Extreme 5520

Tested the new Extreme 5520 universal switch this week, which supports EXOS (default) or VOSS. VOSS does not support stacking, so it was a learning experience creating a stack of EXOS switches for the first time.

Stacking is quite straightforward and can be simplified by using easy-setup when running the enable stacking command on the master switch that I consoled onto. It is recommended to create a ring topology before doing this step.

After powering on the first switch I saw a message advising me to upgrade the software version.

I configured a management VLAN, gave it an IP address and moved a port into the VLAN for my laptop. I initially used TFTP to upgrade the XOS version, but for the remaining switches I used a USB disk in USB2 at the rear.

Insert a USB in the USB slot and type show memorycard to make sure the USB is recognised.

Type ls /usr/local/ext to list the files on the USB disk. Enter download image memorycard summit_arm-31.1.1.3-patch1-1.xos to upgrade from USB instead of TFTP, which is much quicker.

It is good practice to upgrade the software and ensure all switches are using the same release before stacking them.

Used 0.5m QSFP+ Passive Copper Cables 40GB to connect stacking ports at the front of the switch.

Inserted a 5520-VIM-4X (4x10GE SFP+) in two different switches and created a static LAG group with two ports (one from each VIM). See the Extreme website for the list of SFP/SFP+ modules supported in the VIM module.

enable sharing 1:57 grouping 1:57,2:57 algorithm address-based L2

When I enabled RADIUS mgmt-access, I could no longer SSH into the switch. I expected it to work and fall back to local accounts, as I had no RADIUS server to test with, but was surprised to get access denied. To work around this issue I created a fail-safe account and permitted SSH for it, and then I could log in when RADIUS was not connected.

EXOS ELRP-Client

Summit EXOS switches have a useful command to check for loops.

[Figure: elrp GNS3 setup]

The GNS3 setup above recreates a loop in VLAN DATA using ports 1 and 2, which are connected to a hub. Configure ELRP and run a test for a specific VLAN. Ports 1 and 2 are both members of VLAN DATA. There is no STP protection (the VLAN was created and the ports added to it without binding it to STPD s0). Enable port 2 and test for a loop.

#Configuring ELRP

enable elrp-client

conf elrp-client one-shot vlan DATA ports all interval 1 retry 5

EXOS-VM.5 # en port 2

* EXOS-VM.6 # conf elrp-client one-shot vlan DATA ports all interval 1 retry 5

Starting ELRP Poll

# LOOP DETECTED # --- vlan "DATA" elrp statistics ---

1 packets transmitted, 1 received, ingress port 2

. . .

Once finished, disable it.

disable elrp-client
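As an added example (not from the original post), a small Python parser for the one-shot ELRP result, so the loop check above can be scripted across many VLANs and its result fed to monitoring. The sample output is constructed, modelled on the capture above; the format of the no-loop line (no "ingress port" field) is an assumption.

```python
import re

# Constructed sample, modelled on the one-shot ELRP output captured in this post.
# The VOICE block (no loop, no ingress port) is an assumed format, not a real capture.
ELRP_OUTPUT = """\
Starting ELRP Poll
# LOOP DETECTED # --- vlan "DATA" elrp statistics ---
1 packets transmitted, 1 received, ingress port 2
--- vlan "VOICE" elrp statistics ---
5 packets transmitted, 0 received
"""

def parse_elrp_one_shot(text):
    """Return one record per polled VLAN: vlan, loop flag, tx/rx counts and ingress port.
    A VLAN is looped when the switch received its own ELRP probe back."""
    results, current = [], None
    for line in text.splitlines():
        m = re.search(r'vlan "(?P<vlan>[^"]+)" elrp statistics', line)
        if m:
            current = {"vlan": m["vlan"], "loop": "LOOP DETECTED" in line,
                       "transmitted": 0, "received": 0, "ingress_port": None}
            results.append(current)
            continue
        # Statistics line; the ingress port is only reported when a probe came back.
        m = re.match(r"(\d+) packets transmitted, (\d+) received(?:, ingress port (\S+))?", line)
        if m and current:
            current["transmitted"], current["received"] = int(m[1]), int(m[2])
            current["ingress_port"] = m[3]
    return results

def looped_vlans(text):
    """Names of the VLANs in which ELRP detected a loop."""
    return [r["vlan"] for r in parse_elrp_one_shot(text) if r["loop"]]

if __name__ == "__main__":
    for r in parse_elrp_one_shot(ELRP_OUTPUT):
        state = f"LOOP via port {r['ingress_port']}" if r["loop"] else "clean"
        print(f"{r['vlan']}: {state} ({r['transmitted']} tx / {r['received']} rx)")
```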

Note:

Make sure new VLANs are auto-bound to a Spanning Tree domain, otherwise the ports may not be protected by STP and can form loops.

enable stpd s0 auto-bind vlan DATA

EXOS Fundamentals

Creating a VLAN

create [ {vlan} vlan_name ] {tag tag} {description vlan description} {vr name}

Example…

* X450e-48p.2 # create vlan test tag 100
* X450e-48p.3 # configure vlan test add port 1 tagged
* X450e-48p.4 # configure vlan test add port 2
* X450e-48p.5 # sh vlan
------------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
                                                                            Active router
                                                                            /Total
------------------------------------------------------------------------------------------
Default         1    ------------------------------------------------ ANY    0 /0   VR-Default
Mgmt            4095 ------------------------------------------------ ANY    1 /1   VR-Mgmt
test            100  ------------------------------------------------ ANY    0 /2   VR-Default
------------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
        (d) Dynamically created VLAN, (D) VLAN Admin Disabled,
Total number of VLAN(s) : 3
* X450e-48p.6 # sh test
VLAN Interface with name test created by user
Admin State:         Enabled     Tagging:   802.1Q Tag 100
Description:         None
Virtual router:      VR-Default
IPv4 Forwarding:     Disabled
IPv4 MC Forwarding:  Disabled
IPv6 Forwarding:     Disabled
IPv6 MC Forwarding:  Disabled
IPv6:                None
STPD:                None
Protocol:            Match all unfiltered protocols
Loopback:            Disabled
NetLogin:            Disabled
OpenFlow:            Disabled
QosProfile:          None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:       None configured
Ports:   2.           (Number of active ports=0)
Untag:       2
Tag:         1
Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(e) Private-VLAN End Point Port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
(H) Dynamically added by MVRP
(U) Dynamically added uplink port
(V) Dynamically added by VM Tracking


Removing port from a VLAN

  • configure vlan <vlan_name> delete ports <port_list>
  • configure vlan <vlan_id> delete ports <port_list>

How to delete a VLAN

configure vlan <vlan_name> delete ports all
delete vlan <vlan_name>

Show VLAN information

  • show port vlan
  • show vlan
  • show vlan <vlan_name>
  • show fdb

Add IP address to a VLAN

configure vlan <vlan_name> ipaddress <ip_address>/<subnet_mask>

Remove IP address from a VLAN

unconfigure vlan <vlan_name> ipaddress

https://documentation.extremenetworks.com/exos_commands_22.1/EXOS_21_1/Preface/c_introduction-cr.shtml

Creating Dynamic VLANs

To specify one or more ports as tagged uplink ports that are added to the dynamically created VLAN, use the following command:

configure netlogin dynamic-vlan uplink-ports [port_list | none]

To enable the switch to create dynamic VLANs, use the following command:

configure netlogin dynamic-vlan [disable | enable]

https://documentation.extremenetworks.com/exos_22.1/exos_21_1/netlogin/c_configuring-dynamic-vlans-for-network-login.shtml

Extreme Networks VSAs

https://documentation.extremenetworks.com/exos_22.1/exos_21_1/Security/r_extreme-networks-vsas.shtml

RADIUS Attributes

https://documentation.extremenetworks.com/exos_22.1/exos_21_1/Security/r_standard-radius-attributes-used-by-extreme-switches.shtml

Tested authentication using Extreme Networks Access Control with RFC3580 which sends the VLAN ID to the Summit switch.

Inter-VLAN routing

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-enable-inter-VLAN-routing-in-EXOS?l=en_US&fs=RelatedArticle

VLANs and tagged or untagged ports

https://gtacknowledge.extremenetworks.com/articles/How_To/Understanding-EXOS-VLANS-and-tagged-and-untagged-ports/?l=en_US&fs=RelatedArticle

Adding DHCP Server to VLAN

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-DHCP-server-on-a-VLAN-in-EXOS/?q=dhcp+exos&l=en_US&fs=Search&pn=1

Troubleshooting DHCP

https://gtacknowledge.extremenetworks.com/articles/How_To/Troubleshooting-DHCP-issues/?l=en_US&fs=Search&pn=1

How to apply IP to management interface

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-an-IP-address-on-the-management-interface-of-an-EXOS-switch?l=en_US&fs=RelatedArticle

Switch hardening

https://gtacknowledge.extremenetworks.com/articles/Q_A/EXOS-Switch-Security-Checklist-and-best-practice/?l=en_US&fs=RelatedArticle


EXOS STP Domain

Make sure VLANs / ports are associated with an STP domain so the ports can participate in STP. Check with show vlan (the T flag means the VLAN is a member of an STP domain) or show stpd (check the VLAN bindings).

Created VLAN 11, moved port 5 to it and purposely tried to set a p-t-p link, knowing the VLAN was not part of an STP domain…

* EXOS-VM.28 # create vlan 11
* EXOS-VM.29 # configure vlan 11 add ports 5
VLAN 11 VLAN_0011:  Port 5 untagged has been auto-moved from VLAN "Default" to "VLAN_0011".

* EXOS-VM.30 # show stpd s0 p 5-8
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
Port 5 not in STP domain s0
6      802.1D FORWARDING 200000 eDap-w--B- 128      8006    80:00:0c:72:16:86:e7:00
7      802.1D FORWARDING 200000 eDap-w--B- 128      8007    80:00:0c:72:16:86:e7:00
8      802.1D FORWARDING 200000 eDap-w--B- 128      8008    80:00:0c:72:16:86:e7:00

Total Ports: 3

------------------------- Flags: ----------------------------
1:                e=Enable, d=Disable
2: (Port role)    R=Root, D=Designated, A=Alternate, B=Backup, M=Master
3: (Config type)  b=broadcast, p=point-to-point, e=edge, a=auto
4: (Oper. type)   b=broadcast, p=point-to-point, e=edge
5:                p=proposing, a=agree
6: (partner mode) d = 802.1d, w = 802.1w, m = mstp
7:                i = edgeport inconsistency
8:                S = edgeport safe guard active
s = edgeport safe guard configured but inactive
8:                G = edgeport safe guard bpdu restrict active in 802.1w and mstp
g = edgeport safe guard bpdu restrict active in 802.1d
9:                B = Boundary, I = Internal
10:               r = restricted role, t = active role
* EXOS-VM.31 # configure stpd s0 ports link-type point-to-point 5
Error: Port 5 is not a member of STP domain s0
Error: Command aborted due to input errors, no changes made
* EXOS-VM.32 #

After binding VLAN 11 I can set port 5 as link-type point-to-point…

* EXOS-VM.33 # enable stpd s0 auto-bind vlan 11
* EXOS-VM.34 # configure stpd s0 ports link-type point-to-point 5

* EXOS-VM.35 # show stpd s0 port 5
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
5      802.1D FORWARDING 200000 eDpppw--B- 128      8005    80:00:0c:72:16:86:e7:00
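The Note in the ELRP-Client section and this section make the same point: a VLAN that is not bound to an STPD has no loop protection. As an added example (not part of the original post), here is a Python audit that parses `show stpd detail` and `show vlan` output and lists the VLANs that sit in no STP domain. The sample output is constructed from the captures in this post; a comma-separated list on the "Participating Vlans" line is assumed for multi-VLAN domains.

```python
import re

# Constructed sample output (not a real capture), modelled on the 'show stpd detail'
# and 'show vlan' captures in this post. Comma-separated VLAN lists are assumed.
SHOW_STPD_DETAIL = """\
Stpd: s0                Stp: ENABLED            Number of Ports: 12
Operational Mode: MSTP                  Default Binding Mode: 802.1D
Participating Vlans: Default, VLAN_0011
Auto-bind Vlans: Default, VLAN_0011
"""
SHOW_VLAN = """\
Name            VID  Protocol Addr       Flags            Proto  Ports  Virtual
-------------------------------------------------------------------------------
Default         1    ------------------- ---------------- ANY    0 /0   VR-Default
Mgmt            4095 ------------------- ---------------- ANY    1 /1   VR-Mgmt
DATA            100  ------------------- ---------------- ANY    0 /2   VR-Default
VLAN_0011       11   ------------------- ---------------- ANY    0 /1   VR-Default
-------------------------------------------------------------------------------
"""

def parse_stpd_vlans(text):
    """Return {stpd_name: set of participating VLAN names} from 'show stpd detail'."""
    bound, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Stpd:\s+(\S+)", line)
        if m:
            current = m.group(1)
            bound[current] = set()
        m = re.match(r"Participating Vlans:\s*(.*)", line)
        if m and current:
            bound[current] |= {v.strip() for v in m.group(1).split(",") if v.strip()}
    return bound

def parse_vlan_table(text):
    """Return {vlan_name: vid} from 'show vlan'; data rows start with a name and a numeric VID."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s", line)
        if m:
            vlans[m.group(1)] = int(m.group(2))
    return vlans

def unprotected_vlans(show_vlan, show_stpd_detail, ignore=("Mgmt",)):
    """VLANs present in 'show vlan' but bound to no STPD: their ports have no STP loop protection.
    The management VLAN is ignored by default since it is normally not in an STPD."""
    protected = set().union(*parse_stpd_vlans(show_stpd_detail).values())
    return sorted(v for v in parse_vlan_table(show_vlan) if v not in protected and v not in ignore)
```

For each VLAN returned, the fix is the same command used above: enable stpd s0 auto-bind vlan <name>.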


EXOS STP

EXOS VM 22.6.1.4:

!!!!  NOTE: Spanning Tree default changed in ExtremeXOS 22.2  !!!!

Multiple Spanning Tree Protocol (MSTP) is enabled by default to prevent broadcast storms

Would you like to disable MSTP? [y/N/q]:

* EXOS-VM.3 # show stpd
MSTP Global Configuration:
MSTP Region Name        : 0c7216bd8e00
MSTP Format Identifier  : 0
MSTP Revision Level     : 3
MSTP Digest             : ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62
Common and Internal Spanning Tree (CIST)        : s0
Total Number of MST Instances (MSTI)            : 0

Name       Tag  Flags  Ports Bridge ID        Designated Root  Rt Port Rt Cost
s0         0000 EM----    12 80000c7216bd8e00 80000c7216bd8e00 -------       0

Total number of STPDs: 1                STP Flush Method: VLAN and Port
STP BPDU Forwarding: On
STP Multicast Send IGMP or MLD Query: On

Flags: (C) Topology Change, (D) Disable, (E) Enable, (R) Rapid Root Failover
(T) Topology Change Detected, (M) MSTP CIST, (I) MSTP MSTI

* EXOS-VM.5 # show stpd detail

Stpd: s0                Stp: ENABLED            Number of Ports: 12
Rapid Root Failover: Disabled
Operational Mode: MSTP                  Default Binding Mode: 802.1D
MSTI Instance:  CIST
802.1Q Tag: (none)
Ports: 1,2,3,4,5,6,7,8,9,10,
11,12
Participating Vlans: Default
Auto-bind Vlans: Default
Bridge Priority            : 32768              Bridge Priority Mode: 802.1t
Operational Bridge Priority: 32768
BridgeID                   : 80:00:0c:72:16:bd:8e:00
Designated root            : 80:00:0c:72:16:bd:8e:00
CIST Root                  : 80:00:0c:72:16:bd:8e:00
CIST Regional Root         : 80:00:0c:72:16:bd:8e:00
External RootPathCost      : 0  Internal RootPathCost: 0
Root Port   : ----
MaxAge      : 20s       HelloTime     : 2s      ForwardDelay     : 15s
CfgBrMaxAge : 20s       CfgBrHelloTime: 2s      CfgBrForwardDelay: 15s
RemainHopCount: 20      CfgMaxHopCount: 20
Topology Change Time           : 35s            Hold time        : 1s
Topology Change Detected       : FALSE          Topology Change  : FALSE
Number of Topology Changes     : 0
Time Since Last Topology Change: 0s
Topology Change initiated locally on Port none
Topology Change last received on Port none from none
Backup Root               : Off         Backup Root Activated  : FALSE
Loop Protect Event Window : 180s        Loop Protect Threshold : 3
New Root Trap             : On          Topology Change Trap   : Off
Tx Hold Count             : 6
Participating VLANs:
VLAN                                     Tag    Number of Ports
Ports
-------------------------------------------------------------------------------
Default                                  1      12
1(F),2(F),3(F),4(F),5(F),6(F),7(F),8(F),
9(F),10(F),11(F),12(F)
Flags: B-Blocking, D-Disabled, F-Forwarding, I-Listening, L-Learning

* EXOS-VM.6 # show stpd s0 ports
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
1      802.1D FORWARDING 200000 eDappw--B- 128      8001    80:00:0c:72:16:bd:8e:00
2      802.1D FORWARDING 200000 eDappw--B- 128      8002    80:00:0c:72:16:bd:8e:00
3      802.1D FORWARDING 200000 eDappw--B- 128      8003    80:00:0c:72:16:bd:8e:00
4      802.1D FORWARDING 200000 eDappw--B- 128      8004    80:00:0c:72:16:bd:8e:00
5      802.1D FORWARDING 200000 eDappw--B- 128      8005    80:00:0c:72:16:bd:8e:00
6      802.1D FORWARDING 200000 eDappw--B- 128      8006    80:00:0c:72:16:bd:8e:00
7      802.1D FORWARDING 200000 eDappw--B- 128      8007    80:00:0c:72:16:bd:8e:00
8      802.1D FORWARDING 200000 eDappw--B- 128      8008    80:00:0c:72:16:bd:8e:00
9      802.1D FORWARDING 200000 eDappw--B- 128      8009    80:00:0c:72:16:bd:8e:00
10     802.1D FORWARDING 200000 eDappw--B- 128      800a    80:00:0c:72:16:bd:8e:00
11     802.1D FORWARDING 200000 eDappw--B- 128      800b    80:00:0c:72:16:bd:8e:00
12     802.1D FORWARDING 200000 eDappw--B- 128      800c    80:00:0c:72:16:bd:8e:00

Total Ports: 12

------------------------- Flags: ----------------------------
1:                e=Enable, d=Disable
2: (Port role)    R=Root, D=Designated, A=Alternate, B=Backup, M=Master
3: (Config type)  b=broadcast, p=point-to-point, e=edge, a=auto
4: (Oper. type)   b=broadcast, p=point-to-point, e=edge
5:                p=proposing, a=agree
6: (partner mode) d = 802.1d, w = 802.1w, m = mstp
7:                i = edgeport inconsistency
8:                S = edgeport safe guard active
s = edgeport safe guard configured but inactive
8:                G = edgeport safe guard bpdu restrict active in 802.1w and mstp
g = edgeport safe guard bpdu restrict active in 802.1d
9:                B = Boundary, I = Internal
10:               r = restricted role, t = active role

* EXOS-VM.8 # show config stp detail
#
# Module stp configuration.
#
configure mstp region 0c7216bd8e00
configure mstp revision 3
configure mstp format 0
create stpd s0
configure stpd s0 delete vlan default ports all
configure stpd s0 mode mstp cist
configure stpd s0 forwarddelay 15
configure stpd s0 hellotime 2
configure stpd s0 maxage 20
configure stpd s0 max-hop-count 20
configure stpd s0 priority-mode dot1t
configure stpd s0 priority 32768
configure stpd s0 default-encapsulation dot1d
configure stpd s0 loop-protect event-window 180
configure stpd s0 loop-protect event-threshold 3
configure stpd s0 backup-root off
configure stpd s0 trap new-root on
configure stpd s0 trap topology-change off
configure stpd s0 trap topology-change edge-ports off
configure stpd s0 tx-hold-count 6
enable stpd s0 auto-bind vlan Default
enable stpd s0
configure stpd flush-method vlan-and-port
configure stpd bpdu-forwarding on
configure stpd multicast send-query on

After adding another EXOS switch with two inter-switch links between them forming a looped topology, the second port on the non-root bridge is BLOCKING as expected.

EXOS-VM.2 # show stpd s0 p
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
1      802.1D FORWARDING 200000 eRapam--B- 128      8001    80:00:0c:72:16:86:e7:00
2      802.1D BLOCKING   200000 eAapam--B- 128      8002    80:00:0c:72:16:86:e7:00