
Switch Management

ENA 12.6: Switch Operation, Configuration and Management
2011 Extreme Networks, Inc. All rights reserved

Switch Management
Student Objectives

- Understand and configure switch management
- Understand and configure secure switch management
  - SSH2, HTTPS, SNMPv3 and RADIUS
- Understand and perform configuration and image management
- Understand the ExtremeXOS file system
- Access the BootStrap and BootROM switch utilities
- Install and use Extreme management tools
  - Legacy CLI, ScreenPlay with CLI Proxy, Ridgeline

Slide 2

Switch Management Overview



Management Access Methods

Command Line Interface (CLI)
- Console Port Connection
  - DB-9 serial cable: 9600, 8, N, 1
- Telnet and SSH2
  - 8 concurrent sessions
  - Nested Telnet/SSH2 supported

Web
- HTTP and HTTPS

SNMP
- SNMPv1, v2 and SNMPv3

IP Access
- In band: any VLAN (with associated ports) configured with an IP address
- Out of band: Mgmt VLAN (containing 10/100 UTP port)

(Diagram: a terminal server on the console port; Telnet/SSH2, Web and SNMP from a management station across the IP network.)

Slide 4

Switch Login

Two access levels:
- Administrator
  - Full access to the switch's CLI or WebUI
- User
  - Read-only access to the switch's CLI or WebUI
  - Can change own password, ping, telnet etc.
  - Cannot run the show configuration command

Up to 16 accounts

Default accounts:
- admin, password: <none> - Administrator level
- user, password: <none> - User level

Passwords:
- Case sensitive
- Password policy configures complexity, history, age and min-length
  - Not configured by default

Fail Safe account
- Used for recovery
- If the password is lost, return the switch to Extreme Networks

Slide 5

CLI - Syntax Helper

- The <tab> and <?> keys display the next set of command options.
- <spacebar> can also be used by entering the following:
  enable cli spacecompletion

Slide 6

CLI - Command Prompt

The command prompt indicates four elements:
- Unsaved configuration changes
- Switch name
- Number of commands executed during this session
- Privilege level
  - # indicates administrator level access
  - > indicates user level access

Example prompt:
  * SummitX460-24t.6 #

Reading left to right: the leading * means a new change to the switch configuration has not been saved; SummitX460-24t is the switch SNMP sysname; 6 is the number of the next command to be executed; # is the privilege level.

Slide 7

CLI - Command History

- Displays all commands entered
- Stored in the command history buffer
- Content of the buffer is displayed by entering the history command
- Use the up and down arrow keys to scroll within the command history buffer

Slide 8

CLI Failsafe Login

- The account of last resort
- Access the ExtremeXOS switch when the admin password has been lost.
- Never displayed but always present.
- Changes to the failsafe account and password are immediately stored in NVRAM, not in the configuration file.
- To access the switch using the failsafe account, you must be connected using a permitted method:

Slide 9

Remote Logging: Syslog

  configure syslog {add} [<ipaddress> | <ipPort>] {vr <vr_name>} [local0 ... local7] {<severity>}
  enable syslog

(Diagram: remote logging from the switch across the IP network to a syslog server.)

Slide 10

Verifying the Management Configuration

  show management

The display includes:
- States for Telnet/SSH2, Web (HTTP/HTTPS) and SNMPv1/2
- Authorized SNMP station list
- SNMP v1/2 trap receiver list
- RMON polling configuration
- SNMP statistics

Slide 11

Verifying the Switch Status

  show switch

The display includes:
- SNMP device info
- System MAC
- Switch Type
- Date & Time
- State
- Software info: image files loaded, booted and selected
- Configuration info: config file selected and booted

Slide 12

Switch Virtual Routers

- An emulation of a physical router.
- A single physical switch split into multiple virtual routers (VRs), each with a separate logical forwarding table.

System Virtual Routers
- VR-mgmt: the "mgmt" VLAN, containing the management Ethernet port
- VR-default: the "default" VLAN, containing the data ports

- User created Virtual Routers are supported on core class switches
- Commands may require a virtual router argument
  - Identifies the group of ports that are connected to the target device.

Slide 13

Command with the VR Argument

(Diagram: a target device at 10.1.10.100 shown reached through VR-mgmt, via the "mgmt" VLAN on the management Ethernet port, and through VR-default, via the "default" VLAN on the data ports.)

Slide 14

Assigning IP Addresses

- IP Addresses are assigned to VLANs.
- Each switch has two pre-configured VLANs
  - Mgmt contains the management port. Default contains all data ports.
- Assigning an IP address creates a router interface for the VLAN in the corresponding virtual router.
- Switch needs an IP address for the following:
  - Switch Management
  - Download ExtremeXOS images or backup configuration files.
  - Routing

Slide 15

Image File Management



Software Images

- User selectable image
- Two image locations supported:
  - Primary and secondary images
  - Fallback feature for verifying upgrades.
- Compressed executable code
  - Images are compressed to preserve space on the flash
- Loaded at boot time
  - The image is uncompressed and loaded at boot time

(Diagram, boot sequence: the primary and secondary images are held in the file system in NVRAM; (1) the selected image is uncompressed, (2) the uncompressed image is loaded into RAM and starts running, alongside the running configuration.)

Slide 17

Switch Version & Hardware Info

  show version

The display includes:
- Switch serial number
- BootROM version
- Software image version

Slide 18

Interpreting ExtremeXOS Image File Names

Image name identifies the switch type:
- bd10K-12.6.2.10.xos: for BD10K
- bd8800-12.6.2.10.xos: for BD8K series switches
- summitX-12.6.2.10.xos: for SummitX series switches e.g. X480, X450e, X250e etc.

File extensions identify the image type:
- summitX-12.6.2.10.xos: for a software image
- summitX-12.6.2.10-ssh.xmod: for a software module
- bd10K-1.0.1.6-bootroma.xbr, summitX-pmon-1.0.3.1.xtr: for a software BootROM

Slide 19

Interpreting ExtremeXOS Version Strings

  <Switch Platform>-<Version>-<Package Name>
  bd10K-12.6.2.10-ssh.xmod

<Version> is <Major>.<Minor>.<Patch>.<Build>

- Core image (.xos) and software module (.xmod) version strings must match.
- Available Modules: SSH2, LegacyCLI, CNA

Slide 20
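As an added example (not part of the course material or of ExtremeXOS), the following Python parses file names into platform, version, package and image type using the extension and version-string conventions above, and checks that a module's version string matches the core image it is to be installed beside. The file names used are those quoted on the slides plus one constructed mismatch.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The version is <Major>.<Minor>.<Patch>.<Build>. It can sit before or after
# the package name (bd10K-1.0.1.6-bootroma.xbr vs summitX-pmon-1.0.3.1.xtr),
# so it is located by pattern rather than by position in the name.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

# The file extension identifies the image type.
KINDS = {
    "xos": "core image",
    "xmod": "software module",
    "xbr": "BootROM",
    "xtr": "BootROM",
}


@dataclass(frozen=True)
class ImageName:
    platform: str
    version: Tuple[int, int, int, int]
    package: Optional[str]
    kind: str

    @property
    def version_string(self) -> str:
        return ".".join(str(n) for n in self.version)


def parse_image_name(filename: str) -> ImageName:
    """Split an ExtremeXOS file name into platform, version, package and type."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext not in KINDS:
        raise ValueError(f"{filename!r}: extension is not .xos, .xmod, .xbr or .xtr")
    match = VERSION_RE.search(stem)
    if match is None:
        raise ValueError(f"{filename!r}: no <Major>.<Minor>.<Patch>.<Build> version")
    # Everything left of the version is "<platform>[-<package>]"; anything to
    # the right of it is a package name as well.
    before = [p for p in stem[: match.start()].split("-") if p]
    after = [p for p in stem[match.end():].split("-") if p]
    if not before:
        raise ValueError(f"{filename!r}: no switch platform before the version")
    platform, package = before[0], "-".join(before[1:] + after) or None
    kind = KINDS[ext]
    if kind == "core image" and package is not None:
        raise ValueError(f"{filename!r}: a core image carries no package name")
    if kind == "software module" and package is None:
        raise ValueError(f"{filename!r}: a software module needs a package name")
    version = tuple(int(g) for g in match.groups())
    return ImageName(platform, version, package, kind)


def module_matches_core(core_file: str, module_file: str) -> Tuple[bool, str]:
    """Return (ok, reason) for installing the .xmod alongside the .xos.

    The slides require the version strings to match exactly; the platform
    prefix must match too, since it identifies the switch type.
    """
    core, module = parse_image_name(core_file), parse_image_name(module_file)
    if core.kind != "core image":
        return False, f"{core_file} is a {core.kind}, not a core image"
    if module.kind != "software module":
        return False, f"{module_file} is a {module.kind}, not a software module"
    if core.platform != module.platform:
        return False, f"platform mismatch: {core.platform} vs {module.platform}"
    if core.version != module.version:
        return False, f"version mismatch: {core.version_string} vs {module.version_string}"
    return True, "ok"


if __name__ == "__main__":
    for name in ("summitX-12.6.2.10.xos", "summitX-12.6.2.10-ssh.xmod",
                 "bd10K-1.0.1.6-bootroma.xbr", "summitX-pmon-1.0.3.1.xtr"):
        print(name, "->", parse_image_name(name))
    # summitX-12.6.1.3-ssh.xmod is a constructed name used to show a mismatch.
    print(module_matches_core("summitX-12.6.2.10.xos", "summitX-12.6.1.3-ssh.xmod"))
```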

Selecting Active Image Files for the Next Reboot

1. Select the image file to be used after the next reboot:
   use image primary
2. Save the configuration:
   save configuration
3. Reboot the switch:
   reboot
4. Verify that the correct image file is in use:
   show switch
   show version

(Diagram: RAM holds the running image and running configuration; NVRAM holds the file system with the primary and secondary images; boot loads the selected image.)

Slide 21

Upgrading a switch

Images must be downloaded to the non-active location:

1. download image <ip> <filename> vr <vrname> secondary
   - Step 1 will ask if you wish to install the image automatically
2. Install the image to flash:
   install image secondary
3. Select the image to use on the next reboot:
   use image secondary
4. The switch must reboot for the new image to become active:
   reboot
5. Verify that the correct image file is in use:
   show switch

(Diagram: the image is downloaded from the TFTP server into the secondary image location in the NVRAM file system; RAM is non-persistent storage holding the running image and running configuration.)

Slide 22

Configuration File Management



Verifying the Switch Configuration

  show configuration
- Displays the current changes to the default configuration running in RAM
- Displayed as CLI commands
- Grouped by module e.g. VLAN, FDB, OSPF etc.

  show conf detail
- Displays the current configuration running in RAM (inc. defaults)

  show conf ospf detail
- Displays the current OSPF configuration running in RAM (inc. defaults)

Slide 24

Storing Configurations

- Configuration files store a version of the configuration on the flash
- ExtremeXOS configuration files are stored in XML format
- Loaded at boot based on the configuration file selected
- The active configuration running in RAM should be saved before rebooting
- Configurations can be saved to any file name
  - save configuration test
    Saves a file called test.cfg to the flash
  - save configuration primary
    Saves a file called primary.cfg to the flash
  - Command arguments primary and secondary provide compatibility with the ExtremeWare CLI
- Configuration files can be copied to and from the switch
  - The tftp command is used to copy files
  - The upload command is used to save the running configuration in RAM to a TFTP server in CLI command format

(Diagram: primary.cfg stored on the flash as XML.)

Slide 25

Selecting Configuration Files

1. Select the configuration file to use:
   use configuration test.cfg
   - If the file test.cfg does not exist, the factory default configuration will be loaded
2. Save the configuration:
   save configuration test.cfg
3. Reboot the switch:
   reboot
4. Verify that the correct configuration file is in use:
   show switch

(Diagram: RAM holds the running image and running configuration; NVRAM holds the primary and secondary images and the file system with test.cfg; boot loads the selected file.)

Slide 26

Displaying the Current Configuration File Selection

  show switch
- Displays the currently selected and booted configuration files
  - Selected: active on next reboot
  - Booted: currently running
- Factory Default indicates a new switch or one where the configuration has been cleared (unconfigured)

Slide 27

Copying a Configuration file to & from a TFTP Server

Copying a configuration file to a TFTP server:
1. tftp put <ip> vr <vrname> test.cfg
   - If no VR is specified, VR-Mgmt is used.

Copying a configuration file from a TFTP server:
2. tftp get <ip> vr <vrname> new.cfg
   - If no VR is specified, VR-Mgmt is used.

Select the configuration file to use on the next reboot:
3. use configuration new

The switch must reboot for the new configuration to become active:
4. reboot

Verify that the correct configuration file is in use:
5. show switch

(Diagram: steps 1 and 2 move test.cfg and new.cfg between the NVRAM file system and the TFTP server; step 4 boots the running image and running configuration into RAM.)

Slide 28

Copying the Running Configuration to & from a TFTP Server

Copying the running configuration to a script file on a TFTP server:
1. upload configuration <ip> new.xsf vr <vrname>
   - If no VR is specified, VR-Mgmt is used
   - .XSF (XOS Script File), .TXT or anything else can be used as the filename extension

Copying a configuration script file from a TFTP server:
2. tftp get <ip> vr <vrname> new.xsf

Applying a configuration script file to the running RAM configuration:
3. load script new

(Diagram: step 1 uploads the running configuration in RAM to the TFTP server; step 2 fetches new.xsf into the NVRAM file system; step 3 applies it to the running configuration in RAM.)

Slide 29

Resetting a Switch To Factory Defaults

  unconfigure switch
- Returns a switch to factory defaults, except:
  - User accounts, including the failsafe account
  - SummitStack configuration
  - Date and time

  unconfigure switch all
- Returns a switch to factory defaults, except:
  - Date and time
- On login after the reboot, the switch prompts for:
  - Telnet enabled or disabled
  - SNMP enabled or disabled
  - Data ports enabled or disabled
  - Failsafe account username and password change and access method

Slide 30

File System Management



Listing Files

- UNIX like file system
  ls
- Lists the files on the switch file system & includes:
  - Configuration files (CFG)
  - Script Files (XSF)
  - Policy Files (POL)
- Columns shown: Permissions, Owner, Size, Edit Date & Time, Filename

Slide 32

Copying, Renaming, and Removing Files

- To copy a file:
  cp primary.cfg old.cfg
- To rename or move a file:
  mv old.cfg secondary.cfg
- To delete a file:
  rm old.cfg
- To delete all files starting with sec:
  rm sec*
- To delete all cfg files:
  rm *.cfg

For chassis based switches with dual MSMs, the action takes place on both the primary and backup MSM.

Slide 33

BootStrap and BootROM



BootStrap Menu Options

- The BootStrap menu is usually accessed by mistake or if there is a boot problem with the switch
- To access the BootStrap:
  - Power cycle the switch while holding the <spacebar> down
  - When the BootStrap prompt appears, release the <spacebar>
  - Type <h> at the prompt for command options
  - To exit the BootStrap type boot at the prompt
- The BootStrap and BootROM can only be accessed through the console port

Slide 35

BootROM Menu Options

- The BootROM menu is usually accessed if there is a boot problem with the switch
  - Loss of connectivity due to configuration error
  - Corrupted flash or image
- To access the BootROM:
  - Power cycle the switch
  - When the Running POST message appears, press and hold the <spacebar>
  - Type <h> at the prompt for command options

Slide 36

Using the BootROM to change boot options

- To boot from the primary image:
  boot 1
  - Over-rides the configured selected image
- To boot from the secondary image:
  boot 2
- To boot from the test.cfg configuration file using the configured image:
  config test.cfg
  boot
- To boot with the factory default configuration using the configured image:
  config none
  boot

Slide 37

Upgrading the BootROM

- The BootROM is responsible for booting the switch.
  - It tells the switch which image and configuration to use.
- The BootROM verifies the software signature and denies incompatible software.
- Upgrading the BootROM is sometimes required for new major image versions
  - Check release notes before upgrading the BootROM
- To upgrade the BootROM:
  download bootrom <ip> pmon_summit_sxls-2.0.1.0.xtr vr <vr-name>
- The switch may not boot if the BootROM is corrupted:
  - Due to interrupting the download process
  - Wrong BootROM downloaded
  - The switch must be returned to Extreme Networks.

(Diagram: the BootROM file is downloaded from a TFTP server.)

Slide 38

Lab 1 - Switch Management Lab

- Identify ExtremeXOS software, switch boot images, and configuration files.
- Save the switch configuration.
- Assign an IP address to a VLAN.
- Backup the switch configuration.
- Download a software image.
- Upload the current configuration as an ASCII formatted command script.
- View and run simple configuration command scripts.
- Access the BootStrap and BootROM menus.

(Lab topology: TFTP Server, Management 10.45.230.22; Lab Group PC, Management 10.45.230.4X; SwitchX, Mgmt 10.45.230.10X.)

Slide 39

Secure Management
Extreme Networks Solution


Authenticating Switch Management Users

- Users should login to a switch using their Windows username and password
  - Provides an audit trail of configuration changes and commands run if required

Authentication Options
- RADIUS operation requires:
  - RADIUS Server with Active Directory or LDAP integration
    - Microsoft's IAS on Windows Server platforms provides a RADIUS service
  - Each switch's RADIUS client configured & enabled
- TACACS+ operation requires:
  - TACACS+ Server with Active Directory or LDAP integration
    - Cisco's Access Control Server (ACS) for Windows Server
  - Each switch's TACACS+ client configured & enabled

Restrictions
- Can only use RADIUS or TACACS+, not both

Slide 41

Configuring RADIUS Authenticated Access

- To configure the RADIUS client for authenticated management access:
  configure radius mgmt-access primary server <ip> client-ip <vlan-ip>
  configure radius mgmt-access primary shared-secret <secrettext>
- To enable RADIUS for authenticated management access:
  enable radius mgmt-access
- To verify the RADIUS configuration:
  show radius mgmt-access

RADIUS for authenticated access supports:
- Primary and secondary RADIUS servers
- Configurable RADIUS UDP port
- Selectable NAS-IP (VLAN IP address)

Slide 42

Configuring Secure CLI Access with SSH2

- Download the matching SSH2 module image to the switch
- To enable the SSH2 process:
  run update
  - Another option is to reboot the switch at this stage
- To enable SSH2 access:
  enable ssh2
  - This will generate a key used to encrypt data between the switch and the client
  - Usually takes approx. 1 min.
- To verify SSH2 access:
  show management
- To re-generate the SSH2 key:
  configure ssh2 key

Slide 43

Managing a Switch with Secure SNMPv3

- SNMPv3 provides a secure method of managing switches from SNMP based network management platforms
- Extreme's SNMPv3 implementation supports:
  - User Security Model (USM)
    - Multiple user accounts with encrypted authentication: HMAC-MD5-96, HMAC-SHA-96
  - View-based Access Control Model (VACM)
    - Each user can be restricted to specific MIB sections for R/O and R/W access
  - Privacy (encrypted communication)
    - DES, 3DES and AES 128/192/256
    - 3DES and AES require the SSH2 module to be loaded
- Extreme switches support SNMPv1, v2 and v3 access at the same time
  - All are enabled by default

Slide 44

Configuring Secure SNMPv3 Access

- It is recommended that you enable 3DES or AES privacy.
- This process assumes that SSH2 has been enabled previously
- To enable the SNMP process to use 3DES and AES encryption:
  restart process snmpmaster
- Create an SNMPv3 user account:
  conf snmpv3 add user <username> authentication md5 <key> privacy aes 256 <key>
- Configure the user's rights:
  conf snmpv3 add group <groupname> user <user-name> secmodel <snmp-security>
- To verify SNMPv3 access:
  show snmpv3 user <user-name>
  show snmpv3 group admin user <user-name>

Slide 45

Managing a Switch with the ScreenPlay WebUI

- ScreenPlay provides a Web User Interface (WebUI) for managing and monitoring an ExtremeXOS switch
  - Supports both HTTP and HTTPS access
  - HTTPS access requires the SSH2 module
  - Web access is disabled by default
- Monitor key information via the Dashboard
  - Switch information: type, OS version, configuration loaded
  - Slot information, status and temperature
  - License level
  - Management access state
- Configure:
  - Ports, VLANs, stacking, SNMP, dynamic ACLs
- Detailed monitoring:
  - Event log, port statistics (table & chart views), QoS Monitor
- Administer user accounts, sessions and access the CLI

Slide 46

Configuring Secure Web Access

- It is recommended that you enable HTTPS for ScreenPlay access
- This process assumes that SSH2 has been enabled previously
- To enable the HTTPS process:
  restart process thttpd
- Generate the certificate used for HTTPS access:
  configure ssl certificate privkeylen 1024 country <code> organization <org-name> commonname <switch-name>
  - The common name is usually the switch name
- To enable HTTPS access:
  enable web https
- To verify HTTPS access:
  show ssl

Slide 47
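As an added example (not from the course or from ExtremeXOS), the following Python audits a configuration script of the kind produced by upload configuration for the secure-management settings covered on the RADIUS, SSH2, SNMPv3 and HTTPS slides above. The sample script, addresses, user names and keys are constructed, and the audit only recognises the command forms shown on those slides.

```python
import re
from typing import Iterator, List

# Constructed sample of an uploaded configuration script (.xsf): the running
# configuration in CLI command format. Addresses, names and keys are made up;
# only commands taken from the secure-management slides appear.
SAMPLE_XSF = """\
# Module snmpMaster configuration.
configure snmpv3 add user netadmin authentication sha AUTHKEY1 privacy aes 256 PRIVKEY1
configure snmpv3 add user legacy authentication md5 AUTHKEY2 privacy des PRIVKEY2
configure snmpv3 add user probe authentication md5 AUTHKEY3
# Module radius configuration.
configure radius mgmt-access primary server 10.45.230.61 client-ip 10.45.230.101
enable radius mgmt-access
# Module exsshd configuration.
enable ssh2
# Module thttpd configuration.
enable web https
# Module syslog configuration.
configure syslog add 10.45.230.22 vr VR-Mgmt local0
enable syslog
"""

# "enable" commands from the procedure, with what their absence means.
REQUIRED = {
    "enable ssh2": "SSH2 not enabled: CLI access is limited to console and Telnet",
    "enable web https": "HTTPS not enabled: any ScreenPlay access is plain HTTP",
    "enable radius mgmt-access": "RADIUS mgmt-access not enabled: logins use local accounts only",
    "enable syslog": "syslog not enabled: no remote record of logins and commands",
}

# conf snmpv3 add user <username> authentication md5|sha <key> [privacy <cipher> [<bits>] <key>]
SNMPV3_USER = re.compile(
    r"^configure snmpv3 add user (?P<user>\S+) authentication (?P<auth>md5|sha) \S+"
    r"(?: privacy (?P<priv>des|3des|aes)(?: (?P<bits>128|192|256))? \S+)?$"
)


def commands(script: str) -> Iterator[str]:
    """Yield the commands of a script, skipping blank lines and # comments."""
    for raw in script.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            yield line


def audit_config(script: str) -> List[str]:
    """Return findings for the script; an empty list means every check passed."""
    cmds = list(commands(script))
    present = set(cmds)
    findings = [why for cmd, why in REQUIRED.items() if cmd not in present]
    if "enable syslog" in present and not any(c.startswith("configure syslog add ") for c in cmds):
        findings.append("syslog enabled but no syslog server configured")
    users = 0
    for cmd in cmds:
        m = SNMPV3_USER.match(cmd)
        if m is None:
            continue
        users += 1
        if m["priv"] is None:
            findings.append(f"snmpv3 user {m['user']!r}: no privacy; SNMP traffic is not encrypted")
        elif m["priv"] == "des":
            findings.append(f"snmpv3 user {m['user']!r}: DES privacy; enable 3DES or AES instead")
    if users == 0:
        findings.append("no SNMPv3 users: management relies on SNMPv1/v2 community strings")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_XSF) or ["no findings"]:
        print(finding)
```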

Lab 2 - Secure Switch Management Lab

- Configure and enable Syslog
- Configure and enable RADIUS authenticated access
- Configure and enable SSH2 secure CLI access
- Configure and enable HTTPS secure web access
- Configure and enable SNMPv3 secure SNMP access

(Diagram: terminal on the console port; Ethernet management port.)

Slide 48

Management Tools
Extreme Networks Solution


Managing a Switch with the Legacy CLI

- The LegacyCLI provides a Cisco style interface for managing and monitoring an ExtremeXOS switch via the CLI
- Supports the following modes
  - User EXEC and Privileged EXEC CLI command modes
    - Privileged mode is accessed by the enable command
  - Training mode
    - Displays the equivalent Extreme command for a given Legacy CLI command
    - Helps transition to the Extreme standard CLI
  - Deferred mode
    - Allows you to enter a group of commands for deferred execution.
    - Commands are stored in a buffer
    - When exiting deferred mode you choose to execute or abandon the commands
- Switch configuration is performed via the Configuration Terminal in Privileged mode
- Supports legacy port numbering
  - 0/5 specifies port 5 on a standalone switch
  - 1/5 specifies slot 1 in a modular switch or SummitStack and port 5

Slide 50

Configuring Legacy CLI Access

- Download the matching LegacyCLI module image to the switch
- To enable the LegacyCLI:
  configure cli style legacy permanent
  - LegacyCLI starts in User EXEC mode
- To enter Privileged mode:
  enable
- To enter Configuration mode:
  configure terminal
- To view available commands:
  - Use the <tab> or <?> keys
- To scroll through CLI history:
  - Use the up and down arrow keys

Slide 51

Accessing the CLI with the ScreenPlay WebUI

- The ScreenPlay WebUI can optionally provide access to a switch's CLI
- Requires the installation of the Java based CLI Proxy software on the management client
- Supported platforms:
  - Windows
  - Linux
  - Unix

Slide 52

Simplify Your Network Using Ridgeline

Providing a common management platform that simplifies the deployment and management of Extreme Networks products and solutions.

- Enterprise
  - Manage and secure converged networks
  - Wired, wireless and security device configuration and management
  - Track and secure users across the network
- Data Center
  - Virtualization Management
  - Track, secure, police virtual machines in the Data Center
  - VM Inventory, location and history
- Service Provider
  - Point & click service provisioning of E-Line or E-LAN services
  - Import existing services (Service Reconciliation)

Unified Network Management System

Unification of EPICenter and Ridgeline SA (Service Advisor) into a Unified Product Line: Ridgeline

- Comprehensive set of features in the base product.
  - Allows Extreme to build and deliver features and solutions rapidly
  - Helps drive down cost across different business functions
- Feature Packs
  - Carefully designed feature packs
  - Specific content for different verticals
  - Allows customers to purchase and use content that is key and essential to their business needs
Essential Tools at Your Fingertips

- Operational Simplicity
  - Intuitive user interface
  - Topology view with alarms
  - Configuration management
  - Dynamic reporting
- Voice Class Availability
  - Intelligent alarm system
  - Real-time statistics
  - Network service visualization
- Comprehensive Security
  - Role based access control
  - Secure management protocol
  - Audit log
- Service Extensibility
  - Flexible scripting
  - Universal port management
  - 3rd Party Integration framework
Ridgeline Server Requirements (Windows)

- Microsoft Windows 7, Vista, Windows XP Professional with SP1 or later, or Windows 2003, 2008 Server
  - Both 32-bit and 64-bit versions are supported
  - Windows 7 is supported on 32-bit installations only
- 1 GHz or greater Pentium-compatible processor
  - 2 GHz recommended
- 2 GB RAM minimum, 4 GB recommended
  - 4 GB is a requirement to manage large numbers of devices (1000+)
- 2 GB disk space available, NTFS file system recommended
  - 2 GB swap for the 32-bit version of Ridgeline
  - 4 GB swap for the 64-bit version
Ridgeline Server & Client Requirements

- Java Based Application (JRE 1.6)
- Server platforms
  - Vista, Windows XP, Server 2003/2008, Solaris 10, Red Hat 5.0 Linux
- Client platforms
  - Vista, Windows XP, Server 2003/2008, Solaris 10, Red Hat 5.0 Linux
  - Browser: IE 6.0 or higher, Mozilla Firefox 1.5 or higher
- Auto update of clients
  - Detects new versions of client
  - Auto-updates clients, reducing deployment time
Ridgeline Product Licensing

Ridgeline(TM) 3.0 Base
- All the enterprise features covered earlier including EAPS Provisioning, Scripting, Events and Alerts, Topology Views, Universal Port Manager, Identity Reporting, Configuration Mgmt, etc.

Feature packs:
- Security Feature Pack: Identity and Role-based Policies
  - Includes Identity Mgmt.
  - Auto provision users and devices.
  - Logically segment users based on identity for seamless mobility.
- Data Center Feature Pack: VM lifecycle Management
  - Includes XNV.
  - VM provisioning at the network level.
  - Centralized network visualization of virtual machine (VM) inventory, VM location history.
- Service Advisor Feature Pack: Service engineering and fulfillment
  - Point and click provisioning: E-Line, E-LAN, vMAN/PB, & PBB Provisioning, VPLS Monitoring
Ridgeline Product Licensing

Product                        Base      Add-on   Add-on    Maximum
Ridgeline(TM) 3.0 Base         Base 50   Add 50   Add 250   Up to 2000
Security Feature Pack          Base 50   Add 50   Add 250   Up to 2000
Data Center Feature Pack       Base 50   Add 50   Add 250   Up to 2000
Service Advisor Feature Pack   Up to 2000

- Ridgeline Base Product is required for all feature packs
- New: Ridgeline 3.0 Base-10 is available for free with NO SUPPORT
- Product evaluation license is available with base content, and all feature packs

Slide 59

Installing Ridgeline

- Run the Ridgeline installation program
- Configure the Ridgeline ports
  - Web service
  - Database service
- Install the relevant licenses
- Log on to Ridgeline
  - Java will be installed automatically if not already present on the client machine
Configuring Ridgeline for secure SNMPv3 Access

- Specify SNMPv3 settings when adding a device to the Ridgeline inventory
  - Set SNMP to Version 3
  - Specify the user
  - Set the privacy protocol and level
  - Set the authentication protocol
- All settings must match those configured on the switch

Slide 61

Lab 2 - Secure Switch Management Lab

This lab provides you with hands-on experience enabling and configuring Syslog, RADIUS, SSH2, HTTPS and SNMPv3. At the end of this lab, you will be able to:

- Configure and enable the RADIUS client on your switch
- Configure and enable Syslog and SNTP on your switch
- Configure and enable SSH2 on your switch for secure CLI access
- Configure and enable HTTPS on your switch for secure Web access
- Configure and enable SNMPv3 on your switch.

(Lab topology: TFTP Server, Management 10.45.230.22; Lab Group PC, Management 10.45.230.4X; AD/Radius Server, Management 10.45.230.6X; SwitchX, Mgmt 10.45.230.10X.)

Slide 62

Lab 3 - Management Tools Lab

This lab provides you with hands-on experience installing and configuring the following Extreme Networks Management tools:

- Legacy CLI
- ScreenPlay
- Web CLI Proxy
- Ridgeline

(Lab topology: TFTP Server, Management 10.45.230.22; Lab Group PC, Management 10.45.230.4X; SwitchX, Mgmt 10.45.230.10X; Ridgeline Server, Management 10.45.230.5X.)

Slide 63

Switch Management Summary

You should now:
- Understand and be able to configure switch management
- Understand and be able to configure secure switch management
  - SSH2, HTTPS, SNMPv3 and RADIUS
- Understand and perform configuration and image management
- Understand the ExtremeXOS file system
- Be able to access the BootStrap and BootROM switch utilities
- Be able to install and use Extreme management tools
  - Legacy CLI, ScreenPlay with CLI Proxy, Ridgeline

Slide 64

2011 Extreme Networks, Inc. All rights reserved
