Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com

Extreme Security Fundamentals Rev3.0
Published March 2006
Part number: ESF-300/3


© 2005 Extreme Networks, Inc. All Rights Reserved.

Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners.


Specifications are subject to change without notice.

The ExtremeWare XOS operating system is based, in part, on the Linux operating system. The machine-readable copy of the corresponding source code is available for the cost of distribution. Please direct requests to Extreme Networks for more information at the following address:

Software Licensing Department
3585 Monroe Street
Santa Clara CA 95051

NetWare and Novell are registered trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris and Java are trademarks of Sun Microsystems, Inc. F5, BIG/ip, and 3DNS are registered trademarks of F5 Networks, Inc. see/IT is a trademark of F5 Networks, Inc.

All other registered trademarks, trademarks and service marks are property of their respective owners.


Module 1 Introduction and Orientation

Extreme Security Fundamentals .... 2
    Target Audience .... 2
    Module Content .... 2
Introductions .... 4
Facilities .... 6
Student Kit .... 8
Administrative .... 10
Course Prerequisite .... 12
High-level Student Objectives .... 14
Agenda .... 16
Agenda .... 18
Introduction to the Extreme Networks Certification Program .... 20
    Certification Levels .... 20
Extreme Networks Associate (Level 1) .... 22
Extreme Networks Specialist (Level 2) .... 24
    First-Level TAC Bypass with ENS Certification .... 24
    ENS Exam .... 24
ENA Certification Curriculum .... 26
    Extreme Introduction to Data Networking (EDN-100/3) .... 26
    Extreme Introduction to IP Routing (EIP-100/2) .... 26
    Extreme Configuration Fundamentals (ECF-200/5) .... 26
ENS Certification Curriculum .... 28
    Extreme Security Fundamentals (ESF-300/3) .... 28
    Extreme Redundancy Fundamentals (ERF-300/2) .... 28
    Extreme Multicast Routing (EMR-300/2) .... 28
    Extreme Interior Gateway Protocols (EIGP-300/2) .... 28
Supportive Curriculum .... 30
    Border Gateway Protocol Concepts and Configuration (BGP-220c) .... 30
    ExtremeWare Unified Access (EUA-310/3) .... 30
    EPICenter 5.0 Tutorial .... 30
Summary .... 32

Module 2 Security and Traffic Engineering

Student Objectives .... 2
Network Security Importance .... 4
Layers of Security .... 6
Networked Resources .... 8
    Protected Resources .... 8
    Critical Resources .... 8
Major Network Threats .... 10
ExtremeWare XOS Security Features .... 12
Network Security Implementation Sequence .... 14
Traffic Engineering .... 16
    Purpose .... 16
    ExtremeWare XOS Traffic Engineering Features .... 16
Summary .... 18


Module 3 Switch Access

Student Objectives .... 2
Default Switch Access Options .... 4
    Safe Defaults Setup Method .... 4
Switch Access Options .... 6
    Five Types of Switch Access .... 6
    Disabling Switch Access Options .... 6
Management Accounts .... 8
    Administrator Level Account .... 8
    User Level Account .... 8
    Logging Out of a Session .... 8
Creating Management Accounts .... 10
    Displaying Management Accounts (admin level only) .... 10
    Deleting an Account (admin level only) .... 10
Creating a Failsafe Account .... 12
Managing Passwords .... 14
Specifying Password Parameters .... 16
Displaying Password Policy .... 18
Configuring the Login Display Banner .... 20
Displaying the Login Banner .... 20
Configuring the Switch Idle Timeout .... 22
    Disabling Switch Idle Timeout .... 22
    Viewing Idletimeout Status .... 22
Displaying Active Switch Sessions .... 24
    Clearing Specific Telnet Sessions .... 24
Using Access Control Lists (ACLs) to Control Telnet Access .... 26
    Sample ACLs that Control Telnet Access .... 26
    Configuring Telnet to Use ACL Policies .... 26
SNMP Access .... 28
    Accessing Switch Agents .... 28
    Supported MIBs .... 28
Enabling and Disabling SNMPv1/v2c and SNMPv3 .... 30
Configurable SNMPv1/v2c Parameters .... 32
    Authorized Trap Receivers .... 32
    Community Strings .... 32
Displaying SNMP Settings .... 34
SNMPv3 .... 36
SNMPv3 Security .... 38
    USM Timeliness Mechanisms .... 38
SNMPv3 Users .... 40
    Creating SNMPv3 Users .... 40
    Displaying SNMPv3 Users .... 40
    Deleting SNMPv3 Users .... 40
SNMPv3 Groups .... 42
    Displaying SNMPv3 Groups .... 42
    Associating Users with SNMPv3 Groups .... 42
    Deleting an SNMPv3 Group .... 42
SNMP Security Models and Levels .... 44


SNMPv3 MIB Access Control .... 46
    Displaying MIB Views .... 46
SNMPv3 Notification: Target Addresses .... 48
    Configuring Target Address .... 48
    Displaying Target Addresses .... 48
    Deleting Target Addresses .... 48
SNMPv3 Notification: Target Parameters .... 50
    Displaying Target Parameters .... 50
    Deleting Target Parameters .... 50
SNMPv3 Notification: Filter Profiles and Filters .... 52
    Displaying SNMPv3 Notification .... 52
    Deleting and Removing SNMPv3 Filters .... 52
SNMPv3 Notification: Tags .... 54
    Displaying SNMPv3 Notification Tags .... 54
    Deleting SNMPv3 Notification Tags .... 54
    Configuring Notifications .... 54
Secure Shell 2 (SSH2) .... 56
    SSH2 Module Request .... 56
Installing the SSH2 Module .... 58
    Downloading the module to the switch .... 58
Activating the Installed Modular Software Package .... 60
    Uninstalling the Module .... 60
Private Key, Public Key, and Host Key .... 62
Configuring SSH2 .... 64
    Enabling SSH2 .... 64
Using ACLs to Control SSH2 Access .... 66
    Sample SSH2 Policies .... 66
    Configuring SSH2 to Use ACL Policies .... 66
Logging in with SSH2 Client .... 68
    SSH2 Connection Settings .... 68
    Host Key Acceptance .... 68
    Valid User and Password Entry .... 68
Secure Copy Protocol 2 (SCP2) .... 70
Switch as SSH2 Client .... 72
Verifying SSH2 .... 74
Troubleshooting SSH2 .... 76
Secure Socket Layer (SSL) .... 78
Enabling and Disabling SSL .... 80
Creating Certificates and Private Keys .... 80
Downloading a Certificate Key from a TFTP Server .... 82
    Displaying SSL Information .... 82
Downloading a Private Key from a TFTP Server .... 84
Configuring Pre-generated Certificates and Keys .... 84
Authenticating Users Logging into Switch .... 86
RADIUS .... 88
    RADIUS Packet Format .... 88
RADIUS Authentication Process .... 90


Configuring the RADIUS Client .... 92
Configuring the Shared Secret Password for RADIUS Servers .... 92
Enabling and Disabling RADIUS .... 94
    Verifying the RADIUS Client .... 94
    Troubleshooting RADIUS .... 94
Configuring RADIUS Accounting .... 96
    Configuring the RADIUS Accounting Timeout Value .... 96
    Configuring the Shared Secret Password for RADIUS Accounting Servers .... 96
    Verifying the RADIUS Accounting .... 96
RADIUS Server Support .... 98
Using RADIUS Servers with Extreme Networks Switches .... 100
    Extreme RADIUS .... 100
Merit RADIUS Server Configuration Example .... 102
Summary .... 104

Module 4 ACLs and Policies

Student Objectives .... 108
EXOS Packet Filtering Structure and Components .... 110
How to Use Policies .... 110
How to Edit Policy Entries/Rules .... 112
Types of Policies .... 112
Access Control List .... 114
ACL Overview .... 114
Static ACL - ACL Policy File .... 116
ACL Policy Syntax and Example .... 118
Apply ACL Policies and Display ACL Information .... 118
ACL Rule Evaluation Process .... 120
Rule Types and Evaluation Precedence .... 120
Rule Precedence Among Interface Types .... 122
Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450 only .... 122
Conserving ACL Masks and Rules Examples .... 124
Dynamic ACL .... 126
Dynamic ACL Match Conditions and Actions .... 126
Dynamic ACL Action Modifiers .... 128
Configuring Dynamic ACL Rules and Examples .... 130
Hands-on Lab #1: Static ACL (ACL Policy) .... 132
Hands-on Lab #2: Static ACL (ACL Policy) .... 134
Hands-on Lab #3: Dynamic ACLs .... 136
Hands-on Lab #4: Dynamic ACLs .... 136
Routing Policies .... 138
Routing Policy Syntax and Example .... 140
Routing Policy Rule Evaluation Process .... 140
Routing Policy Match Conditions .... 142
Autonomous System (AS) Regular Expressions .... 142
Routing Policy Action Statements .... 144
Applying Routing Policies .... 144
Hands-on Lab #5: Routing Policies .... 146


Module 5 Denial of Service Attacks and Countermeasures

Student Objectives .... 2
What are DoS Attacks? .... 4
Two Common DoS Attack Modes .... 6
    Asymmetrical .... 6
    Distributed .... 6
Different Types of DoS Attacks .... 8
TCP-SYN Flood example .... 10
DoS Attack Countermeasures .... 12
    Basic DoS Countermeasures .... 12
    Network Transport Level Issues .... 12
IP Broadcast Forwarding Control .... 14
DoS-Protect .... 16
    How CPU-DoS-Protect Works .... 18
Implementing DoS-Protect .... 20
    Simulated Mode .... 20
Configuring Denial of Service Protection .... 22
    Specifying DoS Protect Parameters .... 22
    Configuring Trusted Ports .... 22
    Enabling or Disabling DoS Protection .... 22
Verifying DoS-Protect Settings .... 24
    Displaying CPU-DoS-Protect Settings .... 24
Troubleshooting CPU-DoS-Protect .... 26
Actions to Take When Under DoS Attack .... 28
    References: DoS Threats and Countermeasures .... 28
Summary .... 30

Module 6 Port and MAC Address Security

Student Objectives .... 2
MAC-Based Security .... 4
    Forwarding Database (FDB) .... 4
FDB Entry Types .... 6
Port Address Security .... 8
Limiting Dynamic MAC Addresses .... 10
Limit-Learning: How Does it Work? .... 12
Configuring Limit-Learning .... 14
    Adding MAC Address Limit-Learning .... 14
    Removing MAC Address Limit-Learning .... 14
    Creating and Deleting FDB entries .... 14
Limiting MAC Addresses with ESRP .... 16
Lock-Learning .... 18
    Lock-Learning Enabled .... 18
Configuring Lock-Learning .... 20
    Adding Lock-Learning .... 20
    Removing Lock-Learning .... 20
Verifying MAC Security Information .... 22
    MAC Security Information for a Specified VLAN .... 22


    Detailed MAC Security Information for a Specified Port ..... 22
Verifying MAC Security Information ..... 24
    FDB Table Entries ..... 24
    Logs ..... 24
Disabling MAC Address Learning ..... 26
Disabling Egress Flooding ..... 28
    Guidelines for Enabling or Disabling Egress Flooding ..... 28
Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ..... 30
    Enabling Egress Flooding ..... 30
    Disabling Egress Flooding ..... 30
Disabling Egress Flooding on the BlackDiamond 10K Switch Only ..... 32
Displaying Learning and Flooding Settings ..... 34
Layer 3 Blackholes ..... 36
    Configuring a Layer 3 Blackhole ..... 36
    Configuring a Layer 3 Default Blackhole ..... 36
    Deleting Layer 3 Blackholes ..... 36
    Verifying Layer 3 Blackholes ..... 36
Summary ..... 38

Module 7 Network Login

Student Objectives ..... 2
Network Login Overview ..... 4
    Authentication Types ..... 4
Authentication Advantages and Disadvantages ..... 6
    Web-Based Authentication ..... 6
    MAC-Based Authentication ..... 6
Authentication Advantages and Disadvantages ..... 8
    802.1x Authentication ..... 8
General Network Login Commands ..... 10
    Enabling or Disabling Network Login on the Switch ..... 10
    Enabling or Disabling Network Login on a Specific Port ..... 10
    Configuring the Move Fail Action ..... 10
    Displaying Network Login Settings ..... 10
DHCP Server Authentication Role ..... 12
Enabling and Disabling DHCP Server ..... 12
    Setting the DHCP Lease Timer ..... 12
DHCP Server Commands ..... 14
    Removing DHCP Server Configurations ..... 14
    Displaying DHCP Configuration ..... 14
Web Based Network Login Sequence ..... 16
Network Login Operational Modes ..... 18
    Multiple Supplicant Support ..... 18
Network Login Design Considerations ..... 20
Authenticating Users ..... 22
    Vendor Specific Attributes (VSA) Types Used By Network Login ..... 22
RADIUS Attributes Used By Network Login ..... 24
Network Login RADIUS Extensions ..... 26


    Extreme Radius Implementation Configuration Example ..... 26
Local Database Authentication ..... 28
Configuring Local Database Authentication ..... 30
    Creating a Local Netlogin User Name and Password Only ..... 30
Specifying a Destination VLAN in a Local NetLogin Account ..... 32
    Adding VLANs when Creating a Local Netlogin Account ..... 32
    Adding VLANs at a Later Time ..... 32
Modifying an Existing Local Netlogin Account ..... 34
    Updating the Local Netlogin Password ..... 34
    Updating VLAN Attributes ..... 34
    Displaying Local Netlogin Accounts ..... 34
    Deleting a Local Netlogin Account ..... 34
802.1x Authentication ..... 36
    Interoperability Requirements ..... 36
802.1x Network Login Configuration Example ..... 38
Configuring Guest VLANs ..... 40
    Guest VLAN scenario ..... 40
Configuring a Guest VLAN ..... 42
    Enabling a Guest VLAN ..... 42
    Modifying the Supplicant Response Timer ..... 42
    Disabling a Guest VLAN ..... 42
Post-authentication VLAN Movement ..... 42
Web-Based Authentication ..... 44
    HTTPS Support ..... 44
Configuring Web-Based Authentication ..... 46
    Configuring the Base URL ..... 46
    Configuring the Redirect Page ..... 46
    Configuring Session Refresh ..... 46
    Configuring Logout Privilege ..... 46
Web-Based Network Login Configuration Example ..... 48
Web-Based Authentication User Login ..... 50
MAC-Based Authentication ..... 52
Configuring MAC-Based Authentication ..... 54
    Associating a MAC Address to a Specific Port ..... 54
    Adding and Deleting MAC Addresses ..... 54
    Displaying the MAC Address List ..... 54
Secure MAC Configuration Example ..... 56
MAC-Based Network Login Configuration Example ..... 58
Netlogin MAC-Based VLANs ..... 60
    Netlogin MAC-Based VLANs Rules and Restrictions ..... 60
Configuring Netlogin MAC-Based VLANs ..... 62
    Configuring the Port Mode ..... 62
Displaying Netlogin MAC-Based VLAN Information ..... 64
    FDB Information ..... 64
    VLAN and Port Information ..... 64
Netlogin MAC-Based VLAN Example ..... 66
Disconnecting Network Login Sessions ..... 68
    Automatic Netlogin logouts occur when: ..... 68


    CLI Network Login Logouts ..... 68
Summary ..... 72

Module 8 Policy-Based QoS

Student Objectives ..... 2
What is Quality of Service? ..... 4
    Switch Platforms and QoS ..... 4
    QoS is not Class of Service (CoS) ..... 4
When Do You Need QoS? ..... 6
Two Major Benefits of QoS ..... 8
    Latency Control ..... 8
    Congestion Management ..... 8
Five Traffic Types and QoS Guidelines ..... 10
Policy-Based QoS ..... 12
    Policy-Based QoS Support on an Extreme Network Switch ..... 12
Configuring Policy-Based QoS ..... 14
Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ..... 16
QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ..... 18
QoS Profiles on the BlackDiamond 10K Switch ..... 20
QoS Building Block: Profile ..... 22
    Creating a QoS Profile (BlackDiamond 8800 family of switches and Summit X450 Only) ..... 22
    Configuring QoS Profile Weight ..... 22
QoS Building Block: Traffic Groupings ..... 24
QoS Building Block: QoS Policy ..... 26
Precedence of Traffic Groupings ..... 28
ACL-Based Traffic Groupings ..... 30
Explicit Class of Service Traffic Groupings ..... 32
    Advantages of Explicit Class of Service ..... 32
    Packet Diagram ..... 32
802.1p Information ..... 34
    802.1p information on the BlackDiamond 10K only ..... 34
    Observing 802.1p information ..... 34
    Changing the Default 802.1p Mapping ..... 34
Replacing 802.1p Priority Information ..... 36
DiffServ ..... 38
DiffServ Information on the BlackDiamond 10K Only ..... 38
Observing DiffServ Information ..... 38
Configuring DiffServ ..... 40
    Diffserv Code Point Mapping ..... 40
    Changing the Default DiffServ Code Point Mapping ..... 40
    Replacing DiffServ Code Points ..... 40
Default 802.1p Priority Value-To-Diffserv Code Point Mapping ..... 42
BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example ..... 44
BlackDiamond 10K Switch DiffServ Example ..... 46
Physical and Logical Groupings ..... 48
    Source Port ..... 48
    VLAN ..... 48
    Verifying Physical and Logical Groupings ..... 48


    BlackDiamond 8800 Family of Switches and Summit X450 Switch QOS Profile Display ..... 50
BlackDiamond 10K Switch Display ..... 52
Verifying QoS Configuration and Performance ..... 54
    Monitoring Performance—BlackDiamond 10K Switch Only ..... 54
    Displaying QoS Profile Information on the BlackDiamond 10K Switch Only ..... 54
    Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches and Summit X450 Switch Only ..... 54
Other Useful QoS Display Commands ..... 56
Egress Traffic Rate Limiting—BlackDiamond 8800 Family and Summit X450 Switch Only ..... 58
Bi-Directional Rate Shaping—BlackDiamond 10K Switch Only ..... 60
    Viewing Discarded Traffic Statistics ..... 60
Black Diamond 10K Bandwidth Settings ..... 62
Configuring Bi-Directional Rate Shaping ..... 64
Modifying a QoS Policy ..... 66
Assigning Policy-Based QoS: Review ..... 68
Summary ..... 70

Module 9 sFlow

Student Objectives ..... 2
sFlow ..... 4
    Applications ..... 4
    Additional Information ..... 4
    sFlow Components ..... 6
    Network Equipment ..... 6
    Software Applications ..... 6
Configuring sFlow ..... 10
    Configuring the Local Agent ..... 10
    Configuring the Remote Collector Address ..... 10
Configuring sFlow ..... 12
    Enabling sFlow Globally on the Switch ..... 12
    Enabling sFlow on the Desired Ports ..... 12
Additional sFlow Configuration Options ..... 14
    Polling Interval ..... 14
    Global Sampling Rate ..... 14
    Per Port Sampling Rate ..... 14
    Maximum CPU Sample Limit ..... 14
Resetting sFlow Values and Verifying sFlow Information ..... 16
    Unconfiguring sFlow ..... 16
    Displaying sFlow Information ..... 16
Summary ..... 18


Module 10 Lab Exercises

Lab 1 – Basic Switch and Routing Configuration ..... 2
    Objectives ..... 2
    Materials Required ..... 2
    Network Diagram ..... 3
    Remark ..... 3
    Part 1 Clearing the Switch Configuration and Naming the Switch ..... 4
    Part 2 Configuring the VLANs ..... 4
    Part 3 Configuring OSPF Routing on the Backbone Area ..... 6
    Part 4 Verifying Switch and Routing Configuration ..... 6
Lab 2 Switch Access ..... 7
    Objectives ..... 7
    Materials Required ..... 7
    Network Diagram ..... 8
    Part 1 Creating a New User Account, Disabling SNMP Access, and Configuring Idletimeouts ..... 9
    Part 2 Configuring the Switch Banner Message ..... 9
    Part 3 Installing the SSH2 Module ..... 9
    Part 4 Configuring SSH2 ..... 10
    Part 5 Configuring the Switch as a RADIUS Client ..... 10
    Part 6 Changing the Default SNMPv3 User Password ..... 11
Lab 3 DOS Protection ..... 12
    Objectives ..... 12
    Materials Required ..... 12
    Part 1 Configuring DoS-Protect ..... 12
    Troubleshooting DoS-Protect ..... 13
Lab 4 – Port and MAC Address Security ..... 14
    Objectives ..... 14
    Materials Required ..... 14
    Network Diagram ..... 14
    Part 1 Configuring Lock Learning ..... 15
    Part 2 Configuring Limit Learning ..... 15
    Part 3 Configuring Secure-Mac ..... 15
Lab 7 – Network Login ..... 17
    Objectives ..... 17
    Optional Materials ..... 17
    Network Diagram ..... 18
    Part 1 Clearing the Switch Configuration and Naming the Switch ..... 18
    Part 2 Creating the Temporary and Permanent Netlogin VLANs ..... 19
    Part 3 Configuring the Temporary and Permanent Netlogin VLANs ..... 19
    Part 4 Configuring Netlogin DHCP options ..... 19
    Part 5 Configuring Netlogin ..... 19
    Part 6 Configuring the Network Login options ..... 19
    Part 7 Verifying Netlogin Configuration ..... 20
Lab 8 – QoS ..... 21
    Objectives ..... 21
    Materials Required ..... 21
    Network Diagram ..... 22
    Part 1 Clearing the Switch Configuration and Naming the Switch ..... 23
    Part 2 Configuring the VLANs ..... 23

Module 1 Introduction and Orientation


Extreme Security Fundamentals

The Extreme Redundancy Fundamentals training class is designed to provide students with the ability to identify, describe, and use the security and traffic engineering features available with ExtremeWare XOS™ release 11.3.

Target Audience

The primary audiences for this class are end-users, partners, and Extreme Networks® technical personnel that are seeking ENA certification.

Module Content

Module one presents an introduction to the course content, training facilities, student objectives, course prerequisites, agenda, and certification curriculum.

Figure 1: Module Content

Introductions

Provide your name, company, job title, and experience. Please share your previous networking experience as well as any Extreme Networks product exposure. This helps the instructor to adjust the class according to student skill sets.

Figure 2: Introduction

Facilities

Familiarize yourself with the facilities, particularly where the Emergency Exits and First Aid Stations are. Pick up a name badge from the receptionist if available.

Telephones are found near the student lounge (if there are any).

The instructor provides the training site telephone number where messages can be sent. However, only urgent messages are immediately posted for the attention of the student concerned.

The instructor specifies any special parking considerations when necessary.

Figure 3: Facilities

Student Kit

The illustration lists the contents of the student kit.

Figure 4: Student Kit

Administrative

The instructor circulates a class roster during the student introductions. Each student should check his or her own information on the Class Roster. When all information is verified, initial your name.

Ensure that your name is spelled correctly the way you want it to be on the certificate at the completion of this course.

Breaks are typically 15 minutes each and lunch is about an hour. However, the times may vary at the discretion of the instructor.

Please silence all pagers and cell phones by turning off the audio beeps and/or muting the volume. At the instructor's discretion, pagers/phones in vibrate mode are permitted. If you need to take a phone call, go outside the classroom in consideration of the other students.

Questions are encouraged at any time. Lab exercises are performed after each major topic is discussed.

A student completing all the requirements of the Extreme Networks Associate (ENA) is certified and provided an Extreme Networks Certified Training Certificate.


Figure 5: Administrative


Course Prerequisite

To be successful in this class, students must have ENA certification or the equivalent experience.


Figure 6: Course Pre-requisite


Course Knowledge Prerequisites
• LAN fundamentals
• TCP/IP, IP addressing, and subnet masking
• Switching, bridging, and routing concepts

Attendance in Extreme Networks courses
• Introduction to Data Networking
• Introduction to IP Routing
• Extreme Configuration Fundamentals

ENA Certification or equivalent


High-level Student Objectives

The illustrations list the high-level student objectives for this course.


Figure 7: Student Objectives

Figure 8: Student Objectives Continued


Overall Objectives

Students will be able to:
• Identify the steps necessary for securing a network
• Identify potential threats to the network
• Describe and configure port based security
• Describe and configure MAC-based security
• Setup encrypted and authenticated sessions between a client machine and switch
• Describe and configure Netlogin

Overall Objectives (cont)

Students will be able to:
• Describe and configure access control lists
• Describe and configure policy-based Quality of Service (QoS)
• Describe and configure sFlow


Agenda


Figure 9: Day 1 - Agenda

Figure 10: Day 2 - Agenda


Day 1 – Agenda
Module 1 – Introduction and Orientation
Module 2 – Security and Traffic Engineering
• Lab 1 – Lab Environment Familiarization
LUNCH
Module 3 – Switch Access
• Lab 2 – Switch Access
Module 4 – ExtremeWare Access Control List
• Lab 3 – ACL

Day 2 – Agenda
Module 6 – Denial of Service
• Lab 5 – CPU-DOS feature (Optional)
Module 7 – MAC Address Security
• Lab 6 – Port & MAC Address Security (Optional)
LUNCH
Module 8 – Netlogin
• Lab 7 – Netlogin ISP & Campus mode


Figure 11: Day 3 – Agenda

Day 3 – Agenda
Module 9 – Policy-based QoS
• Lab 8 – PB QoS
Module 10 – sFlow
Course Wrap-Up
• Certificate
• Evaluation
• Others


Introduction to the Extreme Networks Certification Program

Career certification is available from many places. But we're talking about Extreme Networks certification, an innovative, comprehensive approach to certification.

Our lab-intensive learning environments and hands-on exam requirements mean that you become Extreme Networks-certified with proven experience and skills to successfully deploy and manage Extreme Networks products in a variety of network environments.

The Extreme Networks certification program authenticates your skill set and supercharges your IT career, bringing measurable benefits to you, your department, and your company.

Certification Levels:

● Level 1 Extreme Networks Associate (ENA)

● Level 2 Extreme Networks Specialist (ENS)


Figure 12: Introduction to Extreme Networks Certification Program

Figure 13: Extreme Networks Certification Program


Extreme Networks Associate (Level 1)

The Extreme Networks Associate (ENA) certification confirms your knowledge of the Extreme Networks product portfolio and configuring and managing Extreme Networks switches in layer-2 and layer-3 environments. The certification is intended for individuals responsible for the installation, configuration, and management of Extreme Networks products.

Receive your ENA Certification

The ENA Certification level establishes the foundation for all Extreme Networks certification program levels.

Successful completion of the ECF training course in full provides ENA certification.

A certificate with a unique certification number is issued immediately. ENA certification is valid for 2 years.

Alternatively, an 80-question exam can be taken to validate the candidate's knowledge of basic Extreme Networks hardware configuration using the ExtremeWare command line interface (CLI).

Extreme Networks Authorized Training Partners (ATP) administer the ENA certification tests. The cost of the exam is one training voucher.

Candidates who achieve a score of 75% or greater are awarded the distinction of Extreme Networks Associate.

Follow these steps to register for the ECF training class or the stand-alone Extreme Networks Associate exam:

1 Direct your web browser to www.extremenetworks.com.

2 From the web page you can select an Extreme Networks ATP test center in your region.

3 Be sure to bring valid, government issued photo identification to the testing location.


Figure 14: Extreme Networks Associate (Level 1)


Extreme Networks Specialist (Level 2)

The Extreme Networks Specialist (ENS) certification represents a solid foundation of networking skills for individuals responsible for advanced configuration, management, maintenance, and troubleshooting of Extreme Networks products. The prerequisite for this certification is completion of the ENA certification level.

ENS certified skills include:

● Configure Extreme Networks advanced redundancy features.

● Configure Extreme Networks advanced multicast routing features.

● Configure Extreme Networks switches in complex routing environments.

● Configure Extreme Networks switches' advanced security features.

● Troubleshoot Extreme Networks switches for layer-2 and layer-3 networking problems.

ENS certification is valid for 2 years.

The exam is administered by selected Extreme Networks Authorized Training Partners.

First-Level TAC Bypass with ENS Certification

ENS certified customers with a valid service contract have direct access to Tier 2 Technical Assistance Center (TAC) support. They are able to bypass Level 1 TAC.

ENS Exam

Scheduling this exam is similar to scheduling the ENA exam. Direct your web browser to www.extremenetworks.com.

From the web page you can select an Extreme Networks ATP test center in your region.

The ENS exam is a 4-hour hands-on exam performed at, and guided by, one of the Extreme Networks ATP test centers.

The exam is comprised of four parts. One part consists of 30 multiple choice questions. The other three parts consist of hands-on practical exams based on three of the four training classes in the ENS curriculum. Candidates must achieve a score of 75% to be certified. The price for this exam is a single one-day training voucher.

Successful candidates receive an ENS certificate with a unique certification number immediately upon passing the exam.

Be sure to bring a valid, government issued, photo identification to the testing location.


Figure 15: Extreme Networks Specialist (Level 2)

Figure 16: Extreme Networks Specialist (Level 2) Continued


ENA Certification Curriculum

The curriculum consists of instructor-led courses, which provide students with the skill level described in the certification overview. The courses are grouped so you can easily determine which courses are needed for a certain certification level.

Extreme Introduction to Data Networking (EDN-100/3)

This training is intended for people who are new to networking, or those who want to refresh their knowledge. This course does not include specific Extreme Networks features, but covers the basic concepts and principles of Data Networking. Topics include: History of Networking, The OSI model, Ethernet, Ethernet devices (NIC, repeater, hub, bridge, switch). The knowledge gained from this course is a prerequisite for attending ECF-200/5.

Extreme Introduction to IP Routing (EIP-100/2)

This course is intended for people who need to have a foundation on IP and IP-routing protocols. The content of this course is a prerequisite for attending the ECF-200 course and includes: TCP/IP overview, IP-addressing, IP-subnetting, TCP/IP applications, the principles of routing, and an overview of the RIP and OSPF routing protocols. The knowledge gained from this course is a prerequisite for attending ECF-200/5.

Extreme Configuration Fundamentals (ECF-200/5)

This course is designed for people responsible for the installation, configuration, management, support, and troubleshooting of the Extreme Networks family of switch products. Students receive an overview of Extreme Networks software, the switch command line interface, the hardware features, and the software features. Students learn to:

● Login to the switch and create new user accounts.

● Download software updates and backup configuration files.

● Configure layer-2 switching functions.

● Create port-based, protocol-based, and tagged VLANs.

● Create vMan VLAN tunnels.

● Configure the Spanning Tree Protocol.

● Configure basic RIP and OSPF functions.

Students are also introduced to advanced features.

This course is based primarily on ExtremeWare XOS.


Figure 17: ENA Certification Curriculum


ENS Certification Curriculum

Extreme Security Fundamentals (ESF-300/3)

This course is tailored for those people who need to implement and maintain security in the network with features such as ACLs, QoS, DoS protection, network login and NAT. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for attending the ESF training.

Extreme Redundancy Fundamentals (ERF-300/2)

This course is intended for people who build and maintain redundant networks using advanced features such as EMISTP, EAPS, ESRP, and VRRP. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for the ERF training.

Extreme Multicast Routing (EMR-300/2)

This course covers multicasting concepts and operation and Extreme Networks Multicast Features including the IGMP, PIM-DM, and PIM-SM protocols. Additional multicasting protocols are also presented. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for attending the EMR training. This course is based primarily on ExtremeWare XOS.

Extreme Interior Gateway Protocols (EIGP-300/2)

This course is designed for those individuals responsible for the installation, configuration, management, support, and use of the Extreme Networks switches in a routed environment. This course is ideal for individuals who are familiar with layer-3 routing but desire a more comprehensive discussion on how to set up an OSPF network using Extreme Networks products. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for the EIGP training. This course is based primarily on ExtremeWare XOS.


Figure 18: ENS Certification Curriculum


Supportive Curriculum

The following courses are currently elective.

Border Gateway Protocol Concepts and Configuration (BGP-220c)

This course is designed for Internet Service Providers (ISP), individuals connecting to ISPs, and those who want to configure BGP4 on the Extreme Networks family of switch products.

ExtremeWare Unified Access (EUA-310/3)

The course is designed to provide students with the skills to design, configure, manage, support, and use the Extreme Networks Summit™ 300-48 and the Altitude™ 300 for both wireless and wired secure network access.

EPICenter 5.0 Tutorial

This is a task-based interactive tool for learning how to use EPICenter software to efficiently manage, monitor, and configure your network. The tutorial includes seven modules and is presented using text, video, demonstrations, quizzes, and interactive scenarios. It is available on CD-ROM.


Figure 19: Supportive Curriculum

Figure 20: Certification and Curriculum Updates


Summary


Figure 21: Summary


Module 2 Security and Traffic Engineering

ExtremeWare Security Fundamentals Student Guide Rev. 3.0 1


Student Objectives

Module two introduces you to the importance of network security and how ExtremeWare XOS handles various types of network threats. This module also explains traffic engineering and its dual function in network security and network optimization.

Upon completion of this module, the successful student will be able to:

● Identify four major threats to network security.

● For a green field network deployment, sequence the security implementation steps.

● Describe ExtremeWare XOS security features.

● Identify three requirements for secure remote access.

● Describe three traffic engineering goals.

● Identify ExtremeWare XOS traffic engineering features.


Figure 1: Student Objectives


Network Security Importance

With the growing dependence of businesses on data networks, it is important to have a secure network to address any potential threat. There are high costs associated with a down network.

When a network is down or compromised due to a virus or other attack, the consequences include:

● Productivity Loss

When a network is down, workers cannot access internal resources to perform their work. Productivity loss for an enterprise-size company can be immense.

● Revenue Loss

If the business conducts web based business transactions or relies heavily on the data network for revenue generation, even one hour of network downtime is damaging.

● Confidential Data Loss

Any confidential and proprietary data stored on the internal network is potentially accessible by malicious individuals.

● Customer Confidence Loss

Your current customers will lose faith in your company’s ability to manage and protect their interests, resulting in a major credibility loss.

NOTE

This course addresses the protection and optimization of the network. It does not go into corporate security policies. Every corporation has a different security policy to meet their needs.

NOTE

Physical site security is not a major topic in this course. It is assumed you have physically protected all network nodes and critical servers.


Figure 2: Network Security Importance


Layers of Security

It is useful to approach network security in terms of layers. At each layer, you can impose restrictions on the associated layer host (PC client machine, web server, device) to limit any potential attack initiated at or against it. For example, if an insecure PC client machine in the internal user layer is used to launch a network attack, you can configure the switch to route suspect data packets out of the network, resulting in minimal impact on the other layers.

1 Outside Layer

Outside refers to the public and private network you do not control. You must assume all outside hosts are potentially infected and hostile. A customer accessing your website can be considered a host from the outside.

2 Demilitarized Zone (DMZ)

The DMZ is the network area that is between an outside network and the internal network. In the DMZ, you can configure specific ports to allow certain types of network traffic through. For example, web servers in the DMZ are typically accessible through Transmission Control Protocol (TCP) ports 80 and 443. As the switch administrator, you should open only the specific ports in the firewall needed by the services that must be available from the outside.

3 Remote Access Layer

The remote access layer allows a host from the outside layer to access services available on the internal network. Users remotely accessing the internal network require the same level of unrestricted access to internal network resources.

Three major components for securing remote access are authentication, encryption, and intrusion detection. Authentication's primary function is to ensure a user is authorized to access the internal network. User verification is typically based on a username and password. Encryption makes the data sent between a remote user and the internal network illegible to anyone but those authorized to read it. Any remote access point is both a point of entry and a point of weakness for an internal network. Intrusion detection systems enable the network administrator to monitor the remote access points for any potential attacks. Secondarily, the intrusion detection system collects data associated with an attack, data which may be used for possible future criminal prosecution.

4 Internal User Layer

At the internal user layer, end users require access to internally networked resources and outside resources. Unfortunately, internal end users are often targets of attack. An internal user may unwittingly launch a virus that would propagate throughout the network and possibly shut down critical business services. As a network administrator, you must seamlessly allow end-user authentication, providing them access to the resources required for their work while limiting their access to resources they do not need.

5 Internal Administration Layer

Network switch administrators require extensive access to networked resources to keep the network running smoothly and efficiently. Just like limiting network access to internal end users, internal administrators should only have access to the network services and servers they are responsible for. Network administrators with extensive privileges and rights have the potential to cause major damage to a network.


Figure 3: Layers of Security


Networked Resources

Protected Resources

Protected resources are the resources that end users need to perform their work. Protected resources are not servers located in the DMZ but are servers located in the internal network vulnerable to attacks from compromised internal hosts. There should never be a direct connection from any remote access host to a protected resource without encryption; otherwise, the data transmitted and received is sent in the clear.

Access to a protected resource from the internet should only be accessible from a server in the DMZ. All remotely accessed data requests from a protected resource must go through the server in the DMZ. The server in the DMZ then accesses the data on the protected resource on behalf of the remote client.

Protected resources also act as a front end for the critical servers.

Critical Resources

Primary domain controllers, database servers, email servers, and other servers essential to the business are considered critical resources. To minimize any potential threat to the critical resource, it is a good security practice to have a front end protected resource to serve as a buffer between the end user and critical resource. For example, an end user accesses a website and enters queries. These queries are then sent to the actual backend database.


Figure 4: Networked Resource


Major Network Threats

The open architecture of the Internet Protocol (IP) makes it a highly efficient, cost-effective, and flexible communications protocol for local and global communications. It has been widely adopted, not only on the global Internet, but also in the internal networks of large corporations. The IP protocol suite, including TCP/IP, was designed to provide reliable and scalable communications over real-world networks.

Criminals now see the corporate network as a new opportunity. Industrial espionage has moved online. The IP protocol, while very tolerant of random errors, is vulnerable to a number of malicious attacks.

The most common threats to the network are:

● Route Table Poisoning

Every host on an IP-based network has a routing table that tells the IP software how to forward packets. Core network routers generally maintain their routing tables dynamically using a routing protocol, enabling routers to exchange routing information with each other. Route table poisoning occurs when an attacker intentionally sends bogus information to a router. With the route table corrupted, the network may experience network congestion, network looping, or even network misdirection to an exploited system (allowing the attacker to sniff the packets).

● Denial of Service (DoS)

DoS attacks are designed to knock hosts or networks offline, making their services unavailable. DoS attacks primarily target a specific operating system with the intention of crashing the host. Typically, the DoS attack attempts to overwhelm a target with a flood of traffic which occupies the processing power of the router or consumes major network bandwidth. DoS attacks can be launched from single or multiple maliciously controlled hosts.

● Packet Mistreatment

Packet mistreatment refers to attacks on live packet traffic. An attacker alters packet parameters so that the distorted packet is subsequently mishandled by the network and/or the receiving client. For example, changing the destination IP address in a large set of packets can cause localized network congestion. A martian attack is another example of packet mistreatment. A martian packet has a source address that does not have its return traffic routed back to the sender.

● Unauthorized Access

Unauthorized access to the network is a major security issue. Once inside an internal network, where the security may be lighter, a malicious hacker may steal confidential data or launch attacks from systems regarded as safe. Wireless data traffic busily streaming through access points can provide a malicious hacker with enough information to crack 128-bit WEP keys. All points of network entry are also points of weakness.

NOTE

Domain Name Server (DNS) attacks are also common. DNS is the distributed database on the Internet that translates between IP addresses and host names, as well as mapping e-mail and name servers to Internet domains. DNS attacks slow or cripple the Internet. While DNS hacking is a potential issue for any network, Extreme Networks devices do not implement DNS services and are therefore not subject to these particular attacks.
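The martian definition above (a source whose return traffic cannot be routed back to the sender) is something a switch can check on every ingress packet. The following Python is an added example, not code from the student guide or from Extreme Networks: it applies a reserved-block test and a strict reverse-path check against a constructed routing table; interface names, prefixes and sample packets are assumptions for the example.

```python
"""Martian-source detection with a reverse-path (return-route) check.

Added example, not code from the Extreme Networks student guide.  It applies
the guide's definition of a martian packet (a source address whose return
traffic cannot be routed back to the sender) to IPv4 packets:

  1. sources in reserved/special-use blocks (unspecified, loopback, link-local,
     multicast, class E) can never be legitimate and are rejected outright;
  2. otherwise the longest-prefix-match route for the source must exist and
     must point back out the interface the packet arrived on (strict
     reverse-path check); anything else would never receive a reply.

Interface names, prefixes and sample packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Special-use blocks that cannot appear as a unicast source on a routed link.
# Constructed list; an Internet edge would add RFC 1918 space, an internal
# campus switch would not.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str   # interface that traffic toward this prefix leaves on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # interface the packet was received on


def route_for(table: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None when no route (not even a default) covers addr."""
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def classify(packet: Packet, table: List[Route]) -> str:
    """Return 'ok' or a short reason why the packet's source is martian."""
    src = ipaddress.ip_address(packet.src)
    if src.version != 4:
        return "not-ipv4"
    if any(src in net for net in BOGON_SOURCES):
        return "bogon-source"
    route = route_for(table, src)
    if route is None:
        return "no-return-route"         # a reply would be dropped on this switch
    if route.iface != packet.in_iface:
        return "reverse-path-mismatch"   # a reply would leave by another interface
    return "ok"


def martian_report(packets: List[Packet], table: List[Route]) -> List[Tuple[str, str, str]]:
    """(source, ingress interface, verdict) per packet, for logging or ACL tuning."""
    return [(p.src, p.in_iface, classify(p, table)) for p in packets]


# Constructed routing table: campus users behind "lan", a more specific campus
# subnet behind "lan2", servers behind "dmz", one upstream block behind "wan".
ROUTING_TABLE = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "lan"),
    Route(ipaddress.ip_network("10.1.0.0/16"), "lan2"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "dmz"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "wan"),
]

# Constructed packets: one legitimate, one claiming an internal source while
# arriving from outside, one with a loopback source, one with no route at all.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "192.0.2.10", "wan"),
    Packet("10.1.2.3", "192.0.2.10", "wan"),
    Packet("127.0.0.1", "10.2.2.2", "lan"),
    Packet("198.51.100.7", "10.2.2.2", "lan"),
]

if __name__ == "__main__":
    for src, iface, verdict in martian_report(SAMPLE_PACKETS, ROUTING_TABLE):
        print(f"{src:>15} via {iface:<4} -> {verdict}")
```

The second sample packet shows why the reverse-path check matters: its source is routable, so a plain "does a route exist" test would pass it, but the route points to lan2, not the wan interface it arrived on.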


Figure 5: Major Network Threats


ExtremeWare XOS Security Features

Major ExtremeWare security features include:

● Switch Access Options

Extreme Networks employs a number of mechanisms that protect the Alpine™, BlackDiamond®, and Summit™ switches from unauthorized access, including a combination of:

■ In-Band / Out-of-Band node management

■ Switch Administrator Access Profiles and User Authentication

● Secure Communication Protocols

ExtremeWare supports many standard secure communication protocols such as Simple Network Management Protocol version 3 (SNMPv3), Secure Shell version 2 (SSH2), Secure File Transfer Program version 2 (SFTP2), Secure Copy Program version 2 (SCP2), Message Digest 5 (MD5), and others.

For example, when OSPF and BGP have both been configured for MD5 and access profiles, route table poisoning is minimized. The MD5 and access profile configuration ensures routing table updates only come from legitimate sources.

● DoS-Protect

DoS-Protect is an administrator configurable feature that detects and filters out possible DoS generated traffic.

● Blackhole Options

It is possible to forward suspect data packets to a “blackhole” configured on a switch where they are promptly discarded. For example, a malicious IP packet flood can be immediately sent to a blackhole, minimizing the attack’s influence on network performance.

● Port and MAC-Based Security

ExtremeWare also allows security options based on ports and MAC addresses. For example, with MAC limit-learning enabled, you can limit the number of dynamically learned MAC addresses allowed per virtual port.

● Network Login

Network Login requires a user to authenticate with a username and password. When the user is authenticated, the user is placed on a preapproved and specific port on the Virtual Local Area Network (VLAN).

● Access Control Lists and Access Profiles

An access control list (ACL) enables a switch to identify specific network traffic and decide whether to block or forward the packets. The ACL criteria are configured by the network administrator. An access profile is similar to an ACL, but it deals only with management and control packets destined to or sent by a switch.


Figure 6: ExtremeWare Security Features


Network Security Implementation Sequence

Here are the recommended steps for implementing security for a greenfield deployment of an enterprise class network.

1 Power the switch.

2 Change the default administrator password.

3 Enable DOS protection.

4 Enable RADIUS.

5 Create Access Profiles.

6 Configure SNMP settings.

7 Turn off web configuration.

8 Enable SSHv2.

9 Turn off Telnet.

10 Plug cables into the network.

11 Configure MAC security.

12 Configure the switch.

13 Configure the management network.

14 Configure routing.

15 Configure ACLs and martian specific ACLs.

16 Configure the Syslog server.

17 Configure the RADIUS server.

18 Configure the EPICenter server.
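The order of these steps matters: an encrypted management path (step 8) is up before Telnet is cut (step 9), and management hardening (steps 2 to 9) is finished before the switch is cabled and routing (steps 10 and 14). The following Python is an added example, not code from the student guide or from Extreme Networks: it audits a configuration dump for that order. The ExtremeWare XOS command spellings it looks for, and both sample configurations, are assumptions constructed for the example.

```python
"""Order-sensitive audit of the hardening sequence above.

Added example, not code from the Extreme Networks student guide.  It treats a
switch configuration as an ordered list of CLI lines and checks (a) that the
management-hardening commands are present and (b) that they were applied in a
safe order: SSH2 enabled before Telnet is disabled, and all hardening done
before routing is switched on (used here as the stand-in for "plug cables in").
The command spellings are assumed ExtremeWare XOS forms; both configurations
below are constructed for the example.
"""
from typing import Dict, List

# Assumed XOS command forms, keyed by the hardening step they implement.
HARDENING = {
    "dos-protect": "enable dos-protect",          # step 3
    "radius":      "enable radius mgmt-access",   # step 4
    "web-off":     "disable web http",            # step 7
    "ssh2":        "enable ssh2",                 # step 8
    "telnet-off":  "disable telnet",              # step 9
}
ROUTING_ON = "enable ipforwarding"                # stand-in for steps 10 and 14


def _positions(lines: List[str]) -> Dict[str, int]:
    """Index of the first line implementing each step (and routing); -1 if absent."""
    wanted = dict(HARDENING, routing=ROUTING_ON)
    pos = {name: -1 for name in wanted}
    for i, line in enumerate(lines):
        for name, cmd in wanted.items():
            if pos[name] < 0 and line.startswith(cmd):
                pos[name] = i
    return pos


def audit_hardening(config_text: str) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'unsafe_order': [...]} for a configuration dump."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    pos = _positions(lines)
    findings: Dict[str, List[str]] = {"missing": [], "unsafe_order": []}

    for name, cmd in HARDENING.items():
        if pos[name] < 0:
            findings["missing"].append(cmd)

    # Cutting Telnet before SSH2 is up leaves no remote management path.
    if pos["telnet-off"] >= 0 and not (0 <= pos["ssh2"] < pos["telnet-off"]):
        findings["unsafe_order"].append("disable telnet precedes enable ssh2")

    # Hardening that lands after routing is enabled was done on a live network.
    if pos["routing"] >= 0:
        late = [HARDENING[n] for n in HARDENING if pos[n] > pos["routing"]]
        if late:
            findings["unsafe_order"].append(
                "applied after enable ipforwarding: " + ", ".join(late))
    return findings


# Constructed configuration that follows the guide's order (hardening, then routing).
GOOD_CONFIG = """
# constructed sample, assumed XOS syntax
enable dos-protect
configure radius mgmt-access primary server 10.0.0.5 1812 client-ip 10.0.0.1 vr VR-Default
enable radius mgmt-access
disable web http
enable ssh2
disable telnet
enable ipforwarding
"""

# Constructed configuration with routing turned on first and Telnet cut before SSH2.
BAD_CONFIG = """
enable ipforwarding
disable telnet
enable ssh2
enable dos-protect
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_hardening(cfg))
```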


Figure 7: Network Security Implementation Sequence

Figure 8: Network Security Implementation Sequence (cont)


Traffic Engineering

In addition to identifying any potential security threat and implementing an appropriate security policy, networks should also address traffic engineering needs. With the increasing use of time-sensitive data applications such as Voice over IP (VoIP) and streaming media, tuning the network for minimal congestion and maximum efficiency is important.

Purpose

Traffic engineering has three primary goals:

1 Optimize network usage

2 Optimize network performance

3 Increase the robustness of the network infrastructure

ExtremeWare XOS Traffic Engineering Features

ExtremeWare enables network optimization and tuning with the following major ExtremeWare features:

● Access Profiles

● Quality of Service (QoS)

By configuring QoS parameters, a network administrator can prioritize traffic flows, ensuring time sensitive packets are transmitted and received at high priority.

● Policy Based Routing

Routing based on source and/or destination IP address or port number is known as policy based routing.


Figure 9: Traffic Engineering Goals

Figure 10: ExtremeWare Traffic Engineering Features


Summary

Module two presented the importance of network security and how ExtremeWare handles various types of network threats. Traffic engineering concepts were also introduced.

You should now be able to:

● Identify four major threats to network security.

● For a green field network deployment, sequence the security implementation steps.

● Describe ExtremeWare XOS security features.

● Identify three requirements for secure remote access.

● Describe three traffic engineering goals.

● Identify ExtremeWare XOS traffic engineering features.

Figure 11: Summary

Module 3 Switch Access

Student Objectives

Upon completion of this module, the successful student will be able to:

● Identify the five switch access options

● Configure Safe-Default-Script

● Disable nonessential switch access options

● Create management accounts on the switch

● Configure a Failsafe Account

● Manage Passwords

● Configure an Access Control List (ACL) to control telnet access

● Display management accounts

● Configure the banner that displays during login attempts

● Configure switch idle timeouts

● View active switch sessions

● Configure SNMPv3

● Configure SSH2

● Configure an ACL to control SSH2 access

● Configure SCP2

● Describe RADIUS

● Configure the RADIUS client

● Configure RADIUS accounting

● Describe TACACS+

Figure 1: Student Objectives

Figure 2: Student Objectives (cont)

Default Switch Access Options

The following are enabled by default:

● Telnet access

● SNMP access

● All ports enabled

Safe Defaults Setup Method

Upon initially booting up the switch through the console port, a safe default script is implemented.

To manually run the interactive safe default script that prompts you to choose to enable or disable SNMP, Telnet, Web access, and enabled ports, enter the following command:

configure safe-default-script

NOTE

The safe default script is also implemented when the unconfigure switch all command is entered and the switch is rebooted.

Figure 3: Configuring Safe Default Script

Switch Access Options

Five Types of Switch Access

Extreme Networks switches have five switch access options:

● Console

● SSH2

● Telnet

● HTTP (via ExtremeWare Vista web-based management application)

● SNMPv3

NOTE

Not all configuration is possible using the ExtremeWare Vista interface.

The console can be used for direct local management, and the port settings are as follows:

● Baud rate - 9600

● Data bits - 8

● Stop bit - 1

● Parity - None

● Flow Control - XON/XOFF

The PC/Terminal connected to the switch's console port must be configured with the same settings. The CLI console port connection requires a serial crossover cable (a.k.a. Null modem) with DB9 female connectors.

The 9-pin serial port labeled as modem on some switches does not allow any connectivity to the device.

Disabling Switch Access Options

Depending on your security needs, it is possible to disable the ssh2, telnet, and snmp access options. However, console access cannot be disabled and is always enabled.

To disable the switch access option, enter the following command:

disable [switch access option]

disable ssh2
disable telnet
disable snmp access

Figure 4: Five Types of Switch Access Options

Figure 5: Disabling Switch Access Option

Management Accounts

By default, the switch is configured with two default user accounts, admin and user. The switch can have a total of 16 management accounts. You can use the default names (admin and user), or you can create new names and passwords for the accounts. Passwords can have a minimum of 0 characters and a maximum of 32 characters.

Administrator Level Account

An administrator level account has both read and write access to all manageable parameters. With this level, you can also add and delete users, as well as change the password associated with any account name (to erase the password, issue the unconfigure switch all command).

An administrator can perform the following functions:

● View and edit all switch parameters.

● Add and delete accounts, and change the password associated with any account name.

● Disconnect a management session that has been established by a Telnet connection.

When a switch administrator cancels a user’s Telnet session, the user is notified that the session has been terminated. The command syntax to cancel a Telnet connection is:

clear session <id>

An administrator level account login is indicated by a command-line prompt that ends with a pound sign (#). Prompt type:

Summit450 #

User Level Account

A user level account has viewing access to all manageable parameters, with the exception of the following:

● Showing the switch configuration

● Showing switch management details

● Showing and configuring user account database

● Showing and configuring SNMP community strings

A user level account can use the ping command to test if a device is reachable. Also, a user level account end user can change the password assigned to its own account. A user level account login is indicated by the command-line prompt that ends with a greater than (>) sign. Prompt type:

Summit450>

Logging Out of a Session

To log out of a session, enter one of the following commands:

exit
logout

Figure 6: Management Accounts

Creating Management Accounts

To create a management account, enter the following command:

create account [admin | user] <name> {encrypted} {<password>}

To delete an account, type the following command:

delete account <name>

Only users with admin level status can create and delete accounts.

The encrypted option should not be used for manual account creation and switch access. The encrypted option is reserved for use by the switch. It is a system option used by the switch for TFTP server uploads and downloads, not for users. If the encrypted option is used while creating a new account through the CLI, the switch assumes that the username and password are encrypted and not in clear text.

Displaying Management Accounts (admin level only)

To view the management accounts associated with the switch, enter the following command:

show account

The fields displayed are:

● User Name

● Access (read write or read only)

● Number of successful and failed login attempts per account

Deleting an Account (admin level only)

To delete an account, type the following command:

delete account <name>

Figure 7: Creating Management Accounts

Figure 8: Displaying Management Accounts

Creating a Failsafe Account

The failsafe account is the account of last resort to access your switch. This account is never displayed by the show account command, but it is always present on the switch.

To configure the account name and password for the failsafe account, enter the following command:

configure failsafe-account

You will be prompted for the failsafe account name and prompted twice to specify the password for the account. After entering the failsafe password, the failsafe account is immediately saved to NVRAM.

NOTE

The information that you use to configure the failsafe account cannot be recovered by Extreme Networks. Technical support cannot retrieve passwords or account names for this account. Protect this information carefully.

To access your switch using the failsafe account, you must connect to the serial port of the switch. You cannot access the failsafe account through any other port.

At the switch login prompt, carefully enter the failsafe account name. If you enter an erroneous account name, you cannot re-enter the correct name.

Once you have entered the failsafe account name, you are prompted to enter the password. You will have three tries to enter the password correctly.

Once you have successfully logged in to the failsafe account, you see the following prompt:

failsafe>

From here, you have the following four command choices:

● Login—Use this command to access the switch CLI. You will have full administrator capabilities.

● Reboot—Use this command to reboot the current MSM (MSM on modular switches only).

● Help—Use this command to display a short help text.

● Exit—Use this command to exit the failsafe account and return to the login prompt.

Typically, you use the Login command to correct the problem that initially required you to use the failsafe account.

Figure 9: Creating a Failsafe Account

Figure 10: Logging in Failsafe Account

Managing Passwords

When you first access the switch, you have a default account. You configure a password for your default account. As you create other accounts, you configure passwords for those accounts.

Beginning with ExtremeWare XOS version 11.2, the software allows you to apply additional security to the passwords. You can enforce a specific format and minimum length for the password. Additionally, you can age out the password, prevent a user from employing a previously used password, and lock users out of the account after three consecutive failed login attempts.

Applying a Password to the Default Admin Account

Default accounts do not have passwords assigned to them. Passwords can have a minimum of 0 characters and a maximum of 32 characters. Passwords are case-sensitive; user names are not case-sensitive.

To add a password to the default admin account:

1 Log in to the switch using the name admin.

2 At the password prompt, press [Return].

3 Add a default admin password of green by entering the following commands:

configure account admin
password: green
Reenter password: green

Applying a Password to the Default User Account

To add a password to the default user account:

1 Log in to the switch using the name admin.

2 At the password prompt, press [Return], or enter the password that you have configured for the admin account.

3 Add a default user password of blue by entering the following commands:

configure account user
password: blue
Reenter password: blue

If you forget your password while logged out of the CLI, contact your local technical support representative, who will advise on your next course of action.

NOTE

The entered passwords are not displayed on the screen.

Figure 11: Applying a Password to the Default Admin Account

Figure 12: Applying a Password to the Default User Account

Specifying Password Parameters

You can increase the security of your system by enforcing password restrictions, which will make it more difficult for unauthorized users to access your system. You can specify that each password must include at least two characters of each of the following four character types:

● Upper-case A-Z

● Lower-case a-z

● 0-9

● !, @, #, $, %, ^, *, (, )

To set this format for the password, enter the following command:

configure account [all | <name>] password-policy char-validation [none | all-char-groups]

You can enforce a minimum length for the password and set a maximum time limit, after which the password will not be accepted. To set a minimum length for the password, issue the following command:

configure account [all | <name>] password-policy min-length [<num_characters> | none]

To age out the password after a specified time, issue the following command:

configure account [all | <name>] password-policy max-age [<num_days> | none]

You can block users from employing previously used passwords by issuing the command:

configure account [all | <name>] password-policy history [<num_passwords> | none]

By default, the system terminates a session once the user has 3 consecutive failed login attempts. The user may then launch another session (which again would terminate after 3 consecutive failed login attempts). To increase security, you can lock users out of the system entirely after 3 failed consecutive login attempts. To use this feature, issue the following command:

configure account [all | <name>] password-policy lockout-on-login-failures [on | off]

NOTE

If you are not working on SSH, you can configure the number of failed logins that trigger lockout, using the configure cli max-failed-logins <num-of-logins> command. (This command also sets the number of failed logins that terminate the particular session.)

Once locked out (using the configure account password-policy lockout-on-login-failures command), the user’s account must be specifically re-enabled by an administrator. To re-enable a locked-out account, issue the following command:

clear account [all | <name>] lockout

Selecting the all option affects the setting of all existing and future new accounts. The default admin account and failsafe accounts are never locked out, no matter how many consecutive failed login attempts.
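The following Python is an added example, not part of the guide: it models the password-policy and lockout rules described in this section (the four character groups with at least two of each, min-length, history, three consecutive failures, and the admin and failsafe accounts never locking out) so a candidate password and policy can be checked offline before the configure commands are run. All class and function names are this example's own.

```python
"""Added example, not part of the ExtremeWare guide: models the password-policy
and login-lockout rules described in the text so they can be checked offline.
All names below are this example's own."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The fourth character group listed in the guide; the other three are A-Z,
# a-z and 0-9. With char-validation all-char-groups, at least two of each
# group are required.
SPECIALS = set("!@#$%^*()")
MAX_PASSWORD_LEN = 32                  # the guide's maximum password length
MAX_FAILED_LOGINS = 3                  # consecutive failures that end a session
NEVER_LOCKED = {"admin", "failsafe"}   # never locked out, per the guide


@dataclass
class PasswordPolicy:
    char_validation: str = "none"       # "none" or "all-char-groups"
    min_length: Optional[int] = None    # None models the CLI keyword "none"
    history: Optional[int] = None       # previous passwords that may not be reused
    lockout_on_login_failures: bool = False


def check_password(candidate: str, policy: PasswordPolicy,
                   previous: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(candidate) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    if policy.min_length is not None and len(candidate) < policy.min_length:
        problems.append(f"shorter than min-length {policy.min_length}")
    if policy.char_validation == "all-char-groups":
        counts = {
            "upper-case": sum("A" <= c <= "Z" for c in candidate),
            "lower-case": sum("a" <= c <= "z" for c in candidate),
            "digit": sum("0" <= c <= "9" for c in candidate),
            "special": sum(c in SPECIALS for c in candidate),
        }
        for group, n in counts.items():
            if n < 2:
                problems.append(f"needs at least two {group} characters, has {n}")
    # history N: the last N passwords may not be reused
    if policy.history and candidate in previous[-policy.history:]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    return problems


class LoginTracker:
    """Counts consecutive failed logins per account. Three failures end the
    session; with lockout-on-login-failures on, the account is also locked
    until an administrator runs 'clear account <name> lockout'."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def login(self, name: str, password: str, stored: str) -> str:
        name = name.lower()   # user names are not case-sensitive
        if name in self.locked:
            return "locked"
        if hmac.compare_digest(password.encode(), stored.encode()):
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] < MAX_FAILED_LOGINS:
            return "failed"
        self.failures[name] = 0           # the session is terminated either way
        if self.policy.lockout_on_login_failures and name not in NEVER_LOCKED:
            self.locked.add(name)
            return "locked"
        return "session-terminated"

    def clear_lockout(self, name: str) -> None:
        """Models 'clear account <name> lockout'."""
        self.locked.discard(name.lower())
```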

Figure 13: Specifying Password Parameters

Displaying Password Policy

To display the accounts and any applied password security, issue the following command:

show accounts password-policy

Figure 14: Displaying Password Policy

Configuring the Login Display Banner

ExtremeWare XOS switches allow the admin to configure a banner that is displayed when a login is attempted. It is important for the banner to indicate that switch access is only for authorized users. The primary purpose of the login display banner is to build up a legal case against the unauthorized user.

To configure the login display banner, enter the following commands:

configure banner [Enter]
Switch access for Authorized staff only. [Enter]
Disconnect now if you have no permission to access. [Enter]
E-Mail [email protected] for more information. [Enter]
[Enter]

● Up to 24 rows of 79 characters wide text can be entered

● Pressing [Enter] at the beginning of a new line saves the previously entered text and enables the login display banner

● Pressing [Enter] at the beginning of the first line clears the login display banner

Displaying the Login Banner

To display the configured banner, enter the following command:

show banner

Figure 15: Configuring the Login Display Banner

Figure 16: Displaying the Login Banner

Configuring the Switch Idle Timeout

ExtremeWare has the option of enabling a timer that disconnects Telnet, HTTP, and console sessions after a specified period of inactivity. By default the idle timeout is disabled. To enable the idle timeout feature, enter the following commands:

configure idletimeout <minutes>
enable idletimeout

The minutes of inactivity can range from 1 minute to 240 minutes; the default setting is 20 minutes.

Disabling Switch Idle Timeout

To disable the switch idle timeout, enter the following command:

disable idletimeout

Viewing Idle Timeout Status

To view the idle timeout status, enter the following command:

show management

Figure 17: Configuring, Enabling, and Displaying Switch Idletimeout

Displaying Active Switch Sessions

To view active switch sessions, enter the following command:

show session

Clearing Specific Telnet Sessions

To terminate a specific telnet session, enter the following command:

clear session <number>

<number> corresponds to the session ID number shown in the output of the show session command.

Figure 18: Displaying and Clearing Specific Telnet Sessions

Using Access Control Lists (ACLs) to Control Telnet Access

By default, Telnet services are enabled on the switch. You can restrict Telnet access by using an access control list (ACL) and implementing an ACL policy. You configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the Telnet port.

There are two methods to load ACL policies to the switch:

● You can create the policy directly on the switch. Enter the following command to launch a vi-like editor to create the policy file:

edit policy

● To transfer a policy that you created using a text editor on another system to the switch, enter the following command:

tftp

Sample ACLs that Control Telnet Access

MyAccessProfile.pol

The switch permits connections from the subnet 10.203.133.0/24 and denies connections from all other addresses.

MyAccessProfile_2.pol

The switch does not permit connections from the subnet 10.203.133.0/24 but accepts connections from all other addresses.

Configuring Telnet to Use ACL Policies

Once the policy file is on the switch, a telnet access profile must be configured. To apply the ACL to the telnet access profile, enter the following command:

configure telnet access-profile [<access_profile> | none]

Use the none option to remove a previously configured ACL.
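As an added example that is not part of the guide, the following Python evaluates the two sample Telnet access profiles described above (MyAccessProfile.pol and MyAccessProfile_2.pol) against a source address and flags entries that can never match. It assumes, as its own convention rather than the guide's, that entries are evaluated top to bottom with the first match deciding and that an address matching no entry is denied; because the on-switch .pol syntax is not shown on this page, a profile is represented as a list of (action, network) tuples.

```python
"""Added example, not part of the ExtremeWare guide: first-match evaluation of
the two sample Telnet access profiles described in the text, plus a check for
shadowed entries. Assumptions (this example's own): top-to-bottom first-match
evaluation, and deny when nothing matches. The on-switch .pol syntax is not
shown on this page, so a profile is a list of (action, network) tuples."""
import ipaddress
from typing import List, Optional, Tuple

Profile = List[Tuple[str, str]]   # ("permit" | "deny", CIDR network)

# Constructed to match the prose descriptions of the two sample policies.
MY_ACCESS_PROFILE: Profile = [
    ("permit", "10.203.133.0/24"),   # the one permitted subnet
    ("deny", "0.0.0.0/0"),           # everything else denied
]
MY_ACCESS_PROFILE_2: Profile = [
    ("deny", "10.203.133.0/24"),     # the one denied subnet
    ("permit", "0.0.0.0/0"),         # everything else accepted
]


def telnet_allowed(src_ip: str, profile: Optional[Profile]) -> bool:
    """Decide whether a Telnet connection from src_ip is accepted.
    profile=None models 'configure telnet access-profile none' (no filter)."""
    if profile is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    for action, cidr in profile:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action == "permit"
    return False   # assumption: no matching entry means deny


def shadowed_entries(profile: Profile) -> List[int]:
    """Return indexes of entries that can never match because an earlier entry
    already covers their whole network, a common mistake when editing ACLs
    (for example a catch-all deny placed above the intended permit)."""
    nets = [ipaddress.ip_network(cidr, strict=False) for _, cidr in profile]
    shadowed = []
    for i, net in enumerate(nets):
        if any(net.subnet_of(earlier) for earlier in nets[:i]):
            shadowed.append(i)
    return shadowed
```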

NOTE

Extreme Advanced Security: Access Control Lists goes into more detail about ACLs, Access Profile, Policy Manager, and CLEARFlow.

Figure 19: MyAccessProfile.pol

Figure 20: MyAccessProfile_2.pol

SNMP Access

Any network manager program running the Simple Network Management Protocol (SNMP) can manage the switch, provided the Management Information Base (MIB) is installed correctly on the management station. Each network manager program provides its own user interface to the management facilities.

Please note, when using a network manager program to create a VLAN, Extreme Networks does not support the SNMP create and wait operation. To create a VLAN with SNMP, use the create and go operation.

The following sections describe how to get started if you want to use an SNMP manager. It assumes you are already familiar with SNMP management. If not, refer to the following publication:

The Simple Book by Marshall T. Rose, ISBN 0-13-8121611-9, published by Prentice Hall.

Accessing Switch Agents

To access the SNMP agent residing in the switch, at least one VLAN must have an assigned IP address.

By default, SNMP access and SNMPv1/v2c traps are enabled. SNMP access and SNMP traps can be disabled and enabled independently—you can disable SNMP access but still allow SNMP traps to be sent, or vice versa.

Supported MIBs

In addition to private MIBs, the switch supports standard MIBs. Please refer to ExtremeWare XOS Concepts Guide Software Version 11.3 Appendix D for a listing of supported MIBs.

Figure 21: SNMP Access

Enabling and Disabling SNMPv1/v2c and SNMPv3

ExtremeWare XOS can concurrently support SNMPv1/v2c and SNMPv3. The default is both types of SNMP enabled. Network managers can access the device with either SNMPv1/v2c methods or SNMPv3.

To enable concurrent support, type the following command:

enable snmp access

To prevent any type of SNMP access, type the following command:

disable snmp access

To prevent access using SNMPv1/v2c methods and allow access using SNMPv3 methods only, type the following commands:

enable snmp access

disable snmp access snmp-v1v2c

There is no way to configure the switch to simultaneously allow SNMPv1/v2c access and prevent SNMPv3 access. Most of the commands that support SNMPv1/v2c use the keyword snmp; most of the commands that support SNMPv3 use the keyword snmpv3.

After a switch reboot, all slots must be in the "Operational" state before SNMP can manage and access the slots.

To verify the current state of the slot, type the following command:

show slot

Figure 22: Disabling SNMPv1/v2c but Allowing SNMPv3

Configurable SNMPv1/v2c Parameters

Authorized Trap Receivers

An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMPv1/v2c traps to all configured trap receivers. You can specify a community string and UDP port individually for each trap receiver.

To add a community string to the switch, type the following command:

configure snmp add community

To configure a trap receiver on a switch, type the following command:

configure snmp add trapreceiver <ip_address> community [[hex <hex_community_name>] | <community_name>] {port <port_number>} {from <src_ip_address>} {mode <trap_mode> [enhanced | standard]}

To delete a trap receiver, type the following command:

configure snmp delete trapreceiver

Entries in the trap receiver list can also be created, modified, and deleted using the RMON2 trapDestTable MIB table, as described in RFC 2021.

Community Strings

The community strings allow a simple method of authentication between the switch and the remote network manager. There are two types of community strings on the switch:

● Read community strings provide read-only access to the switch. The default read-only community string is public.

● Read-write community strings provide read-and-write access to the switch. The default read-write community string is private.

As these two community strings are well known, it is highly recommended to change the default community strings when implementing SNMP. To change the read-only and read-write SNMP community strings, enter the following commands:

configure snmp community readonly (new-community-name)
configure snmp community readwrite (new-community-name2)

Additional SNMPv1/v2c Configurable Parameters

● System contact (optional)—The system contact is a text field that enables you to enter the name of the person(s) responsible for managing the switch.

● System name (optional)—The system name enables you to enter a name that you have assigned to this switch. The default name is the model name of the switch (for example, BD-1.2).

● System location (optional)—Using the system location field, you can enter the location of the switch.

Figure 23: Configurable SNMPv1/v2c Parameters

Displaying SNMP Settings

To display SNMP settings for the switch, type the following command:

show management

This command displays the following information:

● Enable/disable state for Telnet and SNMP access

● Login statistics

■ Enable/disable state for idle timeouts

■ Maximum number of CLI sessions

● SNMP community strings

● SNMP trap receiver list

● SNMP trap receiver source IP address

● SNMP statistics counter

● Enable/disable state for Remote Monitoring (RMON)

Figure 24: Displaying SNMP Settings

SNMPv3

SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP access to managed devices and provides sophisticated control of access to the device MIB. The prior standard versions of SNMP, SNMPv1 and SNMPv2c, provided no privacy and little security.

The SNMPv3 standards for network management were primarily driven by the need for greater security and access control. The new standards use a modular design and model management information by cleanly defining a message processing (MP) subsystem, a security subsystem, and an access control subsystem.

The MP subsystem helps identify the MP model to be used when processing a received Protocol Data Unit (PDU), which are the packets used by SNMP for communication. The MP layer helps in implementing a multilingual agent, so that various versions of SNMP can coexist simultaneously in the same network.

The security subsystem features the use of various authentication and privacy protocols with various timeliness checking and engine clock synchronization schemes. SNMPv3 is designed to be secure against:

● Modification of information, where an in-transit message is altered.

● Masquerades, where an unauthorized entity assumes the identity of an authorized entity.

● Message stream modification, where packets are delayed and/or replayed.

● Disclosure, where packet exchanges are sniffed (examined) and information is learned about the contents.

The access control subsystem provides the ability to configure whether access to a managed object in a local MIB is allowed for a remote principal. The access control scheme allows you to define access policies based on MIB views, groups, and multiple security levels. In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for generating and filtering of notifications.

SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage. Objects defined as permanent cannot be deleted.

NOTE

In SNMPv3, many objects can be identified by a human-readable string or by a string of hexadecimal octets. In many commands, you can use either a character string, or a colon-separated string of hexadecimal octets to specify objects. To indicate hexadecimal octets, use the keyword hex in the command.

Message Processing

A particular network manager may require messages that conform to a particular version of SNMP. The choice of the SNMPv1, SNMPv2c, or SNMPv3 MP model can be configured for each network manager as its target address is configured.

To configure the mp-model selection, enter the following command:

configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex <hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}

Figure 25: SNMPv3

SNMPv3 Security

In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals with security related aspects like authentication, encryption of SNMP messages, and defining users and their various access security levels. This standard also encompasses protection against message delay and message replay.

USM Timeliness Mechanisms

An Extreme Networks switch has one SNMPv3 engine, identified by its snmpEngineID. The first four octets are fixed to 80:00:07:7C, which represents the Extreme Networks vendor ID. By default, the additional octets for the snmpEngineID are generated from the device MAC address.

Every SNMPv3 engine necessarily maintains two objects: SNMPEngineBoots, which is the number of reboots the agent has experienced, and SNMPEngineTime, which is the local time since the engine reboot. The engine has a local copy of these objects and the latestReceivedEngineTime for every authoritative engine it wants to communicate with. Comparing these objects with the values received in messages and then applying certain rules to decide upon the message validity accomplishes protection against message delay or message replay.

In a chassis, the snmpEngineID is generated using the MAC address of the MSM with which the switch boots first.

The snmpEngineID can be configured from the command line, but once the snmpEngineID is changed, default users will be reverted back to their original passwords/keys, and non-default users will be reset to the security level of no authorization, no privacy. To set the snmpEngineID, enter the following command:

configure snmpv3 engine-id <hex_engine_id>

snmpEngineBoots can also be configured from the command line. It can be set to any desired value, but it latches at its maximum, 2147483647; once it reaches that value, authenticated messages are treated as outside the time window until the engine is re-initialized. To set snmpEngineBoots, type the following command:

configure snmpv3 engine-boots <(1-2147483647)>
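The timeliness rules that snmpEngineBoots and snmpEngineTime drive can be seen in code. The following is an added example, not Extreme's implementation and not part of the original guide: a Python model of the RFC 3414 time-window check on both the authoritative side (the switch receiving a request) and the non-authoritative side (a manager receiving a response). The 150-second window and the 2147483647 latch are the RFC values; the clock values in the demonstration are constructed.

```python
import time
from dataclasses import dataclass

TIME_WINDOW = 150          # seconds; RFC 3414 section 2.2.3
MAX_BOOTS = 2147483647     # snmpEngineBoots latches here (the CLI's upper bound)


@dataclass
class EngineClock:
    """Local notion of one engine's snmpEngineBoots and snmpEngineTime.

    engine_time() extrapolates forward from the wall-clock instant
    (time_base) at which engine time was last known to be time_offset.
    """
    boots: int
    time_base: float
    time_offset: int = 0
    latest_received: int = 0   # latestReceivedEngineTime, non-authoritative side only

    def engine_time(self, now=None):
        now = time.time() if now is None else now
        return self.time_offset + int(now - self.time_base)


def check_authoritative(local, msg_boots, msg_time, now=None):
    """The receiver is the authoritative engine (the switch receiving a
    Get/Set): compare the message against the receiver's own clock."""
    if local.boots == MAX_BOOTS:
        return False, "local snmpEngineBoots latched at maximum"
    if msg_boots != local.boots:
        return False, "snmpEngineBoots mismatch"
    if abs(msg_time - local.engine_time(now)) > TIME_WINDOW:
        return False, "snmpEngineTime outside the 150 s window (delayed or replayed)"
    return True, "ok"


def check_non_authoritative(cached, msg_boots, msg_time, now=None):
    """The receiver is not authoritative (a manager receiving a Response):
    reject anything behind what it already knows about the remote engine,
    then move its cached notion of that engine forward."""
    now = time.time() if now is None else now
    if msg_boots == MAX_BOOTS:
        return False, "remote snmpEngineBoots latched at maximum"
    if msg_boots < cached.boots:
        return False, "snmpEngineBoots went backwards (replay)"
    if msg_boots == cached.boots and msg_time < cached.engine_time(now) - TIME_WINDOW:
        return False, "snmpEngineTime too far behind the local notion (replay)"
    if msg_boots > cached.boots or msg_time > cached.latest_received:
        # remote engine rebooted, or its clock moved ahead of what we had seen
        cached.boots = msg_boots
        cached.latest_received = msg_time
        cached.time_offset = msg_time
        cached.time_base = now
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a request captured at engine time 505 and
    # replayed 300 seconds later is rejected by the authoritative engine.
    switch = EngineClock(boots=7, time_base=1000.0, time_offset=500)
    print(check_authoritative(switch, 7, 505, now=1010.0))
    print(check_authoritative(switch, 7, 505, now=1310.0))
```

A manager that loses its cached notion of the switch (for example after its own restart) learns it again through the discovery exchange described in RFC 3414; until then its first authenticated request fails the check and the switch answers with a report that carries the current boots and time.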


Figure 26: Configuring SNMPv3 engine-id


SNMPv3 Users

Creating SNMPv3 Users

Users are created by specifying a user name. Depending on whether the user will use authentication and/or privacy, you also specify an authentication protocol (MD5 or SHA) with a password or key, and/or a privacy (DES) password or key. To create a user, type the following command:

configure snmpv3 add user [[hex <hex_user_name>] | <user_name>] {authentication [md5 | sha] [hex <hex_auth_password> | <auth_password>]} {privacy [hex <hex_priv_password> | <priv_password>]} {volatile}

A number of default, permanent users are initially available. The default user names are: admin, initial, initialmd5, initialsha, initialmd5Priv, initialshaPriv. The default password for admin is password. For the other default users, the default password is the user name. Because these defaults are published, change the password of every default user (or remove their group associations) before the switch is reachable over SNMP from an untrusted network.
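How a password becomes the key the switch actually stores, and why changing the snmpEngineID invalidates user keys as noted earlier, is shown by the RFC 3414 key derivation. The block below is an added example, not code from the guide or from ExtremeWare XOS; the two Extreme-style engine IDs (80:00:07:7C prefix, format octet 03, made-up MAC addresses) are constructed, and the functions are checked against the RFC 3414 Appendix A.3 "maplesyrup" test vectors.

```python
import hashlib

EXPANSION_LENGTH = 1048576            # RFC 3414 A.2: hash 1 MiB of repeated password
KEY_LENGTH = {"md5": 16, "sha1": 20}  # HMAC-MD5-96 / HMAC-SHA-96 key sizes

# Constructed Extreme-style engine IDs: 80:00:07:7C (enterprise 1916 with the
# high bit set, RFC 3411), format octet 03 (MAC address), then a made-up MAC.
ENGINE_A = bytes.fromhex("8000077c03" + "000496aabbcc")
ENGINE_B = bytes.fromhex("8000077c03" + "000496ddeeff")


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: the password repeated to exactly 1,048,576 octets, then hashed.
    Deliberately slow; the cost is paid once per user per engine."""
    if not password:
        raise ValueError("empty password")
    if algo not in KEY_LENGTH:
        raise ValueError("algo must be 'md5' or 'sha1'")
    repeats = EXPANSION_LENGTH // len(password) + 1
    expanded = (password * repeats)[:EXPANSION_LENGTH]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The engine stores only Kul, so a
    compromised switch does not expose the key used on other switches, and a
    changed snmpEngineID invalidates every stored Kul."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)


def engine_id_change_breaks_keys(password: bytes, algo: str = "md5") -> bool:
    """True when the same password yields different localized keys on two
    engine IDs, which is why XOS resets users after 'configure snmpv3 engine-id'."""
    return localized_key(password, ENGINE_A, algo) != localized_key(password, ENGINE_B, algo)
```

The switch cannot recompute a non-default user's Kul after an engine ID change because it never kept the password, only Kul; the default users can be restored because their passwords are fixed and known to the switch.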

Displaying SNMPv3 Users

To display information about a user, or all users, type the following command:

show snmpv3 user {[[hex <hex_user_name>] | <user_name>]}

Deleting SNMPv3 Users

To delete a user, type the following command:

configure snmpv3 delete user [all-non-defaults | [[hex <hex_user_name>] | <user_name>]]

NOTE

The SNMPv3 specifications describe the concept of a security name. In the ExtremeWare XOS implementation, the user name and security name are identical. In this manual, both terms are used to refer to the same thing.


Figure 27: Displaying SNMPv3 Users


SNMPv3 Groups

Groups are used to manage access to the MIB. You use groups to define the security model, the security level, and the portion of the MIB that members of the group can read or write. To underscore the access function of groups, groups are defined by typing the following command:

configure snmpv3 add access [[hex <hex_group_name>] | <group_name>] {sec-model [snmpv1 | snmpv2c | usm]} {sec-level [noauth | authnopriv | priv]} {read-view [[hex <hex_read_view_name>] | <read_view_name>]} {write-view [[hex <hex_write_view_name>] | <write_view_name>]} {notify-view [[hex <hex_notify_view_name>] | <notify_view_name>]} {volatile}

The view names associated with a group define a subset of the MIB (subtree) that can be accessed by members of the group. The read view defines the subtree that can be read, write view defines the subtree that can be written to, and notify view defines the subtree that notifications can originate from.

Displaying SNMPv3 Groups

A number of default (permanent) groups are already defined. These groups are: admin, initial, v1v2c_ro, v1v2c_rw. To display information about the access configuration of a group or all groups, type the following command:

show snmpv3 access {[[hex <hex_group_name>] | <group_name>]}

Associating Users with SNMPv3 Groups

Users are associated with groups by entering the following command:

configure snmpv3 add group [[hex <hex_group_name>] | <group_name>] user [[hex <hex_user_name>] | <user_name>] {sec-model [snmpv1 | snmpv2c | usm]} {volatile}

To show which users are associated with a group, enter the following command:

show snmpv3 group {[[hex <hex_group_name>] | <group_name>] {user [[hex <hex_user_name>] | <user_name>]}}

Deleting an SNMPv3 Group

To delete a group, type the following command:

configure snmpv3 delete access [all-non-defaults | {[[hex <hex_group_name>] | <group_name>] {sec-model [snmpv1 | snmpv2c | usm] sec-level [noauth | authnopriv | priv]}}]

When you delete a group, you do not remove the association between the group and users of the group. To delete the association between a user and a group, type the following command:

configure snmpv3 delete group {[[hex <hex_group_name>] | <group_name>]} user [all-non-defaults | {[[hex <hex_user_name>] | <user_name>] {sec-model [snmpv1|snmpv2c|usm]}}]


Figure 28: Displaying SNMPv3 Groups


SNMP Security Models and Levels

For compatibility, SNMPv3 supports three security models:

● SNMPv1—no security

● SNMPv2c—community strings based security

● SNMPv3—USM security

The default is USM. You can select the security model based on the network manager in your network.

The three security levels supported by USM are:

● noAuthNoPriv—No authentication, no privacy. This is the level at which existing SNMPv1/v2c agents operate.

● authNoPriv—Authentication, no privacy. Messages are authenticated and checked for timeliness but are sent in the clear.

● authPriv—Authentication and privacy. This is the highest level of security and requires every message exchange to pass the authentication test and to be encrypted.

When a user is created, an authentication method is selected, and the authentication and privacy passwords or keys are entered.

When MD5 authentication is specified, HMAC-MD5-96 is used: the 16-octet localized authentication key and the whole message are fed to HMAC-MD5, producing a 128-bit message authentication code, and the first 96 bits (12 octets) are inserted in the msgAuthenticationParameters field of the SNMPv3 message when the security level is authNoPriv or authPriv. Specifying SHA authentication uses HMAC-SHA-96 in the same way with a 20-octet key; the 160-bit HMAC-SHA-1 output is likewise truncated to 96 bits. The receiver recomputes the code with that field zeroed and compares, so any modification to the message, header included, fails authentication.

For privacy, the 16-octet localized privacy key is the input to the DES-CBC encryption protocol, which encrypts the scoped PDU. The first 8 octets of that key are the DES key (56 effective bits plus parity bits) and the last 8 octets are a pre-IV; the sender XORs the pre-IV with an 8-octet salt to form the CBC initialization vector. The salt, not the key, is placed in msgPrivacyParameters of the SNMPv3 message when the security level is authPriv; the key itself is never transmitted.
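To make the truncation and the placement of the fields concrete, here is an added example (not from the guide or from ExtremeWare XOS) that signs and verifies a message with HMAC-MD5-96 or HMAC-SHA-96 and splits a 16-octet privacy key into DES key, pre-IV and IV. The message layout, keys and engine ID octets are constructed stand-ins, not valid BER; DES-CBC itself is not performed, only the key and IV handling around it.

```python
import hmac

MAC_LEN = 12                          # 96-bit truncation of the HMAC output
KEY_LENGTH = {"md5": 16, "sha1": 20}  # HMAC-MD5-96 / HMAC-SHA-96 localized key sizes

# Constructed stand-in for a serialized SNMPv3 message: some header octets, the
# 12-octet msgAuthenticationParameters field (zeroed before signing), then the
# scoped PDU. Real messages are BER; the layout here is illustrative only.
SAMPLE_HEAD = b"\x30\x3a\x02\x01\x03" + bytes.fromhex("8000077c03000496aabbcc")
AUTH_OFFSET = len(SAMPLE_HEAD)
SAMPLE_MSG = SAMPLE_HEAD + bytes(MAC_LEN) + b"scoped-pdu-octets(constructed)"


def _check_key(auth_key, algo):
    if algo not in KEY_LENGTH or len(auth_key) != KEY_LENGTH[algo]:
        raise ValueError(f"{algo} authentication needs a {KEY_LENGTH.get(algo)}-octet key")


def authenticate(msg, auth_key, algo, offset=AUTH_OFFSET):
    """Sender side: HMAC the whole message with msgAuthenticationParameters set
    to twelve zero octets, then write the first 12 octets of the MAC into it."""
    _check_key(auth_key, algo)
    if msg[offset:offset + MAC_LEN] != bytes(MAC_LEN):
        raise ValueError("msgAuthenticationParameters must be zeroed before signing")
    mac = hmac.new(auth_key, msg, algo).digest()[:MAC_LEN]
    return msg[:offset] + mac + msg[offset + MAC_LEN:]


def verify(msg, auth_key, algo, offset=AUTH_OFFSET):
    """Receiver side: zero the field, recompute, compare in constant time.
    Any flipped bit anywhere in the message, header included, fails."""
    _check_key(auth_key, algo)
    received = msg[offset:offset + MAC_LEN]
    zeroed = msg[:offset] + bytes(MAC_LEN) + msg[offset + MAC_LEN:]
    expected = hmac.new(auth_key, zeroed, algo).digest()[:MAC_LEN]
    return hmac.compare_digest(received, expected)


def des_privacy_parameters(priv_key, salt):
    """RFC 3414 section 8.1.1.1: split the 16-octet localized privacy key into
    the 8-octet DES key (56 effective bits plus parity) and the 8-octet pre-IV;
    IV = pre-IV XOR salt. Returns (des_key, iv, msgPrivacyParameters). Only the
    salt travels in msgPrivacyParameters; the key never leaves either engine."""
    if len(priv_key) != 16 or len(salt) != 8:
        raise ValueError("need a 16-octet privacy key and an 8-octet salt")
    des_key, pre_iv = priv_key[:8], priv_key[8:]
    iv = bytes(a ^ b for a, b in zip(pre_iv, salt))
    return des_key, iv, salt
```

The salt must not repeat for a given key, which is why RFC 3414 builds it from snmpEngineBoots and a per-engine counter; reusing an IV under DES-CBC leaks whether two messages share a prefix.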


Figure 29: SNMP Security Models (slide text: SNMPv1 – no security; SNMPv2c – community-string based security; SNMPv3 – USM security)

Figure 30: SNMPv3 Security Levels (slide text: noAuthNoPriv – no authentication, no privacy; authNoPriv – authentication, no privacy; authPriv – authentication and privacy)


SNMPv3 MIB Access Control

SNMPv3 provides a fine-grained mechanism for defining which parts of the MIB can be accessed. This is referred to as the View-Based Access Control Model (VACM). MIB views are the basic building blocks of VACM. They define a subset of the information in the MIB. Access to read, to write, and to generate notifications is based on the relationship between a MIB view and an access group. The users of the access group can then read, write, or receive notifications from the part of the MIB defined in the MIB view as configured in the access group.

Every MIB view is defined by a view name, a MIB subtree with an optional mask, and an inclusion or exclusion flag. For example, the System group lives under MIB-2. The Object Identifier (OID) of MIB-2 is 1.3.6.1.2.1 (mgmt.1), and the System group is mib-2.1, or directly 1.3.6.1.2.1.1. Each bit of the mask corresponds to one sub-identifier of the subtree: a 1 bit means that sub-identifier must match exactly, a 0 bit means any value matches there, and sub-identifiers beyond the end of the mask are treated as 1 bits. To define a MIB view that includes only the System group, enter the following subtree/mask combination:

1.3.6.1.2.1.1/1.1.1.1.1.1.1.0

The mask can also be expressed in hex notation (this is the form the ExtremeWare XOS CLI uses):

1.3.6.1.2.1.1/fe

To define a view that covers the entire MIB-2 with the same seven-component subtree, turn the sixth and seventh sub-identifiers into wildcards:

1.3.6.1.2.1.1/1.1.1.1.1.0.0.0

which, in the CLI, is:

1.3.6.1.2.1.1/f8

This matches every object under 1.3.6.1.2 that has at least seven sub-identifiers, which in practice is all of MIB-2. The same effect is obtained by specifying the subtree 1.3.6.1.2.1 with no mask, since an omitted mask means an exact prefix match.

When you create the MIB view, you can choose to include the MIB subtree/mask or to exclude the MIB subtree/mask. To create a MIB view, enter the following command:

configure snmpv3 add mib-view [[hex <hex_view_name>] | <view_name>] subtree <object_identifier> {/<subtree_mask>} {type [included | excluded]} {volatile}

After the view has been created, you can repeatedly use the configure snmpv3 add mib-view command to include and/or exclude MIB subtree/mask combinations to precisely define the items you want to control access to.
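The following added example (not Extreme code and not from the guide) implements the subtree/mask matching described above as a small Python class, including the rule that when several families match, the most specific one decides, which is how an excluded entry carves a hole out of an included one. The notification filters described later in this module use the same subtree/mask semantics. The OIDs and masks are those from the text; the carve-out around sysLocation (1.3.6.1.2.1.1.6) is a constructed illustration.

```python
def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


def parse_mask(mask, length):
    """Mask as dotted bits ('1.1.1.1.1.1.1.0') or as hex ('fe', the CLI form),
    expanded to one bit per sub-identifier of the subtree. A 1 bit means the
    sub-identifier must match exactly; 0 means wildcard. Missing trailing bits
    count as 1 (RFC 3415 section 4.2), so an omitted mask is an exact prefix."""
    if not mask:
        bits = []
    elif "." in mask:
        bits = [int(b) for b in mask.split(".")]
    else:
        bits = [(byte >> (7 - i)) & 1 for byte in bytes.fromhex(mask) for i in range(8)]
    return bits[:length] + [1] * max(0, length - len(bits))


class MibView:
    """One vacmViewTreeFamilyTable view: a list of (subtree, mask bits, included)."""

    def __init__(self):
        self.families = []

    def add(self, subtree, mask="", included=True):
        sub = parse_oid(subtree)
        self.families.append((sub, parse_mask(mask, len(sub)), included))
        return self

    @staticmethod
    def _family_matches(sub, bits, oid):
        if len(oid) < len(sub):
            return False
        return all(bit == 0 or s == o for s, bit, o in zip(sub, bits, oid))

    def contains(self, oid_text):
        """Is this object instance in the view? When several families match,
        the one with the most sub-identifiers wins (then the lexicographically
        greatest subtree), so a specific 'excluded' entry carves a hole out of
        a broader 'included' one."""
        oid = parse_oid(oid_text)
        best = None
        for sub, bits, included in self.families:
            if self._family_matches(sub, bits, oid):
                rank = (len(sub), sub)
                if best is None or rank > best[0]:
                    best = (rank, included)
        return best is not None and best[1]
```

Before handing a view to a group with a write-view, it is worth running the instances you do not want written (the system group, ifAdminStatus, the SNMP user tables) through a check like this; a mask with a misplaced zero bit widens a view silently.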

Displaying MIB Views

In addition to the user-created MIB views, there are three default views. These default views are of storage type permanent and cannot be deleted, but they can be modified. The default views are: defaultUserView, defaultAdminView, and defaultNotifyView. To show MIB views, enter the following command:

show snmpv3 mib-view {[[hex <hex_view_name>] | <view_name>] {subtree <object_identifier>}}

To delete a MIB view, enter the following command:

configure snmpv3 delete mib-view [all-non-defaults | {[[hex <hex_view_name>] | <view_name>] {subtree <object_identifier>}}]

MIB views that are used by security groups cannot be deleted.


Figure 31: Displaying MIB Views


SNMPv3 Notification: Target Addresses

SNMPv3 can use either SNMPv1 traps or SNMPv2c notifications to send information from an agent to the network manager. The terms trap and notification are used interchangeably in this context. Notifications are messages sent from an agent to the network manager, typically in response to some state change on the agent system. With SNMPv3, you can define precisely which traps you want sent, and to which receiver, by defining filter profiles for the notification receivers.

To configure notifications, you configure a target address for the target that receives the notification, a target parameters name, and a list of notification tags. The target parameters specify the security and MP models to use for the notifications to the target. The target parameters name also points to the filter profile used to filter the notifications. Finally, the notification tags are added to a notification table so that any target addresses using that tag will receive notifications.

Configuring Target Address

A target address is similar to the earlier concept of a trap receiver. To configure a target address, enter the following command:

configure snmpv3 add target-addr [[hex <hex_addr_name>] | <addr_name>] param [[hex <hex_param_name>] | <param_name>] ipaddress [[<ip_address> {<netmask>}] | <ip_address>] {transport-port <port_number>} {from <src_ip_address>} {tag-list <tag_list>} {volatile}

In configuring the target address you supply an address name that identifies the target address, a parameters name that indicates the MP model and security for the messages sent to that target address, and the IP address and port for the receiver. The parameters name also is used to indicate the filter profile used for notifications. The from option sets the source IP address in the notification packets.

The tag-list option allows you to associate a list of tags with the target address. The tag defaultNotify is set by default.

Displaying Target Addresses

To display target addresses, enter the following command:

show snmpv3 target-addr {[[hex <hex_addr_name>] | <addr_name>]}

Deleting Target Addresses

To delete a single target address or all target addresses, enter the following command:

configure snmpv3 delete target-addr [{[[hex <hex_addr_name>] | <addr_name>]} | all]


Figure 32: Configuring Target Address

Figure 33: Displaying Target Addresses


SNMPv3 Notification: Target Parameters

Target parameters specify the MP model, security model, security level, and user name (security name) used for messages sent to the target address. The target parameters name used for a target address points to a filter profile used to filter notifications. When you specify a filter profile, you associate it with a parameters name, so you must create different target parameters names if you use different filters for different target addresses.

To create a target parameter name and to set the message processing and security settings associated with it, enter the following command:

configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex <hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}

Displaying Target Parameters

To display the options associated with a target parameters name or all target parameters names, enter the following command:

show snmpv3 target-params {[[hex <hex_target_params>] | <target_params>]}

Deleting Target Parameters

To delete one or all of the target parameters, enter the following command:

configure snmpv3 delete target-params [{[[hex <hex_param_name>] | <param_name>]} | all]


Figure 34: Configuring Target Parameters

Figure 35: Displaying Target Parameters


SNMPv3 Notification: Filter Profiles and Filters

A filter profile is a collection of filters that specifies which notifications should be sent to a target address. A filter is defined by a MIB subtree and mask and by whether that subtree and mask is included in or excluded from notification.

When you create a filter profile, you are associating only a filter profile name with a target parameter name. The filters that make up the profile are created and associated with the profile using a different command. To create a filter profile, enter the following command:

configure snmpv3 add filter-profile [[hex <hex_profile_name>] | <profile_name>] param [[hex <hex_param_name>] | <param_name>] {volatile}

After the profile name has been created, you associate filters with it using the following command:

configure snmpv3 add filter [[hex <hex_profile_name>] | <profile_name>] subtree <object_identifier> {/<subtree_mask>} type [included | excluded] {volatile}

You can add filters together, including and excluding different subtrees of the MIB until your filter meets your needs.

Displaying SNMPv3 Notification

To display the association between parameter names and filter profiles, enter the following command:

show snmpv3 filter-profile {[[hex <hex_profile_name>] | <profile_name>]} {param [[hex <hex_param_name>] | <param_name>]}

To display the filters that belong a filter profile, enter the following command:

show snmpv3 filter {[[hex <hex_profile_name>] | <profile_name>] {{subtree} <object_identifier>}}

Deleting and Removing SNMPv3 Filters

To delete a filter or all filters from a filter profile, enter the following command:

configure snmpv3 delete filter [all | [[hex <hex_profile_name>] | <profile_name>] {subtree <object_identifier>}]

To remove the association of a filter profile or all filter profiles with a parameter name, enter the following command:

configure snmpv3 delete filter-profile [all | [[hex <hex_profile_name>] | <profile_name>] {param [[hex <hex_param_name>] | <param_name>]}]


Fig­ure 36: SNMPv3 Notification: Filter Profiles and Filters

Slide text:
• Filter profile – collection of filters specifying which notifications are sent to a target address
• Filter – identifies a MIB subtree and mask, and determines whether that subtree and mask is included in or excluded from notification
• Filters can be combined to selectively include or exclude different subtrees of the MIB


SNMPv3 Notification: Tags

When you create a target address, you either associate a list of notification tags with the target or, by default, the defaultNotify tag is associated with it. When the system generates notifications, only those targets associated with tags currently in the standard MIB table, snmpNotifyTable, are notified.

To add an entry to the table, enter the following command:

configure snmpv3 add notify [[hex <hex_notify_name>] | <notify_name>] tag [[hex <hex_tag>] | <tag>] {volatile}

Any targets associated with tags in the snmpNotifyTable are notified, based on the filter profile associated with the target.

Displaying SNMPv3 Notification Tags

To display the notifications that are set, enter the following command:

show snmpv3 notify {[[hex <hex_notify_name>] | <notify_name>]}

Deleting SNMPv3 Notification Tags

To delete an entry from the snmpNotifyTable, enter the following command:

configure snmpv3 delete notify [{[[hex <hex_notify_name>] | <notify_name>]} | all-non-defaults]

You cannot delete the default entry from the table, so any targets configured with the defaultNotify tag will always receive notifications consistent with any filter profile specified.

Configuring Notifications

Because the target parameters name points to a number of objects used for notifications, configure the target parameters name entry first. You can then configure the target address, filter profiles and filters, and any necessary notification tags.
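The dependency order above, and the cross-references that fail silently when they are wrong (a target whose only tag is absent from snmpNotifyTable simply never fires), can be enforced by generating the configuration from one description. This is an added example, not an Extreme tool and not from the guide: a Python class that validates the references and emits the configure snmpv3 commands from this module in the prescribed order. The user, target, profile and tag names and the receiver address 10.0.0.50 are constructed; 1.3.6.1.6.3.1.1.5 is the standard snmpTraps subtree (coldStart, linkDown, linkUp, and so on).

```python
from dataclasses import dataclass, field


@dataclass
class NotificationConfig:
    """Collects SNMPv3 notification objects and emits XOS CLI lines in
    dependency order: target-params first (everything points at it), then
    target-addr, filter-profile, filter, and finally notify-table entries."""
    params: dict = field(default_factory=dict)    # name -> (user, mp_model, sec_model, sec_level)
    targets: dict = field(default_factory=dict)   # name -> (param, ip, port, [tags])
    profiles: dict = field(default_factory=dict)  # profile -> param
    filters: list = field(default_factory=list)   # (profile, subtree, mask, type)
    notifies: dict = field(default_factory=dict)  # notify name -> tag

    def validate(self):
        """Return a list of problems; an empty list means the config is consistent."""
        errors = []
        for name, (_user, _mp, sec_model, sec_level) in self.params.items():
            if sec_level != "noauth" and sec_model != "usm":
                errors.append(f"target-params {name}: sec-level {sec_level} needs sec-model usm")
        for name, (param, _ip, _port, _tags) in self.targets.items():
            if param not in self.params:
                errors.append(f"target-addr {name}: unknown param {param}")
        for profile, param in self.profiles.items():
            if param not in self.params:
                errors.append(f"filter-profile {profile}: unknown param {param}")
        for profile, _sub, _mask, _type in self.filters:
            if profile not in self.profiles:
                errors.append(f"filter: unknown filter-profile {profile}")
        # the defaultNotify entry cannot be deleted, so that tag is always live
        active_tags = set(self.notifies.values()) | {"defaultNotify"}
        for name, (_param, _ip, _port, tags) in self.targets.items():
            for tag in tags:
                if tag not in active_tags:
                    errors.append(f"target-addr {name}: tag {tag} not in snmpNotifyTable, never fires")
        return errors

    def render(self):
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))
        lines = []
        for name, (user, mp, sm, sl) in self.params.items():
            lines.append(f"configure snmpv3 add target-params {name} user {user} "
                         f"mp-model {mp} sec-model {sm} sec-level {sl}")
        for name, (param, ip, port, tags) in self.targets.items():
            tag_part = f" tag-list {','.join(tags)}" if tags else ""   # omitted -> defaultNotify
            lines.append(f"configure snmpv3 add target-addr {name} param {param} "
                         f"ipaddress {ip} transport-port {port}{tag_part}")
        for profile, param in self.profiles.items():
            lines.append(f"configure snmpv3 add filter-profile {profile} param {param}")
        for profile, sub, mask, ftype in self.filters:
            mask_part = f"/{mask}" if mask else ""
            lines.append(f"configure snmpv3 add filter {profile} subtree {sub}{mask_part} type {ftype}")
        for name, tag in self.notifies.items():
            lines.append(f"configure snmpv3 add notify {name} tag {tag}")
        return lines


def example_config():
    """Constructed example: one authPriv receiver that gets only the generic
    SNMP traps under 1.3.6.1.6.3.1.1.5."""
    cfg = NotificationConfig()
    cfg.params["nmsParams"] = ("nmsUser", "snmpv3", "usm", "priv")
    cfg.targets["nmsTarget"] = ("nmsParams", "10.0.0.50", 162, ["nmsTag"])
    cfg.profiles["linkEventsOnly"] = "nmsParams"
    cfg.filters.append(("linkEventsOnly", "1.3.6.1.6.3.1.1.5", "", "included"))
    cfg.notifies["nmsNotify"] = "nmsTag"
    return cfg
```

The sec-level check matters because a target-params entry with sec-model snmpv1 or snmpv2c sends notifications with a community string no matter what sec-level is requested; only usm delivers authenticated or encrypted traps.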


Figure 37: Configuring and Displaying SNMPv3 Notification Tags


Secure Shell 2 (SSH2)

Regular Telnet session data is sent in the clear, allowing anyone with a packet sniffer to view the IP packets. Secure Shell 2 (SSH2) is a feature that allows you to encrypt Telnet-style session data between an SSH2 client and the SSH2 server that resides on the switch. Configuration and policy files may also be transferred to the switch using the Secure Copy Protocol 2 (SCP2) or the Secure File Transfer Protocol (SFTP).

Beginning with ExtremeWare XOS 11.2, you can also use SSH2 to connect to other devices from the switch. The ExtremeWare XOS CLI provides a command that enables the switch to function as an SSH2 client, sending commands to a remote system over an SSH2 session. The ExtremeWare XOS SSH2 server also works with the SSH2 client (version 2.x or later) from SSH Communications Security and with OpenSSH (version 2.5 or later). File transfer with SCP2 relies on the SFTP subsystem, so the client must support SFTP.

SSH2 Module Request

SSH2 functionality is not present in the base ExtremeWare XOS software image, but is available as an additional, installable module. Before you can access any SSH2 commands, you must install this additional software module. Without the software module, the SSH2 commands do not appear on the command line.

As a result of SSH2 being under U.S. export restrictions, you must request the SSH2 module from Extreme Networks before you can enable SSH2 on the switch. The procedure for this can be found on the Extreme Networks e-support website.

http://www.extremenetworks.com/go/security.htm


Figure 38: Secure Shell 2 (SSH2)

Slide text: an SSH client and an SSH server connected over Ethernet, each running the same stack: TCP/IP (or IPX/SPX), SSH transport, SSH authentication, SSH connection.
• Encrypts Telnet-style session data between the SSH2 client and the SSH2 server residing on the switch
• Requires the SSH2 software module
• Supports 3DES and Blowfish encryption standards


Installing the SSH2 Module

In addition to the functionality available in the ExtremeWare XOS core image, you can add functionality to your switch by installing modular software packages. Modular software packages are contained in files with the extension .xmod, while core images use the extension .xos. Modular software packages are built at the same time as core images and are designed to work in concert with the core image, so the version number of a modular software package must match the version number of the core image it will run with. For example, the modular software package for Secure Shell (SSH) named:

bd10K-11.2.0.18-ssh.xmod

can run only with the core image named:

bd10K-11.2.0.18.xos

You can install a modular software package on the active partition or on the inactive partition. Install on the active partition to add the package to the currently running core image; as described under Activating the Installed Modular Software Package, the switch must then reboot (or run update must be issued) before the module is active. Install on the inactive partition if you want the functionality available after the switch next reboots into that partition.

Downloading a new image involves the following steps:

● Loading the new module onto a TFTP server on your network (if you are using TFTP).

● Loading the new module onto an external compact flash memory card (if you are using the external compact flash slot). This method is available only on modular switches.

For more information about installing the external compact flash memory card into the external compact flash slot of the MSM, please refer to the Extreme Networks Consolidated XOS Hardware Installation Guide.

● Selecting the partition to use when downloading an image.

Downloading the module to the switch

● To download the module to the switch, enter the following command:

download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>}

Before the download begins, the switch asks if you want to install the module immediately after the download is finished. If you install the module to the active partition, you must reboot the switch. If you install the module to the inactive partition, you do not need to reboot the switch. Enter y to install the image after download. Enter n to install the image at a later time.


Figure 39: Installing the SSH2 Module

Slide text: Download the SSH2 module to the switch:

download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>}


Activating the Installed Modular Software Package

If you download and install the software module on the active partition, the switch automatically reboots after the download and installation are completed. The following message appears when downloading and installing on the active partition:

Image will be installed to the active partition, a reboot required. Do you want

to continue? (y or n)

Enter y to continue the installation and reboot the switch. Enter n to cancel.

If you choose to install the module later, the module is still downloaded and saved to the switch, but you must enter the following command to install the software:

install image <fname> {<partition>} {msm <slotid>} {reboot}

NOTE

Unlike ExtremeWare, the download image command in ExtremeWare XOS causes the switch to use the newly downloaded software image during the next switch reboot. To modify or reset the software image used during a switch reboot, issue the use image command.

You activate the installed modular software package either by rebooting the switch or by entering the following command:

run update

Uninstalling the Module

You can uninstall packages by issuing the following command:

uninstall image <fname> <partition> {msm <slotid>} {reboot}


Figure 40: Activating the Installed Module

Slide text: Activating the SSH2 module: reboot the switch or type run update


Private Key, Public Key, and Host Key

SSH2 session establishment relies on keys exchanged between an SSH2 client and SSH2 server. Three keys are used in SSH2: the private key, the public key, and the host key. In public-key authentication, a public-private key pair identifies a user to an SSH2 server.

A user creates a public and private key pair and then transfers a copy of the public key to the SSH2 server to which the user wants secure access. The private key held by the client must correspond to the public key stored on the server for the server to allow the connection.

● The private key is one of the two keys of a public-key pair. The user keeps it secret; it is stored on the user's local machine and is used to sign the authentication challenge when the user attempts to connect, which is how the server verifies the user's identity. It never leaves the client.

● The public key is the other key of the pair. The user can give copies of it to any server freely, since it can only be used to verify signatures made with (or encrypt messages for) the private key; possession of the public key does not allow anyone to impersonate the user.

When a client connects to a server, the server sends its host key to the client (the server keeps the corresponding private key secret). The first time the client connects to a server, the user is asked whether to save the host key. If the user chooses to save it, the client adds the key to its host key database. Each time the client connects to that server afterwards, it expects to receive the same key. If the server sends a different host key, the client alerts the user that something is wrong, which could be anything from a corrupt key file to a fraudulent server, and accepts or rejects the connection according to its configured policy. Because all later sessions rely on the key saved at first contact, the user should compare the host key or its fingerprint against a value obtained out of band (for example, from the switch console) before saving it.

The host key is the public key of a public-private key pair that identifies a server to a client in SSH2 connections. The SSH2 client saves the host key in a database.
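The host-key check the text describes is a trust-on-first-use pin. The following added example (not from the guide, and not the switch's or any SSH client's code) shows the logic a client applies: an unknown host is pinned only when its fingerprint matches a value obtained out of band, and a changed key is refused. The key blobs are constructed stand-ins; the address 192.168.0.120 is the one used for the SCP2 examples later in this module.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the raw public-key blobs an SSH2 server presents;
# real blobs are the binary encoding of the key, not ASCII text.
SWITCH_HOST_KEY = b"ssh-rsa constructed-host-key-of-the-switch"
IMPOSTOR_HOST_KEY = b"ssh-rsa constructed-host-key-of-some-other-box"


def fingerprint(host_key):
    """OpenSSH-style SHA256 fingerprint: the value to compare against what the
    switch shows on its console before the first connection is accepted."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Minimal known-hosts database: trust on first use, then pin."""

    def __init__(self):
        self.known = {}   # (host, port) -> key blob

    def check(self, host, port, presented, expected_fingerprint=None):
        """Classify a presented host key:
          'trusted'    matches the pinned key for host:port
          'new'        host unknown, fingerprint matched the out-of-band value; now pinned
          'unverified' host unknown and no out-of-band fingerprint supplied; not pinned
          'mismatch'   a different key than expected or pinned was presented; refuse
        The caller opens the session only for 'trusted' or 'new'."""
        pinned = self.known.get((host, port))
        if pinned is None:
            if expected_fingerprint is None:
                return "unverified"
            if not hmac.compare_digest(fingerprint(presented), expected_fingerprint):
                return "mismatch"
            self.known[(host, port)] = presented
            return "new"
        if pinned != presented:
            return "mismatch"
        return "trusted"
```

Pinning by (host, port) rather than by host alone matters on a switch whose SSH2 port has been moved with enable ssh2 port: a different service on the default port must not inherit the trust placed in the switch.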


Figure 41: Three Keys Used In SSH2

Slide text:

Private Key
• Stored locally with the SSH2 client
• Used to verify the user to the SSH2 server
• Signs the authentication challenge; never transmitted

Public Key
• Released by the user to the servers it will log in to
• Verifies signatures made with the user's private key

Host Key
• Sent by the SSH2 server to the SSH2 client
• SSH2 client saves the host key and expects the same key on later connections


Configuring SSH2

There are two steps in successfully configuring SSH2:

1 Generating the host key on the SSH2 server

2 Enabling SSH2 on the switch

An authentication key must be generated before the switch can accept incoming SSH2 sessions. To have the key generated by the switch, enter the following command:

configure ssh2 key

You are prompted to enter information to be used in generating the key; enter random letters and numbers. The key generation process takes approximately ten minutes. Once the key has been generated, save your configuration to preserve the host key. The key generation process produces the SSH2 private host key. The SSH2 public host key is derived from the private host key and is automatically transmitted to the SSH2 client at the beginning of an SSH2 session. Treat the private host key as a secret: anyone who obtains it, for example from a copy of the saved configuration, can impersonate the switch to SSH2 clients.

To use a key that has been previously created, enter the following command:

configure ssh2 key pregenerated

You are then prompted to enter the previous key. It is recommended that you cut and paste the previously generated host key.

NOTE

The pregenerated key must be one that was generated by the switch. To get such key, you can use the command show configuration exsshd to display the key on the console. Copy the key to a text editor and remove the carriage return/line feeds from the key. Finally, copy and paste the key into the command line. The key must be entered as one line.

Enabling SSH2

To enable SSH2, enter the following command:

enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>} {vr [<vr_name> | all | default]}

To disable SSH2, enter the following command:

disable ssh2

You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22. Beginning with ExtremeWare XOS 11.2, the switch accepts IPv6 connections.

Before you initiate a session from an SSH2 client, ensure that the client is configured for any non-default access list or TCP port information that you have configured on the switch. Once these tasks are accomplished, you may establish an SSH2-encrypted session with the switch. Clients must have a valid user name and password on the switch in order to log in to the switch after the SSH2 session has been established.


Figure 42: Configuring and Enabling SSH2


Using ACLs to Control SSH2 Access

You can restrict SSH2 access by creating and applying an ACL policy. You configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the SSH2 port.

There are two methods to load ACL policies to the switch:

● Use the edit policy command to launch a VI-like editor on the switch. You can create the policy directly on the switch.

● Use the tftp command to transfer a policy that you created with a text editor on another system to the switch.

Sample SSH2 Policies

The following are sample policies that you can apply to restrict SSH2 access.

MyAccessProfile.pol

For this example, the switch permits connections from the subnet 10.203.133.0/24 and denies connections from all other addresses.

MyAccessProfile_2.pol

In this example, the switch does not permit connections from the subnet 10.203.133.0/24 but accepts connections from all other addresses.

Configuring SSH2 to Use ACL Policies

This section assumes that you have already loaded the policy on the switch.

To configure SSH2 to use an ACL policy to restrict access, enter the following command:

enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>} {vr [<vr_name> | all | default]}

Use the none option to remove a previously configured ACL.


Figure 43: MyAccessProfile.pol

Figure 44: MyAccessProfile_2.pol


Logging in with SSH2 Client

SSH2 Connection Settings

Now that the SSH2 server on the switch has been configured and enabled, you can log in using an SSH2 client.

Make sure your SSH2 connection settings are correct for:

● Host: IP address of the switch

● Service: SSH selected

● TCP port: the SSH default port number is 22 (or the port you configured with enable ssh2 port)

Host Key Acceptance

After the SSH2 client establishes a connection with the SSH2 server, you are asked whether you want to accept the SSH2 server host key. You must accept the host key to proceed. Before doing so, compare it with the key the switch displays on its console (show configuration exsshd); the key you accept here is the one the client will trust on every later session.

Valid User and Password Entry

Once the host key is accepted, you are asked to enter a valid switch username and password to complete the SSH2 logon.


Logging in with SSH2 Client

Figure 45: SSH2 connection settings

Figure 46: Host Key Acceptance


Secure Copy Protocol 2 (SCP2)

In ExtremeWare XOS version 11.0 or later, the SCP2 protocol is supported for transferring configuration and policy files to the switch from the SCP2 client.

The user must have administrator-level access to the switch. The switch can be specified by its switch name or IP address.

ExtremeWare XOS only allows SCP2 to transfer to the switch files named as follows:

● *.cfg—ExtremeWare XOS configuration files

● *.pol—ExtremeWare XOS policy files

In the following examples, you are using a Linux system to move files to and from the switch at 192.168.0.120, using the switch administrator account admin. You are logged into your Linux system as user.

To transfer the primary configuration file from the switch to your current Linux directory using SCP2, enter the following command:

[user@linux-server]# scp2 admin@192.168.0.120:/config/primary.cfg primary.cfg

To copy the policy filename test.pol from your Linux system to the switch, enter the following command:

[user@linux-server]# scp2 test.pol admin@192.168.0.120:/config/test.pol


Figure 47: Secure Copy Protocol 2 (SCP2)

Slide text:
• Uses SSH2 protocol for data transfers and authentication
• Requires admin level access to switch
• Corrupts uploaded configuration files


Switch as SSH2 Client

Beginning with ExtremeWare XOS 11.2, an Extreme Networks switch can function as an SSH2 client. This means you can connect from the switch to a remote device running an SSH2 server and send commands to that device. You can also use SCP2 to transfer files to and from the remote device.

You do not need to enable SSH2 or generate an authentication key to use the SSH2 and SCP2 commands from the ExtremeWare XOS CLI.

NOTE

The BlackDiamond 8800 family of switches and the Summit X450 switch do not support user-created VRs.

To send commands to a remote system using SSH2, enter the following command:

ssh2 {cipher [3des | blowfish]} {port <portnum>} {compression [on | off]} {user <username>} {debug <debug_level>} {<username>@} [<host> | <ipaddress>] {<remote command>} {vr <vr_name>}

The remote command can be any command accepted by the remote system. You can specify the login user name as a separate argument or as part of the user@host specification. If the login user name for the remote system is the same as your user name on the switch, you can omit the username parameter entirely.

For example, to obtain a directory listing from a remote Linux system with IP address 10.10.0.2 using SSH2, enter the following command:

ssh2 admin@10.10.0.2 ls

To initiate a file copy from a remote system to the switch using SCP2, enter the following command:

scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <user>@ [<hostname> | <ipaddress>]:<remote_file> <local_file> {vr <vr_name>}

For example, to copy the configuration file test.cfg on host system1 to the switch, enter the following command:

scp2 admin@system1:/config/test.cfg localtest.cfg

To initiate a file copy to a remote system from the switch using SCP2, enter the following command:

scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <local_file> <user>@ [<hostname> | <ipaddress>]:<remote_file> {vr <vr_name>}

For example, to copy the configuration file engineering.cfg from the switch to host system1, enter the following command:

scp2 engineering.cfg admin@system1:/config/engineering.cfg


Figure 48: Switch as SSH2 Client


Verifying SSH2

Troubleshooting SSH2 requires you to look at both the SSH2 server (switch) and the SSH2 client (remotely connected PC). You can start the SSH2 troubleshooting process by verifying that SSH2 is set up and configured correctly on the switch.

To verify the host key generation is valid, enter the following command:

show management

The SSH Access field should indicate key valid and specify the enabled tcp port number.


Figure 49: Verifying SSH2


Troubleshooting SSH2

To view the fully generated SSH2 host key, enter the following command:

show configuration

When SSH2 sessions are not set up properly, the syslog file can provide you with SSH-related information. To view the syslog file, enter the following command:

show log

If SSH2 is correctly configured and enabled on the switch, look at the SSH2 client setup. Consult the documentation that accompanies the SSH2 client software. Verify that the following are correct and valid:

● SSH2 client is using a valid user name and password for the switch

● SSH2 host IP address

● Other SSH2 connection settings


Figure 50: show configuration

Figure 51: show log


Secure Socket Layer (SSL)

Secure Socket Layer (SSLv3) is a feature of ExtremeWare XOS that allows you to authenticate and encrypt data over an SSL connection to provide secure communication. The existing web server in ExtremeWare XOS allows HTTP clients to access the network login page. By using HTTPS on the web server, clients securely access the network login page using an HTTPS-enabled web browser. Since SSL encrypts the data exchanged between the server and the client, you protect your data, including network login credentials, from unwanted exposure.

HTTPS access is provided through SSL and the Transport Layer Security (TLS1.0). These protocols enable clients to verify the authenticity of the server to which they are connecting, thereby ensuring that users are not compromised by intruders.

Similar to SSH2, before you can use any SSL commands, you must first download and install the separate Extreme Networks SSH software module (ssh.xmod). This additional module allows you to configure both SSH2 and SSL on the switch. SSL is packaged with the SSH module; therefore, if you do not install the module, you are unable to configure SSL. If you try to execute SSL commands without installing the module first, the switch notifies you to download and install the module.

You must upload or generate a certificate for SSL server use. Before you can upload a certificate, you must purchase and obtain an SSL certificate from an Internet security vendor. The following security algorithms are supported:

● RSA for public key cryptography (generation of certificate and public-private key pair, certificate signing). RSA key size between 1024 and 4096 bits.

● Symmetric ciphers (for data encryption): RC4, DES, and 3DES.

● Message Authentication Code (MAC) algorithms: MD5 and SHA.


Figure 52: Secure Socket Layer (SSL)

Slide text:
• Data authentication
• Data encryption
• Used for HTTPS access
• Requires SSH2 software module


Enabling and Disabling SSL

This section describes how to enable and disable SSL on your switch.

Please keep in mind the following guidelines when using SSL:

● To use SSL with web-based login (secure HTTP access, HTTPS) you must specify the HTTPS protocol when configuring the redirect URL.

● If you are downloading the SSH module for the first time and want to immediately use SSL for secure HTTPS web-based login, restart the http process after installing the SSH module.

To enable SSL and allow secure HTTP (HTTPS) access on the default port (443), enter the following command:

enable web https

To disable SSL and HTTPS, enter the following command:

disable web https

NOTE

Prior to ExtremeWare XOS 11.2, the Extreme Networks SSH module did not include SSL. To use SSL for secure HTTPS web-based login, you must upgrade your core software image to ExtremeWare XOS 11.2 or later, install the SSH module that works in concert with that core software image, and reboot the switch.

Creating Certificates and Private Keys

When you generate a certificate, the certificate is stored in the configuration file, and the private key is stored in the EEPROM. The certificate generated is in PEM format.

To create a self-signed certificate and private key that can be saved in the EEPROM, enter the following command:

configure ssl certificate privkeylen <length> <country code> organization <org_name> common-name <name>

Make sure to specify the following:

● Country code (maximum size of 2 characters)

● Organization name (maximum size of 64 characters)

● Common name (maximum size of 64 characters)

Any existing certificate and private key is overwritten.

The size of the certificate depends on the RSA key length (privkeylen) and the length of the other parameters (country, organization name, and so forth) supplied by the user. If the RSA key length is 1024, the certificate is approximately 1 KB. For an RSA key length of 4096, the certificate length is approximately 2 KB, and the private key length is approximately 3 KB.


Figure 53: Enabling SSL


Downloading a Certificate Key from a TFTP Server

You can download a certificate key from files stored on a TFTP server. If the operation is successful, any existing certificate is overwritten. After a successful download, the software attempts to match the public key in the certificate against the stored private key. If the private and public keys do not match, the switch displays a warning message similar to the following: "Warning: The Private Key does not match with the Public Key in the certificate." This warning acts as a reminder to also download the private key.

Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration. Once you issue the save command, the downloaded certificate is stored in the configuration file and the private key is stored in the EEPROM.

To download a certificate key from files stored in a TFTP server, enter the following command:

download ssl <ip_address> certificate <cert file>

NOTE

For security reasons, you can only download a certificate key in the VR-Mgmt virtual router.

Displaying SSL Information

To see whether the private key matches the public key stored in the certificate, enter the following command:

show ssl

This command also displays:

● HTTPS port configured. This is the port on which the clients will connect.

● Length of the RSA key (the number of bits used to generate the private key).

● Basic information about the stored certificate.


Figure 54: Displaying SSL Information


Downloading a Private Key from a TFTP Server

To download a private key from files stored on a TFTP server, enter the following command:

download ssl <ip_address> privkey <key file>

If the operation is successful, the existing private key is overwritten. After the download is successful, a check is performed to find out whether the private key downloaded matches the public key stored in the certificate. If the private and public keys do not match, the switch displays a warning message similar to the following: Warning: The Private Key does not match with the Public Key in the certificate. This warning acts as a reminder to also download the corresponding certificate.

NOTE

For security reasons, when downloading private keys, Extreme Networks recommends obtaining a pre-generated key rather than downloading a private key from a TFTP server.

Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration. Once you issue the save command, the downloaded certificate is stored in the configuration file and the private key is stored in the EEPROM.

Configuring Pre-generated Certificates and Keys

To get the pre-generated certificate from the user, enter the following command:

configure ssl certificate pregenerated

You can copy and paste the certificate into the command line followed by a blank line to end the command. This command is also used when downloading or uploading the configuration. Do not modify the certificate stored in the uploaded configuration file because the certificate is signed using the issuer’s private key.

The certificate and private key file should be in PEM format and generated using RSA as the cryptography algorithm.

To get the pre-generated private key from the user, enter the following command:

configure ssl privkey pregenerated

You can copy and paste the key into the command line followed by a blank line to end the command.

This command is also used when downloading or uploading the configuration. The private key is stored in the EEPROM.

The certificate and private key file should be in PEM format and generated using RSA as the cryptography algorithm.


Figure 55: Configuring Switch to Receive Pregenerated SSL Certificate from User


Authenticating Users Logging into Switch

ExtremeWare XOS provides three methods to authenticate users who log in to the switch:

● RADIUS

● TACACS+

● Local database of accounts and passwords

RADIUS, TACACS+, local database of accounts and passwords, and SSH are management access security features that control access to the management functions available on the switch. These features help ensure that any configuration changes to the switch can be done only by authorized users.

RADIUS versus TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary AAA implementation similar in function to RADIUS.

NOTE

RADIUS and TACACS+ cannot be active at the same time on an Extreme Networks switch.

Table 1: Differences between RADIUS and TACACS+

CPU cycle and memory demands
  RADIUS: Low
  TACACS+: High

Transport protocol
  RADIUS: UDP, best-effort delivery. Default port number 1646.
  TACACS+: TCP, connection oriented. Default port number 49.

Encryption
  RADIUS: Encrypts only the password in the Access-Request packet. The rest of the RADIUS packet, containing the username, authorized services, and accounting fields, is sent in the clear.
  TACACS+: The entire TACACS+ packet is encrypted.

AAA protocol
  RADIUS: Industry standard
  TACACS+: Cisco proprietary

AAA architecture
  RADIUS: The RADIUS AAA server combines authentication and authorization. Access-Accept packets sent by the RADIUS server to the client contain authorization information, making it difficult to decouple authentication and authorization.
  TACACS+: TACACS+ separates authentication, authorization, and accounting services, so AAA services can be spread over multiple servers. For example, it is possible to use Kerberos for the authentication server and a TACACS+ server for authorization and accounting.

Legacy protocols support
  • AppleTalk Remote Access
  • NetBIOS Frame Protocol Control
  • Novell Asynchronous Services Interface
  • X.25 PAD connection


Figure 56: Authenticating Users Logging into Switch


RADIUS

The RADIUS protocol was developed by Livingston Enterprises, Inc., as an access authentication, authorization, and accounting (AAA) protocol. The RADIUS specification is described in RFCs 2138 and 2865.

● Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.

● Authorization: The act of granting access rights to a user, groups of users, system, or a process.

● Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.

RADIUS is a client/server protocol, with the Extreme Networks switch as the client. The RADIUS client is known as a Network Access Server (NAS). The RADIUS server is usually a daemon process running on a UNIX or Windows machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver services to the user.

The password is hidden using the RSA Message Digest Algorithm MD5.

Communication between a client (NAS) and a RADIUS server is based on the connectionless User Datagram Protocol (UDP) service. Issues related to server availability are handled by the RADIUS-enabled devices rather than by the transport protocol.

The RADIUS implementation can be used to perform per-command authentication allowing you to define several levels of user capabilities by controlling the permitted command sets based on the RADIUS username and password. You do not need to configure any additional switch parameters to take advantage of this capability. The RADIUS server implementation automatically negotiates the per-command authentication capability with the switch.

RADIUS Packet Format

A RADIUS packet is encapsulated in the UDP data field, with UDP destination port 1645 (RFC 2138) or 1812 (RFC 2865). Early deployments of RADIUS used port 1645, which conflicts with the “datametrics” service.


Figure 57: Remote Authentication Dial-In User Service (RADIUS)

Slide text:
• Authorization, Authentication & Accounting (AAA) protocol
• Distributed access control with centrally stored authentication information
• Requires RADIUS client (NAS) / RADIUS server
• IP/UDP based
• Per-command authentication (server)


RADIUS Authentication Process

You define a primary and secondary RADIUS server for the switch to contact. When a user attempts to log in using Telnet, HTTP, or the console, the request is relayed to the primary RADIUS server and then to the secondary RADIUS server, if the primary does not respond. If the RADIUS client is enabled, but access to the RADIUS primary and secondary server fails, the switch uses its local database for authentication. Beginning with ExtremeWare XOS 11.2, you can specify one pair of RADIUS servers for switch management and another pair for network login.

The privileges assigned to the user (admin versus nonadmin) at the RADIUS server take precedence over the configuration in the local switch database.

When a switch is configured to act as a RADIUS client, any user connecting to the switch presents authentication information. The steps of the RADIUS authentication process are as follows.

1 When the switch (client) obtains the authentication information, it creates an Access-Request. The Access Request contains the following attributes:

● user's name

● user's password

● ID of the RADIUS client

2 The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is resent. The client can also forward requests to a secondary RADIUS server in the event that the primary RADIUS server is down or unreachable.

3 When the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret is discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request.

● If any condition is not met, the RADIUS server sends an Access-Reject response indicating that this user request is invalid.

● If all conditions are met the RADIUS server sends an Access-Accept response indicating that this user request is valid.

● If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an Access-Challenge response.

4 If the RADIUS client receives an Access-Challenge and supports challenge/response, it prompts the user for a response. The client then resubmits the original Access-Request with a new request ID, with the User-Password attribute replaced by the response.

5 The server can respond to this new Access-Request with an Access-Accept, an Access-Reject, or another Access-Challenge.
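The exchange in steps 1 to 5, worked through as an added Python example (not code from the guide or from Extreme Networks): the switch side builds an Access-Request whose User-Password is hidden with the MD5 chain of RFC 2865, a toy server checks the shared secret and answers, and the switch verifies the Response Authenticator before mapping the Service-Type attribute in the Access-Accept to a privilege level. The shared secret, user accounts, NAS address and all packet bytes are constructed for the example.

```python
# RFC 2865 Access-Request / Access-Accept exchange following the steps above. Added
# example, not from the Extreme Networks guide; secret, accounts and bytes are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3               # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6  # attribute types
ADMINISTRATIVE_USER = 6   # Service-Type value the switch maps to read-write access

def xor_chain(data, secret, req_auth, decrypt=False):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator.
    User-Password is the only field not sent in clear; its protection is the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if decrypt else block)
    return out

def hide_password(password, secret, req_auth):
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, req_auth)

def unhide_password(hidden, secret, req_auth):
    return xor_chain(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length including header (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data) and data[i + 1] >= 2:   # stop on a truncated/malformed TLV
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    """Header: Code, Identifier, Length (20 + attributes), 16-byte Authenticator."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def build_access_request(ident, user, password, nas_ip, secret):
    """Step 1: the switch (NAS) sends User-Name, the hidden User-Password and its
    own identity (NAS-IP-Address) around a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): lets the switch
    check that the reply came from a server holding the same shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def server_handle(request, secret, users):
    """Step 3: with the wrong NAS secret the password unhides to garbage and the
    request fails; a valid user gets Access-Accept carrying Service-Type."""
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    password = unhide_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    acct = users.get(a.get(USER_NAME))
    if code != ACCESS_REQUEST or acct is None or acct["password"] != password:
        reply_code, reply_attrs = ACCESS_REJECT, []
    else:
        reply_code = ACCESS_ACCEPT
        reply_attrs = [(SERVICE_TYPE, struct.pack("!I", acct["service_type"]))]
    auth = response_authenticator(reply_code, ident, reply_attrs, req_auth, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_privilege(reply, request, secret):
    """Switch side: verify Identifier and Response Authenticator before trusting the
    reply; Service-Type 6 (Administrative-User) means read-write, anything else read-only."""
    _, ident, req_auth, _ = parse_packet(request)
    code, r_ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, r_ident, attrs, req_auth, secret)
    if r_ident != ident or auth != expected:
        return "rejected (bad response authenticator)"
    if code != ACCESS_ACCEPT:
        return "rejected"
    service_type = dict(attrs).get(SERVICE_TYPE)
    if service_type and struct.unpack("!I", service_type)[0] == ADMINISTRATIVE_USER:
        return "read-write"
    return "read-only"

# Constructed sample accounts and secret (not from the guide).
SECRET = b"example-shared-secret"
USERS = {b"admin": {"password": b"Adm1n-pass", "service_type": 6},
         b"viewer": {"password": b"V1ew-only", "service_type": 1}}

def login(user, password, secret=SECRET, server_secret=SECRET):
    """Run one exchange and return the privilege level the switch would grant."""
    request = build_access_request(7, user, password, "192.168.0.120", secret)
    reply = server_handle(request, server_secret, USERS)
    return client_privilege(reply, request, secret)
```

Because only User-Password is hidden and the hiding key is MD5(secret + authenticator), the strength of the shared secret is what stands between a captured exchange and the password; the User-Name and NAS-IP-Address travel in the clear, as the table above states.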


Figure 58: RADIUS Authentication Process

Slide text: the RADIUS client sends an Access-Request (packet type 1) carrying the username and password; the RADIUS server replies with Access-Accept (2), Access-Reject (3) or Access-Challenge (11) carrying attributes such as User-service, Frame protocol and vlan. The user's response to a challenge is sent in a new Access-Request (1), which is again answered with Access-Accept (2), Access-Reject (3) or Access-Challenge (11).

Note: Username and RADIUS exchanges are sent in the clear. Only the password is encrypted.


Configuring the RADIUS Client

To configure the switch as a RADIUS client, enter the following command:

configure radius {mgmt-access | netlogin} [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip [<ipaddress>] {vr <vr_name>}

To configure the primary RADIUS server, specify primary. To configure the secondary RADIUS server, specify secondary.

By default, switch management and network login use the same primary and secondary RADIUS servers for authentication. To specify one pair of RADIUS servers for switch management and another pair for network login, make sure to specify the mgmt-access or netlogin keywords.

To configure the timeout after which a RADIUS server is considered to have failed to respond, type the following command:

configure radius {mgmt-access | netlogin} timeout <seconds>

If the timeout expires, another authentication attempt will be made. After three failed attempts to authenticate, the alternate server will be used. After six failed attempts, local user authentication will be used.

If you do not specify the mgmt-access or netlogin keywords, the timeout interval applies to both switch management and netlogin RADIUS servers.

Configuring the Shared Secret Password for RADIUS Servers

In addition to specifying the RADIUS server IP information, RADIUS also contains a means to verify communication between network devices and the server. The shared secret is a password configured on the network device and the RADIUS server, used by each to verify communication.

To configure the shared secret for RADIUS servers, type the following command:

configure radius {mgmt-access | netlogin} [primary | secondary] shared-secret {encrypted} <string>

If you do not specify the mgmt-access or netlogin keywords, the secret applies to both the switch management and netlogin RADIUS servers (primary or secondary, as specified).

Do not use the encrypted keyword to set the shared secret. The encrypted keyword is primarily for the output of the show configuration command, so the shared secret is not revealed in the command output.

To configure the shared secret password, type the following command:

configure radius [primary | secondary] shared-secret {encrypted} <string>


Figure 59: Configuring the RADIUS Client

Figure 60: Configuring the Shared Secret Password for RADIUS Servers


Enabling and Disabling RADIUS

After server information is entered, you can start and stop RADIUS authentication as many times as necessary without needing to reconfigure server information.

To enable RADIUS authentication, type the following command:

enable radius {mgmt-access | netlogin}

If you do not specify the mgmt-access or netlogin keywords, RADIUS authentication is enabled on the switch for both management and network login.

To disable RADIUS authentication, type the following command:

disable radius {mgmt-access | netlogin}

If you do not specify the mgmt-access or netlogin keywords, RADIUS authentication is disabled on the switch for both management and network login.

Verifying the RADIUS Client

To display the RADIUS client configuration on the switch, enter the following command:

show radius

Troubleshooting RADIUS

RADIUS troubleshooting is not limited to the switch (RADIUS client). The configuration files on the RADIUS server also need to be correct. RADIUS server log files provide additional information on the communication between the RADIUS client and the RADIUS server.


Figure 61: Enabling and Verifying the RADIUS Client


Configuring RADIUS Accounting

Extreme Networks switches are capable of sending RADIUS accounting information. As with RADIUS authentication, you can specify two servers for receipt of accounting information. You can configure RADIUS accounting servers to be the same as the RADIUS authentication servers, but this is not required.

To specify RADIUS accounting servers, type the following command:

configure radius-accounting {mgmt-access | netlogin} [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip [<ipaddress>] {vr <vr_name>}

To configure the primary RADIUS accounting server, specify primary. To configure the secondary RADIUS accounting server, specify secondary.

By default, switch management and network login use the same primary and secondary RADIUS servers for accounting. To specify one pair of RADIUS accounting servers for switch management and another pair for network login, make sure to specify the mgmt-access or netlogin keywords.

Configuring the RADIUS Accounting Timeout Value

To configure the timeout if a server fails to respond, type the following command:

configure radius-accounting {mgmt-access | netlogin} timeout <seconds>

If the timeout expires, another authentication attempt will be made. After three failed attempts to authenticate, the alternate server will be used.

Configuring the Shared Secret Password for RADIUS Accounting Servers

RADIUS accounting also uses the shared secret password mechanism to validate communication between network access devices and RADIUS accounting servers.

To specify shared secret passwords for RADIUS accounting servers, type the following command:

configure radius-accounting {mgmt-access | netlogin} [primary | secondary] shared-secret {encrypted} <string>

Verifying RADIUS Accounting

To display the RADIUS accounting configuration on the switch, enter the following command:

show radius-accounting


Figure 62: Configuring and Verifying RADIUS Accounting


RADIUS Server Support

You can define primary and secondary server communication information and, for each RADIUS server, the RADIUS port number to use when talking to the RADIUS server. The default port value is 1812 for authentication and 1813 for accounting. The client IP address is the IP address used by the RADIUS server for communicating back to the switch.

NOTE

For information on how to use and configure your RADIUS server, please refer to the documentation that came with your RADIUS server.

RADIUS RFC 2138 Attributes

The RADIUS RFC 2138 optional attributes supported are as follows:

● User-Name

● User-Password

● Service-Type

● Login-IP-Host

RADIUS RFC 3580 Attributes

The RFC 3580 attributes for Netlogin 802.1x supported are as follows:

● EAP-Message

● Message-Authenticator

● State

● Termination-Action

● Session-Timeout

● NAS-Port-Type

● Calling-Station-ID


Figure 63: RADIUS Server Support

Slide text:
• Primary or secondary server
• RADIUS port parameter: default authentication 1812, default accounting 1813
• Client IP address
• RADIUS RFC 2138 and RFC 3580 attributes


Using RADIUS Servers with Extreme Networks Switches

Extreme Networks switches have two levels of user privilege:

● Read-only

● Read-write

Because no command line interface (CLI) commands are available to modify the privilege level, access rights are determined when you log in. For a RADIUS server to identify the administrative privileges of a user, Extreme Networks switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept packet, after successfully authenticating the user.

Extreme Networks switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is transmitted as part of the Access-Accept message from the RADIUS server. Any other Service-Type value, or no value, results in the switch granting read-only access to the user. Different implementations of RADIUS handle attribute transmission differently; consult the documentation for your specific implementation of RADIUS when you configure users for read-write access.

Extreme RADIUS

Extreme Networks provides its users, free of charge, a RADIUS server based on Merit RADIUS. Extreme RADIUS provides per-command authentication capabilities in addition to the standard set of RADIUS features. Source code for Extreme RADIUS can be obtained from the Extreme Networks Technical Assistance Center and has been tested on Red Hat Linux.

When Extreme RADIUS is up and running, the two most commonly changed files are users and profiles. The users file contains entries specifying login names and the profiles used for per-command authentication after the users have logged in. Sending a HUP signal to the RADIUS process is sufficient for changes to the users file to take effect. Extreme RADIUS uses the file named profiles to specify command lists that are either permitted or denied to a user based on their login identity. Changes to the profiles file require the RADIUS server to be shut down and restarted; sending a HUP signal to the RADIUS process is not enough to force changes to the profiles file to take effect.

When you create command profiles, you can use an asterisk to indicate any possible ending to a particular command. The asterisk cannot be used at the beginning of a command. Reserved words for commands are matched exactly against those in the profiles file. Because of the exact match, it is not enough to simply enter “sh” for “show” in the profiles file; the complete word must be used. Commands can still be entered on the switch in partial format.

When you use per-command authentication, you must ensure that communication between the switch(es) and RADIUS server(s) is not lost. If the RADIUS server crashes while users are logged in, they will have full administrative access to the switch until they log out. Using two RADIUS servers and enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access due to RADIUS

Figure 64: Using RADIUS Servers with Extreme Networks Switches

Two levels of user privilege:

● Read-only

● Read-write

Free RADIUS servers:

● Extreme Networks provides a RADIUS server based on Merit RADIUS

● Cistron RADIUS

● FreeRADIUS

Commercial RADIUS servers:

● Extreme Networks EPICenter

● RSA ACE

● Funk Software Steel Belted Radius


Merit RADIUS Server Configuration Example

Many implementations of RADIUS server use the publicly available Merit AAA server application. To get a copy, search for the server on the website at:

www.merit.edu

The sample displayed consists of excerpts from relevant portions of a sample Merit RADIUS server implementation; it shows the client and user configuration files. The client configuration file (ClientCfg.txt) defines the authorized source machine, source name, and access level. The user configuration file (users) defines username, password, and service type information.

Figure 65: Merit RADIUS Server Configuration Example

Summary

You should now be able to:

● Identify the five switch access options

● Configure Safe-Default-Script

● Disable nonessential switch access options

● Create management accounts on the switch

● Configure a Failsafe Account

● Manage Passwords

● Configure an Access Control List (ACL) to control telnet access

● Display management accounts

● Configure the banner that displays during login attempts

● Configure switch idle timeouts

● View active switch sessions

● Configure SNMPv3

● Configure SSH2

● Configure an ACL to control SSH2 access

● Configure SCP2

● Describe RADIUS

● Configure the RADIUS client

● Configure RADIUS accounting

● Describe TACACS+

Figure 66: Summary

Figure 67: Summary (cont)

TACACS+

● Cisco proprietary AAA protocol

● TCP based

● Supports legacy protocols

● On an Extreme Networks switch, RADIUS and TACACS+ cannot be active at the same time

Module 4 ACLs and Policies

Student Objectives

Upon completion of this module, the successful student will be able to:

● Describe EXOS Packet Filtering Structure and Components

● Know how to use policies and edit policy files

● Describe the differences between ACL policies and Routing policies

● Understand Dynamic ACL and Static ACL (ACL Policy File), matching conditions, syntax, and troubleshooting

● Understand ACL rule evaluation process

● Understand routing policies

● Describe routing policy syntax and the rule evaluation process

● Describe routing policy match conditions and actions

● Know how to apply routing policies

● Practice hands-on labs to reinforce the concept

Figure 68: Student Objectives

EXOS Packet Filtering Structure and Components

When you create a policy file, name the file with the policy name that you will use when applying the policy, and use “.pol” as the filename extension. For example, the policy name “boundary” refers to the text file “boundary.pol”.

The Policy Manager is responsible for maintaining a set of policy files/statements in a policy database and communicating these policy statements to the applications that request them.

How to Use Policies

A policy is created by writing a text file that contains a series of rule entries describing match conditions and actions to take.

Prior to release 11.0, all policies were created by writing a text file on a separate machine and then downloading it to the switch. Once on the switch, the file was then loaded into a policy database to be used by applications on the switch. With release 11.0, policy text files can also be created and edited directly on the switch through the built-in vi-like editor.

Figure 69: EXOS Packet Filtering Structure and Components

Figure 70: How to Use Policies

How to Edit Policy Entries/Rules

The vi-like editor is a built-in tool on ExtremeWare XOS. To edit a policy file on the switch by launching the editor, use the following command:

#edit policy <filename>

Types of Policies

There are two types of policies: ACL Policy and Routing Policy.

Policies are used by the access control list (ACL) application to perform packet filtering and forwarding decisions on packets. The ACL application will program these policies into the packet filtering hardware on the switch. Packets can be dropped, forwarded, moved to a different QoS profile, or counted, based on the policy statements provided by the policy manager.

Policies are also used by the routing protocols to control the advertisement, reception, and use of routing information by the switch. Using policies, a set of routes can be selectively permitted (or denied) based on their attributes, for advertisements in the routing domain. The routing protocol application can also modify the attributes of the routing information, based on the policy statements.

ExtremeWare XOS does not prohibit mixing ACL policy and routing policy entries in a single policy file. However, it is strongly recommended that you write separate policy files for ACL entries and for routing entries.

ACLs can be created in two ways. One method is to use the ACL policy file mentioned above, which is created and then applied to a list of ports or to VLANs/interfaces. Such ACLs can be persistent across switch reboots, can contain a large number of rule entries, and apply all of those entries at the same time. The other method is to create dynamic ACLs. Dynamic ACLs do not persist across a reboot and consist of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are configured. Details are covered later in this module.

Figure 71: How to Edit Policy Entries/Rules

Figure 72: Types of Policies

Access Control List

ACLs can be created in two ways: ACL Policy and Dynamic ACL. The ACL policy method creates a policy file and applies it to a list of ports or to VLANs/interfaces. Such ACLs can be persistent across switch reboots, can contain a large number of rule entries, and apply all of those entries at the same time.

A Dynamic ACL does not persist across a reboot and consists of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are configured.

ACL Overview

ACLs are used to perform packet filtering and forwarding decisions on incoming traffic.

Each packet arriving on an ingress port is compared to the access list applied to that port and is either permitted or denied. Permitted packets can also be forwarded to a specified QoS profile. On the BD10K and BD12K platforms, egress packets can also be filtered; this is a new feature in ExtremeWare XOS 11.3.

Additionally, you can configure the switch to count permitted and denied (dropped) packets, log packet headers, mirror traffic to a monitor port, send the packet to a QoS profile, and, for the BlackDiamond 8800 family and Summit X450 switches only, meter the packets to control bandwidth.

ACLs in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in ExtremeWare. For example, if you deny all the traffic to a port, no traffic, including control packets such as OSPF or RIP, will reach the switch, and the adjacency will be dropped. You must explicitly allow those types of packets (if desired). In ExtremeWare, an ACL that denied “all” traffic would still allow control packets (those bound for the CPU) to reach the switch.

Using ACLs has no impact on switch performance.

ACLs are created in two different ways. The first method is to use the CLI to specify a single rule, called a dynamic ACL. Dynamic ACLs do not persist across a reboot and consist of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are configured. The second method is to create an ACL policy file and apply that policy file to a list of ports, to a VLAN, or to all interfaces. This method creates ACLs that can be persistent across switch reboots, can contain a large number of rule entries, and apply all of those entries at the same time.

Figure 73: ACL Overview

Static ACL - ACL Policy File

Match Conditions:

You can specify multiple, single, or zero match conditions. If no match condition is specified, all packets match the rule entry. Among the match conditions commonly used are:

● IP source address and mask

● IP destination address and mask

● TCP or UDP source port range

● TCP or UDP destination port range

Actions:

The action is permit, deny, or none. If no action is specified, the packet is permitted; the deny action drops the packet.

Action Modifiers:

The action modifiers are count <countername>, qosprofile <qosprofilename>, and meter <metername>. The count action modifier increments the counter named in the modifier. The qosprofile action modifier forwards the packet to the specified QoS profile. The meter action modifier associates a rule entry with an ACL meter and is only available on the BD 8810 and Summit X450 platforms. (Metering is a QoS feature and is not discussed in detail in this course.)

ACL Match Operators:

You can also use the operators <, <=, >, and >= to specify match conditions. For example, the match condition, source-port > 190, will match packets with a source port greater than 190. Be sure to use a space before and after an operator.

Figure 75 (ACL Policy File Match Conditions) lists all the possible match conditions. The field types used in that table are:

● Prefix: IP source and destination address prefixes. To specify the address prefix, use the notation prefix/prefix-length. For a host address, prefix-length should be set to 32.

● Number: A numeric value, such as a TCP or UDP source or destination port number, or an IP protocol number.

● Range: A range of numeric values, such as TCP or UDP port number ranges. To specify the numeric range, use the notation number-number.

● Bit-field: Used to match specific bits in an IP packet, such as TCP flags and the fragment flag.

● MAC: 6-byte hardware address.

Figure 74: ACL Policy File

Figure 75: ACL Policy File Match Conditions

ACL Policy Syntax and Example

This example policy file (Figure 76) contains two rule entries. The first entry denies all UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range 1200 to 1250. The second entry denies ICMP echo request packets from the 10.203.134.0/24 subnet and increments the counter icmpcnt.

Apply ACL Policies and Display ACL Information

To apply an ACL policy, use the following command:

#configure access-list <aclname> [any | ports <portlist> | vlan <vlanname>] {ingress}

Supply <aclname> with the ACL policy name. If you use the any keyword, the ACL is applied to all interfaces and is referred to as the wildcard ACL. This ACL is evaluated for any ports without specific ACLs, and it is also applied to any packets that do not match the specific ACLs applied to the interfaces. If an ACL is already configured on an interface, the command is rejected and an error message displayed.

To remove an ACL from an interface, use the following command:

#unconfigure access-list {any | ports <portlist> | vlan <vlanname>} {ingress}

To see if a policy file is syntactically correct, use the following command:

#check policy <policy-name>

To display which interfaces have ACLs configured, and which ACL is on which interface, use the following command:

#show access-list

To display the ACL counters, use the following command:

#show access-list counter {<countername>} {any | ports <portlist> | vlan <vlanname>} {ingress}

To clear the access list counters, use the following command:

#clear access-list counter {<countername>} {any | ports <portlist> | vlan <vlanname>} {ingress}

When a policy file is changed (for example by adding or deleting an entry, or by adding, deleting or modifying a statement), the information in the policy database does not change until the policy is refreshed. You must refresh the policy so that the latest copy is used. When the policy is refreshed, the new policy file is read, processed, and stored in the server database, and any clients that use the policy are updated. Use the following command to refresh the policy:

#refresh policy <policy-name>

For ACL policies only, during the time that an ACL policy is refreshed, packets on the interface are blackholed by default. This protects the switch during the short time that the policy is being applied to the hardware, since an unwanted packet could otherwise be forwarded by the switch while the new ACL is being set up in the hardware. You can disable this behavior. To control the behavior of the switch during an ACL refresh, use the following commands:

#enable access-list refresh blackhole

#disable access-list refresh blackhole

Figure 76: ACL Policy Syntax and Example

Figure 77: Apply ACL Policies and Display ACL Information

ACL Rule Evaluation Process

Dynamic ACLs have a higher precedence than any ACLs applied using policy files. The precedence among dynamic ACLs is determined as they are configured.

Often an ACL will have a rule entry at the end of the ACL with no match conditions. This entry matches any packet not otherwise processed, so that the user can specify an action that overrides the default permit action.

Rule Types and Evaluation Precedence

Types of Rules:

An ACL is a policy file that contains one or more rules. In ExtremeWare XOS, each rule can be one of following types:

● L2 rule—a rule containing only Layer 2 (L2) matching conditions, such as Ethernet MAC address and Ethernet type.

● L3 rule—a rule containing only Layer 3 (L3) matching conditions, such as source or destination IP address and protocol.

● L4 rule—a rule containing both Layer 3 (L3) and Layer 4 (L4) matching conditions, such as TCP/UDP port number.

When an ACL file contains both L2 and L3/L4 rules on the BlackDiamond 10K:

● L3/L4 rules have higher precedence than L2 rules. L3/L4 rules are evaluated before any L2 rules.

● The precedence among L3/L4 rules is determined by their relative position in the ACL file. Rules are evaluated sequentially from top to bottom.

● The precedence among L2 rules is determined by their position in the ACL file. Rules are evaluated sequentially from top to bottom.

It is recommended that L2 and L3/L4 rules be grouped together for easy debugging.

For BD 8810 and Summit X450, rule precedence is solely determined by the rule’s relative order in the policy file. L2, L3, and L4 rules are evaluated in the order found in the file.

Figure 78: ACL Rule Evaluation Process on BlackDiamond10K

Figure 79: Rule Types and Evaluation Precedence

Rule Precedence Among Interface Types

Precedence among interface types:

1 Port-based ACL has highest precedence, followed by VLAN-based ACL and then the wildcard ACL.

2 If the ACL is configured on a port, the port-based ACL is evaluated first.

3 If the ACL is configured on the VLAN to which the port belongs, then VLAN-based ACL is evaluated next.

4 If the wildcard (“any”) ACL is configured, the wildcard ACL is evaluated last.

For example, physical port 1:2 is a member of VLAN yellow. The ACL evaluation is performed in the following sequence:

1 If the ACL is configured on port 1:2, the port-based ACL is evaluated and the evaluation ends.

2 If the ACL is configured on the VLAN yellow, the VLAN-based ACL is evaluated and the evaluation process terminates.

3 If the wildcard ACL is configured, the wildcard ACL is evaluated and evaluation process terminates.
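The interface precedence above, together with the per-platform rule ordering from the ACL Rule Evaluation Process section, as a Python model. This is an added example and not Extreme Networks code; the rule and packet dictionaries, port and VLAN names, and the treatment of a condition-less entry as an L3/L4 rule are constructed assumptions.

```python
"""ExtremeWare XOS ingress ACL evaluation order, modelled in Python.

Added example for this module; it is not Extreme Networks code.  It follows the
precedence statements in the text: dynamic ACLs before policy-file ACLs, then
port-based, VLAN-based and wildcard ("any") ACLs in that order, with the
wildcard ACL also applied to packets that match no specific ACL, and a default
of permit when nothing matches.  Inside one policy file the BlackDiamond 10K
evaluates L3/L4 rules before L2 rules; the BlackDiamond 8800 / Summit X450
evaluate strictly in file order.  All rules and packets below are constructed.

Rule:   {"name": str, "match": {condition: value}, "action": "permit" | "deny"}
Packet: {"ingress-port": "1:2", "vlan": "yellow", "source-address": "10.0.0.5", ...}
A CIDR string is used for source-/destination-address, a (low, high) tuple for
a numeric range, and any other value is compared case-insensitively.
"""
import ipaddress

ADDR_FIELDS = {"source-address", "destination-address"}
L2_FIELDS = {"ethernet-source-address", "ethernet-destination-address", "ethernet-type"}


def field_matches(field, wanted, actual):
    if actual is None:
        return False
    if field in ADDR_FIELDS:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    if isinstance(wanted, tuple):                  # e.g. destination-port 1200-1250
        return wanted[0] <= actual <= wanted[1]
    return str(wanted).lower() == str(actual).lower()


def rule_matches(rule, packet):
    # An entry with no match conditions (the usual trailing "default" entry) matches everything.
    return all(field_matches(f, v, packet.get(f)) for f, v in rule["match"].items())


def is_l2_rule(rule):
    fields = set(rule["match"])
    return bool(fields) and fields <= L2_FIELDS  # a catch-all is grouped with L3/L4 here (assumption)


def policy_order(rules, platform):
    """Evaluation order of the entries of ONE policy file on the given platform."""
    if platform == "bd10k":
        return [r for r in rules if not is_l2_rule(r)] + [r for r in rules if is_l2_rule(r)]
    return list(rules)                             # bd8800 / x450: file order


def first_match(rules, packet):
    return next((r for r in rules if rule_matches(r, packet)), None)


def evaluate(packet, config, platform="bd8800"):
    """Return (action, rule_name, which_acl) for one ingress packet.

    config = {"dynamic": [rules in configured precedence order],
              "ports": {portname: [policy rules]}, "vlans": {vlanname: [policy rules]},
              "any": [policy rules]}
    """
    candidates = [
        ("dynamic", config.get("dynamic", [])),
        ("port", policy_order(config.get("ports", {}).get(packet.get("ingress-port"), []), platform)),
        ("vlan", policy_order(config.get("vlans", {}).get(packet.get("vlan"), []), platform)),
        ("any", policy_order(config.get("any", []), platform)),
    ]
    for which, rules in candidates:
        hit = first_match(rules, packet)
        if hit is not None:
            return hit["action"], hit["name"], which
    return "permit", None, "default"


# Constructed sample configuration: a policy on port 1:2, one on VLAN yellow, a wildcard ACL
# and one dynamic ACL.  Note the L2 rule sits above an L3/L4 rule in the port policy.
CONFIG = {
    "dynamic": [{"name": "dacl1", "match": {"source-address": "10.1.1.1/32", "protocol": "icmp"}, "action": "deny"}],
    "ports": {"1:2": [
        {"name": "block-mac", "match": {"ethernet-source-address": "00:04:96:aa:bb:cc"}, "action": "deny"},
        {"name": "no-telnet", "match": {"protocol": "tcp", "destination-port": 23}, "action": "deny"},
    ]},
    "vlans": {"yellow": [{"name": "yellow-no-udp", "match": {"protocol": "udp"}, "action": "deny"}]},
    "any": [{"name": "any-block-10net", "match": {"source-address": "10.0.0.0/8"}, "action": "deny"}],
}

TELNET_FROM_MAC = {"ingress-port": "1:2", "vlan": "yellow", "ethernet-source-address": "00:04:96:AA:BB:CC",
                   "source-address": "192.168.1.10", "protocol": "tcp", "destination-port": 23}
UDP_ON_1_3 = {"ingress-port": "1:3", "vlan": "yellow", "source-address": "172.16.0.9", "protocol": "udp"}
HTTP_FROM_10NET = {"ingress-port": "1:2", "vlan": "yellow", "source-address": "10.2.3.4", "protocol": "tcp",
                   "destination-port": 80}
PING_FROM_10_1_1_1 = {"ingress-port": "1:2", "vlan": "yellow", "source-address": "10.1.1.1", "protocol": "icmp"}
HTTPS_ON_1_3 = {"ingress-port": "1:3", "vlan": "yellow", "source-address": "192.168.9.9", "protocol": "tcp",
                "destination-port": 443}

if __name__ == "__main__":
    print("BD8800:", evaluate(TELNET_FROM_MAC, CONFIG, "bd8800"))   # L2 rule first: block-mac
    print("BD10K: ", evaluate(TELNET_FROM_MAC, CONFIG, "bd10k"))    # L3/L4 rule first: no-telnet
    print("VLAN:  ", evaluate(UDP_ON_1_3, CONFIG))                  # no port ACL on 1:3, VLAN ACL decides
    print("any:   ", evaluate(HTTP_FROM_10NET, CONFIG))             # missed port and VLAN ACLs, wildcard
    print("dyn:   ", evaluate(PING_FROM_10_1_1_1, CONFIG))          # dynamic ACL beats the wildcard
    print("none:  ", evaluate(HTTPS_ON_1_3, CONFIG))                # nothing matched: default permit
```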

Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450 only

An ACL mask defines unique match criteria and relative rule precedence; masks are automatically generated based on the contents of an ACL policy. Only adjacent rules within the policy that have identical match criteria will use the same ACL mask, so list all rules with the same match criteria together unless relative precedence with other policy rules is required.

There are 16 ACL masks supported per port, 128 rules supported per Gigabit Ethernet port, and 1024 rules supported per 10 Gigabit Ethernet port. As you can see, it is important to conserve and carefully plan the use of ACL masks to avoid exhausting the masks available on the BD8800 and Summit X450 switches.

To display the number of masks and rules used by a particular port:

#show access-list usage [acl-mask | acl-rule] port <port>

Additionally, certain non-ACL features allocate ACL masks and use ACL rules in order to function. Here is a list by feature:

● dot1p examination—1 mask, 8 rules (default enabled)

● DiffServ examination—1 mask, 64 rules for 10G ports; 0 masks, 0 rules for 1G ports (default disabled)

● IGMP snooping—2 masks, 2 rules (default enabled)

● IP interface—2 masks, 2 rules (default disabled)

● VLAN QoS—1 mask, 1 rule per VLAN (default disabled)

● port QoS—1 mask, 1 rule (default disabled)

● VRRP—1 mask, 1 rule

● EAPS—1 master config + 1 transit config masks, 1 + number of transit-mode EAPS domains on the port rules

● ESRP—1 mask, 1 rule

● LLDP—1 mask, 1 rule

● Netlogin—1 mask, 1 rule

● IPv6—1 mask, 1 rule

Figure 80: Rule Precedence Among Interface Types

Figure 81: Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450

Conserving ACL Masks and Rules Examples

Here are some examples of the number of ACL masks used:

Sample_policy1.pol consumes three masks. However, since rule entries two and three have the same action, their relative precedence doesn't matter, and they could be swapped without affecting the results of the policy. Sample_policy2.pol accomplishes the same goal, but uses two masks.

The order of rule entries is important; different rule orders can have different meanings. In the second example, the only difference between sample_policy20.pol and sample_policy21.pol is that rule entries two and three are swapped. Sample_policy20.pol consumes three masks since there are no adjacent rules with the same match criteria. Sample_policy21.pol consumes two masks since rules one and three are now adjacent and have identical match criteria. However, these two policies have different meanings because of precedence: in sample_policy20, all telnet traffic is permitted; in sample_policy21, telnet traffic may be denied if it is from host 2.2.2.2.
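A small parser for the entry/if/then policy syntax used in this module, with a mask counter that applies the adjacency rule above. This is an added example, not Extreme Networks code; the two sample policies are constructed to fit the description of sample_policy20.pol and sample_policy21.pol, and "identical match criteria" is taken to mean the same set of condition fields.

```python
"""Parser for ExtremeWare XOS ACL policy text plus a mask counter for the
BlackDiamond 8800 / Summit X450 mask rule described above.

Added example, not Extreme Networks code.  Assumption used here: two entries
have "identical match criteria" when they test the same set of condition
fields (the values may differ); each run of adjacent entries with the same
field set consumes one mask.  The two sample policies are constructed to fit
the description of sample_policy20.pol and sample_policy21.pol in the text.
"""
import re

# Tokens: braces, semicolons, and any other run of non-space characters (1.1.1.1/32, tcp, 23 ...).
TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def _block(toks, i):
    """Parse '{ stmt; stmt; ... }' with toks[i] == '{'; return (list of statements, next index)."""
    if toks[i] != "{":
        raise ValueError(f"expected '{{' at token {i}, got {toks[i]!r}")
    i += 1
    stmts, cur = [], []
    while toks[i] != "}":
        if toks[i] == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(toks[i])
        i += 1
    if cur:                              # tolerate a missing ';' before the closing brace
        stmts.append(cur)
    return stmts, i + 1


def parse_policy(text):
    """Return the entries of a policy file in file order.

    Grammar handled:  entry <name> { if { <field> <value...>; ... } then { <action...>; ... } }
    Result per entry: {"name": str, "match": {field: value}, "actions": [[word, ...], ...]}
    """
    toks = TOKEN.findall(text)
    entries, i = [], 0
    while i < len(toks):
        if toks[i] != "entry" or toks[i + 2] != "{" or toks[i + 3] != "if":
            raise ValueError(f"malformed entry header at token {i}")
        name = toks[i + 1]
        conds, i = _block(toks, i + 4)
        if toks[i] != "then":
            raise ValueError(f"entry {name!r}: expected 'then'")
        actions, i = _block(toks, i + 1)
        if toks[i] != "}":
            raise ValueError(f"entry {name!r}: missing closing brace")
        i += 1
        entries.append({"name": name,
                        "match": {c[0]: " ".join(c[1:]) for c in conds},
                        "actions": actions})
    return entries


def count_masks(entries):
    """One mask per run of adjacent entries whose match criteria (field sets) are identical."""
    masks, previous = 0, None
    for entry in entries:
        criteria = frozenset(entry["match"])
        if criteria != previous:
            masks += 1
            previous = criteria
    return masks


SAMPLE_POLICY20 = """
entry trusted-host { if { source-address 1.1.1.1/32; } then { permit; count trusted; } }
entry allow-telnet { if { protocol tcp; destination-port 23; } then { permit; } }
entry block-host   { if { source-address 2.2.2.2/32; } then { deny; count blocked; } }
"""
# Same three entries with two and three swapped: trusted-host and block-host now sit next to
# each other with identical criteria (source-address), so the policy needs one mask less.
# The price is a different meaning: telnet from 2.2.2.2 now hits block-host before allow-telnet.
SAMPLE_POLICY21 = """
entry trusted-host { if { source-address 1.1.1.1/32; } then { permit; count trusted; } }
entry block-host   { if { source-address 2.2.2.2/32; } then { deny; count blocked; } }
entry allow-telnet { if { protocol tcp; destination-port 23; } then { permit; } }
"""


def mask_report(text):
    entries = parse_policy(text)
    return {"order": [e["name"] for e in entries], "masks": count_masks(entries)}


if __name__ == "__main__":
    print("sample_policy20:", mask_report(SAMPLE_POLICY20))   # 3 masks
    print("sample_policy21:", mask_report(SAMPLE_POLICY21))   # 2 masks
```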

Figure 82: Conserving ACL Masks and Rules Examples

Figure 83: Conserving ACL Masks and Rules Examples

Dynamic ACL

Dynamic ACLs are created using the CLI. They use a syntax similar to the ACL policy and can accomplish the same actions as single rule entries in ACL policy files. Once a dynamic ACL rule has been created, it can be applied to a port, a VLAN, or the wildcard any interface. More than one dynamic ACL can be applied to an interface. When the ACL is applied, you specify the precedence of the rule among the dynamic ACL rules.

Dynamic ACLs have a higher precedence than ACLs applied using a policy file.

Dynamic ACL Match Conditions and Actions

Match Conditions:

The match conditions for Dynamic ACLs are the same as those for ACL Policies.

Notice that, for protocol matching, you can either use the protocol name (such as ICMP) or the protocol number (such as 1 for ICMP).

Actions:

permit—the packet is forwarded.

deny—the packet is dropped.

The default action is permit, so if no action is specified in a rule entry, the packet is forwarded.

Figure 84: Dynamic ACL

Figure 85: Dynamic ACL Match Conditions and Actions

Dynamic ACL Action Modifiers

Action Modifiers:

Additional actions can also be specified, independent of whether the packet is dropped or forwarded. These additional actions are called action modifiers. Not all action modifiers are available on all switches, and not all are available for both ingress and egress ACLs. The action modifiers are:

count <countername>—increments the counter named in the action modifier (ingress only)

To count packets: When the ACL entry match conditions are met, the specified counter is incremented. The counter value can be displayed by the command:

#show access-list counter {<countername>} {any | ports <portlist> | vlan <vlanname>} {ingress | egress}

log—logs the packet header

To log packets: Packets are logged only when they go to the CPU, so packets in the fastpath are not automatically logged. You must use both the mirror-cpu action modifier and the log or log-raw action modifier if you want to log both slowpath and fastpath packets that match the ACL rule entry. Additionally, KERN:INFO messages are not logged by default. You must configure the EMS target to log these messages.

log-raw—logs the packet header in hex format.

meter <metername>—takes action depending on the traffic rate (BlackDiamond 8800 family and Summit X450 switches only).

To meter packets: BlackDiamond 8800 Family and Summit X450 Only—For the BlackDiamond 8800 family and Summit X450 switches, the meter <metername> action modifier associates a rule entry with an ACL meter. See the section, “ACL Metering—BlackDiamond 8800 Family and Summit X450 Only” on page 271 for more information.

mirror—sends a copy of the packet to the monitor (mirror) port (ingress only).

To mirror packets: You must enable port-mirroring on your switch. See the section, “Switch Port Mirroring” on page 130. If you attempt to apply a policy that requires port-mirroring, you will receive an error message if port-mirroring is not enabled.

mirror-cpu—mirrors a copy of the packet to the CPU in order to log it.

qosprofile <qosprofilename>—forwards the packet to the specified QoS profile (ingress only).

redirect <ipv4 addr>—forwards the packet to the specified IPv4 address (BlackDiamond 10K only).

To redirect packets: BlackDiamond 10K Only—Packets are forwarded to the IPv4 address specified, without modifying the IP header. The IPv4 address must be in the IP ARP cache, otherwise the packet is forwarded normally. Only fast path traffic can be redirected. You may want to create a static ARP entry for the redirection IP address, so that there will always be a cache entry.

replace-dot1p—replace the packet’s 802.1p field with the value from the associated QoS profile (BlackDiamond 10K ingress only).

replace-dscp—replace the packet’s DSCP or 802.1p field with the value from the associated QoS profile (BlackDiamond 10K ingress only). See Figure 86 for an example.

Figure 86: Dynamic ACL Action Modifiers

Configuring Dynamic ACL Rules and Examples

In contrast to the ACL policy file entries, dynamic ACLs are created directly in the CLI.

Use the following command to create a dynamic ACL:

#create access-list <dynamic-rule> <conditions> <actions>

You may specify multiple match conditions and actions to take. Multiple match conditions are separated by semicolons; multiple actions are also separated by semicolons.

Figures 87 and 88 demonstrate how to configure dynamic ACL rules.

Figure 87: Configuring Dynamic ACL Rules

Figure 88: Configuring Dynamic ACL Example

Hands-on Lab #1: Static ACL (ACL Policy)

Switch Configuration:

1 Create ACL rule entries in Notepad and save the file as “test”. The rules should prevent TCP connections from being established from the 10.10.20.0/24 subnet, but allow established connections to continue, and allow TCP connections to be established to that subnet. Permit all other packets and increment the counter default.

entry permit-established {
    if {
        source-address 10.10.20.0/24;
        protocol TCP;
        tcp-flags syn;
    } then {
        deny;
        count syn;
    }
}

entry default {
    if {
    } then {
        permit;
        count default;
    }
}

Save the above file as test.txt.

2 TFTP the test.txt file to the switch and rename it as test.pol, and verify the policy file syntax and integrity.

#tftp 192.168.1.2 -g -l test.pol -r test.txt

If your physical connection is through one of the data ports (instead of the Management port), use the command #tftp 192.168.1.2 -v vr-default -g -l test.pol -r test.txt (the same applies to the following labs).

#check policy test (do not use the .pol extension)

3 Apply test.pol policy file to all ports and interfaces.

#configure access-list test any

4 Verify by using command:

#show access-list counter

To use the built-in vi-like editor on the switch to create or edit a policy file, use the command:

#edit policy test.pol


Hands-on Lab #2: Static ACL (ACL Policy)

1 Create ACL rule entries in Notepad.

entry letgo {
    if {
        destination-address 192.20.1.0/24;
        source-address 192.10.1.0/24;
        protocol tcp;
        destination-port 23;
    } then {
        permit;
        count letgo;
    }
}

entry denyall {
    if {
    } then {
        deny;
        count denyall;
    }
}

Save the above file as class.txt.

2 TFTP the class.txt file to the switch and rename it as class.pol, and verify the policy file syntax and integrity.

#tftp 192.168.1.2 -g -l class.pol -r class.txt

#check policy class (do not use the .pol extension)

3 Apply the class.pol policy file to ports 2:1 through 2:5.

#configure access-list class ports 2:1-2:5

4 Verify by using command:

#show access-list


Hands-on Lab #3: Dynamic ACLs

Switch Configuration on BD10K:

#conf default delete port all

#create access-list dacl1 "source-address 1.1.2.100/32; protocol icmp" "deny; count c1"

#create access-list dacl2 "source-address 1.1.2.100/32" "permit; qosprofile qp8; count c2"

#config access-list add "dacl1" first ports 2:1-2:5 ingress

#config access-list add "dacl2" after dacl1 ports 2:1-2:5 ingress

#show access-list ports 2:1-2:5 ingress

Hands-on Lab #4: Dynamic ACLs

Switch Configuration:

#create access-list dacl1 "destination-address 192.168.1.1/24; protocol tcp" "count c1; redirect 192.168.1.100"

#create access-list dacl2 "destination-address 192.168.1.1/24" "deny; count c2"

#config access-list add "dacl1" first vlan v100

#config access-list add "dacl2" last vlan v100

Use the command #show access-list vlan v100 to verify the result.


Routing Policies

Routing policies:

● are used to control the advertisement or reception of routes using routing protocols

● may hide entire networks or trust specific sources for routes or ranges of routes

● may modify and filter routing information received and advertised by a switch

Figure 89: Routing Policies Overview

Routing Policy Syntax and Example

The policy file contains one or more policy rule entries. Each routing policy entry consists of:

1 A policy entry rule name, unique within the same policy.

2 Zero or one match type. If no type is specified, the match type is all, so all match conditions must be satisfied.

3 Zero or more match conditions. If no match condition is specified, every condition matches.

4 Zero or more actions. If no action is specified, the packet is permitted by default.

Routing Policy Rule Evaluation Process

Routing policy rule entries are evaluated in order, from the beginning of the file to the end, as follows:

1 If a match occurs, the action in the then statement is taken:

a if the action contains an explicit permit or deny, the evaluation process terminates.

b if the action does not contain an explicit permit or deny, then the action is an implicit permit, and the evaluation process terminates.

2 If a match does not occur, then the next policy entry is evaluated.

3 If no match has occurred after evaluating all policy entries, the default action is deny.

Extreme Security Fundamentals Rev3.0

Page 207: ESF_Rev3

Routing Policy Rule Evaluation Process

Internal Draft Only

Figure 90: Routing Policy Syntax and Example

Figure 91: Routing Policy Rule Evaluation Process


Routing Policy Match Conditions

There are two possible choices for the match type:

● match all—All the match conditions must be true for a match to occur. This is the default.

● match any—If any match condition is true, then a match occurs.

The slide on the right shows the possible policy entry match conditions.

Please note that these match conditions only apply to routing policies, not ACL policies. For ACL policies, there is only “match all”.
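The evaluation process and match types described in the two sections above, as an added example that is not ExtremeWare XOS code: policy entries are built as Python objects instead of being parsed from a .pol file, match conditions such as route-origin or nlri are compared as plain key/value pairs against a route dictionary, and the entry names and routes are constructed for the illustration.

```python
"""Evaluator for the routing-policy semantics described above (added
illustration, not ExtremeWare XOS code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    name: str                                    # unique within the policy
    match: str = "all"                           # "all" (the default) or "any"
    conditions: dict = field(default_factory=dict)
    actions: dict = field(default_factory=dict)  # "permit"/"deny" or e.g. {"cost": 10}


@dataclass
class Decision:
    entry: Optional[str]   # name of the entry that matched, None if none did
    permitted: bool
    route: dict            # route after the entry's action statements were applied


def check_policy(policy):
    """The checks a `check policy` run would report for this model: entry
    names must be unique and the match type must be all or any."""
    seen = set()
    for e in policy:
        if e.name in seen:
            raise ValueError(f"duplicate entry name {e.name!r}")
        if e.match not in ("all", "any"):
            raise ValueError(f"entry {e.name!r}: unknown match type {e.match!r}")
        seen.add(e.name)
    return True


def entry_matches(entry, route):
    if not entry.conditions:            # no conditions: every route matches
        return True
    results = [route.get(key) == want for key, want in entry.conditions.items()]
    return all(results) if entry.match == "all" else any(results)


def evaluate(policy, route):
    """First matching entry wins; a matched entry without an explicit
    permit/deny is an implicit permit; no match at all is a deny."""
    for entry in policy:
        if not entry_matches(entry, route):
            continue                     # rule 2: try the next entry
        new_route = dict(route)
        permitted = True                 # rule 1b: implicit permit
        for action, value in entry.actions.items():
            if action == "permit":
                permitted = True
            elif action == "deny":
                permitted = False
            else:
                new_route[action] = value   # attribute-setting action, e.g. cost 10
        return Decision(entry.name, permitted, new_route)   # rule 1: evaluation stops
    return Decision(None, False, dict(route))   # rule 3: default deny


# The lab's RouteRule entry (route-origin rip -> cost 10) followed by a
# constructed "match any" entry with an explicit deny.
LAB_POLICY = [
    Entry("RouteRule", conditions={"route-origin": "rip"}, actions={"cost": 10}),
    Entry("DropTest", match="any",
          conditions={"nlri": "192.168.100.0/24", "route-origin": "static"},
          actions={"deny": True}),
]

if __name__ == "__main__":
    check_policy(LAB_POLICY)
    for r in ({"nlri": "10.1.0.0/16", "route-origin": "rip", "cost": 1},
              {"nlri": "192.168.100.0/24", "route-origin": "ospf"},
              {"nlri": "172.16.0.0/12", "route-origin": "ospf"}):
        print(r["nlri"], evaluate(LAB_POLICY, r))
```

Note that a RIP route to 192.168.100.0/24 is permitted with cost 10, because RouteRule comes first and evaluation stops at the first match.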

Autonomous System (AS) Regular Expressions

The AS-path keyword uses a regular expression string to match against the autonomous system (AS) path. The top slide on the right lists the regular expressions that can be used in the match conditions for Border Gateway Protocol (BGP) AS path and community. The bottom slide explains the usage of each regular expression character.

Examples

The following AS-Path statement matches AS paths that contain only (begin and end with) AS number 65535:

as-path "^65535$"

The following AS-Path statement matches AS paths beginning with AS number 65535, ending with AS number 14490, and containing no other AS paths:

as-path "^65535 14490$"

The following AS-Path statement matches AS paths beginning with AS number 1, followed by any AS number from 2 - 8, and ending with either AS number 11, 13, or 15:

as-path "^1 2-8 [11 13 15]$"

The following AS-Path statement matches AS paths beginning with AS number 111 and ending with any AS number from 2 - 8:

as-path "111 [2-8]$"

The following AS-Path statement matches AS paths beginning with AS number 111 and ending with any additional AS number, or beginning and ending with AS number 111:

as-path "111.?"


Figure 92: Routing Policy Match Conditions

Figure 93: Autonomous System (AS) Regular Expressions


Routing Policy Action Statements

The slide on the right shows a list of routing policy action statements.

Applying Routing Policies

To apply a routing policy, use the command appropriate to the client. Different routing protocols support different ways to apply policies, but there are some generalities.

Policies applied with commands that use the keyword “import-policy” control the routes imported to the protocol from the switch routing table. The following are examples for the BGP and RIP protocols:

#configure bgp import-policy [<policy-name> | none]

#configure rip import-policy [<policy-name> | none]

Commands that use the keyword “route-policy” control the routes advertised or received by the protocol. For BGP and RIP, here are some examples:

#configure bgp neighbor [<remoteaddr> | all] {address-family [ipv4-unicast | ipv4-multicast]} route-policy [in | out] [none | <policy>]

#configure bgp peer-group <peer-group-name> route-policy [in | out] [none | <policy>]

#configure rip vlan [<vlan-name> | all] route-policy [in | out] [<policy-name> | none]

Other examples of commands that use route policies include:

#configure ospf area <area-identifier> external-filter [<policy-map> |none]

#configure ospf area <area-identifier> interarea-filter [<policy-map> | none]

#configure rip vlan [<vlan-name> | all] trusted-gateway [<policy-name> | none]

To remove a routing policy, use the none option in the command.


Figure 94: Routing Policy Action Statements

Figure 95: Applying Routing Policies


Hands-on Lab #5: Routing Policies

Switch Configuration:

1 Create a rule entry by using any text editor (each match condition and action statement ends with a semicolon):

entry RouteRule {
    if match all {
        route-origin rip;
    } then {
        cost 10;
    }
}

Save the file as RouteRule.txt

2 TFTP the file to the switch, and rename it as RouteRule.pol. Verify the policy file syntax and integrity.

#tftp 192.168.1.2 -g -r RouteRule.pol

#check policy RouteRule

3 Apply RouteRule.pol policy file to all VLANs.

#configure rip vlan all route-policy RouteRule.pol in


Module 5 Denial of Service Attacks and Countermeasures

ExtremeWare Security Fundamentals Student Guide Rev. 3.0 1


Student Objectives

Upon completion of this module, the successful student is able to:

● Describe DoS attacks

● Describe two common DoS attack modes

● Describe at least five different types of DoS attacks

● Describe DoS countermeasures

● Describe IP broadcast forwarding

● Configure IP broadcast forwarding

● Describe DoS-Protect

● Sequence the steps required to implement DoS-Protect

● Configure DoS-Protect

● Verify DoS-Protect

● Troubleshoot DoS-Protect

● Identify appropriate actions to take during a DoS attack


Figure 1: Student Objectives

Figure 2: Student Objectives (cont)


What are DoS Attacks?

A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed and rendered inoperative in a way that legitimate requests for service cannot succeed. In its simplest form, a Denial of Service attack is indistinguishable from normal heavy traffic. There are some operations in any switch or router that are more costly than others, and although normal traffic is not a problem, exception traffic must be handled by the switch's CPU in software.

Some packets that the switch processes in the CPU software include:

● Learning new traffic (BlackDiamond 10K switch only; the BlackDiamond 8800 family of switches and the Summit X450 switch learn in hardware)

● Routing and control protocols including ICMP, BGP, OSPF, STP, EAPS, ESRP, and so forth

● Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, and so forth)

● Other packets directed to the switch that must be discarded by the CPU

If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets requiring costly processing.


Figure 3: What are DoS Attacks?

Figure 3 slide text:

● Objective to overwhelm systems with bogus or defective network traffic

● Potential to take network systems offline

● Can cost companies millions in damages


Two Common DoS Attack Modes

Asymmetrical

Some DoS attacks can be executed with limited resources against a large, sophisticated web site network. This type of attack is sometimes called an asymmetric attack because a hacker with an old PC and a slow modem attempts to crash an advanced computer system that has lots of resources.

One of the earlier defenses against asymmetrical based DoS attacks was to monitor the traffic volume from a single source and to block traffic if a suspiciously high volume was detected.

Distributed

Distributed DoS attack tools were written to evade asymmetrical countermeasures. Using a wide array of individual computers that have been maliciously hijacked, DoS traffic from different IP addresses simultaneously targets the intended system. Freely available distributed DoS attack tools include Trinoo, Tribal Flood Network, mstream, and Stacheldraht.


Figure 4: Two Common DoS Attack Modes


Different Types of DoS Attacks

Teardrop Attacks (aka Newtear, Syndrop, Boink, Jolt)

Target the IP mechanisms involved in the reassembly of packets. In normal packet fragments, each fragment looks like the original IP packet with the exception of an offset field that specifies which bytes of the original packet are included, enabling the receiving system to reassemble all of the data in the proper sequence. A teardrop attack creates packet fragments with false, overlapping offset fields that make it impossible to reassemble the altered fragments, causing the PC system to crash or reboot.

Oversized Packet Attacks (aka Ping of Death)

Sometimes referred to as "ping of death" attacks, oversized packet attacks exploit a known bug in some TCP/IP implementations by sending packets that exceed the maximum 65,535 bytes of data allowed by the IP specification. When it first emerged, this type of attack caused crashes, hangs, or reboots in affected systems. However, most operating system vendors have now addressed this issue.

Martian Attacks

Use invalid IP source and/or IP destination addresses to overwhelm a router; data packets accumulate in the router, causing the system to crash or reboot.

Other Common DoS Attacks

UDP flood attacks take advantage of UDP mechanisms by creating bogus UDP connections. When a connection is established between two UDP services, each of which produces output, the combined effect can produce a high number of packets, resulting in DoS to legitimate users. Octopus attacks attempt to open as many TCP sockets on a remote host as it will allow, aiming to overwhelm the remote host. Winfreeze attacks take advantage of a device that allows ICMP redirect packets to modify its routing table.


Figure 5: DoS Attack Types

Figure 5 slide text, DoS attack types: SYN-ACK attack or TCP-SYN flooding, teardrop attacks, smurf attacks, oversized packet attacks, martian attacks, other.


TCP-SYN Flood example

SYN-ACK Attacks or TCP-SYN Flooding (aka Syn4, Neptune, Land, Stream)

Exploit the TCP/IP 3-way handshake process. By only initiating the SYN and never responding to the server's SYN-ACK, this attack forces a server to store huge numbers of half-open connections in its backlog queue. This creates data overflow and may disable the server's CPU.


Figure 6: TCP-SYN Flood Example

Figure 6 slide text, TCP SYN flood example:

1. TCP SYN from 10.10.10.1 to 10.10.10.2

2. Change address from 10.10.10.1 to 20.20.20.1

3. TCP SYN, ACK from 10.10.10.2 to 10.10.10.1 (no longer there)

4. TCP SYN from 20.20.20.1 to 10.10.10.2

5. Change address from 20.20.20.1 to 30.30.30.1

6. TCP SYN, ACK from 10.10.10.2 to 20.20.20.1 (no longer there)


DoS Attack Countermeasures

DoS attack countermeasures should be deployed at all levels across the inter-networking infrastructure, including taking specific actions at the LAN level and addressing issues at the network transport level.

At the LAN level, system administrators can take a number of preventive measures to guard against the disabling effects of DoS attacks. These preventive measures range from maintaining solid overall administrative and security procedures to implementing specific safeguards targeted at countering each of the various types of DoS attacks.

While it is virtually impossible to completely eliminate spoofing of IP packets, system administrators can effectively reduce the risk of internally launched spoofed IP attacks by instituting filtering actions that restrict the flow of data input if they have source addresses from within the internal network. In addition, administrators can reduce the risk of being used as an intermediary in spoofed IP DoS attacks by installing filters to restrict the external flow of IP packets with source addresses that do not originate within the internal network.

Basic DoS Countermeasures

● Ingress address filtering: At the router level, ensure incoming packets from the local network segment have an IP address that matches the local network's IP NETID. This scheme will not eliminate all address spoofing attacks, but it will cut down on the vast majority of them.

● Prevent broadcast amplification: Block any inbound traffic addressed to the broadcast address, stopping broadcast amplification.

● Turn off unused TCP and UDP services: Most systems come with more services enabled by default than are actually used. By shutting off unnecessary services, their ports are no longer accessible from the outside. This protection must be applied on a server-by-server basis.

● ACL entries: Prevent IP address spoofing

● IP Broadcast forwarding: Disable this feature

● ExtremeWare XOS DoS-Protect feature: Enable this feature

Network Transport Level Issues

While actions taken by LAN administrators are key to laying the groundwork for preventing and combating DoS attacks, they must also be supplemented by comprehensive countermeasures instituted at the network transport level. These network transport issues fall into two categories:

● Actively policing data flows to identify DoS attacks and protect users and subnets against their impacts

● Protecting the infrastructure’s equipment to ensure resiliency against DoS attacks.


Figure 7: DoS Attack Countermeasures


IP Broadcast Forwarding Control

Because some DoS attacks are based on routing policies, it is important to maintain tight controls over basic policy disciplines such as IP broadcast forwarding controls and ICMP and IP response options.

IP Forwarding Broadcast

IP forwarding must be enabled before IP broadcast forwarding can be enabled. When IP broadcast forwarding is enabled, your network can be used as a broadcast amplification site that floods other networks with DoS attacks such as the smurf attack. Controlling ICMP distribution on a per-type, per-VLAN basis restricts the success of tools that can be used to find application, host, or topology information.

To disable the IP forwarding broadcast, enter the following command:

disable ipforwarding broadcast

ICMP Unreachable Message

When a packet cannot be forwarded to its destination because the route or host is unreachable, an unreachable message is generated. If the switch is overwhelmed with unreachable routes or hosts, the unreachable messages will slow down switch CPU performance. The default setting for ICMP network unreachable messages is enabled.

To disable the generation of ICMP network unreachable messages (type 3, code 0) and host unreachable messages (type 3, code 1), enter the following command:

disable icmp unreachables {vlan <name>}

ICMP Port Unreachable Message

When a TCP or UDP request is made to the switch and no application is waiting for the request, or an access policy denies the request, an ICMP port unreachable message (type 3, code 3) is generated.

To disable the generation of ICMP port unreachable messages (type 3, code 3), enter the following command.

disable icmp port-unreachables {vlan <vlan name>}

ICMP Use Redirects

To disable the modification of route table information when an ICMP redirect message is received, enter the following command (the default setting is disabled):

disable icmp useredirects


Figure 8: IP Broadcast Forwarding Control


DoS-Protect

DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue. When a flood of CPU-bound packets reaches the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, these headers are analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the CPU. This ACL remains in place to provide relief to the CPU. Periodically, the ACL expires, and if the attack is still occurring, it is re-enabled. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue other services.

DoS Protection will send a notification when the notify threshold is reached.

You can also specify some ports as trusted ports, so that DoS protection will not be applied to those ports.


Figure 9: DoS-Protect


How CPU-DoS-Protect Works

CPU DoS Protection is designed to prevent degraded CPU performance by attempting to characterize the problem and filter out the offending traffic so that other network functions can continue.

1 When a flood of packets is received by the switch, CPU DoS protection counts the incoming packets.

2 When the suspicious packet count nears a specified threshold, packet headers are saved.

3 When the threshold is reached, headers are analyzed.

4 A hardware access control list is created to limit the flow of these packets to the CPU; the ACL remains in place to provide relief to the CPU.

5 Periodically, the ACL will expire, and if the attack is still occurring, it is re-enabled.

6 With the ACL in place, the CPU will have the cycles to process legitimate traffic and continue normally.


Figure 10: How CPU-DoS-Protect Works


Implementing DoS-Protect

To properly implement DoS-Protect, you need to enable the simulated mode, configure the DoS-Protect parameters, and then enable DoS-Protect.

Simulated Mode

A conservative and safe way to deploy DoS Protection is to use the simulated mode first to determine the traffic thresholds. In simulated mode, DoS Protection is enabled, but no ACL is generated and no traffic is discarded, so legitimate traffic is never blocked. Examples of legitimate situations that generate heavy CPU-bound traffic include:

● Route Loss

During this period, the switch may receive lots of routing updates that cause heavy traffic.

● Configuration or Image Upload/Download

To enable the simulated mode, enter the following command:

enable dos-protect simulated


Figure 11: Implementing CPU-DoS-Protect

Figure 11 slide text, implementing DoS-Protect:

1 Learn your network data streams:

enable dos-protect simulated

2 Configure the DoS-Protect parameters:

configure dos-protect type l3-protect alert-threshold <packets>

configure dos-protect type l3-protect notify-threshold <packets>

3 Configure trusted ports (optional):

configure dos-protect trusted-ports ports <ports>

4 Enable DoS-Protect:

enable dos-protect


Configuring Denial of Service Protection

Specifying DoS Protect Parameters

After enabling DoS protection, the switch will count the packets handled by the CPU and periodically evaluate whether to send a notification and/or create an ACL to block offending traffic. You can configure a number of the values used by DoS protection if the default values are not appropriate for your situation. The values that you can configure are:

● interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)

● alert threshold—The number of packets received in an interval that will generate an ACL (default: 4000 packets)

● notify threshold—The number of packets received in an interval that will generate a notice (default: 3500 packets)

● ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5 seconds)

To configure the interval at which the switch checks for DoS attacks, enter the following command:

configure dos-protect interval <seconds>

To configure the alert threshold, enter the following command:

configure dos-protect type l3-protect alert-threshold <packets>

To configure the notification threshold, enter the following command:

configure dos-protect type l3-protect notify-threshold <packets>

To configure the ACL expiration time, enter the following command:

configure dos-protect acl-expire <seconds>

Configuring Trusted Ports

Traffic from trusted ports is ignored when DoS protect counts the packets to the CPU. If you know that a machine connected to a certain port on the switch is a safe, "trusted" machine and that you will not get a DoS attack from it, the port to which this machine is connected can be configured as a trusted port, even though a large amount of traffic is going through this port.

To configure the trusted ports list, enter the following command:

configure dos-protect trusted-ports [ports [<ports> | all] | add-ports [<ports-to-add> | all] | delete-ports [<ports-to-delete> | all] ]

Enabling or Disabling DoS Protection

To enable or disable DoS protection, enter the following commands:

enable dos-protect

disable dos-protect


Figure 12: DoS-Protect Parameters Default Values


Verifying DoS-Protect Settings

Displaying CPU-DoS-Protect Settings

To display the CPU-DoS-Protect settings and the status of the CPU-DoS-Protect generated access list, enter the following command:

show dos-protect {detail}


Figure 13: Displaying DoS-Protect Settings


Troubleshooting CPU-DoS-Protect

Useful Information from the Show cpu-dos-protect Command

During an attack, you can view the status of CPU-DoS-Protect with the show cpu-dos-protect command. This command shows how long the ACL will remain active. Once the timer expires, the ACL is deleted, and monitoring of slow-path packets continues.

If the attack is ongoing and the flow of slow-path packets stays constantly above the threshold, the ACL is recreated over and over again.

Determining the IP Destination Address

During a DoS attack the CPU is flooded with slow-path packets, and CPU-DoS-Protect detects the flood exceeding the configured threshold. The ACL requires a destination IP address, so the switch saves packet headers and uses the source (ingress) port combined with the destination IP of the majority of packets (at least 33% of the last 50 packets must go to the same IP address) before it considers that IP address the destination of the attack.
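The counting, threshold, trusted-port, simulated-mode and ACL-expiry behaviour from the DoS-Protect sections above, together with the destination-selection rule just described, as an added model that is not ExtremeWare XOS code. It keeps the guide's defaults (interval 1 second, notify 3500, alert 4000, ACL expiry 5 seconds); the Packet type, the event strings (shaped after the guide's syslog lines) and the assumption that saved headers are reset each interval are constructed for the example.

```python
"""Model of the DoS-Protect logic described in this module (added
illustration, not ExtremeWare XOS code)."""
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    port: str        # ingress physical port, e.g. "1:1"
    src_mac: str
    dst_ip: str


@dataclass
class DosProtect:
    alert_threshold: int = 4000    # packets per interval that create an ACL
    notify_threshold: int = 3500   # packets per interval that send a notice
    acl_expire: int = 5            # intervals (seconds) an ACL stays in place
    trusted_ports: set = field(default_factory=set)
    simulated: bool = False        # "enable dos-protect simulated": count, never block
    sample_size: int = 50          # headers kept once the count nears the threshold
    majority: float = 0.33         # share of saved headers that must share a destination
    acl: dict = field(default_factory=dict)   # (port, dst_ip) -> intervals remaining
    _headers: deque = field(init=False, default=None)

    def __post_init__(self):
        self._headers = deque(maxlen=self.sample_size)

    def best_guess(self):
        """Destination IP present in at least `majority` of the saved headers,
        with the most common ingress port and source MAC among packets to it;
        None when no destination dominates (so no ACL can be built)."""
        if not self._headers:
            return None
        dst_ip, hits = Counter(p.dst_ip for p in self._headers).most_common(1)[0]
        if hits / len(self._headers) < self.majority:
            return None
        to_victim = [p for p in self._headers if p.dst_ip == dst_ip]
        port, _ = Counter(p.port for p in to_victim).most_common(1)[0]
        mac, _ = Counter(p.src_mac for p in to_victim).most_common(1)[0]
        return port, mac, dst_ip

    def tick(self, packets):
        """Evaluate one interval of CPU-bound packets; returns the events raised."""
        events = []
        # Age the dynamic ACLs. An expired ACL is removed; if the flood is still
        # present, the counting below re-creates it in this same interval.
        for key in list(self.acl):
            self.acl[key] -= 1
            if self.acl[key] <= 0:
                del self.acl[key]
                events.append("DOSprotect timeout: remove ACL block from PhysPorts "
                              f"{key[0]} to {key[1]}")
        count = 0
        self._headers.clear()   # modelling assumption: headers are per interval
        for p in packets:
            if p.port in self.trusted_ports:
                continue                          # trusted ports are never counted
            if not self.simulated and (p.port, p.dst_ip) in self.acl:
                continue                          # hardware ACL keeps it off the CPU
            count += 1
            if count >= self.notify_threshold:    # nearing the alert threshold
                self._headers.append(p)           # save headers for analysis
        if count >= self.notify_threshold:
            events.append(f"DOSprotect notice: this second: raw packets to cpu: {count}")
        if count >= self.alert_threshold:
            guess = self.best_guess()
            if guess is None:
                events.append("DOSprotect: threshold exceeded but no destination reached "
                              f"{int(self.majority * 100)}% of saved headers; no ACL")
            else:
                port, mac, dst_ip = guess
                events.append("DOSprotect: possible Denial-of-Service: best guess origin: "
                              f"physport {port} mac {mac} to {dst_ip}")
                if self.simulated:
                    events.append("DOSprotect simulated: would create ACL block from "
                                  f"PhysPorts {port} to {dst_ip}")
                elif (port, dst_ip) not in self.acl:
                    self.acl[(port, dst_ip)] = self.acl_expire
                    events.append("DOSprotect: create ACL block from PhysPorts "
                                  f"{port} to {dst_ip}")
        return events


if __name__ == "__main__":
    # Constructed flood: 4002 packets/second from port 1:1 to one destination.
    flood = [Packet("1:1", "00:50:70:50:26:a6", "10.201.30.29")] * 4002
    dp = DosProtect(trusted_ports={"2:1"})
    for second in range(7):
        print(second, dp.tick(flood), dp.acl)
```

Running the stand-alone part shows the ACL created in second 0, the flood kept off the CPU for five seconds, and the ACL removed and immediately re-created in second 5.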

Local Syslog File

The switch's internal syslog receives DoS-Protect messages when logging is turned on. Local logging also records these messages, keeping a maximum of 1000 entries on a FIFO basis.

To view the content of locally logged messages, enter the following command:

show log

Remote Syslog File

You can also configure the switch to send syslog messages to your PC workstation. You need to install 3Com's 3CDaemon on your PC workstation to serve as the syslog server. After starting 3CDaemon on the PC workstation and selecting the syslog server option, configure the switch to add the PC workstation as a syslog server by entering the following commands:

configure syslog add <ip address pc> local7

enable syslog

NOTE

There are many 3rd party syslog utilities that help analyze and organize syslog files. Use of syslog analytical tools allows you to search and analyze the data you specify. For example, you can just search for CPU-DoS-Protect related log entries.


Figure 14: Troubleshooting CPU-DoS-Protect

Figure 14 slide text, troubleshooting dos-protect:

show log

10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0

10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29

10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29

10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29
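The kind of CPU-DoS-Protect log search the note above recommends, as an added example that is not an Extreme Networks tool: it parses the four DOSprotect message shapes visible in the show log output and summarises ACL churn per ingress port and destination. SAMPLE_LOG repeats the guide's four lines and adds two constructed lines (timestamp 11:42.20) so the summary shows an ACL being re-created while the attack persists.

```python
"""Parser and summariser for DOSprotect syslog lines (added illustration,
not an Extreme Networks tool)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}\.\d{2}) "
    r"<(?P<level>\w+):(?P<module>\w+)> (?P<msg>DOSprotect.*)$")

# One pattern per message shape seen in the guide's `show log` output.
MESSAGE_RES = {
    "notice": re.compile(r"^DOSprotect notice: this second: raw packets to cpu: "
                         r"(?P<pkts>\d+) dropped in software: (?P<dropped>\d+)"),
    "create": re.compile(r"^DOSprotect: create ACL block from PhysPorts "
                         r"(?P<port>\S+) to (?P<dst>\S+)"),
    "guess": re.compile(r"^DOSprotect: possible Denial-of-Service: best guess origin: "
                        r"physport (?P<port>\S+) mac (?P<mac>\S+) to (?P<dst>\S+)"),
    "remove": re.compile(r"^DOSprotect timeout: remove ACL block from PhysPorts "
                         r"(?P<port>\S+) to (?P<dst>\S+)"),
}

# The guide's four lines, followed by two constructed lines at 11:42.20.
SAMPLE_LOG = """\
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29
10/07/2003 11:42.20 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 5120 dropped in software: 0
10/07/2003 11:42.20 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
"""


def parse_line(line):
    """Return a dict for a DOSprotect line, or None for any other log line.
    Unrecognised DOSprotect messages are kept with kind "unknown"."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "kind": "unknown", "msg": m["msg"]}
    for kind, rx in MESSAGE_RES.items():
        mm = rx.match(m["msg"])
        if mm:
            rec["kind"] = kind
            rec.update({k: int(v) if v.isdigit() else v for k, v in mm.groupdict().items()})
            break
    return rec


def summarize(log_text):
    """Peak CPU-bound packet rate plus, per (ingress port, destination IP): how
    often an ACL was created, whether one is still active at the end of the
    log, and the source MACs the switch blamed."""
    blocks = defaultdict(lambda: {"created": 0, "active": False, "macs": set()})
    peak = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "notice":
            peak = max(peak, rec["pkts"])
        elif rec["kind"] == "create":
            block = blocks[(rec["port"], rec["dst"])]
            block["created"] += 1
            block["active"] = True
        elif rec["kind"] == "remove":
            blocks[(rec["port"], rec["dst"])]["active"] = False
        elif rec["kind"] == "guess":
            blocks[(rec["port"], rec["dst"])]["macs"].add(rec["mac"])
    return {"peak_pps": peak, "blocks": dict(blocks)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```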


Actions to Take When Under DoS Attack

1 Verify CPU-DoS-Protect is enabled by viewing the log file.

show log

2 Check CPU utilization. tbgTask parameter is the idle task. A tbgTask value of 96% means the CPU load is 4%.

top

3 Check your IPARP statistics for incomplete IPARP entries.

show iparp

4 Check your ICMP statistics; rapid increments of ICMP messages can indicate an attack.

show ipstat

5 Check your ACL hit count to help determine the attack direction.

show access-list(-monitor)

References: DoS Threats and Countermeasures

http://www.cert.org

Computer Emergency Response Team website maintained by the Carnegie Mellon University.

http://www.rfc-editor.org/

Request for Comments (RFC) documents are accessible here.


Figure 15: Actions to Take When Under DoS Attack


Summary

You should now be able to:

● Describe DoS attacks

● Describe two common DoS attack modes

● Describe at least five different types of DoS attacks

● Describe DoS countermeasures

● Describe IP broadcast forwarding

● Configure IP broadcast forwarding

● Describe DoS-Protect

● Sequence the steps required to implement DoS-Protect

● Configure DoS-Protect

● Verify DoS-Protect

● Troubleshoot DoS-Protect

● Identify appropriate actions to take during a DoS attack


Figure 16: Summary

Figure 17: Summary

Module 6 Port and MAC Address Security


Student Objectives

Upon completion of this module, the successful student is able to:

● Describe the Forwarding Database (FDB)

● Identify four FDB types

● List two types of port address security

● Describe limit-learning

● Configure limit-learning

● Identify configuration guidelines when implementing limit-learning on ESRP ports

● Troubleshoot limit-learning

● Describe lock-learning

● Configure lock-learning

● Troubleshoot lock-learning

● Disable MAC Address Learning

● List guidelines when enabling or disabling egress flooding

● Enable and disable egress flooding on the BlackDiamond 8800 family of switches and the Summit X450 only

● Enable and disable egress flooding on the BlackDiamond 10K switch only

● Configure a Layer 3 blackhole


Figure 1: Student Objectives

Figure 2: Student Objectives (cont)


MAC-Based Security

MAC-based security allows you to control the way the FDB is learned and populated. By managing entries in the FDB, you can block and control packet flows on a per-address basis.

MAC-based security allows you to limit the number of dynamically-learned MAC addresses allowed per virtual port. You can also “lock” the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port.

Using ACLs, you can also prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN.

Forwarding Database (FDB)

The switch maintains a database of all MAC addresses received on all of its ports. The database (bridge table) is called the Forwarding Database (FDB). The switch uses the information in the FDB to decide whether a frame should be forwarded or filtered. Frames destined for devices that are not in the FDB are flooded to all ports within the VLAN.

Each FDB entry consists of:

● MAC address of the device

● identifier for the port on which it was received

● identifier for the VLAN to which the device belongs

Figure 3: MAC-Based Security

Figure 4: Forwarding Database (diagram: FDB entry components MAC Address, Port Identifier, VLAN Identifier)

FDB Entry Types

FDB entries may be dynamic or static, and the entries may be permanent or non-permanent. The following describes the types of entries that can exist in the FDB:

● Dynamic entries—A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information. The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the database are dynamic, except for certain entries created by the switch at boot-up.

Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. Dynamic entries are flushed and relearned (updated) when any of the following take place:

■ A VLAN is deleted.

■ A VLAN identifier (VLANid) is changed.

■ A port mode is changed (tagged/untagged).

■ A port is deleted from a VLAN.

■ A port is disabled.

■ A port enters blocking state.

■ A port goes down (link down).

● A non-permanent dynamic entry is initially created when the switch identifies a new source MAC address that does not yet have an entry in the FDB. The entry may then be updated as the switch continues to encounter the address in the packets it examines. These entries are identified by the “d” flag in show fdb output.

Dynamic entries age—that is, a dynamic entry is removed from the FDB (aged-out) if the device does not transmit for a specified period of time (the aging time). This aging process prevents the FDB from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. The aging time is configurable.

● Static entries—A static entry does not age and does not get updated through the learning process. A static entry is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries.

A locked static entry is an entry that was originally learned dynamically, but has been made static (locked) using the MAC address lock-down feature. It is identified by the “s,” “p,” and “l” flags in show fdb output and can be deleted using the delete fdbentry command.

If the FDB entry aging time is set to zero, all entries in the database are considered static, non-aging entries. This means that the entries do not age, but they are still deleted if the switch is reset.

NOTE

On the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch, if the same MAC address is detected on another virtual port that is not defined in the static FDB entry for the MAC address, that address is handled as a blackhole entry.

● Permanent entries—Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. Permanent entries must be created by the system administrator through the CLI. Permanent entries are static, meaning they do not age or get updated.

Figure 5: FDB Entry Types (diagram: Dynamic, Non-Permanent Dynamic, Static, Locked Static, Permanent)

Port Address Security

The switch maintains a database of all media access control (MAC) addresses received on all of its ports. The switch uses the information in this database to decide whether a frame should be forwarded or filtered. MAC address security allows you to control the way the Forwarding Database (FDB) is learned and populated.

● Limit-Learning: Limit the number of dynamically learned MAC addresses allowed per virtual port

● Lock-Learning: Lock the FDB entries on a virtual port, so the FDB entries will not change and no additional addresses can be learned

A “virtual port” is the switch index ID for the combination of a physical port and a VLAN (one physical port's membership in one VLAN).

Port address security is not foolproof because it is possible for end-users to alter their PC’s MAC address and assume the MAC-level identity of another computer (known as spoofing).

NOTE

You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.

Figure 6: Port Address Security

Limiting Dynamic MAC Addresses

You can set a predefined limit on the number of dynamic MAC addresses that can participate in the network. After the FDB reaches the MAC limit, all new source MAC addresses are blackholed at both the ingress and egress points. These dynamic blackhole entries prevent the MAC addresses from learning and responding to Internet Control Message Protocol (ICMP) and Address Resolution Protocol (ARP) packets.

The limit-learning feature lets the network administrator control the number of MAC addresses per physical port within a VLAN (a “virtual port”).

By limiting the number of MAC addresses per virtual port, you can:

● block rogue networks from being added to the corporate backbone

● prevent a user from adding their own devices (e.g., printer, IP phone) to the network

● keep foreign switches and illegal wireless snooping devices off the infrastructure

NOTE

Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.

Figure 7: Limiting Dynamic MAC Addresses (diagram labels: FDB with MAC 1, MAC 2, ..., MAC n; limit; more MAC addresses are not allowed and will be blackholed)

Limit-Learning: How Does it Work?

When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and egress points. This prevents these MAC addresses from learning and responding to Internet Control Message Protocol (ICMP) and Address Resolution Protocol (ARP) packets.

Once the configured MAC limit is reached:

● the switch still learns new MAC addresses

● the switch creates a blackhole FDB entry for each of them

● the entry's flag is “Bb”: B - egress blackhole, b - ingress blackhole

● blackholed packets are dropped in the hardware ASIC

● the FDB aging timer applies to blackhole entries

For ports that have a learning limit in place, the following traffic will still flow to the port:

● Packets destined for permanent MAC addresses and other non-blackholed MAC addresses

● Broadcast traffic from non-blackholed MAC addresses

● EDP traffic

Dynamically learned entries still age and can be cleared. When entries are cleared or aged out after the learning limit has been reached, new entries can be learned until the limit is reached again.

Figure 8: Limit-Learning: How Does it Work?

Configuring Limit-Learning

Adding MAC Address Limit-Learning

To limit the number of dynamic MAC addresses that can participate in the network, enter the following command:

configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]

This command specifies the number of dynamically-learned MAC entries allowed for these ports in this VLAN. The range is 0 to 500,000 addresses.

When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and egress points. This prevents these MAC addresses from learning and responding to ICMP and ARP packets.

Dynamically learned entries still get aged and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again.

Permanent static and permanent dynamic entries can still be added and deleted using the create fdbentry and delete fdbentry commands. These override any dynamically learned entries.

For ports that have a learning limit in place, the following traffic still flows to the port:

● Packets destined for permanent MAC addresses and other non-blackholed MAC addresses

● Broadcast traffic

● EDP traffic

Traffic from the permanent MAC and any other non-blackholed MAC addresses still flows from the virtual port.

Removing MAC Address Limit-Learning

To remove the learning limit, type the following command:

configure ports <portlist> vlan <vlan name> unlimited-learning

Creating and Deleting FDB Entries

Limit-learning only applies to dynamic FDB entries; permanent FDB entries are NOT affected by the MAC limit. Permanent static and permanent dynamic entries can still be created and deleted using the respective commands:

create fdbentry

delete fdbentry

These commands also apply to any dynamically learned FDB entries.

Figure 9: Adding MAC Address Limit-Learning

Figure 10: Limit-Learning Commands

Limiting MAC Addresses with ESRP

If you configure a MAC address limit on VLANs that have ESRP enabled, you should add an additional back-to-back link (with no MAC address limit on its ports) between the ESRP-enabled switches. Doing so prevents ESRP PDUs from being dropped because of the MAC address limit settings.

In the diagram on the slide, Switch 1 and Switch 2 are ESRP-enabled switches, while Switch 3 is an ESRP-aware (regular Layer 2) switch. Configuring a MAC address limit on all ports of Switch 3 might prevent ESRP communication between Switch 1 and Switch 2.

To resolve this, add a back-to-back link between Switch 1 and Switch 2.

Figure 11: Limiting MAC Addresses with ESRP (slide labels: Limiting MAC Addresses on ESRP Ports; Switch 1; Switch 2; Switch 3; Work Station; VLAN 1 Master; H/A; No address limit on Host Attach Ports; link)

Lock-Learning

In addition to limit-learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent (on a per-port, per-VLAN basis) any additional learning.

Lock-Learning Enabled

FDB entries (within the specified VLAN and ports) are converted to locked static entries and the learning limit is set to zero, so that no new entries can be learned.

● All new dynamic source MAC addresses are blackholed.

● Locked entries do not get aged, but can be cleared.

● Dynamic entries active at time of lock-learning remain in the FDB after the switch is reset or a power off/on cycle occurs.

● Permanent static entries can still be added and deleted. Permanent dynamic entries do not override locked static entries.

For ports that have lock-learning in effect, the following traffic will still flow to the port:

● Packets destined for the permanent MAC and other non-blackholed MAC addresses

● Broadcast traffic from non-blackholed MAC addresses

● EDP traffic

NOTE

You can either limit dynamic MAC FDB entries per vlan/port, or lock down the current MAC FDB entries per vlan/port, but not both.

Figure 12: Lock-Learning (diagram labels: Unknown MAC, Known MAC)

Configuring Lock-Learning

Adding Lock-Learning

In contrast to limiting learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent any additional learning using the lock-learning option of the following command:

configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]

This command causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to zero, so that no new entries can be learned. All new source MAC addresses are blackholed.

NOTE

Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.

Locked entries do not get aged, but can be deleted like a regular permanent entry.

For ports that have lock-down in effect, the following traffic still flows to the port:

● Packets destined for the permanent MAC and other non-blackholed MAC addresses

● Broadcast traffic

● EDP traffic

Traffic from the permanent MAC still flows from the virtual port.

Removing Lock-Learning

To remove MAC address lock down, type the following command:

configure ports <portlist> vlan <vlan name> unlock-learning

When you remove the lock down using the unlock-learning option, the learning-limit is reset to unlimited, and all associated entries in the FDB are flushed.
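The learning, limit-learning and lock-learning behaviour described in this module, from the FDB entry types through the configure ports ... limit-learning, lock-learning, unlimited-learning and unlock-learning commands and the create fdbentry / delete fdbentry commands, as an added Python model. It is not code from the student guide or from ExtremeWare: the Fdb class, its method names, the 300-second aging time and the sample MAC addresses are this example's own assumptions; the flag letters are the ones the guide quotes from show fdb output (“d” dynamic, “s” “p” “l” locked static, “B” “b” egress and ingress blackhole).

```python
"""Model of FDB learning under limit-learning and lock-learning (Module 6).
Added example, not ExtremeWare code: class and method names are this
example's own; the flag letters follow the ones quoted in the guide
("d" dynamic, "spl" locked static, "p" permanent, "Bb" blackhole)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VPort = Tuple[str, str]   # (port, vlan) = a "virtual port"


@dataclass
class Entry:
    mac: str
    vport: VPort
    flags: str     # "d", "spl" (locked static), "p" (permanent), "Bb" (blackhole)
    age: int = 0   # seconds since the source was last seen (aging entries only)


class Fdb:
    """FDB keyed by (mac, vlan); learning limits are kept per virtual port."""

    def __init__(self, aging_time: int = 300):
        self.aging_time = aging_time
        self.entries: Dict[Tuple[str, str], Entry] = {}
        self.limits: Dict[VPort, Optional[int]] = {}   # None = unlimited-learning

    def _dynamic_count(self, vport: VPort) -> int:
        return sum(1 for e in self.entries.values()
                   if e.vport == vport and e.flags == "d")

    # --- source-address learning -------------------------------------------
    def learn(self, src_mac: str, port: str, vlan: str) -> str:
        """Process one received frame; returns the flags of the resulting entry."""
        key, vport = (src_mac, vlan), (port, vlan)
        entry = self.entries.get(key)
        if entry is not None:
            if entry.flags == "d":
                entry.age = 0          # refresh; static/locked/blackhole never update
            return entry.flags
        limit = self.limits.get(vport)
        if limit is not None and self._dynamic_count(vport) >= limit:
            flags = "Bb"               # limit reached: blackhole ingress and egress
        else:
            flags = "d"
        self.entries[key] = Entry(src_mac, vport, flags)
        return flags

    # --- "configure ports <port> vlan <vlan> ..." ---------------------------
    def limit_learning(self, port: str, vlan: str, number: int) -> None:
        self.limits[(port, vlan)] = number

    def unlimited_learning(self, port: str, vlan: str) -> None:
        self.limits[(port, vlan)] = None

    def lock_learning(self, port: str, vlan: str) -> None:
        """Convert current dynamic entries to locked static and set the limit to 0."""
        for e in self.entries.values():
            if e.vport == (port, vlan) and e.flags == "d":
                e.flags = "spl"
        self.limits[(port, vlan)] = 0

    def unlock_learning(self, port: str, vlan: str) -> None:
        """Reset the limit to unlimited and flush every entry on the virtual port."""
        self.entries = {k: e for k, e in self.entries.items() if e.vport != (port, vlan)}
        self.limits[(port, vlan)] = None

    # --- "create fdbentry" / "delete fdbentry" -------------------------------
    def create_fdbentry(self, mac: str, port: str, vlan: str) -> None:
        self.entries[(mac, vlan)] = Entry(mac, (port, vlan), "p")   # overrides dynamic

    def delete_fdbentry(self, mac: str, vlan: str) -> None:
        self.entries.pop((mac, vlan), None)

    # --- aging ---------------------------------------------------------------
    def tick(self, seconds: int) -> None:
        """Advance the clock; dynamic and blackhole entries age out, static ones
        do not.  Blackhole entries are never refreshed by learn(), so they go
        after one aging period whether or not the source keeps sending."""
        for key in list(self.entries):
            e = self.entries[key]
            if e.flags in ("d", "Bb"):
                e.age += seconds
                if e.age >= self.aging_time:
                    del self.entries[key]

    def show_fdb(self, port: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
        return sorted((e.mac, e.vport[0], e.vport[1], e.flags)
                      for e in self.entries.values()
                      if port is None or e.vport[0] == port)


# Constructed sample MACs (locally administered, not real hosts).
MACS = ["02:00:00:00:00:%02x" % i for i in range(1, 5)]


def demo() -> List[Tuple[str, str, str, str]]:
    fdb = Fdb(aging_time=300)
    fdb.limit_learning("1", "corp", 2)
    for mac in MACS[:3]:                 # third host exceeds the limit -> "Bb"
        fdb.learn(mac, "1", "corp")
    fdb.create_fdbentry(MACS[3], "1", "corp")   # permanent entry ignores the limit
    return fdb.show_fdb()


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Running demo() shows the third host on a two-address limit appearing with the “Bb” flags while the permanent entry created with create_fdbentry is unaffected. tick() is where the note about the BlackDiamond 8800 and Summit X450 becomes visible: a blackhole entry is never refreshed, so it disappears after one aging period even if the host keeps sending, and is simply recreated by the next frame; locked static entries survive aging, and unlock_learning flushes everything on the virtual port, exactly the sequence an operator sees when a learning limit or lock is lifted.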

Figure 13: Adding Lock-Learning

Figure 14: Limit-Learning Commands

Verifying MAC Security Information

MAC Security Information for a Specified VLAN

To display the MAC security information for the specified VLAN, enter the following command:

show vlan <name> security

Detailed MAC Security Information for a Specified Port

To display detailed information, including MAC security information, for the specified port, enter the following command:

show port <portlist> info detail

Figure 15: show vlan <name> security

Figure 16: show port <portlist> info detail

FDB Table Entries

To display the FDB table entries that match the filters, enter the following command:

show fdb {<mac_addr> {netlogin [all | mac-based]} | permanent {netlogin [all | mac-based]} | ports <port_list> {netlogin [all | mac-based]} | vlan <vlan_name> {netlogin [all | mac-based]} | stats | netlogin [all | mac-based]}

When no options are specified, the command displays all FDB entries.

Logs

To display the local switch log, enter the following command:

show log {chronological} {<priority>}

● Chronological: displays messages in ascending chronological order.

● Priority: filters the log to display messages with the selected priority or higher (more critical). Priorities include alert, critical, debug, emergency, error, info, notice, and warning.

By default, log entries that are assigned a critical or warning level remain in the log after a switch reboot. Issuing a clear log command does not remove these static entries.

To remove log entries of all levels (including warning or critical), enter the following command:

clear log static

Figure 17: Verifying MAC Security Information (Additional Commands)

Disabling MAC Address Learning

By default, MAC address learning is enabled on all ports. To disable learning on specific ports, enter the following command:

disable learning ports <portlist>

If MAC address learning is disabled, only broadcast traffic, EDP traffic, and packets destined to a permanent MAC address matching that port number are forwarded. Use this command in a secure environment where access is granted via permanent FDB entries per port. Disabling learning on a port causes traffic destined for the unlearned MAC addresses on that port to be flooded (unless you disable egress flooding), because those addresses are not present in the FDB during the destination lookup.

NOTE

On the BlackDiamond 8800 family of switches and the Summit X450 switch only, when MAC address learning is disabled, packets with unknown source MAC addresses are dropped.

Figure 18: Disabling MAC Address Learning

Disabling Egress Flooding

With ExtremeWare XOS software version 11.2, you can enable or disable egress flooding. Under default conditions, when the system does not find a match in the FDB for the unicast, multicast, or broadcast destination MAC address of a packet received on a given port, it forwards that frame to every port in the VLAN (known as Layer 2 flooding).

However, you can enhance security and privacy, and improve network performance, by disabling Layer 2 egress flooding for some packets. This is particularly useful on an edge device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream forwarding.

NOTE

Disabling egress flooding can affect many protocols, such as IP and ARP among others.

Figure 18 illustrates a case where you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance.

In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client's traffic by sniffing client 2's broadcast traffic; client 1 could then possibly launch an attack on client 2.

However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons:

● Broadcast and multicast traffic from the clients is forwarded only to the uplink port.

● Any packet with unlearned destination MAC addresses is forwarded only to the uplink port.

● One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage.

In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2.

Guidelines for Enabling or Disabling Egress Flooding

The following guidelines apply to enabling and disabling egress flooding:

● Egress flooding can be disabled on ports that are in a load-sharing group. If that is the situation, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port.

● FDB learning is independent of egress flooding; either can be enabled or disabled independently.

● Disabling unicast (or all) egress flooding to a port also stops packets with unknown destination MAC addresses from being flooded to that port.

● Disabling broadcast (or all) egress flooding to a port also stops broadcast packets from being flooded to that port.
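The ISP-access scenario and the four guidelines above, as an added Python model of the per-port egress flooding decision; it is not code from the guide or from ExtremeWare. The port labels, the client MAC addresses, the FDB contents and the function names are this example's constructions, the per-port sets stand in for the enable/disable flooding [all_cast | broadcast | multicast | unicast] port ... settings, and IGMP snooping group membership is not modelled.

```python
"""Per-port egress flooding decision for one VLAN, modelling the ISP-access
example (ports 1 and 2 face clients, port 3 is the uplink) and the
enable/disable flooding [all_cast | broadcast | multicast | unicast] options.
Added example, not ExtremeWare code: the port labels, the client MAC
addresses and the function names are this example's constructions; IGMP
snooping group membership is not modelled."""
from typing import Dict, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_CAST = {"unicast", "multicast", "broadcast"}   # "all_cast" on the CLI


def frame_kind(dst_mac: str, fdb: Dict[str, str]) -> str:
    """Classify the destination for the flooding decision."""
    if dst_mac == BROADCAST:
        return "broadcast"
    if int(dst_mac.split(":")[0], 16) & 1:   # I/G bit set -> group address
        return "multicast"
    return "known-unicast" if dst_mac in fdb else "unicast"   # unknown unicast


def egress_ports(fdb: Dict[str, str], flooding: Dict[str, Set[str]],
                 ingress: str, dst_mac: str) -> Set[str]:
    """Ports a frame is sent out of.  fdb maps MAC -> port; flooding maps each
    port to the set of flood kinds still enabled on it (empty = all disabled)."""
    kind = frame_kind(dst_mac, fdb)
    if kind == "known-unicast":
        out = fdb[dst_mac]
        return set() if out == ingress else {out}   # known unicast is never flooded
    # Unknown unicast, multicast and broadcast are flooded, but only to ports
    # that still have that flood kind enabled ("disable flooding ... port ...").
    return {p for p, kinds in flooding.items() if p != ingress and kind in kinds}


# Constructed topology: clients on ports 1 and 2, ISP uplink on port 3.
CLIENT1, CLIENT2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
UPLINK_ROUTER = "02:00:00:00:00:fe"
FDB = {CLIENT1: "1", CLIENT2: "2", UPLINK_ROUTER: "3"}

DEFAULT_FLOODING = {"1": set(ALL_CAST), "2": set(ALL_CAST), "3": set(ALL_CAST)}
# After "disable flooding all_cast port 1,2" (upstream forwarding):
HARDENED_FLOODING = {"1": set(), "2": set(), "3": set(ALL_CAST)}


def leaks_between_clients(flooding: Dict[str, Set[str]]) -> bool:
    """True if client 1's broadcast or unknown-unicast traffic reaches port 2."""
    probes = [BROADCAST, "02:00:00:00:00:99"]     # ARP-style broadcast, unknown host
    return any("2" in egress_ports(FDB, flooding, "1", dst) for dst in probes)


if __name__ == "__main__":
    print("default  leaks:", leaks_between_clients(DEFAULT_FLOODING))    # True
    print("hardened leaks:", leaks_between_clients(HARDENED_FLOODING))   # False
```

With the default settings a broadcast from port 1 reaches both port 2 and the uplink; with flooding disabled on the two access ports, broadcast, multicast and unknown-unicast frames leave only through port 3, while a frame addressed to client 2's learned MAC is still delivered to port 2 because known unicast is never flooded. The third assertion in the test covers the note above: multicast arriving from the uplink is not delivered to either client once flooding is off, so protocols that rely on flooding must be accounted for before the change.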

Figure 19: Guidelines for Enabling or Disabling Egress Flooding (slide: Upstream Forwarding or Disabling Egress Flooding Example)

Figure 20: Guidelines for Enabling or Disabling Egress Flooding

Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

You can enable or disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets, on the ports of the BlackDiamond 8800 family of switches (formerly known as Aspen) or the Summit X450 switch.

Disabling multicast egress flooding does not affect packets within an IGMP membership group at all; those packets are still forwarded. If IGMP snooping is disabled, multicast packets with static FDB entries are forwarded according to the FDB entry.

Enabling Egress Flooding

You enable egress flooding for these switches using the following command:

enable flooding [all_cast | broadcast | multicast | unicast] port [<port_list> | all]

Disabling Egress Flooding

To disable flooding for these switches, enter the following command:

disable flooding [all_cast | broadcast | multicast | unicast] port [<port_list> | all]

Figure 21: Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

Disabling Egress Flooding on the BlackDiamond 10K Switch Only

You must enable or disable egress flooding for all packets on the specified port or ports. You cannot specify broadcast, unicast, or multicast packets; the egress flooding command applies to all packets.

Disabling multicast egress flooding does not affect packets within an IGMP membership group at all; those packets are still forwarded. If IGMP snooping is disabled, multicast packets are not flooded.

Issue the following command to enable egress flooding on the BlackDiamond 10K switch:

enable flooding all_cast port [<port_list> | all]

To disable egress flooding on the BlackDiamond 10K switch, issue this command:

disable flooding all_cast port [<port_list> | all]

NOTE

When you disable egress flooding on the BlackDiamond 10K switch, you also turn off broadcasting.

Figure 22: Enabling and Disabling Egress Flooding on the BlackDiamond 10K Switch Only

Displaying Learning and Flooding Settings

To display the status of MAC learning and egress flooding, enter the following command:

show ports {mgmt | <port_list>} information {detail}

NOTE

The BlackDiamond 10K switch has an additional flag: p - Load Sharing Algorithm, port-based.

QB_Mariner.4 > show port 3:1 info

Port   Diag  Flags        Link   Link  Num   Num   Num    Jumbo  QOS      Load
                          State  UPS   STP   VLAN  Proto  Size   profile  Master
================================================================================
3:1    P     Em------e--  ready  0     0     1     1      9216
================================================================================
Flags : a - Load Sharing Algorithm address-based, D - Port Disabled,
        e - Extreme Discovery Protocol Enabled, E - Port Enabled,
        f - Flooding Enabled, g - Egress TOS Enabled, j - Jumbo Frame Enabled,
        l - Load Sharing Enabled, m - MAC Learning Enabled, n - Ingress TOS Enabled,
        o - Dot1p Replacement Enabled, P - Software redundant port (Primary),
        q - Background QOS Monitoring Enabled, R - Software redundant port (Redundant),
        s - diffserv Replacement Enabled, v - Vman Enabled, f - Unicast Flooding Enabled,
        M - Multicast Flooding Enabled, B - Broadcast Flooding Enabled

Figure 23: Displaying Learning and Flooding Settings
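A way to check the learning and flooding state that show ports ... information reports, as an added Python example that is not from the guide or from Extreme. The first data row and the flag legend are the ones quoted above; the rows for ports 3:2 and 3:3, the column layout the regular expression assumes, and the reading of “f” as unicast flooding (the legend prints “f” twice) are this example's own assumptions.

```python
"""Decode the Flags column of "show ports <port_list> information" output and
audit it against an access-port policy (MAC learning off, egress flooding
off).  Added example, not Extreme code: the row for port 3:1 and the legend
are the ones quoted in the guide; the rows for 3:2 and 3:3 are constructed,
and the column layout the regex assumes is this example's reading of that
output."""
import re
from typing import Dict, List

# Flag letters as printed in the legend.  The switch prints "f" both for
# "Flooding Enabled" and "Unicast Flooding Enabled"; read here as unicast.
FLAG_LEGEND = {
    "a": "Load Sharing Algorithm address-based", "D": "Port Disabled",
    "e": "Extreme Discovery Protocol Enabled", "E": "Port Enabled",
    "f": "Unicast Flooding Enabled", "g": "Egress TOS Enabled",
    "j": "Jumbo Frame Enabled", "l": "Load Sharing Enabled",
    "m": "MAC Learning Enabled", "n": "Ingress TOS Enabled",
    "o": "Dot1p Replacement Enabled", "P": "Software redundant port (Primary)",
    "q": "Background QOS Monitoring Enabled", "R": "Software redundant port (Redundant)",
    "s": "diffserv Replacement Enabled", "v": "Vman Enabled",
    "M": "Multicast Flooding Enabled", "B": "Broadcast Flooding Enabled",
}

# Port 3:1 is the row quoted in the guide; 3:2 and 3:3 are constructed.
SAMPLE_OUTPUT = """\
Port   Diag  Flags        Link   Link  Num   Num   Num    Jumbo  QOS      Load
                          State  UPS   STP   VLAN  Proto  Size   profile  Master
================================================================================
3:1    P     Em------e--  ready  0     0     1     1      9216
3:2    P     E-------e--  ready  0     0     1     1      9216
3:3    P     EmfMB---e--  active 0     0     1     1      9216
================================================================================
Flags : a - Load Sharing Algorithm address-based, D - Port Disabled,
"""

# Assumed layout: port, diag, flags, link state, then counters we do not need.
ROW_RE = re.compile(r"^\s*(?P<port>\d+(?::\d+)?)\s+(?P<diag>\S+)\s+"
                    r"(?P<flags>[A-Za-z-]+)\s+(?P<link>\S+)")


def parse_port_rows(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue            # header, separator and legend lines
        flags = set(m["flags"]) - {"-"}
        rows.append({
            "port": m["port"],
            "link": m["link"],
            "flags": flags,
            "enabled": "E" in flags and "D" not in flags,
            "learning": "m" in flags,
            "flooding": {kind for kind, letter in (("unicast", "f"), ("multicast", "M"),
                                                   ("broadcast", "B")) if letter in flags},
        })
    return rows


def describe(row: Dict) -> List[str]:
    """Expand a row's flag letters using the legend (unknown letters kept as-is)."""
    return sorted(FLAG_LEGEND.get(f, f) for f in row["flags"])


def audit(rows: List[Dict], learning: bool, flooding: bool) -> List[str]:
    """Ports whose learning or flooding state differs from the expected policy."""
    return [r["port"] for r in rows
            if r["learning"] != learning or bool(r["flooding"]) != flooding]


if __name__ == "__main__":
    for row in parse_port_rows(SAMPLE_OUTPUT):
        print(row["port"], row["link"], "; ".join(describe(row)))
    print("policy violations:", audit(parse_port_rows(SAMPLE_OUTPUT),
                                      learning=False, flooding=False))
```

For a secured edge port the policy in this module is learning disabled (disable learning ports) and flooding disabled (disable flooding all_cast port), which is what audit(rows, learning=False, flooding=False) checks; on the sample, port 3:2 passes and ports 3:1 and 3:3 are reported. Pasting a real show ports output in place of SAMPLE_OUTPUT is the intended use, with the regular expression adjusted if the column layout differs from the one assumed here.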


Layer 3 Blackholes

Blackholes may be configured at Layer 3. At Layer 3, the blackhole address is stored in the routing table. All traffic destined for a configured blackhole IP address is silently dropped and no Internet Control Message Protocol (ICMP) message is generated.

Blackhole entries are:

● treated like permanent entries in the event of a switch reset or power off/on cycle

● never aged out of the forwarding database

Configuring a Layer 3 Blackhole

To configure a Layer 3 blackhole for a specific IP address, enter the following command:

configure iproute add blackhole [<ipNetmask> | <ipaddress> <mask>] {vr <vrname>} {multicast-only | unicast-only}

Configuring a Layer 3 Default Blackhole

A default blackhole route discards traffic to unknown destinations. The default blackhole route's origin is “b” or “blackhole” and the gateway IP address for this route is 0.0.0.0. To add a default Layer 3 blackhole route, enter the following command:

configure iproute add blackhole {ipv4} default {vr <vrname>} {multicast-only | unicast-only}

Deleting Layer 3 Blackholes

To delete a blackhole address from the routing table, enter the following command:

configure iproute delete blackhole [<ipNetmask> | <ipaddress> <mask>] {vr <vrname>}

To delete a default blackhole route from the routing table, enter the following command:

configure iproute delete blackhole default {vr <vrname>}

Verifying Layer 3 Blackholes

To view Layer 3 blackhole information, enter the following command:

show iproute

Blackhole routes are flagged with a “B” or “b.”
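As an added example (not from the student guide), the following Python script turns a drop list into the configure iproute add blackhole commands shown above and refuses to emit any prefix that overlaps space that must stay reachable. Because a blackhole route drops silently with no ICMP error, a prefix that accidentally covers the management VLAN or the RADIUS server locks the operator out without any message to the sender, so the script treats such an overlap as a hard failure. The drop list, the protected prefixes and the virtual router name are constructed inputs.

```python
"""Generate Layer 3 blackhole commands from a drop list, with a lock-out check.

Added example, not from the Extreme student guide. It emits only the
"configure iproute add|delete blackhole" syntax shown above; the drop list,
the protected prefixes and the virtual router name are constructed inputs.
"""
import ipaddress

# Constructed inputs: space to null-route, and space that must stay
# reachable (management VLAN, RADIUS/DHCP servers).
DROP_LIST = [
    "192.0.2.0/24",       # documentation range, assumed unused internally
    "192.0.2.128/25",     # already covered by the /24 above
    "198.51.100.17/32",   # a single host
    "203.0.113.0/24",
]
PROTECTED = ["10.201.26.0/24", "10.0.1.1/32"]


def normalise(prefixes):
    """Parse strictly (host bits set is an error) and collapse overlaps.

    Collapsing matters because each blackhole is a permanent route entry;
    a redundant /25 inside a /24 is just one more line to audit later.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def overlapping_protected(nets, protected):
    """Return the candidate prefixes that overlap any protected prefix.

    A blackhole route drops silently and sends no ICMP error, so one that
    covers the management network or the AAA server locks the operator
    out without any message to the sender. Treat any overlap as fatal.
    """
    prot = [ipaddress.ip_network(p) for p in protected]
    return [n for n in nets if any(n.overlaps(p) for p in prot)]


def blackhole_commands(prefixes, protected, vr=None, delete=False):
    """One 'configure iproute add|delete blackhole' line per collapsed prefix."""
    nets = normalise(prefixes)
    clash = overlapping_protected(nets, protected)
    if clash:
        raise ValueError("refusing to blackhole protected space: "
                         + ", ".join(str(n) for n in clash))
    verb = "delete" if delete else "add"
    suffix = " vr %s" % vr if vr else ""
    return ["configure iproute %s blackhole %s%s" % (verb, n.with_prefixlen, suffix)
            for n in nets]


if __name__ == "__main__":
    for line in blackhole_commands(DROP_LIST, PROTECTED, vr="VR-Default"):
        print(line)
```

Run it before pasting the output into the switch, and feed the same list with delete=True to produce the rollback commands. The check is only as good as the PROTECTED list, so the management and AAA prefixes belong there first.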


Figure 24: Layer 3 Blackholes

Figure 25: Layer 3 Blackhole Commands


Summary

You should now be able to:

● Describe the Forwarding Database (FDB)

● Identify four FDB types

● List two types of port address security

● Describe limit-learning

● Configure limit-learning

● Identify configuration guidelines when implementing limit-learning on ESRP ports

● Troubleshoot limit-learning

● Describe lock-learning

● Configure lock-learning

● Troubleshoot lock-learning

● Disable MAC Address Learning

● List guidelines when enabling or disabling egress flooding

● Enable and disable egress flooding on the BlackDiamond 8800 family of switches and the Summit X450 only

● Enable and disable egress flooding on the BlackDiamond 10K switch only

● Configure a Layer 3 blackhole


Figure 26: Summary

Figure 27: Summary (cont)


Module 7 Network Login


Student Objectives

Upon completion of this module, the successful student will be able to:

● Describe Network Login

● List three Network Login authentication types

● Identify the advantages and disadvantages of Web-Based Authentication

● Identify the advantages and disadvantages of MAC-Based Authentication

● Identify the advantages and disadvantages of 802.1x

● Describe the DHCP server authentication role

● Configure DHCP server

● Describe the Network Login sequence

● Describe Campus Mode

● Describe ISP Mode

● Describe multiple supplicant support

● Identify Network Login design considerations

● List methods of authenticating network login users

● Identify RADIUS attributes used by Network Login

● Configure Network Login with local database authentication

● Configure Network Login with 802.1x authentication

● Configure Network Login with Web-Based authentication

● Terminate a Network Login session

● Display Network Login information


Figure 1: Student Objectives

Figure 2: Student Objectives (cont)


Network Login Overview

ExtremeWare XOS 11.3 supports Network Login. Network login controls the admission of user packets into a network by allowing only MAC addresses from users that are properly authenticated. Network login is controlled on a per-port basis. When network login is enabled on a port, that port does not forward any packets until authentication takes place.

Network login is capable of three types of authentication: web-based, MAC-based, and 802.1x. In addition, network login has two different modes of operation: Campus mode and ISP mode. The authentication types and modes of operation can be used in any combination.

When web-based network login is enabled on a switch port, that port is placed into a non-forwarding state until authentication takes place. To authenticate, a user must open a web browser and provide the appropriate credentials. These credentials are either approved, in which case the port is placed in forwarding mode, or not approved, in which case the port remains blocked. You can initiate user logout by submitting a logout request or closing the logout window.

The following capabilities are included with network login:

● Web-based login using HTTP available on each port

● Web-based login using HTTPS—if you install the SSH software module that includes SSL—available on each port

● Multiple supplicants for web-based, MAC-based, and 802.1x authentication on each port

Authentication Types

Authentication is handled as a web-based process, a MAC-based process, or as described in the IEEE 802.1x specification. Web-based network login does not require any specific client software and can work with any HTTP-compliant web browser. By contrast, 802.1x authentication may require additional software installed on the client workstation, making it less suitable for a user walk-up situation, such as a cyber-café or coffee shop. Extreme Networks supports a smooth transition from web-based to 802.1x authentication.

MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone.

If a MAC address is detected on a MAC-based enabled network login port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured Remote Authentication Dial In User Service (RADIUS) server and its configured parameters (timeout, retries, and so on) or the configured local database. The credentials used for this are the supplicant’s MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is also used as the password. You can also group MAC addresses together using a mask.
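To make the credential derivation concrete, here is an added Python example (not code from the student guide or from ExtremeWare XOS) that canonicalises a detected MAC address, matches it against a locally configured list of MAC/mask/password entries, and returns the user name and password the switch would present to the RADIUS server or the local database. The list layout, the lowercase colon-separated ASCII form of the MAC, and the rule that the most specific mask wins are assumptions of this example, and the sample entries are constructed. It also makes the spoofing weakness noted later in this module visible: the credentials depend on nothing but the MAC address, so any station that clones a listed address obtains the same result.

```python
"""Derive MAC-based network login credentials from a local MAC list.

Added example, not from the Extreme student guide or ExtremeWare XOS. The
guide says the user name is the supplicant's MAC address in ASCII, the
password is a locally configured one (or the MAC itself when none is set),
and MACs can be grouped with a mask. The list layout, the lowercase
colon-separated ASCII form and the "most specific mask wins" rule are
assumptions of this example; the list entries are constructed.
"""
import re


def parse_mac(text):
    """Accept 00:04:96:1F:A4:B1, 00-04-96-1f-a4-b1 or 000496.1fa4b1; return an int."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return int(digits, 16)


def mac_to_ascii(value):
    """Canonical ASCII form sent as the RADIUS User-Name (assumed format)."""
    return ":".join("%02x" % ((value >> shift) & 0xFF) for shift in range(40, -1, -8))


# Constructed MAC list: (mac, mask, password). An all-ones mask matches one
# station; ff:ff:ff:00:00:00 matches a vendor OUI (say, the site's IP
# phones); an all-zero mask is a catch-all default entry.
MAC_LIST = [
    ("00:04:96:00:00:00", "ff:ff:ff:00:00:00", "phones-secret"),
    ("00:04:96:1f:a4:b1", "ff:ff:ff:ff:ff:ff", "printer-1"),
    ("00:00:00:00:00:00", "00:00:00:00:00:00", None),  # no password: MAC is the password
]


def credentials_for(mac_text, mac_list=MAC_LIST):
    """Return (user_name, password) for a detected MAC, or None if nothing matches.

    The entry with the most mask bits set wins, so a per-station entry
    overrides the OUI group that also contains it. Note what is absent:
    nothing here requires the station to prove anything, which is why the
    guide lists spoofing as the method's main weakness.
    """
    mac = parse_mac(mac_text)
    best_bits, best_password = -1, None
    for entry_mac, entry_mask, password in mac_list:
        mask = parse_mac(entry_mask)
        if (mac & mask) != (parse_mac(entry_mac) & mask):
            continue
        bits = bin(mask).count("1")
        if bits > best_bits:
            best_bits, best_password = bits, password
    if best_bits < 0:
        return None
    user = mac_to_ascii(mac)
    return user, (best_password if best_password is not None else user)


if __name__ == "__main__":
    for probe in ("00:04:96:1F:A4:B1", "00-04-96-aa-bb-cc", "001122.334455"):
        print(probe, "->", credentials_for(probe))
```

The catch-all entry at the end of the list reproduces the guide's fallback (MAC used as password); remove it and any MAC outside the listed groups gets no credentials at all, which is the stricter configuration for a port that should only ever carry phones and printers.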


Figure 3: Network Login Overview

Figure 4: Three Authentication Types


Authentication Advantages and Disadvantages

Web-Based Authentication

Advantages

● Works with any operating system that is capable of obtaining an IP address using DHCP. There is no need for special client side software; only a web browser is needed.

Disadvantages

● The login process involves manipulation of IP addresses and must be done outside the scope of a normal computer login process. It is not tied to a Windows login. The client must bring up a login page and initiate a login.

● Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the authenticator side.

● This method is not as effective in maintaining privacy protection.

MAC-Based Authentication

Advantages

● Works with any operating system or network enabled device.

● Works silently. The user, client, or device does not know that it gets authenticated.

● Ease of management. A set of devices can easily be grouped by the vendor part of the MAC address.

Disadvantages

● There is no re-authentication mechanism. The FDB aging timer determines the logout.

● Security is based on the MAC address of the client, so the network is more vulnerable to spoofing attacks.


Figure 5: Web-Based Authentication

Figure 6: MAC-Based Authentication

page 6

Network Login Operational ModesTwo Modes• Campus

• ISP

Differences• Port / VLAN movement

• RADIUS server requirement

• DHCP server requirement

Possible to have Campus and ISP mode enabled ports on the same switch

page 7

Network Login Design Considerations

All unauthenticated MACs will be seeing broadcasts and multicasts sent to the port

Network login must be disabled on a port before that port can be deleted from a VLAN

Campus mode on BlackDiamond 8800 and Summit X450 VLAN display issue

ExtremeWare Security Fundamentals Student Guide Rev. 3.0 7

Page 294: ESF_Rev3

Module 7 Network Login

8

Authentication Advantages and Disadvantages

802.1x Authentication

Advantages

● In cases where 802.1x is natively supported, login and authentication happen transparently.

● Authentication happens at Layer 2. It does not involve getting a temporary IP address and subsequent release of the address to obtain a permanent IP address.

● Allows for periodic, transparent re-authentication of supplicants.

Disadvantages

● 802.1x native support is available only on newer operating systems, such as Windows XP.

● 802.1x requires an Extensible Authentication Protocol (EAP) -capable RADIUS Server. Most current RADIUS servers support EAP, so this is not a major disadvantage.

● Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve Public Key Infrastructure (PKI), which adds to the administrative requirements.


Figure 7: 802.1x Authentication


General Network Login Commands

Enabling or Disabling Network Login on the Switch

By default, netlogin is disabled. To enable or disable network login, use one of the following commands and specify the authentication method:

enable netlogin [{dot1x} {mac} {web-based}]

disable netlogin [{dot1x} {mac} {web-based}]

Enabling or Disabling Network Login on a Specific Port

By default, all methods of network login are disabled on all ports. To enable network login on a port, type the following command to specify the ports and the authentication method:

enable netlogin ports <portlist> [{dot1x} {mac} {web-based}]

Network login must be disabled on a port before you can delete a VLAN that contains that port. To disable network login, type the following command:

disable netlogin ports <portlist> [{dot1x} {mac} {web-based}]

Configuring the Move Fail Action

If network login fails to perform a Campus mode VLAN move, you can configure the switch to authenticate the client in the original VLAN or to deny authentication even if the user name and password are correct. For example, this may occur if a destination VLAN does not exist. To configure the behavior of network login if a VLAN move fails, type the following command:

configure netlogin move-fail-action [authenticate | deny]

By default, the setting is deny.

The following describes the parameters of this command if two clients want to move to a different untagged VLAN on the same port:

● authenticate—Network login authenticates the first client that requests a move and moves that client to the requested VLAN. Network login authenticates the second client but does not move that client to the requested VLAN. The second client moves to the first client’s authenticated VLAN.

● deny—Network login authenticates the first client that requests a move and moves that client. Network login does not authenticate the second client.

Displaying Network Login Settings

To display the network login settings and parameters, type the following command:

show netlogin {port <portlist> vlan <vlan_name>} {dot1x {detail}} {mac} {web-based}


Figure 8: General Network Login Commands


DHCP Server Authentication Role

Dynamic Host Configuration Protocol (DHCP) is required for web-based network login because the underlying protocol used to carry the authentication request and response is HTTP. The client requires an IP address to send and receive HTTP packets. Before the client is authenticated, however, the only connection that exists is to the authenticator. As a result, the authenticator must be furnished with a temporary DHCP server to distribute the IP address.

The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as dhcp-address-range and dhcp-options are configured on the netlogin VLAN. The switch can also answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If netlogin clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network, DHCP should not be enabled on the VLAN.

The DHCP allocation for network login has a short duration of 10 seconds and is intended to perform web-based network login only. As soon as the client is authenticated, it is deprived of this address. The client must obtain an operational address from another DHCP server in the network. DHCP is not required for 802.1x or MAC-based network login: 802.1x authentication uses only Layer 2 frames (EAPOL), and MAC-based authentication works on the detected source MAC address alone.

NOTE

The built-in DHCP server is only meant to provide the temporary DHCP leases used in network login; it is not meant to replace a fully dedicated DHCP server.

Enabling and Disabling DHCP Server

DHCP is enabled on a per port, per VLAN basis. To enable or disable DHCP on a port in a VLAN, use one of the following commands:

enable dhcp ports <portlist> vlan <vlan_name>

disable dhcp ports <portlist> vlan <vlan_name>

Setting the DHCP Lease Timer

To set how long the IP address lease assigned by the server exists, enter the following command:

configure vlan <vlan_name> dhcp-lease-timer <lease-timer>


Figure 9: DHCP Server Authentication Role

Figure 10: DHCP Server Commands


DHCP Server Commands

To configure the range of IP addresses assigned by the DHCP server, enter the following command:

configure vlan <vlan_name> dhcp-address-range <ipaddress1> - <ipaddress2>

To remove the address range information, enter the following command:

unconfigure vlan <vlan_name> dhcp-address-range

To set the default gateway, Domain Name Servers (DNS) addresses, or Windows Internet Naming Service (WINS) server, enter the following command:

configure vlan <vlan_name> dhcp-options [default-gateway | dns-server | wins-server] <ipaddress>

Removing DHCP Server Configurations

To remove the default gateway, DNS server addresses, and WINS server information for a particular VLAN, enter the following command:

unconfigure vlan <vlan_name> dhcp-options

To remove all the DHCP information for a particular VLAN, enter the following command:

unconfigure vlan <vlan_name> dhcp

You can clear the DHCP address allocation table selected entries, or all entries. You would use this command to troubleshoot IP address allocation on the VLAN. To clear entries, enter the following command:

clear vlan <vlan_name> dhcp-address-allocation [[all {offered | assigned | declined | expired}] | <ipaddress>]

Displaying DHCP Information

Displaying DHCP Configuration

To display the DHCP configuration, including the DHCP range, DHCP lease timer, network login lease timer, DHCP-enabled ports, IP address, MAC address, and time assigned to each end device, enter the following command:

show dhcp-server {vlan <vlan_name>}

The next two commands were retained for compatibility with earlier versions of ExtremeWare. To view only the address allocation of the DHCP server on a VLAN, enter the following command:

show vlan <vlan_name> dhcp-address-allocation

To view only the configuration of the DHCP server on a VLAN, enter the following command:

show vlan <vlan_name> dhcp-config


Figure 11: DHCP Server Commands

Network Login Sequence for Web Based Authentication (diagram)

Components shown: the client PC, the Network Login switch (acting as DHCP server, Web server and RADIUS client), the RADIUS server, and the network DHCP server. Numbered steps in the diagram: 1 switch port is placed in the temporary VLAN; 2 DHCP request; 3 temporary IP address; 4 start web browser; 5 request username/password; 6 provide username/password; 7 check username/password against the RADIUS server; 8 allow forwarding on the port and assign the VLAN; 9 DHCP release; 10 DHCP request.


Web Based Network Login Sequence

Network Login can be broken down and examined in a sequential fashion if you understand the basics of the feature.

1 Network Login has been enabled on a switch port. The switch detects a connection on the switch port, but that port is placed in a non-forwarding mode until authentication takes place. No packets get past the switch in the meantime, preventing DoS attacks and other abuses from entering the network.

2 The Client PC requires an IP address. By powering on the PC the client issues a DHCP request.

3 The switch responds as a temporary DHCP server, providing a temporary IP address with a short DHCP lease time.

4 To authenticate, the client user must open a web browser.

5 The switch sends a Login web page.

6 User enters username and a password.

7 The Switch, configured as a RADIUS client, forwards the client credentials in a request to the RADIUS server.

8 When the RADIUS server validates the client, the switch unblocks the port and implements VLAN assignment and possibly an Access Policy.

9 The Network Login switch (the temporary DHCP server) set a very short DHCP lease timer, so the temporary TCP/IP information is released.

10 This causes the client to send a new DHCP request. The client is now on the appropriate VLAN and gets the required TCP/IP information from the “real” DHCP server.

When the authentication by the RADIUS server fails, the port remains in non-forwarding state. Three failed login attempts will disable the port for a configured length of time.


Figure 12: Network Login Sequence

Figure 13: Network Login: Example of Components

Network Login: Example of Components (diagram)

Shown: the Base-URL (initial login page) used for 1) the login attempt; the Re-Direct URL description and the Log-Out window presented after 2) a successful login; and the Re-Direct URL loaded 3) once the client is authenticated.

Network Login Operational Modes

Network login supports two modes of operation, Campus and ISP. Campus mode is intended for mobile users who tend to move from one port to another and connect at various locations in the network. ISP mode is meant for users who connect through the same port and VLAN each time (the switch functions as an ISP). Ports in Campus mode and ports in ISP mode can coexist on the same switch.

In Campus mode, the clients are placed into a permanent VLAN following authentication with access to network resources. For wired ports, the port is moved from the temporary to the permanent VLAN.

In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets.

You do not explicitly configure the mode of operation; rather, the presence of any Extreme Networks Vendor Specific Attribute (VSA) that has a VLAN name or VLAN ID (any VLAN attribute) in the RADIUS server determines the mode of operation. If a VLAN attribute is present, it is assumed to be Campus mode. If a VLAN attribute is not present, it is assumed to be ISP mode.

Multiple Supplicant Support

An important enhancement over the IEEE 802.1x standard is that ExtremeWare XOS supports multiple clients (supplicants) to be individually authenticated on the same port. This feature makes it possible for two or more client stations to be connected to the same port, with some being authenticated while others are not. A port's authentication state is the logical “OR” of the individual MAC's authentication states. In other words, a port is authenticated if any of its connected clients is authenticated. Multiple clients can be connected to a single port of the authentication server through a hub or layer-2 switch.

Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication. On the BlackDiamond 10K switch, multiple supplicants are supported in Campus mode only if all supplicants move to the same VLAN. On the BlackDiamond 8800 family of switches and the Summit X450 switch, multiple supplicants are supported in Campus mode if you configure and enable netlogin MAC-based VLANs. Netlogin MAC-based VLANs are not supported on the BlackDiamond 10K switch or 10 Gigabit Ethernet ports.

Campus and ISP modes compared

                                   Campus Mode   ISP Mode
Port / VLAN Movement               Yes           No
VSA or VLAN ID in RADIUS Server    Yes           No
RADIUS Server                      Required      Optional, can use local switch database
DHCP Server                        Required      Optional, can use static IP addresses


Figure 14: Network Login Operational Modes

Figure 15: Multiple Supplicant Support


DHCP Server Commands Example

DHCP address range:

configure vlan corp dhcp-address-range 10.201.26.150 - 10.201.26.160

DHCP options (default gateway, DNS server, and WINS server):

configure vlan corp dhcp-options default-gateway 10.201.26.1

configure vlan corp dhcp-options dns-server 10.0.1.1

configure vlan corp dhcp-options wins-server 10.0.1.1

Displaying the DHCP configuration:

show dhcp-server {vlan <vlan_name>}


Network Login Design Considerations

When designing and configuring Network Login, please consider the following limitations.

● All unauthenticated MACs will be seeing broadcasts and multicasts sent to the port if even a single MAC is authenticated on that port.

● Network login must be disabled on a port before that port can be deleted from a VLAN.

● In Campus mode on the BlackDiamond 8800 family of switches and the Summit X450 switch, with untagged VLANs and the netlogin port’s mode configured as port-mode, after the port moves to the destination VLAN, the original VLAN for that port is not displayed.

● A network login VLAN port should not be a part of the following protocols:

■ Ethernet Automatic Protection Switching (EAPS)

■ Extreme Standby Router Protocol (ESRP)

■ Spanning Tree Protocol (STP)

■ Link Aggregation


Figure 16: Network Login Design Considerations

Figure 17: Network Login Design Considerations

Web-Based Authentication

Web-based authentication requires the configuration of:

• Switch DNS name

• Default redirect page

• Session refresh

• Logout-privilege

If the redirect URL uses HTTPS, ExtremeWare XOS requires the SSH software module.

Web-Based Authentication Commands

Configuring the base URL:

configure netlogin base-url <url>

Configuring the redirect page:

configure netlogin redirect-page <url>

Configuring session refresh:

enable netlogin session-refresh {<minutes>}

Configuring logout privilege:

enable netlogin logout-privilege

Authenticating Users

Network login uses two methods to authenticate users trying to access the network:

● RADIUS servers

● Local database

All three network login protocols, web-based, MAC-based, and 802.1x netlogin, support RADIUS authentication. Only web-based and MAC-based netlogin support local database authentication.

Vendor Specific Attributes (VSA) Types Used By Network Login

You can create two types of user accounts on your RADIUS server for authenticating network login users: netlogin-only enabled and netlogin-only disabled. A netlogin-only disabled user can log in using network login and can also access the switch using Telnet or SSH. A netlogin-only enabled user can only log in using network login and cannot access the switch using the same login.

For information on how to use and configure your RADIUS server, please refer to the documentation that came with your RADIUS server. Add the following line to the RADIUS server users file for netlogin-only disabled users:

Extreme:Extreme-Netlogin-Only = Disabled

Add the following line to the RADIUS server users file for netlogin-only enabled users:

Extreme:Extreme-Netlogin-Only = Enabled

Table 1 contains the Vendor Specific Attribute (VSA) definitions for web-based, MAC-based, and 802.1x network login. The Extreme Network Vendor ID is 1916.

Table 1: VSA Definitions for Web-based, MAC-based, and 802.1x network login

VSA                              Vendor Type  Type     Sent-in        Description
Extreme: Netlogin-Extended-VLAN  211          String   Access-Accept  Name or ID of the destination VLAN after successful authentication (must already exist on switch). NOTE: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN.
Extreme: Netlogin-VLAN-Name      203          String   Access-Accept  Name of destination VLAN after successful authentication (must already exist on switch).
Extreme: Netlogin-VLAN-ID        209          Integer  Access-Accept  ID of destination VLAN after successful authentication (must already exist on switch).
Extreme: Netlogin-URL            204          String   Access-Accept  Destination web page after successful authentication.
Extreme: Netlogin-URL-Desc       205          String   Access-Accept  Text description of network login URL attribute.
Extreme: Netlogin-Only           206          Integer  Access-Accept  Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of zero (disabled) indicates that the user can also authenticate via other methods.


Figure 18: Authenticating Users

Figure 19: VSA Types Used By Network Login

Web-Based Authentication User Login

1. Set up the user's PC as a DHCP client

2. Plug into the port that has web-based network login enabled

3. Log in to Windows

4. Release the IP settings and renew the DHCP lease

5. Launch a browser and open any URL

6. The user is redirected to the specified URL; click on Network Login

7. Enter username and password

RADIUS Attributes Used By Network Login

Table 2 contains the standard RADIUS attributes used by network login.

The NetLogin-Url and NetLogin-Url-Desc attributes are used in case of Web-based login as the page to use for redirection after a successful login. Other authentication methods will ignore these attributes.

The other attributes are used in the following order to determine the destination VLAN to use:

● Extreme: Netlogin-Extended-VLAN (VSA 211)

● Extreme: Netlogin-VLAN-Name (VSA 203)

● Extreme: Netlogin-VLAN-ID (VSA 209)

● IETF: Tunnel-Private-Group-ID representing the VLAN TAG as a string, but only if IETF: Tunnel-Type == VLAN(13) and IETF: Tunnel-Medium-Type == 802 (6).

If none of the previously described attributes are present ISP mode is assumed, and the client remains in the configured VLAN.

Table 2: Standard RADIUS attributes used by network login

Attribute                      Attribute Value  Type     Sent-in        Description
IETF: Tunnel-Type              64               Integer  Access-Accept  Specifies the tunneling protocol that is used.
IETF: Tunnel-Medium-Type       65               Integer  Access-Accept  Specifies the transport medium used when creating a tunnel for protocols (for example, VLANs) that can operate over multiple transports.
IETF: Tunnel-Private-Group-ID  81               String   Access-Accept  Specifies the VLAN ID of the destination VLAN after successful authentication; used to derive the VLAN name.
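The following added Python example (not from the student guide or from Extreme's RADIUS implementation) encodes the attributes from Tables 1 and 2 into RADIUS wire format, decodes them back, and applies the selection order above to decide whether an Access-Accept puts the client in Campus mode with a destination VLAN or leaves it in ISP mode. The attribute numbers and the vendor ID 1916 are taken from the tables; the byte layout follows RFC 2865 for the Vendor-Specific attribute (type 26) and RFC 2868 for the tagged tunnel attributes; the Access-Accept payloads and VLAN names are constructed for illustration.

```python
"""Encode, decode and rank the RADIUS attributes used by network login.

Added example, not from the Extreme student guide. Attribute numbers and
the vendor ID come from Tables 1 and 2; the wire layout is RFC 2865
(Vendor-Specific) and RFC 2868 (tagged tunnel attributes). The Access-Accept
payloads and VLAN names below are constructed for illustration.
"""
import struct

EXTREME_VENDOR_ID = 1916
VSA_VLAN_NAME, VSA_URL, VSA_URL_DESC = 203, 204, 205
VSA_NETLOGIN_ONLY, VSA_VLAN_ID, VSA_EXTENDED_VLAN = 206, 209, 211
ATTR_VENDOR_SPECIFIC, ATTR_TUNNEL_TYPE = 26, 64
ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return bytes([atype, 2 + len(value)]) + value


def extreme_vsa(vendor_type, value):
    """Vendor-Specific (26) with Vendor-Id 1916 and one sub-attribute."""
    if isinstance(value, int):
        value = struct.pack("!I", value)          # RADIUS Integer is 4 bytes
    elif isinstance(value, str):
        value = value.encode()
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", EXTREME_VENDOR_ID) + sub)


def tagged_int(atype, value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return attr(atype, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(atype, value, tag=0):
    """RFC 2868 tagged string: tag byte (0x00-0x1F) followed by the text."""
    return attr(atype, bytes([tag]) + value.encode())


def decode(payload):
    """Parse an attribute blob into [(type, value)] entries; each vendor
    sub-attribute becomes ("vsa", vendor_id, vendor_type, value)."""
    out, pos = [], 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = payload[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            data, p = value[4:], 0
            while p < len(data):
                vtype, vlen = data[p], data[p + 1]
                if vlen < 2 or p + vlen > len(data):
                    raise ValueError("malformed VSA at offset %d" % pos)
                out.append(("vsa", vendor_id, vtype, data[p + 2:p + vlen]))
                p += vlen
        else:
            out.append((atype, value))
        pos += alen
    return out


def select_vlan(attrs):
    """Apply the guide's order (211, 203, 209, then the IETF tunnel trio).
    Returns ("campus", vlan) or ("isp", None)."""
    vsas = {a[2]: a[3] for a in attrs if a[0] == "vsa" and a[1] == EXTREME_VENDOR_ID}
    std = {}
    for a in attrs:
        if a[0] != "vsa":
            std.setdefault(a[0], a[1])
    if VSA_EXTENDED_VLAN in vsas:
        return "campus", vsas[VSA_EXTENDED_VLAN].decode()
    if VSA_VLAN_NAME in vsas:
        return "campus", vsas[VSA_VLAN_NAME].decode()
    if VSA_VLAN_ID in vsas:
        return "campus", struct.unpack("!I", vsas[VSA_VLAN_ID])[0]
    if all(k in std for k in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE,
                              ATTR_TUNNEL_PRIVATE_GROUP_ID)):
        ttype = int.from_bytes(std[ATTR_TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(std[ATTR_TUNNEL_MEDIUM_TYPE][1:], "big")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802:
            group = std[ATTR_TUNNEL_PRIVATE_GROUP_ID]
            if group and group[0] <= 0x1F:        # strip the RFC 2868 tag byte
                group = group[1:]
            return "campus", group.decode()
    return "isp", None


# Constructed Access-Accept payloads (attribute section only).
CAMPUS_ACCEPT = (extreme_vsa(VSA_VLAN_NAME, "corp")       # wins: checked before IETF
                 + extreme_vsa(VSA_NETLOGIN_ONLY, 1)
                 + tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                 + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
                 + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, "100"))
IETF_ONLY_ACCEPT = (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                    + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
                    + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, "100"))
ISP_ACCEPT = (extreme_vsa(VSA_URL, "http://intranet.example/")  # no VLAN attribute
              + extreme_vsa(VSA_URL_DESC, "Intranet"))

if __name__ == "__main__":
    for name, blob in (("campus", CAMPUS_ACCEPT), ("ietf", IETF_ONLY_ACCEPT), ("isp", ISP_ACCEPT)):
        print(name, select_vlan(decode(blob)))
```

Two details matter in practice. The tunnel trio only counts when Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is 802 (6); a server that sends a Tunnel-Private-Group-ID with any other tunnel type leaves the client in ISP mode, which is the behaviour the text above describes and the reason a mis-typed Tunnel-Type shows up as "user authenticated but never moved". Both decoders reject attributes whose length field runs past the buffer rather than reading beyond it.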


Figure 20: RADIUS Attributes Used By Network Login

page 21

MAC-Based Authentication

Advantages

• Works with any operating system or network enabled device

• Works transparently, client does not know that it gets authenticated

• Ease of management

Disadvantages

• No re-authentication mechanism

• Security is based on MAC address, MAC address spoofing possible


Network Login RADIUS Extensions

Requires support for Extreme Networks vendor specific attributes

● Extreme Radius based on Merit AAA server implementation

● Alternate 3rd party Radius server such as Steel Belted Radius

Extreme Radius Implementation Configuration Example


Figure 21: Network Login RADIUS Extensions


Network Login Radius Extensions

# NETLOGIN CAMPUS USER
campus Password = "campus", Service-Type = login, Profile-Name = "PROFILE1"
        Filter-Id = "unlim"
        Extreme:Extreme-Netlogin-Only = Disabled
        Extreme:Extreme-CLI-Authorization = Enabled
        Extreme:Extreme-Netlogin-Vlan = "corp"
        Extreme:Extreme-Netlogin-Url = "http://www.yahoo.com"
        Extreme:Extreme-Netlogin-Url-Desc = "Yahoo Home"

# NETLOGIN ISP USER
isp Password = "isp", Service-Type = login, Profile-Name = "PROFILE1"
        Filter-Id = "unlim"
        Extreme:Extreme-Netlogin-Only = Enabled
        Extreme:Extreme-CLI-Authorization = Enabled
        # Extreme:Extreme-Netlogin-Url = "http://www.extremenetworks.com"
        # Extreme:Extreme-Netlogin-Url-Desc = "Extreme Networks Home"


Local Database Authentication

You can configure the switch to use its local database for web-based and MAC-based network login authentication. 802.1x network login does not support local database authentication. Local authentication essentially mimics the functionality of the remote RADIUS server locally. This method of authentication is useful in the following situations:

● If both the primary and secondary (if configured) RADIUS servers time out or are unable to respond to authentication requests.

● If no RADIUS servers are configured.

● If the RADIUS server used for network login authentication is disabled.

If any of the above conditions are met, the switch checks for a local user account and attempts to authenticate against that local account.

For local authentication to occur, you must configure the switch’s local database with a user name and password for network login. Beginning with ExtremeWare XOS 11.3 you can also specify the destination VLAN to enter upon a successful authentication.

NOTE

If you have a BlackDiamond 8800 family switch or a Summit X450 switch, you can also use local database authentication in conjunction with netlogin MAC-based VLANs.


Figure 22: Local Database Authentication


MAC-Based Authentication Commands

Associating a MAC Address to a specific port

configure netlogin add mac-list [<mac> {<mask>} | default] {encrypted} {<password>} {ports <port_list>}

Removing MAC Addresses

configure netlogin delete mac-list [<mac> {<mask>} | default]

Displaying the MAC Address List

show netlogin mac-list


Configuring Local Database Authentication

Creating a Local Netlogin User Name and Password Only

To create a local netlogin user name and password, type the following command and specify the <user-name> parameter:

create netlogin local-user <user-name> {encrypted <password>} {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]]}

User names are not case-sensitive; passwords are case-sensitive. User names must have a minimum of 1 character and a maximum of 32 characters. Passwords must have a minimum of 0 characters and a maximum of 32 characters. If you use RADIUS for authentication, Extreme Networks recommends that you use the same user name and password for both local authentication and RADIUS authentication.

If you attempt to create a user name with more than 32 characters, the switch displays the following messages:

%% Invalid name detected at '^' marker.
%% Name cannot exceed 32 characters.

If you attempt to create a password with more than 32 characters, the switch displays the following message after you re-enter the password:

Password cannot exceed 32 characters

The encrypted option is used by the switch to encrypt the password. Do not use this option through the command line interface (CLI). After you enter a local netlogin user name, press [Enter]. The switch prompts you twice to enter the password.


Figure 23: Creating a Local Netlogin User Name and Password


Specifying a Destination VLAN in a Local NetLogin Account

If you configure a local netlogin account with a destination VLAN, upon successful authentication, the client transitions to the permanent, destination VLAN. You can specify the destination VLAN when you initially create the local netlogin account or at a later time.

Adding VLANs when Creating a Local Netlogin Account

To specify the destination VLAN when creating the local netlogin account, type the following command and specify the vlan-vsa option with the associated parameters:

create netlogin local-user <user-name> {encrypted <password>} {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]]}

Where the following is true:

● tagged—Specifies that the client be added as tagged

● untagged—Specifies that the client be added as untagged

● vlan_name—Specifies the name of the destination VLAN

● vlan_tag—Specifies the VLAN ID, tag, of the destination VLAN

The following example:

● Creates a new local netlogin user name

● Creates a password associated with the local netlogin user name

● Adds the VLAN test1 as the destination VLAN

Adding VLANs at a Later Time

To specify the destination VLAN after you created the local netlogin account, type the following command:

configure netlogin local-user <user-name> {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]] | none]}

Where the following is true:

● tagged—Specifies that the client be added as tagged

● untagged—Specifies that the client be added as untagged

● vlan_name—Specifies the name of the destination VLAN

● vlan_tag—Specifies the VLAN ID, tag, of the destination VLAN

● none—Specifies that the VSA 211 wildcard (*) is applied, only if you do not specify tagged or untagged


Figure 24: Specifying a Destination VLAN in a Local Netlogin Account


Modifying an Existing Local Netlogin Account

After you create a local netlogin user name and password, you can update the following attributes of that account:

● Password of the local netlogin account

● Destination VLAN attributes including: adding clients tagged or untagged, the name of the VLAN, and the VLAN ID

Updating the Local Netlogin Password

To update the password of an existing local netlogin account, type the following command:

configure netlogin local-user <user_name>

Where user_name specifies the name of the existing local netlogin account. After you enter the local netlogin user name, press [Enter]. The switch prompts you to enter a password. At the prompt enter the new password and press [Enter]. The switch then prompts you to reenter the password. After you complete these steps, the password has been updated.

Updating VLAN Attributes

You can add a destination VLAN, change the destination VLAN, or remove the destination VLAN from an existing local netlogin account. To make any of these VLAN updates, type the following command:

configure netlogin local-user <user-name> {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]] | none]}

Displaying Local Netlogin Accounts

To display a list of local netlogin accounts on the switch, including VLAN information, type the following command:

show netlogin local-users

Deleting a Local Netlogin Account

To delete a local netlogin user name and password, type the following command:

delete netlogin local-user <user-name>


Figure 25: Displaying Local Netlogin Accounts


802.1x Authentication

802.1x authentication methods govern interactions between the supplicant (client) and the authentication server. The most commonly used methods are Transport Layer Security (TLS); Tunneled TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP.

TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can issue, renew, and revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by contrast with TLS, which requires client and server certificates. With TTLS, the client can use the MD5 mode of user name/password authentication.

If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server and 802.1x client on how to set up a PKI configuration.

Interoperability Requirements

For network login to operate, the user (supplicant) software and the authentication server must support common authentication methods. Not all combinations provide the appropriate functionality.

Supplicant Side

The supported 802.1x clients (supplicants) are Windows 2000 SP4 native client, Windows XP native clients, and Meetinghouse AEGIS.

A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer authentication requires a certificate installed in the computer certificate store, and user authentication requires a certificate installed in the individual user's certificate store.

By default, the Windows XP machine performs computer authentication as soon as the computer is powered on, or at link-up when no user is logged into the machine. User authentication is performed at link-up when the user is logged in.

Windows XP also supports guest authentication, but this is disabled by default. Refer to relevant Microsoft documentation for further information. The Windows XP machine can be configured to perform computer authentication at link-up even if user is logged in.

Authentication Server Side

The RADIUS server used for authentication must be EAP-capable. Consider the following when choosing a RADIUS server:

● Types of authentication methods supported on RADIUS, as mentioned previously.

● Need to support VSAs. Parameters such as Extreme-Netlogin-Vlan-Name (destination vlan for port movement after authentication) and Extreme-NetLogin-Only (authorization for network login only) are brought back as VSAs.

● Need to support both EAP and traditional user name-password authentication. These are used by network login and switch console login respectively.


Figure 26: 802.1x Authentication


Configuring Netlogin MAC-Based VLANs

Configuring the Port Mode

configure netlogin ports [all | <port_list>] mode [mac-based-vlans | port-based-vlans]


802.1x Network Login Configuration Example

In the following sample configuration, any lines marked (Default) represent default settings and do not need to be explicitly configured.

The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:

# RADIUS Server Setting, in this example the user name is eaptest
eaptest Auth-Type := EAP, User-Password == "eaptest"
        Session-Timeout = 120,
        Termination-Action = 1


Figure 27: 802.1x Network Login Configuration Example


Configuring Guest VLANs

802.1x authentication supports the concept of guest VLANs. A guest VLAN provides limited or restricted network access if a supplicant does not respond to the 802.1x authentication requests sent by the switch. You configure a guest VLAN only on netlogin ports with 802.1x enabled; movement to a guest VLAN is not supported on netlogin ports with MAC-based or web-based authentication. 802.1x must be the only authentication method enabled on the port for movement to guest VLAN. A port always moves untagged into the guest VLAN.

With a guest VLAN configured, if a supplicant does not have 802.1x enabled and does not respond to 802.1x authentication requests sent by the switch, the supplicant moves to a guest VLAN. Upon entering the guest VLAN, the supplicant gains limited network access. You configure the amount of network access granted to clients in the guest VLAN. If a supplicant responds to 802.1x authentication requests, the supplicant gains network accesses based on its credentials.

NOTE

The supplicant does not move to a guest VLAN if it fails authentication after an 802.1x exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1x authentication request.

Guest VLAN scenario

Suppose you have a meeting that includes company employees and visitors from outside the company. In this scenario, your employees have 802.1x enabled supplicants (clients) but your visitors do not. By configuring a guest VLAN, when your employees log into the network, they are granted network access (based on their user credentials and 802.1x enabled clients). However, when the visitors attempt to log into the network, they are granted limited network access because they do not have 802.1x enabled clients. The visitors might be able to reach the Internet, but they are unable to access your network.

By default, the switch uses the supplicant response timer and attempts to authenticate the supplicant every 30 seconds for a maximum of three tries. If the supplicant does not respond to the authentication requests, the supplicant moves to the guest VLAN. The number of authentication attempts is not a user-configured parameter.

The port moves out of the guest VLAN if, during subsequent authentications, the port is successfully authenticated and the RADIUS server indicates a different VLAN to move to.


Figure 28: 802.1x Guest VLANs


Netlogin MAC-Based VLAN Example


Configuring a Guest VLAN

Enabling a Guest VLAN

To enable the guest VLAN, type the following command:

enable netlogin dot1x guest-vlan ports [all | <ports>]

Modifying the Supplicant Response Timer

To modify the supplicant response timer, type the following command and specify the supp-resp-timeout parameter:

configure netlogin dot1x timers [{server-timeout <server_timeout>} {quiet-period <quiet_period>} {reauth-period <reauth_period>} {supp-resp-timeout <supp_resp_timeout>}]

The default supplicant response timeout is 30 seconds. The number of authentication attempts is not a user-configured parameter.

Disabling a Guest VLAN

To disable the guest VLAN, type the following command:

disable netlogin dot1x guest-vlan ports [all | <portlist>]

Post-authentication VLAN Movement

Once the client has been successfully authenticated and the port has been moved to a VLAN, the client can move to a VLAN other than the one it was authenticated on. This occurs when the RADIUS server sends a message to the client telling it of the new VLAN during 802.1x re-authentication. The client remains authenticated during this transition. This occurs on both untagged and tagged VLANs.

For example, suppose a client submits the required credentials for network access; however, the client is not running the current, approved anti-virus software or the client has not installed the appropriate software updates. If this occurs, the client is authenticated but has limited network access until the problem is resolved. After you update the client’s anti-virus software, or install the software updates, the RADIUS server re-authenticates the client by sending ACCESS-ACCEPT messages with the accompanying VLAN attributes, thereby allowing the client to enter its permanent VLAN with full network access. This is normal and expected behavior; no configuration is necessary.


Figure 29: Configuring a Guest VLAN


Web-Based Authentication

For web-based authentication, you need to configure the switch DNS name, default redirect page, session refresh, and logout privilege. URL redirection requires the switch to be assigned a DNS name. The default name is network-access.net. Any DNS query that reaches the switch in unauthenticated mode to resolve the switch DNS name is answered by the DNS server on the switch with the IP address of the interface to which the network login port is connected.

HTTPS Support

To support https in a URL redirect, you must first download and install the separate Extreme Networks SSH software module (ssh.xmod). This additional module allows you to configure both SSH2 and SSL on the switch.


Figure 30: Web-Based Authentication


802.1x Authentication

Authentication method between supplicant and authentication server

Common methods include:

• Transport Layer Security (TLS)

• Tunneled Transport Layer Security (TTLS)

• Protected Extensible Authentication Protocol (PEAP)


Configuring Web-Based Authentication

Configuring the Base URL

To configure the network login base URL, type the following command:

configure netlogin base-url <url>

Where <url> is the DNS name of the switch. For example, configure netlogin base-url network-access.net makes the switch send DNS responses back to the netlogin clients when a DNS query is made for network-access.net.

Configuring the Redirect Page

To configure the network login redirect page, type the following command:

configure netlogin redirect-page <url>

Where <url> defines the redirection information for the users once logged in. You must configure a complete URL starting with http:// or https://

By default, the redirect URL value is “http://www.extremenetworks.com”.

This redirection information is used only when the redirection information is missing from the RADIUS server. For example, configure netlogin redirect-page http://www.extremenetworks.com redirects all users to this URL after they log in.

Configuring Session Refresh

To enable or disable the network login session refresh, use one of the following commands:

enable netlogin session-refresh {<minutes>}
disable netlogin session-refresh

Where <minutes> ranges from 1 - 255. The default setting is 3 minutes. The command enable netlogin session-refresh makes the logout window refresh itself at every configured time interval. Session-refresh is disabled by default. When you configure the network login session refresh for the logout window, ensure that the FDB aging timer is greater than the network login session refresh timer.

Configuring Logout Privilege

To enable or disable network login logout privilege, use one of the following commands:

enable netlogin logout-privilege
disable netlogin logout-privilege

These commands enable or disable the privilege for netlogin users to log out by popping up (or not popping up) the logout window. Logout-privilege is enabled by default.


Figure 31: Web-Based Authentication Commands


802.1x Network Login Configuration Example


Web-Based Network Login Configuration Example

The following configuration example shows both the Extreme Networks switch configuration and the Radius server entries needed to support the example. VLAN corp is assumed to be a corporate subnet which has connections to DNS, WINS servers, network routers, and so on. VLAN temp is a temporary VLAN and is created to provide connections to unauthenticated network login clients. Unauthenticated ports belong to the VLAN temp. This kind of configuration provides better security as unauthenticated clients do not connect to the corporate subnet and will not be able to send or receive any data. They have to get authenticated in order to have access to the network.

● ISP Mode—Network login clients connected to ports 1:10 - 1:14, VLAN corp, will be logged into the network in ISP mode. This is determined by the fact that the VLAN in which they reside in unauthenticated mode and the VLAN carried in the RADIUS server Vendor Specific Attribute (VSA) Extreme-Netlogin-Vlan are the same, corp, so there is no port movement. If this VSA is missing from the RADIUS server, ISP mode is also assumed.

● Campus Mode—On the other hand, clients connected to ports 4:1 - 4:4, VLAN temp, will be logged into the network in Campus mode since the port will move to the VLAN corp after getting authenticated. A port moves back and forth from one VLAN to the other as its authentication state changes.

Neither ISP nor Campus mode is tied to ports; both are tied to a user profile. In other words, if the VSA Extreme:Extreme-Netlogin-Vlan represents a VLAN different from the one in which the user currently resides, VLAN movement occurs after login and after logout. In the following example, it is assumed that campus users are connected to ports 4:1-4:4, while ISP users are logged in through ports 1:10-1:14.

The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:

# RADIUS Server Setting (VSAs) (optional)
Extreme:Extreme-Netlogin-Only = Enabled          (if no CLI authorization)
Extreme:Extreme-Netlogin-Vlan = "corp"           (destination vlan for CAMPUS mode network login)


Figure 32: Web-Based Network Login Configuration Example


Web-Based Authentication User Login

1 Set up the Windows IP configuration for DHCP.

2 Plug into the port that has web-based network login enabled.

3 Log in to Windows.

4 Release any old IP settings and renew the DHCP lease.

● The explicit release/renew is required to bring the network login client machine into the same subnet as the connected VLAN. When using web-based authentication, this requirement is mandatory after every logout and before logging in again, as the port moves back and forth between the temporary and permanent VLANs.

At this point, the client will have its temporary IP address. In this example, the client should have obtained an IP address in the range 198.162.32.20 - 198.162.32.80.

5 Bring up the browser and enter any URL, such as http://www.123.net or http://1.2.3.4, or the switch IP address as http://<IP address>/login (where the IP address can be that of either the temporary or the permanent VLAN interface in Campus mode). URL redirection redirects any URL and IP address to the network login page. This is significant where security matters most, as network login users need no knowledge of the VLAN interfaces; they can log in using any URL or IP address. URL redirection requires that the switch is configured with a DNS client.

A page opens with a link for Network Login.

6 Click the Network Login link.

A dialog box opens requesting a user name and password.

7 Enter the user name and password configured on the RADIUS server.

After the user has successfully logged in, the user will be redirected to the URL configured on the RADIUS server.

During the user login process, the following takes place:

● Authentication is done through the RADIUS server.

● After successful authentication, the connection information configured on the RADIUS server is returned to the switch:

■ The permanent VLAN

■ The URL to be redirected to (optional)

■ The URL description (optional)

● The port is moved to the permanent VLAN.

After a successful login has been achieved, there are several ways that a port can return to a non-authenticated, non-forwarding state:

● The user successfully logs out using the logout web browser window.

● The link from the user to the switch’s port is lost.

● There is no activity on the port for 20 minutes.

● An administrator changes the port state.

NOTE

Because network login is sensitive to state changes during the authentication process, Extreme Networks recommends that you do not log out until the login process is complete. The login process is complete when you receive a permanent address.
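The port behaviour described in this module, as an added example in Python (not Extreme Networks code): one small state machine that models the guest VLAN rules (no supplicant response for three requests moves the port untagged into the guest VLAN, a failed exchange does not), Campus mode and post-authentication VLAN movement on a successful (re-)authentication, and the ways an authenticated port returns to the non-authenticated state listed above. The class, method names and event log are assumptions made for the illustration; the 30 second timeout, three attempts and 20 minute idle limit are the values the guide states.

```python
"""Netlogin port state as described in the guide: guest VLAN after unanswered
802.1x requests, no guest VLAN after a failed exchange, VLAN movement on
successful (re-)authentication, and return to the unauthenticated state on
logout, link loss, inactivity or administrator action.
Added example; class and method names are assumptions, not Extreme code."""

from typing import List, Optional

SUPP_RESP_TIMEOUT_S = 30        # default supplicant response timeout (guide)
GUEST_VLAN_MAX_ATTEMPTS = 3     # fixed number of tries before guest VLAN (guide)
WEB_IDLE_TIMEOUT_S = 20 * 60    # web-based: no activity on the port for 20 minutes


class NetloginPort:
    def __init__(self, temp_vlan: str, guest_vlan: Optional[str] = None) -> None:
        self.temp_vlan = temp_vlan        # VLAN of the port while unauthenticated
        self.guest_vlan = guest_vlan      # configured only on 802.1x-only ports
        self.vlan = temp_vlan
        self.authenticated = False
        self.unanswered_requests = 0
        self.idle_s = 0
        self.events: List[str] = []

    # --- 802.1x request/response handling --------------------------------
    def request_unanswered(self) -> None:
        """The switch sent an 802.1x request and got no reply within
        SUPP_RESP_TIMEOUT_S (the caller models the timer)."""
        if self.authenticated:
            return
        self.unanswered_requests += 1
        if self.guest_vlan and self.unanswered_requests >= GUEST_VLAN_MAX_ATTEMPTS:
            # No supplicant at all: limited access, still unauthenticated,
            # always untagged in the guest VLAN.
            self.vlan = self.guest_vlan
            self.events.append("moved to guest VLAN")

    def auth_result(self, accepted: bool, dest_vlan: Optional[str] = None) -> None:
        """Outcome of an authentication or 802.1x re-authentication exchange.
        dest_vlan is the VLAN the RADIUS reply carried; None means ISP mode."""
        self.unanswered_requests = 0
        if not accepted:
            # A supplicant that answered but failed never gets the guest VLAN;
            # the port simply stays where it is.
            self.events.append("authentication failed")
            return
        self.authenticated = True
        self.idle_s = 0
        if dest_vlan is not None and dest_vlan != self.vlan:
            # Campus mode on first login, or post-authentication movement on
            # re-authentication; the client stays authenticated throughout.
            self.events.append(f"moved {self.vlan} -> {dest_vlan}")
            self.vlan = dest_vlan

    # --- return to the unauthenticated, non-forwarding state --------------
    def deauthenticate(self, reason: str) -> None:
        """Logout window, link loss, idle timeout or administrator action."""
        self.authenticated = False
        self.unanswered_requests = 0
        self.idle_s = 0
        self.vlan = self.temp_vlan
        self.events.append(f"deauthenticated: {reason}")

    def activity(self) -> None:
        """Traffic seen on the port resets the inactivity clock."""
        self.idle_s = 0

    def tick(self, seconds: int) -> None:
        """Advance the clock; an authenticated web-based port idles out."""
        if not self.authenticated:
            return
        self.idle_s += seconds
        if self.idle_s >= WEB_IDLE_TIMEOUT_S:
            self.deauthenticate("no activity for 20 minutes")
```

The model makes the difference between the two 802.1x failure cases explicit: only silence (request_unanswered three times) leads to the guest VLAN, while a rejected exchange (auth_result(False)) leaves the port in its unauthenticated VLAN, which is the behaviour the note above this scenario calls out.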


Figure 33: Web-Based Authentication User Login


Configuring a Guest VLAN


MAC-Based Authentication

MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such a security measure, for example an IP phone.

If a MAC address is detected on a MAC-Based enabled netlogin port, an authentication request will be sent once to the AAA application. AAA tries to authenticate the MAC address against the configured radius server and its configured parameters (timeout, retries, and so on) or the local database.

The credentials used for this are the supplicant's MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is used as the password. You can also group MAC addresses together using a mask.

You can configure a MAC list or a table of MAC entries to filter and authenticate clients based on their MAC addresses. If a match is found in the table of MAC entries, authentication occurs. If no match is found in the table of MAC entries and a default entry exists, the default is used to authenticate the client. All entries in the list are automatically sorted in longest prefix order. All passwords are stored and displayed encrypted.

Beginning with ExtremeWare XOS 11.3, you can associate a MAC address with one or more ports. By learning a MAC address, the port confirms the supplicant before sending an authorization request to the RADIUS server. This additional step protects your network against unauthorized supplicants because the port accepts only authorization requests from the MAC address learned on that port. The port blocks all other requests that do not have a matching entry.


Figure 34: MAC-Based Authentication


Authenticating Users

RADIUS Servers

• Web-based

• MAC-based

• 802.1x

Local database

• Web-based

• MAC-based


Configuring MAC-Based Authentication

Associating a MAC Address to a Specific Port

You can configure the switch to accept and authenticate a client with a specific MAC address. Only MAC addresses that have a match for the specific ports are sent for authentication. For example, if you associate a MAC address with one or more ports, only authentication requests for that MAC address received on the port(s) are sent to the configured RADIUS server or local database. The port(s) block all other authentication requests that do not have a matching entry. This is also known as secure MAC.

To associate a MAC address with one or more ports, specify the ports option when using the following command:

configure netlogin add mac-list [<mac> {<mask>} | default] {encrypted} {<password>} {ports <port_list>}

You must enable MAC-based netlogin on the switch and the specified ports. If MAC-based netlogin is not enabled on the specified port(s), the switch displays a warning message similar to the following:

WARNING: Not all specified ports have MAC-Based NetLogin enabled.

Adding and Deleting MAC Addresses

To add a MAC address to the table, type the following command:

configure netlogin add mac-list [<mac> {<mask>} | default] {encrypted} {<password>} {ports <port_list>}

To remove a MAC address from the table, type the following command:

configure netlogin delete mac-list [<mac> {<mask>} | default]

Displaying the MAC Address List

To display the MAC address table, type the following command:

show netlogin mac-list

When a client needs authentication the best match will be used to authenticate to the server. MAC-based authentication is VR aware, so there is one MAC list per VR.

Assume we have a supplicant with MAC address 00:04:96:05:40:00 and the switch displays the sample table. The user name used to authenticate against the Radius server would be “000496000000”, as this is the supplicant's MAC address with the configured mask applied.
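The lookup described here and under "Associating a MAC Address to a Specific Port", as an added example in Python (not Extreme Networks code): longest-prefix matching with a mask, the per-port restriction of secure MAC, the default entry, and the user name and password the switch derives for the RADIUS request, so that 00:04:96:05:40:00 yields the user name 000496000000 when a 24-bit mask is configured. The sample list, its ff:ff:ff:00:00:00 mask, the port assignments and the password are constructed for this illustration; the guide's own sample table is in the figure and is not reproduced.

```python
"""MAC-list lookup for MAC-based network login: longest-prefix (mask) match,
the per-port restriction of secure MAC, the 'default' entry, and the user
name / password presented to RADIUS or the local database.
Added example, not Extreme Networks code; the sample list below is constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """'00:04:96:05:40:00' -> 0x000496054000 ('-' separators also accepted)."""
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass(frozen=True)
class MacListEntry:
    mac: Optional[str]                        # None represents the 'default' entry
    mask: str = "ff:ff:ff:ff:ff:ff"           # prefix mask; full mask = exact match
    password: Optional[str] = None            # None: the MAC address itself is used
    ports: Optional[Tuple[str, ...]] = None   # None: entry applies on any port

    def prefix_len(self) -> int:
        return bin(mac_to_int(self.mask)).count("1")

    def matches(self, mac: str, port: str) -> bool:
        # Secure MAC: an entry bound to ports matches only requests on those ports.
        if self.ports is not None and port not in self.ports:
            return False
        if self.mac is None:
            return True                       # default entry matches any address
        mask = mac_to_int(self.mask)
        return (mac_to_int(mac) & mask) == (mac_to_int(self.mac) & mask)


def best_match(mac_list: List[MacListEntry], mac: str, port: str) -> Optional[MacListEntry]:
    """Entry the switch would use: longest prefix first, the default entry
    last, None when nothing matches (the request is not sent on)."""
    specific = sorted((e for e in mac_list if e.mac is not None),
                      key=MacListEntry.prefix_len, reverse=True)
    for entry in specific:
        if entry.matches(mac, port):
            return entry
    for entry in mac_list:
        if entry.mac is None and entry.matches(mac, port):
            return entry
    return None


def radius_credentials(entry: MacListEntry, mac: str) -> Tuple[str, str]:
    """User name is the masked MAC as 12 upper-case hex digits without
    separators; the password is the configured one, or that same string."""
    value = mac_to_int(mac)
    if entry.mac is not None:
        value &= mac_to_int(entry.mask)
    username = f"{value:012X}"
    return username, entry.password if entry.password is not None else username


def lookup(mac_list: List[MacListEntry], mac: str, port: str) -> Optional[Tuple[str, str]]:
    """Credentials the switch would present for a client seen on a port,
    or None if the port blocks the request."""
    entry = best_match(mac_list, mac, port)
    return None if entry is None else radius_credentials(entry, mac)


# Constructed sample list (assumption; not the table from the guide's figure).
SAMPLE_MAC_LIST = [
    MacListEntry("00:04:96:00:00:00", "ff:ff:ff:00:00:00"),       # vendor prefix, no password
    MacListEntry("00:00:00:00:00:10", password="phone-pass",
                 ports=("1:1", "1:2", "1:3", "1:4", "1:5")),       # secure MAC entry
]
```

Because the 48-bit entry sorts ahead of the 24-bit prefix entry, a client that matches both is authenticated with the more specific entry's password, and a client whose only matching entry is bound to other ports is blocked rather than falling through to the prefix entry.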


Figure 35: MAC-Based Authentication Commands


Supported VSA Types (partial list)

VSA                               Vendor Type  Type
Extreme: Netlogin-Extended-VLAN   211          String
Extreme: Netlogin-VLAN-Name       203          String
Extreme: Netlogin-VLAN-ID         209          Integer
Extreme: Netlogin-URL             204          String
Extreme: Netlogin-URL-Desc        205          String
Extreme: Netlogin-Only            206          Integer


Secure MAC Configuration Example

The following configuration example shows how to configure secure MAC on your Extreme Networks switch. To configure secure MAC, do the following:

● Create a VLAN used for netlogin

● Configure the VLAN for netlogin

● Enable MAC-based netlogin on the switch

● Enable MAC-based netlogin on the ports used for authentication

● Specify one or more ports to accept authentication requests from a specific MAC address

In the following example, authentication requests from MAC address:

● 00:00:00:00:00:10 are only accepted on ports 1:1 through 1:5

● 00:00:00:00:00:11 are only accepted on ports 1:6 through 1:10

● 00:00:00:00:00:12 are accepted on all other ports


Figure 36: Secure MAC Configuration Example


MAC-Based Network Login Configuration Example

The following configuration example shows the Extreme Networks switch configuration needed to support the MAC-based network login example.

The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:

# RADIUS Server Setting
00E018A8C540 Auth-Type := Local, User-Password == "00E018A8C540"
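The mask application described for the supplicant 00:04:96:05:40:00 earlier on this page and the FreeRADIUS users entry above can be exercised together. The following Python is an added example, not code from the student guide or from FreeRADIUS; it assumes that the user name is the masked MAC as twelve upper-case hex digits without separators (as in the entry above), that the mask ff:ff:ff:00:00:00 is what produces the page's “000496000000”, and that the constructed SAMPLE_USERS text and the function names are illustration only. audit_users_file flags entries whose password is not the user name, which a supplicant whose only credential is its MAC address could never present.

```python
import re
from typing import List, Tuple

# One FreeRADIUS 'users' line in the shape the page shows:
#   <12 hex digits> Auth-Type := Local, User-Password == "<password>"
_USERS_ENTRY_RE = re.compile(
    r'^(?P<user>[0-9A-Fa-f]{12})\s+Auth-Type\s*:=\s*Local\s*,\s*'
    r'User-Password\s*==\s*"(?P<password>[^"]*)"\s*$')


def normalize_mac(mac: str) -> bytes:
    """Accept '00:04:96:05:40:00', '00-04-96-05-40-00' or '000496054000'; return 6 bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes.fromhex(digits)


def netlogin_username(mac: str, mask: str = "ff:ff:ff:ff:ff:ff") -> str:
    """Apply the configured mask to the supplicant MAC and return the RADIUS user name.

    Assumption: the name is the masked MAC as 12 hex digits without separators,
    in upper case as in the FreeRADIUS entry on the page.
    """
    masked = bytes(m & k for m, k in zip(normalize_mac(mac), normalize_mac(mask)))
    return masked.hex().upper()


def users_entry(mac: str, mask: str = "ff:ff:ff:ff:ff:ff") -> str:
    """Build the users line in the page's form: user name and password are both the masked MAC."""
    name = netlogin_username(mac, mask)
    return f'{name} Auth-Type := Local, User-Password == "{name}"'


def audit_users_file(text: str) -> List[Tuple[str, bool]]:
    """For every MAC-style entry return (user, password_equals_user).

    Comments, blank lines and entries that do not look like a MAC account are skipped.
    """
    results: List[Tuple[str, bool]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _USERS_ENTRY_RE.match(line)
        if m:
            results.append((m["user"], m["password"] == m["user"]))
    return results


# Constructed sample users file; only the first entry comes from the page.
SAMPLE_USERS = """\
# RADIUS Server Setting
00E018A8C540 Auth-Type := Local, User-Password == "00E018A8C540"
000496000000 Auth-Type := Local, User-Password == "000496000000"
00AABBCCDDEE Auth-Type := Local, User-Password == "not-the-mac"
"""

if __name__ == "__main__":
    print(netlogin_username("00:04:96:05:40:00", "ff:ff:ff:00:00:00"))
    print(users_entry("00:E0:18:A8:C5:40"))
    for user, ok in audit_users_file(SAMPLE_USERS):
        print(user, "ok" if ok else "password does not match user name")
```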


MAC-Based Network Login Configuration Example

Figure 37: MAC-Based Network Login Configuration Example


Netlogin MAC-Based VLANs

Currently, network login allows only a single, untagged VLAN to exist on a port. This limits the flexibility for untagged supplicants because they must be in the same VLAN.

Beginning with ExtremeWare XOS 11.3, the BlackDiamond 8800 family of switches and the Summit X450 switch support netlogin MAC-based VLANs. Netlogin MAC-based VLANs allow a port assigned to a VLAN to operate in a MAC-based fashion. This means that each individual untagged supplicant, identified by its MAC address, can be in different VLANs.

Netlogin MAC-based VLAN utilizes VSA information from both the netlogin local database and the RADIUS server. After successfully performing the Campus mode of operation, the supplicant is added untagged to the destination VLAN.

To support this feature, you must configure the netlogin port’s mode of operation.

Netlogin MAC-Based VLANs Rules and Restrictions

● You must configure and enable netlogin on the switch before you configure netlogin MAC-based VLANs.

If you attempt to configure the port’s mode of operation before enabling netlogin, the switch displays an error message similar to the following:

ERROR: The following ports do not have NetLogin enabled; 1

● 10 Gigabit Ethernet ports such as those on the 10G4X I/O module and the uplink ports on the Summit X450 switch do not support netlogin MAC-based VLANs.

If you attempt to configure netlogin MAC-based VLANs on 10 Gigabit Ethernet ports, the switch displays an error message similar to the following:

ERROR: The following ports do not support the MAC-Based VLAN mode; 1, 2, 10

● You can have a maximum of 1,024 MAC addresses per I/O module or per Summit X450 switch.


Netlogin MAC-Based VLANs

Figure 38: Netlogin MAC-Based VLANs


Local Database Authentication

Supported by web-based and MAC-based authentication.

Occurs when:

• Both primary and secondary RADIUS servers time out or do not respond to authentication requests

• No RADIUS servers are configured

• The RADIUS server used for network login authentication is disabled


Configuring Netlogin MAC-Based VLANs

Configuring the Port Mode

To support netlogin MAC-based VLANs on a netlogin port, you must configure that port’s mode of operation. To specify MAC-based operation, type the following command and specify mac-based-vlans:

configure netlogin ports [all | <port_list>] mode [mac-based-vlans | port-based-vlans]

By default, the netlogin port’s mode of operation is port-based-vlans. If you modify the mode of operation to mac-based-vlans and later disable all netlogin protocols on that port, the mode of operation automatically returns to port-based-vlans.

When you change the netlogin port’s mode of operation, the switch deletes all currently known supplicants from the port and restores all VLANs associated with that port to their original state. In addition, by selecting mac-based-vlans, you are unable to manually add or delete untagged VLANs from this port. Netlogin now controls these VLANs.

With netlogin MAC-based operation, every authenticated client has an additional FDB flag that indicates a translation MAC address. If the supplicant’s requested VLAN does not exist on the port, the switch adds the requested VLAN.


Configuring Netlogin MAC-Based VLANs

Figure 39: Configuring Netlogin MAC-Based VLANs

Creating a Local Netlogin Username and Password


Displaying Netlogin MAC-Based VLAN Information

The following commands display important information for netlogin MAC-based VLANs.

FDB Information

To view FDB entries, type the following command:

show fdb netlogin [all | mac-based-vlans]

By specifying netlogin, you see only FDB entries related to netlogin or netlogin MAC-based VLANs. The flags associated with netlogin include:

● v—Indicates the FDB entry was added because the port is part of a MAC-Based virtual port/VLAN combination.

● n—Indicates the FDB entry was added by network login.

VLAN and Port Information

To view the VLANs that netlogin adds temporarily in MAC-based mode, type the following command:

show ports <port_list> information detail

By specifying information and detail, the output displays the temporarily added VLANs in netlogin MAC-based mode. To confirm this, review the following output of this command:

● VLAN cfg—The term MAC-based appears next to the tag number.

● Netlogin port mode—This output was added to display the port’s mode of operation. Mac based appears as the network login port mode of operation.

To view information about the ports that are temporarily added in MAC-based mode for netlogin, due to discovered MAC addresses, type the following command:

show vlan detail

By specifying detail, the output displays detailed information including the ports associated with the VLAN. The flags associated with netlogin include:

● a—Indicates an authenticated network login port.

● u—Indicates an unauthenticated network login port.

● m—Indicates that the netlogin port operates in MAC-based mode.


Displaying Netlogin MAC-Based VLAN Information

Figure 40: Displaying Netlogin MAC-Based VLAN Information


Specifying a Destination VLAN in a Local Netlogin Account


Netlogin MAC-Based VLAN Example

The following example configures the netlogin MAC-based VLAN feature:

Expanding upon the previous example, you can also utilize the local database for authentication rather than the RADIUS server:

create netlogin local-user 000000000012 vlan-vsa untagged default
create netlogin local-user 000000000010 vlan-vsa untagged users12


Netlogin MAC-Based VLAN Example

Figure 41: Netlogin MAC-Based VLAN Example


Disconnecting Network Login Sessions

Automatic Netlogin logouts occur when:

● User initiates log-out by using the Logout Pop-Up window

● User inactivity for the configured session refresh-interval, if session-refresh is enabled

● Physical link state change on the user’s port

CLI Network Login Logouts

Terminating a Netlogin Session

To terminate a netlogin session from the switch, enter the following command:

clear session <number>

An administrator-level account can disconnect a management session that has been established. To view active sessions on the switch, enter the following command:

show session

The show session command lists the following parameters:

● The login date and time

● The user name

● The type of session

Terminating a Netlogin Session Using a Specific Port and VLAN

To terminate a netlogin session on a specific port and VLAN, enter the following command:

clear netlogin port <number> vlan <name>

Globally Disabling Netlogin

To disable the netlogin feature on the switch, enter the following command:

disable netlogin

New users are prevented from authenticating while netlogin is disabled. Users with authenticated sessions are not disconnected when netlogin is disabled, but they are prevented from logging in again if they log out. The default value is ‘enabled’.


Disconnecting Network Login Sessions

Figure 42: Disconnecting Netlogin Sessions


Disconnecting Network Login Sessions

• User logouts

• User inactivity

• Physical link state change on user’s port

CLI:

• clear session <session #>

• clear netlogin state ports <#> vlan <name>

• disable netlogin


Verifying Network Login

General Network Login Information

To display netlogin information, enter the following command:

show netlogin

Parameters displayed include:

● Whether netlogin is enabled or disabled.

● Base-URL

● Default redirect page

● Logout privileges setting

● Netlogin session-refresh setting and time

Network Login Information for a Specific Port in a VLAN

To display netlogin information for a specific port in a VLAN, enter the following command:

show netlogin ports <portlist> vlan <vlan_name>

Parameters displayed include:

● Port and VLAN for which the information is displayed

● Port state: Authenticated or Not Authenticated

● Temporary IP assigned, if known

● DHCP state: Enabled or Disabled

● User name, if known

● MAC address of the attached client, if known

Network Login Activity

To view netlogin activity on the switch, enter the following command:

show log


Verifying Network Login

Figure 43: show netlogin

Figure 44: show log


Network Login Verification

show log

05/03/2001 16:33.39 <WARN:SYST> bootprelay.c 184: bootprelay_input: Sending DHCP NAK to 00:10:a4:a9:11:3b(corp)

05/03/2001 16:33.39 <WARN:SYST> netlogin.c 792: netloginChangePortVlanAndState: Unblocking vlan corp port 9

05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Released IP 10.201.26.150

05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Vlan

05/03/2001 16:33.33 <INFO:USER> admin logged in through netlogin(00:10:a4:a9:11:3b tempip 10.201.26.150)
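The five log lines above can be parsed and correlated into one record per client, which is what an operator reviewing netlogin activity actually wants: who authenticated, from which MAC, with which temporary IP, and whether that temporary lease was NAKed and released afterwards. The following Python is an added example, not code from the student guide or from ExtremeWare; the header layout it assumes (date, time, <LEVEL:SUBSYSTEM>, message) and the event patterns are taken from these five lines only, the SAMPLE_LOG constant is a constructed copy of them, and the function names are illustration only.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the five 'show log' lines shown above, newest first as printed.
SAMPLE_LOG = """\
05/03/2001 16:33.39 <WARN:SYST> bootprelay.c 184: bootprelay_input: Sending DHCP NAK to 00:10:a4:a9:11:3b(corp)
05/03/2001 16:33.39 <WARN:SYST> netlogin.c 792: netloginChangePortVlanAndState: Unblocking vlan corp port 9
05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Released IP 10.201.26.150
05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Vlan
05/03/2001 16:33.33 <INFO:USER> admin logged in through netlogin(00:10:a4:a9:11:3b tempip 10.201.26.150)
"""

# Header layout assumed from the lines above: date, time, <LEVEL:SUBSYSTEM>, free text.
_HEADER_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}\.\d{2}) "
    r"<(?P<level>[A-Z]+):(?P<subsys>[A-Z]+)> (?P<msg>.*)$")
_MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
_EVENT_RES = {
    "login": re.compile(r"^(?P<user>\S+) logged in through netlogin\(" + _MAC
                        + r" tempip (?P<ip>[\d.]+)\)"),
    "dhcp_nak": re.compile(r"Sending DHCP NAK to " + _MAC + r"\((?P<vlan>[^)]*)\)"),
    "unblock": re.compile(r"Unblocking vlan (?P<vlan>\S+) port (?P<port>\d+)"),
    "release_ip": re.compile(r"Released IP (?P<ip>[\d.]+)"),
}


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into its fields and classify the netlogin event it reports."""
    m = _HEADER_RE.match(line.rstrip())
    if not m:
        return None                     # not a log line (prompt, blank line, ...)
    event = {
        "ts": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M.%S"),
        "level": m["level"], "subsys": m["subsys"], "msg": m["msg"], "kind": "other",
    }
    for kind, pattern in _EVENT_RES.items():
        hit = pattern.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())
            break
    return event


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def netlogin_sessions(events: List[Dict]) -> Dict[str, Dict]:
    """Correlate events per client MAC, oldest first: who logged in, from which temporary
    IP, and whether that temporary lease was NAKed and released afterwards (the sequence
    expected when a campus-mode login moves the client to its destination VLAN)."""
    sessions: Dict[str, Dict] = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):   # stable: same-second order kept
        if e["kind"] == "login":
            sessions[e["mac"]] = {"user": e["user"], "tempip": e["ip"], "login_at": e["ts"],
                                  "nak_vlan": None, "ip_released": False}
        elif e["kind"] == "dhcp_nak" and e["mac"] in sessions:
            sessions[e["mac"]]["nak_vlan"] = e["vlan"]
        elif e["kind"] == "release_ip":
            for s in sessions.values():
                if s["tempip"] == e["ip"]:
                    s["ip_released"] = True
    return sessions


if __name__ == "__main__":
    for mac, s in netlogin_sessions(parse_log(SAMPLE_LOG)).items():
        print(mac, s)
```

Note that the switch prints newest entries first, so the INFO login at 16:33.33 is the earliest event even though it is the last line; the correlation sorts by timestamp before it walks the events. The truncated "Vlan" line is classified as "other" rather than dropped, so nothing is silently lost.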


Summary

You should now be able to:

● Describe Network Login

● List three Network Login authentication types

● Identify the advantages and disadvantages of Web-Based Authentication

● Identify the advantages and disadvantages of MAC-Based Authentication

● Identify the advantages and disadvantages of 802.1x

● Describe the DHCP server authentication role

● Configure DHCP server

● Describe the Network Login sequence

● Describe Campus Mode

● Describe ISP Mode

● Describe multiple supplicant support

● Identify Network Login design considerations

● List methods of authenticating network login users

● Identify RADIUS attributes used by Network Login

● Configure Network Login with local database authentication

● Configure Network Login with 802.1x authentication

● Configure Network Login with Web-Based authentication

● Terminate a Network Login session

● Display Network Login information


Summary

Figure 45: Summary

Figure 46: Summary (cont)



Module 8 Policy-Based QoS


Student Objectives

Upon completion of this module, the successful student is able to:

● Define QoS

● Identify two major benefits of QoS

● Identify five major traffic types

● Describe policy-based QoS

● Sequence the three steps required to assign QoS attributes

● Define QoS profile

● Describe QoS profile parameters

● Configure QoS profile

● Identify differences between configuring QoS on the BlackDiamond 8800 Family of Switches and Summit X450 and configuring QoS on a BlackDiamond 10K

● Define traffic grouping

● Sequence traffic groupings in order of precedence (highest to lowest)

● Describe IP-based traffic grouping

● Describe destination MAC address traffic grouping

● Configure destination MAC address traffic grouping

● Describe Explicit Class of Service traffic grouping

● Configure Explicit Class of Service traffic grouping

● Describe physical and logical groupings

● Describe QoS policy

● Verify QoS traffic grouping priority settings

● Reset priority setting to default values

● Monitor QoS

● Modify a QoS policy

● Configure Egress Traffic Rate Limiting on the Black Diamond 8800 family of switches and Summit X450

● Configure Bi-Directional Rate Shaping on the BlackDiamond 10K switch


Student Objectives

Figure 1: Student Objectives

Figure 2: Student Objectives (cont)

Figure 3:



What is Quality of Service?

QoS is a set of protocols and mechanisms that facilitate the delivery of delay and bandwidth sensitive material across data networks. To enable QoS requires the cooperation of all network layers from top to bottom, as well as every network element from end to end. Any QoS assurances are only as good as the weakest link in the “chain” between sender and receiver.

QoS does not create bandwidth; QoS only manages bandwidth according to application demands and network management settings. QoS in Ethernet networks fundamentally creates unequal access in an essentially equal-access network.

Policy-based Quality of Service (QoS) is a feature of ExtremeWare XOS and the Extreme Networks switch architecture that allows you to specify different service levels for traffic traversing the switch. Policy-based QoS is an effective control mechanism for networks that have heterogeneous traffic patterns. Using Policy-based QoS, you can specify the service level that a particular traffic type receives.

Policy-based QoS allows you to protect bandwidth for important categories of applications or to specifically limit the bandwidth associated with less critical traffic.

For example, if voice-over-IP (VoIP) traffic requires a reserved amount of bandwidth to function properly, using policy-based QoS, you can reserve sufficient bandwidth critical to this type of application. Other applications deemed less critical can be limited so as to not consume excessive bandwidth.

Switch Platforms and QoS

The BlackDiamond 10K switch contains separate hardware queues on every physical port. The BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch have two default queues (based on flows), and you can configure up to six additional queues. Each queue is programmed by ExtremeWare XOS with specific parameters that modify the forwarding behavior of the switch and affect how the switch transmits traffic for a given queue on a physical port.

The switch tracks and enforces the specified parameters on every queue for every port. When two or more queues on the same physical port are contending for transmission, the switch prioritizes use so long as the respective queue management parameters are satisfied. Up to eight queues per port are available.

QoS is not Class of Service (CoS)

QoS is not the same as Class of Service (CoS). When CoS assigns a priority to a traffic flow (such as 802.1p), the network elements involved in transporting this information just know that it is more, or less, important than other CoS traffic flows. It does not provide any assurance that the information is provided with a guaranteed bandwidth or network service.

NOTE

Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.


What is Quality of Service?

Figure 4: What is QoS?


What is Quality of Service?

• QoS consists of mechanisms and protocols designed to facilitate the delivery of delay and bandwidth sensitive material across data networks.

• In an Ethernet Network, QoS is used to create unequal access in an essentially equal-access network.


When Do You Need QoS?

When network traffic needs a guarantee of underlying network performance, QoS provides a solution. This typically relates to the amount of bandwidth required, but other factors, such as priority, are also taken into account.

Historically, the lack of bandwidth was mainly a concern of WAN technologies, as Local Area Network technologies were developing at a much faster pace and delivering bandwidths of 10, 100 and 1000Mbps. In the LAN, administrators are able to over-provision the available bandwidth to ensure that all network traffic receives adequate service.

The availability of high performance LAN technologies and hardware means that some organizations can provide the levels of service required by their applications by simply over-provisioning their LAN infrastructure. This provides a simple, but not managed, solution to their requirements. “Throwing bandwidth” at the issue of application performance does provide a simple solution, but it does not resolve the underlying issue of supporting the ever-increasing demands of new applications (voice, web, video, etc.) in an efficient and controlled manner.

QoS-based networks enable administrators to manage application traffic with a great degree of control. In this environment, an application is assured that its requirements for bandwidth, priority, latency and delay can be provided.

NOTE

QoS does not increase the available bandwidth; it ensures that it is used in a controlled manner. The network designer still has to make sure that the network has sufficient capacity and throughput to deliver the service required.


When Do You Need QoS?

Figure 5: When Do You Need QoS?

When do you need QoS?

• If a network provides enough bandwidth for all applications/users, then QoS is unnecessary.

[Figure: desktops 1 to 10 on 100Mbps desktop links feeding one Gigabit server link; not oversubscribed configuration, no QoS required]

• If there is insufficient bandwidth and the network has an oversubscribed configuration, then QoS can provide prioritized traffic for applications sensitive to the resultant latencies or delays.

[Figure: desktops 1 to 16 on 100Mbps desktop links feeding one Gigabit server link; oversubscribed configuration, QoS might make sense]


Two Major Benefits of QoS

Latency Control

Latency, a synonym for delay, describes how much time it takes for a packet of data to get from one point to another. Jitter is the variation in the time between packets arriving. Latency control provides consistent end-to-end delay to traffic flows. The most important QoS parameter for a delay sensitive application is minimum bandwidth, followed by priority. QoS provides control over bandwidth availability to ensure that latency parameters are met.

In the early days of LAN technology, the majority of traffic required a reliable, error free environment rather than guaranteed throughput. While there has always been the requirement for a fast and efficient network, the measurement for this speed was often how long a user was prepared to wait for a response once a request was issued. As long as the network provided a fast enough response, it was suitable.

Modern LAN infrastructures carry traffic from applications that were originally designed to run over several different technologies, each with its own characteristics. The modern network has to provide each of these applications with the characteristics it requires, which may not have been part of its own original design.

Unlike the original characteristics of “error free with non-deterministic access” provided by Ethernet, many of the newer applications are time sensitive, and the overall latency of the network is important.

Latency Sensitive Applications include:

● Desktop Video Conferencing

● Multicast Streaming Video

● Real-Time Data Feeds

● SNA, TN3270

Congestion Management

Another benefit of QoS is its ability to manage the sharing of available bandwidth between different types of traffic. This is typically done by allocating a maximum or minimum percentage of the available bandwidth to a specified class of traffic.

The example in the figure highlights the ability of QoS to allocate specific bandwidth to different traffic groups. QoS can only share what is available; the network designer has to ensure that the overall bandwidth is adequate.


Two Major Benefits of QoS

Figure 6: Latency Control

Figure 7: Congestion Management

Latency Control

[Figure: end-to-end path made of link latency (packet size / link speed), switch latency, link latency (packet size / link speed), switch latency, link latency (packet size / link speed)]

• Provides consistent end-to-end delay of traffic flows

• Important QoS parameter for delay sensitive applications is minimum bandwidth

Congestion Management

• Important traffic bypasses congestion

• Multiple traffic groups are allowed equal access to congested resources

[Figure: traffic groups A, B and C on 100Mbps links sharing a 200Mbps trunk. Option 1: Traffic Group A gets QP2, other traffic groups get QP1. Option 2: Traffic Group A gets MinBW=50%, other traffic groups get MinBW=25%.]

[Figure: traffic groups A, B and C on 100Mbps links sharing a 200Mbps trunk. Option 1: All traffic groups get MinBW=33%.]


Five Traffic Types and QoS Guidelines

General guidelines for each traffic type are given. Consider them as general guidelines and not strict recommendations. Once QoS parameters are set, you can monitor the performance of the application to determine if the actual behavior of the applications matches your expectations. When setting QoS parameters, you should consider bandwidth needs, sensitivity to latency and jitter, and sensitivity to packet loss.

Voice Applications

Voice applications, or voice over IP (VoIP), typically demand small amounts of bandwidth. However, the bandwidth must be constant and predictable because voice applications are typically sensitive to latency (inter-packet delay) and jitter (variation in inter-packet delay). The most important QoS parameter to establish for voice applications is minimum bandwidth, followed by priority.

Video Applications

Video applications are similar in needs to voice applications, with the exception that bandwidth requirements are somewhat larger, depending on the encoding. It is important to understand the behavior of the video application being used. For example, in the playback of stored video streams, some applications can transmit large amounts of data for multiple streams in one “spike,” with the expectation that the endstations will buffer significant amounts of video-stream data. This can present a problem to the network infrastructure, because the network must be capable of buffering the transmitted spikes where there are speed differences (for example, going from gigabit Ethernet to Fast Ethernet). Key QoS parameters for video applications include minimum bandwidth and priority, and possibly buffering (depending upon the behavior of the application).

Critical Database Applications

Database applications, such as those associated with Enterprise Resource Planning (ERP), typically do not demand significant bandwidth and are tolerant of delay. You can establish a minimum bandwidth using a priority less than that of delay-sensitive applications.

Web Browsing Applications

QoS needs for web browsing applications cannot be easily categorized. Enterprise resource planning (ERP) front end applications may require minimum bandwidth, while basic web browsing may require maximum bandwidth.

File Server Applications

File serving typically poses the greatest demand on bandwidth, although file server applications are very tolerant of latency, jitter, and some packet loss (depending on network OS and use of TCP or UDP).

NOTE

Full-duplex links should be used when deploying policy-based QoS. Half-duplex operation on links can make delivery of guaranteed minimum bandwidth impossible.


Five Traffic Types and QoS Guidelines

Figure 8: Traffic Type and QoS Guidelines

Traffic Type and QoS Guidelines

Traffic Type   Key QoS Parameters
Voice          Minimum bandwidth, priority
Video          Minimum bandwidth, priority, buffering (varies)
Database       Minimum bandwidth
Web browsing   Minimum bandwidth for critical applications, maximum bandwidth for non-critical applications
File Server    Minimum bandwidth


Policy-Based QoS

The main benefit of QoS is that it allows you to have control over the types of traffic that receive enhanced service from the system.

For example, if video traffic requires a higher priority than data traffic, using QoS you can assign a different QoS profile to those VLANs that are transmitting video traffic. This QoS profile gives the video traffic more than a simple high priority: it provides a service level from the underlying network. The specified QoS profile provides the video traffic with additional characteristics such as maximum or minimum bandwidth guarantees.

As with all Extreme Networks Switch products, Policy-Based QoS has zero impact on switch performance. Using even the most complex traffic groupings is “costless” in terms of switch performance.

Policy-Based QoS Support on an Extreme Networks Switch

An Extreme Networks switch can:

● Assign different service levels to traffic by specifying bandwidth management and prioritization parameters to hardware queues

● Track and enforce minimum and maximum percentage of bandwidth utilization, transmitted on every hardware queue, for every port.

● Prioritize bandwidth use, when two or more hardware queues on the same physical port are contending for transmission (as long as their respective bandwidth management parameters are satisfied)


Policy-Based QoS

Figure 9: Policy-Based QoS

Figure 10: Policy-Based QoS

Policy-Based QoS

[Figure: Voice = service level 1, Video = service level 2, Web = service level 3, File transfer = service level 4]

• Specify different service levels to traffic traversing the switch

• Prioritize bandwidth use between queues in the same port

• Up to 8 physical queues per port

Policy-Based QoS

[Figure: switch with several ports, each port carrying queues QP1 to 8]

• Contains separate hardware queues on every physical port

  • Specifies each queue’s bandwidth management and prioritization parameters

• Tracks and enforces minimum and max percentage bandwidth use by hardware queue


Configuring Policy-Based QoS

Assigning QoS attributes is a three-step process that consists of defining three interrelated QoS building blocks. To configure QoS, you define how your switch responds to different categories of traffic by creating and configuring QoS profiles. You then group traffic into categories (according to the needs of the application, as previously discussed) and assign each category to a QoS profile. The three steps are:

1 Configure the QoS profile.

QoS profile – A class of service that is defined through minimum and maximum bandwidth parameters and prioritization settings on the BlackDiamond 10K switch or through configuration of buffering and scheduling settings on the BlackDiamond 8800 family of switches and the Summit X450 switch. The level of service that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS profile. The names of the QoS profiles are QP1 through QP8; these names are not configurable.

2 Create traffic groupings.

Traffic grouping — Classification of traffic types that have one or more attributes in common. Some attributes include:

● a physical port

● a VLAN

● IP Layer 4 port information

Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, resulting in sharing the class of service.

3 Apply QoS policy.

QoS policy — The combination that results from assigning a traffic grouping to a QoS profile.

After applying the QoS policy, you should monitor the performance of the application to determine whether the policies are achieving the desired results. Later in the module, we will go into more detail about QoS monitoring options.
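A model of the three building blocks, as an added Python example that is not code from the student guide or from ExtremeWare XOS: QoSProfile carries the minimum bandwidth, maximum bandwidth and priority parameters named in step 1, the policy dict is step 3's mapping of traffic grouping to profile, and schedule() shows how guarantees and priorities combine on one congested port, using the numbers from the congestion management figure earlier in this module. The scheduler is a simplified model (guarantee first, then strict priority up to each cap, proportional sharing within a queue), not the switch's actual scheduler, and the profile values in figure_profiles() are assumptions rather than the switch's defaults.

```python
from dataclasses import dataclass
from typing import Dict

VALID_NAMES = {f"QP{i}" for i in range(1, 9)}   # profile names are fixed: QP1..QP8


@dataclass(frozen=True)
class QoSProfile:
    name: str
    min_bw: float   # guaranteed share of the port's bandwidth, percent
    max_bw: float   # ceiling, percent
    priority: int   # higher number wins when queues contend for the leftover


def validate_profiles(profiles: Dict[str, QoSProfile]) -> None:
    """Reject profile sets that cannot be honoured: bad names, min > max, or guarantees over 100%."""
    total_min = 0.0
    for name, p in profiles.items():
        if name not in VALID_NAMES or p.name != name:
            raise ValueError(f"profile names are fixed QP1..QP8, got {name!r}")
        if not 0 <= p.min_bw <= p.max_bw <= 100:
            raise ValueError(f"{name}: need 0 <= min_bw <= max_bw <= 100")
        total_min += p.min_bw
    if total_min > 100:
        raise ValueError(f"minimum bandwidth guarantees sum to {total_min}% > 100%")


def schedule(link_mbps: float, offered: Dict[str, float],
             policy: Dict[str, str], profiles: Dict[str, QoSProfile]) -> Dict[str, float]:
    """Return the Mbps each traffic grouping gets on one congested port.

    Simplified model, not the switch's scheduler: (1) every queue first receives its
    guaranteed minimum (never more than it offers); (2) the leftover link capacity is
    handed out in strict priority order, capped by each queue's maximum; (3) groupings
    assigned to the same profile share that queue in proportion to their offered load.
    """
    validate_profiles(profiles)
    load: Dict[str, float] = {}                       # offered Mbps per queue
    for grouping, mbps in offered.items():
        queue = policy[grouping]                      # QoS policy: grouping -> profile
        load[queue] = load.get(queue, 0.0) + mbps
    alloc = {q: min(load[q], link_mbps * profiles[q].min_bw / 100) for q in load}
    remaining = link_mbps - sum(alloc.values())
    for q in sorted(load, key=lambda q: profiles[q].priority, reverse=True):
        cap = link_mbps * profiles[q].max_bw / 100
        extra = max(0.0, min(load[q] - alloc[q], cap - alloc[q], remaining))
        alloc[q] += extra
        remaining -= extra
    return {g: (alloc[policy[g]] * mbps / load[policy[g]] if load[policy[g]] else 0.0)
            for g, mbps in offered.items()}


def figure_profiles() -> Dict[str, QoSProfile]:
    """Three priority-only profiles (assumed values, not switch defaults)."""
    return {
        "QP1": QoSProfile("QP1", min_bw=0, max_bw=100, priority=1),
        "QP2": QoSProfile("QP2", min_bw=0, max_bw=100, priority=2),
        "QP3": QoSProfile("QP3", min_bw=0, max_bw=100, priority=3),
    }


if __name__ == "__main__":
    # Groups A, B and C each offer 100 Mbps into a 200 Mbps trunk, as in the
    # congestion management figure: A on QP2, the others sharing QP1.
    offered = {"A": 100.0, "B": 100.0, "C": 100.0}
    print(schedule(200, offered, {"A": "QP2", "B": "QP1", "C": "QP1"}, figure_profiles()))
```

Running the same offered load through priority-only profiles and through profiles with minimum bandwidth guarantees shows the difference the text describes: with priority alone a low-priority grouping can be starved entirely once the higher queues fill the port, while a minimum bandwidth guarantee keeps it served; validate_profiles() also rejects a profile set whose guarantees add up to more than the port can carry.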


Configuring Policy-Based QoS

Figure 11: Configuring Policy-Based QoS

Figure 12: Policy-Based QoS

Configuring Policy-Based QoS

1. Create a QoS profile

2. Assign one or more traffic groupings

3. Apply QoS Policy

QoS Building Block: QoS Profile

• Defines level of service by specifying traffic attributes

• Does not alter switch behavior until assigned to a traffic grouping

• QoS profile links to the identical hardware queue across all switch physical ports

• Eight default QoS profiles are supported, QP1 through QP8


Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

The BlackDiamond 8800 family of switches and the Summit X450 switch allow dynamic creation and deletion of QoS queues, with Q1 and Q8 always available, rather than the 8 fixed queues on the BlackDiamond 10K switch.

NOTE

The sFlow application uses QP2 to sample traffic on the BlackDiamond 8800 family of switches and the Summit X450 switch. Any traffic grouping using QP2 may encounter unexpected results when sFlow is enabled.

The following considerations apply only to QoS on the BlackDiamond 8800 family of switches and the Summit X450 switch:

● The BlackDiamond 8800 family of switches and the Summit X450 switch do not support QoS monitor.

● The following QoS features share resources on the BlackDiamond 8800 family of switches and the Summit X450 switch:

■ ACLs

■ DiffServ

■ dot1p

■ VLAN-based QoS

■ Port-based QoS

● You may receive an error message when configuring a QoS feature in the above list on the BlackDiamond 8800 family of switches and the Summit X450 switch; it is possible that the shared resource is depleted. In this case, unconfigure one of the other QoS features and reconfigure the one you are working on.

Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

Figure 13: Assigning Policy-Based QoS

• Able to dynamically create and delete QoS queues
  • Default queues QP1 and QP8 are always available

• Does not support the QoS monitor command
  • The command that monitors QoS running in the background

• The following QoS features share the switch resources:
  • ACLs
  • DiffServ
  • Dot1p
  • VLAN-based QoS
  • Port-based QoS

QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

The BlackDiamond 8800 family of switches and the Summit X450 switch have two default queues, QP1 and QP8, which are based on traffic flows. QP1 has the lowest priority, and QP8 has the highest priority. You can configure up to six additional QoS profiles, or queues, on the switch, QP2 through QP7. Creating a queue dynamically does not cause loss of traffic. You can also modify the default parameters of each QoS profile. The names of the QoS profiles, QP1 through QP8, are not configurable.

The parameters that make up a QoS profile on the BlackDiamond 8800 family of switches and the Summit X450 switch include:

● Buffer—This parameter is the maximum amount of packet buffer memory available to all packets associated with the configured QoS profile within all affected ports. All QoS profiles use 100% of available packet buffer memory by default. You can configure the buffer amount from 1 to 100%, in whole integers. Regardless of the maximum buffer setting, the system does not drop any packets if any packet buffer memory remains to hold the packet and the current QoS profile buffer use is below the maximum setting.

NOTE

Use of all 8 queues on all ports may result in insufficient buffering to sustain 0 packet loss throughput during full-mesh connectivity with large packets.

● Weight—This parameter is the relative weighting for each QoS profile; 1 through 16 are the available weight values. The default value for each QoS profile is 1, giving each queue equal weighting. When you configure a QoS profile with a weight of 4, that queue is serviced 4 times as frequently as a queue with a weight of 1. However, if you configure all QoS profiles with a weight of 16, each queue is serviced equally but for a longer period of time.

Finally, you configure the scheduling method that the entire switch will use to empty the queues. The scheduling applies globally to the entire switch, not to each port. You can configure the scheduling to be strict priority, which is the default, or weighted round robin. In the strict priority method, the switch services the higher-priority queues first. As long as a queued packet remains in a higher-priority queue, any lower-priority queues are not serviced. If you configure the switch for weighted-round-robin scheduling, the system services all queues based on the weight assigned to the QoS profile. The hardware services higher-weighted queues more frequently, but lower-weighted queues continue to be serviced at all times.
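The difference between the two scheduling methods is easiest to see by counting how many packets each queue actually transmits when every queue is backlogged. The following Python simulation is an added example for this module, not Extreme Networks code; its queue model (a fixed backlog per profile, one packet per transmission slot, weights checked against the 1 to 16 range given above) is this example's own simplification.

```python
"""Strict priority versus weighted round robin egress scheduling, simulated.
Constructed example for this module; not Extreme Networks code."""

NUM_QUEUES = 8            # index 0 is QP1 (lowest priority), index 7 is QP8 (highest)
MIN_WEIGHT, MAX_WEIGHT = 1, 16


def validate_weights(weights):
    """Reject weight vectors the switch would not accept: one value per profile, each 1..16."""
    if len(weights) != NUM_QUEUES:
        raise ValueError("one weight per QoS profile is required")
    for w in weights:
        if not MIN_WEIGHT <= w <= MAX_WEIGHT:
            raise ValueError(f"weight {w} is outside {MIN_WEIGHT}..{MAX_WEIGHT}")
    return list(weights)


def strict_priority(backlog, slots):
    """Strict priority (the default): every transmission slot goes to the highest-priority
    queue that still holds a packet. Returns packets transmitted per profile."""
    remaining = list(backlog)
    sent = [0] * NUM_QUEUES
    for _ in range(slots):
        for q in range(NUM_QUEUES - 1, -1, -1):
            if remaining[q] > 0:
                remaining[q] -= 1
                sent[q] += 1
                break
    return sent


def weighted_round_robin(backlog, weights, slots):
    """Weighted round robin: queues are visited cyclically and a queue with weight w may
    send up to w packets per visit, so a weight-4 queue is served four times as often as
    a weight-1 queue and no backlogged queue is skipped. Returns packets per profile."""
    weights = validate_weights(weights)
    remaining = list(backlog)
    sent = [0] * NUM_QUEUES
    used = 0
    while used < slots and any(remaining):
        for q in range(NUM_QUEUES - 1, -1, -1):   # visiting order does not affect the shares
            quota = weights[q]
            while quota > 0 and remaining[q] > 0 and used < slots:
                remaining[q] -= 1
                sent[q] += 1
                used += 1
                quota -= 1
            if used >= slots:
                break
    return sent


def service_share(sent):
    """Fraction of all transmitted packets that each profile obtained."""
    total = sum(sent)
    return [round(n / total, 3) if total else 0.0 for n in sent]


if __name__ == "__main__":
    saturated = [1000] * NUM_QUEUES   # constructed: every profile offers more than the link carries
    print("strict priority:   ", strict_priority(saturated, 800))
    print("WRR, all weights 1:", weighted_round_robin(saturated, [1] * 8, 800))
    print("WRR, QP7=4, QP8=16:", weighted_round_robin(saturated, [1, 1, 1, 1, 1, 1, 4, 16], 260))
```

Under strict priority a saturated QP8 takes every slot and QP1 through QP7 transmit nothing, which is the behaviour to keep in mind wherever untrusted traffic can reach a high-priority queue; weighted round robin with weights 4 and 16 on QP7 and QP8 still leaves each of the other six queues 10 of every 260 slots.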

When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the priority field of a transmitted packet. The priority of a QoS profile determines the DiffServ code point value used in an IP packet when the packet is transmitted. A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. The default QoS profiles cannot be deleted. The settings for the default QoS parameters on the BlackDiamond 8800 family of switches and the Summit X450 switch are summarized in the following table.

QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

Figure 14: QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only

Table 1: Default BlackDiamond 8800 and Summit X450 Switch Only QoS Parameters

Profile name   Priority   Buffer   Weight
QP1            Low        100%     1
QP8            High       100%     1

• QP1 and QP8 default queues
  • Can neither be deleted nor renamed

• QoS profile parameters
  • Buffer
  • Weight
  • Scheduling method

QoS Profiles on the BlackDiamond 10K Switch

The BlackDiamond 10K switch has eight hardware queues for each egress port. The QoS profiles, QP1 to QP8, map to these hardware queues.

A QoS profile on the BlackDiamond 10K switch defines a class of service by specifying traffic behavior attributes, such as bandwidth. The parameters that make up a QoS profile on the BlackDiamond 10K switch include:

● Minimum bandwidth—The minimum total link bandwidth that is reserved for use by a hardware queue on a physical port (each physical port has eight hardware queues, corresponding to a QoS profile). The minimum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute committed rates in Kbps or Mbps. Bandwidth unused by the queue can be used by other queues. The minimum bandwidth for all queues should add up to less than 100%. The default value on all minimum bandwidth parameters is 0%.

● Maximum bandwidth—The maximum total link bandwidth that can be transmitted by a hardware queue on a physical port (each physical port has eight hardware queues, corresponding to a QoS profile). The maximum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute peak rates in Kbps or Mbps. The default value on all maximum bandwidth parameters is 100%.

● Priority—The level of priority assigned to a hardware egress queue on a physical port. There are eight different available priority settings and eight different hardware queues. By default, each of the default QoS profiles is assigned a unique priority. Prioritization is used when two or more hardware queues on the same physical port are contending for transmission, and only after their respective bandwidth management parameters have been satisfied. If two hardware queues on the same physical port have the same priority, a round-robin algorithm is used for transmission, depending on the available link bandwidth.

■ When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the priority field of a transmitted packet.

■ The priority of a QoS profile determines the DiffServ code point value used in an IP packet when the packet is transmitted.

A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. Recall that QoS profiles on the BlackDiamond 10K switch are linked to hardware queues. There are multiple hardware queues per physical port. By default, a QoS profile links to the identical hardware queue across all the physical ports of the switch.

The default QoS profiles cannot be deleted. Also by default, a QoS profile maps directly to a specific hardware queue across all physical ports.

QoS Profiles on the BlackDiamond 10K Switch

Figure 15: QoS Profiles on the BlackDiamond 10K

Table 2: BlackDiamond 10K Default QoS Parameters

Profile name   Hardware queue   Priority   Minimum bandwidth   Maximum bandwidth
QP1            Q0               Low        0%                  100%
QP2            Q1               LowHi      0%                  100%
QP3            Q2               Normal     0%                  100%
QP4            Q3               NormalHi   0%                  100%
QP5            Q4               Medium     0%                  100%
QP6            Q5               MediumHi   0%                  100%
QP7            Q6               High       0%                  100%
QP8            Q7               HighHi     0%                  100%

• 8 hardware queues for each egress port, linked to QP1 through QP8

• QoS profile parameters
  • Minimum bandwidth
  • Maximum bandwidth
  • Priority
    • 802.1p bits based
    • DiffServ code point based

QoS Building Block: Profile

Creating a QoS Profile (BlackDiamond 8800 Family of Switches and Summit X450 Only)

To create a QoS profile, enter the following command:

create qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]

To delete a QoS profile, enter the following command:

delete qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]

You cannot delete the default QoS profiles QP1 and QP8.

Configuring QoS Profile Weight

To modify the QoS profile weight, type the following command:

configure qosprofile <qosprofile> {maxbuffer <percent>} {weight <value>}

The maxbuffer parameter configures the maximum amount of packet buffer, by percentage, that the packets associated with the specified QoS profile can consume. Regardless of the setting for this parameter, the system does not drop any packets as long as packet buffer memory remains available and the current buffer use of the specified QoS profile is below the specified maxbuffer setting.

The weight parameter configures the relative weighting for each QoS profile. Because each QoS profile has a default weight of 1, all QoS profiles have equal weighting. If you configure a QoS profile with a weight of 4, that QoS profile is serviced 4 times as frequently as the remaining QoS profiles, which still have a weight of 1. If you configure all QoS profiles with a weight of 16, each QoS profile is serviced equally but for a longer period.

QoS Building Block: Profile

Figure 16: QoS Building Block: Profile

• Create a QoS profile*
  create qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]

• Configure QoS profile weight
  configure qosprofile <qosprofile> {maxbuffer <percent>} {weight <value>}

* BlackDiamond 8800 and Summit X450 only

QoS Building Block: Traffic Groupings

After a QoS profile has been created or modified, you assign a traffic grouping to the profile. A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is typically grouped based on the needs of the applications.

Traffic groupings are separated into the following categories:

● ACL-based information

● Explicit packet class of service information, such as 802.1p or DiffServ (IP TOS)

● Physical/logical configuration (physical source port or VLAN association)

QoS Building Block: Traffic Groupings

Figure 17: QoS Building Block: Traffic Groupings

Figure 18: Traffic Grouping Types

• Classification of traffic type based on one or more common attributes

• Needs an assigned QoS profile in order to modify switch behavior

• Traffic groupings transmitting out of the same port and assigned to a particular QoS profile share the same class of service

Traffic Grouping Types

• ACL-based information

• Explicit packet class of service information
  • 802.1p
  • DiffServ (IP TOS)

• Physical/logical configuration
  • Physical source port
  • VLAN association

QoS Building Block: QoS Policy

The combination of a traffic grouping and a QoS profile creates a QoS policy.

QoS Building Block: QoS Policy

Figure 19: QoS Building Block: QoS Policy

Example:

London:3 # config vlan urgent qosprofile QP4

The logical traffic grouping VLAN urgent is assigned the QoS profile QP4. Assigning a QoS profile to a traffic grouping activates a QoS policy.

Precedence of Traffic Groupings

In the event that a given packet matches two or more grouping criteria, there is a predetermined precedence for which traffic grouping applies. The supported traffic groupings, by precedence, are listed in the following:

● Access list groupings (ACLs)

■ IP ACL

■ MAC ACL

● Explicit packet class of service groupings

■ DiffServ (IP TOS)

■ 802.1p

● Physical/logical groupings

■ Source port

■ VLAN

NOTE

The source port and VLAN QoS apply only to untagged packets, and 802.1p QoS applies only to tagged packets. If you use 802.1p or DiffServ QoS in conjunction with ACLs, you must configure the 802.1p or DiffServ action within the ACL itself.

In general, the more specific traffic grouping takes precedence. Those groupings listed at the top of the list are evaluated first. By default, all traffic groupings are placed in the QoS profile QP1. The groupings are listed in order of precedence (highest to lowest). The three types of traffic groupings are described in detail on the following pages.

NOTE

On the BlackDiamond 8800 family of switches and the Summit X450 switch, the precedence of IP ACL or MAC ACL depends on specifications in the ACL file itself.
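The precedence order above, together with the tagged/untagged rule in the NOTE, can be written down as a single lookup. The following Python function is an added example for this module, not ExtremeWare code. The Packet and SwitchQos records are constructed for it, the default 802.1p and DiffServ code point mappings are those of Tables 3 and 5 later in this module, and the untagged-only rule for port and VLAN groupings is applied to both platforms (the BlackDiamond 8800 variant described in the Source Port note at the end of the module is not modelled).

```python
"""Which QoS profile wins when a packet matches several traffic groupings.
Constructed example for this module; not ExtremeWare code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BD10K = "bd10k"
BD8800 = "bd8800"   # BlackDiamond 8800 family and Summit X450 share these defaults


def default_dot1p_profile(platform, priority):
    """Table 3: default QoS profile for an 802.1p priority value."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0..7")
    if platform == BD10K:
        return f"QP{priority + 1}"
    return "QP8" if priority == 7 else "QP1"


def default_dscp_profile(platform, code_point):
    """Table 5: default QoS profile for a DiffServ code point (eight code points per profile)."""
    if not 0 <= code_point <= 63:
        raise ValueError("DiffServ code point must be 0..63")
    if platform == BD10K:
        return f"QP{code_point // 8 + 1}"
    return "QP8" if code_point >= 56 else "QP1"


@dataclass
class Packet:
    """Constructed view of one ingress packet (only the fields the groupings look at)."""
    ingress_port: str
    vlan: str
    tagged: bool
    dot1p: int = 0                       # 802.1p priority bits, meaningful only when tagged
    dscp: int = 0                        # DiffServ code point
    src_ip: str = "0.0.0.0"
    src_mac: str = "00:00:00:00:00:00"


@dataclass
class SwitchQos:
    """Constructed state: the traffic groupings configured on one switch."""
    platform: str = BD10K
    ip_acl: list = field(default_factory=list)     # [(source network, qosprofile)] in ACL order
    mac_acl: dict = field(default_factory=dict)    # source MAC -> qosprofile
    diffserv_examination_ports: set = field(default_factory=set)  # enable diffserv examination ports
    dscp_map: dict = field(default_factory=dict)   # configure diffserv examination code-point ...
    dot1p_map: dict = field(default_factory=dict)  # configure dot1p type ...
    port_profiles: dict = field(default_factory=dict)   # configure ports <port> qosprofile ...
    vlan_profiles: dict = field(default_factory=dict)   # configure vlan <vlan> qosprofile ...


def resolve_qosprofile(pkt, sw):
    """Return (qosprofile, grouping) for the highest-precedence grouping the packet matches."""
    # 1. Access list groupings: IP ACL, then MAC ACL.
    for network, profile in sw.ip_acl:
        if ip_address(pkt.src_ip) in ip_network(network):
            return profile, "ip-acl"
    profile = sw.mac_acl.get(pkt.src_mac.lower())
    if profile is not None:
        return profile, "mac-acl"
    # 2. Explicit class of service: DiffServ where examination is enabled on the
    #    ingress port, then 802.1p, which only tagged packets carry.
    if pkt.ingress_port in sw.diffserv_examination_ports:
        profile = sw.dscp_map.get(pkt.dscp) or default_dscp_profile(sw.platform, pkt.dscp)
        return profile, "diffserv"
    if pkt.tagged:
        profile = sw.dot1p_map.get(pkt.dot1p) or default_dot1p_profile(sw.platform, pkt.dot1p)
        return profile, "dot1p"
    # 3. Physical/logical groupings, untagged packets only: source port, then VLAN.
    if pkt.ingress_port in sw.port_profiles:
        return sw.port_profiles[pkt.ingress_port], "port"
    if pkt.vlan in sw.vlan_profiles:
        return sw.vlan_profiles[pkt.vlan], "vlan"
    return "QP1", "default"          # everything else lands in QP1


if __name__ == "__main__":
    sw = SwitchQos(platform=BD10K, ip_acl=[("10.1.2.0/24", "QP3")],
                   diffserv_examination_ports={"9"}, port_profiles={"5:7": "QP8"},
                   vlan_profiles={"urgent": "QP4"})
    # A host on examined port 9 marks its own traffic with code point 56 and gets QP8 ...
    print(resolve_qosprofile(Packet("9", "urgent", True, dot1p=7, dscp=56, src_ip="192.0.2.10"), sw))
    # ... but the IP ACL grouping outranks the marking for 10.1.2.0/24.
    print(resolve_qosprofile(Packet("9", "urgent", True, dot1p=7, dscp=56, src_ip="10.1.2.5"), sw))
```

The sample configuration shows the point that matters operationally: a host on a port with DiffServ examination enabled can place its own traffic in QP8 simply by marking it with code point 56, and only an ACL grouping, which sits above explicit markings in the precedence, pins that host back to QP3. On the BlackDiamond 8800 family and Summit X450 the same marking is much less useful to an end station, because every 802.1p value except 7 and every code point below 56 maps to QP1 by default.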

Precedence of Traffic Groupings

Figure 20: Traffic Groupings In Default Precedence

ACL-Based Traffic Groupings

ACL-based traffic groupings are defined using access lists. By supplying a named QoS profile on an ACL rule, you can prescribe the bandwidth management and priority handling for that traffic grouping. This level of packet filtering has no impact on performance. ACL-based traffic groupings are based on any combination of the following items:

● IP source or destination address

● IP protocol

● TCP flag

● TCP/UDP or other Layer 4 protocol

● TCP/UDP port information

● IP fragmentation

● MAC source or destination address

● Ethertype

ACL-Based Traffic Groupings

Figure 21: ACL-Based Traffic Groupings

• Defined by access lists
  • Specify a named QoS profile in the ACL rule

• Parameters
  • IP source or destination address
  • IP protocol
  • TCP flag
  • TCP/UDP or other Layer 4 protocol
  • IP fragmentation
  • MAC source or destination address
  • Ethertype

Explicit Class of Service Traffic Groupings

This category of traffic groupings describes what is sometimes referred to as explicit packet marking, and refers to information contained within a packet that is intended to explicitly determine a class of service. That information includes:

● Prioritization bits used in IEEE 802.1p packets

● IP Differentiated Services (DiffServ) code points, formerly known as IP Type of Service (TOS) bits

Advantages of Explicit Class of Service

● Class of service information can be carried through the network infrastructure, without repeating what may be complex traffic grouping policies at each switch location.

● End stations can perform their own packet marking on an application-specific basis

● Extreme Networks switch products have the capability of observing and manipulating packet marking information with no performance penalty.

The documented capabilities for 802.1p priority markings or DiffServ capabilities (if supported) are not impacted by the switching or routing configuration of the switch. For example, 802.1p information may be preserved across a routed switch boundary and DiffServ code points may be observed or overwritten across a layer 2 switch boundary.

Packet Diagram

Extreme Networks switches support the standard IEEE 802.1p priority bits that are part of a tagged Ethernet packet. The 802.1p bits can be used to prioritize the packet and to assign that packet to a particular QoS profile.

When a tagged packet arrives at the switch, the switch examines the 802.1p priority field and maps the packet to a specific queue when subsequently transmitting the packet. The 802.1p priority field is located directly following the 802.1Q type field and preceding the 802.1Q VLAN ID, as shown in Figure 20.

Explicit Class of Service Traffic Groupings

Figure 22: Explicit Class of Service Traffic Groupings

• Information includes
  • IP DiffServ code points (former IP TOS bits)
  • Prioritization bits used in IEEE 802.1p packets

• Extreme switches can observe and manipulate packet marking information with no performance penalty in the hardware

Packet diagram, 802.1Q Ethernet frame: DA (6 bytes), SA (6 bytes), TPI (2 bytes), TAG (2 bytes, 3 bits of which carry the 802.1p priority), Type (2 bytes), Data (46 - 1500 bytes), FCS (4 bytes).

Packet diagram, DiffServ IP packet header: Ver, IHL, DiffServ field (6-bit DSCP, ECN), Total Length; Identifier, Flags, Frag. Offset; TTL, Protocol, Header Checksum; Source Address; Destination Address.

802.1p Information

802.1p Information on the BlackDiamond 10K Only

If a port is in more than one virtual router, you cannot use the QoS 802.1p features. The default VLAN DiffServ examination mappings apply on ports in more than one VR. If you attempt to configure examining or replacing 802.1p information on a port that is in more than one virtual router, the system returns the following message:

Warning: Port belongs to more than one VR. Port properties related to diff serv and code replacement will not take effect.

Observing 802.1p Information

When ingress traffic that contains 802.1p prioritization information is detected by the switch, that traffic is mapped to the queues on the egress port of the switch. The BlackDiamond 10K switch supports eight hardware queues by default; you can modify the characteristics of each queue. By default, the BlackDiamond 8800 family of switches and the Summit X450 switch support two queues based on flows; you can define up to six additional queues. The transmitting queue determines the characteristics used when transmitting packets.

To control the mapping of 802.1p prioritization values to queues, 802.1p prioritization values can be mapped to a QoS profile. The default mapping of each 802.1p priority value to a QoS profile is shown in Table 3.

Changing the Default 802.1p Mapping

By default, a QoS profile is mapped to a queue, and each QoS profile has configurable parameters. In this way, an 802.1p priority value seen on ingress can be mapped to a particular QoS profile.

To change the mapping of 802.1p priority value to QoS profile, enter the following command:

configure dot1p type <dot1p_priority> {qosprofile} <qosprofile>

Table 3: Default 802.1p priority value-to-QoS profile mapping

Figure 23: Traffic Groupings - Destination MAC Address

Priority value   BlackDiamond 10K switch default QoS profile   BlackDiamond 8800 family of switches and Summit X450 switch default QoS profile
0                QP1                                           QP1
1                QP2                                           QP1
2                QP3                                           QP1
3                QP4                                           QP1
4                QP5                                           QP1
5                QP6                                           QP1
6                QP7                                           QP1
7                QP8                                           QP8

Changing the Default 802.1p Mapping

To change the mapping of 802.1p priority value to QoS profile:

configure dot1p type <dot1p_priority> qosprofile <qosprofile>

Replacing 802.1p Priority Information

By default, 802.1p priority information is not replaced or manipulated, and the information observed on ingress is preserved when transmitting the packet. This behavior is not affected by the switching or routing configuration of the switch.

NOTE

In the BlackDiamond 8800 family of switches and the Summit X450 switch, 802.1p replacement uses existing flow classifiers. If this feature is enabled and the flow classifier has been defined (traffic groupings), the related flow classifier causes the replacement.

However, the switch is capable of inserting and/or overwriting 802.1p priority information when it transmits an 802.1Q tagged frame. If 802.1p replacement is enabled, the 802.1p priority information that is transmitted is determined by the queue that is used when transmitting the packet. The 802.1p replacement configuration is based on the ingress port. To replace 802.1p priority information, enter the following command:

enable dot1p replacement ports [<port_list> | all]

The port in this command is the ingress port. This command affects only that traffic based on explicit packet class of service information and physical/logical configuration.

To disable this feature, enter the following command:

disable dot1p replacement ports [<port_list> | all]

NOTE

On the BlackDiamond 8800 family of switches and the Summit X450 switch, only QP1 and QP8 exist by default; you must create QP2 to QP7. If you have not created these QPs, the replacement feature will not take effect.

The 802.1p priority information is replaced according to the queue that is used when transmitting from the switch. The mapping is described in Table 4. This mapping cannot be changed.

Replacing 802.1p Priority Information

Figure 24: Replacing 802.1p Priority Information

Table 4: Queue-to-802.1p priority replacement value

802.1p priority replacement value   BlackDiamond 10K switch hardware queue   BlackDiamond 8800 family of switches and Summit X450 switch 802.1p queue
0                                   Q0                                       Q1
1                                   Q1                                       Q2
2                                   Q2                                       Q3
3                                   Q3                                       Q4
4                                   Q4                                       Q5
5                                   Q5                                       Q6
6                                   Q6                                       Q7
7                                   Q7                                       Q8

To replace 802.1p priority information: enable dot1p replacement ports [<port_list> | all]

To disable 802.1p replacement: disable dot1p replacement ports [<port_list> | all]

DiffServ

Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the Differentiated Services (DiffServ) field. The switch uses the DiffServ field to determine the type of service provided to the packet.

The switch supports both observing DiffServ code points as a traffic grouping mechanism for defining QoS policies and overwriting the DiffServ code point field.

DiffServ Information on the BlackDiamond 10K Only

The default VLAN DiffServ examination mappings apply on ports in more than one VR. If you attempt to configure examining or replacing DiffServ information on a port that is in more than one virtual router, the system returns the following message:

Warning: Port belongs to more than one VR. Port properties related to diff serv and code replacement will not take effect.

Observing DiffServ Information

When a packet arrives at the switch on an ingress port and this feature is enabled, the switch examines the first six of the eight TOS bits, called the DiffServ code point. The switch can then assign the QoS profile used to subsequently transmit the packet based on the code point. The QoS profile controls which queue is used when transmitting the packet out of the switch and determines the forwarding characteristics of a particular code point. Examining DiffServ information can be enabled or disabled; by default it is disabled. To enable DiffServ examination, enter the following command:

enable diffserv examination port [<port_list> | all]

To disable DiffServ examination, enter the following command:

disable diffserv examination port [<port_list> | all]

Observing DiffServ Information

Figure 25: DiffServ Replacement

Figure 26: Observing DiffServ Information

DiffServ Replacement

• In order to make DiffServ replacement take effect, dot1p replacement has to be enabled on the same port.

* London: 2 # enable diffserv exam port 9
* London: 3 # config diffserv exam code_point 10 qosp qp7 port 9
* London: 4 # enable dot1p replacement port 3
* London: 5 # enable diffserv replace port 3
* London: 6 # config diffserv replace priority vpri 6 code-point 31 port 3

Code point   QoS profile   Hardware queue   Priority   Replacement code point (i-chipset)
0 - 7        qp1           Q0               0          0
8 - 15       qp2           Q1               1          8
16 - 23      qp3           Q2               2          16
24 - 31      qp4           Q3               3          24
32 - 39      qp5           Q4               4          32
40 - 47      qp6           Q5               5          40
48 - 55      qp7           Q6               6          48
56 - 63      qp8           Q7               7          56

With the configuration above, qp7 (Q6, priority 6) is replaced with code point 31 instead of 48.

Diagram: a packet with CP = 10 arrives on port 9, is placed in QP7 and leaves port 3 with CP = 31; port 24 is shown with CP = 50.

Observing DiffServ Information

* London: 3 # enable diffserv examination ports 9
* London: 4 # config diffserv examination code-point 1 qosprofile qp3 ports 9

Diagram: a packet with CP = 1 arrives on port 9, is placed in QP3 and leaves port n still marked CP = 1.

Code point   QoS profile   Hardware queue
0 - 7        qp1           Q0
8 - 15       qp2           Q1
16 - 23      qp3           Q2
24 - 31      qp4           Q3
32 - 39      qp5           Q4
40 - 47      qp6           Q5
48 - 55      qp7           Q6
56 - 63      qp8           Q7

Configuring DiffServ

DiffServ Code Point Mapping

Because the DiffServ code point uses six bits, it has 64 possible values (2^6 = 64). By default, the values are grouped and assigned to the default QoS profiles listed in Table 5.

Changing the Default DiffServ Code Point Mapping

You can change the QoS profile assignment for each of the 64 code points using the following command:

configure diffserv examination code-point <code-point> {qosprofile} <qosprofile>

Once assigned, the rest of the switches in the network prioritize the packet using the characteristics specified by the QoS profile.

Replacing DiffServ Code Points

The switch can be configured to change the DiffServ code point in the packet before the packet is transmitted by the switch. This is done with no impact on switch performance.

The DiffServ code point value used to overwrite the original value in a packet is determined by the QoS profile. You enter the QoS profile you want to use to determine the replacement DiffServ code point value.

To replace DiffServ code points, you must enable DiffServ replacement using the following command:

enable diffserv replacement ports [<port_list> | all]

The port in this command is the ingress port. This command affects only that traffic based on explicit packet class of service information and physical/logical configuration.

To disable this feature, enter the following command:

disable diffserv replacement ports [<port_list> | all]

Table 5: Default DiffServ code point-to-QoS profile mapping

Figure 27: Configuring DiffServ

Code point   BlackDiamond 10K switch QoS profile   BlackDiamond 8800 family of switches and the Summit X450 switch QoS profile
0-7          QP1                                   QP1
8-15         QP2                                   QP1
16-23        QP3                                   QP1
24-31        QP4                                   QP1
32-39        QP5                                   QP1
40-47        QP6                                   QP1
48-55        QP7                                   QP1
56-63        QP8                                   QP8

Configuring DiffServ

To change the QoS profile assignment for each of the 64 code points: configure diffserv examination code-point <code-point> {qosprofile} <qosprofile>

To replace DiffServ code points, DiffServ replacement must be enabled: enable diffserv replacement ports [<port_list> | all]

Default 802.1p Priority Value-To-DiffServ Code Point Mapping

Table 6 shows both the default QoS profile to DiffServ code point mapping and the default 802.1p priority value to code point mapping.

You change the DiffServ code point mapping, using either the QoS profile or the 802.1p value, to any code point value using the following command:

configure diffserv replacement [{qosprofile} <qosprofile> | priority <value>] code-point <code_point>

NOTE

Extreme Networks recommends that you use the qosprofile <qosprofile> value to configure this parameter.

By doing so, the queue used to transmit a packet determines the DiffServ value replaced in the IP packet.

To view currently configured DiffServ information, enter the following command:

show diffserv [examination | replacement]

Default 802.1p Priority Value-To-DiffServ Code Point Mapping

Table 6: Default 802.1p priority value-to-DiffServ code point mapping

Figure 28: show diffserv replacement

BlackDiamond 10K switch QoS profile   BlackDiamond 8800 family of switches and the Summit X450 switch QoS profile   802.1p priority value   Code point
QP1                                   QP1                                                                        0                       0
QP2                                   QP1                                                                        1                       8
QP3                                   QP1                                                                        2                       16
QP4                                   QP1                                                                        3                       24
QP5                                   QP1                                                                        4                       32
QP6                                   QP1                                                                        5                       40
QP7                                   QP1                                                                        6                       48
QP8                                   QP8                                                                        7                       56
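To see what 802.1p and DiffServ replacement actually change on the wire, the following Python code parses the two marking fields shown in the packet diagram earlier in this module and rewrites them according to the BlackDiamond 10K columns of Tables 4 and 6 (QPn transmits 802.1p value n-1 and code point 8*(n-1)). This is an added example, not Extreme Networks code; the frames are constructed inline, and it assumes that replacement keeps the DEI bit, the VLAN ID and the two ECN bits, and that the IPv4 header checksum is recomputed after the rewrite.

```python
"""Parse and replace 802.1p and DiffServ markings in an 802.1Q/IPv4 frame.
Constructed example for this module; not Extreme Networks code."""
import struct
from ipaddress import ip_address

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is correct."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp, ecn=0, src="10.1.2.5", dst="192.0.2.10"):
    """Constructed 20-byte IPv4 header (UDP, no payload) with a valid checksum."""
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0x4000, 64, 17, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_frame(dscp, dot1p=None, vid=100):
    """Constructed Ethernet frame: 802.1Q tagged when an 802.1p value is given, else untagged."""
    dst_mac = bytes.fromhex("00112233aabb")
    src_mac = bytes.fromhex("001122ccddee")
    tag = b"" if dot1p is None else struct.pack("!HH", ETHERTYPE_VLAN, (dot1p << 13) | (vid & 0x0FFF))
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + build_ipv4_header(dscp)


def parse_markings(frame):
    """Read the 802.1p priority (tagged frames) and the DSCP/ECN bits (IPv4) from a frame."""
    info = {"tagged": False, "dot1p": None, "vid": None, "dscp": None, "ecn": None, "ip_offset": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    l3 = 14
    if ethertype == ETHERTYPE_VLAN:                 # TAG follows the TPI: 3 bits PCP, 1 bit DEI, 12 bits VID
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(tagged=True, dot1p=tci >> 13, vid=tci & 0x0FFF)
        l3 = 18
    if ethertype == ETHERTYPE_IPV4:                 # DiffServ field is the second byte of the IP header
        tos = frame[l3 + 1]
        info.update(dscp=tos >> 2, ecn=tos & 0x3, ip_offset=l3)
    return info


def replacement_values(qosprofile):
    """Tables 4 and 6 (BlackDiamond 10K): QPn -> (802.1p value n-1, code point 8*(n-1))."""
    name = qosprofile.upper()
    if not (name.startswith("QP") and name[2:].isdigit() and 1 <= int(name[2:]) <= 8):
        raise ValueError(f"unknown QoS profile {qosprofile!r}")
    n = int(name[2:])
    return n - 1, 8 * (n - 1)


def replace_markings(frame, qosprofile, dot1p_replacement=True, diffserv_replacement=True):
    """Rewrite the frame as it would be transmitted from the given profile's queue with
    'enable dot1p replacement' and/or 'enable diffserv replacement' in effect."""
    new_dot1p, new_dscp = replacement_values(qosprofile)
    out = bytearray(frame)
    info = parse_markings(frame)
    if dot1p_replacement and info["tagged"]:
        (tci,) = struct.unpack_from("!H", out, 14)
        struct.pack_into("!H", out, 14, (new_dot1p << 13) | (tci & 0x1FFF))   # keep DEI and VID
    if diffserv_replacement and info["ip_offset"] is not None:
        off = info["ip_offset"]
        ihl = (out[off] & 0x0F) * 4
        out[off + 1] = (new_dscp << 2) | (out[off + 1] & 0x3)                  # keep ECN bits
        out[off + 10:off + 12] = b"\x00\x00"
        struct.pack_into("!H", out, off + 10, ipv4_checksum(bytes(out[off:off + ihl])))
    return bytes(out)


def ipv4_header_valid(frame):
    """True when the IPv4 header checksum in the frame verifies."""
    off = parse_markings(frame)["ip_offset"]
    if off is None:
        return False
    ihl = (frame[off] & 0x0F) * 4
    return ipv4_checksum(frame[off:off + ihl]) == 0


if __name__ == "__main__":
    before = build_frame(dscp=46, dot1p=5)      # constructed voice frame: 802.1p 5, code point 46
    after = replace_markings(before, "QP7")
    print("ingress :", parse_markings(before))
    print("egress  :", parse_markings(after), "checksum ok:", ipv4_header_valid(after))
```

The "before" frame is a voice packet that arrived marked 802.1p 5 / code point 46; transmitted from the QP7 queue with both replacement features enabled it leaves as 802.1p 6 / code point 48, which is how a switch at the trust boundary overrides whatever an end station marked. On the BlackDiamond 8800 family and Summit X450, recall from the NOTE above that QP2 to QP7 must exist before replacement to those values takes effect.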

BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example

In this example on the BlackDiamond 8800 family of switches and the Summit X450 switch, we use DiffServ to signal a class of service and assign any traffic coming from network 10.1.2.x a specific DiffServ code point. This allows all other network switches to send and observe the DiffServ code point instead of repeating the same QoS configuration on every network switch.

To configure the switch, follow these steps:

1 Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3:

configure access-list qp3sub any

The following is a sample policy file:

#filename: qp3sub.pol
entry QP3-subnet {
    if {
        source-address 10.1.2.0/24
    } then {
        Qosprofile qp3;
    }
}

2 Configure the switch so that other switches can signal classes of service that this switch should observe by entering the following:

enable diffserv examination ports all

BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example

Figure 29: BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example

1. Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3:

configure access-list qp3sub any

2. Configure the switch so that other switches can signal classes of service that this switch should observe:

enable diffserv examination ports all

#filename: qp3sub.pol
entry QP3-subnet {
    if {
        source-address 10.1.2.0/24
    } then {
        Qosprofile qp3;
    }
}

BlackDiamond 10K Switch DiffServ Example

In this example on the BlackDiamond 10K switch, we use DiffServ to signal a class of service and assign any traffic coming from network 10.1.2.x a specific DiffServ code point. This allows all other network switches to send and observe the DiffServ code point instead of repeating the same QoS configuration on every network switch.

To configure the switch, follow these steps:

1 Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3:

configure access-list qp3sub any

The following is a sample policy file; the replace-dscp action rewrites the code point of the matched traffic to the value that QP3 transmits:

#filename: qp3sub.pol
entry QP3-subnet {
    if {
        source-address 10.1.2.0/24
    } then {
        Qosprofile qp3;
        replace-dscp;
    }
}

2 Configure the switch so that other switches can signal classes of service that this switch should observe by entering the following:

enable diffserv examination ports all

NOTE

The switch only observes the DiffServ code points if the traffic does not match the configured access list. Otherwise, the ACL QoS setting overrides the QoS DiffServ configuration.

Figure 30: BlackDiamond 10K Switch DiffServ Example

Physical and Logical Groupings

Two traffic groupings exist in this category: source port and VLAN.

Source Port

A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, enter the following command:

configure ports <port_list> {qosprofile} <qosprofile>

In the following modular switch example, all traffic sourced from slot 5 port 7 uses the QoS profile named QP8 when being transmitted.

configure ports 5:7 qosprofile qp8

NOTE

On the BlackDiamond 10K switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches and the Summit X450 switch, this command applies to all packets.

VLAN

A VLAN traffic grouping indicates that all intra-VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile. To configure a VLAN traffic grouping, enter the following command:

configure vlan <vlan_name> {qosprofile} <qosprofile>

For example, all devices on VLAN servnet require use of the QoS profile QP1. The command to configure this example is as follows:

configure vlan servnet qosprofile qp1

NOTE

On the BlackDiamond 10K switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches and the Summit X450 switch, this command applies to all packets.

Verifying Physical and Logical Groupings

You can display QoS settings on the ports or VLANs.

To verify settings on ports or VLANs, enter the following command:

show ports {mgmt | <port_list>} information {detail}

To ensure that you display the QoS information, you must use the detail variable.

On the BlackDiamond 10K switch, the screen displays both ingress and egress QoS settings. The 10Gbps ports have 8 ingress queues, and the 1 Gbps ports have 2 ingress queues.

Figure 31: Traffic Groupings: Physical and Logical

Figure 32: Configuring Physical and Logical Groupings

BlackDiamond 8800 Family of Switches and Summit X450 Switch QoS Profile Display

You display which QoS profile, if any, is configured on the BlackDiamond 8800 family of switches and the Summit X450 switch using the show ports <port_list> information detail command. Following is a sample output of this command for a BlackDiamond 8810 switch:

NOTE

To ensure that you display the QoS information, you must use the detail variable.


Port:   8:1
        Virtual-router: VR-Default
        Type:           EW
        Random Early drop:      Disabled
        Admin state:    Enabled with auto-speed sensing auto-duplex
        Link State:     Active
        Link Counter:   Up 1 time(s)
        VLAN cfg:
                Name: Default, Internal Tag = 1, MAC-limit = No-limit
        STP cfg:
                s0(disable), Tag=(none), Mode=802.1D, State=FORWARDING
        Protocol:
                Name: Default   Protocol: ANY   Match all protocols.
        Trunking:       Load sharing is not enabled.
        EDP:            Enabled
        DLCS:           Unsupported
        lbDetect:       Unsupported
        Learning:       Enabled
        Flooding:       Enabled
        Jumbo:          Disabled
        BG QoS monitor: Unsupported
        Egress Port Rate:       No-limit
        Broadcast Rate: No-limit
        Multicast Rate: No-limit
        Unknown Dest Mac Rate:  No-limit
        QoS Profile:    Qp3 Configured by user
        Ingress Rate Shaping :  Unsupported
        Ingress IPTOS Examination:      Disabled
        Egress IPTOS Replacement:       Disabled
        Egress 802.1p Replacement:      Disabled
        NetLogIn:       Disabled
        Smart redundancy:       Enabled
        Software redundant port:        Disabled
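A listing like the one above is what an auditor works from when checking which ports carry a user-assigned QoS profile, which ports have DiffServ examination enabled (and therefore honour DSCP values arriving on that port, subject to the ACL override noted earlier), and which ports are egress rate-limited. The following Python script is an added example, not the guide's or Extreme Networks' code; it parses show ports information detail output, and its two-port sample input is constructed, with the values for port 8:2 invented to exercise the checks.

```python
import re
from typing import Dict, List

# Constructed sample output: field names follow the guide's BlackDiamond 8810
# listing; port 8:2 and its values are invented so the audit has something to find.
SAMPLE_OUTPUT = """\
Port:   8:1
        Virtual-router: VR-Default
        Type:           EW
        Admin state:    Enabled with auto-speed sensing auto-duplex
        Link State:     Active
        VLAN cfg:       Name: Default, Internal Tag = 1, MAC-limit = No-limit
        Egress Port Rate:       No-limit
        QoS Profile:    Qp3 Configured by user
        Ingress Rate Shaping :  Unsupported
        Ingress IPTOS Examination:      Disabled
        Egress IPTOS Replacement:       Disabled
        Egress 802.1p Replacement:      Disabled
Port:   8:2
        Virtual-router: VR-Default
        Type:           EW
        Admin state:    Enabled with auto-speed sensing auto-duplex
        Link State:     Active
        Egress Port Rate:       64 Kbps
        QoS Profile:    None configured
        Ingress Rate Shaping :  Unsupported
        Ingress IPTOS Examination:      Enabled
        Egress IPTOS Replacement:       Enabled
        Egress 802.1p Replacement:      Disabled
"""

# "Key:   value"; the non-greedy key stops at the first colon, so "Port:   8:1"
# yields key "Port" and value "8:1", and "Ingress Rate Shaping :" keeps its key.
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_ports(text: str) -> Dict[str, Dict[str, str]]:
    """Split the command output into per-port blocks: {port: {field: value}}."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Port":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def qos_summary(ports: Dict[str, Dict[str, str]]) -> Dict[str, Dict]:
    """Reduce each port block to the QoS facts a reviewer cares about."""
    summary: Dict[str, Dict] = {}
    for port, fields in ports.items():
        profile = fields.get("QoS Profile", "None configured")
        summary[port] = {
            "qos_profile": None if profile.startswith("None") else profile.split()[0],
            "configured_by_user": "Configured by user" in profile,
            "dscp_examination": fields.get("Ingress IPTOS Examination") == "Enabled",
            "dscp_replacement": fields.get("Egress IPTOS Replacement") == "Enabled",
            "egress_rate": fields.get("Egress Port Rate", "No-limit"),
        }
    return summary


def ports_examining_dscp(ports: Dict[str, Dict[str, str]]) -> List[str]:
    """Ports on which diffserv examination is in effect: the switch will act on
    DSCP values set by whatever is connected there, unless an ACL QoS setting
    overrides them (the guide's NOTE)."""
    return sorted(p for p, s in qos_summary(ports).items() if s["dscp_examination"])


if __name__ == "__main__":
    parsed = parse_ports(SAMPLE_OUTPUT)
    for port, facts in qos_summary(parsed).items():
        print(port, facts)
    print("ports examining DSCP:", ports_examining_dscp(parsed))
```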


BlackDiamond 10K Switch Display

You display information on the egress QoS profiles and the ingress QoS profiles (shown as Ingress Rate Shaping), as well as the minimum and maximum available bandwidth and priority, on the BlackDiamond 10K switch using the show ports <port_list> information detail command. The display is slightly different for a 1 Gbps port and for a 10 Gbps port.

Following is sample output of this command for a BlackDiamond 10K switch 10 Gbps port:


Port:   8:1
        Virtual-router: VR-Default
        Type:           XENPAK
        Random Early drop:      Disabled
        Admin state:    Enabled with 10G full-duplex
        Link State:     Ready
        Link Counter:   Up 0 time(s)
        VLAN cfg:
        STP cfg:
        Protocol:
        Trunking:       Load sharing is not enabled.
        EDP:            Enabled
        DLCS:           Unsupported
        lbDetect:       Unsupported
        Learning:       Enabled
        Flooding:       Enabled
        Jumbo:          Disabled
        BG QoS monitor: Unsupported
        QoS Profile:    None configured
        Queue:  Qp1 MinBw=0% MaxBw=100% Pri=1
                Qp2 MinBw=0% MaxBw=100% Pri=2
                Qp3 MinBw=0% MaxBw=100% Pri=3
                Qp4 MinBw=0% MaxBw=100% Pri=4
                Qp5 MinBw=0% MaxBw=100% Pri=5
                Qp6 MinBw=0% MaxBw=100% Pri=6
                Qp7 MinBw=0% MaxBw=100% Pri=7
                Qp8 MinBw=0% MaxBw=100% Pri=8
        Ingress Rate Shaping :  support IQP1-8
                IQP1 MinBw= 0% MaxBw=100% Pri=1
                IQP2 MinBw= 0% MaxBw=100% Pri=2
                IQP3 MinBw= 0% MaxBw=100% Pri=3
                IQP4 MinBw= 0% MaxBw=100% Pri=4
                IQP5 MinBw= 0% MaxBw=100% Pri=5
                IQP6 MinBw= 0% MaxBw=100% Pri=6
                IQP7 MinBw= 0% MaxBw=100% Pri=7
                IQP8 MinBw= 0% MaxBw=100% Pri=8
        Ingress IPTOS:  Disabled
        Egress IPTOS:   Replacement disabled
        Egress 802.1p:  Replacement disabled
        Smart Redundancy:       Unsupported
        VLANs monitored for stats:      Unsupported
        Software redundant port:        Unsupported
        jitter-tolerance:       Unsupported


Verifying QoS Configuration and Performance

You can display a variety of QoS measures using the CLI.

Monitoring Performance—BlackDiamond 10K Switch Only

After you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor on the BlackDiamond 10K switch to determine whether the application performance meets your expectations.

The QoS monitor provides a snapshot display of the monitored ports. To view switch performance per port, enter the following command:

show ports <port_list> qosmonitor {ingress | egress} {no-refresh}

NOTE

You must specify ingress to view the ingress rate-shaping performance. By default, this command displays the egress performance.

Displaying QoS Profile Information on the BlackDiamond 10K Switch Only

To display QoS information on the BlackDiamond 10K switch, enter the following command:

show qosprofile {ingress | egress} {ports [ all | <port_list>]}

Displayed information includes:

● QoS profile name

● Minimum bandwidth

● Maximum bandwidth

● Priority

Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches and Summit X450 Switch Only

To display QoS information on the BlackDiamond 8800 family of switches and the Summit X450 switch, enter the following command:

show qos profile

Displayed information includes:

● QoS profiles configured

● Weight

● Maximum buffer percent

Figure 33: Verifying QoS Configuration and Performance

Other Useful QoS Display Commands

Additionally, QoS information can be displayed from the traffic grouping perspective by using one or more of the following commands.

To display the QoS profile assignments to the VLAN, enter the following command:

show vlan

To display information, including QoS, for the port, enter the following command:

show ports <list> info {detail}

To display policy files that may affect QoS, enter the following command:

show policy detail

Figure 34: Other Useful QoS Display Commands

Egress Traffic Rate Limiting—BlackDiamond 8800 Family of Switches and Summit X450 Switch Only

You can configure the maximum egress traffic allowed per port by specifying the committed rate, or you can allow the egress traffic to pass as an unlimited flow.

You can limit egress traffic on a 1 Gbps port in increments of 64 Kbps; on a 10 Gbps port, you can limit egress traffic in increments of 1 Mbps. Optionally, you can also configure a maximum burst size, higher than the limit, that is allowed to egress the specified port(s) for a short duration (a burst).

The default behavior is to have no limit on the egress traffic per port.

To configure an egress traffic rate limit for a port or groups of ports, enter the following command:

configure ports <port_list> rate-limit egress [no-limit | <cir-rate> [Kbps | Mbps | Gbps] {max-burst-size <burst-size> [Kb | Mb]}]

Syntax Description

port_list         Specifies one or more ports or slots and ports.
no-limit          Specifies that traffic be transmitted without limit; use it to reconfigure or unconfigure previous rate-limiting parameters.
cir-rate          Specifies the desired rate limit in Kbps, Mbps, or Gbps.
max-burst-size    Specifies the amount of traffic above the cir-rate that is allowed to burst (for a short duration) from the port, in kilobits (Kb) or megabits (Mb).

To view the configured egress port rate-limiting behavior, issue the following command:

show ports {mgmt | <port_list>} information {detail}

You must use the detail parameter to display the Egress Port Rate configuration and, if configured, the Max Burst size. You can also display this information using the following command:

show configuration vlan

Figure 35: Egress Traffic Rate Limiting - BlackDiamond 8800 Family of Switches and Summit X450 Switch Only

Figure 36: Egress Traffic Rate Limiting Sample Configuration

Bi-Directional Rate Shaping—BlackDiamond 10K Switch Only

With software version 11.0, you can configure and display bi-directional rate shaping parameters on the BlackDiamond 10K switch. Bi-directional rate shaping allows you to manage bandwidth on Layer 2 and Layer 3 traffic flowing to each port on the switch and from there to the backplane. You can configure up to 8 ingress queues, which send traffic to the backplane, per physical port on the I/O module. By defining minimum and maximum bandwidth for each queue, you define committed and peak information rates for each queue. You can define different priorities for each queue for each port. Rate shaping on the ingress port allows the switch to enforce how much traffic from a particular port can ingress to the system.

Bi-directional rate shaping on the BlackDiamond 10K switch controls the traffic from the ingress ports to the backplane and provides guaranteed minimum rates. The number of queues from the ingress port to the backplane differs between I/O modules. The 1 Gbps I/O module has 2 queues from the ingress port to the backplane, and the 10 Gbps I/O module has 8 queues from the ingress port to the backplane.

You set minimum bandwidth, maximum bandwidth, and priority for each queue for each port. Prioritization applies when two or more hardware queues on the same physical port are contending for transmission, and only after their respective bandwidth management parameters have been satisfied. Once the priorities are satisfied, the switch uses a round-robin system to empty the queues to the backplane.

Table 7 displays the mapping of the ingress queues and the priority value for each I/O module.

Viewing Discarded Traffic Statistics

Using bi-directional rate shaping, excess traffic is discarded at the I/O module and does not traverse to the backplane. To view statistics on the discarded traffic, enter one of the following commands:

show ports qosmonitor
show ports information

The 802.1p value is mapped to the ingress queue. For untagged ports, use port- or VLAN-based QoS to map traffic to the ingress queue.

Figure 37: Bi-Directional Rate Shaping

Table 7: Ingress queue mapping for I/O modules on the BlackDiamond 10K Switch

I/O module       Ingress queue   Priority value
1 Gbps module    IQP1            1 to 4
                 IQP2            5 to 8
10 Gbps module   IQP1            1
                 IQP2            2
                 IQP3            3
                 IQP4            4
                 IQP5            5
                 IQP6            6
                 IQP7            7
                 IQP8            8

Bi-directional Rate Shaping
• Allows Committed Information Rate (CIR)-type services over Ethernet
• Each "service" has bi-directional bandwidth management (min%, max%)
• All existing classifications (e.g. DiffServ) and queues can be used for 8 classes of service in both directions.

Black Diamond 10K Bandwidth Settings

You apply ingress QoS profile (IQP or rate shaping) values on the BlackDiamond 10K switch as either a percentage of bandwidth or as an absolute value in Kbps or Mbps. IQP bandwidth settings are in turn applied to queues on physical ports. The impact of the bandwidth setting is determined by the port speed (1 or 10 Gbps).

NOTE

You may see slightly different bandwidths because the switch supports granularity down to 62.5 Kbps.

Maximum Bandwidth Settings

The maximum bandwidth settings determine the port bandwidth available to each of the ingress port queues.

Minimum Bandwidth Settings

The minimum bandwidth settings, or maximum committed rate settings, determine the port bandwidth reserved for each of the ingress port queues.

Table 8 displays the maximum committed rates available for each port on each BlackDiamond 10K switch I/O module.

Please note that these maximum committed rates vary with the number of active ports on each I/O module. The rates shown in Table 8 are what you can expect when you are running traffic on all ports. If you are using fewer ports, you will have higher committed rates available for each port, and the maximum committed rate is reached when you are running traffic on only one port.

NOTE

Cumulative percentages of minimum bandwidth of the queues on a given port should not exceed 100%.

If you choose a setting not listed in the tables, the setting is rounded up to the next value. If the actual bandwidth used is below the minimum bandwidth, the additional bandwidth is not available for other queues on that physical port.

Figure 38: Black Diamond 10K Bandwidth Settings

Table 8: Maximum committed rates per port for I/O modules on the BlackDiamond 10K Switch

I/O module       MSM configuration   Maximum committed rate
1 Gbps module    Single MSM          200 Mbps
                 Dual MSM            400 Mbps
10 Gbps module   Single MSM          2 Gbps
                 Dual MSM            4 Gbps

Configuring Bi-Directional Rate Shaping

Bi-directional rate shaping allows you to manage bandwidth on layer 2 and layer 3 traffic flowing both to and from the switch.

By defining minimum and maximum bandwidth for each queue, you can define:

● committed information rates for each queue

● different ingress and egress rates

You can then provide traffic groupings (such as physical port, VLAN, 802.1p, DiffServ, IP address, or layer 4 flow) for the predefined QoS profiles, directing specific types of traffic to the desired queue.

The maximum bandwidth or rate defined in the BlackDiamond 10K switch ingress QoS profile defines the rate limit for ingress traffic on rate-shaped ports. You set minimum and maximum rates for each queue on the ingress port, using either a percentage of total bandwidth or absolute values for committed and peak rates in Kbps or Mbps. You also set the priority level for each queue.

To define rate shaping on a port, assign a minimum and maximum bandwidth or rate plus a priority value to each queue on the ingress port by entering the following command:

configure qosprofile ingress <iqp> [{committed_rate <committed_bps> [k | m]} {maxbw <maxbw_number>} {minbw <minbw_number>} {peak_rate <peak_bps> [k | m]} {priority [<priority> | <priority_number>]}] ports [<port_list> | all]

If you choose to use committed rate and peak rate values, be aware of the interactions between the values and the command line interface (CLI) management system. You can enter any integer from 0 in the CLI; however, functionally the switch operates only in multiples of 62.5 Kbps. Also note that the CLI system does not accept decimals.

Rate shaping is disabled by default on all ports; the system still uses existing 802.1p, port, and VLAN values to assign packets to the ingress queue. The rate shaping function is used to assign specific priorities by absolute rates or percentages of the bandwidth.

To enable this rate shaping feature, use the configure qosprofile ingress command shown above. To disable rate shaping, enter the following command:

unconfigure qosprofile ingress ports all

To display the parameters for rate shaping (the values for the IQPs), enter the following commands:

show qosprofile {ingress | egress} {ports [ all | <port_list>]}
show ports {mgmt | <port_list>} information {detail}

Additionally, you can monitor the performance on the BlackDiamond 10K switch by using the following command:

show ports <port_list> qosmonitor {ingress | egress} {no-refresh}

NOTE

You must specify ingress to view ingress rate shaping performance.
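The two rate features in this module impose quantization and capacity rules that are easy to get wrong by hand: the BlackDiamond 8800/Summit X450 egress limit moves in 64 Kbps steps on 1 Gbps ports and 1 Mbps steps on 10 Gbps ports, while BlackDiamond 10K ingress queues take whole-number CLI values, operate in 62.5 Kbps multiples, must not commit more than 100% of a port, and are bounded by the Table 8 committed rates. The following Python planner is an added example, not Extreme Networks code; only the granularities, the Table 7 queue counts, the Table 8 limits and the CLI forms quoted in this module are taken from the guide, and the sample queue requests in the test are constructed.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

KBPS_1G, KBPS_10G = 1_000_000, 10_000_000
IQP_STEP = Fraction(125, 2)                    # 10K ingress queues work in 62.5 Kbps steps
EGRESS_STEP = {KBPS_1G: 64, KBPS_10G: 1000}    # 8800/X450 egress limit: 64 Kbps / 1 Mbps
QUEUES_BY_SPEED = {KBPS_1G: ("IQP1", "IQP2"),  # Table 7: 2 queues on 1G, 8 on 10G modules
                   KBPS_10G: tuple(f"IQP{i}" for i in range(1, 9))}
MAX_COMMITTED = {(KBPS_1G, 1): 200_000, (KBPS_1G, 2): 400_000,        # Table 8, in Kbps,
                 (KBPS_10G, 1): 2_000_000, (KBPS_10G, 2): 4_000_000}  # all ports active


def round_up(kbps: Fraction, step: Fraction) -> Fraction:
    """Next multiple of step at or above kbps (the guide: unlisted settings round up)."""
    q = Fraction(kbps) / Fraction(step)
    return -(-q.numerator // q.denominator) * Fraction(step)


def to_kbps(value: str, port_speed: int) -> Fraction:
    """Accept the CLI forms '35%', '500k' or '20m'; whole numbers only, as the CLI
    rejects decimals."""
    v = value.strip().lower()
    digits, unit = v[:-1], v[-1:]
    if not digits.isdigit():
        raise ValueError(f"{value!r}: the CLI accepts whole numbers only")
    if unit == "%":
        return Fraction(int(digits) * port_speed, 100)
    if unit == "k":
        return Fraction(int(digits))
    if unit == "m":
        return Fraction(int(digits) * 1000)
    raise ValueError(f"{value!r}: expected a %, k or m suffix")


def plan_ingress(port_speed: int, msm_count: int,
                 queues: Dict[str, Tuple[str, str, int]]):
    """queues = {IQPn: (minimum, maximum, priority)}.  Returns (plan, problems) where
    plan[IQPn] = (requested_min_kbps, requested_max_kbps, effective_min_kbps, priority)."""
    plan, problems, total_min = {}, [], Fraction(0)
    for name, (lo, hi, prio) in queues.items():
        if name not in QUEUES_BY_SPEED[port_speed]:
            problems.append(f"{name}: not an ingress queue on a {port_speed // 1_000_000} Gbps port")
            continue
        lo_k, hi_k = to_kbps(lo, port_speed), to_kbps(hi, port_speed)
        eff_lo = round_up(lo_k, IQP_STEP)       # what the hardware will actually reserve
        if lo_k > hi_k:
            problems.append(f"{name}: minimum {lo_k} Kbps exceeds maximum {hi_k} Kbps")
        if hi_k > port_speed:
            problems.append(f"{name}: maximum {hi_k} Kbps exceeds the port speed")
        if not 1 <= prio <= 8:
            problems.append(f"{name}: priority {prio} is outside 1..8")
        total_min += eff_lo
        plan[name] = (int(lo_k), int(hi_k), eff_lo, prio)
    if total_min > port_speed:
        problems.append("cumulative minimum bandwidth exceeds 100% of the port")
    cap = MAX_COMMITTED[(port_speed, msm_count)]
    if total_min > cap:
        problems.append(f"committed {total_min} Kbps exceeds the Table 8 limit of {cap} Kbps "
                        "when every port on the module carries traffic")
    return plan, problems


def ingress_commands(port_list: str, plan) -> List[str]:
    """Render the guide's 'configure qosprofile ingress' syntax in its absolute-rate form."""
    return [f"configure qosprofile ingress {name} committed_rate {lo} k "
            f"peak_rate {hi} k priority {prio} ports {port_list}"
            for name, (lo, hi, _eff, prio) in plan.items()]


def egress_rate_limit(port: str, port_speed: int, cir_kbps: int,
                      burst_kb: Optional[int] = None) -> str:
    """8800/X450 only: snap the committed rate up to the port's increment and render
    'configure ports <port> rate-limit egress ...'."""
    rate = int(round_up(Fraction(cir_kbps), Fraction(EGRESS_STEP[port_speed])))
    if rate > port_speed:
        raise ValueError("committed rate exceeds the port speed")
    cmd = f"configure ports {port} rate-limit egress {rate} Kbps"
    return cmd + (f" max-burst-size {burst_kb} Kb" if burst_kb else "")


if __name__ == "__main__":
    # Constructed request: two queues on a 1 Gbps port of a single-MSM chassis.
    plan, problems = plan_ingress(KBPS_1G, 1, {"IQP1": ("10%", "50%", 1),
                                               "IQP2": ("500k", "20m", 5)})
    print("\n".join(ingress_commands("5:1", plan)), problems)
    print(egress_rate_limit("1:1", KBPS_1G, 1000))
```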

Figure 39: Configuring Bi-Directional Rate Shaping

Modifying a QoS Policy

If you make a change to the parameters of a QoS profile after a QoS policy has been created (by applying a QoS profile to a traffic grouping), the timing of the configuration change depends on the traffic grouping involved.

To have a change in QoS profile effect a change in the QoS policy, the following rules apply:

● For destination MAC-based grouping (other than permanent), you must clear the MAC FDB. To clear the MAC FDB, enter the following command:

clear fdb

This command should also be issued after a policy is first formed, as the policy must be in place before an entry is made in the MAC FDB.

● For permanent destination MAC-based grouping, re-apply the QoS profile to the static FDB entry.

● For physical and logical groupings of a source port or VLAN, re-apply the QoS profile to the source port or VLAN.

Figure 40: Modifying a QoS Policy

Assigning Policy-Based QoS: Review

Step 1 – Make a QoS profile

QoS profile — A class of service that is defined through minimum and maximum bandwidth parameters, configuration of buffering, and prioritization settings. The bandwidth and level of service that a particular type of traffic or “traffic grouping” receives is determined by assigning it to a QoS profile.

Step 2 – Create a traffic grouping

A traffic grouping is a classification or traffic type that has one or more attributes in common. These can range from a physical port to a VLAN to IP Layer 4 port information. Traffic groupings are assigned to QoS profiles to modify switch-forwarding behaviour. Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, and hence share the class of service.

Step 3 – Create a QoS policy

Assign one or more traffic groupings to a QoS profile to create a QoS policy.

Figure 41: Assigning Policy-Based QoS

Summary

You should now be able to:

● Define QoS

● Identify two major benefits of QoS

● Identify five major traffic types

● Describe policy-based QoS

● Sequence the three steps required to assign QoS attributes

● Define QoS profile

● Describe QoS profile parameters

● Configure QoS profile

● Identify differences between configuring QoS on the BlackDiamond 8800 family of switches and Summit X450 and configuring QoS on a BlackDiamond 10K

● Define traffic grouping

● Sequence traffic groupings in order of precedence (highest to lowest)

● Describe IP-based traffic grouping

● Describe destination MAC address traffic grouping

● Configure destination MAC address traffic grouping

● Describe Explicit Class of Service traffic grouping

● Configure Explicit Class of Service traffic grouping

● Describe physical and logical groupings

● Describe QoS policy

● Verify QoS traffic grouping priority settings

● Reset priority setting to default values

● Monitor QoS

● Modify a QoS policy

● Configure Egress Traffic Rate Limiting on the Black Diamond 8800 family of switches and Summit X450 switch

● Configure Bi-Directional Rate Shaping on the BlackDiamond 10K switch

Figure 42: Summary

Figure 43: Summary (cont)

Module 9 sFlow

Student Objectives

Upon completion of this module, the successful student is able to:

● Define sFlow

● Identify sFlow applications

● List components required for sFlow

● Describe ExtremeWare XOS sFlow implementation

● Sequence the sFlow configuration steps on an Extreme Networks switch

● Configure sFlow on an Extreme Networks switch

● Reset sFlow values to their default values on an Extreme Networks switch

● Display sFlow configuration and statistics related information

Figure 1: Student Objectives

sFlow

sFlow® is a technology for monitoring traffic in data networks containing switches and routers. It relies on statistical sampling of packets from high-speed networks, plus periodic gathering of the statistics. A User Datagram Protocol (UDP) datagram format is defined to send the information to an external entity for analysis. sFlow consists of a Management Information Base (MIB) and a specification of the packet format for forwarding information to a remote agent.

Applications

Network Troubleshooting

sFlow enables the viewing of network traffic. Normal traffic serves as a baseline metric, so irregular network traffic patterns become visible, facilitating analysis and resolution.

Controlling Congestion

Using sFlow, it is possible to monitor traffic flows through ports. Highly subscribed links can be identified together with their associated traffic sources. sFlow data can help determine the appropriate response, such as selective bandwidth provisioning or traffic priority.

Security and Audit Trail Analysis

sFlow provides network-wide information gathering and route tracing data. From such information, traffic generated by possible internal and external threats can be identified and controlled.

Route Profiling

Active traffic routes and flows can be analyzed from sFlow data, enabling a network administrator to optimize and tune the network routing.

Accounting and Billing for Usage

sFlow data is also useful when determining network service charges to clients. It is possible to give customers an itemized breakdown of their traffic, with top client applications highlighted.

Additional Information

Details of the sFlow specification can be found in RFC 3176, and specifications and more information can be found at the following website:

http://www.sflow.org

Figure 2: sFlow

Figure 3: http://www.sflow.org

sFlow Components

An sFlow solution consists of network equipment and software applications.

Network Equipment

An sFlow Agent software process resides at the network management software level of a switch. The switching and routing ASICs feed traffic data to the sFlow Agent. The sFlow Agent performs minimal processing; it just packages the data into sFlow datagrams that are immediately forwarded.

Software Applications

The sFlow datagrams are captured by sFlow Collector applications. sFlow applications provide a variety of functionality, including network traffic analysis, troubleshooting, audit trail security analysis, and accounting for billing.

Figure 4: sFlow Components

ExtremeWare XOS sFlow Implementation

The ExtremeWare XOS implementation is based on sFlow version 5, which is an improvement on the revision specified in RFC 3176. Additionally, the switch hardware allows you to set the hardware sampling rate independently for each module on the switch, instead of requiring one global value for the entire switch. The switch software also allows you to set the individual port sampling rates, so you can fine-tune the sFlow statistics gathering. Per the RFC, sFlow sampling is done on ingress only.

NOTE

On the BlackDiamond 8800 family of switches, sFlow and mirroring are mutually exclusive. You can enable either sFlow, or mirroring, but not both.

However, you should be aware of a few limitations in the current release. The current release supports:

● Generic port statistics reported to the sFlow collector

● Non-extended data

● Only those packets that do not match an ACL rule are considered for sampling

● Only port-based sampling

● No MIB support

Figure 5: ExtremeWare XOS sFlow Implementation

ExtremeWare XOS sFlow Implementation

Based on sFlow version 5

Switch hardware allows you to set the hardware sampling rate independently for each module on the switch

Switch software allows you to set the individual port sampling rates

sFlow sampling is done on ingress only

No MIB support


Configuring sFlow

ExtremeWare XOS allows you to collect sFlow statistics on a per-port basis. An agent, residing locally on the switch, sends data to a collector that resides on another machine. You configure the local agent, the address of the remote collector, and the ports of interest for sFlow statistics gathering. You can also modify the default values for how frequently, on average, a sample is taken and for the maximum number of samples allowed before sample gathering is throttled.

To configure sFlow on a switch, you must do the following tasks:

● Configure the local agent

● Configure the addresses of the remote collectors

● Enable sFlow globally on the switch

● Enable sFlow on the desired ports

Optionally, you may also change the default values of the following items:

● How often the statistics are collected

● How frequently a sample is taken, globally or per port

● How many samples per second can be sent to the CPU

Configuring the Local Agent

The local agent is responsible for collecting the data from the samplers and sending that data to the remote collector as a series of UDP datagrams. The agent address is stored in the payload of the sFlow data and is used by the sFlow collector to identify each agent uniquely. By default, the agent uses the management port IP address as its IP address. You change the agent IP address by entering the following command:

configure sflow agent {ipaddress} <ip-address>

You unconfigure the agent using this command:

unconfigure sflow agent

Configuring the Remote Collector Address

You can specify up to four remote collectors to send the sFlow data to. Typically, you configure the IP address of each collector. You may also specify a UDP port number different from the default value of 6343, and/or a virtual router different from the default of VR-Mgmt. When you configure a collector, the system creates a database entry for that collector that remains until the collector is unconfigured. Configure the remote collector by entering the following command:

configure sflow collector {ipaddress} <ip-address> {port <udp-port-number>} {vr <vrname>}

To unconfigure the remote collector and remove it from the database, type the following command:

unconfigure sflow collector {ipaddress} <ip-address> {port <udp-port-number>} {vr <vrname>}

Figure 6: Configuring sFlow

Configuring sFlow

1. Configure the local agent

2. Configure the addresses of the remote collectors

3. Enable sFlow globally on the switch

4. Enable sFlow on the desired ports

Figure 7: Configuring the Local Agent and Remote Collector Address

To configure the local agent, type the following command:

configure sflow agent {ipaddress} <ip-address>

To configure the remote collector address, type the following command:

configure sflow collector {ipaddress} <ip-address> {port <udp-port-number>} {vr <vrname>}


Enabling sFlow Globally on the Switch

Before the switch starts sampling packets for sFlow, you must enable sFlow globally on the switch. To enable sFlow globally, type the following command:

enable sflow

You disable sFlow globally with the following command:

disable sflow

When you disable sFlow globally, the individual ports are also put into the disabled state. If you later enable the global sFlow state, individual ports return to their previous state.

Enabling sFlow on the Desired Ports

Enable sFlow on specific ports by entering the following command:

enable sflow ports <port_list>

You may enable and disable sFlow on ports irrespective of the global state of sFlow, but samples are not taken until both the port state and the global state are enabled.

To disable sFlow on ports, type the following command:

disable sflow ports <portlist>

Figure 8: Enabling sFlow Globally on the Switch and Specific Ports

Enabling sFlow Globally on the Switch and Specific Ports

To enable sFlow globally on the switch, type the following command:

enable sflow

To enable sFlow on specific ports, type the following command:

enable sflow ports <port_list>


Additional sFlow Configuration Options

There are three global options that you can configure to values different from the defaults. These affect how frequently the sFlow data is sent to the remote collector, how frequently packets are sampled, and the maximum number of sFlow samples that can be processed by the CPU per second.

You can also configure how frequently packets are sampled per port.

Polling Interval

Each port counter is periodically polled to gather the statistics to send to the collector. If there is more than one counter to be polled, the polling is distributed so that each counter is visited once during each polling interval and the data flows are spaced in time. For example, assume that the polling interval is 20 seconds and there are 40 counters to poll. Two ports are polled each second until all 40 are polled. To configure the polling interval, type the following command:

configure sflow poll-interval <seconds>

Global Sampling Rate

This is the rate that newly enabled sFlow ports will have their sample rate set to. Changing this rate does not affect currently enabled sFlow ports. The default sample rate is 8192, so by default sFlow samples one packet out of every 8192 received. You configure the switch to use a different sampling rate with the following command:

configure sflow sample-rate <number>

For example, if you set the sample rate number to 16384, the switch samples one out of every 16384 packets received. Higher numbers mean fewer samples and longer times between samples. If you set the number too low, the number of samples can be very large, which increases the load on the switch. Do not configure the sample rate to a number lower than the default unless you are sure that the traffic rate on the source is low.

Per Port Sampling Rate

You can set the sampling rate on individual ports by entering the following command:

configure sflow ports <portlist> sample-rate <number>

Maximum CPU Sample Limit

A high number of samples can cause a heavy load on the switch CPU. To limit the load, there is a CPU throttling mechanism to protect the switch. Whenever the limit is reached, the sample rate value is doubled on the slot from which the maximum number of samples are received. For ports on that slot that are sampled less frequently, the sampling rate is not changed; the sub-sampling factor is adjusted downward. To configure the maximum CPU sample limit, type the following command:

configure sflow max-cpu-sample-limit <rate>
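As an added illustration (not ExtremeWare XOS code; only the rules stated in this section written out in Python), the following block computes the sample load a slot produces for a given traffic rate and sample rate, applies the max-cpu-sample-limit rule of doubling the sample rate on the busiest slot until the load fits, and spreads counter polls across a poll-interval the way the 40-counters-in-20-seconds example describes. The slot traffic rates and the limit of 200 samples per second used to exercise it are constructed, and the per-port sub-sampling adjustment mentioned above is not modelled.

```python
"""Model of the three sFlow tuning knobs described above (added example; this
is not ExtremeWare XOS code, only the rules the text states, written out):
sample load per slot, the max-cpu-sample-limit throttling rule, and the way
counter polls are spread across a poll-interval.  Per-port sub-sampling on a
throttled slot is not modelled."""
import math


def expected_samples_per_sec(pps, sample_rate):
    """One packet in every sample_rate received packets is sampled."""
    return pps / sample_rate


def throttle(slot_pps, slot_rates, max_cpu_limit):
    """Apply the documented rule until the CPU budget holds: while the total
    sample load exceeds max_cpu_limit samples/s, double the sample rate on the
    slot currently delivering the most samples.  slot_pps and slot_rates are
    dicts keyed by slot; returns (final rates, [(slot, new rate), ...])."""
    if max_cpu_limit <= 0:
        raise ValueError("max_cpu_limit must be positive")
    rates, steps = dict(slot_rates), []
    while True:
        load = {s: expected_samples_per_sec(slot_pps[s], r) for s, r in rates.items()}
        if sum(load.values()) <= max_cpu_limit:
            return rates, steps
        worst = max(load, key=load.get)
        rates[worst] *= 2
        steps.append((worst, rates[worst]))


def polling_schedule(poll_interval, counters):
    """Spread counter polls evenly over the interval: counter i is visited at
    offset i * poll_interval / n, so 40 counters over 20 s give 2 per second.
    Returns {second: [counters polled in that second]}."""
    n, schedule = len(counters), {}
    for i, c in enumerate(counters):
        schedule.setdefault(math.floor(i * poll_interval / n), []).append(c)
    return schedule


if __name__ == "__main__":
    # Constructed: slot 1 carries 2 Mpps, slot 2 carries 0.5 Mpps, both at the default 8192
    print(throttle({1: 2_000_000, 2: 500_000}, {1: 8192, 2: 8192}, 200))
    print(polling_schedule(20, [f"port{i}" for i in range(40)])[0])
```

The model makes the warning in the text concrete: at 2 Mpps a slot sampled at the default 8192 already delivers about 244 samples per second, so a per-port rate set below the default on a busy port is what pushes the CPU past its limit and triggers the doubling.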

Figure 9: Additional sFlow Configuration Options

Additional sFlow Configuration Options

Polling Interval

Global Sampling Rate

Per Port Sampling Rate

Maximum CPU Sample Limit


Resetting sFlow Values and Verifying sFlow Information

Unconfiguring sFlow

You can reset any configured sFlow values to their defaults and remove any configured collectors and ports from sFlow by entering the following command:

unconfigure sflow

Displaying sFlow Information

To display the current sFlow configuration, type the following command:

show sflow {configuration}

To display the sFlow statistics, type the following command:

show sflow statistics

Figure 10: Resetting sFlow Values and Verifying sFlow Information

Resetting sFlow Values and Verifying sFlow Information

To reset configured sFlow values to their default values, type the following command:

unconfigure sflow

To display sFlow configuration, enter the following command:

show sflow {configuration}

To display sFlow statistics, enter the following command:

show sflow statistics

Figure 11: show sflow configuration


Summary

You should now be able to:

● Define sFlow

● Identify sFlow applications

● List components required for sFlow

● Describe ExtremeWare XOS sFlow implementation

● Sequence the sFlow configuration steps on an Extreme Networks switch

● Configure sFlow on an Extreme Networks switch

● Reset sFlow values to their default values on an Extreme Networks switch

● Display sFlow configuration and statistics related information

Figure 12: Summary

Summary

Define sFlow

Identify sFlow applications

List components required for sFlow

Describe ExtremeWare XOS sFlow implementation

Sequence the sFlow configuration steps on an Extreme Networks switch

Configure sFlow on an Extreme Networks switch

Reset sFlow values to their default values on an Extreme Networks switch

Display sFlow configuration and statistics related information

Module 10 Lab Exercises

ExtremeWare Security Fundamentals Rev 3.0


Lab 1 – Basic Switch and Routing Configuration

Objectives

Upon successful completion of this lab, you will be able to:

● Clear a switch of all previous configurations

● Assign an SNMP name to the switch

● Configure network VLANs with IP addresses

● Enable VLANs for IP forwarding

● Configure OSPF

● Add switches to Bbone vlan

● Display the following:

■ IP route table on the switch

■ Forwarding database

■ ARP table

■ IP forwarding database

Materials Required

● One PC running VT100 terminal emulation software

● TeraTerm Version 3.13 or higher is suggested

● One i-series Extreme Networks® switch with Ethernet interfaces and no existing configuration

● One PC to switch console cable

● One PC to switch Ethernet cable connected to port 2 of the switch


Network Diagram

Remark

There are two cables connected between the switches instead of an 802.1Q trunk. This is done only to demonstrate how the dynamic routing protocols react to topology changes in the following labs. Normally you would use only one cable and configure an 802.1Q trunk.


Part 1 Clearing the Switch Configuration and Naming the Switch

1 As described in the network diagram, cable the switches and PCs.

2 Clear the switch of all previous configuration, by entering the following command:

unconfigure switch all

3 Name the switch according to the following template: EAS_LAB_<team number>, by entering the following command:

configure snmp sysname EAS_LAB_X

Part 2 Configuring the VLANs

1 Delete all ports from VLAN default, by entering the following command:

configure default delete port all

2 Depending on which VLANs your switch is connected to, create the VLANs Bbone, Alpha, Beta, Charlie, One, Two, Three, Four, Five, and Six, by entering the following command:

create vlan <name>

Switch      VLAN    VLAN     VLAN    Router ID
EAS_LAB_1   Bbone   Alpha    One     1.1.1.1
EAS_LAB_2   Bbone   Alpha    Two     2.2.2.2
EAS_LAB_3   Bbone   Beta     Three   3.3.3.3
EAS_LAB_4   Bbone   Beta     Four    4.4.4.4
EAS_LAB_5   Bbone   Charlie  Five    5.5.5.5
EAS_LAB_6   Bbone   Charlie  Six     6.6.6.6


3 Add the following ports (untagged) to the VLANs, by entering the following command:

configure <vlan name> add port <number>

VLAN      EAS_LAB_1  EAS_LAB_2  EAS_LAB_3  EAS_LAB_4  EAS_LAB_5  EAS_LAB_6
Bbone     4          4,5        4,5        4,5        4,5        5
Alpha     3          3          -          -          -          -
Beta      -          -          3          3          -          -
Charlie   -          -          -          -          3          3
One       2          -          -          -          -          -
Two       -          2          -          -          -          -
Three     -          -          2          -          -          -
Four      -          -          -          2          -          -
Five      -          -          -          -          2          -
Six       -          -          -          -          -          2

4 Create the following routing interfaces (N is the number of your switch):

VLAN      IP            EAS_LAB_1  EAS_LAB_2  EAS_LAB_3  EAS_LAB_4  EAS_LAB_5  EAS_LAB_6
Bbone     10.0.0.N/24   yes        yes        yes        yes        yes        yes
Alpha     10.1.0.N/24   yes        yes        -          -          -          -
Beta      10.2.0.N/24   -          -          yes        yes        -          -
Charlie   10.3.0.N/24   -          -          -          -          yes        yes
One       10.1.N.N/24   yes        -          -          -          -          -
Two       10.1.N.N/24   -          yes        -          -          -          -
Three     10.2.N.N/24   -          -          yes        -          -          -
Four      10.2.N.N/24   -          -          -          yes        -          -
Five      10.3.N.N/24   -          -          -          -          yes        -
Six       10.3.N.N/24   -          -          -          -          -          yes


5 Configure the PC with the following parameters:

Part 3 Configuring OSPF Routing on the Backbone Area

1 Enable IP forwarding for all VLANs on your switch, by entering the following command:

enable ipforwarding

2 Add all VLANs to the OSPF backbone area, by entering the following command:

configure ospf add <vlan>

3 Add loopback interfaces for OSPF, by entering the following command:

enable ospf

4 Enable the OSPF Routing Protocol on the switch, by entering the following command:

enable ospf

5 From the PC and switch, verify full network connectivity using ping and traceroute

Part 4 Verifying Switch and Routing Configuration

1 Verify your switch configuration, by entering the following commands:

show ipconfig

show iproute

show fdb

show iparp

2 Display general OSPF information, by entering the following command:

show ospf

3 Display area specific information, by entering the following command:

show ospf area

4 Display OSPF interface information, by entering the following command:

show ospf interfaces

5 Configure the ports in VLAN Bbone at the lowest possible fixed speed, full duplex, and check the impact of this change in the routing table.

6 Save your current configuration in preparation for the next lab exercise.

PC parameters for Part 2, step 5:

PC   IP Address    Subnet Mask      Default Gateway
1    10.1.1.101    255.255.255.0    10.1.1.1
2    10.1.2.102    255.255.255.0    10.1.2.2
3    10.2.3.103    255.255.255.0    10.2.3.3
4    10.2.4.104    255.255.255.0    10.2.4.4
5    10.3.5.105    255.255.255.0    10.3.5.5
6    10.3.6.106    255.255.255.0    10.3.6.6

Lab 2 – Switch Access

Objectives

Upon successful completion of this lab, you will be able to:

● Create a new user account

● Disable SNMP access

● Set the switch idle-timer

● Configure the switch banner message.

● Load the SSH module

● Set-up a connection between an SSH2 client and a SSH2 server.

● Configure the switch as a RADIUS client

Materials Required

● (optional) Packet sniffer or Ethernet Analyzer

● An additional PC/Laptop + cabling is introduced to act as the RADIUS server (10.0.0.100/24).

Trainer info: The RADIUS server (EPICenter recommended) needs all switches pre-configured as clients with the correct shared secret (12secure) and a user account for each switch (user-id team_x with password access)


Network Diagram

NOTE

Only on switch 3, add port 1 (This is the port where the RADIUS server is connected) untagged to VLAN Bbone, by entering the following command:

configure Bbone add port 1

[Network diagram (image not reproduced): VLAN Core 10.0.0.0/24 joins switches SA_LAB_1 to SA_LAB_6 (addresses .1 to .6 on ports 4 and 5) and the RADIUS server at .100 on switch 3 port 1. VLAN A 10.1.0.0/24, VLAN B 10.2.0.0/24 and VLAN C 10.3.0.0/24 connect switch pairs 1/2, 3/4 and 5/6 on port 3. Workstation VLANs One 10.1.1.0/24, Two 10.1.2.0/24, Three 10.2.3.0/24, Four 10.2.4.0/24, Five 10.3.5.0/24 and Six 10.3.6.0/24 hang off port 2 of switches 1 to 6, with PCs .101 to .106.]


Part 1 Creating a New User Account, Disabling SNMP Access, and Configuring Idletimeouts

1 Create a new administrator account with name “team_x” (x = switch ID number) and password “access,” by entering the following command:

create account admin team_x

2 Prevent SNMP access to the switch, by entering the following command:

disable snmp access

3 Activate the switch idle-timeout feature, by entering the following command:

enable idletimeouts

4 Configure the threshold to 10 minutes, by entering the following command:

configure idletimeouts 10

5 Verify your configuration modifications, by entering the following command:

show management

Part 2 Configuring the Switch Banner Message

1 Create the switch banner message that is displayed when a login is attempted, by entering the following commands:

configure banner [Enter]
Switch access for Authorized staff only. [Enter]
Disconnect now if you have no permission to access. [Enter]
E-Mail [email protected] for more information. [Enter]
[Enter]

● Up to 24 rows of 79 characters wide text can be entered

● Pressing [Enter] at the beginning of a new line saves the previously entered text and enables the login display banner

● Pressing [Enter] at the beginning of the first line clears the login display banner

2 Verify the switch banner message is configured correctly by logging out and then logging in.

Part 3 Installing the SSH2 Module

1 Download the ssh module to the switch by entering the following command:

download image <ipaddress of pc> summitX450-11.3.1.1-ssh.xmod vr vr-Default

2 Enable the module by entering the following command:

run update


Part 4 Configuring SSH2

1 Generate an SSH2 key, by entering the following command:

configure ssh2 key

Be patient, this process can take up to 10 minutes.

2 After generating the SSH2 key, activate SSH2, by entering the following command:

enable ssh2

3 From your PC, launch the TeraTerm (version 3.13) application and choose ssh as the service method. Fill in the switch IP address as host and press OK. You get a request to accept the new host key; click the OK button and log in with the team_x account created earlier. The host-key message is shown at the first connection attempt and every time the switch has generated new keys.

4 Verify SSH2 configuration steps on the switch by entering the following commands:

show management

show session

show log

5 Set up an SSH2 session with your neighbor’s switch (switches 1 and 2, 3 and 4, and 5 and 6 pair up). At your switch prompt, enter the following command:

ssh2 [email protected] vr vr-default

“x” is the switch number.

6 A request for a password is displayed. Enter the password.

7 You should now be successfully logged into the other switch. Notice the CLI prompt has changed from your switch name to your neighbor’s switch name.

8 Verify on your neighbor’s switch your connection set-up, by entering the following commands:

show log

show session

9 (optional) Verify SSH2 encrypts sent and received data. Using an Ethernet sniffer, capture:

● telnet login switch access

● ssh2 login switch access

You can see the difference in packets between Telnet (plain text) and SSH2 (encrypted) access if you capture login attempts using both protocols. Make sure you disconnect any Telnet or SSH session you have to the other switches when sniffing traffic.

Part 5 Configuring the Switch as a RADIUS Client

The next step is to include RADIUS as the authentication protocol for accessing the switch. The RADIUS server (10.0.0.100) is pre-configured by the trainer (accounts, clients, and shared secret).

1 Configure your switch as a RADIUS client, by entering the following command:

configure RADIUS mgmt-access primary server 10.0.0.100 client-ip 10.0.0.x vr “VR-Default”

“x” is the switch number

2 Configure the shared-secret “12secure,” by entering the following command:

configure RADIUS mgmt-access primary shared-secret 12secure


3 After configuring your switch as a RADIUS client with the specified RADIUS server and shared-secret, enable RADIUS, by entering the following command:

enable RADIUS mgmt-access

4 Confirm the RADIUS settings (default port is 1812, RADIUS enabled etc...), by entering the following command:

show radius

5 Verify RADIUS authentication is working. Create a new ssh2 session to the switch using the team_x account and see if you are being authenticated by RADIUS, by entering the following command:

show session

6 Remove the cable from switch 3 port 1 and make a new connection (either Telnet, SSH2 or console) using the team_x account. Note what happens.

Existing connections stay up when the RADIUS server becomes unreachable, while new connections are authenticated (after the timeout interval) against the local user database.

7 Connect the cable back to port 1 switch 3.

8 Save your current configuration in preparation for the next lab exercise.
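To show why the shared secret configured in this part matters, the following Python is an added example (not ExtremeWare XOS code and not the lab's RADIUS server) of the two places RFC 2865 uses that secret: hiding User-Password inside an Access-Request and computing the Response Authenticator that the client checks on every reply. It uses the lab values user team_1, password access, secret 12secure and client IP 10.0.0.1; the function names and the constructed reply are this example's own.

```python
"""How the RADIUS shared secret is used between the switch (RADIUS client) and
the server (added example; not ExtremeWare XOS code).  Implements the two
places RFC 2865 uses the secret: hiding User-Password in an Access-Request,
and the Response Authenticator the client must verify on every reply.
Constructed values from the lab: user team_1, password access, secret 12secure,
client IP 10.0.0.1."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(p ^ b for p, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """The server's inverse of hide_password (zero padding stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode()


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, user, password, secret, client_ip, request_auth=None):
    """Return (packet, request_authenticator).  The authenticator is 16 random
    bytes the client must remember in order to check the reply."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in client_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(reply, request_auth, secret):
    """Client-side check: a reply that does not verify under the shared secret
    and the remembered Request Authenticator is discarded, so a wrong secret
    or a reply to a different request cannot grant access."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack_from("!BBH", reply, 0)
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def build_reply(code, ident, attrs, request_auth, secret):
    """What a server sends back; constructed here to exercise verify_response."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs
```

The client keeps the 16-byte Request Authenticator it sent and recomputes the MD5 over the reply with the shared secret; a reply built with a different secret, or one answering a different request, fails verify_response and is dropped. That check is what makes an Access-Accept worth anything, and it is why the secret on the switch (step 2) and on the server must match exactly and should not be guessable.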

Part 6 Changing the Default SNMPv3 User Password

1 Look at the default password assigned to the user initial by entering the following command:

show snmpv3 user initial

2 Change the default SNMPv3 user initial’s password to initialpassword by using the following command:

config snmpv3 add user initial authentication md5 initialpassword

MD5 authentication was specified.

3 Verify the default SNMPv3 user’s initial password was changed by entering the following command:

show snmpv3 user initial


Lab 3 – DoS Protection

Objectives

Upon successful completion of this lab exercise, you will be able to:

● Configure and enable the DoS-Protect feature.

● Verify the DoS-Protect configuration and status

● Troubleshoot CPU-DoS-Protect

Materials Required

● Each workstation should have WSTTCP.exe pre-installed for the purpose of traffic generation, and 3CDaemon to act as syslog server.

Part 1 Configuring DoS-Protect

1 On your switch, configure your workstation as the syslog server, by entering the following commands:

configure syslog add <ip address pc> local7

enable syslog

2 Verify your syslog set-up, by entering the following command:

show log configuration

3 Start the 3CDaemon program on your PC and select the syslog server option. Check that your PC is receiving syslog messages from the switch.

4 Specify the CPU-DoS-Protect alert and notice threshold values to 3000 and 2500 packets per second, by entering the following commands:

configure dos-protect type l3-protect alert-threshold 3000

configure dos-protect type l3-protect notify-threshold 2500

5 After configuring the CPU-DoS-Protect threshold values, enable CPU-DoS-Protect by entering the following command:

enable dos-protect

6 Now try and reach the threshold limits by generating traffic towards the switch CPU. At the MS-DOS prompt of your PC, enter the following command:

start wsttcp –t –u –n1000000 10.0.0.x

“x” represents the switch ID.

7 Verify activity and DoS-Protect configuration, by entering the following command:

show dos-protect

8 Check the syslog server or view incoming DoS Protect messages, by entering the following command:

show log
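The following detector is an added example (not ExtremeWare XOS code and not its log format) of the threshold logic Part 1 configures: it buckets packets aimed at a switch address per second and reports a notify event at 2500 pps and an alert at 3000 pps. The packet stream it runs over is constructed inside the block (a PC at 10.1.1.101 sending to 10.0.0.1 at rising rates), and evaluate and constructed_events are this example's own names.

```python
"""Threshold detector modelled on the lab's CPU-DoS-Protect settings (added
example; not ExtremeWare XOS code and not its logging format).  Buckets packets
aimed at a switch address per second and reports a notify event at 2500 pps
and an alert at 3000 pps, over a constructed packet stream."""
from collections import Counter

NOTIFY_THRESHOLD = 2500   # packets/s, the notify-threshold set in step 4
ALERT_THRESHOLD = 3000    # packets/s, the alert-threshold set in step 4


def evaluate(events, notify=NOTIFY_THRESHOLD, alert=ALERT_THRESHOLD):
    """events: iterable of (timestamp_seconds, src_ip, dst_ip) for packets that
    reach the switch CPU.  Returns one (second, dst_ip, pps, level, top_src)
    tuple per second and destination whose rate reaches a threshold; 'reaching'
    is taken as >= (an assumption of this model)."""
    buckets = {}
    for ts, src, dst in events:
        buckets.setdefault((int(ts), dst), Counter())[src] += 1
    findings = []
    for (second, dst), sources in sorted(buckets.items()):
        pps = sum(sources.values())
        if pps >= alert:
            level = "alert"
        elif pps >= notify:
            level = "notify"
        else:
            continue
        top_src = sources.most_common(1)[0][0]   # where most of the load came from
        findings.append((second, dst, pps, level, top_src))
    return findings


def constructed_events():
    """Constructed stream towards switch address 10.0.0.1 from PC 10.1.1.101:
    1000 pps in second 0, 2700 pps in second 1, 3500 pps in second 2, then a
    quiet second 3 with another source and destination to show the bucketing."""
    events = []
    for second, count in ((0, 1000), (1, 2700), (2, 3500)):
        events += [(second + i / count, "10.1.1.101", "10.0.0.1") for i in range(count)]
    events += [(3.5, "10.0.0.100", "10.0.0.1"), (3.6, "10.1.1.101", "10.1.1.1")]
    return events


if __name__ == "__main__":
    for finding in evaluate(constructed_events()):
        print(finding)
```

Bucketing per destination address mirrors what the troubleshooting questions that follow probe: the protection keys on the switch address under load, so other addresses of the same switch and other switches are judged separately.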


Troubleshooting DoS-Protect

1 Troubleshoot the network state during an active cpu-dos-protect situation on your switch. What is still reachable and from where? Depending on the destination, your findings could be influenced by the DoS-Protect activity on the other switches.

● Ping from your PC to the switch ip address under attack. Result ___________________________

● Ping or telnet from your PC to another ip address of your switch. Result ___________________

● Ping from your PC to the RADIUS server (10.0.0.100). Result ________________________________

● Ping from your PC to the neighbor’s switch ip address that is under attack by their traffic generation. Result _________________________________________________________________

2 The combination of physical port and destination address determines the ACL rule. In addition to protecting the switch, what can this feature bring to protect clients and server? _________________

As long as an attack is based on a traffic type that requires the switch CPU (like ICMP) the target (server) is protected as soon as the threshold is reached.

3 Save your current configuration in preparation for the next lab exercise.


Lab 4 – Port and MAC Address Security

Objectives Upon successful completion of this Lab Exercise, the student is able to:

● Configure limit-learning

● Configure lock-learning

● Configure secure-mac features

● Unconfigure port and MAC address based security

Materials Required

● The syslog server from Lab 5 is used again. If Lab 5 was skipped you still need to configure a syslog server on the switch, by entering the following commands:

configure syslog add <ip address pc> local7

enable syslog

Network Diagram

[Network diagram (image not reproduced): VLAN Core 10.0.0.0/24 joins switches SA_LAB_1 to SA_LAB_6 (addresses .1 to .6 on ports 4 and 5) and the RADIUS server at .100 on switch 3 port 1. VLAN A 10.1.0.0/24, VLAN B 10.2.0.0/24 and VLAN C 10.3.0.0/24 connect switch pairs 1/2, 3/4 and 5/6 on port 3. Workstation VLANs One 10.1.1.0/24, Two 10.1.2.0/24, Three 10.2.3.0/24, Four 10.2.4.0/24, Five 10.3.5.0/24 and Six 10.3.6.0/24 hang off port 2 of switches 1 to 6, with PCs .101 to .106.]


NOTE

The provided CLI examples in this lab show the command information for switch 1; translate the ports and VLANS for your own switch requirements. Example: Instead of 10.1.1.101/32, Team 5 would use 10.3.5.105/32. Refer to the Lab IP Address table found in the front Lab Introduction page.

Part 1 Configuring Lock Learning

1 Make sure your switch is sending syslog messages and that the syslog server is running on your workstation.

2 To configure lock-learning on your switch for the port/VLAN that holds your workstation, enter the following command:

configure port 2 vlan one lock-learning

This should prevent any additional MAC addresses (for example after installing a hub on port 2) from getting network access.

3 View the lock-learning information for VLAN one, by entering the following command:

show vlan one security

Part 2 Configuring Limit Learning

1 For the port(s) in VLAN Bbone set limit-learning to the value 0, by entering the following command:

configure port 4,5 VLAN Bbone limit-learning 0

2 Verify FDB entries are blackholed (Bb), by entering the following command:

show fdb Bbone

3 Check if your syslog server received messages related to blackholing these MAC addresses. Or check the log on your switch, by entering the following command:

show log

Part 3 Configuring Secure-Mac

1 The currently blackholed MAC addresses are the addresses of the neighboring switches and the RADIUS server in VLAN Bbone. To allow traffic from your neighbor switches and the RADIUS server into your switch, you need to configure secure-mac entries with their respective MAC addresses. To configure secure-mac FDB entries for all those blackholed addresses, enter the following command:

create fdbentry xx:xx:xx:xx:xx:xx vlan Bbone port 4

You need to enter this command for each MAC address you want to add.

You can authenticate neighbors based on the MAC address. The combination of limit-learning and secure-mac option is also useful on switch ports intended for end-users because it blocks access and provides the administrator valuable information.


2 Save and reboot your switch. Check the post-reboot switch FDB table and switch operation by entering the following commands:

show vlan <vlan name> security

show log

show fdb <vlan name>

show fdb permanent

3 Clear the fdb entries for the VLAN bbone, by entering the following command:

clear fdb bbone

4 Unconfigure limit-learning, by entering the following command:

configure port 4,5 VLAN Bbone unlimited-learning

5 Unconfigure lock-learning, by entering the following command:

configure port 2 VLAN one unlock-learning

6 Remove the secure-mac related entries, by entering the following command:

delete fdbentry all

7 Save your current switch configuration in preparation for the next lab.
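To make the three mechanisms of this lab visible side by side, the following Python is an added model (not ExtremeWare XOS code) of an FDB with limit-learning, lock-learning and permanent secure-mac entries; its methods correspond to the commands used above (limit_learning for limit-learning 0 on Bbone, lock_learning for port 2 of VLAN one, create_permanent for create fdbentry, clear for clear fdb, delete_permanent_all for delete fdbentry all). The flag names dynamic, locked, secure and blackhole are the model's own labels (the real show fdb output marks blackholed entries Bb), and the MAC addresses used to exercise it are constructed.

```python
"""Model of lock-learning, limit-learning and secure (permanent) FDB entries
as the lab uses them (added example; not ExtremeWare XOS code).  The flag
names dynamic/locked/secure/blackhole are this model's own labels; the real
'show fdb' output marks blackholed entries 'Bb'."""


class Fdb:
    def __init__(self):
        self.entries = {}   # (vlan, mac) -> {"port": int, "flags": str}
        self.ports = {}     # (vlan, port) -> {"mode": str, "limit": int or None}

    def _port(self, vlan, port):
        return self.ports.setdefault((vlan, port), {"mode": "unlimited", "limit": None})

    # configure port <p> vlan <v> limit-learning <n> / unlimited-learning
    def limit_learning(self, vlan, port, limit):
        self._port(vlan, port).update(mode="limit", limit=limit)

    def unlimited_learning(self, vlan, port):
        self._port(vlan, port).update(mode="unlimited", limit=None)

    # configure port <p> vlan <v> lock-learning / unlock-learning
    def lock_learning(self, vlan, port):
        """Freeze the MACs learned so far on the port and stop learning new ones."""
        self._port(vlan, port)["mode"] = "lock"
        for (v, _), e in self.entries.items():
            if v == vlan and e["port"] == port and e["flags"] == "dynamic":
                e["flags"] = "locked"

    def unlock_learning(self, vlan, port):
        self._port(vlan, port)["mode"] = "unlimited"
        for (v, _), e in self.entries.items():
            if v == vlan and e["port"] == port and e["flags"] == "locked":
                e["flags"] = "dynamic"

    # create fdbentry <mac> vlan <v> port <p>: a secure MAC is always allowed
    def create_permanent(self, vlan, mac, port):
        self.entries[(vlan, mac)] = {"port": port, "flags": "secure"}

    # delete fdbentry all
    def delete_permanent_all(self):
        self.entries = {k: e for k, e in self.entries.items() if e["flags"] != "secure"}

    # clear fdb <vlan>: learned and blackhole entries go, permanent ones stay
    def clear(self, vlan):
        self.entries = {k: e for k, e in self.entries.items()
                        if k[0] != vlan or e["flags"] == "secure"}

    def _dynamic_count(self, vlan, port):
        return sum(1 for (v, _), e in self.entries.items()
                   if v == vlan and e["port"] == port and e["flags"] == "dynamic")

    def learn(self, vlan, port, mac):
        """Source-MAC lookup for a frame arriving on (vlan, port); returns
        'forward' or 'blackhole' and installs the entry the switch would keep."""
        key = (vlan, mac)
        if key in self.entries:
            return "blackhole" if self.entries[key]["flags"] == "blackhole" else "forward"
        cfg = self._port(vlan, port)
        allowed = cfg["mode"] == "unlimited" or (
            cfg["mode"] == "limit" and self._dynamic_count(vlan, port) < cfg["limit"])
        if allowed:
            self.entries[key] = {"port": port, "flags": "dynamic"}
            return "forward"
        self.entries[key] = {"port": port, "flags": "blackhole"}   # 'Bb' in show fdb
        return "blackhole"

    # show fdb <vlan>
    def show(self, vlan):
        return {mac: dict(e) for (v, mac), e in self.entries.items() if v == vlan}
```

Running the Part 2 sequence through the model shows the effect the lab asks you to observe: with limit-learning 0 every neighbor MAC on the backbone ports is blackholed until a permanent entry for it exists, and clear fdb removes the blackhole entries but not the permanent ones.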

Lab 7 – Network Login

Objectives

Upon successful completion of this lab exercise, you will be able to:

● Configure Netlogin on a permanent VLAN.

● Configure the NetLogin Base URL

● Configure the Redirect Page URL

● Configure the NetLogin Banner.

● Configure the switch as DHCP server.

● Verify Netlogin configuration

Optional Materials

Additional software is required on the PC that acts as RADIUS server. This PC will now also act as DNS Name Server 1.

● Trainer:

● Configure the PC as a DNS server. (Bind8, MS W2000 DNS or any other dns server)

● Configure a domain called eas-300.com and add all switch ip addresses belonging to the workstation VLANS (VLAN one, two etc) as host records in this DNS server

● Use the following naming convention for the switches: switchx.eas-300.com.

● Include your PC (RADIUS & DNS server 10.0.0.100) as a host record in the NS1 with the hostname server.eas-300.com


Network Diagram

NOTE

The provided CLI example shows the command information for switch 1; translate the variables in the information to your own requirements

Part 1 Clearing the Switch Configuration and Naming the Switch

1 As described in the network diagram, cable the switches and PCs.

2 Clear the switch of all previous configuration, by entering the following command:

unconfigure switch all

3 Name the switch according to the following template:

[Network diagram (image not reproduced): VLAN Core 10.0.0.0/24 joins switches NLG_LAB_1 to NLG_LAB_6 (addresses .1 to .6 on ports 4 and 5) and the RADIUS/DNS server at .100 on switch 3 port 1. VLAN A 10.1.0.0/24, VLAN B 10.2.0.0/24 and VLAN C 10.3.0.0/24 connect switch pairs 1/2, 3/4 and 5/6 on port 3. Workstation VLANs One 10.1.1.0/24, Two 10.1.2.0/24, Three 10.2.3.0/24, Four 10.2.4.0/24, Five 10.3.5.0/24 and Six 10.3.6.0/24 hang off port 2 of switches 1 to 6, with PCs .101 to .106. Each switch also carries a loopback VLAN Loopx with address x.1.1.x/24 (x = switch number).]


Lab 7 – Network Login

Part 2 Creating the Temporary and Permanent Netlogin VLANs

1 Create VLAN temp by entering the following command:

create vlan temp

2 Create VLAN corp by entering the following command:

create vlan corp

3 Remove the ports from the VLAN default by entering the following command:

configure vlan default delete ports all

Part 3 Configuring the Temporary and Permanent Netlogin VLANs

1 Configure VLAN temp by entering the following command:

configure vlan "temp" ipaddress 198.162.32.10 255.255.255.0

2 Configure VLAN corp by entering the following commands:

configure vlan corp ipaddress 10.2.0.1 255.255.255.0
configure vlan corp dhcp-address-range 10.2.0.2 - 10.2.0.10
configure vlan corp add port 2 untagged
enable ipforwarding corp

3 Remove the ports from the VLAN default by entering the following command:

configure vlan default delete ports all

Part 4 Configuring Netlogin DHCP Options

1 Specify the DHCP options for VLAN temp by entering the following commands:

configure vlan temp dhcp-address-range 198.162.32.20 - 198.162.32.80
configure vlan temp dhcp-options default-gateway 198.162.32.1
enable dhcp ports

Part 5 Configuring Netlogin

1 Configure and enable netlogin on your switch by entering the following commands:

configure netlogin vlan temp
enable netlogin web-based
enable netlogin ports 7 web-based

Part 6 Configuring the Network Login Options

1 If you have a RADIUS server configured, configure the Network Login redirect page URL to point to it by entering the following command:

configure netlogin redirect-page http://10.0.0.100

2 On your switch, configure the NetLogin banner message by entering the following command, then press [Enter] twice to end the banner text:

configure banner netlogin "<html><head>Please Login</head></html>"


Part 7 Verifying Netlogin Configuration

1 From your PC (ping, Telnet, etc.), what is the access status? ______________________________

2 Check the status of your switch port by entering the command:

show netlogin

3 In the current state, all traffic from this port is blocked except for PING and HTTP to the local switch IP addresses.

4 Create a netlogin local database account by entering the following command:

create netlogin local-user <team_x>

When prompted, supply the password access.

5 Verify that the netlogin account was created by entering the following command:

show netlogin local-users

6 Start your PC's browser and direct it to 10.0.0.x/login, where x is your switch number.

7 Log in with the account created in Lab 2 (User-ID: team_x with password: access). You are validated either by the RADIUS server (when it is up) or by the local switch database.

8 Assuming that the authentication was successful, you can check for status changes on your switch port. While the redirect timer is running, check the status changes on the switch port by entering the following commands:

show netlogin
show netlogin port 2 <vlan name>

9 Were you correctly redirected to another web page? _______________________________

10 Check from your PC (ping, Telnet, etc.) what connectivity is available once you are successfully logged in.

11 Check whether your existing Netlogin session is disconnected. Direct your web browser to the base URL or the switch IP address and log in.

12 Once the switch and the optional RADIUS server have finished validating, check the switch configuration and operation by entering the following commands:

show netlogin
show netlogin port 2 <vlan name>
show vlan <name> dhcp
show log
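As an added illustration (not code from this manual or from Extreme Networks), the following Python model captures the port behaviour Part 7 describes: before login only PING and HTTP to the switch's own addresses pass, a login is decided by the RADIUS server when it is up and otherwise by the local database, and success moves the port from VLAN temp to VLAN corp. The switch addresses, the RADIUS stand-in callable and the PBKDF2 storage of local passwords are assumptions made for the example.

```python
# Added example: a model of the NetLogin port states from Part 7, not switch code.
# Assumptions: switch IPs and VLAN names as in the lab, a RADIUS stand-in callable
# (raises ConnectionError when the server is down), PBKDF2 for the local database.
import hashlib
import hmac
import os


def _pbkdf2(password, salt=None):
    """Return (salt, derived key); a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class NetLoginPort:
    def __init__(self, switch_ips, temp_vlan="temp", perm_vlan="corp"):
        self.switch_ips = set(switch_ips)
        self.temp_vlan, self.perm_vlan = temp_vlan, perm_vlan
        self.vlan, self.user, self.local_users = temp_vlan, None, {}

    def create_local_user(self, name, password):
        """Equivalent of 'create netlogin local-user <name>' plus the password prompt."""
        self.local_users[name] = _pbkdf2(password)

    def allowed(self, proto, dst_ip):
        """Unauthenticated ports pass only ICMP and HTTP to the switch's own addresses."""
        if self.user is not None:
            return True                      # authenticated: normal forwarding in corp
        return proto in ("icmp", "http") and dst_ip in self.switch_ips

    def login(self, name, password, radius=None):
        """RADIUS decides when reachable; the local database is used only as fallback."""
        verdict = None
        if radius is not None:
            try:
                verdict = radius(name, password)
            except ConnectionError:
                verdict = None               # server down: fall back to local users
        if verdict is None:
            rec = self.local_users.get(name)
            verdict = rec is not None and hmac.compare_digest(rec[1], _pbkdf2(password, rec[0])[1])
        if verdict:
            self.user, self.vlan = name, self.perm_vlan
        return bool(verdict)

    def logout(self):
        """Session ends: the port returns to the temporary VLAN."""
        self.user, self.vlan = None, self.temp_vlan
```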


Lab 8 – QoS

Objectives

Upon successful completion of this lab exercise, the student will be able to:

● Configure policy-based QoS that allows smooth video playback during a looped broadcast storm.

Materials Required

● Two Summit X450 switches

● Two PCs

● VLC application for video streaming

● Movie file


Network Diagram

NOTE

The provided CLI example shows the command information for switch 1 and switch 2; translate the variables in the information to your own requirements.

[Network diagram (figure not reproduced): ESF Lab 8 QoS, version 3.0. Switch 1 carries vlan v1 (10.0.1.1/24) with PC1 (10.0.1.100/24) on port 7; Switch 2 carries vlan v2 (10.0.2.1/24) with PC2 (10.0.2.200/24) on port 7. The switches are linked by vlan three (10.0.0.x/24) between Switch 1 port 2 and Switch 2 port 1; a second link between Switch 1 port 12 and Switch 2 port 11 is to be added later to create the loop.]


Part 1 Clearing the Switch Configuration and Naming the Switch

1 As described in the network diagram, cable the switches and PCs.

2 Clear the switch of all previous configuration by entering the following command:

unconfigure switch all

3 Name the switch according to the following template.

Part 2 Configuring the VLANs

1 Delete all ports from VLAN default.

2 Depending on which VLANs your switch is connected to, create the VLANs:

create vlan <name>

3 Add the ports untagged to the following VLANs:

4 To simulate a network running near capacity, limit the port speed on switch 1 by entering the following command:

configure ports 2 auto off speed 10 duplex half

5 Configure the PCs with the following parameters:

6 Configure a routing protocol by entering the following commands:

configure rip add vlan all
enable rip

7 Start VLC application on PC 1 to send and PC 2 to receive.

8 Generate a broadcast storm on the VLAN between the switches by creating a loop: enable ports 12 and 11 on switches 1 and 2, respectively. Ping 10.0.0.254 to generate an ARP request that causes a broadcast storm.

9 On PC 2, play the movie file streaming from PC 1.

VLANs per switch (step 2):

Switch     VLAN v1   VLAN v2   VLAN three
Switch 1   yes       -         yes
Switch 2   -         yes       yes

Untagged ports per VLAN (step 3):

VLAN     Switch 1   Switch 2
v1       7          -
v2       -          7
three    2, 12      1, 11

PC parameters (step 5):

PC   IP Address   Subnet Mask     Default Gateway
1    10.0.1.100   255.255.255.0   10.0.1.1
2    10.0.2.200   255.255.255.0   10.0.2.1


Part 3 Configuring QoS Profile QP3 on the PC VLANs

1 Create a QoS profile QP3 on both switches by entering the following commands on the appropriate switches:

On Switch 1

create qosprofile qp3
configure qosprofile qp3 weight 15
configure v1 qosprofile qp3

On Switch 2

create qosprofile qp3
configure qosprofile qp3 weight 15
configure v2 qosprofile qp3

2 On PC 2, play the movie file streaming from PC 1.

Part 4 Configuring Flood Rate Limiting on the Ports

1 On the appropriate switch, configure rate limiting on the ports by entering the following command:

configure ports <port_list> rate-limit flood broadcast 1000

The purpose of this command is to rate-limit the broadcast storm to 1000 packets per second.

2 Verify that the broadcast storm has been limited by entering the following command:

show port utilization
