ExtremeWare Software User Guide Software Version 6.1 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.com Published: April 2000 Part number: 100049-00 Rev.
©2000 Extreme Networks, Inc. All rights reserved. Extreme Networks and BlackDiamond are registered trademarks of Extreme Networks, Inc. in the United States and certain other jurisdictions.
Contents PREFACE Introduction xix Terminology xx Conventions xx Related Publications xxi 1 EXTREMEWARE OVERVIEW Summary of Features 1-1 Virtual LANs (VLANs) 1-3 Spanning Tree Protocol 1-3 Quality of Service 1-3 Unicast Routing 1-4 IP Multicast Routing 1-4 Load Sharing 1-4 “i” Chipset Products 1-5 “i” Chipset Feature Differences 1-5 Software Licensing 1-6 Router Licensing 1-6 Basic Functionality 1-6 Full L3 Functionality 1-6 Product Support 1-7 Verifying the Router License 1-7 Obtaining a Router License
Security Features Under License Control 1-8 Software Factory Defaults 1-8 2 ACCESSING THE SWITCH Understanding the Command Syntax 2-1 Syntax Helper 2-2 Command Completion with Syntax Helper 2-2 Abbreviated Syntax 2-2 Command Shortcuts 2-2 BlackDiamond and Alpine Switch Numerical Ranges Summit Switch Numerical Ranges 2-4 Names 2-4 Symbols 2-4 Line-Editing Keys 2-5 Command History 2-6 Common Commands 2-6 Configuring Management Access 2-9 User Account 2-10 Administrator Account 2-10 Prompt Text 2-10 Defa
Using a BOOTP Server 3-4 Manually Configuring the IP Settings 3-4 Disconnecting a Telnet Session 3-6 Controlling Telnet Access 3-6 Using Secure Shell 2 (SSH2) 3-7 Enabling SSH2 3-7 Using ExtremeWare Vista 3-8 Controlling Web Access 3-9 Using SNMP 3-10 Accessing Switch Agents 3-10 Supported MIBs 3-10 Configuring SNMP Settings 3-10 Displaying SNMP Settings 3-13 Authenticating Users 3-13 RADIUS Client 3-13 Per-Command Authentication Using RADIUS 3-14 Configuring RADIUS Client 3-14 RADIUS RFC 2138 Attributes 3-
Load-Sharing Algorithms 4-8 Configuring BlackDiamond and Alpine Switch Load Sharing Load-Sharing Example 4-11 Verifying the Load-Sharing Configuration 4-11 BlackDiamond and Alpine Switch Port-Mirroring 4-11 Port-Mirroring Commands 4-12 BlackDiamond Switch Port-Mirroring Example 4-12 Extreme Discovery Protocol 4-13 EDP Commands 4-13 5 CONFIGURING SUMMIT SWITCH PORTS Enabling and Disabling Summit Switch Ports 5-1 Configuring Summit Switch Port Speed and Duplex Setting Turning Off Autonegotiation for a Gigab
Assigning a VLAN Tag 6-6 Mixing Port-Based and Tagged VLANs 6-9 Protocol-Based VLANs 6-9 Predefined Protocol Filters 6-10 Defining Protocol Filters 6-11 Deleting a Protocol Filter 6-12 Precedence of Tagged Packets Over Protocol Filters 6-12 VLAN Names 6-12 Default VLAN 6-12 Renaming a VLAN 6-13 Configuring VLANs on the Switch 6-13 VLAN Configuration Commands 6-14 VLAN Configuration Examples 6-15 Displaying VLAN Settings 6-16 Generic VLAN Registration Protocol 6-17 GVRP and Spanning Tree Domains 6-19 GVRP Co
SPANNING TREE PROTOCOL (STP) Overview of the Spanning Tree Protocol 8-1 Spanning Tree Domains 8-2 STPD Status for GVRP-Added Ports 8-2 Defaults 8-3 STP Configurations 8-3 Configuring STP on the Switch 8-6 STP Configuration Example 8-8 Displaying STP Settings 8-8 Disabling and Resetting STP 8-9 9 QUALITY OF SERVICE (QOS) Overview of Policy-Based Quality of Service 9-2 Applications and Types of QoS 9-3 Voice Applications 9-3 Video Applications 9-3 Critical Database Applications 9-4 Web Browsing Applic
Configuring DiffServ 9-15 Observing DiffServ Information 9-17 Changing DiffServ Code point assignments in the Q0S Profile 9-17 Replacing DiffServ Code Points 9-18 DiffServ Example 9-19 Physical and Logical Groupings 9-20 Source port 9-20 VLAN 9-20 Verifying Physical and Logical Groupings 9-21 Verifying Configuration and Performance 9-21 QoS Monitor 9-21 Real-Time Performance Monitoring 9-22 Background Performance Monitoring 9-22 Displaying QoS Profile Information 9-23 Modifying a QoS Policy 9-23 Intra-Subne
ESRP Host Attach 10-9 ESRP Domains 10-10 ESRP Groups 10-11 Linking ESRP Switches 10-12 Configuring ESRP and Multinetting 10-12 ESRP and Spanning Tree 10-12 ESRP and VLAN aggregation 10-13 ESRP Commands 10-14 ESRP Examples 10-16 Single VLAN Using Layer 2 and Layer 3 Redundancy Multiple VLANs Using Layer 2 Redundancy 10-18 Displaying ESRP Information 10-20 11 IP UNICAST ROUTING Overview of IP Unicast Routing 11-2 Router Interfaces 11-2 Populating the Routing Table 11-3 Dynamic Routes 11-4 Static Routes 11-4
Configuring DHCP/BOOTP Relay 11-16 Verifying the DHCP/BOOTP Relay Configuration 11-16 UDP-Forwarding 11-16 Configuring UDP-Forwarding 11-17 UDP-Forwarding Example 11-17 ICMP Packet Processing 11-18 UDP-Forwarding Commands 11-18 IP Commands 11-19 Routing Configuration Example 11-25 Displaying Router Settings 11-27 Resetting and Disabling Router Settings 11-28 12 INTERIOR GATEWAY ROUTING PROTOCOLS Overview 12-2 RIP Versus OSPF 12-2 Overview of RIP 12-3 Routing Table 12-3 Split Horizon 12-4 Poison Reverse 1
RIP Configuration Example 12-17 Displaying RIP Settings 12-19 Resetting and Disabling RIP 12-20 Configuring OSPF 12-21 OSPF Configuration Example 12-25 Configuration for ABR1 12-27 Configuration for IR1 12-27 Displaying OSPF Settings 12-28 Resetting and Disabling OSPF Settings 12-28 13 EXTERIOR GATEWAY ROUTING PROTOCOLS Overview 13-2 BGP Attributes 13-2 BGP Communities 13-3 BGP Features 13-3 Route Reflectors 13-3 Route Confederations 13-4 Route Confederation Example 13-4 Route Aggregation 13-8 Using Rout
PIM-DM Configuration Example 14-10 Configuration for IR1 14-11 Configuration for ABR1 14-13 Displaying IP Multicast Routing Settings 14-13 Deleting and Resetting IP Multicast Settings 14-14 15 IPX ROUTING Overview of IPX 15-1 Router Interfaces 15-1 IPX Routing Performance 15-3 IPX Encapsulation Types 15-3 Populating the Routing Table 15-4 Dynamic Routes 15-4 Static Routes 15-4 IPX/RIP Routing 15-4 GNS Support 15-5 Routing SAP Advertisements 15-5 Configuring IPX 15-6 Verifying IPX Router Configuration 15-6
Access Lists for ICMP 16-5 Verifying Access List Configurations 16-6 Access List Commands 16-6 IP Access List Examples 16-11 Using the Permit-Established Keyword 16-11 Example 2: Filter ICMP Packets 16-14 Using Routing Access Policies 16-15 Creating an Access Profile 16-16 Configuring an Access Profile Mode 16-16 Adding an Access Profile Entry 16-17 Specifying Subnet Masks 16-17 Sequence Numbering 16-17 Permit and Deny Entries 16-18 Autonomous System Expressions 16-18 Deleting an Access Profile Entry 16-18
17 SERVER LOAD BALANCING (SLB) Overview 17-2 SLB Components 17-2 Nodes 17-3 Pools 17-3 Virtual Servers 17-3 Using Standard or Wildcard Virtual Servers Forwarding Modes 17-5 Transparent Mode 17-5 Translational Mode 17-8 Port Translation Mode 17-10 GoGo Mode 17-11 VIP Network Advertisement 17-12 Balancing Methods 17-13 Round-Robin 17-13 Ratio 17-13 Ratio Weight 17-14 Least Connections 17-14 Priority 17-14 Basic SLB Commands 17-15 Advanced SLB Application Example 17-18 Health Checking 17-22 Ping-Check 17-23 P
Sample Active-Active Configuration Using Manual Fail-Back 17-31 3DNS Support 17-32 Advanced SLB Commands 17-32 Web Cache Redirection 17-38 Flow Redirection 17-38 Flow Redirection Commands 17-39 Flow Redirection Example 17-39 18 STATUS MONITORING AND STATISTICS Status Monitoring 18-1 Slot Diagnostics 18-3 Port Statistics 18-4 Port Errors 18-5 Port Monitoring Display Keys 18-6 Setting the System Recovery Level 18-7 Logging 18-7 Local Logging 18-9 Real-Time Display 18-9 Remote Logging 18-9 Logging Configu
Task Frame 19-4 Content Frame 19-4 Browser Controls 19-5 Status Messages 19-5 Standalone Buttons 19-5 Saving Changes 19-6 Filtering Information 19-6 Do a GET When Configuring a VLAN 19-7 Sending Screen Output to Extreme Networks 19-7 20 SOFTWARE UPGRADE AND BOOT OPTIONS Downloading a New Image 20-1 Rebooting the Switch 20-2 Saving Configuration Changes 20-3 Returning to Factory Defaults 20-3 Using TFTP to Upload the Configuration 20-4 Using TFTP to Download the Configuration 20-5 Downloading a Complet
TOP Command B-8 Contacting Extreme Technical Support B-8 INDEX INDEX OF COMMANDS
Preface This Preface provides an overview of this guide, describes guide conventions, and lists other publications that may be useful. INTRODUCTION This guide provides the required information to configure ExtremeWare™ software running on a BlackDiamond™, Alpine™, or Summit™ switch. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment.
• Internet Packet Exchange (IPX) concepts
• Server Load Balancing (SLB) concepts
• Simple Network Management Protocol (SNMP)
If the information in the “Release Notes” shipped with your switch differs from the information in this guide, follow the “Release Notes.”
TERMINOLOGY When features, functionality, or operation is specific to the Summit, Alpine, or BlackDiamond switch family, the family name is used.
Table 2: Text Conventions
Convention: Description
• Screen displays: This typeface indicates command syntax, or represents information as it appears on the screen.
• Screen displays bold: This typeface indicates how you would type a particular command.
• The words “enter” and “type”: When you see the word “enter” in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says “type.”
1 ExtremeWare Overview This chapter covers the following topics: • Summary of Features on page 1-1 • “i” Chipset Products on page 1-5 • Software Licensing on page 1-6 • Software Factory Defaults on page 1-8 ExtremeWare is the full-featured software operating system that is designed to run on the BlackDiamond, Alpine, and Summit families of Gigabit Ethernet switches.
• Extreme Standby Router Protocol (ESRP)
• Routing Information Protocol (RIP) version 1 and RIP version 2
• Open Shortest Path First (OSPF) routing protocol
• Border Gateway Protocol (BGP) version 4
• Wire-speed IP multicast routing support
• Diffserv support
• Access-policy support for routing protocols
• Access list support for packet filtering
• IGMP snooping to control IP multicast traffic
• Distance Vector Multicast Routing Protocol (DVMRP)
• Protocol Independent Multicast-Dense M
VIRTUAL LANS (VLANS) ExtremeWare has a VLAN feature that enables you to construct your broadcast domains without being restricted by physical connections. A VLAN is a group of location- and topology-independent devices that communicate as if they were on the same physical local area network (LAN). Implementing VLANs on your network has the following three advantages:
• They help to control broadcast traffic.
For more information on Quality of Service, refer to Chapter 9.
UNICAST ROUTING The switch can route IP or IPX traffic between the VLANs that are configured as virtual router interfaces. Both dynamic and static IP routes are maintained in the routing table. The following routing protocols are supported:
• RIP version 1
• RIP version 2
• OSPF
• IPX/RIP
• BGP version 4
For more information on IP unicast routing, refer to Chapter 11. For more information on IPX/RIP, refer to Chapter 15.
For information on load sharing, refer to Chapter 4 and Chapter 5.
“i” CHIPSET PRODUCTS Summit switches and BlackDiamond 6800 switch modules that use naming conventions ending with an “i” have additional capabilities that are documented throughout this User Guide. For the most current list of products supporting the “i” chipset, consult your Release Notes.
SOFTWARE LICENSING Some Extreme Networks products have capabilities that are enabled by using a license key. Keys are typically unique to the switch, and are not transferable. Keys are stored in NVRAM and, once entered, persist through reboots, software upgrades, and reconfigurations. The following sections describe the features that are associated with license keys.
ROUTER LICENSING Some switches support software licensing for different levels of router functionality.
PRODUCT SUPPORT ExtremeWare version 6.0 and above supports router licensing on the Summit24 switch, Summit48 switch, and Summit7i switch. The BlackDiamond 6808 switch supports all documented router functions, without the need for additional router licensing. Consult the Release Notes for the most current set of products that require router licensing support.
VERIFYING THE ROUTER LICENSE To verify the router license, use the show switch command.
OBTAINING A SECURITY LICENSE To obtain information on enabling features that require export restriction, access the Extreme Networks Support website at: http://www.extremenetworks.com/go/security.htm Fill out a contact form to indicate compliance or non-compliance with the export restrictions. If you are in compliance, you will be given information that will allow you to enable security features.
SECURITY FEATURES UNDER LICENSE CONTROL ExtremeWare version 6.
SOFTWARE FACTORY DEFAULTS
Table 1-1: ExtremeWare Global Factory Defaults (continued)
Item: Default Setting
• Virtual LANs: Three VLANs pre-defined. VLAN named default contains all ports and belongs to the STPD named s0. VLAN mgmt exists only on switches that have an Ethernet management port, and contains only that port. The Ethernet management port is DTE only, and is not capable of switching or routing. VLAN MacVLanDiscover is used only when using the MAC VLAN feature.
• 802.
2 Accessing the Switch This chapter covers the following topics: • Understanding the Command Syntax on page 2-1 • Line-Editing Keys on page 2-5 • Command History on page 2-6 • Common Commands on page 2-6 • Configuring Management Access on page 2-9 • Domain Name Service Client Services on page 2-13 • Checking Basic Connectivity on page 2-13 UNDERSTANDING THE COMMAND SYNTAX This section describes the steps to take when entering a command.
3 The value part of the command specifies how you want the parameter to be set. Values include numerics, strings, or addresses, depending on the parameter.
4 After entering the complete command, press [Return].
If an asterisk (*) appears in front of the command-line prompt, it indicates that you have outstanding configuration changes that have not been saved. For more information on saving configuration changes, refer to Chapter 20.
Once you have created the VLAN with a unique name, you can then eliminate the keyword vlan from all other commands that require the name to be entered.
SUMMIT SWITCH NUMERICAL RANGES Commands that require you to enter one or more port numbers on a Summit switch use the parameter in the syntax. A portlist can be a range of numbers, for example:
port 1-3
You can add additional port numbers to the list, separated by a comma:
port 1-3,6,8
NAMES All named components of the switch configuration must have a unique name.
Table 2-1: Command Syntax Symbols (continued)
Symbol: Description
• vertical bar |: Separates mutually exclusive items in a list, one of which must be entered. For example, in the syntax config snmp community [read-only | read-write] you must specify either the read or write community string in the command. Do not type the vertical bar.
• braces { }: Enclose an optional value or a list of optional arguments. One or more values or arguments can be specified.
Table 2-2: Line-Editing Keys (continued)
Key(s): Description
• [Ctrl] + U: Clears all characters typed from cursor to beginning of line.
• [Ctrl] + W: Deletes previous word.
COMMAND HISTORY ExtremeWare “remembers” the last 49 commands you entered. You can display a list of these commands by using the following command:
history
COMMON COMMANDS Table 2-3 describes common commands used to manage the switch.
Table 2-3: Common Commands (continued)
Command: Description
• config slot module [f32t | f32f | f48t | g4x | g6x | g8x | g12x]: Configures a slot for a particular I/O module card.
• config ssh2 key {pregenerated}: Generates the SSH2 host key.
• config sys-recovery-level [none | critical | all]: Configures a recovery option for instances where an exception occurs in ExtremeWare. Specify one of the following:
• config time
Table 2-3: Common Commands (continued)
Command: Description
• delete vlan: Deletes a VLAN.
• disable bootp vlan [ | all]: Disables BOOTP for one or more VLANs.
• disable cli-config-logging: Disables logging of CLI commands to the Syslog.
• disable clipaging: Disables pausing of the screen display when a show command output reaches the end of the page.
• disable idletimeout: Disables the timer that disconnects all sessions.
Table 2-3: Common Commands (continued)
Command: Description
• enable ssh2 {access-profile [ | none]} {port }: Enables SSH2 Telnet sessions. By default, SSH2 is enabled with no access profile, and uses TCP port number 22. To cancel a previously configured access-profile, use the none option.
• enable telnet {access-profile [ | none]} {port }: Enables Telnet access to the switch.
USER ACCOUNT A user-level account has viewing access to all manageable parameters, with the exception of the following:
• User account database
• SNMP community strings
A user-level account can use the ping command to test device reachability, and change the password assigned to the account name. If you have logged on with user capabilities, the command-line prompt ends with a (>) sign.
DEFAULT ACCOUNTS By default, the switch is configured with two accounts, as shown in Table 2-4.
Table 2-4: Default Accounts
Account Name: Access Level
• admin: This user can access and change all manageable parameters. The admin account cannot be deleted.
• user: This user can view (but not change) all manageable parameters, with the following exceptions:
  ■ This user cannot view the user account database.
  ■ This user cannot view the SNMP community strings.
CHANGING THE
5 Re-enter the new password at the prompt.
If you forget your password while logged out of the command-line interface, contact your local technical support representative, who will advise on your next course of action.
CREATING A MANAGEMENT ACCOUNT The switch can have a total of 16 management accounts. You can use the default names (admin and user), or you can create new names and passwords for the accounts.
DOMAIN NAME SERVICE CLIENT SERVICES The Domain Name Service (DNS) client in ExtremeWare augments the following commands to allow them to accept either IP addresses or host names:
• telnet
• download [bootrom | configuration | image]
• upload configuration
• ping
• traceroute
In addition, the nslookup utility can be used to return the IP address of a hostname. Table 2-5 describes the commands used to configure DNS.
PING The ping command enables you to send Internet Control Message Protocol (ICMP) echo messages to a remote IP device. The ping command is available for both the user and administrator privilege level. The ping command syntax is
ping {continuous} {size {- }} [ | ] {from | with record-route | from with record-route}
Options for the ping command are described in Table 2-6.
CHECKING BASIC CONNECTIVITY
TRACEROUTE The traceroute command enables you to trace the routed path between the switch and a destination endstation. The traceroute command syntax is
traceroute [ | ] {from } {ttl } {port }
where:
• ip_address is the IP address of the destination endstation.
• hostname is the hostname of the destination endstation. To use the hostname, you must first configure DNS.
• from uses the specified source address in the ICMP packet.
3 Managing the Switch This chapter covers the following topics: • Overview on page 3-1 • Using the Console Interface on page 3-2 • Using Telnet on page 3-3 • Using Secure Shell 2 (SSH2) on page 3-7 • Using ExtremeWare Vista on page 3-8 • Using SNMP on page 3-10 • Authenticating Users on page 3-13 • Using the Simple Network Time Protocol on page 3-21 OVERVIEW Using ExtremeWare, you can manage the switch using the following methods: • Access the CLI by connecting a terminal (or workstation with terminal-em
— ExtremeWare Vista Web access using a standard Web browser
— SNMP access using ExtremeWare Enterprise Manager or another SNMP manager
The switch supports up to the following number of concurrent user sessions:
• One console session — Two console sessions are available on a BlackDiamond switch that has two Management Switch Fabric Modules (MSMs) installed.
You can configure the IP address, subnet mask, and default router for the VLAN mgmt, using the following commands:
config vlan mgmt ipaddress /
config iproute add default
USING TELNET Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP network. Up to eight active Telnet sessions can access the switch concurrently. If idletimeouts are enabled, the Telnet connection will time out after 20 minutes of inactivity.
USING A BOOTP SERVER If you are using IP and you have a Bootstrap Protocol (BOOTP) server set up correctly on your network, you must add the following information to the BOOTP server:
• Switch Media Access Control (MAC) address, found on the rear label of the switch
• IP address
• Subnet address mask (optional)
Once this is done, the IP address and subnet mask for the switch will be downloaded automatically. You can then start managing the switch without further configuration.
must be assigned an IP address and subnet mask. IP addresses are always assigned to a VLAN. The switch can be assigned multiple IP addresses. For information on creating and configuring VLANs, refer to Chapter 6. To manually configure the IP settings, perform the following steps:
1 Connect a terminal or workstation running terminal-emulation software to the console port.
2 At your terminal, press [Return] one or more times until you see the login prompt.
6 Configure the default route for the switch using the following command:
config iproute add default {}
For example:
config iproute add default 123.45.67.1
7 Save your configuration changes so that they will be in effect after the next switch reboot, by typing
save
8 When you are finished using the facility, log out of the switch by typing
logout
or
quit
DISCONNECTING A TELNET SESSION An administrator-level account can disconnect a Telnet management session.
To display the status of Telnet, use the following command:
show management
You can choose to disable Telnet by using the following command:
disable telnet
To re-enable Telnet on the switch, use the following command at the console port:
enable telnet
You must be logged in as an administrator to enable or disable Telnet. For more information on Access Profiles, see Chapter 16.
USING SECURE SHELL 2 (SSH2)
To enable SSH2, use the following command:
enable ssh2 {access-profile [ | none]} {port }
An authentication key must be generated for each SSH2 session. This can be done automatically by the switch or by the client application. To have the key generated by the switch, use the following command:
config ssh2 key {pregenerated}
If you do not select automatic key generation, you are prompted to enter the key when you enable SSH2.
USING EXTREMEWARE VISTA For more information on assigning an IP address, refer to the section, “Configuring Switch IP Parameters,” on page 3-3. The default home page of the switch can be accessed using the following command:
http://
When you access the home page of the switch, you are presented with the Logon screen. For more information on using ExtremeWare Vista, refer to Chapter 19.
CONTROLLING WEB ACCESS By default, Web access is enabled on the switch.
USING SNMP Any Network Manager running the Simple Network Management Protocol (SNMP) can manage the switch, provided the Management Information Base (MIB) is installed correctly on the management station. Each Network Manager provides its own user interface to the management facilities. The following sections describe how to get started if you want to use an SNMP manager. It assumes you are already familiar with SNMP management.
To configure SNMP read access to use an access profile, use the command:
config snmp access-profile readonly [ | none]
Use the none option to remove a previously configured access profile.
• SNMP read/write access — The ability to read and write SNMP information can be restricted through the use of an access profile. An access profile permits or denies a named list of IP addresses and subnet masks.
Table 3-1: SNMP Configuration Commands (continued)
Command: Description
• config snmp add trapreceiver community: Adds the IP address of a specified trap receiver. The IP address can be a unicast, multicast, or broadcast address. A maximum of 16 trap receivers is allowed.
• config snmp community [read-only | read-write]: Adds an SNMP read or read/write community string. The default read-only community string is public.
DISPLAYING SNMP SETTINGS To display the SNMP settings configured on the switch, use the following command:
show management
This command displays the following information:
• Enable/disable state for Telnet, SSH2, SNMP, and Web access, along with access profile information
• SNMP community strings
• Authorized SNMP station list
• SNMP trap receiver list
• RMON polling configuration
• Login statistics
AUTHENTICATING USERS ExtremeWare provides two methods to authenticate users who login
The privileges assigned to the user (admin versus non-admin) at the RADIUS server take precedence over the configuration in the local switch database.
PER-COMMAND AUTHENTICATION USING RADIUS The RADIUS implementation can be used to perform per-command authentication. Per-command authentication allows you to define several levels of user capabilities by controlling the permitted command sets based on the RADIUS username and password.
Table 3-2: RADIUS Commands
Command: Description
• config radius [primary | secondary] server [ | ] {} client-ip: Configures the primary and secondary RADIUS server. Specify the following:
  ■ [primary | secondary] — Configure either the primary or secondary RADIUS server.
  ■ [ | ] — The IP address or hostname of the server being configured.
  ■ — The UDP port to use to contact the RADIUS server.
Table 3-2: RADIUS Commands (continued)
Command: Description
• config radius-accounting [primary | secondary] shared-secret: Configures the authentication string used to communicate with the RADIUS accounting server.
• disable radius: Disables the RADIUS client.
• disable radius-accounting: Disables RADIUS accounting.
• enable radius: Enables the RADIUS client. When enabled, all Web and CLI logins are sent to the RADIUS servers for authentication.
files. The client configuration file (ClientCfg.txt) defines the authorized source machine, source name, and access level. The user configuration file (users) defines username, password, and service type information.
ClientCfg.txt
#Client Name
#---------------
#10.1.2.3:256
#pm1
#pm2
#merit.edu/homeless
#homeless
#xyz.merit.edu
#anyoldthing:1234
10.202.1.3
10.203.1.41
10.203.1.42
10.0.52.
compiled format for Solaris™ or Linux™ operating systems, as well as in source code format. For all clients that use RADIUS per-command authentication, you must add the following type to the client file:
type:extreme:nas + RAD_RFC + ACCT_RFC
Within the users configuration file, additional keywords are available for Profile-Name and Extreme-CLI-Authorization. To use per-command authentication, enable the CLI authorization function and indicate a profile name for that user.
user    Password = ""
        Filter-Id = "unlim"
admin   Password = "", Service-Type = Administrative
        Filter-Id = "unlim"
eric    Password = "", Service-Type = Administrative, Profile-Name = ""
        Filter-Id = "unlim"
        Extreme:Extreme-CLI-Authorization = Enabled
albert  Password = "", Service-Type = Administrative, Profile-Name = "Profile1"
        Filter-Id = "unlim"
        Extreme:Extreme-CLI-Authorization = Enabled
lulu    Password = "", Service-Type = Administrative, Profile-Name = "Profile1"
        Filter-Id = "unlim"
        E
CONFIGURING TACACS+ Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing authentication, authorization, and accounting on a centralized server, similar in function to the RADIUS client. The ExtremeWare version of TACACS+ is used to authenticate prospective users who are attempting to administer the switch. TACACS+ is used to communicate between the switch and an authentication database. You cannot use RADIUS and TACACS+ at the same time.
Table 3-3: TACACS+ Commands (continued)
Command: Description
• disable tacacs-accounting: Disables TACACS+ accounting.
• disable tacacs-authorization: Disables CLI command authorization.
• enable tacacs: Enables TACACS+. Once enabled, all Web and CLI logins are sent to one of the two TACACS+ servers for login name authentication and accounting.
• enable tacacs-accounting: Enables TACACS+ accounting. If accounting is used, the TACACS+ client must also be enabled.
USING THE SIMPLE NETWORK TIME PROTOCOL
CONFIGURING AND USING SNTP To use SNTP, follow these steps:
1 Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method for obtaining NTP updates. The options are for the NTP server to send out broadcasts, or for switches using NTP to query the NTP server(s) directly. A combination of both methods is possible. You must identify the method that should be used for the switch being configured.
This command provides configuration and statistics associated with SNTP and its connectivity to the NTP server.
— show switch
This command indicates the GMT offset, Daylight Savings Time, and the current local time.
NTP updates are distributed using GMT time. To properly display the local time in logs and other timestamp information, the switch should be configured with the appropriate offset to GMT based on geographical location. Table 3-4 describes GMT offsets.
Table 3-4: Greenwich Mean Time Offsets (continued)
GMT Offset in Hours (GMT Offset in Minutes): Common Time Zone References
• -12:00 (-720): IDLW - International Date Line West
• +1:00 (+60): CET - Central European
• +2:00 (+120): EET - Eastern European, Russia Zone 1; Athens, Greece; Helsinki, Finland; Istanbul, Turkey; Jerusalem, Israel; Harare, Zimbabwe
• +3:00 (+180): BT - Baghdad, Russia Zone 2; Kuwait; Nairobi, Kenya; Riyadh, Saudi Arabia; Moscow, Russia; Tehran, Iran
• +4:00 (+240): ZP4 - R
SNTP CONFIGURATION COMMANDS Table 3-5 describes SNTP configuration commands.
Table 3-5: SNTP Configuration Commands
Command: Description
• config sntp-client [primary | secondary] server [ | ]: Configures an NTP server for the switch to obtain time information. Queries are first sent to the primary server. If the primary server does not respond within 1 second, or if it is not synchronized, the switch queries the second server.
4 Configuring BlackDiamond and Alpine Switch Slots and Ports This chapter covers the following topics: • Configuring a Slot on page 4-1 • BlackDiamond and Alpine Switch Port Configuration on page 4-2 • Jumbo Frames on page 4-7 • Load Sharing on the BlackDiamond and Alpine Switch on page 4-7 • BlackDiamond and Alpine Switch Port-Mirroring on page 4-11 For information on configuring ports on the Summit switch, refer to Chapter 5.
You can configure the BlackDiamond or Alpine switch with the type of I/O module that is installed in each I/O slot. To do this, use the following command:

config slot module [f32t | f32f | f48t | g4x | g6x | g8x | g12x]

You can also pre-configure the slot before inserting the module card. This allows you to begin configuring the module and ports before installing the card in the chassis.
BLACKDIAMOND AND ALPINE SWITCH PORT CONFIGURATION

For example, if a G4X I/O module (having a total of four ports) is installed in slot 2 of the BlackDiamond 6808 chassis, the following ports are valid:
• 2:1
• 2:2
• 2:3
• 2:4

You can also use wildcard combinations (*) to specify multiple BlackDiamond or Alpine slot and port combinations. The following wildcard combinations are allowed:
• slot:* — Specifies all ports on a particular I/O module.
10BASE-T and 100BASE-TX ports can connect to either 10BASE-T or 100BASE-T networks. By default, the ports autonegotiate port speed. You can also configure each port for a particular speed (either 10 Mbps or 100 Mbps). Gigabit Ethernet ports are statically set to 1 Gbps, and their speed cannot be modified.
Table 4-1: BlackDiamond and Alpine Switch Port Commands (continued)

Command: config ports auto off {speed [10 | 100 | 1000]} duplex [half | full]
Description: Changes the configuration of a group of ports. Specify the following:
■ auto off — The port will not autonegotiate the settings.
■ speed — The speed of the port (for 10/100 Mbps or 100/1000 Mbps ports only).
■ duplex — The duplex setting (half- or full-duplex).
Table 4-1: BlackDiamond and Alpine Switch Port Commands (continued)

Command: enable sharing grouping {port-based | address-based | round-robin}
Description: Defines a load-sharing group of ports. The ports specified in are grouped to the master port. Optional load-sharing algorithms include:
■ port-based — Uses the ingress port as criteria for egress port selection.
JUMBO FRAMES

Jumbo frames are Ethernet frames that are larger than 1523 bytes, including four bytes used for the cyclic redundancy check (CRC). Extreme products that use the “i” chipset support switching and routing of jumbo frames at wire-speed on all ports. Jumbo frames are used between endstations that support larger frame sizes for more efficient transfers of bulk data. Both endstations involved in the transfer must be capable of supporting jumbo frames.
For example, VLANs see the load-sharing group as a single logical port. Most load-sharing algorithms guarantee packet sequencing between clients. If a port in a load-sharing group fails, traffic is redistributed to the remaining ports in the load-sharing group. If the failed port becomes active again, traffic is redistributed to include that port. Load sharing must be enabled on both ends of the link, or a network loop may result.
LOAD SHARING ON THE BLACKDIAMOND AND ALPINE SWITCH

The address-based and round-robin load-sharing algorithms are supported by BlackDiamond switch modules that use the “i” chipset and all Alpine 3800 switch modules. The modules end with an “i” in their model designation (for example, G12SXi), and require the use of the MSM64i. For more information on “i” chipset products, refer to Chapter 1.
[Table 4-3: Port Combinations for the G6X Module (4-port and 2-port load-sharing groups over ports 1 through 6; grid not reproduced)]

[Table 4-4: Port Combinations for the F32T and F32F Modules (4-port and 2-port load-sharing groups over ports 1 through 32; grid not reproduced)]
LOAD-SHARING EXAMPLE

The following example defines a load-sharing group on slot 3 that contains ports 9 through 12, and uses the first port in the group as the master logical port 9:

enable sharing 3:9 grouping 3:9-3:12

In this example, logical port 3:9 represents physical ports 3:9 through 3:12.
Up to eight mirroring filters and one monitor port can be configured. Once a port is specified as a monitor port, it cannot be used for any other function. Frames that contain errors are not mirrored. On switches that do not support the “i” chipset, mirrored frames that are transmitted from the switch do not contain 802.1Q VLAN tagging information.
EXTREME DISCOVERY PROTOCOL

The Extreme Discovery Protocol (EDP) is used to gather information about neighbor Extreme Networks switches. EDP is used by the switches to exchange topology information. EDP is also used by the Extreme Standby Router Protocol (ESRP), described in Chapter 10.
5 Configuring Summit Switch Ports

This chapter covers the following topics:
• Enabling and Disabling Summit Switch Ports on page 5-1
• Configuring Summit Switch Port Speed and Duplex Setting on page 5-2
• Summit Switch Port Commands on page 5-3
• Jumbo Frames on page 5-5
• Load Sharing on the Summit Switch on page 5-6
• Summit Switch Port-Mirroring on page 5-10
• Smart Redundancy on page 5-13

For information on how to configure ports on the BlackDiamond or Alpine switch, refer to Chapter 4.
For example, to disable ports 3, 5, and 12 through 15 on the Summit switch, enter the following:

disable port 3,5,12-15

Even though a port is disabled, the link remains enabled for diagnostic purposes.

CONFIGURING SUMMIT SWITCH PORT SPEED AND DUPLEX SETTING

By default, the Summit switch is configured to use autonegotiation to determine the port speed and duplex setting for each port.
TURNING OFF AUTONEGOTIATION FOR A GIGABIT ETHERNET PORT

In certain interoperability situations, it is necessary to turn autonegotiation off on a Gigabit Ethernet port. Even though a Gigabit Ethernet port runs only at full duplex and gigabit speeds, the command that turns off autonegotiation must still include the duplex setting.
Table 5-1: Summit Switch Port Commands (continued)

Command: disable learning ports
Description: Disables MAC address learning on one or more ports for security purposes. If MAC address learning is disabled, only broadcast traffic, EDP traffic, and packets destined to a permanent MAC address matching that port number are forwarded to the port. The default setting is enabled.

Command: disable ports
Description: Disables a port.
Table 5-1: Summit Switch Port Commands (continued)

Command: restart ports
Description: Resets autonegotiation for one or more ports by resetting the physical link.

Command: show ports {} collisions
Description: Displays real-time collision statistics.

Command: show ports {} configuration
Description: Displays the port configuration.

Command: show ports {} info {detail}
Description: Displays detailed system-related information.

Command: show ports {} packet
Description: Displays a histogram of packet statistics.
The jumbo_frame_mtu range is 1523 to 9216. The value describes the maximum size “on the wire,” and includes 4 bytes of CRC plus another 4 bytes if 802.1Q tagging is being used.

Next, enable support on the physical ports that will carry jumbo frames, using the following command:

enable jumbo-frame ports [
LOAD SHARING ON THE SUMMIT SWITCH

LOAD SHARING ALGORITHMS

Load sharing algorithms allow you to select the distribution technique used by the load-sharing group to determine the output port selection. Algorithm selection is not intended for use in predictive traffic engineering. You can configure one of three load-sharing algorithms on the switch, as follows:
• Port-based — Uses the ingress port to determine which physical port in the load-sharing group is used to forward traffic out of the switch.
On switches that do not have the “i” chipset, the following additional rules apply:
• Ports in a load-sharing group must be contiguous.
• Ports on the switch are divided into groups of two or four.
• Address-based and round-robin load sharing algorithms do not apply.

Follow the outlined boxes in Table 5-2 through Table 5-7 to determine the valid port combinations.
[Table 5-5: Port Combinations for the Summit4 Switch and Summit4/FX Switch (4-port and 2-port load-sharing groups over ports 1 through 22; grid not reproduced)]

[Table 5-6: Port Combinations for the Summit24 Switch (4-port and 2-port load-sharing groups; grid not reproduced)]
To define a load-sharing group, you assign a group of ports to a single, logical port number.
SUMMIT SWITCH PORT-MIRRORING

The traffic filter can be defined based on one of the following criteria:
• Physical port — All data that traverses the port, regardless of VLAN configuration, is copied to the monitor port.
• VLAN — All data to and from a particular VLAN, regardless of the physical port configuration, is copied to the monitor port.
• Virtual port — All data specific to a VLAN on a specific port is copied to the monitor port.
SUMMIT SWITCH PORT-MIRRORING EXAMPLE

The following example selects port 3 as the mirror port, and sends all traffic coming into or out of the switch on port 1 to the mirror port:

enable mirroring to port 3
config mirroring add port 1

The following example sends all traffic coming into or out of the switch on port 1 and the VLAN default to the mirror port:

config mirroring add port 1 vlan default

EXTREME DISCOVERY PROTOCOL

The Extreme Discovery Protocol (EDP) is used to gat
SMART REDUNDANCY

Smart redundancy defines the behavior of switches equipped with redundant Gigabit Ethernet ports (for example, the Summit24 and Summit48). When the switch becomes operational, it attempts to establish connectivity on the primary link. If this fails, the redundant port is attempted. When connectivity is established (or re-established) on the primary link, the primary link is used.
If smart redundancy is disabled, both the primary and redundant ports are dual-homed to active Gigabit Ethernet ports. It is not possible to predict which port will become active, and the first port to initialize becomes the primary. Enabling smart redundancy allows you to predict port failover and fail-back behavior.
6 Virtual LANs (VLANs)

This chapter covers the following topics:
• Overview of Virtual LANs on page 6-1
• Types of VLANs on page 6-2
• VLAN Names on page 6-12
• Configuring VLANs on the Switch on page 6-13
• Displaying VLAN Settings on page 6-16
• Generic VLAN Registration Protocol on page 6-17
• MAC-Based VLANs on page 6-20

Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.
BENEFITS

Implementing VLANs on your networks has the following advantages:
• VLANs help to control traffic. With traditional networks, congestion can be caused by broadcast traffic that is directed to all network devices, regardless of whether they require it. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that must communicate with each other.
• VLANs provide extra security.
TYPES OF VLANS

[Figure 6-1: Example of a port-based VLAN on the Summit7i switch (VLANs Finance, Marketing and Sales over ports 1 through 32)]

For the members of the different IP VLANs to communicate, the traffic must be routed by the switch, even if they are physically part of the same I/O module. This means that each VLAN must be configured as a router interface with a unique IP address.
[Figure 6-2: Single port-based VLAN spanning two switches (VLAN Sales on System 1 and System 2)]

To create multiple VLANs that span two switches in a port-based VLAN, a port on System 1 must be cabled to a port on System 2 for each VLAN you want to have span across the switches.
[Figure 6-3: Two port-based VLANs spanning two BlackDiamond switches (VLANs Engineering and Accounting on System 1 and System 2)]

VLAN Accounting spans System 1 and System 2 by way of a connection between System 1, 29 and System 2, slot 3, port 1.
TAGGED VLANS

Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the identification number of a specific VLAN, called the VLANid. The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices, and may also lead to connectivity problems if non-802.1Q bridges or routers are placed in the path.
Figure 6-4 illustrates the physical view of a network that uses tagged and untagged traffic.

[Figure 6-4: physical view of System 1 with Marketing & Sales ports; legend: M = Marketing, S = Sales, tagged port; remainder of figure truncated at “802.”]
Figure 6-5 shows a logical diagram of the same network.
MIXING PORT-BASED AND TAGGED VLANS

You can configure the switch using a combination of port-based and tagged VLANs. A given port can be a member of multiple VLANs, with the stipulation that only one of its VLANs uses untagged traffic. In other words, a port can simultaneously be a member of one port-based VLAN and multiple tag-based VLANs. For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLANid of zero are treated as untagged.
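The classification rules just described, together with the frame-size accounting from Jumbo Frames and the tag format from Tagged VLANs, can be exercised with the following added example, which is not code from the guide or from Extreme Networks. It parses a frame's 802.1Q tag, treats a VLANid of zero as untagged, assigns the frame to the port's single untagged VLAN or to a tagged VLAN the port belongs to, checks the wire size against a jumbo_frame_mtu that counts the 4-byte CRC and the 4-byte tag, and also accepts a non-default 802.1Q Ethertype as the config dot1q ethertype command allows; the port model, build_frame and classify are assumptions.

```python
"""Added example, not from the ExtremeWare guide: classify one Ethernet frame
the way the guide's VLAN rules describe for a port that is a member of one
port-based (untagged) VLAN and several tag-based VLANs, and check the frame
size against a jumbo_frame_mtu counted "on the wire". Names are assumptions."""
import struct
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_DOT1Q_ETHERTYPE = 0x8100  # guide: the default 802.1Q Ethertype is 8100
IEEE_MAX_FRAME = 1518             # guide: IEEE 802.3/Ethernet maximum, CRC included
CRC_LEN = 4                       # guide: wire size includes 4 bytes of CRC
TAG_LEN = 4                       # guide: plus 4 bytes if 802.1Q tagging is used


@dataclass
class PortVlanConfig:
    """VLAN membership of one port (assumed model of the guide's rules)."""
    untagged_vlan: str                     # the single port-based VLAN on this port
    tagged_vlans: dict = field(default_factory=dict)  # VLANid -> VLAN name
    jumbo_frame_mtu: Optional[int] = None  # None: jumbo frames not enabled on port


@dataclass
class Classification:
    vlan: Optional[str]       # VLAN the frame is assigned to, or None if dropped
    vlanid: Optional[int]     # VLANid carried in the tag, if any
    tagged: bool              # True only for a tag whose VLANid is non-zero
    dropped: Optional[str]    # reason the frame was not accepted


def build_frame(payload_len: int, vid: Optional[int] = None, pcp: int = 0,
                dot1q_ethertype: int = DEFAULT_DOT1Q_ETHERTYPE) -> bytes:
    """Constructed sample frame without CRC: fixed addresses, an optional
    802.1Q tag, IPv4 Ethertype and payload_len bytes of zero payload."""
    dst = bytes.fromhex("00e02b000001")  # constructed addresses
    src = bytes.fromhex("00e02b000002")
    tag = b""
    if vid is not None:
        tag = struct.pack("!HH", dot1q_ethertype, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", 0x0800) + bytes(payload_len)


def parse_tag(frame: bytes, dot1q_ethertype: int = DEFAULT_DOT1Q_ETHERTYPE):
    """Return (vlanid, priority) if the frame carries an 802.1Q tag, else None.
    The tag follows the two 6-byte addresses: 2-byte TPID, then a 2-byte TCI
    holding the 802.1p priority (3 bits), CFI (1 bit) and VLANid (12 bits)."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != dot1q_ethertype:
        return None
    return tci & 0x0FFF, tci >> 13


def classify(frame: bytes, port: PortVlanConfig,
             dot1q_ethertype: int = DEFAULT_DOT1Q_ETHERTYPE) -> Classification:
    """Apply the guide's rules: a tag with VLANid 0 is treated as untagged, an
    untagged frame belongs to the port-based VLAN, and a tagged frame is
    accepted only for a VLANid the port is a member of. `frame` excludes CRC."""
    tag = parse_tag(frame, dot1q_ethertype)
    has_tag = tag is not None
    vlanid = tag[0] if has_tag else None
    tagged = has_tag and vlanid != 0
    # Size check "on the wire": CRC is added; the tag bytes are already in frame.
    wire_size = len(frame) + CRC_LEN
    if port.jumbo_frame_mtu is not None:
        limit = port.jumbo_frame_mtu
    else:
        limit = IEEE_MAX_FRAME + (TAG_LEN if has_tag else 0)
    if wire_size > limit:
        return Classification(None, vlanid, tagged,
                              f"{wire_size}-byte frame exceeds {limit}-byte limit")
    if not tagged:
        return Classification(port.untagged_vlan, vlanid, False, None)
    name = port.tagged_vlans.get(vlanid)
    if name is None:
        return Classification(None, vlanid, True,
                              f"port is not a tagged member of VLANid {vlanid}")
    return Classification(name, vlanid, True, None)
```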
[Figure (caption not recovered): network with interfaces 192.207.35.1 and 192.207.36.1, VLAN My Company on 192.207.35.0 and VLAN Finance on 192.207.36.]
DEFINING PROTOCOL FILTERS

If necessary, you can define a customized protocol filter based on EtherType, Logical Link Control (LLC), and/or Subnetwork Access Protocol (SNAP). Up to six protocols may be part of a protocol filter. To define a protocol filter, do the following:

1 Create a protocol using the following command:

create protocol

For example:

create protocol fred

The protocol name can have a maximum of 32 characters.
DELETING A PROTOCOL FILTER

If a protocol filter is deleted from a VLAN, the VLAN is assigned a protocol filter of none. You can continue to configure the VLAN. However, no traffic is forwarded to the VLAN until a protocol is assigned to it.

PRECEDENCE OF TAGGED PACKETS OVER PROTOCOL FILTERS

If a VLAN is configured to accept tagged packets on a particular port, incoming packets that match the tag configuration take precedence over any protocol filters associated with the VLAN.
CONFIGURING VLANS ON THE SWITCH

RENAMING A VLAN

To rename an existing VLAN, use the following command:

config vlan name

The following rules apply to renaming VLANs:
• Once you change the name of the default VLAN, it cannot be changed back to default.
• You cannot create a new VLAN named default.
• You cannot change the VLAN name MacVlanDiscover. Although the switch accepts a name change, once it is rebooted, the original name is recreated.
VLAN CONFIGURATION COMMANDS

Table 6-1 describes the commands used to configure a VLAN.

Table 6-1: VLAN Configuration Commands

Command: config dot1q ethertype
Description: Configures an IEEE 802.1Q Ethertype. Use this command only if you have another switch that supports 802.1Q, but uses a different Ethertype value than 8100. You must reboot the switch for this command to take effect.

Command: config protocol [add | delete]
Description: Configures a protocol filter.
Table 6-1: VLAN Configuration Commands (continued)

Command: config vlan tag
Description: Assigns a numerical VLANid. The valid range is from 1 to 4095.

Command: config vlan name
Description: Renames a previously configured VLAN.

Command: create protocol
Description: Creates a user-defined protocol.

Command: create vlan
Description: Creates a named VLAN.

Command: delete protocol
Description: Removes a protocol.

Command: delete vlan
Description: Removes a VLAN.
The following Summit switch example creates a VLAN named sales, with the VLANid 120. The VLAN uses both tagged and untagged ports. Ports 1 through 3 are tagged, and ports 4 and 7 are untagged. Note that when not explicitly specified, ports are added as untagged.

create vlan sales
config sales tag 120
config sales add port 1-3 tagged
config sales add port 4,7

The following BlackDiamond switch example creates a protocol-based VLAN named ipsales.
• IPX address (if configured)
• STPD information
• Protocol information
• QoS profile information
• Ports assigned
• Tagged/untagged status for each port
• How the ports were added to the VLAN (manually or by GVRP)

Use the detail option to display the detailed format.
[Figure 6-7: Network example using GVRP (Switch A with VLAN Red untagged ports and a VLAN Red, Tag 10 link to Switch B; GVRP messages: "Send me traffic for VLAN tag 10.")]

In Figure 6-7, Switch A is a member of VLAN Red. VLAN Red has the VLANid 10. Port 1 and port 2 on Switch A are added to the VLAN as untagged.
GENERIC VLAN REGISTRATION PROTOCOL

VLANs that are automatically created using GVRP are given names in the format gvrp vlan xxxx where xxxx is the VLANid (in decimal) that is discovered by GVRP. These VLANs are not permanently stored in nonvolatile storage, and you cannot add or remove ports from these VLANs. GVRP assumes that the VLANs for which it carries information operate using VLAN tags, unless explicitly configured otherwise.
Table 6-2: GVRP Commands

Command: config gvrp [listen | send | both | none] port
Description: Configures the sending and receiving of GVRP information on one or all ports. Options include the following:
■ listen — Receive GVRP packets.
■ send — Send GVRP packets.
■ both — Send and receive GVRP packets.
■ none — Disable the port from participating in GVRP operation.
The default setting is both.

Command: disable gvrp
Description: Disables the Generic VLAN Registration Protocol (GVRP).
MAC-BASED VLANS

MAC-BASED VLAN GUIDELINES

When using the MAC-to-VLAN mapping, consider the following guidelines:
• A port can only accept connections from an endstation/host and should not be connected to a layer-2 repeater device. Connecting to a layer-2 repeater device can cause certain addresses to not be mapped to their respective VLAN if they are not correctly configured in the MAC-VLAN configuration database.
• A MAC address cannot be configured to associate with more than 1 VLAN. If this is attempted, the MAC address is associated with the most recent VLAN entry in the MAC-to-VLAN database.
• The feature is intended to support one client per physical port. Once a client MAC address has successfully registered, the VLAN association remains until the port connection is dropped or the FDB entry ages out.

MAC-BASED VLAN COMMANDS

Table 6-3 describes MAC-based VLAN commands.
enable mac-vlan mac-group any ports 10-15
enable mac-vlan mac-group 10 ports 16-17
enable mac-vlan mac-group 200 ports 18-20
config mac-vlan engineering add mac-address 00:00:00:00:00:01 mac-group 10
config mac-vlan marketing add mac-address 00:00:00:00:00:02 mac-group any
config mac-vlan sales add mac-address 00:00:00:00:00:03 mac-group 200

TIMED CONFIGURATION DOWNLOAD FOR MAC-BASED VLANS

To allow centralized control of MAC-based VLANs over multiple switches, a timed TFTP configuratio
The following example shows an incremental configuration file for MAC-based VLAN information that updates the database and saves changes:

config mac-vlan engineering
config mac-vlan engineering
config mac-vlan
.
.
7 Forwarding Database (FDB)

This chapter describes the following topics:
• Overview of the FDB on page 7-1
• Configuring FDB Entries on page 7-3
• Displaying FDB Entries on page 7-5

OVERVIEW OF THE FDB

The switch maintains a database of all media access control (MAC) addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.
FDB ENTRY TYPES

There are four types of entries in the FDB:
• Dynamic entries — Initially, all entries in the database are dynamic. Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database.
HOW FDB ENTRIES GET ADDED

Entries are added into the FDB in the following two ways:
• The switch can learn entries. The system updates its FDB with the source MAC address from a packet, the VLAN, and the port identifier on which the source packet is received.
• You can enter and update entries using a MIB browser, an SNMP Network Manager, or the command-line interface (CLI).
Table 7-1: FDB Configuration Commands (continued)

Command: create fdbentry vlan [blackhole | | dynamic] {qosprofile }
Description: Creates an FDB entry. Specify the following:
■ mac_address — Device MAC address, using colon separated bytes.
■ name — VLAN associated with MAC address.
■ blackhole — Configures the MAC address as a blackhole entry.
■ portlist — Port numbers associated with MAC address.
• Slot number for this device is 3.
• Port number for this device is 4.

This example associates the QoS profile qp2 with a dynamic entry that will be learned by the FDB:

create fdbentry 00:A0:23:12:34:56 vlan net34 dynamic qosprofile qp2

This entry has the following characteristics:
• MAC address is 00A023123456.
• VLAN name is net34.
• The entry will be learned dynamically.
• QoS profile qp2 will be applied when the entry is learned.
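How entries are learned, aged and looked up, how the blackhole, permanent and dynamic-with-QoS forms of create fdbentry differ, and what disable learning ports changes for a port, can be followed in this added model of the FDB, which is not code from the guide or from Extreme Networks. The class, method names and time values are assumptions, and the sample MAC addresses are constructed.

```python
"""Added example, not from the ExtremeWare guide: a small model of the
forwarding database described in this chapter (learning, aging, permanent,
blackhole and dynamic-with-QoS entries) together with the "disable learning"
rule from the port commands table. Names and time values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class FdbEntry:
    mac: str
    vlan: str
    port: Optional[int]           # None for a blackhole entry
    kind: str                     # "dynamic", "permanent" or "blackhole"
    qosprofile: Optional[str] = None
    last_seen: float = 0.0        # seconds; used only for dynamic entries


class ForwardingDatabase:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time
        self.entries: Dict[Tuple[str, str], FdbEntry] = {}   # (vlan, mac) -> entry
        self.learning_disabled: Set[int] = set()             # disable learning ports
        self.pending_qos: Dict[Tuple[str, str], Optional[str]] = {}  # dynamic + qosprofile

    def create_fdbentry(self, mac: str, vlan: str, *, blackhole: bool = False,
                        port: Optional[int] = None, dynamic: bool = False,
                        qosprofile: Optional[str] = None) -> None:
        """Mirrors: create fdbentry <mac> vlan <name> [blackhole | <port> | dynamic] {qosprofile}."""
        key = (vlan, mac.lower())
        if dynamic:
            # No entry yet: the profile is applied when the MAC is learned.
            self.pending_qos[key] = qosprofile
            return
        kind = "blackhole" if blackhole else "permanent"
        self.entries[key] = FdbEntry(mac.lower(), vlan, None if blackhole else port,
                                     kind, qosprofile)

    def disable_learning(self, port: int) -> None:
        self.learning_disabled.add(port)

    def learn(self, src_mac: str, vlan: str, port: int, now: float) -> Optional[FdbEntry]:
        """Learn (or refresh) the source MAC, VLAN and ingress port of a packet."""
        key = (vlan, src_mac.lower())
        entry = self.entries.get(key)
        if entry is not None and entry.kind != "dynamic":
            return entry                      # static entries are never overwritten
        if port in self.learning_disabled:
            return None                       # no dynamic entries for this port
        if entry is None:
            entry = FdbEntry(src_mac.lower(), vlan, port, "dynamic",
                             self.pending_qos.get(key))
            self.entries[key] = entry
        entry.port, entry.last_seen = port, now
        return entry

    def age_out(self, now: float) -> int:
        """Remove dynamic entries not refreshed within aging_time; return the count."""
        stale = [k for k, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def forward(self, src_mac: str, dst_mac: str, vlan: str, ingress: int,
                now: float, vlan_ports: Set[int]) -> Tuple[str, List[int]]:
        """Decide what to do with a frame: learn the source, then look up the
        destination. Returns (decision, egress ports)."""
        self.learn(src_mac, vlan, ingress, now)
        others =  {p for p in vlan_ports if p != ingress}
        if dst_mac.lower() == BROADCAST:
            return "flood", sorted(others)    # broadcast reaches learning-disabled ports too
        entry = self.entries.get((vlan, dst_mac.lower()))
        if entry is None:
            # Unknown unicast is flooded, but a port with learning disabled only
            # receives broadcast, EDP and traffic to a permanent MAC on that port.
            return "flood", sorted(others - self.learning_disabled)
        if entry.kind == "blackhole":
            return "drop", []
        if entry.port == ingress:
            return "filter", []               # destination is on the ingress port
        return "forward", [entry.port]
```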
8 Spanning Tree Protocol (STP)

This chapter covers the following topics:
• Overview of the Spanning Tree Protocol on page 8-1
• Spanning Tree Domains on page 8-2
• STP Configurations on page 8-3
• Configuring STP on the Switch on page 8-6
• Displaying STP Settings on page 8-8
• Disabling and Resetting STP on page 8-9

Using the Spanning Tree Protocol (STP) functionality of the switch makes your network more fault tolerant.
SPANNING TREE DOMAINS

The switch can be partitioned into multiple virtual bridges. Each virtual bridge can run an independent Spanning Tree instance. Each Spanning Tree instance is called a Spanning Tree Domain (STPD). Each STPD has its own Root Bridge and active path. Once the STPD is created, one or more VLANs can be assigned to it. A port can belong to only one STPD. If a port is a member of multiple VLANs, then all those VLANs must belong to the same STPD.
For more information on GVRP, refer to Chapter 6.

DEFAULTS

The default device configuration contains a single STPD called s0. The default VLAN is a member of STPD s0. All STP parameters default to the IEEE 802.1D values, as appropriate.

STP CONFIGURATIONS

When you assign VLANs to an STPD, pay careful attention to the STP configuration and its effect on the forwarding of VLAN traffic. Figure 8-1 illustrates a network that uses VLAN tagging for trunk connections.
[Figure 8-1: Multiple Spanning Tree Domains (Switches A, B, Y, Z and M across STPD 1 and STPD 2; VLANs Sales, Personnel, Marketing, Manufacturing and Engineering)]

When the switches in this configuration start up, STP configures each STPD such that there are no active loops in the topology. STP could configure the topology in a number of ways to make it loop-free.
[Figure 8-2: Tag-based STP configuration (Switch 1, Switch 2 and Switch 3 carrying Marketing, Sales and Engineering)]

The tag-based network in Figure 8-2 has the following configuration:
• Switch 1 contains VLAN Marketing and VLAN Sales.
• Switch 2 contains VLAN Engineering and VLAN Sales.
• Switch 3 contains VLAN Marketing, VLAN Engineering, and VLAN Sales.
CONFIGURING STP ON THE SWITCH

To configure STP you must perform the following actions:
• Create one or more STP domains using the following command:

create stpd

STPD, VLAN, and QoS profile names must all be unique. For example, a name used to identify a VLAN cannot be used when you create an STPD or a QoS profile.
Table 8-1 shows the commands used to configure STP.

Table 8-1: STP Configuration Commands

Command: config stpd add vlan
Description: Adds a VLAN to the STPD.

Command: config stpd forwarddelay
Description: Specifies the time (in seconds) that the ports in this STPD spend in the listening and learning states when the switch is the Root Bridge. The range is 4 through 30. The default setting is 15 seconds.
Table 8-1: STP Configuration Commands (continued)

Command: create stpd
Description: Creates an STPD. When created, an STPD has the following default parameters:
■ Bridge priority — 32,768
■ Hello time — 2 seconds
■ Forward delay — 15 seconds

Command: enable ignore-stp vlan
Description: Configures the switch to ignore the STP protocol, and not block traffic for the VLAN(s).
This command displays the following information:
• STPD name
• Bridge ID
• STPD configuration information

To display the STP state of a port, use the following command:

show stpd port

This command displays the following:
• STPD port configuration
• STPD state (Root Bridge, and so on)
• STPD port state (forwarding, blocking, and so on)

DISABLING AND RESETTING STP

To disable STP or return STP settings to their defaults, use the commands listed in Tabl
9 Quality of Service (QoS)

This chapter covers the following topics:
• Overview of Policy-Based Quality of Service on page 9-2
• Applications and Types of QoS on page 9-3
• Assigning QoS Attributes on page 9-5
• QoS Profiles on page 9-6
• Traffic Groupings and Creating a QoS Policy on page 9-8
  — IP-Based Traffic Groupings on page 9-10
  — MAC-Based Traffic Groupings on page 9-10
  — Explicit Class of Service (802.
OVERVIEW OF POLICY-BASED QUALITY OF SERVICE

Policy-Based QoS allows you to protect bandwidth for important categories of applications or specifically limit the bandwidth associated with less critical traffic. For example, if voice-over-IP traffic requires a reserved amount of bandwidth to function properly, using Policy-Based QoS, you can reserve sufficient bandwidth critical to this type of application.
APPLICATIONS AND TYPES OF QOS

Different applications have different QoS requirements. The following applications are ones that you will most commonly encounter and need to prioritize:
• Voice applications
• Video applications
• Critical database applications
• Web browsing applications
• File server applications

General guidelines for each traffic type are given below and summarized in Table 8-1. Consider them as general guidelines and not strict recommendations.
CRITICAL DATABASE APPLICATIONS

Database applications, such as those associated with ERP, typically do not demand significant bandwidth and are tolerant of delay. You can establish a minimum bandwidth using a priority less than that of delay-sensitive applications.

WEB BROWSING APPLICATIONS

QoS needs for Web browsing applications cannot be generalized into a single category.
Table 9-1: Traffic Type and QoS Guidelines

Traffic Type    Key QoS Parameters
Voice           Minimum bandwidth, priority
Video           Minimum bandwidth, priority, buffering (varies)
Database        Minimum bandwidth
Web browsing    Minimum bandwidth for critical applications, maximum bandwidth for non-critical applications, RED
File server     Minimum bandwidth

ASSIGNING QOS ATTRIBUTES

Assigning QoS attributes is a three-step process which consists of defining three interrelated QoS building blocks (de
QOS PROFILES

A QoS profile defines a class of service by specifying traffic behavior attributes, such as bandwidth. The parameters that make up a QoS profile include the following:
• Minimum bandwidth – The minimum percentage of total link bandwidth that is reserved for use by a hardware queue on a physical port. Bandwidth unused by the queue can be used by other queues. The minimum bandwidth for all queues should add up to less than 90%.
Four or eight default QoS profiles are provided, depending on the chipset used in the switch. The default QoS profiles cannot be deleted. Also by default, a QoS profile maps directly to a specific hardware queue across all physical ports. The settings for the default QoS profiles for Summit chipset products are summarized in Table 9-2. The settings for the default QoS profiles for “i” chipset products are summarized in Table 9-3.
CONFIGURING A QOS PROFILE

Table 9-4 lists the commands used to configure QoS.

Table 9-4: QoS Configuration Commands

Command: config ports qosprofile
Description: Configures one or more ports to use a particular QoS profile. Available only in ingress mode.

Command: config qosprofile {minbw } {maxbw } {priority } {buffer } {}
Description: Configures a QoS profile.
TRAFFIC GROUPINGS AND CREATING A QOS POLICY

Traffic groupings are separated into the following categories for discussion:
• IP-based information, such as IP source/destination and TCP/UDP port information
• Destination MAC (MAC QoS groupings)
• Explicit packet class of service information, such as 802.
IP-BASED TRAFFIC GROUPINGS

IP-based traffic groupings are based on any combination of:
• IP source or destination address
• TCP/UDP or other Layer 4 protocol
• TCP/UDP port information

IP-based traffic groupings are defined using access lists. Access lists are discussed in detail in Chapter 16. By supplying a named QoS profile at the end of the access list command syntax, you can prescribe the bandwidth management and priority handling for that traffic grouping.
DYNAMIC MAC ADDRESSES

Dynamic MAC addresses can be assigned a QoS profile whenever traffic is destined to the MAC address. For any port on which the specified MAC address is learned in the specified VLAN, the port is assigned the specified QoS profile. For example:

create fdbentry 00:11:22:33:44:55 vlan default dynamic qosprofile qp3

The QoS profile is assigned when the MAC address is learned.
VERIFYING MAC-BASED QOS SETTINGS

To verify any of the MAC-based QoS settings, use either the command show fdb perm or the command show qosprofile

EXPLICIT CLASS OF SERVICE (802.1P AND DIFFSERV) TRAFFIC GROUPINGS

This category of traffic groupings describes what is sometimes referred to as explicit packet marking, and refers to information contained within a packet intended to explicitly determine a class of service.
[Figure 9-1: Ethernet packet encapsulation (Destination address, Source address, 802.1Q type 8100, 802.1p priority, 802.1Q VLAN ID, IP packet, CRC)]

OBSERVING 802.1P INFORMATION

When ingress traffic that contains 802.1p prioritization information is detected by the switch, the traffic is mapped to various hardware queues on the egress port of the switch.
QUALITY OF SERVICE (QOS) 802.1P COMMANDS Table 9-7 shows the commands used to configure 802.1p priority. Two are explained in more detail in the following paragraphs. Table 9-7: 802.1p Configuration Commands Command Description config dot1p type qosprofile Configures the default QoS profile to 802.1p priority mapping. The value for dot1p_priority is an integer between 0 and 7. disable dot1p replacement ports [ | all] Disables the ability to overwrite 802.
TRAFFIC GROUPINGS AND CREATING A QOS POLICY 802.1p priority information is replaced according to the hardware queue that is used when transmitting from the switch. The mapping is described in Table 9-8 for switches based on the “i” chipset and for other Extreme switches. This mapping cannot be changed. Table 9-8: Queue to 802.1p Priority Replacement Value Hardware Queue Summit Chipset Hardware Queue “i” Chipset 802.
QUALITY OF SERVICE (QOS) 0 1 2 3 4 5 6 7 DiffServ code point 0 bits Version IHL 31 Type-of-service Identification Time-to-live Total length Flags Fragment offset Header checksum Protocol Source address Destination address Options (+ padding) Data (variable) EW_023 Figure 9-2: IP packet header encapsulation Table 9-9 lists the commands used to configure DiffServ. Some of the commands are described in more detail in the following paragraphs.
TRAFFIC GROUPINGS AND CREATING A QOS POLICY Table 9-9: DiffServ Configuration Commands (continued) Command Description enable diffserv examination ports [ | Enables the diffserv field of an ingress IP packet all] to be examined by the switch in order to select a QoS profile. The default setting is disabled. enable diffserv replacement ports [ | Enables the diffserv code point to be overwritten all] in packets transmitted by the switch.
QUALITY OF SERVICE (QOS) Table 9-10: Default Code Point-to-QoS Profile Mapping (continued) Code Point QoS Profile 32-39 Qp5 40-47 Qp6 48-55 Qp7 56-63 Qp8 You can change the QoS profile assignment for all 64 code points using the following command: config diffserv examination code-point qosprofile ports [ | all] Once assigned, the rest of the switches in the network prioritize the packet using the characteristics specified by the QoS profile.
TRAFFIC GROUPINGS AND CREATING A QOS POLICY Table 9-11: Default 802.1p Priority Value-to-Code Point Mapping Hardware Queue 802.1p Priority Code Point “i” Chipset value Q0 0 0 Q1 1 8 Q2 2 16 Q3 3 24 Q4 4 32 Q5 5 40 Q6 6 48 Q7 7 56 You then change the 802.
QUALITY OF SERVICE (QOS) 3 To enable the switch to overwrite the DiffServ code point: enable dot1p replacement enable diffserv replacement 4 Configure the switch so that other switches may signal class of service that this switch should observe: enable diffserv examination Table 9-3 indicates that qp3 is tied to hardware queue Q2. We also know that when replacement is enabled all traffic sent out Q2 will contain code point value 16 (according to Table 9-11).
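The examination-then-replacement behaviour described in steps 3 and 4 can be checked against a real header. The following Python example is added here and is not ExtremeWare code: it parses the Type-of-service byte of an IPv4 header (Figure 9-2), selects a QoS profile from the default code point mapping of Table 9-10, and rewrites the code point and 802.1p value that the egress queue would stamp according to Table 9-11. Assumptions, also marked in the code: the Table 9-10 rows for code points 0-31 (Qp1 to Qp4) are inferred from the pattern of the rows shown here, the general qpN to Q(N-1) binding is inferred from the qp3/Q2 statement above, and the sample packet and addresses are constructed.

```python
"""DiffServ examination and replacement as described for the "i" chipset.

Added example (not ExtremeWare code). Assumptions are marked in comments:
the default code point -> profile rows for 0-31, the qpN -> Q(N-1) binding,
and the constructed sample addresses.
"""
import struct


def qosprofile_for_codepoint(dscp):
    """Default code point -> QoS profile (Table 9-10): eight code points per profile.
    Rows 32-39 -> Qp5 ... 56-63 -> Qp8 are on the page; 0-7 -> Qp1 ... 24-31 -> Qp4
    are assumed from that pattern."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in 0..63")
    return "qp%d" % (dscp // 8 + 1)


def queue_for_qosprofile(qp):
    """Profile -> hardware queue. The text ties qp3 to Q2; the general
    qpN -> Q(N-1) binding is an assumption."""
    return int(qp[2:]) - 1


def replacement_values(queue):
    """Values stamped on egress from queue Qn when replacement is enabled
    (Table 9-11, "i" chipset): 802.1p priority n, code point 8*n.
    Returns (dot1p, dscp)."""
    return queue, queue * 8


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Over a header whose checksum field is already valid the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp, src, dst, ttl=64, proto=17):
    """Constructed 20-byte IPv4 header carrying the given DSCP (ECN bits left 0)."""
    tos = (dscp << 2) & 0xFF
    pack = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, ttl, proto, 0,
                      pack(src), pack(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt):
    """Extract the Figure 9-2 fields that matter here and verify the checksum."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "dscp": pkt[1] >> 2, "ecn": pkt[1] & 0x03,
            "ttl": pkt[8], "proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}


def rewrite_dscp(pkt, dscp):
    """Overwrite the six DSCP bits of the Type-of-service byte, keep the ECN bits,
    and recompute the header checksum so the packet stays valid."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = ((dscp << 2) & 0xFC) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def forward(pkt, replacement=True):
    """Model one switch with diffserv examination enabled: choose the profile from
    the ingress code point, then (with dot1p and diffserv replacement enabled)
    stamp the queue's code point on egress. dot1p is the 802.1p value the
    queue would write into a tagged frame."""
    dscp_in = parse_ipv4_header(pkt)["dscp"]
    qp = qosprofile_for_codepoint(dscp_in)
    queue = queue_for_qosprofile(qp)
    dot1p, dscp_out = replacement_values(queue)
    out = rewrite_dscp(pkt, dscp_out) if replacement else pkt
    return {"dscp_in": dscp_in, "qosprofile": qp, "queue": queue, "dot1p": dot1p,
            "dscp_out": parse_ipv4_header(out)["dscp"], "packet": out}


if __name__ == "__main__":
    # Constructed sample: a packet marked with code point 46 entering the switch.
    pkt = build_ipv4_header(46, "192.67.34.10", "192.67.35.10")
    r = forward(pkt)
    print("ingress DSCP %d -> %s -> Q%d; egress DSCP %d, 802.1p %d"
          % (r["dscp_in"], r["qosprofile"], r["queue"], r["dscp_out"], r["dot1p"]))
```

Running forward() with replacement enabled shows the point the paragraph above makes: whatever code point a packet arrives with, it leaves Q2 marked 16 (or, for code point 46, leaves Q5 marked 40), so downstream switches see the queue's value rather than the original marking.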
VERIFYING CONFIGURATION AND PERFORMANCE

For example, all devices on VLAN servnet require use of the QoS profile qp4.

Table 9-12: QoS Monitor Commands
disable qosmonitor
    Disables the QoS monitoring capability.
enable qosmonitor {port }
    Enables the QoS monitoring capability on the switch. When no port is specified, the QoS monitor automatically samples all the ports. Error messages are logged to the syslog if the traffic exceeds the parameters of the QoS profile(s). The default setting is disabled.

MODIFYING A QOS POLICY

DISPLAYING QOS PROFILE INFORMATION

The QoS monitor can also be used to verify the QoS configuration and monitor the use of the QoS policies that are in place.

INTRA-SUBNET QOS

Intra-Subnet QoS™ (ISQ) is used only on Extreme switches that do not use the “i” chipset. Using ISQ, it is possible to apply Layer 3 and Layer 4 access lists to traffic that is only being locally switched. Extreme products that use the “i” chipset are already capable of using Layer 3 and Layer 4 access lists without enabling ISQ, even though the switch is performing Layer 2 switching only.

DYNAMIC LINK CONTEXT SYSTEM

Table 9-13: ISQ Configuration Commands (continued)
create isq-server
    Creates a remote destination that should be snooped.
delete isq-server
    Deletes a remote destination.
disable isq
    Disables ISQ.
enable isq
    Enables ISQ.

DLCS LIMITATIONS

Consider the following limitations concerning data received from WINS snooping:
• DLCS does not work for the WINS server. This is because the WINS server does not send NETBIOS packets on the network (these packets are addressed to itself).
• When the IP address of a host is changed, and the host is not immediately rebooted, the old host-to-IP address mapping is never deleted. You must delete the host-to-IP address mapping through the EEM Policy Manager.

Table 9-14: DLCS Configuration Commands (continued)
config isq-server delete mac vlan
    Deletes the MAC address of the next hop router.
create isq-server
    Creates a WINS server to be snooped.
delete isq-server
    Deletes a WINS server from being snooped.
disable dlcs
    Disables snooping of DLCS packets.
10 Extreme Standby Router Protocol

This chapter covers the following topics:
• Overview on page 10-1
• ESRP Basics on page 10-2
• Determining the ESRP Master on page 10-3
• Grouping Blocks of 10/100 Ports on page 10-7
• ESRP Options on page 10-9
• ESRP and VLAN aggregation on page 10-13
• ESRP Commands on page 10-14
• Displaying ESRP Information on page 10-20

OVERVIEW

ESRP is a feature of ExtremeWare that allows multiple switches to provide redundant routing services to users.

EXTREME STANDBY ROUTER PROTOCOL

network system design, ESRP can provide better resiliency than using the Spanning Tree Protocol (STP). It is highly recommended that all switches participating in ESRP run the same version of ExtremeWare. Not all ESRP features are available in all ExtremeWare software releases.

ESRP-AWARE SWITCHES

Extreme switches that are not running ESRP, but are connected on a network that has other Extreme switches running ESRP, are ESRP-aware.

DETERMINING THE ESRP MASTER

If you configure OSPF and ESRP, you must manually configure an OSPF router identifier (ID). Be sure that you configure a unique OSPF router ID on each switch running ESRP. For more information on configuring OSPF, refer to Chapter 12. To have two or more switches participate in ESRP, the following must be true:
• For each VLAN to be made redundant, the switches must have the ability to exchange packets on the same layer 2 broadcast domain for that VLAN.

If any of the configured tracking mechanisms fail, the master ESRP switch relinquishes status as master, and remains in standby mode for as long as the tracking mechanism continues to fail.
• ESRP priority—This is a user-defined field. The range of the priority value is 0 to 254; a higher number has higher priority. The default priority setting is 0. A priority setting of 255 loses the election and remains in standby mode.

automatically relinquishes master status and remains in standby mode if a ping keepalive fails three consecutive times. To participate in ESRP ping tracking, all ESRP switches must run ExtremeWare version 6.0 or above. To view the status of tracked devices, use the following command:

show esrp

ESRP ELECTION ALGORITHMS

You configure the switch to use one of five different election algorithms to select the ESRP master.

STANDBY SWITCH BEHAVIOR

If a switch is in standby mode, it exchanges ESRP packets with other switches on that same VLAN. When a switch is in standby, it does not perform layer 3 routing or layer 2 switching services for the VLAN. From a layer 3 routing protocol perspective (for example, RIP or OSPF), when in standby for the VLAN, the switch marks the router interface associated with the VLAN as down.
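The election rules above (priority 0-254 with higher winning, 255 never becoming master, tracking failures forcing a master back to standby, three consecutive ping keepalive failures counting as a tracking failure) combine with the five algorithm names listed under config vlan esrp election-algorithm in Table 10-1, which spell out the order in which the criteria are compared. The following Python model is an added example, not ExtremeWare code. It assumes, as marked in the code, that a larger number of active ports wins the ports comparison, that the higher system MAC address wins the final tie-break, and constructed switch names and MAC addresses.

```python
"""ESRP master election and failover modelled from this chapter.

Added example (not ExtremeWare code). The criterion order comes from the
election-algorithm names in Table 10-1. Assumptions: more active ports win,
the higher system MAC wins the final tie-break, and the constructed switch
names and MAC addresses used in the demo.
"""
from dataclasses import dataclass

# Each algorithm name lists its comparison criteria in order of precedence.
ELECTION_ALGORITHMS = {
    "ports_track_priority_mac": ("ports", "track", "priority", "mac"),
    "track_ports_priority_mac": ("track", "ports", "priority", "mac"),
    "priority_ports_track_mac": ("priority", "ports", "track", "mac"),
    "priority_track_ports_mac": ("priority", "track", "ports", "mac"),
    "priority_mac_only": ("priority", "mac"),
}

PING_FAILURE_LIMIT = 3   # three consecutive ping keepalive failures -> relinquish master
NEVER_MASTER = 255       # a priority of 255 loses the election and stays in standby


@dataclass
class EsrpSwitch:
    name: str
    mac: str                       # system MAC address (constructed values in the demo)
    priority: int = 0              # user-defined, 0-254; default 0
    active_ports: int = 0          # active ports in the ESRP VLAN
    tracked_objects_up: bool = True  # VLAN / route tracking: all tracked objects up
    ping_failures: int = 0         # consecutive ping keepalive failures

    def tracking_failed(self):
        return (not self.tracked_objects_up) or self.ping_failures >= PING_FAILURE_LIMIT

    def eligible(self):
        """A switch with priority 255 or a failed tracking mechanism stays in standby."""
        return self.priority != NEVER_MASTER and not self.tracking_failed()


def election_key(sw, algorithm):
    """Tuple compared lexicographically: the larger value wins at every position.
    The "track" criterion is kept so the key mirrors the algorithm name; among
    eligible switches it is always 1, because a tracking failure removes the
    switch from the election entirely, as the text states."""
    criteria = {
        "ports": sw.active_ports,                       # assumption: more ports win
        "track": 0 if sw.tracking_failed() else 1,
        "priority": sw.priority,
        "mac": int(sw.mac.replace(":", ""), 16),        # assumption: higher MAC wins
    }
    return tuple(criteria[c] for c in ELECTION_ALGORITHMS[algorithm])


def elect_master(switches, algorithm="ports_track_priority_mac"):
    """Return the switch that becomes master for the VLAN, or None if every switch
    is ineligible. All switches in the VLAN must run the same algorithm."""
    if algorithm not in ELECTION_ALGORITHMS:
        raise ValueError("unknown election algorithm: %s" % algorithm)
    candidates = [s for s in switches if s.eligible()]
    if not candidates:
        return None
    return max(candidates, key=lambda s: election_key(s, algorithm))


def standby_order(switches, algorithm="ports_track_priority_mac"):
    """Master first, then the standbys in the order they would take over."""
    ranked = sorted((s for s in switches if s.eligible()),
                    key=lambda s: election_key(s, algorithm), reverse=True)
    return [s.name for s in ranked]


def record_ping(sw, ok):
    """Update ping-tracking state after one keepalive. Returns True when the
    switch must relinquish (or cannot take) master status."""
    sw.ping_failures = 0 if ok else sw.ping_failures + 1
    return sw.tracking_failed()


if __name__ == "__main__":
    a = EsrpSwitch("A", "00:00:00:00:00:01", priority=10, active_ports=8)
    b = EsrpSwitch("B", "00:00:00:00:00:02", priority=5, active_ports=10)
    print("priority first:", elect_master([a, b], "priority_ports_track_mac").name)
    print("ports first:   ", elect_master([a, b], "ports_track_priority_mac").name)
    for _ in range(PING_FAILURE_LIMIT):
        record_ping(a, ok=False)
    print("after A's ping target fails 3 times:",
          elect_master([a, b], "priority_ports_track_mac").name)
```

The demo shows why the algorithm must match on every switch in the VLAN: with the same two switches, priority_ports_track_mac elects A and ports_track_priority_mac elects B, so mismatched algorithms would let each switch believe it had won.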
GROUPING BLOCKS OF 10/100 PORTS

Restrictions on port groupings apply only to switches that do not use the “i” chipset. If you enable ESRP on a VLAN that contains 10/100 ports, a specific block of neighboring ports must also be participating in a VLAN running ESRP, or must not be used. The blocks of ports are physically adjacent, regardless of the switch module.

[Figure: blocks of 8 ports on a 24-port 10/100BASE-TX switch front panel (ports 1-24 in three blocks of 8, with 1000BASE-X ports 25 and 25R and the MGMT port). LED legend: amber = activity, green = link OK, flashing green = disabled.]

[Figure: blocks of 8 ports on a 48-port 10/100BASE-TX switch front panel (ports 1-48 in blocks of 8, with 1000BASE-X ports 49, 49R, 50 and 50R and the Mgmt port). LED legend: amber = activity, green = link OK, flashing green = disabled.]

ESRP OPTIONS

The ESRP HA option is useful if you are using dual-homed network interface cards (NICs) for server farms, and in conjunction with high availability server load balancing (SLB) configurations, as shown in Figure 10-6.

[Figure 10-6: ESRP host attach (upstream network labelled OSPF/BGP4).]

Other applications allow lower cost redundant routing configurations, because hosts can be directly attached to the switch involved with ESRP.

ESRP GROUPS

ExtremeWare supports running multiple instances of ESRP within the same VLAN or broadcast domain. This functionality is called an ESRP group. Though other uses exist, the most typical application for multiple ESRP groups is when two or more sets of ESRP switches are providing fast-failover protection within a subnet.

LINKING ESRP SWITCHES

When considering system design using ESRP, direct links between ESRP switches are useful under the following conditions:
• A direct link can provide a more direct routed path, if the ESRP switches are routing and supporting multiple VLANs where the master/standby configuration is split such that one switch is master for some VLANs and a second switch is master for other VLANs.

ESRP AND VLAN AGGREGATION

ESRP can be used to provide redundant default router protection to VLAN aggregation clients. ESRP is enabled on the super-VLAN only (not the sub-VLANs). The procedure is to add ports to the super-VLAN that is shared with the sub-VLANs. To do so, the super-VLAN should be configured with an 802.1Q tag, and added as tagged with the sub-VLAN ports to avoid a protocol conflict. Lastly, enable ESRP on the super-VLAN.

ESRP COMMANDS

Table 10-1 describes the commands used to configure ESRP.

Table 10-1: ESRP Commands
config esrp port-mode [host | normal] ports
    Configures the ESRP port mode. A normal port does not accept or transmit traffic when the local ESRP device is a slave. The host port always switches user traffic, regardless of the ESRP state. The default setting is normal.
config vlan esrp election-algorithm [ports_track_priority_mac | track_ports_priority_mac | priority_ports_track_mac | priority_track_ports_mac | priority_mac_only]
    Configures the election algorithm on the switch. The algorithm must be the same on all switches for a particular VLAN.
disable esrp vlan
    Disables ESRP on a VLAN.
enable esrp vlan
    Enables ESRP on a VLAN.
show esrp {detail}
    Displays ESRP configuration information.
show esrp vlan
    Displays ESRP configuration information for a specific VLAN.

ESRP EXAMPLES

This section provides examples of ESRP configurations.

[Figure 10-8: ESRP example using layer 2 and layer 3 redundancy (two BlackDiamond switches, one master and one standby for VLAN Sales, attached to an OSPF or RIP backbone).]

The BlackDiamond switch, acting as master for VLAN Sales, performs both layer 2 switching and layer 3 routing services for VLAN Sales. The BlackDiamond switch in standby mode for VLAN Sales performs neither, thus preventing bridging loops in the VLAN. The BlackDiamond switch in standby mode does, however, exchange ESRP packets with the master BlackDiamond switch.

flush FDB entries associated with the uplinks to the ESRP-enabled BlackDiamond switches. The following commands are used to configure both BlackDiamond switches. The assumption is that the inter-router backbone is running OSPF, with other routed VLANs already properly configured. Similar commands would be used to configure a switch on a network running RIP. The primary requirement is that the IP address for the VLAN(s) running ESRP must be identical.

[Figure 10-9: ESRP example using layer 2 redundancy (one switch is Sales master and Engineering standby, the other Sales standby and Engineering master; Sales and Engineering untagged links to the edge, Sales + Engineering tagged link between the switches).]

This example builds on the previous example, but eliminates the requirement of layer 3 redundancy. It has the following features:
• An additional VLAN, Engineering, is added that uses layer 2 redundancy.

In this example, the BlackDiamond switches are configured for ESRP such that the VLAN Sales normally uses the first BlackDiamond switch and the VLAN Engineering normally uses the second BlackDiamond switch. This is accomplished by manipulating the ESRP priority setting for each VLAN for the particular BlackDiamond switch.
11 IP Unicast Routing

This chapter describes the following topics:
• Overview of IP Unicast Routing on page 11-2
• Proxy ARP on page 11-5
• Relative Route Priorities on page 11-6
• IP Multinetting on page 11-7
• Configuring IP Unicast Routing on page 11-10
• VLAN Aggregation on page 11-11
• Configuring DHCP/BOOTP Relay on page 11-16
• UDP-Forwarding on page 11-16
• IP Commands on page 11-19
• Routing Configuration Example on page 11-25
• Displaying Router Settings on page 11-27
• Resetting and Disabling R

IP UNICAST ROUTING

For more information on interior gateway protocols, refer to Chapter 12. For information on exterior gateway protocols, refer to Chapter 13.

OVERVIEW OF IP UNICAST ROUTING

The switch provides full layer 3, IP unicast routing. It exchanges routing information with other routers on the network using either the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) protocol.

[Figure 11-1: Routing between VLANs (a switch with router interface 192.207.35.1 on VLAN Finance, subnet 192.207.35.0, and router interface 192.207.36.1 on VLAN Personnel, subnet 192.207.36.0; hosts 192.207.35.11 and 192.207.35.13 on Finance, 192.207.36.12 and 192.207.36.14 on Personnel).]

POPULATING THE ROUTING TABLE

The switch maintains an IP routing table for both network routes and host routes.

DYNAMIC ROUTES

Dynamic routes are typically learned by way of RIP or OSPF. Routers that use RIP or OSPF exchange information in their routing tables in the form of advertisements. Using dynamic routes, the routing table contains only networks that are reachable. Dynamic routes are aged out of the table when an update for the network is not received for a period of time, as determined by the routing protocol.

STATIC ROUTES

Static routes are manually entered into the routing table.

PROXY ARP

You can also configure blackhole routes — traffic to these destinations is silently dropped.

IP ROUTE SHARING

IP route sharing allows multiple equal-cost routes to be used concurrently. IP route sharing can be used with static routes or with OSPF routes. In OSPF, this capability is referred to as equal cost multi-path (ECMP) routing. To use IP route sharing, use the following command:

enable route sharing

Next, configure static routes and/or OSPF as you would normally.

• The proxy ARP table entry indicates that the system should always answer this ARP Request, regardless of the ingress VLAN (the always parameter must be applied).

Once all the proxy ARP conditions are met, the switch formulates an ARP Response using the configured MAC address in the packet.

PROXY ARP BETWEEN SUBNETS

In some networks, it is desirable to configure the IP host with a wider subnet than the actual subnet mask of the segment.

Table 11-1: Relative Route Priorities (continued)
Route Origin    Priority
ICMP            1200
OSPFIntra       2200
OSPFInter       2300
RIP             2400
OSPFExtern1     3200
OSPFExtern2     3300
BOOTP           5000

To change the relative route priority, use the following command:

config iproute priority [rip | bootp | icmp | static | ospf-intra | ospf-inter | ospf-as-external | ospf-extern1 | ospf-extern2]

IP MULTINETTING

IP multinetting is used in many legacy IP networks when there is need to overlap multiple

• The FDB aging timer is automatically set to 3,000 seconds (50 minutes).
• If you are using a UDP or DHCP relay function, only the "primary" VLAN that is configured with the IP protocol filter is capable of servicing these requests.
• The VLAN default should not be used for multinetting.

IP MULTINETTING OPERATION

To use IP multinetting, follow these steps:
1 Select a slot (BlackDiamond switch only) and port on which IP multinetting is to run.

10 Enable IP multinetting, by using the following command:

enable multinetting

11 If you are using RIP, disable RIP on the dummy VLANs, by using the following command:

config rip delete net22

Multinetted VLAN groups must contain identical port assignments.

IP MULTINETTING EXAMPLES

The following example configures the BlackDiamond switch to have one multinetted segment (slot 5, port 5) that contains three subnets (192.67.34.0, 192.67.35.0, and 192.67.37.0).

create vlan net35
create vlan net37
config net34 ipaddress 192.67.34.1
config net35 ipaddress 192.67.35.1
config net37 ipaddress 192.67.37.1
config net34 protocol ip
config net35 protocol mnet
config net37 protocol mnet
config net34 add port 5:5
config net35 add port 5:5
config net37 add port 5:5
config default delete port 1:8, 2:9, 3:10
create vlan net36
create vlan net45
config net36 ipaddress 192.67.36.

VLAN AGGREGATION

3 Configure a default route, using the following command:

config iproute add default {} {unicast-only | multicast-only}

Default routes are used when the router has no other dynamic or static route to the requested destination.
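The route selection described across these sections (static, dynamic and blackhole routes, equal-cost route sharing, the relative route priorities of Table 11-1 with the config iproute priority command, and the default route used when nothing else matches) is easier to reason about as a small lookup model. The following Python example is added here and is not ExtremeWare code. It assumes, as marked in the code, the Direct, Blackhole and Static priority rows that this page's continuation of Table 11-1 does not show, that ties within one origin are broken by metric, and constructed prefixes and gateway addresses.

```python
"""Route selection as described in this chapter: longest prefix match, then the
relative route priority of the route origin (Table 11-1, lower number preferred),
with optional IP route sharing across equal-cost routes, blackhole routes and a
default route.

Added example (not ExtremeWare code). Assumptions: the Direct, Blackhole and
Static priority rows, which are not on this page; ties within one origin
broken by metric; constructed prefixes and gateway addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Table 11-1 values from this page, plus assumed rows (marked) for origins that
# the continuation table shown here does not include.
ROUTE_PRIORITY = {
    "direct": 10,          # assumed
    "blackhole": 50,       # assumed
    "static": 1100,        # assumed
    "icmp": 1200,
    "ospf-intra": 2200,
    "ospf-inter": 2300,
    "rip": 2400,
    "ospf-extern1": 3200,
    "ospf-extern2": 3300,
    "bootp": 5000,
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: str
    gateway: Optional[str]     # None for a blackhole route
    metric: int = 1


class RoutingTable:
    def __init__(self, route_sharing=False):
        self.routes = []
        self.route_sharing = route_sharing     # "enable route sharing"
        self.priority = dict(ROUTE_PRIORITY)

    def add(self, prefix, origin, gateway=None, metric=1):
        if origin not in self.priority:
            raise ValueError("unknown route origin: %s" % origin)
        net = ipaddress.ip_network(prefix, strict=False)
        self.routes.append(Route(net, origin, gateway, metric))

    def add_default(self, gateway, origin="static", metric=1):
        """config iproute add default: matches only when nothing longer does."""
        self.add("0.0.0.0/0", origin, gateway, metric)

    def set_priority(self, origin, value):
        """config iproute priority <origin> <value>"""
        self.priority[origin] = value

    def lookup(self, dst):
        """Return ("forward", [gateways]), ("drop", []) for a blackhole, or
        ("unreachable", []) when nothing matches, not even a default route."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in r.prefix]
        if not cands:
            return ("unreachable", [])
        # 1. longest prefix match
        longest = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == longest]
        # 2. relative route priority of the origin (lower value wins)
        best = min(self.priority[r.origin] for r in cands)
        cands = [r for r in cands if self.priority[r.origin] == best]
        # 3. metric within the winning origin (assumption)
        low = min(r.metric for r in cands)
        cands = [r for r in cands if r.metric == low]
        if cands[0].origin == "blackhole":
            return ("drop", [])          # silently discarded
        # 4. equal-cost routes are all used only when route sharing (ECMP) is on
        if not self.route_sharing:
            cands = cands[:1]
        return ("forward", sorted({r.gateway for r in cands}))


if __name__ == "__main__":
    # Constructed table: a default route, a RIP route and two equal-cost OSPF
    # intra-area routes to the same prefix, and a blackhole for an unused range.
    rt = RoutingTable(route_sharing=True)
    rt.add_default("192.67.34.254")
    rt.add("192.67.35.0/24", "rip", "10.0.0.1", metric=2)
    rt.add("192.67.35.0/24", "ospf-intra", "10.0.0.2")
    rt.add("192.67.35.0/24", "ospf-intra", "10.0.0.3")
    rt.add("192.67.36.0/24", "blackhole")
    for dst in ("192.67.35.7", "192.67.36.1", "198.51.100.9"):
        print(dst, rt.lookup(dst))
```

With route sharing enabled the two OSPF intra-area routes are both returned for 192.67.35.7 because OSPFIntra (2200) outranks RIP (2400); lowering the RIP priority with set_priority flips that choice, which is the effect of the config iproute priority command.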
As a result, sub-VLANs can be quite small, but allow for growth without re-defining subnet boundaries. Without using VLAN aggregation, each VLAN has a default router address, and you need to use large subnet masks. The result of this is more unused IP address space. Multiple secondary IP addresses can be assigned to the super-VLAN. These IP addresses are only used to respond to ICMP ping packets to verify connectivity. Figure 11-2 illustrates VLAN aggregation.

VLAN AGGREGATION PROPERTIES

VLAN aggregation is a very specific application, and the following properties apply to its operation:
• All broadcast and unknown traffic remains local to the sub-VLAN and does not cross the sub-VLAN boundary. All traffic within the sub-VLAN is switched by the sub-VLAN, allowing traffic separation between sub-VLANs (while using the same default router address among the sub-VLANs).
• Hosts are located on the sub-VLAN.

ISOLATION OPTION FOR COMMUNICATION BETWEEN SUB-VLANS

To facilitate communication between sub-VLANs, by default, an entry is made in the IP ARP table of the super-VLAN that performs a proxy ARP function. This allows clients on one sub-VLAN to communicate with clients on another sub-VLAN. In certain circumstances, intra-sub-VLAN communication may not be desired for isolation reasons.

VLAN AGGREGATION EXAMPLE

The following example illustrates how to configure VLAN aggregation. The VLAN vsuper is created as a super-VLAN, and sub-VLANs vsub1, vsub2, and vsub3 are added to it.

1 Create and assign an IP address to a VLAN designated as the super-VLAN. This VLAN should have no member ports. Be sure to enable IP forwarding, and any desired routing protocol, on the switch.

create vlan vsuper
config vsuper ipaddress 192.201.3.

CONFIGURING DHCP/BOOTP RELAY

Once IP unicast routing is configured, you can configure the switch to forward Dynamic Host Configuration Protocol (DHCP) or BOOTP requests coming from clients on subnets being serviced by the switch and going to hosts on different subnets. This feature can be used in various applications, including DHCP services between Windows NT servers and clients running Windows 95.

UDP-FORWARDING

• If the UDP profile includes other types of traffic, these packets have the IP destination address modified as configured, and changes are made to the IP and UDP checksums and decrements to the TTL field, as appropriate.

If UDP-forwarding is used for BOOTP or DHCP forwarding purposes, do not configure or use the existing bootprelay function. However, if the previous bootprelay functions are adequate, you may continue to use them.

ICMP PACKET PROCESSING

As ICMP packets are routed or generated, you can take various actions to control distribution. For ICMP packets typically generated or observed as part of the routing function, you can assert control on a per-type, per-VLAN basis. You would alter the default settings for security reasons: to restrict the success of tools that can be used to find an important application, host, or topology information.

IP COMMANDS

Table 11-3: UDP-Forwarding Commands (continued)
create udp-profile
    Creates a UDP-forwarding profile. You must use a unique name for the UDP-forwarding profile.
delete udp-profile
    Deletes a UDP-forwarding profile.
show udp-profile {}
    Displays the profile names, input rules of UDP port, destination IP address, or VLAN and the source VLANs to which the profile is applied.

Table 11-4: Basic IP Commands (continued)
config iparp add proxy {} {} {always}
    Configures proxy ARP entries. When mask is not specified, an address with the mask 255.255.255.255 is assumed. When mac_address is not specified, the MAC address of the switch is used in the ARP Response. When always is specified, the switch answers ARP Requests without filtering requests that belong to the same subnet of the receiving router interface.
enable bootprelay
    Enables the forwarding of BOOTP and Dynamic Host Configuration Protocol (DHCP) requests.
enable ipforwarding {vlan }
    Enables IP routing for one or all VLANs. If no argument is provided, enables routing for all VLANs that have been configured with an IP address. The default setting for ipforwarding is disabled.

Table 11-5: Route Table Configuration Commands (continued)
config iproute add default {} {unicast-only | multicast-only}
    Adds a default gateway to the routing table. A default gateway must be located on a configured IP interface. If no metric is specified, the default metric of 1 is used. Use the unicast-only or multicast-only options to specify a particular traffic type. If not specified, both unicast and multicast traffic uses the default route.

Table 11-6: ICMP Configuration Commands (continued)
config irdp
    Configures the router advertisement message timers, using seconds. Specify:
    ■ mininterval — The minimum amount of time between router advertisements. The default setting is 450 seconds.
    ■ maxinterval — The maximum time between router advertisements. The default setting is 600 seconds.
    ■ lifetime — The default setting is 1,800 seconds.
enable icmp port-unreachables {vlan }
    Enables the generation of ICMP port unreachable messages (type 3, code 3) when a TCP or UDP request is made to the switch, and no application is waiting for the request, or access policy denies the request. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.
enable ip-option use-router-alert
    Enables the switch to generate the router alert IP option with routing protocol packets.
enable irdp {vlan }
    Enables the generation of ICMP router advertisement messages on one or all VLANs. The default setting is enabled.
unconfig icmp
    Resets all ICMP settings to the default values.

ROUTING CONFIGURATION EXAMPLE

[Figure 11-3: Unicast routing configuration example (VLAN Finance, subnet 192.207.35.0, router interface 192.207.35.1; VLAN Personnel, subnet 192.207.36.0, router interface 192.207.36.1; VLAN MyCompany; each station carries both IP and NetBIOS traffic).]

The stations connected to the system generate a combination of IP traffic and NetBIOS traffic. The IP traffic is filtered by the protocol-sensitive VLANs. All other traffic is directed to the VLAN MyCompany.

config Finance protocol ip
config Personnel protocol ip
config Finance add port 1:*,3:*
config Personnel add port 2:*,4:*
config MyCompany add port all
config Finance ipaddress 192.207.35.1
config Personnel ipaddress 192.207.36.1
config rip add vlan Finance
config rip add vlan Personnel
enable ipforwarding
enable rip

DISPLAYING ROUTER SETTINGS

To display settings for various IP routing components, use the commands listed in Table 11-7.

Table 11-7: Router Show Commands (continued)
show ipfdb { | vlan }
    Displays the contents of the IP forwarding database (FDB) table. If no option is specified, all IP FDB entries are displayed.

RESETTING AND DISABLING ROUTER SETTINGS

Table 11-8: Router Reset and Disable Commands (continued)
disable icmp redirects {vlan }
    Disables the generation of ICMP redirect messages. If a VLAN is not specified, the command applies to all IP interfaces.
disable icmp time-exceeded {vlan }
    Disables the generation of ICMP time exceeded messages. If a VLAN is not specified, the command applies to all IP interfaces.
12 Interior Gateway Routing Protocols

This chapter describes the following topics:
• Overview on page 12-2
• Overview of RIP on page 12-3
• Overview of OSPF on page 12-5
• Route Re-distribution on page 12-10
• Configuring RIP on page 12-14
• RIP Configuration Example on page 12-17
• Displaying RIP Settings on page 12-19
• Resetting and Disabling RIP on page 12-20
• Configuring OSPF on page 12-21
• OSPF Configuration Example on page 12-25
• Displaying OSPF Settings on page 12-28
• Resetting and Disabling O

INTERIOR GATEWAY ROUTING PROTOCOLS

• Interconnections: Bridges and Routers by Radia Perlman, ISBN 0-201-56332-0, published by Addison-Wesley Publishing Company

OVERVIEW

The switch supports the use of two interior gateway protocols (IGPs): the Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) protocol for IP unicast routing. RIP is a distance-vector protocol, based on the Bellman-Ford (or distance-vector) algorithm.

OVERVIEW OF RIP

RIP has a number of limitations that can cause problems in large networks, including the following:
• A limit of 15 hops between the source and destination networks
• A large amount of bandwidth taken up by periodic broadcasts of the entire routing table
• Slow convergence
• Routing decisions based on hop count; no concept of link costs or delay
• Flat networks; no concept of areas or boundaries

OSPF offers many advantages over RIP, including the following:
• No limitation on hop count

• IP address of the next router
• Timer that tracks the amount of time since the entry was last updated

The router exchanges an update message with each neighbor every 30 seconds (default value), or if there is a change to the overall routed topology (also called triggered updates).

OVERVIEW OF OSPF

RIP VERSION 1 VERSUS RIP VERSION 2

A new version of RIP, called RIP version 2, expands the functionality of RIP version 1 to include the following:
• Variable-Length Subnet Masks (VLSMs)
• Support for next-hop addresses, which allows for optimization of routes in certain environments.
• Multicasting

RIP version 2 packets can be multicast instead of being broadcast, reducing the load on hosts that do not support routing protocols.
INTERIOR GATEWAY ROUTING PROTOCOLS Table 12-1: LSA Type Numbers Type Number Description 1 Router LSA 2 Network LSA 3 Summary LSA 4 AS summary LSA 5 AS external LSA 7 NSSA external LSA AREAS OSPF allows parts of a network to be grouped together into areas. The topology within an area is hidden from the rest of the autonomous system. Hiding this information enables a significant reduction in LSA traffic, and reduces the computations needed to maintain the LSDB.
OVERVIEW OF OSPF The backbone allows summary information to be exchanged between ABRs. Every ABR hears the area summaries from all other ABRs. The ABR then forms a picture of the distance to all networks outside of its area by examining the collected advertisements, and adding in the backbone distance to each advertising router. When a VLAN is configured to run OSPF, you must configure the area for the VLAN.
INTERIOR GATEWAY ROUTING PROTOCOLS perform translation (as indicated in the NSSA specification). The option should not be used on NSSA internal routers. Doing so inhibits correct operation of the election algorithm. NORMAL AREA A normal area is an area that is not any of the following: • Area 0 • Stub area • NSSA Virtual links can be configured through normal areas. External routes can be distributed into normal areas.
OVERVIEW OF OSPF Virtual link ABR Area 2 ABR Area 1 Area 0 EW_016 Figure 12-1: Virtual link using Area 1 as a transit area Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 12-2, if the connection between ABR1 and the backbone fails, the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the backbone using the virtual link.
INTERIOR GATEWAY ROUTING PROTOCOLS Virtual link Area 2 ABR 1 Area 1 ABR 2 Area 0 Area 3 EW_017 Figure 12-2: Virtual link providing redundancy ROUTE RE-DISTRIBUTION Both RIP and OSPF can be enabled simultaneously on the switch. Route re-distribution allows the switch to exchange routes, including static routes, between the two routing protocols. Figure 12-3 shows an example of route re-distribution between an OSPF autonomous system and a RIP autonomous system.
ROUTE RE-DISTRIBUTION OSPF AS Backbone Area 0.0.0.0 ABR Area 121.2.3.4 ASBR ASBR RIP AS EW_019 Figure 12-3: Route re-distribution CONFIGURING ROUTE RE-DISTRIBUTION Exporting routes from OSPF to RIP, and from RIP to OSPF, are discreet configuration functions. To run OSPF and RIP simultaneously, you must first configure both protocols and then verify the independent operation of each. Then you can configure the routes to export from OSPF to RIP and the routes to export from RIP to OSPF.
INTERIOR GATEWAY ROUTING PROTOCOLS RE-DISTRIBUTING ROUTES INTO OSPF Enable or disable the exporting of RIP, static, and direct (interface) routes to OSPF, using the following commands: enable ospf export [static | rip | direct] cost [ase-type-1 | ase-type-2] {tag } disable ospf export [static | rip | direct] These commands enable or disable the exporting of RIP, static, and direct routes by way of LSA to other OSPF routers as AS-external type 1 or type 2 routes.
In versions of ExtremeWare prior to release 6.0, direct routes corresponding to the interfaces on which RIP was enabled were exported into OSPF as part of RIP routes, using the command enable ospf export rip. Using ExtremeWare 6.0 and above, you must configure ExtremeWare to export these direct routes to OSPF. You can use an access profile to filter unnecessary direct routes, using the command:

config ospf direct-filter [ | none]
CONFIGURING RIP

Table 12-2 describes the commands used to configure RIP.

Table 12-2: RIP Configuration Commands

config rip add vlan [ | all]
    Configures RIP on an IP interface. When an IP interface is created, per-interface RIP configuration is disabled by default.

config rip delete vlan [ | all]
    Disables RIP on an IP interface. When RIP is disabled on the interface, the parameters are not reset to their defaults.
Table 12-2: RIP Configuration Commands (continued)

config rip txmode [none | v1only | v1comp | v2only] {vlan }
    Changes the RIP transmission mode for one or all VLANs. Specify:
    ■ none — Do not transmit any packets on this interface.
    ■ v1only — Transmit RIP v1 format packets to the broadcast address.
    ■ v1comp — Transmit RIP v2 format packets to the broadcast address.
    ■ v2only — Transmit RIP v2 format packets to the RIP multicast address.
Table 12-2: RIP Configuration Commands (continued)

enable rip export [static | direct | ospf | ospf-intra | ospf-inter | ospf-extern1 | ospf-extern2 | static | vip] metric {tag }
    Enables RIP to redistribute routes from other routing functions.
RIP CONFIGURATION EXAMPLE

Figure 12-4 illustrates a BlackDiamond switch that has three VLANs defined as follows:
• Finance
  — Protocol-sensitive VLAN using the IP protocol
  — All ports on slots 1 and 3 have been assigned
  — IP address 192.207.35.1
• Personnel
  — Protocol-sensitive VLAN using the IP protocol
  — All ports on slots 2 and 4 have been assigned
  — IP address 192.207.36.
[Figure 12-4: RIP configuration example]

The stations connected to the system generate a combination of IP traffic and NetBIOS traffic. The IP traffic is filtered by the protocol-sensitive VLANs. All other traffic is directed to the VLAN MyCompany.
The example in Figure 12-4 is configured as follows:

create vlan Finance
create vlan Personnel
create vlan MyCompany
config Finance protocol ip
config Personnel protocol ip
config Finance add port 1:*,3:*
config Personnel add port 2:*,4:*
config MyCompany add port all
config Finance ipaddress 192.207.35.1
config Personnel ipaddress 192.207.36.
RESETTING AND DISABLING RIP

To return RIP settings to their defaults, or to disable RIP, use the commands listed in Table 12-4.

Table 12-4: RIP Reset and Disable Commands

config rip delete [vlan | all]
    Disables RIP on an IP interface. When RIP is disabled on the interface, the parameters are not reset to their defaults.

disable rip
    Disables RIP.
CONFIGURING OSPF

Each switch that is configured to run OSPF must have a unique router ID. It is recommended that you manually set the router ID of the switches participating in OSPF, instead of having the switch automatically choose its router ID based on the highest interface IP address. Not performing this configuration in larger, dynamic environments could result in an older link state database remaining in use. Table 12-5 describes the commands used to configure OSPF.
Table 12-5: OSPF Configuration Commands (continued)

config ospf [vlan | area | virtual-link ] timer
    Configures the timers for one interface or all interfaces in the same OSPF area.
Table 12-5: OSPF Configuration Commands (continued)

config ospf area nssa [summary | nosummary] stub-default-cost {translate}
    Configures an OSPF area as an NSSA.

config ospf area stub [summary | nosummary] stub-default-cost
    Configures an OSPF area as a stub area.

config ospf asbr-filter [ | none]
    Configures a route filter for non-OSPF routes exported into OSPF.
Table 12-5: OSPF Configuration Commands (continued)

config ospf spf-hold-time {}
    Configures the minimum number of seconds between Shortest Path First (SPF) recalculations. The default setting is 3 seconds.

config ospf vlan area
    Changes the area ID of an OSPF interface (VLAN).

create ospf area
    Creates an OSPF area. Area 0.0.0.0 does not need to be created. It exists by default.
OSPF CONFIGURATION EXAMPLE

Figure 12-5 shows an example of an autonomous system using OSPF routers. The details of this network follow.

[Figure 12-5: not reproduced; it shows Area 0 at Headquarters (IR1, IR2, ABR1, ABR2), the Los Angeles and Chicago areas, and a virtual link]
Area 0 is the backbone area. It is located at the headquarters and has the following characteristics:
• 2 internal routers (IR1 and IR2)
• 2 area border routers (ABR1 and ABR2)
• Network number 10.0.x.x
• 2 identified VLANs (HQ_10_0_2 and HQ_10_0_3)

Area 5 is connected to the backbone area by way of ABR1 and ABR2. It is located in Chicago and has the following characteristics:
• Network number 160.26.x.
CONFIGURATION FOR ABR1

The following is the configuration for the router labeled ABR1:

create vlan HQ_10_0_2
create vlan HQ_10_0_3
create vlan LA_161_48_2
create vlan Chi_160_26_26
config vlan HQ_10_0_2 ipaddress 10.0.2.1 255.255.255.0
config vlan HQ_10_0_3 ipaddress 10.0.3.1 255.255.255.0
config vlan LA_161_48_26 ipaddress 161.48.2.26 255.255.255.0
config vlan Chi_160_26_26 ipaddress 160.26.2.1 255.255.255.0
create ospf area 0.0.0.5
create ospf area 0.0.0.
DISPLAYING OSPF SETTINGS

To display settings for OSPF, use the commands listed in Table 12-6.

Table 12-6: OSPF Show Commands

show ospf
    Displays global OSPF information.

show ospf area {detail}
    Displays information about all OSPF areas.

show ospf area
    Displays information about a particular OSPF area.

show ospf ase-summary
    Displays the OSPF external route aggregation configuration.
RESETTING AND DISABLING OSPF SETTINGS

Table 12-7: OSPF Reset and Disable Commands

disable ospf export direct
    Disables exporting of local interface (direct) routes into the OSPF domain.

disable ospf export rip
    Disables exporting of RIP routes into the OSPF domain.

disable ospf export static
    Disables exporting of statically configured routes into the OSPF domain.

disable ospf export vip
    Disables exporting of virtual IP addresses into the OSPF domain.
13 Exterior Gateway Routing Protocols

This chapter covers the following topics:
• Overview on page 13-2
• BGP Attributes on page 13-2
• BGP Communities on page 13-3
• BGP Features on page 13-3
• Configuring BGP on page 13-10
• Displaying BGP Settings on page 13-15
• Resetting and Disabling BGP on page 13-15

This chapter describes how to configure the Border Gateway Protocol (BGP), an exterior routing protocol available on the switch.
OVERVIEW

BGP is an exterior routing protocol that was developed for use in TCP/IP networks. The primary function of BGP is to allow different autonomous systems (ASs) to exchange network reachability information. An autonomous system is a set of routers that are under a single technical administration. This set of routers uses a different routing protocol (such as OSPF) for intra-AS routing.
• Community – Identifies a group of destinations that share one or more common attributes.
• Cluster_ID – Specifies a 4-byte field used by a route reflector to recognize updates from other route reflectors in the same cluster.

BGP COMMUNITIES

A BGP community is a group of BGP destinations that require common handling.
[Figure 13-1: Route reflectors]

ROUTE CONFEDERATIONS

BGP requires networks to use a fully-meshed router configuration. This requirement does not scale well, especially when BGP is used as an interior gateway protocol. One way to reduce the size of a fully-meshed AS is to divide the AS into multiple sub-autonomous systems and group them into a routing confederation.
[Figure 13-2: Routing confederation (AS 200 split into SubAS 65001 and SubAS 65002; routers A through E connected by EBGP and IBGP sessions)]

In this example, AS 200 has five BGP speakers. Without a confederation, BGP would require that the routes in AS 200 be fully meshed. Using the confederation, AS 200 is split into two sub-ASs: AS65001 and AS65002.
enable ipforwarding vlan ac
config ospf add vlan ac area 0.0.0.0
disable bgp
config bgp as-number 65001
config bgp routerid 192.1.1.17
config bgp confederation-id 200
enable bgp
create bgp neighbor 192.1.1.5 as-number remote-AS-number 65001
create bgp neighbor 192.1.1.18 as-number remote-AS-number 65001
enable bgp neighbor all

To configure Router B, use the following commands:

create vlan ba
config vlan ba add port 1
config vlan ba ipaddress 192.1.1.
To configure Router C, use the following commands:

create vlan ca
config vlan ca add port 1
config vlan ca ipaddress 192.1.1.18/30
enable ipforwarding vlan ca
config ospf add vlan ca area 0.0.0.0
create vlan cb
config vlan cb add port 2
config vlan cb ipaddress 192.1.1.21/30
enable ipforwarding vlan cb
config ospf add vlan cb area 0.0.0.0
disable bgp
config bgp as-number 65001
config bgp routerid 192.1.1.21
config bgp confederation-id 200
enable bgp
create bgp neighbor 192.1.1.
create bgp neighbor 192.1.1.9 as-number remote-AS-number 65001
create bgp neighbor 192.1.1.13 as-number remote-AS-number 65002
enable bgp neighbor all
config bgp add confederation-peer sub-AS-number 65001

To configure Router E, use the following commands:

create vlan ed
config vlan ed add port 1
config vlan ed ipaddress 192.1.1.13/30
enable ipforwarding vlan ed
config ospf add vlan ed area 0.0.0.0
disable bgp
config bgp as-number 65002
config bgp routerid 192.1.1.
IGP SYNCHRONIZATION

You can configure an AS to be a transit AS, so that it can pass traffic through from one AS to a third AS. When you configure a transit AS, it is important that the routes advertised by BGP are consistent with the routes that are available within the AS using its interior gateway protocol. To ensure consistency, BGP should be synchronized with the IGP used within the AS. This ensures that the routes advertised by BGP are, in fact, reachable within the AS.
CONFIGURING BGP

Table 13-1 describes the commands used to configure BGP.

Table 13-1: BGP Configuration Commands

config bgp add aggregate-address / {as-set} {summary-only} {advertise-route-map } {attribute-route-map }
    Configures an aggregate route. Options include the following:
    ■ as-set – Aggregates only the path attributes of the aggregate routes.

config bgp add confederation-peer
Table 13-1: BGP Configuration Commands (continued)

config bgp add dampening bgp-policy
    Configures BGP route flap dampening used to suppress the advertisement of routes when the routes are changing rapidly. Specify the following:
    ■ halflife — The time after which the penalty is decreased to half the original amount. The range is 1 to 45 minutes. The default setting is 15 minutes.
Table 13-1: BGP Configuration Commands (continued)

config bgp dampening
    Configures BGP route flap dampening used to suppress the advertisement of routes when the routes are changing rapidly. Specify the following:
    ■ halflife — The time after which the penalty is decreased to half the original amount. The range is 1 to 45 minutes. The default setting is 15 minutes.
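The arithmetic behind the halflife setting, as an added example (not ExtremeWare code and not from this guide): each flap adds a penalty, the penalty decays by half every halflife, the route is suppressed while the penalty is above a suppress limit and advertised again once it has decayed below a reuse limit. The 15-minute halflife is the default from the table; the 1000-point flap penalty, the reuse and suppress limits, the maximum suppression time and the RFC 2439 penalty ceiling are assumed values chosen for illustration, and the timeline below is constructed.

```python
"""Route flap dampening arithmetic (added example, not ExtremeWare code)."""
import math
from typing import List, Tuple

HALFLIFE_MIN = 15          # default halflife from the command table
FLAP_PENALTY = 1000        # assumption: penalty added per flap
REUSE_LIMIT = 750          # assumption
SUPPRESS_LIMIT = 2000      # assumption
MAX_SUPPRESS_MIN = 60      # assumption


def decay(penalty: float, minutes: float, halflife: float = HALFLIFE_MIN) -> float:
    """Penalty left after 'minutes' of exponential decay (halved every halflife)."""
    return penalty * 0.5 ** (minutes / halflife)


def minutes_until_reuse(penalty: float, reuse: float = REUSE_LIMIT,
                        halflife: float = HALFLIFE_MIN) -> float:
    """Time until a suppressed route's penalty decays down to the reuse limit."""
    if penalty <= reuse:
        return 0.0
    return halflife * math.log2(penalty / reuse)


def penalty_ceiling(reuse: float = REUSE_LIMIT, max_suppress: float = MAX_SUPPRESS_MIN,
                    halflife: float = HALFLIFE_MIN) -> float:
    """Highest penalty that can still decay to the reuse limit within the
    maximum suppression time (RFC 2439 ceiling): reuse * 2^(max_suppress/halflife)."""
    return reuse * 2 ** (max_suppress / halflife)


def simulate(flap_minutes: List[int], horizon: int) -> List[Tuple[int, float, bool]]:
    """Minute-by-minute (minute, penalty, suppressed) for flaps at the given minutes."""
    penalty, suppressed, ceiling = 0.0, False, penalty_ceiling()
    history = []
    for minute in range(horizon + 1):
        if minute:
            penalty = decay(penalty, 1)                      # one minute of decay
        penalty = min(penalty + FLAP_PENALTY * flap_minutes.count(minute), ceiling)
        if penalty > SUPPRESS_LIMIT:
            suppressed = True                               # withdraw the advertisement
        elif penalty < REUSE_LIMIT:
            suppressed = False                              # advertise again
        history.append((minute, round(penalty, 1), suppressed))
    return history


def suppressed_at(history: List[Tuple[int, float, bool]], minute: int) -> bool:
    return history[minute][2]


if __name__ == "__main__":
    for minute, penalty, suppressed in simulate([0, 1, 2], 45):
        if minute % 5 == 0 or minute < 3:
            print(f"t={minute:2d} min  penalty={penalty:7.1f}  suppressed={suppressed}")
```

With these values three flaps a minute apart push the penalty past the suppress limit on the third flap, and it takes roughly two halflives for the penalty to fall back below the reuse limit; a longer halflife stretches that suppression window, which is the trade-off the 1 to 45 minute range expresses.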
Table 13-1: BGP Configuration Commands (continued)

config bgp neighbor [ | all] [route-reflector-client | no-route-reflector-client]
    Configures a BGP neighbor to be a route reflector client. Implicitly defines the router to be a route reflector. The neighbor must be in the same AS as the router.
Table 13-1: BGP Configuration Commands (continued)

config bgp neighbor [ | all] weight
    Assigns a locally used weight to a neighbor connection for the route selection algorithm. All routes learned from this peer are assigned the same weight. The route with the highest weight is more preferable when multiple routes are available to the same network. The range is 0 to 4294967295. The default setting is 0.
Table 13-1: BGP Configuration Commands (continued)

enable bgp synchronization
    Enables synchronization between BGP and IGP. When enabled, BGP waits for IGP to provide the next-hop reachability before advertising the route to an external neighbor. The default setting is enabled.

DISPLAYING BGP SETTINGS

To display settings for BGP, use the commands listed in Table 13-2.
14 IP Multicast Routing

This chapter covers the following topics:
• Overview on page 14-2
• Configuring IP Multicasting Routing on page 14-4
• Configuration Examples on page 14-9
• Displaying IP Multicast Routing Settings on page 14-13
• Deleting and Resetting IP Multicast Settings on page 14-14

For more information on IP multicasting, refer to the following publications:
• RFC 1112 – Host Extension for IP Multicasting
• RFC 2236 – Internet Group Management Protocol, Version 2
• DVMRP Version 3 – draft_ie
OVERVIEW

IP multicast routing is a function that allows a single IP host to send a packet to a group of IP hosts. This group of hosts can include devices that reside on the local network, within a private network, or outside of the local network. IP multicast routing consists of the following functions:
• A router that can forward IP multicast packets.
PIM DENSE MODE

Protocol Independent Multicast-Dense Mode (PIM-DM) is a multicast routing protocol that is similar to DVMRP. PIM-DM routers perform reverse path multicasting (RPM). However, instead of exchanging its own unicast route tables for the RPM algorithm, PIM-DM uses the existing unicast route table for the reverse path. As a result, PIM-DM requires less system memory. PIM-DM is a broadcast and prune protocol. Using PIM-DM, multicast routes are pruned and grafted in the same way as DVMRP.
IGMP is enabled by default on the switch. However, the switch can be configured to disable the generation of periodic IGMP query packets. IGMP query should be enabled when the switch is configured to perform IP unicast or IP multicast routing.

IGMP SNOOPING

IGMP snooping is a layer-2 function of the switch. It does not require multicast routing to be enabled. The feature reduces the flooding of IP multicast traffic.
CONFIGURING IP MULTICASTING ROUTING

4 Enable DVMRP or PIM on the router, using one of the following commands:

enable dvmrp
enable pim

Table 14-1 describes the commands used to configure IP multicast routing.

Table 14-1: IP Multicast Routing Configuration Commands

config dvmrp add vlan [ | all]
    Enables DVMRP on one or all IP interfaces. If no VLAN is specified, DVMRP is enabled on all IP interfaces. When an IP interface is created, DVMRP is disabled by default.
Table 14-1: IP Multicast Routing Configuration Commands (continued)

config dvmrp vlan timer
    Configures DVMRP interface timers. Specify the following:
    ■ probe_interval — The amount of time that the system waits between transmitting DVMRP probe messages. The range is 1 to 2,147,483,647 seconds (68 years). The default setting is 10 seconds.
Table 14-1: IP Multicast Routing Configuration Commands (continued)

config pim timer vlan [ | all]
    Configures the global PIM timers. Specify the following:
    ■ hello_interval — The amount of time before a hello message is sent out by the PIM router. The range is 1 to 65,519 seconds. The default setting is 30 seconds.
    ■ jp_interval — The join/prune interval. The range is 1 to 65,519 seconds.
Table 14-2: IGMP Configuration Commands

config igmp
    Configures the IGMP timers. Timers are based on RFC 2236. Specify the following:
    ■ query_interval — The amount of time, in seconds, the system waits between sending out General Queries. The range is 1 to 2,147,483,647 seconds (68 years). The default setting is 125 seconds.

config igmp snooping
CONFIGURATION EXAMPLES

Figure 14-1 and Figure 13-2 are used in Chapter 12 to describe the OSPF configuration on a switch. Refer to Chapter 12 for more information about configuring OSPF. In the first example, the system labeled IR1 is configured for IP multicast routing, using PIM-DM. In the second example, the system labeled ABR1 is configured for IP multicast routing using PIM-SM.
PIM-DM CONFIGURATION EXAMPLE

[Figure not reproduced: the OSPF example network (Area 0 at Headquarters with IR1, IR2, ABR1 and ABR2, the Los Angeles and Chicago areas, and the virtual link) as used for the PIM-DM configuration]
CONFIGURATION FOR IR1

The following is the configuration for the router labeled IR1:

config vlan HQ_10_0_1 ipaddress 10.0.1.2 255.255.255.0
config vlan HQ_10_0_2 ipaddress 10.0.2.2 255.255.255.0
config ospf add vlan all
enable ipforwarding
enable ospf
enable ipmcforwarding
config pim add vlan all dense
config pim spt-threshold 16 8
enable pim

The following example configures PIM-SM.
[Figure not reproduced: the same network (Area 0 at Headquarters with IR1, IR2, ABR1 and ABR2, the Los Angeles and Chicago areas, and the virtual link) as used for the PIM-SM configuration; the figure also labels a rendezvous point]
CONFIGURATION FOR ABR1

The following is the configuration for the router labeled ABR1:

config vlan HQ_10_0_2 ipaddress 10.0.2.1 255.255.255.0
config vlan HQ_10_0_3 ipaddress 10.0.3.1 255.255.255.0
config vlan LA_161_48_2 ipaddress 161.48.2.2 255.255.255.0
config vlan CHI_160_26_26 ipaddress 160.26.26.1 255.255.255.
DELETING AND RESETTING IP MULTICAST SETTINGS

To return IP multicast routing settings to their defaults and disable IP multicast routing functions, use the commands listed in Table 14-4.

Table 14-4: IP Multicast Routing Reset and Disable Commands

clear igmp snooping {vlan }
    Removes one or all IGMP snooping entries.

clear ipmc cache { {
    Resets the IP multicast cache table.
15 IPX Routing

This chapter describes the following topics:
• Overview of IPX on page 15-1
• IPX/RIP Routing on page 15-4
• Configuring IPX on page 15-6
• IPX Commands on page 15-7
• IPX Configuration Example on page 15-11
• Displaying IPX Settings on page 15-13
• Resetting and Disabling IPX on page 15-14

This chapter assumes that you are already familiar with IPX. If not, refer to your Novell™ documentation.

OVERVIEW OF IPX

The switch provides support for the IPX, IPX/RIP, and IPX/SAP protocols.
As you create VLANs with different IPX NetIDs, the switch automatically routes between them. Both the VLAN switching and IPX routing functions occur within the switch. A VLAN can be configured with either an IPX NetID or an IP address. A VLAN cannot be configured for both IPX and IP routing simultaneously. Figure 15-1 shows the same BlackDiamond switch discussed in earlier chapters.
Traffic within each VLAN is switched using the Ethernet MAC address. Traffic between Exec and Support is routed using the IPX NetID. Traffic cannot be sent between the IP VLANs (Finance and Personnel) and the IPX VLANs (Exec and Support).

IPX ROUTING PERFORMANCE

To use IPX routing, you must have a switch that has the “i” chipset. Switches that have the “i” chipset are capable of performing IPX routing at wire-speed.
POPULATING THE ROUTING TABLE

The switch builds and maintains an IPX routing table. As in the case of IP, the table is populated using dynamic and static entries.

DYNAMIC ROUTES

Dynamic routes are typically learned by way of IPX/RIP. Routers that use IPX/RIP exchange information in their routing tables in the form of advertisements. Using dynamic routes, the routing table contains only networks that are reachable.
IPX/RIP is automatically enabled when a NetID is assigned to the VLAN. To remove the advertisement of an IPX VLAN, use the command:

config ipxrip delete {vlan | all}

GNS SUPPORT

ExtremeWare supports the Get Nearest Server (GNS) reply function. When a NetID is assigned to the switch, the GNS reply service is automatically enabled.
CONFIGURING IPX

This section describes the commands associated with configuring IPX, IPX/RIP, and IPX/SAP on the switch. Configuring IPX routing involves the following steps:

1 Create at least two VLANs.
2 If you are combining an IPX VLAN with another VLAN on the same port(s), you must use a protocol filter on one of the VLANs, or use 802.1Q tagging.
PROTOCOL-BASED VLANS FOR IPX

When combining IPX VLANs with other VLANs on the same physical port, it may be necessary to assign a protocol filter to the VLAN. This is especially true if it is not possible to use 802.1Q VLAN tagging. For convenience, IPX-specific protocol filters have been defined and named in the default configuration of the switch. Each filter is associated with a protocol encapsulation type.
Table 15-3: Basic IPX Commands (continued)

config ipxroute add [ | default]
    Adds a static IPX route entry in the IPX route table. Specify:
    ■ next_hop_id — The NetID of the neighbor IPX network.
    ■ next_hop_node_addr — The node address of the next IPX router.
    ■ hops — The maximum hop count.
    ■ tics — The timer delay value.
    Up to 64 static routes can be entered.
Table 15-3: Basic IPX Commands (continued)

config vlan xnetid [enet_ii | enet_8023 | enet_8022 | enet_snap]
    Configures a VLAN to run IPX routing. Specify:
    ■ enet_ii — Uses standard Ethernet 2 header.
    ■ enet_8023 — Uses IEEE 802.3 length field, but does not include the IEEE 802.2 LLC header.
    ■ enet_8022 — Uses standard IEEE format and uses IEEE 802.2 LLC header.
    ■ enet_snap — Adds Subnetwork Access Protocol (SNAP) header to IEEE 802.2 LLC header.
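The four encapsulations are distinguishable on the wire, which matters when a protocol filter or an xnetid setting does not match what the stations actually send. The classifier below is an added example (not ExtremeWare code and not from this guide) that reads a raw Ethernet frame and names the encapsulation using the page's keywords. The rules it applies are the standard ones: a type/length field of 0x0600 or more is an Ethernet II EtherType (0x8137 is IPX), a smaller value is an IEEE 802.3 length, and the bytes after it decide between raw 802.3 (the FF FF IPX checksum comes first), 802.2 LLC (E0 E0 03, the Novell SAP) and SNAP (AA AA 03, then the OUI and an EtherType). The MAC addresses and frames are constructed sample input.

```python
"""IPX encapsulation classifier (added example, not ExtremeWare code)."""
from typing import Optional

IPX_ETHERTYPE = 0x8137
NOVELL_SAP = 0xE0
SNAP_SAP = 0xAA
HDR = 14   # destination MAC (6) + source MAC (6) + type/length (2)


def ipx_encapsulation(frame: bytes) -> Optional[str]:
    """Return enet_ii, enet_8023, enet_8022 or enet_snap, or None if not IPX."""
    if len(frame) < HDR + 2:
        return None
    type_or_len = int.from_bytes(frame[12:14], "big")
    body = frame[HDR:]
    if type_or_len >= 0x0600:                            # Ethernet II EtherType
        return "enet_ii" if type_or_len == IPX_ETHERTYPE else None
    if body[:2] == b"\xff\xff":                          # raw 802.3: IPX checksum first
        return "enet_8023"
    if len(body) >= 3 and body[0] == body[1] == NOVELL_SAP and body[2] == 0x03:
        return "enet_8022"                               # 802.2 LLC with Novell SAP
    if (len(body) >= 8 and body[0] == body[1] == SNAP_SAP and body[2] == 0x03
            and int.from_bytes(body[6:8], "big") == IPX_ETHERTYPE):
        return "enet_snap"                               # SNAP header carrying 0x8137
    return None


def build_frame(encap: str, payload: bytes = b"\xff\xff\x00\x1e\x00\x04") -> bytes:
    """Construct a minimal frame of the given encapsulation around an IPX header
    (the payload starts with the FF FF checksum every IPX packet carries)."""
    macs = bytes.fromhex("001122334455" "0000aabbccdd")   # constructed addresses
    if encap == "enet_ii":
        return macs + IPX_ETHERTYPE.to_bytes(2, "big") + payload
    if encap == "enet_8023":
        body = payload
    elif encap == "enet_8022":
        body = bytes([NOVELL_SAP, NOVELL_SAP, 0x03]) + payload
    elif encap == "enet_snap":
        body = (bytes([SNAP_SAP, SNAP_SAP, 0x03, 0, 0, 0])
                + IPX_ETHERTYPE.to_bytes(2, "big") + payload)
    else:
        raise ValueError(f"unknown encapsulation {encap}")
    return macs + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    for name in ("enet_ii", "enet_8023", "enet_8022", "enet_snap"):
        print(name, "->", ipx_encapsulation(build_frame(name)))
```

A frame whose classification differs from the VLAN's xnetid encapsulation will not be routed as IPX by that VLAN, so comparing captured frames against the configured keyword is a quick way to explain why two IPX networks on the same port do not see each other.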
Table 15-4: IPX/RIP Configuration Commands (continued)

config ipxrip vlan [ | all] update-interval
Table 15-5: IPX/SAP Configuration Commands (continued)

enable ipxsap
    Enables IPX/SAP on the router.

enable ipxsap gns-reply {vlan }
    Enables GNS reply on one or all IPX interfaces. If no VLAN is specified, GNS reply is enabled on all IPX interfaces. The default setting is enabled.

IPX CONFIGURATION EXAMPLE

Figure 15-2 builds on the example showing the IP/RIP configuration that was used in earlier chapters.
[Figure 15-2: IPX routing configuration example]

The stations connected to the system generate a combination of IP traffic and IPX traffic. The IP traffic is filtered by the IP VLANs. IPX traffic is filtered by the IPX VLANs.
The IPX configuration shown in the example in Figure 15-2 is as follows:

create vlan Exec
create vlan Support
config Exec protocol ipx_8022
config Exec add port 4:*,5:*
config Support add port 7:*
config Exec xnetid 2516 enet_8022
config Support xnetid A2B5 enet_8022

DISPLAYING IPX SETTINGS

To display settings for various IPX components, use the commands listed in Table 15-6.
RESETTING AND DISABLING IPX

To return IPX settings to their defaults and disable IPX functions, use the commands listed in Table 15-7.

Table 15-7: IPX Reset and Disable Commands

disable ipxrip
    Disables IPX/RIP on the router.

disable ipxsap
    Disables IPX/SAP on the router.

disable ipxsap gns-reply {vlan }
    Disables GNS reply on one or all IPX interfaces.

disable type20 forwarding {vlan }
    Disables the forwarding of IPX type 20 packets.
16 Access Policies

This chapter describes the following topics:
• Overview of Access Policies on page 16-1
• Using IP Access Lists on page 16-2
• Using Routing Access Policies on page 16-15
• Making Changes to a Routing Access Policy on page 16-25
• Removing a Routing Access Policy on page 16-26
• Routing Access Policy Commands on page 16-26
• Using Route Maps on page 16-29

OVERVIEW OF ACCESS POLICIES

Access policies are a generalized category of features that impact forwarding and route forwarding de
IP ACCESS LISTS

IP access lists consist of IP access rules, and are used to perform packet filtering and forwarding decisions on incoming traffic. Each packet arriving on an ingress port is compared to the access list in sequential order, and is either forwarded to a specified QoS profile or dropped. Using access lists has no impact on switch performance.
• Physical source port
• Precedence number (optional)

HOW IP ACCESS LISTS WORK

When a packet arrives on an ingress port, the packet is compared with the access list rules to determine a match. When a match is found, the packet is processed. If the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is forwarded. A permit access list can also apply a QoS profile to the packet.
The access-list example, below, performs packet filtering in the following sequence, as determined by the precedence number:
• Deny UDP port 32 and TCP port 23 traffic to the 10.2.XX network.
• All other TCP port 23 traffic destined for other 10.X.X.X networks is permitted using QoS profile Qp4.
• All remaining traffic to 10.2.0.0 uses QoS profile Qp3.

With no default rule specified, all remaining traffic is allowed using the default QoS profile.

create access-list deny102_32 udp dest 10.2.
MAXIMUM ENTRIES

A maximum of 255 entries with an assigned precedence can be used. In addition to the 255 entries, entries that do not use precedence can also be created, with the following restrictions:
• A source IP address must use wildcards or be completely specified (32-bit mask).
• The layer 4 source and destination ports must use wildcards or be completely specified (no ranges).
• No physical source port can be specified.
VERIFYING ACCESS LIST CONFIGURATIONS

To verify access list settings you can view the access list configuration and see real-time statistics on which access list entries are being accessed when processing traffic.
Table 16-1: Access List Configuration Commands

create access-list ip destination [/ | any] source [/ | any] [permit | deny] ports [ | any] {precedence } {log}
    Creates a named IP access list. The access list is applied to all ingress packets. Options include:
    ■ — Specifies the access list name.
Table 16-1: Access List Configuration Commands (continued)

create access-list tcp destination [/ | any] ip-port [ | range | any] source [/ | any] ip-port [ | range | any] [permit | permit-established | deny] ports [ | any] {precedence } {log}
    Creates a named IP access list.
Table 16-1: Access List Configuration Commands (continued)

create access-list udp destination [/ | any] ip-port [ | range | any] source [/ | any] ip-port [ | range | any] [permit | deny] ports [ | any] {precedence } {log}
    Creates a named IP access list.
Table 16-1: Access List Configuration Commands (continued)

create access-list icmp destination [/ | any] source [/ | any] type code [permit | deny] {} {log}
    Creates a named IP access list. The access list is applied to all ingress packets. Options include:
    ■ — Specifies the access list name. The access list name can be between 1 and 16 characters.
IP ACCESS LIST EXAMPLES

This section presents two IP access list examples:
• Using the permit-established keyword
• Filtering ICMP packets

USING THE PERMIT-ESTABLISHED KEYWORD

This example uses an access list that permits TCP sessions (Telnet, FTP, and HTTP) to be established in one direction. The Summit7i, shown in Figure 16-1, is configured as follows:
• Two VLANs, NET10 VLAN and NET20 VLAN, are defined.
• The IP address for NET10 VLAN is 10.10.10.1/24.
The following command creates the access-list:

create access-list denyall ip destination any source any deny ports any

Figure 16-2 illustrates the outcome of the access list.

[Figure 16-2: Access list denies all TCP and UDP traffic]

Step 2 – Allow TCP traffic. The next set of access-list commands permits TCP-based traffic to flow.
[Figure 16-3: Access list allows TCP traffic]

Step 3 – Permit-Established Access List. When a TCP session begins, there is a 3-way handshake that consists of a sequence of SYN, SYN/ACK, and ACK packets. Figure 16-4 shows an illustration of the handshake that occurs when Host A initiates a TCP session to Host B. After this sequence, actual data can be passed.
The exact command line entry for this example is as follows:

create access-list telnet-allow tcp destination 10.10.10.100/32 ip-port 23 source any ip-port any permit-established ports any pre 8

This rule has a higher precedence than the rule “tcp2.” Figure 16-5 shows the final outcome of this access list.
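The two behaviours described in this chapter, first-match evaluation in precedence order (the precedence example under "How IP Access Lists Work") and the permit-established keyword (this example), can be checked against sample packets with the model below. It is an added example, not ExtremeWare code and not from this guide. Assumptions it makes: a lower precedence number is tried first; a permit-established rule that matches a TCP packet without the ACK or RST flag drops it rather than falling through to lower-precedence rules (that is what makes telnet-allow override tcp2 for session-opening SYNs); the precedence numbers other than "pre 8", the tcp2 rule's parameters, and the packets are constructed for the example.

```python
"""Model of ordered IP access-list evaluation (added example, not ExtremeWare code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits


@dataclass
class Rule:
    name: str
    precedence: int                        # assumption: lower number is tried first
    proto: str                             # "ip" (any protocol), "tcp" or "udp"
    action: str                            # "permit", "deny" or "permit-established"
    dest: Optional[str] = None             # CIDR, or None for 'any'
    dport: Optional[int] = None            # destination port, or None for 'any'
    src: Optional[str] = None
    sport: Optional[int] = None
    qos: str = "default"                   # QoS profile applied on permit


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0                         # TCP flags; unused for UDP


def _in_net(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in_net(rule.dest, pkt.dst) and _in_net(rule.src, pkt.src)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """Return (verdict, rule name, qos profile) from the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not matches(rule, pkt):
            continue
        if rule.action == "deny":
            return ("deny", rule.name, None)
        if rule.action == "permit-established" and not pkt.flags & (ACK | RST):
            return ("deny", rule.name, None)   # session-opening SYN is refused
        return ("permit", rule.name, rule.qos)
    return ("permit", "default", "default")   # no explicit default rule configured


# The precedence example: 10.2.XX denies first, then TCP 23 to 10.X.X.X, then the rest of 10.2.
PRECEDENCE_LIST = [
    Rule("deny102_32", 10, "udp", "deny", dest="10.2.0.0/16", dport=32),
    Rule("deny102_23", 20, "tcp", "deny", dest="10.2.0.0/16", dport=23),
    Rule("allow10_23", 30, "tcp", "permit", dest="10.0.0.0/8", dport=23, qos="Qp4"),
    Rule("allow102", 40, "ip", "permit", dest="10.2.0.0/16", qos="Qp3"),
]

# The permit-established example: telnet-allow ('pre 8') outranks a plain TCP permit, tcp2.
ESTABLISHED_LIST = [
    Rule("telnet-allow", 8, "tcp", "permit-established", dest="10.10.10.100/32", dport=23),
    Rule("tcp2", 20, "tcp", "permit"),
]

HOST_A, HOST_B = "10.10.10.100", "10.10.20.100"


def telnet_handshake_verdicts() -> List[str]:
    """Verdicts for the handshake of a Telnet session Host B tries to open to Host A."""
    syn = Packet("tcp", HOST_B, HOST_A, 4000, 23, SYN)
    synack = Packet("tcp", HOST_A, HOST_B, 23, 4000, SYN | ACK)
    ack = Packet("tcp", HOST_B, HOST_A, 4000, 23, ACK)
    return [evaluate(ESTABLISHED_LIST, p)[0] for p in (syn, synack, ack)]


def session_from_host_a_verdicts() -> List[str]:
    """Verdicts for the handshake of a Telnet session Host A opens to Host B."""
    syn = Packet("tcp", HOST_A, HOST_B, 4000, 23, SYN)
    synack = Packet("tcp", HOST_B, HOST_A, 23, 4000, SYN | ACK)
    ack = Packet("tcp", HOST_A, HOST_B, 4000, 23, ACK)
    return [evaluate(ESTABLISHED_LIST, p)[0] for p in (syn, synack, ack)]


if __name__ == "__main__":
    print("B -> A:23", telnet_handshake_verdicts())
    print("A -> B:23", session_from_host_a_verdicts())
```

The B-to-A SYN is the only packet refused: it reaches port 23 on Host A without ACK or RST, so the higher-precedence telnet-allow rule drops it before tcp2 can permit it, while every packet of a session Host A opens is either not addressed to port 23 on Host A or carries ACK.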
[Figure 16-6: ICMP packets are filtered out]

USING ROUTING ACCESS POLICIES

To use routing access policies, you must perform the following steps:

1 Create an access profile.
2 Configure the access profile to be of type permit, deny, or none.
3 Add entries to the access profile.
CREATING AN ACCESS PROFILE

The first thing to do when using routing access policies is to create an access profile. An access profile has a unique name, and contains one of the following entry types:
• A list of IP addresses and associated subnet masks
• One or more autonomous system path expressions (BGP only)
• One or more BGP community numbers (BGP only)

You must give the access profile a unique name (in the same manner as naming a VLAN, protocol filter, or Spanning Tree Domain).
To configure the access profile mode, use the following command:

config access-profile mode [permit | deny | none]

ADDING AN ACCESS PROFILE ENTRY

Next, configure the access profile by adding or deleting IP addresses, autonomous system path expressions, or BGP communities, using the following command:

config access-profile add {} {permit | deny} [ipaddress {exact} | as-path | bgp-community [i
PERMIT AND DENY ENTRIES
If you have configured the access profile mode to be none, you must specify each entry type as either ‘permit’ or ‘deny’. If you do not specify the entry type, it is added as a permit entry. If you have configured the access profile mode to be permit or deny, it is not necessary to specify a type for each entry.
AUTONOMOUS SYSTEM EXPRESSIONS
The AS-path keyword uses a regular expression string to match against the AS path.
ROUTING ACCESS POLICIES FOR RIP
If you are using the RIP protocol, the switch can be configured to use an access profile to determine any of the following:
• Trusted Neighbor — Use an access profile to determine trusted RIP router neighbors for the VLAN on the switch running RIP.
Figure (RIP example network): Internet 10.0.0.10/24; Backbone (RIP) 10.0.0.11/24, switch being configured; Engsvrs 10.0.0.12/24; Sales 10.1.1.1/24; Engsvrs 10.2.1.
In addition, if the administrator wants to restrict any user belonging to the VLAN Engsvrs from reaching the VLAN Sales (IP address 10.2.1.0/24), the additional access policy commands to build the access policy would be as follows:
create access-profile nosales ipaddress
config access-profile nosales mode deny
config access-profile nosales add 10.2.1.
for the switch as a whole. To configure a direct filter policy, use the following command:
config ospf direct-filter [ | none]
EXAMPLE
Figure 16-8 illustrates an OSPF network that is similar to the network used previously in the RIP example. In this example, access to the Internet is accomplished by using the ASBR function on the switch labeled Internet. As a result, all routes to the Internet will be done through external routes.
To configure the switch labeled Internet, the commands would be as follows:
create access-profile okinternet ipaddress
config access-profile okinternet mode permit
config access-profile okinternet add 192.1.1.0/24
config ospf asbr-filter okinternet
ROUTING ACCESS POLICIES FOR DVMRP
The access policy capabilities for DVMRP are very similar to those for RIP.
To configure the switch labeled Engsvrs, use the following commands:
create access-profile nointernet ipaddress
config access-profile nointernet mode deny
config access-profile nointernet add 10.0.0.10/32
config dvmrp vlan backbone trusted-gateway nointernet
In addition, suppose the administrator wants to preclude users on the VLAN Engsvrs from seeing any multicast streams that are generated by the VLAN Sales across the backbone.
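The following added example (illustrative Python, not switch code) models how an access profile of mode permit, deny or none decides on a route, using the nosales and okinternet profiles from the examples above. How a route that matches no entry is treated, first-match evaluation in the order added (standing in for sequence numbers), and the reading of the exact keyword as "prefix must be identical, not merely contained" are assumptions of the example.

```python
"""Added example: evaluating an ExtremeWare-style routing access profile
against route prefixes and AS paths.  Illustrative, not switch code."""
from dataclasses import dataclass
from typing import Optional
import ipaddress
import re


@dataclass
class Entry:
    kind: str                     # "ipaddress" or "as-path"
    value: str                    # prefix such as "10.2.1.0/24", or an AS-path regex
    action: Optional[str] = None  # "permit"/"deny"; meaningful when the profile mode is none
    exact: bool = False           # ipaddress {exact}: the prefix must match exactly (assumption)


class AccessProfile:
    """mode permit: routes matching an entry are allowed, all others refused.
    mode deny:   routes matching an entry are refused, all others allowed.
    mode none:   each entry carries its own permit or deny.
    The treatment of a route that matches nothing is this example's assumption;
    the manual only states what happens to a match."""

    def __init__(self, name: str, mode: str = "permit"):
        if mode not in ("permit", "deny", "none"):
            raise ValueError(f"unknown mode {mode}")
        self.name, self.mode, self.entries = name, mode, []

    def add(self, kind: str, value: str, action: Optional[str] = None, exact: bool = False):
        if self.mode == "none" and action is None:
            action = "permit"          # manual: an entry without a type is added as permit
        self.entries.append(Entry(kind, value, action, exact))

    @staticmethod
    def _ip_match(entry: Entry, prefix: str) -> bool:
        want = ipaddress.ip_network(entry.value, strict=False)
        have = ipaddress.ip_network(prefix, strict=False)
        if entry.exact:
            return want == have
        return have.subnet_of(want)  # the route lies inside the entry's prefix

    def _match(self, entry: Entry, prefix: Optional[str], as_path: Optional[str]) -> bool:
        if entry.kind == "ipaddress":
            return prefix is not None and self._ip_match(entry, prefix)
        if entry.kind == "as-path":
            return as_path is not None and re.search(entry.value, as_path) is not None
        raise ValueError(f"unknown entry kind {entry.kind}")

    def decide(self, prefix: Optional[str] = None, as_path: Optional[str] = None) -> str:
        """Return 'permit' or 'deny' for one route; the first matching entry decides."""
        for entry in self.entries:
            if self._match(entry, prefix, as_path):
                return entry.action if self.mode == "none" else self.mode
        # no entry matched: invert a permit/deny profile's mode; a none profile refuses
        return "permit" if self.mode == "deny" else "deny"


def build_nosales() -> AccessProfile:
    """The profile from the RIP example in the text."""
    p = AccessProfile("nosales", mode="deny")
    p.add("ipaddress", "10.2.1.0/24")
    return p


def build_okinternet() -> AccessProfile:
    """The profile from the OSPF ASBR example in the text."""
    p = AccessProfile("okinternet", mode="permit")
    p.add("ipaddress", "192.1.1.0/24")
    return p
```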
MAKING CHANGES TO A ROUTING ACCESS POLICY
To configure the switch labeled Engsvrs, the commands would be as follows:
create access-profile nointernet ipaddress
config access-profile nointernet mode deny
config access-profile nointernet add 10.0.0.
on the ingress or egress side, depending on the change. For soft resets to be applied on the ingress side, the changes must have been previously enabled on the neighbor. Changes to profiles applied to OSPF typically require rebooting the switch, or disabling and re-enabling OSPF on the switch.
REMOVING A ROUTING ACCESS POLICY
To remove a routing access policy, you must remove the access profile from the routing protocol or VLAN.
ROUTING ACCESS POLICY COMMANDS
Table 16-3: Routing Access Policy Configuration Commands
Command / Description
config access-profile add {} {permit | deny} [ipaddress {exact} | as-path | bgp-community [internet | no-advertise | no-export | no-export-subconfed | | number ]]
    Adds an entry to the access profile.
Table 16-3: Routing Access Policy Configuration Commands (continued)
Command / Description
config access-profile mode [permit | deny | none]
    Configures the access profile to be one of the following:
    ■ permit — Allows the addresses that match the access profile description.
    ■ deny — Denies the addresses that match the access profile description.
    ■ none — Permits and denies access on a per-entry basis.
Table 16-3: Routing Access Policy Configuration Commands (continued)
Command / Description
config pim vlan [ | all] trusted-gateway [ | none]
    Configures PIM to use the access profile to determine which PIM neighbor is to receive or reject the routes.
config rip vlan [ | all ] export-filter [ | none]
    Configures RIP to suppress certain routes when performing route advertisements.
USING ROUTE MAPS
To create a route map, do the following:
1 Create a route map.
2 Add entries to the route map.
3 Add statements to the route map entries.
config route-map add set [as-path | community [remove | {add | delete} [access-profile | number ] |] next-hop | med | local-preference | origin [igp | egp | incomplete]
config route-map add goto
where the following is true:
• The route-map is the name of the route map.
Table 16-5: Set Operation Keywords
Keyword / Definition
as-path
    Prepends the specified AS number to the AS path in the path attribute.
community
    Adds the specified community to the existing community in the path attribute.
next-hop
    Sets the next hop in the path attribute to the specified IP address.
med
    Sets the MED in the path attribute to the specified MED number.
Figure 16-9: Route maps (AS 1111: Internet, RTA 10.0.0.1; 10.0.0.2 RTB, AS 2222)
The following points apply to this example:
• RTA is a member of AS 1111 and peers with a router in the Internet to receive the entire Internet routing table.
• RTB is a member of AS 2222, and has an EBGP connection with RTA through which it receives the Internet routing table.
• AS 1111 is acting as a transit AS for all traffic between AS 2222 and the Internet.
config bgp-out add 20 permit
config bgp neighbor 10.0.0.2 route-map-filter out bgp-out
config bgp neighbor 10.0.0.
ROUTE MAP COMMANDS
Table 16-6 describes route map commands.
Table 16-6: Route Map Commands
Command / Description
config route-map add goto
    Configures a route map goto statement.
config route-map
Table 16-6: Route Map Commands (continued)
Command / Description
config route-map
17 Server Load Balancing (SLB)
This chapter describes the following topics:
• Overview on page 17-2
• SLB Components on page 17-2
• Forwarding Modes on page 17-5
• VIP Network Advertisement on page 17-12
• Balancing Methods on page 17-13
• Basic SLB Commands on page 17-15
• Advanced SLB Application Example on page 17-18
• Health Checking on page 17-22
• Persistence on page 17-26
• Using High Availability System Features on page 17-27
• 3DNS Support on page 17-32
• Advanced SLB Commands on page 17-32
• Web
SERVER LOAD BALANCING (SLB)
OVERVIEW
Server Load Balancing (SLB) is a feature of the switch that divides many client requests among several servers. This is done transparently to the client trying to use the resource. The main use for SLB is in the capacity of web hosting. Web hosting uses several redundant servers to increase the performance and reliability of busy websites.
SLB COMPONENTS
NODES
A node is an individual service on a physical server that consists of an IP address and a port number.
POOLS
A pool is a group of nodes that are mapped to a corresponding virtual server. Pools are used to more easily scale large networks that contain many nodes. Pools may be configured independently and associated with virtual servers in complex ways. Each pool contains its own load balancing method.
Once you know which virtual server options are useful in your network, you can:
• Define standard virtual servers.
• Define wildcard virtual servers.
USING STANDARD OR WILDCARD VIRTUAL SERVERS
Each virtual server maps to a single pool, which can be a group of content servers, firewalls, routers, or cache servers.
FORWARDING MODES
The switch supports the following SLB forwarding modes:
• Transparent
• Translational
• Port Translation
• GoGo
Table 17-1 summarizes the features supported by each forwarding mode.
To configure transparent mode, use the following command:
create slb vip pool mode transparent {- }:{}
Transparent mode is shown in Figure 17-2.
Figure 17-2 (transparent mode): 2 virtual servers configured; VIP addresses: 192.168.201.1 port 80 representing MyWeb.com points to pool WebVip; 192.168.201.1 port 443 representing MySSL.
• The service is configured to use the appropriate address and port, as specified in the switch configuration.
The commands used to configure the switch in Figure 17-2 are described below. The following commands configure the VLANs and the switch IP addresses and subnets:
create vlan srvr
create vlan clnt
create vlan vips
config srvr ipaddress 192.168.200.10 /24
config clnt ipaddress 10.1.1.1 /24
config vips ipaddress 192.168.201.
The following commands enable SLB, configure the server VLAN to act as the server side, and configure the client VLAN to act as the client side.
enable slb
config vlan srvr slb-type server
config vlan clnt slb-type client
Individual servers require that a loopback address be configured for each IP address to which the server will respond.
TRANSLATIONAL MODE
In translational mode, requests coming in to the VIP are translated to the IP address of the server to be balanced.
Figure (forwarding-mode example): 2 virtual servers configured; VIP addresses: 192.168.201.1 port 80 representing MyWeb.com points to pool WebVip; 192.168.201.1 port 443 representing MySSL.com points to pool SSLVip. Each server responds to requests on its real unique IP address: Server1 192.168.200.1 (port 80 MyWeb, port 443 MySSL); Server2 192.168.200.
config client add port 1-4
enable ipforwarding
The following commands create a round-robin pool, MyWeb, and add nodes to the new pool:
create slb pool MyWeb lb-method round
config slb pool MyWeb add 192.168.200.1:80
config slb pool MyWeb add 192.168.200.2:80
The following command creates a translation mode VIP for the website and assigns the MyWeb pool to it:
create slb vip WebVip pool MyWeb mode translation 192.168.201.
To configure port translation mode, use the following command:
create slb vip pool mode port-translation {- }:{}
GOGO MODE
GoGo mode is a very fast (line rate) method of server load balancing. GoGo mode forwards traffic without manipulating packet content. Session persistence is maintained using IP source address persistence information. Traffic is optimally balanced across groups of 2, 4, or 8 directly attached servers.
The servers are configured as follows:
• All servers have the same MAC address.
• All servers have the same IP address.
• All servers must have the same content.
The commands used to configure the switch as indicated in the example are as follows:
create vlan server
create vlan client
config server ipaddress 10.1.1.1 /24
config client ipaddress 1.1.1.
protocol is enabled, the subnet containing the VIPs is propagated through the network.
BALANCING METHODS
A load balancing method defines, in part, the logic that the switch uses to determine which node should receive a connection hosted by a particular virtual server. Individual load balancing methods take into account one or more dynamic factors, such as current connection count. Because each application of SLB is unique, node performance depends on a number of different factors.
where the number of connections that each machine receives over time is proportionate to the ratio weight you defined for each machine. The ratio method distributes new connections across server ports in proportion to a user-defined ratio. For example, if your array contained one new, high-speed server and two older servers, you could set the ratio so that the high-speed server receives twice as many connections as either of the two older servers.
BASIC SLB COMMANDS
The switch will distribute traffic in round-robin fashion among the pool's active nodes with the highest priority. If all nodes at that priority level go down or hit a session limit maximum, all new sessions will be directed to the nodes at the next lowest priority level. The switch continually monitors the status of the down nodes. As each node comes back up, the switch distributes traffic according to the priorities.
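As an added example that is not part of the guide, the following Python scheduler implements the four balancing methods described above (round-robin, ratio, priority and least-connections), including the fall-through to the next lower priority level when every node at the current level is down or at its session limit. That a larger priority number ranks higher, and the interleaved weighted round-robin used for the ratio method, are assumptions of the example.

```python
"""Added example: the SLB pool balancing methods as a small scheduler.
Illustrative only; the real selection logic lives in the switch."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Node:
    ip: str
    port: int
    ratio: int = 1            # weight used by the ratio method
    priority: int = 1         # assumption: a larger number is a higher priority
    max_connections: int = 0  # 0 = no limit, as for config slb node ... max-connections
    up: bool = True           # cleared when a ping-, port- or service-check fails
    connections: int = 0
    credit: int = 0           # running counter used by the ratio method

    def available(self) -> bool:
        return self.up and (self.max_connections == 0 or self.connections < self.max_connections)

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


class Pool:
    def __init__(self, name: str, lb_method: str = "round-robin"):
        self.name, self.lb_method = name, lb_method
        self.nodes: List[Node] = []
        self._rr = 0              # round-robin position over the full node list

    def add(self, ip: str, port: int, **attrs) -> Node:
        node = Node(ip, port, **attrs)
        self.nodes.append(node)
        return node

    def _candidates(self) -> List[Node]:
        avail = [n for n in self.nodes if n.available()]
        if self.lb_method != "priority" or not avail:
            return avail
        # priority: only nodes at the highest priority level that still has an
        # available node; when they are all down or at their session limit,
        # the next lower level takes over automatically
        top = max(n.priority for n in avail)
        return [n for n in avail if n.priority == top]

    def _round_robin(self, cands: List[Node]) -> Optional[Node]:
        for _ in range(len(self.nodes)):     # keep rotating over the whole list
            node = self.nodes[self._rr % len(self.nodes)]
            self._rr += 1
            if any(node is c for c in cands):
                return node
        return None

    def _ratio(self, cands: List[Node]) -> Node:
        # interleaved weighted round-robin: over sum(ratio) picks each node is
        # chosen ratio times, so a ratio of 2 gets twice the connections
        total = sum(n.ratio for n in cands)
        for n in cands:
            n.credit += n.ratio
        pick = max(cands, key=lambda n: n.credit)
        pick.credit -= total
        return pick

    def select(self) -> Optional[Node]:
        """Pick the node for a new connection, or None if no node is available."""
        cands = self._candidates()
        if not cands:
            return None
        if self.lb_method in ("round-robin", "priority"):
            node = self._round_robin(cands)
        elif self.lb_method == "ratio":
            node = self._ratio(cands)
        elif self.lb_method == "least-connections":
            node = min(cands, key=lambda n: n.connections)
        else:
            raise ValueError(f"unknown lb-method {self.lb_method}")
        node.connections += 1
        return node


def picks(pool: Pool, count: int) -> List[str]:
    """The next `count` selections as 'ip:port' strings (for demonstration)."""
    return [str(pool.select()) for _ in range(count)]
```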
Table 17-2: Basic SLB Commands
Command / Description
create slb pool {slb-method [round-robin | ratio | priority | least-connections]}
    Creates a server pool and optionally assigns a load-balancing method to the pool. The default load-balance method is round-robin. A pool represents a group of physical servers that is used to load-balance one or more VIPs.
Table 17-2: Basic SLB Commands (continued)
Command / Description
disable slb vip {close-connections-now}
    Disables a VIP group. When disabled, no new connections are allowed to the real servers. If close-connections-now is specified, all existing connections are immediately closed. Otherwise, the existing connections are closed naturally, and are subject to connection reaping if idle for longer than the treaper-timeout configured on the SLB port.
Table 17-2: Basic SLB Commands (continued)
Command / Description
show slb pool {detail}
    Displays the current SLB pool configuration and statistics. If detail is not specified, the pool information is shown in a tabular format.
show slb pool {detail}
    Displays the configuration for the specified SLB pool.
show slb l4-port [ | all]
    Displays the SLB configuration for one or all L4 ports.
show slb vip {detail}
    Displays the current VIP configuration and statistics.
ADVANCED SLB APPLICATION EXAMPLE
Figure (advanced SLB application example): server pools "Site1", "Site2" and "Site3" (Round Robin) and "FTP1" (Least Connections); each pool's servers have real unique IP addresses in 192.168.200.1 through 192.168.200.9 (Server1 to Server4 per pool); associated VIPs 192.168.201.1 and following.
To create the virtual IP VLAN, use the following commands:
create vlan sites
config vlan sites ipaddress 192.168.201.254 /24
All VIPs will be configured to use this subnet. There are no ports associated with this VLAN. The following commands create the VLAN servers and enable IP forwarding:
create vlan servers
config vlan servers ipaddress 192.168.200.254 /24
config vlan servers add ports 9-16
enable ipforwarding
The following series of commands creates a Web site.
create slb pool site2web
config slb site2web add 192.168.200.5:80
config slb site2web add 192.168.200.6:80
create slb pool site2ssl
config slb site2ssl add 192.168.200.5:443
config slb site2ssl add 192.168.200.6:443
create slb vip myweb2 pool site2web mode transparent 192.168.201.3:80
create slb vip myssl2 pool site2ssl mode transparent 192.168.201.3:443
enable slb vip myweb2 service-check
config slb vip myweb2 service-check http url “/testpage.
enable slb vip ftpc service-check
config slb vip ftpc service-check ftp user test password testpass
Finally, enable SLB and configure the VLANs to be either client or server, using the following commands.
HEALTH CHECKING
PING-CHECK
Ping-check is Layer 3 based pinging of the physical node. The default ping frequency is one ping generated to the node every 10 seconds. If the node does not respond to any ping within a timeout period of 30 seconds (3 ping intervals), then the node is considered down.
SERVICE-CHECK
Service-check is Layer 7 based application-dependent checking defined on a VIP. Service-checking is performed on each node in the pool with which this VIP is associated. The default frequency is 60 seconds and the default timeout is 180 seconds. Each service check has associated parameters that you can set. These parameters are described in Table 17-3.
For SMTP, service-check identifies the switch by providing the specified DNS domain. The SMTP server might not even use the specified DNS domain for authentication, only identification. For NNTP, service-check queries the newsgroup specified. Because service-checking is configured on a VIP basis, and multiple VIPs can use the same nodes, you can run multiple service-checks against a particular node IP address and port number.
PERSISTENCE
Using persistence, you can ensure that traffic flows do not span multiple servers. The switch supports two types of persistence:
• Client persistence
• Sticky persistence
CLIENT PERSISTENCE
Client persistence for a virtual server provides a persist mask feature. You can define a range of IP addresses that can be matched to a persistent connection. Any client whose source IP address falls within the range is considered a match for the given persistence entry.
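An added illustration (Python, not switch code) of how the persist mask and a timeout combine: clients are keyed by their masked source address, so every client in the masked range follows the node recorded for that range until the entry expires, and clear slb vip persistence empties the table. That an entry's timeout is refreshed on each use is an assumption of the example.

```python
"""Added example: a client-persistence table of the kind enabled with
'enable slb vip <vip> client-persistence {timeout} {mask}'.  Illustrative only."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple


class ClientPersistence:
    def __init__(self, mask: str = "255.255.255.255", timeout: int = 300):
        self.mask = int(ipaddress.IPv4Address(mask))
        self.timeout = timeout                   # seconds an entry stays valid
        self.table: Dict[str, Tuple[str, float]] = {}  # masked client -> (node, last_seen)

    def key(self, client_ip: str) -> str:
        """Apply the persist mask: every client in the range shares one entry."""
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(client_ip)) & self.mask))

    def lookup(self, client_ip: str, now: float) -> Optional[str]:
        """Node this client must go to, or None if no live entry covers it."""
        k = self.key(client_ip)
        hit = self.table.get(k)
        if hit is None:
            return None
        node, last_seen = hit
        if now - last_seen > self.timeout:
            del self.table[k]        # expired: the next request is balanced afresh
            return None
        self.table[k] = (node, now)  # assumption: idle timeout, refreshed on use
        return node

    def record(self, client_ip: str, node: str, now: float) -> None:
        self.table[self.key(client_ip)] = (node, now)

    def clear(self) -> None:
        """Equivalent of 'clear slb vip <vip> persistence'."""
        self.table.clear()


def choose(persist: ClientPersistence, client_ip: str, now: float,
           balancer: Callable[[], str]) -> str:
    """Consult persistence first; otherwise ask the balancing method and record."""
    node = persist.lookup(client_ip, now)
    if node is None:
        node = balancer()
        persist.record(client_ip, node, now)
    return node
```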
You can only activate sticky persistence on wildcard virtual servers. To configure sticky persistence, use this command:
enable slb vip [ | all] sticky-persistence {timeout }
USING HIGH AVAILABILITY SYSTEM FEATURES
The switch supports several advanced redundant system features. Advanced redundant system features provide additional assurance that your content is available if a switch experiences a problem.
The switches in a redundant SLB configuration should have identical SLB configurations except for the failover parameters. You can configure SLB on one switch, upload the configuration, edit it, and download it to the second switch to replicate the configuration.
USING PING-CHECK
Failover ping-check is used to determine if the currently active SLB server has the required network connectivity.
To assign a VIP to a unit, use the following command:
config slb vip unit {1 | 2}
SAMPLE ACTIVE-ACTIVE CONFIGURATION
Figure 17-6 shows an example of an active-active failover configuration.
Figure 17-6 (active-active failover): Switch 1 (unit 1); VLAN inside 1.10.0.2/16; VIP site1 1.10.1.1 (unit 1); VIP site2 1.10.1.2 (unit 2); VLAN server 1.205.0.1/16; pool testpool with real unique IP addresses Server1 1.205.1.1/16 and Server2 1.205.1.2/16; associated VIPs 1.10.1.1 port 80 (site1), 1.10.1.
create vlan inside
create vlan server
config vlan inside ipaddress 1.10.0.2 /16
config vlan inside add port 31
config vlan server ipaddress 1.205.0.1 /16
config vlan server add port 29-30
enable ipforwarding
create slb pool testpool
config slb pool testpool add 1.205.1.1:80
config slb pool testpool add 1.205.1.2:80
create slb vip site1 pool testpool mode transparent 1.10.1.1:80
create slb vip site2 pool testpool mode transparent 1.10.1.
create slb pool testpool
config slb pool testpool add 1.206.1.1:80
config slb pool testpool add 1.206.1.2:80
create slb vip site1 pool testpool mode transparent 1.10.1.1:80
create slb vip site2 pool testpool mode transparent 1.10.1.2:80
enable slb
config vlan inside slb-type client
config vlan server slb-type server
config slb failover unit 2 remote 1.10.0.2 local 1.10.0.
3DNS SUPPORT
When you enable SLB, the switch reports health status to 3DNS using the iQuery™ protocol from F5 Networks®. The health status of the nodes within the server farm is based on L3, L4, L7, or external health checker mechanisms.
ADVANCED SLB COMMANDS
Table 17-4 describes advanced SLB commands.
Table 17-4: Advanced SLB Commands
Command / Description
clear slb vip [ | all] persistence
    Resets all connection information in the persistence table.
Table 17-4: Advanced SLB Commands (continued)
Command / Description
config slb failover unit [1 | 2] remote-ip local-ip : {alive-frequency timeout } {dead-frequency }
    Configures the slb failover. Specify the following:
    ■ remote-ip-address — The remote peer IP address.
    ■ local-ip-address — The address of a local IP interface used for the failover connection.
EXTREMEWARE SOFTWARE USER GUIDE
Table 17-4: Advanced SLB Commands (continued)
Command / Description
config slb global [ping-check | tcp-port-check | service-check] frequency timeout
    Configures default health checking frequency and timeout period. If the health check frequency and timeout are not specified for a specific node or VIP, the global values are used. Specify one of the following service checkers:
    ■ ping-check – L3-based pinging of the physical node.
Table 17-4: Advanced SLB Commands (continued)
Command / Description
config slb global telnet userid password {encrypted} {}
    Configures the default parameters for L7 service checking. If the password is not provided, you are prompted for the password twice.
config slb node :{} max-connections ]
    Configures the maximum number of simultaneous connections that can be established to a node. Use 0 to specify no limit. The default setting is 0.
Table 17-4: Advanced SLB Commands (continued)
Command / Description
config slb vip unit {1 | 2}
    Configures a unit number of a VIP name for active-active failover. The default unit number is 1.
disable slb 3dns iquery-client
    Disables 3DNS support.
disable slb failover
    Disables SLB failover.
disable slb failover manual-failback
    Disables manual failback.
disable slb failover ping-check
    Disables ping-check to an external gateway.
Table 17-4: Advanced SLB Commands (continued)
Command / Description
enable slb node ping-check
    Enables L3 pinging to the node address. Ping-check is automatically enabled when a node is added to a pool.
enable slb node : tcp-port-check
    Enables L4 port-check to the node address.
enable slb vip [ | all] client-persistence {timeout } {mask }
    Enables client persistence and specifies the timeout and client address mask.
Table 17-4: Advanced SLB Commands (continued)
Command / Description
enable slb vip [ | all] svcdown-reset
    Enables the svcdown-reset configuration. If enabled, the switch sends TCP RST to both the clients and the node, if the node associated with this VIP completely fails a ping-check, port-check, or service-check. Otherwise, the connections to the node are left as is, and are subject to connection reaping if idle for longer than the treaper-timeout configured on the SLB port.
WEB CACHE REDIRECTION
FLOW REDIRECTION COMMANDS
To configure flow redirection, use the commands listed in Table 17-5.
Table 17-5: Flow Redirection Commands
Command / Description
config flow-redirection add next-hop
    Adds the next hop host (gateway) that is to receive the packets that match the flow policy. By default, ping-based health checking is enabled.
config flow-redirection delete
    Deletes the next hop host (gateway).
Figure 17-7: Flow-redirection example (Internet; Web client A and Web client B on client VLAN 10.10.10.1/24, 10.10.30.1/24; cache VLAN 10.10.20.1/24 with cache device 1 10.10.20.10/24 and cache device 2 10.10.20.11/24)
The following commands are used to configure the switch in this example:
create vlan client
config vlan client add port 1
config vlan client ipaddress 10.10.10.1/24
create vlan cache
config vlan cache add port 2
config vlan cache ipaddress 10.10.20.
18 Status Monitoring and Statistics
This chapter describes the following topics:
• Status Monitoring on page 18-1
• Slot Diagnostics on page 18-3
• Port Statistics on page 18-4
• Port Errors on page 18-5
• Port Monitoring Display Keys on page 18-6
• Setting the System Recovery Level on page 18-7
• Logging on page 18-7
• RMON on page 18-12
Viewing statistics on a regular basis allows you to see how well your network is performing.
STATUS MONITORING AND STATISTICS
For more information about show commands for a specific ExtremeWare feature, refer to the appropriate chapter in this guide. Table 18-1 describes show commands that are used to monitor the status of the switch.
Table 18-1: Status Monitoring Commands
Command / Description
show diag { | msm-a | msm-b}
    Displays software diagnostics. For BlackDiamond switches, optionally specify a slot number of the MSM64i.
Table 18-1: Status Monitoring Commands (continued)
Command / Description
show version
    Displays the hardware and software versions currently running on the switch. Displays the switch serial number and version numbers of MSM64i and I/O modules (BlackDiamond switch).
SLOT DIAGNOSTICS
The BlackDiamond switch provides a facility for running normal or extended diagnostics on an I/O module or a Management Switch Fabric Module (MSM) without affecting the operation of the rest of the system.
• extended — Takes the switch fabric and ports offline, and performs extensive ASIC, ASIC-memory, and packet loopback tests. Extended diagnostic tests take a maximum of 15 minutes. The CPU is not tested. Console access is available during extended diagnostics.
• — Specifies the slot number of an I/O module. Once the diagnostics test is complete, the system attempts to bring the I/O module back online. This parameter is applicable to the BlackDiamond switch only.
• Received Broadcast (RX Bcast) — The total number of frames received by the port that are addressed to a broadcast address.
• Received Multicast (RX Mcast) — The total number of frames received by the port that are addressed to a multicast address.
PORT ERRORS
The switch keeps track of errors for each port.
The following port receive error information is collected by the switch:
• Receive Bad CRC Frames (RX CRC) — The total number of frames received by the port that were of the correct length, but contained a bad FCS value.
• Receive Oversize Frames (RX Over) — The total number of good frames received by the port greater than the supported maximum length of 1,522 bytes. For products that use the “i” chipset, ports with jumbo frames enabled do not increment this counter.
Table 18-2: Port Monitoring Display Keys (continued)
Key(s) / Description
[Space]
    Cycles through the following screens:
    ■ Packets per second
    ■ Bytes per second
    ■ Percentage of bandwidth
    Available using the show port utilization command only.
SETTING THE SYSTEM RECOVERY LEVEL
Table 18-3: Fault Levels Assigned by the Switch
Level / Description
Critical
    A desired switch function is inoperable. The switch may need to be reset.
Warning
    A noncritical error that may lead to a function failure.
Informational
    Actions and events that are consistent with expected behavior.
Debug
    Information that is useful when performing detailed troubleshooting procedures.
LOGGING
LOCAL LOGGING
The switch maintains 1,000 messages in its internal log. You can display a snapshot of the log at any time by using the command
show log {}
where the following is true:
• priority — Filters the log to display messages with the selected priority or higher (more critical). Priorities include (in order) critical, emergency, alert, error, warning, notice, info, and debug. If not specified, all messages are displayed.
• Configure remote logging by using the following command:
config syslog {add} {}
Specify the following:
• ipaddress — The IP address of the syslog host.
• facility — The syslog facility level for local use. Options include local0 through local7.
• priority — Filters the log to display messages with the selected priority or higher (more critical).
LOGGING COMMANDS
The commands described in Table 18-5 allow you to configure logging options, reset logging options, display the log, and clear the log.
Table 18-5: Logging Commands
Command / Description
clear counters
    Clears all switch statistics and port counters.
clear log {static}
    Clears the log. If static is specified, the critical log messages are also cleared.
config log display {}
    Configures the real-time log display.
Table 18-5: Logging Commands (continued)
Command / Description
enable log display
    Enables the log display.
enable syslog
    Enables logging to a remote syslog host.
show log {}
    Displays the current snapshot of the log. Options include:
    ■ priority — Filters the log to display messages with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug.
show log config
RMON
• Management workstation — Communicates with the RMON probe and collects the statistics from it. The workstation does not have to be on the same network as the probe, and can manage the probe by in-band or out-of-band connections.
RMON FEATURES OF THE SWITCH
The IETF defines nine groups of Ethernet RMON statistics. The switch supports the following four of these groups:
• Statistics
• History
• Alarms
• Events
This section describes these groups, and discusses how they can be used.
Alarms inform you of a network performance problem and can trigger automated action responses through the Events group.
EVENTS
The Events group creates entries in an event log and/or sends SNMP traps to the management workstation. An event is triggered by an RMON alarm. The action taken can be configured to ignore it, to log the event, to send an SNMP trap to the receivers listed in the trap receiver table, or to both log and send a trap.
EVENT ACTIONS
The actions that you can define for each alarm are shown in Table 18-6.
Table 18-6: Event Actions
Action / High Threshold
No action
Notify only
    Send trap to all trap receivers.
Notify and log
    Send trap; place entry in RMON log.
To be notified of events using SNMP traps, you must configure one or more trap receivers, as described in Chapter 3.
19 Using ExtremeWare Vista
This chapter covers the following topics:
• Enabling and Disabling Web Access on page 19-2
• Setting Up Your Browser on page 19-2
• Accessing ExtremeWare Vista on page 19-3
• Navigating ExtremeWare Vista on page 19-4
• Saving Changes on page 19-6
• Filtering Information on page 19-6
• Do a GET When Configuring a VLAN on page 19-7
• Sending Screen Output to Extreme Networks on page 19-7
ExtremeWare Vista is device-management software running in the switch that allows you to acces
USING EXTREMEWARE VISTA
ENABLING AND DISABLING WEB ACCESS
By default, Web access is enabled on the switch. Use of ExtremeWare Vista Web access can be restricted through the use of an access profile. An access profile permits or denies a named list of IP addresses and subnet masks.
• Check for newer versions of stored pages. Every visit to the page should be selected as a cache setting. If you are using Netscape Navigator, configure the cache option to check for changes “Every Time” you request a page. If you are using Microsoft Internet Explorer, configure the Temporary Internet Files setting to check for newer versions of stored pages by selecting “Every visit to the page.”
• Images must be auto-loaded.
ACCESSING EXTREMEWARE VISTA
To correct this situation, log out of the switch and log in again.
NAVIGATING EXTREMEWARE VISTA
After logging in to the switch, the ExtremeWare Vista home page is displayed. ExtremeWare Vista divides the browser screen into the following sections:
• Task frame
• Content frame
• Standalone buttons
TASK FRAME
The task frame has two sections: menu buttons and submenu links.
BROWSER CONTROLS
Browser controls include drop-down list boxes, check boxes, and multi-select list boxes. A multi-select list box has a scrollbar on the right side of the box. Using a multi-select list box, you can select a single item, all items, a set of contiguous items, or multiple non-contiguous items. Table 19-1 describes how to make selections from a multi-select list box.
SAVING CHANGES

There are two ways to save your changes to non-volatile storage using ExtremeWare Vista:
• Select Save Configuration from the Configuration task button, Switch option. This field contains a drop-down list box that allows you to select either the primary or secondary configuration area. After you select the configuration area, click Submit to save the changes.
• Click the Logout button.
DO A GET WHEN CONFIGURING A VLAN

When configuring a VLAN using ExtremeWare Vista, prior to editing the VLAN configuration, you must first click the get button to ensure that subsequent edits are applied to the correct VLAN. If you do not click the get button and you submit the changes, the changes will be made to the VLAN that was previously displayed.
20 Software Upgrade and Boot Options

This chapter describes the following topics:
• Downloading a New Image on page 20-1
• Saving Configuration Changes on page 20-3
• Using TFTP to Upload the Configuration on page 20-4
• Using TFTP to Download the Configuration on page 20-5
• Synchronizing MSMs on page 20-7
• Upgrading and Accessing BootROM on page 20-7
• Boot Option Commands on page 20-8

DOWNLOADING A NEW IMAGE

The image file contains the executable code that runs on the switch.
• Download the new image to the switch using the command

download image [<ipaddress> | <hostname>] <filename> {primary | secondary}

where the following is true:
ipaddress — Is the IP address of the TFTP server.
hostname — Is the hostname of the TFTP server. (You must enable DNS to use this option.)
filename — Is the filename of the new image.
primary — Indicates the primary image.
secondary — Indicates the secondary image.
SAVING CONFIGURATION CHANGES

The configuration is the customized set of parameters that you have selected to run on the switch. As you make configuration changes, the new settings are stored in run-time memory. Settings that are stored in run-time memory are not retained by the switch when the switch is rebooted. To retain the settings, and have them load when you reboot the switch, you must save the configuration to nonvolatile storage.
USING TFTP TO UPLOAD THE CONFIGURATION

You can upload the current configuration to a TFTP server on your network. The uploaded ASCII file retains the command-line interface (CLI) format. This allows you to do the following:
• Modify the configuration using a text editor, and later download a copy of the file to the same switch, or to one or more different switches.
USING TFTP TO DOWNLOAD THE CONFIGURATION

You can download ASCII files that contain CLI commands to the switch to modify the switch configuration. There are three types of configuration scenarios that can be downloaded:
• Complete configuration
• Incremental configuration
• Scheduled incremental configuration

DOWNLOADING A COMPLETE CONFIGURATION

Downloading a complete configuration replicates or restores the entire configuration to the switch.
To download an incremental configuration, use the following command:

download configuration [<ipaddress> | <hostname>] <filename> {incremental}

SCHEDULED INCREMENTAL CONFIGURATION DOWNLOAD

You can schedule the switch to download a partial or incremental configuration on a regular basis. You could use this feature to update the configuration of the switch regularly from a centrally administered TFTP server.
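Because the uploaded configuration keeps CLI format and a scheduled incremental download pushes whatever file sits on the central TFTP server, a practitioner will want to review those files before and after the fact: compare a new upload against a stored baseline to catch drift, and scan an incremental file for management-access commands before placing it on the server. The script below is an added example written for this page, not an ExtremeWare tool. It assumes one CLI command per line with `#` comments; the two configuration dumps and the watchlist of sensitive command prefixes are constructed for illustration (the prefixes are commands named in this manual's command index plus the Telnet enable/disable commands, and should be extended for your own environment).

```python
"""Diff two uploaded CLI configuration dumps and flag management-access
changes; also scan an incremental configuration file before it is served.

Added example, not ExtremeWare code. File format (one command per line,
'#' comments) and the watchlist are assumptions for illustration.
"""
import re

# Constructed watchlist of command prefixes that change who can manage
# the switch. Extend it for your environment.
SENSITIVE_PREFIXES = (
    "create account",
    "config account",
    "config access-profile",
    "enable telnet",
    "disable telnet",
    "enable radius",
    "disable radius",
    "enable license security",
)

BASELINE_CONFIG = """\
# Constructed sample: baseline saved from an earlier 'upload configuration'
create vlan mgmt
config iproute add default 10.1.5.254
disable telnet
enable radius
create account admin ops
disable rip
"""

CURRENT_CONFIG = """\
# Constructed sample: a later upload from the same switch
create vlan mgmt
config iproute add default 10.1.5.254
enable   telnet
enable radius
create account admin ops
create account admin tmpadmin
disable rip
enable ospf
"""


def parse_config(text: str) -> list:
    """Return the ordered list of normalised commands in a CLI dump."""
    commands = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]              # drop comments
        line = re.sub(r"\s+", " ", line).strip()  # collapse whitespace
        if line:
            commands.append(line)
    return commands


def diff_configs(baseline_text: str, current_text: str):
    """Return (added, removed) command lists, current relative to baseline."""
    base, cur = set(parse_config(baseline_text)), set(parse_config(current_text))
    return sorted(cur - base), sorted(base - cur)


def sensitive_changes(added: list, removed: list) -> list:
    """Keep only the diff entries that touch management access."""
    flagged = [("+", c) for c in added if c.startswith(SENSITIVE_PREFIXES)]
    flagged += [("-", c) for c in removed if c.startswith(SENSITIVE_PREFIXES)]
    return flagged


def sensitive_commands(text: str) -> list:
    """Scan a (possibly incremental) config file for watchlisted commands."""
    return [c for c in parse_config(text) if c.startswith(SENSITIVE_PREFIXES)]


def review(baseline: str = BASELINE_CONFIG, current: str = CURRENT_CONFIG) -> dict:
    added, removed = diff_configs(baseline, current)
    return {"added": added, "removed": removed,
            "flagged": sensitive_changes(added, removed)}


if __name__ == "__main__":
    result = review()
    for sign, cmd in result["flagged"]:
        print(sign, cmd)
    # prints the account creation and the Telnet enable/disable change
```

The normalisation only collapses whitespace and comments; since the CLI accepts abbreviated commands (see the Abbreviated Syntax section earlier in this guide), a dump written by hand may spell the same command differently, so expand abbreviations before comparing if your files mix styles.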
SYNCHRONIZING MSMS

On the BlackDiamond switch, you can take the master MSM configurations and images and replicate them on the slave MSM using the following command:

synchronize

In addition to replicating the configuration settings and images, this command also replicates which configuration or image the MSM should use on subsequent reboots. This command does not replicate the run-time configuration. You must use the save configuration command to store the run-time configuration first.
As soon as you see the BootROM-> prompt, release the spacebar. You can see a simple help menu by pressing h. Options in the menu include
— Selecting the image to boot from
— Booting to factory default configuration
— Performing a serial download of an image

For example, to change the image that the switch boots from in flash memory, press 1 for the image stored in primary or 2 for the image stored in secondary.
BOOT OPTION COMMANDS

Table 20-1: Boot Option Commands (continued)

Command: download configuration [<ipaddress> | <hostname>] <filename> {incremental}
Description: Downloads a complete configuration. Use the incremental keyword to specify an incremental configuration download.

Command: download configuration cancel
Description: Cancels a previously scheduled configuration download.

Command: download configuration every <hour>
Description: Schedules a configuration download. Specify the hour using a 24-hour clock, where the range is 0 to 23.
Table 20-1: Boot Option Commands (continued)

Command: use configuration [primary | secondary]
Description: Configures the switch to use a particular configuration on the next reboot. Options include the primary configuration area or the secondary configuration area.

Command: use image [primary | secondary]
Description: Configures the switch to use a particular image on the next reboot.
A Supported Standards

The following is a list of software standards supported by ExtremeWare.

Standards and Protocols
RFC 1058 RIP
RFC 783 TFTP
RFC 1723 RIP v2
RFC 1542 BootP
RFC 1112 IGMP
RFC 854 Telnet
RFC 2236 IGMP v2
RFC 768 UDP
DVMRP v3 - Draft IETF DVMRP v3-07
RFC 791 IP
PIM-DM v2 - Draft IETF PIM-DM v2-dm-01
RFC 792 ICMP
RFC 1587 NSSA option
RFC 793 TCP
RFC 2178 OSPF
RFC 826 ARP
RFC 1122 Host requirements
RFC 2068 HTTP
IEEE 802.1D-1998 (802.
Management and Security
RFC 1157 SNMP v1/v2c
RFC 1757 Four groups of RMON
RFC 1213 MIB II
RFC 2021 RMON probe configuration
RFC 1354 IP forwarding table MIB
RFC 2239 802.
B Troubleshooting

If you encounter problems when using the switch, this appendix may be helpful. If you have a problem not listed here or in the “Release Notes,” contact your local technical support representative.

LEDS

Power LED does not light: Check that the power cable is firmly connected to the device and to the supply outlet.

On powering-up, the MGMT LED lights yellow: The device has failed its Power On Self Test (POST) and you should contact your supplier for advice.
• Both ends of the Gigabit link are set to the same autonegotiation state. Both sides of the Gigabit link must be enabled or disabled. If the two are different, typically the side with autonegotiation disabled will have the link LED lit, and the side with autonegotiation enabled will not. The default configuration for a Gigabit port is autonegotiation enabled.
If this does not work, try using a different power source (different power strip/outlet) and power cord.

USING THE COMMAND-LINE INTERFACE

The initial welcome prompt does not display: Check that your terminal or terminal emulator is correctly configured. For console port access, you may need to press [Return] several times before the welcome prompt appears. Check the settings on your terminal or terminal emulator.
The SNMP Network Manager or Telnet workstation can no longer access the device: Check that Telnet access or SNMP access is enabled. Check that the port through which you are trying to access the device has not been disabled. If it is enabled, check the connections and network cabling at the port. Check that the port through which you are trying to access the device is in a correctly configured VLAN. Try accessing the device through a different port.
In the case where no one knows a password for an administrator-level user, contact your supplier.

PORT CONFIGURATION

No link light on 10/100 Base port: If patching from a hub or switch to another hub or switch, ensure that you are using a CAT5 cross-over cable. This is a CAT5 cable that has pins 1&2 on one end connected to pins 3&6 on the other end.
Ensure that you are using multi-mode fiber (MMF) when using a 1000BASE-SX GBIC, and single-mode fiber (SMF) when using a 1000BASE-LX GBIC. 1000BASE-SX does not work with SMF. 1000BASE-LX works with MMF, but requires the use of a mode conditioning patchcord (MCP).
802.1Q links do not work correctly: Remember that VLAN names are only locally significant through the command-line interface. For two switches to communicate across an 802.1Q link, the VLAN ID for the VLAN on one switch should have a corresponding VLAN ID for the VLAN on the other switch. If you are connecting to a third-party device and have checked that the VLAN IDs are the same, the Ethertype field used to identify packets as 802.
DEBUG TRACING

ExtremeWare includes a debug-tracing facility for the switch. The show debug-tracing command can be applied to one or all VLANs, as follows:

show debug-tracing {vlan <name>}

The debug commands should only be used under the guidance of Extreme Networks technical personnel.

TOP COMMAND

The top command is a utility that indicates CPU utilization by process.
Index Numerics 3DNS 17-32 802.
port configuration 4-2 port-mirroring, virtual port 4-11 slot configuration 4-1 verifying load sharing 4-11 blackhole entries, FDB 7-2 boot option commands (table) 20-8 BOOTP and UDP-Forwarding 11-17 BOOTP relay, configuring 11-16 BOOTP, using 3-4 BootROM menu, accessing 20-7 prompt 20-8 upgrading 20-7 Border Gateway Protocol.
host attach 10-9 linking switches 10-12 master behavior 10-5 definition 10-2 determining 10-3 electing 10-6 election algorithms 10-5 port blocks 10-7 standby mode behavior 10-6 definition 10-2 super-VLAN 10-13 using 10/100 ports 10-7 Events, RMON 18-14 external health checking, SLB 17-25 Extreme Discovery Protocol See EDP Extreme Standby Router Protocol.
resetting 14-14 settings, displaying 14-13 show commands (table) 14-13 IP multinetting description 11-7 example 11-9 primary VLAN interface 11-7 secondary VLAN interface 11-7 using 11-8 IP route sharing 11-5 IP TOS configuration commands (table) 9-16 IP unicast routing basic IP commands (table) 11-19 BOOTP relay 11-16 configuration examples 11-25 configuring 11-10 default gateway 11-2 description 1-4 DHCP relay 11-16 disabling 11-28 ECMP enabling 11-11 IP route sharing 11-5 multinetting, description 11-7 mu
verifying the configuration on Summit switch 5-10 local logging 18-9 log display 18-9 logging and Telnet 18-9 commands (table) 18-11 configuration changes 18-10 description 18-7 fault level 18-7 local 18-9 message 18-8 QoS monitor 9-22 real-time display 18-9 remote 18-9 subsystem 18-8 timestamp 18-7 logging in 2-11 M MAC-based VLAN configuration commands (table) 6-22 example 6-22 timed configuration download 6-23 maintenance mode, SLB 17-25 management access 2-9 Management Switch Fabric Module.
port-mirroring BlackDiamond switch configuration commands (table) 4-12 BlackDiamond switch example 4-12 description on BlackDiamond switch 4-11 description on Summit switch 5-10 example on Summit switch 5-12 Summit switch configuration commands (table) 5-11 virtual port on BlackDiamond switch 4-11 virtual port on Summit switch 5-11 primary image 20-2 profiles, QoS 9-6 protocol filters 6-10 protocol filters, IPX 15-7 Protocol Independent Multicast- Dense Mode.
configuration commands (table) 16-35 creating 16-30 description 16-2, 16-29 example 16-32 goto entries 16-31 match entries 16-31 match operation keywords (table) 16-31 processing 16-32 set entries 16-31 set operation keywords (table) 16-32 route sharing.
using 3-10 SNTP configuration commands (table) 3-25 configuring 3-22 Daylight Savings Time 3-22 description 3-21 example 3-25 Greenwich Mean Time offset 3-22 Greenwich Mean Time Offsets (table) 3-23 Spanning Tree Protocol.
Virtual LANs.
Index of Commands C clear counters 18-11 clear dlcs 9-26 clear fdb 7-3, 9-11 clear igmp snooping 14-14 clear iparp 11-19, 11-28 clear ipfdb 11-19, 11-28 clear ipmc cache 14-14 clear log 18-11 clear session 2-6, 3-6 clear slb connetions 17-15 clear slb vip persistence 17-32 clear slot 4-2, 4-4 config access-profile 16-28 config access-profile add 16-17, 16-27 config access-profile delete 16-18, 16-27 config access-profile mode 16-17 config access-profile type 16-16 config account 2-6 config banner 2-6 confi
16-28 config esrp port-mode 10-14 config fdb agingtime 7-3 config flow redirection add next-hop 17-39 config flow-redirection delete next-hop 17-39 config gvrp 6-20 config igmp query_interval 14-8 config igmp snooping 14-8 config iparp add 11-19 config iparp add proxy 11-5, 11-20 config iparp delete 11-20 config iparp delete proxy 11-20 config iparp timeout 11-20 config ipmc cache timeout 14-14 config iproute add 11-21 config iproute add blackhole 11-21 config iproute add default 11-11, 11-22 config iproute
config rip vlan import-filter 16-19, 16-29 config rip vlan trusted-gateway 16-19, 16-29 config route-map add 16-30, 16-36 config route-map add goto 16-31, 16-35 config route-map add match 16-30, 16-35 config route-map add set 16-31, 16-35 config route-map delete 16-36 config route-map delete goto 16-35 config route-map delete match 16-36 config route-map delete set 16-36 config slb 3dns-encryption-key 17-32 config slb failover 17-27, 17-28, 17-33 config slb failover failback-now 17-31, 17-32 config slb fail
create access-list udp destination 16-9 create access-profile 16-29 create account 2-7, 2-12 create bgp neighbor 13-14 create fdbentry 7-4, 9-10 create flow-redirection 17-39 create isq-server 9-25, 9-27 create ospf area 12-7, 12-24 create protocol 6-15 create qosprofile 9-8 create route-map 16-30, 16-36 create slb pool 17-3, 17-16 create slb vip 17-4 create slb vip pool mode 17-6, 17-8, 17-11 create stpd 8-6, 8-8 create udp-profile 11-19 create vlan 2-7, 6-15 D delete access-list 16-4, 16-10 delete access
disable radius-accounting 3-16 disable red ports 9-8 disable rip 12-20 disable rip aggregation 12-20 disable rip export 11-4, 12-13, 12-20 disable rip originate-default 12-20 disable rip poisonreverse 12-20 disable rip splithorizon 12-20 disable rip triggerupdates 12-20 disable rmon 18-14 disable sharing 4-5, 4-10, 5-4, 5-10 disable slb 17-16 disable slb 3dns 17-36 disable slb failover 17-36 disable slb failover manual-failback 17-36 disable slb failover ping-check 17-36 disable slb global synguard 17-36 di
enable license 2-8 enable license security 3-7 enable log display 18-9, 18-12 enable loopback-mode vlan 11-21 enable mac-vlan 6-22 enable mirroring 4-12, 5-11 enable multinetting 11-21 enable ospf 11-11, 12-24 enable ospf export 11-4, 12-24 enable ospf export direct 12-24 enable ospf export rip 12-12, 12-24 enable ospf export static 12-12, 12-24 enable ospf export vip 12-12, 12-24 enable pim 14-5, 14-7 enable ports 4-3, 4-5, 5-1, 5-4 enable qosmonitor 9-22 enable radius 3-16 enable radius-accounting 3-16 en
show dlcs 9-27 show dns-client 2-13 show dot1p 9-14 show dvmrp 14-13 show edp 4-13, 5-12 show esrp 10-5, 10-13, 10-16, 10-20 show esrp vlan 10-16 show fdb 7-5, 9-12, 9-23 show flow-redirection 17-39 show gvrp 6-20 show igmp snooping 14-13 show iparp 11-11, 11-15, 11-27 show iparp proxy 11-27 show ipconfig 11-11, 11-16, 11-27 show ipfdb 11-11, 11-28 show ipmc cache 14-13 show iproute 11-11, 11-28 show ipstats 11-28 show ipxconfig 15-6, 15-13 show ipxrip 15-6, 15-13 show ipxroute 15-6, 15-13 show ipxsap 15-6,
unconfig vlan xnetid 15-14 upload configuration 2-13, 20-4, 20-9 upload configuration cancel 20-4, 20-9 use configuration 20-3, 20-10 use image 20-2, 20-10 X xping 15-9