Extreme 5520

Tested the new Extreme 5520 universal switch this week, which supports EXOS (default) or VOSS. VOSS does not support stacking so was a learning experience creating a stack of EXOS switches for the first time.

Stacking is quite straight forward and can be simplified by using easy-setup when run the enable stacking command on the master switch where I consoled onto. It is recommended to create a ring topology before doing this step.

After powering on the first switch I saw a message advising me to upgrade the software version.

I configured a management VLAN and gave it an IP address and moved a port into the VLAN for my laptop. I initially used TFTP to upgrade the XOS version but for the remaining switches I used a USB disk on USB2 at the rear.

Insert a USB in the USB slot and type show memorycard to make sure the USB is recognised.

Type ls /usr/local/ext to list the files on the USB disk. Enter download image memorycard summit_arm- to upgrade from USB instead of TFTP which is much quicker.

It is good practice to upgrade the software and ensure all switches are using the same release before stacking them.

Used 0.5m QSFP+ Passive Copper Cables 40GB to connect stacking ports at the front of the switch.

Inserted 5520-VIM-4X 4x10GE SFP+ in two different switches and created a static lag group with two ports (one from each VIM). See Extreme website for list of SFP/SFP+ supported in the VIM module.

enable sharing 1:57 grouping 1:57,2:57 algorithm address-based L2

When enabled RADIUS mgmt-access I could no longer SSH into the switch. I expected it to work and fallback to use local accounts as I had no RADIUS server to test with but was surprised to get access denied. To workaround this issue I created a fail-safe account and permitted SSH for it and then I could login when RADIUS was not connected.

Analytics Licenses

Analytics License changes for 8.2 are client based, not flow based


Analytics or Purview licensing recommendations – Installs prior to 8.2


How to add or update license key in Extreme Management Center (XMC) in version 8.x




EXOS Fundamentals

Creating a VLAN

create [ {vlan} vlan_name ] {tag tag } {description vlan description} {vr name }


* X450e-48p.2 # create vlan test tag 100
* X450e-48p.3 # configure vlan test add port 1 tagged
* X450e-48p.4 # configure vlan test add port 2
* X450e-48p.5 # sh vlan
Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
Active router
Default         1    ———————————————— ANY    0 /0   VR-Default
Mgmt            4095 ———————————————— ANY    1 /1   VR-Mgmt
test            100  ———————————————— ANY    0 /2   VR-Default
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
(d) Dynamically created VLAN, (D) VLAN Admin Disabled,Total number of VLAN(s) : 3
sh te* X450e-48p.6 # sh test
VLAN Interface with name test created by user
Admin State:         Enabled     Tagging:   802.1Q Tag 100
Description:         None
Virtual router:      VR-Default
IPv4 Forwarding:     Disabled
IPv4 MC Forwarding:  Disabled
IPv6 Forwarding:     Disabled
IPv6 MC Forwarding:  Disabled
IPv6:                None
STPD:                None
Protocol:            Match all unfiltered protocols
Loopback:            Disabled
NetLogin:            Disabled
OpenFlow:            Disabled
QosProfile:          None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:       None configured
Ports:   2.           (Number of active ports=0)
Untag:       2
Tag:         1
Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(e) Private-VLAN End Point Port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
(H) Dynamically added by MVRP
(U) Dynamically added uplink port
(V) Dynamically added by VM Tracking


Removing port from a VLAN

  • configure vlan <vlan_name> delete ports <port_list>
  • configure vlan <vlan_id> delete ports <port_list>

How to delete a VLAN

configure vlan <vlan_name> delete ports all
delete vlan <vlan_name>

Show VLAN information

  • show port vlan
  • show vlan
  • show vlan <vlan_name>
  • show fdb

Add IP address to a VLAN

configure vlan <vlan_name> ipaddress <ip_address>/<subnet_mask

Remove IP address from a VLAN

unconfigure vlan <vlan_name> ipaddress


Creating Dynamic VLANs

To specify one or more ports as tagged uplink ports that are added to the dynamically created VLAN, use the following command:

configure netlogin dynamic-vlan uplink-ports [port_list | none]

To enable the switch to create dynamic VLANs, use the following command:

configure netlogin dynamic-vlan [disable | enable]


Extreme Networks VSAs


RADIUS Attributes


Tested authentication using Extreme Networks Access Control with RFC3580 which sends the VLAN ID to the Summit switch.

Inter-VLAN routing


VLANs and tagged or untagged ports


Adding DHCP Server to VLAN


Troubleshooting DHCP


How to apply IP to management interface


Switch hardening



XMC Hints

XMC Installation

To rerun the post install script…

cd /usr/postinstall



Check server log file

tail -f /usr/local/Extreme_Networks/Netsight/appdata/logs/server.log

Check Spanning Tree status using FlexView

Select switches from Devices and use FlexView to open a new tab with Bridge Spanning Tree Information or Bridge Port Summary Information.

Terminal CLI

Select multiple devices by type and choose Device>Execute CLI Commands… and run commands across multiple devices. View results and/or Export results to a file.

Interface Statistics

From FlexView (Interface Statistics) select a column such as In Discards or In Errors and use a Filter >0 to pick out interfaces with errors.




!!!!  NOTE: Spanning Tree default changed in ExtremeXOS 22.2  !!!!

Multiple Spanning Tree Protocol (MSTP) is enabled by default to prevent broadcast storms

Would you like to disable MSTP? [y/N/q]:

* EXOS-VM.3 # show stpd
MSTP Global Configuration:
MSTP Region Name        : 0c7216bd8e00
MSTP Format Identifier  : 0
MSTP Revision Level     : 3
MSTP Digest             : ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62
Common and Internal Spanning Tree (CIST)        : s0
Total Number of MST Instances (MSTI)            : 0

Name       Tag  Flags  Ports Bridge ID        Designated Root  Rt Port Rt Cost
s0         0000 EM—-    12 80000c7216bd8e00 80000c7216bd8e00 ——-       0

Total number of STPDs: 1                STP Flush Method: VLAN and Port
STP BPDU Forwarding: On
STP Multicast Send IGMP or MLD Query: On

Flags: (C) Topology Change, (D) Disable, (E) Enable, (R) Rapid Root Failover
(T) Topology Change Detected, (M) MSTP CIST, (I) MSTP MSTI

* EXOS-VM.5 # show stpd detail

Stpd: s0                Stp: ENABLED            Number of Ports: 12
Rapid Root Failover: Disabled
Operational Mode: MSTP                  Default Binding Mode: 802.1D
MSTI Instance:  CIST
802.1Q Tag: (none)
Ports: 1,2,3,4,5,6,7,8,9,10,
Participating Vlans: Default
Auto-bind Vlans: Default
Bridge Priority            : 32768              Bridge Priority Mode: 802.1t
Operational Bridge Priority: 32768
BridgeID                   : 80:00:0c:72:16:bd:8e:00
Designated root            : 80:00:0c:72:16:bd:8e:00
CIST Root                  : 80:00:0c:72:16:bd:8e:00
CIST Regional Root         : 80:00:0c:72:16:bd:8e:00
External RootPathCost      : 0  Internal RootPathCost: 0
Root Port   : —-
MaxAge      : 20s       HelloTime     : 2s      ForwardDelay     : 15s
CfgBrMaxAge : 20s       CfgBrHelloTime: 2s      CfgBrForwardDelay: 15s
RemainHopCount: 20      CfgMaxHopCount: 20
Topology Change Time           : 35s            Hold time        : 1s
Topology Change Detected       : FALSE          Topology Change  : FALSE
Number of Topology Changes     : 0
Time Since Last Topology Change: 0s
Topology Change initiated locally on Port none
Topology Change last received on Port none from none
Backup Root               : Off         Backup Root Activated  : FALSE
Loop Protect Event Window : 180s        Loop Protect Threshold : 3
New Root Trap             : On          Topology Change Trap   : Off
Tx Hold Count             : 6
Participating VLANs:
VLAN                                     Tag    Number of Ports
Default                                  1      12
Flags: B-Blocking, D-Disabled, F-Forwarding, I-Listening, L-Learning

* EXOS-VM.6 # show stpd s0 ports
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
1      802.1D FORWARDING 200000 eDappw–B- 128      8001    80:00:0c:72:16:bd:8e:00
2      802.1D FORWARDING 200000 eDappw–B- 128      8002    80:00:0c:72:16:bd:8e:00
3      802.1D FORWARDING 200000 eDappw–B- 128      8003    80:00:0c:72:16:bd:8e:00
4      802.1D FORWARDING 200000 eDappw–B- 128      8004    80:00:0c:72:16:bd:8e:00
5      802.1D FORWARDING 200000 eDappw–B- 128      8005    80:00:0c:72:16:bd:8e:00
6      802.1D FORWARDING 200000 eDappw–B- 128      8006    80:00:0c:72:16:bd:8e:00
7      802.1D FORWARDING 200000 eDappw–B- 128      8007    80:00:0c:72:16:bd:8e:00
8      802.1D FORWARDING 200000 eDappw–B- 128      8008    80:00:0c:72:16:bd:8e:00
9      802.1D FORWARDING 200000 eDappw–B- 128      8009    80:00:0c:72:16:bd:8e:00
10     802.1D FORWARDING 200000 eDappw–B- 128      800a    80:00:0c:72:16:bd:8e:00
11     802.1D FORWARDING 200000 eDappw–B- 128      800b    80:00:0c:72:16:bd:8e:00
12     802.1D FORWARDING 200000 eDappw–B- 128      800c    80:00:0c:72:16:bd:8e:00

Total Ports: 12

————————- Flags: —————————-
1:                e=Enable, d=Disable
2: (Port role)    R=Root, D=Designated, A=Alternate, B=Backup, M=Master
3: (Config type)  b=broadcast, p=point-to-point, e=edge, a=auto
4: (Oper. type)   b=broadcast, p=point-to-point, e=edge
5:                p=proposing, a=agree
6: (partner mode) d = 802.1d, w = 802.1w, m = mstp
7:                i = edgeport inconsistency
8:                S = edgeport safe guard active
s = edgeport safe guard configured but inactive
8:                G = edgeport safe guard bpdu restrict active in 802.1w and mstp
g = edgeport safe guard bpdu restrict active in 802.1d
9:                B = Boundary, I = Internal
10:               r = restricted role, t = active role

* EXOS-VM.8 # show config stp detail
# Module stp configuration.
configure mstp region 0c7216bd8e00
configure mstp revision 3
configure mstp format 0
create stpd s0
configure stpd s0 delete vlan default ports all
configure stpd s0 mode mstp cist
configure stpd s0 forwarddelay 15
configure stpd s0 hellotime 2
configure stpd s0 maxage 20
configure stpd s0 max-hop-count 20
configure stpd s0 priority-mode dot1t
configure stpd s0 priority 32768
configure stpd s0 default-encapsulation dot1d
configure stpd s0 loop-protect event-window 180
configure stpd s0 loop-protect event-threshold 3
configure stpd s0 backup-root off
configure stpd s0 trap new-root on
configure stpd s0 trap topology-change off
configure stpd s0 trap topology-change edge-ports off
configure stpd s0 tx-hold-count 6
enable stpd s0 auto-bind vlan Default
enable stpd s0
configure stpd flush-method vlan-and-port
configure stpd bpdu-forwarding on
configure stpd multicast send-query on

After adding another EXOS switch with two inter-switch links between them forming a looped topology, the second port on the non-root bridge is BLOCKING as expected.

EXOS-VM.2 # show stpd s0 p
Port     Mode   State      Cost  Flags     Priority Port ID Designated Bridge
1      802.1D FORWARDING 200000 eRapam–B- 128      8001    80:00:0c:72:16:86:e7:00
2      802.1D BLOCKING   200000 eAapam–B- 128      8002    80:00:0c:72:16:86:e7:00


Workflow Composer



Ubuntu Server:

  1. sudo apt-get install curl
  2. curl -sSL https://stackstorm.com/packages/install.sh | bash -s — –user=st2admin –password=’Ch@ngeMe’

Take EWC for a spin!


You can also do a lot through the Web UI: Check the history, run actions, configure rules, install packs…check it out at https://{YOUR_ST2_IP}. Login is the same as via the st2 CLI. Default is st2admin/Ch@ngeMe.



Converting existing scripts into actions:


st2 run packs.setup_virtualenv packs=default

Action Registration

To register a new action:

  1. Place it into the content location.
  2. Tell the system that the action is available.

The actions are grouped in packs and located at /opt/stackstorm/packs

For hacking one-off actions, the convention is to use the default pack – just create your action in /opt/stackstorm/packs/default/actions. Once you have tested it out, you should move it to a dedicated pack.

Register an individual action by calling st2 action create my_action_metadata.yaml. To reload all actions, use st2ctl reload --register-actions


Restart network services:

sudo vim /etc/network/interfaces

# The secondary network interface
auto eth1
iface eth1 inet dhcp

sudo /etc/init.d/networking restart


sudo ifdown -a
sudo ifup -a

Enable FTP:

sudo apt install vsftpd

sudo vi /etc/vsftpd.conf

sudo systemctl restart vsftpd.service


sudo chmod -R 777 .