EXOS STP Domain

Make sure the VLAN and its ports are associated with an STP domain so the ports can participate in STP. Check with show vlan (a T flag means the VLAN is a member of an STP domain) or show stpd <name> detail (the Participating Vlans and Auto-bind Vlans lines show the VLAN bindings). A port that is in no STP domain runs no spanning tree at all, so a physical loop through it will not be blocked.

I created VLAN 11, moved port 5 into it, and deliberately tried to set the port link-type to point-to-point, knowing the VLAN was not yet part of an STP domain:

* EXOS-VM.28 # create vlan 11
* EXOS-VM.29 # configure vlan 11 add ports 5
VLAN 11 VLAN_0011:  Port 5 untagged has been auto-moved from VLAN "Default" to "VLAN_0011".

* EXOS-VM.30 # show stpd s0 p 5-8
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
Port 5 not in STP domain s0
6      802.1D FORWARDING 200000 eDap-w--B- 128      8006    80:00:0c:72:16:86:e7:00
7      802.1D FORWARDING 200000 eDap-w--B- 128      8007    80:00:0c:72:16:86:e7:00
8      802.1D FORWARDING 200000 eDap-w--B- 128      8008    80:00:0c:72:16:86:e7:00

Total Ports: 3

------------------------- Flags: ----------------------------
1:                e=Enable, d=Disable
2: (Port role)    R=Root, D=Designated, A=Alternate, B=Backup, M=Master
3: (Config type)  b=broadcast, p=point-to-point, e=edge, a=auto
4: (Oper. type)   b=broadcast, p=point-to-point, e=edge
5:                p=proposing, a=agree
6: (partner mode) d = 802.1d, w = 802.1w, m = mstp
7:                i = edgeport inconsistency
8:                S = edgeport safe guard active
                  s = edgeport safe guard configured but inactive
8:                G = edgeport safe guard bpdu restrict active in 802.1w and mstp
                  g = edgeport safe guard bpdu restrict active in 802.1d
9:                B = Boundary, I = Internal
10:               r = restricted role, t = active role
* EXOS-VM.31 # configure stpd s0 ports link-type point-to-point 5
Error: Port 5 is not a member of STP domain s0
Error: Command aborted due to input errors, no changes made
* EXOS-VM.32 #

After binding VLAN 11 to s0 I can set port 5 to link-type point-to-point:

* EXOS-VM.33 # enable stpd s0 auto-bind vlan 11
* EXOS-VM.34 # configure stpd s0 ports link-type point-to-point 5

* EXOS-VM.35 # show stpd s0 port 5
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
5      802.1D FORWARDING 200000 eDpppw--B- 128      8005    80:00:0c:72:16:86:e7:00


EXOS STP

EXOS VM 22.6.1.4:

!!!!  NOTE: Spanning Tree default changed in ExtremeXOS 22.2  !!!!

Multiple Spanning Tree Protocol (MSTP) is enabled by default to prevent broadcast storms

Would you like to disable MSTP? [y/N/q]:

* EXOS-VM.3 # show stpd
MSTP Global Configuration:
MSTP Region Name        : 0c7216bd8e00
MSTP Format Identifier  : 0
MSTP Revision Level     : 3
MSTP Digest             : ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62
Common and Internal Spanning Tree (CIST)        : s0
Total Number of MST Instances (MSTI)            : 0

Name       Tag  Flags  Ports Bridge ID        Designated Root  Rt Port Rt Cost
s0         0000 EM----    12 80000c7216bd8e00 80000c7216bd8e00 -------       0

Total number of STPDs: 1                STP Flush Method: VLAN and Port
STP BPDU Forwarding: On
STP Multicast Send IGMP or MLD Query: On

Flags: (C) Topology Change, (D) Disable, (E) Enable, (R) Rapid Root Failover
(T) Topology Change Detected, (M) MSTP CIST, (I) MSTP MSTI

* EXOS-VM.5 # show stpd detail

Stpd: s0                Stp: ENABLED            Number of Ports: 12
Rapid Root Failover: Disabled
Operational Mode: MSTP                  Default Binding Mode: 802.1D
MSTI Instance:  CIST
802.1Q Tag: (none)
Ports: 1,2,3,4,5,6,7,8,9,10,
11,12
Participating Vlans: Default
Auto-bind Vlans: Default
Bridge Priority            : 32768              Bridge Priority Mode: 802.1t
Operational Bridge Priority: 32768
BridgeID                   : 80:00:0c:72:16:bd:8e:00
Designated root            : 80:00:0c:72:16:bd:8e:00
CIST Root                  : 80:00:0c:72:16:bd:8e:00
CIST Regional Root         : 80:00:0c:72:16:bd:8e:00
External RootPathCost      : 0  Internal RootPathCost: 0
Root Port   : ----
MaxAge      : 20s       HelloTime     : 2s      ForwardDelay     : 15s
CfgBrMaxAge : 20s       CfgBrHelloTime: 2s      CfgBrForwardDelay: 15s
RemainHopCount: 20      CfgMaxHopCount: 20
Topology Change Time           : 35s            Hold time        : 1s
Topology Change Detected       : FALSE          Topology Change  : FALSE
Number of Topology Changes     : 0
Time Since Last Topology Change: 0s
Topology Change initiated locally on Port none
Topology Change last received on Port none from none
Backup Root               : Off         Backup Root Activated  : FALSE
Loop Protect Event Window : 180s        Loop Protect Threshold : 3
New Root Trap             : On          Topology Change Trap   : Off
Tx Hold Count             : 6
Participating VLANs:
VLAN                                     Tag    Number of Ports
Ports
-------------------------------------------------------------------------------
Default                                  1      12
1(F),2(F),3(F),4(F),5(F),6(F),7(F),8(F),
9(F),10(F),11(F),12(F)
Flags: B-Blocking, D-Disabled, F-Forwarding, I-Listening, L-Learning

* EXOS-VM.6 # show stpd s0 ports
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
1      802.1D FORWARDING 200000 eDappw--B- 128      8001    80:00:0c:72:16:bd:8e:00
2      802.1D FORWARDING 200000 eDappw--B- 128      8002    80:00:0c:72:16:bd:8e:00
3      802.1D FORWARDING 200000 eDappw--B- 128      8003    80:00:0c:72:16:bd:8e:00
4      802.1D FORWARDING 200000 eDappw--B- 128      8004    80:00:0c:72:16:bd:8e:00
5      802.1D FORWARDING 200000 eDappw--B- 128      8005    80:00:0c:72:16:bd:8e:00
6      802.1D FORWARDING 200000 eDappw--B- 128      8006    80:00:0c:72:16:bd:8e:00
7      802.1D FORWARDING 200000 eDappw--B- 128      8007    80:00:0c:72:16:bd:8e:00
8      802.1D FORWARDING 200000 eDappw--B- 128      8008    80:00:0c:72:16:bd:8e:00
9      802.1D FORWARDING 200000 eDappw--B- 128      8009    80:00:0c:72:16:bd:8e:00
10     802.1D FORWARDING 200000 eDappw--B- 128      800a    80:00:0c:72:16:bd:8e:00
11     802.1D FORWARDING 200000 eDappw--B- 128      800b    80:00:0c:72:16:bd:8e:00
12     802.1D FORWARDING 200000 eDappw--B- 128      800c    80:00:0c:72:16:bd:8e:00

Total Ports: 12

------------------------- Flags: ----------------------------
1:                e=Enable, d=Disable
2: (Port role)    R=Root, D=Designated, A=Alternate, B=Backup, M=Master
3: (Config type)  b=broadcast, p=point-to-point, e=edge, a=auto
4: (Oper. type)   b=broadcast, p=point-to-point, e=edge
5:                p=proposing, a=agree
6: (partner mode) d = 802.1d, w = 802.1w, m = mstp
7:                i = edgeport inconsistency
8:                S = edgeport safe guard active
                  s = edgeport safe guard configured but inactive
8:                G = edgeport safe guard bpdu restrict active in 802.1w and mstp
                  g = edgeport safe guard bpdu restrict active in 802.1d
9:                B = Boundary, I = Internal
10:               r = restricted role, t = active role

* EXOS-VM.8 # show config stp detail
#
# Module stp configuration.
#
configure mstp region 0c7216bd8e00
configure mstp revision 3
configure mstp format 0
create stpd s0
configure stpd s0 delete vlan default ports all
configure stpd s0 mode mstp cist
configure stpd s0 forwarddelay 15
configure stpd s0 hellotime 2
configure stpd s0 maxage 20
configure stpd s0 max-hop-count 20
configure stpd s0 priority-mode dot1t
configure stpd s0 priority 32768
configure stpd s0 default-encapsulation dot1d
configure stpd s0 loop-protect event-window 180
configure stpd s0 loop-protect event-threshold 3
configure stpd s0 backup-root off
configure stpd s0 trap new-root on
configure stpd s0 trap topology-change off
configure stpd s0 trap topology-change edge-ports off
configure stpd s0 tx-hold-count 6
enable stpd s0 auto-bind vlan Default
enable stpd s0
configure stpd flush-method vlan-and-port
configure stpd bpdu-forwarding on
configure stpd multicast send-query on

After adding a second EXOS switch with two inter-switch links between them (a physical loop), the second port on the non-root bridge goes to BLOCKING as expected: in the Flags column port 1 has role R (Root) and port 2 has role A (Alternate), with the partner speaking MSTP (m).

EXOS-VM.2 # show stpd s0 p
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
1      802.1D FORWARDING 200000 eRapam--B- 128      8001    80:00:0c:72:16:86:e7:00
2      802.1D BLOCKING   200000 eAapam--B- 128      8002    80:00:0c:72:16:86:e7:00
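
To make the Flags column usable in a review rather than by eye, here is an added example (my code, not Extreme's) that parses show stpd <name> ports output, decodes the ten flag positions with the legend EXOS prints under the table, and raises the two conditions worth acting on from the STP Domain section and this one: a port that is in no STP domain, and a port configured as edge that is nevertheless receiving BPDUs. The sample text is constructed from the transcripts on this page; port 8 and its flags are made up to exercise the edge check.

```python
"""Decode and audit EXOS 'show stpd <name> ports' output.

Added example, not Extreme's code. Flag positions follow the legend EXOS
prints under the table; SAMPLE is constructed from the transcripts on this
page plus a made-up edge port (port 8) to exercise the rogue-BPDU check.
"""
import re

# Flag position -> (field name, letter -> meaning); '-' means "not set".
LEGEND = [
    ("admin", {"e": "enabled", "d": "disabled"}),
    ("role", {"R": "root", "D": "designated", "A": "alternate", "B": "backup", "M": "master"}),
    ("config_type", {"b": "broadcast", "p": "point-to-point", "e": "edge", "a": "auto"}),
    ("oper_type", {"b": "broadcast", "p": "point-to-point", "e": "edge"}),
    ("handshake", {"p": "proposing", "a": "agree"}),
    ("partner_mode", {"d": "802.1d", "w": "802.1w", "m": "mstp"}),
    ("edge_inconsistency", {"i": "edgeport inconsistency"}),
    ("safeguard", {"S": "active", "s": "configured, inactive",
                   "G": "bpdu-restrict active (802.1w/mstp)", "g": "bpdu-restrict active (802.1d)"}),
    ("mstp_boundary", {"B": "boundary", "I": "internal"}),
    ("restricted", {"r": "restricted role", "t": "active role"}),
]

PORT_RE = re.compile(
    r"^(?P<port>\d+(?::\d+)?)\s+(?P<mode>\S+)\s+(?P<state>\S+)\s+(?P<cost>\d+)\s+"
    r"(?P<flags>\S{10})\s+(?P<prio>\d+)\s+(?P<pid>[0-9a-fA-F]{4})\s+(?P<dbridge>\S+)")
MISSING_RE = re.compile(r"^Port (?P<port>\S+) not in STP domain (?P<stpd>\S+)")

# Constructed sample: lines from the two transcripts above, plus port 8 (made up).
SAMPLE = """\
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
Port 5 not in STP domain s0
1      802.1D FORWARDING 200000 eRapam--B- 128      8001    80:00:0c:72:16:86:e7:00
2      802.1D BLOCKING   200000 eAapam--B- 128      8002    80:00:0c:72:16:86:e7:00
6      802.1D FORWARDING 200000 eDap-w--B- 128      8006    80:00:0c:72:16:86:e7:00
7      802.1D FORWARDING 200000 eDpppw--B- 128      8007    80:00:0c:72:16:86:e7:00
8      802.1D FORWARDING 200000 eDep-wi-B- 128      8008    80:00:0c:72:16:86:e7:00

Total Ports: 5
"""


def decode_flags(flags):
    """Map the 10-character Flags string to named fields ('-' becomes None)."""
    if len(flags) != 10:
        raise ValueError(f"expected 10 flag characters, got {flags!r}")
    decoded = {}
    for (name, table), ch in zip(LEGEND, flags):
        if ch == "-":
            decoded[name] = None
        elif ch in table:
            decoded[name] = table[ch]
        else:
            raise ValueError(f"unknown flag {ch!r} in field {name}")
    return decoded


def parse_stpd_ports(text):
    """Return ({port: info}, [(port, stpd) reported as not in the domain])."""
    ports, missing = {}, []
    for line in text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            missing.append((m["port"], m["stpd"]))
            continue
        m = PORT_RE.match(line)
        if m:
            ports[m["port"]] = {"mode": m["mode"], "state": m["state"], "cost": int(m["cost"]),
                                "flags": decode_flags(m["flags"]), "port_id": m["pid"],
                                "designated_bridge": m["dbridge"]}
    return ports, missing


def audit(ports, missing):
    """Findings a loop / rogue-switch review should act on."""
    findings = []
    for port, stpd in missing:
        findings.append(f"port {port}: not in STP domain {stpd}; a physical loop "
                        f"through this port will not be blocked")
    for port, info in ports.items():
        f = info["flags"]
        # An edge port should never see a partner bridge; BPDUs here mean a switch was plugged in.
        if f["config_type"] == "edge" and (f["partner_mode"] or f["edge_inconsistency"]):
            findings.append(f"port {port}: configured as edge but receiving BPDUs "
                            f"(partner {f['partner_mode']}); unexpected switch on an access port?")
    return findings


if __name__ == "__main__":
    ports, missing = parse_stpd_ports(SAMPLE)
    for port, info in ports.items():
        f = info["flags"]
        print(f"{port:>4} {info['state']:<10} role={f['role']} cfg={f['config_type']} "
              f"oper={f['oper_type']} partner={f['partner_mode']}")
    for line in audit(ports, missing):
        print("WARN", line)
```

Paste real output in place of SAMPLE; the legend lines and the Total Ports line are ignored by the regexes, and stack ports in slot:port form are accepted.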


XMC NAC Troubleshooting

RADIUS requests/responses

tcpdump -i eth0 port 1812

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

Port 1812 is authentication only; use "port 1812 or port 1813" to see accounting traffic as well.

To capture the packets to a file for later decoding:

tcpdump -i eth0 -s 0 -w capture.pcap    (end the capture with Ctrl+C)
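
What that capture contains is RADIUS over UDP (RFC 2865 and RFC 2869). As an added example, not Extreme's code, the following stdlib-only Python builds an Access-Request/Access-Accept pair the way a switch and the NAC engine would exchange them and performs the two integrity checks you can apply to a captured pair once you have the shared secret: the Message-Authenticator (HMAC-MD5 over the request with that attribute zeroed) and the Response Authenticator (MD5 over the reply, the request's authenticator and the secret). The shared secret, identifier, NAS address and user name are constructed values.

```python
"""Build and verify RADIUS Access-Request / Access-Accept packets (RFC 2865, RFC 2869).

Added example, not Extreme's code. SECRET, the identifier and the attribute
values are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 18, 80
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows

SECRET = b"lab-shared-secret"  # constructed; in production it comes from the NAS entry


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_packet(data):
    """Structural validation first: inconsistent lengths are how malformed packets crash parsers."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = HEADER.unpack(data[:4])
    if length < 20 or length > len(data):  # octets past Length are padding (RFC 2865 s.3)
        raise ValueError("Length field inconsistent with datagram")
    attrs, i = [], 20
    while i < length:
        if length - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def build_access_request(ident, username, nas_ip, secret, request_auth):
    """Request Authenticator is 16 unpredictable bytes; Message-Authenticator is
    HMAC-MD5(secret, whole packet with that attribute's value zeroed)."""
    attrs = [(USER_NAME, username.encode()),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    pkt = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator was placed last


def verify_message_authenticator(data, secret):
    """True only if the packet carries a Message-Authenticator that matches the secret."""
    p = parse_packet(data)
    i = 20
    for atype, value in p["attrs"]:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = data[:i + 2] + bytes(16) + data[i + 18:p["length"]]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        i += 2 + len(value)
    return False


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request["id"], 20 + len(body))
    resp_auth = hashlib.md5(header + request["authenticator"] + body + secret).digest()
    return header + resp_auth + body


def verify_response(data, request, secret):
    """A reply is authentic only if its ID matches the outstanding request and the
    Response Authenticator recomputes with that request's authenticator and the secret."""
    p = parse_packet(data)
    if p["id"] != request["id"]:
        return False
    expected = hashlib.md5(data[:4] + request["authenticator"]
                           + data[20:p["length"]] + secret).digest()
    return hmac.compare_digest(expected, p["authenticator"])


def demo():
    """The exchange as the switch (NAS) and the NAC engine (server) would see it."""
    req = build_access_request(0x2A, "host/pc01.lab.example", "10.0.0.2", SECRET, os.urandom(16))
    resp = build_response(ACCESS_ACCEPT, parse_packet(req), SECRET, [(REPLY_MESSAGE, b"Welcome")])
    return req, resp


if __name__ == "__main__":
    req, resp = demo()
    print("request  ok:", verify_message_authenticator(req, SECRET))
    print("response ok:", verify_response(resp, parse_packet(req), SECRET))
```

A response whose Response Authenticator does not recompute is either from a server with a different shared secret (the usual misconfiguration) or was altered in transit; a request with no Message-Authenticator is unprotected against attribute tampering, so check that the switch sends one.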

NAC Device Help (type nachelp):

Extreme Networks NetSight NAC Device Help
/var/log/tag.log                – NAC Log File
/var/log/syslog                 – System Log File
/var/log/message                – System Info
/var/log/radius/*               – RADIUS Logs
/var/log/squid/*                – Squid Logs
/etc/resolv.conf                – DNS Configuration

nacdb                           NAC Database Script
naccapture                      Protocol-specific packet capture
nacstatus                       General NAC Appliance Status
nacreinitializedb               Deletes NAC database, restarts appliance
nacconfig                       Configures Network
nacradiuslogging enable|disable Enable/disable NAC RADIUS logging
nacctl start|stop|restart       Start/stop/restart NAC processes
aglsctl start|stop|restart      Start/stop/restart agentless assessment
/opt/nac/configMgmtIP <ip>      Set management server IP address

CTRL+ALT+<F1-F4> provides access to multiple login shells.

NAC Troubleshooting Tips:

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology-for-Authentication-issues/?q=nac+tips&l=en_US&fs=Search&pn=1

Common Trace examples:

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-common-tcpdump-commands-used-for-isolating-issue?q=nac+tips&l=en_US&fs=Search&pn=1

Switch-Port Information:

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology-for-Switch-Port-Information/?q=nac+tips&l=en_US&fs=RelatedArticle

WebView:

https://IP_CONTROL_APPLIANCE:8443   (admin/Extreme@pp; these are the default credentials, change them on any engine that is not a lab VM)

XMC Show Support:

Administration>Diagnostics>Generate Show Support

The files are stored in the following folder:

/usr/local/Extreme_Networks/NetSight/appdata/ShowSupport

Date and Time:

Check the date and time with the date command on the CLI.

Note: Clock skew can break authentication if the clock has drifted too far; certificate validity checks for EAP-TLS/PEAP and Kerberos/AD lookups both depend on it, so keep the engine synced with NTP.


XMC NAC EAP Error TLS Cipher

If you see the error below in the Status Description field under Events for end-systems after upgrading NAC (>7.0), try the listed parameters on the engine.

eap_tls: TLS Alert write:fatal:handshake failure eap_tls: SSL says: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher eap_tls: SSL_read failed in a system call (-1), TLS session failed eap_tls: TLS receive handshake failed during operation eap_tls: [eaptls process] = fail eap: Failed continuing EAP TLS (13) session. EAP sub-module failed

"No shared cipher" means the supplicant offered only cipher suites the upgraded RADIUS TLS configuration no longer accepts. Apply these two Appliance Properties to the NAC appliance:

RADIUS_TLS_REMOVE_RC4_CIPHERS=false

RADIUS_TLS_CIPHER_LIST=DEFAULT

Note: as their names say, these settings keep the RC4 cipher suites enabled and fall back to OpenSSL's DEFAULT cipher list, which weakens TLS for every supplicant, not just the legacy one, so treat them as a workaround for old clients rather than a permanent setting. This was helpful for the XP test machine I was using.

XMC NAC Host Lookup

When you use the "LDAP Host Group" component in a NAC rule, the hostname NAC resolved for the end-system must be present in the LDAP directory for that component to match. If the hostname was resolved only from DHCP, so it is a short name with no FQDN, the lookup against dNSHostName (which holds the FQDN) will most likely fail. In that case, try changing the Host Search Attribute in the associated LDAP Configuration from "dNSHostName" to "name".
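
To see why the short name fails, here is an added example (not NAC's code) that models the Host Group comparison against a constructed directory: it builds an equality filter on the chosen Host Search Attribute (the general shape of such a lookup; the exact filter NAC sends is not shown on this page), escapes the hostname per RFC 4515 so that a name containing filter metacharacters cannot alter the query, and evaluates it against the entries. The directory entries and hostnames are made up.

```python
"""Model the NAC 'LDAP Host Group' comparison for a resolved hostname.

Added example, not NAC's code. DIRECTORY and the hostnames are constructed.
"""
import re

# RFC 4515 escaping for values embedded in a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")
_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w.-]*)=(?P<value>.*)\)$")

# Constructed AD-style computer objects: 'name' is the short name, dNSHostName the FQDN.
DIRECTORY = [
    {"name": "PC01", "dNSHostName": "pc01.lab.example"},
    {"name": "PC02", "dNSHostName": "pc02.lab.example"},
]


def ldap_escape(value):
    """Escape a hostname before embedding it in a filter (no wildcard/paren injection)."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def ldap_unescape(value):
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def choose_attr(hostname):
    """dNSHostName needs an FQDN; a DHCP-only short name can only match 'name'."""
    return "dNSHostName" if "." in hostname else "name"


def host_filter(hostname, attr):
    return f"({attr}={ldap_escape(hostname)})"


def match_entries(filter_str, entries):
    """Evaluate a single equality filter, case-insensitively (these are caseIgnore attributes)."""
    m = _EQUALITY.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter {filter_str!r}")
    attr, want = m["attr"], ldap_unescape(m["value"]).lower()
    return [e for e in entries if str(e.get(attr, "")).lower() == want]


def host_group_match(hostname, entries, attr=None):
    """Entries the Host Group component would match for the resolved hostname."""
    attr = attr or choose_attr(hostname)
    return match_entries(host_filter(hostname, attr), entries)


if __name__ == "__main__":
    for host, attr in [("pc01", "dNSHostName"), ("pc01", "name"), ("pc01.lab.example", "dNSHostName")]:
        print(host_filter(host, attr), "->", [e["name"] for e in host_group_match(host, DIRECTORY, attr)])
```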
