
Extreme Networks

Switching Student Guide


Version 1.8

Terms & Condition of Use:

Extreme Networks, Inc. reserves all rights to its materials and the content of the
materials. No material provided by Extreme Networks, Inc. to a Partner (or
Customer, etc.) may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording, or by any
information storage or retrieval system, or incorporated into any other published
work, except for internal use by the Partner and except as may be expressly
permitted in writing by Extreme Networks, Inc.

This document and the information contained herein are intended solely for
informational use. Extreme Networks, Inc. makes no representations or
warranties of any kind, whether expressed or implied, with respect to this
information and assumes no responsibility for its accuracy or completeness.

Extreme Networks, Inc. hereby disclaims all liability and warranty for any
information contained herein and all the material and information herein exists to
be used only on an "as is" basis. More specific information may be available on
request. By your review and/or use of the information contained herein, you
expressly release Extreme Networks from any and all liability related in any way
to this information. A copy of the text of this section is an uncontrolled copy,
and may lack important information or contain factual errors. All information
herein is Copyright © Extreme Networks, Inc. All rights reserved. All information
contained in this document is subject to change without notice.


For additional information refer to:

http://www.extremenetworks.com/company/legal

© 2015 Extreme Networks, Inc. All rights reserved 2



All Extreme switch products may be managed via their console or COM port for
out-of-band access to a Command-Line Interface (CLI). This is commonly referred to as
Local Management (LM). The network administrator must be “local” to the device in
order to manage it. A device IP address is not required to manage the device
through LM. The console port on a device may be either an RJ45 or a DB9
connector, which may be connected to a VT type terminal, a PC with a terminal
emulation application (such as PuTTY or TeraTerm Pro), or to a modem.

In addition to Local Management there are various configuration and management
options for all Extreme switches, which vary by switch product family.

Management options include:


• CLI via Console Port connection
• CLI via Telnet and SSH
• NetSight via SNMP
• WebView and SSL
• ScreenPlay WebUI


Extreme Networks recommends that Telnet is not used for CLI access. This is
because all communication between the client and switch is sent in clear text, and
any user who is capturing traffic, maliciously or not, will be able to view the switch
user name and password used for that session. SSH2 should be used at all times,
as all communication is encrypted and therefore user names and passwords are not
“exposed” to any user capturing traffic.

To enable/disable SSH:

enable ssh2

disable ssh2


Users with super-user access can create user accounts and passwords. Read-write
and read-only accounts can change their own account passwords. User accounts
are created, disabled, and enabled with the set system login command. Passwords
are created and changed with the set password command. User accounts are
deleted with the clear system login command.

Platforms support up to 16 user accounts. When creating a new or editing an
existing login account, use the following syntax:

set system login username {super-user | read-write | read-only} {enable | disable}
[allowed-interval HH:MM HH:MM]
[allowed-days {[Sun] [Mon] [Tue] [Wed] [Thu] [Fri] [Sat]}]
[local-only {yes|no}]
[aging days]
[simultaneous-logins logins]


Note: Switch login events will not be processed until the switch's Authentication
Service (AAA) has completed its startup process. This is indicated by the following
messages on the switch's console:

(pending-AAA) login:
Authentication Service (AAA) on the master node is now available for login

Password policies are disabled by default.

Note: To configure the failsafe account, enter the following command:

configure failsafe-account

You are prompted for the failsafe account name, and prompted twice to specify the
password for the account. For example:

SummitX460-24t.1 # configure failsafe-account
enter failsafe user name: failsafe-user
enter failsafe password:
enter password again:


Note: Session timeouts. With idle-timeout enabled (a default setting) the Telnet and
console connection times out after twenty minutes of inactivity. This time-out value
can be changed from 1 to 240 minutes or disabled using the commands shown
above. If a connection to a Telnet session is lost inadvertently, the switch terminates
the session within two hours automatically.


By default the show configuration command only shows those configuration
changes that are different from the “Factory Default” configuration. Adding the
“detail” command argument will show all the current configuration including the
“Factory Default” configuration.

The configuration displayed is the configuration that is currently running in the
switch’s RAM and not the booted configuration file stored on the flash file system.
The running RAM configuration needs to be saved if any configuration changes are
made. Changes to the running RAM configuration are indicated by the “*” symbol
next to the CLI command prompt.


Rebooting the Switch: There are some processes, such as installing new software, that can
incorporate a reboot of the switch as one of the actions. You may, however, reboot the switch
through the user interface at any time by issuing the following command:

When the switch is new or the unconfigure switch all command has been used, you must connect to
the console to access the switch. You are prompted with an interactive script that specifically asks if
you want to disable telnet, disable SNMP, disable the unconfigured ports and configure the failsafe
account.

The system displays the following prompts:


This switch currently has all management methods enabled for convenience reasons.
Please answer these questions about the security settings you would like to use.
Would you like to disable Telnet? [y/N]:
Would you like to disable SNMP? [y/N]:
Would you like unconfigured ports to be turned off by default? [y/N]:
Would you like to change the failsafe account username and password now? [y/N]:
Would you like to permit failsafe account access via the management port?[y/N]:

Note: Entering the unconfigure switch all command resets stacking support and stacking port
selection on the local node only and does not affect the rest of the stack nodes.


Note: For the K/S Series switches, the (set ip address 172.10.1.101 mask
255.255.255.0 interface vlan.0.x) command sets a non-routed management IP
address, per VLAN interface.

The (set ip interface vlan.0.x default) command sets the default management IP
interface for the K & S Series.

The (set host vlan x) command assigns the virtual host management port to a VLAN.


If no mask is supplied when configuring a VLAN with an IP address, the mask for
the “Class” of the address will be added by the switch. For example, configuring a
VLAN with the IP address 10.1.10.100 without the mask will result in the IP address
10.1.10.100/8. In order to ensure the correct IP address configuration, enter the
command with the correct mask. You can enter the mask in “bits” or as dotted
decimal notation as follows:

configure vlan default ipaddress 10.1.10.100/24

configure vlan default ipaddress 10.1.10.100 255.255.255.0

If you incorrectly configure the IP address or mask for a VLAN, you must first
unconfigure the IP address and then enter the correct IP address as follows:

unconfigure vlan default ipaddress

configure vlan default ipaddress 10.1.10.100/24
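
The classful fallback described above can be checked before a command is pasted into a switch. The following is an added example, not part of the original guide: it parses the three configure vlan ... ipaddress forms shown here and reports the prefix that would result. The VLAN name "users" and the sample command list are constructed.

```python
import ipaddress
import re

# The three command forms shown in the guide: no mask, /bits, dotted mask.
CMD = re.compile(
    r"^configure\s+vlan\s+(?P<vlan>\S+)\s+ipaddress\s+(?P<ip>\d+(?:\.\d+){3})"
    r"(?:/(?P<bits>\d+)|\s+(?P<mask>\d+(?:\.\d+){3}))?\s*$"
)


def classful_prefix(ip):
    """Prefix length implied by the address class (A=/8, B=/16, C=/24)."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{ip} is class D/E and has no classful mask")


def resolve(command):
    """Return (vlan, IPv4Interface, mask_was_inferred) for one command line."""
    m = CMD.match(command.strip())
    if not m:
        raise ValueError(f"not a 'configure vlan ... ipaddress' command: {command!r}")
    ip = m.group("ip")
    if m.group("bits"):
        prefix, inferred = int(m.group("bits")), False
    elif m.group("mask"):
        # ipaddress turns a dotted mask into a prefix length and rejects
        # non-contiguous masks.
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{m.group('mask')}").prefixlen
        inferred = False
    else:
        # No mask on the command line: the class of the address decides.
        prefix, inferred = classful_prefix(ip), True
    return m.group("vlan"), ipaddress.IPv4Interface(f"{ip}/{prefix}"), inferred


def audit(commands):
    """List a warning for every command whose mask would be inferred."""
    warnings = []
    for command in commands:
        vlan, iface, inferred = resolve(command)
        if inferred:
            warnings.append(
                f"vlan {vlan}: no mask given, address becomes {iface} "
                f"(network {iface.network})"
            )
    return warnings


# Constructed sample input.
SAMPLE_COMMANDS = [
    "configure vlan default ipaddress 10.1.10.100",
    "configure vlan default ipaddress 10.1.10.100/24",
    "configure vlan users ipaddress 10.1.20.1 255.255.255.0",
]

if __name__ == "__main__":
    for line in audit(SAMPLE_COMMANDS):
        print(line)
```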


A virtual router is an emulation of a physical router. This feature allows a single
physical switch to be split into multiple virtual routers and separates the traffic
forwarded by a virtual router from the traffic on a different virtual router. Each virtual
router maintains a separate logical forwarding table, which allows the virtual routers
to have overlapping address spaces. In ExtremeXOS the VR-mgmt and VR-default
routers exist by default.

Up to 63 user-created VRs can be created on the following XOS based switches:
BD8K with 8900 xl-series MSMs, BDX8K, and Summit X460, X480, X650 switches.


For example, the following command will be issued through the VR-Mgmt VR and
thus will be forwarded through the out of band management port:

tftp put 10.1.10.100 primary.cfg

To change this behavior, you have to explicitly add the target VR to the command as
follows:

tftp put 10.0.0.100 vr vr-default primary.cfg

This has the effect of issuing the command through the VR-Default VR and thus will
be forwarded through the VLAN matching the target IP address and mask.


Note: All UTP ports support the automatic detection of MDI/MDI-X connections. This
eliminates the need for crossover cables between switches. This feature is not
configurable.

In addition to fe, ge, tg, and fg, other port types include:

• com for COM (console) port
• vlan for vlan interfaces
• lag for IEEE802.3 link aggregation ports, or
• lbpk for loopback interfaces
• vsb for hardware VSB ports

With the S and K series, routed VLANs will be seen as vlan.0.x.


Note: All Unshielded Twisted Pair (UTP) ports support the automatic detection of
MDI/MDI-X connections. This eliminates the need for crossover cables between
switches. This feature is not configurable.



The port configuration monitor is a real-time display of each port’s configuration
state. To navigate through the ports use the following keys:

“d” (down) displays the next page of port information.
“u” (up) displays the previous page of port information.
“esc” (escape) exits the port configuration monitor.

Using the CLI qualifier no-refresh displays the port configuration for each port as a
list which is not updated in real-time. For example:

show ports 10-20 configuration no-refresh


The display shows everything about a port’s configuration:

VLAN Membership
VLAN Protocols
EDP
ELSM
Ethernet OAM
Flooding
Jumbo Frames
Rate Limiting
QoS
Network Login
Port redundancy


WebView is enabled by default on all products and usually works only when it is run
with Super User/Admin rights to the managed device. Secure Socket Layer (SSL)
works by using a private key to encrypt data for the transmission of private
documents over the Internet.



Note: Configuration allows directing messages to various local devices (NetSight
Console), files or remote syslog daemons. Care must be taken when updating the
configuration as omitting or misdirecting message facility.level can cause important
messages to be ignored by syslog or overlooked by the administrator.



As a useful troubleshooting and testing feature, log entries can be displayed in
real-time within a CLI session. This is achieved by using the following commands:

set logging here

The clear logging here command disables this behavior.



As a useful troubleshooting and testing feature, log entries can be displayed in
real-time within a CLI session. This is achieved by using the following commands:

For console sessions:

enable log display

For Telnet and SSH2 sessions:


enable log target session
enable log display


The security deficiency of both SNMPv1 and SNMPv2 was finally fixed with the
release of the SNMPv3 standard. Designed to enable better support of the complex
networks being deployed in recent years and additional requirements of applications
used in networked environments, SNMPv3 defined standards for both enhanced
security and administration.

The most noteworthy enhancement in SNMPv3 is the strong security protection it
provides for remote management, protecting SNMP itself from being used to
automate exploiting cascading vulnerabilities. As defined in RFCs 2571-2575,
SNMPv3 added robust user-level authentication, message integrity checking,
message encryption, and role-based authorization.

Note: All switches support SNMP v1, v2, & v3.


An SNMP security model is an authentication strategy that is set up for a user and
the group in which the user resides. A security level is the permitted level of security
within a security model. The three levels of SNMP security are: No authentication
required (NoAuthNoPriv); authentication required (AuthNoPriv); and privacy
(authPriv). A combination of a security model and a security level determines which
security mechanism is employed when handling an SNMP frame.

Configuring authentication and privacy for SNMPv3 is optional, but highly
recommended.


SNMPv3 support is enabled by default and is configured with the following access
parameters:

Group admin: USM with authentication and privacy
- user admin (HMAC-MD5 with DES)

Group initial: USM with no authentication and no privacy
- user initial

Group initial: USM with authentication and no privacy
- user initialmd5 (HMAC-MD5)
- user initialsha (HMAC-SHA)

Group initial: USM with authentication and privacy
- user initialmd5Priv (HMAC-MD5 with DES)
- user initialshaPriv (HMAC-SHA with DES)

Group v1v2c_ro: SNMPv1/v2c with no authentication and no privacy
Group v1v2c_rw: SNMPv1/v2c with no authentication and no privacy
Group v1v2cNotifyGroup: SNMPv1/v2c with no authentication and no privacy

To use one of the existing accounts, you must first configure the authentication and privacy
password keys.
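
What configuring those password keys produces on the agent: under the User-based Security Model (RFC 2574, one of the RFCs cited earlier), a password is stretched and then bound to one SNMP engine's ID. The following is an added example, not part of the original guide; it uses the RFC's published test password and engine ID, and the function names are this example's own.

```python
import hashlib

# HMAC-MD5 and HMAC-SHA users derive their keys with MD5 and SHA-1 respectively.
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# The password is repeated until exactly this many bytes have been hashed.
EXPANDED_LEN = 1048576


def password_to_ku(password, algo):
    """Stretch a password into the user key Ku (not yet tied to any device)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rest = divmod(EXPANDED_LEN, len(password))
    return HASHES[algo](password * reps + password[:rest]).digest()


def localize(ku, engine_id, algo):
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return HASHES[algo](ku + engine_id + ku).digest()


def localized_key(password, engine_id, algo):
    """Password -> localized key, as stored by the agent for one user."""
    return localize(password_to_ku(password, algo), engine_id, algo)


def des_privacy_material(key):
    """Split a localized privacy key for DES: 8-octet DES key, 8-octet pre-IV."""
    return key[:8], key[8:16]


# Test values published in the RFC appendix (not device credentials).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        key = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo)
        print(algo, key.hex())
    # The same password on a second engine gives an unrelated key, so a key
    # recovered from one switch cannot be replayed against another.
    other_engine = bytes(11) + b"\x03"
    print(localized_key(RFC_PASSWORD, other_engine, "sha1").hex())
```

Because the stretch is a single hash pass over 1 MB of repeated password, the strength of the resulting key rests on the password itself.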


Once SNMP is configured, switches can be managed in NetSight. NetSight
provides a collection of clients that let you monitor device status, define network
configuration, and automate troubleshooting tasks. It is designed to facilitate
specific network management tasks while sharing data and providing common
controls and a consistent user interface.



Although Extreme switches support the creation of up to 16 user accounts,
synchronizing multiple user accounts across a network with many switches can
become time consuming. Ultimately, network support staff typically use the “admin”
account for switch administration and configuration via the CLI. Not only is this a
potential security issue, but there is also potentially no configuration audit trail
identifying who configured what on the switch.

Extreme Networks recommends the use of a centralized authentication server such
as RADIUS or TACACS+ which can be integrated with Windows Active Directory or
similar for user authentication. This provides the necessary level of security and
audit trail while removing completely any administration of switch accounts.

Note: On XOS based switches a configuration audit trail can be enabled on a switch
by entering the enable cli-config-logging command. Configuration changes made to
the switch are logged to a Syslog server if Syslog has been configured.
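
Because show configuration lists only settings that differ from the factory default, a review of a saved ExtremeXOS configuration has to treat a missing line as the default state. The following is an added example, not part of the original guide, that applies that rule to the Telnet, SSH2 and audit-trail recommendations made in this guide. The sample configurations are constructed, disable telnet is an ExtremeXOS command not printed in this guide, and the defaults assumed for ssh2 and cli-config-logging (both off) should be checked against the software release in use.

```python
import re

# Factory-default state of each feature. Telnet on follows the guide's
# first-boot prompt ("all management methods enabled"); ssh2 off and
# cli-config-logging off are assumptions of this example.
DEFAULTS = {"telnet": True, "ssh2": False, "cli-config-logging": False}

# Lines that toggle each feature in the non-default configuration listing.
TOGGLES = {
    "telnet": re.compile(r"^(enable|disable)\s+telnet\b"),
    "ssh2": re.compile(r"^(enable|disable)\s+ssh2\b"),
    "cli-config-logging": re.compile(r"^(enable|disable)\s+cli-config-logging\b"),
}


def effective_state(config_text):
    """Start from the defaults and apply every toggle line; the last one wins."""
    state = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        for feature, pattern in TOGGLES.items():
            match = pattern.match(line)
            if match:
                state[feature] = match.group(1) == "enable"
    return state


def audit(config_text):
    """Return findings for settings that contradict the guide's advice."""
    state = effective_state(config_text)
    findings = []
    if state["telnet"]:
        findings.append("telnet enabled: user name and password cross the network in clear text")
    if not state["ssh2"]:
        findings.append("ssh2 not enabled: no encrypted CLI access")
    if not state["cli-config-logging"]:
        findings.append("cli-config-logging not enabled: no configuration audit trail")
    return findings


# Constructed samples. The first has no management-plane lines at all, which
# is exactly the case where the defaults decide the result.
FRESH_SWITCH = """\
# constructed sample
configure vlan default ipaddress 10.1.10.100/24
"""

HARDENED = """\
# constructed sample
disable telnet
enable ssh2
enable cli-config-logging
configure vlan default ipaddress 10.1.10.100/24
"""

if __name__ == "__main__":
    for name, text in (("fresh", FRESH_SWITCH), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```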


EOS based switches support the configuration of multiple authentication servers.
The lowest index value associated with the server determines the primary server. If
the primary server is down, the operational server with the next lowest index value
is used. If the switch fails to establish contact with the authentication server before a
configured timeout, the switch will retry for the configured
number of times. Servers can be restricted to management access or network
access authentication by configuring the realm option.


Configuring the Authentication Server

There are four aspects to configuring the authentication server:

State enables or disables the RADIUS client for this switch.

Server identification provides for the configuration of the server IP address and
index value. The index determines the order in which the switch will attempt to
establish a session with an authentication server. After setting the index and IP
address you are prompted to enter a secret value for this authentication server. Any
authentication requests to this authentication server must present the correct secret
value to gain authentication.

The realm provides for configuration scope for this server: management access,
network access, or both.

Establishment values configure a timer setting the length of time before retries, as
well as the number of retries, before the switch determines the authentication server
is down and attempts to establish with the next server in its list.


There are two types of RADIUS clients supported in ExtremeXOS, with each client
operating independently:

RADIUS client for switch management access
RADIUS client for Network Login authentication

Each RADIUS client supports the configuration of a primary and secondary RADIUS
server for redundancy. If the primary server becomes unavailable for some reason,
then the switch will try to authenticate a user to the secondary server if configured. If
both primary and secondary servers are unavailable, the switch will authenticate the
user to the switch’s local user database.

The “client-ip” argument specifies the IP address to be used for sending RADIUS
messages to the RADIUS server. This address should match the IP address of the
authenticating client configured on the server.


The firmware image is the operating system for an Extreme switch. The firmware
image is stored in flash memory and runs in Local RAM.

Some relevant definitions follow below:

NVRAM (Non-Volatile Random Access Memory): RAM that retains its contents (for
example, IP addresses) when a unit is powered off.

LRAM (Local RAM): Memory area used by the central processor for operational
tables and current processes (for example, VLAN tables).

Flash Memory: Non-volatile storage that can be electrically erased and
reprogrammed. Allows firmware images to be stored, booted, and rewritten as
necessary.

Boot PROM: Holds the boot programs and board revisions.


Following are the steps in the normal boot-up process for Extreme switching
products:

The Boot PROM comes online first and runs diagnostics on all memory areas and
the Ethernet interfaces.

The Boot PROM then checks the NVRAM settings. These settings tell the Boot
PROM where to find the firmware image to load. During a normal boot-up, the
firmware image will be loaded from flash memory.

The Boot PROM will start the Flash Memory Manager to un-compress the firmware
image in flash memory, and to copy the uncompressed firmware image into LRAM.

Once the uncompressed firmware image is in LRAM, the main processor will begin
normal operations. SNMP is now available.

Most devices will take from 30 seconds to a minute to boot up. If the power-up
sequence is interrupted or if optional hardware has been installed or removed, a
device may run an extended diagnostics sequence that may take up to two or more
minutes to complete.


Two image locations supported:
• Primary
• Secondary

Fallback feature for verifying upgrades

Compressed executable code, images are compressed to preserve space on
the flash

Loaded at boot time, the image is uncompressed and loaded at boot time:
• Uncompress selected image
• Load uncompressed image into RAM and start running


Note: When reporting a faulty switch to Extreme Networks it is mandatory that you
identify the serial number and software version among other things. The show
version command is useful as the serial number may not be recorded or even be
accessible.

In order to check the installed images and modules, issue the following command:

show version images



Note: The active image location can be verified with the show switch command.

The image is upgraded by using a download procedure from either a TFTP server
on the network or a PC connected to the serial port using the ZMODEM protocol.
The serial download is very slow and can only be done from the BootROM menu.
The BootROM is discussed later in this chapter.

Note: If no parameters are specified for the location, the image is saved to the
nonactive location. The nonactive location will be automatically selected to use at next
boot. The use image command is therefore not required when upgrading the switch
software but is included here for completeness and compatibility with earlier versions
of ExtremeXOS and ExtremeWare.


The BootROM of the switch initializes certain important switch variables during the
boot process. For disaster recovery purposes (i.e. in the event the switch does not
boot properly), you can download a rescue image from a TFTP server by entering
the download command from the BootROM menu.

During a software upgrade the system BootROM checks the software for a unique
signature. The BootROM denies an incompatible software upgrade.

Interaction with the BootROM menu is only required under special circumstances
and should be done only under the direction of Extreme Networks Customer
Support. The necessity of using these functions implies a non-standard problem,
which requires the assistance of Extreme Networks Technical Support.

Accessing the BootROM


To access the BootROM, power cycle or reboot the ExtremeXOS switch and then
from the CLI wait for the message "Running POST" to display, then press and hold
the spacebar until the BootROM prompt displays.

Note: For switches that support a one-stage bootloader, such as chassis based
switches and ExtremeWare based summits, the spacebar must be pressed
immediately after the switch is rebooted or power cycled.


Note: The image or a configuration selected within the BootROM does not change
the configured selected image or configuration. This process temporarily overrides
the configuration for a single boot.



Note: The switch may not boot if the BootROM is corrupted, because the
download process was interrupted or because the wrong BootROM was downloaded.
If the BootROM is corrupted, the switch should be returned to Extreme Networks!

For BD8K series switches, the BootROM is contained in the ExtremeXOS software
image and by default is upgraded manually by entering the install firmware
command. This behavior can be changed to upgrade automatically by entering the
following command, specifying the auto-install option:

configure firmware [auto-install | install-on-demand]

Upgrade the BootROM only when asked to do so by an Extreme Networks technical
representative. If this command does not complete successfully it could prevent the
switch from booting. In the event the switch does not boot properly, some boot
option functions can be accessed through a special BootROM menu.

Use the show version command to display the switch BootROM version.

Note: When upgrading the BootROM separately, upgrade the BootROM and reboot
the switch before upgrading a software image.


Once you have configured a device, you can save that configuration to a file as
backup or use it to configure a new, similar switch. Uploading and downloading
configurations is useful for replicating configurations of switches of the same model,
and for troubleshooting purposes. This section of the module describes how each
product family handles configuration uploads and downloads.



The Extreme Networks recommended way to back up switch configurations is to
use Inventory Manager’s Archive utility. Note that each switch has a limited amount
of storage for configurations (the number of configurations a switch can store
depends on the size of the configuration).



Append means to add on at the end. When this option is used the switch is not
required to reboot.

Note: Configuration information stored within the file is XML based, and therefore
might not be easily interpreted.



To select a configuration to use at the switch’s next reboot, you run the use
configuration command. This command is essentially just a pointer to a specific
configuration stored on the switch’s file system.

Note:
When entering the show switch command, up to four configuration related pieces of
information are displayed:

1. The booted configuration file, i.e. the configuration file which was loaded into
RAM at boot time.

2. The selected configuration file. This is the configured configuration file which will
be loaded into RAM at next boot.

3. Details of the selected configuration file, which include:

The software version that created the configuration file.
The size of the configuration file.
The date and time the configuration file was created.


Although the XML format of the configuration file is useful for XOS software
programmers, it is of limited use for support and operational staff. Text based
configuration files are particularly useful for:

• Quickly understanding and validating a switch’s configuration.
• Using “cut & paste” techniques to provision other switches in a standard way
thus avoiding errors.
• Converting configurations into script files.


Note: You cannot rename an active configuration file (the configuration currently
selected to boot the switch).



Examples of port mirroring combinations on an EOS based S-Series Switch include:

15 port mirrors
15 VLAN mirrors
8 port and 7 VLAN mirrors
12 port and 3 VLAN mirrors
14 port and 1 IDS mirror (where the device mirrors to 10 ports)
14 VLAN and 1 IDS mirror (where the device mirrors to 10 ports)


Supported in a bonded chassis


Example:

SummitX460-24t.1 # enable mirroring to port 24
WARNING: This command will remove VLAN membership from the monitor port.
Do you want to continue? (y/N) Yes
SummitX460-24t.18 # configure mirroring add port 13
SummitX460-24t.22 # show mirroring
Mirroring Mode: Standard
Mirror port: 24 is up
Number of Mirroring filters:1
Mirror Port configuration:
Port number 13 in all vlans


The show lldp port <port> neighbors detailed command shows information about a remote device and port’s configuration. The information includes:

Chassis
MAC address
Port
Remote system name
Capabilities
Mgmt Address
VLANs
Auto negotiation
Flow control
Speed & duplex
etc.


Note: The advantage of closed loop stacking is redundancy; this configuration eliminates any single point of failure.

Note: You cannot stack different series (A, B, & C) switches together. A4-Series switches are stacked only with A4-Series switches; they CANNOT be mixed with B or C-Series switches.

Note: You can stack an A4H model switch only with other A4H model switches. You cannot stack an A4H model switch with switches that are not A4H model switches. That is, A4 switches DO NOT stack with A2 switches.


The slide above shows an example of a four-high stack connected in a closed loop configuration. All STACK DOWN and STACK UP connectors are used in the installation. The stacking cable connections are from the STACK DOWN connector of one switch to the STACK UP connector of the next switch up in the stack. A stacking cable connection from the STACK DOWN connector of the switch at the top of the stack to the STACK UP connector at the bottom of the stack closes the loop.

Note: The switches can be stacked using Plug-and-Play, or through Pre-Configuration:

Plug-and-Play Stacking: Connect all stack cables and then power on the stack. The unit IDs are assigned at random and are not based on physical position in the stack. The switch assigned unit ID 1 becomes the stack manager.

Pre-Configuration Stacking: This is possible using the set switch member (unit_number) (unit_type) command. Unit IDs can be assigned to switches prior to stacking via this command. The switch assigned unit ID 1 becomes the stack manager.


Note: The high-speed stacking cables are optional items that you must order separately. The B5/C5 switches support the following stacking cables:

STK-CAB-SHORT, a 30cm cable
STK-CAB-LONG, a 1m cable
STK-CAB-2M, a 2m cable
STK-CAB-5M, a 5m cable


The above slide shows an example of a four-high stack connected in a ring topology. All STACK DOWN and STACK UP connectors are used in the installation. The high-speed stacking cable connections are from the STACK DOWN connector of one switch to the STACK UP connector of the next switch up in the stack. A high-speed stacking cable connection from the STACK DOWN connector of the switch at the top of the stack to the STACK UP connector at the bottom of the stack completes the ring connection.


Note: The switches can be stacked using Plug-and-Play, or through Pre-configuration:

Plug-and-Play Stacking: Connect all stack cables and then power on the stack. The unit IDs are assigned at random and are not based on physical position in the stack.

Pre-Configuration Stacking: This is possible using the set switch member unit switch-id command. Unit IDs can be assigned to switches prior to stacking via this command.

Note: After the stack has been configured, you can use the show switch unit command to physically identify each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.


Once a stack is created (more than one switch is interconnected), the following procedure occurs:

By default, unit IDs are arbitrarily assigned on a first-come, first-served basis.

Unit IDs are saved against each module. Then, every time a board is power-cycled, it will initialize with the same unit ID. This is important for port-specific information (for example: ge.4.12 is the 12th Gigabit Ethernet port on Unit # 4). We want to ensure ge.4.12 is always located in the same stack location.

The management election process uses the following precedence to assign a management switch:

Previously assigned / elected management unit
Management assigned priority (values 1-15)
Hardware preference level
Highest MAC Address

Note: Once the management designation is written to the manager unit, every time the manager is power-cycled, it will initialize with that role.


Configuration Management:

When A, B, & C-Series switches are stacked, the only file structure and configuration information that is viewable or configurable is that of the manager unit, which pushes its configuration to the member units every 5 minutes if there has been a change. To avoid possible configuration loss in the event of manager unit failure after a configuration change, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent.


Stack Disruption Times:

Upon manager unit failure, removal, or reassignment with the set switch movemanagement command, the operation of the stack, including the Ethernet link state of all ports, will be interrupted for about 30 to 40 seconds. Upon member unit failure or removal, the operation of the stack will be interrupted for about 2 to 3 seconds.


Note: When using the clear config command to clear configuration parameters in a stack, it is important to remember the following:

Use clear config to clear configuration parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters or the IP address and avoids the process of renumbering the stack.

Use clear config all when it is necessary to clear all configuration parameters, including stack unit IDs and switch priority values. This command will not clear the IP address nor will it remove an applied advanced feature license.

Use clear ip address to remove the IP address of the stack.

Use clear license to remove an applied license from a switch.


Note: The master switch stores any configuration information for the stack in its primary and secondary flash memory. Since the master switch has the knowledge of the state and the configuration of all the other switches in the stack, it can respond to all external requests for those switches. For example, the master switch can respond to a request for SNMP information from all ports within the stack.


The SummitStack-V feature allows you to use Ethernet ports that run at least 10 Gbps as stacking ports. This feature allows you to overcome the length limit on the custom stacking cables used with dedicated or native stack ports. For example, Summit family switches on different floors in a building or in different buildings on a campus can be connected to form a stack using standard Ethernet cables. The SummitStack-V feature also allows you to stack switches that have no native stacking ports but do have at least two Ethernet ports, which can be configured to support either data communications or the stacking protocol. When these dual-purpose ports are configured to support stacking, they are called alternate stack ports to distinguish them from the native stack ports that use custom cables.


Node Role: A node in the active topology plays a role in the stack. There are three node roles: master (or primary), backup, and standby.

Master Node Role: A node that is elected as the master (or primary) runs all of the configured control protocols such as OSPF, RIP, Spanning Tree, and EAPS. The master node controls all data ports on itself, the backup node, and all standby nodes. The master node issues specific programming commands over the control path to the backup or standby nodes to accomplish this purpose.

Backup Node Role: The node that is operating in the backup node role takes over the master node role if the master node fails. The master node keeps the backup node databases in synchronization with its own database in preparation for this event. Upon transfer of role, the backup node becomes the master node and begins operating with the databases it has previously received. This allows all other nodes in the stack to continue operating even after the master node fails.

Standby Node Role: A node that is executing the standby node role is prepared to become a backup node in the event that the backup node becomes the master node. When becoming a backup node, the new master node synchronizes all of its databases to the new backup node. As a standby node, most databases are not synchronized, except for those few that directly relate to hardware programming.


Shortest Path Forwarding: Packets are sent via the shortest path. A packet from unit 4 to unit 3 travels 1 hop. If the stack encounters a single link failure, the shortest path is recalculated by all units.

Example: If the path between unit 4 and unit 1 fails, unit 4 would know that an available path to unit 1 existed through units 3 and 2.

Note: When stacking cables are connected, the stacked units exchange information until they determine the stack topology; this occurs whether or not stacking is enabled. The units then broadcast a discovery packet, the CPU on each unit processes the packets, and each unit then increments the hop count and forwards the packet. The units determine a ring topology when a packet with their own MAC address is received.
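
The path recalculation and ring detection described above can be reproduced with a small model. This is an added illustration, not Extreme's stacking code: the function names are hypothetical, and it assumes numbered units joined by bidirectional stacking links with at most two stack ports per unit.

```python
from collections import deque


def ring_links(n):
    """Links of an n-unit closed loop: unit i to i+1, and unit n back to unit 1."""
    if n < 2:
        raise ValueError("a stack needs at least two units")
    return {frozenset((i, i % n + 1)) for i in range(1, n + 1)}


def _adjacency(links):
    adj = {}
    for link in links:
        a, b = sorted(link)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(links, src, dst):
    """Breadth-first search over the stacking links; returns the unit list or None."""
    adj = _adjacency(links)
    prev = {src: None}
    queue = deque([src])
    while queue:
        unit = queue.popleft()
        if unit == dst:
            path = []
            while unit is not None:
                path.append(unit)
                unit = prev[unit]
            return path[::-1]
        for nxt in sorted(adj.get(unit, ())):
            if nxt not in prev:
                prev[nxt] = unit
                queue.append(nxt)
    return None


def discovery_walk(links, origin):
    """Model of the discovery packet: each unit increments the hop count and
    forwards the packet away from where it arrived. A ring is detected when the
    packet comes back to its originator. Returns (is_ring, hop_count)."""
    adj = _adjacency(links)
    prev, cur, hops = None, origin, 0
    for _ in range(len(adj) + 1):          # bound the walk on malformed input
        onward = [u for u in sorted(adj.get(cur, ())) if u != prev]
        if not onward:
            return (False, hops)            # open end of a broken ring
        prev, cur = cur, onward[0]
        hops += 1
        if cur == origin:
            return (True, hops)
    return (False, hops)


if __name__ == "__main__":
    links = ring_links(4)                   # constructed four-high stack
    print(shortest_path(links, 4, 3), discovery_walk(links, 4))
    links.discard(frozenset((4, 1)))        # the link failure from the example
    print(shortest_path(links, 4, 1), discovery_walk(links, 4))
```

After the link between units 4 and 1 is removed, the stack still forwards but the discovery walk no longer returns to its originator, which is the condition worth alerting on: the next failure will split the stack.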


The role of each stack node is determined by:

The switch model number
The configured priority value
The configuration of the master-capability option

Some switch models have more memory and support additional features. If the stack configuration includes switches that are more capable than others, the stack will try to select the most-capable backup node.


show stacking configuration

The display includes:

Stack MAC Address
Flags
Master capable
Stacking state
Stack MAC
License level restrictions


Clear old stacking configuration:

If you don’t want to unconfigure the switch:

unconfigure stacking
reboot stack-topology

If you wish to use a clean configuration:

unconfigure switch all

Clears the stacking configuration on the current node only


Note: If switches have different license levels, the stack won’t form.

Upgrade license:

enable license <key>

Downgrade higher-level licenses by forcing them to operate at a lower level:

configure stacking license-level


VLAN Support on Extreme EOS Switches:

Maximum Active VLANs

The total number of active VLANs supported on Extreme EOS based stackable (A, B, & C-Series) and standalone (D & G-Series) fixed switches is up to 1024. The total number of active VLANs supported on Extreme EOS Chassis based switches (K & S-Series) is up to 4094.


The internal VLAN ID is not significant outside of the switch. The value used for the internal VLAN ID starts at 4094 and decrements for each VLAN added. If a VLAN ID is used to configure an 802.1Q tagged VLAN that has already been assigned to an untagged VLAN, the switch automatically assigns another internal VLAN ID to the untagged VLAN.


Tagged Forwarding Behavior:

Frames arriving on an ingress port are forwarded into the relevant VLAN based on the 802.1Q tag present within the frame.

802.1p CoS is examined, and the frame is placed into the appropriate queue:

Values 0-6 are mapped by default to the low priority queue, QoS Profile QP1.

Value 7 is mapped by default to the high priority queue, QoS Profile QP8.


There are a number of pre-configured protocol filters that can be applied to any VLAN.

The list is as follows:

IP
IPX
IPv6
NetBIOS
DECNet
IPX_8022
IPX_SNAP
AppleTalk
MPLS
ANY

You can create a custom protocol filter by using the create protocol command. You then add the relevant filter entries by entering the configure protocol command. Existing protocol filters can also be edited using this command.


VLAN forwarding decisions for transmitting frames are determined by whether or not the traffic being classified is in the VLAN’s forwarding database, as follows:

Unlearned traffic: When a frame’s destination MAC address is not in the VLAN’s forwarding database (FDB), it will be forwarded out of every port on the VLAN’s egress list with the frame format that is specified.

Learned traffic: When a frame’s destination MAC address is in the VLAN’s forwarding database, it will be forwarded out of the learned port.


On all EOS based platforms, the show vlan command displays the device’s VLANs and only ports on the VLAN’s egress list that are in a forwarding state. If a port possesses one or more of the following characteristics, the port is not displayed with the show vlan command regardless of the administrative configuration of the device:

No link
Blocking due to spanning tree
Member of a LAG port

Note: Regarding the above output, a port that is displayed as an Egress Port and Untagged Port for a VLAN is on this VLAN’s egress list as untagged. A port that is displayed as only an Egress Port for a VLAN is on this VLAN’s egress list as tagged.


Note: Other useful show commands for displaying the VLAN configuration/operation related information of an EOS based switch are shown below:

show vlan portinfo
show host vlan
show port vlan
show port status
show config vlan
show config port


The show vlan command is a useful troubleshooting tool. It displays, in summary, a VLAN’s basic configuration and which protocols, if any, have been enabled (for example OSPF, Spanning Tree, and EAPS). To display detailed information for all VLANs, enter the show vlan detail command. To display detailed information for a specific VLAN, enter the show vlan command with the VLAN name as the command qualifier. For example: show vlan blue.


The show vlan command has a number of command qualifiers that allow you to examine specific VLAN information. The entries are as follows:

show vlan ?
  description     Description string
  detail          detailed
  dynamic-vlan    show configuration related to dynamically created VLANs
  ports           Show only VLANs associated with the specified ports
  statistics      VLAN statistics
  tag             IEEE 802.1Q or 802.1ad tag
  |               Filter the output of the command
  <vlan_name>     Name of the VLAN
  <vr-name>       Virtual router name
                  "VR-Default" "VR-Mgmt"


The FDB in large networks may have many entries, so it may be difficult to find a specific MAC address in such a large table. The show fdb command has a number of command qualifiers that allow you to examine specific FDB entries as follows:

Blackhole entries: show fdb blackhole
MAC address tracking entries: show fdb mac-tracking configuration
Netlogin entries: show fdb netlogin all
Permanent entries: show fdb permanent
Entries for a specific MAC address: show fdb <mac_addr>
Entries on a specific port: show fdb ports <port_list>
Entries within a specific VLAN: show fdb vlan <vlan_name>

The clear fdb command also has a number of command qualifiers that allow you to clear specific FDB entries as follows:

Blackhole entries: clear fdb blackhole
Entries for a specific MAC address: clear fdb <mac_addr>
Entries on a specific port: clear fdb ports <port_list>
Entries within a specific VLAN: clear fdb vlan <vlan_name>


Note: All EOS based switches support VIDs from 1 to 4094. A, B, C, D, and G-Series switches only support the creation of 1024 VLANs.


When creating VLANs, first assign a VLAN ID within the supported range of the device. This is a numeric ID. You may also assign a VLAN name to each VLAN. This name is for the administrator’s use. The name of the VLAN has no effect on the VLAN or its functioning. It is the VLAN ID that “counts.”


Before enabling VLANs for the switch, you must first assign each port to the VLAN group or groups in which it will participate. Port VLAN IDs (PVIDs) determine the VLAN to which all untagged frames received on one or more ports will be classified. This is a classification mechanism that associates a port with a specific VLAN and is used to make forwarding decisions for untagged packets received by the port.

For example, if port 2 is assigned a PVID of 3, then all untagged packets received on port 2 will be assigned to VLAN 3. If no VLANs are defined on the switch, all ports are assigned to the default VLAN with a PVID equal to 1.

You should add a port as a tagged port (that is, a port attached to a VLAN-aware device) if you want it to carry traffic for one or more VLANs, and the device at the other end of the link also supports VLANs. On Extreme switches, ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames.


PVIDs are configured in the same way on all EOS based switches. The PVID is used to classify untagged frames as they ingress into a given port. When setting a PVID with the set port vlan command, you can also add the port to the VLAN’s untagged egress list (egress is discussed later).

Example: If you assign ports 1, 5, 8, and 9 to VLAN 44, untagged frames received on those ports will be assigned to VLAN 44. If the specified VLAN (VLAN 44 in this example) has not already been created, this command (set port vlan) will create it and add the ports to the VLAN’s egress list as untagged.


Note: If the frame format is not specified in the set vlan egress command, the port is automatically added to the VLAN’s egress list as tagged.

Note: Setting a port to “forbidden” prevents it from participating in the specified VLAN and ensures that any dynamic requests, either through GVRP or Dynamic Egress, for the port to join the VLAN, will be ignored. (Dynamic Egress is discussed in a later section of this module.)

Note: Setting a port to untagged allows it to transmit frames without a tag header. This setting is usually used to configure a port connected to an end user or other VLAN-unaware device.


For EOS based devices, the egress process dictates where the packet is allowed to go within the VLAN. The ingress process classifies received frames as belonging to one and only one VLAN. The forwarding process looks up learned information in the filtering database to determine where received frames should be forwarded. Egress determines which ports will be eligible to transmit frames for a particular VLAN, or it may be used to prevent one or more ports from participating in a VLAN. In general, VLANs have no egress (except VLAN ID 1), until they are configured by static administration or through dynamic mechanisms (GVRP, policy classification, or Extreme Dynamic Egress).


This is quite a common configuration when using IP telephones in a network. All network managers will want to place Voice over IP (VoIP) traffic into a separate VLAN from that of end user PCs. They will want to treat the VoIP traffic differently in times of congestion and also to reduce the broadcast traffic, which is why the two types of traffic are placed in different VLANs.

This is achieved by having the PCs send untagged packets and the phones send tagged packets. The Port VLAN Identifier (PVID) configured on the switch port places the PC’s packets into that VLAN, while the phone sends tagged packets to the switch and the switch keeps those packets in the tagged VLAN. For this to work, the switches still have to have all the VLANs configured on them.


If you are configuring multiple VLANs, we recommend that you configure a management-only VLAN. This allows a management station connected to the management VLAN to manage devices associated with this VLAN. A management VLAN improves security by preventing device configuration via ports on other VLANs in a layer 2 environment.

The process of assigning a management VLAN must be repeated on every device that is connected to the network to ensure that each device has a secure management VLAN. When configuring multiple devices, the VLAN names can be different, but the management VLAN ID must be the same on each device. It is not necessary to configure a physical port for management on each switch. Only those switches that will have a management station attached need a physical port assigned to the management VLAN.


Note: In the above diagram, VLAN 10 is extended throughout the network environment for management purposes. The VLAN is an isolated (non-routed) VLAN used for management purposes only. Devices in other VLANs will not have access to the switches for management operations.


Dynamic VLAN support automatically creates VLANs across a switched network by dynamically establishing and updating a device’s knowledge of the set of VLANs that currently have active members.

When a VLAN has egress, the information is transmitted out ports on the device in a GVRP formatted frame, using the GVRP multicast MAC address. A switch that receives this frame examines the frame and extracts the VLAN IDs. The dynamic VLAN protocol then dynamically registers (creates) the VLANs and adds the receiving port to its tagged member list for the extracted VLAN IDs. The information is then transmitted out the other GVRP configured ports of the device.


Warning: As a result of GVRP dynamically creating VLANs on switches and adding ports to VLAN egress lists on a LAN, unexpected extensions to a VLAN’s broadcast boundaries may result. Disabling GVRP globally on switches will correct this problem.


The set vlan egress {vlan-list} {port-string} forbidden command ensures that any requests for the port to dynamically join the VLAN will be ignored. This is applicable to both GVRP and Dynamic Egress.


Dynamic Egress is a proprietary EOS based feature. By default, dynamic egress is disabled on all VLANs. If dynamic egress is enabled for a VLAN, the device will add the port receiving a frame to the VLAN’s egress list according to the VLAN ID of the received frame.

set vlan dynamicegress {vlan-id } {enable | disable}


Note: To remove ports from a VLAN, use the configure vlan {vlan_name} delete ports {port_list} command.


Note: Once a VLAN has been configured with an 802.1Q tag ID, the VLAN is always a tagged VLAN. The ID can be changed but it cannot be removed.


Note: To remove a protocol filter from a VLAN enter the command:

configure vlan {vlan_name} protocol any


Ingress Filtering is disabled by default. Enable ingress filtering on a port to drop those incoming frames that do not have a VLAN ID that matches a VLAN ID on the port’s egress list. If ingress filtering is disabled and a port receives frames, tagged or untagged, for VLANs of which it is not a member, these frames will be flooded.


In this Figure, Workstation A’s packet has a VLAN ID tag of 7. It is received on port 1 of a switch and it is a broadcast packet. The switch logic will check to see if port 1 is on the egress list of VLAN 7. If port 1 is on VLAN 7’s egress list, the packet from Workstation A will be classified to VLAN 7, checked against the information in the filtering database and egress list, and transmitted out the appropriate port. If port 1 is not on the egress list of VLAN 7 (as in this figure), the packet will not be transmitted. This configuration prevents Workstation A’s broadcast packets from flooding across VLAN 7 and wasting valuable bandwidth.

The process just described is referred to as ingress filtering and it is used to conserve bandwidth within the switch by dropping packets that are not on the same VLAN as the ingress port at the point of reception. This eliminates the subsequent processing of packets that will just be dropped by the destination port. It affects tagged frames only and does not affect VLAN independent BPDU frames.
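
The classification, ingress filtering and egress-list forwarding rules from this module can be combined into one small model to see how the Workstation A frame is handled with filtering on and off. This is an added example and a simplification, not EOS code: the class, its method names, the verdict strings and the MAC addresses are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Simplified single-switch model of PVID classification and egress lists."""

    def __init__(self):
        self.pvid = {}               # port -> VLAN for untagged ingress frames
        self.egress = {}             # vlan -> {port: "tagged" | "untagged"}
        self.fdb = {}                # (vlan, mac) -> port the MAC was learned on
        self.ingress_filter = set()  # ports with ingress filtering enabled

    def set_egress(self, vlan, port, fmt="tagged"):
        # As the notes state, a port is added as tagged when no format is given.
        self.egress.setdefault(vlan, {})[port] = fmt

    def receive(self, port, src, dst, tag=None):
        """Return (verdict, vlan, [(egress_port, frame_format), ...])."""
        # Ingress: tagged frames keep their VLAN ID, untagged frames take the
        # port's PVID (1 when nothing has been configured).
        vlan = tag if tag is not None else self.pvid.get(port, 1)
        members = self.egress.get(vlan, {})

        # Ingress filtering applies to tagged frames only: drop at the point of
        # reception when the ingress port is not on that VLAN's egress list.
        if tag is not None and port in self.ingress_filter and port not in members:
            return ("dropped-at-ingress", vlan, [])

        if src != BROADCAST:
            self.fdb[(vlan, src)] = port

        learned = self.fdb.get((vlan, dst))
        if learned is None:
            # Unlearned (or broadcast) destination: every port on the VLAN's
            # egress list except the one the frame arrived on.
            out = [(p, f) for p, f in sorted(members.items()) if p != port]
            return ("flooded", vlan, out)
        if learned != port and learned in members:
            return ("forwarded", vlan, [(learned, members[learned])])
        return ("filtered", vlan, [])


def figure_scenario(filtering_enabled):
    """Workstation A sends a broadcast tagged VLAN 7 into port 1, which is not
    on VLAN 7's egress list. Ports 2 and 3 are constructed VLAN 7 members."""
    sw = Switch()
    sw.set_egress(7, 2)              # tagged by default
    sw.set_egress(7, 3, "untagged")
    if filtering_enabled:
        sw.ingress_filter.add(1)
    return sw.receive(1, "00:00:00:00:00:0a", BROADCAST, tag=7)


if __name__ == "__main__":
    print("filtering off:", figure_scenario(False))
    print("filtering on: ", figure_scenario(True))
```

With filtering off, a frame tagged for a VLAN the port does not belong to still reaches every member port of that VLAN, which is why the default setting deserves review on access ports.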


CONFIGURING PROTECTED PORTS:

The Protected Port feature is used to prevent ports from forwarding traffic to each
other, even when they are on the same VLAN. Ports may be designated as either
protected or unprotected. Ports are unprotected by default. Multiple groups of
protected ports are supported.

Protected Port Operation:

Ports that are configured to be protected cannot forward traffic to other protected
ports in the same group, regardless of having the same VLAN membership.
However, protected ports can forward traffic to ports which are unprotected (not
listed in any group). Protected ports can also forward traffic to protected ports in a
different group, if they are in the same VLAN. Unprotected ports can forward traffic
to both protected and unprotected ports. A port may belong to only one set of
protected ports. This feature only applies to ports within a switch. It does not apply
across multiple switches in a network.
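
The ingress filtering check and the protected port rules described above can be modelled together to audit which ports can still reach each other on one switch. This is an added example, not code from the guide or from ExtremeXOS; the class, the port numbers and the sample VLAN layout are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SwitchModel:
    """Toy model of one switch (illustrative names, not an ExtremeXOS API)."""
    vlan_egress: dict[int, set[int]]                                 # VLAN ID -> egress list
    protected_group: dict[int, int] = field(default_factory=dict)    # port -> group id
    ingress_filtering: set[int] = field(default_factory=set)         # disabled by default

    def ingress_accepts(self, port: int, vlan_id: int) -> bool:
        """With ingress filtering on, drop frames whose VLAN is not on the port's egress list."""
        if port not in self.ingress_filtering:
            return True
        return port in self.vlan_egress.get(vlan_id, set())

    def may_forward(self, src: int, dst: int) -> bool:
        """Only two protected ports in the same group are barred from each other."""
        g_src = self.protected_group.get(src)
        g_dst = self.protected_group.get(dst)
        return g_src is None or g_dst is None or g_src != g_dst

    def broadcast_egress(self, in_port: int, vlan_id: int) -> set[int]:
        """Ports a broadcast frame tagged vlan_id leaves on after arriving on in_port."""
        if not self.ingress_accepts(in_port, vlan_id):
            return set()
        members = self.vlan_egress.get(vlan_id, set())
        return {p for p in members if p != in_port and self.may_forward(in_port, p)}

    def isolation_gaps(self, must_not_talk: list[tuple[int, int]]) -> list:
        """Port pairs meant to be isolated that still share a VLAN and may forward."""
        gaps = []
        for a, b in must_not_talk:
            shared = sorted(v for v, m in self.vlan_egress.items() if a in m and b in m)
            if shared and self.may_forward(a, b):
                gaps.append((a, b, shared))
        return gaps


def sample_switch() -> SwitchModel:
    """Constructed layout: port 1 is not on VLAN 7's egress list, as in the figure."""
    return SwitchModel(
        vlan_egress={7: {2, 3, 4, 5}, 10: {1, 5}},
        protected_group={2: 1, 3: 1, 4: 2},   # ports 2 and 3 share group 1; port 4 is in group 2
        ingress_filtering={1},
    )


if __name__ == "__main__":
    sw = sample_switch()
    print("VLAN 7 broadcast in on port 1:", sw.broadcast_egress(1, 7))
    print("VLAN 7 broadcast in on port 2:", sw.broadcast_egress(2, 7))
    print("isolation gaps:", sw.isolation_gaps([(2, 3), (2, 4), (3, 5)]))
```

The gap report is the useful part for a review: ports in different protected groups, or a protected and an unprotected port, still talk to each other if they share a VLAN.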

Egress flood control alters the standard forwarding behavior of a switch and should
be used with care. However, it can effectively improve network performance and
security if used correctly.

Note: For BD10K and BD12K switches you cannot selectively disable flooding on
specific ports. Additionally, the command disables flooding of unicast, broadcast and
multicast packets.

Disabling multicasting egress flooding does not affect clients subscribed to an IGMP
group. Packets are still forwarded. If IGMP snooping is disabled, multicast packets
are not flooded.

Example:
disable flooding unicast ports 24
disable flooding broadcast ports 24
show port 24 info detail

To reset flooding control back to defaults:
enable flooding all_cast ports all

Limit learning does not affect the following:

Packets destined for permanent MAC addresses and other MAC addresses that are
not black hole entries.

Broadcast traffic from MAC addresses that are not black hole entries.

EDP and LLDP traffic.

Example:
configure port 24 vlan default limit-learning 1
show fdb

Note: In large networks the application of limit learning using Blackhole entries can
quickly use up FDB entries. A full FDB can have an impact on switch performance.
To alleviate this, use the action stop-learning command qualifier.

The “limit” for a specific virtual port (port/VLAN combination) can be removed by
entering the configure port command, specifying the port, vlan and the keyword
unlimited-learning as shown in the example below:

configure port 24 vlan default unlimited-learning

Lock learning does not affect the following:

Packets destined for permanent MAC addresses and other MAC addresses that are
not black hole entries.

Broadcast traffic from MAC addresses that are not black hole entries.

EDP and LLDP traffic.

Example:
conf port 24 vlan default lock-learning

Example:
conf port 24 vlan default unlock-learning

Note: When you unconfigure the lock learning feature on a virtual port, and if the
configuration was previously saved with the lock learning feature enabled, the
“locked” entries will need to be removed from the running configuration.

Port Forwarding:

MSTP and RSTP use rapid forwarding mechanisms to get ports to the forwarding
state. However, there is a difference in forwarding time between user/edge ports
and inter-switch links (ISLs). If a user/edge port is defined as adminedge TRUE
using the set spantree adminedge command, it will forward as soon as the port
becomes operational. An ISL will forward based on an exchange of BPDUs. By
default, autoedge is set to TRUE and adminedge is set to FALSE.

These settings satisfy most requirements. Autoedge allows a port defined as
adminedge FALSE to discover in a short period of time that it is an edge port. The
only time it is necessary to set adminedge to TRUE is when the attached user
device cannot tolerate the several seconds required for auto-detection to detect the
port as a user/edge port and move it to forwarding. Setting an ISL to adminedge
TRUE should be avoided because it can lead to transient data loops.

Spanning Tree Port States:

Blocking: Actively preventing traffic from using this path. Still receiving BPDUs, so
continuing to monitor for management and STA information.

Listening: Continuing to block traffic while waiting for protocol information to
determine whether to go back to the blocking state or continue to the learning state.
Listens to BPDUs to ensure no loops occur on the network.

Learning: Learning station location information but continuing to block traffic.

Forwarding: Forwarding traffic and continuing to learn station location information.

Disabled: Disabled administratively or by failure.

Discarding: Used as shorthand for blocking, listening, or learning state.

IEEE 802.1w, Rapid Reconfiguration Spanning Tree (RSTP), is built upon the
original IEEE 802.1D Spanning Tree Protocol parameters. When a network fails in a
traditional spanning tree topology, two-way communication may not recover for up
to 50 seconds. The same recovery can happen almost immediately in an RSTP
environment. Rapid reconfiguration ensures that an end-user is insulated from
dropped sessions or inaccessible resources. IEEE 802.1w and IEEE 802.1D
Spanning Tree algorithms will interoperate. An RSTP switch detects when it is
connected to an 802.1D STP switch.

The original 802.1D standard treats the overall topology as a single network, while
switches treat VLANs as completely separate networks. Some of the benefits of
configuring multiple VLANs are sacrificed with this compromise. IEEE 802.1s is a
supplement to IEEE 802.1Q that adds the facility for VLAN switches to use multiple
instances of spanning trees, allowing for traffic belonging to different VLANs to flow
over potentially different paths within the LAN.

802.1s allows network administrators to assign VLAN traffic to unique paths. Some
or all of the switches in a LAN participate in two or more spanning trees with each
VLAN belonging to one of the spanning tree instances. An advantage of MST is that
MST is built on top of 802.1w Rapid Reconfiguration with its decreased time for
re-spans within the network.

Note: MSTP port roles are the same as with 802.1w, with one addition, Master Port.

Root Port: The one port that a bridge uses to connect to the Root Bridge. This
port is elected as the Root Port due to its least “path-cost” to Root.

Alternate Port: Any redundant upstream port that provides an alternate path to the
Root Bridge (other than the Root Port).

Designated Port: Any downstream port that provides a path to the Root Bridge.

Edge Port: A port that has no other bridges connected to this port (i.e. User Port).
This is automatically configured by the Bridge Detection State Machine (802.1t
Clause 18).

Backup Port: A port that acts as a redundant Designated Port for a LAN segment.

Master Port: The Bridge Port that is the CIST Root Port for the CIST Regional
Root. It provides connectivity from the Region to the CIST Root that lies outside the
Region. This Port Role only exists within the context of the MSTIs.

Where only 802.1D or 802.1w is running, with no failure there is no bandwidth
utilization between switches 2 and 3. With 802.1s it is possible to make each switch
a root bridge for different spanning tree groups and then associate a different VLAN
with each spanning tree instance. This way we are reducing the likelihood of a link
being over-utilized.

In most networks, Spanning Tree version should not be changed from its default
setting of MSTP (Multiple Spanning Tree Protocol) mode. MSTP mode is fully
compatible and interoperable with legacy STP 802.1D and Rapid Spanning Tree
(RSTP) bridges. Setting the version to stpcompatible mode will cause the bridge to
transmit only 802.1D BPDUs; this will prevent non-edge ports from rapidly
transitioning to forwarding state.

Note: An MST region is a group of devices that are configured together to form a
logical region. The MST region presents itself to the rest of the network as a single
switching device, which simplifies administration. For a switching device to be
considered as part of an MST region, it must be administratively configured with the
same configuration identifier information as all other devices in the MST region. By
default, each bridge is in its own MST region and has a default configuration name
derived from the bridge MAC address.

If the Designated Root MAC Address matches the Bridge ID MAC Address, the
device views itself as the root bridge. Therefore, no root port is displayed for this
bridge.

Note that the port role and port state are both displayed for the bridge when using
the port keyword with the show spantree command.

Note that the SID column displays the value of 1 in this example; this value
represents spanning tree instance 1.

Note: The show spantree debug command is used to display protocol-specific
counter information.

Restricted Role:

Restricted Role is a Spanning Tree protocol feature that allows or disallows the root role on
specified ports. When Restricted Role is enabled, the port will not be selected as the root port
for the CIST or any MSTI, even if it has the best Spanning Tree priority. A port with Restricted
Role enabled is selected as an alternate port after the root port has been selected.

You may wish to use Restricted Role when bridges are not under your full control. You may
also wish to enable Restricted Role on ports where the bridge is external to the core and where
the port faces away from the root, in cases where the port role would normally be designated.
This can speed network re-convergence, particularly after loss of the root bridge. Restricted role
is disabled by default.

Restricted Topology Change Notification (TCN):


Restricted Topology Change Notification (TCN) is a Spanning Tree protocol feature that allows
or disallows TCN propagation on specified ports. When Restricted TCN is disabled, TCN
propagation is allowed. The port propagates received TCNs and topology changes to other
ports. Restricted TCN is disabled by default. When Restricted TCN is enabled, the port does
not propagate received TCNs and topology changes to other ports. Enable Restricted TCN to
prevent unnecessary address flushing in the core region of the network caused by activation of
bridges external to the core network.

A possible reason for not allowing TCN propagation is when bridges are not under the full
control of the administrator or because MAC operational state for the attached or downstream
LANs transitions frequently, causing disruption throughout the network.

Standard 802.1D STP takes 30-50 seconds to recover from a failure or root bridge
changes. By default, all Extreme switches support 802.1w and 802.1s, which
provide sub-second recovery. However, repeated topology change notifications or
new root bridge announcements can cause a Denial of Service (DoS) condition.

Unwanted BPDUs from an attacker can force network changes and cause a Denial
of Service condition in the layer 2 environment. These changes can cause learned
layer 2 address entries to be removed from a switch’s forwarding table, leading to
excessive flooding. Massive flooding can cause MAC entries to be learned
on the wrong port, resulting in loss of communication across the network.

Gathering information – the show commands

show spantree spanguard - shows the value of Span Guard (enabled/disabled)
show spantree spanguardlock - shows the value of spanguardlock for a given port
(locked/unlocked)
show spantree spanguardtimeout - shows the value of spanguardtimeout
(0-65535 seconds)

When Span Guard is enabled, reception of a BPDU by a port which has adminEdge
set TRUE will cause the port to be locked and its state set to blocking. The port will
be locked for a globally specified time (spanguardtimeout) expressed in seconds
which may be forever if the timer value is set to 0. The port will become unlocked
when either the timer expires or it is manually unlocked or the configuration is
changed such that either Span Guard is no longer enabled or the port no longer has
adminEdge set to TRUE.

In order to utilize Span Guard the system administrator must know which ports are
connected between switches as ISLs (inter-switch links). AdminEdge must be
configured globally before Spanguard will work. AdminEdge is configured via the
set spantree adminedge command from the CLI. Adminedge must be set to false
on all known ISLs. Any remaining ports where protection is desired should be set to
adminedge = True. Setting these remaining ports to adminedge = True indicates to
Spanguard that these ports are not expecting to receive any BPDUs. If BPDUs are
received on these ports the affected ports will become locked. The set spantree
spanguardtimeout command sets the timeout period that a port will remain in the
locked state. By default the timeout period is 300 seconds. This can be configured
to a range of 0-65535 seconds. Setting the value to 0 will set the timeout to forever.
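
The lock and unlock rules above can be written as a small state model, with an audit of adminedge settings against the list of known ISLs. This is an added example, not code from the guide or from the switch software; the port names are constructed, and it assumes that a BPDU arriving on an already locked port does not change the lock time.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Port:
    admin_edge: bool = False           # adminedge is FALSE by default
    locked_at: float | None = None     # time of the BPDU that locked the port


class SpanGuardModel:
    """Toy model of the Span Guard lock rules (illustrative, not a switch API)."""

    def __init__(self, ports: dict[str, Port], enabled: bool, timeout: int = 300):
        self.ports = ports
        self.enabled = enabled
        self.timeout = 0
        self.set_timeout(timeout)      # default spanguardtimeout is 300 seconds

    def set_timeout(self, seconds: int) -> None:
        if not 0 <= seconds <= 65535:
            raise ValueError("spanguardtimeout must be 0-65535 seconds")
        self.timeout = seconds         # 0 means locked forever

    def is_locked(self, name: str, now: float) -> bool:
        port = self.ports[name]
        if port.locked_at is None:
            return False
        expired = self.timeout != 0 and now - port.locked_at >= self.timeout
        # Unlock on timer expiry, Span Guard disabled, or adminEdge no longer TRUE.
        if expired or not self.enabled or not port.admin_edge:
            port.locked_at = None
            return False
        return True

    def receive_bpdu(self, name: str, now: float) -> bool:
        """Return True if the port is locked after this BPDU."""
        port = self.ports[name]
        if not self.is_locked(name, now) and self.enabled and port.admin_edge:
            port.locked_at = now
        return port.locked_at is not None

    def unlock(self, name: str) -> None:
        """Manual unlock by the administrator."""
        self.ports[name].locked_at = None


def audit_admin_edge(ports: dict[str, Port], isls: set[str]) -> list[tuple[str, str]]:
    """Flag ISLs marked as edge ports and non-ISL ports Span Guard does not cover."""
    findings = []
    for name, port in sorted(ports.items()):
        if name in isls and port.admin_edge:
            findings.append((name, "ISL has adminedge TRUE"))
        elif name not in isls and not port.admin_edge:
            findings.append((name, "non-ISL port not covered by Span Guard"))
    return findings


if __name__ == "__main__":
    # Constructed port inventory: one ISL, two user ports.
    ports = {"isl-1": Port(False), "user-10": Port(True), "user-11": Port(False)}
    guard = SpanGuardModel(ports, enabled=True)
    print("BPDU on isl-1 locks it:", guard.receive_bpdu("isl-1", now=0))
    print("BPDU on user-10 locks it:", guard.receive_bpdu("user-10", now=10))
    print("user-10 locked at t=309:", guard.is_locked("user-10", now=309))
    print("user-10 locked at t=310:", guard.is_locked("user-10", now=310))
    print("audit:", audit_admin_edge(ports, isls={"isl-1"}))
```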

Encapsulation Modes:

You can configure ports within an STPD to accept specific BPDU encapsulations. An STP port
has three possible encapsulation modes:

802.1D mode

Use this mode for backward compatibility with previous STP versions and for compatibility with
third-party switches using IEEE standard 802.1D. BPDUs are sent untagged in 802.1D mode.
Because of this, any given physical interface can have only one STPD running in 802.1D mode.
This encapsulation mode supports the following STPD modes of operation: 802.1D, 802.1w,
and MSTP (802.1s).

Extreme Multiple Instance Spanning Tree Protocol (EMISTP) mode


EMISTP mode is proprietary to Extreme Networks and is an extension of STP that allows a
physical port to belong to multiple STPDs by assigning the port to multiple VLANs. EMISTP
adds significant flexibility to STP network design. BPDUs are sent with an 802.1Q tag having an
STPD instance Identifier (STPD ID) in the VLAN ID field. This encapsulation mode supports the
following STPD modes of operation: 802.1D and 802.1w.

Per VLAN Spanning Tree (PVST+) mode


This mode implements PVST+ in compatibility with third-party switches running this version of
STP. The STPDs running in this mode have a one-to-one relationship with VLANs and send
and process packets in PVST+ format. This encapsulation mode supports the following STPD
modes of operation: 802.1D and 802.1w.

Configure MSTP Region Identifiers

For multiple switches to be part of an MSTP region, you must configure each switch
in the region with the same MSTP configuration attributes, also known as MSTP
region identifiers. The following list describes the MSTP region identifiers:

Region Name: This indicates the name of the MSTP region. In the Extreme
Networks implementation, the maximum length of the name is 32 characters and
can be a combination of alphanumeric characters and underscores ( _ ).

Format Selector: This indicates a number to identify the format of MSTP BPDUs.
The default is 0.

Revision Level: This identifier is reserved for future use; however, the switch uses
and displays a default of 3.

Note: You can configure the default STPD, S0 as the CIST. No VLAN can be bound
to the CIST and no ports can be added to the CIST. Therefore, the VLAN should be
bound to the MSTI and the “show MSTI port” command will show the VLAN ports.
The ports added to the MSTI are bound automatically to the CIST even though they
are not added to it.

MSTP Edge Safeguard

You can configure edge safeguard for loop prevention and detection on an
RSTP/MSTP edge port. Loop prevention and detection on an edge port configured
for RSTP/MSTP is called edge safeguard. You can configure edge safeguard on
RSTP/MSTP edge ports to prevent accidental or deliberate misconfigurations
(loops) resulting from connecting two edge ports together or by connecting a hub or
other non-STP switch to an edge port. Edge safeguard also limits the impact of
broadcast storms that might occur on edge ports. This advanced loop prevention
mechanism improves network resiliency but does not interfere with the rapid
convergence of edge ports.

An edge port configured with edge safeguard immediately enters the forwarding
state and transmits BPDUs. If a loop is detected, STP blocks the port. By default,
an edge port without edge safeguard configured immediately enters the forwarding
state but does not transmit BPDUs unless a BPDU is received by that edge port.

To prevent the loops across the switches, the Edge Safeguard feature can be
configured with the BPDU restrict function. When running in BPDU restrict mode,
Edge Safeguard ports send STP BPDUs at a rate of 1 every 2 seconds. The port is
disabled as soon as an STP BPDU is received on the BPDU restrict port, thereby
preventing the loop. Flexibility is provided with an option to re-enable the port after a
user-specified time period. If a user enables a port while STP has disabled it, the
port is operationally enabled; STP is notified and then stops any recovery timeout
that has started.

Note: ExtremeXOS software does not support ELRP and Network Login on the
same port. When used on a VPLS service VLAN, ELRP does not detect loops
involving the VPLS pseudowires.

Non-periodic ELRP Requests

You can specify the number of times ELRP packets must be transmitted and the interval
between consecutive transmissions.

A message is printed to the console and logged into the system log file indicating detection
of network loop when ELRP packets are received back or no packets are received within
the specified duration.

Periodic ELRP Requests

You can configure the interval between consecutive transmissions. If ELRP packets are
received back, a message is printed to the system log file and/or a trap is sent to the SNMP
manager indicating detection of a network loop. You have the option to configure the switch
to automatically disable the port where the looped packet arrived as well as the length of
time (in seconds) that the port should remain disabled. When this hold time expires, the port
is automatically enabled.

Exclude Port List

When you have configured the switch to automatically disable the port where the looped
packet arrived, there may be certain ports that you do not want disabled.

Limitations

The following are limitations to this feature:

A specified port is added to the list regardless of its corresponding VLAN.
Only ports on the local switch can be added.
A loop detected on an excluded port may persist indefinitely until user action is taken.

ELRP on Protocol-based VLANs

The following example demonstrates running ELRP on a protocol-based VLAN. For ELRP
to detect loops on a protocol-based VLAN (other than the protocol any), you need to add
the ethertype 0x00bb to the protocol.

Create VLANs:

create vlan v1
create vlan v2

Protocol filter configuration:

configure vlan v1 protocol IP
configure vlan v2 protocol decnet

Add ports to the VLAN:

configure vlan v1 add ports 1
configure vlan v2 add ports 2

Enable ELRP on the created VLANs:

enable elrp-client
configure elrp-client periodic v1 ports all interval 5 log
configure elrp-client periodic v2 ports all interval 5 log

Add the ethertype to the protocol:

configure protocol IP add snap 0x00bb
configure protocol decnet add snap 0x00bb

VLANs v1 and v2 can then detect the loop on their respective broadcast domains.

An EAPS Master detects the failure in its domain, and converges around the failure.

You must create and configure one control VLAN for each EAPS domain. A control
VLAN cannot belong to more than one EAPS domain. If the domain is active, you
cannot delete the domain or modify the configuration of the control VLAN. The
control VLAN must NOT be configured with an IP address. In addition, only ring
ports may be added to this control VLAN. No other ports can be members of this
VLAN. Failure to observe these restrictions can result in a loop in the network. The
ring ports of the control VLAN must be tagged.

Protected VLANs are the data-carrying VLANs. When you configure a protected
VLAN, the ring ports of the protected VLAN must be tagged (except in the case of
the default VLAN).

EAPS Hello (Health Check) packets use the Extreme Encapsulation Protocol
(EEP) to transmit hello packets.

EEP packets have a source MAC address of 00 e0 2b 00 00 01

EAPS packets have a destination MAC address of 00 e0 2b 00 00 04

Each switch (node) will examine the hello packet and then forward the packet to its
neighbor switch through the ring port that did not receive the packet. EAPS packets
are sent with an 802.1p value of 7 (QP8).

EAPS hello packets contain the following information:

Packet type
    Health, Link Down, Links Up (Pre-Forwarding), Flush FDB
Control VLAN ID
Originator’s system MAC address
Hello fail timer value
Domain state
    Complete, Failed
Hello sequence number

Configuration Overview (Domain-1):

The control VLAN (VLAN “ctrl-1”) will have a tag of 101

Ports 1:1 and 4:1 for the SummitStacks will be added to the “ctrl-1”
VLAN as tagged ports

Ports 1:1 and 2:1 for the BD8Ks will be added to the “ctrl-1” VLAN as
tagged ports

The protected VLAN (VLAN “data”) has a tag of 10

Note: The above ports must be added tagged to the “data” VLAN on each switch,
along with any end-user ports. End-user ports are usually untagged.

EAPS Configuration SummitStack2:

create eaps Domain-1
configure eaps Domain-1 mode master
configure eaps Domain-1 primary 1:1
configure eaps Domain-1 secondary 4:1
configure eaps Domain-1 add control ctrl-1
configure eaps Domain-1 add protected data
enable eaps Domain-1
enable eaps
show eaps

In a ring that contains switches made by other companies, the polling timers provide
an alternate way to detect ring breaks. The master periodically sends hello PDUs at
intervals determined by the hello PDU timer and waits for a reply. If a hello PDU
reply is not received before the failtime timer expires, the switch detects a failure
and responds by either sending an alert or opening the secondary port. The
response action is defined by a configuration command.

© 2015 Extreme Networks, Inc. All rights reserved 236


ok
bo
-e
ks
or
w
et

Use the hellotime keyword and its associated parameters to specify the amount of
time the master node waits between transmissions of health check messages on
the control VLAN. The combined value for seconds and milliseconds must be
greater than 0. The default value is 1 second.

Use the failtime keyword and its associated parameters to specify the amount of
time the master node waits before the failtimer expires. The combined value for
seconds and milliseconds must be greater than the configured value for hellotime.
The default value is 3 seconds.

Note: Increasing the failtime value increases the time it takes to detect a ring break
using the polling timers, but it can also reduce the possibility of incorrectly declaring
a failure when the network is congested.
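
The control VLAN and protected VLAN restrictions given earlier, together with the hellotime and failtime constraints above, lend themselves to a pre-deployment check. This is an added example, not code from the guide or from ExtremeXOS; the data model, finding codes, the extra port numbers, the IP address and Domain-2 are constructed, and treating a VLAN named "default" as the default VLAN is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vlan:
    name: str
    tagged: set[str] = field(default_factory=set)
    untagged: set[str] = field(default_factory=set)
    ip_address: str | None = None


@dataclass
class EapsDomain:
    name: str
    primary: str
    secondary: str
    control: str                                   # control VLAN name
    protected: list[str] = field(default_factory=list)
    hello_ms: int = 1000                           # default hellotime: 1 second
    fail_ms: int = 3000                            # default failtime: 3 seconds


def lint_eaps(domains: list[EapsDomain], vlans: dict[str, Vlan]) -> list[tuple[str, str]]:
    """Return (domain, finding code) pairs for each restriction that is violated."""
    findings, control_owner = [], {}
    for d in domains:
        ring = {d.primary, d.secondary}
        ctrl = vlans[d.control]
        if d.control in control_owner:             # one control VLAN per domain only
            findings.append((d.name, "CTRL_SHARED"))
        control_owner.setdefault(d.control, d.name)
        if ctrl.ip_address is not None:            # control VLAN must not have an IP
            findings.append((d.name, "CTRL_HAS_IP"))
        if (ctrl.tagged | ctrl.untagged) - ring:   # only ring ports may be members
            findings.append((d.name, "CTRL_NON_RING_PORT"))
        if not ring <= ctrl.tagged:                # ring ports must be tagged
            findings.append((d.name, "CTRL_RING_NOT_TAGGED"))
        for name in d.protected:
            # Assumption: the default VLAN is the one named "default".
            if name.lower() != "default" and not ring <= vlans[name].tagged:
                findings.append((d.name, "PROT_RING_NOT_TAGGED"))
        if d.hello_ms <= 0:
            findings.append((d.name, "HELLO_NOT_POSITIVE"))
        if d.fail_ms <= d.hello_ms:                # failtime must exceed hellotime
            findings.append((d.name, "FAIL_NOT_ABOVE_HELLO"))
    return findings


def good_config():
    """Domain-1 as configured on SummitStack2 in the guide, plus a constructed user port."""
    vlans = {
        "ctrl-1": Vlan("ctrl-1", tagged={"1:1", "4:1"}),
        "data": Vlan("data", tagged={"1:1", "4:1"}, untagged={"1:10"}),
    }
    return [EapsDomain("Domain-1", "1:1", "4:1", "ctrl-1", ["data"])], vlans


def bad_config():
    """Constructed misconfiguration that breaks several restrictions at once."""
    vlans = {
        "ctrl-1": Vlan("ctrl-1", tagged={"1:1", "4:1", "1:5"}, ip_address="10.0.101.1"),
        "data": Vlan("data", tagged={"1:1"}, untagged={"4:1"}),
    }
    domains = [
        EapsDomain("Domain-1", "1:1", "4:1", "ctrl-1", ["data"], hello_ms=1000, fail_ms=1000),
        EapsDomain("Domain-2", "2:1", "3:1", "ctrl-1"),
    ]
    return domains, vlans


if __name__ == "__main__":
    print("good:", lint_eaps(*good_config()))
    for domain, code in lint_eaps(*bad_config()):
        print(f"bad: {domain}: {code}")
```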

With EAPS, a data VLAN can span multiple physical rings or EAPS domains. This
is called an overlapping VLAN. An overlapping VLAN requires loop protection for
each EAPS domain to which it belongs. In the figure above, there is an EAPS
domain with its own control VLAN running on ring 1 and another EAPS domain with
its own control VLAN running on ring 2. A data VLAN that spans both rings is added
as a protected VLAN to both EAPS domains to create an overlapping VLAN. Switch
S5 has two instances of EAPS domains running on it, one for each ring.

In the slide shown earlier (Two Rings Interconnected by One Switch) switch S5
would represent a single point of failure. If switch S5 were to go down, users on
Ring 1 would not be able to communicate with users on Ring 2. To make the
network more resilient, you can add another switch. In the figure shown above, a
second switch (S10) connects to both rings and to S5 through a common link,
which is common to both rings. The EAPS common link in the following figure
requires special configuration to prevent a loop that spans both rings. The software
entity that requires configuration is the eaps shared-port; therefore the common link
feature is sometimes called the shared port feature.

During normal operation, the master node on each ring protects the ring as
described earlier in the first EAPS module. The Controller and Partner nodes work
together to protect against Super Loop problems that can occur when common
(overlapping) VLANs are distributed across multiple rings.

Note: A Controller or Partner can also perform the role of master or transit node
within its EAPS domain. Typically the controller and partner nodes are distribution or
core switches.



Note: When a common link fails, one of the segment ports becomes the active-open
port, and all other segment ports are blocked to prevent a loop for the
protected VLANs.

If a link failure occurs in one of the rings, only a single EAPS domain is affected.
The EAPS master detects the failure in its domain, and converges around the
failure. In this case, the controller does not take any blocking action, and EAPS
domains on other rings are not affected. Likewise, when the link is restored, only the
local EAPS domain is affected. The controller and any EAPS domains on other
rings are not affected, and continue forwarding traffic normally.



When the common link fails, the secondary port of each master node is unblocked,
and the new topology introduces a broadcast loop spanning both rings (EAPS
Domain-1 and Domain-2). It is the Controller's responsibility to block this loop.

For the failure scenario shown above, the Controller and Partner nodes immediately
detect the loop, and the controller does the following:

• Selects an active-open port for protected VLAN communications

• Blocks protected VLAN communications on all segment ports except the
active-open port

Note: When a controller goes into or out of the blocking state, the controller sends a
flush-fdb message to flush the FDB in each of the switches in its segments. In a
network with multiple EAPS ports in the blocking state, the flush-fdb message gets
propagated across the boundaries of the EAPS domains.

Note: To discover segments and their up or down status, segment health-check
messages are sent from controller to partner, and also from partner to controller.



The EAPS domain priority feature allows you to select the EAPS domains that are
serviced first when a break occurs in an EAPS ring. For example, you might set up
a network topology with two or more domains on the same physical ring. In this
topology, you could configure one domain as high priority and the others as normal
priority. You would then add a small subset of the total protected VLANs to the high
priority domain, and add the rest of the protected VLANs to the normal priority
domain. If a ring fault occurs in this topology, the protected VLANs in the high
priority domain are the first to recover.

The following slides cover a standard configuration with a common link and an EAPS
shared port for EAPS domains Domain-1 and Domain-2. Each domain supports a
common protected (overlapping) VLAN. Sample configuration is shown for
SummitStack2 in Domain-1, SummitX450-2 in Domain-2, and BD8K-1 in the Data
Center Core.

Note: Similar configuration must be implemented on all Summit Stacks in EAPS
Domain-1.

Note: Remember to enable EAPS at the global level as well as at the domain level
on all switches, using the commands shown below:

enable eaps

enable eaps {domain-name}

Note: Similar configuration must be implemented on all SummitX450 switches in
EAPS Domain-2.

Note: Similar configuration must be implemented on Core switch BD8K-2.

Note:
You must create and configure one control VLAN for each EAPS domain. A control
VLAN cannot belong to more than one EAPS domain. If the domain is active, you
cannot delete the domain or modify the configuration of the control VLAN. The
control VLAN must NOT be configured with an IP address. In addition, only ring
ports may be added to this control VLAN. No other ports can be members of this
VLAN. Failure to observe these restrictions can result in a loop in the network. The
ring ports of the control VLAN must be tagged.

You must add one or more protected VLANs to each EAPS domain. The protected
VLANs are the data-carrying VLANs. When you configure a protected VLAN, the
ring ports of the protected VLAN must be tagged (except in the case of the default
VLAN). For instructions on creating a VLAN, see VLAN Module.

Note: Similar configuration must be implemented on Core switch BD8K-2.

Configure the Link ID of the Shared Port:

Each common link in the EAPS network must have a unique link ID. The controller
and partner shared ports that belong to the same common link must have matching
link IDs. No other instance in the network should have that link ID. If you have
multiple adjacent common links, Extreme Networks recommends that you configure
the link IDs in ascending order of adjacency.

For example, if you have an EAPS configuration with three adjacent common links,
moving from left to right of the topology, configure the link IDs from the lowest to the
highest value. To configure the link ID of the shared port, use the following
command:

configure eaps shared-port <ports> link-id <id>

The link ID range is 1 to 65535.

To display EAPS status and configuration information, use the following command:

show eaps {<eapsDomain>} {detail}

Each controller and partner node can display status and configuration information
for the shared port or ports on the corresponding side of the common link. To
display EAPS common link information, use the following command:

show eaps shared-port {<port>} {detail}



Each switch in the ring is configured with the following elements:

• Ring Name

• RPL (ring protection link) owner configuration for the ERPS ring

• East and West ring ports

• Control VLAN and Protected VLANs

ERPS R-APS Packets:

ERPS uses the 802.1ag CFM protocol to transmit R-APS packets.

CFM packets have a source MAC address of the switch and a destination
MAC address of 01:19:a7:00:00:01.

Note: 01:19:a7 is the OUI for the ITU, who developed Y.1731, on which 802.1ag is based.

R-APS packets are sent with an 802.1p value of 7 (QP8) and a type field of
0x8902.

R-APS packets contain the following information:

• Request/State: No Request (idle state), Signal Failure, Manual Switch, Force Switch

• RPL Blocked indicator

• Flush FDB indicator

• R-APS Node ID (sender’s MAC address)
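The R-APS fields listed above, decoded from a frame and checked against what a ring is expected to send. This is an added example, not Extreme Networks code: the PDU byte layout (OpCode 40, Request/State nibble, status bits, Node ID offset) is taken from ITU-T G.8032 rather than from this guide, and the node MAC addresses, the node inventory and the sample frames are constructed; VLAN tag 102 and MD level 5 reuse the example values used elsewhere in this module.

```python
import struct

RAPS_DST_MAC = "01:19:a7:00:00:01"   # destination MAC stated in the guide
CFM_ETHERTYPE = 0x8902               # type field stated in the guide
RAPS_OPCODE = 40                     # assumption from ITU-T G.8032, not in the guide
# Request/State codes (G.8032) for the four states the guide lists;
# any other code is reported as unknown.
REQUEST_STATE = {0x0: "No Request", 0x7: "Manual Switch",
                 0xB: "Signal Failure", 0xD: "Force Switch"}


def mac(raw):
    """Format 6 raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_raps(frame):
    """Decode one 802.1Q-tagged Ethernet frame that carries an R-APS PDU."""
    if len(frame) < 30:  # 18-byte tagged header + 12 bytes of PDU used here
        raise ValueError("frame too short for a tagged R-APS PDU")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100:
        raise ValueError("no 802.1Q tag (control VLAN ring ports are tagged)")
    if ethertype != CFM_ETHERTYPE:
        raise ValueError("not a CFM frame")
    pdu = frame[18:]
    if pdu[1] != RAPS_OPCODE:
        raise ValueError("CFM frame is not R-APS")
    code = pdu[4] >> 4
    return {
        "dst": mac(frame[0:6]),
        "src": mac(frame[6:12]),
        "pcp": tci >> 13,                    # 802.1p priority bits
        "vlan": tci & 0x0FFF,
        "md_level": pdu[0] >> 5,
        "request": REQUEST_STATE.get(code, f"unknown (0x{code:x})"),
        "rpl_blocked": bool(pdu[5] & 0x80),  # RB status bit
        # G.8032 carries the flush indication as a Do Not Flush (DNF) bit.
        "do_not_flush": bool(pdu[5] & 0x40),
        "node_id": mac(pdu[6:12]),
    }


def audit_raps(frame, ring_nodes, control_vlan):
    """Return findings; an empty list means the frame fits the ring profile."""
    f = parse_raps(frame)
    findings = []
    if f["dst"] != RAPS_DST_MAC:
        findings.append(f"unexpected destination MAC {f['dst']}")
    if f["pcp"] != 7:
        findings.append(f"802.1p priority {f['pcp']}, expected 7")
    if f["vlan"] != control_vlan:
        findings.append(
            f"R-APS on VLAN {f['vlan']}, expected control VLAN {control_vlan}")
    if f["node_id"] not in ring_nodes:
        findings.append(f"R-APS from unknown Node ID {f['node_id']}")
    return findings


def constructed_frame(node_id, request=0xB, status=0x00,
                      vlan=102, pcp=7, md_level=5):
    """Build a sample frame for the checks above (constructed test data)."""
    node = bytes.fromhex(node_id.replace(":", ""))
    header = bytes.fromhex(RAPS_DST_MAC.replace(":", "")) + node
    header += struct.pack("!HHH", 0x8100, (pcp << 13) | vlan, CFM_ETHERTYPE)
    # MEL/version, OpCode, flags, TLV offset, Request/State + sub-code, status
    pdu = bytes([(md_level << 5) | 1, RAPS_OPCODE, 0, 32, request << 4, status])
    return header + pdu + node + bytes(24) + b"\x00"  # reserved bytes, End TLV


# Constructed inventory of the ring's node IDs and two constructed frames.
RING_NODES = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
KNOWN_SF = constructed_frame("02:00:00:00:00:01")                 # Signal Failure
UNKNOWN_NR_RB = constructed_frame("02:00:00:00:00:99", 0x0, 0x80)  # NR, RPL blocked

if __name__ == "__main__":
    for name, frame in (("known", KNOWN_SF), ("unknown", UNKNOWN_NR_RB)):
        print(name, parse_raps(frame), audit_raps(frame, RING_NODES, 102))
```

Run against frames captured on the control VLAN, a non-empty result points at R-APS traffic that did not come from a switch in the ring inventory or that arrived with the wrong tag or priority.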



Note: Similar configuration would have to be completed for all switches participating
in ring-2.

SummitStack2.1 # create erps ring-2
SummitStack2.3 # configure erps ring-2 ring-port east 1:1
SummitStack2.4 # configure erps ring-2 ring-port west 4:1
SummitStack2.2 # configure erps ring-2 protection-port 4:1
(This command will set SummitStack2 as the ring owner)
SummitStack2.5 # configure erps ring-2 add control ctrl-2
SummitStack2.6 # configure erps ring-2 add protected data
SummitStack2.7 # enable erps ring-2
SummitStack2.8 # enable erps



Note: CFM is defined in the IEEE 802.1ag-2007 standard and in the ITU’s Y.1731.
802.1ag is similar to Y.1731, but Y.1731 specifies additional performance
management. Extreme implements all of 802.1ag but only implements Y.1731 for
frame delay and delay variance measurement.

Note: CFM is also referred to as Ethernet Operation, Administration and
Maintenance (OAM or OA&M).



An UP MEP sends CFM frames toward the frame filtering entity, which forwards the
frames to all other ports of a service instance other than the port on which the UP
MEP is configured. This is similar to how the frame filtering entity forwards a normal
data frame, taking into account the port's STP state. For an UP MEP, a CFM frame
exits from a port only if the STP state of the port is the forwarding state.

A DOWN MEP sends CFM frames directly to the physical medium without
considering the port STP state. For a DOWN MEP, a CFM frame exits from a port
even if the port STP state is the blocking state.



Note: An “Up MEP” takes into account the Spanning Tree port state when
transmitting CCMs. It only forwards CFM frames through ports in the forwarding
state.



The example above shows the creation of a Down-MEP with the CFM commands.



A Maintenance Domain string is automatically generated based on the user-defined
MD Level. For example, for an MD Level of 5 the switch creates erps_5 as the MD
string. A Maintenance Association string is automatically generated based on the
ring Control VLAN. For example, if the Control VLAN has a name of ctrl-2 and a
tag of 102, the switch creates erps_MA_102 as the MA string.



Link Aggregation, SmartTrunking, and other port trunking algorithms are all methods
of bonding together two or more data channels into a single channel that appears as
a single, higher-bandwidth, logical link. It is a cost-effective way to implement
increased bandwidth. Aggregated links also provide redundancy and fault tolerance.

In the absence of any type of link aggregation, Spanning Tree Protocol prevents the
addition of bandwidth. Link aggregation makes multiple physical links appear as a
single logical link to the Spanning Tree Protocol, such that those redundant links
within the aggregation will not be blocked. This is accomplished by positioning link
aggregation as an optional sub-layer in the Data Link Layer of the OSI Model
(explained in more detail later in this module), presenting itself as a single MAC
address to MAC clients in the Network layer.

Link aggregation should be viewed as a network configuration option that is
primarily used in network connections that require higher data rate limits than can
be provided by single links, such as between switches or between switches and
servers. It can also be used to increase the reliability of critical links.



Link Aggregation Scenarios:

There are two typical scenarios in which link aggregation may be useful in a
network, as described below:

Switch-to-switch connections: This is the most common scenario. Multiple ports on
a switch are joined to form an aggregated link. Aggregation of multiple links
achieves higher speed connections between switches without a hardware upgrade. If
two switches are connected, each using four 1000 Mbps links, and one of those
links fails between the two switches, data traffic is maintained through the other
links in the link aggregation group. Note that such a configuration reduces the
number of ports available for connection to other network devices or end stations.
Thus, aggregation implies a trade-off between port usage and additional capacity for
a given device pair.

Switch-to-station (server or router) connections: Many server platforms can saturate
a single 100 Mbps link. Thus, link capacity limits overall system performance. You
can aggregate switch-to-station connections to improve performance. Better
performance can be achieved without an upgrade to the server or switch.

Key Benefits:

• Dynamic configuration determines which links are eligible for aggregation,
configures them automatically, and provides rapid reconfiguration. Automatic
configuration is the key objective of link aggregation. However, manual overrides
are available for network administrators who want to customize or “tweak” their
networks.

• Higher link availability: Provides higher link availability, in that the failure of any
single link within the aggregate is limited to that link only. Other links continue to
function so there is no disruption of the communications between the devices.

• Increased bandwidth: Serves to increase bandwidth because the capacity of an
aggregated link is higher than an individual link alone.

• Support of existing IEEE 802.3 MAC clients: Requires no change to higher-layer
protocols or applications.

Once the underlying physical ports are associated with an aggregator port, the
resulting aggregation will be represented as one LAG with the lag.0.x designation.
LACP determines which underlying physical ports are capable of aggregating, by
comparing aggregator keys.

The K, S and 7100 series are able to utilize three different spreading algorithms to
determine which physical port in a LAG port a packet will be transmitted out of:

DIP-SIP: Specifies that destination and source IP addresses will determine the
LACP physical outport. This is recommended for LAGs providing connectivity
anywhere in the network. It is not recommended to use this spreading algorithm if
traffic being transmitted over this LAG port is sourced from and destined to mostly
the same set of IP addresses. If this is the case, the distribution of the traffic across
the physical ports in the LAG will be uneven.

DMAC-SMAC: Specifies that destination and source MAC addresses will determine
the LACP physical outport. This is not recommended for LAGs providing
connectivity between two routers. This is because the DMAC-SMAC pairs will
mostly be identical in this scenario and distribution of the traffic across the physical
ports in the LAG will be uneven. This is recommended for LAGs providing
connectivity to LAN segments to which end systems are connected.

Round-Robin: Specifies that the round-robin algorithm will determine the LACP
physical outport. This distributes traffic in an even fashion across the physical ports
in the LAG. However, bidirectional communication will most likely be asymmetrical
across different physical

Flow regeneration determines how flows will behave when a new port joins a link
aggregation. When enabled, LACP will redistribute all existing flows over the LAG,
taking into account the new ports that joined the LAG. It will also attempt to load
balance existing flows to take advantage of the new port that has joined the LAG.
When flow regeneration is disabled and a new port joins the LAG, the distribution of
current flows remains unchanged and does not take advantage of the new port. All
new flows will take into account the new port on the LAG. Flow regeneration is
disabled by default.

This section reviews product-specific aggregation information, referencing
commands and menu screens. Not all aggregation commands and screens are
included. The lab activities associated with this module will allow you to investigate
the aggregation configuration displays and configuration options in more detail. The
information on this slide applies to all current EOS based switches.



Note: Enabling Link Aggregation on only one end of a link does not create a
broadcast storm for the VLANs configured on that port. The non-enabled switch will
use the Forwarding Database (FDB) to forward packets to its neighbor switch and
will not use any load sharing algorithm.

IPv4 Layer 3 header load balancing example:

• LAG contains 2 ports

• Requires 1 bit from the header information to select one of two ports

• 1 bit allows two values; Port 1 is 0 and port 2 is 1

Packet #1
IP Src address 10.0.0.1 (Bit 1 = 1) and Dst address 10.0.0.100 (Bit 1 = 0)
1 XOR 0 = 1 – Packet is sent down port 2

Packet #2
IP Src address 192.168.1.20 (Bit 1 = 0) and Dst address 207.23.1.4 (Bit 1 = 0)
0 XOR 0 = 0 – Packet is sent down port 1

Note: Even packet distribution depends on the mix of addresses
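The XOR selection above, and the uneven distribution that the DIP-SIP description earlier in this module warns about, as an added example that is not switch code. It is a simplified model: it uses only the low-order address bits, as the two packets above do, and it generalises the slide's 2-port case to any LAG whose size is a power of two; the flow lists are constructed.

```python
import ipaddress
from collections import Counter


def select_port(src_ip, dst_ip, n_ports):
    """Return the 1-based LAG member chosen by XORing low-order address bits.

    With n_ports == 2 this is the slide's rule: bit 1 of the source XOR
    bit 1 of the destination, where 0 selects port 1 and 1 selects port 2.
    """
    if n_ports < 1 or n_ports & (n_ports - 1):
        raise ValueError("model only covers LAG sizes that are a power of two")
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    return ((src ^ dst) & (n_ports - 1)) + 1


def distribution(flows, n_ports):
    """Count how many (src, dst) flows land on each LAG member port."""
    counts = Counter({port: 0 for port in range(1, n_ports + 1)})
    for src, dst in flows:
        counts[select_port(src, dst, n_ports)] += 1
    return dict(counts)


# The two packets from the slide.
PACKET_1 = ("10.0.0.1", "10.0.0.100")
PACKET_2 = ("192.168.1.20", "207.23.1.4")

# Constructed flow mixes toward one server.
# MIXED: hosts .1 to .8, so odd and even source addresses alternate.
MIXED = [(f"10.0.0.{host}", "10.0.0.100") for host in range(1, 9)]
# ALL_EVEN: every source has bit 1 = 0, as does the server.
ALL_EVEN = [(f"10.0.0.{host}", "10.0.0.100") for host in (2, 4, 6, 8)]

if __name__ == "__main__":
    print("packet 1 ->", select_port(*PACKET_1, 2))
    print("packet 2 ->", select_port(*PACKET_2, 2))
    print("mixed sources, 2 ports:", distribution(MIXED, 2))
    print("even-only sources, 2 ports:", distribution(ALL_EVEN, 2))
    print("mixed sources, 4 ports:", distribution(MIXED, 4))
    # XOR is commutative, so swapping source and destination selects the
    # same member index for the reverse direction of a flow.
    print("reverse of packet 1 ->", select_port(PACKET_1[1], PACKET_1[0], 2))
```

In the even-only mix every flow hashes to port 1 and the second member carries nothing, which is the case the slide's closing note describes.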

Note: The BD8K with original series modules and the Summit X450 forward these
packets down the LAG master port.

Note: The port based Link Aggregation algorithm is only supported on the BD10K,
BD12K and BD20K switches. The hashing algorithm can only be configured using
the configure sharing address-based custom command on the BD8K with xl series
modules and Summit X460, X480, and X650 switches.

LAG Port Considerations:

When physical ports form a LAG port, the physical port settings do not translate into
logical port settings for the LAG port. If a LAG is reduced to a single physical port, it
is possible that the single port will take on its physical operating characteristics (i.e.,
the physical port will operate outside of the LAG). Therefore, it is recommended that
the underlying physical ports that make up the LAG be configured identically to the
LAG for VLAN operation.

Note:
An already existing LAG configuration persists through a device or module reset. If
upon reset there is only a single port active for an already existing LAG, that single
port will move to the attached state regardless of the single port LAG setting.

Rules & Recommendations EOS Based Switches:

• Ports must be running full duplex to aggregate.
• A link aggregation cannot be split among systems on EOS based switches.
Logically, it is a single pipe and, as such, is treated as a single point-to-point
connection.
• All links in a LAG must operate at the same data rate.
• A given port will bind to, at most, a single aggregator at any time.



If you plan to connect to a device that does not support link aggregation but you
want to aggregate ports, that device must be configured to run in non-protocol
mode. The EOS based switch will need to be configured with a static LAG.

Static port assignment allows you to assign ports to a LAG when the partner device
does not support LACP, but does support another proprietary form of link
aggregation. To assign a static port, specify the LAG port ID, the admin key value
for this LAG, and the ports to be assigned. If you do not specify an admin key value,
a key will be assigned according to the specified aggregator. For example, a key of
4 would be assigned to lag.0.4.

Example:
enable sharing 13 grouping 13,15 algorithm address-based L3 lacp
show lacp lag 13
configure sharing 13 lacp activity-mode passive

Example:
enable sharing 13 grouping 13,15



At least two ports need to be assigned to a LAG port for a Link Aggregation Group
to form and attach to the specified LAG port. The same usage considerations for
dynamic LAGs previously discussed apply to statically created LAGs. In normal
usage and typical installations, there is no need to modify any of the default 802.3ad
parameters on any platforms.

The default values will result in the maximum number of aggregations possible. If
the switch is placed in a configuration with devices not running the protocol, no
dynamic link aggregations will be formed and the switch will function normally (that
is, will block redundant paths via Spanning Tree). Something to keep in mind is that
a Link Aggregation Group (LAG) may potentially cause periodic network instability if
the partner system participating in the LAG has its LACP Timeout parameter set to
short (encoded as a 1 in the LAC PDU). This parameter determines the time
interval between periodic LAC PDU transmissions.

A LAG will be maintained until all ports that comprise the group are disconnected.
Even if only one port is still active in a LAG group, configuration changes will still
need to be made to the virtual LAG port (not the physical port) to be effective. Some
proprietary implementations provide for a dedicated physical port within a link
aggregation for transmission of “special” frames (Bridge Protocol frames, multicast
frames, unknown frames etc.).

Note: In the above slide, ge.1.5-ge.1.6 and ge.1.11-ge.12 are shown in a Dormant
state when the show port status command is issued. This is an indication that they
are members of a LAG.



MLAG peer switches must be of the same platform family. The following MLAG
peers are allowed: BlackDiamond 8800 switches with BlackDiamond 8800 switches,
BlackDiamond X8 switches with BlackDiamond X8 switches, Summit switches with
Summit switches, and SummitStack with SummitStack.



Configuration Steps SummitX650-1:

Create the data VLAN and assign a VLAN ID

To create a LAG:
enable sharing <master_port> grouping <port list>

To verify Link Aggregation:
show sharing

Add the LAG to the VLAN:
configure vlan {vlan name} add ports {port-string} tag

Note: No MLAG configuration is required on the downstream switch.

Note: You must create a Layer 3 VLAN for control communication between MLAG
peers. You cannot enable IP forwarding on this VLAN. The ISC is exclusively used
for inter-MLAG peer control traffic and should not be provisioned to carry any user
data traffic. Customer data traffic, however, can traverse the ISC port using other
user VLANs.

Note: A LAG is also required for the ISC VLAN.

Note: Configuration steps taken on BD8K-1 Core Switch must be replicated on
BD8K-2 Core Switch!

Create the MLAG peer and associate the peer switch's IP address. Creating an
MLAG peer defines a peer name that can be associated with the
peer switch's IP address and other peer configuration properties. The peer is then
bound to each individual MLAG port group.

create mlag peer {peer name}
configure mlag peer {peer name} ipaddress {ip address}

Create the MLAG port groups. This creates an MLAG port group by specifying the
local switch's port, the MLAG peer switch, and an "mlag-id" which is used to
reference the corresponding port on the MLAG peer switch. The specified local
switch's port can be either a single port or a load share master port.

enable mlag port {lag id} peer {peer name} id {number}

Note: To unconfigure or remove an MLAG configuration, use the commands shown below:

unconfigure mlag peer <peer_name> ipaddress
delete mlag peer <peer_name>

To display information about an MLAG peer, including MLAG peer switch state,
MLAG group count, and health-check statistics:

show mlag peer {<peer_name>}

To display each MLAG group, including local port number, local port status, remote
MLAG port state, MLAG peer name, MLAG peer status, local port failure count,
remote MLAG port failure count, and MLAG peer failure count:

show mlag ports {<portlist>}



A Virtual Switch Bonded (VSB) Chassis consists of 2 like physical chassis joined
together to create a single logical chassis. The bonded chassis has a single IP
address; you manage it as a single object. VSB requires you to connect the two
S-Series chassis using one or more 10 GB ports. These ports are designated as
Bonding Ports on each chassis and create the virtual backplane that ties the two
physical chassis together.

Note: In the above diagram, Switch A views Chassis 1 and Chassis 2 as a single
device. When sending a frame from PC A to PC B, Switch A runs its spreading
algorithm (which is based on DIP-SIP), and chooses one of its available LAG ports
to the bonded S-Series. Switch A could send the frame to Chassis 1 or Chassis 2; in
this case, the spreading algorithm chooses a link connected to Chassis 1.

Chassis 1 receives the frame, consults its FDB for the particular VLAN, and
discovers that PC B is out the LAG attached to its Slots 1 and 5. Chassis 1
performs the LACP distribution algorithm, with one of two possible results. The
LACP distribution algorithm may result in sending the frame out Link 1 or Link 2 of
the LAG. If so, Chassis 1 simply forwards the frame out LAG 2 toward PC B.

However, the hash may result in sending the frame out Link 3 or Link 4 of the LAG, both of which are connected to Slot 5. If so, Chassis 1 performs the distribution algorithm once more to choose which of the Bonding links to use. It then forwards the frame across the virtual backplane formed by the Bonding Ports to Slot 5, where it forwards the frame out the appropriate LAG link toward PC B.

In a Bonded Chassis scenario where every edge switch or stack is running LACP to the Bonded Chassis with an equal number of physical ports connected to each chassis, one would expect that 50% of the traffic traversing the bonded chassis will traverse the bonding links by default. In systems where a server is asymmetrically configured, but the user traffic arrives on a LAG port, it is expected that traffic destined for the server would also travel over the bonding links 50% of the time.

This behavior could create the unsupportable situation where the VSB link would have to be as large as 50% of the total uplink bandwidth from your edge switches. To avoid this condition, Extreme has created a feature called “Local Preference”, discussed on the next slide.

The virtual chassis bonding feature uses bonding ports to connect two chassis. These ports participate in the LAG for the traffic leaving the VSB chassis. The LAG's default spreading algorithm does not take port location into account, so traffic may be evenly distributed over the bonding links and local uplink ports.

A feature has been created to manage this behavior. The feature allows the local chassis egress ports to be preferred over the bonding ports. The local LAG port preference can be set to one of four types: none (default), weak, strong, or all-local.

For example:

Usage: set lacp outportLocalPreference [none | weak | strong | all-local]

None       Do not prefer lag ports based on chassis
Weak       Use a weak preference towards ports on local chassis
Strong     Use a strong preference towards ports on local chassis
All-local  Force all packets to be hashed to local chassis ports, if available
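
As an added illustration (not part of the original guide), the Python sketch below models the none and all-local settings on a constructed four-link LAG and measures how many flows must cross the bonding links. The SHA-256 flow hash, the function names and the sample addresses are assumptions; weak and strong are not modelled because the guide does not define their weighting.

```python
import hashlib


def pick_egress(sip, dip, links, ingress_chassis, preference="none"):
    """Choose one LAG member for a flow; return (link_name, crosses_bond).

    links is a list of (name, chassis, is_up) tuples for the egress LAG.
    """
    if preference not in ("none", "all-local"):
        raise ValueError("only 'none' and 'all-local' are modelled here")
    up = [link for link in links if link[2]]
    if not up:
        raise RuntimeError("no operational LAG member")
    candidates = up
    if preference == "all-local":
        local = [link for link in up if link[1] == ingress_chassis]
        candidates = local or up  # "if available": otherwise use remote links
    # Stand-in hash over source/destination IP (assumption, not the switch's own)
    digest = hashlib.sha256(f"{sip}>{dip}".encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(candidates)
    name, chassis, _ = candidates[index]
    return name, chassis != ingress_chassis


def bond_share(flows, links, ingress_chassis, preference):
    """Fraction of flows that have to cross the VSB bonding links."""
    crossing = sum(pick_egress(s, d, links, ingress_chassis, preference)[1]
                   for s, d in flows)
    return crossing / len(flows)


# Constructed sample: four-link LAG, links 1-2 on chassis 1, links 3-4 on chassis 2
LAG = [("link1", 1, True), ("link2", 1, True),
       ("link3", 2, True), ("link4", 2, True)]
# The same LAG with both chassis 1 members down
LAG_LOCAL_DOWN = [("link1", 1, False), ("link2", 1, False),
                  ("link3", 2, True), ("link4", 2, True)]
# 4000 constructed flows from distinct sources to one server address
FLOWS = [(f"10.0.{i // 250}.{i % 250 + 1}", "10.9.0.20") for i in range(4000)]

if __name__ == "__main__":
    for pref in ("none", "all-local"):
        print(pref, round(bond_share(FLOWS, LAG, 1, pref), 3))
    print("all-local, local links down:",
          bond_share(FLOWS, LAG_LOCAL_DOWN, 1, "all-local"))
```

With all-local, the bonding links carry this LAG's traffic only when every local member is down, which is the case to size the VSB links for.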

The VSB link functions as an external backplane for the Bonded Chassis. Thus, you can expect traffic on the link to behave just as if it were crossing the internal backplane on either switch. However, the VSB link is Ethernet at Layer 2, so the frame behavior across the link combines the attributes of Ethernet and the backplane function. The sending switch generates a complete Ethernet frame for transmission over the VSB link, including the header with 802.1Q information (if that is appropriate for the frame being transmitted) and the Frame Check Sum. The sending switch also inserts a field in the Ethernet header containing VSB control/backplane control information specific to that frame, which allows the two physical switches to coordinate their across-the-backbone treatment of the frame.

Note: The VSB link also functions as the control link for the Bonded Chassis; all VSB control traffic passes over the VSB link.

The Link Failure Response (LFR) protocol provides for the configuration of one or more 1GbE monitor links. In the unlikely event that all 10GbE interconnect links should go down or otherwise fail, the LFR monitor link determines whether both chassis are still operational and places the chassis with the lowest LFR priority in a dormant state until at least one interconnect link is restored. LFR links do not carry user traffic. The sole purpose of an LFR link is to monitor the partner chassis' status. 10GbE VSB configured ports are always set as interconnect ports. 1GbE VSB configured ports are always set as LFR monitor ports.

The LFR protocol allows 1GbE ports to be designated as VSB monitor links that operate in a standby mode to the primary 10GbE VSB ports. The VSB monitor link provides dedicated redundant control plane connectivity and is used only as a backup communication path between two bonded chassis in the unlikely event that all of the primary VSB interconnect links fail or become unavailable.

Every S-Series switch ships with two MAC addresses: the MAC address it uses for all its communications on the network, and a reserved, unused MAC address that is one higher than the used MAC address. When you initiate Chassis Bonding, the process compares the Reserved MACs of both switches. It chooses the higher of those two Reserved MACs, and establishes that MAC as the MAC address of the Bonded Chassis. From that moment on, until you disable Chassis Bonding, both physical switches use the MAC address of the Bonded Chassis for all of their communications on the network.

You can pair any two S-Series switches as long as they have the same form factor. For example, you can bond two SSAs or two S3s into a VSB pair. Similarly, you can bond a non-PoE S4 with a PoE S4, since the chassis are the same form factor. However, you cannot mix form factors in a pair. For example, you cannot establish Chassis Bonding between an S4 and an S6, or between an SSA and an S3.

Note: In a multi-slot chassis you can spread the ends of the bonding link across the various slots in the chassis. Extreme recommends that you do so for resiliency.

Note: The VSB feature supports a combined total of 32 VSB interconnect and LFR 1GbE monitor links on a VSB system (32 VSB ports per chassis).

The bonded system features such as route capacities, MAC address tables and user capacities will remain the same as a single chassis. Mirroring capacities are reduced.

Note: A complete list of ‘Known Restrictions’ is available in the Release Notes.

A VSB license or feature entitlement to VSB functionality must be present in each of the physical chassis participating in the bond. You cannot enable the VSB feature until the license or entitlement is present in each chassis. Modular chassis consisting of S130, S140 and S150 class S-Series products require the S-EOS-VSB license. This license is available from Extreme. Modular chassis with S155/S180 I/O Fabrics can use the VSB feature without the need for additional licenses. SSA 130 or SSA150 chassis require the SSA-EOS-VSB license. This license is available from Extreme. SSA155 class products can use the VSB feature without the need for additional licenses.

The LFR protocol must be globally enabled on each VSB chassis in the VSB system for LFR monitoring to occur. Use the set bonding lfr enable command to globally enable LFR on each physical chassis. The LFR monitor port is configured using the set bonding port enable command, the same as a VSB interconnect port. What distinguishes the port types in a VSB context is the port speed. The VSB interconnect port must be a 10GbE port or greater, and the LFR monitor port must be a 1GbE port.

The physical chassis to be placed in dormant state is determined by the LFR priority. A chassis’ LFR priority defaults to 10 times the VSB chassis ID. For example, if the VSB chassis ID is 1, the LFR priority is 10. The LFR priority can be manually set using the set bonding chassis command lfr-priority parameter with a valid range of 1 - 255. Setting a duplicate LFR priority is not allowed.

Rolling Firmware updates will allow the system to update and reset one blade at a time. This feature will be available when the existing and upgrade images are compatible. In a properly designed network topology, with redundant paths (LAGs or ECMP), the VSB chassis will continue to forward traffic while the upgrade is in process. Singly attached edge devices will lose service while the blade they are attached to reboots. Rolling Firmware updates require the use of two fabrics (in fabric based chassis). When the images are not compatible (i.e. major feature upgrades), the image is propagated to each of the modules and the entire bonded chassis is rebooted.

Note: If the last bonding link fails, and you have not configured an LFR link, each physical chassis continues to operate independently using the same configuration and the same MAC address. This can cause enormous problems in the network. Extreme strongly encourages you to configure multiple links into the VSB Bond.
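
The sketch below is an added example, not Extreme's code: it ties together the bonded MAC selection, the speed-based port roles, the LFR priority rules and the note above, and reports what a bonded pair does when its interconnect links fail. The class and function names, the sample MACs, and reading "lowest LFR priority" as the numerically lowest value are assumptions.

```python
from dataclasses import dataclass


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def _mac_str(value):
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Chassis:
    chassis_id: int
    used_mac: str               # MAC the switch uses before bonding
    lfr_priority: int = None    # None: default of 10 x chassis ID

    def __post_init__(self):
        if self.lfr_priority is None:
            self.lfr_priority = 10 * self.chassis_id
        if not 1 <= self.lfr_priority <= 255:
            raise ValueError("LFR priority must be in the range 1-255")

    @property
    def reserved_mac(self):
        # The reserved MAC is one higher than the used MAC
        return _mac_str(_mac_int(self.used_mac) + 1)


def bonded_mac(a, b):
    """The bond adopts the higher of the two reserved MACs."""
    return max(a.reserved_mac, b.reserved_mac, key=_mac_int)


def port_role(speed_gbps):
    """A VSB port's role follows its speed."""
    if speed_gbps >= 10:
        return "interconnect"
    if speed_gbps == 1:
        return "lfr-monitor"
    raise ValueError("VSB ports are 1GbE (LFR) or 10GbE and above (interconnect)")


def bond_state(a, b, ports, lfr_enabled):
    """ports: list of (speed_gbps, link_up). Both chassis are assumed operational."""
    if a.lfr_priority == b.lfr_priority:
        raise ValueError("duplicate LFR priority is not allowed")
    up_roles = {port_role(speed) for speed, link_up in ports if link_up}
    if "interconnect" in up_roles:
        return {"state": "bonded", "active": [a.chassis_id, b.chassis_id]}
    if lfr_enabled and "lfr-monitor" in up_roles:
        # "lowest LFR priority" read as the numerically lowest value (assumption)
        dormant = min(a, b, key=lambda c: c.lfr_priority)
        active = b if dormant is a else a
        return {"state": "lfr-dormant", "active": [active.chassis_id],
                "dormant": dormant.chassis_id}
    # No interconnect and no working LFR path: both keep running with one MAC
    return {"state": "split", "active": [a.chassis_id, b.chassis_id],
            "duplicate_mac": bonded_mac(a, b)}


# Constructed sample pair (locally administered MACs, not real device addresses)
CHASSIS_1 = Chassis(1, "02:00:00:00:00:10")
CHASSIS_2 = Chassis(2, "02:00:00:00:00:20")
```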

High Availability Firmware Upgrade (HAU) is an Extreme S-Series feature that provides for a rolling firmware upgrade for maintenance releases that are HAU compatible with the current system firmware.

There are two methods for loading a system firmware image:

• Standard – The specified image is loaded after a system reset
• High Availability – Provides a rolling firmware upgrade

Using the standard upgrade method, the image is loaded automatically after the system has been reset. The standard method takes the system out of service for the duration of the firmware upgrade. Using the HAU method, all populated system slots are assigned to HAU groups. The firmware upgrade takes place one HAU group at a time with all modules belonging to HAU groups not currently being upgraded remaining operational. As each HAU group completes its upgrade, a mix of slots running the original firmware and slots running the upgraded firmware are simultaneously operating on the device.

To avoid potential feature conflicts between multiple firmware versions, the HAU firmware upgrade feature is limited to maintenance firmware upgrades and will not be available when upgrading to major feature releases.

Consider this example of a default HAU configuration. Chassis 1 is being firmware upgraded. In a default HAU configuration, each slot belongs to a separate HAU group:

Slot 1 – HAU group 1
Slot 2 – HAU group 2
Slot 3 – HAU group 3

We’ve configured a LAG between Switch 1 and each edge switch. Both LAGs are distributed between two Chassis 1 HAU groups. LAG 1 is configured on Slots 1 and 2. LAG 2 is configured on Slots 2 and 3. As each HAU group upgrades, packets for both LAGs continue to forward over connections to non-upgrading HAU groups.

HAU groups can be administratively configured for multiple slots. All slots belonging to the updating HAU group are upgraded simultaneously.

The HAU group feature determines which slot or slots will be simultaneously upgraded. All system slots within the same HAU group are simultaneously upgraded. Each system slot belongs to an HAU group. HAU occurs one HAU group at a time. By default, there is one slot per group. Therefore, the default HAU behavior is to upgrade each system slot one at a time.

Because HAU groups are upgraded sequentially, the total upgrade time increases with the number of HAU groups configured. In a large chassis it could take a significant amount of time to complete the upgrade and have all physical links back in operation. Upgrade time can be reduced by assigning multiple slots to the same HAU group. When planning system connections, the overall upgrade time will be reduced to the degree that multiple slots can be configured into a single group and still retain sufficient resources in non-upgrading HAU groups to assure system operation.

With this in mind, all essential system capabilities on the device should be configured across multiple groups. For example, all LAGs configured on the device should provide sufficient redundancy between HAU groups for packets to continue forwarding on the LAG using slots belonging to HAU groups that are not upgrading. Use the set boot high-availability group command in any command mode to configure an HAU group, specifying the group ID and the system slots that will be members of the HAU group. This command is an intelligent command: it checks for illogical groupings - fabrics, no I/Os, and all bond links.

When the firmware upgrade of an HAU group completes, depending upon the applications that are configured on the module, it is possible for the next HAU group to begin a firmware upgrade prior to protocols or applications on the just completed HAU module becoming fully operational. Under normal operation there is an approximately 5 second delay between the completion of one HAU group upgrade and the start of the next group upgrade. You can configure a delay of up to 600 seconds between the upgrade completion of one HAU group and the beginning of a high availability upgrade for the next HAU group.

Use the set boot high-availability delay command in any command mode to set a delay in seconds between the upgrade completion of any HAU group and the beginning of the next HAU group upgrade.

HAU default mode determines HAU behavior if a system boot mode is not set when configuring the system boot image. There are three HAU default modes:

• never – A standard (non-high availability) upgrade is always performed unless overridden by the system boot mode high-availability setting
• if-possible – A high availability upgrade is always performed unless:
    – Not all HAU preconditions are met, in which case a standard upgrade is performed
    – Overridden by the system boot mode standard or high-availability settings
• always – A high availability upgrade is always performed unless:
    – Not all HAU preconditions are met, in which case no upgrade occurs
    – Overridden by the system boot mode standard setting

Note: HAU default mode should always be set to never unless you intend to perform a high availability upgrade. An if-possible or always HAU default mode setting in conjunction with no system boot mode specified results in a high availability firmware upgrade each time you reboot your system, if all HAU preconditions are met. If you want an HAU default mode change to affect a firmware upgrade, the change must take place before configuring a pending upgrade. Changing the HAU default mode after setting the system boot configuration (using the set system boot command) has no effect on a pending firmware upgrade. Use the set boot high-availability default-mode command in any command mode to set the HAU default mode.

When a system is powered on or reset, the current system boot image is loaded onto all system modules. To perform a system upgrade, change the current system boot image to the upgrade image, also referred to as the target image. Image upgrade can occur immediately, the next time the system boots, or by issuing a reset command. When specifying the new target image, you can optionally specify the system boot mode parameter:

Standard – All system slots are simultaneously upgraded taking the system out of operation for the duration of the upgrade. This is a non-high availability upgrade.

High-availability – Providing all HAU preconditions are met, HAU groups are upgraded sequentially. If any HAU precondition is not met, an upgrade does not occur.

Note: If the system boot mode is not specified, the boot mode is determined by the HAU default mode configuration. By default, the HAU default mode executes a standard system upgrade.

The following preconditions must be met for a high availability upgrade to occur:

HAU Compatibility Key - The target image must have the same HAU Compatibility Key as the active image. To display the HAU key, use the dir command, specifying the image name. The HAU key field in the display specifies whether the image displayed is compatible with the current active image. If “HAU compatible” is appended to the key field, a high availability upgrade can be performed between the displayed image and the current active image.

Configuration restore-points - Configuration restore-points may be set, but must not be configured. A configured restore-point would cause upgraded slots to boot with different configuration data, and all slots must be running the same configuration data.

Upgrade Groups - At least two upgrade groups are required, and each group must contain at least one operational module at the start of a high availability upgrade.

Platform – S series S4, S6, and S8 platforms require the presence of at least 2 fabric modules in the system. VSB can create an exception to this rule; see the next slide.

Virtual Switch Bonding (VSB) – High availability upgrade is not allowed if the reset of any single upgrade group would break all VSB interconnect bond links. An exception to this rule:

High availability upgrade is allowed in a bonded system that would break either the two fabric module restriction or the all VSB interconnect links restrictions, if:

• A single HAU group is configured per chassis
• All chassis slots are members of that upgrade group. In this case, the upgrade is performed per physical chassis.
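
A pre-flight check for the rules on the HAU slides (LAG spread across HAU groups, preconditions, VSB exception, default mode and boot mode), written as an added Python example rather than anything shipped with the switch. The data model, function names and blocker strings are assumptions; the sample mirrors the three-slot, two-LAG example from the earlier slide.

```python
def lags_without_redundancy(slot_group, lags):
    """LAGs whose member slots all sit in one HAU group (they stop while it resets)."""
    return sorted(name for name, slots in lags.items()
                  if len({slot_group[s] for s in slots}) < 2)


def hau_blockers(slot_group, operational, key_compatible, restore_point_configured,
                 fabric_modules=None, vsb_links=()):
    """Return the unmet HAU preconditions; an empty list means HAU can run.

    slot_group maps (chassis, slot) -> HAU group id; operational is a set of slots;
    fabric_modules is None on platforms without the two-fabric rule;
    vsb_links is a list of ((chassis, slot), (chassis, slot)) interconnect links.
    """
    blockers = []
    if not key_compatible:
        blockers.append("target image is not HAU compatible with the active image")
    if restore_point_configured:
        blockers.append("a configuration restore-point is configured")
    groups, chassis_groups = {}, {}
    for slot, gid in slot_group.items():
        groups.setdefault(gid, set()).add(slot)
        chassis_groups.setdefault(slot[0], set()).add(gid)
    if len(groups) < 2:
        blockers.append("fewer than two upgrade groups")
    if any(not members & set(operational) for members in groups.values()):
        blockers.append("an upgrade group has no operational module")
    # VSB exception: one HAU group per chassis, holding every slot of that chassis
    per_chassis = bool(vsb_links) and all(len(g) == 1 for g in chassis_groups.values())
    if not per_chassis:
        if fabric_modules is not None and fabric_modules < 2:
            blockers.append("fewer than two fabric modules")
        if vsb_links and any(all(a in members or b in members for a, b in vsb_links)
                             for members in groups.values()):
            blockers.append("one group reset would break all VSB interconnect links")
    return blockers


def resolve_upgrade(default_mode, boot_mode, blockers):
    """Return 'high-availability', 'standard' or 'no-upgrade'."""
    if default_mode not in ("never", "if-possible", "always"):
        raise ValueError("unknown HAU default mode")
    if boot_mode not in (None, "standard", "high-availability"):
        raise ValueError("unknown system boot mode")
    if boot_mode == "standard":
        return "standard"
    if boot_mode == "high-availability":
        return "no-upgrade" if blockers else "high-availability"
    if default_mode == "never":          # boot mode not given: default mode decides
        return "standard"
    if not blockers:
        return "high-availability"
    return "standard" if default_mode == "if-possible" else "no-upgrade"


# Constructed sample from the slides: chassis 1, one slot per group, two LAGs
SLOT_GROUP = {(1, 1): 1, (1, 2): 2, (1, 3): 3}
LAGS = {"LAG 1": [(1, 1), (1, 2)], "LAG 2": [(1, 2), (1, 3)]}
```

Moving slots 1 and 2 into the same HAU group shortens the upgrade but makes `lags_without_redundancy` report LAG 1, which is the trade-off the HAU group slide describes.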

You cannot disable a high availability upgrade or revert an image back to the original system image on a high availability upgrade that is running. You can, however, accelerate the upgrade process by forcing the simultaneous upgrade of all remaining non-upgraded HAU groups. This should not be considered a normal HAU procedure. It should be assumed that forcing a simultaneous upgrade will degrade the operational capabilities of the system depending upon the system resources taken out of service.

Use the set boot high-availability force-complete command in any command mode to force the simultaneous upgrade of all non-upgraded HAU groups in the system.

You can disable a pending high availability upgrade by:

• Setting the boot image back to the active image using the set boot system active-image command
• Deleting the boot image using the delete target-image command
• Converting the pending high availability upgrade to a standard upgrade by re-issuing the boot command, specifying the target image and the standard system boot mode

Note: After performing one of the methods for disabling an HAU configuration, verify that the HAU status is disabled by using the show boot high-availability command.

Changes to system configuration cannot be performed while a high availability upgrade is in progress. While a high availability upgrade is running, all SNMP set operations will be rejected. A “noAccess” reason will be given for the rejection.

All CLI commands will be unavailable with the exception of:

– reset
– loop
– show
– exit
– dir
– history
– ping
– traceroute
– telnet
– ssh
– set boot high-availability force-complete
