
Extreme newbie questions...
Sorry, two emails in the space of 10 minutes...

A few questions from an Extreme newbie :)

1) Is there a BCP for configuring Extreme switches to be "secure"? There's a
few different templates out there for Cisco, which I've based my current
config templates on, but I've not yet stumbled on anything for Extreme.
Anyone aware of anything?

2) Is anyone using Rancid to back up configs off Extreme switches? I've tried
with an X460 (running 15.3.1.4), and Rancid keeps reporting lines coming
and going - as if it's not coping with the paging on a "show config". Any
hints for making it work properly before I start hacking at the Rancid code?

3) I'm configuring ACLs for SSH, telnet, etc, using a policy file, and then
"configure ssh2 access-profile mgmt-acl" in the config. This appears to do
what I expect, but I then can't edit the policy without removing it from the
config, and the policy files aren't easy to paste onto the switch when
building a new config. Is there a better way to do this? (Oh, and Rancid
doesn't seem to backup the policy files)

4) Anyone seen this error message before? "<Erro:MPLS.DPM.UNEX> =>
Unexpected malloc failure at exd_new_hist:321"? I'm getting this logged a
lot on an X460 running MPLS, but it doesn't _appear_ to be affecting
anything. I've got an SR open with Extreme TAC about it, but they're being
surprisingly quiet about it.

Thanks in advance, :)

Simon
_______________________________________________
extreme-nsp mailing list
extreme-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/extreme-nsp
Re: Extreme newbie questions...
On Tuesday 06 August 2013 17:24:33 Simon Lockhart wrote:
>
> 3) I'm configuring ACLs for SSH, telnet, etc, using a policy file, and then
> "configure ssh2 access-profile mgmt-acl" in the config. This appears to
> do what I expect, but I then can't edit the policy without removing it from
> the config, and the policy files aren't easy to paste onto the switch when
> building a new config. Is there a better way to do this? (Oh, and Rancid
> doesn't seem to backup the policy files)

# refresh policy <pol>

after you have edited the file should do the trick.

see also the

ExtremeXOS Concepts Guide Software Version 15.3.2

on

http://www.extremenetworks.com/services/software-userguide.aspx

kind regards
Thilo
Re: Extreme newbie questions...
Hi Simon,

[1]
We are using Extreme switches mainly for their layer 2 functionality (EAPS). Quite frankly I don't trust them
as layer III devices. We are using X650s and X460s. I don't have the OSPF problem you are having. It sounds like
it is an MTU issue. There are two ways to set the MTU on these. You can set the MTU on a VLAN for routing and
you can set it on the port.

configure ip-mtu 1500 vlan test

(I use the default 1500 for routing and 9000 for switching)

or

enable jumbo-frame ports all
configure jumbo-frame-size 9000

[2]

I have not set up Rancid on our switches yet, but I do have it set to save the config to a TFTP server every time I log in.
The script checks the logs for authenticated events and uploads configs and policies to the TFTP server. It works!!
At the server I have a script that moves the files from the TFTP directory and sorts them into their own directories.
I included it all here:

# Module ems configuration.
#
# Log filter for successful logins (AAA.authPass); the UPM log target runs the
# Upload_config profile every time that event is logged.
create log filter AAA_Login
configure log filter AAA_Login add events AAA.authPass
create log target upm Upload_config
enable log target upm Upload_config
configure log target upm Upload_config filter AAA_Login severity Info

# Module upm configuration.
#
create upm profile Upload_config
enable cli scripting
# Capture "ls" into CLI.OUT and turn it into a sorted Tcl list of file names.
set var CLI.OUT " "
ls
set var cntrl_cfg 1
set var base_list $TCL(join ${CLI.OUT})
set var base_list $TCL(lsort $base_list)
set var base_list $TCL(split $base_list)
delete var "CLI.OUT"
# Capture "show switch" to build the remote file-name prefix <SysName>_<timestamp>_;
# the SysName is on the second output line, after an 18-character label.
set var CLI.OUT " "
show switch
set var base_list2 $TCL(split ${CLI.OUT} "\n")
set var baseSystemTime $TCL(clock seconds)
set var systemTime $TCL(clock format $baseSystemTime -format {%Y.%m.%d_%H.%M.%S})
#set var systemTime $TCL(clock format $baseSystemTime -format {%m.%d.%Y_%H.%M.%S})
set var systemname $TCL(lindex $base_list2 1)
set var systemname $TCL(string replace $systemname 0 17 {})
delete var "CLI.OUT"
set var filename "$(systemname)_$(systemTime)_"
delete var systemname
delete var systemTime
# Upload every *cfg* file, dropping each one from the list until none are left.
while ($cntrl_cfg == 1) do
set var configcfg $TCL(lsearch -glob $base_list *cfg*)
set var configcfgFile $TCL(lindex $base_list $configcfg)
set var base_list $TCL(lreplace $base_list $configcfg $configcfg deleted)
tftp put 10.252.7.20 vr VR-Mgmt $(configcfgFile) $(filename)$(configcfgFile)
set var cntrl_cfg $TCL(regexp -nocase {cfg} $base_list)
endwhile
# Same again for the *.pol policy files, which "upload config" does not include.
set var CLI.OUT " "
ls
set var base_list $TCL(join ${CLI.OUT})
set var base_list $TCL(lsort $base_list)
set var base_list $TCL(split $base_list)
delete var "CLI.OUT"
set var cntrl_cfg 1
while ($cntrl_cfg == 1) do
set var polcfg $TCL(lsearch -glob $base_list *pol*)
set var polcfgFile $TCL(lindex $base_list $polcfg)
set var base_list $TCL(lreplace $base_list $polcfg $polcfg deleted)
tftp put 10.252.7.20 vr VR-Mgmt $(polcfgFile) $(filename)$(polcfgFile)
set var cntrl_cfg $TCL(regexp -nocase {pol} $base_list)
endwhile
# Finally upload the running configuration as an .xsf script file.
upload config 10.252.7.20 $(filename).xsf VR-Mgmt
delete var base_list
delete var configcfg
delete var configcfgFile
delete var cntrl_cfg
delete var base_list2
delete var filename

.

#

The (.) dot above the # sign is necessary.



Here is the crontab script. It grabs the files from the TFTP directory and moves them to /switchconfigs (creates a folder per device).

perl -e '
  my $src = "/tftpboot"; my $dst = "/switchconfigs";
  # only the switch uploads (*.cfg, *.xsf, *.pol); pxelinux files share the directory
  my @l = `ls -1 $src | grep -E "cfg|xsf|pol" | grep -v pxelinux`;
  foreach (@l) {
    chomp;
    next if !m/^[[:alnum:].-]+_/;   # expect <SysName>_<timestamp>_<file>
    my @f = split(/_/, $_);         # $f[0] is the SysName (explicit list: implicit split to @_ is gone in modern Perl)
    `mkdir -p $dst/$f[0]` if !-d "$dst/$f[0]";
    `mv $src/$_ $dst/$f[0]`;
  }'


[3]

After you modify the policy file you have to check it and refresh it (this is the official way to do it).

(This checks the policy for parsing errors.) Note that there are different types of policies. If your policy is an access-list you need to append the "access-list" parameter at the end.

check policy mgmt-acl access-list
refresh policy mgmt-acl

Be careful when refreshing policies, especially when you have a stack of 4 switches. We've had issues where we refreshed a policy and it took down our six node stack.
The best policy is to modify the policy, check it, then remove it from the profile (or interface) and re-add it.


[4]

I have not seen that error.



Regards,

-LM

Re: Extreme newbie questions...
Hello,

On 08/06/2013 10:06 PM, Luis Mercado wrote:
> Hi Simon,
>
> [1]
> We are using extreme switches mainly for their layer 2 functionality (EAPS) . Quite frankly I don't trust them
> as layer III devices. We are using x650s and x460s. I don't have a ospf problem you are having. It sounds like

Funny enough, we are using many X670/X650 and BD8810/8910/X8 as layer 3
devices with VRRP. We even have BGP on our site routers (pairs of
X650s using MLAG).
Just my two cents.

Cheers,
Bruno.
_____________________________________________________________________
Bruno LEBAYLE - Systems and Communications group
E.S.R.F (European Synchrotron Radiation Facility)
6 rue Jules Horowitz BP220 38043 GRENOBLE CEDEX 9
phone (33)4-7688-2258
fax (33)4-7688-2020
email lebayle@esrf.fr
http://www.esrf.fr
_____________________________________________________________________
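The replies above stop at "check policy" (syntax) and "refresh policy"; neither step tells you whether the management ACL is actually restrictive. As an added example, not code from any poster, this Python lint parses the entry/if/then layout of an EXOS policy file (an assumed, simplified grammar) and flags a permit without a source-address, a permit for 0.0.0.0/0, and a missing final deny:

```python
# Added example, not code from anyone in the thread: "check policy" only catches
# syntax errors, so this lints the logic of a management-ACL policy before it is
# pushed. It assumes the usual EXOS layout:
#   entry NAME { if match all { source-address A.B.C.D/N; } then { permit; } }
import ipaddress
import re

# One entry: name, optional "match all|any" block, and the "then" block.
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s*(?:match\s+(?:all|any))?\s*\{"
    r"(?P<match>.*?)\}\s*then\s*\{(?P<then>.*?)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Return [(entry_name, {match_keyword: value}, [actions]), ...]."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        match = {}
        for stmt in m.group("match").split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, val = stmt.partition(" ")
                match[key] = val.strip()
        actions = [a.strip() for a in m.group("then").split(";") if a.strip()]
        entries.append((m.group("name"), match, actions))
    return entries


def lint_mgmt_acl(text):
    """Return a list of findings; an empty list means the ACL looks sane."""
    findings = []
    entries = parse_policy(text)
    if not entries:
        return ["no policy entries parsed"]
    for name, match, actions in entries:
        if "permit" not in actions:
            continue
        src = match.get("source-address")
        if src is None:
            findings.append(f"{name}: permit without source-address")
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(f"{name}: unparsable source-address {src}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: permits any source")
    # An explicit final deny avoids relying on the implicit default action.
    last_name, _, last_actions = entries[-1]
    if "deny" not in last_actions:
        findings.append(f"{last_name}: last entry is not an explicit deny")
    return findings


# Constructed sample policies (192.0.2.0/24 is a documentation prefix).
GOOD_POLICY = """
entry allow-noc { if match all { source-address 192.0.2.0/24; } then { permit; } }
entry deny-all { if { } then { deny; } }
"""
BAD_POLICY = """
entry allow-any { if match all { source-address 0.0.0.0/0; } then { permit; } }
entry no-source { if match all { protocol tcp; } then { permit; } }
"""
```

Run lint_mgmt_acl() on the file before "tftp get" and "check policy"; an empty result for GOOD_POLICY and three findings for BAD_POLICY show the difference between a parseable policy and a safe one.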
Re: Extreme newbie questions...
We have quite some x480's and some bd8900-xl's that we use, with ospf, ospfv3 and full bgp for ipv4 and ipv6.

Erik Bais

Sent from my iPad

Re: Extreme newbie questions...
Hello Simon,

On 08/06/2013 06:24 PM, Simon Lockhart wrote:
> Sorry, two emails in the space of 10 minutes...
>
> A few questions from an Extreme newbie :)
>
> 1) Is there a BCP for configuring Extreme switches to be "secure"? There's a
> few different templates out there for Cisco, which I've based my current
> config templates on, but I've not yet stumbled on anything for Extreme.
> Anyone aware of anything?

The VR-Mgmt and a separate out-of-band network where all the management
ports are connected is pretty secure. When you couple this with an
access-list for the ssh access, this seems sufficient in my view.

> 2) Is anyone using Rancid to backup configs off Extreme switches? I've tried
> with an X460 (running 15.3.1.4), and Rancid keeps reporting lines coming
> and going - as if it's not coping with the paging on a "show config". Any
> hints for making it work properly before I start hacking at the Rancid code?

We are using Ridgeline (previously EPICenter) management software which
comes with automatic TFTP of configs. We are also using "expect"
scripts for various needs, and we could have used them for this purpose
as well.

> 3) I'm configuring ACLs for SSH, telnet, etc, using a policy file, and then
> "configure ssh2 access-profile mgmt-acl" in the config. This appears to do
> what I expect, but I then can't edit the policy without removing it from the
> config, and the policy files aren't easy to paste onto the switch when
> building a new config. Is there a better way to do this? (Oh, and Rancid
> doesn't seem to backup the policy files)

By principle, all policies are on our central servers (easier to grep,
copy and so on). They are downloaded to the switches using TFTP, so we
don't care about saving the policies on the switch itself.
Ridgeline allows running commands on sites of switches, which is quite
convenient for spreading policies.
Once downloaded using TFTP, a check is recommended, then a refresh to
apply the policy in the ports' hardware.

> 4) Anyone seen this error message before? "<Erro:MPLS.DPM.UNEX> =>
> Unexpected malloc failure at exd_new_hist:321"? I'm getting this logged a
> lot on an X460 running MPLS, but it doesn't _appear_ to be affecting
> anything. I've got an SR open with Extreme TAC about it, but they're being
> surprisingly quiet about it.

Sorry, we don't use MPLS.

Cheers,
Bruno.
Re: Extreme newbie questions...
Oh, we are also running OSPFv3 for some clients. My issue is not with dynamic routing.
My issue is filtering on these. It's a hack job essentially. There are no built-in functions
that handle established/related (TCP/UDP) between VLANs, so you have to filter based on
SYN flags and allow 1023 or greater for UDP.


There is no concept of object-group like in Cisco or Juniper. This means what you can accomplish
with two object groups and a single-line ACL on a Cisco or Juniper device would take 50 or 60 lines
in an Extreme switch policy file. Their filtering is terrible. It's a throwback to the 90s.

We built policy files for a client with 20 VLANs on a six node stack (X460s). The filtering is granular,
host to host / layer 4. After we modify a policy we can't use the refresh feature because there is a risk
that the recompiling takes down the switch. (In our case it took down our switch.) This is a bug that
is affecting 15.1.2.12 and lower versions. The fix is a patch that requires taking down the entire stack,
which means a complete outage.

We do NFS ESX mounts through these switches, which means we have to shut down 100s of VMs prior to and
after the maintenance upgrade.

Per Extreme Networks the refresh feature is not worth it when you have a stack of more than 4 nodes.
The best approach is to remove the policy from the interface after you modify the file and reattach it to
the interface after bootup is completed.

Extreme Networks has seen cases where it takes a 6 node stack 4 hours to come up after reboot because of the
filtering issue. Part of the bootup process is to parse/compile all policies across all slots etc. The fix for that is to remove all
filters from VLAN interfaces prior to the reload. Do the reload and reattach the policies to the interfaces after the
reload. What a mess..


My two cents..


-LM


Re: Extreme newbie questions...
On 08/07/2013 07:26 PM, Luis Mercado wrote:
> Oh, we are also running OSPFv3 for some clients. My issue is not with dynamic routing.
> My issue is filtering on these. It's a hack job essentially. There are no built-in functions
> that handle established/related (TCP/UDP) between VLANs, so you have to filter based on
> SYN flags and allow 1023 or greater for UDP.
>
>
> There is no concept of object-group like in Cisco or Juniper. This means what you can accomplish
> with two object groups and a single-line ACL on a Cisco or Juniper device would take 50 or 60 lines
> in an Extreme switch policy file. Their filtering is terrible. It's a throwback to the 90s.

Remember that Extreme policies are downloaded to FPGA chips, so programs
have to remain simple. This guarantees wire-speed filtering even at
10Gbps. Of course, you cannot build a firewall on these; we are using
Checkpoint and SPLAT (Linux Dell) where intense filtering is needed.
In the 90s, I remember struggling with the Cisco 5500 that got stuck each
time filtering took place, because the poor CPU of the Supervisor module
was clogged, so there is some progress after all. I guess the situation
will finally become perfect with a powerful CPU per physical port ...
By the way, we also use Clearflow for detecting specific traffic
patterns, and this is clearly an asset for us.

> We built policy files for a client with 20 VLANs on a six node stack (X460s). The filtering is granular,
> host to host / layer 4. After we modify a policy we can't use the refresh feature because there is a risk
> that the recompiling takes down the switch. (In our case it took down our switch.) This is a bug that
> is affecting 15.1.2.12 and lower versions. The fix is a patch that requires taking down the entire stack,
> which means a complete outage.

We have stopped using large stacks (two switches maximum, above this
number we use a chassis) because it's far from perfect in terms of
availability, whatever the manufacturer. Stacks apply to office areas,
but not to data centers in our view. All our core chassis have 2 MSMs,
and all of them are now coupled using MLAG, this is why software
upgrades are not a problem anymore.

Cheers,
Bruno.

--
Bruno LEBAYLE.