
Summit 200 Series Switch Installation and User Guide

Software Version 6.2e.2

Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.com
Published: June 2003 Part Number: 100149-00 Rev 01

©2003 Extreme Networks, Inc. All rights reserved. Extreme Networks and BlackDiamond are registered trademarks of Extreme Networks, Inc. in the United States and certain other jurisdictions. ExtremeWare, ExtremeWare Vista, ExtremeWorks, ExtremeAssist, ExtremeAssist1, ExtremeAssist2, PartnerAssist, Extreme Standby Router Protocol, ESRP, SmartTraps, Alpine, Summit, Summit1, Summit4, Summit4/FX, Summit7i, Summit24, Summit48, Summit 200 Series, Summit 200-24, Summit 200-48, Summit Virtual Chassis, SummitLink, SummitGbX, SummitRPS and the Extreme Networks logo are trademarks of Extreme Networks, Inc., which may be registered or pending registration in certain jurisdictions. The Extreme Turbodrive logo is a service mark of Extreme Networks, which may be registered or pending registration in certain jurisdictions. Specifications are subject to change without notice. NetWare and Novell are registered trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris is a trademark of Sun Microsystems, Inc. F5, BIG/ip, and 3DNS are registered trademarks of F5 Networks, Inc. see/IT is a trademark of F5 Networks, Inc. “Data Fellows”, the triangle symbol, and Data Fellows product names and symbols/logos are trademarks of Data Fellows. F-Secure SSH is a registered trademark of Data Fellows.

All other registered trademarks, trademarks and service marks are property of their respective owners.


Contents

Preface
  Introduction
  Conventions
  Related Publications

Chapter 1

Summit 200 Series Switch Overview
  Summit 200 Series Switches
  Summary of Features
  Summit 200-24 Switch Physical Features
  Summit 200-24 Switch Front View
  Summit 200-24 Switch Rear View
  Summit 200-48 Switch Physical Features
  Summit 200-48 Switch Front View
  Summit 200-48 Switch Rear View
  Mini-GBIC Type and Hardware/Software Support
  Mini-GBIC Type and Specifications

Chapter 2

Switch Installation
  Determining the Switch Location
  Following Safety Information
  Installing the Switch
  Rack Mounting
  Free-Standing
  Stacking the Switch and Other Devices
  Connecting Equipment to the Console Port
  Powering On the Switch
  Checking the Installation


  Logging In for the First Time
  Installing or Replacing a Mini-Gigabit Interface Connector (Mini-GBIC)
  Safety Information
  Preparing to Install or Replace a Mini-GBIC
  Removing and Inserting a Mini-GBIC

Chapter 3

ExtremeWare Overview
  Summary of Features
  Virtual LANs (VLANs)
  Spanning Tree Protocol
  Quality of Service
  Unicast Routing
  Load Sharing
  ESRP-Aware Switches
  Software Licensing
  Feature Licensing
  Security Licensing for Features Under License Control
  SSH2 Encryption
  Software Factory Defaults

Chapter 4

Accessing the Switch
  Understanding the Command Syntax
  Syntax Helper
  Command Shortcuts
  Summit 200 Series Switch Numerical Ranges
  Names
  Symbols
  Line-Editing Keys
  Command History
  Common Commands
  Configuring Management Access
  User Account
  Administrator Account
  Default Accounts
  Creating a Management Account
  Domain Name Service Client Services
  Checking Basic Connectivity
  Ping
  Traceroute


Chapter 5

Managing the Switch
  Overview
  Using the Console Interface
  Using Telnet
  Connecting to Another Host Using Telnet
  Configuring Switch IP Parameters
  Disconnecting a Telnet Session
  Controlling Telnet Access
  Using Secure Shell 2 (SSH2)
  Enabling SSH2
  Using SNMP
  Accessing Switch Agents
  Supported MIBs
  Configuring SNMP Settings
  Displaying SNMP Settings
  Authenticating Users
  RADIUS Client
  Configuring TACACS+
  Using Network Login
  Using Network Login in Campus Mode
  Using Network Login in ISP Mode
  DHCP Server on the Switch
  Network Login Configuration Commands
  Displaying Network Login Settings
  Disabling Network Login
  Using EAPOL Flooding
  Using the Simple Network Time Protocol
  Configuring and Using SNTP
  SNTP Configuration Commands
  SNTP Example

Chapter 6

Configuring Ports on a Switch
  Enabling and Disabling Switch Ports
  Configuring Switch Port Speed and Duplex Setting
  Switch Port Commands
  Load Sharing on the Switch
  Load-Sharing Algorithms
  Configuring Switch Load Sharing
  Load-Sharing Example
  Verifying the Load-Sharing Configuration
  Switch Port-Mirroring


  Port-Mirroring Commands
  Port-Mirroring Example
  Extreme Discovery Protocol
  EDP Commands

Chapter 7

Virtual LANs (VLANs)
  Overview of Virtual LANs
  Benefits
  Types of VLANs
  Port-Based VLANs
  Tagged VLANs
  VLAN Names
  Default VLAN
  Renaming a VLAN
  Configuring VLANs on the Switch
  VLAN Configuration Commands
  VLAN Configuration Examples
  Displaying VLAN Settings
  MAC-Based VLANs
  MAC-Based VLAN Guidelines
  MAC-Based VLAN Limitations
  MAC-Based VLAN Example
  Timed Configuration Download for MAC-Based VLANs

Chapter 8

Forwarding Database (FDB)
  Overview of the FDB
  FDB Contents
  FDB Entry Types
  How FDB Entries Get Added
  Associating a QoS Profile with an FDB Entry
  Configuring FDB Entries
  FDB Configuration Examples
  Displaying FDB Entries

Chapter 9

Access Policies
  Overview of Access Policies
  Access Control Lists
  Rate Limits
  Routing Access Policies
  Using Access Control Lists
  Access Masks

  Access Lists
  Rate Limits
  How Access Control Lists Work
  Access Mask Precedence Numbers
  Specifying a Default Rule
  The permit-established Keyword
  Adding Access Mask, Access List, and Rate Limit Entries
  Deleting Access Mask, Access List, and Rate Limit Entries
  Verifying Access Control List Configurations
  Access Control List Commands
  Access Control List Examples
  Using Routing Access Policies
  Creating an Access Profile
  Configuring an Access Profile Mode
  Adding an Access Profile Entry
  Deleting an Access Profile Entry
  Applying Access Profiles
  Routing Access Policies for RIP
  Routing Access Policies for OSPF
  Making Changes to a Routing Access Policy
  Removing a Routing Access Policy
  Routing Access Policy Commands

Chapter 10

Network Address Translation (NAT)
  Overview
  Internet IP Addressing
  Configuring VLANs for NAT
  NAT Modes
  Configuring NAT
  Configuring NAT Rules
  Creating NAT Rules
  Creating Static and Dynamic NAT Rules
  Creating Portmap NAT Rules
  Creating Auto-Constrain NAT Rules
  Advanced Rule Matching
  Configuring Timeouts
  Displaying NAT Settings
  Disabling NAT

Chapter 11

Ethernet Automatic Protection Switching
  Overview of the EAPS Protocol
  Fault Detection and Recovery
  Restoration Operations
  Summit 200 Series Switches in Multi-ring Topologies
  Commands for Configuring and Monitoring EAPS
  Creating and Deleting an EAPS Domain
  Defining the EAPS Mode of the Switch
  Configuring EAPS Polling Timers
  Configuring the Primary and Secondary Ports
  Configuring the EAPS Control VLAN
  Configuring the EAPS Protected VLANs
  Enabling and Disabling an EAPS Domain
  Enabling and Disabling EAPS
  Unconfiguring an EAPS Ring Port
  Displaying EAPS Status Information

Chapter 12

Quality of Service (QoS)
  Overview of Policy-Based Quality of Service
  Applications and Types of QoS
  Voice Applications
  Video Applications
  Critical Database Applications
  Web Browsing Applications
  File Server Applications
  Configuring QoS for a Port or VLAN
  Traffic Groupings
  Access List Based Traffic Groupings
  MAC-Based Traffic Groupings
  Explicit Class of Service (802.1p and DiffServ) Traffic Groupings
  Configuring DiffServ
  Physical and Logical Groupings
  Verifying Configuration and Performance
  QoS Monitor
  Displaying QoS Profile Information
  Modifying a QoS Configuration
  Traffic Rate-Limiting
  Dynamic Link Context System
  DLCS Guidelines
  DLCS Limitations
  DLCS Commands

Chapter 13

Status Monitoring and Statistics
  Status Monitoring
  Port Statistics
  Port Errors
  Port Monitoring Display Keys
  Setting the System Recovery Level
  Logging
  Local Logging
  Remote Logging
  Logging Configuration Changes
  Logging Commands
  RMON
  About RMON
  RMON Features of the Switch
  Configuring RMON
  Event Actions

Chapter 14

Spanning Tree Protocol (STP)
  Overview of the Spanning Tree Protocol
  Spanning Tree Domains
  Defaults
  STPD BPDU Tunneling
  STP Configurations
  Configuring STP on the Switch
  STP Configuration Example
  Displaying STP Settings
  Disabling and Resetting STP

Chapter 15

IP Unicast Routing
  Overview of IP Unicast Routing
  Router Interfaces
  Populating the Routing Table
  Subnet-Directed Broadcast Forwarding
  Proxy ARP
  ARP-Incapable Devices
  Proxy ARP Between Subnets
  Relative Route Priorities
  Configuring IP Unicast Routing
  Verifying the IP Unicast Routing Configuration

  IP Commands
  Routing Configuration Example
  Displaying Router Settings
  Resetting and Disabling Router Settings
  Configuring DHCP/BOOTP Relay
  Verifying the DHCP/BOOTP Relay Configuration
  UDP-Forwarding
  Configuring UDP-Forwarding
  UDP-Forwarding Example
  ICMP Packet Processing
  UDP-Forwarding Commands

Chapter 16

Interior Gateway Routing Protocols
  Overview
  RIP Versus OSPF
  Overview of RIP
  Routing Table
  Split Horizon
  Poison Reverse
  Triggered Updates
  Route Advertisement of VLANs
  RIP Version 1 Versus RIP Version 2
  Overview of OSPF
  Link-State Database
  Areas
  Point-to-Point Support
  Route Re-Distribution
  Configuring Route Re-Distribution
  OSPF Timers and Authentication
  Configuring RIP
  RIP Configuration Example
  Displaying RIP Settings
  Resetting and Disabling RIP
  Configuring OSPF
  Configuring OSPF Wait Interval
  Displaying OSPF Settings
  OSPF LSD Display
  Resetting and Disabling OSPF Settings

Chapter 17

IP Multicast Groups and IGMP Snooping
  Overview
  Configuring IGMP and IGMP Snooping
  Displaying IGMP Snooping Configuration Information
  Clearing, Disabling, and Resetting IGMP Functions

Appendix A

Safety Information
  Important Safety Information
  Power
  Power Cord
  Connections
  Lithium Battery

Appendix B

Technical Specifications
  Summit 200-24 Switch
  Summit 200-48 Switch

Appendix C

Supported Standards

Appendix D

Software Upgrade and Boot Options
  Downloading a New Image
  Rebooting the Switch
  Saving Configuration Changes
  Returning to Factory Defaults
  Using TFTP to Upload the Configuration
  Using TFTP to Download the Configuration
  Downloading a Complete Configuration
  Downloading an Incremental Configuration
  Scheduled Incremental Configuration Download
  Remember to Save
  Upgrading and Accessing BootROM
  Upgrading BootROM
  Accessing the BootROM menu
  Boot Option Commands

Appendix E

Troubleshooting
  LEDs
  Using the Command-Line Interface
  Port Configuration
  VLANs
  STP
  Debug Tracing
  TOP Command
  Contacting Extreme Technical Support

Index

Index of Commands

Preface

This preface provides an overview of this guide, describes guide conventions, and lists other publications that may be useful.

Introduction

This guide provides the required information to install the Summit 200 series switch and configure the ExtremeWare™ software running on the Summit 200 series switch.

This guide is intended for use by network administrators who are responsible for installing and setting up network equipment. It assumes a basic working knowledge of:
• Local area networks (LANs)
• Ethernet concepts
• Ethernet switching and bridging concepts
• Routing concepts
• Internet Protocol (IP) concepts
• Simple Network Management Protocol (SNMP)

NOTE
If the information in the release notes shipped with your switch differs from the information in this guide, follow the release notes.

Conventions

Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1: Notice Icons
Notice Type | Alerts you to...
Note | Important features or instructions.
Caution | Risk of personal injury, system damage, or loss of data.
Warning | Risk of severe personal injury.

Table 2: Text Conventions
Convention | Description
Screen displays | This typeface indicates command syntax, or represents information as it appears on the screen.
The words “enter” and “type” | When you see the word “enter” in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says “type.”
[Key] names | Key names are written with brackets, such as [Return] or [Esc]. If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press [Ctrl]+[Alt]+[Del].
Words in italicized type | Italics emphasize a point or denote new terms at the place where they are defined in the text.

Related Publications

The publications related to this one are:
• ExtremeWare Release Notes
• Summit 200 Series Switch Release Notes

Documentation for Extreme Networks products is available on the World Wide Web at the following location:
• http://www.extremenetworks.com/

1 Summit 200 Series Switch Overview

This chapter describes the features and functionality of the Summit 200 series switches:
• Summit 200 Series Switches
• Summary of Features
• Summit 200-24 Switch Physical Features
• Summit 200-48 Switch Physical Features
• Mini-GBIC Type and Hardware/Software Support

Summit 200 Series Switches

The Summit 200 series switches include the following switch models:
• Summit 200-24 switch
• Summit 200-48 switch

Summary of Features

The Summit 200 series switches support the following ExtremeWare features:
• Virtual local area networks (VLANs) including support for IEEE 802.1Q and IEEE 802.1p
• Spanning Tree Protocol (STP) (IEEE 802.1D)
• Quality of Service (QoS) including support for IEEE 802.1p, MAC QoS, and four hardware queues
• Wire-speed Internet Protocol (IP) routing
• DHCP/BOOTP Relay
• Network Address Translation (NAT)
• Extreme Standby Router Protocol (ESRP) - Aware support
• Ethernet Automated Protection Switching (EAPS) support
• Routing Information Protocol (RIP) version 1 and RIP version 2
• Open Shortest Path First (OSPF) routing protocol
• DiffServ support

• Access-policy support for routing protocols
• Access list support for packet filtering
• Access list support for rate-limiting
• IGMP snooping to control IP multicast traffic
• Load sharing on multiple ports
• RADIUS client and per-command authentication support
• TACACS+ support
• Network Login
• Console command-line interface (CLI) connection
• Telnet CLI connection
• SSH2 connection
• Simple Network Management Protocol (SNMP) support
• Remote Monitoring (RMON)
• Traffic mirroring for ports

Summit 200-24 Switch Physical Features

The Summit 200-24 switch is a compact enclosure (see Figure 1) one rack unit in height (1.75 inches or 44.45 mm) that provides 24 autosensing 10BASE-T/100BASE-TX ports using RJ-45 connectors. It also provides two 10/100/1000BASE-T Gigabit Ethernet uplink ports using RJ-45 connectors and two optical ports that also allow Gigabit Ethernet uplink connections through Extreme 1000BASE-SX, 1000BASE-LX, or 1000BASE-ZX Small Form Factor pluggable (SFP) Gigabit Interface Connectors (GBICs)—also known as mini-GBICs—using LC optical fiber connectors.

Summit 200-24 Switch Front View

Figure 1 shows the Summit 200-24 switch front view.

Figure 1: Summit 200-24 switch front view
[Figure callouts: 10/100 Mbps ports, mini-GBIC port status LEDs, unit stacking ID LED, console port, 1000-baseT ports, mini-GBIC ports]

NOTE
See Table 5 for information about supported mini-GBIC types and distances.

NOTE
See “Summit 200-24 Switch LEDs” for more details.

Console Port

Use the console port (9-pin, “D” type connector) for connecting a terminal and carrying out local management.

Port Connections

The Summit 200-24 switch has 24 10BASE-T/100BASE-TX ports using RJ-45 connectors for communicating with end stations and other devices over 10/100Mbps Ethernet.

The switch also has four Gigabit Ethernet uplink ports. These ports are labeled 25 and 26 on the front panel of the switch. Two of the ports are 10/100/1000BASE-T ports using RJ-45 connectors. The other two ports are unpopulated receptacles for mini-SFP GBICs, using optical fibers with LC connectors. The Summit 200-24 switch supports the use of 1000BASE-SX, 1000BASE-LX, or 1000BASE-ZX mini-GBICs.

Only two of the four Gigabit Ethernet uplink ports can be active at one time. For example, you can use both 1000BASE-T ports, both mini-GBIC ports, or a combination of one 1000BASE-T port and one mini-GBIC.

NOTE
Only mini-GBICs that have been certified by Extreme Networks (available from Extreme Networks) should be inserted into the mini-GBIC receptacles on the Summit 200 series switch.

NOTE
For information on the mini-GBIC, see “Mini-GBIC Type and Hardware/Software Support”.

Full-Duplex

The Summit 200-24 switch provides full-duplex support for all ports. Full-duplex allows frames to be transmitted and received simultaneously and, in effect, doubles the bandwidth available on a link. All 10/100 Mbps ports on the Summit 200-24 switch autonegotiate for half- or full-duplex operation.

Summit 200-24 Switch LEDs

Table 3 describes the light emitting diode (LED) behavior on the Summit 200-24 switch.

Table 3: Summit 200-24 switch LED behavior

Unit Status LED (MGMT LED)
Color | Indicates
Green solid | The Summit switch is operating normally.
Green blinking | The Summit switch POST is in progress.
Amber | The Summit switch has failed its POST or an overheat condition is detected.

Fan LED
Color | Indicates
Green | The fan is operating normally.
Amber blinking | A failed condition is present on the fan.

Port Status LEDs (Ports 1–26)
Color | Indicates
Green | Link is present, port is enabled.
Green blinking | Link is present, port is enabled, and there is activity on the port.
Off | Link is not present or the port is disabled.

Media-Selection (Fiber) LEDs (Ports 25 and 26)
Color | Indicates
Green | Fiber link is selected, mini-GBIC is present and being used for the Gigabit Ethernet uplink.
Off | 1000BASE-T link is selected, the switch is using the RJ-45 port for the Gigabit Ethernet uplink.

Unit Stacking ID Number LED
Color | Indicates
N/A | When several Summit 200-24 switches are interconnected (stacked), each switch will be assigned a unique stacking ID number that will be visible in the unit stacking ID number LED. The switch acting as the stack master will be assigned the number 0, which is the default.

Summit 200-24 Switch Rear View

Figure 2 shows the rear view of the Summit 200-24 switch.

Figure 2: Summit 200-24 switch rear view
[Figure callout: power socket]

Power Socket

The Summit 200-24 switch automatically adjusts to the supply voltage. The power supply operates down to 90 V.

Serial Number

Use this serial number for fault-reporting purposes.

MAC Address

This label shows the unique Ethernet MAC address assigned to this device.

NOTE
The Summit 200-24 switch certification and safety label is located on the bottom of the switch.

Summit 200-48 Switch Physical Features

The Summit 200-48 switch is a compact enclosure (see Figure 3) one rack unit in height (1.75 inches or 44.45 mm) that provides 48 autosensing 10BASE-T/100BASE-TX ports using RJ-45 connectors. It also provides two 10/100/1000BASE-T Gigabit Ethernet uplink ports using RJ-45 connectors and two optical ports that also allow Gigabit Ethernet uplink connections through Extreme 1000BASE-SX, 1000BASE-LX, or 1000BASE-ZX SFP mini-GBICs using optical fibers with LC connectors.

Summit 200-48 Switch Front View

Figure 3 shows the Summit 200-48 switch front view.

Figure 3: Summit 200-48 switch front view
[Figure callouts: console port, 10/100 Mbps ports, mini-GBIC ports, 1000-baseT ports]

NOTE
See Table 5 for information about supported mini-GBIC types and distances.

NOTE
See “Summit 200-48 Switch LEDs” for more details.

Console Port

Use the console port (9-pin, “D” type connector) for connecting a terminal and carrying out local management.

Port Connections

The Summit 200-48 switch has 48 10BASE-T/100BASE-TX ports using RJ-45 connectors for communicating with end stations and other devices over 10/100Mbps Ethernet.

The switch also has four Gigabit Ethernet uplink ports. These ports are labeled 49 and 50 on the front panel of the switch. Two of the ports are 10/100/1000BASE-T ports using RJ-45 connectors. The other two ports are unpopulated receptacles for mini-SFP GBICs, using optical fibers with LC connectors. The Summit 200-48 switch supports the use of 1000BASE-SX, 1000BASE-LX, or 1000BASE-ZX mini-GBICs.

Only two of the four Gigabit Ethernet uplink ports can be active at one time. For example, you can use both 1000BASE-T ports, both mini-GBIC ports, or a combination of one 1000BASE-T port and one mini-GBIC.

NOTE
Only mini-GBICs that have been certified by Extreme Networks (available from Extreme Networks) should be inserted into the mini-GBIC receptacles on the Summit 200 series switch.

NOTE
When configuring the Summit 200-48 switch, all ports specified as mirrored ports and mirroring port, or ACL ingress ports and egress port, must belong to the same port group. Port group 1 consists of ports 1 through 24 and port 49; port group 2 consists of ports 25 through 48 and port 50.

NOTE
For information on the mini-GBIC, see “Mini-GBIC Type and Hardware/Software Support”.

Full-Duplex

The Summit 200-48 switch provides full-duplex support for all ports. Full-duplex allows frames to be transmitted and received simultaneously and, in effect, doubles the bandwidth available on a link. All 10/100 Mbps ports on the Summit 200-48 switch autonegotiate for half- or full-duplex operation.

Summit 200-48 Switch LEDs

Table 4 describes the LED behavior on the Summit 200-48 switch.

Table 4: Summit 200-48 switch LED behavior

Unit Status LED (MGMT LED)
Color | Indicates
Green solid | The Summit switch is operating normally.
Green blinking | The Summit switch POST is in progress.
Amber | The Summit switch has failed its POST or an overheat condition is detected.

Fan LED
Color | Indicates
Green | The fan is operating normally.
Amber blinking | A failed condition is present on the fan.

Port Status LEDs (Ports 1–50)
Color | Indicates
Green | Link is present, port is enabled.
Green blinking | Link is present, port is enabled, and there is activity on the port.
Off | Link is not present or the port is disabled.

Media-Selection (Fiber) LEDs (Ports 49 and 50)
Color | Indicates
Green | Fiber link is selected, mini-GBIC is present and being used for the Gigabit Ethernet uplink.
Off | 1000BASE-T link is selected, the switch is using the RJ-45 port for the Gigabit Ethernet uplink.

Summit 200-48 Switch Rear View

Figure 4 shows the rear view of the Summit 200-48 switch.

Figure 4: Summit 200-48 switch rear view
[Figure callout: power socket]

Power Socket

The Summit 200-48 switch automatically adjusts to the supply voltage. The power supply operates down to 90 V.

Serial Number

Use this serial number for fault-reporting purposes.

MAC Address

This label shows the unique Ethernet MAC address assigned to this device.

NOTE
The Summit 200-48 switch certification and safety label is located on the bottom of the switch.

Mini-GBIC Type and Hardware/Software Support

The Summit 200 series switch supports the SFP GBIC, also known as the mini-GBIC, in three types: the SX mini-GBIC, which conforms to the 1000BASE-SX standard, the LX mini-GBIC, which conforms to the 1000BASE-LX standard, and the ZX mini-GBIC, a long-haul mini-GBIC that conforms to the IEEE 802.3z standard. The system uses identifier bits to determine the media type of the mini-GBIC that is installed. The Summit 200 series switches support only the SFP mini-GBIC.

NOTE
Only mini-GBICs that have been certified by Extreme Networks (available from Extreme Networks) should be inserted into the mini-GBIC receptacles on the Summit 200 series switch.

This section describes the mini-GBIC types and specifications.

Mini-GBIC Type and Specifications

Table 5 describes the mini-GBIC type and distances for the Summit 200 series switches.

Table 5: Mini-GBIC types and distances
Standard | Media Type | MHz•km Rating | Maximum Distance (Meters)
1000BASE-SX (850 nm optical window) | 50/125 µm multimode fiber | 400 | 500
1000BASE-SX (850 nm optical window) | 50/125 µm multimode fiber | 500 | 550
1000BASE-SX (850 nm optical window) | 62.5/125 µm multimode fiber | 160 | 220
1000BASE-SX (850 nm optical window) | 62.5/125 µm multimode fiber | 200 | 275
1000BASE-LX (1310 nm optical window) | 50/125 µm multimode fiber | 400 | 550
1000BASE-LX (1310 nm optical window) | 50/125 µm multimode fiber | 500 | 550
1000BASE-LX (1310 nm optical window) | 62.5/125 µm multimode fiber | 500 | 550
1000BASE-LX (1310 nm optical window) | 10/125 µm single-mode fiber | — | 5,000
1000BASE-ZX (1550 nm optical window) | 10/125 µm single-mode fiber | — | 50,000

SX Mini-GBIC Specifications

Table 6 describes the specifications for the SX mini-GBIC.

Table 6: SX mini-GBIC specifications
Transceiver
  Optical output power: minimum –9.5 dBm, maximum –4 dBm
  Center wavelength: minimum 830 nm, typical 850 nm, maximum 860 nm
Receiver
  Optical input power sensitivity: –21 dBm
  Optical input power maximum: –4 dBm
  Operating wavelength: minimum 830 nm, maximum 860 nm
General
  Total system budget: 11.5 dB

Total optical system budget for the SX mini-GBIC is 11.5 dB. Extreme Networks recommends that 3 dB of the total budget be reserved for losses induced by cable splices, connectors, and operating margin. While 8.5 dB remains available for cable induced attenuation, the 1000BASE-SX standard specifies supported distances of 275 meters over 62.5 micron multimode fiber and 550 meters over 50 micron multimode fiber. There is no minimum attenuation or minimum cable length restriction.

LX Mini-GBIC Specifications

Table 7 describes the specifications for the LX mini-GBIC.

Table 7: LX mini-GBIC specifications
Transceiver
  Optical output power: minimum –9.5 dBm, maximum –3 dBm
  Center wavelength: minimum 1275 nm, typical 1310 nm, maximum 1355 nm
Receiver
  Optical input power sensitivity: –23 dBm
  Optical input power maximum: –3 dBm
  Operating wavelength: minimum 1270 nm, maximum 1355 nm
General
  Total system budget: 13.5 dB

Total optical system budget for the LX mini-GBIC is 13.5 dB. Measure cable plant losses with a 1310 nm light source and verify this to be within budget. When calculating the maximum distance attainable using optical cable with a specified loss per kilometer (for example 0.25 dB/km) Extreme Networks recommends that 3 dB of the total budget be reserved for losses induced by cable splices, connectors, and operating margin. Thus, 10.5 dB remains available for cable-induced attenuation. There is no minimum attenuation or minimum cable length restriction.

ZX Mini-GBIC Specifications

Table 8 describes the specifications for the ZX mini-GBIC.

Table 8: ZX mini-GBIC specifications
Transceiver
  Optical output power: minimum –2 dBm, typical 0 dBm, maximum 3 dBm
  Center wavelength: minimum 1540 nm, typical 1550 nm, maximum 1570 nm
Receiver
  Optical input power sensitivity: –23 dBm
  Optical input power maximum: –3 dBm
  Operating wavelength: minimum 1540 nm, typical 1550 nm, maximum 1570 nm

Long Range GBIC System Budgets

Measure cable plant losses with a 1550 nm light source and verify this to be within budget. When calculating the maximum distance attainable using optical cable with a specified loss per kilometer (for example 0.25 dB/km), Extreme Networks recommends that 3 dB of the total budget be reserved for losses induced by cable splices, connectors, and operating margin. Figure 5 shows the total optical system budget between long range GBICs in various end-to-end combinations (ZX, ZX Rev 03, LX70, and LX100).

NOTE
The ZX mini-GBIC is equivalent to the ZX Rev 03 GBIC.

Figure 5: Total optical system budgets for long range GBICs

Table 9 lists the minimum attenuation requirements to prevent saturation of the receiver for each type of long range GBIC.

Table 9: Minimum attenuation requirements
Receivers GBIC Type LX70 LX100 Transceivers ZX (prior to Rev 03) ZX Rev 03 ZX mini LX70 9 dB 8 dB 2 dB 5 dB 6 dB LX100 13 dB 12 dB 6 dB 9 dB 10 dB ZX (prior to Rev 03) 7 dB 6 dB 0 dB 3 dB 4 dB ZX Rev 03 7 dB 6 dB 0 dB 3 dB 4 dB ZX mini 9 dB 8 dB 2 dB 5 dB 6 dB


Alternately. • No objects are placed on top of the unit. • Air-flow around the unit and through the vents in the side of the case is not restricted. Two mounting brackets are supplied with the switch. When deciding where to install the switch.2 Switch Installation This chapter describes the following topics: • Determining the Switch Location on page 27 • Following Safety Information on page 28 • Installing the Switch on page 28 • Connecting Equipment to the Console Port on page 29 • Powering On the Switch on page 30 • Checking the Installation on page 31 • Logging In for the First Time on page 31 • Installing or Replacing a Mini-Gigabit Interface Connector (Mini-GBIC) on page 32 CAUTION Use of controls or adjustments of performance or procedures other than those specified herein can result in hazardous radiation exposure. the device can be rack-mounted in a wiring closet or equipment room. Determining the Switch Location The Summit 200 series switch is suited for use in the office. ensure that: • The switch is accessible and cables can be connected easily. You should provide a minimum of 1 inch (25 mm) clearance. where it can be free-standing or mounted in a standard 19-inch equipment rack. • Units are not stacked more than four high if the switch is free-standing. Summit 200 Series Switch Installation and User Guide 27 . • Water or moisture cannot enter the case of the unit.

Following Safety Information
Before installing or removing any components of the switch, or before carrying out any maintenance procedures, read the safety information provided in this guide.

Installing the Switch
The Summit 200 series switch can be mounted in a rack, or placed free-standing on a tabletop.

Rack Mounting
CAUTION Do not use the rack mount kits to suspend the switch from under a table or desk, or to attach the switch to a wall.

To rack mount the Summit 200 series switch:
1 Place the switch upright on a hard flat surface, with the front facing you.
2 Remove the existing screws from the sides of the case (retain the screws for Step 4).
3 Locate a mounting bracket over the mounting holes on one side of the unit.
4 Insert the screws and fully tighten with a suitable screwdriver, as shown in Figure 6.

Figure 6: Fitting the mounting bracket

5 Repeat steps 2 through 4 for the other side of the switch.
6 Insert the switch into the 19-inch rack.
7 Secure the switch with suitable screws (not provided).
8 Connect the switch to the redundant power supply (if applicable).
9 Connect cables.

Free-Standing
The Summit 200 series switch is supplied with four self-adhesive rubber pads. Apply the pads to the underside of the device by sticking a pad in the marked area at each corner of the switch.

Stacking the Switch and Other Devices
You can place up to four Summit switches on top of one another.

NOTE This relates only to stacking the devices directly one on top of one another.

Apply the pads to the underside of the device by sticking a pad at each corner of the switch. Place the devices on top of one another, ensuring that the corners align.

Connecting Equipment to the Console Port
Connection to the console port is used for direct local management. The switch console port settings are set as follows:
• Baud rate: 9600
• Data bits: 8
• Stop bit: 1
• Parity: None
• Flow control: None

NOTE If you set the switch console port flow control to XON/XOFF rather than None, you will be unable to access the switch. Do not set the switch console port flow control to XON/XOFF.

The terminal connected to the console port on the switch must be configured with the same settings. This procedure is described in the documentation supplied with the terminal.

Appropriate cables are available from your local supplier. To make your own cables, pinouts for a DB-9 male console connector are described in Table 10.

Table 10: Console Connector Pinouts

Function                    Pin Number   Direction
DCD (data carrier detect)   1            In
RXD (receive data)          2            In
TXD (transmit data)         3            Out
DTR (data terminal ready)   4            Out
GND (ground)                5            -
DSR (data set ready)        6            In

Table 10: Console Connector Pinouts (continued)

Function                    Pin Number   Direction
RTS (request to send)       7            Out
CTS (clear to send)         8            In

Figure 7 shows the pin-outs for a 9-pin to RS-232 25-pin null-modem cable.

Figure 7: Null-modem cable pin-outs (Summit cable connector: 9-pin female; PC/Terminal cable connector: 25-pin male/female)

Figure 8 shows the pin-outs for a 9-pin to 9-pin PC-AT null-modem serial cable.

Figure 8: PC-AT serial null-modem cable pin-outs (Summit cable connector: 9-pin female; PC-AT serial port cable connector: 9-pin female)

Powering On the Switch
To turn on power to the switch, connect the AC power cable to the switch and then to the wall outlet. Turn the on/off switch to the on position.

Checking the Installation
After turning on power to the Summit 200 series switch, the device performs a Power On Self-Test (POST). During the POST, all ports are temporarily disabled, the port LED is off, and the MGMT LED flashes. The MGMT LED flashes until the switch successfully passes the POST. If the switch passes the POST, the MGMT LED is solid green. If the switch fails the POST, the MGMT LED is amber.

NOTE For more information on the LEDs, see Chapter 1, “Summit 200 Series Switch Overview”.

Logging In for the First Time
After the Summit 200 series switch completes the POST, it is operational. Once operational, you can log in to the switch and configure an IP address for the default VLAN (named default).

To configure the IP settings manually, follow these steps:
1 Connect a terminal or workstation running terminal-emulation software to the console port.
2 At your terminal, press [Return] one or more times until you see the login prompt.
3 At the login prompt, enter the default user name admin to log on with administrator privileges. For example:
login: admin
Administrator capabilities allow you to access all switch functions.

NOTE For more information on switch security, see Chapter 4, “Accessing the Switch”.

4 At the password prompt, press [Return]. The default name, admin, has no password assigned. When you have successfully logged on to the switch, the command-line prompt displays the name of the switch (for example, Summit200-24) in its prompt.
5 Assign an IP address and subnetwork mask for VLAN default by typing
config vlan default ipaddress 123.45.67.8 255.255.255.0
Your changes take effect immediately.
6 Save your configuration changes so that they will be in effect after the next switch reboot, by typing
save

NOTE For more information on saving configuration changes, refer to the ExtremeWare Software User Guide.

7 When you are finished using the facility, logout of the switch by typing
logout

NOTE After two incorrect login attempts, the Summit 200 series switch locks you out of the login facility. You must wait a few minutes before attempting to log in again.

Installing or Replacing a Mini-Gigabit Interface Connector (Mini-GBIC)
This section describes the safety precautions and preparation steps that you must perform before inserting and securing a mini-GBIC.

Safety Information
Before you install or replace a mini-GBIC, read the safety information in this section.

WARNING! Mini-GBICs can emit invisible laser radiation. Avoid direct eye exposure to beam.

Mini-GBICs are a class 1 laser device. Use only devices approved by Extreme Networks.

NOTE Remove the LC fiber-optic connector from the mini-GBIC prior to removing the mini-GBIC from the switch.

Preparing to Install or Replace a Mini-GBIC
To ensure proper installation, complete the following tasks before inserting the mini-GBIC:
• Disable the port that is needed to install or replace the mini-GBIC.
• Inspect and clean the fiber tips, coupler, and connectors.
• Prepare and clean an external attenuator, if needed.
• Do not stretch the fiber.
• Make sure the bend radius of the fiber is not less than 2 inches.

In addition to the previously described tasks, Extreme Networks recommends the following when installing or replacing mini-GBICs on an active network:
• Use the same type of mini-GBIC at each end of the link.
• Connect one end of the link to the Tx port. Without an attenuator, measure the total loss from the Tx port to the other side of the link.

Once you complete all of the described tasks, you are ready to install or replace a mini-GBIC.

Removing and Inserting a Mini-GBIC
You can remove mini-GBICs from, or insert mini-GBICs into your Summit 200 series switch without powering off the system. Figure 9 shows the two types of mini-GBIC modules.

Figure 9: Mini-GBIC modules (Module A, Module B)

Mini-GBICs are a 3.3 V Class 1 laser device. Use only devices approved by Extreme Networks.

NOTE If you see an amber blinking Mini-GBIC port status LED on your Summit 200 series switch, the mini-GBIC installed in your switch is one that is not approved or supported by Extreme Networks. To correct this problem, ensure that you install a mini-GBIC that is approved and supported by Extreme Networks.

WARNING! Mini-GBICs can emit invisible laser radiation. Avoid direct eye exposure to beam.

NOTE Remove the LC fiber-optic connector from the mini-GBIC prior to removing the mini-GBIC from the switch.

Removing a Mini-GBIC
To remove a mini-GBIC similar to the one labeled “Module A” in Figure 9, gently press and hold the black plastic tab at the bottom of the connector to release the mini-GBIC, and pull the mini-GBIC out of the SFP receptacle on the switch.

To remove a mini-GBIC similar to the one labeled “Module B” in Figure 9, rotate the front handle down and pull the mini-GBIC out of the slot.

Inserting a Mini-GBIC
NOTE Mini-GBICs can be installed in the SFP mini-GBIC receptacles for ports 25 and 26 on the Summit 200 series switches.

To insert a mini-GBIC connector:
1 Holding the mini-GBIC by its sides, insert the mini-GBIC into the SFP receptacle on the switch.
2 Push the mini-GBIC into the SFP receptacle until you hear an audible click, indicating the mini-GBIC is securely seated in the SFP receptacle. If the mini-GBIC has a handle, push up on the handle to secure the mini-GBIC.

1Q and IEEE 802. MAC QoS.1p.3 ExtremeWare Overview This chapter describes the following topics: • Summary of Features on page 35 • Software Licensing on page 38 • Security Licensing for Features Under License Control on page 39 • Software Factory Defaults on page 40 ExtremeWare is the full-featured software operating system that is designed to run on the Summit 200 series switch.1p • Spanning Tree Protocol (STP) (IEEE 802. Summary of Features The Summit 200 series switch supports the following ExtremeWare features: • Virtual local area networks (VLANs) including support for IEEE 802.1D) • Quality of Service (QoS) including support for IEEE 802. This section describes the supported ExtremeWare features for the Summit 200 series switch.Aware support • Ethernet Automated Protection Switching (EAPS) support • Routing Information Protocol (RIP) version 1 and RIP version 2 • Open Shortest Path First (OSPF) routing protocol • Diffserv support • Access-policy support for routing protocols • Access list support for packet filtering • Access list support for rate-limiting • IGMP snooping to control IP multicast traffic • Load sharing on multiple ports Summit 200 Series Switch Installation and User Guide 35 . and four hardware queues • Wire-speed Internet Protocol (IP) routing • DHCP/BOOTP Relay • Network Address Translation (NAT) • Extreme Standby Router Protocol (ESRP) .

• RADIUS client and per-command authentication support
• TACACS+ support
• Network Login
• Console command-line interface (CLI) connection
• Telnet CLI connection
• SSH2 connection
• Simple Network Management Protocol (SNMP) support
• Remote Monitoring (RMON)
• Traffic mirroring for ports

Virtual LANs (VLANs)
ExtremeWare has a VLAN feature that enables you to construct your broadcast domains without being restricted by physical connections. A VLAN is a group of location- and topology-independent devices that communicate as if they were on the same physical local area network (LAN).

Implementing VLANs on your network has the following three advantages:
• They help to control broadcast traffic. If a device in VLAN Marketing transmits a broadcast frame, only VLAN Marketing devices receive the frame.
• They provide extra security. Devices in VLAN Marketing can only communicate with devices on VLAN Sales using routing services.
• They ease the change and movement of devices on networks.

NOTE For more information on VLANs, see Chapter 7, “Virtual LANs (VLANs)”.

Spanning Tree Protocol
The Summit 200 series switch supports the IEEE 802.1D Spanning Tree Protocol (STP), which is a bridge-based mechanism for providing fault tolerance on networks. STP enables you to implement parallel paths for network traffic, and ensure that:
• Redundant paths are disabled when the main paths are operational.
• Redundant paths are enabled if the main traffic paths fail.

A single spanning tree can span multiple VLANs.

NOTE For more information on STP, see Chapter 14, “Spanning Tree Protocol (STP)”.

For example. “Configuring Ports on a Switch”. the fail-over times seen for traffic local to the segment may appear longer. These features enable you to specify service levels for different traffic groups. and priority. see Chapter 6. Static IP routes are maintained in the routing table. NOTE For more information on Quality of Service. If Extreme switches running ESRP are connected to layer 2 switches that are not manufactured by Extreme Networks (or Extreme switches that are not running ExtremeWare 4. NOTE For information on load sharing. see Chapter 15. No configuration of this feature is necessary. but are connected on a network that has other Extreme switches running ESRP are ESRP-aware. see Chapter 12. VLANs see the load-sharing group as a single virtual port. all traffic is assigned the “normal” QoS policy profile. you can create other QoS policies and rate-limiting access control lists and apply them to different traffic types so that they have different maximum bandwidth. When ESRP-aware switches are attached to ESRP-enabled switches.Summary of Features Quality of Service ExtremeWare has Quality of Service (QoS) features that support IEEE 802.0 or above). ESRP-Aware Switches Extreme switches that are not running ESRP. Load Sharing Load sharing allows you to increase bandwidth and resiliency by using a group of ports to carry traffic in parallel between systems. Unicast Routing The Summit 200 series switch can route IP traffic between the VLANs that are configured as virtual router interfaces. “IP Unicast Routing”. The algorithm also guarantees packet sequencing between clients. “Quality of Service (QoS)”. The following routing protocols are supported: • RIP version 1 • RIP version 2 • OSPF NOTE For more information on IP unicast routing. By default. and four queues.1p. If needed. MAC QoS. depending on the application involved Summit 200 Series Switch Installation and User Guide 37 . 
the ESRP-aware switches reliably perform fail-over and fail-back scenarios in the prescribed recovery times. The sharing algorithm allows the switch to use multiple ports as a single logical port.

and are not transferable. As such. if only a single VLAN is involved. Keys are stored in NVRAM and. feature support is separated into two sets: Edge and Advanced Edge. In ExtremeWare version 6. and reconfigurations. ESRP will not function correctly if the ESRP-aware switch interconnection port is configured for a protocol-sensitive VLAN using untagged traffic.2e.ExtremeWare Overview and the FDB timer used by the other vendor’s layer 2 switch. but the recovery times vary. Layer 3 routing functions include support for: • IP routing using RIP version 1 and/or RIP version 2 • IP routing between directly attached VLANs • IP routing using static routes Advanced Edge Functionality The Advanced Edge license enables support of additional functions. The VLANs associated with the ports connecting an ESRP-aware switch to an ESRP-enabled switch must be configured using an 802. once entered. Keys are typically unique to the switch.2. including: • Rate-limiting ACLs • IP routing using OSPF • EAPS Edge (cannot be a core node on the ring) • Network Login • RADIUS and TACACS+ command authentication • Network Address Translation (NAT) Enabling the Advanced Edge Functionality To enable the Advanced Edge software feature license. Summit 200 series switches have Edge functionality without the requirement of a license key. software upgrades. ESRP can be used with layer 2 switches from other vendors. Edge Functionality Edge functionality requires no license key.1Q tag on the connecting port. Edge functionality includes all switching functions. or. use the following command: enable license advanced-edge <license_key> where license_key is an integer. as untagged using the protocol filter any. 38 Summit 200 Series Switch Installation and User Guide . persist through reboots. access list. Software Licensing Some Extreme Networks products have capabilities that are enabled by using a license key. and ESRP-aware functions. and also includes all available layer 3 QoS. 
Edge is a subset of Advanced Edge. The following sections describe the features that are associated with license keys. Feature Licensing Summit 200 series switches support software licensing for different levels of functionality.

NOTE The command unconfig switch all does not clear licensing information. Once it is enabled on the switch, this license cannot be disabled.

Verifying the Advanced Edge License
To verify the Advanced Edge license, use the show switch command.

Obtaining an Advanced Edge License
You can order the desired functionality from the factory, using the appropriate model of the desired product. If you order licensing from the factory, the switch arrives packaged with a certificate that contains the unique license key(s), and instructions for enabling the correct functionality on the switch. The certificate is typically packaged with the switch documentation. Once the license key is entered, it should not be necessary to enter the information again. However, we recommend keeping the certificate for your records.

You can upgrade the Advanced Edge licensing of an existing product by purchasing a voucher for the desired product and functionality. Please contact your supplier to purchase a voucher. The voucher contains information and instructions on obtaining a license key for the switch using the Extreme Networks Support website at:
http://esupport.extremenetworks.com
or by phoning Extreme Networks Technical Support at:
• (800) 998-2408
• (408) 579-2826

Security Licensing for Features Under License Control
Certain additional ExtremeWare security features, such as the use of Secure Shell (SSH2) encryption, might be under United States export restriction control. Extreme Networks ships these security features in a disabled state. In order to enable the use of these features, you must first obtain an export license, which you can do through Extreme Networks (at no extra charge).

SSH2 Encryption
ExtremeWare version 6.0 and above supports the SSH2 protocol. SSH2 allows the encryption of Telnet session data. The encryption methods used are under U.S. export restriction control. To obtain information on enabling SSH2 encryption, access the Extreme Networks Support website at:
http://esupport.extremenetworks.com
Fill out a contact form to indicate compliance or noncompliance with the export restrictions. If you are in compliance, you will be given information that will allow you to enable security features.


Software Factory Defaults
Table 11 shows factory defaults for ExtremeWare features supported on the Summit 200 series switch.

Table 11: ExtremeWare Software Feature Factory Defaults for the Summit 200 Series

Item                               Default Setting
Serial or Telnet user account      admin with no password and user with no password
Telnet                             Enabled
SSH2                               Disabled
SNMP                               Enabled
SNMP read community string         public
SNMP write community string        private
RMON                               Disabled
BOOTP                              Enabled on the default VLAN (default)
QoS                                All traffic is part of the default queue
802.1p priority                    Recognition enabled
802.3x flow control                Enabled on Gigabit Ethernet ports
Virtual LANs                       Two VLANs predefined. VLAN named default contains all ports and belongs to the STPD named s0
802.1Q tagging                     All packets are untagged on the default VLAN (default)
Spanning Tree Protocol             Disabled for the switch; enabled for each port in the STPD
Forwarding database aging period   300 seconds (5 minutes)
IP Routing                         Disabled
RIP                                Disabled
OSPF                               Disabled
IGMP                               Enabled
IGMP snooping                      Enabled
NTP                                Disabled
DNS                                Disabled
EAPS                               Disabled
NAT                                Disabled
Network Login                      Disabled
RADIUS                             Disabled
TACACS+                            Disabled
Port Mirroring                     Disabled

NOTE For default settings of individual ExtremeWare features, see the applicable individual chapters in this guide.
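
An added example, not part of the Extreme Networks guide: a Python replay that starts from the Table 11 factory defaults and applies CLI lines, written in the command forms this guide lists in Table 12 and Table 14, to report which default-open management settings are still in place. The session lines and finding names are constructed for illustration, and the example assumes that `config account <username>` always leaves the account with a non-empty password.

```python
import re

# Prompt forms shown in this guide: "Summit200-24:2>" and "*Summit200-24:19#".
PROMPT = re.compile(r"^\*?\S+:\d+[#>]\s*")


def factory_defaults():
    """Management posture out of the box, per Table 11 and Table 14."""
    return {
        "telnet": True,             # Table 11: Telnet Enabled
        "ssh2": False,              # Table 11: SSH2 Disabled
        "snmp_read": "public",      # Table 11: SNMP read community string
        "snmp_write": "private",    # Table 11: SNMP write community string
        "idletimeouts": False,      # Table 14: idle timer disabled by default
        "no_password": {"admin", "user"},  # Table 11: both have no password
    }


def apply_command(state, line):
    """Apply one CLI line to the modelled state; other commands are ignored."""
    words = PROMPT.sub("", line.strip()).split()
    if len(words) < 2:
        return
    verb, obj, args = words[0], words[1], words[2:]
    if verb in ("enable", "disable") and obj in ("telnet", "ssh2", "idletimeouts"):
        state[obj] = verb == "enable"
    elif verb == "config" and obj == "snmp" and len(args) == 3 and args[0] == "community":
        key = {"read-only": "snmp_read", "read-write": "snmp_write"}.get(args[1])
        if key:
            state[key] = args[2]
    elif verb == "config" and obj == "account" and args:
        # Assumption of this example: the password entered is non-empty.
        state["no_password"].discard(args[0])
    elif verb == "delete" and obj == "account" and args and args[0] != "admin":
        # The guide states that the admin account cannot be deleted.
        state["no_password"].discard(args[0])


# Finding name -> predicate that is true while the default-open setting remains.
CHECKS = [
    ("telnet-enabled", lambda s: s["telnet"]),
    ("ssh2-disabled", lambda s: not s["ssh2"]),
    ("snmp-read-default", lambda s: s["snmp_read"] == "public"),
    ("snmp-write-default", lambda s: s["snmp_write"] == "private"),
    ("idle-timeout-disabled", lambda s: not s["idletimeouts"]),
]


def audit(lines):
    """Replay CLI lines over the factory defaults and return open findings."""
    state = factory_defaults()
    for line in lines:
        apply_command(state, line)
    findings = [name for name, still_open in CHECKS if still_open(state)]
    findings += ["no-password:" + name for name in sorted(state["no_password"])]
    return findings


# Constructed sample session (not captured from a real switch).
SAMPLE_SESSION = [
    "Summit200-24:1# config account admin",
    "*Summit200-24:2# config snmp community read-only n0c-r3ad",
    "*Summit200-24:3# enable ssh2",
    "*Summit200-24:4# enable idletimeouts",
    "*Summit200-24:5# save",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print(finding)
```

Feeding it the command history of a newly commissioned switch gives a quick list of what still matches the shipped state; commands outside the handful modelled here are skipped rather than guessed at.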


4

Accessing the Switch

This chapter describes the following topics:
• Understanding the Command Syntax
• Line-Editing Keys
• Command History
• Common Commands
• Configuring Management Access
• Domain Name Service Client Services
• Checking Basic Connectivity

Understanding the Command Syntax
This section describes the steps to take when entering a command. Refer to the sections that follow for detailed information on using the command-line interface.

When entering a command at the prompt, ensure that you have the appropriate privilege level. Most configuration commands require you to have the administrator privilege level. To use the command-line interface (CLI), follow these steps:
1 Enter the command name. If the command does not include a parameter or values, skip to step 3. If the command requires more information, continue to step 2.
2 If the command includes a parameter, enter the parameter name and values.
3 The value part of the command specifies how you want the parameter to be set. Values include numerics, strings, or addresses, depending on the parameter.
4 After entering the complete command, press [Return].

NOTE If an asterisk (*) appears in front of the command-line prompt, it indicates that you have outstanding configuration changes that have not been saved. For more information on saving configuration changes, see Appendix D, “Software Upgrade and Boot Options”.


Syntax Helper
The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular command, enter as much of the command as possible and press [Return]. The syntax helper provides a list of options for the remainder of the command. The syntax helper also provides assistance if you have entered an incorrect command.

Command Completion with Syntax Helper
ExtremeWare provides command completion by way of the [Tab] key. If you enter a partial command, pressing the [Tab] key posts a list of available options, and places the cursor at the end of the command.

Abbreviated Syntax
Abbreviated syntax is the most unambiguous, shortest allowable abbreviation of a command or parameter. Typically, this is the first three letters of the command. In command tables throughout this guide, abbreviated syntax is noted using bold characters.

NOTE When using abbreviated syntax, you must enter enough characters to make the command unambiguous and distinguishable to the switch.

Command Shortcuts
All named components of the switch configuration must have a unique name. Components are named using the create command. When you enter a command to configure a named component, you do not need to use the keyword of the component. For example, to create a VLAN, you must enter a unique VLAN name:
create vlan engineering

Once you have created the VLAN with a unique name, you can then eliminate the keyword vlan from all other commands that require the name to be entered. For example, on the stand-alone switch, instead of entering the command
config vlan engineering delete port 1-3,6

you could enter the following shortcut:
config engineering delete port 1-3,6

Summit 200 Series Switch Numerical Ranges
Commands that require you to enter one or more port numbers on a Summit 200 series switch use the parameter <portlist> in the syntax. A portlist can be a range of numbers, for example:
port 1-3

You can add additional port numbers to the list, separated by a comma:
port 1-3,6,8
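
An added example, not from the guide: a Python validator that expands a <portlist> such as 1-3,6,8 and renders a set of ports back into the same syntax, useful for checking port lists before they go into a configuration script. Rejecting descending ranges and repeated ports is this example's own conservative choice, and max_port is supplied by the caller (the switch's highest port number).

```python
import re

# One item of a portlist: a single port ("6") or a range ("1-3").
ITEM = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_portlist(text, max_port):
    """Expand '1-3,6,8' into [1, 2, 3, 6, 8]; raise ValueError if malformed."""
    seen = set()
    for item in text.split(","):
        match = ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed portlist item: {item!r}")
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) is not None else first
        if first > last:
            raise ValueError(f"descending range: {item!r}")
        if first < 1 or last > max_port:
            raise ValueError(f"port outside 1-{max_port}: {item!r}")
        for port in range(first, last + 1):
            if port in seen:
                raise ValueError(f"port {port} listed more than once")
            seen.add(port)
    return sorted(seen)


def _format_run(first, last):
    """Render one run of consecutive ports as '6' or '1-3'."""
    return str(first) if first == last else f"{first}-{last}"


def to_portlist(ports):
    """Render ports in range/comma form, e.g. [8, 1, 2, 3, 6] -> '1-3,6,8'."""
    items = []
    run_start = prev = None
    for port in sorted(set(ports)):
        if prev is not None and port == prev + 1:
            prev = port          # still inside the current run
            continue
        if prev is not None:
            items.append(_format_run(run_start, prev))
        run_start = prev = port  # start a new run
    if prev is not None:
        items.append(_format_run(run_start, prev))
    return ",".join(items)


if __name__ == "__main__":
    print(parse_portlist("1-3,6,8", 26))
    print(to_portlist([8, 1, 2, 3, 6]))
```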


Names
All named components of the switch configuration must have a unique name. Names must begin with an alphabetical character and are delimited by whitespace, unless enclosed in quotation marks.

Symbols
You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table 12 summarizes command syntax symbols.

Table 12: Command Syntax Symbols

Symbol
    Description

< > (angle brackets)
    Enclose a variable or value. You must specify the variable or value. For example, in the syntax
    config vlan <name> ipaddress <ip_address>
    you must supply a VLAN name for <name> and an address for <ip_address> when entering the command. Do not type the angle brackets.

[ ] (square brackets)
    Enclose a required value or list of required arguments. One or more values or arguments can be specified. For example, in the syntax
    use image [primary | secondary]
    you must specify either the primary or secondary image when entering the command. Do not type the square brackets.

| (vertical bar)
    Separates mutually exclusive items in a list, one of which must be entered. For example, in the syntax
    config snmp community [read-only | read-write] <string>
    you must specify either the read or write community string in the command. Do not type the vertical bar.

{ } (braces)
    Enclose an optional value or a list of optional arguments. One or more values or arguments can be specified. For example, in the syntax
    reboot {<date> <time> | cancel}
    you can specify either a particular date and time combination, or the keyword cancel to cancel a previously scheduled reboot. If you do not specify an argument, the command will prompt, asking if you want to reboot the switch now. Do not type the braces.

Line-Editing Keys
Table 13 describes the line-editing keys available using the CLI.

Table 13: Line-Editing Keys

Keystroke                    Description
Backspace                    Deletes character to left of cursor and shifts remainder of line to left.
Delete or [Ctrl] + D         Deletes character under cursor and shifts remainder of line to left.
[Ctrl] + K                   Deletes characters from under cursor to end of line.
Insert                       Toggles on and off. When toggled on, inserts text and shifts previous text to right.
Left Arrow                   Moves cursor to left.
Right Arrow                  Moves cursor to right.
Home or [Ctrl] + A           Moves cursor to first character in line.
End or [Ctrl] + E            Moves cursor to last character in line.
[Ctrl] + L                   Clears screen and moves cursor to beginning of line.
[Ctrl] + P or Up Arrow       Displays previous command in command history buffer and places cursor at end of command.
[Ctrl] + N or Down Arrow     Displays next command in command history buffer and places cursor at end of command.

Command History
ExtremeWare “remembers” the last 49 commands you entered. You can display a list of these commands by using the following command:
history

Common Commands
Table 14 describes common commands used to manage the switch. Commands specific to a particular feature are described in the other chapters of this guide.

Table 14: Common Commands

Command
    Description

clear session <number>
    Terminates a Telnet session from the switch.

config account <username> {encrypted} {<password>}
    Configures a user account password. Passwords must have a minimum of 1 character and can have a maximum of 32 characters. User names and passwords are case-sensitive.

config banner
    Configures the banner string. You can enter up to 24 rows of 79-column text that is displayed before the login prompt of each session. Press [Return] at the beginning of a line to terminate the command and apply the banner. To clear the banner, press [Return] at the beginning of the first line.

config ports <portlist> auto off {speed [10 | 100 | 1000]} duplex [half | full]
    Manually configures the port speed and duplex setting of one or more ports on a switch.

config ssh2 key {pregenerated}
    Generates the SSH2 host key.

Table 14: Common Commands (continued)

Command
    Description

config sys-recovery-level [none | critical | all]
    Configures a recovery option for instances where an exception occurs in ExtremeWare. Specify one of the following:
    • none: Recovery without system reboot.
    • critical: ExtremeWare logs an error to the syslog, and reboots the system after critical exceptions.
    • all: ExtremeWare logs an error to the syslog, and reboots the system after any exception.
    The default setting is none.

config time <date> <time>
    Configures the system date and time. The format is as follows:
    mm/dd/yyyy hh:mm:ss
    The time uses a 24-hour clock format. You cannot set the year past 2036.

config timezone <gmt_offset> {autodst | noautodst}
    Configures the time zone information to the configured offset from GMT time. The format of gmt_offset is +/- minutes from GMT time. Specify:
    • autodst: Enables automatic Daylight Savings Time change.
    • noautodst: Disables automatic Daylight Savings Time change.
    The default setting is autodst.

config vlan <name> ipaddress <ip_address> {<mask>}
    Configures an IP address and subnet mask for a VLAN.

create account [admin | user] <username> {encrypted} {<password>}
    Creates a user account. This command is available to admin-level users and to users with RADIUS command authorization. The username is between 1 and 32 characters, the password is between 0 and 16 characters.

create vlan <name>
    Creates a VLAN.

delete account <username>
    Deletes a user account.

delete vlan <name>
    Deletes a VLAN.

disable bootp vlan [<name> | all]
    Disables BOOTP for one or more VLANs.

disable cli-config-logging
    Disables logging of CLI commands to the Syslog.

disable clipaging
    Disables pausing of the screen display when a show command output reaches the end of the page.

disable idletimeouts
    Disables the timer that disconnects all sessions. Once disabled, console sessions remain open until the switch is rebooted or you logoff. Telnet sessions remain open until you close the Telnet client.

disable ports <portlist>
    Disables a port on the switch.

Table 14: Common Commands (continued)

Command
    Description

disable ssh2
    Disables SSH2 Telnet access to the switch.

disable telnet
    Disables Telnet access to the switch.

disable web
    Disables web access.

enable bootp vlan [<name> | all]
    Enables BOOTP for one or more VLANs.

enable cli-config-logging
    Enables the logging of CLI configuration commands to the Syslog for auditing purposes. The default setting is enabled.

enable clipaging
    Enables pausing of the screen display when show command output reaches the end of the page. The default setting is enabled.

enable idletimeouts
    Enables a timer that disconnects all sessions (both Telnet and console) after 20 minutes of inactivity. The default setting is disabled.

enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>}
    Enables SSH2 Telnet sessions. By default, SSH2 uses TCP port number 22.

enable telnet {access-profile [<access_profile> | none]} {port <tcp_port_number>}
    Enables Telnet access to the switch. By default, Telnet uses TCP port number 23.

enable web
    Enables web server on the switch for Network Login support. By default, the web server is enabled.

history
    Displays the previous 49 commands entered on the switch.

show banner
    Displays the user-configured banner.

unconfig switch {all}
    Resets all switch parameters (with the exception of defined user accounts, and date and time information) to the factory defaults. If you specify the keyword all, the switch erases the currently selected configuration image in flash memory and reboots. As a result, all parameters are reset to default settings.

Configuring Management Access
ExtremeWare supports the following two levels of management:
• User
• Administrator

In addition to the management levels, you can optionally use an external RADIUS server to provide CLI command authorization checking for each command. For more information on RADIUS, see “RADIUS Client” in Chapter 5, “Managing the Switch”.

User Account
A user-level account has viewing access to all manageable parameters, with the exception of:

• User account database.
• SNMP community strings.

A user-level account can use the ping command to test device reachability, and change the password assigned to the account name. If you have logged on with user capabilities, the command-line prompt ends with a (>) sign. For example:

Summit200-24:2>

Administrator Account

An administrator-level account can view and change all switch parameters. It can also add and delete users, and change the password associated with any account name.

The administrator can disconnect a management session that has been established by way of a Telnet connection. If this happens, the user logged on by way of the Telnet connection is notified that the session has been terminated.

If you have logged on with administrator capabilities, the command-line prompt ends with a (#) sign. For example:

Summit200-24:18#

Prompt Text

The prompt text is taken from the SNMP sysname setting. The number that follows the colon indicates the sequential line/command number.

If an asterisk (*) appears in front of the command-line prompt, it indicates that you have outstanding configuration changes that have not been saved. For example:

*Summit200-24:19#

Default Accounts

By default, the switch is configured with two accounts, as shown in Table 15.

Table 15: Default Accounts

Account Name
    Access Level

admin
    This user can access and change all manageable parameters. The admin account cannot be deleted.
user
    This user can view (but not change) all manageable parameters, with the following exceptions:
    • This user cannot view the user account database.
    • This user cannot view the SNMP community strings.

Changing the Default Password

Default accounts do not have passwords assigned to them. Passwords must have a minimum of four characters and can have a maximum of 12 characters.

NOTE
User names and passwords are case-sensitive.

To add a password to the default admin account, follow these steps:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return].
3 Add a default admin password by entering the following command:
  config account admin
4 Enter the new password at the prompt.
5 Re-enter the new password at the prompt.

To add a password to the default user account, follow these steps:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return], or enter the password that you have configured for the admin account.
3 Add a default user password by entering the following command:
  config account user
4 Enter the new password at the prompt.
5 Re-enter the new password at the prompt.

NOTE
If you forget your password while logged out of the command-line interface, contact your local technical support representative, who will advise on your next course of action.

Creating a Management Account

The switch can have a total of 16 management accounts. You can use the default names (admin and user), or you can create new names and passwords for the accounts. Passwords can have a minimum of 0 characters and can have a maximum of 31 characters.

To create a new account, follow these steps:
1 Log in to the switch as admin.
2 At the password prompt, press [Return], or enter the password that you have configured for the admin account.
3 Add a new user by using the following command:
  create account [admin | user] <username>
4 Enter the password at the prompt.
5 Re-enter the password at the prompt.

Viewing Accounts

To view the accounts that have been created, you must have administrator privileges. Use the following command to see the accounts:

show accounts

Deleting an Account

To delete an account, you must have administrator privileges. To delete an account, use the following command:

delete account <username>

NOTE
The account name admin cannot be deleted.

Domain Name Service Client Services

The Domain Name Service (DNS) client in ExtremeWare augments the following commands to allow them to accept either IP addresses or host names:
• telnet
• download [bootrom | configuration | image]
• upload configuration
• ping
• traceroute

In addition, the nslookup utility can be used to return the IP address of a hostname.

Table 16 describes the commands used to configure DNS.

Table 16: DNS Commands

Command
    Description

config dns-client add <ipaddress>
    Adds a DNS name server(s) to the available server list for the DNS client. Up to three name servers can be configured.
config dns-client default-domain <domain_name>
    Configures the domain that the DNS client uses if a fully qualified domain name is not entered. For example, if the default domain is configured to be foo.com, executing ping bar searches for bar.foo.com.
config dns-client delete <ipaddress>
    Removes a DNS server.
nslookup <hostname>
    Displays the IP address of the requested host.
show dns-client
    Displays the DNS configuration.

Checking Basic Connectivity

The switch offers the following commands for checking basic connectivity:
• ping
• traceroute

Ping

The ping command enables you to send Internet Control Message Protocol (ICMP) echo messages to a remote IP device. The ping command is available for both the user and administrator privilege level.

The ping command syntax is:

ping {continuous} {size <start_size> {.<end_size>}} [<ip_address> | <hostname>] {from <src_address> | with record-route | from <src_ipaddress> with record-route}

Options for the ping command are described in Table 17.

Table 17: Ping Command Parameters

Parameter
    Description

continuous
    Specifies ICMP echo messages to be sent continuously. This option can be interrupted by pressing any key.
size
    Specifies the size of the ICMP request. If both the start_size and end_size are specified, transmits ICMP requests using 1 byte increments, per packet. If no end_size is specified, packets of start_size are sent.
<ipaddress>
    Specifies the IP address of the host.
<hostname>
    Specifies the name of the host. To use the hostname, you must first configure DNS.
from
    Uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used.
with record-route
    Decodes the list of recorded routes and displays them when the ICMP echo reply is received.

If a ping request fails, the switch continues to send ping messages until interrupted. Press any key to interrupt a ping request.

Traceroute

The traceroute command enables you to trace the routed path between the switch and a destination endstation. The traceroute command syntax is:

traceroute [<ip_address> | <hostname>] {from <src_ipaddress>} {ttl <TTL>} {port <port>}

where:

ip_address
    Specifies the IP address of the destination endstation.
hostname
    Specifies the hostname of the destination endstation. To use the hostname, you must first configure DNS.

from
    Uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used.
ttl
    Configures the switch to trace up to the time-to-live number of the switch.
port
    Uses the specified UDP port number.


5 Managing the Switch

This chapter describes the following topics:
• Overview
• Using the Console Interface
• Using Telnet
• Using Secure Shell 2 (SSH2)
• Using SNMP
• Authenticating Users
• Using Network Login
• Using EAPOL Flooding
• Using the Simple Network Time Protocol

Overview

Using ExtremeWare, you can manage the switch using the following methods:
• Access the CLI by connecting a terminal (or workstation with terminal-emulation software) to the console port.
• Access the switch remotely using TCP/IP through one of the switch ports. Remote access includes:
  — Telnet using the CLI interface.
  — SSH2 using the CLI interface.
  — SNMP access using ExtremeWare Enterprise Manager or another SNMP manager.

The switch supports up to the following number of concurrent user sessions:
• One console session
• Eight Telnet sessions
• Eight SSH2 sessions

Using the Console Interface

The CLI built into the switch is accessible by way of the 9-pin, RS-232 port labeled console, located on the front of the Summit 200 series switch. Once the connection is established, you will see the switch prompt and you may log in.

Using Telnet

Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP network. Up to eight active Telnet sessions can access the switch concurrently. If idletimeouts are enabled, the Telnet connection will time out after 20 minutes of inactivity. If a connection to a Telnet session is lost inadvertently, the switch terminates the session within two hours.

Before you can start a Telnet session, you must configure the switch IP parameters. See “Configuring Switch IP Parameters” on page 54 for more information. Telnet is enabled by default.

To open the Telnet session, you must specify the IP address of the device that you want to manage. Check the user manual supplied with the Telnet facility if you are unsure of how to do this.

Once the connection is established, you will see the switch prompt and you can log in.

Connecting to Another Host Using Telnet

You can Telnet from the current CLI session to another host using the following command:

telnet [<ipaddress> | <hostname>] {<port_number>}

If the TCP port number is not specified, the Telnet session defaults to port 23. Only VT100 emulation is supported.

Configuring Switch IP Parameters

To manage the switch by way of a Telnet connection or by using an SNMP Network Manager, you must first configure the switch IP parameters.

Using a BOOTP Server

If you are using IP and you have a Bootstrap Protocol (BOOTP) server set up correctly on your network, you must add the following information to the BOOTP server:
• Switch Media Access Control (MAC) address, found on the rear label of the switch
• IP address
• Subnet address mask (optional)

Once this is done, the IP address and subnet mask for the switch will be downloaded automatically. You can then start managing the switch without further configuration.

You can enable BOOTP on a per-VLAN basis by using the following command:

enable bootp vlan [<name> | all]

By default, BOOTP is enabled on the default VLAN.

If you configure the switch to use BOOTP, the switch IP address is not retained through a power cycle, even if the configuration has been saved. To retain the IP address through a power cycle, you must configure the IP address of the VLAN using the command-line interface, Telnet, or Web interface.

All VLANs within a switch that are configured to use BOOTP to get their IP address use the same MAC address. Therefore, if you are using BOOTP relay through a router, the BOOTP server must be capable of differentiating its relay based on the gateway portion of the BOOTP packet.

NOTE
For more information on DHCP/BOOTP relay, see Chapter 15, “IP Unicast Routing”.

Manually Configuring the IP Settings

If you are using IP without a BOOTP server, you must enter the IP parameters for the switch in order for the SNMP Network Manager, Telnet software, or Web interface to communicate with the device. To assign IP parameters to the switch, you must perform the following tasks:
• Log in to the switch with administrator privileges.
• Assign an IP address and subnet mask to a VLAN.

The switch comes configured with a default VLAN named default. To use Telnet or an SNMP Network Manager, you must have at least one VLAN on the switch, and it must be assigned an IP address and subnet mask. IP addresses are always assigned to a VLAN. The switch can be assigned multiple IP addresses.

NOTE
For information on creating and configuring VLANs, see Chapter 7, “Virtual LANs (VLANs)”.

To configure the IP settings manually, follow these steps:
1 Connect a terminal or workstation running terminal-emulation software to the console port.
2 At your terminal, press [Return] one or more times until you see the login prompt.
3 At the login prompt, enter your user name and password. Note that they are both case-sensitive. Ensure that you have entered a user name and password with administrator privileges.
  — If you are logging in for the first time, use the default user name admin to log in with administrator privileges. For example:
    login: admin
    Administrator capabilities enable you to access all switch functions. The default user names have no passwords assigned.
  — If you have been assigned a user name and password with administrator privileges, enter them at the login prompt.

4 At the password prompt, enter the password and press [Return].
  When you have successfully logged in to the switch, the command-line prompt displays the name of the switch in its prompt.
5 Assign an IP address and subnetwork mask for the default VLAN by using the following command:
  config vlan <name> ipaddress <ipaddress> {<subnet_mask>}
  For example:
  config vlan default ipaddress 123.45.67.8 255.255.255.0
  Your changes take effect immediately.

  NOTE
  As a general rule, when configuring any IP addresses for the switch, you can express a subnet mask by using dotted decimal notation, or by using classless inter-domain routing notation (CIDR). CIDR uses a forward slash plus the number of bits in the subnet mask. Using CIDR notation, the command identical to the one above would be:
  config vlan default ipaddress 123.45.67.8 / 24

6 Configure the default route for the switch using the following command:
  config iproute add default <gateway> {<metric>}
  For example:
  config iproute add default 123.45.67.1
7 Save your configuration changes so that they will be in effect after the next switch reboot, by typing:
  save
8 When you are finished using the facility, log out of the switch by typing:
  logout or quit

Disconnecting a Telnet Session

An administrator-level account can disconnect a Telnet management session. If this happens, the user logged in by way of the Telnet connection is notified that the session has been terminated.

To terminate a Telnet session, follow these steps:
1 Log in to the switch with administrator privileges.
2 Determine the session number of the session you want to terminate by using the following command:
  show session
3 Terminate the session by using the following command:
  clear session <session_number>

Controlling Telnet Access

By default, Telnet services are enabled on the switch. To display the status of Telnet, use the following command:

show management

You can choose to disable Telnet by using the following command:

disable telnet

To re-enable Telnet on the switch, at the console port use the following:

enable telnet

You must be logged in as an administrator to enable or disable Telnet.

Using Secure Shell 2 (SSH2)

Secure Shell 2 (SSH2) is a feature of ExtremeWare that allows you to encrypt Telnet session data between the switch and a network administrator using SSH2 client software. The ExtremeWare SSH2 switch application is based on the Data Fellows™ SSH2 server implementation. It is highly recommended that you use the F-Secure® SSH client products from Data Fellows corporation. These applications are available for most operating systems. For more information, refer to the Data Fellows website at:

http://www.datafellows.com.

NOTE
SSH2 is compatible with the Data Fellows SSH2 client version 2.0.12 or above. SSH2 is not compatible with SSH1.

Enabling SSH2

Because SSH2 is currently under U.S. export restrictions, before enabling SSH2, you must first obtain a security license, which you can do through Extreme Networks. The procedure for obtaining a security license key is described in Chapter 3, “ExtremeWare Overview”.

To enable SSH2, use the following command:

enable ssh2 {port <tcp_port_number>}

An authentication key must be generated for each SSH2 session. This can be done automatically by the switch or by the client application. To have the key generated by the switch, use the following command:

config ssh2 key {pregenerated}

If you do not select automatic key generation, you are prompted to enter the key when you enable SSH2.

You can specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22.

The supported cipher is 3DES-CBC. The supported key exchange is DSA.

For additional information on the SSH protocol refer to [FIPS-186] Federal Information Processing Standards Publication (FIPSPUB) 186, Digital Signature Standard, 18 May 1994. This can be downloaded from: ftp://ftp.cs.hut.fi/pub/ssh. General technical information is also available from http://www.ssh.fi.

After you obtain the SSH2 key value, copy the key to the SSH2 client application. Also, ensure that the client is configured for any nondefault TCP port information that you have configured on the switch. Once these tasks are accomplished, you may form an SSH2-encrypted session with the switch.

Using SNMP

Any Network Manager running the Simple Network Management Protocol (SNMP) can manage the switch, provided the Management Information Base (MIB) is installed correctly on the management station. Each Network Manager provides its own user interface to the management facilities.

The following sections describe how to get started if you want to use an SNMP manager. It assumes you are already familiar with SNMP management. If not, refer to the following publication:

The Simple Book
by Marshall T. Rose
ISBN 0-13-8121611-9
Published by Prentice Hall.

Accessing Switch Agents

To have access to the SNMP agent residing in the switch, at least one VLAN must have an IP address assigned to it.

Supported MIBs

In addition to private MIBs, the switch supports the standard MIBs listed in Appendix C.

Configuring SNMP Settings

The following SNMP parameters can be configured on the switch:
• Authorized trap receivers—An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMP traps to all trap receivers. You can have a maximum of 16 trap receivers configured for each switch. Entries in this list can also be created, modified, and deleted using the RMON2 trapDestTable MIB variable, as described in RFC 2021.
• Community strings—The community strings allow a simple method of authentication between the switch and the remote Network Manager. There are two types of community strings on the switch. Read community strings provide read-only access to the switch. The default read-only community string is public. Read-write community strings provide read and write access to the switch. The default read-write community string is private. A total of eight community strings can be configured on the switch. The community string for all authorized trap receivers must be configured on the switch for the trap receiver to receive switch-generated traps. SNMP community strings can contain up to 127 characters.
• System contact (optional)—The system contact is a text field that enables you to enter the name of the person(s) responsible for managing the switch.
• System name—The system name is the name that you have assigned to this switch. The default name is the model name of the switch (for example, Summit1 switch).
• System location (optional)—Using the system location field, you can enter an optional location for this switch.

Table 18 describes SNMP configuration commands.

Table 18: SNMP Configuration Commands

Command
    Description

config snmp add trapreceiver <ipaddress> community <string>
    Adds the IP address of a specified trap receiver. The IP address can be a unicast, multicast, or broadcast address. A maximum of 16 trap receivers is allowed.
config snmp community [read-only | read-write] <string>
    Adds an SNMP read or read/write community string. The default read-only community string is public. The default read-write community string is private. Each community string can have a maximum of 127 characters, and can be enclosed by double quotation marks.
config snmp delete trapreceiver [<ip_address> community <string> | all]
    Deletes the IP address of a specified trap receiver or all authorized trap receivers.
config snmp syscontact <string>
    Configures the name of the system contact. A maximum of 255 characters is allowed.
config snmp syslocation <string>
    Configures the location of the switch. A maximum of 255 characters is allowed.
config snmp sysname <string>
    Configures the name of the switch. A maximum of 32 characters is allowed. The default sysname is the model name of the device (for example, Summit200-24). The sysname appears in the switch prompt.
disable snmp access
    Disables SNMP on the switch. Disabling SNMP access does not affect the SNMP configuration (for example, community strings).
disable snmp traps
    Prevents SNMP traps from being sent from the switch. Does not clear the SNMP trap receivers that have been configured.
enable snmp access
    Turns on SNMP support for the switch.
enable snmp traps
    Turns on SNMP trap support.
unconfig management
    Restores default values to all SNMP-related entries.
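The following is an added example, not part of the guide: a Python audit that replays management commands in the syntax of Tables 14 and 18 over the defaults this guide states (Telnet enabled, idle timeouts disabled, community strings public and private) and reports what is still exposed. The starting values for SSH2 and SNMP access, the finding names, and the sample command lists are assumptions constructed for the example.

```python
import re

# Defaults stated in this guide: Telnet enabled, idletimeouts disabled.
# The guide gives no default for SSH2 or SNMP access; these two are assumptions.
DEFAULT_STATE = {"telnet": True, "idletimeouts": False,
                 "ssh2": False, "snmp access": True}
DEFAULT_COMMUNITIES = {"public", "private"}   # documented factory strings

_TOGGLE = re.compile(r"^(enable|disable) (telnet|idletimeouts|ssh2|snmp access)\b")
_COMMUNITY = re.compile(r"^config snmp community (read-only|read-write) (\S+)")
_TRAP = re.compile(r"^config snmp add trapreceiver \S+ community (\S+)")


def audit(lines):
    """Return {finding_id: explanation} for a list of CLI configuration lines."""
    state = dict(DEFAULT_STATE)
    access_strings, trap_strings = [], []
    for raw in lines:
        line = " ".join(raw.split())          # normalise whitespace
        m = _TOGGLE.match(line)
        if m:
            state[m.group(2)] = (m.group(1) == "enable")
            continue
        m = _COMMUNITY.match(line)
        if m:
            access_strings.append(m.group(2).strip('"'))
            continue
        m = _TRAP.match(line)
        if m:
            trap_strings.append(m.group(1).strip('"'))

    findings = {}
    if state["telnet"]:
        alt = "SSH2 is enabled, so Telnet can be disabled" if state["ssh2"] \
            else "SSH2 is not enabled as an alternative"
        findings["telnet-enabled"] = "Telnet management is on; " + alt
    if not state["idletimeouts"]:
        findings["idle-timeout-disabled"] = \
            "idle Telnet and console sessions are never disconnected"
    # With no community line at all, the documented defaults are what is in use.
    # Whether adding a string removes a default is not stated in the guide, so
    # confirm the result with "show management".
    defaults_in_use = (not access_strings
                       or any(s in DEFAULT_COMMUNITIES for s in access_strings))
    if state["snmp access"] and defaults_in_use:
        findings["default-snmp-community"] = \
            "SNMP access relies on the public/private default strings"
    if any(s in DEFAULT_COMMUNITIES for s in trap_strings):
        findings["default-snmp-community"] = \
            "a trap receiver is configured with a default community string"
    return findings


# Constructed sample: IP settings only, everything else left at defaults.
FACTORY_LIKE = [
    "config vlan default ipaddress 123.45.67.8 / 24",
    "config iproute add default 123.45.67.1",
    "config snmp add trapreceiver 123.45.67.20 community public",
]

# Constructed sample: the same switch after tightening management access.
TIGHTENED = [
    "enable ssh2",
    "disable telnet",
    "enable idletimeouts",
    'config snmp community read-only "constructed-ro-string"',
    'config snmp community read-write "constructed-rw-string"',
]

if __name__ == "__main__":
    for name, cfg in (("factory-like", FACTORY_LIKE), ("tightened", TIGHTENED)):
        print(name, sorted(audit(cfg)))
```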

Displaying SNMP Settings

To display the SNMP settings configured on the switch, use the following command:

show management

This command displays the following information:
• Enable/disable state for Telnet, SSH2, and SNMP
• SNMP community strings
• Authorized SNMP station list
• SNMP trap receiver list
• RMON polling configuration
• Login statistics

Authenticating Users

ExtremeWare provides two methods to authenticate users who log in to the switch:
• RADIUS client
• TACACS+

NOTE
You cannot configure RADIUS and TACACS+ at the same time.

RADIUS Client

Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administrating access to network nodes. The ExtremeWare RADIUS client implementation allows authentication for Telnet or console access to the switch.

You can define a primary and secondary RADIUS server for the switch to contact. When a user attempts to log in using Telnet, http, or the console, the request is relayed to the primary RADIUS server, and then to the secondary RADIUS server, if the primary does not respond. If the RADIUS client is enabled, but access to the RADIUS primary and secondary server fails, the switch uses its local database for authentication.

The privileges assigned to the user (admin versus nonadmin) at the RADIUS server take precedence over the configuration in the local switch database.

Per-Command Authentication Using RADIUS

The RADIUS implementation can be used to perform per-command authentication. Per-command authentication allows you to define several levels of user capabilities by controlling the permitted command sets based on the RADIUS username and password. You do not need to configure any additional switch parameters to take advantage of this capability. The RADIUS server implementation automatically negotiates the per-command authentication capability with the switch. For examples on per-command RADIUS configurations, see “Configuring RADIUS Client” on page 61.

Configuring RADIUS Client

You can define primary and secondary server communication information, and for each RADIUS server, the RADIUS port number to use when talking to the RADIUS server. The default port value is 1645. The client IP address is the IP address used by the RADIUS server for communicating back to the switch.

RADIUS commands are described in Table 19.

Table 19: RADIUS Commands

Command
    Description

config radius [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress>
    Configures the primary and secondary RADIUS server. Specify the following:
    • [primary | secondary] — Configure either the primary or secondary RADIUS server.
    • [<ipaddress> | <hostname>] — The IP address or hostname of the server being configured.
    • <udp_port> — The UDP port to use to contact the RADIUS server. The default UDP port setting is 1645.
    • client-ip <ipaddress> — The IP address used by the switch to identify itself when communicating with the RADIUS server.
    The RADIUS server defined by this command is used for user name authentication and CLI command authentication.
config radius [primary | secondary] shared-secret {encrypted} <string>
    Configures the authentication string used to communicate with the RADIUS server.
config radius-accounting [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress>
    Configures the RADIUS accounting server. Specify the following:
    • [primary | secondary] — Configure either the primary or secondary RADIUS server.
    • [<ipaddress> | <hostname>] — The IP address or hostname of the server being configured.
    • <udp_port> — The UDP port to use to contact the RADIUS server. The default UDP port setting is 1646.
    • client-ip <ipaddress> — The IP address used by the switch to identify itself when communicating with the RADIUS server.
    The accounting server and the RADIUS authentication server can be the same.
config radius-accounting [primary | secondary] shared-secret {encrypted} <string>
    Configures the authentication string used to communicate with the RADIUS accounting server.
disable radius
    Disables the RADIUS client.
disable radius-accounting
    Disables RADIUS accounting.

Table 19: RADIUS Commands (continued)

Command
    Description

enable radius
    Enables the RADIUS client. When enabled, all CLI logins are sent to the RADIUS servers for authentication. When used with a RADIUS server that supports ExtremeWare CLI authorization, each CLI command is sent to the RADIUS server for authentication before it is executed.
enable radius-accounting
    Enables RADIUS accounting. The RADIUS client must also be enabled.
show radius
    Displays the current RADIUS client configuration and statistics.
show radius-accounting
    Displays the current RADIUS accounting client configuration and statistics.
unconfig radius {server [primary | secondary]}
    Unconfigures the radius client configuration.
unconfig radius-accounting {server [primary | secondary]}
    Unconfigures the radius accounting client configuration.

RADIUS RFC 2138 Attributes

The RADIUS RFC 2138 optional attributes supported are as follows:
• User-Name
• User-Password
• Service-Type
• Login-IP-Host

RADIUS Server Configuration Example (Merit)

Many implementations of RADIUS server use the publicly available Merit© AAA server application, available on the World Wide Web at:

http://www.merit.edu/aaa

Included below are excerpts from relevant portions of a sample Merit RADIUS server implementation. The example shows excerpts from the client and user configuration files. The client configuration file (ClientCfg.txt) defines the authorized source machine, source name, and access level. The user configuration file (users) defines username, password, and service type information.

ClientCfg.txt

    #Client Name         Key               [type]                     [version]   [prefix]
    #----------------    ---------------   --------------             ---------   --------
    #10.1.2.3:256        test              type = nas                 v2          pfx
    #pm1                 %^$%#*(&!(*&)+    type=nas                               pm1.
    #pm2                 :-):-(;^):-}!     type nas                               pm2.
    #merit.edu/homeless  hmoemreilte.ses
    #homeless            testing           type proxy                 v1
    #xyz.merit.edu       moretesting       type=Ascend:NAS            v1
    #anyoldthing:1234    whoknows?         type=NAS+RAD_RFC+ACCT_RFC
    10.202.1.3           andrew-linux      type=nas
    10.203.1.41          eric              type=nas
    10.203.1.42          eric              type=nas
    10.0.52.14           samf              type=nas

users

    user     Password = ""
             Filter-Id = "unlim"

    admin    Password = "", Service-Type = Administrative
             Filter-Id = "unlim"

    eric     Password = "", Service-Type = Administrative
             Filter-Id = "unlim"

    albert   Password = "password", Service-Type = Administrative
             Filter-Id = "unlim"

    samuel   Password = "password", Service-Type = Administrative
             Filter-Id = "unlim"

RADIUS Per-Command Configuration Example

Building on this example configuration, you can use RADIUS to perform per-command authentication to differentiate user capabilities. To do so, use the Extreme-modified RADIUS Merit software that is available from the Extreme Networks web server at http://www.extremenetworks.com/extreme/support/otherapps.htm or by contacting Extreme Networks technical support. The software is available in compiled format for Solaris™ or Linux™ operating systems, as well as in source code format. For all clients that use RADIUS per-command authentication, you must add the following type to the client file:

    type:extreme:nas + RAD_RFC + ACCT_RFC

Within the users configuration file, additional keywords are available for Profile-Name and Extreme-CLI-Authorization. To use per-command authentication, enable the CLI authorization function and indicate a profile name for that user. If authorization is enabled without specifying a valid profile, the user is unable to perform any commands.

Next, define the desired profiles in an ASCII configuration file called profiles. This file contains named profiles of exact or partial strings of CLI commands. A named profile is linked with a user through the users file. A profile with the permit on keywords allows use of only the listed commands. A profile with the deny keyword allows use of all commands except the listed commands.

CLI commands can be defined easily in a hierarchal manner by using an asterisk (*) to indicate any possible subsequent entry. The parser performs exact string matches on other text to validate commands. Commands are separated by a comma (,) or newline.

Looking at the following example content in profiles for the profile named PROFILE1, which uses the deny keyword, the following attributes are associated with the user of this profile:
• Cannot use any command starting with enable.
• Cannot issue the disable ipforwarding command.
• Cannot issue a show switch command.
• Can perform all other commands.

We know from the users file that this applies to the users albert and lulu. We also know that eric is able to log in, but is unable to perform any commands, because he has no valid profile assigned.

In PROFILE2, a user associated with this profile can use any enable command, the clear counters command and the show management command, but can perform no other functions on the switch. We also know from the users file that gerald has these capabilities.

The following lists the contents of the file users with support for per-command authentication:

    user     Password = ""
             Filter-Id = "unlim"

    admin    Password = "", Service-Type = Administrative
             Filter-Id = "unlim"

    eric     Password = "", Service-Type = Administrative, Profile-Name = ""
             Filter-Id = "unlim"
             Extreme:Extreme-CLI-Authorization = Enabled

    albert   Password = "", Service-Type = Administrative, Profile-Name = "Profile1"
             Filter-Id = "unlim"
             Extreme:Extreme-CLI-Authorization = Enabled

    lulu     Password = "", Service-Type = Administrative, Profile-Name = "Profile1"
             Filter-Id = "unlim"
             Extreme:Extreme-CLI-Authorization = Enabled

    gerald   Password = "", Service-Type = Administrative, Profile-Name = "Profile2"
             Filter-Id = "unlim"
             Extreme:Extreme-CLI-Authorization = Enabled

Contents of the file “profiles”:

    PROFILE1 deny
    {
    enable *, disable ipforwarding
    show switch
    }

    PROFILE2
    {
    enable *, clear counters
    show management
    }

    PROFILE3 deny
    {
    create vlan *, configure iproute *, disable *, show fdb
    delete *, configure rip add
    }
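The profile rules described above can be checked offline before they are relied on. The following is an added example, not the Merit or ExtremeWare parser: a small Python evaluator that applies the stated rules (deny versus permit profiles, comma or newline separators, a trailing asterisk for any subsequent entry, exact matching otherwise, and no commands when no valid profile is linked). Case-insensitive profile-name lookup and treating the asterisk as zero or more further words are assumptions of this example.

```python
import re

# Constructed copy of the PROFILE1 and PROFILE2 entries from the profiles file above.
PROFILES_TEXT = """\
PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}
PROFILE2
{
enable *, clear counters
show management
}
"""

# Profile-Name values from the users file above; eric's is the empty string.
USER_PROFILES = {"albert": "Profile1", "lulu": "Profile1",
                 "gerald": "Profile2", "eric": ""}

# A profile is: NAME, optional keyword, then a brace-delimited command list.
_PROFILE_RE = re.compile(r"(\w+)[ \t]*(deny|permit)?\s*\{([^}]*)\}", re.IGNORECASE)


def parse_profiles(text):
    """Return {NAME: (mode, [pattern tuples])}; a profile without 'deny' permits."""
    profiles = {}
    for name, keyword, body in _PROFILE_RE.findall(text):
        # Commands are separated by a comma or a newline.
        patterns = [tuple(p.split()) for p in re.split(r"[,\n]", body) if p.strip()]
        mode = "deny" if keyword.lower() == "deny" else "permit"
        profiles[name.upper()] = (mode, patterns)
    return profiles


def matches(pattern, tokens):
    """Trailing '*' matches any subsequent entry; anything else must match exactly."""
    if pattern and pattern[-1] == "*":
        prefix = pattern[:-1]
        return tokens[:len(prefix)] == prefix
    return tokens == pattern


PROFILES = parse_profiles(PROFILES_TEXT)


def authorize(user, command, profiles=None, user_profiles=None):
    """Return True if the user's profile lets the command run."""
    profiles = PROFILES if profiles is None else profiles
    user_profiles = USER_PROFILES if user_profiles is None else user_profiles
    name = user_profiles.get(user, "").upper()
    if name not in profiles:
        # Authorization enabled without a valid profile: no commands allowed.
        return False
    mode, patterns = profiles[name]
    tokens = tuple(command.split())
    hit = any(matches(p, tokens) for p in patterns)
    return hit if mode == "permit" else not hit


if __name__ == "__main__":
    checks = [("albert", "enable telnet"), ("albert", "disable telnet"),
              ("albert", "show switch"), ("gerald", "clear counters"),
              ("gerald", "show switch"), ("eric", "show management")]
    for user, command in checks:
        verdict = "allow" if authorize(user, command) else "deny"
        print(f"{user:7} {command:20} {verdict}")
```

Note that a deny profile fails open for anything it does not list: albert may run disable telnet because only disable ipforwarding is matched exactly.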

Configuring TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing authentication, authorization, and accounting on a centralized server, similar in function to the RADIUS client. The ExtremeWare version of TACACS+ is used to authenticate prospective users who are attempting to administer the switch. TACACS+ is used to communicate between the switch and an authentication database.

NOTE
You cannot use RADIUS and TACACS+ at the same time.

You can configure two TACACS+ servers, specifying the primary server address, secondary server address, and UDP port number to be used for TACACS+ sessions.

Table 20 describes the commands that are used to configure TACACS+.

Table 20: TACACS+ Commands

Command
    Description

config tacacs [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress>
    Configure the server information for a TACACS+ server. Specify the following:
    • primary | secondary — Specifies primary or secondary server configuration. To remove a server, use the address 0.0.0.0.
    • <ipaddress> | <hostname> — Specifies the TACACS+ server.
    • <udp_port> — Optionally specifies the UDP port to be used.
    • client-ip — Specifies the IP address used by the switch to identify itself when communicating with the TACACS+ server.

config tacacs [primary | secondary] shared-secret {encrypted} <string>
    Configures the shared secret string used to communicate with the TACACS+ server.

config tacacs-accounting [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress>
    Configures the TACACS+ accounting server. You can use the same server for accounting and authentication.

config tacacs-accounting [primary | secondary] shared-secret {encrypted} <string>
    Configures the shared secret string used to communicate with the TACACS+ accounting server.

disable tacacs
    Disables TACACS+.

disable tacacs-accounting
    Disables TACACS+ accounting.

disable tacacs-authorization
    Disables CLI command authorization.

enable tacacs
    Enables TACACS+. Once enabled, all CLI logins are sent to one of the two TACACS+ servers for login name authentication and accounting.

Table 20: TACACS+ Commands (continued)

Command
    Description

enable tacacs-accounting
    Enables TACACS+ accounting. If accounting is used, the TACACS+ client must also be enabled.

enable tacacs-authorization
    Enables CLI command authorization. When enabled, each command is transmitted to the remote TACACS+ server for authorization before the command is executed.

show tacacs
    Displays the current TACACS+ configuration and statistics.

show tacacs-accounting
    Displays the current TACACS+ accounting client configuration and statistics.

unconfig tacacs {server [primary | secondary]}
    Unconfigures the TACACS+ client configuration.

unconfig tacacs-accounting {server [primary | secondary]}
    Unconfigures the TACACS+ accounting client configuration.

Using Network Login

Network login is a feature designed to control the admission of user packets into a network by giving addresses only to users that have been properly authenticated. Network login is controlled by an administrator on a per port, per VLAN basis and uses an integration of DHCP, user authentication over the web interface, and, sometimes, a RADIUS server to provide a user database or specific configuration details.

When network login is enabled on a port in a VLAN, that port will not forward any packets until authentication takes place.

Network login has two modes of operation:
• Campus mode—Campus mode is used when a port in a VLAN will move to another VLAN when authentication has been completed successfully. This mode is for the roaming user who will not always be using the same port for authentication.
• ISP mode—ISP mode is used when the port and VLAN used will remain constant. All network settings are configured for that VLAN.

These two network login modes have the following functional similarities:
• Until authentication takes place, ports on the VLAN are kept in a non-forwarding state.
• Each mode requires the user to open a web browser with the IP address of the switch. This is the only address that the client can reach in a non-authenticated state.
• The web server on the switch provides user authentication.
• After authentication takes place, ports are moved into a forwarding state and moved to the VLAN configuration on the RADIUS server.

NOTE
Windows authentication is not supported via network login.

Using Network Login in Campus Mode

Campus mode requires:
• A DHCP server
• A RADIUS server configuration

The RADIUS server must have the following options configured in its dictionary file for network login:

    Extreme.attr Extreme-Netlogin-Vlan 203 string (1, 0, ENCAPS)

The following optional configuration parameters can also be specified:

    Extreme.attr Extreme-Netlogin-Url 204 string (1, 0, ENCAPS)
    Extreme.attr Extreme-Netlogin-Url-Desc 205 string (1, 0, ENCAPS)

NOTE
These settings are for the Merit 3.6 version of RADIUS. The syntax of these settings will vary based on the type of RADIUS server that you are using.

The RADIUS server must also contain entries in the user file for a permanent VLAN, the URL to be redirected to after authentication has taken place, and the description of that URL. For example:

    auto Authentication-Type = Unix-PW, Service-Type = login
         Filter-Id = "unlim"
         Extreme:Extreme-Netlogin-Vlan = "corp"
         Extreme:Extreme-Netlogin-Url = "http://192.207.37.16"
         Extreme:Extreme-Netlogin-Url-Desc = "Extreme Networks Home"

In this example, the username is auto, the permanent VLAN is corp, and the URL to be redirected to is the Extreme Networks home page http://192.207.37.16.

Configuring Campus Mode

To configure the switch to use network login in campus mode, follow these steps:

1 Configure the switch as a RADIUS client. See “RADIUS Client” on page 60.

2 Configure a DHCP range for the port or ports in the VLAN on which you want to enable network login, using this command:

    config vlan <name> dhcp-address-range <ipaddress1> - <ipaddress2>

  The switch will assign a temporary DHCP address within the DHCP range to the client.

3 Enable network login on the port, using the command:

    enable netlogin ports <portlist> vlan <name>

NOTE
Network login is used on a per port, per VLAN basis. A port that is tagged can belong to more than one VLAN. In this case, network login can be enabled on one port for each VLAN.

Example Configuration Using Campus Mode

This example creates a permanent VLAN named corp on the switch. This VLAN will be used for authentication through a RADIUS server. The RADIUS server is 10.201.26.243 and the IP address of the switch is 10.201.26.11. The secret is “secret”. A temporary VLAN named temporary is created and port 9 is added. Network login is enabled on the port.

    create vlan corp
    config corp ipaddress 10.201.26.11/24
    config radius primary server 10.201.26.243 client-ip 10.201.26.11
    config radius primary shared-secret secret
    enable radius
    create vlan temporary
    config temporary add port 9
    config temporary ipaddress 192.168.0.1/24
    config temporary dhcp-address-range 192.168.0.20 - 192.168.0.100
    enable netlogin ports 9 vlan temporary

User Login Using Campus Mode

To log in as a user from the client, the user will follow these steps:

1 Set up the Windows IP configuration for DHCP.

2 Plug into the port that has network login enabled. In this example, the user will plug into port 9.

3 Log in to Windows.

4 Release any old IP settings and renew the DHCP lease. This is done differently depending on the version of Windows the user is running:
  — Windows 9x—use the winipcfg tool. Choose the Ethernet adapter that is connected to the port on which network login is enabled. Use the buttons to release the IP configuration and renew the DHCP lease.
  — Windows NT/2000—use the ipconfig command line utility. Use the command ipconfig/release to release the IP configuration and ipconfig/renew to get the temporary IP address from the switch. If you have more than one Ethernet adapter, specify the adapter by using a number for the adapter following the ipconfig command. You can find the adapter number using the command ipconfig/all.

  At this point, the client will have its temporary IP address. In this example, the client should have obtained the IP address 192.168.0.20.

5 Bring up the web browser and enter the IP address of the switch.

  NOTE
  It is important to use the IP address of a VLAN that is reachable from anywhere on the network.

  A page will open with a link for network login.

6 Click the network login link. A dialog box opens requesting a username and password.

7 Enter the username and password configured on the RADIUS server. After the user has successfully logged in, the user will be redirected to the URL configured on the RADIUS server.

During the user login process, the following takes place:
• Authentication is done through the RADIUS server.
• After successful authentication, the connection information configured on the RADIUS server is returned to the switch:
  — The permanent VLAN
  — The URL to be redirected to (optional)
  — The URL description (optional)
• The port is moved to the permanent VLAN. You can verify this using the show vlan command. For more information on the show vlan command, see “Displaying VLAN Settings” on page 92.

After a successful login has been achieved, there are several ways that a port can return to a non-authenticated, non-forwarding state:
• The user successfully logs out using the logout web browser window.
• The link from the user to the switch’s port is lost.
• An administrator changes the port state.

NOTE
Because network login is sensitive to state changes during the authentication process, Extreme Networks recommends that you do not log out until the login process is completed. The login process is completed when you receive a permanent address.

Using Network Login in ISP Mode

In ISP mode, a RADIUS server might be used to provide user authentication. No Extreme-specific lines are required for the dictionary or the user file.

Configuring ISP Mode

Configure the switch to use network login in ISP mode, using this command:

    enable netlogin ports <portlist> vlan <name>

NOTE
Network login is used on a per port, per VLAN basis. A port that is tagged can belong to more than one VLAN. In this case, network login can be enabled on one port for each VLAN.

Example Configuration Using ISP Mode

This example creates a permanent VLAN named corp on the switch. This VLAN will be used for authentication through RADIUS. The radius server is 10.201.26.243 and the IP address of the switch is 10.201.26.11. The secret is “secret”. Port 9 is added to the VLAN corp. Network login is enabled on the port.

    create vlan corp
    config corp ipaddress 10.201.26.11/24
    config radius primary server 10.201.26.243 client-ip 10.201.26.11
    config radius primary shared-secret secret
    enable radius
    config corp add port 9
    enable netlogin ports 9 vlan corp

DHCP Server on the Switch

A DHCP server with limited configuration capabilities is included in the switch to provide IP addresses to clients. DHCP is enabled on a per port, per VLAN basis. To enable or disable DHCP on a port in a VLAN, use one of the following commands:

    enable dhcp ports <portlist> vlan <name>
    disable dhcp ports <portlist> vlan <name>

Network Login Configuration Commands

Table 21 describes the commands used to configure network login.

Table 21: Network Login Configuration Commands

Command
    Description

config vlan <name> dhcp-address-range <ipaddress1> - <ipaddress2>
    Configures a set of DHCP addresses for a VLAN.

config vlan <name> dhcp-lease-timer <lease-timer>
    Configures the timer value in seconds returned as part of the DHCP response.

config vlan <name> dhcp-options [default-gateway | dns-server | wins-server] <ipaddress>
    Configures the DHCP options returned as part of the DHCP response by a switch configured as a DHCP server.

config vlan <name> netlogin-lease-timer <lease-timer>
    Configures the timer value in seconds returned as part of the DHCP response for clients attached to network enabled ports. The default value is 30 seconds.

disable dhcp ports <portlist> vlan <name>
    Disables DHCP on a specified port in a VLAN.

disable netlogin ports <portlist> vlan <name>
    Disables network login on a specified port in a VLAN.

enable dhcp ports <portlist> vlan <name>
    Enables DHCP on a specified port in a VLAN.

enable netlogin ports <portlist> vlan <name>
    Enables network login on a specified port in a VLAN.

Displaying Network Login Settings

To display the network login settings, use the following command:

    show netlogin info {ports <portlist> vlan <name>}

Example

    #show netlogin info ports 9 vlan temporary
    Port 9: VLAN: temporary
            Port State: Not Authenticated
            Temp IP: Unknown
            DHCP: Not Enabled
            User: Unknown MAC: Unknown

In this example, the user is using campus mode and no authentication has taken place. Therefore, the port state displays as not authenticated. No packets sent by the user on port 9 will get past the port until authentication takes place. After authentication has taken place and the permanent IP address is obtained, the show command displays the port state as authenticated.

    #show netlogin info ports 9 vlan corp
    Port 9: VLAN: corp
            Port State: Authenticated
            Temp IP: Unknown
            DHCP: Not Enabled
            User: auto MAC: 00:10:A4:A9:11:3B

Disabling Network Login

Network login must be disabled on a port before you can delete a VLAN that contains that port. To disable network login, use the following command:

    disable netlogin ports <portlist> vlan <name>

Using EAPOL Flooding

Port-based Network Access Control (IEEE 802.1x) uses Extensible Authentication Protocol (EAP) as the underlying mechanism for transferring information between the three network entities engaged in the IEEE 802.1x port authentication access control process: the supplicant, the authenticator, and the authenticating server. The encapsulating mechanism used for communication between the supplicant and the authenticator is referred to as EAP Over LANs, or EAPOL.

By default (per IEEE 802.1D), Summit 200 series switches do not forward EAPOL frames. Under certain conditions, you might opt to change this behavior to support an upstream central authenticator by enabling the switch to flood the EAPOL frame on the VLAN associated with the ingress port.

The following example enables EAPOL frame flooding on a Summit 200 series switch:

    enable eapol-flooding

When EAPOL flooding is enabled on the switch, you can verify that status by using the command:

    show config

The following example disables EAPOL frame flooding on a Summit 200 series switch:

    disable eapol-flooding

You can verify the current EAPOL flooding state by using the command:

    show eapol-flooding

Table 22 describes the commands used to configure EAPOL flooding.

Table 22: EAPOL Flooding Configuration Commands

Command
    Description

disable eapol-flooding
    Disables EAPOL flooding on the switch.

enable eapol-flooding
    Enables EAPOL flooding on the switch.

show eapol-flooding
    Enables network login on a specified port in a VLAN.

Using the Simple Network Time Protocol

ExtremeWare supports the client portion of the Simple Network Time Protocol (SNTP) Version 3 based on RFC1769. SNTP can be used by the switch to update and synchronize its internal clock from a Simple Network Time Protocol server. When enabled, the switch sends out a periodic query to the indicated SNTP server, or the switch listens to broadcast SNTP updates. In addition, the switch supports the configured setting for Greenwich Mean time (GMT) offset and the use of Daylight Savings Time. These features have been tested for year 2000 compliance.

Configuring and Using SNTP

To use SNTP, follow these steps:

1 Identify the host(s) that are configured as SNTP server(s). Additionally, identify the preferred method for obtaining SNTP updates. The options are for the SNTP server to send out broadcasts, or for switches using SNTP to query the SNTP server(s) directly. A combination of both methods is possible. You must identify the method that should be used for the switch being configured.

2 Configure the Greenwich Mean Time (GMT) offset and Daylight Savings Time preference. The command syntax to configure GMT offset and usage of Daylight Savings is as follows:

    config timezone <GMT_offset> {autodst | noautodst}

  The GMT_OFFSET is in +/- minutes from the GMT time. Automatic Daylight Savings Time (DST) changes can be enabled or disabled. The default setting is enabled.

3 Enable the SNTP client using the following command:

    enable sntp-client

  Once enabled, the switch sends out a periodic query to the SNTP servers defined later (if configured) or listens to broadcast SNTP updates from the network. The network time information is automatically saved into the on-board real-time clock.

4 If you would like this switch to use a directed query to the SNTP server, configure the switch to use the SNTP server(s). If the switch listens to SNTP broadcasts, skip this step.

  To configure the switch to use a directed query, use the following command:

    config sntp-client [primary | secondary] server [<ip_address> | <hostname>]

  NTP queries are first sent to the primary server. If the primary server does not respond within 1 second, or if it is not synchronized, the switch queries the secondary server (if one is configured). If the switch cannot obtain the time, it restarts the query process. Otherwise, the switch waits for the sntp-client update interval before querying again.

5 Optionally, the interval for which the SNTP client updates the real-time clock of the switch can be changed using the following command:

    config sntp-client update-interval <seconds>

  The default sntp-client update-interval value is 64 seconds.

6 You can verify the configuration using the following commands:
  — show sntp-client
    This command provides configuration and statistics associated with SNTP and its connectivity to the SNTP server.
  — show switch
    This command indicates the GMT offset, Daylight Savings Time, and the current local time.

NTP updates are distributed using GMT time. To properly display the local time in logs and other timestamp information, the switch should be configured with the appropriate offset to GMT based on geographical location. Table 23 describes GMT offsets.

Table 23: Greenwich Mean Time Offsets

GMT Offset in Hours | GMT Offset in Minutes | Common Time Zone References | Cities
+0:00 | +0 | GMT—Greenwich Mean; UT or UTC—Universal (Coordinated); WET—Western European | London, England; Dublin, Ireland; Edinburgh, Scotland; Lisbon, Portugal; Reykjavik, Iceland; Casablanca, Morocco
-1:00 | -60 | WAT—West Africa | Azores, Cape Verde Islands
-2:00 | -120 | AT—Azores |
-3:00 | -180 | | Brasilia, Brazil; Buenos Aires, Argentina; Georgetown, Guyana
-4:00 | -240 | AST—Atlantic Standard | Caracas; La Paz
-5:00 | -300 | EST—Eastern Standard | Bogota, Colombia; Lima, Peru; New York, NY; Trevor City, MI USA
-6:00 | -360 | CST—Central Standard | Mexico City, Mexico; Saskatchewan, Canada
-7:00 | -420 | MST—Mountain Standard |
-8:00 | -480 | PST—Pacific Standard | Los Angeles, CA; Cupertino, CA; Seattle, WA USA
-9:00 | -540 | YST—Yukon Standard |
-10:00 | -600 | AHST—Alaska-Hawaii Standard; CAT—Central Alaska; HST—Hawaii Standard |
-11:00 | -660 | NT—Nome |
-12:00 | -720 | IDLW—International Date Line West |

Table 23: Greenwich Mean Time Offsets (continued)

GMT Offset in Hours | GMT Offset in Minutes | Common Time Zone References | Cities
+1:00 | +60 | CET—Central European; FWT—French Winter; MET—Middle European; MEWT—Middle European Winter; SWT—Swedish Winter | Paris, France; Berlin, Germany; Amsterdam, The Netherlands; Brussels, Belgium; Vienna, Austria; Madrid, Spain; Rome, Italy; Bern, Switzerland; Stockholm, Sweden; Oslo, Norway
+2:00 | +120 | EET—Eastern European, Russia Zone 1 | Athens, Greece; Helsinki, Finland; Istanbul, Turkey; Jerusalem, Israel; Harare, Zimbabwe
+3:00 | +180 | BT—Baghdad, Russia Zone 2 | Kuwait; Nairobi, Kenya; Riyadh, Saudi Arabia; Moscow, Russia; Tehran, Iran
+4:00 | +240 | ZP4—Russia Zone 3 | Abu Dhabi, UAE; Muscat; Tbilisi; Volgograd; Kabul
+5:00 | +300 | ZP5—Russia Zone 4 |
+5:30 | +330 | IST—India Standard Time | New Delhi, Pune, Allahabad, India
+6:00 | +360 | ZP6—Russia Zone 5 |
+7:00 | +420 | WAST—West Australian Standard |
+8:00 | +480 | CCT—China Coast, Russia Zone 7 |
+9:00 | +540 | JST—Japan Standard, Russia Zone 8 |
+10:00 | +600 | EAST—East Australian Standard; GST—Guam Standard; Russia Zone 9 |
+11:00 | +660 | |
+12:00 | +720 | IDLE—International Date Line East; NZST—New Zealand Standard; NZT—New Zealand | Wellington, New Zealand; Fiji, Marshall Islands

SNTP Configuration Commands

Table 24 describes SNTP configuration commands.

Table 24: SNTP Configuration Commands

Command
    Description

config sntp-client [primary | secondary] server [<ipaddress> | <host_name>]
    Configures an SNTP server for the switch to obtain time information. Queries are first sent to the primary server. If the primary server does not respond within 1 second, or if it is not synchronized, the switch queries the second server.

config sntp-client update-interval <seconds>
    Configures the interval between polling for time information from SNTP servers. The default setting is 64 seconds.

disable sntp-client
    Disables SNTP client functions.

enable sntp-client
    Enables Simple Network Time Protocol (SNTP) client functions.

show sntp-client
    Displays configuration and statistics for the SNTP client.

SNTP Example

In this example, the switch queries a specific SNTP server and a backup SNTP server. The switch is located in Cupertino, CA, and an update occurs every 20 minutes. The commands to configure the switch are as follows:

    config timezone -480 autodst
    config sntp-client update-interval 1200
    enable sntp-client
    config sntp-client primary server 10.0.1.1
    config sntp-client secondary server 10.0.1.2


6 Configuring Ports on a Switch

This chapter describes the following topics:
• Enabling and Disabling Switch Ports
• Load Sharing on the Switch
• Switch Port-Mirroring
• Extreme Discovery Protocol

Enabling and Disabling Switch Ports

By default, all ports are enabled. To enable or disable one or more ports, use the following command:

    [enable | disable] ports <portlist>

For example, to disable ports 3, 5, and 12 through 15 on a Summit 200 series switch, use the following command:

    disable ports 3,5,12-15

Even though a port is disabled, the link remains enabled for diagnostic purposes.

Configuring Switch Port Speed and Duplex Setting

By default, the switch is configured to use autonegotiation to determine the port speed and duplex setting for each port. You can manually configure the duplex setting and the speed of 10/100 Mbps ports.

10BASE-T and 100BASE-TX ports can connect to either 10BASE-T or 100BASE-T networks. By default, the ports autonegotiate port speed. You can also configure each port for a particular speed (either 10 Mbps or 100 Mbps).

NOTE
The fiber-medium Gigabit Ethernet ports on the switch are statically set to 1 Gbps, and their speed cannot be modified.

The copper-medium Gigabit Ethernet ports can be configured as 10/100/1000 Mbps ports.

All ports on a stand-alone switch can be configured for half-duplex or full-duplex operation. By default, the 10/100 Mbps ports autonegotiate the duplex setting.

To configure port speed and duplex setting, use the following command:

    config ports <portlist> auto off {speed [10 | 100 | 1000]} duplex [half | full]

To configure the system to autonegotiate, use the following command:

    config ports <portlist> auto on

Flow control is supported only on Gigabit Ethernet ports. It is enabled or disabled as part of autonegotiation. If autonegotiation is set to off, flow control is disabled. When autonegotiation is turned on, flow control is enabled.

Turning Off Autonegotiation for a Gigabit Ethernet Port

In certain interoperability situations, you may need to turn autonegotiation off on a Gigabit Ethernet port. Even though a Gigabit Ethernet port runs only at full duplex, you must specify the duplex setting.

The following example turns autonegotiation off for port 25 (a Gigabit Ethernet port) on a stand-alone Summit 200-24 switch:

    config ports 25 auto off duplex full

Turning Off Autopolarity Detection for an Ethernet Port

The autopolarity detection feature allows the system to detect and respond to the Ethernet cable type (straight-through vs. crossover cable) used to make the connection to the switch port. When the autopolarity feature is enabled, the system causes the Ethernet link to come up regardless of the cable type connected to the port. When the autopolarity feature is disabled, the link will come up only when a crossover cable is connected to the port. The autopolarity feature is supported only on the 10BASE-T and 100BASE-TX switch ports, and enabled by default.

Under certain conditions, you might opt to turn autopolarity off on one or more 10BASE-T and 100BASE-TX ports. The following example turns autopolarity off for ports 3-5 on a Summit 200 series switch:

    config ports 3-5 auto-polarity off

NOTE
If you attempt to invoke this command on a Gigabit Ethernet switch port, the system displays a message indicating that the specified port is not supported by this feature.

When autopolarity is disabled on one or more Ethernet ports, you can verify that status by using the command:

    show config

This command will list the ports for which the feature has been disabled.

You can also verify the current autopolarity status by using the command:

    show ports {<portlist>} info detail

Switch Port Commands

Table 25 describes the switch port commands.

Table 25: Switch Port Commands

Command
    Description

config ports <portlist> auto off {speed [10 | 100 | 1000]} duplex [half | full]
    Changes the configuration of a group of ports. Specify the following:
    • auto off—The port will not autonegotiate the settings.
    • speed—The speed of the port.
    • duplex—The duplex setting (half- or full-duplex).

config ports <portlist> auto on
    Enables autonegotiation for the particular port type: 802.3u for 10/100 Mbps ports or 802.3z for Gigabit Ethernet ports.

config ports <all | portlist> auto-polarity <off | on>
    Disables or enables the autopolarity detection feature for one or more Ethernet ports. Specify the following:
    • all—Specifies that the feature is either disabled or enabled for all of the Ethernet ports on the switch.
    • portlist—Specifies that the feature is either disabled or enabled for one or more ports, identified as a number, several numbers separated by commas, or ranges of numbers (two numbers separated by a hyphen).
    • off—Disables the autopolarity detection feature.
    • on—Enables the autopolarity detection feature.

config ports <portlist> display-string <string>
    Configures a user-defined string for a port. The string is displayed in certain show commands (for example, show port all info). The string can be up to 16 characters.

config sharing address-based [mac_source | mac_destination | mac_source_destination | ip_source | ip_destination | ip_source_destination]
    Configures the part of the packet examined by the switch when selecting the egress port for transmitting load-sharing data. This feature is available using the address-based load-sharing algorithm, only.

disable ports <portlist>
    Disables a port. Even when disabled, the link is available for diagnostic purposes.

disable sharing <port>
    Disables a load-sharing group of ports.

enable ports <portlist>
    Enables a port.

enable sharing <port> grouping <portlist> {address-based}
    Defines a load-sharing group of ports. The ports specified in <portlist> are grouped to the master port. The optional load-sharing algorithm, address-based, uses addressing information as criteria for egress port selection.

restart ports <portlist>
    Resets autonegotiation for one or more ports by resetting the physical link.

show ports {<portlist>} collisions
    Displays real-time collision statistics.

Table 25: Switch Port Commands (continued)

Command
    Description

show ports {<portlist>} configuration
    Displays the port configuration.

show ports {<portlist>} info {detail}
    Displays detailed system-related information.

show ports {<portlist>} packet
    Displays a histogram of packet statistics.

show ports {<portlist>} rxerrors
    Displays real-time receive error statistics.

show ports {<portlist>} stats
    Displays real-time port statistics.

show ports {<portlist>} txerrors
    Displays real-time transmit error statistics.

show ports {<portlist>} utilization
    Displays real-time port utilization information. Use the [Spacebar] to toggle between packet, byte, and bandwidth utilization information.

show sharing address-based
    Displays the address-based load sharing configuration.

unconfig ports <portlist> display-string <string>
    Clears the user-defined display string from a port.

Load Sharing on the Switch

Load sharing with switches allows you to increase bandwidth and resiliency by using a group of ports to carry traffic in parallel between switches. The sharing algorithm allows the switch to use multiple ports as a single logical port. For example, VLANs see the load-sharing group as a single logical port. Most load-sharing algorithms guarantee packet sequencing between clients.

If a port in a load-sharing group fails, traffic is redistributed to the remaining ports in the load-sharing group. If the failed port becomes active again, traffic is redistributed to include that port.

NOTE
Load sharing must be enabled on both ends of the link or a network loop may result. The load-sharing algorithms do not need to be the same on both ends.

This feature is supported between Extreme Networks switches only, but may be compatible with third-party trunking or link-aggregation algorithms. Check with an Extreme Networks technical representative for more information.

Load-Sharing Algorithms

Load-sharing algorithms allow you to select the distribution technique used by the load-sharing group to determine the output port selection. Algorithm selection is not intended for use in predictive traffic engineering.

You can configure the address-based load-sharing algorithm on the Summit 200 series switch.

The address-based load-sharing algorithm uses addressing information to determine which physical port in the load-sharing group to use for forwarding traffic out of the switch. Addressing information is based on the packet protocol, as follows:
— IP packets—Use the source and destination MAC and IP addresses.
— All other packets—Use the source and destination MAC address.

Configured IP Address-Based Load Sharing

When you configure load sharing, the switch examines a specific place in the packet to determine which egress port to use for forwarding traffic:
• For Layer 2 load sharing, the switch uses the MAC source address, MAC destination address, IP source address, and IP destination address.
• For Layer 3 load sharing, the switch uses the IP destination address.

You can control the field examined by the switch for IP address-based load sharing, using the following command:

    config sharing address-based [mac_source | mac_destination | mac_source_destination | ip_source | ip_destination | ip_source_destination]

where:

mac_source
    Indicates that the switch should examine the MAC source address.
mac_destination
    Indicates that the switch should examine the MAC destination address.
mac_source_destination
    Indicates that the switch should examine the MAC source and destination address.
ip_source
    Indicates that the switch should examine the IP source address.
ip_source_destination
    Indicates that the switch should examine the IP source address and destination address.
ip_destination
    Indicates that the switch should examine the IP destination address.

This feature is available for the address-based load-sharing algorithm, only.

To verify your configuration, use the following command:

    show sharing address-based

Configuring Switch Load Sharing

To set up a switch to load share among ports, you must create a load-sharing group of ports. The first port in the load-sharing group is configured as the “master” logical port. This is the reference port used in configuration commands. It can be thought of as the logical port representing the entire port group.

The following rules apply to the Summit 200 series switch:

• Ports on the switch must be of the same port type. For example, if you use 100 Mbps ports, all ports on the switch must be 100 Mbps ports.
• Ports on the switch are divided into a maximum of six groups.
• Port-based and round-robin load sharing algorithms do not apply.

To define a load-sharing group, you assign a group of ports to a single, logical port number. To enable or disable a load-sharing group, use the following commands:

enable sharing <port> grouping <portlist> {address-based}
disable sharing <port>

Load-Sharing Example

This section provides an example of how to define load-sharing on a Summit 200 series switch.

Load-Sharing on a Summit 200 Series Switch

The following example defines a load-sharing group that contains ports 9 through 12, and uses the first port in the group as the master logical port 9:

enable sharing 9 grouping 9-12

In this example, logical port 9 represents physical ports 9 through 12.

When using load sharing, you should always reference the master logical port of the load-sharing group (port 9 in the previous example) when configuring or viewing VLANs. VLANs configured to use other ports in the load-sharing group will have those ports deleted from the VLAN when load sharing becomes enabled.

NOTE Do not disable a port that is part of a load-sharing group. Disabling the port prevents it from forwarding traffic, but still allows the link to initialize. As a result, a partner switch does not receive a valid indication that the port is not in a forwarding state, and the partner switch will continue to forward packets.

Verifying the Load-Sharing Configuration

The screen output resulting from the show ports configuration command lists the ports that are involved in load sharing and the master logical port identity.

Switch Port-Mirroring

Port-mirroring configures the switch to copy all traffic associated with one or more ports. The monitor port can be connected to a network analyzer or RMON probe for packet analysis. The system uses a traffic filter that copies a group of traffic to the monitor port. The traffic filter is defined by the physical port, meaning that all data that traverses the port, regardless of VLAN configuration, is copied to the monitor port.

Up to eight mirroring filters and one monitor port can be configured. Once a port is specified as a monitor port, it cannot be used for any other function.

NOTE Frames that contain errors are not mirrored.

The mirrored port always transmits tagged frames. The default port tag will be added to any untagged packets as they are mirrored. This allows you to mirror multiple ports or VLANs to a mirror port, while preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast domain (VLAN) and across broadcast domains (for example, across VLANs when routing).

NOTE For optimum performance, mirror three or fewer ports at any given time.

On the Summit 200-48 switch, all ports specified by mirror filters as well as the mirror output port must belong to the same port group. Port group 1 consists of ports 1 through 24 and port 49; port group 2 consists of ports 25 through 48 and port 50.

Port-Mirroring Commands

Switch port-mirroring commands are described in Table 26.

Table 26: Switch Port-Mirroring Configuration Commands

Command: config mirroring add ports <portlist>
Description: Adds a single mirroring filter definition. Up to eight mirroring definitions can be added.

Command: config mirroring delete ports <portlist>
Description: Deletes a particular mirroring filter definition.

Command: disable mirroring
Description: Disables port-mirroring.

Command: enable mirroring to <port> tagged
Description: Dedicates a port to be the mirror output port.

Command: show mirroring
Description: Displays the port-mirroring configuration.

Port-Mirroring Example

The following example selects port 3 as the mirror port and sends all traffic coming into or out of the switch on port 1 to the mirror port:

enable mirroring to port 3 tagged
config mirroring add port 1

Extreme Discovery Protocol

The Extreme Discovery Protocol (EDP) is used to gather information about neighbor Extreme Networks switches. EDP is used by the switches to exchange topology information. Information communicated using EDP includes:

• Switch MAC address (switch ID).
• Switch VLAN-IP information.
• Switch IP address.
• Switch software version information.
• Switch port number.

EDP Commands

Table 27 lists EDP commands.

Table 27: EDP Commands

Command: disable edp ports <portlist>
Description: Disables the EDP on one or more ports.

Command: enable edp ports <portlist>
Description: Enables the generation and processing of EDP messages on one or more ports. The default setting is enabled.

Command: show edp
Description: Displays EDP information.

7 Virtual LANs (VLANs)

This chapter describes the following topics:

• Overview of Virtual LANs
• Types of VLANs
• VLAN Names
• Configuring VLANs on the Switch
• Displaying VLAN Settings
• MAC-Based VLANs

Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.

Overview of Virtual LANs

The term “VLAN” is used to refer to a collection of devices that communicate as if they were on the same physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not restricted by the hardware that physically connects them. The segments are defined by flexible user groups you create with the command-line interface.

Benefits

Implementing VLANs on your networks has the following advantages:

• VLANs help to control traffic—With traditional networks, congestion can be caused by broadcast traffic that is directed to all network devices, regardless of whether they require it. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that must communicate with each other.
• VLANs provide extra security—Devices within each VLAN can only communicate with member devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN Sales, the traffic must cross a routing device.
• VLANs ease the change and movement of devices—With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually.

Types of VLANs

VLANs can be created according to the following criteria:

• Physical port
• 802.1Q tag
• MAC address
• A combination of these criteria

Port-Based VLANs

In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch. A port can be a member of only one port-based VLAN. The Summit 200 series switch supports L2 port-based VLANs.

For example, on the Summit 200-24 switch in Figure 10, ports 1 through 8, and port 26 are part of VLAN Sales; ports 9 through 16, and port 25 are part of VLAN Finance; and ports 17 through 24 are part of VLAN Marketing.

Figure 10: Example of a port-based VLAN on the Summit 200-24 switch (VLANs Marketing, Finance, and Sales)

For the members of the different IP VLANs to communicate, the traffic must be routed by the switch. This means that each VLAN must be configured as a router interface with a unique IP address.

Spanning Switches with Port-Based VLANs

To create a port-based VLAN that spans two switches, you must do two things:

1 Assign the port on each switch to the VLAN.
2 Cable the two switches together using one port on each switch per VLAN.

Figure 11 illustrates a single VLAN that spans a BlackDiamond switch and a Summit 200-24 switch. All ports on the BlackDiamond switch belong to VLAN Sales. Ports 1 through 24, and port 26 on the Summit 200-24 switch also belong to VLAN Sales. The two switches are connected using slot 8, port 4 on system 1 (the BlackDiamond switch), and port 26 on system 2 (the Summit 200-24 switch).

Figure 11: Single port-based VLAN spanning two switches

To create multiple VLANs that span two switches in a port-based VLAN, a port on system 1 must be cabled to a port on system 2 for each VLAN you want to have span across the switches. At least one port on each switch must be a member of the corresponding VLANs, as well.

Figure 12 illustrates two VLANs spanning two switches. On system 1, ports 1 through 8, and port 26 are part of VLAN Accounting; ports 17 through 24, and port 25 are part of VLAN Engineering. On system 2, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of VLAN Engineering.

Figure 12: Two port-based VLANs spanning two switches (VLANs Accounting and Engineering)

VLAN Accounting spans system 1 and system 2 by way of a connection between system 1, port 26 and system 2, slot 1, port 6. VLAN Engineering spans system 1 and system 2 by way of a connection between system 1, port 25, and system 2, slot 8, port 6.

Using this configuration, you can create multiple VLANs that span multiple switches, in a daisy-chained fashion. Each switch must have a dedicated port for each VLAN. Each dedicated port must be connected to a port that is a member of its VLAN on the next switch.

Tagged VLANs

Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the identification number of a specific VLAN, called the VLANid. The Summit 200 series switch supports L2 tagged VLANs.

NOTE The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices, and may also lead to connectivity problems if non-802.1Q bridges or routers are placed in the path.

Uses of Tagged VLANs

Tagging is most commonly used to create VLANs that span switches. The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span multiple switches using one or more trunks. In a port-based VLAN, each VLAN requires its own pair of trunk ports, as shown in Figure 12. Using tags, multiple VLANs can span two switches with a single trunk.

Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This is particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The device must have a NIC that supports 802.1Q tagging.

A single port can be a member of only one port-based VLAN. All additional VLAN membership for the port must be accompanied by tags. In addition to configuring the VLAN tag for the port, the server must have a Network Interface Card (NIC) that supports 802.1Q tagging.

Assigning a VLAN Tag

Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag defined, you decide whether each port will use tagging for that VLAN. The default mode of the switch is to have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1 assigned.

Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of the switch, the switch determines (in real time) if each destination port should use tagged or untagged packet formats for that VLAN. The switch adds and strips tags, as required, by the port configuration for that VLAN.

NOTE Packets arriving tagged with a VLANid that is not configured on a port will be discarded.

Figure 13 illustrates the physical view of a network that uses tagged and untagged traffic.

Figure 13: Physical diagram of tagged and untagged traffic (M = Marketing, S = Sales)

Figure 14 is a logical diagram of the same network.

Figure 14: Logical diagram of tagged and untagged traffic

In Figure 13 and Figure 14:

• The trunk port on each switch carries traffic for both VLAN Marketing and VLAN Sales.
• The trunk port on each switch is tagged.
• The server connected to port 16 on system 1 has a NIC that supports 802.1Q tagging.
• The server connected to port 16 on system 1 is a member of both VLAN Marketing and VLAN Sales.
• All other stations use untagged traffic.

As data passes out of the switch, the switch determines if the destination port requires the frames to be tagged or untagged. All traffic coming from and going to the server is tagged. Traffic coming from and going to the trunk ports is tagged. The traffic that comes from and goes to the other stations on this network is not tagged.

Mixing Port-Based and Tagged VLANs

You can configure the switch using a combination of port-based and tagged VLANs. A given port can be a member of multiple VLANs, with the stipulation that only one of its VLANs uses untagged traffic. In other words, a port can simultaneously be a member of one port-based VLAN and multiple tag-based VLANs.

NOTE For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLANid of zero are treated as untagged.

VLAN Names

Each VLAN is given a name that can be up to 32 characters. VLAN names can use standard alphanumeric characters. The following characters are not permitted in a VLAN name:

• Space
• Comma
• Quotation mark

VLAN names must begin with an alphabetical letter. Quotation marks can be used to enclose a VLAN name that does not begin with an alphabetical character, or that contains a space, comma, or other special character.

VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to that switch. If another switch is connected to it, the VLAN names have no significance to the other switch.

NOTE You should use VLAN names consistently across your entire network.

Default VLAN

The switch ships with one default VLAN that has the following properties:

• The VLAN name is default.
• It contains all the ports on a new or initialized switch.
• The default VLAN is untagged on all ports. It has an internal VLANid of 1.
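The ingress tagging rules stated in this chapter (one untagged VLAN per port, discard of tags not configured on the port, VLANid 0 treated as untagged) can be modelled directly on raw frames. This is an added example, not code from the guide or from ExtremeWare; the PortVlans model, VLANid 110 for Marketing, the constructed frames, and the choice to accept a tagged frame whose VLANid equals the port's untagged VLAN are assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


@dataclass
class PortVlans:
    """VLAN membership of one port (hypothetical model for this example)."""
    untagged: Optional[int] = None             # the single VLAN using untagged traffic
    tagged: set = field(default_factory=set)   # VLANids carried with a tag

    def __post_init__(self):
        for vid in self.tagged | ({self.untagged} - {None}):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLANid {vid} outside 1-4094")


def parse_vlan_tag(frame: bytes) -> Optional[int]:
    """Return the 12-bit VLANid of an 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field


def classify_ingress(frame: bytes, port: PortVlans) -> Optional[int]:
    """Return the VLANid the frame is placed in, or None if it is discarded."""
    vid = parse_vlan_tag(frame)
    if vid is None or vid == 0:
        # Untagged, or tagged with VLANid 0: handled as untagged traffic.
        # A port with no untagged VLAN has nowhere to put it.
        return port.untagged
    # Assumption: "configured on a port" covers tagged and untagged membership.
    if vid in port.tagged or vid == port.untagged:
        return vid
    return None  # tag names a VLAN this port is not a member of


def build_frame(vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Constructed sample frame: dummy MACs, optional 802.1Q tag, IPv4 payload."""
    header = bytes(6) + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + tag + struct.pack("!H", 0x0800) + bytes(46)


# Constructed ports: a tagged trunk for Marketing (110) and Sales (120),
# and an untagged station port in Sales.
TRUNK = PortVlans(tagged={110, 120})
STATION = PortVlans(untagged=120)

if __name__ == "__main__":
    for label, frame in [("untagged", build_frame()),
                         ("tag 0", build_frame(0, pcp=5)),
                         ("tag 110", build_frame(110)),
                         ("tag 300", build_frame(300))]:
        print(label, "trunk ->", classify_ingress(frame, TRUNK),
              "station ->", classify_ingress(frame, STATION))
```

A result of None on a station port for a frame tagged 110 is the behaviour that keeps an end station from placing traffic into a VLAN it was not assigned to.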

Renaming a VLAN

To rename an existing VLAN, use the following command:

config vlan <old_name> name <new_name>

The following rules apply to renaming VLANs:

• Once you change the name of the default VLAN, it cannot be changed back to default.
• You cannot create a new VLAN named default.
• You cannot change the VLAN name MacVlanDiscover. Although the switch accepts a name change, once it is rebooted, the original name is recreated.

Configuring VLANs on the Switch

This section describes the commands associated with setting up VLANs on the switch. Configuring a VLAN involves the following steps:

1 Create and name the VLAN.
2 Assign an IP address and mask (if applicable) to the VLAN, if needed.

NOTE Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP subnet on different VLANs.

3 Assign a VLANid, if any ports in this VLAN will use a tag.
4 Assign one or more ports to the VLAN. As you add each port to the VLAN, decide if the port will use an 802.1Q tag.

VLAN Configuration Commands

Table 28 describes the commands used to configure a VLAN.

Table 28: VLAN Configuration Commands

Command: config vlan <name> add port <portlist> {tagged | untagged} {nobroadcast}
Description: Adds one or more ports to a VLAN. You can specify tagged port(s), untagged port(s). Specify nobroadcast to prevent the switch from forwarding broadcast, multicast, and unknown unicast traffic. By default, ports are untagged.

Command: config vlan <name> delete port <portlist> {tagged | untagged} {nobroadcast}
Description: Deletes one or more ports from a VLAN.

Command: config vlan <name> ipaddress <ipaddress> {<mask>}
Description: Assigns an IP address and an optional mask to the VLAN.

Command: config vlan <name> tag <vlanid>
Description: Assigns a numerical VLANid. The valid range is from 2 to 4094 (1 is used by the default VLAN).

Command: config vlan <old_name> name <new_name>
Description: Renames a previously configured VLAN.

Command: create vlan <name>
Description: Creates a named VLAN.

Command: delete vlan <name>
Description: Removes a VLAN.

Command: unconfig ports <portlist> monitor vlan <name>
Description: Removes port-based VLAN monitoring.

Command: unconfig vlan <name> ipaddress
Description: Resets the IP address of the VLAN.

VLAN Configuration Examples

The following Summit 200 series switch example creates a tag-based VLAN named video. It assigns the VLANid 1000. Ports 4 through 8 are added as tagged ports to the VLAN.

create vlan video
config video tag 1000
config video add port 4-8 tagged

The following Summit 200 series switch example creates a VLAN named sales, with the VLANid 120. The VLAN uses both tagged and untagged ports. Ports 1 through 3 are tagged, and ports 4 and 7 are untagged. Note that when not explicitly specified, ports are added as untagged.

create vlan sales
config sales tag 120
config sales add port 1-3 tagged
config sales add port 4,7

Displaying VLAN Settings

To display VLAN settings, use the following command:

show vlan {<name>} {detail}

The show command displays summary information about each VLAN, which includes:

• Name
• VLANid
• How the VLAN was created
• IP address
• STPD information
• QoS profile information
• Ports assigned
• Tagged/untagged status for each port
• How the ports were added to the VLAN
• Number of VLANs configured on the switch

Use the detail option to display the detailed format.

For example. Upon removal of the configured MAC-to-VLAN endstation. In each room. the user plugs into one of the designated ports on the switch and is mapped to the appropriate VLAN. and the configured MAC-to-VLAN mapped station enters on the repeater. • Partial configurations of the MAC to VLAN database can be downloaded to the switch using the timed download configuration feature. the following configuration allows MAC 00:00:00:00:00:aa to enter into the VLAN only on ports 10 and 11 because of membership in group 100: * Summit48:50 # show mac Port Vlan 10 MacVlanDiscover 11 MacVlanDiscover 12 MacVlanDiscover 13 MacVlanDiscover 14 MacVlanDiscover Total Entries in Database:2 Mac Vlan 00:00:00:00:00:aa sales 00:00:00:00:00:01 sales 2 matching entries Group 100 100 any any any Group 100 any State Discover Discover Discover Discover Discover • The group “any” is equivalent to the group “0”. • Groups are used as a security measure to allow a MAC address to enter into a VLAN only when the group mapping matches the port mapping. MAC-Based VLAN Guidelines When using the MAC-to-VLAN mapping. Connectivity is maintained to the network with all of the benefits of the configured VLAN in terms of QoS. Connecting to a layer-2 repeater device can cause certain addresses to not be mapped to their respective VLAN if they are not correctly configured in the MAC-VLAN configuration database. Ports that are configured as “any” allow any MAC address to be assigned to a VLAN. consider the following guidelines: • A port can only accept connections from an endstation/host and should not be connected to a layer-2 repeater device. If a repeater device is connected to a MAC-Based VLAN port. regardless of group association.MAC-Based VLANs MAC-Based VLANs MAC-Based VLANs allow physical ports to be mapped to a VLAN based on the source MAC address learned in the FDB. Summit 200 Series Switch Installation and User Guide 93 . 
any endstation that is attached to the repeater can be mapped to that VLAN while the configured endstation is active in that VLAN. and protocol support. You can configure the source MAC address-to-VLAN mapping either offline or dynamically on the switch. As an example. This feature allows you to designate a set of ports that have their VLAN membership dynamically determined by the MAC address of the end station that plugs into the physical port. all other endstations lose connectivity. you could use this application for a roaming user who wants to connect to a network from a conference room. routing.

MAC-Based VLAN Limitations

The following list contains the limitations of MAC-based VLANs:

• Ports participating in MAC VLANs must first be removed from any static VLANs.
• The MAC-to-VLAN mapping can only be associated with VLANs that exist on the switch.
• A MAC address cannot be configured to associate with more than 1 VLAN. If this is attempted, the MAC address is associated with the most recent VLAN entry in the MAC-to-VLAN database.
• The feature is intended to support one client per physical port. Once a client MAC address has successfully registered, the VLAN association remains until the port connection is dropped or the FDB entry ages out.
• The MAC-to-VLAN database is stored in memory, only. It is not stored in NVRAM. As a result, the VLAN associations are lost during a reboot and you must perform an incremental download of the MAC-to-VLAN database to recover the VLAN associations.

MAC-Based VLAN Example

In the following example, three VLANs are created: engineering, marketing, and sales. A single MAC address is associated with each VLAN. The MAC address 00:00:00:00:00:01 has a group number of 10 associated with it, and can only be assigned to a VLAN if inserted into ports 16 or 17. The MAC address 00:00:00:00:00:02 has a group number of “any” or “0” associated with it, allowing it to be plugged into any port that is in MacVlanDiscover mode (ports 10-15 in this case). The MAC address 00:00:00:00:00:03 has a group number of 200 associated with it and can only be inserted into ports 18 through 20.

enable mac-vlan mac-group any ports 10-15
enable mac-vlan mac-group 10 ports 16-17
enable mac-vlan mac-group 200 ports 18-20
config mac-vlan add mac-address 00:00:00:00:00:01 mac-group 10 engineering
config mac-vlan add mac-address 00:00:00:00:00:02 mac-group any marketing
config mac-vlan add mac-address 00:00:00:00:00:03 mac-group 200 sales

Timed Configuration Download for MAC-Based VLANs

To allow centralized control of MAC-based VLANs over multiple switches, a timed TFTP configuration download allows you to download incremental configuration files from a primary or secondary server at specified time intervals. The timed downloads are configurable in 24 hour intervals. When a switch reboots, the configuration is automatically downloaded immediately after booting, per the configured primary and secondary servers.

To configure the primary and/or secondary server and file name, use the following command:

config download server [primary | secondary] [<host_name> | <ip_address>] <filename>

To enable timed interval downloads, use the following command:

download configuration every <hour:minute>

To display timed download information, use the following command:

show switch

Example

In relation to MAC-based VLANs, the downloaded file is an ASCII file that consists of CLI commands used to configure the most recent MAC-to-VLAN database. This feature is different from the normal download configuration command in that it allows incremental configuration without the automatic rebooting of the switch.

The following example shows an incremental configuration file for MAC-based VLAN information that updates the database and saves changes:

config mac-vlan add mac-address 00:00:00:00:00:01 mac-group any engineering
config mac-vlan add mac-address 00:00:00:00:ab:02 mac-group any engineering
config mac-vlan add mac-address 00:00:00:00:cd:04 mac-group any sales
.
.
config mac-vlan add mac-address 00:00:00:00:ab:50 mac-group any sales
config mac-vlan add mac-address 00:00:00:00:cd:60 mac-group any sales
save
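The downloaded file is applied as CLI commands, so it is worth checking before it is placed on the download server. The following added example (not part of the guide or of ExtremeWare) lints such a file against the MAC-based VLAN limitations listed in this chapter; the function names, finding codes, the constructed sample file, and the policy that the file may contain only mac-vlan entries and save are assumptions.

```python
import re

# Command form taken from the guide's examples:
#   config mac-vlan add mac-address <mac> mac-group <any|number> <vlan>
ENTRY_RE = re.compile(
    r"config\s+mac-vlan\s+add\s+mac-address\s+(\S+)\s+mac-group\s+(\S+)\s+(\S+)"
)
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")


def parse_group(token):
    """Normalise a mac-group token; the guide states that "any" is group 0."""
    if token.lower() == "any":
        return 0
    if token.isdecimal():
        return int(token)
    return None


def lint_mac_vlan_file(text, existing_vlans):
    """Check an incremental MAC-to-VLAN file before it is published.

    Returns (database, findings). database maps MAC -> (group, vlan) with the
    most recent entry winning, as the guide describes. findings is a list of
    (line_number, code, detail) tuples for a reviewer.
    """
    database = {}
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "save":
            continue
        match = ENTRY_RE.fullmatch(line)
        if match is None:
            # Assumed policy: nothing but MAC-to-VLAN entries belongs here.
            findings.append((number, "unexpected-command", line))
            continue
        mac, group_token, vlan = match.groups()
        mac = mac.lower()  # compare MACs case-insensitively
        if MAC_RE.fullmatch(mac) is None:
            findings.append((number, "bad-mac", mac))
            continue
        group = parse_group(group_token)
        if group is None:
            findings.append((number, "bad-group", group_token))
            continue
        if vlan not in existing_vlans:
            # The mapping can only reference VLANs that exist on the switch.
            findings.append((number, "unknown-vlan", vlan))
            continue
        previous = database.get(mac)
        if previous is not None and previous[1] != vlan:
            # One MAC, two VLANs: the later entry silently replaces the first.
            findings.append(
                (number, "vlan-reassigned", f"{mac}: {previous[1]} -> {vlan}")
            )
        database[mac] = (group, vlan)
    return database, findings


# Constructed sample file and VLAN list, for illustration only.
EXISTING_VLANS = {"engineering", "marketing", "sales"}
SAMPLE = """\
config mac-vlan add mac-address 00:00:00:00:00:01 mac-group any engineering
config mac-vlan add mac-address 00:00:00:00:ab:02 mac-group any engineering
config mac-vlan add mac-address 00:00:00:00:AB:02 mac-group 10 sales
config mac-vlan add mac-address 00:00:00:00:cd:04 mac-group any finance
config mac-vlan add mac-address 00-00-00-00-cd-60 mac-group any sales
config vlan sales add port 5
save
"""

if __name__ == "__main__":
    db, problems = lint_mac_vlan_file(SAMPLE, EXISTING_VLANS)
    for number, code, detail in problems:
        print(f"line {number}: {code}: {detail}")
    for mac, (group, vlan) in sorted(db.items()):
        print(mac, "group", group, "->", vlan)
```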


8 Forwarding Database (FDB)

This chapter describes the following topics:

• Overview of the FDB
• Configuring FDB Entries
• Displaying FDB Entries

Overview of the FDB

The switch maintains a database of all media access control (MAC) addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.

FDB Contents

Each FDB entry consists of the MAC address of the device, an identifier for the port on which it was received, and an identifier for the VLAN to which the device belongs. Frames destined for devices that are not in the FDB are flooded to all members of the VLAN.

FDB Entry Types

The Summit 200 series switch supports up to 8,191 layer 2 FDB entries and 2,047 layer 3 FDB entries. The following are four types of entries in the FDB:

• Dynamic entries—Initially, all entries in the database are dynamic. Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. Dynamic entries are deleted from the database if the switch is reset or a power off/on cycle occurs. For more information about setting the aging time, refer to “Configuring FDB Entries” later in this chapter.
• Nonaging entries—If the aging time is set to zero, all aging entries in the database are defined as static, nonaging entries. This means that they do not age, but they are still deleted if the switch is reset.
• Permanent entries—Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. The system administrator must make entries permanent. A permanent entry can either be a unicast or multicast MAC address. All entries entered by way of the command-line interface are stored as permanent. The Summit 200 series switches support a maximum of 64 permanent entries.
  Once created, permanent entries stay the same as when they were created. For example, the permanent entry store is not updated when any of the following take place:
  — A VLAN is deleted.
  — A VLAN identifier (VLANid) is changed.
  — A port mode is changed (tagged/untagged).
  — A port is deleted from a VLAN.
  — A port is disabled.
  — A port enters blocking state.
  — A port QoS setting is changed.
  — A port goes down (link down).
• Blackhole entries—A blackhole entry configures the switch to discard packets with a specified MAC destination address. Blackhole entries are useful as a security measure or in special circumstances where a specific destination address must be discarded. Blackhole entries are treated like permanent entries in the event of a switch reset or power off/on cycle. Blackhole entries are never aged-out of the database.

How FDB Entries Get Added

Entries are added into the FDB in the following two ways:

• The switch can learn entries. The system updates its FDB with the source MAC address from a packet, the VLAN, and the port identifier on which the source packet is received.
• You can enter and update entries using a MIB browser, an SNMP Network Manager, or the command-line interface (CLI).

Associating a QoS Profile with an FDB Entry

You can associate a QoS profile with a MAC address (and VLAN) of a device that will be dynamically learned. The FDB treats the entry like a dynamic entry (it is learned, it can be aged out of the database, and so on). The switch applies the QoS profile as soon as the FDB entry is learned.

NOTE For more information on QoS, refer to Chapter 12.

Configuring FDB Entries

To configure entries in the FDB, use the commands listed in Table 29.

Table 29: FDB Configuration Commands

Command: clear fdb [{<mac_address> | vlan <name> | ports <portlist>}]
Description: Clears dynamic FDB entries that match the filter. When no options are specified, the command clears all FDB entries.

Command: config fdb agingtime <number>
Description: Configures the FDB aging time. The range is 15 through 1,000,000 seconds. The default value is 300 seconds. A value of 0 indicates that the entry should never be aged out.

Command: create fdbentry <mac_address> vlan <name> blackhole {source-mac | dest-mac | both}
Description: Creates a blackhole FDB entry. Specify:
  • source-mac—The blackhole MAC address matches the ingress source MAC address.
  • dest-mac—The blackhole MAC address matches the egress destination MAC address.
  • both—The blackhole MAC address matches the ingress source MAC address or the egress destination MAC address.

Command: create fdbentry <mac_address> vlan <name> dynamic {{qosprofile <qosprofile> {ingress-qosprofile <qosprofile>}} | {ingress-qosprofile <qosprofile> {qosprofile <qosprofile>}}
Description: Creates a permanent dynamic FDB entry. Assigns a packet with the specified MAC address and VLAN to a specific QoS profile. If you only specify the ingress QoS profile, the egress QoS profile defaults to none, and vice-versa. If both profiles are specified, the source MAC address of an ingress packet and the destination MAC address of an egress packet are examined for QoS profile assignment.

Command: create fdbentry <mac_address> vlan <name> ports [<portlist> | all] {{qosprofile <qosprofile> {ingress-qosprofile <qosprofile>}} | {ingress-qosprofile <qosprofile> {qosprofile <qosprofile>}}
Description: Creates a permanent static FDB entry. Specify the following:
  • mac_address—Device MAC address, using colon separated bytes.
  • name—VLAN associated with MAC address.
  • portlist—Port numbers associated with MAC address.
  • qosprofile—QoS profile associated with destination MAC address of the egress port.
  • ingress-qosprofile—QoS profile associated with the source MAC address of the ingress port.
  If more than one port number is associated with a permanent MAC entry, packets are multicast to the multiple destinations.

Command: delete fdbentry {<mac_address> vlan <name> | all}
Description: Deletes one or all permanent FDB entries.

Command: disable learning port <portlist>
Description: Disables MAC address learning on one or more ports for security purposes. If MAC address learning is disabled, only broadcast traffic, EDP traffic, and packets destined to a permanent MAC address matching that port number, are forwarded. The default setting is enabled.

Command: enable learning port <portlist>
Description: Enables MAC address learning on one or more ports.

FDB Configuration Examples

The following example adds a permanent entry to the FDB:

create fdbentry 00:E0:2B:12:34:56 vlan marketing port 4

The permanent entry has the following characteristics:

• MAC address is 00:E0:2B:12:34:56.
• VLAN name is marketing.
• Port number for this device is 4.

This example associates the QoS profile qp2 with a dynamic entry that will be learned by the FDB:

create fdbentry 00:A0:23:12:34:56 vlan net34 dynamic qosprofile qp2

This entry has the following characteristics:

• MAC address is 00A023123456.
• VLAN name is net34.
• The entry will be learned dynamically.
• QoS profile qp2 will be applied when the entry is learned.

Displaying FDB Entries

To display FDB entries, use the following command:

show fdb {<mac_address> | vlan <name> | ports <portlist> | permanent}

where:

mac_address
    Displays the entry for a particular MAC address.
vlan <name>
    Displays the entries for a VLAN.
ports <portlist>
    Displays the entries for a slot and port combination.
permanent
    Displays all permanent entries, including the ingress and egress QoS profiles.

If you enter this command with no options specified, the command displays all FDB entries.

9 Access Policies

This chapter describes the following topics:
• Overview of Access Policies
• Using Access Control Lists
• Using Routing Access Policies
• Making Changes to a Routing Access Policy
• Removing a Routing Access Policy
• Routing Access Policy Commands

Overview of Access Policies

Access policies are a generalized category of features that impact forwarding and route forwarding decisions. Access policies are used primarily for security and quality of service (QoS) purposes. The three categories of access policies are:
• Access control lists
• Rate limits
• Routing access policies

Access Control Lists

Access control lists are used to perform packet filtering and forwarding decisions on incoming traffic. Each packet arriving on an ingress port is compared to the access list in sequential order and is either forwarded to a specified QoS profile or dropped. These forwarded packets can also be modified by changing the 802.1p value and/or the DiffServ code point. Using access lists has no impact on switch performance.

Rate Limits

Rate limits are almost identical to access control lists. Incoming packets that match a rate limit access control list are allowed as long as they do not exceed a pre-defined rate. Excess packets are either dropped, or modified by resetting their DiffServ code point.

Routing Access Policies

Routing access policies are used to control the advertisement or recognition of routing protocols, such as RIP or OSPF. Routing access policies can be used to ‘hide’ entire networks, or to trust only specific sources for routes or ranges of routes. The capabilities of routing access policies are specific to the type of routing protocol involved, but are sometimes more efficient and easier to implement than access lists.

Using Access Control Lists

Each access control list consists of an access mask that selects which fields of each incoming packet to examine, and a list of values to compare with the values found in the packet. Access masks can be shared by multiple access control lists, using different lists of values to examine packets. The following sections describe how to use access control lists.

Access Masks

There are between twelve and fourteen access masks available in the Summit 200 series switch, depending on which features are enabled on the switch. Each access mask is created with a unique name and defines a list of fields that will be examined by any access control list that uses that mask (and by any rate limit that uses the mask).

An access mask consists of a combination of the following thirteen fields:
• Ethernet destination MAC address
• Ethernet source MAC address
• VLANid
• IP Type of Service (TOS) or DiffServ code point
• Ethertype
• IP protocol
• IP destination address and netmask
• Layer 4 destination port
• IP source address and netmask
• Layer 4 source port, or ICMP type and/or ICMP code
• TCP session initiation bits (permit-established keyword)
• Egress port
• Ingress ports

An access mask can also have an optional, unique precedence number associated with it.

Access Lists

Each entry that makes up an access list contains a unique name and specifies a previously created access mask. The access list also includes a list of values to compare with the incoming packets, and an action to take for packets that match. When you create an access list, you must specify a value for each of the fields that make up the access mask used by the list.

For packets that match a particular access control list, you can specify the following actions:
• Drop—Drop the packets. Matching packets are not forwarded.
• Permit-established—Drop the packet if it would initiate a new TCP session (see “The permit-established Keyword”).
• Permit—Forward the packet. You can send the packet to a particular QoS profile, and modify the packet’s 802.1p value and/or DiffServ code point.

Rate Limits

Each entry that makes up a rate limit contains a unique name and specifies a previously created access mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and an action to take for packets that match. Additionally, a rate limit specifies an action to take when matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify a value for each of the fields that make up the access mask used by the list.

NOTE
Unlike an access list, a rate limit can only be applied to a single port. Each port will have its own rate limit defined separately.

On a 100 Mbps port (100BASE-TX), you can configure the rate limit value in the range from 1 Mbps to 100 Mbps in 1 Mbps increments, which is to say, the rate limit value can be set at 1, 2, 3, 4 … 100 Mbps. On a 1000 Mbps port (Gigabit Ethernet uplink port), you can configure the rate limit value in the range from 8 Mbps to 1000 Mbps in increments of 8 Mbps, which is to say the rate limit value can be set at 8, 16, 24, 32 … 1000 Mbps.

NOTE
The rate limit specified in the command line does not precisely match the actual rate limit imposed by the hardware, due to hardware constraints. See the release notes for the exact values of the actual rate limits, if required for your implementation.

For packets that match a particular list, and arrive at a rate below the limit, you can specify the following action:
• Permit—Forward the packet. You can send the packet to a particular QoS profile, and modify the packet’s 802.1p value and/or DiffServ code point.

For packets that match a particular list and arrive at a rate that exceeds the limit, you can specify the following actions:
• Drop—Drop the packets. Excess packets are not forwarded.
• Permit with rewrite—Forward the packet, but modify the packet’s DiffServ code point.

How Access Control Lists Work

When a packet arrives on an ingress port, the fields of the packet corresponding to an access mask are compared with the values specified by the associated access lists to determine a match.

It is possible that a packet will match more than one access control list. If the resulting actions of all the matches do not conflict, they will all be carried out. If there is a conflict, the actions of the access list using the higher precedence access mask are applied. When a match is found, the packet is processed. If the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is forwarded. A permit access list can also apply a QoS profile to the packet and modify the packet’s 802.1p value and the DiffServ code point.

Access Mask Precedence Numbers

The access mask precedence number determines the order in which each rule is examined by the switch and is optional. Access control list entries are evaluated from highest precedence to lowest precedence. Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence, but an access mask without a precedence specified has a higher precedence than any access mask with a precedence specified. The first access mask defined without a specified precedence has the highest precedence. Subsequent masks without a specified precedence have a lower precedence, and so on.

Specifying a Default Rule

You can specify a default access control list to define the default access to the switch. You should use an access mask with a low precedence for the default rule access control list. If no other access control list entry is satisfied, the default rule is used to determine whether the packet is forwarded or dropped. If no default rule is specified, the default behavior is to forward the packet.

NOTE
If your default rule denies traffic, you should not apply this rule to the Summit 200 series switch port used as a management port.

The following example shows an access control list that is used to specify a default rule to explicitly deny all traffic:

create access-mask ingress_mask ports precedence 25000
create access-list DenyAll ingress_mask ports 2-26 deny

Once the default behavior of the access control list is established, you can create additional entries using precedence numbers.

The following access control list example shows an access control list that will forward traffic from the 10.1.2.x subnet even while the above default rule is in place:

create access-mask ip_src_mask source-ip/24 precedence 1000
create access-list TenOneTwo ip_src_mask source-ip 10.1.2.0/24 permit

The permit-established Keyword

The permit-established keyword is used to directionally control attempts to open a TCP session. Session initiation can be explicitly blocked using this keyword.

NOTE
For an example of using the permit-established keyword, refer to “Using the Permit-Established Keyword”.

The permit-established keyword denies the access control list. Having a permit-established access control list blocks all traffic that matches the TCP source/destination, and has the SYN=1 and ACK=0 flags set.

Adding Access Mask, Access List, and Rate Limit Entries

Entries can be added to the access masks, access lists, and rate limits. To add an entry, you must supply a unique name using the create command, and supply a number of optional parameters (see Table 30 for the full command syntax). For access lists and rate limits, you must specify an access mask to use. To modify an existing entry, you must delete the entry and retype it, or create a new entry with a new unique name.

To add an access mask entry, use the following command:

create access-mask <name> ...

To add an access list entry, use the following command:

create access-list <name> ...

To add a rate limit entry, use the following command:

create rate-limit <name> ...

Maximum Entries

If you try to create an access mask when no more are available, the system will issue a warning message. Three access masks are constantly used by the system, leaving a maximum of 13 user-definable access masks. However, enabling some features causes the system to use additional access masks, reducing the number available.

For each of the following features that you enable, the system will use one access mask. When the feature is disabled, the mask will again be available. The features are:
• RIP
• IGMP or OSPF (both would share a single mask)
• DiffServ examination
• QoS monitor

The maximum number of access lists allowed by the hardware is 254 for each block of eight 10/100 Mbps Ethernet ports and 126 for each Gbps Ethernet port, for a total of 1014 rules (254*3+126*2). Most user-entered access list commands will require multiple rules on the hardware. For example, a global rule (an access control list using an access mask without “ports” defined), will require 5 rules, one for each of the 5 blocks of ports on the hardware.

The maximum number of rate-limiting rules allowed is 315 (63*5). This number is part of the total access control list rules (1014).

Deleting Access Mask, Access List, and Rate Limit Entries

Entries can be deleted from access masks, access lists, and rate limits. An access mask entry cannot be deleted until all the access lists and rate limits that reference it are also deleted.

To delete an access mask entry, use the following command:

delete access-mask <name>

To delete an access list entry, use the following command:

delete access-list <name>

To delete a rate limit entry, use the following command:

delete rate-limit <name>

Verifying Access Control List Configurations

To verify access control list settings, you can view the access list configuration.

To view the access list configuration use the following command:

show access-list {name | ports <portlist>}

To view the rate limit configuration use the following command:

show rate-limit {name | ports <portlist>}

To view the access mask configuration use the following command:

show access-mask {name}

Access Control List Commands

Table 30 describes the commands used to configure access control lists.

NOTE
On the Summit 200-48 switch, ACL ingress and egress ports must belong to the same port group. Port group 1 consists of ports 1 through 24 and port 49, port group 2 consists of ports 25 through 48 and port 50.

Table 30: Access Control List Configuration Commands

Command
create access-list <name> access-mask <access-mask name> {dest-mac <dest_mac>} {source-mac <src_mac>} {vlan <name>} {ethertype [IP | ARP | <hex_value>]} {tos <ip_precedence> | code-point <code_point>} {ipprotocol [tcp|udp|icmp|igmp|<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>} {source-ip <src_IP>/<mask length>} {source-L4port <src_port> | {icmp-type <icmp_type>} {icmp-code <icmp_code>}} {egressport <port>} {ports <portlist>} [permit {qosprofile <qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>} | permit-established | deny]

Description
Creates an access list. The list is applied to all ingress packets. Options include:
• <name>—Specifies the access control list name. The access list name can be between 1 and 31 characters.
• access-mask—Specifies the associated access mask. Any field specified in the access mask must have a corresponding value specified in the access list.
• dest-mac—Specifies the destination MAC address.
• source-mac—Specifies the source MAC address.
• vlan—Specifies the VLANid.
• ethertype—Specify IP, ARP, or the hex value to match.
• tos—Specifies the IP precedence value.
• code-point—Specifies the DiffServ code point value.
• ipprotocol—Specify an IP protocol, or the protocol number
• dest-ip—Specifies an IP destination address and subnet mask. A mask length of 32 indicates a host entry.
• dest-L4port—Specify the destination port.
• source-ip—Specifies an IP source address and subnet mask.
• source-L4port—Specify the source port.
• icmp-type—Specify the ICMP type.
• icmp-code—Specify the ICMP code.
• egressport—Specify the egress port
• ports—Specifies the ingress port(s) on which this rule is applied.
• permit—Specifies the packets that match the access list description are permitted to be forwarded by this switch. An optional QoS profile can be assigned to the access list, so that the switch can prioritize packets accordingly.
• set—Modify the DiffServ code point and/or the 802.1p value for matching packets.
• permit-established—Specifies a uni-directional session establishment is denied.
• deny—Specifies the packets that match the access list description are filtered (dropped) by the switch.

Command
create access-mask <access-mask name> {dest-mac} {source-mac} {vlan} {ethertype} {tos | code-point} {ipprotocol} {dest-ip /<mask length>} {dest-L4port} {source-ip /<mask length>} {source-L4port | {icmp-type} {icmp-code}} {permit-established} {egressport} {ports} {precedence <number>}

Description
Creates an access mask. The mask specifies which packet fields to examine. Options include:
• <access-mask name>—Specifies the access mask name. The access mask name can be between 1 and 31 characters.
• dest-mac—Specifies the destination MAC address field.
• source-mac—Specifies the source MAC address field.
• vlan—Specifies the VLANid field.
• ethertype—Specifies the Ethertype field.
• tos—Specifies the IP precedence field.
• code-point—Specifies the DiffServ code point field.
• ipprotocol—Specifies the IP protocol field.
• dest-ip—Specifies the IP destination field and subnet mask. You must supply the subnet mask.
• dest-L4port—Specifies the destination port field.
• source-ip—Specifies the IP source address field and subnet mask. You must supply the subnet mask.
• source-L4port—Specifies the source port field.
• icmp-type—Specify the ICMP type field.
• icmp-code—Specify the ICMP code field.
• permit-established—Specifies the TCP SYN/ACK bit fields.
• egressport—Specify the egress port
• ports—Specifies the ingress port(s) on which this rule is applied.
• precedence—Specifies the access mask precedence number. The range is 1 to 25,600.

Command
create rate-limit <rule_name> access-mask <access-mask name> {dest-mac <dest_mac>} {source-mac <src_mac>} {vlan <name>} {ethertype [IP | ARP | <hex_value>]} {tos <ip_precedence> | code-point <code_point>} {ipprotocol [tcp|udp|icmp|igmp|<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>} {source-ip <src_IP>/<mask length>} {source-L4port <src_port> | {icmp-type <icmp_type>} {icmp-code <icmp_code>}} {egressport <port>} {port <port number>} permit {qosprofile <qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>} limit <rate_in_Mbps> {exceed-action [drop | set code-point <code_point>]}

Description
Creates a rate limit. The rule is applied to all ingress packets. Options include:
• <rule_name>—Specifies the rate limit name, from 1 to 31 characters.
• access-mask—Specifies the associated access mask. Any field specified in the access mask must have a corresponding value specified in the rate limit.
• dest-mac—Specifies the destination MAC address.
• source-mac—Specifies the source MAC address.
• vlan—Specifies the VLANid.
• ethertype—Specify IP, ARP, or the hex value to match.
• tos—Specifies the IP precedence value.
• code-point—Specifies the DiffServ code point value.
• ipprotocol—Specify an IP protocol, or the protocol number
• dest-ip—Specifies the IP destination address and subnet mask. A mask length of 32 indicates a host entry.
• dest-L4port—Specify the destination port.
• source-ip—Specifies the IP source address and subnet mask.
• source-L4port—Specify the source port.
• icmp-type—Specify the ICMP type.
• icmp-code—Specify the ICMP code.
• egressport—Specify the egress port
• port—Specifies the ingress port to which this rule is applied.
• permit—Specifies the packets that match the access list description are permitted to be forwarded by this switch. An optional QoS profile can be assigned to the access list, so that the switch can prioritize packets accordingly.
• set—Modify the DiffServ code point or the 802.1p value for matching, forwarded, packets.
• limit—Specifies the rate limit
• <rate_in_Mbps>—The rate limit. For 100 Mbps ports, specify a value from 1 to 100 Mbps in 1 Mbps increments. For 1000 Mbps ports, specify a value from 8 to 1000 Mbps in increments of 8 Mbps.
• exceed-action—Action to take for matching packets that exceed the rate.

Command
delete access-list <name>

Description
Deletes an access list.

Command
delete access-mask <name>

Description
Deletes an access mask. Any access lists or rate limits that reference this mask must first be deleted.

Command
delete rate-limit <name>

Description
Deletes a rate limit.

Command
show access-list {<name> | ports <portlist>}

Description
Displays access-list information.

Command
show access-mask {<name>}

Description
Displays access-list information.

Command
show rate-limit {<name> | ports <portlist>}

Description
Displays access-list information.

Access Control List Examples

This section presents three access control list examples:
• Using the permit-established keyword
• Filtering ICMP packets
• Using a rate limit

Using the Permit-Established Keyword

This example uses an access list that permits TCP sessions (Telnet, FTP, and HTTP) to be established in one direction.

The switch, shown in Figure 15, is configured as follows:
• Two VLANs, NET10 VLAN and NET20 VLAN, are defined.
• The NET10 VLAN is connected to port 2 and the NET20 VLAN is connected to port 10
• The IP address for NET10 VLAN is 10.10.10.1/24.
• The IP address for NET20 VLAN is 10.10.20.1/24.
• The workstations are configured using addresses 10.10.10.100 and 10.10.20.100.
• IPForwarding is enabled.

Figure 15: Permit-established access list example topology

The following sections describe the steps used to configure the example.

Step 1—Deny IP Traffic.

First, create an access-mask that examines the IP protocol field for each packet. Then create two access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP, it is technically not an IP data packet. Thus, ICMP data traffic, such as ping traffic, is not affected.

The following commands create the access mask and access lists:

create access-mask ipproto_mask ipprotocol ports precedence 25000
create access-list denytcp ipproto_mask ipprotocol tcp ports 2,10 deny
create access-list denyudp ipproto_mask ipprotocol udp ports 2,10 deny

Figure 16 illustrates the outcome of the access control list.

Figure 16: Access control list denies all TCP and UDP traffic

Step 2—Allow TCP traffic.

The next set of access list commands permits TCP-based traffic to flow. Because each session is bi-directional, an access list must be defined for each direction of the traffic flow. UDP traffic is still blocked.

The following commands create the access control list:

create access-mask ip_addr_mask ipprotocol dest-ip/32 source-ip/32 ports precedence 20000
create access-list tcp1_2 ip_addr_mask ipprotocol tcp dest-ip 10.10.20.100/32 source-ip 10.10.10.100/32 ports 2 permit qp1
create access-list tcp2_1 ip_addr_mask ipprotocol tcp dest-ip 10.10.10.100/32 source-ip 10.10.20.100/32 ports 10 permit qp1

Figure 17 illustrates the outcome of this access list.

Figure 17: Access list allows TCP traffic

Step 3 - Permit-Established Access List.

When a TCP session begins, there is a three-way handshake that includes a sequence of a SYN, SYN/ACK, and ACK packets. Figure 18 shows an illustration of the handshake that occurs when host A initiates a TCP session to host B. After this sequence, actual data can be passed.

Figure 18: Host A initiates a TCP session to host B

An access list that uses the permit-established keyword filters the SYN packet in one direction.

Use the permit-established keyword to allow only host A to be able to establish a TCP session to host B and to prevent any TCP sessions from being initiated by host B, as illustrated in Figure 18. The commands for this access control list are as follows:

create access-mask tcp_connection_mask ipprotocol dest-ip/32 dest-L4port permit-established ports precedence 1000
create access-list telnet-deny tcp_connection_mask ipprotocol tcp dest-ip 10.10.10.100/32 dest-L4port 23 ports 10 permit-established

NOTE
This step may not be intuitive. Pay attention to the destination and source address, the ingress port that the rule is applied to, and the desired effect.

NOTE
This rule has a higher precedence than the rule “tcp2_1” and “tcp1_2”.

Figure 19 shows the final outcome of this access list.
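The three steps above can be checked offline before they are typed into a switch. The following Python model is an added example, not code from the guide or from Extreme Networks: it encodes the five access lists from Steps 1 to 3 and resolves overlapping matches by the precedence of the access mask. The class names, the sample packets and the simplification that only the forward/drop decision is modelled (QoS profile assignment is ignored) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_port: int
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class AccessList:
    name: str
    precedence: int            # precedence of the access mask used; 1 is highest
    action: str                # "permit", "deny" or "permit-established"
    ports: Tuple[int, ...]     # ingress ports the list is applied to
    proto: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.ingress_port not in self.ports or p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.action == "permit-established":
            # Only a session-initiating segment (SYN=1, ACK=0) is caught.
            return p.syn and not p.ack
        return True


A, B = "10.10.10.100", "10.10.20.100"   # host on NET10 (port 2), host on NET20 (port 10)

RULES = [
    AccessList("denytcp", 25000, "deny", (2, 10), "tcp"),
    AccessList("denyudp", 25000, "deny", (2, 10), "udp"),
    AccessList("tcp1_2", 20000, "permit", (2,), "tcp", src=A + "/32", dst=B + "/32"),
    AccessList("tcp2_1", 20000, "permit", (10,), "tcp", src=B + "/32", dst=A + "/32"),
    AccessList("telnet-deny", 1000, "permit-established", (10,), "tcp",
               dst=A + "/32", dport=23),
]


def decide(p: Packet, rules=RULES):
    """Return (verdict, deciding list); with no match the switch forwards."""
    hits = [r for r in rules if r.matches(p)]
    if not hits:
        return ("forward", None)
    winner = min(hits, key=lambda r: r.precedence)   # lowest number wins a conflict
    return ("forward" if winner.action == "permit" else "drop", winner.name)


def audit():
    """Run constructed sample packets through the rule set."""
    cases = {
        "A->B SYN to 23": Packet(2, "tcp", A, B, 23, syn=True),
        "B->A SYN/ACK reply": Packet(10, "tcp", B, A, 1025, syn=True, ack=True),
        "B->A SYN to 23": Packet(10, "tcp", B, A, 23, syn=True),
        "B->A ACK to 23": Packet(10, "tcp", B, A, 23, ack=True),
        "B->A SYN to 80": Packet(10, "tcp", B, A, 80, syn=True),
        "A->B UDP": Packet(2, "udp", A, B, 53),
        "A->B ICMP": Packet(2, "icmp", A, B),
        "other host TCP": Packet(2, "tcp", "10.10.10.50", B, 23, syn=True),
    }
    return {label: decide(p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, (verdict, rule) in audit().items():
        print(f"{label:20s} {verdict:8s} {rule}")
```

In this model a SYN from host B to a destination port other than 23 is still forwarded by tcp2_1, because telnet-deny lists only dest-L4port 23.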

Figure 19: Permit-established access list filters out SYN packet to destination

Example 2: Filter ICMP Packets

This example creates an access list that filters out ping (ICMP echo) packets. ICMP echo packets are defined as type 8 code 0.

The commands to create this access control list are as follows:

create access-mask icmp_mask ipprotocol icmp-type icmp-code
create access-list denyping icmp_mask ipprotocol icmp icmp-type 8 icmp-code 0 deny

The output for this access list is shown in Figure 20.

Figure 20: ICMP packets are filtered out

Example 3: Rate-limiting Packets

This example creates a rate limit to limit the incoming traffic from the 10.10.10.x subnet to 10 Mbps on ingress port 2. Ingress traffic on port 2 below the rate limit is sent to QoS profile qp1 with its DiffServ code point set to 7. Ingress traffic on port 2 in excess of the rate limit will be dropped.

The commands to create this rate limit are as follows:

create access-mask port2_mask source-ip/24 ports precedence 100
create rate-limit port2_limit port2_mask source-ip 10.10.10.0/24 port 2 permit qp1 set code-point 7 limit 10 exceed-action drop

Using Routing Access Policies

To use routing access policies, you must perform the following steps:
1 Create an access profile.
2 Configure the access profile to be of type permit, deny, or none.
3 Add entries to the access profile. Entries are IP addresses and subnet masks
4 Apply the access profile.

Creating an Access Profile

The first thing to do when using routing access policies is to create an access profile. An access profile has a unique name and contains a list of IP addresses and associated subnet masks.

You must give the access profile a unique name (in the same manner as naming a VLAN, protocol filter, or Spanning Tree Domain). To create an access profile, use the following command:

create access-profile <access_profile> type ipaddress

Configuring an Access Profile Mode

After the access profile is created, you must configure the access profile mode. The access profile mode determines whether the items in the list are to be permitted access or denied access.

Three modes are available:
• Permit—The permit access profile mode permits the operation, as long as it matches any entry in the access profile. If the operation does not match any entries in the list, the operation is denied.
• Deny—The deny access profile mode denies the operation, as long as it matches any entry in the access profile. If it does not match all specified entries in the list, the operation is permitted.
• None—Using the none mode, the access profile can contain a combination of permit and deny entries. Each entry must have a permit or deny attribute. The operation is compared with each entry in the list. Once a match is found, the operation is either permitted or denied, depending on the configuration of the matched entry. If no match is found, the operation is implicitly denied.

To configure the access profile mode, use the following command:

config access-profile <access_profile> mode [permit | deny | none]

Adding an Access Profile Entry

Next, configure the access profile, using the following command:

config access-profile <access_profile> add {<seq_number>} {permit | deny} [ipaddress <ipaddress> <mask> {exact}]

The following sections describe the config access-profile add command.

Specifying Subnet Masks

The subnet mask specified in the access profile command is interpreted as a reverse mask. A reverse mask indicates the bits that are significant in the IP address. In other words, a reverse mask specifies the part of the address that must match the IP address to which the profile is applied.

If you configure an IP address that is an exact match that is specifically denied or permitted, use a mask of /32 (for example, 141.251.24.28/32). If the IP address represents all addresses in a subnet address that you want to deny or permit, then configure the mask to cover only the subnet portion (for example, 141.251.10.0/24). The keyword exact can be used when you wish to match only against the subnet address, and ignore all addresses within the subnet.

If you are using off-byte boundary subnet masking, the same logic applies, but the configuration is more tricky. For example, the address 141.251.24.128/27 represents any host from subnet 141.251.24.128.

Sequence Numbering

You can specify the sequence number for each access profile entry. If you do not specify a sequence number, entries are sequenced in the order they are added. Each entry is assigned a value of 5 more than the sequence number of the last entry.

Permit and Deny Entries

If you have configured the access profile mode to be none, you must specify each entry type as either ‘permit’ or ‘deny’. If you do not specify the entry type, it is added as a permit entry. If you have configured the access profile mode to be permit or deny, it is not necessary to specify a type for each entry.

Deleting an Access Profile Entry

To delete an access profile entry, use the following command:

config access-profile <access_profile> delete <seq_number>

Applying Access Profiles

Once the access profile is defined, apply it to one or more routing protocols or VLANs. When an access profile is applied to a protocol function (for example, the export of RIP routes) or a VLAN, this forms an access policy. A profile can be used by multiple routing protocol functions or VLANs, but a protocol function or VLAN can use only one access profile.

Routing Access Policies for RIP

If you are using the RIP protocol, the switch can be configured to use an access profile to determine:
• Trusted Neighbor—Use an access profile to determine trusted RIP router neighbors for the VLAN on the switch running RIP. To configure a trusted neighbor policy, use the following command:

config rip vlan [<name> | all] trusted-gateway [<access_profile> | none]

• Import Filter—Use an access profile to determine which RIP routes are accepted as valid routes. This policy can be combined with the trusted neighbor policy to accept selected routes only from a set of trusted neighbors. To configure an import filter policy, use the following command:

config rip vlan [<name> | all] import-filter [<access_profile> | none]

• Export Filter—Use an access profile to determine which RIP routes are advertised into a particular VLAN, using the following command:

config rip vlan [<name> | all] export-filter [<access_profile> | none]

Examples

In the example shown in Figure 21, a switch is configured with two VLANs, Engsvrs and Backbone. The RIP protocol is used to communicate with other routers on the network. The administrator wants to allow all internal access to the VLANs on the switch, but no access to the router that connects to the Internet. The remote router that connects to the Internet has a local interface connected to the corporate backbone. The IP address of the local interface connected to the corporate backbone is 10.0.0.10/24.

Figure 21: RIP access policy example

Assuming the backbone VLAN interconnects all the routers in the company (and, therefore, the Internet router does not have the best routes for other local subnets), the commands to build the access policy for the switch would be:

create access-profile nointernet ipaddress
config access-profile nointernet mode deny
config access-profile nointernet add 10.0.0.10/32
config rip vlan backbone trusted-gateway nointernet

In addition, if the administrator wants to restrict any user belonging to the VLAN Engsvrs from reaching the VLAN Sales (IP address 10.2.1.0/24), the additional access policy commands to build the access policy would be:

create access-profile nosales ipaddress
config access-profile nosales mode deny
config access-profile nosales add 10.2.1.0/24
config rip vlan backbone import-filter nosales

This configuration results in the switch having no route back to the VLAN Sales.

Routing Access Policies for OSPF

Because OSPF is a link-state protocol, the access policies associated with OSPF are different in nature than those associated with RIP. Access policies for OSPF are intended to extend the existing filtering and security capabilities of OSPF (for example, link authentication and the use of IP address ranges). If you are using the OSPF protocol, the switch can be configured to use an access profile to determine any of the following:
• Inter-area Filter—For switches configured to support multiple OSPF areas (an ABR function), an access profile can be applied to an OSPF area that filters a set of OSPF inter-area routes from being sourced from any other areas. To configure an inter-area filter policy, use the following command:

config ospf area <area_id> interarea-filter [<access_profile> | none]

• External Filter—For switches configured to support multiple OSPF areas (an ABR function), an access profile can be applied to an OSPF area that filters a set of OSPF external routes from being advertised into that area. To configure an external filter policy, use the following command:

config ospf area <area_id> external-filter [<access_profile> | none]

NOTE
If any of the external routes specified in the filter have already been advertised, those routes will remain until the associated LSAs in that area time-out.

• ASBR Filter—For switches configured to support RIP and static route re-distribution into OSPF, an access profile can be used to limit the routes that are advertised into OSPF for the switch as a whole. To configure an ASBR filter policy, use the following command:

config ospf asbr-filter [<access_profile> | none]

• Direct Filter—For switches configured to support direct route re-distribution into OSPF, an access profile can be used to limit the routes that are advertised into OSPF for the switch as a whole. To configure a direct filter policy, use the following command:

config ospf direct-filter [<access_profile> | none]

Example

Figure 22 illustrates an OSPF network that is similar to the network used previously in the RIP example. In this example, access to the Internet is accomplished by using the ASBR function on the switch labeled Internet. As a result, all routes to the Internet will be done through external routes. Suppose the network administrator wishes to only allow access to certain internet addresses falling within the range 192.1.1.0/24 to the internal backbone.

Figure 22: OSPF access policy example

To configure the switch labeled Internet, the commands would be as follows:

    create access-profile okinternet ipaddress
    config access-profile okinternet mode permit
    config access-profile okinternet add 192.1.1.0/24
    config ospf asbr-filter okinternet

Making Changes to a Routing Access Policy

You can change the routing access policy by changing the associated access profile. However, the propagation of the change depends on the protocol and policy involved. Propagation of changes applied to RIP access policies depends on the protocol timer to age-out entries.

NOTE: Changes to profiles applied to OSPF typically require rebooting the switch, or disabling and re-enabling OSPF on the switch.

Removing a Routing Access Policy

To remove a routing access policy, you must remove the access profile from the routing protocol or VLAN. All the commands that apply an access profile to form an access policy also have the option of choosing none as the access profile. Using the none option removes any access profile of that particular type from the protocol or VLAN, and, therefore, removes the access policy.

Routing Access Policy Commands

Table 31 describes the commands used to configure routing access policies.

Table 31: Routing Access Policy Configuration Commands

config access-profile <access_profile> add {<seq_number>} {permit | deny} [ipaddress <ipaddress> <mask> {exact}]
    Adds an entry to the access profile. The explicit sequence number, and permit or deny attribute should be specified if the access profile mode is none. Specify one of the following:
    • <seq-number>—The order of the entry within the access profile. If no sequence number is specified, the new entry is added to the end of the access-profile and is automatically assigned a value of 5 more than the sequence number of the last entry.
    • {permit | deny}—Per-entry permit or deny specification. The per-entry attribute only takes effect if the access-profile mode is none. Otherwise, the overall access profile type takes precedence.
    • <ipaddress> <mask>—An IP address and mask. If the attribute “exact” is specified for an entry, then an exact match with address and mask is performed, subnets within the address range do not match entry against entry.

config access-profile <access_profile> delete <seq_number>
    Deletes an access profile entry using the sequence number.

config access-profile <access_profile> mode [permit | deny | none]
    Configures the access profile to be one of the following:
    • permit—Allows the addresses that match the access profile description.
    • deny—Denies the addresses that match the access profile description.
    • none—Permits and denies access on a per-entry basis. Each entry must be added to the profile as either type permit or deny.
    The default setting is permit.

config ospf area <area_id> external-filter [<access_profile> | none]
    Configures the router to use the access policy to determine which external routes are allowed to be exported into the area. This router must be an ABR.

config ospf area <area_id> interarea-filter [<access_profile> | none]
    Configures the router to use the access policy to determine which inter-area routes are allowed to be exported into the area. This router must be an ABR.

config ospf asbr-filter [<access_profile> | none]
    Configures the router to use the access policy to limit the routes that are advertised into OSPF for the switch as a whole for switches configured to support RIP and static route re-distribution into OSPF.

Table 31: Routing Access Policy Configuration Commands (continued)

config ospf direct-filter [<access_profile> | none]
    Configures the router to use the access policy to limit the routes that are advertised into OSPF for the switch as a whole for switches configured to support direct route re-distribution into OSPF.

config rip vlan [<name> | all ] export-filter [<access-profile> | none]
    Configures RIP to suppress certain routes when performing route advertisements.

config rip vlan [<name> | all] import-filter [<access_profile> | none]
    Configures RIP to ignore certain routes received from its neighbor.

config rip vlan [<name> | all] trusted-gateway [<access_profile> | none]
    Configures RIP to use the access list to determine which RIP neighbor to receive (or reject) the routes.

create access-profile <access_profile> type [ipaddress]
    Creates an access profile. Once the access profile is created, one or more addresses can be added to it, and the profile can be used to control a specific routing protocol. Specify the following:
    • ipaddress—A list of IP address and mask pairs.

delete access-profile <access_profile>
    Deletes an access profile.

show access-profile <access_profile>
    Displays access-profile related information for the switch.
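The following Python model is an added example, not ExtremeWare code. It evaluates an access profile the way Table 31 describes (profile mode, sequence numbers assigned in steps of 5, per-entry permit/deny in mode none, and the exact attribute) against the nointernet and nosales examples, with constructed sample routes. The names AccessProfile and apply_filter are hypothetical, and two behaviours are assumptions: the first auto-assigned sequence number is 5, and a route that matches no entry is denied in mode none.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    seq: int
    net: ipaddress.IPv4Network
    action: Optional[str]      # per-entry permit/deny, honoured only in mode "none"
    exact: bool = False


@dataclass
class AccessProfile:
    name: str
    mode: str = "permit"       # Table 31: the default mode is permit
    entries: List[Entry] = field(default_factory=list)

    def add(self, prefix, action=None, seq=None, exact=False):
        if self.mode == "none" and action not in ("permit", "deny"):
            raise ValueError("mode none needs permit or deny on every entry")
        if seq is None:
            # Table 31: 5 more than the last entry. Starting at 5 is an assumption.
            seq = max((e.seq for e in self.entries), default=0) + 5
        self.entries.append(Entry(seq, ipaddress.ip_network(prefix), action, exact))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def permits(self, prefix):
        route = ipaddress.ip_network(prefix)
        for e in self.entries:
            # "exact" requires the same address and mask; otherwise any subnet
            # inside the entry's range matches.
            hit = (route == e.net) if e.exact else route.subnet_of(e.net)
            if not hit:
                continue
            if self.mode == "none":
                return e.action == "permit"
            return self.mode == "permit"
        # No entry matched: a deny profile lets the route through, a permit
        # profile does not. Denying in mode none is an assumption.
        return self.mode == "deny"


def apply_filter(profile, prefixes):
    """Model of import-filter / trusted-gateway: keep what the profile permits."""
    if profile is None:                       # the "none" option: no policy
        return list(prefixes)
    return [p for p in prefixes if profile.permits(p)]


def page_examples():
    nointernet = AccessProfile("nointernet", mode="deny")
    nointernet.add("10.0.0.10/32")
    nosales = AccessProfile("nosales", mode="deny")
    nosales.add("10.2.1.0/24")
    # Constructed inputs: two RIP neighbours and three advertised routes.
    gateways = apply_filter(nointernet, ["10.0.0.10", "10.0.0.11"])
    routes = apply_filter(nosales, ["10.1.1.0/24", "10.2.1.0/24", "10.2.1.128/25"])
    return gateways, routes


def exact_pitfall():
    # An "exact" deny covers only that address and mask, so a more specific
    # subnet falls through to the broader permit entry that follows it.
    p = AccessProfile("mixed", mode="none")
    p.add("10.2.0.0/16", action="deny", exact=True)
    p.add("10.0.0.0/8", action="permit")
    return p, apply_filter(p, ["10.2.0.0/16", "10.2.1.0/24", "172.16.0.0/12"])


if __name__ == "__main__":
    print(page_examples())
    print(exact_pitfall()[1])
```

When reviewing a profile in mode none, check every deny entry marked exact: longer prefixes inside that range are not covered by it.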

10 Network Address Translation (NAT)

This chapter covers the following topics:
• Overview
• Internet IP Addressing
• Configuring VLANs for NAT
• Configuring NAT
• Configuring NAT Rules
• Creating NAT Rules
• Displaying NAT Settings
• Disabling NAT

Overview

NAT is a feature that allows one set of IP addresses, typically private IP addresses, to be converted to another set of IP addresses, typically public Internet IP addresses. This conversion is done transparently by having a NAT device rewrite the source IP address and Layer 4 port of the packets.

Figure 23: NAT Overview

You can configure NAT to conserve IP address space by mapping a large number of inside (private) addresses to a much smaller number of outside (public) addresses.

In implementing NAT, you must configure at least two separate VLANs involved. One VLAN is configured as inside, and corresponds to the private IP addresses you would like to translate into other IP addresses. The other type of VLAN is configured as outside, which corresponds to the public (probably Internet) IP addresses you want the inside addresses translated to. The mappings between inside and outside IP addresses are done via rules that specify the IP subnets involved and the algorithms used to translate the addresses.

NOTE: The NAT modes in ExtremeWare support translating traffic initiating only from inside addresses.

NAT rules are associated with a single outside VLAN. Multiple rules per outside VLAN are allowed. The rules take effect in the order they are displayed using the show command. Any number of inside VLANs can use a single outside VLAN, assuming that you have created proper rules. Similarly, a single inside VLAN can use any number of different outside VLANs, assuming that the rules and routing are set up properly.

Both TCP and UDP have Layer 4 port numbers ranging from 1 to 65535. These Layer 4 ports, in combination with the IP addresses, form a unique identifier which allows hosts (as well as the NAT switch) to distinguish between separate conversations. NAT operates by replacing the inside IP packet’s source IP and Layer 4 port with an outside IP and Layer 4 port. The NAT switch maintains a connection table to map the return packets on the outside VLAN back into their corresponding inside sessions.

Internet IP Addressing

When implementing NAT in an Internet environment, it is strongly recommended that you use one of the reserved private IP address ranges for your inside IP addresses. These ranges have been reserved specifically for networks not directly attached to the Internet. Using IP addresses within these ranges prevents addressing conflicts with public Internet sites to which you want to connect. The ranges are as follows:
• 10.0.0.0/8—Reserved Class A private address space
• 172.16.0.0/12—Reserved Class B private address space
• 192.168.0.0/16—Reserved Class C private address space

Configuring VLANs for NAT

You must configure each VLAN participating in NAT as either an inside or outside VLAN. To configure a VLAN as an inside or outside VLAN, use the following command:

    config nat vlan <name> [inside | outside | none]

When a VLAN is configured to be inside, traffic from that VLAN destined for an outside VLAN is translated only if it has a matching NAT rule. Any unmatched traffic will be routed normally and not be translated. Because all traffic destined for an outside VLAN runs through the central processing unit (CPU), it cannot run at line-rate.

When a VLAN is configured to be outside, it routes all traffic destined for inside VLANs. Because the routed traffic runs through the CPU, it cannot run at line-rate.

When a VLAN is configured to be none, all NAT functions are disabled and the VLAN operates normally.

NAT Modes

There are four different modes used to determine how the outside IP addresses and Layer 4 ports are assigned.
• Static mapping
• Dynamic mapping
• Port-mapping
• Auto-constraining

Static Mapping

When static mapping is used, each inside IP address uses a single outside IP address. The Layer 4 ports are not changed, only the IP address is rewritten. Because this mode requires a 1-to-1 mapping of internal to external addresses, it does not make efficient use of the external address space. But it is useful when you have a small number of hosts that need to have their IP addresses rewritten without conflicting with other hosts. Because this mode does not rely on Layer 4 ports, ICMP traffic is translated and allowed to pass.

Dynamic Mapping

Dynamic mapping is similar to static mapping in that the Layer 4 ports are not rewritten during translation. Dynamic mapping is different in that the number of inside hosts can be greater than the number of outside hosts. The outside IP addresses are allocated on a first-come, first-serve basis to the inside IP addresses. When the last session for a specific inside IP address closes, that outside IP address can be used by other hosts. Because this mode does not rely on Layer 4 ports, ICMP traffic is translated and allowed to pass.

Port-mapping

Port-mapping gives you the most efficient use of the external address space. As each new connection is initiated from the inside, the NAT device picks the next available source Layer 4 port on the first available outside IP address. When all ports on a given IP address are in use, the NAT device uses ports off of the next outside IP address. Some systems reserve certain port ranges for specific types of traffic, so it is possible to map specific source Layer 4 port ranges on the inside to specific outside source ranges. However, this may cause a small performance penalty. In this case, you would need to make several rules using the same inside and outside IP addresses, one for each Layer 4 port range. ICMP traffic is not translated in this mode. You must add a dynamic NAT rule for the same IP address range to allow for ICMP traffic.

Auto-constraining

The auto-constraining algorithm for port-mapping limits the number of outside Layer 4 ports a single inside host can use simultaneously. The limitation is based on the ratio of inside to outside IP addresses. The outside IP address and Layer 4 port space is evenly distributed to all possible inside hosts. This guarantees that no single inside host can prevent other traffic from flowing through the NAT device.

Because of the large number of simultaneous requests that can be made from a web browser, it is not recommended that this mode be used when a large number of inside hosts are being translated to a small number of outside IP addresses. ICMP traffic is not translated in this mode. You must add a dynamic NAT rule for the same IP address range to allow for ICMP traffic.

Configuring NAT

The behavior of NAT is determined by the rules you create to translate the IP addresses. You must attach each rule to a specific VLAN. All rules are processed in order. The options specified on the NAT rule determine the algorithm used to translate the inside IP addresses to the outside IP addresses. For outgoing (inside to outside) packets, the first rule to match is processed. All following rules are ignored. All return packets must arrive on the same outside VLAN on which the session went out. For most configurations, make sure that the outside IP addresses specified in the rule are part of the outside VLAN’s subnet range, so that the switch can proxy the address resolution protocol (ARP) for those addresses.

To enable NAT functionality, use the following command:

    enable nat

Configuring NAT Rules

To configure NAT rules, use the commands listed in Table 32.

Table 32: NAT Configuration Commands

config nat add vlan <outside_vlan> map source [any | <ipaddress> [/<bits>| <netmask>]] {l4-port [any | <number> {- <number>}]} {destination <ipaddress>/<mask> {l4-port [any | <number> {- <number>}]}} to <ipaddress> [/<mask> | <netmask> | - <ipaddress>] {[tcp | udp | both] [portmap {<min> - <max>} | auto-constrain]}
    Adds a NAT translation rule that translates private IP addresses to public IP addresses on the outside VLAN. The first IP address specifies private side IP addresses and the second IP address specifies the public side IP address. Use portmap to specify port translations and specify either TCP or UDP port translation, or both. The range of number is 1 to 65535. The default setting for min is 1024. The default setting for max is 65535.

config nat delete vlan <outside_vlan> map source [any | <ipaddress> [/<bits>| <netmask>]] {l4-port [any | <number> {- <number>}]} {destination <ipaddress>/<mask> {l4-port [any | <number> {- <number>}]}} to <ipaddress> [/<mask> | <netmask> | - <ipaddress>] {[tcp | udp | both] [portmap {<min> - <max>} | auto-constrain]}
    Deletes a NAT translation rule.

Creating NAT Rules

This section describes how to configure the various types of NAT (static, dynamic, portmap, and auto-constrain). In the examples in this section, advanced port and destination matching options have been removed. For information on how to use some of the more advanced rule matching features, refer to “Advanced Rule Matching”.

Creating Static and Dynamic NAT Rules

To create static or dynamic NAT rules, use this command:

    config nat [add | delete] vlan <outside_vlan> map source [any | <ipaddress> [/<bits> | <netmask>]] to <ip> [/<mask> | <netmask> | - <ipaddress>]

This is the simplest NAT rule. You specify the outside vlan name, and a subnet of inside IP addresses, which get translated to the outside IP address using the specified mode (static in this case). For the outside IP addresses, you can either specify an IP address and netmask or a starting and ending IP range to determine the IP addresses the switch will translate the inside IP addresses to. If the netmask for both the source and NAT addresses is /32, the switch will use static NAT translation. If the netmask for both the source and NAT addresses are not both /32, the switch will use dynamic NAT translation.

Static NAT Rule Example

    config nat add out_vlan_1 map source 192.168.1.12/32 to 216.52.8.32/32

Dynamic NAT Rule Example

    config nat add out_vlan_1 map source 192.168.1.0/24 to 216.52.8.1 - 216.52.8.31

Creating Portmap NAT Rules

To configure portmap NAT rules, use this command:

    config nat [add | delete] vlan <outside_vlan> map source [any | <ipaddress> [/<bits> | <netmask>]] to <ipaddress> [/<mask> | <netmask> | - <ipaddress>] {[tcp |udp | both] portmap {<min> - <max>}}

The addition of an L4 protocol name and the portmap keyword tells the switch to use portmap mode. Optionally, you may specify the range of L4 ports the switch chooses on the translated IP addresses, but there is a performance penalty for doing this. Remember that portmap mode will only translate TCP and/or UDP, so a dynamic NAT rule must be specified after the portmap rule in order to allow ICMP packets through without interfering with the portmapping.

Portmap NAT Rule Example

    config nat add out_vlan_2 map source 192.168.2.0/25 to 216.52.8.32 /28 both portmap

Portmap Min-Max Example

    config nat add out_vlan_2 map source 192.168.2.128/25 to 216.52.8.64/28 tcp portmap 1024 - 8192

Creating Auto-Constrain NAT Rules

To create auto-constrain NAT rules, use the following command:

    config nat [add | delete] vlan <outside_vlan> map source [any | <ipaddress> [/<bits> | <netmask>]] to <ip> [/<mask> | <netmask> | - <ipaddress>] {[tcp | udp | both] auto-constrain}

This rule uses auto-constrain NAT. Remember that each inside IP address will be restricted in the number of simultaneous connections. Most installations should use portmap mode.

Auto-Constrain Example

    config nat add out_vlan_3 map source 192.168.3.0/24 to 216.52.8.64/32 both auto-constrain

Advanced Rule Matching

By default, NAT rules only match connections based on the source IP address of the outgoing packets. Using the L4-port and destination keywords, you can further limit the scope of the NAT rule so that it only applied to specific TCP/UDP Layer 4 port numbers, or specific outside destination IP addresses.

NOTE: Once a single rule is matched, no other rules are processed.

Destination Specific NAT

    config nat [add | delete] vlan <outside_vlan> map source [any | <ipaddress> [/<bits> | <netmask>]] {destination <ipaddress/mask>} to <ipaddress> [/<mask> | <netmask> | - <ipaddress>]

The addition of the destination optional keyword after the source IP address and mask allows the NAT rule to be applied to only packets with a specific destination IP address.

L4-Port Specific NAT

The addition of the L4-port optional keyword after the source IP address and mask allows the NAT rule to be applied only to packets with a specific L4 source or destination port. If you use the L4-port command after the source IP/mask, the rule will match only if the port(s) specified are the source L4-ports. If you use the L4-port command after the destination IP/mask, the rule will match only if the port(s) specified are the destination L4-ports. Both options may be used together to further limit the rule.
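The following Python model is an added example, not ExtremeWare code. It shows first-match rule processing together with the mode selection described under Creating NAT Rules (both sides /32 gives static, otherwise dynamic, the portmap keyword gives portmap) and the connection table used for return packets. Class names, the flows and the 198.51.100.x outside addresses are constructed; the model assumes that a portmap rule does not match ICMP (so ICMP falls through to the next rule), that an exhausted pool yields "no-resource", and it never frees portmap ports.

```python
import ipaddress


class Rule:
    """One 'config nat add' rule; rule order is list order."""

    def __init__(self, source, pool, protos=(), portmap=None):
        self.source = ipaddress.ip_network(source)
        self.pool = list(pool)            # outside addresses, in allocation order
        self.protos = set(protos)         # {"tcp"}, {"udp"} or both (portmap only)
        self.portmap = portmap            # (min, max) Layer 4 port range, or None
        if portmap is not None:
            self.mode = "portmap"
        elif self.source.prefixlen == 32 and len(self.pool) == 1:
            self.mode = "static"          # both sides are /32
        else:
            self.mode = "dynamic"
        self.leases = {}                  # inside IP -> outside IP
        self.cursor = 0                   # next unused (outside IP, port) slot

    def matches(self, src, proto):
        if ipaddress.ip_address(src) not in self.source:
            return False
        # Assumption: portmap only claims the protocols it can translate.
        return self.mode != "portmap" or proto in self.protos

    def allocate(self, src, sport):
        if self.mode == "portmap":
            lo, hi = self.portmap
            span = hi - lo + 1
            if self.cursor >= span * len(self.pool):
                return None
            slot, self.cursor = self.cursor, self.cursor + 1
            # Fill every port on the first outside IP, then move to the next.
            return (self.pool[slot // span], lo + slot % span)
        if src not in self.leases:        # static/dynamic: ports are untouched
            used = set(self.leases.values())
            free = [ip for ip in self.pool if ip not in used]
            if not free:
                return None
            self.leases[src] = free[0]    # first come, first served
        return (self.leases[src], sport)


class Nat:
    def __init__(self, rules):
        self.rules = rules
        self.out = {}                     # (proto, inside ip, port) -> mapping
        self.back = {}                    # (proto, outside ip, port) -> inside

    def outbound(self, src, sport, proto):
        key = (proto, src, sport)
        if key in self.out:
            return self.out[key]
        for rule in self.rules:           # first match wins, the rest are ignored
            if rule.matches(src, proto):
                mapping = rule.allocate(src, sport)
                if mapping is None:
                    return "no-resource"
                self.out[key] = mapping
                self.back[(proto,) + mapping] = (src, sport)
                return mapping
        return None                       # unmatched: routed without translation

    def inbound(self, dst, dport, proto):
        # Only sessions started from the inside have a table entry.
        return self.back.get((proto, dst, dport))


# Constructed flows: (inside source IP, source port, protocol).
FLOWS = [("192.168.2.10", 40000, "tcp"), ("192.168.2.11", 40000, "tcp"),
         ("192.168.2.12", 40000, "tcp"), ("192.168.2.10", None, "icmp"),
         ("192.168.9.9", 40000, "tcp")]


def run(order):
    portmap = Rule("192.168.2.0/25", ["198.51.100.33", "198.51.100.34"],
                   protos=("tcp", "udp"), portmap=(1024, 1025))
    dynamic = Rule("192.168.2.0/25", ["198.51.100.40"])
    rules = [portmap, dynamic] if order == "portmap-first" else [dynamic, portmap]
    nat = Nat(rules)
    return nat, [nat.outbound(*flow) for flow in FLOWS]


if __name__ == "__main__":
    for order in ("portmap-first", "dynamic-first"):
        print(order, run(order)[1])
```

With the dynamic rule listed first it claims the TCP flows as well, so the portmap rule is never reached and the single outside address is used up by the first host. The last flow matches no rule and leaves with its private source address, which is worth checking for on the outside VLAN.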

Configuring Timeouts

When an inside host initiates a session, a session table entry is created. Depending on the type of traffic or the current TCP state, the table entries timeout after the configured timeout expires. Table 33 describes the commands used to configure timeout periods.

Table 33: NAT Timeout Commands

config nat finrst-timeout <seconds>
    Configures the timeout for a TCP session that has been torn down or reset. The default setting is 60 seconds.

config nat icmp-timeout <seconds>
    Configures the timeout for an ICMP packet. The default setting is 3 seconds.

config nat syn-timeout <seconds>
    Configures the timeout for an entry with an unacknowledged TCP SYN state. The default setting is 60 seconds.

config nat tcp-timeout <seconds>
    Configures the timeout for a fully setup TCP SYN session. The default setting is 120 seconds.

config nat udp-timeout <seconds>
    Configures the timeout for a UDP session. The default setting is 120 seconds.

config nat timeout <seconds>
    Configures the timeout for any IP packet that is not TCP, UDP or ICMP. The default setting is 600 seconds.

show nat timeout
    Displays NAT timeout settings.

Displaying NAT Settings

To display NAT rules, use the following command:

    show nat rules {vlan <outside_vlan>}

This command displays the NAT rules for a specific VLAN. Rules are displayed in the order they are processed, starting with the first one.

To display NAT traffic statistics, use the following command:

    show nat stats

This command displays statistics for the NAT traffic, and includes:
• The number of rules
• The number of current connections
• The number of translated packets on the inside and outside VLANs
• Information on missed translations

To display NAT connection information, use the following command:

    show nat connections

This command displays the current NAT connection table, including source IP/Layer 4 port mappings from inside to outside.

Disabling NAT

To disable NAT, use the following command:

    disable nat

11 Ethernet Automatic Protection Switching

This chapter describes the use of the Ethernet Automatic Protection Switching (EAPS™) protocol, and includes information on the following topics:
• Overview of the EAPS Protocol
• Summit 200 Series Switches in Multi-ring Topologies
• Commands for Configuring and Monitoring EAPS

Overview of the EAPS Protocol

The EAPS protocol provides fast protection switching to Layer 2 switches interconnected in an Ethernet ring topology, such as a Metropolitan Area Network (MAN) or large campuses (see Figure 24).

Figure 24: Gigabit Ethernet fiber EAPS MAN ring

EAPS protection switching is similar to what can be achieved with the Spanning Tree Protocol (STP), but offers the advantage of converging in less than a second when a link in the ring breaks.

NOTE: In order to use EAPS, you must enable EDP on the switch. For more information on EDP, refer to Chapter 6.

EAPS operates by declaring an EAPS domain on a single ring. Any VLAN that warrants fault protection is configured on all ring ports in the ring, and is then assigned to an EAPS domain. On that ring domain, one switch, or node, is designated the master node (see Figure 25), while all other nodes are designated as transit nodes.

One port of the master node is designated the master node’s primary port (P) to the ring; another port is designated as the master node’s secondary port (S) to the ring. In normal operation, the master node blocks the secondary port for all non-control traffic belonging to this EAPS domain, thereby avoiding a loop in the ring, like STP. Layer 2 switching and learning mechanisms operate per existing standards on this ring.

NOTE: Like the master node, each transit node is also configured with a primary port and a secondary port on the ring, but the primary/secondary port distinction is ignored as long as the node is configured as a transit node.

Figure 25: EAPS operation

If the ring is complete, the master node logically blocks all data traffic in the transmit and receive directions on the secondary port to prevent a loop. If the master node detects a break in the ring, it unblocks its secondary port and allows data traffic to be transmitted and received through it.

Fault Detection and Recovery

EAPS fault detection on a ring is based on a single control VLAN per EAPS domain. This EAPS domain provides protection to one or more data-carrying VLANs called protected VLANs.

The control VLAN is used only to send and receive EAPS messages; the protected VLANs carry the actual data traffic. As long as the ring is complete, the EAPS master node blocks the protected VLANs from accessing its secondary port.

NOTE: The control VLAN is not blocked. Messages sent on the control VLAN must be allowed into the switch for the master node to determine whether the ring is complete.

Figure 26: EAPS fault detection and protection switching

A master node detects a ring fault in either of two ways:
• Polling response
• Trap message sent by a transit node

Polling

The master node transmits a health-check packet on the control VLAN at a user-configurable interval (see Figure 25). If the ring is complete, the master node will receive the health-check packet on its secondary port (the control VLAN is not blocked on the secondary port). When the master node receives the health-check packet, it resets its fail-period timer and continues normal operation.

If the master node does not receive the health-check packet before the fail-period timer expires, it declares a “failed” state and opens its logically blocked secondary port on all the protected VLANs. Now, traffic can flow through the master’s secondary port. The master node also flushes its forwarding database (FDB) and sends a message on the control VLAN to all of its associated transit nodes to flush their forwarding databases as well, so that all of the switches can learn the new paths to Layer 2 end stations on the reconfigured ring topology.

Trap Message Sent by a Transit Node

When any transit node detects a loss of link connectivity on any of its ring ports, it immediately sends a “link down” message on the control VLAN using its good link to the master node.

When the master node receives the “link down” message (see Figure 26), it immediately declares a “failed” state and performs the same steps described above; it unblocks its secondary port for access by the protected VLANs, flushes its FDB, and sends a “flush FDB” message to its associated transit nodes.

Restoration Operations

The master node continues sending health-check packets out its primary port even when the master node is operating in the failed state. As long as there is a break in the ring, the fail-period timer of the master node will continue to expire and the master node will remain in the failed state.

When the broken link is restored, the master will receive its health-check packet back on its secondary port, and will once again declare the ring to be complete. It will logically block the protected VLANs on its secondary port, flush its FDB, and send a “flush FDB” message to its associated transit nodes.

During the time between when the transit node detects that the link is operable again and when the master node detects that the ring is complete, the secondary port on the master node is still open and data could start traversing the transit node port that just came up. To prevent the possibility of such a temporary loop, when the transit node detects that its failed link is up again, it will perform these steps:
1. For the port that just came up, put all the protected VLANs traversing that port into a temporary blocked state.
2. Remember which port has been temporarily blocked.
3. Set the state to Preforwarding.

When the master node receives its health-check packet back on its secondary port, and detects that the ring is once again complete, it sends a message to all its associated transit nodes to flush their forwarding databases.

When the transit nodes receive the message to flush their forwarding databases, they perform these steps:
1. Flush their forwarding databases on the protected VLANs.
2. If the port state is set to Preforwarding, unblock all the previously blocked protected VLANs for the port.
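The following Python simulation is an added example, not ExtremeWare code. It steps one master node and one transit ring port through the fault and restoration sequence described above, and reports at each step whether a data loop is possible on the protected VLANs. The class names are hypothetical, the fail period is counted in health-check intervals as a simplification, and the preforwarding switch exists only to show what the Preforwarding state prevents.

```python
class Master:
    def __init__(self, failtime=3):
        self.failtime = failtime          # fail period, in health-check intervals
        self.timer = failtime
        self.state = "COMPLETE"
        self.secondary_blocked = True     # protected VLANs only, never control
        self.flushes = 0                  # "flush FDB" messages sent so far

    def _declare_failed(self):
        if self.state != "FAILED":
            self.state = "FAILED"
            self.secondary_blocked = False
            self.flushes += 1

    def tick(self, health_check_returned):
        """One polling interval. Returns True if a 'flush FDB' was sent."""
        before = self.flushes
        if health_check_returned:
            self.timer = self.failtime
            if self.state == "FAILED":    # ring is complete again
                self.state = "COMPLETE"
                self.secondary_blocked = True
                self.flushes += 1
        else:
            self.timer -= 1
            if self.timer <= 0:
                self._declare_failed()
        return self.flushes > before

    def link_down(self):
        """'link down' message received from a transit node."""
        before = self.flushes
        self._declare_failed()
        return self.flushes > before


class TransitPort:
    def __init__(self, preforwarding=True):
        self.preforwarding = preforwarding
        self.state = "UP"

    def link_lost(self):
        self.state = "DOWN"

    def link_restored(self):
        # Protected VLANs stay blocked until the master confirms the ring.
        self.state = "PREFORWARDING" if self.preforwarding else "UP"

    def flush_fdb(self):
        if self.state == "PREFORWARDING":
            self.state = "UP"

    @property
    def forwards_data(self):
        return self.state == "UP"


def data_loop(master, port):
    # A loop needs the master's secondary port open AND the ring closed for data.
    return (not master.secondary_blocked) and port.forwards_data


def simulate(preforwarding=True, use_trap=True, failtime=3):
    master, port = Master(failtime), TransitPort(preforwarding)
    log = []

    def snap(event):
        log.append((event, master.state, master.secondary_blocked,
                    data_loop(master, port)))

    master.tick(True)
    snap("healthy")
    port.link_lost()
    if use_trap:                          # fast path: transit node reports it
        master.link_down()
        snap("trap")
    else:                                 # slow path: fail-period timer expires
        for _ in range(failtime):
            master.tick(False)
        snap("poll-timeout")
    port.link_restored()                  # master has not noticed yet
    snap("link-restored")
    if master.tick(True):                 # health check returns on secondary
        port.flush_fdb()
    snap("ring-complete")
    return log


if __name__ == "__main__":
    for row in simulate():
        print(row)
    print(simulate(preforwarding=False)[2])
```

The health-check packet still completes the ring while the transit port is in Preforwarding because it travels on the control VLAN, which is not blocked.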

Summit 200 Series Switches in Multi-ring Topologies

Figure 27 shows how a data VLAN could span two rings having two interconnecting switches in common.

Figure 27: EAPS data VLAN spanning two rings.

In this example, there is one EAPS domain with its own control VLAN running on the ring labeled LHS and another EAPS domain with its own control VLAN running on the ring labeled RHS. A data VLAN that spans both rings acts as a protected VLAN to both EAPS domains. Switches S 5 and S 10 will have two instances of EAPS domains running on them: one for each ring.

Summit 200 series switches can be deployed in a multi-ring EAPS topology subject to these guidelines:

• Summit 200 series switches can be used as any of the EAPS nodes in the ring except as a node that interconnects the two rings. For example, in the example shown in Figure 27, nodes S 5 and S 10 cannot be Summit 200 series switches. Summit 200 series switches support EAPS Version 1 (EAPSv1) and only support a single EAPS domain per switch.

• Depending on the network topology and the versions of EAPS (EAPSv1 vs. EAPSv2) running on the other EAPS nodes, there might be a requirement to configure STP support for EAPSv1 to prevent super loops—in the event of a break in the common link between the nodes interconnecting the rings. For example, in the example shown in Figure 27, a break in the link between nodes S 5 and S 10 would result in a super loop.

  — Case 1: Summit 200 series switches on a single ring. In this case, EAPSv1 requires no STP support.

  — Case 2: Summit 200 series switches on a multi-ring network along with ring-connecting switches not running EAPSv2. In this case, the Summit 200 series switches still cannot be ring-connecting nodes, and this implementation requires configuring EAPSv1 plus STP support to prevent super loops. This configuration process is described in the EAPS chapter of the ExtremeWare Software User Guide, Version 7.0.0.

  — Case 3: Summit 200 series switches on a multi-ring network along with ring-connecting switches running EAPSv2. In this case, the Summit 200 series switches still cannot be ring-connecting nodes, but configuring EAPSv1 plus EAPSv2 means that the “EAPS awareness” of the ring-connecting switches would prevent problems with super-loops without requiring STP support. This configuration process is described in the EAPS chapter of the ExtremeWare Software User Guide, Version 7.1.0.


Commands for Configuring and Monitoring EAPS
Table 34 lists the ExtremeWare EAPS commands. Each command is described in detail in the sections that follow.

Table 34: EAPS Commands

config eaps <name> mode [master | transit]
    Configures the switch as either the EAPS master node or as an EAPS transit node for the specified domain.

config eaps <name> [hellotime <seconds> | failtime <seconds>]
    Configures the values of the polling timers the master node uses for the EAPS health-check packet that is circulated around the ring for the specified EAPS domain.

config eaps <name> [primary | secondary] port <port number>
    Configures a node port as the primary or secondary port for the specified EAPS domain.

config eaps <name> [add | delete] control vlan <name>
    Adds the specified control VLAN to the specified EAPS domain, or deletes the specified control VLAN from the specified EAPS domain.

config eaps <name> [add | delete] protect vlan <name>
    Adds the specified protected VLAN to the specified EAPS domain, or deletes the specified protected VLAN from the specified EAPS domain.

config eaps <old_name> name <new_name>
    Renames an existing EAPS domain.

create eaps <name>
    Creates an EAPS domain with the specified name. Only a single domain is supported on this platform.

delete eaps <name>
    Deletes the specified EAPS domain.

disable eaps
    Disables the EAPS function for an entire switch.

disable eaps <name>
    Disables the EAPS domain with the specified name.

enable eaps
    Enables the EAPS function for an entire switch.

enable eaps <name>
    Enables the EAPS domain with the specified name.

show eaps {<name>} [detail]
    Displays EAPS status information. Use the optional domain name parameter to display status information for a specific EAPS domain.

unconfig eaps <name> [primary | secondary] port
    Sets the specified port’s internal configuration state to INVALID, causing the port to appear in the state Idle with a port status of Unknown when you use the show eaps {<name>} detail command to display port status information.


Creating and Deleting an EAPS Domain
Each EAPS domain is identified by a unique domain name.

NOTE Only a single EAPS domain per switch is supported by Summit 200 series switches.

To create an EAPS domain, use the following command:
create eaps <name>

The name parameter is a character string of up to 32 characters that identifies the EAPS domain to be created. EAPS domain names and VLAN names must be unique; do not use the same name string to identify both an EAPS domain and a VLAN.

The following command example creates EAPS domain eaps_1 on the switch:
create eaps eaps_1

To delete an EAPS domain, use the following command:
delete eaps <name>

The following command example deletes the EAPS domain eaps_1:
delete eaps eaps_1

Defining the EAPS Mode of the Switch
To configure the EAPS node type of the switch, use the following command:
config eaps <name> mode [master | transit]

One node on the ring must be configured as the master node for the specified domain; all other nodes on the ring are configured as transit nodes for the same domain. The following command example identifies this switch as the master node for the domain named eaps_1.
config eaps eaps_1 mode master

The following command example identifies this switch as a transit node for the domain named eaps_1.
config eaps eaps_1 mode transit

Configuring EAPS Polling Timers
To set the values of the polling timers the master node uses for the EAPS health-check packet that is circulated around the ring for an EAPS domain, use the following command:
config eaps <name> [hellotime <seconds> | failtime <seconds>]

NOTE This command applies only to the master node. If you configure the polling timers for a transit node, they will be ignored. If you later reconfigure that transit node as the master node, the polling timer values will be used as the current values.


Use the hellotime keyword and its associated seconds parameter to specify the amount of time the master node waits between transmissions of health-check packets on the control VLAN. seconds must be greater than 0 when you are configuring a master node. The default value is one second.

NOTE Increasing the hellotime value keeps the processor from sending and processing too many health-check packets. Increasing the hellotime value should not affect the network convergence time, because transit nodes are already sending “link down” notifications.

Use the failtime keyword and its associated seconds parameter to specify the amount of time the master node waits before declaring a failed state and opening the logically blocked VLANs on the secondary port. seconds must be greater than the configured value for hellotime. The default value is three seconds.

NOTE Increasing the failtime value provides more protection against frequent “flapping” between the complete state and the failed state by waiting long enough to receive a health-check packet when the network is congested.

NOTE When the master node declares a failed state, it also flushes its forwarding database (FDB) and sends a “flush FDB” message to all the transit switches on the ring by way of the control VLAN. The reason for flushing the FDB is so that the switches can relearn the new directions to reach Layer 2 end stations via the reconfigured topology.

The following command examples configure the hellotime value for the EAPS domain “eaps_1” to 2 seconds and the failtime value to 10 seconds.
config eaps eaps_1 hellotime 2
config eaps eaps_1 failtime 10

Configuring the Primary and Secondary Ports
Each node on the ring connects to the ring through two ring ports. As part of the protection switching scheme, one port must be configured as the primary port; the other must be configured as the secondary port. If the ring is complete, the master node prevents a loop by logically blocking all data traffic in the transmit and receive directions on its secondary port. If the master node subsequently detects a break in the ring, it unblocks its secondary port and allows data traffic to be transmitted and received through it. To configure a node port as primary or secondary, use the following command:
config eaps <name> [primary | secondary] port <port number>

The following command example adds port 2 of the switch to the EAPS domain “eaps_1” as the primary port.
config eaps eaps_1 primary port 2


Configuring the EAPS Control VLAN
You must configure one control VLAN for each EAPS domain. The control VLAN is used only to send and receive EAPS messages.

NOTE A control VLAN cannot belong to more than one EAPS domain.

To configure the EAPS control VLAN for the domain, use the following command:
config eaps <name> add control vlan <name>

NOTE To avoid loops in the network, the control VLAN must NOT be configured with an IP address, and ONLY ring ports may be added to the VLAN.

NOTE When you configure the VLAN that will act as the control VLAN, that VLAN must be assigned a QoS profile of Qp8, and the ring ports of the control VLAN must be tagged. By assigning the control VLAN a QoS profile of Qp8, you ensure that EAPS control VLAN traffic is serviced before any other traffic and that control VLAN messages reach their intended destinations. For example, if the control VLAN is not assigned the highest priority and a broadcast storm occurs in the network, the control VLAN messages might be dropped at intermediate points. Assigning the control VLAN the highest priority prevents dropped control VLAN messages.

NOTE Because the QoS profiles Qp7 and Qp8 share the same hardware queue in the Summit 200 series switch, you must limit the amount of traffic that uses these profiles; otherwise, the Summit 200 series switch may drop EAPS control packets, preventing EAPS from operating reliably.

The following command example adds the control VLAN “keys” to the EAPS domain “eaps_1.”
config eaps eaps_1 add control vlan keys

Configuring the EAPS Protected VLANs
You must configure one or more protected VLANs for each EAPS domain. The protected VLANs are the data-carrying VLANs.

NOTE When you configure the VLAN that will act as a protected VLAN, the ring ports of the protected VLAN must be tagged (except in the case of the default VLAN).


To configure an EAPS protected VLAN, use the following command:
config eaps <name> add protect vlan <name>

NOTE As long as the ring is complete, the master node blocks the protected VLANs on its secondary port.

The following command example adds the protected VLAN “orchid” to the EAPS domain “eaps_1.”
config eaps eaps_1 add protect vlan orchid

Enabling and Disabling an EAPS Domain
To enable a specific EAPS domain, use the following command:
enable eaps <name>

To disable a specific EAPS domain, use the following command:
disable eaps <name>

Enabling and Disabling EAPS
To enable the EAPS function for the entire switch, use the following command:
enable eaps

To disable the EAPS function for the entire switch, use the following command:
disable eaps

Unconfiguring an EAPS Ring Port
Unconfiguring an EAPS port sets its internal configuration state to INVALID, which causes the port to appear in the Idle state with a port status of Unknown when you use the show eaps {<name>} detail command to display the status information about the port.

To unconfigure an EAPS primary or secondary ring port for an EAPS domain, use the following command:
unconfig eaps <name> [primary | secondary] port

The following command example unconfigures this node’s EAPS primary ring port on the domain eaps_1:
unconfig eaps eaps_1 primary port

Displaying EAPS Status Information
To display EAPS status information, use the following command:
show eaps {<name>} [detail]

If you enter the show eaps command without an argument or keyword, the command displays a summary of status information for all configured EAPS domains. You can use the detail keyword to display more detailed status information.

NOTE The output displayed by this command depends on whether the node is a transit node or a master node. The display for a transit node contains information fields that are not shown for a master node. Also, some state values are different on a transit node than on a master node.

The following example of the show eaps {<name>} detail command displays detailed EAPS information for a transit node. Table 35 describes the fields and values in the display.

* Summit200-24:39 # show eaps detail
EAPS Enabled: Yes
Number of EAPS instances: 1
EAPSD-Bridge links: 2
Name: "eaps1" (instance=0)
State: Links-Up [Running: Yes]
Enabled: Yes Mode: Transit
Primary port: 13 Port status: Up Tag status: Tagged
Secondary port: 14 Port status: Up Tag status: Tagged
Hello Timer interval: 1 sec Fail Timer interval: 3 sec
Preforwarding Timer interval: 3 sec
Last update: From Master Id 00:E0:2B:81:20:00, Sat Mar 17 17:03:37 2001
Eaps Domain has following Controller Vlan:
Vlan Name VID
"rhsc" 0020
EAPS Domain has following Protected Vlan(s):
Vlan Name VID
"traffic" 1001
Number of Protected Vlans: 1

The following example of the show eaps {<name>} detail command displays detailed EAPS information for a single EAPS domain named “eaps2” on the master node. Table 35 describes significant fields and values in the display.

* Baker15:4 # show eaps2 detail
Name: "eaps2" (instance=0)
State: Complete [Running: Yes]
Enabled: Yes Mode: Master
Primary port: 14 Port status: Up Tag status: Tagged
Secondary port: 13 Port status: Blocked Tag status: Tagged
Hello Timer interval: 1 sec Fail Timer interval: 3 sec
Eaps Domain has following Controller Vlan:
Vlan Name VID
"rhsc" 0020
EAPS Domain has following Protected Vlan(s):
Vlan Name VID
"blue" 1003
"traffic" 1001
Number of Protected Vlans: 2
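One way to turn the show eaps detail display into monitoring findings, as an added Python example that is not part of the guide or of ExtremeWare. The function names are illustrative, the line breaks in the first sample are assumed, and the second sample is constructed.

```python
import re

# Transit-node display taken from this page. The line breaks are an
# assumption; the parser below does not depend on them.
TRANSIT_SAMPLE = """\
EAPS Enabled: Yes
Number of EAPS instances: 1
EAPSD-Bridge links: 2
Name: "eaps1" (instance=0)
State: Links-Up [Running: Yes]
Enabled: Yes Mode: Transit
Primary port: 13 Port status: Up Tag status: Tagged
Secondary port: 14 Port status: Up Tag status: Tagged
Hello Timer interval: 1 sec Fail Timer interval: 3 sec
Preforwarding Timer interval: 3 sec
Last update: From Master Id 00:E0:2B:81:20:00, Sat Mar 17 17:03:37 2001
"""

# Constructed sample (not from the page): a master node after a ring break,
# with one ring port left untagged in the control VLAN.
FAILED_MASTER_SAMPLE = """\
Name: "eaps2" (instance=0)
State: Failed [Running: Yes]
Enabled: Yes Mode: Master
Primary port: 14 Port status: Down Tag status: Tagged
Secondary port: 13 Port status: Up Tag status: Untagged
Hello Timer interval: 1 sec Fail Timer interval: 3 sec
"""

FIELD_PATTERNS = {
    "name": r'Name:\s*"([^"]+)"',
    "state": r"State:\s*([\w-]+)",
    "running": r"\[Running:\s*(\w+)\]",
    "enabled": r"(?<!EAPS )Enabled:\s*(\w+)",  # skip the switch-wide line
    "mode": r"Mode:\s*(\w+)",
    "hello": r"Hello Timer interval:\s*(\d+)",
    "fail": r"Fail Timer interval:\s*(\d+)",
}
PORT_PATTERN = re.compile(
    r"(Primary|Secondary) port:\s*(\d+)\s+Port status:\s*(\w+)\s+"
    r"Tag status:\s*(\w+)"
)


def parse_eaps_detail(text):
    """Turn one domain's 'show eaps detail' display into a dict."""
    info = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            value = match.group(1)
            info[key] = int(value) if key in ("hello", "fail") else value
    info["ports"] = {
        role.lower(): {"port": int(num), "status": status, "tag": tag}
        for role, num, status, tag in PORT_PATTERN.findall(text)
    }
    return info


def assess(info):
    """Return findings based on the state and status values the guide lists."""
    findings = []
    state, mode = info.get("state"), info.get("mode")
    if info.get("enabled") != "Yes" or info.get("running") != "Yes":
        findings.append("domain is not enabled and running")
    if state == "Idle":
        findings.append("domain enabled but configuration not complete")
    if mode == "Master" and state == "Failed":
        findings.append("master reports a break in the ring")
    if mode == "Transit" and state == "Links-Down":
        findings.append("one or both ring ports are down")
    if mode == "Transit" and state == "Preforwarding":
        findings.append("a ring port is in a temporary BLOCKED state")
    for role, port in info["ports"].items():
        if port["status"] == "Down":
            findings.append(f"{role} port {port['port']} is down")
        if port["tag"] != "Tagged":
            findings.append(
                f"{role} port {port['port']} is {port['tag']} in the control VLAN"
            )
    secondary = info["ports"].get("secondary")
    if mode == "Master" and state == "Complete" and secondary:
        if secondary["status"] != "Blocked":
            findings.append("ring complete but master secondary port not blocked")
    if "hello" in info and "fail" in info and info["fail"] <= info["hello"]:
        findings.append("failtime is not greater than hellotime")
    return findings


if __name__ == "__main__":
    for sample in (TRANSIT_SAMPLE, FAILED_MASTER_SAMPLE):
        parsed = parse_eaps_detail(sample)
        print(parsed["name"], parsed["state"], assess(parsed) or "no findings")
```
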

Table 35: show eaps Display Fields

Field
    Description

EAPS Enabled:
    Current state of EAPS on this switch:
    • Yes—EAPS is enabled on the switch.
    • no—EAPS is not enabled.

Number of EAPS instances:
    Number of EAPS domains created. There can only be one EAPS domain on this platform.

EAPSD-Bridge links:
    The total number of EAPS bridge links in the system. The maximum count is 255. Each time a VLAN is added to EAPS, this count increments by 1.

Name:
    The configured name for this EAPS domain.

(Instance= )
    The instance number is created internally by the system.

State:
    On a transit node, the command displays one of the following states:
    • Idle—The EAPS domain has been enabled, but the configuration is not complete.
    • Links-Up—This EAPS domain is running, and both its ports are up and in the FORWARDING state.
    • Links-Down—This EAPS domain is running, but one or both of its ports are down.
    • Preforwarding—This EAPS domain is running, and both of its ports are up, but one of them is in a temporary BLOCKED state.
    On a master node, the command displays one of the following states:
    • Idle—The EAPS domain has been enabled, but the configuration is not complete.
    • Complete—The ring is in the COMPLETE state for this EAPS domain.
    • Failed—There is a break in the ring for this EAPS domain.

[Running: …]
    • Yes—This EAPS domain is running.
    • No—This EAPS domain is not running.

Enabled:
    Indicates whether EAPS is enabled on this domain.
    • Yes—EAPS is enabled on this domain.
    • no—EAPS is not enabled.

Mode:
    The configured EAPS mode for this switch: transit or master.

Primary/Secondary port:
    The port numbers assigned as the EAPS primary and secondary ports. On the master node, the port distinction indicates which port is blocked to avoid a loop.

Port status:
    • Unknown—This EAPS domain is not running, so the port status has not yet been determined.
    • Up—The port is up and is forwarding data.
    • Down—The port is down.
    • Blocked—The port is up, but data is blocked from being forwarded.

Tag status:
    Tagged status of the control VLAN:
    • Tagged—The control VLAN has this port assigned to it, and the port is tagged in the VLAN.
    • Untagged—The control VLAN has this port assigned to it, but the port is untagged in the control VLAN.
    • Undetermined—Either a VLAN has not been added as the control VLAN to this EAPS domain or this port has not been added to the control VLAN.

Hello Timer interval:
    The configured value of the timer.

Fail Timer interval:
    The configured value of the timer.

Preforwarding Timer interval: (1)
    The configured value of the timer. This value is set internally by the EAPS software.

Last update: (1)
    Displayed only for transit nodes; indicates the last time the transit node received a hello packet from the master node (identified by its MAC address).

EAPS Domain has … Controller Vlans:
    Lists the assigned name and ID of the control VLAN.

EAPS Domain has … Protected Vlans: (2)
    Lists the assigned names and VLAN IDs of all the protected VLANs configured on this EAPS domain.

Number of Protected Vlans:
    The count of protected VLANs configured on this EAPS domain.

1. These fields apply only to transit nodes; they are not displayed for a master node.
2. This list is displayed when you use the detail keyword in the show eaps command.
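The configuration rules stated in this chapter (a single domain, name limits, timer ordering, both ring ports, and the control VLAN requirements) can be checked before a configuration is loaded. The following Python lint is an added example, not part of the guide or of ExtremeWare; the sample configuration is constructed, the function names are illustrative, and create vlan and config vlan ... ipaddress are ExtremeWare commands that this chapter does not list.

```python
# Constructed configuration fragment (not from the page) with deliberate
# mistakes: equal timers, no secondary port, and a control VLAN that has an
# IP address and the wrong QoS profile.
SAMPLE_CONFIG = """\
create vlan keys
config vlan keys qosprofile qp3
config vlan keys ipaddress 10.0.0.1
create vlan orchid
create eaps eaps_1
config eaps eaps_1 mode master
config eaps eaps_1 hellotime 3
config eaps eaps_1 failtime 3
config eaps eaps_1 primary port 2
config eaps eaps_1 add control vlan keys
config eaps eaps_1 add protect vlan orchid
"""


def parse_config(config_text):
    """Collect VLAN and EAPS settings from ExtremeWare-style config lines."""
    vlans, domains = {}, {}
    for line in config_text.splitlines():
        w = line.split()
        if len(w) == 3 and w[:2] == ["create", "vlan"]:
            vlans[w[2]] = {"qos": "qp1", "ip": False}  # Qp1 is the default
        elif len(w) == 3 and w[:2] == ["create", "eaps"]:
            # Defaults from the guide: hellotime 1 second, failtime 3 seconds
            domains[w[2]] = {"mode": None, "hellotime": 1, "failtime": 3,
                             "ports": set(), "control": [], "protect": []}
        elif len(w) >= 5 and w[:2] == ["config", "vlan"] and w[2] in vlans:
            if w[3] == "qosprofile":
                vlans[w[2]]["qos"] = w[4].lower()
            elif w[3] == "ipaddress":
                vlans[w[2]]["ip"] = True
        elif len(w) >= 5 and w[:2] == ["config", "eaps"] and w[2] in domains:
            dom = domains[w[2]]
            if w[3] == "mode":
                dom["mode"] = w[4]
            elif w[3] in ("hellotime", "failtime"):
                dom[w[3]] = int(w[4])
            elif w[3] in ("primary", "secondary") and w[4] == "port":
                dom["ports"].add(w[3])
            elif w[3] == "add" and len(w) == 7 and w[5] == "vlan":
                if w[4] in ("control", "protect"):
                    dom[w[4]].append(w[6])
    return vlans, domains


def lint_eaps(config_text):
    """Check a configuration against the EAPS rules stated in this chapter."""
    vlans, domains = parse_config(config_text)
    findings = []
    if len(domains) > 1:
        findings.append("more than one EAPS domain; only one is supported")
    for name, dom in domains.items():
        if len(name) > 32:
            findings.append(f"{name}: domain name longer than 32 characters")
        if name in vlans:
            findings.append(f"{name}: name is also used for a VLAN")
        if dom["mode"] not in ("master", "transit"):
            findings.append(f"{name}: mode is not set to master or transit")
        if dom["mode"] == "master":  # the polling timers apply to the master
            if dom["hellotime"] <= 0:
                findings.append(f"{name}: hellotime must be greater than 0")
            if dom["failtime"] <= dom["hellotime"]:
                findings.append(
                    f"{name}: failtime {dom['failtime']} is not greater than "
                    f"hellotime {dom['hellotime']}")
        for role in ("primary", "secondary"):
            if role not in dom["ports"]:
                findings.append(f"{name}: no {role} port configured")
        if len(dom["control"]) != 1:
            findings.append(f"{name}: needs exactly one control VLAN")
        for vlan in dom["control"]:
            settings = vlans.get(vlan)
            if settings is None:
                findings.append(f"{name}: control VLAN {vlan} is not defined")
                continue
            if settings["ip"]:
                findings.append(f"{name}: control VLAN {vlan} has an IP address")
            if settings["qos"] != "qp8":
                findings.append(
                    f"{name}: control VLAN {vlan} uses {settings['qos']}, not qp8")
        if not dom["protect"]:
            findings.append(f"{name}: no protected VLAN configured")
    return findings


if __name__ == "__main__":
    for finding in lint_eaps(SAMPLE_CONFIG):
        print(finding)
```

The lint does not check that ring ports are tagged in the control and protected VLANs; that rule needs the VLAN port membership, which the sample leaves out.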


12 Quality of Service (QoS)

This chapter covers the following topics:
• Overview of Policy-Based Quality of Service
• Applications and Types of QoS
• Configuring QoS for a Port or VLAN
• Traffic Groupings
— MAC-Based Traffic Groupings
— Explicit Class of Service (802.1p and DiffServ) Traffic Groupings
— Physical and Logical Groupings
• Verifying Configuration and Performance
• Modifying a QoS Configuration
• Traffic Rate-Limiting
• Dynamic Link Context System

Policy-based Quality of Service (QoS) is a feature of ExtremeWare and the Extreme switch architecture that allows you to specify different service levels for traffic traversing the switch. Policy-based QoS is an effective control mechanism for networks that have heterogeneous traffic patterns. Using Policy-based QoS, you can specify the service level that a particular traffic type receives.

Overview of Policy-Based Quality of Service
Policy-based QoS allows you to protect bandwidth for important categories of applications or specifically limit the bandwidth associated with less critical traffic. For example, if voice-over-IP traffic requires a reserved amount of bandwidth to function properly, using QoS, you can reserve sufficient bandwidth critical to this type of application. Other applications deemed less critical can be limited so as to not consume excessive bandwidth.

The switch contains separate hardware queues on every physical port. Each hardware queue can be programmed by ExtremeWare with bandwidth limitation and prioritization parameters. The bandwidth limitation and prioritization parameters that modify the forwarding behavior of the switch affect how the switch transmits traffic for a given hardware queue on a physical port. Summit 200 series switches support up to four physical queues per port.

NOTE As with all Extreme switch products, QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.

Applications and Types of QoS
Different applications have different QoS requirements. The following applications are ones that you will most commonly encounter and need to prioritize:
• Voice applications
• Video applications
• Critical database applications
• Web browsing applications
• File server applications

General guidelines for each traffic type are given below and summarized in Table 36. Consider them as general guidelines and not strict recommendations. Once QoS parameters are set, you can monitor the performance of the application to determine if the actual behavior of the applications matches your expectations. It is very important to understand the needs and behavior of the particular applications you wish to protect or limit. Behavioral aspects to consider include bandwidth needs, sensitivity to latency and jitter, and sensitivity and impact of packet loss.

Voice Applications
Voice applications typically demand small amounts of bandwidth. However, the bandwidth must be constant and predictable because voice applications are typically sensitive to latency (inter-packet delay) and jitter (variation in inter-packet delay). The most important QoS parameter to establish for voice applications is minimum bandwidth, followed by priority.

Video Applications
Video applications are similar in needs to voice applications, with the exception that bandwidth requirements are somewhat larger, depending on the encoding. It is important to understand the behavior of the video application being used. For example, in the playback of stored video streams, some applications can transmit large amounts of data for multiple streams in one “spike,” with the expectation that the end-stations will buffer significant amounts of video-stream data. This can present a problem to the network infrastructure, because it must be capable of buffering the transmitted spikes where there are speed differences (for example, going from Gigabit Ethernet to Fast Ethernet). Key QoS parameters for video applications include minimum bandwidth, priority, and possibly buffering (depending upon the behavior of the application).

Critical Database Applications
Database applications, such as those associated with ERP, typically do not demand significant bandwidth and are tolerant of delay. You can establish a minimum bandwidth using a priority less than that of delay-sensitive applications.

Web Browsing Applications
QoS needs for Web browsing applications cannot be generalized into a single category. For example, ERP applications that use a browser front-end may be more important than retrieving daily news information. Traffic groupings can typically be distinguished from each other by their server source and destinations. Most browser-based applications are distinguished by the dataflow being asymmetric (small dataflows from the browser client, large dataflows from the server to the browser client).

An exception to this may be created by some Java™-based applications. In addition, Web-based applications are generally tolerant of latency, jitter, and some packet loss, however small packet-loss may have a large impact on perceived performance due to the nature of TCP. The relevant parameter for protecting browser applications is minimum bandwidth. The relevant parameter for preventing non-critical browser applications from overwhelming the network is maximum bandwidth. In addition, RED can be used to reduce session loss if the queue that floods Web traffic becomes over-subscribed.

File Server Applications
With some dependencies on the network operating system, file serving typically poses the greatest demand on bandwidth, although file server applications are very tolerant of latency, jitter, and some packet loss, depending on the network operating system and the use of TCP or UDP.

NOTE Full-duplex links should be used when deploying policy-based QoS. Half-duplex operation on links can make delivery of guaranteed minimum bandwidth impossible.

Table 36 summarizes QoS guidelines for the different types of network traffic.

Table 36: Traffic Type and QoS Guidelines

Traffic Type     Key QoS Parameters
Voice            Minimum bandwidth, priority
Video            Minimum bandwidth, priority, buffering (varies)
Database         Minimum bandwidth
Web browsing     Minimum bandwidth for critical applications, maximum bandwidth for non-critical applications, RED
File server      Minimum bandwidth

Configuring QoS for a Port or VLAN
Table 37 lists the commands used to configure QoS.

Table 37: QoS Configuration Commands

Command
    Description

config ports <portlist> qosprofile <qosprofile>
    Configures one or more ports to use a particular QoS profile.

config vlan <name> qosprofile <qosprofile>
    Allows you to configure a VLAN to use a particular QoS profile.

TCP/UDP port information. The supported traffic groupings are listed in Table 38. such as 802. Traffic is typically grouped based on the applications discussed starting on page 144. The groupings are listed in order of precedence (highest to lowest).1P Destination Address MAC-Based Groupings • • • Permanent Dynamic Blackhole Physical/Logical Groupings • • Source port VLAN Access List Based Traffic Groupings Access list based traffic groupings are based on any combination of the following items: • IP source or destination address • TCP/UDP or other layer 4 protocol • TCP/UDP port information • MAC source or destination address • VLANid Access list based traffic groupings are defined using access lists. the more specific traffic grouping takes precedence. there is a predetermined precedence for which traffic grouping will apply. Access lists are discussed in detail in Chapter 9. In general. Table 38: Traffic Groupings by Precedence IP Information (Access Lists) Grouping • Access list precedence determined by user configuration Explicit Packet Class of Service Groupings • • DiffServ (IP TOS) 802. A traffic grouping is a classification of traffic that has one or more attributes in common. you assign traffic a grouping to the profile. By supplying a named QoS profile at the end of the access list command syntax. By default. and VLANid) • Destination MAC (MAC QoS groupings) • Explicit packet class of service information. The four types of traffic groupings are described in detail on the following pages. all traffic groupings are placed in the QoS profile Qp1.Quality of Service (QoS) Traffic Groupings Once a QoS profile is modified for bandwidth and priority.1p or DiffServ (IP TOS) • Physical/logical configuration (physical source port or VLAN association) In the event that a given packet matches two or more grouping criteria. This level of packet filtering has no impact on performance. 
you can prescribe the bandwidth management and priority handling for that traffic grouping. 146 Summit 200 Series Switch Installation and User Guide . Traffic groupings are separated into the following categories for discussion: • Access list based information (IP source/destination.

MAC-Based Traffic Groupings
QoS profiles can be assigned to destination MAC addresses. MAC-based traffic groupings are configured using the following command:
create fdbentry <mac_address> vlan <name> [blackhole | port <portlist> | dynamic] qosprofile <qosprofile>

The MAC address options, defined below, are as follows:
• Permanent
• Dynamic
• Blackhole

Permanent MAC addresses
Permanent MAC addresses can be assigned a QoS profile whenever traffic is destined to the MAC address. This can be done when you create a permanent FDB entry. For example:
create fdbentry 00:11:22:33:44:55 vlan default port 4 qosprofile qp2

Dynamic MAC Addresses
Dynamic MAC addresses can be assigned a QoS profile whenever traffic is destined to the MAC address. For any port on which the specified MAC address is learned in the specified VLAN, the port is assigned the specified QoS profile. For example:
create fdbentry 00:11:22:33:44:55 vlan default dynamic qosprofile qp3

The QoS profile is assigned when the MAC address is learned. If a client's location moves, the assigned QoS profile moves with the device. If the MAC address entry already exists in the FDB, you can clear the forwarding database so that the QoS profile can be applied when the entry is added again. Use the following command to clear the FDB:
clear fdb

Blackhole MAC Address
Using the blackhole option configures the switch to not forward any packets to the destination MAC address on any ports for the VLAN specified. The blackhole option is configured using the following command:
create fdbentry 00:11:22:33:44:55 vlan default blackhole

Verifying MAC-Based QoS Settings
To verify any of the MAC-based QoS settings, use either the command
show fdb permanent
or the command
show qosprofile <qosprofile>

Explicit Class of Service (802.1p and DiffServ) Traffic Groupings
This category of traffic groupings describes what is sometimes referred to as explicit packet marking, and refers to information contained within a packet intended to explicitly determine a class of service. That information includes:
• IP DiffServ code points, formerly known as IP TOS bits
• Prioritization bits used in IEEE 802.1p packets

An advantage of explicit packet marking is that the class of service information can be carried throughout the network infrastructure, without repeating what can be complex traffic grouping policies at each switch location. Another advantage is that end stations can perform their own packet marking on an application-specific basis. The Summit 200 series switch has the capability of observing and manipulating packet marking information with no performance penalty.

The documented capabilities for 802.1p priority markings or DiffServ capabilities are not impacted by the switching or routing configuration of the switch. For example, 802.1p information can be preserved across a routed switch boundary and DiffServ code points can be observed or overwritten across a layer 2 switch boundary.

NOTE Re-marking DiffServ code points is supported through access lists. See Chapter 9, “Access Policies”, for more information.

Configuring 802.1p Priority
Extreme switches support the standard 802.1p priority bits that are part of a tagged Ethernet packet. The 802.1p bits can be used to prioritize the packet, and assign it to a particular QoS profile.

When a packet arrives at the switch, the switch examines the 802.1p priority field and maps it to a specific hardware queue when subsequently transmitting the packet. The 802.1p priority field is located directly following the 802.1Q type field, and preceding the 802.1Q VLAN ID, as shown in Figure 28.

Figure 28: Ethernet Packet Encapsulation (fields shown: destination address, source address, 802.1Q type 8100, 802.1p priority, 802.1Q VLAN ID, IP packet, CRC)

Observing 802.1p Information
When ingress traffic that contains 802.1p prioritization information is detected by the switch, the traffic is mapped to various hardware queues on the egress port of the switch. The Summit 200 series switch supports four hardware queues. The transmitting hardware queue determines the bandwidth management and priority characteristics used when transmitting packets.

To control the mapping of 802.1p prioritization values to hardware queues, 802.1p prioritization values can be mapped to a QoS profile. The default mapping of each 802.1p priority value to QoS profile is shown in Table 39.

Table 39: 802.1p Priority Value-to-QoS Profile to Hardware Queue Default Mapping

Priority Value   QoS Profile   Hardware Queue Priority Value
0                Qp1           1
1                Qp2           1
2                Qp3           2
3                Qp4           2
4                Qp5           3
5                Qp6           3
6                Qp7           4
7                Qp8           4

802.1p Commands
Table 40 shows the command used to configure 802.1p priority. This is explained in more detail in the following paragraphs.

Table 40: 802.1p Configuration Commands

Command
    Description

config vlan <name> priority <number>
    Configures the 802.1p priority value for 802.1Q VLAN tags. The value for priority is an integer between 0 and 7.

Configuring 802.1p Priority
When a packet is transmitted by the switch, you can configure the 802.1p priority field that is placed in the 802.1Q tag. You can configure the priority to be a number between 0 and 7, using the following command:
config vlan <name> priority <number>

Replacing 802.1p Priority Information
By default, 802.1p priority information is not replaced or manipulated, and the information observed on ingress is preserved when transmitting the packet. This behavior is not affected by the switching or routing configuration of the switch. However, the switch is capable of replacing the 802.1p priority information.

To replace 802.1p priority information, you will use an access list to set the 802.1p value. See Chapter 9, “Access Policies”, for more information on using access lists. You will use the set dot1p <dot1p_value> parameter of the create access list command to replace the value. The packet is then placed on the queue that corresponds to the new 802.1p value.

Configuring DiffServ
Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the DiffServ field. The TOS field is used by the switch to determine the type of service provided to the packet.

Observing DiffServ code points as a traffic grouping mechanism for defining QoS policies and overwriting the Diffserv code point fields are supported in the Summit 200 series switch. Figure 29 shows the encapsulation of an IP packet header.

Figure 29: IP packet header encapsulation (fields shown: Version, IHL, Type-of-service with the DiffServ code point bits, Total length, Identification, Flags, Fragment offset, Time-to-live, Protocol, Header checksum, Source address, Destination address, Options (+ padding), Data (variable))

Table 41 lists the commands used to configure DiffServ. Some of the commands are described in more detail in the following paragraphs.

Table 41: DiffServ Configuration Commands

Command
    Description

disable diffserv examination ports [<portlist> | all]
    Disables the examination of the diffserv field in an IP packet.

enable diffserv examination ports [<portlist> | all]
    Enables the diffserv field of an ingress IP packet to be examined by the switch in order to select a QoS profile. The default setting is disabled.

Observing DiffServ Information
When a packet arrives at the switch on an ingress port, the switch examines the first six of eight TOS bits, called the code point. The switch can assign the QoS profile used to subsequently transmit the packet based on the code point. The QoS profile controls a hardware queue used when transmitting the packet out of the switch, and determines the forwarding characteristics of a particular code point.

Viewing DiffServ information can be enabled or disabled; by default it is disabled. To view DiffServ information, use the following command:

    enable diffserv examination ports [<portlist> | all]

NOTE
DiffServ examination requires one access mask while it is enabled. See “Maximum Entries” on page 105 for more information.

Changing DiffServ Code point assignments in the QoS Profile

The DiffServ code point has 64 possible values (2^6 = 64). By default, the values are grouped and assigned to the default QoS profiles listed in Table 42.

Table 42: Default Code Point-to-QoS Profile Mapping

    Code Point    QoS Profile
    0-7           Qp1
    8-15          Qp2
    16-23         Qp3
    24-31         Qp4
    32-39         Qp5
    40-47         Qp6
    48-55         Qp7
    56-63         Qp8

You can change the QoS profile assignment for a code point by using an access list. See Chapter 9, “Access Policies”, for more information.

Replacing DiffServ Code Points

An access list can be used to change the DiffServ code point in the packet prior to the packet being transmitted by the switch. This is done with no impact on switch performance.

To replace the DiffServ code point, you will use an access list to set the new code point value. See Chapter 9, “Access Policies”, for more information on using access lists. You will use the set code-point parameter of the create access list command to replace the value.

To display the DiffServ configuration, use the following command:

    show ports <portlist> info {detail}

NOTE
The show ports command displays only the default code point mapping.

DiffServ Examples

For information on the access list and access mask commands in the following examples, see Chapter 9, “Access Policies”.

Use the following command to use the DiffServ code point value to assign traffic to the hardware queues:

    enable diffserv examination ports all

In the following example, all the traffic from network 10.1.2.x is assigned the DiffServ code point 23 and the 802.1p value of 2:

    create access-mask SrcIpMask source-ip/24
    create access-list TenOneTwo access-mask SrcIpMask source-ip 10.1.2.0/24 permit qp3 set code-point 23 set dot1p 2

Physical and Logical Groupings

Two traffic groupings exist in this category:
• Source port
• VLAN

Source port

A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, use the following command:

    config ports <portlist> qosprofile <qosprofile>

In the following modular switch example, all traffic sourced from port 7 uses the QoS profile named qp3 when being transmitted.

    config ports 7 qosprofile qp3

VLAN

A VLAN traffic grouping indicates that all intra-VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile. To configure a VLAN traffic grouping, use the following command:

    config vlan <name> qosprofile <qosprofile>

For example, all devices on VLAN servnet require use of the QoS profile qp4. The command to configure this example is as follows:

    config vlan servnet qosprofile qp4

Verifying Physical and Logical Groupings

To verify settings on ports or VLANs, use the following command:

    show qosprofile <qosprofile>

The same information is also available for ports or VLANs using one of the following commands:

    show ports <portlist> info {detail}

or

    show vlan

Verifying Configuration and Performance

Once you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor to determine whether the application performance meets your expectations.

QoS Monitor

The QoS monitor is a utility that monitors the incoming packets on a port or ports. The QoS monitor keeps track of the number of frames and the frames per second, sorted by 802.1p value, on each monitored port.

Real-Time Performance Monitoring

The real-time display scrolls through the given portlist to provide statistics. You can choose screens for packet count and packets per second.

To view real-time switch per-port performance, use the following command:

    show ports {<portlist>} qosmonitor

The QoS monitor rate screen (packets per second) does not display any results for at least five seconds. Once the rate is displayed, it is updated each second.

NOTE
The QoS monitor can display up to four ports at a time.

NOTE
The QoS monitor displays the statistics of incoming packets. The real-time display corresponds to the 802.1p values of the incoming packets. Any priority changes within the switch are not reflected in the display.

NOTE
The QoS monitor requires one access mask until it exits. See “Maximum Entries” on page 105 for more information.

Displaying QoS Profile Information

The QoS monitor can also be used to verify the QoS configuration and monitor the use of the QoS policies that are in place. To display QoS information on the switch, use the following command:

    show qosprofile <qosprofile>

Displayed information includes:
• QoS profile name
• Minimum bandwidth
• Maximum bandwidth

• Priority
• A list of all traffic groups to which the QoS profile is applied

Additionally, QoS information can be displayed from the traffic grouping perspective by using one or more of the following commands:
• show fdb permanent—Displays destination MAC entries and their QoS profiles.
• show switch—Displays information including PACE enable/disable information.
• show vlan—Displays the QoS profile assignments to the VLAN.
• show ports <portlist> info {detail}—Displays information including QoS information for the port.

Modifying a QoS Configuration

If you make a change to the parameters of a QoS profile after implementing your configuration, the timing of the configuration change depends on the traffic grouping involved. The following rules apply:
• For destination MAC-based grouping (other than permanent), clear the MAC FDB using the command clear fdb. This command should also be issued after a configuration is implemented, as the configuration must be in place before an entry is made in the MAC FDB. For permanent destination MAC-based grouping, re-apply the QoS profile to the static FDB entry, as documented. You can also save and reboot the switch.
• For physical and logical groupings of a source port or VLAN, re-apply the QoS profile to the source port or VLAN, as documented. You can also save and reboot the switch.

Traffic Rate-Limiting

The Summit 200 series switch rate-limiting method is based on creating a rate limit, a specific type of access control list. Traffic that matches a rate limit is constrained to the limit set in the access control list. Rate limits are discussed in Chapter 9, “Access Policies”.

Dynamic Link Context System

The Dynamic Link Context System (DLCS) is a feature that snoops WINS NetBIOS packets and creates a mapping between a user name, the IP address or MAC address, and the switch/port. Based on the information in the packet, DLCS can detect when an end station boots up or a user logs in or out, and dynamically maps the end station name to the current IP address and switch/port. This information is available for use by ExtremeWare Enterprise Manager (EEM) version 2.1 or later or ExtremeWare EPICenter in setting policies that can be applied to users and can dynamically follow a user's location. DLCS provides you with valuable information on a user’s location and associated network attributes. For DLCS to operate within ExtremeWare, the user or end station must allow for automatic DLCS updates.

This feature should only be used in conjunction with the EEM Policy System or ExtremeWare EPICenter Policy System. Refer to the ExtremeWare Enterprise Manager or ExtremeWare EPICenter documentation for more information.

DLCS Guidelines

Follow these guidelines when using DLCS:
• Only one user is allowed on one workstation at a given time.
• A user can be logged into many workstations simultaneously.
• An IP-address can be learned on only one port in the network at a given time.
• Multiple IP-addresses can be learned on the same port.
• DLCS mapping is flushed when a user logs in or logs out, or when an end-station is shut down.

DLCS Limitations

Consider the following limitations concerning data received from WINS snooping:
• DLCS does not work for the WINS server. This is because the WINS server does not send NETBIOS packets on the network (these packets are addressed to itself).
• When the IP address of a host is changed, and the host is not immediately rebooted, the old host-to-IP address mapping is never deleted. You must delete the mapping of the host-to-IP address through the EEM Policy Manager or ExtremeWare EPICenter Policy Manager.
• When the host is moved from one port to another port on a switch, the old entry does not age out unless the host is rebooted or a user login operation is performed after the host is moved.
• DLCS information is dynamic; therefore, if the switch is rebooted, the information is lost. This information is still stored in the policy-server. To delete the information from the policy system, you must explicitly delete configuration parameters from the EEM or ExtremeWare EPICenter Policy Applet user interface. As a workaround, you can delete the switch that was rebooted from the list of managed devices in the EEM or EPICenter Inventory Applet, and re-add the switch to the Inventory Manager.
• DLCS is not supported on hosts that have multiple NIC cards.
• IPQoS is not supported to a WINS server that is serving more than one VLAN. If you attempt to add a WINS server to serve more than one VLAN, and there are IPQoS rules defined for that server, the command to add the WINS server is rejected.

DLCS Commands

The DLCS commands are described in Table 43.

Table 43: DLCS Configuration Commands

    Command:     clear dlcs
    Description: Clears learned DLCS data.

    Command:     disable dlcs
    Description: Disables snooping of DLCS packets.

    Command:     disable dlcs ports <port-number>
    Description: Disables port on which DLCS packets are snooped.

    Command:     enable dlcs
    Description: Enables snooping of DLCS packets.

    Command:     enable dlcs ports <port-number>
    Description: Enables port on which DLCS packets are snooped.

    Command:     show dlcs
    Description: Displays ports which are snooping WINS packets, along with the data that has been learned.


13 Status Monitoring and Statistics

This chapter describes the following topics:
• Status Monitoring
• Port Statistics
• Port Errors
• Port Monitoring Display Keys
• Setting the System Recovery Level
• Logging
• RMON

Viewing statistics on a regular basis allows you to see how well your network is performing. If you keep simple daily records, you will see trends emerging and notice problems arising before they cause major network faults. In this way, statistics can help you get the best out of your network.

Status Monitoring

The status monitoring facility provides information about the switch. This information may be useful for your technical support representative if you have a problem. ExtremeWare includes many show commands that display information about different switch functions and facilities.

NOTE
For more information about show commands for a specific ExtremeWare feature, see the appropriate chapter in this guide.

Table 44 describes commands that are used to monitor the status of the switch.

Table 44: Status Monitoring Commands

    Command:     show diag
    Description: Displays software diagnostics.

    Command:     show log {<priority>}
    Description: Displays the current snapshot of the log. Specify the priority option to filter the log to display message with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug. If not specified, all messages are displayed.

    Command:     show log config
    Description: Displays the log configuration, including the syslog host IP address, the priority level of messages being logged locally, and the priority level of messages being sent to the syslog host.

    Command:     show memory {detail}
    Description: Displays the current system memory information. Specify the detail option to view task-specific memory usage.

    Command:     show switch
    Description: Displays the current switch information, including:
                 • sysName, sysLocation, sysContact
                 • MAC address
                 • Current time and time, system uptime, and time zone
                 • Operating environment (fans)
                 • NVRAM configuration information
                 • Scheduled reboot information

    Command:     show tech-support
    Description: Displays the output for the following commands:
                 • show version
                 • show switch
                 • show config
                 • show diag
                 • show gdb
                 • show iparp
                 • show ipfdb
                 • show ipstats
                 • show iproute
                 • show igmp snooping detail
                 • show memory detail
                 • show log
                 It also displays the output from internal debug commands. This command disables the CLI paging feature.

    Command:     show version
    Description: Displays the hardware and software versions currently running on the switch.

Port Statistics

ExtremeWare provides a facility for viewing port statistic information. The summary information lists values for the current counter against each port on each operational module in the system, and it is refreshed approximately every 2 seconds. Values are displayed to nine digits of accuracy.

To view port statistics, use the following command:

    show ports <portlist> stats

The following port statistic information is collected by the switch:
• Link Status—The current status of the link. Options are:
  — Ready (the port is ready to accept a link).
  — Active (the link is present at this port).
  — Chassis (the link is connected to a Summit Virtual Chassis).
• Transmitted Packet Count (Tx Pkt Count)—The number of packets that have been successfully transmitted by the port.
• Transmitted Byte Count (Tx Byte Count)—The total number of data bytes successfully transmitted by the port.
• Received Packet Count (Rx Pkt Count)—The total number of good packets that have been received by the port.
• Received Byte Count (RX Byte Count)—The total number of bytes that were received by the port, including bad or lost frames. This number includes bytes contained in the Frame Check Sequence (FCS), but excludes bytes in the preamble.
• Received Broadcast (RX Bcast)—The total number of frames received by the port that are addressed to a broadcast address.
• Received Multicast (RX Mcast)—The total number of frames received by the port that are addressed to a multicast address.

Port Errors

The switch keeps track of errors for each port.

To view port transmit errors, use the following command:

    show ports <portlist> txerrors

The following port transmit error information is collected by the system:
• Port Number
• Link Status—The current status of the link. Options are:
  — Ready (the port is ready to accept a link).
  — Active (the link is present at this port).
• Transmit Collisions (TX Coll)—The total number of collisions seen by the port, regardless of whether a device connected to the port participated in any of the collisions.
• Transmit Late Collisions (TX Late Coll)—The total number of collisions that have occurred after the port’s transmit window has expired.

• Transmit Deferred Frames (TX Deferred)—The total number of frames that were transmitted by the port after the first transmission attempt was deferred by other network traffic.
• Transmit Errored Frames (TX Error)—The total number of frames that were not completely transmitted by the port because of network errors (such as late collisions or excessive collisions).
• Transmit Parity Frames (TX Parity)—The bit summation has a parity mismatch.

To view port receive errors, use the following command:

    show ports <portlist> rxerrors

The following port receive error information is collected by the switch:
• Receive Bad CRC Frames (RX CRC)—The total number of frames received by the port that were of the correct length, but contained a bad FCS value.
• Receive Oversize Frames (RX Over)—The total number of good frames received by the port greater than the supported maximum length of 1,522 bytes.
• Receive Undersize Frames (RX Under)—The total number of frames received by the port that were less than 64 bytes long.
• Receive Fragmented Frames (RX Frag)—The total number of frames received by the port that were of incorrect length and contained a bad FCS value.
• Receive Jabber Frames (RX Jab)—The total number of frames received by the port that were greater than the supported maximum length and had a Cyclic Redundancy Check (CRC) error.
• Receive Alignment Errors (RX Align)—The total number of frames received by the port that have a CRC error and do not contain an integral number of octets.
• Receive Frames Lost (RX Lost)—The total number of frames received by the port that were lost because of buffer overflow in the switch.

Port Monitoring Display Keys

Table 45 describes the keys used to control the displays that appear when you issue any of the show port commands.

Table 45: Port Monitoring Display Keys

    Key(s):      U
    Description: Displays the previous page of ports.

    Key(s):      D
    Description: Displays the next page of ports.

    Key(s):      [Esc] or [Return]
    Description: Exits from the screen.

    Key(s):      0
    Description: Clears all counters.

    Key(s):      [Space]
    Description: Cycles through the following screens:
                 • Packets per second
                 • Bytes per second
                 • Percentage of bandwidth
                 Available using the show port utilization command only.

Setting the System Recovery Level

You can configure the system to automatically reboot after a software task exception, using the following command:

    config sys-recovery-level [none | critical | all]

where:

    none      Configures the level to recovery without a system reboot.
    critical  Configures ExtremeWare to log an error into the syslog and automatically reboot the system after a critical exception.
    all       Configures ExtremeWare to log an error into the syslog and automatically reboot the system after any exception.

The default setting is none.

NOTE
Extreme Networks recommends that you set the system recovery level to critical. This allows ExtremeWare to log an error to the syslog and automatically reboot the system after a critical exception.

Logging

The switch log tracks all configuration and fault information pertaining to the device. Each entry in the log contains the following information:
• Timestamp—The timestamp records the month and day of the event, along with the time (hours, minutes, and seconds) in the form HH:MM:SS. If the event was caused by a user, the user name is also provided.
• Fault level—Table 46 describes the three levels of importance that the system can assign to a fault.

Table 46: Fault Levels Assigned by the Switch

    Level          Description
    Critical       A desired switch function is inoperable. The switch may need to be reset.
    Warning        A noncritical error that may lead to a function failure.
    Informational  Actions and events that are consistent with expected behavior.
    Debug          Information that is useful when performing detailed troubleshooting procedures.

By default, log entries that are assigned a critical or warning level remain in the log after a switch reboot. Issuing a clear log command does not remove these static entries. To remove log entries of all levels (including warning or critical), use the following command:

    clear log static

• Subsystem—The subsystem refers to the specific functional area to which the error refers. Table 47 describes the subsystems.

Table 47: Fault Log Subsystems

    Subsystem  Description
    Syst       General system-related information. Examples include memory, power supply, security violations, fan failure, overheat condition, and configuration mode.
    STP        STP information. Examples include an STP state change.
    Brdg       Bridge-related functionality. Examples include low table space and queue overflow.
    SNMP       SNMP information. Examples include community string violations.
    Telnet     Information related to Telnet login and configuration performed by way of a Telnet session.
    VLAN       VLAN-related configuration information.
    Port       Port management-related configuration. Examples include port statistics and errors.

• Message—The message contains the log information with text that is specific to the problem.

Local Logging

The switch maintains 1,000 messages in its internal log. You can display a snapshot of the log at any time by using the following command:

    show log {<priority>}

where:

    priority  Filters the log to display message with the selected priority or higher (more critical). Priorities include (in order) critical, emergency, alert, error, warning, notice, info, and debug. If not specified, all messages are displayed.

Real-Time Display

In addition to viewing a snapshot of the log, you can configure the system to maintain a running real-time display of log messages on the console. To turn on the log display, use the following command:

    enable log display

To configure the log display, use the following command:

    config log display {<priority>}

If priority is not specified, only messages of critical priority are displayed.

If you enable the log display on a terminal connected to the console port, your settings will remain in effect even after your console session is ended (unless you explicitly disable the log display).

When using a Telnet connection, if your Telnet session is disconnected (because of the inactivity timer, or for other reasons), the log display is automatically halted. You must restart the log display by using the enable log display command.

Remote Logging

In addition to maintaining an internal log, the switch supports remote logging by way of the UNIX syslog host facility. To enable remote logging, follow these steps:

1 Configure the syslog host to accept and log messages.
2 Enable remote logging by using the following command:

    enable syslog

3 Configure remote logging by using the following command:

    config syslog {add} <ipaddress> <facility> {<priority>}

where:

    ipaddress  Specifies the IP address of the syslog host.
    facility   Specifies the syslog facility level for local use. Options include local0 through local7.
    priority   Filters the log to display message with the selected priority or higher (more critical). Priorities include (in order) critical, emergency, alert, error, warning, notice, info, and debug. If not specified, only critical priority messages are sent to the syslog host.

NOTE
Refer to your UNIX documentation for more information about the syslog host facility.

Logging Configuration Changes

ExtremeWare allows you to record all configuration changes and their sources that are made using the CLI by way of Telnet or the local console. The changes are logged to the system log. Each log entry includes the user account name that performed the change and the source IP address of the client (if Telnet was used). Configuration logging applies only to commands that result in a configuration change. To enable configuration logging, use the following command:

    enable cli-config-logging

To disable configuration logging, use the following command:

    disable cli-config-logging

CLI configuration logging is enabled by default.
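On the syslog host side of the remote logging steps above, a collector can check each datagram against what the switch was configured to send. The Python sketch below is an added example, not part of this guide or of ExtremeWare. It decodes the `<PRI>` prefix that RFC 3164 syslog messages carry (facility × 8 + severity, with local0 through local7 numbered 16 through 23) and flags messages whose source, facility or priority does not match. It assumes the switch's priority names correspond to the standard syslog severities of the same names; the addresses and message bodies are constructed samples.

```python
import re
from typing import Dict, Tuple

# Standard syslog severities in numeric order 0..7 (RFC 3164).
# Assumption: the switch's priority names map onto these one-to-one.
SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug")
PRI_PATTERN = re.compile(rb"<(\d{1,3})>")


def facility_code(name: str) -> int:
    """Translate local0..local7 to the syslog facility numbers 16..23."""
    match = re.fullmatch(r"local([0-7])", name)
    if match is None:
        raise ValueError("facility must be local0 through local7")
    return 16 + int(match.group(1))


def decode_pri(datagram: bytes) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI> field."""
    match = PRI_PATTERN.match(datagram)
    if match is None:
        raise ValueError("missing <PRI> prefix")
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 0x07


def triage(datagram: bytes, source_ip: str,
           expected: Dict[str, Tuple[str, str]]) -> str:
    """Compare one datagram with the facility/priority configured per switch.

    `expected` maps a switch address to the <facility> and <priority> that
    were given to 'config syslog add' on that switch.
    """
    if source_ip not in expected:
        return "unexpected-source"
    facility_name, threshold_name = expected[source_ip]
    try:
        facility, severity = decode_pri(datagram)
    except ValueError:
        return "malformed"
    if facility != facility_code(facility_name):
        return "unexpected-facility"
    # A larger number is less critical than the configured threshold,
    # so the switch should never have sent it.
    if severity > SEVERITY_NAMES.index(threshold_name):
        return "below-configured-priority"
    return "accept"


# Constructed inventory and datagrams (documentation addresses, sample text).
EXPECTED = {"192.0.2.1": ("local4", "warning")}
SAMPLES = [
    (b"<164>constructed warning message", "192.0.2.1"),
    (b"<166>constructed info message", "192.0.2.1"),
    (b"<132>constructed message on local0", "192.0.2.1"),
    (b"<164>constructed message", "198.51.100.7"),
    (b"no priority field", "192.0.2.1"),
]

if __name__ == "__main__":
    for payload, source in SAMPLES:
        print(source, payload[:12], "->", triage(payload, source, EXPECTED))
```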

Logging Commands

Use the commands described in Table 48 to configure or reset logging options, or to display or clear the log.

Table 48: Logging Commands

    Command:     clear counters
    Description: Clears all switch statistics and port counters.

    Command:     clear log {static}
    Description: Clears the log. If static is specified, the critical log messages are also cleared.

    Command:     config log display {<priority>}
    Description: Configures the real-time log display. Specify the priority option to filter the log to display messages with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug. If not specified, informational priority messages and higher are displayed.

    Command:     config syslog {add} <host name/ip> <facility> {<priority>}
    Description: Configures the syslog host address and filters messages sent to the syslog host. Up to 4 syslog servers can be configured. Options include:
                 • host name/ip—The IP address or name of the syslog host.
                 • facility—The syslog facility level for local use (local0 - local7).
                 • priority—Filters the log to display messages with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug. If not specified, only critical priority messages are sent to the syslog host.

    Command:     config syslog delete <host name/ip> <facility> {<priority>}
    Description: Deletes a syslog host address.
                 • facility—The syslog facility level for local use (local0 - local7).
                 • priority—Filters the log to display messages with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug. If not specified, only critical priority messages are sent to the syslog host.

    Command:     disable cli-config-logging
    Description: Disables configuration logging.

    Command:     disable log display
    Description: Disables the log display.

    Command:     disable syslog
    Description: Disables logging to a remote syslog host.

    Command:     enable cli-config-logging
    Description: Enables the logging of CLI configuration commands to the Syslog for auditing purposes. The default setting is enabled.

    Command:     enable log display
    Description: Enables the log display.

    Command:     enable syslog
    Description: Enables logging to a remote syslog host.

Table 48: Logging Commands (continued)

    Command:     show log {<priority>}
    Description: Displays the current snapshot of the log. Specify the priority option to filter the log to display message with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug. If not specified, all messages are displayed.

    Command:     show log config
    Description: Displays the log configuration, including the syslog host IP address, the priority level of messages being logged locally, and the priority level of messages being sent to the syslog host.

RMON

Using the Remote Monitoring (RMON) capabilities of the switch allows network administrators to improve system efficiency and reduce the load on the network.

The following sections explain more about the RMON concept and the RMON features supported by the switch.

NOTE
You can only use the RMON features of the system if you have an RMON management application, and have enabled RMON on the switch.

About RMON

RMON is the common abbreviation for the Remote Monitoring Management Information Base (MIB) system defined by the Internet Engineering Task Force (IETF) documents RFC 1271 and RFC 1757, which allows you to monitor LANs remotely.

A typical RMON setup consists of the following two components:
• RMON probe—An intelligent, remotely controlled device or software agent that continually collects statistics about a LAN segment or VLAN. The probe transfers the information to a management workstation on request, or when a predefined threshold is crossed.
• Management workstation—Communicates with the RMON probe and collects the statistics from it. The workstation does not have to be on the same network as the probe, and can manage the probe by in-band or out-of-band connections.

RMON Features of the Switch

Of the nine groups of IETF Ethernet RMON statistics, the switch supports these four groups:
• Statistics
• History
• Alarms
• Events

This section describes these groups and discusses how they can be used.

Statistics

The RMON Ethernet Statistics group provides traffic and error statistics showing packets, bytes, broadcasts, multicasts, and errors on a LAN segment or VLAN.

Information from the Statistics group is used to detect changes in traffic and error patterns in critical areas of the network.

History

The History group provides historical views of network performance by taking periodic samples of the counters supplied by the Statistics group. The group features user-defined sample intervals and bucket counters for complete customization of trend analysis.

The group is useful for analysis of traffic patterns and trends on a LAN segment or VLAN, and to establish baseline information indicating normal operating parameters.

Alarms

The Alarms group provides a versatile, general mechanism for setting threshold and sampling intervals to generate events on any RMON variable. Both rising and falling thresholds are supported, and thresholds can be on the absolute value of a variable or its delta value. In addition, alarm thresholds can be autocalibrated or set manually.

Alarms inform you of a network performance problem and can trigger automated action responses through the Events group.

Events

The Events group creates entries in an event log and/or sends SNMP traps to the management workstation. An event is triggered by an RMON alarm. The action taken can be configured to ignore it, to log the event, to send an SNMP trap to the receivers listed in the trap receiver table, or to both log and send a trap. The RMON traps are defined in RFC 1757 for rising and falling thresholds.

Effective use of the Events group saves you time. Rather than having to watch real-time graphs for important occurrences, you can depend on the Event group for notification. Through the SNMP traps, events can trigger other actions, which provides a mechanism for an automated response to certain occurrences.

Configuring RMON

RMON requires one probe per LAN segment, and standalone RMON probes traditionally have been expensive. Therefore, Extreme’s approach has been to build an inexpensive RMON probe into the agent of each system. This allows RMON to be widely deployed around the network without costing more than traditional network management. The switch accurately maintains RMON statistics at the maximum line rate of all of its ports.

For example, statistics can be related to individual ports. Also, because a probe must be able to see all traffic, a stand-alone probe must be attached to a nonsecure port. Implementing RMON in the switch means that all ports can have security features enabled.

To enable or disable the collection of RMON statistics on the switch, use the following command:

    [enable | disable] rmon

By default, RMON is disabled. However, even in the disabled state, the switch responds to RMON queries and sets for alarms and events. By enabling RMON, the switch begins the processes necessary for collecting switch statistics.

Event Actions

The actions that you can define for each alarm are shown in Table 49.

Table 49: Event Actions

    Action          High Threshold
    No action
    Notify only     Send trap to all trap receivers.
    Notify and log  Send trap; place entry in RMON log.

To be notified of events using SNMP traps, you must configure one or more trap receivers, as described in Chapter 5, “Managing the Switch”.
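The Alarms and Events behaviour described in this chapter can be modelled in a few lines. The Python sketch below is an added example, not ExtremeWare code. It follows the RFC 1757 alarm semantics: absolute or delta sampling, and rising and falling thresholds with hysteresis, so that a rising event is not repeated until the falling threshold has been crossed. It then applies the three actions of Table 49. The class and variable names, the 32-bit counter width, and the sample counter values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER_MODULUS = 2 ** 32  # assumption: the sampled variable is a 32-bit counter

# Table 49: what each configured action does when an alarm fires.
EVENT_ACTIONS = {
    "no-action": (),
    "notify-only": ("trap",),
    "notify-and-log": ("trap", "log"),
}


@dataclass
class Alarm:
    variable: str
    rising: int
    falling: int
    sample_type: str = "delta"          # "delta" or "absolute"
    action: str = "notify-and-log"
    traps: List[str] = field(default_factory=list)  # stands in for the trap receivers
    log: List[str] = field(default_factory=list)    # stands in for the RMON log
    _previous: Optional[int] = None
    _last_event: Optional[str] = None

    def __post_init__(self) -> None:
        if self.falling >= self.rising:
            raise ValueError("falling threshold must be below rising threshold")
        if self.sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        if self.action not in EVENT_ACTIONS:
            raise ValueError("unknown event action")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sampled value; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            previous, self._previous = self._previous, raw
            if previous is None:
                return None  # a delta needs two samples
            # Modular subtraction keeps the delta correct across counter wrap.
            value = (raw - previous) % COUNTER_MODULUS
        else:
            value = raw
        # Hysteresis: the same event cannot fire twice in a row.
        if value >= self.rising and self._last_event != "rising":
            event = "rising"
        elif value <= self.falling and self._last_event != "falling":
            event = "falling"
        else:
            return None
        self._last_event = event
        message = f"{self.variable}: {event} threshold crossed, value={value}"
        for step in EVENT_ACTIONS[self.action]:
            (self.traps if step == "trap" else self.log).append(message)
        return event


def run(alarm: Alarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every event the samples generate."""
    events = []
    for index, raw in enumerate(samples):
        event = alarm.sample(raw)
        if event is not None:
            events.append((index, event))
    return events


# Constructed samples of a receive-error counter, one per sampling interval.
CRC_COUNTER_SAMPLES = [100, 105, 400, 900, 950, 955, 1500]

if __name__ == "__main__":
    alarm = Alarm("rx-crc-errors", rising=200, falling=10)
    print(run(alarm, CRC_COUNTER_SAMPLES))
    print(alarm.log)
```

In the sample run the delta of 500 at index 3 raises no second rising event, because the alarm is re-armed only after the delta has dropped to the falling threshold.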


14 Spanning Tree Protocol (STP)

This chapter describes the following topics:
• Overview of the Spanning Tree Protocol
• Spanning Tree Domains
• STP Configurations
• Configuring STP on the Switch
• Displaying STP Settings
• Disabling and Resetting STP

Using the Spanning Tree Protocol (STP) functionality of the switch makes your network more fault tolerant. The following sections explain more about STP and the STP features supported by ExtremeWare.

NOTE
STP is a part of the 802.1D bridge specification defined by the IEEE Computer Society. To explain STP in terms used by the 802.1D specification, the switch will be referred to as a bridge.

Overview of the Spanning Tree Protocol

STP is a bridge-based mechanism for providing fault tolerance on networks. STP allows you to implement parallel paths for network traffic, and ensure that:
• Redundant paths are disabled when the main paths are operational.
• Redundant paths are enabled if the main path fails.

Spanning Tree Domains

The switch can be partitioned into multiple virtual bridges. Each virtual bridge can run an independent Spanning Tree instance. Each Spanning Tree instance is called a Spanning Tree Domain (STPD). Each STPD has its own root bridge and active path. Once the STPD is created, one or more VLANs can be assigned to it.

A port can belong to only one STPD. If a port is a member of multiple VLANs, then all those VLANs must belong to the same STPD.

The key points to remember when configuring VLANs and STP are:
• Each VLAN forms an independent broadcast domain
• STP blocks paths to create a loop-free environment
• When STP blocks a path, no data can be transmitted or received on the blocked port
• Within any given STPD, all VLANs belonging to it use the same spanning tree

NOTE
Ensure that multiple STPD instances within a single switch do not see each other in the same broadcast domain. This could happen if, for example, another external bridge is used to connect VLANs belonging to separate STPDs.

If you delete an STPD, the VLANs that were members of that STPD are also deleted. You must remove all VLANs associated with the STP before deleting the STPD.

Defaults

The default device configuration contains a single STPD called s0. The default VLAN is a member of STPD s0.

All STP parameters default to the IEEE 802.1D values, as appropriate.

STPD BPDU Tunneling

You can configure ExtremeWare to allow a BPDU to traverse a VLAN without being processed by STP, even if STP is enabled on the port. This is known as BPDU tunneling.

To enable and disable BPDU tunneling on a VLAN, use the following command:

    [enable | disable] ignore-bpdu vlan <name>

If you have a known topology and have switches outside of your network within your STPD, use this feature to keep the root bridge within your network.

STP Configurations

When you assign VLANs to an STPD, pay careful attention to the STP configuration and its effect on the forwarding of VLAN traffic.

The example network shown in Figure 30 uses VLAN tagging for trunk connections. The following four VLANs have been defined:
• Sales is defined on switch A, switch B, and switch M.
• Personnel is defined on switch A, switch B, and switch M.
• Manufacturing is defined on switch Y, switch Z, and switch M.
• Engineering is defined on switch Y, switch Z, and switch M.
• Marketing is defined on all switches (switch A, switch B, switch Y, switch Z, and switch M).

Two STPDs are defined:
• STPD1 contains VLANs Sales and Personnel.
• STPD2 contains VLANs Manufacturing and Engineering.

The VLAN Marketing is a member of the default STPD, but not assigned to either STPD1 or STPD2.

Figure 30: Multiple Spanning Tree Domains (diagram of switches A, B, M, Y, and Z in STPD 1 and STPD 2)

When the switches in this configuration start up, STP configures each STPD such that there are no active loops in the topology. STP could configure the topology in a number of ways to make it loop-free.

In Figure 30, the connection between switch A and switch B is put into blocking state, and the connection between switch Y and switch Z is put into blocking state. After STP converges, all the VLANs can communicate, and all bridging loops are prevented.

The VLAN Marketing, which has not been assigned to either STPD1 or STPD2, communicates using all five switches. The topology has no loops, because STP has already blocked the port connection between switch A and switch B, and between switch Y and switch Z.

Within a single STPD, you must be extra careful when configuring your VLANs. Figure 31 illustrates a network that has been incorrectly set up using a single STPD so that the STP configuration disables the ability of the switches to forward VLAN traffic.

Figure 31: Tag-based STP configuration (diagram of Switch 1, Switch 2, and Switch 3 joined by tagged trunks)

The tag-based network in Figure 31 has the following configuration:
• Switch 1 contains VLAN Marketing and VLAN Sales.
• Switch 2 contains VLAN Engineering and VLAN Sales.
• Switch 3 contains VLAN Marketing, VLAN Engineering, and VLAN Sales.
• The tagged trunk connections for three switches form a triangular loop that is not permitted in an STP topology.
• All VLANs in each switch are members of the same STPD.

STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch.

Switch 2 has no ports assigned to VLAN marketing. Therefore, if the trunk for VLAN marketing on switches 1 and 3 is blocked, the traffic for VLAN marketing will not be able to traverse the switches.

Configuring STP on the Switch

To configure STP, follow these steps:

1 Create one or more STP domains using the following command:

    create stpd <stpd_name>

NOTE
STPD, VLAN, and QoS profile names must all be unique. For example, a name used to identify a VLAN cannot be used when you create an STPD or a QoS profile.

2 Add one or more VLANs to the STPD using the following command:

    config stpd <stpd_name> add vlan <name>

3 Enable STP for one or more STP domains using the following command:

    enable stpd {<stpd_name>}

NOTE
All VLANs belong to a STPD. If you do not want to run STP on a VLAN, you must add the VLAN to a STPD that is disabled.

Once you have created the STPD, you can optionally configure STP parameters for the STPD.

CAUTION
You should not configure any STP parameters unless you have considerable knowledge and experience with STP. The default STP parameters are adequate for most networks.

The following parameters can be configured on each STPD:
• Hello time
• Forward delay
• Max age
• Bridge priority

The following parameters can be configured on each port:
• Path cost
• Port priority

NOTE
The device supports the RFC 1493 Bridge MIB. Parameters of only the s0 default STPD are accessible through this MIB.

Table 50 shows the commands used to configure STP.

Table 50: STP Configuration Commands

Command: config stpd <stpd_name> add vlan <name>
Description: Adds a VLAN to the STPD.

Command: config stpd <stpd_name> forwarddelay <value>
Description: Specifies the time (in seconds) that the ports in this STPD spend in the listening and learning states when the switch is the Root Bridge. The range is 4 through 30. The default setting is 15 seconds.

Command: config stpd <stpd_name> hellotime <value>
Description: Specifies the time delay (in seconds) between the transmission of BPDUs from this STPD when it is the Root Bridge. The range is 1 through 10. The default setting is 2 seconds.

Table 50: STP Configuration Commands (continued)

Command: config stpd <stpd_name> maxage <value>
Description: Specifies the maximum age of a BPDU in this STPD. The range is 6 through 40. The default setting is 20 seconds. Note that the time must be greater than, or equal to 2 * (Hello Time + 1) and less than, or equal to 2 * (Forward Delay - 1).

Command: config stpd <stpd_name> ports cost <value> <portlist>
Description: Specifies the path cost of the port in this STPD. The range is 1 through 65,535. The switch automatically assigns a default path cost based on the speed of the port, as follows:
• For a 10 Mbps port, the default cost is 100.
• For a 100 Mbps port, the default cost is 19.

Command: config stpd <stpd_name> ports priority <value> <portlist>
Description: Specifies the priority of the port in this STPD. By changing the priority of the port, you can make it more or less likely to become the root port. The range is 0 through 31, where 0 indicates the lowest priority. The default setting is 16.

Command: config stpd <stpd_name> priority <value>
Description: Specifies the priority of the STPD. By changing the priority of the STPD, you can make it more or less likely to become the root bridge. The range is 0 through 65,535, where 0 indicates the highest priority. The default setting is 32,768.

Command: create stpd <stpd_name>
Description: Creates an STPD. When created, an STPD has the following default parameters:
• Bridge priority: 32,768
• Hello time: 2 seconds
• Forward delay: 15 seconds

Command: enable ignore-bpdu vlan <name>
Description: Configures the switch to ignore STP BPDUs, which prevents ports in the VLAN from becoming part of an STPD. This command is useful when you have a known topology with switches outside your network, and wish to keep the root bridge within your network. The default setting is disabled.

Command: enable ignore-stp vlan <vlan name>
Description: Configures the switch to ignore the STP protocol, and not block traffic for the VLAN(s). This command is useful when multiple VLANs share the same physical ports, but only some of the VLANs require STP protection. The default setting is disabled.

Command: enable stpd {<stpd_name>}
Description: Enables the STP protocol for one or all STPDs. The default setting is disabled.

Command: enable stpd ports {<portlist>}
Description: Enables the STP protocol on one or more ports. If STPD is enabled for a port, bridge protocol data units (BPDUs) will be generated on that port if STP is enabled for the associated STPD. The default setting is enabled.
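The timer ranges and the max age relationship in Table 50 can be checked offline before a change is pushed to a switch. The following audit is an added example, not part of the original guide or ExtremeWare; the function name, the sample configuration, the case-insensitive handling of STPD names, and the choice to check only the final values per STPD are assumptions.

```python
import re

# Ranges and defaults (seconds) as stated in Table 50.
RANGES = {"hellotime": (1, 10), "forwarddelay": (4, 30), "maxage": (6, 40)}
DEFAULTS = {"hellotime": 2, "forwarddelay": 15, "maxage": 20}

CREATE = re.compile(r"^create\s+stpd\s+(\S+)$", re.IGNORECASE)
TIMER = re.compile(
    r"^config\s+stpd\s+(\S+)\s+(hellotime|forwarddelay|maxage)\s+(\d+)$",
    re.IGNORECASE,
)


def audit_stp_timers(config_text):
    """Return (stpd_name, message) findings for a block of STP commands.

    Assumptions of this example: STPD names compare case-insensitively,
    an out-of-range value leaves the previous value in place, and the
    max age relationship is checked on the final value of each timer.
    """
    stpds = {"s0": dict(DEFAULTS)}  # the default STPD s0 always exists
    findings = []

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        created = CREATE.match(line)
        if created:
            stpds.setdefault(created.group(1).lower(), dict(DEFAULTS))
            continue
        timer = TIMER.match(line)
        if not timer:
            continue  # not a timer command (add vlan, ports cost, ...)
        name = timer.group(1).lower()
        param = timer.group(2).lower()
        value = int(timer.group(3))
        if name not in stpds:
            findings.append(
                (name, f"line {lineno}: {param} set on an STPD that was never created"))
            stpds[name] = dict(DEFAULTS)
        low, high = RANGES[param]
        if not low <= value <= high:
            findings.append(
                (name, f"line {lineno}: {param} {value} is outside {low} through {high}"))
            continue
        stpds[name][param] = value

    # Table 50: 2 * (Hello Time + 1) <= Max Age <= 2 * (Forward Delay - 1)
    for name, timers in stpds.items():
        floor = 2 * (timers["hellotime"] + 1)
        ceiling = 2 * (timers["forwarddelay"] - 1)
        if not floor <= timers["maxage"] <= ceiling:
            findings.append(
                (name, f"maxage {timers['maxage']} must be between {floor} and {ceiling} "
                       f"(hellotime {timers['hellotime']}, "
                       f"forwarddelay {timers['forwarddelay']})"))
    return findings


# Constructed sample configuration, not taken from a real switch.
SAMPLE_CONFIG = """\
create stpd backbone_st
config stpd backbone_st add vlan manufacturing
config stpd backbone_st hellotime 10
create stpd lab_st
config stpd lab_st forwarddelay 4
config stpd lab_st maxage 6
config stpd lab_st hellotime 1
config stpd edge_st maxage 45
"""

if __name__ == "__main__":
    for stpd, message in audit_stp_timers(SAMPLE_CONFIG):
        print(f"{stpd}: {message}")
```

In the sample, raising the hello time of backbone_st to 10 while leaving max age at its default of 20 breaks the lower bound of 22, which is the kind of interaction a single-parameter range check misses.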

STP Configuration Example

The following Summit 200 series switch example creates and enables an STPD named Backbone_st. It assigns the Manufacturing VLAN to the STPD. It disables STP on ports 1 through 7 and port 12.

    create stpd backbone_st
    config stpd backbone_st add vlan manufacturing
    enable stpd backbone_st
    disable stpd backbone_st port 1-7,12

Displaying STP Settings

To display STP settings, use the following command:

    show stpd {<stpd_name>}

This command displays the following information:
• STPD name
• Bridge ID
• STPD configuration information

To display the STP state of a port, use the following command:

    show stpd <stpd_name> port <portlist>

This command displays the following information:
• STPD port configuration
• STPD state (root bridge, and so on)
• STPD port state (forwarding, blocking, and so on)

Disabling and Resetting STP

To disable STP or return STP settings to their defaults, use the commands listed in Table 51.

Table 51: Commands to Disable or Reset STP

Command: delete stpd <stpd_name>
Description: Removes an STPD. An STPD can only be removed if all VLANs have been deleted from it. The default STPD, s0, cannot be deleted.

Command: disable ignore-bpdu vlan <name>
Description: Allows the switch to recognize STP BPDUs.

Command: disable ignore-stp vlan <name>
Description: Allows a VLAN to use STP port information.

Command: disable stpd [<stpd_name> | all]
Description: Disables the STP mechanism on a particular STPD, or for all STPDs.

Command: disable stpd ports <portlist>
Description: Disables STP on one or more ports. Disabling STP on one or more ports puts those ports in forwarding state; all BPDUs received on those ports will be disregarded.

Command: unconfig stpd {<stpd_name>}
Description: Restores default STP values to a particular STPD or to all STPDs.


15 IP Unicast Routing

This chapter describes the following topics:
• Overview of IP Unicast Routing
• Proxy ARP
• Relative Route Priorities
• Configuring IP Unicast Routing
• IP Commands
• Routing Configuration Example
• Displaying Router Settings
• Resetting and Disabling Router Settings
• Configuring DHCP/BOOTP Relay
• UDP-Forwarding

This chapter assumes that you are already familiar with IP unicast routing. If not, refer to the following publications for additional information:
• RFC 1256: ICMP Router Discovery Messages
• RFC 1812: Requirements for IP Version 4 Routers

NOTE
For more information on interior gateway protocols, refer to Chapter 16.

Overview of IP Unicast Routing

The switch provides full layer 3, IP unicast routing. It exchanges routing information with other routers on the network using either the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) protocol. The switch dynamically builds and maintains a routing table, and determines the best path for each of its routes.

Each host using the IP unicast routing functionality of the switch must have a unique IP address assigned. In addition, the default gateway assigned to the host must be the IP address of the router interface.

Router Interfaces

The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a VLAN that has an IP address assigned to it.

As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs. Both the VLAN switching and IP routing function occur within the switch.

NOTE
Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP address and subnet on different VLANs.

In Figure 32, a switch is depicted with two VLANs defined: Finance and Personnel. Ports 2 and 4 are assigned to Finance; ports 3 and 5 are assigned to Personnel. Finance belongs to the IP network 192.207.35.0; the router interface for Finance is assigned the IP address 192.207.35.1. Personnel belongs to the IP network 192.207.36.0; its router interface is assigned IP address 192.207.36.1. Traffic within each VLAN is switched using the Ethernet MAC addresses. Traffic between the two VLANs is routed using the IP addresses.

Figure 32: Routing between VLANs (diagram of VLAN Finance, 192.207.35.0, on ports 2 and 4, and VLAN Personnel, 192.207.36.0, on ports 3 and 5)

Populating the Routing Table

The switch maintains an IP routing table for both network routes and host routes. The table is populated from the following sources:
• Dynamically, by way of routing protocol packets or by ICMP redirects exchanged with other routers
• Statically, by way of routes entered by the administrator:
  - Default routes, configured by the administrator
  - Locally, by way of interface addresses assigned to the system
  - By other static routes, as configured by the administrator

NOTE
If you define a default route and then delete the VLAN on the subnet associated with the default route, the invalid default route entry remains. You must manually delete the configured default route.

Dynamic Routes

Dynamic routes are typically learned by way of RIP or OSPF. Routers that use RIP or OSPF exchange information in their routing tables in the form of advertisements. Using dynamic routes, the routing table contains only networks that are reachable.

Dynamic routes are aged out of the table when an update for the network is not received for a period of time, as determined by the routing protocol.

Static Routes

Static routes are manually entered into the routing table. Static routes are used to reach networks not advertised by routers. Static routes can also be used for security reasons, to control which routes you want advertised by the router. You can decide if you want all static routes to be advertised, using one of the following commands:

    [enable | disable] rip export static
    [enable | disable] ospf export static

The default setting is disabled. Static routes are never aged out of the routing table.

A static route must be associated with a valid IP subnet. An IP subnet is associated with a single VLAN by its IP address and subnet mask. If the VLAN is subsequently deleted, the static route entries using that subnet must be deleted manually.

Multiple Routes

When there are multiple, conflicting choices of a route to a particular destination, the router picks the route with the longest matching network mask. If these are still equal, the router picks the route using the following criteria (in the order specified):
• Directly attached network interfaces
• ICMP redirects (refer to Table 55, later in this chapter)
• Static routes
• Directly attached network interfaces that are not active.

NOTE
If you define multiple default routes, the route that has the lowest metric is used. If multiple default routes have the same lowest metric, the system picks one of the routes.

You can also configure blackhole routes. Traffic to these destinations is silently dropped.

IP Route Sharing

IP route sharing allows multiple equal-cost routes to be used concurrently. IP route sharing can be used with static routes or with OSPF routes. In OSPF, this capability is referred to as equal cost multipath (ECMP) routing. To use IP route sharing, use the following command:

    enable iproute sharing

Next, configure static routes and/or OSPF as you would normally. ExtremeWare supports unlimited route sharing across static routes and up to eight ECMP routes for OSPF.

Route sharing is useful only in instances where you are constrained for bandwidth. This is typically not the case using Extreme switches. Using route sharing makes router troubleshooting more difficult because of the complexity in predicting the path over which the traffic will travel.

Subnet-Directed Broadcast Forwarding

You can enable or disable the hardware forwarding of subnet-directed broadcast IP packets. This allows the switch to forward subnet-directed broadcast packets at wire-speed.

To enable or disable hardware forwarding, use the following command:

    [enable | disable] ipforwarding fast-direct-broadcast [vlan <vlan_name>]

The entries are added to the IP forwarding table as standard entries and you can view them using the show ipfdb command.

You can also configure the VLAN router interface to either forward and process all subnet-directed broadcast packets, or to simply forward these packets after they have been added to the IP forwarding database. The latter option allows you to improve CPU forwarding performance by having upper layers, such as UDP and TCP, ignore broadcast packet processing (for example, if the packets have IP-options configured).

To enable or disable broadcast packet processing, use the following command:

    [enable | disable] ipforwarding ignore-broadcast vlan <vlan_name>

Proxy ARP

Proxy Address Resolution Protocol (ARP) was first invented so that ARP-capable devices could respond to ARP Request packets on behalf of ARP-incapable devices. Proxy ARP can also be used to achieve router redundancy and simplify IP client configuration. The switch supports proxy ARP for this type of network configuration. This section describes some examples of how to use proxy ARP with the switch.

ARP-Incapable Devices

To configure the switch to respond to ARP Requests on behalf of devices that are incapable of doing so, you must configure the IP address and MAC address of the ARP-incapable device using the following command:

    config iparp add proxy <ipaddress> {<mask>} <mac_address> {always}

Once configured, the system responds to ARP Requests on behalf of the device as long as the following conditions are satisfied:
• The valid IP ARP Request is received on a router interface.
• The target IP address matches the IP address configured in the proxy ARP table.
• The proxy ARP table entry indicates that the system should always answer this ARP Request, regardless of the ingress VLAN (the always parameter must be applied).

Once all the proxy ARP conditions are met, the switch formulates an ARP Response using the configured MAC address in the packet.

Proxy ARP Between Subnets

In some networks, it is desirable to configure the IP host with a wider subnet than the actual subnet mask of the segment. Proxy ARP can be used so that the router answers ARP Requests for devices outside of the subnet. As a result, the host communicates as if all devices are local. In reality, communication with devices outside of the subnet is proxied by the router.

For example, an IP host is configured with a class B address of 100.101.102.103 and a mask of 255.255.0.0. The switch is configured with the IP address 100.101.102.1 and a mask of 255.255.255.0. The switch is also configured with a proxy ARP entry of IP address 100.101.45.0 and mask 255.255.255.0, without the always parameter.

When the IP host tries to communicate with the host at address 100.101.45.67, the IP host communicates as if the two hosts are on the same subnet, and sends out an IP ARP Request. The switch answers on behalf of the device at address 100.101.45.67, using its own MAC address. All subsequent data packets from 100.101.102.103 are sent to the switch, and the switch routes the packets to 100.101.45.67.

Relative Route Priorities

Table 52 lists the relative priorities assigned to routes depending upon the learned source of the route.

CAUTION
Although these priorities can be changed, do not attempt any manipulation unless you are expertly familiar with the possible consequences.
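The proxy ARP answer conditions and the 100.101.x.x scenario from the Proxy ARP sections can be modelled as a small decision function. This is an added example, not code from the guide or from ExtremeWare: the names, the placeholder MAC addresses, and the most-specific-entry-first ordering are assumptions, and the same-subnet filter applied to entries without always follows this guide's description of the always option for config iparp add proxy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SWITCH_MAC = "02:00:00:00:00:01"  # constructed placeholder for the switch MAC


@dataclass(frozen=True)
class ProxyEntry:
    """One proxy ARP table entry (hypothetical model of the CLI arguments)."""
    network: ipaddress.IPv4Network
    mac: Optional[str] = None     # None: the switch MAC is used in the response
    always: bool = False


def make_entry(ip, mask="255.255.255.255", mac=None, always=False):
    # An omitted mask means a host entry, 255.255.255.255.
    return ProxyEntry(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), mac, always)


def host_arps_directly(host_interface, destination):
    """True when the host's own mask makes the destination look local."""
    host = ipaddress.IPv4Interface(host_interface)
    return ipaddress.IPv4Address(destination) in host.network


def proxy_arp_reply(target_ip, ingress_interface, entries, switch_mac=SWITCH_MAC):
    """Return the MAC the switch would answer with, or None for no answer.

    ingress_interface is the address/mask of the router interface that
    received the ARP Request, or None if the request did not arrive on
    a router interface.
    """
    if ingress_interface is None:
        return None  # condition 1: request must arrive on a router interface
    ingress = ipaddress.IPv4Interface(ingress_interface)
    target = ipaddress.IPv4Address(target_ip)

    # Condition 2: the target must match a proxy ARP table entry.
    # Trying the most specific entry first is an assumption of this example.
    matches = sorted(
        (entry for entry in entries if target in entry.network),
        key=lambda entry: entry.network.prefixlen,
        reverse=True,
    )
    for entry in matches:
        # Without "always", targets on the receiving interface's own
        # subnet are filtered; "always" answers them as well.
        if target in ingress.network and not entry.always:
            continue
        return entry.mac or switch_mac
    return None


# The scenario from "Proxy ARP Between Subnets".
HOST = "100.101.102.103/255.255.0.0"
SWITCH_IF = "100.101.102.1/255.255.255.0"
TABLE = [make_entry("100.101.45.0", "255.255.255.0")]  # no always, no MAC

if __name__ == "__main__":
    print(host_arps_directly(HOST, "100.101.45.67"))         # host thinks it is local
    print(proxy_arp_reply("100.101.45.67", SWITCH_IF, TABLE))
```

Any address covered by a proxy entry resolves to the switch or to the configured MAC, so proxy ARP tables are worth reviewing with show iparp proxy alongside the routing table.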

Table 52: Relative Route Priorities

Route Origin    Priority
Direct          10
BlackHole       50
Static          1100
ICMP            1200
OSPFIntra       2200
OSPFInter       2300
RIP             2400
OSPFExtern1     3200
OSPFExtern2     3300
BOOTP           5000

To change the relative route priority, use the following command:

    config iproute priority [rip | bootp | icmp | static | ospf-intra | ospf-inter | ospf-as-external | ospf-extern1 | ospf-extern2] <priority>

Configuring IP Unicast Routing

This section describes the commands associated with configuring IP unicast routing on the switch. To configure routing, follow these steps:

1 Create and configure two or more VLANs.

2 Assign each VLAN that will be using routing an IP address using the following command:

    config vlan <name> ipaddress <ipaddress> {<mask>}

Ensure that each VLAN has a unique IP address.

3 Configure a default route using the following command:

    config iproute add default <gateway> {<metric>}

Default routes are used when the router has no other dynamic or static route to the requested destination.

4 Turn on IP routing for one or all VLANs using the following command:

    enable ipforwarding {vlan <name>}

5 Turn on RIP or OSPF using one of the following commands:

    enable rip
    enable ospf

Verifying the IP Unicast Routing Configuration

Use the show iproute command to display the current configuration of IP unicast routing for the switch, and for each VLAN. The show iproute command displays the currently configured routes, and includes how each route was learned.

Additional verification commands include:
• show iparp: Displays the IP ARP table of the system.
• show ipfdb: Displays the hosts that have been transmitting or receiving packets, and the port and VLAN for each host.
• show ipconfig: Displays configuration information for one or more VLANs.

IP Commands

Table 53 describes the commands used to configure basic IP settings.

Table 53: Basic IP Commands

Command: clear iparp {<ipaddress> <mask> | vlan <vlan>}
Description: Removes dynamic entries in the IP ARP table. Permanent IP ARP entries are not affected.

Command: clear ipfdb {<ipaddress> <netmask> | vlan <name>}
Description: Removes the dynamic entries in the IP forwarding database. If no options are specified, all dynamic IP FDB entries are removed.

Command: config bootprelay add <ipaddress>
Description: Adds the IP destination address to forward BOOTP packets.

Command: config bootprelay delete [<ipaddress> | all]
Description: Removes one or all IP destination addresses for forwarding BOOTP packets.

Command: config iparp add <ipaddress> <mac_address>
Description: Adds a permanent entry to the ARP table. Specify the IP address and MAC address of the entry.

Command: config iparp add proxy <ipaddress> {<mask>} {<mac_address>} {always}
Description: Configures proxy ARP entries. When mask is not specified, an address with the mask 255.255.255.255 is assumed. When mac_address is not specified, the MAC address of the switch is used in the ARP Response. When always is specified, the switch answers ARP Requests without filtering requests that belong to the same subnet of the receiving router interface.

Command: config iparp delete <ipaddress>
Description: Deletes an entry from the ARP table. Specify the IP address of the entry.

Command: config iparp delete proxy [<ipaddress> {<mask>} | all]
Description: Deletes one or all proxy ARP entries.

Command: config iparp timeout <minutes>
Description: Configures the IP ARP timeout period. The default setting is 20 minutes. A setting of 0 disables ARP aging. The maximum aging time is 32,767 minutes.

Command: disable bootp vlan [<name> | all]
Description: Disables the generation and processing of BOOTP packets.

Command: disable bootprelay
Description: Disables the forwarding of BOOTP requests.

Command: disable ipforwarding {vlan <name>}
Description: Disables routing for one or all VLANs.

Table 53: Basic IP Commands (continued)

Command: disable ipforwarding broadcast {vlan <name>}
Description: Disables routing of broadcasts to other networks.

Command: disable loopback-mode vlan [<name> | all]
Description: Disables loopback-mode on an interface.

Command: enable bootp vlan [<name> | all]
Description: Enables the generation and processing of BOOTP packets on a VLAN to obtain an IP address for the VLAN from a BOOTP server. The default setting is enabled for all VLANs.

Command: enable bootprelay
Description: Enables the forwarding of BOOTP and Dynamic Host Configuration Protocol (DHCP) requests.

Command: enable ipforwarding {vlan <name>}
Description: Enables IP routing for one or all VLANs. If no argument is provided, enables routing for all VLANs that have been configured with an IP address. The default setting for ipforwarding is disabled.

Command: enable ipforwarding broadcast {vlan <name>}
Description: Enables forwarding IP broadcast traffic for one or all VLANs. If no argument is provided, enables broadcast forwarding for all VLANs. To enable, ipforwarding must be enabled on the VLAN. The default setting is disabled.

Command: enable loopback-mode vlan [<name> | all]
Description: Enables a loopback mode on an interface. If loopback is enabled, the router interface remains in the UP state, even if no ports are defined in the VLAN. As a result, the subnet is always advertised as one of the available routes.

Table 54 describes the commands used to configure the IP route table.

Table 54: Route Table Configuration Commands

Command: config iproute add <ipaddress> <mask> <gateway> <metric>
Description: Adds a static address to the routing table. Use a value of 255.255.255.255 for mask to indicate a host entry.

Command: config iproute add blackhole <ipaddress> <mask>
Description: Adds a blackhole address to the routing table. All traffic destined for the configured IP address is dropped, and no Internet Control Message Protocol (ICMP) message is generated.

Command: config iproute add default <gateway> {<metric>}
Description: Adds a default gateway to the routing table. A default gateway must be located on a configured IP interface. If no metric is specified, the default metric of 1 is used. Use the unicast-only or multicast-only options to specify a particular traffic type. If not specified, both unicast and multicast traffic uses the default route.

Table 54: Route Table Configuration Commands (continued)

Command: config iproute delete <ipaddress> <mask> <gateway>
Description: Deletes a static address from the routing table.

Command: config iproute delete blackhole <ipaddress> <mask>
Description: Deletes a blackhole address from the routing table.

Command: config iproute delete default <gateway>
Description: Deletes a default gateway from the routing table.

Command: config iproute priority [rip | bootp | icmp | static | ospf-intra | ospf-inter | ospf-as-external | ospf-extern1 | ospf-extern2] <priority>
Description: Changes the priority for all routes from a particular route origin.

Command: disable iproute sharing
Description: Disables load sharing for multiple routes.

Command: enable iproute sharing
Description: Enables load sharing if multiple routes to the same destination are available. Only paths with the same lowest cost are shared. The default setting is disabled.

Command: rtlookup [<ipaddress> | <hostname>]
Description: Performs a look-up in the route table to determine the best route to reach an IP address.

Table 55 describes the commands used to configure IP options and the ICMP protocol.

Table 55: ICMP Configuration Commands

Command: config irdp [multicast | broadcast]
Description: Configures the destination address of the router advertisement messages. The default setting is multicast.

Command: config irdp <mininterval> <maxinterval> <lifetime> <preference>
Description: Configures the router advertisement message timers, using seconds. Specify:
• mininterval: The minimum amount of time between router advertisements. The default setting is 450 seconds.
• maxinterval: The maximum time between router advertisements. The default setting is 600 seconds.
• lifetime: The default setting is 1,800 seconds.
• preference: The preference level of the router. An ICMP Router Discover Protocol (IRDP) client always uses the router with the highest preference level. Change this setting to encourage or discourage the use of this router. The default setting is 0.

Command: disable icmp parameter-problem {vlan <name>}
Description: Disables the generation of ICMP messages for the parameter problem packet type.

Command: disable ip-option loose-source-route
Description: Disables the loose source route IP option.

Command: disable ip-option record-route
Description: Disables the record route IP option.

Command: disable ip-option record-timestamp
Description: Disables the record timestamp IP option.

Command: disable ip-option strict-source-route
Description: Disables the strict source route IP option.

Table 55: ICMP Configuration Commands (continued)

Command: disable ip-option use-router-alert
Description: Disables the generation of the router alert IP option.

Command: enable icmp address-mask {vlan <name>}
Description: Enables the generation of an ICMP address-mask reply (type 18, code 0) when an ICMP address mask request is received. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp parameter-problem {vlan <name>}
Description: Enables the generation of an ICMP parameter-problem message (type 12) when the switch cannot properly process the IP header or IP option information. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp port-unreachables {vlan <name>}
Description: Enables the generation of ICMP port unreachable messages (type 3, code 3) when a TCP or UDP request is made to the switch, and no application is waiting for the request, or access policy denies the request. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp redirects {vlan <name>}
Description: Enables the generation of an ICMP redirect message (type 5) when a packet must be forwarded out on the ingress port. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp time-exceeded {vlan <name>}
Description: Enables the generation of an ICMP time exceeded message (type 11) when the TTL field expires during forwarding. IP multicast packets do not trigger ICMP time exceeded messages. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp timestamp {vlan <name>}
Description: Enables the generation of an ICMP timestamp response (type 14, code 0) when an ICMP timestamp request is received. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp unreachables {vlan <name>}
Description: Enables the generation of ICMP network unreachable messages (type 3, code 0), and host unreachable messages (type 3, code 1) when a packet cannot be forwarded to the destination because of unreachable route or host. ICMP packet processing on one or all VLANs. The default setting is enabled. If a VLAN is not specified, the command applies to all IP interfaces.

Command: enable icmp useredirects
Description: Enables the modification of route table information when an ICMP redirect message is received. This option applies to the switch when it is not configured for routing. The default setting is disabled.

Command: enable ip-option loose-source-route
Description: Enables the loose source route IP option.

Command: enable ip-option record-route
Description: Enables the record route IP option.

Command: enable ip-option record-timestamp
Description: Enables the record timestamp IP option.

Table 55: ICMP Configuration Commands (continued)

Command: enable ip-option strict-source-route
Description: Enables the strict source route IP option.

Command: enable ip-option use-router-alert
Description: Enables the switch to generate the router alert IP option with routing protocol packets.

Command: enable irdp {vlan <name>}
Description: Enables the generation of ICMP router advertisement messages on one or all VLANs. The default setting is enabled.

Command: unconfig icmp
Description: Resets all ICMP settings to the default values.

Command: unconfig irdp
Description: Resets all router advertisement settings to the default values.

Routing Configuration Example

Figure 33 illustrates a switch that has two VLANs defined as follows:
• Finance
  — Contains ports 2 and 4.
  — IP address 192.207.35.1.
• Personnel
  — Contains ports 3 and 5.
  — IP address 192.207.36.1.

Figure 33: Unicast routing configuration example

In this configuration, all IP traffic from stations connected to ports 2 and 4 have access to the router by way of the VLAN Finance. Ports 3 and 5 reach the router by way of the VLAN Personnel.

The example in Figure 33 is configured as follows:

create vlan Finance
create vlan Personnel
config Finance add port 2,4
config Personnel add port 3,5
config Finance ipaddress 192.207.35.1
config Personnel ipaddress 192.207.36.1
config rip add vlan Finance
config rip add vlan Personnel
enable ipforwarding
enable rip

Displaying Router Settings

To display settings for various IP routing components, use the commands listed in Table 56.

Table 56: Router Show Commands

Command: show iparp {<ipaddress> | vlan <name> | permanent}
Description: Displays the IP Address Resolution Protocol (ARP) table. You can filter the display by IP address, VLAN, or permanent entries.

Command: show iparp proxy {<ipaddress> {<mask>}}
Description: Displays the proxy ARP table.

Command: show ipconfig {vlan <name>}
Description: Displays configuration information for one or all VLANs.

Command: show ipconfig {vlan <name>} {detail}
Description: Displays IP configuration settings.

Command: show ipfdb {<ipaddress> <netmask> | vlan <name>}
Description: Displays the contents of the IP forwarding database (FDB) table. If no option is specified, all IP FDB entries are displayed.

Command: show iproute {priority | vlan <vlan> | permanent | <ipaddress> <netmask> | origin [direct | static | blackhole | rip | bootp | icmp | ospf-intra | ospf-inter | ospf-as-external | ospf-extern1 | ospf-extern2]} {sorted}
Description: Displays the contents of the IP routing table or the route origin priority.

Command: show ipstats {vlan <name>}
Description: Displays IP statistics for the CPU of the system.

Resetting and Disabling Router Settings

To return router settings to their defaults and disable routing functions, use the commands listed in Table 57.

Table 57: Router Reset and Disable Commands

Command: clear iparp {<ipaddress> | vlan <name>}
Description: Removes dynamic entries in the IP ARP table. Permanent IP ARP entries are not affected.

Command: clear ipfdb {<ipaddress> <netmask> | vlan <name>}
Description: Removes the dynamic entries in the IP forwarding database. If no options are specified, all IP FDB entries are removed.

Command: disable bootp vlan [<name> | all]
Description: Disables the generation and processing of BOOTP packets.

Command: disable bootprelay
Description: Disables the forwarding of BOOTP requests.

Command: disable icmp address-mask {vlan <name>}
Description: Disables the generation of ICMP address-mask reply messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp parameter-problem {vlan <name>}
Description: Disables the generation of ICMP parameter-problem messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp port-unreachables {vlan <name>}
Description: Disables the generation of ICMP port unreachable messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp redirects {vlan <name>}
Description: Disables the generation of ICMP redirect messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp time-exceeded {vlan <name>}
Description: Disables the generation of ICMP time exceeded messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp timestamp {vlan <name>}
Description: Disables the generation of ICMP timestamp response messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp unreachables {vlan <name>}
Description: Disables the generation of ICMP network unreachable messages and host unreachable messages. If a VLAN is not specified, the command applies to all IP interfaces.

Command: disable icmp useredirects
Description: Disables the changing of routing table information when an ICMP redirect message is received.

Command: disable ipforwarding {vlan <name>}
Description: Disables routing for one or all VLANs.

Command: disable ipforwarding broadcast {vlan <name>}
Description: Disables routing of broadcasts to other networks.

Command: disable irdp {vlan <name>}
Description: Disables the generation of router advertisement messages on one or all VLANs.

Command: unconfig icmp
Description: Resets all ICMP settings to the default values.

Command: unconfig irdp
Description: Resets all router advertisement settings to the default values.

Configuring DHCP/BOOTP Relay

Once IP unicast routing is configured, you can configure the switch to forward Dynamic Host Configuration Protocol (DHCP) or BOOTP requests coming from clients on subnets being serviced by the switch and going to hosts on different subnets. This feature can be used in various applications, including DHCP services between Windows NT servers and clients running Windows 95. To configure the relay function, follow these steps:

1 Configure VLANs and IP unicast routing.
2 Enable the DHCP or BOOTP relay function, using the following command:
  enable bootprelay
3 Configure the addresses to which DHCP or BOOTP requests should be directed, using the following command:
  config bootprelay add <ipaddress>

To delete an entry, use the following command:
config bootprelay delete {<ipaddress> | all}

Verifying the DHCP/BOOTP Relay Configuration

To verify the DHCP/BOOTP relay configuration, use the following command:
show ipconfig

This command displays the configuration of the BOOTP relay service, and the addresses that are currently configured.

UDP-Forwarding

UDP-forwarding is a flexible and generalized routing utility for handling the directed forwarding of broadcast UDP packets. UDP-forwarding allows applications, such as multiple DHCP relay services from differing sets of VLANs, to be directed to different DHCP servers. The following rules apply to UDP broadcast packets handled by this feature:
• If the UDP profile includes BOOTP or DHCP, it is handled according to guidelines in RFC 1542.
• If the UDP profile includes other types of traffic, these packets have the IP destination address modified as configured, and changes are made to the IP and UDP checksums and decrements to the TTL field, as appropriate.

If the UDP-forwarding is used for BOOTP or DHCP forwarding purposes, do not configure or use the existing bootprelay function. However, if the previous bootprelay functions are adequate, you may continue to use them.

NOTE UDP-forwarding only works across a layer 3 boundary.

Configuring UDP-Forwarding

To configure UDP-forwarding, the first thing you must do is create a UDP-forward destination profile. The profile describes the types of UDP packets (by port number) that are used, and where they are to be forwarded. You must give the profile a unique name, in the same manner as a VLAN, protocol filter, or Spanning Tree Domain.

Next, configure a VLAN to make use of the UDP-forwarding profile. As a result, all incoming traffic from the VLAN that matches the UDP profile is handled as specified in the UDP-forwarding profile.

A maximum of ten UDP-forwarding profiles can be defined. Each named profile may contain a maximum of eight “rules” defining the UDP port, and destination IP address or VLAN. A VLAN can make use of a single UDP-forwarding profile. UDP packets directed toward a VLAN use an all-ones broadcast on that VLAN.

UDP-Forwarding Example

In this example, the VLAN Marketing and the VLAN Operations are pointed toward a specific backbone DHCP server (with IP address 10.1.1.1) and a backup server (with IP address 10.1.1.2). Additionally, the VLAN LabUser is configured to use any responding DHCP server on a separate VLAN called LabSvrs.

The commands for this configuration are as follows:

create udp-profile backbonedhcp
create udp-profile labdhcp
config backbonedhcp add 67 ipaddress 10.1.1.1
config backbonedhcp add 67 ipaddress 10.1.1.2
config labdhcp add 67 vlan labsvrs
config marketing udp-profile backbonedhcp
config operations udp-profile backbonedhcp
config labuser udp-profile labdhcp

ICMP Packet Processing

As ICMP packets are routed or generated, you can take various actions to control distribution. For ICMP packets typically generated or observed as part of the routing function, you can assert control on a per-type, per-VLAN basis. You would alter the default settings for security reasons: to restrict the success of tools that can be used to find an important application, host, or topology information. The controls include the disabling of transmitting ICMP messages associated with unreachables, port-unreachables, time-exceeded, parameter-problems, redirects, time-stamp, and address-mask requests.

For ICMP packets that are typically routed, you can apply access lists to restrict forwarding behavior. Access lists are described in Chapter 9.
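One way to check a saved configuration against the ICMP controls described under ICMP Packet Processing, as an added example (not Extreme Networks code): it replays the enable icmp and disable icmp commands from the tables on this page and lists which message types each VLAN would still generate. The sample configuration is constructed; comparing VLAN names case-insensitively and treating every VLAN as created before the ICMP commands run are assumptions.

```python
import re

# Per-VLAN ICMP message types from the command tables on this page. Each is
# generated by default, so a missing "disable" line means it is still on.
PER_VLAN_TYPES = (
    "address-mask", "parameter-problem", "port-unreachables", "redirects",
    "time-exceeded", "timestamp", "unreachables",
)

ICMP_CMD = re.compile(
    r"^(enable|disable)\s+icmp\s+([a-z-]+)(?:\s+vlan\s+(\S+))?$", re.IGNORECASE)
CREATE_VLAN = re.compile(r"^create\s+vlan\s+(\S+)$", re.IGNORECASE)

# Constructed sample: VLAN names and address borrowed from the routing example.
SAMPLE_CONFIG = """
create vlan Finance
create vlan Personnel
config Finance ipaddress 192.207.35.1
disable icmp timestamp
disable icmp address-mask
disable icmp redirects vlan Finance
disable icmp port-unreachables vlan Personnel
enable icmp useredirects
"""


def audit_icmp(config_text):
    """Return (per_vlan, use_redirects).

    per_vlan maps each VLAN to the sorted ICMP message types the switch would
    still generate on it; use_redirects is the global "icmp useredirects"
    state, which the page lists as disabled by default.
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # Pass 1: collect VLAN names (assumption: compared case-insensitively).
    vlans = []
    for ln in lines:
        m = CREATE_VLAN.match(ln)
        if m and m.group(1).lower() not in vlans:
            vlans.append(m.group(1).lower())

    def defaults():
        return {v: set(PER_VLAN_TYPES) for v in vlans}

    enabled = defaults()
    use_redirects = False

    # Pass 2: replay the ICMP commands in the order they appear.
    for ln in lines:
        if ln.lower() == "unconfig icmp":      # resets all ICMP settings
            enabled, use_redirects = defaults(), False
            continue
        m = ICMP_CMD.match(ln)
        if not m:
            continue
        turn_on = m.group(1).lower() == "enable"
        kind = m.group(2).lower()
        if kind == "useredirects":
            use_redirects = turn_on
            continue
        if kind not in PER_VLAN_TYPES:
            continue
        # No VLAN given: the command applies to all IP interfaces.
        targets = vlans if m.group(3) is None else [m.group(3).lower()]
        for v in targets:
            if v in enabled:
                if turn_on:
                    enabled[v].add(kind)
                else:
                    enabled[v].discard(kind)

    return {v: sorted(s) for v, s in enabled.items()}, use_redirects


def report(config_text):
    """Human-readable findings, one line per VLAN plus the global flag."""
    per_vlan, use_redirects = audit_icmp(config_text)
    out = [f"{v}: still generates {', '.join(t) or 'nothing'}"
           for v, t in per_vlan.items()]
    if use_redirects:
        out.append("global: icmp useredirects is enabled (default is disabled)")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```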

UDP-Forwarding Commands

Table 58 describes the commands used to configure UDP-forwarding.

Table 58: UDP-Forwarding Commands

Command: config udp-profile <profile_name> add <udp_port> [vlan <name> | ipaddress <dest_ipaddress>]
Description: Adds a forwarding entry to the specified UDP-forwarding profile name. All broadcast packets sent to <udp_port> are forwarded to either the destination IP address (unicast or subnet directed broadcast) or to the specified VLAN as an all-ones broadcast.

Command: config udp-profile <profile_name> delete <udp_port> [vlan <name> | ipaddress <dest_ipaddress>]
Description: Deletes a forwarding entry from the specified udp-profile name.

Command: config vlan <name> udp-profile <profile_name>
Description: Assigns a UDP-forwarding profile to the source VLAN. Once the UDP profile is associated with the VLAN, the switch picks up any broadcast UDP packets that match the user-configured UDP port number, and forwards those packets to the user-defined destination. If the UDP port is the DHCP/BOOTP port number, appropriate DHCP/BOOTP proxy functions are invoked.

Command: create udp-profile <profile_name>
Description: Creates a UDP-forwarding profile. You must use a unique name for the UDP-forwarding profile.

Command: delete udp-profile <profile_name>
Description: Deletes a UDP-forwarding profile.

Command: show udp-profile {<profile_name>}
Description: Displays the profile names, input rules of UDP port, destination IP address, or VLAN and the source VLANs to which the profile is applied.

Command: unconfig udp-profile vlan [<name> | all]
Description: Removes the UDP-forwarding profile configuration for one or all VLANs.

16 Interior Gateway Routing Protocols

This chapter describes the following topics:
• Overview
• Overview of RIP
• Overview of OSPF
• Route Re-Distribution
• Configuring RIP
• RIP Configuration Example
• Displaying RIP Settings
• Resetting and Disabling RIP
• Configuring OSPF
• Displaying OSPF Settings
• Resetting and Disabling OSPF Settings

This chapter assumes that you are already familiar with IP unicast routing. If not, refer to the following publications for additional information:
• RFC 1058—Routing Information Protocol (RIP)
• RFC 1723—RIP Version 2
• RFC 2328—OSPF Version 2
• Interconnections: Bridges and Routers by Radia Perlman, ISBN 0-201-56332-0, published by Addison-Wesley Publishing Company

Overview

The switch supports the use of two interior gateway protocols (IGPs), the Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) protocol for IP unicast routing.

RIP is a distance-vector protocol, based on the Bellman-Ford (or distance-vector) algorithm. The distance-vector algorithm has been in use for many years, and is widely deployed and understood.

OSPF is a link-state protocol, based on the Dijkstra link-state algorithm. OSPF is a newer Interior Gateway Protocol (IGP), and solves a number of problems associated with using RIP on today’s complex networks.

NOTE Both RIP and OSPF can be enabled on a single VLAN.

RIP Versus OSPF

The distinction between RIP and OSPF lies in the fundamental differences between distance-vector protocols and link-state protocols. Using a distance-vector protocol, each router creates a unique routing table from summarized information obtained from neighboring routers. Using a link-state protocol, every router maintains an identical routing table created from information obtained from all routers in the autonomous system. Each router builds a shortest path tree, using itself as the root. The link-state protocol ensures that updates sent to neighboring routers are acknowledged by the neighbors, verifying that all routers have a consistent network map.

The biggest advantage of using RIP is that it is relatively simple to understand and implement, and it has been the de facto routing standard for many years.

RIP has a number of limitations that can cause problems in large networks, including:
• A limit of 15 hops between the source and destination networks.
• A large amount of bandwidth taken up by periodic broadcasts of the entire routing table.
• Slow convergence.
• Routing decisions based on hop count; no concept of link costs or delay.
• Flat networks; no concept of areas or boundaries.

OSPF offers many advantages over RIP, including:
• No limitation on hop count.
• Route updates multicast only when changes occur.
• Faster convergence.
• Support for load balancing to multiple routers based on the actual cost of the link.
• Support for hierarchical topologies where the network is divided into areas.

The details of RIP and OSPF are explained later in this chapter.

Overview of RIP

RIP is an Interior Gateway Protocol (IGP) first used in computer routing in the Advanced Research Projects Agency Network (ARPAnet) as early as 1969. It is primarily intended for use in homogeneous networks of moderate size.

To determine the best path to a distant network, a router using RIP always selects the path that has the least number of hops. Each router that data must traverse is considered to be one hop.

Routing Table

The routing table in a router using RIP contains an entry for every known destination network. Each routing table entry contains the following information:
• IP address of the destination network
• Metric (hop count) to the destination network
• IP address of the next router
• Timer that tracks the amount of time since the entry was last updated

The router exchanges an update message with each neighbor every 30 seconds (default value), or if there is a change to the overall routed topology (also called triggered updates). If a router does not receive an update message from its neighbor within the route timeout period (180 seconds by default), the router assumes the connection between it and its neighbor is no longer available.

Split Horizon

Split horizon is a scheme for avoiding problems caused by including routes in updates sent to the router from which the route was learned. Split horizon omits routes learned from a neighbor in updates sent to that neighbor.

Poison Reverse

Like split horizon, poison reverse is a scheme for eliminating the possibility of loops in the routed topology. In this case, a router advertises a route over the same interface that supplied the route, but the route uses a hop count of 16, defining it as unreachable.

Triggered Updates

Triggered updates occur whenever a router changes the metric for a route, and it is required to send an update message immediately, even if it is not yet time for a regular update message to be sent. This will generally result in faster convergence, but may also result in more RIP-related traffic.

Route Advertisement of VLANs

VLANs that are configured with an IP address, but are configured to not route IP or are not configured to run RIP, do not have their subnets advertised by RIP. Only those VLANs that are configured with an IP address and are configured to route IP and run RIP have their subnets advertised.

RIP Version 1 Versus RIP Version 2

A new version of RIP, called RIP version 2, expands the functionality of RIP version 1 to include:
• Variable-Length Subnet Masks (VLSMs).
• Support for next-hop addresses, which allows for optimization of routes in certain environments.
• Multicasting. RIP version 2 packets can be multicast instead of being broadcast, reducing the load on hosts that do not support routing protocols.
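The effect of the split horizon and poison reverse schemes described above can be seen in a small simulation, added here as an example and not taken from the switch software. It assumes a constructed three-router chain A-B-C with network N attached to C, synchronous periodic updates only (no triggered updates or route timeout), and counts update rounds until A and B both mark N unreachable after the B-C link fails.

```python
INFINITY = 16        # RIP hop count that defines a route as unreachable
UPDATE_SECONDS = 30  # default periodic update interval given on this page


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = set()
        self.table = {}  # destination -> (metric, next_hop); None = connected

    def advertise(self, to, mode):
        """Build the update sent to neighbor `to` under the given scheme."""
        update = {}
        for dest, (metric, via) in self.table.items():
            if via == to:
                if mode == "split-horizon":
                    continue           # omit routes learned from this neighbor
                if mode == "poison-reverse":
                    metric = INFINITY  # send them back as unreachable
            update[dest] = metric
        return update

    def receive(self, sender, update):
        for dest, metric in update.items():
            new = min(metric + 1, INFINITY)
            current = self.table.get(dest)
            if current is None:
                if new < INFINITY:
                    self.table[dest] = (new, sender)
            elif current[1] == sender or new < current[0]:
                # Always believe the current next hop; otherwise take a
                # strictly better metric.
                self.table[dest] = (new, sender)


def run_round(routers, mode):
    # Snapshot every update first so all routers send from pre-round tables.
    updates = [(r.name, n, r.advertise(n, mode))
               for r in routers.values() for n in sorted(r.neighbors)]
    for sender, receiver, update in updates:
        routers[receiver].receive(sender, update)


def build_chain():
    routers = {n: Router(n) for n in "ABC"}
    for a, b in (("A", "B"), ("B", "C")):
        routers[a].neighbors.add(b)
        routers[b].neighbors.add(a)
    routers["C"].table["N"] = (1, None)  # N is directly attached to C
    return routers


def fail_link(routers, a, b):
    for x, y in ((a, b), (b, a)):
        routers[x].neighbors.discard(y)
        for dest, (metric, via) in list(routers[x].table.items()):
            if via == y:
                routers[x].table[dest] = (INFINITY, via)


def rounds_until_withdrawn(mode, limit=50):
    """Rounds after the B-C failure until A and B both see N as unreachable."""
    routers = build_chain()
    for _ in range(3):                   # initial convergence
        run_round(routers, mode)
    fail_link(routers, "B", "C")
    for rounds in range(1, limit + 1):
        run_round(routers, mode)
        if all(routers[r].table["N"][0] == INFINITY for r in "AB"):
            return rounds
    return None


def withdrawal_seconds(mode):
    return rounds_until_withdrawn(mode) * UPDATE_SECONDS


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, rounds_until_withdrawn(mode), "rounds,",
              withdrawal_seconds(mode), "seconds")
```

Without either scheme, A and B keep re-advertising the dead route to each other and the metric climbs to 16 two hops at a time; with either scheme the route is withdrawn in the first update round.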

NOTE If you are using RIP with supernetting/Classless Inter-Domain Routing (CIDR), you must use RIPv2 only. In addition, RIP route aggregation must be turned off.

Overview of OSPF

OSPF is a link-state protocol that distributes routing information between routers belonging to a single IP domain, also known as an autonomous system (AS). In a link-state routing protocol, each router maintains a database describing the topology of the autonomous system. Each participating router has an identical database maintained from the perspective of that router.

From the link-state database (LSDB), each router constructs a tree of shortest paths, using itself as the root. The shortest path tree provides the route to each destination in the autonomous system. When several equal-cost routes to a destination exist, traffic can be distributed among them. The cost of a route is described by a single metric.

NOTE A Summit 200 series switch can support up to two non-passive OSPF interfaces, and cannot be a designated or a backup designated router.

Link-State Database

Upon initialization, each router transmits a link-state advertisement (LSA) on each of its interfaces. LSAs are collected by each router and entered into the LSDB of each router. Once all LSAs are received, the router uses the LSDB to calculate the best routes for use in the IP routing table. OSPF uses flooding to distribute LSAs between routers. Any change in routing information is sent to all of the routers in the network. All routers within an area have the exact same LSDB. Table 59 describes LSA type numbers.

Table 59: LSA Type Numbers

Type Number   Description
1             Router LSA
2             Network LSA
3             Summary LSA
4             AS summary LSA
5             AS external LSA
7             NSSA external LSA
9             Link local
10            Area scoping
11            AS scoping

Database Overflow

The OSPF database overflow feature allows you to limit the size of the LSDB and to maintain a consistent LSDB across all the routers in the domain, which ensures that all routers have a consistent view of the network.

Consistency is achieved by:
• Limiting the number of external LSAs in the database of each router.
• Ensuring that all routers have identical LSAs.

To configure OSPF database overflow, use the following command:
config ospf ase-limit <number> {timeout <seconds>}

where:
number    Specifies the number of external LSAs (excluding the default LSAs) that the system supports before it goes into overflow state. A limit value of zero disables the functionality. When the LSDB size limit is reached, OSPF database overflow flushes LSAs from the LSDB. OSPF database overflow flushes the same LSAs from all the routers, which maintains consistency.
timeout   Specifies the timeout, in seconds, after which the system ceases to be in overflow state. A timeout value of zero leaves the system in overflow state until OSPF is disabled and re-enabled.

Opaque LSAs

Opaque LSAs are a generic OSPF mechanism used to carry auxiliary information in the OSPF database. Opaque LSAs are most commonly used to support OSPF traffic engineering.

Normally, support for opaque LSAs is auto-negotiated between OSPF neighbors. In the event that you experience interoperability problems, you can disable opaque LSAs across the entire system using the following command:
disable ospf capability opaque-lsa

To re-enable opaque LSAs across the entire system, use the following command:
enable ospf capability opaque-lsa

If your network uses opaque LSAs, we recommend that all routers on your OSPF network support opaque LSAs. Routers that do not support opaque LSAs do not store or flood them. At minimum a well-interconnected subsection of your OSPF network needs to support opaque LSAs to maintain reliability of their transmission.

Areas

OSPF allows parts of a network to be grouped together into areas. The topology within an area is hidden from the rest of the autonomous system. Hiding this information enables a significant reduction in LSA traffic, and reduces the computations needed to maintain the LSDB. Routing within the area is determined only by the topology of the area.

The three types of routers defined by OSPF are as follows:
• Internal Router (IR)—An internal router has all of its interfaces within the same area.
• Area Border Router (ABR)—An ABR has interfaces in multiple areas. It is responsible for exchanging summary advertisements with other ABRs. You can create a maximum of 7 non-zero areas.
• Autonomous System Border Router (ASBR)—An ASBR acts as a gateway between OSPF and other routing protocols, or other autonomous systems.

Backbone Area (Area 0.0.0.0)

Any OSPF network that contains more than one area is required to have an area configured as area 0.0.0.0, also called the backbone. All areas in an autonomous system must be connected to the backbone. When designing networks, you should start with area 0.0.0.0, and then expand into other areas.

The backbone allows summary information to be exchanged between ABRs. Every ABR hears the area summaries from all other ABRs. The ABR then forms a picture of the distance to all networks outside of its area by examining the collected advertisements, and adding in the backbone distance to each advertising router.

When a VLAN is configured to run OSPF, you must configure the area for the VLAN. If you want to configure the VLAN to be part of a different OSPF area, use the following command:
config ospf vlan <name> area <areaid>

If this is the first instance of the OSPF area being used, you must create the area first using the following command:
create ospf area <areaid>

Stub Areas

OSPF allows certain areas to be configured as stub areas. A stub area is connected to only one other area. The area that connects to a stub area can be the backbone area. External route information is not distributed into stub areas. Stub areas are used to reduce memory consumption and computation requirements on OSPF routers.

Not-So-Stubby-Areas (NSSA)

NSSAs are similar to the existing OSPF stub area configuration option, but have the following two additional capabilities:
• External routes originating from an ASBR connected to the NSSA can be advertised within the NSSA.
• External routes originating from the NSSA can be propagated to other areas, including the backbone area.

The CLI command to control the NSSA function is similar to the command used for configuring a stub area, as follows:
config ospf area <area_id> nssa {summary | nosummary} stub-default-cost <cost> {translate}

The translate option determines whether type 7 LSAs are translated into type 5 LSAs. When configuring an OSPF area as an NSSA, the translate option should only be used on NSSA border routers, where translation is to be enforced. If translate is not used on any NSSA border router in an NSSA, one of the ABRs for that NSSA is elected to perform translation (as indicated in the NSSA specification). The option should not be used on NSSA internal routers. Doing so inhibits correct operation of the election algorithm.

Normal Area

A normal area is an area that is not:
• Area 0.
• Stub area.
• NSSA.

Virtual links can be configured through normal areas. External routes can be distributed into normal areas.

Virtual Links

In the situation when a new area is introduced that does not have a direct physical attachment to the backbone, a virtual link is used. A virtual link provides a logical path between the ABR of the disconnected area and the ABR of the normal area that connects to the backbone. A virtual link must be established between two ABRs that have a common area, with one ABR connected to the backbone. Figure 34 illustrates a virtual link.

NOTE Virtual links cannot be configured through a stub or NSSA area.

Figure 34: Virtual link using Area 1 as a transit area

Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 35, if the connection between ABR1 and the backbone fails, the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the backbone using the virtual link.

Figure 35: Virtual link providing redundancy

Point-to-Point Support

You can manually configure the OSPF link type for a VLAN. Table 60 describes the link types.

Table 60: OSPF Link Types

Link Type: Auto
Number of Routers: Varies
Description: ExtremeWare automatically determines the OSPF link type based on the interface type. This is the default setting.

Link Type: Broadcast
Number of Routers: Any
Description: Routers must elect a designated router (DR) and a backup designated router (BDR) during synchronization. Ethernet is an example of a broadcast link.

Link Type: Point-to-point
Number of Routers: Up to 2
Description: Synchronizes faster than a broadcast link because routers do not elect a DR or BDR. Does not operate with more than two routers on the same VLAN. PPP is an example of a point-to-point link. An OSPF point-to-point link supports only zero to two OSPF routers and does not elect a DR or BDR. If you have three or more routers on the VLAN, OSPF will fail to synchronize if the neighbor is not configured.

NOTE The number of routers in an OSPF point-to-point link is determined per-VLAN, not per-link.

NOTE All routers in the VLAN must have the same OSPF link type. If there is a mismatch, OSPF attempts to operate, but may not be reliable.

Route Re-Distribution

Both RIP and OSPF can be enabled simultaneously on the switch. Route re-distribution allows the switch to exchange routes, including static routes, between the two routing protocols. Figure 36 is an example of route re-distribution between an OSPF autonomous system and a RIP autonomous system.

Figure 36: Route re-distribution

Configuring Route Re-Distribution

Exporting routes from OSPF to RIP, and from RIP to OSPF, are discrete configuration functions. To run OSPF and RIP simultaneously, you must first configure both protocols and then verify the independent operation of each. Then you can configure the routes to export from OSPF to RIP and the routes to export from RIP to OSPF.

Re-Distributing Routes into OSPF

Enable or disable the exporting of RIP, static, and direct (interface) routes to OSPF using the following commands:

enable ospf export [static | rip | direct] [cost <metric> [ase-type-1 | ase-type-2] {tag <number>}]
disable ospf export [static | rip | direct]

These commands enable or disable the exporting of RIP, static, and direct routes by way of LSA to other OSPF routers as AS-external type 1 or type 2 routes. The default setting is disabled.

The cost metric is inserted for all RIP-learned, static, and direct routes injected into OSPF. If the cost metric is set to 0, the cost is inserted from the route. The tag value is used only by special routing applications. Use 0 if you do not have specific requirements for using a tag. The tag value in this instance has no relationship with 802.1Q VLAN tagging.

The same cost, cost-type, and tag values can be inserted for all the export routes, or route maps can be used for selective insertion.

Verify the configuration using the command:
show ospf

Re-Distributing Routes into RIP

Enable or disable the exporting of static, direct, and OSPF-learned routes into the RIP domain using the following commands:

enable rip export [static | direct | ospf | ospf-intra | ospf-inter | ospf-extern1 | ospf-extern2] cost <metric> tag <number>
disable rip export [static | direct | ospf | ospf-intra | ospf-inter | ospf-extern1 | ospf-extern2]

These commands enable or disable the exporting of static, direct, and OSPF-learned routes into the RIP domain. You can choose which types of OSPF routes are injected, or you can simply choose ospf, which will inject all learned OSPF routes regardless of type. The default setting is disabled.

OSPF Timers and Authentication

Configuring OSPF timers and authentication on a per-area basis is a shorthand for applying the timers and authentication to each VLAN in the area at the time of configuration. If you add more VLANs to the area, you must configure the timers and authentication for the new VLANs explicitly.

Configuring RIP

Table 61 describes the commands used to configure RIP.

Table 61: RIP Configuration Commands

Command: config rip add vlan [<name> | all]
Description: Configures RIP on an IP interface. When an IP interface is created, per-interface RIP configuration is disabled by default.

Command: config rip delete vlan [<name> | all]
Description: Disables RIP on an IP interface. When RIP is disabled on the interface, the parameters are not reset to their defaults.

Command: config rip garbagetime {<seconds>}
Description: Configures the RIP garbage time. The timer granularity is 10 seconds. The default setting is 120 seconds.

Command: config rip routetimeout {<seconds>}
Description: Configures the route timeout. The default setting is 180 seconds.

Command: config rip rxmode [none | v1only | v2only | any] {vlan <name>}
Description: Changes the RIP receive mode for one or all VLANs. Specify:
• none—Drop all received RIP packets.
• v1only—Accept only RIP v1 format packets.
• v2only—Accept only RIP v2 format packets.
• any—Accept both RIP v1 and v2 packets.
If no VLAN is specified, the setting is applied to all VLANs. The default setting is any.

Command: config rip txmode [none | v1only | v1comp | v2only] {vlan <name>}
Description: Changes the RIP transmission mode for one or all VLANs. Specify:
• none—Do not transmit any packets on this interface.
• v1only—Transmit RIP v1 format packets to the broadcast address.
• v1comp—Transmit RIP v2 format packets to the broadcast address.
• v2only—Transmit RIP v2 format packets to the RIP multicast address.
If no VLAN is specified, the setting is applied to all VLANs. The default setting is v2only.

Command: config rip updatetime {<seconds>}
Description: Changes the periodic RIP update timer. The default setting is 30 seconds.

Command: config rip vlan [<name> | all] cost <number>
Description: Configures the cost (metric) of the interface. The default setting is 1.

Command: enable rip
Description: Enables RIP. The default setting is disabled.

enable rip aggregation
    Enables aggregation of subnet information on interfaces configured to send RIP v2 or RIP v2-compatible traffic. The switch summarizes subnet routes to the nearest class network route. The following rules apply when using RIP aggregation:
    • Subnet routes are aggregated to the nearest class network route when crossing a class boundary.
    • Within a class boundary, no routes are aggregated.
    • If aggregation is enabled, the behavior is the same as in RIP v1.
    • If aggregation is disabled, subnet routes are never aggregated, even when crossing a class boundary.
    The default setting is disabled.

enable rip export [static | direct | ospf | ospf-intra | ospf-inter | ospf-extern1 | ospf-extern2] metric <metric> {tag <number>}
    Enables RIP to redistribute routes from other routing functions. Specify one of the following:
    • static—Static routes
    • direct—Interface routes (only interfaces that have IP forwarding enabled are exported)
    • ospf—All OSPF routes
    • ospf-intra—OSPF intra-area routes
    • ospf-inter—OSPF inter-area routes
    • ospf-extern1—OSPF AS-external route type 1
    • ospf-extern2—OSPF AS-external route type 2
    The metric range is 0–15. If set to 0, RIP uses the route metric obtained from the route origin.

enable rip originate-default {always} cost <metric> {tag <number>}
    Configures a default route to be advertised by RIP if no other default route is advertised. If always is specified, RIP always advertises the default route to its neighbors. If always is not specified, RIP adds a default route if there is a reachable default route in the route table.

enable rip poisonreverse
    Enables the split horizon with poison-reverse algorithm for RIP. The default setting is enabled. If you enable poison reverse and split horizon, poison reverse takes precedence.

enable rip splithorizon
    Enables the split horizon algorithm for RIP. Default setting is enabled.

enable rip triggerupdates
    Enables triggered updates. Triggered updates are a mechanism for immediately notifying a router’s neighbors when the router adds or deletes routes, or changes the metric of a route. The default setting is enabled.

RIP Configuration Example
Figure 37 illustrates a switch that has two VLANs defined as follows:
• Finance, which contains ports 2 and 4 and has the IP address 192.207.35.1
• Personnel, which contains ports 3 and 5 and has the IP address 192.207.36.1

[Figure 37: RIP configuration example. VLAN Finance (network 192.207.35.0, router interface 192.207.35.1) and VLAN Personnel (network 192.207.36.0, router interface 192.207.36.1) on ports 2, 3, 4, and 5; stations shown: 192.207.35.11, 192.207.36.12, 192.207.35.13, 192.207.36.14.]

In this configuration, all IP traffic from stations connected to ports 2 and 4 has access to the router by way of the VLAN Finance. Ports 3 and 5 reach the router by way of the VLAN Personnel. The example in Figure 37 is configured as follows:

create vlan Finance
create vlan Personnel
config Finance add port 2,4
config Personnel add port 3,5
config Finance ipaddress 192.207.35.1
config Personnel ipaddress 192.207.36.1
enable ipforwarding
config rip add vlan all
enable rip


Displaying RIP Settings
To display settings for RIP, use the commands listed in Table 62.

Table 62: RIP Show Commands

show rip {detail}
    Displays RIP configuration and statistics for all VLANs.

show rip stat {detail}
    Displays RIP-specific statistics for all VLANs.

show rip stat vlan <name>
    Displays RIP-specific statistics for a VLAN.

show rip vlan <name>
    Displays RIP configuration and statistics for a VLAN.

Resetting and Disabling RIP
To return RIP settings to their defaults, or to disable RIP, use the commands listed in Table 63.

Table 63: RIP Reset and Disable Commands

config rip delete [vlan <name> | all]
    Disables RIP on an IP interface. When RIP is disabled on the interface, the parameters are not reset to their defaults.

disable rip
    Disables RIP.

disable rip aggregation
    Disables the RIP aggregation of subnet information on a RIP v2 interface.

disable rip export [static | direct | ospf | ospf-intra | ospf-inter | ospf-extern1 | ospf-extern2] metric <metric> {tag <number>}
    Disables the distribution of non-RIP routes into the RIP domain.

disable rip originate-default
    Disables the advertisement of a default route.

disable rip poisonreverse
    Disables poison reverse.

disable rip splithorizon
    Disables split horizon.

disable rip triggerupdates
    Disables triggered updates.

unconfig rip {vlan <name>}
    Resets all RIP parameters to match the default VLAN. Does not change the enable/disable state of the RIP settings. If no VLAN is specified, all VLANs are reset.

Configuring OSPF
Each switch that is configured to run OSPF must have a unique router ID. It is recommended that you manually set the router ID of the switches participating in OSPF, instead of having the switch automatically choose its router ID based on the highest interface IP address. Not performing this configuration in larger, dynamic environments could result in an older link state database remaining in use.


Table 64 describes the commands used to configure OSPF.

Table 64: OSPF Configuration Commands
config ospf add vlan <name> area <areaid> link-type [auto | broadcast | point-to-point] {passive}
    Configures the OSPF link type. Specify one of the following:
    • auto—ExtremeWare automatically determines the OSPF link type based on the interface type.
    • broadcast—Broadcast link, such as Ethernet. Routers must elect a DR and a BDR during synchronization.
    • point-to-point—Point-to-point link type, such as PPP.
    The default setting is auto. The passive parameter indicates that the interface does not send or receive OSPF packets.

config ospf vlan <name> neighbor add <ipaddress>
    Configures the IP address of a point-to-point neighbor.

config ospf vlan <name> neighbor delete <ipaddress>
    Deletes the IP address of a point-to-point neighbor.

config ospf [area <areaid> | vlan [<name> | all]] cost [automatic | <number>]
    Configures the cost metric of one or all VLAN(s). If an area is specified, the cost metric is applied to all VLANs currently within that area. When automatic is specified, the advertised cost is determined from the OSPF metric table and corresponds to the active highest bandwidth port in the VLAN.

config ospf [vlan <name> | area <areaid> | virtual-link <routerid> <areaid>] authentication [simple-password <password> | md5 <md5_key_id> <md5_key> | none | encrypted [simple-password <password> | md5 <md5_key_id> <md5_key>]]
    Specifies the authentication password (up to eight characters) or Message Digest 5 (MD5) key for one or all interfaces (VLANs) in an area. The md5_key is a numeric value with the range 0 to 65,536. When the OSPF area is specified, authentication information is applied to all OSPF interfaces within the area.

config ospf [vlan <name> | area <areaid> | virtual-link <routerid> <areaid>] timer <retransmission_interval> <transmission_delay> <hello_interval> <dead_interval>
    Configures the timers for one interface or all interfaces in the same OSPF area. The following default, minimum, and maximum values (in seconds) are used:
    • retransmission_interval: Default: 5, Minimum: 0, Maximum: 3,600
    • transmission_delay: Default: 1, Minimum: 0, Maximum: 3,600
    • hello_interval: Default: 10, Minimum: 1, Maximum: 65,535
    • dead_interval: Default: 40, Minimum: 1, Maximum: 2,147,483,647

config ospf add virtual-link <routerid> <areaid>
    Adds a virtual link to another ABR. Specify the following:
    • routerid—Far-end router interface number.
    • areaid—Transit area used for connecting the two end-points.

config ospf add vlan <name> area <areaid> {passive}
    Enables OSPF on one or all VLANs (router interfaces). The <areaid> specifies the area to which the VLAN is assigned. The passive parameter indicates that the interface does not send or receive OSPF packets.

config ospf area <areaid> add range <ipaddress> <mask> [advertise | noadvertise] [type 3 | type 7]
    Configures a range of IP addresses in an OSPF area. If advertised, the range is exported as a single LSA by the ABR.

config ospf area <areaid> delete range <ipaddress> <mask>
    Deletes a range of IP addresses in an OSPF area.

config ospf area <areaid> normal
    Configures an OSPF area as a normal area. The default setting is normal.

config ospf area <areaid> nssa [summary | nosummary] stub-default-cost <cost> {translate}
    Configures an OSPF area as a NSSA.

config ospf area <areaid> stub [summary | nosummary] stub-default-cost <cost>
    Configures an OSPF area as a stub area.

config ospf asbr-filter [<access_profile> | none]
    Configures a route filter for non-OSPF routes exported into OSPF. If none is specified, no RIP and static routes are filtered.

config ospf ase-limit <number> {timeout <seconds>}
    Configures OSPF database overflow.

config ospf ase-summary add <ipaddress> <mask> cost <cost> {<tag_number>}
    Configures an aggregated OSPF external route using the IP addresses specified.

config ospf ase-summary delete <ipaddress> <mask>
    Deletes an aggregated OSPF external route.

config ospf delete virtual-link <routerid> <areaid>
    Removes a virtual link.

config ospf delete vlan [<name> | all]
    Disables OSPF on one or all VLANs (router interfaces).

config ospf direct-filter [<access_profile> | none]
    Configures a route filter for direct routes. If none is specified, all direct routes are exported if ospf export direct is enabled.

config ospf lsa-batching-timer <timer_value>
    Configures the OSPF LSA batching timer value. The range is between 0 (disabled) and 600 seconds, using multiples of 5 seconds. The LSAs added to the LSDB during the interval are batched together for refresh or timeout. The default setting is 30 seconds.

config ospf metric-table <10M_cost> <100M_cost> <1G_cost>
    Configures the automatic interface costs for 10 Mbps, 100 Mbps, and 1 Gbps interfaces. The default cost for 10 Mbps is 10, for 100 Mbps is 5, and for 4 Gbps is 1.

config ospf routerid [automatic | <routerid>]
    Configures the OSPF router ID. If automatic is specified, the switch uses the largest IP interface address as the OSPF router ID. The default setting is automatic.

config ospf spf-hold-time {<seconds>}
    Configures the minimum number of seconds between Shortest Path First (SPF) recalculations. The default setting is 3 seconds.

config ospf vlan <name> area <areaid>
    Changes the area ID of an OSPF interface (VLAN).


config ospf vlan <vlan> timer <rxmtinterval> <transitdelay> <hellointerval> <routerdeadinterval> [<waitinterval>]
    Configures the OSPF wait interval. Specify the following:
    • rxmtinterval—The length of time that the router waits before retransmitting an LSA that is not acknowledged. If you set an interval that is too short, unnecessary retransmissions will result. The default value is 5 seconds.
    • transitdelay—The length of time it takes to transmit an LSA packet over the interface. The transit delay must be greater than 0.
    • hellointerval—The interval at which routers send hello packets. Smaller times allow routers to discover each other more quickly, but also increase network traffic. The default value is 10 seconds.
    • routerdeadinterval—The interval after which a neighboring router is declared down due to the fact that hello packets are no longer received from the neighbor. This interval should be a multiple of the hello interval. The default value is 40 seconds.
    • waitinterval—The interval between the interface coming up and the election of the DR and BDR. This interval is required by the OSPF standard to be equal to the routerdeadinterval. Under some circumstances, setting the waitinterval to smaller values can help OSPF routers on a broadcast network to synchronize more quickly at the expense of possibly electing an incorrect DR or BDR. This value should not be set to less than the hellointerval. The default value is equal to the routerdeadinterval.

create ospf area <areaid>
    Creates an OSPF area. Area 0 does not need to be created. It exists by default.

disable ospf capability opaque-lsa
    Disables OSPF opaque LSA support.

enable ospf
    Enables OSPF process for the router.

enable ospf capability opaque-lsa
    Enables OSPF opaque LSA support.

enable ospf export direct [cost <metric> [ase-type-1 | ase-type-2] {tag <number>}]
    Enables the distribution of local interface (direct) routes into the OSPF domain. Once enabled, the OSPF router is considered to be an ASBR. The default tag number is 0. The default setting is disabled. Interface routes which correspond to the interface that has OSPF enabled are ignored.

enable ospf export rip [cost <metric> [ase-type-1 | ase-type-2] {tag <number>}]
    Enables the distribution of RIP routes into the OSPF domain. Once enabled, the OSPF router is considered to be an ASBR. The default tag number is 0. The default setting is disabled.

enable ospf export static [cost <metric> [ase-type-1 | ase-type-2] {tag <number>}]
    Enables the distribution of static routes into the OSPF domain. Once enabled, the OSPF router is considered to be an ASBR. The default tag number is 0. The default setting is disabled.

enable ospf originate-default {always} cost <metric> [ase-type-1 | ase-type-2] {tag <number>}
    Configures a default external LSA to be generated by OSPF, if no other default route is originated by OSPF by way of RIP and static route re-distribution. If always is specified, OSPF always advertises the default route. If always is not specified, OSPF adds the default LSA if there is a reachable default route in the route table.

Configuring OSPF Wait Interval
ExtremeWare allows you to configure the OSPF wait interval, rather than using the router dead interval.

CAUTION
Do not configure OSPF timers unless you are comfortable exceeding OSPF specifications. Non-standard settings might not be reliable under all circumstances.

To specify the timer intervals, use the following command:

config ospf vlan <vlan> timer <rxmtinterval> <transitdelay> <hellointerval> <routerdeadinterval> [<waitinterval>]

You can configure the following parameters:
• Retransmit interval (RxmtInterval)—The length of time that the router waits before retransmitting an LSA that is not acknowledged. If you set an interval that is too short, unnecessary retransmissions will result. The default value is 5 seconds.
• Transit delay (TransitDelay)—The length of time it takes to transmit an LSA packet over the interface. The transit delay must be greater than 0.
• Hello interval (HelloInterval)—The interval at which routers send hello packets. Smaller times allow routers to discover each other more quickly, but also increase network traffic. The default value is 10 seconds.
• Dead router wait interval (RouterDeadInterval)—The interval after which a neighboring router is declared down due to the fact that hello packets are no longer received from the neighbor. This interval should be a multiple of the hello interval. The default value is 40 seconds.
• Router wait interval (WaitInterval)—The interval between the interface coming up and the election of the DR and BDR. This interval should be greater than the hello interval. If it is close to the hello interval, the network synchronizes very quickly, but might not elect the correct DR or BDR. The default value is equal to the dead router wait interval.

NOTE
The OSPF standard specifies that wait times are equal to the dead router wait interval.
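The following is an added example, not part of the Extreme Networks guide: a short Python audit of a saved configuration that uses the command forms from Table 64 to flag an automatically chosen router ID, OSPF interfaces with no authentication, and per-VLAN timer values that break the rules stated in this section. The sample configuration is constructed, and treating an area-level authentication command as covering the VLANs already assigned to that area is an assumption.

```python
# Constructed sample configuration; command forms follow Table 64 of this guide.
SAMPLE_CONFIG = """\
create vlan Finance
create vlan Personnel
create ospf area 0.0.0.1
config ospf add vlan Finance area 0.0.0.0
config ospf add vlan Personnel area 0.0.0.1
config ospf vlan Finance authentication md5 1 4242
config ospf vlan Finance timer 5 1 10 40
config ospf vlan Personnel timer 5 0 10 25 5
enable ospf
"""


def check_timers(vlan, values):
    """Check <rxmt> <transit> <hello> <dead> [<wait>] against the guide's rules."""
    rxmt, transit, hello, dead = values[:4]
    wait = values[4] if len(values) > 4 else dead  # default equals routerdeadinterval
    out = []
    if transit <= 0:
        out.append((vlan, "transit delay must be greater than 0"))
    if hello < 1 or dead % hello:
        out.append((vlan, "dead interval is not a multiple of the hello interval"))
    if wait < hello:
        out.append((vlan, "wait interval is less than the hello interval"))
    elif wait != dead:
        out.append((vlan, "wait interval differs from dead interval (non-standard)"))
    return out


def audit_ospf(config_text):
    """Return a list of (scope, finding) tuples for the OSPF part of a config."""
    vlan_area = {}   # VLAN -> area ID, non-passive OSPF interfaces only
    vlan_auth = {}   # VLAN -> authentication type last applied to it
    findings = []
    routerid_manual = False
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] != ["config", "ospf"]:
            continue
        a = tok[2:]
        if len(a) == 2 and a[0] == "routerid":
            routerid_manual = a[1] != "automatic"
        elif len(a) >= 5 and a[:2] == ["add", "vlan"] and a[3] == "area":
            if "passive" not in a[5:]:  # passive interfaces exchange no OSPF packets
                vlan_area[a[2]] = a[4]
        elif len(a) >= 4 and a[0] in ("vlan", "area") and a[2] == "authentication":
            kind = a[4] if a[3] == "encrypted" and len(a) > 4 else a[3]
            # Assumption: an area-level command covers the VLANs already in that area.
            targets = [a[1]] if a[0] == "vlan" else [
                v for v, area in vlan_area.items() if area == a[1]]
            for v in targets:
                vlan_auth[v] = kind
        elif len(a) >= 7 and a[0] == "vlan" and a[2] == "timer":
            findings += check_timers(a[1], [int(x) for x in a[3:8]])
    if not routerid_manual:
        # The guide recommends setting the router ID manually.
        findings.append(("global", "router ID not set manually"))
    for vlan in vlan_area:
        kind = vlan_auth.get(vlan, "none")
        if kind == "none":
            findings.append((vlan, "no OSPF authentication"))
        elif kind == "simple-password":
            # OSPF simple passwords travel unencrypted in each packet (RFC 2328).
            findings.append((vlan, "simple-password authentication is sent in cleartext"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_ospf(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Only the per-VLAN timer form is checked; timers set with the area or virtual-link form of the command are not evaluated.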

Displaying OSPF Settings
To display settings for OSPF, use the commands listed in Table 65.

Table 65: OSPF Show Commands

show ospf
    Displays global OSPF information.

show ospf area {detail}
    Displays information about all OSPF areas.

show ospf area <areaid>
    Displays information about a particular OSPF area.

show ospf ase-summary
    Displays the OSPF external route aggregation configuration.

show ospf interfaces {detail}
    Displays information about all OSPF interfaces.

show ospf interfaces {vlan <name> | area <areaid>}
    Displays information about one or all OSPF interfaces.

show ospf lsdb {detail} area [<areaid> | all] [router | network | summary-net | summary-asb | as-external | external-type7 | all]
    Displays a table of the current LSDB. You can filter the display using the area ID and LSA type. The default setting is all with no detail. If detail is specified, each entry includes complete LSA information.

show ospf virtual-link {<areaid> <routerid>}
    Displays virtual link information about a particular router or all routers.

OSPF LSD Display
ExtremeWare provides several filtering criteria for the show ospf lsdb command. You can specify multiple search criteria and only results matching all of the criteria are displayed. This allows you to control the displayed entries in large routing tables. To display the current link-state database, use the following command:

show ospf lsdb [detail | summary | stats] area [all | <areaid>[/<len>]] lstype [all | as-external | external-type7 | network | router | summary-asb | summary-net] [lsid <id>[/<len>]] [routerid <id>[/<len>]]

The detail option displays all fields of matching LSAs in a multi-line format. The summary option displays several important fields of matching LSAs, one line per LSA. The stats option displays the number of matching LSAs, but not any of their contents. If not specified, the default is to display in the summary format.

A common use of this command is to omit all optional parameters, resulting in the following shortened form:

show ospf lsdb

The shortened form displays all areas and all types in a summary format.

Resetting and Disabling OSPF Settings
To return OSPF settings to their defaults, use the commands listed in Table 66.

Table 66: OSPF Reset and Disable Commands

delete ospf area [<areaid> | all]
    Deletes an OSPF area. Once an OSPF area is removed, the associated OSPF area and OSPF interface information is removed. The backbone area cannot be deleted. A non-empty area cannot be deleted.

disable ospf
    Disables OSPF process in the router.

disable ospf export direct
    Disables exporting of local interface (direct) routes into the OSPF domain.

disable ospf export rip
    Disables exporting of RIP routes in the OSPF domain.

disable ospf export static
    Disables exporting of statically configured routes into the OSPF domain.

unconfig ospf {vlan <name> | area <areaid>}
    Resets one or all OSPF interfaces to the default settings.


17 IP Multicast Groups and IGMP Snooping

This chapter describes the following topics:
• Overview
• Configuring IGMP and IGMP Snooping
• Displaying IGMP Snooping Configuration Information
• Clearing, Disabling, and Resetting IGMP Functions

For more information on IP multicast groups and IGMP snooping, see the following publications:
• RFC 1112—Host Extension for IP Multicasting
• RFC 2236—Internet Group Management Protocol, Version 2

Overview
To constrain the flooding of multicast traffic, configure Summit 200 series switch interfaces to use Internet Group Management Protocol (IGMP) snooping so that multicast traffic is forwarded only to interfaces associated with IP multicast entities. IGMP is a protocol used by an IP host to register its IP multicast group membership with a router. Periodically, the router queries the multicast group to see if the group is still in use. If the group is still active, a single IP host responds to the query, and group registration is maintained.

When configured to use IGMP snooping, a Summit 200 series switch “snoops” on IGMP transmissions to keep track of multicast groups and member ports. IGMP snooping is a layer 2 function of the switch. It does not require multicast routing to be enabled, and is enabled by default. IGMP snooping optimizes the usage of network bandwidth and prevents multicast traffic from being flooded to parts of the network that do not need it. The switch does not reduce any IP multicast traffic in the local multicast domain (224.0.0.x).

IGMP is enabled by default on the switch. However, the switch can be configured to disable the generation of period IGMP query packets. IGMP query should be enabled when the switch is configured to perform IP unicast routing.

If IGMP snooping is disabled, all IGMP and IP multicast traffic floods within a given VLAN. IGMP snooping expects at least one device in the network to generate periodic IGMP query messages. Without an IGMP querier, the switch stops forwarding IP multicast packets to any port.

When a port sends an IGMP leave message, the switch removes the IGMP snooping entry after 10 seconds. The switch sends a query to determine which ports want to remain in the multicast group. If other members of the VLAN want to remain in the multicast group, the router ignores the leave message, but the port that requests removal is removed from the IGMP snooping table. If the last port within a VLAN sends an IGMP leave message, the router does not receive any responses to the query, and the router immediately removes the VLAN from the multicast group.

Configuring IGMP and IGMP Snooping
Table 67 describes the commands used to configure IGMP and IGMP snooping on the Summit 200 series switches.

Table 67: IGMP and IGMP Snooping Commands

config igmp <query_interval> <query_response_interval> <last_member_query_interval>
    Configures the IGMP timers. Timers are based on RFC 2236. Specify the following:
    • query_interval—The amount of time, in seconds, the system waits between sending out General Queries. The range is 1 to 2,147,483,647 seconds (68 years). The default setting is 125 seconds.
    • query_response_interval—The maximum response time inserted into the periodic General Queries. The range is 1 to 25 seconds. The default setting is 10 seconds.
    • last_member_query_interval—The maximum response time inserted into a Group-Specific Query sent in response to a Leave group message. The range is 1 to 25 seconds. The default setting is 1 second.

config igmp snooping <router_timeout> <host_timeout>
    Configures the IGMP snooping timers. Timers should be set to approximately 2.5 times the router query interval in use on the network. Specify the following:
    • router_timeout—The interval, in seconds, between the last time the router was discovered and the current time. The range is 10 to 2,147,483,647 seconds (68 years). The default setting is 260 seconds.
    • host_timeout—The interval, in seconds, between the last IGMP group report message from the host and the current time. The range is 10 to 2,147,483,647 seconds (68 years). The default setting is 260 seconds.

enable igmp {vlan <name>}
    Enables IGMP on a router interface. If no VLAN is specified, IGMP is enabled on all router interfaces. The default setting is enabled.

enable igmp snooping {forward-mcrouter-only} {with-proxy}
    Enables IGMP snooping on the switch. Specify the forward-mcrouter-only option to have the switch forward all multicast traffic to the multicast router only; otherwise, the switch forwards all multicast traffic to any IP router. Specify the with-proxy option to enable the IGMP snooping proxy. If snooping is not enabled, enabling the proxy also enables snooping. Enabling the proxy allows the switch to suppress duplicate “join” requests on a group to prevent forwarding to the connected layer 3 switch. The proxy also suppresses superfluous IGMP “leave” messages so that they are forwarded only when the last member leaves the group. The default setting is enabled. This command is useful for troubleshooting purposes.

Displaying IGMP Snooping Configuration Information
To display IGMP snooping registration information and a summary of all IGMP timers and states, use the following command:

show igmp snooping {vlan <name>} {detail}

Clearing, Disabling, and Resetting IGMP Functions
To clear IGMP snooping entries, disable IGMP or IGMP snooping, or return IGMP settings to their defaults, use the commands listed in Table 68.

Table 68: IGMP Disable and Reset Commands

clear igmp snooping {vlan <name>}
    Removes one or all IGMP snooping entries.

disable igmp {vlan <name>}
    Disables the router-side IGMP processing on a router interface. No IGMP query is generated, but the switch continues to respond to IGMP queries received from other devices. If no VLAN is specified, IGMP is disabled on all router interfaces.

disable igmp snooping
    Disables IGMP snooping. Disabling IGMP snooping allows all IGMP and IP multicast traffic to flood within a given VLAN.

unconfig igmp
    Resets all IGMP settings to their default values and clears the IGMP group table.


A Safety Information

Important Safety Information

WARNING!
Read the following safety information thoroughly before installing your Extreme Networks switch. Failure to follow this safety information can lead to personal injury or damage to the equipment.

Installation, maintenance, removal of parts, and removal of the unit and components must be done by qualified service personnel only. Service personnel are people having appropriate technical training and experience necessary to be aware of the hazards to which they are exposed when performing a task and of measures to minimize the danger to themselves or other people.

Install the unit only in a temperature- and humidity-controlled indoor area free of airborne materials that can conduct electricity. Too much humidity can cause a fire. Too little humidity can produce electrical shock and fire.

NOTE
For more information about the temperature and humidity ranges for the Summit 200 series switches, see Appendix B.

Power
The Summit 200 series switch has one power input on the switch.
• The unit must be grounded. Do not connect the power supply unit to an AC outlet without a ground connection.
• The unit must be connected to a grounded outlet to comply with European safety standards.
• The socket outlet must be near the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet.
• This unit operates under Safety Extra Low Voltage (SELV) conditions according to IEC 950. The conditions are only maintained if the equipment to which it is connected also operates under SELV conditions.
• The appliance coupler (the connector to the unit and not the wall plug) must have a configuration for mating with an EN60320/IEC320 appliance inlet.
• France and Peru only—This unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labeled Neutral, connected directly to ground.

Power Cord
The power cord must be approved for the country where it is used:
• USA and Canada
  — The cord set must be UL-listed and CSA-certified.
  — The minimum specification for the flexible cord is No. 18 AWG (1.5 mm2), Type SVT or SJT, 3-conductor.
  — The cord set must have a rated current capacity of at least the amount rated for each specific product.
  — The AC attachment plug must be an Earth-grounding type with a NEMA 5-15P (10 A, 125 V) configuration.
• Denmark—The supply plug must comply with section 107-2-D1, standard DK2-1a or DK2-5a.
• Switzerland—The supply plug must comply with SEV/ASE 1011.
• Argentina—The supply plug must comply with Argentinian standards.

Connections
Fiber Optic ports—Optical Safety. Never look at the transmit LED/laser through a magnifying device while it is powered on. Never look directly at the fiber port or fiber cable ends when they are powered on. This is a Class 1 laser device.

WARNING!
Use only for data communications applications that require optical fiber. Use only with the appropriate connector. When not in use, replace dust cover. Using this module in ways other than those described in this manual can result in intense heat that can cause fire, property damage, or personal injury.

Lithium Battery
The battery in the bq4830/DS1644 device is encapsulated and not user-replaceable. If service personnel disregard the instructions and attempt to replace the bq4830/DS1644, replace the lithium battery with the same or equivalent type, as recommended by the manufacturer.

WARNING!
Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions.

• Disposal requirements vary by country and by state.
• Lithium batteries are not listed by the Environmental Protection Agency (EPA) as a hazardous waste. Therefore, they can typically be disposed of as normal waste.
• If you are disposing of large quantities, contact a local waste-management service.
• No hazardous compounds are used within the battery module.
• The weight of the lithium contained in each coin cell is approximately 0.035 grams.
• Two types of batteries are used interchangeably:
  — CR chemistry uses manganese dioxide as the cathode material.
  — BR chemistry uses poly-carbonmonofluoride as the cathode material.


Rev.0/1. Rev. noncondensing Standards: EN60068 to Extreme IEC68 schedule AC Line Frequency: 50 Hz to 60 Hz Input Voltage Options: 90 VAC to 264 VAC. not Rev.B Technical Specifications This appendix provides technical specifications for the following Summit 200 series switches: • Summit 200-24 Switch on page 223 • Summit 200-48 Switch on page 226 Summit 200-24 Switch Physical and Environmental Dimensions Height: 1.57 cm) Weight: 5.1 W (Listed by supply type) Digital supplies. OL and earlier: 60° to 65° C (140° to 149° F) Power-One supplies.44 cm) Width: 17.0 A 24. OM and later: 75° C (167° F) Weight Temperature and Humidity Power Heat Dissipation. C1: 70° to 75° C (158° to 167° F) Power-One supplies.75 inches (4. C1: Not drifting: 65° to 70° C (149° to 158° F) Drifting: 50° C (122° F) Digital supplies.94 cm) Depth: 8. Watts/BTU Temperature switch power-off Summit 200 Series Switch Installation and User Guide 223 .72 lbs (2.6 kg) Operating Temperature: 0° to 40° C (32° to 104° F) Storage Temperature: –40° to 70 ° C (–40° to 158° F) Operating Humidity: 10% to 95% relative humidity.1 inches (20.3 inches (43. auto-ranging Current Rating: 100-120/200-240 VAC 2. Rev.

Safety Certifications

North America
• UL 60950 3rd Edition, listed (US Safety)
• CAN/CSA-C22.2 No. 60950-00 (Canadian Safety)

Europe
• Low Voltage Directive (LVD)
• TUV-R GS Mark by German Notified Body
• EN60950:2000 (European Safety)

International
• CB Scheme IEC60950:2000 with all country deviations (International Safety)

Country Specific
• Mexico NOM/NYCE (Product Safety and EMC Approval)
• Australia/New Zealand AS/NZS 3260 (ACA DoC, Safety of ITE)
• Argentina S-Mark
• GOST (Russia)

Laser Safety

North America
• FCC 21 CFR subpart (J) (Safety of Laser Products)
• CDRH Letter of Approval (US FDA Approval)

Europe
• EN60825-2 (European Safety of Lasers)

Electromagnetic Compatibility

North America
• FCC 47 CFR Part 15 Class A (US Emissions)
• ICES-003 Class A (Canada Emissions)

Europe
• 89/336/EEC EMC Directive
• ETSI/EN 300 386:2001 (EU Telecommunications Emissions and Immunity)
• EN55022:1998 Class A (European Emissions)
• EN55024:1998 includes IEC/EN 61000-2, 3, 4, 5, 6, 11 (European Immunity)
• EN 61000-3-2, -3 (Europe Harmonics and Flicker)

International
• IEC/CISPR 22:1997 Class A (International Emissions)
• IEC/CISPR 24:1998 (International Immunity)
• IEC/EN 61000-4-2 Electrostatic Discharge
• IEC/EN 61000-4-3 Radiated Immunity
• IEC/EN 61000-4-4 Transient Bursts
• IEC/EN 61000-4-5 Surge
• IEC/EN 61000-4-6 Conducted Immunity
• IEC/EN 61000-4-11 Power Dips and Interruptions

Country Specific
• Japan Class A (VCCI Registration Emissions)
• Australia/New Zealand AS/NZS 3548 (ACA DoC, Emissions)
• Korean MIC Mark (MIC Approval, Emissions and Immunity)
• Mexico NOM/NYCE (Product Safety and EMC Approval)
• GOST (Russia)
• Taiwan CNS 13438:1997 Class A (BSMI Approval, Emissions)

Certification Marks
• CE (European Community)
• TUV/GS (German Notified Body)
• TUV/S (Argentina)
• GOST (Russian Federation)
• ACN 090 029 066 C-Tick (Australian Communication Authority)
• Underwriters Laboratories (USA and Canada)
• MIC (South Korea)
• BSMI, Republic of Taiwan
• NOM (Mexican Official Normalization, Electronic Certification and Normalization)

Technical Specifications Summit 200-48 Switch Physical and Environmental Dimensions Height: 1.0 W (Listed by supply type) Digital supplies.2 No. not Rev.00 cm) Weight: 9. noncondensing Standards: EN60068 to Extreme IEC68 schedule AC Line Frequency: 50 Hz to 60 Hz Input Voltage Options: 90 VAC to 264 VAC.44 cm) Width: 17.0 A 48. C1: Not drifting: 65° to 70° C (149° to 158° F) Drifting: 50° C (122° F) Digital supplies. Rev. Rev.4 kg) Operating Temperature: 0° to 40° C (32° to 104° F) Storage Temperature: –40° to 70 ° C (–40° to 158° F) Operating Humidity: 10% to 95% relative humidity. Safety of ITE) Argentina S-Mark GOST (Russia) FCC 21 CFR subpart (J) (Safety of Laser Products) CDRH Letter of Approval (US FDA Approval) EN60825-2 (European Safety of Lasers) Weight Temperature and Humidity Power Heat Dissipation. Rev. 60950-00 (Canadian Safety) Low Voltage Directive (LVD) TUV-R GS Mark by German Notified Body EN60950:2000 (European Safety) CB Scheme IEC60950:2000 with all country deviations (International Safety) Mexico NOM/NYCE (Product Safety and EMC Approval) Australia/New Zealand AS/NZS 3260 (ACA DoC. OL and earlier: 60° to 65° C (140° to 149° F) Power-One supplies.2 inches (31.94 cm) Depth: 12.7 lbs (4. listed (US Safety) CAN/CSA-C22.0/1.3 inches (43. OM and later: 75° C (167° F) Safety Certifications North America Europe UL 60950 3rd Edition. C1: 70° to 75° C (158° to 167° F) Power-One supplies.75 inches (4. Watts/BTU Temperature switch power-off International Country Specific Laser Safety North America Europe 226 Summit 200 Series Switch Installation and User Guide . auto-ranging Current Rating: 100-120/200-240 VAC 2.

Electromagnetic Compatibility

North America
• FCC 47 CFR Part 15 Class A (US Emissions)
• ICES-003 Class A (Canada Emissions)

Europe
• 89/336/EEC EMC Directive
• ETSI/EN 300 386:2001 (EU Telecommunications Emissions and Immunity)
• EN55022:1998 Class A (European Emissions)
• EN55024:1998 includes IEC/EN 61000-2, 3, 4, 5, 6, 11 (European Immunity)
• EN 61000-3-2, -3 (Europe Harmonics and Flicker)

International
• IEC/CISPR 22:1997 Class A (International Emissions)
• IEC/CISPR 24:1998 (International Immunity)
• IEC/EN 61000-4-2 Electrostatic Discharge
• IEC/EN 61000-4-3 Radiated Immunity
• IEC/EN 61000-4-4 Transient Bursts
• IEC/EN 61000-4-5 Surge
• IEC/EN 61000-4-6 Conducted Immunity
• IEC/EN 61000-4-11 Power Dips and Interruptions

Country Specific
• Japan Class A (VCCI Registration Emissions)
• Australia/New Zealand AS/NZS 3548 (ACA DoC, Emissions)
• Korean MIC Mark (MIC Approval, Emissions and Immunity)
• Mexico NOM/NYCE (Product Safety and EMC Approval)
• GOST (Russia)
• Taiwan CNS 13438:1997 Class A (BSMI Approval, Emissions)

Certification Marks
• CE (European Community)
• TUV/GS (German Notified Body)
• TUV/S (Argentina)
• GOST (Russian Federation)
• ACN 090 029 066 C-Tick (Australian Communication Authority)
• Underwriters Laboratories (USA and Canada)
• MIC (South Korea)
• BSMI, Republic of Taiwan
• NOM (Mexican Official Normalization, Electronic Certification and Normalization)


C Supported Standards

ExtremeWare supports the following standards for the Summit 200 series switch.

Standards and Protocols
RFC 1058 RIP
RFC 1723 RIP v2
RFC 1112 IGMP
RFC 2236 IGMP v2
RFC 2328 OSPF v2 (incl. MD5 authentication)
RFC 2154 OSPF with Digital Signatures (password, MD-5)
RFC 1587 NSSA option
RFC 1765 OSPF Database Overflow
RFC 2370 OSPF Opaque LSA Option
RFC 1122 Host requirements
IEEE 802.1D-1998 (802.1p) Packet priority
IEEE 802.1Q VLAN tagging
RFC 2474 DiffServ Precedence
RFC 783 TFTP
RFC 1542 BootP
RFC 854 Telnet
RFC 768 UDP
RFC 791 IP
RFC 792 ICMP
RFC 793 TCP
RFC 826 ARP
RFC 2068 HTTP
RFC 2131 BootP/DHCP relay
RFC 2030 Simple Network Time Protocol
RFC 1256 Router discovery protocol
RFC 1812 IP router requirement
RFC 1519 CIDR

Management and Security
RFC 1157 SNMP v1/v2c
RFC 1213 MIB II
RFC 1354 IP forwarding table MIB
RFC 1493 Bridge MIB
RFC 2037 Entity MIB
RFC 1573 Evolution of Interface
RFC 1643 Ethernet MIB
RFC 1757 Four groups of RMON
ExtremeWare VLAN Configuration private MIB
RFC 2021 RMON probe configuration
RFC 2239 802.3 MAU MIB
RFC 1724 RIP v2 MIB
RFC 1850 OSPF v2 MIB
ExtremeWare Enterprise MIB
HTML and Telnet management
RFC 2138 RADIUS
RFC 2925 Ping MIB
RFC 2233 Interface MIB
RFC 2096 IP Forwarding Table MIB
999 local messages, criticals stored across reboots


D Software Upgrade and Boot Options

This appendix describes the following topics:
• Downloading a New Image on page 231
• Saving Configuration Changes on page 232
• Using TFTP to Upload the Configuration on page 233
• Using TFTP to Download the Configuration on page 234
• Upgrading and Accessing BootROM on page 235
• Boot Option Commands on page 236

Downloading a New Image
The image file contains the executable code that runs on the switch. It comes preinstalled from the factory. As new versions of the image are released, you should upgrade the software running on your system.

The image is upgraded by using a download procedure from a Trivial File Transfer Protocol (TFTP) server on the network. Downloading a new image involves the following steps:
• Load the new image onto a TFTP server on your network (if you will be using TFTP).
• Download the new image to the switch using the download image command.

To download the image, use the following command:
download image [<ipaddress> | <hostname>] <filename> {primary | secondary}

where:
ipaddress: Specifies the IP address of the TFTP server.
hostname: Specifies the hostname of the TFTP server. (You must enable DNS to use this option.)
filename: Specifies the filename of the new image.
primary: Specifies the primary image.
secondary: Specifies the secondary image.

The switch can store up to two images: a primary and a secondary. When you download a new image, you must select into which image space (primary or secondary) the new image should be placed. If you do not select an image space, the system uses the primary image space.

Rebooting the Switch
To reboot the switch, use the following command:
reboot {time <date> <time> | cancel}

where:
date: Specifies the date when the switch will be rebooted. The date is entered in the format mm/dd/yyyy.
time: Specifies the time of day, using a 24-hour clock, when the switch will be rebooted. The time is entered in the format hh:mm:ss.

If you do not specify a reboot time, the reboot occurs immediately following the command, and any previously scheduled reboots are cancelled. To cancel a previously scheduled reboot, use the cancel option.

Saving Configuration Changes
The configuration is the customized set of parameters that you have selected to run on the switch. As you make configuration changes, the new settings are stored in run-time memory. Settings that are stored in run-time memory are not retained by the switch when the switch is rebooted. To retain the settings, and have them load when you reboot the switch, you must save the configuration to nonvolatile storage.

The switch can store two different configurations: a primary and a secondary. When you save configuration changes, you can select into which configuration area you want the changes saved. If you do not specify the configuration area, the changes are saved to the configuration area currently in use.

If you have made a mistake, or you must revert to the configuration as it was before you started making changes, you can tell the switch to use the secondary configuration on the next reboot.

To save the configuration, use the following command:
save {configuration} {primary | secondary}

To use the configuration, use the following command:
use configuration [primary | secondary]

The configuration takes effect on the next reboot.

NOTE If the switch is rebooted while in the middle of a configuration save, the switch boots to factory default settings. The configuration that is not in the process of being saved is unaffected.

Returning to Factory Defaults
To return the switch configuration to factory defaults, use the following command:
unconfig switch

This command resets the entire configuration, with the exception of user accounts and passwords that have been configured, and the date and time.

To erase the currently selected configuration image and reset all switch parameters, use the following command:
unconfig switch all

Using TFTP to Upload the Configuration
You can upload the current configuration to a TFTP server on your network. The uploaded ASCII file retains the command-line interface (CLI) format. This allows you to:
• Modify the configuration using a text editor, and later download a copy of the file to the same switch, or to one or more different switches.
• Send a copy of the configuration file to the Extreme Networks Technical Support department for problem-solving purposes.
• Automatically upload the configuration file every day, so that the TFTP server can archive the configuration on a daily basis. Because the filename is not changed, the configured file stored in the TFTP server is overwritten every day.

To upload the configuration, use the following command:
upload configuration [<ipaddress> | <hostname>] <filename> {every <time>}

where:
ipaddress: Specifies the IP address of the TFTP server.
hostname: Specifies the hostname of the TFTP server. (You must enable DNS to use this option.)
filename: Specifies the name of the ASCII file. The filename can be up to 255 characters long, and cannot include any spaces, commas, quotation marks, or special characters.
every <time>: Specifies the time of day you want the configuration automatically uploaded on a daily basis. If not specified, the current configuration is immediately uploaded to the TFTP server.

To cancel a previously scheduled configuration upload, use the following command:
upload configuration cancel

Using TFTP to Download the Configuration
You can download ASCII files that contain CLI commands to the switch to modify the switch configuration. Three types of configuration scenarios can be downloaded:
• Complete configuration
• Incremental configuration
• Scheduled incremental configuration

Downloading a Complete Configuration
Downloading a complete configuration replicates or restores the entire configuration to the switch. You typically use this type of download in conjunction with the upload config command, which generates a complete switch configuration in an ASCII format. As part of the complete configuration download, the switch is automatically rebooted.

To download a complete configuration, use the following command:
download configuration [<hostname> | <ipaddress>] <filename>

After the ASCII configuration is downloaded by way of TFTP, you are prompted to reboot the switch. The downloaded configuration file is stored in current switch memory during the rebooting process, and is not retained if the switch has a power failure. When the switch completes booting, it treats the downloaded configuration file as a script of CLI commands, and automatically executes the commands. If your CLI connection is through a Telnet connection (and not the console port), your connection is terminated when the switch reboots, but the command executes normally.

Downloading an Incremental Configuration
A partial or incremental change to the switch configuration may be accomplished by downloading ASCII files that contain CLI commands. These commands are interpreted as a script of CLI commands, and take effect at the time of the download, without requiring a reboot of the switch.

To download an incremental configuration, use the following command:
download configuration [<hostname> | <ipaddress>] <filename> {incremental}

Scheduled Incremental Configuration Download
You can schedule the switch to download a partial or incremental configuration on a regular basis. You could use this feature to update the configuration of the switch regularly from a centrally administered TFTP server. As part of the scheduled incremental download, you can optionally configure a backup TFTP server.

To configure the primary and/or secondary TFTP server and filename, use the following command:
config download server [primary | secondary] [<hostname> | <ipaddress>] <filename>

To enable scheduled incremental downloads, use the following command:
download configuration every <hour (0-23)>


To display scheduled download information, use the following command:
show switch

To cancel scheduled incremental downloads, use the following command:
download configuration cancel

Remember to Save
Regardless of which download option is used, configurations are downloaded into switch runtime memory, only. The configuration is saved only when the save command is issued, or if the configuration file, itself, contains the save command. If the configuration currently running in the switch does not match the configuration that the switch used when it originally booted, an asterisk (*) appears before the command line prompt when using the CLI.
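Because a downloaded file runs as a script of CLI commands and survives a reboot only if it contains save, a file staged on the TFTP server is worth a review pass before any switch fetches it. The following Python check is an added example, not part of the Extreme Networks guide; the "#" comment convention, the prefix matching of abbreviated keywords, the allowed filename characters and the sample file are assumptions.

```python
import re

# Commands documented in this appendix, each with the reason a reviewer
# should look at it before a switch executes the file.
RULES = [
    (("unconfig", "switch"), "resets the configuration to factory defaults"),
    (("download", "bootrom"), "replaces the BootROM in onboard flash"),
    (("download", "image"), "replaces a software image"),
    (("download", "configuration"),
     "starts, schedules or cancels another configuration download"),
    (("config", "download", "server"),
     "changes the TFTP server used by scheduled downloads"),
    (("upload", "configuration"),
     "sends the run-time configuration to a TFTP server"),
    (("use", "image"), "changes the image used on the next reboot"),
    (("use", "configuration"),
     "changes the configuration used on the next reboot"),
    (("reboot",), "reboots the switch"),
]
SAVE = ("save",)

# The guide allows up to 255 characters and forbids spaces, commas,
# quotation marks and "special characters". Assumption: only letters,
# digits, dot, underscore and hyphen are treated as safe here.
FILENAME_OK = re.compile(r"[A-Za-z0-9._-]{1,255}")


def check_filename(name):
    """Return True if the staged filename fits the guide's filename rule."""
    return FILENAME_OK.fullmatch(name) is not None


def _matches(tokens, keywords):
    """True if the leading tokens could spell `keywords`.

    Assumption: the CLI accepts abbreviated keywords, so each token only has
    to be a prefix of the keyword. The check over-flags rather than misses.
    """
    if len(tokens) < len(keywords):
        return False
    return all(kw.startswith(tok.lower()) for tok, kw in zip(tokens, keywords))


def audit_config(text):
    """Scan an ASCII configuration file and report lines needing review.

    Returns {"findings": [(line_number, line, reason), ...],
             "persists": True if the file itself issues save}.
    """
    findings = []
    persists = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' is a comment
            continue
        tokens = line.split()
        if _matches(tokens, SAVE):
            persists = True
            findings.append(
                (lineno, line, "writes the result to nonvolatile storage"))
            continue
        for keywords, reason in RULES:
            if _matches(tokens, keywords):
                findings.append((lineno, line, reason))
                break
    return {"findings": findings, "persists": persists}


# Constructed sample file, not taken from a real switch.
SAMPLE = """\
# nightly incremental update (constructed sample)
config vlan default del port 1
config vlan red add port 1
config download server primary 192.0.2.10 nightly.cfg
unconf sw
save
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE)
    for lineno, line, reason in report["findings"]:
        print(f"line {lineno}: {line!r}: {reason}")
    print("persists across reboot:", report["persists"])
    print("filename ok:", check_filename("nightly.cfg"))
```

A file with no findings and persists set to False changes run-time memory only, which matches the behaviour described above for downloads that do not include save.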

Upgrading and Accessing BootROM
The BootROM of the switch initializes certain important switch variables during the boot process. If necessary, BootROM can be upgraded, after the switch has booted, using TFTP. In the event the switch does not boot properly, some boot option functions can be accessed through a special BootROM menu.

Upgrading BootROM
Upgrading BootROM is done using TFTP (from the CLI), after the switch has booted. Upgrade the BootROM only when asked to do so by an Extreme Networks technical representative. To upgrade the BootROM, use the following command:
download bootrom [<hostname> | <ipaddress>] <filename>

Accessing the BootROM menu
Interaction with the BootROM menu is only required under special circumstances, and should be done only under the direction of Extreme Networks Customer Support. The necessity of using these functions implies a non-standard problem which requires the assistance of Extreme Networks Customer Support.

To access the BootROM menu, follow these steps:
1 Attach a serial cable to the console port of the switch.
2 Attach the other end of the serial cable to a properly configured terminal or terminal emulator, then power cycle the switch while depressing the spacebar on the keyboard of the terminal.

As soon as you see the BootROM-> prompt, release the spacebar. You can see a simple help menu by pressing h. Options in the menu include:
— Selecting the image to boot from
— Booting to factory default configuration


For example, to change the image that the switch boots from in flash memory, press 1 for the image stored in primary or 2 for the image stored in secondary. Then, press the f key to boot from newly selected on-board flash memory. To boot to factory default configuration, press the d key for default and the f key to boot from the configured on-board flash.

Boot Option Commands
Table 69 lists the CLI commands associated with switch boot options.

Table 69: Boot Option Commands

Command: config download server [primary | secondary] [<hostname> | <ipaddress>] <filename>
Description: Configures the TFTP server(s) used by a scheduled incremental configuration download.

Command: download bootrom [<hostname> | <ipaddress>] <filename>
Description: Downloads a BOOT ROM image from a TFTP server. The downloaded image replaces the BOOT ROM in the onboard FLASH memory.
NOTE If this command does not complete successfully, it could prevent the switch from booting.

Command: download configuration [<hostname> | <ipaddress>] <filename> {incremental}
Description: Downloads a complete configuration. Use the incremental keyword to specify an incremental configuration download.

Command: download configuration cancel
Description: Cancels a previously scheduled configuration download.

Command: download configuration every <hour>
Description: Schedules a configuration download. Specify the hour using a 24-hour clock, where the range is 0 to 23.

Command: download image [<ipaddress> | <hostname>] <filename> {primary | secondary}
Description: Downloads a new image from a TFTP server over the network. If no parameters are specified, the image is saved to the current image.

Command: reboot {time <date> <time> | cancel}
Description: Reboots the switch at the date and time specified. If you do not specify a reboot time, the reboot happens immediately following the command, and any previously scheduled reboots are cancelled. To cancel a previously scheduled reboot, use the cancel option.

Command: save {configuration} {primary | secondary}
Description: Saves the current configuration to nonvolatile storage. You can specify the primary or secondary configuration area. If not specified, the configuration is saved to the primary configuration area.

Command: show configuration
Description: Displays the current configuration to the terminal. You can then capture the output and store it as a file.

Command: upload configuration [<ipaddress> | <hostname>] <filename> {every <time>}
Description: Uploads the current run-time configuration to the specified TFTP server. If every <time> is specified, the switch automatically saves the configuration to the server once per day, at the specified time. If the time option is not specified, the current configuration is immediately uploaded.

Command: upload configuration cancel
Description: Cancels a previously scheduled configuration upload.

Command: use configuration [primary | secondary]
Description: Configures the switch to use a particular configuration on the next reboot. Options include the primary configuration area or the secondary configuration area.

Command: use image [primary | secondary]
Description: Configures the switch to use a particular image on the next reboot.


E Troubleshooting

If you encounter problems when using the switch, this appendix might be helpful. If you have a problem not listed here or in the release notes, contact your local technical support representative.

LEDs
Power LED does not light: Check that the power cable is firmly connected to the device and to the supply outlet.

On powering-up, the MGMT LED lights amber: The device has failed its Power On Self Test (POST) and you should contact your supplier for advice.

A link is connected, but the Port Status LED does not light: Check that:
• All connections are secure.
• Cables are free from damage.
• The devices at both ends of the link are powered-up.
• Both ends of the Gigabit link are set to the same autonegotiation state.

Both sides of the Gigabit link must be enabled or disabled. If the two are different, typically the side with autonegotiation disabled will have the link LED lit, and the side with autonegotiation enabled will not be lit. The default configuration for a Gigabit port is autonegotiation enabled. This can be verified by entering the following command:
show port config

Switch does not power up: All products manufactured by Extreme Networks use digital power supplies with surge protection. In the event of a power surge, the protection circuits shut down the power supply. To reset, unplug the switch for 1 minute, plug it back in, and attempt to power up the switch. If this does not work, try using a different power source (different power strip/outlet) and power cord.


Using the Command-Line Interface
The initial welcome prompt does not display: Check that your terminal or terminal emulator is correctly configured. For console port access, you may need to press [Return] several times before the welcome prompt appears. Check the settings on your terminal or terminal emulator. The settings are 9600 baud, 8 data bits, 1 stop bit, no parity, no flow control.

The SNMP Network Manager cannot access the device: Check that the device IP address, subnet mask, and default router are correctly configured, and that the device has been reset. Check that the device IP address is correctly recorded by the SNMP Network Manager (refer to the user documentation for the Network Manager). Check that the community strings configured for the system and Network Manager are the same. Check that SNMP access was not disabled for the system.

The Telnet workstation cannot access the device: Check that the device IP address, subnet mask and default router are correctly configured, and that the device has been reset. Ensure that you enter the IP address of the switch correctly when invoking the Telnet facility. Check that Telnet access was not disabled for the switch. If you attempt to log in and the maximum number of Telnet sessions are being used, you should receive an error message indicating so.

Traps are not received by the SNMP Network Manager: Check that the SNMP Network Manager's IP address and community string are correctly configured, and that the IP address of the Trap Receiver is configured properly on the system.

The SNMP Network Manager or Telnet workstation can no longer access the device: Check that Telnet access or SNMP access is enabled. Check that the port through which you are trying to access the device has not been disabled. If it is enabled, check the connections and network cabling at the port. Check that the port through which you are trying to access the device is in a correctly configured VLAN. Try accessing the device through a different port. If you can now access the device, a problem with the original port is indicated. Re-examine the connections and cabling. A network problem may be preventing you accessing the device over the network. Try accessing the device through the console port. Check that the community strings configured for the device and the Network Manager are the same. Check that SNMP access was not disabled for the system.

Permanent entries remain in the FDB: If you have made a permanent entry in the FDB (which requires you to specify the VLAN to which it belongs and then delete the VLAN), the FDB entry will remain. Though causing no harm, you must manually delete the entry from the FDB if you want to remove it.

Default and Static Routes: If you have defined static or default routes, those routes will remain in the configuration independent of whether the VLAN and VLAN IP address that used them remains. You should manually delete the routes if no VLAN IP address is capable of using them.

You forget your password and cannot log in: If you are not an administrator, another user having administrator access level can log in, delete your user name, and create a new user name for you, with a new password. Alternatively, another user having administrator access level can log in and initialize the device. This will return all configuration information (including passwords) to the initial values. In the case where no one knows a password for an administrator level user, contact your supplier.

Port Configuration
No link light on 10/100 Base port: If patching from a hub or switch to another hub or switch, ensure that you are using a CAT5 cross-over cable. This is a CAT5 cable that has pins 1 and 2 on one end connected to pins 3 and 6 on the other end.

Excessive RX CRC errors: When a device that has auto-negotiation disabled is connected to an Extreme switch that has auto-negotiation enabled, the Extreme switch links at the correct speed, but in half duplex mode. The Extreme switch 10/100 physical interface uses a method called parallel detection to bring up the link. Because the other network device is not participating in auto-negotiation (and does not advertise its capabilities), parallel detection on the Extreme switch is only able to sense 10 Mbps versus 100 Mbps speed, and not the duplex mode. Therefore, the switch establishes the link in half duplex mode using the correct speed. The only way to establish a full duplex link is to either force it at both sides, or run auto-negotiation on both sides (using full duplex as an advertised capability, which is the default setting on the Extreme switch).

NOTE A mismatch of duplex mode between the Extreme switch and another network device will cause poor network performance. Viewing statistics using the show port rx command on the Extreme switch may display a constant increment of CRC errors. This is characteristic of a duplex mismatch between devices. This is NOT a problem with the Extreme switch. Always verify that the Extreme switch and the network device match in configuration for speed and duplex.

No link light on Gigabit fiber port: Check to ensure that the transmit fiber goes to the receive fiber side of the other device, and vice-versa. All gigabit fiber cables are of the cross-over type. The Extreme switch has auto-negotiation set to on by default for gigabit ports. These ports need to be set to auto off (using the command config port <port #> auto off) if you are connecting it to devices that do not support auto-negotiation. Ensure that you are using multi-mode fiber (MMF) when using a 1000BASE-SX Mini-GBIC. 1000BASE-SX does not work with single-mode fiber (SMF).

VLANs
You cannot add a port to a VLAN: If you attempt to add a port to the “default” VLAN and get an error message similar to
Summit200-24:28 # config vlan default add port 1
ERROR: There is a protocol conflict with adding port 1 untagged to VLAN default
you already have a VLAN using untagged traffic on this port. Only one VLAN using untagged traffic can be configured on a single physical port. VLAN configuration can be verified by using the following command:
show vlan <name>

The solution for this error is to remove port 1 from the VLAN currently using untagged traffic on the port. If this were the “default” VLAN, the command would be
Summit200-24:30 # config vlan default del port 1
which should now allow you to re-enter the previous command without error as follows:
Summit200-24:31 # config vlan red add port 1

VLAN names: There are restrictions on VLAN names. They cannot contain whitespaces and cannot start with a numeric value unless you use quotation marks around the name. If a name contains whitespaces, starts with a number, or contains non-alphabetical characters, you must use quotation marks whenever referring to the VLAN name.

VLANs, IP Addresses and default routes: The system can have an IP address for each configured VLAN. It is necessary to have an IP address associated with a VLAN if you intend to manage (Telnet, SNMP, ping) through that VLAN or route IP traffic. You can also configure multiple default routes for the system. The system first tries the default route with the lowest cost metric.

STP
You have connected an endstation directly to the switch and the endstation fails to boot correctly: The switch has STP enabled, and the endstation is booting before the STP initialization process is complete. Specify that STP has been disabled for that VLAN, or turn off STP for the switch ports of the endstation and devices to which it is attempting to connect, and then reboot the endstation.

The switch keeps aging out endstation entries in the switch Forwarding Database (FDB): Reduce the number of topology changes by disabling STP on those systems that do not use redundant paths. Specify that the endstation entries are static or permanent.

Debug Tracing
ExtremeWare includes a debug-tracing facility for the switch. The show debug-tracing command can be applied to one or all VLANs, as follows:
show debug-tracing {vlan <name>}

The debug commands should only be used under the guidance of Extreme Networks technical personnel.

TOP Command
The top command is a utility that indicates CPU utilization by process.

Contacting Extreme Technical Support
If you have a network issue that you are unable to resolve, contact Extreme Networks technical support. Extreme Networks maintains several Technical Assistance Centers (TACs) around the world to answer networking questions and resolve network problems. You can contact technical support by phone at:
• (800) 998-2408
• (408) 579-2826

or by email at:
• support@extremenetworks.com

You can also visit the support website at:
• http://www.extremenetworks.com/extreme/support/techsupport.asp

to download software updates (requires a service contract) and documentation.

Troubleshooting 238 Summit 200 Series Switch Installation and User Guide .

