Intro To VOSS & Fabric v0.2
Stéphane Grosjean
Principal SE, EMEA Southern, France
1 Disclaimer
1.1 References
2 Introduction
2.1 Network Diagram
2.2 Basic Settings
2.2.1 Access to the Switch
2.2.2 Setting an IP address
2.2.3 Setting a Default Route
2.2.4 Shut/No Shut of a Port
2.2.5 Setting the SysName
2.2.6 Enabling IP Management Access
2.2.7 Save the Config
2.2.8 Reset to Factory Default a Switch
2.2.9 Create a VLAN
2.2.10 Adding/Removing ports to a VLAN
2.2.11 Tagging Ports on VLANs
2.2.12 Displaying the Configuration
2.2.13 Time and Timezones
2.2.14 Changing Password
2.2.15 SNMP Configuration
2.2.16 Software Upgrade
2.2.17 Installing a License
2.2.18 Web Server
2.3 Connecting an EXOS switch to a VOSS switch
1 Disclaimer
This document is internal only and shouldn’t be used externally by any means. This is not an
official document from Extreme Networks and cannot be used to validate any design, feature or
scalability. This is an informational document only.
1.1 References
The following documents were used extensively in the preparation of this document:
2 Introduction
This document is intended for SEs with no experience of VSP platforms, VOSS or
Fabric Connect. Its goal is to give a quick and easy view of how to perform basic
configurations on a VSP, then set up a simple Extreme Fabric Connect network and finally
preview Fabric Attach in EXOS.
This document uses the following products: three VSP 4450, one X440-G2 and one
X460-G2. They are interconnected in a daisy-chain fashion.
For the purpose of this document, the three VSP 4450 are running VOSS 6.1.50.0, the X460-G2 is
running EXOS 22.3.1.4-patch1-4 and the X440-G2 is running EXOS 22.4.0.35, to demo the future
Fabric Attach feature.
Let’s describe how to access and configure some basic parameters using the VOSS CLI.
Default credentials are either rw/rw or rwa/rwa, depending on the privilege you need. Both
grant read-write access, but rwa also allows modification of the security configuration. There are
several other logon credentials (ro, l1, l2, l3) with more limited privileges.
You can connect to the console using a standard cable, similar to those used for EXOS products,
with the usual settings 9600 8N1.
Please note that the first time you connect to a VSP, you’ll need console access, as telnet, web and
ssh are disabled by default.
Login: rwa
Password: ***
If you connect in console before booting up the switch, you will see a lot of interesting hardware
information during the boot.
By default, all ports are members of VLAN 1 (default) and are shut down. Depending on the platform,
a dedicated management port may be available. As an example, the VSP 4450 has no dedicated
management port.
To configure an IP address, we need to enter configuration mode, in a way similar to Cisco’s
IOS.
VSP4K02_BB:1>en
VSP4K02_BB:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
VSP4K02_BB:1(config)#
We’ll start by setting an IP address on the default VLAN, as we’ll use it for our management
access.
VSP4K02_BB:1(config)#interface vlan 1
VSP4K02_BB:1(config-if)#ip address 192.168.254.112/24
VSP4K02_BB:1(config-if)#exit
Configuring a static route needs to be done in two commands: one to set the weight / preference
of the route and one to enable it.
If the route is Up, you can see it in the routing table, otherwise you need to specifically display
the static routes configured (show ip route static).
VSP4K02_BB:1(config-if)#show ip route
=====================================================================================================
IP Route - GlobalRouter
=====================================================================================================
                                                NH                 INTER
DST             MASK            NEXT            VRF/ISID      COST FACE  PROT AGE TYPE PRF
-----------------------------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.168.254.1   GlobalRouter  1    1     STAT 0   IB   5
192.168.254.0   255.255.255.0   192.168.254.112 -             1    1     LOC  0   DB   0
2 out of 2 Total Num of Route Entries, 2 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed
If you have a connectivity issue, always check that your port is enabled.
The prompt can be modified in several ways, either via the prompt CLI command or by
configuring the SysName.
By default, no IP management access is enabled. These options are in the boot flags settings.
There the admin can choose which protocol to activate.
We just have to specify the daemon we want to start. Let’s enable telnetd.
Telnet access is now enabled and allowed. To check the boot flags configuration currently in use,
you can use the show boot config flags CLI command. The example below is from a default
configuration with telnetd manually enabled.
There are two ways to save the configuration: using the write mem CLI or simply the save
config CLI command.
BEB1:1(config)#save config
CP-1: Save config to file /intflash/config.cfg successful.
BEB1:1(config)#
If you need to reset a switch to its factory default configuration, you need to enable a
boot config flag, then reboot the switch.
By default, only VLAN 1 is defined on the switch. To create a new VLAN, simply use the vlan
create CLI command.
=================================================================================================
Vlan Basic
=================================================================================================
VLAN                    MSTP
ID    NAME      TYPE    INST_ID  PROTOCOLID  SUBNETADDR  SUBNETMASK  VRFID
-------------------------------------------------------------------------------------------------
1     Default   byPort  0        none        N/A         N/A         0
42    MyVlan    byPort  0        none        N/A         N/A         0
BEB1:1(config)#
Once a VLAN has been created, you can add ports to it.
======================================================================================
Vlan Port
======================================================================================
VLAN  PORT              ACTIVE            STATIC    NOT_ALLOW
ID    MEMBER            MEMBER            MEMBER    MEMBER
--------------------------------------------------------------------------------------
1     1/1,1/13-1/50     1/1,1/13-1/50
42    1/8-1/9           1/8-1/9
======================================================================================
Vlan Port
======================================================================================
VLAN  PORT              ACTIVE            STATIC    NOT_ALLOW
ID    MEMBER            MEMBER            MEMBER    MEMBER
--------------------------------------------------------------------------------------
1     1/1,1/13-1/50     1/1,1/13-1/50
42    1/9               1/9
While the vlan members add and vlan members remove CLI commands are straightforward,
there’s another CLI command available to move a port to a VLAN: vlan member <vid>
<portlist>. Its behavior differs depending on the platform OS (VOSS or BOSS).
On VOSS (VSP), if the port specified in the CLI command is tagged and already a member of a VLAN,
that port is added to the new VLAN and remains in the other VLAN: this is an add
behavior. However, if the port is NOT tagged and is a member of a VLAN, that port is
removed from the previous VLAN and added to the new VLAN: this is a move behavior.
On BOSS, care must be taken as the behavior is ALWAYS a move, which can have very
unpleasant effects when manually configuring uplinks. If you want to add a VLAN to an uplink,
using this command would remove that uplink from all the existing VLANs configured…
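The add-versus-move rules described above, as an added example (not part of the original document and not Extreme tooling): a pre-change check that predicts which VLANs a port would lose if vlan member <vid> <portlist> were issued. The Port class, the function names and the sample ports are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    tagged: bool                      # True for a tagged port (e.g. an uplink)
    vlans: set = field(default_factory=set)


def predict_vlan_member(platform, port, new_vid):
    """Predict what `vlan member <new_vid> <port>` does to one port.

    Rules taken from the text above:
      VOSS + tagged port   -> add  (existing VLANs are kept)
      VOSS + untagged port -> move (port leaves its previous VLAN)
      BOSS, any port       -> move (always)
    """
    platform = platform.upper()
    if platform not in ("VOSS", "BOSS"):
        raise ValueError(f"unknown platform: {platform}")
    is_add = platform == "VOSS" and port.tagged
    removed = set() if is_add else port.vlans - {new_vid}
    return {
        "port": port.name,
        "behaviour": "add" if is_add else "move",
        "removed": sorted(removed),
        "resulting": sorted((port.vlans - removed) | {new_vid}),
    }


def vlans_at_risk(platform, ports, new_vid):
    """Return {port name: [VLANs lost]} for every port that would drop VLANs."""
    at_risk = {}
    for port in ports:
        outcome = predict_vlan_member(platform, port, new_vid)
        if outcome["removed"]:
            at_risk[port.name] = outcome["removed"]
    return at_risk


# Constructed sample: one tagged uplink carrying three VLANs, one access port.
SAMPLE_PORTS = [
    Port("1/49", tagged=True, vlans={10, 20, 30}),
    Port("1/9", tagged=False, vlans={1}),
]

if __name__ == "__main__":
    for platform in ("VOSS", "BOSS"):
        print(f"{platform}: vlan member 42 1/9,1/49")
        for p in SAMPLE_PORTS:
            print("   ", predict_vlan_member(platform, p, 42))
        print("    VLANs that would be lost:", vlans_at_risk(platform, SAMPLE_PORTS, 42))
```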
The following CLI command to tag or untag a port is available on both VOSS and BOSS, but is
mainly used for BOSS:
As expected, the configuration can be viewed with the typical show running-config CLI
command. A module parameter allows you to display a specific part of the configuration.
BEB2:1(config)#show run
Preparing to Display Configuration...
#
# Sun Jul 04 02:19:26 1971 UTC
# box type : VSP-4450GSX-PWR+
# software version : 6.0.1.1
# cli mode : ACLI
#
[…]
You can verify and modify the time on the switch with the clock command.
BEB2:1(config)#show clock
BEB2:1(config)#show clock
You can change the default password of any account (if you are connected with rwa privilege) with
the following CLI command.
Aside from the sys name CLI command that we have already seen, SNMP is configured with
the snmp-server CLI command. You need rwa privilege to configure it.
BEB2:1(config)#snmp-server ?
Modify SNMP settings
authentication-trap Enable generation of authentication traps
community Set community table
contact Text for mib object sysContact
force-iphdr-sender Set same snmp and ip sender flag
force-trap-sender Set snmp trap sender ip
group Set snmp v3 group access table
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
There are several ways to upgrade the software on a VSP platform. One way is to use the USB
port available on the switch.
We need to copy the files to the switch, then activate it and reboot.
BEB2:1#ls /usb
[09/26/17 14:02:44] Slot 1 : IMAGE SYNC: Running pre-install script for image version
VOSS4K.6.1.50.0.GA
[09/26/17 14:02:44] Slot 1 : IMAGE SYNC: Kernel image is consistent
After the reboot, you can commit the upgrade if everything is working as expected.
Login: rwa
Password: ***
BEB2:1>en
BEB2:1#software commit
Executing software commit for version VOSS4K.6.1.50.0.GA.
Software commit successful
To use SCP or TFTP instead of the USB, you first need to enable the required protocol, then use
the copy command with the necessary IP address of the server.
BEB1:1#copy ?
running-config Running configuration
WORD<1-255> Source filename, a.b.c.d:<file> | x:x:x:x:x:x:x:x:<file> | /intflash/<file> |
/usb/<file>
BEB1:1#copy 192.168.254.10:VOSS4K.6.0.1.1.tgz ?
WORD<1-255> Destination filename, a.b.c.d:<file> | x:x:x:x:x:x:x:x:<file> | /intflash/<file> |
/usb/<file>
BEB1:1#copy 192.168.254.10:VOSS4K.6.0.1.1.tgz /intflash/VOSS4K.6.0.1.1.tgz
Some features may require a license to be configured. To install a license, you need to copy the
license file (xml format) to the switch, then load it.
BEB1:1(config)#copy 192.168.254.10:license_VSP_4000_6CA84974AA00.xml /intflash/license_VSP_4000_6CA84974AA00.xml
BEB1:1(config)#load-license
BEB1:1(config)#show license
************************************************************************
Features requiring a Premier license:
- Layer 3 VSNs
- MACsec
- Distributed Virtual Routing(DvR)
- VXLAN GATEWAY
- >24 VRFs
- CHEF
Enterprise Device Manager (EDM) is the included web server in VOSS. It’s disabled by default. To enable
it, simply use the following CLI command:
BEB1:1(config)#web-server enable
You can then log in via your favorite web browser over HTTPS, using the following default credentials:
Login: admin
Password: password
Here’s a quick example of the behaviors with tagged/untagged frames, when connecting an
EXOS-based switch to a VOSS-based switch.
On EXOS, you configure the 802.1Q tag on the VLAN, and you add a port either as a tagged
member or untagged member to a range of VLANs. A physical port can be tagged in many VLANs
and untagged in one VLAN at the same time (assuming the typical, and default, port-based VLAN
configuration). A tagged frame ingressing a port is discarded if that port doesn’t belong to the
corresponding VLAN as a tagged member. An untagged frame ingressing a port is discarded if
that port is not an untagged member of a VLAN.
On VOSS, you enable 802.1Q on the interface (encapsulation dot1q) and you specify whether that port
is a tagged member of VLANs or not. You can also specify the default VLAN for that port, to accept
untagged frames ingressing that port on a specific VLAN. Several configuration options allow you
to control whether or not these frames are accepted. Below is a snippet of the settings
available for an interface.
Let’s take an example. We have an X440-G2 facing a VSP 4450. Port 9 on the X440-G2 is in VLAN
42, which can reach another switch beyond the VSP, also in that same VLAN 42. Both ends have an
IP address to check connectivity.
Let’s now configure port 9 as a tagged member of VLAN 42 on the X440-G2, without changing
the VSP 4450 configuration.
We can still ping the other end. Let’s now enable the untagged-frames-discard parameter on the
VSP 4450.
The first step is to create the Fabric itself. We need to enable SPBm and IS-IS, and define the two
B-VIDs for SPBm to use.
Note: The SPBm standard allows for up to 16 B-VIDs. The current implementation supports 2. These
two B-VIDs create two ECTs (two paths) for load-balancing the traffic inside the Fabric. As a
best practice, it is recommended to use B-VIDs 4051 and 4052. L2VSNs will be load-balanced
between these two paths based on their I-SID value.
BEB1:1(config)#spbm
BEB1:1(config)#router isis
BEB1:1(config-isis)#
BEB1:1(config-isis)#spbm 1
BEB1:1(config-isis)#spbm 1 b-vid 4051,4052 primary 4051
BEB1:1(config-isis)#spbm 1 nick-name f.00.10
BEB1:1(config-isis)#manual-area 30.0000
BEB1:1(config-isis)#
BEB1:1(config-isis)#exit
BEB1:1(config)#
BEB1:1(config)#interface gigabitEthernet 1/11
BEB1:1(config-if)#isis
BEB1:1(config-if)#isis spbm 1
BEB1:1(config-if)#isis enable
BEB1:1(config-if)#
BEB1:1(config-if)#exit
BEB1:1(config)#
BEB1:1(config)#vlan create 4051 type spbm-bvlan
BEB1:1(config)#vlan create 4052 type spbm-bvlan
BEB1:1(config)#router isis enable
The first command enables SPBm on the switch. Then we activate SPBm support in the ISIS
router: this is where we have to specify the SPBm instance, the B-VIDs and the area. Current
implementation supports a single SPBm instance, which should be the same throughout the
Fabric Connect network. Likewise, a single ISIS area is supported and should be the same in the
Fabric Connect network.
The second phase of the configuration is on the interface level. We need to create an ISIS circuit,
then enable the SPBm instance and the ISIS circuit on that interface.
The last phase of the configuration is to create the necessary B-VLANs for SPBm and globally
enable the ISIS router.
BCB:1(config)#spbm
BCB:1(config)#router isis
BCB:1(config-isis)#spbm 1
BCB:1(config-isis)#spbm 1 b-vid 4051,4052 primary 4051
BCB:1(config-isis)#spbm 1 nick-name f.00.11
BCB:1(config-isis)#manual-area 30.0000
BCB:1(config-isis)#exit
BCB:1(config)#interface gigabitEthernet 1/11
BCB:1(config-if)#isis
BCB:1(config-if)#isis spbm 1
BCB:1(config-if)#isis enable
BCB:1(config-if)#exit
BCB:1(config)#interface gigabitEthernet 1/12
BCB:1(config-if)#isis
BCB:1(config-if)#isis spbm 1
BCB:1(config-if)#isis enable
BCB:1(config-if)#exit
BCB:1(config)#vlan create 4051 type spbm-bvlan
BCB:1(config)#vlan create 4052 type spbm-bvlan
BCB:1(config)#router isis enable
BEB2:1(config)#spbm
BEB2:1(config)#router isis
BEB2:1(config-isis)#spbm 1
BEB2:1(config-isis)#spbm 1 b-vid 4051,4052 primary 4051
BEB2:1(config-isis)#spbm 1 nick-name f.00.12
BEB2:1(config-isis)#manual-area 30.0000
BEB2:1(config-isis)#exit
BEB2:1(config)#interface gigabitEthernet 1/12
BEB2:1(config-if)#isis
BEB2:1(config-if)#isis spbm 1
BEB2:1(config-if)#isis enable
BEB2:1(config-if)#exit
BEB2:1(config)#vlan create 4051 type spbm-bvlan
BEB2:1(config)#vlan create 4052 type spbm-bvlan
BEB2:1(config)#router isis enable
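The three node configurations above have to agree with each other, so here is an added example (not from the original document and not an Extreme tool) that parses pasted CLI sessions in the prompt format shown above and reports fabric-wide mismatches and missing per-node steps. The function names and the data structure are hypothetical; the text only states that the SPBm instance and the ISIS area must match across the fabric, so treating the B-VIDs and the primary B-VID the same way, and requiring a distinct nick-name per node, are assumptions of this example. BAD_BEB2 is constructed with a different area, a reused nick-name, a missing B-VLAN and a missing isis enable.

```python
import re
from collections import defaultdict

# Prompt format used in the sessions above: HOST:1(mode)#command
PROMPT = re.compile(r"^(?P<host>[^:\s]+):\d+\((?P<mode>[^)]+)\)#\s*(?P<cmd>.*)$")

def parse_sessions(text):
    """Turn pasted CLI sessions into {host: settings} (hypothetical structure)."""
    nodes, cur_if = {}, {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m["cmd"].strip():
            continue
        host, mode, cmd = m["host"], m["mode"], " ".join(m["cmd"].split())
        n = nodes.setdefault(host, {
            "spbm": False, "isis_on": False, "instance": None, "bvids": set(),
            "primary": None, "nick": None, "area": None, "bvlans": set(),
            "ifaces": defaultdict(set)})
        if mode == "config":
            if cmd == "spbm":
                n["spbm"] = True
            elif cmd == "router isis enable":
                n["isis_on"] = True
            elif v := re.fullmatch(r"vlan create (\d+) type spbm-bvlan", cmd):
                n["bvlans"].add(int(v[1]))
            elif cmd.lower().startswith("interface "):
                i = re.fullmatch(r"interface gigabitEthernet (\S+)", cmd, re.I)
                cur_if[host] = i[1] if i else None
        elif mode == "config-isis":
            if b := re.fullmatch(r"spbm (\d+) b-vid ([\d,]+) primary (\d+)", cmd):
                n["instance"], n["primary"] = int(b[1]), int(b[3])
                n["bvids"] = {int(x) for x in b[2].split(",") if x}
            elif k := re.fullmatch(r"spbm \d+ nick-name (\S+)", cmd):
                n["nick"] = k[1]
            elif a := re.fullmatch(r"manual-area (\S+)", cmd):
                n["area"] = a[1]
        elif mode == "config-if" and cmd.startswith("isis") and cur_if.get(host):
            n["ifaces"][cur_if[host]].add(cmd)
    return nodes

def audit_fabric(nodes):
    """Return sorted findings; an empty list means nothing inconsistent was found."""
    findings = []
    for key in ("instance", "bvids", "primary", "area", "nick"):
        seen = defaultdict(list)
        for host, n in nodes.items():
            seen[str(sorted(n[key]) if key == "bvids" else n[key])].append(host)
        if key == "nick":  # assumption of this example: one nick-name per node
            findings += [f"fabric: nick-name {v} reused by {','.join(h)}"
                         for v, h in seen.items() if len(h) > 1]
        elif len(seen) > 1:  # values expected to be identical on every node
            detail = "; ".join(f"{v} on {','.join(h)}" for v, h in sorted(seen.items()))
            findings.append(f"fabric: {key} differs ({detail})")
    for host, n in nodes.items():
        if not n["spbm"]:
            findings.append(f"{host}: global 'spbm' missing")
        if not n["isis_on"]:
            findings.append(f"{host}: 'router isis enable' missing")
        for vid in sorted(n["bvids"] - n["bvlans"]):
            findings.append(f"{host}: no 'vlan create {vid} type spbm-bvlan'")
        need = {"isis", f"isis spbm {n['instance']}", "isis enable"}
        for ifname, cmds in sorted(n["ifaces"].items()):
            for missing in sorted(need - cmds):
                findings.append(f"{host}: port {ifname} lacks '{missing}'")
    return sorted(findings)

# BEB1: lines as shown on this page (mode changes, exits, empty prompts left out).
PAGE_BEB1 = """\
BEB1:1(config)#spbm
BEB1:1(config-isis)#spbm 1 b-vid 4051,4052 primary 4051
BEB1:1(config-isis)#spbm 1 nick-name f.00.10
BEB1:1(config-isis)#manual-area 30.0000
BEB1:1(config)#interface gigabitEthernet 1/11
BEB1:1(config-if)#isis
BEB1:1(config-if)#isis spbm 1
BEB1:1(config-if)#isis enable
BEB1:1(config)#vlan create 4051 type spbm-bvlan
BEB1:1(config)#vlan create 4052 type spbm-bvlan
BEB1:1(config)#router isis enable
"""
# Constructed faulty peer, not from the page.
BAD_BEB2 = """\
BEB2:1(config)#spbm
BEB2:1(config-isis)#spbm 1 b-vid 4051,4052 primary 4051
BEB2:1(config-isis)#spbm 1 nick-name f.00.10
BEB2:1(config-isis)#manual-area 30.0001
BEB2:1(config)#interface gigabitEthernet 1/12
BEB2:1(config-if)#isis
BEB2:1(config-if)#isis spbm 1
BEB2:1(config)#vlan create 4051 type spbm-bvlan
BEB2:1(config)#router isis enable
"""

if __name__ == "__main__":
    print("\n".join(audit_fabric(parse_sessions(PAGE_BEB1 + BAD_BEB2))))
```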
We can have a look at the ISIS interface states and ISIS adjacencies, to verify that everything
looks normal. Let’s have a look at BEB1.
=================================================================================================
ISIS Interfaces
=================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1-METRIC
-------------------------------------------------------------------------------------------------
Port1/11 pt-pt Level 1 UP UP 1 1 10
--------------------------------------------------------------------------------
1 out of 1 Total Num of ISIS interfaces
--------------------------------------------------------------------------------
=================================================================================================
ISIS Adjacencies
=================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME
-------------------------------------------------------------------------------------------------
Port1/11 1 UP 00:35:15 127 23 1461.2fed.d265 BCB
--------------------------------------------------------------------------------
1 out of 1 interfaces have formed an adjacency
--------------------------------------------------------------------------------
=================================================================================================
ISIS Interfaces
=================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1-METRIC
-------------------------------------------------------------------------------------------------
Port1/11 pt-pt Level 1 UP UP 1 1 10
Port1/12 pt-pt Level 1 UP UP 1 1 10
--------------------------------------------------------------------------------
2 out of 2 Total Num of ISIS interfaces
--------------------------------------------------------------------------------
=================================================================================================
ISIS Adjacencies
=================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME
-------------------------------------------------------------------------------------------------
Port1/11 1 UP 00:38:08 127 26 6ca8.4974.af65 BEB2
Port1/12 1 UP 00:39:07 127 21 6ca8.4974.aa65 BEB1
--------------------------------------------------------------------------------
2 out of 2 interfaces have formed an adjacency
--------------------------------------------------------------------------------
Having a look at the ISIS LSDB, we can see the two B-VIDs per node.
==================================================================================
ISIS LSDB
==================================================================================
LSP ID LEVEL LIFETIME SEQNUM CHKSUM HOST-NAME
----------------------------------------------------------------------------------
1461.2fed.d265.00-00 1 716 0x8 0x2b08 BCB
1461.2fed.d265.00-01 1 716 0x7 0x9469 BCB
6ca8.4974.aa65.00-00 1 1193 0x14 0xd40e BEB1
6ca8.4974.aa65.00-01 1 1193 0x13 0x8b50 BEB1
6ca8.4974.af65.00-00 1 773 0x8 0xfbe4 BEB2
6ca8.4974.af65.00-01 1 773 0x7 0xc21c BEB2
----------------------------------------------------------------------------------
Level-1 : 6 out of 6 Total Num of LSP Entries
Level-2 : 0 out of 0 Total Num of LSP Entries
----------------------------------------------------------------------------------
This ISIS LSDB must be the same on every node of the Fabric.
Now that the SPBm infrastructure has been built, we can start to provision it with services. As a
start, we’ll configure a L2VSN. This configuration happens only at the edge. In our example, that
will be on both BEB switches (BEB1 and BEB2).
We are using a C-VLAN UNI type in this example, as this is certainly the most common use-case.
======================================================================================
Vlan Port
======================================================================================
VLAN  PORT              ACTIVE            STATIC    NOT_ALLOW
ID    MEMBER            MEMBER            MEMBER    MEMBER
--------------------------------------------------------------------------------------
1     1/1,1/13-1/50     1/1,1/13-1/50
42    1/9               1/9
An I-SID is coded on 24 bits, allowing up to roughly 16.7M unique IDs. We can pick any value
for our L2VSN.
Note: It’s not entirely true to say we can pick any I-SID value. For multicast traffic, Fabric Connect
automatically uses I-SIDs from the value 16,000,000 and above. We must not use that range
for our services.
=============================================================================
Vlan I-SID
=============================================================================
VLAN_ID I-SID
-----------------------------------------------------------------------------
1
42 12000555
4051
4052
We create VLAN 42 also on BEB2, then associate it to the same I-SID to create our L2VSN.
=============================================================================
Vlan I-SID
=============================================================================
VLAN_ID I-SID
-----------------------------------------------------------------------------
1
42 12000555
4051
4052
Let’s now verify that the L2VSN is correctly configured and ready.
=============================================================================
SPBM ISID INFO
=============================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME
-----------------------------------------------------------------------------
12000555 f.00.10 4051 6ca8.4974.aa65 discover BEB1
12000555 f.00.12 4051 6ca8.4974.af65 config BEB2
-----------------------------------------------------------------------------
Total number of SPBM ISID entries configured: 1
-----------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 1
-----------------------------------------------------------------------------
Total number of SPBM ISID entries: 2
-----------------------------------------------------------------------------
=============================================================================
SPBM ISID INFO
=============================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME
-----------------------------------------------------------------------------
12000555 f.00.10 4051 6ca8.4974.aa65 config BEB1
12000555 f.00.12 4051 6ca8.4974.af65 discover BEB2
-----------------------------------------------------------------------------
Total number of SPBM ISID entries configured: 1
-----------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 1
-----------------------------------------------------------------------------
Total number of SPBM ISID entries: 2
-----------------------------------------------------------------------------
We connect two EXOS switches on both ends, in VLAN 42, and ping from one EXOS switch to the
other, across our Fabric Connect network to check if our L2VSN is working as expected.
Note: We are using VLAN 42 on each side, as this is more logical, but the VLAN that connects to
the service is only of local significance. We could use a different VLAN on one end; only the service
has to be common.
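The I-SID rules from this section (24-bit value, the range from 16,000,000 upward left to multicast, same I-SID on both BEBs, VLAN ID only locally significant), as an added example that is not part of the original document: it reads the Vlan I-SID table from each BEB and reports unusable I-SIDs and services that exist on one node only. The function names are hypothetical; BEB1_TABLE holds the rows shown above and BEB2_TABLE is constructed.

```python
import re

ISID_MAX = 2**24 - 1             # an I-SID is coded on 24 bits
MCAST_ISID_START = 16_000_000    # from here up: used automatically for multicast


def parse_vlan_isid(show_output):
    """Parse a 'Vlan I-SID' table into {vlan_id: isid}.

    Rows that carry only a VLAN ID (VLAN 1, the B-VLANs) have no I-SID and
    are skipped, as are header and separator lines.
    """
    mapping = {}
    for line in show_output.splitlines():
        row = re.fullmatch(r"\s*(\d+)\s+(\d+)\s*", line)
        if row:
            mapping[int(row[1])] = int(row[2])
    return mapping


def check_l2vsn(tables):
    """tables: {BEB name: 'Vlan I-SID' output}. Returns (findings, services).

    services maps each usable I-SID to {BEB: local VLAN}; the VLAN IDs may
    differ per BEB because they are only locally significant.
    """
    findings, services = [], {}
    for beb, text in sorted(tables.items()):
        for vlan, isid in sorted(parse_vlan_isid(text).items()):
            if isid > ISID_MAX:
                findings.append(f"{beb}: VLAN {vlan}: I-SID {isid} does not fit in 24 bits")
            elif isid >= MCAST_ISID_START:
                findings.append(f"{beb}: VLAN {vlan}: I-SID {isid} is in the multicast range")
            else:
                services.setdefault(isid, {})[beb] = vlan
    for isid, ends in sorted(services.items()):
        if len(ends) == 1:
            beb, vlan = next(iter(ends.items()))
            findings.append(f"I-SID {isid}: only on {beb} (VLAN {vlan}) among the audited nodes")
    return findings, services


# Rows as shown in the Vlan I-SID output above.
BEB1_TABLE = """\
VLAN_ID I-SID
-----------------------------------------------------------------------------
1
42 12000555
4051
4052
"""
# Constructed table: a different local VLAN for the same service, one I-SID in
# the multicast range, one single-ended service and one value above 24 bits.
BEB2_TABLE = """\
VLAN_ID I-SID
-----------------------------------------------------------------------------
1
43 16000010
44 12000556
45 20000000
420 12000555
4051
4052
"""

if __name__ == "__main__":
    found, svc = check_l2vsn({"BEB1": BEB1_TABLE, "BEB2": BEB2_TABLE})
    print("\n".join(found))
    print(svc)
```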
Once we have made sure the ports are enabled, we can try to ping from the X460-G2 to the X440-G2.
Looking at BEB1, we can check the FDB table to see how it is populated.
=============================================================================
Vlan Fdb
=============================================================================
VLAN            MAC                             SMLT
ID    STATUS    ADDRESS             INTERFACE   REMOTE  TUNNEL
-----------------------------------------------------------------------------
42    learned   00:04:96:98:9c:3d   Port-1/9    false   -
42    learned   00:04:96:9e:68:24   Port-1/11   false   BEB2
42    learned   00:e0:2b:00:00:01   Port-1/9    false   -
=============================================================================
Vlan Fdb Extn
=============================================================================
VLAN ID AGING-TIME(Seconds)
-----------------------------------------------------------------------------
42 300
If we look at the remote MAC addresses learned, we can see the BEB2 MAC address as the destination.
==============================================================================================================
Vlan Remote Mac Table
==============================================================================================================
VLAN STATUS MAC-ADDRESS DEST-MAC BVLAN DEST-SYSNAME PORTS SMLTREMOTE
--------------------------------------------------------------------------------------------------------------
42 learned 00:04:96:9e:68:24 6c:a8:49:74:af:65 4051 BEB2 1/11 false
--------------------------------------------------------------------------------------------------------------
1 of 1 matching entries out of total of 1 Remote Mac entries in all fdb(s) displayed.
Note: On EXOS, the ports have been added to VLAN 42 as untagged ports (the default if not specified
on the command line). On the BEB switches, the configuration must be aligned to allow the
communication.
We are enhancing the service layer of our Fabric Connect with L3 services. We will create two
VRFs on both sides of the Fabric, to interconnect different IPv4 subnets.
Note: L3VSN requires a Premier license. For this example, only the BEB switches need that license
level, not the BCB. Of course, if the BCB would become a BEB at a later time, or if some other
features requiring a license were to be configured on it, it would need that license level as well.
The current list of features requiring a Premier license is the following:
- Layer 3 VSNs
- MACsec
- Distributed Virtual Routing(DvR)
- VXLAN GATEWAY
- >24 VRFs
- CHEF
We are going to create a VRF green and a VRF gold, then redistribute direct routes into the Fabric
and enable routing for each VRF. Once again, configuration happens on the BEB switches only.
Note: This example illustrates a multi-tenant architecture with VRFs. We could also work in a
single routing table and not use any VRF, with the IP Shortcut feature.
We need to create VLANs 101 & 201 between the X460-G2 and BEB1, with the correct IPv4
addressing, and VLANs 102 & 202 between the X440-G2 and BEB2. We also have to configure
some static routes on both EXOS switches to test reachability. For reference, the configuration
on EXOS side is as follows:
With L3VSN, we have to enable IP services on the BEB switches. We need to configure a loopback
interface, define it as the source address for our ISIS router and enable IP for SPBm.
BEB1:1(config)#interface loopback 1
BEB1:1(config-if)#ip address 172.16.0.1/32
BEB1:1(config-if)#exit
BEB1:1(config)#
BEB1:1(config)#router isis
BEB1:1(config-isis)#ip-source-address 172.16.0.1
BEB1:1(config-isis)#spbm 1 ip enable
BEB1:1(config-isis)#exit
Similarly, on BEB2:
BEB2:1(config)#interface loopback 1
BEB2:1(config-if)#ip address 1 172.16.0.2/32
BEB2:1(config-if)#exit
BEB2:1(config)#
BEB2:1(config)#router isis
BEB2:1(config-isis)#ip-source-address 172.16.0.2
BEB2:1(config-isis)#spbm 1 ip enable
BEB2:1(config-isis)#exit
We can check that IP support is now enabled for Extreme Fabric Connect.
=================================================================================================
ISIS SPBM Info
=================================================================================================
SPBM      B-VID      PRIMARY  NICK     LSDB     IP       IPV6     MULTICAST  SPB-PIM-GW
INSTANCE             VLAN     NAME     TRAP
-------------------------------------------------------------------------------------------------
1         4051-4052  4051     f.00.12  disable  enable   disable  disable    disable
=================================================================================================
ISIS SPBM SMLT Info
=================================================================================================
SPBM      SMLT-SPLIT-BEB  SMLT-VIRTUAL-BMAC   SMLT-PEER-SYSTEM-ID
INSTANCE
-------------------------------------------------------------------------------------------------
1         primary         00:00:00:00:00:00
--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------
When configuring the VRF green, we have to configure it as a L3VSN using the ipvpn keyword,
configure a unique I-SID that must be shared between all BEB nodes having the same VRF, and
enable the L3VSN capability.
Then we have to redistribute to ISIS the routing protocols we need. In our example, we are just
going to redistribute direct routes.
WARNING: Routes will not be injected until apply command is issued after
enable command
BEB1:1(router-vrf)#isis redistribute direct metric 1
BEB1:1(router-vrf)#isis redistribute direct enable
BEB1:1(router-vrf)#exit
BEB1:1(config)#
BEB1:1(config)#isis apply redistribute direct vrf green
Nothing has to be configured on the BCB switch. We just have to configure the other BEB switch,
BEB2, in a way similar to BEB1. We have to make sure to use the same I-SID for the green VRF
on that node too.
WARNING: Routes will not be injected until apply command is issued after
enable command
BEB2:1(router-vrf)#isis redistribute direct metric 1
BEB2:1(router-vrf)#isis redistribute direct enable
BEB2:1(router-vrf)#exit
BEB2:1(config)#isis apply redistribute direct vrf green
We can now verify reachability by trying to ping the X460-G2 interface in that VRF green from
the X440-G2.
2 out of 2 Total Num of Route Entries, 2 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed
BEB1:1(config)#
BEB1:1(config)#show ip ipvpn vrf green
WARNING: Routes will not be injected until apply command is issued after
enable command
BEB1:1(router-vrf)#isis redistribute direct metric 1
BEB1:1(router-vrf)#isis redistribute direct enable
BEB1:1(router-vrf)#
BEB1:1(router-vrf)#exit
BEB1:1(config)#
BEB1:1(config)#isis apply redistribute direct vrf gold
Likewise, on BEB2:
WARNING: Routes will not be injected until apply command is issued after
enable command
BEB2:1(router-vrf)#isis redistribute direct metric 1
BEB2:1(router-vrf)#isis redistribute direct enable
BEB2:1(router-vrf)#
BEB2:1(router-vrf)#exit
BEB2:1(config)#
BEB2:1(config)#isis apply redistribute direct vrf gold
2 out of 2 Total Num of Route Entries, 2 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed
Configuring the Multicast services requires enabling multicast support on SPBM, on the
required VRF and at the VLAN interface level. IGMPv2 is enabled by default at the interface level.
We’ll add IP Multicast support in VRF green.
BEB1 Configuration:
BEB1:1(config)#router isis
BEB1:1(config-isis)#spbm 1 multicast enable
BEB1:1(config-isis)#exit
BEB1:1(config)#
BEB1:1(config)#router vrf green
BEB1:1(router-vrf)#mvpn enable
BEB1:1(router-vrf)#exit
BEB1:1(config)#
BEB1:1(config)#interface vlan 101
BEB1:1(config-if)#ip spb-multicast enable
BEB1:1(config-if)#exit
BEB2 Configuration:
BEB2:1(config)#router isis
BEB2:1(config-isis)#spbm 1 multicast enable
BEB2:1(config-isis)#exit
BEB2:1(config)#
BEB2:1(config)#router vrf green
BEB2:1(router-vrf)#mvpn enable
BEB2:1(router-vrf)#exit
BEB2:1(config)#
BEB2:1(config)#interface vlan 102
BEB2:1(config-if)#ip spb-multicast enable
BEB2:1(config-if)#exit
=================================================================================================
ISIS SPBM Info
=================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW
INSTANCE VLAN NAME TRAP
-------------------------------------------------------------------------------------------------
1 4051-4052 4051 f.00.10 disable enable disable enable disable
=================================================================================================
ISIS SPBM SMLT Info
=================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
-------------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00
--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------
On EXOS, Fabric Attach is targeted for release 22.4, which should be available in Q4CY17. In this
document we are using beta code of EXOS 22.4. Some outputs, CLI commands and possibly
some behaviors may change before GA.
On EXOS, Fabric Attach is available in Proxy or Client mode when working with Extreme Fabric
Connect.
Mapping of a VLAN to an NSI can be either static (via CLI) or dynamic (RADIUS, Netlogin,
UPM/Scripting). Some enhancements should be made for EXOS 22.5, such as Policy support.
Note: NSI stands for Network Service Identifier. This is a value coded on 24 bits that can represent
either an I-SID or a VNI. Only the Fabric Attach (FA) Server knows how to handle that value, not
the Client/Proxy. As such, FA Client/Proxy do not know if they are connected to Extreme Fabric
Connect or an IP “BGP” Fabric, and they don’t need to.
We are connecting our X440-G2 to BEB2 to illustrate the Fabric Attach feature.
Note: Fabric Attach uses LLDP to signal messages between Server and Proxy. This communication
is bi-directional: The Proxy transmits mapping requests to the Server, then the Server responds
with an Accept/Reject status. As a result, there may be a delay before the status changes for a
new configuration, depending on the LLDP transmit interval configured on the switches. By
default, VOSS has a 30-second transmit interval while EXOS uses a 120-second transmit interval.
We have to configure the FA Server feature on BEB2 globally and on the interface level as well.
BEB2:1(config)#fa enable
BEB2:1(config)#show fa
=============================================================================
Fabric Attach Configuration
=============================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm
BEB2:1(config)#
BEB2:1(config)#interface gigabitEthernet 1/5
BEB2:1(config-if)#fa enable
BEB2:1(config-if)#no fa message-authentication
BEB2:1(config-if)#no shut
BEB2:1(config-if)#exit
BEB2:1(config)#
BEB2:1(config)#show fa interface port 1/5
=============================================================================
Fabric Attach Interfaces
=============================================================================
-----------------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
-----------------------------------------------------------------------------
Because the FA Proxy/Client feature in EXOS 22.4 will not support TLV authentication, we must
disable that capability in the VOSS FA Server configuration, as TLV authentication is automatically
enabled on VOSS.
Note: FA Server is enabled globally by default on VOSS, but FA is not enabled on UNI ports.
We create a new VLAN on our EXOS switch and statically assign that new VLAN to an NSI. We
don’t need to add port 5 (which faces port 1/5 on BEB2, where FA Server is enabled); it will be
added automatically once an NSI or I-SID is configured on that VLAN.
* (Demo) X440G2-24p-10G4.1 # create vlan 1337
* (Demo) X440G2-24p-10G4.3 # config vlan 1337 add nsi 1234567
* (Demo) X440G2-24p-10G4.4 #
* (Demo) X440G2-24p-10G4.4 # show fabric attach neighbors
Mgmt Auto
System Id Port Type VLAN Tag Provision
----------------------------- ------- ---------------- ---- --- --------------
6c-a8-49-74-af-00-00-00-00-c4 5 Server (No Auth) None Mix Disabled
* (Demo) X440G2-24p-10G4.5 #
* (Demo) X440G2-24p-10G4.5 # show vlan 1337 fabric attach mappings
VLAN VLAN Name Type ISID/NSI Status
---- -------------------------------- ------- -------- --------
1337 VLAN_1337 static 1234567 Accepted
* (Demo) X440G2-24p-10G4.6 #
BEB2:1(config)#show fa assignment
======================================================================================
Fabric Attach Assignment Map
======================================================================================
Interface I-SID Vlan State Origin
--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
1 out of 1 Total Num of fabric attach assignment mappings displayed
--------------------------------------------------------------------------------
BEB2:1(config)#
BEB2:1(config)#show fa elements
======================================================================================
Fabric Attach Discovery Elements
======================================================================================
MGMT ELEM ASGN
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
--------------------------------------------------------------------------------------
1/5 proxyNoAuth 0 T / D 00:04:96:9e:68:24:00:01:00:05 NA NA
======================================================================================
Fabric Attach Authentication Detail
======================================================================================
ELEM OPER ASGN OPER
PORT AUTH STATUS AUTH STATUS
--------------------------------------------------------------------------------------
1/5 successNoAuth successNoAuth
Auth Legend:
AP= Authentication Pass, AF= Authentication Fail,
NA= Not Authenticated, N= None
--------------------------------------------------------------------------------
1 out of 1 Total Num of fabric attach discovery elements displayed
--------------------------------------------------------------------------------
BEB2:1(config)#
BEB2:1(config)#show fa interface
======================================================================================
Fabric Attach Interfaces
======================================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH
STATUS ISID CVID STATUS KEY
--------------------------------------------------------------------------------------
Port1/5 enabled 0 0 disabled ****
--------------------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
--------------------------------------------------------------------------------
BEB2:1(config)#
BEB2:1(config)#show i-sid elan
======================================================================================
Isid Info
======================================================================================
ISID ISID PORT MLT ORIGIN
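Because message authentication is switched off on port 1/5 only to accommodate EXOS 22.4, it is worth tracking which FA ports are left in that state. The following is an added example, not part of the original document: a Python audit that parses `show fa interface` and `show fa elements` output in the layout shown above. The rows for port 1/6 (including the `proxy` type and its system ID) are constructed for contrast.

```python
import re

# Sample output: the 1/5 rows are copied from this document, the 1/6 rows are constructed.
SHOW_FA_INTERFACE = """\
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH
STATUS ISID CVID STATUS KEY
--------------------------------------------------------------------------------------
Port1/5 enabled 0 0 disabled ****
Port1/6 enabled 0 0 enabled ****
--------------------------------------------------------------------------------
2 out of 2 Total Num of fabric attach interfaces displayed
"""

SHOW_FA_ELEMENTS = """\
MGMT ELEM ASGN
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
--------------------------------------------------------------------------------------
1/5 proxyNoAuth 0 T / D 00:04:96:9e:68:24:00:01:00:05 NA NA
1/6 proxy 0 T / D 00:00:5e:00:53:10:00:01:00:06 AP AP
"""

# port, type, mgmt vlan, state ("T / D"), system id, elem auth, asgn auth
ELEMENT_ROW = re.compile(
    r"^(\d+/\S+)\s+(\S+)\s+(\d+)\s+(\S+ / \S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def unauthenticated_ports(show_fa_interface):
    """Ports where FA is enabled but MSG AUTH STATUS is disabled."""
    ports = []
    for line in show_fa_interface.splitlines():
        f = line.split()
        # A data row has exactly six columns; headers and rulers do not.
        if len(f) == 6 and f[1] in ("enabled", "disabled"):
            if f[1] == "enabled" and f[4] == "disabled":
                ports.append(f[0])
    return ports


def unauthenticated_elements(show_fa_elements):
    """(port, type, system id) of discovered elements whose ELEM AUTH is not AP."""
    found = []
    for line in show_fa_elements.splitlines():
        m = ELEMENT_ROW.match(line.strip())
        if m and m.group(6) != "AP":
            found.append((m.group(1), m.group(2), m.group(5)))
    return found
```

Feeding it the captured output of every FA server gives a list of ports to revisit once the attached Proxy/Client supports TLV authentication.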
We create VLAN 1337 on the X460-G2 as well and add port 9 as a tagged member of it.
Adding a laptop to the X440-G2 in VLAN 1337, with an IP of 10.13.37.10/24, we can check
connectivity from the X460-G2.
As of EXOS 22.4, RADIUS, Netlogin or UPM (with Python scripting, for example) can be configured
to provide a mapping, but that mapping is per user, while FA mappings are per VLAN. Care
must therefore be taken not to create a misconfiguration by assigning different mappings to the same VLAN.
Let’s illustrate that, using UPM with Python scripting. We can configure UPM to trigger a Python
script when a device is detected by LLDP, and trigger another script when a device is undetected.
For simplicity, we are building a simple JSON database in our script that will match the device we
are going to connect to the switch. The script performs some checks to avoid basic
misconfigurations and errors, but it could be enhanced to do further checking before applying the
configuration (is the port already in some other VLANs, etc.).
- EzFA.py to provision a new device detected by LLDP, and recorded in our DB, able to
configure the switch entirely if the destination VLAN is not already present.
- Remove-vlan.py to clear the configuration of the port when a previously detected device
is not present anymore. That script is rather “brutal” as it will remove the port from every
VLAN it is in.
EzFA.py:
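import sys
import exsh
import json

# NOTE: the device database and find_vlan() are not present in this copy of the
# script. DEVICE_DB and find_vlan() below are assumed reconstructions.
# The MAC address and the tag value are placeholders; VLAN 1337 and NSI 1234567
# are the values used for the static mapping earlier in this document.
DEVICE_DB = json.loads('''
[
    {"mac": "00:00:5e:00:53:01", "vid": 1337, "nsi": 1234567, "tag": "untagged"}
]
''')


# check if the vid in argument already exists on the switch
# assumption: the vlan.vlan cfgmgr object reports the VLAN ID in its "tag" field
def find_vlan(vid):
    reply = exsh.clicmd('debug cfgmgr show next vlan.vlan', capture=True)
    reply_json = json.loads(str(reply))
    for row in reply_json.get('data') or []:
        if str(row.get('tag')) == str(vid):
            return True
    return False


# check if the vid in argument already exists and has an NSI configured
# requires EXOS 22.4 or above
# returns 0 if the vid has no nsi configured (ie vid is not found in that list)
# otherwise returns the nsi value
def check_nsi(vid):
    reply = exsh.clicmd('debug cfgmgr show next lldp.faMapping', capture=True)
    reply_json = json.loads(str(reply))
    data = reply_json.get('data')
    if data:
        for row in data:
            vlan = row.get("vlanId")
            if vlan == str(vid):
                return row.get("nsi")
    return 0


def main():
    port = sys.argv[1]
    device_mac = sys.argv[2]

    # look up the detected device in the database (assumed reconstruction)
    for device in DEVICE_DB:
        if device.get('mac') != device_mac:
            continue
        vid, nsi, tag = device['vid'], device['nsi'], device['tag']

        if find_vlan(vid):
            sw_nsi = check_nsi(vid)
            if sw_nsi:
                # cfgmgr values are strings, so compare as strings
                if str(sw_nsi) != str(nsi):
                    exsh.clicmd('create log message \"Error: new device on port {}. VLAN {} '
                                'already exists and is associated to a different NSI value!\"'.format(port, vid))
                    break
                else:
                    exsh.clicmd('config vlan {} add port {} {}'.format(vid, port, tag))
            else:
                exsh.clicmd('config vlan {} add nsi {}'.format(vid, nsi))
                exsh.clicmd('config vlan {} add port {} {}'.format(vid, port, tag))
        else:
            exsh.clicmd('create vlan {}'.format(vid))
            exsh.clicmd('config vlan {} add nsi {}'.format(vid, nsi))
            exsh.clicmd('config vlan {} add port {} {}'.format(vid, port, tag))
        break


if __name__ == '__main__':
    try:
        main()
    except SystemExit:
        pass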
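The per-VLAN consistency rule described above can be checked before any command is sent to the switch, which also keeps unexpected strings out of the CLI commands the script formats. This is an added example, not part of the original EzFA.py: it validates a device database offline, and the field names `mac`, `vid`, `nsi` and `tag`, the reason codes and the sample entries are assumptions.

```python
import json

NSI_MAX = (1 << 24) - 1  # an NSI (I-SID or VNI) is a 24-bit value

# Constructed sample database; the MAC addresses are documentation placeholders.
SAMPLE_DB = json.loads("""
[
  {"mac": "00:00:5e:00:53:01", "vid": 1337, "nsi": 1234567,  "tag": "untagged"},
  {"mac": "00:00:5e:00:53:02", "vid": 1337, "nsi": 7654321,  "tag": "tagged"},
  {"mac": "00:00:5e:00:53:03", "vid": 4095, "nsi": 20000,    "tag": "tagged"},
  {"mac": "00:00:5e:00:53:04", "vid": 200,  "nsi": 16777216, "tag": "tagged"},
  {"mac": "00:00:5e:00:53:05", "vid": 200,  "nsi": 20000,    "tag": "both"}
]
""")


def validate_db(db, switch_mappings=None):
    """Return [(mac, reason)] for entries that must not be provisioned.

    switch_mappings is {vid: nsi} for mappings already on the switch,
    for example static ones created with 'config vlan <vid> add nsi <nsi>'.
    """
    mappings = dict(switch_mappings or {})
    rejected = []
    for entry in db:
        mac, vid, nsi, tag = (entry.get(k) for k in ("mac", "vid", "nsi", "tag"))
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            rejected.append((mac, "bad-vid"))        # outside the 802.1Q range
        elif not isinstance(nsi, int) or not 0 <= nsi <= NSI_MAX:
            rejected.append((mac, "bad-nsi"))        # does not fit in 24 bits
        elif tag not in ("tagged", "untagged"):
            rejected.append((mac, "bad-tag"))        # would end up in a CLI command
        elif mappings.get(vid, nsi) != nsi:
            rejected.append((mac, "nsi-conflict"))   # same VLAN, different NSI
        else:
            mappings[vid] = nsi                      # first valid mapping wins
    return rejected
```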
remove-vlan.py:
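import sys
import exsh
import json


def remove_vlan(port):
    # The body of this function is not present in this copy of the document.
    # As described above, it removes the port from every VLAN it is a member of.
    raise NotImplementedError('remove_vlan() body is missing from this copy')


def main():
    port = sys.argv[1]
    remove_vlan(port)


if __name__ == '__main__':
    try:
        main()
    except SystemExit:
        pass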
Below is the necessary UPM configuration to trigger the python scripts. We are limiting UPM on
ports 15 to 20 of the switch.
We are connecting a device (a Cisco C2960) to port 19 on the X440-G2. The X440-G2 is acting as
a FA Proxy. The Cisco switch is configured for LLDP and has an IP address of 10.13.37.20/24 in
VLAN 1337. Once connected, we can see UPM has detected it and executed our Python script.
The VLAN has been configured and the new device added to it.
Reachability is achieved.
======================================================================================
Vlan Fdb
======================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------------
1337 learned 00:04:96:98:9c:3d Port-1/9 false -
1337 learned 00:1d:71:a9:b1:99 Port-1/11 false BEB2
1337 learned 00:1d:71:a9:b1:c2 Port-1/11 false BEB2