Extreme Switching Student Guide V1.8 (Ebook)
Terms & Condition of Use:
Extreme Networks, Inc. reserves all rights to its materials and the content of the
materials. No material provided by Extreme Networks, Inc. to a Partner (or
Customer, etc.) may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording, or by any
information storage or retrieval system, or incorporated into any other published
work, except for internal use by the Partner and except as may be expressly
permitted in writing by Extreme Networks, Inc.
This document and the information contained herein are intended solely for
informational use. Extreme Networks, Inc. makes no representations or
warranties of any kind, whether expressed or implied, with respect to this
information and assumes no responsibility for its accuracy or completeness.
Extreme Networks, Inc. hereby disclaims all liability and warranty for any
information contained herein and all the material and information herein exists to
be used only on an "as is" basis. More specific information may be available on
request. By your review and/or use of the information contained herein, you
expressly release Extreme Networks from any and all liability related in any way
to this information. A copy of the text of this section is an uncontrolled copy,
and may lack important information or contain factual errors. All information
herein is Copyright ©Extreme Networks, Inc. All rights reserved. All information
http://www.extremenetworks.com/company/legal
All Extreme switch products may be managed via their console or COM port for out-
Local Management (LM). The network administrator must be “local” to the device in
order to manage it. A device IP address is not required to manage the device
through LM. The console port on a device may be either an RJ45 or a DB9
connector, which may be connected to a VT type terminal, a PC with a terminal
Extreme Networks recommends that Telnet is not used for CLI access. This is
because all communication between the client and switch is sent in clear text, and
any user who is capturing traffic, maliciously or not, will be able to view the switch
user name and password used for that session. SSH2 should be used at all times,
as all communication is encrypted and therefore user names and passwords are not
“exposed” to any user capturing traffic.
To enable/disable SSH:
enable ssh2
disable ssh2
Users with super-user access can create user accounts and passwords. Read-write
and read-only accounts can change their own account passwords. User accounts
are created, disabled, and enabled with the set system login command. Passwords
are created and changed with the set password command. User accounts are
Note: Switch login events will not be processed until the switch's Authentication
Service (AAA) has completed its startup process. This is indicated by the following
(pending-AAA) login:
Authentication Service (AAA) on the master node is now available for login
Password policies are disabled by default.
You are prompted for the failsafe account name, and prompted twice to specify the
password for the account. For example:
Note: Session timeouts. With idle-timeout enabled (a default setting) the Telnet and
console connection times out after twenty minutes of inactivity. This time-out value
can be changed from 1 to 240 minutes or disabled using the commands shown
changes that are different from the “Factory Default” configuration. Adding the
“detail” command argument will show all the current configuration including the
Rebooting the Switch: There are some processes, such as installing new software, that can
incorporate a reboot of the switch as one of the actions. You may, however, reboot the switch
through the user interface at any time by issuing the following command:
When the switch is new or the unconfigure switch all command has been used, you must connect to
the console to access the switch. You are prompted with an interactive script that specifically asks if
you want to disable telnet, disable SNMP, disable the unconfigured ports and configure the failsafe
account.
Note: Entering the unconfigure switch all command resets stacking support and stacking port
selection on the local node only and does not affect the rest of the stack nodes.
Note: For the K/S Series switches, the (set ip address 172.10.1.101 mask
The (set ip interface vlan.0.x default) command sets the default management IP
The (set host vlan x ) command assigns virtual host management port to a VLAN.
If no mask is supplied when configuring a VLAN with an IP address, the mask for
the “Class” of the address will be added by the switch. For example, configuring a
VLAN with the IP address 10.1.10.100 without the mask will result in the IP address
command with the correct mask. You can enter the mask in “bits” or as dotted
decimal notation as follows:
If you incorrectly configure the IP address or mask for a VLAN, then in order to
change the IP address you will firstly need to unconfigure the IP address and then
enter the correct IP address as follows:
physical switch to be split into multiple virtual routers and separates the traffic
forwarded by a virtual router from the traffic on a different virtual router. Each virtual
router maintains a separate logical forwarding table, which allows the virtual routers
Up to 63 user created VRs can be created on the following XOS based switches:
BD8K with 8900 xl-series MSMs, BDX8K, and Summit X460, X480, X650 switches.
For example, the following command will be issued through the VR-Mgmt VR and
To change this behavior, you have to explicitly add the target VR to the command as
follows:
This has the effect of issuing the command through the VR-Default VR and thus will
be forwarded through the VLAN matching the target IP address and mask.
Note: All UTP ports support the automatic detection of MDI/MDI-X connections. This
eliminates the need for crossover cables between switches. This feature is not
configurable.
In addition to fe, ge, tg, and fg, other port types include:
Note: All Unshielded Twisted Pair (UTP) ports support the automatic detection of
MDI/MDI-X connections. This eliminates the need for crossover cables between
Using the CLI qualifier no-refresh displays the port configuration for each port as a
list which is not updated in real-time. For example:
VLAN Membership
VLAN Protocols
EDP
ELSM
Ethernet OAM
Flooding
Jumbo Frames
Rate Limiting
QoS
Network Login
Port redundancy
WebView is enabled by default on all products and usually works only when it is run
with Super User/Admin rights to the managed device. Secure Socket Layer (SSL)
works by using a private key to encrypt data for the transmission of private
Console), files or remote syslog daemons. Care must be taken when updating the
As a useful troubleshooting and testing feature, log entries can be displayed in
real-time within a CLI session. This is achieved by using the following commands:
The security deficiency of both SNMPv1 and SNMPv2 was finally fixed with the
release of the SNMPv3 standard. Designed to enable better support of the complex
An SNMP security model is an authentication strategy that is set up for a user and
the group in which the user resides. A security level is the permitted level of security
within a security model. The three levels of SNMP security are: No authentication
SNMPv3 support is enabled by default and is configured with the following access
parameters:
To use one of the existing accounts, you must first configure the authentication and privacy
password keys.
provides a collection of clients that let you monitor device status, define network
specific network management tasks while sharing data and providing common
synchronizing multiple user accounts across a network with many switches can
become time consuming. Ultimately, network support staff typically use the “admin”
account for switch administration and configuration via the CLI. Not only is this a
potential security issue, but there is potentially no configuration audit trail identifying
who configured what on the switch.
Note: On XOS based switches a configuration audit trail can be enabled on a switch
by entering the enable cli-config-logging command. Configuration changes made to
the switch are logged to a Syslog server if Syslog has been configured.
The lowest index value associated with the server determines the primary server. If
the primary server is down, the operational server with the next lowest index value
is used. If the switch fails to establish contact with the authentication server before a
Server identification provides for the configuration of the server IP address and
index value. The index determines the order in which the switch will attempt to
establish a session with an authentication server. After setting the index and IP
address you are prompted to enter a secret value for this authentication server. Any
authentication requests to this authentication server must present the correct secret
value to gain authentication.
The realm provides for configuration scope for this server: management access,
network access, or both.
Establishment values configure a timer setting the length of time before retries, as
well as the number of retries, before the switch determines the authentication server
is down and attempts to establish with the next server in its list.
There are two types of RADIUS clients supported in ExtremeXOS, with each client
operating independently:
Each RADIUS client supports the configuration of a primary and secondary RADIUS
server for redundancy. If the primary server becomes unavailable for some reason,
then the switch will try to authenticate a user to the secondary server if configured. If
both primary and secondary servers are unavailable, the switch will authenticate the
user to the switch’s local user database.
The “client-ip” argument specifies the IP address to be used for sending RADIUS
messages to the RADIUS server. This address should match the IP address of the
authenticating client configured on the server.
The firmware image is the operating system for an Extreme switch. The firmware
NVRAM (Non-Volatile Random Access Memory): RAM that retains its contents (for
LRAM (Local RAM): Memory area used by the central processor for operational
tables and current processes (for example, VLAN tables).
Following are the steps in the normal boot-up process for Extreme switching
products:
The Boot PROM comes online first and runs diagnostics on all memory areas and
The Boot PROM then checks the NVRAM settings. These settings tell the Boot
PROM where to find the firmware image to load. During a normal boot-up, the
firmware image will be loaded from flash memory.
The Boot PROM will start the Flash Memory Manager to un-compress the firmware
image in flash memory, and to copy the uncompressed firmware image into LRAM.
Once the uncompressed firmware image is in LRAM, the main processor will begin
normal operations. SNMP is now available.
Most devices will take from 30 seconds to a minute to boot up. If the power-up
sequence is interrupted or if optional hardware has been installed or removed, a
device may run an extended diagnostics sequence that may take up to two or more
minutes to complete.
Primary
Secondary
At boot time, the selected image is uncompressed and loaded:
Uncompress selected image
Load uncompressed image into RAM and start running
Note: When reporting a faulty switch to Extreme Networks it is mandatory that you
identify the serial number and software version among other things. The show
version command is useful as the serial number may not be recorded or even be
accessible.
In order to check the installed images and modules, issue the following command:
Note: The active image location can be verified with the show switch command.
The image is upgraded by using a download procedure from either a TFTP server
on the network or a PC connected to the serial port using the ZMODEM protocol.
The serial download is very slow and can only be done from the BootROM menu.
The BootROM is discussed later in this chapter.
Note: If no parameters are specified for the location, the image is saved to the
non-active location. The non-active location will be automatically selected to use at next
boot. The use image command is therefore not required when upgrading the switch
software but is included here for completeness and compatibility for earlier versions
of ExtremeXOS and ExtremeWare.
The BootROM of the switch initializes certain important switch variables during the
boot process. For disaster recovery purposes (i.e. in the event the switch does not
boot properly), you can download a rescue image from a TFTP server by entering
During a software upgrade the system BootROM checks the software for a unique
Interaction with the BootROM menu is only required under special circumstances
and should be done only under the direction of Extreme Networks Customer
Support. The necessity of using these functions implies a non-standard problem,
which requires the assistance of Extreme Networks Technical Support.
Note: For switches that support a one-stage bootloader, such as chassis based
switches and ExtremeWare based summits, the spacebar must be pressed
immediately after the switch is rebooted or power cycled.
Note: The image or a configuration selected within the BootROM does not change
Note: The switch may not boot if the BootROM is corrupted, due to interrupting the
For BD8K series switches, the BootROM is contained in the ExtremeXOS software
image and by default is upgraded manually by entering the install firmware
Use the show version command to display the switch BootROM version.
Note: When upgrading the BootROM separately, upgrade the BootROM and reboot
the switch before upgrading a software image.
Once you have configured a device, you can save that configuration to a file as
and for troubleshooting purposes. This section of the module describes how each
use Inventory Manager’s Archive utility. Note that each switch has a limited amount
Append means to add on at the end; when this option is used the switch is not
required to reboot.
Note: Configuration information stored within the file is XML based, and therefore
To select a configuration to use at the switch’s next reboot, you run the use
Note: When entering the show switch command, up to four configuration related pieces of
1. The booted configuration file. i.e. the configuration file which was loaded into
RAM at boot time.
2. The selected configuration file. This is the configured configuration file which will
be loaded into RAM at next boot.
Although the XML format of the configuration file is useful for XOS software
programmers, it is of limited use for support and operational staff. Text based
Using “cut & paste” techniques to provision other switches in a standard way
thus avoiding errors.
Note: You cannot rename an active configuration file (the configuration currently
15 port mirrors
15 VLAN mirrors
Example:
WARNING: This command will remove VLAN membership from the monitor port.
show lldp port <port> neighbors detailed command shows information about a remote device and
Chassis
MAC address
Port
Remote system name
Capabilities
Mgmt Address
VLANs
Auto negotiation
Flow control
Speed & duplex
etc.
Note: The advantage of the closed loop stacking is redundancy; this configuration
Note: You cannot stack different series (A, B, & C) switches together. A4-Series
switches are stacked only with A4-Series switches; they CANNOT be
mixed with B or C-Series switches.
Note: You can stack an A4H model switch only with other A4H model
switches. You cannot stack an A4H model switch with switches that are not
A4H model switches. That is, A4 switches DO NOT stack with A2 switches.
The slide above shows an example of a four-high stack connected in a closed loop
configuration. All STACK DOWN and STACK UP connectors are used in the
installation. The stacking cable connections are from the STACK DOWN connector
of one switch to the STACK UP connector of the next switch up in the stack. A
stacking cable connection from the STACK DOWN connector of the switch at the
top of the stack to the STACK UP connector at the bottom of the stack closes the
loop.
Plug-and-Play Stacking: Connect all stacking cables and then power on the stack;
the unit IDs are assigned at random and not based on physical position in the stack.
The switch assigned unit ID 1 becomes the stack manager.
Note: The high-speed stacking cables are optional items that you must order
STK-CAB-LONG, a 1m cable
STK-CAB-2M, a 2m cable
STK-CAB-5M, a 5m cable
topology. All STACK DOWN and STACK UP connectors are used in the installation.
The high-speed stacking cable connections are from the STACK DOWN connector
of one switch to the STACK UP connector of the next switch up in the stack. A
high-speed stacking cable connection from the STACK DOWN connector of the switch at
the top of the stack to the STACK UP connector at the bottom of the stack
configuration:
Plug-and-Play Stacking: Connect all stacking cables and then power on the stack;
the unit IDs are assigned at random and not based on physical position in the stack.
Pre-Configuration Stacking: This is possible using the set switch member unit
switch-id command. Unit IDs can be assigned to switches prior to stacking, via this
command.
Note: After the stack has been configured, you can use the show switch unit
command to physically identify each unit. When you enter the command with a unit
number, the MGR LED of the specified switch will blink for 10 seconds. The normal
state of this LED is off for member units and steady green for the manager unit.
Once a stack is created (more than one switch is interconnected), the following
procedure occurs:
Unit IDs are saved against each module. Then, every time a board is power-cycled,
it will initialize with the same unit ID. This is important for port-specific information
(for example: ge.4.12 is the 12th Gigabit Ethernet port on Unit # 4). We want to
ensure ge.4.12 is always located in the same stack location.
Note: Once the management designation is written to the manager unit, every time
the manager is power-cycled, it will initialize with that role.
Configuration Management:
When A, B, & C-Series switches are stacked, the only file structure and
which pushes its configuration to the member units every 5 minutes if there has
been a change. To avoid possible configuration loss in the event of manager unit
failure after a configuration change, execute the save config command and wait for
the system prompt to return. After the prompt returns, the configuration will be
persistent.
Upon manager unit failure, removal, or reassignment with the set switch
link state of all ports, will be interrupted for about 30 to 40 seconds. Upon member
unit failure or removal, the operation of the stack will be interrupted for about 2 to 3
seconds.
Note: When using the clear config command to clear configuration parameters in a
Use clear config to clear configuration parameters without clearing stack unit IDs.
This command WILL NOT clear stack parameters or the IP address and avoids the
process of renumbering the stack.
Use clear config all when it is necessary to clear all configuration parameters,
including stack unit IDs and switch priority values. This command will not clear the
IP address nor will it remove an applied advanced feature license.
Note: The master switch stores any configuration information for the stack in its
primary and secondary flash memory. Since the master switch has the knowledge
of the state and the configuration of all the other switches in the stack, it can
respond to all external requests for those switches. For example, the master switch
can respond to a request for SNMP information from all ports within the stack.
The SummitStack-V feature allows you to use Ethernet ports that run at least 10
Gbps as stacking ports. This feature allows you to overcome the length limit on the
custom stacking cables used with dedicated or native stack ports. For example,
campus can be connected to form a stack using standard Ethernet cables. The
SummitStack-V feature also allows you to stack switches that have no native
stacking ports but do have at least two Ethernet ports, which can be configured to
support either data communications or the stacking protocol. When these dual-
purpose ports are configured to support stacking, they are called alternate stack
ports to distinguish them from the native stack ports that use custom cables.
Node Role: A node in the active topology plays a role in the stack. There are three
Master Node Role: A node that is elected as the master (or primary) runs all of the
configured control protocols such as OSPF, RIP, Spanning Tree, and EAPS. The master
node controls all data ports on itself, the backup node, and all standby nodes. The
master node issues specific programming commands over the control path to the
backup or standby nodes to accomplish this purpose.
Backup Node Role: The node that is operating in the backup node role takes over
the master node role if the master node fails. The master node keeps the backup
node databases in synchronization with its own database in preparation for this
event. Upon transfer of role, the backup node becomes the master node and begins
operating with the databases it has previously received. This allows all other nodes
in the stack to continue operating even after the master node fails.
Standby Node Role: A node that is executing the standby node role is prepared to
become a backup node in the event that the backup node becomes the master
node. When becoming a backup node, the new master node synchronizes all of its
databases to the new backup node. As a standby node, most databases are not
synchronized, except for those few that directly relate to hardware programming.
Shortest Path Forwarding: Packets are sent via the shortest path. A packet from unit
4 to unit 3 travels 1 hop. If the stack encounters a single link failure, the shortest
Example: If the path between unit 4 and unit 1 fails, unit 4 would know that an
available path to unit 1 existed through units 3 and 2.
Note: When stacking cables are connected, the stacked units exchange information
until they determine the stack topology; this occurs whether or not stacking is enabled.
The units then broadcast a discovery packet; the CPU on each unit processes the
packet, then each unit increments the hop count and forwards the packet. The units
determine a ring topology when a packet with their own MAC address is received.
Some switch models have more memory and support additional features. If the
stack configuration includes switches that are more capable than others, the stack
will try to select the most-capable backup node.
Master capable
Stacking state
Stack MAC
License level restrictions
unconfigure stacking
reboot stack-topology
Note: If switches have different license levels, the stack won’t form.
Upgrade license
The total number of active VLANs supported on Extreme EOS based stackable (A,
B, & C-Series) and standalone (D & G-Series) fixed switches is up to 1024. The total
number of active VLANs supported on Extreme EOS Chassis based switches (K &
S-Series) is up to 4094.
The internal VLAN ID is not significant outside of the switch. The value used for the
internal VLAN ID starts at 4094 and decrements for each VLAN added. If a VLAN ID
is used to configure an 802.1Q tagged VLAN that has already been assigned to an
untagged VLAN, the switch automatically assigns another internal VLAN ID to the
untagged VLAN.
Frames arriving on an ingress port are forwarded based on 802.1Q tag present
802.1p CoS is examined, and the frame is placed into the appropriate queue
Values 0-6 are mapped by default to the low priority queue, QoS Profile QP1
Value 7 is mapped by default to the high priority queue, QoS Profile QP8
There are a number of pre-configured protocol filters that can be applied to any
VLAN.
IP
IPX
IPv6
NetBIOS
DECNet
IPX_8022
IPX_SNAP
AppleTalk
MPLS
ANY
You can create a custom protocol filter by using the create protocol command. You
then add the relevant filter entries by entering the configure protocol command.
Existing protocol filters can also be edited using this command.
the traffic being classified is or is not in the VLAN’s forwarding database as follows:
Unlearned traffic: When a frame’s destination MAC address is not in the VLAN’s
forwarding database (FDB), it will be forwarded out of every port on the VLAN’s
egress list with the frame format that is specified.
On all EOS based platforms, the show vlan command displays the device’s VLANs
and only ports on the VLAN’s egress list that are in a forwarding state. If a port
possesses one or more of the following characteristics, the port is not displayed with
the show vlan command regardless of the administrative configuration of the device:
No link
Note: Regarding the above output, a port that is displayed as an Egress Port and
Untagged Port for a VLAN is on this VLAN’s egress list as untagged. A port that is
displayed as only an Egress Port for a VLAN is on this VLAN’s egress list as tagged.
Note: Other useful show commands for displaying the VLAN configuration/operation
VLAN’s basic configuration and which protocols, if any, have been enabled (OSPF,
Spanning Tree, or EAPS, for example). To display detailed information for all
VLANs, enter the show vlan detail command. To display detailed information for a
specific VLAN, enter the show vlan command with the VLAN name as the command
qualifier. For example show vlan blue.
The show vlan command has a number of command qualifiers that allow you to
show vlan ?
detail detailed
dynamic-vlan show configuration related to dynamically created VLANs
ports Show only VLANs associated with the specified ports
statistics VLAN statistics
tag IEEE 802.1Q or 802.1ad tag
| Filter the output of the command
<vlan_name> Name of the VLAN
<vr-name> Virtual router name
"VR-Default" "VR-Mgmt"
The FDB in large networks may have many entries and so it may be difficult to find
a specific MAC address in such a large table. The show fdb command has a
number of command qualifiers that allow you to examine specific FDB entries as
follows:
The clear fdb command also has a number of command qualifiers that allow you to
clear specific FDB entries as follows:
Note: All EOS based switches support VIDs from 1 to 4094. A, B, C, D, and G-
When creating VLANs, first assign a VLAN ID within the supported range of the
device. This is a numeric ID. You may also assign a VLAN name to each VLAN.
This name is for the administrator’s use. The name of the VLAN has no effect on
Before enabling VLANs for the switch, you must first assign each port to the VLAN
group or groups in which it will participate. Port VLAN IDs (PVIDs) determine the
VLAN to which all untagged frames received on one or more ports will be classified.
This is a classification mechanism that associates a port with a specific VLAN and is
used to make forwarding decisions for untagged packets received by the port.
For example, if port 2 is assigned a PVID of 3, then all untagged packets received
on port 2 will be assigned to VLAN 3. If no VLANs are defined on the switch, all
ports are assigned to the default VLAN with a PVID equal to 1.
You should add a port as a tagged port (that is, a port attached to a VLAN-aware
device) if you want it to carry traffic for one or more VLANs, and the device at the
other end of the link also supports VLANs. On Extreme switches, ports can be
assigned to multiple tagged or untagged VLANs. Each port on the switch is
therefore capable of passing tagged or untagged frames.
PVIDs are configured in the same way on all EOS based switches. The PVID is
used to classify untagged frames as they ingress into a given port. When setting a
PVID with the set port vlan command, you can also add the port to the VLAN’s
Example: If you assign ports 1, 5, 8, and 9 to VLAN 44, untagged frames received
on those ports will be assigned to VLAN 44. If the specified VLAN (VLAN 44 in this
example) has not already been created, this command (set port vlan) will create it
and add the ports to the VLAN’s egress list as untagged.
Note: If the frame format is not specified in the set vlan egress command, the port is
VLAN and ensures that any dynamic requests, either through GVRP or Dynamic
Egress, for the port to join the VLAN, will be ignored. (Dynamic Egress is discussed
Note: Setting a port to untagged allows it to transmit frames without a tag header.
This setting is usually used to configure a port connected to an end user or other
VLAN-unaware device.
For EOS based devices, the egress process dictates where the packet is allowed to
go within the VLAN. The ingress process classifies received frames as belonging to
one and only one VLAN. The forwarding process looks up learned information in the
determines which ports will be eligible to transmit frames for a particular VLAN, or it
may be used to prevent one or more ports from participating in a VLAN. In general,
VLANs have no egress (except VLAN ID 1), until they are configured by static
administration or through dynamic mechanisms (GVRP, policy classification, or
Extreme Dynamic Egress).
network managers will want to place Voice Over IP (VOIP) traffic into a separate
VLAN from that for end user PCs. The reason for this is that they will want to treat
the VOIP traffic differently in times of congestion and also to reduce the broadcast
traffic; that is why the two types of traffic are placed in different VLANs.
The way this is achieved is that the PCs send untagged packets and the phones
send tagged packets. By doing this, the Port VLAN Identifier (PVID) configured on
the port of the switch will place the PC’s packets into that VLAN, while the phone
sends tagged packets to the switch and the switch keeps the packets in that VLAN.
For this to work, though, the switches still have to have all the VLANs configured on
them.
VLAN used for management purposes only. Devices in other VLANs will not have
When a VLAN has egress, the information is transmitted out ports on the device in a
GVRP formatted frame, using the GVRP multicast MAC address. A switch that
receives this frame examines the frame and extracts the VLAN IDs. The dynamic
VLAN protocol then dynamically registers (creates) the VLANs and adds the
receiving port to its tagged member list for the extracted VLAN IDs. The information
is then transmitted out the other GVRP configured ports of the device.
boundaries may result. Disabling GVRP globally on switches will correct this
problem.
The set vlan egress {vlan-list} {port-string} forbidden command ensures that any requests for
the port to dynamically join the VLAN will be ignored. This applies to both GVRP and
Dynamic Egress.
disabled on all VLANs. If dynamic egress is enabled for a VLAN, the device will add
the port receiving a frame to the VLAN’s egress list according to the VLAN ID of the
received frame.
Note: to remove ports from a VLAN use the configure vlan {vlan_name} delete ports
Note: Once a VLAN has been configured with an 802.1Q tag ID, the VLAN is
those incoming frames that do not have a VLAN ID that matches a VLAN ID on the
port’s egress list. If ingress filtering is disabled and a port receives frames tagged
or untagged for VLANs for which it is not a member, these frames will be flooded.
In this figure, Workstation A's packet has a VLAN ID tag of 7. It is received on port 1 of a switch and it is a broadcast packet. The switch logic will check to see if port 1 is on the egress list of VLAN 7. If port 1 is on VLAN 7's egress list, the packet from
filtering database and egress list, and transmitted out the appropriate port. If port 1 is not on the egress list of VLAN 7 (as in this figure), the packet will not be
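The classification and ingress-filtering logic described in the passages above (PVID for untagged frames, the tag for tagged frames, and the egress-list check on a received frame), as an added example that is not part of the student guide or of Extreme's code. The switch, ports and frames are a constructed model; the port names and every VLAN number other than the figure's VLAN 7 are assumptions.

```python
"""Added model of 802.1Q ingress classification and ingress filtering.

Constructed example, not Extreme code: untagged frames are classified by the
port's PVID, tagged frames by their tag; with ingress filtering enabled a frame
is dropped unless the receiving port is on the egress list of that VLAN.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan_tag: int | None = None  # None means the frame arrived untagged


@dataclass
class Port:
    name: str
    pvid: int                    # VLAN assigned to untagged frames on this port
    ingress_filtering: bool = True


class Switch:
    def __init__(self) -> None:
        self.ports: dict[str, Port] = {}
        # VLAN ID -> set of port names on that VLAN's egress list
        self.egress: dict[int, set[str]] = {}

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def add_egress(self, vlan: int, *port_names: str) -> None:
        self.egress.setdefault(vlan, set()).update(port_names)

    def classify(self, port_name: str, frame: Frame) -> int:
        """VLAN the frame belongs to: the tag if present, otherwise the port PVID."""
        if frame.vlan_tag is not None:
            return frame.vlan_tag
        return self.ports[port_name].pvid

    def receive(self, port_name: str, frame: Frame) -> tuple[str, int, list[str]]:
        """Return (decision, vlan, output ports) for a broadcast/unknown-unicast frame."""
        port = self.ports[port_name]
        vlan = self.classify(port_name, frame)
        members = self.egress.get(vlan, set())
        if port.ingress_filtering and port_name not in members:
            # Receiving port is not on the VLAN's egress list: drop at ingress.
            return ("dropped", vlan, [])
        # Flood out every other port on the VLAN's egress list.
        out = sorted(p for p in members if p != port_name)
        return ("flooded", vlan, out)


def build_demo_switch() -> Switch:
    """Constructed topology: port1 (PC, PVID 10), port2 (phone, tagged 7), port3/port4."""
    sw = Switch()
    for name, pvid in (("port1", 10), ("port2", 10), ("port3", 10), ("port4", 10)):
        sw.add_port(Port(name, pvid))
    sw.add_egress(10, "port1", "port2", "port3", "port4")  # data VLAN, all ports
    sw.add_egress(7, "port2", "port3")                     # voice VLAN, phone ports only
    return sw


BROADCAST = "ff:ff:ff:ff:ff:ff"


def demo() -> dict:
    sw = build_demo_switch()
    results = {
        # Workstation A on port1 sends a tagged VLAN 7 broadcast; port1 is not on
        # VLAN 7's egress list, so ingress filtering drops it (the figure's case).
        "tagged_7_on_port1": sw.receive("port1", Frame("00:00:00:00:00:0a", BROADCAST, 7)),
        # Untagged PC traffic on port1 is classified by the PVID (VLAN 10).
        "untagged_on_port1": sw.receive("port1", Frame("00:00:00:00:00:0a", BROADCAST)),
        # A phone on port2 sending tagged VLAN 7 traffic is kept in VLAN 7.
        "tagged_7_on_port2": sw.receive("port2", Frame("00:00:00:00:00:0b", BROADCAST, 7)),
    }
    # With ingress filtering disabled, the same VLAN 7 frame on port1 is flooded.
    sw.ports["port1"].ingress_filtering = False
    results["tagged_7_on_port1_no_filter"] = sw.receive(
        "port1", Frame("00:00:00:00:00:0a", BROADCAST, 7))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case is the one the text warns about: with ingress filtering off, a tagged frame for a VLAN the port is not a member of is still flooded to that VLAN's members, so a host on an untagged port can inject traffic into a VLAN it was never assigned to.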
The Protected Port feature is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports may be designated as either
Egress flood control alters the standard forwarding behavior of a switch and should be used with care. However, it can effectively improve network performance and
Note: For BD10K and BD12K switches you cannot selectively disable flooding on specific ports. Additionally, the command disables flooding of unicast, broadcast and multicast packets.
Disabling multicast egress flooding does not affect clients subscribed to an IGMP group. Packets are still forwarded. If IGMP snooping is disabled, multicast packets
Example:
disable flooding unicast ports 24
Packets destined for permanent MAC addresses and other MAC addresses that are
Broadcast traffic from MAC addresses that are not black hole entries.
Example:
show fdb
Note: In large networks, the application of limit learning using blackhole entries can quickly use up FDB entries. A full FDB can have an impact on switch performance.
The "limit" for a specific virtual port (port/VLAN combination) can be removed by entering the configure port command, specifying the port, VLAN and the keyword unlimited-learning, as shown in the example below:
Example:
Note: When you unconfigure the lock learning feature on a virtual port, and if the configuration was previously saved with the lock learning feature enabled, the "locked" entries will need to be removed from the running configuration.
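The limit-learning behaviour described above, as an added model that is not part of the student guide or of ExtremeXOS: a small forwarding database with a per-virtual-port learning limit, blackhole entries for source MACs beyond that limit, the unlimited-learning case, and the note's point that blackhole entries still consume FDB capacity. The FDB size, port names and MAC addresses are constructed values.

```python
"""Added model of per-virtual-port MAC learning limits with blackhole entries.

Constructed example, not ExtremeXOS code. A virtual port is a (port, VLAN)
pair; once it has learned its configured number of MACs, further source MACs
are installed as blackhole entries so traffic to or from them is discarded.
Blackhole entries still occupy FDB capacity, which is what the note warns about.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FdbEntry:
    mac: str
    port: str
    vlan: int
    blackhole: bool = False


class Fdb:
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: dict[tuple[str, int], FdbEntry] = {}   # (mac, vlan) -> entry
        self.limits: dict[tuple[str, int], int | None] = {}  # (port, vlan) -> limit

    def configure_limit(self, port: str, vlan: int, limit: int | None) -> None:
        """limit=None models the unlimited-learning keyword (limit removed)."""
        self.limits[(port, vlan)] = limit

    def learned_on(self, port: str, vlan: int) -> int:
        """Number of real (non-blackhole) entries learned on a virtual port."""
        return sum(1 for e in self.entries.values()
                   if e.port == port and e.vlan == vlan and not e.blackhole)

    def learn(self, mac: str, port: str, vlan: int) -> str:
        """Learn a source MAC; returns learned, known, blackholed or fdb-full."""
        key = (mac, vlan)
        if key in self.entries:
            return "blackholed" if self.entries[key].blackhole else "known"
        if len(self.entries) >= self.capacity:
            return "fdb-full"                      # table exhausted, nothing installed
        limit = self.limits.get((port, vlan))
        if limit is not None and self.learned_on(port, vlan) >= limit:
            # Over the limit: install a blackhole entry (it still takes an FDB slot).
            self.entries[key] = FdbEntry(mac, port, vlan, blackhole=True)
            return "blackholed"
        self.entries[key] = FdbEntry(mac, port, vlan)
        return "learned"

    def lookup(self, dst_mac: str, vlan: int) -> str:
        """Forwarding decision for a destination MAC: port name, flood or discard."""
        entry = self.entries.get((dst_mac, vlan))
        if entry is None:
            return "flood"
        return "discard" if entry.blackhole else entry.port


def demo() -> dict:
    """Constructed scenario: a 6-entry FDB with a 2-MAC limit on port1/VLAN 10."""
    fdb = Fdb(capacity=6)
    fdb.configure_limit("port1", 10, limit=2)
    port1 = [fdb.learn(f"00:00:00:00:00:0{i}", "port1", 10) for i in range(1, 5)]
    # port1 -> learned, learned, blackholed, blackholed
    fdb.configure_limit("port2", 10, limit=None)   # unlimited-learning on port2
    port2 = [fdb.learn(f"00:00:00:00:00:1{i}", "port2", 10) for i in range(1, 4)]
    # port2 -> learned, learned, fdb-full: the two blackhole entries used up slots
    return {
        "port1": port1,
        "port2": port2,
        "lookup_learned": fdb.lookup("00:00:00:00:00:01", 10),
        "lookup_blackholed": fdb.lookup("00:00:00:00:00:03", 10),
        "real_on_port1": fdb.learned_on("port1", 10),
        "entries_used": len(fdb.entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third learn on port2 fails with fdb-full even though only four stations were legitimately learned: the two blackhole entries created by the limit on port1 count against the table, which is the sizing concern the note raises for large networks.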
Port Forwarding:
MSTP and RSTP use rapid forwarding mechanisms to get ports to the forwarding
using the set spantree adminedge command, it will forward as soon as the port becomes operational. An ISL will forward based on an exchange of BPDUs. By
Blocking: Actively preventing traffic from using this path. Still receiving BPDUs, so
determine whether to go back to the blocking state or continue to the learning state. Listens to BPDUs to ensure no loops occur on the network.
IEEE 802.1w, Rapid Reconfiguration Spanning Tree (RSTP), is built upon the original IEEE 802.1D Spanning Tree Protocol parameters. When a network fails in a traditional spanning tree topology, two-way communication may not recover for up
The original 802.1D standard treats the overall topology as a single network, while
configuring multiple VLANs are sacrificed with this compromise. IEEE 802.1s is a supplement to IEEE 802.1Q that adds the facility for VLAN switches to use multiple instances of spanning trees, allowing traffic belonging to different VLANs to flow over potentially different paths within the LAN.
802.1s allows network administrators to assign VLAN traffic to unique paths. Some or all of the switches in a LAN participate in two or more spanning trees, with each VLAN belonging to one of the spanning tree instances. An advantage of MST is that MST is built on top of 802.1w Rapid Reconfiguration with its decreased time for re-
spans within the network.
Note: MSTP port roles are the same as with 802.1w, with one addition, the Master Port.
Root Port: The one port that a bridge uses to connect to the Root Bridge. This port is elected as the Root Port due to its least "path cost" to the Root.
Alternate Port: Any redundant upstream port that provides an alternate path to the
Designated Port: Any downstream port that provides a path to the Root Bridge.
Edge Port: A port that has no other bridges connected to it (i.e. a user port). This is automatically configured by the Bridge Detection State Machine (802.1t Clause 18).
Backup Port: A port that acts as a redundant Designated Port for a LAN segment.
Master Port: The bridge port that is the CIST Root Port for the CIST Regional Root. It provides connectivity from the Region to the CIST Root that lies outside the Region; this port role only exists within the context of the MSTIs.
utilization between switches 2 and 3. With 802.1s it is possible to make each switch a root bridge for different spanning tree groups and then associate a different VLAN with each spanning tree instance. This way we reduce the likelihood of a link being over-utilized.
In most networks, the Spanning Tree version should not be changed from its default setting of MSTP (Multiple Spanning Tree Protocol) mode. MSTP mode is fully compatible and interoperable with legacy STP 802.1D and Rapid Spanning Tree (RSTP) bridges. Setting the version to stpcompatible mode will cause the bridge to transmit only 802.1D BPDUs; this will prevent non-edge ports from rapidly transitioning to the forwarding state.
Note: An MST region is a group of devices that are configured together to form a logical region. The MST region presents itself to the rest of the network as a single
same configuration identifier information as all other devices in the MST region. By default, each bridge is in its own MST region and has a default configuration name
If the Designated Root MAC Address matches the Bridge ID MAC Address, the device views itself as the root bridge. Therefore, no root port is displayed for this bridge.
Note that the port role and port state are both displayed for the bridge when using the port keyword with the show spantree command.
Note that the SID column displays the value of 1 in this example; this value
counter information.
Restricted Role:
Restricted Role is a Spanning Tree protocol feature that allows or disallows the root role on specified ports. When Restricted Role is enabled, the port will not be selected as the root port for the CIST or any MSTI, even if it has the best Spanning Tree priority. A port with Restricted Role enabled is selected as an alternate port after the root port has been selected.
You may wish to use Restricted Role when bridges are not under your full control. You may also wish to enable Restricted Role on ports where the bridge is external to the core and where the port faces away from the root, in cases where the port role would normally be designated. This can speed network re-convergence, particularly after loss of the root bridge. Restricted Role is disabled by default.
A possible reason for not allowing TCN propagation is when bridges are not under the full control of the administrator, or because the MAC operational state for the attached or downstream LANs transitions frequently, causing disruption throughout the network.
Standard 802.1D STP takes 30-50 seconds to recover from a failure or root bridge changes. By default, all Extreme switches support 802.1w and 802.1s, which
new root bridge announcements can cause a Denial of Service (DoS) condition. Unwanted BPDUs from an attacker can force network changes and cause a Denial of Service condition in the layer 2 environment. These changes can cause learned
(enabled/disabled)
port (locked/unlocked)
show spantree spanguardtimeout - shows the value of spanguardtimeout (0-65535 seconds)
When Span Guard is enabled, reception of a BPDU by a port which has adminEdge set TRUE will cause the port to be locked and its state set to blocking. The port will
which may be forever if the timer value is set to 0. The port will become unlocked
In order to utilize Span Guard, the system administrator must know which ports are connected between switches as ISLs (inter-switch links). AdminEdge must be configured globally before Span Guard will work. AdminEdge is configured via the set spantree adminedge command from the CLI. AdminEdge must be set to false on all known ISLs. Any remaining ports where protection is desired should be set to adminedge = True. Setting these remaining ports to adminedge = True indicates to Span Guard that these ports are not expecting to receive any BPDUs. If BPDUs are received on these ports, the affected ports will become locked. The set spantree spanguardtimeout command sets the timeout period that a port will remain in the locked state. By default the timeout period is 300 seconds. This can be configured to a range of 0-65535 seconds. Setting the value to 0 will set the timeout to forever.
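The Span Guard procedure above (adminEdge false on known ISLs, true on the ports to protect, lock-to-blocking on an unexpected BPDU, and a spanguardtimeout where 0 means forever), as an added simulation that is not part of the student guide or of the EOS implementation. Port names, timings and the event log wording are constructed; the 300 second default and the 0-65535 range are the values the text gives.

```python
"""Added simulation of the Span Guard behaviour described above.

Constructed model, not EOS code. Ports with adminEdge set True are not expected
to see BPDUs: a BPDU received there locks the port into blocking for the
spanguardtimeout period (0 = forever). Ports with adminEdge False are ISLs, and
BPDUs on them are ordinary spanning tree traffic.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Port:
    name: str
    admin_edge: bool                      # True = expected user port, False = known ISL
    locked: bool = False
    state: str = "forwarding"
    lock_expires_at: float | None = None  # None while unlocked, or when locked forever


class SpanGuard:
    def __init__(self, timeout_seconds: int = 300) -> None:  # 300 s is the documented default
        if not 0 <= timeout_seconds <= 65535:
            raise ValueError("spanguardtimeout must be 0-65535 seconds")
        self.timeout = timeout_seconds
        self.ports: dict[str, Port] = {}
        self.log: list[str] = []

    def add_port(self, name: str, admin_edge: bool) -> None:
        self.ports[name] = Port(name, admin_edge)

    def receive_bpdu(self, port_name: str, now: float) -> str:
        """Handle a BPDU arriving on a port at time `now` (seconds)."""
        port = self.ports[port_name]
        if not port.admin_edge:
            return "processed"          # ISL: hand the BPDU to spanning tree as usual
        if not port.locked:
            port.locked = True
            port.state = "blocking"
            port.lock_expires_at = None if self.timeout == 0 else now + self.timeout
            self.log.append(f"t={now}: BPDU on adminEdge port {port_name}, port locked")
        return "locked"

    def tick(self, now: float) -> list[str]:
        """Release locks whose timer has expired; returns the names of ports unlocked."""
        unlocked = []
        for port in self.ports.values():
            expires = port.lock_expires_at
            if port.locked and expires is not None and now >= expires:
                port.locked = False
                port.state = "forwarding"
                port.lock_expires_at = None
                self.log.append(f"t={now}: lock on {port.name} expired, port unlocked")
                unlocked.append(port.name)
        return unlocked


def demo() -> dict:
    """Constructed scenario: one user port, one ISL, default timeout, then timeout 0."""
    guard = SpanGuard(timeout_seconds=300)
    guard.add_port("ge.1.1", admin_edge=True)     # user-facing port, protected
    guard.add_port("ge.1.24", admin_edge=False)   # known ISL, adminEdge false
    isl = guard.receive_bpdu("ge.1.24", now=0)
    user = guard.receive_bpdu("ge.1.1", now=0)
    state_when_locked = guard.ports["ge.1.1"].state
    before_expiry = guard.tick(now=299)
    at_expiry = guard.tick(now=300)

    forever = SpanGuard(timeout_seconds=0)        # 0 means the lock never expires
    forever.add_port("ge.1.2", admin_edge=True)
    forever.receive_bpdu("ge.1.2", now=0)
    still_locked = forever.tick(now=10**9) == [] and forever.ports["ge.1.2"].locked
    return {
        "isl_bpdu": isl,
        "user_bpdu": user,
        "state_when_locked": state_when_locked,
        "unlocked_before_expiry": before_expiry,
        "unlocked_at_expiry": at_expiry,
        "state_after_expiry": guard.ports["ge.1.1"].state,
        "timeout_zero_locks_forever": still_locked,
        "events": guard.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The event log is the part worth keeping in a real deployment: a lock on an adminEdge port means either a mis-classified ISL or a device sending BPDUs where none are expected, and both deserve a look before the timer quietly re-enables the port.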
Encapsulation Modes:
You can configure ports within an STPD to accept specific BPDU encapsulations. An STP port
802.1D mode
Use this mode for backward compatibility with previous STP versions and for compatibility with third-party switches using IEEE standard 802.1D. BPDUs are sent untagged in 802.1D mode. Because of this, any given physical interface can have only one STPD running in 802.1D mode. This encapsulation mode supports the following STPD modes of operation: 802.1D, 802.1w, and MSTP (802.1s).
To prevent loops across the switches, the Edge Safeguard feature can be configured with the BPDU restrict function. When running in BPDU restrict mode, Edge Safeguard ports send STP BPDUs at a rate of one every 2 seconds. The port is disabled as soon as an STP BPDU is received on the BPDU restrict port, thereby preventing the loop. Flexibility is provided with an option to re-enable the port after a user-specified time period. If a user enables a port while STP has disabled it, the port is operationally enabled; STP is notified and then stops any recovery timeout that has started.
For multiple switches to be part of an MSTP region, you must configure each switch in the region with the same MSTP configuration attributes, also known as MSTP region identifiers. The following list describes the MSTP region identifiers:
Region Name: This indicates the name of the MSTP region. In the Extreme Networks implementation, the maximum length of the name is 32 characters and it can be a combination of alphanumeric characters and underscores ( _ ).
Format Selector: This indicates a number to identify the format of MSTP BPDUs. The default is 0.
Revision Level: This identifier is reserved for future use; however, the switch uses and displays a default of 3.
Note: You can configure the default STPD, S0, as the CIST. No VLAN can be bound to the CIST and no ports can be added to the CIST. Therefore, the VLAN should be bound to the MSTI, and the "show MSTI port" command will show the VLAN ports. The ports added to the MSTI are bound automatically to the CIST even though they
You can configure edge safeguard for loop prevention and detection on an RSTP/MSTP edge port. Loop prevention and detection on an edge port configured for RSTP/MSTP is called edge safeguard. You can configure edge safeguard on
other non-STP switch to an edge port. Edge safeguard also limits the impact of broadcast storms that might occur on edge ports. This advanced loop prevention mechanism improves network resiliency but does not interfere with the rapid convergence of edge ports.
An edge port configured with edge safeguard immediately enters the forwarding state and transmits BPDUs. If a loop is detected, STP blocks the port. By default, an edge port without edge safeguard configured immediately enters the forwarding state but does not transmit BPDUs unless a BPDU is received by that edge port.
Note: ExtremeXOS software does not support ELRP and Network Login on the same port. When used on a VPLS service VLAN, ELRP does not detect loops
You can specify the number of times ELRP packets must be transmitted and the interval
A message is printed to the console and logged into the system log file indicating detection of a network loop when ELRP packets are received back or no packets are received within
protocol-based VLAN. For ELRP to detect loops on a protocol-based VLAN (other than the protocol any), you need to add the ethertype 0x00bb to the protocol.
Create VLANs:
create vlan v1
create vlan v2
An EAPS Master detects the failure in its domain and converges around the failure.
You must create and configure one control VLAN for each EAPS domain. A control VLAN cannot belong to more than one EAPS domain. If the domain is active, you cannot delete the domain or modify the configuration of the control VLAN. The control VLAN must NOT be configured with an IP address. In addition, only ring ports may be added to this control VLAN. No other ports can be members of this VLAN. Failure to observe these restrictions can result in a loop in the network. The ring ports of the control VLAN must be tagged.
Protected VLANs are the data-carrying VLANs. When you configure a protected VLAN, the ring ports of the protected VLAN must be tagged (except in the case of
EAPS Hello (Health Check) packets use the Extreme Encapsulation Protocol
Each switch (node) will examine the hello packet and then forward the packet to its neighbor switch through the ring port that did not receive the packet. EAPS packets are sent with an 802.1p value of 7 (QP8).
Ports 1:1 and 4:1 for the SummitStacks will be added to the "ctrl-1"
tagged ports
Note: The above ports must be added tagged to the "data" VLAN on each switch, along with any end-user ports. End-user ports are usually untagged.
enable eaps
show eaps
In a ring that contains switches made by other companies, the polling timers provide an alternate way to detect ring breaks. The master periodically sends hello PDUs at intervals determined by the hello PDU timer and waits for a reply. If a hello PDU reply is not received before the failtime timer expires, the switch detects a failure and responds by either sending an alert or opening the secondary port. The response action is defined by a configuration command.
Use the hellotime keyword and its associated parameters to specify the amount of time the master node waits between transmissions of health check messages on the control VLAN. The combined value for seconds and milliseconds must be
Use the failtime keyword and its associated parameters to specify the amount of time the master node waits before the failtimer expires. The combined value for seconds and milliseconds must be greater than the configured value for hellotime. The default value is 3 seconds.
Note: Increasing the failtime value increases the time it takes to detect a ring break using the polling timers, but it can also reduce the possibility of incorrectly declaring a failure when the network is congested.
With EAPS, a data VLAN can span multiple physical rings or EAPS domains. This
each EAPS domain to which it belongs. In the figure above, there is an EAPS domain with its own control VLAN running on ring 1 and another EAPS domain with its own control VLAN running on ring 2. A data VLAN that spans both rings is added as a protected VLAN to both EAPS domains to create an overlapping VLAN. Switch S5 has two instances of EAPS domains running on it, one for each ring.
In the slide shown earlier (Two Rings Interconnected by One Switch), switch S5
Ring 1 would not be able to communicate with users on Ring 2. To make the network more resilient, you can add another switch. In the figure shown above, a second switch (S10) connects to both rings and to S5 through a common link, which is common to both rings. The EAPS common link in the following figure requires special configuration to prevent a loop that spans both rings. The software entity that requires configuration is the eaps shared-port, therefore the common link feature is sometimes called the shared port feature.
During normal operation, the master node on each ring protects the ring as described earlier in the first EAPS module. The Controller and Partner nodes work together to protect against Super Loop problems that can occur with the use of
Note: A Controller or Partner can also perform the role of master or transit node within its EAPS domain. Typically the controller and partner nodes are distribution or core switches.
Note: When a common link fails, one of the segment ports becomes the active-open port, and all other segment ports are blocked to prevent a loop for the protected VLANs.
If a link failure occurs in one of the rings, only a single EAPS domain is affected. The EAPS master detects the failure in its domain and converges around the failure. In this case, the controller does not take any blocking action, and EAPS domains on other rings are not affected. Likewise, when the link is restored, only the local EAPS domain is affected. The controller and any EAPS domains on other rings are not affected, and continue forwarding traffic normally.
When the common link fails, the secondary port of each master node is unblocked, and the new topology introduces a broadcast loop spanning both rings (EAPS
For the failure scenario shown above, the Controller and Partner nodes immediately
Blocks protected VLAN communications on all segment ports except the active-open port
Note: When a controller goes into or out of the blocking state, the controller sends a flush-fdb message to flush the FDB in each of the switches in its segments. In a network with multiple EAPS ports in the blocking state, the flush-fdb message gets propagated across the boundaries of the EAPS domains.
messages are sent from controller to partner, and also from partner to controller
The EAPS domain priority feature allows you to select the EAPS domains that are serviced first when a break occurs in an EAPS ring. For example, you might set up a network topology with two or more domains on the same physical ring. In this topology, you could configure one domain as high priority and the others as normal priority. You would then add a small subset of the total protected VLANs to the high priority domain, and add the rest of the protected VLANs to the normal priority domain. If a ring fault occurs in this topology, the protected VLANs in the high priority domain are the first to recover.
The following slides will cover standard configuration with a common link, and EAPS shared port for EAPS domains Domain-1 and Domain-2. Each Domain supports a
Center Core.
Domain-1
Note: Remember to enable EAPS at the global level as well as at the domain level.
enable eaps
EAPS Domain-2
You must add one or more protected VLANs to each EAPS domain. The protected VLANs are the data-carrying VLANs. When you configure a protected VLAN, the ring ports of the protected VLAN must be tagged (except in the case of the default VLAN). For instructions on creating a VLAN, see the VLAN module.
Each common link in the EAPS network must have a unique link ID. The controller and partner shared ports that belong to the same common link must have matching link IDs. No other instance in the network should have that link ID. If you have multiple adjacent common links, Extreme Networks recommends that you configure the link IDs in ascending order of adjacency.
For example, if you have an EAPS configuration with three adjacent common links, moving from left to right of the topology, configure the link IDs from the lowest to the highest value. To configure the link ID of the shared port, use the following command:
To display EAPS status and configuration information, use the following command:
Each controller and partner node can display status and configuration information for the shared port or ports on the corresponding side of the common link. To
Ring Name
RPL (ring protection link) owner configuration for the ERPS ring
CFM packets have a source MAC address of the switch and a destination
Note: 01:19:a7 is the OUI of the ITU, which developed Y.1731, on which 802.1ag is based.
R-APS packets are sent with an 802.1p value of 7 (QP8) and a type field of 0x8902.
Note: Similar configuration would have to be completed for all switches participating in ring-2.
SummitStack2.2 # configure erps ring-2 protection-port 4:1 (This command will set SummitStack2 as the ring owner)
SummitStack2.5 # configure erps ring-2 add control ctrl-2
SummitStack2.6 # configure erps ring-2 add protected data
SummitStack2.7# enable erps ring-2
SummitStack2.8 # enable erps
Note: CFM is defined in the IEEE 802.1ag-2007 standard and the ITU's Y.1731.
management. Extreme implements all of 802.1ag but only implements Y.1731 for
An UP MEP sends CFM frames toward the frame filtering entity, which forwards the frames to all other ports of a service instance other than the port on which the UP MEP is configured. This is similar to how the frame filtering entity forwards a normal data frame, taking into account the port's STP state. For an UP MEP, a CFM frame exits from a port only if the STP state of the port is forwarding.
A DOWN MEP sends CFM frames directly to the physical medium without considering the port STP state. For a DOWN MEP, a CFM frame exits from a port even if the port STP state is blocking.
Note: An "Up MEP" takes into account the Spanning Tree port state when transmitting CCMs. It only forwards CFM frames through ports in the forwarding state.
The example above shows the creation of a Down-MEP with the CFM commands.
MD Level. For example, for an MD Level of 5 the switch creates erps_5 as the MD
ring Control VLAN. For example, if the Control VLAN has a name of ctrl-2, and a
Link Aggregation, SmartTrunking, and other port trunking algorithms are all methods of bonding together two or more data channels into a single channel that appears as
increased bandwidth. Aggregated links also provide redundancy and fault tolerance.
In the absence of any type of link aggregation, Spanning Tree Protocol prevents the
There are two typical scenarios in which link aggregation may be useful in a
Key Benefits:
networks.
• Higher link availability: Provides higher link availability, in that the failure of any single link within the aggregate is limited to that link only. Other links continue to function so there is no disruption of the communications between the devices.
Once the underlying physical ports are associated with an aggregator port, the resulting aggregation will be represented as one LAG with the lag.0.x designation.
The K, S and 7100 series are able to utilize three different spreading algorithms to determine which physical port a packet will be transmitted out of in a LAG port:
DIP-SIP: Specifies that destination and source IP addresses will determine the
traffic being transmitted over this LAG port is sourced and destined to mostly the same set of IP addresses. If this is the case, the distribution of the traffic across the physical ports in the LAG will be uneven.
DMAC-SMAC: Specifies that destination and source MAC addresses will determine the LACP physical outport. This is not recommended for LAGs providing connectivity between two routers, because the DMAC-SMAC pairs will mostly be identical in this scenario and the distribution of the traffic across the physical ports in the LAG will be uneven. This is recommended for LAGs providing connectivity to LAN segments to which end systems are connected.
Round-Robin: Specifies that the round-robin algorithm will determine the LACP physical outport. This distributes traffic in an even fashion across the physical ports in the LAG. However, bidirectional communication will most likely be asymmetrical across different physical
Flow regeneration determines how flows will behave when a new port joins a link aggregation. When enabled, LACP will redistribute all existing flows over the LAG, taking into account the new ports that joined the LAG. It will also attempt to load balance existing flows to take advantage of the new port that has joined the LAG. When flow regeneration is disabled and a new port joins the LAG, the distribution of current flows remains unchanged and does not take advantage of the new port. All new flows will take into account the new port on the LAG. Flow regeneration is disabled by default.
commands and menu screens. Not all aggregation commands and screens are included. The lab activities associated with this module will allow you to investigate the aggregation configuration displays and configuration options in more detail. The
Note: Enabling Link Aggregation on one end of a link only does not create a broadcast storm for the VLANs configured on that port. The non-enabled switch will use the Forwarding Database (FDB) to forward packets to its neighbor switch and
Requires 1 bit from the header information to select one of two ports
tre
Packet #1
IP Src address 10.0.0.1 (Bit 1=1) and Dst address 10.0.0.100 (Bit 1 = 0)
1 XOR 0 = 1 – Packet is sent down port 2
Packet #2
IP Src address 192.168.1.20 (Bit 1=0) and Dst address 207.23.1.4 (Bit 1 = 0)
0 XOR 0 = 0 – Packet is sent down port 1
Note: The BD8K with original series modules and the Summit X450 forward these
master port.
Note: The port-based Link Aggregation algorithm is only supported on the BD10K, BD12K and BD20K switches. The hashing algorithm can only be configured using the configure sharing address-based custom command on the BD8K with xl series modules and Summit X460, X480, and X650 switches.
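The XOR selection worked through above for the two packets, together with the uneven-distribution caveat from the DIP-SIP description, as an added example that is not part of the student guide or of Extreme's implementation. "Bit 1" on the page is read as the least significant bit of the 32-bit IP address, which matches the values the page gives; extending the scheme to more than two member ports by taking the low log2(N) bits of each address is an assumption of this example, not something the page states, and all flows other than the page's two packets are constructed.

```python
"""Added worked version of the port-based LAG hash described above.

Constructed example, not Extreme code. "Bit 1" on the page is read as the least
significant bit of the 32-bit IP address, which matches the values shown
(10.0.0.1 -> 1, 10.0.0.100 -> 0). The generalisation to more ports (taking the
low log2(N) bits of each address) is an assumption, not something the page states.
"""
from __future__ import annotations

import ipaddress
from collections import Counter


def select_port(src_ip: str, dst_ip: str, ports: list[int]) -> int:
    """Pick the LAG member port for a packet by XORing source and destination address bits."""
    n = len(ports)
    if n < 1 or n & (n - 1):
        raise ValueError("port count must be a power of two")
    bits = n.bit_length() - 1          # 2 ports -> 1 bit, 4 ports -> 2 bits, ...
    mask = (1 << bits) - 1             # 0 for a single port: everything goes to ports[0]
    src_bits = int(ipaddress.ip_address(src_ip)) & mask
    dst_bits = int(ipaddress.ip_address(dst_ip)) & mask
    return ports[src_bits ^ dst_bits]


def distribution(flows: list[tuple[str, str]], ports: list[int]) -> dict[int, int]:
    """Count how many (src, dst) flows land on each member port."""
    counts = Counter(select_port(src, dst, ports) for src, dst in flows)
    return {port: counts.get(port, 0) for port in ports}


def demo() -> dict:
    two_ports = [1, 2]
    # The two packets from the page: 1 XOR 0 = 1 -> port 2; 0 XOR 0 = 0 -> port 1.
    packet1 = select_port("10.0.0.1", "10.0.0.100", two_ports)
    packet2 = select_port("192.168.1.20", "207.23.1.4", two_ports)
    # Constructed router-to-router traffic: one address pair, so every flow hashes
    # to the same member port and the other port idles (the DIP-SIP caveat above).
    router_flows = [("10.0.0.1", "10.0.0.100")] * 4
    # Constructed end-system traffic: eight distinct hosts spread across both ports.
    host_flows = [(f"10.1.0.{i}", "10.0.0.100") for i in range(1, 9)]
    return {
        "packet1": packet1,
        "packet2": packet2,
        "router_pair": distribution(router_flows, two_ports),
        "many_hosts": distribution(host_flows, two_ports),
        # Assumed 4-port extension: low two bits, 01 XOR 00 = 01 -> second port.
        "four_ports": select_port("10.0.0.1", "10.0.0.100", [1, 2, 3, 4]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The router_pair result is the failure mode the DIP-SIP paragraph describes: a LAG between two routers carries one address pair, so the hash puts every flow on one member and the aggregate's bandwidth is never used.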
When physical ports form a LAG port, the physical port settings do not translate into logical port settings for the LAG port. It is possible, if a LAG is reduced to a single physical port, that the single port will take on its physical operating characteristics (i.e., the physical port will operate outside of the LAG). Therefore, it is recommended that the underlying physical ports that make up the LAG be configured identically to the
Note:
An already existing LAG configuration persists through a device or module reset. If upon reset there is only a single port active for an already existing LAG, that single port will move to the attached state regardless of the single port LAG setting.
If you plan to connect to a device that does not support link aggregation but you
mode. The EOS based switch will need to be configured with a static LAG.
Static port assignment allows you to assign ports to a LAG when the partner device does not support LACP, but does support another proprietary form of link aggregation. To assign a static port, specify the LAG port ID, the admin key value for this LAG, and the ports to be assigned. If you do not specify an admin key value, a key will be assigned according to the specified aggregator. For example, a key of 4 would be assigned to lag.0.4.
Example:
At least two ports need to be assigned to a LAG port for a Link Aggregation Group to form and attach to the specified LAG port. The same usage considerations for
usage and typical installations, there is no need to modify any of the default 802.3ad
The default values will result in the maximum number of aggregations possible. If the switch is placed in a configuration with devices not running the protocol, no dynamic link aggregations will be formed and the switch will function normally (that is, it will block redundant paths via Spanning Tree). Something to keep in mind is that a Link Aggregation Group (LAG) may potentially cause periodic network instability if the partner system participating in the LAG has its LACP Timeout parameter set to short (encoded as a 1 in the LACPDU). This parameter determines the time interval between periodic LACPDU transmissions.
A LAG will be maintained until all ports that comprise the group are disconnected. Even if only one port is still active in a LAG group, configuration changes will still need to be made to the virtual LAG port (not the physical port) to be effective. Some proprietary implementations provide for a dedicated physical port within a link aggregation for transmission of "special" frames (Bridge Protocol frames, multicast frames, unknown frames etc.).
Note: In the above slide, ge.1.5-ge.1.6 and ge.1.11-ge.12 are shown in a Dormant state when the show port status command is issued. This is an indication that they
MLAG peer switches must be of the same platform family. The following MLAG peers are allowed: BlackDiamond 8800 switches with BlackDiamond 8800 switches,
To create a LAG:
enable sharing <master_port> grouping <port list>
Note: You must create a Layer 3 VLAN for control communication between MLAG peers. You cannot enable IP forwarding on this VLAN. The ISC is exclusively used for inter-MLAG peer control traffic and should not be provisioned to carry any user data traffic. Customer data traffic, however, can traverse the ISC port using other user VLANs.
Create the MLAG peer and associate the peer switch's IP address. By creating an MLAG peer you associate a peer name that can be associated with the peer switch's IP address and other peer configuration properties. The peer is then bound to each individual MLAG port group.
Create the MLAG port groups. This creates an MLAG port group by specifying the local switch's port, the MLAG peer switch, and an "mlag-id" which is used to reference the corresponding port on the MLAG peer switch. The specified local switch's port can be either a single port or a load share master port.
To display information about an MLAG peer, including MLAG peer switch state,
To display each MLAG group, including local port number, local port status, remote MLAG port state, MLAG peer name, MLAG peer status, local port failure count, remote MLAG port failure count, and MLAG peer failure count:
A Virtual Switch Bonded (VSB) Chassis consists of 2 like physical chassis joined together to create a single logical chassis. The bonded chassis has a single IP address; you manage it as a single object. VSB requires you to connect the two S-Series chassis using one or more 10 GB ports. These ports are designated as Bonding Ports on each chassis and create the virtual backplane that ties the two physical chassis together.
Note: In the above diagram, Switch A views Chassis 1 and Chassis 2 as a single
algorithm (which is based on DIP-SIP), and chooses one of its available LAG ports
to the bonded S-Series. Switch A could send the frame to Chassis 1, or Chassis 2, in
Chassis 1 receives the frame, consults its FDB for the particular VLAN, and
discovers that PC B is out the LAG attached to its Slots 1 and 5. Chassis 1
performs the LACP distribution algorithm, with one of two possible results. The
LACP distribution algorithm may result in sending the frame out Link 1 or Link 2 of
the LAG. If so, Chassis 1 simply forwards the frame out LAG 2 toward PC B.
However, the hash may result in sending the frame out Link 3 or Link 4 of the LAG,
both of which are connected to Slot 5. If so, Chassis 1 performs the distribution
algorithm once more to choose which of the Bonding links to use. It then forwards
the frame across the virtual backplane formed by the Bonding Ports to Slot 5, where
In a Bonded Chassis scenario where every edge switch or stack is running LACP to
the Bonded Chassis with an equal number of physical ports connected to each
chassis, one would expect that 50% of the traffic traversing the bonded chassis will
configured, but the user traffic arrives on a LAG port, it is expected that traffic
destined for the server would also travel over the bonding links 50% of the time.
This behavior could create the unsupportable situation where the VSB link would
have to be as large as 50% of the total uplink bandwidth from your edge switches.
To avoid this condition, Extreme has created a feature called “Local Preference”,
discussed on the next slide.
The virtual chassis bonding feature uses bonding ports to connect two chassis.
These ports participate in the LAG for the traffic leaving the VSB chassis. The LAG's
default spreading algorithm does not take port location into account, so that traffic
may be evenly distributed over the bonding links and local uplink ports.
A feature has been created to manage this behavior. The feature allows the local
chassis egress ports to be preferred over the bonding ports. The local LAG port
preference can be set using a choice of 1 of 4 types: none (default), weak, strong, or
all-local.
For example:
The VSB link functions as an external backplane for the Bonded Chassis. Thus,
you can expect traffic on the link to behave just as if it were crossing the internal
backplane on either switch. However, the VSB link is Ethernet at Layer 2, so the
frame behavior across the link combines the attributes of Ethernet and the
backplane function. The sending switch generates a complete Ethernet frame for
transmission over the VSB link, including the header with 802.1Q information (if that
is appropriate for the frame being transmitted) and the Frame Check Sequence. The
sending switch also inserts a field in the Ethernet header containing VSB
control/backplane control information specific to that frame, which allows the two
physical switches to coordinate their across-the-backbone treatment of the frame.
Note: The VSB link also functions as the control link for the Bonded Chassis; all
VSB control traffic passes over the VSB link.
The Link Failure Response (LFR) protocol provides for the configuration of one or
more 1GbE monitor links. In the unlikely event that all 10GbE interconnect links
should go down or otherwise fail, the LFR monitor link determines whether both
chassis are still operational and places the chassis with the lowest LFR priority in a
dormant state until at least one interconnect link is restored. LFR links do not carry
user traffic. The sole purpose of an LFR link is to monitor the partner chassis'
status. 10GbE VSB configured ports are always set as interconnect ports. 1GbE
VSB configured ports are always set as LFR monitor ports.
The LFR protocol allows 1GbE ports to be designated as VSB monitor links that
operate in a standby mode to the primary 10GbE VSB ports. The VSB monitor link
provides dedicated redundant control plane connectivity and is used only as a
backup communication path between two bonded chassis in the unlikely event that
all of the primary VSB interconnect links fail or become unavailable.
Every S-Series switch ships with two MAC addresses: the MAC address it uses for
all its communications on the network, and a reserved, unused MAC address that is
one higher than the used MAC address. When you initiate Chassis Bonding, the
process compares the Reserved MACs of both switches. It chooses the higher of
those two Reserved MACs, and establishes that MAC as the MAC address of the
Bonded Chassis. From that moment on, until you disable Chassis Bonding, both
physical switches use the MAC address of the Bonded Chassis for all of their
communications on the network.
You can pair any two S-series switches as long as they have the same form factor.
For example, you can bond two SSAs or two S3s into a VSB pair. Similarly, you
can bond a non-PoE S4 with a PoE S4, since the chassis are the same form factor.
However, you cannot mix form factors in a pair. For example, you cannot establish
Note: In a multi-slot chassis you can spread the ends of the bonding link across the
various slots in the chassis. Extreme recommends that you do so for resiliency.
Note: The VSB feature supports a combined total of 32 VSB interconnect and LFR
1GbE monitor links on a VSB system (32 VSB ports per chassis).
The bonded system features such as route capacities, MAC address tables and
user capacities will remain the same as a single chassis. Mirroring capacities are
reduced.
the physical chassis participating in the bond. You cannot enable the VSB feature
consisting of S130, S140 and S150 class S-Series products require the S-EOS-VSB
license. This license is available from Extreme. Modular chassis with S155/S180 I/O
Fabrics can use the VSB feature without the need for additional licenses. SSA 130
The LFR protocol must be globally enabled on each VSB chassis in the VSB
system for LFR monitoring to occur. Use the set bonding lfr enable command to
globally enable LFR on each physical chassis. The LFR monitor port is configured
using the set bonding port enable command, the same as a VSB interconnect port.
What distinguishes the port types in a VSB context is the port speed. The VSB
interconnect port must be a 10GbE port or greater, and the LFR monitor port must
be a 1GbE port.
Rolling Firmware updates will allow the system to update and reset one blade at a
time. This feature will be available when the existing and upgrade images are
or ECMP), the VSB chassis will continue to forward traffic while the upgrade is
in process. Singly attached edge devices will lose service while the blade they are
attached to reboots. Rolling Firmware updates require the use of two fabrics (in
fabric based chassis). When the images are not compatible (i.e. major feature
upgrades), the image is propagated to each of the modules and the entire bonded
chassis is rebooted.
Note: If the last bonding link fails, and you have not configured an LFR link, each
and the same MAC address. This can cause enormous problems in the network.
Extreme strongly encourages you to configure multiple links into the VSB Bond.
provides for a rolling firmware upgrade for maintenance releases that are HAU
Using the standard upgrade method, the image is loaded automatically after the
system has been reset. The standard method takes the system out of service for
the duration of the firmware upgrade. Using the HAU method, all populated system
slots are assigned to HAU groups. The firmware upgrade takes place one HAU
group at a time with all modules belonging to HAU groups not currently being
upgraded remaining operational. As each HAU group completes its upgrade, a mix
of slots running the original firmware and slots running the upgraded firmware are
simultaneously operating on the device.
To avoid potential feature conflicts between multiple firmware versions, the HAU
firmware upgrade feature is limited to maintenance firmware upgrades and will not
group:
We’ve configured a LAG between Switch 1 and each edge switch. Both LAGs are
distributed between two Chassis 1 HAU groups. LAG 1 is configured on Slots 1 and
2. LAG 2 is configured on Slots 2 and 3. As each HAU group upgrades, packets for
both LAGs continue to forward over connections to non-upgrading HAU groups.
HAU groups can be administratively configured for multiple slots. All slots belonging
The HAU group feature determines which slot or slots will be simultaneously upgraded. All
system slots within the same HAU group are simultaneously upgraded. Each system slot
belongs to an HAU group. HAU occurs one HAU group at a time. By default, there is one
slot per group. Therefore, the default HAU behavior is to upgrade each system slot one at a
time.
Because HAU groups are upgraded sequentially, the total upgrade time increases with the
number of HAU groups configured. In a large chassis it could take a significant amount of
time to complete the upgrade and have all physical links back in operation. Upgrade time
can be reduced by assigning multiple slots to the same HAU group. When planning system
connections, the overall upgrade time will be reduced to the degree that multiple slots can
be configured into a single group and still retain sufficient resources in non-upgrading HAU
groups to assure system operation.
With this in mind, all essential system capabilities on the device should be configured
across multiple groups. For example, all LAGs configured on the device should provide
sufficient redundancy between HAU groups for packets to continue forwarding on the LAG
using slots belonging to HAU groups that are not upgrading. Use the set boot high-
availability group command in any command mode to configure an HAU group, specifying
the group ID and the system slots that will be members of the HAU group. This command
is an intelligent command: it checks for illogical groupings - fabrics, no I/Os, and all bond
links.
When the firmware upgrade of an HAU group completes, depending upon the
applications that are configured on the module, it is possible for the next HAU group
approximately 5 second delay between the completion of one HAU group upgrade
and the start of the next group upgrade. You can configure a delay of up to 600
seconds between the upgrade completion of one HAU group and the beginning of a
high availability upgrade for the next HAU group.
Use the set boot high-availability delay command in any command mode to set a
delay in seconds between the upgrade completion of any HAU group and the
beginning of the next HAU group upgrade.
HAU default mode determines HAU behavior if a system boot mode is not set when
configuring the system boot image. There are three HAU default modes:
performed
Overridden by the system boot mode standard or high-availability settings
always – A high availability upgrade is always performed unless:
All HAU preconditions are not met, in which case no upgrade occurs
Overridden by the system boot mode standard setting
Note: HAU default mode should always be set to never unless you intend to perform
a high availability upgrade. An if-possible or always HAU default mode setting in
conjunction with no system boot mode specified results in a high availability
firmware upgrade each time you reboot your system, if all HAU preconditions are
met. If you want an HAU default mode change to affect a firmware upgrade, the
change must take place before configuring a pending upgrade. Changing the HAU
default mode after setting the system boot configuration (using the set system boot
command) has no effect on a pending firmware upgrade. Use the set boot high-
availability default-mode command in any command mode to set the HAU default
mode.
When a system is powered on or reset, the current system boot image is loaded on
to all system modules. To perform a system upgrade, change the current system
boot image to the upgrade image, also referred to as the target image. Image
upgrade can occur immediately, the next time the system boots, or by issuing a
reset command. When specifying the new target image, you can optionally specify
the system boot mode parameter:
Standard – All system slots are simultaneously upgraded, taking the system out of
operation for the duration of the upgrade. This is a non-high availability upgrade.
High-availability – Providing all HAU preconditions are met, HAU groups are
upgraded sequentially. If any HAU precondition is not met, an upgrade does not
occur.
Note: If the system boot mode is not specified, the boot mode is determined by the
HAU default mode configuration. By default, the HAU default mode executes a
standard system upgrade.
The following preconditions must be met for a high availability upgrade to occur:
HAU Compatibility Key - The target image must have the same HAU Compatibility
Key as the active image. To display the HAU key, use the dir command, specifying
the image name. The HAU key field in the display specifies whether the image
displayed is compatible with the current active image. If “HAU compatible” is
appended to the key field, a high availability upgrade can be performed between the
displayed image and the current active image.
Upgrade Groups - At least two upgrade groups are required, and each group must
contain at least one operational module at the start of a high availability upgrade.
Platform – S series S4, S6, and S8 platforms require the presence of at least 2
fabric modules in the system. VSB can create an exception to this rule; see the next
slide.
Virtual Switch Bonding (VSB) – High availability upgrade is not allowed if the reset
of any single upgrade group would break all VSB interconnect bond links. An
High availability upgrade is allowed in a bonded system that would break either the
two fabric module restriction or the all VSB interconnect links restrictions, if:
All chassis slots are members of that upgrade group. In this case, the
upgrade is performed per physical chassis.
You cannot disable a high availability upgrade or revert an image back to the
original system image on a high availability upgrade that is running. You can
however accelerate the upgrade process, by forcing the simultaneous upgrade of all
remaining non-upgraded HAU groups. This should not be considered a normal HAU
Use the set boot high-availability force-complete command in any command mode
to force the simultaneous upgrade of all non-upgraded HAU groups in the system.
You can disable a pending high availability upgrade by:
• Setting the boot image back to the active image using the set boot system active-
image command
• Deleting the boot image using the delete target-image command
• Converting the pending high availability upgrade to a standard upgrade by re-
issuing the boot command, specifying the target image and the standard system
boot mode
Note: After performing one of the methods for disabling an HAU configuration, verify
that the HAU status is disabled by using the show boot high-availability command.
upgrade is in progress. While a high availability upgrade is running, all SNMP set
operations will be rejected. A “noAccess” reason will be given for the rejection.
– loop
– show
– exit
– dir
– history
– ping
– traceroute
– telnet
– ssh
– set boot high-availability force-complete