Static OSPF Redistribute

Snippet from R1, acting as an ASBR with a static route towards an external router, showing the redistribution of that external route into OSPF.

R1

ip route 3.3.3.3 255.255.255.255 10.10.10.2 weight 1
ip route 3.3.3.3 255.255.255.255 10.10.10.2 enable

ip prefix-list StaticOSPFRedistribute 3.3.3.3/32 ge 32 le 32

route-map "OSPFStatic" 1
enable
match network "StaticOSPFRedistribute"
exit

router ospf
as-boundary-router enable

redistribute static route-map "OSPFStatic"
redistribute static metric 10
redistribute static metric-type type1
redistribute static enable
exit

#WARNING: Routes will not be injected until apply command is issued after enable command

ip ospf apply redistribute static

show ip route
show ip ospf redistribute
show ip prefix-list
show route-map
show route-map detail

XMC EAC with 802.1X and Windows

Create a rule for machine login that checks that the computer is a domain-joined machine. A Windows machine in a logged-out state adds “host” in front of the hostname, and to authenticate the machine EAC needs to perform a User lookup in Active Directory.

This lookup uses a servicePrincipalName, so add an LDAP authentication rule that looks for host/* and searches AD using an LDAP Configuration that searches on servicePrincipalName. This means an additional LDAP Configuration is needed to look up machines and validate that they are allowed on the network. It can still use the same LDAP server as for User logins, but the attributes will be different.

This is covered by the following GTAC solution, which can be referenced and used for your own XMC EAC implementation. The key point to note is that in the End Systems table the Username column shows different information when nobody is logged into the machine and when somebody has logged in. This is why two LDAP Configurations are needed: one that covers Machine logins (servicePrincipalName) and one that covers Machine (cn) and User (sAMAccountName) logins.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices
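The rule selection described above, as an added Python example (not part of the GTAC solution or of XMC): it picks the machine or user LDAP lookup from the RADIUS User-Name and escapes the value per RFC 4515 before it is placed in the search filter. The function names, the configuration labels and the handling of DOMAIN\user and user@realm forms are assumptions.

```python
from typing import Tuple

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_for_identity(identity: str) -> Tuple[str, str]:
    """Map a RADIUS User-Name to (LDAP configuration label, search filter).

    The labels are hypothetical names for the two LDAP Configurations.
    """
    identity = identity.strip()
    if identity.lower().startswith("host/"):
        # Logged-out Windows machine: search on servicePrincipalName.
        if len(identity) == len("host/"):
            raise ValueError("machine identity has no hostname")
        return "machine-spn", f"(servicePrincipalName={escape_filter_value(identity)})"
    # Assumption: user identities may arrive as DOMAIN\user or user@realm.
    user = identity.rsplit("\\", 1)[-1].split("@", 1)[0]
    if not user:
        raise ValueError("empty user identity")
    return "user-sam", f"(sAMAccountName={escape_filter_value(user)})"


# Constructed sample identities, not taken from a real deployment.
SAMPLES = ["host/PC01.corp.example", "CORP\\alice", "bob@corp.example", "host/*"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", lookup_for_identity(name))
```

The last sample shows why the escaping matters: an identity of host/* becomes a literal match on the asterisk, not a wildcard that matches every machine in the directory.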

 

Analytics Licenses

Analytics License changes for 8.2 are client based, not flow based

https://gtacknowledge.extremenetworks.com/articles/Q_A/Analytics-License-changes-for-8-2-are-client-based-not-flow-based/?l=en_US&fs=RelatedArticle

Analytics or Purview licensing recommendations – Installs prior to 8.2

https://gtacknowledge.extremenetworks.com/articles/Q_A/Purview-licensing-recommendations?l=en_US&fs=RelatedArticle

How to add or update license key in Extreme Management Center (XMC) in version 8.x

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-license-key-in-EMC-8-x?q=upgrading+licenses+xmc&r=1&ArticleActions.handleEditPublished=1&l=en_US&fs=Search&pn=1

 

 

EXOS Fundamentals

Creating a VLAN

create [ {vlan} vlan_name ] {tag tag } {description vlan description} {vr name }

Example…

* X450e-48p.2 # create vlan test tag 100
* X450e-48p.3 # configure vlan test add port 1 tagged
* X450e-48p.4 # configure vlan test add port 2
* X450e-48p.5 # sh vlan
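-----------------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
                                                                            Active router
                                                                            /Total
-----------------------------------------------------------------------------------------------
Default         1    ------------------------------------------------ ANY    0 /0   VR-Default
Mgmt            4095 ------------------------------------------------ ANY    1 /1   VR-Mgmt
test            100  ------------------------------------------------ ANY    0 /2   VR-Default
-----------------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
        (d) Dynamically created VLAN, (D) VLAN Admin Disabled,

Total number of VLAN(s) : 3
* X450e-48p.6 # sh test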
VLAN Interface with name test created by user
Admin State:         Enabled     Tagging:   802.1Q Tag 100
Description:         None
Virtual router:      VR-Default
IPv4 Forwarding:     Disabled
IPv4 MC Forwarding:  Disabled
IPv6 Forwarding:     Disabled
IPv6 MC Forwarding:  Disabled
IPv6:                None
STPD:                None
Protocol:            Match all unfiltered protocols
Loopback:            Disabled
NetLogin:            Disabled
OpenFlow:            Disabled
QosProfile:          None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:       None configured
Ports:   2.           (Number of active ports=0)
Untag:       2
Tag:         1
Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(e) Private-VLAN End Point Port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
(H) Dynamically added by MVRP
(U) Dynamically added uplink port
(V) Dynamically added by VM Tracking

 

Removing port from a VLAN

  • configure vlan <vlan_name> delete ports <port_list>
  • configure vlan <vlan_id> delete ports <port_list>

How to delete a VLAN

configure vlan <vlan_name> delete ports all
delete vlan <vlan_name>

Show VLAN information

  • show port vlan
  • show vlan
  • show vlan <vlan_name>
  • show fdb

Add IP address to a VLAN

configure vlan <vlan_name> ipaddress <ip_address>/<subnet_mask>

Remove IP address from a VLAN

unconfigure vlan <vlan_name> ipaddress

https://documentation.extremenetworks.com/exos_commands_22.1/EXOS_21_1/Preface/c_introduction-cr.shtml

Creating Dynamic VLANs

To specify one or more ports as tagged uplink ports that are added to the dynamically created VLAN, use the following command:

configure netlogin dynamic-vlan uplink-ports [port_list | none]

To enable the switch to create dynamic VLANs, use the following command:

configure netlogin dynamic-vlan [disable | enable]

https://documentation.extremenetworks.com/exos_22.1/exos_21_1/netlogin/c_configuring-dynamic-vlans-for-network-login.shtml

Extreme Networks VSAs

https://documentation.extremenetworks.com/exos_22.1/exos_21_1/Security/r_extreme-networks-vsas.shtml

RADIUS Attributes

https://documentation.extremenetworks.com/exos_22.1/exos_21_1/Security/r_standard-radius-attributes-used-by-extreme-switches.shtml

Tested authentication using Extreme Networks Access Control with RFC3580 which sends the VLAN ID to the Summit switch.

Inter-VLAN routing

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-enable-inter-VLAN-routing-in-EXOS?l=en_US&fs=RelatedArticle

VLANs and tagged or untagged ports

https://gtacknowledge.extremenetworks.com/articles/How_To/Understanding-EXOS-VLANS-and-tagged-and-untagged-ports/?l=en_US&fs=RelatedArticle

Adding DHCP Server to VLAN

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-DHCP-server-on-a-VLAN-in-EXOS/?q=dhcp+exos&l=en_US&fs=Search&pn=1

Troubleshooting DHCP

https://gtacknowledge.extremenetworks.com/articles/How_To/Troubleshooting-DHCP-issues/?l=en_US&fs=Search&pn=1

How to apply IP to management interface

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-an-IP-address-on-the-management-interface-of-an-EXOS-switch?l=en_US&fs=RelatedArticle

Switch hardening

https://gtacknowledge.extremenetworks.com/articles/Q_A/EXOS-Switch-Security-Checklist-and-best-practice/?l=en_US&fs=RelatedArticle

 

ERS 4850GTS-PWR+ and 802.3at

There is an inconsistency between CLI and EDM in release 5.9 which results in an EDM error "Wrong Value" when selecting 802.3at and 32w on a port.

See attached solution note from Avaya support webpage.

https://support.avaya.com/ext/index?page=content&id=SOLN320951

This issue was fixed in release 5.10. Upgrading the switch to the latest release should eliminate this error. The switch was upgraded to release 5.12.3. The option in EDM for 802.3at has been removed.

It is possible to set 32w of power on a port configured as 802.3af on the Avaya ERS 4850, because a PWR+ switch supports 802.3at.

If you still have issues negotiating power with a PD, try using LLDP on the PSE and PD.

Below are the power related commands that can be enabled.

Switch(config)#interface ethernet 1/13
Switch(config-if)#lldp status txAndRx config-notification
Switch(config-if)#lldp tx-tlv port 1/13 dot3 mdi-power-support
Switch(config-if)#lldp tx-tlv port 1/13 med med-capabilities
Switch(config-if)#lldp tx-tlv port 1/13 med extendedPSE

The AP must also have LLDP enabled so that the two devices can exchange LLDPDUs. This note comes from the experience of providing the power demanded by an Aerohive 650 Access Point on an Avaya ERS 4850GTS-PWR+ switch.

VSP transceivers and autonegotiation

Autonegotiation

Use Autonegotiation to allow the device to automatically negotiate the best common data rate and duplex mode to use between two Autonegotiation-capable Ethernet devices.

When you use a 1 Gigabit SFP transceiver on a 10 Gigabit SFP+ port, you must enable autonegotiate if it is not enabled already. However, if you use 1 Gigabit SFP transceivers on a VSP 4000 switch that is connected to third party switches at the remote end, you must have autonegotiate enabled at all times; this applies to SFP transceivers installed in a 1 Gigabit SFP port or a 10 Gigabit SFP+ port.

For VSP 7254XSQ, auto-negotiation is always disabled for 1 Gigabit Ethernet transceivers. If using a 1000BASE-T SFP, the remote 1000BASE-T interface must have auto-negotiation enabled. If not, the link will not be established. Also note that because the SFP+ ports on the VSP 7254XSQ only support 1 and 10 Gbps speeds, the AA1419043-E6 1000BASE-T SFP will only operate at 1G speeds.

If you use 1 Gbps fiber SFP transceivers, auto-negotiation is always disabled so the remote end must also have auto-negotiation disabled. Otherwise this is not a supported configuration with VSP 7254XSQ.

Connecting a VSP 7254XSQ with a 1 Gbps fiber SFP to EXOS switches requires autonegotiation to be disabled on the EXOS switch.

configure port <port#> auto off speed <speed> duplex <half | full>

XMC Hints

XMC Installation

To rerun the post install script…

cd /usr/postinstall

ls

./dnetconfig

Check server log file

tail -f /usr/local/Extreme_Networks/Netsight/appdata/logs/server.log

Check Spanning Tree status using FlexView

Select switches from Devices and use FlexView to open a new tab with Bridge Spanning Tree Information or Bridge Port Summary Information.

Terminal CLI

Select multiple devices by type and choose Device>Execute CLI Commands… and run commands across multiple devices. View results and/or Export results to a file.

Interface Statistics

From FlexView (Interface Statistics) select a column such as In Discards or In Errors and use a Filter >0 to pick out interfaces with errors.

 

EXOS STP Domain

Make sure the VLAN and its ports are associated with an STP domain so that the ports can participate in STP. Check with show vlan (the T flag means the VLAN is a member of an STP domain) or show stpd (check the VLAN bindings).

I created VLAN 11, moved port 5 to it, and purposely tried to set a point-to-point link type, knowing the VLAN was not part of an STP domain…

* EXOS-VM.28 # create vlan 11
* EXOS-VM.29 # configure vlan 11 add ports 5
VLAN 11 VLAN_0011:  Port 5 untagged has been auto-moved from VLAN "Default" to "VLAN_0011".

* EXOS-VM.30 # show stpd s0 p 5-8
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
Port 5 not in STP domain s0
6      802.1D FORWARDING 200000 eDap-w--B- 128      8006    80:00:0c:72:16:86:e7:00
7      802.1D FORWARDING 200000 eDap-w--B- 128      8007    80:00:0c:72:16:86:e7:00
8      802.1D FORWARDING 200000 eDap-w--B- 128      8008    80:00:0c:72:16:86:e7:00

Total Ports: 3

------------------------- Flags: ----------------------------
1:                e=Enable, d=Disable
2: (Port role)    R=Root, D=Designated, A=Alternate, B=Backup, M=Master
3: (Config type)  b=broadcast, p=point-to-point, e=edge, a=auto
4: (Oper. type)   b=broadcast, p=point-to-point, e=edge
5:                p=proposing, a=agree
6: (partner mode) d = 802.1d, w = 802.1w, m = mstp
7:                i = edgeport inconsistency
8:                S = edgeport safe guard active
                  s = edgeport safe guard configured but inactive
8:                G = edgeport safe guard bpdu restrict active in 802.1w and mstp
                  g = edgeport safe guard bpdu restrict active in 802.1d
9:                B = Boundary, I = Internal
10:               r = restricted role, t = active role
* EXOS-VM.31 # configure stpd s0 ports link-type point-to-point 5
Error: Port 5 is not a member of STP domain s0
Error: Command aborted due to input errors, no changes made
* EXOS-VM.32 #

After binding VLAN 11 I can set port 5 as link-type point-to-point…

* EXOS-VM.33 # enable stpd s0 auto-bind vlan 11
* EXOS-VM.34 # configure stpd s0 ports link-type point-to-point 5

* EXOS-VM.35 # show stpd s0 port 5
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
5      802.1D FORWARDING 200000 eDpppw--B- 128      8005    80:00:0c:72:16:86:e7:00
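
The check described above can be scripted. This added Python example (not from the original notes or from Extreme) decodes the ten-position flag field using the legend printed by show stpd and lists the ports that the switch reports as outside the STP domain. The sample lines are constructed in the layout of that output, and the function names are assumptions.

```python
import re

# One entry per flag position, copied from the legend under "show stpd ... ports".
LEGEND = [
    ("admin", {"e": "enable", "d": "disable"}),
    ("role", {"R": "root", "D": "designated", "A": "alternate", "B": "backup", "M": "master"}),
    ("config_type", {"b": "broadcast", "p": "point-to-point", "e": "edge", "a": "auto"}),
    ("oper_type", {"b": "broadcast", "p": "point-to-point", "e": "edge"}),
    ("handshake", {"p": "proposing", "a": "agree"}),
    ("partner_mode", {"d": "802.1d", "w": "802.1w", "m": "mstp"}),
    ("edge_inconsistency", {"i": "inconsistent"}),
    ("safeguard", {"S": "active", "s": "configured, inactive",
                   "G": "bpdu-restrict (802.1w/mstp)", "g": "bpdu-restrict (802.1d)"}),
    ("region", {"B": "boundary", "I": "internal"}),
    ("role_control", {"r": "restricted role", "t": "active role"}),
]
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z]+)\s+\d+\s+(\S{10})\s")
NOT_MEMBER = re.compile(r"^Port (\S+) not in STP domain \S+")

def decode_flags(flags):
    """Turn a ten-character flag field into {position name: meaning or None}."""
    if len(flags) != len(LEGEND):
        raise ValueError(f"expected {len(LEGEND)} flag characters, got {len(flags)}")
    decoded = {}
    for (name, meanings), ch in zip(LEGEND, flags):
        if ch != "-" and ch not in meanings:
            raise ValueError(f"unknown flag {ch!r} for {name}")
        decoded[name] = meanings.get(ch)  # "-" means the flag is not set
    return decoded

def audit(output):
    """Return (decoded ports, ports reported as outside the STP domain)."""
    ports, outside = {}, []
    for line in output.splitlines():
        missing = NOT_MEMBER.match(line.strip())
        row = ROW.match(line)
        if missing:
            outside.append(missing.group(1))
        elif row:
            ports[row.group(1)] = {"mode": row.group(2), "state": row.group(3),
                                   **decode_flags(row.group(4))}
    return ports, outside

# Constructed sample in the layout of "show stpd s0 ports".
SAMPLE = """\
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
Port 5 not in STP domain s0
6      802.1D FORWARDING 200000 eDap-w--B- 128      8006    80:00:0c:72:16:86:e7:00
7      802.1D FORWARDING 200000 eDpppw--B- 128      8007    80:00:0c:72:16:86:e7:00
"""
```

Calling audit(SAMPLE) returns the decoded ports 6 and 7 plus the list ["5"], the port that is not covered by STP until its VLAN is bound to the domain.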