
Ridgeline 4.0 Service Pack 1 Reference Guide

Copyright 2001-2013 Extreme Networks

AccessAdapt, Alpine, Altitude, BlackDiamond, Direct Attach, EPICenter, ExtremeWorks Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ExtremeXOS ScreenPlay, ReachNXT, Ridgeline, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries.

sFlow is the property of InMon Corporation. iBooks is property of Apple, Inc. Specifications are subject to change without notice. All other registered trademarks, trademarks, and service marks are property of their respective owners.

For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/about-extreme/trademarks.aspx.

120854-00 Rev 1

Table of Contents

Preface
  Introduction

Chapter 1: Getting Started with Ridgeline
  The Ridgeline Home Page
  Ridgeline Window Behavior
  Modifying Table Views

Chapter 2: Managing Your Network Inventory
  Overview of Ridgeline Device Inventory Management
  Displaying the Network Device Inventory
  Viewing Device Status Information
  Viewing Link Information
  Displaying Device Details
  PBB Tab
  VLANs Tab
  VPLS Tab
  Displaying Link Details
  Displaying Port Details
  Device Inventory View
  Device Properties
  Port Properties
  Discovering and Adding Network Devices
  Manually Adding Devices to Ridgeline
  Deleting Devices from the Inventory
  Updating Device Information
  Modifying Communications Settings
  Configuring Default Access Parameters
  Opening a Telnet Session to a Device

Chapter 3: Organizing Devices and Ports Into Groups
  Overview of Device Groups and Port Groups

Chapter 4: Using Map Views
  Overview of Ridgeline Map Views
  Displaying a Map View
  Map Elements
  Creating Topology Maps

Chapter 5: Provisioning Network Resources
  Network Resource Provisioning Overview
  Troubleshooting Provisioning Tasks
  Viewing Logged Information about Provisioning Tasks

Chapter 6: Configuring and Monitoring Ethernet Services
  Ethernet Service Overview
  Configuring Ethernet Services
  Viewing Ethernet Services Information on the Services Tab

Chapter 7: Policies
  Overview
  Viewing Policy Details
  Creating New Policies
  Creating Categories for Policies
  Creating and Managing Roles

Chapter 8: Managing and Monitoring VLANs
  Overview of Virtual LANs
  Configuring VLANs
  Viewing VLAN Information
  Displaying VLAN Details

Chapter 9: Managing and Monitoring VMANs (PBNs)
  Overview of VMANs
  Configuring VMANs
  Viewing VMAN Information
  Displaying VMAN Details

Chapter 10: Managing Multi-Switch Link Aggregation Groups
  Overview
  Viewing MLAG Information

Chapter 11: Managing Virtual Machines
  Introduction to the XNV Feature
  Example XNV Configuration
  Managing the XNV Feature, VM Tracking
  Configuring Repository Settings on all VM Tracking Switches
  Policy Match Condition Combinations
  Creating a Virtual-Port Profile
  Attaching and Detaching Policies, VPPs, and VMs
  Viewing Information on the VMs Tab

Chapter 12: Managing and Monitoring EAPS Domains
  EAPS Overview
  Viewing EAPS Information
  Displaying EAPS Domain Details
  Verifying EAPS Information
  Running EAPS Reports

Chapter 13: Managing PBB Networks with Ridgeline
  PBB Overview
  Configuring BVLANs
  Viewing PBB Information
  Displaying PBB Details

Chapter 14: Managing and Monitoring VPLS Domains
  Overview of VPLS
  Viewing VPLS Information
  Displaying VPLS Details
  Running VPLS Configuration Scripts

Chapter 15: The Ridgeline Alarm Manager
  Overview of the Ridgeline Alarm Manager
  The Outstanding Alarms Tab
  The Cleared Alarms and Events Tab
  Defining Alarms
  Defining Alarm Profiles

Chapter 16: Configuration Manager
  Overview of the Configuration Manager
  Configuration Summary View
  Backing up Configurations from Devices
  Restoring Configurations to Devices
  Downloading an Incremental Configuration to Devices
  Creating or Changing Baseline Configurations
  Deleting Baselines
  Configuring the TFTP Server

Chapter 17: Firmware Manager
  Overview of the Firmware Manager
  The Firmware Manager Main Window
  Checking for New Software Image Versions
  Acknowledging Changes to the Software Images List
  Downloading Software Images to the Ridgeline Server
  Upgrading the Software or BootROM on Your Devices
  Specifying Standard Software Versions
  Updating Software Properties

Chapter 18: Creating and Executing Ridgeline Scripts
  Ridgeline Script Overview
  The Ridgeline Script Interface
  Managing Ridgeline Scripts

Chapter 19: Using the Ridgeline Audit Log
  Audit Log Overview
  Audit Log View
  Displaying Audit Log Details
  Redeploying Profiles or Scripts

Chapter 20: Using the IP/MAC Address Finder
  Overview of the IP/MAC Address Finder
  Creating a Search Task
  The IP/MAC Address Finder Window with Search Results
  Exporting Task Results to a Text File

Chapter 21: Administering Ridgeline
  Overview of User Administration
  Administration Functions
  User Administration
  Adding, Modifying, or Deleting User Accounts
  Changing Your Password if You Have Super-User or Administrator Rights
  Changing Your Password if You Have Manager or Monitor Rights
  Role Administration
  Adding, Modifying, or Deleting Roles
  RADIUS Administration
  Server Properties Administration
  Distributed Server Administration

Chapter 22: Using the Universal Port Manager
  Overview of the Universal Port Profile Manager
  Network Profiles View
  Managed Profiles Tab
  Creating and Editing UPM Profiles
  Profile Trigger Events
  Universal Port Event Variables

Chapter 23: Using Identity Management
  Identity Management Software License
  Overview of Identity Management
  Role-Based Access Control
  Enabling Monitoring on Devices and Ports
  Disabling Monitoring
  Editing Monitored Device Ports
  Enabling Role-based Access Control on New Devices
  Disabling Role-based Access Control
  Creating Roles
  Deleting Roles
  Editing Roles
  Refreshing Users and Roles
  Viewing Roles
  Attaching Policies to Roles
  Error and Results Handling
  Managing Global Settings
  Viewing Network User Information
  Displaying Identity Management Reports

Chapter 24: Managing Network Security
  Security Overview
  Management Access Security
  Monitoring Switch Configuration Changes
  Using the MAC Address Finder
  Using Alarms to Monitor Potential Security Issues
  Device Syslog History
  Network Access Security with VLANs

Chapter 25: Ridgeline Reports
  Reports Overview
  Accessing Ridgeline Reports
  The Extreme Networks eSupport Export Report
  Network Status Summary Report
  Network Users Reports
  Devices Reports
  Slots, Stacks and Ports Reports
  EAPS Reports
  Log Reports
  Client Reports
  MIB Poller Tools
  Ridgeline Server Reports
  Adding User-Defined Reports to the Reports Menu
  Printing Reports
  Exporting Reports

Chapter 26: Enhancing Ridgeline Performance
  Monitoring and Tuning Ridgeline Performance
  Tuning the Alarm System
  Using the MIB Poller Tools
  Reconfiguring Ridgeline Ports
  Using the Ridgeline Debugging Tools

Appendix A: Configuring Devices for Use With Ridgeline
  Configuring Ridgeline as a Syslog Receiver
  Setting Ridgeline as a Trap Receiver
  The Ridgeline Third-party Device Integration Framework

Appendix B: Using SSH for Secure Communication
  Tunneling Setup Example

Appendix C: Event Types for Alarms
  SNMP Trap Events
  RMON Rising and Falling Trap Events
  Ridgeline Events

Appendix D: Ridgeline Backup
  Ridgeline Log Backups
  Backing up the Ridgeline Database
  Installing a Backup Database

Appendix E: Ridgeline Utilities
  Package Debug Info Utility
  Resetting the Admin User Password

Appendix F: Configuring RADIUS for Ridgeline Authentication
  External RADIUS Server Setup

Appendix G: Troubleshooting
  Troubleshooting Aids
  About Ridgeline Window
  Enabling the Java Console
  Ridgeline Client Issues
  Ridgeline Database
  Ridgeline Server Issues
  VLAN Management
  Alarm System
  Ridgeline Inventory
  Printing
  Reports
  Configuration Manager


Preface
This preface provides an overview of this guide, describes guide conventions, and lists other useful publications.

Introduction
This guide provides the required information to use the Ridgeline software. It is intended for use by network managers who are responsible for monitoring and managing Local Area Networks and assumes a basic working knowledge of:

- Local Area Networks (LANs)
- Ethernet concepts
- Ethernet switching and bridging concepts
- Routing concepts
- The Simple Network Management Protocol (SNMP)

Note: If the information in the Release Notes shipped with your software differs from the information in this guide, follow the Release Notes.

Extreme Networks Ridgeline is a powerful yet easy-to-use program that facilitates the management of a network of Summit and BlackDiamond switches, as well as selected third-party switches. Ridgeline makes it easy to perform configuration and status monitoring and to create virtual LANs (VLANs) in enterprise LANs with Extreme Networks switches. Ridgeline offers a comprehensive set of network management tools that are easy to use from a client workstation configured with a web browser and the Java plug-in. Ridgeline leverages the three-tier client/server architecture framework represented by Java applets. The Ridgeline application and database support Microsoft Windows and Red Hat Enterprise Linux.

Using Ridgeline Publications Online


You can access Ridgeline publications at the Extreme Networks website (www.extremenetworks.com). Publications are provided in HTML, ePub, and Adobe PDF formats.

To navigate this guide online, use the table of contents found in the navigation bar on the left. You can also use the prev | next links at the top and bottom of the page.

To download Ridgeline publications in PDF or ePub format, click the links below:

- Ridgeline Reference Guide PDF
- Ridgeline Reference Guide ePub
- Ridgeline 4.0 Installation Guide PDF
- Ridgeline 4.0 REST API Quick Start PDF


Terminology
When features, functionality, or operation is specific to the Summit or BlackDiamond switch family, the family name is used. Explanations about features and operations that are the same across all Extreme switch product families simply refer to the product as the Extreme Networks device or Extreme Networks switch. Explanations about features that are the same for all devices managed by Ridgeline (both Extreme devices and others) simply refer to them as devices.

Note: Ridgeline does not provide multi-language support.

Conventions
The following tables list text conventions that are used throughout this guide.

Table 1: Notice Icons

| Notice Type | Alerts you to... |
|---|---|
| Note | Important features or instructions. |
| Caution | Risk of personal injury, system damage, or loss of data. |
| Warning | Risk of severe personal injury. |

Table 2: Text Conventions

| Convention | Description |
|---|---|
| Screen displays | This typeface represents information as it appears on the screen. |
| Menu > Submenu > Command | To access a command available through a submenu of a menu, the menu, submenu, and command are separated by ">". |
| [Ctrl] + [Alt] | If you must press two or more keys simultaneously, the key names are separated by a plus sign (+). |
| [Ctrl], [Alt] | If you must press, and then release a key, and then press another key, the key names are separated by a comma (,). |
| Words in bold type | Bold text indicates controls on the Ridgeline program (for example, buttons, menu items, tabs, and windows). |
| Words in italic type | Italics emphasize a point or denote new terms at the place where they are defined in the text. |


Related Publications
The Ridgeline documentation set includes the following:

- Ridgeline Reference Guide (this guide)
- Ridgeline Installation and Upgrade Guide
- Ridgeline Release Notes

The Ridgeline Reference Guide, Ridgeline Installation and Upgrade Guide, and Release Notes are in the Ridgeline 4.0\jboss\standalone\deployments\extreme.war\helptext\docs directory in Adobe Acrobat PDF format. You must have Adobe Acrobat Reader version 5.0 or later (available free from www.adobe.com) to view the PDF versions of these manuals.

The Ridgeline software also includes context-sensitive online help, available from the Help menu and Help buttons in the Ridgeline program.

Other manuals that are useful are:

- ExtremeWare Software User Guide
- ExtremeWare Command Reference Guide
- ExtremeXOS Concepts Guide
- ExtremeXOS Command Reference Guide

For documentation on Extreme Networks products, and for general information about Extreme Networks, see the Extreme Networks website: www.extremenetworks.com.

Customers with a support contract can access the Technical Support pages at: www.extremenetworks.com/services/eSupport.asp. The technical support pages provide the latest information on Extreme Networks software products, including the latest Release Notes, information on known problems, downloadable updates or patches as appropriate, and other useful information and resources.

Customers without contracts can access manuals at: www.extremenetworks.com/services/documentation/.

Providing Feedback to Us
We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:

- Content errors or confusing or conflicting information.
- Ideas for improvements to our documentation so you can find the information you need faster.
- Broken links or usability issues.

If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online Feedback form. You can also email us directly at internalinfodev@extremenetworks.com.


1 Getting Started with Ridgeline


- The Ridgeline Home Page
- Ridgeline Window Behavior
- Modifying Table Views

If you have not yet installed version 4.0, see the Ridgeline Installation and Upgrade Guide for instructions.

The Ridgeline Home Page


Note: If you have not installed Ridgeline version 4.0, see the Ridgeline Installation and Upgrade Guide for instructions.

When you first start Ridgeline, the Ridgeline home page appears (see the following figure). You can display the home page at any time by clicking Home on the navigation pane.

Figure 1: Ridgeline Home Page

The Ridgeline home page displays the version of the software you are running and includes a link that allows you to see the latest software and BootROM images available. A number of dashboard reports appear on the home page, including a Network Status Summary Report and a Device Status Summary report. You can select which reports and graphs appear on the Ridgeline home page, allowing you to create a convenient, at-a-glance view of data relevant to your network (see Modifying the Contents of the Ridgeline Home Page).


The dashboard reports available on the Ridgeline home page can also be accessed from the Reports application. For more information, see Reports Overview.

Modifying the Contents of the Ridgeline Home Page


You can add or remove dashboard reports on the Ridgeline home page, and move them to a different location on the display.

To add a dashboard report:

1 In the navigation pane, click Home.
2 Click View > Customize home page. The dashboard palette appears at the bottom of the Ridgeline home page (see the following figure).

Figure 2: Dashboard Palette on the Ridgeline Home Page

3 In the dashboard palette, select the dashboard report you want to add, and then drag it to the desired empty area of the Ridgeline home page.
4 After you have finished adding dashboard reports to the Ridgeline home page, click View > Customize home page to hide the dashboard palette.

To remove a dashboard report from the Ridgeline home page, click the X in the upper right corner of the dashboard report that you want to remove. The dashboard report is removed from the display.

To move a dashboard report to a different location in the display, select and then drag the title bar of the dashboard report to the desired location.


Ridgeline Window Behavior


Windows in the Ridgeline user interface are made up of several elements. The following figure shows the components that comprise a typical window in Ridgeline.

Figure 3: Components of the Ridgeline User Interface (Main View Window)

The main components of the Ridgeline user interface are:

| Component | Description |
|---|---|
| 1 Menu bar | Shows the available commands in Ridgeline. The commands shown on the menu bar change based on the Ridgeline component that you have selected in the navigation pane. |
| 2 Tabs | When you click many Ridgeline components, a series of tabs appear, grouping together subfeatures of that component. For example, the Main View component, which shows all devices in your inventory, has tabs for Devices, Links, MLAG, EAPS, and VLANs. |
| 3 Ribbon | The Ridgeline ribbon displays various controls (buttons, drop-down menus, search box) to perform pertinent functions for the selected Ridgeline component. |
| 4 Map view | For a selected device group, the graphical representation of the devices and links in the group. For more information about the map view, see Displaying the Network Device Inventory. |
| 5 Devices table | Table of information about the devices in the selected devices group. Selecting a device in the devices table displays detailed information about the selected device in the device details pane (see below). For more information about the devices table, see Displaying the Network Device Inventory. |
| 6 Device details pane | Detailed information about the device selected in the devices table. For more information about the devices details pane, see Displaying Device Details. |
| 7 Alarms dashboard | Displays a snapshot of the device alarms information. For more information about alarms, see Overview of the Ridgeline Alarm Manager on page 237. |
| 8 Navigation Pane | Hierarchical view of the Ridgeline components and device/port group folders. For more information about the Ridgeline home page, see The Ridgeline Home Page on page 11. For more information about device/port groups, see Overview of Device Groups and Port Groups on page 60. |
| 9 Ridgeline components | Major Ridgeline features. Ridgeline has seven main component groups: Home, Identity Views, Device Configuration, Network Configuration, Alarms and Events, Administration, and Reports. For more information about the Ridgeline home page, see The Ridgeline Home Page on page 11. |

Opening Ridgeline Components in Docked or Floating Windows


You can open a Ridgeline component from the navigation pane as a docked or floating window. To open a Ridgeline component as a:

- Docked window: click the Ridgeline component name in the navigation pane (for example, Main View, Policies, Alarm Manager, etc.). The component appears docked in the main window.
- Floating window: place the cursor over the Ridgeline component name in the navigation pane, and then click next to the component name. The component appears as a floating window.

Docking Detail Windows into the Main Window


Double-clicking an entry in the Main View or device/port group table opens a floating window that shows the details for that entry. You can dock these floating windows into the right side of the main window or minimize them into icons, so that you can switch among them.

To open and dock a detail window:

1 Double-click an entry in the table of the Main View or device/port group table. The details window for that entry appears.
2 Click in the upper right corner of the details window. The floating window is docked on the right side of the main window (see the following figure). If you have multiple detail windows docked, they appear as tabs on the lower right area of the main window.

Figure 4: Docked Detail Window (1 Docked detail window, 2 Docked detail window tabs)

3 To further minimize the detail window into an icon, click on the upper right of the window. The detail window appears as an icon on the upper right area of the main window (see the following figure).

Figure 5: Minimized Detail Window Icons

To redisplay a detail window as a floating window again, click . To remove the detail window, click .

Modifying Table Views


Much of the information displayed in Ridgeline is in tabular format. You can:

- Sort the rows in a table
- Modify the column sizes
- Move columns around in a table
- Remove columns from a table

Sorting Table Rows


You can sort the rows of a table according to the contents of any individual column. To sort the rows, click the column heading that you want to use as the sort criteria. Click once to sort in ascending order; click a second time to reverse the sort order. The column currently used as the sort criteria is indicated with a small triangle in the column heading. The direction of the triangle (up or down) indicates whether the sort is ascending or descending.

Resizing Table Columns


You can resize the width of a column:

1 Place the cursor over the line separating the column you want to resize from the column to its right. The cursor turns into a double-headed arrow.
2 Click and hold the left mouse button to grab the column separator, and then drag the separator until the column is the desired width.

Moving Table Columns


To move a column in a table, click and hold the left mouse button over the column heading, and then drag the column to a new location.

Removing Columns
To remove a column:

1 Click the icon in the upper right corner of the table. The Choose Columns to Display dialog box appears (see the following figure).

Figure 6: Selecting Columns to Display in a Table

2 Clear the check box(es) of the column(s) that you want to remove from the table, and then click OK. Columns that cannot be removed from the table are unavailable.


2 Managing Your Network Inventory


- Overview of Ridgeline Device Inventory Management
- Displaying the Network Device Inventory
- Viewing Device Status Information
- Viewing Link Information
- Displaying Device Details
- PBB Tab
- VLANs Tab
- VPLS Tab
- Displaying Link Details
- Displaying Port Details
- Device Inventory View
- Device Properties
- Port Properties
- Discovering and Adding Network Devices
- Manually Adding Devices to Ridgeline
- Deleting Devices from the Inventory
- Updating Device Information
- Modifying Communications Settings
- Configuring Default Access Parameters
- Opening a Telnet Session to a Device

Overview of Ridgeline Device Inventory Management


Ridgeline keeps a database of all its managed network devices. Ridgeline can discover any devices running MIB-2 compatible agents, using the SNMPv2 protocol by default. It can manage Extreme Networks switches and can provide information about third-party devices with compatible agents.

Note: A SummitStack acts as one device in inventory.

Ridgeline can also automatically discover Extreme Networks and MIB-2 compatible devices by specific IP address or within a range of IP addresses (see Discovering and Adding Network Devices). You can also add network devices to the Ridgeline database manually (see Manually Adding Devices to Ridgeline). Once devices are in the Ridgeline database, you can assign them to groups and configure them using Ridgeline. You can receive alarms about faults on the device and view a hierarchical topology layout of the devices known to Ridgeline.

Any Ridgeline user with read-only access to this feature can view status information about the network devices currently known to Ridgeline. If you have super-user, administrator, or manager role access (or other roles with write access to this feature), you can add or delete devices from the managed devices in the database. You can also refresh the information in the database for the devices in the Ridgeline inventory manager.

Device Groups
For effective management, you group devices in Ridgeline into one or more device groups. An individual device can belong to multiple device groups. A device group is a set of network devices that have something in common, and that can be managed as a group. For example, devices might be grouped by physical location (building 1, building 2, first floor, second floor) or by functional grouping (engineering, marketing, finance) or by any other criteria that make sense within the managed network environment. When devices are discovered, either automatically or manually, they are added by default to the Main View. You can then move discovered devices to groups, as appropriate. For more information about device groups, see Organizing Devices and Ports Into Groups.

Displaying the Network Device Inventory


To display the device inventory, in the navigation pane, click Main View. The device inventory appears.

Figure 7: Network Device Inventory

Note: You must add network devices to the database using the Discover Device or Add Devices commands to make them known to Ridgeline. Until this is done, no devices appear in Ridgeline.

By default Ridgeline has only one device group, Main View. You cannot delete or change the name of the Main View device group. The device table appears by default. Click Map to enable the map view. When the map view is enabled, the button is shaded:

To hide the map, click the Map button, so that it is not shaded. To maximize the size of the map (and hide the device table), click the right arrow in the area between the map and device table panes.

Figure 8: Map/Device Table Size Controls

To increase/decrease the map size, place the cursor over the two arrows pointing in opposite directions between the map and device table panes until the cursor becomes a double-sided arrow, and then click and drag the table to make as much room as desired to display the map.

Click a device group name to display the switches in that group.

A red slash through a device indicates that the device is not reachable through SNMP. A device shown in grey indicates the device is no longer being managed. Ridgeline does not attempt to communicate with a device in the unmanaged state, nor does it accept traps or syslog messages for the device. If unacknowledged alarms exist for the device, the alarm status is indicated by a small colored alarm on the device icon in the table. You can investigate these through the Alarm Manager (see The Ridgeline Alarm Manager). The icon indicates a stacked device.


Alarm Propagation to the Device Group


If alarm propagation is enabled, the highest severity unacknowledged alarm status among the devices in the device group is indicated by a small alarm bell next to the device group name under Device Configuration.

Disabling alarm propagation for a device means that the device's alarm status is not factored into the alarm status for the device group. This lets you base alarm propagation at the device group level on a subset of critical devices while ignoring less critical devices. Devices with alarm propagation disabled show an X through the alarm icon. However, the color of the alarm icon still indicates the correct alarm status for the alarm.

You can also disable alarm propagation for the device group, which results in an X over the alarm icon (select the device group, right-click, and then select Alarm Propagation > Off). However, because there is no higher level for alarm status propagation, this has no real meaning. The color of the alarm icon still reflects the worst alarm status of those devices within the device group that have alarm propagation enabled.

Viewing Device Status Information


When you select a device group under Device Configuration, the panel on the right displays a summary status of the devices in the selected device group.

Figure 9: Device Group Table View

The following information appears:

| Column | Description |
|---|---|
| Name | The name of the device. |
| IP Address | The IP address of the device. |
| MAC Address | The device MAC address, if applicable. |
| Software Version | The firmware version running on the device. |
| SNMP version | The SNMP version (version 1, 2, or 3) used on the device. |
| Log On Username | The device logon name. |
| SSH | The setting for SSH2: Enabled or disabled. |
| Forwarding-Database Polling | The setting for FDB polling: Enabled or disabled. |
| Device Manager Protocol | The protocol used to get access to a non-Ridgeline device manager on the device (HTTP or HTTPS). To use the browser-based management interface provided by the selected device, on the main menu, click Device > Manager (HTML). |
| Member Of | The groups and subgroups that the device is a member of. |
| ReachNXT Devices | The number of Extreme ReachNXT 100-8t switches connected to the device. |
| Last Updated | When the device information was last updated from the switch. |
| Status | The operational status of the device: SNMP Reachable, SNMP Unreachable, or Unmanaged. |
| Type | The device type (for example, Summit 400-48t). |
| Worst Alarm | The priority of the highest unacknowledged alarm currently on the device. |
| Alarm Propagation | Whether alarm propagation is on or off for the device. |
| User Monitoring | Whether or not user monitoring is enabled for the device. |
| VM Monitoring | Whether or not VM monitoring is enabled for the device. |

Viewing Link Information


Clicking the Links tab displays information about the links between devices in the device group, as shown below.


Figure 10: Links Summary Status The following information appears:


A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines indicates a shared link:
  - Green indicates the link is up.
  - Greyed-out green indicates the last-known status of the link was up.
  - Red indicates the link is down.
  - Greyed-out red indicates the last known state was down.
  - Yellow indicates that some ports on this link are up and some are down.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.


Type: The link type; for example, user-created.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Device Status: The current status of the device on the A side of the link.
Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines indicates a shared link:
  - Green indicates the link is up.
  - Greyed-out green indicates the last-known status of the link was up.
  - Red indicates the link is down.
  - Greyed-out red indicates the last known state was down.
  - Yellow indicates that some ports on this link are up and that some are down.
Share Details: Information about the port sharing configuration for the port, if applicable.
Device Status: The current status of the device on the B side of the link.
Link State: Whether the B side of the link is ready to exchange traffic with the A side of the link.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines indicates a shared link:
  - Green indicates the link is up.
  - Greyed-out green indicates the last-known status of the link was up.
  - Red indicates the link is down.
  - Greyed-out red indicates the last known state was down.
  - Yellow indicates that some ports on this link are up and some are down.
Share Details: Information about the port sharing configuration for the port, if applicable.
Type: The link type; for example, user-created, physical link, shared physical link.
Name: The device name.


Displaying Device Details


To display details about a device, click the device's row in the devices table. Information about the selected device appears in the lower pane (see Figure 11: Device Group Table View (Devices Tab) on page 25). If you double-click the row, the device details appear in a separate window (see Figure 12: Device Details Window on page 25).

Figure 11: Device Group Table View (Devices Tab)

Figure 12: Device Details Window


The following tabs are available:
- Ports
- Links
- MLAG
- Policies
- VLANs
- VLAN Ports
- EAPS Domains
- EAPS Shared Ports
- EAPS Domain Ports
- EAPS Settings

Ports Tab
The Ports tab displays information about the device's ports:
Port Number: The device port number.
Name: Port name.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Type: Port type; for example, Gigabit, Management, 10/100.
Port Status: Whether the port is enabled or disabled.
Link State: Whether the port is ready to exchange traffic with the port on the other side of the link (ready).

Links Tab
The Links tab displays information about links the selected device has to other devices.
A Device: The name of the device on one end of the link (the A side), along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The port number on the A side of the link.
Share Details: Information about the port sharing configuration for the port, if applicable.


Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines indicates a shared link:
  - Green indicates the link is up.
  - Greyed-out green indicates the last-known status of the link was up.
  - Red indicates the link is down.
  - Greyed-out red indicates the last known state was down.
  - Yellow indicates that some ports on this link are up and that some are down.
B Device: The name of the device on the other end of the link (the B side), along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.
Type: The link type; for example, user-created, physical link, shared physical link.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Device Status: The current status of the device on the A side of the link.
Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
Name: The device name.
Shared Details: Information about the port sharing configuration for the port, if applicable.

MLAG Tab
The MLAG (multi-system link aggregation) tab displays the following information:
Status: MLAG overall status.
MLAG ID: MLAG ID.
ISC VLAN Tag: Inter-switch connection VLAN tag.
A Name: Name of MLAG peer A switch.
A IP Address: IP address of MLAG peer A switch.
B Name: Name of MLAG peer B switch.
B IP Address: IP address of MLAG peer B switch.


Policies Tab
The Policies tab displays the policies that have been set up:
Used For: Role or virtual machine.
Name: Name of role/virtual machine to which this policy is attached.
Policy Name: Policy name.
Policy Direction: The direction of the traffic that the policy applies to (ingress or egress).
Port Number: The device port number.
Port Name: The port name.

VLANs Tab
The VLANs tab displays the following information about VLANs the device is part of:
VLAN Tag: The VLAN tag value (if any) or Untagged, along with an icon indicating whether this is a VLAN or VMAN. The icon indicates one of the following:
  - VLAN
  - EAPS-protected VLAN
  - VMAN
  - EAPS-protected VMAN
VLAN Name: The VLAN name. For VLANs with identical values for Tag and Protocol, but different values for Name, this refers to the same VLAN. In such cases, the multiple names appear, separated by a comma.
Network Name: The network name category (if any) that this VLAN belongs to. For more information, see Categorizing VLANs With Network Names.
Protocol Name: The protocol filter(s) configured for the VLAN.
QOS Profile Name: QoS profile name configured for the VLAN on the device, if any.
IP Forwarding Enabled: Whether IP forwarding is enabled for the VLAN.
VLAN IP Address: The IP address of the VLAN.
VLAN IP Mask: The subnet mask of the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.
Type: The VLAN type, either VLAN or VMAN.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Admin Status: The administrative state of the VLAN, either Enabled, Disabled, or Unknown. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.


VLAN Ports
The VLAN Ports tab displays the following information:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if assigned.
Tagged: Whether or not the port belongs to a tagged VLAN.
Media: Whether the port is tagged.
Type: Port type; for example, Gigabit, Management, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: Whether the port is enabled or disabled.

EAPS Domains Tab


The upper section of the EAPS Domains tab shows information about the device in relation to each of the EAPS domains of which it is a member. The lower section shows information about a selected domain node. Select a node to display domain node details and protected VLAN information. The upper part of the EAPS Domains tab contains the following columns:
Name: The name of the EAPS domain where this device is a member (node), and an icon indicating the domain status:
  - Green ring: all domains in which this device participates are fully operational.
  - Yellow ring: one or more of the domains is not fully operational, but is in a transitional state or an unknown state (as when the device is SNMP unreachable).
  - Red ring: one or more of the domains is not operational, if the device has a master in a failed state or a Transit node in a links down state.
  - Grey ring: EAPS domain is disabled.
Domain-Node Name: The name of the node given to the device as a member of the domain.
Domain Status: Status of the node in the domain. This can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Device Mode: Whether the node acts as a Master or Transit node for this domain.
Primary Port: The primary port number.
Secondary Port: The secondary port number.

The lower section of the EAPS Domains tab window has two additional tabs:
- Details Of Device in Domain Tab
- Protected VLANs Tab


Details Of Device in Domain Tab
The Details Of Device in Domain tab displays the following information:
Domain Node Name: The name of the node given to the device as a member of a domain.
Enabled: Whether this specific node is enabled as an EAPS node.
Control VLAN Name: Name of the control VLAN.
Control VLAN Tag: VLAN tag (ID) of the EAPS control VLAN.
Control VLAN Network: The network name of the control VLAN, if one is configured.

Protected VLANs Tab
The Protected VLANs tab displays the following information:
Tag: The ID of the protected VLAN.
VLAN Name: The name of the protected VLAN.

EAPS Shared Ports Tab


The upper section of the EAPS Shared Ports tab shows information about the shared port(s) on this device. The lower section shows information about each of the domains that share the port. Select a shared port to display the sharing information for that port. The upper section of the EAPS Shared Ports tab contains the following information:
Number: The port number of the shared port.
Shared-Port Status: Status of the shared port: Idle, Ready, Blocking, Preforwarding.
Shared-Port Mode: Whether the node acts as a Controller or a Partner node for this shared link.
Shared-port Link ID: An integer configured on the switch for the shared port.
Neighbor-Port Status: Status of the neighboring node: Down, Up, Error.
Root-Blocker Status: The port's status as a root blocker (None or Active).
Shared-Port Expiry Action: Action to be taken when the shared port fail timer expires.

The lower section of the EAPS Shared Ports tab contains the following information:
Name: Name of the EAPS domain that includes the shared port.
Domain Status: Current status of the EAPS domain.
Other Ports In Domain: The other port (besides the shared port) configured in the pair for this EAPS domain.


EAPS Domain Ports Tab


The upper part of the EAPS Domain Ports tab shows information about the ports on this device in relation to the EAPS domains to which the device belongs. The lower part shows information about the domains related to a selected port. Select a port to display the domain nodes that are configured on the selected port. The upper part of the EAPS Domain Ports tab window contains the following information:
Number: The number of a port configured for one of the domains sharing a link.
Shared-Port Link ID: An integer ID configured on the switch for the shared port only.
Shared-Port Mode: Whether the node acts as a controller or a partner node or is unconfigured for the shared port.

The lower section of the EAPS Domain Ports tab window contains the following information:
Status Of Port In Domain: Status of the domain port in the EAPS domain. This can be Up, Down, Blocked, or Unknown.
Domain Name: The domain node name given to the device as a member of an EAPS domain.
Domain Status: Status of the node: Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Device Mode: Whether the node acts as a master or transit node for this domain.
Primary Port: Primary port number.
Secondary Port: Secondary port number.

EAPS Settings Tab


The EAPS Settings tab lists information about the EAPS configuration on the device. It contains the following information:
EAPS Protocol Enabled: Whether the EAPS protocol is enabled on this device (true or false).
Fast Convergence Enabled: Whether fast convergence is enabled for this device (true or false).
Last Configuration Updated: The date of the last configuration update.
Last Status Updated: The date of the last status update.

PBB Tab
The PBB tab displays information about PBB components (ISIDs, BVLANs, SVLANs, and CVLANs) that are configured on the device.


Type: The type of component in the PBB network, along with an icon indicating the PBB component type. In the Map View, the icons indicate the component is configured on the highlighted device. The icon can be one of the following:
  - Extended Service ID (ISID)
  - Backbone VLAN (BVLAN)
  - Protected BVLAN; that is, a BVLAN protected by an EAPS ring
  - Customer VLAN (CVLAN)
  - Subscriber VLAN (SVLAN)
Tag: The configured tag value for the BVLAN/CVLAN/SVLAN; N/A for ISIDs.
ISID: The tag value of the ISID that the PBB is associated with or bound to.
Name: The name of the BVLAN/CVLAN/SVLAN or ISID.
BVLAN Network: The network name category (if any) that this BVLAN/CVLAN/SVLAN belongs to. You can assign a network name to a BVLAN. When a network name is assigned to a BVLAN, the SVLANs and CVLANs associated with the BVLAN are automatically assigned the same network name. See Categorizing VLANs With Network Names for more information.
Last Updated: When the device information was last updated from the switch.

VLANs Tab
The VLANs tab contains information about the VLANs configured on the device.
VLAN Tag: The VLAN tag value (if any) or Untagged, along with an icon indicating whether this is a VLAN or VMAN:
  - VLAN
  - EAPS-protected VLAN
  - VMAN
  - EAPS-protected VMAN
Name: The VLAN name. For VLANs with identical values for VLAN Tag and Protocol Filter, but different values for Name, this refers to the same VLAN. In such cases, the multiple names appear, separated by a comma.
Network: The network name category (if any) that this VLAN belongs to. See Categorizing VLANs With Network Names for more information.
Service: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. See Viewing VLAN Services Information for more information.
Protocol Filter: The protocol filter(s) configured for the VLAN.
IP Forwarding: Whether IP forwarding is enabled for the VLAN.
Last Updated From Database: Date and time that the information about the VLAN was last retrieved from the Ridgeline database.


Last Updated By: The actor that made the last change to the VLAN, either the Ridgeline (System) or a user.
Type: The VLAN type, either VLAN or VMAN.

Selecting a VLAN in the table shows information about the following on separate tabs in the lower pane:
- Devices tab
- Ports tab
- Layer 3 Settings tab
- Links tab
- VPLS tab

Devices Tab
The Devices tab under the VLAN tab shows the following information:
Device Name: The name of the device in the VLAN.
IP Address: IP address of the device in the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
QOS Profile Name: QoS profile name configured for the VLAN on the device, if any.
Control VLAN: Whether or not this is a control VLAN.
Protected VLAN: Whether or not this is a protected VLAN.
Domain Name Set: EAPS domains to which the VLANs on the device belong.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Software Version: Version of the software running on the device.
SNMP Version: SNMP version (1, 2, 2C, 3).
Log On Username: The device logon name.
Forwarding-database Polling: Whether or not FDB polling is enabled.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Device Type: The device type (for example, Summit 400-48t).
Admin Status: The administrative state of the VLAN, either Enabled, Disabled, or Unknown. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.

Ports Tab
The Ports tab under the VLAN tab shows the following information:


Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if assigned.
Tagged: Whether the port is tagged.
Media: The port media, if applicable.
Type: Port type; for example, Gigabit, Management, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: Whether the port is enabled or disabled.

Layer 3 Settings Tab


The Layer 3 Settings tab under the VLAN tab shows the following information:
Device Name: The name of the device, and an icon indicating the status of the device.
IP Address: The IP address of the device.
VLAN IP Address: The IP address of the VLAN.
VLAN IP Mask: The subnet mask of the VLAN.
IP Forwarding Enabled: Whether IP forwarding is enabled for the VLAN.

Links Tab
The Links tab under the VLAN tab shows the following information:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Share Details: Information about the port sharing configuration for the port, if applicable.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines indicates a shared link:
  - Green indicates the link is up.
  - Greyed-out green indicates the last-known status of the link was up.
  - Red indicates the link is down.
  - Greyed-out red indicates the last known state was down.
  - Yellow indicates that some ports on this link are up and some are down.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.
Name: The device name.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Device Status: The current status of the device on the A side of the link.
Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
Type: The link type (for example, user-created, physical link, shared physical link).

VPLS Tab
The VPLS tab displays information about the VPLS domains the device belongs to.
VPN ID: ID of the VPN.
Service Type: The service type configured for the VPLS domain: ethernet.
Last Refreshed: Date and time when the VPLS information was last updated.

Under Pseudowires the following information appears:


Status: Current operational status of the VPLS node. This can be Up, Down, or Other.
A Node Address: IP address of the VPLS node on one end (the A side) of the link.
A Device Name: The name of the device on one end (the A side) of the link.
A IP Address: IP address of the device on one end (the A side) of the link.
B Node Address: IP address of the VPLS node on one end (the B side) of the link.
B Device Name: The name of the device on one end (the B side) of the link.
B IP Address: IP address of the device on one end (the B side) of the link.
Mode: Usage of the pseudowire in the LSP. This can be one of the following: Core to core, Spoke to core, Core to spoke.


Displaying Link Details


To display details about a link, click the link's row in the links table. Information about the selected link appears in the lower pane (shown below). If you double-click the row, the link details appear in a separate window.

Figure 13: Link Details Window


Name: The devices and ports on either side of the link.
Link Status: Current link status (UP, DOWN).
State: Current connection state of the link (Present, Removed).
Type: Whether the link is user-created or a discovered physical link.
Discovery protocol: The protocol used to discover the link, either EDP or LLDP.

For each side of the link, the following information appears:


Device: The name of the device.
IP address: The IP address of the device.
Status: The status of the port, enabled or disabled.

Port Details
Number/Annotation: The port number.
Name: The port number, if configured.
Type: Port type; for example, Gigabit, Management, 10/100.
Status: Status of the port: Idle, Ready, Blocking, Preforwarding.


Link State: Current connection state of the link; for example, active.
Share Details: Information about the port sharing configuration for the port, if applicable.

If you select the Show VLANs check box, the VLANs configured for the ports that make up the link appear in the table:
VLAN Tag: The VLAN tag value (if any) or Untagged, along with an icon indicating whether this is a VLAN or VMAN:
  - VLAN
  - EAPS-protected VLAN
  - VMAN
  - EAPS-protected VMAN
VLAN Name: The VLAN name. For VLANs with identical values for VLAN Tag and Protocol Name, but different values for VLAN Name, this refers to the same VLAN. In such cases, the multiple names appear, separated by a comma.
Network Name: The network name category (if any) that this VLAN belongs to. See Categorizing VLANs With Network Names for more information.
Protocol Name: The protocol filter(s) configured for the VLAN.
QoS Profile Name: QoS profile name configured for the VLAN on the device, if any.
IP Forwarding Enabled: Whether IP forwarding is enabled for the VLAN.
VLAN IP Address: IP address for the VLAN.
VLAN IP Mask: IP mask for the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
Type: The VLAN type, either VLAN or VMAN.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Admin Status: The administrative state of the VLAN, either Enabled or Disabled. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.

Displaying Port Details


If a port is a member of a port group, you can display details about the port:
1 In the navigation pane, click Main View or any device group.
2 Click the Devices tab.
3 In the lower pane, click the Ports tab.
4 Select a port row, right click, and then click Properties. The Port Properties dialog box appears (see the following figure).


Figure 14: Port Properties Dialog Box

The Port Properties dialog box shows the following information:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Port Name: Port name, if configured.
Media: The media for a redundant port (Primary or Redundant).
Configured Type: Port type; for example, Gigabit, Management, 10/100.
Link State: Whether the port is ready to exchange traffic with the port on the other side of the link.
Port Status: Whether the port is enabled or disabled.
Actual Speed: Speed of the port; auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either Full or Half.
Load Sharing: The load sharing state of the port (on or off).
FDB Polling Status: Whether the port is being polled: Actively Polled (Edge Port) or Not Polled (Inactive Port).

Device Inventory View


The Device Inventory shows an active graphical display of the device's front panel, as well as a panel of status information. For some devices, a back panel view may also appear. To display the Device Inventory for a device:
1 In the navigation pane, click Main View or the desired device group.
2 Click the Devices tab.
3 Select a device from the device table by selecting its check box.
4 Click Inventory. The Device Panel dialog box appears.

This display shows additional information that Ridgeline has gathered from the switch agent.


1: Device Information, Slot Information, Fan And Power Supply Status, and Port Information tabs (tabs only appear if the relevant area of the device is clicked)
2: Slots
3: Fans and power supplies
4: Ports

Figure 15: Device Panel (Inventory) Dialog Box

You can click the slots, ports, power supplies, and fans on the device image to see information displayed about each selected item in the lower pane in the Device Information and Slot Information tabs (for slots and ports), Port Information tab (for ports), or the Fan and Power Supply Status tab (for power supplies and fans). You can also add additional information about the device in the Additional Info box on the Device Information tab. Type whatever additional information you want to include, and then click Save.

Device Properties
You can view the properties of a device in the Ridgeline inventory database. To display the Device Properties window:
1 In the navigation pane, click Main View or the desired device group.
2 Select the check box in the row of the desired device in the devices table.
3 Click Properties. The Device Properties window appears.


Figure 16: Device Properties Window

The Device Properties window displays a set of tabs at the top of the window, depending on the type and configuration of the device. The following tabs may appear:
- Properties
- Syslog Messages
- Network Clients

The Properties Tab


The Properties tab on the Device Properties dialog box displays configuration and status information about the device. At the top of the dialog box, basic identification information appears:
Name: The name of the device.
IP Address: The IP address of the device.
Device Type: The type of device.
MAC Address: The MAC address of the device.

The table presents the values of various attributes of the device. These vary depending on the type of device and the features it supports.

The Syslog Messages Tab


The Syslog Messages tab of the Device Properties dialog box lists information about the last 500 syslog messages received from the device.


Time: The time that the message was received.
Severity: The severity level of the message. Severity levels include the following:
  - 0: Emergency
  - 1: Alert
  - 2: Critical
  - 3: Error
  - 4: Warning
  - 5: Notice
  - 6: Information
  - 7: Debug
Facility: The syslog facility reporting the message.
Message: The text of the message.

Syslog messages are stored along with traps in the event log. The Ridgeline server keeps a minimum of 10 days of event history. The event log can be a maximum of 30 MB per file and uses two rotating archive files. To retain historical event log records, periodically back up the event log.
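The Severity and Facility columns listed above are carried in the priority value at the start of each raw syslog line. The following Python code is an added example, not part of the Ridgeline guide or product: it decodes that value, stamps each row with the receive time, and keeps the last 500 messages per device. The facility keywords, the SyslogView class, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Severity names as listed for the Syslog Messages tab (codes 0-7).
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Information", "Debug")

# Conventional keywords for facility codes 0-23 (RFC 5424 numbering).
# Assumption: the guide does not list facility names.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock") + tuple("local%d" % i for i in range(8))

MAX_PER_DEVICE = 500  # the tab lists the last 500 messages per device

# <PRI> header: 1-3 digits, no leading zeros, then the rest of the message.
PRI_HEADER = re.compile(r"^<(0|[1-9]\d{0,2})>(.*)$", re.DOTALL)


def parse_line(raw, received_at):
    """Turn one raw syslog line into a Time/Severity/Facility/Message row.

    PRI = facility * 8 + severity, so valid values are 0..191.
    Raises ValueError for a missing or out-of-range PRI instead of guessing.
    """
    match = PRI_HEADER.match(raw.strip())
    if match is None:
        raise ValueError("missing or malformed <PRI> header")
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError("PRI %d is outside 0..191" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "time": received_at,  # receive time, not the sender's clock
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "facility": FACILITIES[facility],
        "message": match.group(2).strip(),
    }


class SyslogView:
    """Hypothetical per-device store that keeps only the newest messages."""

    def __init__(self, limit=MAX_PER_DEVICE):
        self._rows = defaultdict(lambda: deque(maxlen=limit))
        self.rejected = 0  # lines dropped because the PRI could not be decoded

    def receive(self, device_ip, raw, received_at):
        try:
            row = parse_line(raw, received_at)
        except ValueError:
            self.rejected += 1
            return None
        self._rows[device_ip].append(row)
        return row

    def rows(self, device_ip, worst=7):
        """Newest-first rows for a device with severity code <= worst."""
        stored = self._rows.get(device_ip, ())
        return [r for r in reversed(stored) if r["severity"] <= worst]


# Constructed sample input (not real switch output):
# (source IP, raw line, receive time).
SAMPLE = [
    ("192.0.2.1", "<187>Oct 11 22:14:15 sw1 example: port 1:3 link down",
     "2013-10-11 22:14:15"),
    ("192.0.2.1", "<190>Oct 11 22:14:20 sw1 example: configuration saved",
     "2013-10-11 22:14:20"),
    ("192.0.2.2", "<34>Oct 11 22:15:01 sw2 example: login failed for admin",
     "2013-10-11 22:15:01"),
    ("192.0.2.2", "<999>out-of-range priority", "2013-10-11 22:15:02"),
    ("192.0.2.2", "line without a priority header", "2013-10-11 22:15:03"),
]


def load_sample():
    view = SyslogView()
    for device_ip, raw, received_at in SAMPLE:
        view.receive(device_ip, raw, received_at)
    return view


if __name__ == "__main__":
    sample_view = load_sample()
    for row in sample_view.rows("192.0.2.1", worst=3):
        print(row["time"], row["severity_name"], row["facility"], row["message"])
    print("rejected:", sample_view.rejected)
```

Calling rows() with worst=3 returns only Error and more severe messages, which is the usual first filter when triaging a device's recent log.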

The Network Clients Tab


The Network Clients tab on the Device Properties dialog box lists information about the users connected through the device.
Note: The Network Clients tab only appears when the devices are running ExtremeXOS version 12.4 or earlier.
Port Number: The port on the device on which the user is logged in.
User Name: The login name of the user.
IP Address: The IP address of the user's host.
MAC Address: The MAC address of the user's host.
Authentication Type: The logon type, either network logon or 802.1x.
VLAN Name: The VLAN to which the port belongs.

Port Properties
The Port Properties window shows several tabs of information about a selected port (see the figure below). To display port properties:
1 In the navigation pane, click Main View or the desired group.
2 Double-click a desired device in the devices table. The Device Properties window appears.

Ridgeline 4.0 Service Pack 1 Reference Guide

41

Managing Your Network Inventory

3 Click the Ports tab. 4 Select a port in the list,and then click Port Properties. The Port Properties dialog box appears.

Figure 17: Port Properties Window The Port Properties dialog box may have up to three tabs: (Port) Properties Operational FDB Network Clients

The (Port) Properties Tab


The (Port) Properties tab displays the following information:
Port Number: The number of the port.
Port Name: The port name.
Media: The media for a redundant port (Primary or Redundant).
Configured Type: The type of port.
Link State: The link status of the port (Uplink or Edge port).
Port Status: Whether the port is enabled or not enabled.
Actual Speed: The speed of the port.
Actual Duplex: The duplex setting of the port (Half, Full, or None).
Load Sharing: The load sharing state of the port (on or off).
FDB Polling Status: Whether the port is being polled: Actively Polled (Edge Port) or Not Polled (Inactive Port).

The Operational FDB Tab


The top part of the Operational FDB tab shows the following information for the entries in the FDB:
Port: The port where the MAC address was discovered.
MAC Address: The MAC address that defines the entry.
IP Address(es): IP addresses detected for the MAC address.
Dynamic: A green check appears if the entry is dynamic; a red "X" appears if it is not.
Static: A green check appears if there is a static entry for the MAC in the permanent FDB; a red "X" appears if there is not.
Permanent: A green check appears if the entry is permanent; a red "X" appears if it is not.
Forwarding Type: The forwarding type: MAC, IP, IPX, MAC/IP, MAC/IPX, or unknown.
Discovered: The date and time at which Ridgeline learned the MAC address.

Select an entry in the table to display additional information about the FDB entry at the bottom of the dialog box:
Port: The port on which the MAC address was learned.
MAC Address: The MAC address that defines the entry.
Locked Down: Whether the MAC is locked to this port due to a learning limit (Yes/No).
Secure: Whether the MAC is locked to this port due to a permanent secure entry (Yes/No).
Blackhole Type: Blackhole type (None, Ingress, Egress, both).
Mirrored: Whether the MAC is mirrored (Yes/No).
Questionable: Whether the MAC is questionable (Yes/No).
Remapped: Whether the MAC has been remapped (Yes/No).
Translated: Whether the MAC has been translated (Yes/No).

The Network Clients Tab


The Network Clients tab displays the following information:
Port: The port on the device on which the user is logged on.
User Name: The logon name of the user.
IP Address: The IP address of the user's host.
Login Type: The logon type, either network logon or 802.1x.
MAC Address: The MAC address of the user's host.
VLAN: The VLAN to which the port belongs.


Discovering and Adding Network Devices


When you first install Ridgeline, the device inventory is empty. The easiest way to populate the inventory database is to have Ridgeline automatically detect and add devices on your network.
Note: It is recommended that you not add more than 50 devices at a time.
To automatically discover devices:
1 Click File > New > Discover Device. The Device Discovery dialog box appears.

Figure 18: Device Discovery Dialog Box


2 Under Discovery Information, choose:
Vendor: Select either Extreme Only for Extreme Networks devices only or MIB2 Devices to search for all MIB2-compliant devices.
Version: Select Version 1, Version 2, Version 2C, Version 3 for the version of SNMP that the target devices are using. If you select Version 3, then make selections for V3 Privacy Protocol and Authentication Protocol below. If you select Version 1, then enter a value in the Read Community box.
Timeout: Type or select the length of time to wait for an SNMP request to complete when attempting to contact the devices within the discovery range.
V3 Privacy Protocol: Select either No Privacy or CBC DES Privacy. The default is No Privacy.
Authentication Protocol: Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
Discovery Type: Select SNMP.
Read Community: Specify (or verify) the SNMP read community string so that Ridgeline can retrieve information from any SNMP version 1 devices it discovers.
V3 User Name: Specify the principal name used for SNMP V3 authentication and security. The default is initialmd5.
V3 Privacy Password: If the devices use CBC DES Privacy, type the privacy password. The default is an empty password (no password).
Authentication Password: Type the authentication password. The default password is initialmd5.
3 Under IPv4, enter your desired discovery criteria:
Range: Specify the device address range, such as 10.203.10.20 to 10.203.10.45.
IP/Net Mask (CIDR): Specify the device address range, in Classless InterDomain Routing (CIDR) format. The value in the Subnet Mask field is the number of bits to be masked, starting from the high-order (left-hand) octet.
Wildcard: Specify the device address range using wild cards, such as 10.203.10.* or 10.203.?.??. Valid wildcard characters are *, ?, and - (dash):
* acts as a wildcard for the entire octet (0-255).
? is a wildcard for a single digit (0-9).
- lets you specify a range for any octet. You can use this in more than one octet. You cannot combine the dash with another wildcard in the same octet.
4 To use the discovery criteria, click Add. The discovery criteria is added to the table. To add additional ranges, IP/subnet masks, or wildcard options, click Add.
Note: There are certain IP addresses that are reserved. You should not include these addresses in your discovery:
Class A networks: 0 and 127 are reserved.
Class D networks: 224 - 239 are reserved for multicasting.
All addresses above 239 are reserved.
255 is reserved for broadcast datagrams for either the host or network portion of the IP address.

In addition, certain host addresses may be interpreted as broadcast addresses, depending on the subnetting of your network. IP addresses are processed prior to starting the discovery, and IP addresses that contain "255" in the host portion are eliminated. This is based on the IP address as well as the subnet mask.

The following examples show how the various wild-card specifications can be used to specify various IP address ranges:

IP Address Specification          Addresses Generated
10.203.0.*                        polls 10.203.0.0 through 10.203.0.255
10.203.?.??                       polls 10.203.0.0 through 10.203.9.99
10.203.0.1? or 10.203.0.10-19     both specify the same range: 10.203.0.10 through 10.203.0.19
10.203.0-2.10-30                  polls 10.203.0.10 through 10.203.0.30
                                        10.203.1.10 through 10.203.1.30
                                        10.203.2.10 through 10.203.2.30

5 Click Discover. The Discovery Results dialog box appears.

Figure 19: Discovery Results Dialog Box


6 To add the device to your inventory, click the check boxes for the desired devices, and then click Add. The Add Device dialog box appears.

Figure 20: Add Device Dialog Box

7 On the Basic Information tab:
Poll Interval: Select the time interval that controls how frequently Ridgeline polls the device(s) for detailed status information. The default setting for the device poll interval is 30 minutes for an Extreme Networks modular chassis and 90 minutes for an Extreme stackable chassis.
Note: Basic device status information is polled more frequently, and that interval is set as a server property (see Distributed Server Administration).
Device Login: Type your administrative logon user name.
Device Password: Type your administrative logon password.
Device Manager Protocol: Select either HTTP or HTTPS.
Additional Info: Any information you want to be included, by default, for all the devices added to the Ridgeline inventory in this operation. Maximum of 255 characters. You can view or change this information later in the Device Panel dialog box (see Device Inventory View on page 38).
8 On the SNMP Information tab, the selections that you made during device discovery appear. If you wish to change them:
Version: Select Version 1, Version 2, Version 2C, Version 3 for the version of SNMP that the target devices are using. If you select Version 3, then make selections for V3 Privacy Protocol and Authentication Protocol below. If you select Version 1, then enter a value in the Read Community box.
Write Community: Specify (or verify) the SNMP Write Community string so that Ridgeline can retrieve information from any SNMP version 1 devices it discovers. The default (for Extreme Networks devices) is private.
V3 Privacy Protocol: Select either No Privacy or CBC DES Privacy. The default is No Privacy.
Authentication Protocol: Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
Read Community: Specify (or verify) the SNMP read community string so that Ridgeline can retrieve information from any SNMP version 1 devices it discovers.
V3 User Name: Specify the principal name used for SNMP V3 authentication and security. The default is initialmd5.
V3 Privacy Password: If the devices use CBC DES Privacy, type the privacy password. The default is an empty password (no password).
Authentication Password: Type the authentication password. The default password is initialmd5.

9 Click OK. The Progress And Results dialog box appears. Successfully added devices appear with a check mark, and devices that were not added appear with an X.

Figure 21: Progress And Results Dialog Box

10 Click Close. Newly added device(s) appear in the devices table on the Devices tab under Main View.
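
The wildcard rules in step 3 and the reserved-address note after step 4 can be checked before a discovery is run, to see exactly which addresses a specification covers. The following Python sketch is an added example, not Ridgeline code: expand_spec, discovery_targets and the max_addresses limit are hypothetical names, and dropping only the all-ones host address for a given prefix length is an assumed reading of the guide's "255 in the host portion" rule.

```python
import ipaddress
from itertools import product

DIGITS = "0123456789"


def _is_number(text):
    return text != "" and all(ch in DIGITS for ch in text)


def expand_octet(field):
    """Return the sorted octet values (0-255) matched by one wildcard field."""
    if field == "*":                      # '*' stands for the whole octet
        return list(range(256))
    if "-" in field:                      # inclusive range such as 10-19
        if "*" in field or "?" in field:  # the guide forbids mixing these
            raise ValueError(f"dash combined with another wildcard: {field!r}")
        low, _, high = field.partition("-")
        if not (_is_number(low) and _is_number(high)):
            raise ValueError(f"malformed range: {field!r}")
        low, high = int(low), int(high)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"range outside 0-255: {field!r}")
        return list(range(low, high + 1))
    if not 1 <= len(field) <= 3 or any(ch not in DIGITS + "?" for ch in field):
        raise ValueError(f"malformed octet: {field!r}")
    # Each '?' stands for one digit 0-9; '1?' is 10-19 and '??' is 0-99.
    choices = [DIGITS if ch == "?" else ch for ch in field]
    values = sorted({int("".join(d)) for d in product(*choices)} & set(range(256)))
    if not values:
        raise ValueError(f"octet matches nothing in 0-255: {field!r}")
    return values


def expand_spec(spec, max_addresses=65536):
    """Expand a dotted wildcard specification into a list of IPv4 strings."""
    fields = spec.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    octets = [expand_octet(f) for f in fields]
    total = 1
    for values in octets:
        total *= len(values)
    if total > max_addresses:             # assumed safety limit, not a Ridgeline setting
        raise ValueError(f"{spec!r} covers {total} addresses, limit is {max_addresses}")
    return [".".join(map(str, combo)) for combo in product(*octets)]


def discovery_targets(spec, prefix_len):
    """Expand spec and drop the reserved addresses named in the guide's note."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    host_mask = (1 << (32 - prefix_len)) - 1
    kept = []
    for text in expand_spec(spec):
        value = int(ipaddress.IPv4Address(text))
        first_octet = value >> 24
        # 0 and 127 are reserved, 224-239 is multicast, above 239 is reserved.
        if first_octet in (0, 127) or first_octet >= 224:
            continue
        # Assumed rule: the all-ones host portion is the subnet broadcast address.
        if host_mask and value & host_mask == host_mask:
            continue
        kept.append(text)
    return kept
```

Running discovery_targets on each row of the discovery criteria table before clicking Discover shows how many hosts will receive SNMP requests and which entries are silently dropped.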

Manually Adding Devices to Ridgeline


To add devices to the Ridgeline database manually (without doing a discovery):
1 Click File > New > Add Device. The Add Device dialog box appears.

Figure 22: Add Device Dialog Box

2 On the Basic Information tab, enter information in the following boxes as needed:
Device IP Address: The device IP address that Ridgeline uses to access the device. You may also enter a DNS-resolvable host name.
Poll Interval: Controls how frequently Ridgeline polls the device for detail status information. (Basic device status information is polled more frequently, and that interval is set as a server property in Ridgeline Administration.) The default setting for the device poll interval is 30 minutes for an Extreme modular chassis and 90 minutes for an Extreme stackable chassis.
Device Login: The logon user name that Ridgeline should use to access the device.
Device Password: The logon password that Ridgeline should use to access the device.
SSH: If you want to use SSH2 for secure Telnet sessions, select Enabled. SSH2 must be configured on the device to allow an SSH2 session. If SSH is not available (SSH enabling key not installed) this option is not available.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Additional Info: Any additional information you want to be included with this device. Maximum of 255 characters. You can view or change this information later in the Device Panel dialog box (see Device Inventory View on page 38).

3 To configure SNMP information for the device, click the SNMP tab, and then enter information in the following boxes:
Version: Select the SNMP version (Version 1, Version 2, Version 2C, Version 3).
Read Community: If the device is using SNMP version 1, enter the SNMP read community string for the device. The default (for Extreme Networks devices) is public.
Write Community: If the device is using SNMP version 1, enter the SNMP write community string for the device. The default is private.
V3 User Name: If the device is using SNMP version 3, enter the principal name used for SNMP V3 authentication and security. The default is initialmd5.
V3 Privacy Protocol: If the device is using SNMP version 3, select a SNMP V3 privacy protocol: No Privacy or CBC DES Privacy. The default is No Privacy.
V3 Privacy Password: If the device is using SNMP version 3, select SNMP V3 privacy password. If the device is using CBC DES Privacy, type the privacy password. The default is no password (an empty string).
Authentication Protocol: The SNMP V3 authentication protocol. Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
Authentication Password: If the device is using SNMP V3 authentication, type the authentication password. The default password is initialmd5.

4 Click Add above Found Device. If the device is found, it appears in the Found Devices table.
5 (Optional) To find additional devices, repeat step 2.
6 In the Found Devices table, select the check box next to the device(s) you want to add to the Ridgeline database.
7 Click Manage. The Progress and Results dialog box appears. If the device is added successfully, the successful status appears in the Status column.

Figure 23: Progress and Results Dialog Box

Deleting Devices from the Inventory


Deleting a device from inventory removes the information about the device from the Ridgeline database; the device can no longer be monitored and managed from the Ridgeline application. If the device is an Extreme Networks device, deleting it removes any SmartTraps rules, both from the database and the switch change table. It also removes all information about VLANs, QoS policy, and virtual chassis connections associated with this device from the Ridgeline database.
Note: Deleting a device from Ridgeline has no effect on the configuration of the device itself, other than altering the trap receiver table.
Note: It is recommended that you not delete more than 50 devices at a time.
You must have read-write access to delete devices from the Ridgeline database or from device groups.
To delete a device:
1 In the navigation pane, click Main View or the desired device group.
2 Select the associated check box for the device you want to delete.
3 Click Delete. You are prompted to confirm the deletion. If you are deleting the device from a device group, you are prompted whether you want to delete the device from only the currently selected group or from all groups.

Updating Device Information


Occasionally, you may want to update the configuration and status information for one or more devices in the Ridgeline database. The sync device operation allows you to manually update information about a device if you believe that the device configuration is not correctly represented in Ridgeline. It updates all information for a selected set of devices, except for the contact information.
To refresh the configuration and status information for a device:
1 Select the associated check box(es) for desired device(s). You can select more than one device at a time.
2 Click Sync Device. The Progress And Results dialog box appears showing which devices were updated successfully.
3 Click Close.
Ridgeline uses SNMP to retrieve configuration and status information from each selected switch, and updates the Ridgeline database with that information.
Note: Offline devices display a warning and are not synchronized. For information about how to put a device into the offline state, see Modifying Communications Settings on page 51.

Modifying Communications Settings


You can modify the access parameters for an individual device, or add and delete members of a device group. You must have read-write access to modify device contact information and device groups.

To modify the communications settings for managed devices in the database:
1 In the navigation pane, click Main View or a device group.
2 Select the devices that you want to change communications settings for (you can revise this later).
3 Click Device > Modify Communications Settings. The Modify Communications Settings dialog box appears (see the following figure).

Figure 24: Modify Communications Settings Dialog Box

4 In the table, select the devices you want the changes to apply to by clicking their check boxes.

5 On the Basic Information tab, make selections for the following:
Device IP Address: The IP address of the selected device. If multiple devices are selected this box is unavailable.
Device Login: The logon needed to Telnet to the device or to use ExtremeWare Vista.
SSH: Selects whether Ridgeline should use SSH2 for secure Telnet sessions. SSH2 must be configured on the device in order for an SSH2 session to be established between Ridgeline and the device. If SSH is not available (SSH enabling key not installed) this box is unavailable.
Note: If you disable SSH on the device, you can no longer make changes to this setting in Ridgeline. Be sure to disable SSH in Ridgeline before you disable it on the device.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Poll Interval: Specifies how frequently the Ridgeline server should poll for detailed device information, such as software version, BootROM version, etc. This also includes EDP and ESRP information for non-i series devices. To avoid a potentially large amount of polling traffic, this detailed polling is only done by default every 3 hours for core (chassis) devices and 7 hours for edge devices. You can change this detailed polling interval by entering a different value in this field. However, it is not recommended that you reduce this value below the default.
Device Password: The password needed to Telnet to the device or to use ExtremeWare Vista.
Offline: Sets the device to the offline state in the Ridgeline database. The device state can either be offline or online.
Additional Info: Any additional information you want to be included with this device. Maximum of 255 characters.

6 Click the SNMP Information tab, and then make selections for the following:
Version: The version of SNMP that Ridgeline uses to access the device.
Write Community: Can be modified if the device is using SNMP version 1. Default is private.
V3 Privacy Protocol: Specifies the SNMP V3 privacy protocol. Select either No Privacy or CBC DES Privacy. The default is No Privacy.
Authentication Protocol: Specifies the SNMP V3 authentication protocol. Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
Read Community: Can be modified if the device is using SNMP version 1. The default is public.
V3 User Name: The principal name used for SNMP V3 authentication and security. The default (for Extreme Networks devices) is initialmd5.
V3 Privacy Password: If the device is using CBC DES Privacy, enter the privacy password. The default is an empty password (no password).
Authentication Password: If the device is using SNMP V3 Authentication, enter the authentication password. The default password is initialmd5.

7 Click OK.


If you have modified the Device Password (under the Basic Information tab) or the SNMP Community strings, on Extreme Networks devices, Ridgeline asks if you want to change those values on the switch as well as in the Ridgeline database. If you change any other values, such as the SNMPv3 settings, Ridgeline does not warn you and does not make changes on the device. This warning does not appear if you have changed only third-party devices.

To change the values in the Ridgeline database and on the device itself, click Device and Database.
To change the values only in the Ridgeline database, click Database Only.

If you have already changed these values on the device, you should select Database Only, as Ridgeline will not be able to communicate with the device until after these settings have been changed in the database. If you change the community string in the database for a device, and do not elect to change it on the device, Ridgeline may no longer be able to communicate with the device.

For settings other than the device password and community strings, Ridgeline does not make any changes on the device. To continue to communicate with the device, you must Telnet to the device to make changes. If you change the device password in both the database and the device, Ridgeline can still contact the device via Telnet to open a Telnet session on the device.

If you have modified both Extreme Networks and third-party devices, and you select Device and Database, the device configuration occurs only on the Extreme Networks devices.

Configuring Default Access Parameters


For simplicity in managing multiple devices in large networks, administrators typically use the same logons, passwords, community strings and so on, for multiple devices. Therefore, to save time when adding new devices, Ridgeline provides default values for these communication parameters. To save time when you add your own network devices to the Ridgeline inventory, you can configure the default values to those used in your own network.

Ridgeline uses the ExtremeXOS default values for its switches as the defaults in Ridgeline:
Log on as admin with no password
SSH2 disabled
For Cisco devices only, the default Cisco-enabled password (none)
Default SNMP v1 community strings public (for read) and private (for write)
SNMP V3 user initialmd5
SNMP V3 privacy set to No Privacy, with no password
SNMP V3 authentication set to MD5 Authentication, with password initialmd5

You can configure a set of default access parameters for network devices you have not yet discovered. After you configure the default access parameters, the network devices you discover and add to the Ridgeline database have these default parameters. You can change the defaults for any individual device or set of devices when you initially add the devices to Ridgeline, or later by selecting the device in the Main View or device group, and then clicking Device > Modify Communications Settings (see Modifying Communications Settings on page 51).

To configure default access parameters:
1 Click Tools > Default Communications Settings. The Default Communications Settings dialog box appears.

Figure 25: Default Communication Settings Dialog Box

2 On the Basic Information tab:
Device Login: The device user name required for Telnet or to use ExtremeWare Vista. The default is admin.
Device Password: The device password. The default is no password.
SSH: Whether SSH2 should be used for secure Telnet sessions. Select Enabled if Ridgeline should use SSH2. SSH2 must be configured on the device in order for an SSH2 session to be established between Ridgeline and the device. The default is Disabled.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device. The default is HTTP.
Additional Info: Any information you want to be included, by default, for all devices added to the Ridgeline inventory. Maximum of 255 characters.

3 Click the SNMP Information tab to make changes to any of the SNMP communication settings (see the figure below). These changes apply to future network devices that you add to the Ridgeline database.

Figure 26: Default Device Communication Settings Window, SNMP Tab

Read Community: The SNMP community string for devices using SNMP version 1. The default is public.
Write Community: The SNMP community string for devices using SNMP version 1. The default is private.
V3 User Name: The principal name used for SNMP V3 authentication and security. The default is initialmd5.
V3 Privacy Protocol: Specifies the SNMP V3 privacy protocol. Select either No Privacy or CBC DES Privacy. The default is No Privacy.
V3 Privacy Password: If the device is using CBC DES Privacy, enter the privacy password. The default is no password (an empty string).
V3 Authentication Protocol: Specifies the SNMP V3 authentication protocol. Select No Authentication, MD5 Authentication, or SHA Authentication. The default is MD5 Authentication.
V3 Authentication Password: If the device is using SNMP V3 Authentication, enter the authentication password. The default password is initialmd5.

4 Click OK to save your changes to the Ridgeline database. A message appears showing you the progress of saving your settings.
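
The defaults listed in this section (admin with no password, SSH2 disabled, HTTP, community strings public and private, SNMP V3 user and password initialmd5, No Privacy) are the values to look for when reviewing devices already in the inventory. The following Python check is an added example, not part of Ridgeline: the CSV column names, the finding labels and the sample rows are constructed, since this guide does not describe an export of these settings.

```python
import csv
import io

# Default access parameters as listed in "Configuring Default Access Parameters".
DEFAULT_LOGIN = "admin"
DEFAULT_READ_COMMUNITY = "public"
DEFAULT_WRITE_COMMUNITY = "private"
DEFAULT_V3_USER = "initialmd5"
DEFAULT_V3_AUTH_PASSWORD = "initialmd5"

# Constructed sample inventory; column names are hypothetical.
SAMPLE_INVENTORY = """name,ip,login,password,ssh2,manager_protocol,snmp_version,read_community,write_community,v3_user,v3_auth_protocol,v3_auth_password,v3_privacy_protocol
core-1,10.203.0.10,admin,,Disabled,HTTP,1,public,private,,,,
edge-7,10.203.0.17,netops,S3t-by-0ps,Enabled,HTTPS,3,,,ridgeline-ro,SHA Authentication,Long-Auth-Phrase,CBC DES Privacy
edge-9,10.203.0.19,admin,Changed-0nce,Enabled,HTTPS,3,,,initialmd5,MD5 Authentication,initialmd5,No Privacy
"""


def audit_device(row):
    """Return the list of default or cleartext settings found for one device."""
    findings = []
    if row["login"] == DEFAULT_LOGIN and row["password"] == "":
        findings.append("default-login-empty-password")
    if row["ssh2"] != "Enabled":
        # With SSH2 disabled, device sessions run over Telnet in cleartext.
        findings.append("ssh2-disabled-telnet-in-use")
    if row["manager_protocol"] == "HTTP":
        findings.append("element-manager-over-http")

    if row["snmp_version"] == "3":
        if row["v3_user"] == DEFAULT_V3_USER:
            findings.append("default-v3-user")
        if row["v3_auth_protocol"] == "No Authentication":
            findings.append("v3-no-authentication")
        elif row["v3_auth_protocol"] == "MD5 Authentication":
            # MD5 is the shipped default; SHA is the other option the dialog offers.
            findings.append("v3-md5-authentication")
        if row["v3_auth_password"] == DEFAULT_V3_AUTH_PASSWORD:
            findings.append("default-v3-auth-password")
        if row["v3_privacy_protocol"] == "No Privacy":
            # Without privacy, SNMP V3 payloads are not encrypted.
            findings.append("v3-no-privacy")
    else:
        # Community strings act as shared passwords and travel in cleartext.
        if row["read_community"] == DEFAULT_READ_COMMUNITY:
            findings.append("default-read-community")
        if row["write_community"] == DEFAULT_WRITE_COMMUNITY:
            findings.append("default-write-community")
    return findings


def audit_inventory(csv_text):
    """Map each device name in the CSV text to its list of findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: audit_device(row) for row in reader}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else ", ".join(findings))
```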

Opening a Telnet Session to a Device


You can open a Telnet session on an individual device, and execute commands just as you would from a standard Telnet interface. You can optionally record the commands and output from a Telnet session and save the results to a file. For Extreme Networks devices, Ridgeline automatically logs into the switch based on the device logon name and contact password configured for the device when adding it to the inventory (see Discovering and Adding Network Devices on page 44 or Manually Adding Devices to Ridgeline on page 48). For third-party devices, you need to provide the logon credentials interactively.

To open a Telnet session to a device:
1 In the navigation pane, click Main View or the desired device group.
2 Select the associated check box of the desired device in the device table.
3 Click Telnet to Device. A Ridgeline Telnet window opens, and a Telnet session to the device is started.

Figure 27: Ridgeline Telnet Window

The Ridgeline Telnet window has a top portion that is gray, and a bottom portion that is white. The last 25 lines of Telnet commands and responses always appear in the white portion of the window. As output grows, the older lines scroll up into the gray portion of the window. This makes it easy to tell whether you are viewing the most recent Telnet output.

To copy text in a Ridgeline Telnet window: Select the text, right-click, and then click Copy.
To paste text from the clipboard to the command prompt in the Ridgeline Telnet window: Right-click, and then click Paste.
To record the commands and output from a Telnet session: Click Start Recording.
To stop the recording: Click Stop Recording.

The recorded Telnet session file is saved in the following directory:
On Windows systems: C:\Documents and Settings\<user>\.epicenter
On Linux systems: ~<user>/.epicenter
The file name is in the format <device_ipaddr>-<date>-<time>.txt; for example: 10_210_12_4-20090113-120302.txt

Providing Device Information for Extreme Networks Support (Show Tech Command)
During a telnet recording session, you record device information that includes troubleshooting information for the device. After you finish a recording you can zip the information and upload it to Extreme Networks eSupport.

To record the show tech command and output from a Telnet session:
1 In the navigation pane, click Main View or the desired device group.
2 Select the associated check box of the desired device in the device table.
3 Click Telnet to Device. A Ridgeline Telnet window opens, and a Telnet session to the device starts (see Figure 27: Ridgeline Telnet Window on page 57).
4 Click Start Recording.
5 Type the command at the telnet prompt:
    # show tech
This command has the following options:
    show tech brief: Provides a short description of the device information
    show tech detailed: Provides specific device information
6 Click Stop Recording when the command process ends. The recorded commands and output from the Telnet session are saved to a file on your local system:
On Windows systems: C:\Documents and Settings\<user>\.epicenter
On Linux systems: ~<user>/.epicenter
The file name is in the format <device_ipaddr>-<date>-<time>.txt; for example: 10_210_12_4-20090113-120302.txt
7 Go to the directory on your local system and zip the file.
8 Upload the zipped file to Extreme Support.

Providing Device Information for Extreme Network Support


You can log into a device from the server and run ExtremeXOS commands that collect information about the device, save it to an archive and send it to the server's TFTP directory. You can then log into the server and get the archive.

To collect information about a device and copy it to the server TFTP directory:
1 In the navigation pane, click Main View or the desired device group.
2 On the Devices tab, select the associated check box of the device from which you want to collect data.
3 Click Telnet to Device (see Figure 27: Ridgeline Telnet Window on page 57).
4 In the Telnet window, type the show tech all logto file command. The following example shows the command and the command messages:

    BD-12804.1 # show tech all logto file
    show tech command output is logging into internal-memory
    ...................................................
    show tech command output file show_tech.log.gz is saved into internal-memory
    BD-12804.2 #

5 Type the command upload debug <IP_address> where <IP_address> is the address of the server. When prompted to run the show tech logto file command, type N. The following example shows the command and command messages.

    BD-12804.2 # upload debug 10.210.16.74
    Do you want to run show tech logto file first? (y/N) No
    ..........................
    The following files on the MASTER have been uploaded:
    Tarball Name: BD-12804_AI_09081505.tgz
    ./show_tech.log.gz
    ./trace.devmgr.27844
    ./trace.nodemgr.27845
    Tarball Name: BD-12804_AC_09081505.tgz
    ./epicenter.cfg
    ./mullai_torino.cfg
    ./primary.cfg
    ./secondary.cfg
    ./snapshot.cfg
    ./torino-0404.cfg
    BD-12804.3 #

In this example, two .tgz archives are created: BD-12804_AI_09081505.tgz and BD-12804_AC_09081505.tgz
6 On the server, verify the location of the TFTP folder by clicking Tools > TFTP server configuration. The Configure TFTP Server dialog box (shown below) displays the path to the TFTP folder in the Set TFTP Root field.

Figure 28: Configure TFTP Server

If the server uses the default system TFTP server, then the path is: \Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\user.war\tft.
7 Log into the server to retrieve the .tgz files using the protocol that the server requires, Telnet or SSH.

3 Organizing Devices and Ports Into Groups

This section describes how to place devices and ports into logical, hierarchical groups.

Overview of Device Groups and Port Groups


With Ridgeline you can assemble groups of devices and ports, and view information about them or manage them at a group level. The Ridgeline grouping feature allows you to do the following:

Organize your devices and ports into logical groups (see Creating Groups on page 62). For example, you can create a device group, Main Campus, consisting of devices in that location. Within the Main Campus device group, you can create subgroups such as Building 1, Building 2, and so on, and administer and view status of devices within the individual groups. You can create a port group consisting of the voice-over-IP (VoIP) ports on all switches in your network, and monitor status of the ports in the group.
Control the scope for performing tasks in Ridgeline.
View your device groups graphically. The Ridgeline network map feature allows you to create diagrams of device groups in your network and display information about them graphically (see Overview of Ridgeline Map Views on page 71).

Displaying Groups under Device Configuration


To display the device and port groups in Ridgeline, click Main View or any of the device/port groups. The following figure shows the display for a device group.


Figure 29: Displaying a Device Group

Callouts in the figure: Details of selected device, Map view of selected group, Top-level group, Port group, Main View, Table view of selected group.

By default, the Main View contains all of the devices known to Ridgeline. You can create groups and subgroups and populate them with devices from the Main View group. A group can have multiple subgroups below it. The alarm status for the group is indicated on the folder icon next to the group name.

Clicking a group shows information about the devices in the table view. In the table view are tabs for displaying information about links between the devices, VLANs, and EAPS configurations. When an advanced license is installed, there are also tabs for VPLS and PBB. Information in the table view can be exported to a Microsoft Excel spreadsheet (see Exporting Group Information).

The map view allows you to view a graphical representation of the devices in a top-level device group and its subgroups, as well as the status of links between the devices. For information about creating and using maps, see Overview of Ridgeline Map Views on page 71.

Group Membership Guidelines


Groups can contain only one kind of object: ports cannot be members of device groups, and devices cannot be members of port groups.


A given device or port can reside in multiple groups, but not within the same top-level group hierarchy. For example, you can create a top-level device group called North America, with a subgroup Bay Area that has a subgroup Santa Clara Campus. If you place a given switch in the Santa Clara Campus subgroup, you cannot also place the same switch in either of the North America or Bay Area groups. However, if you create a second top-level group called EXOS Switches, which is not a subgroup of the North America group, you can place the switch in the EXOS Switches group, even though the switch also resides in the Santa Clara Campus subgroup of the North America group.
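The membership rule above, and the copy or move check described under Copying or Moving Groups, can be modelled as follows to audit an exported group listing. This is an added example, not Ridgeline code; the membership list, the device names, and the assumption that a copied group keeps its name under the destination group are constructed for illustration.

```python
from collections import defaultdict

SEP = "|"  # Ridgeline writes group locations as "North America | Bay Area"

# Constructed sample: (member, group location) pairs, as they might be
# collected from exported group tables. Names follow the example in the text.
SAMPLE = [
    ("switch-1", "North America | Bay Area | Santa Clara Campus"),
    ("switch-1", "EXOS Switches"),
    ("switch-2", "North America | Bay Area"),
]


def normalize(location):
    """Canonical 'A | B | C' form of a group location string."""
    parts = [p.strip() for p in location.split(SEP)]
    if not all(parts):
        raise ValueError(f"malformed group location: {location!r}")
    return " | ".join(parts)


def top_level(location):
    """Name of the top-level group that a location belongs to."""
    return normalize(location).split(" | ")[0]


def find_conflicts(memberships):
    """Return {member: {top_level: [locations]}} for every member that sits
    more than once inside the same top-level group hierarchy."""
    seen = defaultdict(lambda: defaultdict(list))
    for member, location in memberships:
        seen[member][top_level(location)].append(normalize(location))
    return {
        member: {top: locs for top, locs in by_top.items() if len(locs) > 1}
        for member, by_top in seen.items()
        if any(len(locs) > 1 for locs in by_top.values())
    }


def can_place(memberships, member, location):
    """True if adding `member` at `location` keeps the rule satisfied."""
    target = top_level(location)
    return not any(
        m == member and top_level(loc) == target for m, loc in memberships
    )


def apply_group_op(memberships, source, dest, move=False):
    """Memberships that would result from copying (or moving) the group at
    `source`, with its subgroups, under the group at `dest`.
    Assumption of this example: the group keeps its name under `dest`."""
    src, dst = normalize(source), normalize(dest)
    name = src.split(" | ")[-1]
    result = []
    for member, location in memberships:
        loc = normalize(location)
        inside = loc == src or loc.startswith(src + " | ")
        if inside:
            result.append((member, dst + " | " + name + loc[len(src):]))
        if not inside or not move:
            result.append((member, loc))
    return result


def group_op_allowed(memberships, source, dest, move=False):
    """True if the copy or move leaves no member twice in one hierarchy."""
    return not find_conflicts(apply_group_op(memberships, source, dest, move))


if __name__ == "__main__":
    print(can_place(SAMPLE, "switch-1", "North America | Bay Area"))
    print(group_op_allowed(SAMPLE, "EXOS Switches", "North America"))
```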

Managing Device Groups and Port Groups


Creating Groups

To create a group:
1 Under Device Configuration, click Main View.
2 Click New > Group. The New Group dialog box appears.

Figure 30: New Group Dialog Box

3 Type a meaningful name and optional description for the new group in the Name and Description boxes respectively.
4 Select Device Group or Port Group depending on which type of group you are creating.
5 In Group location, select the location in the hierarchy where the new group should be placed.
6 Click OK.

Adding Devices to Device Groups

To add a device to a device group:


1 Click Main View, and then select the desired device(s) in the table list.
2 Click Copy To Device Group. The Copy to Group dialog appears (see the following figure). By default, only the top-level groups appear. To display the subgroups within a top-level group, click the plus sign next to the group name.

Figure 31: Copy to Group Dialog Box

3 Select the group in which you want to place the device. Note that a device can be placed in a top-level group hierarchy only once. For more information about grouping rules, see Group Membership Guidelines.
4 Click OK.

Adding Ports to Port Groups

The ports that make up a port group can be either from a single device or from multiple devices. You can add ports from:
- Single device (see Adding Ports from a Single Device to Port Groups on page 63)
- Multiple devices (see Adding Ports from Multiple Devices to Port Groups on page 65)

Adding Ports from a Single Device to Port Groups

You can add ports to port groups from a single device or multiple devices (see Adding Ports from Multiple Devices to Port Groups on page 65). To add ports from a single device to a port group:
1 Display the device in a table of devices. (One way to do this is to click Main View.)


2 Do one of the following to display the device's ports:
- Right-click the device, and then click Open to open the device's detail window (see the following figure).
- Double-click the device to open the device's detail window shown below.
- Click the device to view the device's details in the lower pane.

Figure 32: Device Details Window

3 Select the ports that you want to add to the port group. Press [Shift] + click to select a continuous section of ports or press [Ctrl] + click to select individual ports.
4 After selecting the ports, right-click, and then click Copy to Port Group. The Copy to Port Group dialog box appears (see the following figure). Only top-level groups appear. To display subgroups, click the plus sign next to the group name.

Figure 33: Copy to Port Group Dialog Box

5 Select the group in which you want to place the port(s). A port can be placed in a top-level group hierarchy only once. For more information about group rules, see Group Membership Guidelines.
6 Click OK.


Adding Ports from Multiple Devices to Port Groups

You can add ports to port groups from multiple devices or a single device (see Adding Ports from a Single Device to Port Groups). To add ports from multiple devices to a port group:
1 Click File > Group > Add ports to port group. The Add ports to port group dialog box appears.

Figure 34: Add Ports to Port Group Dialog Box

2 To view all devices in the inventory, click All Devices; to view only devices in a particular group, click Device Group, click , select the desired group, and then click OK.
3 Select a device by clicking it, and then clicking to move the device into the right pane.


4 After you have selected all of the desired devices, click Next. The Add ports to port group - port selection dialog box appears.

Figure 35: Add Ports To Port Group - Port Selection Dialog Box

5 Select the desired ports for the group by clicking the associated check box(es). Press [Shift] + click to select a continuous group of ports; press [Ctrl] + click to select individual ports.


6 After you have selected the ports, click Finish. The Copy to Port Group dialog box shown below appears. Only top-level groups appear. To display subgroups, click the plus sign (+) next to the group name.

Figure 36: Copy to Port Group Dialog Box

7 Select the group in which you want to place the port(s). A port can be placed in a top-level group hierarchy only once. For more information about group rules, see Group Membership Guidelines.
8 Click OK.

Copying or Moving Groups

You can copy or move a device group into another device group, and copy or move a port group into another port group. Note that device groups cannot be moved or copied into port groups and port groups cannot be moved or copied into device groups. Groups cannot be copied or moved to the Main View group.

To copy or move a group to another group:
1 Under Device Configuration in the navigation pane, select the group that you want to copy or move.
2 Right-click the group, and then select either Copy to Group or Move to Group. The Copy to Group or Move to Group dialog box appears (see the following figure). By default, just the top-level groups appear. To display the subgroups, click the plus sign next to the group name.

Figure 37: Copy to Group Dialog Box

3 Select the destination group in which you want to copy or move the selected group by clicking it.
4 Click OK. The selected group is moved or copied to the destination group.

If the copy or move operation would result in a device or port being placed in a top-level group hierarchy more than once, an error message appears, and the operation is cancelled.


Removing Devices or Ports from Groups

To remove a device or port from a group:
1 Under Device Configuration in the navigation pane, select the group that contains the device or port that you want to remove.
2 Select the device or port in the table by clicking its associated check box.
3 Click Edit > Delete. Ridgeline prompts you for confirmation to delete the selected devices or ports. For a device, you can choose to delete it from just the selected group or from all groups. If you delete a device from all groups, it is removed from the Ridgeline inventory database.

Modifying the Properties of a Group

You can change the properties for a device group or port group, including the group name or description. To change the properties for a group:
1 Under Device Configuration in the navigation pane, select the group whose properties you want to modify.
2 Right-click the group, and then click Properties. The Device Group Properties dialog box appears:

Figure 38: Device Group Properties Dialog Box

Table 3: Device Group Properties


| Property | Description |
|---|---|
| Name | The name of the group. |
| Description | The description for the group (optional). |
| Type | Whether this is a device group or a port group. |
| Location | The location within group hierarchy where the group resides. Groups and subgroups within the hierarchy are indicated by a vertical bar (\|) between device group names. For example, North America \| Bay Area indicates a top-level group North America with a subgroup Bay Area. |
| Last Modified | The date and time the group was last modified. |
| Contains | The number of devices or ports and subgroups contained within the group. |
| View Port Inventory | For device groups, provides a link to the Port Inventory window, listing information about the number of active ports for each device in the group. |


3 Add or change information in the Name or Description boxes.
4 Click OK to save the changes.

Displaying Group Details

To display details about a group, click the group's row in the table view of the group's parent group. Information about the selected group appears in the details pane at the bottom of the window.

Figure 39: Group Details Pane
1 Group details pane
2 Selected parent group
3 Selected group in table view

Double-click the group row to display the group's devices table with a device details pane at the bottom of the window (see the following figure).


Figure 40: Group Details Window
1 Selected device group
2 Other subgroups
3 Selected device with its details pane


4 Using Map Views


Overview of Ridgeline Map Views
Displaying a Map View
Map Elements
Creating Topology Maps

This chapter describes Ridgeline's network topology map feature and how you can use it to create graphical representations of device groups in your networks.

Overview of Ridgeline Map Views


Ridgeline's network topology map feature allows you to view your network (Ridgeline-managed devices and the links between devices) graphically, as a set of maps. These maps can be organized into sets of submaps that allow you to represent your network as a hierarchical system of campuses, buildings, floors, closets, or whatever logical groupings you want. You can also create additional map views (sets of maps) for different purposes.

Ridgeline's map view is a graphical representation of a specific device group or the Main View group. When you create a device group, you have the option of selecting the map view of the group, which causes Ridgeline to generate a network topology map, populated with the devices in the group. Ridgeline also adds any links that exist between the device nodes and organizes them into submaps as appropriate. You can customize the resulting maps by moving elements, adding new elements, such as links, user-defined nodes (nodes that aren't discovered or managed by Ridgeline), and text, and customizing the device nodes themselves.

Note: Links can only be discovered and auto-populated between Extreme Networks devices that have the Extreme Discovery Protocol (EDP) or the Link Layer Discovery Protocol (LLDP) enabled, or on third-party devices with LLDP enabled. Links cannot be discovered on non-Extreme Networks devices that do not run LLDP, or on Extreme Networks devices with EDP and LLDP disabled.

In addition, from a managed device node on a map, you can access other Ridgeline functions such as the Alarm Manager, Telnet, or view device details. You can customize the layouts of your maps into hierarchical views using copy-and-paste, or by deleting devices from one map and then adding them to a different map. You can also add and remove user-defined links between devices, as well as user-defined nodes.


Displaying a Map View


To display the map for a device group, select the device group under Device Configuration in the navigation pane, and then click Map until the button appears shaded indicating that the map view is enabled.

(Map views are not available for port groups.) If a topology map exists for the group, then it appears in the map view, shown below.

Figure 41: Map View of a Device Group

The main components of a Ridgeline Map View are:

1 Details pane: Detailed information about the item selected in the table (in this example, a sub-group).
2 Subgroup node: Within the map view, an icon that represents a subgroup of the currently displayed group.
3 Links: Colored lines that represent connectivity between nodes in the map.
4 Device group: A set of devices that have been placed in a Ridgeline group hierarchy. In Ridgeline, you can create groups of ports and devices, although topology maps are supported for device groups only. For information about creating device groups, see Organizing Devices and Ports Into Groups. A device group hierarchy has a top-level group and can have multiple levels of subgroups below it. When you create a map, Ridgeline creates separate maps for the top-level group, as well as for any subgroups.
5 Device node: Within the map view, an icon that represents a managed device in the device group.
6 Zoom controls: The map view offers several zoom controls:
  - Magnifier: Click to enable a circular viewing area that you can move with your cursor. Click again to disable.
  - Zoom in: Click to zoom in.
  - Zoom out: Click to zoom out.
  - Fit content: Click to zoom in/out so as to show all items in the map.
7 Map button: Button that enables map view. Map button is shaded when map view is enabled.
8 Save button: Saves the current map layout.
9 Export button: Saves the current map layout to graphic file in either Scalable Vector Graphics (SVG) or Graphics Interchange Format (GIF) format.
10 Layout control: The devices and subgroups are laid out in the map in one of the following ways:
  - Hierarchical: Automatically arranges map elements into a hierarchical structure.
  - Circular: Automatically arranges devices in circles around the central nodes.
  - Organic: Automatically arranges devices by evenly spreading them out away from each other.
11 Map View: The graphical representation of the devices and links in the currently selected device group or subgroup. Selecting a device in the map view displays the device details in the lower pane.
12 Device table: Table of information about the objects displayed in the map view. Depending upon your selection, this is either subgroup (if the selected group has subgroups) or devices (if the selected group has devices in it). Selecting a device in the object table causes the corresponding icon in the map view to be selected, and detailed information about the selected device appears in the device details pane. For devices, you can click tabs to display information about the devices, links, VLANs, and EAPS rings in the device group.

Map Elements
The following elements can appear on a map:
- Device Nodes
- Sub-group Nodes on page 74
- User-Defined Nodes on page 77
- Text Nodes
- Clouds
- Links
- Unmanaged Nodes

Device Nodes
Device nodes represent the managed devices in the device group. A device node shows the following information:


- Name: The name of the device as it is kept in the inventory database.
- Annotation: An optional, user-supplied annotation for the node.
- Device type icon: A small icon representing the specific device or device product line. If the device is of an unknown type, an unknown device icon (a circle with a question mark) is displayed.
- IP address for device.
- Alarm icon: The device alarm status, indicated by the presence of an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for the device. The color of the bell indicates the severity of the alarm. If no icon appears, then either there are no unacknowledged alarms for the device, or the alarm status is below the alarm status threshold for the view. The alarm status threshold is set in the properties window for the map, and specifies the lowest severity level at which an alarm status icon should appear for a device node on the map. For more information about map properties, see Specifying Map Properties. If the alarm icon has an X through it, alarm propagation has been disabled for this device; the alarm status of this device does not influence the aggregate alarm status displayed for the map in which this node is located. To enable/disable alarm propagation, select a device group under Device Configuration in the navigation pane, right-click, and then click Alarm propagation > On/Off, as desired.
- Device status: indicated by the icon.
  - Red slash through the icon: device is down.
  - Gray icon: device is offline.
  - Icon without a red slash or gray color: device is up.

Sub-group Nodes
A sub-group node represents a child map of the current map. It appears as a rectangular icon (see the following figure). Clicking the plus sign (+) expands the sub-group. When you click a sub-group in the left navigation pane, the map of its root group appears in the map view with the selected group opened, and all other sub-groups closed.


Figure 42: Sub-group Node (Collapsed)
1 Sub-group node icon (in this example, named Building 1)
2 Control for expanding the sub-group to show its devices and groups


Figure 43: Sub-group (Expanded)
1 Sub-group node (expanded)
2 Control for collapsing the sub-group (see the preceding figure)

The sub-group node icon shows the following information:
- The name of the node (sub-group), which can be edited by changing the group's name.
- The sub-group alarm status, indicated by the presence of an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for any device within the subgroup. If multiple devices within the sub-group have unacknowledged alarms, the icon indicates the most severe alarm among all those devices. The color of the bell indicates the severity of the alarm. If the alarm icon has an X through it, the alarm propagation has been disabled for this sub-group; the alarm status of this sub-group does not influence the aggregate alarm status displayed for higher level maps. To enable/disable alarm propagation for a device group, in the navigation pane, right-click the device group, and then click Alarm propagation > On/Off.


User-Defined Nodes
You can create a user-defined map node to represent any other type of node that is not discovered or managed by Ridgeline, such as a server or workstation. A user-defined node shows the name, description, and optional annotation of the node, which can be edited.

Text Nodes
A text map node is a single-line text field that you can place anywhere in a network map. You can use it to create a title for the map, additional annotations for other map elements, comments, etc.

Clouds
A cloud can be added to a map to represent a network. As with user-defined nodes, you can add name, description, and optional annotation to a cloud.

Links
A link represents connectivity between nodes in the map. Links are automatically detected on Extreme Networks devices when EDP or LLDP is enabled on either device. Links can also be detected on third-party devices that support LLDP. You can also create links.

Note: For devices with EDP and/or LLDP disabled or not supported, you can manually add user-defined links to the map to represent connectivity between devices. They are not updated when the map topology changes. The behavior of the system-discovered links does not apply to user-defined links.

When a discovered link connects two devices on the same map, the link is annotated with the port number, or slot and port number for each of the endpoints. The appearance of a link shows a variety of information about the link.

The width of the link line indicates the link type:
- Thin line indicates a 10/100 link.
- Medium line indicates a gigabit link.
- Thick line indicates a 10 gigabit link.
- Very thick line indicates a 40 gigabit link.
- Link shown with a double line indicates a load-shared link.

The color of the link line indicates the link status:
- Green = link is up (both device ports are up).
- Red = link is down (both device ports are down). If the link is a load shared link, red means that one of the links in it is down.
- Yellow = load shared links.
- Blue = user-created link.

The format of the link annotation provides information about the link:

Table 4: Link Annotation Information

| Annotation Appearance | Example | Meaning |
|---|---|---|
| Endpoints separated by a dash. | p1:2 - p24 | Automatically created link. |
| Endpoints separated by an x. | p1:2 x p24 | User-created link. |
| Endpoint is a ?. | | User-created link with unknown endpoint. |
| Endpoint is followed by "lag". | p13 lag - p2:1 lag | Load shared ports. |
| Endpoint is followed by an m. | p17 - p2m | Management port. |
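The annotation formats in Table 4 can be parsed mechanically, for instance to list the user-created links on a map, which Ridgeline does not update when the topology changes. This is an added example, not Ridgeline code; the function names, the constructed annotation for the unknown-endpoint case, and the rejection of a "?" endpoint on a dash-separated link are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One endpoint: "?" or p<port> / p<slot>:<port>, optional "m", optional " lag".
EP = r"(\?|p(?:\d+:)?\d+m?(?:\s+lag)?)"
ANNOTATION_RE = re.compile(rf"^\s*{EP}\s*(-|x)\s*{EP}\s*$")
ENDPOINT_RE = re.compile(
    r"^p(?:(?P<slot>\d+):)?(?P<port>\d+)(?P<mgmt>m)?(?:\s+(?P<lag>lag))?$"
)

# Constructed sample; the first four are the examples from Table 4, the last
# one is made up here because the table gives no example for "?".
SAMPLE_ANNOTATIONS = [
    "p1:2 - p24",
    "p1:2 x p24",
    "p13 lag - p2:1 lag",
    "p17 - p2m",
    "p1:2 x ?",
]


@dataclass(frozen=True)
class Endpoint:
    known: bool
    slot: Optional[int] = None
    port: Optional[int] = None
    management: bool = False
    load_shared: bool = False


def parse_endpoint(text):
    """Parse one side of a link annotation."""
    if text == "?":
        return Endpoint(known=False)
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"not a link endpoint: {text!r}")
    slot = int(m.group("slot")) if m.group("slot") else None
    return Endpoint(True, slot, int(m.group("port")),
                    bool(m.group("mgmt")), bool(m.group("lag")))


def parse_annotation(text):
    """Split '<endpoint> <-|x> <endpoint>' into its parts."""
    m = ANNOTATION_RE.match(text)
    if not m:
        raise ValueError(f"not a link annotation: {text!r}")
    a, sep, b = m.groups()
    link = {"user_created": sep == "x",
            "a": parse_endpoint(a), "b": parse_endpoint(b)}
    # Assumption of this example: Table 4 defines "?" only for user-created
    # links, so a discovered (dash) link with an unknown endpoint is rejected.
    if not link["user_created"] and not (link["a"].known and link["b"].known):
        raise ValueError(f"unknown endpoint on a discovered link: {text!r}")
    return link


def describe(text):
    """Return the Table 4 meanings that apply to an annotation."""
    link = parse_annotation(text)
    ends = (link["a"], link["b"])
    if link["user_created"] and not all(e.known for e in ends):
        meanings = ["User-created link with unknown endpoint"]
    elif link["user_created"]:
        meanings = ["User-created link"]
    else:
        meanings = ["Automatically created link"]
    if any(e.load_shared for e in ends):
        meanings.append("Load shared ports")
    if any(e.management for e in ends):
        meanings.append("Management port")
    return meanings


def unverified_links(annotations):
    """Annotations of links that were drawn by a user, not discovered."""
    return [a for a in annotations if parse_annotation(a)["user_created"]]


if __name__ == "__main__":
    for annotation in SAMPLE_ANNOTATIONS:
        print(f"{annotation:22} {describe(annotation)}")
```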

Unmanaged Nodes
Unmanaged nodes are devices that are discovered by Ridgeline as being connected to managed devices, but they are not managed in your inventory. For example, if you have Device A in your inventory and it is physically connected to Device B, but Device B is not in your managed inventory, then Device B appears in Ridgeline as an unmanaged node on the maps. An unmanaged node appears on the map with a device icon with the text "Unknown," and an exclamation mark (!) on the bottom left corner of the icon.

Creating Topology Maps


Because a topology map is a graphical representation of a device group, the first step in creating a topology map is to create a device group. For information about creating device groups, see Organizing Devices and Ports Into Groups. When generating the map, Ridgeline creates an icon for each device, and automatically detects links between Extreme Networks devices when EDP or LLDP is enabled on either device. Links can also be detected on third-party devices that support LLDP.

Specifying Map Properties


Map properties include the alarm status that appears on the map, background image, the content of the labels describing links, and the sizing of objects on the map. To specify properties for:


- The currently displayed map, click Map > Properties.
- All maps, click Tools > Options.

The map Properties dialog box appears.

Figure 44: Map Properties Dialog Box

- Under Information, you can specify the lowest severity level for which an alarm status icon appears for a device node. In the map, the device's alarm status is represented by an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for the device. The color of the bell indicates the severity of the alarm.
- Under Background image, you can specify the background image for the map. Ridgeline includes a number of sample background images, and you can add your own. To add an image to the list of available background images, place it in the <Ridgeline_install_dir>\jboss\standalone\deployments\extreme.war\gifs\topologyBackgroundImages
- Under Link label, you can specify what appears on the text caption on links. This can be either the port numbers (for example, p1-p2), or the port number with the port name in parentheses.
- Under Appearance, you can specify the size of the text used in the captions for the map title, objects, and links, as well as the background color of the map.
- Under Hide nodes, you can choose to hide access points and/or unknown devices (which are not added to the Ridgeline inventory).

After specifying properties for the map, click OK to apply the new properties. Click Restore Global Map Settings to reset the map properties to the globally set values.


Laying Out Maps


You can drag map nodes around on the map yourself, or you can have Ridgeline automatically lay out the map nodes for you.

Select one of the following from the Layout list:

- Hierarchical: automatically arranges map elements into a hierarchical structure.
- Circular: automatically arranges devices in circles around the central nodes.
- Organic: automatically arranges devices by evenly spreading them out away from each other.

Click Save after you are finished to retain the map layout.

Creating User-Defined Links


Links represent connectivity between nodes in the map. When a map is created, links are automatically detected on Extreme Networks devices when EDP or LLDP is enabled on either device. Links can also be detected on third-party devices that support LLDP.

In addition to the automatically detected links, you can manually define your own links. This can be useful in situations where you want to represent a link between devices when a real link cannot be detected by Ridgeline. This may be the case if EDP and LLDP are disabled on an Extreme Networks device, if a non-Extreme Networks device does not support LLDP, or if neither EDP nor LLDP is supported by the version of software running on the device.

On the map view, the endpoints of a user-defined link are separated by an x rather than by a dash (-). For example, the link annotation p1:1 - p24 indicates an automatically detected link; the annotation p1:1 x p24 indicates a user-defined link.

To create a user-defined link:
1 Display the map for the device group:
  a Click the desired device group under Device Configuration in the navigation pane.
  b Click Map until the Map button is shaded (enabled).


2 Click Map > New > Link. The New Link dialog box appears.

Figure 45: New Link Dialog Box

3 There are two sections, Side A and Side B, representing a device on either end of the link. For each side of the link:
  a In Name, select the device for this side of the link. The Name list contains the name and IP address of each object in the device group.
  b Optionally, in Port number, select a port on the device for the end point of the link. If you select the Show VLANs check box, the VLANs that the selected port is a member of appear.
  c Instead of selecting a port, you can specify a text annotation to describe this side of the link on the map. To do this, select Annotation, and then type the text in the box.
4 Click OK to create the link on the map.

Removing Inactive Links from Maps


On a topology map, the color of the link line indicates the link status. A red line indicates that the link is inactive (at least one of the ports that make up the link is down). You can remove the inactive links from maps:
- From between two devices.
- In the top-level group and subgroups of a device group.
- For all the devices in all device groups.

Removing Inactive Links Between Two Devices from Maps

To remove the inactive links on a map between two devices:


1 Select the two devices in the map view.
2 Click Map > Clear inactive links from > Selected two devices.

Removing Inactive Links from Maps in a Device Group

To remove the inactive links on a map in the top-level group and subgroups of a device group:
1 Display the map view of the device group.
2 Click Map > Clear inactive links from > Selected primary group and its subgroups.

Removing Inactive Links in Maps for All Devices in a Group

To remove the inactive links for all the devices in all device groups, click Map > Clear inactive links from > All devices.

Adding Graphic Elements to Maps


In addition to devices, links, and background images, you can add other graphic elements to the map to represent objects not managed by Ridgeline. These elements include:

- User-Defined Nodes. User-defined nodes represent any type of node that is not discovered or managed by Ridgeline, such as a server or workstation. To add a user-defined node to your map, click Map > New > Node. The New Node dialog box appears.

  Figure 46: New Node Dialog Box

  Type the name, optional description, and annotation for the node, and then click OK.
- Text Boxes. Text boxes can be used to create a title for the map, additional annotations for other map elements, comments, etc. To add a text box to your map, click Map > New > Text box. A new text box with the words Type here appears on the map. Double-click the text box and replace the Type here text with your own text.
- Clouds. Clouds can be added to a map to represent a network. To add a cloud to your map, click Map > New > Cloud. The New Cloud dialog box appears.


Figure 47: New Cloud Dialog Box

Type the name, optional description, and annotation for the cloud, and then click OK.

To delete any of these graphic elements, select the object, right-click, and then click Delete.

Adding Device Annotations


A device annotation is a single line of text that you can add to a device description to provide additional information. The device annotation appears only with the device icon on the map; it does not appear in any other view.

To add a device annotation:
1 In the navigation pane, select Main View or the desired device group, and then click Map until the device map appears.
2 Click the desired device in the map.
3 Right-click the desired device in the map, and then click Device Annotation. The Device Annotation dialog box appears.

Figure 48: Device Annotation Dialog Box

4 In the Annotation box, type the annotation for the device.
5 Click OK.

Saving Maps
To save your map changes, click .

Exporting Maps
You can export a map view to a Scalable Vector Graphics (SVG) or Graphics Interchange Format (GIF) file.


To export a map to an SVG or GIF file:
1 Display the map view that you want to export.
2 Click .

Note: If you have started the Ridgeline client using a Remote Desktop Client (RDC) connection, ensure that the display on the client system is set to use 15-bit color.


5 Provisioning Network Resources


Network Resource Provisioning Overview
Troubleshooting Provisioning Tasks
Viewing Logged Information about Provisioning Tasks

This chapter describes how to use Ridgeline's network resource provisioning feature.

Network Resource Provisioning Overview


Ridgeline's network resource provisioning feature simplifies network configuration tasks by allowing you to specify devices, ports, and parameters using options in lists in dialog boxes. Ridgeline automatically validates the options you've selected prior to deploying the configuration to managed devices, ensuring that the configuration is correct before it goes into production. Using Ridgeline provisioning windows, you can create a VLAN simply by selecting the devices, ports, and tagging options you want, then validate and deploy the VLAN configuration by clicking a button. You can provision the following kinds of network resources in Ridgeline:

- VLANs and VMANs. Using Ridgeline provisioning windows, you can create a VLAN or VMAN simply by selecting the devices, ports, and tagging options you want, then validate and deploy the VLAN or VMAN configuration by clicking a button. See Configuring VLANs and Configuring VMANs.
- Backbone VLANs (BVLANs) for Provider Backbone Bridge (PBB) networks. Ridgeline's provisioning interface helps you configure a PBB network by facilitating the creation of BVLANs on selected devices, ports, or links. See Configuring BVLANs.
- E-Line and E-LAN services. Using the service provisioning wizard, you can create and modify E-Line (point-to-point) and E-LAN (multipoint-to-multipoint) services. You can select the devices and ports that make up the service, specify traffic mapping options, create and apply bandwidth profiles, then validate the configuration and deploy it on your network. See Configuring Ethernet Services.
- EAPS domains. You can use the EAPS provisioning feature to configure EAPS domains, including specifying member links, the EAPS master node, primary and secondary ports, control VLAN, hello timer, and fail timer parameters. Your configuration is validated by the software before it is deployed to managed devices. See Configuring EAPS.


Troubleshooting Provisioning Tasks


Ridgeline's provisioning process makes it easy to identify errors in network configurations and correct them. You can click any of the tasks in the Progress and Results dialog box and display additional information about the validation rules or CLI commands executed for the selected task.

If a validation task fails, Ridgeline notes the failure for the task in the Progress and Results dialog box. Click the failed task to display additional information about why it was unsuccessful (see the following figure). Click Back to return to the provisioning dialog box and make any necessary corrections, and then re-deploy the configuration.

Figure 49: Unsuccessful VLAN Provisioning

Ridgeline handles errors encountered during the provisioning process in the following ways:

• If Ridgeline is not able to establish connectivity to one of the target switches, then it does not proceed with the provisioning tasks on any of them.
• If commands that were validated by Ridgeline are subsequently not accepted by the switch, for example if the switch responds to a command with an error message, then Ridgeline retracts the commands that it had entered prior to the error, and halts the provisioning process. Any commands entered on the other target switches are automatically retracted to what was in the previous configuration.


• While the commands are being retracted, if the switch goes offline (is no longer managed by Ridgeline), the commands continue to be retracted until they have all been removed.
• If the device becomes unreachable, or it is not possible to log on to the device, then the retraction process for the device fails, and Ridgeline displays an error message.

Note: Only one provisioning request can be processed on the Ridgeline server at a time. If you attempt multiple provisioning requests at the same time, such as simultaneously from two different Ridgeline clients, an error message appears.
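The error handling described above amounts to an all-or-nothing deployment with an undo log. The following is an added example, not Ridgeline code: FakeSwitch, PLAN, SERVER_LOCK, retract and provision are hypothetical names, the command strings are constructed samples, and pairing every command with a retracting command is an assumption, since this guide does not say how Ridgeline derives the retraction.

```python
import threading


class SwitchError(Exception):
    """The switch rejected a command or could not be reached."""


class FakeSwitch:
    """Constructed stand-in for a managed switch; not a Ridgeline or ExtremeXOS API."""

    def __init__(self, name, reachable=True, reject=None, drop_after=None):
        self.name = name
        self.reachable = reachable
        self.reject = reject          # command this switch answers with an error
        self.drop_after = drop_after  # commands accepted before it becomes unreachable
        self.config = []              # provisioning commands currently in effect

    def send(self, command):
        if self.drop_after == 0:
            self.reachable = False
        if not self.reachable:
            raise SwitchError(f"{self.name}: unreachable")
        if command == self.reject:
            raise SwitchError(f"{self.name}: error in response to '{command}'")
        if self.drop_after is not None:
            self.drop_after -= 1


# Constructed sample plan: (command, command that retracts it).
PLAN = [
    ("create vlan cust100", "delete vlan cust100"),
    ("configure vlan cust100 add ports 1:1 tagged",
     "configure vlan cust100 delete ports 1:1"),
]

SERVER_LOCK = threading.Lock()  # only one provisioning request at a time


def retract(applied):
    """Undo applied commands newest-first; return names of switches where that failed."""
    failed = []
    for sw, do, undo in reversed(applied):
        if sw.name in failed:
            continue                  # retraction already failed on this device
        try:
            sw.send(undo)
            sw.config.remove(do)
        except SwitchError:
            failed.append(sw.name)
    return failed


def provision(switches, plan=PLAN):
    """Deploy the plan to every switch or to none. Returns (status, detail)."""
    if not SERVER_LOCK.acquire(blocking=False):
        return ("rejected", "another provisioning request is being processed")
    try:
        unreachable = [sw.name for sw in switches if not sw.reachable]
        if unreachable:               # no task runs on any switch
            return ("not-started", unreachable)
        applied = []
        try:
            for sw in switches:
                for do, undo in plan:
                    sw.send(do)
                    sw.config.append(do)
                    applied.append((sw, do, undo))
        except SwitchError as err:    # halt, then retract on every target
            failed = retract(applied)
            if failed:
                return ("retract-failed", failed)
            return ("rolled-back", str(err))
        return ("deployed", [sw.name for sw in switches])
    finally:
        SERVER_LOCK.release()


if __name__ == "__main__":
    targets = [FakeSwitch("sw1"), FakeSwitch("sw2", reject=PLAN[1][0])]
    print(provision(targets), [sw.config for sw in targets])
```

A "retract-failed" result is the case to follow up manually: the named switch still carries part of the new configuration while the other targets have been restored.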

Viewing Logged Information about Provisioning Tasks


Ridgeline logs information about the provisioning tasks it has performed on managed devices. You can view this information in the Ridgeline audit log.

To display the audit log:
1 In the navigation pane, click Audit Log.
2 Click the Provisioning tab. A list of provisioning tasks that have run on the Ridgeline server appears.

Figure 50: Ridgeline Audit Log with Provisioning Tab Selected
1: Quick Filter button. Click to display options to filter the provisioning task list by time period and/or search terms.
2: List of provisioning tasks.
3: Progress and Results pane for the selected provisioning task. Double-click the selected task to display the Progress and Results information in a separate window.


For more information about the audit log, see Using the Ridgeline Audit Log.


6 Configuring and Monitoring Ethernet Services

Ethernet Service Overview
Configuring Ethernet Services
Viewing Ethernet Services Information on the Services Tab

This chapter describes how to use Ridgeline for:
• Configuring E-Line and E-LAN services using Ridgeline's network resource provisioning feature.
• Viewing Ethernet service information in Network Views windows and in the Services view.
• Viewing details about Ethernet services known to Ridgeline.

Ethernet Service Overview


An Ethernet service is a method for provisioning Ethernet connectivity over a wide-area or Metro Ethernet network. Ethernet services can provide customers point-to-point or multipoint-to-multipoint Ethernet connectivity across a service provider's network. Service providers set up Ethernet services for their customers at User Network Interface (UNI) ports connecting customer equipment to their network.

The actual means of transporting the customer traffic across the service provider's network is at the discretion of the service provider. A service provider can configure an Ethernet service to use a specified VLAN, VMAN, or PBB BVLAN as the transport method between the UNI ports to the customer network.

Using Ridgeline, you can create E-Line (point-to-point) and E-LAN (multipoint-to-multipoint) Ethernet services. You can select the devices and ports that make up the service, specify traffic mapping options, create and apply bandwidth profiles, and then validate the configuration and deploy it on your network.

For Ethernet services using VLAN or VMAN transport methods, Ridgeline adds the UNI ports to the transport VLAN/VMAN on the devices where it is configured. For Ethernet services using a PBB BVLAN as the transport method, Ridgeline creates the SVLANs or CVLANs, maps an ISID to an SVLAN, adds the UNI ports to the SVLAN, then adds the ISID to the BVLAN. Bandwidth profiles, if specified in the Ethernet service configuration, are applied to the UNI ports.

Information about the Ethernet services known to Ridgeline is available in the Main View. The Services view (see Viewing Ethernet Services Information) provides at-a-glance information about the Ethernet services, the devices and ports where they are configured, and details about the transport method specified for each service.


E-Line Service
An E-Line service is a point-to-point Ethernet Virtual Connection (EVC) that can be implemented in a service provider network, as illustrated in the following figure. E-Line services can be created to support Ethernet Private Line (EPL) and Ethernet Virtual Private Line (EVPL) services. In an E-Line service, two UNI ports connected to customer equipment (CE) devices form the endpoints for the service. Customer traffic entering the service provider network at one UNI port is associated with the EVC. The UNI ports are associated with each other so that customer traffic in the E-Line service is exchanged only between the two UNI ports.

Figure 51: E-Line Service

When Ridgeline provisions an E-Line service, it also adds the VLAN, VMAN, or PBB BVLAN to an EAPS domain on the devices where the VLAN/VMAN/BVLAN is configured.

E-LAN Service
An E-LAN service is a multipoint-to-multipoint EVC, as illustrated below. An E-LAN service can have two or more UNI ports connected to CE devices. E-LAN services can be created to support Ethernet Private LAN (EP-LAN) and Ethernet Virtual Private LAN (EVP-LAN) services.


Figure 52: E-LAN Service

Bandwidth Profiles
By default, an E-Line or E-LAN service provides best-effort service for customer traffic on the UNI ports. In some cases, such as when the UNI ports in an Ethernet service have different line rates, you can specify bandwidth profiles and apply them to the UNI ports. A bandwidth profile can specify values for Committed Information Rate (CIR), Committed Burst Size (CBS), Excess Information Rate (EIR), Excess Burst Size (EBS), and single/dual-rate profile settings. You can apply bandwidth profiles to all UNI ports in the service, or to selected UNI ports.

Configuring Ethernet Services


Using Ridgeline, you can perform the following Ethernet service configuration tasks:

• Create an Ethernet service
• Modify settings for Ethernet services
• Create and assign customer names to services
• Create and apply bandwidth profiles

For more information about Ridgeline's network resource provisioning feature, see Provisioning Network Resources.

Creating Ethernet Services


To create an Ethernet service:
1 In the navigation pane, click Main View or a device group.


2 Click New > E-Line or E-LAN. The E-Line or E-LAN Service Provisioning wizard appears (see the following figure).

Figure 53: E-Line Service Provisioning Wizard - E-Service Configure Tab

3 Type a name for the new E-Line or E-LAN service in the Name box.
4 Optionally, type a description for the service in the Description box.
5 Select the customer who uses this service from the Customer list. For information about adding a customer to this list, see Creating a Customer Profile.
6 Select the transport type to be used with this service from the Transport Type list: 802.1Q (VLAN), 802.1ad (PB/VMAN), or 802.1ah (PBB).
7 Select the UNI ports for this service. Click the + next to a device to view its ports. An E-Line service must consist of two UNI ports. An E-LAN service can have two or more UNI ports. Devices that do not support Ethernet services are unavailable.


8 Click Next. For BVLANs, the Device Settings tab appears (see the following figure). Otherwise, the Traffic Mapping tab appears (see the following figure). Skip to Step 12.

Figure 54: E-Line Service Provisioning Wizard - Device Settings Tab

9 Select the BVLAN in the 802.1ah(PBB) list, and type ISID and ISID name in the ISID and ISID Name boxes.
10 Under Device-specific settings, specify whether traffic is tagged or untagged for some or all devices:
  a Select either Use the same settings on all devices or Customize the settings per device.
  b If you selected Customize the settings per device, select a device, and then for Traffic, click either Port based or SVLAN or CVLAN. Type a name and tag for the selected device in the Name and Tag boxes. Repeat for each device.
  c If you selected Use the same settings on all devices, for Traffic, click either Port based or SVLAN or CVLAN. Type a name and tag for the device(s) in the Name and Tag boxes.
11 Skip to step 16.


12 In the first list, select the VLAN or VMAN to be used as the transport method for the service.

Figure 55: E-Line Service Provisioning Wizard - Traffic Mapping Tab

13 Under Port Specific Settings, specify whether traffic is tagged or untagged for both UNI ports, or for a selected UNI port:
  a Select either Use the same settings on all ports or Customize the settings per port.
  b If you selected Customize the settings per port, select a port, and then for Traffic, click either Tagged or Untagged. Repeat for each port.
  c If you selected Use the same settings on all ports, for Traffic, click either Tagged or Untagged.
14 Optionally, select a bandwidth profile to use on one or more ports in the service from the Bandwidth Profile list. For information about setting up bandwidth profiles, see Creating a Bandwidth Profile.
15 Indicate whether to enable the service after it has been provisioned on the target devices. If you want to deploy the service immediately after successful validation, without a separate deployment step, select If validation has no errors, continue automatically to creating the new service.


16 Click Next to start the validation process.

Figure 56: E-Line Service Provisioning Wizard - Validation Tab

17 If the validation is successful, click Finish to deploy the service to the target devices. Otherwise, click Back to go back to the previous tab and modify the settings.

Figure 57: E-Line Service Provisioning Wizard - Create E-Service Tab


18 Click Finish.

After Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, and then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches. The information in the is logged in the Ridgeline Audit Log. For more information, see Viewing Logged Information about Provisioning Tasks.

Modifying Ethernet Services


For existing E-Line and E-LAN services, you can edit settings and deploy the changes to the devices where the service is configured. For an Ethernet service, you can edit the name and description of the service, the customer the service is assigned to, bandwidth profile settings, and the UNI ports specified for the service (E-LAN services only).

To modify an Ethernet service:
1 In the navigation pane, click Main View or a device group.
2 Click the Services tab.
3 In the table, select the Ethernet service you want to modify by clicking its check box.
4 Click Properties. The Ethernet Service Properties dialog box appears.

Figure 58: Ethernet Service Properties Dialog Box

5 To change the name or description, click Edit name / description, make the desired changes, and then click OK.
6 To change the customer, click Edit customer, make the desired changes, and then click OK. For more information about creating customer profiles, see Creating Customer Profiles on page 99.
7 To delete the bandwidth profile, click Delete bandwidth profile. When prompted, confirm the deletion.
8 To add bandwidth profiles, click Add bandwidth profiles. For more information about adding bandwidth profiles, see Creating Bandwidth Profiles on page 100.


9 To add ports, click Add ports. See Adding Ports on page 97.
Note: You can only add and delete ports for E-LAN services, not E-Line services.
10 To delete ports, click Delete ports. See Deleting Ports on page 98.
11 Click Cancel to close the dialog box.

Adding Ports
You can add and delete (see Deleting Ports on page 98) ports in an E-LAN service after it has been created.

To add ports to an E-LAN service:
1 In the navigation pane, click Main View or a desired device group.
2 Click the Services tab.
3 Select the E-LAN service to add ports to by clicking its check box.
4 Click Add Ports. The Add Ports dialog box appears (see the following figure).

Figure 59: Add Ports Dialog Box - Add Ports Tab

5 Select the ports to add to the service. Click the check box for a device to select all of its ports, or click the + next to a device to see its list of ports.
6 Click Next. The Traffic Mapping tab appears.
7 For each added port:
  a For Traffic, select either Tagged or Untagged.
  b Select a bandwidth profile from the Bandwidth Profile list. For more information about bandwidth profiles, see Creating Bandwidth Profiles on page 100.
8 Indicate whether to enable the service after it has been provisioned on the target devices. If you want to deploy the service immediately after successful validation, without a separate deployment step, select If validation has no errors, continue automatically to creating the new service.


9 Click Next. The Validation tab appears.
10 If the validation is successful, click Next. The Results tab appears.
11 Click Finish.

Deleting Ports
You can add (see Adding Ports on page 97) and delete ports in an E-LAN service after it has been created.

To delete ports from an E-LAN service:
1 In the navigation pane, click Main View or a desired device group.
2 Click the Services tab.
3 Select the E-LAN service to delete ports from by clicking its check box.
4 Click Delete Ports. The Delete Ports dialog box appears (see the following figure).

Figure 60: Delete Ports Dialog Box - Delete Ports Tab

5 Select the ports to delete by clicking their check boxes.
6 Click Next. The Validation tab appears.
7 If the validation is successful, click Next. The Results tab appears.
8 Click Finish.


Deleting Ethernet Services


You can delete services from Ridgeline only or Ridgeline and devices.

Note: You can only delete one service at a time. You cannot delete multiple services in one operation.

To delete an Ethernet service:
1 In the navigation pane, click Main View or a device group.
2 Click the Services tab.
3 In the list select a service by clicking its check box.
4 Click Delete.
5 When prompted:
• Ridgeline only: removes the service from the Ridgeline database
• Ridgeline and devices: removes the service from the devices and the Ridgeline database

Creating Customer Profiles


When configuring an Ethernet service in Ridgeline, you can associate the service with a specific customer profile. The name of the customer associated with an Ethernet service appears on the Services tab.

To create a customer profile and associate it with an Ethernet service:
1 In the navigation pane, click Main View or a device group.
2 Click the Services tab.
3 Click Edit Customer. The Customer dialog box appears (see the following figure).

Figure 61: Customer Dialog Box


4 Click New to create a new customer profile, or select an existing profile under Customer profiles, and then click Edit. The Customer Settings dialog box appears (see the following figure).

Figure 62: Customer Settings Dialog Box

5 Type contact information for the customer. When you are done, click Add (for a new customer profile) or Modify (for an existing customer profile).
6 Click OK.

After you create a customer profile, you can apply it to an Ethernet service. See Modifying Ethernet Services on page 96.

Creating Bandwidth Profiles


A bandwidth profile compares traffic received on a UNI port with a series of thresholds, and specifies how the traffic should be forwarded based on those thresholds. A bandwidth profile can specify per-port thresholds for Committed Information Rate (CIR), Committed Burst Size (CBS), Excess Information Rate (EIR), and Excess Burst Size (EBS), as well as single/dual-rate profile settings. You can apply bandwidth profiles to all UNI ports in an Ethernet service, or to selected UNI ports.

To create a bandwidth profile:
1 In the navigation pane, click Main View or a device group.
2 Click the Services tab.


3 Click Add Bandwidth Profiles. The Edit bandwidth profile dialog box appears (see the following figure).

Figure 63: Edit Bandwidth Dialog Box

4 On the Add Bandwidth tab, in the Bandwidth Profile list, select New profile. The Bandwidth Profile dialog box appears (see the following figure).

Figure 64: Bandwidth Profile Dialog Box


5 Click New. The Bandwidth Profile dialog box appears (see the following figure).

Figure 65: Bandwidth Profile Dialog Box

6 Type a name for the bandwidth profile in the Bandwidth Profile Name box and specify settings for the following parameters:

Quality Profile: The quality of service (QoS) feature that allows you to configure a switch to provide different levels of service to different groups of traffic. Range of 1-8. For more information, see the ExtremeXOS Concepts Guide.
Single rate: Selects single rate.
Dual rate: Selects dual rate.
Committed Information Rate (CIR): The average rate for service traffic up to which the network delivers the service traffic and is committed to meeting the performance objectives defined by the CoS Service Attribute. You can specify the CIR in Kbps, Mbps, or Gbps.
Committed Burst Size (CBS): The maximum allowed size for a burst of service traffic sent at the UNI speed to remain CIR-conformant. You can specify the CBS in Kb, Mb, or Gb.
Excess Information Rate (EIR): The average rate of service traffic up to which the network may deliver service traffic but without any performance objectives. You can specify the EIR in Kbps, Mbps, or Gbps.
Excess Burst Size (EBS): The maximum size of a burst of service traffic sent at the UNI speed to remain EIR-conformant. You can specify the EBS in Kb, Mb, or Gb.

7 When you are done, click Add (for a new bandwidth profile) or Modify (for an existing bandwidth profile).
8 Click OK.
9 On the Edit Bandwidth dialog box, you can apply the new bandwidth profile to the Ethernet service (see Modifying Ethernet Services on page 96) or click Cancel to exit the dialog box and use the profile later.
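The four thresholds can be read as two token buckets, one filled at CIR up to CBS and one filled at EIR up to EBS. The following is an added example, not Ridgeline or ExtremeXOS code: it meters a constructed burst of frames against a profile, and the two-bucket algorithm, decimal units (1 Kb = 1000 bits), and modelling a single-rate profile as EIR and EBS of 0 are assumptions, because this guide does not describe how the switch enforces a profile.

```python
from dataclasses import dataclass

SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}  # assumption: decimal units
US = 10**6                                     # microseconds per second


def bits(value, unit):
    """Convert e.g. (24, 'Kb') or (1, 'Mbps') to bits or bits per second."""
    return value * SCALE[unit[0].upper()]


@dataclass
class BandwidthProfile:
    cir: int        # Committed Information Rate, bits per second
    cbs: int        # Committed Burst Size, bits
    eir: int = 0    # Excess Information Rate, bits per second
    ebs: int = 0    # Excess Burst Size, bits


class Meter:
    """Two token buckets, counted in bit-microseconds so the arithmetic stays in integers."""

    def __init__(self, profile):
        self.p = profile
        self.committed = profile.cbs * US   # both buckets start full
        self.excess = profile.ebs * US
        self.last_us = 0

    def offer(self, now_us, frame_bytes):
        """Classify one frame arriving at now_us (microseconds since start)."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        # Refill each bucket at its rate, never beyond its burst size.
        self.committed = min(self.p.cbs * US, self.committed + self.p.cir * elapsed)
        self.excess = min(self.p.ebs * US, self.excess + self.p.eir * elapsed)
        cost = frame_bytes * 8 * US
        if cost <= self.committed:
            self.committed -= cost
            return "CIR-conformant"         # delivered with performance objectives
        if cost <= self.excess:
            self.excess -= cost
            return "EIR-conformant"         # may be delivered, no objectives
        return "non-conformant"


def classify(profile, frames):
    """frames: list of (arrival time in microseconds, frame size in bytes)."""
    meter = Meter(profile)
    return [meter.offer(t, size) for t, size in frames]


# Constructed sample profiles and traffic: four 1500-byte frames back to back,
# then three more 12 ms later.
DUAL = BandwidthProfile(cir=bits(1, "Mbps"), cbs=bits(24, "Kb"),
                        eir=bits(1, "Mbps"), ebs=bits(12, "Kb"))
SINGLE = BandwidthProfile(cir=bits(1, "Mbps"), cbs=bits(24, "Kb"))
BURST = [(0, 1500)] * 4 + [(12000, 1500)] * 3

if __name__ == "__main__":
    for name, profile in (("dual", DUAL), ("single", SINGLE)):
        print(name, classify(profile, BURST))
```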

Viewing Ethernet Services Information on the Services Tab


The Services tab displays information about the E-Line and E-LAN services known to Ridgeline. From the Services tab, you can show information about a selected service and its transport method (1), view an overlay map highlighting the devices where the selected item is configured (2), and view details about a selected service, transport method, or EAPS domain (3).


Figure 66: Services Tab
1: Map view
2: Details panel
3: Services table

Services Table
The Services table on the Services tab (see Viewing Ethernet Services Information on the Services Tab on page 102) shows the following information.
Name: The configured name of the Ethernet service, and an icon indicating its condition. The icon can be one of the following:
• Both ports in the E-Line service are up.
• One or both ports in the E-Line service are down.
• The E-Line service is disabled.
• All ports in the E-LAN service are up.
• At least two ports in the E-LAN service are up, but others are down.
• All or all but one of the ports in the E-LAN service are down.
• The E-LAN service is disabled.
Status: The current status of the Ethernet service: UP if all UNI ports in the service are up, DOWN if all UNI ports in the service are down, or PARTIAL if some of the UNI ports are up and others are down.
Operational Status: Whether the Ethernet service is currently enabled or disabled.
Customer Name: The name of the Customer that the service was assigned to, if configured.
Transport Type: The transport method specified for the service: 802.1Q (VLAN), 802.1ad (PB/VMAN), or 802.1ah (PBB).
Transport Name: The name of the VLAN, VMAN, or BVLAN used as the transport method.
Transport Tag: The tag value of the VLAN, VMAN, or BVLAN used as the transport method.
Transport Network: The network name of the VLAN, VMAN, or BVLAN used as the transport method, if configured.
Service End Points: The number of UNI ports configured for this Ethernet service. For an E-Line service, this is always 2. For an E-LAN service, this can be 2 or more.
Description: The configured description of this service, if configured.
Ethernet Service Type: Whether the selected service is an E-Line or E-LAN service.

Map View
The map view on the Services tab highlights the devices where the selected Ethernet service, VLAN, VMAN, BVLAN, or EAPS domain is configured. You can select a service in the table and display it on the map as an overlay view highlighting all of the devices and links in the map where the selected service is configured.

Displaying Ethernet Service Details


To display details about an E-Line or E-LAN service, in the navigation pane, click Main View or a device group, click the Services tab, and then click a row in the table. Information about the selected Ethernet service appears in the details pane. If you double-click the row, the Ethernet service details appear in a separate window (see the following figure).

Figure 67: E-Line Service Details Window


The Ethernet services details window shows the following information:

Name: The name of the Ethernet service.
Description: The description of the Ethernet service, if one is configured.
Customer Name: The name of the customer configured to use this Ethernet service. For more information, see Creating Customer Profiles on page 99.
Operational Status: Enabled or disabled.
Service Type: The Ethernet service type, either E-Line or E-LAN.
Transport Type: The transport type, either: 802.1Q (VLAN), 802.1ad (PB/VMAN), or 802.1ah (PBB).
Tag: The tag value of the VLAN, VMAN, or BVLAN used as the transport method.
Name: The name of the VLAN, VMAN, or BVLAN used as the transport method.
Network: The network name of the VLAN, VMAN, or BVLAN used as the transport method, if configured.
Protocol Filter: The protocol filter configured for the VLAN, VMAN, or BVLAN used as the transport method, if applicable.

There is also a Ports tab (see Ports Tab on page 105) and a Bandwidth Profile tab (see Bandwidth Profile Tab on page 105).

Ports Tab
The Ports tab on the Ethernet services details window (see Displaying Ethernet Service Details on page 104) includes the following information:

Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Tagged: Whether the port is tagged.
IP Address: The IP address of the device.
Actual Speed: Speed of the port if known; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port if known, either full or half.
Type: Type of port.
Port Status: The port state (Enabled or Disabled).
Link State: The link state.
Name: The name of the device.

Bandwidth Profile Tab
The Bandwidth tab on the Ethernet services details window (see Displaying Ethernet Service Details) includes the following information. If a bandwidth profile has been applied to an individual port, select the port to display its bandwidth profile settings.


Bandwidth Profile Name: The name of the bandwidth profile applied to the selected port, if applicable.
CIR: Committed Information Rate
CIR Unit: Whether the Committed Information Rate is measured in Kbps, Mbps, or Gbps.
CBS: Committed Burst Size
CBS Unit: Whether the Committed Burst Size is measured in Kb, Mb, or Gb.
EIR: Excess Information Rate
EIR Unit: Whether the Excess Information Rate is measured in Kbps, Mbps, or Gbps.
EBS: Excess Burst Size
EBS Unit: Whether the Excess Burst Size is measured in Kb, Mb, or Gb.
Rate: Whether a single rate or dual rate profile has been applied to the port.
Quality Profile: The number of the quality profile applied to the port.


7 Policies
Overview
Viewing Policy Details
Creating New Policies
Creating Categories for Policies
Creating and Managing Roles
This section describes how to set policy statements in the policy database.

Overview
The policy manager is responsible for maintaining a set of policy statements in a policy database and communicating these policy statements to the applications that request them.

Policies are used by the routing protocol applications to control the advertisement, reception, and use of routing information by the switch. Using policies, a set of routes can be selectively permitted (or denied) based on their attributes, for advertisements in the routing domain. The routing protocol application can also modify the attributes of the routing information, based on the policy statements.

Policies are also used by the access control list (ACL) application to perform packet filtering and forwarding decisions on packets. The ACL application programs these policies into the packet filtering hardware on the switch. Packets can be dropped, forwarded, moved to a different QoS profile, or counted, based on the policy statements provided by the policy manager.

Ridgeline supports only ACL based policies. With Ridgeline's policy manager, you can create a policy for a role, for identity management role-based access control (see Creating New Policies), or create a policy for virtual port profiles (VPPs) to manage virtual machines (VMs) (see Attaching Policies to VPPs).

Viewing Policy Details


To view your available policies, in the navigation pane, click Policies. The Policies view appears (see the following figure).


Figure 68: Policy View

The policy view displays the following information:

Column Heading: Description
Attached: Whether or not the policy is currently attached.
Category: The optional category that you have assigned the policy to, making it easier to find. This is for your benefit only; switches do not use it, nor does it affect a policy's function (see Creating Categories for Policies on page 119).
Name: The name assigned to the policy.
Description: The optional description given to the policy when it is created.
Type: The type of policy, either virtual-port profile or role.
Direction: The direction the policy is applied to for the traffic, ingress, egress, or both.
Modified By: The actor that last updated the policy (including Ridgeline (system)).
Date Modified: The last time the information about the policy was refreshed from the database.

For each selected policy the lower pane has the following tabs:
• Rule
• Deployments
• EXOS Policy: displays the policy code

Rule Tab
In the Policy view (see Viewing Policy Details on page 107) details pane, click the Rule tab to view the following information about the rule(s) attached to the selected policy.


Column Heading: Description
Order: The numeric order of the rule in the policy (1, 2, 3, etc.).
Category: The optional category that you have assigned the rule to, making it easier to find. This is for your benefit only; switches do not use it, nor does it affect a rule or policy's function (see Creating Categories for Policies on page 119).
Rule: The name assigned to the rule.
Description: The optional description given to the rule when it is created.

Deployments Tab
In the Policy view (see Viewing Policy Details on page 107) details pane, click the Deployments tab to view the following information about the rule(s) attached to the selected policy.
Column Heading: Description
Used For: Role or virtual machine.
Direction: Ingress, egress, or both.
Name: Name of the role/virtual machine to which this policy is attached.

Creating New Policies


You can create a new policy from scratch (this procedure) or you can base it on another existing policy (see Copying a Policy to Create a New Policy).

To create a new policy:
1 In the navigation pane, click Policies. The Policies view appears.


2 Click New Policy. The New Policy dialog box appears (see the following figure).

Figure 69: New Policy Dialog Box

3 Type the name of the policy in the Name box.
4 (Optional) Type a description in the Description box.
5 In the Policy Type list, select:
• Virtual-port profile: You can select Ingress or Egress or both.
• Role: You can only select Ingress.
6 Next to Direction, select the direction the policy applies to: Ingress and/or Egress.

7 Click New to create a rule (you must create at least one rule for a policy). The New Policy Rule dialog box appears (see the following figure). It describes the criteria for the entries: you can specify multiple, single, or zero match conditions. If no match condition is specified, all packets match the new entry.

Figure 70: New Policy Rule Dialog Box - Match Condition Tab
8 Type a name in the Rule Name box.
9 (Optional) Select a category for the rule in the Rule Category list. If the desired category does not exist, you can create one:
  a In the Rule Category list, click New rule category. The Categorize Policy Rule dialog box appears (see the following figure).

Figure 71: Categorize Policy Rule Dialog Box

  b Click New. The New Category dialog box appears.
  c Type a name for the new category in the Category Name box.
  d Click Create.
  e Click OK. The new category is selected in the Rule Category list.
10 Click a condition to view a detailed description in the lower pane.
11 You can select a condition from the list of Available Match Conditions, and then move each condition to the Selected Match Conditions list on the right. See Attaching Policies to Roles for Identity Management ingress policy match conditions and Policy Match Condition Combinations for XNV ingress and egress match conditions.
Note: All the conditions must be matched. That is, an implicit AND is included between all the match conditions.
The following information applies to the match conditions shown in the lists:
  • The letter "L" with a number before each match condition indicates the OSI layer on which these reside (for example, "L2" = OSI layer 2).
  • Conditions that are not compatible with other selections that you have made are not available (grayed out).
12 Click Next. The Match Condition Input tab appears (see the following figure).

Figure 72: New Policy Rule Dialog Box - Match Condition Input Tab
13 Provide inputs in the list(s) and box(es) for the match conditions that you selected previously.

14 Click Next. The Action tab appears (see the following figure).

Figure 73: New Policy Rule Dialog Box - Action Tab
15 Under If the match conditions are met, then:, select what should happen if the match conditions are met:
  • The packet is dropped
  • The packet is forwarded
16 If you do not want to add action modifiers, go to Step 18.
17 To select action modifiers:
  a Click Also include these action modifiers.
  b Under Available Action Modifiers, select action modifiers and move them to the Selected Action Modifiers list. Clicking an action modifier displays detailed information about it in the lower pane.
18 Click Finish. The New Policy Rule dialog box closes and you are returned to the New Policy dialog box, which now shows the rules that you added to the policy under the Rules tab and the code for the policy under the EXOS Policy tab.
19 Repeat Steps 7 through 18 to create additional rules, if needed.
20 Click OK. The new policy appears in the list as an unattached policy (Attached column value is Unattached).
For information about how to attach a policy, see Attaching Policies to VPPs and Attaching Policies to Roles. For information about how to edit a policy, see Editing a Policy.
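The rule semantics stated in Steps 7 and 11 (a rule with zero match conditions matches all packets, and selected conditions are ANDed) mean that a broad or empty rule placed early can make later rules unreachable. The following Python sketch is an added example, not Ridgeline or ExtremeXOS code; the rule model, condition names and sample policy are constructed, and first-match evaluation in rule order is an assumption.

```python
import ipaddress

# Hypothetical rule model for illustration; it is not Ridgeline's or ExtremeXOS's
# policy file format. "match" maps a condition name to the value it requires.
ADDRESS_FIELDS = {"source_address", "destination_address"}  # values are CIDR text


def condition_matches(field, wanted, packet):
    """Test one match condition against a packet (a dict of header fields)."""
    if field not in packet:
        return False
    if field in ADDRESS_FIELDS:
        return ipaddress.ip_address(packet[field]) in ipaddress.ip_network(wanted)
    return packet[field] == wanted


def rule_matches(rule, packet):
    """Implicit AND: every condition must hold. With zero conditions all() is
    True, so the rule matches every packet."""
    return all(condition_matches(f, w, packet) for f, w in rule["match"].items())


def evaluate(policy, packet):
    """Return (rule name, action) of the first matching rule, or None.
    First match in rule order is an assumption of this sketch."""
    for rule in policy:
        if rule_matches(rule, packet):
            return rule["name"], rule["action"]
    return None


def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    for field, wanted in earlier["match"].items():
        if field not in later["match"]:
            return False  # `later` leaves this field open, `earlier` does not
        other = later["match"][field]
        if field in ADDRESS_FIELDS:
            wide = ipaddress.ip_network(wanted)
            narrow = ipaddress.ip_network(other)
            if wide.version != narrow.version or not narrow.subnet_of(wide):
                return False
        elif other != wanted:
            return False
    return True


def find_shadowed(policy):
    """List (shadowed rule, shadowing rule) pairs: rules that can never fire."""
    findings = []
    for index, later in enumerate(policy):
        for earlier in policy[:index]:
            if covers(earlier, later):
                findings.append((later["name"], earlier["name"]))
                break
    return findings


# Constructed sample policy: rule order is list order.
SAMPLE_POLICY = [
    {"name": "drop_lab", "match": {"source_address": "10.1.0.0/16"},
     "action": "drop"},
    {"name": "forward_lab_web",
     "match": {"source_address": "10.1.2.0/24", "protocol": "tcp",
               "destination_port": 443},
     "action": "forward"},
    {"name": "forward_dns", "match": {"protocol": "udp", "destination_port": 53},
     "action": "forward"},
    {"name": "open_rule", "match": {}, "action": "forward"},  # zero conditions
    {"name": "drop_telnet", "match": {"protocol": "tcp", "destination_port": 23},
     "action": "drop"},
]

if __name__ == "__main__":
    for shadowed, by in find_shadowed(SAMPLE_POLICY):
        print(f"rule {shadowed} can never match: shadowed by {by}")
```

In the sample, drop_telnet never takes effect because open_rule has no match conditions and precedes it.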

Copying a Policy to Create a New Policy


You can create a new policy from scratch (see Creating New Policies) or you can base it on another existing policy.
To copy an existing policy to create a new policy:
1 In the navigation pane, click Policies.
2 Select a policy in the list by clicking its check box.
3 On the menu, click File > Save as. The Save Policy As dialog box appears (see the following figure).

Figure 74: Save Policy As Dialog Box
4 Choose the policy you want to copy from the Policies list.
5 Choose one of the following:
  • Save In: Ridgeline - Saves the policy to the server where Ridgeline is installed.
  • Export to: Changes the policy file format that enables you to take the policy from a Ridgeline installation to another Ridgeline installation.
    a Under File Type, select the file type, either:
      .pol file - The format used by ExtremeXOS
      Ridgeline (nms policy) - The format used by Ridgeline
    b Enter the directory path where you want to save the policy file in the Type the location of the directory box.
6 Type the policy name in the Policy Name box.
7 Click OK. The new policy appears in the policy list. You can now edit this policy as needed (see Editing a Policy).

Editing a Policy
After you have created a policy, you can change it. To edit a policy:

1 In the navigation pane, click Policies.

2 Double-click the desired policy in the list. The edit policy dialog box appears (see the following figure).

Figure 75: Edit Policy Dialog Box
3 Make changes as you would when you create a new policy.
4 When you finish making changes, click OK. The revised policy appears in the list.
For information about how to attach a policy, see Attaching Policies to VPPs on page 116 and Attaching Policies to Roles on page 117.

Deleting a Policy
To delete a policy:
1 In the navigation pane, click Policies. The Policies view appears.
2 Select the policy that you want to delete from the list of policies by clicking its check box.
3 Click Delete.
Note: If a policy is in use, you cannot delete that policy. A message appears informing you of this.

Figure 76: Policy Attached Dialog Box

Attaching Policies to VPPs


You can attach a policy to a role (see Attaching Policies to Roles) or to a VPP.
To attach a policy to a VPP:
1 In the navigation pane, click Policies. The Policies view appears.
2 Select the policy you want to attach by clicking its check box.
3 Click Attach to VPP. The Attach Policy to Virtual-Port Profiles dialog box appears (see the following figure).

Figure 77: Attach Policy to Virtual-Port Profiles Dialog Box
4 Select a VPP from the Available virtual-port profiles table by clicking its check box, and then click Add. The VPP is added to the Selected virtual-port profiles table.
5 Click OK. The policy now appears in the Policy list indicating that it is attached (Attached column value is Attached).

Attaching Policies to Roles


You can attach a policy to a VPP (see Attaching Policies to VPPs) or a role. You must attach policies to roles before you can attach roles to switches.
To attach roles with policies:
1 In the navigation pane, click Policies.
2 Select a policy to attach to a role by selecting its check box. You can only attach policies to roles that are of the type "role" (see Step 5 in Creating New Policies on page 109).
3 Click Attach to Role. The Attach Policies To Roles dialog box appears (see the following figure).

Figure 78: Attach Policies To Roles Dialog Box - Attach Policies Tab
4 Select a role from the Role Name list.
5 Move policies from the Available Policies pane to the Selected Policies pane.

6 Click Next. The Results tab appears (see the following figure).

Figure 79: Attach Policies To Roles Dialog Box - Results Tab
7 View the results, and then click Finish. The policy appears in the policy list as attached (Attached column value is Attached).

Detaching Policies from VPPs


To detach a policy from a VPP:
1 In the navigation pane, click Policies.
2 Select the policy that you want to detach from the VPP by clicking its check box.
3 Click Detach Policy From VPP.
4 Under the Selected virtual-port profiles table, select the VPP that you want to detach by clicking its check box.
5 Click OK.
6 The policy that you detached from the VPP now appears in the Policies list as unattached (Attached column value = Not attached).

Detaching Policies from Roles


To detach a policy from a role:
1 In the navigation pane, click Policies. The Policy view appears.
2 Select the policy to detach from a role by clicking its check box.

3 Click Detach Policy From Role. The Detach Policies From Roles dialog box appears (see the following figure).

Figure 80: Detach Policies From Roles Dialog Box
4 Select the role to detach from policies under Role Name.
5 Move the policy from the Selected Policies pane to the Available Policies pane.
6 Click Next. The Results tab appears.
7 View the results, and then click Finish.
8 The policy now appears in the list as unattached (Attached column value is Not attached).

Creating Categories for Policies


You can categorize policies to make it easier for you to find policies. This is for your benefit only; switches do not use it, nor does it affect a policy's function.
To categorize policies:
1 In the navigation pane, click Policies. The Policies view appears.
2 Click Categorize. The Categorize Policy dialog box appears (see the following figure).

Figure 81: Categorize Policy Dialog Box

3 Click New. The New Category dialog box appears (see the following figure).

Figure 82: Name New Category
4 Type a name in the Category Name box.
5 Click OK.
You can now apply the category to policies (see Categorizing Policy Policies on page 120).

Categorizing Policy Policies


You can categorize policies to make it easier for you to find policies. This is for your benefit only; switches do not use it, nor does it affect a policy's function. For information about how to create categories, see Creating Categories for Policies on page 119.
To categorize policy rules:
1 In the navigation pane, click Policies. The Policies view appears.
2 Select a policy to categorize by clicking its check box.
3 Click Categorize. The Categorize Policy dialog box appears (see the following figure).

Figure 83: Categorize Policy Dialog Box
4 Select a category on the left, and then click Apply.
5 If you need to create a new category, click New, type a name, and then click Create.
6 Click OK. The policy now appears in the list with the category you assigned appearing under the Category column.

Creating and Managing Roles


For information about creating and managing roles, see Using Identity Management.

Viewing Active Policies for Devices


1 In the navigation pane, click Main View or a desired device group.
2 Select the desired device by clicking its check box.
3 In the details pane, click the Policies tab. Policies attached to the device appear in the list. See Policies Tab for more information.

8 Managing and Monitoring VLANs


Overview of Virtual LANs
Configuring VLANs
Viewing VLAN Information
Displaying VLAN Details

This chapter describes how to use Ridgeline for:
  • Configuring VLANs using Ridgeline's network resource provisioning feature
  • Configuring VLANs using Ridgeline scripts
  • Categorizing VLANs by network name
  • Viewing VLAN details
  • Viewing details about services configured on VLANs

Overview of Virtual LANs


A virtual local area network (VLAN) is a group of location- and topology-independent devices that communicate as if they were on the same physical LAN. Extreme Networks switches have a VLAN feature that enables you to construct broadcast domains without being restricted by physical connections.
Ridgeline creates and manages VLANs for Extreme Networks devices only. It does not handle other third-party devices, even though third-party devices can be managed through Ridgeline. Extreme Networks devices can support a maximum of 4095 VLANs per switch.
VLANs on Extreme Networks switches can be created according to the following criteria:
  • Physical port
  • 802.1Q tag
  • Protocol sensitivity using Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol filters
  • A combination of these criteria
  • Network name

In the Ridgeline system, a VLAN is defined uniquely by the following:
  • Name
  • 802.1Q tag (if defined)
  • Protocol filters applied to the VLAN
As a result, multiple switches are shown as members of the same VLAN whenever all the above are the same.
VMANs (Virtual Metropolitan Area Networks) enable a service provider to offer the equivalent of separate and independent virtual bridged LANs to multiple customers over the provider's bridged network. Ridgeline can display detailed information about the VMANs configured in your network.

For a more detailed explanation of VLANs and VMANs, see the ExtremeXOS Concepts Guide.

Configuring VLANs
With Ridgeline, you can perform common VLAN configuration tasks, including creating, modifying, and deleting VLANs, as well as configuring VLAN protocol settings. There are two methods you can use for configuring VLANs in Ridgeline:
  • Using Ridgeline's network resource provisioning feature
  • Using Ridgeline's scripting feature
Additionally, you can optionally assign VLANs a network name, which is a means for categorizing VLANs into logical groups. After assigning one or more VLANs a network name, you can filter the information displayed in the VLAN table based on the network name. This can be useful if you have a large number of VLANs to manage.

Provisioning VLANs
Ridgeline's network resource provisioning feature allows you to create new VLANs simply by selecting the devices, ports, links, and tagging options you want, and then validating and deploying the VLAN configuration by clicking a button.
You can modify existing VLANs by selecting the VLAN in Network Views windows, changing parameters, and deploying the changes to the devices where the VLAN is configured.
The network resource provisioning feature also allows you to change VLAN settings on individual devices, and to remove individual devices from VLANs without affecting the configuration of the devices remaining in the VLAN.
For more information on Ridgeline's network resource provisioning feature, see Network Resource Provisioning Overview.
Creating VLANs
To create a VLAN:
1 In the navigation pane, click Main View or the folder containing the devices that you want to configure.

2 In the device table, or the map view, click the check boxes for desired devices to select them. For a VLAN, you can select one or more switches, links, or ports.

Figure 84: Selecting Devices to Provision
  1 - Device and port folders
  2 - Selected devices

3 Click New > New VLAN. The VLAN dialog box shown below appears.

Figure 85: VLAN Dialog Box
In the VLAN dialog box, the selected devices automatically appear under Available Devices. If the device software running on a device does not support the feature you are configuring, the device is unavailable.
4 Type a name for the VLAN in the Name box.
5 If you are creating a tagged VLAN, in Tag, click the numbered list, and then select a numeric value (1-4095) for the VLAN identifier.
6 Click the + sign next to a device in the Available Devices table list to view its ports.
7 To add the ports to the VLAN, select the ports by clicking the associated check boxes, and then click Add Tagged or Add Untagged. The selected ports are added to the Selected Ports list.

8 After you have selected all of the desired ports for the VLAN, click OK. The Progress And Results dialog box shown below appears.

Figure 86: Progress and Results Dialog Box
  1 - Verifying connectivity to the selected device(s)
  2 - Deploying the commands on the device

  3 - Updating the device information in the database
  4 - Validating command syntax and checking software compatibility
  5 - The validation rules or commands entered on the device for the selected task. Click to expand or collapse the right pane with Creating selected.

Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a software version that supports the features that you are provisioning. The following validations are performed:
  • The name length is not longer than 32 characters.
  • The name consists of only alphanumeric characters. No special characters such as # or & are allowed.
  • The tag range is from 1 to 4095.
  • The tag is not present on the selected device.
  • The name is not present on the selected device.
  • Port tag values are valid.
The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log. See Viewing Logged Information about Provisioning Tasks for more information.
If Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, and then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.
9 Click Close.
Modifying VLANs
For existing VLANs, you can edit settings and deploy the changes to the devices where the VLAN is configured. Control VLANs cannot be modified.
To modify a VLAN:
1 In the navigation pane, click Main View.
2 Click the VLAN tab, and then select the VLAN you want to modify by clicking its associated check box.
3 To edit the name or network name, click Edit > Edit Name or Edit > Edit Network Name. Make the needed changes, and then click OK.

4 To make other changes to the VLAN, click Properties. The VLAN Properties dialog box appears (see the following figure).

Figure 87: VLAN Properties Dialog Box
5 To change the list of ports:

a Click Edit List Of Ports. The Edit Ports dialog box appears (see the following figure).

Figure 88: Edit Ports Dialog Box
  b To add ports, under Available Devices, click the + next to device to view its ports, select the port(s) by clicking the associated check box(es), and then click Add Tagged or Add Untagged.
  c To remove ports, under Selected Ports, select the port(s) by clicking the associated check box(es), and then click Remove.
  d Click OK.
6 To change the list of links:

a Click Edit List Of Links. The Edit Links dialog box appears (see the following figure).

Figure 89: Edit Links Dialog Box
  b To add links, under Available Links, click the link's associated check box, and then click Add Tagged or Add Untagged.
  c To remove links, under Links in VLAN, click the link's associated check box, and then click Remove.
  d Click OK.
7 Click Cancel.
Deleting VLANs
You can delete a single VLAN and protected VLAN. Multiple VLANs cannot be deleted in the same operation, and control VLANs cannot be deleted.
To delete a VLAN:
1 In the navigation pane, click Main View.
2 Click the VLANs tab.
3 Select the VLAN you want to delete, and then click Delete.
4 Click Yes when prompted to confirm the deletion.
When you delete a VLAN, the software verifies that the services in the VLAN are not being used as transport services in an E-Line or E-LAN service.
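The validations that Ridgeline performs when a VLAN is created (listed under Creating VLANs) can be checked against a planned batch of VLANs before anything is provisioned. The following Python sketch is an added example, not Ridgeline code; the inventory layout, device names and problem codes are constructed, ASCII-only alphanumerics and exact name comparison are assumptions, and the "port tag values are valid" check is not modeled.

```python
import re

MAX_NAME_LEN = 32
TAG_MIN, TAG_MAX = 1, 4095
ALNUM = re.compile(r"[A-Za-z0-9]+")  # assumption: ASCII letters and digits only


def validate_vlan(name, tag, devices, inventory):
    """Check one planned VLAN. `tag` is None for an untagged VLAN.
    `inventory` maps a device name to a list of (vlan_name, tag) already on it.
    Returns (device, problem) tuples; device is None for plan-wide problems."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append((None, "name-too-long"))
    if not ALNUM.fullmatch(name):
        problems.append((None, "name-not-alphanumeric"))
    if tag is not None and not TAG_MIN <= tag <= TAG_MAX:
        problems.append((None, "tag-out-of-range"))
    for device in devices:
        existing = inventory.get(device, [])
        if any(name == other_name for other_name, _ in existing):
            problems.append((device, "name-in-use"))
        if tag is not None and any(tag == other_tag for _, other_tag in existing):
            problems.append((device, "tag-in-use"))
    return problems


def validate_batch(plans, inventory):
    """Validate plans in order. A plan that passes is treated as present on its
    devices for the plans after it, so two plans in one change window that
    reuse a name or tag on the same device are caught as well."""
    pending = {device: list(vlans) for device, vlans in inventory.items()}
    report = []
    for plan in plans:
        problems = validate_vlan(plan["name"], plan["tag"], plan["devices"], pending)
        report.append((plan["name"], problems))
        if not problems:
            for device in plan["devices"]:
                pending.setdefault(device, []).append((plan["name"], plan["tag"]))
    return report


# Constructed sample data.
SAMPLE_INVENTORY = {
    "sw-core-1": [("Default", 1), ("Voice", 200)],
    "sw-edge-7": [("Default", 1)],
}
SAMPLE_PLANS = [
    {"name": "Guest", "tag": 310, "devices": ["sw-core-1", "sw-edge-7"]},
    {"name": "Cameras", "tag": 310, "devices": ["sw-edge-7"]},
    {"name": "Lab_Net", "tag": 4096, "devices": ["sw-core-1"]},
    {"name": "Voice", "tag": None, "devices": ["sw-core-1", "sw-edge-7"]},
]

if __name__ == "__main__":
    for vlan_name, problems in validate_batch(SAMPLE_PLANS, SAMPLE_INVENTORY):
        print(vlan_name, "OK" if not problems else problems)
```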

Running VLAN Configuration Scripts


Ridgeline includes a number of bundled scripts that allow you to specify VLAN configuration settings and deploy them on managed Extreme devices. Using Ridgeline scripts, you can perform the following tasks:
  • Create and configure a new VLAN
  • Modify an existing VLAN
  • Configure protocol settings for a VLAN
  • Delete a VLAN and related configuration settings
  • Assign a VLAN to an EAPS domain
To run a VLAN Ridgeline script, click Run Script > VLAN, and select:
  • Create vlan protocol filter
  • Modify VLAN - Layer 3
  • Create VLAN
  • Modify VLAN - assign to EAPS domain
  • Modify Protocol Filter
  • Delete VLAN
  • Modify VLAN - Basic properties
  • Delete Protocol Filter
For information about how to use Ridgeline scripts, see Ridgeline Script Overview on page 303.
Note: After a VLAN is created, it may take between 1 and 5 minutes for the new VLAN to appear in Ridgeline displays.

Categorizing VLANs With Network Names


A network name is a means for categorizing VLANs into logical groups, which can aid in filtering the information displayed in the VLAN table. This can be useful if you have a large number of VLANs to manage. For example, you can assign VLANs to a category (a network name), such as Building 1, and then use the search box on the VLAN tab to filter the information displayed in the VLAN table to VLANs with the network name Building 1.
To do this, you need to:
  • Create a network name.
  • Assign it to one or more VLANs.
You can then use the network name to conveniently filter the VLAN list (see Filtering the VLANs Table Based on Network Name).

Creating Network Names
To create a network name:
1 In the navigation pane, click Main View.
2 On the menu, click Tools > Network Name. The VLAN Network Name dialog box shown below appears.

Figure 90: VLAN Network Name Dialog Box
3 Click New to open the New network name dialog box.
4 Type a network name and click Create.
5 Repeat to create additional network names as desired.
6 Click OK.

You can now assign this network name to VLANs (see Assigning VLANs a Network Name on page 132).
Assigning VLANs a Network Name
To assign a VLAN a network name:
1 In the navigation pane, click Main View or the device group with the VLAN(s) you want to assign network names to.
2 Click the VLANs tab.
3 In the table, select the VLANs that you want to assign to the network name. Use [Ctrl] + click to pick multiple VLANs; press [Shift] + click to pick a continuous set of VLANs.

4 From the menu, click Tools > Network name. The VLAN Network Name dialog box shown below appears.

Figure 91: VLAN Network Name Dialog Box
5 Under Network name, select the network name that you want to assign to the VLANs, and then click OK. The assigned network name appears in the Network column for the applicable VLANs.
You can now easily filter the list to find these VLANs based on this network name (see Filtering the VLANs Table Based on Network Name).
Filtering the VLANs Table Based on Network Name
With a network name assigned to VLANs (see Assigning VLANs a Network Name on page 132), you can easily find these VLANs by filtering on the network name field.
To use the network name to filter the list of VLANs in the VLAN table:
1 In the navigation pane, click Main View or the desired device group.
2 Click the VLANs tab to display the VLANs in the device group.

3 Click Quick Filter to display the available quick filters. The quick filter area appears at the top of the table (see the following figure). One of the quick filters is Network.

Figure 92: Filtering the VLAN Table Using the Network Name Quick Filter
4 In the Network quick filter box, select the network name to be used as the filter. You can choose multiple names. The VLAN table then displays only VLANs with the selected network name(s).

Viewing VLAN Information


To view information about VLANs in Ridgeline, in the navigation pane, click Main View or the desired device group, and then click the VLANs tab. A table listing the VLANs in the group appears.
In the map view, you can select a VLAN and see an overlay view highlighting all of the devices and links in the map where the selected VLAN is configured (see Displaying a Map View on page 72). You can select the Show Full Path check box to display the path a packet would take across the various VLANs in the network, taking into consideration VLAN services configured on the managed devices, such as subscriber VLANs, Private VLANs, and VMANs.
For information about the columns in the VLANs table, see VLANs Tab on page 32.
You can filter the contents of the table by:
  • Clicking Quick Filter (see Filtering the VLANs Table Based on Network Name on page 133). The applicable column is filtered by the selected search terms.
  • Typing search terms in the search box. All columns are searched.

Displaying VLAN Details


To display details about a VLAN, click the VLAN's row in the VLAN table. Information about the VLAN appears in the details window. If you double-click the row, the VLAN details appear in a separate window, as shown in the following figure.

Figure 93: VLAN Details Window
The VLAN details window has the following information:
Tag: The VLAN tag value (if any) or Untagged.
Network: The network name category (if any) that this VLAN belongs to. See Categorizing VLANs With Network Names for more information.
Name: The VLAN name.
Services: List of the type of services configured for the network VLAN.
Protocol Filter: The protocol filter(s) configured for the VLAN.
IP forwarding: Whether IP forwarding is enabled for the VLAN.
Control VLAN: Whether any EAPS control VLAN is present in the list of available VLANs.
EAPS Protection: Whether or not EAPS protection is present.
Type: The VLAN type, either VLAN or VMAN.
Last Updated From Database: Date and time that the information about the VLAN was last retrieved from the Ridgeline database.

Devices Tab
The Devices tab under the VLAN tab shows the following information:

Device Name: The name of the device in the VLAN.
IP Address: IP address of the device in the VLAN.
Virtual Router: The virtual router to which the VLAN is associated on the device. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
QOS Profile Name: QoS profile name configured for the VLAN on the device, if any.
Control VLAN: Whether or not this is a control VLAN.
Protected VLAN: Whether or not this is a protected VLAN.
Domain Name Set: EAPS domains to which the VLANs on the device belong.
VLAN Services: LAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-Network, Isolated-Subscriber, Non-Isolated Subscriber, Super VLAN, and Sub VLAN. For more information, see Viewing VLAN Services Information.
Software Version: Version of the software running on the device.
SNMP Version: SNMP version (1, 2, 2C, 3).
Log On Username: The device logon name.
Forwarding-database Polling: Whether or not FDB polling is enabled.
Device Manager Protocol: The protocol used to communicate with this device when using the device-based element manager (ExtremeWare Vista): HTTP or HTTPS. SSH must be enabled on the device.
Device Type: The device type (for example, Summit 400-48t).
Admin Status: The administrative state of the VLAN, either Enabled, Disabled, or Unknown. This information is available if the device has HTTP enabled, and runs ExtremeXOS version 12.1 or later.

Ports Tab
The Ports tab under the VLAN tab shows the following information:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if assigned.
Tagged: Whether the port is tagged.
Media: The port media, if applicable.
Type: Port type; for example, Gigabit, Management, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: Whether the port is enabled or disabled.

Layer 3 Settings Tab


The Layer 3 Settings tab under the VLAN tab shows the following information:
Device Name: The device's name.
IP Address: The device's IP address.
VLAN IP Address: The IP address of the VLAN.
VLAN IP Mask: The IP subnet mask.
IP Forwarding Enabled: Whether or not IP forwarding is enabled.

Links Tab
The Links tab under the VLAN tab shows the following information:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Share Details: Information about the port sharing configuration for the port, if applicable.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  • A green line indicates that the link is up.
  • A red line indicates that the link is down.
  • A yellow line for a bundled link indicates that some links are down and some are up.
  • A grey line indicates that the link status is unknown.
  • A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: An icon showing a circle and two lines indicates a shared link:
  • Green indicates the link is up.
  • Greyed-out green indicates the last-known status of the link was up.
  • Red indicates the link is down.
  • Greyed-out red indicates the last known state was down.
  • Yellow indicates that some ports on this link are up and some are down.
  The number of the port on the B side of the link.
Name: The device name.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.

B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Device Status: The current status of the device on the A side of the link.
Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
Type: The link type (for example, user-created, physical link, shared physical link).

Viewing VLAN Services Information


If the VLAN Services column in the table on the VLANs tab indicates that a service is configured for the VLAN, additional information appears in the VLAN details window, next to the Ports tab. Depending on the type of service configured, one of the following tabs may appear:
  • Translation VLAN
  • Translation-Member VLAN
  • Private VLAN
  • Isolated-Subscriber VLAN
  • Non-Isolated Subscriber VLAN
  • Super VLAN
  • Sub VLAN
Note: If a VLAN configured on one device does not have a service configured for it, but a VLAN configured on a second device does have a service configured for it, and also has the same name, tag, and protocol as the VLAN on the first device, then it may not be clear in Ridgeline which of the VLANs has the service configured on it. Therefore, use different names for VLANs with services and VLANs without services, so that both kinds of VLANs appear correctly in Ridgeline.
Translation VLAN Tab
If you select a device in the device table that has a translation VLAN configured (indicated by Translation in the VLAN Service column) the Translation VLAN tab appears. The Translation VLAN tab contains the following information:
  • The name of the Translation VLAN
  • The name of the network to which the Translation VLAN belongs
  • The tagged and untagged ports in the Translation VLAN
The table lists the following information about the members of the Translation VLAN:
Tag Network Name Ports Tag value of the Translation VLAN member Name of the network to which the Translation VLAN member belongs VLAN name of the Translation VLAN member List of the tagged and untagged ports in the Translation VLAN member

Ridgeline 4.0 Service Pack 1 Reference Guide

138

Managing and Monitoring VLANs

Translation-Member VLAN Tab

If you select a device in the devices table that is a member of a translation VLAN (indicated by Translation-Member in the VLAN Service column), the Translation-Member VLAN tab appears. The Translation-Member VLAN tab contains the following information:
- Tag value of the Translation VLAN to which the member belongs
- The name of the network to which the Translation VLAN belongs
- The name of the Translation VLAN to which the member belongs
- The tagged and untagged ports configured in the Translation VLAN

Private VLAN Tab

If you select a device in the devices table that has a private VLAN configured (indicated by Private in the VLAN Service column), the Private VLAN tab appears. The Private-Network VLAN tab contains the following information:
- Name of the Private VLAN
- Network name of the Private VLAN
- List of Tagged, Untagged, and Translated Ports in the Private-Network VLAN

The table lists the following information about the isolated and non-isolated subscribers:
Tag: Tag value of the subscriber VLAN
Type: Whether the subscriber VLAN is isolated or non-isolated
Network: Network name of the Private VLAN
Name: Name of the subscriber VLAN
Ports: List of the tagged and untagged ports in the subscriber VLAN

Isolated-Subscriber VLAN Tab

If you select a device in the devices table that is an isolated subscriber member of a private VLAN (indicated by Isolated-Subscriber in the VLAN Service column), the Isolated-Subscriber VLAN tab appears. The Isolated-Subscriber VLAN tab contains the following information:
- Tag value of the Private-Network VLAN
- Network name of the Private-Network VLAN
- Name of the Private-Network VLAN
- Name of the Private VLAN
- List of Tagged, Untagged, and Translated ports associated with the Private-Network VLAN

Non-Isolated Subscriber VLAN Tab

If you select a device in the devices table that is a non-isolated subscriber member of a private VLAN (indicated by Non-Isolated Subscriber in the VLAN Service column), the Non-Isolated Subscriber VLAN tab appears. The Non-Isolated Subscriber VLAN tab contains the following information:
- Tag value of the Private-Network VLAN
- Network name of the Private-Network VLAN
- Name of the Private-Network VLAN
- Name of the Private VLAN
- List of Tagged, Untagged, and Translated ports associated with the Private-Network VLAN

Super VLAN Tab

If you select a device in the devices table that has a super VLAN configured (indicated by Super VLAN in the VLAN Service column), the Super VLAN tab appears. The Super VLAN tab contains the following information:
- The name of the Super VLAN
- Network name of the Super VLAN
- The tagged and untagged ports in the Super VLAN

The table lists the following information about the Sub VLANs of this Super VLAN:
Tag: Tag value of the Sub VLAN
Network: Name of the network to which the Translation VLAN member belongs
Sub Range: Range of IP addresses in the Sub VLAN
Proxy: Status of the VLAN proxy, either Enabled or Disabled
Name: Name of the Sub VLAN
Ports: List of the tagged and untagged ports in the Sub VLAN

Sub VLAN Tab

If you select a device in the devices table that has a sub VLAN configured (indicated by Sub VLAN in the VLAN Service column), the Sub VLAN tab appears. The Sub VLAN tab contains the following information:

Sub VLAN information:
- IP address range of the Sub VLAN
- VLAN proxy status of the Sub VLAN, either Enabled or Disabled

Super VLAN information:
- The name of the Super VLAN
- Tag value of the Super VLAN
- Network name of the Super VLAN
- The tagged and untagged ports in the Super VLAN

9 Managing and Monitoring VMANs (PBNs)

Overview of VMANs
Configuring VMANs
Viewing VMAN Information
Displaying VMAN Details

This chapter describes how to use Ridgeline for:
- Configuring VMANs using Ridgeline's network resource provisioning feature
- Viewing information about VMANs configured on devices managed by Ridgeline

Overview of VMANs
Virtual Metropolitan Area Networks (VMANs), which are also known as Provider Bridge Networks (PBNs), are defined by the IEEE 802.1ad standard, which is an amendment to the IEEE 802.1Q VLAN standard. Metropolitan area network (MAN) service providers can use a VMAN to carry VLAN traffic from multiple customers across a common Ethernet network. A VMAN uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. VMAN technology is sometimes referred to as VLAN stacking or Q-in-Q. VMANs enable a service provider to offer the equivalent of separate and independent virtual bridged LANs to multiple customers over the provider's bridged network.

Note: The term VMAN is an Extreme Networks term that became familiar to Extreme Networks customers before the PBN standard was complete. The VMAN term is used in Ridgeline and also in this content to support customers who are familiar with this term. The term PBN is also used to establish the relationship between this industry standard technology and the Extreme Networks VMAN feature.

For a more detailed explanation of VMANs, see the ExtremeXOS Concepts Guide.

Ridgeline's network resource provisioning feature allows you to create new VMANs (see Creating VMANs) and modify existing VMANs (see Modifying VMANs) in your network. Ridgeline can display detailed information about VMANs in device tables and maps (see Viewing VMAN Information).

Configuring VMANs
Using Ridgeline, you can perform common VMAN configuration tasks, including creating (see Creating VMANs on page 143), modifying (see Modifying VMANs on page 146), and deleting VMANs (see Deleting VMANs on page 148), as well as configuring VMAN protocol settings.

Additionally, you can optionally assign VMANs a network name, which is a means for categorizing them into logical groups (see Categorizing VMANs With Network Names on page 149). After assigning one or more VMANs a network name, you can filter the information displayed in the VLAN table based on the network name. This can be useful if you have a large number of VLANs to manage.

Ridgeline's network resource provisioning feature allows you to create new VMANs on a group of devices or on a single device. You select the devices, ports, links, and tagging options you want, and then validate and deploy the VMAN configuration. You can modify existing VMANs, changing parameters and deploying the changes to the devices where the VLAN is configured. Network resource provisioning also allows you to remove a single device from a VMAN, or modify the VMAN settings on a single device.

For more information on Ridgeline's network resource provisioning feature, see Provisioning Network Resources.

Creating VMANs
To create a VMAN:

1 In the navigation pane, click Main View or a device group.
2 Select one or more devices, links, or ports by clicking their check boxes.
3 From the menu, click Services > New > VMAN. The VMAN provisioning dialog box appears (see the following figure).

Figure 94: VMAN Provisioning Dialog Box

In the VMAN provisioning dialog box, the selected devices automatically appear in the Available Devices table. You can provision VMANs only on Extreme Networks switches running ExtremeXOS 12.1 or later. Devices that do not support VMANs are unavailable.

Note: When a device is running an ExtremeXOS version earlier than 12.1, Ridgeline shows VMANs configured in the device as VLANs. To display VMANs properly, upgrade the switches to version 12.1 or later.

4 Type a name for the VMAN in the Name box.
5 Next to Tag:
  - For a tagged VMAN, click the numbered list, and then select a numeric value (1-4095) for the VMAN identifier.
  - For an untagged VMAN, click Untagged.
6 Enter the Ethertype value. This value is used to specify the ethertype value on the selected device. For appropriate values for the device, see the ExtremeXOS Concepts Guide.
7 Click the + next to a device to view the available ports table for the device.
8 Select the ports, and then click Add tagged or Add untagged. When the VMAN is created, the port is added to the new VMAN, and removed from the default VMAN if it was added as an untagged port.
9 When you have finished configuring the VMAN, click OK to start the validation and deployment process. The Progress and Results dialog box appears (see the following figure).

Figure 95: Progress and Results Dialog Box for VMAN Provisioning

10 Click Close.

Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a version of software that supports the features you are provisioning. The following validations are performed:
- The name length is not longer than 32 characters.
- The name consists of only alphanumeric characters. No special characters such as # or & are allowed.
- The tag range is from 1 to 4095.
- The tag is not present on the selected device.
- The name is not present on the selected device.
- Port tag values are valid.

If Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.

The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log. For more information, see Viewing Logged Information about Provisioning Tasks.
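The validation rules listed above can be applied to a planned VMAN before it is entered in the provisioning dialog. The following is an added example, not Ridgeline code: the Device and VmanRequest classes, the rule identifiers, and the inventory contents are assumptions made for illustration, and the "Port tag values are valid" rule is left out because this guide does not define it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_NAME_LEN = 32            # name length is not longer than 32 characters
TAG_MIN, TAG_MAX = 1, 4095   # tag range is from 1 to 4095
# fullmatch() is used instead of ^...$ so that a trailing newline is rejected too.
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")


@dataclass
class Device:
    """Hypothetical inventory snapshot: names and tags already on a switch."""
    name: str
    existing: Dict[str, Optional[int]] = field(default_factory=dict)  # name -> tag


@dataclass
class VmanRequest:
    """A planned VMAN; tag=None models the Untagged choice."""
    name: str
    tag: Optional[int]
    devices: List[Device]


def validate(req: VmanRequest) -> List[Tuple[str, Optional[str]]]:
    """Return (rule, device name or None) for every rule the request violates."""
    findings: List[Tuple[str, Optional[str]]] = []
    if len(req.name) > MAX_NAME_LEN:
        findings.append(("name-length", None))
    if not ALNUM_ONLY.fullmatch(req.name):
        findings.append(("name-charset", None))
    if req.tag is not None and not TAG_MIN <= req.tag <= TAG_MAX:
        findings.append(("tag-range", None))
    # The last two rules are evaluated per selected device.
    for dev in req.devices:
        if req.name in dev.existing:
            findings.append(("name-in-use", dev.name))
        if req.tag is not None and req.tag in dev.existing.values():
            findings.append(("tag-in-use", dev.name))
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sw1 = Device("sw1", {"Default": 1, "custA": 100})
    sw2 = Device("sw2", {"Mgmt": 4000})
    for req in (
        VmanRequest("custB", 200, [sw1, sw2]),
        VmanRequest("cust#B", 200, [sw1]),
        VmanRequest("custA", 4000, [sw1, sw2]),
    ):
        print(req.name, req.tag, validate(req) or "ok")
```

An empty result means the request passes the modelled rules; Ridgeline still performs its own validation and connectivity checks at deployment time.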


Modifying VMANs
For existing VMANs, you can edit settings and deploy the changes to the devices where the VMAN is configured. For a VMAN, you can edit the list of ports or links in the VMAN as well as the name and network name of the VMAN (although not the tag value). If you add ports as untagged to the VMAN, they are removed from the default VLAN before being added to the VMAN you are editing.

To modify a VMAN:

1 In the navigation pane, click Main View.
2 Click the VLAN tab.
3 Find the desired VMAN in the list. You can limit the contents of the table to just VMANs by typing VMAN in the search box or by clicking Quick Filter and clicking VMAN in the Services.
4 Select the desired VMAN by clicking its check box.
5 To edit the name or network name, click Edit > Edit Name or Edit > Edit Network Name. Make the needed changes, and then click OK.
6 To make other changes to the VMAN, click Properties. The VMAN Properties dialog box appears (see the following figure).

Figure 96: VMAN Properties Dialog Box

7 To change the list of ports:
  a Click Edit List Of Ports. The Edit Ports dialog box appears (see the following figure).

  Figure 97: Edit Ports Dialog Box

  b To add ports, under Available Devices, click the + next to the device to view its ports, select the port(s) by clicking the associated check box(es), and then click Add Tagged or Add Untagged.
  c To remove ports, under Selected Ports, select the port(s) by clicking the associated check box(es), and then click Remove.
  d Click OK.
8 To change the list of links:
  a Click Edit List Of Links. The Edit Links dialog box appears (see the following figure).

  Figure 98: Edit Links Dialog Box

  b To add links, under Available Links, click the link's associated check box, and then click Add Tagged or Add Untagged.
  c To remove links, under Links in VLAN, click the link's associated check box, and then click Remove.
  d Click OK.
9 Click Cancel.

Deleting VMANs
You can delete a single VMAN or protected VMAN at a time. Multiple VMANs cannot be deleted in the same operation, and control VMANs cannot be deleted.

To delete a VMAN:

1 In the navigation pane, click Main View or a device group.
2 Click the VLAN tab.
3 Find the VMAN that you want to delete. You can limit the contents of the table to just VMANs by typing VMAN in the search box or by clicking Quick Filter, and then clicking VMAN in the Services.
4 Select the VMAN that you want to delete by clicking its check box.
5 Click Delete.
6 When prompted, confirm the deletion.

When you delete a VMAN, the software verifies that the services in the VMAN are not being used as transport services in an E-Line or E-LAN service.

Categorizing VMANs With Network Names


A network name is a means for categorizing VMANs into logical groups, which can aid in filtering the information displayed in the VLAN table. This can be useful if you have a large number of VMANs to manage. For example, you can assign VMANs to a category (a network name), such as Provider 1, then use the quick filter on the VLAN tab to limit the information displayed in the table to VMANs with the network name Provider 1.

For information about how to create a network name and assign it to a VMAN, see Categorizing VLANs With Network Names. The procedure is the same for VLANs and VMANs.

Viewing VMAN Information


To view information about VMANs in Ridgeline, in the navigation pane, click Main View or a device group, and then click the VLANs tab. A table listing the VLANs and VMANs in the group appears. You can select a VMAN and display it on the map as an overlay view highlighting all of the devices and links in the map where the selected VMAN is configured (see the following figure). You can limit the contents of the table to just VMANs by typing VMAN in the search box, or clicking Quick Filter, and then selecting VMAN in the Services box.

Figure 99: VMANs in a Map View

The VLANs/VMANs table shows the following information:
VLAN Tag: The VMAN tag value (if any) or Untagged, along with an icon indicating whether this is an EAPS-protected VMAN (icon legend: VMAN; EAPS-protected VMAN).
Name: The VMAN name.
Network: The network name category (if any) that this VMAN belongs to. For more information, see Categorizing VMANs With Network Names.
Service: List of the type of services configured for the VLAN. For VMANs (PBNs), this is VMAN.
Protocol Filter: The protocol filter(s) configured for the VMAN.
IP Forwarding: Whether IP forwarding is enabled for the VMAN.
Last Updated From Database: Date and time that the information about the VMAN was last retrieved from the Ridgeline database.
Last Updated By: The ID of who last updated the VMAN information.
Type: The VLAN type. For VMANs (PBNs), this is VMAN.

Detailed information about the VMAN is available by double-clicking a VMAN (see Displaying VMAN Details on page 151).


Displaying VMAN Details


VMANs are indicated by VMAN in the Type column in the VLAN tab. To display details about a VMAN, click its row in the VLAN tab. Information about the VMAN appears in the details pane. If you double-click the row, the VMAN details appear in a separate window (see the following figure).

Note: To gather VMAN-related information, the VlanServiceDataCollection task must run successfully. You need XML API support on a device with ExtremeXOS image version 12.1 or later; otherwise Ridgeline does not differentiate between VLANs and VMANs.

Figure 100: VMAN Details Window

The VMAN details window shows the following information:
Tag: The VMAN tag value (if any) or Untagged, along with an icon indicating whether this is an EAPS-protected VMAN (icon legend: VMAN; EAPS-protected VMAN).
Network: The network name configured for the VMAN.
Protocol Filter: The protocol filter(s) configured for the VMAN.
Name: The name of the VMAN.
Control VMAN: For an EAPS-protected VMAN, the name of the Control VLAN in the EAPS domain.
EAPS Protection: For an EAPS-protected VMAN, the name of the protected VLAN in the EAPS domain.
Type: The VLAN type, in this case VMAN.
Last Updated From Database: Date and time that the information about the VMAN was last retrieved from the Ridgeline database.

There are three tabs:
- Devices
- Ports
- Links

Devices Tab
When you click the Devices tab in the VMAN details window (see Displaying VMAN Details on page 151), the following information appears:
Device Name: The name of the device, and an icon indicating the status of the device.
IP address: The IP address of the device.
Virtual Router: The virtual router to which the VMAN is associated on the device.
QOS Profile Name: QoS profile name configured for the VMAN on the device, if any.
Control VLAN: Whether this VMAN is configured as an EAPS control VLAN.
Protected VLAN: Whether this VMAN is protected by an EAPS domain.
Domain Name Set: EAPS domains to which the VLANs on the device belong.
VLAN Services: VLAN service type. Possible values are Translation, Translation-Member, VMAN, Translation VMAN, Translation-Member VMAN, Private-VLAN, Isolated-Subscriber, NonIsolated Subscriber, Super VLAN, and Sub VLAN. This information is available if the device has HTTP enabled, and runs ExtremeXOS software version 12.1 or later.
Software Version: The ExtremeXOS software version running on the device.
SNMP Version: The SNMP version configured on the device.
Log On User Name: The user name used to log on to the device.
Forwarding-database Polling: Whether FDB polling is enabled on the device.
Device Manager Protocol: The protocol used for accessing management functions on the device.
Device Type: The type of device.
Admin Status: The administrative state of the VMAN, either Enabled or Disabled.

Ports Tab
When you click the Ports tab in the VMAN details window (see Displaying VMAN Details on page 151), the following information appears:
Port Number: Port number. If the device is a chassis device, then the port number is displayed in slot:port format.
Name: The name of the port, if configured.
Tagged: Whether the port is tagged.
Media: The port media, if applicable.
Type: Port type; for example, Gigabit, Mgmt, 10/100.
Actual Speed: Speed of the port; Auto if the speed is auto-negotiated.
Actual Duplex: Duplex of the port, either full or half.
Configured Speed: The configured speed of the port.
Configured Duplex: The configured duplex setting of the port.
State: The port state (Enabled or Disabled).

Links Tab
When you click the Links tab in the VMAN details window (see Displaying VMAN Details on page 151), the following information appears:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Share Details: Information about the port sharing configuration, if configured.
Status: An icon indicating the status of the link. The link status icon can be one of the following colors:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines indicates a shared link:
  - Green indicates the link is up.
  - Greyed-out green indicates the last-known status of the link was up.
  - Red line indicates the link is down.
  - Greyed-out red indicates the last known state was down.
  - Yellow indicates that some ports on this link are up and that some are down.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Number/Annotation: The number of the port on the B side of the link.
Name: The name of the port on the B side of the link, along with an icon indicating the port status.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: Port name on the A side of the link.
B Port Name: Port name on the B side of the link.
Device Status: The current status of the device.
Link State: The current state of the link.
Type: The link type; for example, user-created.

10 Managing Multi-Switch Link Aggregation Groups

Overview
Viewing MLAG Information

This chapter describes multi-switch link aggregation groups (MLAGs).

Overview
Multi-switch link aggregation group (MLAG) takes link aggregation and extends it by allowing one device of a link aggregated group (LAG) to dual home into two separate devices, thus providing failover support for devices. By using the MLAG feature, you can combine ports on two switches to form a single logical connection to another network device. The other network device can be either a server or a switch that is separately configured with a regular LAG (or appropriate server port teaming) to form the port aggregation.

MLAG is supported by the following Extreme Networks devices:
- BlackDiamond 8000 series switches
- BlackDiamond X8 series switches
- Summit Family Switches

The following figure shows a device dual homed into two devices (MLAG 1). Server 1 treats the two links as a regular link aggregation group (LAG). Devices 2 and 3 participate in the MLAG to create the perception of a LAG. MLAG adds multi-path capability to a LAG, where the number of paths is limited to two. With MLAG, both links dual homed from Device 1 can be actively forwarding traffic. If one device in the MLAG fails, for example, if Device 3 fails, traffic is redistributed back to Device 2, thus allowing for both device and link level redundancy while utilizing both active links.

MLAG can be used in conjunction with LAG. MLAG is confined to two switches in the tier that support MLAG. That is, Device 2 and Device 3 need to be from the same vendor. Device 1, on the other hand, treats both the ports as regular LAG ports and can be another vendor's device. For example, MLAG can be used in conjunction with NIC teaming where Device 1 could be a server that can be dual homed to two switches operating as an MLAG.

Figure 101: Elements of a Basic MLAG Configuration

The basic operation of this feature requires two ExtremeXOS switches interconnected by an interswitch connection (ISC). The ISC is a normal, directly connected, Ethernet connection and it is recommended that you engineer reliability, redundancy where applicable, and higher bandwidth for the ISC connection. Then you logically aggregate ports on each of the two switches by assigning MLAG identifiers (MLAG-ID). Ports with the same MLAG-ID are combined to form a single logical network connection. Each MLAG can be comprised of a single link or a LAG on each switch. When an MLAG port is a LAG, the MLAG port state remains up until all ports in the LAG go down. As long as at least one port in the LAG remains active, the MLAG port state remains active.

When an MLAG port (a single port or all ports in a LAG) fails, any associated MAC FDB entries are moved to the ISC, forcing traffic destined to the MLAG to be handled by the MLAG peer switch. Additionally, the MLAG peer switch is notified of the failure and changes its ISC blocking filter (see ISC Blocking Filters on page 156) to allow transmission to the MLAG peer port. In order to reduce failure convergence time, you can configure MLAG to use ACLs for redirecting traffic via the fast convergence-control option.

Note: For Layer 3 unicast forwarding, you must configure VRRP or ESRP on the peer switches.

Each of the two switches maintains the MLAG state for each of the MLAG ports and communicates with the other to learn the MLAG states, MAC FDB, and IP multicast FDB of the peer MLAG switch.

ISC Blocking Filters


The ISC blocking filters are used to prevent looping and optimize bandwidth utilization. When at least one MLAG peer port is active, the upper layer software initiates a block of traffic that ingresses the ISC port and needs to be forwarded to the local MLAG ports. This is considered to be the steady state condition. In normal steady state operation most network traffic does not traverse the ISC. All unicast packets destined to MLAG ports are sent to the local MLAG port only. However, flood and multicast traffic traverses the ISC but is dropped from MLAG peer port transmission by the ISC blocking filter mechanism. The ISC blocking filter matches all Layer 2 traffic received on the ISC and blocks transmission to all MLAG ports that have MLAG peer ports in the active state.

When there are no active MLAG peer ports, the upper layer software initiates an unblocking of traffic that ingresses the ISC port and needs to be forwarded to the local MLAG ports, thus providing redundancy. This is considered to be the failed state.

Inter-Switch Communication

Keep-alive Protocol

MLAG peers monitor the health of the ISC using a keep-alive protocol that periodically sends health-check messages. The frequency of these health-check hellos can be configured.

MLAG Status Checkpointing

Each switch sends its MLAG peer information about the configuration and status of MLAGs that are currently configured over the ISC link. This information is checkpointed over a TCP connection that is established between the MLAG peers after the keep-alive protocol has been bootstrapped.
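The ISC blocking filter behaviour described under ISC Blocking Filters can be traced with a small model of two MLAG peers. This is an added example, not ExtremeXOS or Ridgeline code: the Switch class, port names, and the flooding model are assumptions, the ISC is assumed to be up, and only flooded traffic is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Egress = Tuple[str, str]  # (switch name, port name)


@dataclass
class Switch:
    """Hypothetical MLAG peer: MLAG ports keyed by MLAG-ID plus ordinary edge ports."""
    name: str
    mlag_ports: Dict[int, List[bool]]   # MLAG-ID -> link state of each LAG member
    edge_ports: Dict[str, bool] = field(default_factory=dict)  # port name -> up?

    def mlag_active(self, mlag_id: int) -> bool:
        # The MLAG port stays active while at least one LAG member is up.
        return any(self.mlag_ports.get(mlag_id, []))


def isc_blocked_ids(local: Switch, peer: Switch) -> Set[int]:
    """MLAG-IDs on `local` that ISC-received traffic must not be sent to:
    those whose MLAG peer port (on `peer`) is in the active state."""
    return {m for m in local.mlag_ports if peer.mlag_active(m)}


def _flood_local(sw: Switch, skip_port: str, blocked: Set[int]) -> List[Egress]:
    out: List[Egress] = []
    for mlag_id in sorted(sw.mlag_ports):
        port = f"mlag{mlag_id}"
        if port != skip_port and mlag_id not in blocked and sw.mlag_active(mlag_id):
            out.append((sw.name, port))
    for port, up in sw.edge_ports.items():
        if port != skip_port and up:
            out.append((sw.name, port))
    return out


def flood(ingress_sw: Switch, peer: Switch, ingress_port: str) -> List[Egress]:
    """Egress points of a flooded frame that enters ingress_sw on ingress_port."""
    local = _flood_local(ingress_sw, ingress_port, blocked=set())
    # The frame also crosses the ISC; the peer applies its blocking filter.
    remote = _flood_local(peer, "isc", blocked=isc_blocked_ids(peer, ingress_sw))
    return local + remote


def copies_to_mlag(egress: List[Egress], mlag_id: int) -> int:
    """How many copies of the frame reach the device dual homed on this MLAG-ID."""
    return sum(1 for _, port in egress if port == f"mlag{mlag_id}")


if __name__ == "__main__":
    # Constructed topology: Device2 and Device3 are peers, MLAG 1 is a 2-port LAG on each.
    d2 = Switch("Device2", {1: [True, True]}, {"uplink": True})
    d3 = Switch("Device3", {1: [True, True]}, {"uplink": True})
    print("steady state:", flood(d2, d3, "uplink"))
    d2.mlag_ports[1] = [False, True]      # one LAG member down: still steady state
    print("partial LAG failure:", flood(d2, d3, "uplink"))
    d2.mlag_ports[1] = [False, False]     # whole MLAG port down: failed state
    print("failed state:", flood(d2, d3, "uplink"))
```

In every scenario the dual-homed device receives exactly one copy of the flooded frame, and a frame it sends itself is never returned over the peer's MLAG port while the local MLAG port is active.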

Viewing MLAG Information


You can view information about an MLAG peer, including an MLAG peer switch state, MLAG group count, and health-check statistics. You can also view each MLAG group, including local port number, local port status, remote MLAG port state, MLAG peer name, MLAG peer status, local port failure count, remote MLAG port failure count, and MLAG peer failure count.


To see if a port is part of an MLAG group or an ISC port, you can view the MLAG table (see MLAG Table View). MLAG information also appears in the map view (see MLAG Map View).

MLAG Table View


To view the MLAG table:

1 In the navigation pane, click Main View or the desired device group.
2 Click the MLAG tab. The MLAG view appears (see the following figure).

Figure 102: MLAG View

The MLAG table view shows the following information:
Status: MLAG overall status. There are five status categories:
  - Up - Everything is normal: all links under ISC are up and all MLAGs are up
  - Degraded - Either one or more ISC links are down and all MLAGs are up or one or more MLAGs are down
  - Protecting - ISC is up and one or more MLAG ports are down
  - Unprotected - Either all ISC links are down and all MLAGs are up or one MLAG port is down
  - Down - Either all ISC links are down and all MLAGs are down or one or more ISC links are down and all MLAGs are down or all ISC links are up and all MLAGs are down
MLAG ID: MLAG ID
ISC VLAN Tag: Inter-switch connection VLAN tag
A Name: Name of MLAG peer A switch
A IP Address: IP address of MLAG peer A switch
B Name: Name of MLAG peer B switch
B IP Address: IP address of MLAG peer B switch

MLAG Map View


Click the MLAG tab in the Main View or device group to see the map view. The map provides the following information:
- MLAG links indicated by gray lines
- MLAG name and ID on each device node
- ISC links icon
- Port number: hover the mouse over the switch icon.
- Peers indicated by double connecting lines

The following figures are examples of MLAG map views including:
- Basic MLAG map view with a configured ISC
- MLAG Peers map view with a configured ISC
- MLAG Peers with LAG peers on network map view without an ISC
- MLAG Peers with LAG peers on network map view configured with an ISC

Figure 103: Basic MLAG Map View Configured with an ISC

Figure 104: MLAG Peers Map View Configured with an ISC

Figure 105: MLAG Peers with LAG peers on Network Map View

Figure 106: MLAG Peers with LAG peers Network Map View Configured with an ISC

MLAG Detail View


To view detailed information about MLAG, double-click a row in the MLAG table. The MLAG Detail window appears (see the following figure).

Figure 107: MLAG Detail Window

The following tables appear:
- MLAG Links
- Peer Information
- MLAG Port Details
- Customer VLANs

MLAG Links Table

The MLAG Links table has the following information:
A Device: Name of peer device with inter-switch connection link
A IP address: IP address of this peer device
A port number/annotation: Port number on which MLAG ports are associated with this MLAG peer switch
Share Details: Shared link details
Status: Link status: up or down
ISC Link: Box color indicates link status of inter-switch connection link
B Device: Name of peer device with inter-switch connection link
B IP address: IP address of this peer device
B port number/annotation: Port number on which MLAG ports associated with this MLAG peer
Discovery protocol: Protocol used to discover MLAG peers
A port name: MLAG port name to which peer device is attached
B port name: The MLAG port name on which peer device is attached
Type: Type of link: physical or virtual

Peer Information Table

The Devices table has the following information:
Name: Name of device
IP address: IP address of device
ISC VLAN name: Name of the inter-switch connection VLAN through which the MLAG peer can be reached
ISC VLAN Tag: Inter-switch connection VLAN tag
ISC VLAN IP address: Inter-switch connection VLAN IP address
Peer Name: Name of MLAG peer switch
VR: Name of the VR with which the MLAG peer VLAN is associated
Port Count: Number of MLAG ports associated with this MLAG peer
Check Point Status: Checkpointing status of this MLAG peer: up or down
Rx Checkpoint Messages: Number of checkpoint messages received from the MLAG peer switch
Hello Errors: Number of hello error messages
Hello Timeouts: Number of hello time out messages
Up Time: Specifies the time that the connectivity with the MLAG peer switch is up
Tx Interval: Length of the time, in milliseconds, between transmissions of health check hello packets
Peer Tx Interval: Transmitting hello interval of MLAG peer switch in milliseconds
Tx Check Point Messages: Number of transmitted checkpoint messages
Check Point Errors: Number of checkpoint errors
Peer Connect Errors: Number of MLAG peer switch connect errors

MLAG Port Details


Port Number Name Local Failure Count Local link Status Remote link Status Peer State Remote Failure Count Load Shared Ports The port number Port name (if assigned) Number of ports that are down in the local MLAG port Local MLAG port status. It reflects the status of entire LAG when LAG is used in conjunction with MLAG. Values: active, disabled, ready, and port not present Remote MLAG port status. Values: up, down, and not available Whether the peer is up or down Number of ports that are down in the remote MLAG port Whether the port is shared or not.


Customer VLANs Table


VLAN tag: VLAN trunk tagging
VLAN name: Name assigned to the VLAN
Network name: Name of network
Protocol name: Device protocol
QoS profile name: Name assigned to the QoS profile configuration
IP forwarding enabled: Check box: If forwarding is enabled it has a check mark; if disabled the check box is clear.
VLAN IP address: IP address of VLAN
VLAN IP mask: IP subnet mask
Virtual router: Name of virtual router
Type: Type of VLAN
VLAN Services: Type of VLAN service
Admin status: Status of VLAN

MLAG Device View


In the Main View or desired device group, select a device by clicking its check box, and then click the MLAG tab for a list of MLAGs configured on this device. For details about this view, see Viewing MLAG Information.


11 Managing Virtual Machines


Introduction to the XNV Feature
Example XNV Configuration
Managing the XNV Feature, VM Tracking
Configuring Repository Settings on all VM Tracking Switches
Policy Match Condition Combinations
Creating a Virtual-Port Profile
Attaching and Detaching Policies, VPPs, and VMs
Viewing Information on the VMs Tab

This section describes Ridgeline's Extreme Network Virtualization (XNV).

Introduction to the XNV Feature


Typical data centers support multiple virtual machines (VMs) on a single server. These VMs usually require network connectivity to provide their services to network users and to other VMs. The Ridgeline Extreme Networks Virtualization (XNV) feature:

- Enables network administrators to monitor, secure, and manage virtual machines (VMs) in a centralized and vendor-neutral manner. Starting with version 3.1, Ridgeline supports VM management from popular vendors such as VMware, Citrix, and Microsoft. For the Microsoft System Center Virtual Machine Manager (SCVMM), you must install a Ridgeline XNV agent on the host to enable Ridgeline to communicate with Microsoft SCVMM.
  Note: The link to the XNV agent download appears on the Ridgeline Welcome page.
- Allows network administrators to import VMs from virtual machine managers (VMMs), such as vCenter, XenServer and Microsoft System Center, in a seamless manner. Once imported, Ridgeline keeps track of inventory changes in the source VMMs. The Ridgeline VMs views show VMs from several vendors and VMMs in one place. The VMs view also shows the network location of VMs, such as the switches and ports to which they are currently connected.
- Allows network administrators to author and attach profiles to VMs. Once attached, Ridgeline ensures that the attached profile is applied to a VM no matter where it moves within the network, enabling administrators to secure and ensure a quality of service level.
- Enables administrators to view VM movement history within the network.


VM Port Configuration and Repository Management


To enable XNV capabilities on managed, top-of-rack Extreme Networks switches, Ridgeline first needs to enable the VM Tracking feature on switches and their ports that are connected to VM hosts. Ridgeline acts as a central repository of profiles, policies, and profile mappings for switches. Once the VM Tracking feature is enabled on a switch, it periodically synchronizes its repository database from Ridgeline.

Ridgeline uses virtual port profiles (VPPs), which are also known as network virtual port profiles (NVPPs). An NVPP contains policy files and ACL rules. Once attached to a VM, these policy and ACL rules are applied to the VM when it enters the switch authentication database.

Note: Only the Summit X480, X650, and the BlackDiamond 8800 c-series and 8900 modules support egress ACLs. Therefore, VPPs that include egress ACL rules cannot be instantiated on other Summit platforms and BlackDiamond 8800 modules.

NVPPs are stored on an FTP server called a repository server. The XNV feature supports file synchronization between XNV-enabled switches and the repository server. One of the advantages of the repository server is that storage is centralized for NVPPs. Without the repository server, NVPPs would need to be manually created or copied to each XNV-enabled switch.

Local virtual port profiles (LVPPs), which override network policies, must be configured on each switch. LVPPs are recommended for simple network topologies, but NVPPs better facilitate network management for more complex network topologies.

VM Authentication Process
The XNV feature on a switch supports three methods of authentication:
- Ridgeline authentication.
- Network authentication, using a downloaded authentication database stored in the VMMAP file.
- Local authentication, using a local database created with ExtremeXOS CLI commands.

The default VM authentication configuration uses all three methods in the following sequence: Ridgeline server (first choice), the network-based .map file, and last the local database. If a service is not available, the switch tries the next authentication service in the sequence.

The following topics describe each authentication process:
- Ridgeline Authentication
- Network Authentication
- Local Authentication

Ridgeline Authentication
If Ridgeline authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch sends an Access-Request to the configured Ridgeline server for authentication. When the switch receives a response, the switch does one of the following:
- When an Access-Accept packet is received with an NVPP, the policies are applied on the VM-enabled port.
- When an Access-Accept packet is received and no NVPP file is specified, the port is authenticated and no policy is applied to the port.
- When an Access-Reject packet is received, the port is unauthenticated and no policy is applied.
- When an Access-Reject packet indicates that the Ridgeline server timed out or is not reachable, the switch tries to authenticate the VM MAC address based on the next authentication method configured, which can be either network authentication or local authentication.

Network Authentication
If network authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the .map file to authenticate the VM and applies the appropriate policies.

Local Authentication
If local authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the local database to authenticate the VM and apply the appropriate policies.
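The authentication sequence described above can be modeled as an ordered chain in which only an unavailable service hands the decision to the next method. The following is an added example, not ExtremeXOS or Ridgeline code; the MAC addresses, profile names and server callables are constructed, and treating a MAC that is missing from an available database as unauthenticated is an assumption the guide does not confirm.

```python
"""Model of the XNV VM authentication sequence (illustrative, not ExtremeXOS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    UNREACHABLE = "Access-Reject: server timed out or not reachable"


@dataclass(frozen=True)
class Decision:
    method: Optional[str]   # service that decided; None if no service was available
    authenticated: bool
    vpp: Optional[str]      # profile whose policies are applied to the port, if any


# A method returns a Decision, or None when its service is unavailable.
Method = Callable[[str], Optional[Decision]]


def normalize_mac(mac: str) -> str:
    """Accept 00:11.., 00-11.. or 0011.22.. and return lower-case colon form."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ridgeline(server: Callable[[str], Tuple[Reply, Optional[str]]]) -> Method:
    """Ridgeline authentication: the server answers the switch's Access-Request."""
    def method(mac: str) -> Optional[Decision]:
        reply, nvpp = server(mac)
        if reply is Reply.UNREACHABLE:
            return None                               # fall through to next method
        if reply is Reply.ACCEPT:
            return Decision("ridgeline", True, nvpp)  # nvpp None: no policy applied
        return Decision("ridgeline", False, None)     # reject: unauthenticated
    return method


def database(name: str, table: Optional[Dict[str, str]]) -> Method:
    """Network (.map file) or local authentication, as a MAC -> VPP table."""
    entries = None if table is None else {normalize_mac(k): v for k, v in table.items()}

    def method(mac: str) -> Optional[Decision]:
        if entries is None:
            return None                               # database not present
        if mac in entries:
            return Decision(name, True, entries[mac])
        # Assumption: the guide does not say what a miss in an available database does.
        return Decision(name, False, None)
    return method


def authenticate(mac: str, methods: List[Method]) -> Decision:
    """Try each configured method in order; the first available one decides."""
    mac = normalize_mac(mac)
    for method in methods:
        decision = method(mac)
        if decision is not None:
            return decision
    return Decision(None, False, None)


# Constructed sample data (not from the guide).
VM_A, VM_B, VM_C = "00:50:56:AA:BB:01", "00-50-56-aa-bb-02", "0050.56aa.bb03"
RIDGELINE_REPLIES = {
    normalize_mac(VM_A): (Reply.ACCEPT, "nvpp-web"),
    normalize_mac(VM_B): (Reply.ACCEPT, None),
    normalize_mac(VM_C): (Reply.REJECT, None),
}
VMMAP = {VM_A: "nvpp-web", VM_C: "nvpp-db"}
LOCAL_DB = {VM_B: "lvpp-default"}


def server_up(mac: str) -> Tuple[Reply, Optional[str]]:
    return RIDGELINE_REPLIES.get(mac, (Reply.REJECT, None))


def server_down(mac: str) -> Tuple[Reply, Optional[str]]:
    return (Reply.UNREACHABLE, None)


if __name__ == "__main__":
    default_order = [ridgeline(server_up), database("network", VMMAP),
                     database("local", LOCAL_DB)]
    for vm in (VM_A, VM_B, VM_C):
        print(vm, authenticate(vm, default_order))
```

Note that an explicit Access-Reject is final: VM_C is listed in the constructed .map table, but it is only authenticated from that table when the Ridgeline server is unreachable.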

File Synchronization
Ridgeline's XNV feature supports file synchronization between XNV-enabled switches and the repository server. The files stored on the repository server include the policy files and the VM-profile mappings. One of the advantages of the repository server is that multiple XNV-enabled switches can use the repository server to collect the network VM configuration files. The XNV feature provides for access to a secondary repository server if the primary repository server is unavailable. Through file synchronization, the VM configuration and policy files are periodically downloaded to the XNV-enabled switches, which allows these switches to continue to support VM connections when the Ridgeline server or the repository server is unavailable. You can also initiate a file synchronization from the XNV-enabled switch.

Example XNV Configuration


The following figure displays an XNV topology. It illustrates the following:
- A VM moves from the server connected to address 11.1.1.1/21 to the server connected to 11.1.1.2/21.
- The switches automatically move the VPP from 11.1.1.1/21 to 11.1.1.2/21.
- The policies that were attached to port 11.1.1.1/21 are automatically attached to 11.1.1.2/21 when the VM moves.
- The VM is not affected by the change from one switch to another and continues to function as if it were still 11.1.1.1/21.

The figure also shows:
- VM authentication using Ridgeline server, network, or local authentication.
- Ingress and egress port configuration for each VM.


Figure 108: Topology of XNV Configuration

Managing the XNV Feature, VM Tracking


The Ridgeline XNV feature requires that target devices are running ExtremeXOS 12.5.2.1 or later.

Enabling VM Monitoring on Devices


To enable VM monitoring on a device:
1 In the navigation pane, click Virtualization Management.


2 On the VM-Monitoring Devices tab, click Enable VM monitoring. The Enable Monitoring Of VM Information wizard appears (see the following figure).

Figure 109: Enable Monitoring Of VM Information Wizard, Enable Devices Tab

3 Select the device(s) that you want to enable VM monitoring on by selecting their check box(es). Devices are unavailable for selection if:
- Device is already enabled for VM monitoring.
- Device does not support VM monitoring.
- Device has Identity Management enabled.
When all devices in the group belong to all the cases described, the group is disabled.
4 Click Add.


5 Click Next. The Enabled Ports tab appears (see the following figure).

Figure 110: Enable Monitoring Of VM Information Wizard, Enabled Ports Tab

6 Select the ports on the device that you want to enable monitoring by clicking their check boxes. Click the + next to a device to view its ports. Uplink ports, ports that have Netlogin enabled, or ports that are part of LAG, are unavailable for selection.
7 Click Next. The Results tab appears (see the following figure).
8 Review the results, and then click Finish.

Disabling VM Monitoring on Devices


To disable VM monitoring on a switch:
1 In the navigation pane, click Virtualization Management.
2 On the VM-Monitoring Devices tab, select the devices that you want to stop VM monitoring on by clicking their check boxes.
3 Click Disable VM Monitoring.
4 Click OK.

Limitations
The following limitations apply to the VM tracking feature:


- VM tracking authentication cannot be used simultaneously with Network Login authentication on the same port.
- When VM tracking is configured on a port, all existing learned MAC addresses are flushed. MAC addresses are relearned by the switch, and the appropriate VPP (if any) for each VM is applied.
- If a VM changes MAC addresses while moving between ports on a switch, the VM remains authenticated on the original port until the original MAC address ages out of the FDB.
- VM counters are cleared when a VM moves between ports on the same switch because ACLs are deleted and recreated.

Supported VMMs and VMs


The Virtual Machine Manager lists all virtual machine managers added to and used by Ridgeline. Ridgeline supports only the following versions of VMMs:
- VMware 5.0 vCenter Server Virtualization Management
- Citrix (XenServer) 5.6.0
- Microsoft System Center Virtual Machine Manager (SCVMM) 2.0.4275.0

Note: You must install the Ridgeline XNV agent on the SCVMM host for the Microsoft SCVMM and its virtual machines to be managed by the Ridgeline server. To obtain the Ridgeline XNV agent, go to the Ridgeline Welcome page, click Get Ridgeline XNV agent here, and then follow the installation instructions for RidgelineXNVAgentInstaller.exe.

To go to the Ridgeline Welcome page, start a web browser. Type http://<host>:<port>/ in the URL, replacing <host> with the name of the system where the Ridgeline server is running, and <port> with the TCP port number that you assigned to the Ridgeline Web Server during installation (by default this is port 8080).

Communication between the Ridgeline server and the Ridgeline XNV agent (default port 10556) occurs using the HTTP protocol.

Virtual Machine Manager


To open the Virtual Machine Manager, in the navigation pane, click Virtualization Management, and then click the VM Managers tab (see the following figure).


Figure 111: VM Managers Table

The Virtual Machine Manager table automatically updates and supports the following operations:
- Importing virtual machines from a selected VMM
- Deleting selected VMMs
- Editing selected VMMs
- Updating VMMs: Use Updating VMMs to manually update all imported virtual machines and their network information.

Note: When using VMware, one view per VMM opens. When using Citrix, individual entries for each Resource pool or cluster show.

The Virtual Machine Manager provides the following information:
- Type
- Name
- DNS Name
- IP Address
- User Name
- Status
- Pool Master
- Last Updated

Adding New VM Managers


When you add a VM Manager, Ridgeline discovers and imports all virtual machines managed by the VM Manager. Once the import is complete, Ridgeline locates imported VMs on the network if XNV-enabled switches are managed by Ridgeline.


Before adding a new VM manager, you need the following information:
- IP address or host name of the VM Manager
- VM Manager vendor
- User Name
- Password

Note: You should have sufficient privileges to retrieve VM inventory information and receive events when inventory information changes.

To add a new VM manager:
1 In the navigation pane, click Virtualization Management.
2 Click the VM Managers tab.
3 Click New VM Manager. The New VM Manager dialog box appears (see the following figure).

Figure 112: New VM Manager Dialog Box, Connection Parameters Tab

4 Enter information for the following:
- IP Address Or Host Name
- Vendor: Select VMWare, Citrix, or Microsoft
- User Name
- Password


5 Click Next. The Discovered VM Inventory tab appears (see the following figure). Ridgeline discovers VMs or resource pools and shows the information.

Figure 113: New VM Manager Dialog Box, Discovered VM Inventory Tab

6 Click Next. The Import VM Managers tab appears briefly and the imported VM manager(s) appear in the VM Managers tab.

Editing VM Manager Settings


You can change the following VM manager settings:
- IP address or host name of the VM manager
- User Name
- Password

To edit these VM manager settings:
1 In the navigation pane, click Virtualization Management.
2 Click the VM Managers tab.
3 Select the VM manager that you want to edit by clicking its check box.
4 Click Properties. The VM Manager Properties dialog box appears (see the following figure).

Figure 114: VM Manager Properties


5 Make the desired changes.
6 Click OK.
7 This updates the VMM credentials and performs the following operations:
- Closes the VMM session and opens a new session
- Synchronizes Ridgeline with selected VM manager
- Imports newly discovered VMs
- Updates existing VMs to reflect updated VMM settings

Deleting VM Managers
To delete a VM manager:
1 In the navigation pane, click Virtualization Management.
2 Click the VM Managers tab.
3 Select the VM manager in the list that you want to delete by clicking its check box.
4 Click Delete VM Manager.
5 When prompted, confirm the deletion.

Configuring Repository Settings on all VM Tracking Switches


You can configure the repository server with or without credentials. If you configure credentials on the server, you need to update the settings on all VM tracking switches. For more information:
- Setting up a repository server
- Setting credentials on a repository server

Setting Up a Repository Server


Before you can use Ridgeline to configure a repository server, you need to set up an FTP server on another system.

Setting Credentials on a Repository Server


To set credentials on a repository server:
1 In the navigation pane, click Virtualization Management.
2 Click the Settings tab.


3 Click Change Repository Settings. The Extreme Networks Ridgeline dialog box appears (see the following figure).

Figure 115: Extreme Networks Ridgeline Dialog Box

4 Select one of the following credential settings:

- Anonymous (least secure option)
  Anonymous is the default login setting on all XNV switches. It is the least secure setting. Switches running EXOS 12.5 or earlier are set to Anonymous only.
  Note: Custom credentials are not supported by ExtremeXOS 12.5.2 XNV devices and earlier versions. You cannot set credentials on all devices if there is an unsupported switch in the network.

- These credentials when the version of EXOS supports it and Anonymous on all other devices
  Enter your FTP user name and password in the Login and Password boxes. This allows switches running ExtremeXOS versions earlier than 12.6 and switches running version 12.6 and later to operate together in a seamless manner: switches with ExtremeXOS earlier than version 12.6 are configured with the ExtremeXOS Anonymous user, and switches with EXOS version 12.6 and later use the configured FTP user name and password.

- Always use these credentials (most secure option)
  Set up a custom user name and password for repository synchronization.

5 Click OK after choosing a setting. This applies the settings to all the VM tracking switches. This setting is not configurable if there are already some devices running ExtremeXOS versions earlier than 12.6 that are already enabled for VM-tracking. After enabling this option, the devices with ExtremeXOS versions earlier than 12.6 are unavailable when you start Enable VM-Tracking. The Progress and Results dialog box shows information about how the change is advancing and its completion.


6 Click Close.
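Which credential setting is usable depends on the ExtremeXOS version of every VM tracking switch, so it helps to audit the inventory before opening the dialog. The following is an added example, not Ridgeline or Extreme Networks code; the Switch record and the inventory are constructed, and it assumes that the "not configurable" restriction in step 5 refers to the Always use these credentials option.

```python
"""Audit a switch inventory against the repository-credential rules (illustrative)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

XNV_MIN = (12, 5, 2, 1)       # guide: XNV requires ExtremeXOS 12.5.2.1 or later
CUSTOM_CREDS_MIN = (12, 6)    # guide: configured FTP credentials need 12.6 or later

# Option labels as they appear in the credential settings list above.
MIXED = ("These credentials when the version of EXOS supports it "
         "and Anonymous on all other devices")
ALWAYS = "Always use these credentials"


@dataclass(frozen=True)
class Switch:                 # hypothetical inventory record
    name: str
    exos_version: str
    vm_tracking: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted number of a version string as a tuple of ints."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def audit(inventory: List[Switch]) -> Dict[str, object]:
    too_old_for_xnv: List[str] = []
    anonymous_sync: List[str] = []     # tracked switches limited to anonymous FTP
    blocked_by_always: List[str] = []  # untracked switches older than 12.6
    for sw in inventory:
        version = parse_version(sw.exos_version)
        if version < XNV_MIN:
            too_old_for_xnv.append(sw.name)
        if version < CUSTOM_CREDS_MIN:
            (anonymous_sync if sw.vm_tracking else blocked_by_always).append(sw.name)
    return {
        "xnv_unsupported": too_old_for_xnv,
        # These switches keep synchronizing with the Anonymous user under MIXED.
        "anonymous_ftp_sync": anonymous_sync,
        # These switches cannot be enabled for VM tracking once ALWAYS is set.
        "unavailable_for_vm_tracking_under_always": blocked_by_always,
        # Assumption: ALWAYS cannot be set while a pre-12.6 switch has VM tracking on.
        "strongest_setting": MIXED if anonymous_sync else ALWAYS,
    }


# Constructed inventory (not from the guide).
INVENTORY = [
    Switch("tor-a", "12.5.2.1", True),
    Switch("tor-b", "12.6.1.3", True),
    Switch("tor-c", "15.3.1.4 patch1-2", False),
    Switch("old-d", "12.4.1.7", False),
]

if __name__ == "__main__":
    for key, value in audit(INVENTORY).items():
        print(f"{key}: {value}")
```

Every name listed under anonymous_ftp_sync is a switch that must be upgraded to 12.6 or later before the most secure setting can be selected.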

Policy Match Condition Combinations


The table below lists the ingress and egress policy match condition combinations for Extreme Network Virtualization. The following items provide additional information about the match conditions:
- ExtremeXOS dynamically inserts the source MAC address in the ingress policy. It does not allow you to manually add a source MAC address in the ingress policy.
- ExtremeXOS dynamically inserts the destination MAC address in the egress policy. It does not allow you to manually add a destination MAC address in an egress policy.

Table 5: XNV Policy with Wide-key Mode (Default XNV Policy)
Ingress: Source IP Address, Source MAC, DMAC, dest IP, protocol, source-port, dest-port, tcp-flags, vlan-ID, dot1p, ip-tos, Ethertype
Egress: Source MAC, dest MAC, ethernet-type, vlan-id, dot1p

Creating a Virtual-Port Profile


To associate a VM with a policy, you must first create a VPP. To create a VPP:
1 On the navigation pane, click Main View or device group.
2 Click the VMs tab.


3 Click New > New Virtual-port Profile. The New Virtual-Port Profile dialog box appears (see the following figure).

Figure 116: New Virtual-Port Profile Dialog Box

4 Type a name for the new VPP in the Name box.
5 (Optional) Type a description for the VPP in the Description box.
6 Select an ingress policy by selecting it from the Select Ingress Policies table.
  Note: If you do not see any policies to select, you need to create policies. See Creating New Policies.
7 Select an egress policy by selecting it from the Select Egress Policies table.
  Note: If you do not see any policies to select, you need to create policies. See Creating New Policies.
8 Click OK.

Attaching and Detaching Policies, VPPs, and VMs


The following figure shows the flow for attaching policies, VPPs, and VMs. You can achieve attachment results by creating and performing any of the following:
- Create a policy and attach it to a VPP.
- Create a VPP and attach it to a Policy.
- Create a VPP and attach it to a VM.
- Create a VM and attach it to a VPP.

Figure 117: Attaching Policies, VPPs, and VMs

Attaching a VPP to a VM
To attach a VPP to a VM:
1 In the navigation pane, click Virtual Port Profiles.
2 Select a VPP to attach a VM to by clicking its check box.


3 Click Attach To VMs. The Attach Virtual-Port Profile To VMs dialog box appears (see the following figure).

Figure 118: Attach Virtual-Port Profile to VMs Dialog Box

4 Select VMs to attach to the VPP from the Available virtual machines table.
5 Click Add. The VM(s) are added to the Selected virtual machines table.
6 Click OK.
7 Review the results and click Close.

Detaching a VPP from a VM


To detach a VPP from a VM:
1 In the navigation pane, click Virtual Port Profiles.
2 Select a VPP to detach from a VM by clicking its check box.


3 Click Detach From VMs. The Detach Virtual-Port Profile from Virtual Machines dialog box appears (see the following figure).

Figure 119: Detach Virtual-Port Profile from Virtual Machines Dialog Box

4 Select the VM(s) to remove by clicking their check box(es) in the Available virtual machines table.
5 Click Add. The VM(s) to remove appear in the Selected virtual machines table.
6 Click OK.

Attaching a Policy to a VPP


To attach a policy to a VPP: 1 In the navigation pane, click Virtual Port Profiles.


2 Click Attach Policies. The attach policies dialog box appears (see the following figure).

Figure 120: Attach Policies Dialog Box

3 Select a policy from the Ingress Policies table by clicking its check box.
4 Select a policy from the Egress Policies table by clicking its check box.
  Note: If there are no policies to select, you need to create policies. See Creating New Policies.
5 Click OK.

Detaching a VPP from a Policy


To detach a VPP from a policy:
1 In the navigation pane, click Virtual Port Profiles.
2 Select a VPP in the list.


3 Click Detach Policies. The detach policies dialog box appears (see the following figure).

Figure 121: Detach a VPP from a Policy

4 Clear the check box(es) for the policies that you want to detach in the Ingress Policies and/or Egress Policies tables.
5 Click OK.

Attaching Policies to Roles


You can attach a policy to a VPP (see Attaching Policies to VPPs) or a role. You must attach policies to roles before you can attach roles to switches. To attach roles with policies:
1 In the navigation pane, click Policies.
2 Select a policy to attach to a role by selecting its check box. You can only attach a policy to roles that are of the type "role" (see Step 5 in Creating New Policies on page 109).


3 Click Attach to Role. The Attach Policies To Roles dialog box appears (see the following figure).

Figure 122: Attach Policies To Roles Dialog Box, Attach Policies Tab

4 Select a role from the Role Name list.
5 Move policies from the Available Policies pane to the Selected Policies pane.
6 Click Next. The Results tab appears (see the following figure).

Figure 123: Attach Policies To Roles Dialog Box, Results Tab

7 View the results, and then click Finish. The policy appears in the policy list as attached (Attached column value is Attached).

Detaching Policies from Roles


To detach a policy from a role:
1 In the navigation pane, click Policies. The Policy view appears.
2 Select the policy to detach from a role by clicking its check box.


3 Click Detach Policy From Role. The Detach Policies From Roles dialog box appears (see the following figure).

Figure 124: Detach Policies From Roles Dialog Box

4 Select the role to detach from policies under Role Name.
5 Move the policy from the Selected Policies pane to the Available Policies pane.
6 Click Next. The Results tab appears.
7 View the results, and then click Finish.
8 The policy now appears in the list as unattached (Attached column value is Not attached).

Viewing Information on the VMs Tab


After successfully discovering VMs and enabling VM Tracking on the switches, Ridgeline shows the mapping between the VMs and the devices they access. All associated policies are listed:
- Main View VM tab
- VM details pane
- Device details VM tab
- VM monitoring in the audit log

Main View VM Tab


In Main View, the VMs tab lists all VMs that are part of the discovered VMMs and Resource Pools. These do not need to be accessing a device. This is the only view in which you can see all the VMs (see the following figure).


Figure 125: VM Tab

You can filter the contents of the VM tab by typing keywords in the search box or by clicking Quick Filter and then selecting an available quick filter. The VM tab shows the following information:

Power Status: Current power status of the VM, which can be: On, Off, Suspended, Unrecognized
VM Name: The VM's name.
VM MAC Address: MAC address of the network interface card (NIC) of the VM (if there is more than one NIC, they are shown as separate rows in the All Table View)
Device Name: Name of the device to which the VM is connected
Device IP Address: IP Address of the device to which the VM is connected
Port Number: Port number of the device to which the VM is connected
Port Load Sharing: Indicates whether the port to which the VM is connected is configured for load sharing or not
Host IP Address: IP Address of the Physical Host to which the VM belongs
Host Name: Physical Host Name
Virtual-Port Profile: Virtual Port profile (VPP) attached to the VM
Ingress Policy: Ingress policy that is present in the VPP attached to the VM
Ingress Policy Result: Result of the ingress policy after being applied on the device, which can be one of the possible values
Egress Policy: Egress policy that is present in the VPP attached to the VM
Egress Policy Result: Result of the egress policy after being applied on the device, which can be one of the possible values
Data Center

For a selected VM, the details pane (bottom of screen) shows additional information (see VM Details Pane). When you select a VM in the map view, Ridgeline highlights the device and shows the number of VMs currently accessing the switch.

Figure 126: All Map View

VM Details Pane
For a selected VM on the VMs tab (see Main View VM Tab) of the Main View, detailed VM information appears in the VM details pane:
VM properties:
- VM Name
- Power Status
- Virtual-Port Profile
- Ingress Policy
- Egress Policy

Current host tab:
- Host Name
- Host Connection Status
- Host Vendor Name

VMM Details tab:
- Vendor
- VMM name
- VMM DNS Name
- VMM IP Address
- Data Center

NIC tab:
- VM MAC address
- VM IP address
- Device Name
- Device IP Address
- Port Number
- Port Name
- MLAG ID
- MLAG Description
- Port Load Sharing
- Ingress Policy Result
- Egress Policy Result

History tab:
- Device IP Address: Device IP where the VM was present
- Device Name
- State: Open or Closed. Open indicates the history record describes the current state of the NIC
- Port Number: Port on the device
- Host Name: Name of the current physical host machine
- Host IP Address: IP address of the current physical host
- Date Appeared: Time when the VM first appeared on the device
- Date Left: Time when the VM was removed from the device

MLAG information:
- MLAG ID
- MLAG description

Device Details with VM Monitoring


The Devices tab in the Main View shows where VM Monitoring is enabled (see the following figure).


Figure 128: VM Tab in Detailed Device Pane

Click a device in the table to show its detailed view in the lower pane, and then click the VMs tab in the detailed view. The VMs tab in the detailed device view shows the following information:

Power Status: Current power status of the VM, which can be: On, Off, Suspended, Unrecognized
Name: The VM's name.
Mac Address: MAC address of the network interface card (NIC) of the VM (if there is more than one NIC, they are shown as separate rows in the All Table View)
Port Number: Port number of the device to which the VM is connected
Host IP Address: IP Address of the Physical Host to which the VM belongs
Host Name: Physical Host Name
Virtual-Port Profile: Virtual Port profile (VPP) attached to the VM
Ingress Policy: Ingress policy that is present in the VPP attached to the VM
Ingress Policy Result: Result of the ingress policy after being applied on the device, which can be one of the possible values
Egress Policy: Egress policy that is present in the VPP attached to the VM
Egress Policy Result: Result of the egress policy after being applied on the device, which can be one of the possible values


VM Monitoring Audit Log


The audit log shows VM information. To view the VM audit log information, in the navigation pane, click Audit Log, and then click the VMs tab (see the following figure).

Figure 129: Audit Log VM Tab

Ridgeline creates an audit log entry for the following reasons:
- A virtual port profile has been modified (for example, an update of an ingress or egress policy).
- A policy has been attached to a VPP.
- A policy has been detached from a VPP.
- To enable VM Tracking.
- To disable VM Tracking ports.
- To update VM Tracking ports.

The VM tab of the audit log shows the following information:

Action Time: Time when the VM policy was attached or detached.
Action: Name of the action: Attachment or Detachment.
User Name: Name of user who performed the attachment or detachment operation.
Overall Status: The operation was a Success or it Failed.

The Actions pane shows the following information:

Action Time: Time when the VM policy was attached or detached
Virtual Machine: Name of the virtual machine
Virtual Port Profile: Name of the virtual port profile
Ingress Policy: Name of the ingress policy
Egress Policy: Name of the egress policy
Overall Status: Successful or unsuccessful validation

For more information about the audit log, see Audit Log Overview on page 329.


12 Managing and Monitoring EAPS Domains

EAPS Overview
Viewing EAPS Information
Displaying EAPS Domain Details
Verifying EAPS Information
Running EAPS Reports

This chapter describes how to use Ridgeline for:
- Configuring EAPS domains using Ridgeline's network resource provisioning feature
- Viewing table and map views of EAPS domain information
- Displaying detailed information about individual EAPS domains
- Verifying the EAPS configurations in your network
- Running reports about the EAPS domains in your network

EAPS Overview
The Ethernet Automatic Protection Switching (EAPS) protocol provides fast protection switching to Layer 2 switches interconnected in an Ethernet ring topology, such as a Metropolitan Area Network (MAN) or large campus. For details on how EAPS works, see the ExtremeXOS Concepts Guide.

Using Ridgeline, you can configure new EAPS domains, including specifying member links, the EAPS master node, primary and secondary ports, control VLAN, hello timer, and fail timer parameters. Your configuration is validated by the software before it is deployed to managed devices.

The EAPS monitoring function in Ridgeline provides a visual way to configure and view the status of your EAPS configurations (EAPS domains) and to verify the configuration of your EAPS-enabled devices. With its multiple status displays and the ability to focus on individual EAPS domains, it can also help you debug EAPS problems on your network.

Note: Your devices must be running ExtremeWare 7.7 or later, or ExtremeXOS 11.3 or later in order to be recognized by Ridgeline as EAPS nodes. ExtremeXOS 11.6 is required for full EAPS functionality within Ridgeline.

Using Ridgeline, you can perform the following EAPS configuration tasks:
- Create an EAPS domain
- Modify settings in an EAPS domain
- Create a shared link
- Specify protected VLANs, VMANs, and BVLANs
- Modify protected VLANs, VMANs, and BVLANs
- Delete an EAPS domain

For more information about Ridgeline's network resource provisioning feature, see Network Resource Provisioning Overview.

Creating an EAPS Domain


To create an EAPS domain:
1 In the navigation pane, click Main View or the desired device group that contains the device or ports you want to include.
2 Select a device by clicking its check box. Or, click the Links tab, and then select two or more links.
3 On the menu, click Protocols > New > EAPS Domain. The New EAPS Domain dialog box appears.

Figure 130: New EAPS Domain Dialog Box

4 Type a name for the new EAPS domain in the Name box.
5 Select the links to make up the new EAPS domain:
  a Under Available Devices, for each selected device, click the + to show the device's ports.
  b Select the desired ports by clicking their check boxes.
  c Click Add. Your selections appear under Selected Ports.
6 Under Control VLAN, type a name and tag value for the control VLAN for the EAPS domain in the Name and Tag boxes, respectively.


7 In the Master Node list, select the device that will be the master node for the new EAPS domain. The list of devices in the Master Node list is based on the device(s) you selected in Step 2.
8 In the Primary Port list, select a port. The available ports are based on the selected links and the device selected to be the master node. The secondary port is automatically selected as the other port on the device, based on the link.
9 Change the default values in the EAPS Hello Timer and Fail Timer boxes if desired.
10 When you finish configuring the EAPS domain, click OK. The Progress and Results dialog box appears.

Figure 131: Progress and Results Dialog Box for EAPS Creation

11 Click Close.

Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a version of software that supports the features you are provisioning.

If Ridgeline successfully validates the options you selected, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.

The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log (see Viewing Logged Information about Provisioning Tasks).

Modifying an EAPS Domain


For existing EAPS domains, you can edit settings and deploy the changes to the devices where the EAPS domain is configured.

To modify an EAPS domain:
1 In the navigation pane, click Main View or the desired device group containing the EAPS domain you want to configure.


2 Click the EAPS tab, and then select the EAPS domain that you want to modify by clicking its check box. For an EAPS domain, you can edit the master nodes and ports and the settings for the Hello and Fail timers.
  - To change the master nodes/ports, click Edit Master Node.
  - To change the time values, click Edit EAPS timer.
3 Make any necessary changes to the EAPS configuration, and then click OK to validate and deploy the changes.

Creating a Shared Link

An EAPS shared link is a physical link that carries overlapping VLANs that are protected by more than one EAPS domain.

To create an EAPS shared link:
1 In the navigation pane, click Main View or the desired device group.
2 From the menu, click Protocol > New > Shared link. The New Shared Link dialog box appears.

Figure 132: New Shared Link Dialog Box

3 Under Available Links, select the link to make up the shared link by clicking its check box. You can specify only one link to be used as a shared link.
4 To change the default values, enter values for the Segment Timeout and Segment Health Interval boxes.
5 For Expiry Action, select either Segment Down or Send Alert.


6 Select the Controller Node from the list.
7 When you have finished configuring the shared link, click OK to start the validation and deployment process.

Creating Protected VLANs, VMANs, and BVLANs


An EAPS domain consists of one master node and one or more transit nodes, and includes one control VLAN and one or more protected VLANs. The procedure for creating protected VLANs is the same as for protected VMANs (Virtual Metropolitan Area Networks) and protected BVLANs (Backbone VLANs) used in the configuration of PBB (Provider Backbone Bridge) networks.

To create a protected VLAN:
1 In the navigation pane, click Main View.
2 From the menu, select Services > New > Protected VLAN. The Protected VLAN dialog box appears.

Figure 133: Protected VLAN Dialog Box

3 Type a name for the protected VLAN in the Name box.
4 Select a tag in the Tag box.
5 Under Available EAPS Domains, select an EAPS domain for the protected VLAN by clicking its check box.
6 Click Add. The selection appears in EAPS Domains Protecting VLAN.
7 Click OK to start the validation and deployment process.

When you create a protected VLAN, the software performs the same validations as those for non-protected VLANs, and verifies that the ring ports used are configured on all the relevant EAPS domains. To learn what validations are performed for non-protected VLANs, see Creating VLANs on page 123.


Modifying Protected VLANs, VMANs, and BVLANs


You can modify the list of EAPS domains, the name, and the network name of protected VLANs, VMANs, and BVLANs.

To modify a protected VLAN, BVLAN, or VMAN:
1 In the navigation pane, click Main View or the desired device group.
2 Click the VLAN tab (for VLANs and VMANs) or click the PBB tab (for BVLANs).
3 Find the network that you want to modify in the table. VMANs are denoted with VMAN in the Services column. You can scan for VMANs more easily by clicking on the Services column heading to group all the VMANs together. You can scan for BVLANs more easily by clicking the Type column heading to group all BVLANs together.
4 Double-click the network to open the detail window, and verify that for the selected network EAPS Protection is Present.
5 Close the detail window.
6 With the desired VLAN, BVLAN, or VMAN selected in the list, click Properties to display the VLAN, BVLAN, or VMAN Properties dialog box (shown below).

Figure 134: VLAN Properties Dialog Box

7 Make any of the following changes:
  - To edit the list of EAPS domains in the network, click Edit List Of EAPS.
  - To edit the name of the VLAN or VMAN, click Edit Name.
  - To edit the network name, click Edit network name.
  The Progress and Results dialog box appears.
8 Make the desired changes, and then click Finish.

Deleting an EAPS Domain


To delete an EAPS domain:


1 In the navigation pane, click Main View or the desired device group.
2 Click the EAPS tab.
3 Select the EAPS domain that you want to delete by clicking its check box.
4 Click Delete.
5 Click Yes when prompted to confirm your deletion of the EAPS domain.

Note: The Control VLAN is deleted along with the EAPS domain.

Viewing EAPS Information


To view information about your EAPS domains, in the navigation pane, click Main View or the desired device group, and then click the EAPS tab. A list of EAPS domains for the group appears (see the following figure). In the map pane, you can select an EAPS domain and display an overlay view highlighting all of the devices and links in the map where the selected EAPS domain is configured (see the following figure). For more information about EAPS maps, see The EAPS Map View on page 197.

Figure 135: EAPS Tab View

The EAPS domain table has the following information.


Name: The name of the EAPS domain, and an icon indicating the domain status:
  - Green ring: all domains in which this device participates are fully operational.
  - Yellow ring: one or more of the domains is not fully operational, but is in a transitional state or an unknown state (as when the device is SNMP unreachable).
  - Red ring: one or more of the domains is not operational (if the device has a master in a failed state or a Transit node in a links down state).
  - Grey ring: the EAPS domain is disabled.
Control VLAN Tag: VLAN tag (ID) of the EAPS control VLAN.
Control VLAN Network Name: The Network Name of the control VLAN, if one has been assigned. See Categorizing VLANs With Network Names for more information.
Last Updated: When the EAPS domain information was last updated from the Ridgeline database.

For information about details of the EAPS domain, see Displaying EAPS Domain Details on page 200.

The EAPS Map View


The EAPS map view shows the devices in a device group with respect to their EAPS implementation, including the EAPS-related links between devices and a summary status for each device and for each EAPS ring.

Note: If some of the devices in an EAPS domain are missing from Ridgeline's inventory database, those devices do not appear in the EAPS map view, and the EAPS domain status may not correctly reflect the status of the entire domain. Additionally, it may be difficult to troubleshoot domain operational problems that occur within nodes or links that do not appear on the map. Therefore, it is strongly recommended that you add all the nodes in your EAPS configuration to your Ridgeline inventory database.

The combination of the Control VLAN tag and the VLAN network name identifies an EAPS domain. Thus, two EAPS domains that share the same Control VLAN tag but have different VLAN network names are two different EAPS domains.

For additional map information, see:
- EAPS node icons.
- Link status.

EAPS Node Icons

EAPS status appears on the map through icons for each device node. The following figure shows the kinds of icons that can appear on an EAPS node.


Figure 136: Icons on an EAPS Node

An EAPS node on a map has the following icons:

- EAPS Node Status: For an EAPS node, the status display shows whether the device is a Master node (M) or Transit node (T) within the EAPS domain. Note that if a node is unreachable, the EAPS node status will reflect the last known node status; thus a node that is unreachable may still display Master or Transit node status as green.
  For a Master node:
  - Green M indicates the domain is complete (all links are up and forwarding).
  - Yellow M indicates the domain is in a transient or start-up state, or in an unknown state (as when the device is SNMP unreachable).
  - Red M indicates the status is failed.
  For a Transit node:
  - Green T means both ring ports are up and forwarding.
  - Yellow T means a ring port is up but blocked.
  - Red T means that one or both ring ports are down.
- Node Alarm Status (shown for all devices): If alarms have occurred on the node and have not yet been acknowledged, the highest severity alarm is indicated with the small bell symbol. The color indicates the severity of the alarm:
  - Green bell is a Normal alarm.
  - Yellow bell is a Warning.
  - Light-yellow bell indicates a Minor alarm.
  - Orange bell indicates a Major alarm.
  - Red bell indicates a Critical alarm.
- EAPS Domain Status: A ring below the EAPS node status icon shows that the device is configured for EAPS, and also indicates the state of the EAPS domain of which the device is a member.


  - Green ring indicates that the domain in which this device participates is fully operational.
  - Yellow ring indicates that the domain is not fully operational, but is in a transitional state or an unknown state (as when the device is SNMP unreachable).
  - Red ring indicates that the domain is not operational (if the device has a master in a Failed state, or a Transit node in a links down state).
  - Grey ring indicates that the EAPS domain is disabled.

The following figure shows two examples of nodes that are members of EAPS domains:
- Node 1 status shows that the device is reachable, that it functions as a Master node (whose status is Complete) in the domain of which it is a member, and the domain of which it is a member is operational. The device also has generated at least one unacknowledged Major alarm.
- Node 2 status shows that the device is currently unreachable; no alarms have been detected, and the EAPS domain of which it is a member is in a transitional state. It is a Transit node, and its last status indicated that its ring ports were up and forwarding.

Figure 137: Examples of EAPS Nodes Showing Status

Link Status

Links between devices may be single links (a connection exists between only one port on each device) or bundled links (connections exist between multiple ports on each of the devices). Single links are shown as a single line. Bundled links are shown with a small box within the link.
- Green line indicates that the link is up.
- Red line indicates that the link is down.
- Yellow line for a bundled link indicates that some links are down and some are up.
- Grey line indicates that the link status is unknown.
- Blue line indicates the link is user-created rather than automatically discovered by Ridgeline.

An icon showing two lines and a circle indicates the status of a shared link:
- Green indicates that the link is up.
- Greyed-out green indicates that the last-known status of the link was up.
- Red indicates that the link is down.


- Greyed-out red indicates that the last-known status of the link was down.
- Yellow indicates that some ports on this link are up and that some are down.

When the map is zoomed in sufficiently, the port endpoints automatically appear for each link.

Displaying EAPS Domain Details


To display details about an EAPS domain, click on the domain's row in the EAPS table. Information about the EAPS domain appears in the details window. If you click the row, the detail information appears in the lower pane of the main window. If you double-click the row, the EAPS domain details appear in a separate window, as shown below.

Figure 138: EAPS Domain Details Window

The following information appears about the EAPS domain:
Name: The name of the EAPS domain.
Status: Status of the EAPS domain: Can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Last Updated: When information about the EAPS domain was last updated in the Ridgeline database.

The following information appears about the Control VLAN in the EAPS domain:
Tag: VLAN tag (ID) of the EAPS control VLAN.
Name: The configured name of the EAPS control VLAN.
Network: The Network name of the EAPS control VLAN, if one has been assigned. For more information about network names, see Categorizing VLANs With Network Names.
Type: The VLAN type. For an EAPS control VLAN, this is VLAN.

There are four tabs displaying the following information:


- Devices
- Ports
- Links
- Protected VLANs

Devices Tab
When you click the Devices tab, the following information appears:
Status/Mode: Whether the node acts as a Master (M) or Transit (T) node for this domain, and the status of the domain.
  For a Master node:
  - Green M indicates the domain is complete (all links are up and forwarding).
  - Yellow M indicates the domain is in a transient or startup state, or in an unknown state (as when the device is SNMP unreachable).
  - Red M indicates the status is failed.
  For a Transit node:
  - Green T means both ring ports are up and forwarding.
  - Yellow T means a ring port is up but blocked.
  - Red T means that one or both ring ports are down.
Name: The name of the device, along with an icon indicating the device status.
IP address: The IP address of the device.
Primary Port: Primary port number.
Secondary Port: Secondary port number.
Device Enabled: Whether this node is enabled as an EAPS node.
Fast Convergence: Whether the device is enabled for fast convergence. In EAPS fast convergence mode, the link filters on EAPS ring ports are turned off. In this case, an instant notification is sent to the EAPS process if a port's state transitions from up to down or vice-versa.
Hello Timer: The interval at which the EAPS master polls to check the status of its EAPS member nodes.
Failed Timer: The interval after a failure is detected before the Failed Timer expires.
Failed Timer Action: Action to be taken when Failed Timer expires.
Domain Status: Status of the node: Can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Device Mode: Whether the node acts as a Master or Transit node for this domain.
Device Type: The model number of the Extreme switch.
Member Of: The device groups that the member belongs to.

The following additional information appears:
- Domain Related Details.
- Device-specific protected VLANs.


Domain Related Details

The Devices tab shows the following information related to the EAPS domain in the lower left corner:
Domain Node Name: The name of the node given to the device as a member of a domain.
Control VLAN Name: Name of the control VLAN.
Control VLAN Tag: VLAN tag (ID) of the EAPS control VLAN.
Control VLAN Network: The network name of the control VLAN, if one is configured. For information about how to create a network name and assign it to a VLAN, see Categorizing VLANs With Network Names.
Primary Port Status: Status of the primary port: Up, Down, Blocked, or Unknown.
Secondary Port status: Status of the secondary port: Up, Down, Blocked, or Unknown.

Device-specific Protected VLANs

The following information appears in the bottom table about the VLANs that are protected by the EAPS domain on the selected device.
Tag: VLAN tag (ID) of the EAPS protected VLAN.
VLAN Name: Name of the protected VLAN.

Ports Tab
When you click the Ports tab, the following information appears:
Shared: Whether this is a shared port.
Display: The port number on the Master or Transit node.
Device Mode: Whether the device is a Master or Transit node.
Mode: Whether the port is a Primary or Secondary port.
Status in Domain
Shared-Port Link ID: An integer configured on the switch for the shared port.
Neighbor-Port Status: Status of the neighboring node: Down, Up, Error.
Root Blocker Status: The port's status as a root blocker (None or Active).
Shared-Port Status: Status of the shared port: Idle, Ready, Blocking, Preforwarding.
Expiry Action: Action to be taken when the fail timer expires. This applies only to master nodes.
  - Send-alert: Sends a critical message to the syslog when the failtimer expires.
  - Open-secondary-port: Opens the secondary port when the failtimer expires.
Segment Health Interval: The interval at which health check PDUs are sent out each segment port.
Segment Timeout: Time in seconds after which the segment fail timer expires, the fail flag is set, and expiry action is taken.


Link State: State of the common link.
Device Name: The name of the device, along with an icon indicating the device status.
Device IP address: The IP address of the device.
Shared-Port Mode: Whether the node acts as a Controller or a Partner node for this shared link.
Port Type: Port type; for example, Gigabit, Management, 10/100.
Device Type: The model number of the Extreme switch.
Name: The name of the port, if configured.

Additionally, information appears about the sharing domains (see Sharing Domains Table).

Sharing Domains Table

On the Ports tab, for shared ports, Ridgeline displays the following information about the EAPS domains shared on the port:
Name: Name of the EAPS domain.
Status: Status of the EAPS domain: Can be Idle, Complete, Failed, Links Up, Links Down, Preforwarding, Init, Precomplete, PreInit, or Unknown.
Other Ports in Domain: For the selected port, other end domain port participating in the sharing domain.

Links Tab
When you click the Links tab, the following information appears:
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Number/Annotation: The number of the port on the A side of the link.
Status: A line indicating the status of the link:
  - A green line indicates that the link is up.
  - A red line indicates that the link is down.
  - A yellow line for a bundled link indicates that some links are down and some are up.
  - A grey line indicates that the link status is unknown.
  - A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
  An icon showing two lines and a circle indicates the status of a shared link:
  - Green indicates that the link is up.
  - Greyed-out green indicates that the last-known status of the link was up.
  - Red indicates that the link is down.
  - Greyed-out red indicates that the last-known status of the link was down.
  - Yellow indicates that some ports on this link are up and that some are down.


B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B port Number/Annotation: The number of the port on the B side of the link.
A Port Type: The type of port on the A side of the link.
B Port Type: The type of port on the B side of the link.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
A Device Status: The current status of the device on the A side of the link.
A Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
A Port Status: Whether the port on the A side of the link is enabled or disabled.
A Port Share Details: Information about the port sharing configuration on the A side of the link, if configured.
B Device Status: The current status of the device on the B side of the link.
B Link State: Whether the B side of the link is ready to exchange traffic with the A side of the link.
B Port Status: Whether the port on the B side of the link is enabled or disabled.
B Port Share Details: Information about the port sharing configuration on the B side of the link, if configured.
Type: The link type; for example, user-created.
Name: A description of the link in this format: <A device name> <A IP addr> p <port> <B device name> <B IP addr> p <port>

Additionally, the Links tab shows information about the sharing domains in the bottom table (see Sharing Domains Table on page 204).

Sharing Domains Table

If a link is shared among EAPS domains, Ridgeline displays the following information about the EAPS domains shared on the link in the bottom table of the Links tab:
Name: The name of the EAPS domain shared on selected link.
Control VLAN Tag: The tag value of the control VLAN for the EAPS domain shared on selected link.
Control VLAN Network Name: The network name of the control VLAN, if one is configured. For information about how to create a network name and assign it to a VLAN, see Categorizing VLANs With Network Names.

Protected VLANs Tab


When you click the Protected VLANs tab, the following information appears:


Tag: VLAN tag (ID) of the protected VLAN.
Name: The configured name of the protected VLAN.
Network: The Network Name of the protected VLAN, if one has been assigned. For more information about creating and assigning network names, see Categorizing VLANs With Network Names.
Type: The VLAN type, either VLAN or VMAN.
Domain Node Count: The number of nodes in the domain.

Displaying EAPS Details for a Selected Device


For information about displaying EAPS information for an individual device, see Displaying Device Details.

Verifying EAPS Information


Ridgeline lets you verify the EAPS configurations in your network, and provides a report that shows where configuration errors are found.

To verify the EAPS configurations in your network:
1 In the navigation pane, click Main View or the desired device group.
2 Click the EAPS tab.


3 Click Verify EAPS Domains. The EAPS Verification Results dialog box, shown below, appears. Depending on the size of your network and your EAPS configurations, this can take as long as 15 minutes.

Figure 139: EAPS Verification Results Dialog Box

The following information appears:
Type: The type of error. See the following table for a list of errors that the EAPS verification process may report.
Severity: The severity level of the error: Error, Warning, or Information.
Source: The element that was the source of the error.
Description: A more detailed description of the error.

If errors are reported, you can log into the affected device(s) to correct the problems. Once you have corrected any reported errors, you should run the verification again to ensure that the configuration is correct.

- Click Refresh to re-run the verification process.
- Click Save to save the verification results to a file.

The following table lists the error types that may be reported by the EAPS verification process:

Table 6: EAPS Verification Error Types

No Master Node
Multiple Master Nodes
Disabled EAPS Node
Control VLAN not in QP3
Unprotected Shared Link
Duplicate Link ID
Domain List Mismatch
Link ID Not Configured
Control VLAN Misconfigured
Missing Control VLAN
Missing Primary Domain Port
Missing Secondary Domain Port
Mismatched Domain Ports
Incomplete VLAN Protection
Inconsistent Control VLAN Naming
Missing Link ID
Mismatched Link ID
Misconfigured Shared Port Mode
Shared Port Not Created
No Physical Link
Shared Port Not Configured
Protected VLAN Misconfigured
Shared Port Misconfigured
Controller Misconfigured

Running EAPS Reports


You can run the following reports to produce information about the EAPS domains known to Ridgeline:
- EAPS Summary Report, which provides a brief overview of the status of the EAPS domains (see EAPS Summary Report on page 207).
- EAPS log report, which shows the EAPS traps and EAPS-related syslog entries that have occurred for a specified device (see EAPS Log Reports on page 208).

EAPS Summary Report


The EAPS Summary Report provides a brief overview of the status of the EAPS domains known to Ridgeline. To run the EAPS Summary Report, on the EAPS tab, click EAPS Summary Report. The report shows:
- The total number of EAPS domains known to Ridgeline.
- The number of domains currently in an error state.
- The number of domain failures that have occurred in the last 24 hours.

Figure 140: The EAPS Summary Report


The report can also be run from within Ridgeline's Reports feature (see EAPS Summary).

EAPS Log Reports


The EAPS log report shows the EAPS traps and EAPS-related syslog entries that have occurred for a specified device. Once you run the report, you can filter it further based on the following:
- The IP address (must be exact, wildcards are not supported).
- The type of event (trap or syslog entries): you can enter any keywords that may appear under the Type column as part of the description of the trap or syslog entry.
- Specific varbinds (enter a keyword that matches the varbind you want to find, such as extremeEapsLastStatusChange).
- Events that occurred within a certain time frame.

To run the EAPS Log Report, in the navigation pane, click Reports. The reports welcome page opens in your default browser. Click EAPS > EAPS Log. The EAPS Log Report appears.

Figure 141: EAPS Log Report

The EAPS Log report displays the following information:
Time: Time the event occurred, expressed in the local time zone of the Ridgeline server.
Source: IP address of the device and port number (if applicable) that generated the event.
Type: Event type (SNMP trap or syslog, including description).
Varbinds: Variable data transmitted with a trap, as appropriate.


13 Managing PBB Networks with Ridgeline

PBB Overview
Configuring BVLANs
Viewing PBB Information
Displaying PBB Details

This chapter describes how you can use Ridgeline to configure and monitor Provider Backbone Bridge (PBB) networks. PBB networks are a way to transport traffic from multiple customer VMANs over a single backbone network.

PBB Overview
Virtual metropolitan area networks (VMANs) allow metropolitan area network (MAN) service providers to carry VLAN traffic from multiple customers across a common Ethernet network, known as a provider bridge network. The provider bridge network uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic.

A Provider Backbone Bridge (PBB) network enables VMAN transport over the Internet. PBB is defined by the IEEE 802.1ah Backbone Bridge standard, which is an amendment to the IEEE 802.1Q VLAN standard. This standard allows Internet Service Providers (ISPs) to use Ethernet to create a separate backbone over which the subscribers' frames are transported. In a PBB network, data from multiple subscriber networks travels over a common ISP backbone, with traffic from the individual subscriber networks completely separate from each other.

The following figure shows a PBB network, which spans a set of ISP switches that serve as Provider Backbone Bridges (PBBs).


Figure 142: PBB Network

You can view a PBB network as a Layer 2 network that supports VMAN traffic. The entry points to a PBB network are the access ports on the PBB network edge switches. These ports are designed to receive and transmit VMAN traffic. VMAN traffic that is addressed to locations at other PBB network access points enters a PBB network access port, is switched through the PBB network, and exits at a PBB network access port. If you do not configure any frame manipulation options, the frames that exit the PBB network are identical to the frames that entered the PBB network.

SVLANs, BVLANs, CVLANs and ISIDs


In a PBB network, a Service VLAN (SVLAN) is configured on each PBB network access port, and a Backbone VLAN (BVLAN) is configured on each network port. The SVLAN is bound to the BVLAN, establishing the connection between the PBB network access ports and the PBB network ports that establish the BVLAN. Traffic from Customer VLANs (CVLANs) is encapsulated with an SVLAN tag and travels through the PBB network, and the SVLAN tag is removed as it exits the service provider's network.

An Extended Service ID (ISID) is a method for binding one or more SVLANs to a BVLAN. When configuring a PBB network, you can create an ISID and an SVLAN, then associate the SVLAN with the ISID, then bind the ISID to the BVLAN. A given BVLAN can have one or more ISIDs bound to it; an ISID can be bound to only one BVLAN. A given SVLAN can be associated with multiple ISID/BVLAN combinations. On a given device, an SVLAN or CVLAN can be associated with one ISID.

Typically, each SVLAN supports VMANs for a different service provider or service instance, with the different VMANs completely separate from each other. Within a PBB network, the VMANs remain untouched. The PBB network functions as a pure Layer 2 network that is transparent to users.
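The binding rules above (an ISID belongs to only one BVLAN; on a given device an SVLAN or CVLAN maps to one ISID) can be checked offline against a list of configured associations. The following Python code is an added example, not Ridgeline or ExtremeXOS code; the `Binding` record layout and every device, VLAN and ISID value in it are constructed for illustration, and it reads the per-device rule as "one ISID per (device, SVLAN) pair".

```python
from collections import defaultdict
from typing import NamedTuple


class Binding(NamedTuple):
    """One SVLAN/CVLAN -> ISID -> BVLAN association as configured on one device.

    Hypothetical record layout, assumed for this example only.
    """
    device: str
    svlan: str
    isid: int
    bvlan: str


def check_pbb_bindings(bindings):
    """Return violations of the binding rules as sorted (rule, detail) tuples.

    Rules checked (from the text above):
      isid-multi-bvlan  an ISID can be bound to only one BVLAN
      svlan-multi-isid  on a given device, an SVLAN or CVLAN can be
                        associated with one ISID
    """
    bvlans_by_isid = defaultdict(set)
    isids_by_device_svlan = defaultdict(set)
    for b in bindings:
        bvlans_by_isid[b.isid].add(b.bvlan)
        isids_by_device_svlan[(b.device, b.svlan)].add(b.isid)

    violations = []
    for isid, bvlans in bvlans_by_isid.items():
        if len(bvlans) > 1:
            violations.append(
                ("isid-multi-bvlan", f"ISID {isid} -> {', '.join(sorted(bvlans))}")
            )
    for (device, svlan), isids in isids_by_device_svlan.items():
        if len(isids) > 1:
            joined = ", ".join(str(i) for i in sorted(isids))
            violations.append(
                ("svlan-multi-isid", f"{device}/{svlan} -> ISIDs {joined}")
            )
    return sorted(violations)


def isids_per_bvlan(bindings):
    """Map each BVLAN to the sorted ISIDs bound to it (one or more is allowed)."""
    result = defaultdict(set)
    for b in bindings:
        result[b.bvlan].add(b.isid)
    return {bvlan: sorted(isids) for bvlan, isids in result.items()}


# Constructed sample data: all names and numbers below are made up.
SAMPLE = [
    Binding("edge-1", "svlan-red", 100, "bvlan-core"),
    Binding("edge-2", "svlan-red", 200, "bvlan-core"),     # same SVLAN on another device: allowed
    Binding("edge-1", "svlan-blue", 300, "bvlan-core"),    # several ISIDs on one BVLAN: allowed
    Binding("edge-3", "svlan-blue", 300, "bvlan-metro"),   # ISID 300 now bound to two BVLANs
    Binding("edge-2", "svlan-green", 400, "bvlan-metro"),
    Binding("edge-2", "svlan-green", 500, "bvlan-metro"),  # two ISIDs for one SVLAN on edge-2
]

if __name__ == "__main__":
    for rule, detail in check_pbb_bindings(SAMPLE):
        print(f"{rule}: {detail}")
```
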


VMAN frames (802.1ad format) enter the PBB network through a PBB network access port. The PBB network access port also accepts VLAN frames. To switch the frame through the PBB network, the switch encapsulates the VMAN frame in an 802.1ah frame.

Ridgeline can manage and monitor PBB networks by:
- Configuring BVLANs on managed Extreme Networks devices.
- Discovering information about a PBB network, including which devices are part of BVLANs and SVLANs, the relationship between the BVLANs and SVLANs, and I-tag and S-tag mapping.
- Displaying the components of a PBB network (ISIDs, BVLANs, SVLANs, and CVLANs) in Ridgeline Network Views.

Configuring BVLANs
Ridgeline's PBB provisioning feature allows you to:
- Create BVLANs.
- Edit BVLANs.
- Delete BVLANs.

Creating BVLANs
To create a BVLAN:
1 In the navigation pane, click Main View.
2 Click the PBB tab.
3 Click New > BVLAN. The Create BVLAN dialog box appears (see the following figure).

Figure 143: BVLAN Provisioning Dialog Box

You can provision BVLANs only on BlackDiamond 20800 series switches running ExtremeXOS 12.4 or later. Devices that do not support BVLANs are unavailable in the dialog box.

4 Type a name for the BVLAN in the Name box.
5 If you are creating a tagged BVLAN, in Tag, click the numbered list, and then select a numeric value (1-4095) for the BVLAN identifier.
6 In the Available Device table, click + next to a device to view its ports. For each port or link you want to add to the BVLAN, select the port by clicking its check box, and then click Add. When the BVLAN is created, the port is added to it, and removed from the default BVLAN if it was added as untagged.
7 When you have finished configuring the BVLAN, click OK to start the validation and deployment process. The Progress and Results dialog box appears (see the following figure).

Figure 144: Progress and Results Dialog for BVLAN

1 Verifying connectivity to the selected device(s)
2 Deploying the commands on the device
3 Updating the device information in the database
4 Validating command syntax and checking software compatibility
5 The validation rules or commands entered on the device for the selected task. Click to expand or collapse the right pane with Creating selected.

Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a software version that supports the features that you are provisioning. Ridgeline also verifies that tagged ports in SVLANs and CVLANs have not been added to the BVLAN being created.

The following validations are performed:
- The name length is not longer than 32 characters.
- The name consists of only alphanumeric characters. No special characters such as # or & are allowed.
- The tag range is from 1 to 4095.
- The tag is not present on the selected device.
- The name is not present on the selected device.
- Port tag values are valid.

The information in the Progress and Results dialog box is logged in the Ridgeline Audit Log. See Viewing Logged Information about Provisioning Tasks for more information.

If Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, and then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.
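The validation rules listed above can be expressed as a pre-check run against an inventory snapshot before a change request is submitted. This is an added example, not Ridgeline code: the data model, the device name `sw-a`, and the reading of "port tag values are valid" as "within 1 to 4095" are assumptions.

```python
"""Pre-check that mirrors the BVLAN validation rules listed above.
Illustrative only: the data model is hypothetical, not Ridgeline's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_NAME_LEN = 32
TAG_MIN, TAG_MAX = 1, 4095


@dataclass
class DeviceState:
    """Constructed snapshot of what already exists on one target switch."""
    vlan_names: Set[str] = field(default_factory=set)
    vlan_tags: Set[int] = field(default_factory=set)
    # Ports that are tagged members of an SVLAN or CVLAN on this switch.
    svlan_cvlan_tagged_ports: Set[str] = field(default_factory=set)


@dataclass
class BvlanRequest:
    name: str
    tag: Optional[int]  # None means an untagged BVLAN
    # device name -> {port: tag used on that port, or None if untagged}
    ports: Dict[str, Dict[str, Optional[int]]] = field(default_factory=dict)


def tag_in_range(tag) -> bool:
    # bool is a subclass of int; reject it so True is not read as tag 1.
    return (isinstance(tag, int) and not isinstance(tag, bool)
            and TAG_MIN <= tag <= TAG_MAX)


def validate_bvlan(req: BvlanRequest,
                   inventory: Dict[str, DeviceState]) -> List[str]:
    """Return every rule violation found; an empty list means valid."""
    errors = []
    if len(req.name) > MAX_NAME_LEN:
        errors.append(f"name longer than {MAX_NAME_LEN} characters")
    # isascii() keeps non-ASCII letters from passing isalnum().
    if not (req.name.isascii() and req.name.isalnum()):
        errors.append("name must contain only alphanumeric characters")
    if req.tag is not None and not tag_in_range(req.tag):
        errors.append(f"tag {req.tag} outside {TAG_MIN}-{TAG_MAX}")

    for device, ports in req.ports.items():
        state = inventory.get(device)
        if state is None:
            errors.append(f"{device}: not in inventory")
            continue
        if req.name in state.vlan_names:
            errors.append(f"{device}: name {req.name!r} already present")
        if req.tag is not None and req.tag in state.vlan_tags:
            errors.append(f"{device}: tag {req.tag} already present")
        for port, port_tag in sorted(ports.items()):
            # Assumption: a valid port tag is one inside the VLAN tag range.
            if port_tag is not None and not tag_in_range(port_tag):
                errors.append(f"{device} port {port}: invalid port tag {port_tag}")
            if port in state.svlan_cvlan_tagged_ports:
                errors.append(f"{device} port {port}: tagged in an SVLAN/CVLAN")
    return errors


# Constructed sample inventory and requests.
INVENTORY = {"sw-a": DeviceState({"Default", "bv100"}, {1, 100}, {"2:4"})}
GOOD = BvlanRequest("bv200", 200, {"sw-a": {"2:1": 200, "2:2": None}})
BAD = BvlanRequest("bv#100", 100, {"sw-a": {"2:4": 5000}})

if __name__ == "__main__":
    print(validate_bvlan(GOOD, INVENTORY) or "GOOD: ok")
    for err in validate_bvlan(BAD, INVENTORY):
        print("BAD:", err)
```

Collecting all violations instead of stopping at the first gives the operator one complete report per request, which is also the form that is easiest to compare with the Audit Log entry afterwards.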

Modifying BVLANs
For a BVLAN, you can edit the list of ports or links in the BVLAN, as well as the name and network name of the BVLAN (although not the tag value). You can also delete the BVLAN from the devices where it is configured (see Deleting BVLANs on page 216).

To modify a BVLAN:
1 In the main navigation pane, click Main View.
2 Click the PBB tab.
3 In the table, select the BVLAN that you want to modify by clicking its check box.
4 To edit the name or network name, click Edit Name or Edit Network Name. Make the needed changes, and then click OK.
5 To edit the ports, click Edit Ports. The BVLAN Edit Ports dialog box appears (see the following figure).

Figure 145: BVLAN Edit Ports Dialog Box

6 To add and remove ports:
  - To add ports, select the ports under Available Devices by clicking their check boxes, and then click Add. The added ports appear under Selected Ports.
  - To remove ports, select the ports under Selected Ports by clicking their check boxes, and then click Remove. The removed ports appear under Available Devices.
  Note: To select all of the ports for a device, click the check box for the device. To select individual ports, click the plus sign (+) next to a device to view its ports.
7 Click OK. The BVLANs Progress and Results dialog box appears (see the following figure).

Figure 146: BVLANs Progress and Results Dialog Box

Deleting BVLANs
You can only delete a single BVLAN at a time; multiple BVLANs cannot be deleted at the same time. and control BVLANs cannot be deleted. You can delete protected BVLANs.

To delete a BVLAN:
1 In the navigation pane, click Main View.
2 Click the PBB tab.
3 Select the BVLAN that you want to delete by clicking its check box.
4 Click Delete.
5 When prompted, confirm the deletion.

When you delete a VLAN, the software verifies that the services in the VLAN are not being used as transport services in an E-Line or E-LAN service.

Viewing PBB Information


To view information about PBB networks known to Ridgeline, in the navigation pane, click Main View or a desired device group, and then click the PBB tab. A table listing the ISIDs, BVLANs, CVLANs, and SVLANs in the group appears (see the following figure).


Figure 147: PBB Tab

The PBB tab displays the following information. You can filter the contents of the table by typing keywords in the search box or by clicking Quick Filter and selecting available quick filters.

Type: The type of component in the PBB network, along with an icon indicating the PBB component type. In the Map View, the icons indicate the component is configured on the highlighted device. The icon can be one of the following:
  - Extended Service ID (ISID)
  - Backbone VLAN (BVLAN)
  - Protected BVLAN; that is, a BVLAN protected by an EAPS ring
  - Customer VLAN (CVLAN)
  - Subscriber VLAN (SVLAN)
Tag: The configured tag value for the BVLAN/CVLAN/SVLAN; N/A for ISIDs.
ISID: The tag value of the ISID that the PBB is associated with or bound to.
Name: The name of the BVLAN/CVLAN/SVLAN or ISID.
BVLAN Network: The network name category (if any) that this BVLAN/CVLAN/SVLAN belongs to. You can assign a network name to a BVLAN. When a network name is assigned to a BVLAN, the SVLANs, CVLANs, and ISIDs associated with the BVLAN are automatically assigned the same network name. See Categorizing VLANs With Network Names for more information.
Last Updated: Date and time that the information about the PBB component was last retrieved from the Ridgeline database.


You can select a row in the table and display an overlay view highlighting all of the devices and links in the map where the selected BVLAN, CVLAN, or SVLAN is configured (see the following figure). ISIDs are not shown in the overlay view.

Figure 148: Displaying PBB Components in a Map View

Note: To view PBB information from an Extreme Networks switch, enable HTTP or HTTPS on the switch.

Displaying PBB Details


To display details about a BVLAN, CVLAN, SVLAN (see BVLAN, CVLAN, and SVLAN Details on page 218), or ISID (see ISID Details on page 222), click a row in the table on the PBB tab. Information about the selected item appears in the details window. If you double-click a row, the details appear in a separate window.

BVLAN, CVLAN, and SVLAN Details


On the PBB tab, for BVLANs, CVLANs, and SVLANs, double-clicking a row opens the PBB Details Window (see the following figure).


Figure 149: PBB Details Window

The PBB Details window shows the following information:

Tag: The configured tag value for the PBB VLAN, along with an icon indicating the PBB component type. The icon can be one of the following:
  - Backbone VLAN (BVLAN).
  - Customer VLAN (CVLAN).
  - Subscriber VLAN (SVLAN).
Name: The name of the BVLAN, CVLAN, or SVLAN.
ISID: The tag value of the ISID that the PBB is associated with or bound to.
BVLAN Network: The network name category (if any) that this BVLAN/CVLAN/SVLAN belongs to. You can assign a network name to a BVLAN. When a network name is assigned to a BVLAN, the SVLANs and CVLANs associated with the BVLAN are automatically assigned the same network name. To assign a network name to a BVLAN, select VLAN Network Name from the Tools menu. (This option is not available for SVLANs and CVLANs.) See Categorizing VLANs With Network Names for more information.
Type: The PBB component type: BVLAN, CVLAN, or SVLAN.
Last Updated: Date and time that the information about the PBB component was last retrieved from the Ridgeline database.
EAPS Protection: The BVLAN is protected by EAPS.

Additionally, the PBB Details window displays the following tabs:
- Devices/Ports tab
- Links tab
- Ports tab
- VLANs and ISIDs tab

Devices/Ports Tab

When you click the Device tab, the following information appears:

Name: The name of the device where the BVLAN, CVLAN, or SVLAN is configured.
IP Address: The IP address of the device.
SNMP Status: Whether the device is responsive to SNMP.
Device Type: The type of Extreme Networks switch.
Last Updated: Date and time that the information about the device was last retrieved from the Ridgeline database.

Links Tab

When you click the Links tab, the following information appears about the links that make up the PBB component:

Status: A line indicating the status of the link:
  - Green line: link is up.
  - Red line: link is down.
  - Yellow line for a bundled link: some links are down and some are up.
  - Grey line: link status is unknown.
  - Blue line: link is user-created rather than automatically discovered by Ridgeline.
  An icon showing a circle and two lines (shared link):
  - Green: link is up.
  - Greyed-out green: last-known status of the link was up.
  - Red line: link is down.
  - Greyed-out red: last known state was down.
  - Yellow: some ports on this link are up and some are down.
A Device: The name of the device on one end (the A side) of the link, along with an icon indicating the device status.
A IP Address: The IP address of the device on the A side of the link.
A Port Name: The name of the port on the A side of the link, along with an icon indicating the port status.
A Port Number/Annotation: The number of the port on the A side of the link.
B Device: The name of the device on the other end (the B side) of the link, along with an icon indicating the device status.
B IP Address: The IP address of the device on the B side of the link.
B Port Name: The name of the port on the B side of the link, along with an icon indicating the port status.
B Port Number/Annotation: The number of the port on the B side of the link.
Discovery Protocol: The protocol used to discover the link, either EDP or LLDP.
State: The current state of the link.
Type: The link type; for example, user-created.
A Device Status: The current status of the device on the A side of the link.
A Device Worst Alarm: The status of the highest alarm on the device on the A side of the link.
A Port Status: Whether the port on the A side of the link is enabled or disabled.
A Link State: Whether the A side of the link is ready to exchange traffic with the B side of the link.
A Port Type: The type of port on the A side of the link.
A Port Share Details: Information about the port sharing configuration on the A side of the link, if configured.
B Device Status: The current status of the device on the B side of the link.
B Device Worst Alarm: The status of the highest alarm on the device on the B side of the link.
B Port Status: Whether the port on the B side of the link is enabled or disabled.
B Link State: Whether the B side of the link is ready to exchange traffic with the A side of the link.
B Port Type: The type of port on the B side of the link.
B Port Share Details: Information about the port sharing configuration on the B side of the link, if configured.
Name: A description of the link in this format: <A device name> <A IP addr> p <port> <B device name> <B IP addr> p <port>.

Ports Tab

When you click the Port tab, Ridgeline displays information about the ports on the selected device, where the selected BVLAN, SVLAN, or CVLAN is configured. The following information appears:
Display Name Type The port number on the device where the BVLAN, CVLAN, or SVLAN is configured. The name of the port, if configured. The speed of the port.

VLANs and ISIDs Tab

The VLANs and ISIDs tab displays information about the relationship between the BVLAN, SVLAN, or CVLAN and the ISID. For a BVLAN, the table displays information about the SVLAN/CVLAN and the ISID. For an SVLAN or CVLAN, the table displays information about the BVLAN and the ISID.

Type: The PBB component type: BVLAN, CVLAN, or SVLAN.
Tag: The configured tag value for the PBB component.
ISID: The tag value of the ISID that the PBB component is associated with or bound to.
Name: The name of the PBB component.
BVLAN Network: The network name category (if any) that this VLAN belongs to. For more information, see Categorizing VLANs With Network Names.
Last Updated: Date and time that the information about the PBB component was last retrieved from the Ridgeline database.

ISID Details
For ISIDs, the following window appears:

Figure 150: ISID Details Window

The ISID details window shows the following information:

ISID: The identifier of the ISID, along with an icon indicating this is an ISID.
Name: The configured name of the ISID.
Type: ISID.
Last Updated: Date and time that the information about the ISID was last retrieved from the Ridgeline database.
BVLAN network Name: The name of the BVLAN network.


Device Table

The Device table displays the following information about the devices where this ISID is configured:

Name: The name of the device where the ISID is configured.
IP Address: The IP address of the device.
SNMP Status: Whether the device is responsive to SNMP.
Device type: The type of Extreme Networks switch.
Last Updated: Date and time that the information about the device was last retrieved from the Ridgeline database.

VLANs Table

The VLANs table has the following information for the BVLANs and SVLANs bound to or associated with the ISID on the selected device:

Type: The PBB VLAN type: BVLAN or SVLAN, along with an icon indicating the type.
Tag: The configured tag value for the BVLAN or SVLAN.
ISID: The tag value of the ISIDs that the BVLAN or SVLAN is associated with or bound to.
Name: The name of the BVLAN or SVLAN.
Network: The network name category (if any) that this BVLAN or SVLAN belongs to.
Last Updated: Date and time that the information about the BVLAN or SVLAN was last retrieved from the Ridgeline database.


14 Managing and Monitoring VPLS Domains

Overview of VPLS
Viewing VPLS Information
Displaying VPLS Details
Running VPLS Configuration Scripts

This chapter describes how to use Ridgeline to view information about VPLS domains in your network and to configure VPLS domains using Ridgeline scripts.

Overview of VPLS
A Virtual Private LAN Service (VPLS) domain is a Layer 2 multipoint VPN that allows multiple sites to be connected in a single bridged domain over a provider-managed IP/MPLS network. VPLS enables service providers to offer Ethernet private line services that use a simple Layer 2 interface at the customer edge, and benefit from the resilience and scalability of an MPLS/IP core. All customer sites in a VPLS domain appear to be on the same LAN, regardless of their locations.

A VPLS-capable network consists of Customer Edge (CE) switches, Provider Edge (PE) switches, and a core MPLS network. MPLS pseudowire (PW) tunnels are logical connections between two label edge routers (LERs) over a label switched path (LSP). Layer 2 VPN domains are created by adding PWs to each peer LSR to build a fully meshed interconnected VPLS domain, as shown in the following figure.

Figure 151: Fully Meshed VPLS Domain (diagram labels: PE, VPLS Core, Core Pseudo Wires)

In a fully meshed VPLS domain, pseudowires must be established between all VPLS peers across the core. For each peer added to a VPLS domain, a PW is signaled that is used to carry traffic from the local LSR to the remote peer LSR. Flood traffic from the local service (broadcast, multicast, and unknown unicast packets) is replicated and forwarded across all PWs in the VPLS domain. Each peer receives one copy of the packet for delivery to its locally attached service. As MAC learning occurs on PWs, unicast packets to a known destination MAC address are forwarded to the peer over the PW from which the MAC address was learned.

For information about hierarchical VPLS, see Hierarchical VPLS (H-VPLS) on page 225. For information about VPLS support in Ridgeline, see VPLS Support in Ridgeline on page 226.

Hierarchical VPLS (H-VPLS)


For an overview of VPLS, see Overview of VPLS on page 224.

When MPLS is used at the edge of the network, a fully meshed VPLS domain becomes less practical, due to the number of PWs that must be configured between a large number of peers. A hierarchical VPLS (H-VPLS) network can improve network scalability by reducing the number of PWs that need to be configured between peers. In an H-VPLS domain, VPLS domains can be constructed hierarchically in a partial-mesh or hub-and-spoke configuration.

Within the context of H-VPLS, a spoke is a VPLS connection between two VPLS peers. Typically, one spoke node provides connectivity to the customer VLAN or customer service while its peer, a core node, provides repeater connectivity to other VPLS peers. H-VPLS introduces the concept of core and spoke PW types. In an interconnected fully meshed VPLS domain, all of the PWs are of the type core. In an H-VPLS domain, PWs at the fully meshed core of the network are of the type core, and PWs that connect peers at the edge of the network are of the type spoke.

The forwarding rules for spoke and core pseudowires are different. Flood traffic received on a core pseudowire from another full-mesh core PE must not be transmitted over other core pseudowires to other PEs. However, flood traffic received on a core pseudowire is transmitted on all spoke pseudowires in the VPLS domain. Unlike core pseudowires in a fully meshed VPLS, flood traffic received on a spoke pseudowire must be transmitted on all other pseudowires in the VPLS, including pseudowires to other core PEs. The following figure shows an example H-VPLS domain.

Figure 152: H-VPLS (Hub-and-Spoke) Network (diagram labels: MTU, PE, VPLS Core, Spoke Pseudo Wire, Core Pseudo Wire)

In a hierarchical VPLS domain, a spoke node (often a Multi-Tenant Unit, or MTU) is only required to establish a pseudowire to a single core PE. A VPLS core node that has multiple spoke pseudowires, but no configured core pseudowires is informally referred to as a hub. This results in a significant reduction in the number of pseudowires that need to be established and maintained. For example, a 10 core PE network with 50 MTU devices per core PE requires almost 260,000 pseudowires using a fully meshed VPLS design. A hierarchical VPLS design requires only 590 pseudowires.
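The core and spoke forwarding rules described in this section can be checked with a small model. This is an added example, not ExtremeXOS or Ridgeline code; the node names (`PE1`, `PE1-MTU1`) and the 3 PE by 2 MTU topology are constructed. It shows that the rules deliver exactly one copy of a flooded frame to every other node, and that dropping the core-to-core restriction makes the same frame circulate in the core mesh until the simulation's frame limit is reached.

```python
"""Flood replication in an H-VPLS domain under the core/spoke rules above.
Illustrative model only; node names and topology are constructed."""
from collections import Counter, deque

CORE, SPOKE = "core", "spoke"


def build_hvpls(core_pes, mtus_per_pe):
    """Return {node: {peer: pw_type}}: a full mesh of core PWs between
    the PEs, plus one spoke PW from each MTU to its single core PE."""
    pes = [f"PE{i}" for i in range(1, core_pes + 1)]
    pws = {pe: {other: CORE for other in pes if other != pe} for pe in pes}
    for pe in pes:
        for j in range(1, mtus_per_pe + 1):
            mtu = f"{pe}-MTU{j}"
            pws[pe][mtu] = SPOKE
            pws[mtu] = {pe: SPOKE}
    return pws


def egress_peers(pws, node, ingress_peer, core_split_horizon=True):
    """Peers to which `node` replicates a flooded frame.
    ingress_peer is None when the frame came from the local service."""
    ingress_type = pws[node][ingress_peer] if ingress_peer is not None else None
    out = []
    for peer, pw_type in pws[node].items():
        if peer == ingress_peer:
            continue  # never send a frame back on the PW it arrived on
        # Rule: flood traffic received on a core PW must not be sent on
        # other core PWs, but is still sent on all spoke PWs.
        if core_split_horizon and ingress_type == CORE and pw_type == CORE:
            continue
        # Frames from a spoke PW or the local service go to all other PWs.
        out.append(peer)
    return out


def flood(pws, source, core_split_horizon=True, max_frames=5000):
    """Flood one frame from the local service at `source`.
    Returns (copies received per node, True if frames were still
    circulating when max_frames was reached)."""
    copies = Counter()
    queue = deque((peer, source)
                  for peer in egress_peers(pws, source, None, core_split_horizon))
    frames = 0
    while queue and frames < max_frames:
        node, came_from = queue.popleft()
        frames += 1
        copies[node] += 1
        queue.extend((peer, node)
                     for peer in egress_peers(pws, node, came_from,
                                              core_split_horizon))
    return copies, bool(queue)


if __name__ == "__main__":
    domain = build_hvpls(core_pes=3, mtus_per_pe=2)
    for enforce in (True, False):
        copies, storm = flood(domain, "PE1-MTU1", core_split_horizon=enforce)
        print(f"core rule enforced={enforce}: nodes reached={len(copies)}, "
              f"max copies at one node={max(copies.values())}, "
              f"still circulating={storm}")
```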

VPLS Support in Ridgeline


Using Ridgeline, you can configure and monitor both fully meshed and hierarchical VPLS domains (see Hierarchical VPLS (H-VPLS) on page 225). Ridgeline queries managed devices, discovering their roles (if any) in VPLS domains. Information about discovered VPLS domains can be displayed in Main View, along with a visual representation of the role of each device in the network. In Ridgeline maps, you can display overlay views of LSPs, pseudowires (see Pseudowires Tab on page 230), and VPLS domains. Using Ridgeline scripts, you can configure VPLS domains and add peer devices to them.

Ridgeline provides detailed information about the status of the VPLS domain, its component services, peer devices, and pseudowires. You can show the outer transport path of a pseudowire in a VPLS domain, as well as the LSP in use by a pseudowire in a VPLS domain. You can select a device and show information about its peers in a given VPLS domain.

Note: For additional details about VPLS, see the ExtremeXOS Concepts Guide.


Viewing VPLS Information


To view information about VPLS domains discovered in Ridgeline, in the navigation pane, click Main View or a device group, and then click the VPLS tab. A table listing the VPLS domains in the group appears (see the following figure).

Figure 153: VPLS Table in Network Views

The VPLS table shows the following information. You can filter the contents of the table by typing keywords in the search box.

VPN ID: The name of the VPLS domain, along with an icon indicating its status:
  - VPLS domain is up.
  - VPLS domain is down.
  - Status of the VPLS domain is unknown.
Service Type: The service type configured for the VPLS domain: ethernet.
Last Refreshed: Date and time when the VPLS information was last updated.

For the selected VPLS domain, the map view shows an overlay view highlighting all of the devices and links in the map where the selected VPLS domain is configured (see the preceding figure).


When you select a VPLS domain from the table, all of the peer devices for the selected VPLS domain are highlighted in the map view. In the Pseudowires table (see Pseudowires Tab on page 230), Ridgeline displays information about the pseudowires in the VPLS domain. When you select a pseudowire from the table, Ridgeline highlights the LSP in use. The links and the end nodes of the LSP are highlighted in the map view.

Displaying VPLS Details


To display details about a VPLS domain, on the VPLS tab, click a VPLS domain's row in the VPLS table. Information about the VPLS domain appears in the lower pane. If you double-click the row, the VPLS details appear in a separate window (see the following figure).

Figure 154: VPLS Domain Details Window

The VPLS Domain details window shows the following information:

VPN ID: The name of the VPLS domain, along with an icon indicating its status:
  - VPLS domain is up.
  - VPLS domain is down.
  - VPLS domain status is unknown.
Name: The name of the VPLS domain.
Service Type: The service type configured for the VPLS domain: ethernet.
Service Name: The name of the service configured for the VPLS domain, if set.
Customer Sites: The number of Customer Edge (CE) devices in the VPLS domain.
Last Refreshed: Date and time when the VPLS information was last updated.

The VPLS Domain details window displays two tabs:
- Nodes
- Pseudowires

Nodes Tab
When you click the Nodes tab on the VPLS Domain Details window (see Displaying VPLS Details on page 228), the following information appears (see the following figure):

Figure 155: VPLS Domain Details Nodes Tab

Status: Current operational status of the VPLS peer. This can be Up, Down, or Other.
Node Address: IP address of the VPLS peer node.
Name: The name and current status of the device.
Device IP Address: The IP address of the device.
VPLS Name: The name of the VPLS domain.
Service Name: The name of the service configured for the VPLS domain, if set.
Number of Peers: The number of devices with a direct connection via a pseudowire. They do not have to be configured in the VPLS domain.
VPLS Operational Status: Once VPLS is enabled, the status of the VPLS domain. This can be Up, Down, or Other.
VPLS Admin Status: The administrative status of the VPLS domain. This can be Up, Down, or Testing. Testing means packets cannot be sent over the VPLS domain.
Dot1q Tag Option: Whether the dot1q tag option is included or excluded in this VPLS domain.
MTU: Maximum Transmission Unit over the VPLS domain.
SNMP Status: Whether the device is responsive over SNMP.
Device Type: Model type of the device.
Last Updated: When information about the device was last updated.

Pseudowires Tab
When you click the Pseudowires tab of the VPLS Domain Details window (see Displaying VPLS Details on page 228), the following information appears (see the following figure):

Figure 156: VPLS Domain Details Pseudowires Tab


Status: The current status of the pseudowire. This can be one of the following:
  - Up. The pseudowire is up.
  - Down. The pseudowire could be down if pseudowire signaling is not yet finished, or information available at the service level indicates that the pseudowire is not passing packets.
  - Lower layer down. One or more of the lower-layer interfaces responsible for running the underlying service is not in UP state.
  - Not present. Some component is missing to accomplish the setup of the pseudowire. This could be configuration error, incomplete configuration, or a missing hardware component.
  - Testing. The pseudowire is being tested.
  - Dormant. The pseudowire is not in a condition to pass packets, but is in a pending state, waiting for some external event.
A Node Address: The address of the node on one side of the pseudowire.
A Device Name: The name and current status of the device on one side of the pseudowire.
A IP Address: The IP address of the device on one side of the pseudowire.
B Node Address: The address of the node on the other side of the pseudowire.
B Device Name: The name and current status of the device on the other side of the pseudowire.
B IP Address: The IP address of the device on the other side of the pseudowire.
Mode: Usage of the pseudowire in the LSP. This can be one of the following: Core to core, Spoke to core, Core to spoke.

Displaying Pseudowire Details


If you double-click a pseudowire in the Pseudowire table on the VPLS tab (see Viewing VPLS Information on page 227), details about the selected pseudowire appear in a separate window (see the following figure).


Figure 157: Pseudowire Details Window - General Tab

The Pseudowire Details window displays three tabs:
- General tab (see General Tab on page 232)
- Configured LSP tab (see Configured LSP Tab on page 234)
- Path in Use tab (see Path in Use Tab on page 235)

General Tab

The General tab of the Pseudowire details window (see Displaying Pseudowire Details on page 231) has two sections, Pseudowire and VPLS service (see the following figure). The Pseudowire section shows the following information:

Figure 158: Pseudowire Details Window - General Tab

Status: The current status of the pseudowire. This can be one of the following:
  - Up. The pseudowire is up.
  - Down. The pseudowire could be down if pseudowire signaling is not yet finished, or information available at the service level indicates that the pseudowire is not passing packets.
  - Lower layer down. One or more of the lower-layer interfaces responsible for running the underlying service is not in UP state.
  - Not present. Some component is missing to accomplish the setup of the pseudowire. This could be configuration error, incomplete configuration, or a missing hardware component.
  - Testing. The pseudowire is being tested.
  - Dormant. The pseudowire is not in a condition to pass packets, but is in a pending state, waiting for some external event.
A node address: The address of the node on one side of the pseudowire.
A device name: The name and current status of the device on one side of the pseudowire.
A IP address: The IP address of the device on one side of the pseudowire.
B node address: The address of the node on the other side of the pseudowire.
B device name: The name and current status of the device on the other side of the pseudowire.
B IP address: The IP address of the device on the other side of the pseudowire.
Mode: Whether the pseudowire is part of a mesh (Core) or hierarchical (Spoke) VPLS domain.
Transport LSP: The signaling protocol in use for the transport LSP, either LDP, RSVP-TE, or unknown.
Config type: Whether the configuration for the pseudowire was done manually, or learned through Auto-discovery.
Rx label: The label applied at the ingress of the pseudowire.
Tx label: The label applied at the egress of the pseudowire.
Admin status: The administrative status of the pseudowire. This can be Up, Down, or Testing. Testing means packets cannot be sent over the pseudowire.
Local status: The status of the pseudowire on the local node. This can be: No faults, Not forwarding, Service inbound fault, Service outbound fault, Packet switch network inbound fault, or Packet switch network outbound fault.
PW Created time: Date and time the pseudowire was configured.
PW Up time: The amount of time the pseudowire has been operational.
Last refreshed: When information about the pseudowire was last updated.

The VPLS service section shows the following information:


VPN ID: A number identifying the VPLS domain.
Service Type: The service type configured for the VPLS domain: ethernet.
Customer Sites: The number of Customer Edge (CE) devices in the VPLS domain.

Configured LSP Tab

The Configured LSP tab of the Pseudowire details window (see Displaying Pseudowire Details on page 231) shows details about the transport LSP used with the pseudowire (see the following figure).

Figure 159: Pseudowires Details Window - Configured LSP Tab

The Configured LSP tab displays the following information.

Transport LSP: The signaling protocol in use for the transport LSP, either LDP or RSVP-TE.
LSP name: The configured name of the LSP.
Primary path name: The name of the primary path configured for this LSP.
Fast reroute: Whether fast reroute is enabled or disabled for the LSP.

If the signaling protocol is RSVP-TE and a path is indicated, then the following additional details appear about the primary and secondary paths:

Order: The hop order for the selected LSR in the path.
ERO IP address/net mask: The explicit route object IP address and network mask.
Type: The type of device that the LSR is.

Path in Use Tab The Path in Use tab of the Pseudowire details window (see Displaying Pseudowire Details on page 231) displays details about the labels and interfaces used for the currently selected path along the LSP (see the following figure).

Figure 160: Pseudowires Details WindowPath In Use Tab


Ingress label: The label applied to packets arriving at the LSR for this path.
Ingress interface: The interface on the LSR where packets arrive for this path.
Label Switch Router ID: The identifier for this LSR.
Next hop IP: IP address of the next hop in the LSP.
Egress label: The label applied to packets exiting at the LSR for this path.
Egress interface: The interface on the LSR where packets exit for this path.
Order: The hop order for the selected LSR in the path.

Running VPLS Configuration Scripts


Using Ridgeline, you can configure fully meshed and hierarchical (hub-and-spoke) networks (see Overview of VPLS on page 224). VPLS configuration tasks are performed using Ridgeline's scripting feature. Using Ridgeline scripts, you can:

- Create a VPLS domain (Create VPLS script)
- Associate peers with a VPLS domain (Associate VPLS Peers script)

To run a Ridgeline script, in the navigation pane, click Scripts to view the list of available scripts, and then select the script you want to run from the list. To easily find the two scripts listed above, type VPLS in the search box. For information about using Ridgeline scripts, see Creating a New Ridgeline Script on page 306 and Running a Script on page 310.


15 The Ridgeline Alarm Manager


Overview of the Ridgeline Alarm Manager
The Outstanding Alarms Tab
The Cleared Alarms and Events Tab
Defining Alarms
Defining Alarm Profiles

This chapter describes how to use the Ridgeline Alarm Manager to:

- View alarms that have occurred
- Define new alarms and modify current alarm definitions

Overview of the Ridgeline Alarm Manager


The Ridgeline Alarm Manager provides fault detection and alarm handling for the network devices monitored by Ridgeline. This includes Extreme Networks devices and some third-party devices.

The Alarm Manager provides a set of predefined, enabled alarms that immediately report conditions such as authentication or logon failures, device problems such as power supply or fan failures, reachability problems, or device reboots. The Alarm Manager also lets you define your own alarms that report errors under conditions you specify, such as repeated occurrences or exceeding threshold values. You can enable and disable individual alarms, and you can specify the actions to be taken when an alarm occurs, such as sending email, running a program, running a Ridgeline script, or sounding an audible alert.

Fault detection is based on Simple Network Management Protocol (SNMP) traps, syslog messages, and some limited polling. The Alarm Manager supports SNMP Management Information Base-2 (MIB-2), the Extreme Networks private MIB, and selected traps from other MIBs. For selected third-party devices that have been integrated into Ridgeline through its device integration framework, Ridgeline can support the full set of traps provided by the device. For other MIB-2 compatible devices, assuming they can be successfully added to Ridgeline's inventory database, Ridgeline supports just the basic MIB-2 traps.

Note: Ridgeline automatically configures Extreme Networks devices to send traps to the Ridgeline server when those devices are added to the Ridgeline Inventory database; this is not true for non-Extreme Networks devices. You must manually configure those devices to send traps to the Ridgeline server.

To receive syslog messages from a device, the device must be configured to use Ridgeline as a syslog receiver. This is true for both Extreme devices and non-Extreme devices.

Not all trap events are supported in older versions of the ExtremeWare software. For information on the switch software required for specific traps, see Event Types for Alarms.

The bottom of the Ridgeline screen shows a snapshot of the device alarms information:

Predefined Alarms
For convenience, the Ridgeline Alarm Manager provides a number of predefined alarms. For a list of predefined events, see Predefined Events on page 240. These alarms are enabled by default and are active as soon as the Ridgeline server starts up.

Two scalability-related alarms are generated when Ridgeline receives a flood of traps or syslog messages from devices:

- Incoming SNMP traps reached maximum: This alarm is published by Ridgeline if one device sends 50 or more SNMP traps in 30 seconds or the Ridgeline server receives more than 275 SNMP traps per minute.
- Syslog messages reached maximum: This alarm occurs when a high number of syslog messages floods the Ridgeline server.

You can change the threshold limits for high trap/syslog rate alarms under Ridgeline Administration server properties (see Scalability Properties on page 356):

- Traps per Device in 1/2 Minute
- Total Traps Accepted per Minute
- Syslog messages per Device in 1/2 Minute
- Total syslog messages Accepted per Minute

The predefined alarms include the following alarms:
Name | Category | Severity | Profile | Profile Type
Virus Alert | Security | Major | Block Traffic Profile | System
Exploit Alert | Security | Major | Block Traffic Profile | System
Reconnaissance Alert | Security | Major | Block Traffic Profile | System
Port Scan Alert | Security | Major | Block Traffic Profile | System
DoSandDDoS Alert | Security | Major | Block Traffic Profile | System
PolicyViolation Alert | Security | Major | Block Traffic Profile | System
Host Sweep Alert | Security | Major | Block Traffic Profile | System
Configuration Baseline Difference | Security | Major | Default | System
Wireless Controller over voltage | Default | Major | Default | System
MLAG peer down | Default | Major | Default | System
Wireless Controller high temparature | Default | Major | Default | System
Redundancy Member Down | Default | Minor | Default | System
Wireless Controller Fan under speed | Default | Major | Default | System
Stack Member Overheat | Default | Minor | Default | System
Link Failed | Default | Major | Default | System
MAC Address Detected On Locked Port | Default | Minor | Default | System
Pse main power usage below threshold | Default | Minor | Default | System
Incoming Snmp traps reached maximum | Default | Major | Default | System
Power Supply Failed | Default | Major | Default | System
Wireless Controller under voltage | Default | Major | Default | System
Redundant Power Supply failed | Default | Minor | Default | System
Device SNMP unreachable | Default | Major | Default | System
BGP Prefix Maximum Exceeded | Default | Minor | Default | System
Wireless Controller System panic event | Default | Major | Default | System
Enhanced DOS Threshold Reached | Default | Minor | Default | System
Device HTTP unreachable | Default | Major | Default | System
Wireless Controller low temparature | Default | Major | Default | System
AP to Wireless Controller connectivity lost | Default | Minor | Default | System
MAC Address Learning Limit Exceeded | Default | Minor | Default | System
Redundancy Critical Resource Down | Default | Minor | Default | System
Port Failed | Default | Major | Default | System
Overheat detected | Default | Major | Default | System
Pse main power usage above threshold | Default | Minor | Default | System
Fan Failed | Default | Major | Default | System
Server load balancer unit activated | Default | Major | Default | System
MAC Address Detected On Unauthorized Port | Default | Minor | Default | System
Server load balancer unit deactivated | Default | Major | Default | System
Syslog messages reached maximum | Default | Major | Default | System
DOS Threshold Reached | Default | Minor | Default | System
BGP Prefix Reached Threshold | Default | Minor | Default | System
Wireless Controller over temperature | Default | Major | Default | System
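The two trap-rate conditions behind the Incoming SNMP traps reached maximum alarm (50 or more traps from one device in 30 seconds, more than 275 traps at the server per minute) can be modelled as sliding windows. This is an added example, not Ridgeline code: the class and function names, the sliding-window interpretation, and clearing the condition when the rate drops are assumptions, and the sample traps are constructed.

```python
from collections import defaultdict, deque

# Defaults quoted in the text above; both are adjustable server properties.
PER_DEVICE_LIMIT, PER_DEVICE_WINDOW = 50, 30.0   # 50 or more traps from one device in 30 s
TOTAL_LIMIT, TOTAL_WINDOW = 275, 60.0            # more than 275 traps at the server per minute


class TrapFloodDetector:
    """Sliding-window model of the two trap-rate conditions (assumed semantics)."""

    def __init__(self, per_device_limit=PER_DEVICE_LIMIT, total_limit=TOTAL_LIMIT):
        self.per_device_limit = per_device_limit
        self.total_limit = total_limit
        self._by_device = defaultdict(deque)   # source IP -> trap times in the last 30 s
        self._all = deque()                    # all trap times in the last 60 s
        self._active = set()                   # scopes whose condition is currently raised

    @staticmethod
    def _expire(window, now, span):
        # Keep only timestamps inside the window (now - span, now].
        while window and window[0] <= now - span:
            window.popleft()

    def _transition(self, scope, exceeded, events):
        # Report state changes only, so a sustained flood yields a single "raise".
        if exceeded and scope not in self._active:
            self._active.add(scope)
            events.append(("raise", scope))
        elif not exceeded and scope in self._active:
            self._active.discard(scope)
            events.append(("clear", scope))

    def observe(self, ts, source_ip):
        """Record one trap received at time ts (seconds); return the state changes."""
        events = []
        self._by_device[source_ip].append(ts)
        self._all.append(ts)
        # Re-check the sender and every device with a raised condition, so a
        # device that has gone quiet is cleared by traffic from other devices.
        for ip in sorted({source_ip} | (self._active - {"server"})):
            window = self._by_device[ip]
            self._expire(window, ts, PER_DEVICE_WINDOW)
            self._transition(ip, len(window) >= self.per_device_limit, events)
        self._expire(self._all, ts, TOTAL_WINDOW)
        self._transition("server", len(self._all) > self.total_limit, events)
        return events


def replay(traps):
    """Feed (timestamp, source_ip) pairs in order; return (timestamp, change, scope) tuples."""
    detector = TrapFloodDetector()
    log = []
    for ts, ip in traps:
        for change, scope in detector.observe(ts, ip):
            log.append((ts, change, scope))
    return log


# Constructed sample: one device bursts 60 traps in 30 s, goes quiet, and then
# 28 devices send 10 traps each within 35 s (no single device near its limit).
SAMPLE = (
    [(i * 0.5, "10.0.0.5") for i in range(60)]
    + [(70.0, "10.0.0.9")]
    + [(100 + i * 0.125, f"10.0.1.{i % 28}") for i in range(280)]
)

if __name__ == "__main__":
    for entry in replay(SAMPLE):
        print(entry)
```

The second burst shows why the server-wide limit exists alongside the per-device one: many devices that each stay well under 50 traps per 30 seconds can still exceed 275 traps per minute in aggregate.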

Predefined Events
For convenience, the Ridgeline Alarm Manager provides a number of predefined events. For a list of predefined alarms, see Predefined Alarms on page 238. These events are enabled by default and are active as soon as the Ridgeline server starts up. These include the following events:
Name | Profile | Type
OSPF Neighbor State Change | Default | SNMP Trap
Dsx1 Line Status Change | Default | SNMP Trap
[Wireless Controller Event]User authentication failed | Default | SNMP Trap
VM Undetected | Default | SNMP Trap
[Wireless Controller Event]POE read failure | Default | SNMP Trap
Redundancy Critical Resource Down | Default | SNMP Trap
Notice | Default | Syslog
Custom Event | Default | NMS generated
Wireless AP Added | Default | SNMP Trap
ESRP Master Re-election After MSM Failover | Default | SNMP Trap
Free RADIUS Down | Default | NMS generated
CPU Utilization Falling Threshold | Default | SNMP Trap
Wireless Counter Measure Stopped | Default | SNMP Trap
BGP M2 Threshold Reached | Default | SNMP Trap
EAPS Segment Timer Expiry Flag Set | Default | SNMP Trap
OSPF Virtual Neighbor State Change | Default | SNMP Trap
VM Detected | Default | SNMP Trap
EDP Neighbor Removed | Default | SNMP Trap
Mobility Up | Default | SNMP Trap
Device Reboot | Default | NMS generated
Wireless Client Netlogin Client Associated | Default | SNMP Trap
[Wireless Controller Event]User authentication success | Default | SNMP Trap
Threat Action Result | Default | SNMP Trap
Warning | Default | Syslog
[Wireless Controller Event]POE initialization failure | Default | SNMP Trap
Configuration Restore Failed | Default | NMS generated


Authentication Failed | Default | SNMP Trap
CPU Utilization Rising Threshold | Default | SNMP Trap
FTP Server Config Error | Default | NMS generated
Identity Management Memory Level Change | Default | SNMP Trap
BGP M2 Max Exceeded | Default | SNMP Trap
Virus Alert | Block Traffic Profile | SNMP Trap
Extreme Mpls Tunnel Status Change | Default | SNMP Trap
EAPS Last Status Change | Default | SNMP Trap
Configuration Backup Failed | Default | NMS generated
Wireless AP Updated | Default | SNMP Trap
BGP Established | Default | SNMP Trap
Mobility Down | Default | SNMP Trap
Health Check Failed | Default | SNMP Trap
Stack Member Down | Default | NMS generated
Netlogin Authentication Failure | Default | SNMP Trap
[Wireless Controller Event]User successful login | Default | SNMP Trap
Dsx1 No Loss of Master Clock | Default | SNMP Trap
OSPF Interface Config Error | Default | SNMP Trap
Mobility Peer Up | Default | SNMP Trap
Wireless AP Removed | Default | SNMP Trap
EGPNbrLoss | Default | SNMP Trap
Dsx1 Loss of Master Clock | Default | SNMP Trap
Port Scan Alert | Block Traffic Profile | SNMP Trap
Free RADIUS Up | Default | NMS generated
Extreme Mpls LdpSession StatusChange | Default | SNMP Trap
OSPF Interface State Change | Default | SNMP Trap
ELRP VLAN Loop Detected | Default | SNMP Trap
Virus Alert Cleared | Unblock Traffic Profile | SNMP Trap
[Wireless Controller Event]Over temparature | Default | SNMP Trap
EAPS Configuration Change | Default | SNMP Trap
OSPF Virtual Interface Config Error | Default | SNMP Trap
MSM Failover Occured | Default | SNMP Trap
Information | Default | Syslog
Configuration Backup OK | Default | NMS generated
[Wireless Controller Event]Failed login attempt - authentication failed | Default | SNMP Trap
Stacking Link Down | Default | NMS generated
UPM Profile Execution | Default | SNMP Trap


OSPF LSDB Approaching Overflow | Default | SNMP Trap
SNMP Reachable | Default | NMS generated
Redundancy Member Down | Default | SNMP Trap
Netlogin User Login | Default | SNMP Trap
[Wireless Controller Event]High temparature | Default | SNMP Trap
Redundancy Adoption Exceeded | Default | SNMP Trap
Reach Device Unplugged event | Default | NMS generated
Rogue Access Point Found | Default | NMS generated
Invalid Policy Definition | Default | SNMP Trap
PolicyViolation Alert | Block Traffic Profile | SNMP Trap
Ping Test Failed | Default | SNMP Trap
Warm Start | Default | SNMP Trap
SLB Unit Removed | Default | SNMP Trap
Reach Software Upgraded event | Default | NMS generated
Redundancy Member Misconfigured | Default | SNMP Trap
Cold Start | Default | SNMP Trap
PoE PSU Status Changed | Default | SNMP Trap
PolicyViolation Alert Cleared | Unblock Traffic Profile | SNMP Trap
One Shot Event No Longer Valid | Default | NMS generated
Debug | Default | Syslog
[Wireless Controller Event]Failed login attempt - access violation | Default | SNMP Trap
Reachability unknown | Default | NMS generated
[Wireless Controller Event]Low temparature | Default | SNMP Trap
OSPF LSDB Overflow | Default | SNMP Trap
SLB Unit Added | Default | SNMP Trap
DOS Threshold Cleared | Default | SNMP Trap
Netlogin User Logout | Default | SNMP Trap
Ping Test Completed | Default | SNMP Trap
EAPS Root Blocker Status Change | Default | SNMP Trap
[Wireless Controller Event]Failed login attempt - no such user role | Default | SNMP Trap
HTTP Reachable | Default | NMS generated
Syslog Flood | Default | NMS generated
MAC Address Detected On Unauthorized Port | Default | SNMP Trap
OSPF Max_Age LSA | Default | SNMP Trap
Redundancy License Changed | Default | SNMP Trap
Link Up | Default | SNMP Trap
EAPS Shared Port Status Change | Default | SNMP Trap


[Wireless Controller Event]Over voltage | Default | SNMP Trap
DOS Threshold Reached | Default | SNMP Trap
Extreme Vpls Status Change | Default | SNMP Trap
MAC Unmapped | Default | SNMP Trap
SNMP Unreachable | Default | NMS generated
Main Power Usage On | Default | SNMP Trap
Reconnaissance Alert | Block Traffic Profile | SNMP Trap
OSPF Virtual Interface State Change | Default | SNMP Trap
[Wireless Controller Event]User logged out | Default | SNMP Trap
MAC Address Detected On Locked Port | Default | SNMP Trap
[Wireless Controller Event]Under voltage | Default | SNMP Trap
MAC Mapped | Default | SNMP Trap
EAPS Segment Timer Expiry Flag Cleared | Default | SNMP Trap
Redundancy Critical Resource Up | Default | SNMP Trap
Enhanced DOS Threshold Cleared | Default | SNMP Trap
Reconnaissance Alert Cleared | Unblock Traffic Profile | SNMP Trap
HTTP Unreachable | Default | NMS generated
Pse Port On/Off | Default | SNMP Trap
Redundancy Member Up | Default | SNMP Trap
EDP Neighbor Added | Default | SNMP Trap
Link Down | Default | SNMP Trap
Radio Detected | Default | SNMP Trap
[Wireless Controller Event]Server unreachable event | Default | SNMP Trap
Power Supply Failed | Default | NMS generated
Processor State Change Trap | Default | SNMP Trap
OSPF Originate LSA | Default | SNMP Trap
Main Power Usage Off | Default | SNMP Trap
Configuration Baseline Difference | Default | NMS generated
[Wireless Controller Event]System clock reset | Default | SNMP Trap
EAPS Fail Timer Expired Flag Set | Default | SNMP Trap
DoSandDDoS Alert | Block Traffic Profile | SNMP Trap
Fan Failed | Default | SNMP Trap
Stacking Port Status Changed | Default | SNMP Trap
Reach Device plugged event | Default | NMS generated
Smarttrap | Default | SNMP Trap
CPU Health Check Failed | Default | SNMP Trap
Device Warning From EPI Center | Default | NMS generated


EAPS State Change | Default | SNMP Trap
[Wireless Controller Event]Auto upgrade module is enabled | Default | SNMP Trap
[Wireless Controller Event]System panic event | Default | SNMP Trap
[Wireless Controller Event]Fan under-speed | Default | SNMP Trap
OSPF Virtual Interface TX Retransmit | Default | SNMP Trap
Entity MIB Changed | Default | SNMP Trap
ESRP State Change for ExtremeXOS | Default | SNMP Trap
Stack Member Status Changed | Default | SNMP Trap
Redundant Power Supply OK | Default | SNMP Trap
Unapproved AP Detected | Default | SNMP Trap
Exploit Alert Cleared | Unblock Traffic Profile | SNMP Trap
[Wireless Controller Event]Wireless client EAP authentication successful | Default | SNMP Trap
BGP Prefix Max Exceeded | Default | SNMP Trap
Epicenter Script Event | Default | NMS generated
OSPF TX_Retransmit | Default | SNMP Trap
Policy Configuration Start | Default | NMS generated
MAU Changed for ExtremeXOS | Default | SNMP Trap
[Wireless Controller Event]Auto upgrade module is disabled | Default | SNMP Trap
EAPS Link Down Ring Complete | Default | SNMP Trap
Wireless Probe Info Added | Default | SNMP Trap
Unapproved AP Removed | Default | SNMP Trap
ESRP StateChange | Default | SNMP Trap
Syslog Flood Cleared | Default | NMS generated
Port Diagnostics | Default | SNMP Trap
[Wireless Controller Event]AP reset | Default | SNMP Trap
Invalid Login | Default | SNMP Trap
SummitWM Log Change | Default | SNMP Trap
MAC Address Learning Limit Exceeded | Default | SNMP Trap
Script Backgroud Command Failed | Default | NMS generated
Ping Probe Failed | Default | SNMP Trap
Device Policy Configuration | Default | NMS generated
EAPS Fail Timer Expired Flag Cleared | Default | SNMP Trap
High Trap Count Cleared | Default | NMS generated
SummitWM Altitude Tunnel Alarm | Default | SNMP Trap
DoSandDDoS Alert Cleared | Unblock Traffic Profile | SNMP Trap
Slot Change | Default | SNMP Trap


VM VPP SYNC Failed | Default | SNMP Trap
Fan OK | Default | SNMP Trap
OSPF Virtual Interface Receive Bad Packet | Default | SNMP Trap
[Wireless Controller Event]AP to controller connectivity lost | Default | SNMP Trap
Enhanced DOS Threshold Reached | Default | SNMP Trap
Wireless Probe Info Removed | Default | SNMP Trap
Power Supply OK | Default | SNMP Trap
Script Save Config Failed | Default | NMS generated
Host Sweep Alert | Block Traffic Profile | SNMP Trap
Dsx3 Line Status Change | Default | SNMP Trap
Extreme Pw Status Change | Default | SNMP Trap
Port Down | Default | SNMP Trap
EAPS Primary or Secondary Port Status Change | Default | SNMP Trap
FTP Server Config OK | Default | NMS generated
Fan Failed | Default | NMS generated
Wireless Port State Changed | Default | SNMP Trap
STP topology change | Default | SNMP Trap
Wireless Off Channel Scan Started | Default | SNMP Trap
[Wireless Controller Event]Wireless client denied association | Default | SNMP Trap
Mobility Peer Down | Default | SNMP Trap
[Wireless Controller Event]AP adopted | Default | SNMP Trap
OSPF Interface Receive Bad Packet | Default | SNMP Trap
Emergency | Default | Syslog
Port Scan Alert Cleared | Unblock Traffic Profile | SNMP Trap
Power Supply Failed | Default | SNMP Trap
Stack Member Overheat | Default | SNMP Trap
Dsx3 Loss of Master Clock | Default | SNMP Trap
Extreme Pw Deleted | Default | SNMP Trap
BGP Backward Transition | Default | SNMP Trap
BGP Prefix Reached Threshold | Default | SNMP Trap
Wireless Client Station Aged Out | Default | SNMP Trap
AUP Alarm | Default | NMS generated
[Wireless Controller Event]Wireless client disassociated | Default | SNMP Trap
Alert | Default | Syslog
OSPF Virtual Interface Authentication Failure | Default | SNMP Trap
High Trap Count | Default | NMS generated
[Wireless Controller Event]AP unadopted | Default | SNMP Trap


Eaps State Changed Warning | Default | NMS generated
lldp remote table changed | Default | SNMP Trap
Extreme SentriantAG Alarm | Default | SNMP Trap
Overheat | Default | SNMP Trap
Radio Adopted | Default | SNMP Trap
MLAG peer up | Default | SNMP Trap
Wireless Port Boot Failed | Default | SNMP Trap
Exploit Alert | Block Traffic Profile | SNMP Trap
MLAG peer up | Default | NMS generated
Wireless Off Channel Scan Finished | Default | SNMP Trap
Eaps State Changed Error | Default | NMS generated
Critical | Default | Syslog
[Wireless Controller Event]Wireless client associated | Default | SNMP Trap
Ping OK | Default | NMS generated
Port Up | Default | SNMP Trap
OSPF Interface Authentication Failure | Default | SNMP Trap
MLAG peer down | Default | SNMP Trap
[Wireless Controller Event]POE state changed | Default | SNMP Trap
Wireless Counter Measure Started | Default | SNMP Trap
Radio Unadopted | Default | SNMP Trap
Error | Default | Syslog
MLAG peer down | Default | NMS generated
Extreme ClearFlow Alarm | Default | SNMP Trap
Redundant Power Supply Failed | Default | SNMP Trap
Host Sweep Alert Cleared | Unblock Traffic Profile | SNMP Trap
Overheat | Default | NMS generated
Ping failed | Default | NMS generated
Configuration Restore OK | Default | NMS generated
Dsx3 No Loss of Master Clock | Default | SNMP Trap
STP new root | Default | SNMP Trap

Definition of Alarms and Events


The Alarm Manager shows both alarms and events. Events are stateless and serve to track any important activity on the network. Alarms are:


- Standing, abnormal conditions. Standing means that a condition is in force for some length of time with a definite start and end (for example: a missing card, the loss of a neighbor, etc.). A standing condition is not transitory; a transitory condition, while serious, does not have a specific lifetime. Invalid logon attempts, the failure of a file download, and a device reboot are not standing conditions: there is nothing that specifically clears an invalid logon attempt, and a file download failure does not have a clearing condition.
- Having a state. Alarms are either outstanding (active, on) or cleared.
- Associated with two event types: one raising the alarm, another clearing it.

The Outstanding alarms tab (see The Outstanding Alarms Tab on page 247) displays alarms that are active or orphaned until they are cleared either automatically or manually. Automatically cleared alarms are moved to the historical alarms table on the Cleared Alarms and Events tab after five minutes (see The Cleared Alarms and Events Tab on page 252).

Retention of Historical Alarms and Events


Historical alarms and events are moved to text files when one of the following conditions is met:

- The event or alarm is older than 30 days.
- The number of historical alarms, events, or syslog messages exceeds 25,000 records; in that case, the oldest 10,000 records are moved.

These conditions are checked at midnight every day. Alarms, events, and syslog messages that meet either of these conditions are removed from the database permanently and archived in text files:

- Historical alarms are moved to Alarms_Log.txt
- Historical events are moved to Events_Log.txt
- Historical syslog messages are moved to Syslog_Log.txt

These files are located at . You can change the above conditions in Ridgeline Administration, under server properties:

- Maximum records to be in alarms/events history
- Maximum number of days to keep the alarms/events history

For information about changing these server properties, see Alarms Properties on page 357.
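The midnight check described above, as a small model that shows which records leave the database and which archive file receives them. This is an added example, not Ridgeline code: the function names are hypothetical, the age rule is assumed to run before the count rule, the 25,000-record limit is assumed to apply to each history table separately, and the sample records are constructed.

```python
from datetime import datetime, timedelta

MAX_AGE_DAYS = 30        # records older than 30 days are moved
MAX_RECORDS = 25_000     # when a table exceeds 25,000 records ...
ARCHIVE_BATCH = 10_000   # ... its oldest 10,000 records are moved

# Archive file for each history table, as named in the text above.
ARCHIVE_FILES = {
    "alarms": "Alarms_Log.txt",
    "events": "Events_Log.txt",
    "syslog": "Syslog_Log.txt",
}


def nightly_archive(records, now, max_age_days=MAX_AGE_DAYS,
                    max_records=MAX_RECORDS, batch=ARCHIVE_BATCH):
    """Split one history table into (kept, archived), both ordered oldest first.

    records is a list of (received_at, text) tuples in any order.
    Assumption: the age rule is applied first, then the count rule.
    """
    ordered = sorted(records, key=lambda record: record[0])
    cutoff = now - timedelta(days=max_age_days)
    archived = [r for r in ordered if r[0] < cutoff]
    kept = [r for r in ordered if r[0] >= cutoff]
    if len(kept) > max_records:
        archived += kept[:batch]
        kept = kept[batch:]
    return kept, archived


def midnight_check(tables, now):
    """Run the check on every table; return ({table: kept}, {archive file: moved})."""
    kept, moved = {}, {}
    for name, records in tables.items():
        kept[name], moved[ARCHIVE_FILES[name]] = nightly_archive(records, now)
    return kept, moved


def oldest_kept(kept_records):
    """Earliest timestamp still in the database after the check, or None."""
    return kept_records[0][0] if kept_records else None


# Constructed sample. The syslog table holds one 10-day-old message plus a
# burst of 26,000 messages received during the last few hours.
NOW = datetime(2013, 3, 13, 0, 0, 0)
SAMPLE = {
    "alarms": [(NOW - timedelta(days=45), "constructed alarm A"),
               (NOW - timedelta(days=5), "constructed alarm B")],
    "events": [],
    "syslog": [(NOW - timedelta(days=10), "constructed older message")]
              + [(NOW - timedelta(seconds=s), "constructed burst message")
                 for s in range(1, 26_001)],
}

if __name__ == "__main__":
    kept, moved = midnight_check(SAMPLE, NOW)
    for file_name, records in moved.items():
        print(file_name, len(records))
    print("oldest syslog record left in the database:", oldest_kept(kept["syslog"]))
```

In the sample, the 10-day-old syslog message is archived even though it is well inside the 30-day limit, because the burst pushed the table past 25,000 records; after a high-volume day, older records have to be looked up in the archive files rather than in the Alarm Manager.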

The Outstanding Alarms Tab


The Outstanding alarms tab displays a summary of the alarms that have occurred. To view outstanding alarms, in the navigation pane, click Alarm Manager, and then click the Outstanding tab. The Outstanding tab displays the last 300 alarms. You can scroll through the pages of this list by clicking Back and Forward.


An alarm can be generated due to an SNMP or RMON trap, a syslog message, or based on the results of a poll. By default, all the predefined alarms are enabled; therefore, you may see alarm entries the first time you view the Alarm Manager, even if you have not defined any alarms of your own.

Alarms that can be automatically cleared (status = Automatically cleared) move to the historical alarms view after a clearing event, once the time period defined in the Timeout on moving cleared alarms to historical (in seconds) property has passed (default is 30 seconds). Similarly, single events move to the single events table after the time period defined in the Timeout on moving active events to historical (in hours) property (default is 5 hours). For more information about how to set these properties, see Alarms Properties on page 357, and for more information about events and alarms, see Definition of Alarms and Events on page 246.

With alarms, you can:

- Acknowledge alarms
- Clear alarms
- Pause alarms
- Export alarms
- Change the received time format
- Move alarms to the historical alarms table

The Outstanding alarms tab displays the following information for each alarm:

Name: A name for the alarm type, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The severity levels and the related icons: Minor, Major, Critical.
Source IP: The IP address of the device that generated the trap or responded to a poll.
Source Name: Name of the device that generated the alarm.
Received: The date and time at which the alarm was received. This can be shown in absolute or relative time. Click Toggle Time Format to switch between the two time modes.
Ack: A check mark indicates that this alarm has been acknowledged (see Acknowledging Alarms).
Status:
- Active: Alarm condition is active on the device.
- Orphaned: Alarm condition might be active on the device. You must manually clear orphaned alarms or they remain in the outstanding table indefinitely.
- Automatically cleared: Alarms that can be automatically cleared move into the historical alarms table after a clearing event after a time period defined in the Timeout on moving cleared alarms to historical (in seconds) property. For more information about how to set this property, see Alarms Properties on page 357.
Details: Additional details about the alarm.
Category: An optional user-defined classification that defaults to Default. For more information, see Creating New Alarm Definitions on page 254.

The alarms list is initially sorted by the date/time received in descending order, so that the most recent alarm appears at the top of the list. You can sort the display by the contents of any column by clicking the column heading. Click the heading a second time to reverse the sort order based on that column.


For each selected alarm, additional information appears on the left side of the bottom pane:
Number of events: Indicates the number of times that this event/alarm has occurred.
Name: A name for the alarm type, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The severity levels and the related icons: Normal, Warning, Minor, Major, Critical.
Source IP: The IP address of the device that generated the trap or responded to a poll.
Source Name: Name of the device that generated the alarm.
Ack: A check mark indicates that this alarm has been acknowledged (see Acknowledging Alarms).
Status:
- Active: Alarm condition is active on the device.
- Orphaned: Alarm condition might be active on the device. You must manually clear orphaned alarms or they remain in the outstanding table indefinitely.
- Automatically cleared: Alarms that can be automatically cleared move into the historical alarms table after a clearing event after a time period defined in the Timeout on moving cleared alarms to historical (in seconds) property. For more information about how to set this property, see Alarms Properties on page 357.
Details: Additional details about the alarm.
Category: An optional user-defined classification that defaults to Default. For more information, see Creating New Alarm Definitions on page 254.
Updated by: The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
Last update: The last time when the alarm was updated.
Message: The message that has been configured on the associated alarm profile for this alarm (see Defining Alarms on page 253).
RecievedAtStr: The date/time at which the alarm was received.

For each selected alarm, additional information appears on the right side of the bottom pane:
Time: The date/time of all actions taken on the event/alarm occurrence.
Action: The name of each action taken on the event/alarm occurrence.
By: The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
Result: The outcome of the action on the event/alarm occurrence (Success or Failure).
Note: When acknowledging or unacknowledging an alarm, optional text that you can add (see Acknowledging Alarms on page 249).

Acknowledging Alarms
To acknowledge an alarm:

1 Select the alarm(s) that you want to acknowledge.
2 Click Ack. The Acknowledged alarm note dialog box appears.
3 Type an acknowledging note in the box. This text appears in the lower pane of the Outstanding tab (see The Outstanding Alarms Tab on page 247).
4 Click Save. A check mark now appears in the Ack column for the selected alarm(s).

The acknowledgement appears in the lower pane of the Outstanding alarms tab (see The Outstanding Alarms Tab on page 247). You can unacknowledge alarms you have previously acknowledged, if needed (see Unacknowledging Alarms on page 250). The Ack or Unack operation may take a few seconds to update the database. When the update is complete, the rows are deselected.

Unacknowledging Alarms
If you have acknowledged an alarm (see Acknowledging Alarms on page 249), you can unacknowledge it. To unacknowledge an alarm:

1 Select the alarm(s) that you want to unacknowledge.
2 Click Unack. The Unacknowledged Alarm Note dialog box appears.
3 Type an unacknowledging note in the box.
4 Click Save. The check mark is now cleared from the Ack column for the selected alarm(s).

The unacknowledgement appears in the lower pane of the Outstanding alarms tab (see The Outstanding Alarms Tab on page 247). You can acknowledge the alarm again, if needed (see Acknowledging Alarms on page 249). The Ack or Unack operation may take a few seconds to update the database. When the update is complete, the rows are deselected.

Clearing Alarms
Clearing alarms removes them from the Outstanding alarms tab and moves them to the historical alarms table on the Cleared Alarms and Event tab.

Note: You cannot undo clearing an alarm.

To clear an alarm:

1 Select the check box for the desired alarm. The Cleared alarm note dialog box appears.
2 Type a note in the box, and then click Save.

The alarm moves from the Outstanding tab, and now appears in the Cleared Alarms and Event tab. The note text appears in the Note column in the lower pane for each selected alarm on the Cleared Alarms and Events tab.

Pausing All Alarms


You can temporarily stop the processing of all enabled alarms. To pause all alarms, click Pause. To resume processing alarms, see Resume Processing All Alarms on page 251.

Resume Processing All Alarms


You can temporarily stop the processing of all enabled alarms (see Pausing All Alarms on page 251). To resume processing all alarms, click Resume.

Changing the Time Format in the Alarm Manager


The received time for alarms and events that appears on the Outstanding and Cleared Alarms and Events tabs can appear in absolute or relative time format (see The Outstanding Alarms Tab on page 247 and The Cleared Alarms and Events Tab on page 252). The default is absolute time.

- Absolute time is a date/time (for example: Mar 13, 2013 03:45:55 EDT).
- Relative time is an approximate time period relative to now (for example: one week ago).

To change the time format: On either the Outstanding or Cleared Alarms and Events tab, click Toggle Time Format. The received time in the Received column changes between absolute time and relative time format.

Moving Alarms to History View


For alarms that can be cleared automatically (on the Outstanding tab, Status = Automatically cleared), you can manually move these alarms to the historical table on the Cleared Alarms and Events tab. To move an alarm to the historical table:

1 In the navigation pane, click Alarm Manager.
2 On the Outstanding tab, select an alarm to move by selecting its check box. (You may select multiple alarms.)
3 Click Move To History.

The selected alarm(s) move to the historical table on the Cleared Alarms and Events tab (see The Cleared Alarms and Events Tab on page 252).


Exporting Outstanding Alarms List


You can export the outstanding alarms list to a CSV file. To export a list of outstanding alarms:

1 Click Export.
2 Select a file name and location, and then click Save.

The Cleared Alarms and Events Tab


The Cleared Alarms and Events tab displays by default the single events table. To switch between viewing the historical alarms table and the single events table, click the Historical Alarms/Single Events button. The Cleared Alarms and Events tab displays the last 300 alarms. You can scroll through the pages of this list by clicking Back and Forward. The Cleared Alarms and Events tab displays the following information for each alarm/event:
Name: A name for the alarm, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The Severity Levels and the related icons are as follows: Minor, Major, Critical.
Source IP: The IP address of the device that generated the trap or responded to a poll.
Source Name: Name of the device that generated the alarm.
Received: The date and time at which the alarm was received.
Details: Additional details about the alarm.

For each selected alarm, the following additional information appears on the left side of the details pane (bottom).
Number of events: Indicates the number of times that this event/alarm has occurred.
Name: A name for the alarm, provided when the alarm is defined.
Severity: The severity level associated with the alarm when it was defined, indicated by both name and color. The Severity Levels and the related icons are as follows: Normal, Warning, Minor, Major, Critical.
Source IP: The IP address of the device that generated the trap or responded to a poll.
Source Name: Name of the device that generated the alarm.


Ack: A check mark indicates that this alarm has been acknowledged (see Acknowledging Alarms).
Status:
  Active: Alarm condition is active on the device.
  Orphaned: Alarm condition might be active on the device. You must manually clear orphaned alarms or they remain in the outstanding table indefinitely.
  Automatically cleared: Alarms that can be automatically cleared move into the historical alarms table after a clearing event, after a time period defined in the Timeout on moving cleared alarms to historical (in seconds) property. For more information about how to set this property, see Alarms Properties on page 357.

Details: Additional details about the alarm.
Category: An optional user-defined classification that defaults to Default. For more information, see Creating New Alarm Definitions on page 254.
Updated by: The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
Last update: The last time when the alarm/event was updated.
ReceivedAtStr: The date/time at which the alarm was received.
Message: The message that has been configured on the associated alarm profile for this alarm (see Defining Alarms on page 253).

Additional information appears depending on the type of alarm. If the event for the alarm is based on:
  SNMP traps: variable bindings list appears
  Syslog message: variable bindings appear with syslog-specific message data such as SEV, FAC, and CONTEXT
  NMS polling: no variable bindings appear

For each selected alarm, the following additional information appears on the right side of the details pane (bottom).
Time: The date/time of all actions taken on the event/alarm occurrence.
Action: The name of each action taken on the event/alarm occurrence.
By: The actor who generated the action on the event/alarm occurrence. Could be either a specific user or the system (Ridgeline).
Result: The outcome of the action on the event/alarm occurrence (Success or Failure).
Note: When acknowledging or unacknowledging an alarm, optional text that you can add (see Acknowledging Alarms on page 249).

Defining Alarms
For convenience, the Ridgeline Alarm Manager provides a number of predefined alarms. These alarms are all enabled by default, and become active immediately when the Ridgeline server starts up. The predefined alarms generate alarm log entries, but no other actions are specified. You can modify the predefined alarms or define your own custom alarms to report errors based on a number of event types under conditions you specify, such as repeated occurrences or exceeding threshold values. You can also specify the actions to occur when an alarm happens, such as sending email, running a program, running a Ridgeline script, or sounding an audible alert.


To view current alarm definitions, create new definitions (see Creating New Alarm Definitions on page 254), or modify existing definitions, click the Alarm and Event Definitions tab (shown below).

Figure 161: Alarm and Event Definitions Tab

The Alarm and Event Definitions tab displays the following information:
Name: The name of the alarm.
categoryName: The category to which the alarm belongs (for more information about how categories are set, see Creating New Alarm Definitions on page 254).
Severity: The severity level of the alarm (minor, major, critical).
Profile: A defined set of actions (such as, sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can change this default profile and create other profiles (see Defining Alarm Profiles on page 262).
Type: The event type that triggers this alarm, such as SNMP trap, etc.
Enabled: Whether the alarm is enabled (green check mark) or disabled (red "X").

Creating New Alarm Definitions


You can define alarms that report errors under conditions you specify, such as repeated occurrences or exceeding threshold values. You can enable and disable individual alarms (see Enabling and Disabling Alarm Definitions on page 262), and you can specify the actions to be taken when an alarm occurs, such as sending e-mail, running a program, running a Ridgeline script, or sounding an audible alert (see Defining Alarm Profiles on page 262). After creating an alarm definition, you can later modify it (see Modifying Alarm Definitions on page 258).

To create a new alarm definition:
1 In the navigation pane, click Alarm Manager.


2 Click the Alarm and Event Definitions tab.
3 Click New Alarm Definition. The New Alarm Definition dialog box appears.

Figure 162: New Alarm Definition Dialog Box

4 Type a name for the new alarm definition in the Name box. This name appears in the alarm lists and (optionally) elsewhere. This defines the variable alarmName.
5 Make selections for the following settings:


Severity: The severity level associated with the alarm, indicated by both name and color: Minor, Major, Critical. This defines the variable alarmSeverity. The severity level also determines the sound that is played as an audible alert.

Category: The category to which the alarm belongs. Alarm categories are arbitrary collections of alarms that you can define according to your needs, and then assign to specific alarm definitions. For example, you might use categories to designate alarms from individual buildings, floors, or workgroups. An ISP might define categories for alarms from a specific customer's equipment. By default, all alarms are assigned to the category named Default. This category cannot be deleted. To add or delete categories, click Manage Categories. The Manage Categories dialog box appears:
  To add a category, type a name in the Category Name box, click Add, and then click Close. The new category appears in the list.
  To delete a category, select the category's check box, click Delete, and then click Close.

Profile: A defined set of actions (such as, sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can create other profiles (see Defining Alarm Profiles on page 262). Select a profile from the list.

Raise alarm when this event is received

Type: The type of event that generates the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below. The event type is concatenated with the event name to define the variable eventTypeName.

Name: The specific event (trap) that should trigger this alarm. Select the event from the list. The event name is concatenated with the event type to define the variable eventTypeName. For a description of the Ridgeline and SNMP events from which you can choose, see Event Types for Alarms on page 537.


Match data within event: You can specify that the alarm should be triggered only if the data provided with the event matches a specific pattern. The pattern matching syntax uses regular expressions. You can use * or % to match any sequence of zero or more characters. ? or _ (question mark or underscore) can be used to match any one character. To match one of a set of characters, enclose the characters in brackets. For example, [abcd] matches one of a, b, c, or d.
For example, the following regular expressions can be used for monitoring MPLS removals and insertions using alarm pattern matching:
  For removals: *ConfiguredType: 104?*InsertedType: 1?*State: 1*
  For insertions: *ConfiguredType: 104?*InsertedType: 104?*State: 5*

Issue alarm only when event is received: The required number of times an event must occur before an alarm is generated. You can specify both the number of times the event must occur, and the time frame within which these events must occur. This lets you filter out short-lived or non-repeatable events, and define an alarm that takes action only if the triggering event occurs repeatedly within a defined time frame.
Note: When you use this control for an SNMP unreachable alarm, note that Ridgeline generates SNMP unreachable alarms only when there are SNMP state changes (reachable to unreachable) occurring for that device according to the configured repetitive occurrence setting.
For example, if you configure the Repetitive occurrence specification parameter as 2 times within 15 minutes, Ridgeline does not generate SNMP unreachable alarms if it finds the device is unreachable twice within 15 minutes. Instead, those alarms are generated only when Ridgeline finds state changes (reachable to unreachable) for the device twice within 15 minutes.
For a description of SNMP unreachable and SNMP reachable alarms, see the table in Ridgeline Events on page 547.
If you want Ridgeline to generate SNMP unreachable alarms even without an SNMP state change, then edit the management.properties file and change EmitSnmpUnreachableEventAlways from FALSE to TRUE, and then restart the Ridgeline server and database. This change results in continuous SNMP unreachable alarm generation for all unreachable devices on every status poll, but when combined with Repetitive occurrence specification, the alarms will be generated according to the settings.

Clear alarm when this event is received

Add clearing event: Select this check box to enable a defined event that, when it occurs, clears the alarm. You can then make selections for Type and Name below.


Type: The type of event that should clear the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below.
Note: This control is unavailable if the Add clearing event check box is not selected.

Name: Name of the event to clear the alarm.
Note: This control is unavailable if the Add clearing event check box is not selected.

Scope of specific devices or ports: Select this check box to exclude the application of this alarm definition on selected devices and/or ports. Leaving this check box clear applies the alarm definition to all devices and ports in the Ridgeline inventory. Under Available Devices, select the check box(es) for the device(s) that you want to exclude, and then click Add. The selected devices appear under Excluded Devices.
Note: You can filter the list by typing keywords in the search box or selecting a group from the drop-down list.

6 Click OK. The new alarm definition appears in the list.
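The wildcard syntax described under Match data within event (the same field appears when modifying a user-created alarm definition), as an added Python example that is not Ridgeline code: it translates a pattern into a Python regular expression and runs the guide's two MPLS patterns over constructed event data. Whole-string matching, literal treatment of bracket contents, and the sample event strings are assumptions.

```python
import re

# The two patterns quoted in the guide.
REMOVAL = "*ConfiguredType: 104?*InsertedType: 1?*State: 1*"
INSERTION = "*ConfiguredType: 104?*InsertedType: 104?*State: 5*"

# Constructed event data. The guide does not show the real layout of the
# event data, so these strings are illustrative only.
SAMPLE_EVENTS = {
    "removed": "Slot: 3, ConfiguredType: 1045, InsertedType: 1, State: 1",
    "inserted": "Slot: 3, ConfiguredType: 1045, InsertedType: 1045, State: 5",
    "ambiguous": "Slot: 3, ConfiguredType: 1045, InsertedType: 1045, State: 1",
}


def pattern_to_regex(pattern):
    """Translate the wildcard syntax described in the guide to a compiled regex.

    * or %  -> any sequence of zero or more characters
    ? or _  -> exactly one character
    [abcd]  -> one character from the set (contents taken literally)
    Anything else is matched literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch in "*%":
            out.append(".*")
        elif ch in "?_":
            out.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end > i + 1:
                members = "".join(re.escape(c) for c in pattern[i + 1:end])
                out.append("[" + members + "]")
                i = end  # skip past the closing bracket
            else:
                # Unterminated or empty set: treat the bracket as a literal.
                out.append(re.escape(ch))
        else:
            out.append(re.escape(ch))
        i += 1
    # DOTALL so that wildcards also span line breaks inside event data.
    return re.compile("".join(out), re.DOTALL)


def matches(pattern, event_data):
    """True if the whole event data string matches the pattern (assumption)."""
    return pattern_to_regex(pattern).fullmatch(event_data) is not None


def classify(event_data):
    """Return the names of the guide's patterns that match event_data."""
    rules = {"removal": REMOVAL, "insertion": INSERTION}
    return [name for name, pat in rules.items() if matches(pat, event_data)]


if __name__ == "__main__":
    for label, data in SAMPLE_EVENTS.items():
        print(label, "->", classify(data))
```

The "ambiguous" sample shows why it is worth testing a pattern before relying on it: `1?*` only requires a 1 followed by at least one character, so the removal pattern also matches event data in which InsertedType is 1045.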

Modifying Alarm Definitions


You can modify existing alarm definitions as needed.

To modify an alarm definition:
1 In the navigation pane, click Alarm Manager.
2 Click the Alarm and Event Definitions tab.
3 Select the desired alarm definition in the list by clicking its check box.
4 Click Modify. One of the following Modify Event Definition dialog boxes appears depending on whether you are modifying a predefined or a user-created alarm definition.


Figure 163: Modify Event Definition Dialog Box (Predefined)

Figure 164: Modify Alarm Definition Dialog Box (User-Created)

You can change:
Enable or disable the alarm definition.


The Profile: A defined set of actions (such as, sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can create other profiles (see Defining Alarm Profiles on page 262). Select a profile from the list.

5 For user-created alarm definitions, you can change the following:
Severity: The severity level associated with the alarm, indicated by both name and color: Minor, Major, Critical. This defines the variable alarmSeverity. The severity level also determines the sound that is played as an alert.

Category: The category to which the alarm belongs. Alarm categories are arbitrary collections of alarms that you can define according to your needs, and then assign to specific alarm definitions. For example, you might use categories to designate alarms from individual buildings, floors, or work groups. An ISP might define categories for alarms from a specific customer's equipment. By default, all alarms are assigned to the category named Default. This category cannot be deleted. To add or delete categories, click Manage Categories. The Manage Categories dialog box appears.
  To add a category, type a name in the Category Name box, click Add, and then click Close. The new category appears in the list.
  To delete a category, select the category's check box, click Delete, and then click Close.

Profile: A defined set of actions (such as, sound alarm, send e-mail, run script) that you can associate with an alarm. There is a default profile that is associated with all predefined alarms. This default profile's single action is to sound an alarm. You can create other profiles (see Defining Alarm Profiles on page 262). Select a profile from the list.

Raise alarm when this event is received

Type: The type of event that generates the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below. The event type is concatenated with the event name to define the variable eventTypeName.

Name: The specific event (trap) that should trigger this alarm. Select the event from the list. The event name is concatenated with the event type to define the variable eventTypeName. For a description of the Ridgeline and SNMP events from which you can choose, see Event Types for Alarms on page 537.

Match data within event: You can specify that the alarm should be triggered only if the data provided with the event matches a specific pattern. The pattern matching syntax uses regular expressions. You can use * or % to match any sequence of zero or more characters. ? or _ (question mark or underscore) can be used to match any one character. To match one of a set of characters, enclose the characters in brackets. For example, [abcd] matches one of a, b, c, or d.
For example, the following regular expressions can be used for monitoring MPLS removals and insertions using alarm pattern matching:
  For removals: *ConfiguredType: 104?*InsertedType: 1?*State: 1*
  For insertions: *ConfiguredType: 104?*InsertedType: 104?*State: 5*


Issue alarm only when event is received: The required number of times an event must occur before an alarm is generated. You can specify both the number of times the event must occur, and the time frame within which these events must occur. This lets you filter out short-lived or non-repeatable events, and define an alarm that takes action only if the triggering event occurs repeatedly within a defined time frame.
Note: When you use this control for an SNMP unreachable alarm, note that Ridgeline generates SNMP unreachable alarms only when there are SNMP state changes (reachable to unreachable) occurring for that device according to the configured repetitive occurrence setting.
For example, if you configure the Repetitive occurrence specification parameter as 2 times within 15 minutes, Ridgeline does not generate SNMP unreachable alarms if it finds the device is unreachable twice within 15 minutes. Instead, those alarms are generated only when Ridgeline finds state changes (reachable to unreachable) for the device twice within 15 minutes.
For a description of SNMP unreachable and SNMP reachable alarms, see the table in Ridgeline Events on page 547.
If you want Ridgeline to generate SNMP unreachable alarms even without an SNMP state change, then edit the management.properties file and change EmitSnmpUnreachableEventAlways from FALSE to TRUE, and then restart the Ridgeline server and database. This change results in continuous SNMP unreachable alarm generation for all unreachable devices on every status poll, but when combined with Repetitive occurrence specification, the alarms will be generated according to the settings.

Clear alarm when this event is received

Add clearing event: Select this check box to enable a defined event that, when it occurs, clears the alarm. You can then make selections for Type and Name below.

Type: The type of event that should clear the alarm: NMS generated, SNMP Trap. The selection here controls what events are available in the Name list below.
Note: This control is unavailable if the Add clearing event check box is not selected.

Name: Name of the event to clear the alarm.
Note: This control is unavailable if the Add clearing event check box is not selected.

Scope of specific devices or ports: Select this check box to exclude the application of this alarm definition on selected devices and/or ports. Leaving this check box clear applies the alarm definition to all devices and ports in the Ridgeline inventory. Under Available Devices, select the check box(es) for the device(s) that you want to exclude, and then click Add. The selected devices appear under Excluded Devices.
Note: You can filter the list by typing keywords in the search box or selecting a group from the drop-down list.

6 Click OK.
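The repetitive-occurrence behaviour for SNMP unreachable alarms, described in the settings for both new and modified alarm definitions, modelled as an added Python example that is not Ridgeline code. The sliding-window count, the counter reset after an alarm, the five-minute poll interval and the poll data are assumptions made for illustration.

```python
from collections import deque

WINDOW_S = 15 * 60   # "within 15 minutes", from the guide's example
TIMES = 2            # "2 times", from the guide's example

# Constructed status-poll results: (timestamp in seconds, reachable?).
STAYS_DOWN = [(0, True), (300, False), (600, False), (900, False), (1200, False)]
FLAPPING = [(0, True), (300, False), (600, True), (900, False), (1200, True)]
SLOW_FLAP = [(0, True), (300, False), (600, True), (1500, False)]


def unreachable_events(polls, emit_always=False):
    """Return the timestamps at which an SNMP unreachable event is emitted.

    By default an event is emitted only on a reachable -> unreachable state
    change. emit_always=True models EmitSnmpUnreachableEventAlways=TRUE,
    where every poll that finds the device unreachable emits an event.
    """
    events = []
    was_reachable = True  # assumption: reachable before the first poll
    for ts, reachable in polls:
        if not reachable and (emit_always or was_reachable):
            events.append(ts)
        was_reachable = reachable
    return events


def raised_alarms(event_times, times=TIMES, window_s=WINDOW_S):
    """Apply the repetitive occurrence setting to a list of event times.

    An alarm is raised when `times` events fall within `window_s` seconds.
    The counter is cleared after each alarm (assumption).
    """
    recent = deque()
    raised = []
    for ts in event_times:
        recent.append(ts)
        # Drop events that are older than the configured time frame.
        while ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) >= times:
            raised.append(ts)
            recent.clear()
    return raised


def evaluate(polls, emit_always=False):
    """Timestamps at which the SNMP unreachable alarm would be raised."""
    return raised_alarms(unreachable_events(polls, emit_always))


if __name__ == "__main__":
    for name, polls in (("stays down", STAYS_DOWN),
                        ("flapping", FLAPPING),
                        ("slow flap", SLOW_FLAP)):
        print(name, "default:", evaluate(polls),
              "emit always:", evaluate(polls, emit_always=True))
```

With the default setting, a device that goes down once and stays down produces a single state change and therefore no alarm under a "2 times within 15 minutes" definition; only the flapping device does.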

Deleting Alarm Definitions


To delete an alarm definition, select the user-created alarm in the Alarm and Event Definitions tab, and then click Delete. After you verify that you want to delete the alarm, the definition disappears from the list.
Note: You can only delete user-created alarm definitions. Predefined alarm definitions cannot be deleted.


Enabling and Disabling Alarm Definitions


Enabling an alarm definition means that Ridgeline reports alarms when the conditions of that alarm definition are met. Disabling an alarm definition temporarily stops alarms from being reported.

To enable/disable an alarm definition:
1 In the navigation pane, click Alarm Manager.
2 Click the Alarm and Event Definitions tab.
3 Select an alarm definition by selecting its check box.
4 Click Enable/Disable to switch between the two states for the alarm definition. The current state of the alarm definition appears in the Enabled column (X = disabled, check mark = enabled).

Defining Alarm Profiles


An alarm profile is a defined set of actions (such as, sound alarm, send e-mail, run script, etc.) that you can associate with one or more alarm definitions. There is a default profile that is associated with all predefined alarm definitions. This default profile has no action assigned to it. You can create additional alarm profiles.

To create a new alarm profile:
1 In the navigation pane, click Alarm Manager.
2 Click the Profiles tab.
3 Click Add. The New Alarm Profile dialog box appears.

Figure 165: New Alarm Profile Dialog Box


4 Type a name for the alarm profile in the Name box.
5 (Optional) Type a description of the alarm profile in the Description box.
6 If you want the profile to include sending an e-mail or text message:
  a Click the Message tab.
  b Type the desired message in the lower box.
  c Add system variables to the message as needed by clicking the desired variable in the System variables list. For detailed information about these variables, see Ridgeline Alarm Variables Table. Add variables from the System variables list and add your own text. For Syslog messages, use the eventData variable to display the Syslog message.
  Note: The e-mail header displays the alarm number, alarm name, source IP address, the device name, ifIndex, and severity. The e-mail body displays the alarm time, alarm name, alarm category, severity, source IP address and ifIndex, alarm message, the event name that triggered the alarm, the result of the alarm action, and a URL link to the Ridgeline server.
7 Click the Actions tab.
8 Set the actions that should occur for the profile:
Sound alert: Select this check box to sound an audible alert on the client computer when the alarm occurs. The alarm will sound on all Ridgeline clients currently connected to the Ridgeline server. The sound that is played depends on the severity level of the alarm. The alert sound files are located on the Ridgeline server in the \extreme subdirectory of the Ridgeline installation directory, and are named according to the severity level they represent (normal.wav, warning.wav, etc.).

Send a long email to this address: Select this check box to indicate that e-mail should be sent, and then enter the e-mail address(es) of the recipients for the e-mail. Separate e-mail addresses in a list with either commas, semicolons, or spaces. If this check box is unavailable, you must first configure your e-mail settings (see E-mail Properties).

Send a short email to this address: Select this check box to indicate that a short e-mail (appropriate for text paging) should be sent, and then enter the e-mail address(es) of the recipients for the e-mail. Separate e-mail addresses in a list with either commas, semicolons, or spaces. Short e-mail provides the alarm number, name and the IP address of the source of the alarm in the subject header. The message body provides alarm name, source of alarm, ifAlias corresponding to the ifIndex in the trap, severity and the alarm message. If this check box is unavailable, you must first configure your e-mail settings (see E-mail Properties).

Use these email settings instead of global setting: Select this check box to specify e-mail settings different from the global e-mail settings:
  SMTP Host: The outgoing mail server name (or IP address).
  Username: The user name for mail server authentication.
  Sending Address: The e-mail address that should be used as the sender of the e-mail.
  Password: The password for mail server authentication.


Run program, using these system variables: Select this check box to specify a program to run when this alarm occurs. Enter the command string for the program in the box below the Add button. To include Alarm Manager variables as arguments in the command string, select a variable from the list, and then click Add. You can also include trap varbinds as arguments in the command string, if the SNMP event that triggers this alarm provides varbinds. For more information on how to include varbinds, see Using Trap Varbinds in a Command String.
Note: On a Windows system, if you want to run a program that outputs to the desktop, you must configure the Ridgeline server to allow this (see Configuring the Ridgeline Server to Allow Output to the Desktop on page 577).
Note: If you want to specify a batch file that outputs to the desktop, you must specify the .bat file within a DOS cmd command:

cmd /c start <file.bat>

where <file.bat> is the batch file you want to run.

Run a script: Select this check box to run a script when this alarm occurs. Click Select Script to select a script from a list of saved scripts. The Macro List dialog box appears. Select a macro in the list, and then click OK. The selected macro appears in the Run a script box. For a list of definitions of the Alarm Manager variables you can use, see Ridgeline Alarm Variables Table. When the script runs as an alarm action, the script results can be saved in the Ridgeline audit log. To save the script to the audit log, enable the Save results in audit Log option in the run-time settings for the script. For more information, see Specifying Run-Time Settings for a Script.

Forward trap to another management station: Select this check box to forward the trap event that caused this alarm. Ridgeline events such as Config Upload OK, Config Upload Failed, SNMP Unreachable, and SNMP Reachable can be forwarded as traps to an event management system or other system configured to receive traps that Ridgeline servers forward.
Note: To decipher these events the system that receives them must have the file EXTREMEEPICENTER-MIB.mib. This file is available on the Ridgeline server in Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\mibs.
  Use these forwarding settings instead of global settings: Select this check box to specify forwarding settings different from the global settings. For more information about configuring the global settings, see SNMP Properties on page 352.
  Host: The host name or host IP address of the system to which the trap is forwarded.
  Port: The port on which the specified host receives traps.
  Community: The community string for the specified host.
  Conversion: The version of SNMP to which traps are converted (No conversion, Convert trap to SNMPv1, or Convert trap to SNMPv2c).

9 Define which devices the alarm profile applies to:
  a Click the Scope tab.
  b To have the profile apply to all devices, clear the Scope on specific devices or ports check box.
  c To exclude the profile from applying to specific device(s), select the Scope on specific devices or ports check box, select the device(s) to exclude in the Available Devices table by selecting their associated check box(es), and then click Add.
10 Click OK. The new alarm profile appears in the profile list. You can now associate this profile with an alarm definition (see Creating New Alarm Definitions).

Event Types
Ridgeline alarms can be triggered by SNMP traps and Ridgeline events.


A Ridgeline event is generated based on the results of periodic polling. In some cases, a condition that causes a Ridgeline event may also generate an SNMP or other trap. Creating an alarm triggered by a Ridgeline event guarantees that the condition is eventually detected by polling even if the corresponding trap is missed. For a description of the Ridgeline and SNMP events supported by the Ridgeline Alarm Manager, see Event Types for Alarms.

SNMP traps are notifications from a device of events that occur on a device. Ridgeline must be configured as a trap receiver on the device in order to be notified of these events; this happens automatically on Extreme devices. Certain SNMP events may require additional configuration on the switch in order to enable specific trap conditions. For certain other events, you must do the configuration on the switch using an SNMP configuration tool such as SNMPc (see Configuring SNMP Trap Events).

Ridgeline Alarm Variables

Variable Name: Description
alarmActions: Actions taken when the alarm occurs
alarmCategory: The user-defined alarm category assigned to the alarm
alarmGMTTime: The time at which the alarm occurred, in Greenwich Mean Time
alarmID: An integer number assigned by the Ridgeline Alarm Manager based on the order in which the alarm occurred
alarmLocalTime: The time at which the alarm occurred, in local time
alarmName: The name of the alarm as defined in the Name field
alarmRepeatPeriod: The time frame within which the repeated events must occur for the alarm to be generated
alarmRepeatTimes: The number of times the event must occur before an alarm is generated
alarmSeverity: The severity level assigned to the alarm
alarmSource: ifIndex of the device port
alarmSourceDeviceName: The name of the device on which the event(s) occurred (taken from the Ridgeline database)
alarmSourceIP: The IP address of the device on which the event(s) occurred
eventData: The data associated with the trap, or the Syslog message content
eventEnterprise: The Enterprise portion of the Object ID (OID) of the event
eventGenericType: The SNMP Generic Type number of the trap
eventLogID: The ID of the event in Ridgeline's event log
eventSpecificType: The SNMP Specific Type number for an enterprise-specific trap
eventSpecificTypeStr: The event description
eventTypeName: The type of event (SNMP Trap, RMON Rising Trap, RMON Falling Trap, or Ridgeline event) concatenated with the Event Name (the SNMP trap name, RMON rule name, or Ridgeline event name)


Deleting Alarm Profiles


To delete an alarm profile:
1 In the navigation pane, click Alarm Manager.
2 Click the Profiles tab.
3 Select the profile to delete by selecting its check box.
4 Click Delete. You are prompted to confirm the deletion. The alarm profile disappears from the list.

Enabling and Disabling Alarm Profiles


Disabling an alarm profile causes its associated actions not to occur for alarms associated with the profile.

To enable/disable an alarm profile:
1 In the navigation pane, click Alarm Manager.
2 Click the Profiles tab.
3 Select an alarm profile by selecting its check box.
4 Click Enable/Disable to switch between the two states for the alarm profile. The current state of the alarm profile appears in the Enabled column (green check mark = enabled, red "X" = disabled).


16 Configuration Manager
Overview of the Configuration Manager
Configuration Summary View
Backing up Configurations from Devices
Restoring Configurations to Devices
Downloading an Incremental Configuration to Devices
Creating or Changing Baseline Configurations
Deleting Baselines
Configuring the TFTP Server

This section explains how to use the Ridgeline Configuration Manager feature for:
  Backing up configuration settings from one or more devices, on demand or at a scheduled time.
  Creating baseline configurations for one or more devices.
  Restoring configuration settings from Ridgeline to a device.
  Downloading an incremental configuration to one or more devices.
  Specifying and configuring the TFTP server for uploading and downloading configuration settings and software images.

Overview of the Configuration Manager


This chapter explains how to use the Ridgeline Configuration Manager feature. With the Ridgeline Configuration Manager you can upload and download files to and from managed devices, either immediately or at scheduled times. It allows you to store the configuration files for tracking of multiple versions, including baseline configuration files.

The Configuration Manager supports Extreme Networks devices only, and selected third-party devices. For devices running ExtremeXOS, the current configuration file, scripts, license files, and policy files saved on the switch are all uploaded and saved in .zip format. The individual elements of the zip file (configuration file and policy files) can be inspected individually. The Configuration Manager also supports ExtremeWare devices.

You can also view the differences between configuration files, or between policy files (for ExtremeXOS). If a baseline file exists, the Configuration Manager automatically checks for differences whenever a scheduled archive upload is performed.

To start the Configuration Manager, in the navigation pane, click Configuration Manager.

Configuration File Types and Locations


Table 7: Configuration File Types and Locations

File format type
  ExtremeXOS: Zip archive (.zip) that includes:
    Configuration: either ASCII (.xsf) or XML (.txt) [for ExtremeXOS versions earlier than 11.4, XML (.txt) only]
    Scripts: .xsf
    Policy: .pol
    License: .xlic
  ExtremeWare: text (.txt)

Baseline and configuration backup file locations
  <tftp_root>\ridgeline\configs\<device_address>\mm_dd_yyyy_hh_mm.zip
  Note: Baselining is only valid for devices running ExtremeWare or ExtremeXOS version 11.4 or later. There can only be one baseline file for each device IP address.

Incremental configuration download file
  <tftp_root>/ridgeline/incremental

<tftp_root> is the location of the TFTP server. By default, <tftp_root> is <Ridgeline_install_dir>\jboss\standalone\deployments\user.war\tftp.

Note: If you reconfigured your TFTP root directory (see Configuring the TFTP Server), the baselines subdirectory is located directly below your TFTP server root directory.

<Ridgeline_install_dir> is located at:
  For Windows: C:\Program Files\Extreme Networks\Ridgeline4.0
  For Linux: /opt/ExtremeNetworks/Ridgeline4.0
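The layout in Table 7 can be checked from outside Ridgeline. The following Python code is an added example, not Ridgeline code: it parses the documented backup path and file name, finds the newest backup per device, and groups the members of an ExtremeXOS archive by the file types the table lists. The sample paths, addresses and archive member names are constructed, and reading hh as a 24-hour value is an assumption.

```python
import io
import re
import zipfile
from datetime import datetime
from pathlib import PurePosixPath, PureWindowsPath

# File name pattern from Table 7: mm_dd_yyyy_hh_mm.zip
BACKUP_NAME = re.compile(r"^(\d{2})_(\d{2})_(\d{4})_(\d{2})_(\d{2})\.zip$")

# Member types Table 7 lists for an ExtremeXOS archive. ".xsf" covers both
# ASCII configurations and scripts, so the extension alone cannot separate them.
MEMBER_TYPES = {
    ".xsf": "configuration-or-script",
    ".txt": "configuration-xml",
    ".pol": "policy",
    ".xlic": "license",
}

# Constructed sample paths (not taken from a real server).
SAMPLE_PATHS = [
    r"C:\tftp\ridgeline\configs\192.0.2.5\12_31_2012_23_00.zip",
    r"C:\tftp\ridgeline\configs\192.0.2.5\01_02_2013_04_30.zip",
    "/srv/tftp/ridgeline/configs/192.0.2.7/03_15_2013_03_50.zip",
    "/srv/tftp/ridgeline/configs/192.0.2.7/13_40_2013_00_00.zip",  # bad date
    "/srv/tftp/ridgeline/incremental/common.txt",                  # not a backup
]


def parse_backup_path(path):
    """Return (device_address, datetime) for a path that follows
    <tftp_root>/ridgeline/configs/<device_address>/mm_dd_yyyy_hh_mm.zip,
    or None when the path or the timestamp does not fit that layout."""
    pure = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    parts = pure.parts
    if len(parts) < 4 or [p.lower() for p in parts[-4:-2]] != ["ridgeline", "configs"]:
        return None
    match = BACKUP_NAME.match(parts[-1])
    if not match:
        return None
    month, day, year, hour, minute = (int(g) for g in match.groups())
    try:
        stamp = datetime(year, month, day, hour, minute)  # assumes 24-hour hh
    except ValueError:
        return None
    return parts[-2], stamp


def latest_per_device(paths):
    """Map each device address to (datetime, path) of its newest backup.
    The names start with the month, so sorting them as strings is not
    chronological across years; the parsed timestamp is compared instead."""
    latest = {}
    for path in paths:
        parsed = parse_backup_path(path)
        if parsed is None:
            continue
        device, stamp = parsed
        if device not in latest or stamp > latest[device][0]:
            latest[device] = (stamp, path)
    return latest


def classify_members(zip_bytes):
    """Group archive member names by the Table 7 file types. Anything with
    another extension is reported under 'unexpected' for manual review."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            suffix = PurePosixPath(name).suffix.lower()
            found.setdefault(MEMBER_TYPES.get(suffix, "unexpected"), []).append(name)
    return {kind: sorted(names) for kind, names in found.items()}


def build_sample_archive():
    """Build a small constructed archive in memory (member names are made up)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in ("device.xsf", "edge.pol", "device.xlic", "readme.bin"):
            archive.writestr(name, "# constructed sample\n")
    return buffer.getvalue()


if __name__ == "__main__":
    for device, (stamp, path) in sorted(latest_per_device(SAMPLE_PATHS).items()):
        print(device, stamp.isoformat(), path)
    print(classify_members(build_sample_archive()))
```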

Configuration Summary View


To start the Configuration Manager, in the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see the figure below). To locate your desired devices, type keywords in the search box or make a selection from the Group Selector list.


Figure 166: Configuration Manager - Device Configuration Summary View (Tab)

The Configuration Summary view shows the configuration activity for each managed device:

Name: Device name.
IP Address: The device's IP address.
MAC Address: The device's MAC address.
Device Type: Type of Extreme Networks device.
Backup Status: The status of the last backup:
  In Progress: backup currently running
  Successful: last backup was successfully run
  Unsuccessful: last backup attempt failed
  None: no record exists of a backup occurring
Last Successful Backup Time: Most recent date that configuration files were backed up.
Next Backup Time: The next time that the configuration files are scheduled to be backed up.
Restoration Status: The status of the last configuration file restoration:
  In Progress: restoration currently running
  Successful: last restoration was successfully run
  Unsuccessful: last restoration attempt failed
  None: no record exists of a restoration occurring
Last Successful Restoration Time: Most recent date/time that configuration files on the device were restored from a backup.
Baseline Time: Most recent date/time that a baseline was set for the device.
Baseline Status: The status of the most recent attempt to set a baseline for the device:
  In Progress: baseline currently being set
  Successful: last baseline was successfully set
  Unsuccessful: last baseline attempt failed
  None: no record exists of a baseline being set

To display detailed configuration status and view configuration files and scripts for an individual device:

- Select the desired device. Detailed configuration information and files appear in the lower pane of the Device Configuration Summary.
- Double-click the desired device or click Open. The Configuration Information window appears (see Configuration Information window).


Viewing and Comparing Configuration Files for Devices


The Configuration Information window or pane shows all of the backed up files for a particular device and allows you to view the contents of these configuration files (see Viewing Configuration Files) and compare differences between them (see Comparing Two Configuration Files). Ridgeline has a built-in viewer (for viewing configuration files) and differences viewer (for comparing files). However, you can use a different viewer and/or differences viewer. For more information about installing viewers and differences viewers, see Installing a Viewer. You can also delete configuration files (see Backing up Configurations from Devices).

To view configuration files:
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears.
2 Double-click a desired device or click Open. The Configuration Information window appears (see the following figure).

Figure 167: Configuration Information Window

The left side of the Configuration Information window shows the following information:

Name: Name of the Extreme Networks device.
Device Type: Type of Extreme Networks device.
IP Address: The device's IP address.
MAC Address: The device's MAC address.
Software Version: The current ExtremeXOS software running on the device.
Backup File Name: The name of the configuration backup file.
Backup Time: Date and time that the backup file was backed up.
Backup Status: The status of the last backup:
  In Progress: Backup currently running
  Successful: Last backup was successfully run
  Unsuccessful: Last backup attempt failed
  None: No record exists of a backup occurring
Last Successful Backup Time: Most recent date that configuration files were backed up.
Next Backup Time: Next scheduled backup time.
Restoration File Name: The name and location of the file that was used to restore a configuration to the device.
Restoration Status: The status of the last configuration file restoration:
  In Progress: Restoration currently running
  Successful: Last restoration was successfully run
  Unsuccessful: Last restoration attempt failed
  None: No record exists of a restoration occurring
Last Successful Restoration Time: Most recent date/time that configuration files on the device were successfully restored from a backup.
Last Tried Restoration File Name: Name of the configuration file that was last used to restore a backup to a device.
Last Tried Restoration Time: Most recent date/time that an attempt was made to restore configuration files on a device from a backup.
Next Restoration Time: For scheduled restorations, the next time/date that configuration files on a device will be restored from a backup.
Baseline File Name: The name and location of the designated baseline file name.
Baseline Time: Most recent date/time that a baseline was set for the device.
Baseline Status: The status of the most recent attempt to set a baseline for the device:
  In Progress: baseline currently being set
  Successful: last baseline was successfully set
  Unsuccessful: last baseline attempt failed
  None: no record exists of a baseline being set
Next Baseline Time: For scheduled baselines, the next time/date that a baseline will be established for the device.
Last Tried Incremental Download File: Name of the incremental configuration file that was used to perform the last attempted incremental backup to a device.
Last Tried Incremental Download Status: The status of the last attempted incremental download (successful, unsuccessful, none).
Last Tried Incremental Download Time: Most recent date/time that an incremental download was attempted on the device.

On the right side of the window under Configuration Files are the configuration files. You can view and compare any of the configuration files.

Note: Click the plus (+) sign next to Backup Files to show all of the individual files. For more information about these files, see Table 7: Configuration File Types and Locations on page 268.


Viewing Configuration Files

You can view the contents of any configuration file with the Configuration Manager built-in viewer. You can also install your own viewer (see Installing a Viewer).

To view a configuration file:
1 In the navigation pane, click Configuration Manager.
2 On the Device Configuration Summary tab, double-click a device to display the Configuration Management Details Window.
3 Under the Configuration Files tab, click a file to select it.
  Note: Click the plus (+) sign next to Backup Files to show the files it contains (.txt, .pol, etc.).
4 Click View. The viewer appears displaying the selected file (see the following figure).

Figure 168: View Configuration Window (Ridgeline Default Viewer)

Comparing Two Configuration Files

You can compare the differences between two configuration files. You can only compare files on a single device. Ridgeline provides a built-in differences viewer, but you can install a different one if you want (see Installing a Viewer on page 273).

To view the differences between two configuration files:
1 In the navigation pane, click Configuration Manager.
2 On the Device Configuration Summary tab, double-click a device to display the Configuration Management Details Window.
3 Under the Configuration Files tab, click a file to select it.
  Note: Click the plus (+) sign next to Backup Files to show the files it contains (.txt, .pol, etc.).
4 Press CTRL + click to select the other desired file.
5 Click View Diff. Ridgeline opens the Difference viewer in a separate window, with the two files you selected shown (see the following figure).

Figure 169: Diff Results Window

Installing a Viewer

The Configuration Manager configuration file viewing and differences viewing functions each require a viewer application:

- Simple viewing uses a text editor to show the contents of a configuration file. Ridgeline contains a built-in text viewer. However, you can use another viewer such as Notepad or WordPad in Windows, or vi in Linux.
- The view differences function requires a differences viewer to compare and display the differences between two configuration files. Ridgeline contains a built-in differences viewer. However, you can use another differences viewer, such as:
  For Windows: WinMerge
  For Linux: sdiff (in /usr/bin/sdiff)

To install these viewers:
1 Install the desired viewer or differences viewer as per the program's instructions.
2 On the main Ridgeline toolbar, click Tools > Difference Viewer Settings. The Difference Viewer Settings dialog box appears (see the following figure).

Figure 170: Difference Viewer Settings Dialog Box

3 To change the default configuration file viewer:
  a Clear the Use Default Configuration Viewer check box.
  b In the Configuration Viewer box, type the path and filename of the viewer you want to use, or click Browse to select a viewer executable file.
4 To set up a difference viewer:
  a Clear the Use Default Difference Viewer check box.
  b In the Difference Viewer box, type the path and filename of the difference viewer, or click Browse to select a viewer executable file.
5 Click OK.

Backing up Configurations from Devices


For ExtremeXOS devices, the configuration information and any policy files on the device are saved into a zip file. You can back up the configuration information from one device, a group of devices, or all devices (globally). Configuration backups can be done manually, or you can schedule them daily, weekly, or monthly (see Backing up Configuration Files Manually or by Scheduling for a Device or Device Group).

All new devices added to the Ridgeline database use the global backup schedule, if one has been set up (see Setting Up, Changing, or Turning Off a Global Backup Schedule), until they are configured with an individual schedule. By default, no global backup is scheduled. Device-specific scheduling takes precedence over global scheduling.

When backing up a device with a designated baseline configuration, Ridgeline compares the new archive configuration with the baseline configuration, and sends an e-mail report if differences are found (see Backup Versus Baseline Differences Report). To receive these reports, you must configure the e-mail notification feature (see Setting Up E-mailed Reports of Backup/Baseline Differences). These reports are saved in the <tftp_root>\ridgeline\configs\reports directory.

Since backing up files frequently for many devices could eventually use too much disk space, you can set limits on the number of backup files that are kept (see Changing the Archive Limit). Ridgeline optimizes space by only backing up changed files.

Note: For more information about configuring the TFTP server, see Configuring the TFTP Server.

Setting Up E-mailed Reports of Backup/Baseline Differences


If differences are found between the newly backed up configuration and the baseline configuration, Ridgeline can e-mail you a report. You must configure the e-mail notification before you can receive reports.

To set up e-mailed reports:
1 Click Tools > E-mail settings. The E-mail settings dialog box appears (see the following figure).

Figure 171: E-mail Settings Dialog Box

2 Enter information in the following boxes:
  Email to: The e-mail address(es) of the recipient(s) of the report. Separate addresses by commas, semicolons, or spaces.
  SMTP Host: The outgoing mail server name (or IP address).
  Sent By: The e-mail address that should be used as the sender of the e-mail.
3 If your mail server authenticates users before sending out e-mail, select the My server requires authentication check box. If you do not know if your server requires authentication, select this check box; it is ignored if it is not needed. Type your logon information in the User Name and Password boxes. Usually, the logon information is the same as what you use to log on to your network.
4 Click OK.


Backing up Configuration Files Manually or by Scheduling for a Device or Device Group


To back up configuration files manually or set a schedule for a device or device group:
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).
2 Click Backup. The Backup Operation dialog box appears (see the following figure).

Figure 172: Backup Operation Dialog Box

3 Select the device(s) that you want to back up:
  a Under Available Devices, click the check box next to the desired device(s).
  b Click Add. The device(s) are added to the Selected Devices table.
4 To back up to the standard location, under Backup File Options, select Default Location. To back up to a different location, select Customized Location, and then type a location in the Configuration Saved At box.
  Note: If you have reconfigured your TFTP root directory (see Configuring the TFTP Server), the configs subdirectory is located directly below your TFTP root directory.
5 To set this backup as the baseline for the selected device(s), select Baseline for this configuration.
6 Under Schedule Options, choose when the backup should occur:

Table 8: Backup Scheduling Options

Backup When? / Procedure

Once, immediately:
  Under Schedule Options, select Backup Now.

Once, at later date/time:
  1. Under Schedule Options, select Backup Later.
  2. In the Frequency list, select Once.
  3. If desired, type an alternative name for the backup in the Task Name box.
  4. Select a backup start date in the Start On drop-down list.
  5. Select a backup start time in the Time box.

Schedule repeating backups:
  1. Under Schedule Options, select Backup Later.
  2. If desired, type a different name for the backup in the Task Name box.
  3. In the Frequency list, select Daily, Weekly or Monthly.
  4. Select a repeating backup start date in the Start On box.
  5. Select a repeating backup start time in the Time box.

7 Click OK.

Setting Up, Changing, or Turning Off a Global Backup Schedule


You can schedule backups of the configuration information for all devices. All new devices added to the Ridgeline database use the global backup schedule, until they are configured with an individual schedule. By default, no global backup is scheduled.

To set up a global backup schedule:
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).


2 Click the Global Settings tab. The Global Settings view appears (see the following figure). If a global backup schedule has already been set up, its start date, time, and frequency appear.

Figure 173: Global Settings View (Tab)

3 Click Change Current Global Schedule. The Change Settings dialog box appears (see the following figure).

Figure 174: Change Settings Dialog Box

4 To disable global backups, select No Schedule. Go to Step 6 on page 279.
5 To enable global backups, select Schedule:
  a Set the frequency by selecting Once, Daily, Weekly, or Monthly in the Frequency list.
  b Set the start date and time for the global backup to begin in the Start On and Time boxes.
6 Click OK. The Global Settings view (tab) appears showing the scheduled backup next to Current Global Backup Schedule.

Viewing or Canceling Scheduled Tasks (Backups)


You can view all of your scheduled tasks on the Configuration Manager Scheduled Tasks view (tab).

To view or cancel a scheduled task:
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).
2 Click the Scheduled Tasks tab. The Scheduled Tasks view (tab) appears (see the following figure). All scheduled tasks for managed devices appear in the table. If needed, type keywords in the search box to help you find a particular scheduled task.

Figure 175: Configuration Manager Scheduled Tasks View

3 To delete a scheduled task:
  a Next to the task(s) you wish to delete, select the check box.
  b Click Delete.


Changing the Archive Limit


Since backing up files frequently for many devices could eventually use too much disk space, you can set limits on the number of backup files that are kept.

To change the number of backup files that are kept:
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).
2 Click the Global Settings tab.
3 Click Change Current Archive Limit. The Change Archive Limit dialog box appears:

Figure 176: Change Archive Limit Dialog Box

4 To keep all backups, select No Limit. To limit the number of backup copies, select Number of Copies Per Device To Keep, and then type a number in the box.
5 Click OK.

Backup Versus Baseline Differences Report


When Ridgeline performs a scheduled backup of configuration files, it automatically compares the newly backed up configuration with the baseline configuration for the device, if a baseline configuration exists. If differences are found, you can receive an e-mailed report on the differences (see Setting Up E-mailed Reports of Backup/Baseline Differences).

The report is an Adobe Acrobat PDF file, and is saved in the <tftp_root>\ridgeline\configs directory, using the format MM_DD_YYYY_HH_MM.pdf (for example, 03_15_2013_03_50.pdf). The following figure shows an example of this report. The report shows all configuration discrepancies detected for all devices included in the scheduled backup.

Note: If either the baseline configuration or the backup configuration file for a device is too large, Ridgeline does note the differences.


Figure 177: Configuration Change Report

For each device, the report shows the information about each configuration change it has detected:

Type: Type of change that occurred (add, modify, or delete).
Configuration Change: Changed lines in the configuration file.
Switch Log Event: Which log event entries (if any) that are related to the configuration change.
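The same add/modify/delete view can be produced outside Ridgeline when reviewing a backup against its baseline. The following Python code is an added example, not Ridgeline's comparison logic: it diffs two configuration texts with the standard difflib module and labels each changed block with the report's three change types. The function names and the sample configuration lines are constructed for illustration.

```python
import difflib

# Constructed sample configurations (ExtremeXOS-style lines, not from a device).
BASELINE = """\
configure snmp sysName "edge-1"
create vlan "users"
configure vlan users tag 10
enable ssh2
disable telnet
enable sntp-client
"""

BACKUP = """\
configure snmp sysName "edge-1"
create vlan "users"
configure vlan users tag 20
enable ssh2
enable sntp-client
create vlan "guest"
"""

# difflib opcode -> change type used in the report description above
CHANGE_TYPES = {"insert": "add", "delete": "delete", "replace": "modify"}


def significant_lines(text):
    """Strip trailing whitespace and drop blank lines so that formatting
    noise does not show up as a configuration change."""
    return [line.rstrip() for line in text.splitlines() if line.strip()]


def classify_changes(baseline_text, backup_text):
    """Return a list of changes between baseline and backup. Each change is a
    dict with 'type' (add, modify or delete), the affected baseline lines and
    the affected backup lines. Unchanged blocks are skipped."""
    base = significant_lines(baseline_text)
    new = significant_lines(backup_text)
    matcher = difflib.SequenceMatcher(a=base, b=new, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        changes.append({
            "type": CHANGE_TYPES[tag],
            "baseline": base[i1:i2],
            "backup": new[j1:j2],
        })
    return changes


def format_report(device, changes):
    """Render the changes as plain text lines, one block per change."""
    lines = [f"Device {device}: {len(changes)} change(s) against baseline"]
    for change in changes:
        lines.append(f"  [{change['type']}]")
        lines.extend(f"    - {old}" for old in change["baseline"])
        lines.extend(f"    + {new}" for new in change["backup"])
    return lines


if __name__ == "__main__":
    # 192.0.2.5 is a documentation address used as a placeholder device.
    for line in format_report("192.0.2.5", classify_changes(BASELINE, BACKUP)):
        print(line)
```

A removed hardening line such as the constructed "disable telnet" entry appears as its own delete block only when unchanged lines separate it from other edits; adjacent edits are merged into one modify block, so read both sides of every modify.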

Restoring Configurations to Devices


Restoring configuration information on a device completely removes and replaces the existing configuration information on the device. The device reboots automatically after the restoration finishes. On Extreme Networks devices, you can choose to have the switch save the current configuration after reboot to the primary, secondary, or current configuration.

To restore backed up configuration information to a device:
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).
2 To select which devices to restore configuration files to, click the check box next to the desired device.


3 Click Restore. The Restore Operation dialog box appears (see the following figure).

Figure 178: Restore Device Configuration Dialog Box

4 Under Select, select a configuration file to restore to the device(s) by clicking the option button next to it.
5 In the Download Configuration To list, choose which area of the device hard disk to download to:
  Primary: primary partition.
  Secondary: secondary partition.
  Other: (ExtremeXOS devices only) allows you to save the configuration under a file name other than the standard configuration file name, primary.cfg. Type a name for the restored configuration file in the Enter Configuration File Name box.
  Current: (ExtremeWare devices only) current partition.
  Non Current: (ExtremeWare devices only) use this option if you are unsure of the current partition (primary or secondary) and want to ensure that you download to the non-current partition.


6 For ExtremeWare devices, to automatically save the current configuration file on the device after the device reboots, select the Save Configuration To check box, and select where to save the current configuration:
  Current: currently active partition
  Non Current: currently inactive partition
  Primary: primary partition
  Secondary: secondary partition
7 Under Schedule Options, choose when to activate the new configuration:
  Restore Now: Device reboots and starts immediately using the new configuration.
  Restore Later: Schedules configuration restoration (and device reboot) for a later time. This scheduled restoration task appears in the Configuration Manager Scheduled Tasks view (tab) (see Figure 175: Configuration Manager Scheduled Tasks View on page 279):
    Task Name: Type a name for the configuration restoration task. This scheduled task name appears in the Configuration Manager Scheduled Tasks view (tab).
    Frequency: Select Once.
    Start On: Choose a date for the configuration restoration to occur.
    Time: Choose a time for the configuration restoration to occur.
8 Click OK.

Downloading an Incremental Configuration to Devices


The Incremental download feature lets you download only selected configuration settings to a device, instead of replacing the entire device configuration file. An incremental configuration download executes only the commands specified in the incremental download file. It does not reset the switch configuration or replace any other configuration settings that may exist in the device. No reboot is necessary. The Ridgeline incremental download does not save the configuration; you must do that manually. Incremental downloads are supported on Extreme Networks devices running ExtremeWare 6.0 or later.

You can create or designate a set of configuration information as a baseline configuration for devices running ExtremeWare 6.0 or later or ExtremeXOS 11.4 or later (see Creating or Changing Baseline Configurations). Using an incremental download to execute a baseline configuration provides a known, standard configuration that you can use to ensure that devices are configured into a known state. For example, if you want to set a group of devices to the same basic configuration, you can first set individual IP addresses on each device, and then use the incremental configuration download feature to set all other configuration settings on all devices to a common state.

Incremental configuration download files are located in the <tftp_root>/ridgeline/incremental directory.

To download an incremental configuration to a device:
1 In the navigation pane, click Configuration Manager.
2 Click the Device Configuration Summary tab.


3 With an ExtremeWare device selected in the list, click Download Incremental To Device. The Download Incremental Configuration dialog box appears:

Figure 179: Download Incremental Configuration Dialog Box

The device you selected previously appears under Selected Devices.
4 To select additional devices:
  a Under Available Devices, select the check box of the additional device(s) that you want to download an incremental configuration to.
  b Click Add. The device appears under Selected Devices.
  c Repeat until you have added all of the desired devices.
5 Under Selected Devices, select the device by clicking its check box. Available configuration files for the device appear in the bottom table. You can filter this list if needed by typing keywords in the search box above the table.
6 In the bottom table, select a configuration file to download by selecting its check box.
7 Click Save.


8 Click OK.

Note: The device is not rebooted, nor is the configuration saved on the device after the download. You can open a Telnet session on the affected devices and execute a save configuration command.

Note: An error occurs if you attempt an incremental download on a switch running ExtremeWare earlier than version 6.0.

Creating or Changing Baseline Configurations


Note: Baseline configuration files are not supported for devices running ExtremeXOS versions earlier than 11.4.

The purpose of a baseline configuration is to provide a set of known, standard configuration settings you can download to a device to restore it or initialize it to a known state. There are two ways to create a baseline configuration:

- While backing up configuration files, you can set one as the baseline (see Backing up Configuration Files Manually or by Scheduling for a Device or Device Group).
- Designate an existing configuration file backup as a baseline (see below).

For information about the location and file naming of baseline files, see Configuration File Types and Locations. After creating a baseline for a device, you can restore this baseline configuration to the device at any time. To do so, follow the procedure in Restoring Configurations to Devices.

To create a baseline for device(s):
1 In the navigation pane, click Configuration Manager. The Device Configuration Summary view (tab) appears (see Figure 166: Configuration Manager - Device Configuration Summary View (Tab) on page 269).
2 To select which devices to set a baseline for, click the check box next to the desired device(s). If needed, type keywords in the search box.


3 Click Baseline > Create. The Create Baseline Configuration dialog box appears (see the following figure).

Figure 180: Create Baseline Configuration Dialog Box

4 Under Available Devices, select the device(s) by selecting their associated check box(es). If needed, filter the list of available devices by typing search terms in the search box or selecting a group from the drop-down list.


5 Click Add. The device(s) are added to the Selected Devices table.
6 For each selected device, choose a backup configuration file for the baseline:
  a Under Selected Devices, select a device by clicking its row.
  b In the Baseline options list, select:
    Apply latest uploaded configuration: The latest configuration file is used as the baseline, rather than allowing you to choose.
    Choose any specific configuration: You choose the configuration file for the baseline from the list in the bottom table. Click a row to select a particular configuration file.
  c Click Apply. Your configuration file choice for the baseline appears in the Selected Devices table in the Selected configuration column.
7 Under Schedule Options, select when to establish the baseline:
  MarkAsBaseline Now: Establishes the baseline immediately.
  MarkAsBaseline Later: Schedules a later time to set the baseline:
    a Type a name for this task in Task Name. This task appears in the Scheduled Task view (tab).
    b Select Once from the Frequency list.
    c Select the baseline date in Start On and time in Time.
8 Click OK.

Deleting Baselines
If there is a baseline configuration established for a device, you can remove it.

To delete a baseline configuration:
1 In the navigation pane, click Configuration Manager.
2 Click the Device Configuration Summary tab.
3 Select the check box for the device that you want to remove the baseline configuration from.
4 Click Baseline > Delete. The Baseline Status, Baseline Time, and Baseline File Name change to None.

Configuring the TFTP Server


If you already have a TFTP server installed on the system where the Ridgeline server is running, you may choose to use that TFTP server instead of the one provided with Ridgeline. The TFTP server configured through Ridgeline is the one that is used for downloading and uploading from the devices.

Note: The Configuration Manager may cause multiple devices to contact the TFTP server at once to perform upload or download operations. Some third-party TFTP servers have problems accepting multiple TFTP requests. If you are running a third-party TFTP server and this happens, disable the TFTP server and use the Ridgeline TFTP server.

To enable/disable and configure the TFTP server:


1 Click Tools > TFTP server configuration. The Configure TFTP Server dialog box appears (see the following figure).

Figure 181: Configure TFTP Server Dialog Box

2 To enable/disable the TFTP server (by default, the embedded TFTP server is enabled):
  Click the Enable System TFTP Server button to enable the server.
  Click Disable System TFTP Server to disable the server.
3 If you are going to use a TFTP server other than the Ridgeline TFTP server, enter the root directory of your TFTP server in TFTP Root. The Ridgeline TFTP server root is <Ridgeline_install_dir>deploy\user.war\tftp, where <Ridgeline_install_dir> is the directory where the Ridgeline server is installed. If you are using the Ridgeline TFTP server, the TFTP root directory cannot be changed.
4 Click OK. Ridgeline creates six subdirectories (baselines, bootrom, configs, images, slotImages, and slotBootRom) as children of the directory you specify as the TFTP server root.

Note: If you change the location of the TFTP root directory after you have saved any configuration image files in any of these directories, Ridgeline will no longer be able to find those files. You must copy the files from the old TFTP root location into the new directories at the new location.

Note: If you plan to use this TFTP server with other software, such as the ExtremeWare CLI or for any other purpose, be aware of possible differences in the expected locations of the TFTP server and other components such as ExtremeWare software images or configuration files. See the Ridgeline Release Notes for information on any known issues.


17 Firmware Manager
Overview of the Firmware Manager
The Firmware Manager Main Window
Checking for New Software Image Versions
Acknowledging Changes to the Software Images List
Downloading Software Images to the Ridgeline Server
Upgrading the Software or BootROM on Your Devices
Specifying Standard Software Versions
Updating Software Properties

This topic describes how to use the Ridgeline Firmware Manager:

- Obtain the latest software images from the Extreme Networks website.
- Download and activate on devices and modules new:
  (To devices) software images and patches/service packs
  (To devices and modules) BootROM images and modular software packages
  (To modules) slot software images
- Specify a standard, recommended software image. Ridgeline compares the image currently running on a device to determine if it is running the recommended or most current image.

Overview of the Firmware Manager


The Ridgeline Firmware Manager manages versions of ExtremeWare and ExtremeXOS software images, modular software packages, patches/service packs, and BootROM images for upgrading Extreme Network devices as appropriate. Ridgeline stores images and BootROM files, and allows tracking of multiple versions. It can also automatically check the Extreme Networks website and indicate when newer versions of these files are available. The process for viewing available images and upgrading your devices is:
1. View available images
   View current list of available software images from Extreme Networks:
   - (For devices) software images, modular software packages, and patches/service packs
   - (For devices and modules) BootROM images
   - (For modules) slot software images
   See Firmware Manager Software Images View.
2. Check for new image versions
   Update the software image list by checking for new versions.
   See Checking for New Software Image Versions.
3. Acknowledge new image versions
   Acknowledge new software images to highlight changes in the software images list.
   See Acknowledging Changes to the Software Images List.
4. Download images to Ridgeline server
   See Downloading Software Images to the Ridgeline Server.
5. Distribute and activate images to devices/modules
   Download selected software images to devices and modules, and choose, if desired, to reboot devices to activate the new image.
   See Upgrading the Software or BootROM on Your Devices.

The Firmware Manager Main Window


To start the Firmware Manager feature, in the navigation pane, click Firmware Manager. The Firmware Manager window has two views (tabs):

- Devices
- Software Images

Firmware Manager Devices View

Figure 182: Firmware Manager Window - Devices Tab

The Devices tab shows the following information:

Name: Name of the device
IP Address: IP address of the device
Upgrade Type:
- Software Distribution and Activation
- Distribution
Upgrade Status: Shows the status of any software upgrade activity:
- Successful: Last software image upgrade was successful
- Unsuccessful: Last software image upgrade failed
- In progress: Software image upgrade is currently happening
- Not Started: No image upgrade has been initiated for the device
Upgraded Version: The software image version that the device was last upgraded to
Available Upgrade Version: The most up-to-date software that can be installed on this device.
Device Type: Type of Extreme Networks device

At the bottom of the window is the Software Status pane, which shows the following information:
Upgrade Status: Shows the status of any software upgrade activity:
- Successful: Last software image upgrade was successful
- Unsuccessful: Last software image upgrade failed
- In progress: Software image upgrade is currently happening
- Not Started: No image upgrade has been initiated for the device
Obsolete Device Image?: Indicates whether or not the device has the most up-to-date, device-compatible GA software image installed.
Obsolete Boot ROM?: Indicates whether or not the device has the most up-to-date, device-compatible GA bootROM image installed.
Deviating with standard version: Indicates whether or not the current software version on the device is the version set as the standard version for this device. For more information about setting the standard version, see Specifying Standard Software Versions.

Firmware Manager Software Images View


The Firmware Manager Software Images tab shows a list of available software images from Extreme Networks. You can choose to have this list updated automatically (see Automatically Checking for New Software Image Versions on page 294) or you can check for updates manually (see Manually Checking for New Software Image Versions on page 293). To search for images in this list, type keywords in the search box.


Figure 183: Software Image Management Window - Software Images Tab

The Software Images tab shows the following information:

New Update: Indicates if this image has changed since the last time the software information was updated (see Acknowledging Changes to the Software Images List):
- newer version is available
- software version has not changed since the last time you acknowledged changes to the list
When you display the software image list for the first time, all images are marked as .
Version: Version number of the software
Type: The software image type:
- Device Image
- Device BootROM Image
- Device Module Image
- Slot Image (module)
- Slot BootROM Image
Name: The name of the software image.
Downloaded: Whether this version of software is on your local Ridgeline server:
- Not downloaded on the Ridgeline server.
- Available on the Ridgeline server in one of the directories:
  <tftp_root>\images
  <tftp_root>\bootrom
  <tftp_root>\slotImages
  <tftp_root>\slotBootRom
  <tftp_root>\XMOD
  Where <tftp_root> is the location of the TFTP server. By default, <tftp_root> is Ridgeline 4.0\jboss\standalone\deployments\user.war\tftp\ridgeline.
Status: The release status of the software: whether the software is a general availability (GA) software release or obsolete (meaning it has been superseded by a newer general availability release).
Description: Description of the software.
Indicates the type of device or module the software is intended for.

At the bottom of the window are two more panes:

- Supported Hardware Platforms: Lists all platforms compatible with the selected software image
- Detailed Download Status: Shows the status (Download Successful, Download in Progress, Download Unsuccessful, etc.) of any software images that you are downloading (see Downloading Software Images to the Ridgeline Server).

Note: Use the scroll arrow at the bottom of the Supported Hardware Platforms pane to view the Detailed Download Status pane, if it is not visible.

Checking for New Software Image Versions


You can manually search for new software image versions and update the software images list, or set Ridgeline to do this automatically. After checking for new software image versions, any versions that have changed since you last updated the software images list now have a in the New Update column of the Software Image view (tab) of the Firmware Manager. After updating the software images list, you should acknowledge the changes (see Acknowledging Changes to the Software Images List).

Manually Checking for New Software Image Versions


To manually search for new software images:
1 In the navigation pane, click Firmware Manager.
2 Click the Software Images tab.
3 Click Update Software information. The Update Software Information dialog box appears.

Figure 184: Update Software Information Dialog Box

4 There are two ways to retrieve updated software images information:
- From File in Ridgeline Server: If you do not have access to the Extreme Networks eSupport website, you can copy the following two files:
  http://www.extremenetworks.com/products/downloads/ExtremeXosImageList.xml
  http://www.extremenetworks.com/products/downloads/ExtremeWareImageList.xml
  to the folder where you installed Ridgeline under Ridgeline 4.0\jboss\standalone\deployments\extreme.war.
- From Vendor Server: If you have access to the Extreme Networks eSupport website, use this option.
5 Click OK. The update to the software images lists continues in the background. A message appears indicating the update is in progress, and then that it has completed successfully.
6 Click Close to close the message.

Automatically Checking for New Software Image Versions


To enable Ridgeline to automatically search for updated software images:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Server Properties, click Open Server Properties tab. The server properties window appears.

Figure 185: Server Properties Window

3 In the drop-down list, select External Connections.
4 On the Load Information from http://www.extremenetworks.com row (Property Name), under the Property Value column, select the check box.

Acknowledging Changes to the Software Images List


After updating the software images list (see Checking for New Software Image Versions on page 293), you can update the software images list to reflect these changes. When a software image has been updated, the New Update column on the Software Images view (tab) changes from a to a .

= software version has not changed since the last time you acknowledged changes to the list
= newer version is available

To acknowledge changes to the software images list:
1 In the navigation pane, click Firmware Manager.
2 Click the Software Images tab.
3 Click Acknowledge Software Image Updates.

Downloading Software Images to the Ridgeline Server


To upgrade your devices, you must have the new software or BootROM image stored locally on the Ridgeline server. The Firmware Manager Software Images view (tab) displays a list of the most currently available software and BootROM images, and allows you to download them to your local Ridgeline server. After you download the new images, you can then use the images to upgrade your managed devices and modules.

Note: To download new software images, you must have a current support contract, user name, and password to access the Extreme Networks server. For more information about downloading software images from Extreme Networks, see the Ridgeline Release Notes.

The following table shows the Ridgeline server locations for the downloaded software image types.

Table 9: Downloaded Software Image Locations

Applies To | Software Image Type | Ridgeline Server Location
Devices | Software image | <tftp_root>\images
Devices | BootROM | <tftp_root>\bootrom
Slots | Software image | <tftp_root>\slotImages
Slots | BootROM | <tftp_root>\slotBootRom
Devices and slots | Modular software packages (xmod) | <tftp_root>\xmod

Where <tftp_root> is the location of the TFTP server. By default, <tftp_root> is Ridgeline 4.0\jboss\standalone\deployments\user.war\tftp\ridgeline

Note: You cannot download SSH-capable versions of the software images using the Firmware Manager. To use SSH-capable images, obtain them outside of Ridgeline, and then place them in the images or xmod subdirectory (see Table 9: Downloaded Software Image Locations on page 295). SSH-capable images are subject to export restrictions, and require a special license. To request SSH code, go to eSupport (https://esupport.extremenetworks.com/). For ExtremeXOS, modular software packages (.xmod) also cannot be downloaded using the Firmware Manager's image update feature. You must also obtain those images outside of Ridgeline, and then place them in the <tftp_root>/xmod folder for deployment.

Note: Ridgeline does not have restrictions on the number of user accounts, which includes administrators, but the number of concurrent sessions is limited to 25 users. This can be the same user or different users.

To download new software images to the Ridgeline server:
1 In the navigation pane, click Firmware Manager. The Firmware Manager window appears.
2 Click the Software Images tab.
3 Select the check box on the row of the desired software image that you want to download. You can select multiple images.
  Note: You can select multiple consecutive rows of images by clicking the first row's check box to select it, and then pressing Shift + click on the last row's check box.
4 Click Download. You are prompted to enter your logon information for the Extreme Networks eSupport website.
5 Click OK. A message appears indicating that the selected image(s) are downloading.
6 Click Close. The status of the download appears in the Detailed Download Status pane at the bottom of the screen.
  Note: Use the scroll arrow at the bottom of the Supported Hardware Platforms pane to view the Detailed Download Status pane, if it is not visible.

The downloaded software image is now available to install on devices (see Upgrading the Software or BootROM on Your Devices).
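An added example (not part of the Ridgeline guide and not Extreme Networks code): because SSH-capable images and xmod packages are copied by hand into the TFTP root and are later pushed to devices from there, one check is to compare every staged file against a reviewed manifest of SHA-256 values. The manifest format, the function names and the sample file names are assumptions; only the subdirectory names come from this guide.

```python
import hashlib
import os
import tempfile

# Image subdirectories named in this guide, relative to <tftp_root>.
IMAGE_DIRS = ("images", "bootrom", "slotImages", "slotBootRom", "xmod")
# The guide spells the xmod directory both as xmod and XMOD, so match by lower case.
_CANONICAL = {d.lower(): d for d in IMAGE_DIRS}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tftp_root(tftp_root):
    """Return {"<subdir>/<relative file>": sha256} for every staged image file."""
    found = {}
    for entry in sorted(os.listdir(tftp_root)):
        canonical = _CANONICAL.get(entry.lower())
        base = os.path.join(tftp_root, entry)
        if canonical is None or not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, base).replace(os.sep, "/")
                # A link could point outside the TFTP root: record it, do not follow it.
                found[canonical + "/" + rel] = (
                    "SYMLINK" if os.path.islink(full) else sha256_file(full)
                )
    return found


def audit_tftp_root(tftp_root, manifest):
    """Compare staged files with a manifest of expected SHA-256 values."""
    staged = scan_tftp_root(tftp_root)
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for key, digest in staged.items():
        if key not in manifest:
            report["unexpected"].append(key)      # file nobody approved
        elif digest == manifest[key].lower():
            report["ok"].append(key)
        else:
            report["modified"].append(key)        # content changed since approval
    report["missing"] = list(set(manifest) - set(staged))
    for names in report.values():
        names.sort()
    return report


def demo():
    """Constructed sample: stage three files, record them, then alter the tree."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "images/sample-os-1.0.img": b"constructed image",
            "bootrom/sample-boot-1.0.img": b"constructed bootrom",
            "XMOD/sample-ssh.xmod": b"constructed ssh module",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = scan_tftp_root(root)  # baseline taken after review
        # Changes after the baseline: one file altered, one added, one removed.
        with open(os.path.join(root, "images", "sample-os-1.0.img"), "ab") as fh:
            fh.write(b"!")
        with open(os.path.join(root, "images", "dropped.img"), "wb") as fh:
            fh.write(b"not in manifest")
        os.remove(os.path.join(root, "bootrom", "sample-boot-1.0.img"))
        return audit_tftp_root(root, manifest)


if __name__ == "__main__":
    for status, names in demo().items():
        print(status, names)
```

Run the audit before each Distribution And Activation job; anything reported as modified or unexpected should be resolved before the image is sent to a device.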


Upgrading the Software or BootROM on Your Devices


Extreme Networks software images contain the executable code that runs on the device and on certain modules. Devices and certain modules are shipped with a software image pre-installed. You can upgrade this image by downloading a new version to the device using the Firmware Manager. You can download an image into either the primary or secondary partition, and specify whether or not the device should be rebooted immediately, or after a specified delay, to use the new image. You can also choose to back up your current device configuration during the upgrade.

Note: Only the ssh.xmod upgrades are supported. All other xmods, such as ntp.xmod, cna.xmod, etc., are not supported. To install non-SSH xmods, manually transfer the xmod file to the device, and then use the ExtremeXOS install image command to deploy the xmod. Also, ssh.xmods cannot be downloaded using the Firmware Manager's image update feature. You must obtain those images outside of Ridgeline, and then place them in the <tftp_root>/xmod folder for deployment.

If a BootROM upgrade does not complete successfully, you may not be able to boot the switch.

Ridgeline checks that the requested software images or BootROM images:
- Are appropriate and compatible with target devices and modules
- That the target devices and modules have sufficient disk space available
- (For software images) are compatible with BootROM version

Hitless Upgrading
Ridgeline supports the hitless upgrade feature for device and modular software package images on a BlackDiamond chassis under certain conditions. Hitless upgrade allows a software upgrade without taking a device out of service or losing traffic. A hitless upgrade is an option for:
- BlackDiamond 6800 series switches with two MSMs installed, running ExtremeWare 7.1.1 or later.
- BlackDiamond 8800 series switches with two MSMs installed, with BootROM 8.1 or later; or running ExtremeXOS 11.4 or later.
- BlackDiamond 10808 switches with two MSMs installed, running ExtremeXOS 11.1 or later.
- BlackDiamond 12804 series switches with two MSMs installed, running ExtremeXOS 11.4 or later.

Hitless upgrade is also supported for BootROM images. You can perform a hitless BootROM upgrade for BlackDiamond 10808 switches with two MSMs installed, running ExtremeXOS 11.1 or later.

Upgrading a Stacking Device


For Extreme Networks devices that support stacking, you can upgrade the images for the stack master and for individual stack members, as needed. The stack master must be upgraded in a separate operation, using the appropriate device image for the stack master device type. Stack members can be upgraded individually or in groups, using the slot image version of the current device image.


Upgrading the Software or BootROM Procedure


Note: Some upgrades, such as the upgrade from ExtremeWare 6.1e or 7.1e to 7.3e for the Summit 200 24/48, require a special image and steps. If the upgrade is one that requires special operations, an error message appears stating that the upgrade will not be performed. For information about how to perform these upgrades, see the particular version's release notes.

Note: If you specify an upgrade to an image that is several revisions newer than the image running on the switch, you may need to first upgrade to an intermediate version before you can go to the more recent version.

To download new software or BootROM images to devices or modules:
1 In the navigation pane, click Firmware Manager.
2 On either the Software Images or Devices view (tab), click Distribution And Activation.
  Note: If you start from the Devices view (tab), select the check box(es) next to the device(s) that you want to upgrade.
  The Distribution And Activation Wizard dialog box appears.

Figure 186: Upgrade Software Dialog Box - Image Selection Tab

3 Click a device to select it in the left pane.
4 If the selected device has modules or is stack master (stacked devices are treated like modules), select a module/stacked device from the Slots drop-down list.
  Note: For stacking devices running ExtremeWare 7.4, 7.5, or 7.6, stack members are treated like modules, and therefore are updated using the appropriate slot image. To upgrade the stack master, select the device image for that switch type; to upgrade a stack member, select the slot image for that switch type. For ExtremeWare 7.7, to upgrade the images of all devices in the stack, select the device image for the stack master. The stack members are upgraded.
5 Under Available Images, select the desired image to use for upgrading the selected device. If needed, filter the list of available software images by typing a search term in the search box.
6 Click Add to move the selected software image to the Selected Image pane.
7 Repeat steps 3-6 for each device and its slots as needed.
8 Click Next.
9 In the Protocol download list, select the download method to the device(s):
  - TFTP
  - SFTP
10 In the Download to partition list, select which partition to download the image to (only applies to XMOD and ExtremeWare images):
  - Primary
  - Secondary
11 Under Activation, select when the upgraded image becomes the active image on the device(s):
  - Do not activate the software after distribution = download the image, but do not make it the active image
  - Activate the software immediately after distribution = immediately start using the image after downloading
  - Delay the activation for = activate the new image after the designated amount of time in the Mins (minutes) list.
12 To back up the current device configuration before image activation, select Backup configuration before activation. Device configuration files in <tftp_root> location (by default, \Ridgeline 4.0\jboss\standalone\deployment\user.war\tftp\ridgeline\configu) are saved as:
  - ExtremeWare: text files
  - ExtremeXOS (along with policy files, if any): zip files
  For more information about where and how configuration files are stored, and how to restore them to a device if necessary, see Configuration Manager on page 267.
13 To choose a hitless upgrade, select Use Hitless distribution. For limitations of hitless upgrading, see Hitless Upgrading.
14 Click Finish. The Results tab appears informing you of the progress of upgrade(s).

To view historical information about software image upgrades, use the Audit Log. For more information about the Audit Log, see Using the Ridgeline Audit Log on page 329.


Specifying Standard Software Versions


You can specify a standard version of the software for each type of device or group of Extreme Networks devices on your network. Ridgeline uses this information to determine whether an individual device is running this specified standard version. Each device shows either yes or no for Deviating with standard version? in the Software Status pane on the Firmware Manager, Devices tab.

To set, change, or remove a standard version:
1 In the navigation pane, click Firmware Manager. The Firmware Manager window appears.
2 Click the Devices tab.
3 Select the device(s) that you want to set a standard version for by clicking its check box.
4 Click Configure Standard Version. The Configure Standard (Baseline) Version dialog box appears:

Figure 187: Configure Standard (Baseline) Version Dialog Box

5 Click a single device or device group in the list. Each device shows the current standard (baseline) version under Software Version. If no standard version has been set, N/A appears.
6 Select a single device or group in the list, and then click Configure. The Configure Version dialog box appears:

Figure 188: Configure Version Dialog Box

7 Select a standard version from the Available Software Versions list. Your selection appears in the Enter Version box.
  Note: You cannot remove a standard version.
8 Click OK.
9 For each device or group, as needed, repeat step 5.
10 Click OK.

Updating Software Properties


You can create or change the properties of the software images in the software images list (for example, image type, version, status, etc.). This can be especially helpful for software images from other vendors, which do not normally have these fields supplied.

To update a software image property:
1 In the navigation pane, click Firmware Manager.
2 Click the Software Images tab. The software images view appears.
3 Select a software image by clicking its check box.
4 Click Edit Software Properties. The Update Software Properties dialog box appears, displaying the properties for the selected software image.

Figure 189: Update Software Properties Dialog Box

Table 10: Update Software Properties

Image Type: The type of software image:
- Unknown
- Device Image
- Slot Image
- Device BootROM Image
- Slot BootROM Image
- Device Module Image
Version: The software version.
Image Sub-type: The software image sub-type:
- Base Image: Complete software image (does not need to be installed on another image)
- Service Pack: A partial software image designed to address multiple software issues (must be installed on the appropriate base image)
- Patch: A partial software image designed to address a particular software issue (must be installed on the appropriate base image)
Status: The release status of the software:
- Technical Release: Release to enable the customer to review and test the new features, which may not be completely developed.
- General Distribution General Availability (GA): Normal release status. The software is generally available to the public without restriction.
- Limited Availability: Limited to some targeted customers.
- Obsolete: Superseded by a newer GA release.
Description: Description of the software image.
Minimum memory required: Minimum memory required to install the software image.
Vendor: The company that produces the software.
Device Type: The device that the software is compatible with. Your selection for Vendor defines the available devices under Device Type.

5 Make the desired changes.
6 Click OK.


18 Creating and Executing Ridgeline Scripts

Ridgeline Script Overview
The Ridgeline Script Interface
Managing Ridgeline Scripts

This chapter describes the scripting functionality built in to Ridgeline, and how you can use Ridgeline to create scripts and execute them on managed devices.

Ridgeline Script Overview


Ridgeline scripts are files containing CLI commands, control structures, and data manipulation functions. Ridgeline scripts can be executed on one or more devices: simultaneously on multiple devices, or on one device at a time. You can schedule Ridgeline scripts to run on specified devices at specified times, either on a one-time or recurring basis. Scripts can be designated as script tasks that can be executed according to a pre-set schedule. Ridgeline scripts are similar to ExtremeXOS scripts in that they are collections of ExtremeXOS CLI commands and control structures. Ridgeline scripts add some additional commands that are specific to Ridgeline. In general, Ridgeline scripts support syntax and constructs from the following sources:

- ExtremeXOS CLI commands: ExtremeXOS CLI commands in a Ridgeline script are sent to the device, and the response can be used by the script.
  Note: Abbreviated ExtremeXOS commands do not work unless you prefix the shortened command with CLI. Example: To abbreviate show vlan, type CLI sh vlan.
- ExtremeXOS CLI scripts: Control structures such as IF..ELSE and DO..WHILE can be used in Ridgeline scripts. See CLI Scripting in the ExtremeXOS Concepts Guide for more information on ExtremeXOS script functionality and syntax.
- The Tcl scripting language version 8.1. For general information about the Tcl scripting language, see www.tcl.tk. For a list of the Tcl commands that are supported in Ridgeline scripts, see Tcl Support in Ridgeline Scripts.

Syntax and constructs from these sources work seamlessly within Ridgeline scripts. For example, the response from a switch to an ExtremeXOS CLI command issued from a script can be processed using Tcl functions.


Bundled Ridgeline Scripts


Ridgeline includes a number of sample scripts that you can use as templates for your own Ridgeline scripts. These scripts perform such tasks as downloading firmware, uploading/downloading configuration files, and configuring VLANs. The sample scripts included with Ridgeline are available to users with an Administrator role. The XML source files for the scripts are located in <Ridgeline_install_dir>\jboss\standalone\deployments\user.war\scripting\bundled_scripts.

Script Deployment Results Log File


A log of the script deployment results for the device is stored on the Ridgeline server in the following location:

<tftp-server-root>\scripts\<device-ip-address>\<script-name>.log

The <tftp-server-root> is by default <Ridgeline_install_dir>\jboss\standalone\deployments\user.war\tftp\ where <Ridgeline_install_dir> is the directory where the Ridgeline server is installed. If the script could not be downloaded to the device, no script deployment results log is generated.

The Ridgeline Script Interface


To display the scripts configured in Ridgeline, in the navigation pane, click Scripts (see the following figure).

Figure 190: Ridgeline Scripts View

The Scripts tab contains the following information:

Category: The script category, if configured. See Categorizing Scripts.
Name: The name of the script.
Comments: Comments or a description of the script.
Modified by: Who last modified the script.
Date Modified: When the script was last modified.

The Script Tasks tab contains the following information:

Scheduled: How often the script task is scheduled to run: One-time, Recurring, or N/A if there is no schedule for the script task.
Category: The script category, if configured.
Name: The name of the script task.
User Name: Who created the script task.
Script name: The name of the script run by the script task.
Comments: Comments or a description of the script task.
Date modified: When the script was last modified.

The scripts table lists all of the scripts configured in Ridgeline. In the pane below the scripts table is a detailed view of the selected script. Double-clicking a script opens it in the script editor dialog box (see the following figure).

Figure 191: Ridgeline Script Editor Dialog Box

The Ridgeline script editor allows you to add content to a script, set values for parameters, specify runtime settings, and indicate which Ridgeline users can run the script.

The following tabs appear in the Ridgeline Script Editor window:

Overview: Displays fields to enter script parameters. The contents of this tab are derived from the metadata specified in the script.
Content: Displays the script in a text editor window, where you can modify it directly.
Description: Contains descriptive information about the script. The script description is specified in the metadata section of the script.
Run-Time Settings: Specifies script settings that are applied when the script is run.
Permissions and Menus: Specifies which kind of Ridgeline users can run the script, and whether or not, and where, the option to run the script should appear in the Ridgeline interface, such as on a menu or in a shortcut menu.

Managing Ridgeline Scripts


With scripting, you can:
- Create a Ridgeline script.
- Specify run-time settings for a script.
- Specify permissions and menu locations within Ridgeline for a script.
- Import scripts.
- Export scripts.
- Delete scripts.
- Run a script on one or more managed devices, with device-specific parameters.
- Categorize scripts.
- Configure script tasks.

Creating a New Ridgeline Script


1 In the navigation pane, click Scripts.
2 On the Scripts tab, click New. The new script dialog box appears (see the following figure).

Figure 192: New Script Dialog Box

By default, a new script created in Ridgeline contains a metadata section where you can enter a script description and define script sections and metadata that appears on the Overview tab. For more information about metadata, see Metadata Tags.

Type the metadata tags #@DetailDescriptionStart and #@DetailDescriptionEnd between the tags #@MetaDataStart and #@MetaDataEnd, and then type a detailed description between these detailed description tags. This description appears on the Description tab.

Place variable definition statements in the metadata section (between #@MetaDataStart and #@MetaDataEnd tags). Variables can now be defined by entering values in the Overview tab. A list of system variables appears under System Variables. To add a variable to the script, select the variable, and then double-click or click Add to Script.

You can enter ExtremeXOS 12.1 and later CLI scripting commands, Tcl commands, and constructs after the metadata section of the script. For information about what can appear in a Ridgeline script, see Ridgeline Script Reference.

6 If you want to specify run-time settings, click the Run-Time Settings tab and make changes as needed (see Specifying Run-Time Settings for a Script on page 308).
7 To specify which Ridgeline user roles have permission to run the script, and whether or not, and where, the script should appear in the menu or in a shortcut menu, click the Permissions And Menus tab, and make changes as needed (see Specifying Permissions and Run Locations for Scripts on page 309).
8 Click Save As. The Save Script As dialog box appears (see the following figure).

Figure 193: Save Script As Dialog Box

9 Type a name for the script file in the Script Name box and, if desired, a comment about the script in the Script Comment box.
10 Click OK. The script now appears in the script list, and you can run it (see Running a Script on page 310).
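A pre-import check for the metadata layout described in the procedure above, as an added example (not Ridgeline's own parser): it verifies that the four tags are paired and nested as the guide describes, and separates the description from the commands that would be sent to devices. Exact-line tag matching, the leading # on description lines, the function name and both sample scripts are assumptions.

```python
def parse_ridgeline_script(text):
    """Split a script into description, metadata lines and command body.

    Returns a dict with "errors" as (line number, message) tuples.
    """
    errors, description, metadata, body = [], [], [], []
    in_meta = in_detail = meta_closed = False
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line == "#@MetaDataStart":
            if in_meta or meta_closed:
                errors.append((lineno, "second #@MetaDataStart"))
            in_meta = True
        elif line == "#@MetaDataEnd":
            if not in_meta:
                errors.append((lineno, "#@MetaDataEnd without #@MetaDataStart"))
            if in_detail:
                errors.append((lineno, "#@DetailDescriptionEnd missing before #@MetaDataEnd"))
                in_detail = False
            meta_closed = meta_closed or in_meta
            in_meta = False
        elif line == "#@DetailDescriptionStart":
            if not in_meta:
                errors.append((lineno, "#@DetailDescriptionStart outside the metadata section"))
            if in_detail:
                errors.append((lineno, "nested #@DetailDescriptionStart"))
            in_detail = True
        elif line == "#@DetailDescriptionEnd":
            if not in_detail:
                errors.append((lineno, "#@DetailDescriptionEnd without #@DetailDescriptionStart"))
            in_detail = False
        elif not line:
            continue
        elif in_detail:
            # Assumption: description lines are written as comments.
            description.append(line.lstrip("#").strip())
        elif in_meta:
            metadata.append(line)      # e.g. variable definition statements
        else:
            body.append(line)          # commands that reach the device
    if in_detail:
        errors.append((len(lines), "missing #@DetailDescriptionEnd"))
    if in_meta:
        errors.append((len(lines), "missing #@MetaDataEnd"))
    return {
        "errors": errors,
        "description": "\n".join(description),
        "metadata": metadata,
        "body": body,
    }


# Constructed sample: tags nested as the guide describes, commands after the metadata.
GOOD_SCRIPT = """\
#@MetaDataStart
#@DetailDescriptionStart
# Constructed sample: lists VLANs on the target device.
#@DetailDescriptionEnd
#@MetaDataEnd
show vlan
CLI sh vlan
"""

# Constructed sample: description outside the metadata section, and the
# metadata section never closed, so the command is read as metadata.
BAD_SCRIPT = """\
#@DetailDescriptionStart
# description placed before the metadata section
#@DetailDescriptionEnd
#@MetaDataStart
show vlan
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        result = parse_ridgeline_script(script)
        print(name, result["errors"], result["body"])
```

Reviewing the returned body before saving or importing a script shows exactly which lines fall outside the metadata section and would run on every selected device.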

Specifying Run-Time Settings for a Script


To specify the run-time settings for a script, click the Run-Time Settings tab.


Figure 194: Run-time Settings Tab

On this tab you can specify the following settings:
- Save configuration in the background after script run successfully: Whether the configuration on the device is saved after the script is run successfully.
- Timeout if script is not completed on each device: Script run timeout in seconds. This timeout value applies to each device independently.
- Save results in audit Log: Whether to create an entry in the Ridgeline Audit Log when this script is run.

The first two settings apply to all users; the third is available to Ridgeline users with read/write access.

Specifying Permissions and Run Locations for Scripts


You can specify which Ridgeline user roles have permission to run the script, and whether or not, and where, the script should appear in the menu or in a shortcut menu. To set permissions and menu locations for the script, click the Permissions And Menus tab (see the following figure).


Figure 195: Permissions And Menus Tab

In the top table, you can specify the Ridgeline user roles that are able to see and run the script. Select the check boxes for the roles that you wish to enable. In the bottom section, you can set whether, and where, the script appears on the menu and in shortcut menus in the given locations. Click Show in Tools-> Run script menu and show in shortcut menus that appears on, and then select the desired locations.

Running a Script
To run a script:
1 In the navigation pane, click Scripts.
2 On the Scripts tab, find the script in the list. If needed, filter the list by typing search terms in the search box.
3 Select the script by clicking its check box, and then click Run Script. The Run Script dialog box appears (see the following figure).
   Note: Be sure to select only one script. The Run Script button is unavailable if two or more scripts are selected.

Figure 196: Run Script Dialog Box

4 On the Entity Selection tab, select whether you want to select the device(s) to run the script on through the full list of devices (Devices) or through the device groups (Device Groups).
5 Click Next.
6 On the Device Selection tab, select the device(s) to run the script on. If you selected Device Groups in the previous step, click the + next to a device group to expand it to see its devices.
7 Click Next.
8 On the Choose Order tab, if you have chosen more than one device to run the script on, you must select the order in which the script is run on the collection of devices. Select either:
   System Defined Order: the order shown.
   The Following Order: an order you choose. Use the up/down arrows on the right to change the order of devices.
   Note: You can view the list of devices in order of name (default) or by IP address (select Show List in the Format: IP Address).
9 Click Next.
10 On the Overview tab of the Device Settings tab, set values for any run-time variables defined for the script (for more information about defining run-time variables when creating a script, see Specifying Run-Time Settings for a Script on page 308). If desired, click the Description tab to view the description defined for the script.
11 Click Next.
12 On the Run Time Settings tab, make selections for the following:
   Run-Time Comments: If desired, enter run-time comments in this box. Type a name for the task in the Task Name box below. The task appears on the Script Task tab.
   Save configuration in the background after running script successfully
   Save results in Audit Log: Select to have the running of the script noted in the audit log.
   Timeout if script is not completed on each device: Use to set a maximum amount of time for the script to run on each device (in seconds).
   Run now, don't save as a task: Select to run the script now and not save this as a task.
   Save as a task and run now: Select to run the script now and save it as a task. Type a name for the task in the Task Name box below. The task appears on the Script Tasks tab (see Creating Script Tasks on page 316).
   Save as task. I'll run later: Select to save running the script as a task. The script does not run at this time. Type a name for the task in the Task Name box below. The task appears on the Script Tasks tab (see Creating Script Tasks on page 316).
13 Click Next.
14 On the Verify Run Script tab, verify your script selections, and then click Next.
15 Click Next.
16 On the Results tab, you see the results of the script, including any errors. You can choose any of the following options:
   Save task: save the script and its run-time settings on the Script Task tab (see Creating Script Tasks on page 316).
   Run again: run the script again.
   Save results: save the results of the script in a text file to a location that you define.
17 Click Close.

If you elected to save the script as a script task, you set the script task to run later, manually or on an automated schedule (see ).

If you elected to save the script results in the audit log, you can view these results now: In the navigation pane, click Audit Log, click the Scripts tab, and then click Refresh. The results of running the script appear. For more information about viewing items in the audit log, see Audit Log View on page 329.

Importing Scripts into Ridgeline


You can import XML-formatted scripts into Ridgeline. To import a script:
1 In the navigation pane, click Scripts.
2 From the menu, click File > Import > Import script. The Import Script dialog box appears (see the following figure).

Figure 197: Import Script Dialog Box

3 Type the location of the script file in the Type the location of the file box, or click Browse to navigate to the location.
4 In the Script Name box, type the name of the script file to import.
5 Click OK to import the script into Ridgeline.

Note: Exported EPICenter 6.0 telnet macros cannot be imported as XML scripts.

Exporting a Script
To save a script, from the menu, click File > Save As. The Save Script As dialog box appears (see the following figure).

Figure 198: Save Script As Dialog Box

To save/export the script:
To the Ridgeline server, click OK.
To any location, click Export to, type the location in the Type the location of the directory box or click Browse to navigate to the location, and then click OK.

The script is saved in XML format.

Deleting a Script
To delete a script:
1 In the navigation pane, click Scripts.
2 In the script table, select one or more scripts you want to delete.
3 Click Delete.
4 Click Yes to confirm the script deletion.

Categorizing Scripts
You can optionally assign scripts to categories, such as VLAN Scripts, Port Scripts, and so on. Placing scripts into logical groups in this way can aid in filtering the scripts in the scripts table. This can be useful when you have a large number of scripts to manage.

To assign a script to a category:
1 In the navigation pane, click Scripts.
2 In the script table, select the script that you want to categorize by clicking its check box.
3 Click Categorize. The Categorize Script dialog box appears (see the following figure):

Figure 199: Categorize Script Dialog Box

4 To create a new category, click New, type a category name, and then click Create.
5 To assign the script to a category, select the category, and then click Apply.
6 Click OK. The script now appears in the list with the newly assigned category name appearing in the Category column for the script.

Specifying a Ridgeline Script as an Alarm Action


You can define an alarm to execute a script when the alarm is triggered. For information about how to do this, see Defining Alarm Profiles.

Script Task Overview


When you run a script, you have the option of saving it as a task that appears in the Script Tasks tab (see the following figure). This saves your device selections and run-time settings, and then allows you to manually run the script task at a later time or schedule it to run in the future, either once or on a regular basis.

Figure 200: Script Tasks Table

From the Script Tasks tab, you can change a script task's device selections and run-time settings, and specify a schedule for running it.

To create a script task:
1 Create a script (see Creating a New Ridgeline Script on page 306).
2 Run the script and designate it as a task (see Running a Script on page 310).
3 Change script settings (device selections, run-time settings), if desired, and set a schedule (see Creating Script Tasks on page 316).

You can also delete script tasks (see Deleting Script Tasks on page 318).

Creating Script Tasks

You can save scripts as tasks to run later, manually or on an automated schedule. Before you can create a script task, you need to:
1 Create a script (see Creating a New Ridgeline Script on page 306).
2 Run the script and designate it as a task (see Running a Script on page 310).

To create a script task:
1 If needed, create a script (see Creating a New Ridgeline Script on page 306).
2 If the script is not already set up as a task, run the script (see Running a Script on page 310). On step 12, select either Save as a task and run now or Save as task. I'll run later.
3 In the navigation pane, click Scripts.
4 Click the Script Tasks tab.

5 Double-click or click Open for the desired script task. The script dialog box appears (see the following figure).

Figure 201: Script Dialog Box

6 (Optional) If you want to change the device selections or run-time settings, click the Device and order or Run-Time settings tab, respectively, and then make the desired changes.
7 Click the Schedule tab (see the following figure).

Figure 202: Script Dialog Box - Schedule Tab

8 Schedule the task by selecting:
   To run once: Select Run Once, and then enter the date, time, and time zone selections.
   To repeat on schedule: Select Run Repeatedly, and then enter the start/end dates and frequency in Start Date, End Date, and Frequency.
9 Click the X to close the dialog box. The message Do you want to save changes to task [my script] appears, where [my script] is the script task name.

10 Click Yes. Under the Scheduled column, the schedule status appears:
   N/A: Not scheduled
   One-time: Scheduled to run one time
   Recurring: Scheduled to run repeatedly according to your selected schedule

After a script runs, if you elected to save the script results in the audit log, you can view these results: In the navigation pane, click Audit Log, click the Scripts tab, and then click Refresh. The results of running the script appear. For more information about viewing items in the audit log, see Audit Log View on page 329.

Deleting Script Tasks

If desired, you can delete script tasks that you no longer need. To delete a script task:
1 In the navigation pane, click Scripts.
2 Click the Script Tasks tab.
3 Select the task by clicking its check box.
4 If the script task that you want to delete has a schedule set up for it (Scheduled = Recurring or One-time), then you must remove the schedule:
   a Click Open. The edit script task dialog box appears.
   b Click the Schedule tab.
   c Click No Schedule.
   d Click Save, and then close the dialog box.
5 Click Delete.
6 When prompted, confirm the deletion by clicking Yes.

Ridgeline Script Reference


This section contains reference information for Ridgeline scripts. It contains the following topics:

Metadata Tags
Ridgeline-Specific Scripting Constructs
Tcl Support in Ridgeline Scripts
Entering Special Characters
Line Continuation Character
Case Sensitivity in Ridgeline Scripts
Reserved Words in Ridgeline Scripts
ExtremeXOS CLI Scripting Commands Supported in Ridgeline Scripts
Ridgeline-Specific System Variables

Metadata Tags

A Ridgeline script may contain a metadata section, which can serve as a usability aid in the script interface. The metadata section, if present, is the first section of a Ridgeline script, followed by the script logic section, which contains the CLI commands and control structures in the script. The metadata section is delimited between #@MetaDataStart and #@MetaDataEnd tags. A metadata section is optional in a Ridgeline script.

You can use metadata tags to specify the description of the script, as well as parameters that the script user can input. The information specified by the metadata tags appears in the Overview tab for the script.

Note: Ridgeline script metadata tags are backwards-compatible with Ridgeline UPM profile metadata tags.
#@MetaDataStart and #@MetaDataEnd

Indicates the beginning and end of the metadata section of the script. In order for description information and variable input fields to appear in the Overview tab for a script, the corresponding metadata tags must appear in the metadata section.

Example

    #@MetaDataStart
    # @SectionStart (description = Protocol Configuration Section)
    Set var protocolSelection eaps
    # @SectionEnd
    # @SectionStart (description = vlan tag section)
    Set var vlanTag 100
    #@MetaDataEnd
#@ScriptDescription

Specifies a one-line description of the script. The description specified with this tag cannot contain a newline character.

Example

    #@ScriptDescription This is a VLAN configuration script.
#@DetailDescriptionStart and #@DetailDescriptionEnd

Specifies the beginning and end of the detailed description of the script. The detailed description can be multiple lines or multiple paragraphs. Each line in the description should be commented. The detailed description is shown in the Script View tab in the script editor window.

Example

    #@DetailDescriptionStart
    #This script performs configuration upload from Ridgeline to the switch.
    #The script only supports tftp.
    #This script does not support third party devices.
    #@DetailDescriptionEnd
#@SectionStart and #@SectionEnd

Specifies the beginning and end of a section within the metadata part of a script. If this is the last section of the metadata, ending with a #@MetaDataEnd tag, then the #@SectionEnd tag is not required. Once a section starts with the #@SectionStart tag, the previous section is automatically ended.

Example

    # @SectionStart (description = Protocol Configuration Section)
    Set var protocolSelection eaps
    # @SectionEnd
#@VariableFieldLabel

Defines user-input variables for the script. For each variable defined with the #@VariableFieldLabel tag, you specify the variable's description, scope, type, and whether it is required.

Description: Label that appears as the prompt for this parameter in the Overview tab.
Scope: Whether the parameter is device-specific or global (uses the same value for all devices). Valid values: global, device. Default value is global.
Type: Parameter data type. This determines how the parameter input field is shown in the Overview tab. Valid value: String (shows the parameter input field as a text field in the Overview tab).
readonly: Whether the parameter is read-only and cannot be modified by the user. Valid values: Yes, No. Default value is No.
validValues: Lists all possible values a parameter can take. All values should be separated by commas and put into square brackets.
Required: Whether specifying the parameter is required to run the script. Valid values: Yes, No.

Example

    #@VariableFieldLabel (description = Partition:, scope = global,
    #required = yes, validValue = [Primary,Secondary], readOnly=false)
    set var partition

Ridgeline-Specific Scripting Constructs

This section describes the scripting constructs that are specific to Ridgeline:
Specifying the wait time between commands
Printing system variables
Configuring a carriage return prompt response
Synchronizing the device with Ridgeline
Saving the configuration on the device automatically
Sending events to Ridgeline
Printing a string to a file

Specifying the Wait Time Between Commands

After the script executes a command, the sleep command causes the script to wait a specified number of seconds before executing the next statement.

Syntax

    sleep <

Example

    # sleep for 5 seconds after executing a command
    sleep 5
Printing System Variables

The printSystemVariables command prints the current values of the system variables. Specifically, values for the following variables are printed:

deviceIP
deviceName
serverName
deviceSoftwareVer
serverIP
serverPort
date
time
abort_on_error
CLI.OUT
runMode

Syntax

    printSystemVariables

Example

    # Display values for system variables
    printSystemVariables


Configuring a Carriage Return Prompt Response

A special string within the script, <cr>, indicates a carriage return in response to a prompt for a command.

Syntax

    <cr>

Example

    download image 10.22.22.22 t.txt <cr> //cancel download
Synchronizing the Device with Ridgeline

The PerformSync command manually initiates a synchronization for specified Ridgeline feature areas and scope.

Syntax

    PerformSync [-device <ALL | deviceIp>] [-scope <INVENTORY | TOPOLOGY | UPM | VLAN> ] [-vlan <vlan1,vlan2>]

If -device is not specified, the current device (indicated by the $deviceIP system variable) is assumed. If -scope is not specified, INVENTORY scope is assumed. The -vlan option is only applicable if VLAN scope is chosen.

The PerformSync command is executed in an asynchronous manner. That is, when the command is executed, Ridgeline moves on to the next command in the script without waiting for the synchronization to complete.

Examples

    # Perform sync for Topology
    PerformSync -scope TOPOLOGY

If there are multiple VLANs in the -vlan argument, enclose them in double quotes. For example:

    PerformSync -scope VLAN -vlan "foo,bar"
Saving the Configuration on the Device Automatically

The run-time settings for a script may include the option to issue the save command in the background after the script is run successfully on the device. If an error is encountered as a result of the save command, a Save command failed alarm is issued in Ridgeline against the device.
Sending Events to Ridgeline

You can configure a script to send events to Ridgeline from the device where it is run. The events are displayed in the Ridgeline alarm browser. In order for an event to be displayed in the alarm browser, the corresponding event should be added to the alarm definition (if not already present), and the target device should be included in the scope of the alarm (in the alarm definition) prior to sending events.

Syntax

    SendEvent [-subtype <subtype>] message

Where <subtype> can be one of the following:

1    Ping failed
2    Ping OK
3    SNMP Reachable
4    SNMP Unreachable
5    Reachability unknown
6    Configuration Upload Failed
7    Configuration Upload OK
8    Custom Event
9    Device Reboot
10   Overheat
11   Fan Failed
13   High Trap Count
14   Policy Configuration Start
15   Policy Configuration End
16   Device Policy Configuration
17   Power Supply Failed
18   Device Warning From Ridgeline
19   Syslog Flood
20   One-Shot Event No Longer Valid
21   Rogue Access Point Found
22   Stacking Link Down
23   Stack Member Down
73   Configuration Download Failed
74   Configuration Download OK
100  EAPS Domain State Changed - ERROR
101  EAPS Domain State Changed - WARNING
102  Scripts, save operation failed
103  A background script execution failed
104  Script event

Example

    #Send Configuration Download Failed event if error occurs
    download image 10.210.14.4 image.txt
    if ($STATUS != 0) then
    SendEvent -subtype=73 ${CLI.OUT}
    endif
Printing a String to a File

The ECHO command prints a specified string to a file.

Syntax

Example

    # Write Device IP address to file
    ECHO "device ip is $deviceIP"

Note: The Tcl puts and ECHO commands have the same function. However, the ECHO command is not case-sensitive, while the puts command is case-sensitive.

Tcl Support in Ridgeline Scripts

The following Tcl commands are supported in Ridgeline scripts:

Table 11: Tcl commands supported in Ridgeline scripts
after append array binary break catch clock close concat continue eof error eval expr fblocked flush for foreach format gets global history if incr info interp join lappend lindex linsert list llength lrange lreplace lsearch lsort namespace open package proc puts read regexp regsub rename return scan seek set split string subst switch tell time trace unset update uplevel upvar variable vwait while

See www.tcl.tk/man/tcl8.2.3/TclCmd/contents.htm for syntax descriptions and usage information for these Tcl commands.

Entering Special Characters

In a Ridgeline script, you can use the backslash character ( \ ) as the Escape character if you need to enter special characters, such as quotation marks ( " ), colon ( : ), or dollar sign ( $ ).

Example

    set var value 100
    set var dollar \$value
    show var dollar
    >>> $value

Note: Do not place the backslash character at the end of a line in a Ridgeline script.

Line Continuation Character

The line continuation character is not supported in Ridgeline scripts. Each command statement should be placed on a single line.

Case Sensitivity in Ridgeline Scripts

The commands and constructs in a Ridgeline script are not case-sensitive. However, if a command is referenced inside another command, the inner command is case-sensitive. In this instance, the inner command case should match how it appears in the Ridgeline documentation.

Example (Usage of the Ridgeline command ECHO)

    echo hi (valid)
    echo [echo hi] (error)
    echo [ECHO hi] (valid)

Reserved Words in Ridgeline Scripts

The following words cannot be used as variable names in a Ridgeline script. They are reserved by Ridgeline.

Names of system variables (see Ridgeline-Specific System Variables)
Names of Ridgeline command extensions (see Ridgeline-Specific Scripting Constructs)
Names of ExtremeXOS CLI commands
epic_responseFileId
Names of Tcl functions

In addition, you should not use a period (.) within a variable name. Use an underscore ( _ ) instead.

ExtremeXOS CLI Scripting Commands Supported in Ridgeline Scripts

The CLI commands in this section are supported in Ridgeline scripts.

$VAREXISTS
$TCL
$UPPERCASE
show var
delete var
configure cli mode scripting abort-on-error

$VAREXISTS

Checks if a given variable has been initialized.

Switch Compatibility
This command is supported on devices running ExtremeXOS 12.1 and higher.

Example

    if ($VAREXISTS(foo)) then
    show var foo
    endif

$TCL

Evaluates a given Tcl command. The $TCL command is supported within the following constructs:
set var
if
while

See Tcl Support in Ridgeline Scripts on page 324 for a list of supported Tcl commands.

Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.

Example

    set var foo $TCL(expr 3+4)
    if ($TCL(expr 2+2) == 4) then
$UPPERCASE

Converts a given string to upper case. The $UPPERCASE command is supported within the following constructs:
set var
if
while

Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.

Note: The $UPPERCASE command is deprecated in ExtremeXOS 12.1 CLI scripting. The $TCL(string toupper <string>) command should be used instead.

Example

    set var foo $UPPERCASE("foo")
show var

Prints the current value of a specified variable.

Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.

Example

    show var foo
delete var

Deletes a given variable. Only local variables can be deleted; system variables cannot be deleted.

Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.

Example

    set var foo bar
    delete var foo
    if ($VAREXISTS(foo)) then
    ECHO "this should NOT be printed"
    else
    ECHO "Variable deleted."
    endif
configure cli mode scripting abort-on-error

Configures the script to halt when an error is encountered. If there is a syntax error in the script constructs (set var / if ..then / do..while ), execution stops even if the abort_on_error flag is not configured.

Switch Compatibility
This command is supported on devices running ExtremeXOS 11.6 and higher.

Example

    enable cli scripting \$UPPERCASE uppercase # should not print show var abort_on_error

Ridgeline-Specific System Variables

The following system variables can be set in Ridgeline scripts:

$abort_on_error: Whether the script terminates if a CLI error is encountered; 1 aborts on error, 0 continues on error.
$CLI.OUT: The output of the last CLI command
$CLI.SESSION_TYPE: The type of session for the connection to the device, either Telnet or SSH
$date: The current date on the Ridgeline server
$deviceIP: The IP address of the selected device
$deviceLogin: The name of the login user for the selected device
$deviceName: The DNS name of the selected device
$deviceSoftwareVer: The version of ExtremeXOS running on the selected device
$deviceType: The product type of the selected device
$epicenterUser: The name of the Ridgeline user running the script
$isExos: Whether the device is an ExtremeXOS device. Possible values are True or False
$port: Selected port numbers, represented as a string. If the script is not associated with a port, this system variable is not supported.
$serverIP: The hostname of the Ridgeline server
$serverName: The hostname of the Ridgeline server
$serverPort: The port number used by the Ridgeline web server; for example, 8080
$STATUS: The execution status of the previously executed ExtremeXOS command, 0 if the command was executed successfully, non-zero otherwise
$time: The current date on the Ridgeline server
$vendor: Vendor name of the device; for example, Extreme
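
The authoring rules stated in this script reference (metadata section first and closed, commented detail description, no backslash at end of line, no period or reserved name in a variable name, SendEvent subtypes from the table) can be checked before a script is saved and run against devices. The following Python check is an added example, not part of Ridgeline or this guide; the function name, rule ids, case-insensitive matching and both sample scripts are assumptions constructed for illustration.

```python
import re

# Reserved variable names taken from this reference: system variables, Ridgeline
# command extensions and epic_responseFileId (CLI command and Tcl names omitted).
RESERVED = {n.lower() for n in (
    "abort_on_error CLI.OUT CLI.SESSION_TYPE date deviceIP deviceLogin deviceName "
    "deviceSoftwareVer deviceType epicenterUser isExos port serverIP serverName "
    "serverPort STATUS time vendor sleep printSystemVariables PerformSync "
    "SendEvent ECHO epic_responseFileId").split()}
# SendEvent subtypes from the subtype table: 1-11, 13-23, 73, 74, 100-104.
VALID_SUBTYPES = set(range(1, 12)) | set(range(13, 24)) | {73, 74} | set(range(100, 105))

TAG_RE = re.compile(r"^#\s*@(\w+)")  # matches "#@Tag" and "# @Tag"
SETVAR_RE = re.compile(r"^set\s+var\s+(\S+)", re.IGNORECASE)
SUBTYPE_RE = re.compile(r"^SendEvent\b.*?-subtype[=\s]+(\S+)", re.IGNORECASE)


def lint_script(text):
    """Return (line_number, rule, message) findings for one Ridgeline script."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    # First line that is a tag or a command; plain comments may precede it.
    first = next((n for n, l in enumerate(lines, 1)
                  if l and (TAG_RE.match(l) or not l.startswith("#"))), 0)
    in_meta = in_detail = meta_seen = False

    for n, line in enumerate(lines, 1):
        if not line:
            continue
        if line.endswith("\\"):
            findings.append((n, "trailing-backslash", "line continuation is not supported"))
        tag = TAG_RE.match(line)
        name = tag.group(1).lower() if tag else ""  # assumption: tags compared case-insensitively
        if name == "metadatastart":
            if n != first or meta_seen:
                findings.append((n, "metadata-not-first", "metadata must be the first section"))
            in_meta = meta_seen = True
        elif name == "metadataend":
            if not in_meta:
                findings.append((n, "metadata-unbalanced", "#@MetaDataEnd without #@MetaDataStart"))
            if in_detail:
                findings.append((n, "detail-unclosed", "missing #@DetailDescriptionEnd"))
            in_meta = in_detail = False
        elif name == "detaildescriptionstart":
            if not in_meta:
                findings.append((n, "detail-outside-metadata", "description tags belong in metadata"))
            in_detail = True
        elif name == "detaildescriptionend":
            in_detail = False
        elif in_detail and not line.startswith("#"):
            findings.append((n, "detail-uncommented", "description lines should be commented"))
        if line.startswith("#"):
            continue  # comments and tags carry no commands
        m = SETVAR_RE.match(line)
        if m:
            var = m.group(1)
            if "." in var:
                findings.append((n, "var-name-period", f"use an underscore in '{var}'"))
            if var.lower() in RESERVED:
                findings.append((n, "reserved-name", f"'{var}' is reserved by Ridgeline"))
        m = SUBTYPE_RE.match(line)
        if m and not m.group(1).startswith("$"):  # a variable subtype cannot be checked statically
            if not m.group(1).isdigit() or int(m.group(1)) not in VALID_SUBTYPES:
                findings.append((n, "bad-subtype", f"subtype {m.group(1)} is not in the table"))
    if in_meta:
        findings.append((len(lines), "metadata-unbalanced", "#@MetaDataStart without #@MetaDataEnd"))
    return findings


# Constructed sample that follows the rules.
GOOD_SCRIPT = """#@MetaDataStart
#@ScriptDescription Constructed sample: tag a VLAN and report failures.
#@DetailDescriptionStart
#Creates a VLAN and raises an event if the tag cannot be applied.
#@DetailDescriptionEnd
# @SectionStart (description = vlan tag section)
set var vlanTag 100
#@MetaDataEnd
create vlan demo
configure vlan demo tag $vlanTag
if ($STATUS != 0) then
SendEvent -subtype=104 ${CLI.OUT}
endif
"""

# Constructed sample with one deliberate mistake per rule.
BAD_SCRIPT = r"""# constructed sample with deliberate mistakes
set var vlan.tag 100
#@MetaDataStart
#@DetailDescriptionStart
This line is not commented.
#@MetaDataEnd
set var deviceIP 10.0.0.1
configure vlan demo \
tag $vlan.tag
SendEvent -subtype=12 "tag failed"
"""

if __name__ == "__main__":
    for finding in lint_script(BAD_SCRIPT):
        print(finding)
```
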


19 Using the Ridgeline Audit Log


Audit Log Overview
Audit Log View
Displaying Audit Log Details
Redeploying Profiles or Scripts

This chapter describes how to use the Ridgeline Audit Log for:
Displaying information about UPM profiles, Ridgeline scripts, network provisioning, and software image management tasks that have been deployed on managed devices.
Viewing details about deployed UPM profiles, Ridgeline scripts, network provisioning, and software image management tasks.
Correcting and redeploying UPM profiles and Ridgeline scripts.

Audit Log Overview


The Ridgeline Audit Log allows you to view information about the UPM profiles, Ridgeline scripts, network provisioning, and software image management tasks that have been deployed in your network. You can use the Audit Log as a troubleshooting aid to reveal errors when UPM profiles and Ridgeline scripts are deployed unsuccessfully. Using the Audit Log, you can correct the errors and redeploy the profiles or scripts:

Audit Log View
Displaying Audit Log Details
Redeploying Profiles or Scripts

Audit Log View


To display the Audit Log, in the navigation pane, click Audit Log. The Audit Log appears (see the following figure).

Figure 203: Audit Log View

The Audit Log View shows information about the deployed UPM profiles, Ridgeline scripts, network provisioning, software image management, and configuration management tasks on separate tabs. Each tab provides filters (see Filtering the Audit Log View on page 330) to limit the information based on the time period deployed, log table contents, or details table contents.

The log table contains information about each deployed profile, script, provisioning activity, and software image management task. The details table contains information about the deployment results of a selected profile, script, provisioning activity, or software image management task on each device where it was run.

Filtering the Audit Log View


To filter any of the audit log lists (tabs):
For profiles, scripts, provisioning, VMs, and identity, click Quick Filter.
For software image management and configuration management, click Filter by Time.

You can filter by time periods:
Pre-defined time period (Filter for the past): 1 hour, 6 hours, 12 hours, 24 hours, 25 hours, 7 days, 14 days, 30 days, 6 months, 1 year.
From a date to a certain date (Filter for the time period).

For profiles, scripts, provisioning, VMs, and identity (Quick Filter), you can type search terms to filter all fields (Log Items) and the Details field only (Details).

Displaying Audit Log Details


To show details for an audit log entry, click a row in the log table. For profiles, scripts, provisioning, VMs, and identity, the details pane appears at the bottom of the window (see the following figure).

Figure 204: Audit Log Details Window

The audit log details pane shows the name of the deployed profile or script, who created it, overall status, and time the item was deployed:

Action Time: The time that the script or profile was deployed.
Name: The name of the device where the profile or script was deployed.
IP Address: IP address of the device.
Results: Result of the deployment, successful or unsuccessful.
Ports: The ports on which the script or profile were deployed.

For software image management and configuration management, the details pane appears on the right side of the window (see the following figure).

Figure 205: Audit Log - Configuration Management Tab Showing Details Pane

Redeploying Profiles or Scripts


If the deployment result for a profile or script was unsuccessful, you can open it from Ridgeline, make corrections, and redeploy it on the device. To open a profile or script, in the navigation pane, click Audit Log, click the Scripts or Profiles tab, select the profile or script in the list, and then click File > Open. The script or profile opens in an editor window. You can then make changes to the profile or script, and then click Rerun to redeploy it. For information on editing UPM profiles, see Modifying or Editing Profiles on page 396. For information on editing Ridgeline scripts, see Creating a New Ridgeline Script on page 306. To redeploy a script or profile from the Audit Log, click Action > Rerun. This starts the deployment wizard for the profile or script.


20 Using the IP/MAC Address Finder

Overview of the IP/MAC Address Finder
Creating a Search Task
The IP/MAC Address Finder Window with Search Results
Exporting Task Results to a Text File

This chapter describes how to use the IP/MAC Address Finder for:
Creating search requests for locating specific MAC or IP addresses, and determining the devices and ports where they are located.
Creating search requests to identify the MAC and IP addresses on specific devices and ports.

Overview of the IP/MAC Address Finder


Using the IP/MAC Address Finder you can specify a set of Media Access Control (MAC) or Internet Protocol (IP) network addresses, and a set of network devices to query for those addresses. The tool returns a list of the devices and ports associated with those addresses. You can also reverse this search and specify a set of devices and ports, and then search for all MAC and IP addresses that appear on those devices and ports.

The IP/MAC Address Finder allows you to:
Define and run a search task.
View the status of the search task.
View the search task results.
Export the results to either your local system or the Ridgeline server system.

The task definition and results are kept in the task list until you delete them, or until you end your Ridgeline client session.

The IP/MAC Address Finder supports two types of searches:
Database: Searches the Ridgeline database (inventory of devices)
Network: Searches the network

If you have configured Ridgeline to do MAC polling, Ridgeline maintains its own database of the information it learns about edge ports from the switches it polls. (To enable MAC polling, see MAC Polling Properties.) In this case, the IP/MAC Address Finder can search for addresses within the database rather than searching over the network. If you do not have MAC polling enabled, the IP/MAC Address Finder always performs a network search.

In a network search the IP/MAC Address Finder searches the IP Address Translation Table (the ipNetToMediaTable) in each device agent for IP addresses, and the Forwarding Database (FDB) for MAC addresses of the switches in your search domain to find address information. If you specify a search for a specific IP address, the IP/MAC Address Finder attempts to ping that address from the switches you have included in the search domain.

ExtremeWare and ExtremeXOS Software Requirements


The IP/MAC Address Finder feature is supported with ExtremeXOS using SSH and Telnet. The IP/MAC Address Finder requires certain versions of ExtremeWare to be running on your Extreme switch in order to retrieve data from an IP address or MAC address search task. The following table lists versions of ExtremeWare and whether or not they are currently supported by the IP/MAC Address Finder.

Table 12: ExtremeWare Requirements for Using the IP/MAC Address Finder

ExtremeWare Version    Requirements
6.1.5                  Not supported.
6.1.6 through 6.1.9    Supported using the dot1dTpFdbTable. Use the enable snmp dot1dTpFdbTable command to enable the dot1dTpFdbTable on the switch.
6.2 and later          Fully supported using a private MIB.

Displaying the IP/MAC Address Finder


To display the IP/MAC Address Finder, in the navigation pane, click Main View, and then click Find IP/MAC. The IP/MAC Address Finder window appears (see the following figure). Initially no search request tasks appear (see Creating a Search Task).

Figure 206: IP/MAC Address Finder Window

Creating a Search Task


You can create a search task from scratch (this procedure) or base it on a previously created task (see the Clone command in The IP/MAC Address Finder Window with Search Results).


To create a search task:
1 In the navigation pane, click Main View.
2 Click Find IP/MAC. The IP/MAC Address Finder window appears (see the following figure).

Figure 207: IP/MAC Address Finder Window

3 Click New Task. The Create a new IP/MAC Finder Task dialog box appears (see the following figure).

Figure 208: Create a new IP/MAC Finder Task

4 Type a name in the Task Name box.
5 To search for an IP or MAC address or range of addresses, select one of the following:
   - IP: Type a specific IP address in the boxes to the right.
   - MAC: Type a specific MAC address in the boxes to the right.
   - MAC OUI Wildcard: Type the first three octets of a MAC address in the boxes to the right. The last three octets have wildcards.
   - All: Searches for all MAC and IP addresses. Select this option if you want to search devices to show all of their MAC and IP addresses.
6 Click Add.


7 In Search Type, select either:
   - Database: Searches the Ridgeline database (inventory of devices)
   - Network: Searches the network

   Note: A database search is only available if you have MAC polling enabled (see MAC Polling Properties). If you specify a database search, you cannot specify a search domain; the entire Ridgeline database is searched.

8 Under Search Domains, select the devices to search:
   a In the Source Type list, select: Devices, Device Groups, Ports, or Port Groups.
   b In the Select Group list, if you select Devices or Ports (as opposed to Device Groups or Port Groups) above, you can select a group here.
   c Click Add.
9 Click OK. The IP/MAC Address Finder window appears displaying the search results (for detailed information about the information shown on the IP/MAC Address Finder window, see The IP/MAC Address Finder Window with Search Results).

Note: The IP/MAC Address Finder cannot identify a device's own IP address when you search for IP addresses on that device. In other words, it will not find IP address 10.2.3.4 on the switch whose address is 10.2.3.4. It can only find addresses that are in the agent's IP Address Translation table, and a device's own address is not included in the table. The IP/MAC Address Finder does find the address on the other switches that have connectivity to the switch with the target IP address, however.

Each search task can return a maximum of 2,000 MAC address entries. If a search returns more than 2,000 entries, a warning message appears in the Status box. If you see a warning message, add additional search constraints to reduce the number of returned MAC addresses to less than 2,000.
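The network search and its two caveats (a switch never reports its own address, and results stop at 2,000 entries) can be reproduced offline. The following Python example is added here and is not code from Ridgeline or Extreme Networks: it joins a constructed ARP cache (standing in for the ipNetToMediaTable) with a constructed FDB for each switch and supports the IP, MAC, MAC OUI Wildcard and All criteria. The switch names, addresses, ports, data layout and the join on MAC address are assumptions made for illustration.

```python
import re

MAX_ENTRIES = 2000  # per-task limit on returned MAC address entries (from the guide)

# Constructed sample data: per-switch ARP cache (stand-in for ipNetToMediaTable)
# and forwarding database (FDB). Names, addresses and ports are invented.
SWITCHES = [
    {"name": "sw-core", "mgmt_ip": "10.2.3.4",
     "arp": [("10.2.3.20", "00:04:96:aa:bb:01"), ("10.2.3.21", "00-11-22-33-44-55")],
     "fdb": [("00:04:96:AA:BB:01", "1:1"), ("0011.2233.4455", "1:2")]},
    {"name": "sw-edge", "mgmt_ip": "10.2.3.5",
     "arp": [("10.2.3.4", "00:04:96:00:00:04")],
     "fdb": [("00:04:96:00:00:04", "24"), ("00:04:96:aa:bb:01", "24")]},
]


def _hex_digits(text, count, what):
    """Strip ':', '-', '.' and spaces, then require exactly `count` hex digits."""
    digits = re.sub(r"[:.\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % count, digits):
        raise ValueError(f"not a valid {what}: {text!r}")
    return digits


def normalize_mac(mac):
    """Return a MAC address as 12 lowercase hex digits."""
    return _hex_digits(mac, 12, "MAC address")


def normalize_oui(oui):
    """Return the first three octets of a MAC address as 6 lowercase hex digits."""
    return _hex_digits(oui, 6, "MAC OUI")


def find_addresses(switches, ip=None, mac=None, oui=None):
    """Search every switch in the search domain.

    Returns (rows, truncated). With no criterion every entry matches,
    which corresponds to the 'All' option.
    """
    want_mac = normalize_mac(mac) if mac else None
    want_oui = normalize_oui(oui) if oui else None
    rows = []
    for sw in switches:
        # A switch's ARP cache lists its neighbours, never its own address,
        # so sw["mgmt_ip"] can only be found in the tables of other switches.
        ip_by_mac = {normalize_mac(m): addr for addr, m in sw["arp"]}
        for raw_mac, port in sw["fdb"]:
            entry_mac = normalize_mac(raw_mac)
            entry_ip = ip_by_mac.get(entry_mac)
            if want_mac and entry_mac != want_mac:
                continue
            if want_oui and not entry_mac.startswith(want_oui):
                continue
            if ip and entry_ip != ip:
                continue
            rows.append({"mac": entry_mac, "ip": entry_ip,
                         "switch": sw["name"], "port": port})
    truncated = len(rows) > MAX_ENTRIES  # the guide shows a warning in this case
    return rows[:MAX_ENTRIES], truncated


if __name__ == "__main__":
    for label, criteria in [("IP 10.2.3.4", {"ip": "10.2.3.4"}),
                            ("OUI 00:04:96", {"oui": "00:04:96"}),
                            ("All", {})]:
        rows, truncated = find_addresses(SWITCHES, **criteria)
        print(label, "(truncated)" if truncated else "(complete)")
        for r in rows:
            print("  ", r["mac"], r["ip"], r["switch"], r["port"])
```

Searching for 10.2.3.4 returns only the sw-edge row: sw-core, which owns that address, has no ARP entry for itself.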

The IP/MAC Address Finder Window with Search Results


After search tasks are created and run, they appear in the IP/MAC Address Finder window (see the following figure). The search task names appear in the left Search pane.

Note: The specified tasks and their search results remain as long as you are logged in to the Ridgeline client, even if you exit the IP/MAC Address Finder and go to another Ridgeline feature. However, when you exit Ridgeline, all the task specifications and search results are deleted.


Figure 209: Tasks List Summary

The IP/MAC Address Finder window shows you basic information about the tasks you have set up:

Task Name: The name you gave the task when you created it.
Submitted: Shows the date and time the task was submitted.
Search Type: The type of search this task performs (Database or Network).
Status: Shows the status of the search request (Done, Pending, Warning).
Ended: Shows the date and time the task was finished.

Search Criteria

Addresses to Find: List of IP/MAC addresses that the search task was configured to find.
Search Domains: Devices and ports that the search task was configured to search.
   - Type: The type of target: Devices, Device Groups, Ports, Port Groups
   - Value: The name, IP address, or port number of the selected target
   - Device Status: If the target is a device or port, shows the status of the device:
      - Online.
      - Offline: The manageability status of the device is disabled.
      - Marginal: A fan failure or power failure occurs or the device becomes too hot.
      - Down: Device does not respond to SNMP requests.

Search Results

- MAC Address.
- IP Address.
- Switch: The switch to which the address is connected.
- Port: The port to which the address is connected.
- User: The user (name) currently logged in at that address.

You can perform the following functions:


New Task: Create a new search task (see Creating a Search Task).
Cancel: If a search task is in progress (Status = Pending), click Cancel to cancel the task before it has completed.
Delete: Select a task, and then click Delete to delete an individual task. This deletes the task specification as well as the task results.
Run: To run a task again, select a task, and then click Run.


Clone: To create a search task based on another search task, select the task, and then click Clone. The Create a new IP/MAC Finder Task window appears with the specifications of the selected task already configured. For information about changing the specifications for the search task, see Creating a Search Task.
Export: Select a task, and then click Export to export the task details to a text file. For more information about exporting, see Exporting Task Results to a Text File.
Export Local: Select a task, and then click Export Local to export the task details to a text file on your local system. For more information about exporting, see Exporting Task Results to a Text File.

Exporting Task Results to a Text File


You can export a task's detail results or search results to a text file. You can do this from the Tasks List.

To export the detail or search results to a file:
1 From the Detailed Task View, click the Export button to save the file on the Ridgeline server. Click the Export Local button to save the file locally. If you select Export, the Export pop-up dialog is displayed. If you select Export Local, a Save File dialog is displayed.
2 Enter a file name and subdirectory name in the fields provided.
   If you select Export:
   - Detail and search result files for a task are saved in the Ridgeline user.war/AddressFinderResults directory, which is a subdirectory of the Ridgeline installation directory. You can optionally specify a subdirectory within the AddressFinderResults directory by entering the subdirectory name into the Directory field.
   - By default, a search result exported file will be given a name created from the current date, time, and task name. For example, the results for task Task 2 run on April 25, 2006 at 3:52 pm will be saved in a file named 2006_4_25_1552_Task 2.txt. You can change the file name by replacing the name in the File Name field.
   If you select Export Local:
   - Select the location where you want the file to be saved. You must provide a file name; it is not predefined for this option.
3 Click the Apply button to save the results, click Reset to clear all the fields, or click Close to close the dialog without saving the file.


21 Administering Ridgeline
Overview of User Administration
Administration Functions
User Administration
Adding, Modifying, or Deleting User Accounts
Changing Your Password if You Have Super-User or Administrator Rights
Changing Your Password if You Have Manager or Monitor Rights
Role Administration
Adding, Modifying, or Deleting Roles
RADIUS Administration
Server Properties Administration
Distributed Server Administration

This chapter describes how to use the Ridgeline administration functions.

Overview of User Administration


To log on to the Ridgeline server, you must have a user name and password. Ridgeline administrators and super-users can create and modify user accounts, passwords, and account permissions. Individual users, regardless of their roles, can change their own password.

Note: Ridgeline does not have restrictions on the number of user accounts, which includes administrators, but the number of concurrent sessions is limited to 25 users. This can be the same user or different users.

By default, Ridgeline provides its own authentication and authorization for Ridgeline users. However, you can configure Ridgeline to act as a Remote Authentication Dial In User Service (RADIUS) client, allowing it to use an external RADIUS server to authenticate Ridgeline users.

Finally, administrators and super-users can modify properties that affect the performance and configuration of the Ridgeline server. These properties are stored in the Ridgeline database along with other Ridgeline data.

Administration Functions
Ridgeline Access Roles
There are five predefined roles that assign levels of access to Ridgeline functions/groups:

Super-User: Can create, modify, and delete user accounts, roles, any user's password, and groups. Super-users also have read/write access to all other Ridgeline features; they can modify device parameters as well as view status information. This super-user role cannot be modified. This role is assigned to the default user admin.

Administrator: Can create, modify, and delete user accounts and roles, and change users' passwords, except for those belonging to super-users or other administrators. By default, administrators also have read/write access to all other Ridgeline features; they can modify device parameters as well as view status information and statistics. The Administrator role's access to Ridgeline features can be changed or disabled; however, the administrator's ability to create, modify, and delete user accounts and roles cannot be changed.

Disabled: Account information is maintained, but no current Ridgeline access. This role cannot be modified.

Manager: By default, managers have read/write access to all Ridgeline features, but cannot create, modify, and delete user accounts and roles. Can modify device parameters as well as view status information and statistics. The Manager role's access to Ridgeline features can be changed or disabled.

Monitor: Has read-only access to Ridgeline features. Can view status information and statistics. The Monitor role's access to Ridgeline features can be changed or disabled.

The access for each of these roles can be specified on a feature-by-feature basis. With the exception of the disabled role, access to Ridgeline features can be changed or disabled per feature (see Adding or Modifying Roles). Administrators and super-users can also create new roles as needed with any combination of access to features. However, the ability to create, modify, and delete user accounts and roles belongs exclusively to the administrator and super-user roles and cannot be assigned to other roles, either pre-defined or new. The five predefined roles cannot be deleted, nor can the role names be changed. In addition to modifying Ridgeline feature access through roles, users assigned to the administrator or super-user role can disable Ridgeline features globally. When you globally disable a feature, you cannot enable it for any roles. For information about globally enabling or disabling Ridgeline features, see Features Properties.

Ridgeline Users
Users assigned to the administrator or super-user role can create, modify, and delete user accounts and roles, and assign user access levels. There are two default users. All other user names must be added and enabled by a super-user or administrator user:
User     Assigned to Role    Can Be Modified?                                                           Default Password
admin    Super-user          Only the default password can be changed. This user cannot be deleted.    admin
user     Monitor             Yes.                                                                       user

Regardless of your access role, you can change your own password. For information about how to add, delete, and modify user accounts, see User Administration.


Ridgeline and RADIUS Authentication


By default Ridgeline provides its own authentication and authorization for Ridgeline users. However, Ridgeline can be configured to act as a client to an external RADIUS server. RADIUS provides a standard way for Ridgeline and Extreme Networks switches to handle user authentication, unifying ExtremeXOS CLI and Ridgeline user authentication. When Ridgeline acts as a RADIUS client, the external RADIUS server can be configured using a vendor specific attribute (VSA) to provide user role information to Ridgeline along with the logon and password authentication. For additional information about Ridgeline and RADIUS authentication, see Using RADIUS for Ridgeline User Authentication.

Setting Ridgeline Server Properties


A Ridgeline administrator can modify a number of parameters that affect server performance and function. These include communication parameters such as polling intervals, timeouts, port usage, number of retries, and a number of other parameters (see Server Properties Administration).

User Administration

User administration allows you to:
- Create, modify, and delete users and roles
- Change passwords
- Configure the Ridgeline server as a RADIUS client for user authentication
- Modify Ridgeline server properties, such as polling rates, timeouts, port assignments, etc.
- Configure Ridgeline to operate in a distributed server group

You must be logged in as a user with the administrator or super-user role to create, modify, and delete user accounts and roles.

To access the user administrator functions, in the navigation pane, click Ridgeline Users and Servers. The user administration window appears:


Figure 210: User Administration Window

Adding, Modifying, or Deleting User Accounts

Adding or Modifying User Accounts


To add users or modify their accounts (change password, Ridgeline access role, or ExtremeWare access):
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Users, click Open Users tab:
   - To add a new user, click Add.
   - To modify a user, select the desired user in the list, and then click Edit.


   A New User or Modify User dialog box appears with the following fields:
   User Name: The Ridgeline logon name for the user. If you are editing a user, this is filled in and cannot be modified.
   Password: The password for this user.
   Verify Password: The password typed a second time for verification.
   Role: The Ridgeline role for this user. There are five default roles (super-user, administrator, disabled, manager, and monitor), along with any additional roles a Ridgeline administrator or super-user may have created. The super-user role cannot be applied to any user other than the default admin user. Also, the admin user's super-user role cannot be changed to another role.
3 For a new user, enter the appropriate information. For an existing user, make the necessary changes to the password or role.
   Note: You can only change the password for the user admin. Also, you cannot delete the admin user.
4 Click OK. The new user information is stored in the Ridgeline database.
   Note: Changes to a user's account do not take effect until the next time the user logs on.

Deleting Users
You must be logged on as a user with the administrator or super-user role to delete users. Deleting a user removes all information about the user account from the Ridgeline database. To remove all access privileges for a user without removing the user account from the Ridgeline database, modify the user's account, and change the role to disabled (see Adding or Modifying User Accounts).

Note: You cannot delete the admin user.

To delete a user:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Users, click Open Users tab.
3 Select the check box next to the desired user, and then click Delete. A confirmation message appears.
4 Click Yes.

Changing Your Password if You Have Super-User or Administrator Rights


To change your password, if you have super-user or administrator role rights:


1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Users, click Open Users tab.
3 Select the check box next to your user name in the list, and then click Edit. The Modify User dialog box appears.
4 Type your new password into the Password and Verify Password boxes.
5 Click OK. Your new password is stored in the Ridgeline database.
   Note: The change does not take effect until the next time you log on.

Changing Your Password if You Have Manager or Monitor Rights


To change your password, if you have manager or monitor role rights:
1 In the navigation pane, click Change Password. Your user name and Ridgeline role appear, but you cannot change them.
2 Type your new password into the Password and Verify Password boxes.
3 Click Apply. Your new password is stored in the Ridgeline database.
   Note: The change does not take effect until the next time you log on.

Role Administration
If your user role is administrator or super-user, you can add, modify, and delete Ridgeline roles. Roles let you define different combinations of access to Ridgeline features. For each feature, a role can provide read/write, read-only, or disabled access. The Ridgeline server provides five predefined roles:
Super-User: Can create, modify, and delete user accounts, roles, and groups. Super-users also have read/write access to all other Ridgeline features; they can modify device parameters as well as view status information and statistics. In addition, super-users have access to all groups. This super-user role cannot be modified.

Administrator: Can create, modify, and delete user accounts and roles. By default, administrators also have read/write access to all other Ridgeline features; they can modify device parameters as well as view status information and statistics. The administrator role's access to Ridgeline features can be changed or disabled; however, the administrator's ability to create, modify, and delete user accounts and roles cannot be changed.

Disabled: Account information is maintained, but no current Ridgeline access. The disabled role cannot be modified.

Manager: By default, managers have read/write access to all Ridgeline features, but cannot create, modify, and delete user accounts and roles. Can modify device parameters as well as view status information and statistics. The manager role's access to Ridgeline features can be changed or disabled.

Monitor: Has read-only access to Ridgeline features. Can view status information and statistics. The monitor role's access to Ridgeline features can be changed or disabled.

Except for the disabled and super-user roles, you can modify the feature access for each of these roles, but you cannot delete them. You can also create new roles with a combination of access to various Ridgeline features.

Note: In addition to modifying Ridgeline feature access through roles, users assigned to the administrator or super-user role can disable Ridgeline features globally. When you globally disable a feature, you cannot enable it for any roles. For information about globally enabling or disabling Ridgeline features, see Features Properties.

To administer roles:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Roles, click Open Roles tab. The Roles Administration window appears (see the following figure).

Figure 211: The Roles Administration Window

When you select a role, the feature settings for the role appear in the Feature list (lower bottom list).


Adding, Modifying, or Deleting Roles

Adding or Modifying Roles


To add or modify a user role:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Roles, click Open Roles tab:
   - To add a role, click Add.
   - To modify a role, select the check box next to the desired role, and then click Modify. You cannot modify the super-user or disabled roles.
   The New Role or Modify Role dialog box appears:

Figure 212: The New Role and Modify Role Dialog Boxes

3 For a new role, type the role name and an optional description. For an existing role, you can change the description. (You cannot change the role name.)
4 For each feature in the table, select the level of access. The levels of access are:


   Disabled: A user with this role cannot access this feature. The icon will not appear in the navigation toolbar when a user with the role logs into Ridgeline.
   Read Only: A user with this role has read only access to this feature. This means the user can see any status or statistics displays, but cannot make any changes (such as discovering or adding devices, creating Topology maps, and so on).
   Read/Write: A user with this role has full access to this feature.

   Note: For the predefined roles (super-user, administrator, manager, and monitor) you can disable access to Ridgeline features, but you cannot change a feature from read/write to read-only or vice-versa. The super-user, administrator, and manager roles always provide full access to any features for which access is enabled, and the monitor role provides only read-only access to any features for which access is enabled.

5 Click OK to add or modify the role.

If features are globally disabled through the server properties (see Features Properties), you cannot select those features when you add or modify a role. The Access column shows Globally Disabled instead of access options.

Deleting Roles
To delete a role:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Roles, click Open Roles tab.


3 Click the Roles tab. The roles administration window appears:

Figure 213: Roles Administration Window

4 Select the check box next to the role that you want to delete, and then click Delete.
   Note: You cannot delete any of the predefined roles. You also cannot delete a role that is currently assigned to a user.
   A confirmation window appears.
5 Click Yes. This removes the role from the Ridgeline database.

RADIUS Administration
If your user role is administrator or super-user, you can enable Ridgeline as a RADIUS client, and change its port or the RADIUS secret. By default RADIUS authentication is disabled.

When Ridgeline is enabled as a RADIUS client, Ridgeline requests authentication from an external RADIUS server when users attempt to log on to the Ridgeline server. In this case, the external RADIUS server can also be configured to return role information to Ridgeline along with a successful authentication. If this feature is enabled, you must create corresponding roles in Ridgeline for every role that the RADIUS server may return. If a user is authenticated with a role that Ridgeline does not recognize, the user is given the monitor role by default.

Disabling RADIUS in Ridgeline means that Ridgeline's RADIUS server is not available for authenticating users, and it does not request user authentication from an external RADIUS server.
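The role rules from Role Administration and the monitor fallback described above combine into one access decision per feature. The following Python example is added here and is not Ridgeline's own code: it resolves the effective access for a role name returned by RADIUS and lists returned role names that would silently receive monitor access because no matching Ridgeline role exists. The role name strings, the feature names (inventory, firmware), the custom role noc-l1 and the rule that a custom role has no access to a feature it does not list are assumptions made for illustration.

```python
READ_WRITE, READ_ONLY, DISABLED = "read/write", "read only", "disabled"
GLOBALLY_DISABLED = "globally disabled"
FALLBACK_ROLE = "monitor"  # role given when the returned role is not recognized

# Fixed access level a predefined role has for every feature enabled for it.
PREDEFINED_LEVEL = {
    "super-user": READ_WRITE, "administrator": READ_WRITE,
    "manager": READ_WRITE, "monitor": READ_ONLY, "disabled": DISABLED,
}
UNMODIFIABLE = {"super-user", "disabled"}  # roles the guide says cannot be modified

# Constructed role table: per-role overrides, feature name -> access level.
ROLES = {
    "super-user": {}, "administrator": {}, "disabled": {}, "monitor": {},
    "manager": {"firmware": DISABLED},
    "noc-l1": {"inventory": READ_ONLY, "firmware": DISABLED},  # custom role
}


def check_role(name, features):
    """Reject settings the guide says cannot be configured for a role."""
    fixed = PREDEFINED_LEVEL.get(name)
    if fixed is None:
        allowed = {READ_WRITE, READ_ONLY, DISABLED}  # custom role: any combination
    elif name in UNMODIFIABLE:
        allowed = {fixed}
    else:
        allowed = {fixed, DISABLED}  # predefined: keep the fixed level or disable
    bad = {f: a for f, a in features.items() if a not in allowed}
    if bad:
        raise ValueError(f"role {name!r} cannot be set to {bad}")
    return features


def login_role(radius_role, roles):
    """Role applied at logon: an unrecognized role name falls back to monitor."""
    return radius_role if radius_role in roles else FALLBACK_ROLE


def effective_access(radius_role, feature, roles, globally_disabled=()):
    """Access a user gets to one feature after all rules are applied."""
    if feature in globally_disabled:
        return GLOBALLY_DISABLED  # cannot be enabled for any role
    role = login_role(radius_role, roles)
    # Assumption: a custom role has no access to a feature it does not list.
    default = PREDEFINED_LEVEL.get(role, DISABLED)
    return roles[role].get(feature, default)


def silent_fallbacks(radius_roles, roles):
    """Role names the RADIUS server may return that Ridgeline does not define."""
    return sorted(r for r in set(radius_roles) if r not in roles)


if __name__ == "__main__":
    may_return = ["noc-l1", "noc-l2", "manager"]  # constructed RADIUS role list
    print("undefined roles:", silent_fallbacks(may_return, ROLES))
    for role in may_return:
        print(role, "->", effective_access(role, "inventory", ROLES))
```

Running silent_fallbacks against the list of roles configured on the RADIUS server shows which accounts would log on with read-only monitor access instead of being refused.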


Enabling RADIUS for Ridgeline


To enable Ridgeline as a RADIUS client:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under RADIUS, click Open RADIUS tab. The RADIUS administration window appears (see the figure below).

Figure 214: RADIUS Administration Window

3 Under RADIUS Configuration, select Enable system as a RADIUS Client.
4 Type the name or IP address of the primary and secondary RADIUS servers in the appropriate Name/Address boxes. It is recommended, but not required, that you set up both a primary and a secondary RADIUS server for authentication.
5 If either RADIUS server uses a different port than the default port (1812), type that port number in the appropriate Port box.
   Note: Ensure that the port you enter matches the port configured for the RADIUS server or Ridgeline cannot access the RADIUS server.
6 Type the RADIUS server's shared secret in the Secret box for both the primary and secondary RADIUS servers. This shared secret is a shared key which the RADIUS server and its clients use to recognize each other and to securely transmit user passwords.
   Note: If the shared secret is changed in either of the RADIUS servers, you must change it for Ridgeline or Ridgeline cannot access the RADIUS server.


7 Click Apply.
   Note: Some configuration may be required on the external RADIUS server to allow Ridgeline to authenticate users with various roles. For information on how to configure an external RADIUS server to perform Ridgeline user authentication, see External RADIUS Server Setup.
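Step 6 says the shared secret lets the RADIUS server and its clients recognize each other and transmit user passwords securely. The following Python example is added here and is not Ridgeline's own code: it implements the User-Password hiding and the Response Authenticator check defined in RFC 2865, and shows that a client holding a stale secret neither recovers the password nor accepts the server's reply. It assumes the standard User-Password (PAP) attribute, since the guide does not say which method Ridgeline uses; the secrets, password, packet identifier and authenticator value are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

# Constructed sample values.
SERVER_SECRET = b"constructed-shared-secret"
STALE_SECRET = b"secret-before-it-was-changed"
REQUEST_AUTH = bytes(range(16))  # normally 16 unpredictable octets per request
PASSWORD = b"correct horse battery"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """Encode a User-Password value as described in RFC 2865 section 5.2."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # Keystream block is MD5(secret + previous ciphertext block).
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def recover_password(hidden, secret, request_auth):
    """Reverse hide_password; a wrong secret yields unrelated bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def client_accepts(reply_auth, code, ident, attributes, request_auth, secret):
    """True when the reply was produced by a server holding the same secret."""
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    return hmac.compare_digest(reply_auth, expected)


if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SERVER_SECRET, REQUEST_AUTH)
    print("hidden length:", len(hidden))
    print("same secret  :", recover_password(hidden, SERVER_SECRET, REQUEST_AUTH))
    print("stale secret :", recover_password(hidden, STALE_SECRET, REQUEST_AUTH))
    reply = response_authenticator(ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, SERVER_SECRET)
    print("reply accepted with same secret :",
          client_accepts(reply, ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, SERVER_SECRET))
    print("reply accepted with stale secret:",
          client_accepts(reply, ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, STALE_SECRET))
```

Because the keystream is derived only from the shared secret and the authenticator, the protection of the password in transit is no stronger than the secret entered in the Secret box.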

Disabling RADIUS for Ridgeline


To disable the use of RADIUS authentication:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under RADIUS, click the Open RADIUS tab. The RADIUS administration page appears.

Figure 215: RADIUS Administration Page

3 Under RADIUS Configuration, click Disable RADIUS.
4 Click Apply.

Server Properties Administration


If your user role is administrator or super-user, you can modify properties that affect the function and performance of the Ridgeline server.

To modify server properties:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Server Properties, click the Open Server Properties tab. The Server properties configuration window appears.


Figure 216: Server Properties Configuration Window

3 Select a set of properties from the Select server properties area to configure drop-down menu:
   - Logging
   - SNMP
   - External Connections
   - Device
   - Scalability
   - Alarms
   - Other
   - E-Mail
   - MAC Polling
   - Configuration Management Properties
   - Features
4 Associated fields appear for the selected set of properties. For information about the fields, see the following sections.
   Note: To change the value for a property, click the box under the Property Value column, and then for:
   - True/false properties: click to switch the value.
   - Multiple choice value properties: click to display a drop-down list of possible values.
   - Freeform choice properties: click in the box to display the cursor, and then type a value.
5 Click Apply.

To undo your changes:
- To undo your immediate changes, click Reset.
- To restore the values to the installation default values, click Reset To Defaults.

For some changes to take effect, you need to restart the Ridgeline server. For information about restarting the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.


Logging Properties
Note: To change the value for a property, click the box under the Property Value column to display a drop-down list of possible values.

When you select Logging from the drop-down list, you can set the following properties (see the following figure):

Figure 217: Logging Properties

Client Log Level and Server Log level: Sets the level of detail to be included in the logs collected at the client machine side and server side (for example, nms_server.log and jboss_server.log), respectively:
- ALL
- TRACE: Provides more detail than INFO.
- DEBUG
- INFO: Default value.
- WARN
- ERROR
- FATAL
- OFF: No logging information

Note: INFO is the default setting for both the client and server log levels. Generally, you should leave this setting as-is, unless directed to change it by Extreme Networks technical support.

SNMP Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
- Multiple choice value properties: click to display a drop-down list of possible values.
- Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select SNMP from the drop-down list, you can set the following properties:


Figure 218: SNMP Properties


Enable Global Trap Forwarding: When global trap forwarding is enabled, traps are forwarded based on the following parameters:
- Trap conversion
- Trap forwarding community
- Trap forwarding host
- Trap forwarding port

Number of retries: The number of SNMP requests that should be attempted before giving up, for a request that has timed out. The default is one.

Poll interval (in minutes): The interval, in minutes, between SNMP polls of a switch to fetch basic device status information. The default is five minutes. The range is one minute to one hour. You can disable all SNMP polling by setting this property to zero.
   Note: This Poll Interval is not the same as the Device Polling Interval you can set through the Inventory Manager. The Device Polling Interval controls the frequency of polling for detailed device information such as software version, BootROM version, and so on. The polling interval set here in the Ridgeline Administration window controls only the basic SNMP status information necessary to ensure SNMP reachability, and is typically performed relatively frequently.

System Trap Receiver Port: The port on which Ridgeline expects to receive traps. Default is port 10550.
   Note: You must restart the server to enable a change to this property. A notification appears reminding you that a restart is required.

Timeout period (in seconds): The length of time, in seconds, to wait for an SNMP poll request to complete before timing out. The default is five seconds. The range is one to 60 seconds. This setting determines the timeout interval only for the first unsuccessful SNMP request; once a request times out, subsequent requests will time out more slowly, based on an exponential timeout back-off algorithm, until it reaches the maximum number of retries.

Trap conversion: The version of SNMP to which traps should be converted:
- No conversion: Trap will be sent as is.
- Convert trap to SNMPv1
- Convert trap to SNMPv2c

Trap forwarding community: The community string for the specified host.

Trap forwarding host: The host name or IP address of the system to which traps should be forwarded.

Trap forwarding port: The port on which the specified host receives traps (by default, port 162).

External Connections Properties


Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select External Connections from the drop-down list, you can set the following properties (see the following figure).

Figure 219: External Connections Properties

HTTP Proxy Device: The IP address or hostname of an HTTP proxy device used to connect to the Extreme Networks website if your network uses a firewall. When an HTTP proxy is configured, all HTTP connections are made through the proxy server rather than directly to Extreme Networks.

HTTP Proxy Port: The port number for the HTTP Proxy, used to connect to the Extreme Networks website if your network uses a firewall.

Load Information from http://www.extremenetworks.com: Enabling this specifies that Ridgeline can automatically connect to the Extreme Networks website to update image information using an external (web) connection. The external connection is used by Ridgeline to query the Extreme Networks web site for the latest versions of ExtremeWare software images and BootROM images. It uses this information to determine if the versions running in your switches are current, or are obsolete. This information is shown in the Firmware Manager. This also determines the latest version and patch level of the Ridgeline software, and compares the information to the version currently running. If a newer version is available, it is noted on the basic status page, displayed when you first launch Ridgeline. If you selected Yes to the Automatic Information Updates question when you installed the Ridgeline server, this property will be enabled.


Device Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select Device from the drop-down list, you can set the following properties:

Figure 220: Devices Properties

AirDefense Services (ADSP) Server URL: URL of the AirDefense Services Platform (ADSP) to manage wireless controllers and access points.

Automatically save configuration on device: Enabling this indicates that Ridgeline automatically saves the configuration to a switch whenever configuration changes are made. This is the default setting. If this setting is disabled, you must use the Save command to save changes to a switch configuration.

Device HTTP Port: The port that the Ridgeline server uses to communicate with devices. Default is port 80.

Device SSH Port: The TCP port number that Ridgeline uses to connect with the switch using the SSH protocol. The default is port 22.

Device Telnet Port: The port that the Ridgeline server uses to Telnet to a switch. Default is port 23.

Enable Syslog Server: Enabling this specifies that the Ridgeline server behaves as a Syslog receiver to receive Syslog messages. The default is enabled. On the device side, remote logging must be enabled, and the switch must be configured to log to the Ridgeline server. The default on Extreme switches is that logging is disabled. You can use the Ridgeline Telnet feature or the ExtremeXOS or ExtremeWare command line to configure your switches appropriately.

Accept SysLog Messages With Min Severity: The minimum severity level of messages to be logged in a switch Syslog file. All messages with severity equal to or higher than the setting you select are logged. The default is 6: Information.

Syslog Server Port: The port used for remote syslog communication from a switch. Default is port 514.

Poll Devices using Telnet: Enables CLI/Telnet polling. This disables EDP polling. It also disables polling for Netlogin information, and disables FDB polling for edge port MAC address information.


Telnet Login Timeout Period (in seconds): The length of time, in seconds, after which a CLI/Telnet logon request to a switch should time out. The default is 10 seconds; the range is 1 to 30 seconds.

Use system login/password for Telnet/SSH: Enabling this enables using your Ridgeline logon name and password when you initiate Telnet or SSH2 sessions with the switch. Background functions, including trap handling, polling, and scheduled operations continue to use the Telnet/SSH logon and password configured for the switch using the Inventory Manager.

Scalability Properties
Changing the thread pool size, default thread allocation size, number of SNMP sessions, and the number of traps and syslog messages Ridgeline processes per minute lets you configure the Ridgeline server to provide better performance based on the amount of server resources (number and speed of processors, amount of memory) available. Changing these values should not normally be necessary unless you are managing a very large number of devices (more than 1,000 devices).

If you are managing more than 1,000 devices, you should run the Ridgeline server on a system with a 1 GHz or faster processor, and at least 1 GB of physical memory. You may also improve the performance of the Ridgeline server by changing the following parameters.

Note: Changing the scalability properties on a system without suitable hardware could actually decrease the performance of the Ridgeline server. You should not change the values for traps and syslog messages accepted unless the Ridgeline server reports dropping lots of traps. To see the effects of the current scalability settings, run the Server State Summary Report under Reports > Ridgeline Server.

Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select Scalability from the drop-down list, you can set the following properties (see the following figure):


Figure 221: Scalability Properties

The following properties affect the scalability of Ridgeline:

Number of Interactive Telnet Sessions: This specifies the maximum number of interactive Telnet sessions allowed.

Syslog messages per Device in 1/2 Minute: This specifies the maximum number of syslog messages that can be received from an individual device in 28 seconds. If more than this number of traps are received within a 28-second interval, the excess messages are ignored. The default value is 50, with a range of 20 to 250.

Thread Default Allocation Size: This specifies the default number of threads allocated for a process request. The default is 20.

Thread pool size: This specifies the maximum number of threads available. The default is 40.

Total syslog messages Accepted per Minute: This specifies the maximum number of syslog messages that Ridgeline can receive in one minute from all managed devices. If more than this number of messages are received within a one-minute interval, the excess messages are ignored. The default is 275; the maximum you can set is 275.

Total Traps Accepted per Minute: This specifies the maximum number of traps that Ridgeline should receive from all managed devices in 55 seconds. Exceeding this limit triggers the alarm, "incoming SNMP traps reached maximum" (see Predefined Alarms on page 238). The default is 275; the maximum you can set is 275.

Traps per Device in 1/2 Minute: This specifies the number of traps that should be received from an individual device in 28 seconds. Exceeding this limit triggers the alarm, "incoming SNMP traps reached maximum" (see Predefined Alarms on page 238). The default value is 50, with a range of 5 to 60.
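To estimate how many syslog messages the server would ignore under the per-device and total limits described above, the following added example (not part of the original guide and not Ridgeline code) replays constructed arrival times against the documented defaults. The fixed-window accounting, the function names and the sample arrivals are assumptions; the guide states only the limits and their intervals.

```python
from collections import defaultdict

# Defaults quoted from the Scalability properties above.
PER_DEVICE_LIMIT = 50      # Syslog messages per Device in 1/2 Minute
PER_DEVICE_WINDOW_S = 28   # per-device interval stated in the guide
TOTAL_LIMIT = 275          # Total syslog messages Accepted per Minute
TOTAL_WINDOW_S = 60


def account(arrivals, per_device=PER_DEVICE_LIMIT, total=TOTAL_LIMIT):
    """Return {device: (accepted, ignored)} for (timestamp_seconds, device) arrivals.

    Assumption (not from the guide): both limits use fixed windows that start
    at t=0, and a message must fit under both limits to be accepted.
    """
    per_dev_seen = defaultdict(int)   # (device, window index) -> accepted so far
    total_seen = defaultdict(int)     # window index -> accepted so far
    tally = defaultdict(lambda: [0, 0])
    for ts, device in sorted(arrivals):
        dev_key = (device, int(ts // PER_DEVICE_WINDOW_S))
        tot_key = int(ts // TOTAL_WINDOW_S)
        if per_dev_seen[dev_key] >= per_device or total_seen[tot_key] >= total:
            tally[device][1] += 1     # excess message: ignored by the server
            continue
        per_dev_seen[dev_key] += 1
        total_seen[tot_key] += 1
        tally[device][0] += 1
    return {device: tuple(counts) for device, counts in tally.items()}


def burst_scenario():
    """Constructed input: one device logs 120 messages in 12 s, another logs 10."""
    noisy = [(i * 0.1, "core1") for i in range(120)]
    quiet = [(30 + i, "edge1") for i in range(10)]
    return noisy + quiet


def fan_in_scenario():
    """Constructed input: 7 devices each log 45 messages over 22 s (315 total)."""
    return [(i * 0.5, f"d{n}") for i in range(45) for n in range(7)]


def ignored_share(result):
    """Fraction of all messages that were ignored."""
    accepted = sum(a for a, _ in result.values())
    ignored = sum(i for _, i in result.values())
    return ignored / (accepted + ignored)


if __name__ == "__main__":
    for name, scenario in (("burst", burst_scenario()), ("fan-in", fan_in_scenario())):
        result = account(scenario)
        print(name, result, f"ignored={ignored_share(result):.0%}")
```

In the fan-in case no single device exceeds its own limit, yet every device loses messages once the total limit is reached, which matters when the Ridgeline syslog view is used to reconstruct events.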

Alarms Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select Alarms from the drop-down list, you can set the following properties (see the following figure):


Figure 222: Alarms Properties


Drop VLAN Port Membership Traps: This property disables the VlanService from handling smart traps that are generated by the devices for port additions and deletions on VLANs.

Defines relative/absolute time representation in alarm related views: By default, time values on the Outstanding and Cleared Alarms And Events tabs are shown in "absolute" values. If you select the check box for this property, then relative times from when the client was started appear instead.
Note: You must restart the client to enable a change to this property.

Maximum number of days to keep the alarms/events history: Maximum number of days to keep events. When this value is exceeded, older alarms and events are copied to Alarms.txt and Events.txt. For more information, see Retention of Historical Alarms and Events on page 247.

Maximum records to be in alarms/events history: Maximum number of records to keep in alarms/events history. When this value is exceeded, excess alarms and events are copied to Alarms.txt and Events.txt. For more information, see Retention of Historical Alarms and Events on page 247.

Timeout on moving single events to historical (in hours): Maximum amount of time (in hours) that an event is shown in the Alarm Manager Outstanding view (tab). When an event exceeds this time it is moved to the single events table on the Cleared Alarms and Events tab. The default value is 5 hours, with a range of 1 to 24 hours. For more information about the single events table and the Cleared Alarms and Events tab, see The Cleared Alarms and Events Tab on page 252.

Other Properties
Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select Other from the drop-down list, you can set the following properties (see the following figure):


Figure 223: Other Properties


Client Port: The TCP port number that a client uses to connect to the Ridgeline server. The default is 0, meaning that the server uses any available port. You can use this setting to specify a fixed port number that the Ridgeline server uses. For example, if the Ridgeline server is behind a firewall, you may need to provide a fixed port number to allow clients to connect through the firewall.
Note: You must restart the server to enable a change to this property. A notification appears reminding you that a restart is required.

Device Tree UI: A setting that specifies how devices are identified in the Component Trees and in selected other locations. You can choose to have the component tree show the device name only, the device name followed by the IP address in parentheses, or the device IP address followed by the device name in parentheses. The default is device name followed by the device IP address.

DHCP Temporary Lease: A setting that informs the server how long to wait before querying a switch for a netlogin or a permanent IP address from an 802.1x client. The default is 20 seconds.

DNS Lookup Timeout Period (in seconds): The timeout period, in seconds, when performing DNS lookup operations for hosts found through DLCS or when importing from an NT Domain Controller. The default is one second.

Enable Link Up/Link Down Correlation: Enables correlation between link up and link down traps on a port. When this is enabled (true), a link down trap that is followed quickly (within 20 seconds) by a link up trap on the same port is ignored by the Alarm Manager. This feature is disabled (false) by default.

IP Qos Rule Precedence: The starting value that the Ridgeline server uses for setting precedence for IP QoS rules. This is an integer between 1 and 25,000. The default value is 10,000.

Port Tree UI: A setting that specifies how ports are identified in the component trees and in selected other locations. You can choose to have the component tree show the port number only, or the port number followed by the port name in parentheses (if a name or display string has been associated with the port). The default is port number only.

Service Watch URL: The URL for accessing ServiceWatch, to allow it to be started from the Ridgeline navigation toolbar, and to run in the main Ridgeline window. For example, if ServiceWatch is running on a system named tampico at port 2000, enter http://tampico:2000 as the ServiceWatch URL, and then restart the Ridgeline server to activate the ServiceWatch integration. For more information about how to restart the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.


Session Timeout Period (in minutes): The non-activity timeout period, in minutes, after which the user is required to log back on to the Ridgeline server. The default is 30 minutes. You can disable the timeout by setting the property to -1. To activate the session timeout period, you must also edit the < >deploy/extreme.war/client.properties file, and set the epicenter.client.enable.inactivity.monitor setting to true.

Show device-image navigation by default: This setting can be enabled (true) or disabled (false).

Telnet Screen Width: The number of columns available on the screen for the Telnet application. The default number of columns is 80. The range is between 40 and 180 columns.

Update Type Library on Server: This function updates the Ridgeline type library, which is a repository of information about devices (primarily from Extreme Networks) that are supported by Ridgeline.
Note: If you are adding a third-party device that had been listed as unknown in the Inventory Manager, then after updating the type library, you must log off of Ridgeline, and then log back on again, for the device to appear correctly in the Inventory Manager.
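The Enable Link Up/Link Down Correlation behavior described above, as an added example (not part of the original guide and not Ridgeline code): it applies the 20-second rule to constructed trap records and counts the link flaps that correlation keeps out of the Alarm Manager. The Trap record, the function names and the three-flap review threshold are assumptions.

```python
from dataclasses import dataclass

CORRELATION_WINDOW_S = 20  # "within 20 seconds", from the property description


@dataclass(frozen=True)
class Trap:
    ts: float     # seconds since the start of the capture
    device: str
    port: str
    kind: str     # "linkDown" or "linkUp"


def correlate(traps, enabled=True, window=CORRELATION_WINDOW_S):
    """Return (alarms, suppressed).

    alarms: linkDown traps that still reach alarm processing.
    suppressed: (down, up) pairs ignored because the link up followed the
    link down on the same port within the window.
    """
    alarms, suppressed = [], []
    pending = {}  # (device, port) -> most recent unmatched linkDown
    for trap in sorted(traps, key=lambda t: t.ts):
        key = (trap.device, trap.port)
        if trap.kind == "linkDown":
            if key in pending:            # earlier down never saw an up
                alarms.append(pending[key])
            pending[key] = trap
        elif trap.kind == "linkUp" and key in pending:
            down = pending.pop(key)
            if enabled and trap.ts - down.ts <= window:
                suppressed.append((down, trap))
            else:
                alarms.append(down)
    alarms.extend(pending.values())       # links that are still down
    alarms.sort(key=lambda t: t.ts)
    return alarms, suppressed


def flap_report(suppressed, threshold=3):
    """Ports with at least `threshold` suppressed flaps: no alarm fired, but
    the pattern (bad cable, failing optic, device being re-plugged) merits review."""
    counts = {}
    for down, _up in suppressed:
        key = (down.device, down.port)
        counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample traps (not captured from a real network).
SAMPLE = [
    Trap(0, "sw1", "1:5", "linkDown"), Trap(4, "sw1", "1:5", "linkUp"),
    Trap(60, "sw1", "1:5", "linkDown"), Trap(66, "sw1", "1:5", "linkUp"),
    Trap(120, "sw1", "1:5", "linkDown"), Trap(131, "sw1", "1:5", "linkUp"),
    Trap(30, "sw2", "2", "linkDown"), Trap(75, "sw2", "2", "linkUp"),  # 45 s outage
    Trap(200, "sw3", "7", "linkDown"),                                 # never recovers
]

if __name__ == "__main__":
    alarms, suppressed = correlate(SAMPLE)
    print("alarms:", [(a.device, a.port, a.ts) for a in alarms])
    print("suppressed flaps:", len(suppressed))
    print("review:", flap_report(suppressed))
```

With correlation enabled, the three short flaps on sw1 port 1:5 raise no alarm; the trap log is the only place they remain visible.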

E-mail Properties
To allow the Alarm Manager to send e-mail when alarms occur, you must first configure the server to send e-mail.

Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select E-Mail from the drop-down list, you can set the following properties (see the following figure):

Figure 224: E-mail Properties


Authentication enabled: Select this if your mail server authenticates the user before sending out e-mail and enter the username and password of an account that the SMTP server accepts. Usually this is the account you use to log on to your network. If you don't know if your server requires authentication, you can enter the authentication information regardless; it is ignored if it is not needed.

From address: The e-mail address that should be used as the sender of the e-mail.

SMTP Host: The outgoing mail server name (or IP address).


MAC Polling Properties


MAC Address polling is used to identify edge ports and get the status of the devices on those ports. MAC Polling must be enabled to see the edge port FDB display in the Inventory Manager and Device Properties displays, and to enable a database-only search in the IP/MAC Address Finder window.

Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select MAC Polling from the drop-down list, you can set the following properties (see the following figure):

Figure 225: MAC Polling Properties


Enable MAC Polling: Selecting this enables MAC address polling. Polling is disabled by default.

System Load (Note: This property only appears if you select Enable MAC Polling.): Tells Ridgeline how much impact on Ridgeline server performance is acceptable due to the MAC address polling cycle. Ridgeline uses the System Load setting, in conjunction with the length of time it took for the most recent set of Telnet requests to complete, to calculate how long to wait before issuing the next set of Telnet requests. A low value (recommended) means Ridgeline calculates a relatively longer interval before the next set of Telnet requests, to place a lighter load on the Ridgeline server. This in turn means it takes longer for the server to accomplish a complete MAC Address polling cycle. A higher value (greater than 50) results in shorter elapsed times between sets of Telnet requests, at the cost of a heavier load on the Ridgeline server due to MAC address polling. However, if your polling data is frequently out of date, lowering this setting may result in more timely data.

Ridgeline implements MAC Address polling using Telnet to retrieve FDB and ARP table data from the applicable devices (devices that support FDB polling and for which FDB polling has been enabled in the Inventory Manager). Telnet requests are initiated in sets; requests are sent to groups of devices simultaneously. A MAC address polling cycle is complete when these multiple sets of requests have resulted in the retrieval of FDB table data from all eligible devices. Once a polling cycle finishes, a new polling cycle begins. Individual devices are polled once in each MAC address polling cycle. The interval between polls of the FDB on a given device (the length of time before FDB data is refreshed) is a function of the number of devices being polled per cycle, and the interval between the sets of Telnet polls in a complete polling cycle.


Ridgeline calculates the interval between sets of Telnet requests dynamically, based on the length of time it took for the previous set of Telnet requests to complete. Ridgeline assumes that if a set of Telnet requests takes a long time to complete, it means the Ridgeline server is more heavily loaded than if the requests complete quickly. The system load setting tells Ridgeline whether the calculated interval between sets of Telnet requests should be relatively longer or shorter compared to the perceived Ridgeline server load. Ridgeline uses the system load setting, along with the time it took for the last set of Telnet requests to complete, to determine how long to wait before issuing the next set of Telnet requests. The Server State Summary Report includes poller statistics showing the status of the polling activity (see Server State Summary Report).

Configuration Management Properties


Note: To change the value for a property, click the box under the Property Value column, and then for:
Multiple choice value properties: click to display a drop-down list of possible values.
Freeform choice properties: click in the box to display the cursor, and then type a value.

When you select Configuration Management Properties from the drop-down list, you can set the following properties (see the following figure):

Figure 226: Configuration Management Properties


Backup request timeout: The amount of time (in seconds) allotted for a configuration backup operation to occur. If a backup takes more time than allotted through this property, then the operation fails. The default value is 900 seconds.

Restore request timeout: The amount of time (in seconds) allotted for a configuration restore operation to occur. If a restore takes more time than allotted through this property, then the operation fails. The default value is 900 seconds.

Switch reboot wait time: After a configuration is restored on a device, the device is rebooted, and then Ridgeline waits for the device to reboot successfully, and then tries to re-sync with the device. This property sets the amount of time allotted for Ridgeline to detect that the device has rebooted after a configuration restore operation.


Features Properties
Disabling a feature through the server properties disables it for all Ridgeline users, regardless of their role. Features can also be controlled through the roles that users are assigned to (see Role Administration). When you select Features from the drop-down list, you globally control which Ridgeline features are accessible to users (see the following figure).

Figure 227: Feature Properties

Enabling/disabling a feature:

Adds/removes the associated feature from the navigation pane (left pane) for all Ridgeline users.
Adds/removes the entries, if appropriate, from the Device and Tools menus, and from shortcut menus.
Makes the feature available/unavailable when creating or modifying roles.
(For the Alarm Manager) enables/disables the generation and processing of alarms. However, traps and events are still logged, and traps are still forwarded if required.
(For the Alarm Manager or the Configuration Manager) adds/removes the associated report links from the main Reports window (under Logs).

By default, all features are globally enabled. To globally enable/disable features:


1 For the desired feature, click the box under the Property Value column to switch between true/false values.
2 Click Apply.

You can control the following features:

Alarm Manager: Allows users to create, modify, and view alarms. When this feature is disabled, the Alarms command doesn't appear in the Device menu, whether or not a device has been selected.

Audit Log: Allows users to view script and profile-related actions, and run some scripts. When this feature is disabled, the Ridgeline navigation toolbar does not display Audit Log under Alarms and Events.

Configuration Manager: Allows users to upload, download, and view configuration files. When this feature is disabled, the Ridgeline navigation toolbar does not display Configuration Manager under Administration.

Device Manager: Gives users access to the browser-based ExtremeXOS ScreenPlay or ExtremeWare Vista device management interfaces.

EAPS provisioning: Allows users to create and modify EAPS domains. Monitoring EAPS domains is base functionality. When this feature is disabled, users cannot make changes to EAPS domain configurations.

Ethernet services monitoring: Allows users to view the E-Line and E-LAN services created through Ridgeline. When this feature is disabled, users cannot see Ethernet services under Main View when they click Show Services.

Firmware Manager: Allows users to view and upgrade software and bootROM images. When this feature is disabled, the Ridgeline navigation toolbar does not display Firmware Manager under Administration.

IP/MAC address finder: Allows users to search for IP and MAC addresses on the network.

Maps: Allows users to create, modify, and view network maps for device groups.

Monitor network users

Network security manager

Options: Allows users access to configure map-related parameters.

PBB monitoring: Allows users to monitor BVLANs and related SVLANs, CVLANs, and ISIDs. When this feature is disabled, users cannot view PBB information in the Main View. Also, PBB provisioning is disabled as well.

PBB provisioning: Allows users to create and modify BVLANs.

Policy management: Allows users to manage network policies. When enabled, users can create, edit, and delete network policies.

Role-based access control

Scripts: Allows users to create, run and view system scripts. When this feature is disabled, the Ridgeline navigation toolbar does not display Scripts under Network Configuration.

Telnet: Allows users to telnet into devices.

Universal-port profile manager: Provides tools for managing and creating ExtremeXOS profiles in Ridgeline and deploying them on the network. When this feature is disabled (check box cleared), the Ridgeline navigation toolbar does not display Universal Port Profile Manager under Network Configuration.


Virtualization management: Enables network administrators to monitor, secure, and manage virtual machines (VMs). When this feature is disabled, the Ridgeline navigation toolbar does not display Virtualization under Network Configuration.

VLAN monitoring: Enables displaying of VLAN information throughout Ridgeline.

VLAN provisioning: Allows users to create and modify VLANs. Monitoring VLANs is base functionality. When this feature is disabled, users cannot make changes to VLAN configurations, but can still view VLAN configurations.

VMAN Provisioning: Allows users to create and modify VMANs. Monitoring VMANs is base functionality. When this feature is disabled, users cannot make changes to VMAN configurations, but can still view VMAN configurations.

VPLS monitoring: Allows users to view VPLS domains. When this feature is disabled, users cannot view VPLS information in the Main View.

Distributed Server Administration


Note: The Distributed Server functionality is part of the Ridgeline Base-50 product, a separately licensed feature of the Ridgeline software. If you do not have a Distributed Server license, only Single Server mode and Distributed Group Member modes are enabled.

If your user role is administrator or super-user, if you have a Distributed Server license, and if you have multiple Ridgeline servers installed on your network, you can configure these servers to operate in a distributed server mode. Distributed Server mode allows multiple Ridgeline servers, each managing their own sets of devices, to be designated as a server group, and to communicate status between the servers in the group. One server acts as a server group manager, and the other servers act as server group members. Each server in the server group is updated at regular intervals with a list of other servers, and with network summary and status information from the other servers in the group.

In distributed server mode, the Ridgeline home page shows status information from the other servers in the group in addition to the standard Network Summary report.

To set up multiple Ridgeline servers in distributed server mode:
1 Set up one Ridgeline server as the server group manager (see Configuring a Server Group Manager).
2 Set up one or more Ridgeline servers as server group members (see Configuring a Server Group Member).

Configuring a Server Group Manager


To function as the server group manager, the Ridgeline server must have a host name that is configured through DNS. To configure a Ridgeline server as a server group manager:


1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Distributed Server, click Open Distributed Server tab. The Distributed Server Administration window appears:

Figure 228: Distributed Server Administration Window

3 Under Server Group Type, select Server Group Manager. The controls in Server Group Manager area are now available.
4 Under Server Group Manager, type the shared secret in the Secret box. The secret is a shared key that allows the cooperating Ridgeline servers to recognize each other and to securely transmit server data. The default shared secret is secret.
Note: If you change the secret in one Ridgeline server, you must also change it for all other servers in the group.
5 Type a value (in minutes) for the desired frequency of communication between the server group manager and the other server group members in the Poll Interval (Mins) box. The default is 10 minutes.
6 Add the members of the server group:
a Click Add.
b Type the host name or IP address of the group member server in the Server box. A server group member does not need to have a DNS-translatable host name.


c Type the port used to communicate with the server member in the Port box. This port must match the HTTP port configured for the server group member.
d Click OK to add this server to the server group. Servers added to the server group must be configured as server group members (see Configuring a Server Group Member on page 367).
Note: To delete a server from the server group, select the server, and then click Delete.
7 Click Apply.

Configuring a Server Group Member


To configure a Ridgeline server as a server group member:
1 In the navigation pane, click Ridgeline Users and Servers.
2 Under Distributed Server, click Open Distributed Server tab. The Distributed Server Administration window appears:

Figure 229: Distributed Server Administration Window

3 Under Server Group Type, click Server Group Member. The controls in Server Group Member area are now available.
4 Under Server Group Member, type the host name or IP address of the server that acts as the server group manager in the Server Group Manager box.


5 Under Server Group Member, type the port number for communication with the server group manager in the Port box. This port number must match the HTTP port configured for the Ridgeline server acting as the server group manager. The default is port 8080.
6 Under Server Group Member, type the shared secret in the Secret box. The secret is a shared key that allows the cooperating Ridgeline servers to recognize each other and to securely transmit server data. The default shared secret is secret.
Note: If you change the secret for one Ridgeline server, you must also change it for all other servers in the group.
7 Click Apply.
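A consistency check for the two procedures above (Configuring a Server Group Manager and Configuring a Server Group Member), as an added example that is not part of the original guide: it compares the values entered on each server and reports a default shared secret, mismatched secrets and mismatched ports. The record layout, field names, host names and finding labels are constructed for the example; the values are assumed to be transcribed by hand from each server's Distributed Server Administration window.

```python
import ipaddress

DEFAULT_SECRET = "secret"   # default shared secret stated in the guide


def is_ip_literal(host):
    """True when host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_group(manager, members):
    """Return a list of (server, finding) tuples; an empty list means consistent.

    manager and members use a hypothetical record layout (see the samples below).
    """
    findings = []
    # The guide requires the manager to have a host name configured through DNS.
    if is_ip_literal(manager["host"]):
        findings.append((manager["host"], "manager-needs-dns-name"))
    if manager["secret"] == DEFAULT_SECRET:
        findings.append((manager["host"], "default-secret"))

    by_host = {m["host"]: m for m in members}
    listed = set()
    for host, port in manager["member_list"]:
        listed.add(host)
        member = by_host.get(host)
        if member is None:
            findings.append((host, "no-member-record"))
            continue
        if member["mode"] != "member":
            findings.append((host, "not-in-member-mode"))
        # Manager step 6c: the port must match the member's HTTP port.
        if port != member["http_port"]:
            findings.append((host, "member-port-mismatch"))
        if member["manager_host"] != manager["host"]:
            findings.append((host, "wrong-manager-host"))
        # Member step 5: the port must match the manager's HTTP port.
        if member["manager_port"] != manager["http_port"]:
            findings.append((host, "manager-port-mismatch"))
        # The secret must be the same on every server in the group.
        if member["secret"] != manager["secret"]:
            findings.append((host, "secret-mismatch"))
    for host in by_host:
        if host not in listed:
            findings.append((host, "not-listed-on-manager"))
    return findings


# Constructed sample records (hypothetical hosts and values).
MANAGER = {
    "host": "rl-mgr.example.net", "http_port": 8080, "secret": "secret",
    "member_list": [("rl-east.example.net", 8080), ("10.0.0.7", 8080)],
}
MEMBERS = [
    {"host": "rl-east.example.net", "mode": "member", "http_port": 8080,
     "manager_host": "rl-mgr.example.net", "manager_port": 8080, "secret": "secret"},
    {"host": "10.0.0.7", "mode": "member", "http_port": 8081,
     "manager_host": "rl-mgr.example.net", "manager_port": 8080,
     "secret": "constructed-value-2"},
    {"host": "rl-lab.example.net", "mode": "member", "http_port": 8080,
     "manager_host": "rl-mgr.example.net", "manager_port": 8080, "secret": "secret"},
]

if __name__ == "__main__":
    for server, finding in audit_group(MANAGER, MEMBERS):
        print(f"{server}: {finding}")
```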


22 Using the Universal Port Manager

Overview of the Universal Port Profile Manager
Network Profiles View
Managed Profiles Tab
Creating and Editing UPM Profiles
Profile Trigger Events
Universal Port Event Variables

This chapter describes how to use the Universal Port Manager. In Ridgeline, the Universal Port Manager is known as the Profile Manager.

Overview of the Universal Port Profile Manager


The Ridgeline Universal Port Profile Manager (UPM) provides tools for managing and creating ExtremeXOS profiles in Ridgeline and deploying them on the network. Ridgeline UPM provides:
A user-friendly profile editor for rapid profile authoring.
Centralized monitoring and management of network-wide profiles.
A repository for storing your profiles and templates.
Prepackaged profile templates and the ability to easily import external profiles.
Ability to deploy profile scripts onto multiple devices in a single deployment.
Interactive, real-time profile testing and debugging by event simulation.
Manual and/or periodic network synchronization to track profile changes on the network.
Detailed audit log for all profile change activities done by this Ridgeline server to the network.
Importation of profiles from your local machine.
Diff tool to find out the network profile changes carried out by users manually or using third-party tools.

To start UPM, in the navigation pane, click Universal Port Profile Manager.

Users with admin and super-user privileges can create, modify, and deploy profiles (for information about setting roles and permissions, see Overview of User Administration on page 339). All other users can view the profiles and details but cannot modify, run, or test them.

ExtremeXOS Software Requirements


The Universal Port Manager manages profiles from switches with ExtremeXOS version 12.0 or later.

Using the Universal Port Manager

Before you start using Ridgeline UPM:

- Make sure that SNMP is enabled on switches, so that you can add devices into Ridgeline's inventory.
- Enable HTTP or HTTPS on the devices to be managed by the UPM.

To enable HTTP on the device, use the command:
    enable web http

To enable HTTPS on the device, use the command:
    enable web https

UPM Functions
Ridgeline UPM is organized into two functional areas:
- The Network Profiles tab, where you can view, enable, disable, edit configuration, run, and delete the profiles deployed on the Extreme devices. You can also change the profile event binding or port binding configuration on switches.
- The Managed Profiles tab, where you can import, export, create, view, edit, save, delete, test, and deploy profiles.

In addition, you can use the Ridgeline Audit Log to view the profile actions performed on the network devices by Ridgeline, and redeploy profiles to devices where you had deployed them earlier. For ease of profile management with a large network of devices, use device groups and port groups whenever possible to facilitate the profile deployment.

Figure 230: Universal Port Manager Window

Understanding UPM Terminology


The following table describes the terminology used by Ridgeline UPM.


Table 13: UPM Terminology

Term: Description
Profiles: Files with commands or scripts that can be run on a switch.
Static profile: A profile that is bound to a USER-REQUEST event. A static profile is an ExtremeXOS term for a profile not bound to any ExtremeXOS event. The changes made to a switch using a static profile or USER-REQUEST triggered profile are persistent. If you execute the save config command, the configuration changes remain even if you reboot the switch.
Dynamic profile: A profile that is bound to events other than a USER-REQUEST event. The scripts are run only when an event occurs, or when a timer triggers; for example, when a new IP phone is detected on the network. The changes made to a switch by a dynamic profile are not persistent. The changes are lost if you restart the switch.
Device profile: A profile that can be triggered by an LLDP DEVICE-DETECT or DEVICE-UNDETECT event.
User Profile: A profile that can be triggered by a USER-AUTHENTICATED or USER-UNAUTHENTICATED event.
Ridgeline profile: A switch profile that is saved in Ridgeline.
Non-Ridgeline profile: A switch profile that is not saved in Ridgeline.
Deployed profile: A profile saved in Ridgeline locally and that is deployed on a device on the network. Ridgeline allows you to create a profile and deploy it to devices or to import profiles already existing on a device into Ridgeline.
Ridgeline Profile Status: Status of the Ridgeline Profile on a switch. The status can be:
  - Same as Deployed: The profile on the switch is the same as the one in Ridgeline.
  - Missing: A profile managed by Ridgeline that was deployed to a device is missing from the device.
  - Different than Deployed: The profile on the switch is different from the one in Ridgeline records.
  - N/A: The profile is not saved in Ridgeline. This is a non-Ridgeline profile, so Ridgeline status is not applicable.
Trigger Event: Event that causes a profile to run. For example, when a user is authenticated, a device is detected, or a timer is triggered.
Event Binding: The link between an event and what needs to be executed.
Port Binding: The link between the port and the profile execution on the port.
Profile environment variables: Variables (or parameters) used in the profile commands, such as $VLAN or $ports.
System variables: Variables that ExtremeXOS provides during runtime. Profiles can use them without defining them first.
Scripting: A capability of the ExtremeXOS CLI to execute a set of commands, with values for certain command parameters being automatically substituted by the system, others being user-defined (system and user-defined variables). Scripting also provides control structures such as IF/THEN/ELSE and data manipulation functions. Any CLI command can be used in a script. In addition, a script may have extensions that are needed for and only relevant to the Universal Port and its profiles, such as persistent/non-persistent mode.
Device Groups: A set of network devices that have something in common, and that can be managed in Ridgeline as a group. For example, devices might be grouped by physical location (Building 1, Building 2, first floor, second floor) or by functional grouping (Engineering, Marketing, Finance) or by any other criteria that make sense within the managed network environment.
Port Groups: You can also organize ports into groups. The ports in a group can be a mix of port types and can come from many different devices. For example, a port group that can be used to connect VoIP phones might contain one port from each of many different devices.

Network Profiles View


The Network Profiles tab provides you details about the profiles deployed on your network.

Figure 231: Universal Port Manager Network Profiles View

The buttons on the Network Profiles tab provide the following functions:

Note All buttons except View are active only when the device is HTTP-reachable.


Table 14: UPM Network Profiles View Function Buttons

Run: Runs a profile on a device. Select one profile from the list, and then click this button to run the profile manually by event simulation. See Running a Profile on a Device Manually on page 380. This button is active only when one enabled profile is selected from the table.
View: Views a selected profile. Select a profile from the list, and then click this button to view the profile. This button is not active when the profile is unknown.
Enable Profile: Enables a profile on a device. Select one or more profiles from the list, and then click this button to enable the profile on the device. This button is active only if one or more disabled profiles are selected.
Disable Profile: Disables a profile on a device. Select one or more profiles from the list, and then click this button to disable the profile on the device. This button is active only if one or more enabled profiles are selected.
Delete: Deletes a selected profile. Select one or more profiles from the list, and then click this button to delete the selected profile.
Save As: Saves a selected profile under a new name. Select one profile from the list, and then click this button to save the profile with a different name. The Save Profile As dialog box appears. See Saving a Profile from the Network to Ridgeline on page 378. This button is active only when you select one profile.
View Diff: Invokes the difference viewer to view the differences between profiles. This button is active only if you have selected only one profile, the profile you have selected is saved in Ridgeline, and the profile on the device is different from the one you have saved in Ridgeline.
Edit Configuration: Allows you to change settings for the profile. Select a profile from the list, and then click this button to edit the profile configuration, such as event-port bindings. See Editing Profiles on page 383. This button is active only if you select one enabled or disabled profile. The profile should not be missing from the device.
Quick Filter: Allows you to filter the list. See Group Filters and Quick Filters on page 374.
Device Group Filter: Allows you to filter the list by device group. See Group Filters and Quick Filters on page 374.
Sync Device: Synchronizes profiles between the network and Ridgeline for the selected device. Click View Results to view the results of the attempted synchronization.
Update All: Synchronizes profiles between the network and Ridgeline for all devices. Click View Results to view the results of the attempted synchronization.
View Results: Shows the results of Update All and Sync Device.


Group Filters and Quick Filters


You can search for profiles deployed to a specific device in a specific device group. The device groups defined in Ridgeline appear on the Device Group Filter button, in the Device group dropdown list. Select All to display the profiles in all devices in all device groups. The device group list does not include device groups that have no devices in them. You can refine the search for a specific profile using the Quick Filter button. The following definitions are available:

Table 15: Quick Filter Definitions

Search Parameter: Description
Device Name: Searches for profiles on the selected device.
IP Address: Searches for profiles on devices that have the selected IP address.
Profile Name: Searches for the selected profile name.
Trigger Event: Searches for the selected trigger event associated with the profiles.

The Filtered Profiles On HTTP-Reachable Devices table displays the following information about the profile on the network:

Note An HTTP-reachable device that does not have any profile does not appear in this table. A device that is not HTTP reachable, and for which Ridgeline cannot determine whether any profile exists on it, is shown in this table with the profile Unknown.

Profile Name: Name of the profile on the device. Click on the profile name link to open the profile details. A profile on a switch may show up multiple times in the table. For example, if a profile is bound to a DEVICE-DETECT and DEVICE-UNDETECT event on a switch, the profile will appear twice.
Profile State: In ExtremeXOS, the state of the profile. Enabled or Disabled.
Trigger Event: Event that triggers the profile to run.
EMS Filter Name: The EMS filter associated with the profile, if the Trigger Event for the profile is a log message. If the profile is not triggered by a log message, then N/A is displayed in this column.
Ports: Ports on which the profile was configured to run or to which it is bound.
Device Name: Name of the device to which the profile was deployed.
IP Address: IP Address of the device to which the profile was deployed.
Device Last Reached: The time at which the UPM information was last updated.
Last Attempt to Reach Device: The time at which the UPM last attempted to update information.
Profile Type: The type of profile.
  - Non-Ridgeline: The profile was not deployed by Ridgeline.
  - Ridgeline: The profile was deployed by Ridgeline or imported to Ridgeline.
Profile Status: Status of the Ridgeline profile on the device.
  - Missing: The profile deployed by Ridgeline is missing from the device.
  - Same as Deployed: The profile in the device is the same as the one deployed by Ridgeline.
  - Different: The profile in the device is different from the one deployed by Ridgeline.
  - N/A: The profile is not saved in Ridgeline.
Ability to Reach Device: Indicates whether the device can be reached using HTTP.
  - Down or HTTP unreachable: The device is not operational or Ridgeline is not able to reach the device using HTTP. To find out why Ridgeline cannot reach the device, select a profile on this device and then click Update Device View. Verify the update device view results to see whether any error message is displayed.
  - HTTP reachable: Ridgeline is able to reach the device using HTTP.
Profile Validity State: Profile state based on availability in Ridgeline.
Upm Switch Validity State: Status of the switch (HTTP/HTTPS reachability), which contains the respective UPM profile.

The following icons are used in the Filtered Profiles On HTTP-Reachable Devices table:

Table 16: Icons in the Filtered Profiles on HTTP-Reachable Devices Table

The profile was deployed by Ridgeline and is the same as the one in Ridgeline.

The profile is different from what was deployed by Ridgeline.

The profile that was deployed by Ridgeline is missing.

The status of the profile deployed by Ridgeline is unknown because the device is unreachable or has been put offline.

The profile is not a Ridgeline profile.

Viewing Details of a Profile


From the Network Profiles tab, you can view the details of a profile. The details of any timer event bound to profiles can only be viewed from the profile detail dialog box. If a profile is managed by Ridgeline and is missing from the deployed device, profile content will also be missing in the Profile details dialog box. But you can find the last deployed profile content in the Managed Profiles View. The profile details are read-only. Double-click a profile name in the table to open the Profile details dialog box (see the following figure).


Figure 232: Profile Details Dialog Box

The Profile Details dialog box provides the following details:

Profile Name: Name of the profile.
State: State of the profile on the device. Shows whether the profile is enabled or disabled.
Profile type: Indicates whether the profile is a Ridgeline profile or not.
Last Modified on device: Shows the time at which the profile was last modified on the device.
Status: Shows the Ridgeline status of the profile.
Description: This is the description you have added in the script for this profile.

Creation of VLAN for VOIP Installation
The VLAN name to create
IP Address of the VLAN/Netmask
The Ports to add to this vlan.
VLAN Tag
DHCP Address Range - Starting IP to allocate
DHCP Address Range - Ending IP to allocate
Lease Timer (secs) - Default 7200 seconds
DHCP Gateway

Profile configuration on device
Trigger Events: Shows the trigger events configured in the profile. If the event is bound to a timer, the details are displayed here. If the trigger event for the profile is a log message, the EMS filter associated with the profile is displayed here.
Ports: Shows the ports to which the trigger events are bound.

Time when Universal Port Manager Information was last updated
Device last reached: Shows the time at which Ridgeline reached the device last time.
Last Attempt to reach device: Shows the time at which Ridgeline tried to reach the device.

Note In Ridgeline, the Timer details always show the time interval and the time at which the profile was first executed. However, on the switch, the show upm timer command shows the time interval and the time when the profile is scheduled to be executed next.

Use the Overview and Script View tabs (see the following figure) to switch between the script variables and the script. Click Save As to save the profile in Ridgeline. The View Diff button is active only if the deployed profile is different from the one saved in Ridgeline. The Run button is active only when the profile is enabled on the device. Use the search bar at the end of the script view to find or highlight text in the script.


Figure 233: Script View Tab

If information is unavailable in the Profile Details dialog box, click Update All.

Viewing Differences Between Profiles


If the deployed profile is different from the profile with the same name that is saved in Ridgeline, you can find the differences between the two profiles. To view the differences, select a profile from the Filtered Profiles On HTTP-Reachable Devices table, and then click View Diff. The Diff function requires a difference viewer. A difference viewer displays the two configuration files simultaneously and indicates the places where they differ. Ridgeline has a default difference viewer. However, you can install another one, if you prefer (see Installing a Viewer).
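
The comparison behind the profile status values and View Diff can be modelled as follows. This is an added example, not Ridgeline's own code: the function names, the data layout, the sample switches and the whitespace normalization are assumptions made for illustration. It is useful for seeing how a profile changed on a switch outside the management server ends up flagged.

```python
import difflib


def _lines(text):
    # Assumption: line endings and trailing spaces are not meaningful changes.
    return [ln.rstrip() for ln in text.splitlines()]


def profile_status(saved, on_device, reachable=True):
    """Return the guide's status string for one profile on one device.

    saved: profile text held by the management server, or None.
    on_device: profile text read from the switch, or None if absent.
    """
    if not reachable:
        return "Unknown"                  # device cannot be queried over HTTP
    if saved is None:
        return "N/A"                      # non-Ridgeline profile
    if on_device is None:
        return "Missing"
    if _lines(saved) == _lines(on_device):
        return "Same as Deployed"
    return "Different than Deployed"


def audit(saved_profiles, deployments, devices):
    """Check every recorded deployment, then list unmanaged on-device profiles."""
    rows = []
    for device, name in deployments:
        dev = devices[device]
        on_device = dev["profiles"].get(name)
        status = profile_status(saved_profiles.get(name), on_device,
                                dev["reachable"])
        diff = []
        if status == "Different than Deployed":
            diff = list(difflib.unified_diff(
                _lines(saved_profiles[name]), _lines(on_device),
                fromfile="saved/" + name, tofile=device + "/" + name,
                lineterm=""))
        rows.append({"device": device, "profile": name,
                     "status": status, "diff": diff})
    for device, dev in devices.items():
        for name in dev["profiles"]:
            if dev["reachable"] and name not in saved_profiles:
                rows.append({"device": device, "profile": name,
                             "status": "N/A", "diff": []})
    return rows


# Constructed sample data: one saved profile, four hypothetical switches.
SAVED = {"voip-vlan": "create vlan voice\nconf vlan voice tag 20\n"}
DEPLOYMENTS = [("sw1", "voip-vlan"), ("sw2", "voip-vlan"),
               ("sw3", "voip-vlan"), ("sw4", "voip-vlan")]
DEVICES = {
    "sw1": {"reachable": True, "profiles": {
        "voip-vlan": "create vlan voice\r\nconf vlan voice tag 20\r\n"}},
    "sw2": {"reachable": True, "profiles": {
        "voip-vlan": "create vlan voice\nconf vlan voice tag 30\n",
        "local-fix": "create vlan temp\n"}},
    "sw3": {"reachable": True, "profiles": {}},
    "sw4": {"reachable": False, "profiles": {}},
}

if __name__ == "__main__":
    for row in audit(SAVED, DEPLOYMENTS, DEVICES):
        print(row["device"], row["profile"], row["status"])
        for line in row["diff"]:
            print("    " + line)
```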

Saving a Profile from the Network to Ridgeline


To save a profile from the network to Ridgeline:

1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, find the profile using the filters (for information about using filters, see Group Filters and Quick Filters on page 374).
3 Select the profile from the Filtered Profiles On HTTP-Reachable Devices list, and then click Save As. The Save Profile As dialog box appears (see the following figure):

Figure 234: Save Profile As Dialog Box

4 Type version information in the Profile version box, and then click Save.
Note The profile name cannot contain special characters or spaces. The profile version can contain spaces.
The profile is saved in Ridgeline and is available on the Managed Profiles tab.

Exporting a Profile from the Network


You can save a profile to your local drive for editing outside Ridgeline, or as a backup. To export a profile from the network to your local drive:
1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, find the profile using the filters (for information about how to use filters, see Group Filters and Quick Filters on page 374).
3 Select the profile from the Filtered Profiles On HTTP-Reachable Devices list, and then click Save As. The Save Profile As dialog box appears (see the following figure).

Figure 235: Save Profile As Dialog Box

4 Click Export to.
5 Type or browse to the location where you want to save the profile, and then click Save. The profile is saved to the selected location.

Running a Profile on a Device Manually


You can manually run a profile that is deployed and enabled on a device.
Note The running time of a profile cannot exceed the switch run profile timeout value (30 seconds).
To run a profile:
1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, find the profile using the filters (for information about how to use filters, see Group Filters and Quick Filters on page 374).
3 Select the profile from the Filtered Profiles On HTTP-Reachable Devices list, and then click Run. The Run Profile dialog box appears (see the following figure).

Figure 236: Run Profile Dialog Box

4 In the Testing Events tab, in the Trigger Events list, select the Trigger Events. You can review the profile using the Overview and ScriptView tabs.
5 If needed, enter the values for the variables. Ridgeline lists any variables that are used in the profile and that are meaningful for the selected event.
6 Click Run. The Test Results area displays the result.
Note When a profile runs on the selected device, all operations in the profile script are executed on the test device. No rollback is performed at the end of the session or when you close the Run Profile dialog box.

The following figure shows the results of a successful run:

Figure 237: Run Profile Dialog Box with a Successful Run

The following figure shows the results of a failed run attempt:

Figure 238: Run Profile Dialog Box with a Failed Run Attempt

Updating UPM Information from the Network


The information on the Network Profiles tab is usually kept up-to-date automatically without user intervention using the response to network events and a periodic poll. If you suspect that the information is out of date, you can manually update the information for all devices or for a specific device.

1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, click Update All. The Ridgeline server obtains the profiles on the network to update the Ridgeline database. After you start the manual update, going to other functions in Ridgeline does not stop the update action.
3 To view the results of the update, click View Results. The Update View Results dialog box appears (see the following figure).

Figure 239: Update View Results Dialog Box

Type: The type of message (Alert, Warning, Informational).
Date: The date and time at which the update occurred.
Device: The name of the device being updated.
IP Address: The IP Address of the device being updated.
Message: Details and results of the update.

The results are stored until you exit the Ridgeline client or until they are overwritten by another update action.

Editing Profiles
You can edit the configuration details of a profile deployed on the network, unbind previous events, and bind new events. To edit the profile configuration:
1 In the navigation pane, click Universal Port Profile Manager.
2 On the Network Profiles tab, find the profile using the filters (for information about using filters, see Group Filters and Quick Filters on page 374).
3 Select the profile from the Filtered Profiles on HTTP Reachable Devices list, and then click Edit Configuration. The Edit Profile Configuration dialog box appears (see the following figure).

Figure 240: Edit Profile Configuration Dialog Box: Choose Type Tab

The trigger events configured for the profile are preselected. If you bind a profile to a USER-REQUEST event:
- If the profile is disabled, the profile is not executed at the time of deployment.
- If the profile is enabled, the profile will be executed at the time of deployment.
Note If a profile is bound to a user request event, and the profile is disabled, you should enable the profile from the Network Profiles tab and then click Run to run the script. The Run button is active only if the switch is HTTP reachable, and the profile is available on the switch.
If you select User Request or a timer event as the trigger event, the Deploy Type tab appears (see the following figure). For critical details on timer events, see Profile Trigger Events.

4 If needed, modify the trigger events, and then click Next. The Deploy Type tab appears with the ports on which the profile is already deployed (see the following figure).

Figure 241: Edit Profile Configuration Dialog Box: Deploy Type Tab

5 If needed, select new ports on which you want to deploy the profile. The Selected Ports table displays the updated ports list.
6 Click Next. The Verify tab appears (see the following figure).

Figure 242: Edit Profile Configuration Dialog Box: Verify Tab

7 Review the deployment details, and then click Next. The Validation tab appears with the validation results (see the following figure). For the details about profile validation, see Using the Profile Deployment Wizard.

Figure 243: Edit Profile Configuration Dialog Box: Validation Tab

8 Review the validation results, and then click Next. The Deploy tab appears with the results (see the following figure).

Figure 244: Edit Profile Configuration Dialog Box: Deploy Tab

9 Click Finish.


Managed Profiles Tab


The Managed Profiles tab provides details of the profiles saved in Ridgeline. In the navigation pane, click Universal Port Profile Manager, and then click the Managed Profiles tab:

Figure 245: Universal Port Profile Manager: Managed Profiles Tab

Function buttons
Explanation of information on the Managed Profiles tab

Managed Profiles Function Buttons


The buttons at the top of the Managed Profiles tab provide the following functions:

Table 17: UPM Managed Profiles Function Buttons

New: Creates a new profile in Ridgeline. See Creating UPM Profiles on page 391.
Open: Opens a profile. See Modifying or Editing Profiles on page 396.
Save As: Saves a profile in Ridgeline with a different name, a different version, or exports the profile to your computer. See Renaming Profiles or Saving Profiles as a New Version on page 389.
Import: Imports a profile from your computer. See Importing a Profile from a Local Drive into Ridgeline on page 389.
Delete: Deletes a profile saved in Ridgeline. You cannot delete a profile that has already been deployed. To delete a deployed profile, you need to delete the profile from the switch on the Network Profile tab, return to this tab and then delete the profile.
Test: Tests the profile on a device. See Profile Testing Wizard on page 397.
Deploy: Initiates deployment of the profile. See Using the Profile Deployment Wizard on page 399.

The Managed Profiles View


The Managed Profile tab displays all the profiles saved in Ridgeline. The Filtered Profiles table displays all the profiles that match the selected filter. The Filtered Profiles table displays the following information based on the search criteria you entered:

Table 18: Columns in the Filtered Profiles Table

Column: Description
Profile Name: Name of the profile as saved in Ridgeline.
Profile Version: Version of the profile; for example, default or version12.
Date Modified: Date on which the profile was last modified.
Modified By: The last Ridgeline user who modified the profile.
Deployed: Whether the profile is deployed.

Click a profile in the Filtered Profiles table. The Devices Deployed To table displays the following details:

Table 19: Columns in the Devices Deployed To Table

Column: Description
Device Name: Name of the device to which the profile was deployed.
IP Address: IP address of the device to which the profile was deployed.
Profile Name: Name of the profile. The icon indicates the Ridgeline status of the profile on the device.
Ridgeline Profile Status: Status of the Ridgeline profile on the device.
  - Different than deployed: The profile on the device is different from the one deployed by Ridgeline.
  - Same as deployed: The profile on the device is the same as the one deployed by Ridgeline.
  - Missing: The profile deployed by Ridgeline is missing from the device.
Ability to Reach Device: Indicates whether the device is reachable using HTTP.
Last Attempt to Reach Device: The time at which Ridgeline tried to reach the device. For example: Mar 12, 2007 03:24 PM PDT.
Device Last Reached: The time at which the device was last reached. For example: Mar 12, 2007 03:24 PM PDT. This may be different from Last Attempt to Reach Device.

Icons indicate whether the profile is deployed:
Not deployed
Is deployed

Renaming Profiles or Saving Profiles as a New Version


You can rename a managed profile or save a profile as a new version:
1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Find the profile you want to rename and select it.
4 Click Save As. The Save Profile As dialog box appears (see the following figure).

Figure 246: Save Profile As Dialog Box

5 To rename the profile, change the name in the Profile Name box.
Note The profile name should not contain special characters or spaces. The profile version may contain spaces.
To save the profile as a new version, change the version information in the Profile Version box.
6 Click OK. The profile is saved with the new name or version.

Importing a Profile from a Local Drive into Ridgeline


To import a profile from your computer to Ridgeline:
1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Click Import. The Import Profile dialog box appears (see the following figure).

Figure 247: Import Profile Dialog Box

Imported profiles are managed by Ridgeline. You can display information about the imported profiles using the Managed Profiles tab.
Note The profile name cannot contain special characters or spaces. The profile version may contain spaces.

Exporting a Ridgeline Profile to a Local Drive


To export a profile from Ridgeline to a computer:
1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Click Save As. The Save Profile As window appears.

Figure 248: Save Profile As Dialog Box

4 Click Export To.
5 Type the location of the directory, or browse to it, where you want to save the profile.
6 Click OK. The profile is exported from Ridgeline and saved in the directory you specified.

Creating and Editing UPM Profiles


Ridgeline users with admin or super-user privileges can create (see Creating UPM Profiles on page 391) and modify profiles (see Modifying or Editing Profiles on page 396), while other users can view them. A UPM profile contains ExtremeXOS Script and UPM metadata. You can use any of the CLI commands available in ExtremeXOS in the script. By adding UPM metadata, you can create a convenient dialog for updating variables. For details about ExtremeXOS Universal Port and CLI Scripting, see the ExtremeXOS Concepts Guide.

Creating UPM Profiles


The following example illustrates how to create a UPM profile.
1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Click New. The New profile dialog box appears (see the following figure).

Figure 249: New Profile Dialog Box

4 Click the Script View tab to open the script editor (see the following figure).

Figure 250: New Profile Dialog Box (Script Editor)

By default, the script editor contains the following metadata content:

    # @MetaDataStart
    # @ScriptDescription Default profile description.
    # @MetaDataEnd

5 Type ExtremeXOS commands after the metadata. A simple profile can even contain a single ExtremeXOS command, such as:

    create vlan voice

6 Click Save. The Save Profile As dialog box appears.
7 Type a name and version for the new profile, and then click OK.

8 Define a variable and use it to make the command easier to use. For example:

    set var vlanName voice-gen_tel
    create vlan $vlanName

Note The vlanName variable in the set variable line does not contain $. But, when you use the variable, you need to add $ before it.

The script is now more usable. If you use vlanName elsewhere in the script and refer to your newly defined variable as $vlanName, the same script can be used for creating other VLANs by simply changing the variable value voice-gen_tel to your new VLAN, such as voice-gen_tel2. For example, if you also add ports to VLAN voice-gen_tel:

    set var vlanName voice-gen_tel
    create vlan $vlanName
    conf vlan $vlanName tag $vlanTag
    conf vlan $vlanName ipaddress $vlanIP
    conf vlan $vlanName add ports $portsValue

If you want to change the VLAN voice-gen_tel to voice-gen_tel2, you only need to change the line set var vlanName voice-gen_tel to set var vlanName voice-gen_tel2, without changing it anywhere else.

Ridgeline 4.0 Service Pack 1 Reference Guide

394

Using the Universal Port Manager

9 Move the vlanName variable definition to Ridgeline UPM metadata section and provide a userfriendly description. This section starts with # @ MetaDataStart and ends with # @MetaDataEnd. # @MetaDataStart # @ScriptDescription "Creation of VLAN for VOIP Installation" # @VariableFieldLabel "The VLAN name to create" set var vlanName voice-gen_tel # @MetaDataEnd create vlan $vlanName conf vlan $vlanName tag $vlanTag conf vlan $vlanName ipaddress $vlanIP conf vlan $vlanName add ports $portsValue The variable now appears on the Overview tab (see the following figure).

Figure 251: New Profile Dialog Box - Overview Tab with Variable Control

The following profile contains the full content of the profile that can be used to create a VLAN for provisioning switches for using the VoIP script pre-packaged with Ridgeline.

Note: Since this profile is intended to be run on a switch only once, it should be bound to a USER-REQUEST event.

    # @MetaDataStart
    # @ScriptDescription "Creation of VLAN for VOIP Installation"
    # @VariableFieldLabel "The VLAN name to create"
    set var vlanName voice-gen_tel
    # @VariableFieldLabel "IP Address of the VLAN/NetMask"
    set var vlanIP xxx.xxx.xxx.xxx/xx
    # @VariableFieldLabel "The Ports to add to this vlan. Use 1, 2, 3, 5-6 format"
    set var portsValue xx
    # @VariableFieldLabel "VLAN Tag"
    set var vlanTag xx
    # @VariableFieldLabel "DHCP Address Range - Starting IP to allocate"
    set var dhcpStartAddr xxx.xxx.xxx.xxx
    # @VariableFieldLabel "DHCP Address Range - Ending IP to allocate"
    set var dhcpEndAddr xxx.xxx.xxx.xxx
    # @VariableFieldLabel "Lease Timer (secs) - Default 7200 seconds"
    set var dhcpLeaseTimer 7200
    # @VariableFieldLabel "DHCP Gateway"
    set var gateway xxx.xxx.xxx.xxx
    # @MetaDataEnd


Modifying or Editing Profiles


You can edit deployed and undeployed profiles using Ridgeline. To edit a profile deployed to one or more devices, you need to save the profile in Ridgeline with a different name or version, and then edit the saved copy of the profile.

Note: If two users edit the same profile at the same time, the last saved version of the profile is saved in Ridgeline. The changes are not merged.

To modify or edit a profile:

1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Select the profile from the Filtered Profiles table, and then click Open. The edit profile dialog box appears (see the following figure).

Figure 252: New Profile Dialog Box - Overview Tab with Variable Control

You can update the variables using the Overview tab. To edit the script or add metadata, use the Script View tab.

4 Click Save to save the changes or click Save As to save the profile with a different name or version.

Ridgeline UPM Metadata


The Ridgeline UPM editor uses metadata to present the profile in a more usable way. The following table describes the metadata tokens.

Table 20: Ridgeline UPM Metadata

| Metadata Token | Description |
|---|---|
| # @MetaDataStart | Indicates the beginning of the metadata section. This should be the first line in the profile. |
| # @MetaDataEnd | Indicates the end of the metadata section. |
| # @ScriptDescription | Description or the purpose of the profile. The description should not contain a new line character. |
| # @VariableFieldLabel | Long description of the variables. This will be the title for the field. Should not contain a new line character. |
| # @SeparatorLine | Indicates a section divide. |

The metadata is case insensitive. You can use # @MetaDataStart or # @METADATASTART. Do not leave a space between @ and the metadata tags.

Note: The metadata information is commented out using the # mark and will not be recognized by ExtremeXOS.

Ridgeline can manage a profile without metadata. If you do not use the metadata, UPM will not create the page where you can modify the variables.
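The metadata rules above can be checked before a profile is saved or deployed. The following is an added example, not code from Ridgeline or ExtremeXOS: a small Python linter that parses the metadata section and flags unfilled placeholder values, variables used without a set var line, and a space between @ and the tag. The function name, finding codes and the sample profile are assumptions made for this illustration.

```python
import re

# Constructed sample based on the page's VoIP VLAN profile: one placeholder value
# is left unfilled and $portsValue is used without a matching "set var" line.
SAMPLE_PROFILE = """\
# @MetaDataStart
# @ScriptDescription "Creation of VLAN for VOIP Installation"
# @VariableFieldLabel "The VLAN name to create"
set var vlanName voice-gen_tel
# @VariableFieldLabel "IP Address of the VLAN/NetMask"
set var vlanIP xxx.xxx.xxx.xxx/xx
# @variablefieldlabel "VLAN Tag"
set var vlanTag 20
# @MetaDataEnd
create vlan $vlanName
conf vlan $vlanName tag $vlanTag
conf vlan $vlanName ipaddress $vlanIP
conf vlan $vlanName add ports $portsValue
"""

# Variables the switch supplies at run time ($STATUS, $CLI.*, $EVENT.*).
BUILTIN_ROOTS = {"STATUS", "CLI", "EVENT"}

TOKEN_RE = re.compile(r"^#\s*@(\w+)\s*(.*)$")
SPACED_TAG_RE = re.compile(r"^#\s*@\s+\w+")          # "# @ MetaDataStart" is not a tag
SET_VAR_RE = re.compile(r"^set\s+var\s+(\w+)\s+(.*)$", re.IGNORECASE)
VAR_USE_RE = re.compile(r"\$([A-Za-z_]\w*(?:\.\w+)*)")
PLACEHOLDER_RE = re.compile(r"^x+(?:\.x+)*(?:/x+)?$", re.IGNORECASE)


def lint_profile(text):
    """Return the description, the metadata variables and a list of findings.

    Each finding is a tuple (line_number, code, detail).
    """
    description, variables, findings = None, [], []
    defined, pending_label = set(), None
    in_meta = seen_start = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if SPACED_TAG_RE.match(line):
            findings.append((lineno, "spaced-tag", line))
            continue
        token = TOKEN_RE.match(line)
        if token:
            # Tokens are case insensitive, so compare in lower case.
            name = token.group(1).lower()
            arg = token.group(2).strip().strip('"')
            if name == "metadatastart":
                in_meta = seen_start = True
                if lineno != 1:
                    findings.append((lineno, "start-not-first", line))
            elif name == "metadataend":
                in_meta = False
            elif name == "scriptdescription":
                description = arg
            elif name == "variablefieldlabel":
                pending_label = arg      # applies to the next "set var" line
            elif name != "separatorline":
                findings.append((lineno, "unknown-token", line))
            continue
        assignment = SET_VAR_RE.match(line)
        if assignment:
            var, value = assignment.group(1), assignment.group(2).strip()
            defined.add(var)
            if in_meta:
                variables.append({"name": var, "value": value, "label": pending_label})
                pending_label = None
            if PLACEHOLDER_RE.match(value):
                findings.append((lineno, "placeholder", var))
            continue
        if line.startswith("#"):
            continue                     # ordinary comment
        for used in VAR_USE_RE.findall(line):
            if used.split(".")[0] not in BUILTIN_ROOTS and used not in defined:
                findings.append((lineno, "undefined-var", used))

    if not seen_start:
        # Allowed by Ridgeline, but UPM will not build the variables page.
        findings.append((0, "no-metadata", ""))
    return {"description": description, "variables": variables, "findings": findings}


if __name__ == "__main__":
    report = lint_profile(SAMPLE_PROFILE)
    print(report["description"])
    for var in report["variables"]:
        print(f'{var["name"]:12} {var["value"]:22} {var["label"]}')
    for lineno, code, detail in report["findings"]:
        print(f"line {lineno}: {code} {detail}")
```
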

Profile Templates
Ridgeline includes some pre-defined profile templates. You can use the profile templates as baselines for creating new profiles. You can find the pre-defined profiles in Ridgeline in <Ridgeline_install_directory>\jboss\standalone\deployments\user.war\upm_profiles.

Profile Testing Wizard


The profile testing wizard helps you test a profile on a device before actually deploying it on the network. The wizard allows you to edit and run the profile on a test device. As a part of profile testing, the profile is deployed onto the selected device and run. When you finish, the profile is not removed (undeployed) from the device. If you wish to delete the profile from the device, select the profile from the profiles on the Network Profile tab, and then click Delete.

Note: When the profile is run on the selected device, all operations in the profile script are executed against the test device. No rollback is performed at the end of the test session.

To test a profile:

1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Select the profile from the Filtered Profiles table.


4 Click Test. The Test Profile wizard appears (see the following figure).

Figure 253: Test Profile Wizard

5 Choose trigger events:

- User Request: Select this to deploy the profile now. This selection does not allow you to bind the event to a port, and the Port Selection tab does not appear. If you bind a profile to a USER-REQUEST event, the profile is executed at the time of deployment, even if the profile is disabled in Ridgeline. If a network profile is bound to a user request event and the profile is disabled, to run the profile again, you should enable the profile from the Network Profiles tab, and then click Run to run the script.
- Other Trigger Events: Select the other trigger events you want to configure for the profile.

6 Click Next. The Test Profile tab appears.
7 Select how you want to pick the device to test the profile on:

- Devices: Through the full list of devices
- Device Groups: Through device groups

8 Click Next. The Select Devices tab appears.
9 Select a device to test the profile by clicking its check box.
10 Click Next. The Verify tab appears.
11 Verify your selections, and then click Next. The Validation tab appears. If the profile passes validation, a green check mark appears under Validation Results.
12 If desired, type any comments you want to appear in the audit log in the Comments box.


13 Click Next. The Test Profile wizard final page appears (see the following figure).

Figure 254: Test Profile Wizard Final Page

14 Click Save an. The profile is saved to the server, deployed to the device, and tested. The results of these actions appear under Test results.
15 Click Close.

Using the Profile Deployment Wizard


To deploy the profile, select the profile from the Filtered Profiles table in the Managed Profiles view and then click the Deploy button. You can also open the deployment wizard from the New Profile Create window. The deployment wizard opens with the Select Trigger Events page. Use this page to configure the trigger events that would run the profile after it is deployed to the devices.


Figure 255: Trigger Events Page

This page contains the following configuration items:

Click Next to open the search devices page.

Figure 256: Search for Devices Page

The search devices page offers the following search types:

- Devices: Select this to search individual devices on the network.
- Device groups: Select this to search the devices based on the device groups you have defined in Ridgeline.
- Port groups: Select this to search the devices based on the port groups you have defined in Ridgeline.


Click Next to open the Device Selection page. The device selection page:

- Lists devices, if you have selected Devices in the previous page.
- Lists device groups and devices, if you have selected Device groups in the previous page.
- Lists port groups and devices, if you have selected Port Groups in the previous page. All ports in the selected port group will be preselected.

Incompatible devices are grayed out. Incompatible devices are devices that are running ExtremeWare or ExtremeXOS versions earlier than 12.0, or Summit X150 series devices. You can select devices that are down, offline, or unreachable at the time of device selection, but you will not be able to deploy to these devices at the time of validation unless they are online and reachable.

Figure 257: Device Selection Page

Select the devices and then click Next to open the Ports Selection page. The ports selection page contains two tables. The Deploy to Ports table lists the devices and ports. After you select ports from this table, they are displayed in the Selected Ports table. You can select all ports in the device by selecting the check box near the device. To select individual ports, select the device check box, expand the port list tree, and then select individual ports from the tree. You can also use the Select All button to select all ports on the devices.


Figure 258: Ports Selection Page

If you select port groups, the ports in the selected port groups will be preselected. For the USER-REQUEST event and timer event, the ports are shown as N/A. After you select the ports, click Next to review the deployment information. The Deployment Information review page appears.

Figure 259: Deployment Information Review Page

The page provides details of the devices, the IP addresses of the devices, and the ports you have selected to deploy the profile.


If the information is correct, click Validate to validate the profile on the selected ports. The validation results page appears. During validation, the following things are done:

- Ridgeline will update the details with selected device.
- Ridgeline checks whether a profile with the same name is already on the switch. If the profile is already on the switch, Ridgeline gives you an option to proceed with the selection. If you choose to proceed, Ridgeline will delete the profile on the switch first, then push the profile to the switch with the new bindings.
- Ridgeline will make sure that no two profiles are bound to the same device events on the same port. For example: If Profile A is bound to port 1 for the event DEVICE-DETECTED, then you cannot bind Profile B to port 1 for the event DEVICE-DETECTED. But you can bind Profile B to port 1 for another event, DEVICE-UNDETECTED.

Figure 260: Validation Results Page

The results page displays the validation status and validation results. The following details appear in the Validation Results table:

| Column | Description |
|---|---|
| Name | Name of the device on which the profile was validated. |
| IP Address | IP address of the device on which the profile was validated. |
| Ports | Ports on which the profile was validated. |
| Validation Results | Displays the result of the validation. |
| Replace Existing Profile | If the device already contains a profile with the same name, a check box appears in this column. Select the check box if you want to replace the profile. |

If validation has issues, you can see the details in the Details field. Select a row in the table to view the details of the validation. If validation has issues, and you need to replace the profile on the device, a check box will appear in the Replace Existing Profiles column. Use Select All to select all the check boxes and use Clear All to clear all the check boxes.

The Deployment Information section allows you to configure whether the profile should be enabled or disabled after the deployment. Select Enable profile on all devices to enable the profile on all the devices on which the profile is being deployed. You can also enter comments that appear in the Audit Log.

Click Deploy to deploy the profile to the selected devices. The deployment results page appears with the status and result of the deployment.

Figure 261: Deployment Results

This page provides the following details:

| Column | Description |
|---|---|
| Name | Name of the device on which the profile was deployed. |
| IP Address | IP address of the device on which the profile was deployed. |
| Ports | Ports on which the profile was deployed. |
| Deployment Results | Displays the status and result of the deployment. |
| Deploy Again | If the deployment fails on a device, a check box appears in this column. To deploy again, select the check box and click the deploy again button. You can use the Select All and Clear All buttons to select multiple devices to deploy the profile again. |
| Details | Select the device from the table to view the details of the deployment. If you have issues with the deployment, you can see the details in this field. |

Click the Finish button to complete deploying the profile. If you have issues with the deployment, select the devices using the check boxes in the Deploy Again column and then click Deploy again. If you need to deploy to more than one device, use the Select All button to select all the check boxes. You will be taken to the Deployment Information Review Page. The following image shows the validation results page with errors:

Figure 262: Validation Results Page with Error

In this example, two devices contain profiles with the same name. Select the check boxes using the Select All button, then click the Deploy button to continue. The Details field shows the reason for the validation failure on the two devices.

1 In the navigation pane, click Universal Port Profile Manager.
2 Click the Managed Profiles tab.
3 Select the profile to deploy in the Filtered Profiles table.


4 Click Deploy. The Deploy Profile wizard appears (see the following figure).

Figure 263: Deploy Profile Wizard


5 Set the trigger events:

- User Request: Select this to deploy the profile now. This selection does not allow you to bind the event to a port, and the Port Selection tab does not appear. If you bind a profile to a USER-REQUEST event, the profile is executed at the time of deployment, even if the profile is disabled in Ridgeline. If a network profile is bound to a user request event and the profile is disabled, to run the profile again, you should enable the profile from the Network Profiles tab, and then click Run to run the script.
- Scheduled Time: Select this to set the time at which the profile should be run. This is the time for the ExtremeXOS Timer-AT event. For critical details about timer events, see Profile Trigger Events. The scheduled time event does not allow port binding. If you select this event, the Port Selection page does not appear. Enter the time in the At box and the date in the On box. To repeat, enter the time value in Continue Every and the time period in the box to the right (select Seconds, Minutes, Hours, Days, Weeks).
- Other Trigger Events: Select the other trigger events you want to configure for the profile.

Note: If (required) appears next to a trigger event, it indicates that this event is referred to in the profile script. The event selection is, however, not enforced.

6 Click Next. The Choose Type tab appears.
7 Select how you want to pick the device to test the profile on:

- Devices: Through the full list of devices
- Device Groups: Through device groups
- Port Groups: Through port groups

8 Click Next. The Deploy tab appears.
9 Select a device to test the profile by clicking its check box.
10 Click Next. The Verify tab appears.
11 Verify your selections, and then click Next. The Validation tab appears. If the profile passes validation, a green check mark appears under Validation Results. The results of the validation appear in the box in the middle of the wizard page.
12 If you are attempting to deploy one or more profiles to a device that already has a profile with the same name, you can choose to replace the existing profile. Select the desired profiles that you want to overwrite. In the Replace Existing Profile column, if you want to select all of the profiles, click Select All; if you want to de-select all profiles, click Clear All.
13 Set whether you want the profile enabled after being deployed, by clicking either Enable profile on all devices or Disable profile on all devices.
14 If desired, type any comments you want to appear in the audit log for this deployment of the profile in the Comments box.
15 Click Next. The Deploy tab appears. If the profile is deployed successfully, a green check mark appears under Deployment Results.
16 Click Finish.


Profile Trigger Events


The following table shows the system triggers that can lead to the execution of a particular profile.

Table 21: Profile Trigger Events

| Trigger | Condition |
|---|---|
| DEVICE-DETECT | A specific device was detected by the system. You can use this event to automatically configure the LLDP settings when an LLDP enabled device is connected to an LLDP enabled port on an Extreme switch. UPM executes the profile that has been configured for that event on that port. |
| DEVICE-UNDETECT | A specific device is no longer present. This could also be triggered by a timeout. This allows the restoration of port properties to a known state. You can use this event to trigger a profile when an LLDP device that was previously detected on the port is removed from the port. This event helps to return a port back to its original configuration, ready to accept another UPM event. |
| USER-AUTHENTICATED | A specified user was authenticated. Authentication can be configured on the port for security with Extreme's netlogin feature. Netlogin enabled ports can authenticate devices in two ways: MAC address based authentication, which requires no interaction from the user, and 802.1x authentication, which requires the user to log in through an 802.1x client on a PC. A user-authenticated event is triggered when a device or user authenticates successfully through Netlogin and RADIUS. |
| USER-UNAUTHENTICATED | A specified authenticated user has been unauthenticated. This event is triggered when a previously authenticated device or user disconnects from the switch, either by logging off the PC or by disconnecting the device from the port. |
| TIMER-AT | The specified time for a profile to be triggered has arrived. If the Ridgeline client and the switch are not in the same time zone, then the time that you schedule from the Ridgeline client for a profile to be executed will be different from the time that will be configured on the switch. For example, if the client machine is set to the PDT time zone and the switch is set to use the default GMT time zone, an event created to be executed at 12:00:00 p.m. PDT will be scheduled to be executed at 19:00:00 p.m. GMT. In Ridgeline, Timer details will always show the time interval and the time at which the profile was first executed. But on the switch, the show upm timer command will show the time interval and the time when the profile is scheduled to be executed next. |
| USER-REQUEST | The profile is bound to a USER-REQUEST event. Static profile is an ExtremeXOS concept for any profile not bound to any EXOS event. The USER-REQUEST event is a Ridgeline concept for a static profile in EXOS. |
| LOG-MESSAGE | The profile is triggered by a specific EMS message encountered on the device. In the current release, profiles triggered by LOG-MESSAGE events can only be viewed in Ridgeline. You cannot run or edit these kinds of profiles in Ridgeline, nor can you save them as managed profiles. |

Universal Port Event Variables


This section describes the information available to any profile on execution, based on the event that triggered the profile:

- Common variables
- User profile variables
- Device profile variables

Common Variables
The following table shows the variables that are always available for use by any script. These variables are set up for use before a script or profile is executed.

Table 22: Common Variables

| Variable Syntax | Definition |
|---|---|
| $STATUS | Status of last command execution. |
| $CLI.USER | User Name who is executing this CLI. |
| $CLI.SESSION_TYPE | Type of session of the user. |
| $EVENT.NAME | This is the event that triggered this profile. For a list of triggers, see Profile Trigger Events on page 408. |
| $EVENT.TIME | Time this event occurred. The time will be in seconds since epoch. |
| $EVENT.TIMER_TYPE | PERIODIC or NON_PERIODIC. |
| $EVENT.TIMER_NAME | Name of the timer that the Universal Port is invoking. |
| $EVENT.TIMER_DELTA | Time difference when the timer fired and when the actual shell was run in seconds. |
| $EVENT.PROFILE | Name of the profile that is being run currently. |

User Profile Variables


The following table shows the variables available to user profiles.

Table 23: User Profile Variables

| Variable Syntax | Definition |
|---|---|
| $EVENT.USERNAME | Name of user authenticated. This would be a string with the MAC address for MAC-based user-login. |
| $EVENT.NUMUSERS | Authenticated supplicants on this port after this event occurred. |
| $EVENT.USER_MAC | MAC address of the user. |
| $EVENT.USER_PORT | Port associated with this event. |
| $EVENT.USER_VLAN | VLAN associated with this event. |
| $EVENT.USER_IP | IP address of the user if applicable, else blank. |

Device Profile Variables


The following table shows the variables available to device profiles.

Table 24: Device Profile Variables

| Variable Syntax | Definition |
|---|---|
| $EVENT.DEVICE | Device identification string. Possible values for EVENT.DEVICE are: GEN_TEL_PHONE, ROUTER, BRIDGE, REPEATER, WLAN_ACCESS_PT, DOCSIS_CABLE_SER, STATION_ONLY and OTHER. These strings correspond to the devices that the LLDP application recognizes and reports to the Universal Port management application. |
| $EVENT.DEVICE_IP | The IP address of the device (if available). Blank if not available. |
| $EVENT.DEVICE_MAC | The MAC address of the device (if available). Blank if not available. |
| $EVENT.DEVICE_POWER | The power of the device in watts (if available). Blank if not available. |
| $EVENT.DEVICE_MANUFACTURER_NAME | The manufacturer of the device. |
| $EVENT.DEVICE_MODEL_NAME | Model name of the device. |


23 Using Identity Management


- Identity Management Software License
- Overview of Identity Management
- Role-Based Access Control
- Enabling Monitoring on Devices and Ports
- Disabling Monitoring
- Editing Monitored Device Ports
- Enabling Role-based Access Control on New Devices
- Disabling Role-based Access Control
- Creating Roles
- Deleting Roles
- Editing Roles
- Refreshing Users and Roles
- Viewing Roles
- Attaching Policies to Roles
- Error and Results Handling
- Managing Global Settings
- Viewing Network User Information
- Displaying Identity Management Reports

This section describes how to use Ridgeline to monitor the logon and network usage of LLDP devices and users connected to managed switches in your network. This information is obtained using the ExtremeXOS Identity Management feature.

The Ridgeline Identity Manager provides network-wide viewing and reporting of identities and helps administrators manage network-wide, role-based policies for both users and devices. It applies policies consistently across the network to enable seamless mobility and on-demand access to applications, maintaining business continuity.

Using Ridgeline, network managers can:

- Enable or disable identity monitoring.
- Monitor active and inactive identities.
- Define, modify, and delete network-wide policies.
- Display identity management reports.
- Create, modify, and delete network-wide roles and apply policies to roles (see Role-Based Access Control on page 412 and Attaching Policies to Roles on page 117).
- Add, edit, and delete active directory servers.


Identity Management Software License


Your software license determines the level of Identity Management available on Ridgeline. If a valid Security FP License is installed, you are allowed to use all the Identity Management features supported by Ridgeline.

Overview of Identity Management


Ridgeline's Identity Management feature identifies network users and authorizes them to access devices for specific network services and information. Ridgeline provides role-based user access control to manage this authentication mechanism. The Identity Management feature monitors users that connect to ports on a switch.

Ridgeline provides the tools to define user roles, policies, and rules and the necessary components that set the user apart from other network users. These roles, policies, and rules are the criteria that allow access to the information and services the network user needs. The switch identifies the user logon and searches for a match on Active Directory, where the match criteria are configured for that user. The following figure illustrates this concept.

Figure 264: User Matched to a Defined Role

Role-Based Access Control


You enable role-based access control on the switches and ports where user logon data is identified. Then you define user roles that include conditions to match the user who has logged on to the network. Ridgeline also supports context-based roles, where identities can play different roles at different locations.

Roles, Policies, and Rules


Roles

Ridgeline's role-based access control supports two default roles:

- Authenticated
- Unauthenticated

Authenticated identities are those detected through netlogin (using any of the netlogin methods) or through Kerberos snooping.


When a query is sent to Active Directory, it searches user attributes. Based on the LDAP attributes the switch receives, Identity Management places these attributes under a configured role. If they match those on the server, they are classified under the authenticated role. Identity Management classifies role attributes that cannot be identified as unauthenticated user-configured roles.

Figure 265: Roles and Policies

- Employee (Company = Extreme; Priority 3): Can access intranet.
- Engineer (Company = Extreme, Department = Eng; Priority 2): Can access development subnet. Engineers will inherit "Can access intranet" and will also be able to access the development subnet.
- Sales (Company = Extreme, Department = Sales; Priority 1): Can access customer information. The Sales role does not automatically inherit the Company match condition from Employee.

Policies

Routing protocol applications use policies to control the use of routing information on a switch. With Ridgeline you create policies which you can attach to roles. When you define policies, you can selectively permit (or deny) a set of routes based on their attributes for advertisements of the routing domain. The routing protocol application can modify routing information attributes based on policy statements. You attach a policy to a VM where you can enable tracking on a switch on which Identity Management is enabled.

Ridgeline supports two policy types:

- Identity Management
- VM mobility

Role Hierarchy
You can create roles in a hierarchy to reflect different organizational and functional structures. The following figure illustrates a typical role hierarchy.


Figure 266: Hierarchical Role Management Example

- Employees (Company == XYZCORP): Policy 1: Allow common file shares; Policy 2: Allow access to time-sheet application
- Sales (Company == XYZCORP AND Department == Sales): Policy 3: Allow CRM applications; Policy 4: Deny Engineering resources
- Managers (Company == XYZCORP AND Department == Sales AND Title contains Manager): Policy 5: Allow access to Finance applications; Policy 6: Allow access to HR tools
- Engineers (Company == XYZCORP AND Department == Sales AND Title contains Engineer): Policy 7: Allow access to partner tools

To create a role hierarchy, you define one or more roles as child roles derived from a parent role. Ridgeline supports a maximum of five levels. A parent role can have up to eight children but a child cannot have more than one parent. Multiple inheritances are not allowed. In a hierarchy, only policies are inherited, not the match criteria from parent roles. Below is a diagram of the role hierarchy.

Figure 267: Role Hierarchy (a parent role with children roles; supports five levels)

Role Inheritance
Child roles inherit the policies of the parent role in the hierarchy. When an identity is assigned to a role, the policies and rules defined by that role and all higher roles in the hierarchy are applied.


When the parent role is deleted or when the parent-child relationship is deleted, the child role no longer inherits the parent role's policies, and those policies are immediately removed from all identities mapped to the child role. Since the maximum role hierarchy depth allowed is five levels, the maximum number of policies and dynamic ACLs that can be applied to a role is 40 (five role levels x eight policies/rules per role).

Note: The LDAP query can be disabled for specific types of netlogin users.

When the software makes the final determination of which default or user-configured role applies to the identity, the policies and rules configured for that role are applied to the port to which the identity is attached. This feature supports up to eight policies and dynamic ACL rules per role.

The identity's IP address is used to apply the dynamic ACLs and policies. The dynamic ACLs or policies that are associated to roles should not have any source IP address specified because the Identity Management feature will dynamically insert the identity's IP address as the source IP address. When a dynamic ACL or policy is added to a role, it is immediately installed for all identities mapped to that role. Effective configuration of the dynamic ACLs and policies ensures that intruders are avoided at the port of entry on the edge switch, thereby increasing security and reducing noise in the network.
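The hierarchy rules above (policies inherited, match criteria not inherited, five levels, eight children, eight policies per role) can be modelled to review a role design before it is pushed to switches. The following is an added example, not Ridgeline code: the class and function names, the parent links chosen for the Figure 266 roles, and the SalesLoose role are assumptions made for this illustration. It shows why every child role must restate the parent's match conditions: a child that omits them still receives the parent's policies.

```python
MAX_LEVELS = 5      # "Ridgeline supports a maximum of five levels"
MAX_CHILDREN = 8    # "A parent role can have up to eight children"
MAX_POLICIES = 8    # "up to eight policies and dynamic ACL rules per role"


class RoleHierarchy:
    """Minimal model of the role tree: one parent per role, policies inherited."""

    def __init__(self):
        self.roles = {}

    def add_role(self, name, conditions, policies, parent=None):
        if name in self.roles:
            raise ValueError(f"role {name} already exists")
        if len(policies) > MAX_POLICIES:
            raise ValueError(f"{name}: more than {MAX_POLICIES} policies")
        if parent is not None:
            if parent not in self.roles:
                raise ValueError(f"unknown parent {parent}")
            if len(self.children(parent)) >= MAX_CHILDREN:
                raise ValueError(f"{parent}: already has {MAX_CHILDREN} children")
            if self.level(parent) + 1 > MAX_LEVELS:
                raise ValueError(f"{name}: hierarchy deeper than {MAX_LEVELS} levels")
        self.roles[name] = {"parent": parent,
                            "conditions": list(conditions),
                            "policies": list(policies)}

    def children(self, name):
        return [r for r, d in self.roles.items() if d["parent"] == name]

    def level(self, name):
        depth = 1
        while self.roles[name]["parent"] is not None:
            name = self.roles[name]["parent"]
            depth += 1
        return depth

    def effective_policies(self, name):
        """Policies of the role plus those of every ancestor, root first."""
        chain = []
        while name is not None:
            chain.append(name)
            name = self.roles[name]["parent"]
        result = []
        for role in reversed(chain):
            result.extend(self.roles[role]["policies"])
        return result

    def matches(self, name, attrs):
        """Evaluate only the role's OWN conditions; nothing comes from the parent."""
        for attr, op, value in self.roles[name]["conditions"]:
            actual = attrs.get(attr, "")
            if op == "==" and actual != value:
                return False
            if op == "contains" and value not in actual:
                return False
        return True

    def detach(self, name):
        """Delete the parent-child relationship; inherited policies disappear."""
        self.roles[name]["parent"] = None


def build_figure_266():
    """Roles and policies from Figure 266; the parent links are assumed."""
    h = RoleHierarchy()
    company = ("Company", "==", "XYZCORP")
    sales = ("Department", "==", "Sales")
    h.add_role("Employees", [company],
               ["Allow common file shares", "Allow access to time-sheet application"])
    h.add_role("Sales", [company, sales],
               ["Allow CRM applications", "Deny Engineering resources"],
               parent="Employees")
    h.add_role("Managers", [company, sales, ("Title", "contains", "Manager")],
               ["Allow access to Finance applications", "Allow access to HR tools"],
               parent="Sales")
    # Constructed misconfiguration: the Company condition was left out.
    h.add_role("SalesLoose", [sales], ["Allow CRM applications"], parent="Employees")
    return h


if __name__ == "__main__":
    h = build_figure_266()
    outsider = {"Company": "OTHERCORP", "Department": "Sales"}  # constructed identity
    print("Managers:", h.effective_policies("Managers"))
    print("Outsider matches Sales:", h.matches("Sales", outsider))
    print("Outsider matches SalesLoose:", h.matches("SalesLoose", outsider))
    print("SalesLoose receives:", h.effective_policies("SalesLoose"))
```
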

LDAP Attributes and Server Selection


Active Directory provides lightweight directory access protocol (LDAP) service to Ridgeline.

The following lists LDAP role match criteria you can assign to the switch:

- Location
- Company
- Country
- Department
- Employee ID
- State
- Title
- Email

If the Active Directory fails to respond when queried, the next configured Active Directory server is contacted. If successful, all further LDAP queries are sent to this LDAP server. All LDAP servers should be configured to synchronize the user information available in each of them.

Enabling Monitoring on Devices and Ports


To disable monitoring, see Disabling Monitoring on page 418. You can also change which ports monitoring is enabled on for a device (see Editing Monitored Device Ports on page 418).

To enable monitoring on devices:

1 In the navigation pane, click Network User Devices.


2 The Network-Users Devices tab appears (see the following figure). Ridgeline lists the available devices and ports.

Figure 268: Network-Users Devices Tab


3 Click Enable User Monitoring. The Enable Monitoring Of Network-User Information wizard appears (see the following figure).

Figure 269: Enable Monitoring Of Network-User Information Wizard Note Devices that cannot be set up with identity management do not appear on the list. Devices must be up and reachable and running ExtremeXOS v12.6 or later. 4 To filter the list, type search terms in the search box or make a selection from the Device Group Selector list. 5 Under Enable monitoring on which devices?, select the check box(es) next to the desired device(s). 6 Click Add. Your selected devices appear in the Selected Devices table. 7 Click Next. The Enable Ports tab appears. 8 To choose ports: Note Uplink ports are automatically excluded.

   - For all of a device's ports, select the check box next to the device.
   - For individual ports, click the plus sign (+) next to the device, and then select the check boxes next to the desired ports.

Note: You must choose a minimum of one port on each device.


9 Click Next. The Connection Type tab appears.
10 In the Connection type list, select either http or https.
11 Click Next. The Results tab appears. Your monitored device(s) and port(s) appear in the Results pane.
12 Click Finish.

Disabling Monitoring
You can disable monitoring on selected edge switches. When you do this, all identity-related configurations are removed, including roles, LDAP settings, attached role policies, and any Black List and White List entries that exist. Disabling monitoring on a switch does not remove the settings from the Ridgeline database; this allows you to reapply them later, if needed.

To enable monitoring, see Enabling Monitoring on Devices and Ports on page 415.

To disable monitoring on a switch:
1 In the navigation pane, click Network User Devices.
2 On the Network-Users Devices tab, select the devices on which you want to disable monitoring by clicking their check boxes.
3 Click Disable User Monitoring.
4 When prompted, confirm the deletion.

Editing Monitored Device Ports


To edit ports that are being monitored on a device:
1 In the navigation pane, click Network User Devices.
2 On the Network-Users Devices tab, select a device by clicking its check box.


3 On the Network-Users Devices tab, click Edit Ports. The Edit Ports of Network-Users devices dialog box appears (see the following figure).

Figure 270: Edit Ports of Network-Users Devices Dialog Box

4 On the Monitor Ports tab, make your revised selections for which ports to monitor. To select all ports for a device, click the check box next to the device; to select individual ports, click the plus sign (+) next to the device to display its individual ports.
5 Click Next. The Connection Type tab appears.
6 Select either HTTP or HTTPS as the protocol to use for user identity management.
7 Click Next. The Results tab appears, displaying the success or failure of your redeployment of monitoring on ports. Click a row in the Results table to see more details.
8 Click Finish.

Enabling Role-based Access Control on New Devices


To disable role-based access control, see Disabling Role-based Access Control on page 421.

To enable role-based access control on new devices:
1 In the navigation pane, click Network User Devices.
2 Click the Role-Based-Access-Control Devices tab.


3 Click Enable Role Access. The Enable Role-Based Access Control dialog box appears (see the following figure).

Figure 271: Enable Role-Based Access Control Dialog Box

4 On the Network-users Devices tab, select the device on which you want to enable role-based access control.

Note: Devices that are unavailable (grayed out) and not selected (checked) do not support this feature. Devices that are already selected (checked) have role-based access control already enabled.


5 To change the client IP address for communicating with the directory server(s):

   - To make changes, click Next. The Advanced Settings tab appears (see the following figure).
   - To skip making changes, go to Step 11.

Figure 272: Enable Role-Based Access Control Dialog Box, Advanced Settings Tab

6 Select the directory server to modify by selecting its name in the Directory Server Name list.
7 Select a device to change the client IP address for by clicking its check box in the first table under Communicating with the Directory Server.
8 In the second table, select the client IP address that you want to change to.
9 Click Save.
10 Repeat Steps 6 through 9 as needed.
11 Click Finish.
12 You are warned that existing ID management configurations on the device will be lost. Click OK.

Disabling Role-based Access Control


To enable role-based access control, see Enabling Role-based Access Control on New Devices on page 419.

To disable role-based access control:
1 In the navigation pane, click Network User Devices.
2 Click the Role-Based-Access-Control Devices tab.
3 Select the device to disable role-based access control from by clicking its check box.
4 Click Disable Role Access.
5 When prompted, confirm your selection by clicking Yes. All the role, LDAP, and role-policy associations are removed from the devices.


Creating Roles
You can configure role-based access control in Ridgeline. Start by defining a network user role (see Creating New Roles on page 422), which includes defining match criteria for users and groups of users that need to access information on the network. You also set priorities for these roles.

A role can:
- Be independent of a parent or a child.
- Have children.
- Have only one parent.

Creating New Roles


You can define network-wide roles and specify the match criteria for assigning a device to that role as well as define the role priority. You can create roles in a hierarchy to place a user under a role. To create a role hierarchy, define one or more roles as child roles of what becomes the parent role. Ridgeline supports a maximum of five children levels. A parent role can have up to eight children, but a child cannot have more than one parent. Multiple inheritances are not allowed. In a hierarchy, only policies are inherited; the match criteria from parent roles are not inherited.

Ridgeline allows a maximum of 64 roles, and each role name can have a maximum of 32 characters.

Priorities can have values from 1 to 255. One (1) is the highest priority. The priority of the role determines the role to which a user is mapped. The default priority is 255. A device is assigned the lesser priority role value whenever there is a conflict. If both roles have equal priority or the default priority, the last role created is assigned the higher priority.

After a role is created you can edit it (see Editing Roles on page 428) or delete it (see Deleting Roles on page 428).

To add a new role:
1 In the navigation pane, click Roles.


2 On the Roles tab, click New Role. The New Role dialog box appears (see the following figure).

Figure 273: New Role Dialog Box

3 Type the role name and an optional description in the Name and Description boxes.

Note: A role name can have a maximum of 32 characters and can contain only alphabetic characters, hyphens, and underscores. All other special characters are invalid. A role name cannot have spaces, begin with a number, be the same as an existing name, or be "authenticated" or "unauthenticated".

4 Set a priority using the Priority slider.
5 If desired, set other role(s) as children to this role:
   a Click Edit. The Edit Children roles dialog box appears.
   b Select the desired roles to set as children by clicking their check boxes.
   c Click OK. The children roles appear in the Child Roles box.
6 To set which devices and users get assigned this role, define match criteria for the role:

Note: If you want to create a role with the same or similar conditions of an already existing role, you can do this quickly by selecting the existing role from the Copy Conditions From list. The match conditions area displays the conditions of the selected role. You can edit these conditions if desired (see the following substeps) or skip to Step 7.


a Choose a condition from the list. The conditions listed are:


Match Criteria            Role Type
Location                  LDAP
Company                   LDAP
Country                   LDAP
Department                LDAP
Employee ID               LDAP
State                     LDAP
Title                     LDAP
E-mail                    LDAP
Device Model              LLDP (requires EXOS version 12.7.1 or later on target switch)
Device Capability         LLDP (requires EXOS version 12.7.1 or later on target switch)
Device Manufacture Name   LLDP (requires EXOS version 12.7.1 or later on target switch)
MAC                       User-defined (requires EXOS version 12.7.1 or later on target switch)
MAC OUI                   User-defined (requires EXOS version 12.7.1 or later on target switch)
IP Address                User-defined (requires EXOS version 12.7.1 or later on target switch)
User Name                 User-defined (requires EXOS version 12.7.1 or later on target switch)

   b Choose the operator in the middle column: Equals, Not Equals, Contains.
   c Type a value for the match criteria in the third column.
   d To add additional match conditions, click Add. A new row appears. Repeat Step 5.

Note: You can add a maximum of 16 conditions.

Note: To remove a match condition, click next to the match condition.

7 Click OK. The list under the Roles tab displays the new role.
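The limits and the priority rule described in this section, modeled as an added Python example (not Ridgeline or ExtremeXOS code) that checks a planned role set before it is built in the GUI and shows which role an identity lands in and which policies it inherits. The role names, policy names, and identity attributes are constructed, and two points the guide does not specify are treated as assumptions: all of a role's match conditions must hold, and role names are read as letters, hyphens, and underscores only.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Limits as stated in this guide.
MAX_ROLES, MAX_NAME_LEN, MAX_CHILDREN = 64, 32, 8
MAX_DEPTH, MAX_POLICIES, MAX_CONDITIONS = 5, 8, 16
RESERVED_NAMES = {"authenticated", "unauthenticated"}
# Assumption: the naming note is read strictly (letters, hyphens, underscores only).
NAME_RE = re.compile(r"[A-Za-z_-]+")
OPERATORS = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equals": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted in actual,
}

@dataclass
class Role:
    name: str
    priority: int = 255            # 1 is the highest priority, 255 the default
    parent: Optional[str] = None   # a role has at most one parent
    conditions: list = field(default_factory=list)  # (attribute, operator, value)
    policies: list = field(default_factory=list)    # policy names attached to the role

def ancestry(role, by_name):
    """Return [role, parent, grandparent, ...], stopping if the chain loops."""
    chain, seen = [], set()
    while role is not None and role.name not in seen:
        chain.append(role)
        seen.add(role.name)
        role = by_name.get(role.parent)
    return chain

def validate(roles):
    """Return violations of the guide's limits; an empty list means none were found."""
    errors, by_name, children = [], {}, {}
    if len(roles) > MAX_ROLES:
        errors.append(f"{len(roles)} roles defined, maximum is {MAX_ROLES}")
    for r in roles:
        if r.name in by_name:
            errors.append(f"{r.name}: duplicate role name")
        by_name[r.name] = r
        if (len(r.name) > MAX_NAME_LEN or not NAME_RE.fullmatch(r.name)
                or r.name.lower() in RESERVED_NAMES):
            errors.append(f"{r.name!r}: invalid role name")
        if not 1 <= r.priority <= 255:
            errors.append(f"{r.name}: priority {r.priority} outside 1-255")
        if len(r.conditions) > MAX_CONDITIONS:
            errors.append(f"{r.name}: more than {MAX_CONDITIONS} match conditions")
        if len(r.policies) > MAX_POLICIES:
            errors.append(f"{r.name}: more than {MAX_POLICIES} policies")
        if r.parent is not None:
            children.setdefault(r.parent, []).append(r.name)
    for parent, kids in children.items():
        if parent not in by_name:
            errors.append(f"{kids[0]}: unknown parent {parent}")
        if len(kids) > MAX_CHILDREN:
            errors.append(f"{parent}: {len(kids)} children, maximum is {MAX_CHILDREN}")
    for r in roles:
        chain = ancestry(r, by_name)
        if chain[-1].parent in by_name:      # the walk stopped on a repeated name
            errors.append(f"{r.name}: parent chain loops")
        elif len(chain) > MAX_DEPTH:
            errors.append(f"{r.name}: hierarchy depth {len(chain)}, maximum is {MAX_DEPTH}")
    return errors

def effective_policies(role, by_name):
    """Own policies plus those of every ancestor; match criteria are not inherited."""
    return [(p, r.name) for r in ancestry(role, by_name) for p in r.policies]

def matches(role, identity):
    """Assumption: every condition of the role must hold for the identity."""
    return bool(role.conditions) and all(
        OPERATORS[op](identity.get(attr, ""), value) for attr, op, value in role.conditions)

def select_role(roles, identity):
    """Lowest priority number wins; on a tie the role created last wins."""
    best = None
    for r in roles:  # roles are listed in creation order
        if matches(r, identity) and (best is None or r.priority <= best.priority):
            best = r
    return best

# Constructed sample: a three-level hierarchy and one identity's directory attributes.
ROLES = [
    Role("Staff", 200, None, [("Company", "Equals", "ExampleCorp")], ["permit-intranet"]),
    Role("Engineering", 100, "Staff",
         [("Department", "Equals", "Engineering")], ["permit-build-servers"]),
    Role("Eng_Contractors", 100, "Engineering",
         [("Title", "Contains", "Contractor")], ["deny-source-repo"]),
]
IDENTITY = {"Company": "ExampleCorp", "Department": "Engineering", "Title": "Contractor - QA"}

if __name__ == "__main__":
    print("violations:", validate(ROLES))
    chosen = select_role(ROLES, IDENTITY)
    print("mapped role:", chosen.name)
    print("policies:", effective_policies(chosen, {r.name: r for r in ROLES}))
```

Because the child role carries only its own match criteria, an identity can reach a restrictive child role without satisfying the parent's criteria, so each child's conditions should be reviewed on their own.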

Creating Child Roles


To create a role as a child of another role:
1 In the navigation pane, click Roles.
2 On the Roles tab, select the role to be the parent by selecting the role's check box.


3 Click New Child Role. The Create Child Role dialog box appears (see the following figure).

Figure 274: Create Child Role Dialog Box

In Parent Role, the selected parent role appears (see figure).

4 Type the role name and an optional description in the Name and Description boxes.

Note: A role name can have a maximum of 32 characters and can contain only alphabetic characters, hyphens, and underscores. All other special characters are invalid. A role name cannot have spaces, begin with a number, be the same as an existing name, or be "authenticated" or "unauthenticated".

5 Set a priority using the Priority slider.
6 If desired, set other role(s) as children to this role:
   a Click Edit. The Edit Children roles dialog box appears.
   b Select the desired roles to set as children by clicking their check boxes.
   c Click OK. The children roles appear in the Child Roles box.
7 To set which devices and users get assigned this role, define match criteria for the role. You can manually define these conditions or you can copy them:

   - From the parent role: Select the Inherit Parent Criteria check box.
   - From other roles: Select a role from the Copy Conditions From list.

The match conditions area displays the conditions from the selected role. You can edit these conditions if desired (see the following substeps) or skip to Step 8.


a Choose a condition from the list. The conditions listed are:


Match Criteria            Role Type
Location                  LDAP
Company                   LDAP
Country                   LDAP
Department                LDAP
Employee ID               LDAP
State                     LDAP
Title                     LDAP
E-mail                    LDAP
Device Model              LLDP (requires EXOS version 12.7.1 or later on target switch)
Device Capability         LLDP (requires EXOS version 12.7.1 or later on target switch)
Device Manufacture Name   LLDP (requires EXOS version 12.7.1 or later on target switch)
MAC                       User-defined (requires EXOS version 12.7.1 or later on target switch)
MAC OUI                   User-defined (requires EXOS version 12.7.1 or later on target switch)
IP Address                User-defined (requires EXOS version 12.7.1 or later on target switch)
User Name                 User-defined (requires EXOS version 12.7.1 or later on target switch)

   b Choose the operator in the middle column: Equals, Not Equals, Contains.
   c Type a value for the match criteria in the third column.
   d To add additional match conditions, click Add. A new row appears. Repeat Step 5.

Note: You can add a maximum of 16 conditions. To remove a match condition, click next to the match condition.

8 Click OK. The list under the Roles tab displays the new role.

Creating LLDP Roles


The creation of LLDP roles feature requires that the target switches be upgraded to ExtremeXOS 12.7.1 or later. Be sure that the switches you have selected for role-based access control are running ExtremeXOS 12.7.1 or later.

You can define Link Layer Discovery Protocol (LLDP) roles with the following LLDP attributes:
- Device Capability
- Device Model
- Device Manufacturer Name

LLDP attributes are mapped to devices as identities. The following table shows the valid attributes and descriptions of the LLDP match-criteria attributes.


Table 25: Identity Management LLDP Attributes


Attribute Name             Attribute Value                                   Value Type
Device Capability          bridge, docsis cable device, other, repeater,     String
                           reserved, router, telephone, station only,
                           WLAN access point
Device Model               model name                                        String
Device Manufacturer Name   manufacturer's name                               String

To create an LLDP role:
1 Follow the procedure for either creating a role (see Creating New Roles on page 422) or creating a child role (see Creating Child Roles on page 424).
2 Select one or more of the LLDP attributes in the match conditions area listed in the table above.
3 Click OK.

Creating User-Defined Roles


The creation of user-defined roles feature requires that the target switches be upgraded to EXOS 12.7.1 or later. You can define roles based on predefined attributes. The following table shows the valid predefined attributes and descriptions of the user-defined match-criteria attributes.

Table 26: Identity Management User-Defined Role Attributes

Attribute Name   Attribute Value   Value Type
MAC              mac-addr          String
MAC OUI          mac-addr          String
IP Address       ip-addr           String
Username         user-name         String

Identity management checks with the directory server to verify that the username attribute is a valid User Name.

To create a user-defined role:
1 Follow the procedure for either creating a role (see Creating New Roles on page 422) or creating a child role (see Creating Child Roles on page 424).
2 Select one or more of the user-defined attributes in the match conditions area listed in the table above.
3 Click OK.


Configuring White List and Black List Entries


A maximum of 512 entries are allowed in each list. Child roles cannot be created under the White or Black List roles. The configuration of White Lists and Black Lists requires that the target switches are running ExtremeXOS 12.7.1 or later.

To configure White List entries:
1 In the navigation pane, click Roles.
2 Click either the White List or the Black List tab, as desired.
3 Click New Entry. The New Entry dialog box appears.
4 Click Add and select MAC Address, IP Address, subnet, or User Name from the list and enter the properly formatted value for MAC address, IP address, or User Name.
5 Click OK. The new entry appears in the White or Black List.

Deleting Roles
When you delete a role definition, the changes are attached on all switches enabled with Identity Management.

To delete a role:
1 In the navigation pane, click Roles.
2 On the Roles tab, select the desired role to delete by clicking its check box.
3 Click Delete.
4 When prompted to confirm the deletion, click Yes.

Editing Roles
You can edit role parameters and priority for parent-child relationships. Editing a role automatically attaches it to the corresponding updated roles for all the switches that are enabled with Identity Management. You can change a parent role to that of a child role or move an existing child role to a different existing parent role.

To edit a role:
1 In the navigation pane, click Roles.
2 On the Roles tab, select a role to edit by clicking its check box.


3 Click Edit Role. The Edit roles dialog box appears (see the following figure).

Figure 275: Edit Roles Dialog

4 You can change the following:
   - Select a different parent role from the Parent Role list.
   - To select different children roles, click Edit. The Edit children roles dialog box appears. Select different child roles, and then click OK.
   - Set a different priority by moving the Priority slider.
5 Click OK.

Refreshing Users and Roles


You can refresh the role of a user in all of its active locations, refresh the roles of all active users, or refresh all active users under a given role. The refresh users and roles feature requires that the target switches are running ExtremeXOS 12.7.1 or later, and switches must be enabled for role-based access control.

To refresh selected users for all locations:
1 In the navigation pane, click Roles.
2 On the Roles tab, select a role by clicking its check box, and then click Refresh Roles/Uses.
3 A message appears indicating the results of the refresh. Review, and then click Close.


Viewing Roles
To view created roles:
1 In the navigation pane, click the Roles tab.
2 Click the Roles tab. The existing roles appear in a hierarchy (see the following figure). Parent roles have plus signs (+) next to them that you can click to show their child roles.

Figure 276: Roles Tab

For each role the following information is shown:
- Name: The role's name.
- Priority: The priority assigned to the role. Priorities can have values from 1 to 255. One (1) is the highest priority. The priority of the role determines the role to which a user is mapped. The default priority is 255. A device is assigned the lesser priority role value whenever there is a conflict. If both roles have equal priority or the default priority, the last role created is assigned the higher priority.
- Attached: Whether or not the role is attached.

For a selected role, detailed information appears in the details pane (see Viewing Role Details on page 430).

Viewing Role Details


Details about the role are displayed on the bottom pane of the Roles tab (see Viewing Roles on page 430). See the following figure. The details pane displays the role name, description, priority, parent, children, and the last time the role was refreshed. The Match Criteria tab shows the conditions for the role. The Policies tab shows the attached role policies in the order that they apply.


Figure 277: Roles Tab with Details Pane

Attaching Policies to Roles


You can attach a policy to a VPP (see Attaching Policies to VPPs) or a role. You must attach policies to roles before you can attach roles to switches.

To attach roles with policies:
1 In the navigation pane, click Policies.
2 Select a policy to attach to a role by selecting its check box. You can only attach policies to roles that are of the type "role" (see Step 5 in Creating New Policies on page 109).


3 Click Attach to Role. The Attach Policies To Roles dialog box appears (see the following figure).

Figure 278: Attach Policies To Roles Dialog Box, Attach Policies Tab

4 Select a role from the Role Name list.
5 Move policies from the Available Policies pane to the Selected Policies pane.
6 Click Next. The Results tab appears (see the following figure).

Figure 279: Attach Policies To Roles Dialog Box, Results Tab

7 View the results, and then click Finish. The policy appears in the policy list as attached (Attached column value is Attached).


Detaching a Role from a Policy


Ridgeline does not allow you to delete a policy if it is attached to a role or VM. To detach a policy from a role, see Detaching Policies from Roles on page 118.

Deleting a Policy Attached to a Role


After you have detached a policy from a role (see Detaching a Role from a Policy on page 433), you can delete the policy.

To delete a policy:
1 In the navigation pane, click Policies.
2 Select the policy that you want to delete by clicking its check box.
3 Click Delete.
4 When prompted, confirm the deletion.

Error and Results Handling


Error and Results status conditions are displayed in:
- The Role-Based-Access-Control Devices tab, under the Network Users Devices in the navigation pane. This tab displays the current status and configuration state of each identity managed device, indicating whether the device is In Sync or Out of Sync (see the following figure).
- The Audit Log, which displays detailed deployment status of each deployment action, whether triggered through user action or through automatic device restoration.

Configuration errors that occur during deployment are automatically corrected through the device restoration mechanism. The device restoration mechanism is activated whenever the HTTP status on the switch changes (for example, switch reboot).

Figure 280: Role-Based-Access-Control Devices Tab

Configuring Directory Servers


You can specify LDAP server settings for up to eight servers. Ridgeline maintains network wide LDAP configurations that ensure all Identity Management enabled edge switches have the same configuration settings.


The following LDAP Client configurations are optional on the switch:
- Client IP address: VLAN IP address through which the switch can connect to LDAP servers
- Client VR: Virtual routers through which the switch can connect to an LDAP server

Although these settings are optional, you can override them.

With multiple LDAP server configurations, EXOS selects the active LDAP server based on the following logic:
- The first configured server is initially contacted and marked as the Active server.
- If this server times out, the second server is contacted.
- If the connection succeeds, the second server is marked Active and all further LDAP requests are sent to the second server, and so on.

Configuring LDAP server settings internally deploys the settings to all Identity Management enabled switches. If you add LDAP server settings without Identity Management enabled switches, later when you enable Identity Management, Ridgeline uses the configured server settings for deployment.
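The server-selection logic above, together with the earlier advice to keep all LDAP servers synchronized, as an added Python sketch (not ExtremeXOS or Ridgeline code) showing why an unsynchronized second server changes the attribute a role match sees once the switch fails over and stays there. The server names, user, and records are constructed, and wrapping back to the first server after the last is an assumption because the guide only says "and so on".

```python
class FakeDirectory:
    """Constructed stand-in for one LDAP server; lookup() times out while it is down."""

    def __init__(self, name, records, up=True):
        self.name, self.records, self.up = name, records, up

    def lookup(self, user, attribute):
        if not self.up:
            raise TimeoutError(self.name)
        return self.records.get(user, {}).get(attribute)


class SwitchLdapClient:
    """Keeps one Active server and moves on only when that server times out."""

    MAX_SERVERS = 8  # the guide allows settings for up to eight servers

    def __init__(self, servers):
        if not 1 <= len(servers) <= self.MAX_SERVERS:
            raise ValueError("configure between 1 and 8 directory servers")
        self.servers = list(servers)
        self.active = 0  # the first configured server starts as the Active server

    def query(self, user, attribute):
        """Return (server name, value) from the first server that answers."""
        count = len(self.servers)
        for step in range(count):
            # Assumption: after the last configured server the search wraps around.
            index = (self.active + step) % count
            try:
                value = self.servers[index].lookup(user, attribute)
            except TimeoutError:
                continue
            self.active = index  # all further queries go to this server
            return self.servers[index].name, value
        raise ConnectionError("no configured directory server responded")


def attribute_drift(servers, users, attributes):
    """Report (user, attribute, {server: value}) wherever reachable servers disagree."""
    drift = []
    for user in users:
        for attribute in attributes:
            seen = {s.name: s.lookup(user, attribute) for s in servers if s.up}
            if len(set(seen.values())) > 1:
                drift.append((user, attribute, seen))
    return drift


def demo():
    # Constructed data: dc2 still holds jdoe's old department.
    dc1 = FakeDirectory("dc1", {"jdoe": {"Department": "Finance"}})
    dc2 = FakeDirectory("dc2", {"jdoe": {"Department": "Engineering"}})
    client = SwitchLdapClient([dc1, dc2])
    answers = [client.query("jdoe", "Department")]      # answered by dc1
    dc1.up = False
    answers.append(client.query("jdoe", "Department"))  # dc1 times out, dc2 becomes Active
    dc1.up = True
    answers.append(client.query("jdoe", "Department"))  # still dc2, although dc1 is back
    return answers, attribute_drift([dc1, dc2], ["jdoe"], ["Department"])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running a drift check like this against the role-relevant attributes (Department, Title, and so on) before relying on a secondary server shows where a failover would remap users to a different role.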

Viewing Directory Servers


To view configured servers and directory credentials, in the navigation pane, click Network User Devices, and then click the Directory Servers tab:

Adding New Directory Servers


To add a directory server from servers discovered in the network:
1 In the navigation pane, click Network User Devices.
2 Click the Directory Servers tab.


3 Click New. The New Directory Server dialog box appears (see the following figure).

Figure 281: New Directory Server Dialog Box

4 You can add servers by:
   - To select from a list of existing servers, click I want to select from servers discovered in the network (see first figure).
   - To provide the information about a server yourself, click I want to provide the server details (see second figure).
5 Click Next. The Add Server tab appears (see the following figures). The tab appears differently depending on your selection in Step 4.

Figure 282: New Directory Server Dialog Box, Add Servers Tab (Select Server)


Figure 283: New Directory Server Dialog Box, Add Servers Tab (Provide Server Information)

6 If you want to select a server, select a server in the list by clicking its check box and select the security mechanism by making a selection from the Security Mechanism list.

Note: If you need to change the server name or security mechanism, make the desired changes, and then click Save.

7 If you want to provide server details for an existing server, enter the details of the server, including the server name, IP address or DNS name, Port number, and security mechanism.
8 Click Next. The Results tab appears showing the success or failure of adding the directory server.

Deleting Directory Servers


To delete a directory server:
1 In the navigation pane, click Network User Devices.
2 Click the Directory Servers tab.
3 Select a server in the list by clicking its check box.
4 Click Delete.
5 When prompted, confirm the deletion.

Managing Global Settings


Ridgeline's global settings let you change:
- Directory server settings (see Changing Directory Server Settings on page 437)


- ACL-source-address type for role-based-access-control devices (see Changing ACL-Source-Address Type on page 437)
- Kerberos age-out times (see Changing Kerberos-Age-Out-Time Settings on page 438)

Access the global settings from the Global Settings tab under Network User Devices in the navigation pane (see the following figure).

Figure 284: Global Settings Tab

Changing Directory Server Settings


To customize your username and password to access all directory servers:
1 In the navigation pane, click Network User Devices.
2 Click the Global Settings tab.
3 Click Edit Directory-Server Settings. The Edit Directory Server Setting dialog box appears (see the following figure).

Figure 285: Edit Directory-Server Settings Dialog Box

4 Change the Base DN if desired.
5 Type a different name in the Username box if desired.
6 Type a new password and re-enter it in the Password and Confirm Password boxes.
7 Click OK to apply the changes to the directory server.

Changing ACL-Source-Address Type


To change the ACL-source-address type as an IP address or a MAC address:


1 In the navigation pane, click Network User Devices.
2 Click the Global Settings tab.
3 Click ACL Source-Address Type. The Edit ACL Source Address Type dialog box appears (see the following figure).

Figure 286: Edit ACL Source Address Type Dialog Box

4 Under ACL Type, select:
   - IP: Choose this if you have devices running ExtremeXOS 12.5, or 12.6, or both.
   - MAC: Choose this if all role-based-access-control devices are running ExtremeXOS 12.6. If the devices do not meet the criterion, this option is unavailable.
5 Click OK.

Changing Kerberos-Age-Out-Time Settings


Kerberos is a configuration on the device to control the life cycle of network identities that are identified through the Kerberos authentication mechanism. Kerberos-age-out-time settings let you make changes to the amount of time after which inactive or active Kerberos users are deleted from the device.

To set the Kerberos-age-out-time:
1 In the navigation pane, click Network User Devices.
2 Click the Global Settings tab.
3 Click Edit Kerberos Time Settings. The Edit Kerberos Time Settings dialog box appears (see the following figure).

Figure 287: Edit Kerberos Time Settings Dialog Box

4 Set the duration of the age-out timer by typing a value in Aging Time. This timer controls when all inactive users are deleted from the device.
5 For Force-Aging Time (the amount of time after which all users, active and inactive, are deleted from the device), choose one of the following:

   - Never: No time limit.
   - In: Type the time limit in the Minutes box.

The range for both aging time and force aging time is 1 to 65535 minutes.


6 Click OK.

Viewing Network User Information


After Identity Management is enabled on the switches you want to monitor, and you have configured Ridgeline to monitor them, you can view user and device information on the:
- Ridgeline home page (dashboards reports) (see Modifying the Contents of the Ridgeline Home Page on page 12)
- Identity views (see Active Identities on page 439).

Active Identities
Active Identities lists all of the users and devices connected to the switches that have Identity Management enabled and are being monitored by Ridgeline. To view active and inactive users, in the navigation pane, click Active Identities.

Active Identities has two tabs:
- Active Users and Threats: Lists the currently active users (see Active Users and Threats Tab on page 439).
- Inactive and Active Users: Lists the inactive users, the users that have disconnected from the monitored switches, and users who failed authorization (see Inactive and Active Users Tab on page 440).

Active Users and Threats Tab

The following figure shows the Active users and threats tab under Active Identities.

Figure 288: Active Users and Threats Tab

The Active Users and Threats tab shows the following information.


Security Threat: Shows the worst threat state that corresponds to the identity. Threats are indicated as protection unsuccessful, protection successful, or undo protection successful; the identity threat icon changes to reflect the new threat state.
User Name: The login name of the human user, or None if it is a device user, along with an icon indicating the status of the user. The status icon can be one of the following:
   - The user is active.
   - The last known status of the user is active.
   - The user was unable to log into the network.
   - The user is inactive.
   - Ridgeline has stopped monitoring the switch where the user is connected.
Role: Role to which the user is attached. For XOS devices running 12.4 or earlier, the Role shows Unknown.
Log On Time: Date and time the user logged on to the network. If the switch is running ExtremeXOS 12.3 or earlier, no information is shown and the switch cannot be added to the monitoring list.
Port Number: The port number on the switch where the user connected to the network.
User's MAC Address: The MAC address of the user.
Device IP Address: The IP address of the switch where the user connected to the network.
User's IP Address: The IP address assigned to the user.
Host Name: NetBIOS host name. This information is filled only for users identified through Kerberos. For others, it will display N/A.
Authentication Method: Date and time the user attempted to log in and encountered an authentication failure. If authentication did not fail for the user, this is N/A.
Status: Status of the user. This can be one of the following: active, inactive, last known: active, failed log on, inactive user, or stopped monitoring.
Device Name: The name and status of the switch where the user connected to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable.
User Type: Type of user, either Human or Device.
Port Name: The name of the port where the user connected to the network.
Member Of: The device groups the user belongs to, if any.
Last Updated: Date and time when information about the user was last received by Ridgeline.
Last Attempt To Update: The last time Ridgeline polled for information about the user, whether successful or not.

Inactive and Active Users Tab

The following figure shows the Inactive and Active Users tab under Active Identities.


Figure 289: Inactive and Active Users Tab

The Inactive and Active Users tab shows the users and devices that are currently logged on, as well as historical information about users and devices that are no longer connected.

Security Threat: Shows the worst threat state that corresponds to the identity. Threats are indicated as protection unsuccessful, protection successful, or undo protection successful; the identity threat icon changes to reflect the new threat state.
User Name: The login name of the human user, or None if it is a device user, along with an icon indicating the status of the user. The status icon can be one of the following:
   - The user is active.
   - The last known status of the user is active.
   - The user was unable to log into the network.
   - The user is inactive.
   - Ridgeline has stopped monitoring the switch where the user is connected.
Role: Role to which the user is attached. For XOS devices running 12.4 or earlier, the Role shows Unknown.
Log On Time: Date and time the user logged on to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable.
Port Number: Port number on the switch where the user connected to the network.
User's MAC Address: MAC address of the user.
Device IP Address: IP address of the switch where the user connected to the network.
User's IP Address: IP address assigned to the user.
Host Name: NetBIOS host name. This information is filled only for users identified through Kerberos. For others, it will display N/A.
Status: Status of the user. This can be one of the following: active, inactive, last known: active, failed log on, inactive user, or stopped monitoring.
Authentication Failed: Date and time the user attempted to log in and encountered an authentication failure. If authentication did not fail for the user, this is N/A.


Log Off Time: Date and time the user logged off.
User Type: Type of user, either Human or Device.
Authentication Method: Authentication method used to gain access to the network.
Detected by Kerberos: Whether Kerberos snooping was used to obtain information about the user.
Domain Name: The domain of the user. If the user was detected by Kerberos, then this is N/A.
Device Name: Name and status of the switch where the user connected to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable.
Port Name: Name of the port where the user connected to the network.
Last attempt to Update: Last time Ridgeline polled for information about the user, whether successful or not.
Member Of: The device groups the user belongs to, if any.
Last Updated: Date and time when information about the user was last received by Ridgeline.

Displaying Network User Details

To display details about a specific user or device, under Active Identities, click a row in the table. Information about the selected user or device appears in the details pane. If you double-click the row, the user or device details appear in a separate window (see the following figure).

Figure 290: Network User Details Window

The Details window shows the following information:


Security Threat: Shows the worst threat state that corresponds to the identity. When threats are indicated as protection unsuccessful, protection successful, or undo protection successful, the identity threat icon changes to reflect the new threat state.
User Name: The login name of the human user, or None if it is a device user, along with an icon indicating the status of the user. The status icon indicates one of the following:
- The user is active.
- The last known status of the user is active.
- The user was unable to log into the network.
- The user is inactive.
- Ridgeline has stopped monitoring the switch where the user is connected.
Role: Role to which the user is attached. For XOS devices running 12.4 or earlier, the Role shows Unknown.
Status: Status of the user. This can be one of the following: active, inactive, last known: active, failed log on, inactive user, or stopped monitoring.
Log On Time: Date and time the user logged on to the network.
Authentication Failed: Date and time the user attempted to log in and encountered an authentication failure. If authentication did not fail for the user, this is N/A.
Log Off Time: Date and time the user logged out of the network. If the user is currently logged in, this is N/A. If Ridgeline was not monitoring the switch when the user logged out, then this is Unknown.
User's MAC Address: The MAC address of the user.
Authentication Method: The authentication method used to gain access to the network.
Detected by Kerberos: Whether Kerberos snooping was used to obtain information about the user.
Domain Name: The domain of the user. If the user was detected by Kerberos, then this is N/A.
Device Name: The name and status of the switch where the user connected to the network.
Device IP Address: The IP address of the switch where the user connected to the network.
Port Number: The port number on the switch where the user connected to the network.
Port Name: The name of the port where the user connected to the network.
Last Updated: Date and time when information about the user was last received by Ridgeline.
Last Attempt to Update: The last time Ridgeline polled for information about the user, whether successful or not.
Member Of: The device groups the user belongs to, if any.
User Type: Type of user, either Human or Device.
Device Type
Device Status
Host Name: NetBIOS host name. This information is filled only for users identified through Kerberos. For others, it will display N/A.
LLDP Capability: The LLDP capability of the device user. This can be one of the following: Avaya phone, General telephone, Router, Bridge, Repeater, WLAN access point, DOCSIS cable service, Station only, or Other.
Device Model Name
Device Manufacture Name


The window also includes the following information about the VLAN(s) that the user is part of:
VLAN Tag: The VLAN tag value (if any) or Untagged.
VLAN Name: The VLAN name.
User's IP address: The IP address assigned to the user on the VLAN.

Displaying Identity Management Reports


Using information gathered from Identity Management records, Ridgeline can generate the following reports:
- Most logons by username
- Most logon failure by username
- Most logons by device IP address
- Most logon failures by device IP address
- Most logon by user's MAC address
- Most logon failures by user's MAC address
- All logins, authorization failures, and logouts in the last 24 hours

To view reports, click Reports, click Network Users, and then click the individual reports (see the following figure). For more information about Network Users reports, see Network Users Reports on page 468.

Figure 291: Ridgeline Reports

For additional information about reports, refer to Ridgeline Reports.


24 Managing Network Security


- Security Overview
- Management Access Security
- Monitoring Switch Configuration Changes
- Using the MAC Address Finder
- Using Alarms to Monitor Potential Security Issues
- Device Syslog History
- Network Access Security with VLANs

This chapter describes how you can use the features of Ridgeline to help you ensure the security of your network.

Security Overview
Network security is one of the most important aspects of any enterprise-class network. Security provides authentication and authorization for both access to the network and management access to the network devices. Network administrators must protect their networks from unauthorized external access as well as from internal access to sensitive company information. Extreme Networks products incorporate multiple security features, such as IP access control lists (ACLs) and virtual LANs (VLANs), to protect enterprise networks from unauthorized access. Ridgeline provides multiple features that control and monitor the security features on Extreme Networks products. Using Ridgeline, you can set up VLANs (see Creating VLANs on page 123), and monitor security aspects of your network (see Using the Network Security Manager on page 446).

Management Access Security


Along with securing the traffic on your network, you must set up your network switches to allow only authorized access to the switch configuration and traffic monitoring capabilities. This requires securing the switch to allow only authenticated, authorized access, and securing the management traffic between the switch and the administrator's host to ensure confidentiality.

Ridgeline provides authentication and authorization for logon to Ridgeline itself, so you can control who can access Ridgeline and what functions they are allowed to perform. You can provide read-only access to selected functions for some users, so they can monitor the network but not make any configuration changes, while allowing other users to make changes to device configurations, policy settings, etc. (see User Administration on page 341).

By default, Ridgeline communicates with devices for configuration changes using Telnet and TFTP. You can optionally configure Ridgeline to use Secure Telnet (SSH) and Secure FTP to execute configuration commands and to upload and download configuration files on your Extreme Networks switches (see Configuring Default Access Parameters on page 54).

Finally, you can secure the communication between Ridgeline clients and the Ridgeline server itself by using SSH (HTTPS) instead of the standard HTTP protocol, which is the default.

Using the Network Security Manager


Ridgeline's Network Security Manager identifies security violations in the network, finds the applicable information about the malicious user from the Identity Manager, and carries out the required protective actions. Identity Management provides the interface that displays threat icons, which alert the network administrator to a threat, and provides threat information. Currently, Ridgeline uses the McAfee Network Security Manager platform to handle threat traps.

For additional information, see:
- Network Security Manager requirements
- Recognizing network security threats
- Clearing a threat

Network Security Manager Requirements

To use this feature, a switch must be managed by Ridgeline and must be licensed with the Security Feature Pack license. Ridgeline's Network Security Manager requires its Identity Management feature to:
- Provide the switch IP address to Ridgeline's Network Security Manager, which uses it to perform a switch eligibility check.
- Add an icon to the Identity Management users table that shows the affected user.
- Perform the predefined actions based on the threat type.
- Display detailed information about the threat.
- Display the top ten identities correlated to threats received from network security managers (NSMs).
- Clear a threat from the Active Users and Threats tab under Active Identities.
- Undo protection of an identity. This raises a new threat cleared alarm.
- Correlate security events, threats, and information received from network service providers (NSPs) to identities and display them in the Active Users and Threats tab.

Threat Types and Corresponding Pre-defined Alarms

Ridgeline has pre-defined alarms that support the following traps:
Trap Name: Pre-defined Ridgeline Alarms
ivSignatureAlert: Exploit attack, DoS attack, Reconnaissance attack, or Policy violation, based on the value of the VARBIND ivAlertCategory
ivPortScanAlert: Port scan alert
ivHostSweepAlert: Host sweep alert
ivSignatureAlertIPPairBased: Exploit attack, DoS attack, Reconnaissance attack, or Policy violation, based on the value of the VARBIND ivAlertCategory
ivFileAVAlert: Virus Attack

Predefined Alarms in Ridgeline

The following predefined alarms are supported by Ridgeline:

S number, Alarm Name: Purpose
1 Port Scan Alert: To indicate a port scan attack.
2 Port Scan Alert Cleared: Alarm indicates port scan attack cleared.
3 Host Sweep Alert: To indicate host sweep attack.
4 Host Sweep Alert Cleared: Alarm indicates host sweep attack cleared.
5 Exploit Alert: To indicate Exploit attack.
6 Exploit Alert Cleared: Alarm indicates Exploit alert cleared.
7 DoSandDDoS Alert: To indicate DoS and DDoS Attack.
8 DoSandDDoS Alert Cleared: DoS and DDoS Attack cleared.
9 Reconnaissance Alert: Alarm for Reconnaissance attack.
10 Reconnaissance Alert Cleared: Reconnaissance attack cleared.
11 Policy Violation Alert: Policy violation attack.
12 Policy Violation Alert Cleared: Policy violation attack is cleared.
13 Virus Alert: Virus attack related alert.
14 Virus Alert Cleared: Virus alert cleared.

Enabling and Disabling Threat Traps

You enable and disable threat traps by using Ridgeline's Alarm Manager (see Overview of the Ridgeline Alarm Manager on page 237).

Ridgeline Protective Actions

The Alarm Manager triggers the execution of predefined scripts to take protective action and notify the Security Manager. Protective action also records inactive users. If an inactive user has more than one record, the latest record is valid.


Recognizing Network Security Threats

Any time an identity is associated with a threat, Ridgeline's Identity Management feature displays icons that indicate the severity of the threat, rogue users, port number, IP addresses, and other pertinent information. To access information about threats, in the navigation pane, click Active Identities, and then click the Active Users and Threats tab (see the figure below). The Security Threat column displays an icon for each identity associated with a threat state. Threat icons are different colors that indicate the nature of the threat:

Cleared No threat New threat Protection unsuccessful Undo protection unsuccessful Protection successful

The Security Threat column shows the security threat state that corresponds to the identity. When threats are indicated as protection unsuccessful, protection successful, or undo protection successful, the Identity Management Users table identity threat icon changes to reflect the new state. The state undo protection successful automatically changes to cleared state when undo protection is successful. Ridgeline monitors the network service providers to retrieve current threat status. If errors occur during enforcement or during conditions where the threat no longer exists, but continues to be reported by the Network Security Manager, you can remove actions using the undo protection action (see Triggering the Undo Protection Action on page 449) or clearing the threat (see Clearing a Threat on page 450).

Figure 292: Active Users and Threats Tab


You can also view the inactive and active users table by clicking the Inactive and Active Users tab (see the following figure).

Figure 293: Inactive and Active Users Tab

Triggering the Undo Protection Action

Note: Undo protection is only available for threats in the Protection successful state.

1 In the navigation pane, click Active Identities.
2 Click the Active Users and Threats tab.


3 Double-click a threat record in the table whose Security Threat is Protection successful. The Active Users and Threats Details window appears (see the following figure).

Figure 294: Active Users and Threats Details Window

4 On the menu, click Edit > Undo protection. This raises a new threat cleared alarm, changing the threat state to Cleared. If the undo protection action is unsuccessful, manually remove the deployed ACLs from the switch. Ridgeline does not automatically remove the deployed ACLs.
5 Click File > Close to close the window.

Clearing a Threat

Note: You can manually clear a threat only if it is in the Undo protection unsuccessful state.

To clear a threat:
1 In the navigation pane, click Active Identities.
2 Click the Active Users and Threats tab.


3 Double-click the threat row whose Security Threat is Undo protection unsuccessful. The Active Users and Threats Details window appears (see the following figure).

Figure 295: Threat User Details

4 On the menu, click Edit > Clear. The threat icon for the identity is removed, indicating there is no longer a threat.
5 Click File > Close to close the window.

Viewing Threat Information on the Dashboard

If desired, you can add either, or both, of the following threat reports to the dashboard on the Ridgeline home page:
- Threats by type in the last 24 hours (report icon = Threats/Type)
- Threats by user name in the last 24 hours (report icon = Threats/User Name)

For information about how to add these reports to the dashboard, see Modifying the Contents of the Ridgeline Home Page on page 12.

Using RADIUS for Ridgeline User Authentication


Fundamental to the security of your network is controlling who has access to Ridgeline itself, and what actions different Ridgeline users can perform. Ridgeline provides a built-in authentication and authorization mechanism through the user IDs, passwords, and user roles (see Overview of User Administration on page 339).

By default, Ridgeline authenticates users using its own internal mechanism, based on the user names and passwords configured in Ridgeline administration. However, for more robust authentication, or to avoid maintaining multiple sets of authentication information, Ridgeline can function as a RADIUS client (see RADIUS Administration on page 348).

Enabling Ridgeline as a RADIUS client lets Ridgeline use an external RADIUS server to authenticate users attempting to log in to the Ridgeline server. At a minimum, the RADIUS server's Service type attribute must be configured to specify the type of user to be authenticated. A more useful implementation is to configure the external RADIUS server to return user role information along with the user authentication. For information about configuring an external RADIUS server, see Configuring an External RADIUS Server for Ridgeline User Authentication on page 452.

Configuring an External RADIUS Server for Ridgeline User Authentication

Ridgeline uses administrator roles to determine who can access and control your Extreme Networks network equipment through Ridgeline. A user's role determines what actions the administrative user is allowed to perform, through Ridgeline or directly on the switch. When users are authenticated through Ridgeline's built-in logon process, Ridgeline knows what role each user is assigned and grants access accordingly.

If users are going to be authenticated by an external RADIUS authentication service, then that service needs to provide role information along with the user's authentication status:
- If you are using only the predefined roles that are built into Ridgeline, you can configure the RADIUS server with a Service Type attribute to specify one of the built-in administrator roles.
- If you have created your own custom roles, you can set a Vendor-Specific Attribute (VSA) to send the appropriate role information along with the authentication status of the user.

To set up your RADIUS server to provide authentication and authorization for Ridgeline users:
1 Configure Ridgeline to act as a RADIUS client (see Enabling RADIUS for Ridgeline on page 349).
2 In your authentication database, create a group for each administrative role you plan to use in Ridgeline, and then configure the appropriate users with the appropriate group membership. For example, if you want to authenticate both Ridgeline admin and manager users, you must create a group for each one.
3 Within the RADIUS server:
- Add Ridgeline as a RADIUS client.
- Create Remote Access Policies for each Ridgeline role, and associate each policy with the appropriate Active Directory group. For example, if you plan to have both Ridgeline admin and manager users, you must create a Remote Access Policy for each one, and then associate each policy with the appropriate group.
- Edit each Remote Access Policy to configure it with the appropriate Service Type attribute value or VSA for the appropriate Ridgeline role.

For detailed examples of configuring Ridgeline and your RADIUS server to provide user authentication, see:
- Example: Setting up a VSA to Return Ridgeline Role Information on page 452
- Example: Setting the Service Type for a Built-in Ridgeline Role on page 453

Example: Setting up a VSA to Return Ridgeline Role Information

The following is an example of how to set up the VSA in Windows 2000 for a custom (user-defined) role named AlarmsOnly. Note that you must have an administrator or super-user role in Ridgeline to perform these steps.


This assumes that Ridgeline has been configured as a RADIUS client in Ridgeline administration, and on the RADIUS server. (See External RADIUS Server Setup on page 554 for a detailed walk-through example of how to configure an external RADIUS server for Ridgeline authentication.)

1 In Ridgeline administration, create a role named AlarmsOnly (see Adding or Modifying Roles on page 346).
2 From the Internet Authentication Service (IAS), add or edit a Remote Access Policy. Set up the policy conditions as appropriate. Remote access policies are a set of conditions and connection parameters that are used to grant users remote access permissions and connection usage.
3 Click Edit Profile to edit the remote access policy. Click the Advanced tab and add a Vendor-Specific attribute. Set up the attribute with the following values:

Vendor code: 1916
Vendor-assigned attribute number: 210
Attribute format: String
Attribute value: AlarmsOnly

Once this has been set up, for all users logging in to Ridgeline who match the conditions defined in the remote access policy, a VSA with value AlarmsOnly is passed to Ridgeline. Ridgeline then applies the user role AlarmsOnly to those users to provide feature access as defined by that role.

Example: Setting the Service Type for a Built-in Ridgeline Role

If you plan to use an external RADIUS server to authenticate Ridgeline users, but you do not want to configure your RADIUS server with a VSA to pass role information (see Example: Setting up a VSA to Return Ridgeline Role Information on page 452), then you must configure your RADIUS server's Service type attribute (in the Remote Access Policy for the users who should have access to Ridgeline) to specify the type of Ridgeline user to be authenticated:

For Users with Role: Set the Service Type to...
Admin: 6
Manager: 5
Monitor: 1
To disable authentication: "Disabled"

If you do not change from the default (which is to disable authentication), no Ridgeline users can be authenticated. If you set this Service Type in your standard Remote Access Policy, only one type of user can be authenticated using this method. To allow the authentication of multiple types of Ridgeline users, follow the instructions in Example: Setting up a VSA to Return Ridgeline Role Information, or see the detailed example in Configuring RADIUS for Ridgeline Authentication.
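The two examples above both end with role information travelling in RADIUS attributes. The following added example (not Ridgeline code) encodes and parses those attributes in the RFC 2865 wire format so you can check what a policy actually returns; the function names are hypothetical, and the rule that a role VSA takes precedence over Service-Type is an assumption.

```python
import struct

# Values from the examples above: vendor code, VSA number and the
# Service-Type to built-in role mapping.
EXTREME_VENDOR_ID = 1916
RIDGELINE_ROLE_VSA = 210
SERVICE_TYPE_ROLES = {6: "Admin", 5: "Manager", 1: "Monitor"}

# Standard RADIUS attribute types (RFC 2865).
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26


def encode_attr(attr_type, value):
    """Encode one attribute as type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_role_vsa(role):
    """Vendor-Specific attribute: 4-byte vendor id, then a vendor sub-TLV."""
    raw = role.encode("utf-8")
    sub = bytes([RIDGELINE_ROLE_VSA, len(raw) + 2]) + raw
    return encode_attr(ATTR_VENDOR_SPECIFIC,
                       struct.pack("!I", EXTREME_VENDOR_ID) + sub)


def encode_service_type(value):
    """Service-Type is a 4-byte big-endian integer."""
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def parse_attrs(data):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def resolve_role(attr_bytes):
    """Return the role conveyed by an attribute list, or None."""
    vsa_role = None
    service_role = None
    for attr_type, value in parse_attrs(attr_bytes):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id != EXTREME_VENDOR_ID:
                continue  # another vendor's VSA carries no Ridgeline role
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == RIDGELINE_ROLE_VSA:
                    vsa_role = sub_value.decode("utf-8")
        elif attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            service_role = SERVICE_TYPE_ROLES.get(number)
    # Assumption: a custom role sent in the VSA wins over Service-Type.
    return vsa_role or service_role


if __name__ == "__main__":
    # Constructed attribute list: Service-Type 1 plus the AlarmsOnly VSA.
    sample = encode_service_type(1) + encode_role_vsa("AlarmsOnly")
    print(sample.hex(), "->", resolve_role(sample))
```
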


Securing Management Traffic


Management traffic between a management program like Ridgeline and the managed network devices can reveal confidential information about your network if this traffic is transmitted without security. Two possibilities for encrypting this traffic when accessing network devices are using:
- SNMPv3
- SSH

Using SNMPv3 for Secure Management

SNMPv3 is a series of RFCs (RFC 2273 through RFC 2275) defined by the IETF to provide management capabilities that guarantee authentication, message integrity, and confidentiality of management traffic. SNMPv3 includes the option to encrypt traffic between the agent (residing on the network device) and the management application (Ridgeline). This prevents unauthorized eavesdropping on sensitive management data.

You can add SNMPv3 devices to your Ridgeline inventory by:
- Discovering devices
- Adding devices manually

If you change the contact password or SNMP community string, Ridgeline prompts you to change these settings on the device as well as in the Ridgeline database. If you choose not to change the settings on the device, you need to configure them manually on each device before Ridgeline can access them. If you change the SNMPv3 settings, you also need to Telnet to the device and change those settings locally.

If you have both SNMPv1 and SNMPv3 on a device, Ridgeline makes it easy to switch between one and the other. This means that if you have enabled SNMPv3 on your devices, and then find it necessary to return to SNMPv1 for any reason, you can do so with minimal effort (see Modifying Communications Settings on page 51).

Using SSHv2 to Access Network Devices

Extreme Networks products support the secure shell 2 (SSHv2) protocol to encrypt traffic between the switch management port and Ridgeline. This protects sensitive data from being intercepted or altered by unauthorized access. You configure SSHv2 for Ridgeline in Ridgeline Administration (see Device Properties on page 355). When SSH is enabled for a device, Ridgeline also uses Secure FTP (SFTP) for file transfers to and from that device.

To enable SSH on a device from Ridgeline:
1 The device must be running a version of ExtremeWare or ExtremeXOS that supports SSH. This requires a special license due to export restrictions. Refer to the appropriate ExtremeWare or ExtremeXOS documentation for licensing information.
2 Install the Ridgeline SSH Enabling Module. This is an SSH enabling key that can be obtained from Extreme Networks.


a To receive the Ridgeline SSH enabler key, fill out the End-User Certification Form at: www.extremenetworks.com/apps/Ridgeline/ssh.asp
b After the form is submitted, Extreme Networks reviews the request and responds within two business days.
c If your request is approved, an e-mail is sent with the information needed to obtain the ssh-enabler key file.
d Place the ssh-enabler key file in your existing Ridgeline installation directory. This unlocks the Ridgeline SSH-2 features.
3 Enable SSH on the devices that you want Ridgeline to communicate with using SSH rather than Telnet:
a In Ridgeline, on the menu, click Device > Modify Communications Settings.
b Select the devices you want to configure for SSH.

Figure 296: Configuring Devices to Use SSH for Communication

c Select SSH, and select Enabled from the list.
d Click OK to have this setting take effect.

Note: If the SSH enabler module is not installed, you cannot configure SSH on any devices; the SSH setting is still disabled.

Ridgeline now uses SSH instead of regular Telnet for direct communications with the device, including Netlogin and polling for the FDB from the Extreme Networks switches. It also uses SFTP for file transfers such as uploading or downloading configuration files to the device.


Securing Ridgeline Client-Server Traffic


By default, Ridgeline server communication to its clients is unencrypted. You can secure this communication through SSH tunneling. This requires installing and running an SSH client (PuTTY is recommended) on the same system as the Ridgeline client, and installing and running an SSH server (OpenSSH is recommended) on the same system where the Ridgeline server resides. Tunneled communication is accomplished through port forwarding.

To configure SSH tunneling between the Ridgeline server and client:
1 Install PuTTY on the Ridgeline client system.
2 Configure the PuTTY client with a Ridgeline session connecting to the Ridgeline server host.
3 Install an SSH server on the system with the Ridgeline server (if it is not already installed).
4 Configure any firewall software to allow SSH connections.
5 Initiate Ridgeline server/client communication:
a Make sure the SSH server is running on the server system.
b Start the SSH client on the client system.
c Log on to the Ridgeline client with the URL http://localhost:8080/ (not the host where the Ridgeline server is actually located).

PuTTY is now set up to port forward all traffic going to the local host on port 8080. When PuTTY sees a connection request to the local host on port 8080, PuTTY encrypts the information and sends it across the encrypted tunnel to the server. To see a detailed example of setting this up in the Windows environment, see Using SSH for Secure Communication.

Monitoring Switch Configuration Changes


Fundamental to securing your network is verifying that no configuration changes have occurred that may have a detrimental effect on network security. Something as simple as changing passwords can introduce a weakness in your security design for the network. The Ridgeline Configuration Manager provides several features that you can use to monitor the integrity of your device configurations:
- Baselines: You can save baseline configurations for each of your devices. Not only do these provide a known-good backup if needed, but Ridgeline can then compare these to your regularly scheduled configuration archive files to determine if any configuration changes have been made. If it detects changes, Ridgeline inspects the Syslog file for the device to identify any entries that are related to the configuration changes observed in the archived configuration file (see Creating or Changing Baseline Configurations on page 285).
- Backups: Regularly archiving your device configuration files provides a backup in case a configuration is accidentally or intentionally changed (see Backing up Configuration Files Manually or by Scheduling for a Device or Device Group on page 276).
- Diff feature: The Configuration Manager's Diff feature lets you compare two saved configuration files, or compare a saved configuration file against the baseline configuration for the device to see the differences between the two files (see Viewing and Comparing Configuration Files for Devices on page 270).

Using the MAC Address Finder


You may need to track down a specific host on your enterprise network. This host may be involved in malicious activity, be a compromised source for virus infections, be using excessive bandwidth, or have network problems. Ridgeline provides the IP/MAC Address Finder tool to locate any MAC address on your network (see Overview of the IP/MAC Address Finder on page 333).

Ridgeline provides two ways to find a MAC address in your enterprise network. If you have MAC Address Polling enabled, you can use a database search that searches the MAC FDB information learned by Ridgeline's MAC Address Poller. The MAC Address Poller maintains a database on the Ridgeline server of all MAC addresses associated with edge ports. An edge port is identified by the absence of Extreme Discovery Protocol (EDP) or Link Layer Discovery Protocol (LLDP) packets on a port. You can additionally disable MAC Address Polling on specific ports and switches. This is useful for disabling polling on trunk ports on third-party switches (which Ridgeline identifies as edge ports, as they do not use EDP or LLDP).

The MAC Address Poller determines the set of MAC addresses on the edge ports via the FDB database on the switch. It also keeps track of the IP address(es) associated with the MAC address using the IP ARP cache on the switch. The database search is faster than the network search, although the database may be less up-to-date, as a full MAC address poll cycle can take a reasonably long time. However, if you want to identify the switch port where the host is connecting to the network, then a database search has the advantage of automatically ignoring trunk ports.

Ridgeline also provides a full network search to search the forwarding database (FDB) and IP ARP cache on selected switches. A network search has the advantage of searching the most up-to-date source of data. However, the network search is slower because it must contact each switch directly. It also does not always report the correct IP address associated with a MAC address/VLAN port when the MAC address is mapped to multiple IP addresses on the switch. If you want to determine how a MAC address is propagating through the network aggregation layer, you should use a network search.

Using Alarms to Monitor Potential Security Issues


The Ridgeline Alarm Manager allows you to create custom alarm conditions on any supported MIB object known to Ridgeline. Using the Alarm Manager, you can set up alarms for alerting you to critical security problems within your network. An example of this would be creating an alarm to notify you of a potential Denial of Service (DoS) attack. A DoS attack occurs when a critical network or computing resource is overwhelmed so that legitimate requests for service cannot succeed. In its simplest form, a DoS attack is indistinguishable from normal heavy traffic. Extreme Networks switches are not vulnerable to this simple attack because they are designed to process packets in hardware at wire speed. However, there are some operations in any

Ridgeline 4.0 Service Pack 1 Reference Guide

457

Managing Network Security

switch or router that are more costly than others, and although normal traffic is not a problem, exception traffic must be handled by the switch's CPU in software. Some packets that the switch processes in the CPU software include:
- Learning new traffic
- Routing and control protocols including ICMP, BGP and OSPF
- Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
- Other packets directed to the switch that must be discarded by the CPU

If any one of these functions is overwhelmed, the CPU may become too busy to service other functions and switch performance suffers. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets requiring costly processing.

DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue. When a flood of packets is received from the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, then these headers are analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the CPU. With the ACL in place, the CPU has the capacity to process legitimate traffic and continue other services.

Once DoS Protection is set up on the switches, you could define an alarm for the traps DOS Threshold cleared and DOS Threshold reached, and have it take an action such as an e-mail notification or sending a page to a network administrator. For information about configuring DoS Protection on your Extreme Networks switches, see the ExtremeXOS Concepts Guide.

Another example would be to detect a TCP SYN flood as indicating a potential DoS attack. A SYN flood occurs when a malicious entity sends a flood of TCP SYN packets to a host. For each of these SYN requests, the host reserves system resources for the potential TCP connection. If many of these SYN packets are received, the victim host runs out of resources, effectively denying service to any legitimate TCP connection. Using the Alarm Manager, you can detect a potential SYN flood by defining a threshold alarm, using a delta rising threshold rule on the TCP-MIB object tcpPassiveOpens. If this MIB object rises quickly in a short delta period, the system may be under a DoS attack.
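The delta rising threshold rule described above, worked through in Python as an added example (not Ridgeline code): each poll's increase in tcpPassiveOpens is compared with a rising threshold, with Counter32 wrap and agent restarts handled. The threshold values, the re-arm level, the 30-second poll interval and the samples are constructed assumptions.

```python
"""Delta rising-threshold check on polled tcpPassiveOpens values.

Added illustration, not Ridgeline code. Thresholds and samples are constructed.
"""
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32  # tcpPassiveOpens is a Counter32 and wraps at 2^32


def counter_delta(prev, curr):
    """Increase between two Counter32 samples, allowing for a single wrap."""
    return (curr - prev) % COUNTER32_MOD


@dataclass
class DeltaRisingRule:
    rising: int         # alarm when one interval's delta reaches this value
    rearm: int          # assumption: re-arm once a delta is at or below this
    armed: bool = True

    def crossed(self, delta):
        """True only for the interval in which the rising threshold is crossed."""
        if self.armed and delta >= self.rising:
            self.armed = False
            return True
        if not self.armed and delta <= self.rearm:
            self.armed = True
        return False


def find_alarms(samples, rule):
    """samples: (sysUpTime ticks, tcpPassiveOpens) pairs in poll order.

    Returns (sysUpTime, delta) for every interval that raises the alarm.
    """
    alarms = []
    for (prev_up, prev_val), (up, val) in zip(samples, samples[1:]):
        if up < prev_up:
            # sysUpTime went backwards: the agent restarted and the counter
            # was reset, so this interval has no meaningful delta.
            continue
        delta = counter_delta(prev_val, val)
        if rule.crossed(delta):
            alarms.append((up, delta))
    return alarms


# Constructed samples, polled every 30 s (3000 sysUpTime ticks).
SAMPLES = [
    (3000, 4294967000),
    (6000, 4294967120),   # +120, normal load
    (9000, 150),          # counter wrapped: +326, still normal
    (12000, 5650),        # +5500, rising threshold crossed
    (15000, 12650),       # +7000, flood continues, no duplicate alarm
    (18000, 12800),       # +150, below the re-arm level
    (3000, 40),           # device rebooted, interval skipped
    (6000, 6040),         # +6000, crossed again
]

if __name__ == "__main__":
    rule = DeltaRisingRule(rising=5000, rearm=500)
    for uptime, delta in find_alarms(SAMPLES, rule):
        print(f"alarm at sysUpTime={uptime}: {delta} passive opens in one interval")
```

Without the sysUpTime check, the reboot in the sample data would be read as a counter wrap and reported as a very large delta.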

Device Syslog History


Syslog messages report important information about events in your network. Each Extreme Networks product acts as a syslog client, sending syslog messages to configured syslog servers. These messages include information that reveals the security status of your network. Using syslog messages, you can track events in your network that may affect security. Make sure Ridgeline is configured as a Syslog server on the devices you want to monitor. The Syslog server function within Ridgeline is enabled through the Ridgeline Administration feature (see Device Properties).


Ridgeline creates a dynamic log of syslog messages in the Reports feature. Use this log to scan for critical security events such as:

Table 27: Security-Based Syslog Messages

Error Message: <CRIT:IPHS> Possible spoofing attack
Explanation: You have a duplicate IP address on the network (same as an address on a local interface), or the IP source address equals a local interface on the router and the packet needs to go up the IP stack, i.e., multicast/broadcast. In the BlackDiamond, if a multicast packet is looped back from the switch fabric, this message appears.

Error Message: USER: Login failed for user through telnet
Explanation: A logon attempt failed for an administrative user attempting to connect to a device using telnet.

Error Message: SYST: card.c 1000: Card 3 (type=2) is removed.
Explanation: A card has been removed from the device. This is a possible breach of physical security if this is an unauthorized removal.

Error Message: <WARN:KERN> fdbCreatePermEntry: Duplicate entry found mac 00:40:26:75:06:c9, vlan 4095
Explanation: A duplicate MAC address appeared on the network. This is a possible client spoofing attempt.
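A scan of a syslog export for the four messages in Table 27, as an added Python example rather than a Ridgeline feature. The message texts come from the table; the line layout, device addresses, user names and the failure limit are constructed assumptions.

```python
"""Scan syslog lines for the security messages listed in Table 27.

Added illustration, not Ridgeline code. Sample lines are constructed.
"""
import re
from collections import Counter

# Message patterns from Table 27; the capture groups are additions.
RULES = [
    ("ip-spoofing",
     re.compile(r"<CRIT:IPHS>\s+Possible spoofing attack")),
    ("telnet-login-failure",
     re.compile(r"USER:\s+Login failed for user(?: (?P<user>\S+))? through telnet")),
    ("card-removed",
     re.compile(r"SYST:\s+card\.c\s+\d+:\s+Card (?P<card>\d+) "
                r"\(type=(?P<type>\d+)\) is removed")),
    ("duplicate-mac",
     re.compile(r"<WARN:KERN>\s+fdbCreatePermEntry:\s+Duplicate entry found "
                r"mac (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}), "
                r"vlan (?P<vlan>\d+)")),
]

# Assumed line layout: "<Mon> <day> <hh:mm:ss> <device> <message>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<device>\S+)\s+(?P<msg>.*)$")


def classify(message):
    """Return (category, extracted fields) for a Table 27 message, else None."""
    for category, pattern in RULES:
        match = pattern.search(message)
        if match:
            return category, match.groupdict()
    return None


def scan(lines):
    """Return one finding per line that carries a Table 27 message."""
    findings = []
    for line in lines:
        parsed = LINE.match(line.strip())
        if not parsed:
            continue
        hit = classify(parsed["msg"])
        if hit:
            category, fields = hit
            findings.append({"device": parsed["device"], "time": parsed["ts"],
                             "category": category, **fields})
    return findings


def repeated_login_failures(findings, limit=3):
    """Devices that logged at least `limit` telnet logon failures."""
    counts = Counter(f["device"] for f in findings
                     if f["category"] == "telnet-login-failure")
    return {device: n for device, n in counts.items() if n >= limit}


# Constructed sample export (addresses are documentation-range values).
SAMPLE_LOG = """\
Mar 14 02:11:07 192.0.2.10 <CRIT:IPHS> Possible spoofing attack
Mar 14 02:11:30 192.0.2.10 USER: Login failed for user admin through telnet
Mar 14 02:11:34 192.0.2.10 USER: Login failed for user admin through telnet
Mar 14 02:11:39 192.0.2.10 USER: Login failed for user root through telnet
Mar 14 02:15:02 192.0.2.11 SYST: card.c 1000: Card 3 (type=2) is removed.
Mar 14 02:16:45 192.0.2.11 <WARN:KERN> fdbCreatePermEntry: Duplicate entry found mac 00:40:26:75:06:c9, vlan 4095
Mar 14 02:17:00 192.0.2.11 SYST: Port 1:4 link up
Mar 14 02:18:12 192.0.2.12 USER: Login failed for user through telnet
""".splitlines()

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("repeated logon failures:", repeated_login_failures(results))
```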

Network Access Security with VLANs


Network administrators need to prevent unauthorized access to their network to protect sensitive corporate data as well as to guarantee network availability. To achieve this, you need to combine edge security features such as firewalls with network controls such as IP access lists and network segmentation using VLANs. Unauthorized access attempts can originate from hosts external to your network as well as from benign or malicious attempts from within your network that can disrupt or overload your enterprise network.

Using Ridgeline, you can configure VLANs to segment your physical LAN into multiple isolated LANs to separate departmental or sensitive traffic within your enterprise network. VLANs segment your physical LAN into independent logical LANs that can be used to isolate critical segments of your network or network traffic from one another. Using VLANs, you can create autonomous logical segments on your network for different business needs, such as creating a Marketing VLAN, a Finance VLAN, and a Human Resources VLAN. All the hosts for marketing personnel reside on the Marketing VLAN, while all the hosts for finance personnel reside on the Finance VLAN. This isolates marketing and finance traffic and resources, preventing any unauthorized access to financial information from any other group.

VLANs work by assigning a unique VLAN ID to each VLAN, and then assigning hosts to the appropriate VLAN. All traffic from that host is tagged with the VLAN ID, and directed through the network based on that VLAN ID. In the marketing and finance example, each department can be on the same physical LAN, but each is tagged with a different VLAN ID. Marketing traffic going through the same physical LAN switches does not reach Finance hosts because they exist on a separate VLAN.


Extreme Networks switches can support a maximum of 4095 VLANs. VLANs on Extreme Networks switches can be created according to the following criteria:
- Physical port
- 802.1Q tag
- Protocol sensitivity using Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol filters
- A combination of these criteria

For a more detailed explanation of VLANs, see the ExtremeXOS Concepts Guide.

You can create VLANs in Ridgeline using Ridgeline's network resource provisioning feature or through scripts. You can monitor the VLANs in your network from Ridgeline Main View or device groups. For more information about how Ridgeline can help you manage the VLANs on your network, see Creating VLANs on page 123.


25 Ridgeline Reports
- Reports Overview
- Accessing Ridgeline Reports
- The Extreme Networks eSupport Export Report
- Network Status Summary Report
- Network Users Reports
- Devices Reports
- Slots, Stacks and Ports Reports
- EAPS Reports
- Log Reports
- Client Reports
- MIB Poller Tools
- Ridgeline Server Reports
- Adding User-Defined Reports to the Reports Menu
- Printing Reports
- Exporting Reports

This chapter describes the predefined reports provided by the Ridgeline Reports feature and covers the following topics:
- Accessing Reports from Ridgeline or from a browser
- The Network Summary Report, which is also displayed on the Ridgeline Home page
- Exporting Ridgeline data for use by the Extreme Networks Technical Assistance Center
- Viewing predefined Ridgeline status reports from a browser

Reports Overview
The Ridgeline software provides a series of HTML-based reports that present a wide variety of information about your network and the devices Ridgeline is managing. These reports can be accessed from Ridgeline or they can be accessed separately from a standard web browser (see Accessing Ridgeline Reports on page 462). The Ridgeline reports do not require Java capability, and thus can be accessed from browsers that cannot run the full Ridgeline user interface. These reports load quickly, even over a dial-up connection, and can also be printed. Some of these reports are actually tools to access information helpful for debugging problems with Ridgeline or the devices it is managing.

With the exception of the Network Summary Report, Ridgeline's HTML reports always appear in a browser window, even if you are logged into Ridgeline. See Browser Requirements for Reports in the Ridgeline Installation and Upgrade Guide or the Ridgeline Release Notes for a list of supported browsers. The browser configured as the default for your system is the one that is used. The Network Summary Report also appears on the Ridgeline home page (see The Ridgeline Home Page on page 11).

Accessing Ridgeline Reports



You can access the Ridgeline reports two ways:
- From Ridgeline, in the navigation pane, click Reports.
- From a browser, without logging into Ridgeline.

To access the Ridgeline reports from a browser:
1 Start a web browser, and enter the following URL: http://<host>:<port>/
  In the URL, replace <host> with the IP address of the Ridgeline server. Replace <port> with the TCP port number that you assigned to the Ridgeline Web Server during installation (by default this is port 8080).
2 On the Ridgeline Welcome page, click Log onto Reports only at the bottom left of the page.
3 Type your logon credentials on the Extreme Network Report Logon page; use the same username and password that you use to log on to Ridgeline.

Reports Available in Ridgeline


Ridgeline provides the following reports and tools:

Report Category: Main
  Report Name: Extreme eSupport Export
  Description: Exports Ridgeline data for use by Extreme Networks' technical support. Accessible from the Main reports page. See The Extreme Networks eSupport Export Report on page 466.

Report Category: Network Summary
  Report Name: Network Summary Report
  Description: Summary status of the network, as well as version and patch information about the Ridgeline server. Shows status of distributed servers, if applicable. See Network Status Summary Report on page 466.

Report Category: Network Users
  Report Name: Network Users Report
  Description: Information about the users logged on to the network, including:
    - Logons by username
    - Logon failures by username
    - Logons by device IP address
    - Logon failures by device IP address
    - Logons by user's MAC address
    - Logon failures by user's MAC address
    - Threats by type
    - Threats by username
    See Network Users Reports on page 468.

Report Category: Devices
  Report Name: Device Inventory Report by Device Group (see Devices by Group Table on page 469) and Device Type (see Devices by Type Table on page 469):
    - By Device (see Device Summary on page 469)
    - Device Details (see Device Details Report on page 470)
    - Power Over Ethernet (see Power over Ethernet Report on page 472)
    - Power Over Ethernet Details (see Power Over Ethernet Details Report on page 472)
  Description: Overview of devices known to Ridgeline, by Device Group. From this report you can access the Device Details report, and additional subreports such as PoE information for devices that support those features.

  Report Name: ReachNXT Devices Report
  Description: Status of ReachNXT devices connected to switches known to Ridgeline. See ReachNXT Devices on page 474.

  Report Name: Device Status Report by Device Group
    - By Device (see Device Details Report on page 470)
  Description: Status of devices by device group. From here you can access status of individual devices (alarms, not responding etc.). See Device Status Report on page 474.

Report Category: Slots, Stacks and Ports
  Report Name: Slot Inventory, by Card Type (see Slot Inventory on page 476)
    - Card Summary by Card or All Cards (see Card Summary Report on page 477)
    - Device Details (see Device Details Report on page 470)
    - Slot Details (see Card Details Report on page 477)
    - Empty Slots Report (see Empty Slots Report on page 478)
  Description: Inventory of cards (by type) installed in devices in the Ridgeline database. The Card Summary Report shows details about cards of a given type. From there you can view details about the device hosting the card. The Empty Slots report shows empty slots by device.

  Report Name: Stack Inventory (see Stack Inventory Reports on page 479)
    - Stack Summary (see Stack Summary Report on page 479)
    - Device Details (see Device Details Report on page 470)
    - Stack Details (see Stack Details Report on page 480)
  Description: Inventory of stacking devices. From this report you can access Device Details for the stacking device, or Stack Details.

  Report Name: Interface Report
  Description: Inventory of all ports on devices in the database. See Interface Report on page 482.

  Report Name: Unused Port Report
    - By Device
  Description: Summary of inactive ports by device including location, with subreports (by device) showing length of inactivity, VLAN membership etc. See Unused Ports Report on page 483.

Report Category: EAPS
  Report Name: EAPS Summary
  Description: Summary of EAPS domains known to Ridgeline. See EAPS Summary on page 485.

  Report Name: EAPS Log
  Description: EAPS-related Trap and Syslog entries for devices configured for EAPS. See EAPS Log Report on page 485.

Report Category: Logs
  Report Name: Alarm
  Description: Ridgeline alarm log (more information available through Alarm Log Browser feature). See Alarm Log Report on page 486.

  Report Name: Event
  Description: Ridgeline event log entries. See Event Log on page 487.

  Report Name: Syslog
  Description: Syslog entries. See Syslog (System Log) on page 488.

  Report Name: Config Mgmt
  Description: Log of configuration management actions (config file uploads/downloads) and results. See The Configuration Management Activity Log on page 489.

Report Category: Client Reports
  Report Name: Network Login
  Description: List of network login activity by device. See Client Reports on page 491.

Report Category: MIB Poller Tools
  Report Name: MIB Poller Summary
  Description: Displays data in a MIB collection. Users with an Administrator role can start or stop a collection. See The MIB Poller Summary on page 505.

  Report Name: MIB Query
  Description: Provides an interface to query for the value of specific MIB variables. This is available only to users with an Administrator role. See The MIB Query Tool on page 509.

Report Category: Ridgeline Server
  Report Name: Server State Summary
  Description: Shows a variety of status information about the Ridgeline server. See Server State Summary Report on page 494.

  Report Name: Debug Ridgeline
  Description: Tools to aid in analyzing Ridgeline performance. These are available only to users with an Administrator role. See Debug Ridgeline on page 496.

Selecting Predefined Ridgeline Reports


The Reports browser interface initially shows the Ridgeline Reports Main page (see the following figure). The Main page includes:
- Report selector (left pane): Click a category (for example, Network Users, Devices, etc.) to show the available reports for that category.
- List of reports categories (center pane): The center of the page lists all of the report categories with a brief description of each.


Figure 297: Ridgeline Reports Main Page

To view a report, click the report name in the left pane. The report appears in the center pane.

Filtering Reports
Some reports provide filtering, to limit what data appears in the report. To create a filter, select the values to use in the filter from the drop-down lists at the top of the report. The variables you can choose are based on the columns in the report, and vary by report. In some reports, you filter each column by a selected value. In other reports, you select a column name, a comparison operator, and then the value to be used for comparison. In these reports you may often concatenate two conditional statements with a logical operator ("and" or "or"). The Alarm Log report is an example of this type of filter specification, as shown below.

Figure 298: Report Filtering for the Alarm Log Report

The comparison operators are:
- > (greater than)
- < (less than)
- <= (less than or equal)
- >= (greater than or equal)
- != (not equal)
- = (equal)
- starts with
- ends with
- contains

If the column values are strings, the comparisons are made alphabetically (Mary is greater than Joe; Mary is also greater than Many).

Note: You can copy and paste a value from the report into a comparison field.

To add a second condition to your filter, choose one of the logical operators And or Or.
And: Include a row in the report only if both conditions are true.
Or: Include the row if either one (or both) of the conditions is true.
NIL: Ignore the second conditional clause of this filter.

If you do not want to include a second condition, do not select any values for those fields. Click Submit to run the filtered report. Click Reset to return the filter to its default values.

Sorting Reports
Some reports allow you to sort by columns. Click a column heading to sort the report based on the contents of the column. Clicking once sorts the report in ascending alphabetic or numeric order; clicking a second time reverses the sort order.

The Extreme Networks eSupport Export Report


This report is generated by Ridgeline on request, for use by Extreme Networks' technical support. It exports detailed information to a file in CSV format. To create an eSupport report, select a device group from the drop-down list, and then click Export. An Excel spreadsheet opens with the report information.

Network Status Summary Report


The Network Status Summary Report (see the following figure) summarizes the status of the devices that Ridgeline is monitoring. The main report page appears when you first log on to Ridgeline. The Network Status Summary Report displays information about the overall health of the network. It also displays information on the current version of the Ridgeline software running on the Ridgeline service and compares the current version to the latest available version.


Figure 299: Network Status Summary Report

This summary shows the following statistics:
- Down or unreachable devices: The number of devices known to the Ridgeline server that are not responding to Ridgeline queries.
- Marginal-condition devices: The number of devices reported to be in marginal condition (such as a problem with the fan, temperature, or power).
- Unmanaged devices: The number of devices that are offline for planned service.
- Unacknowledged critical alarms in the last 24 hours: The number of critical alarms in the last 24 hours that have not been acknowledged.
- Critical or worse syslog message in the last 24 hours: The number of syslog messages with a priority of critical or worse that occurred in the last 24 hours.

The Network Status Summary Report also lists the current version of Ridgeline software running on your machine.

Note: To verify the latest Ridgeline software version, Ridgeline must access the Extreme Networks website at www.extremenetworks.com. If your network uses a firewall, you can configure the HTTP proxy device and port in the Administration feature (see External Connections Properties on page 354).

The Distributed Server Summary


If you are running in a Distributed server configuration, a Distributed Server summary appears below the Network Summary. Each row in the summary provides the status of one of the Ridgeline server group members. It provides the following information about each server:


Server: The server name. Clicking on the server name initiates the Dynamic Reports feature for that server. You can then run any of the available HTML reports.
Launch Client: A link that can launch a client connection to the server. Clicking on the Client link launches a client that attempts to connect to that server.
Devices Up: The number of devices managed by the server that are up.
Devices Down: The number of devices managed by the server that are down.
Critical Alarms: The number of critical alarms that have occurred on devices managed by the server.
Last Update: The date and time of the last update of the server summary information for this server.
Server Status: The status of the server (whether it is responding to the periodic poll).

Network Users Reports


Network Users Reports provide information about the users logged on to the network, including:
- Logons by username: Lists the user names logged on to the network in the past 24 hours and the total number of successful logon attempts for each user.
- Logon failures by username: Lists the user names logged on to the network in the past 24 hours and the total number of failed logon attempts for each user.
- Logons by device IP address: Lists the IPs logged on to the network in the past 24 hours and the total number of successful logon attempts for each IP.
- Logon failures by device IP address: Lists the user names logged on to the network in the past 24 hours and the total number of failed logon attempts for each IP.
- Logons by user's MAC address: Lists the MAC addresses from which the user logged on to the network in the past 24 hours and the total number of successful logon attempts for each user.
- Logon failures by user's MAC address: Lists the MAC addresses from which the user logged on to the network in the past 24 hours and the total number of failed logon attempts for each user.
- Threats by type: Threat (either attack/violations/virus alert) count categorized by the type of threats that occurred in the network in the last 24 hours.
- Threats by username: Number of threats that occurred in the network in the last 24 hours, listed by user name.

Devices Reports
Click the Devices link to display links to the Device Reports. These reports provide a variety of status information about the devices being managed by Ridgeline:
- Device Inventory
- ReachNXT devices
- Device Status


Device Inventory Report


To view a list of device groups and devices known to the Ridgeline software, click Devices > Device Inventory.

Figure 300: Device Inventory Reports

The initial display presents summaries at the device group (see Devices by Group Table on page 469) and the device type level (see Devices by Type Table on page 469).

Devices by Group Table

The Devices by Group table displays the following information:
Device Group: Name of the device group
Description: Description of the group as kept in the Ridgeline device inventory
Quantity: Number of devices in the group

Clicking a device group in the table produces the Device Summary report (see Device Summary on page 469).

Devices by Type Table

The Devices by Type table displays the following information:
Device Type: Type of device
Quantity: Number of devices of this type known to Ridgeline

Clicking a device group in the table produces the Device Summary report (see Device Summary on page 469).

Device Summary

The Device Summary displays the following information about each device:


Figure 301: Device Summary

Device Group(s): All Ridgeline Device groups to which it belongs (this is displayed only if you select All Devices)
Name: Name of the device from the sysName variable
IP Address: IP address of the device. Click the IP address to display a table with detailed configuration and status information. This is the same information you can view in the Ridgeline Inventory.
Model: Device model
Location: Device location from the sysLocation variable
MAC: Media access control address of the device
Serial Number: Device serial number
Current Image: Software version currently running on the device, if known
Additional Info: When you add a device into the inventory, you can provide additional information about the device. You can view or change this information later in the Device Panel dialog box (see Device Inventory View on page 38).

Clicking an IP address in the tables produces the Device Details report (see Device Details Report on page 470).

Device Details Report

The Device Details report shows information about an individual device. If the device includes a PoE blade, you can view a report about that feature (see Device Details Report on page 470).


Figure 302: Device Details Reports

This report shows the following information:
Serial Number: Device serial number
IP Address: IP address of the device
Device Group(s): Device Groups to which this device belongs
Device Type: The device type
Name: The name given to the device
Description: The description provided for the device
Location: The location information for the device
Contact: The contact information for the device
Boot Time: Time of the most recent boot.
Software Version: The version of software currently running on the device
Primary Image: The version of software saved as the Primary Image
Secondary Image: The version of software saved as the Secondary Image
Status: Device Status: OK, or marginal
Fan Status: Status of fans: OK, marginal, or If there are multiple fans, each is listed (fan 1, fan 2 etc.)
Power Status: Status of power supply modules: OK, marginal, or If there are multiple modules, each is listed (power 1, power 2 etc.)


Power over Ethernet Report

The Power Over Ethernet report shows information about the PoE configuration of the device. To view a detailed report on PoE ports, click the Power Over Ethernet Port Details (see Power Over Ethernet Details Report on page 472).

Figure 303: Power over Ethernet Report

The report shows the following information about the PoE configuration:

Device-level information:
Configuration: Whether PoE is enabled for the switch. (Enabled or Disabled)
Power Supply Mode: The configured power-supply mode: Redundant, Load-Sharing, or N/A (if only one power supply is installed).
Disconnect Precedence: The method used to determine which port to disconnect when power drain exceeds the power budget:
  - lowest-priority (next port connected causes a shutdown of the lowest priority port)
  - deny-port (next port that attempts to connect is denied power, regardless of priority)
Usage Threshold (%): The threshold for power utilization compared to the configured maximum for either the allocated power budget per slot, or for system level allocation.

PoE Power Source:
Group Index: The index for the specific power source
Maximum Power (Watts): The maximum power available from the source
Measured Power (Watts): The current measured power from the source
Operational Status: Operational Status of the power supply (on, off, faulty)

Power Over Ethernet Details Report

This report shows power details for each port on the device.


Figure 304: Power over Ethernet Details Report (partial)

This report shows the following information:
Port Num: Port number
Measured Power (mW): Measured power on this port
Operational Max Power (mW): Maximum power limit on this port
Reserved Power (mW): Reserved power limit on this port
Port Type: The user-defined port type
PoE status: Whether power is enabled on this port (Enabled or Disabled)
Operation Status: Status of the port (disabled, searching, delivering power, fault, test, other fault)
Classification: Class association for this port (0,1,2,3,4)
Priority: Port priority for purposes of power management
Violation Precedence: The limit used to determine power level violation (advertised class, operator limit, max advertised operator, or none)


ReachNXT Devices
The ReachNXT Devices report provides information about the ReachNXT devices connected to ports on switches managed by Ridgeline.

Figure 305: ReachNXT Devices Report

The ReachNXT report displays the following information:
Device name: The name of the switch where the ReachNXT device is connected.
Device IP address: The IP address of the switch where the ReachNXT device is connected.
Port Number: The number of the port connected to the ReachNXT device.
Model number: The model number of the ReachNXT device.
Serial number: The serial number of the ReachNXT device.
MAC address: The MAC address of the ReachNXT device.
Software version: The version of software the ReachNXT device is running.
Description: Description of the ReachNXT device, if configured.
Uplink Port: The uplink port used by the ReachNXT device to connect to the switch

Device Status Report


To view device status information, click Devices > Device Status. You can use this report and its sub-reports to determine status and failure log information for the devices known to Ridgeline.


Figure 306: Device Status

The Device Status report displays the following information:
Group: Name of the device group
Description: Description of the group as kept in the Ridgeline device inventory
Alarms in last 24 hours: Total alarms for all devices in the device group
Devices not Responding: Number of devices in the group that are not responding
Devices Marginal: Number of devices in the group whose operation is marginal
Devices Offline: Number of devices in the group that are offline
Devices Up: Number of devices in the group that are up

Click a Device Group name in the Group column to display the Device Status Report for the devices in the group. The following figure shows example output.

Figure 307: Device Status (Group detail)

The Group Device Status report shows the following information:
Device Name: Name of the device from the sysName variable
IP: IP address of the device
Status: The status of the device: operational, offline, marginal, and not responding
Last Failure: Time at which the most recent device failure occurred, expressed in the local time zone of the Ridgeline server
Down Period (d:h:m:s): Length of time the device was unreachable, reported in days:hours:minutes:seconds
Boot Time: Time when the device was last booted, expressed in the local time zone of the Ridgeline server
Alarms in last 24 Hours: Number of alarms in the last 24 hours from this device


Slots, Stacks and Ports Reports


The Slots, Stacks, and Ports reports category shows information about the slots (module cards) installed in the Extreme devices managed by Ridgeline, or about stacking devices known to Ridgeline. These reports also provide information about the ports on those devices or modules:
- Slot Inventory
- Stack Inventory
- Interface Report
- Unused Port

Slot Inventory
Click Slots, Stacks, Ports > Slot Inventory to view the Slot Inventory Reports showing an inventory of the slots and module cards known to Ridgeline. Click a Card Type to view a Card Summary Report for an individual card type (see Card Summary Report on page 477). Click All Cards (at the bottom of the list) to view a Card Summary report showing all cards known to Ridgeline. Click Empty Slots (also at the bottom of the list) to view a report on the empty slots detected by Ridgeline (see Empty Slots Report on page 478).

Figure 308: Slot Inventory Report

The Slot Inventory report shows the following information:
Card Types: Type of module cards and empty slots known to Ridgeline
Quantity: Number of modules of a given type. For All Cards, this is the total number of cards in all modular devices known to Ridgeline. For Empty Slots, this is the total number of empty slots detected among the modular devices known to Ridgeline.


Card Summary Report

From the Slot Inventory report (see Slot Inventory on page 476), click a Card Type or All Cards to display the Card Summary report for the modules known to Ridgeline. The following figure shows an example of output that appears if you select All Cards. The information shown for an individual card type is the same, except that the Card Type column is not included.

Figure 309: All Cards Card Summary

Each Card Summary report displays the following information about each module:
Device Group(s): Name of all the device groups of which the device is a member
Device Name: Name of the device (where the card resides) from the sysName variable
Device Address: IP address of the device
Device Location: Device location from the sysLocation variable
Card Type: Type of module card (this is displayed only if you select All Cards)
Slot Name: Number or letter of the slot where the module card is installed
Card Serial Number: Module card serial number

If you have selected an individual card type, this report shows only modules of the selected type. If you have selected All Cards, the report shows all cards in any of the devices known to Ridgeline. Clicking an IP address displays a device details report (see Device Details Report on page 470). Clicking a Slot Name displays a Card Details report (see Card Details Report on page 477).
Card Details Report

Clicking a Slot Name from the Card Summary Report (see Card Summary Report on page 477) displays the Card Details Report. The Card Details Report shows the following information:


Device Group(s): The device group.
Device Name: Name of the device.
Device Address: Device IP address.
Device Location: The location information for the device
Device Current Image: The version and type of the operating system software currently running on the device.
Slot Type: The type of module.
Slot Name: The name of the slot (for example, Slot-8)
Slot Alias:
Slot Serial Number: The serial number of the module in the slot.
Slot Primary Image: The type and version of the operating system software for the module on the primary hard drive.
Slot Secondary Image: The type and version of the operating system software for the module on the secondary hard drive.
Slot Current Image: The type and version of the operating system software currently running on the module.
Slot Boot ROM: The BootROM version installed on the module.
Slot MSM Mode: The mode that the MSM module is operating in. When there are two MSM modules one is the "Master," and the other is the "Slave." For non-MSM slots, the value is "Not Applicable."
Slot State: Whether or not the slot is operational.

Empty Slots Report

From the Slot Inventory report (see Slot Inventory on page 476), click Empty Slots to display the Empty Slots summary report for the empty slots known to Ridgeline.

Figure 310: Empty Slots Summary

The Empty Slots summary report displays the following information about the empty slots:
Device Group: Name of the device group
Device Name: Name of the device from the sysName variable
Device Address: IP address of the device
Device Location: Device location from the sysLocation variable
Empty Slots: Number or letter of the empty slot(s) on the device


Clicking an IP address displays a device details report (see Device Details Report on page 470).

Stack Inventory Reports


Click Slots, Stacks, and Ports > Stack Inventory to view the basic Stack Inventory report showing an inventory of the stacking devices known to Ridgeline. Click a Stack Device to view a Stack Summary report for an individual stack device (see Stack Summary Report on page 479). Click All Stacks (at the bottom of the list) to view a Stack Summary report showing all stack devices known to Ridgeline.

Figure 311: Stack Inventory

The Stack Inventory report shows the following information about module card types and empty slots:
Stack Devices: Type of stacking device
Quantity: Number of devices of a certain type. All Stacks shows total number of stacking devices known to Ridgeline.

Stack Summary Report

From the Stack Inventory report (see Stack Inventory Reports on page 479) click a Stack Device type or All Stacks to display the Stack Summary report for the stack devices known to Ridgeline. The following figure shows an example of output that appears if you select All Stacks. The information shown for an individual stack device type is the same, except that the Card Type column does not appear. Clicking a Device Address displays a Stack Details report (see Stack Details Report on page 480).


Figure 312: All Stacks Card Summary

Each Stack Summary displays the following information about the device:
Device Group(s): Name of all the device groups of which the device (stack master) is a member.
Device Name: Name of the device from the sysName variable
Device Address: IP address of the device (link to the Device Details report)
Device Location: Device location from the sysLocation variable
Card Type: Type of stack device (this is displayed only if you select All Stacks)
Slot Name: Name of the stacking device, linked to the Stack Details report for the device
Card Serial Number: Stack Device serial number

If you have selected an individual stack device type, this report shows only modules of the selected type. If you have selected All Stacks, the report shows all stacking devices known to Ridgeline.

Stack Details Report

Clicking a Device Address from the Stack Summary report (see Stack Summary Report on page 479) displays the Stack Details report for the selected device. The following figure shows an example of output.


Figure 313: Stack Details Report

Each Stack Details report displays the following information about the stack device:
Device Group(s): Name of all the device groups of which the device (stack master) is a member.
Device Name: Name of the device from the sysName variable
Device Address: IP address of the stack master device
Device Location: Device location from the sysLocation variable
Device Current Image: Version of image running on the master device
Slot Type: Type of module card (this is displayed only if you select All Cards)
Slot Name: Name of the stacking device, linked to the Stack Details report for the device
Slot Alias:
Slot Serial Number: Stack Device serial number
Slot Primary Image: The version of software saved as the Primary Image in the stack device
Slot Secondary Image: The version of software saved as the Secondary Image in the stack device
Slot Current Image: The version of software currently running in the stack device
Slot BootROM: The BootROM version in the stack device.
Slot MSM Mode: The mode that the MSM module is operating in. When there are two MSM modules one is the "Master," and the other is the "Slave." For non-MSM slots, the value is "Not Applicable."
Slot State: Whether the slot is operational or not.

Interface Report
To view a report on the status of every port known to the Ridgeline software, click Slots, Stacks, and Ports > Interface Report. The following figure shows an example of output.

Figure 314: Interface Report

The Interface Report shows the following information for each interface:
IP Address: IP address of the interface
Port: Port number of the interface
Port Name: Port name of the interface
Admin Status: Interface administrative status (enabled/disabled)
Oper Status: Operational status of the interface (ready/active)
Configured Speed/Type: Nominal (configured) speed of the interface
Actual Speed/Type: Actual speed of the interface
FDB Polling: Whether the port is being actively polled as an edge port, or is not being polled. If the port is not polled, the reason is included (Device Not Supported, Inactive Port, Not Supported, Polling Disabled For Port, or Uplink Port)

You can filter the ports that are displayed in the report. For more information about filtering, see Using Report Filtering.

Unused Ports Report


To see inactive ports for a particular device, click Slots, Stacks, and Ports > Unused Ports. The following figure shows example output.

Figure 315: Unused Ports Report

You can filter the report by selecting the following:
VLAN: Select all VLANs or the name of a particular VLAN
Device Group: Select all groups or the name of a particular device group
Inactive Days: Enter the number of days of inactivity for the requested port(s)
Inactive Hours: Enter the number of hours of inactivity for the requested port(s)

When you complete your selections, click Submit. The report can be saved in csv or xml format, or shown in a single page. The Unused Ports report displays the following information:


Device Name: Name of the device on which the port resides
IP Address: IP Address of the device on which the port resides
Inactive Ports: Inactive ports on the device
Total Inactive Ports: The total number of inactive ports on the device. The total number of inactive ports for all devices in the report is displayed at the bottom of the report.
Groups: Device groups to which this device belongs

Click an entry in the Inactive Ports column to open the Unused Port Reports detail; the following figure shows a portion of example output.

Figure 316: Unused Ports Report: detail

You can filter the report by specifying the VLAN, the device group, and the time frame (inactive days, inactive hours). The Unused Port Reports detail displays the following information:
Port Number: Number of the unused port
Port Name: An optional name (text string) configured for the port
Inactive Time: Length of time this port has been inactive
Vlan Name: Name of the VLAN to which this port belongs
Physical Type: Type of port

EAPS Reports
There are two reports available under EAPS:
- EAPS Summary report
- EAPS Log report

The EAPS Summary report is also available from the navigation pane: click Main View, click the EAPS tab, and then click EAPS Summary Report.


EAPS Summary
To view the EAPS Summary report, click EAPS > EAPS Summary. The EAPS Summary report provides a brief overview of the status of the EAPS domains known to Ridgeline. The report shows:
- The total number of EAPS domains known to Ridgeline
- The number of domains currently in an error state
- The number of domain failures that have occurred in the last 24 hours

Figure 317: The EAPS Summary Report

EAPS Log Report


To view the EAPS Log report, click EAPS > EAPS Log. The EAPS Log report shows the EAPS traps or EAPS-related syslog entries that have occurred for devices that meet the specified filter criteria. By default, all devices, traps and syslog entries are shown. You can filter for the following:
- IP address: must be exact, wildcards are not supported.
- Event type (trap or syslog entries): you can enter any keywords that may appear under the Type column as part of the description of the trap or syslog entry.
- Specific varbinds: enter a keyword that matches the varbind you want to find, such as extremeEapsLastStatusChange.
- Events that occurred within a certain time frame.


Figure 318: EAPS Log Report

The EAPS Log report displays the following information:
Time: Time the event occurred, expressed in the local time zone of the Ridgeline server
Source: IP address of the device and port number (if applicable) that generated the event
Type: Event type (for example, SNMP Trap)
Varbinds: Variable data transmitted with a trap

Log Reports
Four reports are provided under Logs:
- Alarm
- Event
- Syslog
- Configuration Management Activity

Alarm Log Report


To see all the entries in the Ridgeline Alarm Log, click Logs > Alarm. The following figure shows a portion of an example output.


Figure 319: Alarm Log Report

The log can be saved in csv or xml format, or the entire report can be shown in a new page by clicking show all.

Note: If the Ridgeline database has a large number of alarms, the show all option can take a very long time to complete.

The Alarm Log report displays the following information:
Time: Time the alarm occurred, expressed in the local time zone of the Ridgeline server
Name: Name of the alarm
Severity: Severity level of the alarm
Source: IP address of the device that generated the alarm
Category: Category that the alarm is classified under
Acked: Whether the alarm has been acknowledged (0 is acknowledged, 1 is not acknowledged)
Event #: Event ID of the alarm (assigned by the Ridgeline server when the alarm is received)

You can filter on any of the variables shown in the report. For more information about filtering, see Using Report Filtering.

Event Log
To view all the entries in the Ridgeline Event Log, click Log > Event. The following figure shows a portion of example output.


Figure 320: Event Log Report

The Event Log report shows the following information:
Time: Time the event occurred, expressed in the local time zone of the Ridgeline server
Source: IP address of the device and port number (if applicable) that generated the event
Type: Event type (for example, SNMP Trap)
Varbinds: Variable data transmitted with a trap
Count: Number of consecutive events (if the same trap occurs at the same time and is received multiple times, only one event is created and the count displays the number of traps)

You can filter the Event Log report. For further information about filtering, see Using Report Filtering. You can filter on any of the variables shown in the report.

Syslog (System Log)


To see all the entries in the system log, click Log > Syslog. The following figure shows a portion of example output.


Figure 321: Syslog (portion)

The Syslog report displays the following information:
Event #: Event ID of the syslog entry (assigned by the Ridgeline server when the syslog is received)
Time: Time the syslog is received by Ridgeline, expressed in the local time zone of the Ridgeline server
Source: IP address of the device that generated the syslog entry
Facility: Syslog facility
Severity: Syslog severity level
Message: Error message text

You can filter the events that are displayed by constructing a conditional filter using the fields at the top of the page. For more information about filtering, see Using Report Filtering.

The Configuration Management Activity Log


To view the Configuration Management Activity Log, click Log > Config Mgmt. The Configuration Management Activity Log tracks all the configuration operations performed through Ridgeline: uploading and downloading of configuration files. The following figure shows a portion of example output.


Figure 322: Configuration Management Activity Log (portion)

The Configuration Management Activity Log displays the following information:
Time: Time at which the configuration activity occurred, expressed in the local time zone of the Ridgeline server
Device: IP address of the device on which the action was taken
Activity: The action that was attempted
Descr: A message describing the reason for the status (the error message if the action could not be completed) and the configuration file path.

You can filter the events that are displayed by constructing a conditional filter using the fields at the top of the page. For more information about filtering, see Using Report Filtering.


Client Reports
Five reports are provided under Client Reports:
- Network Login
- Current Clients
- Client History
- Spoofed Clients
- Unconnected Clients

Network Login Report


To view the Network Login Report, click Client Reports > Network Login. The Network Login Report provides information about 802.1x and HTTP logon activity. The HTTP network log is Extreme-specific. The following figure shows example output.

Figure 323: Network Login Report

The Network Login Report displays the following information:
Device Name: Name of the device
IP Address: IP address of the device
Network Login Activity: 802.1x network login activity that has occurred on this device

Current Wireless Clients Report


To view the Current Client Report, click Client Reports > Current Clients. The Current Client Report lists all wireless clients, regardless of their states, that are currently in the network as seen by the wireless ports (see the following figure).


Figure 324: Current Wireless Clients Report

Current Wireless Client History Report


To view the Client History Report, click Client Reports > Client History. The Client History Report displays the history of all client logons, logoffs, authentication failures, and age-out activity. You can use this report to track users roaming from one interface to another (see the following figure).

Figure 325: Current Wireless Client History Report

Spoofed Wireless Clients Report


To view the Spoofed Clients Report, click Client Reports > Spoofed Clients. The Spoofed Clients Report shows when the network detects two or more client stations with the same MAC address that are all in the data forwarding state on different wireless interfaces. The client might be using another client's MAC address in an unauthorized way; such a client is known as a spoofing wireless client. The Spoofed Client Report displays information on these clients (see the following figure).


Figure 326: Spoofed Wireless Clients Report
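
The detection rule described above (one MAC address in the data forwarding state on two or more wireless interfaces), written out as an added example that is not Ridgeline's own code. The record layout, the interface labels and the state names are assumptions, and the sample rows are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rows: (client MAC, wireless interface, client state).
# The layout and the state labels are assumptions, not Ridgeline's data format.
SAMPLE_CLIENTS = [
    ("02:00:00:AA:BB:01", "192.0.2.10 port 1:1", "forwarding"),
    ("02-00-00-aa-bb-01", "192.0.2.20 port 1:3", "forwarding"),      # same MAC, second interface
    ("0200.00aa.bb02", "192.0.2.10 port 1:1", "forwarding"),
    ("02:00:00:aa:bb:02", "192.0.2.10 port 1:2", "authenticating"),  # roaming, not yet forwarding
    ("02:00:00:aa:bb:03", "192.0.2.30 port 1:1", "forwarding"),
    ("02:00:00:aa:bb:03", "192.0.2.30 port 1:1", "forwarding"),      # duplicate row, same interface
]

FORWARDING_STATE = "forwarding"  # assumed label for the data forwarding state

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return a MAC address as lowercase colon-separated octets.

    Accepts colon, dash and dotted notation so that one station written
    two different ways is still counted as the same address.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (raw,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_spoofed_clients(rows):
    """Map each suspect MAC to the sorted list of interfaces it forwards on.

    A MAC is reported only when it is in the forwarding state on at least
    two different interfaces. Rows in any other state, and repeated rows
    for the same interface, do not count toward that total.
    """
    interfaces_by_mac = defaultdict(set)
    for raw_mac, interface, state in rows:
        if state.strip().lower() != FORWARDING_STATE:
            continue
        interfaces_by_mac[normalize_mac(raw_mac)].add(interface)
    return {
        mac: sorted(interfaces)
        for mac, interfaces in interfaces_by_mac.items()
        if len(interfaces) >= 2
    }


if __name__ == "__main__":
    for mac, interfaces in find_spoofed_clients(SAMPLE_CLIENTS).items():
        print(mac, "is forwarding on", ", ".join(interfaces))
```

Only the first MAC in the sample is reported: the second is forwarding on one interface while still authenticating on another, and the third appears twice on the same interface.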

Unconnected Clients Report


To view the Unconnected Clients Report, click Client Reports > Unconnected Clients. The Unconnected Clients Report helps diagnose why a client cannot connect to the network by listing clients that are not currently in the data forwarding state. This report can also show any client trying to access your network maliciously (see the following figure).

Figure 327: Unconnected Clients Report

MIB Poller Tools


The MIB Poller Tools are advanced administrator tools that you can use to collect history for MIB variables of interest, or to do a one-time get of specific MIB variables. The MIB Poller can be used to collect MIB variable data periodically. That data can later be exported to a text file that can be imported into programs like Microsoft Excel for historical trending analysis.

Users who do not have an administrator or super-user role can view the MIB Collection Poller Summary, and can view detailed information about any MIB collections which have been implemented by a Ridgeline administrator or super-user. However, only users with an administrator or super-user role can start or stop the collection process, or can load an XML file to define a collection.

The MIB Poller Tools are described in:
- MIB Poller
- MIB Query

Ridgeline Server Reports


The Ridgeline Server reports include both the Server State Summary report (see Server State Summary Report on page 494), which provides a large amount of information about the Ridgeline server and its activity, and a set of administrator tools, Debug Ridgeline (see Debug Ridgeline on page 496), available only to users with an administrator or super-user role, that are useful in analyzing Ridgeline performance or activity questions. If you do not have an administrator or super-user role, the Ridgeline debugging tools are not available.

Server State Summary Report


To view the Server State Summary Report, click Ridgeline Server > Server State Summary. The Server State Summary Report displays statistics about configured servers, SNMP activity, thread and SNMP session pools, database activity, the ports used by the Ridgeline server, and Ridgeline licenses (see the following figure).

Figure 328: Server State Summary Report (top half)

The report presents information in multiple tables. The first table in the report shows the status of the various Ridgeline subsystems:
Subsystem: The name of the subsystem (TFTP Server, Internal Syslog Server, Internal RADIUS Server, MAC Poller)
Configuration: Whether the subsystem is enabled or disabled
Current Status: Whether the subsystem is running or stopped

The second table shows statistics about the MAC/FDB Poller:


Poller Statistics
Last Poll Completed: The time at which the last complete polling cycle finished
Last Poll Duration: The length of time it took to perform the last complete FDB polling cycle
Average Duration: The average length of time it has taken to perform a complete FDB polling cycle


The third table in the report provides the number of operations that have occurred in the last minute, the last hour, and the last day (24 hours) for the following operations:
SNMP Queries: Number of SNMP queries performed by the Ridgeline server
Database Commits: Number of database commits performed by the Ridgeline server
Client Requests: Number of data requests to the Ridgeline server by all connected clients
Trap Requests: Number of trap PDUs received by the Ridgeline server
Syslog Messages: Number of syslog messages received by the Ridgeline server

The fourth table in the report shows scalability statistics for the thread pool and the SNMP session pool:
Thread Pool Statistics column
Pool Size: Thread pool size for the threads that are used to perform server operations (for example, reading data from a device or configuring the devices)
Default Allocation Size: Number of threads used to perform a single operation (for example, running a Ridgeline script across a number of devices)
Currently In Use: Number of threads currently in use
Maximum In Use at Once: Maximum number of threads that are in use at one time
Total # of Requests: Total number of times a thread is requested to perform an operation in the server
Total # of Wait For Thread: Total number of times the server has to wait for a thread to become available
Percentage Wait per Request: Percentage of total wait versus total request for threads

SNMP Session Pool Statistics column
Pool Size: Maximum number of allowed SNMP access sessions to the devices
Default Allocation Size: Not applicable
Currently In Use: Number of SNMP access sessions currently in use
Maximum In Use at Once: Not applicable
Total # of Requests: Total number of times an SNMP object is requested to perform an operation in the server
Total # of Wait For Thread: Total number of times the server has to wait for an SNMP object to become available
Percentage Wait per Request: Percentage of total wait versus total number of requests for SNMP objects

The fifth table in the report shows the ports currently in use by the Ridgeline server:
Web Server: Port currently used by the Ridgeline web server
Trap Receiver: Port currently used by the Ridgeline server to receive traps
Radius Server: Port currently used by the RADIUS server
Telnet: Port currently used for Telnet
Database: Port currently used for Ridgeline database communication

The last table shows the Ridgeline licenses currently installed, along with their Access Keys (which can be used to obtain a license key from Extreme):
License: The type of license (Base-50, Add 50 Devices Upgrade, Security Feature Pack, SSH)
Status: Whether this license category is enabled or disabled.
Access Key: The access key for the license (used to obtain a license key from Extreme). See the Ridgeline Release Notes or the Ridgeline Installation and Upgrade Note for instructions on requesting and installing a license key.

If you have administrator or super-user level access to Ridgeline, you can use Ridgeline administration to change the web server, trap receiver, RADIUS, and Telnet ports used by Ridgeline. For more information about changing ports, see Device Properties on page 355. To change the database (and other) ports, see Reconfiguring Ridgeline Ports.

Debug Ridgeline
The Debug Ridgeline report is not really a report, but rather a set of tools that allow a user with an administrator or super-user role to set certain options for the purpose of analyzing Ridgeline performance. If you do not have administrator or super-user role access, you do not see this feature under Ridgeline Server > Debug Ridgeline. The tools for debugging Ridgeline are described in Using the Ridgeline Debugging Tools on page 511.

Adding User-Defined Reports to the Reports Menu


To add a new user-defined report to the report menu, copy the HTML file into the <Ridgeline_install_dir>\jboss\standalone\deployments\extreme.war\userdefinedreports directory. The Ridgeline server automatically creates a link on the Reports menu for files in the userdefined directory. It uses the report file names as the report names. They appear below the heading User Defined Reports at the bottom of the left-hand panel of the Reports page. The file names must meet the following conditions:
- Have .html as the extension (.htm is not supported).
- Cannot have spaces.

If you want to create a set of hierarchical reports, you can create a subdirectory under the userdefinedreports folder to contain subordinate HTML files that should not have a direct link from the Reports menu. If you put files into the userdefinedreports folder that were originally in the <Ridgeline_install_dir>\jboss\standalone\deployments\user.war\reports\html folder, be sure you also copy the report stylesheet (reportstylesheet.css) into the userdefinedreports directory.
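
A check you can run on a staging copy of the report files before copying them to the server, applying the naming conditions above. This is an added example and not part of Ridgeline; the function names and sample file names are hypothetical, and treating the extension as case-sensitive is an assumption.

```python
import os
import tempfile

STYLESHEET = "reportstylesheet.css"


def check_report_dir(path):
    """Classify the top level of a staged userdefinedreports directory.

    Returns (menu_files, problems): the file names that satisfy the naming
    conditions, and (file name, reason) pairs for files that need attention.
    """
    entries = sorted(os.listdir(path))
    has_stylesheet = STYLESHEET in entries
    menu_files, problems = [], []
    for name in entries:
        full = os.path.join(path, name)
        if os.path.isdir(full):
            # Subdirectories hold subordinate pages with no direct menu link.
            continue
        ext = os.path.splitext(name)[1]
        if not ext.lower().startswith(".htm"):
            continue  # stylesheet, images and other supporting files
        if ext != ".html":
            # Assumption: the extension check is case-sensitive.
            problems.append((name, "extension is not .html"))
            continue
        if " " in name:
            problems.append((name, "file name contains a space"))
            continue
        menu_files.append(name)
        with open(full, encoding="utf-8", errors="replace") as fh:
            if STYLESHEET in fh.read() and not has_stylesheet:
                problems.append(
                    (name, "references " + STYLESHEET + ", which is not in the directory")
                )
    return menu_files, problems


def demo():
    """Build a constructed staging directory and check it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "PortAudit.html": '<link rel="stylesheet" href="reportstylesheet.css">',
            "Old Report.html": "<html></html>",
            "legacy.htm": "<html></html>",
            "logo.png": "",
            os.path.join("details", "PortAuditDetail.html"): "<html></html>",
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return check_report_dir(root)


if __name__ == "__main__":
    menu_files, problems = demo()
    print("meets the naming conditions:", menu_files)
    for name, reason in problems:
        print("check:", name, "-", reason)
```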

Printing Reports
Ridgeline reports can be printed with your web browser's print function. To print a report, use the web browser's Print button. You can also click show all to print all data from a large .html page.

Exporting Reports
You can export certain Ridgeline reports to either .csv or .xml format. Exporting reports allows you to use various software programs to manipulate the data. The following reports can be exported:
- Device Reports (Device Inventory)
- Card Report (Slot Inventory)
- EAPS Log Report
- Report on Device Ports (Interface Reports)
- Unused Ports
- Network Login Report
- Alarm Log
- Event Log Report
- Syslog Report
- Config Management Log Report

From the Reports main page, you can generate a report to be used by Extreme Networks' technical support by selecting the device group from the drop-down list, and then clicking Export.


Chapter 26: Enhancing Ridgeline Performance

- Monitoring and Tuning Ridgeline Performance
- Tuning the Alarm System
- Using the MIB Poller Tools
- Reconfiguring Ridgeline Ports
- Using the Ridgeline Debugging Tools

This chapter describes how to tune Ridgeline performance and features to more effectively manage your network. It also describes some advanced features that are available to a Ridgeline administrator (a user with an Administrator role) to help analyze Ridgeline or Extreme device operation. These include:
- Monitoring and tuning Ridgeline performance
- Tuning the alarm system
- Using Device Groups to facilitate workflow
- Using the Ridgeline MIB Poller tools to maintain MIB variable history
- Reconfiguring Ridgeline ports
- Using the Ridgeline debugging tools

Monitoring and Tuning Ridgeline Performance


If you are using Ridgeline to manage a very large number of devices in a large network, you may encounter times when the performance of the system can seem slow. There are many factors that can affect the performance of Ridgeline. Some of these you can affect with settings in Ridgeline. In other cases, you may be able to affect the overall performance of the system by considering how you manage specific devices in your network. The following factors can affect Ridgeline performance:
- The amount of alarm processing the system is performing. See Tuning the Alarm System.
- The frequency and timeouts for SNMP polling and MAC polling (if you have it enabled). See Polling Types and Frequencies on page 499.
- The processor power and amount of memory available on the system running the Ridgeline server. See Performance of the Ridgeline Server on page 500.
- The size of the worker thread and the maximum number of SNMP sessions that can be running (see Performance of the Ridgeline Server on page 500).


Disabling Ridgeline Management for a Device


If a device is scheduled to be taken down for maintenance, you can disable Ridgeline management for the device. Ridgeline does not attempt to poll or sync with the device and ignores all traps from the device while it is unmanaged by Ridgeline. This means that any events caused by the maintenance activities do not cause alarms in Ridgeline.

To disable Ridgeline management for a device, in the navigation pane, click Main View or the desired device group, select the device, and then click Device > Managing > Off. Note that this does not physically change the device; it just sets Ridgeline to ignore the device as if it were offline. To enable Ridgeline management for the device when it is again reachable, in the navigation pane, click Main View or the desired device group, select the device, and then click Device > Managing > On.

For devices that simply take a long time to sync or to poll on a detail poll cycle, you can reduce the impact by reducing the Detail Poll frequency (lengthening the time between polls) for those devices. The default Detail polling frequency is 3 hours for chassis devices and 7 hours for edge devices.

Polling Types and Frequencies


When you log on to Ridgeline, it by default attempts to sync all the devices it is managing, to bring its database up-to-date. For devices that are down (and not marked offline in Ridgeline) Ridgeline attempts to sync the device and waits until the device times out. Further, a sync does a Detail Poll, so that for a large network with many devices with very complex configurations (for example, a large number of VLANs), the sync operation can take a significant amount of time. Ridgeline does several types of polling, using SNMP or Telnet, for the information it needs:
- SNMP polling
- MAC address polling
- Telnet polling

SNMP Polling

Ridgeline does two types of polls for device information using SNMP.
- A global heartbeat poll that gets basic information about device reachability. The poll frequency is 10 minutes for all devices regardless of type.
- A device-specific detail poll, that polls for more detailed information about the device configuration, such as software version, BootROM version, VLANs configured on the device, etc. This poll can take much longer to complete, so this type of polling is done less frequently, and is configurable on each device individually in Ridgeline. The default poll interval for this type of polling is every 60 minutes for core (chassis) devices and every 90 minutes for edge devices.

The global basic information poll frequency can be changed through the Ridgeline Administration, under the SNMP Server Properties (see SNMP Properties on page 352). Any changes affect all devices in the Ridgeline database. You can also change the timeout and number of retries. Increasing the global SNMP polling interval can reduce the load on your server and your network, at the expense of the timeliness of device state information.


To change the Detail Device Poll interval, in the navigation pane, click Main View or the desired device group, click Device > Modify Communications Settings, and then change the Poll Interval value. (You can also make this change in the Add Devices dialog box.) Changes here affect only the devices selected for modification.

MAC Address Polling

Ridgeline provides an option for doing Telnet-based polling of switch FDBs to gather MAC address information about edge ports. This feature is disabled by default. If enabled, its frequency can be modified to reduce the load on the overall system and the network. MAC address polling is enabled or disabled globally through the MAC Polling Server Properties in Ridgeline Administration. If enabled, MAC address polling can then be enabled on a per-device basis.

Through the MAC Polling Server Properties (see MAC Polling Properties), you set the amount of load, which determines the amount of elapsed time between sets of FDB polling requests. A complete MAC address polling cycle consists of multiple groups of requests, until all devices with MAC address polling enabled have been polled.

You can use the Ridgeline Server State Summary Report (see Server State Summary Report) to see the MAC address polling frequency based on the current setting of the MAC Polling server properties. The Server State Summary report tells you how long it took to complete the most recent polling cycle, as well as the average time it has taken to perform a complete polling cycle. Based on this data you can determine if you need to adjust the MAC Polling System Load factor.

Telnet Polling

Telnet polling is used for MAC address polling, for retrieving Netlogin information, and for retrieving Alpine power supply IDs. You cannot modify its frequency other than as discussed for MAC polling (see MAC Address Polling on page 500). You can disable Telnet polling entirely, however, in the Devices area of Server Properties in the Ridgeline Administration (see Device Properties on page 355). If you disable Telnet Polling, MAC address polling is also disabled.

Performance of the Ridgeline Server


Performance of the Ridgeline server itself is affected by the number of devices you are managing as well as the resources of the system on which the Ridgeline server is running. You can use the Windows Task Manager or a tool such as top in Linux (available as downloadable freeware) to determine how much memory and processor the Ridgeline server is consuming. The larger the set of devices Ridgeline tries to manage, the more resources it requires. You should ensure that you have adequate processing power and enough memory to allow Ridgeline to run without extensive swapping. The Ridgeline Release Notes provide information on the system requirements for the Ridgeline server.

If Ridgeline server performance is slow, you can look at the Thread Pool Statistics using the Ridgeline Server State Summary Report (see Server State Summary Report on page 494). Specifically, if the Percentage Wait per Request statistic is high (greater than 20%) you can consider increasing the maximum thread pool size. You can make this change in the scalability properties under Ridgeline Administration (see Scalability Properties on page 356). You should increase the Thread Pool Size by 25% to 50%. Do not increase it beyond 100 as an upper limit.

Tuning the Alarm System


Alarm activity (processing traps and executing alarm actions) can consume a fairly significant amount of system resources if you have a large number of devices in your network, with many alarms enabled and scoped on all devices. Therefore, tuning the alarm system can have a significant impact on the overall performance of the Ridgeline server. The steps you can take to help tune your Ridgeline server's alarm system include:
• Disabling alarms you do not care about (see Disabling Unnecessary Alarms on page 501)
• Scoping alarms so they function only for devices you care about (see Limiting the Scope of Alarms on page 502)
• Identifying individual devices that generate a lot of alarm activity, and either correcting the situation that may be producing these alarms, or removing the device from the scope of alarms that are not necessary for the device

Disabling Unnecessary Alarms


There are several situations where you may want to disable alarms that are unnecessary and are consuming system resources. One immediate place to look is at the alarms that are predefined in the Ridgeline database. Some alarms are set in the Ridgeline database. These alarms are enabled by default, and scoped for all devices and ports. If there are any alarms that you know are not of interest, you can disable the alarm as a whole through the Alarm Manager. For example, if you are not concerned about SNMP security you can disable the Authentication Failure alarm. If your network connectivity tends to be problematic or you have very slow devices, you may want to disable the SNMP unreachable alarm.

To disable an alarm:
1 In the navigation pane, click Alarm Manager.
2 Click the Alarm And Event Definitions tab.
3 Select the desired alarm from the list by clicking its check box.
4 Click Enable/Disable. The green check mark in the Enabled column changes to a red "X".

Note that disabling alarms that are not likely to occur does not have much performance impact. For example, if you do not use ESRP, then disabling the ESRP State Change alarm is not likely to have an impact, as those alarms should never occur. However, if you do use ESRP, but do not want to know about state changes, disabling that alarm could have some performance impact.

One way to determine which alarms could be disabled for maximum performance impact is to look at the alarms that actually do occur within your network. You can look at the historical alarms list to see which alarms occur in your network (see The Cleared Alarms and Events Tab on page 252). Click the Name column heading to sort the list. This groups all occurrences of a given alarm together. Using this list you can see which alarms occur in your network, and the volume of alarms generated for each type of event.

Another possibility is that a specific device is generating a large number of alarms. If this is the case, you may be able to eliminate some of this load by either reconfiguring, maintaining, or repairing the device to eliminate the fault, or by changing the scope of one or more alarms to remove the problematic device from the alarm scope. By removing a device from the alarm scope, Ridgeline ignores traps for the device, and does not trigger an alarm even though the device itself may still generate those trap events.

Limiting the Scope of Alarms


One way to potentially reduce the load created by alarm processing is to use the alarm profile scope to limit an alarm to only selected devices. For example, you may want to create link down and link up alarms to monitor the status of certain critical links in your network, but ignore such events on noncritical links. When you create an alarm profile, the default scope is all devices and all ports. You can choose to exclude certain devices and device groups. The Scope tab of the Add Alarm Profile or Edit Alarm Profile dialog box lets you specify a scope for the alarm actions.

To change the alarm scope for an existing alarm profile:
1 In the navigation pane, click Alarm Manager.
2 Click the Profiles tab.
3 Select the alarm you want to scope by clicking its check box.
4 Click Edit Profile.
5 Click the Scope tab.
6 Select the Scope on all specific devices and ports check box.
7 Under Available Devices, select the devices and device groups that you want to exclude from the profile, and then click Add.
8 Click OK.

Using the MIB Poller Tools


The MIB Poller Tools, found in the Reports feature, can be used to collect and inspect data from any MIB variables supported by the devices on your network. These tools allow you to retrieve data that is not available through Ridgeline's reports or other status displays, and to accumulate historical data for MIB variables of interest. The collected data can then be exported as a comma-separated text file which can be imported into another program such as a spreadsheet for analysis.

You must have an administrator or super-user role to set up and initiate MIB collection or query actions. However, users with other roles can view the results of a collection that has been initiated by an administrator or super-user.

There are two separate tools available for retrieving MIB variable data:
• The MIB Poller Summary displays a MIB collection, or allows an Administrator to load a MIB collection XML file to initiate MIB collection activity. A MIB collection is a historical log of MIB values as defined in the collections.xml file. In a running collection, Ridgeline polls specified devices, retrieves the values of specified MIB variables and saves them in the Ridgeline database. The OIDs and devices to be polled, the poll interval, number of polling cycles and the amount of polled data to be stored are all defined in the Administrator-created collections.xml file. For more information, see The MIB Poller Summary on page 505.
• The MIB Query tool allows an Administrator to create a one-time MIB query request to retrieve the value of specific variables from a set of specified devices. This is a one-time query, and does not poll repeatedly or store the data it retrieves. For more information, see The MIB Query Tool on page 509. The MIB Query tool is accessible only to users who have an administrator or super-user role.

Defining a MIB Collection


A MIB Collection is defined in an XML file named collections.xml that is stored in the \jboss\standalone\deployments\user.war\collections folder of the Ridgeline installation. You can specify both scalar and tabular OIDs. You must also specify the set of devices (by IP address) that should be polled for this data, and provide some additional properties such as the polling interval. The collections.xml file must have the following format:

<?xml version="1.0" encoding="utf-8" ?>
<collections>
  <collection name="..." pollingIntervalInSecs="..." initialState="..." saveData="..." maxPollsPerDevice="..." deletePercentage="...">
    <table>
      <oid name="..." ... />
    </table>
    <table>
      <oid name="..." ... />
      <oid name="..." ... />
    </table>
    <scalar>
      <oid name="..." ... />
      <oid name="..." ... />
    </scalar>
    <scope ipAddress="..." />
    <scope ipAddress="234.234.234.234" />
  </collection>
</collections>

Within the outermost collections statement, you can define multiple individual collections, each bracketed with <collection name= ... > </collection>. The collection properties must be defined in the collection statement at the beginning of each collection definition:

Table 28: Control properties for a MIB collection specification
name: A name for the collection, between 1 and 255 characters.
pollingIntervalInSecs: The interval at which Ridgeline should poll for the variables defined in this collection, between 1 and 2147483 seconds.
initialState: Whether this collection should start running immediately upon loading (values are running and stopped).
saveData: Whether the collected data should be saved to the Ridgeline database (yes or no).
maxPollsPerDevice: The maximum number of poll result sets that should be saved in the database, between 1 and 2147483647 polls.
deletePercentage: The percentage of the saved data that should be deleted when the file reaches its specified limit.

Table OIDs are defined in <oid... > statements, included between <table> and </table> statements. OIDs from different tables must be put in separate <table> statements. The label portion of the statement appears in the MIB Collections Detail report, and as a heading in the exported data file. Scalar OIDs are defined in <oid... > statements included between a <scalar> and </scalar> statement. The devices that should be polled are specified by IP address in <scope ipAddress ...> statements, one for each IP address. The completed file must be named collections.xml, and placed in the user/collections directory. The Reload button in the MIB Poller Summary report will load the collections.xml specification, and begin the collection process if the initialState property specifies running.


To see an example of an actual collections.xml file, see Viewing the XML Collection Definition on page 508.
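A pre-load check for collections.xml, as an added example (not Ridgeline's own code): it applies the Table 28 limits and the one-scope-per-IP rule before the file is dropped into the collections folder. The 1 to 100 range for deletePercentage, the unicast-only scope rule, the refusal of DOCTYPE declarations and the sample OIDs and addresses are assumptions of this example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Numeric limits quoted from Table 28 of the guide.
MAX_INTERVAL_SECS = 2147483
MAX_POLLS = 2147483647

# Constructed sample: one valid collection and one with three mistakes.
SAMPLE = """<collections>
  <collection name="uplink-counters" pollingIntervalInSecs="300"
              initialState="running" saveData="yes"
              maxPollsPerDevice="1000" deletePercentage="25">
    <table><oid name="1.3.6.1.2.1.2.2.1.10" /></table>
    <scalar><oid name="1.3.6.1.2.1.1.3.0" /></scalar>
    <scope ipAddress="192.0.2.10" />
  </collection>
  <collection name="copied-template" pollingIntervalInSecs="0"
              initialState="started" saveData="yes"
              maxPollsPerDevice="1000" deletePercentage="25">
    <scalar><oid name="1.3.6.1.2.1.1.3.0" /></scalar>
    <scope ipAddress="234.234.234.234" />
  </collection>
</collections>"""


def _in_range(value, low, high):
    """True when value is a plain decimal integer within [low, high]."""
    if value is None or not re.fullmatch(r"[0-9]+", value):
        return False
    return low <= int(value) <= high


def validate_collections(xml_text):
    """Return a list of problems found in a collections.xml document."""
    # Assumption: the file needs no DTD, so refuse DOCTYPE/ENTITY outright
    # rather than depend on how the loading parser treats entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "collections":
        return [f"root element is <{root.tag}>, expected <collections>"]
    collections = root.findall("collection")
    if not collections:
        return ["no <collection> elements found"]

    problems = []
    for coll in collections:
        name = coll.get("name", "")
        where = f"collection {name!r}"
        if not 1 <= len(name) <= 255:
            problems.append(f"{where}: name must be 1 to 255 characters")
        if not _in_range(coll.get("pollingIntervalInSecs"), 1, MAX_INTERVAL_SECS):
            problems.append(f"{where}: pollingIntervalInSecs out of range")
        if coll.get("initialState") not in ("running", "stopped"):
            problems.append(f"{where}: initialState must be running or stopped")
        if coll.get("saveData") not in ("yes", "no"):
            problems.append(f"{where}: saveData must be yes or no")
        if not _in_range(coll.get("maxPollsPerDevice"), 1, MAX_POLLS):
            problems.append(f"{where}: maxPollsPerDevice out of range")
        # Assumption: a whole-number percentage from 1 to 100.
        if not _in_range(coll.get("deletePercentage"), 1, 100):
            problems.append(f"{where}: deletePercentage out of range")

        # Every <oid> inside a <table> or <scalar> group needs a name.
        groups = coll.findall("table") + coll.findall("scalar")
        if not groups:
            problems.append(f"{where}: no <table> or <scalar> OIDs defined")
        for group in groups:
            oids = group.findall("oid")
            if not oids or any(not oid.get("name") for oid in oids):
                problems.append(f"{where}: <{group.tag}> has a missing or unnamed <oid>")

        # Devices are listed one <scope ipAddress=...> per address.
        scopes = coll.findall("scope")
        if not scopes:
            problems.append(f"{where}: no <scope> devices defined")
        for scope in scopes:
            addr = scope.get("ipAddress", "")
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{where}: scope {addr!r} is not an IP address")
                continue
            if ip.is_multicast or ip.is_unspecified:
                problems.append(f"{where}: scope {addr} is a multicast or unspecified address")
    return problems


if __name__ == "__main__":
    for problem in validate_collections(SAMPLE):
        print(problem)
```

The second collection in the sample keeps the format listing's 234.234.234.234 scope line, which is a multicast address and is reported along with the two bad property values.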

The MIB Poller Summary


If a collections.xml file has been loaded, the MIB Poller Summary shows the names of the collections defined in the XML file, along with their status (running or stopped). The following figure shows the summary for a set of three collections.

Figure 329: The MIB Poller Collection Summary

From this page, any user can view the details of the collection, view information about the devices on which data is being collected, view the XML file that defines the collections, and export the current results of the collection. A Ridgeline Administrator can start or stop polling for any or all of the collections, and can reload the collections.xml file.

Loading, Starting and Stopping a Collection

If a file named collections.xml exists in the Ridgeline server's \jboss\standalone\deployments\user.war\collections folder when the Ridgeline server is started, the collection definitions in the file are loaded automatically. Polling for the collections starts if the initialState property specifies that the collection should be running. If the Ridgeline server is already running when the collections.xml file is placed in the collections directory, then you must click Reload to load the collection definitions.

Once you have loaded the collections.xml file, the collections defined in that file continue to be maintained, either running or stopped, until they are replaced by reloading a collections.xml file which has been modified to specify a different set of collections, or until the collections.xml file is removed from the collections directory.

You can stop the polling process for a running collection by selecting its check box, and then clicking Stop. To start a stopped collection, select the collection, and then click Start. You can select all the collections in the table by selecting the check box in the column heading.

The MIB Collection Detail Report

To view the details of a collection, click the collection name, which links to the MIB Collection Detail report for the collection. The following is an example of a Collection Detail Report.

Figure 330: MIB Collection Detail Report

The top area of the MIB Collection Detail Report shows the properties of the collection, as defined in the collections.xml file:

Collection Name: The name of the collection.
Polling Interval: The polling interval, in seconds.
Save Polled Data: Whether the polled data is being saved in the database (Yes or No).
Scope: The devices on which polling for this data is being conducted.
Status: The status of the collection (running or stopped).
Startup State: Whether the poll should be started automatically when it is loaded (running) or should be left in the stopped state.
Poll Saving Limit: The lower boundary of the number of poll results that will be saved in the database. This value is calculated by taking the maximum number of saved polls multiplied by the delete percentage. The actual number of poll data sets in the database at any given time will be somewhere between this value and the maximum poll saving limit.
Poll Limit: A limit on the number of polls that should be performed. Currently this is always None; the number of polling cycles cannot be limited at this time.

The two tables below show the scalar and tabular MIB variables (OIDs) for which polling is done. Each variable is identified by its OID and the data label that was provided in the XML file.

The MIB Poller Detail Report

The MIB Poller Detail report shows the status of the collection for each device in the collection scope.

Figure 331: MIB Collection Detail Report

This report shows the following information:

Device: The name of the device. This also functions as a link to the Device Details report for the device.
Status: The status of the collection on this device (running, stopped, or error).
Message: A message, if appropriate, explaining the status (such as an error message).

To export results for a device, select the device's check box, and then click Export. You can select all devices by selecting the check box in the table column header.


Viewing the XML Collection Definition

To view the collection definitions, click Show XML in the MIB Collection Poller Summary. This displays the XML that defines the currently loaded collections. The following figure shows an example of the XML for a collection definition.

Figure 332: A MIB Collection definition shown in XML

Exporting the Collected Data

One of the main purposes for collecting historical MIB data over time is to allow analysis to identify trends or patterns that may provide insights into your network usage. To do this, you need to export the collected MIB data so it can be used by other analysis tools. The MIB Poller Tool allows you to export data as comma-separated text and save it to a file. You can export the data from either the MIB Collection Poller Summary report, or from the MIB Poller Polling Detail Report.
• From the MIB Poller Summary report (see The MIB Poller Summary on page 505), you can export the results for an entire collection: click Export in the row for the collection whose data you want to export. This exports the results for all devices in the collection into a single text file, and places the text file into an archive (zip) file.
• From the MIB Poller Polling Detail report (see The MIB Poller Detail Report on page 507) you can export the results for individual devices in a collection. Select the check boxes, and then click Export. This exports the results for the selected devices into a single text file, and places the text file into an archive (zip) file.

Once exported, the text file can be imported into another application, such as a spreadsheet, for analysis.


The MIB Query Tool


The MIB Query Tool lets you retrieve the values of MIB variables on a one-time basis. It does not do any repeated polling, and does not store the results.

Figure 333: MIB Query Example

To perform a MIB query:
• In the first box, type the IP addresses of the devices from which you want to get data.
• In the second box, type any scalar MIB OIDs you want to retrieve.
• In the third box, type any Table-based MIB OIDs.

Entries must be one item per line. Click Submit to execute the query. The results are returned in XML format in the reports window.

Figure 334: The results of a MIB Query

Reconfiguring Ridgeline Ports


You can change the default ports used by Ridgeline if they conflict with ports already used by other programs on your system.

Note: The Port Configuration Utility (in Ridgeline 3.0) used to change default ports for the database and web servers is no longer available. Use the procedure below to change default ports.

The ridgeline-ports.properties file shows Ridgeline's default ports and the location of all files that set each default port. The ports shown in this file, and their default settings, are:

jboss.database.port=10553
radius.port=10559
bindingservice.beans.boss.port.111=10560-10567, 10569-10571
jboss.remoting.port=10555
epicenter.web.port=8080
jboss.webserver.port=8443
agent.port=10556
tcp.port=56983
trap.receiver.port=10550
syslog.port=514

Use the Ridgeline client to set the default ports for the trap receiver and syslog server. See Server Properties Administration.

To change a default port:
1 Stop Ridgeline services (server and database engine). See the Ridgeline Installation and Upgrade Guide.
2 Find the port number in the ridgeline-ports.properties file. The ridgeline-ports.properties file is located at:
Windows: \Program Files\Extreme Networks\Ridgeline4.0
Linux: \opt\ExtremeNetworks\Ridgeline4.0
3 For each file listed under locations for that port:
a Open the file in a text editor.
b Search for the port number and change it.
c Save and close the file.
Note: Do not add any extra spaces when editing these files.
4 Restart Ridgeline services (server and database engine). See the Ridgeline Installation and Upgrade Guide.

For an example of this procedure, see Example on page 510.

Example
The following shows an example of the procedure for changing the ports used by Ridgeline that are conflicting with other programs (see Reconfiguring Ridgeline Ports on page 509). Port=8443 is conflicting with other programs. The ridgeline-ports.properties file shows:

# locations:
# jboss/server/deploy/jbossweb.sar/server.xml
# jboss/server/ridgeline/deploy/epicenter.ear/xos.war/WEB-INF/wsdl/event.wsdl
# jboss/server/ridgeline/deploy/epicenter.ear/nms.war/WEB-INF/wsdl/nms.wsdl
https.port=8443


Open each of the three files indicated (server.xml, event.wsdl, nms.wsdl), search for port 8443, change it, and then save each file. If this procedure does not solve your problems, call your Extreme Networks Technical Support representative for help.
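The search-and-change step above, as an added example (not an Extreme Networks tool): it reads the "# locations:" layout of ridgeline-ports.properties, checks whether a replacement port is already assigned to another key, and changes a port only where it stands alone as a number. The layout of lines without location comments and the server.xml fragment are constructed for this example.

```python
import re

# Constructed sample: the https.port entry is the one shown in the guide's
# example; the two entries after it reuse keys from the guide's port list.
SAMPLE_PROPS = """\
# locations:
# jboss/server/deploy/jbossweb.sar/server.xml
# jboss/server/ridgeline/deploy/epicenter.ear/xos.war/WEB-INF/wsdl/event.wsdl
# jboss/server/ridgeline/deploy/epicenter.ear/nms.war/WEB-INF/wsdl/nms.wsdl
https.port=8443
epicenter.web.port=8080
bindingservice.beans.boss.port.111=10560-10567, 10569-10571
"""

# Constructed fragment: 18443 must survive a change of 8443.
SAMPLE_SERVER_XML = '<Connector port="8443" redirectPort="18443" />'


def parse_port_locations(props_text):
    """Map each key to (value, [files listed under its '# locations:' block])."""
    entries, files, in_locations = {}, [], False
    for raw in props_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("# locations"):
            files, in_locations = [], True
        elif line.startswith("#"):
            path = line.lstrip("# ").strip()
            if in_locations and path:
                files.append(path)
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = (value.strip(), files)
            files, in_locations = [], False
    return entries


def ports_of(value):
    """Expand '8443' or '10560-10567, 10569-10571' into a set of port numbers."""
    ports = set()
    for part in value.split(","):
        low, _, high = part.strip().partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def keys_using_port(entries, port):
    """Return the keys that already claim this port, singly or inside a range."""
    return sorted(key for key, (value, _) in entries.items() if port in ports_of(value))


def replace_port(content, old_port, new_port):
    """Change old_port only where it is a whole number; return (text, count)."""
    pattern = re.compile(rf"(?<!\d){old_port}(?!\d)")
    return pattern.subn(str(new_port), content)


if __name__ == "__main__":
    entries = parse_port_locations(SAMPLE_PROPS)
    print("files to edit:", entries["https.port"][1])
    print("8080 already used by:", keys_using_port(entries, 8080))
    print(replace_port(SAMPLE_SERVER_XML, 8443, 9443))
```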

Using the Ridgeline Debugging Tools


The Ridgeline debugging tools are available through the Reports feature for users with an administrator or super-user role. You should not attempt to use any of these tools except under the direction of Extreme Networks Technical Assistance Center personnel. This report provides links to the following tools:
• Set logging level: Lets you set the Server Side Client Debug Level, and the Server Debug Level. This page also shows you the debug Telnet port number (see the following figure).
• Check server internals: Creates a report of server internal status (see the following figure).
• Query Database: Lets you enter an SQL query against the Ridgeline database. This is for use only at the direction of Extreme Technical Assistance Center personnel (see the following figures of query and output).

Figure 335: Debug Configuration

Figure 336: Ridgeline Server Internals


Figure 337: Ridgeline Database Query

Figure 338: Ridgeline Database Query Report Output


A Configuring Devices for Use With Ridgeline

Configuring Ridgeline as a Syslog Receiver
Setting Ridgeline as a Trap Receiver
The Ridgeline Third-party Device Integration Framework

Configuring devices for use with Ridgeline describes:
• Configuring certain features on Extreme and third-party devices to enable Ridgeline features relative to those devices.
• Configuring an external RADIUS server for use with Ridgeline.

Configuring Ridgeline as a Syslog Receiver


To receive Syslog messages, the Syslog receiver function of Ridgeline must be enabled, and remote logging must be enabled with Ridgeline configured as a Syslog receiver on the devices from which you want to receive Syslog messages. The Syslog server function within Ridgeline can be enabled through the Ridgeline Administration feature (see Device Properties). On the device side, remote logging must be enabled, and the switch must be configured to log to the Ridgeline server. The default on Extreme switches is for logging to be disabled. You must use the CLI to configure logging on your switches. To enable remote logging on an Extreme switch, enter the command:

To configure the Ridgeline server as a Syslog server, enter the ExtremeWare command: config syslog < You must enter the IP address of the Ridgeline server, and a facility level, which can be local0 through local7. For more information on these commands, see the ExtremeWare or ExtremeXOS documentation. You can also include a severity in the config syslog command, which filters log messages before they are sent to the Ridgeline Syslog server. The Ridgeline Syslog server then filters the incoming messages based on the severity you set using the Accept SysLog messages with Min Severity property setting in Ridgeline Administration.

Setting Ridgeline as a Trap Receiver


When Extreme devices are added to the Ridgeline inventory, they are automatically configured to send traps to the Ridgeline server. However, third-party devices are not automatically configured to do so. If you want alarms to function for third-party devices, you must manually configure the devices to send traps to the Ridgeline server. The following information is required to set up Ridgeline as a trap receiver:

• The IP address of the system where the Ridgeline server is running.
• The Ridgeline server trap port. By default this is 10550. (This port is set by the System Trap Receiver Port property. For information about how to set this property, see SNMP Properties on page 352.)
• The Ridgeline server community string. This is a string in the form: ST.< value of IP address >.< value of trap port >

The value of the IP address is the decimal equivalent of the hex value of the IP address. For example, if the IP address of the Ridgeline server is 10.0.4.1, you calculate the decimal equivalent:

1 Convert each quad of the IP address to its hex equivalent:
Decimal: 10 0 4 1
Hex: a 00 04 01
2 Convert the hex value a000401 into a decimal value, in this case 167773185.
3 Put the three components together to form the community string: ST.167773185.10550

You can find and verify the value of the community string by using Telnet to log on to an Extreme Networks device that is being managed by Ridgeline, and using the ExtremeXOS or ExtremeWare CLI command show management to display the list of trap receivers configured for that device. The Ridgeline server, and its community string, should be included in this list.

To receive RMON traps, ensure that RMON is enabled on the device. For Extreme devices, you can do this through the ExtremeXOS or ExtremeWare command enable rmon.
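The community-string calculation above, carried out in both directions as an added example (not Ridgeline code): it builds the string for a server, decodes one back to an address and port, and checks trap-receiver entries against the address they point at. The receiver list is constructed sample data, and the tuple layout is this example's own, not the output format of show management.

```python
import ipaddress


def ip_hex(server_ip):
    """Return the address as eight hex digits, each quad zero-padded (10 -> 0a)."""
    return ipaddress.IPv4Address(server_ip).packed.hex()


def build_trap_community(server_ip, trap_port=10550):
    """Return ST.<IP address as one decimal number>.<trap port>."""
    if not 1 <= trap_port <= 65535:
        raise ValueError(f"trap port {trap_port} is not a valid port")
    # int() of the address is the padded hex form read as a single number.
    return f"ST.{int(ipaddress.IPv4Address(server_ip))}.{trap_port}"


def parse_trap_community(community):
    """Decode an ST.<decimal>.<port> string into (ip, port) or raise ValueError."""
    parts = community.split(".")
    if len(parts) != 3 or parts[0] != "ST":
        raise ValueError("not in ST.<address>.<port> form")
    if not all(p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError("address and port must be decimal numbers")
    value, port = int(parts[1]), int(parts[2])
    if value > 0xFFFFFFFF or not 1 <= port <= 65535:
        raise ValueError("address or port out of range")
    return str(ipaddress.IPv4Address(value)), port


def audit_receivers(receivers):
    """Return (destination, reason) for entries whose string does not decode
    to the destination address they are configured with."""
    findings = []
    for destination, community in receivers:
        try:
            ip, _port = parse_trap_community(community)
        except ValueError as exc:
            findings.append((destination, str(exc)))
            continue
        if ip != destination:
            findings.append((destination, f"community encodes {ip}"))
    return findings


# Constructed sample: (trap destination, community string) pairs.
SAMPLE_RECEIVERS = [
    ("10.0.4.1", "ST.167773185.10550"),   # matches the guide's worked example
    ("10.0.4.2", "ST.167773185.10550"),   # string copied from another server
    ("10.0.4.3", "ST.41025.10550"),       # quads joined without zero padding
]

if __name__ == "__main__":
    print(ip_hex("10.0.4.1"), build_trap_community("10.0.4.1"))
    for finding in audit_receivers(SAMPLE_RECEIVERS):
        print(finding)
```

The third sample entry shows what the conversion yields when the quads are joined as a, 0, 4, 1 instead of two hex digits each: the string decodes to 0.0.160.65 rather than the server address.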

The Ridgeline Third-party Device Integration Framework


Ridgeline's third-party device integration framework provides a generic mechanism for adding third-party device support with a minimum of configuration changes. The Ridgeline integration framework enables extensive support to discover any device running an agent that supports MIB-2:
• Basic feature support, including front and back panel views if available
• Third-party device trap support
• Integrating third-party proprietary device-related tools

Through this framework, integration of third-party devices is accomplished independently of Ridgeline product releases. The integration is achieved by adding or editing XML, text and image files to accomplish different levels of integration. Each aspect of device integration can be performed independently; that is, you can integrate a device into Ridgeline but choose not to integrate trap support in the Alarm Manager, for example.

Caution: The device integration process may require editing of certain Ridgeline files that can affect the functionality of the Ridgeline server. In some cases, editing these files incorrectly may prevent the Ridgeline server from running. It is strongly recommended that you attempt device integration under the supervision of Extreme Networks support personnel.

Ridgeline Inventory Integration


The basic features of Ridgeline inventory integration include:
• The ability to discover the device when the MIB-2 option in Discovery is selected.
• The device image can be viewed (front panel, and back panel if appropriate).
• Device information such as OID, device name, IP address, MAC address, device type and device group is presented.
• The device contact username and password can be modified from Ridgeline.

To accomplish this integration:
1 Create an Abstract Type Library (ATL) file (an XML file) and save it in the \Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\ATL\DeviceTypes directory.
2 Create a folder in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\gifs directory which is named with the OID of the new Device Type.
3 Create GIF-format (Compuserve Graphics Interchange Format) images for the device, and place these in the OID folder created previously.
4 Create a deviceInfo.txt file for the device and place this in the OID folder created previously.
5 If it does not already exist, create a device icon gif file, named to match the file name provided in the imageIconsFileName tag in the ATL XML file, and add this to the dpsimages.zip file (found in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\gifs directory).

The Abstract Type Library XML File

The Abstract Type Library is a repository for information about the types of devices Ridgeline can recognize. For each device type, an XML file is placed in the jboss\standalone\deployments\extreme.war\ATL\DeviceTypes directory. (There are also ATL subdirectories for Interface Types and Slot Types.) XML files in the ATL are organized in a hierarchy, with properties of the device types and devices specified at various levels in this hierarchy. The figure below shows portions of the general hierarchy. When Ridgeline discovers a device, it navigates this hierarchy searching for a match to the device or device type that will provide the properties for the device. XML files for third-party devices extend and further specify properties unique to each device type and device. Extreme Networks devices are also recognized through this same ATL mechanism.
Figure 339: ATL XML file hierarchy (the figure's nodes include All Devices, Extreme.xml, 3rd Party.xml, 3Com.xml, 3Com_SuperStackerII_1100.xml, Extreme Summit, Extreme Unmanaged, Summit_48.xml, Summit_WM.xml, Summit_WM_100.xml and Summit_WM_1000.xml)

The 3COM SuperStacker II 1000 is an example of how a third-party device is integrated into Ridgeline for Telnet functionality. There are actually three 3COM devices integrated into Ridgeline, all of which share a number of properties. Therefore, these properties are specified in the 3com.xml file, which is referenced as the parent in the 3Com_SuperstackerII_1100.xml file. The key attributes in an ATL XML file are:

Table 29: Attributes Used in an ATL File
TAG | Attribute | Value
Device Type | Name | The name of the device type of the device. This is the main Tag in the file.
Device Type | Version | Must be specified as 1
Device Type | Parent | The parent XML file. For an individual device model, this may be the device type XML file (e.g. in the 3Com_SuperstackerII_1100.xml file, the parent is 3Com.xml). For a device type XML file, such as the 3COM.xml file, the parent is 3rdParty.xml.
Identity | | Contains the sysObjectId tag
SysobjectID | | The OID value of the device, or the enterprise OID (if a device type)
SysobjectID | Protocol | Use SNMP as the default value
Attributes | | This contains the properties that define the features and capabilities of the third-party device, such as enabling Telnet. These are described later in this section.
ImageIconsFilename | | Provides the name of the image that is displayed in the navigation pane for the device. This image must be present in the dpsimages.zip file found in the jboss\standalone\deployments\extreme.war\gifs directory.
Vendor | | Device vendor name.

The following are examples of the 3Com_SuperstackerII_1100.xml file and its parent, 3Com.xml.

The 3Com.xml file:

<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="3Com" version="1" parent="3rd Party">
  <identity>
    <sysObjectID protocol="SNMP">43</sysObjectID>
  </identity>
  <attributes>
    <vendor>3Com</vendor>
    <imageIconsFileName>3comicons.gif</imageIconsFileName>
    <CLI.LOGIN_PROMPT> login: </CLI.LOGIN_PROMPT>
    <CLI.PASSWORD_PROMPT> password: </CLI.PASSWORD_PROMPT>
    <CLI.SHELL_PROMPT> [#>$] </CLI.SHELL_PROMPT>
    <CLI.MORE_PROMPT> Press|to continue or|to quit: </CLI.MORE_PROMPT>
  </attributes>
</deviceType>

The 3Com_SuperstackerII_1100.xml file:

<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="Super Stacker II 1100" version="1" parent="3Com">
  <identity>
    <sysObjectID protocol="SNMP">43.10.27.4.1.2.1</sysObjectID>
  </identity>
  <attributes>
    <TELNET> true </TELNET>
  </attributes>
</deviceType>

Note that in the 3Com.xml file, the sysObjectID is the enterprise OID for 3COM; in the 3Com_SuperstackerII_1100.xml file, it is the OID of the specific 3Com device. Many of the attributes in the 3Com.xml file are related to integration into Telnet. These are discussed in Telnet Integration.

The OID folder

Device images displayed in inventory and on topology maps are located in the jboss\standalone\deployments\extreme.war\gifs directory, under directories named by the OID of the device. There are typically three files in these subdirectories:
• DeviceView.gif, the image (front panel or front and back panel) displayed in the inventory.
• MapView.gif, the small image that appears in the topology maps.
• DeviceInfo.txt, a file that defines the device type, fallback OID (the OID of the next higher level), and other information.

The DeviceInfo.txt file must always be present. The two gif files may or may not be present; if they are not, the gif file specified for the parent OID is used. In fact, for the 3Com SuperStacker II 1100 (directory OID_43.10.27.4.1.2.1), only the DeviceView image is provided. For the MapView image, the generic 3COM image provided in the parent OID directory (OID_43) is used.

The DeviceInfo.txt must contain at a minimum the following tags:

<?xml version="1.0"?>
<ConfigFile>
  <FallbackOID> Parent SysOID </FallbackOID>
  <DeviceType> Device Name </DeviceType>
</ConfigFile>

For the 3Com SuperStacker II 1100 (OID_43.10.27.4.1.2.1) the DeviceInfo.txt file contains these entries:

<?xml version="1.0"?>
<ConfigFile>
  <FallbackOID>43</FallbackOID>
  <DeviceType>3Com Super Stack II Switch 1100 24-port</DeviceType>
</ConfigFile>

The DeviceInfo.txt file for the parent, OID_43, contains the following entries:

<?xml version="1.0"?>
<ConfigFile>
  <FallbackOID>UnknownDevice</FallbackOID>
  <DeviceType>Generic 3Com</DeviceType>
</ConfigFile>

Depending on the type of device, other information may also be included. In general, features like Port Location (the ability to click on a port to view port statistics) are not supported for third-party devices.
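A consistency check for a set of ATL device-type files, as an added example (not Ridgeline's own matching code): it walks the parent chain of the two 3Com files quoted above, collects the attributes a device ends up with, and reports a parent that is not among the loaded files or a sysObjectID that does not sit under its parent's OID. That the nearest definition of an attribute wins, and that a child OID should extend its parent's, are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The two ATL files quoted in the guide, with the XML declarations left out.
ATL_FILES = {
    "3Com.xml": """<deviceType name="3Com" version="1" parent="3rd Party">
  <identity><sysObjectID protocol="SNMP">43</sysObjectID></identity>
  <attributes>
    <vendor>3Com</vendor>
    <imageIconsFileName>3comicons.gif</imageIconsFileName>
    <CLI.LOGIN_PROMPT> login: </CLI.LOGIN_PROMPT>
    <CLI.PASSWORD_PROMPT> password: </CLI.PASSWORD_PROMPT>
    <CLI.SHELL_PROMPT> [#>$] </CLI.SHELL_PROMPT>
  </attributes>
</deviceType>""",
    "3Com_SuperstackerII_1100.xml": """<deviceType name="Super Stacker II 1100" version="1" parent="3Com">
  <identity><sysObjectID protocol="SNMP">43.10.27.4.1.2.1</sysObjectID></identity>
  <attributes><TELNET> true </TELNET></attributes>
</deviceType>""",
}


def load_types(files):
    """Parse ATL files into {device type name: parent, oid, attributes}."""
    types = {}
    for filename, text in files.items():
        root = ET.fromstring(text)
        attrs_el = root.find("attributes")
        children = list(attrs_el) if attrs_el is not None else []
        types[root.get("name")] = {
            "file": filename,
            "parent": root.get("parent"),
            "oid": root.findtext("identity/sysObjectID", default="").strip(),
            "attributes": {c.tag: (c.text or "").strip() for c in children},
        }
    return types


def resolve(types, name):
    """Walk the parent chain from name upward.

    Returns (merged attributes, chain of loaded types, first parent that
    is not loaded or None when the chain ends cleanly)."""
    merged, chain, current = {}, [], name
    while current in types:
        if current in chain:
            raise ValueError(f"parent loop at {current!r}")
        chain.append(current)
        for key, value in types[current]["attributes"].items():
            merged.setdefault(key, value)  # assumption: nearest definition wins
        current = types[current]["parent"]
    return merged, chain, current


def lint(types, name):
    """Return problems that would leave this device type without its properties."""
    problems = []
    _merged, _chain, missing = resolve(types, name)
    if missing is not None:
        problems.append(f"parent {missing!r} is not among the loaded files")
    node = types[name]
    parent = types.get(node["parent"])
    if parent and not (node["oid"] + ".").startswith(parent["oid"] + "."):
        problems.append(f"sysObjectID {node['oid']} is not under parent OID {parent['oid']}")
    return problems


if __name__ == "__main__":
    loaded = load_types(ATL_FILES)
    print(resolve(loaded, "Super Stacker II 1100"))
    print(lint(loaded, "Super Stacker II 1100"))
```

With only the two quoted files loaded, the check reports the "3rd Party" parent as missing, because that file is not reproduced here.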

The dpsimages.zip File

The dpsimages.zip file contains the images used in Ridgeline inventory. If you are adding a completely new device or device type with its own unique image, you must add that image to this file. The image itself can be the same as the MapView.gif image you added into the OID folder (see The OID folder), but it must be named to match the name specified in the imageIconsFileName tag in the XML file for the device or device type (see Telnet Integration). For example, the dpsimages.zip file includes the file 3comicons.gif, which matches the name specified in the 3Com.xml file:

<imageIconsFileName>3comicons.gif</imageIconsFileName>

If individual devices do not require unique icons, this can be specified in the parent XML file (for the device type) and can be left out of the XML files for individual devices of that type.

Telnet Integration
Ridgeline's third-party integration framework can be used to provide auto-logon when a user (with the appropriate role/permissions) connects to the device from the Ridgeline Telnet window. Telnet integration involves adding some additional tags to the ATL XML file for the device or device type. The following tags can be used to specify Telnet features:

Table 30: Tags used for Telnet Integration

| Tag | Value | Comments |
|---|---|---|
| CLI.LOGIN_PROMPT | A value (string) to be displayed as the prompt during login to the device. | If the device normally displays a specific login prompt, you can enter it here to provide the same interface when logging in from Ridgeline. This tag is required if the device supports Telnet. |
| CLI.PASSWORD_PROMPT | A value (string) to be displayed as the password prompt during login to the device. | Similar to the login prompt; you can enter the same prompt used by the device. This tag is optional. |
| CLI.SHELL_PROMPT | Provide the pattern that matches the CLI prompt, for example: summit450# | Specify the format of the device CLI prompt. You can specify multiple patterns, such as \S[ ][#>] [Test] [Ridgeline] $ This tag is required for Telnet support. |
| CLI.MORE_PROMPT | Provide the pattern that matches the prompt used by the device to prompt when paging is enabled on the device. | This tag is optional. |

The 3Com.xml file provides an example of the prompts used for Telnet integration:

<?xml version="1.0" encoding="utf-8" ?>
<deviceType name="3Com" version="1" parent="3rd Party">
  <identity>
    <sysObjectID protocol="SNMP">43</sysObjectID>
  </identity>
  <attributes>
    <vendor>3Com</vendor>
    <imageIconsFileName>3comicons.gif</imageIconsFileName>
    <CLI.LOGIN_PROMPT> login: </CLI.LOGIN_PROMPT>
    <CLI.PASSWORD_PROMPT> password: </CLI.PASSWORD_PROMPT>
    <CLI.SHELL_PROMPT> [#>$] </CLI.SHELL_PROMPT>
    <CLI.MORE_PROMPT> Press|to continue or|to quit: </CLI.MORE_PROMPT>
  </attributes>
</deviceType>

Note that in the case of 3COM, the Telnet integration is handled at the device type level, since it is the same for all the 3COM devices. Therefore, it is not duplicated in each device ATL XML file, but handled once at the device type (enterprise) level.

Integrating Alarms
Alarm Integration for a third-party device enables Ridgeline users to create alarms based on trap events from the third-party device. To integrate third-party alarms:

1 Add the trap OID for each event to the events.xml file.
2 Place the necessary MIBs in the jboss\standalone\deployments\extreme.war\thirdPartyMibs directory.
3 Specify the third-party MIB filenames in the miblist.txt file in the extreme.war directory.
4 Restart the Ridgeline server.
5 Configure each third-party device to send traps to Ridgeline (see Setting Ridgeline as a Trap Receiver).

Once this is done, the third-party event(s) should be selectable from the Name list under Raise alarm when this event is received on the New or Modify Alarm Definition dialog box in the Alarm Manager (see Creating New Alarm Definitions). Alarms can then be defined to take actions upon the occurrence of these events.

Editing the Events.xml file

Caution
Make a backup copy of the events.xml file before editing this file, and make changes carefully. Do not edit the existing entries in this file. Errors in this file may prevent the Ridgeline server from starting up.

The Events.xml file is located in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war directory. Each event entry in the Events.xml file is composed of the Type, SubType, TypeName and SubTypeName, followed by a SNMP V1 or V2 Mapping OID.

Table 31: Components of an Events.xml event entry

| Attribute | Value(s) | Comments |
|---|---|---|
| Type | A non-negative number for a SNMP v1 trap (same as the generic type value of the v1 trap); -2 for an SNMP v2 trap; -3 for a syslog event; -1 for a Ridgeline event | Identifies the type of event (SNMP v1 or v2 trap, or a Ridgeline or syslog event). A trap that can be sent as either a v1 or v2 trap should be represented as a v1 trap. |
| SubType | For v1 traps, this should be the same as the specific type value. For syslog events, this should be the same as the priority value of the syslog message. | Together with the Type, uniquely identifies an event. |
| TypeName | SNMP trap, Ridgeline, or syslog | The type of the event. For third-party integration this would be SNMP trap. |
| SubTypeName | The name of the specific event, e.g. link down | Together with the Type name, it forms the event name, e.g. SNMP trap link down |

The following is a sample entry for an SNMP V1 trap:

<Event Type="6" SubType="117" TypeName="SNMP Trap" SubTypeName="Cisco config changed">
  <SNMP_V1_Mapping OID=".1.3.6.1.4.1.9.9.43.2" Generic="6" Specific="1"/>
</Event>

Adding MIBs to Ridgeline

To incorporate MIBs into Ridgeline:

1 Place the MIB file(s) into the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\thirdPartyMibs directory. The MIB file name must match the MIB definition name. The MIB file names do not need to include file extensions. If they do not have file extensions, .mib is appended to the file name internally. However, if you do provide an extension, it must be .mib or .MIB.
2 Add the MIB file names to the miblist.txt file found in the extreme.war directory. Add any new entries to the end of the file only; do not add them in between existing entries. Make sure each entry is unique. Make sure each MIB file name matches the MIB definition name.
3 Restart the Ridgeline server to have these changes take effect.
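The rules in Editing the Events.xml file and Adding MIBs to Ridgeline can be checked before the server is restarted. The following is an added example, not part of the Ridgeline product or this guide: it compares an edited events.xml with its backup copy and checks new miblist.txt entries. The `<Events>` root element, the one-entry-per-line miblist.txt layout, the second event entry, its OID and all MIB names are assumptions constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Type values other than an SNMP v1 generic trap number (Table 31).
SPECIAL_TYPES = {-1, -2, -3}  # Ridgeline event, SNMP v2 trap, syslog event
MODULE_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+DEFINITIONS\s*::=\s*BEGIN", re.M)

def canonical(elem):
    """Whitespace-independent form of an element: tag, attributes, children."""
    return (elem.tag, tuple(sorted(elem.attrib.items())),
            tuple(canonical(child) for child in elem))

def parse_events(xml_text):
    """Return (entries, problems); entries maps (Type, SubType) to the entry."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, [f"events.xml is not well-formed: {exc}"]
    entries, problems = {}, []
    for ev in root.iter("Event"):
        label = ev.get("SubTypeName", "(unnamed)")
        try:
            key = (int(ev.get("Type")), int(ev.get("SubType")))
        except (TypeError, ValueError):
            problems.append(f"{label}: Type and SubType must be integers")
            continue
        if key[0] < 0 and key[0] not in SPECIAL_TYPES:
            problems.append(f"{label}: Type {key[0]} is not a defined event type")
        v1 = ev.find("SNMP_V1_Mapping")
        if v1 is not None and v1.get("Generic") != str(key[0]):
            problems.append(f"{label}: Type does not match the v1 generic type")
        if key in entries:
            problems.append(f"{label}: Type/SubType {key} is already in use")
        else:
            entries[key] = canonical(ev)
    return entries, problems

def check_events(backup_xml, edited_xml):
    """Check the edited events.xml against Table 31 and against the backup copy."""
    old, _ = parse_events(backup_xml)
    new, problems = parse_events(edited_xml)
    if new is None:
        return problems
    for key, entry in (old or {}).items():
        if new.get(key) != entry:
            problems.append(f"existing entry {key} was changed or removed")
    return problems

def check_mibs(backup_list, edited_list, mib_files):
    """Lists are miblist.txt entries in file order; mib_files maps name to text."""
    problems = []
    if edited_list[:len(backup_list)] != backup_list:
        problems.append("miblist.txt: existing entries changed; append at the end only")
    for name in sorted({n for n in edited_list if edited_list.count(n) > 1}):
        problems.append(f"miblist.txt: {name} is listed more than once")
    for name in dict.fromkeys(edited_list):
        if name in backup_list:
            continue  # only entries added in this edit are checked
        stem, ext = os.path.splitext(name)
        if ext not in ("", ".mib", ".MIB"):
            problems.append(f"{name}: extension must be .mib or .MIB")
        text = mib_files.get(name)
        if text is None:
            problems.append(f"{name}: not found in thirdPartyMibs")
        elif not (m := MODULE_RE.search(text)) or m.group(1) != stem:
            problems.append(f"{name}: file name does not match the MIB definition name")
    return problems

# Constructed sample data: the first entry is this page's sample; the <Events>
# root element, the second entry, its OID and the MIB names are placeholders.
BACKUP_EVENTS = """<Events>
<Event Type="6" SubType="117" TypeName="SNMP Trap" SubTypeName="Cisco config changed">
  <SNMP_V1_Mapping OID=".1.3.6.1.4.1.9.9.43.2" Generic="6" Specific="1"/>
</Event>
</Events>"""
NEW_ENTRY = """<Event Type="6" SubType="118" TypeName="SNMP Trap" SubTypeName="Example alert">
  <SNMP_V1_Mapping OID=".1.3.6.1.4.1.99999.1" Generic="6" Specific="2"/>
</Event>
</Events>"""
GOOD_EVENTS = BACKUP_EVENTS.replace("</Events>", NEW_ENTRY)
# Bad edit: the new entry reuses SubType 117 and the existing mapping was altered.
BAD_EVENTS = GOOD_EVENTS.replace('SubType="118"', 'SubType="117"').replace(
    'Specific="1"', 'Specific="9"')
BACKUP_MIBS = ["EXAMPLE-BASE-MIB"]
EDITED_MIBS = BACKUP_MIBS + ["EXAMPLE-VENDOR-MIB.mib", "EXAMPLE-TRAPS.txt"]
MIB_FILES = {
    "EXAMPLE-VENDOR-MIB.mib": "EXAMPLE-VENDOR-MIB DEFINITIONS ::= BEGIN\nEND\n",
    "EXAMPLE-TRAPS.txt": "EXAMPLE-TRAP-MIB DEFINITIONS ::= BEGIN\nEND\n",
}

if __name__ == "__main__":
    for problem in check_events(BACKUP_EVENTS, BAD_EVENTS) + check_mibs(
            BACKUP_MIBS, EDITED_MIBS, MIB_FILES):
        print("PROBLEM:", problem)
```

An empty result from both functions means the edit added entries without touching existing ones, which is what the Caution above asks for.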

Starting Third-Party Programs from Ridgeline


Ridgeline can start an external program for a third-party device under the following conditions:

- Ridgeline and the third-party program client and server are installed on the same system.
- Ridgeline and the third-party client are installed on the same system.
- Ridgeline is installed on one system, and a remote (web-based) third-party client and server is installed on a different system.

The third-party application must be added to the Tool.xml file located in the Program Files\Extreme Networks\Ridgeline 4.0\jboss\standalone\deployments\extreme.war\ATL\DeviceTypes directory. The format of the entry in the XML file is (using the Summit WM as an example):

<?xml version="1.0" encoding="UTF-8"?>
<tools>
  <tool oid="Summit WM" description="Summit WM launch tool" name="Launch Summit WM">
    <contents> https://$deviceIP:5825 </contents>
    <variable/>
    <role roleid="3 2 1"/>
    <context type="device"/>
  </tool>
</tools>

After you have integrated the third-party program, you can start the third-party program from Ridgeline by clicking Tools > Applications.

B Using SSH for Secure Communication

This section describes in detail how to set up secure tunneling between the Ridgeline server and Ridgeline clients. It describes the following steps:

Tunneling Setup Example
Step 1: Install PuTTY on the Ridgeline Client
Step 2: Configure the PuTTY Client
Step 3: Installing OpenSSH Server
Step 4: Configure Microsoft Firewall to Allow SSH Connects
Step 5: Initiate Ridgeline Server/Client Communication

By default, communication between the Ridgeline server and its clients is unencrypted. This means the traffic between client and server could easily be captured, including passwords, statistics, and device configurations.

PuTTY is used in conjunction with Ridgeline to encrypt (tunnel) communication between a Ridgeline server and clients. PuTTY is a free implementation of an SSH application. PuTTY uses port forwarding to tunnel this traffic. Port forwarding allows data from unsecured applications to be encrypted over a secured tunnel.

This section describes in detail a step-by-step example of setting up a PuTTY client on a Windows-based Ridgeline client system. It also describes the installation and configuration of the OpenSSH server on a Windows-based server system where the Ridgeline server is installed.

Tunneling Setup Example


Note
In this example, it is assumed that an SSH server needs to be installed on the same machine as the Ridgeline server. If an SSH server is already installed on the system where the Ridgeline server resides, you can skip steps 3 and 4 of the following procedure.

The Ridgeline client uses three main ports, 8080, 10555, and 1063, when communicating with the server. This example shows configuring these ports for port forwarding.

To configure SSH tunneling between the Ridgeline server and client:

1 Step 1: Installing PuTTY on the Ridgeline Client.
2 Step 2: Configuring the PuTTY Client.
3 Step 3: Installing OpenSSH Server.
4 Step 4: Configuring Microsoft Firewall to Allow SSH Connects.
5 Step 5: Initiating Ridgeline Server/Client Communication.

Step 1: Installing PuTTY on the Ridgeline Client


PuTTY is a free SSH application that you can download from: www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Download the file putty.exe. This program is not compressed (zipped) and does not require installation. You must download this program to each Ridgeline client with which you want to set up secure client-server communication.

Step 2: Configuring the PuTTY Client


1 Configure the Session settings: In the Category pane, click Session (see the figure below). Use the following settings:
  - Saved Sessions: a name for the session, such as "Network Manager."
  - Host Name: the host name or IP address of the Ridgeline server (192.168.10.199 in the example).
  - Protocol: SSH.
  - Port: 22.

Figure 340: The Session Settings

2 Configure the PuTTY SSH options. In the Category pane, click SSH, and then under Preferred SSH protocol version, click 2 (see the following figure).

Figure 341: The Basic SSH Settings

3 Under SSH, click X11. In the X display location box, type localhost:0 (see the following figure).

Figure 342: SSH X11 Forwarding

4 Under SSH, click Tunnels (see the following figure).

Figure 343: SSH Tunneling Settings

5 Click Local.
6 In the Source port box, type the HTTP port number you configured when you installed Ridgeline (by default, this is port 8080).
7 In the Destination box, type localhost:<port>, where <port> is the HTTP port you configured at installation (8080 by default).

8 Click Add. The source and destination HTTP ports are added to the Forwarded ports box.
9 Click Local again.
10 In the Source port box, type the port number Ridgeline uses as its Telnet port. To determine the port Ridgeline is using as its Telnet port:
  a In the navigation pane, click Reports.
  b Click Ridgeline Server > Debug Ridgeline. (You must have Ridgeline administrator or super-user rights to do this.)
  c Click Set logging level. The Debug Configuration page appears, and the Telnet port appears. This is the port you should configure in PuTTY.
11 In the Destination box, type localhost:<port> where <port> is the Ridgeline Telnet port.
12 Click Add. The source and destination HTTP ports are added to the Forwarded ports box.
13 Click Local again.
14 In the Source port box, type the EJB remoting port number, which by default is 10555.
15 In the Destination box, type localhost:<port>, where <port> is the EJB remoting port number, which by default is 10555.
16 In the Category pane, click Session, and then click Save (see the following figure).

Figure 344: Saving the Session Profile
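A saved session can be checked against the settings in Step 2 without opening the PuTTY dialogs. The following is an added example, not part of this guide or of PuTTY: it assumes PuTTY's saved-session value names PortForwardings and LocalPortAcceptAll and the comma-separated `L<source>=<host>:<port>` form of the forwarding string. The two session dictionaries are constructed, and port 1063 is taken from the Note in the Tunneling Setup Example.

```python
import re

# Ports from this page: HTTP 8080, EJB remoting 10555, and 1063 from the Note.
# Confirm the Telnet port on the Debug Configuration page before relying on 1063.
REQUIRED_PORTS = (8080, 10555, 1063)
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}
# Source side of one entry: optional 4/6 family, L/R/D kind, optional bind address.
SOURCE_RE = re.compile(r"^([46]?)([LRD])(?:(.+):)?(\d+)$")


def parse_forwardings(value):
    """Split a PortForwardings string such as 'L8080=localhost:8080,' into dicts."""
    forwards = []
    for item in filter(None, value.split(",")):
        source, _, dest = item.partition("=")
        match = SOURCE_RE.match(source)
        if match is None:
            raise ValueError(f"unrecognised forwarding entry: {item!r}")
        _family, kind, bind, port = match.groups()
        dest_host, _, dest_port = dest.rpartition(":")
        forwards.append({
            "kind": kind, "bind": bind or "", "port": int(port),
            "dest_host": dest_host,
            "dest_port": int(dest_port) if dest_port else None,
        })
    return forwards


def audit_session(settings, required=REQUIRED_PORTS):
    """Return findings for one saved session given as {value name: value}."""
    findings = []
    if settings.get("LocalPortAcceptAll", 0):
        findings.append("LocalPortAcceptAll is enabled: other hosts can reach "
                        "the forwarded ports on this client")
    local = {f["port"]: f
             for f in parse_forwardings(settings.get("PortForwardings", ""))
             if f["kind"] == "L"}
    for port in required:
        fwd = local.get(port)
        if fwd is None:
            findings.append(f"port {port}: no local forward configured")
            continue
        if fwd["bind"] not in LOOPBACK:
            findings.append(f"port {port}: listener bound to {fwd['bind']}, "
                            "not loopback")
        if (fwd["dest_host"], fwd["dest_port"]) != ("localhost", port):
            findings.append(f"port {port}: destination is {fwd['dest_host']}:"
                            f"{fwd['dest_port']}, expected localhost:{port}")
    return findings


# Constructed sessions. GOOD_SESSION follows Step 2; WEAK_SESSION omits the EJB
# forward, binds the Telnet forward to all interfaces, and accepts remote hosts.
GOOD_SESSION = {
    "HostName": "192.168.10.199", "PortNumber": 22, "LocalPortAcceptAll": 0,
    "PortForwardings":
        "L8080=localhost:8080,L1063=localhost:1063,L10555=localhost:10555,",
}
WEAK_SESSION = {
    "HostName": "192.168.10.199", "PortNumber": 22, "LocalPortAcceptAll": 1,
    "PortForwardings": "L8080=localhost:8080,L0.0.0.0:1063=localhost:1063,",
}

if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("weak", WEAK_SESSION)):
        print(name, audit_session(session) or "ok")
```

On Windows, PuTTY keeps saved sessions under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions; the dictionary passed to `audit_session` would be filled from the values of the session key.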

Step 3: Installing OpenSSH Server


This procedure demonstrates the installation of the OpenSSH server on the Ridgeline server. If there is an SSH server already running on the Ridgeline server, skip this procedure.

1 Create a folder c:\cygwin.
2 Next, download the file setup.exe from www.cygwin.com/ and store it in the folder c:\cygwin.
3 Double-click the setup.exe file in the c:\cygwin directory. The first Cygwin Setup - Choose Installation Type dialog box appears (see the following figure).

Figure 345: Choose Installation Type

4 Click Install from Internet, and then click Next. The Choose Installation Directory dialog box appears:

Figure 346: Choose Installation Directory

5 In the Root Directory box, type C:\cygwin, which is where OpenSSH will be installed. Under Install For, click All Users so all users have access to the SSH server. Click Next. The Select Local Package Directory dialog box appears.

Figure 347: Select Local Package Directory

6 In the Local Package Directory box, type C:\cygwin, and then click Next.
7 When the Select Packages dialog box appears (see the following figure), click View for a full view.

Figure 348: Select Packages

8 Scroll through the list until you find OpenSSH, and then click the word skip so that an X appears in Column B.

9 Scroll through the list until you find cygrunsrv, and then click the word skip so that an X appears in Column B.
10 Click Next to begin the installation.
11 Right-click My Computer, and then click Properties.
12 Click the Advanced tab, and then click Environment Variables. This displays the Environment Variables dialog box:

Figure 349: Adding a System Variable for Cygwin

13 Under System variables, click New to add a new entry to the system variables:
  Variable name: = CYGWIN
  Variable value: = ntsec tty
  Click OK. The new entry appears in the Systems variables table (see the following figure).

Figure 350: System Variable for Cygwin Successfully Added

14 From the Environment Variables dialog box, scroll through the System variables list, click Path, and then click Edit.

Figure 351: Path Variable

15 Type ;c:\cygwin\bin to the end of the existing variable string.

Figure 352: Modifying the Path

Click OK.

16 Double-click the Cygwin icon to open a cygwin window. A black window appears.

Figure 353: Configuring the SSH Server Through Cygwin

17 At the prompt, type ssh-host-config. When the following message prompts appear:
  - privilege separation be used, type yes.
  - local user, type yes.
  - install sshd as a service, type yes.
  - CYGWIN=, type ntsec tty.
18 When the script finishes, while in the (black) cygwin window, start the sshd service by typing net start sshd.

Step 4: Configuring Microsoft Firewall to Allow SSH Connects


By default the Windows firewall blocks incoming SSH (port 22) connections. This procedure explains how to permit port 22 through the Windows firewall on the Ridgeline server machine. If there is an SSH server already running on your server, skip this procedure.

To configure the Windows firewall to allow SSH connections:

1 Open the Windows Control Panel, and then double-click the Windows Firewall icon:

The Windows Firewall dialog box appears:

Figure 354: Configuring the Windows Firewall to Allow Port 22 Connections

2 Click the Exceptions tab, and then click Add Port. The Add a Port window appears:

Figure 355: Add a Port Window

3 In the Name box, type SSH.
4 In the Port number box, type 22.
5 Click TCP.
6 Click OK. The Windows firewall is now configured to allow SSH connections.

Step 5: Initiating Ridgeline Server/Client Communication


To establish an encrypted tunnel between the Ridgeline server and client:

1 Start the PuTTY program (double-click putty.exe) and select the Ridgeline session.
2 Enter your SSH username and password. This creates an SSH session between the client and server.

Figure 356: Creating an SSH session for Ridgeline

3 Log on to Ridgeline using the following URL: http://localhost:8080/
4 Click the Log on to Ridgeline link, enter your Ridgeline username and password, and then click Log on.

PuTTY is now set up to port forward all traffic going to the local host on port 8080. When PuTTY receives a connection request to the local host on port 8080, PuTTY encrypts the information and sends it across the encrypted tunnel to the server.

C Event Types for Alarms


This section describes the events that can be detected through the Ridgeline alarm system. Many of the events defined below are standard traps applicable to all MIB-2 devices managed by the Ridgeline server.

SNMP Trap Events
RMON Rising and Falling Trap Events
Ridgeline Events

Note
Extreme Networks proprietary traps are identified as such. For Extreme Networks devices, the level of support in ExtremeWare and ExtremeXOS is also indicated.

SNMP Trap Events


Table 32: SNMP Trap Events

| Event | Definition | ExtremeWare/ExtremeXOS Version |
|---|---|---|
| Authentication Failed | This trap indicates that a SNMP request with an invalid community string is issued to the device. | ExtremeWare All/ExtremeXOS 11.2 |
| BGP Backward Transition | This event is generated when the BGP FSM moves from a higher numbered state to a lower numbered state. | ExtremeWare 6.1.5; Not supported in ExtremeXOS |
| BGP Established | This event is generated when the BGP FSM enters the ESTABLISHED state. | ExtremeWare 6.1.5; Not supported in ExtremeXOS |
| BGP M2 Max Exceeded | Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the maximum configured limit. (BGP4-V2) | EXOS 10.1 |
| BGP M2 Threshold Reached | Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the threshold limit. (BGP4-V2) | EXOS 10.1 |
| BGP Prefix Max Exceeded | Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the maximum configured limit. | ExtremeWare 6.2.2; Not supported in ExtremeXOS |

Table 32: SNMP Trap Events (continued)


Event BGP Prefix Reached Threshold CPU Health Check Failed CPU Utilization Falling Threshold CPU Utilization Rising Threshold Cold Start Definition Extreme Networks proprietary trap. Indicates that the number of prefixes received over this peer session has reached the threshold limit. Extreme Networks proprietary trap. Indicates that the CPU Health Check has failed. Extreme Networks proprietary trap. CPU Utilization Falling Trap is generated when the extremeCpuAggregateUtilization falls below 80% of the extremeCpuUtilRisingThreshold. Extreme Networks proprietary trap. CPU Utilizations Rising trap is generated when the value of extremeCpuAggregateUtilization touches/crosses extremeCpuUtilRisingThreshold. This trap indicates that the device is rebooted by power recycling. Extreme switches always send out this trap after a reboot. Extreme Networks proprietary trap. Generated with the DOS threshold is cleared. Extreme Networks proprietary trap. Generated when the DOS threshold is crossed for any of the ports. ExtremeWare 6.2 Not supported in ExtremeXOS ExtremeWare 6.2 Not supported in ExtremeXOS ExtremeWare All/ Not supported in ExtremeXOS ExtremeWare 7.3 Not supported in ExtremeXOS ExtremeWare 7.3 Not supported in ExtremeXOS ExtremeWare/ ExtremeXOS Version ExtremeWare 6.2.2 Not supported in ExtremeXOS

DOS Threshold Cleared

DOS Threshold Reached

| Event | Definition | ExtremeWare/ExtremeXOS Version |
|---|---|---|
| Dsx1 Line Status Change | Extreme Networks proprietary trap. Indicates that the DS1 line status change for the specified interface has been detected. | ExtremeWare 6.1.8b66; Not supported in ExtremeXOS |
| Dsx1 Loss of Master Clock | Extreme Networks proprietary trap. Indicates that the wanDsx1LossOfMasterClock event for the specified interface has been detected. | ExtremeWare 6.1.8b66; Not supported in ExtremeXOS |
| Dsx1 No Loss of Master Clock | Extreme Networks proprietary trap. Indicates that the wanDsx1NoLossOfMasterClock event for the specified interface has been detected. | ExtremeWare 6.1.8b66; Not supported in ExtremeXOS |
| Dsx3 Line Status Change | Extreme Networks proprietary trap. Indicates that the T3 line status change for the specified interface has been detected. | ExtremeWare 6.1.8b66; Not supported in ExtremeXOS |
| Dsx3 Loss of Master Clock | Extreme Networks proprietary trap. Indicates that the wanDsx3LossOfMasterClock event for the specified interface has been detected. | ExtremeWare 6.1.8b66; Not supported in ExtremeXOS |
| Dsx3 No Loss of Master Clock | Extreme Networks proprietary trap. Indicates that the wanDsx3NoLossOfMasterClock event for the specified interface has been detected. | ExtremeWare 6.1.8b66; Not supported in ExtremeXOS |
| EAPS Configuration change | Extreme Networks proprietary trap. Indicates that a change to the EAPS configuration has been detected. | ExtremeXOS |
| EAPS Last status change | Extreme Networks proprietary trap. Indicates that the last EAPS update included a status change. | ExtremeXOS |

Table 32: SNMP Trap Events (continued)


| Event | Definition | ExtremeWare/ExtremeXOS Version |
|---|---|---|
| EAPS Primary or secondary port status change | Extreme Networks proprietary trap. Indicates that the status of the primary or secondary ring port in an EAPS domain has changed. | ExtremeXOS |
| EAPS Root blocker status change | Extreme Networks proprietary trap. Indicates that the EAPS root blocker state has changed. | ExtremeXOS |
| EAPS Fail Timer Expired Flag Cleared | Extreme Networks proprietary trap. Generated when the EAPS domain's fail timer is cleared. | ExtremeXOS 10.1 |
| EAPS Fail Timer Expired Flag Set | Extreme Networks proprietary trap. Generated when the EAPS domain's fail timer expires for the first time, while its state is NOT the failed state. | ExtremeXOS 10.1 |
| EAPS Link Down Ring Complete | Extreme Networks proprietary trap. Indicates that a transit that is in a Link Down state has received a Health-Check-Pdu from the Master indicating that the link is complete. This indicates a problem with the transit switch that has issued this trap. | ExtremeXOS 10.1 |
| EAPS State Change | Extreme Networks proprietary trap. Generated when an EAPS domain has a state change. | ExtremeXOS 10.1 |
| EDP Neighbor Added | Extreme Networks proprietary trap. A new neighbor has been discovered through the Extreme Discovery Protocol (EDP). | ExtremeWare 6.1; ExtremeXOS 10.1 |
| EDP Neighbor Removed | Extreme Networks proprietary trap. No EDP updates have been received from this neighbor within the configured time-out period, and this neighbor entry has been aged out by the device. | ExtremeWare 6.1; ExtremeXOS 10.1 |
| EGPNbrLoss | An EGP neighbor, for which the device is an EGP peer, is down and the peer relationship no longer exists. An Extreme Networks switch never sends out this trap. | None |
| ELRP VLAN Loop Detected | Extreme Networks proprietary trap. Generated when the ELRP client detects a loop in the VLAN. | ExtremeWare 7.3; Not supported in ExtremeXOS |
| ESRP Master Re-election After MSM Failover | Extreme Networks proprietary trap. Indicates this device was elected master when the previous master node failed to resume normal operation within the reelect timeout after performing a hitless MSM failover. | Not supported in ExtremeXOS |
| ESRP State Change | Extreme Networks proprietary trap. Indicates that the ESRP state (master or slave) of a VLAN has changed on the device. | ExtremeWare 6.0; Not supported in ExtremeXOS |
| ESRP State Change for ExtremeXOS | Extreme Networks proprietary trap. Indicates that the ESRP state (master or slave) of a VLAN has changed on the device. | ExtremeXOS |
| Enhanced DOS Threshold Cleared | Extreme Networks proprietary trap. Generated when the DOS threshold is cleared (if enhanced DOS protection is enabled). | ExtremeWare 7.3; Not supported in ExtremeXOS |
| Enhanced DOS Threshold Reached | Extreme Networks proprietary trap. Generated when the DOS threshold is crossed for any of the ports (if enhanced DOS protection is enabled). | ExtremeWare 7.3; Not supported in ExtremeXOS |
| Entity MIB Changed | Indicates a change has been made to a row in a table in the Entity MIB (a row has been added, deleted, or modified). | ExtremeWare 7.3 |

Table 32: SNMP Trap Events (continued)


| Event | Definition | ExtremeWare/ExtremeXOS Version |
|---|---|---|
| Extreme SentriantAG alarm | Extreme Networks proprietary trap. Indicates that a SentriantAG Network Access Control (NAC) device generated an alarm. | ExtremeXOS |
| Extreme SentriantNG alarm | Extreme Networks proprietary trap. Indicates that a SentriantNG network security device generated an alarm. | ExtremeXOS |
| Fan Failed | Extreme Networks proprietary trap. This trap indicates one or more of the cooling fans inside the device has failed. A fan OK trap will be sent once the fan has attained normal operation. This trap is sent repetitively every 30 seconds until all the fans are back to normal condition. | All |
| Fan OK | Extreme Networks proprietary trap. This trap indicates that a fan has transitioned out of a failure state and is now operating correctly. | All |
| Health Check Failed | Extreme Networks proprietary trap. The CPU HealthCheck has failed. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| Id Manager Memory Usage Level Critical | Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a critical level. | ExtremeXOS 12.4 |
| Id Manager Memory Usage Level Normal | Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a normal level. | ExtremeXOS 12.4 |
| Id Manager Memory Usage Level High | Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a high level. | ExtremeXOS 12.4 |
| Id Manager Memory Usage Level Maximum | Extreme Networks proprietary trap. The amount of memory used by the Identity Management feature has reached a maximum level. | ExtremeXOS 12.4 |
| Invalid Login | Extreme Networks proprietary trap. This trap indicates that a user attempted to log in to the console or by Telnet but was refused access due to an incorrect username or password. The trap is issued after three consecutive login failures. | All |
| Link Down | Indicates that a link is transitioning to the down state from a previous active state. | All |
| Link Up | Indicates that a port is transitioning from the down state to another (active) state. | All |
| MAC Address Detected On Locked Port | Extreme Networks proprietary trap. Generated on a port for which lock-learning has been configured, when a new MAC address is learned on that port. | ExtremeWare 7.0 SR1; Not supported in ExtremeXOS |
| MAC Address Detected On Unauthorized Port | Extreme Networks proprietary trap. Generated when a MAC address is learned on a port on which it is not authorized. This happens when the MAC address is statically configured as a 'secure mac' on some other port(s). | ExtremeWare 7.0 SR1; Not supported in ExtremeXOS |
| MAC Address Learning Limit Exceeded | Extreme Networks proprietary trap. Generated when a new MAC address exceeding the limit is learned on a port on which limit-learning has been configured. | ExtremeWare 7.0 SR1; Not supported in ExtremeXOS |
| MSM Failover Occurred | Extreme Networks proprietary trap. An MSM Failover occurred. | ExtremeXOS 10.1 |
| Main Power Usage Off | Indicates the PSE Threshold usage indication is off, and the usage power is below the threshold. At least 500 msec must elapse between notifications being emitted by the same object instance. | ExtremeXOS 11.1 |

Table 32: SNMP Trap Events (continued)


| Event | Definition | ExtremeWare/ExtremeXOS Version |
|---|---|---|
| Main Power Usage On | Indicates the PSE threshold usage indication is on, and the usage power is above the threshold. At least 500 msec must elapse between notifications being emitted by the same object instance. | ExtremeXOS 11.1 |
| Netlogin Authentication Failure | Extreme Networks proprietary trap. Generated upon authentication failure for a netlogin supplicant. | Not supported in ExtremeXOS |
| Netlogin User Login | Extreme Networks proprietary trap. Generated when a netlogin supplicant passes authentication and logs in successfully into the network. | Not supported in ExtremeXOS |
| Netlogin User Logout | Extreme Networks proprietary trap. Generated when an authenticated and logged in netlogin supplicant logs out. | Not supported in ExtremeXOS |
| OSPF Interface Authentication Failure | An ospfIfAuthFailure trap signifies that a packet has been received on a non-virtual interface from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF Interface Config Error | An ospfIfConfigError trap signifies that a packet has been received on a non-virtual interface from a router whose configuration parameters conflict with this router's configuration parameters. Note that the event optionMismatch should cause a trap only if it prevents an adjacency from forming. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF Interface Receive Bad Packet | An ospfIfRxBadPacket trap signifies that an OSPF packet has been received on a non-virtual interface that cannot be parsed. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF Interface State Change | An ospfIfStateChange trap signifies that there has been a change in the state of a non-virtual OSPF interface. This trap should be generated when the interface state regresses (e.g., goes from Dr to Down) or progresses to a terminal state (i.e., Point-to-Point, DR Other, Dr, or Backup). | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF LSDB Approaching Overflow | An ospfLsdbApproachingOverflow trap signifies that the number of LSAs in the router's link-state database has exceeded ninety percent of ospfExtLsdbLimit. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF LSDB Overflow | An ospfLsdbOverflow trap signifies that the number of LSAs in the router's link-state database has exceeded ospfExtLsdbLimit. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF Max_Age LSA | An ospfMaxAgeLsa trap signifies that one of the LSAs in the router's link-state database has aged to MaxAge. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |
| OSPF Neighbor State Change | An ospfNbrStateChange trap signifies that there has been a change in the state of a non-virtual OSPF neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g., 2-Way or Full). When a neighbor transitions from or to Full on non-broadcast multi-access and broadcast networks, the trap should be generated by the designated router. A designated router transitioned to Down will be noted by ospfIfStateChange. | ExtremeWare 6.1.9; ExtremeXOS 10.1 |

Event: OSPF Originate LSA
Definition: An ospfOriginateLsa trap signifies that a new LSA has been originated by this router. This trap should not be invoked for simple refreshes of LSAs (which happens every 30 minutes), but instead will only be invoked when an LSA is (re)originated due to a topology change. Additionally, this trap does not include LSAs that are being flushed because they have reached MaxAge.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF TX_Retransmit
Definition: An ospfTxRetransmit trap signifies that an OSPF packet has been retransmitted on a non-virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF Virtual Interface Authentication Failure
Definition: An ospfVirtIfAuthFailure trap signifies that a packet has been received on a virtual interface from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF Virtual Interface Config Error
Definition: An ospfVirtIfConfigError trap signifies that a packet has been received on a virtual interface from a router whose configuration parameters conflict with this router's configuration parameters. Note that the event optionMismatch should cause a trap only if it prevents an adjacency from forming.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF Virtual Interface Receive Bad Packet
Definition: An ospfVirtIfRxBadPacket trap signifies that an OSPF packet has been received on a virtual interface that cannot be parsed.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF Virtual Interface State Change
Definition: An ospfVirtIfStateChange trap signifies that there has been a change in the state of an OSPF virtual interface. This trap should be generated when the interface state regresses (e.g., goes from Point-to-Point to Down) or progresses to a terminal state (i.e., Point-to-Point).
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF Virtual Interface TX Retransmit
Definition: An ospfVirtIfTxRetransmit trap signifies that an OSPF packet has been retransmitted on a virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: OSPF Virtual Neighbor State Change
Definition: An ospfVirtNbrStateChange trap signifies that there has been a change in the state of an OSPF virtual neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g., Full).
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; ExtremeXOS 10.1

Event: Overheat
Definition: Extreme Networks proprietary trap. Indicates the on board temperature sensor has reported an overheat condition. This indicates the temperature has reached the Overheat threshold. The switch will continue to function until it reaches its shutdown threshold. The system will then shut down until the unit has sufficiently cooled such that operation may begin again. A cold start trap will be issued when the unit has come back on line. This trap is sent repetitively every 30 seconds until the temperature goes back to normal.
ExtremeWare/ExtremeXOS Version: All

Event: Ping Probe Failed
Definition: Generated when a probe failure is detected when the corresponding pingCtlTrapGeneration object is set to probeFailure(0) subject to the value of pingCtlTrapProbeFailureFilter. The object pingCtlTrapProbeFailureFilter can be used to specify the number of successive probe failures that are required before this notification can be generated.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; Not supported in ExtremeXOS

Event: Ping Test Completed
Definition: Generated at the completion of a ping test when the corresponding pingCtlTrapGeneration object is set to testCompletion(4).
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; Not supported in ExtremeXOS

Event: Ping Test Failed
Definition: Generated when a ping test is determined to have failed when the corresponding pingCtlTrapGeneration object is set to testFailure(1). In this instance pingCtlTrapTestFailureFilter should specify the number of probes in a test required to have failed in order to consider the test as failed.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1.9; Not supported in ExtremeXOS

Event: PoE PSU Status Changed
Definition: Extreme Networks proprietary trap. Indicates a change in the PoE PSU for the slot.
ExtremeWare/ExtremeXOS Version: Not supported in ExtremeXOS

Event: Port Diagnostics
Definition: Extreme Networks proprietary trap. Indicates the status of Diagnostics for a port. The status indicates whether Diagnostics for a particular port failed.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Power Supply Failed
Definition: Extreme Networks proprietary trap. This trap indicates that one or more sources of power have failed. Presumably a redundant power supply has taken over. This trap is sent repetitively every 30 seconds until all the power supplies are back to normal condition.
ExtremeWare/ExtremeXOS Version: All

Event: Power Supply OK
Definition: Extreme Networks proprietary trap. This trap indicates that one or more previously bad sources of power have come back to life without causing the device to restart.

Event: Processor State Change Trap
Definition: Extreme Networks proprietary trap. This trap indicates that a failed processor on a module is detected.

Event: Pse Port On/Off
Definition: Indicates a change in the power delivery status of the PSE port (whether the port is delivering power or not). This notification should be sent on every status change except in the searching mode. At least 500 msec must elapse between notifications emitted by the same object instance.

ExtremeWare/ExtremeXOS Version (Power Supply OK, Processor State Change Trap, Pse Port On/Off): ExtremeXOS 11.1; All

Event: Redundant Power Supply Failed
Definition: Extreme Networks proprietary trap. This trap indicates that the attached redundant power supply device is indicating an alarm condition. This trap is sent repetitively every 30 seconds until the redundant power supply is back to normal condition.
ExtremeWare/ExtremeXOS Version: ExtremeWare All; Not supported in EXOS

Event: Redundant Power Supply OK
Definition: Extreme Networks proprietary trap. This trap indicates that the attached redundant power supply device is no longer indicating an alarm condition.
ExtremeWare/ExtremeXOS Version: ExtremeWare All; Not supported in EXOS

Event: SLB Unit Added
Definition: Extreme Networks proprietary trap. Indicates that the server load balancer has activated a group of virtual servers that it normally would not activate. This may be due to the failure of another server load balancer.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1; Not supported in ExtremeXOS

Event: SLB Unit Removed
Definition: Extreme Networks proprietary trap. Indicates that the server load balancer has deactivated a group of virtual servers that it normally has active. This indicates that something is wrong in the server load balancer; for example, its ping check may be failing.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.1; Not supported in ExtremeXOS

Event: STP New Root
Definition: Extreme Networks proprietary trap. Indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.2.2; ExtremeXOS 10.1

Event: STP Topology Change
Definition: Extreme Networks proprietary trap. A topologyChange trap is sent by a bridge when any of its configured ports transitions from the Learning state to the Forwarding state, or from the Forwarding state to the Blocking state. The trap is not sent if a newRoot trap is sent for the same transition.
ExtremeWare/ExtremeXOS Version: ExtremeWare 6.2.2; ExtremeXOS 10.1

Event: Slot Change
Definition: Extreme Networks proprietary trap. This trap indicates that the value of the extremeSlotModuleState for the specified extremeSlotNumber has changed.
ExtremeWare/ExtremeXOS Version: ExtremeWare All; ExtremeXOS 11.1

Event: Smarttrap
Definition: Extreme Networks proprietary trap. This trap indicates that the value of one of the object identifiers (or the value of an object below that in the MIB tree) defined in the extremeSmartTrapRulesTable has changed, and hence a new entry has been created in the extremeSmartTrapInstanceTable. Such a trap is sent at most once every thirty seconds if one or more entries were created in the last thirty seconds.
ExtremeWare/ExtremeXOS Version: All

Event: Stack Member Overheat
Definition: Extreme Networks proprietary trap. Indicates the on board temperature sensor for a stacking member has reported an overheat condition. This indicates the temperature has reached the Overheat threshold.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.4; ExtremeXOS 12.0

Event: Stack Member Status Changed
Definition: Extreme Networks proprietary trap. Generated when the operational status of the stacking member changes.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.4; ExtremeXOS 12.0

Event: Stacking Port Status Changed
Definition: Extreme Networks proprietary trap. Generated when the operational status of the stacking port changes.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.4; ExtremeXOS 12.0

Event: SummitWM Altitude Tunnel Alarm
Definition: Extreme Networks proprietary trap. Indicates that an alarm was generated based on the state of the tunnel connection between a SummitWM device and an Altitude AP.
ExtremeWare/ExtremeXOS Version: ExtremeXOS

Event: SummitWM Log Change
Definition: Extreme Networks proprietary trap. Indicates that the log file on a SummitWM device has changed.
ExtremeWare/ExtremeXOS Version: ExtremeXOS

Event: UPM Profile Execution
Definition: Extreme Networks proprietary trap. Generated when a UPM profile is executed on an Extreme Networks device.
ExtremeWare/ExtremeXOS Version: ExtremeXOS

Event: Warm Start
Definition: Trap indicates that the device has been rebooted without power recycling. An Extreme switch never sends out this trap.
ExtremeWare/ExtremeXOS Version: All

Event: Wireless AP Added
Definition: Extreme Networks proprietary trap. Generated when a new AP is added to the scan results table. Generated only if the value of extremeWirelessScanSendAPAddedTrap is true.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless AP Removed
Definition: Extreme Networks proprietary trap. Generated when an AP is removed from the scan results table. Generated only if the value of extremeWirelessScanSendAPRemovededTrap is true.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless AP Updated
Definition: Extreme Networks proprietary trap. Generated when the IEs recorded for an AP in the scan results table change. Generated only if the value of extremeWirelessScanSendAPUpdatedTrap is true.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Client Netlogin Client Associated
Definition: Extreme Networks proprietary trap. Generated when a client associates to an interface that is web based network login enabled.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Client Station Aged Out
Definition: Extreme Networks proprietary trap. Generated when a client is aged out of the table.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Counter Measure Started
Definition: Extreme Networks proprietary trap. Generated when counter measures are started on a wireless interface.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Counter Measure Stopped
Definition: Extreme Networks proprietary trap. Generated when counter measures are stopped on a wireless interface.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Off Channel Scan Finished
Definition: Extreme Networks proprietary trap. Generated when an off-channel scan finishes running.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Off Channel Scan Started
Definition: Extreme Networks proprietary trap. Generated when an off-channel scan starts running.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Port Boot Failed
Definition: Extreme Networks proprietary trap. Sent by the platform if a wireless port fails to boot too many times.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Port State Changed
Definition: Extreme Networks proprietary trap. Generated when a wireless port moves into enabled, disabled, or online state.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Probe Info Added
Definition: Extreme Networks proprietary trap. Generated when a new station is added to the probe info table. Generated only if the value of extremeWirelessProbeInfoSendAddedTrap is true.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: Wireless Probe Info Removed
Definition: Extreme Networks proprietary trap. Generated when a station is removed from the probe info table. Generated only if the value of extremeWirelessProbeInfoSendRemovedTrap is true.
ExtremeWare/ExtremeXOS Version: ExtremeWare 7.3; Not supported in ExtremeXOS

Event: lldp Remote Table Changed
Definition: A lldpRemTablesChange notification is sent when the value of lldpStatsRemTableLastChangeTime changes. It can be utilized by an NMS to trigger LLDP remote systems table maintenance polls. Note that transmission of lldpRemTablesChange notifications is throttled by the agent, as specified by the 'lldpNotificationInterval' object.
ExtremeWare/ExtremeXOS Version: ExtremeXOS 11.4

Configuring SNMP Trap Events


Several SNMP events require configuration on the switch before they can be used in Ridgeline alarm definitions. If these SNMP events are not configured on the switch, no trap events are generated, and no Ridgeline alarms for those events can occur. The Ping and OSPF traps are examples of this.

To configure the switch to send one of these traps, you must use a tool that allows you to set the value of the appropriate SNMP variable. SNMPc can be used for this. The following information assumes that you have a thorough understanding of SNMP and an appropriate SNMP utility.

For details of the variable settings, see the appropriate MIBs:
Ping MIB: pingmib.mib (RFC 2925)
OSPF v2 MIB: RFC 1850 or RFC 1850t

Table 33: Trap Variable Configuration

Trap: Ping Probe Failed
Variables: Set pingCtlTrapGeneration bit 0 ON to enable trap. Set pingCtlTrapProbeFailureFilter to specify the number of successive probe failures that must occur to generate a Probe Failed trap.

Trap: Ping Test Failed
Variables: Set pingCtlTrapGeneration bit 1 ON to enable trap. Set pingCtlTrapTestFailureFilter to specify the number of successive test failures that must occur to generate a Test Failed trap.

Trap: Ping Test Completed
Variables: Set pingCtlTrapGeneration bit 2 ON to enable the trap.

Trap: OSPF Virtual Interface State Change
Variables: Set ospfSetTrap bit 1 ON

Trap: OSPF Neighbor State Change
Variables: Set ospfSetTrap bit 2 ON

Trap: OSPF Virtual Neighbor State Change
Variables: Set ospfSetTrap bit 3 ON

Trap: OSPF Interface Config Error
Variables: Set ospfSetTrap bit 4 ON

Trap: OSPF Virtual Interface Config Error
Variables: Set ospfSetTrap bit 5 ON

Trap: OSPF Interface Authentication Failure
Variables: Set ospfSetTrap bit 6 ON

Trap: OSPF Virtual Interface Authentication Failure
Variables: Set ospfSetTrap bit 7 ON

Trap: OSPF Interface Receive Bad Packet
Variables: Set ospfSetTrap bit 8 ON

Trap: OSPF Virtual Interface Receive Bad Packet
Variables: Set ospfSetTrap bit 9 ON

Trap: OSPF TX_Retransmit
Variables: Set ospfSetTrap bit 10 ON

Trap: OSPF Virtual Interface TX Retransmit
Variables: Set ospfSetTrap bit 11 ON

Trap: OSPF Originate LSA
Variables: Set ospfSetTrap bit 12 ON

Trap: OSPF Max_Age LSA
Variables: Set ospfSetTrap bit 13 ON

Trap: OSPF LSDB Overflow
Variables: Set ospfSetTrap bit 14 ON

Trap: OSPF LSDB Approaching Overflow
Variables: Set ospfSetTrap bit 15 ON

Trap: OSPF Interface State Change
Variables: Set ospfSetTrap bit 16 ON
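The bit positions in Table 33 turn into concrete octet values as shown here. This is an added example, not part of the Ridgeline guide. It assumes the RFC 1850 encoding of ospfSetTrap (four octets, right-most bit is bit 0) and the SMIv2 BITS encoding of pingCtlTrapGeneration (bit 0 is the high-order bit of the first octet); the function names and the sample selection are hypothetical.

```python
"""Added example: build the SNMP values that Table 33 describes.

Assumptions (taken from the MIB RFCs, not from the Ridgeline guide):
  * ospfSetTrap (RFC 1850) is a four-octet bitmap whose least-significant
    (right-most) bit is bit 0.
  * pingCtlTrapGeneration (RFC 2925) is an SMIv2 BITS value, where bit 0 is
    the most-significant bit of the first octet.
"""

# Bit numbers exactly as listed in Table 33.
OSPF_TRAP_BITS = {
    "OSPF Virtual Interface State Change": 1,
    "OSPF Neighbor State Change": 2,
    "OSPF Virtual Neighbor State Change": 3,
    "OSPF Interface Config Error": 4,
    "OSPF Virtual Interface Config Error": 5,
    "OSPF Interface Authentication Failure": 6,
    "OSPF Virtual Interface Authentication Failure": 7,
    "OSPF Interface Receive Bad Packet": 8,
    "OSPF Virtual Interface Receive Bad Packet": 9,
    "OSPF TX_Retransmit": 10,
    "OSPF Virtual Interface TX Retransmit": 11,
    "OSPF Originate LSA": 12,
    "OSPF Max_Age LSA": 13,
    "OSPF LSDB Overflow": 14,
    "OSPF LSDB Approaching Overflow": 15,
    "OSPF Interface State Change": 16,
}

PING_TRAP_BITS = {
    "Ping Probe Failed": 0,
    "Ping Test Failed": 1,
    "Ping Test Completed": 2,
}

# Constructed sample selection: the traps that report a peer whose
# authentication, configuration or packets do not match this router.
SAMPLE_OSPF_SELECTION = [
    "OSPF Interface Authentication Failure",
    "OSPF Virtual Interface Authentication Failure",
    "OSPF Interface Config Error",
    "OSPF Virtual Interface Config Error",
    "OSPF Interface Receive Bad Packet",
    "OSPF Virtual Interface Receive Bad Packet",
]


def ospf_set_trap(events):
    """Return the four-octet ospfSetTrap value that enables the named traps."""
    mask = 0
    for name in events:
        mask |= 1 << OSPF_TRAP_BITS[name]  # KeyError on a name not in Table 33
    return mask.to_bytes(4, "big")


def ping_trap_generation(events):
    """Return the one-octet BITS value for pingCtlTrapGeneration."""
    octet = 0
    for name in events:
        octet |= 0x80 >> PING_TRAP_BITS[name]  # BITS counts from the high bit
    return bytes([octet])


def decode_ospf_set_trap(value):
    """List the Table 33 trap names enabled in a value read back from a switch."""
    if len(value) != 4:
        raise ValueError("ospfSetTrap must be exactly four octets")
    mask = int.from_bytes(value, "big")
    return [name for name, bit in OSPF_TRAP_BITS.items() if (mask >> bit) & 1]


if __name__ == "__main__":
    print("ospfSetTrap (sample selection):", ospf_set_trap(SAMPLE_OSPF_SELECTION).hex())
    print("ospfSetTrap (all 16 traps):    ", ospf_set_trap(OSPF_TRAP_BITS).hex())
    print("pingCtlTrapGeneration (probe + test failure):",
          ping_trap_generation(["Ping Probe Failed", "Ping Test Failed"]).hex())
```

Reading ospfSetTrap back and passing it to decode_ospf_set_trap confirms which traps a device will actually send before alarms are defined on them.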

RMON Rising and Falling Trap Events


An RMON rising trap indicates that the value of the monitored variable has risen to or above the rising threshold value. RMON rules need to be configured on a device for it to send out this trap. An RMON falling trap indicates that the value of the monitored variable has fallen to or below the falling threshold value. RMON rules need to be configured on a device for it to send out this trap. For more information, see Threshold Configuration.

Ridgeline Events
A Ridgeline event is generated by the Ridgeline server based on the results of its periodic polling. In some cases, a Ridgeline event may result from the same condition that could generate an SNMP or other trap. A Ridgeline event has the advantage that it guarantees that the condition will be detected (by polling) even if the corresponding trap is missed.

Table 34: Ridgeline Events, Detected Through Polling

Event: Configuration Upload Failed
Definition: The Ridgeline server generates this event when it fails to upload configuration information from a device. This event occurs ONLY when the upload is attempted from Ridgeline, not if it was attempted from Telnet, ExtremeWare Vista or any other method.

Event: Configuration Upload OK
Definition: The Ridgeline server generates this event when it successfully uploads configuration from a device. This event occurs ONLY when the upload is done from Ridgeline, not from Telnet, ExtremeWare Vista or any other method.

Event: Device Policy Configuration
Definition: The Ridgeline server generates this event when it encounters a problem configuring policies on a device using ACL and QoS.

Event: Device Reboot
Definition: The Ridgeline server generates this event for a device when it detects a device reboot (cold start or warm start). Unlike the cold start or warm start SNMP trap, Ridgeline generates this event by polling the device.

Event: Device Warning from Ridgeline
Definition: For Extreme Networks devices only. The Ridgeline server generates this event in one of two situations:
If the server detects an infinite loop while walking the device's SNMP MIB (may occur with ExtremeWare 4.1.19b2).
If the device has a bad serial number reported through SNMP (may occur with ExtremeWare 6.2.1 on the BlackDiamond 6816).

Event: Fan Failed
Definition: For Extreme Networks devices only. The Ridgeline server generates this event for an Extreme device when it detects, via polling, a transition from fan OK to fan failed condition on the device. Unlike the SNMP Fan Failed trap event, this event is generated only once, based on a state transition. As an alternative, you can detect a Fan Failed condition by using the SNMP Fan Failed trap, which will be generated every 30 seconds until the condition is corrected.

Event: High Trap Count
Definition: The Ridgeline server generates this event when the number of traps received from managed devices exceeds the threshold set in the Scalability properties page in Ridgeline Administration.

Event: HTTP Reachable
Definition: The Ridgeline server generates this event when the state of communication with the device transitions from unreachable to reachable.

Event: HTTP Unreachable
Definition: The Ridgeline server generates this event when it fails to communicate with a device following a previously successful communication. In other words, this event is generated when the state of communication with the device transitions from reachable to unreachable.

Event: One-Shot Event No Longer Valid
Definition: For Extreme Networks devices only. The Ridgeline server generates this event for an Extreme device when it detects that a one-time ELRP packet transmission is no longer valid for the VLAN on which it was sent.

Event: Overheat
Definition: For Extreme Networks devices only. The Ridgeline server generates this event for an Extreme device when it detects a transition from normal temperature to overheat condition on the device. Unlike the SNMP overheat trap event, this event is based on a state transition, and will be generated only once. As an alternative, you can detect an Overheat condition by using the SNMP Overheat trap, which will be generated every 30 seconds until the condition is corrected.

Event: Power Supply Failed
Definition: For Extreme Networks devices only. The Ridgeline server generates this event if the device reports a power supply failure.

Event: Rogue Access Point Found
Definition: The Ridgeline server generates this event when an access point has been detected that is not in the Safe list.

Event: SNMP Reachable
Definition: The Ridgeline server generates this event when the state of communication with the device transitions from unreachable to reachable.

Event: SNMP Unreachable
Definition: The Ridgeline server generates this event when it fails to communicate with a device following a previously successful communication. In other words, this event is generated when the state of communication with the device transitions from reachable to unreachable.

Event: Stack Member Down
Definition: The Ridgeline server generates this event when it has detected that a stack member is down.

Event: Stacking Link Down
Definition: The Ridgeline server generates this event when it has detected that a stack link is down.

Event: Syslog Flood
Definition: The Ridgeline server generates this event if the server receives syslog messages at a rate that exceeds the user-defined limit set in Ridgeline Administration via the Scalability Properties. For more information, see Server Properties Administration.

D Ridgeline Backup
Ridgeline Log Backups
Backing up the Ridgeline Database
Installing a Backup Database

This appendix:
Describes the Ridgeline Alarm Log and Event Log backup files.
Describes the Ridgeline database backup tool, DBBackupTool.

The backup utility makes a backup copy of all data in the database. Backing up your database regularly ensures that you will not need to re-enter or recreate all the switch, VLAN, Topology, and Alarm information in the event that the database is corrupted or destroyed.

Ridgeline Log Backups


Both the Ridgeline Event Log and Alarm Log files are kept in tables in the Ridgeline database. These tables can contain approximately 50,000 and 12,000 entries, respectively. When the Ridgeline server starts, it checks hourly to determine if either of these logs has reached its maximum size. When one reaches 115% of its maximum, Ridgeline moves the oldest 10% of the entries to a backup file, and clears those entries from the table.

Each primary backup file is in turn backed up to a secondary file when it reaches its maximum size of approximately 30MB for Event_Log.txt and 6MB for Alarm_Log.txt. When the primary file becomes full for the second time, the secondary backup file will be overwritten with the new contents of the primary backup file. If you want to maintain a complete set of log file backups over time, you should save the *_Log.txt and *_Log.old files periodically.

Table 35: Log Files

Log: Alarm log
Primary Backup File Name (Maximum File Size): Alarm_Log.txt (Maximum size = 6MB)
Secondary Backup File Name: Alarm_Log.old

Log: Event log
Primary Backup File Name (Maximum File Size): Event_Log.txt (Maximum size = 30MB)
Secondary Backup File Name: Event_Log.old

Location (both logs):
For Windows: <install_dir>/user, where <install_dir> is the root directory of the Ridgeline install, by default \Program Files\Extreme Networks\Ridgeline4.0.
For Linux: <install_dir>/deploy/user.war, where <install_dir> is the root directory of the Ridgeline install, by default /opt/ExtremeNetworks/Ridgeline4.0.
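Because the secondary file is overwritten on every second fill of the primary, keeping a complete alarm and event history means copying each new generation out before it is lost. The script below is an added example, not a Ridgeline utility; the function names, the archive layout and the SHA256SUMS manifest are assumptions, and only the four file names come from Table 35.

```python
"""Added example: keep every generation of the Ridgeline log backup files.

Run it on a schedule shorter than the time the primary file takes to fill.
The directory arguments are supplied by the caller; nothing here is part of
the Ridgeline product.
"""
import hashlib
import shutil
import time
from pathlib import Path

# File names from Table 35.
LOG_FILES = ("Alarm_Log.txt", "Alarm_Log.old", "Event_Log.txt", "Event_Log.old")
MANIFEST = "SHA256SUMS"  # hypothetical manifest name, sha256sum-compatible


def sha256_of(path):
    """Hash a file in chunks so a 30MB event log is not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_log_backups(user_dir, archive_dir, now=None):
    """Copy each backup file whose content is not yet archived.

    Returns the list of archive paths written by this run. Content is
    identified by SHA-256, so a primary file that has rotated into the
    secondary file unchanged is not stored twice.
    """
    user_dir, archive_dir = Path(user_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest = archive_dir / MANIFEST

    known = set()
    if manifest.exists():
        for line in manifest.read_text().splitlines():
            if line.strip():
                known.add(line.split()[0])

    stamp = time.strftime("%Y%m%dT%H%M%S", time.localtime(now))
    written = []
    for name in LOG_FILES:
        src = user_dir / name
        if not src.is_file():
            continue  # this log has not produced a backup file yet
        digest = sha256_of(src)
        if digest in known:
            continue  # this exact generation is already archived
        dest = archive_dir / f"{stamp}_{digest[:12]}_{name}"
        shutil.copy2(src, dest)
        if sha256_of(dest) != digest:
            # The server wrote to the file during the copy; retry next run.
            dest.unlink()
            continue
        with manifest.open("a") as fh:
            fh.write(f"{digest}  {dest.name}\n")
        known.add(digest)
        written.append(dest)
    return written
```

The manifest can be checked later with `sha256sum -c SHA256SUMS` from inside the archive directory to show that archived logs have not been altered.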

Backing up the Ridgeline Database


Note: Do not stop the Ridgeline server to perform daily backups of the database. This action is not necessary and prevents the alarm and event logs from truncating.

The backup utility makes a backup copy of all data in the database. Access the Backup utility from the MS-DOS or Linux command line using the DBBackupTool.exe file or DBBackupTool, respectively.

To back up the Ridgeline database:

In the command prompt in the following location, enter the command DBBackupTool backup "<backup_folder_name>":
For Windows: <install_dir>\database\bin\
For Linux: <install_dir>/database/bin/
Where <install_dir> is the directory where the Ridgeline software is installed. Substitute the actual directory name in the command.

The backup is created in the location <backup_folder_name>/mm_dd_yy_hh_mm_ss_backup. For example: <Ridgeline_4.0_Installation>/database/backup/09_04_13_13_44_22_backup.

To restore a backup of the database, see Installing a Backup Database.

Installing a Backup Database


1. Follow the instructions for your operating system in the Ridgeline Installation and Upgrade Guide to shut down the Ridgeline software.
2. In the command prompt in the indicated location, enter the command DBBackupTool restore "<backup_folder_name>". For example: DBBackupTool restore "<backup_location>\09_04_13_13_44_22_backup".
For Windows: <install_dir>\database\bin\DBBackupTool.exe
For Linux: <install_dir>/database/bin/DBBackupTool
Where <install_dir> is the directory where the Ridgeline software is installed.
3. Follow the instructions in the Ridgeline Installation and Upgrade Guide for your operating system to restart the Ridgeline software.

E Ridgeline Utilities
Package Debug Info Utility
Resetting the Admin User Password

This appendix describes several utilities, scripts, and commands shipped with the Ridgeline software and installed on the Ridgeline server.

Package Debug Info Utility


The Package Debug Info function collects information about the Ridgeline server that can be used to help debug problems with the server. You run it from the command line (or from the Start Menu in Windows). The utility can be used while the Ridgeline server is running or when it is stopped.

The Package Debug Info command creates a zip file that contains copies of the various log files, properties files, and other server debug information. By default the resulting file is named Ridgeline_debug_info_<timestamp>.zip and is placed in the top-level Ridgeline server installation directory.

To run the Package Debug Info command, go to <Ridgeline_install_dir>/bin and run PackageDebugInfo.exe (PackageDebugInfo.bin in Linux). You can specify a directory and a base file name as arguments to the PackageDebugInfo command:

Use -output-file <FileName> to change the name of the file. (If you specify your own file name, no timestamp is appended.)
Use -output-dir <DirectoryName> to change the name of the directory where the file will be placed.
Use -help for command help.

When the command has finished, a message in the command window indicates where the resulting zip file has been placed (by default, it is placed in the Ridgeline installation directory). The package file is named Ridgeline_Debug_Info_<date>_<time>.zip. For example, a Ridgeline info file created on October 1, 2010 at 3:00 PM is named Ridgeline_Debug_Info_20101001_1500.zip. A log file containing details of the packaging process, PackageDebugInfo.log, is placed in the <Ridgeline_install_dir>/logs directory.

The zip file contains copies of the existing log, property and debug files for the Ridgeline server as well as information the server keeps about any connected clients. This information can help Extreme Networks technical support staff solve problems you are experiencing with your Ridgeline server.

Resetting the Admin User Password


If you have changed the admin user password (see Changing Your Password if You Have Super-User or Administrator Rights) and can't remember it and want to reset it back to the factory default, you can use the Server Setup Utility.

1. On the Ridgeline server computer, click Start > All Programs > Extreme Networks > Ridgeline 4.0 > Server setup utility. The Ridgeline Server Setup Utility dialog box appears (see the following figure).

Figure 357: Ridgeline Server Setup Utility Dialog Box (Settings Tab)

2. Click the "admin" password tab (see the following figure).

Figure 358: Ridgeline Server Setup Utility Dialog Box ("admin" password Tab)

3. Click Reset "admin" password. If Ridgeline is set up as a RADIUS client, this is disabled. Authentication now occurs using the local repository.

F Configuring RADIUS for Ridgeline Authentication

External RADIUS Server Setup
This appendix describes in detail how to set up an external RADIUS server to provide authentication services for Ridgeline users when Ridgeline is configured to act as a RADIUS client.

External RADIUS Server Setup


The following is a step-by-step example using Microsoft Active Directory and Internet Authentication Service. This example also leads you through the process of setting up a VSA for passing role information.

Step 1. Create an Active Directory User Group for Ridgeline Users
Step 2. Associate Users with the Ridgeline Group
Step 3. Enable Ridgeline as a RADIUS Client
Step 4. Create a Remote Access Policy for Ridgeline Users
Step 5. Edit the Remote Access Policy to add a VSA
Step 6. Configure Ridgeline as a RADIUS Client

Step 1. Create an Active Directory User Group for Ridgeline Users


Within Active Directory, create one or more user groups. If you have multiple roles within Ridgeline, and you want to authenticate users for any of those roles, you need a group for each Ridgeline role.

1. To add a group, select the appropriate domain under Active Directory Users and Computers, click Users, and then click New > Group (see the following figure).

Figure 359: Adding a Group

2. Type the same group name in each of the two Group Name boxes.
3. Under Group scope, click Global.
4. Under Group type, click Security.
5. Click OK.
6. If you want to authenticate Ridgeline users with more than one role, repeat these steps to create a group that corresponds to each Ridgeline role you use. For example, if you want to authenticate users with an Admin role and users with a Monitor role, you would create a group for each role type such as NMS-Admin and NMS-Monitor.

Go to Step 2. Associate Users with the Ridgeline Group.

Step 2. Associate Users with the Ridgeline Group


If necessary, create one or more new users:

1. To add a new user, click Users, and then click New > User.

Associate each user with the appropriate Ridgeline-related group, based on the role you want that user to have within Ridgeline.

2. In the Users list, right-click a user name. The user's Properties dialog box appears (see the following figure).

Figure 360: The Properties Dialog Box for a User Name

3. Click the Member Of tab, and then click Add (see the following figure).

Figure 361: The Member Of Tab

4. In the Enter the object names to select box, type the name of the Ridgeline-related group this user should be associated with (see the following figure). Click OK to continue.

Figure 362: Adding a Group for the User

5. Click the Dial-in tab, and then click Allow access and No Callback (see the following figure). Click OK to continue.

Figure 363: The Dial-in Tab Configuration

Go to Step 3. Enable Ridgeline as a RADIUS Client.

Step 3. Enable Ridgeline as a RADIUS Client


Within the Internet Authentication Service, enable Ridgeline as a RADIUS client.

1. Under the Internet Authentication Service, click RADIUS Clients, and then click New > RADIUS Client.
2. Type a name for the RADIUS client in the Friendly name box, and type the IP address or host name of the Ridgeline server in the Client address box (see the following figure).

Figure 364: Adding a RADIUS Client to IAS

3. Click Next to continue.
4. From the Client-Vendor list, select RADIUS Standard, and type the shared secret in the Shared Secret and Confirm shared secret boxes (see the following figure). You must use this same shared secret when you configure Ridgeline as a RADIUS client.

Figure 365: Setting the shared secret for a RADIUS client

5. Click Finish. The new Ridgeline client appears in the list of RADIUS Clients under the Internet Authentication Service (see the following figure).

Figure 366: Verify the RADIUS client in IAS

Go to Step 4. Create a Remote Access Policy for Ridgeline Users.

Step 4. Create a Remote Access Policy for Ridgeline Users


Create a Microsoft Internet Authentication Remote Access Policy for each type of Ridgeline role that you plan to use within Ridgeline. For each different role (predefined roles such as Admin or Manager, or user-defined roles) a Remote Access Policy is needed, configured with the role information that must be transmitted to Ridgeline along with the user's authentication status.

To create a Remote Access Policy:

1 Under the Internet Authentication Service, right-click the Remote Access Policies folder, and then click New > Remote Access Policy. The New Remote Access Policy wizard starts.
2 Click New to continue.
3 Type a name in the Policy name box (see the following figure). If you need to create multiple policies, each must have a unique name, such as NMS-Admin and NMS-Monitor.
4 Click Next.

Figure 367: Configuring a Remote Access Policy

5 To configure the access method, click Ethernet, then click Next to continue (see the following figure).

Figure 368: Selecting the Access Method for Network Access

The User or Group Access dialog box appears (see the following figure). This is where you associate a group with this policy.

Figure 369: The User or Group Access selection

6 Click Group, then click Add.... The Select Groups dialog box appears (see the following figure).

Figure 370: The Select Groups Window

7 Click Locations. The Locations dialog box appears (see the following figure).

Figure 371: The Locations Window

8 Select the appropriate domain (the ebcdemo.com domain in this example) where your Ridgeline groups were created. Click OK to continue. This returns you to the Select Groups dialog box, with the selected domain displayed (see the following figure).

Figure 372: The Select Groups Window after Setting the Location

9 Type the name of the group that you want to associate with this remote access policy. Click OK to continue. The User or Group Access dialog box reappears (see the following figure), with the domain and group you specified shown in the Group name list.

Figure 373: The User or Group Access Window after Selecting the Domain and Group

10 Click Next to continue.
11 Select the Authentication Method to be used (see the following figure). From the Type list, select MD5-Challenge, and then click Next.

Figure 374: Setting the Authentication Method for the Policy

12 Click Finish in the final dialog box to complete your configuration of the remote access policy.

Go to Step 5. Edit the Remote Access Policy to add a VSA on page 565.

Step 5. Edit the Remote Access Policy to add a VSA


Edit each new Remote Access Policy to add a Vendor Specific Attribute (VSA) or to set the Service Type attribute value. If you are using just the standard Ridgeline built-in roles (Super-User, Admin, Manager, Monitor), you can simply set the Service Type attribute. If you have added administrator roles in Ridgeline and want to authorize users with those roles, create a VSA to pass the role information to Ridgeline. This example shows how to create a VSA to pass role information.

To create a VSA:

1 Select the Remote Access Policy you want to edit. Right-click the policy name (see the following figure), and then click Properties.

Figure 375: Selecting a Remote Access Policy to Edit

The Properties dialog box appears (see the following figure).

Figure 376: The Properties Dialog Box for a Remote Access Policy

2 Remove the NAS-Port-Type matches Ethernet policy: click NAS-Port-Type matches Ethernet, and then click Remove.
3 Click Windows-Group matches EBCDEMO\Ridgeline policy, and then click Edit Profile. The Edit Dial-in Profile dialog box appears (see the following figure).

Figure 377: The Edit Dial-in Profile Window, Authentication Tab

4 Click the Authentication tab, and then click Unencrypted authentication (PAP, SPAP).
5 Click EAPS Methods. The Select EAPS Providers dialog box appears (see the following figure).

Figure 378: The Select EAPS Providers Dialog Box

6 Remove the MD5-Challenge method: click MD5-Challenge, and then click Remove.
7 Click OK. This returns you to the Edit Dial-in Profile dialog box.
8 Click the Advanced tab, and then click Add. The Add Attribute dialog box appears (see the following figure).

Figure 379: The Add Attribute Dialog Box

9 Click Vendor-Specific, and then click Add. The Multivalued Attribute Information dialog box appears (see the following figure).

Figure 380: The Multivalued Attribute Information Window

10 Click Add. The Vendor-Specific Attribute Information dialog box appears. This is where you add the Ridgeline VSA settings.

Figure 381: The Vendor-Specific Attribute Information Window

11 Click Enter Vendor Code, and then type 1916 as the vendor code.
12 Click Yes. It conforms.
13 Click Configure Attribute. The Configure VSA dialog box appears (see the following figure).

Figure 382: Configuring the VSA

14 Type 210 in the Vendor-assigned attribute number box.
15 In the Attribute format list, select String.
16 In the Attribute value box, type an attribute value that matches one of the Ridgeline role names: either a predefined role name, such as Administrator or Monitor, or a user-defined role name. If the attribute value does not match a role, the user defaults to the Monitor role only. To find the Ridgeline roles, in the navigation pane click Ridgeline Users And Servers, and then click Open Roles tab (see Role Administration on page 344).
17 Click OK to continue.
18 The new attribute appears in the Multivalued Attribute Information window as Vendor code: 1916 with the value set to the role name you entered (Administrator in this example).

19 Click OK to continue.
20 In the Edit Dial-in Profile dialog box, click OK again. A warning appears (see the following figure). Click No.

Figure 383: Warning after editing the Remote Access Policy profile

The VSA is now configured for this remote access policy.

Go to Step 6. Configure Ridgeline as a RADIUS Client on page 570.

Step 6. Configure Ridgeline as a RADIUS Client


Once Ridgeline is configured in IAS as a RADIUS client, you must configure it as a RADIUS client through Ridgeline Administration.

1 In the navigation pane, click Ridgeline Users And Servers, and then click Open RADIUS tab (see the following figure).

Figure 384: RADIUS Administration Window

2 Click Enable system as a RADIUS client.
3 Under Primary RADIUS Server, enter the host name or IP address of your RADIUS server in the Name/Address box.
4 Enter the RADIUS server port in the Port box.
5 In the Secret box, enter the shared secret you used when you set Ridgeline as a RADIUS client in IAS.
6 If you have a secondary RADIUS server, enter that information under Secondary RADIUS Server as well.
7 Click Apply to have this take effect.
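The following added example (not taken from the guide and not Extreme Networks code) shows what Steps 3 to 6 put on the wire: an Access-Accept whose Response Authenticator depends on the shared secret, carrying the role as a String VSA with vendor code 1916 and attribute number 210. It assumes the standard RFC 2865 packet and VSA layout; the function names, the sample secret, and the sample role list are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26         # RADIUS attribute type that carries VSAs
VENDOR_CODE = 1916           # vendor code typed in step 11
ROLE_ATTRIBUTE = 210         # vendor-assigned attribute number from step 14
FALLBACK_ROLE = "Monitor"    # role the guide gives for an unmatched value

# Constructed sample values, not from the guide.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
KNOWN_ROLES = {"Administrator", "Monitor", "NOC-Operators"}


def encode_role_vsa(role):
    """Encode the String-format VSA that Step 5 configures in IAS."""
    value = role.encode("utf-8")
    sub = struct.pack("!BB", ROLE_ATTRIBUTE, len(value) + 2) + value
    body = struct.pack("!I", VENDOR_CODE) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def build_access_accept(identifier, request_auth, secret, attributes):
    """Server side: Access-Accept with a valid Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def iter_tlvs(data):
    """Yield (type, value) pairs, rejecting lengths that overrun the buffer."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of bounds")
        yield kind, data[pos + 2:pos + length]
        pos += length


def role_from_access_accept(packet, request_auth, secret, known_roles):
    """Client side: verify the reply, then map the 1916/210 VSA to a role.

    Returns None when the VSA is absent; the guide covers that case with the
    Service Type attribute, which this sketch does not model.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attributes = packet[20:length]
    # A reply built with a different shared secret fails here, which is why
    # the secret in IAS (Step 3) and in Ridgeline (Step 6) must be identical.
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    for kind, value in iter_tlvs(attributes):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CODE:
            continue
        for sub_kind, sub_value in iter_tlvs(value[4:]):
            if sub_kind == ROLE_ATTRIBUTE:
                role = sub_value.decode("utf-8", errors="replace")
                return role if role in known_roles else FALLBACK_ROLE
    return None


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTH, SECRET, encode_role_vsa("Administrator"))
    print(role_from_access_accept(reply, REQUEST_AUTH, SECRET, KNOWN_ROLES))
```

A misspelled role name in the Attribute value box still authenticates the user but lands them in Monitor, so a silent downgrade in the role list is worth checking against the policy before suspecting the shared secret.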

G Troubleshooting
Troubleshooting Aids
About Ridgeline Window
Enabling the Java Console
Ridgeline Client Issues
Ridgeline Database
Ridgeline Server Issues
VLAN Management
Alarm System
Ridgeline Inventory
Printing
Reports
Configuration Manager

This appendix describes how to resolve problems you may encounter with Ridgeline.

Troubleshooting Aids
If you are having problems with Ridgeline, there are several things you can do to help prevent or diagnose problems.

One of the first things you should do is run the Package Debug Info command. This command packages the various log, property, syslog and other debugging information files and archives them into a zip file. You can e-mail this file to Extreme Networks Technical Support to provide them with detailed information on the state of the Ridgeline server. You can run this command while the server is running, or while the server is stopped.

To run the Package Debug Info command, go to <Ridgeline_install_dir>/bin and run (double-click) PackageDebugInfo.exe (PackageDebugInfo.bin in Linux); or click Start > All Programs > Extreme Networks > Ridgeline 4.0 > Package debug Info. In this case, a DOS window appears that displays the progress of the commands as they are executed.

For more information about using this command, see Package Debug Info Utility.

About Ridgeline Window


At any time while logged in to Ridgeline, you can capture debugging information by going to the About Ridgeline window:

In Ridgeline, click Help > About Ridgeline, and then click Details.

You can then copy and paste the output information into a text file to send to Extreme Networks Technical Support.

Enabling the Java Console


To facilitate problem diagnosis, you can attempt to duplicate the problem with the Java Console enabled. To enable the Java Console on a Windows system:

1 Go to the Windows Control Panel.
2 Click the Java icon to start the Java Control Panel.
3 Click the Advanced tab.
4 Expand the Java console setting.
5 Click Show console.
6 Click Apply.

On Linux systems, start the Java Control Panel (run ControlPanel, located at <JAVA_INSTALL_DIR>/jre/bin) and follow the procedure above.

The next time you start the Ridgeline client, the Java Console starts automatically.

Note: Running with the Java Console displayed may reduce the performance of the Ridgeline client. There is limited space for Java Console messages; once the console log file is filled, no more messages are recorded. If you are trying to duplicate a problem, clear the Java Console log file periodically by clicking the Clear button at the bottom of the window.

You can close the Java Console by clicking the Close button at the bottom of the window. However, once it is closed, it can only be restarted by closing and restarting the browser.

Ridgeline Client Issues


Problem: Client stops responding during a procedure that adds, deletes, modifies, or updates devices.

It is recommended that you select 50 or fewer devices at a time when adding, deleting, modifying, or updating devices. To recover, use Task Manager to exit the client, if necessary, and then restart the client. If the operation that you were performing failed, perform the operation again, selecting 50 or fewer devices at a time.

Problem: Unable to connect to the Ridgeline server.

Verify that the Ridgeline Server process is running. Verify that the server is running on the specified port. If the server is running and you are using the correct port, the Ridgeline Welcome page appears.

If you are running Ridgeline on Windows and connecting to Ridgeline from the same system as the Ridgeline server, you can also use the server setup utility to determine the port on which the Ridgeline server is running. Click Start > All Programs > Extreme Networks > Ridgeline 4.0 > Server setup utility. The Ridgeline's HTTP port box shows the current server port.

Problem: Colors in client interface are incorrect (Windows 2003, Windows XP).

The Color Palette must be set for 65536 colors (or True Color). If your display is set for only 256 colors, the colors in Ridgeline may be incorrect. To change the color palette:

- Click Start, and then Control Panel.
- Double-click the Display icon in the Control Panel.
- Click the Settings tab.
- In the Color quality list, click the appropriate setting.

Problem: Browser does not display the Ridgeline Welcome page.

Verify the version of the browser you are using. See the system requirements in the Ridgeline Installation and Upgrade Guide or the Ridgeline Release Notes shipped with the software.

Problem: Browser client software starts and allows you to log on, but data is missing or other problems occur.

Remove the Ridgeline application from the Java Cache.

1 In Windows, click Start, and then click Control Panel.
2 Double-click the Java Control Panel icon. If it is not visible, type Java Control Panel in the search box.
3 On the General tab, under Temporary Internet Files, click View.
4 Select the Ridgeline application in the list and delete it.
5 Click Close.
6 Click OK.

Ridgeline Database
Problem: Database server does not restart after incorrect shutdown

If the Ridgeline server is shut down incorrectly, the database may be left in an invalid state. In this case, an Assertion failed error may occur when attempting to restart the server. To recover the database, see Installing a Backup Database on page 550.

Ridgeline Server Issues


Problem: Cannot communicate with a specific switch

- Verify that the switch is running ExtremeWare software version 6.2 or later.

- Ping the switch's IP address to verify availability of a route. Use the ping command from a MS DOS or Linux command shell.
- If the switch is using SNMPv1, verify that the read and write community strings used in Ridgeline match those configured on the switch.
- If the switch is using SNMPv3, verify that the SNMPv3 parameters configured in Ridgeline match those on the switch.

Problem: Need to change SNMP polling interval, SNMP request time-out, or number of SNMP request retries

You can change the default values for the SNMP polling interval, the SNMP request time-out, or the number of SNMP request retries, through the Ridgeline Administration Server Properties page. For more information about modifying these properties, see SNMP Properties. For instructions on stopping and starting the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.

Problem: Need to change the Telnet or HTTP port numbers used to communicate with managed devices

You can change the port numbers for all managed switches through the Ridgeline Administration Server Properties page (see Device Properties).

Problem: Telnet polling messages can fill up a device's syslog file

The Ridgeline server uses Telnet polling to retrieve certain switch information such as Netlogins, FDB data (if FDB polling is enabled) and power supply information. By default, Ridgeline does status polls every five minutes and detailed polls once every 90 minutes. Each Telnet login and logout message is logged to the switch's log file, and eventually fills up the log.

In addition, in some cases Ridgeline needs to disable CLI paging so the poller can retrieve the full results of some CLI commands. An entry is created in the switch log for each disable clipaging command, which can also contribute to filling up the log.

There are several things you can do to alleviate this problem:

- Periodically clear the switch's log file using the ExtremeXOS CLI clear log command. Telnet login and logout messages are Informational level messages.
- Disable device Telnet polling by clearing the Poll Devices Using Telnet property in the Devices list on the Server Properties page of Ridgeline Administration (see Device Properties). However, if you do this, Ridgeline will not be able to do edge port polling through the MAC Address Poller, and will not be able to get Netlogin information, or Alpine power supply IDs.
- Increase the polling interval for all Ridgeline polling by changing the value of the SNMP Poll Interval property in the SNMP properties list of the Ridgeline Administration feature (see SNMP Properties). Note that this changes the interval for all SNMP polling as well as Telnet polling.
- You can set up event filtering to exclude logon/logout events or clipaging enable/disable events from the log.

With ExtremeXOS 11.2 and later you can set up filters to suppress the log entries generated by Ridgeline logon and logout of the switch. Use of these filters is based on the assumption that one can trust a logon from the system on which Ridgeline is installed, and from the account Ridgeline uses to log on to the device.

To set up this filter you use the following four commands, where <EPIC_account> is the account name used by Ridgeline to log in to the switch, and <EPIC_ip_addr> is the IP address of the system where the Ridgeline server is installed:

configure log filter DefaultFilter add exclude event aaa.authPass strict-match string <EPIC_account>
configure log filter DefaultFilter add exclude event aaa.authPass strict-match string <EPIC_ip_addr>
configure log filter DefaultFilter add exclude event aaa.logout strict-match string <EPIC_account>
configure log filter DefaultFilter add exclude event aaa.logout strict-match string <EPIC_ip_addr>

For example, to set up the filter for a Ridgeline server with IP address 10.255.48.40, and using account name admin to log on to the switch, you enter the following:

configure log filter DefaultFilter add exclude event aaa.authPass strict-match string admin
configure log filter DefaultFilter add exclude event aaa.authPass strict-match string 10.255.48.40
configure log filter DefaultFilter add exclude event aaa.logout strict-match string admin
configure log filter DefaultFilter add exclude event aaa.logout strict-match string 10.255.48.40

You can also create a filter to exclude the clipaging commands from the log. An example of such a command in ExtremeWare 7.3.3 or ExtremeWare 7.5 is:

configure log filter DefaultFilter add exclude events All match string <EPIC_ip_addr> <EPIC_account>: disable clipaging session

For example, to set up the filter for a Ridgeline server with IP address 10.255.48.40, and using account name admin to log on to the switch, you enter the following:

configure log filter DefaultFilter add exclude events All match string 10.255.48.40 admin: disable clipaging session

Problem: Traps may be dropped during a trap storm

The Ridgeline server limits its processing of traps to be able to reliably handle trap storms from a single or multiple devices. Ridgeline limits its trap processing to 20 traps every 28 seconds from an individual device, and a total of 275 traps every 55 seconds system-wide. Any traps that occur beyond these limits are discarded, but are noted in the epicenter_server.log file.

Exceeding the first limit (>20 traps in 28 seconds) is rare, and should be considered abnormal behavior in the managed device. If you are managing a large number of devices, you may reach the total (275) limit in normal circumstances. If you are managing more than 1,000 devices, it is recommended that you increase the total number of traps to 500.
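The following added example (not Ridgeline code) models the two trap limits above so you can replay a list of trap timestamps and see which limit discards them. It assumes fixed, non-overlapping windows counted from time zero and that a trap rejected at the per-device limit does not count toward the system-wide total; the guide does not specify either detail, and the workload and device names are constructed.

```python
from collections import Counter, defaultdict

# Limits stated in the guide.
PER_DEVICE_LIMIT, PER_DEVICE_WINDOW = 20, 28   # traps per 28 s from one device
SYSTEM_LIMIT, SYSTEM_WINDOW = 275, 55          # traps per 55 s system-wide


class TrapLimiter:
    """Two-tier limiter: per-device check first, then the system-wide check."""

    def __init__(self, device_limit=PER_DEVICE_LIMIT, system_limit=SYSTEM_LIMIT):
        self.device_limit = device_limit
        self.system_limit = system_limit
        self.device_counts = defaultdict(int)   # (device, window index) -> accepted
        self.system_counts = defaultdict(int)   # window index -> accepted

    def offer(self, device, t):
        """Classify one trap as 'accepted', 'device_limit' or 'system_limit'."""
        device_key = (device, int(t // PER_DEVICE_WINDOW))
        system_key = int(t // SYSTEM_WINDOW)
        if self.device_counts[device_key] >= self.device_limit:
            return "device_limit"
        if self.system_counts[system_key] >= self.system_limit:
            return "system_limit"
        self.device_counts[device_key] += 1
        self.system_counts[system_key] += 1
        return "accepted"


def replay(events, system_limit=SYSTEM_LIMIT):
    """Replay (timestamp_seconds, device) pairs and count each outcome."""
    limiter = TrapLimiter(system_limit=system_limit)
    return Counter(limiter.offer(device, t) for t, device in sorted(events))


def constructed_workload():
    """Constructed sample: a site-wide event plus one misbehaving device."""
    # 400 devices each send a single trap within 40 seconds.
    events = [(i * 0.1, "sw-%03d" % i) for i in range(400)]
    # Later, one device sends 30 traps in about 9 seconds.
    events += [(112 + k * 0.3, "sw-noisy") for k in range(30)]
    return events


if __name__ == "__main__":
    for limit in (275, 500):
        print(limit, dict(replay(constructed_workload(), system_limit=limit)))
```

In this workload no single device in the first burst is abnormal, yet 125 traps are discarded at the default system-wide limit; raising it to 500 keeps them, while the noisy device is still capped at 20.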

The trap processing limits can be changed through server properties in the Ridgeline Administration feature (see Scalability Properties).

Problem: Ridgeline is not receiving traps

If the IP address of a Ridgeline host is changed via DHCP while Ridgeline is running, the system does not receive traps. To fix the problem, you can do a manual sync on all devices, or restart the Ridgeline server.

Problem: On a Windows system with multiple NICs, Ridgeline may not receive traps or be able to upload or download configuration files or images

In Windows, in an environment with multiple NICs, the IP address that Ridgeline gets as the primary IP address is determined by the order in which the network connection is listed in the Adapters and Bindings tab in Advanced Settings, and may not be the NIC that is actually connected to the management network. There is no guarantee that the primary IP address that gets registered as a trap receiver on a switch is the IP address of the NIC that Ridgeline actually uses to communicate.

You may be able to work around this by changing the order of the IP addresses in the Adapters and Bindings tab to select the primary IP address for Ridgeline to use:

1 Click Start and then click Control Panel.
2 Double-click Network Connections.
3 Click Advanced > Advanced Settings. The Advanced Settings dialog box appears.
4 Click the Adapters and Bindings tab, which shows the connections listed in order.
5 Select the connection you want Ridgeline to use, use the up and down arrow buttons at the right to move it to the top of the list, and then click OK.
6 Restart the Ridgeline server.

VLAN Management
Problem: Multiple VLANs have the same name.

A VLAN is defined by the name, its tag value, and its protocol filter definition. Ridgeline allows multiple VLANs of the same name if one of the defining characteristics of one VLAN is different from the other.

Problem: Multiple protocols have the same name.

Ridgeline allows multiple protocols of the same name if one of the defining characteristics of one protocol is different from the other.

Problem: Can only access one of the IP addresses on a VLAN configured with a secondary IP address.

Ridgeline does not currently support secondary IP addressing for a VLAN.

Alarm System
Problem: Device is in a fault state that should generate a trap or syslog message, and an alarm is defined to detect it, but the alarm does not appear in the Ridgeline Alarm Manager.

There are several possible reasons this can occur. Check the following:

- Make sure that the alarm is defined and enabled.
- Check that the device is in the alarm scope.
- Check that SNMP traps are enabled on the device.
- For a non-Extreme device, make sure you have set Ridgeline as a trap receiver on the device (see Setting Ridgeline as a Trap Receiver on page 514).
- For an RMON alarm, make sure you have RMON enabled on the device.
- For Syslog messages, make sure that you have the Ridgeline Syslog server enabled, and that remote logging is enabled on the device with Ridgeline set as a Syslog receiver.
- The number of traps received by the Ridgeline server may exceed the number of traps it can handle in a given time period, resulting in some traps being dropped (see Ridgeline Server Issues on page 573). You can change the limits for the number of traps the server should accept (per minute and per 1/2 minute) in the Ridgeline Administration feature (see SNMP Properties).

Problem: A program specified as an action for an alarm (in the "Run this program, using these system variables as parameters" box) does not get executed. It includes output to the desktop among its functions.

You must specifically allow output to the desktop (see Configuring the Ridgeline Server to Allow Output to the Desktop on page 577). To specify a batch file that outputs to the desktop, you must specify the .bat file within a DOS cmd command:

cmd /c start <file.bat>

where <file.bat> is the batch file you want to run.

Problem: E-mail alarm actions generate too much text for a text pager.

You can use the Send a short email to this address check box to send an abbreviated message appropriate for a text pager or cell phone. The short email provides only very basic alarm information. For more information about using the email options as an alarm action, see Defining Alarm Profiles on page 262.

Configuring the Ridgeline Server to Allow Output to the Desktop


If a program specified as an action for an alarm (in the Run this program, using these system variables as parameters box) includes output to the desktop among its functions, you need to configure the Ridgeline server to allow this.

Note: Configuring the Ridgeline server requires starting and stopping the server. For detailed information about how to start/stop the Ridgeline server, see the Ridgeline Installation and Upgrade Guide.

1 Stop the Ridgeline server.
2 After the Ridgeline server has stopped, right-click the server, and then click Properties. The Ridgeline 4.0 Server Properties dialog box appears.
3 Click the Log On tab.

4 Click Local System account.
5 Click the Allow service to interact with desktop check box.
6 Click OK.
7 Restart the Ridgeline server.

Ridgeline Inventory
Problem: Multiple switches have the same name.

This is because the sysName of those switches is the same. Typically, Extreme Networks switches are shipped with the sysName set to the type of the switch: Summit48, Summit1i, Alpine3808, etc., depending on the type of switch. You can change the way names appear through the Device Tree UI property in the Ridgeline Administration feature (see Other Properties). You can display devices by name or by IP address and name.

Problem: Discovery does not display the MAC address for some devices in discovery results list. In addition, the device is not added to the inventory (primarily happens with workstations).

If the MAC address is not found in the first instance of ifPhysAddress, it is not displayed in the discovery results table. However, when the device is selected to be added to the Ridgeline inventory, Ridgeline searches all the ifPhysAddress entries for the device, and uses the MAC address found in this manner. If no MAC address is found in any ifPhysAddress entry, the device is not added to the Ridgeline database.

Problem: Receiving an SNMP not responding error when attempting to add a switch to Ridgeline after rebooting the switch.

If a switch has recently been powered on, it may take some time (several minutes) before the device is completely initialized. This is especially true of chassis devices with many blades, or devices with a large number of VLANs configured on the device. If the device has not completed its initialization, Ridgeline may return an error when adding the device. Wait until the device has finished initializing and try adding it again.

Problem: The Device Inventory panel shows incorrect information, and the device image is not displayed correctly.

This can be caused by a device IP address that is in conflict with another device on the network (a duplicate IP address). Remove the problem device from the Ridgeline inventory, and add it in again with the correct IP address.

Printing
Problem: When printing a topology map from the browser client, or printing a report, the browser can appear to freeze.

Printing a report or a topology map can cause the browser utilization to become very high (approaching 100%) and can spool a very large amount of memory. There is no current solution other than to wait, and the process will eventually finish.

Reports
Problem: After viewing reports, a newly added user-defined report does not appear in the list of reports on the main reports page.

The Reports page updates the list of reports when the page is loaded. To update the list, refresh the browser page.

Problem: Reports cannot be started.

Due to a problem with Windows, sometimes reports cannot be started from the Ridgeline client. To work around this problem, you can either set your browser home page to blank, or you can run the Reports feature directly from the browser:

1 Enter the following URL of the Ridgeline server in the browser: http://<host>:<port>/
  In the URL, replace <host> with the name of the system where the Ridgeline server is running. Replace <port> with the TCP port number that you assigned to the Ridgeline server during installation. Do not use localhost as the <host>.
2 On the Ridgeline Welcome page, click Log on to Reports only.
3 Type your logon credentials into the Username and Password boxes.

Configuration Manager
Problem: Failed to connect to device communicator session message appears when attempting to deploy a configuration to a managed device.

This error message appears when Ridgeline cannot gain Telnet/SSH access to the device with the username/password it has been configured to use:

- In the navigation pane, click Main View or the device group with the desired device in it.
- Select the device in the devices table by selecting its check box.
- Click Device > Modify Communications Settings. The Modify Communications Settings dialog box appears.
- On the Basic Information tab, check entries in the Device Login and Device Password boxes to ensure that they match what is actually configured on the device.
