Copyright 2001-2013 Extreme Networks
AccessAdapt, Alpine, Altitude, BlackDiamond, Direct Attach, EPICenter, ExtremeWorks Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ExtremeXOS ScreenPlay, ReachNXT, Ridgeline, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries. sFlow is the property of InMon Corporation. iBooks is property of Apple, Inc. Specifications are subject to change without notice. All other registered trademarks, trademarks, and service marks are property of their respective owners. For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/about-extreme/trademarks.aspx.
120854-00 Rev 1
Table of Contents
Preface
Introduction
Overview
Viewing Policy Details
Creating New Policies
Creating Categories for Policies
Creating and Managing Roles
The Cleared Alarms and Events Tab
Defining Alarms
Defining Alarm Profiles
Preface
This preface provides an overview of this guide, describes guide conventions, and lists other useful publications.
Introduction
This guide provides the required information to use the Ridgeline software. It is intended for use by network managers who are responsible for monitoring and managing Local Area Networks and assumes a basic working knowledge of:
- Local Area Networks (LANs)
- Ethernet concepts
- Ethernet switching and bridging concepts
- Routing concepts
- The Simple Network Management Protocol (SNMP)
Note: If the information in the Release Notes shipped with your software differs from the information in this guide, follow the Release Notes.
Extreme Networks Ridgeline is a powerful yet easy-to-use program that facilitates the management of a network of Summit and BlackDiamond switches, as well as selected third-party switches. Ridgeline makes it easy to perform configuration and status monitoring and to create virtual LANs (VLANs) in enterprise LANs with Extreme Networks switches. Ridgeline offers a comprehensive set of network management tools that are easy to use from a client workstation configured with a web browser and the Java plug-in. Ridgeline leverages the three-tier client/server architecture framework represented by Java applets. The Ridgeline application and database support Microsoft Windows and Red Hat Enterprise Linux.
Terminology
When features, functionality, or operation is specific to the Summit or BlackDiamond switch family, the family name is used. Explanations about features and operations that are the same across all Extreme switch product families simply refer to the product as the Extreme Networks device or Extreme Networks switch. Explanations about features that are the same for all devices managed by Ridgeline (both Extreme devices and others) simply refer to them as devices.
Note: Ridgeline does not provide multi-language support.
Conventions
The following tables list text conventions that are used throughout this guide.
Table 1: Notice Icons
Icon / Notice Type / Alerts you to...
Note: Important features or instructions.
Caution
Warning
Screen displays
Menu > Submenu > Command: To access a command available through a submenu of a menu, the menu, submenu, and command are separated by ">".
[Ctrl] + [Alt]: If you must press two or more keys simultaneously, the key names are separated by a plus sign (+).
[Ctrl], [Alt]: If you must press, and then release a key, and then press another key, the key names are separated by a comma (,).
Bold text indicates controls on the Ridgeline program (for example, buttons, menu items, tabs, and windows). Italics emphasize a point or denote new terms at the place where they are defined in the text.
Related Publications
The Ridgeline documentation set includes the following:
- Ridgeline Reference Guide (this guide)
- Ridgeline Installation and Upgrade Guide
- Ridgeline Release Notes
The Ridgeline Reference Guide, Ridgeline Installation and Upgrade Guide, and Release Notes are in the Ridgeline 4.0\jboss\standalone\deployments\extreme.war\helptext\docs directory in Adobe Acrobat PDF format. You must have Adobe Acrobat Reader version 5.0 or later (available free from www.adobe.com) to view the PDF versions of these manuals. The Ridgeline software also includes context-sensitive online help, available from the Help menu and Help buttons in the Ridgeline program.
Other manuals that are useful are:
- ExtremeWare Software User Guide
- ExtremeWare Command Reference Guide
- ExtremeXOS Concepts Guide
- ExtremeXOS Command Reference Guide
For documentation on Extreme Networks products, and for general information about Extreme Networks, see the Extreme Networks website: www.extremenetworks.com.
Customers with a support contract can access the Technical Support pages at: www.extremenetworks.com/services/eSupport.asp. The technical support pages provide the latest information on Extreme Networks software products, including the latest Release Notes, information on known problems, downloadable updates or patches as appropriate, and other useful information and resources. Customers without contracts can access manuals at: www.extremenetworks.com/services/documentation/.
Providing Feedback to Us
We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:
- Content errors or confusing or conflicting information.
- Ideas for improvements to our documentation so you can find the information you need faster.
- Broken links or usability issues.
If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online Feedback form. You can also email us directly at internalinfodev@extremenetworks.com.
Figure 1: Ridgeline Home Page
The Ridgeline home page displays the version of the software you are running and includes a link that allows you to see the latest software and BootROM images available. A number of dashboard reports appear on the home page, including a Network Status Summary Report and a Device Status Summary report. You can select which reports and graphs appear on the Ridgeline home page, allowing you to create a convenient, at-a-glance view of data relevant to your network (see Modifying the Contents of the Ridgeline Home Page).
The dashboard reports available on the Ridgeline home page can also be accessed from the Reports application. For more information, see Reports Overview.
Figure 2: Dashboard Palette on the Ridgeline Home Page
3 In the dashboard palette, select the dashboard report you want to add, and then drag it to the desired empty area of the Ridgeline home page.
4 After you have finished adding dashboard reports to the Ridgeline home page, click View > Customize home page to hide the dashboard palette.
To remove a dashboard report from the Ridgeline home page, click the X in the upper right corner of the dashboard report that you want to remove. The dashboard report is removed from the display.
To move a dashboard report to a different location in the display, select and then drag the title bar of the dashboard report to the desired location.
Figure 3: Components of the Ridgeline User Interface (Main View Window)
The main components of the Ridgeline user interface are:
1 Menu bar: Shows the available commands in Ridgeline. The commands shown on the menu bar change based on the Ridgeline component that you have selected in the navigation pane.
2 Tabs: When you click many Ridgeline components, a series of tabs appear, grouping together subfeatures of that component. For example, the Main View component, which shows all devices in your inventory, has tabs for Devices, Links, MLAG, EAPS, and VLANs.
The Ridgeline ribbon displays various controls (buttons, drop-down menus, search box) to perform pertinent functions for the selected Ridgeline component.
For a selected device group, the graphical representation of the devices and links in the group. For more information about the map view, see Displaying the Network Device Inventory.
5 Devices table: Table of information about the devices in the selected devices group. Selecting a device in the devices table displays detailed information about the selected device in the device details pane (see below). For more information about the devices table, see Displaying the Network Device Inventory.
Detailed information about the device selected in the devices table. For more information about the devices details pane, see Displaying Device Details.
7 Alarms dashboard: For more information about alarms, see Overview of the Ridgeline Alarm Manager on page 237.
8 Navigation Pane: Hierarchical view of the Ridgeline components and device/port group folders. For more information about the Ridgeline home page, see The Ridgeline Home Page on page 11. For more information about device/port groups, see Overview of Device Groups and Port Groups on page 60.
9 Ridgeline components: Major Ridgeline features. Ridgeline has seven main component groups: Home, Identity Views, Device Configuration, Network Configuration, Alarms and Events, Administration, and Reports. For more information about the Ridgeline home page, see The Ridgeline Home Page on page 11.
Docked window: click the Ridgeline component name in the navigation pane (for example, Main View, Policies, Alarm Manager, etc.). The component appears docked in the main window.
Floating window: place the cursor over the Ridgeline component name in the navigation pane, and then click next to the component name. The component appears as a floating window.
2 Click in the upper right corner of the details window. The floating window is docked on the right side of the main window (see the following figure). If you have multiple detail windows docked, they appear as tabs on the lower right area of the main window.
Figure 4: Docked Detail Window
1 Docked detail window
2 Docked detail window tabs
3 To further minimize the detail window into an icon, click on the upper right of the window. The detail window appears as an icon in the upper right area of the main window (see the following figure).
To redisplay a detail window as a floating window again, click .
To remove the detail window, click .
- Sort the rows in a table
- Modify the column sizes
- Move columns around in a table
- Remove columns from a table
Removing Columns
To remove a column:
1 Click the icon in the upper right corner of the table. The Choose Columns to Display dialog box appears (see the following figure).
Figure 6: Selecting Columns to Display in a Table
2 Clear the check box(es) of the column(s) that you want to remove from the table, and then click OK. Columns that cannot be removed from the table are unavailable.
Any Ridgeline user with read-only access to this feature can view status information about the network devices currently known to Ridgeline. If you have super-user, administrator, or manager role access (or other roles with write access to this feature), you can add or delete devices from the managed devices in the database. You can also refresh the information in the database for the devices in the Ridgeline inventory manager.
Device Groups
For effective management, you group devices in Ridgeline into one or more device groups. An individual device can belong to multiple device groups. A device group is a set of network devices that have something in common, and that can be managed as a group. For example, devices might be grouped by physical location (building 1, building 2, first floor, second floor) or by functional grouping (engineering, marketing, finance) or by any other criteria that make sense within the managed network environment. When devices are discovered, either automatically or manually, they are added by default to the Main View. You can then move discovered devices to groups, as appropriate. For more information about device groups, see Organizing Devices and Ports Into Groups.
Figure 7: Network Device Inventory
Note: You must add network devices to the database using the Discover Device or Add Devices commands to make them known to Ridgeline. Until this is done, no devices appear in Ridgeline.
By default Ridgeline has only one device group, Main View. You cannot delete or change the name of the Main View device group. The device table appears by default. Click Map to enable the map view. When the map view is enabled, the button is shaded:
To hide the map, click the Map button, so that it is not shaded. To maximize the size of the map (and hide the device table), click the right arrow in the area between the map and device table panes.
To increase/decrease the map size, place the cursor over the two arrows pointing in opposite directions between the map and device table panes until the cursor becomes a double-sided arrow, and then click and drag the table to make as much room as desired to display the map.
A red slash through a device indicates that the device is not reachable through SNMP.
A device shown in grey indicates the device is no longer being managed. Ridgeline does not attempt to communicate with a device in the unmanaged state, nor does it accept traps or syslog messages for the device.
If unacknowledged alarms exist for the device, the alarm status is indicated by a small colored alarm on the device icon in the table. You can investigate these through the Alarm Manager (see The Ridgeline Alarm Manager).
The icon indicates a stacked device.
Disabling alarm propagation for a device means that the device's alarm status is not factored into the alarm status for the device group. This lets you base alarm propagation at the device group level on a subset of critical devices while ignoring less critical devices. Devices with alarm propagation disabled show an X through the alarm icon. However, the color of the alarm icon still indicates the correct alarm status for the alarm. You can also disable alarm propagation for the device group, which results in an X over the alarm icon (select the device group, right-click, and then select Alarm Propagation > Off). However, because there is no higher level for alarm status propagation, this has no real meaning. The color of the alarm icon still reflects the worst alarm status of those devices within the device group that have alarm propagation enabled.
Name: The name of the device.
IP Address: The IP address of the device.
MAC Address: The device MAC address, if applicable.
Software Version: The firmware version running on the device.
SNMP version: The SNMP version (version 1, 2, or 3) used on the device.
Log On Username: The device logon name.
SSH: The setting for SSH2: Enabled or disabled.
Forwarding-Database Polling: The setting for FDB polling: Enabled or disabled.
Device Manager Protocol: The protocol used to get access to a non-Ridgeline device manager on the device (HTTP or HTTPS). To use the browser-based management interface provided by the selected device, on the main menu, click Device > Manager (HTML).
Member Of: The groups and subgroups that the device is a member of.
ReachNXT Devices: The number of Extreme ReachNXT 100-8t switches connected to the device.
Last Updated: When the device information was last updated from the switch.
Status: The operational status of the device: SNMP Reachable, SNMP Unreachable, or Unmanaged.
Type: The device type (for example, Summit 400-48t).
Worst Alarm: The priority of the highest unacknowledged alarm currently on the device.
Alarm Propagation: Whether alarm propagation is on or off for the device.
User Monitoring: Whether or not user monitoring is enabled for the device.
VM Monitoring: Whether or not VM monitoring is enabled for the device.
An icon showing a circle and two lines indicates a shared link:
- Green indicates the link is up.
- Greyed-out green indicates the last-known status of the link was up.
- Red indicates the link is down.
- Greyed-out red indicates the last known state was down.
- Yellow indicates that some ports on this link are up and some are down.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.
Type: The link type; for example, user-created.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Device Status: The current status of the device on the A side of the link.
Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
- A green line indicates that the link is up.
- A red line indicates that the link is down.
- A yellow line for a bundled link indicates that some links are down and some are up.
- A grey line indicates that the link status is unknown.
- A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.

An icon showing a circle and two lines indicates a shared link:
- Green indicates the link is up.
- Greyed-out green indicates the last-known status of the link was up.
- Red indicates the link is down.
- Greyed-out red indicates the last known state was down.
- Yellow indicates that some ports on this link are up and that some are down.
Share Details: Information about the port sharing configuration for the port, if applicable.
Device Status: The current status of the device on the B side of the link.
Link State: Whether the B side of the link is ready to exchange traffic with the A side of the link.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
- A green line indicates that the link is up.
- A red line indicates that the link is down.
- A yellow line for a bundled link indicates that some links are down and some are up.
- A grey line indicates that the link status is unknown.
- A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.

An icon showing a circle and two lines indicates a shared link:
- Green indicates the link is up.
- Greyed-out green indicates the last-known status of the link was up.
- Red indicates the link is down.
- Greyed-out red indicates the last known state was down.
- Yellow indicates that some ports on this link are up and some are down.
Share Details: Information about the port sharing configuration for the port, if applicable.
Type: The link type; for example, user-created, physical link, shared physical link.
Name: The device name.
The following tabs are available:
- Ports
- Links
- MLAG
- Policies
- VLANs
- VLAN Ports
- EAPS Domains
- EAPS Shared Ports
- EAPS Domain Ports
- EAPS Settings
Ports Tab
The Ports tab displays information about the device's ports:
Port Number: The device port number.
Name: Port name.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Type: Port type; for example, Gigabit, Management, 10/100.
Port Status: Whether the port is enabled or disabled.
Link State: Whether the port is ready to exchange traffic with the port on the other side of the link (ready).
Links Tab
The Links tab displays information about links the selected device has to other devices.
A Device: The name of the device on one end of the link (the A side), along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The port number on the A side of the link.
Share Details: Information about the port sharing configuration for the port, if applicable.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
- A green line indicates that the link is up.
- A red line indicates that the link is down.
- A yellow line for a bundled link indicates that some links are down and some are up.
- A grey line indicates that the link status is unknown.
- A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
An icon showing a circle and two lines indicates a shared link:
- Green indicates the link is up.
- Greyed-out green indicates the last-known status of the link was up.
- Red line indicates the link is down.
- Greyed-out red indicates the last known state was down.
- Yellow indicates that some ports on this link are up and that some are down.
B Device: The name of the device on the other end of the link (the B side), along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.
Type: The link type; for example, user-created, physical link, shared physical link.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Device Status: The current status of the device on the A side of the link.
Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
Name: The device name.
Shared Details: Information about the port sharing configuration for the port, if applicable.
MLAG Tab
The MLAG (multi-system link aggregation) tab displays the following information:
Status: MLAG overall status.
MLAG ID: MLAG ID.
ISC VLAN Tag: Inter-switch connection VLAN tag.
A Name: Name of MLAG peer A switch.
A IP Address: IP address of MLAG peer A switch.
B Name: Name of MLAG peer B switch.
B IP Address: IP address of MLAG peer B switch.
Policies Tab
The Policies tab displays the policies that have been set up:
Used For: Role or virtual machine.
Name: Name of role/virtual machine to which this policy is attached.
Policy Name: Policy name.
Policy Direction: The direction of the traffic that the policy applies to (ingress or egress).
Port Number: The device port number.
Port Name: The port name.
VLANs Tab
The VLANs tab displays the following information about VLANs the device is part of:
VLAN Tag: The VLAN tag value (if any) or Untagged, along with an icon indicating whether this is a VLAN or VMAN.
- Indicates this is a VLAN
- Indicates this is an EAPS-protected VLAN
- Indicates this is a VMAN
- Indicates this is an EAPS-protected VMAN
VLAN Name: The VLAN name. For VLANs with identical values for Tag and Protocol, but different values for Name, this refers to the same VLAN. In such cases, the multiple names appear, separated by a comma.
Network Name: The network name category (if any) that this VLAN belongs to. For more information, see Categorizing VLANs With Network Names.
Protocol Name: The protocol filter(s) configured for the VLAN.
QOS Profile Name: QoS profile name configured for the VLAN on the device, if any.
IP Forwarding Enabled: Whether IP forwarding is enabled for the VLAN.
VLAN IP Address: The IP address of the VLAN.
VLAN IP Mask: The subnet mask of the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.
Type: The VLAN type, either VLAN or VMAN.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Admin Status: The administrative state of the VLAN, either Enabled, Disabled, or Unknown. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.
VLAN Ports
The VLAN Ports tab displays the following information:
Port Number Name Tagged Media Type Actual Speed Actual Duplex Configured Speed Configured Duplex State Port number. If the device is a chassis device, then the port number is displayed in slot:port format. The name of the port, if assigned. Whether or not the port belongs to a tagged VLAN. Whether the port is tagged. Port type; for example, Gigabit, Management, 10/100. Speed of the port; Auto if the speed is auto-negotiated. Duplex of the port, either full or half. The configured speed of the port. The configured duplex setting of the port. Whether the port is enabled or disabled.
Domain-Node Name Domain Status Device Mode Primary Port Secondary Port
The lower section of the EAPS Domains tab window has two additional tabs:
- Details Of Device in Domain Tab
- Protected VLANs Tab
Details Of Device in Domain Tab
The Details Of Device in Domain tab displays the following information:
Domain Node Name: The name of the node given to the device as a member of a domain.
Enabled: Whether this specific node is enabled as an EAPS node.
Control VLAN Name: Name of the control VLAN.
Control VLAN Tag: VLAN tag (ID) of the EAPS control VLAN.
Control VLAN Network: The network name of the control VLAN, if one is configured.
Protected VLANs Tab
The Protected VLANs tab displays the following information:
Tag: The ID of the protected VLAN.
VLAN Name: The name of the protected VLAN.
The lower section of the EAPS Shared Ports tab contains the following information:
Name: Name of the EAPS domain that includes the shared port.
Domain Status: Current status of the EAPS domain.
Other Ports In Domain: The other port (besides the shared port) configured in the pair for this EAPS domain.
The lower section of the EAPS Domain Ports tab window contains the following information:
Status Of Port In Domain: Status of the domain port in the EAPS domain. This can be Up, Down, Blocked, or Unknown.
Domain Name: The domain node name given to the device as a member of an EAPS domain.
Domain Status: Status of the node: Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Device Mode: Whether the node acts as a master or transit node for this domain.
Primary Port: Primary port number.
Secondary Port: Secondary port number.
PBB Tab
The PBB tab displays information about PBB components (ISIDs, BVLANs, SVLANs, and CVLANs) that are configured on the device.
Type: The type of component in the PBB network, along with an icon indicating the PBB component type. In the Map View, the icons indicate the component is configured on the highlighted device. The icon can be one of the following:
- Extended Service ID (ISID)
- Backbone VLAN (BVLAN)
- Protected BVLAN; that is, a BVLAN protected by an EAPS ring
- Customer VLAN (CVLAN)
- Subscriber VLAN (SVLAN)
The configured tag value for the BVLAN/CVLAN/SVLAN; N/A for ISIDs.
The tag value of the ISID that the PBB is associated with or bound to.
The name of the BVLAN/CVLAN/SVLAN or ISID.
The network name category (if any) that this BVLAN/CVLAN/SVLAN belongs to. You can assign a network name to a BVLAN. When a network name is assigned to a BVLAN, the SVLANs and CVLANs associated with the BVLAN are automatically assigned the same network name. See Categorizing VLANs With Network Names for more information.
Last Updated: When the device information was last updated from the switch.
VLANs Tab
The VLANs tab contains information about the VLANs configured on the device.
VLAN Tag: The VLAN tag value (if any) or Untagged, along with an icon indicating whether this is a VLAN or VMAN:
- VLAN
- EAPS-protected VLAN
- VMAN
- EAPS-protected VMAN
Name: The VLAN name. For VLANs with identical values for VLAN Tag and Protocol Filter, but different values for Name, this refers to the same VLAN. In such cases, the multiple names appear, separated by a comma.
The network name category (if any) that this VLAN belongs to. See Categorizing VLANs With Network Names for more information.
VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. See Viewing VLAN Services Information for more information.
The protocol filter(s) configured for the VLAN.
Whether IP forwarding is enabled for the VLAN.
Date and time that the information about the VLAN was last retrieved from the Ridgeline database.
Network Service
The actor that made the last change to the VLAN, either the Ridgeline (System) or a user.
The VLAN type, either VLAN or VMAN.
Selecting a VLAN in the table shows information about the following on separate tabs in the lower pane:
- Devices tab
- Ports tab
- Layer 3 Settings tab
- Links tab
- VPLS tab
Devices Tab
The Devices tab under the VLAN tab shows the following information:
Device Name: The name of the device in the VLAN.
IP Address: IP address of the device in the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
QOS Profile Name: QoS profile name configured for the VLAN on the device, if any.
Control VLAN: Whether or not this is a control VLAN.
Protected VLAN: Whether or not this is a protected VLAN.
Domain Name Set: EAPS domains to which the VLANs on the device belong.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Software Version: Version of the software running on the device.
SNMP Version: SNMP version (1, 2, 2C, 3).
Log On Username: The device logon name.
Forwarding-database Polling: Whether or not FDB polling is enabled.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Device Type: The device type (for example, Summit 400-48t).
Admin Status: The administrative state of the VLAN, either Enabled, Disabled, or Unknown. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.
Ports Tab
The Ports tab under the VLAN tab shows the following information:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if assigned.
Tagged: Whether the port is tagged.
Media: The port media, if applicable.
Type: Port type; for example, Gigabit, Management, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: Whether the port is enabled or disabled.
Links Tab
The Links tab under the VLAN tab shows the following information:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Share Details: Information about the port sharing configuration for the port, if applicable.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
- A green line indicates that the link is up.
- A red line indicates that the link is down.
- A yellow line for a bundled link indicates that some links are down and some are up.
- A grey line indicates that the link status is unknown.
- A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
34
B Device B IP Address
The name of the device on the other end (the B side) of the link, along with an icon indicating the device status. The IP address of the device on the B side of the link. An icon showing a circle and two lines indicates a shared link: Green indicates the link is up. Greyed-out green indicates the last-known status of the link was up. Red indicates the link is down. Greyed-out red indicates the last known state was down. Yellow indicates that some ports on this link are up and some are down. The number of the port on the B side of the link. The device name. The protocol used to discover the link, either EDP or LLDP. The name of the port on the A side of the link, along with an icon indicating the port status. The name of the port on the B side of the link, along with an icon indicating the port status. The current status of the device on the A side of the link. Whether the A side of the link is ready to exchange traffic with the B side of the link. The link type (for example, user-created, physical link, shared physical link).
B Port Number/Annotation Name Discovery Protocol A Port Name B Port Name Device Status Link State Type
VPLS Tab
The VPLS tab displays information about the VPLS domains the device belongs to.
VPN ID: ID of the VPN.
Service Type: The service type configured for the VPLS domain: ethernet.
Last Refreshed: Date and time when the VPLS information was last updated.
Current connection state of the link; for example, active. Information about the port sharing configuration for the port, if applicable.
If you select the Show VLANs check box, the VLANs configured for the ports that make up the link appear in the table:
VLAN Tag: The VLAN tag value (if any) or Untagged, along with an icon indicating whether this is a VLAN or VMAN:
  VLAN
  EAPS-protected VLAN
  VMAN
  EAPS-protected VMAN
VLAN Name: The VLAN name. For VLANs with identical values for VLAN Tag and Protocol Name, but different values for VLAN Name, this refers to the same VLAN. In such cases, the multiple names appear, separated by a comma.
Network Name: The network name category (if any) that this VLAN belongs to. See Categorizing VLANs With Network Names for more information.
Protocol Name: The protocol filter(s) configured for the VLAN.
QoS Profile Name: QoS profile name configured for the VLAN on the device, if any.
IP Forwarding Enabled: Whether IP forwarding is enabled for the VLAN.
VLAN IP Address: IP address for the VLAN.
VLAN IP Mask: IP mask for the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
Type: The VLAN type, either VLAN or VMAN.
VLAN Services: LAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Admin Status: The administrative state of the VLAN, either Enabled or Disabled. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
Figure 14: Port Properties Dialog Box
The Port Properties dialog box shows the following information:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Port Name: Port name, if configured.
Media: The media for a redundant port (Primary or Redundant).
Configured Type: Port type; for example, Gigabit, Management, 10/100.
Link State: Whether the port is ready to exchange traffic with the port on the other side of the link.
Port Status: Whether the port is enabled or disabled.
Actual Speed: Speed of the port; auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either Full or Half.
Load Sharing: The load sharing state of the port (on or off).
FDB Polling Status: Whether the port is being polled: Actively Polled (Edge Port) or Not Polled (Inactive Port).
This display shows additional information that Ridgeline has gathered from the switch agent.
1 Device Information, Slot Information, Fan And Power Supply Status, and Port Information tabs (tabs only appear if the relevant area of the device is clicked)
2 Slots
3 Fans and power supplies
4 Ports
Figure 15: Device Panel (Inventory) Dialog Box
You can click the slots, ports, power supplies, and fans on the device image to see information displayed about each selected item in the lower pane in the Device Information and Slot Information tabs (for slots and ports), Port Information tab (for ports), or the Fan and Power Supply Status tab (for power supplies and fans).
You can also add additional information about the device in the Additional Info box on the Device Information tab. Type whatever additional information you want to include, and then click Save.
Device Properties
You can view the properties of a device in the Ridgeline inventory database.
To display the Device Properties window:
1 In the navigation pane, click Main View or the desired device group.
2 Select the check box in the row of the desired device in the devices table.
3 Click Properties. The Device Properties window appears.
Figure 16: Device Properties Window
The Device Properties window displays a set of tabs at the top of the window, depending on the type and configuration of the device. The following tabs may appear:
  Properties
  Syslog Messages
  Network Clients
The table presents the values of various attributes of the device. These vary depending on the type of device and the features it supports.
Time: The time that the message was received.
Severity: The severity level of the message. Severity levels include the following:
Syslog messages are stored along with traps in the event log. The Ridgeline server keeps a minimum of 10 days of event history. The event log can be a maximum of 30 MB per file and uses two rotating archive files. To retain historical event log records, periodically back up the event log.
Authentication Type: The logon type, either network logon or 802.1x.
VLAN Name: The VLAN to which the port belongs.
Port Properties
The Port Properties window shows several tabs of information about a selected port (see the figure below).
To display port properties:
1 In the navigation pane, click Main View or the desired group.
2 Double-click a desired device in the devices table. The Device Properties window appears.
3 Click the Ports tab.
4 Select a port in the list, and then click Port Properties. The Port Properties dialog box appears.
Figure 17: Port Properties Window
The Port Properties dialog box may have up to three tabs:
  (Port) Properties
  Operational FDB
  Network Clients
Port: The port where the MAC address was discovered.
MAC Address: The MAC address that defines the entry.
IP Address(es): IP addresses detected for the MAC address.
Dynamic: A green check appears if the entry is dynamic; a red "X" appears if it is not.
Static: A green check appears if there is a static entry for the MAC in the permanent FDB; a red "X" appears if there is not.
Permanent: A green check appears if the entry is permanent; a red "X" appears if it is not.
Forwarding Type: The forwarding type: MAC, IP, IPX, MAC/IP, MAC/IPX, or unknown.
Discovered: The date and time at which Ridgeline learned the MAC address.
Select an entry in the table to display additional information about the FDB entry at the bottom of the dialog box:
Port: The port on which the MAC address was learned.
MAC Address: The MAC address that defines the entry.
Locked Down: Whether the MAC is locked to this port due to a learning limit (Yes/No).
Secure: Whether the MAC is locked to this port due to a permanent secure entry (Yes/No).
Blackhole Type: Blackhole type (None, Ingress, Egress, both).
Mirrored: Whether the MAC is mirrored (Yes/No).
Questionable: Whether the MAC is questionable (Yes/No).
Remapped: Whether the MAC has been remapped (Yes/No).
Translated: Whether the MAC has been translated (Yes/No).
2 Under Discovery Information, choose:
  Vendor: Select either Extreme Only for Extreme Network devices only or MIB2 Devices to search for all MIB2-compliant devices.
  Version: Select Version 1, Version 2, Version 2C, Version 3 for the version of SNMP that the target devices are using. If you select Version 3, then make selections for V3 Privacy Protocol and Authentication Protocol below. If you select Version 1, then enter a value in the Read Community box.
  Timeout: Type or select the length of time to wait for an SNMP request to complete when attempting to contact the devices within the discovery range.
  V3 Privacy Protocol: Select either No Privacy or CBC DES Privacy. The default is No Privacy.
  Authentication Protocol: Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
  Discovery Type: Select SNMP.
  Read Community: Specify (or verify) the SNMP read community string so that Ridgeline can retrieve information from any SNMP version 1 devices it discovers.
  V3 User Name: Specify the principal name used for SNMP V3 authentication and security. The default is initialmd5.
  V3 Privacy Password: If the devices use CBC DES Privacy, type the privacy password. The default is an empty password (no password).
  Authentication Password: Type the authentication password. The default password is initialmd5.
3 Under IPv4, enter your desired discovery criteria:
  Range: Specify the device address range, such as 10.203.10.20 to 10.203.10.45.
  IP/Net Mask (CIDR): Specify the device address range, in Classless InterDomain Routing (CIDR) format. The value in the Subnet Mask field is the number of bits to be masked, starting from the high-order (left-hand) octet.
  Wildcard: Specify the device address range using wildcards, such as 10.203.10.* or 10.203.?.??
  Valid wildcard characters are *, ?, and - (dash):
    * acts as a wildcard for the entire octet (0-255).
    ? is a wildcard for a single digit (0-9).
    - lets you specify a range for any octet. You can use this in more than one octet. You cannot combine the dash with another wildcard in the same octet.
4 To use the discovery criteria, click Add. The discovery criteria is added to the table. To add additional ranges, IP/subnet masks, or wildcard options, click Add.
Note: There are certain IP addresses that are reserved. You should not include these addresses in your discovery:
  Class A networks: 0 and 127 are reserved.
  Class D networks: 224 - 239 are reserved for multicasting.
  All addresses above 239 are reserved.
  255 is reserved for broadcast datagrams for either the host or network portion of the IP address.
In addition, certain host addresses may be interpreted as broadcast addresses, depending on the subnetting of your network. IP addresses are processed prior to starting the discovery, and IP addresses that contain "255" in the host portion are eliminated. This is based on the IP address as well as the subnet mask. The following examples show how the various wild-card specifications can be used to specify various IP address ranges:
IP Address Specification          Addresses Generated
10.203.0.*                        polls 10.203.0.0 through 10.203.0.255
10.203.?.??                       polls 10.203.0.0 through 10.203.9.99
10.203.0.1? or 10.203.0.10-19     both specify the same range: 10.203.0.10 through 10.203.0.19
10.203.0-2.10-30                  polls 10.203.0.10 through 10.203.0.30
                                  10.203.1.10 through 10.203.1.30
                                  10.203.2.10 through 10.203.2.30
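To check which addresses a discovery specification will actually poll before you add it, the wildcard rules above can be expanded offline. The following Python sketch is an added example, not Ridgeline code: the function names are made up for the illustration, and treating "255 in the host portion" as the address whose host bits are all ones is this example's reading of the guide.

```python
import ipaddress
import itertools
import re

_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")
_DIGITS = re.compile(r"^[0-9?]{1,3}$")


def expand_octet(field):
    """Return the sorted octet values matched by one dotted field."""
    if field == "*":                      # whole octet, 0-255
        return list(range(256))
    m = _RANGE.match(field)
    if m:                                 # dash range such as 10-19
        low, high = int(m.group(1)), int(m.group(2))
        if low > high or high > 255:
            raise ValueError(f"invalid range {field!r}")
        return list(range(low, high + 1))
    if "-" in field or "*" in field:
        # The guide forbids mixing the dash with another wildcard in one octet;
        # rejecting '*' mixed with digits is this example's own assumption.
        raise ValueError(f"wildcards cannot be combined in {field!r}")
    if not _DIGITS.match(field):
        raise ValueError(f"invalid octet {field!r}")
    # Each '?' stands for one digit 0-9; int() folds leading zeros, so '??' gives 0-99.
    choices = ["0123456789" if ch == "?" else ch for ch in field]
    values = {int("".join(digits)) for digits in itertools.product(*choices)}
    values = sorted(v for v in values if v <= 255)
    if not values:
        raise ValueError(f"octet {field!r} is out of range")
    return values


def expand_spec(spec):
    """Expand a wildcard specification into IPv4Address objects, ascending."""
    fields = spec.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    octets = [expand_octet(f) for f in fields]
    return [ipaddress.IPv4Address(".".join(map(str, combo)))
            for combo in itertools.product(*octets)]


def drop_reserved(addresses, prefix_len=None):
    """Remove the reserved addresses the guide lists.

    First octet 0, 127, or 224 and above is dropped. If prefix_len is given,
    the address whose host bits are all ones for that mask is dropped too
    (assumed reading of the guide's rule about 255 in the host portion).
    """
    kept = []
    for addr in addresses:
        first = int(addr) >> 24
        if first in (0, 127) or first >= 224:
            continue
        if prefix_len is not None and prefix_len < 31:
            network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            if addr == network.broadcast_address:
                continue
        kept.append(addr)
    return kept


def runs(addresses):
    """Collapse ascending addresses into (first, last) pairs of consecutive runs."""
    out = []
    for addr in addresses:
        if out and int(addr) == int(out[-1][1]) + 1:
            out[-1][1] = addr
        else:
            out.append([addr, addr])
    return [(str(a), str(b)) for a, b in out]


if __name__ == "__main__":
    for spec in ("10.203.0.*", "10.203.?.??", "10.203.0.1?", "10.203.0-2.10-30"):
        found = drop_reserved(expand_spec(spec), prefix_len=24)
        print(f"{spec:18} {len(found):5} addresses, {len(runs(found))} run(s)")
```

Under these rules 10.203.?.?? expands to 1000 addresses in ten runs of 100, starting at 10.203.0.0 and ending at 10.203.9.99, because ?? cannot match a three-digit octet.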
6 To add the device to your inventory, click the check boxes for the desired devices, and then click Add. The Add Device dialog box appears.
Figure 20: Add Device Dialog Box
7 On the Basic Information tab:
  Poll Interval: Select the time interval that controls how frequently Ridgeline polls the device(s) for detailed status information. The default setting for the device poll interval is 30 minutes for an Extreme Networks modular chassis and 90 minutes for an Extreme stackable chassis.
  Note: Basic device status information is polled more frequently, and that interval is set as a server property (see Distributed Server Administration).
  Device Login: Type your administrative logon user name.
  Device Password: Type your administrative logon password.
  Device Manager Protocol: Select either HTTP or HTTPS.
  Additional Info: Any information you want to be included, by default, for all the devices added to the Ridgeline inventory in this operation. Maximum of 255 characters. You can view or change this information later in the Device Panel dialog box (see Device Inventory View on page 38).
8 On the SNMP Information tab, the selections that you made during device discovery appear. If you wish to change them:
  Version: Select Version 1, Version 2, Version 2C, Version 3 for the version of SNMP that the target devices are using. If you select Version 3, then make selections for V3 Privacy Protocol and Authentication Protocol below. If you select Version 1, then enter a value in the Read Community box.
  Write Community: Specify (or verify) the SNMP Write Community string so that Ridgeline can retrieve information from any SNMP version 1 devices it discovers. The default (for Extreme Networks devices) is private.
  V3 Privacy Protocol: Select either No Privacy or CBC DES Privacy. The default is No Privacy.
  Authentication Protocol: Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
  Read Community: Specify (or verify) the SNMP read community string so that Ridgeline can retrieve information from any SNMP version 1 devices it discovers.
  V3 User Name: Specify the principal name used for SNMP V3 authentication and security. The default is initialmd5.
  V3 Privacy Password: If the devices use CBC DES Privacy, type the privacy password. The default is an empty password (no password).
  Authentication Password: Type the authentication password. The default password is initialmd5.
9 Click OK. The Progress And Results dialog box appears. Successfully added devices appear with a check mark, and devices that were not added appear with an X.
Figure 21: Progress And Results Dialog Box
10 Click Close. Newly added device(s) appear in the devices table on the Devices tab under Main View.
Figure 22: Add Device Dialog Box
2 On the Basic Information tab, enter information in the following boxes as needed:
Device IP Address: The device IP address that Ridgeline uses to access the device. You may also enter a DNS-resolvable host name.
Poll Interval: Controls how frequently Ridgeline polls the device for detail status information. (Basic device status information is polled more frequently, and that interval is set as a server property in Ridgeline Administration.) The default setting for the device poll interval is 30 minutes for an Extreme modular chassis and 90 minutes for an Extreme stackable chassis.
The logon user name that Ridgeline should use to access the device.
The logon password that Ridgeline should use to access the device.
If you want to use SSH2 for secure Telnet sessions, select Enabled. SSH2 must be configured on the device to allow an SSH2 session. If SSH is not available (SSH enabling key not installed) this option is not available.
The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Any additional information you want to be included with this device. Maximum of 255 characters. You can view or change this information later in the Device Panel dialog box (see Device Inventory View on page 38).
3 To configure SNMP information for the device, click the SNMP tab, and then enter information in the following boxes:
Version: Select the SNMP version (Version 1, Version 2, Version 2C, Version 3).
Read Community: If the device is using SNMP version 1, enter the SNMP read community string for the device. The default (for Extreme Networks devices) is public.
If the device is using SNMP version 1, enter the SNMP write community string for the device. The default is private. If the device is using SNMP version 3, enter the principal name used for SNMP V3 authentication and security. The default is initialmd5. If the device is using SNMP version 3, select a SNMP V3 privacy protocol: No Privacy or CBC DES Privacy. The default is No Privacy. If the device is using SNMP version 3, select SNMP V3 privacy password. If the device is using CBC DES Privacy, type the privacy password. The default is no password (an empty string).
Authentication Protocol: The SNMP V3 authentication protocol. Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
Authentication Password: If the device is using SNMP V3 authentication, type the authentication password. The default password is initialmd5.
4 Click Add above Found Device. If the device is found, it appears in the Found Devices table.
5 (Optional) To find additional devices, repeat step 2.
6 In the Found Devices table, select the check box next to the device(s) you want to add to the Ridgeline database.
7 Click Manage. The Progress and Results dialog box appears. If the device is added successfully, the successful status appears in the Status column.
database and the switch change table. It also removes all information about VLANs, QoS policy, and virtual chassis connections associated with this device from the Ridgeline database.
Note: Deleting a device from Ridgeline has no effect on the configuration of the device itself, other than altering the trap receiver table.
Note: It is recommended that you not delete more than 50 devices at a time.
You must have read-write access to delete devices from the Ridgeline database or from device groups.
To delete a device:
1 In the navigation pane, click Main View or the desired device group.
2 Select the associated check box for the device you want to delete.
3 Click Delete. You are prompted to confirm the deletion. If you are deleting the device from a device group, you are prompted whether you want to delete the device from only the currently selected group or from all groups.
To modify the communications settings for managed devices in the database:
1 In the navigation pane, click Main View or a device group.
2 Select the devices that you want to change communications settings for (you can revise this later).
3 Click Device > Modify Communications Settings. The Modify Communications Settings dialog box appears (see the following figure).
Figure 24: Modify Communications Settings Dialog Box
4 In the table, select the devices you want the changes to apply to by clicking their check boxes.
6 Click the SNMP Information tab, and then make selections for the following:
Option: Description
Version: The version of SNMP that Ridgeline uses to access the device.
Write Community: Can be modified if the device is using SNMP version 1. Default is private.
V3 Privacy Protocol: Specifies the SNMP V3 privacy protocol. Select either No Privacy or CBC DES Privacy. The default is No Privacy.
Authentication Protocol: Specifies the SNMP V3 authentication protocol. Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
Read Community: Can be modified if the device is using SNMP version 1. The default is public.
V3 User Name: The principal name used for SNMP V3 authentication and security. The default (for Extreme Networks devices) is initialmd5.
V3 Privacy Password: If the device is using CBC DES Privacy, enter the privacy password. The default is an empty password (no password).
Authentication Password: If the device is using SNMP V3 Authentication, enter the authentication password. The default password is initialmd5.
7 Click OK.
If you have modified the Device Password (under the Basic Information tab) or the SNMP Community strings, on Extreme Networks devices, Ridgeline asks if you want to change those values on the switch as well as in the Ridgeline database. If you change any other values, such as the SNMPv3 settings, Ridgeline does not warn you and does not make changes on the device. This warning does not appear if you have changed only third-party devices. To change the values in the Ridgeline database and on the device itself, click Device and Database. To change the values only in the Ridgeline database, click Database Only. If you have already changed these values on the device, you should select Database Only, as Ridgeline will not be able to communicate with the device until after these settings have been changed in the database. If you change the community string in the database for a device, and do not elect to change it on the device, Ridgeline may no longer be able to communicate with the device. For settings other than the device password and community strings, Ridgeline does not make any changes on the device. To continue to communicate with the device, you must Telnet to the device to make changes. If you change the device password in both the database and the device, Ridgeline can still contact the device via Telnet to open a Telnet session on the device. If you have modified both Extreme Networks and third-party devices, and you select Device and Database, the device configuration occurs only on the Extreme Networks devices.
Click Tools > Default Communications Settings. The Default Communications Settings dialog box appears.
Figure 25: Default Communication Settings Dialog Box
2 On the Basic Information tab:
Device Login: The device user name required for Telnet or to use ExtremeWare Vista. The default is admin.
Device Password: The device password. The default is no password.
SSH: Whether SSH2 should be used for secure Telnet sessions. Select Enabled if Ridgeline should use SSH2. SSH2 must be configured on the device in order for an SSH2 session to be established between Ridgeline and the device. The default is Disabled.
The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device. The default is HTTP.
Additional Info: Any information you want to be included, by default, for all devices added to the Ridgeline inventory. Maximum of 255 characters.
3 Click the SNMP Information tab to make changes to any of the SNMP communication settings (see the figure below). These changes apply to future network devices that you add to the Ridgeline database.
4 Click OK to save your changes to the Ridgeline database. A message appears showing you the progress of saving your settings.
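Because every device added later inherits these settings, it is worth checking an inventory for devices still on the defaults this guide lists (public, private, initialmd5, No Privacy, an empty device password, SSH Disabled, HTTP). The following Python sketch is an added example, not part of Ridgeline: the CSV layout, column names and sample rows are constructed for the illustration, and only the default values come from this guide.

```python
import csv
import io

# Constructed sample inventory. The column names are hypothetical and are not
# a Ridgeline export format; the passwords shown are placeholders.
SAMPLE_INVENTORY = """\
ip,snmp_version,read_community,write_community,v3_user,v3_auth_protocol,v3_auth_password,v3_privacy_protocol,v3_privacy_password,login,password,ssh,manager_protocol
10.203.10.20,1,public,private,,,,,,admin,,Disabled,HTTP
10.203.10.21,3,,,initialmd5,MD5 Authentication,initialmd5,No Privacy,,netops,constructed-login-pass,Enabled,HTTPS
10.203.10.22,3,,,site-monitor,SHA Authentication,constructed-auth-pass,CBC DES Privacy,constructed-priv-pass,netops,constructed-login-pass,Enabled,HTTPS
"""


def audit_snmp(row):
    """Flag SNMP settings that still match the defaults stated in this guide."""
    findings = []
    if row["snmp_version"].strip().upper() == "3":
        if row["v3_user"] == "initialmd5":
            findings.append("default-v3-user")
        if row["v3_auth_protocol"] == "No Authentication":
            findings.append("v3-no-authentication")
        elif row["v3_auth_password"] == "initialmd5":
            findings.append("default-v3-auth-password")
        if row["v3_privacy_protocol"] == "No Privacy":
            findings.append("v3-no-privacy")
        elif not row["v3_privacy_password"]:
            findings.append("empty-v3-privacy-password")
    else:
        # Community strings apply to the non-V3 versions.
        if row["read_community"] == "public":
            findings.append("default-read-community")
        if row["write_community"] == "private":
            findings.append("default-write-community")
    return findings


def audit_access(row):
    """Flag logon and transport settings left at the guide's defaults."""
    findings = []
    if not row["password"]:
        findings.append("empty-device-password")
    if row["ssh"] == "Disabled":
        findings.append("ssh-disabled")          # sessions fall back to Telnet
    if row["manager_protocol"] == "HTTP":
        findings.append("http-device-manager")
    return findings


def audit_inventory(text):
    """Return {device ip: [finding, ...]} for every row of the CSV text."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        report[row["ip"]] = audit_snmp(row) + audit_access(row)
    return report


if __name__ == "__main__":
    for ip, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(ip, ", ".join(findings) if findings else "no default settings found")
```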
3 Click Telnet to Device. A Ridgeline Telnet window opens, and a Telnet session to the device is started.
Figure 27: Ridgeline Telnet Window
The Ridgeline Telnet window has a top portion that is gray, and a bottom portion that is white. The last 25 lines of Telnet commands and responses always appear in the white portion of the window. As output grows, the older lines scroll up into the gray portion of the window. This makes it easy to tell whether you are viewing the most recent Telnet output.
To copy text in a Ridgeline Telnet window: Select the text, right-click, and then click Copy.
To paste text from the clipboard to the command prompt in the Ridgeline Telnet window: Right-click, and then click Paste.
To record the commands and output from a Telnet session: Click Start Recording.
To stop the recording: Click Stop Recording.
The recorded Telnet session file is saved in the following directory:
  On Windows systems: C:\Documents and Settings\<user>\.epicenter
  On Linux systems: ~<user>/.epicenter
The file name is in the format <device_ipaddr>-<date>-<time>.txt; for example: 10_210_12_4-20090113-120302.txt
Providing Device Information for Extreme Networks Support (Show Tech Command)
During a telnet recording session, you record device information that includes troubleshooting information for the device. After you finish a recording you can zip the information and upload it to Extreme Networks eSupport. To record the show tech command and output from a Telnet session:
1 In the navigation pane, click Main View or the desired device group.
2 Select the associated check box of the desired device in the device table.
3 Click Telnet to Device. A Ridgeline Telnet window opens, and a Telnet session to the device starts (see Figure 27: Ridgeline Telnet Window on page 57).
4 Click Start Recording.
5 Type the command at the telnet prompt: # show tech
  This command has the following options:
  show tech brief: Provides a short description of the device information
  show tech detailed: Provides specific device information
6 Click Stop Recording when the command process ends. The recorded commands and output from the Telnet session are saved to a file on your local system:
  On Windows systems: C:\Documents and Settings\<user>\.epicenter
  The file name is in the format <device_ipaddr>-<date>-<time>.txt; for example: 10_210_12_4-20090113-120302.txt
7 Go to the directory on your local system and zip the file.
8 Upload the zipped file to Extreme Support.
5 Type the command upload debug <IP_address> where <IP_address> is the address of the server. When prompted to run the show tech logto file command, type N. The following example shows the command and command messages.

    BD-12804.2 # upload debug 10.210.16.74
    Do you want to run show tech logto file first? (y/N) No
    ..........................
    The following files on the MASTER have been uploaded:
    Tarball Name: BD-12804_AI_09081505.tgz
    ./show_tech.log.gz
    ./trace.devmgr.27844
    ./trace.nodemgr.27845
    Tarball Name: BD-12804_AC_09081505.tgz
    ./epicenter.cfg
    ./mullai_torino.cfg
    ./primary.cfg
    ./secondary.cfg
    ./snapshot.cfg
    ./torino-0404.cfg
    BD-12804.3 #

In this example, two .tgz archives are created: BD-12804_AI_09081505.tgz and BD-12804_AC_09081505.tgz
6 On the server, verify the location of the TFTP folder by clicking Tools > TFTP server configuration. The Configure TFTP Server dialog box (shown below) displays the path to the TFTP folder in the Set TFTP Root field.
Figure 28: Configure TFTP Server
If the server uses the default system TFTP server, then the path is: \Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\user.war\tft.
7 Log into the server to retrieve the .tgz files using the protocol that the server requires, Telnet or SSH.
Organize your devices and ports into logical groups (see Creating Groups on page 62). For example, you can create a device group, Main Campus, consisting of devices in that location. Within the Main Campus device group, you can create subgroups such as Building 1, Building 2, and so on, and administer and view status of devices within the individual groups. You can create a port group consisting of the voice-over-IP (VoIP) ports on all switches in your network, and monitor status of the ports in the group.
Control the scope for performing tasks in Ridgeline.
View your device groups graphically. The Ridgeline network map feature allows you to create diagrams of device groups in your network and display information about them graphically (see Overview of Ridgeline Map Views on page 71).
Figure 29: Displaying a Device Group 1 2 3 4 5 6 Details of selected device Map view of selected group Top-level group Port group Main View Table view of selected group
By default, the Main View contains all of the devices known to Ridgeline. You can create groups and subgroups and populate them with devices from the Main View group. A group can have multiple subgroups below it. The alarm status for the group is indicated on the folder icon next to the group name.
Clicking a group shows information about the devices in the table view. In the table view are tabs for displaying information about links between the devices, VLANs, and EAPS configurations. When an advanced license is installed, there are also tabs for VPLS and PBB. Information in the table view can be exported to a Microsoft Excel spreadsheet (see Exporting Group Information).
The map view allows you to view a graphical representation of the devices in a top-level device group and its subgroups, as well as the status of links between the devices. For information about creating and using maps, see Overview of Ridgeline Map Views on page 71.
A given device or port can reside in multiple groups, but not within the same top-level group hierarchy. For example, you can create a top-level device group called North America, with a subgroup Bay Area that has a subgroup Santa Clara Campus. If you place a given switch in the Santa Clara Campus subgroup, you cannot also place the same switch in either of the North America or Bay Area groups. However, if you create a second top-level group called EXOS Switches, which is not a subgroup of the North America group, you can place the switch in the EXOS Switches group, even though the switch also resides in the Santa Clara Campus subgroup of the North America group.
Figure 30: New Group Dialog Box
3 Type a meaningful name and optional description for the new group in the Name and Description boxes respectively.
4 Select Device Group or Port Group depending on which type of group you are creating.
5 In Group location, select the location in the hierarchy where the new group should be placed.
6 Click OK.
Adding Devices to Device Groups
To add a device to a device group:
1 Click Main View, and then select the desired device(s) in the table list.
2 Click Copy To Device Group. The Copy to Group dialog appears (see the following figure). By default, only the top-level groups appear. To display the subgroups within a top-level group, click the plus sign next to the group name.
Figure 31: Copy to Group Dialog Box
3 Select the group in which you want to place the device. Note that a device can be placed in a top-level group hierarchy only once. For more information about grouping rules, see Group Membership Guidelines.
4 Click OK.
Adding Ports to Port Groups
The ports that make up a port group can be either from a single device or from multiple devices. You can add ports from:
  Single device (see Adding Ports from a Single Device to Port Groups on page 63)
  Multiple devices (see Adding Ports from Multiple Devices to Port Groups on page 65)
Adding Ports from a Single Device to Port Groups
You can add ports to port groups from a single device or multiple devices (see Adding Ports from Multiple Devices to Port Groups on page 65).
To add ports from a single device to a port group:
1 Display the device in a table of devices. (One way to do this is to click Main View.)
Right-click the device, and then click Open to open the device's detail window (see the following figure).
Double-click the device to open the device's detail window shown below.
Click the device to view the device's details in the lower pane.
Figure 32: Device Details Window
3 Select the ports that you want to add to the port group. Press [Shift] + click to select a continuous section of ports or press [Ctrl] + click to select individual ports.
4 After selecting the ports, right-click, and then click Copy to Port Group. The Copy to Port Group dialog box appears (see the following figure). Only top-level groups appear. To display subgroups, click the plus sign next to the group name.
Figure 33: Copy to Port Group Dialog Box
5 Select the group in which you want to place the port(s). A port can be placed in a top-level group hierarchy only once. For more information about group rules, see Group Membership Guidelines.
6 Click OK.
You can add ports to port groups from multiple devices or a single device (see Adding Ports from a Single Device to Port Groups).
To add ports from multiple devices to a port group:
1 Click File > Group > Add ports to port group. The Add ports to port group dialog box appears.
Figure 34: Add Ports to Port Group Dialog Box
2 To view all devices in the inventory, click All Devices; to view only devices in a particular group, click Device Group, click , select the desired group, and then click OK.
3 Select a device by clicking it, and then clicking to move the device into the right pane.
4 After you have selected all of the desired devices, click Next. The Add ports to port group - port selection dialog box appears.
Figure 35: Add Ports To Port Group - Port Selection Dialog Box
5 Select the desired ports for the group by clicking the associated check box(es). Press [Shift] + click to select a continuous group of ports; press [Ctrl] + click to select individual ports.
6 After you have selected the ports, click Finish. The Copy to Port Group dialog box shown below appears. Only top-level groups appear. To display subgroups, click the plus sign (+) next to the group name.
Figure 36: Copy to Port Group Dialog Box
7 Select the group in which you want to place the port(s). A port can be placed in a top-level group hierarchy only once. For more information about group rules, see Group Membership Guidelines.
8 Click OK.
Copying or Moving Groups
You can copy or move a device group into another device group, and copy or move a port group into another port group. Note that device groups cannot be moved or copied into port groups and port groups cannot be moved or copied into device groups. Groups cannot be copied or moved to the Main View group.
To copy or move a group to another group:
1 Under Device Configuration in the navigation pane, select the group that you want to copy or move.
2 Right-click the group, and then select either Copy to Group or Move to Group. The Copy to Group or Move to Group dialog box appears (see the following figure). By default, just the top-level groups appear. To display the subgroups, click the plus sign next to the group name.
Figure 37: Copy to Group Dialog Box
3 Select the destination group in which you want to copy or move the selected group by clicking it.
4 Click OK.
The selected group is moved or copied to the destination group. If the copy or move operation would result in a device or port being placed in a top-level group hierarchy more than once, an error message appears, and the operation is cancelled.
Removing Devices or Ports from Groups
To remove a device or port from a group:
1 Under Device Configuration in the navigation pane, select the group that contains the device or port that you want to remove.
2 Select the device or port in the table by clicking its associated check box.
3 Click Edit > Delete. Ridgeline prompts you for confirmation to delete the selected devices or ports. For a device, you can choose to delete it from just the selected group or from all groups. If you delete a device from all groups, it is removed from the Ridgeline inventory database.
Modifying the Properties of a Group
You can change the properties for a device group or port group, including the group name or description.
To change the properties for a group:
1 Under Device Configuration in the navigation pane, select the group whose properties you want to modify.
2 Right-click the group, and then click Properties. The Device Group Properties dialog box appears:
3 Add or change information in the Name or Description boxes.
4 Click OK to save the changes.
Displaying Group Details
To display details about a group, click the group's row in the table view of the group's parent group. Information about the selected group appears in the details pane at the bottom of the window.
Figure 39: Group Details Pane
1 Group details pane
2 Selected parent group
3 Selected group in table view
Double-click the group row to display the group's devices table with a device details pane at the bottom of the window (see the following figure).
Figure 40: Group Details Window
1 Selected device group
2 Other subgroups
3 Selected device with its details pane
(Map views are not available for port groups.) If a topology map exists for the group, then it appears in the map view, shown below.
Figure 41: Map View of a Device Group
The main components of a Ridgeline Map View are:
1 Details pane: Detailed information about the item selected in the table (in this example, a sub-group).
2 Subgroup node: Within the map view, an icon that represents a subgroup of the currently displayed group.
3 Links: Colored lines that represent connectivity between nodes in the map.
4 Device group: A set of devices that have been placed in a Ridgeline group hierarchy. In Ridgeline, you can create groups of ports and devices, although topology maps are supported for device groups only. For information about creating device groups, see Organizing Devices and Ports Into Groups. A device group hierarchy has a top-level group and can have multiple levels of subgroups below it. When you create a map, Ridgeline creates separate maps for the top-level group, as well as for any subgroups.
5 Device node: Within the map view, an icon that represents a managed device in the device group.
6 Zoom controls: The map view offers several zoom controls:
Magnifier: Click to enable a circular viewing area that you can move with your cursor. Click again to disable.
Zoom in: Click to zoom in.
Zoom out: Click to zoom out.
Fit content: Click to zoom in/out so as to show all items in the map.
7 Button that enables map view. Map button is shaded when map view is enabled.
8 Saves the current map layout.
9 Saves the current map layout to graphic file in either Scalable Vector Graphics (SVG) or Graphics Interchange Format (GIF) format.
10 The devices and subgroups are laid out in the map in one of the following ways:
Hierarchical: Automatically arranges map elements into a hierarchical structure.
Circular: Automatically arranges devices in circles around the central nodes.
Organic: Automatically arranges devices by evenly spreading them out away from each other.
11 Map View: The graphical representation of the devices and links in the currently selected device group or subgroup. Selecting a device in the map view displays the device details in the lower pane.
12 Device table: Table of information about the objects displayed in the map view. Depending upon your selection, this is either subgroup (if the selected group has subgroups) or devices (if the selected group has devices in it). Selecting a device in the object table causes the corresponding icon in the map view to be selected, and detailed information about the selected device appears in the device details pane. For devices, you can click tabs to display information about the devices, links, VLANs, and EAPS rings in the device group.
Map Elements
The following elements can appear on a map:
Device Nodes
Sub-group Nodes on page 74
User-Defined Nodes on page 77
Text Nodes
Clouds
Links
Unmanaged Nodes
Device Nodes
Device nodes represent the managed devices in the device group. A device node shows the following information:
Name: The name of the device as it is kept in the inventory database.
Annotation: An optional, user-supplied annotation for the node.
Device type icon: A small icon representing the specific device or device product line. If the device is of an unknown type, an unknown device icon (a circle with a question mark) is displayed.
IP address for device.
Alarm icon: The device alarm status, indicated by the presence of an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for the device. The color of the bell indicates the severity of the alarm. If no icon appears, then either there are no unacknowledged alarms for the device, or the alarm status is below the alarm status threshold for the view. The alarm status threshold is set in the properties window for the map, and specifies the lowest severity level at which an alarm status icon should appear for a device node on the map. For more information about map properties, see Specifying Map Properties. If the alarm icon has an X through it, alarm propagation has been disabled for this device; the alarm status of this device does not influence the aggregate alarm status displayed for the map in which this node is located. To enable/disable alarm propagation, select a device group under Device Configuration in the navigation pane, right-click, and then click Alarm propagation > On/Off, as desired.
Device status: Indicated by the icon.
Red slash through the icon: device is down.
Gray icon: device is offline.
Icon without a red slash or gray color: device is up.
Sub-group Nodes
A sub-group node represents a child map of the current map. It appears as a rectangular icon (see the following figure). Clicking the plus sign (+) expands the sub-group. When you click a sub-group in the left navigation pane, the map of its root group appears in the map view with the selected group opened, and all other sub-groups closed.
1 Sub-group node icon (in this example, named Building 1)
2 Control for expanding the sub-group to show its devices and groups
Figure 42: Sub-group Node (Collapsed)
1 Sub-group node (expanded)
2 Control for collapsing the sub-group (see the preceding figure)
Figure 43: Sub-group (Expanded)
The sub-group node icon shows the following information:
The name of the node (sub-group), which can be edited by changing the group's name.
The sub-group alarm status, indicated by the presence of an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for any device within the subgroup. If multiple devices within the sub-group have unacknowledged alarms, the icon indicates the most severe alarm among all those devices. The color of the bell indicates the severity of the alarm. If the alarm icon has an X through it, alarm propagation has been disabled for this sub-group; the alarm status of this sub-group does not influence the aggregate alarm status displayed for higher level maps.
To enable/disable alarm propagation for a device group, in the navigation pane, right-click the device group, and then click Alarm propagation > On/Off.
User-Defined Nodes
You can create a user-defined map node to represent any other type of node that is not discovered or managed by Ridgeline, such as a server or workstation. A user-defined node shows the name, description, and optional annotation of the node, which can be edited.
Text Nodes
A text map node is a single-line text field that you can place anywhere in a network map. You can use it to create a title for the map, additional annotations for other map elements, comments, etc.
Clouds
A cloud can be added to a map to represent a network. As with user-defined nodes, you can add a name, description, and optional annotation to a cloud.
Links
A link represents connectivity between nodes in the map. Links are automatically detected on Extreme Networks devices when EDP or LLDP is enabled on either device. Links can also be detected on third-party devices that support LLDP. You can also create links.
Note For devices with EDP and/or LLDP disabled or not supported, you can manually add user-defined links to the map to represent connectivity between devices. They are not updated when the map topology changes. The behavior of the system-discovered links does not apply to user-defined links.
When a discovered link connects two devices on the same map, the link is annotated with the port number, or slot and port number for each of the endpoints. The appearance of a link shows a variety of information about the link.
The width of the link line indicates the link type:
Thin line indicates a 10/100 link.
Medium line indicates a gigabit link.
Thick line indicates a 10 gigabit link.
Very thick line indicates a 40 gigabit link.
Link shown with a double line indicates a load-shared link.
The color of the link line indicates the link status:
Green = link is up (both device ports are up).
Red = link is down (both device ports are down). If the link is a load shared link, red means that one of the links in it is down.
The format of the link annotation provides information about the link:
Table 4: Link Annotation Information

| Link Annotation Appearance | Example | Meaning |
|---|---|---|
| Endpoints separated by a dash. | p1:2 - p24 | Automatically created link. |
| Endpoints separated by an x. | p1:2 x p24 | User-created link. |
| Endpoint is a ?. | | User-created link with unknown endpoint. |
| Endpoint is followed by "lag". | p13 lag - p2:1 lag | Load shared ports. |
| Endpoint is followed by an m. | p17 - p2m | Management port. |
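The annotation formats in Table 4 can be checked mechanically, for example when reviewing a map for links that were drawn by hand rather than discovered through EDP or LLDP. The following Python sketch is an added example, not Ridgeline code; the grammar is inferred from the table's example strings, and the function names, field names, and the last sample string are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Endpoint forms inferred from the Table 4 examples (assumed grammar):
#   p24      port 24            p1:2     slot 1, port 2
#   p13 lag  load-shared port   p2m      management port
#   ?        unknown endpoint of a user-created link
_ENDPOINT = re.compile(
    r"^p(?:(?P<slot>\d+):)?(?P<port>\d+)(?P<mgmt>m)?(?:\s+(?P<lag>lag))?$"
)
# "A - B" is an automatically created link, "A x B" a user-created one.
_LINK = re.compile(r"^(?P<a>.+?)\s+(?P<sep>[-x])\s+(?P<b>.+)$")


@dataclass(frozen=True)
class Endpoint:
    slot: int | None = None
    port: int | None = None
    load_shared: bool = False
    management: bool = False
    unknown: bool = False


@dataclass(frozen=True)
class Link:
    a: Endpoint
    b: Endpoint
    user_created: bool


def parse_endpoint(text: str) -> Endpoint:
    """Parse one side of a link annotation."""
    text = text.strip()
    if text == "?":
        return Endpoint(unknown=True)
    m = _ENDPOINT.match(text)
    if m is None:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return Endpoint(
        slot=int(m["slot"]) if m["slot"] else None,
        port=int(m["port"]),
        load_shared=m["lag"] is not None,
        management=m["mgmt"] is not None,
    )


def parse_link(annotation: str) -> Link:
    """Parse a whole annotation such as 'p1:2 - p24'."""
    m = _LINK.match(annotation.strip())
    if m is None:
        raise ValueError(f"unrecognised link annotation: {annotation!r}")
    a, b = parse_endpoint(m["a"]), parse_endpoint(m["b"])
    # Table 4 lists a "?" endpoint only for user-created links.
    user_created = m["sep"] == "x" or a.unknown or b.unknown
    return Link(a, b, user_created)


def manual_links(annotations: list[str]) -> list[str]:
    """Return the annotations of links that were drawn by hand.

    User-created links are not updated when the topology changes, so they
    are the ones worth re-verifying against the physical network.
    """
    return [text for text in annotations if parse_link(text).user_created]


# The first four strings are the Table 4 examples; the last one is constructed.
SAMPLE = ["p1:2 - p24", "p1:2 x p24", "p13 lag - p2:1 lag", "p17 - p2m", "? x p5"]

if __name__ == "__main__":
    for text in SAMPLE:
        print(f"{text:22} {parse_link(text)}")
```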
Unmanaged Nodes
Unmanaged nodes are devices that are discovered by Ridgeline as being connected to managed devices, but they are not managed in your inventory. For example, if you have Device A in your inventory and it is physically connected to Device B, but Device B is not in your managed inventory, then Device B appears in Ridgeline as an unmanaged node on the maps. An unmanaged node appears on the map with a device icon with the text "Unknown," and an exclamation mark (!) on the bottom left corner of the icon.
The currently displayed map, click Map > Properties. All maps, click Tools > Options.
Under Information, you can specify the lowest severity level for which an alarm status icon appears for a device node. In the map, the device's alarm status is represented by an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for the device. The color of the bell indicates the severity of the alarm.
Under Background image, you can specify the background image for the map. Ridgeline includes a number of sample background images, and you can add your own. To add an image to the list of available background images, place it in the <Ridgeline_install_dir>\jboss\standalone\deployments\extreme.war\gifs\topologyBackgroundImages directory.
Under Link label, you can specify what appears on the text caption on links. This can be either the port numbers (for example, p1-p2), or the port number with the port name in parentheses.
Under Appearance, you can specify the size of the text used in the captions for the map title, objects, and links, as well as the background color of the map.
Under Hide nodes, you can choose to hide access points and/or unknown devices (which are not added to the Ridgeline inventory).
After specifying properties for the map, click OK to apply the new properties. Click Restore Global Map Settings to reset the map properties to the globally set values.
Hierarchical: Automatically arranges map elements into a hierarchical structure.
Circular: Automatically arranges devices in circles around the central nodes.
Organic: Automatically arranges devices by evenly spreading them out away from each other.
Click Save after you are finished to retain the map layout.
2 Click Map > New > Link. The New Link dialog box appears.
Figure 45: New Link Dialog Box
3 There are two sections, Side A and Side B, representing a device on either end of the link. For each side of the link:
a In Name, select the device for this side of the link. The Name list contains the name and IP address of each object in the device group.
b Optionally, in Port number, select a port on the device for the end point of the link. If you select the Show VLANs check box, the VLANs that the selected port is a member of appear.
c Instead of selecting a port, you can specify a text annotation to describe this side of the link on the map. To do this, select Annotation, and then type the text in the box.
4 Click OK to create the link on the map.
1 Select the two devices in the map view.
2 Click Map > Clear inactive links from > Selected two devices.
Removing Inactive Links from Maps in a Device Group
To remove the inactive links on a map in the top-level group and subgroups of a device group:
1 Display the map view of the device group.
2 Click Map > Clear inactive links from > Selected primary group and its subgroups.
Removing Inactive Links in Maps for All Devices in a Group
To remove the inactive links for all the devices in all device groups, click Map > Clear inactive links from > All devices.
User-Defined Nodes. User-defined nodes represent any type of node that is not discovered or managed by Ridgeline, such as a server or workstation. To add a user-defined node to your map, click Map > New > Node. The New Node dialog box appears.
Figure 46: New Node Dialog Box
Type the name, optional description, and annotation for the node, and then click OK.
Text Boxes. Text boxes can be used to create a title for the map, additional annotations for other map elements, comments, etc. To add a text box to your map, click Map > New > Text box. A new text box with the words "Type here" appears on the map. Double-click the text box and replace the "Type here" text with your own text.
Clouds. Clouds can be added to a map to represent a network. To add a cloud to your map, click Map > New > Cloud. The New Cloud dialog box appears.
Figure 47: New Cloud Dialog Box
Type the name, optional description, and annotation for the cloud, and then click OK.
To delete any of these graphic elements, select the object, right-click, and then click Delete.
2 Click the desired device in the map.
3 Right-click the desired device in the map, and then click Device Annotation. The Device Annotation dialog box appears.
Figure 48: Device Annotation Dialog Box
4 In the Annotation box, type the annotation for the device. 5 Click OK.
Saving Maps
To save your map changes, click .
Exporting Maps
You can export a map view to a Scalable Vector Graphics (SVG) or Graphics Interchange Format (GIF) file.
To export a map to an SVG or GIF file:
1 Display the map view that you want to export.
2 Click .
Note If you have started the Ridgeline client using a Remote Desktop Client (RDC) connection, ensure that the display on the client system is set to use 15-bit color.
VLANs and VMANs. Using Ridgeline provisioning windows, you can create a VLAN or VMAN simply by selecting the devices, ports, and tagging options you want, then validate and deploy the VLAN or VMAN configuration by clicking a button. See Configuring VLANs and Configuring VMANs.
Backbone VLANs (BVLANs) for Provider Backbone Bridge (PBB) networks. Ridgeline's provisioning interface helps you configure a PBB network by facilitating the creation of BVLANs on selected devices, ports, or links. See Configuring BVLANs.
E-Line and E-LAN services. Using the service provisioning wizard, you can create and modify E-Line (point-to-point) and E-LAN (multipoint-to-multipoint) services. You can select the devices and ports that make up the service, specify traffic mapping options, create and apply bandwidth profiles, then validate the configuration and deploy it on your network. See Configuring Ethernet Services.
EAPS domains. You can use the EAPS provisioning feature to configure EAPS domains, including specifying member links, the EAPS master node, primary and secondary ports, control VLAN, hello timer, and fail timer parameters. Your configuration is validated by the software before it is deployed to managed devices. See Configuring EAPS.
Figure 49: Unsuccessful VLAN Provisioning
Ridgeline handles errors encountered during the provisioning process in the following ways:
If Ridgeline is not able to establish connectivity to one of the target switches, then it does not proceed with the provisioning tasks on any of them.
If commands that were validated by Ridgeline are subsequently not accepted by the switch, for example if the switch responds to a command with an error message, then Ridgeline retracts the commands that it had entered prior to the error, and halts the provisioning process. Any commands entered on the other target switches are automatically retracted to what was in the previous configuration.
While the commands are being retracted, if the switch goes offline (is no longer managed by Ridgeline), the commands continue to be retracted until they have all been removed. If the device becomes unreachable, or it is not possible to log on to the device, then the retraction process for the device fails, and Ridgeline displays an error message.
Note Only one provisioning request can be processed on the Ridgeline server at a time. If you attempt multiple provisioning requests at the same time, such as simultaneously from two different Ridgeline clients, an error message appears.
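The error handling described above amounts to an all-or-nothing deployment with rollback. The following Python sketch is an added illustration of that behavior, not Ridgeline code: the Switch class, its methods, the result dictionary, and the command strings are hypothetical stand-ins for real device sessions.

```python
import threading


class CommandRejected(Exception):
    """The switch answered a command with an error."""


class Unreachable(Exception):
    """The device cannot be reached or logged on to."""


class ProvisioningBusy(Exception):
    """Another provisioning request is already being processed."""


class Switch:
    """Hypothetical stand-in for a session to one managed switch."""

    def __init__(self, name, reachable=True, rejects=(), lost_during_retract=False):
        self.name = name
        self.reachable = reachable
        self.rejects = set(rejects)            # commands this switch refuses
        self.lost_during_retract = lost_during_retract
        self.config = []                       # commands currently in effect

    def apply(self, command):
        if command in self.rejects:
            raise CommandRejected(f"{self.name} rejected {command!r}")
        self.config.append(command)

    def retract(self, command):
        if self.lost_during_retract:
            raise Unreachable(self.name)
        self.config.remove(command)


# Only one provisioning request is processed at a time.
PROVISIONING_LOCK = threading.Lock()


def provision(switches, commands):
    """Deploy commands to every switch, or leave every switch unchanged."""
    if not PROVISIONING_LOCK.acquire(blocking=False):
        raise ProvisioningBusy("another provisioning request is in progress")
    try:
        # 1. Connectivity is checked for all targets before anything is sent.
        down = [sw.name for sw in switches if not sw.reachable]
        if down:
            return {"status": "aborted", "unreachable": down, "retract_failed": []}

        applied = []  # (switch, command) pairs in the order they were entered
        try:
            for sw in switches:
                for command in commands:
                    sw.apply(command)
                    applied.append((sw, command))
        except CommandRejected as err:
            # 2. On a rejected command, undo everything entered so far,
            #    newest first, on every target switch.
            retract_failed = []
            for sw, command in reversed(applied):
                if sw.name in retract_failed:
                    continue  # retraction already failed for this device
                try:
                    sw.retract(command)
                except Unreachable:
                    retract_failed.append(sw.name)
            return {"status": "rolled_back", "error": str(err),
                    "retract_failed": retract_failed}
        return {"status": "deployed", "retract_failed": []}
    finally:
        PROVISIONING_LOCK.release()
```

A non-empty retract_failed list is the case that needs manual follow-up: that device still holds part of a configuration the other switches no longer have.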
Figure 50: Ridgeline Audit Log with Provisioning Tab Selected
1 Quick Filter button. Click to display options to filter the provisioning task list by time period and/or search terms.
2 List of provisioning tasks.
3 Progress and Results pane for the selected provisioning task. Double-click the selected task to display the Progress and Results information in a separate window.
For more information about the audit log, see Using the Ridgeline Audit Log.
E-Line Service
An E-Line service is a point-to-point Ethernet Virtual Connection (EVC) that can be implemented in a service provider network, as illustrated in the following figure. E-Line services can be created to support Ethernet Private Line (EPL) and Ethernet Virtual Private Line (EVPL) services. In an E-Line service, two UNI ports connected to customer equipment (CE) devices form the endpoints for the service. Customer traffic entering the service provider network at one UNI port is associated with the EVC. The UNI ports are associated with each other so that customer traffic in the E-Line service is exchanged only between the two UNI ports.
Figure 51: E-Line Service
When Ridgeline provisions an E-Line service, it also adds the VLAN, VMAN, or PBB BVLAN to an EAPS domain on the devices where the VLAN/VMAN/BVLAN is configured.
E-LAN Service
An E-LAN service is a multipoint-to-multipoint EVC, as illustrated below. An E-LAN service can have two or more UNI ports connected to CE devices. E-LAN services can be created to support Ethernet Private LAN (EP-LAN) and Ethernet Virtual Private LAN (EVP-LAN) services.
Bandwidth Profiles
By default, an E-Line or E-LAN service provides best-effort service for customer traffic on the UNI ports. In some cases, such as when the UNI ports in an Ethernet service have different line rates, you can specify bandwidth profiles and apply them to the UNI ports. A bandwidth profile can specify values for Committed Information Rate (CIR), Committed Burst Size (CBS), Excess Information Rate (EIR), Excess Burst Size (EBS), and single/dual-rate profile settings. You can apply bandwidth profiles to all UNI ports in the service, or to selected UNI ports.
Create an Ethernet service
Modify settings for Ethernet services
Create and assign customer names to services
Create and apply bandwidth profiles
For more information about Ridgeline's network resource provisioning feature, see Provisioning Network Resources.
2 Click New > E-Line or E-LAN. The E-Line or E-LAN Service Provisioning wizard appears (see the following figure).
Figure 53: E-Line Service Provisioning Wizard - E-Service Configure Tab
3 Type a name for the new E-Line or E-LAN service in the Name box.
4 Optionally, type a description for the service in the Description box.
5 Select the customer who uses this service from the Customer list. For information about adding a customer to this list, see Creating a Customer Profile.
6 Select the transport type to be used with this service from the Transport Type list: 802.1Q (VLAN), 802.1ad (PB/VMAN), or 802.1ah (PBB).
7 Select the UNI ports for this service. Click the + next to a device to view its ports. An E-Line service must consist of two UNI ports. An E-LAN service can have two or more UNI ports. Devices that do not support Ethernet services are unavailable.
8 Click Next. For BVLANs, the Device Settings tab appears (see the following figure). Otherwise, the Traffic Mapping tab appears (see the following figure). Skip to Step 12.
Figure 54: E-Line Service Provisioning Wizard - Device Settings Tab
9 Select the BVLAN in the 802.1ah(PBB) list, and type ISID and ISID name in the ISID and ISID Name boxes.
10 Under Device-specific settings, specify whether traffic is tagged or untagged for some or all devices:
a Select either Use the same settings on all devices or Customize the settings per device.
b If you selected Customize the settings per device, select a device, and then for Traffic, click either Port based or SVLAN or CVLAN. Type a name and tag for the selected device in the Name and Tag boxes. Repeat for each device.
c If you selected Use the same settings on all devices, for Traffic, click either Port based or SVLAN or CVLAN. Type a name and tag for the device(s) in the Name and Tag boxes.
11 Skip to step 16.
12 In the first list, select the VLAN or VMAN to be used as the transport method for the service.
Figure 55: E-Line Service Provisioning Wizard - Traffic Mapping Tab
13 Under Port Specific Settings, specify whether traffic is tagged or untagged for both UNI ports, or for a selected UNI port:
a Select either Use the same settings on all ports or Customize the settings per port.
b If you selected Customize the settings per port, select a port, and then for Traffic, click either Tagged or Untagged. Repeat for each port.
c If you selected Use the same settings on all ports, for Traffic, click either Tagged or Untagged.
14 Optionally, select a bandwidth profile to use on one or more ports in the service from the Bandwidth Profile list. For information about setting up bandwidth profiles, see Creating a Bandwidth Profile.
15 Indicate whether to enable the service after it has been provisioned on the target devices. If you want to deploy the service immediately after successful validation, without a separate deployment step, select If validation has no errors, continue automatically to creating the new service.
Figure 56: E-Line Service Provisioning Wizard - Validation Tab
17 If the validation is successful, click Finish to deploy the service to the target devices. Otherwise, click Back to go back to the previous tab and modify the settings.
18 Click Finish. After Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, and then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches. The information in the is logged in the Ridgeline Audit Log. For more information, see Viewing Logged Information about Provisioning Tasks.
Figure 58: Ethernet Service Properties Dialog Box
5 To change the name or description, click Edit name / description, make the desired changes, and then click OK.
6 To change the customer, click Edit customer, make the desired changes, and then click OK. For more information about creating customer profiles, see Creating Customer Profiles on page 99.
7 To delete the bandwidth profile, click Delete bandwidth profile. When prompted, confirm the deletion.
8 To add bandwidth profiles, click Add bandwidth profiles. For more information about adding bandwidth profiles, see Creating Bandwidth Profiles on page 100.
9 To add ports, click Add ports. See Adding Ports on page 97.
Note You can only add and delete ports for E-LAN services, not E-Line services.
10 To delete ports, click Delete ports. See Deleting Ports on page 98.
11 Click Cancel to close the dialog box.
Adding Ports
You can add and delete (see Deleting Ports on page 98) ports to an E-LAN service after it has been created.
To add ports to an E-LAN service:
1 In the navigation pane, click Main View or a desired device group.
2 Click the Services tab.
3 Select the E-LAN service to add ports to by clicking its check box.
4 Click Add Ports. The Add Ports dialog box appears (see the following figure).
Figure 59: Add Ports Dialog Box - Add Ports Tab
5 Select the ports to add to the service. Click the check box for a device to select all of its ports, or click the + next to a device to see its list of ports.
6 Click Next. The Traffic Mapping tab appears.
7 For each added port:
a For Traffic, select either Tagged or Untagged.
b Select a bandwidth profile from the Bandwidth Profile list. For more information about bandwidth profiles, see Creating Bandwidth Profiles on page 100.
8 Indicate whether to enable the service after it has been provisioned on the target devices. If you want to deploy the service immediately after successful validation, without a separate deployment step, select If validation has no errors, continue automatically to creating the new service.
9 Click Next. The Validation tab appears.
10 If the validation is successful, click Next. The Results tab appears.
11 Click Finish.
Deleting Ports
You can add (see Adding Ports on page 97) and delete ports to an E-LAN service after it has been created.
1 In the navigation pane, click Main View or a desired device group.
2 Click the Services tab.
3 Select the E-LAN service to delete ports from by clicking its check box.
4 Click Delete Ports. The Delete Ports dialog box appears (see the following figure).
Figure 60: Delete Ports Dialog Box - Delete Ports Tab
5 Select the ports to delete by clicking their check boxes.
6 Click Next. The Validation tab appears.
7 If the validation is successful, click Next. The Results tab appears.
8 Click Finish.
Ridgeline only: removes the service from the Ridgeline database
Ridgeline and devices: removes the service from the devices and the Ridgeline database
4 Click New to create a new customer profile, or select an existing profile under Customer profiles, and then click Edit. The Customer Settings dialog box appears (see the following figure).
Figure 62: Customer Settings Dialog Box
5 Type contact information for the customer. When you are done, click Add (for a new customer profile) or Modify (for an existing customer profile).
6 Click OK.
After you create a customer profile, you can apply it to an Ethernet service. See Modifying Ethernet Services on page 96.
3 Click Add Bandwidth Profiles. The Edit bandwidth profile dialog box appears (see the following figure).
Figure 63: Edit Bandwidth Dialog Box
4 On the Add Bandwidth tab, in the Bandwidth Profile list, select New profile. The Bandwidth Profile dialog box appears (see the following figure).
5 Click New. The Bandwidth Profile dialog box appears (see the following figure).
Figure 65: Bandwidth Profile Dialog Box
6 Type a name for the bandwidth profile in the Bandwidth Profile Name box and specify settings for the following parameters:
Quality Profile: The quality of service (QoS) feature that allows you to configure a switch to provide different levels of service to different groups of traffic. Range of 1-8. For more information, see the ExtremeXOS Concepts Guide.
Selects single rate.
Selects dual rate.
Committed Information Rate (CIR): The average rate for service traffic up to which the network delivers the service traffic and is committed to meeting the performance objectives defined by the CoS Service Attribute. You can specify the CIR in Kbps, Mbps, or Gbps.
Committed Burst Size (CBS): The maximum allowed size for a burst of service traffic sent at the UNI speed to remain CIR-conformant. You can specify the CBS in Kb, Mb, or Gb.
Excess Information Rate (EIR): The average rate of service traffic up to which the network may deliver service traffic but without any performance objectives. You can specify the EIR in Kbps, Mbps, or Gbps.
Excess Burst Size (EBS): The maximum size of a burst of service traffic sent at the UNI speed to remain EIR-conformant. You can specify the EBS in Kb, Mb, or Gb.
7 When you are done, click Add (for a new bandwidth profile) or Modify (for an existing bandwidth profile).
8 Click OK.
9 On the Edit Bandwidth dialog box, you can apply the new bandwidth profile to the Ethernet service (see Modifying Ethernet Services on page 96) or click Cancel to exit the dialog box and use the profile later.
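How CIR, CBS, EIR, and EBS interact is easiest to see in a token-bucket model. The following Python sketch is an added example of a generic two-rate, color-blind marker; it is not ExtremeXOS or Ridgeline code and does not claim to reproduce the switch's metering. It assumes rates in bits per second and burst sizes in bits, treats a profile with EIR and EBS of 0 as single rate, and uses hypothetical class and function names.

```python
class BandwidthProfile:
    """Two token buckets: one for committed traffic, one for excess traffic.

    green  = CIR-conformant (delivered with performance objectives)
    yellow = EIR-conformant (may be delivered, no performance objectives)
    red    = conformant to neither
    """

    def __init__(self, cir, cbs, eir=0, ebs=0):
        if min(cir, cbs, eir, ebs) < 0:
            raise ValueError("rates and burst sizes must be non-negative")
        self.cir, self.cbs, self.eir, self.ebs = cir, cbs, eir, ebs
        self._committed = cbs   # both buckets start full
        self._excess = ebs
        self._last = 0.0        # arrival time of the previous frame, seconds

    def mark(self, now, frame_bits):
        """Classify one frame arriving at time `now` (seconds)."""
        elapsed = now - self._last
        if elapsed < 0:
            raise ValueError("frames must be presented in time order")
        self._last = now
        # Refill each bucket at its rate, never beyond its burst size.
        self._committed = min(self.cbs, self._committed + self.cir * elapsed)
        self._excess = min(self.ebs, self._excess + self.eir * elapsed)
        if frame_bits <= self._committed:
            self._committed -= frame_bits
            return "green"
        if frame_bits <= self._excess:
            self._excess -= frame_bits
            return "yellow"
        return "red"


def simulate(profile, frames):
    """Mark a sequence of (arrival_time_s, size_bytes) frames in order."""
    return [profile.mark(t, size_bytes * 8) for t, size_bytes in frames]


def cbs_too_small(profile, max_frame_bytes):
    """True when the largest expected frame can never be CIR-conformant.

    A CBS below one full-size frame means such frames are never green,
    whatever the CIR is set to.
    """
    return max_frame_bytes * 8 > profile.cbs


if __name__ == "__main__":
    # Constructed sample: 1 Mbps CIR, CBS of two 1500-byte frames,
    # 1 Mbps EIR, EBS of one 1500-byte frame.
    dual = BandwidthProfile(cir=1_000_000, cbs=24_000, eir=1_000_000, ebs=12_000)
    print(simulate(dual, [(0.0, 1500)] * 5))   # back-to-back burst at t = 0
    print(simulate(dual, [(0.02, 1500)] * 3))  # second burst 20 ms later
```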
1 Map view
2 Details panel
3 Services table
Figure 66: Services Tab
Services Table
The Services table on the Services tab (see Viewing Ethernet Services Information on the Services Tab on page 102) shows the following information.
Name The configured name of the Ethernet service, and an icon indicating its condition. The icon can be one of the following: Both ports in the E-Line service are up. One or both ports in the E-Line service are down. The E-Line service is disabled. All ports in the E-LAN service are up. At least two ports in the E-LAN service are up, but others are down. All or all but one of the ports in the E-LAN service are down. The E-LAN service is disabled. Status The current status of the Ethernet service: UP if all UNI ports in the service are up, DOWN if all UNI ports in the service are down, or PARTIAL if some of the UNI ports are up and others are down. Whether the Ethernet service is currently enabled or disabled.
Operational Status
Customer Name: The name of the Customer that the service was assigned to, if configured.
Transport Type: The transport method specified for the service: 802.1Q (VLAN), 802.1ad (PB/VMAN), or 802.1ah (PBB).
Transport Name: The name of the VLAN, VMAN, or BVLAN used as the transport method.
Transport Tag: The tag value of the VLAN, VMAN, or BVLAN used as the transport method.
Transport Network: The network name of the VLAN, VMAN, or BVLAN used as the transport method, if configured.
Service End Points: The number of UNI ports configured for this Ethernet service. For an E-Line service, this is always 2. For an E-LAN service, this can be 2 or more.
Description: The configured description of this service, if configured.
Ethernet Service Type: Whether the selected service is an E-Line or E-LAN service.
Map View
The map view on the Services tab highlights the devices where the selected Ethernet service, VLAN, VMAN, BVLAN, or EAPS domain is configured. You can select a service in the table and display it on the map as an overlay view highlighting all of the devices and links in the map where the selected service is configured.
There is also a Ports tab (see Ports Tab on page 105) and a Bandwidth Profile tab (see Bandwidth Profile Tab on page 105).
Ports Tab
The Ports tab on the Ethernet services details window (see Displaying Ethernet Service Details on page 104) includes the following information:
Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Tagged: Whether the port is tagged.
IP Address: The IP address of the device.
Actual Speed: Speed of the port if known; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port if known, either full or half.
Type: Type of port.
Port Status: The port state (Enabled or Disabled).
Link State: The link state.
Name: The name of the device.
Bandwidth Profile Tab
The Bandwidth tab on the Ethernet services details window (see Displaying Ethernet Service Details) includes the following information. If a bandwidth profile has been applied to an individual port, select the port to display its bandwidth profile settings.
Bandwidth Profile Name: The name of the bandwidth profile applied to the selected port, if applicable.
CIR: Committed Information Rate
CIR Unit: Whether the Committed Information Rate is measured in Kbps, Mbps, or Gbps.
CBS: Committed Burst Size
CBS Unit: Whether the Committed Burst Size is measured in Kb, Mb, or Gb.
EIR: Excess Information Rate
EIR Unit: Whether the Excess Information Rate is measured in Kbps, Mbps, or Gbps.
EBS: Excess Burst Size
EBS Unit: Whether the Excess Burst Size is measured in Kb, Mb, or Gb.
Rate: Whether a single rate or dual rate profile has been applied to the port.
Quality Profile: The number of the quality profile applied to the port.
7 Policies
Overview Viewing Policy Details Creating New Policies Creating Categories for Policies Creating and Managing Roles
This section describes how to set policy statements in the policy database.
Overview
The policy manager is responsible for maintaining a set of policy statements in a policy database and communicating these policy statements to the applications that request them.
Policies are used by the routing protocol applications to control the advertisement, reception, and use of routing information by the switch. Using policies, a set of routes can be selectively permitted (or denied) based on their attributes, for advertisements in the routing domain. The routing protocol application can also modify the attributes of the routing information, based on the policy statements.
Policies are also used by the access control list (ACL) application to perform packet filtering and forwarding decisions on packets. The ACL application programs these policies into the packet filtering hardware on the switch. Packets can be dropped, forwarded, moved to a different QoS profile, or counted, based on the policy statements provided by the policy manager.
Ridgeline supports only ACL-based policies. With Ridgeline's policy manager, you can create a policy for a role, for identity management role-based access control (see Creating New Policies), or create a policy for virtual port profiles (VPPs) to manage virtual machines (VMs) (see Attaching Policies to VPPs).
Figure 68: Policy View
The policy view displays the following information:
Column Heading / Description
Attached: Whether or not the policy is currently attached.
Category: The optional category that you have assigned the policy to, making it easier to find. This is for your benefit only; switches do not use it, nor does it affect a policy's function (see Creating Categories for Policies on page 119).
The name assigned to the policy.
The optional description given to the policy when it is created.
The type of policy, either virtual-port profile or role.
The direction the policy is applied to for the traffic: ingress, egress, or both.
The actor that last updated the policy (including Ridgeline (system)).
The last time the information about the policy was refreshed from the database.
For each selected policy the lower pane has the following tabs:
   - Rule
   - Deployments
   - EXOS Policy: displays the policy code
Rule Tab
In the Policy view (see Viewing Policy Details on page 107) details pane, click the Rule tab to view the following information about the rule(s) attached to the selected policy.
Description The numeric order of the rule in the policy (1, 2, 3, etc.). The optional category that you have assigned the rule to, making it easier to find. This is for your benefit only; switches do not use it, nor does it affect a rule or policy's function (see Creating Categories for Policies on page 119). The name assigned to the rule. The optional description given to the rule when it is created.
Rule Description
Deployments Tab
In the Policy view (see Viewing Policy Details on page 107) details pane, click the Deployments tab to view the following information about the rule(s) attached to the selected policy.
Column Heading / Description
Used For: Role or virtual machine.
Direction: Ingress, egress, or both.
Name: Name of the role/virtual machine to which this policy is attached.
2 Click New Policy. The New Policy dialog box appears (see the following figure).
Figure 69: New Policy Dialog Box
3 Type the name of the policy in the Name box.
4 (Optional) Type a description in the Description box.
5 In the Policy Type list, select:
   - Virtual-port profile: You can select Ingress or Egress or both.
   - Role: You can only select Ingress.
6 Next to Direction, select the direction the policy applies to: Ingress and/or Egress.
7 Click New to create a rule (you must create at least one rule for a policy). The New Policy Rule dialog box appears (see the following figure). It describes the criteria for the entries: you can specify multiple, single, or zero match conditions. If no match condition is specified, all packets match the new entry.
Figure 70: New Policy Rule Dialog Box - Match Condition Tab
8 Type a name in the Rule Name box.
9 (Optional) Select a category for the rule in the Rule Category list. If the desired category does not exist, you can create one:
   a In the Rule Category list, click New rule category. The Categorize Policy Rule dialog box appears (see the following figure).
   b Click New. The New Category dialog box appears.
   c Type a name for the new category in the Category Name box.
   d Click Create.
   e Click OK. The new category is selected in the Rule Category list.
10 Click a condition to view a detailed description in the lower pane.
11 You can select a condition from the list of Available Match Conditions, and then move each condition to the Selected Match Conditions list on the right. See Attaching Policies to Roles for Identity Management ingress policy match conditions and Policy Match Condition Combinations for XNV ingress and egress match conditions.
Note: All the conditions must be matched. That is, an implicit AND is included between all the match conditions.
The following information applies to the match conditions shown in the lists:
   - The letter "L" with a number before each match condition indicates the OSI layer on which these reside (for example, "L2" = OSI layer 2).
   - Conditions that are not compatible with other selections that you have made are not available (grayed out).
12 Click Next. The Match Condition Input tab appears (see the following figure).
Figure 72: New Policy Rule Dialog Box - Match Condition Input Tab
13 Provide inputs in the list(s) and box(es) for the match conditions that you selected previously.
14 Click Next. The Action tab appears (see the following figure).
Figure 73: New Policy Rule Dialog Box - Action Tab
15 Under If the match conditions are met, then:, select what should happen if the match conditions are met:
   - The packet is dropped
   - The packet is forwarded
16 If you do not want to add action modifiers, go to Step 18.
17 To select action modifiers:
   a Click Also include these action modifiers.
   b Under Available Action Modifiers, select action modifiers and move them to the Selected Action Modifiers list. Clicking an action modifier displays detailed information about it in the lower pane.
18 Click Finish. The New Policy Rule dialog box closes and you are returned to the New Policy dialog box, which now shows the rules that you added to the policy under the Rules tab and the code for the policy under the EXOS Policy tab.
19 Repeat Steps 7 through 18 to create additional rules, if needed.
20 Click OK. The new policy appears in the list as an unattached policy (Attached column value is Unattached).
For information about how to attach a policy, see Attaching Policies to VPPs and Attaching Policies to Roles. For information about how to edit a policy, see Editing a Policy.
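The rule semantics described in this procedure (an implicit AND between match conditions, a rule with no match conditions matching every packet, and a drop or forward action), shown as an added example that is not Ridgeline or ExtremeXOS code. It assumes rules are evaluated in numeric order with the first match deciding and that unmatched packets are forwarded; the field names and sample rules are constructed.

```python
"""Added example: evaluate an ordered rule list and flag rules that can never fire.

Assumptions (not from the Ridgeline guide): the first matching rule decides,
unmatched packets get DEFAULT_ACTION, and the field names are illustrative.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DEFAULT_ACTION = "forward"          # assumption: behaviour when no rule matches
ADDRESS_FIELDS = ("src_ip", "dst_ip")


@dataclass
class Rule:
    order: int                      # numeric order of the rule in the policy
    name: str
    action: str                     # "drop" or "forward"
    match: dict = field(default_factory=dict)   # empty dict = no match conditions


def condition_holds(key, wanted, packet):
    """True when one match condition is satisfied by the packet."""
    if key not in packet:
        return False
    if key in ADDRESS_FIELDS:
        return ip_address(packet[key]) in ip_network(wanted)
    return packet[key] == wanted


def rule_matches(rule, packet):
    """Implicit AND: every selected condition must hold. all() of nothing is
    True, so a rule with zero match conditions matches every packet."""
    return all(condition_holds(k, v, packet) for k, v in rule.match.items())


def evaluate(rules, packet):
    """Return (action, rule_name) for the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, packet):
            return rule.action, rule.name
    return DEFAULT_ACTION, None


def covers(key, earlier, later):
    """True when the earlier condition matches everything the later one does."""
    if key in ADDRESS_FIELDS:
        return ip_network(later).subnet_of(ip_network(earlier))
    return earlier == later


def shadowed_rules(rules):
    """List (rule, shadowing_rule) pairs: the later rule can never fire because
    every packet it matches is already matched by an earlier rule."""
    ordered = sorted(rules, key=lambda r: r.order)
    findings = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            if all(k in later.match and covers(k, v, later.match[k])
                   for k, v in earlier.match.items()):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed sample policy: rule 2 has no match conditions.
SAMPLE_RULES = [
    Rule(1, "blockTelnet", "drop", {"protocol": "tcp", "dst_port": 23}),
    Rule(2, "allowAll", "forward"),
    Rule(3, "blockGuest", "drop", {"src_ip": "10.20.0.0/16"}),
]

if __name__ == "__main__":
    guest_dns = {"src_ip": "10.20.1.5", "dst_ip": "10.1.1.1",
                 "protocol": "udp", "dst_port": 53}
    print(evaluate(SAMPLE_RULES, guest_dns))
    print(shadowed_rules(SAMPLE_RULES))
```

Running the shadowing check before a policy is attached shows when a rule with no match conditions sits above more specific rules and makes them unreachable.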
Figure 74: Save Policy As Dialog Box
4 Choose the policy you want to copy from the Policies list.
5 Choose one of the following:
   - Save In: Ridgeline. Saves the policy to the server where Ridgeline is installed.
   - Export to: Changes the policy file format that enables you to take the policy from a Ridgeline installation to another Ridgeline installation.
     a Under File Type, select the file type, either:
        - .pol file: The format used by ExtremeXOS
        - Ridgeline (nms policy): The format used by Ridgeline
     b Enter the directory path where you want to save the policy file in the Type the location of the directory box.
6 Type the policy name in the Policy Name box.
7 Click OK. The new policy appears in the policy list. You can now edit this policy as needed (see Editing a Policy).
Editing a Policy
After you have created a policy, you can change it. To edit a policy:
2 Double-click the desired policy in the list. The edit policy dialog box appears (see the following figure).
Figure 75: Edit Policy Dialog Box
3 Make changes as you would when you create a new policy.
4 When you finish making changes, click OK. The revised policy appears in the list.
For information about how to attach a policy, see Attaching Policies to VPPs on page 116 and Attaching Policies to Roles on page 117.
Deleting a Policy
To delete a policy:
1 In the navigation pane, click Policies. The Policies view appears.
2 Select the policy that you want to delete from the list of policies by clicking its check box.
3 Click Delete.
Note: If a policy is in use, you cannot delete that policy. A message appears informing you of this.
Figure 77: Attach Policy to Virtual-Port Profiles Dialog Box
4 Select a VPP from the Available virtual-port profiles table by clicking its check box, and then click Add. The VPP is added to the Selected virtual-port profiles table.
5 Click OK. The policy now appears in the Policy list indicating that it is attached (Attached column value is Attached).
Figure 78: Attach Policies To Roles Dialog Box - Attach Policies Tab
4 Select a role from the Role Name list.
5 Move policies from the Available Policies pane to the Selected Policies pane.
6 Click Next. The Results tab appears (see the following figure).
Figure 79: Attach Policies To Roles Dialog Box - Results Tab
7 View the results, and then click Finish. The policy appears in the policy list as attached (Attached column value is Attached).
3 Click Detach Policy From Role. The Detach Policies From Roles dialog box appears (see the following figure).
Figure 80: Detach Policies From Roles Dialog Box 4 5 6 7 8 Select the role to detach from policies under Role Name. Move the policy from the Selected Policies pane to the Available Policies pane. Click Next. The Results tab appears. View the results, and then click Finish. The policy now appears in the list as unattached (Attached column value is Not attached).
3 Click New. The New Category dialog box appears (see the following figure).
Figure 82: Name New Category
4 Type a name in the Category Name box.
5 Click OK.
You can now apply the category to policies (see Categorizing Policy Policies on page 120).
Figure 83: Categorize Policy Dialog Box
4 Select a category on the left, and then click Apply.
5 If you need to create a new category, click New, type a name, and then click Create.
6 Click OK. The policy now appears in the list with the category you assigned appearing under the Category column.
   - Physical port
   - 802.1Q tag
   - Protocol sensitivity using Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol filters
   - A combination of these criteria
   - Network name
In the Ridgeline system, a VLAN is defined uniquely by the following:
   - Name
   - 802.1Q tag (if defined)
   - Protocol filters applied to the VLAN
As a result, multiple switches are shown as members of the same VLAN whenever all the above are the same.
VMANs (Virtual Metropolitan Area Networks) enable a service provider to offer the equivalent of separate and independent virtual bridged LANs to multiple customers over the provider's bridged network. Ridgeline can display detailed information about the VMANs configured in your network.
For a more detailed explanation of VLANs and VMANs, see the ExtremeXOS Concepts Guide.
Configuring VLANs
With Ridgeline, you can perform common VLAN configuration tasks, including creating, modifying, and deleting VLANs, as well as configuring VLAN protocol settings. There are two methods you can use for configuring VLANs in Ridgeline:
   - Using Ridgeline's network resource provisioning feature
   - Using Ridgeline's scripting feature
Additionally, you can optionally assign VLANs a network name, which is a means for categorizing VLANs into logical groups. After assigning one or more VLANs a network name, you can filter the information displayed in the VLAN table based on the network name. This can be useful if you have a large number of VLANs to manage.
Provisioning VLANs
Ridgeline's network resource provisioning feature allows you to create new VLANs simply by selecting the devices, ports, links, and tagging options you want, and then validating and deploying the VLAN configuration by clicking a button.
You can modify existing VLANs by selecting the VLAN in Network Views windows, changing parameters, and deploying the changes to the devices where the VLAN is configured. The network resource provisioning feature also allows you to change VLAN settings on individual devices, and to remove individual devices from VLANs without affecting the configuration of the devices remaining in the VLAN.
For more information on Ridgeline's network resource provisioning feature, see Network Resource Provisioning Overview.
Creating VLANs
To create a VLAN:
1 In the navigation pane, click Main View or the folder containing the devices that you want to configure.
2 In the device table, or the map view, click the check boxes for desired devices to select them. For a VLAN, you can select one or more switches, links, or ports.
Figure 84: Selecting Devices to Provision
1 Device and port folders
2 Selected devices
3 Click New > New VLAN. The VLAN dialog box shown below appears.
Figure 85: VLAN Dialog Box
In the VLAN dialog box, the selected devices automatically appear under Available Devices. If the device software running on a device does not support the feature you are configuring, the device is unavailable.
4 Type a name for the VLAN in the Name box.
5 If you are creating a tagged VLAN, in Tag, click the numbered list, and then select a numeric value (1-4095) for the VLAN identifier.
6 Click the + sign next to a device in the Available Devices table list to view its ports.
7 To add the ports to the VLAN, select the ports by clicking the associated check boxes, and then click Add Tagged or Add Untagged. The selected ports are added to the Selected Ports list.
8 After you have selected all of the desired ports for the VLAN, click OK. The Progress And Results dialog box shown below appears.
Figure 86: Progress and Results Dialog Box
1 Verifying connectivity to the selected device(s)
2 Deploying the commands on the device
3 Updating the device information in the database
4 Validating command syntax and checking software compatibility
5 The validation rules or commands entered on the device for the selected task. Click to expand or collapse the right pane with Creating selected.
Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a software version that supports the features that you are provisioning. The following validations are performed:
   - The name length is not longer than 32 characters.
   - The name consists of only alphanumeric characters. No special characters such as # or & are allowed.
   - The tag range is from 1 to 4095.
   - The tag is not present on the selected device.
   - The name is not present on the selected device.
   - Port tag values are valid.
The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log. See Viewing Logged Information about Provisioning Tasks for more information.
If Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, and then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.
9 Click Close.
Modifying VLANs
For existing VLANs, you can edit settings and deploy the changes to the devices where the VLAN is configured. Control VLANs cannot be modified.
To modify a VLAN:
1 In the navigation pane, click Main View.
2 Click the VLAN tab, and then select the VLAN you want to modify by clicking its associated check box.
3 To edit the name or network name, click Edit > Edit Name or Edit > Edit Network Name. Make the needed changes, and then click OK.
4 To make other changes to the VLAN, click Properties. The VLAN Properties dialog box appears (see the following figure).
Figure 87: VLAN Properties Dialog Box
5 To change the list of ports:
a Click Edit List Of Ports. The Edit Ports dialog box appears (see the following figure).
Figure 88: Edit Ports Dialog Box
   b To add ports, under Available Devices, click the + next to device to view its ports, select the port(s) by clicking the associated check box(es), and then click Add Tagged or Add Untagged.
   c To remove ports, under Selected Ports, select the port(s) by clicking the associated check box(es), and then click Remove.
   d Click OK.
6 To change the list of links:
a Click Edit List Of Links. The Edit Links dialog box appears (see the following figure).
Figure 89: Edit Links Dialog Box
   b To add links, under Available Links, click the link's associated check box, and then click Add Tagged or Add Untagged.
   c To remove links, under Links in VLAN, click the link's associated check box, and then click Remove.
   d Click OK.
7 Click Cancel.
Deleting VLANs
You can delete a single VLAN and protected VLAN. Multiple VLANs cannot be deleted in the same operation, and control VLANs cannot be deleted.
To delete a VLAN:
1 In the navigation pane, click Main View.
2 Click the VLANs tab.
3 Select the VLAN you want to delete, and then click Delete.
4 Click Yes when prompted to confirm the deletion.
When you delete a VLAN, the software verifies that the services in the VLAN are not being used as transport services in an E-Line or E-LAN service.
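The validation rules listed under Creating VLANs, written out as an added example of a pre-deployment check; this is not Ridgeline's own code. The inventory structure, the function name, exact-match name comparison, and the reading of "port tag values are valid" as "each port is added as tagged or untagged, and a tagged port needs a VLAN tag" are assumptions.

```python
"""Added example: pre-deployment checks modelled on the guide's validation list.

Assumptions (not from the guide): the inventory structure, ASCII-only names,
exact-match name comparison, and the interpretation of the port tag check.
"""
import re

MAX_NAME_LENGTH = 32
TAG_MIN, TAG_MAX = 1, 4095
NAME_PATTERN = re.compile(r"[A-Za-z0-9]+")   # rejects "#", "&", spaces, etc.


def validate_vlan_request(name, tag, ports, inventory):
    """Return a list of validation failures (an empty list means deployable).

    name      -- requested VLAN name
    tag       -- 802.1Q tag as int, or None for an untagged VLAN
    ports     -- list of (device, port, mode), mode is "tagged" or "untagged"
    inventory -- {device: {existing_vlan_name: existing_tag_or_None}}
    """
    errors = []

    if len(name) > MAX_NAME_LENGTH:
        errors.append(f"name is {len(name)} characters; limit is {MAX_NAME_LENGTH}")
    if not NAME_PATTERN.fullmatch(name):
        errors.append("name must contain only alphanumeric characters")

    tag_ok = tag is None or (type(tag) is int and TAG_MIN <= tag <= TAG_MAX)
    if not tag_ok:
        errors.append(f"tag {tag!r} is outside {TAG_MIN}-{TAG_MAX}")

    # Per-device checks: name and tag must both be unused on every target device.
    for device in sorted({device for device, _port, _mode in ports}):
        existing = inventory.get(device)
        if existing is None:
            errors.append(f"{device}: not in inventory")
            continue
        if name in existing:
            errors.append(f"{device}: VLAN name {name!r} already present")
        if tag_ok and tag is not None and tag in existing.values():
            errors.append(f"{device}: tag {tag} already present")

    # Per-port checks: tagging mode must be known and consistent with the tag.
    for device, port, mode in ports:
        if mode not in ("tagged", "untagged"):
            errors.append(f"{device}:{port}: unknown tagging mode {mode!r}")
        elif mode == "tagged" and tag is None:
            errors.append(f"{device}:{port}: tagged port on a VLAN without a tag")

    return errors


# Constructed inventory: two switches and the VLANs already configured on them.
SAMPLE_INVENTORY = {
    "sw-core": {"Default": 1, "voice": 20},
    "sw-edge": {"Default": 1},
}

if __name__ == "__main__":
    request = [("sw-core", "1:4", "tagged"), ("sw-edge", "12", "untagged")]
    for candidate in (("guest30", 30), ("guest#30", 20), ("g" * 40, 5000)):
        result = validate_vlan_request(*candidate, request, SAMPLE_INVENTORY)
        print(candidate[0][:12], result)
```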
Creating Network Names
To create a network name:
1 In the navigation pane, click Main View.
2 On the menu, click Tools > Network Name. The VLAN Network Name dialog box shown below appears.
Figure 90: VLAN Network Name Dialog Box
3 Click New to open the New network name dialog box.
4 Type a network name and click Create.
5 Repeat to create additional network names as desired.
6 Click OK.
You can now assign this network name to VLANs (see Assigning VLANs a Network Name on page 132).
Assigning VLANs a Network Name
To assign a VLAN a network name:
1 In the navigation pane, click Main View or the device group with the VLAN(s) you want to assign network names to.
2 Click the VLANs tab.
3 In the table, select the VLANs that you want to assign to the network name. Use [Ctrl]+click to pick multiple VLANs; press [Shift]+click to pick a continuous set of VLANs.
4 From the menu, click Tools > Network name. The VLAN Network Name dialog box shown below appears.
Figure 91: VLAN Network Name Dialog Box
5 Under Network name, select the network name that you want to assign to the VLANs, and then click OK. The assigned network name appears in the Network column for the applicable VLANs.
You can now easily filter the list to find these VLANs based on this network name (see Filtering the VLANs Table Based on Network Name).
Filtering the VLANs Table Based on Network Name
With a network name assigned to VLANs (see Assigning VLANs a Network Name on page 132), you can easily find these VLANs by filtering on the network name field.
To use the network name to filter the list of VLANs in the VLAN table:
1 In the navigation pane, click Main View or the desired device group.
2 Click the VLANs tab to display the VLANs in the device group.
3 Click Quick Filter to display the available quick filters. The quick filter area appears at the top of the table (see the following figure). One of the quick filters is Network.
Figure 92: Filtering the VLAN Table Using the Network Name Quick Filter
4 In the Network quick filter box, select the network name to be used as the filter. You can choose multiple names. The VLAN table then displays only VLANs with the selected network name(s).
Figure 93: VLAN Details Window
The VLAN details window has the following information:
Tag: The VLAN tag value (if any) or Untagged.
Network: The network name category (if any) that this VLAN belongs to. See Categorizing VLANs With Network Names for more information.
Name: The VLAN name.
Services: List of the type of services configured for the network VLAN.
Protocol Filter: The protocol filter(s) configured for the VLAN.
IP forwarding: Whether IP forwarding is enabled for the VLAN.
Control VLAN: Whether any EAPS control VLAN is present in the list of available VLANs.
EAPS Protection: Whether or not EAPS protection is present.
Type: The VLAN type, either VLAN or VMAN.
Last Updated From Database: Date and time that the information about the VLAN was last retrieved from the Ridgeline database.
Devices Tab
The Devices tab under the VLAN tab shows the following information:
Device Name: The name of the device in the VLAN.
IP Address: IP address of the device in the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
QOS Profile Name: QoS profile name configured for the VLAN on the device, if any.
Control VLAN: Whether or not this is a control VLAN.
Protected VLAN: Whether or not this is a protected VLAN.
Domain Name Set: EAPS domains to which the VLANs on the device belong.
VLAN Services: LAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Software Version: Version of the software running on the device.
SNMP Version: SNMP version (1, 2, 2C, 3).
Log On Username: The device logon name.
Forwarding-database Polling: Whether or not FDB polling is enabled.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Device Type: The device type (for example, Summit 400-48t).
Admin Status: The administrative state of the VLAN, either Enabled, Disabled, or Unknown. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.
Ports Tab
The Ports tab under the VLAN tab shows the following information:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if assigned.
Tagged: Whether the port is tagged.
Media: The port media, if applicable.
Type: Port type; for example, Gigabit, Management, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: Whether the port is enabled or disabled.
Links Tab
The Links tab under the VLAN tab shows the following information:
A Device A IP Address A Port Number/Annotation Share Details Status The name of the device on one end (the A side) of the link, along with an icon indicating the device status. The IP address of the device on the A side of the link. The number of the port on the A side of the link. Information about the port sharing configuration for the port, if applicable An icon indicating the status of the link. The link status icon can be one of the following colors: A green line indicates that the link is up. A red line indicates that the link is down. A yellow line for a bundled link indicates that some links are down and some are up. A grey line indicates that the link status is unknown. A blue line indicates the link is user-created rather than automatically discovered by Ridgeline. The name of the device on the other end (the B side) of the link, along with an icon indicating the device status. The IP address of the device on the B side of the link. An icon showing a circle and two lines indicates a shared link: Green indicates the link is up. Greyed-out green indicates the last-known status of the link was up. Red indicates the link is down. Greyed-out red indicates the last known state was down. Yellow indicates that some ports on this link are up and some are down. The number of the port on the B side of the link. The device name. The protocol used to discover the link, either EDP or LLDP. The name of the port on the A side of the link, along with an icon indicating the port status.
B Device B IP Address
The name of the port on the B side of the link, along with an icon indicating the port status. The current status of the device on the A side of the link. Whether the A side of the link is ready to exchange traffic with the B side of the link. The link type (for example, user-created, physical link, shared physical link).
Translation-Member VLAN Tab
If you select a device in the devices table that is a member of a translation VLAN (indicated by Translation-Member in the VLAN Service column) the Translation-Member VLAN tab appears. The Translation-Member VLAN tab contains the following information:
   - Tag value of the Translation VLAN to which the member belongs
   - The name of the network to which the Translation VLAN belongs
   - The name of the Translation VLAN to which the member belongs
   - The tagged and untagged ports configured in the Translation VLAN
Private VLAN Tab
If you select a device in the devices table that has a private VLAN configured (indicated by Private in the VLAN Service column) the Private VLAN tab appears. The Private-Network VLAN tab contains the following information:
   - Name of the Private VLAN
   - Network name of the Private VLAN
   - List of Tagged, Untagged, and Translated Ports in the Private-Network VLAN
The table lists the following information about the isolated and non-isolated subscribers:
Tag: Tag value of the subscriber VLAN
Type: Whether the subscriber VLAN is isolated or non-isolated
Network: Network name of the Private VLAN
Name: Name of the subscriber VLAN
Ports: List of the tagged and untagged ports in the subscriber VLAN
Isolated-Subscriber VLAN Tab
If you select a device in the devices table that is an isolated subscriber member of a private VLAN (indicated by Isolated-Subscriber in the VLAN Service column) the Isolated-Subscriber VLAN tab appears. The Isolated-Subscriber VLAN tab contains the following information:
   - Tag value of the Private-Network VLAN
   - Network name of the Private-Network VLAN
   - Name of the Private-Network VLAN
   - Name of the Private VLAN
   - List of Tagged, Untagged, and Translated ports associated with the Private-Network VLAN
Non-Isolated Subscriber VLAN Tab
If you select a device in the devices table that is a non-isolated subscriber member of a private VLAN (indicated by Non-Isolated Subscriber in the VLAN Service column) the Non-Isolated Subscriber VLAN tab appears. The Non-Isolated Subscriber VLAN tab contains the following information:
   - Tag value of the Private-Network VLAN
   - Network name of the Private-Network VLAN
   - Name of the Private-Network VLAN
   - Name of the Private VLAN
   - List of Tagged, Untagged, and Translated ports associated with the Private-Network VLAN
Super VLAN Tab
If you select a device in the devices table that has a super VLAN configured (indicated by Super VLAN in the VLAN Service column) the Super VLAN tab appears. The Super VLAN tab contains the following information:
   - The name of the Super VLAN
   - Network name of the Super VLAN
   - The tagged and untagged ports in the Super VLAN
The table lists the following information about the Sub VLANs of this Super VLAN:
Tag: Tag value of the Sub VLAN
Network: Name of the network to which the Translation VLAN member belongs
Sub Range: Range of IP addresses in the Sub VLAN
Proxy: Status of the VLAN proxy, either Enabled or Disabled
Name: Name of the Sub VLAN
Ports: List of the tagged and untagged ports in the Sub VLAN
Sub VLAN Tab
If you select a device in the devices table that has a sub VLAN configured (indicated by Sub VLAN in the VLAN Service column) the Sub VLAN tab appears. The Sub VLAN tab contains the following information:
Sub VLAN information:
   - IP address range of the Sub VLAN
   - VLAN proxy status of Sub VLAN, either Enabled or Disabled
Super VLAN information:
   - The name of the Super VLAN
   - Tag value of the Super VLAN
   - Network name of the Super VLAN
   - The tagged and untagged ports in the Super VLAN
Overview of VMANs
Virtual Metropolitan Area Networks (VMANs), which are also known as Provider Bridge Networks (PBNs), are defined by the IEEE 802.1ad standard, which is an amendment to the IEEE 802.1Q VLAN standard. Metropolitan area network (MAN) service providers can use a VMAN to carry VLAN traffic from multiple customers across a common Ethernet network. A VMAN uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. VMAN technology is sometimes referred to as VLAN stacking or Q-in-Q. VMANs enable a service provider to offer the equivalent of separate and independent virtual bridged LANs to multiple customers over the provider's bridged network.
Note: The term VMAN is an Extreme Networks term that became familiar to Extreme Networks customers before the PBN standard was complete. The VMAN term is used in Ridgeline and also in this content to support customers who are familiar with this term. The term PBN is also used to establish the relationship between this industry standard technology and the Extreme Networks VMAN feature.
For a more detailed explanation of VMANs, see the ExtremeXOS Concepts Guide.
Ridgeline's network resource provisioning feature allows you to create new VMANs (see Creating VMANs) and modify existing VMANs (see Modifying VMANs) in your network. Ridgeline can display detailed information about VMANs in device tables and maps (see Viewing VMAN Information).
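How the VLAN stacking described above appears on the wire, as an added example that is not Ridgeline or ExtremeXOS code: it reads the outer provider tag and the inner customer tag from a frame, taking the provider-tag Ethertype as a parameter because that value is configured per device. The function names and sample frames are constructed, and 0x9100 is a constructed alternative Ethertype; 0x88A8 and 0x8100 are the IEEE 802.1ad and 802.1Q tag identifiers.

```python
"""Added example: read the VLAN tag stack of an Ethernet frame (Q-in-Q).

TPID values are the IEEE ones; the function names and the sample frames
are constructed for illustration.
"""
import struct

TPID_CTAG = 0x8100    # IEEE 802.1Q customer VLAN tag
TPID_STAG = 0x88A8    # IEEE 802.1ad provider (service) tag


def parse_vlan_stack(frame, vman_ethertype=TPID_STAG):
    """Return (tags, payload_ethertype); tags are listed outermost first.

    vman_ethertype is the provider-tag Ethertype the device is configured with.
    """
    tags = []
    offset = 12                                   # skip destination + source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before the Ethertype field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_CTAG, vman_ethertype):
            return tags, ethertype                # first non-tag Ethertype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,                     # priority code point (3 bits)
            "dei": (tci >> 12) & 1,               # drop eligible indicator
            "vid": tci & 0x0FFF,                  # VLAN/VMAN identifier (12 bits)
        })
        offset += 4


def describe_stack(tags, vman_ethertype=TPID_STAG):
    """Summarise the tag order: S = provider tag, C = customer tag."""
    kinds = tuple("S" if tag["tpid"] == vman_ethertype else "C" for tag in tags)
    known = {
        (): "untagged",
        ("C",): "customer VLAN only",
        ("S",): "VMAN only",
        ("S", "C"): "VMAN carrying a customer VLAN",
    }
    return known.get(kinds, "unexpected tag stack " + "/".join(kinds))


def build_frame(tag_stack, payload_ethertype=0x0800):
    """Build a constructed test frame; tag_stack is [(tpid, pcp, vid), ...]."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for tpid, pcp, vid in tag_stack:
        frame += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return frame + struct.pack("!H", payload_ethertype) + bytes(46)


if __name__ == "__main__":
    qinq = build_frame([(TPID_STAG, 5, 500), (TPID_CTAG, 0, 20)])
    tags, payload_type = parse_vlan_stack(qinq)
    print(describe_stack(tags), [t["vid"] for t in tags], hex(payload_type))

    # Same stack sent with a different provider Ethertype: a parser expecting
    # 0x88A8 sees no tags at all and reports 0x9100 as the payload type.
    other = build_frame([(0x9100, 0, 500), (TPID_CTAG, 0, 20)])
    print(parse_vlan_stack(other))
    print(parse_vlan_stack(other, vman_ethertype=0x9100)[0])
```

The second sample shows why the Ethertype entered for a VMAN has to match on every device that handles the traffic: with a mismatch, the provider tag is not recognised as a tag.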
Configuring VMANs
Using Ridgeline, you can perform common VMAN configuration tasks, including creating (see Creating VMANs on page 143), modifying (see Modifying VMANs on page 146), and deleting VMANs (see Deleting VMANs on page 148), as well as configuring VMAN protocol settings.
Additionally, you can optionally assign VMANs a network name, which is a means for categorizing them into logical groups (see Categorizing VMANs With Network Names on page 149). After assigning one or more VMANs a network name, you can filter the information displayed in the VLAN table based on the network name. This can be useful if you have a large number of VLANs to manage.
Ridgeline's network resource provisioning feature allows you to create new VMANs on a group of devices or on a single device. You select the devices, ports, links, and tagging options you want, and then validate and deploy the VMAN configuration. You can modify existing VMANs, changing parameters and deploying the changes to the devices where the VLAN is configured. Network resource provisioning also allows you to remove a single device from a VMAN, or modify the VMAN settings on a single device.
For more information on Ridgeline's network resource provisioning feature, see Provisioning Network Resources.
Creating VMANs
To create a VMAN:
1 In the navigation pane, click Main View or a device group.
2 Select one or more devices, links, or ports by clicking their check boxes.
3 From the menu, click Services > New > VMAN. The VMAN provisioning dialog box appears (see the following figure).
Figure 94: VMAN Provisioning Dialog Box
In the VMAN provisioning dialog box, the selected devices automatically appear in the Available Devices table. You can provision VMANs only on Extreme Networks switches running ExtremeXOS 12.1 or later. Devices that do not support VMANs are unavailable.
Note: When a device is running an ExtremeXOS version earlier than 12.1, Ridgeline shows VMANs configured in the device as VLANs. To display VMANs properly, upgrade the switches to version 12.1 or later.
4 Type a name for the VMAN in the Name box.
5 Next to Tag:
For a tagged VMAN, click the numbered list, and then select a numeric value (1-4095) for the VMAN identifier.
For an untagged VMAN, click Untagged.
6 Enter the Ethertype value. This value is used to specify the ethertype value on the selected device. For appropriate values for the device, see the ExtremeXOS Concepts Guide.
7 Click the + next to a device to view the available ports table for the device.
8 Select the ports, and then click Add tagged or Add untagged. When the VMAN is created, the port is added to the new VMAN, and removed from the default VMAN if it was added as an untagged port.
9 When you have finished configuring the VMAN, click OK to start the validation and deployment process. The Progress and Results dialog box appears (see the following figure).
Figure 95: Progress and Results Dialog Box for VMAN Provisioning
10 Click Close.
Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a version of software that supports the features you are provisioning. The following validations are performed:
The name length is not longer than 32 characters.
The name consists of only alphanumeric characters. No special characters such as # or & are allowed.
The tag range is from 1 to 4095.
The tag is not present on the selected device.
The name is not present on the selected device.
Port tag values are valid.
If Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.
The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log. For more information, see Viewing Logged Information about Provisioning Tasks.
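The validation rules listed above can be reproduced as a pre-check in provisioning scripts that prepare VMAN requests before they are entered in Ridgeline. The following is an added example, not Ridgeline's own code; the DeviceState class, the function names, and the sample inventory are hypothetical, and the "Port tag values are valid" rule is left out because this guide does not define it.

```python
import re
from dataclasses import dataclass, field

MAX_NAME_LEN = 32            # "The name length is not longer than 32 characters."
TAG_MIN, TAG_MAX = 1, 4095   # "The tag range is from 1 to 4095."
# ASCII letters and digits only; str.isalnum() would also accept non-ASCII letters.
ALNUM = re.compile(r"[A-Za-z0-9]+")


@dataclass
class DeviceState:
    """Names and tags already configured on one switch (constructed sample data)."""
    name: str
    names: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def validate_vman(name, tag, devices):
    """Return a list of (scope, problem) tuples; an empty list means the request passes.

    tag is an int for a tagged VMAN or None for an untagged one.
    scope is "request" for rules about the request itself, else the device name.
    """
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(("request", f"name is longer than {MAX_NAME_LEN} characters"))
    if not ALNUM.fullmatch(name):
        problems.append(("request", "name must consist only of alphanumeric characters"))
    if tag is not None and not TAG_MIN <= tag <= TAG_MAX:
        problems.append(("request", f"tag {tag} is outside {TAG_MIN}-{TAG_MAX}"))
    for dev in devices:
        # Assumption: names are compared exactly as typed; the guide does not say
        # whether the switch treats names case-insensitively.
        if name in dev.names:
            problems.append((dev.name, f"name {name!r} is already present"))
        if tag is not None and tag in dev.tags:
            problems.append((dev.name, f"tag {tag} is already present"))
    return problems


def deployable(name, tag, devices):
    """Gate used before deployment: every rule must pass on every target device."""
    return not validate_vman(name, tag, devices)


# Constructed inventory for the demonstration.
SAMPLE_DEVICES = [
    DeviceState("edge-sw1", names={"Default", "custA"}, tags={1, 200}),
    DeviceState("edge-sw2", names={"Default"}, tags={1}),
]

if __name__ == "__main__":
    for request in [("custB", 300), ("custA", 200), ("cust#1", 4096)]:
        print(request, validate_vman(*request, SAMPLE_DEVICES) or "OK")
```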
Modifying VMANs
For existing VMANs, you can edit settings and deploy the changes to the devices where the VMAN is configured. For a VMAN, you can edit the list of ports or links in the VMAN as well as the name and network name of the VMAN (although not the tag value). If you add ports as untagged to the VMAN, they are removed from the default VLAN before being added to the VMAN you are editing.
To modify a VMAN:
1 In the navigation pane, click Main View.
2 Click the VLAN tab.
3 Find the desired VMAN in the list. You can limit the contents of the table to just VMANs by typing VMAN in the search box or by clicking Quick Filter and clicking VMAN in the Services.
4 Select the desired VMAN by clicking its check box.
5 To edit the name or network name, click Edit > Edit Name or Edit > Edit Network Name. Make the needed changes, and then click OK.
6 To make other changes to the VMAN, click Properties. The VMAN Properties dialog box appears (see the following figure).
Figure 96: VMAN Properties Dialog Box
7 To change the list of ports:
a Click Edit List Of Ports. The Edit Ports dialog box appears (see the following figure).
Figure 97: Edit Ports Dialog Box
b To add ports, under Available Devices, click the + next to a device to view its ports, select the port(s) by clicking the associated check box(es), and then click Add Tagged or Add Untagged.
c To remove ports, under Selected Ports, select the port(s) by clicking the associated check box(es), and then click Remove.
d Click OK.
8 To change the list of links:
a Click Edit List Of Links. The Edit Links dialog box appears (see the following figure).
Figure 98: Edit Links Dialog Box
b To add links, under Available Links, click the link's associated check box, and then click Add Tagged or Add Untagged.
c To remove links, under Links in VLAN, click the link's associated check box, and then click Remove.
d Click OK.
9 Click Cancel.
Deleting VMANs
You can delete a single VMAN or protected VMAN at a time. Multiple VMANs cannot be deleted in the same operation, and control VMANs cannot be deleted.
To delete a VMAN:
1 In the navigation pane, click Main View or a device group.
2 Click the VLAN tab.
3 Find the VMAN that you want to delete. You can limit the contents of the table to just VMANs by typing VMAN in the search box or by clicking Quick Filter, and then clicking VMAN in the Services.
4 Select the VMAN that you want to delete by clicking its check box.
5 Click Delete.
6 When prompted, confirm the deletion.
When you delete a VMAN, the software verifies that the services in the VMAN are not being used as transport services in an E-Line or E-LAN service.
Figure 99: VMANs in a Map View
The VLANs/VMANs table shows the following information:
VLAN Tag: The VMAN tag value (if any) or Untagged, along with an icon indicating whether this is an EAPS-protected VMAN (icons: VMAN, EAPS-protected VMAN).
Name: The VMAN name.
Network: The network name category (if any) that this VMAN belongs to. For more information, see Categorizing VMANs With Network Names.
Service: List of the type of services configured for the VLAN. For VMANs (PBNs), this is VMAN.
Protocol Filter: The protocol filter(s) configured for the VMAN.
IP Forwarding: Whether IP forwarding is enabled for the VMAN.
Last Updated From Database: Date and time that the information about the VMAN was last retrieved from the Ridgeline database.
Last Updated By: The ID of who last updated the VMAN information.
Type: The VLAN type. For VMANs (PBNs), this is VMAN.
Detailed information about the VMAN is available by double-clicking a VMAN (see Displaying VMAN Details on page 151).
Figure 100: VMAN Details Window
The VMAN details window shows the following information:
Tag: The VMAN tag value (if any) or Untagged, along with an icon indicating whether this is an EAPS-protected VMAN (icons: VMAN, EAPS-protected VMAN).
Network: The network name configured for the VMAN.
Protocol Filter: The protocol filter(s) configured for the VMAN.
Name: The name of the VMAN.
Control VMAN: For an EAPS-protected VMAN, the name of the Control VLAN in the EAPS domain.
EAPS Protection: For an EAPS-protected VMAN, the name of the protected VLAN in the EAPS domain.
Type: The VLAN type, in this case VMAN.
Last Updated From Database: Date and time that the information about the VMAN was last retrieved from the Ridgeline database.
Devices Tab
When you click the Devices tab in the VMAN details window (see Displaying VMAN Details on page 151), the following information appears:
Device Name: The name of the device, and an icon indicating the status of the device.
IP address: The IP address of the device.
Virtual Router: The virtual router to which the VMAN is associated on the device.
QOS Profile Name: QoS profile name configured for the VMAN on the device, if any.
Control VLAN: Whether this VMAN is configured as an EAPS control VLAN.
Protected VLAN: Whether this VMAN is protected by an EAPS domain.
Domain Name Set: EAPS domains to which the VLANs on the device belong.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-VLAN, Isolated-Subscriber, NonIsolated Subscriber, Super VLAN, and Sub VLAN. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
Software Version: The ExtremeXOS software version running on the device.
SNMP Version: The SNMP version configured on the device.
Log On User Name: The user name used to log on to the device.
Forwarding-database Polling: Whether FDB polling is enabled on the device.
Device Manager Protocol: The protocol used for accessing management functions on the device.
Device Type: The type of device.
Admin Status: The administrative state of the VMAN, either Enabled or Disabled.
Ports Tab
When you click the Ports tab in the VMAN details window (see Displaying VMAN Details on page 151), the following information appears:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if configured.
Tagged: Whether the port is tagged.
Media: The port media, if applicable.
Type: Port type; for example, Gigabit, Mgmt, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: The port state (Enabled or Disabled).
Links Tab
When you click the Links tab in the VMAN details window (see Displaying VMAN Details on page 151), the following information appears:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Share Details: Information about the port sharing configuration, if configured.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
A green line indicates that the link is up.
A red line indicates that the link is down.
A yellow line for a bundled link indicates that some links are down and some are up.
A grey line indicates that the link status is unknown.
A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
An icon showing a circle and two lines indicates a shared link:
Green indicates the link is up.
Greyed-out green indicates the last-known status of the link was up.
Red line indicates the link is down.
Greyed-out red indicates the last known state was down.
Yellow indicates that some ports on this link are up and that some are down.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.
Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: Port name on the A side of the link.
B Port Name: Port name on the B side of the link.
Device Status: The current status of the device.
Link State: The current state of the link.
Type: The link type; for example, user-created.
Overview
Multi-switch link aggregation group (MLAG) takes link aggregation and extends it by allowing one device of a link aggregated group (LAG) to dual home into two separate devices, thus providing failover support for devices. By using the MLAG feature, you can combine ports on two switches to form a single logical connection to another network device. The other network device can be either a server or a switch that is separately configured with a regular LAG (or appropriate server port teaming) to form the port aggregation.
MLAG is supported by the following Extreme Networks devices:
BlackDiamond 8000 series switches
BlackDiamond X8 series switches
Summit Family Switches
The following figure shows a device dual homed into two devices (MLAG 1). Server 1 treats the two links as a regular link aggregation group (LAG). Devices 2 and 3 participate in the MLAG to create the perception of a LAG. MLAG adds multi-path capability to a LAG, where the number of paths is limited to two. With MLAG, both links dual homed from Device 1 can be actively forwarding traffic. If one device in the MLAG fails, for example, if Device 3 fails, traffic is redistributed back to Device 2, thus allowing for both device and link level redundancy while utilizing both active links.
MLAG can be used in conjunction with LAG. MLAG is confined to two switches in the tier that support MLAG. That is, Device 2 and Device 3 need to be from the same vendor. Device 1, on the other hand, treats both the ports as regular LAG ports and can be another vendor's device. For example, MLAG can be used in conjunction with NIC teaming where Device 1 could be a server that can be dual homed to two switches operating as an MLAG.
Figure 101: Elements of a Basic MLAG Configuration
The basic operation of this feature requires two ExtremeXOS switches interconnected by an interswitch connection (ISC). The ISC is a normal, directly connected, Ethernet connection and it is recommended that you engineer reliability, redundancy where applicable, and higher bandwidth for the ISC connection. Then you logically aggregate ports on each of the two switches by assigning MLAG identifiers (MLAG-ID). Ports with the same MLAG-ID are combined to form a single logical network connection. Each MLAG can be comprised of a single link or a LAG on each switch. When an MLAG port is a LAG, the MLAG port state remains up until all ports in the LAG go down. As long as at least one port in the LAG remains active, the MLAG port state remains active.
When an MLAG port (a single port or all ports in a LAG) fails, any associated MAC FDB entries are moved to the ISC, forcing traffic destined to the MLAG to be handled by the MLAG peer switch. Additionally, the MLAG peer switch is notified of the failure and changes its ISC blocking filter (see ISC Blocking Filters on page 156) to allow transmission to the MLAG peer port. In order to reduce failure convergence time, you can configure MLAG to use ACLs for redirecting traffic via the fast convergence-control option.
Note: For Layer 3 unicast forwarding, you must configure VRRP or ESRP on the peer switches.
Each of the two switches maintains the MLAG state for each of the MLAG ports and communicates with the other to learn the MLAG states, MAC FDB, and IP multicast FDB of the peer MLAG switch.
MLAG peers monitor the health of the ISC using a keep-alive protocol that periodically sends health-check messages. The frequency of these health-check hellos can be configured.
MLAG Status Checkpointing
Each switch sends its MLAG peer information about the configuration and status of MLAGs that are currently configured over the ISC link. This information is checkpointed over a TCP connection that is established between the MLAG peers after the keep-alive protocol has been bootstrapped.
To see if a port is part of an MLAG group or an ISC port, you can view the MLAG table (see MLAG Table View). MLAG information also appears in the map view (see MLAG Map View).
Figure 102: MLAG View
The MLAG table view shows the following information:
Status: MLAG overall status. There are five status categories:
Up: Everything is normal: all links under ISC are up and all MLAGs are up
Degraded: Either one or more ISC links are down and all MLAGs are up or one or more MLAGs are down
Protecting: ISC is up and one or more MLAG ports are down
Unprotected: Either all ISC links are down and all MLAGs are up or one MLAG port is down
Down: Either all ISC links are down and all MLAGs are down or one or more ISC links are down and all MLAGs are down or all ISC links are up and all MLAGs are down
MLAG ID
Inter-switch connection VLAN tag
Name of MLAG peer A switch
IP address of MLAG peer A switch
Name of MLAG peer B switch
IP address of MLAG peer B switch
Figure 105: MLAG Peers with LAG peers on Network Map View
Figure 106: MLAG Peers with LAG peers Network Map View Configured with an ISC
Figure 107: MLAG Detail Window
The following tables appear:
MLAG Links
Peer Information
MLAG Port Details
Customer VLANs
MLAG Links Table
The MLAG Links table has the following information:
A Device: Name of peer device with inter-switch connection link
A IP address: IP address of this peer device
A port number/annotation: Port number on which MLAG ports are associated with this MLAG peer switch
Share Details: Shared link details
Status: Link status: up or down
ISC Link: Box color indicates link status of inter-switch connection link
B Device: Name of peer device with inter-switch connection link
B IP address: IP address of this peer device
B port number/annotation: Port number on which MLAG ports are associated with this MLAG peer
Discovery protocol: Protocol used to discover MLAG peers
A port name: MLAG port name to which peer device is attached
B port name: The MLAG port name on which peer device is attached
Type: Type of link: physical or virtual
Peer Information Table
The Devices table has the following information:
Name: Name of device
IP address: IP address of device
ISC VLAN name: Name of the inter-switch connection VLAN through which the MLAG peer can be reached
ISC VLAN Tag: Inter-switch connection VLAN tag
ISC VLAN IP address: Inter-switch connection VLAN IP address
Peer Name: Name of MLAG peer switch
VR: Name of the VR with which the MLAG peer VLAN is associated
Port Count: Number of MLAG ports associated with this MLAG peer
Check Point Status: Checkpointing status of this MLAG peer: up or down
Rx Checkpoint Messages: Number of checkpoint messages received from the MLAG peer switch
Hello Errors: Number of hello error messages
Hello Timeouts: Number of hello time out messages
Up Time: Specifies the time that the connectivity with the MLAG peer switch is up
Tx Interval: Length of the time, in milliseconds, between transmissions of health check hello packets
Peer Tx Interval: Transmitting hello interval of MLAG peer switch in milliseconds
Tx Check Point Messages: Number of transmitted checkpoint messages
Check Point Errors: Number of checkpoint errors
Peer Connect Errors: Number of MLAG peer switch connect errors
Enables network administrators to monitor, secure, and manage virtual machines (VMs) in a centralized and vendor neutral manner. Starting with version 3.1, Ridgeline supports VM management from popular vendors such as VMWare, Citrix, and Microsoft. For the Microsoft System Center Virtual Machine Manager (SCVMM), you must install a Ridgeline XNV agent on the host to enable Ridgeline to communicate with Microsoft SCVMM.
Note: The link to the XNV agent download appears on the Ridgeline Welcome page.
Allows network administrators to import VMs from virtual machine managers (VMMs), such as vCenter, XenServer and Microsoft System Center, in a seamless manner. Once imported, Ridgeline keeps track of inventory changes in the source VMMs. The Ridgeline VMs views show VMs from several vendors and VMMs in one place. The VMs view also shows network location of VMs, such as the switches and ports to which they are currently connected.
Allows network administrators to author and attach profiles to VMs. Once attached, Ridgeline ensures that the attached profile is applied to a VM no matter where it moves within the network, enabling administrators to secure and ensure a quality of service level.
Enables administrators to view VM movement history within the network.
VM Authentication Process
The XNV feature on a switch supports three methods of authentication:
Ridgeline authentication.
Network authentication, using a downloaded authentication database stored in the VMMAP file.
Local authentication, using a local database created with ExtremeXOS CLI commands.
The default VM authentication configuration uses all three methods in the following sequence: Ridgeline server (first choice), network-based .map file, and last, the local database. If a service is not available, the switch tries the next authentication service in the sequence.
The following topics describe each authentication process:
Ridgeline Authentication
Network Authentication
Local Authentication
Ridgeline Authentication
If Ridgeline authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch sends an Access-Request to the configured Ridgeline server for authentication. When the switch receives a response, the switch does one of the following:
When an Access-Accept packet is received with an NVPP, the policies are applied on the VM-enabled port.
When an Access-Accept packet is received and no NVPP file is specified, the port is authenticated and no policy is applied to the port.
When an Access-Reject packet is received, the port is unauthenticated and no policy is applied.
When an Access-Reject packet indicates that the Ridgeline server timed out or is not reachable, the switch tries to authenticate the VM MAC address based on the next authentication method configured, which can be either network authentication or local authentication.
Network Authentication
If network authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the .map file to authenticate the VM and applies the appropriate policies.
Local Authentication
If local authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the local database to authenticate the VM and apply the appropriate policies.
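The default sequence and the four Ridgeline outcomes described above can be modelled to see which method decides for a given VM MAC address. This is an added example, not switch or Ridgeline code; the tables, MAC addresses, and profile names are constructed, and it assumes that a reachable method with no entry for the MAC answers with a reject, because this guide defines fall-through only for a service that is not available.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    UNAVAILABLE = "unavailable"   # timed out, unreachable, or method disabled


@dataclass(frozen=True)
class Result:
    reply: Reply
    policy: Optional[str] = None  # profile named in the reply, if any


@dataclass(frozen=True)
class Decision:
    authenticated: bool
    policy: Optional[str]
    decided_by: Optional[str]     # method that gave the final answer
    tried: tuple                  # methods consulted, in order


def norm(mac):
    """Normalise a MAC address to lower-case, colon-separated form."""
    return mac.strip().lower().replace("-", ":")


def make_method(table, available=True):
    """Build one authentication method from a {mac: profile-or-None} table.

    Assumption: a lookup miss on a reachable method is treated as a reject.
    """
    entries = {norm(m): p for m, p in table.items()}

    def lookup(mac):
        if not available:
            return Result(Reply.UNAVAILABLE)
        if norm(mac) in entries:
            return Result(Reply.ACCEPT, entries[norm(mac)])
        return Result(Reply.REJECT)
    return lookup


def authenticate(mac, chain):
    """Walk the chain [(name, method), ...] in the order the guide describes."""
    tried = []
    for name, method in chain:
        tried.append(name)
        result = method(mac)
        if result.reply is Reply.UNAVAILABLE:
            continue              # service not available: try the next method
        if result.reply is Reply.ACCEPT:
            # With a profile the policies are applied; without one the port
            # is authenticated and no policy is applied.
            return Decision(True, result.policy, name, tuple(tried))
        return Decision(False, None, name, tuple(tried))   # explicit reject is final
    return Decision(False, None, None, tuple(tried))        # every method was down


# Constructed sample data. The local database holds an entry Ridgeline lacks.
RIDGELINE_DB = {"00:50:56:aa:00:01": "web-tier", "00:50:56:aa:00:02": None}
MAP_FILE = {"00:50:56:aa:00:01": "web-tier"}
LOCAL_DB = {"00:50:56:aa:00:03": "legacy-permit"}


def default_chain(ridgeline_up=True, map_available=True, local_available=True):
    """Default order: Ridgeline server, network .map file, local database."""
    return [
        ("ridgeline", make_method(RIDGELINE_DB, ridgeline_up)),
        ("network", make_method(MAP_FILE, map_available)),
        ("local", make_method(LOCAL_DB, local_available)),
    ]


if __name__ == "__main__":
    mac = "00:50:56:aa:00:03"
    print("normal :", authenticate(mac, default_chain()))
    print("outage :", authenticate(mac, default_chain(False, False)))
```

In this model the same MAC is rejected while Ridgeline is reachable and accepted from the local database during an outage, which is why the fallback databases need to match what Ridgeline would answer.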
File Synchronization
Ridgeline's XNV feature supports file synchronization between XNV-enabled switches and the repository server. The files stored on the repository server include the policy files and the VM-profile mappings. One of the advantages of the repository server is that multiple XNV-enabled switches can use the repository server to collect the network VM configuration files. The XNV feature provides for access to a secondary repository server if the primary repository server is unavailable.
Through file synchronization, the VM configuration and policy files are periodically downloaded to the XNV-enabled switches, which allows these switches to continue to support VM connections when the Ridgeline server or the repository server is unavailable. You can also initiate a file synchronization from the XNV-enabled switch.
2 On the VM_monitoring Devices tab, click Enable VM monitoring. The Enable Monitoring Of VM Information wizard appears (see the following figure).
Figure 109: Enable Monitoring Of VM Information Wizard: Enable Devices Tab
3 Select the device(s) that you want to enable VM monitoring on by selecting their check box(es). Devices are unavailable for selection if:
Device is already enabled for VM monitoring.
Device does not support VM monitoring.
Device has Identity Management enabled.
When all devices in the group belong to all the cases described, the group is disabled.
4 Click Add.
5 Click Next. The Enabled Ports tab appears (see the following figure).
Figure 110: Enable Monitoring Of VM Information Wizard: Enabled Ports Tab
6 Select the ports on the device that you want to enable monitoring by clicking their check boxes. Click the + next to a device to view its ports. Uplink ports, ports that have Netlogin enabled, or ports that are part of LAG, are unavailable for selection.
7 Click Next. The Results tab appears (see the following figure).
8 Review the results, and then click Finish.
Limitations
The following limitations apply to the VM tracking feature:
VM tracking authentication cannot be used simultaneously with Network Login authentication on the same port.
When VM tracking is configured on a port, all existing learned MAC addresses are flushed. MAC addresses are relearned by the switch, and the appropriate VPP (if any) for each VM is applied.
If a VM changes MAC addresses while moving between ports on a switch, the VM remains authenticated on the original port until the original MAC address ages out of the FDB.
VM counters are cleared when a VM moves between ports on the same switch because ACLs are deleted and recreated.
Figure 111: VM Managers Table
The Virtual Machine Manager table automatically updates and supports the following operations:
Importing virtual machines from a selected VMM
Deleting selected VMMs
Editing selected VMMs
Updating VMMs: Use Updating VMMs to manually update all imported virtual machines and their network information.
Note: When using VMware, one view per VMM opens. When using Citrix, individual entries for each Resource pool or cluster show.
The Virtual Machine Manager provides the following information:
Type
Name
DNS Name
IP Address
User Name
Status
Pool Master
Last Updated
Before adding a new VM manager, you need the following information:
IP address or host name of the VM Manager
VM Manager vendor
User Name
Password
Note: You should have sufficient privileges to retrieve VM inventory information and receive events when inventory information changes.
To add a new VM manager:
1 In the navigation pane, click Virtualization Management.
2 Click the VM Managers tab.
3 Click New VM Manager. The New VM Manager dialog box appears (see the following figure).
Figure 112: New VM Manager Dialog Box: Connection Parameters Tab
4 Enter information for the following:
IP Address Or Host Name
Vendor: Select VMWare, Citrix, or Microsoft
User Name
Password
5 Click Next. The Discovered VM Inventory tab appears (see the following figure). Ridgeline discovers VMs or resource pools and shows the information.
Figure 113: New VM Manager Dialog Box: Discovered VM Inventory Tab
6 Click Next. The Import VM Managers tab appears briefly and the imported VM manager(s) appear in the VM Managers tab.
5 Make the desired changes.
6 Click OK.
7 This updates the VMM credentials and performs the following operations:
Closes the VMM session and opens a new session
Synchronizes Ridgeline with selected VM manager
Imports newly discovered VMs
Updates existing VMs to reflect updated VMM settings
Deleting VM Managers
To delete a VM manager:
1 In the navigation pane, click Virtualization Management.
2 Click the VM Managers tab.
3 Select the VM manager in the list that you want to delete by clicking its check box.
4 Click Delete VM Manager.
5 When prompted, confirm the deletion.
3 Click Change Repository Settings. The Extreme Networks Ridgeline dialog box appears (see the following figure).
Figure 115: Extreme Networks Ridgeline Dialog Box
4 Select one of the following credential settings:
Anonymous (least secure option)
Anonymous is the default login setting on all XNV switches. It is the least secure setting. Switches running EXOS 12.5 or earlier are set to Anonymous only.
Note: Custom credentials are not supported by ExtremeXOS 12.5.2 XNV devices and earlier versions. You cannot set credentials on all devices if there is an unsupported switch in the network.
These credentials when the version of EXOS supports it and Anonymous on all other devices
Enter your FTP user name and password in the Login and Password boxes. This allows switches running ExtremeXOS versions earlier than 12.6 and switches running version 12.6 and later to operate together in a seamless manner: switches earlier than version 12.6 use the ExtremeXOS Anonymous user, and switches running version 12.6 and later use the configured FTP user name and password.
Always use these credentials (most secure option)
Set up a custom user name and password for repository synchronization.
5 Click OK after choosing a setting. This applies the settings to all the VM tracking switches. This setting is not configurable if there are already some devices running ExtremeXOS versions earlier than 12.6 and are already enabled for VM-tracking. After enabling this option, the devices with ExtremeXOS versions earlier than 12.6 are unavailable when you start Enable VM-Tracking. The Progress and Results dialog box shows information about how the change is advancing and its completion.
6 Click Close.
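Before choosing a repository credential setting, it helps to know which switches would still log in to the repository server as Anonymous. The following added example (not Ridgeline code) applies the version rules stated in step 4 to an inventory; the setting labels "anonymous", "mixed", and "always", the Switch class, and the sample switches and version strings are constructed for illustration.

```python
import re
from dataclasses import dataclass

CUSTOM_MIN = (12, 6)   # guide: custom FTP credentials need ExtremeXOS 12.6 or later
SETTINGS = ("anonymous", "mixed", "always")   # labels invented for this example


@dataclass(frozen=True)
class Switch:
    name: str
    exos_version: str
    vm_tracking: bool    # already enabled for VM tracking?


def parse_version(text):
    """Turn the leading dotted-numeric part of a version string into a tuple."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def supports_custom(switch):
    return parse_version(switch.exos_version) >= CUSTOM_MIN


class SettingBlocked(Exception):
    """'Always use these credentials' cannot be selected for this inventory."""

    def __init__(self, blockers):
        super().__init__("pre-12.6 switches already enabled for VM tracking: "
                         + ", ".join(blockers))
        self.blockers = blockers


def plan_repository_login(setting, switches):
    """Return {switch name: login} with login in anonymous/custom/unavailable.

    The login is the one a switch uses for repository synchronization once VM
    tracking is enabled on it; "unavailable" means it cannot be enabled.
    """
    if setting not in SETTINGS:
        raise ValueError(f"unknown setting: {setting!r}")
    if setting == "always":
        blockers = sorted(s.name for s in switches
                          if s.vm_tracking and not supports_custom(s))
        if blockers:
            raise SettingBlocked(blockers)
    plan = {}
    for sw in switches:
        if setting == "anonymous":
            plan[sw.name] = "anonymous"
        elif supports_custom(sw):
            plan[sw.name] = "custom"
        elif setting == "mixed":
            plan[sw.name] = "anonymous"
        else:
            plan[sw.name] = "unavailable"
    return plan


def anonymous_exposure(plan):
    """Names of switches that would still use the Anonymous login."""
    return sorted(name for name, login in plan.items() if login == "anonymous")


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    Switch("core-x8", "15.3.1.4", True),
    Switch("access-a", "12.6.1", True),
    Switch("access-b", "12.5.2", True),
    Switch("lab-c", "12.4", False),
]

if __name__ == "__main__":
    print(anonymous_exposure(plan_repository_login("mixed", SAMPLE_INVENTORY)))
```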
3 Click New > New Virtual-port Profile. The New Virtual-Port Profile dialog box appears (see the following figure).
Figure 116: New Virtual-Port Profile Dialog Box
4 Type a name for the new VPP in the Name box.
5 (Optional) Type a description for the VPP in the Description box.
6 Select an ingress policy by selecting it from the Select Ingress Policies table.
Note: If you do not see any policies to select, you need to create policies. See Creating New Policies.
7 Select an egress policy by selecting it from the Select Egress Policies table.
Note: If you do not see any policies to select, you need to create policies. See Creating New Policies.
8 Click OK.
Attaching a VPP to a VM
To attach a VPP to a VM:
1 In the navigation pane, click Virtual Port Profiles.
2 Select a VPP to attach a VM to by clicking its check box.
3 Click Attach To VMs. The Attach Virtual-Port Profile To VMs dialog box appears (see the following figure).
Figure 118: Attach Virtual-Port Profile to VMs Dialog Box
4 Select VMs to attach to the VPP from the Available virtual machines table.
5 Click Add. The VM(s) are added to the Selected virtual machines table.
6 Click OK.
7 Review the results and click Close.
3 Click Detach From VMs. The Detach Virtual-Port Profile from Virtual Machines dialog box appears (see the following figure).
Figure 119: Detach Virtual-Port Profile from Virtual Machines Dialog Box
4 Select the VM(s) to remove by clicking their check box(es) in the Available virtual machines table.
5 Click Add. The VM(s) to remove appear in the Selected virtual machines table.
6 Click OK.
2 Click Attach Policies. The attach policies dialog box appears (see the following figure).
Figure 120: Attach Policies Dialog Box
3 Select a policy from the Ingress Policies table by clicking its check box.
4 Select a policy from the Egress Policies table by clicking its check box.
Note: If there are no policies to select, you need to create policies. See Creating New Policies.
5 Click OK.
3 Click Detach Policies. The detach policies dialog box appears (see the following figure).
Figure 121: Detach a VPP from a Policy
4 Clear the check box(es) for the policies that you want to detach in the Ingress Policies and/or Egress Policies tables.
5 Click OK.
3 Click Attach to Role. The Attach Policies To Roles dialog box appears (see the following figure).
Figure 122: Attach Policies To Roles Dialog Box: Attach Policies Tab
4 Select a role from the Role Name list.
5 Move policies from the Available Policies pane to the Selected Policies pane.
6 Click Next. The Results tab appears (see the following figure).
Figure 123: Attach Policies To Roles Dialog Box: Results Tab
7 View the results, and then click Finish. The policy appears in the policy list as attached (Attached column value is Attached).
3 Click Detach Policy From Role. The Detach Policies From Roles dialog box appears (see the following figure).
Figure 124: Detach Policies From Roles Dialog Box 4 5 6 7 8 Select the role to detach from policies under Role Name. Move the policy from the Selected Policies pane to the Available Policies pane. Click Next. The Results tab appears. View the results, and then click Finish. The policy now appears in the list as unattached (Attached column value is Not attached).
Figure 125: VM Tab
You can filter the contents of the VM tab by typing keywords in the search box or by clicking Quick Filter and then selecting an available quick filter. The VM tab shows the following information:
Power Status: Current power status of the VM, which can be On, Off, Suspended, or Unrecognized.
VM Name: The VM's name.
VM MAC Address: MAC address of the network interface card (NIC) of the VM (if there is more than one NIC, they are shown as separate rows in the All Table View).
Device Name: Name of the device to which the VM is connected.
Device IP Address: IP address of the device to which the VM is connected.
Port Number: Port number of the device to which the VM is connected.
Port Load Sharing: Indicates whether the port to which the VM is connected is configured for load sharing or not.
Host IP Address: IP address of the physical host to which the VM belongs.
Host Name: Physical host name.
Virtual-Port Profile: Virtual Port profile (VPP) attached to the VM.
Ingress Policy: Ingress policy that is present in the VPP attached to the VM.
Ingress Policy Result: Result of the ingress policy after being applied on the device, which can be one of the possible values.
Egress Policy: Egress policy that is present in the VPP attached to the VM.
Egress Policy Result: Result of the egress policy after being applied on the device, which can be one of the possible values.
For a selected VM, the details pane (bottom of screen) shows additional information (see VM Details Pane). When you select a VM in the map view, Ridgeline highlights the device and shows the number of VMs currently accessing the switch.
VM Details Pane
For a selected VM on the VMs tab (see Main View VM Tab) of the Main View, detailed VM information appears in the VM details pane:
VM properties: VM Name, Power Status, Virtual-Port Profile, Ingress Policy, Egress Policy, Host Name, Host Connection Status, Host Vendor Name
VMM Details tab: Vendor, VMM name, VMM DNS Name, VMM IP Address, Data Center
NIC tab: VM MAC address, VM IP address, Device Name, Device IP Address, Port Number, Port Name, MLAG ID, MLAG Description, Port Load Sharing, Ingress Policy Result, Egress Policy Result
History tab:
Device IP Address: Device IP where the VM was present
Device Name
State: Open or Closed. Open indicates the history record describes the current state of the NIC
Port Number: Port on the device
Host Name: Name of the current physical host machine
Host IP Address: IP address of the current physical host
Date Appeared: Time when the VM first appeared on the device
Date Left: Time when the VM was removed from the device
MLAG information: MLAG ID, MLAG description
Figure 128: VM Tab in Detailed Device Pane Click a device in the table to show its detailed view in the lower pane, and then click the VMs tab in the detailed view. The VMs tab in the detailed device view shows the following information:
Power Status: Current power status of the VM, which can be On, Off, Suspended, or Unrecognized.
Name: The VM's name.
Mac Address: MAC address of the network interface card (NIC) of the VM (if there is more than one NIC, they are shown as separate rows in the All Table View).
Port Number: Port number of the device to which the VM is connected.
Host IP Address: IP address of the physical host to which the VM belongs.
Host Name: Physical host name.
Virtual-Port Profile: Virtual Port profile (VPP) attached to the VM.
Ingress Policy: Ingress policy that is present in the VPP attached to the VM.
Ingress Policy Result: Result of the ingress policy after being applied on the device, which can be one of the possible values.
Egress Policy: Egress policy that is present in the VPP attached to the VM.
Egress Policy Result: Result of the egress policy after being applied on the device, which can be one of the possible values.
Figure 129: Audit Log VM Tab
Ridgeline creates an audit log entry for the following reasons:
A virtual port profile has been modified (for example, an update of an ingress or egress policy).
A policy has been attached to a VPP.
A policy has been detached from a VPP.
To enable VM Tracking.
To disable VM Tracking ports.
To update VM Tracking ports.
The VM tab of the audit log shows the following information:
Action Time: Time when the VM policy was attached or detached.
Action: Name of the action: Attachment or Detachment.
User Name: Name of user who performed the attachment or detachment operation.
Overall Status: The operation was a Success or it Failed.
For more information about the audit log, see Audit Log Overview on page 329.
EAPS Overview
The Ethernet Automatic Protection Switching (EAPS) protocol provides fast protection switching to Layer 2 switches interconnected in an Ethernet ring topology, such as a Metropolitan Area Network (MAN) or large campus. For details on how EAPS works, see the ExtremeXOS Concepts Guide.
Using Ridgeline, you can configure new EAPS domains, including specifying member links, the EAPS master node, primary and secondary ports, control VLAN, hello timer, and fail timer parameters. Your configuration is validated by the software before it is deployed to managed devices.
The EAPS monitoring function in Ridgeline provides a visual way to configure and view the status of your EAPS configurations (EAPS domains) and to verify the configuration of your EAPS-enabled devices. With its multiple status displays and the ability to focus on individual EAPS domains, it can also help you debug EAPS problems on your network.
Note Your devices must be running ExtremeWare 7.7 or later, or ExtremeXOS 11.3 or later in order to be recognized by Ridgeline as EAPS nodes. ExtremeXOS 11.6 is required for full EAPS functionality within Ridgeline.
Using Ridgeline, you can perform the following EAPS configuration tasks:
Create an EAPS domain
Modify settings in an EAPS domain
Create a shared link
Specify protected VLANs, VMANs, and BVLANs
For more information about Ridgeline's network resource provisioning feature, see Network Resource Provisioning Overview.
Figure 130: New EAPS Domain Dialog Box
4 Type a name for the new EAPS domain in the Name box.
5 Select the links that make up the new EAPS domain:
a Under Available Devices, for each selected device, click the + to show the device's ports.
b Select the desired ports by clicking their check boxes.
c Click Add. Your selections appear under Selected Ports.
6 Under Control VLAN, type a name and tag value for the control VLAN for the EAPS domain in the Name and Tag boxes, respectively.
7 In the Master Node list, select the device that will be the master node for the new EAPS domain. The list of devices in the Master Node list is based on the device(s) you selected in Step 2.
8 In the Primary Port list, select a port. The available ports are based on the selected links and the device selected to be the master node. The secondary port is automatically selected as the other port on the device, based on the link.
9 Change the default values in the EAPS Hello Timer and Fail Timer boxes if desired.
10 When you finish configuring the EAPS domain, click OK. The Progress and Results dialog box appears.
Figure 131: Progress and Results Dialog Box for EAPS Creation
11 Click Close.
Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a version of software that supports the features you are provisioning. If Ridgeline successfully validates the options you selected, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches. The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log (see Viewing Logged Information about Provisioning Tasks).
2 Click the EAPS tab, and then select the EAPS domain that you want to modify by clicking its check box. For an EAPS domain, you can edit the master nodes and ports and the settings for the Hello and Fail timers.
To change the master nodes/ports, click Edit Master Node. To change the time values, click Edit EAPS timer.
3 Make any necessary changes to the EAPS configuration, and then click OK to validate and deploy the changes.
Creating a Shared Link
An EAPS shared link is a physical link that carries overlapping VLANs that are protected by more than one EAPS domain. To create an EAPS shared link:
1 In the navigation pane, click Main View or the desired device group.
2 From the menu, click Protocol > New > Shared link. The New Shared Link dialog box appears.
Figure 132: New Shared Link Dialog Box
3 Under Available Links, select the link to make up the shared link by clicking its check box. You can specify only one link to be used as a shared link.
4 To change the default values, enter values for the Segment Timeout and Segment Health Interval boxes.
5 For Expiry Action, select either Segment Down or Send Alert.
6 Select the Controller Node from the list.
7 When you have finished configuring the shared link, click OK to start the validation and deployment process.
Figure 133: Protected VLAN Dialog Box
3 Type a name for the protected VLAN in the Name box.
4 Select a tag in the Tag box.
5 Under Available EAPS Domains, select an EAPS domain for the protected VLAN by clicking its check box.
6 Click Add. The selection appears in EAPS Domains Protecting VLAN.
7 Click OK to start the validation and deployment process.
When you create a protected VLAN, the software performs the same validations as those for non-protected VLANs, and verifies that the ring ports used are configured on all the relevant EAPS domains. To learn what validations are performed for non-protected VLANs, see Creating VLANs on page 123.
Figure 134: VLAN Properties Dialog Box 7 To make the following changes:
To edit the list of EAPS domains in the network, click Edit List Of EAPS. To edit the name of the VLAN or VMAN, click Edit Name. To edit the network name, click Edit network name.
The Progress and Results dialog box appears. 8 Make the desired changes, and then click Finish.
1 In the navigation pane, click Main View or the desired device group.
2 Click the EAPS tab.
3 Select the EAPS domain that you want to delete by clicking its check box.
4 Click Delete.
5 Click Yes when prompted to confirm your deletion of the EAPS domain.
Note The Control VLAN is deleted along with the EAPS domain.
Figure 135: EAPS Tab View
The EAPS domain table has the following information.
Name: The name of the EAPS domain, and an icon indicating the domain status:
Green ring: all domains in which this device participates are fully operational.
Yellow ring: one or more of the domains is not fully operational, but is in a transitional state or an unknown state (as when the device is SNMP unreachable).
Red ring: one or more of the domains is not operational, if the device has a master in a failed state or a Transit node in a links down state.
Grey ring: the EAPS domain is disabled.
VLAN tag (ID) of the EAPS control VLAN.
The Network Name of the control VLAN, if one has been assigned. See Categorizing VLANs With Network Names for more information.
When the EAPS domain information was last updated from the Ridgeline database.
For information about details of the EAPS domain, see Displaying EAPS Domain Details on page 200.
Figure 136: Icons on an EAPS Node An EAPS node on a map has the following icons:
EAPS Node Status: For an EAPS node the status display shows whether the device is a Master node (M) or Transit node (T) within the EAPS domain. Note that if a node is unreachable, the EAPS node status will reflect the last known node status; thus a node that is unreachable may still display Master or Transit node status as green.
For a Master node:
Green M indicates the domain is complete (all links are up and forwarding).
Yellow M indicates the domain is in a transient or start-up state, or in an unknown state (as when the device is SNMP unreachable).
Red M indicates the status is failed.
For a Transit node:
Green T means both ring ports are up and forwarding.
Yellow T means a ring port is up but blocked.
Red T means that one or both ring ports are down.
Node Alarm Status (shown for all devices): If alarms have occurred on the node and have not yet been acknowledged, the highest severity alarm is indicated with the small bell symbol. The color indicates the severity of the alarm:
Green bell is a Normal alarm.
Yellow bell is a Warning.
Light-yellow bell indicates a Minor alarm.
Orange bell indicates a Major alarm.
Red bell indicates a Critical alarm.
EAPS Domain Status: A ring below the EAPS node status icon shows that the device is configured for EAPS, and also indicates the state of the EAPS domain of which the device is a member.
Green ring indicates that the domain in which this device participates is fully operational.
Yellow ring indicates that the domain is not fully operational, but is in a transitional state or an unknown state (as when the device is SNMP unreachable).
Red ring indicates that the domain is not operational, if the device has a master in a Failed state, or a Transit node in a links down state.
Grey ring indicates that the EAPS domain is disabled.
The following figure shows two examples of nodes that are members of EAPS domains:
Node 1 status shows that the device is reachable, that it functions as a Master node (whose status is Complete) in the domain of which it is a member, and the domain of which it is a member is operational. The device also has generated at least one unacknowledged Major alarm.
Node 2 status shows that the device is currently unreachable; no alarms have been detected, and the EAPS domain of which it is a member is in a transitional state. It is a Transit node, and its last status indicated that its ring ports were up and forwarding.
Figure 137: Examples of EAPS Nodes Showing Status
Link Status
Links between devices may be single links (a connection exists between only one port on each device) or bundled links (connections exist between multiple ports on each of the devices). Single links are shown as a single line. Bundled links are shown with a small box within the link.
Green line indicates that the link is up.
Red line indicates that the link is down.
Yellow line for a bundled link indicates that some links are down and some are up.
Grey line indicates that the link status is unknown.
Blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
An icon showing two lines and a circle indicates the status of a shared link:
Green indicates that the link is up.
Greyed-out green indicates that the last-known status of the link was up.
Red indicates that the link is down.
Greyed-out red indicates that the last-known status of the link was down.
Yellow indicates that some ports on this link are up and that some are down.
When the map is zoomed in sufficiently, the port endpoints automatically appear for each link.
Figure 138: EAPS Domain Details Window The following information appears about the EAPS domain:
Name: The name of the EAPS domain.
Status: Status of the EAPS domain: Can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Last Updated: When information about the EAPS domain was last updated in the Ridgeline database.
The following information appears about the Control VLAN in the EAPS domain:
Tag: VLAN tag (ID) of the EAPS control VLAN.
Name: The configured name of the EAPS control VLAN.
Network: The Network name of the EAPS control VLAN, if one has been assigned. For more information about network names, see Categorizing VLANs With Network Names.
Type: The VLAN type. For an EAPS control VLAN, this is VLAN.
Devices Tab
When you click the Devices tab, the following information appears:
Status/Mode: Whether the node acts as a Master (M) or Transit (T) node for this domain, and the status of the domain.
For a Master node: Green M indicates the domain is complete (all links are up and forwarding). Yellow M indicates the domain is in a transient or startup state, or in an unknown state (as when the device is SNMP unreachable). Red M indicates the status is failed.
For a Transit node: Green T means both ring ports are up and forwarding. Yellow T means a ring port is up but blocked. Red T means that one or both ring ports are down.
Name: The name of the device, along with an icon indicating the device status.
IP address: The IP address of the device.
Primary Port: Primary port number.
Secondary Port: Secondary port number.
Device Enabled: Whether this node is enabled as an EAPS node.
Fast Convergence: Whether the device is enabled for fast convergence. In EAPS fast convergence mode, the link filters on EAPS ring ports are turned off. In this case, an instant notification is sent to the EAPS process if a port's state transitions from up to down or vice versa.
Hello Timer: The interval at which the EAPS master polls to check the status of its EAPS member nodes.
Failed Timer: The interval after a failure is detected before the Failed Timer expires.
Failed Timer Action: Action to be taken when Failed Timer expires.
Domain Status: Status of the node: Can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Device Mode: Whether the node acts as a Master or Transit node for this domain.
Device Type: The model number of the Extreme switch.
Member Of: The device groups that the member belongs to.
The following additional information appears: Domain Related Details. Device-specific protected VLANs.
Domain Related Details
The Devices tab shows the following information related to the EAPS domain in the lower left corner:
Domain Node Name: The name of the node given to the device as a member of a domain.
Control VLAN Name: Name of the control VLAN.
Control VLAN Tag: VLAN tag (ID) of the EAPS control VLAN.
Control VLAN Network: The network name of the control VLAN, if one is configured. For information about how to create a network name and assign it to a VLAN, see Categorizing VLANs With Network Names.
Status of the primary port: Up, Down, Blocked, or Unknown
Status of the secondary port: Up, Down, Blocked, or Unknown
Device-specific Protected VLANs
The following information appears in the bottom table about the VLANs that are protected by the EAPS domain on the selected device.
Tag: VLAN tag (ID) of the EAPS protected VLAN.
VLAN Name: Name of the protected VLAN.
Ports Tab
When you click the Ports tab, the following information appears:
Shared Display Device Mode Mode Status in Domain Shared-Port Link ID Neighbor-Port Status Root Blocker Status Shared-Port Status Expiry Action An integer configured on the switch for the shared port Status of the neighboring node: Down, Up, Error The ports status as a root blocker (None or Active) Status of the shared port: Idle, Ready, Blocking, Preforwarding. Action to be taken when the fail timer expires. This applies only to master nodes. Send-alert Sends a critical message to the syslog when the failtimer expires. Open-secondary-port Opens the secondary port when the failtimer expires. The interval at which health check PDUs are sent out each segment port. Time in seconds after which the segment fail timer expires, the fail flag is set, and expiry action is taken. Whether this is a shared port. The port number on the Master or Transit node. Whether the device is a Master or Transit node. Whether the port is a Primary or Secondary port
Link State: State of the common link.
Device Name: The name of the device, along with an icon indicating the device status.
Device IP address: The IP address of the device.
Shared-Port Mode: Whether the node acts as a Controller or a Partner node for this shared link.
Port Type: Port type; for example, Gigabit, Management, 10/100.
Device Type: The model number of the Extreme switch.
Name: The name of the port, if configured.
Additionally, information appears about the sharing domains (see Sharing Domains Table).
Sharing Domains Table
On the Ports tab, for shared ports, Ridgeline displays the following information about the EAPS domains shared on the port:
Name: Name of the EAPS domain.
Status: Status of the EAPS domain: Can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Other Ports in Domain: For the selected port, other end domain port participating in the sharing domain.
Links Tab
When you click the Links tab, the following information appears:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Status: A line indicating the status of the link:
A green line indicates that the link is up.
A red line indicates that the link is down.
A yellow line for a bundled link indicates that some links are down and some are up.
A grey line indicates that the link status is unknown.
A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
An icon showing two lines and a circle indicates the status of a shared link:
Green indicates that the link is up.
Greyed-out green indicates that the last-known status of the link was up.
Red indicates that the link is down.
Greyed-out red indicates that the last-known status of the link was down.
Yellow indicates that some ports on this link are up and that some are down.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B port Number/Annotation: The number of the port on the B side of the link.
A Port Type: The type of port on the A side of the link.
B Port Type: The type of port on the B side of the link.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
A Device Status: The current status of the device on the A side of the link.
A Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
A Port Status: Whether the port on the A side of the link is enabled or disabled.
A Port Share Details: Information about the port sharing configuration on the A side of the link, if configured.
B Device Status: The current status of the device on the B side of the link.
B Link State: Whether the B side of the link is ready to exchange traffic with the A side of the link.
B Port Status: Whether the port on the B side of the link is enabled or disabled.
B Port Share Details: Information about the port sharing configuration on the B side of the link, if configured.
Type: The link type; for example, user-created.
Name: A description of the link in this format: <A device name> <A IP addr> p <port> <B device name> <B IP addr> p <port>
Additionally, the Links tab shows information about the sharing domains in the bottom table (see Sharing Domains Table on page 204).
Sharing Domains Table
If a link is shared among EAPS domains, Ridgeline displays the following information about the EAPS domains shared on the link in the bottom table of the Links tab:
Name: The name of the EAPS domain shared on selected link.
Control VLAN Tag: The tag value of the control VLAN for the EAPS domain shared on selected link.
Control VLAN Network Name: The network name of the control VLAN, if one is configured. For information about how to create a network name and assign it to a VLAN, see Categorizing VLANs With Network Names.
VLAN tag (ID) of the protected VLAN. The configured name of the protected VLAN The Network Name of the protected VLAN, if one has been assigned. For more information about creating and assigning network names, see Categorizing VLANs With Network Names. The VLAN type, either VLAN or VMAN. The number of nodes in the domain.
3 Click Verify EAPS Domains. The EAPS Verification Results dialog box, shown below, appears. Depending on the size of your network and your EAPS configurations, this can take as long as 15 minutes.
Figure 139: EAPS Verification Results Dialog Box The following information appears:
Type: The type of error. See the following table for a list of errors that the EAPS verification process may report.
Severity: The severity level of the error: Error, Warning, or Information.
Source: The element that was the source of the error.
Description: A more detailed description of the error.
If errors are reported, you can log into the affected device(s) to correct the problems. Once you have corrected any reported errors, you should run the verification again to ensure that the configuration is correct.
Click Refresh to re-run the verification process. Click Save to save the verification results to a file.
The following table lists the error types that may be reported by the EAPS verification process:
Table 6: EAPS Verification Error Types
Missing Control VLAN
Missing Primary Domain Port
Missing Secondary Domain Port
Mismatched Domain Ports
Incomplete VLAN Protection
Inconsistent Control VLAN Naming
Missing Link ID
Mismatched Link ID
Misconfigured Shared Port Mode
Shared Port Not Created
No Physical Link
Shared Port Not Configured
The report can also be run from within Ridgeline's Reports feature (see EAPS Summary).
To run the EAPS Log Report, in the navigation pane, click Reports. The reports welcome page opens in your default browser. Click EAPS > EAPS Log. The EAPS Log Report appears.
Figure 141: EAPS Log Report The EAPS Log report displays the following information:
Time: Time the event occurred, expressed in the local time zone of the Ridgeline server.
Source: IP address of the device and port number (if applicable) that generated the event.
Type: Event type (SNMP trap or syslog, including description).
Varbinds: Variable data transmitted with a trap, as appropriate.
PBB Overview
Virtual metropolitan area networks (VMANs) allow metropolitan area network (MAN) service providers to carry VLAN traffic from multiple customers across a common Ethernet network, known as a provider bridge network. The provider bridge network uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. A Provider Backbone Bridge (PBB) network enables VMAN transport over the Internet. PBB is defined by the IEEE 802.1ah Backbone Bridge standard, which is an amendment to the IEEE 802.1Q VLAN standard. This standard allows Internet Service Providers (ISPs) to use Ethernet to create a separate backbone over which the subscribers' frames are transported. In a PBB network, data from multiple subscriber networks travels over a common ISP backbone, with traffic from the individual subscriber networks completely separate from each other. The following figure shows a PBB network, which spans a set of ISP switches that serve as Provider Backbone Bridges (PBBs).
Figure 142: PBB Network You can view a PBB network as a Layer 2 network that supports VMAN traffic. The entry points to a PBB network are the access ports on the PBB network edge switches. These ports are designed to receive and transmit VMAN traffic. VMAN traffic that is addressed to locations at other PBB network access points enters a PBB network access port, is switched through the PBB network, and exits at a PBB network access port. If you do not configure any frame manipulation options, the frames that exit the PBB network are identical to the frames that entered the PBB network.
VMAN frames (802.1ad format) enter the PBB network through a PBB network access port. The PBB network access port also accepts VLAN frames. To switch the frame through the PBB network, the switch encapsulates the VMAN frame in an 802.1ah frame.
Ridgeline can manage and monitor PBB networks by:
Configuring BVLANs on managed Extreme Networks devices.
Discovering information about a PBB network, including which devices are part of BVLANs and SVLANs, the relationship between the BVLANs and SVLANs, and I-tag and S-tag mapping.
Displaying the components of a PBB network (ISIDs, BVLANs, SVLANs, and CVLANs) in Ridgeline Network Views.
Configuring BVLANs
Ridgeline's PBB provisioning feature allows you to:
Create BVLANs.
Edit BVLANs.
Delete BVLANs.
Creating BVLANs
To create a BVLAN: 1 In the navigation pane, click Main View. 2 Click the PBB tab.
3 Click New > BVLAN. The Create BVLAN dialog box appears (see the following figure).
Figure 143: BVLAN Provisioning Dialog Box
You can provision BVLANs only on BlackDiamond 20800 series switches running ExtremeXOS 12.4 or later. Devices that do not support BVLANs are unavailable in the dialog box.
4 Type a name for the BVLAN in the Name box.
5 If you are creating a tagged BVLAN, in Tag, click the numbered list, and then select a numeric value (1-4095) for the BVLAN identifier.
6 In the Available Device table, click + next to a device to view its ports. For each port or link you want to add to the BVLAN, select the port by clicking its check box, and click Add. When the BVLAN is created, the port is added to it, and removed from the default BVLAN if it was added as untagged.
7 When you have finished configuring the BVLAN, click OK to start the validation and deployment process. The Progress and Results dialog box appears (see the following figure).
1 Verifying connectivity to the selected device(s)
2 Deploying the commands on the device
3 Updating the device information in the database
4 Validating command syntax and checking software compatibility
5 The validation rules or commands entered on the device for the selected task. Click to expand or collapse the right pane with Creating selected.
Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a software version that supports the features that you are provisioning. Ridgeline also verifies that tagged ports in SVLANs and CVLANs have not been added to the BVLAN being created.
The following validations are performed:
The name length is not longer than 32 characters.
The name consists of only alphanumeric characters. No special characters such as # or & are allowed.
The tag range is from 1 to 4095.
The tag is not present on the selected device.
The name is not present on the selected device.
Port tag values are valid.
The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log. See Viewing Logged Information about Provisioning Tasks for more information.
If Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, and then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.
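The validation rules listed above can be expressed as a pre-deployment check that reports every violation at once. This is an added example, not Ridgeline code: the Device and BvlanRequest records, the rule identifiers, and the inventory are constructed for illustration, and "alphanumeric" is assumed to mean ASCII letters and digits.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_NAME_LEN = 32
TAG_MIN, TAG_MAX = 1, 4095
# Assumption: "alphanumeric" means ASCII letters and digits only.
ASCII_ALNUM = re.compile(r"[A-Za-z0-9]+")


@dataclass
class Device:
    """Hypothetical record of what is already configured on one switch."""
    name: str
    vlan_names: Set[str] = field(default_factory=set)
    vlan_tags: Set[int] = field(default_factory=set)
    # Ports that are tagged members of an SVLAN or CVLAN.
    svlan_cvlan_tagged_ports: Set[str] = field(default_factory=set)


@dataclass
class BvlanRequest:
    """Hypothetical provisioning request."""
    name: str
    tag: Optional[int]          # None means an untagged BVLAN
    ports: Dict[str, Set[str]]  # device name -> ports to add


Finding = Tuple[str, str, str]  # (rule id, scope, message)


def validate_bvlan(req: BvlanRequest, inventory: Dict[str, Device]) -> List[Finding]:
    """Return every rule violation instead of stopping at the first one."""
    findings: List[Finding] = []

    # Rules that depend only on the request.
    if len(req.name) > MAX_NAME_LEN:
        findings.append(("NAME_LENGTH", "request",
                         f"name has {len(req.name)} characters, limit is {MAX_NAME_LEN}"))
    if not ASCII_ALNUM.fullmatch(req.name):
        findings.append(("NAME_CHARS", "request",
                         "name must contain only letters and digits"))
    if req.tag is not None:
        is_int = isinstance(req.tag, int) and not isinstance(req.tag, bool)
        if not (is_int and TAG_MIN <= req.tag <= TAG_MAX):
            findings.append(("TAG_RANGE", "request",
                             f"tag {req.tag!r} is outside {TAG_MIN}-{TAG_MAX}"))

    # Rules that depend on what each selected device already has.
    for dev_name, ports in sorted(req.ports.items()):
        dev = inventory.get(dev_name)
        if dev is None:
            # Not one of the listed rules; a defensive check for this sketch.
            findings.append(("UNKNOWN_DEVICE", dev_name, "device is not in the inventory"))
            continue
        if req.name in dev.vlan_names:
            findings.append(("NAME_IN_USE", dev_name, f"name {req.name} already exists"))
        if req.tag is not None and req.tag in dev.vlan_tags:
            findings.append(("TAG_IN_USE", dev_name, f"tag {req.tag} already exists"))
        clash = sorted(ports & dev.svlan_cvlan_tagged_ports)
        if clash:
            findings.append(("PORT_IN_SVLAN_CVLAN", dev_name,
                             "tagged SVLAN/CVLAN ports selected: " + ", ".join(clash)))
    return findings


def rule_ids(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated rule identifiers for quick comparison."""
    return sorted({f[0] for f in findings})


# Constructed inventory: two switches with existing VLANs.
INVENTORY = {
    "switch-a": Device("switch-a", {"Default", "bvlanCore"}, {1, 200}, {"1:3"}),
    "switch-b": Device("switch-b", {"Default"}, {1}, set()),
}

if __name__ == "__main__":
    bad = BvlanRequest("core#" + "x" * 30, 4096, {"switch-a": {"1:3"}})
    for rule, scope, message in validate_bvlan(bad, INVENTORY):
        print(f"{rule:20} {scope:10} {message}")
```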
Modifying BVLANs
For a BVLAN, you can edit the list of ports or links in the BVLAN, as well as the name and network name of the BVLAN (although not the tag value). You can also delete the BVLAN from the devices where it is configured (see Deleting BVLANs on page 216). To modify a BVLAN:
1 In the main navigation pane, click Main View.
2 Click the PBB tab.
3 In the table select the BVLAN that you want to modify by clicking its check box.
4 To edit the name or network name, click Edit Name or Edit Network Name. Make the needed changes, and then click OK.
5 To edit the ports, click Edit Ports. The BVLAN Edit Ports dialog box appears (see the following figure).
Figure 145: BVLAN Edit Ports Dialog Box
6 To add and remove ports:
Note: To select all of the ports for a device, click the check box for the device. To select individual ports, click the plus sign (+) next to a device to view its ports.
To add ports, select the ports under Available Devices by clicking their check boxes, and then click Add. The added ports appear under Selected Ports.
To remove ports, select the ports under Selected Ports by clicking their check boxes, and then click Remove. The removed ports appear under Available Devices.
7 Click OK. The BVLANs Progress and Results dialog box appears (see the following figure).
Deleting BVLANs
You can only delete a single BVLAN at a time; multiple BVLANs cannot be deleted at the same time. and control BVLANs cannot be deleted. You can delete protected BVLANs.
To delete a BVLAN:
1 In the navigation pane, click Main View.
2 Click the PBB tab.
3 Select the BVLAN that you want to delete by clicking its check box.
4 Click Delete.
5 When prompted, confirm the deletion.
When you delete a VLAN, the software verifies that the services in the VLAN are not being used as transport services in an E-Line or E-LAN service.
Figure 147: PBB Tab The PBB tab displays the following information. You can filter the contents of the table by typing keywords in the search box or by clicking Quick Filter and selecting available quick filters.
Type: The type of component in the PBB network, along with an icon indicating the PBB component type. In the Map View, the icons indicate the component is configured on the highlighted device. The icon can be one of the following:
- Extended Service ID (ISID)
- Backbone VLAN (BVLAN)
- Protected BVLAN; that is, a BVLAN protected by an EAPS ring
- Customer VLAN (CVLAN)
- Subscriber VLAN (SVLAN)
Tag: The configured tag value for the BVLAN/CVLAN/SVLAN; N/A for ISIDs.
ISID: The tag value of the ISID that the PBB is associated with or bound to.
Name: The name of the BVLAN/CVLAN/SVLAN or ISID.
BVLAN Network: The network name category (if any) that this BVLAN/CVLAN/SVLAN belongs to. You can assign a network name to a BVLAN. When a network name is assigned to a BVLAN, the SVLANs, CVLANs, and ISIDs associated with the BVLAN are automatically assigned the same network name. See Categorizing VLANs With Network Names for more information.
Last Updated: Date and time that the information about the PBB component was last retrieved from the Ridgeline database.
You can select a row in the table and display an overlay view highlighting all of the devices and links in the map where the selected BVLAN, CVLAN, or SVLAN is configured (see the following figure). ISIDs are not shown in the overlay view.
Figure 148: Displaying PBB Components in a Map View
Note: To view PBB information from an Extreme Networks switch, enable HTTP or HTTPS on the switch.
Figure 149: PBB Details Window
The PBB Details window shows the following information:
Tag: The configured tag value for the PBB VLAN, along with an icon indicating the PBB component type. The icon can be one of the following:
- Backbone VLAN (BVLAN)
- Customer VLAN (CVLAN)
- Subscriber VLAN (SVLAN)
Name: The name of the BVLAN, CVLAN, or SVLAN.
ISID: The tag value of the ISID that the PBB is associated with or bound to.
BVLAN Network: The network name category (if any) that this BVLAN/CVLAN/SVLAN belongs to. You can assign a network name to a BVLAN. When a network name is assigned to a BVLAN, the SVLANs and CVLANs associated with the BVLAN are automatically assigned the same network name. To assign a network name to a BVLAN, select VLAN Network Name from the Tools menu. (This option is not available for SVLANs and CVLANs.) See Categorizing VLANs With Network Names for more information.
The PBB component type: BVLAN, CVLAN, or SVLAN.
Date and time that the information about the PBB component was last retrieved from the Ridgeline database.
The BVLAN is protected by EAPS.
Devices/Ports tab Links tab Ports tab VLANs and ISIDs tab
Devices/Ports Tab
When you click the Device tab, the following information appears:
Name: The name of the device where the BVLAN, CVLAN, or SVLAN is configured.
IP Address: The IP address of the device.
SNMP Status: Whether the device is responsive to SNMP.
Device Type: The type of Extreme Networks switch.
Last Updated: Date and time that the information about the device was last retrieved from the Ridgeline database.
Links Tab
When you click the Links tab, the following information appears about the links that make up the PBB component:
Status: A line indicating the status of the link:
- Green line: link is up.
- Red line: link is down.
- Yellow line for a bundled link: some links are down and some are up.
- Grey line: link status is unknown.
- Blue line: link is user-created rather than automatically discovered by Ridgeline.
An icon showing a circle and two lines (shared link):
- Green: link is up.
- Greyed-out green: last-known status of the link was up.
- Red line: link is down.
- Greyed-out red: last known state was down.
- Yellow: some ports on this link are up and some are down.
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
A Port Number/Annotation: The number of the port on the A side of the link.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
B Port Number/Annotation: The number of the port on the B side of the link.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
State: The current state of the link.
Type: The link type; for example, user-created.
A Device Status: The current status of the device on the A side of the link.
A Device Worst Alarm: The status of the highest alarm on the device on the A side of the link.
A Port Status: Whether the port on the A side of the link is enabled or disabled.
A Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
A Port Type: The type of port on the A side of the link.
A Port Share Details: Information about the port sharing configuration on the A side of the link, if configured.
B Device Status: The current status of the device on the B side of the link.
B Device Worst Alarm: The status of the highest alarm on the device on the B side of the link.
B Port Status: Whether the port on the B side of the link is enabled or disabled.
B Link State: Whether the B side of the link is ready to exchange traffic with the A side of the link.
B Port Type: The type of port on the B side of the link.
B Port Share Details: Information about the port sharing configuration on the B side of the link, if configured.
Name: A description of the link in this format: <A device name> <A IP addr> p <port> <B device name> <B IP addr> p <port>.
Ports Tab
When you click the Port tab, Ridgeline displays information about the ports on the selected device, where the selected BVLAN, SVLAN, or CVLAN is configured. The following information appears:
Display Name Type The port number on the device where the BVLAN, CVLAN, or SVLAN is configured. The name of the port, if configured. The speed of the port.
VLANs and ISIDs Tab
The VLANs and ISIDs tab displays information about the relationship between the BVLAN, SVLAN, or CVLAN and the ISID. For a BVLAN, the table displays information about the SVLAN/CVLAN and the ISID. For an SVLAN or CVLAN, the table displays information about the BVLAN and the ISID.
Type: The PBB component type: BVLAN, CVLAN, or SVLAN.
Tag: The configured tag value for the PBB component.
ISID: The tag value of the ISID that the PBB component is associated with or bound to.
Name: The name of the PBB component.
The network name category (if any) that this VLAN belongs to. For more information, see Categorizing VLANs With Network Names. Date and time that the information about the PBB component was last retrieved from the Ridgeline database.
ISID Details
For ISIDs, the following window appears:
Figure 150: ISID Details Window
The ISID details window shows the following information:
ISID: The identifier of the ISID, along with an icon indicating this is an ISID.
Name: The configured name of the ISID.
Type: ISID.
Last Updated: Date and time that the information about the ISID was last retrieved from the Ridgeline database.
BVLAN network Name: The name of the BVLAN network.
Device Table
The Device table displays the following information about the devices where this ISID is configured:
Name: The name of the device where the ISID is configured.
IP Address: The IP address of the device.
SNMP Status: Whether the device is responsive to SNMP.
Device type: The type of Extreme Networks switch.
Last Updated: Date and time that the information about the device was last retrieved from the Ridgeline database.
VLANs Table
The VLANs table has the following information for the BVLANs and SVLANs bound to or associated with the ISID on the selected device:
Type: The PBB VLAN type: BVLAN or SVLAN, along with an icon indicating the type.
Tag: The configured tag value for the BVLAN or SVLAN.
ISID: The tag value of the ISIDs that the BVLAN or SVLAN is associated with or bound to.
Name: The name of the BVLAN or SVLAN.
Network: The network name category (if any) that this BVLAN or SVLAN belongs to.
Last Updated: Date and time that the information about the BVLAN or SVLAN was last retrieved from the Ridgeline database.
Overview of VPLS
A Virtual Private LAN Service (VPLS) domain is a Layer 2 multipoint VPN that allows multiple sites to be connected in a single bridged domain over a provider-managed IP/MPLS network. VPLS enables service providers to offer Ethernet private line services that use a simple Layer 2 interface at the customer edge, and benefit from the resilience and scalability of an MPLS/IP core. All customer sites in a VPLS domain appear to be on the same LAN, regardless of their locations. A VPLS-capable network consists of Customer Edge (CE) switches, Provider Edge (PE) switches, and a core MPLS network. MPLS pseudowire (PW) tunnels are logical connections between two label edge routers (LERs) over a label switched path (LSP). Layer 2 VPN domains are created by adding PWs to each peer LSR to build a fully meshed interconnected VPLS domain, as shown in the following figure.
Figure 151: Fully Meshed VPLS Domain
In a fully meshed VPLS domain, pseudowires must be established between all VPLS peers across the core. For each peer added to a VPLS domain, a PW is signaled that is used to carry traffic from the local LSR to the remote peer LSR. Flood traffic from the local service (broadcast, multicast, and unknown unicast packets) is replicated and forwarded across all PWs in the VPLS domain. Each peer receives one copy of the packet for delivery to its locally attached service. As MAC learning occurs on PWs, unicast packets to a known destination MAC address are forwarded to the peer over the PW from which the MAC address was learned.
For information about hierarchical VPLS, see Hierarchical VPLS (H-VPLS) on page 225. For information about VPLS support in Ridgeline, see VPLS Support in Ridgeline on page 226.
Figure 152: H-VPLS (Hub-and-Spoke) Network
In a hierarchical VPLS domain, a spoke node (often a Multi-Tenant Unit, or MTU) is only required to establish a pseudowire to a single core PE. A VPLS core node that has multiple spoke pseudowires, but no configured core pseudowires, is informally referred to as a hub. This results in a significant reduction in the number of pseudowires that need to be established and maintained. For example, a 10 core PE network with 50 MTU devices per core PE requires almost 260,000 pseudowires using a fully meshed VPLS design. A hierarchical VPLS design requires only 590 pseudowires.
Figure 153: VPLS Table in Network Views
The VPLS table shows the following information. You can filter the contents of the table by typing keywords in the search box.
VPN ID: The name of the VPLS domain, along with an icon indicating its status:
- VPLS domain is up.
- VPLS domain is down.
- Status of the VPLS domain is unknown.
Service Type: The service type configured for the VPLS domain: ethernet.
Last Refreshed: Date and time when the VPLS information was last updated.
For the selected VPLS domain, the map view shows an overlay view highlighting all of the devices and links in the map where the selected VPLS domain is configured (see the preceding figure).
When you select a VPLS domain from the table, all of the peer devices for the selected VPLS domain are highlighted in the map view. In the Pseudowires table (see Pseudowires Tab on page 230), Ridgeline displays information about the pseudowires in the VPLS domain. When you select a pseudowire from the table, Ridgeline highlights the LSP in use. The links and the end nodes of the LSP are highlighted in the map view.
Figure 154: VPLS Domain Details Window
The VPLS Domain details window shows the following information:
VPN ID: The name of the VPLS domain, along with an icon indicating its status:
- VPLS domain is up.
- VPLS domain is down.
- VPLS domain status is unknown.
Name: The name of the VPLS domain.
The service type configured for the VPLS domain: ethernet. The name of the service configured for the VPLS domain, if set. The number of Customer Edge (CE) devices in the VPLS domain Date and time when the VPLS information was last updated.
The VPLS Domain details window displays two tabs: Nodes Pseudowires
Nodes Tab
When you click the Nodes tab on the VPLS Domain Details window (see Displaying VPLS Details on page 228), the following information appears (see the following figure):
The IP address of the device. The name of the VPLS domain. The name of the service configured for the VPLS domain, if set.
Number of Peers: The number of devices with a direct connection via a pseudowire. They do not have to be configured in the VPLS domain.
VPLS Operational Status: Once VPLS is enabled, the status of the VPLS domain. This can be Up, Down, or Other.
VPLS Admin Status: The administrative status of the VPLS domain. This can be Up, Down, or Testing. Testing means packets cannot be sent over the VPLS domain.
Dot1q Tag Option: Whether the dot1q tag option is included or excluded in this VPLS domain.
MTU: Maximum Transmission Unit over the VPLS domain.
SNMP Status: Whether the device is responsive over SNMP.
Device Type: Model type of the device.
Last Updated: When information about the device was last updated.
Pseudowires Tab
When you click the Pseudowires tab of the VPLS Domain Details window (see Displaying VPLS Details on page 228), the following information appears (see the following figure):
Status: The current status of the pseudowire. This can be one of the following:
- Up. The pseudowire is up.
- Down. The pseudowire could be down if pseudowire signaling is not yet finished, or information available at the service level indicates that the pseudowire is not passing packets.
- Lower layer down. One or more of the lower-layer interfaces responsible for running the underlying service is not in UP state.
- Not present. Some component is missing to accomplish the setup of the pseudowire. This could be configuration error, incomplete configuration, or a missing hardware component.
- Testing. The pseudowire is being tested.
- Dormant. The pseudowire is not in a condition to pass packets, but is in a pending state, waiting for some external event.
A Node Address: The address of the node on one side of the pseudowire.
A Device Name: The name and current status of the device on one side of the pseudowire.
A IP Address: The IP address of the device on one side of the pseudowire.
B Node Address: The address of the node on the other side of the pseudowire.
B Device Name: The name and current status of the device on the other side of the pseudowire.
B IP Address: The IP address of the device on the other side of the pseudowire.
Mode: Usage of the pseudowire in the LSP. This can be one of the following: Core to core, Spoke to core, Core to spoke.
The Pseudowire Details window displays three tabs:
- General tab (see General Tab on page 232)
- Configured LSP tab (see Configured LSP Tab on page 234)
- Path in Use tab (see Path in Use Tab on page 235)
General Tab The General tab of the Pseudowire details window (see Displaying Pseudowire Details on page 231) has two sections, Pseudowire and VPLS service (see the following figure). The Pseudowire section shows the following information:
Local status
The status of the pseudowire on the local node. This can be: No faults, Not forwarding, Service inbound fault, Service outbound fault, Packet switch network inbound fault, or Packet switch network outbound fault. Date and time the pseudowire was configured. The amount of time the pseudowire has been operational. When information about the pseudowire was last updated.
Configured LSP Tab The Configured LSP tab of the Pseudowire details window (see Displaying Pseudowire Details on page 231) shows details about the transport LSP used with the pseudowire (see the following figure).
Figure 159: Pseudowires Details Window - Configured LSP Tab
The Configured LSP tab displays the following information.
The signaling protocol in use for the transport LSP, either LDP or RSVP-TE. The configured name of the LSP. The name of the primary path configured for this LSP. Whether fast reroute is enabled or disabled for the LSP.
If the signaling protocol is RSVP-TE and a path is indicated, then the following additional details appear about the primary and secondary paths:
Order: The hop order for the selected LSR in the path.
ERO IP address/net mask: The explicit route object IP address and network mask.
Type: The type of device that the LSR is.
Path in Use Tab The Path in Use tab of the Pseudowire details window (see Displaying Pseudowire Details on page 231) displays details about the labels and interfaces used for the currently selected path along the LSP (see the following figure).
Ingress label: The label applied to packets arriving at the LSR for this path.
Ingress interface: The interface on the LSR where packets arrive for this path.
Label Switch Router ID: The identifier for this LSR.
Next hop IP: IP address of the next hop in the LSP.
Egress label: The label applied to packets exiting at the LSR for this path.
Egress interface: The interface on the LSR where packets exit for this path.
Order: The hop order for the selected LSR in the path.
Create a VPLS domain (Create VPLS script) Associate peers with a VPLS domain (Associate VPLS Peers script)
To run a Ridgeline script, in the navigation pane, click Scripts to view the list of available scripts, and then select the script you want to run from the list. To easily find the two scripts listed above, type VPLS in the search box. For information about using Ridgeline scripts, see Creating a New Ridgeline Script on page 306 and Running a Script on page 310.
compatible devices, assuming they can be successfully added to Ridgeline's inventory database, Ridgeline supports just the basic MIB-2 traps.
Note: Ridgeline automatically configures Extreme Networks devices to send traps to the Ridgeline server when those devices are added to the Ridgeline Inventory database; this is not true for non-Extreme Networks devices: you must manually configure those devices to send traps to the Ridgeline server. To receive syslog messages from a device, the device must be configured to use Ridgeline as a syslog receiver. This is true for both Extreme devices and non-Extreme devices.
Not all trap events are supported in older versions of the ExtremeWare software. For information on the switch software required for specific traps, see Event Types for Alarms.
The bottom of the Ridgeline screen shows a snapshot of the device alarms information:
Predefined Alarms
For convenience, the Ridgeline Alarm Manager provides a number of predefined alarms. For a list of predefined events, see Predefined Events on page 240. These alarms are enabled by default and are active as soon as the Ridgeline server starts up.
There are two scalability-related alarms generated when Ridgeline receives a flood of traps/syslog messages from devices:
- Incoming SNMP traps reached maximum: This alarm is published by Ridgeline if one device sends 50 or more SNMP traps in 30 seconds or the Ridgeline server receives more than 275 SNMP traps per minute.
- Syslog messages reached maximum: This alarm occurs when a higher number of syslog messages floods the Ridgeline server.
You can change the threshold limits for high trap/syslog rate alarms under Ridgeline Administration server properties (see Scalability Properties on page 356):
- Traps per Device in 1/2 Minute
- Total Traps Accepted per Minute
- Syslog messages per Device in 1/2 Minute
- Total syslog messages Accepted per Minute
The predefined alarms include the following:
Name Virus Alert Category Security Severity Major Profile Block Traffic Profile Type System
Exploit Alert Reconnaissance Alert Port Scan Alert DoSandDDoS Alert PolicyViolation Alert Host Sweep Alert Configuration Baseline Difference Wireless Controller over voltage MLAG peer down Wireless Controller high temparature Redundancy Member Down Wireless Controller Fan under speed Stack Member Overheat Link Failed MAC Address Detected On Locked Port Pse main power usage below threshold Incoming Snmp traps reached maximum Power Supply Failed Wireless Controller under voltage Redundant Power Supply failed Device SNMP unreachable BGP Prefix Maximum Exceeded Wireless Controller System panic event Enhanced DOS Threshold Reached Device HTTP unreachable Wireless Controller low temparature AP to Wireless Controller connectivity lost MAC Address Learning Limit Exceeded Redundancy Critical Resource Down Port Failed Overheat detected Pse main power usage above threshold Fan Failed Server load balancer unit activated MAC Address Detected On Unauthorized Port Server load balancer unit deactivated Syslog messages reached maximum
Security Security Security Security Security Security Security Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default
Major Major Major Major Major Major Major Major Major Major Minor Major Minor Major Minor Minor Major Major Major Minor Major Minor Major Minor Major Major Minor Minor Minor Major Major Minor Major Major Minor Major Major
Block Traffic Profile Block Traffic Profile Block Traffic Profile Block Traffic Profile Block Traffic Profile Block Traffic Profile Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default
System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System System
DOS Threshold Reached BGP Prefix Reached Threshold Wireless Controller over temperature
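The trap-rate thresholds given under Predefined Alarms for the Incoming SNMP traps reached maximum alarm, worked as a sliding-window detector over constructed trap arrivals. This is an added example, not Ridgeline code; the sliding-window reading of the thresholds, the raise/clear behaviour, and all names (TrapFloodDetector, observe, tick, replay) are assumptions.

```python
from collections import defaultdict, deque

# Thresholds quoted on this page for "Incoming SNMP traps reached maximum".
PER_DEVICE_LIMIT = 50      # 50 or more traps from one device ...
PER_DEVICE_WINDOW = 30.0   # ... in 30 seconds
TOTAL_LIMIT = 275          # more than 275 traps across the whole server ...
TOTAL_WINDOW = 60.0        # ... per minute
SERVER = "*"               # hypothetical scope key for the server-wide counter


class TrapFloodDetector:
    """Tracks trap arrival times per source and server-wide (assumed design)."""

    def __init__(self):
        self._windows = defaultdict(deque)  # scope -> timestamps still in window
        self._active = set()                # scopes whose alarm is raised

    def _flooding(self, scope, now):
        """Drop timestamps that left the window, then test the threshold."""
        window = TOTAL_WINDOW if scope == SERVER else PER_DEVICE_WINDOW
        stamps = self._windows[scope]
        while stamps and now - stamps[0] >= window:
            stamps.popleft()
        if scope == SERVER:
            return len(stamps) > TOTAL_LIMIT       # "more than 275"
        return len(stamps) >= PER_DEVICE_LIMIT     # "50 or more"

    def _transitions(self, scopes, now):
        """Emit (time, 'raise' | 'clear', scope) only when the state changes."""
        out = []
        for scope in scopes:
            flooding = self._flooding(scope, now)
            if flooding and scope not in self._active:
                self._active.add(scope)
                out.append((now, "raise", scope))
            elif not flooding and scope in self._active:
                self._active.discard(scope)
                out.append((now, "clear", scope))
        return out

    def observe(self, ts, source):
        """Record one trap from `source` at time `ts` (seconds)."""
        self._windows[source].append(ts)
        self._windows[SERVER].append(ts)
        return self._transitions([source, SERVER], ts)

    def tick(self, now):
        """Re-check raised alarms so a source that went silent is cleared."""
        return self._transitions(sorted(self._active), now)


def replay(detector, events):
    """Feed (timestamp, source) pairs in time order; collect all transitions."""
    out = []
    for ts, source in events:
        out.extend(detector.observe(ts, source))
    return out


# Constructed sample input (addresses from the 192.0.2.0/24 documentation range).
# One device sending a trap every 0.5 s: the 50th arrives at t = 24.5 s.
ONE_NOISY_DEVICE = [(i / 2, "192.0.2.10") for i in range(50)]
# Twelve devices, each far below the per-device limit, 276 traps in 55 s total.
MANY_QUIET_DEVICES = [(i / 5, f"192.0.2.{i % 12 + 1}") for i in range(276)]

if __name__ == "__main__":
    d = TrapFloodDetector()
    print(replay(d, ONE_NOISY_DEVICE), d.tick(30.0))
    print(replay(TrapFloodDetector(), MANY_QUIET_DEVICES))
```

The second data set shows why the server-wide limit exists alongside the per-device one: no single source trips its own threshold, yet the aggregate rate does.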
Predefined Events
For convenience, the Ridgeline Alarm Manager provides a number of predefined events. For a list of predefined alarms, see Predefined Alarms on page 238. These events are enabled by default and are active as soon as the Ridgeline server starts up. These include the following events:
Name OSPF Neighbor State Change Dsx1 Line Status Change [Wireless Controller Event]User authentication failed VM Undetected [Wireless Controller Event]POE read failure Redundancy Critical Resource Down Notice Custom Event Wireless AP Added ESRP Master Re-election After MSM Failover Free RADIUS Down CPU Utilization Falling Threshold Wireless Counter Measure Stopped BGP M2 Threshold Reached EAPS Segment Timer Expiry Flag Set OSPF Virtual Neighbor State Change VM Detected EDP Neighbor Removed Mobility Up Device Reboot Wireless Client Netlogin Client Associated [Wireless Controller Event]User authentication success Threat Action Result Warning [Wireless Controller Event]POE initialization failure Configuration Restore Failed Profile Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Type SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap Syslog NMS generated SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap Syslog SNMP Trap NMS generated
Authentication Failed CPU Utilization Rising Threshold FTP Server Config Error Identity Management Memory Level Change BGP M2 Max Exceeded Virus Alert Extreme Mpls Tunnel Status Change EAPS Last Status Change Configuration Backup Failed Wireless AP Updated BGP Established Mobility Down Health Check Failed Stack Member Down Netlogin Authentication Failure [Wireless Controller Event]User successful login Dsx1 No Loss of Master Clock OSPF Interface Config Error Mobility Peer Up Wireless AP Removed EGPNbrLoss Dsx1 Loss of Master Clock Port Scan Alert Free RADIUS Up Extreme Mpls LdpSession StatusChange OSPF Interface State Change ELRP VLAN Loop Detected Virus Alert Cleared [Wireless Controller Event]Over temparature EAPS Configuration Change OSPF Virtual Interface Config Error MSM Failover Occured Information Configuration Backup OK [Wireless Controller Event]Failed login attempt - authentication failed Stacking Link Down UPM Profile Execution
Default Default Default Default Default Block Traffic Profile Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Block Traffic Profile Default Default Default Default
SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap
Unblock Traffic Profile SNMP Trap Default Default Default Default Default Default Default Default Default SNMP Trap SNMP Trap SNMP Trap SNMP Trap Syslog NMS generated SNMP Trap NMS generated SNMP Trap
OSPF LSDB Approaching Overflow SNMP Reachable Redundancy Member Down Netlogin User Login [Wireless Controller Event]High temparature Redundancy Adoption Exceeded Reach Device Unplugged event Rogue Access Point Found Invalid Policy Definition PolicyViolation Alert Ping Test Failed Warm Start SLB Unit Removed Reach Software Upgraded event Redundancy Member Misconfigured Cold Start PoE PSU Status Changed PolicyViolation Alert Cleared One Shot Event No Longer Valid Debug [Wireless Controller Event]Failed login attempt - access violation Reachability unknown [Wireless Controller Event]Low temparature OSPF LSDB Overflow SLB Unit Added DOS Threshold Cleared Netlogin User Logout Ping Test Completed EAPS Root Blocker Status Change [Wireless Controller Event]Failed login attempt - no such user role HTTP Reachable Syslog Flood MAC Address Detected On Unauthorized Port OSPF Max_Age LSA Redundancy License Changed Link Up EAPS Shared Port Status Change
Default Default Default Default Default Default Default Default Default Block Traffic Profile Default Default Default Default Default Default Default
SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap
Unblock Traffic Profile SNMP Trap Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default NMS generated Syslog SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap
[Wireless Controller Event]Over voltage DOS Threshold Reached Extreme Vpls Status Change MAC Unmapped SNMP Unreachable Main Power Usage On Reconnaissance Alert OSPF Virtual Interface State Change [Wireless Controller Event]User logged out MAC Address Detected On Locked Port [Wireless Controller Event]Under voltage MAC Mapped EAPS Segment Timer Expiry Flag Cleared Redundancy Critical Resource Up Enhanced DOS Threshold Cleared Reconnaissance Alert Cleared HTTP Unreachable Pse Port On/Off Redundancy Member Up EDP Neighbor Added Link Down Radio Detected [Wireless Controller Event]Server unreachable event Power Supply Failed Processor State Change Trap OSPF Originate LSA Main Power Usage Off Configuration Baseline Difference [Wireless Controller Event]System clock reset EAPS Fail Timer Expired Flag Set DoSandDDoS Alert Fan Failed Stacking Port Status Changed Reach Device plugged event Smarttrap CPU Health Check Failed Device Warning From EPI Center
Default Default Default Default Default Default Block Traffic Profile Default Default Default Default Default Default Default Default
SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap
Unblock Traffic Profile SNMP Trap Default Default Default Default Default Default Default Default Default Default Default Default Default Default Block Traffic Profile Default Default Default Default Default Default NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap NMS generated
EAPS State Change [Wireless Controller Event]Auto upgrade module is enabled [Wireless Controller Event]System panic event [Wireless Controller Event]Fan under-speed OSPF Virtual Interface TX Retransmit Entity MIB Changed ESRP State Change for ExtremeXOS Stack Member Status Changed Redundant Power Supply OK Unapproved AP Detected Exploit Alert Cleared [Wireless Controller Event]Wireless client EAP authentication successful BGP Prefix Max Exceeded Epicenter Script Event OSPF TX_Retransmit Policy Configuration Start MAU Changed for ExtremeXOS [Wireless Controller Event]Auto upgrade module is disabled EAPS Link Down Ring Complete Wireless Probe Info Added Unapproved AP Removed ESRP StateChange Syslog Flood Cleared Port Diagnostics [Wireless Controller Event]AP reset Invalid Login SummitWM Log Change MAC Address Learning Limit Exceeded Script Backgroud Command Failed Ping Probe Failed Device Policy Configuration EAPS Fail Timer Expired Flag Cleared High Trap Count Cleared SummitWM Altitude Tunnel Alarm DoSandDDoS Alert Cleared Slot Change
Default Default Default Default Default Default Default Default Default Default
SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap
Unblock Traffic Profile SNMP Trap Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default SNMP Trap SNMP Trap NMS generated SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap NMS generated SNMP Trap NMS generated SNMP Trap
VM VPP SYNC Failed Fan OK OSPF Virtual Interface Receive Bad Packet [Wireless Controller Event]AP to controller connectivity lost Enhanced DOS Threshold Reached Wireless Probe Info Removed Power Supply OK Script Save Config Failed Host Sweep Alert Dsx3 Line Status Change Extreme Pw Status Change Port Down EAPS Primary or Secondary Port Status Change FTP Server Config OK Fan Failed Wireless Port State Changed STP topology change Wireless Off Channel Scan Started [Wireless Controller Event]Wireless client denied association Mobility Peer Down [Wireless Controller Event]AP adopted OSPF Interface Receive Bad Packet Emergency Port Scan Alert Cleared Power Supply Failed Stack Member Overheat Dsx3 Loss of Master Clock Extreme Pw Deleted BGP Backward Transition BGP Prefix Reached Threshold Wireless Client Station Aged Out AUP Alarm [Wireless Controller Event]Wireless client disassociated Alert OSPF Virtual Interface Authentication Failure High Trap Count [Wireless Controller Event]AP unadopted
Default Default Default Default Default Default Default Default Block Traffic Profile Default Default Default Default Default Default Default Default Default Default Default Default Default Default
SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap Syslog
Unblock Traffic Profile SNMP Trap Default Default Default Default Default Default Default Default Default Default Default Default Default SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap Syslog SNMP Trap NMS generated SNMP Trap
Eaps State Changed Warning lldp remote table changed Extreme SentriantAG Alarm Overheat Radio Adopted MLAG peer up Wireless Port Boot Failed Exploit Alert MLAG peer up Wireless Off Channel Scan Finished Eaps State Changed Error Critical [Wireless Controller Event]Wireless client associated Ping OK Port Up OSPF Interface Authentication Failure MLAG peer down [Wireless Controller Event]POE state changed Wireless Counter Measure Started Radio Unadopted Error MLAG peer down Extreme ClearFlow Alarm Redundant Power Supply Failed Host Sweep Alert Cleared Overheat Ping failed Configuration Restore OK Dsx3 No Loss of Master Clock STP new root
Default Default Default Default Default Default Default Block Traffic Profile Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default Default
NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap NMS generated SNMP Trap NMS generated Syslog SNMP Trap NMS generated SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap SNMP Trap Syslog NMS generated SNMP Trap SNMP Trap
Unblock Traffic Profile SNMP Trap Default Default Default Default Default NMS generated NMS generated NMS generated SNMP Trap SNMP Trap
Standing, abnormal conditions. Standing means that a condition is in force for some length of time with a definite start and end (for example: a missing card, the loss of a neighbor, etc.). A standing condition is not something that is transitory, and while serious, is not something that has a specific lifetime. Invalid logon attempts, the failure of a file download, and a device reboot are not standing conditions: there is nothing to specifically clear invalid logon attempts, and a file download does not have a clearing condition.
Having a state. Alarms are either outstanding (active, on) or cleared.
Associated with two event types: one raising the alarm, another clearing it.
The Outstanding alarms tab (see The Outstanding Alarms Tab on page 247) displays alarms that are active or orphaned until they are cleared either automatically or manually. Automatically cleared alarms are moved to the historical alarms table on the Cleared Alarms and Events tab after five minutes (see The Cleared Alarms and Events Tab on page 252).
Historical alarms are moved to Alarms_Log.txt
Historical events are moved to Events_Log.txt
Historical syslog messages are moved to Syslog_Log.txt
These files are located at . You can change the above conditions in Ridgeline Administration, under server properties:
Maximum records to be in alarms/events history
Maximum number of days to keep the alarms/events history
For information about changing these server properties, see Alarms Properties on page 357.
An alarm can be generated due to an SNMP or RMON trap, a syslog message, or based on the results of a poll. By default, all the predefined alarms are enabled; therefore, you may see alarm entries the first time you view the Alarm Manager, even if you have not defined any alarms of your own.
Alarms that can be automatically cleared (status = Automatically cleared) move to the historical alarms view after a clearing event, once the time period defined in the Timeout on moving cleared alarms to historical (in seconds) property has elapsed (default is 30 seconds). Similarly, single events move to the single events table after the time period defined in the Timeout on moving active events to historical (in hours) property (default is 5 hours). For more information about how to set these properties, see Alarms Properties on page 357, and for more information about events and alarms, see Definition of Alarms and Events on page 246.
With alarms, you can:
Acknowledge alarms
Clear alarms
Pause alarms
Export alarms
Change the received time format
Move alarms to the historical alarms table
The Outstanding alarms tab displays the following information for each alarm:
Name: A name for the alarm type, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The severity levels and the related icons: Minor, Major, Critical.
The IP address of the device that generated the trap or responded to a poll.
Name of the device that generated the alarm.
The date and time at which the alarm was received. This can be shown in absolute or relative time. Click Toggle Time Format to switch between the two time modes.
A check mark indicates that this alarm has been acknowledged (see Acknowledging Alarms).
Active: Alarm condition is active on the device.
Orphaned: Alarm condition might be active on the device. You must manually clear orphaned alarms or they remain in the outstanding table indefinitely.
Automatically cleared: Alarms that can be automatically cleared move into the historical alarms table after a clearing event, once the time period defined in the Timeout on moving cleared alarms to historical (in seconds) property has elapsed. For more information about how to set this property, see Alarms Properties on page 357.
Details: Additional details about the alarm.
Category: An optional user-defined classification that defaults to Default. For more information, see Creating New Alarm Definitions on page 254.
The alarms list is initially sorted by the date/time received in descending order, so that the most recent alarm appears at the top of the list. You can sort the display by the contents of any column by clicking the column heading. Click the heading a second time to reverse the sort order based on that column.
For each selected alarm, additional information appears on the left side of the bottom pane:
Number of events: Indicates the number of times that this event/alarm has occurred.
Name: A name for the alarm type, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The severity levels and the related icons: Normal, Warning, Minor, Major, Critical.
The IP address of the device that generated the trap or responded to a poll.
Name of the device that generated the alarm.
A check mark indicates that this alarm has been acknowledged (see Acknowledging Alarms).
Active: Alarm condition is active on the device.
Orphaned: Alarm condition might be active on the device. You must manually clear orphaned alarms or they remain in the outstanding table indefinitely.
Automatically cleared: Alarms that can be automatically cleared move into the historical alarms table after a clearing event, once the time period defined in the Timeout on moving cleared alarms to historical (in seconds) property has elapsed. For more information about how to set this property, see Alarms Properties on page 357.
Additional details about the alarm.
An optional user-defined classification that defaults to Default. For more information, see Creating New Alarm Definitions on page 254.
The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
The last time when the alarm was updated.
The message that has been configured on the associated alarm profile for this alarm (see Defining Alarms on page 253).
The date/time at which the alarm was received.
For each selected alarm, additional information appears on the right side of the bottom pane:
Time: The date/time of all actions taken on the event/alarm occurrence.
Action: The name of each action taken on the event/alarm occurrence.
By: The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
Result: The outcome of the action on the event/alarm occurrence (Success or Failure).
Note: When acknowledging or unacknowledging an alarm, optional text that you can add (see Acknowledging Alarms on page 249).
Acknowledging Alarms
To acknowledge an alarm:
1 Select the alarm(s) that you want to acknowledge.
2 Click Ack. The Acknowledged alarm note dialog box appears.
3 Type an acknowledging note in the box. This text appears in the lower pane of the Outstanding tab (see The Outstanding Alarms Tab on page 247).
4 Click Save. A check mark now appears in the Ack column for the selected alarm(s).
The acknowledgement appears in the lower pane of the Outstanding alarms tab (see The Outstanding Alarms Tab on page 247). You can unacknowledge alarms you have previously acknowledged, if needed (see Unacknowledging Alarms on page 250). The Ack or Unack operation may take a few seconds to update the database. When the update is complete, the rows are deselected.
Unacknowledging Alarms
If you have acknowledged an alarm (see Acknowledging Alarms on page 249), you can unacknowledge it. To unacknowledge an alarm:
1 Select the alarm(s) that you want to unacknowledge.
2 Click Unack. The Unacknowledged Alarm Note dialog box appears.
3 Type an unacknowledging note in the box.
4 Click Save. The check mark is now cleared from the Ack column for the selected alarm(s).
The unacknowledgement appears in the lower pane of the Outstanding alarms tab (see The Outstanding Alarms Tab on page 247). You can acknowledge the alarm again, if needed (see Acknowledging Alarms on page 249). The Ack or Unack operation may take a few seconds to update the database. When the update is complete, the rows are deselected.
Clearing Alarms
Clearing alarms removes them from the Outstanding alarms tab and moves them to the historical alarms table on the Cleared Alarms and Events tab.
Note: You cannot undo clearing an alarm.
To clear an alarm:
1 Select the check box for the desired alarm. The Cleared alarm note dialog box appears.
2 Type a note in the box, and then click Save. The alarm moves from the Outstanding tab, and now appears in the Cleared Alarms and Events tab. The note text appears in the Note column in the lower pane for each selected alarm on the Cleared Alarms and Events tab.
Absolute time is a date/time (for example: Mar 13, 2013 03:45:55 EDT). Relative time is an approximate time period relative to now (for example: one week ago).
To change the time format: On either the Outstanding or Cleared Alarms and Events tab, click Toggle Time Format. The received time in the Received column changes between absolute time and relative time format.
For each selected alarm, the following additional information appears on the left side of the details pane (bottom).
Number of events: Indicates the number of times that this event/alarm has occurred.
Name: A name for the alarm, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The severity levels and the related icons are as follows: Normal, Warning, Minor, Major, Critical.
The IP address of the device that generated the trap or responded to a poll.
Name of the device that generated the alarm.
Ack: A check mark indicates that this alarm has been acknowledged (see Acknowledging Alarms).
Status:
Active: Alarm condition is active on the device.
Orphaned: Alarm condition might be active on the device. You must manually clear orphaned alarms or they remain in the outstanding table indefinitely.
Automatically cleared: Alarms that can be automatically cleared move into the historical alarms table after a clearing event, once the time period defined in the Timeout on moving cleared alarms to historical (in seconds) property has elapsed. For more information about how to set this property, see Alarms Properties on page 357.
Additional details about the alarm.
An optional user-defined classification that defaults to Default. For more information, see Creating New Alarm Definitions on page 254.
The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
The last time when the alarm/event was updated.
The date/time at which the alarm was received.
The message that has been configured on the associated alarm profile for this alarm (see Defining Alarms on page 253).
Additional information appears depending on the type of alarm. If the event for the alarm is based on:
SNMP traps: variable bindings list appears
Syslog message: variable bindings appear with syslog-specific message data such as SEV, FAC, and CONTEXT
NMS polling: no variable bindings appear
For each selected alarm, the following additional information appears on the right side of the details pane (bottom).
Time: The date/time of all actions taken on the event/alarm occurrence.
Action: The name of each action taken on the event/alarm occurrence.
By: The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
Result: The outcome of the action on the event/alarm occurrence (Success or Failure).
Note: When acknowledging or unacknowledging an alarm, optional text that you can add (see Acknowledging Alarms on page 249).
Defining Alarms
For convenience, the Ridgeline Alarm Manager provides a number of predefined alarms. These alarms are all enabled by default, and become active immediately when the Ridgeline server starts up. The predefined alarms generate alarm log entries, but no other actions are specified. You can modify the predefined alarms or define your own custom alarms to report errors based on a number of event types under conditions you specify, such as repeated occurrences or exceeding threshold values. You can also specify the actions to occur when an alarm happens, such as sending email, running a program, running a Ridgeline script, or sounding an audible alert.
To view the current alarm definitions, to create new definitions (see Creating New Alarm Definitions on page 254), or to modify existing definitions, click the Alarm and Event Definitions tab (shown below).
Figure 161: Alarm and Event Definitions Tab
The Alarm and Event Definitions tab displays the following information:
Name: The name of the alarm.
categoryName: The category to which the alarm belongs (for more information about how categories are set, see Creating New Alarm Definitions on page 254).
Severity: The severity level of the alarm (minor, major, critical).
Profile: A defined set of actions (such as sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can change this default profile and create other profiles (see Defining Alarm Profiles on page 262).
Type: The event type that triggers this alarm, such as SNMP trap, etc.
Enabled: Whether the alarm is enabled (green check mark) or disabled (red "X").
2 Click the Alarm and Event Definitions tab.
3 Click New Alarm Definition. The New Alarm Definition dialog box appears.
Figure 162: New Alarm Definition Dialog Box
4 Type a name for the new alarm definition in the Name box. This name appears in the alarm lists and (optionally) elsewhere. This defines the variable alarmName.
5 Make selections for the following settings:
Severity: The severity level associated with the alarm, indicated by both name and color: Minor, Major, Critical. This defines the variable alarmSeverity. The severity level also determines the sound that is played as an audible alert.
Category: The category to which the alarm belongs. Alarm categories are arbitrary collections of alarms that you can define according to your needs, and then assign to specific alarm definitions. For example, you might use categories to designate alarms from individual buildings, floors, or workgroups. An ISP might define categories for alarms from a specific customer's equipment. By default, all alarms are assigned to the category named Default. This category cannot be deleted. To add or delete categories, click Manage Categories. The Manage Categories dialog box appears: To add a category, type a name in the Category Name box, click Add, and then click Close. The new category appears in the list. To delete a category, select the category's check box, click Delete, and then click Close.
Profile: A defined set of actions (such as sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can create other profiles (see Defining Alarm Profiles on page 262). Select a profile from the list.
Raise alarm when this event is received
Type: The type of event that generates the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below. The event type is concatenated with the event name to define the variable eventTypeName.
Name: The specific event (trap) that should trigger this alarm. Select the event from the list. The event name is concatenated with the event type to define the variable eventTypeName. For a description of the Ridgeline and SNMP events from which you can choose, see Event Types for Alarms on page 537.
You can specify that the alarm should be triggered only if the data provided with the event matches a specific pattern. The pattern matching syntax uses regular expressions. You can use * or % to match any sequence of zero or more characters. ? or _ (question mark or underscore) can be used to match any one character. To match one of a set of characters, enclose the characters in brackets. For example, [abcd] matches one of a, b, c, or d.
Issue alarm only when event is received
For example, the following regular expressions can be used for monitoring MPLS removals and insertions using alarm pattern matching:
For removals: *ConfiguredType: 104?*InsertedType: 1?*State: 1*
For insertions: *ConfiguredType: 104?*InsertedType: 104?*State: 5*
The required number of times an event must occur before an alarm is generated. You can specify both the number of times the event must occur, and the time frame within which these events must occur. This lets you filter out short-lived or non-repeatable events, and define an alarm that takes action only if the triggering event occurs repeatedly within a defined time frame.
Note: When you use this control for an SNMP unreachable alarm, note that Ridgeline generates SNMP unreachable alarms only when there are SNMP state changes (reachable to unreachable) occurring for that device according to the configured repetitive occurrence setting. For example, if you configure the Repetitive occurrence specification parameter as 2 times within 15 minutes, Ridgeline does not generate SNMP unreachable alarms if it finds the device is unreachable twice within 15 minutes. Instead, those alarms are generated only when Ridgeline finds state changes (reachable to unreachable) for the device twice within 15 minutes.
For a description of SNMP unreachable and SNMP reachable alarms, see the table in Ridgeline Events on page 547. If you want Ridgeline to generate SNMP unreachable alarms even without an SNMP state change, then edit the management.properties file and change EmitSnmpUnreachableEventAlways from FALSE to TRUE, and then restart the Ridgeline server and database. This change results in continuous SNMP unreachable alarm generation for all unreachable devices on every status poll, but when combined with Repetitive occurrence specification, the alarms will be generated according to the settings.
Clear alarm when this event is received
Add clearing event: Select this check box to enable a defined event that, when it occurs, clears the alarm. You can then make selections for Type and Name below.
Type: The type of event that should clear the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below. Note: This control is unavailable if the Add clearing event check box is not selected.
Name: Name of the event to clear the alarm. Note: This control is unavailable if the Add clearing event check box is not selected.
Select this check box to exclude the application of this alarm definition on selected devices and/or ports. Leaving this check box clear applies the alarm definition to all devices and ports in the Ridgeline inventory. Under Available Devices, select the check box(es) for the device(s) that you want to exclude, and then click Add. The selected devices appear under Excluded Devices. Note: You can filter the list by typing keywords in the search box or selecting a group from the drop-down list.
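The wildcard syntax described above for matching data within an event can be checked offline before an alarm definition depends on it. The following is an added example, not Ridgeline code: it translates the documented wildcards into a Python regular expression and runs the guide's two MPLS patterns over constructed event data. Whole-string, case-sensitive matching and the sample field layout are assumptions.

```python
import re


def wildcard_to_regex(pattern):
    """Compile a pattern written in the wildcard syntax the guide describes.

    *  or %   any sequence of zero or more characters
    ?  or _   exactly one character
    [abcd]    exactly one character from the listed set
    Anything else is matched literally.

    Assumptions (not stated in the guide): the pattern must cover the whole
    event data string, matching is case-sensitive, and bracket contents are a
    plain list of characters (no ranges, no negation).
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch in "*%":
            parts.append(".*")
        elif ch in "?_":
            parts.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end in (-1, i + 1):
                # Unterminated or empty set: treat "[" as a literal character.
                parts.append(re.escape(ch))
            else:
                members = pattern[i + 1:end]
                parts.append("[" + "".join(re.escape(c) for c in members) + "]")
                i = end  # continue after the closing bracket
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern, event_data):
    """True if the whole event data string matches the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(event_data) is not None


# The two patterns given in the guide.
REMOVAL = "*ConfiguredType: 104?*InsertedType: 1?*State: 1*"
INSERTION = "*ConfiguredType: 104?*InsertedType: 104?*State: 5*"

# Constructed event data strings; the field layout and values are assumptions.
SAMPLES = {
    "removed": "Slot: 3 ConfiguredType: 1040 InsertedType: 1 State: 1",
    "inserted": "Slot: 3 ConfiguredType: 1040 InsertedType: 1040 State: 5",
    # "1?" also matches the first two digits of a longer value, so only the
    # State clause separates this record from an insertion.
    "same_type_state_1": "Slot: 3 ConfiguredType: 1040 InsertedType: 1040 State: 1",
    # The trailing * lets "State: 1" match any state value that starts with 1.
    "state_12": "Slot: 3 ConfiguredType: 1040 InsertedType: 1 State: 12",
    "other_card": "Slot: 3 ConfiguredType: 2010 InsertedType: 2010 State: 5",
}


def classify(event_data):
    """Return the names of the guide's patterns that the event data matches."""
    hits = []
    if matches(REMOVAL, event_data):
        hits.append("removal")
    if matches(INSERTION, event_data):
        hits.append("insertion")
    return hits


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {classify(data)}")
```

Under these assumptions the wildcards are prefix matches, so a pattern meant for one numeric value also fires on longer values that begin with the same digits.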
Figure 164: Modify Alarm Definition Dialog Box (User-Created)
You can change:
Enable or disable the alarm definition.
The Profile: A defined set of actions (such as sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can create other profiles (see Defining Alarm Profiles on page 262). Select a profile from the list.
5 For user-created alarm definitions, you can change the following:
Severity: The severity level associated with the alarm, indicated by both name and color: Minor, Major, Critical. This defines the variable alarmSeverity. The severity level also determines the sound that is played as an alert.
Category: The category to which the alarm belongs. Alarm categories are arbitrary collections of alarms that you can define according to your needs, and then assign to specific alarm definitions. For example, you might use categories to designate alarms from individual buildings, floors, or work groups. An ISP might define categories for alarms from a specific customer's equipment. By default, all alarms are assigned to the category named Default. This category cannot be deleted. To add or delete categories, click Manage Categories. The Manage Categories dialog box appears. To add a category, type a name in the Category Name box, click Add, and then click Close. The new category appears in the list. To delete a category, select the category's check box, click Delete, and then click Close.
Profile: A defined set of actions (such as sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can create other profiles (see Defining Alarm Profiles on page 262). Select a profile from the list.
Raise alarm when this event is received
Type: The type of event that generates the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below. The event type is concatenated with the event name to define the variable eventTypeName.
Name: The specific event (trap) that should trigger this alarm. Select the event from the list. The event name is concatenated with the event type to define the variable eventTypeName. For a description of the Ridgeline and SNMP events from which you can choose, see Event Types for Alarms on page 537.
Match data within event: You can specify that the alarm should be triggered only if the data provided with the event matches a specific pattern. The pattern matching syntax uses regular expressions. You can use * or % to match any sequence of zero or more characters. ? or _ (question mark or underscore) can be used to match any one character. To match one of a set of characters, enclose the characters in brackets. For example, [abcd] matches one of a, b, c, or d.
For example, the following regular expressions can be used for monitoring MPLS removals and insertions using alarm pattern matching:
For removals: *ConfiguredType: 104?*InsertedType: 1?*State: 1*
For insertions: *ConfiguredType: 104?*InsertedType: 104?*State: 5*
The required number of times an event must occur before an alarm is generated. You can specify both the number of times the event must occur, and the time frame within which these events must occur. This lets you filter out short-lived or non-repeatable events, and define an alarm that takes action only if the triggering event occurs repeatedly within a defined time frame.
Note: When you use this control for an SNMP unreachable alarm, note that Ridgeline generates SNMP unreachable alarms only when there are SNMP state changes (reachable to unreachable) occurring for that device according to the configured repetitive occurrence setting. For example, if you configure the Repetitive occurrence specification parameter as 2 times within 15 minutes, Ridgeline does not generate SNMP unreachable alarms if it finds the device is unreachable twice within 15 minutes. Instead, those alarms are generated only when Ridgeline finds state changes (reachable to unreachable) for the device twice within 15 minutes.
For a description of SNMP unreachable and SNMP reachable alarms, see the table in Ridgeline Events on page 547. If you want Ridgeline to generate SNMP unreachable alarms even without an SNMP state change, then edit the management.properties file and change EmitSnmpUnreachableEventAlways from FALSE to TRUE, and then restart the Ridgeline server and database. This change results in continuous SNMP unreachable alarm generation for all unreachable devices on every status poll, but when combined with Repetitive occurrence specification, the alarms will be generated according to the settings.
Clear alarm when this event is received
Add clearing event: Select this check box to enable a defined event that, when it occurs, clears the alarm. You can then make selections for Type and Name below.
Type: The type of event that should clear the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below. Note: This control is unavailable if the Add clearing event check box is not selected.
Name: Name of the event to clear the alarm. Note: This control is unavailable if the Add clearing event check box is not selected.
Scope of specific devices or ports: Select this check box to exclude the application of this alarm definition on selected devices and/or ports. Leaving this check box clear applies the alarm definition to all devices and ports in the Ridgeline inventory. Under Available Devices, select the check box(es) for the device(s) that you want to exclude, and then click Add. The selected devices appear under Excluded Devices. Note: You can filter the list by typing keywords in the search box or selecting a group from the drop-down list.
6 Click OK.
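The interaction between the Repetitive occurrence specification and EmitSnmpUnreachableEventAlways described above decides whether a device that stays down ever raises an SNMP unreachable alarm. The following added example (not Ridgeline code) models both modes over constructed status-poll results. The 300-second poll interval, the reset of the count after an alarm, and the inclusive window boundary are assumptions.

```python
from collections import deque


def unreachable_events(polls, emit_always=False):
    """Yield the timestamps at which an SNMP unreachable event is emitted.

    polls: iterable of (timestamp_seconds, reachable) status-poll results.
    emit_always=False: an event only on a reachable -> unreachable state
                       change, the behaviour the guide describes.
    emit_always=True:  models EmitSnmpUnreachableEventAlways=TRUE, an event
                       on every poll that finds the device unreachable.
    Assumption: the device counts as reachable before the first poll.
    """
    was_reachable = True
    for ts, reachable in polls:
        if not reachable and (emit_always or was_reachable):
            yield ts
        was_reachable = reachable


def alarm_times(event_times, times, window_s):
    """Apply "N times within a time frame" to a stream of event timestamps.

    Returns the timestamps at which an alarm would be generated.
    Assumption: counting starts over after an alarm has been generated.
    """
    recent = deque()
    alarms = []
    for ts in event_times:
        recent.append(ts)
        # Drop events that fall outside the time frame ending at ts.
        while recent[0] < ts - window_s:
            recent.popleft()
        if len(recent) >= times:
            alarms.append(ts)
            recent.clear()
    return alarms


def simulate(polls, times=2, window_s=15 * 60, emit_always=False):
    """Alarm timestamps for one device under the given settings."""
    return alarm_times(unreachable_events(polls, emit_always), times, window_s)


# Constructed poll results, one status poll every 300 seconds.
DOWN_HARD = [(0, True), (300, False), (600, False), (900, False), (1200, False)]
FLAPPING = [(0, True), (300, False), (600, True), (900, False),
            (1200, False), (1500, False)]

if __name__ == "__main__":
    for name, polls in (("down hard", DOWN_HARD), ("flapping", FLAPPING)):
        for always in (False, True):
            print(f"{name:10} emit_always={always!s:5} "
                  f"alarms at {simulate(polls, emit_always=always)}")
```

With "2 times within 15 minutes" and the default setting, the device that goes down once and stays down produces a single state change and therefore no alarm; only the flapping device does.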
4 Type a name for the alarm profile in the Name box.
5 (Optional) Type a description of the alarm profile in the Description box.
6 If you want the profile to include sending an e-mail or text message:
a Click the Message tab.
b Type the desired message in the lower box.
c Add system variables to the message as needed by clicking the desired variable in the System variables list. For detailed information about these variables, see Ridgeline Alarm Variables Table. Add variables from the System variables list and add your own text. For Syslog messages, use the eventData variable to display the Syslog message.
Note: The e-mail header displays the alarm number, alarm name, source IP address, device name, ifIndex, and severity. The e-mail body displays the alarm time, alarm name, alarm category, severity, source IP address and ifIndex, alarm message, the event name that triggered the alarm, the result of the alarm action, and a URL link to the Ridgeline server.
7 Click the Actions tab.
8 Set the actions that should occur for the profile:
Sound alert: Select this check box to sound an audible alert on the client computer when the alarm occurs. The alarm will sound on all Ridgeline clients currently connected to the Ridgeline server. The sound that is played depends on the severity level of the alarm. The alert sound files are located on the Ridgeline server in the \extreme subdirectory of the Ridgeline installation directory, and are named according to the severity level they represent (normal.wav, warning.wav, etc.).
Select this check box to indicate that e-mail should be sent, and then enter the e-mail address(es) of the recipients for the e-mail. Separate e-mail addresses in a list with either commas, semicolons, or spaces. If this check box is unavailable, you must first configure your e-mail settings (see E-mail Properties).
Select this check box to indicate that a short e-mail (appropriate for text paging) should be sent, and then enter the e-mail address(es) of the recipients for the e-mail. Separate e-mail addresses in a list with either commas, semicolons, or spaces. Short e-mail provides the alarm number, name and the IP address of the source of the alarm in the subject header. The message body provides alarm name, source of alarm, ifAlias corresponding to the ifIndex in the trap, severity and the alarm message. If this check box is unavailable, you must first configure your e-mail settings (see E-mail Properties).
Select this check box to specify e-mail settings different from the global e-mail settings:
SMTP Host: The outgoing mail server name (or IP address).
Username: The user name for mail server authentication.
Sending Address: The e-mail address that should be used as the sender of the e-mail.
Password: The password for mail server authentication.
Select this check box to specify a program to run when this alarm occurs. Enter the command string for the program in the box below the Add button. To include Alarm Manager variables as arguments in the command string, select a variable from the list, and then click Add. You can also include trap varbinds as arguments in the command string, if the SNMP event that triggers this alarm provides varbinds. For more information on how to include varbinds, see Using Trap Varbinds in a Command String.
Note: On a Windows system, if you want to run a program that outputs to the desktop, you must configure the Ridgeline server to allow this (see Configuring the Ridgeline Server to Allow Output to the Desktop on page 577).
Note: If you want to specify a batch file that outputs to the desktop, you must specify the .bat file within a DOS cmd command:
Select this check box to run a script when this alarm occurs. Click Select Script to select a script from a list of saved scripts. The Macro List dialog box appears. Select a macro in the list, and then click OK. The selected macro appears in the Run a script box. For a list of definitions of the Alarm Manager variables you can use, see Ridgeline Alarm Variables Table. When the script runs as an alarm action, the script results can be saved in the Ridgeline audit log. To save the script to the audit log, enable the Save results in audit Log option in the run-time settings for the script. For more information, see Specifying Run-Time Settings for a Script.
Select this check box to forward the trap event that caused this alarm. Ridgeline events such as Config Upload OK, Config Upload Failed, SNMP Unreachable, and SNMP Reachable can be forwarded as traps to an event management system or other system configured to receive traps that Ridgeline servers forward.
Note: To decipher these events, the system that receives them must have the file EXTREMEEPICENTER-MIB.mib. This file is available on the Ridgeline server in Program Files \Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\mibs.
Use these forwarding settings instead of global settings: Select this check box to specify forwarding settings different from the global settings. For more information about configuring the global settings, see SNMP Properties on page 352.
Host: The host name or host IP address of the system to which the trap is forwarded.
Port: The port on which the specified host receives traps.
Community: The community string for the specified host.
Conversion: The version of SNMP to which traps are converted (No conversion, Convert trap to SNMPv1, or Convert trap to SNMPv2c).
9 Define which devices the alarm profile applies to:
a Click the Scope tab.
b To have the profile apply to all devices, clear the Scope on specific devices or ports check box.
c To exclude the profile from applying to specific device(s), select the Scope on specific devices or ports check box, select the device(s) to exclude in the Available Devices table by selecting their associated check box(es), and then click Add.
10 Click OK. The new alarm profile appears in the profile list. You can now associate this profile with an alarm definition (see Creating New Alarm Definitions).
Event Types
Ridgeline alarms can be triggered by SNMP traps and Ridgeline events.
A Ridgeline event is generated based on the results of periodic polling. In some cases, a condition that causes a Ridgeline event may also generate an SNMP or other trap. Creating an alarm triggered by a Ridgeline event guarantees that the condition is eventually detected by polling even if the corresponding trap is missed. For a description of the Ridgeline and SNMP events supported by the Ridgeline Alarm Manager, see Event Types for Alarms.
SNMP traps are notifications from a device of events that occur on a device. Ridgeline must be configured as a trap receiver on the device in order to be notified of these events; this happens automatically on Extreme devices. Certain SNMP events may require additional configuration on the switch in order to enable specific trap conditions. For certain other events, you must do the configuration on the switch using an SNMP configuration tool such as SNMPc (see Configuring SNMP Trap Events).
Ridgeline Alarm Variables
Variable Name: Description
alarmActions: Actions taken when the alarm occurs
alarmCategory: The user-defined alarm category assigned to the alarm
alarmGMTTime: The time at which the alarm occurred, in Greenwich Mean Time
alarmID: An integer number assigned by the Ridgeline Alarm Manager based on the order in which the alarm occurred
alarmLocalTime: The time at which the alarm occurred, in local time
alarmName: The name of the alarm as defined in the Name field
alarmRepeatPeriod: The time frame within which the repeated events must occur for the alarm to be generated
alarmRepeatTimes: The number of times the event must occur before an alarm is generated
alarmSeverity: The severity level assigned to the alarm
alarmSource: ifIndex of the device port
alarmSourceDeviceName: The name of the device on which the event(s) occurred (taken from the Ridgeline database)
alarmSourceIP: The IP address of the device on which the event(s) occurred
eventData: The data associated with the trap, or the Syslog message content
eventEnterprise: The Enterprise portion of the Object ID (OID) of the event
eventGenericType: The SNMP Generic Type number of the trap
eventLogID: The ID of the event in Ridgeline's event log
eventSpecificType: The SNMP Specific Type number for an enterprise-specific trap
eventSpecificTypeStr: The event description
eventTypeName: The type of event (SNMP Trap, RMON Rising Trap, RMON Falling Trap, or Ridgeline event) concatenated with the Event Name (the SNMP trap name, RMON rule name, or Ridgeline event name)
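The Run program action described above hands Alarm Manager variables to an external program as arguments. As an added example (not part of the Ridgeline guide or software), the handler below treats those arguments as untrusted data, since eventData carries trap or Syslog content produced by the device. It assumes the command string is configured to pass alarmName, alarmSeverity, alarmSourceIP and eventData as four positional arguments in that order; the length limits and the JSON output format are hypothetical.

```python
"""Alarm action handler: added example, not Ridgeline code.

Assumption: the alarm's command string passes four Alarm Manager variables
as positional arguments, in this order:
    alarmName alarmSeverity alarmSourceIP eventData
"""
import ipaddress
import json
import re
import sys
import unicodedata

FIELDS = ("alarmName", "alarmSeverity", "alarmSourceIP", "eventData")
# Hypothetical length limits; eventData is trap or Syslog content from the device.
MAX_LEN = {"alarmName": 128, "alarmSeverity": 32, "eventData": 1024}


def clean_text(value, limit):
    """Replace control characters (CR, LF, ESC, ...) and collapse whitespace."""
    visible = "".join(
        " " if unicodedata.category(ch).startswith("C") else ch for ch in value
    )
    return re.sub(r"\s+", " ", visible).strip()[:limit]


def build_record(args):
    """Validate the positional arguments and return a dict that is safe to log."""
    if len(args) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} arguments, got {len(args)}")
    raw = dict(zip(FIELDS, args))
    try:
        source_ip = str(ipaddress.ip_address(raw["alarmSourceIP"].strip()))
    except ValueError:
        raise ValueError("alarmSourceIP is not a valid IP address") from None
    record = {name: clean_text(raw[name], limit) for name, limit in MAX_LEN.items()}
    record["alarmSourceIP"] = source_ip
    if not record["alarmName"]:
        raise ValueError("alarmName is empty")
    return record


def main(argv):
    try:
        record = build_record(argv[1:])
    except ValueError as exc:
        print(f"rejected alarm action input: {exc}", file=sys.stderr)
        return 2
    # One JSON object per line: json.dumps escapes quotes and backslashes, so the
    # values stay data and are never interpolated into a shell command or log format.
    print(json.dumps(record, sort_keys=True))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
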
16 Configuration Manager
Overview of the Configuration Manager
Configuration Summary View
Backing up Configurations from Devices
Restoring Configurations to Devices
Downloading an Incremental Configuration to Devices
Creating or Changing Baseline Configurations
Deleting Baselines
Configuring the TFTP Server
This section explains how to use the Ridgeline Configuration Manager feature for:
Backing up configuration settings from one or more devices, on demand or at a scheduled time.
Creating baseline configurations for one or more devices.
Restoring configuration settings from Ridgeline to a device.
Downloading an incremental configuration to one or more devices.
Specifying and configuring the TFTP server for uploading and downloading configuration settings and software images.
<tftp_root>\ridgeline\configs\<device_address>\mm_dd_yyyy_hh_mm.zip
Note: Baselining is only valid for devices running ExtremeWare or ExtremeXOS version 11.4 or later. There can only be one baseline file for each device IP address.
Incremental Configuration Download file: <tftp_root>/ridgeline/incremental
<tftp_root> is the location of the TFTP server. By default, <tftp_root> is <Ridgeline_install_dir>\jboss\standalone\deployments\user.war\tftp.
Note: If you reconfigured your TFTP root directory (see Configuring the TFTP Server), the baselines subdirectory is located directly below your TFTP server root directory.
<Ridgeline_install_dir> is located at:
Figure 166: Configuration Manager - Device Configuration Summary View (Tab)
The Configuration Summary view shows the configuration activity for each managed device:
Name: Device name.
IP Address: The device's IP address.
MAC Address: The device's MAC address.
Device Type: Type of Extreme Networks device.
Backup Status: The status of the last backup:
  In Progress: backup currently running
  Successful: last backup was successfully run
  Unsuccessful: last backup attempt failed
  None: no record exists of a backup occurring
Last Successful Backup Time: Most recent date that configuration files were backed up.
Next Backup Time: The next time that the configuration files are scheduled to be backed up.
Restoration Status: The status of the last configuration file restoration:
  In Progress: restoration currently running
  Successful: last restoration was successfully run
  Unsuccessful: last restoration attempt failed
  None: no record exists of a restoration occurring
Most recent date/time that configuration files on the device were restored from a backup.
Baseline Time: Most recent date/time that a baseline was set for the device.
Baseline Status: The status of the most recent attempt to set a baseline for the device:
  In Progress: baseline currently being set
  Successful: last baseline was successfully set
  Unsuccessful: last baseline attempt failed
  None: no record exists of a baseline being set
To display detailed configuration status and view configuration files and scripts for an individual device:
Select the desired device. Detailed configuration information and files appear in the lower pane of the Device Configuration Summary.
Double-click the desired device or click Open. The Configuration Information window appears (see Configuration Information window).
Figure 167: Configuration Information Window
The left side of the Configuration Information window shows the following information:
Name: Name of the Extreme Networks device.
Device Type: Type of Extreme Networks device.
IP Address: The device's IP address.
MAC Address: The device's MAC address.
Software Version: The current ExtremeXOS software running on the device.
Backup File Name: The name of the configuration backup file.
Backup Time: Date and time that the backup file was backed up.
Backup Status: The status of the last backup:
  In Progress: Backup currently running
  Successful: Last backup was successfully run
  Unsuccessful: Last backup attempt failed
  None: No record exists of a backup occurring
Last Successful Backup Time: Most recent date that configuration files were backed up.
Next Backup Time: Next scheduled backup time.
Restoration File Name: The name and location of the file that was used to restore a configuration to the device.
Restoration Status: The status of the last configuration file restoration:
  In Progress: Restoration currently running
  Successful: Last restoration was successfully run
  Unsuccessful: Last restoration attempt failed
  None: No record exists of a restoration occurring
Most recent date/time that configuration files on the device were successfully restored from a backup.
Last Tried Restoration File Name: Name of the configuration file that was last used to restore a backup to a device.
Last Tried Restoration Time: Most recent date/time that an attempt was made to restore configuration files on a device from a backup.
Next Restoration Time: For scheduled restorations, the next time/date that configuration files on a device will be restored from a backup.
Baseline File Name: The name and location of the designated baseline file name.
Baseline Time: Most recent date/time that a baseline was set for the device.
Baseline Status: The status of the most recent attempt to set a baseline for the device:
  In Progress: baseline currently being set
  Successful: last baseline was successfully set
  Unsuccessful: last baseline attempt failed
  None: no record exists of a baseline being set
Next Baseline Time: For scheduled baselines, the next time/date that a baseline will be established for the device.
Last Tried Incremental Download File: Name of the incremental configuration file that was used to perform the last attempted incremental backup to a device.
Last Tried Incremental Download Status: The status of the last attempted incremental download (successful, unsuccessful, none).
Last Tried Incremental Download Time: Most recent date/time that an incremental download was attempted on the device.
On the right side of the window under Configuration Files are the configuration files. You can view and compare any of the configuration files.
Note: Click the plus (+) sign next to Backup Files to show all of the individual files. For more information about these files, see Table 7: Configuration File Types and Locations on page 268.
Viewing Configuration Files
You can view the contents of any configuration file with the Configuration Manager built-in viewer. You can also install your own viewer (see Installing a Viewer). To view a configuration file:
1 In the navigation pane, click Configuration Manager.
2 On the Device Configuration Summary tab, double-click a device to display the Configuration Management Details Window.
3 Under the Configuration Files tab, click a file to select it.
Note: Click the plus (+) sign next to Backup Files to show the files it contains (.txt, .pol, etc.).
4 Click View. The viewer appears displaying the selected file (see the following figure).
Figure 168: View Configuration Window (Ridgeline Default Viewer)
Comparing Two Configuration Files
You can compare the differences between two configuration files. You can only compare files on a single device. Ridgeline provides a built-in differences viewer, but you can install a different one if you want (see Installing a Viewer on page 273). To view the differences between two configuration files:
1 In the navigation pane, click Configuration Manager.
2 On the Device Configuration Summary tab, double-click a device to display the Configuration Management Details Window.
3 Under the Configuration Files tab, click a file to select it.
Note: Click the plus (+) sign next to Backup Files to show the files it contains (.txt, .pol, etc.).
4 Press CTRL + click to select the other desired file.
5 Click View Diff. Ridgeline opens the Difference viewer in a separate window, with the two files you selected shown (see the following figure).
Figure 169: Diff Results Window
Installing a Viewer
The Configuration Manager configuration file viewing and differences viewing functions each require a viewer application:
Simple viewing uses a text editor to show the contents of a configuration file. Ridgeline contains a built-in text viewer. However, you can use another viewer such as Notepad or WordPad in Windows, or vi in Linux.
The view differences function requires a differences viewer to compare and display the differences between two configuration files. Ridgeline contains a built-in differences viewer. However, you can use another differences viewer, such as:
  For Windows: WinMerge
  For Linux: sdiff (in /usr/bin/sdiff)
To install these viewers:
1 Install the desired viewer or differences viewer as per the program's instructions.
2 On the main Ridgeline toolbar, click Tools > Difference Viewer Settings. The Difference Viewer Settings dialog box appears (see the following figure).
Figure 170: Difference Viewer Settings Dialog Box
3 To change the default configuration file viewer:
a Clear the Use Default Configuration Viewer check box.
b In the Configuration Viewer box, type the path and filename of the viewer you want to use, or click Browse to select a viewer executable file.
4 To set up a difference viewer:
a Clear the Use Default Difference Viewer check box.
b In the Difference Viewer box, type the path and filename of the difference viewer, or click Browse to select a viewer executable file.
5 Click OK.
the e-mail notification feature (see Setting Up E-mailed Reports of Backup/Baseline Differences). These reports are saved in the <tftp_root>\ridgeline\configs\reports directory. Since backing up files frequently for many devices could eventually use too much disk space, you can set limits on the number of backup files that are kept (see Changing the Archive Limit). Ridgeline optimizes space by only backing up changed files.
Note: For more information about configuring the TFTP server, see Configuring the TFTP Server.
Figure 171: E-mail Settings Dialog Box
2 Enter information in the following boxes:
Email to: The e-mail address(es) of the recipient(s) of the report. Separate addresses by commas, semicolons, or spaces.
SMTP Host: The outgoing mail server name (or IP address).
Sent By: The e-mail address that should be used as the sender of the e-mail.
3 If your mail server authenticates users before sending out e-mail, select the My server requires authentication check box. If you do not know if your server requires authentication, select this check box; it is ignored if it is not needed. Type your logon information in the User Name and Password boxes. Usually, the logon information is the same as what you use to log on to your network.
4 Click OK.
Figure 172: Backup Operation Dialog Box
3 Select the device(s) that you want to back up:
a Under Available Devices, click the check box next to the desired device(s).
b Click Add. The device(s) are added to the Selected Devices table.
4 To back up to the standard location, under Backup File Options, select Default Location. To back up to a different location, select Customized Location, and then type a location in the Configuration Saved At box.
Note: If you have reconfigured your TFTP root directory (see Configuring the TFTP Server), the configs subdirectory is located directly below your TFTP root directory.
5 To set this backup as the baseline for the selected device(s), select Baseline for this configuration.
6 Under Schedule Options, choose when the backup should occur:
Table 8: Backup Scheduling Options
Backup When? / Procedure
Once, immediately
Once, at later date/time
1. Under Schedule Options, select Backup Later.
2. In the Frequency list, select Once.
3. If desired, type an alternative name for the backup in the Task Name box.
4. Select a backup start date in the Start On drop-down list.
5. Select a backup start time in the Time box.

1. Under Schedule Options, select Backup Later.
2. If desired, type a different name for the backup in the Task Name box.
3. In the Frequency list, select Daily, Weekly or Monthly.
4. Select a repeating backup start date in the Start On box.
5. Select a repeating backup start time in the Time box.
7 Click OK.
2 Click the Global Settings tab. The Global Settings view appears (see the following figure). If a global backup schedule has already been set up, its start date, time, and frequency appear.
Figure 173: Global Settings View (Tab)
3 Click Change Current Global Schedule. The Change Settings dialog box appears (see the following figure).
Figure 174: Change Settings Dialog Box
4 To disable global backups, select No Schedule. Go to Step 6 on page 279.
5 To enable global backups, select Schedule:
a Set the frequency, by selecting Once, Daily, Weekly, or Monthly in the Frequency list.
b Set the start date and time for global backup to begin in the Start On and Time boxes.
6 Click OK. The Global Settings view (tab) appears showing the scheduled backup next to Current Global Backup Schedule.
Figure 175: Configuration Manager Scheduled Tasks View
3 To delete a scheduled task:
a Next to the task(s) you wish to delete, select the check box.
b Click Delete.
Figure 176: Change Archive Limit Dialog Box
4 To keep all backups, select No Limit. To limit the number of backup copies, select Number of Copies Per Device To Keep, and then type a number in the box.
5 Click OK.
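The backup naming scheme given in this chapter (<tftp_root>\ridgeline\configs\<device_address>\mm_dd_yyyy_hh_mm.zip) and the Number of Copies Per Device To Keep limit can also be checked from outside the GUI. As an added example (not Ridgeline code), the script below reads a configs directory and reports the newest backup per device, devices with no recent backup, and files beyond a keep limit; it only reports and deletes nothing. The max_age_days threshold and the report layout are assumptions of this example.

```python
"""Backup inventory audit: added example, not Ridgeline code."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# File naming from the guide:
#   <tftp_root>\ridgeline\configs\<device_address>\mm_dd_yyyy_hh_mm.zip
NAME_RE = re.compile(r"^\d{2}_\d{2}_\d{4}_\d{2}_\d{2}\.zip$")


def parse_backup_time(file_name):
    """Return the datetime encoded in a backup file name, or None if it does not fit."""
    if not NAME_RE.match(file_name):
        return None
    try:
        return datetime.strptime(file_name, "%m_%d_%Y_%H_%M.zip")
    except ValueError:  # digits in the right places but not a real date, e.g. month 13
        return None


def scan(configs_dir):
    """Yield (device_address, file_name) for every file one level below configs_dir."""
    for device_dir in sorted(Path(configs_dir).iterdir()):
        if device_dir.is_dir():
            for entry in sorted(device_dir.iterdir()):
                if entry.is_file():
                    yield device_dir.name, entry.name


def audit(entries, now, max_age_days, keep):
    """Summarise backups per device.

    keep mirrors "Number of Copies Per Device To Keep"; None means No Limit.
    max_age_days is this example's own staleness threshold (an assumption).
    """
    backups = defaultdict(list)
    seen = set()
    unparsed = []
    for device, file_name in entries:
        seen.add(device)
        taken = parse_backup_time(file_name)
        if taken is None:
            unparsed.append(f"{device}/{file_name}")
        else:
            backups[device].append((taken, file_name))

    cutoff = now - timedelta(days=max_age_days)
    report = {"latest": {}, "stale": [], "excess": {}, "unparsed": unparsed}
    for device in sorted(seen):
        newest_first = sorted(backups[device], reverse=True)
        latest = newest_first[0][0] if newest_first else None
        report["latest"][device] = latest
        # A device directory without any well-formed backup counts as stale.
        if latest is None or latest < cutoff:
            report["stale"].append(device)
        extra = [] if keep is None else [name for _, name in newest_first[keep:]]
        if extra:
            report["excess"][device] = extra
    return report


if __name__ == "__main__":
    # Usage: python backup_audit.py <path to the configs directory>
    result = audit(scan(sys.argv[1]), datetime.now(), max_age_days=7, keep=5)
    for device, latest in result["latest"].items():
        print(f"{device}: latest backup {latest}")
    print("stale:", ", ".join(result["stale"]) or "none")
    print("beyond keep limit:", result["excess"] or "none")
    print("not matching naming scheme:", result["unparsed"] or "none")
```
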
Figure 177: Configuration Change Report
For each device, the report shows the information about each configuration change it has detected:
Type: Type of change that occurred (add, modify, or delete).
Configuration Change: Changed lines in the configuration file.
Switch Log Event: Log event entries (if any) that are related to the configuration change.
3 Click Restore. The Restore Operation dialog box appears (see the following figure).
Figure 178: Restore Device Configuration Dialog Box
4 Under Select, select a configuration file to restore to the device(s) by clicking the option button next to it.
5 In the Download Configuration To list, choose which area of the device hard disk to download to:
Primary: primary partition.
Secondary: secondary partition.
Other: (ExtremeXOS devices only) allows you to save the configuration under a file name other than the standard configuration file name, primary.cfg. Type a name for the restored configuration file in the Enter Configuration File Name box.
Current: (ExtremeWare devices only) current partition.
Non Current: (ExtremeWare devices only) use this option if you are unsure of the current partition (primary or secondary) and want to ensure that you download to the non-current partition.
6 For ExtremeWare devices, to automatically save the current configuration file on the device after the device reboots, select the Save Configuration To check box, and select where to save the current configuration:
Current: currently active partition
Non Current: currently inactive partition
Primary: primary partition
Secondary: secondary partition
7 Under Schedule Options, choose when to activate the new configuration:
Restore Now: Device reboots and starts immediately using the new configuration.
Restore Later: Schedules configuration restoration (and device reboot) for a later time. This scheduled restoration task appears in the Configuration Manager Scheduled Tasks view (tab) (see Figure 175: Configuration Manager Scheduled Tasks View on page 279):
  Task Name: Type a name for the configuration restoration task. This scheduled task name appears in the Configuration Manager Scheduled Tasks view (tab).
  Frequency: Select Once.
  Start On: Choose a date for the configuration restoration to occur.
  Time: Choose a time for the configuration restoration to occur.
8 Click OK.
3 With an ExtremeWare device selected in the list, click Download Incremental To Device. The Download Incremental Configuration dialog box appears:
Figure 179: Download Incremental Configuration Dialog Box
The device you selected previously appears under Selected Devices.
4 To select additional devices:
a Under Available Devices, select the check box of additional device(s) that you want to download an incremental configuration to.
b Click Add. The device appears under Selected Devices.
c Repeat until you have added all of the desired devices.
5 Under Selected Devices, select the device by clicking its check box. Available configuration files for the device appear in the bottom table. You can filter this list if needed by typing keywords in the search box above the table.
6 In the bottom table, select a configuration file to download by selecting its check box.
7 Click Save.
8 Click OK.
Note: The device is not rebooted, nor is the configuration saved on the device after the download. You can open a Telnet session on the affected devices and execute a save configuration command.
Note: An error occurs if you attempt an incremental download on a switch running ExtremeWare earlier than version 6.0.

While backing up configuration files, you can set one as the baseline (see Backing up Configuration Files Manually or by Scheduling for a Device or Device Group).
Designate an existing configuration file backup as a baseline (see below).
For information about the location and file naming of baseline files, see Configuration File Types and Locations. After creating a baseline for a device, you can restore this baseline configuration to the device at any time. To do so, follow the procedure in Restoring Configurations to Devices. To create a baseline for device(s):
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).
2 To select which devices to set a baseline for, click the check box next to the desired device(s). If needed, type keywords in the search box.
3 Click Baseline > Create. The Create Baseline Configuration dialog box appears (see the following figure).
Figure 180: Create Baseline Configuration Dialog Box
4 Under Available Devices, select the device(s) by selecting their associated check box(es). If needed, filter the list of available devices by typing search terms in the search box or selecting a group from the drop-down list.
5 Click Add. The device(s) are added to the Selected Devices table.
6 For each selected device, choose a backup configuration file for the baseline:
a Under Selected Devices, select a device by clicking its row.
b In the Baseline options list, select:
  Apply latest uploaded configuration: The latest configuration file is used as the baseline, rather than allowing you to choose.
  Choose any specific configuration: You choose the configuration file for the baseline from the list in the bottom table. Click a row to select a particular configuration file.
c Click Apply. Your configuration file choice for the baseline appears in the Selected Devices table in the Selected configuration column.
7 Under Schedule Options, select when to establish the baseline:
MarkAsBaseline Now: Establishes baseline immediately.
MarkAsBaseline Later: Schedules a later time to set the baseline:
a Type a name for this task in Task Name. This task appears in the Scheduled Task view (tab).
b Select Once from the Frequency list.
c Select the baseline date in Start On and time in Time.
8 Click OK.
Deleting Baselines
If there is a baseline configuration established for a device, you can remove it. To delete a baseline configuration:
1 In the navigation pane, click Configuration Manager.
2 Click the Device Configuration Summary tab.
3 Select the check box for the device that you want to remove the baseline configuration from.
4 Click Baseline > Delete. The Baseline Status, Baseline Time, Baseline File Name change to None.
1 Click Tools > TFTP server configuration. The Configure TFTP Server dialog box appears (see the following figure).
Figure 181: Configure TFTP Server Dialog Box
2 To enable/disable the TFTP server (by default, the embedded TFTP server is enabled):
Click the Enable System TFTP Server button to enable the server.
Click Disable System TFTP Server to disable the server.
3 If you are going to use a TFTP server other than the Ridgeline TFTP server, enter the root directory of your TFTP server in TFTP Root. The Ridgeline TFTP server root is <Ridgeline_install_dir>deploy\user.war\tftp, where <Ridgeline_install_dir> is the directory where the Ridgeline server is installed. If you are using the Ridgeline TFTP server, the TFTP root directory cannot be changed.
4 Click OK. Ridgeline creates six subdirectories (baselines, bootrom, configs, images, slotImages, and slotBootRom) as children of the directory you specify as the TFTP server root.
Note: If you change the location of the TFTP root directory after you have saved any configuration image files in any of these directories, Ridgeline will no longer be able to find those files. You must copy the files from the old TFTP root location into the new directories at the new location.
Note: If you plan to use this TFTP server with other software, such as the ExtremeWare CLI or for any other purpose, be aware of possible differences in the expected locations of the TFTP server and other components such as ExtremeWare software images or configuration files. See the Ridgeline Release Notes for information on any known issues.
17 Firmware Manager
Overview of the Firmware Manager
The Firmware Manager Main Window
Checking for New Software Image Versions
Acknowledging Changes to the Software Images List
Downloading Software Images to the Ridgeline Server
Upgrading the Software or BootROM on Your Devices
Specifying Standard Software Versions
Updating Software Properties
This topic describes how to use the Ridgeline Firmware Manager:
Obtain the latest software images from the Extreme Networks website.
Download and activate on devices and modules new:
  (To devices) software images and patches/service packs
  (To devices and modules) BootROM images and modular software packages
  (To modules) slot software images
Specify a standard, recommended software image. Ridgeline compares the image currently running on a device to determine if it is running the recommended or most current image.
Acknowledge new software images to highlight changes in the software images list. See Acknowledging Changes to the Software Images List.
4. Download images to Ridgeline server. See Downloading Software Images to the Ridgeline Server.
5. Distribute and activate images to devices/modules: Download selected software images to devices and modules, and choose, if desired, to reboot devices to activate the new image.
Figure 182: Firmware Manager Window - Devices Tab
The Devices tab shows the following information:
Name: Name of the device
IP Address: IP address of the device
Upgrade Type
Upgrade Status: Shows the status of any software upgrade activity:
  Successful: Last software image upgrade was successful
  Unsuccessful: Last software image upgrade failed
  In progress: Software image upgrade is currently happening
  Not Started: No image upgrade has been initiated for the device
Upgraded Version: The software image version that the device was last upgraded to
Available Upgrade Version: The most up-to-date software that can be installed on this device.
Device Type: Type of Extreme Networks device
At the bottom of the window is the Software Status pane, which shows the following information:
Upgrade Status: Shows the status of any software upgrade activity:
  Successful: Last software image upgrade was successful
  Unsuccessful: Last software image upgrade failed
  In progress: Software image upgrade is currently happening
  Not Started: No image upgrade has been initiated for the device
Obsolete Device Image?: Indicates whether or not the device has the most up-to-date, device-compatible GA software image installed.
Obsolete Boot ROM?: Indicates whether or not the device has the most up-to-date, device-compatible GA bootROM image installed.
Deviating with standard version: Indicates whether or not the current software version on the device is the version set as the standard version for this device. For more information about setting the standard version, see Specifying Standard Software Versions.
Figure 183: Software Image Management Window - Software Images Tab
The Software Images tab shows the following information:
New Update: Indicates if this image has changed since the last time the software information was updated (see Acknowledging Changes to the Software Images List):
  newer version is available
  software version has not changed since the last time you acknowledged changes to the list
When you display the software image list for the first time, all images are marked as .
Version: Version number of the software
Type: The software image type:
  Device Image
  Device BootROM Image
  Device Module Image
  Slot Image (module)
  Slot BootROM Image
Name: The name of the software image.
Downloaded
Not downloaded on the Ridgeline server. Available on the Ridgeline server in one of the directories:
Description
Supported Hardware Platforms: Lists all platforms compatible with the selected software image.
Detailed Download Status: Shows the status (Download Successful, Download in Progress, Download Unsuccessful, etc.) of any software images that you are downloading (see Downloading Software Images to the Ridgeline Server).
Note: Use the scroll arrow at the bottom of the Supported Hardware Platforms pane to view the Detailed Download Status pane, if it is not visible.
3 Click Update Software information. The Update Software Information dialog box appears.
Figure 184: Update Software Information Dialog Box
4 There are two ways to retrieve updated software images information:
From File in Ridgeline Server: If you do not have access to the Extreme Networks eSupport website, you can copy the following two files:
http://www.extremenetworks.com/products/downloads/ExtremeXosImageList.xml
http://www.extremenetworks.com/products/downloads/ExtremeWareImageList.xml
to the folder where you installed Ridgeline under Ridgeline 4.0\jboss\standalone\deployments\extreme.war.
From Vendor Server: If you have access to the Extreme Networks eSupport website, use this option.
5 Click OK. The update to the software images lists continues in the background. A message appears indicating the update is in progress, and then that it has completed successfully.
6 Click Close to close the message.
3 In the drop-down list, select External Connections. 4 On the Load Information from http://www.extremenetworks.com row (Property Name), under the Property Value column, select the check box.
= software version has not changed since the last time you acknowledged changes to the list
= newer version is available
To acknowledge changes to the software images list:
1 In the navigation pane, click Firmware Manager.
2 Click the Software Images tab.
3 Click Acknowledge Software Image Updates.
<tftp_root>\xmod
Where <tftp_root> is the location of the TFTP server. By default, <tftp_root> is Ridgeline 4.0\jboss\standalone\deployments\user.war\tftp\ridgeline
Note: You cannot download SSH-capable versions of the software images using the Firmware Manager. To use SSH-capable images, obtain them outside of Ridgeline, and then place them in the images or xmod subdirectory (see Table 9: Downloaded Software Image Locations on page 295). SSH-capable images are subject to export restrictions, and require a special license. To request SSH code, go to eSupport (https://esupport.extremenetworks.com/). For ExtremeXOS, modular software packages (.xmod) also cannot be downloaded using the Firmware Manager's image update feature. You must also obtain those images outside of Ridgeline, and then place them in the <tftp_root>/xmod folder for deployment.
Note: Ridgeline does not have restrictions on the number of user accounts, which includes administrators, but the number of concurrent sessions is limited to 25 users. This can be the same user or different users.
To download new software images to the Ridgeline server:
1 In the navigation pane, click Firmware Manager. The Firmware Manager window appears.
2 Click the Software Images tab.
3 Select the check box on the row of the desired software image that you want to download. You can select multiple images.
Note: You can select multiple consecutive rows of images by clicking the first row's check box to select it, and then pressing Shift + click on the last row's check box.
4 Click Download. You are prompted to enter your logon information for the Extreme Networks eSupport website.
5 Click OK. A message appears indicating that the selected image(s) are downloading.
6 Click Close. The status of the download appears in the Detailed Download Status pane at the bottom of the screen.
Note: Use the scroll arrow at the bottom of the Supported Hardware Platforms pane to view the Detailed Download Status pane, if it is not visible.
The downloaded software image is now available to install on devices (see Upgrading the Software or BootROM on Your Devices).
Firmware Manager
Hitless Upgrading
Ridgeline supports the hitless upgrade feature for device and modular software package images on a BlackDiamond chassis under certain conditions. Hitless upgrade allows a software upgrade without taking a device out of service or losing traffic.
A hitless upgrade is an option for:
  BlackDiamond 6800 series switches with two MSMs installed, running ExtremeWare 7.1.1 or later.
  BlackDiamond 8800 series switches with two MSMs installed, with BootROM 8.1 or later; or running ExtremeXOS 11.4 or later.
  BlackDiamond 10808 switches with two MSMs installed, running ExtremeXOS 11.1 or later.
  BlackDiamond 12804 series switches with two MSMs installed, running ExtremeXOS 11.4 or later.
Hitless upgrade is also supported for BootROM images. You can perform a hitless BootROM upgrade for BlackDiamond 10808 switches with two MSMs installed, running ExtremeXOS 11.1 or later.
Figure 186: Upgrade Software Dialog Box - Image Selection Tab
3 Click a device to select it in the left pane.
4 If the selected device has modules or is stack master (stacked devices are treated like modules), select a module/stacked device from the Slots drop-down list.
  Note: For stacking devices running ExtremeWare 7.4, 7.5, or 7.6, stack members are treated like modules, and therefore are updated using the appropriate slot image. To upgrade the stack master, select the device image for that switch type; to upgrade a stack member, select the slot image for that switch type. For ExtremeWare 7.7, to upgrade the images of all devices in the stack, select the device image for the stack master. The stack members are upgraded.
5 Under Available Images, select the desired image to use for upgrading the selected device. If needed, filter the list of available software images by typing a search term in the search box.
6 Click Add to move the selected software image to the Selected Image pane.
7 Repeat steps 3-6 for each device and its slots as needed.
8 Click Next.
9 In the Protocol download list, select the download method to the device(s):
  TFTP
  SFTP
10 In the Download to partition list, select which partition to download the image to (only applies to XMOD and ExtremeWare images):
  Primary
  Secondary
11 Under Activation, select when the upgraded image becomes the active image on the device(s):
  Do not activate the software after distribution = download the image, but do not make it the active image
  Activate the software immediately after distribution = immediately start using the image after downloading
  Delay the activation for = activate the new image after the designated amount of time in the Mins (minutes) list.
12 To back up the current device configuration before image activation, select Backup configuration before activation. Device configuration files in <tftp_root> location (by default, \Ridgeline 4.0\jboss\standalone\deployment\user.war\tftp\ridgeline\configu) are saved as:
  ExtremeWare: text files
  ExtremeXOS (along with policy files, if any): zip files
  For more information about where and how configuration files are stored, and how to restore them to a device if necessary, see Configuration Manager on page 267.
13 To choose a hitless upgrade, select Use Hitless distribution. For limitations of hitless upgrading, see Hitless Upgrading.
14 Click Finish. The Results tab appears informing you of the progress of upgrade(s).
To view historical information about software image upgrades, use the Audit Log. For more information about the Audit Log, see Using the Ridgeline Audit Log on page 329.
Figure 187: Configure Standard (Baseline) Version Dialog Box
5 Click a single device or device group in the list. Each device shows the current standard (baseline) version under Software Version. If no standard version has been set, N/A appears.
6 Select a single device or group in the list, and then click Configure. The Configure Version dialog box appears:
Figure 188: Configure Version Dialog Box
7 Select a standard version from the Available Software Versions list. Your selection appears in the Enter Version box.
  Note: You cannot remove a standard version.
8 Click OK.
Version
Status
ExtremeXOS CLI commands: ExtremeXOS CLI commands in a Ridgeline script are sent to the device, and the response can be used by the script.
  Note: Abbreviated ExtremeXOS commands do not work unless you prefix the shortened command with CLI. Example: To abbreviate show vlan, type CLI sh vlan.
ExtremeXOS CLI scripts: Control structures such as IF..ELSE and DO..WHILE can be used in Ridgeline scripts. See CLI Scripting in the ExtremeXOS Concepts Guide for more information on ExtremeXOS script functionality and syntax.
The Tcl scripting language version 8.1. For general information about the Tcl scripting language, see www.tcl.tk. For a list of the Tcl commands that are supported in Ridgeline scripts, see Tcl Support in Ridgeline Scripts.
Syntax and constructs from these sources work seamlessly within Ridgeline scripts. For example, the response from a switch to an ExtremeXOS CLI command issued from a script can be processed using Tcl functions.
Figure 190: Ridgeline Scripts View
The Scripts tab contains the following information:
  The script category, if configured. See Categorizing Scripts.
  The name of the script.
  Comments or a description of the script.
  Who last modified the script.
  When the script was last modified.
The scripts table lists all of the scripts configured in Ridgeline. In the pane below the scripts table is a detailed view of the selected script. Double-clicking a script opens it in the script editor dialog box (see the following figure).
Figure 191: Ridgeline Script Editor Dialog Box
The Ridgeline script editor allows you to add content to a script, set values for parameters, specify runtime settings, and indicate which Ridgeline users can run the script.
2 On the Scripts tab, click New. The new script dialog box appears (see the following figure).
Figure 192: New Script Dialog Box
By default, a new script created in Ridgeline contains a metadata section where you can enter a script description and define script sections and metadata that appears on the Overview tab. For more information about metadata, see Metadata Tags.
Type the metadata tags #@DetailDescriptionStart and #@DetailDescriptionEnd between the tags #@MetaDataStart and #@MetaDataEnd, and then type a detailed description between these detailed description tags. This description appears on the Description tab.
Place variable definition statements in the metadata section (between #@MetaDataStart and #@MetaDataEnd tags). Variables can now be defined by entering values in the Overview tab. A list of system variables appears under System Variables. To add a variable to the script, select the variable, and then double-click or click Add to Script.
You can enter ExtremeXOS 12.1 and later CLI scripting commands, Tcl commands, and constructs after the metadata section of the script. For information about what can appear in a Ridgeline script, see Ridgeline Script Reference.
6 If you want to specify run-time settings, click the Run-Time Settings tab and make changes as needed (see Specifying Run-Time Settings for a Script on page 308).
7 To specify which Ridgeline user roles have permission to run the script, and whether and where the script should appear in the menu or in shortcut menus, click the Permissions And Menus tab, and make changes as needed (see Specifying Permissions and Run Locations for Scripts on page 309).
8 Click Save As. The Save Script As dialog box appears (see the following figure).
Figure 193: Save Script As Dialog Box
9 Type a name for the script file in the Script Name box and, if desired, a comment about the script in the Script Comment box.
10 Click OK. The script now appears in the script list, and you can run it (see Running a Script on page 310).
Figure 194: Run-time Settings Tab
On this tab you can specify the following settings:
  Save configuration in the background after script run successfully: Whether the configuration on the device is saved after the script is run successfully.
  Timeout if script is not completed on each device: Script run timeout in seconds. This timeout value applies to each device independently.
  Save results in audit Log: Whether to create an entry in the Ridgeline Audit Log when this script is run.
The first two settings apply to all users; the third is available to Ridgeline users with read/write access.
In the top table, you can specify the Ridgeline user roles that are able to see and run the script. Select the check boxes for the roles that you wish to enable. In the bottom section, you can set whether, and where, the script appears in the menu and in shortcut menus. Click Show in Tools-> Run script menu and show in shortcut menus that appears on, and then select the desired locations.
Running a Script
To run a script:
1 In the navigation pane, click Scripts.
2 On the Scripts tab, find the script in the list. If needed, filter the list by typing search terms in the search box.
3 Select the script by clicking its check box, and then click Run Script. The Run Script dialog box appears (see the following figure).
  Note: Be sure to select only one script. The Run Script button is unavailable if two or more scripts are selected.
Figure 196: Run Script Dialog Box
4 On the Entity Selection tab, select whether you want to select the device(s) to run the script on through the full list of devices (Devices) or through the device groups (Device Groups).
5 Click Next.
6 On the Device Selection tab, select the device(s) to run the script on. If you selected Device Groups in the previous step, click the + next to a device group to expand it to see its devices.
7 Click Next.
8 On the Choose Order tab, if you have chosen more than one device to run the script on, then you must select the order in which the script is run on the collection of devices. Select either:
  System Defined Order: the order shown
  The Following Order: an order you choose. Use the up/down arrows on the right to change the order of devices.
  Note: You can view the list of devices in order of name (default) or by IP address (select Show List in the Format: IP Address).
9 Click Next.
10 On the Overview tab of the Device Settings tab, set values for any run-time variables defined for the script (for more information about defining run-time variables when creating a script, see Specifying Run-Time Settings for a Script on page 308). If desired, click the Description tab to view the description defined for the script.
11 Click Next.
12 On the Run Time Settings tab, make selections for the following:
  Run-Time Comments: If desired, enter run-time comments in this box. Type a name for the task in the Task Name box below. The task appears on the Script Task tab.
  Save configuration in the background after running script successfully
  Save results in Audit Log: Select to have the running of the script noted in the audit log.
  Timeout if script is not completed on each device: Use to set a maximum amount of time for the script to run on each device (in seconds).
  Run now, don't save as a task: Select to run the script now and not save this as a task.
  Save as a task and run now: Select to run the script now and save it as a task. Type a name for the task in the Task Name box below. The task appears on the Script Tasks tab (see Creating Script Tasks on page 316).
  Save as task. I'll run later: Select to save running the script as a task. The script does not run at this time. Type a name for the task in the Task Name box below. The task appears on the Script Tasks tab (see Creating Script Tasks on page 316).
13 Click Next.
14 On the Verify Run Script tab, verify your script selections, and then click Next.
15 Click Next.
16 On the Results tab, you see the results of the script including any errors. You can choose any of the following options:
  Save task: save the script and its run-time settings on the Script Task tab (see Creating Script Tasks on page 316).
  Run again: run the script again.
  Save results: save the results of the script in a text file to a location that you define.
17 Click Close.
If you elected to save the script as a script task, you can set the script task to run later, manually or on an automated schedule (see ).
If you elected to save the script results in the audit log, you can view these results now: In the navigation pane, click Audit Log, click the Scripts tab, and then click Refresh. The results of running the script appear. For more information about viewing items in the audit log, see Audit Log View on page 329.
2 From the menu, click File > Import > Import script. The Import Script dialog box appears (see the following figure).
Figure 197: Import Script Dialog Box
3 Type the location of the script file in the Type the location of the file box, or click Browse to navigate to the location.
4 In the Script Name box, type the name of the script file to import.
5 Click OK to import the script into Ridgeline.
  Note: Exported EPICenter 6.0 telnet macros cannot be imported as XML scripts.
Exporting a Script
To save a script, from the menu, click File > Save As. The Save Script As dialog box appears (see the following figure).
Figure 198: Save Script As Dialog Box
To save/export the script:
  To the Ridgeline server, click OK.
  To any location, click Export to, type the location in the Type the location of the directory box or click Browse to navigate to the location, and then click OK. The script is saved in XML format.
Deleting a Script
To delete a script:
1 In the navigation pane, click Scripts.
2 In the script table, select one or more scripts you want to delete.
3 Click Delete.
4 Click Yes to confirm the script deletion.
Categorizing Scripts
You can optionally assign scripts to categories, such as VLAN Scripts, Port Scripts, and so on. Placing scripts into logical groups in this way can aid in filtering the scripts in the scripts table. This can be useful when you have a large number of scripts to manage.
To assign a script to a category:
1 In the navigation pane, click Scripts.
2 In the script table, select the script that you want to categorize by clicking its check box.
3 Click Categorize. The Categorize Script dialog box appears (see the following figure):
Figure 199: Categorize Script Dialog Box
4 To create a new category, click New, type a category name, and then click Create.
5 To assign the script to a category, select the category, and then click Apply.
6 Click OK. The script now appears in the list with the newly assigned category name appearing in the Category column for the script.
Figure 200: Script Tasks Table
From the Script Tasks tab, you can change a script task's device selections and run-time settings, and specify a schedule for running it.
To create a script task:
1 Create a script (see Creating a New Ridgeline Script on page 306).
2 Run the script and designate it as a task (see Running a Script on page 310).
3 Change script settings (device selections, run-time settings), if desired, and set a schedule (see Creating Script Tasks on page 316).
You can also delete script tasks (see Deleting Script Tasks on page 318).
Creating Script Tasks
You can save scripts as tasks to run later, manually or on an automated schedule. Before you can create a script task, you need to:
1 Create a script (see Creating a New Ridgeline Script on page 306).
2 Run the script and designate it as a task (see Running a Script on page 310).
To create a script task:
1 If needed, create a script (see Creating a New Ridgeline Script on page 306).
2 If the script is not already set up as a task, run the script (see Running a Script on page 310). On step 12, select either Save as a task and run now or Save as task. I'll run later.
3 In the navigation pane, click Scripts.
4 Click the Script Tasks tab.
5 Double-click or click Open for the desired script task. The script dialog box appears (see the following figure).
Figure 201: Script Dialog Box
6 (Optional) If you want to change the device selections or run-time settings, click the Device and order or Run-Time settings tab, respectively, and then make the desired changes.
7 Click the Schedule tab (see the following figure).
Figure 202: Script Dialog Box - Schedule Tab
8 Schedule the task by selecting:
  To run once: Select Run Once, and then enter the date, time, and time zone selections.
  To repeat on schedule: Select Run Repeatedly, and then enter the start/end dates and frequency in Start Date, End Date, and Frequency.
9 Click the X to close the dialog box. The message Do you want to save changes to task [my script] appears, where [my script] is the script task name.
10 Click Yes. Under the Scheduled column, the schedule status appears:
  N/A: Not scheduled
  One-time: Scheduled to run one time
  Recurring: Scheduled to run repeatedly according to your selected schedule
After a script runs, if you elected to save the script results in the audit log, you can view these results: In the navigation pane, click Audit Log, click the Scripts tab, and then click Refresh. The results of running the script appear. For more information about viewing items in the audit log, see Audit Log View on page 329.
Deleting Script Tasks
If desired, you can delete script tasks that you no longer need. To delete a script task:
1 In the navigation pane, click Scripts.
2 Click the Script Tasks tab.
3 Select the task by clicking its check box.
4 If the script task that you want to delete has a schedule set up for it (Scheduled = Recurring or One-time), then you must remove the schedule:
  a Click Open. The edit script task dialog box appears.
  b Click the Schedule tab.
  c Click No Schedule.
  d Click Save, and then close the dialog box.
5 Click Delete.
6 When prompted, confirm the deletion by clicking Yes.
  Metadata Tags
  Ridgeline-Specific Scripting Constructs
  Tcl Support in Ridgeline Scripts
  Entering Special Characters
  Line Continuation Character
  Case Sensitivity in Ridgeline Scripts
  Reserved Words in Ridgeline Scripts
  ExtremeXOS CLI Scripting Commands Supported in Ridgeline Scripts
  Ridgeline-Specific System Variables
Metadata Tags
A Ridgeline script may contain a metadata section, which can serve as a usability aid in the script interface. The metadata section, if present, is the first section of a Ridgeline script, followed by the script logic section, which contains the CLI commands and control structures in the script. The metadata section is delimited between #@MetaDataStart and #@MetaDataEnd tags. A metadata section is optional in a Ridgeline script.
You can use metadata tags to specify the description of the script, as well as parameters that the script user can input. The information specified by the metadata tags appears in the Overview tab for the script.
Note: Ridgeline script metadata tags are backwards-compatible with Ridgeline UPM profile metadata tags.
#@MetaDataStart and #@MetaDataEnd
Indicates the beginning and end of the metadata section of the script. In order for description information and variable input fields to appear in the Overview tab for a script, the corresponding metadata tags must appear in the metadata section.
Example
    #@MetaDataStart
    # @SectionStart (description = Protocol Configuration Section)
    Set var protocolSelection eaps
    # @SectionEnd
    # @SectionStart (description = vlan tag section)
    Set var vlanTag 100
    #@MetaDataEnd
#@ScriptDescription
Specifies a one-line description of the script. The description specified with this tag cannot contain a newline character.
Example
    #@ScriptDescription This is a VLAN configuration script.
#@DetailDescriptionStart and #@DetailDescriptionEnd
Specifies the beginning and end of the detailed description of the script. The detailed description can be multiple lines or multiple paragraphs. Each line in the description should be commented. The detailed description is shown in the Script View tab in the script editor window.
Example
    #@DetailDescriptionStart
    #This script performs configuration upload from Ridgeline to the switch.
    #The script only supports tftp.
    #This script does not support third party devices.
    #@DetailDescriptionEnd
#@SectionStart and #@SectionEnd
Specifies the beginning and end of a section within the metadata part of a script. If this is the last section of the metadata, ending with a #@MetaDataEnd tag, then the #@SectionEnd tag is not required. Once a section starts with the #@SectionStart tag, the previous section is automatically ended.
Example
    # @SectionStart (description = Protocol Configuration Section)
    Set var protocolSelection eaps
    # @SectionEnd
#@VariableFieldLabel
Defines user-input variables for the script. For each variable defined with the #@VariableFieldLabel tag, you specify the variable's description, scope, type, and whether it is required.
  Description: Label that appears as the prompt for this parameter in the Overview tab.
  Scope: Whether the parameter is device-specific or global (uses the same value for all devices). Valid values: global, device. Default value is global.
  Type: Parameter data type. This determines how the parameter input field is shown in the Overview tab. Valid value: String (shows the parameter input field as a text field in the Overview tab).
  readonly: Whether the parameter is read-only and cannot be modified by the user. Valid values: Yes, No. Default value is No.
  validValues: Lists all possible values a parameter can take. All values should be separated by commas and put into square brackets.
  Required: Whether specifying the parameter is required to run the script. Valid values: Yes, No.
Example
    #@VariableFieldLabel (description = Partition:, scope = global,
    #required = yes, validValue = [Primary,Secondary], readOnly=false)
    set var partition
Ridgeline-Specific Scripting Constructs
This section describes the scripting constructs that are specific to Ridgeline:
  Specifying the wait time between commands
  Printing system variables
  Configuring a carriage return prompt response
  Synchronizing the device with Ridgeline
  Saving the configuration on the device automatically
  Sending events to Ridgeline
  Printing a string to a file
After the script executes a command, the sleep command causes the script to wait a specified number of seconds before executing the next statement.
Syntax
    sleep <
Example
    # sleep for 5 seconds after executing a command
    sleep 5
Printing System Variables
The printSystemVariables command prints the current values of the system variables. Specifically, values for the following variables are printed:
  deviceIP
  deviceName
  serverName
  deviceSoftwareVer
  serverIP
  serverPort
  date
  time
  abort_on_error
  CLI.OUT
  runMode
    printSystemVariables
A special string within the script, <cr>, indicates a carriage return in response to a prompt for a command.
Syntax
    <cr>
Example
    download image 10.22.22.22 t.txt <cr> //cancel download
Synchronizing the Device with Ridgeline
The PerformSync command manually initiates a synchronization for specified Ridgeline feature areas and scope.
Syntax
    PerformSync [-device <ALL | deviceIp>] [-scope <INVENTORY | TOPOLOGY | UPM | VLAN> ] [-vlan <vlan1,vlan2>]
If -device is not specified, the current device (indicated by the $deviceIP system variable) is assumed. If -scope is not specified, INVENTORY scope is assumed. The -vlan option is only applicable if VLAN scope is chosen.
The PerformSync command is executed in an asynchronous manner. That is, when the command is executed, Ridgeline moves on to the next command in the script without waiting for the synchronization to complete.
Examples
    # Perform sync for Topology
    PerformSync -scope TOPOLOGY
If there are multiple VLANs in the -vlan argument, enclose them in double quotes. For example:
    PerformSync -scope VLAN -vlan "foo,bar"
Saving the Configuration on the Device Automatically
The run-time settings for a script may include the option to issue the save command in the background after the script is run successfully on the device. If an error is encountered as a result of the save command, a Save command failed alarm is issued in Ridgeline against the device.
Sending Events to Ridgeline
You can configure a script to send events to Ridgeline from the device where it is run. The events are displayed in the Ridgeline alarm browser. In order for an event to be displayed in the alarm browser, the corresponding event should be added to the alarm definition (if not already present), and the target device should be included in the scope of the alarm (in the alarm definition) prior to sending events.
Syntax
    SendEvent [-subtype <subtype>] message
Where <subtype> can be one of the following:
  Ping failed
  Ping OK
  SNMP Reachable
  SNMP Unreachable
  Reachability unknown
  Configuration Upload Failed
  Configuration Upload OK
  Custom Event
  Device Reboot
  Overheat
  Fan Failed
  High Trap Count
  Policy Configuration Start
  Policy Configuration End
  Device Policy Configuration
  Power Supply Failed
  Device Warning From Ridgeline
  Syslog Flood
  One-Shot Event No Longer Valid
  Rogue Access Point Found
  Stacking Link Down
  Stack Member Down
  Configuration Download Failed
  Configuration Download OK
  EAPS Domain State Changed - ERROR
  EAPS Domain State Changed - WARNING
  Scripts, save operation failed
  A background script execution failed
  Script event
Example
    #Send Configuration Download Failed event if error occurs
    download image 10.210.14.4 image.txt
    if ($STATUS != 0) then
      SendEvent -subtype=73 ${CLI.OUT}
    endif
Printing a String to a File
Syntax
Example
    # Write Device IP address to file
    ECHO "device ip is $deviceIP"
Note: The Tcl puts and ECHO commands have the same function. However, the ECHO command is not case-sensitive, while the puts command is case-sensitive.
Tcl Support in Ridgeline Scripts
The following Tcl commands are supported in Ridgeline scripts:
Table 11: Tcl commands supported in Ridgeline scripts
after append array binary break catch clock close concat continue eof error eval expr fblocked flush for foreach format gets global history if incr info interp join lappend lindex linsert list llength lrange lreplace lsearch lsort namespace open package proc puts read regexp regsub rename return scan seek set split string subst switch tell time trace unset update uplevel upvar variable vwait while
See www.tcl.tk/man/tcl8.2.3/TclCmd/contents.htm for syntax descriptions and usage information for these Tcl commands.
Entering Special Characters
In a Ridgeline script, you can use the backslash character ( \ ) as the Escape character if you need to enter special characters, such as quotation marks ( " ), colon ( : ), or dollar sign ( $ ).
Example
    set var value 100
    set var dollar \$value
    show var dollar
    >>> $value
Note: Do not place the backslash character at the end of a line in a Ridgeline script.
Line Continuation Character
The line continuation character is not supported in Ridgeline scripts. Each command statement should be placed on a single line.
Case Sensitivity in Ridgeline Scripts
The commands and constructs in a Ridgeline script are not case-sensitive. However, if a command is referenced inside another command, the inner command is case-sensitive. In this instance, the inner command case should match how it appears in the Ridgeline documentation.
Example (Usage of the Ridgeline command ECHO)
    echo hi (valid)
    echo [echo hi] (error)
    echo [ECHO hi] (valid)
Reserved Words in Ridgeline Scripts
The following words cannot be used as variable names in a Ridgeline script. They are reserved by Ridgeline.
  Names of system variables (see Ridgeline-Specific System Variables)
  Names of Ridgeline command extensions (see Ridgeline-Specific Scripting Constructs)
  Names of ExtremeXOS CLI commands
  epic_responseFileId
  Names of Tcl functions
In addition, you should not use a period (.) within a variable name. Use an underscore ( _ ) instead.
ExtremeXOS CLI Scripting Commands Supported in Ridgeline Scripts
The CLI commands in this section are supported in Ridgeline scripts.
  $VAREXISTS
  $TCL
  $UPPERCASE
  show var
  delete var
  configure cli mode scripting abort-on-error
$VAREXISTS
Checks if a given variable has been initialized.
Switch Compatibility
This command is supported on devices running ExtremeXOS 12.1 and higher.
Example
    if ($VAREXISTS(foo)) then
      show var foo
    endif
$TCL
Evaluates a given Tcl command. The $TCL command is supported within the following constructs:
  set var
  if
  while
See Tcl Support in Ridgeline Scripts on page 324 for a list of supported Tcl commands.
Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.
    set var foo $TCL(expr 3+4)
    if ($TCL(expr 2+2) == 4) then
$UPPERCASE
Converts a given string to upper case. The $UPPERCASE command is supported within the following constructs:
  set var
  if
  while
Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.
Note: The $UPPERCASE command is deprecated in ExtremeXOS 12.1 CLI scripting. The $TCL(string toupper <string>) command should be used instead.
Example
    set var foo $UPPERCASE("foo")
show var
Prints the current value of a specified variable.
Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.
Example
    show var foo
delete var
Deletes a given variable. Only local variables can be deleted; system variables cannot be deleted.
Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.
Example
    set var foo bar
    delete var foo
    if ($VAREXISTS(foo)) then
      ECHO "this should NOT be printed"
    else
      ECHO "Variable deleted."
    endif
configure cli mode scripting abort-on-error
Configures the script to halt when an error is encountered. If there is a syntax error in the script constructs (set var / if ..then / do..while ), execution stops even if the abort_on_error flag is not configured.
Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.
Example
    enable cli scripting
    \$UPPERCASE uppercase
    # should not print
    show var abort_on_error
Ridgeline-Specific System Variables
The following system variables can be set in Ridgeline scripts:
  $abort_on_error: Whether the script terminates if a CLI error is encountered; 1 aborts on error, 0 continues on error.
  $CLI.OUT: The output of the last CLI command.
  $CLI.SESSION_TYPE: The type of session for the connection to the device, either Telnet or SSH.
  $date: The current date on the Ridgeline server.
  $deviceIP: The IP address of the selected device.
  $deviceLogin: The name of the login user for the selected device.
  $deviceName: The DNS name of the selected device.
  $deviceSoftwareVer: The version of ExtremeXOS running on the selected device.
  $deviceType: The product type of the selected device.
  $epicenterUser: The name of the Ridgeline user running the script.
  $isExos: Whether the device is an ExtremeXOS device. Possible values are True or False.
  Selected port numbers, represented as a string. If the script is not associated with a port, this system variable is not supported.
  The hostname of the Ridgeline server
  The hostname of the Ridgeline server
  The port number used by the Ridgeline web server; for example, 8080
  The execution status of the previously executed ExtremeXOS command, 0 if the command was executed successfully, non-zero otherwise
  The current date on the Ridgeline server
  Vendor name of the device; for example, Extreme
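The script rules in this reference (metadata section first and closed, commented detailed-description lines, no trailing backslash, no periods or reserved words in variable names) can be checked before a script is imported and run against production devices. The following Python linter is an added example, not part of Ridgeline or of the original guide; the function name lint_ridgeline_script, the finding codes, and the case-insensitive matching of tags and reserved names are assumptions.

```python
import re

# Reserved names taken from this guide: the system variables it lists,
# epic_responseFileId, the Ridgeline command extensions, and the Tcl commands
# in Table 11. ExtremeXOS CLI command names are reserved too, but the guide
# does not enumerate them, so this check cannot cover them.
SYSTEM_VARS = """abort_on_error CLI.OUT CLI.SESSION_TYPE date deviceIP
deviceLogin deviceName deviceSoftwareVer deviceType epicenterUser isExos
serverName serverIP serverPort time runMode STATUS""".split()
RIDGELINE_CMDS = "sleep printSystemVariables PerformSync SendEvent ECHO".split()
TCL_CMDS = """after append array binary break catch clock close concat continue
eof error eval expr fblocked flush for foreach format gets global history if
incr info interp join lappend lindex linsert list llength lrange lreplace
lsearch lsort namespace open package proc puts read regexp regsub rename return
scan seek set split string subst switch tell time trace unset update uplevel
upvar variable vwait while""".split()
# Assumption: names are compared case-insensitively (the conservative choice).
RESERVED = {n.lower() for n in
            SYSTEM_VARS + RIDGELINE_CMDS + TCL_CMDS + ["epic_responseFileId"]}

# Metadata tags documented in the guide; "# @Tag" with a space also occurs.
TAG = re.compile(r"^\s*#\s*@(MetaDataStart|MetaDataEnd|ScriptDescription|"
                 r"DetailDescriptionStart|DetailDescriptionEnd|SectionStart|"
                 r"SectionEnd|VariableFieldLabel)\b", re.IGNORECASE)
SET_VAR = re.compile(r"^\s*set\s+var\s+(\S+)", re.IGNORECASE)


def lint_ridgeline_script(text):
    """Return a list of (line_number, finding_code) for rule violations."""
    findings = []
    in_meta = in_detail = seen_content = False
    meta_line = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        # Line continuation is unsupported; a trailing backslash is an error.
        if line.endswith("\\"):
            findings.append((n, "TRAILING_BACKSLASH"))
        m = TAG.match(line)
        tag = m.group(1).lower() if m else None
        if tag == "metadatastart":
            # The metadata section, if present, must be the first section.
            if seen_content:
                findings.append((n, "META_NOT_FIRST"))
            in_meta, meta_line = True, n
        elif tag == "metadataend":
            if not in_meta:
                findings.append((n, "META_END_WITHOUT_START"))
            in_meta = in_detail = False
        elif tag:
            # Other tags only take effect inside the metadata section.
            if not in_meta:
                findings.append((n, "TAG_OUTSIDE_META"))
            if tag == "detaildescriptionstart":
                in_detail = True
            elif tag == "detaildescriptionend":
                in_detail = False
        elif in_detail and not line.lstrip().startswith("#"):
            # Each line of the detailed description should be commented.
            findings.append((n, "UNCOMMENTED_DESCRIPTION"))
        seen_content = True
        v = SET_VAR.match(line)
        if v:
            name = v.group(1)
            if "." in name:
                findings.append((n, "PERIOD_IN_NAME"))
            if name.lower() in RESERVED:
                findings.append((n, "RESERVED_NAME"))
    if in_meta:
        findings.append((meta_line, "META_NOT_CLOSED"))
    return findings


# Constructed sample script that breaks several rules on purpose.
SAMPLE_BAD = """set var deviceIP 10.0.0.1
#@MetaDataStart
#@DetailDescriptionStart
Uploads the configuration.
#@DetailDescriptionEnd
set var vlan.tag 100
set var list a
show vlan \\
#@VariableFieldLabel (description = Partition:, scope = global)
"""

if __name__ == "__main__":
    for line_no, code in lint_ridgeline_script(SAMPLE_BAD):
        print(f"line {line_no}: {code}")
```

Running the linter over exported scripts before import gives a reviewable list of findings per line; an empty list means none of the rules encoded here were violated, not that the script is safe to run on every device.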
  Audit Log View
  Displaying Audit Log Details
  Redeploying Profiles or Scripts
Figure 203: Audit Log View
The Audit Log View shows information about the deployed UPM profiles, Ridgeline scripts, network provisioning, software image management, and configuration management tasks on separate tabs. Each tab provides filters (see Filtering the Audit Log View on page 330) to limit the information based on the time period deployed, log table contents, or details table contents.
The log table contains information about each deployed profile, script, provisioning activity, and software image management task. The details table contains information about the deployment results of a selected profile, script, provisioning activity, or software image management task on each device where it was run.
Figure 204: Audit Log Details Window
The audit log details pane shows the name of the deployed profile or script, who created it, overall status, and time the item was deployed:
Action Time: The time that the script or profile was deployed.
Name: The name of the device where the profile or script was deployed.
IP Address: IP address of the device.
Results: Result of the deployment, successful or unsuccessful.
Ports: The ports on which the script or profile were deployed.
For software image management and configuration management, the details pane appears on the right side of the window (see the following figure).
search for a specific IP address, the IP/MAC Address Finder attempts to ping that address from the switches you have included in the search domain.
To create a search task:
1 In the navigation pane, click Main View.
2 Click Find IP/MAC. The IP/MAC Address Finder window appears (see the following figure).
Figure 207: IP/MAC Address Finder Window
3 Click New Task. The Create a new IP/MAC Finder Task dialog box appears (see the following figure).
Figure 208: Create a new IP/MAC Finder Task
4 Type a name in the Task Name box.
5 To search for an IP or MAC address or range of addresses, select one of the following:
IP: type a specific IP address in the boxes to the right.
MAC: type a specific MAC address in the boxes to the right.
MAC OUI Wildcard: type the first three octets of a MAC address in the boxes to the right. The last three octets have wildcards.
All: searches for all MAC and IP addresses. Select this option if you want to search devices to show all of their MAC and IP addresses.
6 Click Add.
Database: Searches the Ridgeline database (inventory of devices)
Network: Searches the network
Note: A database search is only available if you have MAC polling enabled (see MAC Polling Properties). If you specify a database search, you cannot specify a search domain; the entire Ridgeline database is searched.
8 Under Search Domains, select the devices to search:
a In the Source Type list, select: Devices, Device Groups, Ports, or Port Groups.
b In the Select Group list, if you select Devices or Ports (as opposed to Device Groups or Port Groups) above, you can select a group here.
c Click Add.
9 Click OK. The IP/MAC Address Finder window appears displaying the search results (for detailed information about the IP/MAC Address Finder window, see The IP/MAC Address Finder Window with Search Results on page 336).
Note: The IP/MAC Address Finder cannot identify a device's own IP address when you search for IP addresses on that device. In other words, it will not find IP address 10.2.3.4 on the switch whose address is 10.2.3.4. It can only find addresses that are in the agent's IP Address Translation table, and a device's own address is not included in the table. The IP/MAC Address Finder does find the address on the other switches that have connectivity to the switch with the target IP address, however.
Each search task can return a maximum of 2,000 MAC address entries. If a search returns more than 2,000 entries, a warning message appears in the Status box. If you see a warning message, add additional search constraints to reduce the number of returned MAC addresses to less than 2,000.
Figure 209: Tasks List Summary
The IP/MAC Address Finder window shows you basic information about the tasks you have set up:
Task Name: The name you gave the task when you created it.
Submitted: Shows the date and time the task was submitted.
Search Type: The type of search this task performs (Database or Network).
Status: Shows the status of the search request (Done, Pending, Warning).
Ended: Shows the date and time the task was finished.
Search Criteria
Addresses to Find: List of IP/MAC addresses that the search task was configured to find.
Search Domains: Devices and ports that the search task was configured to search.
  Type: The type of target: Devices, Device Groups, Ports, Port Groups
  Value: The name, IP address, or port number of the selected target
  Device Status: If the target is a device or port, shows the status of the device:
    Online.
    Offline: The manageability status of the device is disabled.
    Marginal: A fan failure or power failure occurs or the device becomes too hot.
    Down: Device does not respond to SNMP requests.
Search Results
MAC Address.
IP Address.
Switch: The switch to which the address is connected.
Port: The port to which the address is connected.
User: The user (name) currently logged in at that address.
Clone
To create a search task based on another search task, select the task, and then click Clone. The Create a new IP/MAC Finder Task window appears with the specifications of the selected task already configured. For information about changing the specifications for the search task, see Creating a Search Task.
Select a task, and then click Export to export the task details to a text file. For more information about exporting, see Exporting Task Results to a Text File.
Select a task, and then click Export Local to export the task details to a text file on your local system. For more information about exporting, see Exporting Task Results to a Text File.
Detail and search result files for a task are saved in the Ridgeline user.war/AddressFinderResults directory, which is a subdirectory of the Ridgeline installation directory. You can optionally specify a subdirectory within the AddressFinderResults directory by entering the subdirectory name into the Directory field. By default, an exported search result file is given a name created from the current date, time, and task name. For example, the results for task Task 2 run on April 25, 2006 at 3:52 pm will be saved in a file named 2006_4_25_1552_Task 2.txt. You can change the file name by replacing the name in the File Name field.
If you select Export Local: Select the location where you want the file to be saved. You must provide a file name; it is not predefined for this option.
3 Click the Apply button to save the results, click Reset to clear all the fields, or click Close to close the dialog without saving the file.
21 Administering Ridgeline
Overview of User Administration Administration Functions User Administration Adding, Modifying, or Deleting User Accounts Changing Your Password if You Have Super-User or Administrator Rights Changing Your Password if You Have Manager or Monitor Rights Role Administration Adding, Modifying, or Deleting Roles RADIUS Administration Server Properties Administration Distributed Server Administration
This chapter describes how to use the Ridgeline administration functions.
Administration Functions
Ridgeline Access Roles
There are five predefined roles that assign levels of access to Ridgeline functions/groups:
Super-User: Can create, modify, and delete user accounts, roles, any user's password, and groups. Super-users also have read/write access to all other Ridgeline features (can modify device parameters as well as view status information). This super-user role cannot be modified. This role is assigned to the default user admin.
Administrator: Can create, modify, and delete user accounts and roles, and change users' passwords, except for those belonging to super-users or other administrators. By default, administrators also have read/write access to all other Ridgeline features (can modify device parameters as well as view status information and statistics). The Administrator role's access to Ridgeline features can be changed or disabled; however, the administrator's ability to create, modify, and delete user accounts and roles cannot be changed.
Disabled: Account information is maintained, but no current Ridgeline access. This role cannot be modified.
Manager: By default, managers have read/write access to all Ridgeline features, but cannot create, modify, and delete user accounts and roles. Can modify device parameters as well as view status information and statistics. The Manager role's access to Ridgeline features can be changed or disabled.
Monitor: Has read-only access to Ridgeline features. Can view status information and statistics. The Monitor role's access to Ridgeline features can be changed or disabled.
The access for each of these roles can be specified on a feature-by-feature basis. With the exception of the disabled role, access to Ridgeline features can be changed or disabled per feature (see Adding or Modifying Roles). Administrators and super-users can also create new roles as needed with any combination of access to features. However, the ability to create, modify, and delete user accounts and roles belongs exclusively to the administrator and super-user roles and cannot be assigned to other roles, either pre-defined or new. The five predefined roles cannot be deleted, nor can the role names be changed. In addition to modifying Ridgeline feature access through roles, users assigned to the administrator or super-user role can disable Ridgeline features globally. When you globally disable a feature, you cannot enable it for any roles. For information about globally enabling or disabling Ridgeline features, see Features Properties.
Ridgeline Users
Users assigned to the administrator or super-user role can create, modify, and delete user accounts and roles, and assign user access levels. There are two default users. All other user names must be added and enabled by a super-user or administrator user:
User: admin
  Assigned to Role: Super-user
  Can Be Modified?: Only the default password can be changed. This user cannot be deleted.
  Default Password: admin
User: user
  Assigned to Role: Monitor
  Can Be Modified?: Yes.
  Default Password: user
Regardless of your access role, you can change your own password. For information about how to add, delete, and modify user accounts, see User Administration.
User Administration
User administration allows you to:
Create, modify, and delete users and roles
Change passwords
Configure the Ridgeline server as a RADIUS client for user authentication
Modify Ridgeline server properties, such as polling rates, timeouts, port assignments, etc.
Configure Ridgeline to operate in a distributed server group
You must be logged in as a user with the administrator or super-user role to create, modify, and delete user accounts and roles.
To access the user administrator functions, in the navigation pane, click Ridgeline Users and Servers. The user administration window appears:
To add a new user, click Add. To modify a user, select the desired user in the list, and then click Edit.
A New User or Modify User dialog box appears with the following fields:
User Name: The Ridgeline logon name for the user. If you are editing a user, this is filled in and cannot be modified.
Password: The password for this user.
Verify Password: The password typed a second time for verification.
Role: The Ridgeline role for this user. There are five default roles (super-user, administrator, disabled, manager, and monitor), along with any additional roles a Ridgeline administrator or super-user may have created. The super-user role cannot be applied to any user other than the default admin user. Also, the admin user's super-user role cannot be changed to another role.
3 For a new user, enter the appropriate information. For an existing user, make the necessary changes to the password or role.
Note: You can only change the password for the user admin. Also, you cannot delete the admin user.
4 Click OK. The new user information is stored in the Ridgeline database.
Note: Changes to a user's account do not take effect until the next time the user logs on.
Deleting Users
You must be logged on as a user with the administrator or super-user role to delete users. Deleting a user removes all information about the user account from the Ridgeline database. To remove all access privileges for a user without removing the user account from the Ridgeline database, modify the user's account, and change the role to disabled (see Adding or Modifying User Accounts).
Note: You cannot delete the admin user.
To delete a user:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Users, click Open Users tab.
3 Select the check box next to the desired user, and then click Delete. A confirmation message appears.
4 Click Yes.
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Users, click Open Users tab.
3 Select the check box next to your user name in the list, and then click Edit. The Modify User dialog box appears.
4 Type your new password into the Password and Verify Password boxes.
5 Click OK. Your new password is stored in the Ridgeline database.
Note: The change does not take effect until the next time you log on.
Role Administration
If your user role is administrator or super-user, you can add, modify, and delete Ridgeline roles. Roles let you define different combinations of access to Ridgeline features. For each feature, a role can provide read/write, read-only, or disabled access. The Ridgeline server provides five predefined roles:
Super-User: Can create, modify, and delete user accounts, roles, and groups. Super-users also have read/write access to all other Ridgeline features (can modify device parameters as well as view status information and statistics). In addition, super-users have access to all groups. This super-user role cannot be modified.
Administrator: Can create, modify, and delete user accounts and roles. By default, administrators also have read/write access to all other Ridgeline features (can modify device parameters as well as view status information and statistics). The administrator role's access to Ridgeline features can be changed or disabled; however, the administrator's ability to create, modify, and delete user accounts and roles cannot be changed.
Disabled: Account information is maintained, but no current Ridgeline access. The disabled role cannot be modified.
Manager: By default, managers have read/write access to all Ridgeline features, but cannot create, modify, and delete user accounts and roles. Can modify device parameters as well as view status information and statistics. The manager role's access to Ridgeline features can be changed or disabled.
Monitor: Has read-only access to Ridgeline features. Can view status information and statistics. The monitor role's access to Ridgeline features can be changed or disabled.
Except for the disabled and super-user roles, you can modify the feature access for each of these roles, but you cannot delete them. You can also create new roles with a combination of access to various Ridgeline features.
Note: In addition to modifying Ridgeline feature access through roles, users assigned to the administrator or super-user role can disable Ridgeline features globally. When you globally disable a feature, you cannot enable it for any roles. For information about globally enabling or disabling Ridgeline features, see Features Properties.
To administer roles:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Roles, click Open Roles tab. The Roles Administration window appears (see the following figure).
Figure 211: The Roles Administration Window
When you select a role, the feature settings for the role appear in the Feature list (lower bottom list).
To add a role, click Add. To modify a role, select the check box next to the desired role, and then click Modify. You cannot modify the super-user or disabled roles. The New Role or Modify Role dialog box appears:
Figure 212: The New Role and Modify Role Dialog Boxes
3 For a new role, type the role name and an optional description. For an existing role, you can change the description. (You cannot change the role name.)
4 For each feature in the table, select the level of access. The levels of access are:
A user with this role cannot access this feature. The icon will not appear in the navigation toolbar when a user with the role logs into Ridgeline.
A user with this role has read-only access to this feature. This means the user can see any status or statistics displays, but cannot make any changes (such as discovering or adding devices, creating Topology maps, and so on).
Read/Write: A user with this role has full access to this feature.
Note: For the predefined roles (super-user, administrator, manager, and monitor) you can disable access to Ridgeline features, but you cannot change a feature from read/write to read-only or vice-versa. The super-user, administrator, and manager roles always provide full access to any features for which access is enabled, and the monitor role provides only read-only access to any features for which access is enabled.
5 Click OK to add or modify the role.
If features are globally disabled through the server properties (see Features Properties), you cannot select those features when you add or modify a role. The Access column shows Globally Disabled instead of access options.
Deleting Roles
To delete a role:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Roles, click Open Roles tab.
Figure 213: Roles Administration Window
4 Select the check box next to the role that you want to delete, and then click Delete.
Note: You cannot delete any of the predefined roles. You also cannot delete a role that is currently assigned to a user.
A confirmation window appears.
5 Click Yes. This removes the role from the Ridgeline database.
RADIUS Administration
If your user role is administrator or super-user, you can enable Ridgeline as a RADIUS client, and change its port or the RADIUS secret. By default, RADIUS authentication is disabled.
When Ridgeline is enabled as a RADIUS client, Ridgeline requests authentication from an external RADIUS server when users attempt to log on to the Ridgeline server. In this case, the external RADIUS server can also be configured to return role information to Ridgeline along with a successful authentication. If this feature is enabled, you must create corresponding roles in Ridgeline for every role that the RADIUS server may return. If a user is authenticated with a role that Ridgeline does not recognize, the user is given the monitor role by default.
Disabling RADIUS in Ridgeline means that Ridgeline's RADIUS server is not available for authenticating users, and it does not request user authentication from an external RADIUS server.
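The role rules in this chapter and the RADIUS fallback described above can be checked offline before role return is enabled on the RADIUS server. The following is an added example, not Ridgeline code: the role table, the custom role helpdesk, the RADIUS replies, and the exact (case-sensitive) role-name match are assumptions made for illustration.

```python
from enum import Enum


class Access(Enum):
    DISABLED = "disabled"
    READ_ONLY = "read-only"
    READ_WRITE = "read/write"


# Role names and rules below are the ones stated in this chapter.
PREDEFINED = ("super-user", "administrator", "disabled", "manager", "monitor")
ACCOUNT_ADMINS = {"super-user", "administrator"}  # only these manage users/roles
FALLBACK_ROLE = "monitor"  # applied when RADIUS returns an unrecognized role

# Constructed sample data. Feature names come from the Features Properties
# list; the custom role "helpdesk" and the RADIUS replies are hypothetical.
GLOBALLY_DISABLED = {"Firmware Manager"}
ROLES = {
    "administrator": {"Alarm Manager": Access.READ_WRITE,
                      "Configuration Manager": Access.READ_WRITE,
                      "Firmware Manager": Access.READ_WRITE},
    "manager": {"Alarm Manager": Access.READ_WRITE,
                "Configuration Manager": Access.DISABLED},
    "monitor": {"Alarm Manager": Access.READ_ONLY,
                "Configuration Manager": Access.READ_ONLY},
    "helpdesk": {"Alarm Manager": Access.READ_ONLY,
                 "Configuration Manager": Access.READ_WRITE},
}
RADIUS_REPLIES = [("alice", "administrator"), ("bob", "Helpdesk"),
                  ("carol", "netops"), ("dave", "disabled")]


def known_roles(roles):
    """Predefined roles always exist; custom roles come from the role table."""
    return set(PREDEFINED) | set(roles)


def resolve_role(radius_role, roles):
    """Return (applied_role, fell_back) for a role name returned by RADIUS.

    Assumption: names are compared exactly (case-sensitive).
    """
    if radius_role in known_roles(roles):
        return radius_role, False
    return FALLBACK_ROLE, True


def effective_access(role, feature, roles, globally_disabled):
    """Access a role gets to one feature after the global switch is applied."""
    if feature in globally_disabled or role == "disabled":
        return Access.DISABLED          # global disable beats every role
    if role == "super-user":
        return Access.READ_WRITE        # read/write to all enabled features
    return roles.get(role, {}).get(feature, Access.DISABLED)


def can_manage_accounts(role):
    """Account and role management cannot be granted to any other role."""
    return role in ACCOUNT_ADMINS


def validate_roles(roles):
    """List settings the guide says cannot exist for predefined roles."""
    problems = []
    for name in ("super-user", "disabled"):
        if name in roles:
            problems.append(f"{name}: role cannot be modified")
    for name, table in roles.items():
        for feature, access in table.items():
            if name in ("administrator", "manager") and access is Access.READ_ONLY:
                problems.append(f"{name}/{feature}: cannot be read-only")
            if name == "monitor" and access is Access.READ_WRITE:
                problems.append(f"{name}/{feature}: cannot be read/write")
    return problems


def audit_radius_roles(replies, roles, globally_disabled):
    """Report users whose RADIUS role silently falls back to monitor."""
    features = sorted({f for table in roles.values() for f in table})
    findings = []
    for user, radius_role in replies:
        applied, fell_back = resolve_role(radius_role, roles)
        if not fell_back:
            continue
        # A name differing only in case is most likely a typo on one side.
        near = sorted(r for r in known_roles(roles)
                      if r.casefold() == radius_role.casefold())
        findings.append({
            "user": user,
            "radius_role": radius_role,
            "applied_role": applied,
            "near_match": near[0] if near else None,
            "access": {f: effective_access(applied, f, roles,
                                           globally_disabled).value
                       for f in features},
        })
    return findings


if __name__ == "__main__":
    for problem in validate_roles(ROLES):
        print("invalid role table:", problem)
    for finding in audit_radius_roles(RADIUS_REPLIES, ROLES, GLOBALLY_DISABLED):
        print(finding)
```

In the constructed data, bob and carol authenticate successfully but receive monitor access rather than the role the RADIUS server returned, which is the condition worth reviewing before users rely on RADIUS-assigned roles.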
Figure 214: RADIUS Administration Window
3 Under RADIUS Configuration, select Enable system as a RADIUS Client.
4 Type the name or IP address of the primary and secondary RADIUS servers in the appropriate Name/Address boxes. It is recommended, but not required, that you set up both a primary and a secondary RADIUS server for authentication.
5 If either RADIUS server uses a different port than the default port (1812), type that port number in the appropriate Port box.
Note: Ensure that the port you enter matches the port configured for the RADIUS server or Ridgeline cannot access the RADIUS server.
6 Type the RADIUS server's shared secret in the Secret box for both the primary and secondary RADIUS servers. This shared secret is a shared key which the RADIUS server and its clients use to recognize each other and to securely transmit user passwords.
Note: If the shared secret is changed in either of the RADIUS servers, you must change it for Ridgeline or Ridgeline cannot access the RADIUS server.
7 Click Apply.
Note: Some configuration may be required on the external RADIUS server to allow Ridgeline to authenticate users with various roles. For information on how to configure an external RADIUS server to perform Ridgeline user authentication, see External RADIUS Server Setup.
Figure 215: RADIUS Administration Page
3 Under RADIUS Configuration, click Disable RADIUS.
4 Click Apply.
Figure 216: Server Properties Configuration Window
3 Select a set of properties from the Select server properties area to configure drop-down menu: Logging SNMP External Connections Device Scalability Alarms Other E-Mail MAC Polling Configuration Management Properties Features
4 Associated fields appear for the selected set of properties. For information about the fields, see the following sections.
Note: To change the value for a property, click the box under the Property Value column, and then for:
True/false properties: click to switch the value.
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
5 Click Apply.
To undo your changes:
To undo your immediate changes, click Reset.
To restore the values to the installation default values, click Reset To Defaults.
For some changes to take effect, you need to restart the Ridgeline server. For information about restarting the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.
Logging Properties
Note: To change the value for a property, click the box under the Property Value column to display a drop-down list of possible values.
When you select Logging from the drop-down list, you can set the following properties (see the following figure):
SNMP Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
When you select SNMP from the drop-down list, you can set the following properties:
Trap conversion
The host name or IP address of the system to which traps should be forwarded. The port on which the specified host receives traps (by default, port 162).
Device Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
When you select Device from the drop-down list, you can set the following properties:
Accept SysLog Messages With Min Severity Syslog Server Port Poll Devices using Telnet
Telnet Login Timeout Period (in seconds): The length of time, in seconds, after which a CLI/Telnet logon request to a switch should time out. The default is 10 seconds; the range is 1 to 30 seconds.
Use system login/password for Telnet/SSH: Enabling this enables using your Ridgeline logon name and password when you initiate Telnet or SSH2 sessions with the switch. Background functions, including trap handling, polling, and scheduled operations continue to use the Telnet/SSH logon and password configured for the switch using the Inventory Manager.
Scalability Properties
Changing the thread pool size, default thread allocation size, number of SNMP sessions, and the number of traps and syslog messages Ridgeline processes per minute lets you configure the Ridgeline server to provide better performance based on the amount of server resources (number and speed of processors, amount of memory) available. Changing these values should not normally be necessary unless you are managing a very large number of devices (more than 1,000 devices).
If you are managing more than 1,000 devices, you should run the Ridgeline server on a system with a 1 GHz or faster processor, and at least 1 GB of physical memory. You may also improve the performance of the Ridgeline server by changing the following parameters.
Note: Changing the scalability properties on a system without suitable hardware could actually decrease the performance of the Ridgeline server. You should not change the values for traps and syslog messages accepted unless the Ridgeline server reports dropping lots of traps.
To see the effects of the current scalability settings, run the Server State Summary Report under Reports > Ridgeline Server.
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
When you select Scalability from the drop-down list, you can set the following properties (see the following figure):
Figure 221: Scalability Properties
The following properties affect the scalability of Ridgeline:
Number of Interactive Telnet Sessions: This specifies the maximum number of interactive Telnet sessions allowed.
Syslog messages per Device in 1/2 Minute: This specifies the maximum number of syslog messages that can be received from an individual device in 28 seconds. If more than this number of traps are received within a 28-second interval, the excess messages are ignored. The default value is 50, with a range of 20 to 250.
Thread Default Allocation Size: This specifies the default number of threads allocated for a process request. The default is 20.
Thread pool size: This specifies the maximum number of threads available. The default is 40.
Total syslog messages Accepted per Minute: This specifies the maximum number of syslog messages that Ridgeline can receive in one minute from all managed devices. If more than this number of messages are received within a one-minute interval, the excess messages are ignored. The default is 275; the maximum you can set is 275.
This specifies the maximum number of traps that Ridgeline should receive from all managed devices in 55 seconds. Exceeding this limit triggers the alarm, "incoming SNMP traps reached maximum" (see Predefined Alarms on page 238). The default is 275; the maximum you can set is 275.
This specifies the number of traps that should be received from an individual device in 28 seconds. Exceeding this limit triggers the alarm, "incoming SNMP traps reached maximum" (see Predefined Alarms on page 238). The default value is 50, with a range of 5 to 60.
Alarms Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
When you select Alarms from the drop-down list, you can set the following properties (see the following figure):
Other Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
When you select Other from the drop-down list, you can set the following properties (see the following figure):
Enable Link Up/Link Down Correlation: Enables correlation between link up and link down traps on a port. When this is enabled (true), a link down trap that is followed quickly (within 20 seconds) by a link up trap on the same port is ignored by the Alarm Manager. This feature is disabled (false) by default.
IP Qos Rule Precedence: The starting value that the Ridgeline server uses for setting precedence for IP QoS rules. This is an integer between 1 and 25,000. The default value is 10,000.
Port Tree UI: A setting that specifies how ports are identified in the component trees and in selected other locations. You can choose to have the component tree show the port number only, or the port number followed by the port name in parentheses (if a name or display string has been associated with the port). The default is port number only.
ServiceWatch URL: The URL for accessing ServiceWatch, to allow it to be started from the Ridgeline navigation toolbar, and to run in the main Ridgeline window. For example, if ServiceWatch is running on a system named tampico at port 2000, enter http://tampico:2000 as the ServiceWatch URL, and then restart the Ridgeline server to activate the ServiceWatch integration. For more information about how to restart the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.
Session Timeout Period (in minutes): The non-activity timeout period, in minutes, after which the user is required to log back on to the Ridgeline server. The default is 30 minutes. You can disable the timeout by setting the property to -1. To activate the session timeout period, you must also edit the < >deploy/extreme.war/client.properties file, and set the epicenter.client.enable.inactivity.monitor setting to true.
Show device-image navigation by default: This setting can be enabled (true) or disabled (false).
Telnet Screen Width: The number of columns available on the screen for the Telnet application. The default number of columns is 80. The range is between 40 and 180 columns.
Update Type Library on Server: This function updates the Ridgeline type library, which is a repository of information about devices (primarily from Extreme Networks) that are supported by Ridgeline.
Note: If you are adding a third-party device that had been listed as unknown in the Inventory Manager, then after updating the type library, you must log off of Ridgeline, and then log back on again, for the device to appear correctly in the Inventory Manager.
E-mail Properties
To allow the Alarm Manager to send e-mail when alarms occur, you must first configure the server to send e-mail.
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.
When you select E-Mail from the drop-down list, you can set the following properties (see the following figure):
Ridgeline implements MAC Address polling using Telnet to retrieve FDB and ARP table data from the applicable devices (devices that support FDB polling and for which FDB polling has been enabled in the Inventory Manager). Telnet requests are initiated in sets: requests are sent to groups of devices simultaneously. A MAC address polling cycle is complete when these multiple sets of requests have resulted in the retrieval of FDB table data from all eligible devices. Once a polling cycle finishes, a new polling cycle begins. Individual devices are polled once in each MAC address polling cycle. The interval between polls of the FDB on a given device (the length of time before FDB data is refreshed) is a function of the number of devices being polled per cycle, and the interval between the sets of Telnet polls in a complete polling cycle.
Ridgeline calculates the interval between sets of Telnet requests dynamically, based on the length of time it took for the previous set of Telnet requests to complete. Ridgeline assumes that if a set of Telnet requests takes a long time to complete, it means the Ridgeline server is more heavily loaded than if the requests complete quickly. The system load setting tells Ridgeline whether the calculated interval between sets of Telnet requests should be relatively longer or shorter compared to the perceived Ridgeline server load. Ridgeline uses the system load setting, along with the time it took for the last set of Telnet requests to complete, to determine how long to wait before issuing the next set of Telnet requests. The Server State Summary Report includes poller statistics showing the status of the polling activity (see Server State Summary Report).
Features Properties
Disabling a feature through the server properties disables it for all Ridgeline users, regardless of their role. Features can also be controlled through the roles that users are assigned to (see Role Administration). When you select Features from the drop-down list, you globally control which Ridgeline features are accessible to users (see the following figure).
Adds/removes the associated feature from the navigation pane (left pane) for all Ridgeline users. Adds/removes the entries, if appropriate, from the Device and Tools menus, and from shortcut menus. Makes the feature available/unavailable when creating or modifying roles. (For the Alarm Manager) enables/disables the generation and processing of alarms. However, traps and events are still logged, and traps are still forwarded if required. (For the Alarm Manager or the Configuration Manager) adds/removes the associated report links from the main Reports window (under Logs).
1 For the desired feature, click the box under the Property Value column to switch between true/false values.
2 Click Apply.
You can control the following features:
Alarm Manager: Allows users to create, modify, and view alarms. When this feature is disabled, the Alarms command doesn't appear in the Device menu, whether or not a device has been selected.
Audit Log: Allows users to view script and profile-related actions, and run some scripts. When this feature is disabled, the Ridgeline navigation toolbar does not display Audit Log under Alarms and Events.
Configuration Manager: Allows users to upload, download, and view configuration files. When this feature is disabled, the Ridgeline navigation toolbar does not display Configuration Manager under Administration.
Gives users access to the browser-based ExtremeXOS ScreenPlay or ExtremeWare Vista device management interfaces.
Allows users to create and modify EAPS domains. Monitoring EAPS domains is base functionality. When this feature is disabled, users cannot make changes to EAPS domain configurations.
Allows users to view the E-Line and E-LAN services created through Ridgeline. When this feature is disabled, users cannot see Ethernet services under Main View when they click Show Services.
Firmware Manager: Allows users to view and upgrade software and bootROM images. When this feature is disabled, the Ridgeline navigation toolbar does not display Firmware Manager under Administration.
IP/MAC address finder: Allows users to search for IP and MAC addresses on the network.
Maps: Allows users to create, modify, and view network maps for device groups.
Monitor network users
Network security manager
Options: Allows users access to configure map-related parameters.
PBB monitoring: Allows users to monitor BVLANs and related SVLANs, CVLANs, and ISIDs. When this feature is disabled, users cannot view PBB information in the Main View. PBB provisioning is also disabled.
Allows users to create and modify BVLANs.
Allows users to manage network policies. When enabled, users can create, edit, and delete network policies.
Allows users to create, run, and view system scripts. When this feature is disabled, the Ridgeline navigation toolbar does not display Scripts under Network Configuration.
Allows users to telnet into devices.
Provides tools for managing and creating ExtremeXOS profiles in Ridgeline and deploying them on the network. When this feature is disabled (check box cleared), the Ridgeline navigation toolbar does not display Universal Port Profile Manager under Network Configuration.
Virtualization management: Enables network administrators to monitor, secure, and manage virtual machines (VMs). When this feature is disabled, the Ridgeline navigation toolbar does not display Virtualization under Network Configuration.
Enables displaying of VLAN information throughout Ridgeline.
Allows users to create and modify VLANs. Monitoring VLANs is base functionality. When this feature is disabled, users cannot make changes to VLAN configurations, but can still view VLAN configurations.
VMAN Provisioning: Allows users to create and modify VMANs. Monitoring VMANs is base functionality. When this feature is disabled, users cannot make changes to VMAN configurations, but can still view VMAN configurations.
VPLS monitoring: Allows users to view VPLS domains. When this feature is disabled, users cannot view VPLS information in the Main View.
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Distributed Server, click Open Distributed Server tab. The Distributed Server Administration window appears:
Figure 228: Distributed Server Administration Window
3 Under Server Group Type, select Server Group Manager. The controls in the Server Group Manager area are now available.
4 Under Server Group Manager, type the shared secret in the Secret box. The secret is a shared key that allows the cooperating Ridgeline servers to recognize each other and to securely transmit server data. The default shared secret is secret.
Note: If you change the secret in one Ridgeline server, you must also change it for all other servers in the group.
5 Type a value (in minutes) for the desired frequency of communication between the server group manager and the other server group members in the Poll Interval (Mins) box. The default is 10 minutes.
6 Add the members of the server group:
a Click Add.
b Type the host name or IP address of the group member server in the Server box. A server group member does not need to have a DNS-translatable host name.
c Type the port used to communicate with the server member in the Port box. This port must match the HTTP port configured for the server group member.
d Click OK to add this server to the server group. Servers added to the server group must be configured as server group members (see Configuring a Server Group Member on page 367).
Note: To delete a server from the server group, select the server, and then click Delete.
7 Click Apply.
Figure 229: Distributed Server Administration Window
3 Under Server Group Type, click Server Group Member. The controls in the Server Group Member area are now available.
4 Under Server Group Member, type the host name or IP address of the server that acts as the server group manager in the Server Group Manager box.
5 Under Server Group Member, type the port number for communication with the server group manager in the Port box. This port number must match the HTTP port configured for the Ridgeline server acting as the server group manager. The default is port 8080.
6 Under Server Group Member, type the shared secret in the Secret box. The secret is a shared key that allows the cooperating Ridgeline servers to recognize each other and to securely transmit server data. The default shared secret is secret.
Note: If you change the secret for one Ridgeline server, you must also change it for all other servers in the group.
7 Click Apply.
Make sure that SNMP is enabled on switches, so that you can add devices into Ridgeline's inventory.
Enable HTTP or HTTPS on the devices to be managed by the UPM.
To enable HTTP on the device, use the command:
    enable web http
To enable HTTPS on the device, use the command:
    enable web https
UPM Functions
Ridgeline UPM is organized into two functional areas:
The Network Profiles tab, where you can view, enable, disable, edit configuration, run, and delete the profiles deployed on the Extreme devices. You can also change the profile event binding or port binding configuration on switches.
The Managed Profiles tab, where you can import, export, create, view, edit, save, delete, test, and deploy profiles.
In addition, you can use the Ridgeline Audit Log to view the profile actions performed on the network devices by Ridgeline, and redeploy profiles to devices where you had deployed them earlier.
For ease of profile management with a large network of devices, use device groups and port groups whenever possible to facilitate the profile deployment.
Dynamic profile
Device profile User Profile Ridgeline profile Non-Ridgeline profile Deployed profile
Profile environment variables: Variables (or parameters) used in the profile commands, such as $VLAN or $ports.
System variables: Variables that ExtremeXOS provides during runtime. Profiles can use them without defining them first.
Scripting: A capability of the ExtremeXOS CLI to execute a set of commands, with values for certain command parameters being automatically substituted by the system, others being user-defined (system and user-defined variables). Scripting also provides control structures such as IF/THEN/ELSE and data manipulation functions. Any CLI command can be used in a script. In addition, a script may have extensions that are needed for and only relevant to the Universal Port and its profiles, such as persistent/non-persistent mode.
Port Groups
Figure 231: Universal Port Manager Network Profiles View
The buttons on the Network Profiles tab provide the following functions:
Note: All buttons except View are active only when the device is HTTP-reachable.
View
Enable Profile
Disable Profile
Delete
Save As
View Diff
Edit Configuration
Quick Filter Device Group Filter Sync Device Update All View Results
The Filtered Profiles On HTTP-Reachable Devices table displays the following information about the profile on the network:
Note: An HTTP-reachable device that does not have any profile does not appear in this table. A device that is not HTTP-reachable, and for which Ridgeline cannot determine whether any profile exists, is shown in this table with the profile Unknown.
Profile Name: Name of the profile on the device. Click on the profile name link to open the profile details. A profile on a switch may show up multiple times in the table. For example, if a profile is bound to a DEVICE-DETECT and DEVICE-UNDETECT event on a switch, the profile will appear twice.
In ExtremeXOS, the state of the profile. Enabled or Disabled.
Event that triggers the profile to run.
The EMS filter associated with the profile, if the Trigger Event for the profile is a log message. If the profile is not triggered by a log message, then N/A is displayed in this column.
Ports: Ports on which the profile was configured to run on or is bound to.
Device Name: Name of the device to which the profile was deployed.
IP Address: IP Address of the device to which the profile was deployed.
Device Last Reached: The time at which the UPM information was last updated.
Last Attempt to Reach Device: The time at which the UPM last attempted to update information.
Profile Type: The type of profile.
  Non-Ridgeline: The profile was not deployed by Ridgeline.
  Ridgeline: The profile was deployed by Ridgeline or imported to Ridgeline.
Profile Status: Status of the Ridgeline profile on the device.
  Missing: The profile deployed by Ridgeline is missing from the device.
  Same as Deployed: The profile in the device is the same as the one deployed by Ridgeline.
  Different: The profile in the device is different from the one deployed by Ridgeline.
  N/A: The profile is not saved in Ridgeline.
Indicates whether the device can be reached using HTTP.
  Down or HTTP unreachable: The device is not operational or Ridgeline is not able to reach the device using HTTP. To find out why Ridgeline cannot reach the device, select a profile on this device and then click Update Device View. Verify the update device view results to see whether any error message is displayed.
  HTTP reachable: Ridgeline is able to reach the device using HTTP.
Profile state based on availability in Ridgeline.
Status of the switch (HTTP/HTTPS reachability), which contains the respective UPM profile.
The following icons are used in the Filtered Profiles On HTTP-Reachable Devices table: Table 16: Icons in the Filtered Profiles on HTTP-Reachable Devices Table
The profile was deployed by Ridgeline and is the same as the one in Ridgeline.
The status of the profile deployed by Ridgeline is unknown because the device is unreachable or has been put offline.
Figure 232: Profile Details Dialog Box
The Profile Details dialog box provides the following details:
Profile Name: Name of the profile.
State: State of the profile on the device. Shows whether the profile is enabled or disabled.
Profile type: Indicates whether the profile is a Ridgeline profile or not.
Last Modified on device: Shows the time at which the profile was last modified on the device.
Status: Shows the Ridgeline status of the profile.
Description: This is the description you have added in the script for this profile.
Creation of VLAN for VOIP Installation
The VLAN name to create
IP Address of the VLAN/Netmask
The Ports to add to this vlan.
VLAN Tag
DHCP Address Range - Starting IP to allocate
DHCP Address Range - Ending IP to allocate
Lease Timer (secs) - Default 7200 seconds
DHCP Gateway
Profile configuration on device
Trigger Events: Shows the trigger events configured in the profile. If the event is bound to a timer, the details are displayed here. If the trigger event for the profile is a log message, the EMS filter associated with the profile is displayed here.
Ports: Shows the ports to which the trigger events are bound.
Time when Universal Port Manager Information was last updated
Device last reached: Shows the time at which Ridgeline reached the device last time.
Last Attempt to reach device: Shows the time at which Ridgeline tried to reach the device.
Note: In Ridgeline, the Timer details always show the time interval and the time at which the profile was first executed. However, on the switch, the show upm timer command shows the time interval and the time when the profile is scheduled to be executed next.
Use the Overview and Script View tabs (see the following figure) to switch between the script variables and the script. Click Save As to save the profile in Ridgeline. The View Diff button is active only if the deployed profile is different from the one saved in Ridgeline. The Run button is active only when the profile is enabled on the device. Use the search bar at the end of the script view to find or highlight text in the script.
Figure 233: Script View Tab
If information is unavailable in the Profile Details dialog box, click Update All.
1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, find the profile using the filters (for information about using filters, see Group Filters and Quick Filters on page 374).
3 Select the profile from the Filtered Profiles On HTTP-Reachable Devices list, and then click Save As. The Save Profile As dialog box appears (see the following figure):
Figure 234: Save Profile As Dialog Box
4 Type version information in the Profile version box, and then click Save.
Note: The profile name cannot contain special characters or spaces. The profile version can contain spaces.
The profile is saved in Ridgeline and is available on the Managed Profiles tab.
3 Select the profile from the Filtered Profiles On HTTP-Reachable Devices list, and then click Save As. The Save Profile As dialog box appears (see the following figure).
Figure 235: Save Profile As Dialog Box
4 Click Export to.
5 Type or browse to the location where you want to save the profile, and then click Save.
The profile is saved to the selected location.
3 Select the profile from the Filtered Profiles On HTTP-Reachable Devices list, and then click Run. The Run Profile dialog box appears (see the following figure).
Figure 236: Run Profile Dialog Box
4 In the Testing Events tab, in the Trigger Events list, select the Trigger Events. You can review the profile using the Overview and ScriptView tabs.
5 If needed, enter the values for the variables. Ridgeline lists any variables that are used in the profile and that are meaningful for the selected event.
6 Click Run. The Test Results area displays the result.
Note: When a profile runs on the selected device, all operations in the profile script are executed on the test device. No rollback is performed at the end of the session or when you close the Run Profile dialog box.
The following figure shows the results of a successful run:
Figure 237: Run Profile Dialog Box with a Successful Run
The following figure shows the results of a failed run attempt:
Figure 238: Run Profile Dialog Box with a Failed Run Attempt
1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, click Update All. The Ridgeline server obtains the profiles on the network to update the Ridgeline database. After you start the manual update, going to other functions in Ridgeline does not stop the update action.
3 To view the results of the update, click View Results. The Update View Results dialog box appears (see the following figure).
The results are stored until you exit the Ridgeline client or until they are overwritten by another update action.
Editing Profiles
You can edit the configuration details of a profile deployed on the network, unbind previous events, and bind new events. To edit the profile configuration:
1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, find the profile using the filters (for information about using filters, see Group Filters and Quick Filters on page 374).
3 Select the profile from the Filtered Profiles on HTTP Reachable Devices list, and then click Edit Configuration. The Edit Profile Configuration dialog box appears (see the following figure).
Figure 240: Edit Profile Configuration Dialog Box: Choose Type Tab
The trigger events configured for the profile are preselected. If you bind a profile to a USER-REQUEST event:
If the profile is disabled, the profile is not executed at the time of deployment.
If the profile is enabled, the profile will be executed at the time of deployment.
Note: If a profile is bound to a user request event, and the profile is disabled, you should enable the profile from the Network Profiles tab and then click Run to run the script. The Run button is active only if the switch is HTTP reachable, and the profile is available on the switch.
If you select User Request or a timer event as the trigger event, the Deploy Type tab appears (see the following figure). For critical details on timer events, see Profile Trigger Events.
4 If needed, modify the trigger events, and then click Next. The Deploy Type tab appears with the ports on which the profile is already deployed (see the following figure).
Figure 241: Edit Profile Configuration Dialog Box: Deploy Type Tab
5 If needed, select new ports on which you want to deploy the profile. The Selected Ports table displays the updated ports list.
6 Click Next. The Verify tab appears (see the following figure).
7 Review the deployment details, and then click Next. The Validation tab appears with the validation results (see the following figure). For the details about profile validation, see Using the Profile Deployment Wizard.
Figure 243: Edit Profile Configuration Dialog Box: Validation Tab
8 Review the validation results, and then click Next. The Deploy tab appears with the results (see the following figure).
Figure 244: Edit Profile Configuration Dialog Box: Deploy Tab
9 Click Finish.
Import Delete
Click a profile in the Filtered Profiles table. The Devices Deployed To table displays the following details:
Table 19: Columns in the Devices Deployed To Table
Column: Description
Device Name: Name of the device to which the profile was deployed.
IP Address: IP address of the device to which the profile was deployed.
Profile Name: Name of the profile.
Ridgeline Profile Status: The icon indicates the Ridgeline status of the profile on the device. Status of the Ridgeline profile on the device.
  Different than deployed: The profile on the device is different from the one deployed by Ridgeline.
  Same as deployed: The profile on the device is the same as the one deployed by Ridgeline.
  Missing: The profile deployed by Ridgeline is missing from the device.
Ability to Reach Device: Indicates whether the device is reachable using HTTP.
Last Attempt to Reach Device: The time at which Ridgeline tried to reach the device. For example: Mar 12, 2007 03:24 PM PDT.
Device Last Reached: The time at which the device was last reached. For example: Mar 12, 2007 03:24 PM PDT. This may be different from Last Attempt to Reach Device.
Figure 246: Save Profile As Dialog Box
5 To rename the profile, change the name in the Profile Name box.
Note: The profile name should not contain special characters or spaces. The profile version may contain spaces.
To save the profile as a new version, change the version information in the Profile Version box.
6 Click OK. The profile is saved with the new name or version.
1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Click Import. The Import Profile dialog box appears (see the following figure).
Figure 247: Import Profile Dialog Box
Profiles imported are managed by Ridgeline. You can display information about the imported profiles using the Managed Profiles tab.
Note: The profile name cannot contain special characters or spaces. The profile version may contain spaces.
Figure 248: Save Profile As Dialog Box
4 Click Export To.
5 Type the location of the directory, or browse to it, where you want to save the profile.
6 Click OK. The profile is exported from Ridgeline and saved in the directory you specified.
3 Click New. The New profile dialog box appears (see the following figure).
4 Click the Script View tab to open the script editor (see the following figure).
Figure 250: New Profile Dialog Box (Script Editor)
By default, the script editor contains the following metadata content:
    # @MetaDataStart
    # @ScriptDescription Default profile description.
    # @MetaDataEnd
5 Type ExtremeXOS commands after the metadata. A simple profile can even contain a single ExtremeXOS command, such as:
    create vlan voice
6 Click Save. The Save Profile As dialog box appears.
7 Type a name and version for the new profile, and then click OK.
8 Define a variable and use it to make the command easier to use. For example:
    set var vlanName voice-gen_tel
    create vlan $vlanName
Note: The vlanName variable in the set variable line does not contain $. But when you use the variable, you need to add $ before it.
The script is now more reusable. If you refer to the newly defined variable $vlanName wherever the VLAN name is needed in the script, the same script can be used to create other VLANs by simply changing the variable value voice-gen_tel to your new VLAN, like voice-gen_tel2. For example, if you also add ports to VLAN voice-gen_tel:
    set var vlanName voice-gen_tel
    create vlan $vlanName
    conf vlan $vlanName tag $vlanTag
    conf vlan $vlanName ipaddress $vlanIP
    conf vlan $vlanName add ports $portsValue
If you want to change the VLAN voice-gen_tel to voice-gen_tel2, you only need to change the line set var vlanName voice-gen_tel to set var vlanName voice-gen_tel2, without changing it anywhere else.
9 Move the vlanName variable definition to the Ridgeline UPM metadata section and provide a user-friendly description. This section starts with # @MetaDataStart and ends with # @MetaDataEnd.
    # @MetaDataStart
    # @ScriptDescription "Creation of VLAN for VOIP Installation"
    # @VariableFieldLabel "The VLAN name to create"
    set var vlanName voice-gen_tel
    # @MetaDataEnd
    create vlan $vlanName
    conf vlan $vlanName tag $vlanTag
    conf vlan $vlanName ipaddress $vlanIP
    conf vlan $vlanName add ports $portsValue
The variable now appears on the Overview tab (see the following figure).
Figure 251: New Profile Dialog Box: Overview Tab with Variable Control
The following profile contains the full content of a profile that can be used to create a VLAN when provisioning switches for the VoIP script pre-packaged with Ridgeline.
Note: Since this profile is intended to be run on a switch only once, it should be bound to a USER-REQUEST event.
    # @MetaDataStart
    # @ScriptDescription "Creation of VLAN for VOIP Installation"
    # @VariableFieldLabel "The VLAN name to create"
    set var vlanName voice-gen_tel
    # @VariableFieldLabel "IP Address of the VLAN/NetMask"
    set var vlanIP xxx.xxx.xxx.xxx/xx
    # @VariableFieldLabel "The Ports to add to this vlan. Use 1, 2, 3, 5-6 format"
    set var portsValue xx
    # @VariableFieldLabel "VLAN Tag"
    set var vlanTag xx
    # @VariableFieldLabel "DHCP Address Range - Starting IP to allocate"
    set var dhcpStartAddr xxx.xxx.xxx.xxx
    # @VariableFieldLabel "DHCP Address Range - Ending IP to allocate"
    set var dhcpEndAddr xxx.xxx.xxx.xxx
    # @VariableFieldLabel "Lease Timer (secs) - Default 7200 seconds"
    set var dhcpLeaseTimer 7200
    # @VariableFieldLabel "DHCP Gateway"
    set var gateway xxx.xxx.xxx.xxx
    # @MetaDataEnd
Ridgeline 4.0 Service Pack 1 Reference Guide
Figure 252: New Profile Dialog Box: Overview Tab with Variable Control
You can update the variables using the Overview tab. To edit the script or add metadata, use the Script View tab.
4 Click Save to save the changes or click Save As to save the profile with a different name or version.
The metadata is case insensitive. You can use # @MetaDataStart or # @METADATASTART. Do not leave a space between @ and the metadata tags.
Note: The metadata information is commented out using the # mark and is not recognized by ExtremeXOS. Ridgeline can manage a profile without metadata. If you do not use the metadata, UPM will not create the page where you can modify the variables.
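The metadata rules above can be checked mechanically before a profile is imported or deployed. The following linter is an added example, not part of Ridgeline or ExtremeXOS; the function name parse_profile, its runtime_vars parameter, and the sample text (the step 9 script laid out one command per line) are assumptions made for illustration.

```python
import re

# "# @Tag argument" lines; tag names are compared case-insensitively.
TAG_RE = re.compile(r"^#\s*@(\w+)\s*(.*)$")
# A space between "@" and the tag name is not allowed, so report it.
SPACED_TAG_RE = re.compile(r"^#\s*@\s+\w")
SET_VAR_RE = re.compile(r"^set\s+var\s+(\w+)\s*(.*)$", re.IGNORECASE)
VAR_USE_RE = re.compile(r"\$(\w+)")
# Template placeholders such as "xx" or "xxx.xxx.xxx.xxx/xx".
PLACEHOLDER_RE = re.compile(r"^x+(?:[./]x+)*$", re.IGNORECASE)

# Constructed sample: the step 9 script from the guide, one command per line.
STEP9_PROFILE = '''\
# @MetaDataStart
# @ScriptDescription "Creation of VLAN for VOIP Installation"
# @VariableFieldLabel "The VLAN name to create"
set var vlanName voice-gen_tel
# @MetaDataEnd
create vlan $vlanName
conf vlan $vlanName tag $vlanTag
conf vlan $vlanName ipaddress $vlanIP
conf vlan $vlanName add ports $portsValue
'''


def parse_profile(text, runtime_vars=frozenset()):
    """Parse a UPM profile into description, variables, body and problems.

    runtime_vars (hypothetical parameter) lists variable names the caller
    knows the switch supplies at run time, which need no 'set var'.
    """
    result = {"description": None, "variables": [], "body": [], "problems": []}
    problems = result["problems"]
    defined = set(runtime_vars)
    in_meta = False
    pending_label = None

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if SPACED_TAG_RE.match(line):
            problems.append(f"line {lineno}: space between '@' and the tag name")
            continue
        tag = TAG_RE.match(line)
        if tag:
            name = tag.group(1).lower()
            arg = tag.group(2).strip().strip('"')
            if name == "metadatastart":
                in_meta = True
            elif name == "metadataend":
                in_meta = False
                if pending_label is not None:
                    problems.append(
                        f"line {lineno}: label {pending_label!r} has no 'set var'")
                    pending_label = None
            elif name == "scriptdescription":
                result["description"] = arg
            elif name == "variablefieldlabel":
                pending_label = arg
            continue
        if line.startswith("#"):
            continue  # ordinary comment, ignored
        assignment = SET_VAR_RE.match(line)
        # For an assignment only the value can reference other variables.
        value = assignment.group(2).strip() if assignment else line
        for ref in VAR_USE_RE.findall(value):
            if ref not in defined:
                problems.append(f"line {lineno}: ${ref} is used before it is defined")
        if assignment:
            var = assignment.group(1)
            defined.add(var)
            if PLACEHOLDER_RE.match(value):
                problems.append(
                    f"line {lineno}: {var} still holds the placeholder {value!r}")
        if assignment and in_meta:
            # Metadata variables are the ones shown on the Overview tab.
            result["variables"].append(
                {"name": var, "value": value, "label": pending_label})
            pending_label = None
        else:
            result["body"].append(line)
    if in_meta:
        problems.append("metadata section is never closed with @MetaDataEnd")
    return result


if __name__ == "__main__":
    for problem in parse_profile(STEP9_PROFILE)["problems"]:
        print(problem)
```

Run against the step 9 script, it reports $vlanTag, $vlanIP and $portsValue as undefined, which is the gap the full profile closes by defining them in the metadata section.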
Profile Templates
Ridgeline includes some pre-defined profile templates. You can use the profile templates as baselines for creating new profiles. You can find the pre-defined profiles in Ridgeline in <Ridgeline_install_directory>\jboss\standalone\deployments\user.war\upm_profiles.
4 Click Test. The Test Profile wizard appears (see the following figure).
User Request: Select this to deploy the profile now. This selection does not allow you to bind the event to a port, and the Port Selection tab does not appear. If you bind a profile to a USER-REQUEST event, the profile is executed at the time of deployment, even if the profile is disabled in Ridgeline. If a network profile is bound to a user request event and the profile is disabled, to run the profile again, you should enable the profile from the Network Profiles tab, and then click Run to run the script.
Other Trigger Events: Select the other trigger events you want to configure for the profile.
6 Click Next. The Test Profile tab appears.
7 Select how you want to pick the device to test the profile on:
Devices: Through the full list of devices
Device Groups: Through device groups
8 Click Next. The Select Devices tab appears.
9 Select a device to test the profile by clicking its check box.
10 Click Next. The Verify tab appears.
11 Verify your selections, and then click Next. The Validation tab appears. If the profile passes validation, a green check mark appears under Validation Results.
12 If desired, type any comments you want to appear in the audit log in the Comments box.
13 Click Next. The Test Profile wizard final page appears (see the following figure).
Figure 254: Test Profile Wizard Final Page
14 Click Save an. The profile is saved to the server, deployed to the device, and tested. The results of these actions appear under Test results.
15 Click Close.
Figure 255: Trigger Events Page
This page contains the following configuration items:
Click Next to open the search devices page.
Figure 256: Search for Devices Page
The search devices page offers the following search types:
Devices: Select this to search individual devices on the network.
Device groups: Select this to search the devices based on the device groups you have defined in Ridgeline.
Port groups: Select this to search the devices based on the port groups you have defined in Ridgeline.
Click Next to open the Device Selection page. The device selection page:
Lists devices, if you have selected Devices in the previous page.
Lists device groups and devices, if you have selected Device groups in the previous page.
Lists port groups and devices, if you have selected Port Groups in the previous page. All ports in the selected port group will be preselected.
Incompatible devices are grayed out. Incompatible devices are devices that are running ExtremeWare or ExtremeXOS versions earlier than 12.0, or Summit X150 series devices. You can select devices that are down, offline, or unreachable at the time of device selection, but you will not be able to deploy to these devices at the time of validation unless they are online and reachable.
Figure 257: Device Selection Page
Select the devices and then click Next to open the Ports Selection page. The ports selection page contains two tables. The Deploy to Ports table lists the devices and ports. After you select ports from this table, they are displayed in the Selected Ports table. You can select all ports in the device by selecting the check box near the device. To select individual ports, select the device check box, expand the port list tree, and then select individual ports from the tree. You can also use the Select All button to select all ports on the devices.
Figure 258: Ports Selection Page
If you select port groups, the ports in the selected port groups will be preselected. For the USER-REQUEST event and timer event, the ports are shown as N/A. After you select the ports, click Next to review the deployment information. The Deployment Information review page appears.
Figure 259: Deployment Information Review Page
The page provides details of the devices, the IP addresses of the devices, and the ports you have selected to deploy the profile.
If the information is correct, click Validate to validate the profile on the selected ports. The validation results page appears. During validation, the following things are done:
Ridgeline will update the details with the selected device.
Ridgeline checks whether a profile with the same name is already on the switch. If the profile is already on the switch, Ridgeline gives you an option to proceed with the selection. If you choose to proceed, Ridgeline will delete the profile on the switch first, then push the profile to the switch with the new bindings.
Ridgeline will make sure that no two profiles are bound to the same device events on the same port. For example: If Profile A is bound to port 1 for the event DEVICE-DETECTED, then you cannot bind Profile B to port 1 for the event DEVICE-DETECTED. But you can bind Profile B to port 1 for another event, DEVICE-UNDETECTED.
Figure 260: Validation Results Page
The results page displays the validation status and validation results. The following details appear in the Validation Results Table:
Name: Name of the device on which the profile was validated.
IP Address: IP Address of the device on which the profile was validated.
Ports: Ports on which the profile was validated.
Displays the result of the validation.
If the device already contains a profile with the same name, a check box appears in this column. Select the check box if you want to replace the profile.
If validation has issues, you can see the details in the Details field. Select a row in the table to view the details of the validation. If validation has issues, and you need to replace the profile in the device, a check box will appear in the Replace Existing Profiles column. Use Select All to select all the check boxes and use Clear All to clear all the check boxes. The Deployment Information section allows you to configure whether the profile should be enabled or disabled after the deployment. Select Enable profile on all devices to enable the profile on all the devices on which the profile is being deployed. You can also enter comments that appear in the Audit Log. Click Deploy to deploy the profile to the selected devices. The deployment results page appears with the status and result of the deployment.
Figure 261: Deployment Results
This page provides the following details:
Name: Name of the device on which the profile was deployed.
IP Address: IP address of the device on which the profile was deployed.
Ports on which the profile was deployed.
Displays the status and result of the deployment.
If the deployment fails on a device, a check box appears in this column. To deploy again, select the check box and click the deploy again button. You can use the Select All and Clear All buttons to select multiple devices to deploy the profile again.
Details: Select the device from the table to view the details of the deployment. If you have issues with the deployment, you can see the details in this field.
Click the Finish button to complete deploying the profile. If you have issues with the deployment, select the devices using the check boxes in the Deploy Again column and then click Deploy again. If you need to deploy to more than one device, use the Select All button to select all the check boxes. You will be taken to the Deployment Information Review Page. The following image shows the validation results page with errors:
Figure 262: Validation Results Page with Error
In this example, two devices contain profiles with the same name. Select the check boxes using the Select All button, then click the Deploy button to continue. The Details field shows the reason for the validation failure on the two devices.
1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Select the profile to deploy in the Filtered Profiles table.
4 Click Deploy. The Deploy Profile wizard appears (see the following figure).
User Request: Select this to deploy the profile now. This selection does not allow you to bind the event to a port and the Port Selection tab does not appear. If you bind a profile to a USER-REQUEST event, the profile is executed at the time of deployment, even if the profile is disabled in Ridgeline. If a network profile is bound to a user request event and the profile is disabled, to run the profile again, you should enable the profile from the Network Profiles tab, and then click Run to run the script.
Scheduled Time: Select this to set the time at which the profile should be run. This is the time for the ExtremeXOS Timer-AT event. For critical details about timer events, see Profile Trigger Events. The scheduled time event does not allow port binding. If you select this event, the Port Selection page does not appear. Enter the time in the At box and the date in the On box. To repeat, enter the time value in Continue Every and the time period in the box to the right (select Seconds, Minutes, Hours, Days, Weeks).
Other Trigger Events: Select the other trigger events you want to configure for the profile.
Note: If (required) appears next to a trigger event, it indicates that this event is referred to in the profile script. The event selection is, however, not enforced.
6 Click Next. The Choose Type tab appears.
7 Select how you want to pick the device to test the profile on:
Devices: Through the full list of devices
Device Groups: Through device groups
Port Groups: Through port groups
8 Click Next. The Deploy tab appears.
9 Select a device to test the profile by clicking its check box.
10 Click Next. The Verify tab appears.
11 Verify your selections, and then click Next. The Validation tab appears. If the profile passes validation, a green check mark appears under Validation Results. The results of the validation appear in the box in the middle of the wizard page.
12 If you are attempting to deploy one or more profiles to a device that already has a profile with the same name, you can choose to replace the existing profile. Select the desired profiles that you want to overwrite. In the Replace Existing Profile column, if you want to select all of the profiles, click Select All; if you want to de-select all profiles, click Clear All.
13 Set whether you want the profile enabled after being deployed, by clicking either Enable profile on all devices or Disable profile on all devices.
14 If desired, type any comments you want to appear in the audit log for this deployment of the profile in the Comments box.
15 Click Next. The Deploy tab appears. If the profile is deployed successfully, a green check mark appears under Deployment Results.
16 Click Finish.
DEVICE-UNDETECT
USER-AUTHENTICATED
USER-UNAUTHENTICATED
TIMER-AT
USER-REQUEST
LOG-MESSAGE
Common Variables
The following table shows the variables that are always available for use by any script. These variables are set up for use before a script or profile is executed.
Table 22: Common Variables
Variable Syntax: Definition
$STATUS: Status of last command execution.
$CLI.USER: User Name who is executing this CLI.
$CLI.SESSION_TYPE: Type of session of the user.
$EVENT.NAME: This is the event that triggered this profile. For a list of triggers, see Profile Trigger Events on page 408.
$EVENT.TIME: Time this event occurred. The time will be in seconds since epoch.
$EVENT.TIMER_TYPE: PERIODIC or NON_PERIODIC.
$EVENT.TIMER_NAME: Name of the timer that the Universal Port is invoking.
$EVENT.TIMER_DELTA: Time difference when the timer fired and when the actual shell was run in seconds.
$EVENT.PROFILE: Name of the profile that is being run currently.
$EVENT.DEVICE_MANUFACTURER_NAME: The manufacturer of the device.
$EVENT.DEVICE_MODEL_NAME: Model name of the device.
When a query is sent to Active Directory, it searches user attributes. Based on the LDAP attributes the switch receives, Identity Management places these attributes under a configured role. If they match those on the server, they are classified under the authenticated role. Identity Management classifies role attributes that cannot be identified as unauthenticated user-configured roles.
[Figure content: Employee (Company = Extreme, Priority 3); Engineer (Company = Extreme, Department = Eng, Priority 2); Sales (Company = Extreme, Department = Sales, Priority 1; can access customer information). The Sales role does not automatically inherit the Company match condition from Employee. Engineers will inherit "Can access intranet" and will also be able to access the development subnet.]
Figure 265: Roles and Policies
Policies
Routing protocol applications use policies to control the use of routing information on a switch. With Ridgeline you create policies which you can attach to roles. When you define policies, you can selectively permit (or deny) a set of routes based on their attributes for advertisements of the routing domain. The routing protocol application can modify routing information attributes based on policy statements. You attach a policy to a VM where you can enable tracking on a switch on which Identity Management is enabled.
Ridgeline supports two policy types:
Identity Management
VM mobility
Role Hierarchy
You can create roles in a hierarchy to reflect different organizational and functional structures. The following figure illustrates a typical role hierarchy.
[Figure content: Employees (Company == XYZCORP), with Policy 1: Allow common file shares and Policy 2: Allow access to time-sheet application; Sales; Managers; Engineers.]
Figure 266: Hierarchical Role Management Example
To create a role hierarchy, you define one or more roles as child roles derived from a parent role. Ridgeline supports a maximum of five levels. A parent role can have up to eight children but a child cannot have more than one parent. Multiple inheritances are not allowed. In a hierarchy, only policies are inherited, not the match criteria from parent roles. Below is a diagram of the role hierarchy.
[Diagram: a parent role with its children roles.]
Role Inheritance
Child roles inherit the policies of the parent role in the hierarchy. When an identity is assigned to a role, the policies and rules defined by that role and all higher roles in the hierarchy are applied.
When the parent role is deleted or when the parent-child relationship is deleted, the child role no longer inherits the parent role's policies, and those policies are immediately removed from all identities mapped to the child role. Since the maximum role hierarchy depth allowed is five levels, the maximum number of policies and dynamic ACLs that can be applied to a role is 40 (five role levels x eight policies/rules per role).
Note: The LDAP query can be disabled for specific types of netlogin users.
When the software makes the final determination of which default or user-configured role applies to the identity, the policies and rules configured for that role are applied to the port to which the identity is attached. This feature supports up to eight policies and dynamic ACL rules per role. The identity's IP address is used to apply the dynamic ACLs and policies. The dynamic ACLs or policies that are associated with roles should not have any source IP address specified because the Identity Management feature will dynamically insert the identity's IP address as the source IP address. When a dynamic ACL or policy is added to a role, it is immediately installed for all identities mapped to that role. Effective configuration of the dynamic ACLs and policies ensures that intruders are stopped at the port of entry on the edge switch, thereby increasing security and reducing noise in the network.
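The hierarchy limits and policy inheritance described above, modelled as an added example (not Ridgeline or ExtremeXOS code). `RoleTree` and its method names are hypothetical, and the policy names are constructed from the figures.

```python
MAX_LEVELS = 5      # "Ridgeline supports a maximum of five levels"
MAX_CHILDREN = 8    # "A parent role can have up to eight children"
MAX_POLICIES = 8    # "up to eight policies and dynamic ACL rules per role"


class HierarchyError(ValueError):
    """Raised when an operation would break one of the documented limits."""


class RoleTree:
    def __init__(self):
        self.parent = {}     # role name -> parent role name, or None
        self.policies = {}   # role name -> policies attached directly to it

    def add_role(self, name, policies=()):
        if name in self.parent:
            raise HierarchyError(f"role {name!r} already exists")
        if len(policies) > MAX_POLICIES:
            raise HierarchyError(f"{name!r}: more than {MAX_POLICIES} policies")
        self.parent[name] = None
        self.policies[name] = list(policies)

    def children(self, name):
        return [r for r, p in self.parent.items() if p == name]

    def lineage(self, name):
        """Return [name, parent, grandparent, ...] up to the root."""
        chain = []
        while name is not None:
            chain.append(name)
            name = self.parent[name]
        return chain

    def height(self, name):
        """Number of levels in the subtree rooted at name (a leaf is 1)."""
        return 1 + max((self.height(c) for c in self.children(name)), default=0)

    def attach(self, child, parent):
        """Make child a child role of parent, enforcing the documented limits."""
        if self.parent[child] is not None:
            raise HierarchyError(f"{child!r} already has a parent")
        if child in self.lineage(parent):
            raise HierarchyError("a role cannot be its own ancestor")
        if len(self.children(parent)) >= MAX_CHILDREN:
            raise HierarchyError(f"{parent!r} already has {MAX_CHILDREN} children")
        if len(self.lineage(parent)) + self.height(child) > MAX_LEVELS:
            raise HierarchyError(f"hierarchy would exceed {MAX_LEVELS} levels")
        self.parent[child] = parent

    def detach(self, child):
        """Delete the parent-child relationship; inherited policies go with it."""
        self.parent[child] = None

    def delete_role(self, name):
        """Delete a role; its children stop inheriting from it."""
        for c in self.children(name):
            self.parent[c] = None
        del self.parent[name], self.policies[name]

    def effective_policies(self, name):
        """Policies applied to an identity mapped to name: the role's own
        policies plus those of every higher role, listed root first."""
        result = []
        for role in reversed(self.lineage(name)):
            result.extend(self.policies[role])
        return result


def build_example():
    """Constructed sample based on the Employees hierarchy in the figures."""
    tree = RoleTree()
    tree.add_role("Employees", ["allow-common-file-shares", "allow-timesheet-app"])
    tree.add_role("Engineers", ["allow-development-subnet"])
    tree.add_role("Sales", ["allow-customer-info"])
    tree.attach("Engineers", "Employees")
    tree.attach("Sales", "Employees")
    return tree
```

Calling `effective_policies` before and after `detach` or `delete_role` shows which policies an identity loses when a parent link is removed, which is worth checking before restructuring roles on a live network.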
The following lists LDAP role match criteria you can assign to the switch:
Location
Company
Country
Department
Employee ID
State
Title
Email
If the Active Directory fails to respond when queried, the next configured Active Directory server is contacted. If successful, all further LDAP queries are sent to this LDAP server. All LDAP servers should be configured to synchronize the user information available in each of them.
2 The Network-Users Devices tab appears (see the following figure). Ridgeline lists the available devices and ports.
3 Click Enable User Monitoring. The Enable Monitoring Of Network-User Information wizard appears (see the following figure).
Figure 269: Enable Monitoring Of Network-User Information Wizard
Note: Devices that cannot be set up with identity management do not appear on the list. Devices must be up and reachable and running ExtremeXOS v12.6 or later.
4 To filter the list, type search terms in the search box or make a selection from the Device Group Selector list.
5 Under Enable monitoring on which devices?, select the check box(es) next to the desired device(s).
6 Click Add. Your selected devices appear in the Selected Devices table.
7 Click Next. The Enable Ports tab appears.
8 To choose ports:
Note: Uplink ports are automatically excluded.
For all of a device's ports, select the check box next to the device.
For individual ports, click the plus sign (+) next to the device, and then select the check boxes next to the desired ports.
Note: You must choose a minimum of one port on each device.
9 Click Next. The Connection Type tab appears.
10 In the Connection type list, select either http or https.
11 Click Next. The Results tab appears. Your monitored device(s) and port(s) appear in the Results pane.
12 Click Finish.
Disabling Monitoring
You can disable monitoring on selected edge switches. When you do this, all identity-related configurations are removed, including roles, LDAP settings, attached roles-policies, and any existing Black List and White List entries. Disabling monitoring on a switch does not remove the settings from the Ridgeline database; this allows you to reapply them later, if needed. To enable monitoring, see Enabling Monitoring on Devices and Ports on page 415.
To disable monitoring on a switch:
1 In the navigation pane, click Network User Devices.
2 On the Network-Users Devices tab, select the devices on which you want to disable monitoring by clicking their check boxes.
3 Click Disable User Monitoring.
4 When prompted, confirm the deletion.
3 On the Network-Users Devices tab, click Edit Ports. The Edit Ports of Network-Users devices dialog box appears (see the following figure).
Figure 270: Edit Ports of Network-Users Devices Dialog Box
4 On the Monitor Ports tab, make your revised selections for which ports to monitor. To select all ports for a device, click the check box next to the device; to select individual ports, click the plus sign (+) next to the device to display its individual ports.
5 Click Next. The Connection Type tab appears.
6 Select either HTTP or HTTPS as the protocol to use for user identity management.
7 Click Next. The Results tab appears, displaying the success or failure of your redeployment of monitoring on ports. Click a row in the Results table to see more details.
8 Click Finish.
3 Click Enable Role Access. The Enable Role-Based Access Control dialog box appears (see the following figure).
Figure 271: Enable Role-Based Access Control Dialog Box
4 On the Network-users Devices tab, select the device on which you want to enable role-based access control.
Note: Devices that are unavailable (grayed out) and not selected (checked) do not support this feature. Devices that are already selected (checked) have role-based access control already enabled.
5 To change the client IP address for communicating with the directory server(s):
To make changes, click Next. The Advanced Settings tab appears (see the following figure).
To skip making changes, go to Step 11.
Figure 272: Enable Role-Based Access Control Dialog Box: Advanced Settings Tab
6 Select the directory server to modify, by selecting its name in the Directory Server Name list.
7 Select a device to change the client IP address for by clicking its check box in the first table under Communicating with the Directory Server.
8 In the second table, select the client IP address that you want to change to.
9 Click Save.
10 Repeat Steps 6 through 9 as needed.
11 Click Finish.
12 You are warned that existing ID management configurations on the device will be lost. Click OK.
Creating Roles
You can configure role-based access control in Ridgeline. Start by defining a network user role (see Creating New Roles on page 422), which includes defining match criteria for users and groups of users that need to access information on the network. You also set priorities for these roles.
A role can:
Be independent of a parent or a child.
Have children.
Have only one parent.
2 On the Roles tab, click New Role. The New Role dialog box appears (see the following figure).
Figure 273: New Role Dialog Box
3 Type the role name and an optional description in the Name and Description boxes.
Note: A role name can have a maximum of 32 characters and can contain only alphabetic characters, hyphens, and underscores. All other special characters are invalid. A role name cannot have spaces, begin with a number, be assigned to an existing name, or be authenticated or unauthenticated.
4 Set a priority using the Priority slider.
5 If desired, set other role(s) as children to this role:
a Click Edit. The Edit Children roles dialog box appears.
b Select the desired roles to set as children by clicking their check boxes.
c Click OK. The children roles appear in the Child Roles box.
6 To set which devices and users get assigned this role, define match criteria for the role:
Note: If you want to create a role with the same or similar conditions of an already existing role, you can do this quickly by selecting the existing role from the Copy Conditions From list. The match conditions area displays the conditions of the selected role. You can edit these conditions if desired (see the following substeps) or skip to Step 7.
b Choose the operator in the middle column: Equals, Not Equals, Contains.
c Type a value for the match criteria in the third column.
d To add additional match conditions, click Add. A new row appears. Repeat Step 5.
Note: You can add a maximum of 16 conditions.
Note: To remove a match condition, click next to the match condition.
7 Click OK. The list under the Roles tab displays the new role.
3 Click New Child Role. The Create Child Role dialog box appears (see the following figure).
Figure 274: Create Child Role Dialog Box
In Parent Role, the selected role parent appears (see figure).
4 Type the role name and an optional description in the Name and Description boxes.
Note: A role name can have a maximum of 32 characters and can contain only alphabetic characters, hyphens, and underscores. All other special characters are invalid. A role name cannot have spaces, begin with a number, be assigned to an existing name, or be authenticated or unauthenticated.
5 Set a priority using the Priority slider.
6 If desired, set other role(s) as children to this role:
a Click Edit. The Edit Children roles dialog box appears.
b Select the desired roles to set as children by clicking their check boxes.
c Click OK. The children roles appear in the Child Roles box.
7 To set which devices and users get assigned this role, define match criteria for the role. You can manually define these conditions or you can copy them:
From the parent role: Select the Inherit Parent Criteria check box.
From other roles: Select a role from the Copy Conditions From list.
The match conditions area displays the conditions from the selected role. You can edit these conditions if desired (see the following substeps) or skip to Step 8.
b Choose the operator in the middle column: Equals, Not Equals, Contains.
c Type a value for the match criteria in the third column.
d To add additional match conditions, click Add. A new row appears. Repeat Step 5.
Note: You can add a maximum of 16 conditions. To remove a match condition, click next to the match condition.
8 Click OK. The list under the Roles tab displays the new role.
To create an LLDP role:
1 Follow the procedure for either creating a role (see Creating New Roles on page 422) or creating a child role (see Creating Child Roles on page 424).
2 Select one or more of the LLDP attributes in the match conditions area listed in the table above.
3 Click OK.
Identity management checks with the directory server to verify that the username attribute is a valid User Name.
To create a user-defined role:
1 Follow the procedure for either creating a role (see Creating New Roles on page 422) or creating a child role (see Creating Child Roles on page 424).
2 Select one or more of the user-defined attributes in the match conditions area listed in the table above.
3 Click OK.
Deleting Roles
When you delete a role definition, the changes are attached on all switches enabled with Identity Management.
To delete a role:
1 In the navigation pane, click Roles.
2 On the Roles tab, select the desired role to delete by clicking its check box.
3 Click Delete.
4 When prompted to confirm the deletion, click Yes.
Editing Roles
You can edit role parameters and priority for parent-child relationships. Editing a role automatically attaches it to the corresponding updated roles for all the switches that are enabled with Identity Management. You can change a parent role to that of a child role or move an existing child role to a different existing parent role.
To edit a role:
1 In the navigation pane, click Roles.
2 On the Roles tab, select a role to edit by clicking its check box.
3 Click Edit Role. The Edit roles dialog box appears (see the following figure).
Figure 275: Edit Roles Dialog
4 You can change the following:
Select a different parent role from the Parent Role list.
To select different children roles, click Edit. The Edit children roles dialog box appears. Select different child roles, and then click OK.
Set a different priority by moving the Priority slider.
5 Click OK.
Viewing Roles
To view created roles:
1 In the navigation pane, click the Roles tab.
2 Click the Roles tab. The existing roles appear in a hierarchy (see the following figure). Parent roles have plus signs (+) next to them that you can click to show their child roles.
For each role the following information is shown:
Name: The role's name.
Priority: The priority assigned to the role. Priorities can have values from 1 to 255. One (1) is the highest priority. The priority of the role determines the role to which a user is mapped. The default priority is 255. A device is assigned the lesser priority role value whenever there is a conflict. If both roles have equal priority or the default priority, the last role created is assigned the higher priority.
Attached: Whether or not the role is attached.
For a selected role, detailed information appears in the details pane (see Viewing Role Details on page 430).
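An added example (not Ridgeline or ExtremeXOS code) that works through the priority rules above together with the Equals, Not Equals and Contains operators from the role dialog. It assumes all of a role's conditions must hold and that a condition on an attribute the directory did not return fails; `Role`, `resolve_role` and `figure_roles` are hypothetical names, and the sample roles are constructed from the Employee/Engineer/Sales figure.

```python
from dataclasses import dataclass, field
from itertools import count

DEFAULT_PRIORITY = 255     # page: the default priority is 255
MAX_CONDITIONS = 16        # page: a maximum of 16 match conditions
_creation_order = count()  # roles created later get a larger number

# The three operators offered in the role dialog.
OPERATORS = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equals": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted in actual,
}


@dataclass
class Role:
    name: str
    conditions: list                   # [(attribute, operator, value), ...]
    priority: int = DEFAULT_PRIORITY   # 1 is the highest priority
    created: int = field(default_factory=lambda: next(_creation_order))

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be between 1 and 255")
        if len(self.conditions) > MAX_CONDITIONS:
            raise ValueError(f"more than {MAX_CONDITIONS} match conditions")
        for _attr, op, _value in self.conditions:
            if op not in OPERATORS:
                raise ValueError(f"unknown operator {op!r}")

    def matches(self, attrs):
        # Assumptions: conditions are ANDed, a role without conditions
        # matches nobody, and a missing attribute fails its condition.
        if not self.conditions:
            return False
        return all(attr in attrs and OPERATORS[op](attrs[attr], wanted)
                   for attr, op, wanted in self.conditions)


def resolve_role(roles, attrs):
    """Return the name of the role an identity maps to, or None when no
    user-configured role matches (the default roles are not modelled)."""
    matching = [r for r in roles if r.matches(attrs)]
    if not matching:
        return None
    # Lowest priority number wins; on a tie the role created last wins.
    return min(matching, key=lambda r: (r.priority, -r.created)).name


def figure_roles(sales_repeats_company=True):
    """Constructed roles based on the Employee/Engineer/Sales figure."""
    sales = [("Department", "Equals", "Sales")]
    if sales_repeats_company:
        sales.insert(0, ("Company", "Equals", "Extreme"))
    return [
        Role("Employee", [("Company", "Equals", "Extreme")], priority=3),
        Role("Engineer", [("Company", "Equals", "Extreme"),
                          ("Department", "Equals", "Eng")], priority=2),
        Role("Sales", sales, priority=1),
    ]
```

With `sales_repeats_company=False` the Sales role matches any identity whose Department is Sales, whatever its Company, because match criteria are not inherited from a parent role.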
3 Click Attach to Role. The Attach Policies To Roles dialog box appears (see the following figure).
Figure 278: Attach Policies To Roles Dialog Box: Attach Policies Tab
4 Select a role from the Role Name list.
5 Move policies from the Available Policies pane to the Selected Policies pane.
6 Click Next. The Results tab appears (see the following figure).
Figure 279: Attach Policies To Roles Dialog Box: Results Tab
7 View the results, and then click Finish. The policy appears in the policy list as attached (Attached column value is Attached).
The following LDAP Client configurations are optional on the switch:
Client IP address: VLAN IP address through which the switch can connect to LDAP servers
Client VR: Virtual routers through which the switch can connect to an LDAP server
Although these settings are optional, you can override them.
With multiple LDAP server configurations, EXOS selects the active LDAP server based on the following logic: The first configured server is initially contacted and marked as the Active server. If this server times out, the second server is contacted. If the connection succeeds, the second server is marked Active and all further LDAP requests are sent to the second server, and so on.
Configuring LDAP server settings internally deploys the settings to all Identity Management enabled switches. If you add LDAP server settings without Identity Management enabled switches, Ridgeline uses the configured server settings for deployment when you later enable Identity Management.
3 Click New. The New Directory Server dialog box appears (see the following figure).
Figure 281: New Directory Server Dialog Box
4 Choose how to add servers:
To select from a list of existing servers, click I want to select from servers discovered in the network (see first figure).
To provide the information about a server yourself, click I want to provide the server details (see second figure).
5 Click Next. The Add Server tab appears (see the following figures). The tab appears differently depending on your selection in Step 4.
Figure 282: New Directory Server Dialog Box: Add Servers Tab (Select Server)
Figure 283: New Directory Server Dialog Box: Add Servers Tab (Provide Server Information)
6 If you want to select a server, select a server in the list by clicking its check box and select the security mechanism by making a selection from the Security Mechanism list.
Note: If you need to change the server name or security mechanism, make the desired changes, and then click Save.
7 If you want to provide server details for an existing server, enter the details of the server, including the server name, IP address or DNS name, Port number, and security mechanism.
8 Click Next. The Results tab appears showing the success or failure of adding the directory server.
ACL-source-address type for role-based-access-control devices (see Changing ACL-SourceAddress Type on page 437)
Kerberos age-out times (see Changing Kerberos-Age-Out-Time Settings on page 438)
Access Global settings from the Global Settings tab under Network User Devices in the navigation pane (see the following figure).
Figure 285: Edit Directory-Server Settings Dialog Box
4 Change the Base DN if desired.
5 Type a different name in the Username box if desired.
6 Type a new password and re-enter it in the Password and Confirm Password boxes.
7 Click OK to apply the changes to the directory server.
1 In the navigation pane, click Network User Devices.
2 Click the Global Settings tab.
3 Click ACL Source-Address Type. The Edit ACL Source Address Type dialog box appears (see the following figure).
Figure 286: Edit ACL Source Address Type Dialog Box
4 Under ACL Type, select:
IP: Choose this if you have devices running ExtremeXOS 12.5, or 12.6, or both.
MAC: Choose this if all role-based-access-control devices are running ExtremeXOS 12.6. If the devices do not meet the criterion, this option is unavailable.
5 Click OK.
Figure 287: Edit Kerberos Time Settings Dialog Box
4 Set the duration of the age-out timer by typing a value in Aging Time. This timer controls when all inactive users are deleted from the device.
5 For Force-Aging Time (the amount of time after which all users, active and inactive, are deleted from the device), choose one of the following:
Never: No time limit.
In: Type the time limit in the Minutes box.
The range for both aging time and force aging time is 1 to 65535 minutes.
6 Click OK.
Active Identities
Active Identities lists all of the users and devices connected to the switches that have Identity Management enabled and are being monitored by Ridgeline. To view active and inactive users, in the navigation pane, click Active Identities. Active Identities has two tabs:
Active Users and Threats: Lists the currently active users (see Active Users and Threats Tab on page 439).
Inactive and Active Users: Lists the inactive users, the users that have disconnected from the monitored switches, and users who failed authorization (see Inactive and Active Users Tab on page 440).
Active Users and Threats Tab
The following figure shows the Active users and threats tab under Active Identities.
Figure 288: Active Users and Threats Tab
The Active Users and Threats tab shows the following information.
Security Threat: Shows the worst threat state that corresponds to the identity. Threats are indicated as protection unsuccessful, protection successful, or undo protection successful; the identity threat icon changes to reflect the new threat state.
User Name: The login name of the human user, or None if it is a device user, along with an icon indicating the status of the user. The status icon indicates one of the following:
The user is active.
The last known status of the user is active.
The user was unable to log into the network.
The user is inactive.
Ridgeline has stopped monitoring the switch where the user is connected.
Role to which the user is attached. For XOS devices running 12.4 or earlier, the Role shows Unknown. Date and time the user logged on to the network. If the switch is running ExtremeXOS 12.3 or earlier, no information is shown and the switch cannot be added to the monitoring list. The port number on the switch where the user connected to the network. The MAC address of the user. The IP address of the switch where the user connected to the network. The IP address assigned to the user. NetBIOS host name. This information is filled only for users identified through Kerberos. For others, it will display N/A. Date and time the user attempted to log in and encountered an authentication failure. If authentication did not fail for the user, this is N/A. Status of the user. This can be one of the following: active, inactive, last known: active, failed log on, inactive user, or stopped monitoring. The name and status of the switch where the user connected to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable. Type of user, either Human or Device. The name of the port where the user connected to the network. The device groups the user belongs to, if any. Date and time when information about the user was last received by Ridgeline. The last time Ridgeline polled for information about the user, whether successful or not.
Port Number User's MAC Address Device IP Address User's IP Address Host Name Authentication Method Status Device Name User Type Port Name Member Of Last Updated Last Attempt To Update
Inactive and Active Users Tab
The following figure shows the Inactive and Active Users tab under Active Identities.
Figure 289: Inactive and Active Users Tab
The Inactive and Active Users tab shows the users and devices that are currently logged on, as well as historical information about users and devices that are no longer connected.
Security Threat: Shows the worst threat state that corresponds to the identity. Threats are indicated as protection unsuccessful, protection successful, or undo protection successful; the identity threat icon changes to reflect the new threat state.
User Name: The login name of the human user, or None if it is a device user, along with an icon indicating the status of the user. The status icon indicates one of the following:
The user is active.
The last known status of the user is active.
The user was unable to log into the network.
The user is inactive.
Ridgeline has stopped monitoring the switch where the user is connected.
Role: Role to which the user is attached. For XOS devices running 12.4 or earlier, the Role shows Unknown.
Log On Time: Date and time the user logged on to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable.
Port Number: Port number on the switch where the user connected to the network.
User's MAC Address: MAC address of the user.
Device IP Address: IP address of the switch where the user connected to the network.
User's IP Address: IP address assigned to the user.
Host Name: NetBIOS host name. This information is filled only for users identified through Kerberos. For others, it will display N/A.
Status: Status of the user. This can be one of the following: active, inactive, last known: active, failed log on, inactive user, or stopped monitoring.
Authentication Failed: Date and time the user attempted to log in and encountered an authentication failure. If authentication did not fail for the user, this is N/A.
Log Off Time: Date and time the user logged off.
User Type: Type of user, either Human or Device.
Authentication Method: Authentication method used to gain access to the network.
Detected by Kerberos: Whether Kerberos snooping was used to obtain information about the user.
Domain Name: The domain of the user. If the user was detected by Kerberos, then this is N/A.
Device Name: Name and status of the switch where the user connected to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable.
Port Name: Name of the port where the user connected to the network.
Last attempt to Update: Last time Ridgeline polled for information about the user, whether successful or not.
Member Of: The device groups the user belongs to, if any.
Last Updated: Date and time when information about the user was last received by Ridgeline.
Displaying Network User Details
To display details about a specific user or device, under Active Identities, click a row in the table. Information about the selected user or device appears in the details pane. If you double-click the row, the user or device details appear in a separate window (see the following figure).
Figure 290: Network User Details Window
The Details window shows the following information:
Security Threat: Shows the worst threat state that corresponds to the identity. Threats are indicated as protection unsuccessful, protection successful, or undo protection successful; the identity threat icon changes to reflect the new threat state.
User Name: The login name of the human user, or None if it is a device user, along with an icon indicating the status of the user. The status icon indicates one of the following:
The user is active.
The last known status of the user is active.
The user was unable to log into the network.
The user is inactive.
Ridgeline has stopped monitoring the switch where the user is connected.
Role to which the user is attached. For XOS devices running 12.4 or earlier, the Role shows Unknown.
Status of the user. This can be one of the following: active, inactive, last known: active, failed log on, inactive user, or stopped monitoring.
Date and time the user logged on to the network.
Date and time the user attempted to log in and encountered an authentication failure. If authentication did not fail for the user, this is N/A.
Date and time the user logged out of the network. If the user is currently logged in, this is N/A. If Ridgeline was not monitoring the switch when the user logged out, then this is Unknown.
User's MAC Address: The MAC address of the user.
Authentication Method: The authentication method used to gain access to the network.
Detected by Kerberos: Whether Kerberos snooping was used to obtain information about the user.
Domain Name: The domain of the user. If the user was detected by Kerberos, then this is N/A.
Device Name: The name and status of the switch where the user connected to the network.
Device IP Address: The IP address of the switch where the user connected to the network.
Port Number: The port number on the switch where the user connected to the network.
Port Name: The name of the port where the user connected to the network.
Last Updated: Date and time when information about the user was last received by Ridgeline.
Last Attempt to Update: The last time Ridgeline polled for information about the user, whether successful or not.
Member Of: The device groups the user belongs to, if any.
User Type: Type of user, either Human or Device.
Device Type
Device Status
Host Name: NetBIOS host name. This information is filled only for users identified through Kerberos. For others, it will display N/A.
LLDP Capability: The LLDP capability of the device user. This can be one of the following: Avaya phone, General telephone, Router, Bridge, Repeater, WLAN access point, DOCSIS cable service, Station only, or Other.
The window also includes the following information about the VLAN(s) that the user is part of:
VLAN Tag: The VLAN tag value (if any) or Untagged.
VLAN Name: The VLAN name.
User's IP address: The IP address assigned to the user on the VLAN.
Figure 291: Ridgeline Reports For additional information about reports, refer to Ridgeline Reports.
Security Overview
Network security is one of the most important aspects of any enterprise-class network. Security provides authentication and authorization for both access to the network and management access to the network devices. Network administrators must protect their networks from unauthorized external access as well as from internal access to sensitive company information. Extreme Networks products incorporate multiple security features, such as IP access control lists (ACLs) and virtual LANs (VLANs), to protect enterprise networks from unauthorized access. Ridgeline provides multiple features that control and monitor the security features on Extreme Networks products. Using Ridgeline, you can set up VLANs (see Creating VLANs on page 123), and monitor security aspects of your network (see Using the Network Security Manager on page 446).
Finally, you can secure the communication between Ridgeline clients and the Ridgeline server itself by using SSH (HTTPS) instead of the standard HTTP protocol, which is the default.
Exploit attack, DoS attack, Reconnaissance attack, or Policy violation, based on the value of the VARBIND ivAlertCategory
ivPortScanAlert
ivHostSweepAlert ivSignatureAlertIPPairBased
Exploit attack, DoS attack, Reconnaissance attack, or Policy violation, based on the value of the VARBIND ivAlertCategory
ivFileAVAlert
Virus Attack
Predefined Alarms in Ridgeline
The following predefined alarms are supported by Ridgeline:
S number | Alarm Name | Purpose
1 | Port Scan Alert | To indicate a port scan attack.
2 | Port Scan Alert Cleared | Alarm indicates port scan attack cleared.
3 | Host Sweep Alert | To indicate host sweep attack.
4 | Host Sweep Alert Cleared | Alarm indicates host sweep attack cleared.
5 | Exploit Alert | To indicate Exploit attack.
6 | Exploit Alert Cleared | Alarm indicates Exploit alert cleared.
7 | DoSandDDoS Alert | To indicate DoS and DDoS Attack.
8 | DoSandDDoS Alert Cleared | DoS and DDoS Attack cleared.
9 | Reconnaissance Alert | Alarm for Reconnaissance attack.
10 | Reconnaissance Alert Cleared | Reconnaissance attack cleared.
11 | Policy Violation Alert | Policy violation attack.
12 | Policy Violation Alert Cleared | Policy violation attack is cleared.
13 | Virus Alert | Virus attack related alert.
14 | Virus Alert Cleared | Virus alert cleared.
Enabling and Disabling Threat Traps
You enable and disable threat traps by using Ridgeline's Alarm Manager (see Overview of the Ridgeline Alarm Manager on page 237).
Ridgeline Protective Actions
The Alarm Manager triggers the execution of predefined scripts to take protective action and notify the Security Manager. Protective action also records inactive users. If an inactive user has more than one record, the latest record is valid.
Recognizing Network Security Threats
Any time an identity is associated with a threat, Ridgeline's Identity Management feature displays icons that indicate the severity of the threat, rogue users, port number, IP addresses, and other pertinent information. To access information about threats, in the navigation pane, click Active Identities, and then click the Active Users and Threats tab (see the figure below). The Security Threat column displays an icon for each identity associated with a threat state. Threat icons are different colors that indicate the nature of the threat:
Cleared No threat New threat Protection unsuccessful Undo protection unsuccessful Protection successful
The Security Threat column shows the security threat state that corresponds to the identity. When threats are indicated as protection unsuccessful, protection successful, or undo protection successful, the Identity Management Users table identity threat icon changes to reflect the new state. The state undo protection successful automatically changes to cleared state when undo protection is successful. Ridgeline monitors the network service providers to retrieve current threat status. If errors occur during enforcement or during conditions where the threat no longer exists, but continues to be reported by the Network Security Manager, you can remove actions using the undo protection action (see Triggering the Undo Protection Action on page 449) or clearing the threat (see Clearing a Threat on page 450).
You can also view the inactive and active users table by clicking the Inactive and Active Users tab (see the following figure).
Figure 293: Inactive and Active Users Tab
Triggering the Undo Protection Action
Note: Undo protection is only available for threats in the Protection successful state.
1 In the navigation pane, click Active Identities.
2 Click the Active Users and Threats tab.
3 Double-click a threat record from the table with Security Threat as Protection successful. The Active Users and Threats Details Window appears (see the following figure).
Figure 294: Active Users and Threats Details Window
4 On the menu, click Edit > Undo protection. This raises a new threat cleared alarm, changing the threat state to Cleared. If undo protection action is unsuccessful, manually remove the deployed ACLs from the switch. Ridgeline does not automatically remove the deployed ACLs.
5 Click File > Close to close the window.
Clearing a Threat
Note: You can manually clear a threat only if it is in the Undo protection unsuccessful state.
To clear a threat:
1 In the navigation pane, click Active Identities.
2 Click the Active Users and Threats tab.
3 Double-click the threat management row whose Security Threat is Undo protection unsuccessful. The Active Users and Threats Details window appears (see the following figure).
Figure 295: Threat User Details
4 On the menu, click Edit > Clear. The threat icon for the identity is removed, indicating there is no longer a threat.
5 Click File > Close to close the window.
Viewing Threat Information on the Dashboard
If desired, you can add either, or both, of the following threat reports to the dashboard on the Ridgeline home page:
Threats by type in the last 24 hours (report icon = Threats/Type)
Threats by user name in the last 24 hours (report icon = Threats/User Name)
For information about how to add these reports to the dashboard, see Modifying the Contents of the Ridgeline Home Page on page 12.
attribute must be configured to specify the type of user to be authenticated. A more useful implementation is to configure the external RADIUS server to return user role information along with the user authentication. For information about configuring an external RADIUS server, see Configuring an External RADIUS Server for Ridgeline User Authentication on page 452.
Configuring an External RADIUS Server for Ridgeline User Authentication
Ridgeline uses administrator roles to determine who can access and control your Extreme Networks network equipment through Ridgeline. A user's role determines what actions the administrative user is allowed to perform, through Ridgeline or directly on the switch. When users are authenticated through Ridgeline's built-in logon process, Ridgeline knows what role each user is assigned and grants access accordingly.
If users are going to be authenticated by an external RADIUS authentication service, then that service needs to provide role information along with the user's authentication status:
If you are using only the predefined roles that are built into Ridgeline, you can configure the RADIUS server with a Service Type attribute to specify one of the built-in administrator roles.
If you have created your own custom roles, you can set a Vendor-Specific Attribute (VSA) to send the appropriate role information along with the authentication status of the user.
To set up your RADIUS server to provide authentication and authorization for Ridgeline users:
1 Configure Ridgeline to act as a RADIUS client (see Enabling RADIUS for Ridgeline on page 349).
2 In your authentication database, create a group for each administrative role you plan to use in Ridgeline, and then configure the appropriate users with the appropriate group membership. For example, if you want to authenticate both Ridgeline admin and manager users, you must create a group for each one.
3 Within the RADIUS server:
Add Ridgeline as a RADIUS client.
Create Remote Access Policies for each Ridgeline role, and associate each policy with the appropriate Active Directory group. For example, if you plan to have both Ridgeline admin and manager users, you must create a Remote Access Policy for each one, and then associate each policy with the appropriate group.
Edit each Remote Access Policy to configure it with the appropriate Service Type attribute value or VSA for the appropriate Ridgeline role.
For detailed examples of configuring Ridgeline and your RADIUS server to provide user authentication, see:
Example: Setting up a VSA to Return Ridgeline Role Information on page 452
Example: Setting the Service Type for a Built-in Ridgeline Role on page 453
Example: Setting up a VSA to Return Ridgeline Role Information
The following is an example of how to set up the VSA in Windows 2000 for a custom (user-defined) role named AlarmsOnly. Note that you must have an administrator or super-user role in Ridgeline to perform these steps.
This assumes that Ridgeline has been configured as a RADIUS client in Ridgeline administration, and on the RADIUS server. (See External RADIUS Server Setup on page 554 for a detailed walk-through example of how to configure an external RADIUS server for Ridgeline authentication.)
1 In Ridgeline administration, create a role named AlarmsOnly (see Adding or Modifying Roles on page 346).
2 From the Internet Authentication Service (IAS), add or edit a Remote Access Policy. Set up the policy conditions as appropriate. Remote access policies are a set of conditions and connection parameters that are used to grant users remote access permissions and connection usage.
3 Click Edit Profile to edit the remote access policy. Click the Advanced tab and add a Vendor-Specific attribute. Set up the attribute with the following values:
Vendor code: 1916
Vendor-assigned attribute number: 210
Attribute format: String
Attribute value: AlarmsOnly
Once this has been set up, for all users logging in to Ridgeline who match the conditions defined in the remote access policy, a VSA with value AlarmsOnly is passed to Ridgeline. Ridgeline then applies the user role AlarmsOnly to those users to provide feature access as defined by that role.
Example: Setting the Service Type for a Built-in Ridgeline Role
If you plan to use an external RADIUS server to authenticate Ridgeline users, but you do not want to configure your RADIUS server with a VSA to pass role information (see Example: Setting up a VSA to Return Ridgeline Role Information on page 452), then you must configure your RADIUS server's Service Type attribute (in the Remote Access Policy for the users who should have access to Ridgeline) to specify the type of Ridgeline user to be authenticated:
For Users with Role | Set the Service Type to...
Admin | 6
Manager | 5
Monitor | 1
To disable authentication | "Disabled"
If you do not change from the default (which is to disable authentication), no Ridgeline users can be authenticated. If you set this Service Type in your standard Remote Access Policy, only one type of user can be authenticated using this method. To allow the authentication of multiple types of Ridgeline users, follow the instructions in this example: Example: Setting up a VSA to Return Ridgeline Role Information, or see the detailed example in Configuring RADIUS for Ridgeline Authentication.
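The two role-passing methods above, as they appear on the wire in a RADIUS Access-Accept (RFC 2865 attribute encoding). This is an added example, not Ridgeline code: the function names are hypothetical, and the rule that a role VSA takes precedence over Service-Type is an assumption made for the illustration. It is useful for checking a packet capture against what the Remote Access Policy was meant to send.

```python
import struct

EXTREME_VENDOR_ID = 1916   # "Vendor code" from the VSA example above
ROLE_VSA_TYPE = 210        # "Vendor-assigned attribute number" from the VSA example
ATTR_SERVICE_TYPE = 6      # RFC 2865 Service-Type attribute
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute

# Service Type values for the built-in roles, from the table above.
BUILTIN_ROLES = {6: "Admin", 5: "Manager", 1: "Monitor"}


def encode_attr(attr_type, value):
    """Encode one type-length-value attribute; length covers the 2-byte header."""
    length = 2 + len(value)
    if length > 255:
        raise ValueError("attribute too long for a one-byte length field")
    return bytes([attr_type, length]) + value


def encode_role_vsa(role):
    """Vendor-Specific attribute carrying the role name as a string sub-attribute."""
    sub = encode_attr(ROLE_VSA_TYPE, role.encode("utf-8"))
    return encode_attr(ATTR_VENDOR_SPECIFIC,
                       struct.pack("!I", EXTREME_VENDOR_ID) + sub)


def encode_service_type(value):
    """Service-Type attribute: a 4-byte big-endian integer."""
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def iter_attrs(buf):
    """Yield (type, value) pairs; reject truncated or inconsistent lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("attribute length runs outside the buffer")
        yield attr_type, buf[pos + 2:pos + length]
        pos += length


def resolve_role(attrs):
    """Return the role named by the attribute bytes, or None.

    Assumption for this example: a role VSA from vendor 1916 wins over
    Service-Type; an unknown Service-Type value maps to no role.
    """
    service_role = None
    for attr_type, value in iter_attrs(attrs):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            (vendor_id,) = struct.unpack("!I", value[:4])
            if vendor_id != EXTREME_VENDOR_ID:
                continue  # another vendor's VSA carries no role for us
            for sub_type, sub_value in iter_attrs(value[4:]):
                if sub_type == ROLE_VSA_TYPE:
                    return sub_value.decode("utf-8")
        elif attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            (code,) = struct.unpack("!I", value)
            service_role = BUILTIN_ROLES.get(code)
    return service_role


if __name__ == "__main__":
    # Constructed attribute bytes: Service-Type 6 followed by the AlarmsOnly VSA.
    reply = encode_service_type(6) + encode_role_vsa("AlarmsOnly")
    print(reply.hex(), "->", resolve_role(reply))
```
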
a To receive the Ridgeline SSH enabler key, fill out the End-User Certification Form at: www.extremenetworks.com/apps/Ridgeline/ssh.asp
b After the form is submitted, Extreme Networks reviews the request and responds within two business days.
c If your request is approved, an e-mail is sent with the information needed to obtain the ssh-enabler key file.
d Place the ssh-enabler key file in your existing Ridgeline installation directory. This unlocks the Ridgeline SSH-2 features.
3 Enable SSH on the devices that you want Ridgeline to communicate with using SSH rather than Telnet:
a In Ridgeline, on the menu, click Device > Modify Communications Settings.
b Select the devices you want to configure for SSH.
Figure 296: Configuring Devices to Use SSH for Communication
c Select SSH, and select Enabled from the list.
d Click OK to have this setting take effect.
Note: If the SSH enabler module is not installed, you cannot configure SSH on any devices; the SSH setting is still disabled.
Ridgeline now uses SSH instead of regular Telnet for direct communications with the device, including Netlogin and polling for the FDB from the Extreme Networks switches. It also uses SFTP for file transfers such as uploading or downloading configuration files to the device.
the differences between the two files (see Viewing and Comparing Configuration Files for Devices on page 270).
switch or router that are more costly than others, and although normal traffic is not a problem, exception traffic must be handled by the switch's CPU in software. Some packets that the switch processes in the CPU software include:
Learning new traffic
Routing and control protocols including ICMP, BGP and OSPF
Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may become too busy to service other functions and switch performance suffers. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets requiring costly processing. DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue.
When a flood of packets is received from the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, then these headers are analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the CPU. With the ACL in place, the CPU has the capacity to process legitimate traffic and continue other services.
Once DoS Protection is set up on the switches, you could define an alarm for the traps DOS Threshold cleared and DOS Threshold reached, and have it take an action such as an e-mail notification or sending a page to a network administrator. For information about configuring DoS Protection on your Extreme Networks switches, see the ExtremeXOS Concepts Guide.
Another example would be to detect a TCP SYN flood as indicating a potential DoS attack. A SYN flood occurs when a malicious entity sends a flood of TCP SYN packets to a host. For each of these SYN requests, the host reserves system resources for the potential TCP connection. If many of these SYN packets are received, the victim host runs out of resources, effectively denying service to any legitimate TCP connection. Using the Alarm Manager, you can detect a potential SYN flood by defining a threshold alarm, using a delta rising threshold rule on the TCP-MIB object tcpPassiveOpens. If this MIB object rises quickly in a short delta period, the system may be under a DoS attack.
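How a delta rising threshold behaves on a counter such as tcpPassiveOpens, as an added example (not Ridgeline's implementation). It assumes RMON-style semantics: the alarm fires once when the per-interval delta reaches the rising threshold and re-arms only after the delta drops to the falling threshold. The samples and threshold values are constructed, and the counter is treated as a 32-bit SNMP counter that can wrap.

```python
COUNTER32_MOD = 2 ** 32  # tcpPassiveOpens is a 32-bit counter and wraps to zero


def counter_delta(prev, curr):
    """Increase between two polls, correct across a single counter wrap."""
    return (curr - prev) % COUNTER32_MOD


def rising_alarms(samples, rising, falling):
    """Evaluate a delta rising threshold over polled counter values.

    samples: list of (timestamp_seconds, counter_value), oldest first.
    Returns a list of (timestamp, delta) for each interval that raises the alarm.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    alarms = []
    armed = True
    for (_, prev), (when, curr) in zip(samples, samples[1:]):
        delta = counter_delta(prev, curr)
        if armed and delta >= rising:
            alarms.append((when, delta))
            armed = False          # stay quiet while the burst continues
        elif not armed and delta <= falling:
            armed = True           # traffic is back to normal, re-arm
    return alarms


# Constructed polls of tcpPassiveOpens every 10 seconds. The counter wraps
# between t=20 and t=30, which is also where the first burst begins.
SAMPLES = [
    (0, 4294967000),
    (10, 4294967040),
    (20, 4294967090),
    (30, 2704),
    (40, 6204),
    (50, 6254),
    (60, 7754),
]

if __name__ == "__main__":
    for when, delta in rising_alarms(SAMPLES, rising=1000, falling=100):
        print(f"t={when}s: {delta} new passive opens in the last interval")
```

A plain subtraction at the wrap would give a large negative delta and miss the first burst; the modular delta is what lets the alarm fire at t=30.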
Ridgeline creates a dynamic log of syslog messages in the Reports feature. Use this log to scan for critical security events such as:
Table 27: Security-Based Syslog Messages
Error Message: <CRIT:IPHS> Possible spoofing attack
Explanation: You have a duplicate IP address on the network (same as an address on a local interface). or The IP source address equals a local interface on the router and the packet needs to go up the IP stack i.e., multicast/broadcast. In the BlackDiamond, if a multicast packet is looped back from the switch fabric, this message appears.
Error Message: USER: Login failed for user through telnet
Explanation: A logon attempt failed for an administrative user attempting to connect to a device using telnet.
Error Message: SYST: card.c 1000: Card 3 (type=2) is removed.
Explanation: A card has been removed from the device. This is a possible breach of physical security if this is an unauthorized removal.
Error Message: <WARN:KERN> fdbCreatePermEntry: Duplicate entry found mac 00:40:26:75:06:c9, vlan 4095
Explanation: A duplicate MAC address appeared on the network. This is a possible client spoofing attempt.
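A scan for the Table 27 messages over exported syslog lines, as an added example (not part of Ridgeline). The patterns are built from the message texts in the table; the timestamp and source-address prefix, the benign line, and the user name are constructed, and the real line layout on your devices may differ.

```python
import re
from collections import Counter

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"

# (event name, pattern) pairs derived from the message texts in Table 27.
RULES = [
    ("possible_ip_spoofing",
     re.compile(r"<CRIT:IPHS> Possible spoofing attack")),
    ("telnet_login_failed",
     re.compile(r"USER: Login failed for user (?:(?P<user>\S+) )?through telnet")),
    ("card_removed",
     re.compile(r"SYST: card\.c \d+: Card (?P<slot>\d+) \(type=(?P<type>\d+)\) is removed")),
    ("duplicate_mac",
     re.compile(r"<WARN:KERN> fdbCreatePermEntry: Duplicate entry found "
                r"mac (?P<mac>" + MAC + r"), vlan (?P<vlan>\d+)")),
]


def scan(lines):
    """Return one finding per line that matches a Table 27 message."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for event, pattern in RULES:
            match = pattern.search(line)
            if match:
                fields = {k: v for k, v in match.groupdict().items() if v is not None}
                findings.append({"line": number, "event": event, "fields": fields})
                break  # one event per line is enough
    return findings


def summarize(findings):
    """Count findings per event type, for a quick triage view."""
    return dict(Counter(f["event"] for f in findings))


# Constructed sample lines (192.0.2.0/24 is a documentation address range).
SAMPLE_LINES = [
    "Jan 15 09:12:01 192.0.2.5 <CRIT:IPHS> Possible spoofing attack",
    "Jan 15 09:12:07 192.0.2.5 <INFO:SYST> Port 1:4 link up",
    "Jan 15 09:13:40 192.0.2.9 USER: Login failed for user through telnet",
    "Jan 15 09:13:44 192.0.2.9 USER: Login failed for user admin through telnet",
    "Jan 15 09:20:10 192.0.2.9 SYST: card.c 1000: Card 3 (type=2) is removed.",
    "Jan 15 09:21:55 192.0.2.5 <WARN:KERN> fdbCreatePermEntry: "
    "Duplicate entry found mac 00:40:26:75:06:c9, vlan 4095",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
    print(summarize(scan(SAMPLE_LINES)))
```
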
Extreme Networks switches can support a maximum of 4095 VLANs. VLANs on Extreme Networks switches can be created according to the following criteria:
Physical port
802.1Q tag
Protocol sensitivity using Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol filters
A combination of these criteria
For a more detailed explanation of VLANs, see the ExtremeXOS Concepts Guide. You can create VLANs in Ridgeline using Ridgeline's network resource provisioning feature or through scripts. You can monitor the VLANs in your network from Ridgeline Main View or device groups. For more information about how Ridgeline can help you manage the VLANs on your network, see Creating VLANs on page 123.
25 Ridgeline Reports
Reports Overview
Accessing Ridgeline Reports
The Extreme Networks eSupport Export Report
Network Status Summary Report
Network Users Reports
Devices Reports
Slots, Stacks and Ports Reports
EAPS Reports
Log Reports
Client Reports
MIB Poller Tools
Ridgeline Server Reports
Adding User-Defined Reports to the Reports Menu
Printing Reports
Exporting Reports
This chapter describes the predefined reports provided by the Ridgeline Reports feature and covers the following topics:
Accessing Reports from Ridgeline or from a browser
The Network Summary Report, which is also displayed on the Ridgeline Home page
Exporting Ridgeline data for use by the Extreme Networks Technical Assistance Center
Viewing predefined Ridgeline status reports from a browser
Reports Overview
The Ridgeline software provides a series of HTML-based reports that present a wide variety of information about your network and the devices Ridgeline is managing. These reports can be accessed from Ridgeline or they can be accessed separately from a standard web browser (see Accessing Ridgeline Reports on page 462). The Ridgeline reports do not require Java capability, and thus can be accessed from browsers that cannot run the full Ridgeline user interface. These reports load quickly, even over a dial-up connection, and can also be printed. Some of these reports are actually tools to access information helpful for debugging problems with Ridgeline or the devices it is managing. With the exception of the Network Summary Report, Ridgeline's HTML reports always appear in a browser window, even if you are logged into Ridgeline. See Browser Requirements for Reports in the Ridgeline Installation and Upgrade Guide or the Ridgeline Release Notes for a list of supported browsers. The browser configured as the default for your system is the one that is used. The Network Summary Report also appears on the Ridgeline home page (see The Ridgeline Home Page on page 11).
To access the Ridgeline reports from a browser:
1 Start a web browser, and enter the following URL: http://<host>:<port>/ In the URL, replace <host> with the IP address of the Ridgeline server. Replace <port> with the TCP port number that you assigned to the Ridgeline Web Server during installation (by default this is port 8080).
2 On the Ridgeline Welcome page, click Log onto Reports only at the bottom left of the page.
3 Type your logon credentials on the Extreme Network Report Logon page; use the same username and password that you use to log on to Ridgeline.
Network Summary
Description
Information about the users logged on to the network, including:
Logons by username
Logon failures by username
Logons by device IP address
Logon failures by device IP address
Logons by user's MAC address
Logon failures by user's MAC address
Threats by type
Threats by username
See Network Users Reports on page 468.
Devices
Device Inventory Report by Device Group (see Devices by Group Table on page 469) and Device Type (see Devices by Type Table on page 469): By Device (see Device Summary on page 469) Device Details (see Device Details Report on page 470) Power Over Ethernet (see Power over Ethernet Report on page 472) Power Over Ethernet Details (see Power Over Ethernet Details Report on page 472) ReachNXT Devices Report
Overview of devices known to Ridgeline, by Device Group. From this report you can access the Device Details report, and additional subreports such as PoE information for devices that support those features.
Status of ReachNXT devices connected to switches known to Ridgeline. See ReachNXT Devices on page 474. Status of devices by device group. From here you can access status of individual devices (alarms, not responding etc.). See Device Status Report on page 474. Inventory of cards (by type) installed in devices in the Ridgeline database. The Card Summary Report shows details about cards of a given type. From there you can view details about the device hosting the card. The Empty Slots report shows empty slots by device.
Device Status Report by Device Group
By Device (see Device Details Report on page 470)
Slots, Stacks and Ports
Slot Inventory, by Card Type (see Slot Inventory on page 476)
Card Summary by Card or All Cards (see Card Summary Report on page 477)
Device Details (see Device Details Report on page 470)
Slot Details (see Card Details Report on page 477)
Empty Slots Report (see Empty Slots Report on page 478)
Stack Inventory (see Stack Inventory Reports on page 479)
Stack Summary (see Stack Summary Report on page 479)
Device Details (see Device Details Report on page 470)
Stack Details (see Stack Details Report on page 480)
Inventory of stacking devices. From this report you can access Device Details for the stacking device, or Stack Details.
Interface Report: Inventory of all ports on devices in the database. See Interface Report on page 482.
Description Summary of inactive ports by device including location, with subreports (by device) showing length of inactivity, VLAN membership etc. See Unused Ports Report on page 483. Summary of EAPS domains known to Ridgeline. See EAPS Summary on page 485. EAPS-related Trap and Syslog entries for devices configured for EAPS. See EAPS Log Report on page 485. Ridgeline alarm log (more information available through Alarm Log Browser feature). See Alarm Log Report on page 486. Ridgeline event log entries. See Event Log on page 487. Syslog entries. See Syslog (System Log) on page 488. Log of configuration management actions (config file uploads/downloads) and results. See The Configuration Management Activity Log on page 489. List of network login activity by device. See Client Reports on page 491. Displays data in a MIB collection. Users with an Administrator role can start or stop a collection. See The MIB Poller Summary on page 505. Provides an interface to query for the value of specific MIB variables. This is available only to users with an Administrator role. See The MIB Query Tool on page 509. Shows a variety of status information about the Ridgeline server. See Server State Summary Report on page 494. Tools to aid in analyzing Ridgeline performance. These are available only to users with an Administrator role. See Debug Ridgeline on page 496.
EAPS
Logs
Alarm
Client Reports
Network Login
MIB Query
Debug Ridgeline
Figure 297: Ridgeline Reports Main Page To view a report, click the report name in the left pane. The report appears in the center pane.
Filtering Reports
Some reports provide filtering, to limit what data appears in the report. To create a filter, select the values to use in the filter from the drop-down lists at the top of the report. The variables you can choose are based on the columns in the report, and vary by report. In some reports, you filter each column by a selected value. In other reports, you select a column name, a comparison operator, and then the value to be used for comparison. In these reports you may often concatenate two conditional statements with a logical operator ("and" or "or"). The Alarm Log report is an example of this type of filter specification, as shown below.
Figure 298: Report Filtering for the Alarm Log Report
The comparison operators are:
> (greater than)
< (less than)
<= (less than or equal)
>= (greater than or equal)
If the column values are strings, the comparisons are made alphabetically (Mary is greater than Joe; Mary is also greater than Many).
Note: You can copy and paste a value from the report into a comparison field.
To add a second condition to your filter, choose one of the logical operators And or Or.
And: Include a row in the report only if both conditions are true.
Or: Include the row if either one (or both) of the conditions are true.
NIL: Ignore the second conditional clause of this filter.
If you do not want to include a second condition, do not select any values for those fields. Click Submit to run the filtered report. Click Reset to return the filter to its default values.
Sorting Reports
Some reports allow you to sort by columns. Click a column heading to sort the report based on the contents of the column. Clicking once sorts the report in ascending alphabetic or numeric order; clicking a second time reverses the sort order.
Figure 299: Network Status Summary Report
This summary shows the following statistics:
Down or unreachable devices: The number of devices known to the Ridgeline server that are not responding to Ridgeline queries.
Marginal-condition devices: The number of devices reported to be in marginal condition (such as a problem with the fan, temperature, or power).
Unmanaged devices: The number of devices that are offline for planned service.
Unacknowledged critical alarms in the last 24 hours: The number of critical alarms in the last 24 hours that have not been acknowledged.
Critical or worse syslog message in the last 24 hours: The number of syslog messages with a priority of critical or worse that occurred in the last 24 hours.
The Network Status Summary Report also lists the current version of Ridgeline software running on your machine.
Note: To verify the latest Ridgeline software version, Ridgeline must access the Extreme Networks website at www.extremenetworks.com. If your network uses a firewall, you can configure HTTP proxy device and port in the Administration feature (see External Connections Properties on page 354).
Server: The server name. Clicking on the server name initiates the Dynamic Reports feature for that server. You can then run any of the available HTML reports.
Launch Client: A link that can launch a client connection to the server. Clicking on the Client link launches a client that attempts to connect to that server.
Devices Up: The number of devices managed by the server that are up.
Devices Down: The number of devices managed by the server that are down.
Critical Alarms: The number of critical alarms that have occurred on devices managed by the server.
Last Update: The date and time of the last update of the server summary information for this server.
Server Status: The status of the server (whether it is responding to the periodic poll).
Devices Reports
Click the Devices link to display links to the Device Reports. These reports provide a variety of status information about the devices being managed by Ridgeline: Device Inventory ReachNXT devices Device Status
Figure 300: Device Inventory Reports
The initial display presents summaries at the device group (see Devices by Group Table on page 469) and the device type level (see Devices by Type Table on page 469).
Devices by Group Table
The Devices by Group table displays the following information:
Device Group: Name of the device group
Description: Description of the group as kept in the Ridgeline device inventory
Quantity: Number of devices in the group
Clicking a device group in the table produces the Device Summary report (see Device Summary on page 469).
Devices by Type Table
The Devices by Type table displays the following information:
Device Type: Type of device
Quantity: Number of devices of this type known to Ridgeline
Clicking a device group in the table produces the Device Summary report (see Device Summary on page 469).
Device Summary
The Device Summary displays the following information about each device:
Clicking an IP address in the tables produces the Device Details report (see Device Details Report on page 470). Figure 301: Device Summary
Device Group(s): All Ridgeline Device groups to which it belongs (this is displayed only if you select All Devices)
Name: Name of the device from the sysName variable
IP Address: IP address of the device. Click the IP address to display a table with detailed configuration and status information. This is the same information you can view in the Ridgeline Inventory.
Device model
Device location from the sysLocation variable
Media access control address of the device
Device serial number
Software version currently running on the device, if known
When you add a device into the inventory, you can provide additional information about the device. You can view or change this information later in the Device Panel dialog box (see Device Inventory View on page 38).
Device Details Report The Device Details report shows information about an individual device. If the device includes a PoE blade, you can view a report about that feature (see Device Details Report on page 470).
Figure 302: Device Details Reports
This report shows the following information:
Serial Number: Device serial number
IP Address: IP address of the device
Device Group(s): Device Groups to which this device belongs
Device Type: The device type
Name: The name given to the device
Description: The description provided for the device
Location: The location information for the device
Contact: The contact information for the device
Boot Time: Time of the most recent boot.
Software Version: The version of software currently running on the device
Primary Image: The version of software saved as the Primary Image
Secondary Image: The version of software saved as the Secondary Image
Status: Device Status: OK, or marginal
Fan Status: Status of fans: OK, marginal, or If there are multiple fans, each is listed (fan 1, fan 2 etc.)
Power Status: Status of power supply modules: OK, marginal, or If there are multiple modules, each is listed (power 1, power 2 etc.)
Power over Ethernet Report The Power Over Ethernet report shows information about the PoE configuration of the device. To view a detailed report on PoE ports, click the Power Over Ethernet Port Details (see Power Over Ethernet Details Report on page 472).
Figure 303: Power over Ethernet Report The report shows the following information about the PoE configuration: Device-level information:
Configuration: Whether PoE is enabled for the switch. (Enabled or Disabled)
Power Supply Mode: The configured power-supply mode: Redundant, Load-Sharing, or N/A (if only one power supply is installed).
Disconnect Precedence: The method used to determine which port to disconnect when power drain exceeds the power budget:
lowest-priority (next port connected causes a shutdown of the lowest priority port)
deny-port (next port that attempts to connect is denied power, regardless of priority)
The threshold for power utilization compared to the configured maximum for either the allocated power budget per slot, or for system level allocation.
Power Over Ethernet Details Report
This report shows power details for each port on the device.
Figure 304: Power over Ethernet Details Report (partial)
This report shows the following information:
Port Num: Port number
Measured Power (mW): Measured power on this port
Operational Max Power (mW): Maximum power limit on this port
Reserved Power (mW): Reserved power limit on this port
Port Type: The user-defined port type
PoE status: Whether power is enabled on this port (Enabled or Disabled)
Operation Status: Status of the port (disabled, searching, delivering power, fault, test, other fault)
Classification: Class association for this port (0,1,2,3,4)
Priority: Port priority for purposes of power management
Violation Precedence: The limit used to determine power level violation (advertised class, operator limit, max advertised operator, or none)
ReachNXT Devices
The ReachNXT Devices report provides information about the ReachNXT devices connected to ports on switches managed by Ridgeline.
Figure 305: ReachNXT Devices Report
The ReachNXT report displays the following information:
Device name: The name of the switch where the ReachNXT device is connected.
Device IP address: The IP address of the switch where the ReachNXT device is connected.
Port Number: The number of the port connected to the ReachNXT device.
Model number: The model number of the ReachNXT device.
Serial number: The serial number of the ReachNXT device.
MAC address: The MAC address of the ReachNXT device.
Software version: The version of software the ReachNXT device is running.
Description: Description of the ReachNXT device, if configured.
Uplink Port: The uplink port used by the ReachNXT device to connect to the switch
Figure 306: Device Status
The Device Status report displays the following information:
Group: Name of the device group
Description: Description of the group as kept in the Ridgeline device inventory
Alarms in last 24 hours: Total alarms for all devices in the device group
Devices not Responding: Number of devices in the group that are not responding
Devices Marginal: Number of devices in the group whose operation is marginal
Devices Offline: Number of devices in the group that are offline
Devices Up: Number of devices in the group that are up
Click a Device Group name in the Group column to display the Device Status Report for the devices in the group. The following figure shows example output.
Figure 307: Device Status (Group detail)
The Group Device Status report shows the following information:
Device Name: Name of the device from the sysName variable
IP: IP address of the device
Status: The status of the device: operational, offline, marginal, and not responding
Last Failure: Time at which the most recent device failure occurred, expressed in the local time zone of the Ridgeline server
Down Period (d:h:m:s): Length of time the device was unreachable, reported in days:hours:minutes:seconds
Boot Time: Time when the device was last booted, expressed in the local time zone of the Ridgeline server
Alarms in last 24 Hours: Number of alarms in the last 24 hours from this device
Slot Inventory
Click Slots, Stacks, Ports > Slot Inventory to view the Slot Inventory Reports showing an inventory of the slots and module cards known to Ridgeline. Click a Card Type to view a Card Summary Report for an individual card type (see Card Summary Report on page 477). Click All Cards (at the bottom of the list) to view a Card Summary report showing all cards known to Ridgeline. Click Empty Slots (also at the bottom of the list) to view a report on the empty slots detected by Ridgeline (see Empty Slots Report on page 478).
Figure 308: Slot Inventory Report
The Slot Inventory report shows the following information:
Card Types: Type of module cards and empty slots known to Ridgeline
Quantity: Number of modules of a given type. For All Cards, this is the total number of cards in all modular devices known to Ridgeline. For Empty Slots, this is the total number of empty slots detected among the modular devices known to Ridgeline.
Card Summary Report
From the Slot Inventory report (see Slot Inventory on page 476), click a Card Type or All Cards to display the Card Summary report for the modules known to Ridgeline. The following figure shows an example of output that appears if you select All Cards. The information shown for an individual card type is the same, except that the Card Type column is not included.
Figure 309: All Cards Card Summary
Each Card Summary report displays the following information about each module:
Device Group(s): Name of all the device groups of which the device is a member
Device Name: Name of the device (where the card resides) from the sysName variable
Device Address: IP address of the device
Device Location: Device location from the sysLocation variable
Card Type: Type of module card (this is displayed only if you select All Cards)
Slot Name: Number or letter of the slot where the module card is installed
Card Serial Number: Module card serial number
If you have selected an individual card type, this report shows only modules of the selected type. If you have selected All Cards, the report shows all cards in any of the devices known to Ridgeline. Clicking an IP address displays a device details report (see Device Details Report on page 470). Clicking a Slot Name displays a Card Details report (see Card Details Report on page 477).
Card Details Report
Clicking a Slot Name from the Card Summary Report (see Card Summary Report on page 477) displays the Card Details Report. The Card Details Report shows the following information:
Device Group(s): The device group.
Device Name: Name of the device.
Device Address: Device IP address.
Device Location: The location information for the device
Device Current Image: The version and type of the operating system software currently running on the device.
Slot Type: The type of module.
Slot Name: The name of the slot (for example, Slot-8)
Slot Alias
Slot Serial Number: The serial number of the module in the slot.
Slot Primary Image: The type and version of the operating system software for the module on the primary hard drive.
Slot Secondary Image: The type and version of the operating system software for the module on the secondary hard drive.
Slot Current Image: The type and version of the operating system software currently running on the module.
Slot Boot ROM: The BootROM version installed on the module.
Slot MSM Mode: The mode that the MSM module is operating in. When there are two MSM modules one is the "Master," and the other is the "Slave." For non-MSM slots, the value is "Not Applicable."
Slot State: Whether or not the slot is operational.
Empty Slots Report
From the Slot Inventory report (see Slot Inventory on page 476), click Empty Slots to display the Empty Slots summary report for the empty slots known to Ridgeline.
Figure 310: Empty Slots Summary
The Empty Slots summary report displays the following information about the empty slots:
Device Group: Name of the device group
Device Name: Name of the device from the sysName variable
Device Address: IP address of the device
Device Location: Device location from the sysLocation variable
Empty Slots: Number or letter of the empty slot(s) on the device
Clicking an IP address displays a device details report (see Device Details Report on page 470).
Figure 311: Stack Inventory
The Stack Inventory report shows the following information about module card types and empty slots:
Stack Devices: Type of stacking device
Quantity: Number of devices of a certain type. All Stacks shows total number of stacking devices known to Ridgeline.
Stack Summary Report
From the Stack Inventory report (see Stack Inventory Reports on page 479) click a Stack Device type or All Stacks to display the Stack Summary report for the stack devices known to Ridgeline. The following figure shows an example of output that appears if you select All Stacks. The information shown for an individual stack device type is the same, except that the Card Type column does not appear. Clicking a Device Address displays a Stack Details report (see Stack Details Report on page 480).
Figure 312: All Stacks Card Summary
Each Stack Summary displays the following information about the device:
Device Group(s): Name of all the device groups of which the device (stack master) is a member.
Device Name: Name of the device from the sysName variable
Device Address: IP address of the device (link to the Device Details report)
Device Location: Device location from the sysLocation variable
Card Type: Type of stack device (this is displayed only if you select All Stacks)
Slot Name: Name of the stacking device, linked to the Stack Details report for the device
Card Serial Number: Stack Device serial number
If you have selected an individual stack device type, this report shows only modules of the selected type. If you have selected All Stacks, the report shows all stacking devices known to Ridgeline.
Stack Details Report
Clicking a Device Address from the Stack Summary report (see Stack Summary Report on page 479) displays the Stack Details report for the selected device. The following figure shows an example of output.
Figure 313: Stack Details Report
Each Stack Details report displays the following information about the stack device:
Device Group(s): Name of all the device groups of which the device (stack master) is a member.
Device Name: Name of the device from the sysName variable
Device Address: IP address of the stack master device
Device Location: Device location from the sysLocation variable
Device Current Image: Version of image running on the master device
Slot Type: Type of module card (this is displayed only if you select All Cards)
Slot Name: Name of the stacking device, linked to the Stack Details report for the device
Slot Alias
Slot Serial Number: Stack Device serial number
Slot Primary Image: The version of software saved as the Primary Image in the stack device
Slot Secondary Image: The version of software saved as the Secondary Image in the stack device
Slot Current Image: The version of software currently running in the stack device
Slot BootROM: The BootROM version in the stack device.
The mode that the MSM module is operating in. When there are two MSM modules one is the "Master," and the other is the "Slave." For non-MSM slots, the value is "Not Applicable." Whether the slot is operational or not.
Interface Report
To view a report on the status of every port known to the Ridgeline software, click Slots, Stacks, and Ports > Interface Report. The following figure shows an example of output.
Figure 314: Interface Report
The Interface Report shows the following information for each interface:
IP Address: IP address of the interface
Port: Port number of the interface
Port Name: Port name of the interface
Admin Status: Interface administrative status (enabled/disabled)
Oper Status: Operational status of the interface (ready/active)
Configured Speed/Type: Nominal (configured) speed of the interface
Actual speed of the interface Whether the port is being actively polled as an edge port, or is not being polled. If the port is not polled, the reason is included (Device Not Supported, Inactive Port, Not Supported, Polling Disabled For Port, or Uplink Port)
You can filter the ports that are displayed in the report. For more information about filtering, see Using Report Filtering.
Figure 315: Unused Ports Report
You can filter the report by selecting the following:
VLAN: Select all VLANs or the name of a particular VLAN
Device Group: Select all groups or the name of a particular device group
Inactive Days: Enter the number of days of inactivity for the requested port(s)
Inactive Hours: Enter the number of hours of inactivity for the requested port(s)
When you complete your selections, click Submit. The report can be saved in csv or xml format, or shown in a single page. The Unused Ports report displays the following information:
Name of the device on which the port resides IP Address of the device on which the port resides Inactive ports on the device The total number of inactive ports on the device. The total number of inactive ports for all devices in the report is displayed at the bottom of the report. Device groups to which this device belongs
Click an entry in the Inactive Ports column to open the Unused Port Reports detail; the following figure shows a portion of example output.
Figure 316: Unused Ports Report: detail
You can filter the report by specifying the VLAN, the device group, and the time frame (inactive days, inactive hours). The Unused Port Reports detail displays the following information:
Port Number: Number of the unused port
Port Name: An optional name (text string) configured for the port
Inactive Time: Length of time this port has been inactive
Vlan Name: Name of the VLAN to which this port belongs
Physical Type: Type of port
EAPS Reports
There are two reports available under EAPS:
EAPS Summary report
EAPS Log report
The EAPS Summary report is also available as follows: in the navigation pane, click Main View, click the EAPS tab, and then click EAPS Summary Report.
EAPS Summary
To view the EAPS Summary report, click EAPS > EAPS Summary. The EAPS Summary report provides a brief overview of the status of the EAPS domains known to Ridgeline. The report shows:
The total number of EAPS domains known to Ridgeline
The number of domains currently in an error state
The number of domain failures that have occurred in the last 24 hours
Figure 318: EAPS Log Report
The EAPS Log report displays the following information:
Time: Time the event occurred, expressed in the local time zone of the Ridgeline server
Source: IP address of the device and port number (if applicable) that generated the event
Type: Event type (for example, SNMP Trap)
Varbinds: Variable data transmitted with a trap
Log Reports
Four reports are provided under Logs: Alarm Event
Figure 319: Alarm Log Report
The log can be saved in csv or xml format, or the entire report can be shown in a new page by clicking show all.
Note: If the Ridgeline database has a large number of alarms, the show all option can take a very long time to complete.
The Alarm Log report displays the following information:
Time: Time the alarm occurred, expressed in the local time zone of the Ridgeline server
Name: Name of the alarm
Severity: Severity level of the alarm
Source: IP address of the device that generated the alarm
Category: Category that the alarm is classified under
Acked: Whether the alarm has been acknowledged (0 is acknowledged, 1 is not acknowledged)
Event #: Event ID of the alarm (assigned by the Ridgeline server when the alarm is received)
You can filter on any of the variables shown in the report. For more information about filtering, see Using Report Filtering.
Event Log
To view all the entries in the Ridgeline Event Log, click Log > Event. The following figure shows a portion of example output.
Figure 320: Event Log Report
The Event Log report shows the following information:
Time: Time the event occurred, expressed in the local time zone of the Ridgeline server
Source: IP address of the device and port number (if applicable) that generated the event
Type: Event type (for example, SNMP Trap)
Varbinds: Variable data transmitted with a trap
Count: Number of consecutive events (if the same trap occurs at the same time and is received multiple times, only one event is created and the count displays the number of traps)
You can filter the Event Log report. For further information about filtering, see Using Report Filtering. You can filter on any of the variables shown in the report.
Figure 321: Syslog (portion)
The Syslog report displays the following information:
Event #: Event ID of the syslog entry (assigned by the Ridgeline server when the syslog is received)
Time: Time the syslog is received by Ridgeline, expressed in the local time zone of the Ridgeline server
Source: IP address of the device that generated the syslog entry
Facility: Syslog facility
Severity: Syslog severity level
Message: Error message text
You can filter the events that are displayed by constructing a conditional filter using the fields at the top of the page. For more information about filtering, see Using Report Filtering.
Figure 322: Configuration Management Activity Log (portion)
The Configuration Management Activity Log displays the following information:
Time: Time at which the configuration activity occurred, expressed in the local time zone of the Ridgeline server
Device: IP address of the device on which the action was taken
Activity: The action that was attempted
Descr: A message describing the reason for the status (the error message if the action could not be completed), and the configuration file path.
You can filter the events that are displayed by constructing a conditional filter using the fields at the top of the page. For more information about filtering, see Using Report Filtering.
Client Reports
Five reports are provided under Client Reports:
Network Login
Current Clients
Client History
Spoofed Clients
Unconnected Clients
Figure 323: Network Login Report
The Network Login Report displays the following information:
Device Name: Name of the device
IP Address: IP address of the device
Network Login Activity: 802.1x network login activity that has occurred on this device
server and its activity, and a set of administrator tools, Debug Ridgeline (see Debug Ridgeline on page 496), available only to users with an administrator or super-user role, that are useful in analyzing Ridgeline performance or activity questions. If you do not have an administrator or super-user role, the Ridgeline debugging tools are not available.
Figure 328: Server State Summary Report (top half)
The report presents information in multiple tables. The first table in the report shows the status of the various Ridgeline subsystems:
Subsystem: The name of the subsystem (TFTP Server, Internal Syslog Server, Internal RADIUS Server, MAC Poller)
Configuration: Whether the subsystem is enabled or disabled
Current Status: Whether the subsystem is running or stopped
The third table in the report provides the number of operations that have occurred in the last minute, the last hour, and the last day (24 hours) for the following operations:
SNMP Queries: Number of SNMP queries performed by the Ridgeline server
Database Commits: Number of database commits performed by the Ridgeline server
Client Requests: Number of data requests to the Ridgeline server by all connected clients
Trap Requests: Number of trap PDUs received by the Ridgeline server
Syslog Messages: Number of syslog messages received by the Ridgeline server
The fourth table in the report shows scalability statistics for the thread pool and the SNMP session pool:
Thread Pool Statistics column
Pool Size: Thread pool size for the threads that are used to perform server operations (for example, reading data from a device or configuring the devices)
Default Allocation Size: Number of threads used to perform a single operation (for example, running a Ridgeline script across a number of devices)
Currently In Use: Number of threads currently in use
Maximum In Use at Once: Maximum number of threads that are in use at one time
Total # of Requests: Total number of times a thread is requested to perform an operation in the server
Total # of Wait For Thread: Total number of times the server has to wait for a thread to become available
Percentage Wait per Request: Percentage of total wait versus total request for threads

Pool Size: Maximum number of allowed SNMP access sessions to the devices
Default Allocation Size: Not applicable
Currently In Use: Number of SNMP access sessions currently in use
Maximum In Use at Once: Not applicable
Total # of Requests: Total number of times an SNMP object is requested to perform an operation in the server
Total # of Wait For Thread: Total number of times the server has to wait for an SNMP object to become available
Percentage Wait per Request: Percentage of total wait versus total number of requests for SNMP objects
The fifth table in the report shows the ports currently in use by the Ridgeline server:
Web Server: Port currently used by the Ridgeline web server
Trap Receiver: Port currently used by the Ridgeline server to receive traps
Radius Server: Port currently used by the RADIUS server
Telnet: Port currently used for Telnet
Database: Port currently used for Ridgeline database communication
The last table shows the Ridgeline licenses currently installed, along with their Access Keys (which can be used to obtain a license key from Extreme):
License: The type of license (Base-50, Add 50 Devices Upgrade, Security Feature Pack, SSH)
Status: Whether this license category is enabled or disabled.
Access Key: The access key for the license (used to obtain a license key from Extreme). See the Ridgeline Release Notes or the Ridgeline Installation and Upgrade Note for instructions on requesting and installing a license key.
If you have administrator or super-user level access to Ridgeline, you can use Ridgeline administration to change the web server, trap receiver, RADIUS, and Telnet ports used by Ridgeline. For more information about changing ports, see Device Properties on page 355. To change the database (and other) ports, see Reconfiguring Ridgeline Ports.
Debug Ridgeline
The Debug Ridgeline report is not really a report, but rather a set of tools that allow a user with an administrator or super-user role to set certain options for the purpose of analyzing Ridgeline performance. If you do not have administrator or super-user role access, you do not see this feature under Ridgeline Server > Debug Ridgeline. The tools for debugging Ridgeline are described in Using the Ridgeline Debugging Tools on page 511.
\html folder, be sure you also copy the report stylesheet (reportstylesheet.css) into the userdefinedreports directory.
Printing Reports
Ridgeline reports can be printed with your web browser's print function. To print a report, use the web browser's Print button. You can also click show all to print all data from a large .html page.
Exporting Reports
You can export certain Ridgeline reports to either .csv or .xml format. Exporting reports allows you to use various software programs to manipulate the data. The following reports can be exported:
Device Reports (Device Inventory)
Card Report (Slot Inventory)
EAPS Log Report
Report on Device Ports (Interface Reports)
Unused Ports
Network Login Report
Alarm Log
Event Log Report
Syslog Report
Config Management Log Report
From the Reports main page, you can generate a report to be used by Extreme Networks' technical support by selecting the device group from the drop-down list, and then clicking Export.
26 Enhancing Ridgeline Performance
Monitoring and Tuning Ridgeline Performance
Tuning the Alarm System
Using the MIB Poller Tools
Reconfiguring Ridgeline Ports
Using the Ridgeline Debugging Tools
This chapter describes how to tune Ridgeline performance and features to more effectively manage your network. It also describes some advanced features that are available to a Ridgeline administrator (a user with an Administrator role) to help analyze Ridgeline or Extreme device operation. These include:
Monitoring and tuning Ridgeline performance
Tuning the alarm system
Using Device Groups to facilitate workflow
Using the Ridgeline MIB Poller tools to maintain MIB variable history
Reconfiguring Ridgeline ports
Using the Ridgeline debugging tools
To disable Ridgeline management for a device, in the navigation pane, click Main View or the desired device group, select the device, and then click Device > Managing > Off. Note that this does not physically change the device; it just sets Ridgeline to ignore the device as if it were offline. To enable Ridgeline management for the device when it is again reachable, in the navigation pane, click Main View or the desired device group, select the device, and then click Device > Managing > On.
For devices that simply take a long time to sync or to poll on a detail poll cycle, you can reduce the impact by reducing the Detail Poll frequency (lengthening the time between polls) for those devices. The default Detail polling frequency is 3 hours for chassis devices and 7 hours for edge devices.
A global heartbeat poll that gets basic information about device reachability. The poll frequency is 10 minutes for all devices regardless of type.
A device-specific detail poll, that polls for more detailed information about the device configuration, such as software version, BootROM version, VLANs configured on the device, etc. This poll can take much longer to complete, so this type of polling is done less frequently, and is configurable on each device individually in Ridgeline. The default poll interval for this type of polling is every 60 minutes for core (chassis) devices and every 90 minutes for edge devices.
The global basic information poll frequency can be changed through the Ridgeline Administration, under the SNMP Server Properties (see SNMP Properties on page 352). Any changes affect all devices in the Ridgeline database. You can also change the timeout and number of retries. Increasing the global SNMP polling interval can reduce the load on your server and your network, at the expense of the timeliness of device state information.
You can change the Detail Device Poll interval as follows: in the navigation pane, click Main View or the desired device group, click Device > Modify Communications Settings, and then change the Poll Interval value. (You can also make this change in the Add Devices dialog box.) Changes here affect only the devices selected for modification.
MAC Address Polling
Ridgeline provides an option for doing Telnet-based polling of switch FDBs to gather MAC address information about edge ports. This feature is disabled by default. If enabled, its frequency can be modified to reduce the load on the overall system and the network. MAC address polling is enabled or disabled globally through the MAC Polling Server Properties in Ridgeline Administration. If enabled, MAC address polling can then be enabled on a per-device basis. Through the MAC Polling Server Properties (see MAC Polling Properties), you set the amount of load, which determines the amount of elapsed time between sets of FDB polling requests. A complete MAC address polling cycle consists of multiple groups of requests, until all devices with MAC address polling enabled have been polled. You can use the Ridgeline Server State Summary Report (see Server State Summary Report) to see the MAC address polling frequency based on the current setting of the MAC Polling server properties. The Server State Summary report tells you how long it took to complete the most recent polling cycle, as well as the average time it has taken to perform a complete polling cycle. Based on this data you can determine if you need to adjust the MAC Polling System Load factor.
Telnet Polling
Telnet polling is used for MAC address polling, for retrieving Netlogin information, and for retrieving Alpine power supply IDs. You cannot modify its frequency other than as discussed for MAC polling (see MAC Address Polling on page 500).
You can disable Telnet polling entirely, however, in the Devices area of Server Properties in the Ridgeline Administration (see Device Properties on page 355). If you disable Telnet Polling, MAC address polling is also disabled.
Percentage Wait per Request statistic is high (greater than 20%), you can consider increasing the maximum thread pool size. You can make this change in the scalability properties under Ridgeline Administration (see Scalability Properties on page 356). You should increase the Thread Pool Size by between 25% and 50%. Do not increase it beyond 100 as an upper limit.
4 Click the Enable/Disable. The green check mark in the Enabled column changes to a red "X".
Note that disabling alarms that are not likely to occur does not have much performance impact. For example, if you do not use ESRP, then disabling the ESRP State Change alarm is not likely to have an impact, as those alarms should never occur. However, if you do use ESRP, but do not want to know about state changes, disabling that alarm could have some performance impact.
One way to determine which alarms could be disabled for maximum performance impact is to look at the alarms that actually do occur within your network. You can look at the historical alarms list to see which alarms occur in your network (see The Cleared Alarms and Events Tab on page 252). Click the Name column heading to sort the list. This groups all occurrences of a given alarm together. Using this list you can see which alarms occur in your network, and the volume of alarms generated for each type of event.
Another possibility is that a specific device is generating a large number of alarms. If this is the case, you may be able to eliminate some of this load by either reconfiguring, maintaining, or repairing the device to eliminate the fault, or by changing the scope of one or more alarms to remove the problematic device from the alarm scope. By removing a device from the alarm scope, Ridgeline ignores traps for the device, and does not trigger an alarm even though the device itself may still generate those trap events.
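The same review can be run on an Alarm Log saved in csv format. The Python code below is an added example, not part of Ridgeline or this guide: it counts alarms per name and separates alarms dominated by one device (fix the device or remove it from the alarm scope) from alarms spread across devices (review the alarm definition). The csv header names, the thresholds and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an exported Alarm Log. The columns follow the Alarm
# Log report fields; the header spelling in a real export is an assumption.
SAMPLE_EXPORT = """\
Time,Name,Severity,Source,Category,Acked,Event #
2013-03-01 09:00:01,Link Down,Major,10.0.0.5,Default,1,101
2013-03-01 09:00:09,Link Down,Major,10.0.0.5,Default,1,102
2013-03-01 09:01:30,ESRP State Change,Warning,10.0.0.2,Default,1,103
2013-03-01 09:02:11,Link Down,Major,10.0.0.5,Default,1,104
2013-03-01 09:02:40,Link Down,Major,10.0.0.7,Default,1,105
2013-03-01 09:03:02,ESRP State Change,Warning,10.0.0.3,Default,1,106
2013-03-01 09:03:55,Fan Failure,Critical,10.0.0.9,Default,1,107
2013-03-01 09:04:10,Link Down,Major,10.0.0.5,Default,1,108
2013-03-01 09:05:00,ESRP State Change,Warning,10.0.0.4,Default,1,109
2013-03-01 09:05:31,Link Down,Major,10.0.0.5,Default,1,110
"""


def triage_alarms(csv_text, min_count=3, dominance=0.8):
    """Rank alarm names by volume and suggest where load can be cut.

    Returns (name, total, suggestion, source) tuples, busiest alarm first.
    The suggestion is "fix-or-rescope-device" when a single source produced
    at least `dominance` of that alarm's volume, otherwise
    "review-alarm-definition" with source set to None.
    """
    per_alarm = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Name") or "").strip()
        source = (row.get("Source") or "").strip()
        if name and source:
            per_alarm[name][source] += 1

    findings = []
    for name, sources in per_alarm.items():
        total = sum(sources.values())
        if total < min_count:
            continue  # too rare to matter for server load
        top_source, top_count = sources.most_common(1)[0]
        if top_count / total >= dominance:
            findings.append((name, total, "fix-or-rescope-device", top_source))
        else:
            findings.append((name, total, "review-alarm-definition", None))
    # Highest volume first; the name breaks ties so the order is stable.
    return sorted(findings, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for finding in triage_alarms(SAMPLE_EXPORT):
        print(finding)
```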
not available through Ridgeline's reports or other status displays, and to accumulate historical data for MIB variables of interest. The collected data can then be exported as a comma-separated text file which can be imported into another program such as a spreadsheet for analysis. You must have an administrator or super-user role to set up and initiate MIB collection or query actions. However, users with other roles can view the results of a collection that has been initiated by an administrator or super-user.
There are two separate tools available for retrieving MIB variable data:
The MIB Poller Summary displays a MIB collection, or allows an Administrator to load a MIB collection XML file to initiate MIB collection activity. A MIB collection is a historical log of MIB values as defined in the collections.xml file. In a running collection, Ridgeline polls specified devices, retrieves the values of specified MIB variables and saves them in the Ridgeline database. The OIDs and devices to be polled, the poll interval, the number of polling cycles and the amount of polled data to be stored are all defined in the Administrator-created collections.xml file. For more information, see The MIB Poller Summary on page 505.
The MIB Query tool allows an Administrator to create a one-time MIB query request to retrieve the value of specific variables from a set of specified devices. This is a one-time query, and does not poll repeatedly or store the data it retrieves. For more information, see The MIB Query Tool on page 509. The MIB Query tool is accessible only to users who have an administrator or super-user role.
<?xml version="1.0" encoding="utf-8" ?> <collections> <collection name=" pollingIntervalInSecs=" initialState=" saveData=" maxPollsPerDevice=" deletePercentage=" <table> <oid name=" </table>
503
<table> <oid name=" <oid name=" </table> <scalar> <oid name=" <oid name=" </scalar> <scope ipAddress=" <scope ipAddress="234.234.234.234" /> </collection> </collections> Within the outermost collections statement, you can define multiple individual collections, each bracketed with <collection name= ... > </collection> The collection properties must be defined in the collection statement at the beginning of each collection definition: Table 28: Control properties for a MIB collection specification
name: A name for the collection, between 1 and 255 characters.
pollingIntervalInSecs: The interval at which Ridgeline should poll for the variables defined in this collection, between 1 and 2147483 seconds.
initialState: Whether this collection should start running immediately upon loading (values are running and stopped).
saveData: Whether the collected data should be saved to the Ridgeline database (yes or no).
maxPollsPerDevice: The maximum number of poll result sets that should be saved in the database, between 1 and 2147483647 polls.
deletePercentage: The percentage of the saved data that should be deleted when the file reaches its specified limit.
Table OIDs are defined in <oid... > statements, included between <table> and </table> statements. OIDs from different tables must be put in separate <table> statements. The label portion of the statement appears in the MIB Collections Detail report, and as a heading in the exported data file. Scalar OIDs are defined in <oid... > statements included between a <scalar> and </scalar> statement. The devices that should be polled are specified by IP address in <scope ipAddress ...> statements, one for each IP address. The completed file must be named collections.xml, and placed in the user/collections directory. The Reload button in the MIB Poller Summary report will load the collections.xml specification, and begin the collection process if the initialState property specifies running.
To see an example of an actual collections.xml file, see Viewing the XML Collection Definition on page 508.
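Because the file is loaded automatically at server start or on Reload, it is worth checking a collections.xml before it is placed in the collections directory. The following is an added example, not Ridgeline code: it checks a file against the Table 28 properties and the table, scalar and scope structure described above. The sample documents and OID names are constructed, and the 1-100 bound on deletePercentage, the rejection of DOCTYPE declarations and the duplicate-name check are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Ranges and allowed values from Table 28. The page gives no bounds for
# deletePercentage; 1-100 is an assumption of this example.
INT_RANGES = {
    "pollingIntervalInSecs": (1, 2147483),
    "maxPollsPerDevice": (1, 2147483647),
    "deletePercentage": (1, 100),
}
ENUMS = {"initialState": ("running", "stopped"), "saveData": ("yes", "no")}

# Constructed samples: names, OID names and addresses are illustrative only.
SAMPLE_OK = """<?xml version="1.0" encoding="utf-8" ?>
<collections>
  <collection name="uplink-counters" pollingIntervalInSecs="300"
              initialState="stopped" saveData="yes"
              maxPollsPerDevice="1000" deletePercentage="20">
    <table><oid name="ifInOctets" /><oid name="ifOutOctets" /></table>
    <scalar><oid name="sysUpTime" /></scalar>
    <scope ipAddress="192.0.2.10" />
  </collection>
</collections>
"""
SAMPLE_BAD = """<collections>
  <collection name="broken" pollingIntervalInSecs="0" initialState="started"
              saveData="yes" deletePercentage="20">
    <table></table>
    <scope ipAddress="10.0.4.300" />
  </collection>
</collections>
"""


def _check_collection(coll, where):
    """Check one <collection> element; return a list of problem strings."""
    problems = []
    if not 1 <= len(coll.get("name", "")) <= 255:
        problems.append(f"{where}: name must be 1-255 characters")
    for attr, (low, high) in INT_RANGES.items():
        raw = coll.get(attr)
        if raw is None or not (raw.isascii() and raw.isdigit()):
            problems.append(f"{where}: {attr} must be a whole number, got {raw!r}")
        elif not low <= int(raw) <= high:
            problems.append(f"{where}: {attr}={raw} is outside {low}-{high}")
    for attr, allowed in ENUMS.items():
        if coll.get(attr) not in allowed:
            problems.append(f"{where}: {attr} must be one of {allowed}, got {coll.get(attr)!r}")
    groups = coll.findall("table") + coll.findall("scalar")
    if not groups:
        problems.append(f"{where}: no <table> or <scalar> block, nothing to poll")
    for group in groups:
        oids = group.findall("oid")
        if not oids:
            problems.append(f"{where}: empty <{group.tag}> block")
        for oid in oids:
            if not oid.get("name", "").strip():
                problems.append(f"{where}: <oid> in <{group.tag}> has no name")
    scopes = coll.findall("scope")
    if not scopes:
        problems.append(f"{where}: no <scope> statement, no device would be polled")
    for scope in scopes:
        addr = scope.get("ipAddress", "")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{where}: scope ipAddress {addr!r} is not a valid IP address")
    return problems


def validate_collections(xml_text):
    """Return a list of problems found; an empty list means every check passed."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    if b"<!DOCTYPE" in data:
        # The file format shown on this page uses no DTD, so refuse one.
        return ["DOCTYPE declaration present; a collections file needs none"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "collections":
        return [f"root element is <{root.tag}>, expected <collections>"]
    collections = root.findall("collection")
    problems = [] if collections else ["no <collection> defined"]
    seen = set()
    for index, coll in enumerate(collections, start=1):
        name = coll.get("name", "")
        where = f"collection #{index} {name!r}"
        if name in seen:
            problems.append(f"{where}: duplicate collection name")
        seen.add(name)
        problems.extend(_check_collection(coll, where))
    return problems


if __name__ == "__main__":
    for label, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(label, validate_collections(text) or "passed")
```
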
Figure 329: The MIB Poller Collection Summary
From this page, any user can view the details of the collection, view information about the devices on which data is being collected, view the XML file that defines the collections, and export the current results of the collection. A Ridgeline Administrator can start or stop polling for any or all of the collections, and can reload the collections.xml file.
Loading, Starting and Stopping a Collection
If a file named collections.xml exists in the Ridgeline server's \jboss\standalone\deployments\user.war\collections folder when the Ridgeline server is started, the collection definitions in the file are loaded automatically. Polling for the collections starts if the initialState property specifies that the collection should be running. If the Ridgeline server is already running when the collections.xml file is placed in the collections directory, then you must click Reload to load the collection definitions.
Once you have loaded the collections.xml file, the collections defined in that file continue to be maintained, either running or stopped, until they are replaced by reloading a collections.xml file that has been modified to specify a different set of collections, or until the collections.xml file is removed from the collections directory.
You can stop the polling process for a running collection by selecting its check box, and then clicking Stop. To start a stopped collection, select the collection, and then click Start. You can select all the collections in the table by selecting the check box in the column heading.
The MIB Collection Detail Report
To view the details of a collection, click the collection name, which links to the MIB Collection Detail report for the collection. The following is an example of a Collection Detail Report.
Figure 330: MIB Collection Detail Report
The top area of the MIB Collection Detail Report shows the properties of the collection, as defined in the collections.xml file:
Collection Name: The name of the collection
Polling Interval: The polling interval, in seconds
Save Polled Data: Whether the polled data is being saved in the database (Yes or No)
Scope: The devices on which polling for this data is being conducted
Status: The status of the collection (running or stopped)
Startup State: Whether the poll should be started automatically when it is loaded (running) or should be left in the stopped state
Poll Saving Limit: The lower boundary of the number of poll results that will be saved in the database. This value is calculated by taking the maximum number of saved polls multiplied by the delete percentage. The actual number of poll data sets in the database at any given time will be somewhere between this value and the maximum poll saving limit.
Poll Limit: A limit on the number of polls that should be performed. Currently this is always None; the number of polling cycles cannot be limited at this time.
The two tables below show the scalar and tabular MIB variables (OIDs) for which polling is done. Each variable is identified by its OID and the data label that was provided in the XML file.
The MIB Poller Detail Report
The MIB Poller Detail report shows the status of the collection for each device in the collection scope.
Figure 331: MIB Collection Detail Report
This report shows the following information:
Device: The name of the device. This also functions as a link to the Device Details report for the device.
Status: The status of the collection on this device (running, stopped, or error).
Message: A message, if appropriate, explaining the status (such as an error message).
To export results for a device, select the device's check box, and then click Export. You can select all devices by selecting the check box in the table column header.
Viewing the XML Collection Definition
To view the collection definitions, click Show XML in the MIB Collection Poller Summary. This displays the XML that defines the currently loaded collections. The following figure shows an example of the XML for a collection definition.
Figure 332: A MIB Collection definition shown in XML
Exporting the Collected Data
One of the main purposes for collecting historical MIB data over time is to allow analysis to identify trends or patterns that may provide insights into your network usage. To do this, you need to export the collected MIB data so it can be used by other analysis tools. The MIB Poller Tool allows you to export data as comma-separated text and save it to a file. You can export the data from either the MIB Collection Poller Summary report, or from the MIB Poller Polling Detail Report.
From the MIB Poller Summary report (see The MIB Poller Summary on page 505), you can export the results for an entire collection: Click Export in the row for the collection whose data you want to export. This exports the results for all devices in the collection into a single text file, and places the text file into an archive (zip) file.
From the MIB Poller Polling Detail report (see The MIB Poller Detail Report on page 507), you can export the results for individual devices in a collection. Select the check boxes, and then click Export. This exports the results for the selected devices into a single text file, and places the text file into an archive (zip) file.
Once exported, the text file can be imported into another application, such as a spreadsheet, for analysis.
Figure 333: MIB Query Example
To perform a MIB query:
In the first box, type the IP addresses of the devices from which you want to get data.
In the second box, type any scalar MIB OIDs you want to retrieve.
In the third box, type any Table-based MIB OIDs.
Entries must be one item per line.
Click Submit to execute the query. The results are returned in XML format in the reports window.
jboss.database.port=10553
radius.port=10559
bindingservice.beans.boss.port.111=10560-10567, 10569-10571
jboss.remoting.port=10555
epicenter.web.port=8080
jboss.webserver.port=8443
agent.port=10556
tcp.port=56983
trap.receiver.port=10550
syslog.port=514
Use the Ridgeline client to set the default ports for the trap receiver and syslog server. See Server Properties Administration.
To change a default port:
1 Stop Ridgeline services (server and database engine). See the Ridgeline Installation and Upgrade Guide.
2 Find the port number in the ridgeline-ports.properties file. The ridgeline-ports.properties file is located at:
3 For each file listed under locations for that port:
a Open the file in a text editor.
b Search for the port number and change it.
c Save and close the file.
Note: Do not add any extra spaces when editing these files.
4 Restart Ridgeline services (server and database engine). See the Ridgeline Installation and Upgrade Guide.
For an example of this procedure, see Example on page 510.
Example
The following shows an example of the procedure for changing the ports used by Ridgeline that are conflicting with other programs (see Reconfiguring Ridgeline Ports on page 509). Port=8443 is conflicting with other programs. The ridgeline-ports.properties file shows:
Open each of the three files indicated (server.xml, event.wsdl, nms.wsdl), search for port 8443, change it, and then save each file. If this procedure does not solve your problems, call your Extreme Networks Technical Support representative for help.
To configure the Ridgeline server as a Syslog server, enter the ExtremeWare command:
config syslog <
You must enter the IP address of the Ridgeline server, and a facility level, which can be local0 through local7. For more information on these commands, see the ExtremeWare or ExtremeXOS documentation.
You can also include a severity in the config syslog command, which filters log messages before they are sent to the Ridgeline Syslog server. The Ridgeline Syslog server then filters the incoming messages based on the severity you set using the Accept SysLog messages with Min Severity property setting in Ridgeline Administration.
The IP address of the system where the Ridgeline server is running.
The Ridgeline server trap port. By default this is 10550. (This port is set by the System Trap Receiver Port property. For information about how to set this property, see SNMP Properties on page 352.)
The Ridgeline server community string. This is a string in the form: ST.< value of IP address >.< value of trap port >
The value of the IP address is the decimal equivalent of the hex value of the IP address. For example, if the IP address of the Ridgeline server is 10.0.4.1, you calculate the decimal equivalent:
2 Convert the hex value a000401 into a decimal value, in this case 167773185.
3 Put the three components together to form the community string: ST.167773185.10550
You can find and verify the value of the community string by using Telnet to log on to an Extreme Networks device that is being managed by Ridgeline, and using the ExtremeXOS or ExtremeWare CLI command show management to display the list of trap receivers configured for that device. The Ridgeline server, and its community string, should be included in this list.
To receive RMON traps, ensure that RMON is enabled on the device. For Extreme devices, you can do this through the ExtremeXOS or ExtremeWare command enable rmon.
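The community string calculation above, together with the verification step, as an added example (not Ridgeline code). It builds the ST.<address>.<port> string, decodes one back to an address and port, and reports which community strings copied by hand from a device's trap receiver list do not point at the expected server. The function names and the sample receiver list are constructed for this example.

```python
import ipaddress


def trap_community(server_ip, trap_port=10550):
    """Build the ST.<decimal IP>.<trap port> community string."""
    if not 1 <= trap_port <= 65535:
        raise ValueError(f"trap port {trap_port} is not a valid port")
    # int() of an IPv4Address is the decimal value of its 32-bit hex form.
    return f"ST.{int(ipaddress.IPv4Address(server_ip))}.{trap_port}"


def parse_trap_community(community):
    """Decode ST.<decimal IP>.<trap port> into (dotted address, port)."""
    parts = community.split(".")
    if len(parts) != 3 or parts[0] != "ST":
        raise ValueError("not in ST.<address>.<port> form")
    if not all(p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError("address and port must be decimal numbers")
    value, port = int(parts[1]), int(parts[2])
    if value > 0xFFFFFFFF or not 1 <= port <= 65535:
        raise ValueError("address or port out of range")
    return str(ipaddress.IPv4Address(value)), port


def audit_receivers(configured, server_ip, trap_port=10550):
    """Return (community, finding) pairs for entries that do not match
    the expected Ridgeline server address and trap port."""
    expected = trap_community(server_ip, trap_port)
    findings = []
    for community in configured:
        if community == expected:
            continue
        try:
            ip, port = parse_trap_community(community)
            findings.append((community, f"points at {ip}:{port}"))
        except ValueError as exc:
            findings.append((community, f"not a Ridgeline trap community: {exc}"))
    return findings


if __name__ == "__main__":
    # Constructed list, as it might be copied from one device's receiver list.
    seen_on_device = ["ST.167773185.10550", "ST.167773186.10550", "public"]
    print(trap_community("10.0.4.1"))
    for entry in audit_receivers(seen_on_device, "10.0.4.1"):
        print(entry)
```
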
Basic feature support, including front and back panel views if available Third-party device trap support Integrating third-party proprietary device-related tools
Through this framework, integration of third-party devices is accomplished independently of Ridgeline product releases. The integration is achieved by adding or editing XML, text and image files to accomplish different levels of integration. Each aspect of device integration can be performed independently; that is, you can integrate a device into Ridgeline but choose not to integrate trap support in the Alarm Manager, for example.
Caution: The device integration process may require editing of certain Ridgeline files that can affect the functionality of the Ridgeline server. In some cases, editing these files incorrectly may prevent the Ridgeline server from running. It is strongly recommended that you attempt device integration under the supervision of Extreme Networks support personnel.
2 Create a folder in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\gifs directory which is named with the OID of the new Device Type.
3 Create GIF-format (Compuserve Graphics Interchange Format) images for the device, and place these in the OID folder created previously.
4 Create a deviceInfo.txt file for the device and place this in the OID folder created previously.
5 If it does not already exist, create a device icon gif file, named to match the file name provided in the imageIconsFileName tag in the ATL XML file, and add this to the dpsimages.zip file (found in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\gifs directory).
The Abstract Type Library XML File
The Abstract Type Library is a repository for information about the types of devices Ridgeline can recognize. For each device type, an XML file is placed in the jboss\standalone\deployments\extreme.war\ATL\DeviceTypes directory. (There are also ATL subdirectories for Interface Types and Slot Types.) XML files in the ATL are organized in a hierarchy, with properties of the device types and devices specified at various levels in this hierarchy. The figure below shows portions of the general hierarchy. When Ridgeline discovers a device, it navigates this hierarchy searching for a match that will provide the properties for the device. XML files for third-party devices extend and further specify properties unique to each device type and device. Extreme Networks devices are also recognized through this same ATL mechanism. When Ridgeline discovers a device, it searches this hierarchy for a match to the device or device type that will provide the properties for the device.
Figure 339: ATL XML file hierarchy (nodes shown: All Devices, Extreme.xml, Extreme Summit, Extreme Unmanaged, Summit_WM_100.xml, Summit_WM_1000.xml)
The 3COM SuperStacker II 1000 is an example of how a third-party device is integrated into Ridgeline for Telnet functionality. There are actually three 3COM devices integrated into Ridgeline, all of which share a number of properties. Therefore, these properties are specified in the 3com.xml file, which is referenced as the parent in the 3Com_SuperstackerII_1100.xml file.
The key attributes in an ATL XML file are:
Table 29: Attributes Used in an ATL File
Tag: Device Type
Attribute Name: The name of the device type of the device. This is the main Tag in the file.
Attribute Version: Must be specified as 1
Attribute Parent: The parent XML file. For an individual device model, this may be the device type XML file (e.g. in the 3Com_SuperstackerII_1100.xml file, the parent is 3Com.xml). For a device type XML file, such as the 3COM.xml file, the parent is 3rdParty.xml.
Tag: Identity
Contains the sysObjectId tag
Tag: SysobjectID
The OID value of the device, or the enterprise OID (if a device type)
Tag: ImageIconsFilename
Tag: Vendor
The following are examples of the 3Com_SuperstackerII_1100.xml file and its parent, 3Com.xml.
The 3Com.xml file:
<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="3Com" version="1" parent="3rd Party">
  <identity>
    <sysObjectID protocol="SNMP">43</sysObjectID>
  </identity>
  <attributes>
    <vendor>3Com</vendor>
    <imageIconsFileName>3comicons.gif</imageIconsFileName>
    <CLI.LOGIN_PROMPT> login: </CLI.LOGIN_PROMPT>
    <CLI.PASSWORD_PROMPT> password: </CLI.PASSWORD_PROMPT>
    <CLI.SHELL_PROMPT> [#>$] </CLI.SHELL_PROMPT>
    <CLI.MORE_PROMPT> Press|to continue or|to quit: </CLI.MORE_PROMPT>
  </attributes>
</deviceType>
The 3Com_SuperstackerII_1100.xml file:
<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="Super Stacker II 1100" version="1" parent="3Com">
  <identity>
    <sysObjectID protocol="SNMP">43.10.27.4.1.2.1</sysObjectID>
  </identity>
  <attributes>
    <TELNET> true </TELNET>
  </attributes>
</deviceType>
Note that in the 3Com.xml file, the sysObjectID is the enterprise OID for 3COM; in the 3Com_SuperstackerII_1100.xml file, it is the OID of the specific 3Com device. Many of the attributes in the 3Com.xml file are related to integration into Telnet. These are discussed in Telnet Integration.
The OID folder
Device images displayed in inventory and on topology maps are located in the jboss\standalone\deployments\extreme.war\gifs directory, under directories named by the OID of the device. There are typically three files in these subdirectories:
DeviceView.gif, the image (front panel or front and back panel) displayed in the inventory.
MapView.gif, the small image that appears in the topology maps. DeviceInfo.txt, a file that defines the device type, fallback OID (the OID of the next higher level), and other information.
The DeviceInfo.txt file must always be present. The two gif files may or may not be present; if they are not, the gif file specified for the parent OID is used. In fact, for the 3Com SuperStacker II 1100 (directory OID_43.10.27.4.1.2.1), only the DeviceView image is provided. For the MapView image, the generic 3COM image provided in the parent OID directory (OID_43) is used.
The DeviceInfo.txt must contain at a minimum the following tags:
<?xml version="1.0"?>
<ConfigFile>
  <FallbackOID> Parent SysOID </FallbackOID>
  <DeviceType> Device Name </DeviceType>
</ConfigFile>
For the 3Com SuperStacker II 1100 (OID_43.10.27.4.1.2.1) the DeviceInfo.txt file contains these entries:
<?xml version="1.0"?>
<ConfigFile>
  <FallbackOID>43</FallbackOID>
  <DeviceType>3Com Super Stack II Switch 1100 24-port</DeviceType>
</ConfigFile>
The DeviceInfo.txt file for the parent, OID_43, contains the following entries:
<?xml version="1.0"?>
<ConfigFile>
  <FallbackOID>UnknownDevice</FallbackOID>
  <DeviceType>Generic 3Com</DeviceType>
</ConfigFile>
Depending on the type of device, other information may also be included. In general, features like Port Location (the ability to click on a port to view port statistics) are not supported for third-party devices.
The dpsimages.zip File
The dpsimages.zip file contains the images used in Ridgeline inventory. If you are adding a completely new device or device type with its own unique image, you must add that image to this file. The image itself can be the same as the MapView.gif image you added into the OID folder (see The OID folder), but it must be named to match the name specified in the imageIconsFileName tag in the XML file for the device or device type (see Telnet Integration). For example, the dpsimages.zip file included the file 3comicons.gif, which matches the name specified in the 3Com.xml file:
<imageIconsFileName>3comicons.gif</imageIconsFileName>
If individual devices do not require unique icons, this can be specified in the parent XML file (for the device type) and can be left out of the XML files for individual devices of that type.
Telnet Integration
Ridgeline's third-party integration framework can be used to provide auto-logon when a user (with the appropriate role/permissions) connects to the device from the Ridgeline Telnet window. Telnet integration involves adding some additional tags to the ATL XML file for the device or device type. The following tags can be used to specify Telnet features:
Table 30: Tags used for Telnet Integration
Tag: CLI.LOGIN_PROMPT
Value: A value (string) to be displayed as the prompt during login to the device.
Comments: If the device normally displays a specific login prompt, you can enter it here to provide the same interface when logging in from Ridgeline. This tag is required if the device supports Telnet.
Tag: CLI.PASSWORD_PROMPT
Value: A value (string) to be displayed as the password prompt during login to the device.
Comments: Similar to the login prompt; you can enter the same prompt used by the device. This tag is optional.
Tag: CLI.SHELL_PROMPT
Value: Provide the pattern that matches the CLI prompt, for example: summit450#
Comments: Specify the format of the device CLI prompt. You can specify multiple patterns, such as \S[ ][#>] [Test] [Ridgeline] $ This tag is required for Telnet support.
Tag: CLI.MORE_PROMPT
Value: Provide the pattern that matches the prompt used by the device to prompt when paging is enabled on the device.
Comments: This tag is optional.
The 3Com.xml file provides an example of the prompts used for Telnet integration:
<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="3Com" version="1" parent="3rd Party">
  <identity>
    <sysObjectID protocol="SNMP">43</sysObjectID>
  </identity>
  <attributes>
    <vendor>3Com</vendor>
    <imageIconsFileName>3comicons.gif</imageIconsFileName>
    <CLI.LOGIN_PROMPT> login: </CLI.LOGIN_PROMPT>
    <CLI.PASSWORD_PROMPT> password: </CLI.PASSWORD_PROMPT>
    <CLI.SHELL_PROMPT> [#>$] </CLI.SHELL_PROMPT>
    <CLI.MORE_PROMPT> Press|to continue or|to quit: </CLI.MORE_PROMPT>
  </attributes>
</deviceType>
Note that in the case of 3COM, the Telnet integration is handled at the device type level, since it is the same for all the 3COM devices. Therefore, it is not duplicated in each device ATL XML file, but handled once at the device type (enterprise) level.
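Because a device file inherits its Telnet prompts from its parent, a device-level file can look complete while the required prompt tags are missing from the chain. The following added example (not Ridgeline code) loads the two ATL files shown on this page, resolves the attributes a device ends up with by walking the parent chain, and lists the Telnet tags from Table 30 that are required but absent. Matching a sysObjectID by longest OID prefix is this example's model of the hierarchy search, and all function names are constructed.

```python
import xml.etree.ElementTree as ET

# The two ATL files as shown on this page, keyed by file name.
ATL_FILES = {
    "3Com.xml": """<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="3Com" version="1" parent="3rd Party">
  <identity><sysObjectID protocol="SNMP">43</sysObjectID></identity>
  <attributes>
    <vendor>3Com</vendor>
    <imageIconsFileName>3comicons.gif</imageIconsFileName>
    <CLI.LOGIN_PROMPT> login: </CLI.LOGIN_PROMPT>
    <CLI.PASSWORD_PROMPT> password: </CLI.PASSWORD_PROMPT>
    <CLI.SHELL_PROMPT> [#>$] </CLI.SHELL_PROMPT>
    <CLI.MORE_PROMPT> Press|to continue or|to quit: </CLI.MORE_PROMPT>
  </attributes>
</deviceType>""",
    "3Com_SuperstackerII_1100.xml": """<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="Super Stacker II 1100" version="1" parent="3Com">
  <identity><sysObjectID protocol="SNMP">43.10.27.4.1.2.1</sysObjectID></identity>
  <attributes><TELNET> true </TELNET></attributes>
</deviceType>""",
}

# Table 30: these two tags are required when the device supports Telnet.
REQUIRED_TELNET_TAGS = ("CLI.LOGIN_PROMPT", "CLI.SHELL_PROMPT")


def load_atl(files):
    """Parse ATL files into {type name: {file, parent, oid, attrs}}."""
    types = {}
    for filename, text in files.items():
        root = ET.fromstring(text.encode("utf-8"))
        if root.tag != "deviceType" or root.get("version") != "1":
            raise ValueError(f"{filename}: expected <deviceType version=\"1\">")
        node = root.find("attributes")
        children = list(node) if node is not None else []
        types[root.get("name")] = {
            "file": filename,
            "parent": root.get("parent"),
            "oid": root.findtext("identity/sysObjectID", default="").strip(),
            "attrs": {el.tag: (el.text or "").strip() for el in children},
        }
    return types


def effective_attributes(types, name):
    """Merge attributes from the loaded ancestors down to `name`;
    the most specific file wins. Stops at a parent that is not loaded."""
    if name not in types:
        raise KeyError(name)
    chain, current = [], name
    while current in types:
        if current in chain:
            raise ValueError(f"parent loop at {current!r}")
        chain.append(current)
        current = types[current]["parent"]
    merged = {}
    for type_name in reversed(chain):
        merged.update(types[type_name]["attrs"])
    return merged


def match_device(types, sys_object_id):
    """Return the type whose sysObjectID is the longest prefix of the OID."""
    want = sys_object_id.strip(".").split(".")
    best, best_len = None, 0
    for name, info in types.items():
        have = info["oid"].split(".") if info["oid"] else []
        if have and want[:len(have)] == have and len(have) > best_len:
            best, best_len = name, len(have)
    return best


def missing_telnet_tags(attrs):
    """List required Telnet tags absent from a Telnet-enabled device."""
    if attrs.get("TELNET", "").lower() != "true":
        return []
    return [tag for tag in REQUIRED_TELNET_TAGS if not attrs.get(tag)]


if __name__ == "__main__":
    atl = load_atl(ATL_FILES)
    device = match_device(atl, "43.10.27.4.1.2.1")
    print(device, effective_attributes(atl, device))
```
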
Integrating Alarms
Alarm Integration for a third-party device enables Ridgeline users to create alarms based on trap events from the third-party device. To integrate third-party alarms:
1 Add the trap OID for each event to the events.xml file.
2 Place the necessary MIBs in the jboss\standalone\deployments\extreme.war\thirdPartyMibs directory.
3 Specify the third-party MIB filenames in the miblist.txt file in the extreme.war directory.
4 Restart the Ridgeline server.
5 Configure each third-party device to send traps to Ridgeline (see Setting Ridgeline as a Trap Receiver).
Once this is done, the third-party event(s) should be selectable from the Name list under Raise alarm when this event is received on the New or Modify Alarm Definition dialog box in the Alarm Manager (see Creating New Alarm Definitions). Alarms can then be defined to take actions upon the occurrence of these events.
Editing the Events.xml file
Caution: Make a backup copy of the events.xml file before editing this file, and make changes carefully. Do not edit the existing entries in this file. Errors in this file may prevent the Ridgeline server from starting up.
The Events.xml file is located in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war directory. Each event entry in the Events.xml file is composed of the Type, SubType, TypeName and SubTypeName, followed by a SNMP V1 or V2 Mapping OID.
Table 31: Components of an Events.xml event entry
Attribute: Type
Value(s): A non-negative number for a SNMP v1 trap (same as the generic type value of the v1 trap); -2 for an SNMP v2 trap; -3 for a syslog event; -1 for a Ridgeline event
Comments: Identifies the type of event (SNMP v1 or v2 trap, or a Ridgeline or syslog event). A trap that can be sent as either a v1 or v2 trap should be represented as a v1 trap.
Attribute: SubType
Value(s): For v1 traps, this should be the same as the specific type value. For syslog events, this should be the same as the priority value of the syslog message.
Comments: Together with the Type, uniquely identifies an event.
Attribute: TypeName
Value(s): SNMP trap, Ridgeline, or syslog
Comments: The type of the event. For third-party integration this would be SNMP trap.
Attribute: SubTypeName
Value(s): The name of the specific event, e.g. link down
Comments: Together with the Type name, it forms the event name, e.g. SNMP trap link down
The following is a sample entry for an SNMP V1 trap:
<Event Type="6" SubType="117" TypeName="SNMP Trap" SubTypeName="Cisco config changed">
  <SNMP_V1_Mapping OID=".1.3.6.1.4.1.9.9.43.2" Generic="6" Specific="1"/>
</Event>
Adding MIBs to Ridgeline
To incorporate MIBs into Ridgeline:
1 Place the MIB file(s) into the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\thirdPartyMibs directory. The MIB file name must match the MIB definition name. The MIB file names do not need to include file extensions. If they do not have file extensions, .mib is appended to the file name internally. However, if you do provide an extension, it must be .mib or .MIB.
2 Add the MIB file names to the miblist.txt file found in the extreme.war directory. Add any new entries to the end of the file only; do not add them in between existing entries. Make sure each entry is unique. Make sure each MIB file name matches the MIB definition name.
3 Restart the Ridgeline server to have these changes take effect.
Ridgeline and the third-party program client and server are installed on the same system. Ridgeline and the third-party client are installed on the same system. Ridgeline is installed on one system, and a remote (web-based) third-party client and server is installed on a different system.
The third-party application must be added to the Tool.xml file located in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\ATL\DeviceTypes directory. The format of the entry in the XML file is (using the Summit WM as an example):
<?xml version="1.0" encoding="UTF-8"?>
<tools>
  <tool oid="Summit WM" description="Summit WM launch tool" name="Launch Summit WM">
    <contents> https://$deviceIP:5825 </contents>
    <variable/>
    <role roleid="3 2 1"/>
    <context type="device"/>
  </tool>
</tools>
After you have integrated the third-party program, you can start the third-party program from Ridgeline by clicking Tools > Applications.
By default, communication between the Ridgeline server and its clients is unencrypted. This means the traffic between client and server could easily be captured, including passwords, statistics, and device configurations.
PuTTY is used in conjunction with Ridgeline to encrypt (tunnel) communication between a Ridgeline server and clients. PuTTY is a free implementation of an SSH application. PuTTY uses port forwarding to tunnel this traffic. Port forwarding allows data from unsecured applications to be encrypted over a secured tunnel.
This section describes in detail a step-by-step example of setting up a PuTTY client on a Windows-based Ridgeline client system. It also describes the installation and configuration of the OpenSSH server on a Windows-based server system where the Ridgeline server is installed.
3 Step 3: Installing OpenSSH Server on page 528. 4 Step 4: Configuring Microsoft Firewall to Allow SSH Connects on page 533. 5 Step 5: Initiating Ridgeline Server/Client Communication on page 535.
Figure 340: The Session Settings
2 Configure the PuTTY SSH options. In the Category pane, click SSH, and then under Preferred SSH protocol version, click 2 (see the following figure).
3 Under SSH, click X11. In the X display location box, type localhost:0 (see the following figure).
Figure 342: SSH X11 Forwarding
4 Under SSH, click Tunnels (see the following figure).
Figure 343: SSH Tunneling Settings
5 Click Local.
6 In the Source port box, type the HTTP port number you configured when you installed Ridgeline (by default, this is port 8080).
7 In the Destination box, type localhost:<port>, where <port> is the HTTP port you configured at installation (8080 by default).
8 Click Add. The source and destination HTTP ports are added to the Forwarded ports box.
9 Click Local again.
10 In the Source port box, type the port number Ridgeline uses as its Telnet port. To determine the port Ridgeline is using as its Telnet port:
a In the navigation pane, click Reports.
b Click Ridgeline Server > Debug Ridgeline. (You must have Ridgeline administrator or super-user rights to do this.)
c Click Set logging level. The Debug Configuration page appears, and the Telnet port appears. This is the port you should configure in PuTTY.
11 In the Destination box, type localhost:<port> where <port> is the Ridgeline Telnet port.
12 Click Add. The source and destination HTTP ports are added to the Forwarded ports box.
13 Click Local again.
14 In the Source port box, type the EJB remoting port number, which by default is 10555.
15 In the Destination box, type localhost:<port>, where <port> is the EJB remoting port number, which by default is 10555.
16 In the Category pane, click Session, and then click Save (see the following figure).
Figure 345: Choose Installation Type
4 Click Install from Internet, and then click Next. The Choose Installation Directory dialog box appears:
Figure 346: Choose Installation Directory
5 In the Root Directory box, type C:\cygwin, which is where OpenSSH will be installed. Under Install For, click All Users so all users have access to the SSH server. Click Next. The Select Local Package Directory dialog box appears.
Figure 347: Select Local Package Directory
6 In the Local Package Directory box, type C:\cygwin, and then click Next.
7 When the Select Packages dialog box appears (see the following figure), click View for a full view.
Figure 348: Select Packages
8 Scroll through the list until you find OpenSSH, and then click the word skip so that an X appears in Column B.
9 Scroll through the list until you find cygrunsrv, and then click the word skip so that an X appears in Column B.
10 Click Next to begin the installation.
11 Right-click My Computer, and then click Properties.
12 Click the Advanced tab, and then click Environment Variables. This displays the Environment Variables dialog box:
Figure 349: Adding a System Variable for Cygwin
13 Under System variables, click New to add a new entry to the system variables:
Variable name: = CYGWIN
Variable value: = ntsec tty
Click OK. The new entry appears in the Systems variables table (see the following figure).
Figure 350: System Variable for Cygwin Successfully Added
14 From the Environment Variables dialog box, scroll through the System variables list, click Path, and then click Edit.
Figure 351: Path Variable
15 Type ;c:\cygwin\bin to the end of the existing variable string.
Figure 352: Modifying the Path
Click OK.
16 Double-click the Cygwin icon to open a cygwin window. A black window appears.
Figure 353: Configuring the SSH Server Through Cygwin
17 At the prompt, type ssh-host-config. When the following message prompts appear:
privilege separation be used, type yes.
local user, type yes.
install sshd as a service, type yes.
CYGWIN=, type ntsec tty.
18 When the script finishes, while in the (black) cygwin window, start the sshd service by typing net start sshd.
To configure the Windows firewall to allow SSH connections:
1 Open the Windows Control Panel, and then double-click the Windows Firewall icon:
Figure 354: Configuring the Windows Firewall to Allow Port 22 Connections
2 Click the Exceptions tab, and then click Add Port. The Add a Port window appears:
Figure 355: Add a Port Window
3 In the Name box, type SSH.
4 In the Port number box, type 22.
5 Click TCP.
6 Click OK. The Windows firewall is now configured to allow SSH connections.
Figure 356: Creating an SSH session for Ridgeline
3 Log on to Ridgeline using the following URL: http://localhost:8080/
4 Click the Log on to Ridgeline link, enter your Ridgeline username and password, and then click Log on.
PuTTY is now set up to port forward all traffic going to the local host on port 8080. When PuTTY receives a connection request to the local host on port 8080, PuTTY encrypts the information and sends it across the encrypted tunnel to the server.
BGP Established
This event is generated when the BGP FSM enters the ESTABLISHED ExtremeWare 6.1.5 state. Not supported in ExtremeXOS Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the maximum configured limit. (BGP4-V2) Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the threshold limit. (BGP4-V2) EXOS 10.1
EXOS 10.1
BGP Prefix Max Exceeded Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the maximum configured limit.
Extreme Networks proprietary trap. Indicates that the DS1 line status ExtremeWare change for the specified interface has been detected. 6.1.8b66/ Not supported in ExtremeXOS Extreme Networks proprietary trap. Indicates that the wanDsx1LossOfMasterClock event for the specified interface has been detected. Extreme Networks proprietary trap. Indicates that the wanDsx1NoLossOfMasterClock event for the specified interface has been detected. Extreme Networks proprietary trap. Indicates that the T3 line status change for the specified interface has been detected. ExtremeWare 6.1.8b66 Not supported in ExtremeXOS ExtremeWare 6.1.8b66 Not supported in ExtremeXOS ExtremeWare 6.1.8b66 Not supported in ExtremeXOS ExtremeWare 6.1.8b66 Not supported in ExtremeXOS ExtremeWare 6.1.8b66 Not supported in ExtremeXOS ExtremeXOS ExtremeXOS
Dsx3 Loss of Master Clock Extreme Networks proprietary trap. Indicates that the wanDsx3LossOfMasterClock event for the specified interface has been detected. Dsx3 No Loss of Master Clock EAPS Configuration change EAPS Last status change Extreme Networks proprietary trap. Indicates that the wanDsx3NoLossOfMasterClock event for the specified interface has been detected. Extreme Networks proprietary trap. Indicates that a change to the EAPS configuration has been detected. Extreme Networks proprietary trap. Indicates that the last EAPS update included a status change.
EAPS Root blocker status Extreme Networks proprietary trap. Indicates that the EAPS root change blocker state has changed. EAPS Fail Timer Expired Flag Cleared EAPS Fail Timer Expired Flag Set EAPS Link Down Ring Complete Extreme Networks proprietary trap. Generated when the EAPS domains fail timer is cleared.
Extreme Networks proprietary trap. Generated when the EAPS ExtremeXOS 10.1 domains fail timer expires for the first time, while its state is NOT the failed state. Extreme Networks proprietary trap. Indicates that a transit that is in a ExtremeXOS 10.1 Link Down state has received a Health-Check-Pdu from the Master indicating that the link is complete. This indicates a problem with the transit switch that has issued this trap. Extreme Networks proprietary trap. Generated when an EAPS domain has a state change. Extreme Networks proprietary trap. A new neighbor has been discovered through the Extreme Discovery Protocol (EDP). Extreme Networks proprietary trap. No EDP updates have been received from this neighbor within the configured time-out period, and this neighbor entry has been aged out by the device. An EGP neighbor, for which the device is an EGP peer, is down and the peer relationship no longer exists. An Extreme Networks switch never sends out this trap. ExtremeXOS 10.1 ExtremeWare 6.1 ExtremeXOS 10.1 ExtremeWare 6.1 ExtremeXOS 10.1 None
EGPNbrLoss
ELRP VLAN Loop Detected ESRP Master Re-election After MSM Failover
Extreme Networks proprietary trap. Generated when the ELRP client ExtremeWare 7.3 detects a loop in the VLAN. Not supported in ExtremeXOS Extreme Networks proprietary trap. Indicates this device was elected master when the previous master node failed to resume normal Not supported in operation within the reelect timeout after performing a hitless MSM ExtremeXOS failover. Extreme Networks proprietary trap. Indicates that the ESRP state (master or slave) of a VLAN has changed on the device. Extreme Networks proprietary trap. Indicates that the ESRP state (master or slave) of a VLAN has changed on the device. Extreme Networks proprietary trap. Generated when the DOS threshold is cleared (if enhanced DOS protection is enabled). ExtremeWare 6.0 Not supported in ExtremeXOS ExtremeXOS ExtremeWare 7.3 Not supported in ExtremeXOS
ESRP State Change for ExtremeXOS Enhanced DOS Threshold Cleared Enhanced DOS Threshold Reached Entity MIB Changed
Extreme Networks proprietary trap. Generated when the DOS ExtremeWare 7.3 threshold is crossed for any of the ports (if enhanced DOS protection Not supported in is enabled). ExtremeXOS Indicates a change has been made to a row in a table in the Entity MIB (a row has been added, deleted, or modified). ExtremeWare 7.3
Fan OK
Extreme Networks proprietary trap. This trap indicates that a fan has transitioned out of a failure state and is now operating correctly.
All

Health Check Failed
Extreme Networks proprietary trap. The CPU HealthCheck has failed.
ExtremeWare 6.1.9, ExtremeXOS 10.1

Id Manager Memory Usage Level Critical
Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a critical level.
ExtremeXOS 12.4

Id Manager Memory Usage Level Normal
Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a normal level.
ExtremeXOS 12.4

Id Manager Memory Usage Level High
Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a high level.
ExtremeXOS 12.4

Id Manager Memory Usage Level Maximum
Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a maximum level.
ExtremeXOS 12.4

Invalid Login
Extreme Networks proprietary trap. This trap indicates that a user attempted to log in to the console or by Telnet but was refused access due to an incorrect username or password. The trap is issued after three consecutive login failures.
All

Link Down
Indicates that a link is transitioning to the down state from a previous active state.
All

Link Up
Indicates that a port is transitioning from the down state to another (active) state.
All

MAC Address Detected On Locked Port
Extreme Networks proprietary trap. Generated on a port for which lock-learning has been configured, when a new MAC address is learned on that port.
ExtremeWare 7.0 SR1, not supported in ExtremeXOS

MAC Address Detected On Unauthorized Port
Extreme Networks proprietary trap. Generated when a MAC address is learned on a port on which it is not authorized. This happens when the MAC address is statically configured as a 'secure mac' on some other port(s).
ExtremeWare 7.0 SR1, not supported in ExtremeXOS

MAC Address Learning Limit Exceeded
Extreme Networks proprietary trap. Generated when a new MAC address exceeding the limit is learned on a port on which limit-learning has been configured.
ExtremeWare 7.0 SR1, not supported in ExtremeXOS

MSM Failover Occurred
Extreme Networks proprietary trap. An MSM Failover occurred.
ExtremeXOS 10.1

Main Power Usage Off
Indicates the PSE Threshold usage indication is off; the usage power is below the threshold. At least 500 msec must elapse between notifications being emitted by the same object instance.
ExtremeXOS 11.1
Not supported in ExtremeXOS Not supported in ExtremeXOS Not supported in ExtremeXOS ExtremeWare 6.1.9 ExtremeXOS 10.1
An ospfIfConfigError trap signifies that a packet has been received ExtremeWare 6.1.9 on a non-virtual interface from a router whose configuration ExtremeXOS 10.1 parameters conflict with this routers configuration parameters. Note that the event optionMismatch should cause a trap only if it prevents an adjacency from forming. An ospfIfRxBadPacket trap signifies that an OSPF packet has been received on a non-virtual interface that cannot be parsed. An ospfIfStateChange trap signifies that there has been a change in the state of a non-virtual OSPF interface. This trap should be generated when the interface state regresses (e.g., goes from Dr to Down) or progresses to a terminal state (i.e., Point-to-Point, DR Other, Dr, or Backup). ExtremeWare 6.1.9 ExtremeXOS 10.1 ExtremeWare 6.1.9 ExtremeXOS 10.1
OSPF LSDB Approaching Overflow OSPF LSDB Overflow OSPF Max_Age LSA OSPF Neighbor State Change
An ospfLsdbApproachingOverflow trap signifies that the number of ExtremeWare 6.1.9 LSAs in the routers link-state database has exceeded ninety percent ExtremeXOS 10.1 of ospfExtLsdbLimit. An ospfLsdbOverflow trap signifies that the number of LSAs in the routers link-state database has exceeded ospfExtLsdbLimit. An ospfMaxAgeLsa trap signifies that one of the LSA in the routers link-state database has aged to MaxAge. ExtremeWare 6.1.9 ExtremeXOS 10.1 ExtremeWare 6.1.9 ExtremeXOS 10.1
An ospfNbrStateChange trap signifies that there has been a change ExtremeWare 6.1.9 in the state of a non- virtual OSPF neighbor. This trap should be ExtremeXOS 10.1 generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g., 2-Way or Full). When an neighbor transitions from or to Full on non-broadcast multi-access and broadcast networks, the trap should be generated by the designated router. A designated router transitioned to Down will be noted by ospfIfStateChange.
An ospfOriginateLsa trap signifies that a new LSA has been ExtremeWare 6.1.9 originated by this router. This trap should not be invoked for simple ExtremeXOS 10.1 refreshes of LSAs (which happens every 30 minutes), but instead will only be invoked when an LSA is (re)originated due to a topology change. Additionally, this trap does not include LSAs that are being flushed because they have reached MaxAge. An ospfTxRetransmit trap signifies than an OSPF packet has been retransmitted on a non- virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry. An ospfVirtIfAuthFailure trap signifies that a packet has been received on a virtual interface from a router whose authentication key or authentication type conflicts with this routers authentication key or authentication type. ExtremeWare 6.1.9 ExtremeXOS 10.1
OSPF TX_Retransmit
An ospfVirtIfConfigError trap signifies that a packet has been ExtremeWare 6.1.9 received on a virtual interface from a router whose configuration ExtremeXOS 10.1 parameters conflict with this routers configuration parameters. Note that the event optionMismatch should cause a trap only if it prevents an adjacency from forming. An ospfVirtIfRxBadPacket trap signifies that an OSPF packet has been received on a virtual interface that cannot be parsed. ExtremeWare 6.1.9 ExtremeXOS 10.1
OSPF Virtual Interface Receive Bad Packet OSPF Virtual Interface State Change
An ospfVirtIfStateChange trap signifies that there has been a change ExtremeWare 6.1.9 in the state of an OSPF virtual interface. This trap should be ExtremeXOS 10.1 generated when the interface state regresses (e.g., goes from Pointto-Point to Down) or progresses to a terminal state (i.e., Point-toPoint). An ospfVirtIfTxRetransmit trap signifies than an OSPF packet has been retransmitted on a virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry. An ospfVirtNbrStateChange trap signifies that there has been a change in the state of an OSPF virtual neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g., Full). Extreme Networks proprietary trap. Indicates the on board temperature sensor has reported an overheat condition. This indicates the temperature has reached the Overheat threshold. The switch will continue to function until it reaches its shutdown threshold. The system will then shutdown until the unit has sufficiently cooled such that operation may begin again. A cold start trap will be issued when the unit has come back on line. This trap is sent repetitively every 30 seconds until the temperature goes back to normal. ExtremeWare 6.1.9 ExtremeXOS 10.1
Overheat
All
Generated when a probe failure is detected when the corresponding ExtremeWare 6.1.9 pingCtlTrapGeneration object is set to probeFailure(0) subject to the Not supported in value of pingCtlTrapProbeFailureFilter. The object ExtremeXOS pingCtlTrapProbeFailureFilter can be used to specify the number of successive probe failures that are required before this notification can be generated. Generated at the completion of a ping test when the corresponding pingCtlTrapGeneration object is set to testCompletion(4). Generated when a ping test is determined to have failed when the corresponding pingCtlTrapGeneration object is set to testFailure(1). In this instance pingCtlTrapTestFailureFilter should specify the number of probes in a test required to have failed in order to consider the test as failed. Extreme Networks proprietary trap. Indicates a change in the PoE PSU for the slot. ExtremeWare 6.1.9 Not supported in ExtremeXOS ExtremeWare 6.1.9 Not supported in ExtremeXOS
Extreme Networks proprietary trap. Indicates the status of ExtremeWare 7.3 Diagnostics for a port. The status indicates whether Diagnostics for a Not supported in particular port failed. ExtremeXOS Extreme Networks proprietary trap. This trap indicates that one or All more sources of power have failed. Presumably a redundant powersupply has taken over. This trap is sent repetitively every 30 seconds until all the power supplies are back to normal condition. Extreme Networks proprietary trap. This trap indicates that one or more previously bad sources of power have come back to life without causing the device to restart. Extreme Networks proprietary trap. This trap indicated a failed processor on a module is detected. Indicates a change in the power delivery status of the PSE port (whether the port is delivering power or not. This notification should be sent on every status change except in the searching mode. At least 500 msec must elapse between notifications emitted by the same object instance. ExtremeXOS 11.1 All
Power Supply OK
Redundant Power Supply Extreme Networks proprietary trap. This trap indicates that the Failed attached redundant power supply device is indicating an alarm condition. This trap is sent repetitively every 30 seconds until the redundant power supply is back to normal condition. Redundant Power Supply Extreme Networks proprietary trap. This trap indicates that the OK attached redundant power supply device is no longer indicating an alarm condition. SLB Unit Added Extreme Networks proprietary trap. Indicates that the server load balancer has activated a group of virtual servers that it normally would not activate. This may be due to the failure of another server load balancer.
ExtremeWare All/ Not supported in EXOS ExtremeWare All/ Not supported in EXOS ExtremeWare 6.1 Not supported in ExtremeXOS
Extreme Networks proprietary trap. Indicates that the sending agent ExtremeWare 6.2.2 has become the new root of the Spanning Tree; the trap is sent by a ExtremeXOS 10.1 bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election. Extreme Networks proprietary trap. A topologyChange trap is sent ExtremeWare 6.2.2 by a bridge when any of its configured ports transitions from the ExtremeXOS 10.1 Learning state to the Forwarding state, or from the Forwarding state to the Blocking state. The trap is not sent if a newRoot trap is sent for the same transition. Extreme Networks proprietary trap. This trap indicates that the value ExtremeWare All/ of the extremeSlotModuleState for the specified extremeSlotNumber ExtremeXOS 11.1 has changed. Extreme Networks proprietary trap. This trap indicates that the value All of one of the object identifiers (or the value of an object below that in the MIB tree) defined in the extremeSmartTrapRulesTable has changed, and hence a new entry has been created in the extremeSmartTrapInstanceTable. Such a trap is sent at most once every thirty seconds if one or more entry was created in the last thirty seconds. Extreme Networks proprietary trap. Indicates the on board ExtremeWare 7.4 temperature sensor for a stacking member has reported an overheat ExtremeXOS 12.0 condition. This indicates the temperature has reached the Overheat threshold. Extreme Networks proprietary trap. Generated when the operational ExtremeWare 7.4 status of the stacking member changes. ExtremeXOS 12.0 Extreme Networks proprietary trap. Generated when the operational ExtremeWare 7.4 status of the stacking port changes. ExtremeXOS 12.0 Extreme Networks proprietary trap. Indicates that an alarm was generated based on the state of the tunnel connection between a SummitWM device and an Altitude AP. Extreme Networks proprietary trap. Indicates that the log file on a SummitWM device has changed. 
ExtremeXOS
Slot Change
Smarttrap
Stack Member Status Changed Stacking Port Status Changed SummitWM Altitude Tunnel Alarm SummitWM Log Change UPM Profile Execution Warm Start Wireless AP Added
ExtremeXOS
Extreme Networks proprietary trap. Generated when a UPM profile is ExtremeXOS executed on an Extreme Networks device. Trap indicates that the device has been rebooted without power recycling. An Extreme switch never sends out this trap. Extreme Networks proprietary trap. Generated when a new AP is added to the scan results table. Generated only if the value of extremeWirelessScanSendAPAddedTrap is true. All ExtremeWare 7.3 Not supported in ExtremeXOS
Wireless AP Updated
Extreme Networks proprietary trap. Generated when the IEs recorded for an AP in the scan results table change. Generated only if the value of extremeWirelessScanSendAPUpdatedTrap is true.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Client Netlogin Client Associated
Extreme Networks proprietary trap. Generated when a client associates to an interface that is web based network login enabled.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Client Station Aged Out
Extreme Networks proprietary trap. Generated when a client is aged out of the table.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Counter Measure Started
Extreme Networks proprietary trap. Generated when counter measures are started on a wireless interface.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Counter Measure Stopped
Extreme Networks proprietary trap. Generated when counter measures are stopped on a wireless interface.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Off Channel Scan Finished
Extreme Networks proprietary trap. Generated when an off-channel scan finishes running.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Off Channel Scan Started
Extreme Networks proprietary trap. Generated when an off-channel scan starts running.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Port Boot Failed
Extreme Networks proprietary trap. Sent by the platform if a wireless port fails to boot too many times.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Port State Changed
Extreme Networks proprietary trap. Generated when a wireless port moves into enabled, disabled, or online state.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Probe Info Added
Extreme Networks proprietary trap. Generated when a new station is added to the probe info table. Generated only if the value of extremeWirelessProbeInfoSendAddedTrap is true.
ExtremeWare 7.3, not supported in ExtremeXOS

Wireless Probe Info Removed
Extreme Networks proprietary trap. Generated when a station is removed from the probe info table. Generated only if the value of extremeWirelessProbeInfoSendRemovedTrap is true.
ExtremeWare 7.3, not supported in ExtremeXOS

lldp Remote Table Changed
A lldpRemTablesChange notification is sent when the value of lldpStatsRemTableLastChangeTime changes. It can be utilized by an NMS to trigger LLDP remote systems table maintenance polls. Note that transmission of lldpRemTablesChange notifications is throttled by the agent, as specified by the 'lldpNotificationInterval' object.
ExtremeXOS 11.4
Ridgeline Events
A Ridgeline event is generated by the Ridgeline server based on the results of its periodic polling. In some cases, a Ridgeline event may result from the same condition that could generate an SNMP or other trap. A Ridgeline event has the advantage that it guarantees that the condition will be detected (by polling) even if the corresponding trap is missed.
Table 34: Ridgeline Events, Detected Through Polling
Event Configuration Upload Failed Definition The Ridgeline server generates this event when it fails to upload configuration information from a device. This event occurs ONLY when the upload is attempted from Ridgeline, not if it was attempted from Telnet, ExtremeWare Vista or any other method. The Ridgeline server generates this event when it successfully uploads configuration from a device. This event occurs ONLY when the upload is done from Ridgeline, not from Telnet, ExtremeWare Vista or any other method. The Ridgeline server generates this event when it encounters a problem configuring policies on a device using ACL and QoS. The Ridgeline server generates this event for a device when it detects a device reboot (cold start or warm start). Unlike the cold start or warm start SNMP trap, Ridgeline generates this event by polling the device. For Extreme Networks devices only. The Ridgeline server generates this event in one of two situations: If the server detects an infinite loop while walking the devices SNMP MIB (may occur with ExtremeWare 4.1.19b2). If the device has a bad serial number reported through SNMP (may occur with ExtremeWare 6.2.1 on the BlackDiamond 6816). For Extreme Networks devices only. The Ridgeline server generates this event for an Extreme device when it detects, via polling, a transition from fan OK to fan failed condition on the device. Unlike the SNMP Fan Failed trap event, this event is generated only once, based on a state transition. As an alternative, you can detect a Fan Failed condition by using the SNMP Fan Failed trap, which will be generated every 30 seconds until the condition is corrected. The Ridgeline server generates this event when the number of traps received from managed devices exceeds the threshold set in the Scalability properties page in Ridgeline Administration. The Ridgeline server generates this event when the state of communication with the device transitions from unreachable to reachable.
Configuration Upload OK
Fan Failed
HTTP Reachable
Overheat
Power Supply Failed Rogue Access Point Found SNMP Reachable SNMP Unreachable
D Ridgeline Backup
Ridgeline Log Backups Backing up the Ridgeline Database Installing a Backup Database
This appendix:
Describes the Ridgeline Alarm Log and Event Log backup files.
Describes the Ridgeline database backup tool, DBBackupTool.
The backup utility makes a backup copy of all data in the database. Backing up your database regularly ensures that you will not need to re-enter or recreate all the switch, VLAN, Topology, and Alarm information in the event that the database is corrupted or destroyed.
Files\Extreme Networks\Ridgeline4.0. For Linux: <install_dir>/deploy/user.war, where <install_dir> is the root directory of the Ridgeline install, by default /opt/ExtremeNetworks/Ridgeline4.0.
Where <install_dir> is the directory where the Ridgeline software is installed. Substitute the actual directory name in the command. The backup is created in the location <backup_folder_name>/mm_dd_yy_hh_mm_ss_backup. For example: <Ridgeline_4.0_Installation>/database/backup/09_04_13_13_44_22_backup. To restore a backup of the database, see Installing a Backup Database on page 550.
E Ridgeline Utilities
Package Debug Info Utility Resetting the Admin User Password
This appendix describes several utilities, scripts, and commands shipped with the Ridgeline software and installed on the Ridgeline server.
Use -output-file <FileName> to change the name of the file. (If you specify your own file name, no timestamp is appended.)
Use -output-dir <DirectoryName> to change the name of the directory where the file will be placed.
Use -help for command help.
When the command has finished, a message in the command window indicates where the resulting zip file has been placed (by default, it is placed in the Ridgeline installation directory). The package file is named Ridgeline_Debug_Info_<date>_<time>.zip. For example, a Ridgeline info file created on October 1, 2010 at 3:00 PM is named Ridgeline_Debug_Info_20101001_1500.zip. A log file containing details of the packaging process, PackageDebugInfo.log, is placed in the <Ridgeline_install_dir>/logs directory. The zip file contains copies of the existing log, property and debug files for the Ridgeline server as well as information the server keeps about any connected clients. This information can help Extreme Networks technical support staff solve problems you are experiencing with your Ridgeline server.
Figure 357: Ridgeline Server Setup Utility Dialog Box (Settings Tab)
2 Click the "admin" password tab (see the following figure).
Figure 358: Ridgeline Server Setup Utility Dialog Box ("admin" password Tab)
3 Click Reset "admin" password. If Ridgeline is set up as a RADIUS client, this is disabled. Authentication now occurs using the local repository.
Step 1. Create an Active Directory User Group for Ridgeline Users on page 554
Step 2. Associate Users with the Ridgeline Group on page 555
Step 3. Enable Ridgeline as a RADIUS Client on page 558
Step 4. Create a Remote Access Policy for Ridgeline Users on page 560
Step 5. Edit the Remote Access Policy to add a VSA on page 565
Step 6. Configure Ridgeline as a RADIUS Client on page 570
Figure 359: Adding a Group
2 Type the same group name in each of the two Group Name boxes.
3 Under Group scope, click Global.
4 Under Group type, click Security.
5 Click OK.
6 If you want to authenticate Ridgeline users with more than one role, repeat these steps to create a group that corresponds to each Ridgeline role you use. For example, if you want to authenticate users with an Admin role and users with a Monitor role, you would create a group for each role type such as NMS-Admin and NMS-Monitor.
Associate each user with the appropriate Ridgeline-related group, based on the role you want that user to have within Ridgeline.
2 In the Users list, right-click a user name. The user's Properties dialog box appears (see the following figure).
Figure 360: The Properties Dialog Box for a User Name
3 Click the Member Of tab, and then click Add (see the following figure).
Figure 361: The Member Of Tab
4 In the Enter the object names to select box, type the name of the Ridgeline-related group this user should be associated with (see the following figure). Click OK to continue.
Figure 362: Adding a Group for the User
5 Click the Dial-in tab, and then click Allow access and No Callback (see the following figure). Click OK to continue.
Figure 363: The Dial-in Tab Configuration
Go to Step 3. Enable Ridgeline as a RADIUS Client on page 558.
Figure 364: Adding a RADIUS Client to IAS
3 Click Next to continue.
4 From the Client-Vendor list, select RADIUS Standard, and type the shared secret in the Shared Secret and Confirm shared secret boxes (see the following figure). You must use this same shared secret when you configure Ridgeline as a RADIUS client.
Figure 365: Setting the shared secret for a RADIUS client
5 Click Finish. The new Ridgeline client appears in the list of RADIUS Clients under the Internet Authentication Service (see the following figure).
Figure 366: Verify the RADIUS client in IAS
Go to Step 4. Create a Remote Access Policy for Ridgeline Users on page 560.
The New Remote Access Policy wizard starts.
2 Click New to continue.
3 Type a name in the Policy name box (see the following figure). If you need to create multiple policies, each must have a unique name, such as NMS-Admin and NMS-Monitor.
4 Click Next.
Figure 367: Configuring a Remote Access Policy
5 To configure the access method, click Ethernet, then click Next to continue (see the following figure).
Figure 368: Selecting the Access Method for Network Access
The User or Group Access dialog box appears (see the following figure). This is where you associate a group with this policy.
Figure 369: The User or Group Access selection
6 Click Group, then click Add.... The Select Groups dialog box appears (see the following figure).
Figure 370: The Select Groups Window
7 Click Locations. The Locations dialog box appears (see the following figure).
Figure 371: The Locations Window
8 Select the appropriate domain (the ebcdemo.com domain in this example) where your Ridgeline groups were created. Click OK to continue. This returns you to the Select Groups dialog box, with the selected domain displayed (see the following figure).
Figure 372: The Select Groups Window after Setting the Location
9 Type the name of the group that you want to associate with this remote access policy. Click OK to continue. The User or Group Access dialog box re-appears (see the following figure), with the domain and group you specified shown in the Group name list.
Figure 373: The User or Group Access Window after Selecting the Domain and Group
10 Click Next to continue.
11 Select the Authentication Method to be used (see the following figure). From the Type list, select MD5-Challenge, and then click Next.
Figure 374: Setting the Authentication Method for the Policy
12 Click Finish in the final dialog box to complete your configuration of the remote access policy.
Go to Step 5. Edit the Remote Access Policy to add a VSA on page 565.
Figure 375: Selecting a Remote Access Policy to Edit
The Properties dialog box appears (see the following figure).
Figure 376: The Properties Dialog Box for a Remote Access Policy
2 Remove the NAS-Port-Type matches Ethernet policy: click NAS-Port-Type matches Ethernet, and then click Remove.
3 Click Windows-Group matches EBCDEMO\Ridgeline policy, and then click Edit Profile. The Edit Dial-in Profile dialog box appears (see the following figure).
Figure 377: The Edit Dial-in Profile Window, Authentication Tab
4 Click the Authentication tab, and then click Unencrypted authentication (PAP,SPAP).
5 Click EAP Methods. The Select EAP Providers dialog box appears (see the following figure).
Figure 378: The Select EAP Providers Dialog Box
6 Remove the MD5-Challenge method: click MD5-Challenge, and then click Remove.
7 Click OK. This returns you to the Edit Dial-in Profile dialog box.
8 Click the Advanced tab, and then click Add. The Add Attribute dialog box appears (see the following figure).
Figure 379: The Add Attribute Dialog Box
9 Click Vendor-Specific, and then click Add. The Multivalued Attribute Information dialog box appears (see the following figure).
Figure 380: The Multivalued Attribute Information Window
10 Click Add. The Vendor-Specific Attribute Information dialog box appears. This is where you add the Ridgeline VSA settings.
Figure 381: The Vendor-Specific Attribute Information Window
11 Click Enter Vendor Code, and then type 1916 as the vendor code.
12 Click Yes. It conforms.
13 Click Configure Attribute. The Configure VSA dialog box appears (see the following figure).
Figure 382: Configuring the VSA
14 Type 210 in the Vendor-assigned attribute number box.
15 In the Attribute format list, select String.
16 In the Attribute value box, type an attribute value that matches one of the Ridgeline role names: either a predefined role name, such as Administrator or Monitor, or a user-defined role name. If the attribute value does not match a role, the user defaults to the Monitor role only. To find the Ridgeline roles, in the navigation pane click Ridgeline Users And Servers, and then click Open Roles tab (see Role Administration on page 344).
17 Click OK to continue.
18 The new attribute appears in the Multivalued Attribute Information window as Vendor code: 1916 with the value set to the role name you entered (Administrator in this example).
19 Click OK to continue.
20 In the Edit Dial-in Profile dialog box, click OK again. A warning appears (see the following figure). Click No.
Figure 383: Warning after editing the Remote Access Policy profile
The VSA is now configured for this remote access policy.
Go to Step 6. Configure Ridgeline as a RADIUS Client on page 570.
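The following added example (not code from Ridgeline or Extreme Networks) shows what the VSA configured in steps 11 through 16 looks like on the wire and how a receiver could map it to a role, including the fallback to Monitor described in step 16. It assumes the standard RFC 2865 Vendor-Specific layout that the "Yes. It conforms." choice refers to, an exact case-sensitive role match, and hypothetical function names; the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type 26, Vendor-Specific (RFC 2865)
VENDOR_CODE = 1916         # vendor code typed in step 11
ROLE_ATTRIBUTE = 210       # vendor-assigned attribute number typed in step 14
DEFAULT_ROLE = "Monitor"   # role the guide says applies when the value matches no role


def encode_role_vsa(role):
    """Encode a role name as a string-format VSA: type, length, vendor ID, sub-attribute."""
    value = role.encode("ascii")
    sub = struct.pack("!BB", ROLE_ATTRIBUTE, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_CODE) + sub
    if 2 + len(body) > 255:
        raise ValueError("role name too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(data):
    """Yield (type, value) pairs from a type/length/value list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of range")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def extract_role_values(attrs):
    """Return every attribute-210 string carried in a VSA with vendor code 1916."""
    found = []
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != VENDOR_CODE:
            continue  # another vendor's VSA; its attribute numbers mean something else
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == ROLE_ATTRIBUTE:
                found.append(vvalue.decode("ascii", errors="replace"))
    return found


def resolve_role(attrs, known_roles):
    """Pick the first value that names a known role; otherwise fall back to Monitor.

    Malformed attribute lists raise ValueError so the caller can reject the reply
    instead of silently granting a role. First-match and case-sensitive comparison
    are assumptions of this example.
    """
    for name in extract_role_values(attrs):
        if name in known_roles:
            return name
    return DEFAULT_ROLE


# Constructed sample: a Reply-Message attribute (type 18) followed by the role VSA.
SAMPLE_ATTRIBUTES = bytes([18, 4]) + b"ok" + encode_role_vsa("Administrator")

if __name__ == "__main__":
    roles = {"Administrator", "Monitor"}
    print(encode_role_vsa("Administrator").hex())
    print(resolve_role(SAMPLE_ATTRIBUTES, roles))
    print(resolve_role(encode_role_vsa("NoSuchRole"), roles))
```

A value with a typo or different capitalization falls through to Monitor under these assumptions, so an unexpected Monitor-only login is a prompt to recheck the Attribute value entered in step 16.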
Figure 384: RADIUS Administration Window
2 Click Enable system as a RADIUS client.
3 Under Primary RADIUS Server, enter the host name or IP address of your RADIUS server in the Name/Address box.
4 Enter the RADIUS server port in the Port box.
5 In the Secret box, enter the shared secret you used when you set Ridgeline as a RADIUS client in IAS.
6 If you have a secondary RADIUS server, enter that information under Secondary RADIUS Server as well.
7 Click Apply to have this take effect.
G Troubleshooting
Troubleshooting Aids About Ridgeline Window Enabling the Java Console Ridgeline Client Issues Ridgeline Database Ridgeline Server Issues VLAN Management Alarm System Ridgeline Inventory Printing Reports Configuration Manager
This appendix describes how to resolve problems you may encounter with Ridgeline.
Troubleshooting Aids
If you are having problems with Ridgeline, there are several things you can do to help prevent or diagnose problems. One of the first things you should do is run the Package Debug Info command. This command packages the various log, property, syslog and other debugging information files and archives them into a zip file. You can e-mail this file to Extreme Networks Technical Support to provide them with detailed information on the state of the Ridgeline server. You can run this command while the server is running, or while the server is stopped.
To run the Package Debug Info command, go to <Ridgeline_install_dir>/bin and run (double-click) PackageDebugInfo.exe (PackageDebugInfo.bin in Linux); or click Start > All Programs > Extreme Networks > Ridgeline 4.0 > Package debug Info. In this case, a DOS window appears that displays the progress of the commands as they are executed. For more information about using this command, see Package Debug Info Utility.
In Ridgeline, click Help > About Ridgeline, and then click Details.
You can then copy and paste the output information into a text file to send to Extreme Networks Technical Support.
If you are running Ridgeline on Windows and connecting to Ridgeline from the same system as the Ridgeline server, you can also use the server setup utility to determine the port on which the Ridgeline server is running. Click Start > All Programs > Extreme Networks > Ridgeline 4.0 > Server setup utility. The Ridgeline's HTTP port box shows the current server port.
Problem: Colors in client interface are incorrect (Windows 2003, Windows XP).
The Color Palette must be set for 65536 colors (or True Color). If your display is set for only 256 colors, the colors in Ridgeline may be incorrect. To change the color palette:
Click Start, and then Control Panel.
Double-click the Display icon in the Control Panel.
Click the Settings tab.
In the Color quality list, click the appropriate setting.
Problem: Browser does not display the Ridgeline Welcome page.
Verify the version of the browser you are using. See the system requirements in the Ridgeline Installation and Upgrade Guide or the Ridgeline Release Notes shipped with the software.
Problem: Browser client software starts and allows you to log on, but data is missing or other problems occur.
Remove the Ridgeline application from the Java Cache.
1 In Windows, click Start, and then click Control Panel.
2 Double-click the Java Control Panel icon. If it is not visible, type Java Control Panel in the search box.
3 On the General tab, under Temporary Internet Files, click View.
4 Select the Ridgeline application in the list and delete it.
5 Click Close.
6 Click OK.
Ridgeline Database
Problem: Database server does not restart after incorrect shutdown
If the Ridgeline server is shut down incorrectly, the database may be left in an invalid state. In this case, an Assertion failed error may occur when attempting to restart the server. To recover the database, see Installing a Backup Database on page 550.
Ping the switch's IP address to verify availability of a route. Use the ping command from a MS DOS or Linux command shell.
If the switch is using SNMPv1, verify that the read and write community strings used in Ridgeline match those configured on the switch.
If the switch is using SNMPv3, verify that the SNMPv3 parameters configured in Ridgeline match those on the switch.
Problem: Need to change SNMP polling interval, SNMP request time-out, or number of SNMP request retries
You can change the default values for the SNMP polling interval, the SNMP request time-out, or the number of SNMP request retries, through the Ridgeline Administration Server Properties page. For more information about modifying these properties, see SNMP Properties. For instructions on stopping and starting the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.
Problem: Need to change the Telnet or HTTP port numbers used to communicate with managed devices
You can change the port numbers for all managed switches through the Ridgeline Administration Server Properties page (see Device Properties).
Problem: Telnet polling messages can fill up a device's syslog file
The Ridgeline server uses Telnet polling to retrieve certain switch information such as Netlogins, FDB data (if FDB polling is enabled) and power supply information. By default, Ridgeline does status polls every five minutes and detailed polls once every 90 minutes. Each telnet login and logout message is logged to the switch's log file, and eventually fills up the log. In addition, in some cases Ridgeline needs to disable CLI paging so the poller can retrieve the full results of some CLI commands. An entry is created in the switch log for each disable clipaging command, which can also contribute to filling up the log. There are several things you can do to alleviate this problem:
Periodically clear the switch's log file using the ExtremeXOS CLI clear log command. Telnet login and logout messages are Informational level messages.
Disable device Telnet polling by clearing the Poll Devices Using Telnet property in the Devices list on the Server Properties page of Ridgeline Administration (see Device Properties). However, if you do this, Ridgeline will not be able to do edge port polling through the MAC Address Poller, and will not be able to get Netlogin information, or Alpine power supply IDs.
Increase the polling interval for all Ridgeline polling by changing the value of the SNMP Poll Interval property in the SNMP properties list of the Ridgeline Administration feature (see SNMP Properties). Note that this changes the interval for all SNMP polling as well as Telnet polling.
You can set up event filtering to exclude logon/logout events or clipaging enable/disable events from the log:
With ExtremeXOS 11.2 and later you can set up filters to suppress the log entries generated by Ridgeline logon and logout of the switch. Use of these filters is based on the assumption that one can trust a logon from the system on which Ridgeline is installed, and from the account Ridgeline uses to log on to the device.
To set up this filter you use the following four commands, where <EPIC_account> is the account name used by Ridgeline to login to the switch, and <EPIC_ip_addr> is the IP address of the system where the Ridgeline server is installed:
configure log filter DefaultFilter add exclude event aaa.authPass strict-match string <EPIC_account>
configure log filter DefaultFilter add exclude event aaa.authPass strict-match string <EPIC_ip_addr>
configure log filter DefaultFilter add exclude event aaa.logout strict-match string <EPIC_account>
configure log filter DefaultFilter add exclude event aaa.logout strict-match string <EPIC_ip_addr>
For example, to set up the filter for a Ridgeline server with IP address 10.255.48.40, and using account name admin to logon to the switch, you enter the following:
configure log filter DefaultFilter add exclude event aaa.authPass strict-match string admin
configure log filter DefaultFilter add exclude event aaa.authPass strict-match string 10.255.48.40
configure log filter DefaultFilter add exclude event aaa.logout strict-match string admin
configure log filter DefaultFilter add exclude event aaa.logout strict-match string 10.255.48.40
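The trust assumption behind these filters can be compared with what four separate exclude commands remove from the switch log. The Python sketch below is an added example, not Extreme Networks code: it assumes each command adds an independent exclude item that matches when its string equals one of the event's parameters, and it runs over constructed events (the operator account, the 192.0.2.77 address and the aaa.authFail event name are assumptions, not values from this guide).

```python
from dataclasses import dataclass

# Assumption (not stated on the page): every "add exclude" command creates an
# independent exclude item, and a string item matches when its value equals one
# of the event's parameters. A looser match would only hide more events.

@dataclass(frozen=True)
class AuthEvent:
    name: str     # event name as used in the filter commands
    user: str     # account that logged on or off
    source: str   # host the session came from

@dataclass(frozen=True)
class ExcludeItem:
    event: str
    value: str

    def matches(self, ev: AuthEvent) -> bool:
        return ev.name == self.event and self.value in (ev.user, ev.source)

def page_filter(account: str, ip: str) -> list:
    """The four exclude items, in the order the commands are entered."""
    return [ExcludeItem(e, v)
            for e in ("aaa.authPass", "aaa.logout")
            for v in (account, ip)]

def suppressed(items, ev: AuthEvent) -> bool:
    """An event is dropped from the log if any single item matches it."""
    return any(item.matches(ev) for item in items)

def intended(account: str, ip: str, ev: AuthEvent) -> bool:
    """The trusted case: Ridgeline's account used from Ridgeline's host."""
    return (ev.name in ("aaa.authPass", "aaa.logout")
            and ev.user == account and ev.source == ip)

def blind_spots(account: str, ip: str, events) -> list:
    """Events the filter hides that fall outside the trusted case."""
    items = page_filter(account, ip)
    return [ev for ev in events
            if suppressed(items, ev) and not intended(account, ip, ev)]

# Constructed sample events; 192.0.2.77 is a documentation address.
EVENTS = [
    AuthEvent("aaa.authPass", "admin", "10.255.48.40"),     # Ridgeline poll
    AuthEvent("aaa.logout", "admin", "10.255.48.40"),       # Ridgeline poll
    AuthEvent("aaa.authPass", "admin", "192.0.2.77"),       # same account, other host
    AuthEvent("aaa.authPass", "operator", "10.255.48.40"),  # other account, same host
    AuthEvent("aaa.authPass", "operator", "192.0.2.77"),    # unrelated logon
    AuthEvent("aaa.authFail", "admin", "192.0.2.77"),       # event name assumed
]

if __name__ == "__main__":
    for ev in blind_spots("admin", "10.255.48.40", EVENTS):
        print("hidden outside the trusted case:", ev)
```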
You can also create a filter to exclude the clipaging commands from the log. An example of such a command in ExtremeWare 7.3.3 or ExtremeWare 7.5 is:
configure log filter DefaultFilter add exclude events All match string <EPIC_ip_addr> <EPIC_account>: disable clipaging session
For example, to set up the filter for a Ridgeline server with IP address 10.255.48.40, and using account name admin to logon to the switch, you enter the following:
configure log filter DefaultFilter add exclude events All match string 10.255.48.40 admin: disable clipaging session
Problem: Traps may be dropped during a trap storm
The Ridgeline server limits its processing of traps to be able to reliably handle trap storms from a single or multiple devices. Ridgeline limits its trap processing to 20 traps every 28 seconds from an individual device, and a total of 275 traps every 55 seconds system-wide. Any traps that occur beyond these limits are discarded, but are noted in the epicenter_server.log file. Exceeding the first limit (>20 traps in 28 seconds) is rare, and should be considered abnormal behavior in the managed device. If you are managing a large number of devices, you may reach the total (275) limit in normal circumstances. If you are managing more than 1,000 devices, it is recommended that you increase the total number of traps to 500.
The trap processing limits can be changed through server properties in the Ridgeline Administration feature (see Scalability Properties).
Problem: Ridgeline is not receiving traps
If the IP address of a Ridgeline host is changed via DHCP while Ridgeline is running, the system does not receive traps. To fix the problem, you can do a manual sync on all devices, or restart the Ridgeline server.
Problem: On a Windows system with multiple NICs, Ridgeline may not receive traps or be able to upload or download configuration files or images
In Windows, in an environment with multiple NICs, the IP address that Ridgeline gets as the primary IP address is determined by the order in which the network connection is listed in the Adapters and Bindings tab in Advanced Settings, and may not be the NIC that is actually connected to the management network. There is no guarantee that the primary IP address that gets registered as a trap receiver on a switch is the IP address of the NIC that Ridgeline actually uses to communicate. You may be able to work around this by changing the order of the IP addresses in the Adapters and Bindings tab to select the primary IP address for Ridgeline to use:
1 Click Start and then click Control Panel.
2 Double-click Network Connections.
3 Click Advanced > Advanced Settings. The Advanced Settings dialog box appears.
4 Click the Adapters and Bindings tab, which shows the connections listed in order.
5 Select the connection you want Ridgeline to use, use the up and down arrow buttons at the right to move it to the top of the list, and then click OK.
6 Restart the Ridgeline server.
VLAN Management
Problem: Multiple VLANs have the same name.
A VLAN is defined by the name, its tag value, and its protocol filter definition. Ridgeline allows multiple VLANs of the same name if one of the defining characteristics of one VLAN is different from the other.
Problem: Multiple protocols have the same name.
Ridgeline allows multiple protocols of the same name if one of the defining characteristics of one protocol is different from the other.
Problem: Can only access one of the IP addresses on a VLAN configured with a secondary IP address.
Ridgeline does not currently support secondary IP addressing for a VLAN.
Alarm System
Problem: Device is in a fault state that should generate a trap or syslog message, and an alarm is defined to detect it, but the alarm does not appear in the Ridgeline Alarm Manager.
There are several possible reasons this can occur. Check the following:
Make sure that the alarm is defined and enabled.
Check that the device is in the alarm scope.
Check that SNMP traps are enabled on the device.
For a non-Extreme device, make sure you have set Ridgeline as a trap receiver on the device (see Setting Ridgeline as a Trap Receiver on page 514).
For an RMON alarm, make sure you have RMON enabled on the device.
For Syslog messages, make sure that you have the Ridgeline Syslog server enabled, and that remote logging is enabled on the device with Ridgeline set as a Syslog receiver.
The number of traps received by the Ridgeline server may exceed the number of traps it can handle in a given time period, resulting in some traps being dropped (see Ridgeline Server Issues on page 573). You can change the limits for the number of traps the server should accept (per minute and per 1/2 minute) in the Ridgeline Administration feature (see SNMP Properties).
Problem: A program specified as an action for an alarm (in the "Run this program, using these system variables as parameters" box) does not get executed. It includes output to the desktop among its functions.
You must specifically allow output to the desktop (see Configuring the Ridgeline Server to Allow Output to the Desktop on page 577). To specify a batch file that outputs to the desktop, you must specify the .bat file within a DOS cmd command:
cmd /c start <file.bat>
where <file.bat> is the batch file you want to run.
Problem: E-mail alarm actions generate too much text for a text pager.
You can use the Send a short email to this address check box to send an abbreviated message appropriate for a text pager or cell phone. The short email provides only very basic alarm information. For more information about using the email options as an alarm action, see Defining Alarm Profiles on page 262.
4 Click Local System account.
5 Click the Allow service to interact with desktop check box.
6 Click OK.
7 Restart the Ridgeline server.
Ridgeline Inventory
Problem: Multiple switches have the same name.
This is because the sysName of those switches is the same. Typically, Extreme Networks switches are shipped with the sysName set to the type of the switch: Summit48, Summit1i, Alpine3808, etc., depending on the type of switch. You can change the way names appear through the Device Tree UI property in the Ridgeline Administration feature (see Other Properties). You can display devices by name or by IP address and name.
Problem: Discovery does not display the MAC address for some devices in discovery results list. In addition, the device is not added to the inventory (primarily happens with workstations).
If the MAC address is not found in the first instance of ifPhysAddress, it is not displayed in the discovery results table. However, when the device is selected to be added to the Ridgeline inventory, Ridgeline searches all the ifPhysAddress entries for the device, and uses the MAC address found in this manner. If no MAC address is found in any ifPhysAddress entry, the device is not added to the Ridgeline database.
Problem: Receiving an SNMP not responding error when attempting to add a switch to Ridgeline after rebooting the switch.
If a switch has recently been powered on, it may take some time (several minutes) before the device is completely initialized. This is especially true of chassis devices with many blades, or devices with a large number of VLANs configured on the device. If the device has not completed its initialization, Ridgeline may return an error when adding the device. Wait until the device has finished initializing and try adding it again.
Problem: The Device Inventory panel shows incorrect information, and the device image is not displayed correctly.
This can be caused by a device IP address that is in conflict with another device on the network (a duplicate IP address). Remove the problem device from the Ridgeline inventory, and add it in again with the correct IP address.
Printing
Problem: When printing a topology map from the browser client, or printing a report, the browser can appear to freeze.
Printing a report or a topology map can cause the browser utilization to become very high (approaching 100%) and can spool a very large amount of memory. There is no current solution other than to wait, and the process will eventually finish.
Reports
Problem: After viewing reports, adding a user-defined report does not appear in the list of reports on the main reports page.
The Reports page updates the list of reports when the page is loaded. To update the list, refresh the browser page.
Problem: Reports cannot be started.
Due to a problem with Windows, sometimes reports cannot be started from the Ridgeline client. To work around this problem, you can either set your browser home page to blank, or you can run the Reports feature directly from the browser:
1 Enter the following URL of the Ridgeline server in the browser: http://<host>:<port>/ In the URL, replace <host> with the name of the system where the Ridgeline server is running. Replace <port> with the TCP port number that you assigned to the Ridgeline server during installation. Do not use localhost as the <host>.
2 On the Ridgeline Welcome page, click Log on to Reports only.
3 Type your logon credentials into the Username and Password boxes.
Configuration Manager
Problem: Failed to connect to device communicator session message appears when attempting to deploy a configuration to a managed device.
This error message appears when Ridgeline cannot gain Telnet/SSH access to the device with the username/password it has been configured to use:
In the navigation pane, click Main View or the device group with the desired device in it.
Select the device in the devices table by selecting its check box.
Click Device > Modify Communications Settings. The Modify Communications Settings dialog box appears.
On the Basic Information tab, check entries in the Device Login and Device Password boxes to ensure that they match what is actually configured on the device.