EXTREME VALIDATED DESIGN
Extreme Smart OmniEdge for Primary/Secondary Education
Version 1.1
9035597-01
December 2018
Contents
Preface........................................................................................................................................5
Extreme Validated Designs ............................................................................................................... 5
Purpose of This Document ................................................................................................................ 5
Target Audience ................................................................................................................................ 6
Authors ............................................................................................................................................... 6
Document History .............................................................................................................................. 6
About Extreme Networks ................................................................................................................... 6
Introduction................................................................................................................................7
Technology Overview................................................................................................................8
Terminology ....................................................................................................................................... 8
Functional Components of Extreme Smart OmniEdge .................................................................... 9
ExtremeSwitching Edge ................................................................................................................... 9
Extreme Extended Edge .................................................................................................................. 9
ExtremeWireless .............................................................................................................................. 9
Network Management Policy and ExtremeControl ......................................................................... 10
Validated Designs – Infrastructure & Topology ......................................................................11
Extreme Smart OmniEdge for Primary/Secondary Education Deployment Model.......................... 11
Hardware and Software Matrix .......................................................................................................... 12
Smart OmniEdge for Primary/Secondary Education – Easy Config Tool ........................................ 12
Preconditions ..................................................................................................................................... 13
ExtremeSwitching Edge Auto-Configuration ..................................................................................... 14
VPEX Full Automation ..................................................................................................................... 14
VPEX Partial Automation ................................................................................................................. 14
MLAG Orchestration Mode .............................................................................................................. 15
District Office / School 1..................................................................................................................... 16
VLANs and Subnets at the District Office ........................................................................................ 17
District Office/School 1 – Configuration ........................................................................................... 19
Wired User Access........................................................................................................................... 39
Wireless User Access ...................................................................................................................... 47
Authentication – RADIUS................................................................................................................. 50
Guest Access (Captive Portal)......................................................................................................... 55
Extreme Policy ................................................................................................................................. 56
ExtremeControl Configuration ......................................................................................................... 89
ExtremeWireless Controller Configuration ...................................................................................... 103
ExtremeAnalytics ............................................................................................................................. 140
Remote Site Connectivity via MAN .................................................................................................. 152
Authentication – Netlogin ................................................................................................................. 155
School 2 ............................................................................................................................................. 156
VLANs and Subnets at School 2 ..................................................................................................... 157
School 2 – Configuration.................................................................................................................. 158
Wired User Access........................................................................................................................... 172
Wireless User Access ...................................................................................................................... 178
Authentication – RADIUS................................................................................................................. 180
Remote Site Connectivity via MAN.................................................................................................. 181
Policy and Access Control ............................................................................................................... 184
Authentication – Netlogin ................................................................................................................. 184
School 3 ............................................................................................................................................. 185
VLANs and Subnets at School 3 ..................................................................................................... 186
School 3 – Configuration.................................................................................................................. 187
Wired User Access........................................................................................................................... 203
Wireless User Access ...................................................................................................................... 209
Authentication – RADIUS................................................................................................................. 212
Remote Site Connectivity via MAN .................................................................................................. 213
Policy, Access Control, and Analytics.............................................................................................. 217
Authentication – Netlogin ................................................................................................................. 217
School 4 ............................................................................................................................................. 218
VLANs and Subnets at School 4 ..................................................................................................... 218
School 4 – Base Configuration ........................................................................................................ 219
Wired User Access........................................................................................................................... 221
Wireless User Access ...................................................................................................................... 223
Authentication – RADIUS................................................................................................................. 224
Remote Site Connectivity via MAN .................................................................................................. 224
Policy and Access Control ............................................................................................................... 226
Authentication – Netlogin ................................................................................................................. 226
RF-Planning ....................................................................................................................................... 227
Site Survey ....................................................................................................................................... 227
ExtremeWireless RF Planning Tool................................................................................................. 227
Visualization ..................................................................................................................................... 230
Sharing and Exporting...................................................................................................................... 231
Product Lifecycle – Exporting into Other Products .......................................................................... 233
RF Survey Tools .............................................................................................................................. 233
Extreme Management Center Configuration .................................................................................... 234
Adding a ExtremeControl Appliance to Extreme Management Center .......................................... 234
Adding Wireless Controllers to Extreme Management Center ....................................................... 236
Adding Analytics to Extreme Management Center ......................................................................... 238
Site Configuration ............................................................................................................................. 240
Design Considerations....................................................................................................................... 242
Network Time Protocol (NTP) .......................................................................................................... 242
BOOTP Relay Agent ........................................................................................................................ 253
Link Layer Discover Protocol (LLDP) .............................................................................................. 256
Simple Network Management Protocol (SNMPv3) ......................................................................... 257
Domain Name System (DNS).......................................................................................................... 269
RADIUS ............................................................................................................................................ 270
Secure Shell (SSH) .......................................................................................................................... 274
Multicast (IGMP and PIM-SM) ......................................................................................................... 276
Appendix ....................................................................................................................................286
VPEX (Extended Edge) Automation Highlights: ............................................................................... 286
References .................................................................................................................................287
Preface
This document provides design guidance for implementing an Extreme Networks Smart OmniEdge access layer using Extreme Networks hardware and software. An Extreme Smart OmniEdge network consists of ExtremeSwitching products, ExtremeWireless, Extreme Management Center, ExtremeControl, and ExtremeAnalytics.
Extreme Validated Designs
Helping customers consider, select, and deploy network solutions for current and planned needs is our
mission. Extreme Validated Designs offer a fast track to success by accelerating that process.
Validated designs are repeatable reference network architectures that have been engineered and tested
to address specific use cases and deployment scenarios. They document systematic steps and best
practices that help administrators, architects, and engineers plan, design, and deploy physical and virtual
network technologies. Leveraging these validated network architectures accelerates deployment speed,
increases reliability and predictability, and reduces risk.
Extreme Validated Designs incorporate network and security principles and technologies across the
ecosystem of service provider, datacenter, campus, and wireless networks. Each Extreme Validated
Design provides a standardized network architecture for a specific use case, incorporating technologies
and feature sets across Extreme products and partner offerings.
All Extreme Validated Designs follow best-practice recommendations and allow for customer-specific
network architecture variations that deliver additional benefits. The variations are documented and
supported to provide ongoing value, and all Extreme Validated Designs are continuously maintained to
ensure that every design remains supported as new products and software versions are introduced.
By accelerating time-to-value, reducing risk, and offering the freedom to incorporate creative, supported
variations, these validated network architectures provide a tremendous value-add for building and growing
a flexible network infrastructure.
Purpose of This Document
This Extreme validated design provides guidance for designing and implementing an Extreme Smart
OmniEdge network using Extreme hardware and software. It details the Extreme reference architecture
for Smart OmniEdge utilizing Extended Edge, stacked ExtremeSwitching switches, IdentiFi wireless, and
the Extreme Management suite of applications.
Note that not all features, such as automation practices, zero-touch provisioning, and monitoring, are included in this document. The design practices documented here follow the best-practice recommendations but are not intended to cover other variations of the design that are supported in general by Extreme Networks.
Target Audience
This document is written for Extreme systems engineers, partners, and customers who design, implement, and support campus networks. It is intended for experienced network architects and engineers, and assumes that the reader has a good understanding of switching and routing features.
Authors
The authors have extensive experience testing Extreme Smart OmniEdge products and solutions. At
Extreme, they focus on developing and validating solution architectures that customers can use in
deployments.
• Jason Carroll, Staff SQA Engineer
• Filip Steiger, Staff SQA Engineer
• Lon Weston, Staff SQA Engineer
The authors would like to acknowledge the following individuals for their technical guidance in developing
this validated design:
• Paulo Francisco, Wireless Technical Product Manager
• Donald Grosser, Distinguished Software Systems Engineer
• Elangomaran Kathirvel, Director of QA Engineering
• Roger Lapuh, Senior Principal Software Applications Engineer
Document History
Future revisions of this document will include upcoming Smart OmniEdge products and technologies.
Date         Part Number   Description
July 2018    9035597-00    1.0 - Initial release
Dec 2018     9035597-01    1.1 – VPEX Full Automation, VPEX Partial Automation, and VLAN name changes
About Extreme Networks
Extreme Networks® (NASDAQ: EXTR) networking solutions help the world’s leading organizations
transition smoothly to a world where applications and information reside anywhere. This vision is designed
to deliver key business benefits such as unmatched simplicity, non-stop networking, application
optimization, and investment protection.
Innovative Ethernet and storage networking solutions for datacenter, campus, and service provider
networks help reduce complexity and cost while enabling virtualization and cloud computing to increase
business agility.
To help ensure a complete solution, Extreme Networks (www.extremenetworks.com) partners with world-class IT companies and provides comprehensive education, support, and professional services offerings.
Introduction
The Smart OmniEdge design detailed in this document is targeted for primary and secondary education
campuses, both single and multi-site. The configurations and design practices documented here are fully
validated and conform to Extreme Networks best practices and recommendations. The intention of this
Extreme Validated Design document is to provide reference configurations and instruction for building a
managed, secure campus network using ExtremeSwitching and Extended Edge switches and
ExtremeWireless architectures.
This document describes the following architectures:
• Extreme Smart OmniEdge with Extreme Extended Edge in a fully redundant topology
• Extreme Smart OmniEdge with Extreme Extended Edge in a cascaded topology
• Extreme Smart OmniEdge with ExtremeSwitching switches utilizing stacking capabilities
• ExtremeWireless
• ExtremeManagement, ExtremeControl and ExtremeAnalytics
Note
Additional resources:
• At-A-Glance, Smart OmniEdge for Primary/Secondary Education
• Solutions Brief, Smart OmniEdge for Primary/Secondary Education
Technology Overview
Terminology
Term        Description
ACL         Access Control List
AD          Active Directory
AP          Access Point
ARP         Address Resolution Protocol
BPDU        Bridge Protocol Data Unit
BSR         Bootstrap Router
CLI         Command-Line Interface
CoS         Class of Service for Layer 2
C-RP        Candidate Rendezvous Point
DHCP        Dynamic Host Configuration Protocol
EXOS        Extreme Operating System (also ExtremeXOS)
FDB         Filter Database
IGMP        Internet Group Management Protocol
IP          Internet Protocol
ISC         Inter-Switch Connector
ISL         Inter-Switch Link
LACP        Link Aggregation Control Protocol
LAG         Link Aggregation
LDAP        Lightweight Directory Access Protocol
LLDP        Link Layer Discovery Protocol
MAC         Media Access Control
MAN         Metropolitan Area Network
MLAG        Multi-Chassis Link Aggregation
NTP         Network Time Protocol
OSPF        Open Shortest Path First
PIM-SM      Protocol Independent Multicast Sparse Mode
PoE         Power over Ethernet
QoS         Quality of Service
sFlow       Sampled Flow
SFP/SFP+    Optical Transceivers
SNMP        Simple Network Management Protocol
UDP         User Datagram Protocol
VLAN        Virtual Local Area Network
VPEX        Virtual Port Extender
VR          Virtual Router
VRRP        Virtual Redundancy Protocol
802.1BR     IEEE Standard to extend a bridge and its management beyond its physical enclosure
802.1X      IEEE Standard for port-based Network Access Control
Functional Components of Extreme Smart OmniEdge
The Extreme Smart OmniEdge infrastructure provides the means of communication between users, applications, and devices. Applications such as web browsing, Unified Communications, email, video surveillance, and digital signage all require a reliable infrastructure. Extreme Smart OmniEdge provides QoS, bandwidth, PoE, Network Access Control, redundancy, and visibility across local or remote geographical locations. This gives the IT operator the opportunity to provide appropriate levels of access for different user groups without compromising connectivity on a shared network.
An Extreme Networks Smart OmniEdge network consists of three main functional areas. These include:
• Two Options for wired user connectivity:
o Traditional ExtremeXOS switches
o 802.1BR based Extended Edge switches (Bridge Port Extenders)
• ExtremeWireless IdentiFi solution
• Extreme Management Center providing Network Policy, Access Control and Analytics
ExtremeSwitching Edge
The ExtremeSwitching series is a scalable, cost-effective family of edge switches powered by Extreme Networks ExtremeXOS, a highly resilient OS providing continuous uptime, manageability, and operational efficiency. ExtremeSwitching provides high-performance routing and switching, flexible stacking, PoE-plus support, and comprehensive security, while extending the benefits of ExtremeXOS to the campus edge. ExtremeSwitching also provides easy-to-use yet powerful management services, which include role-based policies for controlled access to specific network applications.
Extreme Extended Edge
Rather than utilizing a traditional switch for user access, Extreme Networks customers can use Controlling Bridges (CBs) to extend the existing port table to V400 Series Bridge Port Extenders (BPEs). This technology is defined in the IEEE 802.1BR specification. The BPE devices do not participate in packet processing, forwarding, or filtering decisions. Instead, they simply forward packets to the CB, where switching functionality is provided.
The BPE devices are managed like slots in a chassis under a single management domain. From a
management perspective, multiple layers of a traditional network can be reduced, greatly simplifying the
network operation.
ExtremeWireless
ExtremeWireless is simple, fast, and smart, delivering a user experience in unmatched scale and density
at an exceptional level. Intuitive dashboards allow effortless management of the network:
• With a single click, you can deliver services and new applications with ease.
• Enable fast roaming with seamless mobility while delivering more throughput with fewer APs.
• You can be agile through an advanced architecture that assures security with enforcement.
• Through analytics, user experience can be measured in true detail.
Access Points can initialize and configure themselves from a centralized appliance. APs can find the appliance through DHCP, which then pushes configurations down. After configuration, each AP can run independently of the appliance if connectivity is lost. Policy and QoS are enforced at the AP level for clients connecting to an SSID. RF characteristics can be automatically configured by the AP through automatic power or channel selection. Band-Steering and Airtime Fairness are also controlled by the AP.
The ExtremeWireless design provides the same availability that everyone has come to expect from wired networks. Appliances have built-in resiliency through the ability to pair controllers together for full redundancy. If an appliance fails, the second controller can take over the full load while maintaining connectivity through the APs.
Network Management Policy and ExtremeControl
The deployment of Extreme Networks Management and Access Control Appliances makes the Extreme Smart OmniEdge possible. These tools – consisting of Extreme Management Center, ExtremeControl, and ExtremeAnalytics – form the backbone for managing and configuring the functionality of the Extreme Smart OmniEdge solution.
Extreme Management Center
Extreme Management Center is a single pane of glass management system that provides wired/wireless
visibility and control from the datacenter to the mobile edge. The intelligence, automation, and integration
of this management software enables the IT organization to optimize the efficiency of network operations
and reduce total cost of ownership. Most important, Extreme Management Center provides advanced
network configuration and change management for the wired and wireless infrastructure and allows
centralized creation of policies that follow users and devices across the network. These are not tied to the
physical network and can change based on user, device, time of day, location, and connection type.
ExtremeControl
Extreme's Network Access Control engine, or ExtremeControl, lets you manage secure and automated
access for both BYOD and IoT devices from one convenient dashboard. It makes it easy to roll out
granular policies across your wired and wireless networks to meet industry and company compliance
obligations. Identity-based network access control keeps unauthorized people and devices from
accessing your network. ExtremeControl is integrated with Extreme Management Center to allow for
simple and seamless authentication control and modification in one single application.
ExtremeAnalytics
ExtremeAnalytics lets you understand what applications are running on your network, who is using them
and what the response time is for each application. It gives you granular visibility into network and
application performance, users, locations, and devices. Information from the network and the applications
empowers you to make data-driven decisions.
Validated Designs – Infrastructure & Topology
The following sections describe the deployment model for the Extreme Smart OmniEdge for
Primary/Secondary Education. The network components are spread across a primary location – known as
District Office/School 1 – and three additional school locations (Schools 2, 3, and 4).
[Figure: Extreme Smart OmniEdge for Primary/Secondary Education Deployment Model. Labels: District Office/School-1 (Extended Edge with ExtremeXOS Stack, ExtremeWireless, Bridge Port Extender, Smart OmniEdge Applications, Controlling Bridges); Metropolitan Area Network (MAN), OSPF; School-2 (Extended Edge); School-3 and School-4 (Cascaded Extended Edge, ExtremeXOS Standalone).]
Hardware and Software Matrix
The following table shows the actual platforms and software applications used in the Validated Design.
Utilizing other ExtremeSwitching hardware may offer different scale and feature capabilities.
Product                      FW Version          Enabled License Level                                        Enabled Feature Packs
X690-48x-2q-4c               22.6.1.4patch1-1    Advanced Edge: VPEX Support; Core: OSPF and PIM-SM Support
X590-24x-1q-2c               22.6.1.4patch1-1    Advanced Edge: VPEX Support; Core: OSPF and PIM-SM Support
X440-G2-48p-10G4             22.6.1.4patch1-1    Advanced Edge                                                Quad 10G Uplink
X440-G2-48t-10G4             22.6.1.4patch1-1    Advanced Edge                                                Quad 10G Uplink
V400-24p-10GE2               1.1.0.41
V400-24t-10GE2               1.1.0.41
V400-48p-10GE4               1.1.0.41
V400-48t-10GE4               1.1.0.41
Wireless Controller V2110    10.41.07.0014
AP3912i-FCC                  10.41.07.0014
AP3915e-FCC                  10.41.07.0014
AP3915i-FCC                  10.41.07.0014
AP3916ic-FCC                 10.41.07.0014
AP3917e-FCC                  10.41.07.0014
AP3935e-FCC                  10.41.07.0014
AP3935i-FCC                  10.41.07.0014
Extreme Management Center    8.1.5.22
ExtremeControl               8.1.5.22
ExtremeAnalytics             8.1.5.22
Smart OmniEdge for Primary/Secondary Education – Easy Config Tool
An Easy Configuration tool is available to use alongside this Validated Design. This is a simple and
efficient way to configure devices used throughout the deployment process. This tool will collect data from
the user regarding their specific device information, such as IP addresses and login credentials. Based on
this data collection, the tool will configure Edge devices and Extended Edge devices and wireless
controllers in a way that replicates the configurations seen in this document. The devices configured, as
well as the design template to follow, can be dictated by the user at runtime. As a prerequisite, each
related device must be powered on and have management access via Telnet or SSH.
Preconditions
Before beginning the configuration of any device in the Extreme Smart OmniEdge validated design, verify
that the following preconditions have been met:
Extended Edge Controlling Bridges
Licensing requirements on ExtremeXOS Extended Edge controlling bridges:
VPEX x690-DO-Left.54 # show licenses
Enabled License Level:
Core
Enabled Feature Packs:
DirectAttach

enable vpex

Only issue the ‘enable vpex’ command if not using the built-in automated configuration processes and features.
ExtremeSwitching Switches
Licensing and Feature Pack requirements on ExtremeSwitching switches:
X440G2-48p-10G4.1 # show licenses
Enabled License Level:
Advanced Edge
Enabled Feature Packs:
DirectAttach Quad 10G Uplink
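As an added example (not part of the validated design and not an Extreme tool), the following Python script parses the text of the two `show licenses` outputs shown above and reports whether a device meets the license level and feature pack preconditions for its role. The role names, the cumulative ordering of license levels, and the sample outputs are assumptions constructed for the example.

```python
"""Precondition check for Smart OmniEdge licensing (added example).

Parses the text of an ExtremeXOS 'show licenses' command, as shown in the
Preconditions section, and reports whether a device meets the license level
and feature packs required for its role:
  - Controlling Bridge: Core license level, DirectAttach feature pack
  - ExtremeSwitching edge switch: Advanced Edge level, DirectAttach and
    Quad 10G Uplink feature packs
Sample outputs below are constructed to mirror the document's examples.
"""
import re
from dataclasses import dataclass, field

# Role requirements taken from the Preconditions section.
REQUIREMENTS = {
    "controlling_bridge": {"level": "Core", "packs": {"DirectAttach"}},
    "edge_switch": {"level": "Advanced Edge",
                    "packs": {"DirectAttach", "Quad 10G Uplink"}},
}

# Assumption: ExtremeXOS license levels are cumulative in this order, so a
# Core-licensed switch also satisfies an Advanced Edge requirement.
LEVEL_RANK = {"Edge": 0, "Advanced Edge": 1, "Core": 2}

# Feature pack names may share one output line ('DirectAttach Quad 10G Uplink'),
# so multi-word names are matched before splitting on whitespace.
KNOWN_PACKS = ("Quad 10G Uplink", "DirectAttach")

# Constructed sample outputs (mirroring the document's two examples).
CB_OUTPUT = """\
VPEX x690-DO-Left.54 # show licenses
Enabled License Level:
Core
Enabled Feature Packs:
DirectAttach
"""

EDGE_OUTPUT = """\
X440G2-48p-10G4.1 # show licenses
Enabled License Level:
Advanced Edge
Enabled Feature Packs:
DirectAttach Quad 10G Uplink
"""


@dataclass
class LicenseInfo:
    level: str = ""
    packs: set = field(default_factory=set)


def split_packs(line: str) -> set:
    """Pull known multi-word pack names out first, then keep leftover tokens whole."""
    found = set()
    rest = line
    for name in KNOWN_PACKS:
        if name in rest:
            found.add(name)
            rest = rest.replace(name, " ")
    found.update(rest.split())
    return found


def parse_show_licenses(output: str) -> LicenseInfo:
    """Read the 'Enabled License Level' and 'Enabled Feature Packs' sections.

    Values may follow the heading on the same line or on the following lines,
    so both layouts are handled.
    """
    info = LicenseInfo()
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith("# show licenses"):
            continue  # blank line or the echoed CLI prompt
        m = re.match(r"Enabled (License Level|Feature Packs):\s*(.*)", line)
        if m:
            section = "level" if m.group(1) == "License Level" else "packs"
            line = m.group(2)
            if not line:
                continue
        if section == "level":
            info.level = line
        elif section == "packs":
            info.packs.update(split_packs(line))
    return info


def check_role(output: str, role: str) -> list:
    """Return precondition failures for the role; an empty list means ready."""
    req = REQUIREMENTS[role]
    info = parse_show_licenses(output)
    problems = []
    if LEVEL_RANK.get(info.level, -1) < LEVEL_RANK[req["level"]]:
        problems.append(
            f"license level is '{info.level or 'none'}', need at least '{req['level']}'")
    for pack in sorted(req["packs"] - info.packs):
        problems.append(f"missing feature pack '{pack}'")
    return problems


if __name__ == "__main__":
    for name, out, role in (("CB", CB_OUTPUT, "controlling_bridge"),
                            ("edge", EDGE_OUTPUT, "edge_switch")):
        print(name, check_role(out, role) or "preconditions met")
```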
ExtremeSwitching Edge Auto-Configuration
ExtremeXOS provides three processes/features that simplify the configuration of the ExtremeSwitching Edge.
VPEX Full Automation
Performs two functions:
1. Joins standalone switches to an existing stack once connected by dedicated stacking links or
properly configured alternate stacking links.
2. Enables the VPEX feature if BPEs are connected to switches capable of being CBs. If two CBs are
connected to each other and BPEs are connected to each CB, VPEX Full Automation will auto
configure an MLAG and enable VPEX Partial Automation.
Note
The VPEX Full Automation process executes automatically if the following conditions are met:
• The CB is being powered up for the first time and the configuration has never been saved.
• The CB configuration has been reset to default and the configuration has never been saved.
• The CB learns of a connected BPE through LLDP while either of the above conditions is true.
To use the Smart OmniEdge Easy Configuration Tool or to configure everything manually, VPEX Full Automation must be suspended. The best way to suspend this process is to not connect any BPEs to a potential CB and to save the base configuration as soon as possible.
VPEX Partial Automation
The Smart OmniEdge Easy Configuration Tool or VPEX Full Automation will enable VPEX Partial Automation without any user intervention. The VPEX Partial Automation feature performs the following functions:
1. Discovers BPE(s) using LLDP
2. Assigns a slot number to newly connected BPE based on slot availability.
3. Configures the BPE module type.
4. Configures the BPE ports to be LAGs.
5. Configures MLAG ports for dual-homed BPEs in an MLAG setup.
If required, VPEX Partial Automation can be enabled manually with the following command:
enable vpex auto-config
MLAG Orchestration Mode
In CB MLAG deployments, the CBs can be placed manually into orchestration mode. This is useful for
BPE port configurations, which must be identical on both CBs. Any configuration commands will now be
checkpointed to the MLAG peer switch. To enter orchestration mode, enter the following command:
start orchestration mlag peer_name
After entering orchestration mode, as with the existing virtual-router mode, the configuration prompt changes to indicate that commands issued are within this context:
(orchestration DO_SC1_MLAG) Slot-1 VPEX X690-48x-2q-4c #start orchestration mlag peer_name
To exit orchestration mode, use the following command:
stop orchestration
Because the commands are checkpointed to the other CB, use orchestration mode only for commands that need to be executed on both CBs. Otherwise, problems such as configuring the same IP address on an interface of both CBs may be encountered.
District Office / School 1
[Figure: District Office/School-1 topology. An ExtremeXOS Stack and Bridge Port Extenders are dual-homed
through MLAGs to redundant Controlling Bridges (Controlling Bridge 1 and Controlling Bridge 2), which also
connect Extreme Management Center, ExtremeControl, ExtremeWireless Controllers, and ExtremeAnalytics.]
In many school districts, the District Office is often a high school; it is referred to as School 1 in this
document. Here the District Office is shown with a stack of ExtremeSwitching switches co-existing with
Extreme Extended Edge.
The District Office includes two controlling bridges (CBs) that provide uplinks to every bridge port
extender (BPE) in the topology. Because of this configuration, multi-chassis link aggregation (MLAG) can
be used to provide redundancy to all network users.
User access is also provided through an ExtremeSwitching access switch stack. MLAG is again used to
provide full redundancy to network access users.
ExtremeWireless access points can be connected to Power over Ethernet (PoE) capable BPEs and/or
PoE capable stack members.
All Extreme Smart OmniEdge virtual appliances (Extreme Management Center, ExtremeControl,
ExtremeWireless Controllers, and ExtremeAnalytics) are connected to the redundant controlling bridges.
These applications serve the entire school district while residing in the District Office/School 1.
Controlling Bridge 1 and Controlling Bridge 2 also act as traditional switches when they are not interacting
with Bridge Port Extenders. For simplicity, this document refers to them as Controlling Bridge 1 and
Controlling Bridge 2 even when they are acting as traditional switches.
Note
Three other schools are described later in this document. Refer to their specific sections for further
detail about their configurations:
• School 2 – Controlling bridges with bridge port extenders only, with MLAG redundancy.
• School 3 – Controlling bridges with bridge port extenders in a cascaded configuration, with MLAG
redundancy.
• School 4 – Standalone ExtremeSwitching access switch with a single uplink and no redundancy.
VLANs and Subnets at the District Office
Below is a list and table grouping VLANs by function at the District Office. The functions are:
• Appliance – VLAN for Extreme Smart OmniEdge Appliances.
• Management – Used to communicate with Extreme Smart OmniEdge Appliances and for routing
protocols.
• Remote Site Connectivity – Point-to-point interfaces used for connectivity between the District
Office/School 1 and the other schools.
• Local Site Connectivity – VLAN interfaces used to distribute static and directly connected routes into
OSPF and to provide OSPF services to the ExtremeWireless controllers.
• Bridged at Controller – Used for OSPF adjacency between the wireless controllers and the wired
school district topology.
• ISC – VLAN for the MLAG Interswitch Connection.
• Access VLAN – VLANs for wired users, wireless users, and networked devices.
Device                VLAN Name  Subnet             Tag   Purpose
--------------------  ---------  -----------------  ----  ------------------------
Controlling Bridge 1  VLAN_0109  192.168.109.0/24   109   Appliance
Controlling Bridge 2  VLAN_0109  192.168.109.0/24   109   Appliance
Controlling Bridge 1  Lo0        192.168.200.1/32   1001  Management
Controlling Bridge 2  Lo0        192.168.200.2/32   1001  Management
ExtremeXOS Stack      Lo0        192.168.200.8/32   1001  Management
Controlling Bridge 1  VLAN_0101  192.168.101.0/30   101   Remote Site Connectivity
Controlling Bridge 2  VLAN_0201  192.168.201.0/30   201   Remote Site Connectivity
Controlling Bridge 1  VLAN_0102  192.168.101.4/30   102   Remote Site Connectivity
Controlling Bridge 2  VLAN_0202  192.168.201.4/30   202   Remote Site Connectivity
Controlling Bridge 1  VLAN_0103  192.168.101.8/30   103   Remote Site Connectivity
Controlling Bridge 2  VLAN_0203  192.168.201.8/30   203   Remote Site Connectivity
Controlling Bridge 1  VLAN_0104  192.168.101.12/30  104   Remote Site Connectivity
Controlling Bridge 2  VLAN_0204  192.168.201.12/30  204   Remote Site Connectivity
Controlling Bridge 1  VLAN_0105  192.168.101.16/30  105   Remote Site Connectivity
Controlling Bridge 2  VLAN_0205  192.168.201.16/30  205   Remote Site Connectivity
Controlling Bridge 1  VLAN_0060  192.168.60.0/24    60    Local Site Connectivity
Controlling Bridge 2  VLAN_0060  192.168.60.0/24    60    Local Site Connectivity
Controlling Bridge 1  VLAN_0059  192.168.59.0/24    59    Local Site Connectivity
Controlling Bridge 2  VLAN_0059  192.168.59.0/24    59    Local Site Connectivity
ExtremeXOS Stack      VLAN_0059  192.168.59.0/24    59    Local Site Connectivity
Controlling Bridge 1  VLAN_0070  192.168.70.0/30    70    Bridged at Controller
Controlling Bridge 2  VLAN_0070  192.168.70.5/30    70    Bridged at Controller
Controlling Bridge 1  vpexmlag   169.254.0.0/16     4089  ISC
Controlling Bridge 2  vpexmlag   169.254.0.0/16     4089  ISC
Controlling Bridge 1  VLAN_1600  172.16.0.0/24      1600  Access VLAN
Controlling Bridge 2  VLAN_1600  172.16.0.0/24      1600  Access VLAN
ExtremeXOS Stack      VLAN_1600  172.16.0.0/24      1600  Access VLAN
Controlling Bridge 1  VLAN_1900  172.19.128.0/27    1900  Access VLAN
Controlling Bridge 2  VLAN_1900  172.19.128.0/27    1900  Access VLAN
ExtremeXOS Stack      VLAN_1900  172.19.128.0/27    1900  Access VLAN
Controlling Bridge 1  VLAN_1901  172.19.0.0/19      1901  Access VLAN
Controlling Bridge 2  VLAN_1901  172.19.0.0/19      1901  Access VLAN
ExtremeXOS Stack      VLAN_1901  172.19.0.0/19      1901  Access VLAN
Controlling Bridge 1  VLAN_2200  172.21.0.0/22      2200  Access VLAN
Controlling Bridge 2  VLAN_2200  172.21.0.0/22      2200  Access VLAN
ExtremeXOS Stack      VLAN_2200  172.21.0.0/22      2200  Access VLAN
Controlling Bridge 1  VLAN_1700  172.17.0.0/22      1700  Access VLAN
Controlling Bridge 2  VLAN_1700  172.17.0.0/22      1700  Access VLAN
ExtremeXOS Stack      VLAN_1700  172.17.0.0/22      1700  Access VLAN
Controlling Bridge 1  VLAN_1800  172.18.0.0/19      1800  Access VLAN
Controlling Bridge 2  VLAN_1800  172.18.0.0/19      1800  Access VLAN
ExtremeXOS Stack      VLAN_1800  172.18.0.0/19      1800  Access VLAN
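The following Python script is an added example and is not part of the validated design or of any Extreme tool. It transcribes the VLAN table above into data and runs the consistency checks a reviewer applies before the plan is pushed to the switches: per device, no two VLANs share an 802.1Q tag or overlapping subnets, loopbacks are /32 host routes, and point-to-point links are /30. The short device names CB1, CB2 and Stack are my abbreviations for the Controlling Bridges and the ExtremeXOS Stack.

```python
from ipaddress import ip_interface
from itertools import combinations

REMOTE = "Remote Site Connectivity"
ACCESS = "Access VLAN"
CB = ("CB1", "CB2")                 # abbreviations for Controlling Bridge 1 and 2
ALL = ("CB1", "CB2", "Stack")       # plus the ExtremeXOS Stack

# (devices, VLAN name, prefix, 802.1Q tag, purpose), transcribed from the table above.
PLAN = [
    (CB, "VLAN_0109", "192.168.109.0/24", 109, "Appliance"),
    (("CB1",), "Lo0", "192.168.200.1/32", 1001, "Management"),
    (("CB2",), "Lo0", "192.168.200.2/32", 1001, "Management"),
    (("Stack",), "Lo0", "192.168.200.8/32", 1001, "Management"),
    (("CB1",), "VLAN_0101", "192.168.101.0/30", 101, REMOTE),
    (("CB2",), "VLAN_0201", "192.168.201.0/30", 201, REMOTE),
    (("CB1",), "VLAN_0102", "192.168.101.4/30", 102, REMOTE),
    (("CB2",), "VLAN_0202", "192.168.201.4/30", 202, REMOTE),
    (("CB1",), "VLAN_0103", "192.168.101.8/30", 103, REMOTE),
    (("CB2",), "VLAN_0203", "192.168.201.8/30", 203, REMOTE),
    (("CB1",), "VLAN_0104", "192.168.101.12/30", 104, REMOTE),
    (("CB2",), "VLAN_0204", "192.168.201.12/30", 204, REMOTE),
    (("CB1",), "VLAN_0105", "192.168.101.16/30", 105, REMOTE),
    (("CB2",), "VLAN_0205", "192.168.201.16/30", 205, REMOTE),
    (CB, "VLAN_0060", "192.168.60.0/24", 60, "Local Site Connectivity"),
    (ALL, "VLAN_0059", "192.168.59.0/24", 59, "Local Site Connectivity"),
    (("CB1",), "VLAN_0070", "192.168.70.0/30", 70, "Bridged at Controller"),
    (("CB2",), "VLAN_0070", "192.168.70.5/30", 70, "Bridged at Controller"),
    (CB, "vpexmlag", "169.254.0.0/16", 4089, "ISC"),
    (ALL, "VLAN_1600", "172.16.0.0/24", 1600, ACCESS),
    (ALL, "VLAN_1900", "172.19.128.0/27", 1900, ACCESS),
    (ALL, "VLAN_1901", "172.19.0.0/19", 1901, ACCESS),
    (ALL, "VLAN_2200", "172.21.0.0/22", 2200, ACCESS),
    (ALL, "VLAN_1700", "172.17.0.0/22", 1700, ACCESS),
    (ALL, "VLAN_1800", "172.18.0.0/19", 1800, ACCESS),
]

# Prefix lengths each purpose is expected to use: loopbacks are host routes,
# point-to-point links are /30 (or /31).
EXPECTED_PREFIXLEN = {"Management": (32,), REMOTE: (30, 31), "Bridged at Controller": (30, 31)}


def expand(plan):
    """Yield one (device, vlan, network, tag, purpose) row per device in the plan."""
    for devices, vlan, prefix, tag, purpose in plan:
        # ip_interface tolerates host bits: 192.168.70.5/30 is a host in 192.168.70.4/30
        net = ip_interface(prefix).network
        for dev in devices:
            yield dev, vlan, net, tag, purpose


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings = []
    rows = list(expand(plan))
    for dev, vlan, net, tag, purpose in rows:
        want = EXPECTED_PREFIXLEN.get(purpose)
        if want and net.prefixlen not in want:
            findings.append(f"{dev} {vlan}: {purpose} expects prefix length {want}, got /{net.prefixlen}")
    for a, b in combinations(rows, 2):
        if a[0] != b[0] or a[1] == b[1]:
            continue  # tags and subnets only have to be unique within one device
        if a[3] == b[3]:
            findings.append(f"{a[0]}: tag {a[3]} is used by both {a[1]} and {b[1]}")
        if a[2].overlaps(b[2]):
            findings.append(f"{a[0]}: {a[1]} {a[2]} overlaps {b[1]} {b[2]}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["addressing plan is consistent"]:
        print(finding)
```

Run as-is the plan above passes; adding a row that reuses a tag or overlaps an existing subnet on the same device produces a finding naming both VLANs, which is the kind of mistake that otherwise surfaces only as a rejected command or a routing loop after deployment.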
District Office/School 1 – Configuration
1. VPEX Full Automation determines if switches are CB capable and BPEs are connected. If the conditions
are met, VPEX functionality is enabled and the CBs are rebooted.
2. VPEX Full Automation configures a LAG between CB1 and CB2.
3. VPEX Full Automation creates and configures an ISC VLAN, adds the LACP port, and configures the IP
interface.
4. VPEX Full Automation creates and configures an MLAG ISC, and configures the CBs as peers.
5. VPEX Full Automation enables VPEX Partial Automation.
6. VPEX Partial Automation configures a slot number for each attached BPE, configures the BPE module
type, configures CB ports attached to BPEs as VPEX ports, and enables MLAG ports with appropriate port
IDs.
[Figure: Bridge Port Extenders dual-homed through MLAGs to the redundant Controlling Bridges
(Controlling Bridge 1 and Controlling Bridge 2), with automation steps 1 to 6 called out.]
Extended Edge with MLAG Configuration
To take advantage of VPEX Full Automation, the following cabling requirements should be met:
• To create the MLAG ISC, CB1 and CB2 should be cabled together.
• To enable VPEX mode, the CBs should be cabled to at least one BPE.
Once cabled properly, power on CB1, CB2, BPE1, and BPE2. After the switches finish running VPEX Full
Automation and VPEX Partial Automation, verify that the CBs have been properly configured and are
functioning.
Note
To better control slot numbering, the user may decide to power on the BPEs one at a time. If all BPEs are
turned on at the same time, there is no mechanism to guarantee slot order: slot order is determined by which
BPE's LLDP message is received first by the CBs.
VPEX Full Automation and VPEX Partial Automation can take eight minutes or longer to complete. Please
be patient.
1. Verify VPEX support has been enabled by VPEX Full Automation.
Controlling Bridge 1 and 2
Slot-1 VPEX X690-48x-2q-4c.38 # show vpex
Virtual Port Extender: Enabled
Auto-Configuration:    Disabled
Cascade
Port    Slot
=============
-
Verify VPEX is enabled:
• The prompt changes, indicating VPEX is enabled.
• Virtual Port Extender indicates Enabled.
2. Verify VPEX Full Automation has created and configured a LAG between CB1 and CB2, and that LAGs
have been configured between the CBs and BPEs.
Controlling Bridge 1 and 2
enable sharing 1:49 grouping 1:49,1:53 algorithm address-based custom lacp
enable sharing 1:47 grouping 1:47 algorithm address-based custom lacp
enable sharing 1:48 grouping 1:48 algorithm address-based custom lacp
Controlling Bridge 1 and 2
Slot-1 VPEX X690-48x-2q-4c.40 # show sharing
Load Sharing Monitor
Config    Current Agg     Min    Ld Share  Dist  Ld Share  Agg  Link   Link Up
Master    Master  Control Active Algorithm Flags Group     Mbr  State  Transitions
================================================================================
  1:47      1:47  LACP     1     custom    A       1:47    Y    A      1
  1:48      1:48  LACP     1     custom    A       1:48    Y    A      2
  1:49      1:49  LACP     1     custom    A       1:49    Y    A      2
                                 custom            1:53    Y    A      2
================================================================================
…
Verify the LACP configuration:
• Verify Agg Mbr = Y
• Verify Link State = A
3. Verify VPEX Full Automation has created and configured an ISC VLAN, added the CB-to-CB LACP
port, and configured the IP interfaces.
Controlling Bridge 1
create vlan "vpexmlag"
configure vlan vpexmlag tag 4089
configure vlan vpexmlag add ports 1:49 tagged
configure vlan vpexmlag ipaddress 169.254.0.1 255.255.0.0
Controlling Bridge 2
create vlan "vpexmlag"
configure vlan vpexmlag tag 4089
configure vlan vpexmlag add ports 1:49 tagged
configure vlan vpexmlag ipaddress 169.254.0.2 255.255.0.0
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.42 # show vlan vpexmlag
VLAN Interface with name vpexmlag created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 4089
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          169.254.0.1/16
    …
    Ports:   1.           (Number of active ports=1)
        Tag:     *1:49g
    …
Slot-1 VPEX X590-24x-1q-2c.7 # show vlan
Untagged ports auto-move: Inform
---------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                          Proto  Ports  Virtual
                                                                               Active router
                                                                               /Total
---------------------------------------------------------------------------------
vpexmlag        4089 169.254.0.1    /16  ------I---------------------  ANY    1 /1
Verify that VPEX Full Automation configured the VLAN:
• VLAN named vpexmlag created.
• IP address configured for the VLAN.
• LAG port added to the VLAN.
• I flag confirms the ISC VLAN.
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.60 # show vlan vpexmlag
VLAN Interface with name vpexmlag created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 4089
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          169.254.0.2/16
    …
    Ports:   1.           (Number of active ports=1)
        Tag:     *1:49g
    …
Slot-1 VPEX X590-24x-1q-2c.7 # show vlan
Untagged ports auto-move: Inform
---------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                          Proto  Ports  Virtual
                                                                               Active router
                                                                               /Total
---------------------------------------------------------------------------------
vpexmlag        4089 169.254.0.2    /16  ------I---------------------  ANY    1 /1
4. Verify VPEX Full Automation has properly created and configured an MLAG, which includes
configuring the CBs as peers, adding the CB-to-BPE LAGs as MLAG ports, and assigning
appropriate MLAG IDs.
Controlling Bridge 1
create mlag peer "vpexmlag"
configure mlag peer "vpexmlag" ipaddress 169.254.0.2 vr VR-Default
enable mlag port 1:47 peer "vpexmlag" id 5100
enable mlag port 1:48 peer "vpexmlag" id 5101
Controlling Bridge 2
create mlag peer "vpexmlag"
configure mlag peer "vpexmlag" ipaddress 169.254.0.1 vr VR-Default
enable mlag port 1:47 peer "vpexmlag" id 5100
enable mlag port 1:48 peer "vpexmlag" id 5101
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.46 # show mlag peer
Multi-switch Link Aggregation Peers:

MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.1           Peer IP Address   : 169.254.0.2
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 8346                  Tx-Hellos         : 8355
Rx-Checkpoint Msgs: 1070                  Tx-Checkpoint Msgs: 3320
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:2h:16m:16s         Peer Conn.Failures: 0
Local MAC         : 00:04:96:a4:e8:3e     Peer MAC          : 00:04:96:a5:05:26
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a5:05:26
Authentication    : None
Alternate path information: None
Verify the MLAG peer:
1. Peer name and peer IP address are configured.
2. Local IP address is configured.
3. Peer IP address is known.
4. Checkpoint Status is Up.
5. Hello and Checkpoint messages are incrementing.
6. Error counters are not incrementing, but might be present.
Slot-1 VPEX X690-48x-2q-4c.45 # show mlag ports
Local   Local   Local   Remote  MLAG      Peer     Local   Remote
MLAG    Port    Link    Link    Peer      Status   Fail    Fail
Id              State                              Count   Count
================================================================================
5100    1:47    A       Up      vpexmlag  Up       0       0
5101    1:48    A       Up      vpexmlag  Up       0       0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG port

Number of Multi-switch Link Aggregation Groups : 2
Convergence control                            : Conserve Access Lists
Reload Delay Interval                          : 30 seconds
Reload Delay                                   : Disabled
Link Up Isolation                              : Off
Verify the MLAG ports:
1. Local Link State is Active for this MLAG port.
2. Remote Link is Up.
3. Peer Status is Up.
4. Local and Remote Fail Counts are not incrementing.
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.62 # show mlag peer
Multi-switch Link Aggregation Peers:

MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.2           Peer IP Address   : 169.254.0.1
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 8506                  Tx-Hellos         : 8508
Rx-Checkpoint Msgs: 3336                  Tx-Checkpoint Msgs: 1085
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:2h:18m:54s         Peer Conn.Failures: 0
Local MAC         : 00:04:96:a5:05:26     Peer MAC          : 00:04:96:a4:e8:3e
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a5:05:26
Authentication    : None
Alternate path information: None
Slot-1 VPEX X690-48x-2q-4c.63 # show mlag ports
Local   Local   Local   Remote  MLAG      Peer     Local   Remote
MLAG    Port    Link    Link    Peer      Status   Fail    Fail
Id              State                              Count   Count
================================================================================
5100    1:47    A       Up      vpexmlag  Up       0       0
5101    1:48    A       Up      vpexmlag  Up       0       0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG port

Number of Multi-switch Link Aggregation Groups : 2
Convergence control                            : Conserve Access Lists
Reload Delay Interval                          : 30 seconds
Reload Delay                                   : Disabled
Link Up Isolation                              : Off
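The check list beside the `show mlag peer` output above includes two points that cannot be judged from a single capture: hello and checkpoint counters must be incrementing, and error counters must not be. The following Python is an added example, not part of the validated design or of ExtremeXOS, that parses the two-column `show mlag peer` layout and the `show mlag ports` table into dictionaries and applies all the verification points to two snapshots taken a few seconds apart. The snapshot text is constructed in the layout of the Controlling Bridge 1 output above, with the values shown there; the field names are taken from that output, and the second snapshot is derived from the first rather than captured.

```python
import re

# Constructed sample in the layout of the Controlling Bridge 1 output above
# (the values are the ones shown there).
PEER_SNAPSHOT = """\
Multi-switch Link Aggregation Peers:

MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.1           Peer IP Address   : 169.254.0.2
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 8346                  Tx-Hellos         : 8355
Rx-Checkpoint Msgs: 1070                  Tx-Checkpoint Msgs: 3320
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:2h:16m:16s         Peer Conn.Failures: 0
Local MAC         : 00:04:96:a4:e8:3e     Peer MAC          : 00:04:96:a5:05:26
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a5:05:26
Authentication    : None
"""

PORTS_SNAPSHOT = """\
Local   Local   Local   Remote  MLAG      Peer     Local   Remote
MLAG    Port    Link    Link    Peer      Status   Fail    Fail
Id              State                              Count   Count
================================================================================
5100    1:47    A       Up      vpexmlag  Up       0       0
5101    1:48    A       Up      vpexmlag  Up       0       0
================================================================================
"""

# One "Label : value" pair; the next pair on the same line starts after two or more spaces.
FIELD = re.compile(r"([A-Za-z][A-Za-z' .-]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z' .-]*?\s*:|\s*$)")
PORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

MUST_INCREMENT = ("Rx-Hellos", "Tx-Hellos")
MUST_NOT_INCREMENT = ("Rx-Hello Errors", "Tx-Hello Errors", "Hello Timeouts",
                      "Checkpoint Errors", "Peer Conn.Failures")


def parse_peer(text):
    """Flatten the two-column key/value layout of `show mlag peer` into one dict."""
    fields = {}
    for line in text.splitlines():
        for m in FIELD.finditer(line):
            fields[m.group(1)] = m.group(2)
    return fields


def parse_ports(text):
    """Return one dict per data row of `show mlag ports`; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            mid, port, lstate, rlink, peer, pstatus, lfail, rfail = m.groups()
            rows.append({"id": int(mid), "port": port, "local_state": lstate,
                         "remote_link": rlink, "peer": peer, "peer_status": pstatus,
                         "local_fail": int(lfail), "remote_fail": int(rfail)})
    return rows


def check_mlag(peer_before, peer_after, ports_before, ports_after):
    """Apply the verification points from the design guide to two snapshots
    taken a few seconds apart. Returns a list of problems (empty = healthy)."""
    problems = []
    if peer_after.get("Checkpoint Status") != "Up":
        problems.append("Checkpoint Status is not Up")
    if peer_after.get("Peer IP Address") in (None, "", "None"):
        problems.append("peer IP address is not known")
    for key in MUST_INCREMENT:
        if int(peer_after[key]) <= int(peer_before[key]):
            problems.append(f"{key} did not increment between snapshots")
    for key in MUST_NOT_INCREMENT:
        if int(peer_after[key]) > int(peer_before[key]):
            problems.append(f"{key} incremented: {peer_before[key]} -> {peer_after[key]}")
    before = {r["id"]: r for r in ports_before}
    for r in ports_after:
        if (r["local_state"], r["remote_link"], r["peer_status"]) != ("A", "Up", "Up"):
            problems.append(f"MLAG {r['id']} on {r['port']} is not fully up")
        prev = before.get(r["id"])
        if prev and (r["local_fail"] > prev["local_fail"] or r["remote_fail"] > prev["remote_fail"]):
            problems.append(f"MLAG {r['id']} fail count incremented")
    return problems


if __name__ == "__main__":
    first = parse_peer(PEER_SNAPSHOT)
    # A later snapshot would normally be a second CLI capture; here it is derived
    # from the first with the hello counters advanced (constructed).
    later = dict(first, **{"Rx-Hellos": "8400", "Tx-Hellos": "8410"})
    ports = parse_ports(PORTS_SNAPSHOT)
    print(check_mlag(first, later, ports, ports) or "MLAG peer healthy")
```

Comparing snapshots is what distinguishes a historical error count (acceptable per point 6 above) from an ongoing problem; a monitoring job would capture both outputs on each controlling bridge, keep the previous capture, and alert only on deltas.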
5. Verify VPEX Full Automation has enabled VPEX Partial Automation.
Controlling Bridge 1 and 2
enable vpex auto-configuration
Controlling Bridge 1 and 2
Slot-1 VPEX X690-48x-2q-4c.50 # show vpex
Virtual Port Extender: Enabled
Auto-Configuration:    Enabled
Cascade
Port    Slot
=============
-
Verify Auto-Configuration is enabled:
• The Auto-Configuration indicator shows Enabled.
6. Verify that VPEX Partial Automation properly configures VPEX slots.
Controlling Bridge 1
configure slot 100 module V400-24p-10GE2
configure sys-recovery-level slot 100 reset
configure slot 101 module V400-24t-10GE2
configure sys-recovery-level slot 101 reset
configure vpex port 1:47 slot 100
configure vpex port 1:48 slot 101
Controlling Bridge 2
configure slot 100 module V400-24p-10GE2
configure sys-recovery-level slot 100 reset
configure slot 101 module V400-24t-10GE2
configure sys-recovery-level slot 101 reset
configure vpex port 1:47 slot 100
configure vpex port 1:48 slot 101
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.52 # show vpex bpe
PE    Casc
Slot  Port  Model           MAC Address        Description
=================================================================================================================
100   1:47  V400-24p-10GE2  d8:84:66:f2:af:f6  none
101   1:48  V400-24t-10GE2  d8:84:66:f2:e9:52  none
Slot-1 VPEX X690-48x-2q-4c.53 # show vpex ports
Port  Cascade  Ext Port  Link   PE CSP  PE                 CSP Open           CSP Role
#     Port     Slot      State  State   MAC Address        MAC Address        Loc  Rem  Flags
===========================================================================================
1:47  1:47     100       E      A       d8:84:66:f2:b0:0f  d8:84:66:f2:af:f6  1    1
1:48  1:48     101       E      A       d8:84:66:f2:e9:6b  d8:84:66:f2:e9:52  1    1
===========================================================================================
…
Verify the following:
1. Module type is configured.
2. Port State is Enabled.
3. Link State is Active.
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.70 # show vpex bpe
PE    Casc
Slot  Port  Model           MAC Address        Description
=================================================================================================================
100   1:47  V400-24p-10GE2  d8:84:66:f2:af:f6  none
101   1:48  V400-24t-10GE2  d8:84:66:f2:e9:52  none
Slot-1 VPEX X690-48x-2q-4c.71 # show vpex ports
Port  Cascade  Ext Port  Link   PE CSP  PE                 CSP Open           CSP Role
#     Port     Slot      State  State   MAC Address        MAC Address        Loc  Rem  Flags
===========================================================================================
1:47  1:47     100       E      A       d8:84:66:f2:b0:0f  d8:84:66:f2:af:f6  1    1
1:48  1:48     101       E      A       d8:84:66:f2:e9:6b  d8:84:66:f2:e9:52  1    1
===========================================================================================
…
Verify that the MAC addresses for the BPEs match on both CBs.
7. Manually delete all ports from the default VLAN, disable MSTP, and free up ACL resources.
8. Manually configure a loopback interface for routing and device management.
9. Manually configure a base OSPF configuration.
10. Manually configure a VLAN for local site connectivity.
11. Manually configure a VLAN for SmartOmniEdge Appliances.
12. Manually configure VRRP for the local site connectivity and SmartOmniEdge appliance VLANs.
13. Manually configure OSPF for the local site connectivity and SmartOmniEdge appliance VLANs.
[Figure: Bridge Port Extenders dual-homed through MLAGs to the redundant Controlling Bridges
(Controlling Bridge 1 and Controlling Bridge 2), with manual configuration steps 7 to 13 called out.]
7. Remove ports from the Default VLAN, disable MSTP, and free up ACL resources.
The default VLAN will not be needed for this EVD, so all ports will be removed from the VLAN. Because of
this, MSTP instance s0 will also be disabled.
Controlling Bridge 1 and 2
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-36,100:1-52,101:1-26
configure vr VR-Default add ports 1:1-36,100:1-52,101:1-26
configure vlan default delete ports 1:1-36,100:1-52,101:1-26
disable stpd s0
configure policy resource-profile default profile-modifier no-mac enable no-ipv6 enable
Controlling Bridge 1 and 2
Slot-1 VPEX X690-48x-2q-4c.8 # show stpd s0
Stpd: s0                Stp: DISABLED           Number of Ports: 0
Rapid Root Failover: Disabled
Operational Mode: MSTP                          Default Binding Mode: 802.1D
MSTI Instance: CIST
802.1Q Tag: (none)
Ports: (none)
Participating Vlans: (none)
Auto-bind Vlans: Default
…
Verify the following STP variables for s0:
• STP is disabled.
• No ports are participating in STP.
• No VLANs are participating in STP.
8. Configure Loopback VLAN and Interface
The internal loopback interface serves as the primary interface for in-band management in this
topology. It also serves as the interface between the Extreme Networks appliances and the devices.
Configuring a system loopback interface involves creating a VLAN with a tag and enabling it for the
following IP services: loopback mode and IP forwarding. The loopback interface is configured with a
/32 subnet mask.
Controlling Bridge 1
create vlan "lo0"
configure vlan lo0 tag 1001
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.1 255.255.255.255
enable ipforwarding vlan lo0
Controlling Bridge 2
create vlan "lo0"
configure vlan lo0 tag 1001
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.2 255.255.255.255
enable ipforwarding vlan lo0
9. Configure OSPF Base Configuration
With the creation of the loopback interface, now is an appropriate time to create the base configuration for
OSPF routing. OSPF will redistribute any directly connected interfaces and static routes into the routing
table. This will be more critical later when remote schools are attached to the topology.
The loopback interface created in the previous step is configured as the OSPF router ID, and the loopback
interface is added to area 0.0.0.0.
Controlling Bridge 1
configure ospf routerid 192.168.200.1
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
Controlling Bridge 2
configure ospf routerid 192.168.200.2
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
10. Configure VLAN and Interface for Local Site Connectivity on the controlling bridges.
Configure two VLANs for local site connectivity on the controlling bridges. These VLANs are used to
redistribute directly connected and static routes into OSPF. They are also used by APs for connectivity
to the wireless controllers.
Configure local-site VLANs VLAN_0060 and VLAN_0059 with:
1. VLAN description
2. VLAN tag
3. LACP trunk port added to the VLAN
4. IP address configured
5. IP forwarding enabled for unicast routing
6. BOOTP relay enabled for DHCP
7. IP route sharing (ECMP)
Controlling Bridge 1
create vlan "VLAN_0060"
configure vlan VLAN_0060 description "VPEX DO/SC1 Local Site Connectivity"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 add ports 1:49 tagged
configure vlan VLAN_0060 ipaddress 192.168.60.2 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
create vlan "VLAN_0059"
configure vlan VLAN_0059 description "Stack DO/SC1 Local Site Connectivity"
configure vlan VLAN_0059 tag 59
configure vlan VLAN_0059 add ports 1:49 tagged
configure vlan VLAN_0059 ipaddress 192.168.59.2 255.255.255.0
enable ipforwarding vlan VLAN_0059
enable bootprelay ipv4 vlan VLAN_0059
Controlling Bridge 2
create vlan "VLAN_0060"
configure vlan VLAN_0060 description "VPEX DO/SC1 Local Site Connectivity"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 add ports 1:49 tagged
configure vlan VLAN_0060 ipaddress 192.168.60.3 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
create vlan "VLAN_0059"
configure vlan VLAN_0059 description "Stack DO/SC1 Local Site Connectivity"
configure vlan VLAN_0059 tag 59
configure vlan VLAN_0059 add ports 1:49 tagged
configure vlan VLAN_0059 ipaddress 192.168.59.3 255.255.255.0
enable ipforwarding vlan VLAN_0059
enable bootprelay ipv4 vlan VLAN_0059
At the prompt, issue show vlan VLAN_0060 and show vlan VLAN_0059 (output truncated) and verify the
following items:
1. VLAN name, state and tag
2. VLAN description
3. LACP trunk port added to the VLAN
4. IP address configured
5. IP forwarding enabled for unicast routing
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.39 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         VPEX DO/SC1 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.60.2/24
    …
    Ports:   1.           (Number of active ports=1)
        Tag:     *1:49g
    …
Slot-1 VPEX X690-48x-2q-4c.99 # show vlan VLAN_0059
VLAN Interface with name VLAN_0059 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 59
    Description:         Stack DO/SC1 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.59.2/24
    …
    Ports:   1.           (Number of active ports=2)
        Tag:     *1:49g
    …
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.36 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         VPEX DO/SC1 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.60.3/24
    …
    Ports:   1.           (Number of active ports=1)
        Tag:     *1:49g
    …
Slot-1 VPEX X690-48x-2q-4c.69 # show vlan VLAN_0059
VLAN Interface with name VLAN_0059 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 59
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.59.3/24
    …
    Ports:   1.           (Number of active ports=2)
        Tag:     *1:49g
    …
11. Configure VLAN and Interface for SmartOmniEdge Appliances on the controlling bridges.
Configure the VLAN for the SmartOmniEdge appliances on the controlling bridges. The appliance ports are
added to this VLAN untagged, and the LACP trunk port tagged.
Configure the appliance VLAN VLAN_0109 with:
1. VLAN description
2. VLAN tag
3. LACP trunk port added to the VLAN
4. SmartOmniEdge appliance ports added to the VLAN untagged
5. IP address configured
6. IP forwarding enabled for unicast routing
7. BOOTP relay enabled for DHCP
Controlling Bridge 1
create vlan "VLAN_0109"
configure vlan VLAN_0109 description "SmartOmniEdge Appliances"
configure vlan VLAN_0109 tag 109
configure vlan VLAN_0109 add ports 1:49 tagged
configure vlan VLAN_0109 add ports 1:9,1:11,1:13,1:15,1:17,1:19 untagged
configure vlan VLAN_0109 ipaddress 192.168.109.2 255.255.255.0
enable ipforwarding vlan VLAN_0109
enable bootprelay ipv4 vlan VLAN_0109
Controlling Bridge 2
create vlan "VLAN_0109"
configure vlan VLAN_0109 description "SmartOmniEdge Appliances"
configure vlan VLAN_0109 tag 109
configure vlan VLAN_0109 add ports 1:49 tagged
configure vlan VLAN_0109 add ports 1:9,1:11,1:13,1:15,1:17,1:19 untagged
configure vlan VLAN_0109 ipaddress 192.168.109.3 255.255.255.0
enable ipforwarding vlan VLAN_0109
enable bootprelay ipv4 vlan VLAN_0109
At the prompt, issue show vlan VLAN_0109 (output truncated) and verify the following items:
1. VLAN name, state and tag
2. VLAN description
3. LACP trunk port added to the VLAN
4. SmartOmniEdge appliance ports added to the VLAN
5. IP address configured
6. IP forwarding enabled for unicast routing
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.39 # show vlan VLAN_0109
VLAN Interface with name VLAN_0109 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 109
    Description:         SmartOmniEdgeAppliances
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.109.2/24
    …
    Ports:   7.           (Number of active ports=1)
        Untag:   *1:9, *1:11, *1:13, *1:15, *1:17, *1:19
        Tag:     *1:49g
    …
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.39 # show vlan VLAN_0109
VLAN Interface with name VLAN_0109 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 109
    Description:         SmartOmniEdgeAppliances
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.109.3/24
    …
    Ports:   7.           (Number of active ports=1)
        Untag:   *1:9, *1:11, *1:13, *1:15, *1:17, *1:19
        Tag:     *1:49g
    …
12. Configure VRRP on Local Site Connectivity and SmartOmniEdge VLANs on the controlling
bridges.
Configure VRRP for these VLANs to provide the ExtremeWireless IdentiFi APs a common gateway to
reach the ExtremeWireless Controllers.
The VRRP instance ID (vrid) for VLAN_0060 is 60. A priority is configured on one bridge to make master
election more reliable. Fabric-routing is enabled so that packets don't have to be routed through the VRRP
master if a more direct route exists on the receiving interface. The address added to each instance is the
VRRP virtual IP address.
Controlling Bridge 1
create vrrp vlan VLAN_0060 vrid 60
configure vrrp vlan VLAN_0060 vrid 60 priority 254
configure vrrp vlan VLAN_0060 vrid 60 fabric-routing on
configure vrrp vlan VLAN_0060 vrid 60 add 192.168.60.1
enable vrrp vlan VLAN_0060 vrid 60
create vrrp vlan VLAN_0059 vrid 59
configure vrrp vlan VLAN_0059 vrid 59 fabric-routing on
configure vrrp vlan VLAN_0059 vrid 59 add 192.168.59.1
enable vrrp vlan VLAN_0059 vrid 59
create vrrp vlan VLAN_0109 vrid 1
configure vrrp vlan VLAN_0109 vrid 1 priority 254
configure vrrp vlan VLAN_0109 vrid 1 fabric-routing on
configure vrrp vlan VLAN_0109 vrid 1 add 192.168.109.1
enable vrrp vlan VLAN_0109 vrid 1
Controlling Bridge 2
create vrrp vlan VLAN_0060 vrid 60
configure vrrp vlan VLAN_0060 vrid 60 fabric-routing on
configure vrrp vlan VLAN_0060 vrid 60 add 192.168.60.1
enable vrrp vlan VLAN_0060 vrid 60
create vrrp vlan VLAN_0059 vrid 59
configure vrrp vlan VLAN_0059 vrid 59 priority 254
configure vrrp vlan VLAN_0059 vrid 59 fabric-routing on
configure vrrp vlan VLAN_0059 vrid 59 add 192.168.59.1
enable vrrp vlan VLAN_0059 vrid 59
create vrrp vlan VLAN_0109 vrid 1
configure vrrp vlan VLAN_0109 vrid 1 fabric-routing on
configure vrrp vlan VLAN_0109 vrid 1 add 192.168.109.1
enable vrrp vlan VLAN_0109 vrid 1
At the prompt, issue show vrrp and verify the VLAN_0059, VLAN_0060, and VLAN_0109
configuration.
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.46 # show vrrp
                                      Virtual        Master
VLAN Name   VRID Pri IP Address       State  MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_01(En) 0001 254 192.168.109.1    MSTR   00:00:5e:00:01:01 0  0  0  Y 1  Y  N N
VLAN_00(En) 0060 254 192.168.60.1     MSTR   00:00:5e:00:01:3c 0  0  0  Y 1  Y  N N
VLAN_00(En) 0059 100 192.168.59.1     BKUP   00:00:5e:00:01:3b 0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
…
The FR value must be Y on both the VRRP master and the backup.
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.41 # show vrrp
                                      Virtual        Master
VLAN Name   VRID Pri IP Address       State  MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_01(En) 0001 100 192.168.109.1    BKUP   00:00:5e:00:01:01 0  0  0  Y 1  Y  N N
VLAN_00(En) 0060 100 192.168.60.1     BKUP   00:00:5e:00:01:3c 0  0  0  Y 1  Y  N N
VLAN_00(En) 0059 254 192.168.59.1     MSTR   00:00:5e:00:01:3b 0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
…
The switch with the highest priority has the MSTR state and the other one BKUP.
13. Configure OSPF Local Site Connectivity and SmartOmniEdge Appliance VLANs
The Local Site connectivity VLANs (VLAN_0059, VLAN_0060, and VLAN_0109) serve as the main routing aggregation point for all the user access VLANs, so it is very important that OSPF is enabled on these interfaces.
The connectivity VLANs are added to area 0.0.0.0. MD5 authentication is enabled to provide added security between OSPF adjacencies: the key ID (60, 59, or 109 here) and the key must be identical on both Controlling Bridges, because packets whose key ID or digest does not match are dropped. MD5 authentication protects the origin and integrity of OSPF packets; it does not encrypt them. The "#$..." strings are the encrypted form in which the switch stores and displays a key, not the key itself (the same key ID 60 is shown as a different string on each Controlling Bridge); when entering a key by hand, omit the encrypted keyword and supply the plaintext key (configure ospf vlan VLAN_0060 authentication md5 60 <key>). The key strings for VLAN_0059 were not captured in the configuration below.
Controlling Bridge 1
configure ospf add vlan VLAN_0060 area 0.0.0.0
configure ospf vlan VLAN_0060 authentication encrypted md5 60 "#$9PzYK114lHuHzjGF1Dvl3GEu5uSEUA=="
configure ospf add vlan VLAN_0059 area 0.0.0.0
configure ospf vlan VLAN_0059 authentication encrypted md5 59
configure ospf add vlan VLAN_0109 area 0.0.0.0
configure ospf vlan VLAN_0109 authentication encrypted md5 109 "#$R0wiC0z7m+x9uimpk+s9Wze72v0JAg=="
Controlling Bridge 2
configure ospf add vlan VLAN_0060 area 0.0.0.0
configure ospf vlan VLAN_0060 authentication encrypted md5 60 "#$UUFVAm9buaJUoNv0+9+SKU+c3RlK1A=="
configure ospf add vlan VLAN_0059 area 0.0.0.0
configure ospf vlan VLAN_0059 authentication encrypted md5 59
configure ospf add vlan VLAN_0109 area 0.0.0.0
configure ospf vlan VLAN_0109 authentication encrypted md5 109 "#$lGsOEPnc72kkt/Xg8hKXwX0GAQQwrw=="
At the prompt, issue show ospf neighbor (output truncated).
Verify that the routers see each other and that the adjacency state is FULL; the neighbor's OSPF router state should be DR or BDR. show ospf neighbor does not display the authentication type, but a key or key ID mismatch means the neighbor never appears or never reaches FULL. The authentication type configured on each interface is shown by show ospf interfaces detail.
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.53 # show ospf neighbor
Neighbor ID    Pri State    Up/Dead Time             Address        Interface  BFD Session State
==========================================================================================
192.168.200.2  1   FULL/DR  00:00:01:40/00:00:00:00  192.168.59.3   VLAN_0059  None
192.168.200.2  1   FULL/DR  00:00:01:52/00:00:00:02  192.168.60.3   VLAN_0060  None
192.168.200.2  1   FULL/DR  00:03:46:48/00:00:00:08  192.168.109.3  VLAN_0109  None
…
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.48 # show ospf neighbor
Neighbor ID    Pri State     Up/Dead Time             Address        Interface  BFD Session State
==========================================================================================
192.168.200.1  1   FULL/BDR  00:00:01:46/00:00:00:01  192.168.59.2   VLAN_0059  None
192.168.200.1  1   FULL/BDR  00:00:01:58/00:00:00:02  192.168.60.2   VLAN_0060  None
192.168.200.1  1   FULL/BDR  00:03:47:43/00:00:00:03  192.168.109.2  VLAN_0109  None
…
ExtremeXOS Stacking Edge Configuration
This document does not describe the procedure for creating an ExtremeXOS stack. That information can be found in the existing GTAC Knowledgebase article How to Create a Stack with ExtremeSwitching.
Once the stack is configured, connecting it to the Controlling Bridges is physically similar to connecting the virtual port extenders, but quite different operationally. In this case there is no CB/BPE relationship, so every configuration step must be executed on both the stack and the CBs.
Figure: ExtremeXOS stack and Bridge Port Extenders attached through MLAGs to the redundant Controlling Bridges (Controlling Bridge 1 and Controlling Bridge 2). The steps called out in the figure:
1. Enable LACP on the CB and stack ports.
2. On the CBs, add the LACP port to the Local Site VLAN.
3. On the CBs, add the LACP ports to the MLAG configuration.
4. On the stack, remove all ports from the default VLAN.
5. On the stack, disable policy for IPv6 and MAC.
6. Disable spanning tree.
1. Connecting the ExtremeSwitching Stack to the CBs with MLAG
The stack will use the previously configured MLAG ISC. There is no need to create a new one.
Unlike the Extended Edge solution, LACP will need to be enabled on the ExtremeSwitching Stack. A LAG
will not form between the CBs and the ExtremeSwitching stack automatically. The last step is to configure
a new MLAG peer ID when connecting as an MLAG.
When complete, the configuration should look similar to the one below:
Controlling Bridge 1
On each CB, configure the uplink to the stack with LACP, then enable MLAG on the LACP port and assign a unique ID.
enable sharing 1:45 grouping 1:45 algorithm address-based L2 lacp
enable mlag port 1:45 peer "vpexmlag" id 1965
Controlling Bridge 2
enable sharing 1:45 grouping 1:45 algorithm address-based L2 lacp
enable mlag port 1:45 peer "vpexmlag" id 1965
ExtremeSwitching Stack
Create a two-port LACP LAG with one physical link going to each X690 switch.
enable sharing 1:51 grouping 1:51,2:51 algorithm address-based L2 lacp
At the prompt, issue show sharing and verify. On both X690 switches, verify that the ports are LACP members and that the Link State is active.
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.26 # show sharing
Load Sharing Monitor
Config   Current  Agg      Min     Ld Share   Dist   Ld Share  Agg  Link   Link Up
Master   Master   Control  Active  Algorithm  Flags  Group     Mbr  State  Transitions
================================================================================
1:45     1:45     LACP     1       L2         A      1:45      Y    A      0
================================================================================
…
Note
During these manual configuration steps, the user can choose to utilize mlag orchestration mode. This
mode can be helpful to configure the exact same commands on both CBs. However, do not use this feature
for configurations which need to be unique on CBs such as IP addresses, VRRP configurations, and OSPF
configurations. To enable this mode, refer to mlag orchestration mode operation on Page 16.
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.18 # show sharing
Load Sharing Monitor
Config   Current  Agg      Min     Ld Share   Dist   Ld Share  Agg  Link   Link Up
Master   Master   Control  Active  Algorithm  Flags  Group     Mbr  State  Transitions
================================================================================
1:45     1:45     LACP     1       L2         A      1:45      Y    A      0
================================================================================
On the ExtremeSwitching stack, verify a single LACP LAG whose members each go to a separate X690 switch, and that the Link State is active.
ExtremeSwitching Stack
Slot-1 Stack.5 # show sharing
Load Sharing Monitor
Config   Current  Agg      Min     Ld Share   Dist   Ld Share  Agg  Link   Link Up
Master   Master   Control  Active  Algorithm  Flags  Group     Mbr  State  Transitions
================================================================================
1:51     1:51     LACP     1       L2         A      1:51      Y    A      1
                                   L2                2:51      Y    A      1
================================================================================
2. Remove ports from the default VLAN, disable MSTP, and free up ACL resources.
The default VLAN is not needed for this EVD, so all ports are removed from it. Because the MSTP instance s0 auto-binds the default VLAN, s0 is also disabled. The policy resource-profile command disables policy support for MAC and IPv6 rules, which frees the ACL resources those rule types would otherwise reserve.
ExtremeSwitching Stack
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-52,2:1-52,3:1-52,4:1-52
configure vr VR-Default add ports 1:1-52,2:1-52,3:1-52,4:1-52
configure vlan default delete ports 1:1-52,2:1-52,3:1-52,4:1-52
disable stpd s0
configure policy resource-profile default profile-modifier no-mac enable no-ipv6 enable
Verify the following STP variables for s0: STP is disabled, no ports participate in STP, and no VLANs participate in STP.
ExtremeSwitching Stack
Slot-1 Stack.51 # show stpd s0
Stpd: s0
Stp: DISABLED
Rapid Root Failover: Disabled
Operational Mode: MSTP
MSTI Instance: CIST
802.1Q Tag: (none)
Ports: (none)
Participating Vlans: (none)
Auto-bind Vlans: Default
Number of Ports: 0
Default Binding Mode: 802.1D
…
Wired User Access
All access VLANs offer redundancy through configured VRRP gateways. All user credentials are authenticated against ExtremeControl and RADIUS. The following VLAN types are available at the District Office/School 1:
The Guest_Wired VLAN gives guest users access at the District Office/School 1. This VLAN is configured at all schools. This access layer VLAN is typically the most restrictive of all VLANs.
The Admin VLAN provides access layer connectivity to network administrators. These users are assigned an Admin role by Extreme Policy Manager and ExtremeControl. This access layer VLAN is typically the least restrictive of the access VLANs.
The NonAdmin_Wired VLAN provides access layer connectivity to other authorized users. These users are assigned a Student or Faculty role by Extreme Policy Manager and ExtremeControl. Roles can be more granular than the ones presented here. Most users access the school district network through this VLAN.
The Network_Devices VLAN provides access layer connectivity to common network devices such as printers, VoIP phones, and security cameras.
Figure: wired user access VLANs across the ExtremeXOS stack, Bridge Port Extenders, MLAGs and the redundant Controlling Bridges (Controlling Bridge 1 and Controlling Bridge 2). The steps called out in the figure:
1. Configure four wired user access VLANs on the X690 switches.
2. Configure four wired AP/user access VLANs on the ExtremeSwitching stack.
3. Extend Local Site VLAN_0059 to the stack.
4. Configure all user access ports with the Guest_Wired PVID.
5. Configure IP addresses and IP services on the wired user access VLANs.
6. Configure a loopback interface on the ExtremeSwitching stack.
7. Configure static routes between the stack and the X690 switches.
8. Configure VRRP on the X690 switches for the user access VLANs.
The process of adding an access VLAN to the CB/BPE topology involves several steps. First the user
creates the access VLAN and tag on the CBs. After the VLAN is created the Local Site trunk port and
MLAG ports are added as tag members of the access VLAN. Routing functionality will be configured
including IP address, VRRP for a common gateway, and IP forwarding.
For the ExtremeSwitching stack, the layer 2 configuration is also configured on the stack – not just on the
CBs. This includes creating the VLAN with a tag and adding the MLAG port to the VLAN.
Note
During these manual configuration steps, the user can choose to utilize mlag orchestration mode. This
mode can be helpful to configure the exact same commands on both CBs. However, do not use this feature
for configurations which need to be unique on CBs such as IP addresses, VRRP configurations, and OSPF
configurations. To enable this mode, refer to mlag orchestration mode operation on Page 16.
1. Configure four access VLANs and assign ports.
Controlling Bridge 1
Four wired access VLANs are created. The Local Site LACP trunk port (1:49) and the LACP port to the stack (1:45) are added to each VLAN as tagged members.
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:45,1:49 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:45,1:49 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:45,1:49 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:45,1:49 tagged
Controlling Bridge 2
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:45,1:49 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:45,1:49 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:45,1:49 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:45,1:49 tagged
ExtremeSwitching Stack
Four wired access VLANs are created, and the LACP port to the X690 switches (1:51) is added to each as a tagged member. A fifth VLAN, VLAN_0059, is extended from the X690 switches to the ExtremeSwitching stack for Layer 3 connectivity to the rest of the topology.
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:51 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:51 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:51 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:51 tagged
create vlan "VLAN_0059"
configure vlan VLAN_0059 description "Stack DO/SC1 Local Site Connectivity"
configure vlan VLAN_0059 tag 59
configure vlan VLAN_0059 add ports 1:51 tagged
After creating the VLANs, any port to be used for user access should be configured with Guest_Wired as its native VLAN (PVID).
When complete, the configuration should look similar to the one below. All wired access ports are added to the Guest_Wired VLAN as untagged (PVID).
Controlling Bridge 1
configure vlan VLAN_1900 add ports 1:1-6,1:8,1:10,1:12,1:14,1:16,1:18,1:20-44,1:46,1:51-52,1:54-56,1:58-72,100:1-24,101:1-24 untagged
Controlling Bridge 2
configure vlan VLAN_1900 add ports 1:1-8,1:10,1:12,1:14,1:16,1:18,1:20-44,1:46,1:50-52,1:54-56,1:58-72,100:1-24,101:1-24 untagged
ExtremeSwitching Stack
configure vlan VLAN_1900 add ports 1:1-50,1:52,2:1-50,2:52,3:1-52,4:1-52 untagged
Caution
When assigning the Guest_Wired PVID to access ports, use caution that previously configured ports are not reconfigured. These ports might include the following:
• Local Site LACP trunk port
• Uplink ports between the Controlling Bridges and the Bridge Port Extenders
• Uplink ports between the Controlling Bridges and the ExtremeSwitching stack
• Controlling Bridge ports used for the ExtremeWireless Appliance controller and Windows Server backup services
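The bookkeeping behind this caution can be automated instead of done by eye. The following Python script is an added example, not part of this validated design and not an Extreme tool: it expands ExtremeXOS port lists such as 1:1-8,1:10,100:1-24 into sets, subtracts every port that already has a role, and emits the untagged add ports command, or reports which ports of a hand-written list would collide with a reserved role. The inventory (the X690 as slot 1 with ports 1:1-72, the two BPEs as slots 100 and 101) and the reservation table are constructed for the example; only 1:45 (LAG to the stack), 1:49 (Local Site LACP trunk) and 1:19 (wireless controller port) are taken from this document, the other reserved ports are assumed so that the result reproduces the Controlling Bridge 2 command above.

```python
"""Build a PVID (untagged) access-port list that excludes reserved ports.

Added example, not part of the Extreme Validated Design and not an Extreme
tool. Expands ExtremeXOS slot:port lists, removes ports that must keep their
existing role, and emits a compact list for 'configure vlan ... add ports'.
"""
import re

_ITEM_RE = re.compile(r"^(\d+):(\d+)(?:-(\d+))?$")


def expand_ports(spec):
    """'1:1-3,1:8,100:1-2' -> {(1,1),(1,2),(1,3),(1,8),(100,1),(100,2)}."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        ports.update((slot, p) for p in range(first, last + 1))
    return ports


def compress_ports(ports):
    """Inverse of expand_ports: sorted by slot and port, consecutive ports collapsed to ranges."""
    ordered, items, i = sorted(ports), [], 0
    while i < len(ordered):
        slot, first = ordered[i]
        last = first
        while i + 1 < len(ordered) and ordered[i + 1] == (slot, last + 1):
            i += 1
            last += 1
        items.append(f"{slot}:{first}" if first == last else f"{slot}:{first}-{last}")
        i += 1
    return ",".join(items)


def access_port_command(vlan, all_ports, reserved):
    """EXOS command that makes every port of all_ports that is not reserved untagged in vlan.
    reserved: mapping role -> port spec; every listed port is left alone."""
    candidate = expand_ports(all_ports)
    for spec in reserved.values():
        candidate -= expand_ports(spec)
    return f"configure vlan {vlan} add ports {compress_ports(candidate)} untagged"


def conflicting_ports(proposed, reserved):
    """Ports of a hand-written list that collide with a reserved role: {(slot, port): role}."""
    wanted = expand_ports(proposed)
    return {p: role for role, spec in reserved.items() for p in expand_ports(spec) & wanted}


# Constructed inventory for Controlling Bridge 2 (assumption: the X690 is slot 1,
# the two BPEs are slots 100 and 101, as in the port lists of this design).
CB2_ALL_PORTS = "1:1-72,100:1-24,101:1-24"
# Reserved roles. 1:45, 1:49 and 1:19 come from this design; the rest are assumed.
CB2_RESERVED = {
    "MLAG/LACP port to the ExtremeSwitching stack": "1:45",
    "Local Site LACP trunk": "1:49",
    "ExtremeWireless appliance controller": "1:19",
    "CB to BPE uplinks (assumed)": "1:53,1:57",
    "server and other infrastructure ports (assumed)": "1:9,1:11,1:13,1:15,1:17,1:47-48",
}

if __name__ == "__main__":
    print(access_port_command("VLAN_1900", CB2_ALL_PORTS, CB2_RESERVED))
    for port, role in sorted(conflicting_ports("1:44-50", CB2_RESERVED).items()):
        print(f"{port[0]}:{port[1]} is already the {role}")
```

With the assumed reservations the script prints exactly the Controlling Bridge 2 command shown above; running conflicting_ports on a list typed by hand before applying it is the check the caution asks for.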
2. Configure access VLAN interfaces and other routing services.
Controlling Bridge 1
An IP interface is configured for each of the four wired access VLANs, and IP forwarding and BootP relay are enabled on each.
configure vlan VLAN_1900 ipaddress 172.19.128.2 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.0.2 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_1700 ipaddress 172.17.0.2 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
configure vlan VLAN_2200 ipaddress 172.21.0.2 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
Controlling Bridge 2
configure vlan VLAN_1900 ipaddress 172.19.128.3 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.0.3 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_1700 ipaddress 172.17.0.3 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
configure vlan VLAN_2200 ipaddress 172.21.0.3 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
3. Configure Layer-3 access to the ExtremeSwitching stack
Currently the stack has no Layer-3 connectivity to the District Office. This section sets up that connectivity.
ExtremeSwitching Stack
Configure an IP address on the VLAN that was extended for Layer-3 connectivity, enable the IP services ipforwarding and bootprelay, and configure a default static route that uses the previously configured VRRP virtual gateway.
configure vlan VLAN_0059 ipaddress 192.168.59.254 255.255.255.0
enable ipforwarding vlan VLAN_0059
enable bootprelay ipv4 vlan VLAN_0059
configure iproute add default 192.168.59.1
The next step is to configure a loopback interface on the ExtremeSwitching stack, used as its management address by Extreme Management Center and the ExtremeWireless Appliance controller, and to enable IP forwarding on it.
When complete, the configuration should look similar to the one below:
ExtremeSwitching Stack
create vlan "lo0"
configure vlan lo0 tag 1008
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.8 255.255.255.255
enable ipforwarding vlan lo0
The final step is to configure a static route to the ExtremeSwitching stack from the CBs. This static route will later be redistributed into OSPF for reachability from the other schools.
When complete, the configuration should look similar to the one below:
Controlling Bridge 1
Configure a static route to the ExtremeSwitching stack loopback interface, using the stack's IP address on the L3-connectivity VLAN as the gateway.
configure iproute add 192.168.200.8 255.255.255.255 192.168.59.254
Controlling Bridge 2
configure iproute add 192.168.200.8 255.255.255.255 192.168.59.254
At the prompt for the stack, issue show vlan VLAN_0059 and verify that VLAN_0059 has been extended to the ExtremeSwitching stack, that IP services have been enabled on the stack, and that the LACP port to the X690 switches has been added as tagged.
ExtremeSwitching Stack
Slot-1 Stack.24 # show vlan VLAN_0059
VLAN Interface with name VLAN_0059 created by user
Admin State:         Enabled
Tagging:             802.1Q Tag 59
Description:         None
Virtual router:      VR-Default
IPv4 Forwarding:     Enabled
IPv4 MC Forwarding:  Disabled
Primary IP:          192.168.59.254/24
…
Tag:    *1:51g
Flags:  (*) Active, (!) Disabled, (g) Load Sharing port
…
At the prompt for the stack, issue show vlan lo0 and verify (output truncated) that IP services have been enabled on the ExtremeSwitching stack, that the loopback IP address is a /32, and that loopback mode is enabled.
ExtremeSwitching Stack
Slot-1 Stack.25 # show vlan lo0
VLAN Interface with name lo0 created by user
Admin State:         Enabled
Tagging:             802.1Q Tag 1008
Description:         None
Virtual router:      VR-Default
IPv4 Forwarding:     Enabled
IPv4 MC Forwarding:  Disabled
Primary IP:          192.168.200.8/32
…
Loopback:            Enabled
…
Ports:               0. (Number of active ports=0)
…
At all three prompts, issue show iproute origin static and verify (output truncated). On the Controlling Bridges, verify the static route to the stack; on the stack, verify the default static route toward the Controlling Bridges and the rest of the topology.
Controlling Bridge 1
x690-DO/SC1-Left.178 # show iproute origin static
Ori  Destination       Gateway         Mtr  Flags          VLAN       Duration
#s   192.168.200.8/32  192.168.59.254  1    UG---S-um--f-  VLAN_0059  0d:0h:6m:54s
…
Controlling Bridge 2
x690-DO/SC1-Right.114 # show iproute origin static
Ori  Destination       Gateway         Mtr  Flags          VLAN       Duration
#s   192.168.200.8/32  192.168.59.254  1    UG---S-um--f-  VLAN_0059  0d:0h:7m:47s
…
ExtremeSwitching Stack
x440G2-DO/SC1-Stack.9 # show iproute origin static
Ori  Destination       Gateway         Mtr  Flags          VLAN       Duration
#s   Default Route     192.168.59.1    1    UG---S-um--f-  VLAN_0059  0d:2h:51m:8s
…
4. Configure access VLAN VRRP between the X690 switches.
Configure VRRP for the access VLANs in order to provide access VLAN users a virtual gateway address. Each wired access VLAN gets its own VRRP instance ID. A priority is configured on the intended master to make master election reliable (with equal priorities the election falls back to the higher IP address). Fabric-routing is enabled so that packets do not have to be routed through the VRRP master if a more direct route exists on the receiving interface. The add keyword sets the VRRP virtual IP address.
Controlling Bridge 1
create vrrp vlan VLAN_1900 vrid 193
configure vrrp vlan VLAN_1900 vrid 193 fabric-routing on
configure vrrp vlan VLAN_1900 vrid 193 add 172.19.128.1
enable vrrp vlan VLAN_1900 vrid 193
create vrrp vlan VLAN_1600 vrid 160
configure vrrp vlan VLAN_1600 vrid 160 priority 254
configure vrrp vlan VLAN_1600 vrid 160 fabric-routing on
configure vrrp vlan VLAN_1600 vrid 160 add 172.16.0.1
enable vrrp vlan VLAN_1600 vrid 160
create vrrp vlan VLAN_1700 vrid 170
configure vrrp vlan VLAN_1700 vrid 170 fabric-routing on
configure vrrp vlan VLAN_1700 vrid 170 add 172.17.0.1
enable vrrp vlan VLAN_1700 vrid 170
create vrrp vlan VLAN_2200 vrid 210
configure vrrp vlan VLAN_2200 vrid 210 priority 254
configure vrrp vlan VLAN_2200 vrid 210 fabric-routing on
configure vrrp vlan VLAN_2200 vrid 210 add 172.21.0.1
enable vrrp vlan VLAN_2200 vrid 210
Controlling Bridge 2
create vrrp vlan VLAN_1900 vrid 193
configure vrrp vlan VLAN_1900 vrid 193 priority 254
configure vrrp vlan VLAN_1900 vrid 193 fabric-routing on
configure vrrp vlan VLAN_1900 vrid 193 add 172.19.128.1
enable vrrp vlan VLAN_1900 vrid 193
create vrrp vlan VLAN_1600 vrid 160
configure vrrp vlan VLAN_1600 vrid 160 fabric-routing on
configure vrrp vlan VLAN_1600 vrid 160 add 172.16.0.1
enable vrrp vlan VLAN_1600 vrid 160
create vrrp vlan VLAN_1700 vrid 170
configure vrrp vlan VLAN_1700 vrid 170 priority 254
configure vrrp vlan VLAN_1700 vrid 170 fabric-routing on
configure vrrp vlan VLAN_1700 vrid 170 add 172.17.0.1
enable vrrp vlan VLAN_1700 vrid 170
create vrrp vlan VLAN_2200 vrid 210
configure vrrp vlan VLAN_2200 vrid 210 fabric-routing on
configure vrrp vlan VLAN_2200 vrid 210 add 172.21.0.1
enable vrrp vlan VLAN_2200 vrid 210
At the prompt, issue show vrrp and verify the VRRP configuration (output truncated). The switch with the highest priority has the MSTR state and the other one BKUP. The FR value must be Y on both the VRRP master and the backup.
Controlling Bridge 1
Slot-1 VPEX X690-48x-2q-4c.51 # show vrrp
                                 Virtual               Master
VLAN Name   VRID Pri IP Address    State MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0193 100 172.19.128.1  BKUP  00:00:5e:00:01:c1 0  0  0  Y 1 Y  N N
VLAN_16(En) 0160 254 172.16.0.1    MSTR  00:00:5e:00:01:a0 0  0  0  Y 1 Y  N N
VLAN_22(En) 0210 254 172.21.0.1    MSTR  00:00:5e:00:01:d2 0  0  0  Y 1 Y  N N
VLAN_17(En) 0170 100 172.17.0.1    BKUP  00:00:5e:00:01:aa 0  0  0  Y 1 Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.21 # show vrrp
                                 Virtual               Master
VLAN Name   VRID Pri IP Address    State MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_16(En) 0160 100 172.16.0.1    BKUP  00:00:5e:00:01:a0 0  0  0  Y 1 Y  N N
VLAN_22(En) 0210 100 172.21.0.1    BKUP  00:00:5e:00:01:d2 0  0  0  Y 1 Y  N N
VLAN_17(En) 0170 254 172.17.0.1    MSTR  00:00:5e:00:01:aa 0  0  0  Y 1 Y  N N
VLAN_19(En) 0193 254 172.19.128.1  MSTR  00:00:5e:00:01:c1 0  0  0  Y 1 Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Wireless User Access
The Guest_Wireless VLAN gives guest users access at the District Office/School 1. This VLAN is not configured on the stack or at the other schools, since all guest wireless traffic is forwarded directly to the District Office with the Bridged-at-Controller feature in ExtremeWireless. This access layer VLAN is typically the most restrictive of all VLANs.
The NonAdmin_Wireless VLAN provides access layer connectivity to other authorized users. These users are assigned a Student or Faculty role by Extreme Policy Manager and ExtremeControl. This VLAN is bridged at the access point.
Figure: wireless user access VLANs across the ExtremeXOS stack, Bridge Port Extenders, MLAGs and the redundant Controlling Bridges (Controlling Bridge 1 and Controlling Bridge 2). The steps called out in the figure:
1. Configure two wireless user access VLANs on the CBs.
2. Configure one wireless user access VLAN on the ExtremeSwitching stack.
3. Configure IP addresses and IP services on the wireless user access VLANs.
4. Configure VRRP on the Controlling Bridges for the user access VLANs.
Note
During these manual configuration steps, the user can choose to utilize mlag orchestration mode. This
mode can be helpful to configure the exact same commands on both CBs. However, do not use this feature
for configurations which need to be unique on CBs such as IP addresses, VRRP configurations, and OSPF
configurations. To enable this mode, refer to mlag orchestration mode operation on Page 16.
1. Configure two wireless access VLANs and assign ports.
Configure the two access VLANs for wireless users.
VLAN_1901 is configured only on the CBs because it is used for Bridged-at-Controller guest wireless access: its traffic is tunneled directly to the ExtremeWireless controllers, and VLAN_1901 also includes a port directly attached to each EWC. VLAN_1800 is configured on both CBs and the stack.
Controlling Bridge 1
Two wireless access VLANs are created and the LACP ports are added to them as tagged members; for VLAN_1901 a tagged port (1:19) connecting to the wireless controller is added as well.
create vlan "VLAN_1901"
configure vlan VLAN_1901 description "Wireless Guest VLAN"
configure vlan VLAN_1901 tag 1901
configure vlan VLAN_1901 add ports 1:19,1:45,1:49 tagged
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:45,1:49 tagged
Controlling Bridge 2
create vlan "VLAN_1901"
configure vlan VLAN_1901 description "Wireless Guest VLAN"
configure vlan VLAN_1901 tag 1901
configure vlan VLAN_1901 add ports 1:19,1:45,1:49 tagged
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:45,1:49 tagged
ExtremeSwitching Stack
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:51 tagged
2. Configure access VLAN interfaces and other routing services.
IP addresses for the two wireless access VLANs are configured on both X690 switches. In addition to the IP address, IP forwarding and BootP relay are enabled on the interfaces.
Controlling Bridge 1
configure vlan VLAN_1901 ipaddress 172.19.0.2 255.255.224.0
enable ipforwarding vlan VLAN_1901
enable bootprelay ipv4 vlan VLAN_1901
configure vlan VLAN_1800 ipaddress 172.18.0.2 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
Controlling Bridge 2
configure vlan VLAN_1901 ipaddress 172.19.0.3 255.255.224.0
enable ipforwarding vlan VLAN_1901
enable bootprelay ipv4 vlan VLAN_1901
configure vlan VLAN_1800 ipaddress 172.18.0.3 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
3. Configure access VLAN VRRP between the X690 switches.
Configure VRRP for the access VLANs in order to provide access VLAN users a virtual gateway address. Each wireless access VLAN gets its own VRRP instance ID. A priority is configured on the intended master to make master election reliable. Fabric-routing is enabled so that packets do not have to be routed through the VRRP master if a more direct route exists on the receiving interface. The add keyword sets the VRRP virtual IP address.
Controlling Bridge 1
create vrrp vlan VLAN_1901 vrid 190
configure vrrp vlan VLAN_1901 vrid 190 priority 254
configure vrrp vlan VLAN_1901 vrid 190 fabric-routing on
configure vrrp vlan VLAN_1901 vrid 190 add 172.19.0.1
enable vrrp vlan VLAN_1901 vrid 190
create vrrp vlan VLAN_1800 vrid 180
configure vrrp vlan VLAN_1800 vrid 180 fabric-routing on
configure vrrp vlan VLAN_1800 vrid 180 add 172.18.0.1
enable vrrp vlan VLAN_1800 vrid 180
Controlling Bridge 2
create vrrp vlan VLAN_1901 vrid 190
configure vrrp vlan VLAN_1901 vrid 190 fabric-routing on
configure vrrp vlan VLAN_1901 vrid 190 add 172.19.0.1
enable vrrp vlan VLAN_1901 vrid 190
create vrrp vlan VLAN_1800 vrid 180
configure vrrp vlan VLAN_1800 vrid 180 priority 254
configure vrrp vlan VLAN_1800 vrid 180 fabric-routing on
configure vrrp vlan VLAN_1800 vrid 180 add 172.18.0.1
enable vrrp vlan VLAN_1800 vrid 180
At the prompt, issue show vrrp and verify the VRRP configuration (output truncated). The switch with the highest priority has the MSTR state and the other one BKUP. The FR value must be Y on both the VRRP master and the backup.
Controlling Bridge 1
VPEX x690-DO/SC1-Left.173 # show vrrp
                                 Virtual               Master
VLAN Name   VRID Pri IP Address    State MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0190 254 172.19.0.1    MSTR  00:00:5e:00:01:be 0  0  0  Y 1 Y  N N
VLAN_18(En) 0180 100 172.18.0.1    BKUP  00:00:5e:00:01:b4 0  0  0  Y 1 Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Controlling Bridge 2
VPEX x690-DO/SC1-Right.113 # show vrrp
                                 Virtual               Master
VLAN Name   VRID Pri IP Address    State MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0190 100 172.19.0.1    BKUP  00:00:5e:00:01:be 0  0  0  Y 1 Y  N N
VLAN_18(En) 0180 254 172.18.0.1    MSTR  00:00:5e:00:01:b4 0  0  0  Y 1 Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
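The three show vrrp checks in this design (Local Site VLANs, wired access VLANs, wireless access VLANs) all verify the same properties by eye. The following Python script is an added example, not part of this validated design and not an Extreme tool: it par
ses the tabular show vrrp output captured on each Controlling Bridge and, for every VRID, checks that both peers carry the same virtual IP, that exactly one is MSTR and the other BKUP, that the MSTR is the higher-priority peer, that FR is Y on both, and that the master MAC is the RFC 5798 IPv4 virtual router MAC 00:00:5e:00:01:<VRID>, which is why the MAC column reads 00:00:5e:00:01:c1 for VRID 193 (0xc1) and 00:00:5e:00:01:be for VRID 190 (0xbe). The sample outputs are constructed from the wired access VLAN values shown earlier; the second Controlling Bridge 2 sample is deliberately faulty to show what the checker reports.

```python
"""Cross-check 'show vrrp' output from the two Controlling Bridges.

Added example; not part of the Extreme Validated Design and not an Extreme
tool. It parses the tabular ExtremeXOS 'show vrrp' output captured on each
VRRP peer and checks the properties the design relies on.
"""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class VrrpRow:
    vlan: str
    vrid: int
    priority: int
    vip: str
    state: str
    master_mac: str
    preempt: str
    fabric_routing: str


def parse_show_vrrp(text):
    """Map VRID -> VrrpRow. Row layout: VLAN Name, VRID, Pri, Virtual IP, State,
    Master MAC, then the TP/TR/TV/P/T/FR/G/HM flag columns (14 tokens)."""
    rows = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 14 or not tok[0].startswith("VLAN") or not MAC_RE.match(tok[5]):
            continue  # header, legend and truncated lines
        vrid = int(tok[1])
        rows[vrid] = VrrpRow(vlan=tok[0], vrid=vrid, priority=int(tok[2]), vip=tok[3],
                             state=tok[4], master_mac=tok[5].lower(),
                             preempt=tok[9], fabric_routing=tok[11])
    return rows


def expected_vrrp_mac(vrid):
    """IPv4 VRRP virtual router MAC (RFC 5798): 00-00-5E-00-01-{VRID}."""
    return "00:00:5e:00:01:%02x" % vrid


def check_pair(cb1_text, cb2_text):
    """Return a list of problems; an empty list means the two peers agree."""
    a, b = parse_show_vrrp(cb1_text), parse_show_vrrp(cb2_text)
    problems = []
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            problems.append(f"vrid {vrid}: present on only one peer")
            continue
        ra, rb = a[vrid], b[vrid]
        if ra.vip != rb.vip:
            problems.append(f"vrid {vrid}: virtual IP differs ({ra.vip} vs {rb.vip})")
        if sorted([ra.state, rb.state]) != ["BKUP", "MSTR"]:
            problems.append(f"vrid {vrid}: states {ra.state}/{rb.state}, want one MSTR and one BKUP")
        if ra.priority == rb.priority:
            problems.append(f"vrid {vrid}: equal priorities ({ra.priority}), election falls back to IP address")
        elif (ra if ra.priority > rb.priority else rb).state != "MSTR":
            problems.append(f"vrid {vrid}: the higher-priority peer is not MSTR")
        for peer, r in (("CB1", ra), ("CB2", rb)):
            if r.master_mac != expected_vrrp_mac(vrid):
                problems.append(f"vrid {vrid}: {peer} master MAC {r.master_mac} != {expected_vrrp_mac(vrid)}")
            if r.fabric_routing != "Y":
                problems.append(f"vrid {vrid}: fabric routing (FR) is not Y on {peer}")
    return problems


# Constructed sample output, using the wired access VLAN values from this design.
CB1_SHOW_VRRP = """\
                                 Virtual               Master
VLAN Name   VRID Pri IP Address    State MAC Address       TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0193 100 172.19.128.1  BKUP  00:00:5e:00:01:c1 0  0  0  Y 1 Y  N N
VLAN_16(En) 0160 254 172.16.0.1    MSTR  00:00:5e:00:01:a0 0  0  0  Y 1 Y  N N
VLAN_22(En) 0210 254 172.21.0.1    MSTR  00:00:5e:00:01:d2 0  0  0  Y 1 Y  N N
VLAN_17(En) 0170 100 172.17.0.1    BKUP  00:00:5e:00:01:aa 0  0  0  Y 1 Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
"""
CB2_SHOW_VRRP = """\
VLAN_16(En) 0160 100 172.16.0.1    BKUP  00:00:5e:00:01:a0 0  0  0  Y 1 Y  N N
VLAN_22(En) 0210 100 172.21.0.1    BKUP  00:00:5e:00:01:d2 0  0  0  Y 1 Y  N N
VLAN_17(En) 0170 254 172.17.0.1    MSTR  00:00:5e:00:01:aa 0  0  0  Y 1 Y  N N
VLAN_19(En) 0193 254 172.19.128.1  MSTR  00:00:5e:00:01:c1 0  0  0  Y 1 Y  N N
"""
# Constructed faulty peer: VRID 160 has the same priority as CB1, VRID 210 has FR off.
CB2_BROKEN_SHOW_VRRP = """\
VLAN_16(En) 0160 254 172.16.0.1    BKUP  00:00:5e:00:01:a0 0  0  0  Y 1 Y  N N
VLAN_22(En) 0210 100 172.21.0.1    BKUP  00:00:5e:00:01:d2 0  0  0  Y 1 N  N N
VLAN_17(En) 0170 254 172.17.0.1    MSTR  00:00:5e:00:01:aa 0  0  0  Y 1 Y  N N
VLAN_19(En) 0193 254 172.19.128.1  MSTR  00:00:5e:00:01:c1 0  0  0  Y 1 Y  N N
"""

if __name__ == "__main__":
    print("healthy pair:", check_pair(CB1_SHOW_VRRP, CB2_SHOW_VRRP) or "OK")
    for problem in check_pair(CB1_SHOW_VRRP, CB2_BROKEN_SHOW_VRRP):
        print("problem:", problem)
```

The virtual MAC check is also useful outside this script: in a packet capture or a MAC table, any 00:00:5e:00:01:xx address is a VRRP gateway, and the low byte tells you which VRID answered.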
Authentication – RADIUS
Network login (netlogin) is a security feature that controls admission of user packets and access rights, preventing unauthorized access to the network. Netlogin offers three authentication types: MAC-based, 802.1X (dot1X) and web-based. MAC-based authentication can be done locally or using a RADIUS server. MAC-based authentication with a RADIUS server and 802.1X are implemented for this solution.
By itself, netlogin allows or filters traffic on the ports it is enabled on. Its functionality can be further enhanced by using policies, which offer a greater variety of actions and granular control of user packet access to the network.
Netlogin 802.1X authentication involves three parties: the supplicant, the authenticator and the authentication server. The supplicant is the client machine, capable of running 802.1X authentication software. The authenticator is the network device the client is connected to, configured with netlogin. The authentication server is usually a third-party RADIUS server.
For clients that cannot run authentication software, such as printers, APs, and other wired devices connected to the network, MAC-based authentication can be used. In this case the supplicant is unaware that authentication is taking place; the authenticator uses the device's MAC address as the credential. Because a MAC address is visible on the wire and can be copied by anyone with physical access to the port, MAC-based authentication identifies a device far more weakly than 802.1X does, so the role assigned to such devices should be the most restrictive one that still lets them function.
In order for a user to authenticate, the following conditions must be met:
1. The Extreme device is added to Extreme Management Center.
2. Controllers are added to Extreme Management Center and are configured.
3. LDAP configurations are made.
4. The device is added to the correct Control Domain.
5. Policies are created – roles and corresponding services are defined.
6. Policies are enforced on Extreme switches.
7. Access control rules and accept policies are defined.
8. Network devices are added as trusted RADIUS clients for ExtremeControl.
9. Access control settings are enforced on the controllers.
Authentication Process
[Figure: message flow between the Netlogin Client, the Extreme Switch/Stack, XMC & NAC (NAC with LDAP) and the RADIUS Server. 1. Request network access and send authentication credentials. 2. Send authentication credentials to NAC and try to authenticate user. 3. Send authentication request to RADIUS. 4. Authentication Challenge. 5. Challenge Reply. 6. Allow or deny access. 7. Assign policy to netlogin port on switch/stack. 8. Allow or deny traffic according to policy settings.]
Authentication steps:
1. A user connecting to the switch and requesting network access sends login credentials to the switch.
2. The switch sends the credentials in a RADIUS Request message to ExtremeControl. Upon seeing the request, ExtremeControl verifies its RADIUS server configuration. If a server is present, the authentication request is sent to it. If no server is found, the LDAP configuration conditions are verified. If the conditions are all met, the authentication request is sent to the RADIUS server. At this point ExtremeControl/LDAP is acting as authenticator.
3. When the RADIUS server receives an authentication request it first verifies that the authenticator is in its trusted client list and that the shared secret received matches the locally configured one, to determine whether it can accept an authentication request from the client. Next, if the client verification passes, the RADIUS server searches for a Network Access policy whose access conditions are satisfied by the Request packet. If an access policy is found, the authentication process can continue. If not, the user's login attempt is rejected.
4. For PEAP and TLS authentication, a RADIUS Challenge message is sent to the user.
5. The user must respond to the challenge to complete the authentication process.
6. The RADIUS server either allows or denies the user access and sends the response to the ExtremeControl server.
7. If the user passes authentication, ExtremeControl verifies the LDAP attributes and Access Control Rules one by one until the conditions of one of them are met. A Profile and an Accept Policy for the matched rule are returned for the authenticated user and applied on the switch port to which the user is connected.
8. All traffic generated by the user is treated according to the services configured for the Role corresponding to the Accept Policy the user matched.
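Step 3 says the RADIUS server checks the shared secret before it accepts a request, and step 6 has the server send an Accept or Reject back to the authenticator. The following Python is an added example, not code from the Validated Design or from any Extreme product; it shows where the shared secret is actually exercised in RADIUS (RFC 2865 and RFC 2869): the Message-Authenticator HMAC a server verifies on an Access-Request, and the Response Authenticator a switch or ExtremeControl engine must verify before it trusts an Access-Accept. The secret, user name and password are constructed placeholders.

```python
"""Shared-secret checks on RADIUS packets (RFC 2865 / RFC 2869).

Added example, not code from the Extreme Validated Design. All names,
secrets and credentials below are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 keyed with the shared secret over the packet with the attribute's
    16 value bytes zeroed, then patched in."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: the packet must be internally consistent and carry a
    Message-Authenticator that recomputes under the locally configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator: the client cannot be authenticated


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check before an Access-Accept is acted on: the reply must
    echo the request identifier and its Response Authenticator must recompute
    from the request's authenticator and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a deployment value
    req = build_access_request(7, b"teacher1", b"Pa55word!", secret)
    print("request accepted by server:", verify_message_authenticator(req, secret))
    print("accept verified by client:",
          verify_response(build_response(ACCESS_ACCEPT, req, secret), req, secret))
    print("forged accept verified:",
          verify_response(build_response(ACCESS_ACCEPT, req, b"wrong"), req, secret))
```

The last line of the demonstration is the one that matters operationally: a reply built without the configured secret fails the Response Authenticator check, which is why the secret must match on both ExtremeControl and the switch, as the RADIUS Configuration section below requires.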
RADIUS Configuration
When user access control is done using policy and netlogin, at least one RADIUS server must be configured on the access switches. At the District Office/School 1 of the Smart OmniEdge solution, two RADIUS servers are configured, one primary and one secondary, for redundancy. If the primary server fails, the authentication requests are sent to the second RADIUS server. On the switches, the ExtremeControl engines are configured as RADIUS servers.
When complete, the configuration should look similar to the one below:
Controlling Bridge 1
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$dZQZibeFVYfCltPMimy6+0KZIIbC/Q=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.1 vr VR-Default
configure radius 2 shared-secret encrypted "#$iycnW0+5pRr4Pe2ff4X5uCt6m5JRGg=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.1 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$YM0NQLzqot8rYWopHhtQ5r1XKA6pnw=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.1 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$nCogm5igQEhQpTnGP1xbU8JCAEj50g=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
Controlling Bridge 2
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.2 vr VR-Default
configure radius 1 shared-secret encrypted "#$kNgjkKrdw5Po81e0P2ze3fFcm7avFw=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.2 vr VR-Default
configure radius 2 shared-secret encrypted "#$Yz7YSlLFNary8w+s+wMAC4wZJJCEQg=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.2 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$InzX+lRPtLgxk2e0qL10m72Q36hQeA=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.2 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$COv+Ep5nDr+l1SVecObdKUGJVPKvdQ=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
ExtremeSwitching Stack
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.8 vr VR-Default
configure radius 1 shared-secret encrypted "#$fj+WRDBSRHQmPck4VSz2ctesFSFT+A=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.8 vr VR-Default
configure radius 2 shared-secret encrypted "#$OO+DQtUIKS6fQN7l/JTZ/k+cYqWdxA=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.8 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$ejlaJE6XrNzw8QWseSt/Qsmpj5li+w=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.8 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$F6CW350vW+fSZgk2I9MXbhsO0HFGFA=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
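A practitioner will want to confirm, before enforcing these blocks, that every device matches the design described above: two authentication and two accounting servers, secrets stored in encrypted form, RADIUS enabled for netlogin, a single client-ip per device and an explicit timeout. The Python below is an added example, not part of the Validated Design or of ExtremeXOS; it parses command lines in exactly the syntax printed in this section (the regular expressions assume that form), rejoins commands that a printout wrapped across lines, and reports deviations. The two sample blocks are constructed from the page's command pattern and their secrets are placeholders.

```python
"""Audit of ExtremeXOS RADIUS / netlogin configuration blocks.

Added example, not part of the Validated Design or of ExtremeXOS. The
regular expressions assume the command forms printed in this section; the
sample blocks are constructed and their secrets are placeholders.
"""
import re
from typing import List

SERVER_RE = re.compile(
    r"^configure (radius|radius-accounting) (\d+) server (\S+) (\d+) client-ip (\S+) vr (\S+)$")
SECRET_RE = re.compile(
    r'^configure (radius|radius-accounting) (\d+) shared-secret (encrypted )?"?([^"]*)"?$')
TIMEOUT_RE = re.compile(
    r"^configure (radius|radius-accounting)(?: (\d+))?(?: (mgmt-access|netlogin))? timeout (\d+)$")
ENABLE_RE = re.compile(r"^enable (radius|radius-accounting)(?: (mgmt-access|netlogin))?$")


def join_wrapped_lines(text: str) -> List[str]:
    """A line that does not begin with a command keyword continues the previous command."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("configure ", "enable ", "disable ")) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_config(text: str) -> dict:
    """Collect servers, secrets, timeouts and enable flags keyed by (kind, index/scope)."""
    cfg = {"servers": {}, "secrets": {}, "timeouts": {}, "enabled": set()}
    for line in join_wrapped_lines(text):
        if m := SERVER_RE.match(line):
            kind, idx, ip, port, client_ip, vr = m.groups()
            cfg["servers"][(kind, idx)] = {"ip": ip, "port": int(port), "client_ip": client_ip, "vr": vr}
        elif m := SECRET_RE.match(line):
            kind, idx, enc, value = m.groups()
            cfg["secrets"][(kind, idx)] = {"encrypted": enc is not None, "value": value}
        elif m := TIMEOUT_RE.match(line):
            kind, idx, scope, secs = m.groups()
            cfg["timeouts"][(kind, idx or scope or "global")] = int(secs)
        elif m := ENABLE_RE.match(line):
            kind, scope = m.groups()
            cfg["enabled"].add((kind, scope or "global"))
    return cfg


def audit(cfg: dict) -> List[str]:
    """One finding per deviation; an empty list means the block matches the design."""
    findings: List[str] = []
    for kind, port in (("radius", 1812), ("radius-accounting", 1813)):
        servers = {k: v for k, v in cfg["servers"].items() if k[0] == kind}
        if len(servers) < 2:
            findings.append(f"{kind}: fewer than two servers, no redundancy")
        for (_, idx), srv in sorted(servers.items()):
            if srv["port"] != port:
                findings.append(f"{kind} {idx}: unexpected port {srv['port']}")
            sec = cfg["secrets"].get((kind, idx))
            if sec is None:
                findings.append(f"{kind} {idx}: no shared secret")
            elif not sec["encrypted"] or not sec["value"].startswith("#$"):
                findings.append(f"{kind} {idx}: shared secret stored in clear text")
        if (kind, "global") not in cfg["enabled"]:
            findings.append(f"{kind}: not enabled")
        if (kind, "netlogin") not in cfg["enabled"]:
            findings.append(f"{kind}: not enabled for netlogin")
    if ("radius", "global") not in cfg["timeouts"]:
        findings.append("radius: no explicit timeout")
    client_ips = sorted({s["client_ip"] for s in cfg["servers"].values()})
    if len(client_ips) > 1:
        findings.append(f"inconsistent client-ip values: {client_ips}")
    return findings


# Constructed sample in the page's command pattern, including wrapped lines.
GOOD_CONFIG = """
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$PLACEHOLDER1=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.1 vr VR-Default
configure radius 2 shared-secret encrypted "#$PLACEHOLDER2=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.1 vr
VR-Default
configure radius-accounting 1 shared-secret encrypted
"#$PLACEHOLDER3=="
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.1 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$PLACEHOLDER4=="
enable radius
enable radius netlogin
configure radius timeout 15
enable radius-accounting
enable radius-accounting netlogin
"""
# Constructed block carrying the deviations the audit is meant to catch.
BAD_CONFIG = """
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.8 vr VR-Default
configure radius 1 shared-secret NotEncrypted
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.9 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$PLACEHOLDER5=="
enable radius
enable radius-accounting
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(parse_config(text)) or ["ok"])
```

Run it against the output of `show configuration` for each switch; a clean block returns no findings, while the constructed bad block reports the missing redundancy, the clear-text secret, the missing netlogin enable and the mismatched client-ip.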
Guest Access (Captive Portal)
Captive portal provides a way to allow unregistered users to connect to the network as guests. All guests
are redirected to a registration page before being allowed access.
For redirection to occur, the network must be able to identify a guest user’s traffic and assign a policy that
triggers the redirection. In this instance, traffic is assigned the "Unregistered" policy, configured to redirect
web traffic to a specific URL where the policy is applied. The DNS, DHCP, ARP, and http/https redirect
rules for the “Unregistered” Role are configured in Extreme Management Center via Policy, then enforced
onto the corresponding platform.
When an unregistered user attempts to go to the internet, the http/https traffic is intercepted and
redirected to the Extreme Access Control captive portal. In a wired environment, this is the physical switch
port. In a wireless environment, this is either the AP or the controller, depending on the deployment. The
user is then able to fill in the required information that will yield access to the network. Once the captive
portal process is complete, the user is removed from the policy that triggered redirection and put into a
new policy to allow normal traffic flow.
General flow required for captive portal redirection:
1. Connect unregistered user to the network: all non-defined users are authenticated and assigned the Unregistered policy by default.
2. Unregistered policy causes redirection to occur: the Unregistered policy is configured with services that trigger redirection and allow basic network connectivity services; all other traffic is denied.
3. User registers to captive portal: the captive portal registration page is displayed automatically when the user tries to connect to the internet.
4. Extreme Access Control reauthenticates the user and assigns a new policy: the newly assigned policy allows user traffic to their allocated resources.
Extreme Policy
Policy provides for the configuration of role-based profiles for securing and provisioning network
resources based upon the role the user or device plays within the enterprise. By first defining the user or
device role, network resources can be granularly tailored to a specific user, system, service, or port-based
context by configuring and assigning rules to the policy role. A policy role can be configured for any
combination of Class of Service, VLAN assignment, or default behavior based upon L2, L3, and L4 packet
fields. Hybrid authentication allows either policy or dynamic VLAN assignment, or both, to be applied
through RADIUS (Remote Authentication Dial In User Service) authorization.
The configuration flow can be reduced to the steps below:
1. Create Domain: multiple domains can be created.
2. Add devices to Domain: in order for a network device to receive the correct policy configuration from XMC, the network device must be added to the correct domain.
3. Create Role: roles usually model the function the user has.
4. Create Service: skip to step 5 if using an existing service.
5. Add Services to Role: a role can have none or multiple services that define how user traffic is treated.
6. Save Domain: all unsaved changes will be lost.
7. Enforce Domain: the policy domain configuration is automatically created on the network devices.
This section assumes that SNMPv3 has been configured. To configure SNMPv3 on the switches, wireless controllers, and ExtremeWireless appliances, refer to the Simple Network Management Protocol (SNMPv3) section in Design Considerations.
Policy Domain Configuration
The Smart OmniEdge Validated Design contains four main domains created with Extreme Management Center, each containing a subset of associated roles and sets of rules for each role. These four domains organize the network so that specific policies and rules apply only across the desired domains. The domains are: Wired Smart OmniEdge, Wireless Smart OmniEdge, Wired Smart OmniEdge DO, and Wired Smart OmniEdge DO-Stack.
The "Wired Smart OmniEdge DO" and "Wired Smart OmniEdge DO-Stack" domains enforce the roles and services assigned to the wired users accessing District Office/School 1. The "Wireless Smart OmniEdge" domain contains the roles and services enforced on the wireless controllers.
1. To create new domains, go to Control > Policy > Open/Manage Domains. Select Create Domain from the drop-down list and name the new domain:
Create the four required domains for this validated design: Wired Smart OmniEdge, Wireless Smart
OmniEdge, Wired Smart OmniEdge DO, and Wired Smart OmniEdge DO-Stack.
Click OK to complete domain configuration.
2. To add a network device to a domain, go to Policy > Devices, right-click on the display criteria, and select Assign Device(s) to Domain:
DO/SC1-Right and DO/SC1-Left are part of the Wired Smart OmniEdge DO policy domain. Assignment to a domain is done based on the VLAN requirements.
WC1 and WC2 are added to the Wireless Smart OmniEdge policy domain. Assignment to a domain is done based on the VLAN requirements.
Role Configuration - Wired Domains
Ten unique roles are configured for the District Office. The same roles and services are used by all the
schools.
The users connecting to the network belong to one of the following categories: administrators, non-administrators, guests, or network devices.
• Administrators, whether they use a wireless or a wired connection, are assigned the Administrator role and are moved to the Admin VLAN.
• Faculty and student users are non-administrators. Both roles transmit traffic in the same VLAN, but the wireless traffic is isolated from the wired traffic by being separated into two different VLANs. The difference between the two non-administrator roles is determined by the policy configuration.
• Wireless users connecting to the network through captive portal are assigned the Guest Access role.
• VoIP phones, IP cameras, and printers are assigned their respective roles.
A role has two components that define how user traffic is treated: The Default Actions and the Services.
Only the Access Control, Class of Service, and AP Aware actions are configured in the roles defined for
this solution. The configuration steps for the Administrator role are presented in this section. All roles are
configured in the same manner.
The following roles were created for the Wired Smart OmniEdge DO domain:
1. Administrator Role
The Administrator role is intended for administrative users who have no limitations of services or network
use. The Administrator role is important for allowing IT Administrators complete access to the network so
that they can conduct the required analysis, development, and troubleshooting processes that belong to
their role in the enterprise. There are no rules for this role. In addition, Class of Service (CoS) is
untouched to provide administrators an unbiased network experience. If this were set to a high value, the administrator's monitoring tools may not reflect network latency accurately. If the administrators require a higher priority to ensure network access, then we recommend creating an additional Administrator role for that purpose. The services associated with the Administrator role are Active Directory Services, Deny Threats, and Network Management.
This role is used by the Wireless Smart OmniEdge, Wired Smart OmniEdge, Wired Smart OmniEdge-DO, and Wired Smart OmniEdge-DO-Stack domains and is configured with the same services and Egress VLAN on all of them. Both wireless and wired users with the Administrator role will be added to VLAN Admin.
a. To create a new role, go to Control > Policy > Roles/Services and right-click on Roles. Name the role and click OK to complete role creation.
b. To configure the default actions for the Administrator role, go to Control > Policy > Roles/Services and select the role. If the options are not displayed, click Show All. The Contain to VLAN access control action is selected for the Administrator role; for this access control type the VLAN must be specified.
c. Select the desired CoS value from the drop-down list. Priority 5 will be applied to traffic generated by Administrator users.
d. To add services to the Administrator role, click Add/Remove and select from the existing default services.
[Screenshot: the final Default Actions and Services configuration for the Administrator role.]
e. The Egress VLAN must also be configured for the roles that have access control set to Contain to
VLAN and for roles applied to devices that have other users connected behind them, like an AP or
a VoIP phone. To configure the Egress VLAN entries, go to the VLAN Egress tab and click Add.
Select the desired VLAN and the forwarding state for the port from the drop-down lists.
2. Access Point Role
When this role is applied to the port, all other MACs are passed through without authentication. This is
specifically useful when bridging wireless client traffic at the access point. Although the Access Point role
does not contain any associated services, it does use the Class of Service role High Priority. This CoS
value is the highest available in the network. For Bridged@AP wireless topologies, the AP switch port is
used to forward user traffic into the network. The VLANs associated with the traffic can be assigned
dynamically using the VLAN Egress functionality of the role.
This role is used by the Wired Smart OmniEdge, Wired Smart OmniEdge-DO, and Wired Smart
OmniEdge-DO-Stack domains and does not exist on the Wireless Smart OmniEdge domain.
AP-generated traffic is sent untagged in this VLAN. Traffic from Administrator users connecting to the wireless network is sent tagged in the wired Admin VLAN, assigned with policy. Traffic from faculty and student users connecting to the wireless network is sent tagged in the wired NonAdmin_Wireless VLAN, assigned with policy.
3. Deny Access Role
The Deny Access Role is used in ExtremeControl to assign to an end-system that has been denied
access through MAC Registration. The definition of the Deny Access role may vary depending on the
customer environment. This role is used by the Wireless Smart OmniEdge, Wired Smart OmniEdge,
Wired Smart OmniEdge-DO, and Wired Smart OmniEdge-DO-Stack domains.
By default, the Deny Access role will discard traffic. Basic connectivity services are allowed.
4. Guest Access Role
The Guest Access role is intended for guests or other unknown users connecting to the enterprise
network infrastructure. The Guest Access role will be used to enforce the high security of IT assets and
the limited availability of IT resources as determined by the business policy. This role is used by the
Wireless Smart OmniEdge, Wired Smart OmniEdge, Wired Smart OmniEdge-DO, and Wired Smart
OmniEdge-DO-Stack domains.
CoS value 0 is assigned to Guest traffic. Only Guest traffic matching the defined Services is allowed.
5. IP Camera Role
The IP Camera role is simply used to define a subset of services that should be applied to any related IP
camera devices on the network. It is used by the Wired Smart OmniEdge, Wired Smart OmniEdge-DO,
and Wired Smart OmniEdge-DO-Stack domains.
The role is configured with CoS value 6 and traffic is contained to the Network_Devices VLAN. No services are defined for this role. Traffic generated by IP Camera devices is sent untagged in the Network_Devices wired VLAN.
6. Printer Role
The Printer Role is simply used to define a subset of services that should be applied to any related printer
devices on the network. The role is used by the Wired Smart OmniEdge, Wired Smart OmniEdge-DO,
and Wired Smart OmniEdge-DO-Stack domains.
The role is configured with CoS value 3 and traffic is contained to the Network_Devices VLAN. Services are defined for this role. Traffic generated by Printer devices is sent untagged in the Network_Devices wired VLAN.
7. Faculty Role
The Faculty Role is used to define a subset of services that would normally be applicable to a user with privileges pertaining to non-IT employees and personnel.
The role is configured with CoS value 2 and traffic is contained to the NonAdmin_Wired VLAN. Services are defined for the Faculty role. Traffic generated by Faculty users is sent untagged in the NonAdmin_Wired VLAN.
8. Student Role
The Student role is a non-default role created to define how student traffic is handled.
The role is configured with CoS value 1 and traffic is contained to the NonAdmin_Wired VLAN. Services are defined for the Student role. Traffic generated by Student users is sent untagged in the NonAdmin_Wired VLAN.
9. Unregistered Role
The Unregistered Role is used in ExtremeControl for end-systems that have yet to pass through MAC Registration. The definition of the Unregistered role may vary depending on the customer environment. This role is used by the Wireless Smart OmniEdge, Wired Smart OmniEdge, Wired Smart OmniEdge-DO, and Wired Smart OmniEdge-DO-Stack domains.
By default, the Unregistered role will discard traffic. The services shown are allowed for the Unregistered role.
10. VoIP Phone Role
This role is applied to the VoIP phones connecting to the network. This role is used by the Wired Smart
OmniEdge, Wired Smart OmniEdge-DO, and Wired Smart OmniEdge-DO-Stack domains.
Voice traffic will be marked with CoS value 6 and contained to VLAN Network_Devices. Services are configured for VoIP phones. Traffic from Administrator users connecting behind the VoIP phone will be sent tagged in VLAN Admin. Traffic from Faculty and Student users connecting behind the VoIP phone will be sent tagged in VLAN NonAdmin_Wired. Traffic from VoIP phones is sent untagged in VLAN Network_Devices.
Role Configuration – Wireless Domains
The roles and services created on the wireless domain are enforced on the wireless controller.
1. Administrator Role
The Administrator role is intended for administrative users who have no limitations of services or network
use. The Administrator role is important for allowing IT administrators complete access to the network so
that they can conduct the required analysis, development, and troubleshooting processes that belong to
their role in the enterprise.
Traffic generated by Administrator users is marked with CoS value 5 and will be contained to the wireless controller Administrator topology. Services are defined for the Administrator role.
2. Deny Access Role
The Deny Access role is used in ExtremeControl as a role to be assigned to an end-system that has been
denied access through MAC Registration. The definition of the Deny Access role may vary depending on
the customer environment.
By default, the Deny Access role will discard traffic. Services are defined for the Deny Access role.
3. Guest Access Role
The Guest Access role is intended for guests or other unknown users connecting to the enterprise
network infrastructure. The Guest Access role will be used to enforce the high security of IT assets and
the limited availability of IT resources as determined by the business policy.
All traffic except for traffic allowed by the service configuration is filtered. Services are defined for the Guest Access role.
4. Faculty Role
The Faculty Role is used to define a subset of services that would normally be applicable to a user with privileges pertaining to non-IT employees and personnel.
Faculty role traffic is contained to the wireless controller NonAdmin topology 1800. Services are defined for the Faculty role.
5. Student Role
The Student Role is used to define a subset of services that would normally be applicable to a user with privileges pertaining to pupils attending the schools.
Student role traffic is contained to the wireless controller NonAdmin topology 1800. Services are defined for the Student role.
6. Unregistered Role
The Unregistered Role is used in ExtremeControl for end-systems that have yet to pass through MAC
Registration. The definition of the Unregistered role may vary depending on the customer environment.
All traffic except for traffic allowed by the service configuration is filtered. The Redirect function is enabled for this role and is used for captive portal guest access. Services are defined for the Unregistered role.
7. Captive Portal Redundancy
To have Captive Portal Redundancy between two Access Controls, use a single FQDN address for the
captive portal redirect configuration.
In the DNS server, add both ExtremeControl IPs to the FQDN address. Make sure that all hardware and
applications use the DNS server where the entries reside.
Services Configurations
Extreme Management Center provides a set of default services that cover a wide range of protocols and
applications. Custom services can be added to match specific requirements, and rules can be added to
the existing services. Creating a global role means it is visible and it can be used by all policy domains.
The following non-default services were added for the District Office. Detailed configuration steps are
added for the Deny Admin service. All services are configured in the same manner.
1. Deny Admin Service
The purpose of this service is to deny all management traffic and applications; it is applied to the non-admin roles Faculty and Student.
a. New services can be added from the Policy tab under Roles/Services > Service Repository > Local Services: right-click on Services and select Create Service:
b. Each service is formed of one or more rules. To add a rule to a service, right-click on the service
name and select Create Rule.
c. Once created, the rule appears under the service. To configure the rule, click on its name to open the configuration panel. Enable the rule for its settings to take effect. Click Edit to define the type of traffic the rule will affect. Define the actions that will be taken when the user traffic matches the definition in the Traffic Description section.
Select the Traffic Classification layer and Type, then select the Traffic Classification Value.
The Deny Admin service has the following rules defined:
2. Guest Access Service
This service was created to allow DHCP, DNS, HTTP and ICMP traffic and it is assigned to Guest Access
role in all domains.
3. Network Management Service
This service is applied only to the Administrator role and allows management traffic with a destination of
the network devices in the Smart OmniEdge Validated Design.
4. VoIP Phone Service
The VoIP Phone service is created to allow certain L4 ports used by voice applications. This service is
used by the VoIP Phone role.
Switch and Appliance Restricted Access
Security of the network devices and appliances is of the utmost importance. With Web Services rules applied to Student and Faculty, along with Guest Services applied to Guest Access, HTTP is allowed. To block access to the switches and appliances, a Global Security service must be created with a rule to deny traffic to those particular devices. A subnet or single IP can be entered if a Layer 3 Traffic Classification is chosen. Layers 2, 4 and 7 can also be selected with the appropriate configuration.
Once the Rule is created, it must be added to the appropriate Roles within their respective Domains. To
add to the appropriate Roles, right-click on the service and select add to roles. Multiple Roles can be
selected as well.
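The Guest Access (Captive Portal) section above and this one both come down to the same question: given a role's default action and its services, which rule decides a packet's fate. The Python below is an added example, not Extreme's policy engine and not configuration from the design. It models a role as default actions plus services of classification rules and lets the highest-precedence matching rule win, using a constructed precedence (L3 destination address above L4 destination port above IP protocol) that approximates the platform's rule-precedence table; consult that table for a real switch. The roles, rules and the 192.168.200.0/24 "network devices" subnet are constructed to mirror the Unregistered role (redirect to the captive portal) and a Student role carrying Web Services plus the Deny Admin / Global Security rule.

```python
"""Simplified model of Extreme Policy role evaluation.

Added example, not Extreme's policy engine. The precedence table, roles,
rules and addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumption: higher number wins. Approximates, but is not, the platform's table.
PRECEDENCE = {"l3-dst": 3, "l4-dst-port": 2, "ip-proto": 1}


@dataclass
class Packet:
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    layer: str                      # key of PRECEDENCE (the Traffic Classification layer)
    value: str                      # CIDR, "proto/port" or protocol name
    action: str                     # "permit", "deny" or "redirect"

    def matches(self, pkt: Packet) -> bool:
        if self.layer == "l3-dst":
            return ip_address(pkt.dst_ip) in ip_network(self.value)
        if self.layer == "l4-dst-port":
            proto, port = self.value.split("/")
            return pkt.proto == proto and pkt.dst_port == int(port)
        return pkt.proto == self.value   # "ip-proto"


@dataclass
class Role:
    name: str
    default_action: str             # what traffic matching no rule gets
    cos: int
    services: List[List[Rule]] = field(default_factory=list)


def evaluate(role: Role, pkt: Packet) -> Tuple[str, str]:
    """Highest-precedence matching rule decides (first match wins on ties);
    the role's default action applies when no rule matches."""
    best: Optional[Rule] = None
    for service in role.services:
        for rule in service:
            if rule.matches(pkt) and (best is None or PRECEDENCE[rule.layer] > PRECEDENCE[best.layer]):
                best = rule
    return (role.default_action, "default") if best is None else (best.action, best.name)


# Constructed services. 192.168.200.0/24 stands in for the network devices'
# management addresses (the switches' client-ip values in this section).
WEB_SERVICES = [Rule("Allow HTTP", "l4-dst-port", "tcp/80", "permit"),
                Rule("Allow HTTPS", "l4-dst-port", "tcp/443", "permit")]
BASIC_SERVICES = [Rule("Allow DNS", "l4-dst-port", "udp/53", "permit"),
                  Rule("Allow DHCP", "l4-dst-port", "udp/67", "permit"),
                  Rule("Allow ICMP", "ip-proto", "icmp", "permit")]
DENY_ADMIN = [Rule("Deny network devices", "l3-dst", "192.168.200.0/24", "deny")]
CAPTIVE_PORTAL = [Rule("Redirect HTTP", "l4-dst-port", "tcp/80", "redirect"),
                  Rule("Redirect HTTPS", "l4-dst-port", "tcp/443", "redirect")]

STUDENT = Role("Student", "permit", 1, [WEB_SERVICES, BASIC_SERVICES, DENY_ADMIN])
UNREGISTERED = Role("Unregistered", "deny", 0, [BASIC_SERVICES, CAPTIVE_PORTAL])

if __name__ == "__main__":
    cases = [(STUDENT, Packet("10.20.0.5", "tcp", 80)),
             (STUDENT, Packet("192.168.200.1", "tcp", 80)),   # HTTP allowed, but the L3 deny wins
             (STUDENT, Packet("10.20.0.5", "tcp", 22)),
             (UNREGISTERED, Packet("10.20.0.5", "tcp", 80)),
             (UNREGISTERED, Packet("10.20.0.53", "udp", 53)),
             (UNREGISTERED, Packet("10.20.0.5", "tcp", 22))]
    for role, pkt in cases:
        print(role.name, pkt, "->", evaluate(role, pkt))
```

The second case is the point of this section: Web Services permits HTTP for the Student role, yet HTTP to a switch address is denied because the Layer 3 destination rule of the security service outranks the Layer 4 port rule. The Unregistered cases show the captive-portal pattern, a discard default with DNS/DHCP/ICMP permitted and web traffic redirected.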
Saving and Enforcing Domain
1. Go to the Control > Policy tab and click Open/Manage Domain(s). Select Save Domain from the drop-down list.
2. Enforce policy configuration on the domain member network devices. Policy settings are created
automatically.
ExtremeControl Configuration
The Access Control tab provides support for controlling user connection experience and network access
based on a variety of criteria including authentication, user name, MAC-address, time of day, or location.
LDAP Configuration
This solution uses LDAP together with RADIUS and netlogin to control user access to network resources.
LDAP is an application protocol used for accessing and maintaining distributed directory information.
LDAP can be configured through Extreme Management Center via Control > Access Control > AAA > LDAP Configurations. To display all the necessary LDAP configuration options, the Make Advanced option must be selected from the menu via the AAA dropdown in Extreme Management Center. To do this, right-click on the Default option and select Make Advanced.
Click Add to add a new LDAP configuration. Click Add again to add a new LDAP URL.
Enter the information in the fields as shown below and click Save to finish the configuration:
For redundancy, two LDAP configurations are made. Each entry points to a different third-party LDAP server, also called a Directory System Agent (DSA).
You can use the Test option to verify that the LDAP server is configured correctly and answering the
request. To test an LDAP configuration, select the desired entry, click Edit, and then click Test. The test
might take a few minutes to complete.
Next, configure ExtremeControl to use LDAP to verify user credentials. To accomplish this, you
must create a new authentication rule that sets LDAP as the authentication method. You can add an
authentication rule from Control > AAA > Default by clicking Add in the Authentication Rules section.
The rules for Smart OmniEdge were configured as shown in the following pictures.
• Select LDAP authentication from the available options.
• Select NTLM authentication as the LDAP Authentication method.
• Select the LDAP configuration previously created.
RADIUS Configuration
Two RADIUS servers are configured for redundancy. In case the primary server fails, the second one is
used for authentication. Both servers are connected to the District Office/School 1.
The Timeout and Number of Retries keep their default values. The shared secret must be configured and
must be identical on ExtremeControl and on the RADIUS server. ExtremeControl checks that the
RADIUS server is up at every check interval. Verification is done with a dummy RADIUS request carrying
a username and password; the username may or may not exist on the RADIUS server. ExtremeControl
considers the RADIUS server alive whenever it receives a RADIUS response, either Reject or Accept.
The Health Check parameters can be modified from the Advanced section of the RADIUS configuration
window. The default values are used here.
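The health check described above, as an added example written for this guide rather than taken from ExtremeControl's own implementation: it builds an RFC 2865 Access-Request with a dummy user name and password, sends it with a client-style timeout and retry loop, and counts the server as alive only when an Access-Accept or Access-Reject arrives whose Response Authenticator verifies under the shared secret, so a reply from a mis-keyed or impersonated server is not mistaken for a healthy one. The shared secret, server address and probe credentials are placeholders, and the simulated server reply exists only so the logic can be exercised offline.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: pad to a multiple of 16 bytes
    and XOR each block with MD5(secret + previous block), seeded with the authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_health_check_request(secret, ident, username=b"healthcheck",
                               password=b"probe", authenticator=None):
    """Build the dummy Access-Request; the user need not exist on the server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, _hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Build a server reply (used here only to simulate the RADIUS server).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_response(packet, secret, ident, request_authenticator):
    """Return 'alive' for an authentic Accept or Reject, else the reason the reply was discarded."""
    if len(packet) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return "mismatch"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"  # wrong shared secret or forged reply: not alive
    if code in (ACCESS_ACCEPT, ACCESS_REJECT):
        return "alive"
    return "unexpected-code"


def probe_radius_server(host, secret, port=1812, timeout=3.0, retries=3):
    """Send the probe over UDP, retrying on silence the way a RADIUS client does."""
    ident = os.urandom(1)[0]
    packet, auth = build_health_check_request(secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(1 + retries):
            sock.sendto(packet, (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            return classify_response(data, secret, ident, auth)
    return "timeout"


if __name__ == "__main__":
    # Offline demonstration with a simulated server: a Reject still counts as alive.
    secret = b"example-shared-secret"  # placeholder, not a value from the design
    req, auth = build_health_check_request(secret, ident=42)
    reply = build_response(secret, ACCESS_REJECT, 42, auth)
    print(classify_response(reply, secret, 42, auth))  # alive
```

The check deliberately accepts a Reject: what matters for health is that the server answered and proved knowledge of the shared secret, not whether the probe user exists. A reply that fails the authenticator check is worth alerting on in its own right, since it means either a secret mismatch between client and server or a reply from something other than the configured server.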
To configure a RADIUS server, go to Control > Access Control > Configuration > AAA > RADIUS
Servers and click Add to create a new entry:
Two RADIUS servers are added for redundancy.
ExtremeControl Engine Configuration
Two ExtremeControl engines are connected to District Office in different switches. The use of two engines
assures redundancy. Both ExtremeControl engines are configured identically, and if the primary
ExtremeControl fails the secondary ExtremeControl will take over its attributions without affecting users.
Both engines have authentication and assessment enabled.
To configure ExtremeControl engines, go to Control > Engines > Engine Groups > Default.
Trusted RADIUS Clients Configuration for Network Devices
The network devices are acting as RADIUS clients and are configured to use ExtremeControl as RADIUS
servers. The ExtremeControl engines will accept requests only from trusted clients. To be trusted clients,
devices must be added to the Switches tab.
Go to the Control > Access Control > Engines > Engine Groups > Default > Switches tab and click
Add to add a new client device.
Click Advanced Settings and select SNMP. This setting is necessary for dynamic authorization to work.
The advanced settings are also where the RADIUS Security shared secret and the re-authentication
type are configured.
After all network devices are added, the changes are enforced on both ExtremeControl engines.
Wireless controllers should also be added as ExtremeControl-trusted RADIUS clients. This process is
detailed in the next section.
Access Control Rule Configuration
This solution requires the use of Extreme’s Network Access Control engines, which are configured with 18
unique rules for user authentication and traffic classification. Each rule consists of a name, a set of
conditions, and a set of actions that associates it with an Accept policy. Each Accept policy is mapped to a
role from the Policy tab. Multiple Accept policies can point to the same role. All conditions defined for a
rule must be met; otherwise the rule is not matched.
When ExtremeControl receives an authentication request, all rules are verified in order until one is
matched. When a rule is matched, the existing RADIUS attributes are replaced with the rule’s Accept
policy. The Unregistered rule is placed at the bottom of the access rules list and has a catch-all purpose. It
will be matched by default by all traffic that doesn’t meet all conditions of any of the previous rules.
To create a new rule, go to Control > Access Control > Configuration > Rules and click Add.
After changes are made on the Access Control tab, the configuration must be enforced on the
ExtremeControl engines.
The access control rules configuration for Smart OmniEdge looks like this:
For Faculty and Student access, three rules are created: two for Wired and one for Wireless. Separate
rules are needed because, in the Smart OmniEdge solution, traffic generated by wireless clients is
separated from traffic generated by wired clients, and authentication for wired clients can be done with
802.1x or based on MAC. Users match one of the rules based on authentication method (dot1x or MAC),
group (Faculty or Student), and location. For Wired, the location is generally defined as being from the
Access, whereas the Wireless location is determined by the actual SSID the user is currently connecting
to.
The Printer and VoIP phone roles are created for the printers and VoIP phones connected to the setup,
authenticated by their MAC addresses. They must also be part of the defined Printer/VoIP Phones End-System group.
All guest users authenticated with captive portal will match the Registered Guests rule. All users that will
use their access credentials to authenticate to captive portal are caught by Web Authenticated Users and
are given Guest access.
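The rule semantics described in the two passages above (ordered first-match evaluation, every condition of a rule must hold, Accept policies mapping many-to-one onto roles, and the Unregistered catch-all at the bottom) as an added example in Python. This is illustrative code written for this guide, not ExtremeControl's rule engine, and it models only a subset of the 18 rules: the MAC addresses, End-System group contents and SSID names are constructed placeholders. The `check_rule_order` helper is the check a practitioner would want before enforcing: a catch-all rule anywhere but last silently shadows every rule below it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed End-System groups keyed by MAC address (placeholders, not from the design).
END_SYSTEM_GROUPS = {
    "Printers": {"00:00:5e:00:53:01"},
    "VoIP Phones": {"00:00:5e:00:53:02"},
}
# Constructed SSID names that serve as the wireless "location" condition.
NONADMIN_SSIDS = {"DO/SC1-NonAdmin", "SC2-NonAdmin"}

# Accept policy -> role from the Policy tab. Several policies may point to one role.
ROLE_FOR_POLICY = {
    "Faculty Wired": "Faculty", "Faculty Wireless": "Faculty",
    "Student Wired": "Student", "Student Wireless": "Student",
    "Printer": "Printer", "VoIP Phone": "VoIP Phone",
    "Guest": "Guest", "Unregistered": "Unregistered",
}


@dataclass(frozen=True)
class Request:
    auth_method: str                  # "dot1x", "mac" or "web"
    mac: str
    location: str                     # "Access" for wired, the SSID for wireless
    group: Optional[str] = None       # directory group, when credentials were checked
    web_authenticated: bool = False   # valid credentials entered on the captive portal
    guest_registered: bool = False    # completed guest registration on the captive portal


@dataclass(frozen=True)
class Rule:
    name: str
    accept_policy: str
    conditions: dict   # attribute -> required value or set of allowed values; empty = catch-all


def matches(rule, req):
    """Every condition must hold; one failing condition skips the rule."""
    for attr, wanted in rule.conditions.items():
        if attr == "end_system_group":
            if req.mac not in END_SYSTEM_GROUPS.get(wanted, set()):
                return False
            continue
        actual = getattr(req, attr)
        ok = actual in wanted if isinstance(wanted, (set, frozenset)) else actual == wanted
        if not ok:
            return False
    return True


def evaluate(rules, req):
    """First-match evaluation in list order; returns (rule name, role)."""
    for rule in rules:
        if matches(rule, req):
            return rule.name, ROLE_FOR_POLICY[rule.accept_policy]
    raise LookupError("no rule matched: the rule set lacks a catch-all")


def check_rule_order(rules):
    """True only if exactly one catch-all exists and it is the last rule."""
    catch_alls = [i for i, r in enumerate(rules) if not r.conditions]
    return catch_alls == [len(rules) - 1]


RULES = [
    Rule("Faculty Wired 802.1X", "Faculty Wired",
         {"auth_method": "dot1x", "group": "Faculty", "location": "Access"}),
    Rule("Faculty Wired MAC", "Faculty Wired",
         {"auth_method": "mac", "group": "Faculty", "location": "Access"}),
    Rule("Faculty Wireless", "Faculty Wireless",
         {"auth_method": "dot1x", "group": "Faculty", "location": NONADMIN_SSIDS}),
    Rule("Student Wired 802.1X", "Student Wired",
         {"auth_method": "dot1x", "group": "Student", "location": "Access"}),
    Rule("Student Wired MAC", "Student Wired",
         {"auth_method": "mac", "group": "Student", "location": "Access"}),
    Rule("Student Wireless", "Student Wireless",
         {"auth_method": "dot1x", "group": "Student", "location": NONADMIN_SSIDS}),
    Rule("Printers", "Printer", {"auth_method": "mac", "end_system_group": "Printers"}),
    Rule("VoIP Phones", "VoIP Phone", {"auth_method": "mac", "end_system_group": "VoIP Phones"}),
    Rule("Registered Guests", "Guest", {"guest_registered": True}),
    Rule("Web Authenticated Users", "Guest", {"web_authenticated": True}),
    Rule("Unregistered", "Unregistered", {}),   # catch-all: must stay last
]

if __name__ == "__main__":
    print(check_rule_order(RULES))  # True
    print(evaluate(RULES, Request("dot1x", "00:00:5e:00:53:10", "Access", group="Faculty")))
    print(evaluate(RULES, Request("mac", "00:00:5e:00:53:99", "Access")))  # falls to Unregistered
```

Running the same Faculty request against a list with Unregistered moved to the top returns the Unregistered role, which is exactly the failure mode that rule ordering in the Access Control tab must avoid.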
ExtremeWireless Controller Configuration
This section includes an easily implemented, efficient solution to service wireless users that require
access to the network. The ExtremeWireless User Access uses two wireless controllers and multiple APs
for redundancy. Each wireless controller is connected to a different ExtremeSwitching device at the
District Office/School 1. This provides redundancy, so that if one of the DO-School 1 switches fails the
other switch can assume control.
At all locations, access points are connected to either the ExtremeSwitching bridge port extenders, stack
or standalone switches. This architecture allows a pair of controllers to control many APs, making the
administration and management of large networks much easier and adding a layer of protection for
network availability.
This solution implements two ExtremeWireless Controller virtual appliances, to maximize flexibility, ease
of installation, and support for a wide variety of APs. Extreme's virtual appliances have resiliency built in
from the start. They run as active-active pairs: if one appliance fails, the other appliance can take
over the full load while maintaining AP connectivity. Failover occurs within milliseconds; APs continue
running without interruption to existing or new client connections.
Virtual Wireless Controller Configuration
Before you configure wireless network access, some basic accessibility settings must be made on the
wireless controllers.
The ExtremeWireless appliance can be managed from a console, from a graphical interface, and from
Extreme Management Center. For this Validated Design, only the graphical interface and Extreme
Management Center configurations are presented. After the initial installation, the management IP
address must be configured from the console. For more details on how to configure the virtual wireless
controller from the console, see the GTAC Knowledge documentation.
To access the configuration graphical interface, enter the following address into the browser:
https://<ip_address>:5825
All configurations are executed only on the primary wireless controller; they are automatically mirrored on
the secondary wireless controller.
The NTP server must be configured to ensure that both wireless controllers have the same time. If the
times are not synchronized, an error will be generated, and the pairing will not be completed. For details,
refer to Network Time Protocol (NTP).
Wireless controllers should be added to Extreme Management Center for Policy and ExtremeControl rules
enforcement.
Pairing Configuration
To ensure redundancy, the two wireless controllers must maintain the same configuration. This is
achieved by configuring pairing. To configure pairing, go to Controller > Administration > Availability.
ExtremeWireless Controller 1 (EWC1):
• Enter the IP address of the Secondary Wireless Controller (EWC2).
• The Primary EWC requires that the Primary checkbox be selected.
ExtremeWireless Controller 2 (EWC2):
• Enter the IP address of the Primary Wireless Controller (EWC1).
• The Secondary EWC requires that the Primary checkbox not be selected.
Host Attributes Configurations
The wireless controller’s DNS host name, default gateway, DNS server address(es), and domain name
are configured on the Host Attributes page. The Smart OmniEdge solution uses two DNS servers for
redundancy. The settings must be made on both wireless controllers because they are not
automatically mirrored.
The controller sends the host name query to the first DNS server in the list. If this is not reachable then
the controller sends the host name query to the second DNS server.
The Host Attributes page can be found under Controller > Administration. On both EWC1 and EWC2:
• Configure Host Name and Domain Name.
• Add DNS server IP addresses.
• Assign a Default Gateway IP.
Routing Configuration
The virtual wireless controllers are network devices which must be able to route user traffic to the different
appliances and servers used in the Validated Design (ExtremeControl engines, DHCP, DNS, NTP
servers) as well as to the internet. Also, the wireless controllers have networks directly connected that
must be advertised to the rest of the setup. For the Smart OmniEdge solution, dynamic routing using
OSPF was implemented.
First, the physical 1 interface must be created on both wireless controllers and on the DO-School 1
switches. This interface is the non-admin interface connecting to the setup; each controller is connected to
a different DO-School 1 switch for redundancy. On DO/SC1-Left and DO/SC1-Right, VLAN_0070
was created to connect the wireless controllers to the setup.
1. Create VLAN Interface for EWCs on each District Office/School 1 X690 switch.
Controlling Bridge 1 (note the VLAN tag assigned; a /30 point-to-point IP interface is configured):
create vlan "VLAN_0070"
configure vlan VLAN_0070 tag 70
configure vlan VLAN_0070 description "To EWC1"
configure vlan VLAN_0070 add ports 1:19 tagged
configure vlan VLAN_0070 ipaddress 192.168.70.1 255.255.255.252
enable ipforwarding vlan VLAN_0070
Controlling Bridge 2:
create vlan "VLAN_0070"
configure vlan VLAN_0070 tag 70
configure vlan VLAN_0070 description "To EWC2"
configure vlan VLAN_0070 add ports 1:19 tagged
configure vlan VLAN_0070 ipaddress 192.168.70.5 255.255.255.252
enable ipforwarding vlan VLAN_0070
2. Configure OSPF on created EWC VLANs with simple password authentication
Controlling Bridge 1 (add the interface to area 0.0.0.0 and configure a simple encrypted password):
configure ospf add vlan VLAN_0070 area 0.0.0.0
configure ospf vlan VLAN_0070 authentication encrypted simple-password "#$vmahTN5PuAnn3IAcafb77+rja1ZXKg=="
Controlling Bridge 2:
configure ospf add vlan VLAN_0070 area 0.0.0.0
configure ospf vlan VLAN_0070 authentication encrypted simple-password "#$YRT35jfu6pX6pHH8ifJyEcnP8NN+mQ=="
3. Configure an interface on Wireless Controllers to connect to the Controlling Bridges.
To create the interface on the Wireless appliance, go to Controller > Network and click New.
EWC1:
• Configure the interface name and set the Mode to Physical.
• Configure a /30 point-to-point IP interface in the same subnet as X690 Switch 1.
• Configure the same tag as Controlling Bridge 1.
• Configure the interface to be available for AP Registration and Management Traffic.
EWC2:
• Configure the interface name and set the Mode to Physical.
• Configure a /30 point-to-point IP interface in the same subnet as X690 Switch 1.
• Configure the same tag as Controlling Bridge 1.
• Configure the interface to be available for AP Registration and Management Traffic.
4. Enable OSPF on Wireless Controllers to form adjacency with Controlling Bridges.
To enable OSPF globally and on the physical 1 interface, go to Controller > Network > Routing
Protocols > OSPF.
Set OSPF Status to ON to enable OSPF globally. Use the New button to make the OSPF interface
configuration.
EWC1 and EWC2:
1. Set OSPF Status to On.
2. Select New: a pop-up appears.
3. Change Authentication to Password.
4. Enter the same password as the Controlling Bridges.
5. Select Save.
5. Verify forwarding table on EWCs.
To verify that the OSPF adjacencies were formed and routes are learned, check the forwarding
table. A new browser page will open, and the routing table of the wireless controller is displayed.
Controller > Network > Routing Protocols > View Forwarding Table
Wireless Controller Access Control Configuration
The wireless controllers use the ExtremeControl servers to provide multiple services like authentication,
role-based management for users, CoS marking, access control policies, and captive portal. Because of
the VLAN’s role and policy requirements, the wireless controllers have their own domain.
The wireless controllers will use the ExtremeControl engines as RADIUS servers, and both wireless
controllers need to be added in the Switches list. This can be done from:
Control > Access Control > Engines > Engine Groups > Default > Switches > Add
1. Expand to display the two EWC V2110 appliances and select them.
2. Select from Switch Type: Layer 2 RADIUS Only
3. Select from Primary Engine: IP Primary Engine
4. Select from Secondary Engine: IP Secondary Engine
5. Select from Auth. Access Type: Any Access
6. Select from RADIUS Attributes to Send: Extreme IdentiFi Wireless
7. Select from RADIUS Accounting: Enabled
8. Select from Policy Domain: Wireless Smart OmniEdge
Click Advanced Settings to open Advanced Switch Settings:
1. Configure RADIUS Security Shared Secret.
2. Configure Reauthentication Type: RFC3576 –
Extreme IdentiFi Wireless.
The wireless controllers will use the ExtremeControl engines as RADIUS servers, to authenticate users
connecting to the secured wireless networks and for integration with DHCP.
To define the ExtremeControl engines for DHCP integration, go to VNS > Global > NAC Integration >
New and add both ExtremeControl engines. For the second NAC, the DHCP Receiver Address is configured as:
• NAC Server Name: enac2
• Address for DHCP Traffic: 192.168.106.248
Both ExtremeControl engines are added, for redundancy.
To define the ExtremeControl engines as RADIUS servers, go to
VNS > Global > Authentication > RADIUS Servers > New
Both ExtremeControl engines are added, for redundancy. For the second NAC, the RADIUS server is configured as:
• NAC Server Name: NAC_2
• Hostname/IP: 192.168.106.248
Captive Portal Configuration
Captive portal is used by the wireless users connecting to the network as guests.
Captive portal must be configured on the ExtremeControl engines. The <Default> captive portal profile is
used for the Smart OmniEdge Validated Design and requires minimum configuration from the Extreme
Management Center Control tab.
Control > Access Control > Configuration > Captive Portals
Guest Web Access and Authenticated Web Access were selected. The default settings were used for
the rest of the parameters. Enforce configuration on the ExtremeControl engines for the settings to take
effect.
Control > Access Control > Configuration > Captive Portals > Website Configuration
Select: Guest Settings | Guest Web Access
Select: Authentication Settings | Authenticated Web Access
Wireless AP Discovery
Ensure that the appropriate services on your enterprise network are prepared to support the discovery
process. To use a DHCP server for wireless AP discovery, ensure that it supports option 78 (DHCP for SLP,
RFC 2610). The APs use this method to discover the controller, and option 78 must be set for the subnets
connected to the ports of the controller and the subnets connected to the APs.
Below is an example of how this might be configured in Windows Server 2008.
To configure DHCP option 78 on the DHCP server, right-click on the Scope Options for the scope meant
to service the APs and select Configure Options. Select option 78 and configure the IP addresses of
both wireless controllers. Besides redundancy this also ensures load balancing between the two
appliances. The first value introduced must be 1. This value announces that the following fields represent
IP addresses for wireless controllers. Use the New Value box to enter the addresses, byte by byte. For
the Smart OmniEdge solution the physical 1 interface is used for AP connection.
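The byte-by-byte option 78 value described above, as an added example written for this guide (it is not code from Extreme or Microsoft): it encodes the RFC 2610 SLP Directory Agent option for two controllers, decodes and validates it, lists the decimal values that would be typed into the Windows "New Value" box, and locates the option inside a DHCP options area. RFC 2610 defines the leading octet as the Mandatory flag, which is the value 1 the text asks for. The controller addresses 192.168.70.2 and 192.168.70.6 are constructed for the example (the design only states that the controllers sit in the /30 subnets of their controlling bridges).

```python
import ipaddress

OPTION_SLP_DA = 78  # SLP Directory Agent option, RFC 2610 section 3


def encode_option78(controllers, mandatory=1):
    """Encode option 78 as code, length, the Mandatory flag octet, then one IPv4 address
    per controller. The AP treats each listed address as a controller to try."""
    body = bytes([mandatory])
    for addr in controllers:
        body += ipaddress.IPv4Address(addr).packed
    if len(body) > 255:
        raise ValueError("option body exceeds the 255-byte DHCP option limit")
    return bytes([OPTION_SLP_DA, len(body)]) + body


def decode_option78(option):
    """Parse a single option 78 TLV and return (flag, [controller addresses]).
    Rejects anything whose length is not 1 flag octet plus a whole number of IPv4 addresses."""
    if len(option) < 2 or option[0] != OPTION_SLP_DA:
        raise ValueError("not an option 78 TLV")
    length = option[1]
    body = option[2:2 + length]
    if len(body) != length or length < 5 or (length - 1) % 4:
        raise ValueError("malformed option 78: length must be 1 + 4n with n >= 1")
    flag = body[0]
    addrs = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(1, length, 4)]
    return flag, addrs


def windows_byte_values(controllers, mandatory=1):
    """The decimal values entered one at a time in the Windows DHCP 'New Value' box:
    the data portion only, because the server adds the option code and length itself."""
    return list(encode_option78(controllers, mandatory)[2:])


def find_option78(options):
    """Walk a DHCP options area (the bytes after the magic cookie) and return the
    option 78 TLV, or None if it is absent. Handles pad (0) and end (255) correctly."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:       # pad octet has no length field
            i += 1
            continue
        if code == 255:     # end of options
            return None
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if code == OPTION_SLP_DA:
            return options[i:i + 2 + length]
        i += 2 + length
    return None


if __name__ == "__main__":
    # Constructed controller addresses; the values below are what the Windows UI would hold.
    ewcs = ["192.168.70.2", "192.168.70.6"]
    print(windows_byte_values(ewcs))          # [1, 192, 168, 70, 2, 192, 168, 70, 6]
    print(decode_option78(encode_option78(ewcs)))
```

Listing both controllers in one option is what gives the AP a second target if the first does not answer; the decoder's length check matters because a value entered one byte short in the UI produces an option that some clients will ignore silently, which shows up only as APs that never register.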
The AP does not use the DNS information from the initial DHCP offer supplied from the DHCP server.
After the IP setup stage, the AP decides whether to use the static controller IP or start its discovery
methods. If SLP/DNS/VCI discovery is started, the AP sends periodic DHCP informs to get more data to
complete its boot discovery methods. If the DHCP server does not reply to the inform, the process to
contact the controller will fail and start over.
Wireless AP Registration
When the discovery process is successful, the AP registers with the wireless controller. At this point the
controller can be configured with one of the following security modes, which defines how the controller
behaves when registering new/unknown devices:
• Allow all Wireless APs to connect: If the controller does not recognize the registering serial number, a
new registration record is automatically created for the AP and receives a default configuration. If the
controller recognizes the serial number, it indicates that the registering device is pre-registered with the
controller and uses the existing registration record to authenticate the AP and the existing configuration
record to configure the AP.
• Allow only approved Wireless APs to connect (secure mode): If the controller does not recognize the AP,
the AP's registration record is created in pending state and the administrator is required to manually
approve a pending AP for it to provide active service. The pending AP receives minimum configuration
only, which allows it to maintain an active link with the controller for future state change.
AP > Global > Registration
To verify the AP availability, go to Reports > APs > AP Availability
Wireless Network Configuration
For a wireless network to become accessible to users, configurations must be created in the following
sections: Topologies, Roles, WLAN Services, Virtual Networks and Sites. There is a dependency
between the sections and a configuration order must be followed.
1. Configure the topologies
• Can be Bridged@AP or Bridged@Controller. The VID used for the topologies must match the VID
configured on the switches.
2. Enforce Policy configuration with NAC
• Verify all Roles and associated policies were created.
3. Create WLANs
• Maps topology to an SSID; the SSID is seen by the user.
4. Create sites
• Sites are used to group the APs based on their physical location. Add APs to sites and assign the
WLAN services they will advertise.
5. Create VNS
• Connects WLANs to Roles; defines wireless network access type and authentication.
1. Topology Configuration
In this section, the physical access provisioning for the user access is created. Every topology is
essentially a VLAN. To add a new topology, go to VNS > Topologies and click New.
For the topologies that wireless users will use to connect to the network, one of two modes must be
selected: Bridge Traffic Locally at EWC or Bridge Traffic locally at AP. The topology mode dictates
how the traffic from the clients is going to be treated.
Bridge Traffic Locally at EWC – Users connecting to the wireless network send their traffic to the AP.
The AP encapsulates the traffic and tunnels it to the controller. The controller de-encapsulates the
traffic, processes it, and sends it to the network over the physical 1 interface in the user access VLAN.
Bridge Traffic locally at AP – Users connecting to the wireless network send their traffic to the AP. The
AP sends the traffic to the network over its management port in the user access VLAN.
In the Smart OmniEdge solution, guest and authenticated wireless user access is possible from all
schools. All Guest users are provisioned with a vlan Bridged@Controller and are placed in the same
network. All authenticated users are provisioned with Bridged@AP vlans and are placed in different
subnets, based on the school they are connected to.
The following user access topologies were configured for the solution:
Administrator Topology
Used by Administrator users connecting to the network and
given the Administrator role. This topology corresponds to
vlan Admin with vid 1600 and is configured on all switches.
A different subnet is used, based on the location. The
routing is done on the switch the AP is connected to.
The Administrator topology is configured as:
• Name: Administrator
• Mode: Bridge Traffic Locally at AP
• VLAN ID: 1600 Tagged
Guest Topology
Used by Guest users connecting to the network and given
the Guest role. Access control is performed by the wireless
controllers. User traffic is routed to the ExtremeWireless
controllers and not forwarded at the switch. The Guest
Wireless VLAN vid 1901 is only configured on DO/School1-Left and DO/School1-Right.
The Guest topology is configured as:
• Name: Guest
• Mode: Bridge Traffic Locally at EWC
• VLAN ID: 1901 Tagged
NonAdmin Topology
Used by NonAdmin users connecting to the network and
given the Student or Faculty role. This topology corresponds
to vlan Wireless NonAdmin with a vid of 1800 and is
configured on all switches. A different subnet is used, based
on the location. The routing is done on the switch the AP is
connected to.
The NonAdmin topology is configured as:
• Name: NonAdmin
• Mode: Bridge Traffic Locally at AP
• VLAN ID: 1800 Tagged
2. Role Verification
The roles are used for Access Control and will be enforced when ExtremeControl is configured. The
Wireless Smart OmniEdge domain contains the roles and services enforced on the wireless controllers.
To verify the settings from Extreme Management Center after Policy Enforce completion, go to VNS >
Roles and click on each role for detailed configuration.
The following roles are used in the solution:
Administrator Role
This role is applied to the Administrator users connecting to
the network. This role is assigned to users authenticated as
Faculty. The access control is set to contain traffic to
Administrator topology and to mark traffic with CoS priority 5.
Configure in the following manner:
• Role Name: Administrator
• Access Control: Containment VLAN
• VLAN: admin(1600)
• Default CoS: Network Management
Deny Access Role
This role is assigned to users who fail authentication. All
traffic is filtered, except for the traffic explicitly allowed by
the policy rules.
Configure in the following manner:
• Role Name: Deny Access
• Access Control: Deny
• Default CoS: No Change
Some traffic must be allowed, by the Deny Access rule, to permit Guest captive portal users to connect to
the network. The services allowed for this role are defined in the Policy Rules section. All traffic, except for
the traffic explicitly allowed by the policy rules, is filtered.
Faculty Role
This role is assigned to users authenticated as Faculty. The
access control is set to contain traffic to NonAdmin topology
and to mark traffic with CoS priority 2.
Configure in the following manner:
• Role Name: Faculty
• Access Control: Containment VLAN
• VLAN: NonAdmin(1800)
• Default CoS: Bulk Data
Student Role
This role is assigned to users authenticated as Student. The
access control is set to contain traffic to NonAdmin topology
and to mark traffic with CoS priority 1.
Configure in the following manner:
• Role Name: Student
• Access Control: Containment VLAN
• VLAN: NonAdmin(1800)
• Default CoS: Best Effort
Guest Access Role
This role is assigned to users connecting to the network as
Guests through captive portal. The access control is set to
contain traffic to the Guest topology, and traffic is marked with
CoS priority 0.
Configure in the following manner:
• Role Name: Guest Access
• Access Control: Containment VLAN
• VLAN: Guest(1901)
• Default CoS: Scavenger
Unregistered Role
This is the initial role allocated by default to all wireless
users. Users can move from this role to Administrator,
Faculty or Student roles through 802.1X authentication, to
Guest role through captive portal, or to Deny Access if
authentication fails. A set of policies are configured to allow
a user connecting to the network to obtain an IP address, to
reach the DNS server, and to access the captive portal.
Configure in the following manner:
• Role Name: Unregistered
• Access Control: Deny
• Default CoS: No Change
3. WLAN Services Configuration
The RF configuration, authentication settings, and QoS attributes for a wireless network can be
managed under a WLAN service. For the Smart OmniEdge, each school provisions two WLANS
identified by two SSIDs, one for Guest access and one for Administrator and NonAdmin access. The
Guest SSIDs are set to disable authentication mode, which uses the captive portal registration through
policies enforced from Extreme Management Center, and the NonAdmin SSIDs are configured for
802.1X authentication.
To add a new WLAN service, go to VNS > WLAN Services and click New.
The following WLAN services were configured for District Office/School 1. The WLAN services for
Schools 2, 3, and 4 follow the same pattern.
DO/SC1-Guest
This WLAN binds the DO/SC1-Guest SSID to the Guest
topology and is intended to be used by Guest users
connecting to the network. No privacy is provided, and
access is through captive portal.
Configure in the following manner:
• Name: DO/SC1-Guest
• SSID: DO/SC1-Guest
• Default Topology: Guest(1901)
• Default CoS: Best Effort
Guest Access uses the captive portal, through policies enforced from Extreme Management Center, to
initially register the device that is used to connect to the network.
The Auth&Acct tab is configured in the following manner:
• Authentication mode: disabled
• Enable MAC-based authentication checkbox
• Enable RADIUS Accounting checkbox
• Add NAC_1 & NAC_2 for MAC-based
• Add NAC_1 & NAC_2 for Accounting
DO/SC1-NonAdmin
This WLAN binds the DO/SC1-NonAdmin SSID to the
NonAdmin topology.
Configure in the following manner:
• Name: DO/SC1-NonAdmin
• SSID: DO/SC1-NonAdmin
• Default Topology: NonAdmin(1800)
• Default CoS: No CoS
WPA privacy is configured for this SSID.
Configure in the following manner:
• Select WPA radio button
• Select WPA v.2 checkbox
• Encryption: AES Only
802.1X authentication is configured for the DO/SC1-NonAdmin SSID. The two NAC engines are configured as
RADIUS servers.
Configure in the following manner:
• Select 802.1x authentication mode
• Select no HTTP Redirection
• Select RADIUS Accounting checkbox
• Add NAC_1 & NAC_2 for Authentication
• Add NAC_1 & NAC_2 for Accounting
Vendor-specific attributes (VSAs) can be used to customize Access Control rules (for example, the SSID or AP
information can be sent in a TLV and used to match the location of a wireless client trying to
authenticate). To configure the wireless controller to send VSAs in the RADIUS packet, edit the
RADIUS TLVs.
4. Site Configuration
A site provides a way to group Roles, WLANs, and APs under one logical entity for easier management. For the Smart OmniEdge solution, four sites were created based on location. To create a new site, go to VNS → Sites and click New.
The DO-School 1 site was configured as below. School 2 through School 4 sites were configured the same way.
All roles are selected to be downloaded to the APs connected to DO-School 1.
Configure in the following manner:
• Site Name: DO-School 1
• Select all checkboxes: Roles to download to member APs
• Uncheck Local RADIUS Authentication checkbox
On the AP Assignments tab all APs physically connected to DO-School 1 are selected. These APs have the same role and WLAN settings.
Configure in the following manner:
• Select checkboxes of desired APs
On the WLAN Assignments tab, select the WLAN services that are supposed to be accessible from DO-School 1. This selection also enables the APs selected on the AP Assignments tab to advertise these WLANs.
Configure in the following manner:
• Select AP Radio Checkboxes
• Select AP Port Checkboxes
5. Virtual Network Configuration
The virtual network configuration binds together the WLANs and the roles for access control. The configuration elements of a VNS have conceptually hierarchical dependencies, and for service activation all the pieces need to be in place, or defined during VNS configuration.
To create a new VNS entry, go to VNS → Virtual Networks and click New.
The following virtual networks are configured for DO-School 1. For School 2 through School 4 the
virtual networks are defined in the same way.
DO/SC1-Guest-WiFi
This VNS is bound to the DO/SC1-Guest WLAN. The default role for non-authenticated users is Unregistered. After users connect to captive portal, they are considered authenticated and the Guest Access role is assigned to them.
Configure in the following manner:
• VNS Name: DO/SC1-Guest-Wifi
• WLAN Service: DO/SC1-Guest
• Non-Authenticated: Unregistered
• Authenticated: Guest Access
• Enable Checkbox Checked
DO/SC1-NonAdmin-WiFi
This VNS is bound to the DO/SC1-NonAdmin WLAN. The default role for non-authenticated users is Unregistered. After authentication, a role is assigned by NAC; access control is done on the switch because the topology is bridged@AP.
Configure in the following manner:
• VNS Name: DO/SC1-NonAdmin-Wifi
• WLAN Service: DO/SC1-NonAdmin
• Non-Authenticated: Unregistered
• Authenticated: Same as non-auth
• Enable Checkbox Checked
ExtremeAnalytics
ExtremeAnalytics will be configured to provide detailed flow information for the entire school district. Refer to the flowchart below:
1. Add Analytics Engine to Extreme Management Center – Refer to the Extreme Management Center Configuration section.
2. Configure Application Telemetry Sources – Configured on all CBs. Configures a mirror named EAN on all CBs; the mirror source is the switch's loopback address and the destination is the ExtremeAnalytics Engine IP address. An ingress and an egress telemetry policy file are created and applied as access lists. sFlow is enabled and configured on all ports.
3. Configure NetFlow on EWC – Configured on ExtremeWireless Controllers to send NetFlow/IPFIX information to the ExtremeAnalytics Engine.
4. Configure Flow Locations for ExtremeAnalytics – Configure locations and networks to collect analytics on and send to the ExtremeAnalytics Engine.
5. Enforce Analytics Engine.
Flow collection on the extended edge is done on the Controlling Bridges and forwarded to an ExtremeAnalytics engine. All access ExtremeSwitching hardware has the capability to utilize the ExtremeAnalytics Application Telemetry feature. However, due to the use of policy, captive portal, and application telemetry, certain ExtremeSwitching hardware may not be capable of deploying all features simultaneously. Careful consideration must be given to determine that the appropriate hardware is selected. In scenarios where not enough resources are available, the upstream ExtremeSwitching switch can collect aggregated flow information for north-south traffic only. With BPEs, north-south and east-west flow information can be collected at the upstream ExtremeSwitching hardware. Refer to product documentation to determine the hardware capabilities of ExtremeSwitching switches.
Note
Due to hardware resource limitations ExtremeSwitching X440G2 will not support ExtremeAnalytics and wired
captive portal simultaneously. Wireless captive portal is unaffected by these limitations. Consider another
ExtremeSwitching edge solution to run both features simultaneously.
ExtremeAnalytics Application Telemetry Configuration
In this section, add ExtremeSwitching switches as Mirror Sources for sending the flow information to the ExtremeAnalytics Engine. Go to the following location and set the flow selection type to App Telemetry.
Analytics → Configuration → Engines → K-12 BR Analytics → Configuration
Next, each X690 District Office switch will be added as a mirror source, utilizing the switch's loopback address as the source IP. The destination of the mirror will be the ExtremeAnalytics Engine. For ExtremeSwitching standalone or stack deployments, flow collection will either be handled locally or north-south only flows can be aggregated at the upstream switches. The determining factor is whether the hardware selected has the necessary resources to deploy policy, captive portal, and application telemetry simultaneously.
Analytics → Configuration → Engines → K-12 BR Analytics → Configuration → Application Telemetry Sources → Add
Select All Devices → DO/SC1-Left → Click OK
Verify that Source IP address is the switch’s loopback address.
Depending on port density, this process can take several minutes.
After adding all X690/X590 switches in the school district, six Application Telemetry Sources should be
configured. Final output should look something like this:
ExtremeAnalytics NetFlow Configuration
ExtremeAnalytics can also be configured for the ExtremeWireless controllers. In this case NetFlow is used; to support both Application Telemetry and NetFlow simultaneously, Flow Collection Type is changed to Both.
Analytics → Configuration → Engines → K-12 BR Analytics → Configuration
After changing the Flow Sources, a dialog box should open within the Access Control Integration pane. Select Add.
Analytics → Configuration → Engines → K-12 BR Analytics → Configuration → Flow Sources → Add
Under Flow Source, click the ellipsis (…). Then navigate to My Network → All Devices → WC1 and click OK.
Select all of the WLANs and click OK. Notice that if a controller is paired to another controller it will
perform the configuration in one step. You will not need to perform this step for the second controller.
Once controllers are added, the Access Control Integration | Flow Sources pane should look like this.
ExtremeAnalytics Location Configuration
Finally, you need to select exactly which networks you want to collect flow information for. This can be quite broad or narrow depending on the school district's requirements.
The first step is to select a location. This is just a label and there is no requirement that it be a role. You can define this as you wish. In this example, it is simply identified as K-12 Faculty.
Analytics → Configuration → Locations
Add the subnets that flow collection should monitor.
Analytics → Configuration → Locations → Highlight Created Location → Right Click → Add Address
After locations and subnets are added, you will have something that resembles the example below. In this example, locations are based on roles; the user could instead have created locations based on physical locations. The important thing to remember is that a location is just a group of subnets, not an actual physical location.
ExtremeAnalytics Verification
If everything was configured correctly, ExtremeAnalytics will begin collecting information. The polling interval is every five minutes. Be sure to give the dashboard enough time to begin populating information.
Analytics → Dashboard, then select Insights from the pull-down.
Even though the dashboard might not yet be showing information, the Application Flows window should begin to collect information. You can change the polling interval if you want to see updates in real time.
Analytics → Application Flows
From the switch CLI, you can observe the App Telemetry mirror using the show mirror command.
Controlling Bridges
VPEX x690-DO/SC1-Right.8 # show mirror
DefaultMirror                (Disabled)
    Description:             Default Mirror Instance, created automatically
Mirror to port: EAN          (Enabled)
    Description:
    Mirror to remote IP: 192.168.109.252
    From IP            : 192.168.200.2
    Status             : Up
    VR                 : VR-Default
    Ping check: On
Mirrors defined:          2
Mirrors enabled:          1 (Maximum 4)
HW filter instances used: 0 (Maximum 128)
HW mirror instances used: 0 ingress, 0 egress (Maximum 4 total, 2 egress)
• Tunnel EAN is enabled.
• Mirror to Remote IP = Analytic Engine IP
• From IP = Loopback address of the switch
• Status = Up
Below is an example of what the sFlow configuration might look like. Issue show conf etmon and show conf | include mirror to display the sFlow and ERSPAN configuration.
Controlling Bridges
configure sflow poll-interval 60
enable sflow
configure sflow collector 192.168.109.252 port 6343 vr "VR-Default"
configure sflow agent ipaddress 192.168.200.2
enable sflow ports 1:1 ingress
enable sflow ports 1:2 ingress
enable sflow ports 1:3 ingress
enable sflow ports 1:4 ingress
enable sflow ports 1:5 ingress
…
enable sflow ports 110:22 ingress
enable sflow ports 110:23 ingress
enable sflow ports 110:24 ingress
enable sflow ports 110:25 ingress
enable sflow ports 110:26 ingress
create mirror "EAN"
configure mirror EAN to remote-ip 192.168.109.252 from 192.168.200.1
enable mirror EAN
When sFlow App Telemetry is configured in Extreme Management Center, two ACLs are configured and applied. Issue show config acl and verify that the two access-lists are applied. You can also verify the access-lists by issuing ls at the prompt, which lists the files present.
Controlling Bridges
configure access-list telemetry any ingress
configure access-list telemetryegress any egress
-rw-r--r--    1 admin    admin    33450 Jun  1 12:25 telemetry.pol
-rw-r--r--    1 admin    admin      128 Jun  1 12:25 telemetryegress.pol
The user can also SSH into the ExtremeAnalytics appliance and verify that sFlow and GRE packets are being sent to the Analytics Engine. You should see both sFlow and GRE packets arriving from all configured sFlow sources.
ExtremeAnalytics Appliance
root@EA.k12.edu:~$ tcpdump -i eth0 proto gre -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:47:48.041661 IP 192.168.200.1 > 192.168.109.252: GREv0, length 64: gre-proto-0x88be
root@EA.k12.edu:~$ tcpdump -i eth0 port 6343 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:49:10.516064 IP 192.168.109.2.56596 > 192.168.109.252.6343: sFlowv5, IPv4 agent
192.168.200.1, agent-id 0, length 1276
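The tcpdump check above only shows that sFlow datagrams arrive; the following added example (not part of the Extreme design or its tooling) decodes the sFlow v5 datagram header the way the collector does, verifies that the agent address is one of the CB loopbacks configured with configure sflow agent ipaddress, and flags sequence-number gaps that indicate lost datagrams or an agent restart. The expected agent list and the sample datagrams are constructed for this example.

```python
"""Added example: sFlow v5 datagram header check for the ExtremeAnalytics collector.
Expected agents (constructed for this example) are the CB loopbacks 192.168.200.1
and 192.168.200.2; anything else is reported as an unexpected telemetry source."""
import ipaddress
import struct
from typing import Dict, List, Tuple, Union

SFLOW_V5 = 5
ADDR_IPV4 = 1   # sFlow v5 address_type enumeration
ADDR_IPV6 = 2
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_sflow_header(payload: bytes) -> dict:
    """Decode the XDR header: version, typed agent address, sub-agent id,
    sequence number, switch uptime (ms) and number of sample records."""
    if len(payload) < 8:
        raise ValueError("datagram too short for an sFlow header")
    version, addr_type = struct.unpack_from("!II", payload, 0)
    if version != SFLOW_V5:
        raise ValueError(f"unsupported sFlow version {version}")
    off = 8
    if addr_type == ADDR_IPV4:
        agent: IPAddr = ipaddress.IPv4Address(payload[off:off + 4])
        off += 4
    elif addr_type == ADDR_IPV6:
        agent = ipaddress.IPv6Address(payload[off:off + 16])
        off += 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    if len(payload) < off + 16:
        raise ValueError("datagram truncated after agent address")
    sub_agent, seq, uptime_ms, nsamples = struct.unpack_from("!IIII", payload, off)
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": nsamples}


class SflowMonitor:
    """Track datagrams per (agent, sub-agent) and report anomalies."""

    def __init__(self, expected_agents):
        self.expected = {ipaddress.ip_address(a) for a in expected_agents}
        self.last_seq: Dict[Tuple[IPAddr, int], int] = {}

    def observe(self, payload: bytes) -> List[str]:
        """Return a list of findings for one datagram (empty = nothing wrong)."""
        hdr = parse_sflow_header(payload)
        findings: List[str] = []
        if hdr["agent"] not in self.expected:
            findings.append(f"unexpected agent {hdr['agent']} (not a configured CB loopback)")
        key = (hdr["agent"], hdr["sub_agent"])
        prev = self.last_seq.get(key)
        if prev is not None:
            want = (prev + 1) & 0xFFFFFFFF          # sequence numbers wrap at 2^32
            if hdr["sequence"] != want:
                findings.append(f"sequence gap from {hdr['agent']}: expected {want}, "
                                f"got {hdr['sequence']} (lost datagrams or agent restart)")
        self.last_seq[key] = hdr["sequence"]
        return findings

    def missing_agents(self) -> List[IPAddr]:
        """Expected agents from which nothing has been received yet."""
        seen = {agent for agent, _ in self.last_seq}
        return sorted(self.expected - seen, key=str)


def build_sflow_header(agent: str, seq: int, sub_agent: int = 0,
                       uptime_ms: int = 0, nsamples: int = 0) -> bytes:
    """Constructed IPv4 sFlow v5 header (no sample records) for offline use."""
    return struct.pack("!II4sIIII", SFLOW_V5, ADDR_IPV4,
                       ipaddress.IPv4Address(agent).packed,
                       sub_agent, seq, uptime_ms, nsamples)


if __name__ == "__main__":
    # Constructed traffic: a healthy CB, a gap, then a source that is not a CB loopback
    mon = SflowMonitor(["192.168.200.1", "192.168.200.2"])
    for pkt in (build_sflow_header("192.168.200.1", 100, nsamples=4),
                build_sflow_header("192.168.200.1", 101, nsamples=4),
                build_sflow_header("192.168.200.1", 105),
                build_sflow_header("10.0.0.9", 1)):
        print(mon.observe(pkt) or "ok")
    print("silent agents:", [str(a) for a in mon.missing_agents()])
```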
NetFlow configuration can be verified from the ExtremeWireless Controller graphical user interface. Within the wireless controller navigate to VNS → Global → Netflow/MirrorN.
Verify that the NetFlow Export-Destination IP Address is set to the ExtremeAnalytics Engine.
The user can also SSH into the ExtremeAnalytics appliance and verify that IPFIX packets are being sent to the Analytics Engine from the wireless controllers.
ExtremeAnalytics Appliance
root@EA.k12.edu:~$ tcpdump -i eth0 port 2095 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:38:05.144505 IP 192.168.70.2.2095 > 192.168.109.252.2095: UDP, length 1180
11:38:28.967082 IP 192.168.70.6.2095 > 192.168.109.252.2095: UDP, length 388
Remote Site Connectivity via MAN
In this section, VLAN interfaces will be configured to connect the District Office/School 1 to the other three
schools. Since the other schools are not configured at this time, this section is a preparation for
connectivity to the other schools. After the other schools are configured, these VLAN interfaces with
protocols will become fully operational.
Remote Site Connectivity Configuration
Each Controlling Bridge, in the District Office, will have a single port which will connect to a MAN with
connectivity to all schools. Each port will have five point-to-point VLAN interfaces configured. The
connectivity between the DO/SC1 and all schools will be fully meshed within the simulated WAN cloud.
This configuration offers full redundancy for all schools to the DO/SC1.
1. Configure five VLANs for the remote schools.
Refer to the VLAN names labeled for Remote Site Connectivity for VLAN names in the VLAN Subnet
Matrix above. All port assignments will be tagged.
Controlling Bridge 1
create vlan "VLAN_0101"
configure vlan VLAN_0101 description "To SC2 Left"
configure vlan VLAN_0101 tag 101
configure vlan VLAN_0101 add ports 1:57 tagged
create vlan "VLAN_0102"
configure vlan VLAN_0102 description "To SC3 Left"
configure vlan VLAN_0102 tag 102
configure vlan VLAN_0102 add ports 1:57 tagged
create vlan "VLAN_0103"
configure vlan VLAN_0103 description "To SC4"
configure vlan VLAN_0103 tag 103
configure vlan VLAN_0103 add ports 1:57 tagged
create vlan "VLAN_0104"
configure vlan VLAN_0104 description "To SC2 Right"
configure vlan VLAN_0104 tag 104
configure vlan VLAN_0104 add ports 1:57 tagged
create vlan "VLAN_0105"
configure vlan VLAN_0105 description "To SC3 Right"
configure vlan VLAN_0105 tag 105
configure vlan VLAN_0105 add ports 1:57 tagged
Controlling Bridge 2
create vlan "VLAN_0201"
configure vlan VLAN_0201 description "To SC2 Right"
configure vlan VLAN_0201 tag 201
configure vlan VLAN_0201 add ports 1:57 tagged
create vlan "VLAN_0202"
configure vlan VLAN_0202 description "To SC3 Right"
configure vlan VLAN_0202 tag 202
configure vlan VLAN_0202 add ports 1:57 tagged
create vlan "VLAN_0203"
configure vlan VLAN_0203 description "To SC4"
configure vlan VLAN_0203 tag 203
configure vlan VLAN_0203 add ports 1:57 tagged
create vlan "VLAN_0204"
configure vlan VLAN_0204 description "To SC2 Left"
configure vlan VLAN_0204 tag 204
configure vlan VLAN_0204 add ports 1:57 tagged
create vlan "VLAN_0205"
configure vlan VLAN_0205 description "To SC3 Left"
configure vlan VLAN_0205 tag 205
configure vlan VLAN_0205 add ports 1:57 tagged
2. Configure ten point-to-point interfaces for the remote schools.
Refer to the subnets labeled for Remote Site Connectivity in the VLAN Subnet Matrix above. All interfaces are configured as point-to-point interfaces with /30 subnets.
Controlling Bridge 1
configure vlan VLAN_0101 ipaddress 192.168.101.1 255.255.255.252
configure vlan VLAN_0102 ipaddress 192.168.101.5 255.255.255.252
configure vlan VLAN_0103 ipaddress 192.168.101.9 255.255.255.252
configure vlan VLAN_0104 ipaddress 192.168.101.13 255.255.255.252
configure vlan VLAN_0105 ipaddress 192.168.101.17 255.255.255.252
enable ipforwarding vlan VLAN_0101
enable ipforwarding vlan VLAN_0102
enable ipforwarding vlan VLAN_0103
enable ipforwarding vlan VLAN_0104
enable ipforwarding vlan VLAN_0105
Controlling Bridge 2
configure vlan VLAN_0201 ipaddress 192.168.201.1 255.255.255.252
configure vlan VLAN_0202 ipaddress 192.168.201.5 255.255.255.252
configure vlan VLAN_0203 ipaddress 192.168.201.9 255.255.255.252
configure vlan VLAN_0204 ipaddress 192.168.201.13 255.255.255.252
configure vlan VLAN_0205 ipaddress 192.168.201.17 255.255.255.252
enable ipforwarding vlan VLAN_0201
enable ipforwarding vlan VLAN_0202
enable ipforwarding vlan VLAN_0203
enable ipforwarding vlan VLAN_0204
enable ipforwarding vlan VLAN_0205
3. Configure five OSPF instances for the remote schools.
OSPF is used to distribute the routes from all subnets district wide. Every VLAN at each location should be advertised over these links. User access VLANs will be distributed as directly connected routes. The base OSPF configuration was executed earlier in this document.
Controlling Bridge 1
configure ospf add vlan VLAN_0101 area 0.0.0.0
configure ospf vlan VLAN_0101 authentication encrypted md5 101
"#$Gu149gIf1AYT3OwKOnDZtmS4px1XgA=="
configure ospf add vlan VLAN_0102 area 0.0.0.0
configure ospf vlan VLAN_0102 authentication encrypted md5 102
"#$g0hMgvchaO3hswaAYVwljm8tzZex3Q=="
configure ospf add vlan VLAN_0103 area 0.0.0.0
configure ospf vlan VLAN_0103 authentication encrypted md5 103
"#$wFxZ3OrhRTV1BSrMOkBmEKK7LtOl+A=="
configure ospf add vlan VLAN_0104 area 0.0.0.0
configure ospf vlan VLAN_0104 cost 10
configure ospf vlan VLAN_0104 authentication encrypted md5 104
"#$KctAhEoGGuGlz5nHfwf6c3h43MPTfQ=="
configure ospf add vlan VLAN_0105 area 0.0.0.0
configure ospf vlan VLAN_0105 cost 10
configure ospf vlan VLAN_0105 authentication encrypted md5 105
"#$TEXUCLXZYQxSpV3ckjeVUaGgKX0sNw=="
Extreme Smart OmniEdge for Primary/Seconda ry Education
9035597-01
154
Validated Designs – Infrastructure & Topology
Controlling Bridge 2
configure ospf add vlan VLAN_0201 area 0.0.0.0
configure ospf vlan VLAN_0201 authentication encrypted md5 201
"#$LaCI0HVIisZwGc6nHkVc/Hd/XZLlfA=="
configure ospf add vlan VLAN_0202 area 0.0.0.0
configure ospf vlan VLAN_0202 authentication encrypted md5 202
"#$0Brc80HYFwOxrW+m6qd2ZxOC2SvYxw=="
configure ospf add vlan VLAN_0203 area 0.0.0.0
configure ospf vlan VLAN_0203 authentication encrypted md5 203
"#$YzEfeBqJUkiBoVCplQPoII235wocEQ=="
configure ospf add vlan VLAN_0204 area 0.0.0.0
configure ospf vlan VLAN_0204 cost 10
configure ospf vlan VLAN_0204 authentication encrypted md5 204
"#$Ebe2LNvTfKsRuEZpWm2DDZFai3jeyg=="
configure ospf add vlan VLAN_0205 area 0.0.0.0
configure ospf vlan VLAN_0205 cost 10
configure ospf vlan VLAN_0205 authentication encrypted md5 205
"#$CPvdZXYXy4VzXrOu19rPOaShHzlJoQ=="
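Steps 1 through 3 above are a fixed pattern per link (VLAN, /30 interface, OSPF instance), which makes them easy to generate and to sanity-check before they are pushed to a Controlling Bridge. The following added example (not part of the Extreme design) renders those commands from a small link plan for Controlling Bridge 1 and validates it: each address must be a usable host in its /30, and tags and subnets must not collide. The P2PLink fields are assumptions; the MD5 key is left as a placeholder because the encrypted value shown above is generated by the switch.

```python
"""Added example: render and validate the remote-site link plan for one CB.
Command templates follow the configuration shown above; <MD5-KEY> is a placeholder."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

MASK_30 = "255.255.255.252"


@dataclass(frozen=True)
class P2PLink:
    vlan: str                   # VLAN name, e.g. VLAN_0101
    tag: int                    # 802.1Q tag; the design also uses it as the OSPF key id
    description: str            # e.g. "To SC2 Left"
    port: str                   # tagged uplink port toward the MAN, e.g. "1:57"
    address: str                # this CB's host address in the /30, e.g. "192.168.101.1"
    cost: Optional[int] = None  # OSPF cost override (None = interface default)


def peer_address(address: str) -> str:
    """The other usable host of the /30, i.e. what the remote school side gets."""
    iface = ipaddress.ip_interface(f"{address}/30")
    first, second = list(iface.network.hosts())
    return str(second if iface.ip == first else first)


def validate_plan(links: List[P2PLink]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    tags: dict = {}
    subnets: dict = {}
    for link in links:
        if not 1 <= link.tag <= 4094:
            problems.append(f"{link.vlan}: tag {link.tag} out of range")
        if link.tag in tags:
            problems.append(f"{link.vlan}: tag {link.tag} already used by {tags[link.tag]}")
        tags[link.tag] = link.vlan
        iface = ipaddress.ip_interface(f"{link.address}/30")
        net = iface.network
        if iface.ip not in list(net.hosts()):      # network/broadcast of the /30 are unusable
            problems.append(f"{link.vlan}: {link.address} is not a host address in {net}")
        if net in subnets:
            problems.append(f"{link.vlan}: subnet {net} already used by {subnets[net]}")
        subnets[net] = link.vlan
    return problems


def render(links: List[P2PLink], area: str = "0.0.0.0") -> List[str]:
    """Emit steps 1-3 (VLANs, /30 interfaces with forwarding, OSPF) as EXOS commands."""
    problems = validate_plan(links)
    if problems:
        raise ValueError("; ".join(problems))
    out: List[str] = []
    for l in links:                                   # step 1: VLANs on the MAN port
        out += [f'create vlan "{l.vlan}"',
                f'configure vlan {l.vlan} description "{l.description}"',
                f"configure vlan {l.vlan} tag {l.tag}",
                f"configure vlan {l.vlan} add ports {l.port} tagged"]
    for l in links:                                   # step 2: point-to-point interfaces
        out.append(f"configure vlan {l.vlan} ipaddress {l.address} {MASK_30}")
    for l in links:
        out.append(f"enable ipforwarding vlan {l.vlan}")
    for l in links:                                   # step 3: OSPF per interface
        out.append(f"configure ospf add vlan {l.vlan} area {area}")
        if l.cost is not None:
            out.append(f"configure ospf vlan {l.vlan} cost {l.cost}")
        # key id = tag as in the design; replace <MD5-KEY> with the real key when applying
        out.append(f"configure ospf vlan {l.vlan} authentication md5 {l.tag} <MD5-KEY>")
    return out


# Controlling Bridge 1 links from the design above (School 4 has a single link)
CB1_LINKS = [
    P2PLink("VLAN_0101", 101, "To SC2 Left", "1:57", "192.168.101.1"),
    P2PLink("VLAN_0102", 102, "To SC3 Left", "1:57", "192.168.101.5"),
    P2PLink("VLAN_0103", 103, "To SC4", "1:57", "192.168.101.9"),
    P2PLink("VLAN_0104", 104, "To SC2 Right", "1:57", "192.168.101.13", cost=10),
    P2PLink("VLAN_0105", 105, "To SC3 Right", "1:57", "192.168.101.17", cost=10),
]

if __name__ == "__main__":
    for line in render(CB1_LINKS):
        print(line)
```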
Authentication – Netlogin
At the District Office, authentication with netlogin dot1x and MAC is enabled on all ports except for the
uplink and server ports. The authentication order is dot1x MAC.
When complete the configuration should look similar to the one below:
Controlling Bridge 1 and Controlling Bridge 2
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 1:1-4,1:6,1:8,1:10,1:14,1:16,1:18,1:20-44,1:50-52,1:54-56,1:58-72,100:1-24,110:2-24 dot1x
enable netlogin ports 1:1-4,1:6,1:8,1:10,1:14,1:16,1:18,1:20-44,1:50-52,1:54-56,1:58-72,100:1-24,110:1-24 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
ExtremeSwitching Stack
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 1:1-50,2:1-50,3:1-50,4:1-50 dot1x
enable netlogin ports 1:1-50,2:1-50,3:1-50,4:1-50 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
School 2
[Figure: School 2 topology – Controlling Bridge 1 and Controlling Bridge 2 (redundant controlling bridges), MLAGs, Bridge Port Extenders]
School 2 includes a pair of ExtremeSwitching X590 switches, which serve as the controlling bridges
(CBs). The V400 devices serve as the bridge port extenders (BPEs). The two CBs provide uplinks to
every BPE in the topology. Because of this configuration, multi-chassis link aggregation (MLAG) can be
used to provide redundancy to all network users.
ExtremeWireless access points can be connected to the ports of Power over Ethernet (PoE) capable
BPEs and/or PoE ports in the stack.
VLANs and Subnets at School 2
Below is a list and table grouping VLANs by functionality at School 2. This functionality includes the following types:
• Appliance – VLAN for Extreme Smart OmniEdge appliances.
• Management – Used to communicate with Extreme Smart OmniEdge appliances and routing protocols.
• Remote Site Connectivity – Point-to-point interfaces used for connectivity between School 2 and the District Office/School 1.
• Local Site Connectivity – VLAN interfaces used to distribute static and directly connected routes into OSPF and provide OSPF services to the ExtremeWireless controllers.
• ISC – VLAN for the MLAG Interswitch Connection.
• Access VLAN – VLANs for wired users, wireless users, and networked devices.
Device                                       VLAN Name   Subnet              Tag   Type
Controlling Bridge 1                         Lo0         192.168.200.3/32    1003  Management
Controlling Bridge 2                         Lo0         192.168.200.4/32    1004  Management
Controlling Bridge 1                         VLAN_0101   192.168.101.0/30    101   Remote Site Connectivity
Controlling Bridge 2                         VLAN_0201   192.168.201.0/30    201   Remote Site Connectivity
Controlling Bridge 1                         VLAN_0204   192.168.201.12/30   204   Remote Site Connectivity
Controlling Bridge 2                         VLAN_0104   192.168.101.12/30   104   Remote Site Connectivity
Controlling Bridge 1 / Controlling Bridge 2  VLAN_0060   192.168.61.0/24     60    Local Site Connectivity
Controlling Bridge 1 / Controlling Bridge 2  vpexmlag    169.254.0.0/16      4089  ISC
Controlling Bridge 1 / Controlling Bridge 2  VLAN_1600   172.16.10.0/24      1600  Access VLAN
Controlling Bridge 1 / Controlling Bridge 2  VLAN_1900   172.19.192.0/27     1900  Access VLAN
Controlling Bridge 1 / Controlling Bridge 2  VLAN_2200   172.21.4.0/22       2200  Access VLAN
Controlling Bridge 1 / Controlling Bridge 2  VLAN_1700   172.17.4.0/22       1700  Access VLAN
Controlling Bridge 1 / Controlling Bridge 2  VLAN_1800   172.18.32.0/19      1800  Access VLAN
School 2 – Configuration
[Figure: School 2 extended edge – Controlling Bridge 1 and Controlling Bridge 2 (redundant controlling bridges), MLAGs, Bridge Port Extenders]
1. VPEX Full Automation determines if switches are CB capable and BPEs are connected. If conditions are met, VPEX functionality is enabled and the CBs are rebooted.
2. VPEX Full Automation configures a LAG between CB1 and CB2.
3. VPEX Full Automation creates and configures an ISC VLAN, adds the LACP port, and configures the IP interface.
4. VPEX Full Automation creates and configures an MLAG ISC, and configures the CBs as peers.
5. VPEX Full Automation enables VPEX Partial Automation.
6. VPEX Partial Automation configures a slot number for each attached BPE, configures the BPE module type, configures CB ports attached to BPEs as VPEX ports, and enables MLAG ports with appropriate peer IDs.
Extended Edge with MLAG Configuration
In order to take advantage of VPEX Full Automation, the following cabling requirements need to be met:
• To create an MLAG ISC, CB1 and CB2 should be cabled together.
• To enable VPEX mode, the CBs should be cabled to at least one BPE.
Once cabled properly, power on CB1, CB2, BPE1, and BPE2. After the switches have finished running VPEX Full Automation and VPEX Partial Automation, verify that the CBs have been properly configured and are functioning.
Note
To better control slot numbering, the user may decide to allow the BPEs to power on one at a time. If all BPEs are turned on at the same time, there is no mechanism to guarantee slot order. Slot order is determined by which BPE LLDP message is received first by the CBs.
VPEX Full Automation and VPEX Partial Automation processes can take eight minutes or longer to complete. Please be patient.
1. Verify VPEX support has been enabled by VPEX Full Automation.
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.16 # show vpex
Virtual Port Extender: Enabled
Auto-Configuration:    Disabled
Cascade
Port      Slot
=============
-
Verify VPEX is enabled:
• Prompt changes indicating VPEX is enabled.
• Virtual Port Extender indicates enabled.
2. Verify VPEX Full Automation has created and configured a LAG between CB1 and CB2. Verify
LAGs have been configured between the CBs and BPEs.
Controlling Bridge 1 and 2
enable sharing 1:29 grouping 1:29,1:33 algorithm address-based custom lacp
enable sharing 1:23 grouping 1:23 algorithm address-based custom lacp
enable sharing 1:24 grouping 1:24 algorithm address-based custom lacp
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.10 # show sharing
Load Sharing Monitor
Config    Current Agg     Min    Ld Share  Dist  Ld Share  Agg   Link  Link Up
Master    Master  Control Active Algorithm Flags Group     Mbr   State Transitions
================================================================================
1:23      1:23    LACP    1      custom          1:23      Y     A     1
1:24      1:24    LACP    1      custom          1:24      Y     A     1
1:29      1:29    LACP    1      custom          1:29      Y     A     1
                                 custom          1:33      Y     A     1
================================================================================
…
Verify LACP configuration:
• Verify Agg MBR = Y
• Verify Link State = A
3. Verify VPEX Full Automation has created and configured an ISC VLAN, added a CB-to-CB LACP port, and configured IP interfaces.
Controlling Bridge 1
create vlan "vpexmlag"
configure vlan vpexmlag tag 4089
configure vlan vpexmlag add ports 1:29 tagged
configure vlan vpexmlag ipaddress 169.254.0.1 255.255.0.0
Controlling Bridge 2
create vlan "vpexmlag"
configure vlan vpexmlag tag 4089
configure vlan vpexmlag add ports 1:29 tagged
configure vlan vpexmlag ipaddress 169.254.0.2 255.255.0.0
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.2 # show vlan vpexmlag
VLAN Interface with name vpexmlag created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 4089
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          169.254.0.1/16
    …
    Ports:   1.          (Number of active ports=1)
       Tag:     *1:29g
    …
Slot-1 VPEX X590-24x-1q-2c.7 # show vlan
Untagged ports auto-move: Inform
---------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                         Proto  Ports  Virtual
                                                                              Active router
                                                                              /Total
---------------------------------------------------------------------------------
vpexmlag        4089 169.254.0.1    /16  ------I---------------------  ANY    1 /1
Verify VPEX Full Automation configured the VLAN:
• VLAN named vpexmlag created
• IP Address configured for VLAN
• LAG port added to VLAN.
• I Flag confirms ISC VLAN.
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.2 # show vlan vpexmlag
VLAN Interface with name vpexmlag created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 4089
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          169.254.0.2/16
    …
    Ports:   1.          (Number of active ports=1)
       Tag:     *1:29g
    …
Slot-1 VPEX X590-24x-1q-2c.7 # show vlan
Untagged ports auto-move: Inform
---------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                         Proto  Ports  Virtual
                                                                              Active router
                                                                              /Total
---------------------------------------------------------------------------------
vpexmlag        4089 169.254.0.2    /16  ------I---------------------  ANY    1 /1
4. Verify VPEX Full Automation has properly created and configured an MLAG, which includes configuring the CBs as peers, adding the CB-to-BPE LAGs as MLAG ports, and assigning appropriate MLAG IDs.
Controlling Bridge 1
create mlag peer "vpexmlag"
configure mlag peer "vpexmlag" ipaddress 169.254.0.2 vr VR-Default
enable mlag port 1:23 peer "vpexmlag" id 5101
enable mlag port 1:24 peer "vpexmlag" id 5100
Controlling Bridge 2
create mlag peer "vpexmlag"
configure mlag peer "vpexmlag" ipaddress 169.254.0.1 vr VR-Default
enable mlag port 1:23 peer "vpexmlag" id 5101
enable mlag port 1:24 peer "vpexmlag" id 5100
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.20 # show mlag peer
Multi-switch Link Aggregation Peers:
MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.1           Peer IP Address   : 169.254.0.2
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 5720                  Tx-Hellos         : 5731
Rx-Checkpoint Msgs: 896                   Tx-Checkpoint Msgs: 6242
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:1h:33m:11s         Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fa:cc     Peer MAC          : 00:04:96:a3:fb:18
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
Alternate path information: None
1. Peer name and peer IP address are configured.
2. Local IP address configured.
3. Peer IP address is known.
4. Checkpoint Status is UP.
5. Hello and Checkpoint Messages incrementing.
6. Error messages are not incrementing but might be present.
Slot-1 VPEX X590-24x-1q-2c.21 # show mlag ports
MLAG   Local  Local   Remote                    Peer     Local  Remote
Id     Port   Link    Link    Peer              Status   Fail   Fail
              State                                      Count  Count
================================================================================
5101   1:23   A       Up      vpexmlag          Up       0      0
5100   1:24   A       Up      vpexmlag          Up       0      0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG port
Number of Multi-switch Link Aggregation Groups : 2
Convergence control                            : Conserve Access Lists
Reload Delay Interval                          : 30 seconds
Reload Delay                                   : Disabled
Link Up Isolation                              : Off
1. Local Link State is Active for this MLAG port.
2. Remote Link is UP.
3. Peer Status is UP.
4. Local and Remote Fail Counts not incrementing.
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.15 # show mlag peer
Multi-switch Link Aggregation Peers:

MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.2           Peer IP Address   : 169.254.0.1
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 5777                  Tx-Hellos         : 5813
Rx-Checkpoint Msgs: 6301                  Tx-Checkpoint Msgs: 905
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:1h:34m:6s          Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fb:18     Peer MAC          : 00:04:96:a3:fa:cc
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
Alternate path information: None
Slot-1 VPEX X590-24x-1q-2c.16 # show mlag ports
Local  Local  Local  Remote                     Peer    Local  Remote
MLAG   Link   Link   Link                       Peer    Fail   Fail
Id     Port   State  State   Peer               Status  Count  Count
================================================================================
5101   1:23   A      Up      vpexmlag           Up      0      0
5100   1:24   A      Up      vpexmlag           Up      0      0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG port
Number of Multi-switch Link Aggregation Groups : 2
Convergence control                            : Conserve Access Lists
Reload Delay Interval                          : 30 seconds
Reload Delay                                   : Disabled
Link Up Isolation                              : Off
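The six show mlag peer verification items above can be applied mechanically to captured screens from both CBs. The following is an added example, not code from the Extreme Validated Design; it parses the two-column "Label : value" layout of show mlag peer and embeds the CB1 and CB2 screens shown above as its sample input (the second, later snapshot used for the counter check is constructed).

```python
"""Check EXOS 'show mlag peer' screens against the design's verification items.

Added example, not part of the Extreme Validated Design. It parses the
two-column "Label : value" layout of 'show mlag peer' from both Controlling
Bridges and applies the listed checks: peer name and addresses configured,
each side knows the other's IP and MAC, Checkpoint Status Up, hello and
checkpoint counters incrementing, error counters not incrementing.
"""
import re

# One "Label : value" pair; a screen line holds up to two of them side by side.
_PAIR = re.compile(r"([A-Za-z][A-Za-z' .-]*?)\s*:\s*(\S+(?:\s+ms)?)")

HELLO_COUNTERS = ("Rx-Hellos", "Tx-Hellos", "Rx-Checkpoint Msgs", "Tx-Checkpoint Msgs")
ERROR_COUNTERS = ("Rx-Hello Errors", "Tx-Hello Errors", "Hello Timeouts",
                  "Checkpoint Errors", "Peer Conn.Failures")


def parse_mlag_peer(text):
    """Return {label: value} for every pair found in a 'show mlag peer' screen."""
    fields = {}
    for line in text.splitlines():
        for label, value in _PAIR.findall(line):
            fields[label.strip()] = value.strip()
    return fields


def check_peer_pair(cb1, cb2):
    """Items 1-4: cross-check the two CBs' screens; returns a list of problems."""
    problems = []
    for name, f in (("CB1", cb1), ("CB2", cb2)):
        for key in ("MLAG Peer", "Local IP Address", "Peer IP Address"):
            if key not in f:
                problems.append(f"{name}: {key} not configured")
        if f.get("Checkpoint Status") != "Up":
            problems.append(f"{name}: Checkpoint Status is {f.get('Checkpoint Status')}")
    # Each side's peer address/MAC must be the other side's local address/MAC.
    for key_l, key_p in (("Local IP Address", "Peer IP Address"), ("Local MAC", "Peer MAC")):
        if cb1.get(key_p) != cb2.get(key_l) or cb2.get(key_p) != cb1.get(key_l):
            problems.append(f"{key_p} does not match the peer's {key_l}")
    if cb1.get("Current LACP MAC") != cb2.get("Current LACP MAC"):
        problems.append("Current LACP MAC differs between peers")
    return problems


def check_counters(earlier, later):
    """Items 5-6: compare two screens of the same CB taken some time apart."""
    problems = []
    for key in HELLO_COUNTERS:
        if int(later[key]) <= int(earlier[key]):
            problems.append(f"{key} not incrementing ({earlier[key]} -> {later[key]})")
    for key in ERROR_COUNTERS:
        if int(later[key]) > int(earlier[key]):
            problems.append(f"{key} incrementing ({earlier[key]} -> {later[key]})")
    return problems


# Screens as shown in the design (values from the EVD output above).
CB1_SCREEN = """\
MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.1           Peer IP Address   : 169.254.0.2
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 5720                  Tx-Hellos         : 5731
Rx-Checkpoint Msgs: 896                   Tx-Checkpoint Msgs: 6242
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:1h:33m:11s         Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fa:cc     Peer MAC          : 00:04:96:a3:fb:18
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
"""
CB2_SCREEN = """\
MLAG Peer         : vpexmlag
VLAN              : vpexmlag              Virtual Router    : VR-Default
Local IP Address  : 169.254.0.2           Peer IP Address   : 169.254.0.1
MLAG ports        : 2                     Tx-Interval       : 1000 ms
Checkpoint Status : Up                    Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 5777                  Tx-Hellos         : 5813
Rx-Checkpoint Msgs: 6301                  Tx-Checkpoint Msgs: 905
Rx-Hello Errors   : 0                     Tx-Hello Errors   : 0
Hello Timeouts    : 0                     Checkpoint Errors : 0
Up Time           : 0d:1h:34m:6s          Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fb:18     Peer MAC          : 00:04:96:a3:fa:cc
Config'd LACP MAC : None                  Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
"""

if __name__ == "__main__":
    cb1, cb2 = parse_mlag_peer(CB1_SCREEN), parse_mlag_peer(CB2_SCREEN)
    print("peer pair:", check_peer_pair(cb1, cb2) or "OK")
    # Constructed second sample of CB1: hellos advanced, error counters unchanged.
    later = dict(cb1)
    later.update({"Rx-Hellos": "5790", "Tx-Hellos": "5801",
                  "Rx-Checkpoint Msgs": "910", "Tx-Checkpoint Msgs": "6318"})
    print("counters:", check_counters(cb1, later) or "OK")
```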
5. Verify VPEX Full Automation has enabled VPEX Partial Automation.
Controlling Bridge 1 and 2
enable vpex auto-configuration
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.16 # show vpex
Virtual Port Extender: Enabled
Auto-Configuration:    Enabled
Cascade
Port     Slot
=============
-
Verify Auto-Configuration is enabled:
• The Auto-Configuration indicator shows Enabled.
6. Verify the VPEX Partial Automation properly configured the VPEX slots.
Controlling Bridge 1
configure slot 100 module V400-48p-10GE4
configure sys-recovery-level slot 100 reset
configure slot 101 module V400-24p-10GE2
configure sys-recovery-level slot 101 reset
configure vpex port 1:23 slot 101
configure vpex port 1:24 slot 100
Controlling Bridge 2
configure slot 100 module V400-48p-10GE4
configure sys-recovery-level slot 100 reset
configure slot 101 module V400-24p-10GE2
configure sys-recovery-level slot 101 reset
configure vpex port 1:23 slot 101
configure vpex port 1:24 slot 100
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.25 # show vpex bpe
PE    Casc
Slot  Port  Model            MAC Address        Description
=================================================================================================================
100   1:24  V400-48p-10GE4   d8:84:66:f2:d5:11  none
101   1:23  V400-24p-10GE2   d8:84:66:f2:ae:cd  none
Slot-1 VPEX X590-24x-1q-2c.26 # show vpex ports
Cascade  Ext Port  PE    Port   Link   CSP                PE                 CSPOpen   Role
Port     #         Slot  State  State  MAC Address        MAC Address        Loc  Rem  Flags
===========================================================================================
1:23     1:23      101   E      A      d8:84:66:f2:ae:e6  d8:84:66:f2:ae:cd  1    1
1:24     1:24      100   E      A      d8:84:66:f2:d5:42  d8:84:66:f2:d5:11  1    1
===========================================================================================
…
Verify the following items:
1. Module type is configured.
2. Port State is Enabled (E).
3. Link State is Active (A).
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.19 # show vpex bpe
PE    Casc
Slot  Port  Model            MAC Address        Description
=================================================================================================================
100   1:24  V400-48p-10GE4   d8:84:66:f2:d5:11  none
101   1:23  V400-24p-10GE2   d8:84:66:f2:ae:cd  none
Slot-1 VPEX X590-24x-1q-2c.20 # show vpex ports
Cascade  Ext Port  PE    Port   Link   CSP                PE                 CSPOpen   Role
Port     #         Slot  State  State  MAC Address        MAC Address        Loc  Rem  Flags
===========================================================================================
1:23     1:23      101   E      A      d8:84:66:f2:ae:e6  d8:84:66:f2:ae:cd  1    1
1:24     1:24      100   E      A      d8:84:66:f2:d5:42  d8:84:66:f2:d5:11  1    1
===========================================================================================
…
Verify that the MAC addresses for the BPEs match on both CBs.
7. Manually delete all ports from default VLAN, disable MSTP, and free up ACL resources.
8. Manually configure a loopback interface for routing and device management.
9. Manually configure a base OSPF configuration.
10. Manually configure VLAN for local site connectivity.
11. Manually configure VRRP for local site connectivity VLAN.
12. Manually configure OSPF for local site connectivity VLAN.
[Figure: Bridge Port Extenders, MLAGs, Redundant Controlling Bridges (Controlling Bridge 1, Controlling Bridge 2)]
7. Remove ports from Default VLAN, disable MSTP, and free up ACL resources.
The default VLAN will not be needed for this EVD, so all ports will be removed from the VLAN. Because of this, MSTP instance s0 will also be disabled.
Controlling Bridge 1 and 2
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-36,100:1-52,101:1-26
configure vr VR-Default add ports 1:1-36,100:1-52,101:1-26
configure vlan default delete ports 1:1-36,100:1-52,101:1-26
disable stpd s0
configure policy resource-profile default profile-modifier no-mac enable no-ipv6 enable
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.11 # show stpd s0
Stpd: s0
Stp: DISABLED
Number of Ports: 0
Rapid Root Failover: Disabled
Operational Mode: MSTP
Default Binding Mode: 802.1D
MSTI Instance: CIST
802.1Q Tag: (none)
Ports: (none)
Participating Vlans: (none)
Auto-bind Vlans: Default
…
Verify the following STP variables for s0:
• STP is disabled
• No ports participating in STP
• No VLANs participating in STP
8. Configure Loopback VLAN and Interface
The internal loopback interface serves as the primary interface for in-band management in this topology. It also serves as the interface between the Extreme Networks appliances and the devices.
Configuring the system loopback interface involves creating a VLAN with a tag and enabling the following IP services on it: loopback mode and IP forwarding. The loopback interface is configured with a /32 subnet mask.
Controlling Bridge 1
create vlan "lo0"
configure vlan lo0 tag 1001
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.3 255.255.255.255
enable ipforwarding vlan lo0
Controlling Bridge 2
create vlan "lo0"
configure vlan lo0 tag 1004
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.4 255.255.255.255
enable ipforwarding vlan lo0
9. Configure OSPF Base Configuration
With the loopback interface created, it is now possible to create the base OSPF routing configuration. OSPF will redistribute any directly connected interfaces and static routes into the routing table. This becomes more important later, when remote schools are attached to the topology.
The loopback interface created in the previous step is configured as the OSPF Router-ID, and the loopback interface is added to area 0.0.0.0.
Controlling Bridge 1
configure ospf routerid 192.168.200.3
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
Controlling Bridge 2
configure ospf routerid 192.168.200.4
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
10. Configure VLAN and Interface for Local Site Connectivity on Controlling Bridges.
Configure a VLAN for local site connectivity on the controlling bridges. This VLAN is used to redistribute directly connected and static routes into OSPF. It is also used by APs for connectivity to the wireless controllers.
Configure local-site VLAN_0060 with:
1. VLAN description
2. VLAN tag
3. LACP trunk port added to VLAN
4. IP address configured
5. IP forwarding enabled for unicast routing
6. BOOTP relay enabled for DHCP
7. IP route sharing (ECMP)
Controlling Bridge 1
create vlan "VLAN_0060"
configure vlan VLAN_0060 description "School 2 Local Site Connectivity"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 add ports 1:29 tagged
configure vlan VLAN_0060 ipaddress 192.168.61.2 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
Controlling Bridge 2
create vlan "VLAN_0060"
configure vlan VLAN_0060 description "School 2 Local Site Connectivity"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 add ports 1:29 tagged
configure vlan VLAN_0060 ipaddress 192.168.61.3 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
At the prompt, issue show vlan VLAN_0060 (output truncated) and verify the following items:
1. VLAN Name, State and Tag
2. VLAN Description
3. LACP trunk port added to VLAN
4. IP Address configured
5. IP Forwarding enabled for unicast routing
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.49 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         School 2 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.61.2/24
    …
    Ports:   1.   (Number of active ports=1)
      Tag:   *1:29g
    …
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.35 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         School 2 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.61.3/24
    …
    Ports:   1.   (Number of active ports=1)
      Tag:   *1:29g
    …
11. Configure VRRP on Local Site Connectivity VLAN on the Controlling Bridges.
Configure VRRP for the VLAN to provide the ExtremeWireless IdentiFi APs a common gateway to reach the ExtremeWireless Controllers.
• vrid 60 is the VRRP instance ID for VLAN_0060.
• Priority is configured to make master election more reliable.
• Fabric-routing is enabled so that packets don't have to be routed through the VRRP master if a more direct route exists on the receiving interface.
• 192.168.61.1 is the VRRP virtual IP address.
Controlling Bridge 1
create vrrp vlan VLAN_0060 vrid 60
configure vrrp vlan VLAN_0060 vrid 60 priority 254
configure vrrp vlan VLAN_0060 vrid 60 fabric-routing on
configure vrrp vlan VLAN_0060 vrid 60 add 192.168.61.1
enable vrrp vlan VLAN_0060 vrid 60
Controlling Bridge 2
create vrrp vlan VLAN_0060 vrid 60
configure vrrp vlan VLAN_0060 vrid 60 fabric-routing on
configure vrrp vlan VLAN_0060 vrid 60 add 192.168.61.1
enable vrrp vlan VLAN_0060 vrid 60
At the prompt, issue show vrrp and verify the VLAN_0060 configuration. The FR value must be Y on both the VRRP master and backup. The switch with the highest priority has MSTR state and the other one BKUP.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.7 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_00(En) 0060 254       192.168.61.1   MSTR   00:00:5e:00:01:3c   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
…
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.7 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_00(En) 0060 100       192.168.61.1   BKUP   00:00:5e:00:01:3c   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
…
12. Configure OSPF Local Site Connectivity VLAN
This interface will serve as the main routing aggregation point for all the user access VLANs. Therefore, it is very important that this interface has OSPF enabled. The connectivity VLAN is added to area 0.0.0.0, and MD5 authentication is enabled to provide added security between OSPF adjacencies.
Controlling Bridge 1
configure ospf add vlan VLAN_0060 area 0.0.0.0
configure ospf vlan VLAN_0060 authentication encrypted md5 61 "#$9PzYK114lHuHzjGF1Dvl3GEu5uSEUA=="
Controlling Bridge 2
configure ospf add vlan VLAN_0060 area 0.0.0.0
configure ospf vlan VLAN_0060 authentication encrypted md5 61 "#$UUFVAm9buaJUoNv0+9+SKU+c3RlK1A=="
At the prompt, issue show ospf neighbor (output truncated). Verify that the routers see each other and that the adjacency state is FULL with MD5 authentication enabled. The OSPF router state should be DR or BDR.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.8 # show ospf neighbor
Neighbor ID      Pri State      Up/Dead Time             Address         Interface   BFD Session State
==========================================================================================
192.168.200.4    1   FULL /DR   03:03:01:28/00:00:00:10  192.168.61.3    VLAN_0060   None
…
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.8 # show ospf neighbor
Neighbor ID      Pri State      Up/Dead Time             Address         Interface   BFD Session State
==========================================================================================
192.168.200.3    1   FULL /BDR  03:03:03:06/00:00:00:06  192.168.61.2    VLAN_0060   None
…
Wired User Access
All access VLANs offer redundancy to the network through configured VRRP gateways. All user credentials are authenticated by ExtremeControl using RADIUS. The following VLAN types are available at School 2:
The Guest_Wired VLAN gives guest users access to School 2. This VLAN will be configured at all the schools. This access layer VLAN is typically the most restrictive of all VLANs.
The Admin VLAN provides access layer connectivity to network administrators. These users will be assigned an Admin role by Extreme Policy Manager and ExtremeControl. This access layer VLAN is typically the least restrictive of the access VLANs.
The NonAdmin_Wired VLAN provides access layer connectivity to other authorized users. These users will be assigned a Student or Faculty role by Extreme Policy Manager and ExtremeControl. Roles can be more granular than the ones presented here. Most users will access the school district network through this VLAN.
The Network_Devices VLAN provides access layer connectivity to common network devices such as printers, VoIP phones, or security cameras.
1. Configure four wired user access VLANs on Controlling Bridges.
2. Configure all user access ports to Guest_Wired PVID.
3. Configure IP Address and IP Services on wired User Access VLANs.
4. Configure VRRP on Controlling Bridges for user access VLANs.
[Figure: Bridge Port Extenders, MLAGs, Redundant Controlling Bridges (Controlling Bridge 1, Controlling Bridge 2)]
The process of adding an access VLAN to the CB/BPE topology involves several steps. First, create the access VLAN and tag on the CBs. Then add the Local Site trunk port and MLAG ports as tagged members of the access VLAN. Routing functionality will then be configured, including the IP address, VRRP for a common gateway, and IP forwarding.
Note
During these manual configuration steps, the user can choose to utilize mlag orchestration mode. This mode can be helpful to configure the exact same commands on both CBs. However, do not use this feature for configurations which need to be unique on the CBs, such as IP addresses, VRRP configurations, and OSPF configurations. To enable this mode, refer to mlag orchestration mode operation on Page 16.
1. Configure four access VLANs and assign ports.
Four wired access VLANs are created with tag and description, and the LACP trunk port is added to each.
Controlling Bridge 1
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:29 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:29 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:29 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:29 tagged
Controlling Bridge 2
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:29 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:29 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:29 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:29 tagged
After creating the VLANs, any port to be used for user access should be configured with a PVID of Guest_Wired as the native VLAN. All wired access ports are added to the Guest_Wired VLAN as untagged (PVID). When complete, the configuration should look similar to the one below:
Controlling Bridge 1
configure vlan VLAN_1900 add ports 1:2-22,100:1-48,101:1-24 untagged
Controlling Bridge 2
configure vlan VLAN_1900 add ports 1:2-22,100:1-48,101:1-24 untagged
Caution
When assigning the PVID of access ports to Guest_Wired, use caution that ports with previous configuration are not reconfigured. These ports might include the following:
• Local Site LACP Trunk Port
• Uplink ports between Controlling Bridges and Bridge Port Extenders
• Uplink ports between X590/X690
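The caution above is easy to check before the untagged port list is applied. The following is an added example, not code from the Extreme Validated Design: it expands EXOS port-list syntax and reports any port in the planned Guest_Wired PVID list that this design has already assigned as the local-site LACP trunk (1:29), a cascade port to a BPE (1:23, 1:24) or the MAN uplink (1:1); the RESERVED table and the faulty list in the usage section are constructed from those page values.

```python
"""Check a planned untagged (PVID) port list against ports already in use.

Added example, not part of the Extreme Validated Design. It expands EXOS
port-list syntax (slot:port, ranges, comma-separated groups) and reports any
port in the planned Guest_Wired PVID assignment that already carries other
configuration in this design.
"""
import re

# One port-list item: "slot:port" or "slot:first-last".
_ITEM = re.compile(r"^(\d+):(\d+)(?:-(\d+))?$")


def expand_portlist(portlist):
    """Expand '1:2-22,100:1-48' into a list of (slot, port) tuples."""
    ports = []
    for item in portlist.split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"unsupported port-list item: {item!r}")
        slot, first, last = int(m.group(1)), int(m.group(2)), m.group(3)
        last = int(last) if last else first
        if last < first:
            raise ValueError(f"descending range in {item!r}")
        ports.extend((slot, p) for p in range(first, last + 1))
    return ports


def fmt(port):
    """Render a (slot, port) tuple back into EXOS 'slot:port' form."""
    return f"{port[0]}:{port[1]}"


def pvid_conflicts(planned, reserved):
    """Return {'slot:port': role} for planned ports that are already reserved."""
    hits = {}
    for port in expand_portlist(planned):
        if port in reserved:
            hits[fmt(port)] = reserved[port]
    return hits


# Ports this design has already configured on each CB (port numbers from the EVD).
RESERVED = {
    (1, 1): "MAN uplink to District Office (remote-site connectivity VLANs)",
    (1, 23): "cascade port to BPE slot 101",
    (1, 24): "cascade port to BPE slot 100",
    (1, 29): "local-site LACP trunk (VLAN_0060 and access VLANs tagged)",
}
PLANNED_PVID = "1:2-22,100:1-48,101:1-24"   # the design's Guest_Wired list

if __name__ == "__main__":
    print(len(expand_portlist(PLANNED_PVID)), "ports in the planned PVID list")
    print("conflicts:", pvid_conflicts(PLANNED_PVID, RESERVED))
    # Constructed mistake: extending the front-panel range up to port 29.
    print("conflicts:", pvid_conflicts("1:2-29,100:1-48,101:1-24", RESERVED))
```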
2. Configure Access VLAN Interface and other routing services.
An IP interface is configured for each of the four wired access VLANs, with IP forwarding and BootP relay enabled.
Controlling Bridge 1
configure vlan VLAN_1900 ipaddress 172.19.192.2 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.10.2 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_1700 ipaddress 172.17.4.2 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
configure vlan VLAN_2200 ipaddress 172.21.4.2 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
Controlling Bridge 2
configure vlan VLAN_1900 ipaddress 172.19.192.3 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.10.3 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_1700 ipaddress 172.17.4.3 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
configure vlan VLAN_2200 ipaddress 172.21.4.3 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
3. Configure Access VLAN VRRP between the X690 switches.
Configure VRRP for the access VLANs to provide access VLAN users a virtual gateway address.
• Each wired access VLAN has its own VRRP instance ID.
• Priority is configured to make master election more reliable.
• Fabric-routing is enabled so that packets don't have to be routed through the VRRP master if a more direct route exists on the receiving interface.
• The address added to each instance is the VRRP virtual IP address.
Controlling Bridge 1
create vrrp vlan VLAN_1900 vrid 193
configure vrrp vlan VLAN_1900 vrid 193 fabric-routing on
configure vrrp vlan VLAN_1900 vrid 193 add 172.19.192.1
enable vrrp vlan VLAN_1900 vrid 193
create vrrp vlan VLAN_1600 vrid 160
configure vrrp vlan VLAN_1600 vrid 160 priority 254
configure vrrp vlan VLAN_1600 vrid 160 fabric-routing on
configure vrrp vlan VLAN_1600 vrid 160 add 172.16.10.1
enable vrrp vlan VLAN_1600 vrid 160
create vrrp vlan VLAN_1700 vrid 170
configure vrrp vlan VLAN_1700 vrid 170 fabric-routing on
configure vrrp vlan VLAN_1700 vrid 170 add 172.17.4.1
enable vrrp vlan VLAN_1700 vrid 170
create vrrp vlan VLAN_2200 vrid 210
configure vrrp vlan VLAN_2200 vrid 210 priority 254
configure vrrp vlan VLAN_2200 vrid 210 fabric-routing on
configure vrrp vlan VLAN_2200 vrid 210 add 172.21.4.1
enable vrrp vlan VLAN_2200 vrid 210
Controlling Bridge 2
create vrrp vlan VLAN_1900 vrid 193
configure vrrp vlan VLAN_1900 vrid 193 priority 254
configure vrrp vlan VLAN_1900 vrid 193 fabric-routing on
configure vrrp vlan VLAN_1900 vrid 193 add 172.19.192.1
enable vrrp vlan VLAN_1900 vrid 193
create vrrp vlan VLAN_1600 vrid 160
configure vrrp vlan VLAN_1600 vrid 160 fabric-routing on
configure vrrp vlan VLAN_1600 vrid 160 add 172.16.10.1
enable vrrp vlan VLAN_1600 vrid 160
create vrrp vlan VLAN_1700 vrid 170
configure vrrp vlan VLAN_1700 vrid 170 priority 254
configure vrrp vlan VLAN_1700 vrid 170 fabric-routing on
configure vrrp vlan VLAN_1700 vrid 170 add 172.17.4.1
enable vrrp vlan VLAN_1700 vrid 170
create vrrp vlan VLAN_2200 vrid 210
configure vrrp vlan VLAN_2200 vrid 210 fabric-routing on
configure vrrp vlan VLAN_2200 vrid 210 add 172.21.4.1
enable vrrp vlan VLAN_2200 vrid 210
At the prompt, issue show vrrp and verify the VRRP configuration. The FR value must be Y on both the VRRP master and backup. The switch with the highest priority has MSTR state and the other one BKUP.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.82 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0193 100       172.19.192.1   BKUP   00:00:5e:00:01:c1   0  0  0  Y 1  Y  N N
VLAN_16(En) 0160 254       172.16.10.1    MSTR   00:00:5e:00:01:a0   0  0  0  Y 1  Y  N N
VLAN_22(En) 0210 254       172.21.4.1     MSTR   00:00:5e:00:01:d2   0  0  0  Y 1  Y  N N
VLAN_17(En) 0170 100       172.17.4.1     BKUP   00:00:5e:00:01:aa   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.74 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0193 254       172.19.192.1   MSTR   00:00:5e:00:01:c1   0  0  0  Y 1  Y  N N
VLAN_16(En) 0160 100       172.16.10.1    BKUP   00:00:5e:00:01:a0   0  0  0  Y 1  Y  N N
VLAN_22(En) 0210 100       172.21.4.1     BKUP   00:00:5e:00:01:d2   0  0  0  Y 1  Y  N N
VLAN_17(En) 0170 254       172.17.4.1     MSTR   00:00:5e:00:01:aa   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Wireless User Access
No Guest_Wireless VLAN is configured at School 2. Once a user is assigned the role of Guest, their traffic is tunneled directly to the controller. This bridging-at-controller functionality eliminates the need to configure a guest wireless VLAN at School 2.
The NonAdmin_Wireless VLAN provides access layer connectivity to other authorized users. These users will be assigned Student or Faculty roles by Extreme Policy Manager and ExtremeControl. This VLAN will be bridged at the access point.
1. Configure NonAdmin wireless user access VLAN.
2. Configure IP Address and IP Services for NonAdmin wireless user access VLAN.
3. Configure VRRP for NonAdmin wireless user access VLAN.
[Figure: Bridge Port Extenders, MLAGs, Redundant Controlling Bridges (Controlling Bridge 1, Controlling Bridge 2)]
Note
During these manual configuration steps, the user can choose to utilize mlag orchestration mode. This mode can be helpful to configure the exact same commands on both CBs. However, do not use this feature for configurations which need to be unique on the CBs, such as IP addresses, VRRP configurations, and OSPF configurations. To enable this mode, refer to mlag orchestration mode operation on Page 16.
1. Configure the wireless access VLAN and assign ports.
Configure the NonAdmin Wireless VLAN for wireless users. The wireless access VLAN is created with tag and description, and the LACP trunk port is added to it.
Controlling Bridge 1
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:29 tagged
Controlling Bridge 2
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:29 tagged
2. Configure Access VLAN Interface and other routing services.
The IP address for the access VLAN will be configured on both X590 switches. In addition to the IP address, IP forwarding and bootprelay will be configured for the interfaces.
Controlling Bridge 1
configure vlan VLAN_1800 ipaddress 172.18.32.2 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
Controlling Bridge 2
configure vlan VLAN_1800 ipaddress 172.18.32.3 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
3. Configure Access VLAN VRRP.
Configure VRRP for the access VLAN to provide access VLAN users a virtual gateway address.
• vrid 180 is the VRRP instance ID for the wireless access VLAN.
• Priority is configured to make master election more reliable.
• Fabric-routing is enabled so that packets don't have to be routed through the VRRP master if a more direct route exists on the receiving interface.
• 172.18.32.1 is the VRRP virtual IP address.
Controlling Bridge 1
create vrrp vlan VLAN_1800 vrid 180
configure vrrp vlan VLAN_1800 vrid 180 priority 254
configure vrrp vlan VLAN_1800 vrid 180 fabric-routing on
configure vrrp vlan VLAN_1800 vrid 180 add 172.18.32.1
enable vrrp vlan VLAN_1800 vrid 180
Controlling Bridge 2
create vrrp vlan VLAN_1800 vrid 180
configure vrrp vlan VLAN_1800 vrid 180 fabric-routing on
configure vrrp vlan VLAN_1800 vrid 180 add 172.18.32.1
enable vrrp vlan VLAN_1800 vrid 180
At the prompt, issue show vrrp and verify the VRRP configuration (output truncated).
Controlling Bridge 1
The FR value must be Y on both the VRRP master and backup. The switch with the highest priority has MSTR state; the other switch has BKUP.
Slot-1 VPEX X590-24x-1q-2c.101 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_18(En) 0180 254       172.18.32.1    MSTR   00:00:5e:00:01:b4   0  0     Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.91 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_18(En) 0180 100       172.18.32.1    BKUP   00:00:5e:00:01:b4   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
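The show vrrp checks repeated for VLAN_0060, the wired access VLANs and the wireless access VLAN (FR is Y on both peers, the higher-priority CB is MSTR and the other BKUP, both agree on the virtual IP) can be run over captured screens from both CBs. The following is an added example, not code from the Extreme Validated Design; it embeds the wired-access screens shown earlier as its sample input and additionally confirms that the virtual MAC is the standard VRRP value 00:00:5e:00:01:<VRID in hex>, so a VRID typed differently on one CB is caught.

```python
"""Cross-check EXOS 'show vrrp' output from both Controlling Bridges.

Added example, not part of the Extreme Validated Design. It parses the
per-VRID rows of 'show vrrp' and applies the design's verification items:
FR (fabric routing) is Y on both peers, the higher-priority CB is MSTR and
the other BKUP, and both agree on the virtual IP. It also checks that the
virtual MAC is the standard VRRP value 00:00:5e:00:01:<VRID in hex>.
"""
import re

# Row layout: VLAN Name, VRID, Pri, Virtual IP, State, Master MAC, then the
# eight TP/TR/TV/P/T/FR/G/HM flag columns.
_ROW = re.compile(
    r"^(?P<vlan>\S+\(\w\w\))\s+(?P<vrid>\d+)\s+(?P<pri>\d+)\s+(?P<vip>\S+)\s+"
    r"(?P<state>MSTR|BKUP|INIT)\s+(?P<mac>[0-9a-f:]{17})\s+(?P<flags>.+)$"
)
FLAG_NAMES = ("TP", "TR", "TV", "P", "T", "FR", "G", "HM")


def parse_show_vrrp(text):
    """Return {vrid: row} for every VRRP instance row in the screen."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # prompt, column headings, legend
        row = m.groupdict()
        row["vrid"], row["pri"] = int(row["vrid"]), int(row["pri"])
        row["flags"] = dict(zip(FLAG_NAMES, row["flags"].split()))
        rows[row["vrid"]] = row
    return rows


def check_vrrp_pair(cb1, cb2):
    """Compare the parsed screens of CB1 and CB2; return a list of problems."""
    problems = []
    for vrid in sorted(set(cb1) | set(cb2)):
        a, b = cb1.get(vrid), cb2.get(vrid)
        if a is None or b is None:
            problems.append(f"VRID {vrid}: configured on only one CB")
            continue
        expect_mac = f"00:00:5e:00:01:{vrid:02x}"
        for name, row in (("CB1", a), ("CB2", b)):
            if row["flags"].get("FR") != "Y":
                problems.append(f"VRID {vrid}: fabric routing not Y on {name}")
            if row["mac"] != expect_mac:
                problems.append(f"VRID {vrid}: {name} virtual MAC {row['mac']} != {expect_mac}")
        if a["vip"] != b["vip"]:
            problems.append(f"VRID {vrid}: virtual IP differs ({a['vip']} vs {b['vip']})")
        if {a["state"], b["state"]} != {"MSTR", "BKUP"}:
            problems.append(f"VRID {vrid}: states {a['state']}/{b['state']}, expected one MSTR and one BKUP")
        elif a["pri"] != b["pri"] and (a["pri"] > b["pri"]) != (a["state"] == "MSTR"):
            problems.append(f"VRID {vrid}: MSTR is not the higher-priority CB")
    return problems


# Wired access VLAN screens as shown in the design (values from the EVD).
CB1_SCREEN = """\
Slot-1 VPEX X590-24x-1q-2c.82 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0193 100       172.19.192.1   BKUP   00:00:5e:00:01:c1   0  0  0  Y 1  Y  N N
VLAN_16(En) 0160 254       172.16.10.1    MSTR   00:00:5e:00:01:a0   0  0  0  Y 1  Y  N N
VLAN_22(En) 0210 254       172.21.4.1     MSTR   00:00:5e:00:01:d2   0  0  0  Y 1  Y  N N
VLAN_17(En) 0170 100       172.17.4.1     BKUP   00:00:5e:00:01:aa   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
"""
CB2_SCREEN = """\
Slot-1 VPEX X590-24x-1q-2c.74 # show vrrp
                           Virtual               Master
VLAN Name   VRID Pri       IP Address     State  MAC Address         TP/TR/TV/P/T/FR/G/HM
VLAN_19(En) 0193 254       172.19.192.1   MSTR   00:00:5e:00:01:c1   0  0  0  Y 1  Y  N N
VLAN_16(En) 0160 100       172.16.10.1    BKUP   00:00:5e:00:01:a0   0  0  0  Y 1  Y  N N
VLAN_22(En) 0210 100       172.21.4.1     BKUP   00:00:5e:00:01:d2   0  0  0  Y 1  Y  N N
VLAN_17(En) 0170 254       172.17.4.1     MSTR   00:00:5e:00:01:aa   0  0  0  Y 1  Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
"""

if __name__ == "__main__":
    cb1, cb2 = parse_show_vrrp(CB1_SCREEN), parse_show_vrrp(CB2_SCREEN)
    print("as designed:", check_vrrp_pair(cb1, cb2) or "OK")
    # Constructed fault: fabric routing switched off for VRID 193 on CB2.
    faulty = parse_show_vrrp(CB2_SCREEN.replace("Y  N N", "N  N N", 1))
    print("with FR off:", check_vrrp_pair(cb1, faulty))
```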
Authentication – RADIUS
At School 2, configure RADIUS on the controlling bridges. When complete, the configuration should look similar to the one below:
Controlling Bridge 1
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.3 vr VR-Default
configure radius 1 shared-secret encrypted "#$FR2HspueIQEkIxIxySAINL4Nqavv7Q=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.3 vr VR-Default
configure radius 2 shared-secret encrypted "#$nvW9HcCSK15MqhSjtzI3cCkl4szxxQ=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.3 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$BD4euxt8U8/XQtjXlQHSV5eoJLEIoQ=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.3 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$hU4GHbjYuMuZxf5T4MYbDnNHC0JDkg=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
Controlling Bridge 2
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.4 vr VR-Default
configure radius 1 shared-secret encrypted "#$FR2HspueIQEkIxIxySAINL4Nqavv7Q=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.4 vr VR-Default
configure radius 2 shared-secret encrypted "#$nvW9HcCSK15MqhSjtzI3cCkl4szxxQ=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.4 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$BD4euxt8U8/XQtjXlQHSV5eoJLEIoQ=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.4 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$hU4GHbjYuMuZxf5T4MYbDnNHC0JDkg=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
Remote Site Connectivity via MAN
In this section VLAN interfaces will be configured to connect School 2 to the District Office/School 1.
Remote Site Connectivity Configuration
1. Configure VLANs for connectivity to District Office.
Refer to the VLAN names labeled for Remote Site Connectivity for VLAN names in the VLAN Subnet
Matrix above. All port assignments will be tagged.
Controlling Bridge 1
create vlan "VLAN_0101"
configure vlan VLAN_0101 description "To DO/SC1 Left"
configure vlan VLAN_0101 tag 101
configure vlan VLAN_0101 add ports 1:1 tagged
configure vlan default delete port 1:1
create vlan "VLAN_0204"
configure vlan VLAN_0204 description "To DO/SC1 Right"
configure vlan VLAN_0204 tag 204
configure vlan VLAN_0204 add ports 1:1 tagged
configure vlan default delete port 1:1
Controlling Bridge 2
create vlan "VLAN_0201"
configure vlan VLAN_0201 description "To DO/SC1 Right"
configure vlan VLAN_0201 tag 201
configure vlan VLAN_0201 add ports 1:1 tagged
configure vlan default delete port 1:1
create vlan "VLAN_0104"
configure vlan VLAN_0104 description "To DO/SC1 Left"
configure vlan VLAN_0104 tag 104
configure vlan VLAN_0104 add ports 1:1 tagged
configure vlan default delete port 1:1
2. Configure point-to-point interfaces to the District Office.
Refer to the VLAN Subnet Matrix above for the subnets labeled Remote Site Connectivity. All interfaces
are configured as point-to-point /30 subnets and are enabled for IP forwarding.
Controlling Bridge 1
configure vlan VLAN_0101 ipaddress 192.168.101.2 255.255.255.252
enable ipforwarding vlan VLAN_0101
enable bootprelay ipv4 vlan VLAN_0101
configure vlan VLAN_0204 ipaddress 192.168.201.14 255.255.255.252
enable ipforwarding vlan VLAN_0204
enable bootprelay ipv4 vlan VLAN_0204
Controlling Bridge 2
configure vlan VLAN_0201 ipaddress 192.168.201.2 255.255.255.252
enable ipforwarding vlan VLAN_0201
enable bootprelay ipv4 vlan VLAN_0201
configure vlan VLAN_0104 ipaddress 192.168.101.14 255.255.255.252
enable ipforwarding vlan VLAN_0104
enable bootprelay ipv4 vlan VLAN_0104
3. Configure OSPF instances at each Controlling Bridge.
OSPF is used to distribute the routes from all subnets district wide, so every VLAN at each location
should be advertised over these links. User access VLANs are distributed as directly connected routes.
The base OSPF configuration was performed earlier in this document.
Controlling Bridge 1
configure ospf add vlan VLAN_0101 area 0.0.0.0
configure ospf vlan VLAN_0101 authentication encrypted md5 101 "#$6dcVzX5McQOGcpgZuWCYPS6J+fGrKQ=="
configure ospf add vlan VLAN_0204 area 0.0.0.0
configure ospf vlan VLAN_0204 cost 10
configure ospf vlan VLAN_0204 authentication encrypted md5 204 "#$KpzPgwPhMwS26VULvxdP7C+EIIMlZA=="
Controlling Bridge 2
configure ospf add vlan VLAN_0201 area 0.0.0.0
configure ospf vlan VLAN_0201 authentication encrypted md5 201 "#$z8LiI9r7IalkdTOjeEXcBCHjp+9H+Q=="
configure ospf add vlan VLAN_0104 area 0.0.0.0
configure ospf vlan VLAN_0104 cost 10
configure ospf vlan VLAN_0104 authentication encrypted md5 104 "#$J6WZBUlHDyInR6OrL/Wv+/cLd9HCrQ=="
At the prompt, issue show ospf neighbor (output truncated).
Verify that the routers see each other, that the adjacency state is FULL, and that MD5 authentication is enabled.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.58 # show ospf neighbor
Neighbor ID     Pri State        Up/Dead Time            Address         Interface   BFD Session State
==========================================================================================
192.168.200.1   1   FULL  /DR    00:00:27:53/00:00:00:03 192.168.101.1   VLAN_0101   None
192.168.200.2   1   FULL  /DR    00:00:27:49/00:00:00:09 192.168.201.13  VLAN_0204   None
…
The adjacency state between neighbors should be FULL, and the OSPF router state should be DR or BDR.
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.59 # show ospf neighbor
Neighbor ID     Pri State        Up/Dead Time            Address         Interface   BFD Session State
==========================================================================================
192.168.200.1   1   FULL  /DR    00:00:28:03/00:00:00:09 192.168.101.13  VLAN_0104   None
192.168.200.2   1   FULL  /DR    00:00:28:03/00:00:00:05 192.168.201.1   VLAN_0201   None
…
Policy and Access Control
Extreme Management Center, Extreme Control, ExtremeAnalytics, and ExtremeWireless controller
appliances located at the District Office/School 1 will serve School 2 for policy and ExtremeControl rules
enforcement. All required Policy and Access Control configurations were performed as part of the District
Office/School 1 and will apply to the entire school district.
To configure ExtremeAnalytics, follow the same steps presented for District Office/School 1 to add
switches to the Analytics Engine and location configurations.
Authentication – Netlogin
At School 2, authentication with netlogin dot1x and MAC is enabled on all ports except for the uplink and
server ports. The authentication order is dot1x MAC.
When complete the configuration should look similar to the one below:
Controlling Bridge 1 and Controlling Bridge 2
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 1:2-22,1:25-28,1:30-32,1:34-36,100:1-48,100:51-52,110:1-24 dot1x
enable netlogin ports 1:2-22,1:25-28,1:30-32,1:34-36,100:1-48,100:51-52,110:1-24 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
School 3
[Figure: School 3 topology. Controlling Bridge 1 and Controlling Bridge 2 are MLAG redundant controlling bridges; the Bridge Port Extenders are connected in a cascade.]
School 3 includes a pair of ExtremeSwitching X590 switches, which serve as the controlling bridges
(CBs). The V400 devices serve as the bridge port extenders (BPEs). The CBs connect only to the first
BPE. The remaining BPEs connect to each other, via LACP, serially in what is referred to as a cascaded
topology. Multi-chassis link aggregation (MLAG) connectivity to the CBs is used to provide redundancy to
all network users.
ExtremeWireless access points can be connected to the ports of Power over Ethernet (PoE) capable
BPEs and/or PoE ports in the stack.
VLANs and Subnets at School 3
Below is a list and table grouping of VLANs by functionality at School 3. This functionality includes the
following types:
• Appliance - VLAN for Extreme Smart OmniEdge appliances.
• Management – Used to communicate with Extreme Smart OmniEdge Appliances and routing protocols.
• Remote Site Connectivity - Point-to-point interfaces used for connectivity between School 3 and the
District Office/School 1.
• Local Site Connectivity - VLAN interfaces used to distribute static and directly connected routes into
OSPF and to provide OSPF services to the ExtremeWireless controllers.
• ISC – VLAN for the MLAG Interswitch Connection.
• Access VLAN - VLANs for wired users, wireless users, and networked devices.
Device                      VLAN Name   Subnet             Tag   Type
Controlling Bridge 1        Lo0         192.168.200.5/32   1005  Management
Controlling Bridge 2        Lo0         192.168.200.6/32   1006  Management
Controlling Bridge 1        VLAN_0102   192.168.101.4/30   102   Remote Site Connectivity
Controlling Bridge 2        VLAN_0202   192.168.201.4/30   202   Remote Site Connectivity
Controlling Bridge 1        VLAN_0205   192.168.201.16/30  205   Remote Site Connectivity
Controlling Bridge 2        VLAN_0105   192.168.101.16/30  105   Remote Site Connectivity
Controlling Bridge 1 and 2  VLAN_0060   192.168.62.0/24    60    Local Site Connectivity
Controlling Bridge 1 and 2  vpexmlag    169.254.0.0/16     4089  ISC
Controlling Bridge 1 and 2  VLAN_1600   172.16.20.0/24     1600  Access VLAN
Controlling Bridge 1 and 2  VLAN_1900   172.19.160.0/27    1900  Access VLAN
Controlling Bridge 1 and 2  VLAN_2200   172.21.8.0/22      2200  Access VLAN
Controlling Bridge 1 and 2  VLAN_1700   172.17.8.0/22      1700  Access VLAN
Controlling Bridge 1 and 2  VLAN_1800   172.18.64.0/19     1800  Access VLAN
School 3 – Configuration
[Figure: School 3 configuration overview. Controlling Bridge 1 and Controlling Bridge 2 (MLAG redundant controlling bridges) with the Bridge Port Extenders; the callouts are listed below.]
1. VPEX Full Automation determines if switches are CB capable and BPEs are connected. If the conditions
are met, VPEX functionality is enabled and the CBs are rebooted.
2. VPEX Full Automation configures a LAG between CB1 and CB2.
3. VPEX Full Automation creates and configures an ISC VLAN, adds an LACP port, and configures an IP
interface.
4. VPEX Full Automation creates and configures an MLAG ISC, and configures the CBs as peers.
5. VPEX Full Automation enables VPEX Partial Automation.
6. VPEX Partial Automation configures a slot number for each attached BPE, configures the BPE module
type, configures CB ports attached to BPEs as VPEX ports, enables MLAG ports with appropriate peer IDs,
and adds ports to cascade LAGs as needed.
Extended Edge Cascade with MLAG
In order to take advantage of VPEX Full Automation, the following cabling requirements need to be met:
• To create an MLAG for the ISC, CB1 and CB2 should be cabled together.
• To enable VPEX mode, the CBs should be cabled to the first BPE in the cascade.
• To create the cascade, continue to cable the BPEs serially. Up to 4 BPEs can be configured in the
cascade.
Once cabled properly, power-on CB1, CB2, BPE1, BPE2, BPE3, and BPE4. After the switches are
finished running VPEX Full Automation and VPEX Partial Automation, verify the CBs have been properly
configured and are functioning.
Note
To better control slot numbering, the user may decide to power on the BPEs one at a time. If all BPEs
are turned on at the same time, there is no mechanism to guarantee slot order; slot order is determined by
which BPE's LLDP message is received first by the CBs.
VPEX Full Automation and VPEX Partial Automation can take eight minutes or longer to complete.
Please be patient.
1. Verify VPEX support has been enabled for VPEX Full Automation.
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.16 # show vpex
Virtual Port Extender: Enabled
Auto-Configuration:    Disabled
Cascade
Port      Slot
=============
-
Verify VPEX is enabled:
• The prompt changes, indicating VPEX is enabled.
• Virtual Port Extender indicates Enabled.
2. Verify VPEX Full Automation has created and configured a LAG between CB1 and CB2. Verify
LAGs have been configured between the CBs and BPEs.
Controlling Bridge 1 and 2
enable sharing 1:29 grouping 1:29,1:33 algorithm address-based custom lacp
enable sharing 1:24 grouping 1:24 algorithm address-based custom lacp
enable sharing 100:52 grouping 100:51-52 algorithm address-based custom lacp
enable sharing 101:51 grouping 101:51-52 algorithm address-based custom lacp
enable sharing 102:51 grouping 102:51-52 algorithm address-based custom lacp
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.10 # show sharing
Load Sharing Monitor
Config    Current  Agg      Min     Ld Share   Dist   Ld Share  Agg  Link   Link Up
Master    Master   Control  Active  Algorithm  Flags  Group     Mbr  State  Transitions
================================================================================
   1:24     1:24   LACP     1       custom     A         1:24   Y    A      1
   1:29     1:29   LACP     1       custom     A         1:29   Y    A      1
                                    custom               1:33   Y    A      1
 100:52   100:51   LACP     1       custom     A       100:51   Y    A      1
                                    custom             100:52   Y    A      1
 101:51   101:51   LACP     1       custom     A       101:51   Y    A      1
                                    custom             101:52   Y    A      1
 102:51   102:51   LACP     1       custom     A       102:51   Y    A      1
                                    custom             102:52   Y    A      1
================================================================================
…
Verify the LACP configuration:
• Verify Agg Mbr = Y
• Verify Link State = A
3. Verify VPEX Full Automation has created and configured an ISC VLAN, added CB to CB LACP
port, and configured IP interfaces.
Controlling Bridge 1
create vlan "vpexmlag"
configure vlan vpexmlag tag 4089
configure vlan vpexmlag add ports 1:29 tagged
configure vlan vpexmlag ipaddress 169.254.0.1 255.255.0.0
Controlling Bridge 2
create vlan "vpexmlag"
configure vlan vpexmlag tag 4089
configure vlan vpexmlag add ports 1:29 tagged
configure vlan vpexmlag ipaddress 169.254.0.2 255.255.0.0
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.2 # show vlan vpexmlag
VLAN Interface with name vpexmlag created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 4089
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          169.254.0.1/16
    …
    Ports:   1.           (Number of active ports=1)
       Tag:     *1:29g
    …
Verify VPEX Full Automation configured the VLAN:
• VLAN named vpexmlag created
• IP address configured for the VLAN
• LAG port added to the VLAN
• I flag confirms ISC VLAN
Slot-1 VPEX X590-24x-1q-2c.7 # show vlan
Untagged ports auto-move: Inform
---------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                         Proto  Ports   Virtual
                                                                             Active  router
                                                                             /Total
---------------------------------------------------------------------------------
vpexmlag        4089 169.254.0.1    /16  ------I---------------------  ANY    1 /1
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.2 # show vlan vpexmlag
VLAN Interface with name vpexmlag created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 4089
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          169.254.0.2/16
    …
    Ports:   1.           (Number of active ports=1)
       Tag:     *1:29g
    …
Slot-1 VPEX X590-24x-1q-2c.7 # show vlan
Untagged ports auto-move: Inform
---------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                         Proto  Ports   Virtual
                                                                             Active  router
                                                                             /Total
---------------------------------------------------------------------------------
vpexmlag        4089 169.254.0.2    /16  ------I---------------------  ANY    1 /1
4. Verify VPEX Full Automation has properly created and configured an MLAG, which includes
configuring the CBs as peers, adding the CB-to-BPE LAGs as MLAG ports, and assigning appropriate
MLAG IDs.
Controlling Bridge 1
create mlag peer "vpexmlag"
configure mlag peer "vpexmlag" ipaddress 169.254.0.2 vr VR-Default
enable mlag port 1:24 peer "vpexmlag" id 5100
Controlling Bridge 2
create mlag peer "vpexmlag"
configure mlag peer "vpexmlag" ipaddress 169.254.0.1 vr VR-Default
enable mlag port 1:24 peer "vpexmlag" id 5100
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.20 # show mlag peer
Multi-switch Link Aggregation Peers:
MLAG Peer         : vpexmlag
VLAN              : vpexmlag                Virtual Router    : VR-Default
Local IP Address  : 169.254.0.1             Peer IP Address   : 169.254.0.2
MLAG ports        : 1                       Tx-Interval       : 1000 ms
Checkpoint Status : Up                      Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 5720                    Tx-Hellos         : 5731
Rx-Checkpoint Msgs: 896                     Tx-Checkpoint Msgs: 6242
Rx-Hello Errors   : 0                       Tx-Hello Errors   : 0
Hello Timeouts    : 0                       Checkpoint Errors : 0
Up Time           : 0d:1h:33m:11s           Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fa:cc       Peer MAC          : 00:04:96:a3:fb:18
Config'd LACP MAC : None                    Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
Alternate path information: None
Verify the following in the show mlag peer output:
1. Peer name and peer IP address are configured.
2. Local IP address is configured.
3. Peer IP address is known.
4. Checkpoint Status is Up.
5. Hello and Checkpoint messages are incrementing.
6. Error counters are not incrementing, but might be present.
Slot-1 VPEX X590-24x-1q-2c.21 # show mlag ports
                  Local   Local            Remote            Local  Remote
MLAG      Local   Link    Remote           Peer              Fail   Fail
Id        Port    State   Link    Peer     Status            Count  Count
================================================================================
5100      1:24    A       Up      vpexmlag Up                0      0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG port
Number of Multi-switch Link Aggregation Groups : 1
Convergence control                            : Conserve Access Lists
Reload Delay Interval                          : 30 seconds
Reload Delay                                   : Disabled
Link Up Isolation                              : Off
Verify the following in the show mlag ports output:
1. Local Link State is Active.
2. Remote Link is Up.
3. Peer Status is Up.
4. Local and Remote Fail Counts are not incrementing.
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.15 # show mlag peer
Multi-switch Link Aggregation Peers:
MLAG Peer         : vpexmlag
VLAN              : vpexmlag                Virtual Router    : VR-Default
Local IP Address  : 169.254.0.2             Peer IP Address   : 169.254.0.1
MLAG ports        : 1                       Tx-Interval       : 1000 ms
Checkpoint Status : Up                      Peer Tx-Interval  : 1000 ms
Rx-Hellos         : 5777                    Tx-Hellos         : 5813
Rx-Checkpoint Msgs: 6301                    Tx-Checkpoint Msgs: 905
Rx-Hello Errors   : 0                       Tx-Hello Errors   : 0
Hello Timeouts    : 0                       Checkpoint Errors : 0
Up Time           : 0d:1h:34m:6s            Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fb:18       Peer MAC          : 00:04:96:a3:fa:cc
Config'd LACP MAC : None                    Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
Alternate path information: None
Slot-1 VPEX X590-24x-1q-2c.16 # show mlag ports
                  Local   Local            Remote            Local  Remote
MLAG      Local   Link    Remote           Peer              Fail   Fail
Id        Port    State   Link    Peer     Status            Count  Count
================================================================================
5100      1:24    A       Up      vpexmlag Up                0      0
================================================================================
Local Link State: A - Active, D - Disabled, R - Ready, NP - Port not present
Remote Link     : Up - One or more links are active on the remote switch,
                  Down - No links are active on the remote switch,
                  N/A - The peer has not communicated link state for this MLAG port
Number of Multi-switch Link Aggregation Groups : 2
Convergence control                            : Conserve Access Lists
Reload Delay Interval                          : 30 seconds
Reload Delay                                   : Disabled
Link Up Isolation                              : Off
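The peer checks above (Checkpoint Status up, hello and checkpoint counters incrementing, error counters flat) are easiest to apply from two snapshots of show mlag peer taken a few seconds apart. The following Python is an added example, not part of this document or of ExtremeXOS; the two snapshots are constructed in the layout of the screens above, and the choice of which counters must grow and which must stay flat follows the callouts in this section.

```python
import re
from typing import Dict, List

# One "Key : Value" pair; the show mlag peer layout puts two of them on most lines.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z'.\- ]*?)\s*:\s*(\S+(?: ms)?)")

# Counters that must grow between two snapshots, and counters that must stay flat
# (the document's callouts 5 and 6).
COUNTERS_UP = ("Rx-Hellos", "Tx-Hellos", "Rx-Checkpoint Msgs", "Tx-Checkpoint Msgs")
COUNTERS_FLAT = ("Rx-Hello Errors", "Tx-Hello Errors", "Hello Timeouts",
                 "Checkpoint Errors", "Peer Conn.Failures")


def snapshot(rx_hellos, tx_hellos, rx_cp, tx_cp, status="Up", hello_timeouts=0):
    """Constructed 'show mlag peer' screen in the layout this document shows (sample data)."""
    return f"""\
Multi-switch Link Aggregation Peers:
MLAG Peer         : vpexmlag
VLAN              : vpexmlag                Virtual Router    : VR-Default
Local IP Address  : 169.254.0.1             Peer IP Address   : 169.254.0.2
MLAG ports        : 1                       Tx-Interval       : 1000 ms
Checkpoint Status : {status:<24}Peer Tx-Interval  : 1000 ms
Rx-Hellos         : {rx_hellos:<24}Tx-Hellos         : {tx_hellos}
Rx-Checkpoint Msgs: {rx_cp:<24}Tx-Checkpoint Msgs: {tx_cp}
Rx-Hello Errors   : 0                       Tx-Hello Errors   : 0
Hello Timeouts    : {hello_timeouts:<24}Checkpoint Errors : 0
Up Time           : 0d:1h:33m:11s           Peer Conn.Failures: 1
Local MAC         : 00:04:96:a3:fa:cc       Peer MAC          : 00:04:96:a3:fb:18
Config'd LACP MAC : None                    Current LACP MAC  : 00:04:96:a3:fb:18
Authentication    : None
"""


def parse_mlag_peer(text: str) -> Dict[str, str]:
    """Flatten the two-column 'Key : Value' screen into a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            fields[key.strip()] = value
    return fields


def mlag_peer_health(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Compare two parsed snapshots; an empty list means the peer looks healthy."""
    problems = []
    if after.get("Checkpoint Status") != "Up":
        problems.append(f"Checkpoint Status is {after.get('Checkpoint Status')}, expected Up")
    if after.get("Peer IP Address") in (None, "None"):
        problems.append("Peer IP Address is not known")
    for counter in COUNTERS_UP:
        if int(after[counter]) <= int(before[counter]):
            problems.append(f"{counter} not incrementing ({before[counter]} -> {after[counter]})")
    for counter in COUNTERS_FLAT:
        if int(after[counter]) != int(before[counter]):
            problems.append(f"{counter} incremented ({before[counter]} -> {after[counter]})")
    return problems


if __name__ == "__main__":
    first = parse_mlag_peer(snapshot(5720, 5731, 896, 6242))
    second = parse_mlag_peer(snapshot(5780, 5791, 900, 6300))
    print(mlag_peer_health(first, second) or "MLAG peer healthy")
```

A non-empty Hello Timeouts or Peer Conn.Failures value in a single snapshot is not by itself a fault (callout 6 says the errors "might be present"); only a change between the two snapshots is reported.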
5. Verify VPEX Full Automation has enabled VPEX Partial Automation.
Controlling Bridge 1 and 2
enable vpex auto-configuration
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.16 # show vpex
Virtual Port Extender: Enabled
Auto-Configuration:    Enabled
Cascade
Port      Slot
=============
-
Verify Auto-Configuration is enabled:
• The Auto-Configuration indicator shows Enabled.
6. Verify the VPEX Partial Automation properly configures VPEX slots.
Controlling Bridge 1
configure slot 100 module V400-48p-10GE4
configure sys-recovery-level slot 100 reset
configure slot 101 module V400-48p-10GE4
configure sys-recovery-level slot 101 reset
configure slot 102 module V400-48t-10GE4
configure sys-recovery-level slot 102 reset
configure slot 103 module V400-48t-10GE4
configure sys-recovery-level slot 103 reset
configure vpex port 1:24 slot 100
configure vpex port 100:52 slot 101
configure vpex port 101:51 slot 102
configure vpex port 102:52 slot 103
Controlling Bridge 2
configure slot 100 module V400-48p-10GE4
configure sys-recovery-level slot 100 reset
configure slot 101 module V400-48p-10GE4
configure sys-recovery-level slot 101 reset
configure slot 102 module V400-48t-10GE4
configure sys-recovery-level slot 102 reset
configure slot 103 module V400-48t-10GE4
configure sys-recovery-level slot 103 reset
configure vpex port 1:24 slot 100
configure vpex port 100:52 slot 101
configure vpex port 101:51 slot 102
configure vpex port 102:52 slot 103
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.25 # show vpex bpe
PE    Casc
Slot  Port    Model            MAC Address        Description
=================================================================================================================
100   1:24    V400-48p-10GE4   d8:84:66:f2:c3:43  none
101   100:52  V400-48p-10GE4   d8:84:66:f2:cb:8b  none
102   101:51  V400-48t-10GE4   d8:84:66:f3:02:64  none
103   102:52  V400-48t-10GE4   d8:84:66:f3:09:39  none
Verify the module type is configured and that the MAC addresses of the BPEs match on both CBs.
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.19 # show vpex bpe
PE    Casc
Slot  Port    Model            MAC Address        Description
=================================================================================================================
100   1:24    V400-48p-10GE4   d8:84:66:f2:c3:43  none
101   100:52  V400-48p-10GE4   d8:84:66:f2:cb:8b  none
102   101:51  V400-48t-10GE4   d8:84:66:f3:02:64  none
103   102:52  V400-48t-10GE4   d8:84:66:f3:09:39  none
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.26 # show vpex ports
                 Cascade Ext  Port  Link  PECSP              PE                 CSPOpen  CSP
Port             Port    Slot State State MAC Address        MAC Address        Loc Rem  Role #  Flags
===========================================================================================
1:24             1:24    100  E     A     d8:84:66:f2:c3:74  d8:84:66:f2:c3:43  1   1
100:51           100:52  101  E     A     d8:84:66:f2:cb:bc  d8:84:66:f2:cb:8b  1   1    MC
100:52           100:52  101  E     A     d8:84:66:f2:cb:bd  d8:84:66:f2:cb:8b  1   1    MC
101:51           101:51  102  E     A     d8:84:66:f3:02:95  d8:84:66:f3:02:64  1   1    MC
101:52           101:51  102  E     A     d8:84:66:f3:02:96  d8:84:66:f3:02:64  1   1    MC
102:51           102:52  103  E     A     d8:84:66:f3:09:6b  d8:84:66:f3:09:39  1   1    MC
102:52           102:52  103  E     A     d8:84:66:f3:09:6a  d8:84:66:f3:09:39  1   1    MC
===========================================================================================
…
1. Verify Port State is Enabled (E).
2. Verify Link State is Active (A).
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.20 # show vpex ports
                 Cascade Ext  Port  Link  PECSP              PE                 CSPOpen  CSP
Port             Port    Slot State State MAC Address        MAC Address        Loc Rem  Role #  Flags
===========================================================================================
1:24             1:24    100  E     A     d8:84:66:f2:c3:74  d8:84:66:f2:c3:43  1   1
100:51           100:52  101  E     A     d8:84:66:f2:cb:bc  d8:84:66:f2:cb:8b  1   1    BC
100:52           100:52  101  E     A     d8:84:66:f2:cb:bd  d8:84:66:f2:cb:8b  1   1    BC
101:51           101:51  102  E     A     d8:84:66:f3:02:95  d8:84:66:f3:02:64  1   1    BC
101:52           101:51  102  E     A     d8:84:66:f3:02:96  d8:84:66:f3:02:64  1   1    BC
102:51           102:52  103  E     A     d8:84:66:f3:09:6b  d8:84:66:f3:09:39  1   1    BC
102:52           102:52  103  E     A     d8:84:66:f3:09:6a  d8:84:66:f3:09:39  1   1    BC
===========================================================================================
…
Verify the MAC addresses of the BPEs match on both CBs.
[Figure: School 3 manual configuration steps. Controlling Bridge 1 and Controlling Bridge 2 (MLAG redundant controlling bridges) with the Bridge Port Extenders; the callouts are listed below.]
7. Manually delete all ports from the default VLAN, disable MSTP, and free up ACL resources.
8. Manually configure a loopback interface for routing and device management.
9. Manually configure a base OSPF configuration.
10. Manually configure a VLAN for local site connectivity.
11. Manually configure VRRP for the local site connectivity VLAN.
12. Manually configure OSPF for the local site connectivity VLAN.
7. Remove ports from Default VLAN, disable MSTP, and free up ACL resources.
The default VLAN is not needed for this EVD, so all ports are removed from the VLAN. Because of this,
MSTP instance s0 is also disabled.
Controlling Bridge 1 and 2
configure vlan default delete ports all
configure vr VR-Default delete ports 1:1-36,100:1-52,101:1-26
configure vr VR-Default add ports 1:1-36,100:1-52,101:1-26
configure vlan default delete ports 1:1-36,100:1-52,101:1-26
disable stpd s0
configure policy resource-profile default profile-modifier no-mac enable no-ipv6 enable
Controlling Bridge 1 and 2
Slot-1 VPEX X590-24x-1q-2c.11 # show stpd s0
Stpd: s0                Stp: DISABLED           Number of Ports: 0
Rapid Root Failover: Disabled
Operational Mode: MSTP                          Default Binding Mode: 802.1D
MSTI Instance: CIST
802.1Q Tag: (none)
Ports: (none)
Participating Vlans: (none)
Auto-bind Vlans: Default
…
Verify the following STP variables for s0:
• STP is disabled
• No ports participating in STP
• No VLANs participating in STP
8. Configure Loopback VLAN and Interface
The internal loopback interface serves as the primary interface for in-band management in this
topology. It also serves as the interface between the Extreme Network appliances and the devices.
Controlling Bridge 1
create vlan "lo0"
configure vlan lo0 tag 1001
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.5 255.255.255.255
enable ipforwarding vlan lo0
Controlling Bridge 2
create vlan "lo0"
configure vlan lo0 tag 1001
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.6 255.255.255.255
enable ipforwarding vlan lo0
Configuring the system loopback interface involves creating a VLAN with a tag and enabling it for the
following IP services: loopback mode and IP forwarding. The loopback interface is configured with a /32
subnet mask.
9. Configure OSPF Base Configuration
With the creation of the loopback interface, it is now possible to create the base OSPF routing
configuration. OSPF redistributes any directly connected interfaces and static routes into the routing table.
This becomes more critical later on, when remote schools are attached to the topology.
Controlling Bridge 1
configure ospf routerid 192.168.200.5
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
Controlling Bridge 2
configure ospf routerid 192.168.200.6
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
The loopback interface created in the previous step is configured as the OSPF Router-ID. The loopback
interface is added to area 0.0.0.0.
10. Configure VLAN and Interface for Local Site Connectivity on Controlling Bridges.
Configure a VLAN for local site connectivity on the controlling bridges. This VLAN is used to
redistribute directly connected and static routes into OSPF. It is also used by APs for connectivity to
the wireless controllers.
Controlling Bridge 1
create vlan "VLAN_0060"
configure vlan VLAN_0060 description "School 3 Local Site Connectivity"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 add ports 1:29 tagged
configure vlan VLAN_0060 ipaddress 192.168.62.2 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
Configure local-site VLAN_0060 with:
1. VLAN description
2. VLAN tag
3. LACP trunk port added to the VLAN
4. IP address configured
5. IP forwarding enabled for unicast routing
6. BOOTP relay enabled for DHCP
7. IP route sharing (ECMP)
Controlling Bridge 2
create vlan "VLAN_0060"
configure vlan VLAN_0060 description "School 3 Local Site Connectivity"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 add ports 1:29 tagged
configure vlan VLAN_0060 ipaddress 192.168.62.3 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
At the prompt, issue show vlan VLAN_0060 (output truncated) and verify:
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.49 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         School 3 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.63.2/24
    …
    Ports:   1.           (Number of active ports=1)
       Tag:     *1:29g
    …
Verify the following items:
1. VLAN name, state and tag
2. VLAN description
3. LACP trunk port added to the VLAN
4. IP address configured
5. IP forwarding enabled for unicast routing
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.35 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         School 3 Local Site Connectivity
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.62.3/24
    …
    Ports:   1.           (Number of active ports=1)
       Tag:     *1:29g
    …
11. Configure VRRP on Local Site Connectivity VLAN on the Controlling Bridges.
Configure VRRP for the VLAN to provide the ExtremeWireless IdentiFi APs a common gateway to
reach the ExtremeWireless Controllers.
Controlling Bridge 1
create vrrp vlan VLAN_0060 vrid 60
configure vrrp vlan VLAN_0060 vrid 60 priority 254
configure vrrp vlan VLAN_0060 vrid 60 fabric-routing on
configure vrrp vlan VLAN_0060 vrid 60 add 192.168.62.1
enable vrrp vlan VLAN_0060 vrid 60
Controlling Bridge 2
create vrrp vlan VLAN_0060 vrid 60
configure vrrp vlan VLAN_0060 vrid 60 fabric-routing on
configure vrrp vlan VLAN_0060 vrid 60 add 192.168.62.1
enable vrrp vlan VLAN_0060 vrid 60
vrid 60 is the VRRP instance ID for VLAN VLAN_0060. The priority is configured to make master election
more reliable. Fabric-routing is enabled so that packets don't have to be routed through the VRRP master if
a more direct route exists on the receiving interface. 192.168.62.1 is the VRRP virtual IP address.
At the prompt, issue show vrrp and verify the VLAN_0060 configuration. The FR value must be Y on both
the VRRP master and backup.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.7 # show vrrp
                              Virtual                          Master
VLAN Name   VRID Pri  IP Address    State MAC Address        TP/TR/TV/P/T  /FR/G/HM
VLAN_00(En) 0060 254  192.168.62.1  MSTR  00:00:5e:00:01:3c  0  0  0  Y 1   Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
…
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.7# show vrrp
                              Virtual                          Master
VLAN Name   VRID Pri  IP Address    State MAC Address        TP/TR/TV/P/T  /FR/G/HM
VLAN_00(En) 0060 100  192.168.62.1  BKUP  00:00:5e:00:01:3c  0  0  0  Y 1   Y  N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
…
The switch with the highest priority has the MSTR state and the other one BKUP.
12. Configure OSPF Local Site Connectivity VLAN
This interface will serve as the main routing aggregation point for all the user access VLANs. Therefore, it
is very important that this interface has OSPF enabled.
Controlling Bridge 1
configure ospf add vlan VLAN_0060 area 0.0.0.0
configure ospf vlan VLAN_0060 authentication encrypted md5 62 "#$JFhyukUlMfW97SAiO7/iMLqPwEPirQ=="
Controlling Bridge 2
configure ospf add vlan VLAN_0060 area 0.0.0.0
configure ospf vlan VLAN_0060 authentication encrypted md5 62 "#$29ah8Mlb4X+FbErH8yoiW/nhP7kN8w=="
The connectivity VLAN is added to area 0.0.0.0. MD5 authentication is enabled to provide added security
between OSPF adjacencies.
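Three controls in this design are easy to lose during a later edit of the configuration: the MD5 authentication on every OSPF-enabled VLAN (this step and step 3 of the School 2 section), the pair of RADIUS servers with accounting for netlogin (the Controlling Bridge configurations at the start of this section), and the netlogin port lists that must cover every user port but never an uplink or server port (Authentication – Netlogin). The following Python is an added example, not part of this document or of ExtremeXOS, that audits a saved configuration for all three. The configuration excerpt is constructed in the style of this document's commands with a placeholder encrypted key and two deliberate defects, and the set of uplink ports is an input the operator supplies; the expectation that a VLAN's dot1x and mac port lists match follows this document's own configurations and is an assumption about the intended policy.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the configurations in this document. Two defects are
# planted on purpose: VLAN_0204 joins OSPF without MD5 authentication, and uplink 1:1 is
# included in the dot1x netlogin port list. The encrypted key is a placeholder, not a real one.
SAMPLE_CONFIG = """\
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.5 vr VR-Default
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.5 vr VR-Default
enable radius netlogin
enable radius-accounting netlogin
create vlan "lo0"
enable loopback-mode vlan lo0
configure ospf add vlan lo0 area 0.0.0.0
configure ospf add vlan VLAN_0101 area 0.0.0.0
configure ospf vlan VLAN_0101 authentication encrypted md5 101 "#$PLACEHOLDER-ENCRYPTED-KEY=="
configure ospf add vlan VLAN_0204 area 0.0.0.0
enable netlogin dot1x mac
enable netlogin ports 1:1-22,100:1-48 dot1x
enable netlogin ports 1:2-22,100:1-48 mac
"""


def expand_ports(spec: str) -> set:
    """Expand an ExtremeXOS port list such as '1:2-4,100:51-52' into individual slot:port names."""
    ports = set()
    for item in spec.split(","):
        slot, rng = item.split(":")
        low, _, high = rng.partition("-")
        for port in range(int(low), int(high or low) + 1):
            ports.add(f"{slot}:{port}")
    return ports


def audit_config(text: str, uplink_ports) -> list:
    """Return a list of findings for the configuration text; an empty list means it passed."""
    ospf_vlans, md5_vlans, loopbacks, radius_servers, radius_flags = set(), set(), set(), set(), set()
    netlogin = defaultdict(set)  # authentication method -> ports it is enabled on
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"configure ospf add vlan (\S+) area", line):
            ospf_vlans.add(m[1])
        elif m := re.match(r"configure ospf vlan (\S+) authentication (?:encrypted )?md5", line):
            md5_vlans.add(m[1])
        elif m := re.match(r"enable loopback-mode vlan (\S+)", line):
            loopbacks.add(m[1])
        elif m := re.match(r"configure radius \d+ server (\S+)", line):
            radius_servers.add(m[1])
        elif m := re.match(r"enable netlogin ports (\S+) (dot1x|mac|web-based)$", line):
            netlogin[m[2]] |= expand_ports(m[1])
        elif line.startswith("enable radius"):
            radius_flags.add(line)

    findings = []
    # A loopback VLAN has no neighbours, so it is the one OSPF interface that needs no key.
    for vlan in sorted(ospf_vlans - loopbacks - md5_vlans):
        findings.append(f"{vlan}: OSPF enabled without MD5 authentication")
    if len(radius_servers) < 2:
        findings.append(f"only {len(radius_servers)} RADIUS server(s) configured, no redundancy")
    for required in ("enable radius netlogin", "enable radius-accounting netlogin"):
        if required not in radius_flags:
            findings.append(f"missing '{required}'")
    # Netlogin on an uplink or ISC port would authenticate the neighbouring switch, not a user.
    for method in sorted(netlogin):
        bad = sorted(netlogin[method] & set(uplink_ports))
        if bad:
            findings.append(f"netlogin {method} enabled on uplink port(s) {', '.join(bad)}")
    # The document enables dot1x and mac on the same port list; a port with only one method
    # cannot fall back from dot1x to MAC authentication.
    odd = sorted(netlogin["dot1x"] ^ netlogin["mac"])
    if odd:
        findings.append(f"dot1x/mac netlogin port lists differ: {', '.join(odd)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, {"1:1", "1:29", "1:33"}):
        print("FINDING:", finding)
```

The audit only reads lines in the forms this document uses; a configuration that sets OSPF authentication with a different keyword (for example simple-password) would be reported as missing MD5, which is the intended outcome for this design.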
At the prompt, issue show ospf neighbor (output truncated).
Verify that the routers see each other, that the adjacency state is FULL, and that MD5 authentication is enabled.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.8 # show ospf neighbor
Neighbor ID     Pri State        Up/Dead Time            Address         Interface   BFD Session State
==========================================================================================
192.168.200.6   1   FULL  /DR    03:03:01:28/00:00:00:10 192.168.62.3    VLAN_0060   None
…
The adjacency state between neighbors should be FULL, and the OSPF router state should be DR or BDR.
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.8 # show ospf neighbor
Neighbor ID     Pri State        Up/Dead Time            Address         Interface   BFD Session State
==========================================================================================
192.168.200.5   1   FULL  /BDR   03:03:03:06/00:00:00:06 192.168.62.2    VLAN_0060   None
…
Wired User Access
All access VLANs are given a redundant gateway with VRRP. All user credentials are authenticated against ExtremeControl over RADIUS. The following VLAN types are available at School 3:
The Guest_Wired VLAN gives guest users access at School 3. This VLAN is configured at all the schools. It is typically the most restrictive of all the access VLANs.
The Admin VLAN provides access layer connectivity to network administrators. These users are assigned the Admin role by Extreme Policy Manager and ExtremeControl. This access layer VLAN is typically the least restrictive of the access VLANs.
The NonAdmin_Wired VLAN provides access layer connectivity to other authorized users. These users are assigned a Student or Faculty role by Extreme Policy Manager and ExtremeControl. Roles can be more granular than the ones presented here. Most users access the school district network through this VLAN.
The Network_Devices VLAN provides access layer connectivity to common network devices such as printers, VoIP phones, or security cameras.
Figure: School 3 topology, with the MLAG pair of redundant Controlling Bridges (Controlling Bridge 1 and Controlling Bridge 2) and the Bridge Port Extenders. Steps: 1. Configure four wired user access VLANs. 2. Configure all user access ports with the Guest_Wired PVID. 3. Configure IP address and IP services on the wired user access VLANs. 4. Configure VRRP for the user access VLANs.
The process of adding an access VLAN to the CB/BPE topology involves several steps. First, create the access VLAN with its 802.1Q tag on both CBs. Then add the Local Site trunk port and the MLAG ports as tagged members of the access VLAN. Finally, configure the routing functionality: IP address, VRRP for a common gateway, and IP forwarding.
Note
During these manual configuration steps, the user can choose to use mlag orchestration mode. This mode is helpful for configuring exactly the same commands on both CBs. However, do not use it for configuration that must be unique per CB, such as IP addresses, VRRP priorities, and OSPF configuration. To enable this mode, refer to mlag orchestration mode operation on Page 16.
1. Configure four access VLANs and assign ports.
Four wired access VLANs are created with a tag and a description, and the Local Site LACP trunk port (1:29) is added to each as a tagged member.
Controlling Bridge 1
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:29 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:29 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:29 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:29 tagged
Controlling Bridge 2
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
configure vlan VLAN_1900 add ports 1:29 tagged
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
configure vlan VLAN_1600 add ports 1:29 tagged
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
configure vlan VLAN_2200 add ports 1:29 tagged
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
configure vlan VLAN_1700 add ports 1:29 tagged
After creating the VLANs, every port that will be used for user access should be configured with Guest_Wired (VLAN_1900) as its untagged, native VLAN (PVID), so that a station that policy has not moved elsewhere sits in the most restrictive VLAN. When complete, the configuration should look similar to the one below; all wired access ports are added to the Guest_Wired VLAN as untagged (PVID).
Controlling Bridge 1
configure vlan VLAN_1900 add ports 1:2-23,100:1-48,101:1-48,102:1-48,103:1-48 untagged
Controlling Bridge 2
configure vlan VLAN_1900 add ports 1:2-23,100:1-48,101:1-48,102:1-48,103:1-48 untagged
Caution
When assigning the Guest_Wired PVID to access ports, take care not to reconfigure ports that already carry other configuration. These ports might include the following:
• Local Site LACP Trunk Port
• Uplink ports between Controlling Bridges and Bridge Port Extenders
• Uplink ports between X590/X690
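The caution above can be checked mechanically before the command is pasted in. The following Python is an added example, not part of the Extreme Validated Design or of ExtremeXOS: it expands the EXOS port-list syntax used by these commands and reports any overlap between the ports given the Guest_Wired PVID and a set of ports that must not be touched. The reserved set (1:1, 1:24, 1:29, 1:33) is an assumption for illustration, and the second check compares the PVID list against the netlogin port list from the School 3 Authentication – Netlogin section later in this document.

```python
import re

# ExtremeXOS port syntax: "slot:port" on a stack or VPEX system, bare "port" on a
# standalone switch, ranges written "1:2-23" or "50-52", entries comma-separated.
_ENTRY = re.compile(r"^(?:(\d+):)?(\d+)(?:-(\d+))?$")


def expand_ports(port_list: str) -> set:
    """Return the individual ports named by an EXOS port list."""
    ports = set()
    for entry in port_list.split(","):
        m = _ENTRY.match(entry.strip())
        if not m:
            raise ValueError(f"bad port entry: {entry!r}")
        slot, first, last = m.group(1), int(m.group(2)), m.group(3)
        last = int(last) if last else first
        if last < first:
            raise ValueError(f"descending range: {entry!r}")
        for p in range(first, last + 1):
            ports.add(f"{slot}:{p}" if slot else str(p))
    return ports


def clobbered_ports(access_list: str, reserved: set) -> set:
    """Ports in access_list that the caution says must not be reconfigured
    as untagged Guest_Wired members (uplinks, CB<->BPE cascade, LACP trunk)."""
    return expand_ports(access_list) & reserved


# Port list from the School 3 PVID step above.
GUEST_WIRED_PORTS = "1:2-23,100:1-48,101:1-48,102:1-48,103:1-48"
# Netlogin port list from the School 3 Authentication - Netlogin section.
NETLOGIN_PORTS = "1:2-23,1:25-28,1:30-32,1:34-36,100:1-48,101:1-48,102:1-48,103:1-48"
# Assumed for illustration: MAN uplink, CB/BPE cascade ports and the LACP trunk.
RESERVED = {"1:1", "1:24", "1:29", "1:33"}


def netlogin_without_pvid() -> set:
    """Ports that authenticate users but never received the Guest_Wired PVID;
    a station on them that policy does not move lands in whatever VLAN the
    port is actually untagged in, not necessarily the most restrictive one."""
    return expand_ports(NETLOGIN_PORTS) - expand_ports(GUEST_WIRED_PORTS)


if __name__ == "__main__":
    print("reserved ports touched by the PVID step:",
          sorted(clobbered_ports(GUEST_WIRED_PORTS, RESERVED)) or "none")
    print("netlogin ports lacking the Guest_Wired PVID:", sorted(netlogin_without_pvid()))
```

Run against the page's own port lists, the PVID step touches none of the assumed reserved ports, while ten CB front-panel ports (1:25-28, 1:30-32, 1:34-36) have netlogin enabled without the Guest_Wired PVID; whether that is intended depends on what those ports are used for.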
2. Configure Access VLAN Interface and other routing services.
An IP interface is configured for each of the four wired access VLANs, with IP forwarding and BOOTP relay enabled.
Controlling Bridge 1
configure vlan VLAN_1900 ipaddress 172.19.160.2 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.20.2 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_1700 ipaddress 172.17.8.2 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
configure vlan VLAN_2200 ipaddress 172.21.8.2 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
Controlling Bridge 2
configure vlan VLAN_1900 ipaddress 172.19.160.3 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.20.3 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_1700 ipaddress 172.17.8.3 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
configure vlan VLAN_2200 ipaddress 172.21.8.3 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
3. Configure Access VLAN VRRP between the Controlling Bridges.
Configure VRRP for the access VLANs in order to provide access VLAN users a virtual gateway address. Each VLAN gets its own VRRP instance (VRID) and virtual IP address. A priority of 254 is configured on one CB per VRID to make the master election deterministic; the other CB keeps the default priority of 100. Masters are alternated between the two CBs so that both forward traffic. Fabric-routing is enabled so that packets arriving at the backup do not have to be routed through the VRRP master if a more direct route exists on the receiving interface.
Controlling Bridge 1
create vrrp vlan VLAN_1900 vrid 193
configure vrrp vlan VLAN_1900 vrid 193 fabric-routing on
configure vrrp vlan VLAN_1900 vrid 193 add 172.19.160.1
enable vrrp vlan VLAN_1900 vrid 193
create vrrp vlan VLAN_1600 vrid 160
configure vrrp vlan VLAN_1600 vrid 160 priority 254
configure vrrp vlan VLAN_1600 vrid 160 fabric-routing on
configure vrrp vlan VLAN_1600 vrid 160 add 172.16.20.1
enable vrrp vlan VLAN_1600 vrid 160
create vrrp vlan VLAN_1700 vrid 170
configure vrrp vlan VLAN_1700 vrid 170 fabric-routing on
configure vrrp vlan VLAN_1700 vrid 170 add 172.17.8.1
enable vrrp vlan VLAN_1700 vrid 170
create vrrp vlan VLAN_2200 vrid 210
configure vrrp vlan VLAN_2200 vrid 210 priority 254
configure vrrp vlan VLAN_2200 vrid 210 fabric-routing on
configure vrrp vlan VLAN_2200 vrid 210 add 172.21.8.1
enable vrrp vlan VLAN_2200 vrid 210
Controlling Bridge 2
create vrrp vlan VLAN_1900 vrid 193
configure vrrp vlan VLAN_1900 vrid 193 priority 254
configure vrrp vlan VLAN_1900 vrid 193 fabric-routing on
configure vrrp vlan VLAN_1900 vrid 193 add 172.19.160.1
enable vrrp vlan VLAN_1900 vrid 193
create vrrp vlan VLAN_1600 vrid 160
configure vrrp vlan VLAN_1600 vrid 160 fabric-routing on
configure vrrp vlan VLAN_1600 vrid 160 add 172.16.20.1
enable vrrp vlan VLAN_1600 vrid 160
create vrrp vlan VLAN_1700 vrid 170
configure vrrp vlan VLAN_1700 vrid 170 priority 254
configure vrrp vlan VLAN_1700 vrid 170 fabric-routing on
configure vrrp vlan VLAN_1700 vrid 170 add 172.17.8.1
enable vrrp vlan VLAN_1700 vrid 170
create vrrp vlan VLAN_2200 vrid 210
configure vrrp vlan VLAN_2200 vrid 210 fabric-routing on
configure vrrp vlan VLAN_2200 vrid 210 add 172.21.8.1
enable vrrp vlan VLAN_2200 vrid 210
At the prompt, issue show vrrp and verify the VRRP configuration (output truncated). The FR value must be Y on both the VRRP master and the backup. For each VRID the switch with the highest priority is MSTR and the other one is BKUP; the virtual MAC address is 00:00:5e:00:01:xx, where xx is the VRID in hexadecimal.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.50 # show vrrp
                                          Virtual                            TP/TR/TV/P/T
VLAN Name   VRID Pri IP Address    State MAC Address                           /FR/G/HM
VLAN_19(En) 0193 100 172.19.160.1  BKUP  00:00:5e:00:01:c1  0  0  0  Y  1      Y  N  N
VLAN_16(En) 0160 254 172.16.20.1   MSTR  00:00:5e:00:01:a0  0  0  0  Y  1      Y  N  N
VLAN_22(En) 0210 254 172.21.8.1    MSTR  00:00:5e:00:01:d2  0  0  0  Y  1      Y  N  N
VLAN_17(En) 0170 100 172.17.8.1    BKUP  00:00:5e:00:01:aa  0  0  0  Y  1      Y  N  N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.49 # show vrrp
                                          Virtual                            TP/TR/TV/P/T
VLAN Name   VRID Pri IP Address    State MAC Address                           /FR/G/HM
VLAN_19(En) 0193 254 172.19.160.1  MSTR  00:00:5e:00:01:c1  0  0  0  Y  1      Y  N  N
VLAN_16(En) 0160 100 172.16.20.1   BKUP  00:00:5e:00:01:a0  0  0  0  Y  1      Y  N  N
VLAN_22(En) 0210 100 172.21.8.1    BKUP  00:00:5e:00:01:d2  0  0  0  Y  1      Y  N  N
VLAN_17(En) 0170 254 172.17.8.1    MSTR  00:00:5e:00:01:aa  0  0  0  Y  1      Y  N  N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Wireless User Access
No Guest_Wireless VLAN is configured at School 3. Once a user is assigned the Guest role, their traffic is tunneled directly to the controller. This bridging-at-controller functionality eliminates the need to configure a guest wireless VLAN at School 3.
The NonAdmin_Wireless VLAN provides access layer connectivity to other authorized users. These users are assigned Student or Faculty roles by Extreme Policy Manager and ExtremeControl. This VLAN is bridged at the access point.
Figure: School 3 topology, with the MLAG pair of redundant Controlling Bridges (Controlling Bridge 1 and Controlling Bridge 2) and the Bridge Port Extenders. Steps: 1. Configure the NonAdmin wireless user access VLAN. 2. Configure IP address and IP services for the NonAdmin wireless user access VLAN. 3. Configure VRRP for the NonAdmin wireless user access VLAN.
Note
During these manual configuration steps, the user can choose to utilize mlag orchestration mode. This
mode can be helpful to configure the exact same commands on both CBs. However, do not use this feature
for configurations which need to be unique on CBs such as IP addresses, VRRP configurations, and OSPF
configurations. To enable this mode, refer to mlag orchestration mode operation on Page 16.
1. Configure the wireless access VLAN and assign ports.
Configure the NonAdmin Wireless VLAN for wireless users. The VLAN is created with its tag and description, and the Local Site LACP trunk port (1:29) is added as a tagged member.
Controlling Bridge 1
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:29 tagged
Controlling Bridge 2
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
configure vlan VLAN_1800 add ports 1:29 tagged
2. Configure Access VLAN Interface and other routing services.
The IP address for the access VLAN is configured on both Controlling Bridges. In addition to the IP address, IP forwarding and BOOTP relay are enabled on the interface.
Controlling Bridge 1
configure vlan VLAN_1800 ipaddress 172.18.64.2 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
Controlling Bridge 2
configure vlan VLAN_1800 ipaddress 172.18.64.3 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
3. Configure Access VLAN VRRP.
Configure VRRP for the access VLAN in order to provide access VLAN users a virtual gateway address. VRID 180 is the VRRP instance for the wireless access VLAN and 172.18.64.1 is its virtual IP address. A priority of 254 is configured on Controlling Bridge 1 to make the master election deterministic; Controlling Bridge 2 keeps the default priority of 100. Fabric-routing is enabled so that packets do not have to be routed through the VRRP master if a more direct route exists on the receiving interface.
Controlling Bridge 1
create vrrp vlan VLAN_1800 vrid 180
configure vrrp vlan VLAN_1800 vrid 180 priority 254
configure vrrp vlan VLAN_1800 vrid 180 fabric-routing on
configure vrrp vlan VLAN_1800 vrid 180 add 172.18.64.1
enable vrrp vlan VLAN_1800 vrid 180
Controlling Bridge 2
create vrrp vlan VLAN_1800 vrid 180
configure vrrp vlan VLAN_1800 vrid 180 fabric-routing on
configure vrrp vlan VLAN_1800 vrid 180 add 172.18.64.1
enable vrrp vlan VLAN_1800 vrid 180
At the prompt, issue show vrrp and verify the VRRP configuration (output truncated). The FR value must be Y on both the VRRP master and the backup; the switch with the highest priority is MSTR and the other one is BKUP.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.26 # show vrrp
                                          Virtual                            TP/TR/TV/P/T
VLAN Name   VRID Pri IP Address    State MAC Address                           /FR/G/HM
VLAN_18(En) 0180 254 172.18.64.1   MSTR  00:00:5e:00:01:b4  0  0  0  Y  1      Y  N  N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.81 # show vrrp
                                          Virtual                            TP/TR/TV/P/T
VLAN Name   VRID Pri IP Address    State MAC Address                           /FR/G/HM
VLAN_18(En) 0180 100 172.18.64.1   BKUP  00:00:5e:00:01:b4  0  0  0  Y  1      Y  N  N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
TP-Tracked Pings, TR-Tracked Routes, TV-Tracked VLANs, FR-Fabric Routing,
G-Group, HM-Host Mobility
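The show vrrp checks above (for the wired access VLANs and for the wireless access VLAN) can be cross-checked between the two Controlling Bridges with a script rather than by eye. The following Python is an added example, not Extreme Networks code: it parses the instance lines of show vrrp from both CBs and reports any VRID that is not in a clean master/backup pair, whose master does not hold the higher priority, whose virtual IP differs between the CBs, whose virtual MAC does not match RFC 3768 (00:00:5e:00:01:<VRID in hex>), or that has fabric-routing off. The two sample outputs are constructed from the values printed on this page, and the column layout is assumed to be the one shown above.

```python
import re

# One instance line of `show vrrp`, in the column order printed above:
# VLAN(adm) VRID Pri VIP State VMAC TP TR TV P T FR G HM
_ROW = re.compile(
    r"^(?P<vlan>\S+)\((?P<adm>En|Ds)\)\s+(?P<vrid>\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<vip>[\d.]+)\s+(?P<state>MSTR|BKUP|INIT)\s+(?P<vmac>[0-9a-f:]{17})\s+"
    r"(?P<tp>\d+)\s+(?P<tr>\d+)\s+(?P<tv>\d+)\s+(?P<preempt>[YN])\s+(?P<adv>\d+)\s+"
    r"(?P<fr>[YN])\s+(?P<grp>[YN])\s+(?P<hm>[YN])\s*$")

# Constructed from the values shown in the School 3 wired and wireless outputs.
CB1_SHOW_VRRP = """\
VLAN_19(En) 0193 100 172.19.160.1 BKUP 00:00:5e:00:01:c1 0 0 0 Y 1 Y N N
VLAN_16(En) 0160 254 172.16.20.1  MSTR 00:00:5e:00:01:a0 0 0 0 Y 1 Y N N
VLAN_22(En) 0210 254 172.21.8.1   MSTR 00:00:5e:00:01:d2 0 0 0 Y 1 Y N N
VLAN_17(En) 0170 100 172.17.8.1   BKUP 00:00:5e:00:01:aa 0 0 0 Y 1 Y N N
VLAN_18(En) 0180 254 172.18.64.1  MSTR 00:00:5e:00:01:b4 0 0 0 Y 1 Y N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
"""
CB2_SHOW_VRRP = """\
VLAN_19(En) 0193 254 172.19.160.1 MSTR 00:00:5e:00:01:c1 0 0 0 Y 1 Y N N
VLAN_16(En) 0160 100 172.16.20.1  BKUP 00:00:5e:00:01:a0 0 0 0 Y 1 Y N N
VLAN_22(En) 0210 100 172.21.8.1   BKUP 00:00:5e:00:01:d2 0 0 0 Y 1 Y N N
VLAN_17(En) 0170 254 172.17.8.1   MSTR 00:00:5e:00:01:aa 0 0 0 Y 1 Y N N
VLAN_18(En) 0180 100 172.18.64.1  BKUP 00:00:5e:00:01:b4 0 0 0 Y 1 Y N N
En-Enabled, Ds-Disabled, Pri-Priority, T-Advert Timer, P-Preempt
"""


def parse_show_vrrp(text: str) -> dict:
    """Map VRID -> parsed fields; header, legend and truncation lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows[int(m["vrid"])] = m.groupdict()
    return rows


def check_vrrp_pair(cb1_out: str, cb2_out: str) -> list:
    """Findings for a two-router VRRP deployment; an empty list means healthy."""
    a, b = parse_show_vrrp(cb1_out), parse_show_vrrp(cb2_out)
    findings = []
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"VRID {vrid}: configured on only one Controlling Bridge")
            continue
        ra, rb = a[vrid], b[vrid]
        expected_mac = f"00:00:5e:00:01:{vrid:02x}"   # RFC 3768 virtual router MAC
        for name, r in (("CB1", ra), ("CB2", rb)):
            if r["vmac"] != expected_mac:
                findings.append(f"VRID {vrid} {name}: virtual MAC {r['vmac']} != {expected_mac}")
            if r["fr"] != "Y":
                findings.append(f"VRID {vrid} {name}: fabric-routing is off")
            if r["adm"] != "En":
                findings.append(f"VRID {vrid} {name}: instance is disabled")
        if ra["vip"] != rb["vip"]:
            findings.append(f"VRID {vrid}: virtual IP differs ({ra['vip']} vs {rb['vip']})")
        if sorted([ra["state"], rb["state"]]) != ["BKUP", "MSTR"]:
            findings.append(f"VRID {vrid}: states {ra['state']}/{rb['state']}, expected one MSTR and one BKUP")
        elif int(ra["pri"]) == int(rb["pri"]):
            findings.append(f"VRID {vrid}: equal priorities, election decided by highest IP address")
        else:
            master, backup = (ra, rb) if ra["state"] == "MSTR" else (rb, ra)
            if int(master["pri"]) < int(backup["pri"]):
                findings.append(f"VRID {vrid}: master has the lower priority")
    return findings


if __name__ == "__main__":
    for finding in check_vrrp_pair(CB1_SHOW_VRRP, CB2_SHOW_VRRP) or ["all VRIDs healthy"]:
        print(finding)
```

Paste the real output of show vrrp from each CB in place of the two constructed strings; lines that do not match the instance layout are ignored, so the headers and legend can stay in.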
Authentication – RADIUS
At School 3, configure RADIUS on the Controlling Bridges. Two RADIUS servers (192.168.109.253 and 192.168.109.248) are configured for authentication (UDP 1812) and accounting (UDP 1813). The client-ip is the switch's loopback address: it is the source address of the switch's RADIUS packets and must be the address registered for this switch on the RADIUS server, with the same shared secret on both ends. The "#$..." strings are the switch's stored, encrypted form of the secrets, not the secrets themselves. RADIUS is enabled both for management access (switch logins) and for netlogin (user and device authentication). When complete, the configuration should look similar to the one below:
Controlling Bridge 1
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.5 vr VR-Default
configure radius 1 shared-secret encrypted "#$XGt37kRf8M8psbSvSiTubQCvyVWHBQ=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.5 vr VR-Default
configure radius 2 shared-secret encrypted "#$G5lSW+rhL+xscD51ltcZ73VIhIcSNQ=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.5 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$R0rj9ahA9ZUQbTJQj3rgck+3KX4jaA=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.5 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$CWMZWjXL8icEtXnuDadZlwI/S21INw=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
Controlling Bridge 2
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.6 vr VR-Default
configure radius 1 shared-secret encrypted "#$XGt37kRf8M8psbSvSiTubQCvyVWHBQ=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.6 vr VR-Default
configure radius 2 shared-secret encrypted "#$G5lSW+rhL+xscD51ltcZ73VIhIcSNQ=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.6 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$R0rj9ahA9ZUQbTJQj3rgck+3KX4jaA=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.6 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$CWMZWjXL8icEtXnuDadZlwI/S21INw=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
Remote Site Connectivity via MAN
In this section, VLAN interfaces are configured to connect School 3 to the District Office/School 1.
Remote Site Connectivity Configuration
1. Configure VLANs for connectivity to District Office.
Refer to the VLAN names labeled Remote Site Connectivity in the VLAN Subnet Matrix above. All port assignments are tagged, and the MAN port 1:1 is removed from the default VLAN so that it carries only the tagged point-to-point VLANs.
Controlling Bridge 1
create vlan "VLAN_0102"
configure vlan VLAN_0102 description "To DO/SC1 Left"
configure vlan VLAN_0102 tag 102
configure vlan VLAN_0102 add ports 1:1 tagged
create vlan "VLAN_0205"
configure vlan VLAN_0205 description "To DO/SC1 Right"
configure vlan VLAN_0205 tag 205
configure vlan VLAN_0205 add ports 1:1 tagged
configure vlan default delete port 1:1
Controlling Bridge 2
create vlan "VLAN_0202"
configure vlan VLAN_0202 description "To DO/SC1 Right"
configure vlan VLAN_0202 tag 202
configure vlan VLAN_0202 add ports 1:1 tagged
create vlan "VLAN_0105"
configure vlan VLAN_0105 description "To DO/SC1 Left"
configure vlan VLAN_0105 tag 105
configure vlan VLAN_0105 add ports 1:1 tagged
configure vlan default delete port 1:1
2. Configure point-to-point interfaces to the District Office.
Refer to the subnets labeled for Remote Site Connectivity for VLAN names in the VLAN Subnet Matrix
above. All interfaces are configured as point-to-point interfaces /30 subnets. They are enabled for IP
and IP forwarding.
Controlling Bridge 1
configure vlan VLAN_0102 ipaddress 192.168.101.6 255.255.255.252
enable ipforwarding vlan VLAN_0102
enable bootprelay ipv4 vlan VLAN_0102
configure vlan VLAN_0205 ipaddress 192.168.201.18 255.255.255.252
enable ipforwarding vlan VLAN_0205
enable bootprelay ipv4 vlan VLAN_0205
Controlling Bridge 2
configure vlan VLAN_0202 ipaddress 192.168.201.6 255.255.255.252
enable ipforwarding vlan VLAN_0202
enable bootprelay ipv4 vlan VLAN_0202
configure vlan VLAN_0105 ipaddress 192.168.101.18 255.255.255.252
enable ipforwarding vlan VLAN_0105
enable bootprelay ipv4 vlan VLAN_0105
3. Configure OSPF on the remote site VLANs at each Controlling Bridge.
OSPF is used to distribute the routes from all subnets district wide. Every VLAN at each location is advertised over these links; user access VLANs are distributed as directly connected routes. The base OSPF configuration was performed earlier in this document. Each MAN link uses MD5 authentication with its own key ID (102 and 205 on Controlling Bridge 1, 202 and 105 on Controlling Bridge 2), which must match the key ID and key configured on the District Office/School 1 end of that link. A cost of 10 is set on the cross links (VLAN_0205 on Controlling Bridge 1, VLAN_0105 on Controlling Bridge 2) so that each CB prefers its own side's link to the District Office.
Controlling Bridge 1
configure ospf add vlan VLAN_0102 area 0.0.0.0
configure ospf vlan VLAN_0102 authentication encrypted md5 102 "#$lFLLiw5bwavpXepHbm0AAZ6L2Xe9Yg=="
configure ospf add vlan VLAN_0205 area 0.0.0.0
configure ospf vlan VLAN_0205 cost 10
configure ospf vlan VLAN_0205 authentication encrypted md5 205 "#$JJcc9sJPReFCDZEEvS38p+lPG3IHRQ=="
Controlling Bridge 2
configure ospf add vlan VLAN_0202 area 0.0.0.0
configure ospf vlan VLAN_0202 authentication encrypted md5 202 "#$YXsRU2vF0ItotbGAOewfdptE9e6Ccw=="
configure ospf add vlan VLAN_0105 area 0.0.0.0
configure ospf vlan VLAN_0105 cost 10
configure ospf vlan VLAN_0105 authentication encrypted md5 105 "#$tYD/qqbf/7JSCSr/C4WnLGYBfgMfdA=="
At the prompt, issue show ospf neighbor (output truncated).
Verify that the routers see each other and that the adjacency state is FULL. With MD5 authentication configured, a mismatched key ID or key on either side prevents the adjacency from forming. The role shown after the state (DR or BDR) is the neighbor's role on the link.
Controlling Bridge 1
Slot-1 VPEX X590-24x-1q-2c.56 # show ospf neighbor
Neighbor ID     Pri State     Up/Dead Time             Address          Interface   BFD Session State
==========================================================================================
192.168.200.1   1   FULL /DR  00:00:00:27/00:00:00:07  192.168.101.5    VLAN_0102   None
192.168.200.2   1   FULL /DR  00:00:00:03/00:00:00:03  192.168.201.17   VLAN_0205   None
…
Controlling Bridge 2
Slot-1 VPEX X590-24x-1q-2c.114 # show ospf neighbor
Neighbor ID     Pri State     Up/Dead Time             Address          Interface   BFD Session State
==========================================================================================
192.168.200.1   1   FULL /DR  00:00:00:48/00:00:00:06  192.168.101.17   VLAN_0105   None
192.168.200.2   1   FULL /DR  00:00:01:12/00:00:00:02  192.168.201.5    VLAN_0202   None
…
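The MD5 authentication enabled on VLAN_0060 and on the MAN links above is RFC 2328 cryptographic authentication (AuType 2): the sender zeroes the checksum, puts the key ID, digest length and a cryptographic sequence number in the 8-octet authentication field, and appends a 16-octet MD5 digest computed over the packet plus the key; the receiver recomputes the digest with the key it holds under that key ID and also drops packets whose sequence number is older than the last one accepted from that neighbor. The following Python is an added example, not Extreme Networks code, showing both sides for a Hello between the two Controlling Bridges on VLAN_0060. Key ID 62 is the one configured above; the plaintext key, the router addresses and the Hello parameters are assumptions for illustration, because the "#$..." strings on the page are the switch's stored form of the key and are not recoverable from the page.

```python
import hashlib
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")   # version, type, length, router ID, area ID, checksum, AuType
AUTH_MD5 = struct.Struct("!HBBI")      # 0, key ID, auth data length, cryptographic sequence number
HELLO = struct.Struct("!IHBBIII")      # network mask, hello interval, options, priority, dead interval, DR, BDR
AU_CRYPTO = 2                          # AuType 2 = cryptographic authentication
DIGEST_LEN = 16
KEY_ID = 62                            # key ID configured on VLAN_0060 above
KEY_62 = b"assumed-key-62"             # assumption: the real key is not on the page


def ip(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet with the key, zero-padded to 16 octets,
    appended. This is keyed MD5 as the RFC specifies, not HMAC."""
    if len(key) > DIGEST_LEN:
        raise ValueError("RFC 2328 MD5 keys are at most 16 octets")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\0")).digest()


def build_hello(router_id: str, src_ip: str, key_id: int, key: bytes, seq: int,
                neighbors=()) -> bytes:
    """OSPF Hello with cryptographic authentication: checksum 0, the authentication
    field carries key ID, digest length and sequence number, and the digest is
    appended after the packet without being counted in the OSPF length field."""
    body = HELLO.pack(ip("255.255.255.0"), 10, 0x02, 1, 40, ip(src_ip), 0)
    body += b"".join(struct.pack("!I", ip(n)) for n in neighbors)
    length = OSPF_HDR.size + AUTH_MD5.size + len(body)
    packet = (OSPF_HDR.pack(2, 1, length, ip(router_id), 0, 0, AU_CRYPTO)
              + AUTH_MD5.pack(0, key_id, DIGEST_LEN, seq) + body)
    return packet + _digest(packet, key)


class Neighbor:
    """Receiver-side state for one peer: the configured keys by ID and the last
    accepted cryptographic sequence number, which gives replay protection."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = -1

    def verify(self, wire: bytes) -> str:
        if len(wire) < OSPF_HDR.size + AUTH_MD5.size + DIGEST_LEN:
            return "drop: short packet"
        _ver, _typ, length, _rid, _area, _cksum, autype = OSPF_HDR.unpack_from(wire, 0)
        if autype != AU_CRYPTO:
            return "drop: AuType mismatch"        # peer is not using MD5 at all
        _zero, key_id, adl, seq = AUTH_MD5.unpack_from(wire, OSPF_HDR.size)
        key = self.keys.get(key_id)
        if key is None:
            return f"drop: unknown key id {key_id}"
        if adl != DIGEST_LEN:
            return "drop: unsupported auth data length"
        if seq < self.last_seq:                   # equal is allowed by RFC 2328
            return "drop: replayed sequence number"
        packet, received = wire[:length], wire[length:length + DIGEST_LEN]
        if _digest(packet, key) != received:
            return "drop: bad digest"
        self.last_seq = seq
        return "accept"


def demo() -> list:
    """Constructed exchange: CB1 (router ID 192.168.200.5, address 192.168.62.2)
    sends Hellos to CB2 on VLAN_0060; CB2 holds key 62."""
    cb2 = Neighbor({KEY_ID: KEY_62})
    good = build_hello("192.168.200.5", "192.168.62.2", KEY_ID, KEY_62, 1000, ["192.168.200.6"])
    replay = build_hello("192.168.200.5", "192.168.62.2", KEY_ID, KEY_62, 999)
    forged = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]   # one bit flipped in the body
    wrong_key = build_hello("192.168.200.5", "192.168.62.2", KEY_ID, b"guess", 1001)
    return [cb2.verify(p) for p in (good, good, replay, forged, wrong_key)]


if __name__ == "__main__":
    print(demo())
```

The sequence number is why a captured Hello cannot simply be replayed later, and the digest is why a neighbor without the key cannot inject or alter routing updates; MD5 here is used as a keyed digest with no confidentiality, so "encryption" is not what the configuration provides.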
Policy, Access Control, and Analytics
Extreme Management Center, ExtremeControl, ExtremeAnalytics, and ExtremeWireless controller
appliances located at the District Office/School 1 will serve School 3 for policy and ExtremeControl rules
enforcement. All required Policy and Access Control configurations were performed as part of the District
Office/School 1 and will apply to the entire school district.
To configure ExtremeAnalytics, follow the same steps presented for the District Office/School 1 to add
switches to the Analytics Engine and location configurations.
Authentication – Netlogin
At School 3, netlogin authentication with dot1x and MAC is enabled on all ports except the uplink and server ports. The authentication order is dot1x first, then MAC.
When complete, the configuration should look similar to the one below:
Controlling Bridge 1 and Controlling Bridge 2
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 1:2-23,1:25-28,1:30-32,1:34-36,100:1-48,101:1-48,102:1-48,103:1-48 dot1x
enable netlogin ports 1:2-23,1:25-28,1:30-32,1:34-36,100:1-48,101:1-48,102:1-48,103:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
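The shared-secret and client-ip in the RADIUS configuration above and the MAC authentication enabled here by netlogin combine on the wire as follows (RFC 2865): the switch sends an Access-Request from client-ip whose User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator, and it acts on the server's Access-Accept or Access-Reject only if the Response Authenticator was computed with the same secret. The following Python is an added example, not Extreme Networks code; the secret, the station MAC and the user-name/password format for MAC authentication are assumptions (the real format follows the switch's netlogin MAC settings, and the "#$..." strings on the page are the switch's stored form of the secrets). The same exchange applies to the RADIUS configuration at School 4.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 4, 31, 61

SECRET = b"assumed-shared-secret"   # assumption: the page only shows the switch's encrypted form
NAS_IP = "192.168.200.5"            # client-ip of Controlling Bridge 1
MAC = "00:11:22:33:44:55"           # constructed station MAC


def attr(kind: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type, Length (including these two octets), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-octet chunk with MD5(secret + previous chunk),
    seeded with the Request Authenticator. Obfuscation keyed by the secret, not
    encryption: anyone holding the secret recovers the password."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\0")


def build_access_request(ident: int, secret: bytes, nas_ip: str, mac: str, req_auth=None):
    """Access-Request for netlogin MAC authentication. The station MAC is sent as
    user name and password (format assumed here). Returns (packet, Request Authenticator)."""
    req_auth = req_auth or os.urandom(16)       # must be unpredictable: it seeds the password hiding
    user = mac.lower().encode()
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(secret, req_auth, user))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, mac.upper().encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", 15)))   # 15 = Ethernet
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, req_auth, secret) + attrs)


def verify_response(packet: bytes, ident: int, req_auth: bytes, secret: bytes) -> str:
    """Client-side check before acting on a reply: a packet whose Response
    Authenticator was not computed with the shared secret is silently discarded."""
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if pid != ident or length != len(packet):
        return "discard: identifier/length mismatch"
    if packet[4:20] != response_authenticator(code, ident, packet[20:], req_auth, secret):
        return "discard: bad Response Authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discard: unexpected code")


def demo() -> dict:
    """Switch -> server Access-Request, a genuine Access-Accept, and an Accept
    forged by someone who does not hold the shared secret."""
    req, ra = build_access_request(7, SECRET, NAS_IP, MAC)
    got = dict(parse_attrs(req[20:]))
    accept = build_response(ACCESS_ACCEPT, 7, attr(USER_NAME, got[USER_NAME]), ra, SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, b"", ra, b"wrong-secret")
    return {"server_recovers_password": reveal_password(SECRET, ra, got[USER_PASSWORD]) == MAC.lower().encode(),
            "genuine": verify_response(accept, 7, ra, SECRET),
            "forged": verify_response(forged, 7, ra, SECRET)}


if __name__ == "__main__":
    print(demo())
```

A MAC-authenticated station's "password" is its own address, so nothing here keeps a spoofed MAC off the port; what the shared secret protects is the integrity of the server's verdict and, through the ordering configured above, the reply that tells the switch which role and VLAN to apply.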
School 4
Figure: School 4, ExtremeXOS standalone switch.
VLANs and Subnets at School 4
Below is a list and table grouping of VLANs by functionality at School 4. This functionality includes the following types:
• Management – Used to communicate with Extreme Smart OmniEdge appliances and routing protocols.
• Remote Site Connectivity – Point-to-point interfaces used for connectivity between School 4 and the District Office/School 1.
• Local Site Connectivity – VLAN interfaces used to distribute static and directly connected routes into OSPF and provide OSPF services to the ExtremeWireless controllers.
• Access VLAN – VLANs for wired users, wireless users, and networked devices.
Device                  VLAN Name   Subnet             Tag   Type
ExtremeXOS Standalone   Lo0         192.168.200.7/32   1007  Management
ExtremeXOS Standalone   VLAN_0103   192.168.101.8/30   103   Remote Site Connectivity
ExtremeXOS Standalone   VLAN_0203   192.168.201.8/30   203   Remote Site Connectivity
ExtremeXOS Standalone   VLAN_0060   192.168.63.0/24    60    Local Site Connectivity
ExtremeXOS Standalone   VLAN_1600   172.16.30.0/24     1600  Access VLAN
ExtremeXOS Standalone   VLAN_1900   172.19.224.0/27    1900  Access VLAN
ExtremeXOS Standalone   VLAN_2200   172.21.16.0/22     2200  Access VLAN
ExtremeXOS Standalone   VLAN_1700   172.17.16.0/22     1700  Access VLAN
ExtremeXOS Standalone   VLAN_1800   172.18.96.0/19     1800  Access VLAN
School 4 – Base Configuration
Figure: School 4 standalone ExtremeXOS switch. Step: 1. Configure the loopback interface for management and for the routing protocol (OSPF).
Loopback Interface Configuration
1. Configure Loopback VLAN and Interface
The internal loopback interface serves as the primary interface for in-band management in this topology. It also serves as the interface between the Extreme Networks appliances and the devices. Configuring the system loopback interface involves creating a VLAN with a tag and enabling loopback mode and IP forwarding on it. The loopback interface is configured with a /32 subnet mask. (The VLAN and subnet table above lists tag 1007 for Lo0; use one value consistently.)
Extreme Standalone Switch
create vlan "lo0"
configure vlan lo0 tag 1001
enable loopback-mode vlan lo0
configure vlan lo0 ipaddress 192.168.200.7 255.255.255.255
enable ipforwarding vlan lo0
2. Configure OSPF Base Configuration
With the creation of the loopback interface, it is now possible to create the base OSPF routing configuration. OSPF redistributes any directly connected interfaces and static routes. This becomes more important later on, when remote schools are attached to the topology. The loopback interface created in the previous step is used as the OSPF router ID and is added to area 0.0.0.0.
Extreme Standalone Switch
configure ospf routerid 192.168.200.7
enable ospf
enable ospf export direct cost 0 type ase-type-1
enable ospf export static cost 0 type ase-type-1
configure ospf add vlan lo0 area 0.0.0.0
Local Site Connectivity Configuration
1. Configure VLAN and Interface for Local Site Connectivity.
This VLAN is used by the APs for connectivity to the wireless controllers. No ports are in this VLAN until the APs have been authenticated by RADIUS/netlogin. Like the previous VLANs, VLAN_0060 is configured with a VLAN tag, an IP address, IP forwarding for unicast routing, BOOTP relay for DHCP, and IP route sharing (ECMP).
Extreme Standalone Switch
create vlan "VLAN_0060"
configure vlan VLAN_0060 tag 60
configure vlan VLAN_0060 ipaddress 192.168.63.1 255.255.255.0
enable ipforwarding vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0060
enable iproute sharing vr VR-Default
At the prompt, issue show vlan VLAN_0060 (output truncated) and verify the VLAN name, state and tag, the IP address, and that IP forwarding is enabled for unicast routing:
Extreme Standalone Switch
VPEX x590-SC2-Left.14 # show vlan VLAN_0060
VLAN Interface with name VLAN_0060 created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 60
    Description:         None
    Virtual router:      VR-Default
    IPv4 Forwarding:     Enabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.63.1/24
    …
    Ports:   0.   (Number of active ports=0)
    …
Wired User Access
All user credentials are authenticated against ExtremeControl over RADIUS. The following VLAN types are available at School 4:
The Guest_Wired VLAN gives guest users access at School 4. This VLAN is configured at all the schools. It is typically the most restrictive of all the access VLANs.
The Admin VLAN provides access layer connectivity to network administrators. These users are assigned the Admin role by Extreme Policy Manager and ExtremeControl. This access layer VLAN is typically the least restrictive of the access VLANs.
The NonAdmin_Wired VLAN provides access layer connectivity to other authorized users. These users are assigned a Student or Faculty role by Extreme Policy Manager and ExtremeControl. Roles can be more granular than the ones presented here. Most users access the school district network through this VLAN.
The Network_Devices VLAN provides access layer connectivity to common network devices such as printers, VoIP phones, or security cameras.
Figure: School 4 standalone ExtremeXOS switch. Steps: 1. Configure four wired user access VLANs. 2. Configure all user access ports with the Guest_Wired PVID. 3. Configure IP address and IP services on the wired user access VLANs.
Four wired access VLANs are configured on the standalone ExtremeSwitching access switch. All user access ports are assigned to the Guest_Wired VLAN. Finally, an IP interface with routing services is created for each VLAN.
1. Configure four access VLANs and assign ports.
Four wired access VLANs are created with a tag and a description.
Extreme Standalone Switch
create vlan "VLAN_1900"
configure vlan VLAN_1900 description "Wired Guest VLAN"
configure vlan VLAN_1900 tag 1900
create vlan "VLAN_1600"
configure vlan VLAN_1600 description "Administrator Access VLAN"
configure vlan VLAN_1600 tag 1600
create vlan "VLAN_2200"
configure vlan VLAN_2200 description "Network Devices Access VLAN"
configure vlan VLAN_2200 tag 2200
create vlan "VLAN_1700"
configure vlan VLAN_1700 description "Wired Non Administrator Access VLAN"
configure vlan VLAN_1700 tag 1700
After creating the VLANs, every port that will be used for user access should be configured with Guest_Wired (VLAN_1900) as its untagged, native VLAN (PVID). When complete, the configuration should look similar to the one below; all wired access ports are added to the Guest_Wired VLAN as untagged (PVID).
Extreme Standalone Switch
configure vlan VLAN_1900 add ports 1-48,50-52 untagged
2. Configure Access VLAN Interface and other routing services.
An IP interface is configured for each of the four wired access VLANs, with IP forwarding and BOOTP relay enabled. The addresses follow the VLAN and subnet table for School 4 above (VLAN_2200 in 172.21.16.0/22, VLAN_1700 in 172.17.16.0/22).
Extreme Standalone Switch
configure vlan VLAN_1900 ipaddress 172.19.224.1 255.255.255.224
enable ipforwarding vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1900
configure vlan VLAN_1600 ipaddress 172.16.30.1 255.255.255.0
enable ipforwarding vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1600
configure vlan VLAN_2200 ipaddress 172.21.16.1 255.255.252.0
enable ipforwarding vlan VLAN_2200
enable bootprelay ipv4 vlan VLAN_2200
configure vlan VLAN_1700 ipaddress 172.17.16.1 255.255.252.0
enable ipforwarding vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1700
Wireless User Access
No Guest_Wireless VLAN is configured at School 4. Once a user is assigned the Guest role, their traffic is tunneled directly to the controller and bridged there. This bridging-at-controller mode removes the need for a guest wireless VLAN at School 4 and keeps guest traffic off the school's local VLANs altogether.
The NonAdmin_Wireless VLAN provides access layer connectivity to other authorized users. These users are assigned the Student or Faculty role by Extreme Policy Manager and ExtremeControl. This VLAN is bridged at the access point.
1. Configure the NonAdmin wireless user access VLAN.
Extreme Standalone Switch (wireless access VLAN created):
create vlan "VLAN_1800"
configure vlan VLAN_1800 description "Wireless Non Administrator Access VLAN"
configure vlan VLAN_1800 tag 1800
2. Configure Access VLAN Interface and other routing services.
In addition to the IP address, IP forwarding and BootP relay are configured on the interface.
Extreme Standalone Switch (IP interface added to the VLAN; IP forwarding and BootP relay enabled):
configure vlan VLAN_1800 ipaddress 172.18.96.1 255.255.224.0
enable ipforwarding vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1800
Authentication – RADIUS
At School 4, configure RADIUS on the standalone switch. Two servers are defined for both authentication (UDP 1812) and accounting (UDP 1813), so either server can fail without loss of service. The client-ip is the source address the switch uses toward the servers; both servers must have a NAS client entry for 192.168.200.7 with the same shared secret, otherwise they discard the requests without replying and the switch only sees the timeout. The secrets below are shown in the switch's encrypted storage form; they are entered in clear text and must match the server's copy for this client. Because mgmt-access is enabled, switch management logins are also validated by RADIUS, so keep a local administrator account as a fallback for the case in which both servers are unreachable. When complete, the configuration should look similar to the one below:
Extreme Standalone Switch
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.7 vr VR-Default
configure radius 1 shared-secret encrypted "#$LRw0VJ5uiUiCft+sV6BvOeVCn2VCFQ=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.7 vr VR-Default
configure radius 2 shared-secret encrypted "#$UUb+13H6Gkl6wNik4PI6T9SidnM/9g=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.7 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$J74EvAcCJinoBEhRJvEQ4rjTVAT/eQ=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.7 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$6LZ9ileR2UEq/TtqfyZwbgzEFZ3roQ=="
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
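What the shared secret above actually protects is easier to see in code. The following Python is an added example, not ExtremeXOS code and not part of the validated design: it builds an Access-Request the way a NAS does (RFC 2865 password hiding plus an RFC 3579 Message-Authenticator) and performs the checks each side makes with the secret. The secret, user name and password are constructed placeholders; the NAS-IP-Address reuses the switch's client-ip from the configuration. Only the standard library is used.

```python
"""RADIUS Access-Request / response checks (RFC 2865, RFC 3579) using only the standard library.
Added example, not ExtremeXOS code: the secret, user and password are constructed placeholders."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the NUL-padded password with an MD5 chain seeded by secret + Request Authenticator."""
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))  # ciphertext block feeds the next mask
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password. Anyone holding the secret can do this, which is why the
    secret must be long and random and the RADIUS path should stay on the management network."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def attributes(packet: bytes):
    """Yield (type, value) pairs from a packet; raise on a truncated or malformed attribute."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def build_access_request(ident: int, user: bytes, password: bytes, nas_ip: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """NAS side. The Request Authenticator must be fresh random bytes for every request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + request_auth
    # RFC 3579 3.2: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: rejects a request not built with the shared secret and any modified attribute."""
    pos = 20
    for kind, value in attributes(packet):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False  # no Message-Authenticator present: treat the request as unauthenticated


def server_password(packet: bytes, secret: bytes) -> bytes:
    """Server side: recover User-Password using the Request Authenticator at bytes 4..19."""
    for kind, value in attributes(packet):
        if kind == USER_PASSWORD:
            return reveal_password(value, secret, packet[4:20])
    raise ValueError("no User-Password attribute")


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply is only accepted if it is bound to our Request Authenticator and the secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A request from an unknown client or with an invalid Message-Authenticator is silently discarded (RFC 3579), and the switch discards any reply whose Response Authenticator it cannot reproduce, so a mismatched secret or a missing NAS client entry shows up on the switch only as the timeout configured above.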
Remote Site Connectivity via MAN
In this section, VLAN interfaces will be configured to connect School 4 to the District Office/School 1.
Remote Site Connectivity Configuration
1. Configure VLANs for connectivity to District Office.
Refer to the VLAN Subnet Matrix above for the VLAN names labeled for Remote Site Connectivity. All port assignments are tagged, and port 49 is removed from the default VLAN so that the uplink carries only the two routed transit VLANs.
Extreme Standalone Switch
create vlan "VLAN_0103"
configure vlan VLAN_0103 tag 103
configure vlan VLAN_0103 add ports 49 tagged
configure vlan default delete port 49
create vlan "VLAN_0203"
configure vlan VLAN_0203 tag 203
configure vlan VLAN_0203 add ports 49 tagged
2. Configure point-to-point interfaces to the District Office.
Refer to the VLAN Subnet Matrix above for the subnets labeled for Remote Site Connectivity. All interfaces are configured as point-to-point /30 subnets and are enabled for IP forwarding.
Extreme Standalone Switch
configure vlan VLAN_0103 ipaddress 192.168.103.2 255.255.255.252
enable ipforwarding vlan VLAN_0103
enable bootprelay ipv4 vlan VLAN_0103
configure vlan VLAN_0203 ipaddress 192.168.201.10 255.255.255.252
enable ipforwarding vlan VLAN_0203
enable bootprelay ipv4 vlan VLAN_0203
3. Configure OSPF on the point-to-point interfaces.
OSPF is used to distribute the routes from all subnets district wide. Every VLAN at each location should be advertised over these links; user access VLANs are distributed as directly connected routes. The base OSPF configuration was executed earlier in this document. Each link is protected with MD5 authentication: every OSPF packet carries a key ID (103 and 203 below) and a digest computed with the shared key, and the key ID and key must match on both ends or the adjacency will not form. MD5 here provides authentication and integrity, not encryption; the routing updates themselves remain readable on the wire.
Extreme Standalone Switch
configure ospf add vlan VLAN_0103 area 0.0.0.0
configure ospf vlan VLAN_0103 authentication encrypted md5 103 "#$cQx/fkysLFXVdxPqX+wmjI3Cx8uTIA=="
configure ospf add vlan VLAN_0203 area 0.0.0.0
configure ospf vlan VLAN_0203 authentication encrypted md5 203 "#$tQFlCFOsc5f7g+sN2rqeco7DeC5qSA=="
At the prompt issue show ospf neighbor (output truncated). Verify that the routers see each other, that each adjacency is in state FULL, and that the router state on each link is DR or BDR. A neighbor that never appears in the table on an authenticated link usually means a key or key ID mismatch, since packets that fail authentication are discarded before hello processing.
Extreme Standalone Switch
X440G2-SC4.16 # show ospf neighbor
Neighbor ID      Pri State      Up/Dead Time             Address          Interface    BFD Session State
========================================================================================================
192.168.200.1    1   FULL /DR   02:13:54:19/00:00:00:07  192.168.101.9    VLAN_0103    None
192.168.200.2    1   FULL /DR   01:20:08:39/00:00:00:03  192.168.201.9    VLAN_0203    None
…
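The authentication md5 commands above turn on OSPFv2 cryptographic authentication (RFC 2328, Appendix D). The following Python is an added example, not ExtremeXOS code and not part of the validated design. It shows what the receiving router checks on every packet: the key ID lookup, the cryptographic sequence number against replay, and the MD5 digest over the packet followed by the zero-padded key. The sending router ID and the key are constructed placeholders (the design's keys are stored encrypted and are not reproduced); key ID 103 and the neighbor 192.168.200.1 correspond to the VLAN_0103 link in the table above.

```python
"""OSPFv2 cryptographic authentication (RFC 2328 Appendix D). Added example, not ExtremeXOS code.
Router ID 192.168.200.4 and the key are constructed placeholders."""
import hashlib
import hmac
import struct

OSPF_HEADER = struct.Struct("!BBH4s4sHH")  # version, type, length, router id, area id, checksum, autype
AUTH_FIELD = struct.Struct("!HBBI")        # zero, key id, auth data length, cryptographic sequence number
AUTYPE_CRYPTOGRAPHIC = 2
TYPE_HELLO = 1
DIGEST_LEN = 16


def ipv4(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """D.4.3: MD5 over the OSPF packet (checksum field zero) followed by the key padded to 16 bytes."""
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def build_hello(router_id: str, area: str, key_id: int, key: bytes, seq: int,
                mask: str = "255.255.255.252", hello: int = 10, dead: int = 40, neighbors=()) -> bytes:
    """Sender side: Hello with the authentication field filled in and the digest appended.
    The 16-byte digest is not counted in the OSPF length field (only in the IP length)."""
    body = struct.pack("!4sHBBI4s4s", ipv4(mask), hello, 0x02, 1, dead, bytes(4), bytes(4))
    body += b"".join(ipv4(n) for n in neighbors)
    length = OSPF_HEADER.size + AUTH_FIELD.size + len(body)
    header = OSPF_HEADER.pack(2, TYPE_HELLO, length, ipv4(router_id), ipv4(area), 0, AUTYPE_CRYPTOGRAPHIC)
    packet = header + AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + body
    return packet + md5_digest(packet, key)


def verify_hello(datagram: bytes, keys: dict, last_seq: int):
    """Receiver side (D.4.4). keys maps key id -> key; last_seq is the highest sequence number already
    accepted from this neighbor. Returns (accepted, reason, sequence_number)."""
    if len(datagram) < OSPF_HEADER.size + AUTH_FIELD.size + DIGEST_LEN:
        return False, "truncated", None
    version, _, length, _, _, _, autype = OSPF_HEADER.unpack_from(datagram)
    if version != 2 or autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "wrong version or authentication type", None
    if length + DIGEST_LEN != len(datagram):
        return False, "length does not match", None
    _, key_id, data_len, seq = AUTH_FIELD.unpack_from(datagram, OSPF_HEADER.size)
    key = keys.get(key_id)
    if key is None or data_len != DIGEST_LEN:
        return False, "unknown key id %d" % key_id, None
    if seq < last_seq:
        return False, "replayed sequence number", None  # older than what we already accepted
    expected = md5_digest(datagram[:length], key)
    if not hmac.compare_digest(expected, datagram[length:]):
        return False, "digest mismatch (wrong key)", None
    return True, "ok", seq
```

Every failure path ends in a silent drop rather than an error message to the peer, which is the behaviour behind the neighbor-table check above: a wrong key or key ID simply leaves the neighbor absent.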
Policy and Access Control
Extreme Management Center, ExtremeControl, ExtremeAnalytics, and ExtremeWireless controller
appliances located at the District Office/School 1 will serve School 4 for policy and ExtremeControl rules
enforcement. All required Policy and Access Control configurations were performed as part of the District
Office/School 1 and will apply to the entire school district.
To configure ExtremeAnalytics, follow the same steps presented for the District Office/School 1 to add
switches to the Analytics Engine and location configurations.
Authentication – Netlogin
At School 4, network login with both 802.1X (dot1x) and MAC-based authentication is enabled on all ports except the uplink and server ports. The protocol order is dot1x first, then MAC; web-based remains last in the order but is not enabled on any port. A client that does not speak 802.1X falls through to MAC authentication, which proves nothing more than possession of a MAC address, so the policy assigned to MAC-authenticated devices should be correspondingly restrictive. The uplink (port 49) is deliberately excluded, since enabling authentication on the trunk to the District Office would block the MAN link.
When complete, the configuration should look similar to the one below:
Extreme Standalone Switch
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 1-48,50-52 dot1x
enable netlogin ports 1-48,50-52 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
RF-Planning
When designing a wireless network, a thorough RF plan is vital to the success of the deployment. This
process involves an extensive site survey and use of the Extreme Networks™ Planning Tool. Extreme
Wireless RF-Planning can further be enhanced with the use of the Ekahau Site Survey tool and hardware.
Site Survey
Site Survey is perhaps the most important step in RF design. It validates the wireless deployment’s
expected coverage experience. A thorough site survey analyzes sufficient signal strength throughout the
covered area and allows for channel planning to reduce co-channel interference.
Site Surveys are extremely important to new wireless deployments and when replacing or upgrading
installed wireless gear. Products from different vendors or even across product generations of the same
vendor often have different transmission characteristics. These changes can include technological
advances, the number of transmit and receive chains, and differences in radiation pattern. Never assume
that replacing one piece of equipment for another, at the same installation points, will result in the same
experience as the previous install.
An AP-on-a-stick physical site survey is the preferred method to thoroughly assess a site’s RF design
requirements. Testing an AP’s proposed location provides true measurement and representation of the
signal propagation and coverage to be expected. This method considers actual site characteristics such
as obstructions to the RF signal, absorption by walls, and impact of any other architectural materials.
If a physical site survey is not possible, at minimum a predictive survey should be performed. The predictive model often provides a first-pass view of the number of APs required to cover a site, or a first-pass validation of whether installing a target AP family in pre-existing spots will provide the required coverage. The predictive model also provides greater insight into proper channel configuration for a performance-optimized experience.
ExtremeWireless RF Planning Tool
The ExtremeWireless RF Planning Tool is a predictive survey tool made available to Extreme Network
customers. The RF Planning tool is available online at https://wirelessplanner.extremenetworks.com.
Access to the tool is free, but user registration is required. Users can create a set of access credentials for
the tool. Registration provides storage of saved models for later reference.
Once registered, the user is directed to provide the country of installation. Country selection is very
important because the tool can customize requirements to applicable regulatory restrictions of the country
identified. Regulatory restrictions can apply to channel availability, power levels, or even equipment
availability. If country certification is required but not yet available for a device, it may not be available for
selection.
After providing a few more details, you are provided with the working Canvas. Modeling steps include:
1. Floor Plan Outline and Scale
a. You can either design a floor plan outline or upload a floor plan image representative of the site
being designed.
b. The tool allows for multi-floor designs within the same project, but note that it only considers
one floor at a time. It does not consider or model cross-floor propagation.
c. Scale can be defined by mapping a line of pixels into a corresponding distance. A simple way
to determine an approximate scale is to determine the width of a doorway. In the United States
the typical width of doorway is 3 feet, which can be used as reference for a 1-meter (3 ft.) line.
2. Identify and map any known RF obstructions.
a. Consider wall materials, escape routes (stairways), and restrooms (washrooms).
b. The more detailed your model is, the more accurate the prediction will be.
c. Do not assume free space (no walls) unless you are in fact planning for a true open area.
3. Access Point Placement
a. The tool supports the entire portfolio of Wave 1 and Wave 2 access points from ExtremeWireless and ExtremeWireless WiNG. (Due to regulatory restrictions, not all APs are available in all regions.)
b. Placement is primarily assessed based on a coverage objective.
c. Automatic AP placement is available for a set of devices, primarily internal-antenna models, using heuristic algorithms to determine the best placement for the APs from an RF coverage perspective. Only one AP model type at a time can be selected for auto-placement, but it can share the floor with other AP models that have already been placed (pinned). This method provides the simplest way to determine how many APs will be required to cover a floor-plan area. After the automatic wizard runs, AP locations can be manually adjusted to a more realistic installation location. When this is done, the AP is pinned to the selected location.
d. Manual placement provides finer control over AP placement; you individually place each AP at its corresponding installation point. This can be the starting step for a model that begins from an existing installation design. You can manually select from the available models to complete the coverage to the desired targets.
e. Automatic AP placement can be rerun after APs are manually placed or pinned. This confirms that the proposed installation model does not require any additional devices. Alternatively, you can define exclusion areas in which the algorithm will not attempt to place APs.
Visualization
Several visualization tools are available to help you visualize the resulting coverage on both the 2.4 GHz and 5 GHz bands:
1. RF Coverage Heatmap – provides an assessment of signal strength coverage of the floor plan.
2. Channel Plan – provides an optimized view of a representative channel plan to reduce co-channel interference.
3. Location Visualization – provides an assessment of the deployment's readiness to support accurate triangulation. The tool can recommend where to install full-time sensors to improve location fidelity, augmenting the deployment without affecting its coverage. An added benefit of full-time sensors is that they can perform double duty by complementing optional Wireless Intrusion Detection and Prevention integrations.
4. Link Speed – provides a generalized link speed estimate for typical clients based on the signal coverage metrics.
5. Provides visualization of the angle of orientation for the AP-Camera model (AP3916i).
6. Provides an assessment of Bluetooth Low Energy coverage for models that support iBeacon transmit
functions (for example, AP391xx and AP7632/62).
Sharing and Exporting
After the model provides your desired coverage characteristics, installed devices, and placement
suggestions, you can conveniently share this information – with a partner or customer, or for placing
orders – by exporting the model as a PDF or as a Microsoft Word document.
The resulting document includes all of the details provided in the model: the criteria used as input for the
model, the representative floor plan of installation locations, the snapshot of RF coverage, and Channel
Plan heatmaps.
More important, these documents provide a summarized Bill of Materials (BOM) listing the corresponding
types and number of APs determined for site coverage. The PDF document is Extreme Networks branded
and can be shared directly with the customer or partner. The Microsoft Word document allows for editing,
re-arranging, or even branding of the final report.
Product Lifecycle – Exporting into Other Products
The model representation can be directly exported for use by ExtremeWireless management tools such
as ExtremeCloud, ExtremeCloud Appliance, and Extreme Management Center. This capability allows
reuse of a predictive model into an actual deployed model. This allows users to map actual deployed
equipment into the predicted installation instances. The details of the floor plans are preserved – saving
time in getting visibility of the actual installation deployment.
RF Survey Tools
A site survey with the ExtremeWireless™ RF Planning Tool can be enhanced with the use of third-party survey tools. The key part of a new deployment is providing a predictive or active survey assessment as part of the design.
Predictive and active site surveys can be done using a variety of third-party tools such as Ekahau, NetScout's AirMagnet, and others. Attributes from an Ekahau survey can be imported directly into the ExtremeWireless and ExtremeCloud products.
Extreme Management Center Configuration
Adding an ExtremeControl Appliance to Extreme Management Center
To add a new ExtremeControl engine to Extreme Management Center, go to Control → Engines, right-click on Default, and click Add Engine.
Enter the IP address of the engine. With the Add Engine to Devices check box selected, the engine is also added to Devices automatically.
Adding Wireless Controllers to Extreme Management Center
Like all network devices, the wireless controllers can be managed from Extreme Management Center. This step is necessary for the access control configuration. To add a device to Extreme Management Center, go to Network → Devices → Device → Add Device. This step uses the same SNMPv3 profile you used previously; keep the controllers on that authenticated and encrypted profile rather than an SNMPv1/v2c community, since the management traffic to them carries configuration and credentials.
The wireless controllers are added under the Appliances site.
To discover a controller, navigate to Wireless → Network → Wireless Network → Controllers and select Discover All Controllers from the drop-down list.
Adding Analytics to Extreme Management Center
From Extreme Management Center, navigate to Extreme Management → Analytics → Overview → Add Engine.
Provide the IP address of the ExtremeAnalytics Engine, a user-friendly name, and the configured SNMP profile. Click OK.
The ExtremeAnalytics engine appears in the Overview Pane. Locate the green indicator, confirming that
the engine is operational. You should also see basic engine processing data.
Click the Enforce button at the bottom of the web page to fully deploy the ExtremeAnalytics Engine.
Site Configuration
Extreme Management Center lets you break a larger network into smaller, more manageable pieces by grouping switches under sites. This logical separation, which can be based on physical location or purpose, helps users understand more complex networks by allowing them to concentrate on smaller segments.
To create a site, go to the Devices tab, right-click on World site, go to Maps/Sites and select Create
Site. Enter a site name and click OK.
Five sites were created to group devices based on their physical locations.
Adding a Device to the Site Configuration
To add a device to a site, right-click on the site name and select Add Device.
The District Office-School 1 site contains all network devices placed in the area with the same name.
Design Considerations
Network Time Protocol (NTP)
Deploying the Extreme Networks Smart OmniEdge solution requires time synchronization between Extreme's applications, switches, and other network components so that they function properly and communicate efficiently. Log and syslog events, and the alarm events generated within Extreme Management Center, can only be correlated across devices when all of them keep the same time. Consistent time therefore means faster and easier resolution of network problems and a usable audit trail when an incident has to be reconstructed.
To maintain synchronization across the Smart OmniEdge ecosystem, we recommend the use of NTP for Extreme Management Center, Extreme Access Control, ExtremeAnalytics, ExtremeWireless Controllers, Extreme switches, and any third-party servers (such as RADIUS servers).
Note
Configuration for third-party RADIUS servers is not documented in this section.
Extreme Management Center
Extreme Management Center NTP configuration is executed during installation using the command-line interface. Once the appliance is installed, log in to the console as root. The install process starts with a series of configuration questions; the administrator is prompted for NTP configuration under the <Configure Date and Time Settings> section of the install. To change the settings after install, run the dateconfig script, which is located in /usr/postinstall.
Please enter a NTP Server IP Address (Required): <ntp_ip_address_2>
Would you like to add another server (y/n) [n]?
=============================================================================
NTP Servers
=============================================================================
These are the currently specified NTP servers:
<ntp_ip_address_1>
<ntp_ip_address_2>
Enter 0 or any key other than a valid selection to complete NTP configuration and
continue.
If you need to make a change, enter the appropriate number from the
choices listed below.
0. Accept the current settings and continue
1. Restart NTP server selection
2. Set date and time manually
=============================================================================
Enter selection [0]:
================================================================================
Set Time Zone
================================================================================
You will now be asked to enter the time zone information for this system.
Available time zones are stored in files in the /usr/share/zoneinfo directory.
Please select from one of the following example time zones:
1. US Eastern
2. US Central
3. US Mountain
4. US Pacific
5. Other - Shows a graphical list
================================================================================
Enter selection [1]:
Current default time zone: 'America/New_York'
Local time is now:
Thu Jun 21 15:30:00 EDT 2018.
Universal Time is now: Thu Jun 21 19:30:00 UTC 2018.
After the time zone is selected, the dateconfig post-install script prints the following to the console if synchronization is successful:
The time was successfully synchronized to the server at <ntp_ip_address_1>
rsyslog start/running, process 21801
* Starting NTP server ntpd
[ OK ]
The command <ntpq -np> also displays pertinent information about NTP daemon operation and performance, including statistics about delay, offset, and jitter.
root@XMC:/# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
*<ntp_ip_address_1> 129.6.15.29   2 u   45   64  377    2.867    1.833   0.751
+<ntp_ip_address_2> 129.6.15.29   2 u   37   64  377    2.669    2.899   3.512
The first character of each line is the tally code ntpd assigns to that source: '*' is the server the clock is being synchronized to (the system peer), '+' a candidate that passed selection, '#' a survivor that was not selected, '-' an outlier and 'x' a falseticker; a blank means the source was rejected. The five .POOL. entries are unresolved pool placeholders from the Ubuntu default configuration (stratum 16, type p) and carry no time. Confirm that one configured server is marked '*', that reach is 377 (all of the last eight polls answered), and that the offset is small and stable.
ExtremeControl
ExtremeControl NTP configuration is executed during installation within the command-line interface. Once the appliance is installed, log in to the console as root. The install process starts with a series of configuration questions; the administrator is prompted for NTP configuration under the <Configure Date and Time Settings> section of the install. To change the settings after install, run the dateconfig script, which is located in /usr/postinstall.
================================================================================
Configure Date And Time Settings
================================================================================
The engine date and time can be set manually or using an external
Network Time Protocol (NTP) server. It is strongly recommended that
NTP is used to configure the date and time to ensure accuracy of time
values for SNMP communications and logged events. Up to 5
server IP addresses may be entered if NTP is used.
================================================================================
Do you want to use NTP (y/n) [y]? y
Please enter a NTP Server IP Address [<ntp_ip_address_1>]: <ntp_ip_address_1>
Would you like to add another server (y/n) [y]?
Please enter a NTP Server IP Address [<ntp_ip_address_2>]: <ntp_ip_address_2>
Would you like to add another server (y/n) [n]?
=============================================================================
NTP Servers
=============================================================================
These are the currently specified NTP servers:
<ntp_ip_address_1>
<ntp_ip_address_2>
Enter 0 or any key other than a valid selection to complete NTP configuration and
continue.
If you need to make a change, enter the appropriate number from the
choices listed below.
0. Accept the current settings and continue
1. Restart NTP server selection
2. Set date and time manually
=============================================================================
Enter selection [0]:
================================================================================
Set Time Zone
================================================================================
You will now be asked to enter the time zone information for this system.
Available time zones are stored in files in the /usr/share/zoneinfo directory.
Please select from one of the following example time zones:
1. US Eastern
2. US Central
3. US Mountain
4. US Pacific
5. Other - Shows a graphical list
================================================================================
Enter selection [1]:
Current default time zone: 'America/New_York'
Local time is now:
Thu Jun 21 19:38:04 EDT 2018.
Universal Time is now: Thu Jun 21 23:38:04 UTC 2018.
After the time zone is selected, the dateconfig post-install script prints the following to the console if synchronization is successful:
The time was successfully synchronized to the server at <ntp_ip_address_1>
rsyslog start/running, process 2123
* Starting NTP server ntpd
[ OK ]
The command <ntpq -np> also displays pertinent information about NTP daemon operation and performance, including statistics about delay, offset, and jitter.
root@NAC:/# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
#<ntp_ip_address_1> 129.6.15.29   2 u   48   64  377    2.445  -11.077   0.910
#<ntp_ip_address_2> 129.6.15.29   2 u   42   64  377    2.715   -2.139   2.747
In this capture both servers carry the '#' tally, meaning they survived selection but neither had yet been chosen as the system peer. Repeat ntpq -np after a few poll intervals and expect one of them to show '*'; if neither ever does, the engine's clock is not being disciplined and its event timestamps cannot be trusted.
ExtremeAnalytics
ExtremeAnalytics NTP configuration is executed during installation within the command-line interface. Once the appliance is installed, log in to the console as root. The install process starts with a series of configuration questions; the administrator is prompted for NTP configuration under the <Configure Date and Time Settings> section of the install. To change the settings after install, run the dateconfig script, which is located in /usr/postinstall.
Configure Date And Time Settings
================================================================================
The engine date and time can be set manually or using an external
Network Time Protocol (NTP) server. It is strongly recommended that
NTP is used to configure the date and time to ensure accuracy of time
values for SNMP communications and logged events. Up to 5
server IP addresses may be entered if NTP is used.
================================================================================
Do you want to use NTP (y/n) [n]? y
Please enter a NTP Server IP Address (Required): <ntp_ip_address_1>
Would you like to add another server (y/n) [n]? y
Please enter a NTP Server IP Address (Required): <ntp_ip_address_2>
Would you like to add another server (y/n) [n]?
=============================================================================
NTP Servers
=============================================================================
These are the currently specified NTP servers:
<ntp_ip_address_1>
<ntp_ip_address_2>
Enter 0 or any key other than a valid selection to complete NTP configuration and
continue.
If you need to make a change, enter the appropriate number from the
choices listed below.
0. Accept the current settings and continue
1. Restart NTP server selection
2. Set date and time manually
=============================================================================
Enter selection [0]:
================================================================================
Set Time Zone
================================================================================
You will now be asked to enter the time zone information for this system.
Available time zones are stored in files in the /usr/share/zoneinfo directory.
Please select from one of the following example time zones:
1. US Eastern
2. US Central
3. US Mountain
4. US Pacific
5. Other - Shows a graphical list
================================================================================
Enter selection [1]:
Current default time zone: 'America/New_York'
Local time is now:
Thu Jun 21 21:10:23 EDT 2018.
Universal Time is now: Fri Jun 22 01:10:23 UTC 2018.
================================================================================
After the time zone is selected, the dateconfig post-install script prints the following to the console if synchronization is successful:
The time was successfully synchronized to the server at <ntp_ip_address_1>
rsyslog start/running, process 27186
* Starting NTP server ntpd
[ OK ]
The command <ntpq -np> also displays pertinent information about NTP daemon operation and performance, including statistics about delay, offset, and jitter.
root@EA:/# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
+<ntp_ip_address_1> 132.163.96.2   2 u   48   64  377    2.359  -26.569   8.534
*<ntp_ip_address_2> 132.163.96.2   2 u   37   64  377    2.530  -27.124  28.495
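The three ntpq captures above are read by eye; with several engines and switches per site the same check should be scripted, so that a free-running clock is caught before it corrupts log correlation. The following Python is an added example, not part of the validated design: it parses ntpq -np output and flags the conditions that matter (no system peer, unreachable or stratum 16 sources, excessive offset, too few servers). The two sample captures are constructed with RFC 5737 addresses in the shape of the Extreme Management Center and ExtremeControl outputs above; everything else is standard library.

```python
"""Audit ntpq -np output. Added example, not part of the validated design."""

TALLY = {
    "*": "system peer", "+": "candidate", "#": "survivor, not selected",
    "-": "outlier", "x": "falseticker", ".": "excess", " ": "rejected", "o": "PPS peer",
}

# Constructed samples (RFC 5737 addresses) in the shape of the captures above.
SAMPLE_SYNCED = "\n".join([
    "     remote           refid      st t when poll reach   delay   offset  jitter",
    "==============================================================================",
    " 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000",
    "*192.0.2.10      129.6.15.29      2 u   45   64  377    2.867    1.833   0.751",
    "+192.0.2.11      129.6.15.29      2 u   37   64  377    2.669    2.899   3.512",
])
SAMPLE_NO_SYSPEER = "\n".join([
    "     remote           refid      st t when poll reach   delay   offset  jitter",
    "==============================================================================",
    "#192.0.2.10      129.6.15.29      2 u   48   64  377    2.445  -11.077   0.910",
    "#192.0.2.11      129.6.15.29      2 u   42   64  377    2.715   -2.139   2.747",
])


def parse_ntpq(text: str) -> list:
    """One dict per peer line. Column 0 is the tally code; the remaining columns are whitespace separated."""
    peers = []
    for line in text.splitlines():
        if len(line) < 2 or line[0] == "=" or line.lstrip().startswith("remote"):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        remote, refid, st, typ, _when, _poll, reach, delay, offset, jitter = fields[:10]
        try:
            peers.append({"tally": tally, "remote": remote, "refid": refid, "stratum": int(st),
                          "type": typ, "reach": int(reach, 8), "delay": float(delay),
                          "offset": float(offset), "jitter": float(jitter)})
        except ValueError:
            continue  # shell prompt or other non-peer text
    return peers


def audit(text: str, max_offset_ms: float = 100.0, min_servers: int = 2) -> dict:
    """Return {'ok', 'system_peer', 'findings'}. Pool placeholders (type 'p') carry no time and are ignored."""
    servers = [p for p in parse_ntpq(text) if p["type"] != "p"]
    findings = []
    system_peer = next((p["remote"] for p in servers if p["tally"] == "*"), None)
    if system_peer is None:
        findings.append("no system peer selected (no '*' line): the clock is not being disciplined")
    for p in servers:
        if p["stratum"] == 16:
            findings.append(f"{p['remote']}: stratum 16, unreachable or itself unsynchronised")
        elif p["reach"] != 0o377:
            findings.append(f"{p['remote']}: reach {p['reach']:o}, some of the last eight polls failed")
        if abs(p["offset"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset']:.3f} ms exceeds {max_offset_ms} ms")
        if p["tally"] in ("x", "-"):
            findings.append(f"{p['remote']}: {TALLY[p['tally']]}, disagrees with the other servers")
    if len(servers) < min_servers:
        findings.append(f"only {len(servers)} server(s) configured; a single source cannot be cross-checked")
    return {"ok": not findings, "system_peer": system_peer, "findings": findings}


if __name__ == "__main__":
    import sys
    # Pipe real output in (ntpq -np | python3 this_file.py); with no input, audit the constructed samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NO_SYSPEER
    print(audit(text))
```

Run it from cron or a collector against each engine and switch and alert on ok being false; the findings list says which of the conditions above was hit.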
ExtremeWireless Controllers
ExtremeWireless Controller NTP configuration is accessed through the User Interface located at
Controller  Network  Network Time. In the Network Time panel, the timezone and up to 3 NTP
servers can be added. After filling in the fields, click Apply.
To verify NTP server settings, log in to the console and enter the command <time>. Then enter the
command <show ntpip>. The following output should be displayed:
EWC1.SQA.net:time# show ntpip
ntpip 1 <ntp_ip_address_1>
ntpip 2 <ntp_ip_address_2>
Extreme Switches
Extreme switch NTP configuration is executed through the command-line interface. NTP is enabled on the VLANs that provide access to the NTP servers and on the VR associated with those VLANs. To enable NTP on all VLANs, enter the command enable ntp all. Note that enable ntp broadcast-client makes the switch accept unauthenticated NTP broadcasts on every VLAN where NTP is enabled, and in the examples below that includes the user access VLANs (VLAN_1600 through VLAN_2200), so a host on one of those VLANs could present itself as a time source. The explicitly configured unicast servers do not need it; consider whether the broadcast client is required, or enable NTP only on the VLANs that reach the servers. Following are examples of the NTP configuration within this Validated Design:
District Office/School 1 Controlling Bridge 1
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0059
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0101
enable ntp vlan VLAN_0102
enable ntp vlan VLAN_0103
enable ntp vlan VLAN_0104
enable ntp vlan VLAN_0105
enable ntp vlan VLAN_0109
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_1901
enable ntp vlan VLAN_2200
enable ntp vlan to_isp
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
District Office/School 1 Controlling Bridge 2
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0059
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0201
enable ntp vlan VLAN_0202
enable ntp vlan VLAN_0203
enable ntp vlan VLAN_0204
enable ntp vlan VLAN_0205
enable ntp vlan VLAN_0109
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_1901
enable ntp vlan VLAN_2200
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
District Office/School 1 ExtremeSwitching Stack
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0059
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
School 2 Controlling Bridge 1
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0101
enable ntp vlan VLAN_0204
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_2200
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
School 2 Controlling Bridge 2
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0104
enable ntp vlan VLAN_0201
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_2200
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
School 3 Controlling Bridge 1
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0102
enable ntp vlan VLAN_0205
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_2200
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
School 3 Controlling Bridge 2
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0105
enable ntp vlan VLAN_0202
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_2200
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
School 4 – ExtremeSwitching Standalone
enable ntp vr VR-Default
enable ntp broadcast-client vr VR-Default
enable ntp vlan lo0
enable ntp vlan VLAN_0060
enable ntp vlan VLAN_0103
enable ntp vlan VLAN_0203
enable ntp vlan VLAN_1600
enable ntp vlan VLAN_1700
enable ntp vlan VLAN_1800
enable ntp vlan VLAN_1900
enable ntp vlan VLAN_2200
configure ntp server add <ntp_ip_address_1> vr VR-Default
configure ntp server add <ntp_ip_address_2> vr VR-Default
To verify that the NTP daemon is synchronised with the NTP server, enter the command <show ntp sys-info>:
Slot-1 VPEX x690-DO/SC1-Left.19 # show ntp sys-info
System Peer        : <ntp_ip_address_2>
System Peer Mode   : Client
Leap Indicator     : 00
Stratum            : 3
Precision          : -23
Root Distance      : 0.04980 second
Root Dispersion    : 0.12390 second
Reference ID       : [<ntp_ip_address_2>]
Reference Time     : ded7ab3a.7a287160 Fri, Jun 22 2018 13:07:06.477
System Flags       : Monitor, NTP, Kernel, Stats
Jitter             : 0.034592 second
Stability          : 0.000 ppm
Broadcast Delay    : 0.007996 second
Auth Delay         : 0.000000 second
BOOTP Relay Agent
The ExtremeXOS BootPRelay module is Extreme Networks’ DHCP Relay agent. It is now enhanced to
optionally insert the secondary addresses of the interfaces.
A DHCP Relay agent relays DHCP requests from the client to the DHCP server and relays the DHCP
replies from the server to the client. It acts as a proxy and can reduce the number of DHCP servers
required in the network. The DHCP relay agent inserts its own IP address in the giaddr field (gateway
address) of the DHCP request. The DHCP server looks into this IP address, identifies the DHCP client’s
subnet, and assigns an IP address accordingly.
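The giaddr mechanism just described, as an added example that is not the Validated Design's own code: the client MAC, the relay interface address 192.168.60.1 and the scope table are constructed, and the server address named in the comments is the first BootPrelay server configured below.

```python
"""How a DHCP relay agent uses giaddr to tell the server which subnet a client is on.

Added example; not code from the Validated Design. The client MAC, the relay
interface address 192.168.60.1 and the scope table are constructed; the
server address mentioned in the comments is the one used in the BootPrelay
configuration in the text.
"""
import ipaddress
import struct
from typing import Optional, Tuple

BOOTREQUEST = 1
HOPS = 3                   # byte offset of the hops field in the BOOTP header
GIADDR = slice(24, 28)     # byte offsets of the relay agent (gateway) address


def build_discover(chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER (RFC 2131): fixed 236-byte BOOTP header, magic
    cookie, option 53 = 1 (DISCOVER) and the END option. A client with no
    address yet leaves ciaddr and giaddr as 0.0.0.0 and broadcasts it."""
    zero4 = b"\0" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4)
    header += chaddr.ljust(16, b"\0")     # chaddr (16 bytes)
    header += b"\0" * 64                  # sname
    header += b"\0" * 128                 # file
    header += b"\x63\x82\x53\x63"         # DHCP magic cookie
    header += bytes([53, 1, 1, 255])      # option 53 = DISCOVER, then END
    return header


def relay_to_server(packet: bytes, relay_interface_ip: str) -> bytes:
    """What the relay agent does before unicasting the request to the
    configured server (for example 192.168.109.249): if giaddr is still
    0.0.0.0 it inserts the address of the VLAN interface the broadcast arrived
    on, and it increments hops. A request that already carries a giaddr (it
    came through another relay) is left alone, so the server still sees the
    first hop's subnet."""
    pkt = bytearray(packet)
    if bytes(pkt[GIADDR]) == b"\0\0\0\0":
        pkt[GIADDR] = ipaddress.IPv4Address(relay_interface_ip).packed
    pkt[HOPS] += 1
    return bytes(pkt)


# Constructed scope table: subnet -> (next free lease, default router).
SCOPES = {
    ipaddress.ip_network("192.168.60.0/24"): ("192.168.60.100", "192.168.60.1"),
    ipaddress.ip_network("192.168.101.0/24"): ("192.168.101.100", "192.168.101.1"),
}


def select_scope(packet: bytes) -> Optional[Tuple[ipaddress.IPv4Network, str, str]]:
    """Server side: giaddr is looked up against the scopes and decides which
    subnet the lease comes from. Returns (network, lease, router) or None.
    A giaddr of 0.0.0.0 means the client is directly attached; a real server
    would then use its own receiving interface, which this toy does not model."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return None
    for net, (lease, router) in SCOPES.items():
        if giaddr in net:
            return net, lease, router
    return None


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("020496000001"))   # constructed MAC
    relayed = relay_to_server(discover, "192.168.60.1")
    print("giaddr after relay:", ipaddress.IPv4Address(relayed[GIADDR]))
    print("scope chosen by server:", select_scope(relayed))
```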
We recommend that BootPrelay be configured for both ExtremeControl engines and, where DHCP server
redundancy is present, for the redundant DHCP servers. BootPrelay must also be enabled on the VLANs
that DHCP packets will traverse. The following is the BootPrelay configuration for this
Validated Design:
District Office/School 1 Controlling Bridge 1
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
configure bootprelay add 192.168.109.247 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0059
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0109
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1901
enable bootprelay ipv4 vlan VLAN_2200
District Office/School 1 Controlling Bridge 2
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
configure bootprelay add 192.168.109.247 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0059
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0109
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_1901
enable bootprelay ipv4 vlan VLAN_2200
District Office/School 1 ExtremeSwitching Stack
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0059
School 2 Controlling Bridge 1
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
configure bootprelay add 192.168.109.247 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0101
enable bootprelay ipv4 vlan VLAN_0204
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_2200
School 2 Controlling Bridge 2
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
configure bootprelay add 192.168.109.247 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0101
enable bootprelay ipv4 vlan VLAN_0204
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_2200
School 3 Controlling Bridge 1
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
configure bootprelay add 192.168.109.247 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0102
enable bootprelay ipv4 vlan VLAN_0205
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_2200
School 3 Controlling Bridge 2
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
configure bootprelay add 192.168.109.247 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0105
enable bootprelay ipv4 vlan VLAN_0202
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_2200
School 4 – ExtremeSwitching Standalone
configure bootprelay add 192.168.109.249 vr VR-Default
configure bootprelay add 192.168.109.253 vr VR-Default
configure bootprelay add 192.168.109.248 vr VR-Default
enable bootprelay ipv4 vlan VLAN_0060
enable bootprelay ipv4 vlan VLAN_0103
enable bootprelay ipv4 vlan VLAN_0203
enable bootprelay ipv4 vlan VLAN_1600
enable bootprelay ipv4 vlan VLAN_1700
enable bootprelay ipv4 vlan VLAN_1800
enable bootprelay ipv4 vlan VLAN_1900
enable bootprelay ipv4 vlan VLAN_2200
To view statistics on requests relayed, enter the command <show bootprelay>:
Slot-1 VPEX x690-DO/SC1-Left.47 # show bootprelay
Bootprelay : Disabled on virtual router "VR-Default", but enabled on some VLANs
Include Secondary : Disabled
DHCP Relay Agent Information Option : Disabled on virtual router "VR-Default"
Bootprelay servers for virtual router "VR-Default":
Destination: 192.168.109.249 192.168.109.253 192.168.109.248 192.168.109.247
DHCP/BOOTP relay statistics for virtual router "VR-Default"
  Received from client = 3502      Received from server = 3
  Requests relayed     = 12        Responses relayed    = 3
  DHCP Discover        = 1760      DHCP Offer           = 1
  DHCP Request         = 2         DHCP Ack             = 2
  DHCP Decline         = 0         DHCP NAck            = 0
  DHCP Release         = 0
  DHCP Inform          = 1740
Note: Default Remote-ID : System MAC Address
Link Layer Discovery Protocol (LLDP)
LLDP is enabled by default in ExtremeXOS and is an integral part of the process for the initial discovery of
Extreme’s Bridge Port Extenders (BPEs). Each BPE will initially be discovered using a TLV extension to
the LLDP protocol along with certain LLDP-MED TLVs that specify serial number, model name, hardware
version, and firmware version. The Port Extension Control and Status Protocol (PE-CSP) is a simple
request/response protocol that runs over ECP and is initiated upon detection of a bridge port extender via
the LLDP protocol.
The Link Layer Discovery Protocol (LLDP), defined by IEEE standard 802.1ab, provides a standard
method for discovering physical network devices and their capabilities within a given network
management domain. LLDP-enabled network devices include repeaters, bridges, access points, routers,
and wireless stations, and LLDP enables these devices to do the following:
• Advertise device information and capabilities to other devices in the management domain.
• Receive and store device information received from other network devices in the management domain.
LLDP-discovered information can be used to do the following:
• Discover information from all LLDP-compatible devices in a multivendor environment.
• Trigger universal port profiles that can configure a switch port for a remote device.
• Supply identity information that can be used for authentication and identity management.
• Provide device information to SNMP (Simple Network Management Protocol) compatible network management systems such as Extreme Management Center or Ridgeline. These systems can present the information in inventory reports and topology maps.
No additional steps are needed to configure LLDP for initial BPE discovery after slot and VPEX port
configuration. To view LLDP neighbors, enter the command <show lldp neighbors>:
Slot-1 VPEX x690-DO/SC1-Left.56 # show lldp neighbors
            Neighbor            Neighbor            Neighbor
Port        Chassis ID          Port ID             TTL   Age   System Name
===============================================================================
1:7         00:1F:45:FB:72:C2   ge.1.47             120   22    Not-Advertised
1:45        02:04:96:A0:A7:2E   1:51                120   21    x440G2-DO/SC1-Stack
1:46        64:6A:52:9E:0C:00   64:6A:52:9E:0C:64   120   6     VSP-8404
1:47        D8:84:66:88:98:44   25                  120   1     V400-24p-10GE2
1:48        00:02:23:05:17:00   25                  120   2     V400-24t-10GE2
1:49        00:04:96:A5:05:26   1:49                120   26    x690-DO/SC1-Right
1:53        00:04:96:A5:05:26   1:53                120   26    x690-DO/SC1-Right
1:57        64:6A:52:9E:0C:00   64:6A:52:9E:0C:00   120   6     VSP-8404
100:13      D8:84:66:E3:25:BC   eth0                120   6     DO-SC1-AP2-AP3935i
100:14      B4:2D:56:25:72:27   eth0                120   1     DO-SC1-AP1-AP3917e
===============================================================================
Simple Network Management Protocol (SNMPv3)
SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP access to
managed devices and provides sophisticated control of access to the device MIB. The prior standard
versions of SNMP, SNMPv1, and SNMPv2c, provided no privacy and little security.
SNMPv3 is designed to be secure against:
• Modification of information, where an in-transit message is altered.
• Masquerades, where an unauthorized entity assumes the identity of an authorized entity.
• Message stream modification, where packets are delayed and/or replayed.
• Disclosure, where packet exchanges are sniffed (examined) and information is learned about the contents.
You can use the access control subsystem to configure whether access to a managed object in a local
MIB is allowed for a remote principal. The access control scheme allows you to define access policies
based on MIB views, groups, and multiple security levels. In addition, the SNMPv3 target and notification
MIBs provide a more procedural approach for generating and filtering of notifications. SNMPv3 objects are
stored in non-volatile memory unless specifically assigned to volatile storage. Objects defined as
permanent cannot be deleted.
SNMP is disabled by default. If you choose to enable SNMP, the switch runs an interactive script
asking whether you want to enable SNMPv1/v2c and/or SNMPv3. SNMP access for a VR has a global SNMP
status that covers SNMPv1/v2c, the SNMPv3 default users, and the default group status. However, trap
receiver configuration and trap enabling/disabling are independent of global SNMP access, and traps are
still forwarded on a VR that is disabled for SNMP access.
For Extreme Management Center (XMC) to take advantage of the more secure and robust SNMPv3, the
controlling bridges and wireless controllers must be configured with matching credentials and
user name. In Extreme Management Center, administration profiles are required to communicate with the
network devices and wireless controllers. The following steps are required to create an Administration
Profile (CLI Credentials > Profiles > SNMP Credentials).
Extreme Management Center Profile Configuration - Switching
Profiles are used to define access to the devices in the network by creating identities used for
authentication when performing SNMP queries and sets and identities for CLI operations.
A profile can be configured with the SNMP version to be used and the read and write user and security
level. It also points to a set of CLI credentials.
In the Smart OmniEdge solution, a profile that uses SNMPv3 was created and is used by all network
devices. For CLI, SSH access is enabled. Authentication for CLI is done via RADIUS server. A different
SNMPv3 profile is used by the wireless controllers.
To create new CLI credentials, go to Administration > CLI Credentials and click Add.
Only SSH is permitted for management connections to the network devices. Telnet access is disabled.
1. Configure a Description.
2. Configure a User Name.
3. Configure SSH as the Type.
4. Configure a Login Password.
5. Configure an Enable Password.
6. Configure a Configuration Password.
7. Click Save.
To create a new profile, go to Administration > Profiles and select Add to create a custom SNMP
profile:
1. Configure a Profile Name.
2. Select SNMP Version – SNMPv3.
3. Select New…
4. The Add SNMP Credential window appears.
1. Configure a Credential Name.
2. Select from SNMP Version: SNMPv3.
3. Configure a User Name.
4. Select from Authentication Type: SHA.
5. Configure an Authentication Password.
6. Select from Privacy Type: AES.
7. Configure a Privacy Password.
8. Click Save.
The same SNMPv3 user with the same authentication protocol and password and the same privacy
protocol and password must be created on the network device.
Configure the created profile with the new SNMP and CLI credentials:
• Use the newly created xmc_snmpuser for Read/Write/Max Access.
• Use AuthPriv for Read Security/Write Security/Max Security.
• Use the newly created radiusmgmt CLI credentials.
Switch Configuration – Extreme Management Center Administration Profile
After the administration profile is configured in Extreme Management Center, the same credentials must
be configured on the device for Extreme Management Center to manage and configure the device.
By default, the SNMPv3 engine-ID is present within the <snmpMaster configuration> module. To match
the credentials configured within the Extreme Management Center administrative profile, enter the
command <configure snmpv3 add user xmc_v3 authentication sha privacy aes 128>.
You will be prompted with a series of password entries that must match the passwords within the
administrator profile for Authentication and Privacy. (extreme1234 is the password used for this Validated
Design.)
After executing the above command, you should receive output similar to the following when you issue the
command <show snmp configuration>:
configure snmpv3 engine-id 03:00:04:96:a0:89:e8
configure snmpv3 add user "xmc_v3" engine-id 80:00:07:7c:03:00:04:96:a0:89:e8
authentication sha auth-encrypted localized-key
23:24:65:74:7a:6d:6b:74:34:34:61:65:50:54:42:4a:2f:30:78:32:59:72:53:72:43:44:33:4e:55
:42:35:59:56:41:35:72:30:66:39:65:53:53:6a:4e:38:4d:48:4d:38:33:39:30:77:3d privacy
aes 128 privacy-encrypted localized-key
23:24:7a:6c:6b:67:50:5a:6c:64:75:51:71:41:76:2b:2b:4c:4b:4d:34:6e:33:56:45:67:37:49:30
:75:74:66:4a:71:71:39:57:51:70:43:72:44:41:42:67:6e:32:38:77:5a:32:78:34:3d
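The "localized-key" values above come from RFC 3414 key localization, shown here as an added example that is not the Validated Design's own code: the password is the one this design uses (extreme1234), the two engine IDs are the ones shown in the switch output, and the RFC 3414 appendix A.3 vectors check the implementation. The switch stores its localized keys wrapped in its own encryption, so the hex values shown above are not reproduced byte for byte.

```python
"""RFC 3414 key localization, which is what the switch's "localized-key" entries are.

Added example; not the Validated Design's own code. The password is the one the
text quotes for this design and the engine IDs are the two shown in the switch
output; the RFC 3414 appendix A.3 vectors check the implementation. ExtremeXOS
additionally encrypts the stored keys ("auth-encrypted"/"privacy-encrypted"),
so the hex shown in the configuration is not this derivation's raw output.
"""
import hashlib

DESIGN_PASSWORD = "extreme1234"                             # quoted in the text
ENGINE_ID_CB1 = bytes.fromhex("8000077c03000496a089e8")     # 80:00:07:7c:03:00:04:96:a0:89:e8
ENGINE_ID_CB2 = bytes.fromhex("8000077c03000496a4e83e")     # 80:00:07:7c:03:00:04:96:a4:e8:3e


def password_to_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Ku  = H(password repeated/truncated to exactly 1 048 576 bytes)
       Kul = H(Ku || snmpEngineID || Ku)            (RFC 3414, A.2.1 / A.2.2)
    Mixing in the engine ID is why the same password gives a different key on
    every device: a key recovered from one switch does not authenticate to another."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def privacy_key(localized: bytes, protocol: str) -> bytes:
    """Cut the localized privacy key down to the cipher's key size:
    AES-128 (RFC 3826) takes the first 16 bytes; DES (RFC 3414) takes the
    first 8 bytes as the key (the next 8 are the pre-IV, not returned here)."""
    proto = protocol.lower()
    if proto in ("aes", "aes128", "aes-128"):
        return localized[:16]
    if proto == "des":
        return localized[:8]
    raise ValueError(f"unsupported privacy protocol: {protocol}")


if __name__ == "__main__":
    for name, eid in (("CB1", ENGINE_ID_CB1), ("CB2", ENGINE_ID_CB2)):
        kul = password_to_key(DESIGN_PASSWORD, eid)
        print(name, "auth key", kul.hex(), "aes128 priv key", privacy_key(kul, "aes").hex())
```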
Enter the following commands to complete the SNMPv3 configuration for this Validated Design. The
following shows commands and their output.
configure snmpv3 add group "v3group" user "xmc_v3" sec-model usm
configure snmpv3 add access "v3group" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminview"
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
configure snmpv3 add target-addr "TVsnmpuser" param "TV1snmpuser" ipaddress 192.168.109.254 transport-port 162 tag-list "TVInformTag"
configure snmpv3 add target-params "TV1snmpuser" user "snmpuser" mp-model snmpv3 sec-model usm sec-level priv
configure snmpv3 add notify "TVInformTag" tag "TVInformTag" type inform
enable snmp access
disable snmp access snmp-v1v2c
enable snmp access snmpv3
disable snmpv3 default-group
To show SNMP configuration, enter the command <show configuration snmp>:
#
# Module snmpMaster configuration.
#
configure snmpv3 engine-id 03:00:04:96:a4:e8:3e
configure snmpv3 add user "xmc_v3" engine-id 80:00:07:7c:03:00:04:96:a4:e8:3e
authentication sha auth-encrypted localized-key
23:24:4d:42:76:43:6a:70:48:67:6b:59:6c:4f:4f:4b:59:59:70:74:71:37:55:70:69:77:2b:4e:4c
:54:45:4e:66:66:4f:75:45:43:6a:39:61:6b:36:30:30:79:45:70:75:62:47:33:49:3d privacy
aes 128 privacy-encrypted localized-key
23:24:56:50:74:30:33:37:33:66:74:75:4c:7a:65:37:2f:48:34:34:61:2b:6f:72:36:58:5a:52:57
:77:48:73:35:51:41:73:75:46:74:54:4a:6a:6e:6e:32:6a:58:57:71:76:38:73:51:3d
configure snmpv3 add group "v3group" user "xmc_v3" sec-model usm
configure snmpv3 add access "v3group" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminview"
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
configure snmpv3 add target-addr "TVsnmpuser" param "TV1snmpuser" ipaddress 192.168.109.254 transport-port 162 tag-list "TVInformTag"
configure snmpv3 add target-params "TV1snmpuser" user "snmpuser" mp-model snmpv3 sec-model usm sec-level priv
configure snmpv3 add notify "TVInformTag" tag "TVInformTag" type inform
enable snmp access
disable snmp access snmp-v1v2c
enable snmp access snmpv3
disable snmpv3 default-group
Extreme Management Center Profile Configuration - Wireless Controllers
Profiles are used to define access to the wireless controllers in the network by creating identities used for
authentication when performing SNMP queries and sets and identities for CLI operations.
A profile can be configured with the SNMP version to be used for the read and write user and security
level. It also points to a set of CLI credentials for the wireless controllers.
In the Smart OmniEdge solution, a profile that uses SNMPv3 was created and is used by Extreme
Management Center for the wireless controllers. For CLI, SSH access is enabled. Authentication for CLI is
done via RADIUS server.
To create new CLI credentials, go to Administration > CLI Credentials and click Add.
Only SSH is permitted for management connections to the network devices. Telnet access is disabled.
1. Configure a Description.
2. Configure a User Name.
3. Configure SSH as the Type.
4. Configure a Login Password.
5. Configure an Enable Password.
6. Configure a Configuration Password.
7. Click Save.
To create a new Wireless Profile for the wireless controllers, go to Administration > Profiles and click
Add.
1. Configure a Profile Name.
2. Select SNMP Version – SNMPv3.
3. Select New…
4. The Add SNMP Credential window appears.
1. Configure a Credential Name.
2. Select from SNMP Version: SNMPv3.
3. Configure a User Name.
4. Select from Authentication Type: SHA.
5. Configure an Authentication Password.
6. Select from Privacy Type: DES.
7. Configure a Privacy Password.
8. Click Save.
The same SNMPv3 user with the same authentication protocol and password and the same privacy
protocol and password must be created on the ExtremeWireless Controllers.
Configure the created profile with the new SNMP and CLI credentials:
• Use the newly created snmpuserewc for Read/Write/Max Access.
• Use AuthPriv for Read Security/Write Security/Max Security.
• Use the newly created radiusmgmt CLI credentials.
ExtremeWireless Controller SNMPv3 Configuration
Extreme Management Center uses non-default SNMPv3 credentials to manage wireless controllers. The
same SNMPv3 user, password, authentication, and privacy protocols must be configured on both Extreme
Management Center and on the wireless controllers.
To configure SNMPv3 on the wireless controllers, go to Controller > Network > SNMP > SNMPv3 >
Add User Account.
EWC1 and EWC2
The Add SNMPv3 User Account window appears. Credentials must match those created in the Basic
Extreme Management Center section of this document.
Authentication Password: snmppasssha123
Privacy Password: snmppassdes456
The SNMPv3 user account is created and enabled.
Domain Name System (DNS)
To obtain captive portal redundancy, DNS is used to provide one URL address for both ExtremeControl
engines. If one engine is unreachable the second engine will take over because both are associated with
the same FQDN.
Essentially, both ExtremeControl engine IPs are added to the same FQDN within the domain of the DNS
server. Additional configuration is required on the external DHCP server which is detailed in the Captive
Portal Redundancy subsection in the section for the District Office/School 1.
As an added layer of security, select the Use Fully Qualified Domain Name checkbox to hide the IP
addresses of the ExtremeControl servers when an unregistered user is redirected. This is located in
Extreme Management Center at Access Control > Configuration > Captive Portals > Network
Settings.
RADIUS
Login Management Configuration
For full network administration security, we recommend RADIUS authentication for Extreme Management
Center, ExtremeWireless Controllers, and Extreme device login. The use of an external RADIUS server is
recommended to authenticate user access to Extreme’s appliances and switches for administrative
purposes.
To configure login authentication for Extreme Management Center, go to Administration > Users, set
the Authentication Method to RADIUS, and enter the IP addresses of the redundant RADIUS servers.
RADIUS servers must be configured for the Extreme Management Center user in Active Directory. Set the
Authentication Type to RADIUS in the Authentication Method panel and enter the primary and secondary
IP addresses of the RADIUS servers.
When a new user is added, an associated Authorization Group – with the appropriate capabilities – must
be created in the Authorization Groups window.
To configure SSH access to Extreme Management Center, click Manage SSH Configuration under SSH
Configuration. A popup will appear with appropriate fields to configure the port, primary and secondary
RADIUS servers, and the SSH user that should have access.
ExtremeWireless Controllers
Users connecting to the wireless controllers for management operations can be authenticated locally or by
using a RADIUS server. To enable the use of a RADIUS server, go to Controller > Administration >
Login Management. Click the Configure button and enable RADIUS.
In the Login Authentication dialog, verify that RADIUS is enabled.
Go to the RADIUS Authentication tab to select the ExtremeControl engines as RADIUS servers. The NAS
IP address is the address used by the wireless controller when sending RADIUS requests and is one of
the wireless controller’s interfaces. This address must be in the Switch list on ExtremeControl. Select PAP
as the authentication type. After configuring all fields, use the Test button to verify authentication.
Configure RADIUS Authentication for a second NAC with the same values:
NAS IP Address: 192.168.109.251
NAS identifier: EWC1
Auth Type: PAP
To test RADIUS connectivity, enter the credentials (User ID: admin, Password: extreme) and click Test.
The test of both RADIUS servers should return Successful.
ExtremeSwitching
To configure login authentication on ExtremeSwitching, <mgmt-access> must be configured on the
switch. With RADIUS <mgmt-access> enabled within the <aaa> module, any Administrator user that tries
to connect to the network device via SSH, Telnet, or console will be authenticated first against the
ExtremeControl configuration.
Enter the command <enable radius mgmt-access>. The command should be present within the aaa
configuration module after execution:
configure radius 1 server 192.168.109.253 1812 client-ip 192.168.200.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$/ypcBfx8EIF2LWYdNI8s43RpczWx0Q=="
configure radius 2 server 192.168.109.248 1812 client-ip 192.168.200.1 vr VR-Default
configure radius 2 shared-secret encrypted "#$cru/E2aDkLExef/+GgdtIpPE8My86Q=="
configure radius-accounting 1 server 192.168.109.253 1813 client-ip 192.168.200.1 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$ptyf4X9trw2v2vkohFGFy01cEnsiZw=="
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 192.168.109.248 1813 client-ip 192.168.200.1 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$DxnMfpS4f7LKOUBJFkhjKWg9aRUVrg=="
configure radius-accounting 2 timeout 10
configure radius dynamic-authorization 1 server 192.168.109.253 client-ip 192.168.200.1 vr VR-Default shared-secret encrypted "#$uvGqcNWvFXFKq03zFwcRRNc/t6pPZQ=="
configure radius dynamic-authorization 2 server 192.168.109.248 client-ip 192.168.200.1 vr VR-Default shared-secret encrypted "#$+pEQhFKsrDP0VMCFdp3SxfcwuA0LzA=="
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
enable radius dynamic-authorization
Secure Shell (SSH)
SSH is disabled by default. We recommend disabling Telnet access to network devices and enabling
SSH for security and authentication purposes.
Secure Shell 2 (SSH2) is a feature of the ExtremeXOS software that enables you to encrypt session data
between a network administrator using SSH2 client software and the switch, or to send encrypted data
from the switch to an SSH2 client on a remote system.
Enter the command <enable ssh2>. The following output will be generated:
enable ssh2
WARNING: Generating new server host key
This could take up to 1 minute and cannot be cancelled.
Continue? (y/N) Yes
.....................
Key Generated.
Enter the following commands to complete the SSH configuration for this Validated Design.
configure ssh2 dh-group minimum 1
configure ssh2 enable cipher aes128-cbc
configure ssh2 enable cipher 3des-cbc
configure ssh2 enable cipher blowfish-cbc
configure ssh2 enable cipher cast128-cbc
configure ssh2 enable cipher aes192-cbc
configure ssh2 enable cipher aes256-cbc
configure ssh2 enable cipher arcfour
configure ssh2 enable cipher rijndael-cbc@lysator.liu.se
configure ssh2 enable cipher arcfour256
configure ssh2 enable cipher arcfour128
configure ssh2 enable mac hmac-md5-etm@openssh.com
configure ssh2 enable mac hmac-ripemd160-etm@openssh.com
configure ssh2 enable mac hmac-sha1-96-etm@openssh.com
configure ssh2 enable mac hmac-md5-96-etm@openssh.com
configure ssh2 enable mac hmac-md5
configure ssh2 enable mac hmac-ripemd160
configure ssh2 enable mac hmac-ripemd160@openssh.com
configure ssh2 enable mac hmac-sha1-96
configure ssh2 enable mac hmac-md5-96
configure ssh2 enable pk-alg ssh-dss
You should see the following output after entering the command <show config exsshd>:
enable ssh2
configure ssh2 dh-group minimum 1
configure ssh2 enable cipher aes128-cbc
configure ssh2 enable cipher 3des-cbc
configure ssh2 enable cipher blowfish-cbc
configure ssh2 enable cipher cast128-cbc
configure ssh2 enable cipher aes192-cbc
configure ssh2 enable cipher aes256-cbc
configure ssh2 enable cipher arcfour
configure ssh2 enable cipher rijndael-cbc@lysator.liu.se
configure ssh2 enable cipher arcfour256
configure ssh2 enable cipher arcfour128
configure ssh2 enable mac hmac-md5-etm@openssh.com
configure ssh2 enable mac hmac-ripemd160-etm@openssh.com
configure ssh2 enable mac hmac-sha1-96-etm@openssh.com
configure ssh2 enable mac hmac-md5-96-etm@openssh.com
configure ssh2 enable mac hmac-md5
configure ssh2 enable mac hmac-ripemd160
configure ssh2 enable mac hmac-ripemd160@openssh.com
configure ssh2 enable mac hmac-sha1-96
configure ssh2 enable mac hmac-md5-96
configure ssh2 enable pk-alg ssh-dss
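As an added example (not part of this Validated Design and not Extreme Networks code), the following Python audit reads a dump in the `show config exsshd` format shown above and reports which enabled ciphers, MACs, host-key algorithms and DH floor are legacy choices that modern SSH hardening guidance drops. The sample input is constructed in the page's format, and the rule table is this editor's hypothetical policy.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the `show config exsshd` output above:
# several of the legacy algorithms the page enables plus two modern ones,
# so the audit has something to accept as well as something to flag.
SAMPLE_EXSSHD = """\
enable ssh2
configure ssh2 dh-group minimum 1
configure ssh2 enable cipher aes128-cbc
configure ssh2 enable cipher 3des-cbc
configure ssh2 enable cipher arcfour
configure ssh2 enable cipher aes256-ctr
configure ssh2 enable mac hmac-md5
configure ssh2 enable mac hmac-sha2-256
configure ssh2 enable pk-alg ssh-dss
"""

ALGO_RE = re.compile(r"^configure ssh2 enable (cipher|mac|pk-alg) (\S+)$")
DH_RE = re.compile(r"^configure ssh2 dh-group minimum (\d+)$")

# Hypothetical hardening policy (this editor's, not Extreme's): regex -> why it is flagged.
LEGACY_RULES: Dict[str, List[tuple]] = {
    "cipher": [
        (r"arcfour", "RC4 stream cipher, cryptographically broken"),
        (r"^(3des|blowfish|cast128)-", "64-bit block cipher, Sweet32 birthday bound"),
        (r"-cbc", "CBC mode, padding-oracle class weaknesses; prefer CTR or GCM"),
    ],
    "mac": [
        (r"md5", "MD5-based HMAC, deprecated hash"),
        (r"ripemd160", "RIPEMD-160 HMAC, legacy hash removed from OpenSSH"),
        (r"-96", "96-bit truncated tag, reduced forgery resistance"),
    ],
    "pk-alg": [
        (r"^ssh-dss$", "DSA host key, 1024-bit only, disabled by modern clients"),
    ],
}
MIN_DH_GROUP = 14  # group 1 is the 1024-bit DH group; 14 is the 2048-bit floor


def audit_exsshd(config_text: str) -> Dict[str, List[str]]:
    """Classify every algorithm line of an exsshd config dump as flagged or accepted."""
    result: Dict[str, List[str]] = {"flagged": [], "accepted": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ALGO_RE.match(line)
        if m:
            kind, algo = m.groups()
            reason = next((why for pat, why in LEGACY_RULES[kind] if re.search(pat, algo)), None)
            if reason:
                result["flagged"].append(f"{kind} {algo}: {reason}")
            else:
                result["accepted"].append(f"{kind} {algo}")
            continue
        m = DH_RE.match(line)
        if m and int(m.group(1)) < MIN_DH_GROUP:
            result["flagged"].append(
                f"dh-group minimum {m.group(1)}: 1024-bit DH group accepted for key exchange")
    return result


if __name__ == "__main__":
    report = audit_exsshd(SAMPLE_EXSSHD)
    for item in report["flagged"]:
        print("FLAG", item)
    for item in report["accepted"]:
        print("OK  ", item)
```

Run against the real `show config exsshd` output above, every cipher, MAC and pk-alg line is flagged; the accepted list is what to keep when the switch's software offers CTR/GCM ciphers and SHA-2 MACs.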
Multicast (IGMP and PIM-SM)
Multicast has many applications. However, for most schools the primary use case is video delivery and security camera applications. In this design, IGMP and IGMP snooping are configured for Layer 2 multicast, and PIM sparse mode is used for multicast routing.
Internet Group Management Protocol
IGMP and IGMP snooping should be enabled by default. If they are not enabled, you can enable them by
issuing the following commands:
All Controlling Bridges and ExtremeSwitching Access Switches
enable igmp
enable igmp snooping
Enable IP Multicast Forwarding
In order to route multicast traffic, IP Multicast Forwarding must be enabled on all forwarding VLANs in the
school district. Configuration should resemble the following:
District Office/School 1 – Controlling Bridge 1
enable ipmcforwarding vlan "VLAN_0059"
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0101"
enable ipmcforwarding vlan "VLAN_0102"
enable ipmcforwarding vlan "VLAN_0103"
enable ipmcforwarding vlan "VLAN_0104"
enable ipmcforwarding vlan "VLAN_0105"
enable ipmcforwarding vlan "VLAN_0109"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_1900"
enable ipmcforwarding vlan "VLAN_1901"
enable ipmcforwarding vlan "VLAN_2200"
enable ipmcforwarding vlan "lo0"
District Office/School 1 – Controlling Bridge 2
enable ipmcforwarding vlan "VLAN_0059"
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0201"
enable ipmcforwarding vlan "VLAN_0202"
enable ipmcforwarding vlan "VLAN_0203"
enable ipmcforwarding vlan "VLAN_0204"
enable ipmcforwarding vlan "VLAN_0205"
enable ipmcforwarding vlan "VLAN_0109"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_1900"
enable ipmcforwarding vlan "VLAN_1901"
enable ipmcforwarding vlan "VLAN_2200"
enable ipmcforwarding vlan "lo0"
District Office/School 1 – ExtremeSwitching Stack
enable ipmcforwarding vlan "VLAN_0059"
enable ipmcforwarding vlan "lo0"
School 2 – Controlling Bridge 1
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0101"
enable ipmcforwarding vlan "VLAN_0204"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_1900"
enable ipmcforwarding vlan "VLAN_2200"
enable ipmcforwarding vlan "lo0"
School 2 – Controlling Bridge 2
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0104"
enable ipmcforwarding vlan "VLAN_0201"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_1900"
enable ipmcforwarding vlan "VLAN_2200"
enable ipmcforwarding vlan "lo0"
School 3 – Controlling Bridge 1
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0102"
enable ipmcforwarding vlan "VLAN_0205"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_1900"
enable ipmcforwarding vlan "VLAN_2200"
enable ipmcforwarding vlan "lo0"
School 3 – Controlling Bridge 2
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0105"
enable ipmcforwarding vlan "VLAN_0202"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_1900"
enable ipmcforwarding vlan "VLAN_2200"
enable ipmcforwarding vlan "lo0"
School 4 – ExtremeSwitching Standalone
enable ipmcforwarding vlan "lo0"
enable ipmcforwarding vlan "VLAN_0060"
enable ipmcforwarding vlan "VLAN_0103"
enable ipmcforwarding vlan "VLAN_0203"
enable ipmcforwarding vlan "VLAN_1600"
enable ipmcforwarding vlan "VLAN_1700"
enable ipmcforwarding vlan "VLAN_1800"
enable ipmcforwarding vlan "VLAN_2200"
Create Rendezvous Point Policy File
Before PIM Sparse Mode can be enabled, an rp_list.pol file must be created for dynamic RP multicast group assignment. The steps below create a very simple C-RP policy file that covers the entire multicast group range.
Create an rp_list.pol file on each District Office switch:
1. At the prompt issue vi rp_list.pol.
2. Press the ‘i’ key on the keyboard.
3. Enter the following RP policy:
District Office/School 1 - Controlling Bridges 1 and 2
entry rp_list {
    if match any {
    }
    then {
        nlri 224.0.0.0/4;
    }
}
4. Press the Esc key on the keyboard.
5. Save the rp_list.pol file by entering wq!.
6. Verify that the file has been created by entering ls at the prompt.
District Office/School 1 Controlling Bridges 1 and 2
Slot-1 VPEX x690-DO-Left.46 # ls
-rw-r--r--    1 admin    admin    62 Jun  1 08:42 rp_list.pol
PIM Sparse Mode C-BSR and C-RP Configuration
The two District Office controlling bridges will serve as both candidate bootstrap routers and candidate
rendezvous points. The CBSR and CRP should use the loopback interface created. PIM-SM will also be
enabled on the VLAN_0060 VLAN to facilitate the BSR and RP election process. The rp_list.pol file
should be referenced in the CRP configuration.
When complete, the configuration should look similar to the one below:
District Office/School 1 Controlling Bridge 1
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "lo0" sparse
configure pim crp vlan "lo0" "rp_list" 192
enable pim iproute sharing
enable pim
configure pim cbsr vlan "lo0"
District Office/School 1 Controlling Bridge 2
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "lo0" sparse
configure pim crp vlan "lo0" "rp_list" 192
enable pim iproute sharing
enable pim
configure pim cbsr vlan "lo0"
At the prompt, enter show pim (output truncated) and verify that the following things are true.
District Office/School 1 Controlling Bridge 1
1. PIM is enabled.
2. PIM CRP is enabled and the ‘c’ flag is set on configured VLANs.
3. VLAN VLAN_0060 sees a neighbor.
4. VLAN lo0 on both CBs is a BSR candidate.
5. Verify BSR is selected.
Slot-1 VPEX X690-48x-2q-4c.180 # show pim
PIM Enabled, Version 2
PIM CRP Enabled on 1 interfaces
BSR state           : CANDIDATE ; BSR Hash Mask : 255.255.255.252
Current BSR Info    : 192.168.200.2 (Priority 0) expires after 103 sec
Configured BSR Info : 192.168.200.1 (Priority 0) in vlan lo0
…
VLAN        Cid IP Address            Designated Router  Flags         Hello Int  J/P Int  Nbrs
VLAN_0060   2   192.168.60.2   / 24   192.168.60.3       rifms-------  30         60       1
lo0         3   192.168.200.1  / 32   192.168.200.1      rifmsc------  30         60       0
District Office/School 1 Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.135 # show pim
PIM Enabled, Version 2
PIM CRP Enabled on 1 interfaces
BSR state           : ELECTED ; BSR Hash Mask : 255.255.255.252
Current BSR Info    : 192.168.200.2 (Priority 0) expires after 27 sec
Configured BSR Info : 192.168.200.2 (Priority 0) in vlan lo0
…
VLAN        Cid IP Address            Designated Router  Flags         Hello Int  J/P Int  Nbrs
VLAN_0060   2   192.168.60.3   / 24   192.168.60.3       rifms-------  30         60       1
lo0         3   192.168.200.2  / 32   192.168.200.2      rifmsc------  30         60       0
At the prompt, enter show pim rp-set and verify that both switches see each other as Candidate
Rendezvous Points (C-RP).
District Office/School 1 Controlling Bridge 1
1. Verify both C-RPs are configured to act as the RP for the entire 224.0.0.0/4 Multicast Address Range.
2. Both C-RPs are seen on both routers.
Slot-1 VPEX X690-48x-2q-4c.181 # show pim rp-set
Group        Mask         C-RP           Origin     Priority  Timeout
224.0.0.0    240.0.0.0    192.168.200.1  Bootstrap  192       92
224.0.0.0    240.0.0.0    192.168.200.2  Bootstrap  192       92
District Office/School 1 Controlling Bridge 2
Slot-1 VPEX X690-48x-2q-4c.137 # show pim rp-set
Group        Mask         C-RP           Origin     Priority  Timeout
224.0.0.0    240.0.0.0    192.168.200.1  Bootstrap  192       134
224.0.0.0    240.0.0.0    192.168.200.2  Bootstrap  192       134
Configure PIM-SM Interfaces
Like OSPF, these interfaces will act as the main aggregation point for routed multicast traffic. PIM-SM
will be configured on all interfaces in the topology. PIM-SM has already been enabled at the District
Office/School 1 and will be enabled at the remaining schools.
When complete, the configuration should look similar to the one below:
District Office/School 1 – Controlling Bridge 1
configure pim add vlan "VLAN_0109" sparse
configure pim add vlan "lo0" sparse
configure pim add vlan "VLAN_0101" sparse
configure pim add vlan "VLAN_0104" sparse
configure pim add vlan "VLAN_0103" sparse
configure pim add vlan "VLAN_0105" sparse
configure pim add vlan "VLAN_0102" sparse
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "VLAN_0059" sparse
configure pim add vlan "VLAN_1900" sparse
configure pim add vlan "VLAN_1600" sparse
configure pim add vlan "VLAN_2200" sparse
configure pim add vlan "VLAN_1700" sparse
configure pim add vlan "VLAN_1901" sparse
configure pim add vlan "VLAN_1800" sparse
District Office/School 1 – Controlling Bridge 2
configure pim add vlan "VLAN_0109" sparse
configure pim add vlan "lo0" sparse
configure pim add vlan "VLAN_0204" sparse
configure pim add vlan "VLAN_0201" sparse
configure pim add vlan "VLAN_0203" sparse
configure pim add vlan "VLAN_0205" sparse
configure pim add vlan "VLAN_0202" sparse
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "VLAN_0059" sparse
configure pim add vlan "VLAN_1600" sparse
configure pim add vlan "VLAN_2200" sparse
configure pim add vlan "VLAN_1700" sparse
configure pim add vlan "VLAN_1900" sparse
configure pim add vlan "VLAN_1901" sparse
configure pim add vlan "VLAN_1800" sparse
School 2 – Controlling Bridge 1
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "VLAN_0101" sparse
configure pim add vlan "VLAN_0204" sparse
configure pim add vlan "VLAN_1600" sparse
configure pim add vlan "VLAN_1700" sparse
configure pim add vlan "VLAN_1800" sparse
configure pim add vlan "VLAN_1900" sparse
configure pim add vlan "VLAN_2200" sparse
configure pim add vlan "lo0" sparse
enable pim iproute sharing
enable pim
School 2 – Controlling Bridge 2
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "VLAN_0104" sparse
configure pim add vlan "VLAN_0201" sparse
configure pim add vlan "VLAN_1600" sparse
configure pim add vlan "VLAN_1700" sparse
configure pim add vlan "VLAN_1800" sparse
configure pim add vlan "VLAN_1900" sparse
configure pim add vlan "VLAN_2200" sparse
configure pim add vlan "lo0" sparse
enable pim iproute sharing
enable pim
School 3 – Controlling Bridge 1
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "VLAN_0102" sparse
configure pim add vlan "VLAN_0205" sparse
configure pim add vlan "VLAN_1600" sparse
configure pim add vlan "VLAN_1700" sparse
configure pim add vlan "VLAN_1800" sparse
configure pim add vlan "VLAN_1900" sparse
configure pim add vlan "VLAN_2200" sparse
configure pim add vlan "lo0" sparse
enable pim iproute sharing
enable pim
School 3 – Controlling Bridge 2
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "VLAN_0105" sparse
configure pim add vlan "VLAN_0202" sparse
configure pim add vlan "VLAN_1600" sparse
configure pim add vlan "VLAN_1700" sparse
configure pim add vlan "VLAN_1800" sparse
configure pim add vlan "VLAN_1900" sparse
configure pim add vlan "VLAN_2200" sparse
configure pim add vlan "lo0" sparse
enable pim iproute sharing
enable pim
School 4 – ExtremeSwitching Standalone
configure pim add vlan "VLAN_1600" sparse passive
configure pim add vlan "VLAN_2200" sparse passive
configure pim add vlan "VLAN_1700" sparse passive
configure pim add vlan "VLAN_1800" sparse passive
configure pim add vlan "VLAN_1900" sparse passive
configure pim add vlan "VLAN_0060" sparse
configure pim add vlan "lo0" sparse
configure pim add vlan "VLAN_0103" sparse
configure pim add vlan "VLAN_0203" sparse
enable pim
At the prompt, enter show pim (output truncated) and verify:
District Office/School 1– Controlling Bridge 1
1. rifms flags set for all interfaces.
2. All interfaces see a neighbor except the loopback.
3. Loopback interface also has the c flag set.
VPEX x690-DO/SC1-Left.46 # show pim
PIM Enabled, Version 2
…
VLAN        Cid IP Address             Designated Router  Flags         Hello Int  J/P Int  Nbrs
VLAN_0109   1   192.168.109.2   / 24   192.168.109.3      rifms-------  30         60       1
lo0         3   192.168.200.1   / 32   192.168.200.1      rifmsc------  30         60       0
VLAN_0101   5   192.168.101.1   / 30   192.168.101.2      rifms-------  30         60       1
VLAN_0104   8   192.168.101.13  / 30   192.168.101.14     rifms-------  30         60       1
VLAN_0103   7   192.168.101.9   / 30   192.168.101.10     rifms-------  30         60       1
VLAN_0105   9   192.168.101.17  / 30   192.168.101.18     rifms-------  30         60       1
VLAN_0102   6   192.168.101.5   / 30   192.168.101.6      rifms-------  30         60       1
VLAN_0060   2   192.168.60.2    / 24   192.168.60.3       rifms-------  30         60       1
VLAN_0059   4   192.168.59.2    / 24   192.168.59.3       rifms-------  30         60       1
VLAN_1900   13  172.19.128.2    / 27   172.19.128.3       rifms-------  30         60       1
VLAN_1600   10  172.16.0.2      / 24   172.16.0.3         rifms-------  30         60       1
VLAN_2200   15  172.21.0.2      / 22   172.21.0.3         rifms-------  30         60       1
VLAN_1700   11  172.17.0.2      / 22   172.17.0.3         rifms-------  30         60       1
VLAN_1901   14  172.19.0.2      / 19   172.19.0.3         rifms-------  30         60       1
VLAN_1800   12  172.18.0.2      / 19   172.18.0.3         rifms-------  30         60       1
…
Flags : r - Router PIM Enabled, i - Interface PIM Enabled, f - Interface,
Forwarding Enabled, m - Interface Multicast Forwarding Enabled,
s - Sparse mode, d - Dense mode, c - CRP enabled,
t - Trusted Gateway configured, n - Multinetted VLAN,
p - Passive Mode, S - Source Specific Multicast, b - Border.
R - State Refresh Enabled.
…
District Office/School 1– Controlling Bridge 2
VPEX x690-DO/SC1-Right.157 # show pim
PIM Enabled, Version 2
…
VLAN        Cid IP Address             Designated Router  Flags         Hello Int  J/P Int  Nbrs
VLAN_0109   1   192.168.109.3   / 24   192.168.109.3      rifms-------  30         60       1
lo0         3   192.168.200.2   / 32   192.168.200.2      rifmsc------  30         60       0
VLAN_0204   8   192.168.201.13  / 30   192.168.201.14     rifms-------  30         60       1
VLAN_0201   5   192.168.201.1   / 30   192.168.201.2      rifms-------  30         60       1
VLAN_0203   7   192.168.201.9   / 30   192.168.201.10     rifms-------  30         60       1
VLAN_0205   9   192.168.201.17  / 30   192.168.201.18     rifms-------  30         60       1
VLAN_0202   6   192.168.201.5   / 30   192.168.201.6      rifms-------  30         60       1
VLAN_0060   2   192.168.60.3    / 24   192.168.60.3       rifms-------  30         60       1
VLAN_0059   4   192.168.59.3    / 24   192.168.59.3       rifms-------  30         60       1
VLAN_1600   11  172.16.0.3      / 24   172.16.0.3         rifms-------  30         60       1
VLAN_2200   12  172.21.0.3      / 22   172.21.0.3         rifms-------  30         60       1
VLAN_1700   13  172.17.0.3      / 22   172.17.0.3         rifms-------  30         60       1
VLAN_1900   10  172.19.128.3    / 27   172.19.128.3       rifms-------  30         60       1
VLAN_1901   14  172.19.0.3      / 19   172.19.0.3         rifms-------  30         60       1
VLAN_1800   15  172.18.0.3      / 19   172.18.0.3         rifms-------  30         60       1
…
Flags : r - Router PIM Enabled, i - Interface PIM Enabled, f - Interface,
Forwarding Enabled, m - Interface Multicast Forwarding Enabled,
s - Sparse mode, d - Dense mode, c - CRP enabled,
t - Trusted Gateway configured, n - Multinetted VLAN,
p - Passive Mode, S - Source Specific Multicast, b - Border.
R - State Refresh Enabled.
…
The same commands can also be issued at School 2, School 3, and School 4 to verify locally.
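The three verification points listed above (rifms flags on every interface, a neighbor on every non-loopback interface, the c flag on the loopback) can be checked mechanically across all sites. The following Python is an added example, not part of the Validated Design or of ExtremeXOS: it parses the per-VLAN rows of a `show pim` dump in the format shown above and returns one message per failed check. The sample table is constructed; three rows copy the shape of the page's output and two carry deliberate faults (a link with no PIM neighbor, a VLAN whose forwarding flags are missing).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the `show pim` interface table above.
SAMPLE_SHOW_PIM = """\
VLAN        Cid IP Address            Designated Router  Flags         Hello Int  J/P Int  Nbrs
VLAN_0109   1   192.168.109.2  / 24   192.168.109.3      rifms-------  30         60       1
lo0         3   192.168.200.1  / 32   192.168.200.1      rifmsc------  30         60       0
VLAN_0101   5   192.168.101.1  / 30   192.168.101.2      rifms-------  30         60       1
VLAN_1900   13  172.19.128.2   / 27   172.19.128.3       rifms-------  30         60       0
VLAN_0059   4   192.168.59.2   / 24   192.168.59.3       ri--s-------  30         60       1
"""

# One interface row: name, circuit id, address/prefix, DR, flag string, timers, neighbor count.
ROW_RE = re.compile(
    r"^(?P<vlan>\S+)\s+(?P<cid>\d+)\s+(?P<ip>\d+(?:\.\d+){3})\s*/\s*(?P<plen>\d+)\s+"
    r"(?P<dr>\d+(?:\.\d+){3})\s+(?P<flags>[A-Za-z-]+)\s+(?P<hello>\d+)\s+(?P<jp>\d+)\s+(?P<nbrs>\d+)\s*$"
)


@dataclass
class PimInterface:
    vlan: str
    cid: int
    ip: str
    plen: int
    dr: str
    flags: str
    nbrs: int

    @property
    def is_loopback(self) -> bool:
        # The design uses lo0 as the C-BSR/C-RP interface; a /32 is treated the same way.
        return self.vlan == "lo0" or self.plen == 32


def parse_show_pim(text: str) -> List[PimInterface]:
    """Extract the per-VLAN rows from a show pim dump; header and legend lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(PimInterface(m["vlan"], int(m["cid"]), m["ip"], int(m["plen"]),
                                     m["dr"], m["flags"], int(m["nbrs"])))
    return rows


def verify_pim(ifaces: List[PimInterface]) -> List[str]:
    """Apply the three checks the text lists; an empty list means all interfaces pass."""
    problems = []
    for i in ifaces:
        missing = [c for c in "rifms" if c not in i.flags]
        if missing:
            problems.append(f"{i.vlan}: missing flag(s) {''.join(missing)} "
                            "(check enable ipmcforwarding vlan / configure pim add vlan ... sparse)")
        if i.is_loopback:
            if "c" not in i.flags:
                problems.append(f"{i.vlan}: loopback is not a CRP interface (no c flag)")
        elif i.nbrs == 0:
            problems.append(f"{i.vlan}: no PIM neighbor; routed multicast will not cross this link")
    return problems


if __name__ == "__main__":
    for msg in verify_pim(parse_show_pim(SAMPLE_SHOW_PIM)) or ["all checks passed"]:
        print(msg)
```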
Appendix
VPEX (Extended Edge) Automation Highlights:
The VPEX Full Automation flowchart, recovered from the figure as text:
Start
Is the switch VPEX capable? (No: VPEX Full Automation terminates.)
Does a configuration exist? (Yes: VPEX Full Automation terminates.)
Is a BPE connected to the switch? (No, after 4 minutes:)
• Delete VLAN vpexmlag (4089).
• Disable sharing on any ports that were enabled.
• Start VPEX Partial Automation feature.
• VPEX Full Automation terminates.
Is a VPEX enabled neighbor present?
• Enable VPEX mode on switch.
• Reboot switch.
• Create VLAN vpexmlag (4089).
• Convert links on CBs into a LAG.
Configures BPEs:
• CBs discover BPEs via LLDP.
• CB configures BPE model and assigns a slot number.
• CB configures LACP between CB.
• CB enables MLAG ports with port IDs.
• In cascaded topologies LACP is configured between BPEs.
• In MLAG topologies CBs will have matching BPE configurations.
Configures MLAG between the peers:
• 169.254.0.1 is assigned to the MLAG peer with the lowest MAC.
• 169.254.0.2 is assigned to the MLAG peer with the highest MAC.
• Enable the MLAG and wait for peer ‘UP’.
• Start VPEX Partial Automation feature.
• VPEX Full Automation terminates.
End