Features of setting ExtremeXOS switches

This article aims to reduce the amount of time required to understand the principles of working with ExtremeXOS (XOS) . When I started getting acquainted with XOS, I really missed such an article on Habré.


Below I will talk about the configuration of Extreme and the problems that I encountered. I hope to help the network engineers who are just starting to work with XOS. Regardless of the switch model, the CLI syntax is exactly the same.


KDPV
Extreme Switch Stand


To business


For hardware virtualization, I use Eve-Ng and a Virtual ExtremeOS ( XOS ) image . You can also use GNS3.


How does the switch setup look like ? In XOS, there is no need to switch operating modes; all commands are entered from the normal mode, marked with # , in the case of the admin account; and > in the case of a user.
For a start, I would like to identify the "basic" principles of teams in EOS. Everything is built on three commands and their antonyms: create , configure , enable ( delete , unconfigure , disable, respectively). That is: we create, we configure, we activate. It looks logical.


create vlan 10
configure vlan 10 ipaddress 192.168.1.1/24

You should also understand that most configurations are configured on the VLAN . That is, in XOS almost everything is tied to VLANs. Even assigning a VLAN to a port occurs in the VLAN configuration, that is, the port hangs on vlan.
I would like to pay special attention to virtual routers ( VR ), which are by default in the switch. There is VR-Default, which owns all the ports, and VR-mgmt, which owns mgmt. port. In XOS, for all commands that send traffic somewhere (ping, ssh, telnet, download, etc.) you must specify VR.


ping vr "VR-Default"192.168.1.1

XOS Switch Update


In XOS, there are two partitions under OS: primary and secondary. Functionally, they are no different, only the names. You can install updates only in the currently inactive section. You can use the inactive argument for this. After the upgrade, a reboot is required, and the switch will boot from another (just updated) partition. This leaves the possibility of a quick rollback, in case of problems, simply by selecting another partition at boot (the one where the old OS remained). Also note that all the images with patches are a complete image, that is, do not put a major version, and then a few minor ones. When loading tftp is used:


downloadimage 192.168.1.1summitX-21.1.4.4-patch1-3.xosvr "VR-Default" inactive

You can find out which section is currently being used by:


showsystemImageSelected:   primaryImageBooted:     secondaryPrimaryver:      22.3.1.4Secondaryver:    21.1.1.4

Switch stacking


To stack XOS switches, you must enable stacking support and reboot the switch:


enable stacking-support
reboot

It is very convenient that switches of different models can be combined into a stack, with the master being the switch with the highest performance. For example, it may be necessary for a stack of 10G switches for 16 ports for servers, to which a 48-port 1G switch is added, to which mgmt.-interfaces are included.
For stacking, switches must have the same OS version. Stacking is performed through certain Ethernet ports, for each model is different, which can be found in the documentation. If you assemble switches using the 1 in 2, 2 in 1 port, then Extreme switches can be stacked using the simplified easy-stack procedure, which itself will bind the mac addresses to the slot number and other settings. In this case, the first will be the switch on which you apply enable stacking, the rest will be assigned numbers along the chain. This is quite a convenient way to save a lot of time. After stacking, the ports will look like SLOT: PORT (1: 1, 2:35).


X440G2-48p-10G4.1 # show stacking
Stack Topology is a Ring
This node isnotin an Active Topology
Node MAC Address    Slot  Stack State  Role     Flags
------------------  ----  -----------  -------  ---
*00:04:96:xx:xx:xx  -     Disabled     Master   ---00:04:96:xx:xx:xx  -     Disabled     Master   ---00:04:96:xx:xx:xx  -     Disabled     Master   ---00:04:96:xx:xx:xx  -     Disabled     Master   ---00:04:96:xx:xx:xx  -     Disabled     Master   ---
* - Indicates this node
Flags:  (C) Candidate for this active topology, (A) Active Node
    (O) node may be in Other active topology
X440G2-48p-10G4.2 # enable stacking
You have not yet configured all required stacking parameters.
Would you like to perform an easy setup for stacking operation? (y/N) Yes
Executing "configure stacking easy-setup" command...
For every node in the 5-node stack, this command will:
- enable stacking
- configure a stack MAC address
- choose and configure a slot number (this node will be assigned to slot 1)
- configure redundancy to minimal (slot 1 will be the master node)
- configure the stacking protocol to enhanced
Upon completion, the stack will automatically be rebooted into the newconfiguration.
Warning: If stacking is already configured, this command will alter that configuration.
Do you wish to proceed? (y/N) Yes
Stacking configurationis complete.  Rebooting...

Updating the stack is that the master is updated, and then he in turn spills the new version into the remaining slots. A reboot is required .


Licensing


Each switch comes with a pre-installed license (edge, advanced edge, core, etc.). Each license has its own set of features that can be activated on the switch, for example, the number of ports that can be used in OSPF. There are also licenses for individual feature. Read more here .
One of the most frequent licenses is the license for feature: Dual-10GB-Uplink . This license for the edge-1G switch allows using 2x 10GbE ports. For example, on X440-G2-48p.
Licenses are available in the personal account on the Extreme website, after which they are activated (without rebooting) and checked by the team.


enable license XXXX-XXXX
show licenses

In the event that different licenses are used in the switch stack, the smallest one will be used .


Customization


A small digression: To see the results of the commands below, as well as any other information, in most cases you can use show, replacing create and configure. For example, show vlan.
Hint: When using show ports, XOS will build a table that is updated every few seconds, which allows you to monitor the status of the interfaces in real time. In order to get output without refreshing, you must use “show ports no-refresh”.
The first thing that comes to mind is that you need to configure this hostname . It would seem to be something like this:


configure hostname Ex_sw_1


But not everything is so simple, in fact it is done this way:


configure snmp sysName Ex-sw-1

Create a VLAN:


create vlan My_Vlan_Five tag 5

Or so, and this is what will be displayed in the config:


create vlan My_Vlan10
configure vlan My_Vlan10 tag 10

Considering the practical experience and realities of the output of commands and XOS settings, I created a rule for myself: in the vlan name, append its tag at the end, which facilitates perception and tuning:


create vlan users-10 tag 10

In XOS there are no such as trunk and access ports. Instead, the following concepts are used: tagged and untagged traffic on an interface tied to vlan. There can be one untagged and many tagged vlans. Ports are numbered (or slot: port on the stack), it's very simple.


configure vlan My_Vlan-5add ports 1 tagged
configure vlan My_Vlan1 add ports 1 untagged

Accordingly, all traffic without a tag coming to the interface will be tagged as “ My_Vlan1 ”.
In this case, vlan can be specified both through < Name > and through < tag >, and in any combination (using vlan_list , that is, numeric by tags). Without an attribute at the end, < untagged > is used:


сonfigure vlan 1,5-10,15-20add ports 1-8, 48 tagged
configure vlan web-110add ports 5
сonfigure vlan 20add ports 30-40,45 untagged

Since most SummitX series switches are L3 switches, this is how SVI is configured:


configure vlan 125 ipaddress 192.168.125.1/24

After that, you need to apply this command, otherwise vlan will remain non-routable:


enable ipforwarding vlan 125enable ipforwarding vlan 10-50,60

To see what vlan is on the interface, you can use the command:


show ports 2 vlan

The following commands are used to view and save the configuration and there are primary and secondary configuration files:


save 
save secondary
showconfiguration

Channel aggregation


One of the inconvenient moments that I met was aggregation of channels. (port-channel). The general essence is as follows: you assign a master port and up to seven secondary interfaces to it. Further, all settings are made only on a specific master port, there are no logical interfaces of the form po1 . The downside is that if you want to change the master port, you need to transfer all the settings to another port with your hands, because when you remove an aggregated channel, the entire config on it flies . The solution to this inconvenience is in this article , but it still does not work out perfectly. In XOS, aggregation is called sharing .
To enable such a port, you need to use the command:


enablesharing[MASTER_PORT]grouping[PORT_LIST][lacp]enablesharing 1 grouping 1-2lacp

On the version lower than 22.X, it is necessary to add the “balancing” algorithm:


enable sharing 1 grouping 1-2 algorithm address-based L2 lacp

OSI Second Level Loop Protection


On the Summit-X commutator in C major version 22.2, the second level loop protection protocol was disabled by default . (STP and others). At the time of this writing, the software recommended by the vendor is 21.1.5.2.


ELRP


In one of my projects, I used the proprietary protocol ELRP , which is designed to detect and prevent loops. During the tests, he showed good results (speed of shutdown of the port at the loop, etc.). This protocol sends multicast PDUs , and if the sender receives it again, then there is a loop.
The interval is responsible for the frequency of the PDU distribution, in this case 2 seconds. In the case of a loop, the port will be blocked for 180 seconds, after which the PDU will be sent again. Alert options: log, trap, log-and-trap. In the case of trap, the snmp trap is sent accordingly.
This protocol is configured per-vlan, as well as most configurations in XOS.


enable elrp-client
configure elrp-client periodic Buh-123 ports allinterval2logdisable-port ingress duration 180

To prevent ELRP from blocking uplink access switches or critical connections, use the command to exclude ports from blocking.


configure elrp-client disable-port exclude35
configure elrp-client disable-port exclude1:1

STP


STP is configured a little wiser, but in general, special problems do not arise. In XOS, this protocol is called “stpd”, in all commands to configure STP, it is used. You can make it per-vlan, using different STP-domains. “Domain-id” and “vlan-id” must match. Ports in STP can be added either manually or using vlan auto-bind. As soon as a port is added to the vlan, this port is automatically added to the STP. Such is the logic. Setting mode: dot1d STP, dot1w - RSTP:


configure stpd "s0" priority 4096
configure stpd s0 mode dot1w
enable stpd s0
enable stpd "s0" auto-bind "VLAN_0005"

VRRP


VRRP is one type of FHRP , an analogue of HSRP in Cisco. For each network (vlan), it is necessary to use a vrid, which can be from 1 to 255. I was pleased with the ability to route traffic from the backup-vrrp-L3 switch using the fabric-routing option. The default priority is 100. Which of the switches has a higher priority becomes the “Master”.


create vrrp vlan test1 vrid 125
configure vrrp vlan test1 vrid 125priority50
configure vrrp vlan test1 vrid 125 fabric-routing onenable vrrp vlan test1 vrid 125

MLAG


About what it is and why, very well described here : it is, in fact, an analogue of Cisco VPC. ISC - connection between mlag-pair switches.


In my case, the following scheme was usually used:


Necessary to create a neighbor (peer), in order to be able to assign specific ports with mlag to a specific neighbor, since Extreme supports the possibility of using multiple neighbors. For ISC, a vlan is needed, used only for ISC and having an IP address. Accordingly, the peer for X670-1 will be X670-2, and the mlag ports will be x440. For operation, it is necessary to create an aggregation channel, on x670 for one port towards x440, and an aggregated channel towards X670-2, in which there will be ALL Vlans participating in the mlag.
On x670:


Enable sharing 1 grouping 1 lacp
create mlag peer "mlag1" 
configure mlag peer "mlag1" ipaddress 10.255.255.2 vr VR-Defaultenable mlag port 1 peer "mlag1" id 1

On x440-stack:


enablesharing 1:51grouping 1:51,2:51lacp

MLAG + VRRP


During testing of commutators on the stand, the problem was found that VRRP takes the master role before all other interfaces (ISC rises first) and protocols rise, which resulted in network downtime of about a minute.
This problem was solved by the following commands, but they are available only with “EXOS 21.1.3.7-patch1-4” and “EXOS 22.3”:


configure mlag ports reload-delay 60enable mlag port reload-delay

Routing


Static routes are defined as follows, there should be no problems. You can set the mask in any version.


configure iproute add 10.0.66.0255.255.255.0172.16.1.1
configure iproute add 10.0.0.1/3210.255.255.255
configure iproute add default 172.16.0.1

Ospf


For routing, in my practice, OSPF with one zone was used. To ensure operability, you must specify a router-id, as well as add each vlan that you want to advertise (by analogy in Cisco: network).


configureospfrouterid 192.168.1.1enableospfconfigureospfaddvlanrouting-5area 0.0.0.0configureospfaddvlanVoip-32area 0.0.0.0passive

The rest of the little things


DHCP Relay


Configured as follows:


configure bootprelay add192.168.12.5 vr VR-Defaultenable bootprelay ipv4 vlan servers-500

When creating a new vlan, you must add it manually to the vlan list with DHCP Relay.


SSH + ACL for SSH


Ssh is included as follows: 


enable ssh2

To restrict access to ssh, you must create a separate policy file of the form NAME.pol and hang it on SSH.


vi ssh.pol

Politics:


Entry AllowTheseSubnets {
ifmatch any {
source-address 192.168.0.0 /16;
source-address 10.255.255.34 /32;
}
Then
{
permit;
}
}

Team to apply policy:


enable ssh2 access-profile ssh.pol

Description + display-string


For ease of configuration and subsequent operation, you can set the "name" and "description" of the interface.


сonfigure port 1 description “thisis port number one”

Interface description will be displayed only in commands like:


show ports description

The name of the interface will replace almost everywhere its number in the output of commands. The name must not contain a space and is limited to a length of 20 characters.


сonfigure port1 display-string UserPort
EXOS-VM.8 # sh port vlan
         Untagged  
Port     /Tagged   VLAN Name(s)
-------- --------  ------------------------------------------------------------
UserPort Untagged  Default2        Untagged  Default3        Untagged  Default

Conclusion


XOS also allows you to automate many actions and adjust the system to your needs, as it natively supports Python and the built-in mechanism for creating and running scripts using command line commands ( CLI-Scripting ).


I am open to suggestions for improving the article and correcting inaccuracies / errors, as well as questions.


UPD : LLDP for IP phones is configured using the commands in this comment .

Tags:

Also popular now: