
Extreme Security Fundamentals Rev3.0

Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com

Published March 2006
Part number: ESF-300/3

© 2005 Extreme Networks, Inc. All Rights Reserved.

Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners.

Specifications are subject to change without notice.

The ExtremeWare XOS operating system is based, in part, on the Linux operating system. The machine-readable copy of the corresponding source code is available for the cost of distribution. Please direct requests to Extreme Networks for more information at the following address:

Software Licensing Department
3585 Monroe Street
Santa Clara CA 95051

NetWare and Novell are registered trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris and Java are trademarks of Sun Microsystems, Inc. F5, BIG/ip, and 3DNS are registered trademarks of F5 Networks, Inc. see/IT is a trademark of F5 Networks, Inc.

All other registered trademarks, trademarks and service marks are property of their respective owners.


Module 1 Introduction and Orientation


Extreme Security Fundamentals ... 2
    Target Audience ... 2
    Module Content ... 2
Introductions ... 4
Facilities ... 6
Student Kit ... 8
Administrative ... 10
Course Prerequisite ... 12
High-level Student Objectives ... 14
Agenda ... 16
Agenda ... 18
Introduction to the Extreme Networks Certification Program ... 20
    Certification Levels ... 20
Extreme Networks Associate (Level 1) ... 22
Extreme Networks Specialist (Level 2) ... 24
    First-Level TAC Bypass with ENS Certification ... 24
    ENS Exam ... 24
ENA Certification Curriculum ... 26
    Extreme Introduction to Data Networking (EDN-100/3) ... 26
    Extreme Introduction to IP Routing (EIP-100/2) ... 26
    Extreme Configuration Fundamentals (ECF-200/5) ... 26
ENS Certification Curriculum ... 28
    Extreme Security Fundamentals (ESF-300/3) ... 28
    Extreme Redundancy Fundamentals (ERF-300/2) ... 28
    Extreme Multicast Routing (EMR-300/2) ... 28
    Extreme Interior Gateway Protocols (EIGP-300/2) ... 28
Supportive Curriculum ... 30
    Border Gateway Protocol Concepts and Configuration (BGP-220c) ... 30
    ExtremeWare Unified Access (EUA-310/3) ... 30
    EPICenter 5.0 Tutorial ... 30
Summary ... 32

Module 2 Security and Traffic Engineering


Student Objectives ... 2
Network Security Importance ... 4
Layers of Security ... 6
Networked Resources ... 8
    Protected Resources ... 8
    Critical Resources ... 8
Major Network Threats ... 10
ExtremeWare XOS Security Features ... 12
Network Security Implementation Sequence ... 14
Traffic Engineering ... 16
    Purpose ... 16
    ExtremeWare XOS Traffic Engineering Features ... 16
Summary ... 18


Module 3 Switch Access


Student Objectives ... 2
Default Switch Access Options ... 4
    Safe Defaults Setup Method ... 4
Switch Access Options ... 6
    Five Types of Switch Access ... 6
    Disabling Switch Access Options ... 6
Management Accounts ... 8
    Administrator Level Account ... 8
    User Level Account ... 8
    Logging Out of a Session ... 8
Creating Management Accounts ... 10
    Displaying Management Accounts (admin level only) ... 10
    Deleting an Account (admin level only) ... 10
Creating a Failsafe Account ... 12
Managing Passwords ... 14
Specifying Password Parameters ... 16
Displaying Password Policy ... 18
Configuring the Login Display Banner ... 20
Displaying the Login Banner ... 20
Configuring the Switch Idle Timeout ... 22
    Disabling Switch Idle Timeout ... 22
    Viewing Idle Timeout Status ... 22
Displaying Active Switch Sessions ... 24
    Clearing Specific Telnet Sessions ... 24
Using Access Control Lists (ACLs) to Control Telnet Access ... 26
    Sample ACLs that Control Telnet Access ... 26
    Configuring Telnet to Use ACL Policies ... 26
SNMP Access ... 28
    Accessing Switch Agents ... 28
    Supported MIBs ... 28
Enabling and Disabling SNMPv1/v2c and SNMPv3 ... 30
Configurable SNMPv1/v2c Parameters ... 32
    Authorized Trap Receivers ... 32
    Community Strings ... 32
Displaying SNMP Settings ... 34
SNMPv3 ... 36
SNMPv3 Security ... 38
    USM Timeliness Mechanisms ... 38
SNMPv3 Users ... 40
    Creating SNMPv3 Users ... 40
    Displaying SNMPv3 Users ... 40
    Deleting SNMPv3 Users ... 40
SNMPv3 Groups ... 42
    Displaying SNMPv3 Groups ... 42
    Associating Users with SNMPv3 Groups ... 42
    Deleting an SNMPv3 Group ... 42
SNMP Security Models and Levels ... 44
SNMPv3 MIB Access Control ... 46
    Displaying MIB Views ... 46
SNMPv3 Notification: Target Addresses ... 48
    Configuring Target Address ... 48
    Displaying Target Addresses ... 48
    Deleting Target Addresses ... 48
SNMPv3 Notification: Target Parameters ... 50
    Displaying Target Parameters ... 50
    Deleting Target Parameters ... 50
SNMPv3 Notification: Filter Profiles and Filters ... 52
    Displaying SNMPv3 Notification ... 52
    Deleting and Removing SNMPv3 Filters ... 52
SNMPv3 Notification: Tags ... 54
    Displaying SNMPv3 Notification Tags ... 54
    Deleting SNMPv3 Notification Tags ... 54
    Configuring Notifications ... 54
Secure Shell 2 (SSH2) ... 56
    SSH2 Module Request ... 56
Installing the SSH2 Module ... 58
    Downloading the Module to the Switch ... 58
Activating the Installed Modular Software Package ... 60
    Uninstalling the Module ... 60
Private Key, Public Key, and Host Key ... 62
Configuring SSH2 ... 64
    Enabling SSH2 ... 64
Using ACLs to Control SSH2 Access ... 66
    Sample SSH2 Policies ... 66
    Configuring SSH2 to Use ACL Policies ... 66
Logging in with SSH2 Client ... 68
    SSH2 Connection Settings ... 68
    Host Key Acceptance ... 68
    Valid User and Password Entry ... 68
Secure Copy Protocol 2 (SCP2) ... 70
Switch as SSH2 Client ... 72
Verifying SSH2 ... 74
Troubleshooting SSH2 ... 76
Secure Socket Layer (SSL) ... 78
Enabling and Disabling SSL ... 80
Creating Certificates and Private Keys ... 80
Downloading a Certificate Key from a TFTP Server ... 82
    Displaying SSL Information ... 82
Downloading a Private Key from a TFTP Server ... 84
Configuring Pre-generated Certificates and Keys ... 84
Authenticating Users Logging into Switch ... 86
RADIUS ... 88
    RADIUS Packet Format ... 88
RADIUS Authentication Process ... 90
Configuring the RADIUS Client ... 92
Configuring the Shared Secret Password for RADIUS Servers ... 92
Enabling and Disabling RADIUS ... 94
    Verifying the RADIUS Client ... 94
    Troubleshooting RADIUS ... 94
Configuring RADIUS Accounting ... 96
    Configuring the RADIUS Accounting Timeout Value ... 96
    Configuring the Shared Secret Password for RADIUS Accounting Servers ... 96
    Verifying the RADIUS Accounting ... 96
RADIUS Server Support ... 98
Using RADIUS Servers with Extreme Networks Switches ... 100
    Extreme RADIUS ... 100
Merit RADIUS Server Configuration Example ... 102
Summary ... 104

Module 4 ACLs and Policies


Student Objectives ... 108
EXOS Packet Filtering Structure and Components ... 110
How to Use Policies ... 110
How to Edit Policy Entries/Rules ... 112
Types of Policies ... 112
Access Control List ... 114
ACL Overview ... 114
Static ACL - ACL Policy File ... 116
ACL Policy Syntax and Example ... 118
Apply ACL Policies and Display ACL Information ... 118
ACL Rule Evaluation Process ... 120
Rule Types and Evaluation Precedence ... 120
Rule Precedence Among Interface Types ... 122
Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450 Only ... 122
Conserving ACL Masks and Rules Examples ... 124
Dynamic ACL ... 126
Dynamic ACL Match Conditions and Actions ... 126
Dynamic ACL Action Modifiers ... 128
Configuring Dynamic ACL Rules and Examples ... 130
Hands-on Lab #1: Static ACL (ACL Policy) ... 132
Hands-on Lab #2: Static ACL (ACL Policy) ... 134
Hands-on Lab #3: Dynamic ACLs ... 136
Hands-on Lab #4: Dynamic ACLs ... 136
Routing Policies ... 138
Routing Policy Syntax and Example ... 140
Routing Policy Rule Evaluation Process ... 140
Routing Policy Match Conditions ... 142
Autonomous System (AS) Regular Expressions ... 142
Routing Policy Action Statements ... 144
Applying Routing Policies ... 144
Hands-on Lab #5: Routing Policies ... 146


Module 5 Denial of Service Attacks and Countermeasures


Student Objectives ... 2
What are DoS Attacks? ... 4
Two Common DoS Attack Modes ... 6
    Asymmetrical ... 6
    Distributed ... 6
Different Types of DoS Attacks ... 8
TCP-SYN Flood Example ... 10
DoS Attack Countermeasures ... 12
    Basic DoS Countermeasures ... 12
    Network Transport Level Issues ... 12
IP Broadcast Forwarding Control ... 14
DoS-Protect ... 16
    How CPU-DoS-Protect Works ... 18
Implementing DoS-Protect ... 20
    Simulated Mode ... 20
Configuring Denial of Service Protection ... 22
    Specifying DoS-Protect Parameters ... 22
    Configuring Trusted Ports ... 22
    Enabling or Disabling DoS Protection ... 22
Verifying DoS-Protect Settings ... 24
    Displaying CPU-DoS-Protect Settings ... 24
Troubleshooting CPU-DoS-Protect ... 26
Actions to Take When Under DoS Attack ... 28
    References: DoS Threats and Countermeasures ... 28
Summary ... 30

Module 6 Port and MAC Address Security


Student Objectives ... 2
MAC-Based Security ... 4
    Forwarding Database (FDB) ... 4
FDB Entry Types ... 6
Port Address Security ... 8
Limiting Dynamic MAC Addresses ... 10
Limit-Learning: How Does it Work? ... 12
Configuring Limit-Learning ... 14
    Adding MAC Address Limit-Learning ... 14
    Removing MAC Address Limit-Learning ... 14
    Creating and Deleting FDB Entries ... 14
Limiting MAC Addresses with ESRP ... 16
Lock-Learning ... 18
    Lock-Learning Enabled ... 18
Configuring Lock-Learning ... 20
    Adding Lock-Learning ... 20
    Removing Lock-Learning ... 20
Verifying MAC Security Information ... 22
    MAC Security Information for a Specified VLAN ... 22
    Detailed MAC Security Information for a Specified Port ... 22
Verifying MAC Security Information ... 24
    FDB Table Entries ... 24
    Logs ... 24
Disabling MAC Address Learning ... 26
Disabling Egress Flooding ... 28
    Guidelines for Enabling or Disabling Egress Flooding ... 28
Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ... 30
    Enabling Egress Flooding ... 30
    Disabling Egress Flooding ... 30
Disabling Egress Flooding on the BlackDiamond 10K Switch Only ... 32
Displaying Learning and Flooding Settings ... 34
Layer 3 Blackholes ... 36
    Configuring a Layer 3 Blackhole ... 36
    Configuring a Layer 3 Default Blackhole ... 36
    Deleting Layer 3 Blackholes ... 36
    Verifying Layer 3 Blackholes ... 36
Summary ... 38

Module 7 Network Login


Student Objectives ..... 2
Network Login Overview ..... 4
Authentication Types ..... 4
Authentication Advantages and Disadvantages ..... 6
Web-Based Authentication ..... 6
MAC-Based Authentication ..... 6
Authentication Advantages and Disadvantages ..... 8
802.1x Authentication ..... 8
General Network Login Commands ..... 10
Enabling or Disabling Network Login on the Switch ..... 10
Enabling or Disabling Network Login on a Specific Port ..... 10
Configuring the Move Fail Action ..... 10
Displaying Network Login Settings ..... 10
DHCP Server Authentication Role ..... 12
Enabling and Disabling DHCP Server ..... 12
Setting the DHCP Lease Timer ..... 12
DHCP Server Commands ..... 14
Removing DHCP Server Configurations ..... 14
Displaying DHCP Configuration ..... 14
Web Based Network Login Sequence ..... 16
Network Login Operational Modes ..... 18
Multiple Supplicant Support ..... 18
Network Login Design Considerations ..... 20
Authenticating Users ..... 22
Vendor Specific Attributes (VSA) Types Used By Network Login ..... 22
RADIUS Attributes Used By Network Login ..... 24
Network Login RADIUS Extensions ..... 26

Extreme Radius Implementation Configuration Example ..... 26
Local Database Authentication ..... 28
Configuring Local Database Authentication ..... 30
Creating a Local Netlogin User Name and Password Only ..... 30
Specifying a Destination VLAN in a Local NetLogin Account ..... 32
Adding VLANs when Creating a Local Netlogin Account ..... 32
Adding VLANs at a Later Time ..... 32
Modifying an Existing Local Netlogin Account ..... 34
Updating the Local Netlogin Password ..... 34
Updating VLAN Attributes ..... 34
Displaying Local Netlogin Accounts ..... 34
Deleting a Local Netlogin Account ..... 34
802.1x Authentication ..... 36
Interoperability Requirements ..... 36
802.1x Network Login Configuration Example ..... 38
Configuring Guest VLANs ..... 40
Guest VLAN Scenario ..... 40
Configuring a Guest VLAN ..... 42
Enabling a Guest VLAN ..... 42
Modifying the Supplicant Response Timer ..... 42
Disabling a Guest VLAN ..... 42
Post-authentication VLAN Movement ..... 42
Web-Based Authentication ..... 44
HTTPS Support ..... 44
Configuring Web-Based Authentication ..... 46
Configuring the Base URL ..... 46
Configuring the Redirect Page ..... 46
Configuring Session Refresh ..... 46
Configuring Logout Privilege ..... 46
Web-Based Network Login Configuration Example ..... 48
Web-Based Authentication User Login ..... 50
MAC-Based Authentication ..... 52
Configuring MAC-Based Authentication ..... 54
Associating a MAC Address to a Specific Port ..... 54
Adding and Deleting MAC Addresses ..... 54
Displaying the MAC Address List ..... 54
Secure MAC Configuration Example ..... 56
MAC-Based Network Login Configuration Example ..... 58
Netlogin MAC-Based VLANs ..... 60
Netlogin MAC-Based VLANs Rules and Restrictions ..... 60
Configuring Netlogin MAC-Based VLANs ..... 62
Configuring the Port Mode ..... 62
Displaying Netlogin MAC-Based VLAN Information ..... 64
FDB Information ..... 64
VLAN and Port Information ..... 64
Netlogin MAC-Based VLAN Example ..... 66
Disconnecting Network Login Sessions ..... 68
Automatic Netlogin Logouts Occur When: ..... 68

CLI Network Login Logouts ..... 68
Summary ..... 72

Module 8 Policy-Based QoS


Student Objectives ..... 2
What is Quality of Service? ..... 4
Switch Platforms and QoS ..... 4
QoS is not Class of Service (CoS) ..... 4
When Do You Need QoS? ..... 6
Two Major Benefits of QoS ..... 8
Latency Control ..... 8
Congestion Management ..... 8
Five Traffic Types and QoS Guidelines ..... 10
Policy-Based QoS ..... 12
Policy-Based QoS Support on an Extreme Network Switch ..... 12
Configuring Policy-Based QoS ..... 14
Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ..... 16
QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ..... 18
QoS Profiles on the BlackDiamond 10K Switch ..... 20
QoS Building Block: Profile ..... 22
Creating a QoS Profile (BlackDiamond 8800 Family of Switches and Summit X450 Only) ..... 22
Configuring QoS Profile Weight ..... 22
QoS Building Block: Traffic Groupings ..... 24
QoS Building Block: QoS Policy ..... 26
Precedence of Traffic Groupings ..... 28
ACL-Based Traffic Groupings ..... 30
Explicit Class of Service Traffic Groupings ..... 32
Advantages of Explicit Class of Service ..... 32
Packet Diagram ..... 32
802.1p Information ..... 34
802.1p Information on the BlackDiamond 10K Only ..... 34
Observing 802.1p Information ..... 34
Changing the Default 802.1p Mapping ..... 34
Replacing 802.1p Priority Information ..... 36
DiffServ ..... 38
DiffServ Information on the BlackDiamond 10K Only ..... 38
Observing DiffServ Information ..... 38
Configuring DiffServ ..... 40
DiffServ Code Point Mapping ..... 40
Changing the Default DiffServ Code Point Mapping ..... 40
Replacing DiffServ Code Points ..... 40
Default 802.1p Priority Value-To-DiffServ Code Point Mapping ..... 42
BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example ..... 44
BlackDiamond 10K Switch DiffServ Example ..... 46
Physical and Logical Groupings ..... 48
Source Port ..... 48
VLAN ..... 48
Verifying Physical and Logical Groupings ..... 48

BlackDiamond 8800 Family of Switches and Summit X450 Switch QoS Profile Display ..... 50
BlackDiamond 10K Switch Display ..... 52
Verifying QoS Configuration and Performance ..... 54
Monitoring Performance - BlackDiamond 10K Switch Only ..... 54
Displaying QoS Profile Information on the BlackDiamond 10K Switch Only ..... 54
Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches and Summit X450 Switch Only ..... 54
Other Useful QoS Display Commands ..... 56
Egress Traffic Rate Limiting - BlackDiamond 8800 Family and Summit X450 Switch Only ..... 58
Bi-Directional Rate Shaping - BlackDiamond 10K Switch Only ..... 60
Viewing Discarded Traffic Statistics ..... 60
BlackDiamond 10K Bandwidth Settings ..... 62
Configuring Bi-Directional Rate Shaping ..... 64
Modifying a QoS Policy ..... 66
Assigning Policy-Based QoS: Review ..... 68
Summary ..... 70

Module 9 sFlow
Student Objectives ..... 2
sFlow ..... 4
Applications ..... 4
Additional Information ..... 4
sFlow Components ..... 6
Network Equipment ..... 6
Software Applications ..... 6
Configuring sFlow ..... 10
Configuring the Local Agent ..... 10
Configuring the Remote Collector Address ..... 10
Configuring sFlow ..... 12
Enabling sFlow Globally on the Switch ..... 12
Enabling sFlow on the Desired Ports ..... 12
Additional sFlow Configuration Options ..... 14
Polling Interval ..... 14
Global Sampling Rate ..... 14
Per Port Sampling Rate ..... 14
Maximum CPU Sample Limit ..... 14
Resetting sFlow Values and Verifying sFlow Information ..... 16
Unconfiguring sFlow ..... 16
Displaying sFlow Information ..... 16
Summary ..... 18

Module 10 Lab Exercises


Lab 1 Basic Switch and Routing Configuration ..... 2
Objectives ..... 2
Materials Required ..... 2
Network Diagram ..... 3
Remark ..... 3
Part 1 Clearing the Switch Configuration and Naming the Switch ..... 4
Part 2 Configuring the VLANs ..... 4
Part 3 Configuring OSPF Routing on the Backbone Area ..... 6
Part 4 Verifying Switch and Routing Configuration ..... 6
Lab 2 Switch Access ..... 7
Objectives ..... 7
Materials Required ..... 7
Network Diagram ..... 8
Part 1 Creating a New User Account, Disabling SNMP Access, and Configuring Idle Timeouts ..... 9
Part 2 Configuring the Switch Banner Message ..... 9
Part 3 Installing the SSH2 Module ..... 9
Part 4 Configuring SSH2 ..... 10
Part 5 Configuring the Switch as a RADIUS Client ..... 10
Part 6 Changing the Default SNMPv3 User Password ..... 11
Lab 3 DoS Protection ..... 12
Objectives ..... 12
Materials Required ..... 12
Part 1 Configuring DoS-Protect ..... 12
Troubleshooting DoS-Protect ..... 13
Lab 4 Port and MAC Address Security ..... 14
Objectives ..... 14
Materials Required ..... 14
Network Diagram ..... 14
Part 1 Configuring Lock Learning ..... 15
Part 2 Configuring Limit Learning ..... 15
Part 3 Configuring Secure-Mac ..... 15
Lab 7 Network Login ..... 17
Objectives ..... 17
Optional Materials ..... 17
Network Diagram ..... 18
Part 1 Clearing the Switch Configuration and Naming the Switch ..... 18
Part 2 Creating the Temporary and Permanent Netlogin VLANs ..... 19
Part 3 Configuring the Temporary and Permanent Netlogin VLANs ..... 19
Part 4 Configuring Netlogin DHCP Options ..... 19
Part 5 Configuring Netlogin ..... 19
Part 6 Configuring the Network Login Options ..... 19
Part 7 Verifying Netlogin Configuration ..... 20
Lab 8 QoS ..... 21
Objectives ..... 21
Materials Required ..... 21
Network Diagram ..... 22
Part 1 Clearing the Switch Configuration and Naming the Switch ..... 23
Part 2 Configuring the VLANs ..... 23

Module 1 Introduction and Orientation

Extreme Security Fundamentals


The Extreme Security Fundamentals training class is designed to give students the ability to identify, describe, and use the security and traffic engineering features available in ExtremeWare XOS™ release 11.3.

Target Audience
The primary audiences for this class are end-users, partners, and Extreme Networks technical personnel that are seeking ENA certification.

Module Content
Module one presents an introduction to the course content, training facilities, student objectives, course prerequisites, agenda, and certification curriculum.

Figure 1: Module Content

Introductions
Provide your name, company, job title, and experience. Please share your previous networking experience as well as any Extreme Networks product exposure. This helps the instructor to adjust the class according to student skill sets.

Figure 2: Introduction

Facilities
Familiarize yourself with the facilities, particularly where the Emergency Exits and First Aid Stations are. Pick up a name badge from the receptionist if available. Telephones are found near the student lounge (if there are any). The instructor provides the training site telephone number where messages can be sent. However, only urgent messages are immediately posted for the attention of the student concerned. The instructor specifies any special parking considerations when necessary.

Figure 3: Facilities

Student Kit
The illustration lists the contents of the student kit.

Figure 4: Student Kit

Administrative
The instructor circulates a class roster during the student introductions. Each student should check his or her own information on the Class Roster. When all information is verified, initial your name. Ensure that your name is spelled correctly the way you want it to be on the certificate at the completion of this course. Breaks are typically 15 minutes each and lunch is about an hour. However, the times may vary at the discretion of the instructor. Please silence all pagers and cell phones by turning off the audio beeps and/or muting the volume. At the instructor's discretion, pagers/phones in vibrate mode are permitted. If you need to take a phone call, go outside the classroom in consideration of the other students. Questions are encouraged at any time. Lab exercises are performed after each major topic is discussed. A student completing all the requirements of the Extreme Networks Associate (ENA) is certified and provided an Extreme Networks Certified Training Certificate.

Figure 5: Administrative

Course Prerequisite
To be successful in this class, students must have ENA certification or the equivalent experience.

Course Knowledge Prerequisites

LAN fundamentals
TCP/IP, IP addressing, and subnet masking
Switching, bridging, and routing concepts
Attendance in Extreme Networks courses:
  Introduction to Data Networking
  Introduction to IP Routing
  Extreme Configuration Fundamentals
ENA Certification or equivalent

Figure 6: Course Pre-requisite

High-level Student Objectives


The illustrations list the high-level student objectives for this course.

Overall Objectives
Students will be able to:
  Identify the steps necessary for securing a network
  Identify potential threats to the network
  Describe and configure port-based security
  Describe and configure MAC-based security
  Set up encrypted and authenticated sessions between a client machine and switch
  Describe and configure Netlogin

Figure 7: Student Objectives

Overall Objectives (cont.)

Students will be able to:
  Describe and configure access control lists
  Describe and configure policy-based Quality of Service (QoS)
  Describe and configure sFlow

Figure 8: Student Objectives Continued

Agenda

Day 1 - Agenda
Module 1 - Introduction and Orientation
Module 2 - Security and Traffic Engineering
Lab 1 - Lab Environment Familiarization
LUNCH
Module 3 - Switch Access
Lab 2 - Switch Access
Module 4 - ExtremeWare Access Control List
Lab 3 - ACL

Figure 9: Day 1 - Agenda

Day 2 - Agenda
Module 6 - Denial of Service
Lab 5 - CPU-DOS feature (Optional)
Module 7 - MAC address security
Lab 6 - Port & MAC Address Security (Optional)
LUNCH
Module 8 - Netlogin
Lab 7 - Netlogin ISP & Campus mode

Figure 10: Day 2 - Agenda


Day 3 - Agenda
Module 9 - Policy-based QoS
Lab 8 - PB QoS
Module 10 - sFlow
Course Wrap-Up
Certificate
Evaluation
Others

Figure 11: Day 3 - Agenda


Introduction to the Extreme Networks Certification Program


Career certification is available from many places. But we're talking about Extreme Networks certification, an innovative, comprehensive approach to certification. Our lab-intensive learning environments and hands-on exam requirements mean that you become Extreme Networks-certified with proven experience and skills to successfully deploy and manage Extreme Networks products in a variety of network environments. The Extreme Networks certification program authenticates your skill set and supercharges your IT career, bringing measurable benefits to you, your department, and your company.

Certification Levels:

Level 1 - Extreme Networks Associate (ENA)
Level 2 - Extreme Networks Specialist (ENS)


Figure 12: Introduction to Extreme Networks Certification Program

Figure 13: Extreme Networks Certification Program


Extreme Networks Associate (Level 1)


The Extreme Networks Associate (ENA) certification confirms your knowledge of the Extreme Networks product portfolio and configuring and managing Extreme Networks switches in layer-2 and layer-3 environments. The certification is intended for individuals responsible for the installation, configuration, and management of Extreme Networks products.

Receive your ENA Certification


The ENA Certification level establishes the foundation for all Extreme Networks certification program levels. Successful completion of the ECF training course in full provides ENA certification. A certificate with a unique certification number is issued immediately. ENA certification is valid for 2 years. Alternatively, an 80-question exam can be taken to validate the candidate's knowledge of basic Extreme Networks hardware configuration using the ExtremeWare command line interface (CLI). Extreme Networks Authorized Training Partners (ATP) administer the ENA certification tests. The cost of the exam is one training voucher. Candidates who achieve a score of 75% or greater are awarded the distinction of Extreme Networks Associate. Follow these steps to register for the ECF training class or the stand-alone Extreme Networks Associate exam:

1. Direct your web browser to www.extremenetworks.com.
2. From the web page you can select an Extreme Networks ATP test center in your region.
3. Be sure to bring valid, government-issued photo identification to the testing location.


Figure 14: Extreme Networks Associate (Level 1)


Extreme Networks Specialist (Level 2)


The Extreme Networks Specialist (ENS) certification represents a solid foundation of networking skills for individuals responsible for advanced configuration, management, maintenance, and troubleshooting of Extreme Networks products. The prerequisite for this certification is completion of the ENA certification level. ENS certified skills include:

Configure Extreme Networks advanced redundancy features.
Configure Extreme Networks advanced multicast routing features.
Configure Extreme Networks switches in complex routing environments.
Configure Extreme Networks switches' advanced security features.
Troubleshoot Extreme Networks switches for layer-2 and layer-3 networking problems.

ENS certification is valid for 2 years. The exam is administered by selected Extreme Networks Authorized Training Partners.

First-Level TAC Bypass with ENS Certification


ENS certified customers with a valid service contract have direct access to Tier 2 Technical Assistance Center (TAC) support. They are able to bypass Level 1 TAC.

ENS Exam
Scheduling this exam is similar to scheduling the ENA exam. Direct your web browser to www.extremenetworks.com. From the web page you can select an Extreme Networks ATP test center in your region. The ENS exam is a 4-hour hands-on exam performed at, and guided by, one of the Extreme Networks ATP test centers. The exam is comprised of four parts. One part consists of 30 multiple choice questions. The other three parts consist of hands-on practical exams based on three of the four training classes in the ENS curriculum. Candidates must achieve a score of 75% to be certified. The price for this exam is a single one-day training voucher. Successful candidates receive an ENS certificate with a unique certification number immediately upon passing the exam. Be sure to bring valid, government-issued photo identification to the testing location.


Figure 15: Extreme Networks Specialist (Level 2)

Figure 16: Extreme Networks Specialist (Level 2) Continued


ENA Certification Curriculum


The curriculum consists of instructor led courses, which provide students with the skill level described in the certification overview. The courses are grouped so you can easily determine which courses are needed for a certain certification level.

Extreme Introduction to Data Networking (EDN-100/3)


This training is intended for people who are new to networking, or those that want to refresh their knowledge. This course does not include specific Extreme Networks features, but covers the basic concepts and principles of Data Networking. Topics include: History of Networking, The OSI model, Ethernet, Ethernet devices (NIC, repeater, hub, bridge, switch). The knowledge gained from this course is prerequisite for attending ECF-200/5.

Extreme Introduction to IP Routing (EIP-100/2)


This course is intended for people who need a foundation in IP and IP routing protocols. The content of this course is a prerequisite for attending the ECF-200 course and includes: TCP/IP overview, IP addressing, IP subnetting, TCP/IP applications, the principles of routing, and an overview of the RIP and OSPF routing protocols. The knowledge gained from this course is a prerequisite for attending ECF-200/5.

Extreme Configuration Fundamentals (ECF-200/5)


This course is designed for people responsible for the installation, configuration, management, support, and troubleshooting of the Extreme Networks family of switch products. Students receive an overview of Extreme Networks software, the switch command line interface, the hardware features, and the software features. Students learn to:

Login to the switch and create new user accounts.
Download software updates and back up configuration files.
Configure layer-2 switching functions.
Create port-based, protocol-based, and tagged VLANs.
Create vMan VLAN tunnels.
Configure the Spanning Tree Protocol.
Configure basic RIP and OSPF functions.

Students are also introduced to advanced features. This course is based primarily on ExtremeWare XOS.


Figure 17: ENA Certification Curriculum


ENS Certification Curriculum


Extreme Security Fundamentals (ESF-300/3)
This course is tailored for those people who need to implement and maintain security in the network with features such as ACLs, QoS, DoS protection, network login, and NAT. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for attending the ESF training.

Extreme Redundancy Fundamentals (ERF-300/2)


This course is intended for people who build and maintain redundant networks using advanced features such as EMISTP, EAPS, ESRP, and VRRP. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for the ERF training.

Extreme Multicast Routing (EMR-300/2)


This course covers multicasting concepts and operation and Extreme Networks Multicast Features including the IGMP, PIM-DM, and PIM-SM protocols. Additional multicasting protocols are also presented. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for attending the EMR training. This course is based primarily on ExtremeWare XOS.

Extreme Interior Gateway Protocols (EIGP-300/2)


This course is designed for those individuals responsible for the installation, configuration, management, support, and use of the Extreme Networks switches in a routed environment. This course is ideal for individuals who are familiar with layer-3 routing but desire a more comprehensive discussion on how to set up an OSPF network using Extreme Networks products. The knowledge that can be obtained from the ECF-200/5 course is a prerequisite for the EIGP training. This course is based primarily on ExtremeWare XOS.


Figure 18: ENS Certification Curriculum


Supportive Curriculum
The following courses are currently elective.

Border Gateway Protocol Concepts and Configuration (BGP-220c)


This course is designed for Internet Service Providers (ISP), individuals connecting to ISPs, and those that want to configure BGP4 on the Extreme Networks family of switch products.

ExtremeWare Unified Access (EUA-310/3)


The course is designed to provide students with the skills to design, configure, manage, support, and use the Extreme Networks Summit 300-48 and the Altitude 300 for both wireless and wired secure network access.

EPICenter 5.0 Tutorial


This is a task-based interactive tool for learning how to use EPICenter software to efficiently manage, monitor, and configure your network. The tutorial includes seven modules and is presented using text, video, demonstrations, quizzes, and interactive scenarios. It is available on CD-ROM.


Figure 19: Supportive Curriculum

Figure 20: Certification and Curriculum Updates


Summary


Figure 21: Summary


Module 2 Security and Traffic Engineering

ExtremeWare Security Fundamentals Student Guide Rev. 3.0


Student Objectives
Module two introduces you to the importance of network security and how ExtremeWare XOS handles various types of network threats. Also this module explains traffic engineering, and its dual function in network security and network optimization. Upon completion of this module, the successful student will be able to:

Identify four major threats to network security.
For a green field network deployment, sequence the security implementation steps.
Describe ExtremeWare XOS security features.
Identify three requirements for secure remote access.
Describe three traffic engineering goals.
Identify ExtremeWare XOS traffic engineering features.


Figure 1: Student Objectives


Network Security Importance


With the growing dependence of businesses on data networks, it is important to have a secure network to address any potential threat. There are high costs associated with a down network.

When a network is down or compromised due to a virus or other attack, the consequences include:

Productivity Loss: When a network is down, workers cannot access internal resources to perform their work. Productivity loss for an enterprise-size company can be immense.

Revenue Loss: If the business conducts web-based business transactions or relies heavily on the data network for revenue generation, even one hour of network downtime is damaging.

Confidential Data Loss: Any confidential and proprietary data stored on the internal network is potentially accessible by malicious individuals.

Customer Confidence Loss: Your current customers will lose faith in your company's ability to manage and protect their interests, resulting in a major credibility loss.

NOTE
This course addresses the protection and optimization of the network. It does not go into corporate security policies. Every corporation has a different security policy to meet their needs.

NOTE
Physical site security is not a major topic in this course. It is assumed you have physically protected all network nodes and critical servers.


Figure 2: Network Security Importance


Layers of Security
It is useful to approach network security in terms of layers. At each layer, you can impose restrictions on the associated layer host (PC client machine, web server, device) to limit any potential attack initiated at or against it. For example, if an insecure PC client machine in the internal user layer is used to launch a network attack, you can configure the switch to route suspect data packets out of the network, resulting in minimal impact on the other layers.

1. Outside Layer
Outside refers to the public and private networks you do not control. You must assume all outside hosts are potentially infected and hostile. A customer accessing your website can be considered a host from the outside.

2. Demilitarized Zone (DMZ)
The DMZ is the network area between an outside network and the internal network. In the DMZ, you can configure specific ports to allow certain types of network traffic through. For example, web servers in the DMZ are typically accessible through Transmission Control Protocol (TCP) ports 80 and 443. As the switch administrator, you should open only the specific ports in the firewall needed for the services that must be available from the outside.

3. Remote Access Layer
The remote access layer allows a host from the outside layer to access services available on the internal network. Users remotely accessing the internal network require the same level of unrestricted access to internal network resources. Three major components for securing remote access are authentication, encryption, and intrusion detection. Authentication's primary function is to ensure a user is authorized to access the internal network; user verification is typically based on a username and password. Encryption makes the data sent between a remote user and the internal network illegible to anyone not authorized to read it. Allowing remote access creates a point of entry, and therefore a point of weakness, for an internal network. Intrusion detection systems enable the network administrator to monitor the remote access points for any potential attacks. Secondarily, the intrusion detection system collects data associated with an attack, which may be used for possible future criminal prosecution.

4. Internal User Layer
At the internal user layer, end users require access to internally networked resources and outside resources. Unfortunately, internal end users are often targets of attack. An internal user may unwittingly launch a virus that would propagate throughout the network and possibly shut down critical business services. As a network administrator, you must seamlessly allow end-user authentication, providing users access to the resources required for their work while limiting their access to resources they do not need.

5. Internal Administration Layer
Network switch administrators require extensive access to networked resources to keep the network running smoothly and efficiently. Just as network access is limited for internal end users, internal administrators should only have access to the network services and servers they are responsible for. Network administrators with extensive privileges and rights have the potential to cause major damage to a network.


Figure 3: Layers of Security


Networked Resources
Protected Resources
Protected resources are the resources that end users need to perform their work. They are not the servers located in the DMZ but servers located on the internal network that are vulnerable to attacks from compromised internal hosts. There should never be a direct connection from any remote access host to a protected resource without encryption; otherwise, the data transmitted and received is sent in the clear. Access to a protected resource from the Internet should be possible only through a server in the DMZ. All remote requests for data from a protected resource must go through the server in the DMZ, which then accesses the data on the protected resource on behalf of the remote client. Protected resources also act as a front end for the critical servers.

Critical Resources
Primary domain controllers, database servers, email servers, and other servers essential to the business are considered critical resources. To minimize any potential threat to the critical resource, it is a good security practice to have a front end protected resource to serve as a buffer between the end user and critical resource. For example, an end user accesses a website and enters queries. These queries are then sent to the actual backend database.


Figure 4: Networked Resource


Major Network Threats


The open architecture of the Internet Protocol (IP) makes it a highly efficient, cost-effective, and flexible communications protocol for local and global communications. It has been widely adopted, not only on the global Internet, but also in the internal networks of large corporations. The IP protocol suite, including TCP/IP, was designed to provide reliable and scalable communications over real-world networks. Criminals now see the corporate network as a new opportunity. Industrial espionage has moved online. The IP protocol, while very tolerant of random errors, is vulnerable to a number of malicious attacks. The most common threats to the network are:

Route Table Poisoning: Every host on an IP-based network has a routing table that tells the IP software how to forward packets. Core network routers generally maintain their routing tables dynamically using a routing protocol, enabling routers to exchange routing information with each other. Route table poisoning occurs when an attacker intentionally sends bogus information to a router. With the route table corrupted, the network may experience network congestion, network looping, or even network misdirection to an exploited system (allowing the attacker to sniff the packets).

Denial of Service (DoS): DoS attacks are designed to knock hosts or networks offline, making their services unavailable. DoS attacks primarily target a specific operating system with the intention of crashing the host. Typically, the DoS attack attempts to overwhelm a target with a flood of traffic that occupies the processing power of the router or consumes major network bandwidth. DoS attacks can be launched from single or multiple maliciously controlled hosts.

Packet Mistreatment: Packet mistreatment refers to attacks on live packet traffic. An attacker alters packet parameters so that the distorted packet is mishandled by the network and/or the receiving client. For example, changing the destination IP address in a large set of packets can cause localized network congestion. A martian attack is another example of packet mistreatment. A martian packet has a source address that does not have its return traffic routed back to the sender.

Unauthorized Access: Unauthorized access to the network is a major security issue. Once inside an internal network, where the security may be lighter, a malicious hacker may steal confidential data or launch attacks from systems regarded as safe. Wireless data traffic busily streaming through access points can provide a malicious hacker with enough information to crack 128-bit WEP keys. All points of network entry are also points of weakness.

NOTE
Domain Name Server (DNS) attacks are also common. DNS is the distributed database on the Internet that translates between IP addresses and host names, as well as mapping e-mail and name servers to Internet domains. DNS attacks slow or cripple the Internet. While DNS hacking is a potential issue for any network, Extreme Networks devices do not implement DNS services and are therefore not subject to these particular attacks.


Figure 5: Major Network Threats


ExtremeWare XOS Security Features


Major ExtremeWare security features include:

Switch Access Options: Extreme Networks employs a number of mechanisms that protect the Alpine, BlackDiamond, and Summit switches from unauthorized access, which include a combination of:

In-Band / Out-of-Band node management
Switch Administrator Access Profiles and User Authentication

Secure Communication Protocols: ExtremeWare supports many standard secure communication protocols, such as Simple Network Management Protocol version 3 (SNMPv3), Secure Shell version 2 (SSH2), Secure File Transfer Program version 2 (SFTP2), Secure Copy Program version 2 (SCP2), Message Digest 5 (MD5), and others. For example, when OSPF and BGP have both been configured for MD5 and access profiles, route table poisoning is minimized: the MD5 and access profile configuration ensures routing table updates come only from legitimate sources.

DoS-Protect: DoS-Protect is an administrator-configurable feature that detects and filters out possible DoS-generated traffic.

Blackhole Options: It is possible to forward suspect data packets to a blackhole configured on a switch, where they are promptly discarded. For example, a malicious IP packet flood can be immediately sent to a blackhole, minimizing the attack's influence on network performance.

Port and MAC-Based Security: ExtremeWare also allows security options based on ports and MAC addresses. For example, with MAC limit-learning enabled, you can limit the number of dynamically learned MAC addresses allowed per virtual port.

Network Login: Network Login requires a user to authenticate with a username and password. When the user is authenticated, the user is placed on a preapproved and specific port on the Virtual Local Area Network (VLAN).

Access Control Lists and Access Profiles: An access control list (ACL) enables a switch to identify specific network traffic and decide whether to block or forward the packets. The ACL criteria are configured by the network administrator. An access profile is similar to an ACL, but it deals only with management and control packets destined to or sent by a switch.
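As an added illustration of the per-port MAC limit-learning behaviour described above (this is not ExtremeWare code; the port name, the limit, and the frame stream are constructed, and sending frames from excess addresses to a blackhole is a modelled policy assumed here, not a statement of the switch's exact behaviour):

```python
"""Model of MAC limit-learning on one switch port: at most `limit` source
MAC addresses are learned dynamically; frames from any further address are
not learned and are reported so they can be blackholed.

Added example for this guide, not ExtremeWare code. The port name, limit and
frame stream below are constructed; the blackhole action is an assumed policy.
"""
from collections import OrderedDict


class LimitLearningPort:
    def __init__(self, name, limit):
        self.name = name
        self.limit = limit
        self.learned = OrderedDict()   # learned source MAC -> frames seen
        self.blackholed = {}           # excess source MAC -> frames dropped

    def ingress(self, src_mac):
        """Process one frame by its source MAC; return "forward" or "blackhole"."""
        mac = src_mac.lower()
        if mac in self.learned:              # already in the FDB: normal forwarding
            self.learned[mac] += 1
            return "forward"
        if len(self.learned) < self.limit:   # room left under the learning limit
            self.learned[mac] = 1
            return "forward"
        # Limit reached: do not learn, count the address as excess and drop.
        self.blackholed[mac] = self.blackholed.get(mac, 0) + 1
        return "blackhole"

    def over_limit_count(self):
        """Number of distinct source MACs that exceeded the limit."""
        return len(self.blackholed)


def replay(port, frames):
    """Feed a sequence of source MACs through the port; return action counts."""
    counts = {"forward": 0, "blackhole": 0}
    for mac in frames:
        counts[port.ingress(mac)] += 1
    return counts


# Constructed traffic: two legitimate hosts on the port, then a burst of 50
# distinct source MACs such as a compromised host might generate, then the
# legitimate hosts again (still forwarded: their entries were learned first).
LEGIT = ["02:00:00:00:00:01", "02:00:00:00:00:02"]   # locally administered, constructed
FLOOD = [f"02:de:ad:be:ef:{i:02x}" for i in range(50)]
FRAMES = LEGIT * 3 + FLOOD + LEGIT

if __name__ == "__main__":
    port = LimitLearningPort("1:5", limit=2)   # constructed port name
    print(replay(port, FRAMES))
    print(f"{port.over_limit_count()} excess source MACs blackholed on port {port.name}")
```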


Figure 6: ExtremeWare Security Features


Network Security Implementation Sequence


Here are the recommended steps for implementing security for a greenfield deployment of an enterprise-class network.

1. Power the switch.
2. Change the default administrator password.
3. Enable DoS protection.
4. Enable RADIUS.
5. Create Access Profiles.
6. Configure SNMP settings.
7. Turn off web configuration.
8. Enable SSHv2.
9. Turn off Telnet.
10. Plug cables into the network.
11. Configure MAC security.
12. Configure the switch.
13. Configure the management network.
14. Configure routing.
15. Configure ACLs and martian specific ACLs.
16. Configure the Syslog server.
17. Configure the RADIUS server.
18. Configure the EPICenter server.
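The martian packets described under Major Network Threats and the "martian specific ACLs" of step 15 above come together in the ingress source-address check below. This is an added model written for this guide, not ExtremeWare ACL syntax or Extreme Networks code; the campus prefix, the port roles, and the sample packets are constructed. It generalizes the page's single martian case to the full set of never-valid source ranges plus the inside/outside spoofing checks an edge ACL typically adds.

```python
"""Ingress source-address filter modelling step 15 ("martian specific ACLs").

Added example, not ExtremeWare code. The campus prefix, port roles and
sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Source ranges that can never belong to a legitimate sender on a routed
# network: return traffic to them cannot reach the sender, which is the
# martian definition used in this module.
MARTIAN_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast is never a source address
    "240.0.0.0/4",      # reserved, includes the limited broadcast address
)]

# RFC 1918 private space: valid inside the enterprise, martian when it
# arrives from the outside layer.
PRIVATE_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed campus addressing: the only valid sources on internal user ports.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Packet:
    ingress_port: str   # constructed port name such as "1:1"
    src: str
    dst: str


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify_source(pkt, port_role):
    """Return ("permit" | "deny", reason) for one packet on an ingress port.

    port_role is "outside" (uplink facing the outside layer) or "inside"
    (internal user port). Both roles drop martians. "outside" additionally
    drops sources claiming to be internal or RFC 1918 (spoofing from the
    outside); "inside" drops sources that are not from the local prefixes
    (an internal host spoofing someone else's address).
    """
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, MARTIAN_SOURCES):
        return "deny", "martian source"
    if port_role == "outside":
        if _in_any(src, INTERNAL_PREFIXES):
            return "deny", "spoofed internal source from outside"
        if _in_any(src, PRIVATE_SOURCES):
            return "deny", "RFC 1918 source from outside"
        return "permit", "outside source"
    if port_role == "inside":
        if not _in_any(src, INTERNAL_PREFIXES):
            return "deny", "source not in local prefixes"
        return "permit", "local source"
    raise ValueError(f"unknown port role {port_role!r}")


def apply_acl(packets, port_roles):
    """Evaluate every packet; return a list of (packet, action, reason)."""
    return [(p, *classify_source(p, port_roles[p.ingress_port])) for p in packets]


def denied_count(results):
    return sum(1 for _, action, _ in results if action == "deny")


# Constructed sample traffic as seen at the switch.
PORT_ROLES = {"1:1": "outside", "2:1": "inside"}
SAMPLE_PACKETS = [
    Packet("1:1", "203.0.113.7", "10.20.1.10"),    # normal outside client
    Packet("1:1", "10.20.1.50", "10.20.1.10"),     # internal address arriving on the uplink
    Packet("1:1", "127.0.0.1", "10.20.1.10"),      # loopback source
    Packet("1:1", "192.168.1.9", "10.20.1.10"),    # private source from outside
    Packet("2:1", "10.20.3.4", "198.51.100.20"),   # normal internal user
    Packet("2:1", "198.51.100.99", "10.20.1.10"),  # internal host spoofing a remote source
    Packet("2:1", "224.0.0.5", "10.20.1.10"),      # multicast used as a source
]

if __name__ == "__main__":
    for pkt, action, reason in apply_acl(SAMPLE_PACKETS, PORT_ROLES):
        print(f"port {pkt.ingress_port} {pkt.src:>15} -> {pkt.dst:<14} {action:6} ({reason})")
```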


Figure 7: Network Security Implementation Sequence


Figure 8: Network Security Implementation Sequence (cont)


Traffic Engineering
In addition to identifying any potential security threat and implementing an appropriate security policy, networks should also address traffic engineering needs. With the increasing use of time-sensitive data applications such as Voice over IP (VoIP) and streaming media, tuning the network for minimal congestion and maximum efficiency is important.

Purpose
Traffic engineering has three primary goals:

1. Optimize network usage
2. Optimize network performance
3. Increase the robustness of the network infrastructure

ExtremeWare XOS Traffic Engineering Features


ExtremeWare enables network optimization and tuning with the following major ExtremeWare features:

Access Profiles

Quality of Service (QoS): By configuring QoS parameters, a network administrator can prioritize traffic flows, ensuring time-sensitive packets are transmitted and received at high priority.

Policy Based Routing: Routing based on source and/or destination IP address information or port number is known as policy-based routing.


Figure 9: Traffic Engineering Goals


Figure 10: ExtremeWare Traffic Engineering Features


Summary
Module two presented the importance of network security and how ExtremeWare handles various types of network threats. Traffic engineering concepts were also introduced.

You should now be able to:


Identify four major threats to network security.
For a green field network deployment, sequence the security implementation steps.
Describe ExtremeWare XOS security features.
Identify three requirements for secure remote access.
Describe three traffic engineering goals.
Identify ExtremeWare XOS traffic engineering features.


Figure 11: Summary


Module 3 Switch Access


Student Objectives
Upon completion of this module, the successful student will be able to:

Identify the five switch access options
Configure Safe-Default-Script
Disable nonessential switch access options
Create management accounts on the switch
Configure a Failsafe Account
Manage Passwords
Configure an Access Control List (ACL) to control telnet access
Display management accounts
Configure the banner that displays during login attempts
Configure switch idle timeouts
View active switch sessions
Configure SNMPv3
Configure SSH2
Configure an ACL to control SSH2 access
Configure SCP2
Describe RADIUS
Configure the RADIUS client
Configure RADIUS accounting
Describe TACACS+


Figure 1: Student Objectives


Figure 2: Student Objectives (cont)


Default Switch Access Options


The following are enabled by default:

Telnet access
SNMP access
All ports enabled

Safe Defaults Setup Method


Upon initially booting up the switch through the console port, a safe default script is implemented. To manually run the interactive safe default script, which prompts you to choose whether to enable or disable SNMP, Telnet, Web access, and enabled ports, enter the following command:

configure safe-default-script

NOTE
The safe default script is also implemented when the unconfigure switch all command is entered and the switch is rebooted.


Figure 3: Configuring Safe Default Script


Switch Access Options


Five Types of Switch Access
Extreme Networks switches have five switch access options:

- Console
- SSH2
- Telnet
- HTTP (via ExtremeWare Vista web-based management application)
- SNMPv3

NOTE
Not all configuration is possible using the ExtremeWare Vista interface.

The console can be used for direct local management, and the port settings are as follows:

- Baud rate - 9600
- Data bits - 8
- Stop bit - 1
- Parity - None
- Flow Control - XON/XOFF

The PC/Terminal connected to the switch's console port must be configured with the same settings. The CLI console port connection requires a serial crossover cable (a.k.a. Null modem) with DB9 female connectors.
The 9-pin serial port labeled as modem on some switches does not allow any connectivity to the device.

Disabling Switch Access Options


Depending on your security needs, it is possible to disable the ssh2, telnet, and snmp access options. However, console access cannot be disabled and is always enabled. To disable a switch access option, enter the following command:
disable [switch access option]
where the switch access option is one of:
disable ssh2
disable telnet
disable snmp access


Figure 4: Five Types of Switch Access Options

Figure 5: Disabling Switch Access Option


Management Accounts
By default, the switch is configured with two default user accounts, admin and user. The switch can have a total of 16 management accounts. You can use the default names (admin and user), or you can create new names and passwords for the accounts. Passwords can have a minimum of 0 characters and a maximum of 32 characters.

Administrator Level Account


An administrator level account has both read and write access to all manageable parameters. With this level, you can also add and delete users, as well as change the password associated with any account name (to erase the password, issue the unconfigure switch all command). An administrator can perform the following functions:

- View and edit all switch parameters.
- Add and delete accounts, and change the password associated with any account name.
- Disconnect a management session that has been established by a Telnet connection. When a switch administrator cancels a user's Telnet session, the user is notified that the session has been terminated. The command syntax to cancel a Telnet connection is:
clear session <id>

An administrator level account login is indicated by a command-line prompt that ends with a pound sign (#). Prompt type: Summit450 #

User Level Account


A user level account has viewing access to all manageable parameters, with the exception of the following:

- Showing the switch configuration
- Showing switch management details
- Showing and configuring the user account database
- Showing and configuring SNMP community strings

A user level account can use the ping command to test if a device is reachable. A user level account can also change the password assigned to its own account. A user level account login is indicated by a command-line prompt that ends with a greater-than sign (>). Prompt type: Summit450>

Logging Out of a Session


To log out of a session, enter one of the following commands:
exit
logout


Management Accounts
Administration account can:
- View and change anything
- Add/Remove users
- Change user passwords
- Disconnect Telnet sessions
Prompt type: SummitX450 #

User account can:
- View anything except:
  - Show switch configuration
  - Show switch management
  - User accounts
  - SNMP community strings
- Use PING
- Change own password
Prompt type: SummitX450>


Figure 6: Management Accounts


Creating Management Accounts


To create a management account, enter the following command:
create account [admin | user] <name> {encrypted} {<password>}
To delete an account, type the following command:
delete account <name>
Only users with admin level status can create and delete accounts. The encrypted option should not be used for manual account creation and switch access. The encrypted option is reserved for use by the switch: it is a system option for the switch's TFTP server uploads and downloads, not for users. If the encrypted option is used while creating a new account through the CLI, the switch assumes that the username and password are encrypted and not in clear text.

Displaying Management Accounts (admin level only)


To view the management accounts associated with the switch, enter the following command:
show account
The fields displayed are:
- User Name
- Access (read write or read only)
- Number of successful and failed login attempts per account

Deleting an Account (admin level only)


To delete an account, type the following command:
delete account <name>


Figure 7: Creating Management Accounts

Figure 8: Displaying Management Accounts


Creating a Failsafe Account


The failsafe account is the account of last resort to access your switch. This account is never displayed by the show account command, but it is always present on the switch. To configure the account name and password for the failsafe account, enter the following command:
configure failsafe-account
You will be prompted for the failsafe account name and prompted twice to specify the password for the account. After entering the failsafe password, the failsafe account is immediately saved to NVRAM.

NOTE
The information that you use to configure the failsafe account cannot be recovered by Extreme Networks. Technical support cannot retrieve passwords or account names for this account. Protect this information carefully.

To access your switch using the failsafe account, you must connect to the serial port of the switch. You cannot access the failsafe account through any other port. At the switch login prompt, carefully enter the failsafe account name. If you enter an erroneous account name, you cannot re-enter the correct name. Once you have entered the failsafe account name, you are prompted to enter the password. You will have three tries to enter the password correctly. Once you have successfully logged in to the failsafe account, you see the following prompt:
failsafe>
From here, you have the following four command choices:

- Login: Use this command to access the switch CLI. You will have full administrator capabilities.
- Reboot: Use this command to reboot the current MSM (MSM on modular switches only).
- Help: Use this command to display a short help text.
- Exit: Use this command to exit the failsafe account and return to the login prompt.

Typically, you use the Login command to correct the problem that initially required you to use the failsafe account.


Figure 9: Creating a Failsafe Account

Figure 10: Logging in Failsafe Account


Managing Passwords
When you first access the switch, you have a default account. You configure a password for your default account. As you create other accounts, you configure passwords for those accounts. Beginning with ExtremeWare XOS version 11.2, the software allows you to apply additional security to passwords: you can enforce a specific format and minimum length, age out the password, prevent a user from reusing a previously used password, and lock users out of the account after three consecutive failed login attempts.

Applying a Password to the Default Admin Account


Default accounts do not have passwords assigned to them. Passwords can have a minimum of 0 characters and a maximum of 32 characters. Passwords are case-sensitive; user names are not case-sensitive. To add a password to the default admin account:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return].
3 Add a default admin password of green by entering the following commands:
configure account admin
password: green
Reenter password: green

Applying a Password to the Default User Account


To add a password to the default user account:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return], or enter the password that you have configured for the admin account.
3 Add a default user password of blue by entering the following commands:
configure account user
password: blue
Reenter password: blue
If you forget your password while logged out of the CLI, contact your local technical support representative, who will advise on your next course of action.

NOTE
The entered passwords are not displayed on the screen.


Figure 11: Applying a Password to the Default Admin Account

Figure 12: Applying a Password to the Default User Account


Specifying Password Parameters


You can increase the security of your system by enforcing password restrictions, which will make it more difficult for unauthorized users to access your system. You can specify that each password must include at least two characters of each of the following four character types:

- Upper-case A-Z
- Lower-case a-z
- 0-9
- !, @, #, $, %, ^, *, (, )

To set this format for the password, enter the following command:
configure account [all | <name>] password-policy char-validation [none | all-chargroups]

You can enforce a minimum length for the password and set a maximum time limit, after which the password will not be accepted. To set a minimum length for the password, issue the following command:
configure account [all | <name>] password-policy min-length [<num_characters> | none]

To age out the password after a specified time, issue the following command:
configure account [all | <name>] password-policy max-age [<num_days> | none]

You can block users from employing previously used passwords by issuing the command:
configure account [all | <name>] password-policy history [<num_passwords> | none]

By default, the system terminates a session once the user has 3 consecutive failed login attempts. The user may then launch another session (which again would terminate after 3 consecutive failed login attempts). To increase security, you can lock users out of the system entirely after 3 failed consecutive login attempts. To use this feature, issue the following command:
configure account [all | <name>] password-policy lockout-on-login-failures [on | off]

NOTE
If you are not working on SSH, you can configure the number of failed logins that trigger lockout, using the configure cli max-failed-logins <num-of-logins> command. (This command also sets the number of failed logins that terminate the particular session.)

Once locked out (using the configure account password-policy lockout-on-login-failures command), the user's account must be specifically re-enabled by an administrator. To re-enable a locked-out account, issue the following command:
clear account [all | <name>] lockout
Selecting the all option affects the setting of all existing and future new accounts. The default admin account and failsafe accounts are never locked out, no matter how many consecutive failed login attempts occur.
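The effect of the password-policy settings above can be tried offline with a small model. This is an added example, not Extreme Networks code: the PasswordPolicy and Account classes and their function names are this example's own, and passwords are stored as PBKDF2 hashes here only so that the history check has something to compare against.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import hashlib
import hmac
import secrets
import string

SPECIALS = "!@#$%^*()"      # the fourth character group listed on the page
MAX_LENGTH = 32             # passwords are 0 to 32 characters
FAILED_LOGIN_LIMIT = 3      # default cli max-failed-logins


@dataclass
class PasswordPolicy:
    """One account's password-policy settings (names are this example's own)."""
    all_chargroups: bool = False        # char-validation all-chargroups
    min_length: int = 0                 # min-length (0 == none)
    max_age_days: Optional[int] = None  # max-age (None == none)
    history: int = 0                    # history (0 == none)
    lockout_on_login_failures: bool = False


@dataclass
class Account:
    name: str
    exempt_from_lockout: bool = False   # default admin and failsafe accounts
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)  # password hashes, oldest first
    set_on: Optional[date] = None       # date the current password was set
    consecutive_failures: int = 0
    locked_out: bool = False

    def digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 20_000)


def violations(policy, account, password):
    """List the policy rules a candidate password breaks (empty list == accepted)."""
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append("longer than 32 characters")
    if len(password) < policy.min_length:
        problems.append(f"shorter than min-length {policy.min_length}")
    if policy.all_chargroups:
        groups = {"upper-case": string.ascii_uppercase, "lower-case": string.ascii_lowercase,
                  "digit": string.digits, "special": SPECIALS}
        for label, chars in groups.items():   # at least two characters of each group
            if sum(c in chars for c in password) < 2:
                problems.append(f"fewer than two {label} characters")
    if policy.history and account.digest(password) in account.hashes[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


def set_password(policy, account, password, today):
    """configure account <name>: apply the policy, then record the new password hash."""
    problems = violations(policy, account, password)
    if problems:
        raise ValueError("; ".join(problems))
    account.hashes.append(account.digest(password))
    account.set_on = today
    return True


def attempt_login(policy, account, password, today):
    """One login attempt, returning an outcome string.

    The third consecutive failure terminates the session; with
    lockout-on-login-failures it also locks the account until clear_lockout().
    """
    if account.locked_out:
        return "locked-out"
    if (policy.max_age_days is not None and account.set_on is not None
            and today - account.set_on > timedelta(days=policy.max_age_days)):
        return "password-expired"
    # A default account with no password is entered by pressing Return (empty password).
    current = account.hashes[-1] if account.hashes else account.digest("")
    if hmac.compare_digest(account.digest(password), current):
        account.consecutive_failures = 0
        return "ok"
    account.consecutive_failures += 1
    if account.consecutive_failures < FAILED_LOGIN_LIMIT:
        return "bad-password"
    account.consecutive_failures = 0     # the session ends either way
    if policy.lockout_on_login_failures and not account.exempt_from_lockout:
        account.locked_out = True
        return "locked-out"
    return "session-terminated"


def clear_lockout(account):
    """clear account <name> lockout: only an administrator re-enables the account."""
    account.locked_out = False
    account.consecutive_failures = 0
```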


Figure 13: Specifying Password Parameters


Displaying Password Policy


To display the accounts and any applied password security, issue the following command:
show accounts password-policy


Figure 14: Displaying Password Policy


Configuring the Login Display Banner


ExtremeWare XOS switches allow the admin to configure a banner that is displayed when a login is attempted. It is important for the banner to indicate that switch access is only for authorized users. The primary purpose of the login display banner is to build up a legal case against the unauthorized user. To configure the login display banner, enter the following commands:
configure banner [Enter]
Switch access for Authorized staff only. [Enter]
Disconnect now if you have no permission to access. [Enter]
E-Mail xxx@yyyyy.com for more information. [Enter]
[Enter]

- Up to 24 rows of 79-character-wide text can be entered
- Pressing [Enter] at the beginning of a new line saves the previously entered text and enables the login display banner
- Pressing [Enter] at the beginning of the first line clears the login display banner

Displaying the Login Banner


To display the configured banner, enter the following command: show banner


Figure 15: Configuring the Login Display Banner

Figure 16: Displaying the Login Banner


Configuring the Switch Idle Timeout


ExtremeWare has the option of enabling a timer that disconnects Telnet, HTTP and console sessions after a specific time of inactivity. By default the idle timeout is disabled. To enable the idle timeout feature, enter the following commands:
configure idletimeout <minutes>
enable idletimeout

The minutes of inactivity can range from 1 minute to 240 minutes; the default setting is 20 minutes.

Disabling Switch Idle Timeout


To disable the switch idle timeout, enter the following command: disable idletimeout

Viewing Idletimeout Status


To view the idle timeout status, enter the following command: show management


Figure 17: Configuring, Enabling, and Displaying Switch Idletimeout


Displaying Active Switch Sessions


To view active switch sessions, enter the following command: show session

Clearing Specific Telnet Sessions


To terminate a specific telnet session, enter the following command:
clear session <number>
<number> corresponds to the session ID number visible in the output of the show session command.


Figure 18: Displaying and Clearing Specific Telnet Sessions


Using Access Control Lists (ACLs) to Control Telnet Access


By default, Telnet services are enabled on the switch. You can restrict Telnet access by using an access control list (ACL) and implementing an ACL policy. You configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the Telnet port. There are two methods to load ACL policies to the switch:

- You can create the policy directly on the switch. Enter the following command to launch a vi-like editor to create the policy file:
edit policy
- To transfer a policy that you created using a text editor on another system to the switch, enter the following command:
tftp

Sample ACLs that Control Telnet Access


MyAccessProfile.pol
The switch permits connections from the subnet 10.203.133.0/24 and denies connections from all other addresses.

MyAccessProfile_2.pol
The switch does not permit connections from the subnet 10.203.133.0/24 but accepts connections from all other addresses.

Configuring Telnet to Use ACL Policies


Once the policy file is on the switch, a telnet access profile must be configured. To apply the ACL to the telnet access profile, enter the following command:
configure telnet access-profile [<access_profile> | none]
Use the none option to remove a previously configured ACL.

NOTE
Extreme Advanced Security: Access Control Lists goes into more detail about ACLs, Access Profile, Policy Manager, and CLEARFlow.
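To see how a policy of this kind decides a Telnet connection, here is an added example that is neither the page's policy files nor Extreme Networks code. The two policy texts are constructed to have the effect the page attributes to MyAccessProfile.pol and MyAccessProfile_2.pol, written in the entry / if match / then block layout that this example takes the XOS .pol format to use (an assumption), and each ends with an explicit catch-all entry so the outcome does not rest on the switch's unmatched-entry default.

```python
import ipaddress
import re

# Constructed policy texts; the page shows the real files only as figures.
MY_ACCESS_PROFILE = """
entry allow_mgmt_subnet {
    if match all {
        source-address 10.203.133.0/24;
    } then {
        permit;
    }
}
entry deny_everyone_else {
    if {
    } then {
        deny;
    }
}
"""

MY_ACCESS_PROFILE_2 = """
entry block_mgmt_subnet {
    if match all {
        source-address 10.203.133.0/24;
    } then {
        deny;
    }
}
entry permit_everyone_else {
    if {
    } then {
        permit;
    }
}
"""

# entry <name> { if [match all|any] { <conditions> } then { <action>; } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if(?:\s+match\s+(?P<mode>all|any))?\s*\{"
    r"(?P<conds>[^}]*)\}\s*then\s*\{(?P<actions>[^}]*)\}\s*\}",
    re.S,
)
COND_RE = re.compile(r"source-address\s+(\S+)\s*;")
ACTION_RE = re.compile(r"\b(permit|deny)\s*;")


def parse_policy(text):
    """Return [(name, mode, [networks], action)] in file order; reject malformed entries."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        nets = [ipaddress.ip_network(c, strict=False) for c in COND_RE.findall(m["conds"])]
        actions = ACTION_RE.findall(m["actions"])
        if len(actions) != 1:
            raise ValueError(f"entry {m['name']}: expected exactly one permit/deny action")
        entries.append((m["name"], m["mode"] or "all", nets, actions[0]))
    if not entries:
        raise ValueError("no entries parsed")
    return entries


def evaluate(entries, source_ip, default="deny"):
    """First-match evaluation of a Telnet client address: (action, entry name).

    An entry with no conditions matches every address. `default` is this
    evaluator's own choice for the no-match case, not a statement about XOS.
    """
    addr = ipaddress.ip_address(source_ip)
    for name, mode, nets, action in entries:
        hits = [addr in n for n in nets]
        matched = not nets or (all(hits) if mode == "all" else any(hits))
        if matched:
            return action, name
    return default, None
```

Entry order is what makes the first file restrictive and the second permissive; swapping the two entries of either file changes the answer for the management subnet.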


Figure 19: MyAccessProfile.pol

Figure 20: MyAccessProfile_2.pol


SNMP Access
Any network manager program running the Simple Network Management Protocol (SNMP) can manage the switch, provided the Management Information Base (MIB) is installed correctly on the management station. Each network manager program provides its own user interface to the management facilities. Please note, when using a network manager program to create a VLAN, Extreme Networks does not support the SNMP create-and-wait operation. To create a VLAN with SNMP, use the create-and-go operation. The following sections describe how to get started if you want to use an SNMP manager. They assume you are already familiar with SNMP management. If not, refer to the following publication: The Simple Book by Marshall T. Rose, ISBN 0-13-8121611-9, published by Prentice Hall.

Accessing Switch Agents


To access the SNMP agent residing in the switch, at least one VLAN must have an assigned IP address. By default, SNMP access and SNMPv1/v2c traps are enabled. SNMP access and SNMP traps can be disabled and enabled independently: you can disable SNMP access but still allow SNMP traps to be sent, or vice versa.

Supported MIBs
In addition to private MIBs, the switch supports standard MIBs. Please refer to ExtremeWare XOS Concepts Guide Software Version 11.3 Appendix D for a listing of supported MIBs.


SNMP Access
- At least one VLAN per switch must have an IP address
- IT can then access the SNMP agent from the management workstation
- Any SNMP based network manager can manage a switch
- The Switch MIB should be installed correctly on the management workstation
(Diagram labels: NMS, IP Network/Intranet, 10.1.4.1, 10.1.5.1, 10.1.6.1)

Figure 21: SNMP Access


Enabling and Disabling SNMPv1/v2c and SNMPv3


ExtremeWare XOS can concurrently support SNMPv1/v2c and SNMPv3. The default is both types of SNMP enabled. Network managers can access the device with either SNMPv1/v2c methods or SNMPv3. To enable concurrent support, type the following command:
enable snmp access

To prevent any type of SNMP access, type the following command:


disable snmp access

To prevent access using SNMPv1/v2c methods and allow access using SNMPv3 methods only, type the following commands:
enable snmp access
disable snmp access snmp-v1v2c

There is no way to configure the switch to simultaneously allow SNMPv1/v2c access and prevent SNMPv3 access. Most of the commands that support SNMPv1/v2c use the keyword snmp; most of the commands that support SNMPv3 use the keyword snmpv3. After a switch reboot, all slots must be in the "Operational" state before SNMP can manage and access the slots. To verify the current state of the slot, type the following command: show slot


Figure 22: Disabling SNMPv1/v2c but Allowing SNMPv3


Configurable SNMPv1/v2c Parameters


Authorized Trap Receivers
An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMPv1/v2c traps to all configured trap receivers. You can specify a community string and UDP port individually for each trap receiver. To add all community strings to the switch, type the following command:
configure snmp add community
To configure a trap receiver on a switch, type the following command:
configure snmp add trapreceiver <ip_address> community [[hex <hex_community_name>] | <community_name>] {port <port_number>} {from <src_ip_address>} {mode <trap_mode> [enhanced | standard]}
To delete a trap receiver, type the following command:
configure snmp delete trapreceiver
Entries in the trap receiver list can also be created, modified, and deleted using the RMON2 trapDestTable MIB table, as described in RFC 2021.

Community Strings
The community strings allow a simple method of authentication between the switch and the remote network manager. There are two types of community strings on the switch:

- Read community strings provide read-only access to the switch. The default read-only community string is public.
- Read-write community strings provide read-and-write access to the switch. The default read-write community string is private.

As these two community strings are well known, it is highly recommended to change the default community strings when implementing SNMP. To change the read-only and read-write SNMP community strings, enter the following commands:
configure snmp community readonly (new-community-name)
configure snmp community readwrite (new-community-name2)

Additional SNMPv1/v2c Configurable Parameters

- System contact (optional): The system contact is a text field that enables you to enter the name of the person(s) responsible for managing the switch.
- System name (optional): The system name enables you to enter a name that you have assigned to this switch. The default name is the model name of the switch (for example, BD-1.2).
- System location (optional): Using the system location field, you can enter the location of the switch.


Configurable SNMPv1/v2c Parameters
- Authorized Trap Receivers
- Authorized Managers
- Community Strings (should change the default values)
  - Read only
  - Read / Write
(Diagram labels: NMS, IP Network/Intranet, 10.1.4.1, 10.1.5.1, 10.1.6.1)

Figure 23: Configurable SNMPv1/v2c Parameters


Displaying SNMP Settings


To display SNMP settings for the switch, type the following command:
show management
This command displays the following information:
- Enable/disable state for Telnet and SNMP access
- Login statistics
- Enable/disable state for idle timeouts
- Maximum number of CLI sessions
- SNMP community strings
- SNMP trap receiver list
- SNMP trap receiver source IP address
- SNMP statistics counter
- Enable/disable state for Remote Monitoring (RMON)


Figure 24: Displaying SNMP Settings


SNMPv3
SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP access to managed devices and provides sophisticated control of access to the device MIB. The prior standard versions of SNMP, SNMPv1 and SNMPv2c, provided no privacy and little security. The SNMPv3 standards for network management were primarily driven by the need for greater security and access control. The new standards use a modular design and model management information by cleanly defining a message processing (MP) subsystem, a security subsystem, and an access control subsystem. The MP subsystem helps identify the MP model to be used when processing a received Protocol Data Unit (PDU), which are the packets used by SNMP for communication. The MP layer helps in implementing a multilingual agent, so that various versions of SNMP can coexist simultaneously in the same network. The security subsystem features the use of various authentication and privacy protocols with various timeliness checking and engine clock synchronization schemes. SNMPv3 is designed to be secure against:

- Modification of information, where an in-transit message is altered.
- Masquerades, where an unauthorized entity assumes the identity of an authorized entity.
- Message stream modification, where packets are delayed and/or replayed.
- Disclosure, where packet exchanges are sniffed (examined) and information is learned about the contents.

The access control subsystem provides the ability to configure whether access to a managed object in a local MIB is allowed for a remote principal. The access control scheme allows you to define access policies based on MIB views, groups, and multiple security levels. In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for generating and filtering of notifications. SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage. Objects defined as permanent cannot be deleted.

NOTE
In SNMPv3, many objects can be identified by a human-readable string or by a string of hexadecimal octets. In many commands, you can use either a character string, or a colon-separated string of hexadecimal octets to specify objects. To indicate hexadecimal octets, use the keyword hex in the command.

Message Processing
A particular network manager may require messages that conform to a particular version of SNMP. The choice of the SNMPv1, SNMPv2c, or SNMPv3 MP model can be configured for each network manager as its target address is configured. To configure the mp-model selection, enter the following command:
configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex <hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}


SNMPv3
- Enhanced SNMP standard
- Improved SNMP security and privacy
- Modular design using subsystems:
  - Message Processing (MP)
  - Security
  - Access Control

Figure 25: SNMPv3


SNMPv3 Security
In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals with security related aspects like authentication, encryption of SNMP messages, and defining users and their various access security levels. This standard also encompasses protection against message delay and message replay.

USM Timeliness Mechanisms


An Extreme Networks switch has one SNMPv3 engine, identified by its snmpEngineID. The first four octets are fixed to 80:00:07:7C, which represents the Extreme Networks vendor ID. By default, the additional octets for the snmpEngineID are generated from the device MAC address. Every SNMPv3 engine necessarily maintains two objects: SNMPEngineBoots, the number of reboots the agent has experienced, and SNMPEngineTime, the local time since the engine reboot. The engine has a local copy of these objects and the latestReceivedEngineTime for every authoritative engine it wants to communicate with. Comparing these objects with the values received in messages, and then applying certain rules to decide upon the message validity, accomplishes protection against message delay or message replay. In a chassis, the snmpEngineID is generated using the MAC address of the MSM with which the switch boots first. The snmpEngineID can be configured from the command line, but once the snmpEngineID is changed, default users revert to their original passwords/keys, and non-default users are reset to the security level of no authentication, no privacy. To set the snmpEngineID, enter the following command:
configure snmpv3 engine-id <hex_engine_id>

SNMPEngineBoots can also be configured from the command line. SNMPEngineBoots can be set to any desired value but will latch on its maximum, 2147483647. To set the SNMPEngineBoots, type the following command:
configure snmpv3 engine-boots <(1-2147483647)>


Figure 26: Configuring SNMPv3 engine-id


SNMPv3 Users
Creating SNMPv3 Users
Users are created by specifying a user name. Depending on whether the user will be using authentication and/or privacy, you would also specify an authentication protocol (MD5 or SHA) with password or key, and/or privacy (DES) password or key. To create a user, type the following command:
configure snmpv3 add user [[hex <hex_user_name>] | <user_name>] {authentication [md5 | sha] [hex <hex_auth_password> | <auth_password>]} {privacy [hex <hex_priv_password> | <priv_password>]} {volatile}

A number of default, permanent users are initially available. The default user names are: admin, initial, initialmd5, initialsha, initialmd5Priv, initialshaPriv. The default password for admin is password. For the other default users, the default password is the user name.

Displaying SNMPv3 Users


To display information about a user, or all users, type the following command:
show snmpv3 user {[[hex <hex_user_name>] | <user_name>]}

Deleting SNMPv3 Users


To delete a user, type the following command:
configure snmpv3 delete user [all-non-defaults | [[hex <hex_user_name>] | <user_name>]]

NOTE
The SNMPv3 specifications describe the concept of a security name. In the ExtremeWare XOS implementation, the user name and security name are identical. In this manual, both terms are used to refer to the same thing.


Figure 27: Displaying SNMPv3 Users


SNMPv3 Groups
Groups are used to manage access for the MIB. You use groups to define the security model, the security level, and the portion of the MIB that members of the group can read or write. Reflecting this access-control role of groups, a group is defined by typing the following command:
configure snmpv3 add access [[hex <hex_group_name>] | <group_name>] {sec-model [snmpv1 | snmpv2c | usm]} {sec-level [noauth | authnopriv | priv]} {read-view [[hex <hex_read_view_name>] | <read_view_name>]} {write-view [[hex <hex_write_view_name>] | <write_view_name>]} {notify-view [[hex <hex_notify_view_name>] | <notify_view_name>]} {volatile}

The view names associated with a group define a subset of the MIB (subtree) that can be accessed by members of the group. The read view defines the subtree that can be read, write view defines the subtree that can be written to, and notify view defines the subtree that notifications can originate from.

Displaying SNMPv3 Groups


A number of default (permanent) groups are already defined. These groups are: admin, initial, v1v2c_ro, v1v2c_rw. To display information about the access configuration of a group or all groups, type the following command:
show snmpv3 access {[[hex <hex_group_name>] | <group_name>]}

Associating Users with SNMPv3 Groups


Users are associated with groups by entering the following command:
configure snmpv3 add group [[hex <hex_group_name>] | <group_name>] user [[hex <hex_user_name>] | <user_name>] {sec-model [snmpv1| snmpv2c | usm]} {volatile}
To show which users are associated with a group, enter the following command:
show snmpv3 group {[[hex <hex_group_name>] | <group_name>] {user [[hex <hex_user_name>] | <user_name>]}}

Deleting an SNMPv3 Group


To delete a group, type the following command:
configure snmpv3 delete access [all-non-defaults | {[[hex <hex_group_name>] | <group_name>] {sec-model [snmpv1 | snmpv2c | usm] sec-level [noauth | authnopriv | priv]}}]

When you delete a group, you do not remove the association between the group and users of the group. To delete the association between a user and a group, type the following command:
configure snmpv3 delete group {[[hex <hex_group_name>] | <group_name>]} user [all-non-defaults | {[[hex <hex_user_name>] | <user_name>] {sec-model [snmpv1 | snmpv2c | usm]}}]


Figure 28: Displaying SNMPv3 Groups


SNMP Security Models and Levels


For compatibility, SNMPv3 supports three security models:

SNMPv1 - no security
SNMPv2c - community-string-based security
SNMPv3 - USM security

The default is USM. You can select the security model based on the network manager in your network. The three security levels supported by USM are:

noAuthnoPriv - No authentication, no privacy. This is the case with existing SNMPv1/v2c agents.
AuthnoPriv - Authentication, no privacy. Messages are tested only for authentication.
AuthPriv - Authentication, privacy. This represents the highest level of security and requires every message exchange to pass the authentication and encryption tests.

When a user is created, an authentication method is selected, and the authentication and privacy passwords or keys are entered. When MD5 authentication is specified, HMAC-MD5-96 is used to achieve authentication with a 16-octet key, which generates a 128-bit authorization code. This authorization code is inserted in the msgAuthenticationParameters field of SNMPv3 PDUs when the security level is specified as either AuthnoPriv or AuthPriv. Specifying SHA authentication uses the HMAC-SHA protocol with a 20-octet key for authentication. For privacy, a 16-octet key is provided as input to the DES-CBC encryption protocol, which generates an encrypted PDU to be transmitted. DES uses bytes 1-7 to make a 56-bit key. This key (encrypted itself) is placed in msgPrivacyParameters of SNMPv3 PDUs when the security level is specified as AuthPriv.
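The following is an added example, not code from the student guide or from ExtremeWare XOS. It shows where the 16-octet (MD5) and 20-octet (SHA) keys mentioned above come from and how the authentication code is produced and checked, following the USM procedures of RFC 3414: the password is stretched and hashed into a key, the key is then localized to one engine ID, and the HMAC over the message is truncated to its first 96 bits (12 octets), which is what the "-96" suffix denotes, before it is placed in msgAuthenticationParameters. The engine ID and password are the RFC 3414 Appendix A example values; the message bytes are constructed for the demo and are not a real BER-encoded SNMPv3 PDU.

```python
"""USM authentication keys and the HMAC-96 check (RFC 3414).

Added example, not ExtremeWare XOS code. It shows how the passwords
entered for a user become the 16-octet (MD5) or 20-octet (SHA) keys the
text mentions, how the key is tied to one engine, and how the truncated
HMAC that fills msgAuthenticationParameters is produced and verified.
"""
import hashlib
import hmac

PASSWORD_STRETCH = 1048576          # password repeated to 1 MiB before hashing
AUTH_PARAMS_LEN = 12                # "-96" means 96 bits = 12 octets are sent
HASHES = {"md5": "md5", "sha": "sha1"}

# Engine ID from the RFC 3414 Appendix A example (a constructed demo value)
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: digest of the password repeated to PASSWORD_STRETCH octets."""
    pw = password.encode()
    reps, rem = divmod(PASSWORD_STRETCH, len(pw))
    return hashlib.new(HASHES[algorithm], pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key that only this engine shares."""
    return hashlib.new(HASHES[algorithm], ku + engine_id + ku).digest()


def auth_params(message: bytes, auth_key: bytes, algorithm: str) -> bytes:
    """msgAuthenticationParameters: the first 12 octets of the HMAC.

    In the protocol the HMAC covers the whole message with the parameter
    field itself set to 12 zero octets; the caller passes that zeroed form.
    """
    digest = hmac.new(auth_key, message, HASHES[algorithm]).digest()
    return digest[:AUTH_PARAMS_LEN]


def verify_auth(message: bytes, params: bytes, auth_key: bytes, algorithm: str) -> bool:
    """Receiver-side check; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(auth_params(message, auth_key, algorithm), params)


def des_key_material(priv_kul: bytes) -> tuple:
    """Split a 16-octet localized privacy key as DES-CBC in USM does.

    The first 8 octets are the DES key (DES ignores each octet's parity
    bit, leaving 56 effective bits); the last 8 are the pre-IV that, with
    the salt, forms the CBC IV.
    """
    return priv_kul[:8], priv_kul[8:16]


def demo(algorithm: str = "md5") -> dict:
    """Derive keys for one user and run the authentication check once."""
    ku = password_to_key("maplesyrup", algorithm)
    kul = localize_key(ku, ENGINE_ID, algorithm)
    # constructed stand-in for an SNMPv3 message with the auth field zeroed
    message = b"\x30\x81\x00constructed-snmpv3-message" + b"\x00" * AUTH_PARAMS_LEN
    params = auth_params(message, kul, algorithm)
    tampered = message.replace(b"message", b"mess4ge")   # one byte changed in flight
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "key_octets": len(kul),
        "params": params.hex(),
        "verified": verify_auth(message, params, kul, algorithm),
        "tampered_verified": verify_auth(tampered, params, kul, algorithm),
    }


if __name__ == "__main__":
    for alg in ("md5", "sha"):
        print(alg, demo(alg))
```

Two points worth noticing when running it: the localized key differs per engine ID, so a password shared across switches still yields a different key on each, and the tampered message fails verification while the unmodified one passes, which is the property AuthnoPriv adds over noAuthnoPriv.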

SNMP Security Models
SNMPv1 - No security
SNMPv2c - Community-string-based security
SNMPv3 - USM security

Figure 29: SNMP Security Models

SNMPv3 Security Levels
noAuthnoPriv - No authentication, no privacy
AuthnoPriv - Authentication, no privacy
AuthPriv - Authentication, privacy

Figure 30: SNMPv3 Security Levels

SNMPv3 MIB Access Control


SNMPv3 provides a fine-grained mechanism for defining which parts of the MIB can be accessed. This is referred to as the View-Based Access Control Model (VACM). MIB views represent the basic building blocks of VACM. They are used to define a subset of the information in the MIB. Access to read, to write, and to generate notifications is based on the relationship between a MIB view and an access group. The users of the access group can then read, write, or receive notifications from the part of the MIB defined in the MIB view as configured in the access group.

A view name, a MIB subtree/mask, and an inclusion or exclusion define every MIB view. For example, there is a System group defined under the MIB-2 tree. The Object Identifier (OID) for MIB-2 is 1.3.6.1.2, and the System group is defined as MIB-2.1.1, or directly as 1.3.6.1.2.1.1. To define a MIB view which includes only the System group, enter the following subtree/mask combination:
1.3.6.1.2.1.1/1.1.1.1.1.1.1.0

The mask can also be expressed in hex notation (this is used for the ExtremeWare XOS CLI):
1.3.6.1.2.1.1/fe

To define a view that includes the entire MIB-2, enter the following subtree/mask:
1.3.6.1.2.1.1/1.1.1.1.1.0.0.0

which, in the CLI, is:
1.3.6.1.2.1.1/f8

When you create the MIB view, you can choose to include the MIB subtree/mask or to exclude the MIB subtree/mask. To create a MIB view, enter the following command:
configure snmpv3 add mib-view [[hex <hex_view_name>] | <view_name>] subtree <object_identifier> {/<subtree_mask>} {type [included | excluded]} {volatile}

After the view has been created, you can repeatedly use the configure snmpv3 add mib-view command to include and/or exclude MIB subtree/mask combinations to precisely define the items you want to control access to.

Displaying MIB Views


In addition to the user-created MIB views, there are three default views. These default views are of storage type permanent and cannot be deleted, but they can be modified. The default views are: defaultUserView, defaultAdminView, and defaultNotifyView. To show MIB views, enter the following command:
show snmpv3 mib-view {[[hex <hex_view_name>] | <view_name>] {subtree <object_identifier>}}

To delete a MIB view, enter the following command:
configure snmpv3 delete mib-view [all-non-defaults | {[[hex <hex_view_name>] | <view_name>] {subtree <object_identifier>}}]

MIB views that are used by security groups cannot be deleted.


Figure 31: Displaying MIB Views


SNMPv3 Notification: Target Addresses


SNMPv3 can use either SNMPv1 traps or SNMPv2c notifications to send information from an agent to the network manager. The terms trap and notification are used interchangeably in this context. Notifications are messages sent from an agent to the network manager, typically in response to some state change on the agent system. With SNMPv3, you can define precisely which traps you want sent, and to which receiver, by defining filter profiles for the notification receivers.

To configure notifications, you configure a target address for the target that receives the notification, a target parameters name, and a list of notification tags. The target parameters specify the security and MP models to use for the notifications to the target. The target parameters name also points to the filter profile used to filter the notifications. Finally, the notification tags are added to a notification table so that any target addresses using that tag will receive notifications.

Configuring Target Address


A target address is similar to the earlier concept of a trap receiver. To configure a target address, enter the following command:
configure snmpv3 add target-addr [[hex <hex_addr_name>] | <addr_name>] param [[hex <hex_param_name>] | <param_name>] ipaddress [[<ip_address> {<netmask>}] | <ip_address>] {transport-port <port_number>} {from <src_ip_address>} {tag-list <tag_list>} {volatile}

In configuring the target address you supply an address name that identifies the target address, a parameters name that indicates the MP model and security for the messages sent to that target address, and the IP address and port for the receiver. The parameters name is also used to indicate the filter profile used for notifications. The from option sets the source IP address in the notification packets. The tag-list option allows you to associate a list of tags with the target address. The tag defaultNotify is set by default.

Displaying Target Addresses


To display target addresses, enter the following command:
show snmpv3 target-addr {[[hex <hex_addr_name>] | <addr_name>]}

Deleting Target Addresses


To delete a single target address or all target addresses, enter the following command:
configure snmpv3 delete target-addr [{[[hex <hex_addr_name>] | <addr_name>]} | all]


Figure 32: Configuring Target Address

Figure 33: Displaying Target Addresses


SNMPv3 Notification: Target Parameters


Target parameters specify the MP model, security model, security level, and user name (security name) used for messages sent to the target address. The target parameter name used for a target address points to a filter profile used to filter notifications. When you specify a filter profile, you associate it with a parameter name, so you must create different target parameter names if you use different filters for different target addresses. To create a target parameter name and to set the message processing and security settings associated with it, enter the following command:
configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex <hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}

Displaying Target Parameters


To display the options associated with a target parameters name or all target parameters names, enter the following command:
show snmpv3 target-params {[[hex <hex_target_params>] | <target_params>]}

Deleting Target Parameters


To delete one or all the target parameters, enter the following command:
configure snmpv3 delete target-params [{[[hex <hex_param_name>] | <param_name>]} | all]


Figure 34: Configuring Target Parameters

Figure 35: Displaying Target Parameters


SNMPv3 Notification: Filter Profiles and Filters


A filter profile is a collection of filters that specifies which notifications should be sent to a target address. A filter is defined by a MIB subtree and mask and by whether that subtree and mask is included or excluded from notification. When you create a filter profile, you are associating only a filter profile name with a target parameter name. The filters that make up the profile are created and associated with the profile using a different command. To create a filter profile, enter the following command:
configure snmpv3 add filter-profile [[hex <hex_profile_name>] | <profile_name>] param [[hex <hex_param_name>] | <param_name>] {volatile}

After the profile name has been created, you associate filters with it using the following command:
configure snmpv3 add filter [[hex <hex_profile_name>] | <profile_name>] subtree <object_identifier> {/<subtree_mask>} type [included | excluded] {volatile}

You can add filters together, including and excluding different subtrees of the MIB until your filter meets your needs.
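Both MIB views (SNMPv3 MIB Access Control, earlier in this module) and the notification filters above are built from the same subtree/mask families, so one matching routine serves both. The following is an added example, not code from the student guide or from ExtremeWare XOS; it implements the family-matching rule of the VACM MIB (RFC 3415) and reproduces the two masks worked out in the view section (fe for the System group only, f8 for the wider tree). The sample views and probe OIDs are constructed for the example; sysName.0 and ifNumber.0 are standard MIB-2 objects and 1.3.6.1.6.3.15 is the USM MIB.

```python
"""Subtree/mask matching for SNMPv3 MIB views and notification filters.

Added example (not ExtremeWare XOS code). It reproduces the view-family
matching rule from the VACM MIB (RFC 3415): an OID belongs to a family when
it is at least as long as the family's subtree and, for every subtree
position whose mask bit is 1, the sub-identifiers are equal; mask bit 0
makes that position a wildcard. Masks are given either in the dotted-bit
form used in the text or in the hex form used by the CLI.
"""
from typing import List, Optional, Sequence, Tuple

# A view (or filter profile) is a list of families:
# (subtree, mask, included). These are constructed for the example.
Family = Tuple[str, str, bool]

# "System group only": 1.3.6.1.2.1.1 with mask fe (all seven positions fixed)
SYSTEM_ONLY_VIEW: List[Family] = [("1.3.6.1.2.1.1", "fe", True)]

# Mask f8 leaves positions 6 and 7 as wildcards, so 1.3.6.1.2.x.y matches
MGMT_WIDE_VIEW: List[Family] = [("1.3.6.1.2.1.1", "f8", True)]

# System group, but with sysContact (1.3.6.1.2.1.1.4) carved out by an
# excluded family; the longer subtree wins where both match
NO_CONTACT_VIEW: List[Family] = [
    ("1.3.6.1.2.1.1", "fe", True),
    ("1.3.6.1.2.1.1.4", "ff", False),
]


def parse_oid(text: str) -> List[int]:
    """'1.3.6.1.2.1.1' -> [1, 3, 6, 1, 2, 1, 1]."""
    return [int(part) for part in text.strip(".").split(".") if part]


def parse_mask(mask: str, length: int) -> List[int]:
    """Expand a mask to one bit per subtree position.

    Dotted form ('1.1.1.1.1.0.0.0') lists bits directly; hex form ('f8')
    is read most-significant bit first, an odd number of hex digits being
    padded with a trailing zero nibble. Positions the mask does not cover
    default to 1 (must match); bits beyond the subtree are ignored.
    """
    if "." in mask:
        bits = [int(b) for b in mask.split(".")]
    else:
        if len(mask) % 2:
            mask += "0"
        raw = bytes.fromhex(mask)
        bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def in_family(oid: Sequence[int], subtree: Sequence[int], bits: Sequence[int]) -> bool:
    """True when oid lies under subtree, honouring wildcard (0) mask bits."""
    if len(oid) < len(subtree):
        return False
    return all(bit == 0 or o == s for o, s, bit in zip(oid, subtree, bits))


def oid_in_view(oid_text: str, view: Sequence[Family]) -> bool:
    """Decide whether an OID is visible through a view.

    Among the families that match, the one with the longest subtree wins;
    for equal lengths the lexicographically greater mask wins (RFC 3415
    tie-break). The winner's included/excluded flag is the answer; an OID
    matching no family is not in the view.
    """
    oid = parse_oid(oid_text)
    best: Optional[Tuple[Tuple[int, List[int]], bool]] = None
    for subtree_text, mask_text, included in view:
        subtree = parse_oid(subtree_text)
        bits = parse_mask(mask_text, len(subtree))
        if in_family(oid, subtree, bits):
            rank = (len(subtree), bits)
            if best is None or rank > best[0]:
                best = (rank, included)
    return best is not None and best[1]


if __name__ == "__main__":
    # probes: sysName.0, ifNumber.0, and an object under the USM MIB
    for probe in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.1.0", "1.3.6.1.6.3.15.1.1.1.0"):
        print(probe,
              "system-only:", oid_in_view(probe, SYSTEM_ONLY_VIEW),
              "mgmt-wide:", oid_in_view(probe, MGMT_WIDE_VIEW))
```

The f8 case is worth tracing by hand: with positions 6 and 7 wildcarded, an interface object such as ifNumber.0 (1.3.6.1.2.1.2.1.0) is inside the view even though the configured subtree names the System group, which is exactly why the text pairs that mask with the wider tree. The same routine applied to a filter profile tells you which notification OIDs a target will receive.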

Displaying SNMPv3 Notification


To display the association between parameter names and filter profiles, enter the following command:
show snmpv3 filter-profile {[[hex <hex_profile_name>] | <profile_name>]} {param [[hex <hex_param_name>] | <param_name>]}

To display the filters that belong to a filter profile, enter the following command:
show snmpv3 filter {[[hex <hex_profile_name>] | <profile_name>] {{subtree} <object_identifier>}}

Deleting and Removing SNMPv3 Filters


To delete a filter or all filters from a filter profile, enter the following command:
configure snmpv3 delete filter [all | [[hex <hex_profile_name>] | <profile_name>] {subtree <object_identifier>}]

To remove the association of a filter profile or all filter profiles with a parameter name, enter the following command:
configure snmpv3 delete filter-profile [all | [[hex <hex_profile_name>] | <profile_name>] {param [[hex <hex_param_name>] | <param_name>]}]

Filter Profile - Collection of filters specifying which notifications are sent to a target address
Filter - Identifies a MIB subtree and mask and determines whether that subtree and mask is included in or excluded from notification
Possible to combine filters together, selectively including or excluding different subtrees of the MIB

Figure 36: SNMPv3 Notification: Filter Profiles and Filters

SNMPv3 Notification: Tags


When you create a target address, either you associate a list of notification tags with the target or by default, the defaultNotify tag is associated with the target. When the system generates notifications, only those targets associated with tags currently in the standard MIB table, called snmpNotifyTable, are notified. To add an entry to the table, enter the following command:
configure snmpv3 add notify [[hex <hex_notify_name>] | <notify_name>] tag [[hex <hex_tag>] | <tag>] {volatile}

Any targets associated with tags in the snmpNotifyTable are notified, based on the filter profile associated with the target.

Displaying SNMPv3 Notification Tags


To display the notifications that are set, enter the following command:
show snmpv3 notify {[[hex <hex_notify_name>] | <notify_name>]}

Deleting SNMPv3 Notification Tags


To delete an entry from the snmpNotifyTable, enter the following command:
configure snmpv3 delete notify [{[[hex <hex_notify_name>] | <notify_name>]} | all-non-defaults]

You cannot delete the default entry from the table, so any targets configured with the defaultNotify tag will always receive notifications consistent with any filter profile specified.

Configuring Notifications
Because the target parameters name points to a number of objects used for notifications, configure the target parameter name entry first. You can then configure the target address, filter profiles and filters, and any necessary notification tags.


Figure 37: Configuring and Displaying SNMPv3 Notification Tags


Secure Shell 2 (SSH2)


Regular Telnet session data is sent in the clear, allowing anyone with a packet sniffer tool to view the IP packets. Secure Shell 2 (SSH2) is a feature that allows you to encrypt Telnet session data between an SSH2 client and the SSH2 server that resides on the switch. Configuration and policy files may also be transferred to the switch using the Secure Copy Protocol 2 (SCP2) or the Secure File Transfer Protocol (SFTP). Beginning with ExtremeWare XOS 11.2, you can also use SSH2 to connect to other devices from the switch. The ExtremeWare XOS CLI provides a command that enables the switch to function as an SSH2 client, sending commands to a remote system via an SSH2 session. The ExtremeWare XOS SSH2 switch application also works with the SSH2 client (version 2.x or later) from SSH Communication Security, and with the OpenSSH client (version 2.5 or later). The SFTP file transfer protocol is required for file transfer using SCP2.

SSH2 Module Request


SSH2 functionality is not present in the base ExtremeWare XOS software image, but is available as an additional, installable module. Before you can access any SSH2 commands, you must install this additional software module. Without the software module, the SSH2 commands do not appear on the command line. As a result of SSH2 being under U.S. export restrictions, you must request the SSH2 module from Extreme Networks before you can enable SSH2 on the switch. The procedure for this can be found on the Extreme Networks e-support website.
http://www.extremenetworks.com/go/security.htm

Encrypts Telnet session data between SSH2 client and SSH2 server residing on the switch
Requires SSH2 software module
Supports 3DES and Blowfish encryption standards

[Diagram: SSH client and SSH server stacks, each showing the SSH connection, SSH authentication, and SSH transport layers over TCP/IP or IPX/SPX, connected by Ethernet]

Figure 38: Secure Shell 2 (SSH2)

Installing the SSH2 Module


In addition to the functionality available in the ExtremeWare XOS core image, you can add functionality to your switch by installing modular software packages. Modular software packages are contained in files named with the file extension .xmod, while the core images use the file extension .xos. Modular software packages are built at the same time as core images and are designed to work in concert with the core image, so the version number of a modular software package must match the version number of the core image that it will be running with. The modular software package for Secure Shell (SSH) is named as follows:
bd10K-11.2.0.18-ssh.xmod

can run only with the core image named:


bd10K-11.2.0.18.xos

You can install a modular software package on the active partition or on the inactive partition. You would install on the active partition if you want to add the package functionality to the currently running core image without having to reboot the switch. You would install on the inactive partition if you want the functionality available after a switch reboot. Downloading a new image involves the following steps:

Loading the new module onto a TFTP server on your network (if you are using TFTP).
Loading the new module onto an external compact flash memory card (if you are using the external compact flash slot). This method is available only on modular switches. For more information about installing the external compact flash memory card into the external compact flash slot of the MSM, please refer to the Extreme Networks Consolidated XOS Hardware Installation Guide.
Selecting the partition to use when downloading an image.
Downloading the module to the switch.

To download the module to the switch, enter the following command:
download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>}

Before the download begins, the switch asks if you want to install the module immediately after the download is finished. If you install the module to the active partition, you must reboot the switch. If you install the module to the inactive partition, you do not need to reboot the switch. Enter y to install the image after download. Enter n to install the image at a later time.

Download SSH2 Module to the Switch:
download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>}

Figure 39: Installing the SSH2 Module

Activating the Installed Modular Software Package


If you download and install the software module on the active partition, the switch automatically reboots after the download and installation is completed. The following message appears when downloading and installing on the active partition:
Image will be installed to the active partition, a reboot required. Do you want to continue? (y or n)

Enter y to continue the installation and reboot the switch. Enter n to cancel. If you install the module at a later time, the module is still downloaded and saved to the switch, but you must enter the following command to install the software:
install image <fname> {<partition>} {msm <slotid>} {reboot}

NOTE
Unlike ExtremeWare, the download image command in ExtremeWare XOS causes the switch to use the newly downloaded software image during the next switch reboot. To modify or reset the software image used during a switch reboot, issue the use image command.

You activate the installed modular software package either by rebooting the switch or by entering the following command:
run update

Uninstalling the Module


You can uninstall packages by issuing the following command:
uninstall image <fname> <partition> {msm <slotid>} {reboot}

Reboot the switch or type:
run update

Figure 40: Activating the Installed Module

Private Key, Public Key, and Host Key


SSH2 session establishment relies on keys that are exchanged between an SSH2 client and SSH2 server. Three keys are used in SSH2: private key, public key, and host key. In public-key authentication, public-private key pairs are used to identify a user to an SSH2 server. A user creates both a public and private key, and then transfers a copy of the public key to the SSH2 server to which the user wants secure access. The public and private keys must be correct for the server to allow the connection.

A private key is one of two keys used in public-key encryption. The user keeps the private key secret and uses it to encrypt outgoing messages and decrypt incoming messages. The private key is stored on the user's local machine and is used to verify the identity of the user when the user attempts to connect to the SSH2 server.

A public key is one of two keys used in public-key encryption. The user releases a copy of this key to the public to allow anyone to use it for encrypting messages to be sent to the user and for decrypting messages received from the user.

A host key is the public key in a public-private key pair that is used to identify a server to a client in SSH2 connections. The SSH2 client saves the host key in a database. When a client connects to a server, the server sends a host key to the client (the server keeps the private key secret). The first time the client connects to a server, the client's user is asked if they want to save the host key. If the user chooses to save the host key, the client adds the key to its host key database. Each time the client connects to that server, the client expects to receive the same key. If the server sends a different host key, the client is alerted to the fact that there may be a problem, which could be anything from a corrupt key file to a fraudulent server. The client then takes the action that it is required to accept or reject the connection.
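The host-key database behaviour described above, as an added example that is not code from the student guide, from ExtremeWare XOS, or from any real SSH client: the client records the key on first contact (if the user accepts it), expects the same key on every later connection, and raises a mismatch when a different key arrives. The host keys are constructed byte strings rather than real SSH public keys; the fingerprint format is the SHA256:base64 form OpenSSH prints. When a mismatch is reported, the right response is to compare the presented fingerprint against the key shown on the switch console (the guide's show configuration output), not to let the client overwrite its record.

```python
"""Host-key database handling on an SSH2 client (added example).

Not ExtremeWare XOS or any SSH client's real code; it models the behaviour
the text describes: save the host key the first time, expect the same key
afterwards, and alert when a different key arrives. Fingerprints use the
'SHA256:<base64>' form OpenSSH prints (the keys themselves are constructed
byte strings, not real SSH public keys).
"""
import base64
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for the public host key a switch would present
SWITCH_HOST_KEY = b"ssh-rsa constructed-host-key-of-switch-192.168.0.120"
DIFFERENT_HOST_KEY = b"ssh-rsa constructed-host-key-after-regeneration"


def fingerprint(host_key: bytes) -> str:
    """SHA-256 fingerprint, base64 without '=' padding, as OpenSSH shows it."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyDatabase:
    """In-memory equivalent of the client's known-hosts store."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}   # host -> fingerprint

    def check(self, host: str, presented_key: bytes, accept_new: bool) -> Tuple[str, str]:
        """Classify the key a server presented for `host`.

        Returns (verdict, fingerprint), where verdict is one of:
          'new'      first contact and the user accepted; key stored
          'declined' first contact and the user refused; nothing stored
          'match'    same key as before; connection may proceed
          'mismatch' different key; the client must not proceed silently,
                     and this method deliberately never overwrites the
                     stored key (that is a manual, out-of-band decision)
        """
        fp = fingerprint(presented_key)
        stored = self.known.get(host)
        if stored is None:
            if not accept_new:
                return "declined", fp
            self.known[host] = fp
            return "new", fp
        if stored == fp:
            return "match", fp
        return "mismatch", fp


def session(db: HostKeyDatabase, host: str, key: bytes, accept_new: bool = True) -> str:
    """One connection attempt: returns the verdict an operator would act on."""
    verdict, _ = db.check(host, key, accept_new)
    return verdict


if __name__ == "__main__":
    db = HostKeyDatabase()
    host = "192.168.0.120"
    print(session(db, host, SWITCH_HOST_KEY))        # first contact
    print(session(db, host, SWITCH_HOST_KEY))        # same key again
    print(session(db, host, DIFFERENT_HOST_KEY))     # key changed
```

A regenerated host key on the switch (configure ssh2 key run again) is the benign cause of a mismatch; the check cannot tell that apart from a server impersonating the switch, which is why the stored record is only replaced after the operator has confirmed the new fingerprint out of band.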

Three Keys Used In SSH2
Private Key - Stored locally with SSH2 client; used to verify user to SSH2 server; encrypts outgoing messages and decrypts incoming messages
Public Key - Released to the public by user; encrypts messages sent to user and decrypts messages from user
Host Key - Sent by SSH2 server to SSH2 client; SSH2 client saves host key

Figure 41: Three Keys Used In SSH2

Configuring SSH2
There are two steps in successfully configuring SSH2:
1 Generating the host key on the SSH2 server
2 Enabling SSH2 on the switch

An authentication key must be generated before the switch can accept incoming SSH2 sessions. To have the key generated by the switch, enter the following command:
configure ssh2 key

You are prompted to enter information to be used in generating the key; you should enter random letters and numbers. The key generation process takes approximately ten minutes. Once the key has been generated, you should save your configuration to preserve the host key. The key generation process generates the SSH2 private host key. The SSH2 public host key is derived from the private host key and is automatically transmitted to the SSH2 client at the beginning of an SSH2 session. To use a key that has been previously created, enter the following command:
configure ssh2 key pregenerated

You are then prompted to enter the previous key. It is recommended that you cut and paste in the previously generated host key.

NOTE
The pregenerated key must be one that was generated by the switch. To get such a key, you can use the command show configuration exsshd to display the key on the console. Copy the key to a text editor and remove the carriage return/line feeds from the key. Finally, copy and paste the key into the command line. The key must be entered as one line.

Enabling SSH2
To enable SSH2, enter the following command:
enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>} {vr [<vr_name> | all | default]}

To disable SSH2, enter the following command:
disable ssh2

You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22. Beginning with ExtremeWare XOS 11.2, the switch accepts IPv6 connections. Before you initiate a session from an SSH2 client, ensure that the client is configured for any non-default access list or TCP port information that you have configured on the switch. Once these tasks are accomplished, you may establish an SSH2-encrypted session with the switch. Clients must have a valid user name and password on the switch in order to log in to the switch after the SSH2 session has been established.


Figure 42: Configuring and Enabling SSH2


Using ACLs to Control SSH2 Access


You can restrict SSH2 access by creating and implementing an ACL policy. You configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the SSH2 port. There are two methods to load ACL policies to the switch:

Use the edit policy command to launch a VI-like editor on the switch. You can create the policy directly on the switch.
Use the tftp command to transfer a policy that you created using a text editor on another system to the switch.

Sample SSH2 Policies


The following are sample policies that you can apply to restrict SSH2 access.

MyAccessProfile.pol
For this example, the switch permits connections from the subnet 10.203.133.0/24 and denies connections from all other addresses.

MyAccessProfile_2.pol
In this example, the switch does not permit connections from the subnet 10.203.133.0/24 but accepts connections from all other addresses.

Configuring SSH2 to Use ACL Policies


This section assumes that you have already loaded the policy on the switch. To configure SSH2 to use an ACL policy to restrict access, enter the following command:
enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>} {vr [<vr_name> | all | default]}

Use the none option to remove a previously configured ACL.
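To see what the two sample policies decide for a given client address, here is an added example that is not code from the student guide and not the .pol file syntax itself. It models MyAccessProfile.pol and MyAccessProfile_2.pol as ordered permit/deny entries and evaluates a source address the way an ordered ACL is read, first matching entry wins. The probe addresses are constructed; the rule that an address matching no entry is denied is an assumption of the example, so confirm the product's documented default before relying on it.

```python
"""Evaluating an SSH2 access-profile against a client address (added example).

Not ExtremeWare XOS code and not the .pol file syntax; it models the two
sample policies from the text as ordered permit/deny entries and applies
them the way an ordered ACL is read: first matching entry decides. An
address matching no entry is denied (that default is an assumption of the
example).
"""
import ipaddress
from typing import Dict, List, Sequence, Tuple

Entry = Tuple[str, str]   # (action, network in CIDR form)

# MyAccessProfile.pol: allow 10.203.133.0/24, deny everything else
MY_ACCESS_PROFILE: List[Entry] = [
    ("permit", "10.203.133.0/24"),
    ("deny", "0.0.0.0/0"),
]

# MyAccessProfile_2.pol: block 10.203.133.0/24, allow everything else
MY_ACCESS_PROFILE_2: List[Entry] = [
    ("deny", "10.203.133.0/24"),
    ("permit", "0.0.0.0/0"),
]


def evaluate(policy: Sequence[Entry], source_ip: str) -> str:
    """Return 'permit' or 'deny' for source_ip under the ordered policy."""
    addr = ipaddress.ip_address(source_ip)
    for action, cidr in policy:
        network = ipaddress.ip_network(cidr, strict=False)
        # an IPv6 client never matches an IPv4 entry, and vice versa
        if addr.version == network.version and addr in network:
            return action
    return "deny"   # implicit deny when no entry matches (assumption)


def evaluate_many(policy: Sequence[Entry], sources: Sequence[str]) -> Dict[str, str]:
    """Map each source address to the decision the policy yields."""
    return {ip: evaluate(policy, ip) for ip in sources}


if __name__ == "__main__":
    probes = ["10.203.133.42", "10.203.134.1", "192.168.0.5"]   # constructed
    print("MyAccessProfile.pol  ", evaluate_many(MY_ACCESS_PROFILE, probes))
    print("MyAccessProfile_2.pol", evaluate_many(MY_ACCESS_PROFILE_2, probes))
```

The order of entries is what carries the meaning: swapping the two lines of MyAccessProfile.pol would make the catch-all deny match first and lock every client out, which is the usual mistake to test for before applying a profile to the management port.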


Figure 43: MyAccessProfile.pol

Figure 44: MyAccessProfile_2.pol


Logging in with SSH2 Client


SSH2 Connection Settings
Now that the SSH2 server on the switch has been configured and enabled, you can log in using an SSH2 client. Make sure your SSH2 connection settings are correct for:

Host: IP address of the switch
Service: SSH selected
TCP port: SSH default port number is 22

Host Key Acceptance


After the SSH2 client establishes a connection with the SSH2 server, you are asked if you want to accept the SSH2 server host key. You must accept the host key.

Valid User and Password Entry


Once the host key is accepted, you are asked to enter a valid switch username and password to complete the SSH2 logon.


Figure 45: SSH2 connection settings

Figure 46: Host Key Acceptance


Secure Copy Protocol 2 (SCP2)


In ExtremeWare XOS version 11.0 or later, the SCP2 protocol is supported for transferring configuration and policy files to the switch from the SCP2 client. The user must have administrator-level access to the switch. The switch can be specified by its switch name or IP address. ExtremeWare XOS only allows SCP2 to transfer to the switch files named as follows:

*.cfg - ExtremeWare XOS configuration files
*.pol - ExtremeWare XOS policy files

In the following examples, you are using a Linux system to move files to and from the switch at 192.168.0.120, using the switch administrator account admin. You are logged into your Linux system as user. To transfer the primary configuration file from the switch to your current Linux directory using SCP2, enter the following command:
[user@linux-server]# scp2 admin@192.168.0.120:/config/primary.cfg primary.cfg

To copy the policy file test.pol from your Linux system to the switch, enter the following command:
[user@linux-server]# scp2 test.pol admin@192.168.0.120:/config/test.pol

Uses SSH2 protocol for data transfers and authentication
Requires admin-level access to switch
Corrupts uploaded configuration files

Figure 47: Secure Copy Protocol 2 (SCP2)

Switch as SSH2 Client


Beginning with ExtremeWare XOS 11.2, an Extreme Networks switch can function as an SSH2 client. This means you can connect from the switch to a remote device running an SSH2 server and send commands to that device. You can also use SCP2 to transfer files to and from the remote device. You do not need to enable SSH2 or generate an authentication key to use the SSH2 and SCP2 commands from the ExtremeWare XOS CLI.

NOTE
The BlackDiamond 8800 family of switches and the Summit X450 switch do not support user-created VRs.

To send commands to a remote system using SSH2, enter the following command:
ssh2 {cipher [3des | blowfish]} {port <portnum>} {compression [on | off]} {user <username>} {debug <debug_level>} {<username>@} [<host> | <ipaddress>] {<remote command>} {vr <vr_name>}

The remote commands can be any command acceptable by the remote system. You can specify the login user name as a separate argument or as part of the user@host specification. If the login user name for the remote system is the same as your user name on the switch, you can omit the username parameter entirely. For example, to obtain a directory listing from a remote Linux system with IP address 10.10.0.2 using SSH2, enter the following command:
ssh2 admin@10.10.0.2 ls

To initiate a file copy from a remote system to the switch using SCP2, enter the following command:
scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <user>@[<hostname> | <ipaddress>]:<remote_file> <local_file> {vr <vr_name>}

For example, to copy the configuration file test.cfg on host system1 to the switch, enter the following command:
scp2 admin@system1:/config/test.cfg localtest.cfg

To initiate a file copy to a remote system from the switch using SCP2, enter the following command:
scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <local_file> <user>@[<hostname> | <ipaddress>]:<remote_file> {vr <vr_name>}

For example, to copy the configuration file engineering.cfg from the switch to host system1, enter the following command:
scp2 engineering.cfg admin@system1:/config/engineering.cfg


Figure 48: Switch as SSH2 Client


Verifying SSH2
Troubleshooting SSH2 requires you to look at the SSH2 server (switch) and the SSH2 client (remotely connected PC). You can start the SSH2 troubleshooting process by verifying that SSH2 is set up and configured correctly on the switch. To verify that the host key generation is valid, enter the following command:
show management

The SSH Access field should indicate key valid and specify the enabled TCP port number.


Figure 49: Verifying SSH2


Troubleshooting SSH2
To view the full generated SSH2 host key, enter the following command:

show configuration

When SSH2 sessions are not set up properly, the syslog can provide SSH-related information. To view the log, enter the following command:

show log

If SSH2 is correctly configured and enabled on the switch, look at the SSH2 client setup. Consult the documentation that accompanies the SSH2 client software, and verify that the following are correct and valid:

  The SSH2 client is using a valid user name and password for the switch
  The SSH2 host IP address and other SSH2 connection settings

If the switch host key has been regenerated since the client last connected, the client reports a changed host key and may refuse to connect. Confirm the new key fingerprint out of band (for example, from the console using show configuration) before accepting it; do not train users to accept changed host keys blindly, because that is exactly what a man-in-the-middle attack looks like.


Figure 50: show configuration

Figure 51: show log


Secure Socket Layer (SSL)

Secure Sockets Layer (SSLv3) is a feature of ExtremeWare XOS that authenticates the server and encrypts data over an SSL connection to provide secure communication. The existing web server in ExtremeWare XOS allows HTTP clients to access the network login page. By using HTTPS on the web server, clients access the network login page securely with an HTTPS-enabled web browser. Because SSL encrypts the data exchanged between the server and the client, you protect your data, including network login credentials, from exposure on the wire.

HTTPS access is provided through SSL and Transport Layer Security (TLS 1.0). These protocols let clients verify the authenticity of the server to which they are connecting, which protects users from handing their credentials to an impostor. That protection only holds if the client actually validates the certificate: a browser that has been trained to click through warnings on a self-signed switch certificate gets no server authentication from SSL at all.

Similar to SSH2, before you can use any SSL commands, you must first download and install the separate Extreme Networks SSH software module (ssh.xmod). This additional module allows you to configure both SSH2 and SSL on the switch. SSL is packaged with the SSH module; if you do not install the module, you cannot configure SSL. If you try to execute SSL commands without installing the module first, the switch notifies you to download and install the module.

You must generate or upload a certificate for SSL server use. A self-signed certificate and key can be generated on the switch itself; to upload a CA-signed certificate, you must first obtain one from a certificate authority. The following security algorithms are supported:

  RSA for public key cryptography (generation of the certificate and public/private key pair, certificate signing). RSA key size between 1024 and 4096 bits.
  Symmetric ciphers (for data encryption): RC4, DES, and 3DES.
  Message Authentication Code (MAC) algorithms: MD5 and SHA.

Of these, 56-bit DES and RC4 are no longer considered secure and MD5 is a weak hash; 3DES with SHA is the strongest combination on this list, and an RSA key of at least 2048 bits should be used. Treat the switch's HTTPS listener as a management interface and restrict which networks can reach it.


Figure 52: Secure Socket Layer (SSL)

  Data authentication
  Data encryption
  Used for HTTPS access
  Requires the SSH2 software module


Enabling and Disabling SSL


This section describes how to enable and disable SSL on your switch. Keep the following guidelines in mind when using SSL:

  To use SSL with web-based login (secure HTTP access, HTTPS), you must specify the HTTPS protocol when configuring the redirect URL.
  If you are downloading the SSH module for the first time and want to use SSL for secure HTTPS web-based login immediately, restart the http process after installing the SSH module.

To enable SSL and allow secure HTTP (HTTPS) access on the default port (443), enter the following command:

enable web https

To disable SSL and HTTPS, enter the following command:

disable web https

Once HTTPS is working, consider turning off unencrypted HTTP access to the switch so that login credentials are never offered over a cleartext path.

NOTE
Prior to ExtremeWare XOS 11.2, the Extreme Networks SSH module did not include SSL. To use SSL for secure HTTPS web-based login, you must upgrade your core software image to ExtremeWare XOS 11.2 or later, install the SSH module that matches that core software image, and reboot the switch.

Creating Certificates and Private Keys


When you generate a certificate, the certificate is stored in the configuration file and the private key is stored in the EEPROM. The generated certificate is in PEM format. To create a self-signed certificate and private key that can be saved in the EEPROM, enter the following command:

configure ssl certificate privkeylen <length> country <code> organization <org_name> common-name <name>

Make sure to specify the following:

  Country code (maximum of 2 characters)
  Organization name (maximum of 64 characters)
  Common name (maximum of 64 characters)

Set the common name to the host name or address that users will type into their browser; otherwise browsers report a name mismatch even when they trust the certificate.

Any existing certificate and private key is overwritten. The size of the certificate depends on the RSA key length (privkeylen) and on the length of the other parameters (country, organization name, and so forth) that you supply. With a 1024-bit RSA key the certificate is approximately 1 KB; with a 4096-bit key the certificate is approximately 2 KB and the private key approximately 3 KB.


Figure 53: Enabling SSL


Downloading a Certificate Key from a TFTP Server


You can download a certificate from a file stored on a TFTP server. If the operation is successful, any existing certificate is overwritten. After a successful download, the software attempts to match the public key in the certificate against the stored private key. If the private and public keys do not match, the switch displays a warning message similar to the following:

Warning: The Private Key does not match with the Public Key in the certificate.

This warning acts as a reminder to also download the private key. Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration. Once you issue the save command, the downloaded certificate is stored in the configuration file and the private key is stored in the EEPROM. To download a certificate from a file stored on a TFTP server, enter the following command:

download ssl <ip_address> certificate <cert file>

NOTE
For security reasons, you can only download a certificate in the VR-Mgmt virtual router.

TFTP is neither authenticated nor encrypted. That is acceptable for the certificate, which is public, but it means the file could be altered in transit; compare the certificate details reported by show ssl with the certificate you intended to install before you save the configuration.

Displaying SSL Information

To see whether the private key matches the public key stored in the certificate, enter the following command:

show ssl

This command also displays:

  The configured HTTPS port. This is the port on which clients connect.
  The length of the RSA key (the number of bits used to generate the private key).
  Basic information about the stored certificate.


Figure 54: Displaying SSL Information


Downloading a Private Key from a TFTP Server


To download a private key from a file stored on a TFTP server, enter the following command:

download ssl <ip_address> privkey <key file>

If the operation is successful, the existing private key is overwritten. After the download, a check is performed to find out whether the downloaded private key matches the public key stored in the certificate. If the private and public keys do not match, the switch displays a warning message similar to the following:

Warning: The Private Key does not match with the Public Key in the certificate.

This warning acts as a reminder to also download the corresponding certificate.

NOTE
For security reasons, when supplying private keys, Extreme Networks recommends obtaining a pre-generated key rather than downloading a private key from a TFTP server. TFTP carries the key in cleartext across the network, and anyone who captures it can impersonate the switch's HTTPS server for as long as that certificate remains in use.

Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration. Once you issue the save command, the downloaded certificate is stored in the configuration file and the private key is stored in the EEPROM.

Configuring Pre-generated Certificates and Keys


To supply a pre-generated certificate from the user, enter the following command:

configure ssl certificate pregenerated

You can then copy and paste the certificate into the command line, followed by a blank line to end the command. This command is also used when downloading or uploading the configuration. Do not modify the certificate stored in the uploaded configuration file, because the certificate is signed with the issuer's private key and any change invalidates the signature.

To supply a pre-generated private key from the user, enter the following command:

configure ssl privkey pregenerated

You can then copy and paste the key into the command line, followed by a blank line to end the command. This command is also used when downloading or uploading the configuration. The private key is stored in the EEPROM. Both the certificate and the private key must be in PEM format and generated with RSA as the public key algorithm. Paste the private key only over a session that is itself protected (SSH2 or the serial console), never over Telnet, which would expose the key on the wire.


Figure 55: Configuring Switch to Receive Pregenerated SSL Certificate from User


Authenticating Users Logging into Switch


ExtremeWare XOS provides three methods to authenticate users who log in to the switch:

  RADIUS
  TACACS+
  Local database of accounts and passwords

RADIUS, TACACS+, the local database of accounts and passwords, and SSH are management access security features that control access to the management functions available on the switch. These features help ensure that configuration changes to the switch can be made only by authorized users.

RADIUS versus TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary AAA implementation similar in function to RADIUS.

Table 1: Differences between RADIUS and TACACS+

CPU cycle and memory demands
  RADIUS: Low
  TACACS+: High

Transport protocol
  RADIUS: UDP, best-effort delivery. Default port 1645 (early deployments) or 1812 (RFC 2865).
  TACACS+: TCP, connection oriented. Default port 49.

Encryption
  RADIUS: Only the password in the Access-Request packet is hidden (MD5-based obfuscation keyed by the shared secret). The rest of the packet, including the user name, authorized services, and accounting fields, is sent in the clear.
  TACACS+: The entire packet body is encrypted; only the header is in the clear.

AAA protocol
  RADIUS: Industry standard.
  TACACS+: Cisco proprietary.

AAA architecture
  RADIUS: Combines authentication and authorization. The Access-Accept packet sent by the server to the client carries the authorization information, which makes it difficult to decouple authentication from authorization.
  TACACS+: Separates authentication, authorization, and accounting, so the services can be spread over multiple servers. For example, it is possible to use Kerberos for authentication and a TACACS+ server for authorization and accounting.

Legacy protocol support
  RADIUS: Not listed.
  TACACS+: AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, X.25 PAD connections.

NOTE
RADIUS and TACACS+ cannot be active at the same time on an Extreme Networks switch.


Figure 56: Authenticating Users Logging into Switch

  RADIUS
  TACACS+
  Local database of accounts and passwords


RADIUS
The RADIUS protocol was developed by Livingston Enterprises, Inc. as an access authentication, authorization, and accounting (AAA) protocol. The RADIUS specification is described in RFC 2138 and its successor RFC 2865.

  Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, or router.
  Authorization: The act of granting access rights to a user, group of users, system, or process.
  Accounting: The methods used to establish who, or what, performed a certain action, such as tracking user connections and logging system users.

RADIUS is a client/server protocol, with the Extreme Networks switch as the client. The RADIUS client is known as a Network Access Server (NAS). The RADIUS server is usually a daemon process running on a UNIX or Windows machine. The client passes user information to the designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver services to the user.

The user's password is hidden with an MD5-based XOR stream keyed by the shared secret (RFC 2865, section 5.2). This is obfuscation rather than authenticated encryption: the user name and every other attribute travel in the clear, and an attacker who captures an exchange can test candidate shared secrets offline. Use long, random shared secrets and keep RADIUS traffic on a protected management network.

Communication between a client (NAS) and a RADIUS server uses the connectionless User Datagram Protocol (UDP). Retransmission and failover to an alternate server are therefore handled by the RADIUS-enabled devices themselves rather than by the transport protocol.

The RADIUS implementation can be used to perform per-command authentication, allowing you to define several levels of user capability by controlling the permitted command sets based on the RADIUS user name and password. You do not need to configure any additional switch parameters to take advantage of this capability; the RADIUS server implementation automatically negotiates the per-command authentication capability with the switch.

RADIUS Packet Format

One RADIUS packet is encapsulated in the UDP data field, with UDP destination port 1645 (RFC 2138) or 1812 (RFC 2865). Early deployments of RADIUS used port 1645, which conflicts with the datametrics service; RFC 2865 therefore assigned port 1812.


Figure 57: Remote Authentication Dial-In User Service (RADIUS)

  Authentication, Authorization and Accounting (AAA) protocol
  Distributed access control with centrally stored authentication information
  Requires a RADIUS client (NAS) and a RADIUS server
  IP/UDP based
  Per-command authentication (server)


RADIUS Authentication Process


You define a primary and a secondary RADIUS server for the switch to contact. When a user attempts to log in using Telnet, HTTP, or the console, the request is relayed to the primary RADIUS server, and then to the secondary RADIUS server if the primary does not respond. If the RADIUS client is enabled but access to both the primary and secondary servers fails, the switch uses its local database for authentication. Beginning with ExtremeWare XOS 11.2, you can specify one pair of RADIUS servers for switch management and another pair for network login. The privileges assigned to the user (admin versus non-admin) at the RADIUS server take precedence over the configuration in the local switch database.

When a switch is configured to act as a RADIUS client, any user connecting to the switch presents their authentication information. The steps in the RADIUS authentication process are:

1 When the switch (client) obtains the authentication information, it creates an Access-Request. The Access-Request contains the following attributes:

  The user's name
  The user's password (hidden using the shared secret)
  The ID (client IP address) of the RADIUS client

2 The Access-Request is submitted to the RADIUS server over the network. If no response is returned within a set length of time, the request is resent. The client can also forward requests to a secondary RADIUS server if the primary RADIUS server is down or unreachable.

3 When the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret is silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request.

  If any condition is not met, the RADIUS server sends an Access-Reject response indicating that the user request is invalid.
  If all conditions are met, the RADIUS server sends an Access-Accept response indicating that the user request is valid.
  If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an Access-Challenge response.

4 If the RADIUS client receives an Access-Challenge and supports challenge/response, it prompts the user for a response. The client then resubmits the original Access-Request with a new request ID, with the User-Password attribute replaced by the response.

5 The server can respond to this new Access-Request with an Access-Accept, an Access-Reject, or another Access-Challenge.
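The following Python script is an added worked example written for this edition of the guide; it is not part of the original Extreme Networks course material, and it is not the switch's or any RADIUS server's code. It builds an RFC 2865 Access-Request the way the NAS does (User-Name in the clear, User-Password hidden with the shared secret), answers it the way a server does, and then verifies the Response Authenticator before mapping Service-Type 6 to read-write, exactly as described above and in Using RADIUS Servers with Extreme Networks Switches. The shared secret, the user database, the request ID and the client IP 10.10.0.1 are constructed example values.

```python
"""RFC 2865 Access-Request / Access-Accept exchange between a NAS (the switch)
and a RADIUS server: User-Password hiding, Response Authenticator checking
and the Service-Type 6 -> read-write mapping. The shared secret, user
accounts and client IP below are constructed example data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ADMINISTRATIVE_USER = 6   # the Service-Type value the switch maps to read-write

def attr(atype, value):
    """One attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request
    Authenticator. Reversible obfuscation keyed only by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_access_request(ident, user, password, nas_ip, secret):
    req_auth = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (attr(USER_NAME, user)   # User-Name travels in the clear
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request, secret, users):
    """Server side. users maps name -> (password, is_admin). With a wrong
    secret the recovered password is garbage, so the answer is a Reject."""
    code, ident, req_auth, attrs = parse(request)
    entry = users.get(attrs.get(USER_NAME))
    pw = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    if code != ACCESS_REQUEST or entry is None or not hmac.compare_digest(entry[0], pw):
        rcode, rattrs = ACCESS_REJECT, b""
    else:
        rcode = ACCESS_ACCEPT
        rattrs = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)) if entry[1] else b""
    resp_auth = response_authenticator(rcode, ident, req_auth, rattrs, secret)
    return packet(rcode, ident, resp_auth, rattrs)

def client_privilege(request, response, secret):
    """NAS side: verify the Response Authenticator with the shared secret
    before trusting the reply, then map Service-Type to a privilege level."""
    _, ident, req_auth, _ = parse(request)
    code, rident, resp_auth, attrs = parse(response)
    expected = response_authenticator(code, rident, req_auth, response[20:], secret)
    if rident != ident or not hmac.compare_digest(resp_auth, expected):
        return "discarded"   # forged reply or wrong secret: dropped silently
    if code != ACCESS_ACCEPT:
        return "rejected"
    st = attrs.get(SERVICE_TYPE)
    if st is not None and struct.unpack("!I", st)[0] == ADMINISTRATIVE_USER:
        return "read-write"
    return "read-only"       # any other Service-Type, or none, means read-only

def login(user, password, client_secret=b"c0rrect-horse", server_secret=b"c0rrect-horse"):
    """One login through both sides, against a constructed user database."""
    users = {b"admin": (b"extreme!", True), b"viewer": (b"look-only", False)}
    request = build_access_request(7, user, password, "10.10.0.1", client_secret)
    response = server_handle(request, server_secret, users)
    return client_privilege(request, response, client_secret)
```

Two points worth noticing when you run it: login(b"admin", b"extreme!") yields read-write only because the Access-Accept carries Service-Type 6, while login(b"viewer", b"look-only") yields read-only with no Service-Type at all; and when the two sides disagree on the shared secret (login with server_secret=b"other") the reply is discarded rather than rejected, which is why a mistyped secret shows up on the switch as a server timeout rather than an authentication failure.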


Figure 58: RADIUS Authentication Process (user, RADIUS client (switch VLAN) and RADIUS server; packet types: Access-Request (1), Access-Accept (2), Access-Reject (3), Access-Challenge (11); attributes shown: User-Name, User-Password, Service-Type, Framed-Protocol)

Note: The user name and the rest of the RADIUS exchange are sent in the clear. Only the password is hidden.


Configuring the RADIUS Client


To configure the switch as a RADIUS client, enter the following command:

configure radius {mgmt-access | netlogin} [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip [<ipaddress>] {vr <vr_name>}

To configure the primary RADIUS server, specify primary. To configure the secondary RADIUS server, specify secondary. By default, switch management and network login use the same primary and secondary RADIUS servers for authentication. To specify one pair of RADIUS servers for switch management and another pair for network login, make sure to specify the mgmt-access or netlogin keyword.

To configure the time after which a RADIUS server is considered to have failed to respond, enter the following command:

configure radius {mgmt-access | netlogin} timeout <seconds>

If the timeout expires, another authentication attempt is made. After three failed attempts, the alternate server is used. After six failed attempts, local user authentication is used. If you do not specify the mgmt-access or netlogin keyword, the timeout interval applies to both the switch management and the network login RADIUS servers.

Two consequences of this fallback are worth planning for: a login can stall for up to six times the timeout before local accounts are consulted, and the local account database remains a valid way in whenever RADIUS is unreachable, so it must be protected as carefully as the RADIUS user database.
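The following Python script is an added worked example, not part of the original Extreme Networks course material and not the switch's own code. It models the retry and failover rules just described (three attempts per server, then the alternate server, then the local database) so that you can see how long a login stalls before local accounts take over. The simulated server answers and the three-second timeout are constructed example values.

```python
"""Server selection under the RADIUS retry rules described above: each
attempt that times out counts; after three failures the alternate server is
tried, and after six the switch falls back to its local account database.
The simulated servers and the timeout value are constructed for this example;
it models the documented behaviour and is not the switch's code."""

ATTEMPTS_PER_SERVER = 3
LOCAL = "local"

def target_for_attempt(n):
    """Authenticator used for the n-th attempt (1-based) of one login."""
    if n <= ATTEMPTS_PER_SERVER:
        return "primary"
    if n <= 2 * ATTEMPTS_PER_SERVER:
        return "secondary"
    return LOCAL

def authenticate(answers, timeout=3):
    """answers maps server name -> True (accept), False (reject) or None
    (no response within `timeout` seconds; an unlisted server counts as
    silent). Returns (decision, trail) where trail records
    (target, seconds_elapsed) per attempt."""
    trail, elapsed = [], 0
    for n in range(1, 2 * ATTEMPTS_PER_SERVER + 1):
        target = target_for_attempt(n)
        answer = answers.get(target)
        if answer is None:
            elapsed += timeout          # waited the full timeout, no reply
            trail.append((target, elapsed))
            continue
        trail.append((target, elapsed))
        return ("accept" if answer else "reject", trail)
    # Both servers silent: the local database decides. This is a fail-open
    # path for anyone who can black-hole RADIUS traffic and knows a local
    # password, so local accounts need strong passwords too.
    trail.append((LOCAL, elapsed))
    return ("local", trail)
```

With the default three-second timeout, authenticate({}) (both servers silent) reaches the local database only after 18 seconds, which is the delay users will report when the RADIUS servers are down; a reject from a reachable primary, by contrast, is immediate and never consults the secondary.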

Configuring the Shared Secret Password for RADIUS Servers


In addition to the RADIUS server IP information, RADIUS provides a means to verify communication between network devices and the server. The shared secret is a password configured on both the network device and the RADIUS server, which each side uses to verify the other's packets. To configure the shared secret for RADIUS servers, enter the following command:

configure radius {mgmt-access | netlogin} [primary | secondary] shared-secret {encrypted} <string>

If you do not specify the mgmt-access or netlogin keyword, the secret applies to both the switch management and the network login RADIUS servers (primary or secondary, as selected). Do not use the encrypted keyword when you set the shared secret interactively. The encrypted keyword exists for the output of the show configuration command, where the secret appears in encrypted form so that it is not revealed in the command output, and for reloading that configuration.

Because the shared secret is the only key that hides the user password and authenticates server replies, use a long random secret, configure a different secret for each switch where practical, and never reuse a user's password as a shared secret.


Figure 59: Configuring the RADIUS Client

Figure 60: Configuring the Shared Secret Password for RADIUS Servers


Enabling and Disabling RADIUS


After server information is entered, you can start and stop RADIUS authentication as many times as necessary without reconfiguring the server information. To enable RADIUS authentication, enter the following command:

enable radius {mgmt-access | netlogin}

If you do not specify the mgmt-access or netlogin keyword, RADIUS authentication is enabled on the switch for both management and network login. To disable RADIUS authentication, enter the following command:

disable radius {mgmt-access | netlogin}

If you do not specify the mgmt-access or netlogin keyword, RADIUS authentication is disabled on the switch for both management and network login.

Verifying the RADIUS Client

To display the RADIUS client configuration on the switch, enter the following command:

show radius

Troubleshooting RADIUS

RADIUS troubleshooting is not limited to the switch (the RADIUS client). The configuration files on the RADIUS server must also be correct; in particular, the server must list the switch's client IP address with the same shared secret the switch uses, or it silently discards the Access-Request and the switch sees only a timeout. RADIUS server log files provide additional information on the communication between the RADIUS client and server, and show log on the switch shows the client side of the same exchange.


Figure 61: Enabling and Verifying the RADIUS Client


Configuring RADIUS Accounting


Extreme Networks switches can send RADIUS accounting information. As with RADIUS authentication, you can specify two servers to receive accounting information. The RADIUS accounting servers can be the same as the RADIUS authentication servers, but this is not required. To specify RADIUS accounting servers, enter the following command:

configure radius-accounting {mgmt-access | netlogin} [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip [<ipaddress>] {vr <vr_name>}

To configure the primary RADIUS accounting server, specify primary. To configure the secondary RADIUS accounting server, specify secondary. By default, switch management and network login use the same primary and secondary RADIUS servers for accounting. To specify one pair of RADIUS accounting servers for switch management and another pair for network login, make sure to specify the mgmt-access or netlogin keyword.

Configuring the RADIUS Accounting Timeout Value

To configure the time after which an accounting server is considered to have failed to respond, enter the following command:

configure radius-accounting {mgmt-access | netlogin} timeout <seconds>

If the timeout expires, the accounting request is sent again. After three failed attempts, the alternate server is used.

Configuring the Shared Secret Password for RADIUS Accounting Servers

RADIUS accounting also uses the shared secret mechanism to validate communication between network access devices and RADIUS accounting servers. To specify shared secrets for RADIUS accounting servers, enter the following command:

configure radius-accounting {mgmt-access | netlogin} [primary | secondary] shared-secret {encrypted} <string>

Verifying RADIUS Accounting

To display the RADIUS accounting configuration on the switch, enter the following command:

show radius-accounting


Figure 62: Configuring and Verifying RADIUS Accounting


RADIUS Server Support


You can define primary and secondary server communication information and, for each RADIUS server, the UDP port to use when talking to that server. The default port is 1812 for authentication and 1813 for accounting. The client IP address is the address from which the switch sends its RADIUS requests and to which the RADIUS server replies; it must match the client (NAS) entry configured on the server, or the server discards the requests.

NOTE
For information on how to use and configure your RADIUS server, refer to the documentation that came with your RADIUS server.

RADIUS RFC 2138 Attributes

The following RFC 2138 optional attributes are supported:

  User-Name
  User-Password
  Service-Type
  Login-IP-Host

RADIUS RFC 3580 Attributes

The following RFC 3580 attributes are supported for network login (802.1x):

  EAP-Message
  Message-Authenticator
  State
  Termination-Action
  Session-Timeout
  NAS-Port-Type
  Calling-Station-Id


Figure 63: RADIUS Server Support

  Primary or secondary server
  RADIUS port parameter (default authentication: 1812; default accounting: 1813)
  Client IP address
  RADIUS RFC 2138 attributes
  RADIUS RFC 3580 attributes


Using RADIUS Servers with Extreme Networks Switches


Extreme Networks switches have two levels of user privilege:

  Read-only
  Read-write

Because no command line interface (CLI) commands are available to modify the privilege level, access rights are determined when you log in. For a RADIUS server to convey the administrative privileges of a user, Extreme Networks switches expect the RADIUS server to transmit the Service-Type attribute in the Access-Accept packet after successfully authenticating the user. The switch grants a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 (Administrative-User) is sent as part of the Access-Accept message. Any other Service-Type value, or no Service-Type at all, results in read-only access. Different implementations of RADIUS handle attribute transmission differently, so consult the documentation for your specific RADIUS implementation when you configure users for read-write access.

Extreme RADIUS

Extreme Networks provides its users, free of charge, a RADIUS server based on Merit RADIUS. Extreme RADIUS provides per-command authentication capabilities in addition to the standard set of RADIUS features. Source code for Extreme RADIUS can be obtained from the Extreme Networks Technical Assistance Center and has been tested on Red Hat Linux.

When Extreme RADIUS is up and running, the two most commonly changed files are users and profiles. The users file contains entries specifying login names and the profiles used for per-command authentication after the user has logged in. Sending a HUP signal to the RADIUS process is sufficient for changes to the users file to take effect.

Extreme RADIUS uses the file named profiles to specify command lists that are either permitted or denied to a user based on their login identity. Changes to the profiles file require the RADIUS server to be shut down and restarted; sending a HUP signal to the RADIUS process is not enough to make changes to the profiles file take effect.

When you create command profiles, you can use an asterisk to indicate any possible ending of a particular command. The asterisk cannot be used at the beginning of a command. Reserved words for commands are matched exactly against those in the profiles file. Because of this exact match, it is not enough to enter sh for show in the profiles file; the complete word must be used. Commands can still be entered on the switch in partial form.

When you use per-command authentication, you must ensure that communication between the switches and the RADIUS servers is not lost. If the RADIUS server crashes while users are logged in, they have full administrative access to the switch until they log out. Using two RADIUS servers and enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access due to RADIUS
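The following Python script is an added worked example for the per-command profile rules just described; it is not part of the original Extreme Networks course material and not the Extreme RADIUS server's own parser. The profile syntax, the KEYWORDS vocabulary used to expand abbreviations, and the Profile class are hypothetical illustrations. It shows why a trailing asterisk works, why a leading one is rejected, why sh in a profile never matches show, and how an abbreviated command typed on the switch is still authorized because it is expanded before the check; anything not explicitly permitted is denied.

```python
"""Per-command authorization in the spirit of the Extreme RADIUS 'profiles'
file: a trailing '*' matches any ending, a leading '*' is not allowed,
keywords in the profile must be spelled out in full, and abbreviated
commands are expanded before the check. The profile syntax, KEYWORDS list
and Profile class are hypothetical illustrations, not the real parser."""

# Constructed subset of the switch's command vocabulary used for expansion.
KEYWORDS = ["show", "configure", "create", "delete", "disable", "enable",
            "vlan", "ports", "account", "radius", "log", "ssh2"]

class ProfileError(ValueError):
    pass

def expand(command):
    """Expand unambiguous abbreviations ('sh' -> 'show'); leave exact keywords,
    ambiguous prefixes ('d' -> delete/disable) and arguments untouched."""
    words = []
    for w in command.split():
        if w in KEYWORDS:
            words.append(w)
            continue
        hits = [k for k in KEYWORDS if k.startswith(w)]
        words.append(hits[0] if len(hits) == 1 else w)
    return words

def _pattern(text):
    if text.startswith("*"):
        raise ProfileError("'*' may not begin a command pattern: %r" % text)
    return text.split()

def _matches(pattern, words):
    for i, p in enumerate(pattern):
        if p == "*":
            return True                      # wildcard: any ending is accepted
        if i >= len(words) or words[i] != p:
            return False                     # exact keyword match: 'sh' != 'show'
    return len(words) == len(pattern)        # no wildcard: lengths must agree

class Profile:
    def __init__(self, permit, deny=()):
        self.permit = [_pattern(p) for p in permit]
        self.deny = [_pattern(d) for d in deny]

    def allows(self, command):
        words = expand(command)
        if any(_matches(d, words) for d in self.deny):
            return False                     # an explicit deny always wins
        return any(_matches(p, words) for p in self.permit)   # default deny

if __name__ == "__main__":
    ops = Profile(permit=["show *", "configure vlan *"], deny=["show log"])
    for cmd in ("sh vlan", "sh lo", "conf vlan Default add ports 1", "create vlan x"):
        print(cmd, "->", "permit" if ops.allows(cmd) else "deny")
```

Note that an ambiguous abbreviation such as d vlan x is left unexpanded and therefore denied: when the switch cannot resolve what was typed, failing closed is the only safe answer, which is the opposite of what happens when the RADIUS server itself disappears mid-session.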


Figure 64: Using RADIUS Servers with Extreme Networks Switches

  Two levels of user privilege: read-only, read-write
  Free RADIUS servers: Extreme RADIUS (based on Merit RADIUS), Cistron RADIUS, FreeRADIUS
  Commercial RADIUS servers: Extreme Networks EPICenter, RSA ACE, Funk Software Steel-Belted Radius


Merit RADIUS Server Configuration Example


Many RADIUS server implementations use the publicly available Merit AAA server application. To get a copy, search for the server on the website at www.merit.edu. The figure shows excerpts from relevant portions of a sample Merit RADIUS server configuration: the client configuration file (ClientCfg.txt), which defines the authorized source machine (the switch's client IP address), the source name, and the access level, and the user configuration file (users), which defines the user name, password, and service type information. The client entry and its shared secret must match what is configured on the switch, or the server discards the switch's requests.


Figure 65: Merit RADIUS Server Configuration Example


Summary

You should now be able to:

  Identify the five switch access options
  Configure Safe-Default-Script
  Disable nonessential switch access options
  Create management accounts on the switch
  Configure a failsafe account
  Manage passwords
  Configure an Access Control List (ACL) to control Telnet access
  Display management accounts
  Configure the banner that displays during login attempts
  Configure switch idle timeouts
  View active switch sessions
  Configure SNMPv3
  Configure SSH2
  Configure an ACL to control SSH2 access
  Configure SCP2
  Describe RADIUS
  Configure the RADIUS client
  Configure RADIUS accounting
  Describe TACACS+


Figure 66: Summary

TACACS+

  Cisco proprietary AAA protocol
  TCP based
  Supports legacy protocols
  On an Extreme Networks switch, RADIUS and TACACS+ cannot be active at the same time

Figure 67: Summary (cont)


Module 4 ACLs and Policies

Extreme Security Fundamentals Rev3.0


Student Objectives

Upon completion of this module, the successful student will be able to:

  Describe the EXOS packet filtering structure and components
  Know how to use policies and edit policy files
  Describe the differences between ACL policies and routing policies
  Understand dynamic ACLs and static ACLs (ACL policy files), matching conditions, syntax, and troubleshooting
  Understand the ACL rule evaluation process
  Understand routing policies
  Understand routing policy syntax and the rule evaluation process
  Understand routing policy match conditions and actions
  Know how to apply routing policies
  Practice hands-on labs to reinforce the concepts


Figure 68: Student Objectives


EXOS Packet Filtering Structure and Components


When you create a policy file, name the file with the policy name that you will use when applying the policy, and use .pol as the filename extension. For example, the policy name boundary refers to the text file boundary.pol. The Policy Manager is responsible for maintaining a set of policy files/statements in a policy database and communicating these policy statements to the applications that request them.

How to Use Policies


A policy is created by writing a text file that contains a series of rule entries describing match conditions and actions to take. Prior to release 11.0, all policies were created by writing a text file on a separate machine and then downloading it to the switch. Once on the switch, the file was then loaded into a policy database to be used by applications on the switch. With release 11.0, policy text files can also be created and edited directly on the switch through the built-in vi-like editor.


Figure 69: EXOS Packet Filtering Structure and Components

Figure 70: How to Use Policies


How to Edit Policy Entries/Rules


The vi-like editor is a built-in tool in ExtremeWare XOS. To open a policy file stored on the switch in the editor, use the following command: #edit policy <filename>

Types of Policies
There are two types of policies: ACL Policy and Routing Policy.

Policies are used by the access control list (ACL) application to make packet filtering and forwarding decisions. The ACL application programs these policies into the packet filtering hardware on the switch. Packets can be dropped, forwarded, moved to a different QoS profile, or counted, based on the policy statements provided by the policy manager.

Policies are also used by the routing protocols to control the advertisement, reception, and use of routing information by the switch. Using policies, a set of routes can be selectively permitted (or denied) for advertisement in the routing domain based on their attributes. The routing protocol application can also modify the attributes of the routing information, based on the policy statements.

ExtremeWare XOS does not prohibit mixing ACL policy and routing policy entries in a single policy file. However, it is strongly recommended that you write separate policy files for ACL entries and for routing entries.

ACLs can be created in two ways. One method is to use the ACL policy file mentioned above, which is created and then applied to a list of ports or to VLANs/interfaces. ACLs created this way persist across switch reboots, can contain a large number of rule entries, and are all applied at the same time. The other way is to create dynamic ACLs. Dynamic ACLs do not persist across a reboot and consist of a single rule each. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are configured. Details are covered later in this module.

Figure 71: How to Edit Policy Entries/Rules

Figure 72: Types of Policies


Access Control List


ACLs can be created in two ways: ACL Policy and Dynamic ACL. The ACL policy method creates a policy file and applies it to a list of ports or to VLANs/interfaces. ACLs created this way persist across switch reboots, can contain a large number of rule entries, and are all applied at the same time.

A dynamic ACL does not persist across a reboot and consists of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are configured.

ACL Overview
ACLs are used to perform packet filtering and forwarding decisions on incoming traffic.

Each packet arriving on an ingress port is compared to the access list applied to that port and is either permitted or denied. Permitted packets can also be forwarded to a specified QoS profile. On the BD10K and BD12K platforms, egress packets can also be filtered; this is a new feature in ExtremeWare XOS 11.3.

Additionally, you can configure the switch to count permitted and denied (dropped) packets, log packet headers, mirror traffic to a monitor port, send the packet to a QoS profile, and, for the BlackDiamond 8800 family and Summit X450 switches only, meter the packets to control bandwidth.

ACLs in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in ExtremeWare. For example, if you deny all traffic on a port, no traffic, including control packets such as OSPF or RIP, will reach the switch and the adjacency will be dropped. You must explicitly permit those types of packets (if desired). In ExtremeWare, an ACL that denied all traffic still allowed control packets (those bound for the CPU) to reach the switch.

Because ACLs are programmed into the packet filtering hardware, using ACLs has no impact on switch performance.

ACLs are created in two different ways. One method is to use the CLI to specify a single rule, called a dynamic ACL. Dynamic ACLs do not persist across a reboot and consist of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are configured. The second method is to create an ACL policy file and apply that ACL policy file to a list of ports, to a VLAN, or to all interfaces. This method creates ACLs that persist across switch reboots, can contain a large number of rule entries, and are all applied at the same time.

Figure 73: ACL Overview


Static ACL - ACL Policy File


Match Conditions:
You can specify multiple, single, or zero match conditions. If no match condition is specified, all packets match the rule entry. Among the match conditions commonly used are:

IP source address and mask
IP destination address and mask
TCP or UDP source port range
TCP or UDP destination port range

Actions:
The action is permit, deny, or unspecified. If no action is specified, the packet is permitted. The deny action drops the packet.

Action Modifiers:
The action modifiers are count <countername>, qosprofile <qosprofilename>, and meter <metername>. The count action modifier increments the named counter each time the entry matches. The qosprofile action modifier forwards the packet to the specified QoS profile. The meter action modifier associates a rule entry with an ACL meter and is available only on the BD 8810 and Summit X450 platforms. (Metering is a QoS feature and is not discussed in detail in this course.)

ACL Match Operators:


You can also use the operators <, <=, >, and >= to specify match conditions. For example, the match condition source-port > 190 matches packets with a source port greater than 190. Be sure to use a space before and after an operator. The table on the right lists all the possible match conditions.

The field types used in that table are shown on the lower slide of the next page:
Prefix: IP source and destination address prefixes. To specify the address prefix, use the notation prefix/prefix-length. For a host address, set prefix-length to 32.
Number: a numeric value, such as a TCP or UDP source or destination port number, or an IP protocol number.
Range: a range of numeric values, such as a TCP or UDP port number range. To specify the range, use the notation number-number.
Bit-field: used to match specific bits in an IP packet, such as the TCP flags and the fragment flag.
MAC: a 6-byte hardware address.

Figure 74: ACL Policy File

Figure 75: ACL Policy File Match Conditions


ACL Policy Syntax and Example


This example policy file contains two rule entries: The first entry denies all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250. The second entry denies ICMP echo request packets from the 10.203.134.0/24 subnet, and increments the counter icmpcnt.

Apply ACL Policies and Display ACL Information


To apply an ACL policy, use the following command:

#configure access-list <aclname> [any | ports <portlist> | vlan <vlanname>] {ingress}

Supply the <aclname> option with the ACL policy name. If you use the any keyword, the ACL is applied to all the interfaces and is referred to as the wildcard ACL. This ACL is evaluated for any ports without specific ACLs, and it is also applied to any packets that do not match the specific ACLs applied to the interfaces. If an ACL is already configured on an interface, the command is rejected and an error message is displayed.

To remove an ACL from an interface, use the following command:

#unconfigure access-list {any | ports <portlist> | vlan <vlanname>} {ingress}

To check whether a policy file is syntactically correct, use the following command:

#check policy <policy-name>

To display which interfaces have ACLs configured, and which ACL is on which interface, use the following command:

#show access-list

To display the ACL counters, use the following command:

#show access-list counter {<countername>} {any | ports <portlist> | vlan <vlanname>} {ingress}

To clear the access list counters, use the following command:

#clear access-list counter {<countername>} {any | ports <portlist> | vlan <vlanname>} {ingress}

When a policy file is changed (an entry added or deleted, or a statement added, deleted, or modified), the information in the policy database does not change until the policy is refreshed. You must refresh the policy so that the latest copy is used. When the policy is refreshed, the new policy file is read, processed, and stored in the policy database, and any clients that use the policy are updated. Use the following command to refresh the policy:

#refresh policy <policy-name>

For ACL policies only, while an ACL policy is being refreshed, packets on the interface are blackholed by default. This protects the switch during the short time that the policy is being applied to the hardware: otherwise an unwanted packet could be forwarded by the switch while the new ACL is being set up in the hardware. You can disable this behavior. To control the behavior of the switch during an ACL refresh, use the following commands:

#enable access-list refresh blackhole
#disable access-list refresh blackhole

Figure 76: ACL Policy Syntax and Example

Figure 77: Apply ACL Policies and Display ACL Information


ACL Rule Evaluation Process


Dynamic ACLs have a higher precedence than any ACLs applied using policy files. The precedence among any dynamic ACLs is determined as they are configured.

Often an ACL has a rule entry at the end with no match conditions. This entry matches any packets not otherwise processed, so that you can specify an action that overrides the default permit action.

Rule Types and Evaluation Precedence


Types of Rules:
An ACL is a policy file that contains one or more rules. In ExtremeWare XOS, each rule can be one of following types:

L2 rule: a rule containing only Layer 2 (L2) matching conditions, such as Ethernet MAC address and Ethernet type.
L3 rule: a rule containing only Layer 3 (L3) matching conditions, such as source or destination IP address and protocol.
L4 rule: a rule containing both Layer 3 (L3) and Layer 4 (L4) matching conditions, such as TCP/UDP port number.

When an ACL file contains both L2 and L3/L4 rules, on the BlackDiamond 10K:

L3/L4 rules have higher precedence than L2 rules: L3/L4 rules are evaluated before any L2 rules.
The precedence among L3/L4 rules is determined by their relative position in the ACL file; rules are evaluated sequentially from top to bottom.
The precedence among L2 rules is likewise determined by their position in the ACL file; rules are evaluated sequentially from top to bottom.

It is recommended that L2 and L3/L4 rules be grouped together for easy debugging.

For BD 8810 and Summit X450, rule precedence is solely determined by the rules relative order in the policy file. L2, L3, and L4 rules are evaluated in the order found in the file.

Figure 78: ACL Rule Evaluation Process on BlackDiamond10K

Figure 79: Rule Types and Evaluation Precedence


Rule Precedence Among Interface Types


Precedence among interface types:
1 A port-based ACL has the highest precedence, followed by a VLAN-based ACL and then the wildcard ACL.
2 If an ACL is configured on the port, the port-based ACL is evaluated first.
3 If an ACL is configured on the VLAN to which the port belongs, the VLAN-based ACL is evaluated next.
4 If the wildcard (any) ACL is configured, the wildcard ACL is evaluated last.

For example, physical port 1:2 is a member port of VLAN yellow. ACL evaluation is performed in the following sequence:
1 If an ACL is configured on port 1:2, the port-based ACL is evaluated and the evaluation ends.
2 If an ACL is configured on VLAN yellow, the VLAN-based ACL is evaluated and the evaluation process terminates.
3 If the wildcard ACL is configured, the wildcard ACL is evaluated and the evaluation process terminates.
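The evaluation order described in this section and in the preceding sections on rule types, the default permit action and dynamic-ACL precedence, as an added Python model; it is not EXOS code and is not part of the course material. It follows the page's statements: within one ACL the first matching entry decides and an entry with no action permits; dynamic ACLs are evaluated before policy-file ACLs; the port ACL, VLAN ACL and wildcard ACL are tried in that order; on the BlackDiamond 10K the L3/L4 entries are evaluated before the L2 entries, while on the BlackDiamond 8800 and Summit X450 file order alone counts. Two points are assumptions rather than statements of the page: an ACL none of whose entries match hands the packet to the next ACL in the order (the wildcard description says it is applied to packets that the specific ACLs did not match), and an entry with no match conditions is grouped with the L2 entries on the BD10K. The boundary policy is written from the page's two-entry example description; the packets, the deny-all tail entry and the mixed L2/L3 file are constructed. The block also shows the caveat from the ACL overview: a deny-all tail entry drops OSPF hellos unless an entry permits them first.

```python
import ipaddress

# Added example (not EXOS code): a model of the ACL evaluation order this page describes.
# A rule is {"name": ..., "match": {field: value}, "action": "permit" | "deny", "count": name};
# field names follow the policy-file keywords, the values below are constructed for the example.

L3_FIELDS = {"source-address", "destination-address", "protocol", "icmp-type"}
L4_FIELDS = {"source-port", "destination-port"}


def rule_layer(rule):
    """L4 if the rule has a port condition, else L3 if it has an IP condition, else L2.
    Assumption: an entry with no conditions at all is grouped with the L2 rules."""
    fields = set(rule["match"])
    if fields & L4_FIELDS:
        return 4
    if fields & L3_FIELDS:
        return 3
    return 2


def port_ok(spec, port):
    """Port conditions as written in a policy file: '23', '1200-1250', '> 190', '<= 1023'."""
    spec = str(spec).replace(" ", "")
    for op in ("<=", ">=", "<", ">"):
        if spec.startswith(op):
            n = int(spec[len(op):])
            return {"<=": port <= n, ">=": port >= n, "<": port < n, ">": port > n}[op]
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule, pkt):
    """Every condition must hold: ACL policies only support 'match all'."""
    for field, want in rule["match"].items():
        got = pkt.get(field)
        if got is None:
            return False
        if field in ("source-address", "destination-address"):
            if ipaddress.ip_address(got) not in ipaddress.ip_network(want, strict=False):
                return False
        elif field in L4_FIELDS:
            if not port_ok(want, got):
                return False
        elif str(want).lower() != str(got).lower():
            return False
    return True


def order_rules(rules, platform):
    """BlackDiamond 10K: L3/L4 rules before L2 rules; BD8800/Summit X450: file order."""
    if platform == "bd10k":
        return [r for r in rules if rule_layer(r) >= 3] + [r for r in rules if rule_layer(r) == 2]
    return list(rules)


def evaluate_acl(rules, pkt, platform, counters):
    """First matching entry decides; None when no entry matched."""
    for rule in order_rules(rules, platform):
        if rule_matches(rule, pkt):
            if rule.get("count"):
                counters[rule["count"]] = counters.get(rule["count"], 0) + 1
            return rule.get("action", "permit")  # no action specified means permit
    return None


def evaluate(pkt, port, vlan, dynamic=(), port_acls=None, vlan_acls=None,
             wildcard=None, platform="bd8800", counters=None):
    """Dynamic ACLs outrank policy-file ACLs; then port ACL, VLAN ACL, wildcard ACL.
    Assumption (from the wildcard description): an ACL none of whose entries
    match hands the packet to the next ACL; the final fallback is permit."""
    counters = {} if counters is None else counters
    for acl in (list(dynamic), (port_acls or {}).get(port), (vlan_acls or {}).get(vlan), wildcard):
        if acl:
            verdict = evaluate_acl(acl, pkt, platform, counters)
            if verdict is not None:
                return verdict
    return "permit"


# Constructed policy written to the page's two-entry example description.
BOUNDARY = [
    {"name": "udpacl", "action": "deny",
     "match": {"source-address": "10.203.134.0/24", "destination-address": "140.158.18.16/32",
               "protocol": "udp", "source-port": "190", "destination-port": "1200-1250"}},
    {"name": "icmp", "action": "deny", "count": "icmpcnt",
     "match": {"source-address": "10.203.134.0/24", "protocol": "icmp", "icmp-type": "echo-request"}},
]
DENY_TAIL = {"name": "default", "match": {}, "action": "deny", "count": "default"}
# With a deny-all tail, OSPF hellos die too unless an entry permits them first.
BOUNDARY_DENY_TAIL = BOUNDARY + [DENY_TAIL]
BOUNDARY_OSPF_OK = BOUNDARY + [{"name": "ospf", "match": {"protocol": "ospf"}, "action": "permit"}, DENY_TAIL]
# Mixed L2/L3 file: the platform decides which entry wins.
MIXED = [
    {"name": "badmac", "match": {"ethernet-source-address": "00:11:22:33:44:55"}, "action": "deny"},
    {"name": "lan", "match": {"source-address": "10.0.0.0/8"}, "action": "permit"},
]

# Constructed packets.
UDP_IN_RANGE = {"source-address": "10.203.134.7", "destination-address": "140.158.18.16",
                "protocol": "udp", "source-port": 190, "destination-port": 1210}
OSPF_HELLO = {"source-address": "192.0.2.1", "destination-address": "224.0.0.5", "protocol": "ospf"}
LAN_FROM_BADMAC = {"ethernet-source-address": "00:11:22:33:44:55", "source-address": "10.1.1.1"}

if __name__ == "__main__":
    print(evaluate(UDP_IN_RANGE, "1:1", "yellow", port_acls={"1:1": BOUNDARY}))          # deny
    print(evaluate(OSPF_HELLO, "1:1", "yellow", port_acls={"1:1": BOUNDARY_DENY_TAIL}))  # deny
    print(evaluate(OSPF_HELLO, "1:1", "yellow", port_acls={"1:1": BOUNDARY_OSPF_OK}))    # permit
    print(evaluate(LAN_FROM_BADMAC, "1:1", "yellow", port_acls={"1:1": MIXED}, platform="bd10k"))  # permit
```

Running the block prints deny, deny, permit, permit. The first deny is the page's UDP entry; the second is the OSPF hello that a deny-all tail entry silently kills, which is why an explicit permit for routing-protocol traffic belongs before that entry. The last line would print deny on the BD8800 and Summit X450, where the L2 entry keeps its place in the file.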

Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450 only
An ACL mask defines a unique set of match criteria and a relative rule precedence; masks are generated automatically from the contents of an ACL policy. Only adjacent rules within the policy that have identical match criteria share the same ACL mask, so list all rules with the same match criteria together unless a relative precedence with other policy rules is required. There are 16 ACL masks supported per port, 128 rules supported per Gigabit Ethernet port, and 1024 rules supported per 10 Gigabit Ethernet port. It is therefore important to conserve and carefully plan the use of ACL masks to avoid exhausting the masks available on the BD8800 and Summit X450 switches. To display the number of masks and rules used by a particular port:

#show access-list usage [acl-mask | acl-rule] port <port>

Additionally, certain non-ACL features allocate ACL masks and use ACL rules in order to function. Here is the list by feature:

dot1p examination: 1 mask, 8 rules (enabled by default)
DiffServ examination: 1 mask, 64 rules for 10G ports; 0 masks, 0 rules for 1G ports (disabled by default)
IGMP snooping: 2 masks, 2 rules (enabled by default)
IP interface: 2 masks, 2 rules (disabled by default)
VLAN QoS: 1 mask, 1 rule per VLAN (disabled by default)
Port QoS: 1 mask, 1 rule (disabled by default)
VRRP: 1 mask, 1 rule
EAPS: 1 master-config mask plus 1 transit-config mask; 1 rule plus one rule per transit-mode EAPS domain on the port
ESRP: 1 mask, 1 rule
LLDP: 1 mask, 1 rule
Netlogin: 1 mask, 1 rule
IPv6: 1 mask, 1 rule

Figure 80: Rule Precedence Among Interface Types

Figure 81: Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450


Conserving ACL Masks and Rules Examples


Here are some examples of the number of ACL masks used.

Sample_policy1.pol consumes three masks. However, since rule entries two and three have the same action, their relative precedence does not matter, and they could be swapped without affecting the results of the policy. Sample_policy2.pol accomplishes the same goal but uses two masks.

The order of rule entries is important: different rule orders can have different meanings. In the second example, the only difference between sample_policy20.pol and sample_policy21.pol is that rule entries two and three are swapped. Sample_policy20.pol consumes three masks since there are no adjacent rules with the same match criteria. Sample_policy21.pol consumes two masks since rules one and three are now adjacent and have identical match criteria. However, these two policies have different meanings because of precedence: in sample_policy20, all telnet traffic is permitted; in sample_policy21, telnet traffic may be denied if it comes from host 2.2.2.2.
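A mask-accounting check for the BlackDiamond 8800 and Summit X450 rule in the previous section, as an added Python example; it is not EXOS code and not from the course. It implements only what the page states: adjacent entries with identical match criteria (the same set of matched fields) share a mask, and two entries may change places only when their action and modifiers are identical. The per-port limits and the feature costs are copied from the page's table (the feature list is partial). The page's sample_policy1/2 and sample_policy20/21 are on the slide, not in the text, so the policies below are constructed to behave as the text describes them: entries two and three of SAMPLE_POLICY1 share an action, and SAMPLE_POLICY21 moves the deny for host 2.2.2.2 ahead of the telnet permit.

```python
# Added example (not EXOS code): count ACL masks the way this page describes for the
# BlackDiamond 8800 and Summit X450, and regroup rules only where it cannot change
# what the policy does. Rules are {"name", "match": {field: value}, "action", "count"}.

MASKS_PER_PORT = 16
RULES_PER_PORT = {"1G": 128, "10G": 1024}
# (masks, rules) per port taken by non-ACL features, from the page's table (partial list).
FEATURE_COST = {
    "dot1p-examination": (1, 8),   # enabled by default
    "igmp-snooping": (2, 2),       # enabled by default
    "ip-interface": (2, 2),
    "port-qos": (1, 1),
    "vrrp": (1, 1),
    "esrp": (1, 1),
    "lldp": (1, 1),
    "netlogin": (1, 1),
    "ipv6": (1, 1),
}


def criteria(rule):
    """A mask depends on which fields a rule matches, not on their values."""
    return frozenset(rule["match"])


def count_masks(rules):
    """Adjacent rules with identical match criteria share one mask."""
    masks, prev = 0, None
    for rule in rules:
        key = criteria(rule)
        if key != prev:
            masks, prev = masks + 1, key
    return masks


def same_action(a, b):
    """Two rules may trade places only if action and modifiers are identical."""
    return (a.get("action", "permit"), a.get("count")) == (b.get("action", "permit"), b.get("count"))


def regroup(rules):
    """Move a later rule up beside an earlier rule with the same criteria, but only
    past rules whose action it shares, so no packet's fate changes."""
    rules = list(rules)
    i = 0
    while i < len(rules):
        j = i + 1
        while j < len(rules) and criteria(rules[j]) == criteria(rules[i]):
            j += 1  # end of the run that already shares this mask
        k = j + 1
        while k < len(rules):
            if criteria(rules[k]) == criteria(rules[i]) and \
                    all(same_action(rules[k], rules[m]) for m in range(j, k)):
                rules.insert(j, rules.pop(k))
                j += 1
            k += 1
        i = j
    return rules


def port_budget(rules, speed="1G", features=("dot1p-examination", "igmp-snooping")):
    """(masks left, rules left) on one port after this policy and the listed features."""
    masks, used = count_masks(rules), len(rules)
    for feature in features:
        if feature == "diffserv-examination":  # speed dependent: 1 mask, 64 rules on 10G only
            m, r = (1, 64) if speed == "10G" else (0, 0)
        else:
            m, r = FEATURE_COST[feature]
        masks, used = masks + m, used + r
    return MASKS_PER_PORT - masks, RULES_PER_PORT[speed] - used


# Constructed to behave like the page's sample_policy1/2: entries two and three share an action.
SAMPLE_POLICY1 = [
    {"name": "a", "match": {"source-address": "10.0.0.0/8", "destination-address": "10.1.0.0/16"}, "action": "permit"},
    {"name": "b", "match": {"source-address": "10.2.0.0/16"}, "action": "deny"},
    {"name": "c", "match": {"source-address": "10.3.0.0/16", "destination-address": "10.1.0.0/16"}, "action": "deny"},
]
# Constructed to behave like sample_policy20/21: the deny for 2.2.2.2 moves ahead of telnet.
TRUSTED = {"name": "trusted", "match": {"source-address": "1.1.1.1/32"}, "action": "permit"}
TELNET = {"name": "telnet", "match": {"protocol": "tcp", "destination-port": "23"}, "action": "permit"}
BADHOST = {"name": "badhost", "match": {"source-address": "2.2.2.2/32"}, "action": "deny"}
SAMPLE_POLICY20 = [TRUSTED, TELNET, BADHOST]  # 3 masks; telnet from 2.2.2.2 permitted
SAMPLE_POLICY21 = [TRUSTED, BADHOST, TELNET]  # 2 masks; telnet from 2.2.2.2 denied

if __name__ == "__main__":
    print(count_masks(SAMPLE_POLICY1), count_masks(regroup(SAMPLE_POLICY1)))  # 3 2
    print(count_masks(SAMPLE_POLICY20), count_masks(SAMPLE_POLICY21))         # 3 2
    print(regroup(SAMPLE_POLICY20) == SAMPLE_POLICY20)                         # True: not safe to regroup
    print(port_budget(SAMPLE_POLICY20))                                         # (10, 115)
```

regroup refuses to touch SAMPLE_POLICY20 because the only candidate move would carry a deny past a permit; saving that third mask is exactly the SAMPLE_POLICY21 change the text warns about, and it has to be a deliberate decision. port_budget answers the question the show access-list usage command answers on the switch, before the policy is applied.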

Figure 82: Conserving ACL Masks and Rules Examples

Figure 83: Conserving ACL Masks and Rules Examples


Dynamic ACL
Dynamic ACLs are created using the CLI. They use a syntax similar to the ACL policy file and can accomplish the same actions as single rule entries in ACL policy files. Once a dynamic ACL rule has been created, it can be applied to a port, a VLAN, or the wildcard any interface. More than one dynamic ACL can be applied to an interface; when the ACL is applied, you specify the precedence of the rule among the dynamic ACL rules. Dynamic ACLs have a higher precedence than ACLs applied using a policy file.

Dynamic ACL Match Conditions and Actions


Match Conditions:
The match conditions for Dynamic ACLs are the same as those for ACL Policies. Notice that, for protocol matching, you can either use the protocol name (such as ICMP) or the protocol number (such as 1 for ICMP).

Actions:
permit: the packet is forwarded. deny: the packet is dropped. The default action is permit, so if no action is specified in a rule entry, the packet is forwarded.

Figure 84: Dynamic ACL

Figure 85: Dynamic ACL Match Conditions and Actions


Dynamic ACL Action Modifiers


Action Modifiers:
Additional actions can also be specified, independent of whether the packet is dropped or forwarded. These additional actions are called action modifiers. Not all action modifiers are available on all switches, and not all are available for both ingress and egress ACLs. The action modifiers are: count <countername>increments the counter named in the action modifier (ingress only) To count packets: When the ACL entry match conditions are met, the specified counter is incremented. The counter value can be displayed by the command: #show access-list counter {<countername>}{any|ports<portlist>|vlan <vlanname>}{ingress|egress} loglogs the packet header To log packets. Packets are logged only when they go to the CPU, so packets in the fastpath are not automatically logged. You must use both the mirror-cpu action modifier and the log or log-raw action modifier if you want to log both slowpath and fastpath packets that match the ACL rule entry. Additionally, KERN:INFO messages are not logged by default. You must configure the EMS target to log these messages. log-rawlogs the packet header in hex format. meter <metername>takes action depending on the traffic rate (BlackDiamond 8800 family and Summit X450 switches only). To meter packets: BlackDiamond 8800 Family and Summit X450 OnlyFor the BlackDiamond 8800 family and Summit X450 switches, the meter <metername> action modifier associates a rule entry with an ACL meter. See the section, ACL MeteringBlackDiamond 8800 Family and Summit X450 Only on page 271 for more information. mirrorsends a copy of the packet to the monitor (mirror) port (ingress only). To mirror packets: You must enable port-mirroring on your switch. See the section, Switch Port Mirroring on page 130. If you attempt to apply a policy that requires port-mirroring, you will receive an error message if port-mirroring is not enabled. 
mirror-cpumirrors a copy of the packet to the CPU in order to log it qosprofile <qosprofilename> forwards the packet to the specified QoS profile (ingress only). redirect <ipv4 addr>forwards the packet to the specified IPv4 address (BlackDiamond 10K only). To redirect packets: BlackDiamond 10K OnlyPackets are forwarded to the IPv4 address specified, without modifying the IP header. The IPv4 address must be in the IP ARP cache, otherwise the packet is forwarded normally. Only fast path traffic can be redirected. You may want to create a static ARP entry for the redirection IP address, so that there will always be a cache entry. replace-dot1preplace the packets 802.1p field with the value from the associated QoS profile (BlackDiamond 10K ingress only). replace-dscpreplace the packets DSCP or 802.1p field with the value from the associated QoS profile (BlackDiamond 10K ingress only). See the slide on the right for an example.

Figure 86: Dynamic ACL Action Modifiers


Configuring Dynamic ACL Rules and Examples


In contrast to ACL policy file entries, dynamic ACLs are created directly in the CLI. Use the following command to create a dynamic ACL:

#create access-list <dynamic-rule> <conditions> <actions>

You may specify multiple match conditions and multiple actions. The conditions and the actions are each given as one quoted string; multiple match conditions within the string are separated by semicolons, and multiple actions are separated by semicolons in the same way.

Slides on the right page demonstrate how to configure dynamic ACL rules.

Figure 87: Configuring Dynamic ACL Rules

Figure 88: Configuring Dynamic ACL Example


Hands-on Lab #1: Static ACL (ACL Policy)


Switch Configuration:

1 Create the ACL rule entries in Notepad. The rules should prevent TCP connections from being established from the 10.10.20.0/24 subnet, but allow established connections to continue, and allow TCP connections to be established to that subnet. Permit all other packets and increment the counter default.

entry permit-established {
    if {
        source-address 10.10.20.0/24;
        protocol tcp;
        tcp-flags syn;
    } then {
        deny;
        count syn;
    }
}
entry default {
    if {
    } then {
        permit;
        count default;
    }
}

Save the above file as test.txt.

2 TFTP the test.txt file to the switch, renaming it test.pol, and verify the policy file syntax and integrity:

#tftp 192.168.1.2 -g -l test.pol -r test.txt

If your physical connection is through one of the data ports (instead of the Management port), use:

#tftp 192.168.1.2 -v vr-default -g -l test.pol -r test.txt

(The same applies to the following labs.)

#check policy test

(Do not use the .pol extension with check policy.)

3 Apply the test.pol policy file to all ports and interfaces:

#configure access-list test any

4 Verify with:

#show access-list counter

To use the built-in vi-like editor on the switch to create or edit a policy file instead, use the command:

#edit policy test.pol


Hands-on Lab #2: Static ACL (ACL Policy)


1 Create the ACL rule entries in Notepad:

entry letgo {
    if {
        destination-address 192.20.1.0/24;
        source-address 192.10.1.0/24;
        protocol tcp;
        destination-port 23;
    } then {
        permit;
        count letgo;
    }
}
entry denyall {
    if {
    } then {
        deny;
        count denyall;
    }
}

Save the above file as class.txt.

2 TFTP the class.txt file to the switch, renaming it class.pol, and verify the policy file syntax and integrity:

#tftp 192.168.1.2 -g -l class.pol -r class.txt
#check policy class

(Do not use the .pol extension with check policy.)

3 Apply the class.pol policy file to ports 2:1 through 2:5:

#configure access-list class ports 2:1-2:5

4 Verify with:

#show access-list


Hands-on Lab #3: Dynamic ACLs


Switch Configuration on BD10K:

#configure vlan default delete ports all
#create access-list dacl1 "source-address 1.1.2.100/32; protocol icmp" "deny; count c1"
#create access-list dacl2 "source-address 1.1.2.100/32" "permit; qosprofile qp8; count c2"
#configure access-list add dacl1 first ports 2:1-2:5 ingress
#configure access-list add dacl2 after dacl1 ports 2:1-2:5 ingress
#show access-list ports 2:1-2:5 ingress

Hands-on Lab #4: Dynamic ACLs


Switch Configuration (the redirect action modifier is available on the BlackDiamond 10K only, so this lab also runs on the BD10K):

#create access-list dacl1 "destination-address 192.168.1.1/24; protocol tcp" "count c1; redirect 192.168.1.100"
#create access-list dacl2 "destination-address 192.168.1.1/24" "deny; count c2"
#configure access-list add dacl1 first vlan v100
#configure access-list add dacl2 last vlan v100

Use the command #show access-list vlan v100 to verify the result.


Routing Policies
Routing policies:

are used to control the advertisement or reception of routes by routing protocols
may hide entire networks or trust specific sources for routes or ranges of routes
may modify and filter routing information received and advertised by a switch

Figure 89: Routing Policies Overview


Routing Policy Syntax and Example


The policy file contains one or more policy rule entries. Each routing policy entry consists of:
1 A policy entry rule name, unique within the same policy.
2 Zero or one match type. If no type is specified, the match type is all, so all match conditions must be satisfied.
3 Zero or more match conditions. If no match condition is specified, every route matches the entry.
4 Zero or more actions. If no action is specified, the route is permitted by default.

Routing Policy Rule Evaluation Process


Routing policy rule entries are evaluated in order, from the beginning of the file to the end, as follows:
1 If a match occurs, the action in the then statement is taken:
  a If the action contains an explicit permit or deny, the evaluation process terminates.
  b If the action does not contain an explicit permit or deny, the action is an implicit permit, and the evaluation process terminates.
2 If a match does not occur, the next policy entry is evaluated.
3 If no match has occurred after evaluating all policy entries, the default action is deny.

Figure 90: Routing Policy Syntax and Example

Figure 91: Routing Policy Rule Evaluation Process


Routing Policy Match Conditions


There are two possible choices for the match type:

match all: all the match conditions must be true for a match to occur. This is the default.
match any: if any match condition is true, a match occurs.

The slide on the right shows the possible policy entry match conditions. Note that these match conditions apply only to routing policies, not to ACL policies. For ACL policies, there is only match all.
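A model of routing-policy evaluation as this page and the preceding evaluation-process section describe it, as an added Python example; it is not EXOS code and not part of the course. It implements match all and match any, the implicit permit when a matching entry has no explicit action, attribute changes such as cost 10, and the default deny when no entry matches, which is the opposite of the ACL default permit. One assumption: the nlri condition is taken to match the listed prefix and any more-specific prefix inside it. LAB5 is the single entry of hands-on lab #5; the FILTER policy and the routes are constructed.

```python
import ipaddress

# Added example (not EXOS code): a model of routing-policy evaluation as this page
# describes it. An entry is {"name", "type": "all" | "any", "match": [(field, value), ...],
# "action": "permit" | "deny" or absent, "set": {attribute: value}}. Routes and values
# below are constructed for this example.


def condition_holds(field, want, route):
    got = route.get(field)
    if got is None:
        return False
    if field == "nlri":
        # Assumption: an nlri condition matches the listed prefix and anything inside it.
        return ipaddress.ip_network(got).subnet_of(ipaddress.ip_network(want))
    return str(got).lower() == str(want).lower()


def entry_matches(entry, route):
    """'match all' (the default) needs every condition; 'match any' needs one.
    An entry with no conditions matches every route."""
    conds = entry.get("match", [])
    if not conds:
        return True
    results = [condition_holds(f, v, route) for f, v in conds]
    return any(results) if entry.get("type", "all") == "any" else all(results)


def evaluate_route(policy, route):
    """Entries are tried in file order. A matching entry applies its attribute
    changes and ends evaluation; an action without an explicit permit/deny is an
    implicit permit. If nothing matches, the route is denied (ACLs default to permit)."""
    for entry in policy:
        if entry_matches(entry, route):
            new_route = dict(route)
            new_route.update(entry.get("set", {}))
            return entry.get("action", "permit"), new_route
    return "deny", dict(route)


# Lab 5's single entry: 'if match all { route-origin rip; } then { cost 10; }'.
LAB5 = [{"name": "RouteRule", "match": [("route-origin", "rip")], "set": {"cost": 10}}]

# Constructed import filter: drop private prefixes (match any), re-cost RIP routes, permit the rest.
FILTER = [
    {"name": "drop-private", "type": "any",
     "match": [("nlri", "10.0.0.0/8"), ("nlri", "172.16.0.0/12"), ("nlri", "192.168.0.0/16")],
     "action": "deny"},
    {"name": "RouteRule", "match": [("route-origin", "rip")], "set": {"cost": 10}},
    {"name": "permit-rest", "match": [], "action": "permit"},
]

# Constructed routes.
RIP_ROUTE = {"nlri": "198.51.100.0/24", "route-origin": "rip", "cost": 3}
OSPF_ROUTE = {"nlri": "203.0.113.0/24", "route-origin": "ospf", "cost": 20}
PRIVATE_RIP = {"nlri": "192.168.5.0/24", "route-origin": "rip", "cost": 3}

if __name__ == "__main__":
    print(evaluate_route(LAB5, RIP_ROUTE))      # ('permit', {... 'cost': 10})
    print(evaluate_route(LAB5, OSPF_ROUTE))     # ('deny', ...): no entry matched
    print(evaluate_route(FILTER, PRIVATE_RIP))  # ('deny', ...): match any caught it
```

The second line is the point to remember when a policy is attached with route-policy in or import-policy: a file with only the lab's RouteRule entry permits RIP-originated routes and silently denies every other route, because the routing-policy fallback is deny. The permit-rest entry in FILTER is what an ACL gets for free.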

Autonomous System (AS) Regular Expressions


The as-path keyword uses a regular expression string to match against the autonomous system (AS) path. The top slide on the right lists the regular expressions that can be used in the match conditions for Border Gateway Protocol (BGP) AS path and community. The bottom slide explains the usage of each regular expression character.

Examples
The following as-path statement matches AS paths that contain only (begin and end with) AS number 65535:
as-path "^65535$"
The following as-path statement matches AS paths beginning with AS number 65535, ending with AS number 14490, and containing no other AS numbers:
as-path "^65535 14490$"
The following as-path statement matches AS paths beginning with AS number 1, followed by any AS number from 2 to 8, and ending with AS number 11, 13, or 15:
as-path "^1 2-8 [11 13 15]$"
The following as-path statement matches AS paths beginning with AS number 111 and ending with any AS number from 2 to 8:
as-path "111 [2-8]$"
The following as-path statement matches AS paths beginning with AS number 111 and ending with any additional AS number, or beginning and ending with AS number 111:
as-path "111.?"

Figure 92: Routing Policy Match Conditions

Figure 93: Autonomous System (AS) Regular Expressions


Routing Policy Action Statements


The slide on the right shows a list of routing policy action statements.

Applying Routing Policies


To apply a routing policy, use the command appropriate to the client. Different routing protocols support different ways to apply policies, but there are some generalities.

Policies applied with commands that use the keyword import-policy control the routes imported to the protocol from the switch routing table. The following are examples for the BGP and RIP protocols:

#configure bgp import-policy [<policy-name> | none] #configure rip import-policy [<policy-name> | none]

Commands that use the keyword route-policy control the routes advertised or received by the protocol. For BGP and RIP, here are some examples:

#configure bgp neighbor [<remoteaddr> | all] {address-family [ipv4-unicast | ipv4-multicast]} route-policy [in | out] [none | <policy>]
#configure bgp peer-group <peer-group-name> route-policy [in | out] [none | <policy>]
#configure rip vlan [<vlan-name> | all] route-policy [in | out] [<policy-name> | none]

Other examples of commands that use route policies include: #configure ospf area <area-identifier> external-filter [<policy-map> |none] #configure ospf area <area-identifier> interarea-filter [<policy-map> | none] #configure rip vlan [<vlan-name> | all] trusted-gateway [<policy-name> | none]

To remove a routing policy, use the none option in the command.

Figure 94: Routing Policy Action Statements

Figure 95: Applying Routing Policies


Hands-on Lab #5: Routing Policies


Switch Configuration:

1 Create a rule entry using any text editor:

entry RouteRule {
    if match all {
        route-origin rip;
    } then {
        cost 10;
    }
}

Save the file as RouteRule.txt.

2 TFTP the file to the switch, renaming it RouteRule.pol, and verify the policy file syntax and integrity:

#tftp 192.168.1.2 -g -l RouteRule.pol -r RouteRule.txt
#check policy RouteRule

3 Apply the RouteRule.pol policy file to all RIP VLANs. The policy is referenced by name, without the .pol extension:

#configure rip vlan all route-policy in RouteRule

ExtremeWare Security Fundamentals Student Guide Rev. 3.0

Module 5 Denial of Service Attacks and Countermeasures

Student Objectives
Upon completion of this module, the successful student is able to:

Describe DoS attacks
Describe two common DoS attack modes
Describe at least five different types of DoS attacks
Describe DoS countermeasures
Describe IP broadcast forwarding
Configure IP broadcast forwarding
Describe DoS-Protect
Sequence the steps required to implement DoS-Protect
Configure DoS-Protect
Verify DoS-Protect
Troubleshoot DoS-Protect
Identify appropriate actions to take during a DoS attack

Figure 1: Student Objectives

Figure 2: Student Objectives (cont)


What are DoS Attacks?


A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed and rendered inoperative so that legitimate requests for service cannot succeed. In its simplest form, a Denial of Service attack is indistinguishable from normal heavy traffic. Some operations in any switch or router are more costly than others: although normal traffic is not a problem, exception traffic must be handled by the switch's CPU in software. Packets that the switch processes in CPU software include:

Learning new traffic (BlackDiamond 10K switch only; the BlackDiamond 8800 family of switches and the Summit X450 switch learn in hardware)
Routing and control protocols including ICMP, BGP, OSPF, STP, EAPS, ESRP, and so forth
Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, and so forth)
Other packets directed to the switch that must be discarded by the CPU

If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets requiring costly processing.

What are DoS Attacks?
- Objective: to overwhelm systems with bogus or defective network traffic
- Potential to take network systems offline
- Can cost companies millions in damages

Figure 3: What are DoS Attacks?

Two Common DoS Attack Modes


Asymmetrical
Some DoS attacks can be executed with limited resources against a large, sophisticated web site network. This type of attack is sometimes called an asymmetric attack because a hacker with an old PC and a slow modem attempts to crash an advanced computer system that has lots of resources. One of the earlier defenses against asymmetrical DoS attacks was to monitor the traffic volume from a single source and to block the traffic if a suspiciously high volume was detected.

Distributed
Distributed DoS attack tools were written to evade asymmetrical countermeasures. Using a wide array of individual computers that have been maliciously hijacked, DoS traffic from many different IP addresses simultaneously targets the intended system. Freely available distributed DoS attack tools include Trinoo, Tribal Flood Network, mstream, and Stacheldraht.

Figure 4: Two Common DoS Attack Modes (Asymmetrical, Distributed)

Different Types of DoS Attacks


Teardrop Attacks (aka Newtear, Syndrop, Boink, Jolt)
Teardrop attacks target the IP mechanisms involved in the reassembly of fragmented packets. In normal fragmentation, each fragment looks like the original IP packet except for an offset field that specifies which bytes of the original packet it carries, enabling the receiving system to reassemble all of the data in the proper sequence. A teardrop attack creates fragments with false, overlapping offset fields that make it impossible to reassemble the altered fragments, causing the receiving PC system to crash or reboot.

Oversized Packet Attacks (aka Ping of Death)
Sometimes referred to as ping of death attacks, oversized packet attacks exploit a known bug in some TCP/IP implementations by sending packets that exceed the maximum of 65,535 bytes allowed by the IP specification. When it first emerged, this type of attack caused crashes, hangs, or reboots in affected systems. However, most operating system vendors have now addressed this issue.

Martian Attacks
Martian attacks use invalid IP source and/or destination addresses to overwhelm a router; data packets accumulate in the router, causing the system to crash or reboot.

Other Common DoS Attacks
- UDP Flood attacks take advantage of UDP mechanisms by creating bogus UDP connections. When a connection is established between two UDP services, each of which produces output, the combined effect can produce a high number of packets, resulting in DoS to legitimate users.
- Octopus attacks attempt to open as many TCP sockets on a remote host as it will allow, aiming to overwhelm the remote host.
- Winfreeze attacks take advantage of a device that allows ICMP redirect packets to modify its routing table.

DoS Attack Types
- SYN-ACK Attack or TCP-SYN Flooding
- Teardrop Attacks
- Smurf Attacks
- Oversized Packet Attacks
- Martian Attacks
- Other

Figure 5: DoS Attack Types

TCP-SYN Flood example


SYN-ACK Attacks or TCP-SYN Flooding (aka Syn4, Neptune, Land, Stream)
These attacks exploit the TCP/IP three-way handshake. By only initiating the SYN and never responding to the PC's SYN-ACK, the attacker forces the server to store huge numbers of packets in its backlog queue. This creates data overflow and may disable the PC's CPU.

TCP SYN Flood example

1. TCP SYN from 10.10.10.1 to 10.10.10.2
2. Change address from 10.10.10.1 to 20.20.20.1
3. TCP SYN, ACK from 10.10.10.2 to 10.10.10.1 (no longer there)
4. TCP SYN from 20.20.20.1 to 10.10.10.2
5. Change address from 20.20.20.1 to 30.30.30.1
6. TCP SYN, ACK from 10.10.10.2 to 20.20.20.1 (no longer there)

Figure 6: TCP-SYN Flood Example

DoS Attack Countermeasures


DoS attack countermeasures should be deployed at all levels across the inter-networking infrastructure, including taking specific actions at the LAN level and addressing issues at the network transport level. At the LAN level, system administrators can take a number of preventive measures to guard against the disabling effects of DoS attacks. These preventive measures range from maintaining solid overall administrative and security procedures to implementing specific safeguards targeted at countering each of the various types of DoS attacks. While it is virtually impossible to completely eliminate spoofing of IP packets, system administrators can effectively reduce the risk of internally launched spoofed IP attacks by instituting filters that restrict inbound packets carrying source addresses from within the internal network. In addition, administrators can reduce the risk of being used as an intermediary in spoofed IP DoS attacks by installing filters that restrict outbound IP packets whose source addresses do not originate within the internal network.

Basic DoS Countermeasures

- Ingress address filtering: At the router level, ensure that incoming packets from the local network segment have an IP address that matches the local network's IP NETID. Although this scheme will not eliminate all address spoofing attacks, it cuts down the vast majority of them.
- Prevent broadcast amplification: Block any inbound traffic addressed to the broadcast address, stopping broadcast amplification.
- Turn off unused TCP and UDP services: Most systems come with more services enabled by default than are actually used. By shutting off unnecessary services, those ports are no longer accessible from the outside. This protection must be applied on a server-by-server basis.
- ACL entries: Prevent IP address spoofing.
- IP broadcast forwarding: Disable this feature.
- ExtremeWare XOS DoS-Protect feature: Enable this feature.

Network Transport Level Issues

While actions taken by LAN administrators are key to laying the groundwork for preventing and combating DoS attacks, they must also be supplemented by comprehensive countermeasures instituted at the network transport level. These network transport issues fall into two categories:

- Actively policing data flows to identify DoS attacks and protect users and subnets against their impacts
- Protecting the infrastructure's equipment to ensure resiliency against DoS attacks

Figure 7: DoS Attack Countermeasures (ingress address filtering, prevent broadcast amplification, turn off unused TCP and UDP services, ACL entries, verify IP broadcast forwarding is disabled, DoS-Protect)

IP Broadcast Forwarding Control


Because some DoS attacks are based on routing policies, it is important to maintain tight controls over basic policy disciplines such as IP broadcast forwarding controls and the ICMP and IP response options.

IP Forwarding Broadcast
IP forwarding must first be enabled before IP broadcast forwarding can be enabled. When IP broadcast forwarding is enabled, your network can be used as a broadcast amplification site that floods other networks with DoS attacks such as the smurf attack. Controlling ICMP distribution on a per-type, per-VLAN basis restricts the success of tools that can be used to find application, host, or topology information. To disable IP broadcast forwarding, enter the following command:
disable ipforwarding broadcast

ICMP Unreachable Message
When a packet cannot be forwarded to its destination because of an unreachable route or host, an unreachable message is generated. If the switch is overwhelmed with unreachable routes or hosts, generating the unreachable messages will slow down switch CPU performance. By default, the generation of ICMP network unreachable messages is enabled. To disable the generation of ICMP network unreachable messages (type 3, code 0) and host unreachable messages (type 3, code 1), enter the following command:
disable icmp unreachables {vlan <name>}

ICMP Port Unreachable Message
When a TCP or UDP request is made to the switch and no application is waiting for the request, or an access policy denies the request, an ICMP port unreachable message (type 3, code 3) is generated. To disable the generation of ICMP port unreachable messages (type 3, code 3), enter the following command:
disable icmp port-unreachables {vlan <vlan name>}

ICMP Useredirects
To disable the modification of route table information when an ICMP redirect message is received, enter the following command (the default setting is disabled):
disable icmp useredirects

IP Broadcast Forwarding Control

- To disable IP broadcast forwarding: disable ipforwarding broadcast
- To disable the generation of ICMP network unreachable (type 3, code 0) and host unreachable (type 3, code 1) messages: disable icmp unreachables {vlan <name>}
- To disable the generation of ICMP port unreachable messages (type 3, code 3): disable icmp port-unreachables {vlan <name>}
- To disable the modification of route table information when an ICMP redirect message is received: disable icmp useredirects {vlan <name>}

Figure 8: IP Broadcast Forwarding Control

DoS-Protect
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue. When a flood of CPU-bound packets reaches the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, these headers are analyzed and a hardware access control list (ACL) is created to limit the flow of these packets to the CPU. This ACL remains in place to provide relief to the CPU. Periodically the ACL expires, and if the attack is still occurring, it is re-enabled. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue other services. DoS Protection sends a notification when the notify threshold is reached. You can also specify some ports as trusted ports, so that DoS protection is not applied to those ports.

DoS-Protect
- Tracks CPU-demanding traffic
- Activated when the specified threshold is reached
- Dynamically creates an ACL on the fly

Figure 9: DoS-Protect

How CPU-DoS-Protect Works


CPU DoS Protection is designed to prevent degraded CPU performance by attempting to characterize the problem and filter out the offending traffic so that other network functions can continue.
1. A flood of packets is received by the switch; CPU DoS Protection counts the incoming packets.
2. As the suspicious packet count nears the specified threshold, packet headers are saved.
3. When the threshold is reached, the saved headers are analyzed.
4. A hardware access control list (ACL) is created to limit the flow of these packets to the CPU; the ACL remains in place to provide relief to the CPU.
5. Periodically the ACL expires, and if the attack is still occurring, it is re-enabled.
6. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue normally.

Figure 10: How CPU-DoS-Protect Works

Implementing DoS-Protect
To properly implement DoS-Protect, you need to enable the simulated mode, configure the DoS-Protect parameters, and then enable DoS-Protect.

Simulated Mode
A conservative and safe way to deploy DoS Protection is to use the simulated mode first to determine the traffic thresholds. In simulated mode, DoS Protection is enabled but no ACL is generated, so no traffic is discarded and legitimate traffic is not blocked. Examples of legitimate events that generate heavy CPU-bound traffic include:

- Route loss: during this period, the switch may receive lots of routing updates that cause heavy traffic.
- Configuration or image upload/download.

To enable simulated mode, enter the following command:
enable dos-protect simulated

Implementing DoS-Protect
1. Learn your network data streams:
enable dos-protect simulated
2. Configure the DoS-Protect parameters:
configure dos-protect type l3-protect alert-threshold <packets>
configure dos-protect type l3-protect notify-threshold <packets>
3. Configure trusted ports (optional):
configure dos-protect trusted ports <ports>
4. Enable DoS-Protect:
enable dos-protect

Figure 11: Implementing CPU-DoS-Protect

Configuring Denial of Service Protection


Specifying DoS Protect Parameters
After enabling DoS protection, the switch counts the packets handled by the CPU and periodically evaluates whether to send a notification and/or create an ACL to block offending traffic. You can configure a number of the values used by DoS protection if the default values are not appropriate for your situation. The values that you can configure are:

- interval: How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
- alert threshold: The number of packets received in an interval that will generate an ACL (default: 4000 packets)
- notify threshold: The number of packets received in an interval that will generate a notice (default: 3500 packets)
- ACL expiration time: The amount of time, in seconds, that the ACL will remain in place (default: 5 seconds)

To configure the interval at which the switch checks for DoS attacks, enter the following command:
configure dos-protect interval <seconds>
To configure the alert threshold, enter the following command:
configure dos-protect type l3-protect alert-threshold <packets>
To configure the notification threshold, enter the following command:
configure dos-protect type l3-protect notify-threshold <packets>
To configure the ACL expiration time, enter the following command:
configure dos-protect acl-expire <seconds>

Configuring Trusted Ports


Traffic from trusted ports is ignored when DoS protect counts the packets to the CPU. If you know that a machine connected to a certain port on the switch is a safe, "trusted" machine, and that you will not get a DoS attack from that machine, the port it is connected to can be configured as a trusted port, even though a large amount of traffic passes through this port. To configure the trusted ports list, enter the following command:
configure dos-protect trusted-ports [ports [<ports> | all] | add-ports [<ports-to-add> | all] | delete-ports [<ports-to-delete> | all] ]

Enabling or Disabling DoS Protection

To enable or disable DoS protection, enter the following commands:
enable dos-protect
disable dos-protect

DoS-Protect Parameters Default Values
- Interval: 1 second
- Alert threshold: 4000 packets
- Notify threshold: 3500 packets
- ACL expiration time: 5 seconds

Figure 12: DoS-Protect Parameters Default Values

Verifying DoS-Protect Settings


Displaying CPU-DoS-Protect Settings
To display the CPU-DoS-Protect settings and the status of the CPU-DoS-Protect generated access list, enter the following command:
show dos-protect {detail}

Figure 13: Displaying DoS-Protect Settings

Troubleshooting CPU-DoS-Protect
Useful Information from the Show cpu-dos-protect Command
During an attack, you can view the status of cpu-dos-protect with the show cpu-dos-protect command. This command shows how long the ACL will remain active. Once the timer expires, the ACL is deleted and monitoring of slow path packets continues. If the attack is ongoing and the flow of slow path packets remains constantly above the threshold, the ACL is recreated over and over again.

Determining the IP Destination Address


During a DoS attack the CPU is flooded with slow path packets. CPU-DoS-Protect detects the flood exceeding the set threshold. The ACL requires an IP address as its destination, so the switch saves the packets and uses the source port combined with the destination IP of the majority of the packets (it needs 33% of the last 50 packets to go to the same IP address) before it considers that IP address the destination of the attack.
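The DoS-Protect evaluation loop described in this module (packet counting, notify and alert thresholds, header saving, ACL creation and expiry, trusted ports, simulated mode) together with the 33%-of-the-last-50-packets destination rule above, as an added Python model that is not Extreme Networks code: the class and method names, the packet tuples, and the use of the notify threshold as the point where headers start being saved are assumptions of this example.

```python
"""Added example (not Extreme Networks code): a model of the DoS-Protect
evaluation loop. Defaults follow the module (interval 1 s, alert 4000,
notify 3500, acl-expire 5 s); the destination rule follows the
troubleshooting text (33% of the last 50 saved packets to one IP).
Names, packet tuples and the notify threshold as the point where headers
start being saved are assumptions of this example."""
from collections import Counter, deque


class DosProtect:
    def __init__(self, interval=1, alert_threshold=4000, notify_threshold=3500,
                 acl_expire=5, trusted_ports=(), simulated=False):
        self.interval = interval                  # seconds between evaluations
        self.alert_threshold = alert_threshold    # packets/interval that create an ACL
        self.notify_threshold = notify_threshold  # packets/interval that log a notice
        self.acl_expire = acl_expire              # seconds a generated ACL stays in place
        self.trusted_ports = set(trusted_ports)   # traffic from these ports is not counted
        self.simulated = simulated                # count and notify, but never install an ACL
        self.headers = deque(maxlen=50)           # last 50 saved (port, src_mac, dst_ip) headers
        self.acl = None                           # {"port", "dst", "expires"} while a block is active
        self.events = []                          # what the switch would log

    def to_cpu(self, packets):
        """Apply the hardware ACL: packets it matches never reach the CPU."""
        if self.acl is None:
            return list(packets)
        return [p for p in packets
                if not (p[0] == self.acl["port"] and p[2] == self.acl["dst"])]

    def evaluate(self, now, cpu_packets):
        """One evaluation interval at time `now` (seconds). `cpu_packets` are the
        (ingress_port, src_mac, dst_ip) tuples that reached the CPU in this
        interval. Returns the number of packets counted."""
        # An expired ACL is removed first; if the flood is still present it is
        # re-created below (the "periodically expires, re-enabled" behaviour).
        if self.acl is not None and now >= self.acl["expires"]:
            self.events.append(("timeout", self.acl["port"], self.acl["dst"]))
            self.acl = None
        counted = [p for p in cpu_packets if p[0] not in self.trusted_ports]
        count = len(counted)
        if count >= self.notify_threshold:
            self.events.append(("notice", count))
            # the count is nearing the alert threshold: save headers for analysis
            self.headers.extend(counted[-50:])
        if count >= self.alert_threshold and self.acl is None:
            guess = self.best_guess()
            if guess is not None and not self.simulated:
                port, dst = guess
                self.acl = {"port": port, "dst": dst, "expires": now + self.acl_expire}
                self.events.append(("create_acl", port, dst))
        return count

    def best_guess(self):
        """Choose the attack destination: the IP that at least 33% of the last 50
        saved headers went to, plus the ingress port that carried most of them.
        Returns (port, dst_ip), or None when no destination dominates."""
        if not self.headers:
            return None
        dst, n = Counter(h[2] for h in self.headers).most_common(1)[0]
        if n * 100 < 33 * len(self.headers):
            return None
        port = Counter(h[0] for h in self.headers if h[2] == dst).most_common(1)[0][0]
        return port, dst


def run(dp, schedule):
    """Drive the model: `schedule` is a list of packet lists, one per interval,
    offered to the switch. Returns the per-interval counts of packets that
    reached the CPU after the hardware ACL (if any) was applied."""
    counts = []
    for i, packets in enumerate(schedule):
        counts.append(dp.evaluate(i * dp.interval, dp.to_cpu(packets)))
    return counts


if __name__ == "__main__":
    # Constructed flood: 4100 CPU-bound packets per second from port 1:1 to one IP.
    flood = [("1:1", "00:00:5e:00:53:01", "192.0.2.10")] * 4100
    model = DosProtect()
    print(run(model, [flood] * 7))   # the ACL blocks intervals 1-5, expires, is re-created
    print(model.events)
```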

Local Syslog File


The syslog facility in the switch receives these messages when logging is turned on. Local logging records the messages with a maximum of 1000 entries, applying FIFO rules. To view the content of locally logged messages, enter the following command:
show log

Remote Syslog File


You can also configure the switch to use your PC workstation as a syslog server. Install 3Com's 3CDaemon on your PC workstation to serve as the syslog server. After starting the 3CDaemon program on the PC workstation and selecting the syslog server option, configure the switch to add the PC workstation as a syslog server by entering the following commands:
configure syslog add <ip address pc> local7
enable syslog

NOTE
There are many third-party syslog utilities that help analyze and organize syslog files. Syslog analysis tools allow you to search and analyze the data you specify. For example, you can search for just the CPU-DoS-Protect related log entries.

Troubleshooting dos-protect
show log
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29

Figure 14: Troubleshooting CPU-DoS-Protect
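An added Python parser for the DOSprotect log lines shown in the troubleshooting figure (not Extreme Networks code): it turns the four lines from the figure into structured events and a summary of blocked port/destination pairs, suspected origins and the peak packets-to-CPU count, which is the kind of filtering the NOTE above describes; the regular expressions are assumptions fitted to those lines.

```python
"""Added example (not Extreme Networks code): parse DOSprotect syslog lines
into events and summarize an attack. SAMPLE_LOG holds the four lines from
the troubleshooting figure; the regular expressions are assumptions fitted
to them."""
import re

SAMPLE_LOG = """\
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29
"""

# date, time, <severity:component>, then the DOSprotect message body
HEADER_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}\.\d{2}) "
    r"<(?P<severity>\w+):(?P<component>\w+)> (?P<msg>DOSprotect.*)$")
NOTICE_RE = re.compile(r"raw packets to cpu: (?P<raw>\d+) dropped in software: (?P<dropped>\d+)")
ACL_RE = re.compile(r"(?P<action>create|remove) ACL block from PhysPorts (?P<port>\S+) to (?P<dst>\S+)")
GUESS_RE = re.compile(r"best guess origin: physport (?P<port>\S+) mac (?P<mac>\S+) to (?P<dst>\S+)")


def parse_line(line):
    """Return a dict describing one DOSprotect log line, or None for other lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m["date"] + " " + m["time"], "severity": m["severity"]}
    msg = m["msg"]
    if (n := NOTICE_RE.search(msg)):
        event.update(kind="notice", raw_to_cpu=int(n["raw"]), dropped=int(n["dropped"]))
    elif (a := ACL_RE.search(msg)):
        event.update(kind="acl", action=a["action"], port=a["port"], dst=a["dst"])
    elif (g := GUESS_RE.search(msg)):
        event.update(kind="guess", port=g["port"], mac=g["mac"], dst=g["dst"])
    else:
        event.update(kind="other", msg=msg)
    return event


def summarize(log_text):
    """Walk the log in order: track blocks still active at the end, the full
    block history, the suspected origins and the peak raw packets-to-CPU count."""
    summary = {"peak_packets_to_cpu": 0, "active_blocks": set(),
               "block_history": [], "suspects": []}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["kind"] == "notice":
            summary["peak_packets_to_cpu"] = max(summary["peak_packets_to_cpu"], e["raw_to_cpu"])
        elif e["kind"] == "acl":
            key = (e["port"], e["dst"])
            summary["block_history"].append((e["time"], e["action"], key))
            if e["action"] == "create":
                summary["active_blocks"].add(key)
            else:
                summary["active_blocks"].discard(key)   # timeout: the ACL was removed
        elif e["kind"] == "guess":
            summary["suspects"].append((e["port"], e["mac"], e["dst"]))
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```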

Actions to Take When Under DoS Attack


1. Verify CPU-DoS-Protect is enabled by viewing the log file: show log
2. Check CPU utilization. The tbgTask parameter is the idle task; a tbgTask value of 96% means the CPU load is 4%: top
3. Check your IPARP statistics for incomplete IPARP entries: show iparp
4. Check your ICMP statistics; rapid increments of ICMP messages can indicate an attack: show ipstat
5. Check your ACL hit count to help determine the attack direction: show access-list(-monitor)

References: DoS Threats and Countermeasures

- http://www.cert.org: Computer Emergency Response Team website maintained by Carnegie Mellon University.
- http://www.rfc-editor.org/: Request for Comments (RFC) documents are accessible here.

Figure 15: Actions to Take When Under DoS Attack (check DoS-Protect is enabled, CPU utilization, IPARP statistics, ICMP statistics, ACL hit count)

Summary
You should now be able to:

- Describe DoS attacks
- Describe two common DoS attack modes
- Describe at least five different types of DoS attacks
- Describe DoS countermeasures
- Describe IP broadcast forwarding
- Configure IP broadcast forwarding
- Describe DoS-Protect
- Sequence the steps required to implement DoS-Protect
- Configure DoS-Protect
- Verify DoS-Protect
- Troubleshoot DoS-Protect
- Identify appropriate actions to take during a DoS attack

Figure 16: Summary

Figure 17: Summary

Module 6 Port and MAC Address Security


Student Objectives
Upon completion of this module, the successful student is able to:

- Describe the Forwarding Database (FDB)
- Identify four FDB types
- List two types of port address security
- Describe limit-learning
- Configure limit-learning
- Identify the configuration guideline for implementing limit-learning on ESRP ports
- Troubleshoot limit-learning
- Describe lock-learning
- Configure lock-learning
- Troubleshoot lock-learning
- Disable MAC address learning
- List guidelines for enabling or disabling egress flooding
- Enable and disable egress flooding on the BlackDiamond 8800 family of switches and the Summit X450 only
- Enable and disable egress flooding on the BlackDiamond 10K switch only
- Configure a Layer 3 blackhole

Figure 1: Student Objectives

Figure 2: Student Objectives (cont)

MAC-Based Security
MAC-based security allows you to control the way the FDB is learned and populated. By managing entries in the FDB, you can block and control packet flows on a per-address basis. MAC-based security allows you to limit the number of dynamically learned MAC addresses allowed per virtual port. You can also lock the FDB entries for a virtual port, so that the current entries will not change and no additional addresses can be learned on the port. With ACLs, you can also prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN.

Forwarding Database (FDB)


The switch maintains a database of all MAC addresses received on all of its ports. The database (bridge table) is called the Forwarding Database (FDB). The switch uses the information in the FDB to decide whether a frame should be forwarded or filtered. Frames destined for devices that are not in the FDB are flooded to all ports within the VLAN. Each FDB entry consists of:

- the MAC address of the device
- an identifier for the port on which it was received
- an identifier for the VLAN to which the device belongs

Figure 3: MAC-Based Security

Figure 4: Forwarding Database (FDB entry components: MAC address, port identifier, VLAN identifier)

FDB Entry Types


FDB entries may be dynamic or static, and the entries may be permanent or non-permanent. The following describes the types of entries that can exist in the FDB:

Dynamic entries: A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information. The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the database are dynamic, except for certain entries created by the switch at boot-up. Entries in the database are removed (aged out) if, after a period of time (the aging time), the device has not transmitted. This prevents the database from becoming full of obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. Dynamic entries are flushed and relearned (updated) when any of the following take place:

- A VLAN is deleted.
- A VLAN identifier (VLANid) is changed.
- A port mode is changed (tagged/untagged).
- A port is deleted from a VLAN.
- A port is disabled.
- A port enters the blocking state.
- A port goes down (link down).

A non-permanent dynamic entry is initially created when the switch identifies a new source MAC address that does not yet have an entry in the FDB. The entry may then be updated as the switch continues to encounter the address in the packets it examines. These entries are identified by the d flag in show fdb output. Dynamic entries age; that is, a dynamic entry is removed from the FDB (aged out) if the device does not transmit for a specified period of time (the aging time). This aging process prevents the FDB from becoming full of obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. The aging time is configurable.

Static entries: A static entry does not age and does not get updated through the learning process. A static entry is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries. A locked static entry is an entry that was originally learned dynamically but has been made static (locked) using the MAC address lock-down feature. It is identified by the s, p, and l flags in show fdb output and can be deleted using the delete fdbentry command. If the FDB entry aging time is set to zero, all entries in the database are considered static, non-aging entries. This means that the entries do not age, but they are still deleted if the switch is reset.

NOTE
On the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch, if the same MAC address is detected on another virtual port that is not defined in the static FDB entry for the MAC address, that address is handled as a blackhole entry.

Permanent entries: Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. Permanent entries must be created by the system administrator through the CLI. Permanent entries are static, meaning they do not age or get updated.

Figure 5: FDB Entry Types (dynamic, non-permanent dynamic, static, locked static, permanent)

Port Address Security


The switch maintains a database of all media access control (MAC) addresses received on all of its ports. The switch uses the information in this database to decide whether a frame should be forwarded or filtered. MAC address security allows you to control the way the Forwarding Database (FDB) is learned and populated.

- Limit-learning: Limit the number of dynamically learned MAC addresses allowed per virtual port.
- Lock-learning: Lock the FDB entries of a virtual port, so that the FDB entries will not change and no additional addresses can be learned.

A virtual port is a switch index ID for the combination of a physical port and a VLAN. Port address security is not foolproof, because it is possible for end users to alter their PC's MAC address and assume the MAC-level identity of another computer (known as spoofing).

NOTE
You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.

Figure 6: Port Address Security (Limit-Learning, Lock-Learning)

Limiting Dynamic MAC Addresses


You can set a predefined limit on the number of dynamic MAC addresses that can participate in the network. After the FDB reaches the MAC limit, all new source MAC addresses are blackholed at both the ingress and egress points. These dynamic blackhole entries prevent the MAC addresses from learning and responding to Internet Control Message Protocol (ICMP) and address resolution protocol (ARP) packets. The limit-learning feature lets the network administrator control the number of MAC addresses per physical port who are part of a VLAN (called a virtual port). By limiting the number of MAC addresses per virtual port, you can:

block rogue networks from being added to the corporate backbone
prevent a user from adding their own devices (e.g., printer, IP phone) to the network
keep foreign switches and illegal wireless snooping devices off the infrastructure

NOTE

Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.



Limits the number of dynamically learned MAC addresses per virtual port
After a specified number n of hosts, subsequently added MAC addresses are blackholed

[Figure: Summit switch front panel with an FDB containing MAC 1, MAC 2 ... MAC n (the configured limit); further MAC addresses are not allowed and are blackholed.]


Figure 7: Limiting Dynamic MAC Addresses


Limit-Learning: How Does it Work?


When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and egress points. This prevents these MAC addresses from learning and responding to Internet control message protocol (ICMP) and address resolution protocol (ARP) packets.

Once the configured MAC limit is reached


switch still learns new MAC addresses
switch creates a blackhole FDB entry; the flag is Bb (B - Egress Blackhole, b - Ingress Blackhole)
blackholed packets drop in the hardware ASIC
FDB aging timer applies

For ports that have a learning limit in place, the following traffic will still flow to the port:

Packets destined for permanent MAC addresses and other non-blackholed MAC addresses
Broadcast traffic from non-blackholed MAC addresses
EDP traffic

Dynamically learned entries still get aged, and can be cleared. When entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again.



Before the limit is reached, dynamic FDB entries are created
Once the limit is reached, blackholed FDB entries are created
Non-blackholed traffic still flows to the port


Figure 8: Limit-Learning: How Does it Work?


Configuring Limit-Learning
Adding MAC Address Limit-Learning
To limit the number of dynamic MAC addresses that can participate in the network, enter the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
This command specifies the number of dynamically learned MAC entries allowed for these ports in this VLAN. The range is 0 to 500,000 addresses. When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and egress points. This prevents these MAC addresses from learning and responding to ICMP and ARP packets. Dynamically learned entries still get aged and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again. Permanent static and permanent dynamic entries can still be added and deleted using the create fdbentry and disable flooding port commands. These override any dynamically learned entries. For ports that have a learning limit in place, the following traffic still flows to the port:

Packets destined for permanent MAC addresses and other non-blackholed MAC addresses
Broadcast traffic
EDP traffic

Traffic from the permanent MAC and any other non-blackholed MAC addresses still flows from the virtual port.

Removing MAC Address Limit-Learning


To remove the learning limit, type the following command:
configure ports <portlist> vlan <vlan name> unlimited-learning

Creating and Deleting FDB entries


Limit-learning only applies to dynamic FDB entries; permanent FDB entries are NOT affected by the MAC limit. Permanent static and permanent dynamic entries can still be created and deleted using the respective commands:
create fdbentry
delete fdbentry
These commands also apply to any dynamically learned FDB entries.


Figure 9: Adding MAC Address Limit-Learning


Figure 10: Limit-Learning Commands


Limiting MAC Addresses with ESRP


If you configure a MAC address limit on VLANs that have ESRP enabled, you should add an additional back-to-back link (with no MAC address limit on those ports) between the ESRP-enabled switches. Doing so prevents ESRP PDUs from being dropped due to MAC address limit settings. In the diagram on the slide, Switch 1 and Switch 2 are ESRP-enabled switches, while Switch 3 is an ESRP-aware (regular Layer 2) switch. Configuring a MAC address limit on all ports of Switch 3 might prevent ESRP communication between Switch 1 and Switch 2. To resolve this, you should add a back-to-back link between Switch 1 and Switch 2.


[Figure: Limiting MAC Addresses on ESRP Ports. Switch 1 (VLAN 1 Master) and Switch 2 are the ESRP-enabled switches; Switch 3 connects to each through host-attach (H/A) ports and has a workstation attached; a direct link between Switch 1 and Switch 2 is labelled "No address limit on Host Attach Ports".]

Figure 11: Limiting MAC Addresses with ESRP


Lock-Learning
In addition to limit-learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent (per port per VLAN basis) any additional learning.

Lock-Learning Enabled
FDB entries (within the specified VLAN and ports) are converted to locked static entries and the learning limit is set to zero, so that no new entries can be learned.

All new dynamic source MAC addresses are blackholed. Locked entries do not get aged, but can be cleared. Dynamic entries active at time of lock-learning remain in the FDB after the switch is reset or a power off/on cycle occurs. Permanent static entries can still be added and deleted. Permanent dynamic entries do not override locked static entries.

For ports that have lock-learning in effect, the following traffic will still flow to the port:

Packets destined for the permanent MAC and other non-blackholed MAC addresses
Broadcast traffic from non-blackholed MAC addresses
EDP traffic

NOTE

You can either limit dynamic MAC FDB entries per VLAN/port, or lock down the current MAC FDB entries per VLAN/port, but not both.

[Figure: Summit switch with a known MAC address and an unknown MAC address. Once lock-learning is enabled, existing FDB entries are converted to locked static entries, the learning limit is set to zero, and new entries are blackholed.]

Figure 12: Lock-Learning


Configuring Lock-Learning
Adding Lock-Learning
In contrast to limiting learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent any additional learning using the lock-learning option of the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
This command causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to zero, so that no new entries can be learned. All new source MAC addresses are blackholed.

NOTE
Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.

Locked entries do not get aged, but can be deleted like a regular permanent entry. For ports that have lock-down in effect, the following traffic still flows to the port:

Packets destined for the permanent MAC and other non-blackholed MAC addresses
Broadcast traffic
EDP traffic

Traffic from the permanent MAC still flows from the virtual port.

Removing Lock-Learning
To remove MAC address lock down, type the following command:
configure ports <portlist> vlan <vlan name> unlock-learning
When you remove the lock down using the unlock-learning option, the learning limit is reset to unlimited, and all associated entries in the FDB are flushed.
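Limit-learning and lock-learning both act on the same per-virtual-port FDB, so the following Python model, an added illustration rather than anything from this guide or from ExtremeWare, shows the behaviours described in "Limit-Learning: How Does it Work?" and in the lock-learning sections together: dynamic entries are learned up to the limit, later sources become Bb blackhole entries that drop in hardware, aging frees room to learn again, lock-learning converts dynamic entries to locked static ones with a limit of zero, and unlock-learning flushes them. The 300-second aging time, the integer clock and the flag letters for dynamic and locked entries are assumptions.

```python
"""Simulated FDB for one virtual port (physical port + VLAN) implementing
limit-learning and lock-learning as described in this module.
Added illustration only, not ExtremeWare code: the clock is integer seconds
and the default aging time is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry flags as used in this model: dynamic, locked static, and
# blackhole ("Bb": B = egress blackhole, b = ingress blackhole).
DYNAMIC, LOCKED, BLACKHOLE = "d", "s", "Bb"


@dataclass
class Entry:
    flags: str
    last_seen: int


@dataclass
class VirtualPort:
    limit: Optional[int] = None          # None = unlimited-learning
    locked: bool = False                 # True after lock-learning
    aging_time: int = 300                # assumed FDB aging time, seconds
    fdb: Dict[str, Entry] = field(default_factory=dict)

    def dynamic_count(self) -> int:
        return sum(1 for e in self.fdb.values() if e.flags == DYNAMIC)

    def learn(self, mac: str, now: int) -> str:
        """Handle a frame whose source is `mac`; return the resulting FDB flags."""
        entry = self.fdb.get(mac)
        if entry is not None:
            if entry.flags != LOCKED:    # locked entries are never aged, so no refresh
                entry.last_seen = now
            return entry.flags
        over_limit = self.limit is not None and self.dynamic_count() >= self.limit
        if self.locked or over_limit:
            # Limit reached (or port locked): the switch still "learns" the
            # address, but as a blackhole entry, so its packets drop in hardware.
            self.fdb[mac] = Entry(BLACKHOLE, now)
        else:
            self.fdb[mac] = Entry(DYNAMIC, now)
        return self.fdb[mac].flags

    def forward_ok(self, mac: str) -> bool:
        """Blackholed addresses are dropped on both ingress and egress."""
        entry = self.fdb.get(mac)
        return entry is None or entry.flags != BLACKHOLE

    def age(self, now: int) -> List[str]:
        """Expire dynamic and blackhole entries idle for aging_time; return them.
        Once they are gone, new addresses can be learned up to the limit again."""
        expired = sorted(mac for mac, e in self.fdb.items()
                         if e.flags != LOCKED and now - e.last_seen >= self.aging_time)
        for mac in expired:
            del self.fdb[mac]
        return expired

    def lock_learning(self) -> None:
        """lock-learning: current dynamic entries become locked static entries
        and the learning limit becomes zero."""
        for entry in self.fdb.values():
            if entry.flags == DYNAMIC:
                entry.flags = LOCKED
        self.locked, self.limit = True, 0

    def unlock_learning(self) -> None:
        """unlock-learning: limit back to unlimited and the port's entries flushed."""
        self.locked, self.limit = False, None
        self.fdb.clear()


if __name__ == "__main__":
    # Constructed scenario: limit of 2, then a third host appears.
    vp = VirtualPort(limit=2)
    for t, mac in enumerate(["00:00:00:00:00:01", "00:00:00:00:00:02",
                             "00:00:00:00:00:03"]):
        print(mac, "->", vp.learn(mac, t))
    print("aged out at t=400:", vp.age(400))
    vp.lock_learning()
    print("after lock-learning:", {m: e.flags for m, e in vp.fdb.items()})
```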


Figure 13: Adding Lock-Learning


Figure 14: Limit-Learning Commands


Verifying MAC Security Information


MAC Security Information for a Specified VLAN
To display the MAC security information for the specified VLAN, enter the following command: show vlan <name> security

Detailed MAC Security Information for a Specified Port


To display detailed information, including MAC security information, for the specified port, enter the following command: show port <portlist> info detail


Figure 15: show vlan <name> security

Figure 16: show port <portlist> info detail



FDB Table Entries
To display the FDB table entries that match the filters, enter the following command:
show fdb {<mac_addr> {netlogin [all | mac-based]} | permanent {netlogin [all | mac-based]} | ports <port_list> {netlogin [all | mac-based]} | vlan <vlan_name> {netlogin [all | mac-based]} | stats | netlogin [all | mac-based]}
When no options are specified, the command displays all FDB entries.

Logs
To display the local switch log, enter the following command: show log {chronological} {<priority>}

Chronological: displays messages in ascending chronological order. Priority: filters the log to display messages with the selected priority or higher (more critical). Priorities include alert, critical, debug, emergency, error, info, notice, and warning.

By default, log entries that are assigned a critical or warning level remain in the log after a switch reboot. Issuing a clear log command does not remove these static entries. To remove log entries of all levels (including warning or critical), enter the following command: clear log static


Figure 17: Verifying MAC Security Information (Additional Commands)


Disabling MAC Address Learning


By default, MAC address learning is enabled on all ports. To disable learning on specific ports, enter the following command:
disable learning ports <portlist>
If MAC address learning is disabled, only broadcast traffic, EDP traffic, and packets destined to a permanent MAC address matching that port number are forwarded. Use this command in a secure environment where access is granted via permanent FDB entries per port. Disabling learning on a port causes traffic to the unlearned MAC addresses to flood (unless you disable egress flooding), because those addresses will not be present in the FDB during a destination lookup.

NOTE
On the BlackDiamond 8800 family of switches and the Summit X450 switch only, when MAC address learning is disabled, packets with unknown source MAC addresses are dropped.


Figure 18: Disabling MAC Address Learning


Disabling Egress Flooding


With ExtremeWare XOS software version 11.2, you can enable or disable egress flooding. Under default conditions, when the system does not find a match in the FDB for a unicast/multicast/broadcast MAC address in a packet received on a given port, the system forwards that frame to every port in the VLAN (known as Layer 2 flooding). However, you can enhance security and privacy, as well as improve network performance, by disabling Layer 2 egress flooding for some packets. This is particularly useful when you are working on an edge device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream forwarding.

NOTE
Disabling egress flooding can affect many protocols, such as IP and ARP among others.

Figure 18 illustrates a case where you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance. In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client's traffic by sniffing client 2's broadcast traffic; client 1 could then possibly launch an attack on client 2. However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons:

Broadcast and multicast traffic from the clients is forwarded only to the uplink port.
Any packet with an unlearned destination MAC address is forwarded only to the uplink port.
One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage.

In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2.

Guidelines for Enabling or Disabling Egress Flooding


The following guidelines apply to enabling and disabling egress flooding:

Egress flooding can be disabled on ports that are in a load-sharing group. In that situation, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port.
FDB learning is independent of egress flooding; either can be enabled or disabled independently.
Disabling unicast (or all) egress flooding to a port also stops packets with unknown MAC addresses from being flooded to that port.
Disabling broadcast (or all) egress flooding to a port also stops broadcast packets from being flooded to that port.
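To make the client 1 / client 2 example and the guidelines above concrete, here is an added Python model of the VLAN forwarding decision (not switch code and not from this guide): three ports, all flooding disabled on the two client ports, learning left enabled, and each flooding class handled separately as the guidelines describe. IGMP snooping and load-sharing groups are not modelled, and the MAC addresses are constructed.

```python
"""Layer 2 forwarding decision for one VLAN with per-port egress flooding
control, modelled on the ISP-access example in this module (ports 1 and 2
are client ports, port 3 is the uplink).  Added illustration, not switch
code; MAC addresses are constructed."""
from typing import Dict, Set

UNICAST, MULTICAST, BROADCAST = "unicast", "multicast", "broadcast"
ALL_CAST = {UNICAST, MULTICAST, BROADCAST}


def frame_class(dst_mac: str) -> str:
    """Classify by destination MAC: broadcast, group (I/G bit set), or unicast."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return BROADCAST
    return MULTICAST if int(dst_mac.split(":")[0], 16) & 1 else UNICAST


class Vlan:
    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb: Dict[str, int] = {}          # learned MAC -> port
        # Default: all egress flooding kinds enabled on every port.
        self.flooding: Dict[int, Set[str]] = {p: set(ALL_CAST) for p in self.ports}

    def disable_flooding(self, kind: str, port: int) -> None:
        """disable flooding [all_cast | broadcast | multicast | unicast] port <port>"""
        self.flooding[port] -= ALL_CAST if kind == "all_cast" else {kind}

    def enable_flooding(self, kind: str, port: int) -> None:
        """enable flooding [all_cast | broadcast | multicast | unicast] port <port>"""
        self.flooding[port] |= ALL_CAST if kind == "all_cast" else {kind}

    def forward(self, ingress: int, src_mac: str, dst_mac: str) -> Set[int]:
        """Return the set of egress ports for a frame received on `ingress`.
        FDB learning is independent of flooding, so the source is learned
        even on ports where flooding is disabled."""
        self.fdb[src_mac] = ingress
        kind = frame_class(dst_mac)
        if kind == UNICAST and dst_mac in self.fdb:
            out = self.fdb[dst_mac]            # known destination: targeted delivery
            return set() if out == ingress else {out}
        # Unknown unicast, multicast or broadcast would normally be flooded to
        # every other port in the VLAN; a port with egress flooding disabled
        # for this class of frame is left out.
        return {p for p in self.ports if p != ingress and kind in self.flooding[p]}


if __name__ == "__main__":
    vlan = Vlan([1, 2, 3])
    vlan.disable_flooding("all_cast", 1)
    vlan.disable_flooding("all_cast", 2)
    # Client 1's ARP broadcast reaches only the uplink, never client 2.
    print(vlan.forward(1, "00:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"))
```

Note that with all_cast disabled on the access ports, a broadcast arriving from the uplink reaches neither client, which is the protocol impact the NOTE above warns about.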


Upstream Forwarding or Disabling Egress Flooding Example


Figure 19: Guidelines for Enabling or Disabling Egress Flooding


Figure 20: Guidelines for Enabling or Disabling Egress Flooding


Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
You can enable or disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets, on the ports of the BlackDiamond 8800 family of switches (formerly known as Aspen) or the Summit X450 switch. Disabling multicast egress flooding does not affect packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets with static FDB entries are forwarded according to the FDB entry.

Enabling Egress Flooding


You enable egress flooding for these switches using the following command: enable flooding [all_cast | broadcast | multicast | unicast] port [<port_list> | all]

Disabling Egress Flooding


To disable flooding for these switches, enter the following command: disable flooding [all_cast | broadcast | multicast | unicast] port [<port_list> | all]


Figure 21: Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only


Disabling Egress Flooding on the BlackDiamond 10K Switch Only


You must enable or disable egress flooding for all packets on the specified port or ports. You cannot specify broadcast, unicast, or multicast packets; the egress flooding command applies to all packets. Disabling multicast egress flooding does not affect packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets are not flooded. Issue the following command to enable egress flooding on the BlackDiamond 10K switch:
enable flooding all_cast port [<port_list> | all]

To disable egress flooding on the BlackDiamond 10K switch, issue this command:
disable flooding all_cast port [<port_list> | all]

NOTE
When you disable egress flooding on the BlackDiamond 10K switch, you also turn off broadcasting.


Figure 22: Enabling and Disabling Egress Flooding on the BlackDiamond 10K Switch Only


Displaying Learning and Flooding Settings


To display the status of MAC learning and egress flooding, enter the following command:
show ports {mgmt | <port_list>} information {detail}

NOTE
The BlackDiamond 10K switch has an additional flag: p - Load Sharing Algorithm, port-based.


QB_Mariner.4 > show port 3:1 info
Port   Diag  Flags        Link   Link  Num  Num   Num    Jumbo  QOS      Load
                          State  UPS   STP  VLAN  Proto  Size   profile  Master
================================================================================
3:1    P     Em------e--  ready  0     0    1     1      9216
================================================================================
Flags : a - Load Sharing Algorithm address-based, D - Port Disabled,
        e - Extreme Discovery Protocol Enabled, E - Port Enabled,
        f - Flooding Enabled, g - Egress TOS Enabled, j - Jumbo Frame Enabled,
        l - Load Sharing Enabled, m - MAC Learning Enabled, n - Ingress TOS Enabled,
        o - Dot1p Replacement Enabled, P - Software redundant port(Primary),
        q - Background QOS Monitoring Enabled, R - Software redundant port(Redundant),
        s - diffserv Replacement Enabled, v - Vman Enabled,
        f - Unicast Flooding Enabled, M - Multicast Flooding Enabled,
        B - Broadcast Flooding Enabled

Figure 23: Displaying Learning and Flooding Settings
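Checking the Flags column by eye does not scale beyond a few ports. The following added parser (not from the guide) reads constructed output in the layout above, collects the flag letters per port, and reports ports where MAC learning or unicast/multicast/broadcast flooding is still enabled; the column layout and the reading of f as unicast flooding are assumptions taken from the sample and its legend.

```python
"""Parse the Flags column of 'show ports <port_list> information' output and
report ports whose MAC-learning / egress-flooding state does not match the
hardened state (learning off, flooding off).  Added example, not from the
guide; SAMPLE is constructed in the layout shown above, and flag meanings
follow the legend printed with the command (f read as unicast flooding)."""
import re
from typing import Dict, List, Set

FLAG_MEANING = {
    "E": "port enabled", "D": "port disabled",
    "m": "MAC learning enabled", "e": "EDP enabled",
    "f": "unicast flooding enabled", "M": "multicast flooding enabled",
    "B": "broadcast flooding enabled", "l": "load sharing enabled",
    "j": "jumbo frame enabled",
}
PORT_RE = re.compile(r"^\d+(?::\d+)?$")          # "7" or "3:1"
FLAGS_RE = re.compile(r"^[A-Za-z-]{8,}$")        # letter/dash field, e.g. Em------e--

# Constructed output (not a real capture) in the layout shown above.
SAMPLE = """\
Port   Diag   Flags         Link    Link   Num   Num    Num    Jumbo   QOS       Load
                            State   UPS    STP   VLAN   Proto  Size    profile   Master
==================================================================================
3:1    P      Em------e--   ready   0      0     1      1      9216
3:2    P      E-------e--   ready   0      0     1      1      9216
3:3    P      EmfMB---e--   active  0      0     1      1      9216
==================================================================================
Flags : (legend as printed by the switch)
"""


def parse_port_info(text: str) -> Dict[str, Set[str]]:
    """Return {port: set of flag letters} for every port row in the output."""
    ports: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not PORT_RE.match(tokens[0]):
            continue                                  # header, separator, legend
        flags = next((t for t in tokens[1:] if FLAGS_RE.match(t)), None)
        if flags is not None:
            ports[tokens[0]] = set(flags.replace("-", ""))
    return ports


def audit(ports: Dict[str, Set[str]],
          expect_learning: bool = False,
          expect_flooding: bool = False) -> Dict[str, List[str]]:
    """List, per port, the settings that deviate from the expected state.
    With the defaults this finds ports where 'disable learning' or
    'disable flooding' has not been applied."""
    findings: Dict[str, List[str]] = {}
    for port, flags in sorted(ports.items()):
        issues = []
        if "m" in flags and not expect_learning:
            issues.append(FLAG_MEANING["m"])
        if not expect_flooding:
            issues += [FLAG_MEANING[x] for x in "fMB" if x in flags]
        if issues:
            findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_port_info(SAMPLE)).items():
        print(port, "->", ", ".join(issues))
```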


Layer 3 Blackholes
Blackholes may be configured at Layer 3. At Layer 3, the blackhole address is stored in the routing table. All traffic destined for a configured blackhole IP address is silently dropped and no Internet Control Message Protocol (ICMP) message is generated.

Blackhole entries are:


treated like permanent entries in the event of a switch reset or power off/on cycle
never aged out of the forwarding database

Configuring a Layer 3 Blackhole


To configure a Layer 3 blackhole for a specific IP address, enter the following command:
configure iproute add blackhole [<ipNetmask> | <ipaddress> <mask>] {vr <vrname>} {multicast-only | unicast-only}

Configuring a Layer 3 Default Blackhole


A default blackhole route is for discarding traffic to unknown destinations. The default blackhole route's origin is b or blackhole and the gateway IP address for this route is 0.0.0.0. To add a default Layer 3 blackhole route, enter the following command:
configure iproute add blackhole {ipv4} default {vr <vrname>} {multicast-only | unicast-only}

Deleting Layer 3 Blackholes


To delete a blackhole address from the routing table, enter the following command:
configure iproute delete blackhole [<ipNetmask> | <ipaddress> <mask>] {vr <vrname>}
To delete a default blackhole route from the routing table, enter the following command:
configure iproute delete blackhole default {vr <vrname>}

Verifying Layer 3 Blackholes


To view Layer 3 Blackhole information, enter the following command: show iproute Blackhole routes are flagged with a B or b.
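An added Python model of the routing-table behaviour described in this section (not ExtremeWare code, and with constructed prefixes and gateways): longest-prefix match decides between forwarding, a silent drop on a specific or default blackhole route with no ICMP generated, and an unreachable destination once the default blackhole is deleted. The show() rendering only mimics the origin/prefix/gateway columns and is not the real show iproute layout.

```python
"""Routing-table lookup with Layer 3 blackhole routes, modelled on the
'configure iproute add/delete blackhole' commands in this section.
Added example, not ExtremeWare code; prefixes and gateways are constructed."""
import ipaddress
from typing import List, Optional, Tuple


class Route:
    def __init__(self, prefix: str, gateway: Optional[str] = None,
                 blackhole: bool = False):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.gateway = gateway        # blackhole routes have no gateway (shown as 0.0.0.0)
        self.blackhole = blackhole

    @property
    def origin(self) -> str:
        return "b" if self.blackhole else "s"   # origin flag, as in 'show iproute'


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_static(self, prefix: str, gateway: str) -> None:
        self.routes.append(Route(prefix, gateway))

    def add_blackhole(self, prefix: str = "0.0.0.0/0") -> None:
        """configure iproute add blackhole <ipNetmask>; no argument = default blackhole."""
        self.routes.append(Route(prefix, blackhole=True))

    def delete_blackhole(self, prefix: str = "0.0.0.0/0") -> bool:
        """configure iproute delete blackhole <ipNetmask>; True if an entry was removed."""
        net = ipaddress.ip_network(prefix, strict=False)
        before = len(self.routes)
        self.routes = [r for r in self.routes if not (r.blackhole and r.net == net)]
        return len(self.routes) != before

    def lookup(self, dst: str) -> Tuple[str, Optional[str]]:
        """Longest-prefix match.  Returns (action, gateway):
        'forward'        matched a normal route, gateway given
        'drop-silently'  matched a blackhole route; no ICMP is generated
        'unreachable'    no route at all (only possible without a default blackhole)"""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.net]
        if not matches:
            return ("unreachable", None)
        best = max(matches, key=lambda r: r.net.prefixlen)
        if best.blackhole:
            return ("drop-silently", None)
        return ("forward", best.gateway)

    def show(self) -> List[str]:
        """Simplified rendering (origin, prefix, gateway), most specific first."""
        rows = sorted(self.routes,
                      key=lambda r: (-r.net.prefixlen, int(r.net.network_address)))
        return [f"{r.origin}  {str(r.net):<18} {r.gateway or '0.0.0.0'}" for r in rows]


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add_static("10.0.0.0/8", "10.1.1.1")
    rt.add_blackhole("10.0.5.0/24")      # sink one unwanted /24 silently
    rt.add_blackhole()                    # default blackhole for unknown destinations
    for dst in ("10.2.3.4", "10.0.5.7", "192.0.2.1"):
        print(dst, rt.lookup(dst))
    print("\n".join(rt.show()))
```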


Figure 24: Layer 3 Blackholes


Figure 25: Layer 3 Blackhole Commands


Summary
You should now be able to:

Describe the Forwarding Database (FDB)
Identify four FDB types
List two types of port address security
Describe limit-learning
Configure limit-learning
Identify configuration guidelines when implementing limit-learning on ESRP ports
Troubleshoot limit-learning
Describe lock-learning
Configure lock-learning
Troubleshoot lock-learning
Disable MAC address learning
List guidelines when enabling or disabling egress flooding
Enable and disable egress flooding on the BlackDiamond 8800 family of switches and the Summit X450 only
Enable and disable egress flooding on the BlackDiamond 10K switch only
Configure a Layer 3 blackhole


Figure 26: Summary


Figure 27: Summary (cont)


Module 7 Network Login


Student Objectives
Upon completion of this module, the successful student will be able to:

Describe Network Login
List three Network Login authentication types
Identify the advantages and disadvantages of web-based authentication
Identify the advantages and disadvantages of MAC-based authentication
Identify the advantages and disadvantages of 802.1x
Describe the DHCP server authentication role
Configure a DHCP server
Describe the Network Login sequence
Describe Campus Mode
Describe ISP Mode
Describe multiple supplicant support
Identify Network Login design considerations
List methods of authenticating Network Login users
Identify RADIUS attributes used by Network Login
Configure Network Login with local database authentication
Configure Network Login with 802.1x authentication
Configure Network Login with web-based authentication
Terminate a Network Login session
Display Network Login information


Figure 1: Student Objectives


Figure 2: Student Objectives (cont)


Network Login Overview


ExtremeWare XOS 11.3 supports Network Login. Network login controls the admission of user packets into a network by allowing only MAC addresses from users that are properly authenticated. Network login is controlled on a per-port basis. When network login is enabled on a port, that port does not forward any packets until authentication takes place. Network login is capable of three types of authentication: web-based, MAC-based, and 802.1x. In addition, network login has two different modes of operation: Campus mode and ISP mode. The authentication types and modes of operation can be used in any combination. When web-based network login is enabled on a switch port, that port is placed into a non-forwarding state until authentication takes place. To authenticate, a user must open a web browser and provide the appropriate credentials. These credentials are either approved, in which case the port is placed in forwarding mode, or not approved, in which case the port remains blocked. You can initiate user logout by submitting a logout request or closing the logout window. The following capabilities are included with network login:

Web-based login using HTTP, available on each port
Web-based login using HTTPS (if you install the SSH software module that includes SSL), available on each port
Multiple supplicants for web-based, MAC-based, and 802.1x authentication on each port

Authentication Types
Authentication is handled as a web-based process, a MAC-based process, or as described in the IEEE 802.1x specification. Web-based network login does not require any specific client software and can work with any HTTP-compliant web browser. By contrast, 802.1x authentication may require additional software installed on the client workstation, making it less suitable for a user walk-up situation, such as a cyber-café or coffee shop. Extreme Networks supports a smooth transition from web-based to 802.1x authentication. MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone. If a MAC address is detected on a MAC-based enabled network login port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured Remote Authentication Dial In User Server (RADIUS) server and its configured parameters (timeout, retries, and so on) or the configured local database. The credentials used for this are the supplicant's MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is also used as the password. You can also group MAC addresses together using a mask.


Figure 3: Network Login Overview

General Network Login Commands


Enabling or disabling network login
enable netlogin [{dot1x} {mac} {web-based}]
disable netlogin [{dot1x} {mac} {web-based}]

Enabling or disabling network login on a specific port


enable netlogin ports <portlist> [{dot1x} {mac} {web-based}]
disable netlogin ports <portlist> [{dot1x} {mac} {web-based}]

Displaying network login settings



show netlogin {port <portlist> vlan <vlan_name>} {dot1x {detail}} {mac} {web-based}

Figure 4: Three Authentication Types


Authentication Advantages and Disadvantages


Web-Based Authentication

Advantages:
- Works with any operating system that is capable of obtaining an IP address using DHCP. There is no need for special client-side software; only a web browser is needed.

Disadvantages:
- The login process involves manipulation of IP addresses and must be done outside the scope of a normal computer login process. It is not tied to a Windows login. The client must bring up a login page and initiate a login.
- Supplicants cannot be re-authenticated transparently, and they cannot be re-authenticated from the authenticator side.
- This method is not as effective in maintaining privacy protection.

MAC-Based Authentication

Advantages:
- Works with any operating system or network-enabled device.
- Works silently. The user, client, or device does not know that it is being authenticated.
- Ease of management. A set of devices can easily be grouped by the vendor part of the MAC address.

Disadvantages:
- There is no re-authentication mechanism. The FDB aging timer determines the logout.
- Security is based on the MAC address of the client, so the network is more vulnerable to spoofing attacks.


Network Login Operational Modes

- Two modes: Campus, ISP
- Differences: port/VLAN movement, RADIUS server requirement, DHCP server requirement
- Possible to have Campus and ISP mode enabled ports on the same switch

Figure 5: Web-Based Authentication

Network Login Design Considerations

- All unauthenticated MACs will see broadcasts and multicasts sent to the port
- Network login must be disabled on a port before that port can be deleted from a VLAN
- Campus mode on BlackDiamond 8800 and Summit X450: VLAN display issue

Figure 6: MAC-Based Authentication


Authentication Advantages and Disadvantages


802.1x Authentication

Advantages:
- Where 802.1x is natively supported, login and authentication happen transparently.
- Authentication happens at Layer 2. It does not involve getting a temporary IP address and subsequently releasing it to obtain a permanent IP address.
- Allows periodic, transparent re-authentication of supplicants.

Disadvantages:
- 802.1x native support is available only on newer operating systems, such as Windows XP.
- 802.1x requires an Extensible Authentication Protocol (EAP)-capable RADIUS server. Most current RADIUS servers support EAP, so this is not a major disadvantage.
- Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve Public Key Infrastructure (PKI), which adds to the administrative requirements.


Network Login Design Considerations

- A network login VLAN port cannot be part of the following protocols: Ethernet Automatic Protection Switching (EAPS), Extreme Standby Router Protocol (ESRP), Spanning Tree Protocol (STP), Link Aggregation

Figure 7: 802.1x Authentication


General Network Login Commands


Enabling or Disabling Network Login on the Switch

By default, netlogin is disabled. To enable or disable network login, use one of the following commands and specify the authentication method:
enable netlogin [{dot1x} {mac} {web-based}]
disable netlogin [{dot1x} {mac} {web-based}]

Enabling or Disabling Network Login on a Specific Port

By default, all methods of network login are disabled on all ports. To enable network login on a port, type the following command to specify the ports and the authentication method:
enable netlogin ports <portlist> [{dot1x} {mac} {web-based}]

Network login must be disabled on a port before you can delete a VLAN that contains that port. To disable network login, type the following command:
disable netlogin ports <portlist> [{dot1x} {mac} {web-based}]

Configuring the Move Fail Action

If network login fails to perform a Campus mode login, you can configure the switch to authenticate the client in the original VLAN or to deny authentication even if the user name and password are correct. For example, this may occur if a destination VLAN does not exist. To configure the behavior of network login if a VLAN move fails, type the following command:
configure netlogin move-fail-action [authenticate | deny]

By default, the setting is deny. The following describes the parameters of this command if two clients want to move to a different untagged VLAN on the same port:

- authenticate: Network login authenticates the first client that requests a move and moves that client to the requested VLAN. Network login authenticates the second client but does not move that client to the requested VLAN. The second client moves to the first client's authenticated VLAN.
- deny: Network login authenticates the first client that requests a move and moves that client. Network login does not authenticate the second client.

Displaying Network Login Settings

To display the network login settings and parameters, type the following command:
show netlogin {port <portlist> vlan <vlan_name>} {dot1x {detail}} {mac} {web-based}


Multiple Supplicant Support

- Multiple clients can be individually authenticated on the same port
- Multiple clients can be connected to a single switch port through a hub or Layer 2 switch
- Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication

Figure 8: General Network Login Commands


DHCP Server Authentication Role


Dynamic Host Configuration Protocol (DHCP) is required for web-based network login because the underlying protocol used to carry the authentication request and response is HTTP. The client requires an IP address to send and receive HTTP packets. Before the client is authenticated, however, the only connection that exists is to the authenticator. As a result, the authenticator must be furnished with a temporary DHCP server to distribute the IP address. The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as dhcp-address-range and dhcp-options are configured on the netlogin VLAN. The switch can also answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If netlogin clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network, DHCP should not be enabled on the VLAN. The DHCP allocation for network login has a short duration of 10 seconds and is intended to perform web-based network login only. As soon as the client is authenticated, it is deprived of this address. The client must then obtain an operational address from another DHCP server in the network. DHCP is not required for 802.1x, because 802.1x uses only Layer 2 frames (EAPOL), nor for MAC-based network login.

NOTE
The built-in DHCP server is only meant to provide temporary DHCP leases used in network login; it is not meant to replace a fully dedicated DHCP server.

Enabling and Disabling DHCP Server

DHCP is enabled on a per-port, per-VLAN basis. To enable or disable DHCP on a port in a VLAN, use one of the following commands:
enable dhcp ports <portlist> vlan <vlan_name>
disable dhcp ports <portlist> vlan <vlan_name>

Setting the DHCP Lease Timer

To set how long the IP address lease assigned by the server exists, enter the following command:
configure vlan <vlan_name> dhcp-lease-timer <lease-timer>


Three Authentication Types

- Web-based
- MAC-based
- 802.1x

Figure 9: DHCP Server Authentication Role

Web-Based Authentication

Advantages:
- Works with any operating system that has a DHCP client

Disadvantages:
- Client must bring up a login page and initiate a login
- Supplicants cannot be re-authenticated transparently
- Not effective in maintaining privacy protection

Figure 10: DHCP Server Commands


DHCP Server Commands


To configure the range of IP addresses assigned by the DHCP server, enter the following command:
configure vlan <vlan_name> dhcp-address-range <ipaddress1> - <ipaddress2>

To remove the address range information, enter the following command:
unconfigure vlan <vlan_name> dhcp-address-range

To set the default gateway, Domain Name Server (DNS) addresses, or Windows Internet Naming Service (WINS) server, enter the following command:
configure vlan <vlan_name> dhcp-options [default-gateway | dns-server | wins-server] <ipaddress>

Removing DHCP Server Configurations

To remove the default gateway, DNS server addresses, and WINS server information for a particular VLAN, enter the following command:
unconfigure vlan <vlan_name> dhcp-options

To remove all the DHCP information for a particular VLAN, enter the following command:
unconfigure vlan <vlan_name> dhcp

You can clear selected entries, or all entries, from the DHCP address allocation table. You would use this command to troubleshoot IP address allocation on the VLAN. To clear entries, enter the following command:
clear vlan <vlan_name> dhcp-address-allocation [[all {offered | assigned | declined | expired}] | <ipaddress>]

Displaying DHCP Information

Displaying DHCP Configuration

To display the DHCP configuration, including the DHCP range, DHCP lease timer, network login lease timer, DHCP-enabled ports, IP address, MAC address, and time assigned to each end device, enter the following command:
show dhcp-server {vlan <vlan_name>}

The next two commands were retained for compatibility with earlier versions of ExtremeWare. To view only the address allocation of the DHCP server on a VLAN, enter the following command:
show vlan <vlan_name> dhcp-address-allocation

To view only the configuration of the DHCP server on a VLAN, enter the following command:
show vlan <vlan_name> dhcp-config


Network Login Sequence for Web Based Authentication

[Diagram: the switch runs a DHCP server, a RADIUS client, and a web server; an external RADIUS server and an external DHCP server complete the picture. Steps shown: DHCP request; switch port is placed in temporary VLAN; temporary IP address; start web browser; request username/password; provide username/password; check username/password; allow forwarding on port and assign VLAN; DHCP release; DHCP request.]

Figure 11: DHCP Server Commands


Web Based Network Login Sequence


Network login can be broken down and examined in a sequential fashion once you understand the basics of the feature.

1. Network login has been enabled on a switch port. The switch detects a connection on the port, but that port is placed in a non-forwarding mode until authentication takes place. No packets get past the switch in the meantime, preventing DoS attacks and other abuses from entering the network.
2. The client PC requires an IP address. On powering up, the client issues a DHCP request.
3. The switch responds as a temporary DHCP server, providing a temporary IP address with a short DHCP lease time.
4. To authenticate, the client user must open a web browser.
5. The switch sends a login web page.
6. The user enters a username and a password.
7. The switch, configured as a RADIUS client, forwards the client credentials in a request to the RADIUS server.
8. When the RADIUS server validates the client, the switch unblocks the port and implements the VLAN assignment and possibly an access policy.
9. Because the network login switch (acting as the temporary DHCP server) set a very short DHCP lease timer, the temporary TCP/IP information is released.
10. This causes the client to send a new DHCP request. The client is now on the appropriate VLAN and gets the required TCP/IP information from the real DHCP server.

When authentication by the RADIUS server fails, the port remains in the non-forwarding state. Three failed login attempts will disable the port for a configured length of time.


Network Login: Example of Components

[Screen captures: the base URL (initial login page), shown at 1) login attempt; the logout window, shown at 2) successful login; and the redirect URL description and redirect URL (loaded after successful login), shown at 3) redirect after authentication.]

Figure 12: Network Login Sequence

DHCP Server Authentication Role

- Required for web-based network login
- Provides a temporary IP address
- Not required for 802.1x

Figure 13: Network Login: Example of Components


Network Login Operational Modes


Network login supports two modes of operation, Campus and ISP. Campus mode is intended for mobile users who tend to move from one port to another and connect at various locations in the network. ISP mode is meant for users who connect through the same port and VLAN each time (the switch functions as an ISP). In Campus mode, the clients are placed into a permanent VLAN following authentication with access to network resources. For wired ports, the port is moved from the temporary to the permanent VLAN. In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets. You do not explicitly configure the mode of operation; rather, the presence of any Extreme Networks Vendor Specific Attribute (VSA) that has a VLAN name or VLAN ID (any VLAN attribute) in the RADIUS server determines the mode of operation. If a VLAN attribute is present, it is assumed to be Campus mode. If a VLAN attribute is not present, it is assumed to be ISP mode.

Campus and ISP modes compared

Feature                            Campus Mode   ISP Mode
Port / VLAN movement               Yes           No
VSA or VLAN ID in RADIUS server    Yes           No
RADIUS server                      Required      Optional, can use local switch database
DHCP server                        Required      Optional, can use static IP addresses

Multiple Supplicant Support


An important enhancement over the IEEE 802.1x standard is that ExtremeWare XOS allows multiple clients (supplicants) to be individually authenticated on the same port. This feature makes it possible for two or more client stations to be connected to the same port, with some being authenticated while others are not. A port's authentication state is the logical OR of the individual MACs' authentication states. In other words, a port is authenticated if any of its connected clients is authenticated. Multiple clients can be connected to a single switch port through a hub or Layer 2 switch. Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication. On the BlackDiamond 10K switch, multiple supplicants are supported in Campus mode only if all supplicants move to the same VLAN. On the BlackDiamond 8800 family of switches and the Summit X450 switch, multiple supplicants are supported in Campus mode if you configure and enable netlogin MAC-based VLANs. Netlogin MAC-based VLANs are not supported on the BlackDiamond 10K switch or on 10 Gigabit Ethernet ports.


DHCP Server Commands

Enabling DHCP server:
enable dhcp ports <portlist> vlan <vlan_name>

Disabling DHCP server:
disable dhcp ports <portlist> vlan <vlan_name>

Setting the DHCP lease timer:
configure vlan <vlan_name> dhcp-lease-timer <lease-timer>

Figure 14: Network Login Operational Modes

DHCP Server Commands

DHCP address range:
configure vlan corp dhcp-address-range 10.201.26.150 - 10.201.26.160

DHCP options (default gateway, DNS server, and WINS server):
configure vlan corp dhcp-options default-gateway 10.201.26.1
configure vlan corp dhcp-options dns-server 10.0.1.1
configure vlan corp dhcp-options wins-server 10.0.1.1

Displaying DHCP configuration:
show dhcp-server {vlan <vlan_name>}

Figure 15: Multiple Supplicant Support


Network Login Design Considerations


When designing and configuring network login, consider the following limitations:

- All unauthenticated MACs will see broadcasts and multicasts sent to the port if even a single MAC is authenticated on that port.
- Network login must be disabled on a port before that port can be deleted from a VLAN.
- In Campus mode on the BlackDiamond 8800 family of switches and the Summit X450 switch, with untagged VLANs and the netlogin ports mode configured as port-mode, after the port moves to the destination VLAN, the original VLAN for that port is not displayed.
- A network login VLAN port should not be a part of the following protocols: Ethernet Automatic Protection Switching (EAPS), Extreme Standby Router Protocol (ESRP), Spanning Tree Protocol (STP), Link Aggregation.


Web-Based Authentication

Requires the configuration of:
- Switch DNS name
- Default redirect page
- Session refresh
- Logout privilege
- If the redirect URL is https, Extreme Networks XOS requires the SSH software module

Figure 16: Network Login Design Considerations

Web-Based Authentication Commands

Configuring the base URL:
configure netlogin base-url <url>

Configuring the redirect page:
configure netlogin redirect-page <url>

Configuring session refresh:
enable netlogin session-refresh {<minutes>}

Configuring logout privilege:
enable netlogin logout-privilege

Figure 17: Network Login Design Considerations


Authenticating Users
Network login uses two methods to authenticate users trying to access the network:

- RADIUS servers
- Local database

All three network login protocols, web-based, MAC-based, and 802.1x netlogin, support RADIUS authentication. Only web-based and MAC-based netlogin support local database authentication.

Vendor Specific Attributes (VSA) Types Used By Network Login


You can create two types of user accounts on your RADIUS server for authenticating network login users: netlogin-only enabled and netlogin-only disabled. A netlogin-only disabled user can log in using network login and can also access the switch using Telnet or SSH. A netlogin-only enabled user can only log in using network login and cannot access the switch using the same login.

For information on how to use and configure your RADIUS server, please refer to the documentation that came with your RADIUS server. Add the following line to the RADIUS server users file for netlogin-only disabled users:
Extreme:Extreme-Netlogin-Only = Disabled

Add the following line to the RADIUS server users file for netlogin-only enabled users:
Extreme:Extreme-Netlogin-Only = Enabled

Table 1 contains the Vendor Specific Attribute (VSA) definitions for web-based, MAC-based, and 802.1x network login. The Extreme Networks Vendor ID is 1916.

Table 1: VSA Definitions for Web-based, MAC-based, and 802.1x network login

- Extreme: Netlogin-Extended-VLAN (vendor type 211, String, sent in Access-Accept): Name or ID of the destination VLAN after successful authentication (must already exist on the switch). NOTE: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN.
- Extreme: Netlogin-VLAN-Name (vendor type 203, String, sent in Access-Accept): Name of the destination VLAN after successful authentication (must already exist on the switch).
- Extreme: Netlogin-VLAN-ID (vendor type 209, Integer, sent in Access-Accept): ID of the destination VLAN after successful authentication (must already exist on the switch).
- Extreme: Netlogin-URL (vendor type 204, String, sent in Access-Accept): Destination web page after successful authentication.
- Extreme: Netlogin-URL-Desc (vendor type 205, String, sent in Access-Accept): Text description of the network login URL attribute.
- Extreme: Netlogin-Only (vendor type 206, Integer, sent in Access-Accept): Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of 1 (enabled) indicates that the user can only authenticate via network login. A value of zero (disabled) indicates that the user can also authenticate via other methods.


Web-Based Network Login Configuration Example

Figure 18: Authenticating Users

Web-Based Authentication User Login

1. Set up the user for DHCP client
2. Plug into the port that has web-based network login enabled
3. Log in to Windows
4. Release IP settings and renew the DHCP lease
5. Launch a browser and open any URL
6. The user is redirected to the specified URL; click on Network Login
7. Enter username and password

Figure 19: VSA Types Used By Network Login


RADIUS Attributes Used By Network Login


Table 2 contains the standard RADIUS attributes used by network login.

Table 2: Standard RADIUS attributes used by network login

- IETF: Tunnel-Type (attribute value 64, Integer, sent in Access-Accept): Specifies the tunneling protocol that is used.
- IETF: Tunnel-Medium-Type (attribute value 65, Integer, sent in Access-Accept): Specifies the transport medium used when creating a tunnel for protocols (for example, VLANs) that can operate over multiple transports.
- IETF: Tunnel-Private-Group-ID (attribute value 81, String, sent in Access-Accept): Specifies the VLAN ID of the destination VLAN after successful authentication; used to derive the VLAN name.

The NetLogin-Url and NetLogin-Url-Desc attributes are used in the case of web-based login as the page to use for redirection after a successful login. Other authentication methods ignore these attributes. The other attributes are used in the following order to determine the destination VLAN to use:

1. Extreme: Netlogin-Extended-VLAN (VSA 211)
2. Extreme: Netlogin-VLAN-Name (VSA 203)
3. Extreme: Netlogin-VLAN-ID (VSA 209)
4. IETF: Tunnel-Private-Group-ID, representing the VLAN tag as a string, but only if IETF: Tunnel-Type == VLAN (13) and IETF: Tunnel-Medium-Type == 802 (6)

If none of the previously described attributes is present, ISP mode is assumed, and the client remains in the configured VLAN.
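As an added example (not code from the guide or from ExtremeWare XOS), the following Python applies the precedence above to the attributes of a decoded Access-Accept, and then models the move-fail-action described under "Configuring the Move Fail Action" for a second client on an already-moved untagged port. The attribute numbers are the ones in Tables 1 and 2; the function names, the dict-of-attributes input and the 'T'/'U'/'*' prefix used to encode VSA 211 are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union

# Added example, not ExtremeWare XOS code. Attribute numbers come from the guide's
# Table 2 (standard RADIUS) and Table 1 (Extreme Networks VSAs, Vendor ID 1916).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
VSA_NETLOGIN_VLAN_NAME, VSA_NETLOGIN_URL, VSA_NETLOGIN_URL_DESC = 203, 204, 205
VSA_NETLOGIN_ONLY, VSA_NETLOGIN_VLAN_ID, VSA_NETLOGIN_EXTENDED_VLAN = 206, 209, 211

Vlan = Union[str, int]   # a VLAN name or a VLAN tag


@dataclass(frozen=True)
class NetloginDecision:
    mode: str                    # "campus" (a VLAN attribute was present) or "isp"
    vlan: Optional[Vlan]         # destination VLAN; None in ISP mode
    tagged: Optional[bool]       # True/False when VSA 211 states it, None otherwise
    source: str                  # attribute that decided the VLAN, useful for audit logging
    netlogin_only: bool          # Netlogin-Only == 1: user may not log in via telnet/SSH/console
    redirect_url: Optional[str]  # Netlogin-URL, honoured by web-based login only


def resolve_access_accept(attrs: Dict[int, Union[str, int]]) -> NetloginDecision:
    """Pick the destination VLAN in the order the guide gives: VSA 211, then 203, then 209,
    then Tunnel-Private-Group-ID (only with Tunnel-Type 13 and Tunnel-Medium-Type 6).
    attrs maps attribute number -> already-decoded value (int or str), an assumption here.
    No VLAN attribute at all means ISP mode: the port and VLAN stay as configured."""
    vlan: Optional[Vlan] = None
    tagged: Optional[bool] = None
    source = "none"
    if VSA_NETLOGIN_EXTENDED_VLAN in attrs:
        # Assumed encoding for VSA 211 in this example: a leading 'T' (tagged), 'U' (untagged)
        # or '*' (port default) followed by the VLAN name or tag; the guide only says the
        # attribute carries the VLAN plus whether the move is tagged or untagged.
        raw = str(attrs[VSA_NETLOGIN_EXTENDED_VLAN])
        prefix, body = raw[:1], raw[1:]
        if prefix not in ("T", "U", "*") or not body:
            raise ValueError(f"malformed Netlogin-Extended-VLAN value {raw!r}")
        tagged = {"T": True, "U": False, "*": None}[prefix]
        vlan = int(body) if body.isdigit() else body
        source = "Netlogin-Extended-VLAN"
    elif VSA_NETLOGIN_VLAN_NAME in attrs:
        vlan, source = str(attrs[VSA_NETLOGIN_VLAN_NAME]), "Netlogin-VLAN-Name"
    elif VSA_NETLOGIN_VLAN_ID in attrs:
        vlan, source = int(attrs[VSA_NETLOGIN_VLAN_ID]), "Netlogin-VLAN-ID"
    elif (TUNNEL_PRIVATE_GROUP_ID in attrs
          and attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
          and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
        # Tunnel-Private-Group-ID carries the VLAN tag as a string, e.g. "110".
        vlan, source = int(str(attrs[TUNNEL_PRIVATE_GROUP_ID])), "Tunnel-Private-Group-ID"
    url = attrs.get(VSA_NETLOGIN_URL)
    return NetloginDecision(
        mode="campus" if vlan is not None else "isp",
        vlan=vlan, tagged=tagged, source=source,
        netlogin_only=int(attrs.get(VSA_NETLOGIN_ONLY, 0)) == 1,
        redirect_url=None if url is None else str(url),
    )


def apply_campus_move(decision: NetloginDecision, port_vlan: Vlan, moved_by_other: bool,
                      switch_vlans: Set[Vlan], move_fail_action: str = "deny") -> Tuple[bool, Vlan]:
    """Model of 'configure netlogin move-fail-action' for an untagged port.
    port_vlan is the VLAN the port is in now; moved_by_other says whether an earlier client
    already moved the port there. Returns (authenticated, VLAN the client ends up in)."""
    if decision.mode != "campus":
        return True, port_vlan                 # ISP mode: no port/VLAN movement at all
    dest = decision.vlan
    # The move fails when the destination VLAN does not exist on the switch, or when the
    # port was already moved untagged to a different VLAN for another client.
    move_fails = dest not in switch_vlans or (moved_by_other and dest != port_vlan)
    if not move_fails:
        return True, dest
    if move_fail_action == "authenticate":
        return True, port_vlan                 # authenticated, but left in the original VLAN
    return False, port_vlan                    # default "deny": rejected despite valid credentials


if __name__ == "__main__":
    # Constructed Access-Accept contents mirroring the guide's "campus" and "isp" users.
    campus = resolve_access_accept({VSA_NETLOGIN_ONLY: 0, VSA_NETLOGIN_VLAN_NAME: "corp",
                                    VSA_NETLOGIN_URL: "http://www.yahoo.com"})
    print(campus.mode, campus.vlan, campus.source)        # campus corp Netlogin-VLAN-Name
    print(resolve_access_accept({VSA_NETLOGIN_ONLY: 1}))  # ISP mode, netlogin_only=True
    guest = resolve_access_accept({VSA_NETLOGIN_VLAN_NAME: "guest"})
    vlans = {"corp", "guest", 110}
    print(apply_campus_move(guest, "corp", True, vlans))                  # (False, 'corp')
    print(apply_campus_move(guest, "corp", True, vlans, "authenticate"))  # (True, 'corp')
```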


MAC-Based Authentication

Advantages:
- Works with any operating system or network-enabled device
- Works transparently; the client does not know that it gets authenticated
- Ease of management

Disadvantages:
- No re-authentication mechanism
- Security is based on the MAC address; MAC address spoofing is possible

Figure 20: RADIUS Attributes Used By Network Login


Network Login RADIUS Extensions

- Requires support for Extreme Networks vendor specific attributes
- Extreme RADIUS, based on the Merit AAA server implementation
- Alternate 3rd-party RADIUS server, such as Steel Belted Radius

Extreme Radius Implementation Configuration Example


Network Login Radius Extensions

# NETLOGIN CAMPUS USER
campus  Password = "campus", Service-Type = login, Profile-Name = "PROFILE1"
        Filter-Id = "unlim"
        Extreme:Extreme-Netlogin-Only = Disabled
        Extreme:Extreme-CLI-Authorization = Enabled
        Extreme:Extreme-Netlogin-Vlan = "corp"
        Extreme:Extreme-Netlogin-Url = "http://www.yahoo.com"
        Extreme:Extreme-Netlogin-Url-Desc = "Yahoo Home"
# NETLOGIN ISP USER
isp     Password = "isp", Service-Type = login, Profile-Name = "PROFILE1"
        Filter-Id = "unlim"
        Extreme:Extreme-Netlogin-Only = Enabled
        Extreme:Extreme-CLI-Authorization = Enabled
        Extreme:Extreme-Netlogin-Url = "http://www.extremenetworks.com"
        Extreme:Extreme-Netlogin-Url-Desc = "Extreme Networks Home"

Figure 21: Network Login RADIUS Extensions


Local Database Authentication


You can configure the switch to use its local database for web-based and MAC-based network login authentication. 802.1x network login does not support local database authentication. Local authentication essentially mimics the functionality of the remote RADIUS server locally. This method of authentication is useful in the following situations:

- If both the primary and secondary (if configured) RADIUS servers time out or are unable to respond to authentication requests.
- If no RADIUS servers are configured.
- If the RADIUS server used for network login authentication is disabled.

If any of the above conditions are met, the switch checks for a local user account and attempts to authenticate against that local account. For local authentication to occur, you must configure the switch's local database with a user name and password for network login. Beginning with ExtremeWare XOS 11.3, you can also specify the destination VLAN to enter upon successful authentication.

NOTE
If you have a BlackDiamond 8800 family switch or a Summit X450 switch, you can also use local database authentication in conjunction with netlogin MAC-based VLANs.


MAC-Based Authentication Commands

Associating a MAC address to a specific port:
configure netlogin add mac-list [<mac> {<mask>} | default] {encrypted} {<password>} {ports <port_list>}

Removing MAC addresses:
configure netlogin delete mac-list [<mac> {<mask>} | default]

Displaying the MAC address list:
show netlogin mac-list

Figure 22: Local Database Authentication
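As an added example (not code from the guide or from ExtremeWare XOS), the following Python shows how the MAC-based credentials described in the module overview are derived (user name is the MAC in ASCII, password is the configured password or else the MAC itself) and how mac-list entries like the ones above, with a mask and an optional port restriction, select that password. The entry data structure, the most-specific-entry-wins rule and the sample addresses are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Added example, not ExtremeWare XOS code.
ALL_BITS = 0xFFFFFFFFFFFF     # exact-match mask for a 48-bit MAC address
OUI_MASK = 0xFFFFFF000000     # ff:ff:ff:00:00:00, the vendor part of the address


def parse_mac(text: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return a 48-bit int."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", text):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def mac_to_ascii(mac: int) -> str:
    """Canonical colon-separated lower-case form: the ASCII user name the switch presents."""
    return ":".join(f"{(mac >> (8 * (5 - i))) & 0xFF:02x}" for i in range(6))


@dataclass(frozen=True)
class MacListEntry:
    """One entry as created by 'configure netlogin add mac-list'. mask selects the address
    bits that are compared (mask 0 models the 'default' entry); an empty ports set means
    the entry applies on any netlogin port. This structure is an assumption of the example."""
    mac: int
    mask: int = ALL_BITS
    password: Optional[str] = None
    ports: FrozenSet[str] = frozenset()

    def matches(self, mac: int, port: str) -> bool:
        return (mac & self.mask) == (self.mac & self.mask) and (not self.ports or port in self.ports)


def oui_entry(prefix: str, password: Optional[str] = None) -> MacListEntry:
    """Group one vendor's devices by the first three octets, e.g. "00:04:96"."""
    return MacListEntry(parse_mac(prefix + ":00:00:00"), OUI_MASK, password)


def find_entry(mac_list: Iterable[MacListEntry], mac: int, port: str) -> Optional[MacListEntry]:
    """The matching entry with the most mask bits wins. That ordering is an assumption of
    this example; the guide does not say how overlapping entries are resolved."""
    candidates = [e for e in mac_list if e.matches(mac, port)]
    return max(candidates, key=lambda e: bin(e.mask).count("1"), default=None)


def radius_credentials(mac_text: str, port: str, mac_list: Iterable[MacListEntry]) -> Tuple[str, str]:
    """Credentials the switch sends for a MAC seen on a MAC-based netlogin port: user name is
    the MAC in ASCII, password is the entry's configured password, or the MAC itself when
    no password is configured. Without a password both values derive from an address the
    client chose, which is the spoofing weakness the guide lists as a disadvantage."""
    mac = parse_mac(mac_text)
    user = mac_to_ascii(mac)
    entry = find_entry(mac_list, mac, port)
    password = entry.password if entry is not None and entry.password else user
    return user, password


if __name__ == "__main__":
    # Constructed mac-list: an OUI group with a shared password, one exact entry bound to
    # port 1:3 with no password, and a 'default' entry that matches everything else.
    mac_list = [oui_entry("00:04:96", "phones"),
                MacListEntry(parse_mac("00:04:96:12:34:56"), ports=frozenset({"1:3"})),
                MacListEntry(0, 0, "catch-all")]
    for mac, port in [("00:04:96:12:34:56", "1:3"), ("00-04-96-AA-BB-CC", "1:3"),
                      ("00:04:96:12:34:56", "1:5"), ("0011.2233.4455", "2:1")]:
        print(mac, port, "->", radius_credentials(mac, port, mac_list))
```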


Configuring Local Database Authentication


Creating a Local Netlogin User Name and Password Only
To create a local netlogin user name and password, type the following command and specify the <user-name> parameter:
create netlogin local-user <user-name> {encrypted <password>} {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]]}

User names are not case-sensitive; passwords are case-sensitive. User names must have a minimum of 1 character and a maximum of 32 characters. Passwords must have a minimum of 0 characters and a maximum of 32 characters. If you use RADIUS for authentication, Extreme Networks recommends that you use the same user name and password for both local authentication and RADIUS authentication.

If you attempt to create a user name with more than 32 characters, the switch displays the following messages:
%% Invalid name detected at '^' marker.
%% Name cannot exceed 32 characters.

If you attempt to create a password with more than 32 characters, the switch displays the following message after you re-enter the password:
Password cannot exceed 32 characters

The encrypted option is used by the switch to encrypt the password. Do not use this option through the command line interface (CLI). After you enter a local netlogin user name, press [Enter]. The switch prompts you twice to enter the password.


Figure 23: Creating a Local Netlogin User Name and Password


Specifying a Destination VLAN in a Local NetLogin Account


If you configure a local netlogin account with a destination VLAN, upon successful authentication the client transitions to the permanent destination VLAN. You can specify the destination VLAN when you initially create the local netlogin account or at a later time.

Adding VLANs when Creating a Local Netlogin Account

To specify the destination VLAN when creating the local netlogin account, type the following command and specify the vlan-vsa option with the associated parameters:
create netlogin local-user <user-name> {encrypted <password>} {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]]}

Where the following is true:
- tagged: Specifies that the client be added as tagged
- untagged: Specifies that the client be added as untagged
- vlan_name: Specifies the name of the destination VLAN
- vlan_tag: Specifies the VLAN ID (tag) of the destination VLAN

The following example:
- Creates a new local netlogin user name
- Creates a password associated with the local netlogin user name
- Adds the VLAN test1 as the destination VLAN

Adding VLANs at a Later Time

To specify the destination VLAN after you have created the local netlogin account, type the following command:
configure netlogin local-user <user-name> {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]] | none]}

Where the following is true:
- tagged: Specifies that the client be added as tagged
- untagged: Specifies that the client be added as untagged
- vlan_name: Specifies the name of the destination VLAN
- vlan_tag: Specifies the VLAN ID (tag) of the destination VLAN
- none: Specifies that the VSA 211 wildcard (*) is applied, only if you do not specify tagged or untagged


Figure 24: Specifying a Destination VLAN in a Local Netlogin Account


Modifying an Existing Local Netlogin Account


After you create a local netlogin user name and password, you can update the following attributes of that account:

- Password of the local netlogin account
- Destination VLAN attributes, including: adding clients tagged or untagged, the name of the VLAN, and the VLAN ID

Updating the Local Netlogin Password

To update the password of an existing local netlogin account, type the following command:
configure netlogin local-user <user_name>

Where user_name specifies the name of the existing local netlogin account. After you enter the local netlogin user name, press [Enter]. The switch prompts you to enter a password. At the prompt, enter the new password and press [Enter]. The switch then prompts you to re-enter the password. After you complete these steps, the password has been updated.

Updating VLAN Attributes

You can add a destination VLAN, change the destination VLAN, or remove the destination VLAN from an existing local netlogin account. To make any of these VLAN updates, type the following command:
configure netlogin local-user <user-name> {vlan-vsa [[{tagged | untagged} [<vlan_name>] | <vlan_tag>]] | none]}

Displaying Local Netlogin Accounts

To display a list of local netlogin accounts on the switch, including VLAN information, type the following command:
show netlogin local-users

Deleting a Local Netlogin Account

To delete a local netlogin user name and password, type the following command:
delete netlogin local-user <user-name>


Figure 25: Displaying Local Netlogin Accounts


802.1x Authentication
802.1x authentication methods govern interactions between the supplicant (client) and the authentication server. The most commonly used methods are Transport Layer Security (TLS); Tunneled TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP. TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can issue, renew, and revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by contrast with TLS, which requires client and server certificates. With TTLS, the client can use the MD5 mode of user name/password authentication. If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server, and 802.1x client on how to set up a PKI configuration.

Interoperability Requirements
For network login to operate, the user (supplicant) software and the authentication server must support common authentication methods. Not all combinations provide the appropriate functionality.

Supplicant Side
The supported 802.1x clients (supplicants) are the Windows 2000 SP4 native client, the Windows XP native client, and Meetinghouse AEGIS. A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer authentication requires a certificate installed in the computer certificate store, and user authentication requires a certificate installed in the individual user's certificate store. By default, the Windows XP machine performs computer authentication as soon as the computer is powered on, or at link-up when no user is logged into the machine. User authentication is performed at link-up when the user is logged in. Windows XP also supports guest authentication, but this is disabled by default. Refer to the relevant Microsoft documentation for further information. The Windows XP machine can be configured to perform computer authentication at link-up even if a user is logged in.

Authentication Server Side


The RADIUS server used for authentication must be EAP-capable. Consider the following when choosing a RADIUS server:

Types of authentication methods supported on RADIUS, as mentioned previously.
Need to support VSAs. Parameters such as Extreme-Netlogin-Vlan-Name (destination VLAN for port movement after authentication) and Extreme-NetLogin-Only (authorization for network login only) are returned as VSAs.
Need to support both EAP and traditional user name/password authentication. These are used by network login and switch console login respectively.

Figure 26: 802.1x Authentication

802.1x Network Login Configuration Example


In the following sample configuration, any lines marked (Default) represent default settings and do not need to be explicitly configured.

The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:

#RADIUS Server Setting, in this example the user name is eaptest
eaptest Auth-Type := EAP, User-Password == "eaptest"
        Session-Timeout = 120,
        Termination-Action = 1

Figure 27: 802.1x Network Login Configuration Example

Configuring Guest VLANs


802.1x authentication supports the concept of guest VLANs. A guest VLAN provides limited or restricted network access if a supplicant does not respond to the 802.1x authentication requests sent by the switch. You configure a guest VLAN only on netlogin ports with 802.1x enabled; movement to a guest VLAN is not supported on netlogin ports with MAC-based or web-based authentication. 802.1x must be the only authentication method enabled on the port for movement to the guest VLAN. A port always moves untagged into the guest VLAN. With a guest VLAN configured, if a supplicant does not have 802.1x enabled and does not respond to 802.1x authentication requests sent by the switch, the supplicant moves to the guest VLAN. Upon entering the guest VLAN, the supplicant gains limited network access. You configure the amount of network access granted to clients in the guest VLAN. If a supplicant responds to 802.1x authentication requests, the supplicant gains network access based on its credentials.

NOTE
The supplicant does not move to a guest VLAN if it fails authentication after an 802.1x exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1x authentication request.

Guest VLAN scenario


Suppose you have a meeting that includes company employees and visitors from outside the company. In this scenario, your employees have 802.1x-enabled supplicants (clients) but your visitors do not. By configuring a guest VLAN, when your employees log into the network, they are granted network access (based on their user credentials and 802.1x-enabled clients). However, when the visitors attempt to log into the network, they are granted limited network access because they do not have 802.1x-enabled clients. The visitors might be able to reach the Internet, but they are unable to access your network. By default, the switch uses the supplicant response timer and attempts to authenticate the supplicant every 30 seconds for a maximum of three tries. If the supplicant does not respond to the authentication requests, the supplicant moves to the guest VLAN. The number of authentication attempts is not a user-configured parameter. The port moves out of the guest VLAN if, during subsequent authentications, the port is successfully authenticated and the RADIUS server indicates a different VLAN to move to.

Figure 28: 802.1x Guest VLANs

Configuring a Guest VLAN


Enabling a Guest VLAN
To enable the guest VLAN, type the following command:
enable netlogin dot1x guest-vlan ports [all | <ports>]

Modifying the Supplicant Response Timer


To modify the supplicant response timer, type the following command and specify the supp-resp-timeout parameter:
configure netlogin dot1x timers [{server-timeout <server_timeout>} {quiet-period <quiet_period>} {reauth-period <reauth_period>} {supp-resp-timeout <supp_resp_timeout>}]
The default supplicant response timeout is 30 seconds. The number of authentication attempts is not a user-configured parameter.

Disabling a Guest VLAN


To disable the guest VLAN, type the following command:
disable netlogin dot1x guest-vlan ports [all | <portlist>]

Post-authentication VLAN Movement


Once the client has been successfully authenticated and the port has been moved to a VLAN, the client can move to a VLAN other than the one it was authenticated on. This occurs when the RADIUS server sends a message to the client telling it of the new VLAN during 802.1x re-authentication. The client remains authenticated during this transition. This occurs on both untagged and tagged VLANs. For example, suppose a client submits the required credentials for network access; however, the client is not running the current, approved anti-virus software or the client has not installed the appropriate software updates. If this occurs, the client is authenticated but has limited network access until the problem is resolved. After you update the client's anti-virus software, or install the software updates, the RADIUS server re-authenticates the client by sending ACCESS-ACCEPT messages with the accompanying VLAN attributes, thereby allowing the client to enter its permanent VLAN with full network access. This is normal and expected behavior; no configuration is necessary.

Figure 29: Configuring a Guest VLAN

Web-Based Authentication
For web-based authentication, you need to configure the switch DNS name, default redirect page, session refresh, and logout privilege. URL redirection requires the switch to be assigned a DNS name. The default name is network-access.net. Any DNS query that reaches the switch in unauthenticated mode to resolve the switch DNS name is answered by the DNS server on the switch with the IP address of the interface to which the network login port is connected.

HTTPS Support
To support https in a URL redirect, you must first download and install the separate Extreme Networks SSH software module (ssh.xmod). This additional module allows you to configure both SSH2 and SSL on the switch.

Figure 30: Web-Based Authentication

Configuring Web-Based Authentication


Configuring the Base URL
To configure the network login base URL, type the following command:
configure netlogin base-url <url>
Where <url> is the DNS name of the switch. For example, configure netlogin base-url network-access.net makes the switch send DNS responses back to the netlogin clients when a DNS query is made for network-access.net.

Configuring the Redirect Page


To configure the network login redirect page, type the following command:
configure netlogin redirect-page <url>
Where <url> defines the redirection information for users once they are logged in. You must configure a complete URL starting with http:// or https://. By default, the redirect URL value is http://www.extremenetworks.com. This redirection information is used only when the RADIUS server does not supply redirection information. For example, configure netlogin redirect-page http://www.extremenetworks.com redirects all users to this URL after they log in.

Configuring Session Refresh


To enable or disable the network login session refresh, use one of the following commands:
enable netlogin session-refresh {<minutes>}
disable netlogin session-refresh
Where <minutes> ranges from 1 - 255. The default setting is 3 minutes. The command enable netlogin session-refresh makes the logout window refresh itself at every configured time interval. Session refresh is disabled by default. When you configure the network login session refresh for the logout window, ensure that the FDB aging timer is greater than the network login session refresh timer.

Configuring Logout Privilege


To enable or disable network login logout privilege, use one of the following commands:
enable netlogin logout-privilege
disable netlogin logout-privilege
These commands turn on or off the privilege for netlogin users to log out by popping up (or not popping up) the logout window. Logout-privilege is enabled by default.

Figure 31: Web-Based Authentication Commands

Web-Based Network Login Configuration Example


The following configuration example shows both the Extreme Networks switch configuration and the RADIUS server entries needed to support the example. VLAN corp is assumed to be a corporate subnet that has connections to DNS and WINS servers, network routers, and so on. VLAN temp is a temporary VLAN created to provide connections to unauthenticated network login clients. Unauthenticated ports belong to the VLAN temp. This kind of configuration provides better security, as unauthenticated clients do not connect to the corporate subnet and are not able to send or receive any data. They have to be authenticated in order to have access to the network.

ISP Mode: Network login clients connected to ports 1:10 - 1:14, VLAN corp, will be logged into the network in ISP mode. This is controlled by the fact that the VLAN in which they reside in unauthenticated mode and the RADIUS server Vendor Specific Attribute (VSA), Extreme-Netlogin-Vlan, are the same, corp. So there will be no port movement. Also, if this VSA is missing from the RADIUS server, ISP mode is assumed.

Campus Mode: On the other hand, clients connected to ports 4:1 - 4:4, VLAN temp, will be logged into the network in Campus mode, since the port will move to the VLAN corp after getting authenticated. A port moves back and forth from one VLAN to the other as its authentication state changes.

Both ISP and Campus mode are not tied to ports but to a user profile. In other words, if the VSA Extreme:Extreme-Netlogin-Vlan represents a VLAN different from the one in which the user currently resides, then VLAN movement will occur after login and after logout. In the following example, it is assumed that campus users are connected to ports 4:1-4:4, while ISP users are logged in through ports 1:10-1:14.

The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:

#RADIUS Server Setting (VSAs) (optional)
Extreme:Extreme-Netlogin-Only = Enabled    (if no CLI authorization)
Extreme:Extreme-Netlogin-Vlan = "corp"     (destination vlan for CAMPUS mode network login)

Figure 32: Web-Based Network Login Configuration Example

Web-Based Authentication User Login


1 Set up the Windows IP configuration for DHCP.
2 Plug into the port that has web-based network login enabled.
3 Log in to Windows.
4 Release any old IP settings and renew the DHCP lease.

The explicit release/renew is required to bring the network login client machine into the same subnet as the connected VLAN. When using web-based authentication, this requirement is mandatory after every logout and before logging in again, as the port moves back and forth between the temporary and permanent VLANs. At this point, the client has its temporary IP address. In this example, the client should have obtained an IP address in the range 198.162.32.20 - 198.162.32.80.

5 Bring up the browser and enter any URL, such as http://www.123.net or http://1.2.3.4, or the switch IP address as http://<IP address>/login (where the IP address can be either the temporary or the permanent VLAN interface for Campus Mode). URL redirection redirects any URL and IP address to the network login page. This is significant where security matters most: network login users need no knowledge of the VLAN interfaces, as they can log in using any URL or IP address. URL redirection requires that the switch is configured with a DNS client. A page opens with a link for Network Login.
6 Click the Network Login link. A dialog box opens requesting a user name and password.
7 Enter the user name and password configured on the RADIUS server. After the user has successfully logged in, the user is redirected to the URL configured on the RADIUS server.

During the user login process, the following takes place:

Authentication is done through the RADIUS server. After successful authentication, the connection information configured on the RADIUS server is returned to the switch:

The permanent VLAN
The URL to be redirected to (optional)
The URL description (optional)

The port is moved to the permanent VLAN.

After a successful login has been achieved, there are several ways that a port can return to a non-authenticated, non-forwarding state:

The user successfully logs out using the logout web browser window.
The link from the user to the switch's port is lost.
There is no activity on the port for 20 minutes.
An administrator changes the port state.

NOTE
Because network login is sensitive to state changes during the authentication process, Extreme Networks recommends that you do not log out until the login process is complete. The login process is complete when you receive a permanent address.

Figure 33: Web-Based Authentication User Login

MAC-Based Authentication
MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such a security measure, for example an IP phone. If a MAC address is detected on a MAC-based enabled netlogin port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured RADIUS server and its configured parameters (timeout, retries, and so on) or the local database. The credentials used for this are the supplicant's MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is used as the password.

You can also group MAC addresses together using a mask. You can configure a MAC list or a table of MAC entries to filter and authenticate clients based on their MAC addresses. If a match is found in the table of MAC entries, authentication occurs. If no match is found in the table of MAC entries, and a default entry exists, the default is used to authenticate the client. All entries in the list are automatically sorted in longest prefix order. All passwords are stored and displayed encrypted.

Beginning with ExtremeWare XOS 11.3, you can associate a MAC address with one or more ports. By learning a MAC address, the port confirms the supplicant before sending an authorization request to the RADIUS server. This additional step protects your network against unauthorized supplicants because the port accepts only authorization requests from the MAC address learned on that port. The port blocks all other requests that do not have a matching entry.

Figure 34: MAC-Based Authentication (Authenticating Users: RADIUS servers support web-based, MAC-based, and 802.1x authentication; the local database supports web-based and MAC-based authentication)

Configuring MAC-Based Authentication


Associating a MAC Address to a Specific Port
You can configure the switch to accept and authenticate a client with a specific MAC address. Only MAC addresses that have a match for the specific ports are sent for authentication. For example, if you associate a MAC address with one or more ports, only authentication requests for that MAC address received on the port(s) are sent to the configured RADIUS server or local database. The port(s) block all other authentication requests that do not have a matching entry. This is also known as secure MAC. To associate a MAC address with one or more ports, specify the ports option when using the following command:
configure netlogin add mac-list [<mac> {<mask>} | default] {encrypted} {<password>} {ports <port_list>}
You must enable MAC-based netlogin on the switch and the specified ports. If MAC-based netlogin is not enabled on the specified port(s), the switch displays a warning message similar to the following:
WARNING: Not all specified ports have MAC-Based NetLogin enabled.

Adding and Deleting MAC Addresses


To add a MAC address to the table, type the following command:
configure netlogin add mac-list [<mac> {<mask>} | default] {encrypted} {<password>} {ports <port_list>}
To remove a MAC address from the table, type the following command:

configure netlogin delete mac-list [<mac> {<mask>} | default]

Displaying the MAC Address List


To display the MAC address table, type the following command:
show netlogin mac-list
When a client needs authentication, the best match is used to authenticate to the server. MAC-based authentication is VR aware, so there is one MAC list per VR. Assume we have a supplicant with MAC address 00:04:96:05:40:00 and the switch displays the sample table shown in the figure. The user name used to authenticate against the RADIUS server would be 000496000000, as this is the supplicant's MAC address with the configured mask applied.

Supported VSA Types (partial list)

VSA                               Vendor Type   Type
Extreme: Netlogin-Extended-VLAN   211           String
Extreme: Netlogin-VLAN-Name       203           String
Extreme: Netlogin-VLAN-ID         209           Integer
Extreme: Netlogin-URL             204           String
Extreme: Netlogin-URL-Desc        205           String
Extreme: Netlogin-Only            206           Integer

Figure 35: MAC-Based Authentication Commands

Secure MAC Configuration Example


The following configuration example shows how to configure secure MAC on your Extreme Networks switch. To configure secure MAC, do the following:

Create a VLAN used for netlogin
Configure the VLAN for netlogin
Enable MAC-based netlogin on the switch
Enable MAC-based netlogin on the ports used for authentication
Specify one or more ports to accept authentication requests from a specific MAC address

In the following example, authentication requests from MAC address:

00:00:00:00:00:10 are only accepted on ports 1:1 through 1:5
00:00:00:00:00:11 are only accepted on ports 1:6 through 1:10
00:00:00:00:00:12 are accepted on all other ports
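The MAC list behaviour described in this module (best match by mask, longest-prefix ordering, the default entry, the masked MAC doubling as user name and password) together with the secure MAC port associations of this example can be modelled in a few lines. The following Python is an added example and not Extreme Networks code; it assumes that masks are written in MAC notation (ff:ff:ff:00:00:00), that the user name is the masked address as twelve upper-case hex digits, and that a port with any associated MAC accepts only those addresses, and the table it builds is constructed from the guide's examples.

```python
"""Model of netlogin MAC-list matching and secure MAC port associations.

Added example, not Extreme Networks code. Assumptions not stated in the guide:
masks are written in MAC notation, the user name sent to RADIUS or the local
database is the masked address as twelve upper-case hex digits, and a port that
has any MAC associated with it accepts only those addresses.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

FULL_MASK = "ff:ff:ff:ff:ff:ff"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def masked_username(mac: str, mask: str) -> str:
    # "00:04:96:05:40:00" with mask ff:ff:ff:00:00:00 -> "000496000000"
    return f"{mac_to_int(mac) & mac_to_int(mask):012X}"


@dataclass(frozen=True)
class MacListEntry:
    mac: Optional[str]                       # None models the "default" entry
    mask: str = FULL_MASK
    password: Optional[str] = None           # None: the masked MAC is also the password
    ports: Optional[FrozenSet[str]] = None   # None: no port association (secure MAC off)

    def prefix_len(self) -> int:
        return bin(mac_to_int(self.mask)).count("1")

    def matches(self, mac: str) -> bool:
        if self.mac is None:
            return True
        m = mac_to_int(self.mask)
        return mac_to_int(mac) & m == mac_to_int(self.mac) & m


@dataclass(frozen=True)
class AuthRequest:
    username: str
    password: str


class MacList:
    def __init__(self, entries: Iterable[MacListEntry]):
        # Like the switch, keep the list in longest-prefix order, default entry last.
        self.entries: List[MacListEntry] = sorted(
            entries, key=lambda e: (e.mac is None, -e.prefix_len()))
        # Ports that have at least one MAC associated with them (secure MAC ports).
        self.secured_ports = frozenset(p for e in self.entries if e.ports for p in e.ports)

    def best_match(self, mac: str) -> Optional[MacListEntry]:
        return next((e for e in self.entries if e.matches(mac)), None)

    def auth_request(self, mac: str, port: str) -> Optional[AuthRequest]:
        """Credentials the switch would send for a MAC seen on a port, or None if blocked."""
        entry = self.best_match(mac)
        if entry is None:
            return None                      # no entry and no default: nothing is sent
        if entry.ports is not None and port not in entry.ports:
            return None                      # MAC is associated with other ports only
        if entry.ports is None and port in self.secured_ports:
            return None                      # secure MAC port accepts only its own MACs
        username = masked_username(mac, entry.mask)
        return AuthRequest(username, entry.password or username)


# Constructed table: the guide's secure MAC example plus an OUI-wide entry
# (mask ff:ff:ff:00:00:00) and a default entry with a configured password.
SAMPLE_MAC_LIST = MacList([
    MacListEntry(None, password="guest"),
    MacListEntry("00:04:96:00:00:00", mask="ff:ff:ff:00:00:00"),
    MacListEntry("00:00:00:00:00:10", ports=frozenset(f"1:{i}" for i in range(1, 6))),
    MacListEntry("00:00:00:00:00:11", ports=frozenset(f"1:{i}" for i in range(6, 11))),
    MacListEntry("00:00:00:00:00:12"),
])

if __name__ == "__main__":
    for mac, port in [("00:04:96:05:40:00", "2:1"), ("00:00:00:00:00:10", "1:7"),
                      ("00:00:00:00:00:12", "1:1"), ("00:e0:18:a8:c5:40", "2:1")]:
        print(mac, port, SAMPLE_MAC_LIST.auth_request(mac, port))
```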

Figure 36: Secure MAC Configuration Example

MAC-Based Network Login Configuration Example


The following configuration example shows the Extreme Networks switch configuration needed to support the MAC-based network login example.

The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:

#RADIUS Server Setting
00E018A8C540 Auth-Type := Local, User-Password == "00E018A8C540"

Figure 37: MAC-Based Network Login Configuration Example

Netlogin MAC-Based VLANs


Currently, network login allows only a single, untagged VLAN to exist on a port. This limits the flexibility for untagged supplicants because they must be in the same VLAN. Beginning with ExtremeWare XOS 11.3, the BlackDiamond 8800 family of switches and the Summit X450 switch support netlogin MAC-based VLANs. Netlogin MAC-based VLANs allow a port assigned to a VLAN to operate in a MAC-based fashion. This means that each individual untagged supplicant, identified by its MAC address, can be in a different VLAN. Netlogin MAC-based VLANs utilize VSA information from both the netlogin local database and the RADIUS server. After successfully performing the Campus mode of operation, the supplicant is added untagged to the destination VLAN. To support this feature, you must configure the netlogin port's mode of operation.

Netlogin MAC-Based VLANs Rules and Restrictions

You must configure and enable netlogin on the switch before you configure netlogin MAC-based VLANs. If you attempt to configure the port's mode of operation before enabling netlogin, the switch displays an error message similar to the following:
ERROR: The following ports do not have NetLogin enabled; 1

10 Gigabit Ethernet ports such as those on the 10G4X I/O module and the uplink ports on the Summit X450 switch do not support netlogin MAC-based VLANs. If you attempt to configure netlogin MAC-based VLANs on 10 Gigabit Ethernet ports, the switch displays an error message similar to the following:
ERROR: The following ports do not support the MAC-Based VLAN mode; 1, 2, 10

You can have a maximum of 1,024 MAC addresses per I/O module or per Summit X450 switch.

Figure 38: Netlogin MAC-Based VLANs

Local Database Authentication (slide text)
Supported by web-based and MAC-based authentication.
Occurs when both the primary and secondary RADIUS servers time out or do not respond to authentication requests, when no RADIUS servers are configured, or when the RADIUS server used for network login authentication is disabled.

Configuring Netlogin MAC-Based VLANs


Configuring the Port Mode
To support netlogin MAC-based VLANs on a netlogin port, you must configure that port's mode of operation. To specify MAC-based operation, type the following command and specify mac-based-vlans:
configure netlogin ports [all | <port_list>] mode [mac-based-vlans | port-based-vlans]
By default, the netlogin port's mode of operation is port-based-vlans. If you modify the mode of operation to mac-based-vlans and later disable all netlogin protocols on that port, the mode of operation automatically returns to port-based-vlans. When you change the netlogin port's mode of operation, the switch deletes all currently known supplicants from the port and restores all VLANs associated with that port to their original state. In addition, by selecting mac-based-vlans, you are unable to manually add or delete untagged VLANs from this port; netlogin now controls these VLANs. With netlogin MAC-based operation, every authenticated client has an additional FDB flag that indicates a translation MAC address. If the supplicant's requested VLAN does not exist on the port, the switch adds the requested VLAN.

Figure 39: Configuring Netlogin MAC-Based VLANs

Displaying Netlogin MAC-Based VLAN Information


The following commands display important information for netlogin MAC-based VLANs.

FDB Information
To view FDB entries, type the following command:
show fdb netlogin [all | mac-based-vlans]
By specifying netlogin, you see only FDB entries related to netlogin or netlogin MAC-based VLANs. The flags associated with netlogin include:

v  Indicates the FDB entry was added because the port is part of a MAC-based virtual port/VLAN combination.
n  Indicates the FDB entry was added by network login.

VLAN and Port Information


To view the VLANs that netlogin adds temporarily in MAC-based mode, type the following command:
show ports <port_list> information detail
By specifying information and detail, the output displays the temporarily added VLANs in netlogin MAC-based mode. To confirm this, review the following fields in the output of this command:

VLAN cfg: The term MAC-based appears next to the tag number.
Netlogin port mode: This output was added to display the port mode of operation. Mac based appears as the network login port mode of operation.

To view information about the ports that are temporarily added in MAC-based mode for netlogin, due to discovered MAC addresses, type the following command:
show vlan detail

By specifying detail, the output displays detailed information including the ports associated with the VLAN. The flags associated with netlogin include:

a  Indicates an authenticated network login port.
u  Indicates an unauthenticated network login port.
m  Indicates that the netlogin port operates in MAC-based mode.

Figure 40: Displaying Netlogin MAC-Based VLAN Information

Netlogin MAC-Based VLAN Example


The following example configures the netlogin MAC-based VLAN feature:

Expanding upon the previous example, you can also utilize the local database for authentication rather than the RADIUS server:
create netlogin local-user 000000000012 vlan-vsa untagged default
create netlogin local-user 000000000010 vlan-vsa untagged users12

Figure 41: Netlogin MAC-Based VLAN Example

Disconnecting Network Login Sessions


Automatic netlogin logouts occur when:

The user initiates a logout by using the Logout Pop-Up window
The user is inactive for the configured session refresh interval, if session-refresh is enabled
The physical link state changes on the user's port

CLI Network Login Logouts

Terminating a Netlogin Session
To terminate a netlogin session from the switch, enter the following command:
clear session <number>

An administrator-level account can disconnect a management session that has been established. To view active sessions on the switch, enter the following command:
show session
The show session command lists the following parameters:

The login date and time
The user name
The type of session

Terminating a Netlogin Session Using a Specific Port and VLAN

To terminate a netlogin session that uses a specific port and VLAN, enter the following command:
clear netlogin port <number> vlan <name>

Globally Disabling Netlogin

To disable the netlogin feature on the switch, enter the following command:
disable netlogin

New users are prevented from authenticating while netlogin is disabled. Users with authenticated sessions are not disconnected when netlogin is disabled, but if they log out they are prevented from logging in again. The default value is enabled.

Figure 42: Disconnecting Netlogin Sessions

Verifying Network Login


General Network Login Information
To display netlogin information, enter the following command:
show netlogin
Parameters displayed include:

Whether netlogin is enabled or disabled
Base-URL
Default redirect page
Logout privilege setting
Netlogin session-refresh setting and time

Network Login Information for a Specific Port in a VLAN

To display netlogin information for a specific port in a VLAN, enter the following command:
show netlogin ports <portlist> vlan <vlan_name>
Parameters displayed include:

Port and VLAN for which the information is displayed
Port state: Authenticated or Not Authenticated
Temporary IP assigned, if known
DHCP state: Enabled or Disabled
User name, if known
MAC address of the attached client, if known

Network Login Activity

To view netlogin activity on the switch, enter the following command:
show log

Figure 43: show netlogin

Network Login Verification

show log
05/03/2001 16:33.39 <WARN:SYST> bootprelay.c 184: bootprelay_input: Sending DHCP NAK to 00:10:a4:a9:11:3b(corp)
05/03/2001 16:33.39 <WARN:SYST> netlogin.c 792: netloginChangePortVlanAndState: Unblocking vlan corp port 9
05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Released IP 10.201.26.150
05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Vlan
05/03/2001 16:33.33 <INFO:USER> admin logged in through netlogin (00:10:a4:a9:11:3b tempip 10.201.26.150)

Figure 44: show log
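The show log lines above can be correlated into one session record per client (who logged in, with which temporary address, whether that lease was released, and which VLAN and port the client was unblocked into). The following Python is an added example, not part of the guide or of ExtremeWare; its patterns are written against the five sample lines shown above, the sample input copies those lines, and attributing the "Unblocking vlan" line to the newest login is an assumption because that line names no MAC address.

```python
"""Summarize netlogin activity from ExtremeWare 'show log' output.

Added example, not part of the student guide or ExtremeWare. show log prints
the newest entries first, so events are sorted by timestamp before they are
replayed and correlated.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One log line: "<date> <time> <SEVERITY:SUBSYSTEM> message"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d\.\d\d) <(\w+):(\w+)> (.*)$")
LOGIN_RE = re.compile(r"(?P<user>\S+) logged in through netlogin "
                      r"\((?P<mac>[0-9a-f:]{17}) tempip (?P<ip>[\d.]+)\)")
NAK_RE = re.compile(r"Sending DHCP NAK to (?P<mac>[0-9a-f:]{17})\((?P<vlan>[^)]+)\)")
UNBLOCK_RE = re.compile(r"Unblocking vlan (?P<vlan>\S+) port (?P<port>\S+)")
RELEASE_RE = re.compile(r"Released IP (?P<ip>[\d.]+)")


@dataclass
class NetloginSession:
    user: str
    mac: str
    temp_ip: str
    login_time: datetime
    temp_ip_released: bool = False  # switch released the temporary lease
    dhcp_nak_sent: bool = False     # client was told to renew after the VLAN move
    vlan: Optional[str] = None      # VLAN the port was unblocked in after login
    port: Optional[str] = None


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Split one log line into (timestamp, severity, subsystem, message)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # command echo, blank lines, and similar
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M.%S")
    return ts, m.group(2), m.group(3), m.group(4)


def netlogin_sessions(lines: List[str]) -> Dict[str, NetloginSession]:
    """Replay netlogin events oldest-first and return sessions keyed by client MAC."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second lines in log order
    by_mac: Dict[str, NetloginSession] = {}
    by_ip: Dict[str, NetloginSession] = {}
    for ts, _severity, _subsystem, msg in events:
        if (m := LOGIN_RE.search(msg)):
            session = NetloginSession(m["user"], m["mac"], m["ip"], ts)
            by_mac[session.mac] = session
            by_ip[session.temp_ip] = session
        elif (m := RELEASE_RE.search(msg)) and m["ip"] in by_ip:
            by_ip[m["ip"]].temp_ip_released = True
        elif (m := NAK_RE.search(msg)) and m["mac"] in by_mac:
            by_mac[m["mac"]].dhcp_nak_sent = True
        elif (m := UNBLOCK_RE.search(msg)):
            # Assumption: this line names no MAC, so attribute it to the newest
            # login that has not yet been placed in a VLAN.
            for session in sorted(by_mac.values(), key=lambda s: s.login_time, reverse=True):
                if session.vlan is None:
                    session.vlan, session.port = m["vlan"], m["port"]
                    break
    return by_mac


# Sample input: the lines shown in the guide, in the order show log prints them.
SAMPLE_LOG = [
    "show log",
    "05/03/2001 16:33.39 <WARN:SYST> bootprelay.c 184: bootprelay_input: Sending DHCP NAK to 00:10:a4:a9:11:3b(corp)",
    "05/03/2001 16:33.39 <WARN:SYST> netlogin.c 792: netloginChangePortVlanAndState: Unblocking vlan corp port 9",
    "05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Released IP 10.201.26.150",
    "05/03/2001 16:33.39 <CRIT:SYST> netloginChangePortVlanAndState: Vlan",
    "05/03/2001 16:33.33 <INFO:USER> admin logged in through netlogin (00:10:a4:a9:11:3b tempip 10.201.26.150)",
]

if __name__ == "__main__":
    for mac, s in netlogin_sessions(SAMPLE_LOG).items():
        print(mac, s.user, s.temp_ip, "released" if s.temp_ip_released else "held", s.vlan, s.port)
```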


Summary
You should now be able to:

Describe Network Login
List three Network Login authentication types
Identify the advantages and disadvantages of Web-Based Authentication
Identify the advantages and disadvantages of MAC-Based Authentication
Identify the advantages and disadvantages of 802.1x
Describe the DHCP server authentication role
Configure DHCP server
Describe the Network Login sequence
Describe Campus Mode
Describe ISP Mode
Describe multiple supplicant support
Identify Network Login design considerations
List methods of authenticating network login users
Identify RADIUS attributes used by Network Login
Configure Network Login with local database authentication
Configure Network Login with 802.1x authentication
Configure Network Login with Web-Based authentication
Terminate a Network Login session
Display Network Login information


Figure 45: Summary

Figure 46: Summary (cont)


Module 8 Policy-Based QoS


Student Objectives
Upon completion of this module, the successful student is able to:

Define QoS
Identify two major benefits of QoS
Identify five major traffic types
Describe policy-based QoS
Sequence the three steps required to assign QoS attributes
Define QoS profile
Describe QoS profile parameters
Configure QoS profile
Identify differences between configuring QoS on the BlackDiamond 8800 family of switches and Summit X450 and configuring QoS on a BlackDiamond 10K
Define traffic grouping
Sequence traffic groupings in order of precedence (highest to lowest)
Describe IP-based traffic grouping
Describe destination MAC address traffic grouping
Configure destination MAC address traffic grouping
Describe Explicit Class of Service traffic grouping
Configure Explicit Class of Service traffic grouping
Describe physical and logical groupings
Describe QoS policy
Verify QoS traffic grouping priority settings
Reset priority setting to default values
Monitor QoS
Modify a QoS policy
Configure Egress Traffic Rate Limiting on the BlackDiamond 8800 family of switches and Summit X450
Configure Bi-Directional Rate Shaping on the BlackDiamond 10K switch

Figure 1: Student Objectives

Figure 2: Student Objectives (cont)


What is Quality of Service?


QoS is a set of protocols and mechanisms that facilitate the delivery of delay- and bandwidth-sensitive material across data networks. Enabling QoS requires the cooperation of all network layers from top to bottom, as well as every network element from end to end; any QoS assurance is only as good as the weakest link in the chain between sender and receiver. QoS does not create bandwidth; it only manages bandwidth according to application demands and network management settings. In an Ethernet network, QoS fundamentally means creating unequal access in an essentially equal-access network.

Policy-based Quality of Service (QoS) is a feature of ExtremeWare XOS and the Extreme Networks switch architecture that allows you to specify different service levels for traffic traversing the switch. Policy-based QoS is an effective control mechanism for networks that have heterogeneous traffic patterns. Using policy-based QoS, you can specify the service level that a particular traffic type receives, protecting bandwidth for important categories of applications or specifically limiting the bandwidth associated with less critical traffic. For example, if voice-over-IP (VoIP) traffic requires a reserved amount of bandwidth to function properly, you can use policy-based QoS to reserve sufficient bandwidth for this application, while applications deemed less critical can be limited so that they do not consume excessive bandwidth.

Switch Platforms and QoS


On the BlackDiamond 10K switch, the switch contains separate hardware queues on every physical port. On the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch, the switch has two default queues (based on flows), and you can configure up to six additional queues. Each queue is programmed by ExtremeWare XOS with specific parameters that modify the forwarding behavior of the switch and affect how the switch transmits traffic for a given queue on a physical port. The switch tracks and enforces the specified parameters on every queue for every port. When two or more queues on the same physical port are contending for transmission, the switch prioritizes use so long as the respective queue management parameters are satisfied. Up to eight queues per port are available.

QoS is not Class of Service (CoS)


QoS is not the same as Class of Service (CoS). When CoS assigns a priority to a traffic flow (such as 802.1p), the network elements involved in transporting this information only know that it is more, or less, important than other CoS traffic flows. It does not provide any assurance that the information is delivered with a guaranteed bandwidth or network service.

NOTE
Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.

Figure 4: What is QoS? (QoS consists of mechanisms and protocols designed to facilitate the delivery of delay and bandwidth sensitive material across data networks; in an Ethernet network, QoS is used to create unequal access in an essentially equal-access network)


When Do You Need QoS?


When network traffic needs a guarantee of underlying network performance, QoS provides a solution. This typically relates to the amount of bandwidth required, but other factors, such as priority, are also taken into account. Historically, the lack of bandwidth was mainly a concern of WAN technologies, as Local Area Network technologies were developing at such a fast pace and were delivering bandwidths of 10, 100 and 1000 Mbps. In the LAN, administrators are able to over-provision the available bandwidth to ensure that all network traffic receives adequate service.

The availability of high performance LAN technologies and hardware means that some organizations can provide the levels of service required by their applications by simply over-provisioning their LAN infrastructure. This provides a simple, but not managed, solution to their requirements. Throwing bandwidth at the issue of application performance does provide a simple solution, but it does not resolve the underlying issue of supporting the ever-increasing demands of new applications (voice, web, video, etc.) in an efficient and controlled manner. QoS based networks enable administrators to manage application traffic with a great degree of control. In this environment, an application is assured that its requirement for bandwidth, priority, latency and delay can be provided.

NOTE
QoS does not increase the available bandwidth; it ensures that it is used in a controlled manner. The network designer still has to make sure that the network has sufficient capacity and throughput to deliver the service required.

Figure 5: When Do You Need QoS? If a network provides enough bandwidth for all applications and users (not oversubscribed configuration, for example 100 Mbps desktop links 1 to 10 feeding a Gigabit server link), then QoS is unnecessary. If there is insufficient bandwidth and the network has an oversubscribed configuration (for example 100 Mbps desktop links 1 to 16 feeding a Gigabit server link), then QoS can provide prioritized traffic for applications sensitive to the resultant latencies or delays.


Two Major Benefits of QoS


Latency Control
Latency, a synonym for delay, describes how much time it takes for a packet of data to get from one point to another. Jitter is the variation in the time between packets arriving. Latency control provides consistent end-to-end delay to traffic flows. The most important QoS parameter for a delay sensitive application is minimum bandwidth, followed by priority. QoS provides control over bandwidth availability to ensure that latency parameters are met.

In the early days of LAN technology, the majority of traffic required a reliable, error free environment rather than guaranteed throughput. While there has always been the requirement for a fast and efficient network, the measurement for this speed was often how long a user was prepared to wait for a response once a request was issued. As long as the network provided a fast enough response, it was suitable. Modern LAN infrastructures carry traffic from applications that were originally designed to run over several different technologies, each with its own characteristics. The modern network has to provide each of these applications with the characteristics it requires, which may not have been part of its own original design. Unlike the original characteristics of error free, non-deterministic access provided by Ethernet, many of the newer applications are time sensitive, and the overall latency of the network is important.

Latency Sensitive Applications include:

Desktop Video Conferencing
Multicast Streaming Video
Real-Time Data Feeds
SNA, TN3270

Congestion Management
Another benefit of QoS is its ability to manage the sharing of available bandwidth between different types of traffic. This is typically by allocating a maximum or minimum percentage of the available bandwidth to a specified class of traffic. The example highlights the QoS ability to allocate specific bandwidth to different traffic groups. QoS can only share what is available; the network designer has to ensure that the overall bandwidth is adequate.

Figure 6: Latency Control (end-to-end delay is the sum of link latency, given by packet size / link speed, and switch latency at each hop)

Figure 7: Congestion Management. Important traffic bypasses congestion: traffic groups A, B and C on 100 Mbps links share a 200 Mbps trunk; Option 1: Traffic Group A gets QP2, other traffic groups get QP1; Option 2: Traffic Group A gets MinBW=50%, other traffic groups get MinBW=25%. Multiple traffic groups are allowed equal access to congested resources: Option 1: all traffic groups get MinBW=33%.


Five Traffic Types and QoS Guidelines


General guidelines for each traffic type are given. Consider them as general guidelines and not strict recommendations. Once QoS parameters are set, you can monitor the performance of the application to determine if the actual behavior of the applications matches your expectations. When setting QoS parameters, you should consider bandwidth needs, sensitivity to latency and jitter, and sensitivity to packet loss.

Voice Applications
Voice applications, or voice over IP (VoIP), typically demand small amounts of bandwidth. However, the bandwidth must be constant and predictable because voice applications are typically sensitive to latency (inter-packet delay) and jitter (variation in inter-packet delay). The most important QoS parameter to establish for voice applications is minimum bandwidth, followed by priority.

Video Applications
Video applications are similar in needs to voice applications, with the exception that bandwidth requirements are somewhat larger, depending on the encoding. It is important to understand the behavior of the video application being used. For example, in the playback of stored video streams, some applications can transmit large amounts of data for multiple streams in one spike, with the expectation that the endstations will buffer significant amounts of video-stream data. This can present a problem to the network infrastructure, because the network must be capable of buffering the transmitted spikes where there are speed differences (for example, going from gigabit Ethernet to Fast Ethernet). Key QoS parameters for video applications include minimum bandwidth and priority, and possibly buffering (depending upon the behavior of the application).

Critical Database Applications


Database applications, such as those associated with Enterprise Resource Planning (ERP), typically do not demand significant bandwidth and are tolerant of delay. You can establish a minimum bandwidth using a priority less than that of delay-sensitive applications.

Web Browsing Applications


QoS needs for web browsing applications can not be easily categorized. Enterprise resource planning (ERP) front end applications may require minimum bandwidth, while basic web browsing may require maximum bandwidth.

File Server Applications


File serving typically poses the greatest demand on bandwidth, although file server applications are very tolerant of latency, jitter, and some packet loss (depending on network OS and use of TCP or UDP).

NOTE
Full-duplex links should be used when deploying policy-based QoS. Half-duplex operation on links can make delivery of guaranteed minimum bandwidth impossible.


Traffic Type and QoS Guidelines

Traffic Type    Key QoS Parameters
Voice           Minimum bandwidth, priority
Video           Minimum bandwidth, priority, buffering (varies)
Database        Minimum bandwidth
Web browsing    Minimum bandwidth for critical applications, maximum bandwidth for non-critical applications
File Server     Minimum bandwidth

Figure 8: Traffic Type and QoS Guidelines


Policy-Based QoS
The main benefit of QoS is that it allows you to control which types of traffic receive enhanced service from the system. For example, if video traffic requires a higher priority than data traffic, using QoS you can assign a different QoS profile to those VLANs that are transmitting video traffic. This QoS profile gives the video traffic more than a simple high priority: it provides a service level from the underlying network, with additional characteristics such as maximum or minimum bandwidth guarantees. As with all Extreme Networks switch products, policy-based QoS has zero impact on switch performance. Using even the most complex traffic groupings is costless in terms of switch performance.

Policy-Based QoS Support on an Extreme Network Switch


An Extreme Networks switch can:

Assign different service levels to traffic by specifying bandwidth management and prioritization parameters to hardware queues
Track and enforce minimum and maximum percentage of bandwidth utilization, transmitted on every hardware queue, for every port
Prioritize bandwidth use when two or more hardware queues on the same physical port are contending for transmission (as long as their respective bandwidth management parameters are satisfied)


Figure 9: Policy-Based QoS (specify different service levels to traffic traversing the switch; prioritize bandwidth use between queues in the same port; up to 8 physical queues per port; for example Voice = service level 1, Video = service level 2, Web = service level 3, File transfer = service level 4)

Figure 10: Policy-Based QoS (separate hardware queues QP1 to 8 on every physical port; each queue's bandwidth management and prioritization parameters are specified; the switch tracks and enforces minimum and maximum percentage bandwidth use by hardware queue)


Configuring Policy-Based QoS


Assigning QoS attributes is a three-step process, which consists of defining three interrelated QoS building blocks. To configure QoS, you define how your switch responds to different categories of traffic by creating and configuring QoS profiles. You then group traffic into categories (according to the needs of the application, as previously discussed) and assign each category to a QoS profile.

Configuring QoS is a three-step process:

1 Configure the QoS profile.

QoS profile: A class of service that is defined through minimum and maximum bandwidth parameters and prioritization settings on the BlackDiamond 10K switch, or through configuration of buffering and scheduling settings on the BlackDiamond 8800 family of switches and the Summit X450 switch. The level of service that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS profile. The names of the QoS profiles are QP1 through QP8; these names are not configurable.

2 Create traffic groupings.

Traffic grouping: Classification of traffic types that have one or more attributes in common. Some attributes include:

a physical port
a VLAN
IP Layer 4 port information

Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, resulting in sharing the class of service.

3 Apply QoS policy.

QoS policy: The combination that results from assigning a traffic grouping to a QoS profile.

After applying the QoS policy, you should monitor the performance of the application to determine whether the policies are achieving the desired results. Later in the module, we will go into more detail about QoS monitoring options.


Figure 11: Configuring Policy-Based QoS (1. Create a QoS profile; 2. Assign one or more traffic groupings; 3. Apply QoS policy)

Figure 12: Policy-Based QoS (QoS Building Block: QoS Profile: defines level of service by specifying traffic attributes; does not alter switch behavior until assigned to a traffic grouping; links to the identical hardware queue across all switch physical ports; eight default QoS profiles are supported, QP1 through QP8)


Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
The BlackDiamond 8800 family of switches and the Summit X450 switch allow dynamic creation and deletion of QoS queues, with Q1 and Q8 always available, rather than the 8 fixed queues on the BlackDiamond 10K switch.

NOTE
The sFlow application uses QP2 to sample traffic on the BlackDiamond 8800 family of switches and the Summit X450 switch. Any traffic grouping using QP2 may encounter unexpected results when sFlow is enabled.

The following considerations apply only to QoS on the BlackDiamond 8800 family of switches and the Summit X450 switch:

The BlackDiamond 8800 family of switches and the Summit X450 switch do not support QoS monitor.
The following QoS features share resources on the BlackDiamond 8800 family of switches and the Summit X450 switch:
    ACLs
    DiffServ
    dot1p
    VLAN-based QoS
    Port-based QoS

You may receive an error message when configuring a QoS feature in the above list on the BlackDiamond 8800 family of switches and the Summit X450 switch; it is possible that the shared resource is depleted. In this case, unconfigure one of the other QoS features and reconfigure the one you are working on.


Figure 13: Assigning Policy-Based QoS (Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only: able to dynamically create and delete QoS queues; default queues Q1 and Q8 always available; does not support the QoS monitor command, which monitors QoS running in the background; ACLs, DiffServ, Dot1p, VLAN-based QoS and Port-based QoS share the switch resources)


QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
The BlackDiamond 8800 family of switches and the Summit X450 switch have two default queues, QP1 and QP8, which are based on traffic flows. QP1 has the lowest priority, and QP8 has the highest priority. You can configure up to six additional QoS profiles, or queues, on the switch, QP2 through QP7. Creating a queue dynamically will not cause loss of traffic. You can also modify the default parameters of each QoS profile. The names of the QoS profiles, QP1 through QP8, are not configurable. The parameters that make up a QoS profile on the BlackDiamond 8800 family of switches and the Summit X450 switch include:

Buffer: This parameter is the maximum amount of packet buffer memory available to all packets associated with the configured QoS profile within all affected ports. All QoS profiles use 100% of available packet buffer memory by default. You can configure the buffer amount from 1 to 100%, in whole integers. Regardless of the maximum buffer setting, the system does not drop any packets if any packet buffer memory remains to hold the packet and the current QoS profile buffer use is below the maximum setting.

NOTE
Use of all 8 queues on all ports may result in insufficient buffering to sustain 0 packet loss throughput during full-mesh connectivity with large packets.

Weight: This parameter is the relative weighting for each QoS profile; 1 through 16 are the available weight values. The default value for each QoS profile is 1, giving each queue equal weighting. When you configure a QoS profile with a weight of 4, that queue is serviced 4 times as frequently as a queue with a weight of 1. However, if you configure all QoS profiles with a weight of 16, each queue is serviced equally but for a longer period of time.

Finally, you configure the scheduling method that the entire switch will use to empty the queues. The scheduling applies globally to the entire switch, not to each port. You can configure the scheduling to be strict priority, which is the default, or weighted round robin. In the strict priority method, the switch services the higher-priority queues first. As long as a queued packet remains in a higher-priority queue, any lower-priority queues are not serviced. If you configure the switch for weighted-round-robin scheduling, the system services all queues based on the weight assigned to the QoS profile. The hardware services higher-weighted queues more frequently, but lower-weighted queues continue to be serviced at all times.

When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the priority field of a transmitted packet. The priority of a QoS profile determines the DiffServ code point value used in an IP packet when the packet is transmitted. A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. The default QoS profiles cannot be deleted. The settings for the default QoS parameters on the BlackDiamond 8800 family of switches and the Summit X450 switch are summarized in the following table.
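An added simulation (not the switch's scheduler and not code from the student guide) of the two scheduling methods over three queues QP1, QP2 and QP8 contending on one port: under strict priority the lower queues are starved while QP8 holds packets; under weighted round robin a weight of 4 gives QP2 four opportunities per round, and giving every queue a weight of 16 keeps the shares equal but lengthens each queue's uninterrupted burst. The transmit-opportunity model and the starting backlogs are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class HwQueue:
    """One hardware queue on an egress port, as a QoS profile maps to it."""
    name: str
    priority: int   # QP1 = 1 (lowest) ... QP8 = 8 (highest)
    weight: int     # 1..16, default 1
    backlog: int    # packets waiting in this queue (constructed)

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= 16:
            raise ValueError(f"{self.name}: weight must be 1..16, got {self.weight}")


def strict_priority(queues: List[HwQueue], slots: int) -> List[str]:
    """Strict priority: every transmit opportunity goes to the highest-priority
    queue that holds a packet; lower queues wait while anything higher is queued."""
    sent: List[str] = []
    for _ in range(slots):
        ready = [q for q in queues if q.backlog > 0]
        if not ready:
            break
        q = max(ready, key=lambda x: x.priority)
        q.backlog -= 1
        sent.append(q.name)
    return sent


def weighted_round_robin(queues: List[HwQueue], slots: int) -> List[str]:
    """Weighted round robin: in each round every non-empty queue is visited
    (highest priority first) and may send up to `weight` packets, so no queue
    is ever starved."""
    sent: List[str] = []
    order = sorted(queues, key=lambda x: -x.priority)
    while len(sent) < slots and any(q.backlog > 0 for q in queues):
        for q in order:
            burst = min(q.weight, q.backlog, slots - len(sent))
            q.backlog -= burst
            sent.extend([q.name] * burst)
    return sent


def service_counts(sent: List[str]) -> Dict[str, int]:
    """How many opportunities each queue received."""
    counts: Dict[str, int] = {}
    for name in sent:
        counts[name] = counts.get(name, 0) + 1
    return counts


def longest_burst(sent: List[str], name: str) -> int:
    """Longest run of consecutive opportunities given to one queue; larger
    weights keep the share equal but make these bursts longer."""
    best = run = 0
    for n in sent:
        run = run + 1 if n == name else 0
        best = max(best, run)
    return best


def make_queues(weights: Dict[str, int], backlog: int = 1000) -> List[HwQueue]:
    """Three queues with a deep backlog each; unspecified weights default to 1."""
    prio = {"QP1": 1, "QP2": 2, "QP8": 8}
    return [HwQueue(n, prio[n], weights.get(n, 1), backlog) for n in prio]


def run(scheduler: Callable[[List[HwQueue], int], List[str]],
        weights: Dict[str, int], slots: int) -> Dict[str, int]:
    return service_counts(scheduler(make_queues(weights), slots))


if __name__ == "__main__":
    print("strict:", run(strict_priority, {}, 60))               # QP8 takes all 60
    print("wrr, QP2 weight 4:", run(weighted_round_robin, {"QP2": 4}, 60))
    sent = weighted_round_robin(make_queues({"QP1": 16, "QP2": 16, "QP8": 16}), 96)
    print("wrr, all 16:", service_counts(sent), "QP8 burst", longest_burst(sent, "QP8"))
```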


Figure 14: QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only (QP1 and QP8 default queues can neither be deleted nor renamed; QoS profile parameters: buffer, weight, scheduling method)

Table 1: Default BlackDiamond 8800 and Summit X450 Switch Only QoS Parameters

Profile name    Priority    Buffer    Weight
QP1             Low         100%      1
QP8             High        100%      1


QoS Profiles on the BlackDiamond 10K Switch


The BlackDiamond 10K switch has 8 hardware queues for each egress port. The QoS profiles, QP1 to QP8, map to these hardware queues. A QoS profile on the BlackDiamond 10K switch defines a class of service by specifying traffic behavior attributes, such as bandwidth. The parameters that make up a QoS profile on the BlackDiamond 10K switch include:

Minimum bandwidth: The minimum total link bandwidth that is reserved for use by a hardware queue on a physical port (each physical port has eight hardware queues, each corresponding to a QoS profile). The minimum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute committed rates in Kbps or Mbps. Bandwidth unused by the queue can be used by other queues. The minimum bandwidth for all queues should add up to less than 100%. The default value on all minimum bandwidth parameters is 0%.

Maximum bandwidth: The maximum total link bandwidth that can be transmitted by a hardware queue on a physical port (each physical port has eight hardware queues, each corresponding to a QoS profile). The maximum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute peak rates in Kbps or Mbps. The default value on all maximum bandwidth parameters is 100%.

Priority: The level of priority assigned to a hardware egress queue on a physical port. There are eight different available priority settings and eight different hardware queues. By default, each of the default QoS profiles is assigned a unique priority. Prioritization is used when two or more hardware queues on the same physical port are contending for transmission, and only after their respective bandwidth management parameters have been satisfied. If two hardware queues on the same physical port have the same priority, a round-robin algorithm is used for transmission, depending on the available link bandwidth.

When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the priority field of a transmitted packet. The priority of a QoS profile determines the DiffServ code point value used in an IP packet when the packet is transmitted.

A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. Recall that QoS profiles on the BlackDiamond 10K switch are linked to hardware queues. There are multiple hardware queues per physical port. By default, a QoS profile links to the identical hardware queue across all the physical ports of the switch. The default QoS profiles cannot be deleted.


Figure 15: QoS Profiles on the BlackDiamond 10K (8 hardware queues for each egress port, linked to QP1 through QP8; QoS profile parameters: minimum bandwidth, maximum bandwidth, priority; 802.1p bits and DiffServ code point based on priority)

Table 2: BlackDiamond 10K Default QoS Parameters

Profile name    Hardware queue    Priority    Minimum bandwidth    Maximum bandwidth
QP1             Q0                Low         0%                   100%
QP2             Q1                LowHi       0%                   100%
QP3             Q2                Normal      0%                   100%
QP4             Q3                NormalHi    0%                   100%
QP5             Q4                Medium      0%                   100%
QP6             Q5                MediumHi    0%                   100%
QP7             Q6                High        0%                   100%
QP8             Q7                HighHi      0%                   100%


QoS Building Block: Profile


Creating a QoS Profile (BlackDiamond 8800 family of switches and Summit X450 Only)

To create a QoS profile, enter the following command:

create qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]

To delete a QoS profile, enter the following command:

delete qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]

You cannot delete the default QoS profiles QP1 and QP8.

Configuring QoS Profile Weight

To modify the QoS profile weight, type the following command:

configure qosprofile <qosprofile> {maxbuffer <percent>} {weight <value>}

The maxbuffer parameter configures the maximum amount of packet buffer, by percentage, that the packets associated with the specified QoS profile can consume. Regardless of the setting for this parameter, the system does not drop any packets as long as packet buffer memory remains available and the current buffer use of the specified QoS profile is below the specified maxbuffer setting. The weight parameter configures the relative weighting for each QoS profile. Because each QoS profile has a default weight of 1, all QoS profiles have equal weighting. If you configure a QoS profile with a weight of 4, that specified QoS profile is serviced 4 times as frequently as the remaining QoS profiles, which still have a weight of 1. If you configure all QoS profiles with a weight of 16, each QoS profile is serviced equally but for a longer period.


Figure 16: QoS Building Block: Profile (Create a QoS profile*: create qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]; Configure QoS profile weight: configure qosprofile <qosprofile> {maxbuffer <percent>} {weight <value>}; *BlackDiamond 8800 and Summit X450 only)


QoS Building Block: Traffic Groupings


After a QoS profile has been created or modified, you assign a traffic grouping to the profile. A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is typically grouped based on the needs of the applications. Traffic groupings are separated into the following categories:

ACL-based information
Explicit packet class of service information, such as 802.1p or DiffServ (IP TOS)
Physical/logical configuration (physical source port or VLAN association)


Figure 17: QoS Building Block: Traffic Groupings (classification of traffic type based on one or more common attributes; needs an assigned QoS profile in order to modify switch behavior; traffic groupings transmitting out of the same port and assigned to a particular QoS profile share the same class of service)

Figure 18: Traffic Grouping Types (ACL-based information; explicit packet class of service information: 802.1p, DiffServ (IP TOS); physical/logical configuration: physical source port, VLAN association)

ExtremeWare Security Fundamentals Student Guide Rev. 3.0

25


QoS Building Block: QoS Policy


The combination of a traffic grouping and a QoS profile creates a QoS policy.

Figure 19: QoS Building Block: QoS Policy (slide). Assigning a QoS profile to a traffic grouping activates a QoS policy. Example:

London:3 # config vlan urgent qosprofile QP4

Here the logical traffic grouping VLAN urgent was assigned the QoS profile QP4.

Precedence of Traffic Groupings


In the event that a given packet matches two or more grouping criteria, there is a predetermined precedence for which traffic grouping applies. The supported traffic groupings, by precedence, are listed in the following:

Access list groupings (ACLs)
    IP ACL
    MAC ACL
Explicit packet class of service groupings
    DiffServ (IP TOS)
    802.1p
Physical/logical groupings
    Source port
    VLAN

NOTE
The source port and VLAN QoS apply only to untagged packets, and 802.1p QoS applies only to tagged packets. If you use 802.1p or DiffServ QoS in conjunction with ACLs, you must configure the 802.1p or DiffServ action within the ACL itself.

In general, the more specific traffic grouping takes precedence. Those groupings listed at the top of the table are evaluated first. By default, all traffic groupings are placed in the QoS profile QP1. The groupings are listed in order of precedence (highest to lowest). The three types of traffic groupings are described in detail on the following pages.

NOTE
On the BlackDiamond 8800 family of switches and the Summit X450 switch, the precedence of IP ACL or MAC ACL depends on specifications in the ACL file itself.
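The precedence order above, as an added model written for this guide (it is not Extreme Networks software). Given the groupings a packet matches and the QoS profile each would assign, it returns the highest-precedence applicable grouping and defaults to QP1 when nothing matches. It also applies the tagged/untagged rule from the note, which the later sections state for the BlackDiamond 10K: source port and VLAN groupings apply only to untagged packets, 802.1p only to tagged packets. The grouping names and the packets are constructed for the illustration.

```python
"""Traffic-grouping precedence model (added illustration, not switch code)."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Highest precedence first, exactly as listed in the text.
PRECEDENCE = ["ip_acl", "mac_acl", "diffserv", "dot1p", "source_port", "vlan"]
DEFAULT_PROFILE = "QP1"


@dataclass
class Packet:
    """A packet reduced to what the precedence decision needs."""
    tagged: bool                       # carries an 802.1Q tag (and 802.1p bits)
    # grouping name -> QoS profile that grouping would assign; a missing key
    # means the packet does not match that grouping at all.
    matches: Dict[str, str] = field(default_factory=dict)


def applicable(grouping: str, packet: Packet) -> bool:
    """Whether a grouping can apply to this packet at all (rule from the note)."""
    if grouping == "dot1p":
        return packet.tagged
    if grouping in ("source_port", "vlan"):
        return not packet.tagged
    return True


def select_profile(packet: Packet) -> Tuple[Optional[str], str]:
    """Return (winning grouping, QoS profile) for the packet."""
    for grouping in PRECEDENCE:
        if grouping in packet.matches and applicable(grouping, packet):
            return grouping, packet.matches[grouping]
    return None, DEFAULT_PROFILE


if __name__ == "__main__":
    # Constructed case: untagged packet from a port assigned QP8 (source-port
    # grouping) that also matches an IP ACL assigning QP3. The ACL wins.
    pkt = Packet(tagged=False, matches={"source_port": "QP8", "ip_acl": "QP3"})
    print(select_profile(pkt))
    # Constructed case: tagged packet on VLAN urgent (QP4) whose 802.1p
    # priority maps to QP6. The VLAN grouping does not apply to tagged
    # packets, so 802.1p decides.
    pkt = Packet(tagged=True, matches={"vlan": "QP4", "dot1p": "QP6"})
    print(select_profile(pkt))
```

On the BlackDiamond 8800 family and Summit X450 the relative order of IP and MAC ACLs comes from the ACL file, and the port and VLAN commands apply to all packets, so the `applicable` rule would be relaxed for those platforms.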


Figure 20: Traffic Groupings In Default Precedence


ACL-Based Traffic Groupings


ACL-based traffic groupings are defined using access lists. By supplying a named QoS profile on an ACL rule, you can prescribe the bandwidth management and priority handling for that traffic grouping. This level of packet filtering has no impact on performance. ACL-based traffic groupings are based on any combination of the following items:

IP source or destination address
IP protocol
TCP flag
TCP/UDP or other Layer 4 protocol
TCP/UDP port information
IP fragmentation
MAC source or destination address
Ethertype

Figure 21: ACL-Based Traffic Groupings (slide): defined by access lists; specify a named QoS profile in the ACL rule; parameters as listed above.

Explicit Class of Service Traffic Groupings


This category of traffic groupings describes what is sometimes referred to as explicit packet marking, and refers to information contained within a packet intended to explicitly determine a class of service. That information includes:

Prioritization bits used in IEEE 802.1p packets
IP Differentiated Services (DiffServ) code points, formerly known as IP Type of Service (TOS) bits

Advantages of Explicit Class of Service

Class of service information can be carried through the network infrastructure, without repeating what may be complex traffic grouping policies at each switch location. End stations can perform their own packet marking on an application-specific basis. Extreme Networks switch products have the capability of observing and manipulating packet marking information with no performance penalty.

The documented capabilities for 802.1p priority markings or DiffServ capabilities (if supported) are not impacted by the switching or routing configuration of the switch. For example, 802.1p information may be preserved across a routed switch boundary and DiffServ code points may be observed or overwritten across a layer 2 switch boundary.

Packet Diagram
Extreme Networks switches support the standard IEEE 802.1p priority bits that are part of a tagged Ethernet packet. The 802.1p bits can be used to prioritize the packet and to assign that packet to a particular QoS profile. When a tagged packet arrives at the switch, the switch examines the 802.1p priority field and maps the packet to a specific queue when subsequently transmitting the packet. The 802.1p priority field is located directly following the 802.1Q type field and preceding the 802.1Q VLAN ID, as shown in Figure 20.

Figure 22: Explicit Class of Service Traffic Groupings (slide). The slide shows the two headers that carry explicit marking:

802.1Q Ethernet frame: DA (6 bytes) | SA (6 bytes) | TPI (2 bytes) | TAG (2 bytes, of which 3 bits are the 802.1p priority) | Type (2 bytes) | Data (46 - 1500 bytes) | FCS (4 bytes)

DiffServ IP packet header: Ver | IHL | DiffServ (6 bits DSCP, then ECN) | Total Length | Identifier | Flags | Frag. Offset | TTL | Protocol | Header Checksum | Source Address | Destination Address

Slide text: information includes IP DiffServ code points (former IP TOS bits) and prioritization bits used in IEEE 802.1p packets; Extreme switches can observe and manipulate packet marking information with no performance penalty in the hardware.

802.1p Information
802.1p information on the BlackDiamond 10K only
If a port is in more than one virtual router, you cannot use the QoS 802.1p features. The default VLAN DiffServ examination mappings apply on ports in more than one VR. If you attempt to configure examining or replacing 802.1p information on a port that is in more than one virtual router, the system returns the following message:

Warning: Port belongs to more than one VR. Port properties related to diff serv and code replacement will not take effect.

Observing 802.1p information


When ingress traffic that contains 802.1p prioritization information is detected by the switch, that traffic is mapped to various queues on the egress port of the switch. The BlackDiamond 10K switch supports 8 hardware queues by default; you can modify the characteristics of each queue. By default, the BlackDiamond 8800 family of switches and the Summit X450 switch support 2 queues based on flows; you can define up to 6 additional queues. The transmitting queue determines the characteristics used when transmitting packets. To control the mapping of 802.1p prioritization values to queues, 802.1p prioritization values can be mapped to a QoS profile. The default mapping of each 802.1p priority value to QoS profile is shown in Table 3.

Changing the Default 802.1p Mapping


By default, a QoS profile is mapped to a queue, and each QoS profile has configurable parameters. In this way, an 802.1p priority value seen on ingress can be mapped to a particular QoS profile. To change the mapping of 802.1p priority value to QoS profile, enter the following command:

configure dot1p type <dot1p_priority> {qosprofile} <qosprofile>

Table 3: Default 802.1p priority value-to-QoS profile mapping

Priority value   BlackDiamond 10K switch   BlackDiamond 8800 family of switches and
                 default QoS profile       Summit X450 switch default QoS profile
0                QP1                       QP1
1                QP2                       QP1
2                QP3                       QP1
3                QP4                       QP1
4                QP5                       QP1
5                QP6                       QP1
6                QP7                       QP1
7                QP8                       QP8

Figure 23: Traffic Groupings - Destination MAC Address (slide). To change the mapping of 802.1p priority value to QoS profile:

configure dot1p type <dot1p_priority> qosprofile <qosprofile>

Replacing 802.1p Priority Information


By default, 802.1p priority information is not replaced or manipulated, and the information observed on ingress is preserved when transmitting the packet. This behavior is not affected by the switching or routing configuration of the switch.

NOTE
In the BlackDiamond 8800 family of switches and the Summit X450 switch, 802.1p replacement uses existing flow classifiers. If this feature is enabled and the flow classifier has been defined (traffic groupings), the related flow classifier causes the replacement.

However, the switch is capable of inserting and/or overwriting 802.1p priority information when it transmits an 802.1Q tagged frame. If 802.1p replacement is enabled, the 802.1p priority information that is transmitted is determined by the queue that is used when transmitting the packet. The 802.1p replacement configuration is based on the ingress port. To replace 802.1p priority information, enter the following command:

enable dot1p replacement ports [<port_list> | all]

The port in this command is the ingress port. This command affects only that traffic based on explicit packet class of service information and physical/logical configuration. To disable this feature, enter the following command:

disable dot1p replacement ports [<port_list> | all]

NOTE
On the BlackDiamond 8800 family of switches and the Summit X450 switch, only QP1 and QP8 exist by default; you must create QP2 to QP7. If you have not created these QPs, the replacement feature will not take effect.

The 802.1p priority information is replaced according to the queue that is used when transmitting from the switch. The mapping is described in Table 4. This mapping cannot be changed.

Figure 24: Replacing 802.1p Priority Information (slide). To replace 802.1p priority information:

enable dot1p replacement ports [<port_list> | all]

To disable 802.1p priority replacement:

disable dot1p replacement ports [<port_list> | all]

Table 4: Queue-to-802.1p priority replacement value

802.1p priority     BlackDiamond 10K switch   BlackDiamond 8800 family of switches and
replacement value   hardware queue            Summit X450 switch 802.1p queue
0                   Q0                        Q1
1                   Q1                        Q2
2                   Q2                        Q3
3                   Q3                        Q4
4                   Q4                        Q5
5                   Q5                        Q6
6                   Q6                        Q7
7                   Q7                        Q8

DiffServ
Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the Differentiated Services (DiffServ) field. The DiffServ field is used by the switch to determine the type of service provided to the packet. Observing DiffServ code points as a traffic grouping mechanism for defining QoS policies and overwriting the Diffserv code point fields are supported.

DiffServ Information on the BlackDiamond 10K Only


The default VLAN DiffServ examination mappings apply on ports in more than one VR. If you attempt to configure examining or replacing DiffServ information on a port that is in more than one virtual router, the system returns the following message:

Warning: Port belongs to more than one VR. Port properties related to diff serv and code replacement will not take effect.

Observing DiffServ Information


When a packet arrives at the switch on an ingress port and this feature is enabled, the switch examines the first six of eight TOS bits, called the DiffServ code point. The switch can then assign the QoS profile used to subsequently transmit the packet based on the code point. The QoS profile controls which queue is used when transmitting the packet out of the switch and determines the forwarding characteristics of a particular code point. Examining DiffServ information can be enabled or disabled; by default it is disabled. To enable DiffServ examination, enter the following command:

enable diffserv examination port [<port_list> | all]

To disable DiffServ examination, enter the following command:

disable diffserv examination port [<port_list> | all]

Figure 25: DiffServ Replacement (slide). Note from the slide: in order to make DiffServ replacement take effect, dot1p replacement has to be enabled on the same port. The slide shows the default mapping of code point ranges to QoS profiles and hardware queues (0-7 to qp1/Q0, 8-15 to qp2/Q1, ..., 56-63 to qp8/Q7), the 802.1p priority to code point mapping (0 to 0, 1 to 8, ..., 7 to 56), and this CLI sequence:

* London: 2 # enable diffserv exam port 9
* London: 3 # config diffserv exam code_point 10 qosp qp7 port 9
* London: 4 # enable dot1p replacement port 3
* London: 5 # enable diffserv replace port 3
* London: 6 # config diffserv replace priority vpri 6 code-point 31 port 3

The figure traces a packet with code point 10 arriving on port 9, mapped to QP7, and leaving port 3 with its code point replaced by 31.

Figure 26: Observing Diffserv Information (slide). CLI sequence shown:

* London: 3 # enable diffserv examination ports 9
* London: 4 # config diffserv examination code-point 1 qosprofile qp3 ports 9

The figure shows the default code point range to QoS profile to hardware queue mapping (0-7 / qp1 / Q0 through 56-63 / qp8 / Q7) and traces a packet with code point 1 arriving on port 9, mapped to QP3, and leaving port n with code point 1 unchanged.

Configuring DiffServ
Diffserv Code Point Mapping
Because the DiffServ code point uses six bits, it has 64 possible values (2^6 = 64). By default, the values are grouped and assigned to the default QoS profiles listed in Table 5.

Changing the Default DiffServ Code Point Mapping


You can change the QoS profile assignment for each of the 64 code points using the following command:

configure diffserv examination code-point <code-point> {qosprofile} <qosprofile>

Once assigned, the rest of the switches in the network prioritize the packet using the characteristics specified by the QoS profile.

Replacing DiffServ Code Points


The switch can be configured to change the DiffServ code point in the packet prior to the packet being transmitted by the switch. This is done with no impact on switch performance. The DiffServ code point value used in overwriting the original value in a packet is determined by the QoS profile. You enter the QoS profile you want to use to determine the replacement DiffServ code point value. To replace DiffServ code points, you must enable DiffServ replacement using the following command:

enable diffserv replacement ports [<port_list> | all]

The port in this command is the ingress port. This command affects only that traffic based on explicit packet class of service information and physical/logical configuration. To disable this feature, enter the following command:

disable diffserv replacement ports [<port_list> | all]

Table 5: Default DiffServ code point-to-QoS profile mapping

Code point   BlackDiamond 10K switch   BlackDiamond 8800 family of switches and
             QoS profile               the Summit X450 switch QoS profile
0-7          QP1                       QP1
8-15         QP2                       QP1
16-23        QP3                       QP1
24-31        QP4                       QP1
32-39        QP5                       QP1
40-47        QP6                       QP1
48-55        QP7                       QP1
56-63        QP8                       QP8

Figure 27: Configuring DiffServ (slide). To change the QoS profile assignment for each of the 64 code points:

configure diffserv examination code-point <codepoint> {qosprofile} <qosprofile>

To replace DiffServ code points, DiffServ replacement must be enabled:

enable diffserv replacement ports [<port_list> | all]

Default 802.1p Priority Value-To-Diffserv Code Point Mapping


Table 6 shows both the default QoS profile to DiffServ code point mapping and the default 802.1p priority value to code point mapping. You change the DiffServ code point mapping, using either the QoS profile or the 802.1p value, to any code point value using the following command:

configure diffserv replacement [{qosprofile} <qosprofile> | priority <value>] code-point <code_point>

NOTE
Extreme Networks recommends that you use the qosprofile <qosprofile> value to configure this parameter.

By doing so, the queue used to transmit a packet determines the DiffServ value replaced in the IP packet. To view currently configured DiffServ information, enter the following command:

show diffserv [examination | replacement]

Table 6: Default 802.1p priority value-to-DiffServ code point mapping

BlackDiamond 10K switch   BlackDiamond 8800 family of switches and   802.1p priority   Code point
QoS profile               the Summit X450 switch QoS profile         value
QP1                       QP1                                        0                 0
QP2                       QP1                                        1                 8
QP3                       QP1                                        2                 16
QP4                       QP1                                        3                 24
QP5                       QP1                                        4                 32
QP6                       QP1                                        5                 40
QP7                       QP1                                        6                 48
QP8                       QP8                                        7                 56

Figure 28: show diffserv replacement
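Reading the explicit marking out of a frame and applying the default mappings of Tables 3 to 6, as an added example written for this guide (not Extreme Networks code). It extracts the 3-bit 802.1p priority from the 802.1Q TCI word and the 6-bit code point from the IPv4 TOS byte, as laid out in Figure 22, then applies the defaults for both platforms; the "bd10k" and "bd8800" platform labels, the `classify` helper and the sample frames are this example's own constructions.

```python
"""Explicit class-of-service fields and default mappings (added example)."""

import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def dot1p_priority(frame: bytes):
    """3-bit 802.1p priority of a tagged frame, or None if the frame is untagged.
    The 2-byte TPID (0x8100) follows DA and SA; the TCI word follows it and
    its top three bits are the 802.1p priority (Figure 22)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13


def dscp(frame: bytes):
    """6-bit DiffServ code point of the IPv4 packet in the frame, or None if
    the payload is not IPv4. The code point is the first six of the eight
    TOS bits; the last two are ECN."""
    ip_start = 18 if dot1p_priority(frame) is not None else 14
    if struct.unpack("!H", frame[ip_start - 2:ip_start])[0] != ETHERTYPE_IPV4:
        return None
    return frame[ip_start + 1] >> 2


def default_profile_for_dot1p(priority: int, platform: str) -> str:
    """Table 3: 10K maps value n to QPn+1; 8800/X450 maps 0-6 to QP1, 7 to QP8."""
    if platform == "bd10k":
        return f"QP{priority + 1}"
    return "QP8" if priority == 7 else "QP1"


def default_profile_for_dscp(code_point: int, platform: str) -> str:
    """Table 5: 10K maps each block of eight code points to the next profile;
    8800/X450 maps 0-55 to QP1 and 56-63 to QP8."""
    if platform == "bd10k":
        return f"QP{code_point // 8 + 1}"
    return "QP8" if code_point >= 56 else "QP1"


def replacement_dot1p(profile: str) -> int:
    """Table 4: a packet sent from QPn's queue is rewritten with priority n-1
    (hardware queue Q0-Q7 on the 10K, Q1-Q8 on the 8800/X450)."""
    return int(profile[2:]) - 1


def replacement_dscp(profile: str) -> int:
    """Table 6: QPn replaces the code point with (n-1)*8, i.e. 0, 8, ..., 56."""
    return (int(profile[2:]) - 1) * 8


def classify(frame: bytes, platform: str, diffserv_examination: bool = False) -> str:
    """Default explicit-CoS handling: DiffServ examination (when enabled on the
    ingress port and the packet is IPv4) outranks 802.1p; a tagged frame uses
    its 802.1p bits; anything else lands in QP1."""
    cp = dscp(frame) if diffserv_examination else None
    if cp is not None:
        return default_profile_for_dscp(cp, platform)
    prio = dot1p_priority(frame)
    if prio is not None:
        return default_profile_for_dot1p(prio, platform)
    return "QP1"


def build_frame(priority=None, code_point=None) -> bytes:
    """Constructed sample: optional 802.1Q tag (VLAN ID 1) and a minimal IPv4
    header with the requested DSCP. Addresses are placeholders."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    tag = b"" if priority is None else struct.pack("!HH", TPID_8021Q, (priority << 13) | 1)
    tos = 0 if code_point is None else code_point << 2
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                     bytes([10, 1, 2, 3]), bytes([10, 1, 3, 4]))
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    frame = build_frame(priority=2, code_point=46)
    print(dot1p_priority(frame), dscp(frame))                          # 2 46
    print(classify(frame, "bd10k"), classify(frame, "bd10k", True))    # QP3 QP6
    print(classify(frame, "bd8800"), classify(frame, "bd8800", True))  # QP1 QP1
```

The two replacement helpers show why the guide recommends configuring replacement by QoS profile: with the default tables, a packet transmitted from QP6 leaves with 802.1p priority 5 and code point 40 regardless of what it carried on ingress.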


BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example
In this example on the BlackDiamond 8800 family of switches and the Summit X450 switch, we use DiffServ to signal a class of service throughput and assign any traffic coming from network 10.1.2.x with a specific DiffServ code point. This allows all other network switches to send and observe the DiffServ code point instead of repeating the same QoS configuration on every network switch. To configure the switch, follow these steps:

1. Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3:

configure access-list qp3sub any

The following is a sample policy file:

#filename: qp3sub.pol
entry QP3-subnet {
    if {
        source-address 10.1.2.0/24;
    } then {
        qosprofile qp3;
    }
}

2. Configure the switch so that other switches can signal classes of service that this switch should observe by entering the following:

enable diffserv examination ports all

Figure 29: BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example (slide repeating the policy file and the two steps above)

BlackDiamond 10K Switch DiffServ Example


In this example on the BlackDiamond 10K switch, we use DiffServ to signal a class of service throughput and assign any traffic coming from network 10.1.2.x with a specific DiffServ code point. This allows all other network switches to send and observe the DiffServ code point instead of repeating the same QoS configuration on every network switch. To configure the switch, follow these steps:

1. Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3:

configure access-list qp3sub any

The following is a sample policy file:

#filename: qp3sub.pol
entry QP3-subnet {
    if {
        source-address 10.1.2.0/24;
    } then {
        qosprofile qp3;
        replace-dscp;
    }
}

2. Configure the switch so that other switches can signal classes of service that this switch should observe by entering the following:

enable diffserv examination ports all

NOTE
The switch only observes the DiffServ code points if the traffic does not match the configured access list. Otherwise, the ACL QoS setting overrides the QoS DiffServ configuration.

Figure 30: BlackDiamond 10K Switch DiffServ Example (slide repeating the policy file and the two steps above)

Physical and Logical Groupings


Two traffic groupings exist in this category: Source port and VLAN.

Source Port
A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, enter the following command:

configure ports <port_list> {qosprofile} <qosprofile>

In the following modular switch example, all traffic sourced from slot 5 port 7 uses the QoS profile named QP8 when being transmitted.

configure ports 5:7 qosprofile qp8

NOTE
On the BlackDiamond 10K switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches and the Summit X450 switch, this command applies to all packets.

VLAN
A VLAN traffic grouping indicates that all intra-VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile. To configure a VLAN traffic grouping, enter the following command:

configure vlan <vlan_name> {qosprofile} <qosprofile>

For example, all devices on VLAN servnet require use of the QoS profile QP1. The command to configure this example is as follows:

configure vlan servnet qosprofile qp1

NOTE
On the BlackDiamond 10K switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches and the Summit X450 switch, this command applies to all packets.

Verifying Physical and Logical Groupings


You can display QoS settings on the ports or VLANs. To verify settings on ports or VLANs, enter the following command:

show ports {mgmt | <port_list>} information {detail}

To ensure that you display the QoS information, you must use the detail variable.

On the BlackDiamond 10K switch, the screen displays both ingress and egress QoS settings. The 10Gbps ports have 8 ingress queues, and the 1 Gbps ports have 2 ingress queues.

Figure 31: Traffic Groupings: Physical and Logical (slide: physical port or VLAN; source port, VLAN)

Figure 32: Configuring Physical and Logical Groupings (slide summarizing the three commands above: configure ports <port_list> {qosprofile} <qosprofile>; configure vlan <vlan_name> {qosprofile} <qosprofile>; show ports {mgmt | <port_list>} information {detail})

BlackDiamond 8800 Family of Switches and Summit X450 Switch QOS Profile Display
You display which QoS profile, if any, is configured on the BlackDiamond 8800 family of switches and the Summit X450 switch using the show ports <port_list> information detail command. Following is a sample output of this command for a BlackDiamond 8810 switch:

NOTE
To ensure that you display the QoS information, you must use the detail variable.

Port: 8:1
Virtual-router: VR-Default
Type: EW
Random Early drop: Disabled
Admin state: Enabled with auto-speed sensing auto-duplex
Link State: Active
Link Counter: Up 1 time(s)
VLAN cfg:
    Name: Default, Internal Tag = 1, MAC-limit = No-limit
STP cfg:
    s0(disable), Tag=(none), Mode=802.1D, State=FORWARDING
Protocol:
    Name: Default  Protocol: ANY  Match all protocols.
Trunking: Load sharing is not enabled.
EDP: Enabled
DLCS: Unsupported
lbDetect: Unsupported
Learning: Enabled
Flooding: Enabled
Jumbo: Disabled
BG QoS monitor: Unsupported
Egress Port Rate: No-limit
Broadcast Rate: No-limit
Multicast Rate: No-limit
Unknown Dest Mac Rate: No-limit
QoS Profile: Qp3 Configured by user
Ingress Rate Shaping : Unsupported
Ingress IPTOS Examination: Disabled
Egress IPTOS Replacement: Disabled
Egress 802.1p Replacement: Disabled
NetLogIn: Disabled
Smart redundancy: Enabled
Software redundant port: Disabled

BlackDiamond 10K Switch Display


You display information on the egress QoS profiles and the ingress QoS profiles (shown as Ingress Rate Shaping), as well as the minimum and maximum available bandwidth and priority on the BlackDiamond 10K switch using the show ports <port_list> information detail command. The display is slightly different for a 1 Gbps port and for a 10 Gbps port. Following is sample output of this command for a BlackDiamond 10K switch 10 Gbps port:

Port: 8:1
Virtual-router: VR-Default
Type: XENPAK
Random Early drop: Disabled
Admin state: Enabled with 10G full-duplex
Link State: Ready
Link Counter: Up 0 time(s)
VLAN cfg:
STP cfg:
Protocol:
Trunking: Load sharing is not enabled.
EDP: Enabled
DLCS: Unsupported
lbDetect: Unsupported
Learning: Enabled
Flooding: Enabled
Jumbo: Disabled
BG QoS monitor: Unsupported
QoS Profile: None configured
Queue: Qp1 MinBw=0% MaxBw=100% Pri=1
       Qp2 MinBw=0% MaxBw=100% Pri=2
       Qp3 MinBw=0% MaxBw=100% Pri=3
       Qp4 MinBw=0% MaxBw=100% Pri=4
       Qp5 MinBw=0% MaxBw=100% Pri=5
       Qp6 MinBw=0% MaxBw=100% Pri=6
       Qp7 MinBw=0% MaxBw=100% Pri=7
       Qp8 MinBw=0% MaxBw=100% Pri=8
Ingress Rate Shaping : support IQP1-8
       IQP1 MinBw= 0% MaxBw=100% Pri=1
       IQP2 MinBw= 0% MaxBw=100% Pri=2
       IQP3 MinBw= 0% MaxBw=100% Pri=3
       IQP4 MinBw= 0% MaxBw=100% Pri=4
       IQP5 MinBw= 0% MaxBw=100% Pri=5
       IQP6 MinBw= 0% MaxBw=100% Pri=6
       IQP7 MinBw= 0% MaxBw=100% Pri=7
       IQP8 MinBw= 0% MaxBw=100% Pri=8
Ingress IPTOS: Disabled
Egress IPTOS: Replacement disabled
Egress 802.1p: Replacement disabled
Smart Redundancy: Unsupported
VLANs monitored for stats: Unsupported
Software redundant port: Unsupported
jitter-tolerance: Unsupported

Verifying QoS Configuration and Performance


You can display a variety of QoS measures using the CLI.

Monitoring Performance - BlackDiamond 10K Switch Only


After you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor on the BlackDiamond 10K switch to determine whether the application performance meets your expectations. QoS features performance monitoring with a snapshot display of the monitored ports. To view switch performance per port, enter the following command:

show ports <port_list> qosmonitor {ingress | egress} {no-refresh}

NOTE
You must specify ingress to view the ingress rate-shaping performance. By default, this command displays the egress performance.

Displaying QoS Profile Information on the BlackDiamond 10K Switch Only


To display QoS information on the BlackDiamond 10K switch, enter the following command:

show qosprofile {ingress | egress} {ports [all | <port_list>]}

Displayed information includes:

QoS profile name
Minimum bandwidth
Maximum bandwidth
Priority

Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches and Summit X450 Switch Only
To display QoS information on the BlackDiamond 8800 family of switches and the Summit X450 switch, enter the following command:
show qos profile

Displayed information includes:


QoS profiles configured
Weight
Maximum buffer percent

Figure 33: Verifying QoS Configuration and Performance (slide). BlackDiamond 10K only:

show ports <port_list> qosmonitor {ingress | egress} {no-refresh}
show qosprofile {ingress | egress} {ports [all | <port_list>]}

BlackDiamond 8800 family of switches and Summit X450 only:

show qos profile

Other Useful QoS Display Commands


Additionally, QoS information can be displayed from the traffic grouping perspective by using one or more of the following commands.

To display the QoS profile assignments to the VLAN, enter the following command:

show vlan

To display information including QoS for the port, enter the following command:

show ports <list> info {detail}

To display policy files that may affect QoS, enter the following command:

show policy detail

Figure 34: Other Useful QoS Display Commands (slide: show vlan; show ports <list> info {detail}; show policy {detail})

Egress Traffic Rate Limiting - BlackDiamond 8800 Family of Switches and Summit X450 Switch Only
You can configure the maximum egress traffic allowed per port by specifying the committed rate, or you can allow the egress traffic to pass as an unlimited flow. You can limit egress traffic on a 1 Gbps port in increments of 64 Kbps; on a 10 Gbps port, you can limit egress traffic in increments of 1 Mbps. Optionally, you can also configure a maximum burst size, which is higher than the limit, allowed to egress the specified port(s) for a burst, or short duration. The default behavior is to have no limit on the egress traffic per port. To configure an egress traffic rate limit for a port or group of ports, enter the following command:

configure ports <port_list> rate-limit egress [no-limit | <cir-rate> [Kbps | Mbps | Gbps] {max-burst-size <burst-size> [Kb | Mb]}]

Syntax Description

port_list        Specifies one or more ports or slots and ports.
no-limit         Specifies traffic be transmitted without limit; use to reconfigure or unconfigure previous rate-limiting parameters.
cir-rate         Specifies the desired rate limit in Kbps, Mbps, or Gbps.
max-burst-size   Specifies amount of traffic above the cir-rate that is allowed to burst (for a short duration) from the port in K bits (Kb) or M bits (Mb).

To view the configured egress port rate-limiting behavior, issue the following command:
show ports {mgmt | <port_list>} information {detail}

You must use the detail parameter to display the Egress Port Rate configuration and, if configured, the Max Burst size. You can also display this information using the following command:

show configuration vlan
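A token-bucket model of the committed rate and maximum burst size, added here to illustrate the two parameters of the rate-limit command (written for this guide, not Extreme Networks code, and not a reproduction of the hardware policer). Credit accrues at the CIR; a frame is transmitted only when the bucket holds at least its size; with max-burst-size the bucket can hold that many kilobits, so an idle port builds up credit that lets a burst above the CIR through until it drains. The `valid_cir` check encodes the increments stated above (64 Kbps on 1 Gbps ports, 1 Mbps on 10 Gbps ports); the "1G"/"10G" labels and the offered traffic are this example's own constructions.

```python
"""Token-bucket model of egress rate limiting (added illustration)."""

from typing import Optional, Tuple

# Configurable CIR increments stated in the text: 64 Kbps on a 1 Gbps port,
# 1 Mbps on a 10 Gbps port. The port-type labels are this example's own.
CIR_INCREMENT_KBPS = {"1G": 64, "10G": 1000}


def valid_cir(port_type: str, cir_kbps: int) -> bool:
    """True if the CIR lies on the configurable increment for the port type."""
    step = CIR_INCREMENT_KBPS[port_type]
    return cir_kbps > 0 and cir_kbps % step == 0


class EgressLimiter:
    """Credit (in bits) accrues at the CIR each millisecond. With max_burst_kb
    the bucket holds that many kilobits; without it the bucket holds one
    tick's credit, so egress can never exceed the CIR."""

    def __init__(self, cir_kbps: int, max_burst_kb: Optional[int] = None):
        self.credit_per_ms = cir_kbps                      # 1 Kbps == 1 bit/ms
        self.capacity = (max_burst_kb * 1000 if max_burst_kb is not None
                         else self.credit_per_ms)
        self.tokens = self.capacity                        # starts full (idle port)

    def tick(self) -> None:
        """Advance one millisecond: add a tick's credit, capped at capacity."""
        self.tokens = min(self.capacity, self.tokens + self.credit_per_ms)

    def send(self, frame_bytes: int) -> bool:
        """Try to transmit one frame; False means it exceeds the allowance."""
        bits = frame_bytes * 8
        if bits > self.tokens:
            return False
        self.tokens -= bits
        return True


def offer(limiter: EgressLimiter, frames_per_ms: int, frame_bytes: int,
          duration_ms: int) -> Tuple[int, int]:
    """Offer `frames_per_ms` frames every millisecond; return (sent, dropped)."""
    sent = dropped = 0
    for _ in range(duration_ms):
        limiter.tick()
        for _ in range(frames_per_ms):
            if limiter.send(frame_bytes):
                sent += 1
            else:
                dropped += 1
    return sent, dropped


def egress_kbps(sent: int, frame_bytes: int, duration_ms: int) -> float:
    """Achieved egress rate in Kbps (bits per millisecond)."""
    return sent * frame_bytes * 8 / duration_ms


if __name__ == "__main__":
    # Constructed load: 16 frames of 1000 bytes per ms (128 Mbps offered)
    # against a 64 Mbps CIR on a 1 Gbps port (64000 is a multiple of 64).
    assert valid_cir("1G", 64000)
    sent, dropped = offer(EgressLimiter(64000), 16, 1000, 100)
    print(sent, dropped, egress_kbps(sent, 1000, 100))        # 800 800 64000.0
    # Same load with a 1000 Kb maximum burst: credit built before the load
    # arrived lets extra frames through until the bucket drains to the CIR.
    sent_b, dropped_b = offer(EgressLimiter(64000, max_burst_kb=1000), 16, 1000, 100)
    print(sent_b, dropped_b)                                   # 917 683
```

In the burst case the first 14 milliseconds pass at the full offered rate, the 15th partially, and from then on exactly the CIR; the burst parameter changes how much excess is admitted at the start, not the steady-state rate.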

Figure 35: Egress Traffic Rate Limiting - BlackDiamond 8800 Family of Switches and Summit X450 Switch Only (slide: maximum egress traffic allowed per port is configurable; 1 Gbps ports in 64 Kbps increments, 10 Gbps ports in 1 Mbps increments; configurable maximum burst rate)

Figure 36: Egress Traffic Rate Limiting Sample Configuration

Bi-Directional Rate Shaping - BlackDiamond 10K Switch Only


With software version 11.0, you can configure and display bi-directional rate shaping parameters on the BlackDiamond 10K switch. Bi-directional rate shaping allows you to manage bandwidth on Layer 2 and Layer 3 traffic flowing to each port on the switch and from there to the backplane. You can configure up to 8 ingress queues, which send traffic to the backplane, per physical port on the I/O module. By defining minimum and maximum bandwidth for each queue, you define committed and peak information rates for each queue. You can define different priorities for each queue for each port.

Rate shaping on the ingress port allows the switch to enforce how much traffic from a particular port can ingress to the system. Bi-directional rate shaping on the BlackDiamond 10K switch controls the traffic from the ingress ports to the backplane and provides guaranteed minimum rates. The number of queues from the ingress port to the backplane differs between I/O modules: the 1 Gbps I/O module has 2 queues from the ingress port to the backplane, and the 10 Gbps I/O module has 8. You set minimum bandwidth, maximum bandwidth, and priority for each queue for each port.

Prioritization applies when two or more hardware queues on the same physical port are contending for transmission, and only after their respective bandwidth management parameters have been satisfied. Once the priorities are satisfied, the switch uses a round-robin system to empty the queues to the backplane. Table 7 displays the mapping of the ingress queues and the priority value for each I/O module.

Viewing Discarded Traffic Statistics


Using bi-directional rate shaping, excess traffic is discarded at the I/O module and does not traverse to the backplane. To view statistics on the discarded traffic, enter one of the following commands:

show ports qosmonitor
show ports information

The 802.1p value is mapped to the ingress queue. For untagged ports, use port- or VLAN-based QoS to map traffic to the ingress queue.


Figure 37: Bi-Directional Rate Shaping (slide: allows Committed Information Rate (CIR)-type services over Ethernet; each service has bi-directional bandwidth management (min%, max%); all existing classifications (e.g. DiffServ) and queues can be used for 8 classes of service in both directions. The diagram shows a port with queue Q0 at 15 Mb/s max, Q6 at 10 Mb/s min and Q7 at 5 Mb/s min.)

Table 7: Ingress queue mapping for I/O modules on the BlackDiamond 10K Switch

I/O module       Ingress queue   Priority value
1 Gbps module    IQP1            1 to 4
                 IQP2            5 to 8
10 Gbps module   IQP1            1
                 IQP2            2
                 IQP3            3
                 IQP4            4
                 IQP5            5
                 IQP6            6
                 IQP7            7
                 IQP8            8


BlackDiamond 10K Bandwidth Settings


You apply ingress QoS profile (IQP or rate shaping) values on the BlackDiamond 10K switch as either a percentage of bandwidth or as an absolute value in Kbps or Mbps. IQP bandwidth settings are in turn applied to queues on physical ports. The impact of the bandwidth setting is determined by the port speed (1 or 10 Gbps).

NOTE
You may see slightly different bandwidths because the switch supports granularity down to 62.5 Kbps.

Maximum Bandwidth Settings


The maximum bandwidth settings determine the port bandwidth available to each of the ingress port queues.

Minimum Bandwidth Settings


The minimum bandwidth settings, or maximum committed rate settings, determine the port bandwidth reserved for each of the ingress port queues. Table 8 displays the maximum committed rates available for each port on each BlackDiamond 10K switch I/O module. Note that these maximum committed rates vary with the number of active ports on each I/O module. The rates shown in Table 8 are what you can expect when all ports are carrying traffic. If you are using fewer ports, you will have higher committed rates available for each port, and the maximum committed rate is reached when you are running traffic on only one port.

NOTE
Cumulative percentages of minimum bandwidth of the queues on a given port should not exceed 100%

If you choose a setting not listed in the tables, the setting is rounded up to the next value. If the actual bandwidth used is below the minimum bandwidth, the additional bandwidth is not available for other queues on that physical port.

Figure 38: BlackDiamond 10K Bandwidth Settings (slide: ingress QoS profile values are entered as either a percentage of bandwidth or an absolute value in Kbps or Mbps; bandwidth settings are applied to queues on physical ports; port speed (1 or 10 Gbps) affects the resulting bandwidth)

Table 8: Maximum committed rates per port for I/O modules on the BlackDiamond 10K Switch

I/O module       MSM configuration   Maximum committed rate
1 Gbps module    Single MSM          200 Mbps
                 Dual MSM            400 Mbps
10 Gbps module   Single MSM          2 Gbps
                 Dual MSM            4 Gbps


Configuring Bi-Directional Rate Shaping


Bi-directional rate shaping allows you to manage bandwidth on Layer 2 and Layer 3 traffic flowing both to and from the switch. By defining minimum and maximum bandwidth for each queue, you can define:

committed information rates for each queue
different ingress and egress rates

You can then provide traffic groupings (such as physical port, VLAN, 802.1p, DiffServ, IP address, or layer 4 flow) for the predefined QoS profiles, directing specific types of traffic to the desired queue. The maximum bandwidth or rate defined in the BlackDiamond 10K switch ingress QoS profile defines the rate limit for ingress traffic on rate-shaped ports. You set minimum and maximum rates for each queue on the ingress port, using either a percentage of total bandwidth or absolute values for committed and peak rates in Kbps or Mbps. You also set the priority level for each queue. To define rate shaping on a port, you assign a minimum and maximum bandwidth or rate plus a priority value to each queue on the ingress port with the following command:

configure qosprofile ingress <iqp> [{committed_rate <committed_bps> [k | m]} {maxbw <maxbw_number>} {minbw <minbw_number>} {peak_rate <peak_bps> [k | m]} {priority [<priority> | <priority_number>]}] ports [<port_list> | all]

If you choose to use committed rate and peak rate values, be aware of the interactions between the values and the command line interface (CLI) management system. You can enter any integer from 0 in the CLI; however, functionally the switch operates only in multiples of 62.5 Kbps. Also note that the CLI does not accept decimals.

Rate shaping is disabled by default on all ports; the system does use existing 802.1p, port, and VLAN values to assign packets to the ingress queue. The rate shaping function is used to assign specific priorities by absolute rates or percentages of the bandwidth. To enable this rate shaping feature, use the configure qosprofile ingress command above. To disable rate shaping, enter the following command:

unconfigure qosprofile ingress ports all

To display the parameters for rate shaping (the values for the IQPs), enter the following commands:

show qosprofile {ingress | egress} {ports [all | <port_list>]}
show ports {mgmt | <port_list>} information {detail}

Additionally, you can monitor the performance on the BlackDiamond 10K switch by using the following command:

show ports <port_list> qosmonitor {ingress | egress} {no-refresh}

NOTE
You must specify ingress to view ingress rate shaping performance.
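Before typing a set of ingress QoS profile values into a BlackDiamond 10K switch, it helps to check the plan against the constraints this module lists: the queues that exist on each I/O module (Table 7), the 62.5 Kbps granularity with round-up to the next value, the rule that cumulative minimum bandwidth on a port must not exceed 100%, and the per-port maximum committed rates in Table 8. The following Python planner is an added example, not Extreme Networks code; the port name 3:1 and the queue values are constructed, and treating the Table 8 figure as a ceiling on the sum of all queues' committed rates on one port is this example's own reading of the text.

```python
"""Pre-check a BlackDiamond 10K ingress rate-shaping (IQP) plan before typing
it in.  Added example, not Extreme Networks code.  Queue mapping is Table 7 and
the per-port committed-rate ceilings are Table 8 of this module; applying the
Table 8 figure to the sum of all queues' committed rates on one port is this
example's own reading of the text."""
from math import ceil

GRANULARITY_BPS = 62_500    # the switch operates in multiples of 62.5 Kbps
PORT_SPEED_BPS = {"1g": 1_000_000_000, "10g": 10_000_000_000}

# Table 7: priority value -> ingress queue, per I/O module
QUEUE_FOR_PRIORITY = {
    "1g":  {p: ("IQP1" if p <= 4 else "IQP2") for p in range(1, 9)},
    "10g": {p: "IQP%d" % p for p in range(1, 9)},
}
# Table 8: maximum committed rate per port with all ports active, in bps
MAX_COMMITTED_BPS = {
    ("1g", "single"): 200_000_000, ("1g", "dual"): 400_000_000,
    ("10g", "single"): 2_000_000_000, ("10g", "dual"): 4_000_000_000,
}


def queue_for_priority(module: str, priority: int) -> str:
    """Ingress queue that Table 7 assigns to a priority value on this module."""
    return QUEUE_FOR_PRIORITY[module][priority]


def round_up_to_granularity(bps: int) -> int:
    """Values not on the 62.5 Kbps grid are rounded up to the next value."""
    return ceil(bps / GRANULARITY_BPS) * GRANULARITY_BPS


def plan_rate_shaping(module: str, msm: str, port: str, queues: dict):
    """queues maps an IQP name to (minbw_pct, maxbw_pct, priority).
    Returns (errors, cli_lines, committed_bps_per_queue); an empty error list
    means the plan respects the limits this module states."""
    errors, cli, committed = [], [], {}
    valid = set(QUEUE_FOR_PRIORITY[module].values())
    speed = PORT_SPEED_BPS[module]
    for iqp, (minbw, maxbw, prio) in queues.items():
        if iqp not in valid:
            errors.append("%s does not exist on the %s I/O module" % (iqp, module))
            continue
        if not 0 <= minbw <= maxbw <= 100:
            errors.append("%s: need 0 <= minbw <= maxbw <= 100, got %s/%s" % (iqp, minbw, maxbw))
        # minbw is a share of the port speed; the switch rounds it onto its grid
        committed[iqp] = round_up_to_granularity(speed * minbw // 100)
        cli.append("configure qosprofile ingress %s maxbw %d minbw %d priority %d ports %s"
                   % (iqp, maxbw, minbw, prio, port))
    total_min = sum(queues[q][0] for q in committed)
    if total_min > 100:
        errors.append("cumulative minbw on port %s is %d%% (> 100%%)" % (port, total_min))
    cap = MAX_COMMITTED_BPS[(module, msm)]
    total_bps = sum(committed.values())
    if total_bps > cap:
        errors.append("committed rates total %d Mbps, above the Table 8 maximum of %d Mbps "
                      "for the %s module with %s MSM" % (total_bps // 1_000_000,
                                                         cap // 1_000_000, module, msm))
    return errors, cli, committed


if __name__ == "__main__":
    # Constructed plan on a 10 Gbps module, single MSM: 5% + 10% + 15% of 10 Gbps
    # reserves 3 Gbps of committed rate, above the 2 Gbps Table 8 ceiling.
    errs, lines, rates = plan_rate_shaping("10g", "single", "3:1",
        {"IQP1": (5, 100, 1), "IQP7": (10, 50, 7), "IQP8": (15, 40, 8)})
    print("\n".join(errs or lines))
```

Running the planner with the constructed values above reports the Table 8 overrun before any command reaches the switch; with a plan that fits, it prints the configure qosprofile ingress lines to paste in.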

Figure 39: Configuring Bi-Directional Rate Shaping

Modifying a QoS Policy


If you make a change to the parameters of a QoS profile after a QoS policy has been created (by applying a QoS profile to a traffic grouping), the timing of the configuration change depends on the traffic grouping involved. To have a change in QoS profile effect a change in the QoS policy, the following rules apply:

For destination MAC-based grouping (other than permanent), you must clear the MAC FDB. To clear the MAC FDB, enter the following command:

clear fdb

This command should also be issued after a policy is first formed, as the policy must be in place before an entry is made in the MAC FDB.

For permanent destination MAC-based grouping, re-apply the QoS profile to the static FDB entry.

For physical and logical groupings of a source port or VLAN, re-apply the QoS profile to the source port or VLAN.

Figure 40: Modifying a QoS Policy

Assigning Policy-Based QoS: Review


Step 1 Make a QoS profile
QoS profile A class of service that is defined through minimum and maximum bandwidth parameters, configuration of buffering, and prioritization settings. The bandwidth and level of service that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS profile.

Step 2 Create a Traffic grouping.


A traffic grouping is a classification or traffic type that has one or more attributes in common. These can range from a physical port to a VLAN to IP Layer 4 port information. Traffic groupings are assigned to QoS profiles to modify switch forwarding behaviour. Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, and hence share the class of service.

Step 3 Create a QoS policy


Assign one or more traffic groupings to a QoS profile to create a QoS policy.

Figure 41: Assigning Policy-Based QoS (slide: 1. Configure a default QoS profile; 2. Assign one or more traffic groupings to a QoS profile to create a QoS policy. The diagram shows packets in, classification in an ordered hierarchy (Layer 1, 2, 3, 4, 802.1p, IP DiffServ packet info), QoS profiles (QpX - Essential Traffic, 5% min/100% max, high priority; Qp1 - Best Effort Traffic, 0% min/100% max, low priority), the resulting policy, and packets out.)

Summary
You should now be able to:

Define QoS
Identify two major benefits of QoS
Identify five major traffic types
Describe policy-based QoS
Sequence the three steps required to assign QoS attributes
Define QoS profile
Describe QoS profile parameters
Configure QoS profile
Identify differences between configuring QoS on the BlackDiamond 8800 Family of Switches and Summit X450 and configuring QoS on a BlackDiamond 10K
Define traffic grouping
Sequence traffic groupings in order of precedence (highest to lowest)
Describe IP-based traffic grouping
Describe destination MAC address traffic grouping
Configure destination MAC address traffic grouping
Describe Explicit Class of Service traffic grouping
Configure Explicit Class of Service traffic grouping
Describe physical and logical groupings
Describe QoS policy
Verify QoS traffic grouping priority settings
Reset priority setting to default values
Monitor QoS
Modify a QoS policy
Configure Egress Traffic Rate Limiting on the BlackDiamond 8800 family of switches and Summit X450 switch
Configure Bi-Directional Rate Shaping on the BlackDiamond 10K switch

Figure 42: Summary

Figure 43: Summary (cont)

Module 9 sFlow

Student Objectives
Upon completion of this module, the successful student will be able to:

Define sFlow
Identify sFlow applications
List components required for sFlow
Describe ExtremeWare XOS sFlow implementation
Sequence the sFlow configuration steps on an Extreme Networks switch
Configure sFlow on an Extreme Networks switch
Reset sFlow values to their default values on an Extreme Networks switch
Display sFlow configuration and statistics related information

Figure 1: Student Objectives

sFlow
sFlow is a technology for monitoring traffic in data networks containing switches and routers. It relies on statistical sampling of packets from high-speed networks, plus periodic gathering of the statistics. A User Datagram Protocol (UDP) datagram format is defined to send the information to an external entity for analysis. sFlow consists of a Management Information Base (MIB) and a specification of the packet format for forwarding information to a remote agent.

Applications
Network Troubleshooting
sFlow enables the viewing of network traffic. Normal traffic serves as a baseline metric; irregular network traffic patterns then become visible, facilitating analysis and resolution.

Controlling Congestion
Using sFlow, it is possible to monitor traffic flows through ports. Highly subscribed links can be identified along with their associated traffic sources. sFlow data can help determine the appropriate response, such as selective bandwidth provisioning or traffic priority.

Security and Audit Trail Analysis


sFlow provides network-wide information gathering and route tracing data. Activity generated by possible internal and external threats can be identified and controlled.

Route Profiling
sFlow data on active traffic routes and flows can be analyzed, enabling a network administrator to optimize and tune the network routing.

Accounting and Billing for Usage


sFlow data is also useful when determining network service charges to clients. It is possible to give customers an itemized breakdown of their traffic, with top client applications highlighted.

Additional Information
Details of sFlow specifications can be found in RFC 3176, and specifications and more information can be found at the following website: http://www.sflow.org

Figure 2: sFlow (slide: traffic monitoring technology supported by various switch and router manufacturers; applications: network troubleshooting, controlling congestion, security and audit trail analysis, route profiling, accounting and billing for usage)

Figure 3: http://www.sflow.org

sFlow Components
An sFlow solution consists of network equipment and software applications.

Network Equipment
An sFlow Agent software process resides at the network management software level of a switch. The switching and routing ASICs feed traffic data to the sFlow Agent. The sFlow Agent performs minimal processing: it just packages data into sFlow datagrams that are immediately forwarded.

Software Applications
sFlow datagrams are captured by sFlow Collector applications. sFlow applications provide a variety of functionality, including network traffic analysis, troubleshooting, audit trail security analysis, and accounting for billing.

Figure 4: sFlow Components (slide: network equipment runs sFlow Agents; software applications are sFlow Collectors)

ExtremeWare XOS sFlow Implementation


The ExtremeWare XOS implementation is based on sFlow version 5, which is an improvement from the revision specified in RFC 3176. Additionally, the switch hardware allows you to set the hardware sampling rate independently for each module on the switch, instead of requiring one global value for the entire switch. The switch software also allows you to set the individual port sampling rates, so you can fine-tune the sFlow statistics gathering. Per the RFC, sFlow sampling is done on ingress only.

NOTE
On the BlackDiamond 8800 family of switches, sFlow and mirroring are mutually exclusive. You can enable either sFlow, or mirroring, but not both.

However, you should be aware of a few limitations in the current release. The current release supports:

Generic port statistics reported to the sFlow collector
Non-extended data
Only those packets that do not match an ACL rule are considered for sampling
Only port-based sampling
No MIB support

Figure 5: ExtremeWare XOS sFlow Implementation (slide: based on sFlow version 5; hardware sampling rate set independently for each module; per-port sampling rates; sampling on ingress only; no MIB support)

Configuring sFlow
ExtremeWare XOS allows you to collect sFlow statistics on a per port basis. An agent, residing locally on the switch, sends data to a collector that resides on another machine. You configure the local agent, the address of the remote collector, and the ports of interest for sFlow statistics gathering. You can also modify default values for how frequently on average a sample is taken and the maximum number of samples allowed before throttling the sample gathering. To configure sFlow on a switch, you must do the following tasks:

Configure the local agent
Configure the addresses of the remote collectors
Enable sFlow globally on the switch
Enable sFlow on the desired ports

Optionally, you may also change the default values of the following items:

How often the statistics are collected
How frequently a sample is taken, globally or per port
How many samples per second can be sent to the CPU

Configuring the Local Agent


The local agent is responsible for collecting the data from the samplers and sending that data to the remote collector as a series of UDP datagrams. The agent address is stored in the payload of the sFlow data, and is used by the sFlow collector to identify each agent uniquely. By default, the agent uses the management port IP address as its IP address. You change the agent IP address by entering the following command:

configure sflow agent {ipaddress} <ip-address>

You unconfigure the agent using this command:

unconfigure sflow agent

Configuring the Remote Collector Address


You can specify up to four remote collectors to send the sFlow data to. Typically, you would configure the IP address of each collector. You may also specify a UDP port number different from the default value of 6343, and/or a virtual router different from the default of VR-Mgmt. When you configure a collector, the system creates a database entry for that collector that remains until the collector is unconfigured. Configure the remote collector by entering the following command:

configure sflow collector {ipaddress} <ip-address> {port <udp-port-number>} {vr <vrname>}

To unconfigure the remote collector and remove it from the database, type the following command:

unconfigure sflow collector {ipaddress} <ip-address> {port <udp-port-number>} {vr <vrname>}
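What the collector receives on UDP port 6343 is an sFlow version 5 datagram: a header carrying the agent address that identifies the switch, followed by one or more samples, each tagged with the sampling rate in force when the packet was taken. The following Python is an added collector-side example, not Extreme Networks or sFlow.org code; it parses the datagram header and flow samples carrying a raw packet header record, skips other sample and record types by their length, and scales sampled frame lengths by the sampling rate to estimate traffic volume. The agent address 192.0.2.1, the MAC address, the interface indexes and the counter values in the built datagram are all constructed for the example.

```python
"""Minimal collector-side parser for an sFlow v5 datagram.  Added example, not
Extreme Networks or sFlow.org code.  It handles the datagram header and flow
samples (enterprise 0, format 1) carrying a raw packet header record, and skips
other sample or record types by their length.  The datagram built at the end is
constructed by hand: agent 192.0.2.1, a made-up MAC address, invented counters."""
import struct

SFLOW_DEFAULT_PORT = 6343   # UDP port the collector listens on by default


def _u32s(data: bytes, off: int, n: int):
    """Unpack n big-endian unsigned 32-bit words at byte offset off."""
    return struct.unpack_from("!%dI" % n, data, off), off + 4 * n


def parse_sflow_v5(data: bytes) -> dict:
    """Parse the sFlow v5 header and every sample in the datagram."""
    (version, addr_type), off = _u32s(data, 0, 2)
    if version != 5:
        raise ValueError("unsupported sFlow version %d" % version)
    if addr_type == 1:                                   # IPv4 agent address
        agent = ".".join(str(b) for b in data[off:off + 4])
        off += 4
    elif addr_type == 2:                                 # IPv6 agent address
        agent = data[off:off + 16].hex()
        off += 16
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    (sub_agent, seq, uptime_ms, n_samples), off = _u32s(data, off, 4)
    samples = []
    for _ in range(n_samples):
        (fmt, length), off = _u32s(data, off, 2)        # fmt = enterprise<<12 | format
        body, off = data[off:off + length], off + length
        samples.append(_parse_flow_sample(body) if fmt == 1
                       else {"format": fmt, "skipped": True})
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}


def _parse_flow_sample(body: bytes) -> dict:
    (seq, source_id, rate, pool, drops, inp, outp, n_rec), off = _u32s(body, 0, 8)
    records = []
    for _ in range(n_rec):
        (fmt, length), off = _u32s(body, off, 2)
        rec, off = body[off:off + length], off + length
        if fmt == 1:                                     # raw packet header record
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!4I", rec, 0)
            records.append({"protocol": proto, "frame_length": frame_len,
                            "stripped": stripped, "header": rec[16:16 + hdr_len]})
    return {"sequence": seq, "source_id": source_id, "sampling_rate": rate,
            "sample_pool": pool, "drops": drops, "input": inp, "output": outp,
            "records": records}


def estimate_bytes(datagram: dict) -> int:
    """Scale every sampled frame by the sampling rate in force when it was
    taken (1-in-N sampling means each sample stands for about N frames)."""
    return sum(r["frame_length"] * s["sampling_rate"]
               for s in datagram["samples"] if not s.get("skipped")
               for r in s["records"])


def build_sample_datagram() -> bytes:
    """Constructed datagram with one flow sample at the default 1-in-8192 rate."""
    eth = bytes.fromhex("ffffffffffff" "0000aabbccdd" "0800")    # 14-byte Ethernet header
    raw = struct.pack("!4I", 1, 1514, 4, len(eth)) + eth + b"\x00\x00"   # pad to 4 bytes
    flow = struct.pack("!8I", 1, 0x00000005, 8192, 3 * 8192, 0, 5, 6, 1)
    flow += struct.pack("!2I", 1, len(raw)) + raw
    hdr = struct.pack("!2I", 5, 1) + bytes([192, 0, 2, 1]) + struct.pack("!4I", 0, 7, 123456, 1)
    return hdr + struct.pack("!2I", 1, len(flow)) + flow


if __name__ == "__main__":
    d = parse_sflow_v5(build_sample_datagram())
    print(d["agent"], d["sequence"], estimate_bytes(d))   # 192.0.2.1 7 12402688
```

Because the agent address travels inside the payload rather than being taken from the IP header, a collector that keys its per-switch state on this field sees one record per configured agent address even when several datagrams share a source IP; the sampling rate likewise comes from each sample, which matters once the CPU throttle described later in this module has doubled a slot's rate.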

Figure 6: Configuring sFlow (slide: 1. configure the local agent; 2. configure the addresses of the remote collectors; 3. enable sFlow globally on the switch; 4. enable sFlow on the desired ports)

Figure 7: Configuring the Local Agent and Remote Collector Address

Enabling sFlow Globally on the Switch
Before the switch will start sampling packets for sFlow, you must enable sFlow globally on the switch. To enable sFlow globally, type the following command:

enable sflow

You disable sFlow globally with the following command:

disable sflow

When you disable sFlow globally, the individual ports are also put into the disabled state. If you later enable the global sFlow state, individual ports return to their previous state.

Enabling sFlow on the Desired Ports


Enable sFlow on specific ports by entering the following command:

enable sflow ports <port_list>

You may enable and disable sFlow on ports irrespective of the global state of sFlow, but samples are not taken until both the port state and the global state are enabled. To disable sFlow on ports, type the following command:

disable sflow ports <port_list>

Figure 8: Enabling sFlow Globally on the Switch and Specific Ports

Additional sFlow Configuration Options


There are three global options that you can configure to different values from the defaults. These affect how frequently the sFlow data is sent to the remote collector, how frequently packets are sampled, and the maximum number of sFlow samples that could be processed in the CPU per second. You can also configure how frequently packets are sampled per port.

Polling Interval
Each port counter is periodically polled to gather the statistics to send to the collector. If there is more than one counter to be polled, the polling is distributed in such a way that each counter is visited once during each polling interval, and the data flows are spaced in time. For example, assume that the polling interval is 20 seconds and there are 40 counters to poll. Two ports will be polled each second, until all 40 are polled. To configure the polling interval, type the following command:

configure sflow poll-interval <seconds>

Global Sampling Rate


This is the rate that newly enabled sFlow ports will have their sample rate set to. Changing this rate will not affect currently enabled sFlow ports. The default sample rate is 8192, so by default sFlow samples one packet out of every 8192 received. You configure the switch to use a different sampling rate with the following command:

configure sflow sample-rate <number>

For example, if you set the sample rate number to 16384, the switch samples one out of every 16384 packets received. Higher numbers mean fewer samples and longer times between samples. If you set the number too low, the number of samples can be very large, which increases the load on the switch. Do not configure the sample rate to a number lower than the default unless you are sure that the traffic rate on the source is low.

Per Port Sampling Rate


You can set the sampling rate on individual ports by entering the following command:

configure sflow ports <port_list> sample-rate <number>

Maximum CPU Sample Limit


A high number of samples can cause a heavy load on the switch CPU. To limit the load, there is a CPU throttling mechanism to protect the switch. Whenever the limit is reached, the sample rate value is doubled on the slot from which the maximum number of samples are received. For ports on that slot that are sampled less frequently, the sampling rate is not changed; the sub-sampling factor is adjusted downward. To configure the maximum CPU sample limit, type the following command:

configure sflow max-cpu-sample-limit <rate>
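The options above interact: the sampling rate determines how many samples per second a port's packet rate produces, the polling interval spreads counter polls over time, and the maximum CPU sample limit reacts when the total is too high. The following Python is an added example, not ExtremeWare XOS code: it computes expected samples per second, derives the lowest sample rate that stays within a samples-per-second budget, reproduces the 40-counters-in-20-seconds polling example from the text, and models the throttle (doubling the sample rate on the slot producing the most samples until the total fits) as a simplified loop. The per-slot packet rates are constructed.

```python
"""Sizing sFlow sampling for the switch CPU.  Added example, not ExtremeWare
XOS code: expected samples per second from a packet rate and a 1-in-N sample
rate, counter polling spread over the poll interval as the text describes, and
a simplified model of the max-cpu-sample-limit throttle (double the sample
rate on the slot producing the most samples until the total fits)."""
from math import ceil

DEFAULT_SAMPLE_RATE = 8192      # default: one packet in 8192 is sampled


def expected_samples_per_sec(pps: float, sample_rate: int) -> float:
    """With 1-in-N sampling, a port carrying pps packets/s yields pps/N samples/s."""
    return pps / sample_rate


def lowest_safe_sample_rate(pps: float, samples_budget: float) -> int:
    """Smallest 1-in-N rate that keeps a port within a samples/s budget."""
    return max(1, ceil(pps / samples_budget))


def poll_schedule(poll_interval_s: int, counters: list) -> dict:
    """Spread counters so each is visited once per interval: second -> counters."""
    per_second = ceil(len(counters) / poll_interval_s)
    return {sec: counters[sec * per_second:(sec + 1) * per_second]
            for sec in range(poll_interval_s)
            if counters[sec * per_second:(sec + 1) * per_second]}


def throttle(slots: dict, max_cpu_samples: float):
    """slots maps a slot number to {"pps": packets/s, "rate": sample rate}.
    Model of the CPU throttle: while the total exceeds the limit, double the
    sample rate on the slot sending the most samples.  Returns (slots, rounds)."""
    slots = {s: dict(v) for s, v in slots.items()}   # do not mutate the caller's dict
    rounds = 0

    def load(s):
        return expected_samples_per_sec(slots[s]["pps"], slots[s]["rate"])

    while sum(load(s) for s in slots) > max_cpu_samples:
        busiest = max(slots, key=load)
        slots[busiest]["rate"] *= 2
        rounds += 1
    return slots, rounds


if __name__ == "__main__":
    # Constructed load: slot 1 at 10 M packets/s, slot 2 at 1 M packets/s, both at the default rate.
    load = {1: {"pps": 10_000_000, "rate": DEFAULT_SAMPLE_RATE},
            2: {"pps": 1_000_000, "rate": DEFAULT_SAMPLE_RATE}}
    adjusted, rounds = throttle(load, 500)
    print(rounds, adjusted)                       # 2 rounds; slot 1 ends at 1-in-32768
    print(lowest_safe_sample_rate(10_000_000, 500))   # 20000
    print(poll_schedule(20, list(range(40))))     # two counters per second
```

The model shows why the guide warns against lowering the sample rate on busy ports: at the default 1-in-8192 rate a slot carrying 10 million packets per second already produces over 1200 samples per second, and the throttle has to double that slot's rate twice before a 500-samples-per-second limit is met.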

Figure 9: Additional sFlow Configuration Options (slide: polling interval, global sampling rate, per port sampling rate, maximum CPU sample limit)

Resetting sFlow Values and Verifying sFlow Information


Unconfiguring sFlow
You can reset any configured values for sFlow to their default values and remove from sFlow any configured collectors and ports by entering the following command:

unconfigure sflow

Displaying sFlow Information


To display the current configuration of sFlow, type the following command:

show sflow {configuration}

To display the sFlow statistics, type the following command:

show sflow statistics

Figure 10: Resetting sFlow Values and Verifying sFlow Information

Figure 11: show sflow configuration

Summary
You should now be able to:

Define sFlow
Identify sFlow applications
List components required for sFlow
Describe ExtremeWare XOS sFlow implementation
Sequence the sFlow configuration steps on an Extreme Networks switch
Configure sFlow on an Extreme Networks switch
Reset sFlow values to their default values on an Extreme Networks switch
Display sFlow configuration and statistics related information

Figure 12: Summary

Module 10 Lab Exercises

ExtremeWare Security Fundamentals Rev 3.0


Lab 1 Basic Switch and Routing Configuration


Objectives
Upon successful completion of this lab, you will be able to:

Clear a switch of all previous configurations
Assign an SNMP name to the switch
Configure network VLANs with IP addresses
Enable VLANs for IP forwarding
Configure OSPF
Add switches to the Bbone VLAN
Display the following:
    IP route table on the switch
    Forwarding database
    ARP table
    IP forwarding database

Materials Required

One PC running VT100 terminal emulation software (TeraTerm Version 3.13 or higher is suggested)
One i-series Extreme Networks switch with Ethernet interfaces and no existing configuration
One PC to switch console cable
One PC to switch Ethernet cable connected to port 2 of the switch


Network Diagram

Remark
There are two cables connected between the switches instead of using an 802.1Q trunk. This is only done to demonstrate dynamic routing protocols due to topology changes in the following labs. Normally you would use only one cable and configure an 802.1Q trunk.


Part 1 Clearing the Switch Configuration and Naming the Switch


1 As described in the network diagram, cable the switches and PCs.
2 Clear the switch of all previous configuration, by entering the following command:
    unconfigure switch all
3 Name the switch according to the following template: EAS_LAB_<team number>, by entering the following command:
    configure snmp sysname EAS_LAB_X

Part 2 Configuring the VLANs


1 Delete all ports from VLAN default, by entering the following command:
    configure default delete port all
2 Depending on which VLANs your switch is connected to, create the VLANs Bbone, Alpha, Beta, Charlie, One, Two, Three, Four, Five, and Six, by entering the following command:
    create vlan <name>

Switch      VLAN    VLAN      VLAN    Router ID
EAS_LAB_1   Bbone   Alpha     One     1.1.1.1
EAS_LAB_2   Bbone   Alpha     Two     2.2.2.2
EAS_LAB_3   Bbone   Beta      Three   3.3.3.3
EAS_LAB_4   Bbone   Beta      Four    4.4.4.4
EAS_LAB_5   Bbone   Charlie   Five    5.5.5.5
EAS_LAB_6   Bbone   Charlie   Six     6.6.6.6


3 Add the following ports (untagged) to the VLANs, by entering the following command:
    configure <vlan name> add port <number>

VLAN      EAS_LAB_1   EAS_LAB_2   EAS_LAB_3   EAS_LAB_4   EAS_LAB_5   EAS_LAB_6
Bbone     4           4,5         4,5         4,5         4,5         5
Alpha     3           3
Beta                              3           3
Charlie                                                   3           3
One       2
Two                   2
Three                             2
Four                                          2
Five                                                      2
Six                                                                   2

4 Create the following routing interfaces:


VLAN      IP address     EAS_LAB_1   EAS_LAB_2   EAS_LAB_3   EAS_LAB_4   EAS_LAB_5   EAS_LAB_6
Bbone     10.0.0.N/24    yes         yes         yes         yes         yes         yes
Alpha     10.1.0.N/24    yes         yes
Beta      10.2.0.N/24                            yes         yes
Charlie   10.3.0.N/24                                                    yes         yes
One       10.1.N.N/24    yes
Two       10.1.N.N/24                yes
Three     10.2.N.N/24                            yes
Four      10.2.N.N/24                                        yes
Five      10.3.N.N/24                                                    yes
Six       10.3.N.N/24                                                                yes

N is the number of your switch.


5 Configure the PC with the following parameters:


PC   IP Address     Subnet Mask      Default Gateway
1    10.1.1.101     255.255.255.0    10.1.1.1
2    10.1.2.102     255.255.255.0    10.1.2.2
3    10.2.3.103     255.255.255.0    10.2.3.3
4    10.2.4.104     255.255.255.0    10.2.4.4
5    10.3.5.105     255.255.255.0    10.3.5.5
6    10.3.6.106     255.255.255.0    10.3.6.6

Part 3 Configuring OSPF Routing on the Backbone Area


1 Enable IP forwarding for all VLANs on your switch, by entering the following command:
    enable ipforwarding
2 Add all VLANs to the OSPF backbone area, by entering the following command:
    configure ospf add <vlan>
3 Add loopback interfaces for OSPF, by entering the following command:
    enable ospf
4 Enable the OSPF routing protocol on the switch, by entering the following command:
    enable ospf
5 From the PC and the switch, verify full network connectivity using ping and traceroute.

Part 4 Verifying Switch and Routing Configuration


1 Verify your switch configuration, by entering the following commands:
    show ipconfig
    show iproute
    show fdb
    show iparp

2 Display general OSPF information, by entering the following command:
    show ospf
3 Display area-specific information, by entering the following command:
    show ospf area
4 Display OSPF interface information, by entering the following command:
    show ospf interfaces
5 Configure the ports in VLAN Bbone at the lowest possible fixed speed, full duplex, and check the impact of this change on the routing table.
6 Save your current configuration in preparation for the next lab exercise.
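The three tables in Part 2 and the commands in Parts 1 to 3 describe one plan per switch. The following Python script is an added example, not part of the lab manual or of Extreme Networks' software: it encodes those tables and expands them into the CLI lines for switch N, so a team can generate its command list and compare it with what was typed (and check that the PC gateway in step 5 is the switch's own workstation-VLAN address). The `configure vlan <v> ipaddress <a>/24` and `configure ospf routerid` command forms are assumptions; the other commands are the ones the lab steps show.

```python
"""Expand the Lab 1 tables into the per-switch CLI for switch N.

Added example, not part of the lab manual: encodes the VLAN, port and IP
tables and emits the command list for one switch. The forms
"configure vlan <v> ipaddress <a>/24" and "configure ospf routerid" are
assumptions; the other commands are taken from the lab steps.
"""

# Switches carrying each VLAN (Part 2 step 2 table).
VLAN_SWITCHES = {
    "Bbone": (1, 2, 3, 4, 5, 6), "Alpha": (1, 2), "Beta": (3, 4), "Charlie": (5, 6),
    "One": (1,), "Two": (2,), "Three": (3,), "Four": (4,), "Five": (5,), "Six": (6,),
}

# Untagged ports per VLAN and switch (Part 2 step 3 table).
VLAN_PORTS = {
    "Bbone": {1: "4", 2: "4,5", 3: "4,5", 4: "4,5", 5: "4,5", 6: "5"},
    "Alpha": {1: "3", 2: "3"}, "Beta": {3: "3", 4: "3"}, "Charlie": {5: "3", 6: "3"},
    "One": {1: "2"}, "Two": {2: "2"}, "Three": {3: "2"},
    "Four": {4: "2"}, "Five": {5: "2"}, "Six": {6: "2"},
}

# Routing interface templates (Part 2 step 4 table); N is the switch number.
VLAN_IP = {
    "Bbone": "10.0.0.N", "Alpha": "10.1.0.N", "Beta": "10.2.0.N", "Charlie": "10.3.0.N",
    "One": "10.1.N.N", "Two": "10.1.N.N", "Three": "10.2.N.N", "Four": "10.2.N.N",
    "Five": "10.3.N.N", "Six": "10.3.N.N",
}

WORKSTATION_VLAN = {1: "One", 2: "Two", 3: "Three", 4: "Four", 5: "Five", 6: "Six"}


def vlans_for(n):
    """VLANs configured on switch n, in table order."""
    return [v for v, switches in VLAN_SWITCHES.items() if n in switches]


def interface_ip(vlan, n):
    """Substitute N into the address template for switch n."""
    return VLAN_IP[vlan].replace("N", str(n))


def pc_gateway(n):
    """PC n's gateway is its switch's address on the workstation VLAN (cross-check for step 5)."""
    return interface_ip(WORKSTATION_VLAN[n], n)


def lab1_commands(n):
    """Parts 1 to 3 of Lab 1 for switch n, as a list of CLI lines."""
    if n not in WORKSTATION_VLAN:
        raise ValueError("switch number must be 1..6")
    cmds = ["unconfigure switch all",
            f"configure snmp sysname EAS_LAB_{n}",
            "configure default delete port all"]
    for v in vlans_for(n):
        cmds += [f"create vlan {v}",
                 f"configure {v} add port {VLAN_PORTS[v][n]}",
                 f"configure vlan {v} ipaddress {interface_ip(v, n)}/24"]  # assumed form
    cmds.append("enable ipforwarding")
    cmds += [f"configure ospf add {v}" for v in vlans_for(n)]
    cmds += [f"configure ospf routerid {n}.{n}.{n}.{n}", "enable ospf"]  # assumed form
    return cmds


if __name__ == "__main__":
    print("\n".join(lab1_commands(1)))
```

Run it with your team number to get the block of commands to paste, then diff the output against `show configuration` after you have finished Part 3.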


Lab 2 Switch Access


Objectives
Upon successful completion of this lab, you are able to:

Create a new user account
Disable SNMP access
Set the switch idle timer
Configure the switch banner message
Load the SSH module
Set up a connection between an SSH2 client and an SSH2 server
Configure the switch as a RADIUS client

Materials Required

(optional) Packet sniffer or Ethernet analyzer
An additional PC/laptop plus cabling is introduced to act as the RADIUS server (10.0.0.100/24).
Trainer info: The RADIUS server (EPICenter recommended) needs all switches pre-configured as clients with the correct shared secret (12secure) and a user account for each switch (user-id team_x with password access).


Network Diagram

[Figure: Lab 2 network diagram (network and physical views). Six switches SA_LAB_1 to SA_LAB_6. Each switch N serves its workstation VLAN on port 2 (VLAN One 10.1.1.0/24, Two 10.1.2.0/24, Three 10.2.3.0/24, Four 10.2.4.0/24, Five 10.3.5.0/24, Six 10.3.6.0/24; switch address .N, PC address .10N). Switch pairs share VLAN A 10.1.0.0/24 (switches 1 and 2), VLAN B 10.2.0.0/24 (switches 3 and 4) and VLAN C 10.3.0.0/24 (switches 5 and 6), each switch using .N. All switches join VLAN Core 10.0.0.0/24 with address .N. The RADIUS server 10.0.0.100 is connected to port 1 of SA_LAB_3.]

NOTE
Only on switch 3, add port 1 (This is the port where the RADIUS server is connected) untagged to VLAN Bbone, by entering the following command:

configure Bbone add port 1


Part 1 Creating a New User Account, Disabling SNMP Access, and Configuring Idletimeouts
1 Create a new administrator account with name team_x (x = switch ID number) and password access, by entering the following command:
    create account admin team_x
2 Prevent SNMP access to the switch, by entering the following command:
    disable snmp access
3 Activate the switch idle-timeout feature, by entering the following command:
    enable idletimeouts
4 Configure the threshold to 10 minutes, by entering the following command:
    configure idletimeouts 10
5 Verify your configuration modifications, by entering the following command:
    show management

Part 2 Configuring the Switch Banner Message


1 Create the switch banner message that is displayed when a login is attempted, by entering the following commands:
    configure banner [Enter]
    Switch access for Authorized staff only. [Enter]
    Disconnect now if you have no permission to access. [Enter]
    E-Mail xxx@yyyyy.com for more information. [Enter]
    [Enter]

Up to 24 rows of text, 79 characters wide, can be entered.
Pressing [Enter] at the beginning of a new line saves the previously entered text and enables the login display banner.
Pressing [Enter] at the beginning of the first line clears the login display banner.

2 Verify the switch banner message is configured correctly by logging out and then logging in.

Part 3 Installing the SSH2 Module


1 Download the SSH module to the switch, by entering the following command:
    download image <ipaddress of pc> summitX450-11.3.1.1-ssh.xmod vr vr-Default
2 Enable the module, by entering the following command:
    run update


Part 4 Configuring SSH2


1 Generate an SSH2 key, by entering the following command:
    configure ssh2 key
Be patient; this process can take up to 10 minutes.
2 After generating the SSH2 key, activate SSH2, by entering the following command:
    enable ssh2
3 From your PC, launch the TeraTerm (version 3.13) application and choose SSH as the service. Fill in the switch IP address as the host and press OK. You will get a request to accept the new host key; click OK and log in with the team_x account created earlier. The host-key message is shown on the first connection attempt and every time the switch has generated new keys.
4 Verify the SSH2 configuration on the switch, by entering the following commands:
    show management
    show session
    show log
5 Set up an SSH2 session with your neighbor's switch (switch 1 with switch 2, switch 3 with switch 4, and switch 5 with switch 6). At your switch prompt, enter the following command:
    ssh2 team_x@10.0.0.x vr vr-default
x is the switch number.
6 A request for a password is displayed. Enter the password.
7 You should now be logged into the other switch. Notice that the CLI prompt has changed from your switch name to your neighbor's switch name.
8 Verify your connection on your neighbor's switch, by entering the following commands:
    show log
    show session
9 (optional) Verify that SSH2 encrypts sent and received data. Using an Ethernet sniffer, capture:
    a Telnet login to the switch
    an SSH2 login to the switch

You can see the difference in packets between Telnet (plain text) and SSH2 (encrypted) access if you capture login attempts using both protocols. Make sure you disconnect any Telnet or SSH session you have to the other switches when sniffing traffic.

Part 5 Configuring the Switch as a RADIUS Client


The next step is to include RADIUS as the authentication protocol for accessing the switch. The RADIUS server (10.0.0.100) is pre-configured by the trainer (accounts, clients and shared secret).
1 Configure your switch as a RADIUS client, by entering the following command:
    configure RADIUS mgmt-access primary server 10.0.0.100 client-ip 10.0.0.x vr VR-Default
x is the switch number.
2 Configure the shared secret 12secure, by entering the following command:
    configure RADIUS mgmt-access primary shared-secret 12secure


3 After configuring your switch as a RADIUS client with the specified RADIUS server and shared secret, enable RADIUS, by entering the following command:
    enable RADIUS mgmt-access
4 Confirm the RADIUS settings (default port 1812, RADIUS enabled, and so on), by entering the following command:
    show radius
5 Verify that RADIUS authentication is working. Create a new SSH2 session to the switch using the team_x account and check whether you were authenticated by RADIUS, by entering the following command:
    show session
6 Remove the cable from switch 3 port 1 and make a new connection (Telnet, SSH2 or console) using the team_x account. Note what happens: existing connections stay up when the RADIUS server becomes unreachable, while new connections are authenticated (after the timeout interval) against the local user database.
7 Reconnect the cable to port 1 of switch 3.
8 Save your current configuration in preparation for the next lab exercise.
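What the shared secret from steps 1 to 3 actually protects is easier to see in code. The following Python script is an added example, not the lab's or Extreme Networks' code and not a description of the switch's internal implementation: it models the RFC 2865 exchange between a RADIUS client (the switch, 10.0.0.x) and the server at 10.0.0.100 for the team_x account, including the User-Password hiding with the secret 12secure and the Response Authenticator the client checks on the reply. The team name, NAS address and Request Authenticator handling in `demo()` are constructed for illustration; no packets are sent.

```python
"""RFC 2865 password hiding and response authentication between a RADIUS
client (the switch) and server, as configured in Part 5.

Added example, not from the lab manual or Extreme Networks, and not how the
switch implements RADIUS internally. Packet layout follows RFC 2865; the
exchange in demo() is constructed (team_3 from 10.0.0.3) and stays in memory.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    The first 'previous block' is the 16-byte Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same construction; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """Attribute = Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, authenticator=b""):
    """Client (switch) side: Access-Request with a fresh random Request Authenticator."""
    ra = authenticator or os.urandom(16)
    attrs = (tlv(ATTR_USER_NAME, user.encode())
             + tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + tlv(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def server_respond(request, secret, users):
    """Server side: recover the password with its own secret, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    ra = request[4:20]
    attrs = parse_attrs(request[20:])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    reply_code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    head = struct.pack("!BBH", reply_code, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 3.
    return head + hashlib.md5(head + ra + secret).digest()


def client_verify(request, response, secret):
    """Client side: accept the reply only if ID and Response Authenticator match; else None."""
    ra = request[4:20]
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + ra + attrs + secret).digest()
    if response[1] != request[1] or expected != resp_auth:
        return None
    return response[0]


def demo(secret_client=b"12secure", secret_server=b"12secure", password="access"):
    """Constructed login of team_3 from switch 10.0.0.3; returns the code the client accepts, or None."""
    req = build_access_request(7, "team_3", password, secret_client, "10.0.0.3")
    resp = server_respond(req, secret_server, {"team_3": b"access"})
    return client_verify(req, resp, secret_client)
```

A mismatched secret on either side fails twice over: the server recovers garbage instead of the password, and its signed reply does not verify at the client, so the switch treats the server as if it had not answered. That is the same situation step 6 creates by unplugging the server, and it ends with the local user database after the timeout.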

Part 6 Changing the Default SNMPv3 User Password


1 Look at the default password assigned to the user initial, by entering the following command:
    show snmpv3 user initial
2 Change the default SNMPv3 user initial's password to initialpassword, by entering the following command:
    config snmpv3 add user initial authentication md5 initialpassword
MD5 authentication is specified.
3 Verify that the default SNMPv3 user initial's password was changed, by entering the following command:
    show snmpv3 user initial


Lab 3 DOS Protection


Objectives
Upon successful completion of this lab exercise, you are able to:

Configure and enable the DoS-Protect feature
Verify the DoS-Protect configuration and status
Troubleshoot CPU-DoS-Protect

Materials Required

Each workstation should have WSTTCP.exe pre-installed for traffic generation and 3CDaemon to act as the syslog server.

Part 1 Configuring DoS-Protect


1 On your switch, configure your workstation as the syslog server, by entering the following commands:
    configure syslog add <ip address pc> local7
    enable syslog
2 Verify your syslog setup, by entering the following command:
    show log configuration
3 Start the 3CDaemon program on your PC and select the syslog server option. Check that your PC is receiving syslog messages from the switch.
4 Set the CPU-DoS-Protect alert and notify threshold values to 3000 and 2500 packets per second, by entering the following commands:
    configure dos-protect type l3-protect alert-threshold 3000
    configure dos-protect type l3-protect notify-threshold 2500
5 After configuring the CPU-DoS-Protect threshold values, enable CPU-DoS-Protect, by entering the following command:
    enable dos-protect
6 Now try to reach the threshold limits by generating traffic towards the switch CPU. At the MS-DOS prompt of your PC, enter the following command:
    start wsttcp -t -u -n1000000 10.0.0.x
x represents the switch ID.
7 Verify the activity and the DoS-Protect configuration, by entering the following command:
    show dos-protect
8 Check the syslog server, or view the incoming DoS-Protect messages on the switch, by entering the following command:
    show log
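Steps 4 and 5 configure two thresholds on the rate of packets reaching the switch CPU. The following Python script is an added example, not the lab's or Extreme Networks' code and not a description of how the switch implements dos-protect internally: it is a generic one-second sliding-window rate monitor with the same two levels (notify at 2500 pps, alert at 3000 pps) run over a constructed traffic profile, so you can see when each level triggers and clears as the rate ramps up and falls back. The state-change strings it records are constructed, not the switch's syslog format.

```python
"""Two-threshold packet-rate monitor, in the spirit of Part 1 steps 4 and 5.

Added example, not Extreme Networks code and not the switch's internal
algorithm: a one-second sliding window over packet timestamps with a
notify level (2500 pps) and an alert level (3000 pps). The traffic profile
and the recorded state-change lines are constructed.
"""
from collections import deque


class CpuRateMonitor:
    def __init__(self, notify_pps=2500, alert_pps=3000, window=1.0):
        self.notify_pps, self.alert_pps, self.window = notify_pps, alert_pps, window
        self.times = deque()      # timestamps of packets inside the window
        self.state = "normal"
        self.events = []          # constructed "<time> <old>-><new> (<pps> pps)" lines

    def packet(self, t):
        """Record one CPU-bound packet at time t; return the state after it."""
        self.times.append(t)
        while self.times and self.times[0] <= t - self.window:
            self.times.popleft()
        pps = len(self.times)
        new = ("alert" if pps >= self.alert_pps
               else "notify" if pps >= self.notify_pps else "normal")
        if new != self.state:
            self.events.append(f"{t:.3f} {self.state}->{new} ({pps} pps)")
            self.state = new
        return new


def ramp(pps_per_second):
    """Constructed traffic: each entry is the packet rate held for one second."""
    for sec, pps in enumerate(pps_per_second):
        for i in range(pps):
            yield sec + i / pps


def run(profile=(500, 2700, 5000, 200)):
    """Feed the profile through the monitor; return (state-change lines, final state)."""
    m = CpuRateMonitor()
    final = "normal"
    for t in ramp(profile):
        final = m.packet(t)
    return m.events, final


if __name__ == "__main__":
    for line in run()[0]:
        print(line)
```

With the default profile the monitor moves normal to notify during the 2700 pps second, notify to alert during the 5000 pps second, and steps back down through notify to normal as the rate drops to 200 pps; a profile that never crosses 2500 pps produces no events at all.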


Troubleshooting DoS-Protect
1 Troubleshoot the network state during an active cpu-dos-protect situation on your switch. What is still reachable and from where? Depending on the destination, your findings could be influenced by the DoS-Protect activity on the other switches.

Ping from your PC to the switch IP address under attack. Result ___________________________
Ping or telnet from your PC to another IP address of your switch. Result ___________________
Ping from your PC to the RADIUS server (10.0.0.100). Result ________________________________
Ping from your PC to the neighbor's switch IP address that is under attack by their traffic generation. Result _________________________________________________________________

2 The combination of physical port and destination address determines the ACL rule. In addition to protecting the switch, what can this feature do to protect clients and servers? _________________
As long as an attack is based on a traffic type that requires the switch CPU (like ICMP), the target (server) is protected as soon as the threshold is reached.
3 Save your current configuration in preparation for the next lab exercise.


Lab 4 Port and MAC Address Security


Objectives
Upon successful completion of this Lab Exercise, the student is able to:

Configure limit-learning
Configure lock-learning
Configure secure-mac features
Unconfigure port and MAC address based security

Materials Required

The syslog server from Lab 5 is used again. If Lab 5 was skipped, you still need to configure a syslog server on the switch, by entering the following commands:
    configure syslog add <ip address pc> local7
    enable syslog

Network Diagram

[Figure: Lab 4 network diagram (network and physical views), identical to the Lab 2 diagram. Six switches SA_LAB_1 to SA_LAB_6; each switch N serves its workstation VLAN on port 2 (VLAN One 10.1.1.0/24, Two 10.1.2.0/24, Three 10.2.3.0/24, Four 10.2.4.0/24, Five 10.3.5.0/24, Six 10.3.6.0/24; switch address .N, PC address .10N). Switch pairs share VLAN A 10.1.0.0/24 (switches 1 and 2), VLAN B 10.2.0.0/24 (switches 3 and 4) and VLAN C 10.3.0.0/24 (switches 5 and 6). All switches join VLAN Core 10.0.0.0/24 with address .N. The RADIUS server 10.0.0.100 is connected to port 1 of SA_LAB_3.]


NOTE
The CLI examples in this lab show the commands for switch 1; translate the ports and VLANs to your own switch. Example: instead of 10.1.1.101/32, Team 5 would use 10.3.5.105/32. Refer to the Lab IP Address table on the Lab Introduction page at the front.

Part 1 Configuring Lock Learning


1 Make sure your switch is sending syslog messages and that the syslog server is running on your workstation.
2 To configure lock-learning on your switch for the port/VLAN that holds your workstation, enter the following command:
    configure port 2 vlan one lock-learning
This prevents any additional MAC addresses (for example, after a hub is installed on port 2) from getting network access.
3 View the lock-learning information for VLAN one, by entering the following command:
    show vlan one security

Part 2 Configuring Limit Learning


1 For the port(s) in VLAN Bbone, set limit-learning to the value 0, by entering the following command:
    configure port 4,5 VLAN Bbone limit-learning 0
2 Verify that the FDB entries are blackholed (Bb), by entering the following command:
    show fdb Bbone
3 Check whether your syslog server received messages related to blackholing these MAC addresses, or check the log on your switch, by entering the following command:
    show log

Part 3 Configuring Secure-Mac


1 The currently blackholed MAC addresses are those of the neighboring switches and the RADIUS server in VLAN Bbone. To allow traffic from your neighbor switches and the RADIUS server into your switch, you need to configure secure-mac entries with their respective MAC addresses. To configure secure-mac FDB entries for all those blackholed addresses, enter the following command:
    create fdbentry xx:xx:xx:xx:xx:xx vlan Bbone port 4
You need to enter this command for each MAC address you want to add. You can authenticate neighbors based on the MAC address. The combination of limit-learning and the secure-mac option is also useful on switch ports intended for end users, because it blocks access and provides the administrator with valuable information.


2 Save and reboot your switch. Check the post-reboot FDB table and switch operation, by entering the following commands:
    show vlan <vlan name> security
    show log
    show fdb <vlan name>
    show fdb permanent

3 Clear the FDB entries for VLAN Bbone, by entering the following command:
    clear fdb bbone
4 Unconfigure limit-learning, by entering the following command:
    configure port 4,5 VLAN Bbone unlimited-learning
5 Unconfigure lock-learning, by entering the following command:
    configure port 2 VLAN one unlock-learning
6 Remove the secure-mac related entries, by entering the following command:
    delete fdbentry all
7 Save your current switch configuration in preparation for the next lab.
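Parts 1 to 3 exercise three related controls on one port/VLAN: limit-learning (with 0 meaning nothing dynamic is learned), lock-learning (freeze what is already learned) and secure-mac entries created with `create fdbentry`. The following Python model is an added example, not the lab's or Extreme Networks' code and not the switch's real FDB implementation: it reproduces the behaviour the lab has you observe with `show fdb` (new addresses blackholed and flagged Bb, secure entries readmitting specific neighbours, `clear fdb` keeping only permanent entries) so each command's effect can be reasoned about before it is typed. The MAC addresses, the method names and the log strings are constructed.

```python
"""Port/VLAN MAC learning model: limit-learning, lock-learning, secure-mac.

Added example, not Extreme Networks code and not the switch's real FDB:
a model of the behaviour Lab 4 has you observe with "show fdb" (blackholed
entries flagged Bb, permanent secure entries surviving "clear fdb").
MAC addresses and log strings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    mac: str
    port: int
    secure: bool = False      # created with "create fdbentry"; permanent
    locked: bool = False      # frozen by lock-learning; permanent
    blackhole: bool = False   # frames from this source are dropped ("Bb")

    @property
    def permanent(self):
        return self.secure or self.locked


@dataclass
class VlanPortSecurity:
    vlan: str
    port: int
    limit: int = None         # None = unlimited; 0 = only secure entries pass
    is_locked: bool = False
    fdb: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _dynamic_count(self):
        return sum(1 for e in self.fdb.values() if not e.permanent and not e.blackhole)

    def learn(self, mac):
        """A frame with this source MAC arrives on the port; True if it is forwarded."""
        mac = mac.lower()
        if mac in self.fdb:
            return not self.fdb[mac].blackhole
        allowed = not self.is_locked and (self.limit is None or self._dynamic_count() < self.limit)
        self.fdb[mac] = Entry(mac, self.port, blackhole=not allowed)
        if not allowed:   # constructed log line, not the switch's syslog format
            self.log.append(f"FDB: blackholed {mac} port {self.port} vlan {self.vlan}")
        return allowed

    def limit_learning(self, n):
        self.limit = n

    def unlimited_learning(self):
        self.limit = None     # entries already blackholed stay until cleared

    def lock_learning(self):
        """Freeze the MACs learned so far; every new MAC is blackholed."""
        self.is_locked = True
        for e in self.fdb.values():
            if not e.blackhole and not e.secure:
                e.locked = True

    def unlock_learning(self):
        self.is_locked = False
        for e in self.fdb.values():
            e.locked = False

    def create_fdbentry(self, mac):
        """secure-mac entry: permanent and never blackholed, even with limit 0."""
        self.fdb[mac.lower()] = Entry(mac.lower(), self.port, secure=True)

    def clear_fdb(self):
        """clear fdb <vlan>: drop dynamic and blackholed entries, keep permanent ones."""
        self.fdb = {m: e for m, e in self.fdb.items() if e.permanent}

    def show_fdb(self):
        """One line per entry in a 'show fdb'-like style: mac vlan flags port."""
        return [f"{e.mac} {self.vlan} {'s' if e.permanent else 'd'}{'Bb' if e.blackhole else ''} "
                f"port {e.port}" for e in self.fdb.values()]


def lab4_part2_and_3():
    """Parts 2 and 3 on Bbone port 4: limit 0 blackholes the two neighbours and the
    RADIUS server, then secure-mac entries for the same addresses readmit them."""
    p = VlanPortSecurity("Bbone", 4)
    p.limit_learning(0)
    peers = ["02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:01:00"]  # constructed MACs
    blackholed = [m for m in peers if not p.learn(m)]
    for m in peers:
        p.create_fdbentry(m)
    readmitted = [m for m in peers if p.learn(m)]
    return len(blackholed), len(readmitted), len(p.log)
```

Note the order of operations in Part 3 step 3 onwards: a blackholed address stays blackholed after `unlimited-learning` or `unlock-learning` until `clear fdb` removes it, which is why the lab clears the FDB before undoing the learning limits.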


Lab 7 Network Login


Objectives
Upon successful completion of this lab exercise, you are able to:

Configure Netlogin on a permanent VLAN
Configure the NetLogin base URL
Configure the redirect page URL
Configure the NetLogin banner
Configure the switch as a DHCP server
Verify the Netlogin configuration

Optional Materials
Additional software is required on the PC that acts as the RADIUS server. This PC will now also act as DNS name server 1 (NS1).

Trainer:

Configure the PC as a DNS server (BIND 8, MS W2000 DNS or any other DNS server).
Configure a domain called eas-300.com and add all switch IP addresses belonging to the workstation VLANs (VLAN One, Two, etc.) as host records in this DNS server. Use the following naming convention for the switches: switchx.eas-300.com.
Include your PC (RADIUS and DNS server, 10.0.0.100) as a host record in NS1 with the hostname server.eas-300.com.


Network Diagram

[Figure: Lab 7 network diagram (network and physical views). Six switches NLG_LAB_1 to NLG_LAB_6 in the same topology as Labs 2 and 4: each switch N serves its workstation VLAN on port 2 (VLAN One 10.1.1.0/24, Two 10.1.2.0/24, Three 10.2.3.0/24, Four 10.2.4.0/24, Five 10.3.5.0/24, Six 10.3.6.0/24; switch address .N, PC address .10N); switch pairs share VLAN A 10.1.0.0/24 (1 and 2), VLAN B 10.2.0.0/24 (3 and 4) and VLAN C 10.3.0.0/24 (5 and 6); all switches join VLAN Core 10.0.0.0/24 with address .N; the RADIUS/DNS server 10.0.0.100 is connected to NLG_LAB_3. Each switch x additionally carries two loopback VLANs, Loopx x.1.1.x/24 and Loopxx xx.1.1.x/24.]

NOTE
The CLI example shows the commands for switch 1; translate the variables to your own requirements.

Part 1 Clearing the Switch Configuration and Naming the Switch


1 As described in the network diagram, cable the switches and PCs.
2 Clear the switch of all previous configuration, by entering the following command:
    unconfigure switch all
3 Name the switch according to the following template:


Part 2 Creating the Temporary and Permanent Netlogin VLANs


1 Create VLAN temp, by entering the following command:
    create vlan temp
2 Create VLAN corp, by entering the following command:
    create vlan corp
3 Remove the ports from VLAN default, by entering the following command:
    configure vlan default delete ports all

Part 3 Configuring the Temporary and Permanent Netlogin VLANs


1 Configure VLAN temp, by entering the following command:
    configure vlan temp ipaddress 198.162.32.10 255.255.255.0
2 Configure VLAN corp, by entering the following commands:
    configure vlan corp ipaddress 10.2.0.1 255.255.255.0
    configure vlan corp dhcp-address-range 10.2.0.2 - 10.2.0.10
    configure vlan corp add port 2 untagged
    enable ipforwarding corp
3 Remove the ports from VLAN default, by entering the following command:
    configure vlan default delete ports all

Part 4 Configuring Netlogin DHCP options


1 Specify the DHCP options for VLAN temp, by entering the following commands:
    configure vlan temp dhcp-address-range 198.162.32.20 - 198.162.32.80
    configure vlan temp dhcp-options default-gateway 198.162.32.1
    enable dhcp ports

Part 5 Configuring Netlogin


1 Configure and enable Netlogin on your switch, by entering the following commands:
    configure netlogin vlan temp
    enable netlogin web-based
    enable netlogin ports 7 web-based

Part 6 Configuring the Network Login options


1 If you have a RADIUS server configured, configure the Network Login redirect page URL to point to it, by entering the following command:
    configure netlogin redirect-page http://10.0.0.100
2 On your switch, configure the NetLogin banner message, by entering the following command:
    configure banner netlogin
    <html><head>Please Login</head></html>
    [Enter] (twice)


Part 7 Verifying Netlogin Configuration


1 From your PC (ping, Telnet, etc.), what is the access status? ______________________________
2 Check the status of your switch port, by entering the following command:
    show netlogin
3 In the current state, all traffic on this port is blocked except for ping and HTTP to the local switch IP addresses.
4 Create a Netlogin local database account, by entering the following command:
    create netlogin local-user <team_x>
When prompted, supply the password access.
5 Verify that the Netlogin account was created, by entering the following command:
    show netlogin local-users
6 Start your PC's browser and direct it to 10.0.0.x/login, where x is your switch number.
7 Log in with the account created in Lab 2 (user-ID team_x with password access). You are validated either by the RADIUS server (when up) or by the local switch database.
8 Assuming that the authentication was successful, you can check any status changes on your switch port. With the redirect timer running, check the status changes on the switch port, by entering the following commands:
    show netlogin
    show netlogin port 2 <vlan name>
9 Were you correctly redirected to another web page? _______________________________
10 Check from your PC (ping, Telnet, etc.) what connectivity is available once you are successfully logged in.
11 Check whether your existing Netlogin session is disconnected. Direct your web browser to the base URL or the switch IP address and log in.
12 Once the switch and the optional RADIUS server have finished validating, check the switch configuration and operation, by entering the following commands:
    show netlogin
    show netlogin port 2 <vlan name>
    show VLAN <name> dhcp
    show log


Lab 8 QoS
Objectives
Upon successful completion of this Lab Exercise, the student is able to:

During a looped broadcast storm, configure Policy-based QoS that allows smooth video playback

Materials Required

Two Summit X450 switches
Two PCs
VLC application for video streaming
Movie file


Network Diagram

[Figure: Lab 8 QoS diagram. PC1 10.0.1.100/24 is attached to Switch 1, which routes vlan v1 10.0.1.1/24. Switch 1 (ports 2 and 12, port 12 to be added later) connects to Switch 2 (port 11) over vlan three 10.0.0.x/24. PC2 10.0.2.200/24 is attached to Switch 2 port 7, which routes vlan v2 10.0.2.1/24.]

NOTE
The provided CLI example shows the command information for switch 1 and switch 2; translate the variables in the information to your own requirements.


Part 1 Clearing the Switch Configuration and Naming the Switch


1 As described in the network diagram, cable the switches and PCs.
2 Clear the switch of all previous configuration, by entering the following command:
    unconfigure switch all
3 Name the switch according to the following template.

Part 2 Configuring the VLANs


1 Delete all ports from VLAN default.
2 Depending on which VLANs your switch is connected to, create the VLANs, by entering the following command:
    create vlan <name>

Switch     VLAN v1   VLAN v2   VLAN three
Switch 1   yes                 yes
Switch 2             yes       yes

3 Add the ports untagged to the following VLANS:


VLAN    Switch 1   Switch 2
v1      7
v2                 7
three   2, 12      1, 11

4 To simulate a network running near capacity, limit the port speed on switch 1, by entering the following command:
    configure ports 2 auto off speed 10 duplex half
5 Configure the PCs with the following parameters:

PC   IP Address    Subnet Mask      Default Gateway
1    10.0.1.100    255.255.255.0    10.0.1.1
2    10.0.2.200    255.255.255.0    10.0.2.1

6 Configure a routing protocol, by entering the following commands:
    configure rip add vlan all
    enable rip
7 Start the VLC application on PC 1 to send and on PC 2 to receive.
8 Generate a broadcast storm on the VLAN between the switches by creating a loop: enable ports 12 and 11 on switches 1 and 2, respectively. Ping 10.0.0.254 to generate an ARP request that causes the broadcast storm.
9 On PC 2, play the movie file streaming from PC 1.


Part 3 Configure QoS QP3 on PC VLANs


1 Create QoS profile QP3 on both switches, by entering the following commands on the appropriate switch:
On Switch 1:
    create qosprofile qp3
    configure qosprofile qp3 weight 15
    configure v1 qosprofile qp3
On Switch 2:
    create qosprofile qp3
    configure qosprofile qp3 weight 15
    configure v2 qosprofile qp3
2 On PC 2, play the movie file streaming from PC 1.

Part 4 Configuring the Port Rate-Limit for Flooded Traffic


1 On the appropriate switch, configure rate limiting on the ports, by entering the following command:
    configure ports <port_list> rate-limit flood broadcast 1000
The purpose of this command is to rate-limit the broadcast storm to 1000 packets per second.
2 Verify that the broadcast storm has been limited, by entering the following command:
    show port utilization
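The rate limit in step 1 caps flooded (broadcast) frames at 1000 packets per second while leaving unicast traffic such as the video stream untouched. The following Python script is an added example, not the lab's or Extreme Networks' code and not a description of the switch's internal rate limiter: it is a generic token bucket with a 1000 pps rate and a one-second burst allowance, run over a constructed frame stream shaped like Part 2's ARP-induced broadcast storm (20000 broadcast pps alongside 100 unicast pps), so the effect `show port utilization` should reflect can be seen in numbers. The bucket depth and the traffic mix are assumptions.

```python
"""Token-bucket limiter for flooded frames, the mechanism behind
"configure ports <port_list> rate-limit flood broadcast 1000".

Added example, not Extreme Networks code and not the switch's internal
implementation: a generic token bucket that admits at most `rate` flooded
frames per second (bucket depth = one second of credit, an assumption) and
ignores unicast. The frame stream is constructed to resemble Part 2's storm.
"""
from collections import Counter


class FloodLimiter:
    def __init__(self, rate_pps):
        self.rate = rate_pps
        self.tokens = float(rate_pps)   # start full: one second of credit
        self.last = 0.0

    def admit(self, t, kind):
        """Frame of `kind` ('broadcast', 'multicast' or 'unicast') at time t; True if forwarded."""
        if kind == "unicast":
            return True                  # the limiter governs flooded traffic only
        elapsed = max(0.0, t - self.last)
        self.last = t
        self.tokens = min(float(self.rate), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                     # over the limit: frame dropped


def storm(seconds=3, bcast_pps=20000, ucast_pps=100):
    """Constructed traffic: a broadcast storm with a trickle of unicast (the video)."""
    for s in range(seconds):
        for i in range(bcast_pps):
            yield s + i / bcast_pps, "broadcast"
        for i in range(ucast_pps):
            yield s + i / ucast_pps, "unicast"


def run(rate_pps=1000, seconds=3):
    """Frames forwarded per kind over the whole run, with the limiter applied."""
    lim = FloodLimiter(rate_pps)
    forwarded = Counter()
    for t, kind in sorted(storm(seconds)):
        if lim.admit(t, kind):
            forwarded[kind] += 1
    return dict(forwarded)


if __name__ == "__main__":
    print(run())
```

Over three seconds the 60000 offered broadcast frames are cut to roughly 4000 (the initial one-second allowance plus 1000 per second afterwards), while all 300 unicast frames pass. The broadcast storm from the loop is still present on the wire, but it no longer consumes the bandwidth the video needs on the 10 Mbit/s half-duplex link from Part 2.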
