EXT-XOSS&Rv23-SG-v1.1 (Extended)

Campus EXOS

Switching and Routing


Student Guide
Version 2.3
© 2019 Extreme Networks, Inc. All rights reserved 3
All ExtremeXOS switches may be managed via their console or COM port for out-of-band access to a
Command-Line Interface (CLI). The console port on a device may be either an RJ45 or a DB9
connector, which may be connected to a VT-type terminal, a PC with a terminal emulation application
(such as PuTTY or TeraTerm Pro), or to a modem.

The console port on a switch may be either an RJ45 or a DB9 connector; the settings are 9600, 8,
N, 1, Xon/Xoff.

In addition to Local Management there are various configuration and management options for all
Extreme switches, which vary by switch product family.

Management options include:


• CLI via Console Port connection
• CLI via Telnet and SSH
• SNMP and HTTP/HTTPS

Additionally, EXOS supports clients for RADIUS, TACACS+, Syslog, SNTP and FTP.



Extreme Management Center is a single pane of glass for the network. It is one piece of software that
provides network administrators and operators visibility and control over their wired and wireless
network infrastructure. Extreme Management Center is a multi-user platform with definable roles
and privileges tied to the individual username or group. For instance, a helpdesk user may have read-
only permissions and can view current device status, whereas a network administrator would be able
to access a particular device and alter its configuration.

Extreme Management Center provides a collection of software tools and a suite of plugin
applications that can help you configure and manage networks of varying complexity. Each is designed
to facilitate specific network management tasks while sharing data and providing common controls
and a consistent user interface.

Together, they provide comprehensive remote management support for all Extreme intelligent
network management devices as well as any SNMP MIB-I or MIB-II manageable devices.



Note: Switch login events will not be processed until the switch's Authentication Service (AAA) has
completed its startup process. This is indicated by the following messages on the switch's console:

(pending-AAA) login:

Authentication Service (AAA) on the master node is now available for login

Password policies are disabled by default.

Management User Accounts


Platforms support up to 16 management accounts. Account passwords are case sensitive.
An optional password policy configures complexity, history, age and min-length.

Privilege level
“#” indicates administrator level access
“>” indicates user level access



The “show switch” command displays the following information:
• SysName
• SysLocation
• SysContact
• System MAC
• System Type
• SysHealth check
• Recovery Mode
• System Watchdog
• Current Time
• Timezone
• Boot Time
• Boot Count
• Next Reboot
• System UpTime
• Current State
• Image Selected
• Image Booted
• Primary version
• Secondary version
• Config Booted
• Config Selected

show version images (Displays the installed ExtremeXOS images on each system partition)


Displaying a switch’s configuration:
show configuration (shows the running configuration, i.e. all configuration added on top of the
factory defaults)
show config vlan (shows only VLAN configuration)
show config eaps (shows only EAPS configuration)
show config lacp (shows only LACP configuration)
show config detail (shows all configuration, including the defaults)

Scheduled Reboot
reboot time [month | day | year | hour | minutes | seconds]



Displaying a port’s configuration:
show ports {port_list | tag tag} (Displays port summary statistics)
show ports {mgmt | port_list | tag tag} configuration (Displays port configuration statistics, in
real time or snapshot)
show port {mgmt |port_list | tag tag} information {detail} (Displays detailed system-related
information)

Displaying a VLAN’s configuration:


show vlan {virtual-router vr-name}
show [ { vlan } vlan_name | vlan vlan_list ] {ipv4 | ipv6}
show vlan [tag tag | detail] {ipv4 | ipv6}
show vlan ports



When downloading an image to the switch, only one of the two system partitions can be specified. These
partitions are called Primary and Secondary, and they provide the ability to upgrade a software image
without overwriting the active image. You can also specify the Active or Inactive partition if the specific
partition is not known. This is useful if you are using scripts to upload image files.
By default the “download image” command will select the download partition as the boot image. You
can manually change this by issuing the “use image [primary | secondary]” command.
Downloading a software image file: the image file extensions are “.xos” for a software image and
“.xmod” for a software module.
download [url url {vr vrname} | image [active | inactive] [[hostname | ipaddress] filename {{vr}
vrname} {block-size block_size} | memorycard filename] {partition}
Default TFTP download:
download image inactive 10.1.10.1 imagefile.xos
USB image download:
download image memorycard filename.xos primary
URL image download:
download url http://10.1.10.1/filename.xos primary
download url tftp://10.1.10.1/filename.xos secondary
download url ftp://10.1.10.1/imagefile.xmod primary
To download or upload a non-image file:
tftp [get | put] [ip-address | host-name] {vr vr_name} {block-size block_size} remote-file local-file
{force-overwrite}

The running configuration can be saved to the switch’s flash at any time. Each configuration file is
automatically identified with the “.cfg” extension. These files are in XML format and cannot easily be
edited. Script files have the extension “.xsf” and policy files have the extension “.pol”.

Saving the running configuration:


save configuration {primary | secondary | existing-config | new-config}
(The command options “primary” and “secondary” are for compatibility with older ExtremeWare
switches and in ExtremeXOS will create the files “primary.cfg” and “secondary.cfg”. It is not
recommended to use these filenames, although XMC uses them when it is managing a switch's
configuration)

To save the running configuration as a CLI format script file:


save configuration as-script script-name

To run a script file:


load script <filename> or run script <filename>

To save the running configuration automatically:


save configuration automatic {every minutes {primary | secondary | existing-config | new-config}}

To download or upload a file including configuration files, script files and policy files:
tftp [get | put] [ip-address | host-name] {vr vr_name} {block-size block_size} remote-file local-file
{force-overwrite}



To create a mirror:
create mirror mirror_name {to [[port port | port-list port_list loopback-port port] {remote-tag rtag} |
remote-ip remote_ip_address {{vr} vr_name} {from [source_ip_address | auto-source-ip]}
{ping-check [on | off]}]} {description mirror-desc}

To configure a mirror by adding or removing traffic filters:


configure mirror {mirror_name} [add | delete] [[{vlan} vlan_name | vlan vlan_id] {ingress} | port port
{ingress} | ip-fix | port port vlan [vlan_id | vlan_name] {ingress}]

To enable a mirror instance:


enable mirror mirror_name

To enable mirroring to a port or VLAN:


enable mirror to [port port | port-list port_list loopback-port port] {remote-tag tag}

To enable mirroring to an IP host:


enable mirror {mirror_name} to remote-ip remote_ip_address {{vr} vr_name} {from
[source_ip_address | auto-source-ip]} {ping-check [on | off]}

All ExtremeXOS Switches operate as Transparent Bridges at Layer 2 of the OSI 7 Layer Model, and by
default forward packets without changing any of the packet’s contents.

The internal VLAN ID is not significant outside of the switch. The value used for the internal VLAN ID
starts at 4094 and decrements for each VLAN added. If a VLAN ID is used to configure an 802.1Q
tagged VLAN that has already been assigned to an untagged VLAN, the switch automatically assigns
another internal VLAN ID to the untagged VLAN.



Tagged Forwarding Behavior:
Frames arriving on an ingress port are forwarded into the relevant VLAN based on the 802.1Q tag
present within the frame.
The 802.1p CoS value is examined, and the frame is placed into the appropriate queue:
• Values 0-6 are mapped by default to the low priority queue, QoS Profile QP1
• Value 7 is mapped by default to the high priority queue, QoS Profile QP8

VLAN IDs must be consistent from switch to switch. VLAN names are locally significant to the switch’s
configuration and are ignored when using 802.1Q tagged ports. Different VLAN names can be used
from switch to switch for the same VLAN ID, but it is recommended to keep the names the same
across all switches.



There are a number of pre-configured protocol filters that can be applied to any VLAN.

The list is as follows:


• IP
• IPX
• IPv6
• NetBIOS
• DECNet
• IPX_8022
• IPX_SNAP
• AppleTalk
• MPLS
• ANY

You can create a custom protocol filter by using the “create protocol” command. You then add the
relevant filter entries by entering the configure protocol command. Existing protocol filters can also
be edited using this command.



VLAN forwarding decisions for transmitting frames are determined by whether or not the destination of
the traffic being classified is in the VLAN’s forwarding database, as follows:

Unknown traffic: When a frame’s destination MAC address is not in the VLAN’s forwarding database
(FDB), it will be forwarded out of every port on the VLAN’s egress list with the frame format that is
specified.

Learned traffic: When a frame’s destination MAC address is in the VLAN’s forwarding database, it will
be forwarded out of the learned port.

To create a VLAN:
create vlan [ vlan_name {tag <id>} | vlan_list ] {description vlan-description } {vr name }

create vlan vlan_name (Creates an untagged VLAN)


create vlan vlan_name tag <id> (Creates a named tagged 802.1Q VLAN)
create vlan <id> (Creates a tagged 802.1Q VLAN and automatically names
it “VLAN_XXXX” where XXXX is the VLAN ID)
create vlan <id>-<id> (Creates multiple tagged 802.1Q VLANs within the
specified range and automatically names them as above)

To configure a VLAN's 802.1Q Tag ID:


configure vlan [ vlan_name {tag <id>} ]

To add or remove an access port to/from a VLAN:


configure vlan [ vlan_name {tag <id>} ] add/delete port [port_list | all] untagged

To add or remove a trunk port to/from a VLAN:


configure vlan [ vlan_name {tag <id>} ] add/delete port [port_list | all] tagged



To create a protocol based VLAN:
configure [ {vlan} vlan_name | vlan vlan_list] protocol {filter} filter_name

The following are pre-configured protocol filters:


Any, IP, IPv6, IPX, NetBIOS, DECNet, IPX_8022, IPX_SNAP, AppleTalk.

To create a protocol filter:


create protocol filter_name

To configure a protocol filter:


configure protocol filter filter_name [add | delete] dest-mac mac_address {[etype | llc | snap] hex}
{field offset offset value value {mask mask}}

To disable a VLAN:
disable [ {vlan} vlan_name | vlan vlan_list] (This command disables the forwarding function
for the specified VLAN(s))

To show the forwarding database:


show fdb {option}

Options: {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | mac-based-vlans] | permanent
{netlogin [all | mac-based-vlans]} | mac_addr {netlogin [all | mac-based-vlans]} | ports port_list
{netlogin [all | mac-based-vlans]} | [{vlan} vlan_name | vlan vlan_list] {netlogin [all | mac-based-vlans]}
| {{vpls} {vpls_name} | vxlan {vni} | virtual-network vn_name}}



The show vlan command is a useful troubleshooting tool.
It displays a summary of a VLAN’s basic configuration and which protocols, if any, have been enabled
on it (such as OSPF, Spanning Tree and EAPS).
• To display detailed information for all VLANs, enter the show vlan detail command.
• To display detailed information for a specific VLAN, enter the show vlan command with
the VLAN name as the command qualifier. For example show vlan blue.



The FDB in large networks may have many entries and so it may be difficult to find a specific MAC
address in such a large table. The show fdb command has a number of command qualifiers that allow
you to examine specific FDB entries as follows:

Blackhole entries: show fdb blackhole


MAC address tracking entries: show fdb mac-tracking configuration
Netlogin entries: show fdb netlogin all
Permanent entries: show fdb permanent
Entries for a specific MAC address: show fdb <mac_addr>
Entries on a specific port: show fdb ports <port_list>
Entries within a specific VLAN: show fdb vlan <vlan_name>

The clear fdb command also has a number of command qualifiers that allow you to clear specific FDB
entries as follows:

Blackhole entries: clear fdb blackhole


Entries for a specific MAC address: clear fdb <mac_addr>
Entries on a specific port: clear fdb ports <port_list>
Entries within a specific VLAN: clear fdb vlan <vlan_name>

This command was first available in ExtremeXOS 22.1.

The default was changed from off to inform in ExtremeXOS 22.4.

Egress flood control alters the standard forwarding behavior of a switch and should be used with care.
However, it can effectively improve network performance and security if used correctly.



Disabling multicast egress flooding does not affect clients subscribed to an IGMP group. Packets are
still forwarded. If IGMP snooping is disabled, multicast packets are not flooded.

Example:
disable flooding unicast ports 24
disable flooding broadcast ports 24
show port 24 info detail

To reset flooding control back to defaults:


enable flooding all_cast ports all



Limit learning does not affect the following:
• Packets destined for permanent MAC addresses and other MAC addresses that are not blackhole
entries.
• Broadcast traffic from MAC addresses that are not blackhole entries.
• EDP and LLDP traffic.



To configure Limit-Learning for one learned MAC address:
configure port 24 vlan default limit-learning 1

To verify Limit-Learning for a port:


show fdb (The flags will be set to “Bb”. “B” = Egress blackhole
and “b” = Ingress blackhole)

show [ {vlan} vlan_name | vlan vlan_list] security

Note: In large networks the application of limit learning using Blackhole entries can quickly use up
FDB entries. A full FDB can have an impact on switch performance. To alleviate this, use the action
stop-learning command qualifier.

The “limit” for a specific virtual port (port/VLAN combination) can be removed by entering the
configure port command, specifying the port, vlan and the keyword unlimited-learning as shown in
the example below:
configure port 24 vlan default unlimited-learning



Lock learning does not affect the following:
• Packets destined for permanent MAC addresses and other MAC addresses that are not blackhole
entries.
• Broadcast traffic from MAC addresses that are not blackhole entries.
• EDP and LLDP traffic.



To configure Lock-Learning:
conf port 24 vlan default lock-learning

To unconfigure Lock-Learning:
conf port 24 vlan default unlock-learning

Note: When you unconfigure the lock learning feature on a virtual port, and if the configuration was
previously saved with the lock learning feature enabled, the “locked” entries will still remain in the
startup configuration. To prevent unwanted locked entries being loaded on boot up, the configuration
should be saved.
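
The limit-learning and lock-learning sections above describe the same FDB mechanics, so one added example covers both: a small Python model written for this page, not Extreme Networks code, that replays frames through a learning bridge with per port/VLAN limits so the effect of limit-learning 1, action stop-learning and lock-learning can be traced frame by frame. Only the “Bb” flag letters come from the guide; the other flag letters and the decision strings are this model's own, and forwarding (rather than dropping) frames from unlearned MACs under stop-learning is a modelling assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class FdbEntry:
    port: int
    flags: str  # "d" dynamic, "s" static (locked), "Bb" egress + ingress blackhole


@dataclass
class VirtualPort:
    limit: Optional[int] = None    # None models unlimited-learning
    action: str = "blackhole"      # or "stop-learning"
    locked: bool = False


class Bridge:
    """Learning bridge with per port/VLAN learning limits (model, not EXOS code)."""

    def __init__(self) -> None:
        self.fdb: Dict[Tuple[str, str], FdbEntry] = {}      # (vlan, mac) -> entry
        self.vports: Dict[Tuple[int, str], VirtualPort] = {}

    def _vport(self, port: int, vlan: str) -> VirtualPort:
        return self.vports.setdefault((port, vlan), VirtualPort())

    def _learned_on(self, port: int, vlan: str) -> int:
        # Dynamic and locked entries count towards the limit; blackholes do not.
        return sum(1 for (v, _), e in self.fdb.items()
                   if v == vlan and e.port == port and e.flags in ("d", "s"))

    # Configuration, following the CLI forms quoted in the guide.
    def limit_learning(self, port: int, vlan: str, limit: int,
                       action: str = "blackhole") -> None:
        vp = self._vport(port, vlan)
        vp.limit, vp.action = limit, action

    def unlimited_learning(self, port: int, vlan: str) -> None:
        self._vport(port, vlan).limit = None

    def lock_learning(self, port: int, vlan: str) -> None:
        # Current dynamic entries become static and their count becomes the
        # limit, so any further MAC seen on this virtual port is blackholed.
        for (v, _), e in self.fdb.items():
            if v == vlan and e.port == port and e.flags == "d":
                e.flags = "s"
        vp = self._vport(port, vlan)
        vp.locked, vp.limit = True, self._learned_on(port, vlan)

    def unlock_learning(self, port: int, vlan: str) -> None:
        # Learning is re-enabled; the static entries are left in place, which
        # is why the guide says to save the configuration afterwards.
        vp = self._vport(port, vlan)
        vp.locked, vp.limit = False, None

    def show_fdb(self) -> List[str]:
        return [f"{mac} {vlan} {e.flags} {e.port}"
                for (vlan, mac), e in sorted(self.fdb.items())]

    # Forwarding.
    def ingress(self, port: int, vlan: str, src: str, dst: str) -> str:
        """Process one frame arriving on port/vlan and return the decision."""
        vp = self._vport(port, vlan)
        src_entry = self.fdb.get((vlan, src))
        if src_entry is not None and src_entry.flags == "Bb":
            return "drop:ingress-blackhole"             # "b" = ingress blackhole
        if src_entry is None:
            at_limit = vp.limit is not None and self._learned_on(port, vlan) >= vp.limit
            if not at_limit:
                self.fdb[(vlan, src)] = FdbEntry(port, "d")
            elif vp.locked or vp.action == "blackhole":
                self.fdb[(vlan, src)] = FdbEntry(port, "Bb")
                return "drop:ingress-blackhole"
            # stop-learning: the MAC consumes no FDB entry but the frame is
            # still forwarded (modelling assumption for this example).
        if dst == BROADCAST:
            return "flood"
        dst_entry = self.fdb.get((vlan, dst))
        if dst_entry is None:
            return "flood"                                # unknown unicast
        if dst_entry.flags == "Bb":
            return "drop:egress-blackhole"                # "B" = egress blackhole
        return f"forward:port{dst_entry.port}"


if __name__ == "__main__":
    b = Bridge()
    b.limit_learning(24, "default", 1)   # configure port 24 vlan default limit-learning 1
    for mac in ("00:00:00:00:00:01", "00:00:00:00:00:02"):
        print(mac, "->", b.ingress(24, "default", mac, BROADCAST))
    print("\n".join(b.show_fdb()))
```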

The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for
Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation
that results from them. Spanning tree also allows a network design to include backup links to provide
fault tolerance if an active link fails.

Rapid Spanning Tree Protocol (RSTP) was introduced as IEEE 802.1w. RSTP provides significantly faster
spanning tree convergence after a topology change, introducing new convergence behaviors and bridge
port roles to do this. RSTP was designed to be backwards-compatible with standard STP.

The Multiple Spanning Tree Protocol (MSTP), originally defined in IEEE 802.1s, maps one or more
VLANs to multiple spanning tree domains. Administrators can define alternate paths within a
spanning tree and each spanning tree domain can be assigned a different root bridge, thereby load
sharing VLAN traffic across multiple redundant links. VLANs must be assigned to a so-called multiple
spanning tree instance (MSTI). Switches are first assigned to an MST region, then VLANs are mapped
against or assigned to this MST. A Common Spanning Tree (CST) is an MST to which several VLANs are
mapped; this group of VLANs is called an MST Instance (MSTI). CSTs are backward compatible with the
STP and RSTP standards. An MST that has only one VLAN assigned to it is an Internal Spanning Tree (IST).



Port Forwarding:
MSTP and RSTP use rapid forwarding mechanisms to get ports to the forwarding state. However, there
is a difference in forwarding time between user/edge ports and inter-switch links (ISLs). If a user/edge
port is defined as adminedge TRUE using the set spantree adminedge command, it will forward as
soon as the port becomes operational. An ISL will forward based on an exchange of BPDUs. By
default, autoedge is set to TRUE and adminedge is set to FALSE.

These settings satisfy most requirements. Autoedge allows a port defined as adminedge FALSE to
discover in a short period of time that it is an edge port. The only time it is necessary to set
adminedge to TRUE is when the attached user device cannot tolerate the several seconds required for
auto-detection to detect the port as a user/edge port and move it to forwarding. Setting an ISL to
adminedge TRUE should be avoided because it can lead to transient data loops.

Spanning Tree Port States:

Blocking: Actively preventing traffic from using this path. Still receiving BPDUs, so continuing to
monitor for management and STA information.

Listening: Continuing to block traffic while waiting for protocol information to determine whether to
go back to the blocking state or continue to the learning state. Listens to BPDUs to ensure no loops
occur on the network.

Learning: Learning station location information but continuing to block traffic.

Forwarding: Forwarding traffic and continuing to learn station location information.

Disabled: Disabled administratively or by failure.

Discarding: Used as shorthand for blocking, listening, or learning state.



IEEE 802.1w, Rapid Reconfiguration Spanning Tree (RSTP), is built upon the original IEEE 802.1D
Spanning Tree Protocol parameters. When a network fails in a traditional spanning tree topology, two-
way communication may not recover for up to 50 seconds. The same recovery can happen almost
immediately in an RSTP environment. Rapid reconfiguration ensures that an end-user is insulated
from dropped sessions or inaccessible resources. IEEE 802.1w and IEEE 802.1D Spanning Tree
algorithms will interoperate. An RSTP switch detects when it is connected to an 802.1D STP switch.



The original 802.1D standard treats the overall topology as a single network, while switches treat
VLANs as completely separate networks. Some of the benefits of configuring multiple VLANs are
sacrificed with this compromise. IEEE 802.1s is a supplement to IEEE 802.1Q that adds the facility for
VLAN switches to use multiple instances of spanning trees, allowing for traffic belonging to different
VLANs to flow over potentially different paths within the LAN.

802.1s allows network administrators to assign VLAN traffic to unique paths. Some or all of the
switches in a LAN participate in two or more spanning trees with each VLAN belonging to one of the
spanning tree instances. An advantage of MST is that MST is built on top of 802.1w Rapid
Reconfiguration with its decreased time for re-spans within the network.



Note: MSTP port roles are the same as with 802.1w, with one addition, Master Port.

Root Port: The one port that a bridge uses to connect to the Root Bridge. This port is elected as the
Root Port due to its least “path-cost” to Root.

Alternate Port: Any redundant upstream port that provides an alternate path to the Root Bridge
(other than the Root Port).

Designated Port: Any downstream port that provides a path to the Root Bridge.

Edge Port: A port that has no other bridges connected to this port (i.e. User Port). This is
automatically configured by the Bridge Detection State Machine (802.1t Clause 18).

Backup Port: A port that acts as a redundant Designated Port for a LAN segment.

Master Port: The Bridge Port that is the CIST Root Port for the CIST Regional Root. It provides
connectivity from the Region to the CIST Root that lies outside the Region; this Port Role only exists
within the context of the MSTIs.

Where only 802.1d or 802.1w is running, with no failure there is no bandwidth utilization between
switches 2 and 3. With 802.1s it is possible to make each switch a root bridge for different spanning
tree groups and then associate a different VLAN with each spanning tree instance. This way we are
reducing the likelihood of a link being over-utilized.

Part 1 of the MSTP basic configuration steps apply to switches running EXOS v22.1 & below only.
These steps bring those switches up to the current factory defaults for STP.

Configure MSTP Region Identifiers


For multiple switches to be part of an MSTP region, you must configure each switch in the region with
the same MSTP configuration attributes, also known as MSTP region identifiers. The following list
describes the MSTP region identifiers:
• Region Name: This indicates the name of the MSTP region. In the Extreme Networks
implementation, the maximum length of the name is 32 characters and can be a combination of
alphanumeric characters and underscores ( _ ).
• Format Selector: This indicates a number to identify the format of MSTP BPDUs. The default is 0.
• Revision Level: This identifier is reserved for future use; however, the switch uses and displays a
default of 3.

In this example ports 6 and 8 are connected to another MSTP enabled switch which is the Root
Bridge. You can see from the CLI output of the “show stpd s1 ports” command that the Root port
(port 6) is never blocked. Port 8 is classified as the Alternate port, which will be blocked.

A feature to prevent, detect, and recover from Layer 2 loops in the network and potentially disable
ports to prevent loops.
• The ELRP PDU is a Layer 2 multicast packet sent using QP8
• Sender uses source and destination MAC address to identify packets it sends
• When sender receives original packet back, loop detection and prevention is triggered
• When a loop is detected, the loop recovery agent is notified and takes the necessary actions to
recover from the loop
• ELRP only operates on the sending switch, so it operates transparently across the network
• How a loop recovers depends on the protocol that uses ELRP for loop detection—unless it is used
as a standalone option



To configure an ELRP periodic poll:
configure elrp-client periodic {vlan} vlan_name ports [ports | all | none] {remote-endpoints vxlan all}
{interval interval {seconds | milliseconds}} {log | log-and-trap | trap} {disable-port {egress | ingress}
{duration {seconds} | permanent}}

To configure an ELRP one-shot poll:


configure elrp-client one-shot {vlan} vlan_name ports [ports | all | none] {remote-endpoints vxlan all}
{interval interval {seconds | milliseconds}} {retry count} {log | print | print-and-log}

Note: If you do not specify log, the ELRP result is displayed immediately.

To include or exclude ports from being disabled by ELRP:


configure elrp-client disable-ports [exclude | include] [ports | eaps-ring-ports | remote-endpoints
vxlan]

The EAPS protocol provides fast protection switching at Layer 2 for Extreme switches interconnected
in an Ethernet ring topology. It prevents loops in an Ethernet network, which can lead to a broadcast
storm that could prevent network communication.

A broadcast or data storm is excessive transmission of broadcast traffic in a network. This
happens when broadcast packets crossing a network are duplicated by the flooding function
of a switch, creating even more broadcast packets in a snowball effect. Network hosts are
“swamped” by the number of broadcast packets they have to examine, which in effect
prevents hosts from communicating.

Note: When a Master Node blocks its secondary port, only those Protected VLANs assigned to the
Domain are affected. Traffic using the Control VLAN will not be blocked, therefore it is important not
to have any host connected ports in the Control VLAN. You must also ensure that the Control VLAN is
not configured with an IP address.



An EAPS Master detects the failure in its domain, and converges around the failure.

You must create and configure one control VLAN for each EAPS domain which transports the EAPS
control traffic. A control VLAN cannot belong to more than one EAPS domain. If the domain is active,
you cannot delete the domain or modify the configuration of the control VLAN. The control VLAN
must NOT be configured with an IP address.
In addition, only ring ports may be added to this control VLAN. No other ports can be members of this
VLAN. Failure to observe these restrictions can result in a loop in the network. The ring ports of the
control VLAN must be tagged.

When a Hello Packet transmitted from the Master’s egress port (Primary or Secondary) is received on
the Master’s ingress port, the Domain transitions to the “Complete” state, at which point the Master
blocks its secondary port for all Protected VLANs for that Domain.

Note: The secondary port can be configured to transmit EAPS hello packets instead of the primary
port.



Protected VLANs are the data-carrying VLANs. When you configure a protected VLAN, the ring ports
of the protected VLAN must be tagged.

EAPS hello (health check) packets use the Extreme Encapsulation Protocol (EEP). EEP packets have a
source MAC address of 00 e0 2b 00 00 01.

EAPS packets have one of the following destination MAC addresses:


• 00 e0 2b 00 00 04
• 00 e0 2b 00 00 06
• 00 e0 2b 00 00 07

Each switch (node) will examine the hello packet and then forward the packet to its neighbor switch
through the ring port that did not receive the packet. EAPS packets are sent with an 802.1p value of 7
(QP8).

EAPS hello packets contain the following information:


• Packet type
  • Health, Link Down, Link Up (Pre-Forwarding), Flush FDB
• Control VLAN ID
• Originator’s system MAC address
• Hello fail timer value
• Domain state
  • Complete, Failed
• Hello sequence number
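
To tie the default 802.1p-to-QoS-profile mapping given in the tagged forwarding section (0-6 to QP1, 7 to QP8) to the EAPS control frames just described, the following added example (written for this page, not Extreme Networks code) decodes 802.1Q frame headers, recognises EEP/EAPS frames by the MAC addresses listed above, and audits a control VLAN for frames that are not EAPS control traffic, which the guide's rule that only ring ports belong in the control VLAN says should never occur. The sample frames are constructed here; the EEP EtherType used in them is a placeholder and the EEP payload is not decoded, because the guide documents neither.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# MAC addresses the guide gives for EEP/EAPS control frames.
EEP_SRC_MAC = "00:e0:2b:00:00:01"
EAPS_DST_MACS = {"00:e0:2b:00:00:04", "00:e0:2b:00:00:06", "00:e0:2b:00:00:07"}
TPID_8021Q = 0x8100
EEP_ETHERTYPE_PLACEHOLDER = 0xBEEF   # constructed; the guide does not state EEP's EtherType


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int             # 802.1p CoS; 0 when untagged
    ethertype: int

    @property
    def qos_profile(self) -> str:
        # Default EXOS mapping from the guide: 802.1p 0-6 -> QP1, 7 -> QP8.
        return "QP8" if self.pcp == 7 else "QP1"

    @property
    def is_eaps(self) -> bool:
        return self.src == EEP_SRC_MAC and self.dst in EAPS_DST_MACS


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, a single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, vid=None, pcp=0, ethertype=etype)
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, vid=tci & 0x0FFF, pcp=tci >> 13, ethertype=inner)


def build_frame(dst: str, src: str, vid: Optional[int], pcp: int,
                etype: int, payload: bytes) -> bytes:
    """Assemble a frame; used only to construct sample input for this example."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", etype) + payload
    return hdr + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, etype) + payload


def audit_control_vlan(frames: List[bytes], control_vid: int) -> List[str]:
    """One finding per frame on the control VLAN that is not EAPS control traffic.

    The guide requires the control VLAN to carry only ring ports and no IP
    address, so any other frame there points at a misplaced host port.
    """
    findings = []
    for raw in frames:
        f = parse_frame(raw)
        if f.vid == control_vid and not f.is_eaps:
            findings.append(
                f"non-EAPS frame on control VLAN {control_vid}: {f.src} -> {f.dst} "
                f"ethertype 0x{f.ethertype:04x} ({f.qos_profile}); host port in control VLAN?")
    return findings


# Constructed sample capture: control VLAN 4000, protected data VLAN 100.
SAMPLE_FRAMES = [
    # EAPS hello from the master, 802.1p 7 as the guide states (payload is dummy bytes)
    build_frame("00:e0:2b:00:00:04", EEP_SRC_MAC, 4000, 7, EEP_ETHERTYPE_PLACEHOLDER, b"\x00" * 46),
    # An end host's ARP broadcast tagged into the control VLAN: the misconfiguration to catch
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 4000, 0, 0x0806, b"\x00" * 46),
    # Ordinary IPv4 traffic on the protected VLAN, CoS 5 -> QP1 by default
    build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:66", 100, 5, 0x0800, b"\x00" * 46),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        f = parse_frame(raw)
        print(f"vid={f.vid} pcp={f.pcp} {f.qos_profile} eaps={f.is_eaps} {f.src} -> {f.dst}")
    for finding in audit_control_vlan(SAMPLE_FRAMES, 4000):
        print("FINDING:", finding)
```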

Note: It is not recommended to configure the “open secondary port” option as this could cause a
loop. The purpose of the default “send alert” is so that the fault can be investigated and the problem
is only limited to those clients that may become isolated due to LAN segmentation.

To rename an EAPS domain:
configure eaps old_name name new_name

To unconfigure the primary EAPS ring port:


disable eaps eaps_domain
unconfigure eaps eaps_domain primary port
enable eaps eaps_domain

To unconfigure the secondary EAPS ring port:


disable eaps eaps_domain
unconfigure eaps eaps_domain secondary port
enable eaps eaps_domain

© 2019 Extreme Networks, Inc. All rights reserved 87


To configure the EAPS hello timer to 100 ms (the arguments are seconds and milliseconds):
configure eaps <name> hellotime 0 100

To configure the EAPS fail timer to 300 ms (the fail timer should be at least 3 x the hello timer):
configure eaps <name> failtime 0 300

To configure the EAPS fail timer expiry action (it is recommended to leave this at the default,
"send-alert"):
configure eaps <name> failtime expiry-action [open-secondary-port | send-alert]


With EAPS, a protected VLAN can span multiple physical rings or EAPS domains. This is called an
overlapping VLAN. An overlapping VLAN requires loop protection for each EAPS domain to which it
belongs. In the figure above, there is an EAPS domain with its own control VLAN running on ring 1 and
another EAPS domain with its own control VLAN running on ring 2. A data VLAN that spans both rings
is added as a protected VLAN to both EAPS domains to create an overlapping VLAN. Switch S5 has two
instances of EAPS domains running on it, one for each ring.



In the slide shown earlier (Two Rings Interconnected by One Switch), switch S5 represents a single
point of failure: if S5 goes down, users on Ring 1 can no longer communicate with users on Ring 2. To
make the network more resilient, a second switch can be added. In the figure above, switch S10
connects to both rings and to S5 through a common link, which is shared by both rings. This EAPS
common link requires special configuration to prevent a loop that spans both rings; the feature that
must be enabled is EAPS shared-port.


During normal operation, the master node on each ring protects the ring as described earlier in the
first EAPS module. The Controller and Partner nodes work together to protect against "super loop"
problems that can occur when common (overlapping) VLANs are distributed across multiple rings.

Note: A Controller or Partner can also perform the role of master or transit node within its EAPS
domain. Typically the Controller and Partner nodes are distribution or core switches.


Note: When a common link fails, one of the segment ports becomes the active-open port, and all
other segment ports are blocked to prevent a loop for the protected VLANs.



If a link failure occurs in one of the rings, only a single EAPS domain is affected. The EAPS master
detects the failure in its domain, and converges around the failure. In this case, the controller does
not take any blocking action, and EAPS domains on other rings are not affected. Likewise, when the
link is restored, only the local EAPS domain is affected. The controller and any EAPS domains on other
rings are not affected, and continue forwarding traffic normally.



When the common link fails and a protected VLAN spans both domains (the Green VLAN in this
example), the secondary port of each master node is unblocked. The new topology introduces a
broadcast loop spanning both rings (EAPS Domain-1 and Domain-2). The Controller breaks the loop
by blocking the higher-numbered segment ports while leaving one port open; this port is called the
"active-open" port.


For the failure scenario shown above, the Controller and Partner nodes immediately detect the loop,
and the Controller does the following:

• Selects an active-open port for protected VLAN communications
• Blocks protected VLAN communications on all segment ports except the active-open port

Note: When a Controller goes into or out of the blocking state, it sends a flush-fdb message to flush
the FDB in each of the switches in its segments. In a network with multiple EAPS ports in the blocking
state, the flush-fdb message is propagated across the boundaries of the EAPS domains.


The following slides cover a standard configuration with a common link and EAPS shared-port for
EAPS domains Domain-1 and Domain-2. Each Domain carries a common protected (overlapping) VLAN.
Sample configuration is shown for SummitStack2 (Domain-1), SummitX460-G2 (Domain-2), and
Core-A in the Data Center Core.


To configure the EAPS shared-port segment timer health interval:
configure eaps shared-port <port> segment-timers health-interval <seconds>

To configure the EAPS shared-port segment timer timeout:
configure eaps shared-port <port> segment-timers timeout <seconds>

To configure the EAPS shared-port segment timer expiry action:
configure eaps shared-port <port> segment-timers expiry-action [segment-down | send-alert]


Link Aggregation, SmartTrunking, and other port trunking methods all bond two or more data
channels into a single channel that appears as one higher-bandwidth logical link. It is a cost-effective
way to increase bandwidth, and aggregated links also provide redundancy and fault tolerance.

Link aggregation makes multiple physical links appear as a single logical link to protocols such as
Spanning Tree, EAPS and OSPF, so Spanning Tree does not block the redundant links within the
aggregation. This is accomplished by positioning link aggregation as an optional sub-layer in the Data
Link Layer of the OSI model (explained in more detail later in this module), presenting a single MAC
address to the MAC clients above it.

Link aggregation should be viewed as a network configuration option that is primarily used on
connections that require a higher data rate than a single link can provide, such as between switches
or between switches and servers. It can also be used to increase the reliability of critical links.


Link Aggregation Scenarios:
There are two typical scenarios in which link aggregation is useful in a network:

Switch-to-switch connections: This is the most common scenario. Multiple ports on a switch are
joined to form an aggregated link, which achieves a higher-speed connection between switches
without a hardware upgrade. If two switches are connected by four 10 Gbps links in one group and
one of those links fails, traffic continues over the remaining links in the link aggregation group. Note
that such a configuration reduces the number of ports available for other network devices or end
stations, so aggregation is a trade-off between port usage and additional capacity for a given device
pair.

Switch-to-station (server or router) connections: Many server platforms can saturate a single link, so
the link capacity limits overall system performance. Aggregating switch-to-station connections
improves performance without upgrading the servers or the switch.


Note: Enabling link aggregation on only one end of a link does not create a broadcast storm for the
VLANs configured on that port. The switch without sharing enabled uses its Forwarding Database
(FDB) to forward packets towards its neighbor and does not apply any load-sharing algorithm.


Note: LACP only combines ports into a LAG if all member ports are connected to the same device.
LACP uses the neighbor switch's system MAC address, carried in the LACP packets, to determine
whether all ports in the LAG are connected to the same switch. Any LAG member identified as
connected to a different system MAC address is not added to the LAG.


Address-based link aggregation: Packets are distributed based on packet header information; the
switch performs a hash on the selected headers: MAC (L2), IPv4 (L3, or L3 and L4), IPv6 (L3, or L3 and
L4).

Port-based link aggregation: Packets are distributed based on the physical source port on which the
packet was received.


The custom hash-algorithm option uses additional header fields to compute the load-sharing hash.
Selecting the custom option therefore allows more header fields to be used, which should result in a
more even distribution of packets across the member links.

For IPv4 packets, the set of custom header fields can be changed.


To create a static 4-port LAG for ports 1 through 4 with the L3 address-based algorithm:
enable sharing 1 grouping 1-4 algorithm address-based l3

To add ports 5 and 6 to the existing LAG whose master port is 1:
configure sharing 1 add ports 5-6

To create a dynamic (LACP) 4-port LAG for ports 1 through 4 with the L3 address-based algorithm:
enable sharing 1 grouping 1-4 algorithm address-based l3 lacp

To create a static 4-port LAG for ports 2, 4, 6 and 8 with the custom address-based algorithm:
enable sharing 2 grouping 2,4,6,8 algorithm address-based custom


To configure the LAG custom load sharing algorithm to use only the source IP address:
configure sharing address-based custom ipv4 source-only



The Health Check LAG application allows you to create a link aggregation group in which individual
member links monitor a particular IP address and TCP port. When connectivity to that address and
port fails, the member link is removed from the link aggregation group.

Establishing the status of TCP connectivity is based on standard TCP socket connections. As long as
the switch can establish a TCP connection to the target IP address and TCP port, the connection is
considered up.

The TCP connection is retried based on the configured frequency (default = 10 seconds) and miss
count (default = 3); a member is removed only after the configured number of consecutive misses.

A typical use case for this application is when each member link is connected to a security server
that validates traffic. Each member link of the Health Check LAG is connected to an individual
security server. The LAG is added to a VLAN on the same subnet as the security server IP addresses
to be monitored, and each member port is configured to monitor a particular IP address and TCP port.

To configure LAG member port 6 to use a TCP health check to a web server:
configure sharing health-check member-port 6 add track-tcp 172.16.11.100


The hash algorithm guarantees that the same egress port is selected for a given pair of IP addresses,
Layer 4 ports, or both, regardless of which is the source and which is the destination.

Hash polarization (upstream and downstream traffic sharing the same link on both switches) can be
prevented by choosing different load-sharing algorithms on neighboring switches in different layers.
With CRC-16 or CRC-32, a cyclic redundancy checksum of the selected header fields is used instead of
a simple XOR. This can help with load sharing of artificial flows created by some test equipment or
applications. Additionally, a CRC seed value can be used to introduce pseudo-randomness into the
load sharing of flows. The last 4 bytes of the switch's MAC address are used as the seed by default.

To configure the LAG custom hashing algorithm to use CRC-16:
configure sharing address-based custom hash-algorithm crc-16

To configure the LAG custom hashing seed to use a non-default value:
configure sharing address-based custom hash-seed 0x12345678

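To make the symmetric-key and polarization points concrete, here is an added Python model; it is not Extreme code and not the switch ASIC's actual hash. It canonicalises the flow endpoints so that A to B and B to A produce the same key, hashes the selected fields either by XOR folding or with CRC-16 (CCITT), and runs a constructed set of flows through two tiers of 2-link LAGs, where link i of the first-tier switch leads to second-tier switch i. With the same algorithm on both tiers, each second-tier switch only ever uses one of its two links; with XOR on the first tier and CRC-16 on the second, both links carry traffic. The flows, the tier layout and the 2-link groups are assumptions of the example, and the seed parameter is present for completeness only.

```python
"""Model of address-based LAG hashing: symmetric flow keys, XOR versus CRC-16
hashing, and hash polarization between two tiers of switches.

Added example, not Extreme code and not the real switch hash. All flows are
constructed with a seeded RNG so the run is repeatable.
"""
import ipaddress
import random
from collections import Counter


def flow_key(sip: str, sport: int, dip: str, dport: int) -> bytes:
    """Canonical key: endpoints sorted so A->B and B->A hash identically."""
    a = (int(ipaddress.IPv4Address(sip)), sport)
    b = (int(ipaddress.IPv4Address(dip)), dport)
    lo, hi = sorted([a, b])
    return (lo[0].to_bytes(4, "big") + hi[0].to_bytes(4, "big")
            + lo[1].to_bytes(2, "big") + hi[1].to_bytes(2, "big"))


def xor_hash(key: bytes) -> int:
    """Fold the key into 16 bits with XOR (the 'simple XOR' style)."""
    h = 0
    for i in range(0, len(key), 2):
        h ^= int.from_bytes(key[i:i + 2], "big")
    return h


def crc16_hash(key: bytes, seed: int = 0xFFFF) -> int:
    """CRC-16/CCITT (poly 0x1021, MSB first) over the key, starting from seed."""
    crc = seed & 0xFFFF
    for byte in key:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def select_link(hash_fn, flow, n_links: int) -> int:
    """Member link chosen for a (sip, sport, dip, dport) flow."""
    return hash_fn(flow_key(*flow)) % n_links


def two_tier_distribution(flows, tier1_hash, tier2_hash, n_links: int = 2):
    """Tier-1 switch spreads flows over n_links; link i leads to tier-2 switch
    i, which spreads its share over its own n_links.
    Returns {tier2_switch: Counter(link -> flow count)}."""
    result = {i: Counter() for i in range(n_links)}
    for flow in flows:
        t2_switch = select_link(tier1_hash, flow, n_links)
        result[t2_switch][select_link(tier2_hash, flow, n_links)] += 1
    return result


def links_in_use(dist) -> dict:
    """How many tier-2 links actually carry traffic, per tier-2 switch."""
    return {sw: len(counter) for sw, counter in dist.items()}


def make_flows(n: int, seed: int = 1):
    """Constructed client->server flows (10.1.0.0/16 -> 10.2.0.0/16)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        sip = f"10.1.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        dip = f"10.2.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        flows.append((sip, rng.randint(1024, 65535), dip, rng.choice([80, 443, 22])))
    return flows


if __name__ == "__main__":
    flows = make_flows(400)
    same = two_tier_distribution(flows, crc16_hash, crc16_hash)
    mixed = two_tier_distribution(flows, xor_hash, crc16_hash)
    print("crc-16 on both tiers (polarized):", links_in_use(same))
    print("xor then crc-16 (spread):        ", links_in_use(mixed))
```

The polarized result is the failure mode the slide warns about: every flow reaching a second-tier switch has already been selected by the same hash, so the second-tier LAG sees only one hash value modulo its link count and leaves its other members idle.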

MLAG peer switches must be of the same platform family. The following MLAG peers are allowed:
BlackDiamond 8800 switches with BlackDiamond 8800 switches, BlackDiamond X8 switches with
BlackDiamond X8 switches, Summit switches with Summit switches, and SummitStack with
SummitStack.



Prior to ExtremeXOS release 22.2, there was no limit on the number of MLAG ports you could
configure on a switch. From 22.2 onwards, the maximum number is restricted depending on the
switch model.


MLAG (steady-state condition):
• The peers exchange "hello" and state packets within the ISC VLAN; the default hello transmit
interval is 1 second.
• User traffic is forwarded based on normal FDB rules and LAG load-sharing algorithms.
• Traffic received on the ISC port is not forwarded out an MLAG port while that port's peer MLAG port
is up, in order to prevent a loop; this stops broadcast and unknown-unicast traffic received over the
ISC from being flooded back out the MLAG ports.

Each switch synchronizes state information over the ISC to its peer, including MLAG link state, MAC
FDB and IP multicast FDB information.


To bring a LAG down when the number of active links falls below a configured minimum:
configure sharing <master port> minimum-active <min_links_active>
e.g. configure sharing 1:1 minimum-active 1


The ISC VLAN name can be any name you choose; the name "isc" is commonly used for clarity.

Note: You must configure the ISC VLAN with an IP address for control communication between MLAG
peers. You cannot enable IP forwarding on this VLAN. The ISC VLAN is used exclusively for inter-peer
MLAG control traffic and should not be provisioned to carry any user data traffic. Customer data traffic
can, however, traverse the ISC port on other user VLANs.

Note: A LAG is recommended for the ISC.


Routing occurs at Layer 3 (the Network layer) of the 7-layer OSI model. Routers direct traffic through
a network based on information learned from network-layer protocols such as IP. To forward
network-layer traffic, routers use a table known as the routing table to make forwarding decisions.

Each port on the router is called an interface. Each configured interface defines the boundary of a LAN
segment and a Layer 3 broadcast domain. Router interfaces are assigned Layer 3 addresses (typically
IP) and associated masks that define the network address. Routers use MAC addresses to address
packets over Layer 2 infrastructures.

Routers are capable of switching packets between different physical networks based upon
network-layer addressing. They do not flood MAC-layer broadcasts from one attached network to
another, and they are protocol dependent (IP to IP; IPX to IPX). They support packet fragmentation
(the disassembly of larger packets into smaller packets) when required, and they support multiple
physical and MAC-layer encapsulation types, which gives them the ability to translate from one
Layer 2 technology to another (for example, Ethernet to Packet-over-SONET).

Routers are used when communication is needed between VLANs and when multiple active
forwarding paths between systems are required.


Routers perform two basic operations. The first is to forward packets towards their correct
destinations. The second is to maintain a routing table that allows the router to determine the
correct path.

Let's examine how these processes work.

Forwarding:
Step 1:
PC-A checks whether the IP address of PC-B is on its local subnet; it is not, so the packet must be sent
to PC-A's default gateway.

Step 2:
PC-A formulates a packet for PC-B and forwards it to Router A.


Step 3:
Router A strips off the Ethernet encapsulation and examines the packet's destination IP address. It
determines that the packet is not addressed to itself and has therefore arrived to be routed.

Step 4:
Router A examines its routing table. It finds the outgoing interface and next-hop address through
which the destination network (10.2.1.0) is reachable. The next-hop address belongs to the next router
to which the packet will be forwarded (in this case Router B).

Step 5:
If necessary, Router A ARPs for Router B's MAC address. Router A then encapsulates the packet in a
new Layer 2 envelope and forwards it to Router B.


Step 6:
Each router repeats the process until the packet reaches Router C.

Step 7:
Router C checks its routing table and discovers that the 10.2.1.0/24 network is directly connected to it.

Step 8:
Router C ARPs for PC-B, creates a Layer 2 envelope for the packet and forwards it to PC-B.


The switch hardware forwards IP traffic between router interfaces. A router interface is simply a
VLAN that has an IP address assigned to it. As you create VLANs with IP addresses belonging to
different IP subnets, you also choose which VLANs are enabled for IP forwarding. Both the VLAN
switching and the IP routing functions occur within the switch.

To enable IP forwarding on all VLANs configured with an IPv4 address:
enable ipforwarding

To enable IP forwarding on a specific VLAN:
enable ipforwarding vlan network1

To enable IP forwarding on a range of VLANs (requires a VLAN tag ID to be configured on each VLAN):
enable ipforwarding vlan 10-20


The switch maintains a set of IP routing tables for both network routes and host routes. Some routes
are determined dynamically from routing protocols, and some routes are manually entered. When
multiple routes are available to a destination, configurable options such as route priorities, route
sharing are considered when creating and updating the routing tables.



Static routes are routes that are manually entered into the routing tables and are not advertised
through the routing protocols.

Static routes can be used to reach networks that are not advertised by routing protocols and do not
have dynamic route entries in the routing tables. Static routes can also be used for security reasons,
to create routes that are not advertised by the router.

Static routes are configured manually and remain part of the configuration; if the configuration is
saved and the switch is rebooted, they are available as soon as the switch has fully booted. Static
routes are never aged out of the routing table; however, the Bidirectional Forwarding Detection (BFD)
feature can be used to bring down a static route when the link to its next hop fails.

Without BFD, static routes always remain operationally active because there is no dynamic routing
protocol to report network changes.

This can lead to a black-hole situation, where data is lost for an indefinite duration. Because upper
layer protocols are unaware that a static route is not working, they cannot switch to alternate routes
and continue to use the static route.

With BFD, a static route is marked operationally inactive if the BFD session goes down. Upper layer
protocols can then detect that the static route is down and take the appropriate action.

A default route is a type of static route that identifies the default router interface to which all packets
are routed when the routing table does not contain a route to the packet destination. A default route
is also called a default gateway and is the gateway of last resort.


The router typically learns dynamic routes because you have enabled the RIP, OSPF, IS-IS or BGP
protocols. It also learns routes from Internet Control Message Protocol (ICMP) redirects exchanged
with other routers. These routes are called dynamic routes because they are not a permanent part of
the configuration. The router learns these routes when it starts up and dynamically updates them as
the network changes.

Dynamic routes are aged out of the routing tables when an update for the network is not received
for a period of time, as determined by the routing protocol. Once a routing protocol is configured,
dynamic routes are automatically updated as the network changes.


When there are multiple, conflicting choices of a route to a particular destination, the router picks the
route with the longest matching network mask. If these are still equal, the router picks the route using
the following default criteria (in the order specified):
• Directly attached network interfaces
• Static routes
• ICMP redirects
• Dynamic routes

You can also configure black-hole routes; traffic to these destinations is silently dropped.
The criteria for choosing among multiple routes with the same longest matching network mask are
set by configuring the relative route priorities.

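The forwarding walk-through and the route-selection rules above can be exercised in a small model. The following Python is an added example, not EXOS code: it keeps a routing table of prefixes tagged with an origin code (the "d", "s", "oa" and "or" codes that show iproute uses, plus "i" for an ICMP redirect, which is this example's own choice), picks the longest matching prefix, breaks ties by the default origin order (direct, static, ICMP redirect, dynamic), spreads a route with several gateways over them as route sharing would, honours a black-hole route, and marks a static route inactive the way BFD does. The table contents, VLAN names and addresses are constructed for the example.

```python
"""Route selection model: longest prefix match, origin priority, ECMP,
black-hole routes and BFD-inactive static routes.  Added example, not EXOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Tie-break order when prefix lengths are equal (lower wins). "i" (ICMP
# redirect) is this example's own code; any other origin counts as dynamic.
ORIGIN_PRIORITY = {"d": 0, "s": 1, "i": 2}
DYNAMIC_PRIORITY = 3


@dataclass
class Route:
    prefix: str                  # e.g. "10.2.1.0/24"
    origin: str                  # d, s, i, oa, or, ...
    gateways: Tuple[str, ...]    # next hops; empty tuple = black-hole route
    vlan: str = ""               # egress VLAN
    metric: int = 0
    active: bool = True          # False once BFD reports the next hop down

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)

    @property
    def priority(self) -> int:
        return ORIGIN_PRIORITY.get(self.origin, DYNAMIC_PRIORITY)


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def set_active(self, prefix: str, origin: str, active: bool) -> None:
        """What a BFD session going down (or up) does to a static route."""
        for r in self.routes:
            if r.prefix == prefix and r.origin == origin:
                r.active = active

    def lookup(self, dst: str) -> Optional[Route]:
        """Best route: longest prefix, then origin priority, then metric."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if r.active and addr in r.network]
        if not candidates:
            return None
        candidates.sort(key=lambda r: (-r.network.prefixlen, r.priority, r.metric))
        return candidates[0]

    def next_hop(self, dst: str, flow_hash: int = 0) -> Tuple[str, Optional[str]]:
        """What the forwarding plane does with a packet to dst.
        Returns (action, next_hop_ip); flow_hash picks among ECMP gateways."""
        route = self.lookup(dst)
        if route is None:
            return "no-route", None          # dropped, ICMP unreachable
        if not route.gateways:
            return "blackhole", None         # silently dropped
        if route.origin == "d":
            return "direct", dst             # ARP for the host itself (step 8)
        return "forward", route.gateways[flow_hash % len(route.gateways)]


def build_sample_table() -> RoutingTable:
    """Constructed table, loosely modelled on Router C in the walk-through."""
    t = RoutingTable()
    t.add(Route("10.2.1.0/24", "d", ("10.2.1.1",), vlan="users"))
    t.add(Route("0.0.0.0/0", "s", ("192.168.0.1",), vlan="uplink"))
    t.add(Route("10.0.0.0/8", "oa", ("192.168.0.2", "192.168.0.3"), vlan="core", metric=10))
    t.add(Route("10.5.0.0/16", "s", ("192.168.0.4",), vlan="core"))
    t.add(Route("10.5.0.0/16", "oa", ("192.168.0.5",), vlan="core", metric=20))
    t.add(Route("10.9.9.0/24", "s", ()))     # black-hole route
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.2.1.50", "10.5.1.1", "10.3.3.3", "10.9.9.9", "8.8.8.8"):
        print(dst, table.next_hop(dst))
    table.set_active("10.5.0.0/16", "s", False)   # BFD to 192.168.0.4 went down
    print("10.5.1.1 after BFD down:", table.next_hop("10.5.1.1"))
```

The 10.5.0.0/16 pair is the interesting case: the static route wins over the OSPF route of the same length while it is active, and without BFD it would keep winning even after its next hop died, which is exactly the black-hole situation described above.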

IP route sharing allows a switch to communicate with a destination through multiple equal-cost
routes. This capability is referred to as equal-cost multipath (ECMP) routing.

Without IP route sharing, each IP route entry in the routing tables lists a destination subnet and the
next-hop gateway that provides the best path to that subnet. Every time a packet is forwarded to a
particular destination, it uses the same next-hop gateway.

With IP route sharing, the router can use up to 2, 4, 8, 16 or 32 next-hop gateways (depending on the
platform and feature configuration) for each route in the routing tables. When multiple next-hop
gateways lead to the same destination and ECMP is enabled, the switch can use any of those
gateways for packet forwarding. IP route sharing provides route redundancy and can provide better
throughput when routes are overloaded.

EXOS routers support a separate ECMP table. The gateways in the ECMP table can be defined with
static routes and OSPF (up to 64-way), or they can be learned through the BGP or IS-IS protocols (up
to 8-way).


The routing table has the following information:
• The route's origin, i.e. which process added the route to the routing table; for example "d" (direct)
for local interfaces, "s" for static routes including the default route, "oa" for OSPF intra-area routes
and "or" for OSPF inter-area routes.
• The IP network, shown as a combination of the network address and the subnet mask.
• The network gateway. This is typically the next-hop router. If the network is directly connected, you
should see the IP address of the VLAN's IP routing interface.
• The route metric. This field defines the quality of the path to the target network. Since the routing
table can contain multiple entries to a destination network, the router picks the route with the
lowest metric, as it is considered to be of higher quality.
• Other information is also displayed, such as the route status, the VLAN used for next-hop
forwarding, and the route age.

To display the routes from a specific protocol or origin, enter the command:
show iproute origin <origin>

To display the routes from the OSPF protocol, enter the command:
show iproute origin ospf


Switch Platform                  Edge License   Adv Edge License   Core License
ExtremeSwitching X440-G2 series  Standard       Upgrade            —
ExtremeSwitching X620 series     Standard       Upgrade            —
Summit X450-G2 series            Standard       Upgrade            Upgrade
Summit X460-G2 series            —              Standard           Upgrade
Summit X670-G2 series            —              Standard           Upgrade
Summit X770 series               —              Standard           Upgrade
ExtremeSwitching X870            —              Standard           Upgrade
ExtremeSwitching X690            —              Standard           Upgrade
ExtremeSwitching X590            —              Standard           Upgrade

* Not supported in ExtremeXOS 30.1

All ExtremeXOS switches are Layer 3 capable and are able to forward packets between different
physical networks (VLANs) based upon network-layer addressing.


Access Control Lists (ACLs) are used to define packet filtering and forwarding rules for traffic
traversing the switch. Each packet arriving on an ingress port and/or VLAN is compared to the access
list applied to that interface and is either permitted or denied. Packets egressing an interface can also
be filtered on certain platforms listed in the ExtremeXOS Concepts Guide; however, only a subset of
the filtering conditions available for ingress filtering is available for egress filtering.

The Port Isolation feature blocks accidental and intentional communication between devices residing
on different physical ports. Previously, this kind of separation was obtained through the access-list
module, which can be complicated to manage and resource intensive. Port Isolation provides a much
simpler blocking mechanism without using ACL hardware. A set of physical or load-share ports is
marked as isolated; once isolated, those ports cannot communicate with other isolated ports, but can
still communicate with any non-isolated port.

Use the following command to enable Port Isolation:
configure ports <port-list> isolation [on | off]


Match Conditions
You can specify multiple, single, or zero match conditions. If no match condition is specified, all
packets match the rule entry. The table above lists a selection of the available match conditions. For
the complete list of match conditions refer to Chapter 18 of the ExtremeXOS Concepts Guide.

Match Operators
You can also use the operators <, <=, >, and >= to specify match conditions. For example, the match
condition source-port > 190 matches packets with a source port greater than 190. Be sure to use a
space before and after an operator.


Actions
The action is either permit or deny, or no action is specified. If no action is specified the packet is
permitted. The deny action drops the packet.

Action Modifiers
The table above lists a selection of action modifiers such as count, qosprofile and meter. The count
modifier increments the named counter each time the entry matches. The qosprofile modifier forwards
the packet to the specified QoS profile. The meter modifier associates a rule entry with an ACL meter
for rate limiting. For a full list of action modifiers refer to Chapter 18 of the ExtremeXOS Concepts
Guide.

Note: An ingress ACL policy often has a rule entry at the end with no match conditions; this entry
matches any packet and so acts as the policy's default action.
For egress ACLs, if a rule entry does not contain any match condition, no packets will match. Unlike
ingress ACLs, for egress ACLs you must specify either a source or destination address instead of
writing a rule with no match conditions.


Wide Key ACLs
This feature allows a 362-bit double-wide match key to be used with match conditions instead of the
standard 181-bit single key. A wide match key allows more match conditions to be added to an ACL,
and also allows matching on full source and destination IPv6 addresses.
The platforms that support this feature can operate either in wide mode or in the current single
mode.

An individual switch or module cannot be configured to operate in a mixed wide and single mode.
However, a BlackDiamond 8800 chassis or a SummitStack can have a mixture of modules/stack
members, some operating in single mode and some in wide mode.


For example, physical ports, dest IP, source IP and IP fragments are all compatible and will require one
slice. If an ACL requires the use of field selectors from two different rows, it must be implemented on
two different slices.

For more information, refer to the ExtremeXOS Concepts Guide.



As the Layer 2 rules contained in the mac.pol policy file are not compatible with the rules defined on
the previous page, a new slice is used.


The CLI output shows that the TCAM slices are used from bottom (slice 15) to top (slice 0) and are
filled in a similar way to a bucket. Any initial default system rules are always allocated to slice 15.
When additional ACL rules or system rules are configured these are added to the same slice if they are
compatible. If they are not compatible, the existing rules in slice 15 are moved into a high slice (slice
14 for example) to make way for the new non-compatible rules which are always added to the bottom
slice (slice 15). This process continues until the TCAM is fully allocated.

A number of slices and rules are used by features present on the switch. You consume these
resources when a feature is enabled, so the availability of resources depends on the type and
number of features and protocols that are enabled on a switch. Below is a list of the most common
features and their resource consumption. For a detailed list, refer to the ExtremeXOS Concepts Guide.
• dot1p examination - enabled by default - 1 slice, 8 rules per chip
• IGMP snooping - enabled by default - 2 slices, 2 rules
• VLAN without IP configured - 2 slices, 2 rules
• IP interface - disabled by default - 2 slices, 3 rules (plus the IGMP snooping rules above)
• VLAN QoS - disabled by default - 1 slice, n rules (n = number of VLANs)
• Port QoS - disabled by default - 1 slice, 1 rule
• VRRP - 2 slices, 2 rules
• EAPS - 1 slice, 1 rule (master), n rules (transit, n = number of domains)
• ESRP - 2 slices, 2 rules
• ESRP Aware - 1 slice, 1 rule
• IPv6 - 2 slices, 3 rules
• Netlogin - 1 slice, 1 rule
• VLAN Mirroring - 1 slice, n rules (n = number of VLANs)

As an example of precedence among interface types, suppose a physical port 1:2 is a member port of
the VLAN yellow. ACLs could be configured on the port, either singly or as part of a port list, on the
VLAN yellow, and on all ports in the switch (the wildcard ACL). For all packets crossing this port, the
port-based ACL has highest precedence, followed by the VLAN-based ACL and then the wildcard ACL.

Note: ACLs applied to a VLAN are actually applied to all ports on the switch, without regard to VLAN
membership. The result is that resources are consumed per chip on BlackDiamond 8000 a-, c-, e-, xl-
and xm-series modules and Summit family switches.

The edit policy command spawns a vi-like editor to edit the named file. The editor operates in one of two
modes: command and input. When a file first opens, you are in command mode. To write to the
file, use the keyboard arrow keys to position the cursor within the file, then press one of the
following keys to enter input mode:
i - To insert text ahead of the cursor position
a - To append text after the cursor position

To leave input mode and return to command mode, press the Escape key.

The following commands can be used from command mode:
dd - To delete the current line
yy - To copy the current line
p - To paste the copied line
:w - To write (save) the file
:q - To quit the file if no changes were made
:q! - To quit the file without saving changes
:wq - To write and quit the file

The routing software and hardware routes IP traffic between router interfaces. A router interface is
simply a virtual LAN (VLAN) that has an IP address assigned to it. As you create VLANs with IP
addresses belonging to different IP subnets, you can also choose to route between the VLANs. Both
the VLAN switching and IP routing functions occur within the switch.

To enable IP forwarding on all VLANs configured with an IPv4 address:
enable ipforwarding

To enable IP forwarding on a specific VLAN:
enable ipforwarding vlan network1

To enable IP forwarding on a range of VLANs (this requires a VLAN tag ID to be configured on each
VLAN in the range):
enable ipforwarding vlan 10-20

Notice from the output of the show policy command that the policy has been applied as an ACL and is
bound once to the VLAN “data”.

The output from the show access-list command shows the actual VLAN the ACL is bound to (notice
that the ACL is bound to all ports as indicated by the asterisk “*”). It also shows whether the policy is
ingress or egress and how many rules are contained in the policy.

Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You specify the name of
the dynamic ACL rule, the match conditions, and the actions and action-modifiers. You can configure a
dynamic ACL to be permanent or non-permanent. Permanent dynamic ACLs are stored in the running
configuration and need to be saved to persist across system reboots. Non-permanent ACLs are
programmed directly into the hardware and are not added to the running configuration. They are
therefore not listed by the show configuration command.

User-created access-list names are not case sensitive. The match conditions, actions, and action
modifiers are the same as those that are available for ACL policy files. In contrast to the ACL policy file
entries, dynamic ACLs are created directly in the CLI.

More than one dynamic ACL can be applied to an interface, and the precedence among the dynamic
ACLs can be configured when adding the dynamic ACL via the CLI. By default, the priority among
dynamic ACLs is established by the order in which they are configured.

Note: Dynamic ACLs have a higher precedence than ACLs applied using a policy file.

In the above example, the previous policy denyTelnet is still applied to the Core-A switch preventing
users from accessing the switch’s CLI via Telnet. As dynamic ACLs take precedence over static ACLs, it
is useful to configure a dynamic ACL to temporarily override a static ACL rule for testing purposes.

The equivalent policy file rule to permit Telnet would be as follows:
entry permitTelnet {
    if match all {
        protocol tcp;
        destination-port 23;
    }
    then {
        permit;
    }
}

To configure a non-permanent dynamic ACL, enter the create access-list command specifying the rule
name, conditions and actions, then add the non-permanent command option. The above example can
be configured as follows:
create access-list permitTelnet "protocol tcp; destination-port 23" "permit" non-permanent
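The following Python is an added illustration (not ExtremeXOS code) of the two rule formats above and of the precedence rule that dynamic ACLs are matched before policy-file ACLs: it parses the policy-file entry syntax and the quoted conditions/actions of a create access-list command into one structure and evaluates a packet against both. The denyTelnet policy text and the sample packets are constructed, and the implicit permit when nothing matches is an assumption of the model.

```python
import ipaddress
import re

# Added illustration, not ExtremeXOS code: a reader for the policy-file entry
# syntax shown above and for the quoted conditions/actions of a dynamic ACL,
# plus an evaluator that applies dynamic entries before policy-file entries.
TOKEN = re.compile(r"[{};]|[^\s{};]+")

# Constructed policy text; the guide only mentions denyTelnet by name.
DENY_TELNET_POLICY = """
entry denyTelnet {
    if match all {
        protocol tcp;
        destination-port 23;
    }
    then {
        deny;
    }
}
"""

def parse_policy(text: str) -> list:
    """Parse `entry NAME { if [match all|any] { cond; ... } then { action; ... } }`."""
    toks = TOKEN.findall(text)
    pos = 0

    def expect(value):
        nonlocal pos
        if pos >= len(toks) or toks[pos] != value:
            raise SyntaxError(f"expected {value!r} at token {pos}")
        pos += 1

    def statements():
        """Read `keyword value ...;` items up to and including the closing brace."""
        nonlocal pos
        items = []
        while toks[pos] != "}":
            stmt = []
            while toks[pos] not in (";", "}"):
                stmt.append(toks[pos])
                pos += 1
            if toks[pos] == ";":            # the last item may omit its ';'
                pos += 1
            if stmt:
                items.append((stmt[0], stmt[1:]))
        pos += 1
        return items

    entries = []
    while pos < len(toks):
        expect("entry")
        name, pos = toks[pos], pos + 1
        expect("{")
        expect("if")
        mode = "all"                        # a bare `if {` means match all
        if toks[pos] == "match":
            mode, pos = toks[pos + 1], pos + 2
        expect("{")
        conditions = statements()
        expect("then")
        expect("{")
        actions = statements()
        expect("}")
        entries.append({"name": name, "match": mode, "conditions": conditions,
                        "actions": [a for a, _ in actions]})
    return entries

def parse_dynamic(name: str, conditions: str, actions: str) -> dict:
    """Build the same structure from `create access-list NAME "conds" "actions"`."""
    return parse_policy(f"entry {name} {{ if match all {{ {conditions} }} "
                        f"then {{ {actions} }} }}")[0]

def condition_holds(keyword: str, args: list, packet: dict) -> bool:
    value = packet.get(keyword)
    if value is None:
        return False
    if keyword in ("source-address", "destination-address"):
        return ipaddress.ip_address(value) in ipaddress.ip_network(args[0], strict=False)
    if keyword in ("source-port", "destination-port"):
        return int(value) == int(args[0])
    if keyword == "protocol":
        return str(value).lower() == args[0].lower()
    raise ValueError(f"condition {keyword!r} is not modelled here")

def entry_matches(entry: dict, packet: dict) -> bool:
    results = [condition_holds(k, a, packet) for k, a in entry["conditions"]]
    return all(results) if entry["match"] == "all" else any(results)

def decide(packet: dict, policy_entries: list, dynamic_entries: list = ()) -> tuple:
    """First match wins; dynamic ACLs are tried before the policy file. No match
    returns ('permit', None), the implicit default assumed by this model."""
    for entry in list(dynamic_entries) + list(policy_entries):
        if entry_matches(entry, packet):
            return ("deny" if "deny" in entry["actions"] else "permit"), entry["name"]
    return "permit", None

def demo() -> tuple:
    """Telnet is denied by the static policy until the dynamic permitTelnet rule is added."""
    policy = parse_policy(DENY_TELNET_POLICY)
    telnet = {"protocol": "tcp", "destination-port": 23, "source-address": "10.1.1.50"}
    permit = parse_dynamic("permitTelnet", "protocol tcp; destination-port 23", "permit")
    return decide(telnet, policy), decide(telnet, policy, [permit])
```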

Notice from the output of the show access-list command that VLAN data now indicates that a
dynamic ACL has been applied as well as the policy. However, the dynamic ACL name is not shown in
the output of this command; to display it, enter the show access-list dynamic command.
There may be a number of system dynamic ACLs present, depending on the switch you are using and
the software version you are running. System ACLs are designed to facilitate the operation of some
features and are beyond the scope of this course.

End-hosts on a LAN segment are typically configured to send packets through the gateway defined by
a default route (or static routes) for remote destinations. Loss of the default router results in a
catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be
available. The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of
failure inherent in the static default routed environment.

VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one
of the VRRP routers on a LAN.

The VRRP router controlling the IP address(es) associated with a virtual router is called the Master,
and forwards packets sent to these IP addresses.

The election process provides dynamic fail-over in the forwarding responsibility should the Master
become unavailable.

Any of the virtual router's IP addresses on a LAN can then be used as the default first hop router by
end-hosts.

The advantage gained from using VRRP is a higher availability default path that does not require
routing or router discovery protocols on end-hosts.

Load sharing can also be implemented by configuring multiple VRRP routers across multiple IP
routers, each IP router being the master of a different virtual router.

VRIDs are converted to hexadecimal when they are appended to the virtual MAC address, so an appreciation
of hex numbering is required to decode VRRP MAC addresses to VRID mappings.

Before we go any further, let's get familiar with the terminology defined in RFC 3768:
• VRRP Router - A router running the Virtual Router Redundancy Protocol.
• Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a
shared LAN. A VRRP router may participate in one or more virtual routers.
• VRID - The virtual router identifier; uniqueness is required on a LAN segment only.
• IP Address Owner - The VRRP router that has the VR's IP address(es) also as the real interface
address(es). This is the router that, when up, will be the master of the virtual router instance and
will respond to packets addressed to these IP addresses for ICMP pings, TCP connections, etc.
• Virtual Router Master - The VRRP router that assumes the responsibility of forwarding packets sent
to the IP address(es) associated with the virtual router, and answering ARP requests for these IP
addresses.
• Virtual Router Backup - The set of VRRP routers available to assume forwarding responsibility for a
virtual router should the current Master fail.

If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP router,
then the router owning the address becomes the master. The master sends an advertisement to all
other VRRP routers declaring its status, and assumes responsibility for forwarding packets associated
with its virtual router ID (VRID). If the virtual router IP address is not owned by any of the VRRP
routers, then the routers compare their priorities and the router with the higher priority becomes the
master. If priority values are the same, then the VRRP router with the higher IP address is selected as
the master.

ICMP Echo
The VRRP RFC specifies that a VR master that is not the IP address owner should not respond to an
ICMP ping sent to the virtual IP address.
This poses a problem for network management applications that determine reachability to a given
IP address using ICMP Echo requests. It is therefore best to make this behaviour configurable, so that a
non-owner master can also be allowed to respond.
Note that the CLI syntax differs between platforms.

Configuration for Echo reply:
configure vrrp vlan vlan_name vrid vridval accept-mode [on | off]

For example:
configure vrrp vlan vlan-1 vrid 1 accept-mode on

Three types of ARP requests can be employed on a VRRP router:

Host ARP
Host ARP performs according to the following rules:
When a host sends an ARP request for one of the VR IP addresses, the master VR returns the virtual
MAC address (00-00-5e-00-01-VRID).
The backup VR must not respond to the ARP request for one of the VR IP addresses.
If the master VR is the IP address owner, when a host sends an ARP request for this address, the
master VR must respond with the virtual MAC address, not the real physical MAC address.
For other IP addresses, the VRRP router must respond with the real physical MAC address, regardless
of master or backup.

Gratuitous ARP
Behaves in the following manner on a VRRP router:
Each VR sends gratuitous ARP when it becomes the master with virtual IP and MAC addresses. One
gratuitous ARP is issued per VR IP address.
To make the switch learn the correct VR MAC address, the VR master sends gratuitous ARP for every
virtual IP address in the corresponding VR every 10 seconds.

Proxy ARP
If used, the VRRP master router must bind the virtual MAC address to remote IP destination
addresses in proxy ARP replies.
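As an added illustration (not ExtremeXOS code) of the election rules listed under the RFC 3768 terminology and of the VRID-to-MAC mapping used by the Host ARP rules above, the following Python models that behaviour; router names, interface addresses and real MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration of the RFC 3768 rules described above, not ExtremeXOS code.
# Router names, interface addresses and real MAC addresses are constructed.
VRRP_MAC_PREFIX = "00:00:5e:00:01"   # IPv4 VRRP virtual MAC; the last octet is the VRID
OWNER_PRIORITY = 255                 # the IP address owner always wins the election
DEFAULT_PRIORITY = 100


def vrid_to_mac(vrid: int) -> str:
    """VRID 10 becomes 00:00:5e:00:01:0a (the VRID written in hex)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"{VRRP_MAC_PREFIX}:{vrid:02x}"


def mac_to_vrid(mac: str) -> int:
    """Decode the VRID from a virtual MAC in either 00-00-5e-00-01-0a or colon form."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or ":".join(octets[:5]) != VRRP_MAC_PREFIX:
        raise ValueError(f"{mac} is not an IPv4 VRRP virtual MAC")
    return int(octets[5], 16)


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str          # real address on the VLAN interface
    real_mac: str
    priority: int = DEFAULT_PRIORITY


def effective_priority(router: VrrpRouter, virtual_ip: str) -> int:
    return OWNER_PRIORITY if router.interface_ip == virtual_ip else router.priority


def elect_master(virtual_ip: str, routers: list) -> VrrpRouter:
    """Owner wins outright; otherwise highest priority, ties broken by higher IP."""
    return max(routers, key=lambda r: (effective_priority(r, virtual_ip),
                                       int(ipaddress.IPv4Address(r.interface_ip))))


def arp_reply(router: VrrpRouter, is_master: bool, vrid: int,
              vr_ips: set, requested_ip: str) -> Optional[str]:
    """Host ARP rules: the master answers for VR addresses with the virtual MAC
    (even when it owns the address); a backup stays silent for VR addresses;
    any other address of the router is answered with its real MAC."""
    if requested_ip in vr_ips:
        return vrid_to_mac(vrid) if is_master else None
    if requested_ip == router.interface_ip:
        return router.real_mac
    return None                 # not one of this router's addresses


def demo() -> tuple:
    """Two non-owner routers with equal priority: the higher address wins."""
    vip, vrid = "10.1.1.1", 10
    routers = [VrrpRouter("Core-A", "10.1.1.2", "02:00:00:00:00:0a"),
               VrrpRouter("Core-B", "10.1.1.3", "02:00:00:00:00:0b")]
    master = elect_master(vip, routers)
    return master.name, arp_reply(master, True, vrid, {vip}, vip)
```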

VRRP Version Support
ExtremeXOS supports both VRRPv2 and VRRPv3, as well as VRRPv2/VRRPv3 interoperability.

VRRP Hitless Failover
The primary node executes the switch's management functions, and the backup acts in a standby
role. Hitless failover transfers switch management control from the primary to the backup and
maintains the state of VRRP. While VRRP supports hitless failover, you do not explicitly configure
hitless failover support; rather, if you have two nodes installed, hitless failover is available.

VRRP Scaling
From ExtremeXOS release 22.1, the maximum number of unique VRID numbers per switch has been
increased to 255 on the Summit X770, X670-G2, X460-G2 and X450-G2 and the ExtremeSwitching X440-G2,
X620, X870, X690 and X590. Older releases support only 31 or 7 unique VRIDs, depending on the
software version and switch model.
Note: For backwards compatibility in a mixed environment, VRIDs should be re-used wherever
possible to reduce the number of unique VRIDs.

To configure the operating version of a VRRP instance for VRRP version 3:
configure vrrp vlan data2 vrid 1 version v3

To configure the pre-emption delay on a VRRP instance (the configurable delay time is 0 to 3600
seconds; default = 0):
configure vrrp vlan data2 vrid 1 pre-empt 60

To disable pre-emption on a VRRP instance:
configure vrrp vlan data2 vrid 1 dont-preempt

To change the advertisement interval of a VRRP instance (the range is 1 through 40 seconds or 10
through 4095 centiseconds; default = 1 second):
configure vrrp vlan data2 vrid 1 advertisement-interval

To change the tracking conditions for master status (default = all):
configure vrrp vlan data2 vrid 1 track-mode [all | any]

The ability to track remote interfaces is designed to address a condition in which the master VRRP
router continues to process packets sent to the VRRP IP address, even when it cannot forward the
packets toward their ultimate destination.

When a tracking condition is in a failed state, VRRP behaves as though it is locally disabled, so it is
neither master nor backup (which are both active states).

VRRP VLAN Tracking
You can configure VRRP to track up to 8 active VLANs (active ports in a VLAN, or a loopback). If no active
ports remain on the specified VLANs, the router automatically relinquishes master status based on
the tracking mode.

VRRP Route Table Tracking
If any of the configured routes are not available within the route table, the router automatically
relinquishes master status based on the tracking mode.

VRRP Ping Tracking
The responder may represent the default route of the router, or any device meaningful to the network
connectivity of the master VRRP router. If pinging the responder consecutively fails the specified
number of times, the router automatically relinquishes master status based on the tracking mode.

Ping tracking options include:
• frequency seconds - Specifies the number of seconds between pings to the target IP address. The
range is 1 to 600 seconds.
• miss misses - Specifies the number of misses allowed before this entry is considered to be failing.
The range is 1 to 255 pings.
• success successes - Sets how many ping successes are required for tracking success. The range is
1 to 255. (Default is 10 × misses.)

In addition to the VRRP and EAPS, the core switches are usually configured with OSPF.

MLAG allows for the provision of multiple connections to the core switches without the need for a
loop prevention protocol. In an edge/core environment the core switches will usually also run OSPF.

OSPF is classified as an Interior Gateway Protocol (IGP). This means that it distributes routing
information between routers belonging to a single Autonomous System. The OSPF protocol is based
on SPF, or link-state, technology.

The OSPF protocol was developed by the OSPF working group of the Internet Engineering Task Force.
It has been designed expressly for the internet environment, including explicit support for IP
subnetting, TOS-based routing and the tagging of externally-derived routing information. OSPF also
provides for the authentication of routing updates, and utilizes IP multicast when sending/receiving
the updates. In addition, much work has been done to produce a protocol that responds quickly to
topology changes, yet involves small amounts of routing protocol traffic.

OSPF allows collections of contiguous networks and hosts to be grouped together. Such a group,
together with the routers that have interfaces to any one of the included networks, is called an area.

Each area runs a separate copy of the basic shortest-path-first routing algorithm. This means that
each area has its own topological database.

The topology of an area is invisible from the outside of the area. Conversely, routers internal to a
given area know nothing of the detailed topology external to the area. This isolation of knowledge
enables the protocol to effect a marked reduction in routing traffic as compared to treating the entire
autonomous system as a single SPF domain.

With the introduction of areas, it is no longer true that all routers in the AS have an identical
topological database. A router actually has a separate topological database for each area to which it is
connected. Routers connected to multiple areas are called area border routers. Two routers belonging
to the same area have, for that area, identical area topological databases.

Routing in the autonomous system takes place on two levels, depending on whether the source and
destination of a packet reside in the same area (intra-area routing is used) or different areas (inter-
area routing is used). In intra-area routing, the packet is routed solely on information obtained within
the area; no routing information obtained from outside the area can be used. This protects intra-area
routing from the injection of bad routing information.

Every OSPF routing domain (AS) that has more than one area must have a backbone. The backbone is a
special OSPF area that must have an area ID of 0.0.0.0 (or simply 0). It consists of those networks not
contained in any specific area, their attached routers, and those routers that belong to multiple areas.

The backbone must be contiguous. Each router interface that is configured in Area 0 must be
reachable via other routers where each interface in the path is also configured in Area 0.

However, it is possible to define areas in such a way that the backbone is no longer contiguous, that is,
the continuity between routers is broken. In this case, you must establish backbone continuity by
configuring virtual links. Virtual links are useful when the backbone area is purposefully
partitioned or when restoring inadvertent breaks in backbone continuity.

OSPF supports a two-level routing design through the use of areas. OSPF areas are identified by an
area ID. An area consists of the network segments and routers that reside in it. Each area has
its own link state database (LSDB), which is separate from the LSDBs of other OSPF areas. The LSDB
consists of router-LSAs and network-LSAs, which describe how the area's routers and network
segments are connected. Detailed information regarding the area's topology is hidden from all other
areas (router-LSAs and network-LSAs are not flooded to routers outside the area and are used for
intra-area routing).

Because OSPF uses area-based routing, the positioning of routers with respect to these areas
is a critical element in an OSPF routing environment.

Within OSPF, routers take on special responsibilities depending on their topological position. All
routers running OSPF on at least one of their interfaces fall into one of the following
categories: ABRs, ASBRs, or internal routers. Depending on its type, a router has
different responsibilities in restricting or allowing the propagation of certain types of LSAs.

Inter-area routing is achieved through the use of summary-LSAs that are passed from area to area (via
ABRs).

Summary-LSAs allow routers in the interior of an area to dynamically learn about destinations in other
areas, so they can select the best path when forwarding packets to these destinations.

Stub areas are typically implemented when routers with limited resources (small amounts of memory
or limited CPU processing capacity) must be deployed in an OSPF routing domain. To conserve router
resources, the link state database (LSDB) within a stub area is kept as small as possible.
AS-external-LSAs are not passed into the area. Routing to external destinations from a stub area is
accomplished by using a default route originated by the area's ABR.
There are several requirements to take into consideration when configuring a stub area. All routers
participating in the stub area must be configured to function as stub area routers.

In addition:
• AS-external-LSAs are not flooded into stub areas.
• Routing to external destinations from stub areas is based on default routes originated by a stub
area's ABR.
• Summary LSAs can also use the default route for inter-area routing.

Criteria:
• Stub areas must not have an ASBR.
• Stub areas should have one ABR or, if more than one, accept non-optimal routing paths to the
external AS.
• No virtual links are allowed in a stub area.

A Totally Stubby Area (TSA) is a variation of a stub area. For very large OSPF networks it is sometimes
necessary to limit the amount of routing information flooded into an area to an even greater degree.
In addition to filtering AS-external-LSAs, a Totally Stubby Area filters Network-Summary-LSAs as well,
further reducing the volume of OSPF routing information present in the area.

A Not-So-Stubby Area (NSSA) is a second variation of a stub area, in which external routing
information (in the form of AS-external-LSAs) can be imported into the stub area via an Autonomous
System Border Router (ASBR) that resides in the NSSA. AS-external-LSAs from outside the area (e.g.,
AS-external-LSAs from Area 0) are still not allowed into the NSSA.

For the above slide, Router1 and Router2 have been elected Designated Router (DR) and Backup
Designated Router (BDR) based on priority (priority 100 and priority 75). A set of adjacencies for the LAN
segment is indicated on the slide.

To demonstrate how database updates occur on a broadcast LAN using a DR and BDR, suppose Router5
receives a new LSA (perhaps you configure a new VLAN to participate in OSPF). It installs the LSA in its
database, and then floods the LSA (in an LS Update) to the DR and BDR using 224.0.0.6 (AllDRouters), so
only these routers receive the update.

The Designated Router then sends the LS Update back on to the LAN segment using address 224.0.0.5
(AllSPFRouters). All the routers hear and process the update. Router2 and Router5 update their
timers; Router3 and Router4 add the LSA to their Link State Database.

All the routers stop passing data traffic, run Dijkstra's Algorithm to recompute their Shortest Path
Trees, reconverge, and begin passing traffic again.

Using the loopback interface as the router ID is the preferred method. Its major advantage is as
follows: If a real interface is used, any time that interface goes down the router must find another
Router ID. This causes all the other routers to learn the router’s new ID number, and update their
databases.

This would result in the router not processing OSPF packets during this time frame. As long as the
router is turned on and running, the loopback will never go away, so when a router interface goes
down it won’t affect the other routers in the network.

Type 1 LSAs are called router-LSAs. Each router originates a single router-LSA to describe its set of
active interfaces and neighbors. If your routing domain consists entirely of routers connected by point-
to-point links – that is, if you have no client-facing VLANs attached to your routers – the link-state
database will consist only of router-LSAs.
Type 2 LSAs are called network-LSAs. The Type 2 LSA describes a broadcast network segment (such as
Ethernet) or other Non-Broadcast Multiple Access (NBMA) network (such as Asynchronous Transfer
Mode (ATM)), along with the Router IDs of any routers currently attached to the network.
A Type 3 LSA is called a network-summary-LSA. It advertises a network that resides in one area into
another area. Only ABRs send Type 3 LSAs. You can configure your ABR to summarize the networks it
is advertising, if those networks are summarizable. If they are not, your ABR will issue a Type 3 LSA
for every network in the area.
A Type 4 LSA is called an ASBR-summary-LSA. When an Area Border Router has an ASBR in its area, it
originates a Type 4 LSA to let all the other routers in the OSPF network know the path to the ASBR.
The Type 4 LSA floods throughout the OSPF backbone area; all other routers in the backbone area
receive and process it directly. Any other ABRs in the domain will re-originate the Type 4 LSA into the
area(s) to which they are connected.
Type 5 LSAs are called Autonomous-System-external-LSAs (AS-external-LSAs). ASBRs originate Type
5 LSAs to advertise routes in the non-OSPF routing domains to which they are attached. Type 5 LSAs
flood throughout your OSPF domain, crossing ABRs.
If an ASBR is on the back side of a Not-So-Stubby Area (NSSA), it advertises routes it learns from the
non-OSPF routing protocol into the NSSA as Type 7 LSAs. The Area Border Router advertises these
routes into the rest of the OSPF domain as Type 5 LSAs.
Reliable flooding is the process within the OSPF protocol by which the receipt of LSAs is acknowledged by
the receiving router.

OSPF packet type 1 (Hello): sent out of all interfaces, transmitted via multicast to
AllSPFRouters (224.0.0.5), acts as a form of "keep alive", and is used for Designated Router / Backup
Designated Router election.

OSPF packet type 2 (Database Description): exchanged when an adjacency is being initiated; describes the
topology database, and multiple packets may be used to describe a database.

OSPF packet type 3 (Link State Request): requests pieces of the topological database from neighbor
routers. These messages are exchanged after a router discovers (by examining Database Description
packets) that parts of its topological database are out of date. Type 3 packets allow the router to come to
full adjacency with the Designated Router.

OSPF packet type 4 (Link State Update): implements the flooding of LSAs; several LSAs may be included
within a single packet. It is sent in response to Link State Request packets, performs the database
update, and is acknowledged by Link State Acknowledgement packets.

OSPF packet type 5 (Link State Acknowledgement): acknowledges flooded LSAs; sent either multicast to
AllSPFRouters or AllDRouters, or unicast. The packet format is similar to Database Description packets,
and the packet body consists of a list of LSA headers.
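The five packet types share the 24-byte OSPFv2 header of RFC 2328, and a receiver should validate that header before acting on anything in the body. The following Python is an added illustration (not ExtremeXOS code) that builds a Hello packet with the default 10/40 second timers, then parses and checksum-verifies it, rejecting corrupted or truncated input; router IDs, area IDs and neighbour addresses are constructed.

```python
import struct
from socket import inet_aton, inet_ntoa

# Added illustration, not ExtremeXOS code: build and check the OSPFv2 packet
# header of RFC 2328 so the five packet types above can be told apart and a
# corrupted or truncated packet is rejected before any of it is acted on.
# Router IDs, area IDs and neighbour addresses used here are constructed.
HEADER = struct.Struct("!BBH4s4sHH8s")     # version, type, length, router ID,
                                           # area ID, checksum, AuType, auth data
HELLO_BODY = struct.Struct("!4sHBBI4s4s")  # mask, hello, options, priority,
                                           # dead interval, DR, BDR (+ neighbours)
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}
ALL_SPF_ROUTERS, ALL_D_ROUTERS = "224.0.0.5", "224.0.0.6"


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum; evaluates to 0 over a packet whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_input(packet: bytes) -> bytes:
    """OSPF checksums the whole packet except the 8-byte authentication field."""
    return packet[:16] + packet[24:]


def build_hello(router_id, area_id, mask="255.255.255.0", hello=10, dead=40,
                priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Type 1 packet with null authentication and the default 10/40 s timers."""
    body = HELLO_BODY.pack(inet_aton(mask), hello, 0x02, priority, dead,
                           inet_aton(dr), inet_aton(bdr))
    body += b"".join(inet_aton(n) for n in neighbors)
    length = HEADER.size + len(body)
    header = HEADER.pack(2, 1, length, inet_aton(router_id), inet_aton(area_id),
                         0, 0, bytes(8))               # checksum filled in below
    packet = header + body
    csum = struct.pack("!H", ip_checksum(checksum_input(packet)))
    return packet[:12] + csum + packet[14:]


def parse_header(packet: bytes) -> dict:
    """Validate version, type, length and checksum before trusting any field."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, aid, _csum, autype, _auth = HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError(f"unsupported OSPF version {version}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown OSPF packet type {ptype}")
    if length < HEADER.size or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    # AuType 2 (cryptographic) leaves the checksum unused; null/simple auth use it.
    if autype != 2 and ip_checksum(checksum_input(packet[:length])) != 0:
        raise ValueError("OSPF checksum mismatch")
    return {"type": ptype, "type_name": PACKET_TYPES[ptype], "length": length,
            "router_id": inet_ntoa(rid), "area_id": inet_ntoa(aid), "autype": autype}


def parse_hello(packet: bytes) -> dict:
    """Decode the Hello body (the values two neighbours must agree on)."""
    info = parse_header(packet)
    if info["type"] != 1:
        raise ValueError(f"expected Hello, got {info['type_name']}")
    body = packet[HEADER.size:info["length"]]
    if len(body) < HELLO_BODY.size:
        raise ValueError("truncated Hello body")
    mask, hello, _options, prio, dead, dr, bdr = HELLO_BODY.unpack_from(body)
    neighbors = [inet_ntoa(body[i:i + 4])
                 for i in range(HELLO_BODY.size, len(body) - 3, 4)]
    info.update(network_mask=inet_ntoa(mask), hello_interval=hello, dead_interval=dead,
                priority=prio, dr=inet_ntoa(dr), bdr=inet_ntoa(bdr), neighbors=neighbors)
    return info
```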

Database Overflow
The OSPF database overflow feature allows you to limit the size of the LSDB and to maintain a
consistent LSDB across all the routers in the domain, which ensures that all routers have a consistent
view of the network.

Opaque LSAs
Opaque LSAs are a generic OSPF mechanism used to carry auxiliary information in the OSPF database.
Opaque LSAs are most commonly used to support OSPF traffic engineering.

Not-So-Stubby-Areas
Not-so-stubby-areas (NSSAs) are similar to the existing OSPF stub area configuration option but have
external routes originating from an ASBR.

Graceful OSPF Restart
Used to maintain LSAs in neighbour routers while an OSPF enabled redundant SummitStack performs
a hitless failover of the control plane. Prevents routing outages.

BFD Overview
Bidirectional Forwarding Detection (BFD) is a hello protocol that provides the rapid detection of
failures in the path and informs the clients (routing protocols) to initiate the route convergence.

Note: If no OSPF Router ID is configured, the highest configured IP address among the interfaces
will be selected as the Router ID.

In order for two OSPF routers to come to adjacency, their timers must all match. The defaults are
given in the table below:

Timer                  Timer Type   Default Value   Value Range (seconds)
Hello Interval         Link         10 seconds      1 - 65,535
Router Dead Interval   Link         40 seconds      1 - 2,147,483,647
Retransmit Interval    Link         5 seconds       1 - 3,600
Router Wait Interval   Link         40 seconds      1 - 2,147,483,647
Transmission Delay     Link         1 second        0 - 3,600
SPF Holdtime           Protocol     3 seconds       0 - 3,600
LSA Batch Interval     Protocol     30 seconds      0 - 600

OSPF neighbor states:
Down/Init: Hello packet is received
2-Way: Hello packet is received with DR information (DR does not transition to 2-Way)
ExStart: LSDB exchange master election
Exchange: LSDB exchange
Loading: Link State Requests & Updates received
Full: LSDB exchange completed and SPF calculation run

To configure all the interfaces in area 1.2.3.4 to be selected as the DR (assuming all other interfaces
are at the default priority):
configure ospf area 1.2.3.4 priority 100

To configure the cost metric of the VLAN accounting:
configure ospf vlan accounting cost 10

To associate the VLAN accounting with an OSPF area:
configure ospf vlan accounting area 0.0.0.6

To configure the OSPF area timers:
configure ospf area area-identifier timer retransmit-interval transit-delay hello-interval dead-interval
{wait-timer-interval}

To configure an OSPF area as a normal area:
configure ospf area 10.1.0.0 normal

To configure an OSPF area as a stub area:
configure ospf area area-identifier stub [summary | nosummary] stub-default-cost cost

To configure an OSPF area as an NSSA:
configure ospf area area-identifier nssa [summary | nosummary] stub-default-cost cost {translate}

To configure a virtual link between one ABR that is not directly connected to area 0.0.0.0 and another
ABR that is:
configure ospf add virtual-link <router-id> <transit-area>

To summarize a certain range of IP addresses within an area and export them out as a single address:
configure ospf area 1.2.3.4 add range 10.1.2.0/24 advertise type-3

To configure an external filter policy, nosales (the nosales route policy contains a list of
permitted or denied routes):
configure ospf area 1.2.3.4 external-filter nosales

After OSPF export is enabled, the OSPF router is considered to be an ASBR. Interface routes that
correspond to the interface that has OSPF enabled are ignored.

The cost metric is inserted for all BGP, IS-IS, RIP-learned, static, and direct routes injected into OSPF. If
the cost metric is set to 0, the cost is inserted from the route. The tag value is used only by special
routing applications. Use 0 if you do not have specific requirements for using a tag. The tag value in
this instance has no relationship with 802.1Q VLAN tagging.

The same cost, type, and tag values can be inserted for all the export routes, or a policy can be used
for selective insertion.

When a policy is associated with the export command, the policy is applied on every exported route.
The exported routes can also be filtered using a policy.

IP multicast is used by a number of protocols and applications. Applications such as video and audio
conferencing and streaming use protocols such as the Real Time Protocol (RTP) and Real Time Control
Protocol (RTCP) to encapsulate multimedia streams and to monitor the delivery of the data.

Other protocols such as OSPF and RIP2, as well as application-based protocols such as Session
Announcement Protocol (SAP) and Session Description Protocol (SDP), use multicast to announce and
learn the existence of other routers or other multimedia conferences on the network.

The IANA has reserved addresses within the range of 224.0.0.1 through to 224.0.0.255 for use by
network protocols within a local subnetwork. Packets with addresses in this range are not forwarded
by routers and are therefore used for routing protocols, topology discovery, and maintenance
protocols. Any router that receives a packet with one of these addresses in the destination field must
either process the information contained within or discard it. These packets are never forwarded.

The illustration shows a partial list of reserved link-local multicast addresses and the network protocol
or function to which they are assigned. There are more than 48 link-local reserved multicast
addresses assigned, as well as additional reserved addresses such as those for Source Specific
Multicast and the Internetwork Control Block.

For the current complete list of link-local reserved addresses, visit the following URL:
http://www.iana.org/assignments/multicast-addresses

Administratively Scoped Addresses


IANA has reserved the address range of 239.0.0.0 to 239.255.255.255 as administratively scoped
addresses for use in private multicast domains. Addresses in this range have a similar function to
reserved unicast addresses such as 10.0.0.0 as defined in RFC 1918. Addresses in this range are not
assigned to any other group and can be used inside a domain without conflicting with other addresses
on the Internet. For more information on administratively scoped addresses see RFC2365.

The goal of IP multicast is to deliver traffic to a specific subset of all the devices on your network.

The Internet Group Management Protocol (IGMP) is a layer-2 protocol that runs between hosts and
their immediately neighboring multicast routers.

Routers implement IGMP to allow hosts to signal to the network their desire to receive multicast
traffic for a specific group. This enables the routers to learn about the presence of group members on
their directly attached subnetworks.

This receiver-initiated join process has excellent scaling properties since, as the multicast group
increases in size, it becomes ever more likely that a new group member is able to locate a nearby
branch of the multicast distribution tree.

The Internet Group Management Protocol (IGMP) is used between IP hosts and their local network to
support the creation of transient multicast membership groups, the addition and deletion of
members of a group, and the periodic confirmation of group membership.

A Server has no direct IGMP involvement, as it does not receive a multicast stream and only sends a
multicast stream.

IGMP relies on a query and response process. A router on the subnet, called the “Querier Router”,
sends out a query message asking, “Does anyone on this subnet want a multicast stream?” Hosts
that want a multicast stream send a response.

IGMP query messages are addressed to the all-hosts group address (224.0.0.1) and have a Time to
Live (TTL) value of 1. The router periodically multicasts an IGMP membership query to the “all hosts”
multicast group on the local subnetwork. All hosts that support IGMP are automatically members of
the all-hosts group and accept packets addressed to the all-hosts group.

The default query interval is 60 seconds for IGMPv1 and 125 seconds for IGMPv2.

Querier Election
In a multi-access network there may be more than one router that is IGMP enabled. Only one
multicast querier (router) can exist for each LAN at a time. So, there needs to be an election to
determine which router becomes the IGMP querier.

IGMP v1 does not have an election mechanism and relies on the routing protocol to select a
designated router.

IGMP v2 uses a General Query message on start-up. When routers receive the General Query
messages they compare the source IP address with their own. The router with the lowest IP address is
elected the IGMP querier. General query messages are sent to the all-routers multicast group using
address 224.0.0.2.

IGMP builds a multicast source tree for each IGMP router in a layer 2 network. IGMP Snooping builds
a multicast source tree for a local switch. It is the ability of a switch to interpret IGMP messages sent
by hosts and then to restrict the forwarding of multicast packets to only those ports (member
ports) on which IGMP messages have been received, without forwarding the multicast traffic to
non-member ports. If IGMP snooping is disabled, all multicast packets are flooded to every active
port on the switch.

Note: When a host is no longer interested in receiving the multicast stream and it only supports
IGMPv1, the switch stops sending the multicast stream to that host after the IGMP Snooping host
timer expires (240 seconds by default). The switch responds by sending an IGMP query to all ports in
the VLAN to detect if there are other interested hosts.

IGMP snooping filters allow you to configure a policy file on a port to allow or deny IGMP report and
leave packets coming into the port. The IGMP snooping filter feature is supported by IGMPv2 and
IGMPv3.

For the policies used as IGMP snooping filters, all the entries should be IP address type entries, and
the IP address of each entry must be in the class-D multicast address space but should not be in the
multicast control subnet range (224.0.0.x/24).

PIM Snooping
PIM snooping enables routers connected to a L2 switch to forward multicast streams to each other. In
this scenario, multicast traffic is essentially treated as broadcast traffic in order for the multicast
streams to be propagated because IGMP snooping does not process PIM join messages.

PIM snooping addresses this flooding behavior by replicating multicast traffic only onto the
ports on which routers advertise PIM join requests. The application for this feature is connecting
PIM Autonomous Systems, usually within an Internet Exchange’s ISP peering network. PIM snooping
does not require PIM to be enabled. A discussion of PIM snooping is beyond the scope of this course.

PIM-SM relies on IGMP technology to determine group memberships and uses existing unicast routes
to perform reverse path forwarding (RPF) checks, which are, essentially, a route lookup on the source.
Its routing engine then returns the best interface, regardless of how the routing table is constructed.
In this sense, PIM is independent of any routing protocol. It can perform RPF checks using
protocol-specific routes (for example, OSPF routes), static routes, or a combination of route types.

PIM-SM uses a shared-tree-type technology, which requires a rendezvous point. The rendezvous point
can be administratively assigned or dynamically elected on a specific router in the PIM domain.
Source devices have to register with the rendezvous point by forwarding a join message. Initially, the
source device may not know which router is the rendezvous point so a join message is used. The
multicast source initiates an IGMP join message to its default gateway. In this case, the source’s
default gateway is known as the DR (Designated Router). The DR will forward the join message onto
the RP router. The RP router will respond building a path (tree) between the DR and itself.

PIM-SM operates on an explicit join model. PIM-SM routers only send multicast streams to hosts that
explicitly request it.

When a host wants a multicast stream, it sends an IGMP Join message with the (*,G) information to
its Querier Router. The router adds the interface on which it receives the Join to the outgoing
interface list in its multicast routing table, and forwards the Join to the Rendezvous Point.

The Rendezvous Point processes the Join, and adds the interface upon which the Join arrived to
outgoing interfaces for this group in its multicast routing table.

If the Rendezvous Point is currently part of the Shortest Path Tree (SPT) for this multicast group and
thus is currently receiving the multicast stream, it immediately begins to forward the stream out that
interface. If the RP is not currently receiving the multicast stream, the Join process ends here. Note
that it is possible for the two routers involved to have interfaces that are outgoing interfaces for the
multicast group, without having multicast actually flowing.

At this point, the multicast source begins sending multicast packets to the RP.

When you enable PIM ECMP load splitting based on source address, the RPF interface for each (*, G)
or (S,G) state is selected among the equal cost paths based on the hash derived from the source
address.

When you enable PIM ECMP load splitting based on group address, the RPF interface for each (*, G)
or (S,G) state is selected based on the hash derived from the group address.

When you enable PIM ECMP load splitting based on source-group address, the RPF interface for each
(*, G) or (S,G) state is selected among the equal cost paths based on the hash derived from the source
and group addresses.

When you enable PIM ECMP load splitting based on source-group-next hop address, the RPF interface
for each (*, G) or (S,G) state is selected among the equal cost paths based on the hash derived from
the source, group and next hop addresses.
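
The four load-splitting modes above as a small Python model, added here and not EXOS code: it selects an RPF interface from a set of equal-cost paths by hashing the addresses each mode uses, and tallies how a set of (S,G) flows spreads across the paths under each mode. The CRC32 hash, the highest-hash tie-break for the next-hop mode, and the sample paths and flows are constructed assumptions; the real switch hash is not given in this section.

```python
"""Added example (not EXOS code): a model of PIM ECMP load splitting. The four
modes and the addresses each one hashes are as described above; the CRC32
hash, the highest-hash tie-break for the next-hop mode and the sample paths
and flows are constructed stand-ins, since the switch's real hash function is
not given in this section."""
import ipaddress
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MODES = ("source", "group", "source-group", "source-group-next-hop")


@dataclass(frozen=True)
class Path:
    """One equal-cost route towards the source (or towards the RP for a (*,G) state)."""
    interface: str
    next_hop: str


def _hash(*addrs: str) -> int:
    """Constructed hash over the packed addresses; any stable hash would do for the model."""
    data = b"".join(ipaddress.ip_address(a).packed for a in addrs)
    return zlib.crc32(data) & 0xFFFFFFFF


def rpf_interface(mode: str, paths: List[Path], group: str, source: str) -> str:
    """Select the RPF interface for an (S,G) state under the given mode.
    For a (*,G) state the RPF lookup is towards the RP, so pass the RP address as source."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {MODES}")
    if not paths:
        raise ValueError("no equal-cost paths to choose from")
    if mode == "source-group-next-hop":
        # The next hop differs per candidate path, so hash (S, G, next-hop) for
        # each path and keep the highest value (rendezvous-style selection).
        return max(paths, key=lambda p: _hash(source, group, p.next_hop)).interface
    keyed = {
        "source": (source,),
        "group": (group,),
        "source-group": (source, group),
    }[mode]
    return paths[_hash(*keyed) % len(paths)].interface


def distribution(mode: str, paths: List[Path], flows: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count how many (source, group) flows each interface carries under a mode.
    All flows of one group share a path under group hashing, whereas source-group
    hashing can spread the same flows across the equal-cost links."""
    counts = Counter({p.interface: 0 for p in paths})
    for source, group in flows:
        counts[rpf_interface(mode, paths, group, source)] += 1
    return dict(counts)


# Constructed sample: three equal-cost paths and twelve (S,G) flows.
PATHS = [Path("vlan10", "10.0.10.2"), Path("vlan20", "10.0.20.2"), Path("vlan30", "10.0.30.2")]
FLOWS = [(f"192.168.{s}.10", f"239.1.1.{g}") for s in range(1, 5) for g in range(1, 4)]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:>22}: {distribution(mode, PATHS, FLOWS)}")
```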

PIM-SSM is a subset of the PIM-SM protocol. PIM-SSM is not independent of PIM-SM. PIM-SM must
be enabled on all interfaces that use PIM-SSM. PIM-SSM is disabled by default and must be explicitly
enabled.

PIM-SSM only builds source-based shortest path trees. Where PIM-SM always joins a shared tree first
and then switches to the source tree, SSM eliminates the need for starting with a shared tree by
immediately joining a source through the shortest path tree. This behavior means that PIM-SSM
does not require an RP or BSR. Members of an SSM group can only receive from a single source. This
is ideal for applications like TV channel distribution, and for certain banking and trade applications,
but rules out SSM for applications such as multicast VoIP teleconferencing.

The Internet Assigned Numbers Authority (IANA) has reserved addresses for PIM-SSM in the
232.0.0.0/8 range for IPv4 and in the ff3x:0000/32 range, where (x = 4,5,8, or E), for IPv6. SSM
recognizes packets in this range and controls the behavior of multicast routing devices and hosts that
use one of these addresses. In PIM-SSM, an IP datagram is transmitted by a source S to an SSM
destination address G, and receivers can receive this datagram by subscribing to channel (S,G).

A channel is a source-group (S,G) pair where S is the source sending to the multicast group and G is an
SSM group address. SSM defines channels on a per-source basis. In SSM, each channel is associated
with one and only one source.

In a mixed PIM-SM and PIM-SSM configuration you configure the RP and BSR only for the PIM-SM
group address range. PIM-SSM does not use Rendezvous Points or Boot Strap Routers.
Enable IGMPv3 on all PIM-SSM interfaces and enable IGMP querying on the PIM-SSM receiver
interface. PIM-SSM requires IGMPv3 and/or MLDv2 at the edge of the network to process
the source-specific IGMP and MLD joins.
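
The address rules from this module in one place, as an added Python example that is not EXOS or IANA code: it classifies an address into the link-local control block, the administratively scoped range, the IPv4 and IPv6 SSM ranges described above, or other multicast, and applies the IGMP snooping filter rule stated earlier (class-D entries only, none inside 224.0.0.x/24). The range boundaries are those given in the text; the policy entry list is constructed and is not EXOS policy-file syntax.

```python
"""Added example (not EXOS or IANA code): classify multicast addresses by the
reserved ranges this module describes and check IGMP snooping filter entries
against the rule stated earlier. Range boundaries are those given in the text:
224.0.0.0/24 link-local control, 239.0.0.0/8 administratively scoped,
232.0.0.0/8 IPv4 SSM and ff3x::/32 IPv6 SSM with x in 4, 5, 8, E. The entry
list is constructed and is not EXOS policy-file syntax."""
import ipaddress
from typing import List, Tuple

LINK_LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")   # never forwarded by routers
SSM_V4 = ipaddress.ip_network("232.0.0.0/8")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")          # private multicast domains (RFC 2365)
SSM_V6_SCOPES = {0x4, 0x5, 0x8, 0xE}                        # the x in ff3x::/32


def classify(text: str) -> str:
    """Return the category this module assigns to an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(text)
    if not addr.is_multicast:
        return "not-multicast"
    if addr.version == 4:
        if addr in LINK_LOCAL_CONTROL:
            return "link-local-control"
        if addr in SSM_V4:
            return "ssm"
        if addr in ADMIN_SCOPED:
            return "administratively-scoped"
        return "other-multicast"
    # IPv6 ff3x::/32: first byte ff, flags nibble 3, scope nibble x, bits 16-31 zero.
    value = int(addr)
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    second_hextet = (value >> 96) & 0xFFFF
    if flags == 0x3 and scope in SSM_V6_SCOPES and second_hextet == 0:
        return "ssm"
    return "other-multicast"


def check_snooping_filter_entry(entry: str) -> Tuple[bool, str]:
    """Apply the IGMP snooping filter rule: IP address entries only, inside the
    class-D range, and not inside the multicast control subnet 224.0.0.x/24."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False, "not an IP address entry"
    if net.version != 4 or not net.is_multicast:
        return False, "not inside the IPv4 class-D range 224.0.0.0/4"
    if net.overlaps(LINK_LOCAL_CONTROL):
        return False, "inside the multicast control subnet 224.0.0.0/24"
    return True, "ok"


def check_policy(entries: List[str]) -> List[Tuple[str, bool, str]]:
    """Check every entry of a would-be snooping filter policy."""
    return [(entry, *check_snooping_filter_entry(entry)) for entry in entries]


# Constructed sample entries: two valid, the rest each break one rule.
POLICY_ENTRIES = ["239.10.0.0/16", "232.1.1.1", "224.0.0.5", "10.1.1.0/24", "ff3e::1", "not-an-address"]

if __name__ == "__main__":
    for text in ("224.0.0.5", "232.1.1.1", "239.192.0.1", "ff3e::8000:1", "ff0e::1"):
        print(f"{text:>14} -> {classify(text)}")
    for entry, ok, reason in check_policy(POLICY_ENTRIES):
        print(f"{entry:>16} {'accept' if ok else 'reject'}: {reason}")
```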

Note: The master switch stores any configuration information for the stack in its primary and
secondary flash memory. Since the master switch has the knowledge of the state and the
configuration of all the other switches in the stack, it can respond to all external requests for those
switches. For example, the master switch can respond to a request for SNMP information from all
ports within the stack.

The SummitStack-V feature allows you to use Ethernet ports that run at least 10 Gbps as stacking
ports.

This feature allows you to overcome the length limit on the custom stacking cables used with
dedicated or native stack ports. For example, Summit family switches on different floors in a building
or in different buildings on a campus can be connected to form a stack using standard Ethernet cables.

The SummitStack-V feature also allows you to stack switches that have no native stacking ports but do
have at least two Ethernet ports, which can be configured to support either data communications or
the stacking protocol.

When these dual-purpose ports are configured to support stacking, they are called alternate stack
ports to distinguish them from the native stack ports that use custom cables.

Node Role: A node in the active topology plays a role in the stack. There are three node roles: master
(or primary), backup, and standby.

Master Node Role: A node that is elected as the master (or primary) runs all of the configured control
protocols such as OSPF, RIP, Spanning Tree and EAPS. The master node controls all data ports on itself,
the backup node, and all standby nodes. The master node issues specific programming commands
over the control path to the backup or standby nodes to accomplish this purpose.

Backup Node Role: The node that is operating in the backup node role takes over the master node
role if the master node fails. The master node keeps the backup node databases in synchronization
with its own database in preparation for this event. Upon transfer of role, the backup node becomes
the master node and begins operating with the databases it has previously received. This allows all
other nodes in the stack to continue operating even after the master node fails.

Standby Node Role: A node that is executing the standby node role is prepared to become a backup
node in the event that the backup node becomes the master node. When becoming a backup node,
the new master node synchronizes all of its databases to the new backup node. As a standby node,
most databases are not synchronized, except for those few that directly relate to hardware
programming.

Shortest Path Forwarding: Packets are sent via the shortest path. A packet from unit 4 to unit 3 travels
1 hop. If the stack encounters a single link failure, the shortest path is recalculated by all units.

Example: If the path between unit 4 and unit 1 fails, unit 4 would know that an available path to unit
1 existed through units 3 and 2.

Note: When stacking cables are connected, the stacked units exchange information until they
determine the stack topology; this occurs whether or not stacking is enabled:
• All units broadcast discovery packets
• The CPU on each unit processes the discovery packets
• Each unit then increments the hop count in the discovery packets and forwards them
• The units determine that the topology is a ring when a packet carrying their own MAC address is received

The role of each stack node is determined by:
• The switch model number
• The configured priority value
• The configuration of the master-capability option

Some switch models have more memory and support additional features. If the stack configuration
includes switches that are more capable than others, the stack will try to select the most-capable
backup node.

Extreme Management Center is a single pane of glass for the network. It is one piece of software that
provides network administrators and operators visibility and control over their wired and wireless
network infrastructure. Extreme Management Center is a multi-user platform with definable roles
and privileges tied to the individual username or group. For instance, a helpdesk user may have
read-only permissions and can view current device status, whereas a network administrator would be
able to access a particular device and alter its configuration.

Extreme Management Center provides a collection of software tools and a suite of plugin
applications that can help you configure and manage networks of varying complexity. Each is designed
to facilitate specific network management tasks while sharing data and providing common controls
and a consistent user interface.

Together, they provide comprehensive remote management support for all Extreme intelligent
network management devices as well as any SNMP MIB-I or MIB-II manageable devices.

Extreme Management Center applications are accessed via the following URL:
http://<Extreme Management Center_Server_IP_Address>:8443:/Clients/index.jsp

Note: This is the default URL; the web ports may be changed using the Administration Options.
You can also access these apps by launching the XMC Java-based applications.

The Java-based applications are still required, as not all functionality within Extreme Management
Center is available yet in the web-based management platform.

• Network: Device details for all the devices in your network that you are managing with XMC. You
can sort and filter relevant information for network troubleshooting.
• Alarms and Events: Indicates any Alarms or Events that have occurred.
• Control: Configures and enforces technical controls of network devices, whether wired or wireless,
controls network traffic, and displays end-system information.
• Analytics: Allows for review of Netflow or Applications data and configuration. Displaying real time
traffic flow and analysis to quickly troubleshoot issues.
• Wireless: Wireless monitoring providing details, dashboards and Top N information to monitor the
overall status of the wireless network plus the ability to drill in to details as needed.
• Governance: A solution that analyses the configuration of the entire wired and wireless network
including wireless events such as rogue APs. The compliance solution provides a detailed
remediation map to achieve 100% compliance of network configurations for HIPAA and PCI.
(Requires licensing)
• Reports: Historical and real-time reporting offering high-level network summary information as
well as detailed reports and drill-downs.
• Administration: Extreme Management Center administration tools to monitor and maintain the
XMC application and its components.
• Connect: Used to integrate with third party systems, like MDM, next generation firewalls or
hypervisors.

HIPAA = Health Insurance Portability and Accountability Act


PCI = Payment Card Industry (Data Security Standard)

You can use Compass to search one or more devices or device groups. If you do a search on a
user-created group that contains interfaces, the whole device on which the interface is located will be
searched.

The Search Log tab displays a log of the progress of the search and notifies you of unsupported
devices.

The Results tab displays the results of the Compass search. You can customize table settings and find,
filter, sort, print, and export the information in the Search Log and Results tabs. Access these Table
Tools through a right-click on a column heading or anywhere in the table body.

Here a search was done for a specific IP address belonging to a device that is part of the group named
virtual network.

Compass works by polling various MIBs on each device in the group that is selected for the search and
then displays the results.

The Active column indicates that the user has been seen recently on the indicated last-seen port; this is
typically derived from one of the dot1* MIBs.

The Network tab provides you with device details for all the devices in your network that you are
managing with the Extreme Management Center. You can sort and filter relevant information for
network troubleshooting.

You can also view a historical summary breakout of critical device functions, such as end-system events
received, authentication requests, captive portal statistics, agents connected, etc.

The Extreme Management Center dashboard streamlines network monitoring with consolidated
status of all the devices and drill down ability for more details. State-of-the-art reporting provides
historical and real-time data for high level network summary information and/or details. The reports
and other views are interactive allowing users to choose the specific variables they need when
analyzing data.

HIPAA = Health Insurance Portability and Accountability Act
PCI = Payment Card Industry (Data Security Standard)

Not all information from a device is obtained and modified via SNMP MIBs. Devices such as
Extreme's Wireless Controller rely on other channels such as the Secure Controller Connection
(Langley) and the CLI. Extreme Summit switches use scripting (Telnet or SSH) to perform
configuration tasks.

If you select SNMPv1 or SNMPv2, the window lets you enter a community name as the password for
this credential. If you select SNMPv3 (example above), you can specify passwords for Authentication
and Privacy.

Authentication Types = None, MD5, SHA

Privacy Types = None, AES, DES

SHA and AES are the strongest combination.

The CLI credentials are also used when executing scripts from Extreme Management Center to the
managed devices. They are required for ExtremeXOS switches when upgrading firmware and performing
other configuration tasks.

Profiles are assigned to device models in the Extreme Management Center database. They identify
the credentials that are used for the various access levels when communicating with the
device. When configuring profiles for devices, the profile may also contain CLI credentials. Extreme
Management Center uses these credentials for scripting and management of specific devices.
For example, a firmware backup may use scripting to perform the task on ExtremeXOS devices, and
Wireless Manager uses the CLI to retrieve configuration and configure the devices.

Devices can now be auto-discovered by adding a subnet, a range of IPs, or a seed address and link
discovery protocols. Once you enter the subnet, IP range or seed address and choose a profile, you can
save it and schedule it to run, or discover now.

Creating a rule that scans your network range for devices with “public/public” can help with finding
insecure devices.

If you model with Ping only, you can see if the device is up or down, but that is all.
Seed Address means that the system will also try to discover neighbors of discovered IP addresses.

Automation reduces time to value when adding or discovering new devices on the network.

When adding a single new device it may not make sense to use the Discovery tool. Instead, either
Add Device from the device Tree View by right-clicking and then selecting Device > Add Device,
or left-click the 3 lines (shown above) and then select Device > Add Device.

When a device is created, discovered, or imported, it automatically becomes a member of the
appropriate system-created group. System-created device groups are permanent and cannot be
moved or deleted.

All Devices - contains all the devices in the Extreme Management Center database.
Grouped By - contains multiple subgroups:
• Chassis - contains subgroups for specific chassis in your network
• Contact - contains subgroups based on the system contact
• Device Types - contains subgroups for the specific product families and device types in your
network
• IP - contains subgroups based on the IP subnets in your network
• Location - contains subgroups based on the system location
• Sites – the Site the devices belong to
• User Device Groups – Device Groups manually created by the user
• Wireless Controllers

Rarely does there exist a network where the SNMPv3 credentials, system location, and system contact
information is correctly configured for each network device.

When a device or device group is selected from the left panel, the Devices tab shows a table listing
information about your selection.

The columns displayed here are: IP Address, Display Name, Device Type, Status, Firmware, BootROM,
Base MAC, Serial Number, Location, Contact, System Name, Nickname, and Description.
Additionally, the User Data 1, User Data 2 and Notes columns can be edited to provide extra information
about the device.

Most of these variables can be modified to allow organization of your equipment.

Location information is important in a campus deployment as it allows administrators to quickly
display devices within specific buildings, remote offices or distributed wiring closets. Within the
configuration of most if not all network infrastructure devices is the ability to enter system location.

The Devices tab provides you with device details for all the devices in your network that you are
managing with Extreme Management Center. You can sort and filter relevant information for network
troubleshooting.

You can also access FlexViews, view your interface and VLAN information and access DeviceView from
this screen.

Device View reports allows an administrator to gain full understanding about the posture of a device
on the network. Each tab presents a different and expandable collection of troubleshooting
information and is easily accessible from this single view. Tabs include:
• Ports
• User Sessions
• Device & Module info
• Power & Fan Status
• Process Utilization
• VLAN
• MLAG
• VPLS
• Port Utilization
• Alarms
• Events
• Archives

Expanding the ports for a switch allows an administrator to see in an instant the currently active
ports, the associated neighbors, and associated port aliases. When a port is used as an interswitch
link, the switch and port to where they are connected is presented allowing the administrator to trace
the exact physical topology of the network. Gathering this type of information without the assistance
of this device management tool is typically a much more time consuming task.

The left-panel device summary view (shown above with labels) is displayed in each DeviceView
report.



The Interface Summary provides access to FlexView, alarms and alarm history, interface statistics
collection and other editable values for an interface.

Note: FlexView interface statistics will only be displayed if Statistics Collection is enabled.



As with Device Groups, logically grouping ports allows FlexViews to look only at certain ports, for
instance uplink ports or server ports.



You can add Port Groups to My Network or to any user-created group by selecting the port,
right-clicking, and selecting Add to Device Group.

For details, view the ExtremeXOS release notes, CLI and user guides at the ExtremeXOS
documentation web page: https://www.extremenetworks.com/support/documentation/extremexos-software/


As you can see from the slide, from version 21.1 onwards ExtremeXOS can only be installed on the Summit G2 or
ExtremeSwitching platforms and on newer switches such as the X620. EXOS 30.X uses the Linux 4.14 kernel,
which introduces changes to certain functional areas of EXOS; this is why a new numbering
scheme is used.

The switches that currently support ExtremeXOS 21 and above are as follows:

Summit X440-G2
Summit X450-G2
Summit X460-G2
Summit X670-G2
ExtremeSwitching X590
ExtremeSwitching X620
ExtremeSwitching X690
ExtremeSwitching X770
ExtremeSwitching X870

For the latest information, view the online EXOS Compatibility Matrix at the following link:

https://www.extremenetworks.com/support/compatibility-matrices/summit-extremeswitching-and-e4g-components-extremexos-software-support/
