring ports may be
added to this control VLAN. No other ports can be members of this VLAN. Failure to
observe these restrictions can result in a loop in the network. The ring ports of the
control VLAN must be tagged.

© 2015 Extreme Networks, Inc. All rights reserved 93


Protected VLANs are the data-carrying VLANs. When you configure a protected VLAN,
the ring ports of the protected VLAN must be tagged (except in the case of the default
VLAN).

© 2015 Extreme Networks, Inc. All rights reserved 94


© 2015 Extreme Networks, Inc. All rights reserved 95
EAPS Hello (Heath Check) Packets uses the Extreme Encapsulation Protocol (EEP) to
transmit hello packets
EEP packets have a source MAC address of 00 e0 2b 00 00 01

EAPS packets have a destination MAC address of 00 e0 2b 00 00 04

Each switch (node) will examine the hello packet and then forward the packet to its
neighbor switch through the ring port that did not receive the packet. EAPS packets are
sent with an 802.1p value of 7 (QP8)

EAPS hello packets contain the following information:


Packet type
Health, Link Down, Links Up (Pre-Forwarding), Flush FDB
Control VLAN ID
Originator’s system MAC address
Hello fail timer value
Domain state
Complete, Failed
Hello sequence number

© 2015 Extreme Networks, Inc. All rights reserved 96


© 2015 Extreme Networks, Inc. All rights reserved 97
© 2015 Extreme Networks, Inc. All rights reserved 98
© 2015 Extreme Networks, Inc. All rights reserved 99
© 2015 Extreme Networks, Inc. All rights reserved 100
© 2015 Extreme Networks, Inc. All rights reserved 101
© 2015 Extreme Networks, Inc. All rights reserved 102
© 2015 Extreme Networks, Inc. All rights reserved 103
© 2015 Extreme Networks, Inc. All rights reserved 104
© 2015 Extreme Networks, Inc. All rights reserved 105
© 2015 Extreme Networks, Inc. All rights reserved 106
© 2015 Extreme Networks, Inc. All rights reserved 107
© 2015 Extreme Networks, Inc. All rights reserved 108
With EAPS, a data VLAN can spans multiple physical rings or EAPS domains. This is
called an overlapping VLAN. An overlapping VLAN requires loop protection for each
EAPS domain to which it belongs. In the figure above, there is an EAPS domain with its
own control VLAN running on ring 1 and another EAPS domain with its own control
VLAN running on ring 2. A data VLAN that spans both rings is added as a protected
VLAN to both EAPS domains to create an overlapping VLAN. Switch S5 has two
instances of EAPS domains running on it, one for each ring.

© 2015 Extreme Networks, Inc. All rights reserved 109


In the slide shown earlier (Two Rings Interconnected by One Switch) switch S5 would
represent a single point of failure. If switch S5 were to go down, users on Ring 1 would
not be able to communicate with users on Ring 2. To make the network more resilient,
you can add another switch. In the figure shown above, a second switch (S10),
connects to both rings and to S5 through a common link, which is common to both
rings. The EAPS common link in the following figure requires special configuration to
prevent a loop that spans both rings. The software entity that requires configuration is
the eaps shared-port, therefore the common link feature is sometimes called the shared
port feature.

© 2015 Extreme Networks, Inc. All rights reserved 110


During normal operation, the master node on each ring protects the ring as described
earlier in first EAPS module The Controller and Partner nodes work together to protect
against Super Loop problems that can occur with the use of common (overlapping)
VLANs being distributed across multiple rings.

Note: A Controller or Partner can also perform the role of master or transit node within
its EAPS domain. Typically the controller and partner nodes are distribution or core
switches.

© 2015 Extreme Networks, Inc. All rights reserved 111


© 2015 Extreme Networks, Inc. All rights reserved 112
Note: When a common link fails, one of the segment ports becomes the active-open
port, and all other segment ports are blocked to prevent a loop for the protected VLANs.

© 2015 Extreme Networks, Inc. All rights reserved 113


If a link failure occurs in one of the rings, only a single EAPS domain is affected. The
EAPS master detects the failure in its domain, and converges around the failure. In this
case, the controller does not take any blocking action, and EAPS domains on other
rings are not affected. Likewise, when the link is restored, only the local EAPS domain
is affected. The controller and any EAPS domains on other rings are not affected, and
continue forwarding traffic normally.

© 2015 Extreme Networks, Inc. All rights reserved 114


When the common link fails, the secondary port of each master node unblocked, the
new topology introduces a broadcast loop spanning the both rings (EAPS Domain-1 &
Doamin-2) . It is the Controllers responsibility to block this loop.

© 2015 Extreme Networks, Inc. All rights reserved 115


For the failure scenario shown above, the Controller and Partner nodes immediately
detect the loop, and the controller does the following:

Selects an active-open port for protected VLAN communications

Blocks protected VLAN communications on all segment ports except the active-open
port

Note: When a controller goes into or out of the blocking state, the controller sends a
flush-fdb message to flush the FDB in each of the switches in its segments. In a
network with multiple EAPS ports in the blocking state, the flush-fdb message gets
propagated across the boundaries of the EAPS domains.

© 2015 Extreme Networks, Inc. All rights reserved 116


© 2015 Extreme Networks, Inc. All rights reserved 117
The following slides will cover standard configuration with a common link, and EAPS
shared port for EAPS domain Domain-1 and Domain-2. Each Domain supports a
common protected (overlapping) VLAN. Sample configuration will be shown for
SummitStack2, Domain-1, SummitX450-2, Domain-2, and BD8K-1 in the Data Center
Core.

© 2015 Extreme Networks, Inc. All rights reserved 118


Note:
You must create and configure one control VLAN for each EAPS domain. A control
VLAN cannot belong to more than one EAPS domain. If the domain is active, you
cannot delete the domain or modify the configuration of the control VLAN. The control
VLAN must NOT be configured with an IP address. In addition, only ring ports may be
added to this control VLAN. No other ports can be members of this VLAN. Failure to
observe these restrictions can result in a loop in the network. The ring ports of the
control VLAN must be tagged.

You must add one or more protected VLANs to each EAPS domain. The protected
VLANs are the data-carrying VLANs. When you configure a protected VLAN, the ring
ports of the protected VLAN must be tagged (except in the case of the default VLAN).
For instructions on creating a VLAN, see VLAN Module.

© 2015 Extreme Networks, Inc. All rights reserved 119


Configure the Link ID of the Shared Port:
Each common link in the EAPS network must have a unique link ID. The controller and
partner shared ports that belong to the same common link must have matching link IDs.
No other instance in the network should have that link ID. If you have multiple adjacent
common links, Extreme Networks recommends that you configure the link IDs in
ascending order of adjacency.

For example, if you have an EAPS configuration with three adjacent common links,
moving from left to right of the topology, configure the link IDs from the lowest to the
highest value. To configure the link ID of the shared port, use the following command:

configure eaps shared-port <ports> link-id <id>

The link ID range is 1 to 65535.

© 2015 Extreme Networks, Inc. All rights reserved 120


To display EAPS status and configuration information, use the following command:

show eaps {<eapsDomain>} {detail}

© 2015 Extreme Networks, Inc. All rights reserved 121


Each controller and partner node can display status and configuration information for
the shared port or ports on the corresponding side of the common link. To display EAPS
common link information, use the following command:

show eaps shared-port {<port>} {detail}

© 2015 Extreme Networks, Inc. All rights reserved 122


© 2015 Extreme Networks, Inc. All rights reserved 123
© 2015 Extreme Networks, Inc. All rights reserved 124
© 2015 Extreme Networks, Inc. All rights reserved 125
© 2015 Extreme Networks, Inc. All rights reserved 126
© 2015 Extreme Networks, Inc. All rights reserved 127
© 2015 Extreme Networks, Inc. All rights reserved 128
© 2015 Extreme Networks, Inc. All rights reserved 129
Each switch in the ring is configured with the following elements:

Ring Name

RPL (ring protection link) owner configuration for the ERPS ring

East and West ring ports

Control VLAN and Protected VLANs

© 2015 Extreme Networks, Inc. All rights reserved 130


ERPS R-APS Packets:
ERPS uses the 802.1ag CFM protocol to transmit R-APS packets

CFM packets have a source MAC address of the switch and a destination MAC
address of 01:19:a7:00:00:01

Note: 01:19:a7 is the OUI for the ITU who developed Y.1731 on which 802.1ag is based).

R-APS packets are sent with an 802.1p value of 7 (QP8) and a type field of
0x8902.

R-APS packets contain the following information:


Request/State

No Request (idle state), Signal Failure, Manual Switch, Force Switch

RPL Blocked indicator

Flush FDB indicator

R-APS Node ID (sender’s MAC address)

© 2015 Extreme Networks, Inc. All rights reserved 131


© 2015 Extreme Networks, Inc. All rights reserved 132
© 2015 Extreme Networks, Inc. All rights reserved 133
© 2015 Extreme Networks, Inc. All rights reserved 134
Note: Similar configuration would have to be completed for all switches participating in
ring-2

SummitStack2.1 # create erps ring-2


SummitStack2.3 # configure erps ring-2 ring-port east 1:1
SummitStack2.4 # configure erps ring-2 ring-port west 4:1
SummitStack2.2 # configure erps ring-2 protection-port 4:1 (This command will set
SummitStack2 as the ring owner)
SummitStack2.5 # configure erps ring-2 add control ctrl-2
SummitStack2.6 # configure erps ring-2 add protected data
SummitStack2.7# enable erps ring-2
SummitStack2.8 # enable erps

© 2015 Extreme Networks, Inc. All rights reserved 135


© 2015 Extreme Networks, Inc. All rights reserved 136
© 2015 Extreme Networks, Inc. All rights reserved 137
© 2015 Extreme Networks, Inc. All rights reserved 138
© 2015 Extreme Networks, Inc. All rights reserved 139
© 2015 Extreme Networks, Inc. All rights reserved 140
© 2015 Extreme Networks, Inc. All rights reserved 141
Note: CFM is defined in IEEE 802.1ag-2007 standard, and the ITU’s Y.1731. 802.1ag is
similar to Y.1731, but Y.1731 specifies additional performance management. Extreme
implements all of 802.1ag but only implements Y.1731 for frame delay and delay
variance measurement.

Note: CFM is also referred to as Ethernet Operation, Administration and Maintenance


(OAM or OA&M).

© 2015 Extreme Networks, Inc. All rights reserved 142


An UP MEP sends CFM frames toward the frame filtering entity, which forwards the
frames to all other ports of a service instance other than the port on which the UP MEP
is configured. This is similar to how the frame filtering entity forwards a normal data
frame, taking into account the port's STP state. For an UP MEP, a CFM frame exits
from a port if only if the STP state of the port is in the forwarding state.

A DOWN MEP sends CFM frames directly to the physical medium without considering
the port STP state. For a DOWN MEP, a CFM frame exits from a port even if the port
STP state is in blocking state.

© 2015 Extreme Networks, Inc. All rights reserved 143


Note: An “Up MEP” takes into account the Spanning Tree port state when transmitting
CCMs. Only forwards CFM frames through ports in the forwarding state.

© 2015 Extreme Networks, Inc. All rights reserved 144


© 2015 Extreme Networks, Inc. All rights reserved 145
Note: An “Up MEP” takes into account the Spanning Tree port state when transmitting
CCMs. Only forwards CFM frames through ports in the forwarding state.

© 2015 Extreme Networks, Inc. All rights reserved 146


The example above shows the creation of a Down-MEP with the CFM commands.

© 2015 Extreme Networks, Inc. All rights reserved 147


The example above shows the creation of a Down-MEP with the CFM commands.

© 2015 Extreme Networks, Inc. All rights reserved 148


© 2015 Extreme Networks, Inc. All rights reserved 149
© 2015 Extreme Networks, Inc. All rights reserved 150
© 2015 Extreme Networks, Inc. All rights reserved 151
© 2015 Extreme Networks, Inc. All rights reserved 152
Link Aggregation, SmartTrunking, and other port trunking algorithms are all methods of
bonding together two or more data channels into a single channel that appears as a
single, higher-bandwidth, logical link. It is a cost-effective way to implement increased
bandwidth. Aggregated links also provide redundancy and fault tolerance.

In the absence of any type of link aggregation, Spanning Tree Protocol prevents the
addition of bandwidth. Link aggregation makes multiple physical links appear as a
single logical link to the Spanning Tree Protocol, such that those redundant links within
the aggregation will not be blocked. This is accomplished by positioning link
aggregation as an optional sub-layer in the Data Link Layer of the OSI Model (explained
in more detail later in this module), presenting itself as a single MAC address to MAC
clients in the Network layer.

Link aggregation should be viewed as a network configuration option that is primarily


used in network connections that require higher data rate limits than can be provided by
single links, such as between switches or between switches and servers. It can also be
used to increase the reliability of critical links.

© 2015 Extreme Networks, Inc. All rights reserved 153


Key benefits of Link Aggregation are:
Dynamic configuration: Determines which links are eligible for aggregation,
configures them automatically, and provides rapid reconfiguration
Higher link availability: Provides higher link availability. The failure of a single
link effects traffic on that single link, but it will move to one of the other links in
the LAG
Increased bandwidth: The capacity of an aggregated link is higher than an
individual link alone
Backwards compatible with 802.3ad-unaware devices through static
configuration

© 2015 Extreme Networks, Inc. All rights reserved 154


Link Aggregation Scenarios:
There are two typical scenarios in which link aggregation may be useful in a network, as
described below:

Switch-to-switch connections: This is the most common scenario. Multiple ports on a


switch are joined to form an aggregated link. Aggregation of multiple links achieves
higher speed connections between switches without hardware upgrade. If two switches
are connected, each using four 1000 Mbps links, and one of those links fails between
the two switches, data traffic is maintained through the other links in the link
aggregation group. Note that such a configuration reduces the number of ports
available for connection to other network devices or end stations. Thus, aggregation
implies a trade-off between port usage and additional capacity for a given device pair.

Switch-to-station (server or router) connections: Many server platforms can saturate a


single 100 Mbps link. Thus, link capacity limits overall system performance. You can
aggregate switch-to-station connections to improve performance. Better performance
can be achieved without upgrade to server or switch.

© 2015 Extreme Networks, Inc. All rights reserved 155


IPv4 Layer 3 header load balancing example:

LAG contains 2 ports


Requires 1 bit from the header information to select one of two ports
1 bit allows two values; Port 1 is 0 and port 2 is 1

Packet #1
IP Src address 10.0.0.1 (Bit 1=1) and Dst address 10.0.0.100 (Bit 1 = 0)
1 XOR 0 = 1 – Packet is sent down port 2

Packet #2
IP Src address 192.168.1.20 (Bit 1=0) and Dst address 207.23.1.4 (Bit 1 = 0)
0 XOR 0 = 0 – Packet is sent down port 1

Note: Even packet distribution depends on the mix of addresses

© 2015 Extreme Networks, Inc. All rights reserved 156


Example:
enable sharing 13 grouping 13,15 algorithm address-based L3 lacp
show lacp lag 13
configure sharing 13 lacp activity-mode passive

© 2015 Extreme Networks, Inc. All rights reserved 157


Example:
enable sharing 13 grouping 13,15

© 2015 Extreme Networks, Inc. All rights reserved 158


© 2015 Extreme Networks, Inc. All rights reserved 159
© 2015 Extreme Networks, Inc. All rights reserved 160
© 2015 Extreme Networks, Inc. All rights reserved 161
© 2015 Extreme Networks, Inc. All rights reserved 162
© 2015 Extreme Networks, Inc. All rights reserved 163
© 2015 Extreme Networks, Inc. All rights reserved 164
MLAG peer switches must be of the same platform family. The following MLAG peers
are allowed: BlackDiamond 8800 switches with BlackDiamond 8800 switches,
BlackDiamond X8 switches with BlackDiamond X8 switches, Summit switches with
Summit switches, and SummitStack with SummitStack.

© 2015 Extreme Networks, Inc. All rights reserved 165


MLAG (Steady-State Condition):
The peer transmits “hello” and state packets within the ISC VLAN every second.

Default transmit interval for “hello” packet is 1 second.


User traffic is forwarded based on normal FDB rules and LAG load sharing algorithms.

Any traffic that is received on the ISC ports is dropped as long as the peer MLAG port is up in
order to prevent a loop

This prevents the flooding of any broadcast or unknown unicast traffic to the MLAG ports.

© 2015 Extreme Networks, Inc. All rights reserved 166


© 2015 Extreme Networks, Inc. All rights reserved 167
© 2015 Extreme Networks, Inc. All rights reserved 168
Note: You must create a Layer 3 VLAN for control communication between MLAG
peers. You cannot enable IP forwarding on this VLAN. The ISC is exclusively used for
inter-MLAG peer control traffic and should not be provisioned to carry any user data
traffic. Customer data traffic however can traverse the ISC port using other user
VLANs.

Note: A LAG is recommended for the ISC VLAN.

© 2015 Extreme Networks, Inc. All rights reserved 169


Note: Configuration steps taken on one MLAG Switch, must be replicated on the other
MLAG Switch!

Create the MLAG peer and associate the peer switch's IP address. By creating an
MLAG peer you associate a peer name that can be associated with the peer switch's IP
address and other peer configuration properties. The peer is then bound to each
individual MLAG port group.

Create the MLAG port groups. This creates an MLAG port group by specifying the
local switch's port, the MLAG peer switch, and an "mlag-id" which is used to reference
the corresponding port on the MLAG peer switch. The specified local switch's port can
be either a single port or a load share master port.

© 2015 Extreme Networks, Inc. All rights reserved 170


To display information about an MLAG peer, including MLAG peer switch state, MLAG
group count, and health-check statistics:

show mlag peer {<peer_name>}

© 2015 Extreme Networks, Inc. All rights reserved 171


To display each MLAG group, including local port number, local port status, remote
MLAG port state, MLAG peer name, MLAG peer status, local port failure count, remote
MLAG port failure count, and MLAG peer failure count:

show mlag ports {<portlist>}

© 2015 Extreme Networks, Inc. All rights reserved 172


© 2015 Extreme Networks, Inc. All rights reserved 173
© 2015 Extreme Networks, Inc. All rights reserved. 174
© 2015 Extreme Networks, Inc. All rights reserved. 175
Access Control Lists (ACLs) are used to define packet filtering and forwarding rules for
traffic traversing the switch. Each packet arriving on an ingress port and/or VLAN is
compared to the access list applied to that interface and is either permitted or denied.
Packets egressing an interface can also be filtered on certain platforms listed in the
ExtremeXOS Concepts Guide. However, only a subset of the filtering conditions
available for ingress filtering are available for egress filtering.

NOTE
Port Isolation (new in 15.3). This feature blocks accidental and intentional inter-
communication between different customers residing on different physical ports.
Previously, this kind of security was obtained through the access-list module, but this
can be complicated to manage and can be resource intensive. This feature provides a
much simpler blocking mechanism without the use of ACL hardware. A set of physical
or load-share ports can be selected that will be deemed isolated - once isolated, the
ports cannot communicate with other isolated ports, but can communicate with any
other ports. Use the following command: configure ports <port-list> isolation [on | off].

© 2015 Extreme Networks, Inc. All rights reserved. 176


Match Conditions
You can specify multiple, single, or zero match conditions. If no match condition is
specified, all packets match the rule entry. The table above lists a selection of the
available match conditions. For the complete list of match conditions refer to the
Chapter 18 of the ExtremeXOS Concepts Guide.
Match Operators
You can also use the operators <, <=, >, and >= to specify match conditions. For
example, the match condition, source-port > 190, will match packets with a source port
greater than 190. Be sure to use a space before and after an operator.

© 2015 Extreme Networks, Inc. All rights reserved. 177


Match Conditions
You can specify multiple, single, or zero match conditions. If no match condition is
specified, all packets match the rule entry. The table above lists a selection of the
available match conditions. For the complete list of match conditions refer to the
Chapter 18 of the ExtremeXOS Concepts Guide.
Match Operators
You can also use the operators <, <=, >, and >= to specify match conditions. For
example, the match condition, source-port > 190, will match packets with a source port
greater than 190. Be sure to use a space before and after an operator.

© 2015 Extreme Networks, Inc. All rights reserved. 178


Actions
The action is either permit or deny or no action is specified. No action specified permits
the packet. The deny action drops the packet.

Action Modifiers
The above table lists a selection action modifiers such as count, qosprofile and meter.
The count action increments the counter named in the condition. The QoS profile action
forwards the packet to the specified QoS profile; The meter action modifier associates a
rule entry with an ACL meter for rate limiting. For a full list of action modifiers refer to
Chapter 18 of the ExtremeXOS Concepts Guide.

NOTE
Often an ACL policy will have a rule entry at the end of the ACL with no match
conditions. This entry will match any packets.

© 2015 Extreme Networks, Inc. All rights reserved. 179


Wide Key ACLs
This feature allows the use of a 362-bit double wide match key instead of a standard
181-bit single key to be used with match conditions. A wide match key allows you to
add more match conditions to an ACL. It also allows matching on a full destination-
source IPv6 address. The platforms that support this feature can operate either in wide
mode or in the current single mode. A individual switch or module cannot be configured
to operate in a mixed wide and single mode. However, a BlackDiamond 8800 chassis or
a SummitStack can have a mixture of modules and switches with some of them
operating in a single mode and some in a wide mode.

NOTE
Wide key ACLs are supported only on the BlackDiamond 8000 c-, xl-, and xm-series
modules and Summit X460, X480, and X670 switches. When using wide key ACLs, you
can only install half as many rules into the internal ACL TCAM as you can when in a
standard mode.

© 2015 Extreme Networks, Inc. All rights reserved. 180


A number of slices and rules are used by features present on the switch. You consume
these resources when the feature is enabled so the availability of resources depends on
the type and number of features and protocols that are enabled on a switch. Below is a
list of the most common features and there resource consumption. For a detailed list,
refer to the ExtremeXOS Concepts Guide.
● dot1p examination - enabled by default - 1 slice, 8 rules per chip
● IGMP snooping - enabled by default - 2 slice, 2 rules
● VLAN without IP configured - 2 rules - 2 slices
● IP interface - disabled by default - 2 slices, 3 rules (plus IGMP snooping rules above)
● VLAN QoS - disabled by default - 1 slice, n rules (n VLANs)
● Port QoS - disabled by default - 1 slice, 1 rule
● VRRP - 2 slices, 2 rules
● EAPS - 1 slice, 1 rule (master), n rules (transit - n domains)
● ESRP - 2 slices, 2 rules
● ESRP Aware - 1 slice, 1 rule
● IPv6 - 2 slices, 3 rules
● Netlogin - 1 slice, 1 rule
● VLAN Mirroring - 1 slice, n rules (n VLANs)

© 2015 Extreme Networks, Inc. All rights reserved. 181


© 2015 Extreme Networks, Inc. All rights reserved. 182
For example, physical ports, dest IP, source IP and IP fragments are all compatible and
will require one slice. If an ACL requires the use of field selectors from two different
rows, it must be implemented on two different slices.

For more information, refer to the ExtremeXOS Concepts Guide.

© 2015 Extreme Networks, Inc. All rights reserved. 183


As the layer 2 rules contained in the mac.pol policy file are not compatible with the
previous rules, as defined in on the previous page, a new slice will be used.

© 2015 Extreme Networks, Inc. All rights reserved. 184


Notice that slice 14 now contains 10 rules: the eight system rules in this configuration,
plus the two compatible IP rules. As there are a mixture of system rules and user rules
contained in the slice, the slice status now indicates “user/other”. Slice 15 now contains
the two non-compatible L2 user rules.
NOTE
Older BD8K and SummitX series switches do not use slices, but use an another
method called masks. Although they operate in a similar way, masks are much less
flexible. To view the available mask usage, enter the show access-list usage command
specifying the acl-mask command option along with the relevant port number. ACL
mask operation for older BD8K and SummitX series switches is not covered in this
course material.

© 2015 Extreme Networks, Inc. All rights reserved. 185


As an example of precedence among interface types, suppose a physical port 1:2 is a
member port of the VLAN yellow. ACLs could be configured on the port, either singly or
as part of a port list, on the VLAN yellow, and on all ports in the switch (the wildcard
ACL). For all packets crossing this port, the port-based ACL has highest precedence,
followed by the VLAN-based ACL and then the wildcard ACL.
NOTE
ACLs applied to a VLAN are actually applied to all ports on the switch, without regard to
VLAN membership. The result is that resources are consumed per chip on
BlackDiamond 8000 a-, c-, e- xl-, and xmseries modules and Summit family switches.

© 2015 Extreme Networks, Inc. All rights reserved. 186


The edit policy command spawns a VI-like editor to edit the named file. Edit operates in
one of two modes; command and input. When a file first opens, you are in the
command mode. To write in the file, use the keyboard arrow keys to position your
cursor within the file, then press one of the following keys to enter input mode:
i - To insert text ahead of the initial cursor position
a- To append text after the initial cursor position
To escape the input mode and return to the command mode, press the Escape key.
There are several commands that can be used from the command mode:
dd - To delete the current line
yy - To copy the current line
p - To paste the line copied
:w - To write (save) the file
:q - To quit the file if no changes were made
:q! - To forcefully quit the file without saving changes
:wq - To write and quit the file

© 2015 Extreme Networks, Inc. All rights reserved. 187


Notice from the output of the show policy command that the policy has been applied as
an ACL and is bound once to the VLAN “data”.

The output from the show access-list command shows the actual VLAN the ACL is
bound to (notice that the ACL is bound to all ports as indicated by the asterisk “*”). It
also shows whether the policy is ingress or egress and how many rules are contained in
the policy.

© 2015 Extreme Networks, Inc. All rights reserved. 188


© 2015 Extreme Networks, Inc. All rights reserved. 189
Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You
specify the name of the dynamic ACL rule, the match conditions, and the actions and
action-modifiers. You can configure a dynamic ACL to be permanent or non-permanent.
Permanent dynamic ACLs are stored in the running configuration and need to be saved
to be persistent across system reboots. Non-permanent ACLs are just programed into
the hardware directly and are not added to the running configuration. They are therefore
not listed by the show configuration command.
User-created access-list names are not case sensitive. The match conditions, actions,
and action modifiers are the same as those that are available for ACL policy files. In
contrast to the ACL policy file entries, dynamic ACLs are created directly in the CLI.
More than one dynamic ACL can be applied to an interface, and the precedence among
the dynamic ACLs can be configured when adding the dynamic ACL via the CLI. By
default, the priority among dynamic ACLs is established by the order in which they are
configured.
NOTE
Dynamic ACLs have a higher precedence than ACLs applied using a policy file.

© 2015 Extreme Networks, Inc. All rights reserved. 190


The equivalent policy file rule to permit Telnet would be as follows:
entry permitTelnet {
if match all {
protocol tcp ;
destination-port 23 ;
}
then {
permit ;
}
}
To configure a non-permanent dynamic ACL, enter the create access-list command
specifying the rule name, conditions and actions then add the non-permanent command
option. The above example can be configured as follows:
create access-list permitTelnet "protocol tcp; destination-port 23" permit non-permanent

© 2015 Extreme Networks, Inc. All rights reserved. 191


To remove a dynamic ACL from a VLAN or port, enter the configure access-list delete
command specifying the dynamic rule to delete and the port or VLAN to which the ACL
was applied.

© 2015 Extreme Networks, Inc. All rights reserved. 192


Notice from the output of the show access-list command that VLAN data now indicates
that a dynamic ACL has been applied as well as the policy. However, the dynamic ACL
name is not shown in the output of this command. To do this enter the show access-list
dynamic command.
There may be a number of system dynamic ACLs present depending on the switch you
are using and the software version you are running. System ACLs are designed to
facilitate the operation of some features and are beyond the scope of this course.

© 2015 Extreme Networks, Inc. All rights reserved. 193


© 2015 Extreme Networks, Inc. All rights reserved. 194
© 2015 Extreme Networks, Inc. All rights reserved 195
© 2015 Extreme Networks, Inc. All rights reserved 196
© 2015 Extreme Networks, Inc. All rights reserved 197
© 2015 Extreme Networks, Inc. All rights reserved 198
© 2015 Extreme Networks, Inc. All rights reserved 199
© 2015 Extreme Networks, Inc. All rights reserved 200
© 2015 Extreme Networks, Inc. All rights reserved 201
© 2015 Extreme Networks, Inc. All rights reserved 202
© 2015 Extreme Networks, Inc. All rights reserved 203
© 2015 Extreme Networks, Inc. All rights reserved 204
© 2015 Extreme Networks, Inc. All rights reserved 205
© 2015 Extreme Networks, Inc. All rights reserved 206
© 2015 Extreme Networks, Inc. All rights reserved 207
© 2015 Extreme Networks, Inc. All rights reserved 208
© 2015 Extreme Networks, Inc. All rights reserved. 209
© 2015 Extreme Networks, Inc. All rights reserved 210
© 2015 Extreme Networks, Inc. All rights reserved. 211
RIP v1/v2- Routing Information Protocol version 1 and 2
OSPF-Open Shortest Path First
BGP- Border Gateway protocol
IS-IS- Intermediate system to Intermediate system
DVMRP- Distance Vector Multicast Routing Protocol
PIM-SM- Protocol Independent Multicasts- Sparse Mode
IPv6- Internet Protocol version 6
IRDP- ICMP Router Discovery Protocol
VRRP- Virtual Router redundancy protocol
LSNAT- Load Sharing Network Address Translation
ACLs- Access Control Lists
PBR- Policy Based Routing
DoS Prevention- Denial of Service Prevention
DHCP Server- Dynamic Host Configuration Protocol server

© 2015 Extreme Networks, Inc. All rights reserved. 212


The router typically learns dynamic routes because you have enabled the RIP, OSPF,
IS-IS or BGP protocols. It also learns routes from Internet Control Message Protocol
(ICMP) redirects exchanged with other routers. These routes are called dynamic routes
because they are not a permanent part of the configuration. The router learns these
routes are learned when it starts up and dynamically updates them as the network
changes.

Static routes are routes that are manually entered into the routing tables and are not
advertised through the routing protocols. Static routes can be used to reach networks
that are not advertised by routing protocols and do not have dynamic route entries in
the routing tables.

Without BFD, static routes always remain operationally active because there is no
dynamic routing protocol to report network changes. This can lead to a black hole
situation, where data is lost for an indefinite duration.

© 2015 Extreme Networks, Inc. All rights reserved. 213


The routing table has the following information:
The route’s origin. i.e. which network process added the route to the route table for
example; “d” (direct) for local interfaces, “s” for static routes including the default route
and “oa” for OSPF intra-area routes.
The IP network. This field will be shown as a combination of the network address and
the subnet mask.
The network gateway. This is typically the next hop router. If the network is directly
connected, you should see the IP address of the VLAN's IP routing interface.
The route metric. This field defines the quality of the path to the target network. Since
the routing table can contain multiple entries to a destination network, the router will
pick the route with the lowest metric as it is considered to be of higher quality.
Other information is also displayed such as the route status, VLAN for next hop
forwarding and age.

© 2015 Extreme Networks, Inc. All rights reserved. 214


A default precedence/distance for each type of route is listed, and the table notes the
precedence between protocols. The lower the precedence value, the more preferred
the routes are. In XOS, these values are configurable.

© 2015 Extreme Networks, Inc. All rights reserved. 215


Before you configure routing, you must first create VLANs on your switch, and add
ports to them.

On XOS switches:
Use the create vlan [vlan name] command to create the VLANs you require. Once
VLANs are created, they will be available for layer 3 provisioning.
Next, make your vlan a tagging vlan with the configure vlan [vlan-name] tag [vlan-id]
command. Note that the vlan argument in this command is optional; you can use the
command configure [vlan-name] tag [vlan-id] and get the same results.
Next, add ports to your vlan with the configure vlan [vlan-name] add ports [ports]
[tagged|untagged] command. Note that the vlan argument in this command is optional;
you can use the command configure [vlan-name] add ports [ports] [tagged|untagged]
and get the same results.

© 2015 Extreme Networks, Inc. All rights reserved. 216


Direct Routing is the simplest form of routing. Direct routing allows devices that are on
different VLANs to communicate with each other by crossing the routing function in a
single switch. With direct routing the routers involved do not advertise their IP routes to
each other.
So for example, VLAN 5 and VLAN 10 on Router A in this example can communicate,
because we have enabled direct routing on Router A. Router B, however, does not
know about either VLAN 5 or VLAN 10, and users on VLAN 20 on Router B are unable
to communicate with users on any of Router A’s VLANs.

© 2015 Extreme Networks, Inc. All rights reserved. 217


For all Extreme switches, a device with a VLAN that does not have a corresponding IP
interface defined for it will function as a Layer 2 device only, regardless of the operation
mode. You must configure each VLAN separately for IP routing.

On XOS Switches:
Assign a VLAN a layer 3 IP interface address and subnet mask to enable IP routing
between VLANs. Give the VLAN an IP address and subnet mask, and issue the enable
ip forwarding [vlan-name] command to tie the VLAN into the routing function.

© 2015 Extreme Networks, Inc. All rights reserved. 218


A loopback interface is a logical IP interface on your router that is not associated with a
specific physical connection. It is best network practice to create a loopback interface
on your routers for management purposes. If your management station connects to
your router using the IP address of one of the router’s physical interfaces, and if that
interface goes down, your management station will lose contact with the router, and you
will be unable to repair the problem. If your management station connects to the router
using the IP address of the loopback interface, then it will be able to maintain
connection as long as the router has one or more active physical interfaces.

© 2015 Extreme Networks, Inc. All rights reserved. 219


© 2015 Extreme Networks, Inc. All rights reserved. 220
Routing tables can be maintained either statically or dynamically. All the Extreme switch
routers support static routes and at least one form of dynamic routing. Dynamic routing
uses routing protocols to maintain the routing table.
Static Routes
Static routes are manually configured by a network administrator for entry into a
switch’s routing table, they are flagged as “S” which indicates static. Static routes point
to remote network destinations, and will take precedence over routes chosen by
dynamic routing protocols pointing to the same destination. Although easy to configure
and use, a major drawback of static route implementation on a large scale is that every
time the network topology changes, the routing information will need to be manually
reentered into the route table. Therefore, static routing is not suited to large, dynamic
networks.
Dynamic Routes
Dynamic Routes are created using routing protocols to determine the best path
between routers. When network topologies change, routers using dynamic routing will
automatically recalculate the best possible route. The methods for route recalculation
vary between the protocols.

© 2015 Extreme Networks, Inc. All rights reserved. 221


To configure a static route in XOS use the configure iproute add command, where:

destination-route: specifies an IPv4 address as a single destination for which a static


route is being defined
subnet-mask: specifies the prefix mask for the destination network
next-hop: specifies the next-hop router address for the static route
Optionally, you can set the virtual router upon which you are configuring this static
route. If you do not specify a virtual router, XOS will set the static route in the Default
VR.

© 2015 Extreme Networks, Inc. All rights reserved. 222


The router keeps a record of all its decisions about the best path between it and other
IP subnets in your network in the form of a routing table. The routing table specifies
how the router knows about the IP subnet, the IP address of the subnet, the next hop
router on the path to that subnet, and the IP interface out of which the router must send
the packet to get to its destination.

© 2015 Extreme Networks, Inc. All rights reserved. 223


© 2015 Extreme Networks, Inc. All rights reserved. 224
In XOS, DHCP relay is a device level function. For DHCP relay to succeed, the router
must have a path to the network on which the DHCP server resides in its routing table.
Configure DHCP relay in two steps:
Configure the relay
Enable the relay

© 2015 Extreme Networks, Inc. All rights reserved. 225


When an IP host needs to communicate with another IP device on a common LAN
segment, and an IP address to MAC address mapping does not exist in its ARP table,
the device will issue an ARP request

Note: The ARP function is critical in IP networks. If a network device can not obtain an
IP-to-MAC mapping of the device it is attempting to communicate with, they will be
unable to exchange data across the LAN. Insure proper ARP table entries are present
via the show ip arp [ip-address] command if a connectivity problem has been
encountered.

© 2015 Extreme Networks, Inc. All rights reserved. 226


As a router, if an IP datagram is received and not addressed to any interface on
system, it must be forwarded to its destination through a single port as per instructions
of the routing table. Inability to forward requires the packet be dropped and
transmission of an ICMP error message back to the source with the reason why.

© 2015 Extreme Networks, Inc. All rights reserved. 227


© 2015 Extreme Networks, Inc. All rights reserved. 228
© 2015 Extreme Networks, Inc. All rights reserved. 229
© 2015 Extreme Networks, Inc. All rights reserved. 230
OSPF is classified as an Internal Gateway Protocol (IGP). This means that it
distributes routing information between routers belonging to a single Autonomous
System. The OSPF protocol is based on SPF or link-state technology. This is a
departure from the Bellman-Ford base used by traditional distance vector internet
routing protocols.
The OSPF protocol was developed by the OSPF working group of the Internet
Engineering Task Force. It has been designed expressly for the internet environment,
including explicit support for IP subnetting, TOS-based routing and the tagging of
externally-derived routing information. OSPF also provides for the authentication of
routing updates, and utilizes IP multicast when sending/receiving the updates. In
addition, much work has been done to produce a protocol that responds quickly to
topology changes, yet involves small amounts of routing protocol traffic.

© 2015 Extreme Networks, Inc. All rights reserved. 231


OSPF allows collections of contiguous networks and hosts to be grouped together.
Such a group, together with the routers that have interfaces to any one of the included
networks, is called an area. Each area runs a separate copy of the basic shortest-path-
first routing algorithm. This means that each area has its own topological database.
The topology of an area is invisible from the outside of the area. Conversely, routers
internal to a given area know nothing of the detailed topology external to the area. This
isolation of knowledge enables the protocol to effect a marked reduction in routing
traffic as compared to treating the entire autonomous system as a single SPF domain.
With the introduction of areas, it is no longer true that all routers in the AS have an
identical topological database. A router actually has a separate topological database for
each area to which it is connected. Routers connected to multiple areas are called area
border routers. Two routers belonging to the same area have, for that area, identical
area topological databases.
Routing in the autonomous system takes place on two levels, depending on whether
the source and destination of a packet reside in the same area (intra-area routing is
used) or different areas (inter-area routing is used). In intra-area routing, the packet is
routed solely on information obtained within the area; no routing information obtained
from outside the area can be used. This protects intra-area routing from the injection of
bad routing information.

© 2015 Extreme Networks, Inc. All rights reserved. 232


Every OSPF routing domain AS that has more than one area must have a backbone.
The backbone is a special OSPF area that must have an area ID of 0.0.0.0 (or simply
0). It consists of those networks not contained in any specific area, their attached
routers, and those routers that belong to multiple areas. The backbone must be
contiguous. Each router's interface that is configured in Area 0 must be reachable via
other routers where each interface in the path is configured as being in Area 0.
However, it is possible to define areas in such a way that the backbone is no longer
contiguous--where the continuity between routers is broken. In this case, you must
establish backbone continuity by configuring virtual links. Virtual links are useful when
the backbone area is either purposefully partitioned or when restoring inadvertent
breaks in backbone continuity.

© 2015 Extreme Networks, Inc. All rights reserved. 233


© 2015 Extreme Networks, Inc. All rights reserved. 234
OSPF supports a two level routing design through the use of Areas. OSPF areas are
identified by an area ID. The area consists of the network segments and routers that
reside in the area. Each area has its own link state database (LSDB) which is separate
from LSDBs in other OSPF areas. The LSDB consists of router-LSAs and network-
LSAs which describes how the areas routers and network segments are connected.
Detailed information regarding the areas topology is hidden from all other areas,
(router-LSAs and network-LSAs are not flooded to routers outside the area and are
used for Intra-Area routing).
As a result of OSPF using area based routing, the positioning of routers with respect to
these areas represents a critical element in an OSPF routing environment.

© 2015 Extreme Networks, Inc. All rights reserved. 235


Within OSPF routers take on special responsibilities depending on their topological
orientation. All routers running OSPF on at least one of its interfaces can be
categorized into one of the following categories: ABR’s, ASBR’s, or internal routers.
Depending on what type of router is it, the router has different responsibilities in
restricting or allowing the propagation of certain types of LSAs.

© 2015 Extreme Networks, Inc. All rights reserved. 236


Inter-Area routing is achieved through the use of summary-LSAs that are passed from
area to area (via ABRs). summary-LSAs allow routers in the interior of an area to
dynamically learn about destinations in other areas, so they can to select the best path
when forwarding packets to these destinations.

© 2015 Extreme Networks, Inc. All rights reserved. 237


Stub areas are typically implemented when routers with limited resources (small
amounts of memory or limited CPU processing capacity) must be deployed in an OSPF
routing domain. To conserve router resources, the link state database (LSDB) within a
stub area is kept as small as possible. AS-external-LSAs are not passed into the area.
Routing to external destinations from a stub area is accomplished by using a default
routes originated by the areas ABR.
There are several requirements to take into consideration when configuring a stub area.
All routers participating the stub area must be configured to function as stub area
routers.

In addition:
AS-external-LSAs are not flooded into Stub Areas
Routing to external designations from Stub Areas are based on Default Routes
originated by a Stub Area’s ABR.
Summary LSAs can also use the Default Route for Inter-area routing.
Criteria:
Stub areas must not have an ASBR
Stub areas should have one ABR
Or, if more than one, accept non-optimal routing paths to the External AS
No Virtual Links allowed in a stub area

© 2015 Extreme Networks, Inc. All rights reserved. 238


A Totally Stubby Area (TSA) is a variation of a stub area. For very large OSPF networks
it is sometimes necessary to limit the amount of routing information flooded into an area
to an even greater degree. In addition to filtering AS-external-LSAs, a Totally Stubby
Area filters Network-Summary-LSAs as well, further reducing the volume of OSPF
routing information present in the area.

© 2015 Extreme Networks, Inc. All rights reserved. 239


A Not-So-Stubby Areas (NSSA) is a second variation of a stub area in which external
routing information (in the form of AS-external-LSAs) can be imported into the stub area
via an Autonomous System Border Router (ASBR) that resides in the NSSA. AS-
external-LSAs from outside the area (e.g., AS-external-LSAs from Area 0) are still not
allowed access to the NSSA.

© 2015 Extreme Networks, Inc. All rights reserved. 240


© 2015 Extreme Networks, Inc. All rights reserved. 241
For the current slide, Router A and Router B have been elected Designated Router
(DR) and Backup Designated Router based on priority (Priority 100 and Priority 75). A
set of adjacencies for over the Gig-Ethernet LAN segment as indicated on the slide. To
demonstrate over a broadcast LAN how database updates occur using a DR and BDR,
Router E receives a new LSA (perhaps you configure a new VLAN to participate in
OSPF). It installs the LSA in its database, and then floods the LSA, (LS Update) to the
DR and BDR (using 224.0.0.6 (AllDRouters) so only these routers receive the update.
The Designated Router then sends the LS Update back on to the Gig-Ethernet LAN
segment using address 224.0.0.5 (AllSFPRouters). All the routers hear and process
the update. Router B and Router E update their timers; Router C and Router D add the
LSA to their Link State Database. All the routers stop passing data traffic, run Dijkstra’s
Algorithm to recomputed their Shortest Path Trees, reconverge, and begin passing
traffic again.

© 2015 Extreme Networks, Inc. All rights reserved. 242


Using the loopback interface as the router ID is the preferred method. Its major
advantage is as follows: If a real interface is used, any time that interface goes down
the router must find another Router ID. This causes all the other routers to learn the
router’s new ID number, and update their databases. This would result in the router not
processing OSPF packets during this time frame. As long as the router is turned on and
running, the loopback will never go away, so when a router interface goes down it won’t
affect the other routers in the network.
OSPF packet type 1, these packet types are sent out of all interfaces, transmitted via
multicast to AllSPFRouters (224.0.0.5), a Form of “keep alive”, and used for Designated
Router / Backup Designated Router election.
OSPF packet type 2, exchanged when an adjacency being initiated, describes topology
database, and multiple packets may be used to describe a database.
OSPF packet type 3, requests pieces of the topological database from neighbor
routers. These messages are exchanged after a router discovers (by examining
database-description packets) that parts of its topological database are out of date.
OSPF packet type 4, implement the flooding of LSAs, several LSA may be included
within a single packet, response to Link State request packets, performs the database
update, and acknowledged by Link State Acknowledgement packets.
OSPF packet type 5, performs flooding acknowledgement for LSA’s, sent either
multicast to AllSPFRouters, AllDRouters or unicast, packet format is similar to Data
Description packets, and packet body consists of a list of LSA headers.

© 2015 Extreme Networks, Inc. All rights reserved. 243


OSPF packet type 1, these packet types are sent out of all interfaces, transmitted via
multicast to AllSPFRouters (224.0.0.5), a Form of “keep alive”, and used for Designated
Router / Backup Designated Router election.
OSPF packet type 2, exchanged when an adjacency being initiated, describes topology
database, and multiple packets may be used to describe a database.
OSPF packet type 3, requests pieces of the topological database from neighbor
routers. These messages are exchanged after a router discovers (by examining
database-description packets) that parts of its topological database are out of date.
Type 3 packets allow the router to come to full adjacency with the Designated Router.
OSPF packet type 4, implement the flooding of LSAs, several LSA may be included
within a single packet, response to Link State request packets, performs the database
update, and acknowledged by Link State Acknowledgement packets.
OSPF packet type 5, performs flooding acknowledgement for LSA’s, sent either
multicast to AllSPFRouters, AllDRouters or unicast, packet format is similar to Data
Description packets, and packet body consists of a list of LSA headers.

© 2015 Extreme Networks, Inc. All rights reserved. 244


© 2015 Extreme Networks, Inc. All rights reserved. 245
LSA Types:
Type 1 LSAs are called router-LSAs. Each router originates a single route-LSA to describe its set of
active interface and neighbors. If your routing domain consists entirely of routers connected by point-to-
point links – that is, if you have no client-facing VLANs attached to your routers – the link-state database
will consist only of router-LSAs.

Type 2 LSAs are called network-LSAs. The Type 2 LSA describes a broadcast network segment (such
as Ethernet) or other Non-Broadcast Multiple Access (NBMA) network (such as Asynchronous Transfer
Mode (ATM)), along with the Router-IDs of any routers currently attached to the network.

A Type 3 LSA is called a network-summary-LSA. It advertises a network that resides in one area into
another area. Only ABRs send Type 3 LSAs. You can configure your ABR to summarize the networks it is
advertising, if those networks are summarizable. If they are not, your ABR will issue a Type 3 LSA for
every network in the area.

A Type 4 LSA is called an ASBR-summary-LSA. When an Area Border Router has an ASBR in its area,
it originates an Type 4 LSA to let all the other routers in the OSPF network know the path to the ASBR.
The Type 4 LSA floods throughout the OSPF backbone area; all other routers in the backbone area
receive and process it directly. Any other ABRs in the domain will re-originate the Type 4 LSA into the
area(s) to which they are connected.

Type 5 Link State Advertisements are called Autonomous-System-external-LSAs. ASBRs originate Type
5 LSAs to advertise routes in the non-OSPF routing domains to which they are attached. ASBRs flood
throughout your OSPF domain, crossing ABRs.

If an ASBR is on the back side of a Not So Stubby Area (NSSA), it advertises routes it learns from the
non-OSPF routing protocol into the NSSA as Type 7 LSAs. The Area Border Router advertises these
routes into the rest of the OSPF domain as Type 5 LSAs.

© 2015 Extreme Networks, Inc. All rights reserved. 246


OSPF supports Equal-Cost Multi-Path (ECMP) routing. ECMP is a mechanism for
routing packets over multiple paths of equal cost in order to achieve almost equally
distributed link load sharing.

IP route sharing allows a switch to communicate with a destination through multiple


equal-cost routes. In OSPF, BGP, and IS-IS, this capability is referred to as equal cost
multipath (ECMP) routing. Without IP route sharing, each IP route entry in the routing
tables lists a destination subnet and the next-hop gateway that provides the best path
to that subnet. Every time a packet is forwarded to a particular destination, it uses the
same next-hop gateway.

With IP route sharing, the router can use up to 2, 4, 8, 16, or 32 next-hop gateways
(depending on the platform and feature configuration) for each route in the routing
tables. When multiple next-hop gateways lead to the same destination, the switch can
use any of those gateways for packet forwarding. IP route sharing provides route
redundancy and can provide better throughput when routes are overloaded.
XOS routers support a separate ECMP table. The gateways in the ECMP table can be
defined with static routes (up to 32-way), or they can be learned through the OSPF,
BGP, or IS-IS protocols (up to 8-way).

© 2015 Extreme Networks, Inc. All rights reserved. 247


© 2015 Extreme Networks, Inc. All rights reserved. 248
© 2015 Extreme Networks, Inc. All rights reserved. 249
© 2015 Extreme Networks, Inc. All rights reserved. 250
© 2015 Extreme Networks, Inc. All rights reserved. 251
© 2015 Extreme Networks, Inc. All rights reserved. 252
© 2015 Extreme Networks, Inc. All rights reserved. 253
© 2015 Extreme Networks, Inc. All rights reserved. 254
OSPF Router priority is an interface level command and is used to influence the
election process for the Designated Router (DR) and Backup Designated Router (BDR)
in a broadcast LAN environment. The routers with the highest priority interfaces will win
the election process for DR and BDR on a broadcast network segment. If two routers
have the same priority, the router with the highest router ID will be elected as the DR.
Setting the interface to a priority of “0” precludes that router from becoming a DR for the
LAN segment. Valid values range from 0-255. A priority of 0 means that an interface
will become the DR only if it is the only interface in the area.

© 2015 Extreme Networks, Inc. All rights reserved. 255


© 2015 Extreme Networks, Inc. All rights reserved. 256
© 2015 Extreme Networks, Inc. All rights reserved. 257
© 2015 Extreme Networks, Inc. All rights reserved. 258
Note: in XOS, the show vlan command will also tell you which VLANs have OSPF
enabled on them.

© 2015 Extreme Networks, Inc. All rights reserved. 259


© 2015 Extreme Networks, Inc. All rights reserved. 260
© 2015 Extreme Networks, Inc. All rights reserved. 261
© 2015 Extreme Networks, Inc. All rights reserved. 262
Area 0 can be defined as 0 or 0.0.0.0.

Area 2 can be defined as 2 or 0.0.0.2.

Note that if you are already running OSPF in your network and are changing the area
an interface belongs to, you must first disable OSPF with the disable ospf command.
(You will use this process in the lab.)

© 2015 Extreme Networks, Inc. All rights reserved. 263


© 2015 Extreme Networks, Inc. All rights reserved. 264
With no summarization, Area 1 will advertise routes for all 256 class C networks to Area
0. With summarization in use, Area 1 will advertise a single route of 192.168.0.0/16 to
Area 0. The single route will provides less specific reachability information for Area 1’s
256, class C networks, but it will reduce the number of routes the Area 0 routers will
need to maintain and still provide Area 0 the necessary routing information required to
reach the individual networks.

© 2015 Extreme Networks, Inc. All rights reserved. 265


© 2015 Extreme Networks, Inc. All rights reserved. 266
OSPF supports three different ways in which the routers can authenticate themselves
to each other: Null authentication, the default. With Null authentication, the routers do
not authenticate each other, and accept Hello packets from any source. Plain Text
authentication, in which you configure simple password authentication between your
routers. Message Digest-5 (MD5) authentication, in which you configure an MD5
password on your routers.

© 2015 Extreme Networks, Inc. All rights reserved. 267


On all Extreme switches you must configure simple authentication both for your OSPF
area and on each interface in the area.

© 2015 Extreme Networks, Inc. All rights reserved. 268


The md5-key-id specifies and RSA Data Security, Inc. MD5 Message-Digest Algorithm
key; the valid key numbers range fro 0-255. The md5_key_id must match across all
routers in a given area, as must the password.

© 2015 Extreme Networks, Inc. All rights reserved. 269


© 2015 Extreme Networks, Inc. All rights reserved. 270
© 2015 Extreme Networks, Inc. All rights reserved. 271
© 2015 Extreme Networks, Inc. All rights reserved. 272
© 2015 Extreme Networks, Inc. All rights reserved. 273
Policy-Based Routing allows service providers and other organizations to direct routed
traffic through different connections than would be chosen by the routing protocol.

© 2015 Extreme Networks, Inc. All rights reserved. 274


© 2015 Extreme Networks, Inc. All rights reserved. 275
In the above example, the normal routed path from the branch office to corporate
headquarters would pass across the high-bandwidth connections as identified on the
slide. However, some sub-set of the Branch Office traffic is being directed along an
alternate path that is specified based on PBR.

© 2015 Extreme Networks, Inc. All rights reserved. 276


© 2015 Extreme Networks, Inc. All rights reserved. 277
© 2015 Extreme Networks, Inc. All rights reserved. 278
© 2015 Extreme Networks, Inc. All rights reserved. 279
IP multicast is used by a number of protocols and applications. Applications such as
video and audio conferencing and streaming use protocols such as the Real Time
Protocol (RTP) and Real Time Control Protocol (RTCP) to encapsulate multimedia
streams and to monitor the delivery of the data. Other protocols such as OSPF, RIP2 as
well as other application based protocols such as Session Announcement Protocol
(SAP) and Session Description Protocol (SDP) use multicast to announce and learn the
existence other routers or other multimedia conferences on the network.

© 2015 Extreme Networks, Inc. All rights reserved. 280


The goal of IP multicast is to deliver traffic to a specific subset of all the devices on your
network. That said, how do you tell your switches which devices on your network want
to receive the traffic stream?

© 2015 Extreme Networks, Inc. All rights reserved. 281


The Internet Group Management Protocol (IGMP) is a layer-2 protocol that runs
between hosts and their immediately neighboring multicast routers.
Routers implement IGMP to allow hosts to signal to the network their desire to receive
multicast traffic for a specific group. This enables the routers to learn about the
presence of group members on their directly attached subnetworks.
This receiver-initiated join process has excellent scaling properties since, as the
multicast group increases in size, it becomes ever more likely that a new group member
is able to locate a nearby branch of the multicast distribution tree.

© 2015 Extreme Networks, Inc. All rights reserved. 282


The Internet Group Management Protocol (IGMP) is used between IP hosts and their
local network to support the creation of transient multicast membership groups, the
addition and deletion of members of a group, and the periodic confirmation of group
membership.
A Server has no direct IGMP involvement, as it does not receive a multicast stream and
only sends a multicast stream.
.

© 2015 Extreme Networks, Inc. All rights reserved. 283


IGMP relies on a query and response process. A router on the subnet, called the
“Querier Router”, sends out a query message asking, “Does anyone on this subnet
want a multicast stream?” Hosts that want a multicast stream send a response.
IGMP query messages are addressed to the all-hosts group address (224.0.0.1) and
have a Time to Live (TTL) value of 1. The router periodically multicasts an IGMP
membership query to the “all hosts” multicast group, on the local subnetwork. All hosts
that support IGMP are automatically members of the all hosts group and accept
packets address to the all hosts group.
The default query interval is 60 seconds.

© 2015 Extreme Networks, Inc. All rights reserved. 284


Querier Election
In a multi-access network there may be more than one router that is IGMP enabled.
Only one multicast querier (router) can exist for each LAN at a time. So, there needs to
be an election to determine which router becomes the IGMP querier.
IGMP v1 does not have an election mechanism and relies on the routing protocol to
select a designated router.
IGMP v2 uses a General Query message on start-up. When routers receive the
General Query messages they compare the source IP address with their own. The
router with the lowest IP address is elected the IGMP querier. General query messages
are sent to the all-routers multicast group using address 224.0.0.2.

© 2015 Extreme Networks, Inc. All rights reserved. 285


All hosts receive the membership query and one or more hosts, host 2 in our example,
respond by multicasting an IGMP Membership Report to the multicast group, of which
the host is a member. (225.1.1.1) This report tells the router on the subnetwork that a
host is interested in receiving multicast traffic for group 225.1.1.1. The host responds
within the configured Host Response Interval. The default response interval is 10
seconds.
The multicast router promiscuously accept all possible multicast addresses, updating its
IGMP multicast group table with each new update.
After a multicast router knows what multicast groups that its leaf subnetworks require, it
then uses a multicast routing protocol to communicate with other routers to ensure that
the correct multicast group traffic is delivered from the source.
Routers maintain an IGMP multicast group table for each interface.

© 2015 Extreme Networks, Inc. All rights reserved. 286


When a host wishes to join a multicast group, it transmits a group membership protocol
message for the group(s) that it wishes to receive, and configures its IP process and
network interface card to receive frames addressed to the multicast group.
A new host does not have to wait for a router's membership query before sending its
host membership report. This reduces join latency if it is the first to join a particular
multicast group on a subnetwork.
Latency is the amount of time it takes for the host to receive its first packet after joining.
Note that latency can be near zero if the group is already active on the LAN. The end
station starts receiving the multicast stream even before it transmits a report.
The following applies to the join process:
Individual hosts are free to join or leave a multicast group at any time
There are no restrictions on the physical location or the number of members in a
multicast group
A host may be a member of more than one multicast group at any given time
A host does not have to belong to a group to send messages to members of a group

© 2015 Extreme Networks, Inc. All rights reserved. 287


In XOS, use the configure igmp command with the query_interval parameter to
change the time period that the router sends a general query from the default of 125
seconds. The query_response_interval specifies the maximum query response time (in
seconds). The last_member_query_interval specifies the maximum group-specific
query response time (in seconds). The example on the slide sets the query interval to
60, and accepts the defaults for query response interval and last member query
interval.

© 2015 Extreme Networks, Inc. All rights reserved. 288


IGMP builds a multicast source trees for each IGMP router in a layer 2 network. IGMP
Snooping builds a multicast source tree for a local switch. It is the ability of a switch to
interpret IGMP messages sent by hosts and then to restrict the forwarding of the
multicast packets to only those ports (member ports) on which IGMP messages have
been received without forwarding the multicast traffic to the non-member ports. If IGMP
snooping is disabled, all multicast packets will be flooded to every active port on the
switch.
NOTE
When a host is no longer interested in receiving the multicast stream and it only
supports IGMPv1, the switch stops sending the multicast stream to that host after a
host timer expires. The switch responds by sending
an IGMP query to all ports in the VLAN to detect if there are other interested hosts.

© 2015 Extreme Networks, Inc. All rights reserved. 289


© 2015 Extreme Networks, Inc. All rights reserved. 290
© 2015 Extreme Networks, Inc. All rights reserved. 291
© 2015 Extreme Networks, Inc. All rights reserved. 292
© 2015 Extreme Networks, Inc. All rights reserved. 293
© 2015 Extreme Networks, Inc. All rights reserved. 294
IGMP snooping filters allow you to configure a policy file on a port to allow or deny
IGMP report and leave packets coming into the port. The IGMP snooping filter feature
is supported by IGMPv2 and IGMPv3.
For the policies used as IGMP snooping filters, all the entries should be IP address type
entries, and the IP address of each entry must be in the class-D multicast address
space but should not be in the multicast control subnet range (224.0.0.x/24).

© 2015 Extreme Networks, Inc. All rights reserved. 295


After you create a policy file, use the configure igmp snooping command to associate
the policy file and filter to a set of ports. Use the none option to remove the filter.

© 2015 Extreme Networks, Inc. All rights reserved. 296


PIM Snooping
PIM snooping enables routers connected to a L2 switch to forward multicast streams to
each other. In this scenario, multicast traffic is essentially treated as broadcast traffic in
order for the multicast streams to be propagated because IGMP snooping does not
process PIM join messages.
PIM snooping addresses this flooding behavior by efficiently replicating multicast traffic
only onto ports which routers advertise the PIM join requests. The application for this
feature is for connecting PIM Autonomous Systems usually within an Internet
Exchange’s ISP peering network. PIM snooping does not require PIM to be enabled. A
discussion on PIM snooping is beyond the scope of this course.

© 2015 Extreme Networks, Inc. All rights reserved. 297


Source and Group Notation
Source and group notation is used in the explanations of how multicasting works and is
displayed in show commands.
● (S,G) indicates a specified source and specific group combination. i.e. (10.1.10.102,
225.0.0.1)
● (*,G) indicates any source and a specific group combination, e.g. (*, 225.0.0.1)
Reverse Path Forwarding
When multicasting traffic, a router cannot base a forwarding decision on the destination
address, because there is one address for a number of destination hosts In multicast
routing, the router has to decide which direction traffic needs to be sent by looking at
the source address and then forwarding traffic away from the source. This is essentially
unicast routing in reverse. Reverse Path Forwarding involves a simple check to see if
the interface the traffic is being received on is the shortest path to the source. If it is, the
router can then forward traffic out of all other interfaces. If it is not, it means there is a
loop in the network and the packet can then be discarded. This process is called an
“incoming interface check” or an “RPF check”.

© 2015 Extreme Networks, Inc. All rights reserved. 298


PIM relies on IGMP technology to determine group memberships and uses existing
unicast routes to perform reverse path forwarding (RPF) checks. RFP is, essentially a
method that uses the unicast routing table created by IP protocols such as OSPF, to
determine the source address of a packet. PIM uses RPF to set up distribution trees for
multicast traffic.

© 2015 Extreme Networks, Inc. All rights reserved. 299


Although configuration of a unicast routing protocol such as OSPF is required with PIM,
PIM-SM is protocol independent. That is, it does not rely on any one particular
underlying routing protocol to perform reverse path forwarding RPF checks. It can
perform this function using protocol‐specific routes from, OSPF, RIP, static config.

© 2015 Extreme Networks, Inc. All rights reserved. 300


PIM-SM relies on IGMP technology to determine group memberships and uses existing
unicast routes to perform reverse path forwarding (RPF) checks, which are, essentially,
a route lookup on the source. Its routing engine then returns the best interface,
regardless of how the routing table is constructed. In this sense, PIM is independent of
any routing protocol. It can perform RPF checks using protocol‐specific routes (for
example, OSPF routes), static routes, or a combination of route type.

© 2015 Extreme Networks, Inc. All rights reserved. 301


PIM-SM uses a shared-tree-type technology, which requires a rendezvous point. The
rendezvous point can be administratively assigned or dynamically elected on a specific
router in the PIM domain. Source devices have to register with the rendezvous point by
forwarding a join message. Initially, the source device may not know which router is the
rendezvous point so a join message is used. The multicast source initiates an IGMP
join message to its default gateway. In this case, the source’s default gateway is known
as the DR (Designated Router). The DR will forward the join message onto the RP
router. The RP router will respond building a path (tree) between the DR and itself.

© 2015 Extreme Networks, Inc. All rights reserved. 302


Note: Within PIM-SM a Designated Router (DR) is a router that performs the function of
forwarding multicast traffic from a unicast source to the appropriate distribution
(rendezvous point). A PIM-SM, DR is different from an OSPF Designated Router (DR),
and should not be interpreted as being the same.

Note: All traffic from the source device must be forwarded to the RP router.
Once the RP router receives the multicast traffic, it will then forward traffic to the
receivers. This may cause some delay with multicast packets reaching their final
destination since all packets must first go through the rendezvous point.

© 2015 Extreme Networks, Inc. All rights reserved. 303


PIM-SM operates on an explicit join model. PIM-SM routers only send multicast
streams to hosts that explicitly request it.
When a host wants a multicast stream, it sends an IGMP Join message with the (*,G)
information to its Querier Router. The router adds the interface on which it receives the
Join to the outgoing interface list in its multicast routing table, and forwards the Join to
the Rendezvous Point.

© 2015 Extreme Networks, Inc. All rights reserved. 304


The Rendezvous Point processes the Join, and adds the interface upon which the Join
arrived to outgoing interfaces for this group in its multicast routing table.
If the Rendezvous Point is currently part of the Shortest Path Tree (SPT) for this
multicast group and thus is currently receiving the multicast stream, it immediately
begins to forward the stream out that interface. If the RP is not currently receiving the
multicast stream, the Join process ends here. Note that it is possible for the two routers
involved to have interfaces that are outgoing interfaces for the multicast group, without
having multicast actually flowing.

© 2015 Extreme Networks, Inc. All rights reserved. 305


At this point, the multicast source begins sending multicast packets to the Designated
Router for its network.

© 2015 Extreme Networks, Inc. All rights reserved. 306


The Rendezvous Point sends a Join, (S,G) message to the Designated router to begin
receiving the multicast stream as multicast, and immediately begins to forward the
stream out all of its outgoing interfaces for that group. Each of the receiving routers also
begins immediately to forward the multicast stream out all of their outgoing interfaces
for that group.

© 2015 Extreme Networks, Inc. All rights reserved. 307


In the meantime, as soon as Router E, the Last Hop Router for Host A, receives the
multicast stream, it looks up the IP network for the Source in the (S,G) stream it is
receiving, to see if there is a shorter path back through the network to that source – i.e.,
a path that is faster than going through the Rendezvous Point.

© 2015 Extreme Networks, Inc. All rights reserved. 308


Router E discovers that it has a faster connection to Router B, which is functioning as
the gateway router for the multicast source device. Router E sends a Join (S,G)
message to Router B, to receive the multicast stream along the shortest path through
the network.

© 2015 Extreme Networks, Inc. All rights reserved. 309


Router B adds its connection to Router E to the outgoing interfaces list for this multicast
stream, and begins replicating the multicast packets and forwarding them to Router E.

© 2015 Extreme Networks, Inc. All rights reserved. 310


As soon as Router E begins receiving the multicast stream directly, it sends a Prune
(S,G) message up the shared tree to the Rendezvous Point.

© 2015 Extreme Networks, Inc. All rights reserved. 311


On a multi-access network such as Ethernet, PIM-SM implements a function called the
Designated Router

© 2015 Extreme Networks, Inc. All rights reserved. 312


© 2015 Extreme Networks, Inc. All rights reserved. 313
© 2015 Extreme Networks, Inc. All rights reserved. 314
© 2015 Extreme Networks, Inc. All rights reserved. 315
PIM-SM routers are organized into domains. A domain is defined as a contiguous set of
routers that all implement PIM and are configured to operate within a common
boundary.
The Bootstrap Router (BSR) distributes Rendezvous Point information to the other PIM-
SM routers within the domain. Each PIM-SM domain has one active BSR. You can
configure multiple routers as candidate BSRs for redundancy.
PIM-SM routers learn the addresses of Rendezvous Points and the groups for which
they are responsible from messages that the BSR sends to each of the routers.

© 2015 Extreme Networks, Inc. All rights reserved. 316


© 2015 Extreme Networks, Inc. All rights reserved. 317
© 2015 Extreme Networks, Inc. All rights reserved. 318
© 2015 Extreme Networks, Inc. All rights reserved. 319
© 2015 Extreme Networks, Inc. All rights reserved. 320
© 2015 Extreme Networks, Inc. All rights reserved. 321
© 2015 Extreme Networks, Inc. All rights reserved. 322
© 2015 Extreme Networks, Inc. All rights reserved. 323
© 2015 Extreme Networks, Inc. All rights reserved. 324
© 2015 Extreme Networks, Inc. All rights reserved. 325
End-hosts on a LAN segment are typically configured to send packets through the
gateway defined by a default route (or static routes) for remote destinations. Loss of the
default router results in a catastrophic event, isolating all end-hosts that are unable to
detect any alternate path that may be available. The Virtual Router Redundancy
Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static
default routed environment.
VRRP specifies an election protocol that dynamically assigns responsibility for a virtual
router to one of the VRRP routers on a LAN.
The VRRP router controlling the IP address(es) associated with a virtual router is called
the Master, and forwards packets sent to these IP addresses.
The election process provides dynamic fail-over in the forwarding responsibility should
the Master become unavailable.
Any of the virtual router's IP addresses on a LAN can then be used as the default first
hop router by end-hosts.

© 2015 Extreme Networks, Inc. All rights reserved. 326


Before we go any further, let’s get familiar with the terminology defined in RFC 3768:
VRRP Router - A router running the Virtual Router Redundancy Protocol.
Virtual Router - An abstract object managed by VRRP that acts as a default router for
hosts on a shared LAN. A VRRP router may participate in one or more virtual routers.
VRID – Uniqueness is required on a LAN segment only
IP Address Owner - The VRRP router that has the VR’s IP address(es) also as the real
interface address(es). This is the router that, when up, will be the master of the virtual
router instance and will respond to packets addressed to these IP addresses for ICMP
pings, TCP connections, etc.
Virtual Router Master - The VRRP router that assumes the responsibility of forwarding
packets sent to the IP address(es) associated with the virtual router, and answering
ARP requests for these IP addresses.
Virtual Router Backup - The set of VRRP routers available to assume forwarding
responsibility for a virtual router should the current Master fail.

If the virtual router IP address is the same as the interface (VLAN) address owned by a
VRRP router, then the router owning the address becomes the master. The master
sends an advertisement to all other VRRP routers declaring its status, and assumes
responsibility for forwarding packets associated with its virtual router ID (VRID). If the
virtual router IP address is not owned by any of the VRRP routers, then the routers
compare their priorities and the higher-priority owner becomes the master. If priority
values are the same, then the VRRP router with the higher IP address is selected as
the master.

© 2015 Extreme Networks, Inc. All rights reserved. 327


The VRRP protocol design provides rapid transition from Backup to Master to minimize
service interruption, and incorporates optimizations that reduce protocol complexity
while guaranteeing controlled Master transition for typical operational scenarios.
All protocol messaging is performed using IP multicast datagrams, thus the protocol can
operate over a variety of multiaccess LAN technologies supporting IP multicast. Each
VRRP virtual router has a single well-known MAC address allocated to it. The virtual
router MAC address is used as the source in all periodic VRRP messages sent by the
Master router to enable bridge learning in an extended LAN.
Master_Down_Timer - The amount of time that a Backup router will wait before it
becomes the new Master. Therefore, the higher the priority, the faster a Backup router
will detect that the Master is down.
The virtual router MAC address associated with a virtual router is an IEEE 802 MAC
Address in the following format:
00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)
The first 3 octets are derived from the IANA's OUI. The next 2 octets indicate
the address block assigned to the VRRP protocol. {VRID} is the VRRP Virtual
Router Identifier.

© 2015 Extreme Networks, Inc. All rights reserved. 328


© 2015 Extreme Networks, Inc. All rights reserved. 329
© 2015 Extreme Networks, Inc. All rights reserved. 330
© 2015 Extreme Networks, Inc. All rights reserved. 331
© 2015 Extreme Networks, Inc. All rights reserved. 332
© 2015 Extreme Networks, Inc. All rights reserved. 333
© 2015 Extreme Networks, Inc. All rights reserved. 334
Three types of ARP requests can be employed on a VRRP router:
Host ARP - Host ARP performs according to the following rules:
When a host sends an ARP request for one of the VR IP addresses, the master VR
returns the virtual MAC address (00-00-5e-00-01-VRID).
The backup VR must not respond to the ARP request for one of the VR IP addresses.
If the master VR is the IP address owner, when a host sends an ARP request for this
address, the master VR must respond with the virtual MAC address, not the real
physical MAC address.
For other IP addresses, the VRRP router must respond with the real physical MAC
address, regardless of master or backup.
Gratuitous ARP - behaves in the following manner on a VRRP router:
Each VR sends gratuitous ARP when it becomes the master with virtual IP and MAC
addresses. One gratuitous ARP is issued per VR IP address.
To make the switch learn the correct VR MAC address, the VR master sends gratuitous
ARP for every virtual IP address in the corresponding VR every 10 seconds.
Proxy ARP
If used, the VRRP master router must bind the virtual MAC address to remote IP
destination addresses in proxy ARP replies.

© 2015 Extreme Networks, Inc. All rights reserved. 335


© 2015 Extreme Networks, Inc. All rights reserved. 336
© 2015 Extreme Networks, Inc. All rights reserved. 337
© 2015 Extreme Networks, Inc. All rights reserved. 338
The ability to track remote interfaces is designed to address a condition in which the
Master VRRP it Router continues to process packets sent to the VRRP IP address,
even when it cannot forward the packet toward the packet’s ultimate destination.

© 2015 Extreme Networks, Inc. All rights reserved. 339


© 2015 Extreme Networks, Inc. All rights reserved. 340
© 2015 Extreme Networks, Inc. All rights reserved. 341
© 2015 Extreme Networks, Inc. All rights reserved. 342
© 2015 Extreme Networks, Inc. All rights reserved. 343
When you configure tracking of an IP route, you create a tracking entry for the specified
route. When this route becomes unreachable, this entry is considered to be failing. If
the route you configure does not exist, an immediate VRRP failover will occur.
When you configure tracking using ping, you create a tracking entry for the specified IP
address. The entry is tracked using pings to the IP address, sent at the specified
frequency. The values are:
vlan_name: Specifies the name of a VRRP VLAN.
vridval: Specifies the VRID of the target VRRP instance. To display the configured
VRRP router instances, enter the show vrrp command.
ipaddress: Specifies the IPv4 or IPv6 address to be tracked.
seconds: Specifies the number of seconds between pings to the target IP address.
The range is 1 to 600 seconds.
misses: Specifies the number of misses allowed before this entry is considered to be
failing. The range is 1 to 255 pings.

© 2015 Extreme Networks, Inc. All rights reserved. 344


In addition to the VRRP and EAPS, the core switches are usually configured with
OSPF.

© 2015 Extreme Networks, Inc. All rights reserved. 345


MLAG allows for the provision of multiple connections to the core switches without the
need for a loop prevention protocol. In an edge/core environment the core switches will
usually also run OSPF.

© 2015 Extreme Networks, Inc. All rights reserved. 346


© 2015 Extreme Networks, Inc. All rights reserved. 347
© 2015 Extreme Networks, Inc. All rights reserved 348

You might also like