
Initial Switch Configuration
ExtremeXOS™ Operation and Configuration, Version 12.1

© 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Student Objectives

Upon completion of this module, you will be able to:


Login to the switch.
Interpret the system prompt.
Assign a name to the switch.
Use the syntax help function.
Create a new user account.
Describe the SNMP, SNTP, and logging management features.

Slide 2
Initial Switch Configuration

Connect to the console port.
• DB-9, DTE, 9600, N, 8, 1, XON/XOFF
A new switch boots and prompts for:
• Telnet enabled or disabled
• SNMP enabled or disabled
• All data ports enabled or disabled
• Failsafe account and password change
• Failsafe access on management port

[Diagram: Console connected to Switch]

Slide 3
CLI Access

Telnet Connection
Dedicated Ethernet management port or Ethernet data port:
- Up to 8 Sessions
- IP must be configured
- Nested Telnet
- SSH (requires additional s/w module)

Console Port Connection
- DB-9 serial cable
- 9600, 8, N, 1, X

Slide 4
CLI Organization

# PROMPT

First-tier Commands
clear configure create delete disable download enable exit history logout
nslookup ping quit reboot restart rtlookup show traceroute upload use

Second-tier Commands
accounts configuration rip vlan protocol log stpd switch qosfile ipstats
fdb iparp memory management iparp iproute ports version session

Third-tier Commands
configuration stats collisions errors packet utilization port number

Slide 5
Syntax Helper
Using the tab key displays the next set of command options.
Using the question mark (?) at the end of the command displays the next set of command options.

VLAB-R1-X450-24x.2 # show
access-list      access-list info
accounts         show accounts
bandwidth        Bandwidth resource
banner           Netlogin Banner
bgp              Display BGP global configuration information
bootprelay       Show the bootp relay information
cfm              Configure IEEE 802.1ag specific settings
checkpoint-data  Checkpoint Data
clear-flow       CLEAR-Flow
configuration    System configuration
cpu-monitoring   CPU Utilization Statistics
debug            debug command

VLAB-R1-X450-24x.2 # show ports ?
anomaly          anomaly statistics
collisions       Displays collision statistics
configuration    Display the port configuration
information      Displays port information
packet           histogram of packet statistics
qosmonitor       QOS
redundant        Display all software redundant ports on the system
rxerrors         receive error statistics
sharing          sharing
stack-ports      Stacking Ports
statistics       Port statistics
txerrors         Displays transmit error statistics

Slide 6
Abbreviated Syntax
Abbreviation of a command, parameter, or value:
• # show ipconfig
• # sh ipc
Entering port values
• Separated by commas, (1,2,4)
• Specify a range (1-9)
• Specify all ports (all)

VLAB-R1-X450-24x.2 # sh ipc
Use Redirects : Disabled
IpOption LSRR : Enabled
IpOption SSRR : Enabled
IpOption RR : Enabled
IpOption TS : Enabled
IpOption RA : Enabled
Route Sharing : Disabled
Originated Packets : Don't require ipforwarding
IP Fwding into LSP : Disabled
Unicast Reverse Path : Disabled
Max Shared Gateways : Current: 4 Configured: 4
IRDP:
Advertisement Address: 255.255.255.255 Maximum Interval: 600
Minimum Interval: 450 Lifetime: 1800 Preference: 0

VLAN IP Address Flags nSIA
Default 10.1.0.1 /24 E-----MPuRX------- 0

Flags: (A) Address Mask Reply Enabled (B) BOOTP Enabled
(b) Broadcast Forwarding Enabled, (E) Interface Enabled
(f) Forwarding Enabled (g) Ignore IP Broadcast Enabled
(h) Directed Broadcast Forwarding by Hardware Enabled
Press <SPACE> to continue or <Q> to quit:

Slide 7
# history

CLI Command - History

Displays all commands entered
• Stored in the command history buffer
• Content of buffer is displayed by entering the history command
history
Use <Up> and <Down> arrow keys to scroll within the command history buffer

VLAB-R1-X450-24x.7 # history
1 show
2 sh ipc
3 history
4 create vlan ipV6
5 create vlan Finance
6 save
7 history
VLAB-R1-X450-24x.8 #

Slide 8
Unique Name Identifiers

Names are used as reference keys within the command set.


Unique name identifiers are used for naming VLANs, Spanning Tree
protocol domains, etc.

Blue Green Finance Marketing

Slide 9
Switch Login
Two access levels:
• User / Administrator
• May login after AAA initialization
Up to 16 accounts
Passwords:
• Blank
• 4 to 12 characters
• Case sensitive
You can create two admin accounts, and they are identical in their capabilities.
Fail Safe account
• Used for recovery
• If password is lost, return switch to Extreme Networks
• May use to login before AAA initialization

(pending-AAA) login:
Authentication Service (AAA) on the master node is now available
for login.
login: admin
password:

ExtremeXOS
Copyright (C) 2000-2007 Extreme Networks. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482;
6,618,388; 6,034,957; 6,859,438; 6,912,592; 6,954,436; 6,977,891;
6,980,550; 6,981,174; 7,003,705; 7,017,082; 7,046,665; 7,126,923;
7,142,509; 7,149,217; 7,152,124; 7,154,861; 7,245,619; 7,245,629;
7,269,135.
==================================================================
Press the <tab> or '?' key at any time for completions.
Remember to save your configuration changes.
VLAB-R1-X450-24x.1 #

Slide 10
CLI - Command Prompt
The command prompt tells us four things:
• Unsaved configuration changes
• Switch name
• Number of commands executed during this session
• Privilege level

* X450a-24t.6 #

*          New change to switch configuration not saved
X450a-24t  Switch SNMP Sysname
6          Number of next command to be executed
#          Privilege Level

Slide 11
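
The prompt fields described above can be read mechanically from a captured console session, which lets a reviewer see which commands changed the configuration and whether the session ended with changes unsaved. This is an added example, not part of the original slides; the transcript is constructed from the account session shown later in this module, and `parse_prompt` and `review_session` are hypothetical helper names.

```python
import re

# Prompt layout from the slide: optional "*" (unsaved changes), switch name,
# "." plus the number of the next command, then "#" (administrator) or ">" (user).
PROMPT = re.compile(
    r"^(?P<dirty>\*\s*)?(?P<name>\S+)\.(?P<num>\d+)\s+(?P<priv>[#>])\s*(?P<cmd>.*)$")

# Constructed transcript, modelled on the account session in this module.
SAMPLE = """\
VLAB-R1-X450-24x.4 # configure account test
password:
Reenter password:
* VLAB-R1-X450-24x.5 # save
Configuration saved to primary.cfg successfully.
VLAB-R1-X450-24x.6 # delete account test
* VLAB-R1-X450-24x.7 # show accounts
* VLAB-R1-X450-24x.8 #
"""

def parse_prompt(line):
    """Return the prompt's fields as a dict, or None if the line is not a prompt."""
    m = PROMPT.match(line.strip())
    if not m:
        return None
    return {"unsaved": bool(m["dirty"]), "switch": m["name"],
            "next_cmd": int(m["num"]),
            "level": "admin" if m["priv"] == "#" else "user",
            "command": m["cmd"].strip()}

def review_session(text):
    """List commands after which '*' appeared, and whether the session ended unsaved."""
    prompts = [p for p in map(parse_prompt, text.splitlines()) if p]
    # A clean prompt followed by a '*' prompt means the command in between
    # changed the running configuration.
    changing = [prev["command"] for prev, cur in zip(prompts, prompts[1:])
                if cur["unsaved"] and not prev["unsaved"]]
    return {"changing_commands": changing,
            "ends_unsaved": bool(prompts) and prompts[-1]["unsaved"],
            "levels": sorted({p["level"] for p in prompts})}

if __name__ == "__main__":
    print(review_session(SAMPLE))
```

In the constructed transcript the account deletion is never followed by `save`, so the session ends with the `*` still showing.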
# show session {{detail} {<sessID>}} {history}
# clear session [<sessId> | all]

Management Accounts

User account can:
- View anything except:
- Switch configuration
- Switch management
- User accounts
- SNMP community strings
- Use PING
- Change own password
Prompt type: X450a-24t >

Administration account can:
- View and change anything
- Add/Remove users
- Change user passwords
- Disconnect Telnet sessions
Prompt type: X450a-24t #

Slide 12
# create account [admin | user] <name> {<password>}
# delete account <name>

Creating User Accounts


Display user account information with:
• show account
Only admin-level users can create or delete accounts.
Default accounts have no passwords.
• configure account <name>
• 1 to 32 characters
• case-sensitive
The default admin account cannot be deleted.
You may create password policies.

VLAB-R1-X450-24x.4 # show accounts
User Name                        Access LoginOK Failed
-------------------------------- ------ ------- ------
admin                            R/W    20      0
user                             RO     0       0
test                             R/W    3       7
VLAB-R1-X450-24x.4 # configure account test
password:
Reenter password:
* VLAB-R1-X450-24x.5 # save
The configuration file primary.cfg already exists.
Do you want to save configuration to primary.cfg and overwrite it? (y/N) Yes
Saving configuration on master ....... done!
Configuration saved to primary.cfg successfully.
VLAB-R1-X450-24x.6 # delete account test
* VLAB-R1-X450-24x.7 # save
The configuration file primary.cfg already exists.
Do you want to save configuration to primary.cfg and overwrite it? (y/N) Yes
Saving configuration on master ....... done!
Configuration saved to primary.cfg successfully
VLAB-R1-X450-24x.7 #

For security, always configure a password on the default admin account.

Slide 13
# configure failsafe-account

Failsafe Login

The account of last resort to access the ExtremeXOS switch when the admin password has been lost.
Never displayed but always present.
To access the switch using the failsafe account, you must be connected using a permitted method:
• all
• control
• serial
• ssh
• telnet
Changes to failsafe account and password are immediately stored in NVRAM, not in the configuration file.
Note: The information that you use to configure the failsafe account cannot be recovered by Extreme Networks Technical support. Protect this information carefully.

Slide 14
# configure cli max-sessions <num_sessions>
# configure cli max-failed-logins <max_attempts>

Limiting CLI Sessions and Failed Logins

Limit the number of simultaneous CLI sessions:
• configure cli max-sessions 4
Limit the number of failed login attempts:
• configure cli max-failed-logins 2
Lock out a user after consecutive failed login attempts:
• configure account [all | <name>] password-policy lockout-on-login-failures on
View the accounts that are currently locked out with the following command:
• show account
Admin-level user must clear lockout condition:
• clear account [all | <name>] lockout

Slide 15
# configure telnet vr admin_vrouter

Restricting Telnet Access

Restrict which virtual router interfaces listen for Telnet connection requests:
• configure telnet vr admin_vrouter

Slide 16
Configuring Management Access

Dedicated management port
IP address required to access switch
Out-of-band management for:
• Telnet
• SSH
• SNMP
• SNTP
• RADIUS
• RMON
• Remote logging
• Local logging

[Diagram: Management Station, IP Network, Regional Offices]

Slide 17
# enable ssh2
# scp2

Using SSH and SCP

Used to encrypt Telnet sessions between a network administrator using SSH2 client software and the switch.
Secure copy is included in the SSH module and is used to transfer files using encrypted data between the switch and an SSH2 client.
• To enable the switch to function as an SSH2 server:
enable ssh2
• To copy a file using secure copy:
scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <user>@ [<hostname> | <ipaddress>]:<remote_file> <local_file> {vr <vr_name>}
• Copy policy and configuration files to the switch using the Secure Copy Protocol 2 (SCP2).
Note: Installing the SSH module also provides secure web (HTTPS / SSL) functionality.

Slide 18
Using SNMP

The switch must have an IP address.
The SNMP agent can then be accessed from a Network Management Station (NMS).
Any SNMP based network manager can manage a switch.
Switch MIB must be installed correctly on the mgmt workstation.

[Diagram: IP Network/Intranet with addresses 10.1.4.1, 10.1.6.1 and 10.1.5.1 (NMS)]

Slide 19
# enable snmp
# configure snmp

Configuring SNMP System Parameters

Enable SNMP
enable snmp access
System name
configure snmp sysname <string>
System location
configure snmp syslocation <string>
System contact
configure snmp syscontact <string>

[Diagram: IP Network/Intranet with addresses 10.1.4.1, 10.1.6.1 and 10.1.5.1 (NMS)]

Slide 20
# configure snmp add community
# configure snmp

Configuring SNMP Access Parameters

Community strings
• Default Public and Private
• SNMP read or read/write access
configure snmp add community [readonly | readwrite] <string>
Authorized trap receivers
• Enable traps
enable snmp traps
• Add trap receiver
configure snmp add trapreceiver <ip_address> community <string>

[Diagram: IP Network/Intranet with addresses 10.1.4.1, 10.1.6.1 and 10.1.5.1 (NMS)]

Slide 21
Authenticating Switch Management Users

RADIUS Client
• Remote Authentication Dial In User Service (RADIUS)
• A mechanism for authenticating and centrally administering access to network
nodes
• Allows authentication for Telnet, Vista, or console switch access
TACACS+
• Terminal Access Controller Access Control System Plus
• Similar to the RADIUS Client
• Used to authenticate prospective users attempting to administer the switch
• Used to communicate between the switch and an authentication database
NOTE: You cannot configure RADIUS and TACACS+ at the same
time.

Slide 22
Logging Features
• Timestamp
• Fault Level
• Subsystem
• Message


UNIX syslog host facility ― accepts and logs messages

[Diagram: Local logging; Remote logging enabled; IP Network/Intranet]

Slide 23
# configure syslog
# enable syslog

Logging Features

configure syslog {add} [<ipaddress> | <ipPort>] {vr <vr_name>} [local0 ...local7] {<severity>}
enable syslog

UNIX syslog host facility ― accepts and logs messages

[Diagram: Local logging; Remote logging enabled; IP Network/Intranet]

Slide 24
# show log {<severity>}

Displaying Log Messages

Local logging:
• Up to 20,000 messages in the internal log
• Default is 1000 entries
Display log anytime:
• show log {<severity>}

[Diagram: Local logging; Remote logging enabled; IP Network/Intranet]

Slide 25
# configure sntp-client
# enable sntp-client

Using SNTP

Simple Network Time Protocol (SNTP) Version 3.
Used to update/synchronize the internal switch clock from a Network Time Protocol (NTP) server.
When enabled, the switch sends out a periodic query to the NTP server or the switch listens to broadcast NTP updates.

[Diagram: Console, Switch, NTP Server]

# configure sntp-client [pri | sec] server [<ip address> | <host name>] {vr <vr_name>}
# enable sntp-client

Slide 26
# show management

Verifying the Management Configuration


To display the network management configuration, statistics, and SNMP settings:
• show management
The display includes:
• Enable/disable states for Telnet, and SNMP
• Authorized SNMP station list
• SNMP trap receiver list
• RMON polling configuration
• SNMP statistics

VLAB-R1-X450-24x.1 # show management
CLI idle timeout : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions : 8
CLI paging : Enabled (this session only)
CLI space-completion : Disabled (this session only)
CLI configuration logging : Disabled
CLI scripting : Disabled (this session only)
CLI scripting error mode : Ignore-Error (this session only)
CLI persistent mode : Persistent (this session only)
Telnet access : Enabled (tcp port 23 vr all)
: Access Profile : not set
SSH Access : ssh module not loaded.
Web access : Enabled (tcp port 80)
Total Read Only Communities : 1
Total Read Write Communities : 1
RMON : Disabled
SNMP access : Disabled
: Access Profile Name : not set
SNMP Traps : Enabled
SNMP v1/v2c TrapReceivers : None

SNMP stats: InPkts 0 OutPkts 0 Errors 0 AuthErrors 0
Gets 0 GetNexts 0 Sets 0
SNMP traps: Sent 0 AuthTraps Enabled
VLAB-R1-X450-24x.2 #

Slide 27
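
A saved copy of the `show management` display can be checked for the settings this module asks you to tighten (Telnet versus SSH2, web access, logging of configuration commands, SNMP communities). This is an added example, not part of the original slides; the sample is constructed from lines of the display above, and `parse_management` and `audit` are hypothetical helper names.

```python
# Constructed sample: selected lines of the `show management` output shown above.
SAMPLE = """\
CLI idle timeout : Enabled (20 minutes)
CLI configuration logging : Disabled
Telnet access : Enabled (tcp port 23 vr all)
: Access Profile : not set
SSH Access : ssh module not loaded.
Web access : Enabled (tcp port 80)
Total Read Write Communities : 1
SNMP access : Disabled
: Access Profile Name : not set
"""

def parse_management(text):
    """Map 'name : value' lines to a dict; ': sub : value' lines attach to the previous name."""
    fields, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(":") and last:
            sub, _, value = line[1:].partition(" : ")
            fields[f"{last} / {sub.strip()}"] = value.strip()
        elif " : " in line:
            key, _, value = line.partition(" : ")
            last = key.strip()
            fields[last] = value.strip()
    return fields

def audit(text):
    """Return (field, finding) pairs for settings a reviewer would question."""
    f = parse_management(text)
    # Assumption: an active service's value begins with "Enabled", as on the Telnet/Web lines.
    on = lambda name: f.get(name, "").lower().startswith("enabled")
    findings = []
    if on("Telnet access"):
        findings.append(("Telnet access", "cleartext CLI sessions; prefer SSH2"))
        if f.get("Telnet access / Access Profile") == "not set":
            findings.append(("Telnet access / Access Profile", "no access profile set"))
    if not on("SSH Access"):
        findings.append(("SSH Access", "SSH2 unavailable: " + f.get("SSH Access", "missing")))
    if on("Web access") and f["Web access"].endswith("port 80)"):
        findings.append(("Web access", "HTTP on tcp port 80 is unencrypted"))
    if not on("CLI configuration logging"):
        findings.append(("CLI configuration logging", "configuration commands are not logged"))
    if on("SNMP access") and int(f.get("Total Read Write Communities", "0")) > 0:
        findings.append(("SNMP access", "read/write community reachable; check for defaults"))
    return findings

if __name__ == "__main__":
    for field, finding in audit(SAMPLE):
        print(f"{field}: {finding}")
```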
Summary

You should now be able to:


Login to the switch.
Interpret the system prompt.
Assign a name to the switch.
Use the syntax help function.
Create a new user account.
Describe the SNMP, SNTP, and logging management features.

Slide 28
Lab

Turn to the Initial Switch Configuration Lab in the ExtremeXOS™ Operations and Configuration - Lab Guide Rev. 12.1 and complete the hands-on portion of this module.

Slide 29
Review Questions

This presentation contains forward-looking statements that involve
risks and uncertainties, including statements regarding our
expectations as to products, trends and our performance. There can be
no assurances that any forward-looking statements will be achieved,
and actual results could differ materially from forecasts and estimates.
For factors that may affect our business and financial results please
refer to our filings with the Securities and Exchange Commission,
including, without limitation, under the captions: “Management’s
Discussion and Analysis of Financial Condition and Results of
Operations,” and “Risk Factors,” which is on file with the Securities
and Exchange Commission (http://www.sec.gov). We undertake no
obligation to update the forward-looking information in this release.
