Extreme Networks XOS Commands


A list of handy commands for XOS on the Extreme Networks SummitX switch family. Documentation sources for Extreme Networks XOS based switches.


Warning: Keep in mind that all changes have to be saved to the system configuration file with the 'save' command, otherwise they will be lost.

Basic commands

Some generic Linux commands can be used:

$ ls
$ top
$ vi

List version of the current XOS image

$ show version image

Display detailed information about ports, including VLAN membership

$ show ports 48 info detail

Show all VLANs configured at port 2

$ show vlan ports 2

Manage VLANs

Create new VLAN

$ create vlan vlan_4_staff description text tag 4

Add port(s) to VLAN (tagged or untagged)

$ configure vlan_4_staff add ports 25-25 tagged

List all VLANs and associated ports

$ show configuration vlan

Kill a chosen system process

$ terminate process _processname_

Display the SNMP settings configured on the switch

$ show management

Use the VLAN only for the IPv4 protocol

$ configure vlan <vlan> protocol ipv4

Show port by VLAN tag

$ show ports no-refresh tag X

Show MAC database

$ show fdb <VLANName> | include "String"

Blocking access by MAC address

Block MAC address

$ create fdbentry aa:bb:cc:dd:ee:ff vlan "VLAN_NAME" blackhole

Unblock MAC address

$ delete fdbentry aa:bb:cc:dd:ee:ff vlan "VLAN_NAME" blackhole

Find MAC to IP

This works only on L3 boxes

$ show iparp <vlan>
$ show iparp <MAC>

IP interfaces statistics

Show information and statistics about interfaces (vlan, ipv4, ipv6, vr)

$ show ipstats

User account management

Create new account with admin privileges

$ create account admin <username>

Then enter the password twice. To log in with an SSH key, create a new key and assign it to the existing user account:

$ create sshd2 user-key <keyname> <raw key base64 without comments>
$ configure sshd2 user-key <keyname> add user <username>

DHCP Snooping

To enable DHCP snooping filtering on a specific port and VLAN:

$ enable ip-security dhcp-snooping vlan vxxx port 1 violation-action drop-packet block-port duration 600 snmp-trap

To show which ports are blocked:

$ show ip-security dhcp-snooping violations vxxx

Access Lists Configuration

To edit the access policy felk-kn, run the internal vi editor:

$ edit policy felk-kn

Sample policy code

entry one {
  if {
    source-address 147.32.80.0/21;
  }
  then {
    permit;
  }
}

entry two {
  if {
    source-address 10.32.0.0/16;
  }
  then {
    permit;
  }
}

entry three {
  if {
    source-address 2001:718:2:1600::/56;
  }
  then {
    permit;
  }
}
entry Telnet_Allow {
  if match any {
    source-address 192.168.1.0 /24;
    source-address 192.168.2.0 /24;
  } then {
    permit;
  }
}

Check the written code for semantic errors:

$ check policy felk-kn

Assign it to a service, VLAN or port:

$ conf ssh2 access-profile felk-kn

Reload policy

$ refresh policy felk-kn

Upgrade XOS image with ssh module

$ use image secondary
$ download image <IPaddress> <ImageName>.xos vr "VR-Default" primary
$ download image <IPaddress> <ModuleName>-ssh.xmod vr "VR-Default" primary

Confirm the installation with "Yes" and wait.

$ use image <TargetPartition>
$ reboot

When installing only SSH, there is no need to restart the switch:

# download image <IPaddress> <ModuleName>-ssh.xmod vr "VR-Default" primary
# run update
# enable ssh

LACP configuration

# enable sharing <MasterPort> grouping <Port,List> lacp
# configure sharing <MasterPort> add ports <SlavePorts>
# configure sharing <MasterPort> lacp activity-mode active

Time, SNTP and timezone configuration

To configure proper timezone for CET and CEST

# configure timezone name CET 60 autodst name CEST  begins every last sunday march at 2 0 ends every last sunday october at 3 0

SNTP client with primary and secondary server

# enable sntp-client
# configure sntp-client primary <IPAddress> vr <VRName>
# configure sntp-client secondary <IPAddress> vr <VRName>

Log handling

To filter unwanted messages out of the log:

configure log filter DefaultFilter add exclude events exsshd.RejctConnAccessDeny 

IPv6 Address and routing

Basic setup

$ configure "v91_139dcgi1" ipaddress 2001:718:2:1691::1/64
$ enable ipforwarding ipv6 "v91_139dcgi1"

Router Advertisement

$ configure "v91_139dcgi1" router-discovery add prefix 2001:718:2:1691::/64
$ configure "v91_139dcgi1" router-discovery add dnssl felk.cvut.cz
$ configure "v91_139dcgi1" router-discovery add rdnss 2001:718:2:1611:0:1:0:90
$ enable router-discovery "v91_139dcgi1"

Universal port and events

Warning: SummitX440-L2 switches are a little crappy because Universal Port profiles, etc. are not supported at L2.

Here we configure the UPM to have a liberal execution time.

$ configure upm profile loginbackup maximum execution-time 1000
$ create log target upm loginbackup
$ create log filter autologfilter

This will trigger on any AAA.AuthPass event

$ configure log filter autologfilter add event AAA.AuthPass
$ configure log target upm loginbackup filter autologfilter
$ enable log target upm loginbackup
$ enable upm profile loginbackup

SNMP

configure snmp sysName "xxx"
configure snmp sysLocation "xxx"
configure snmp sysContact "xxx"
configure snmpv3 add community $MyRWCommunity$ name $MyName$ user v1v2c_rw 
configure snmpv3 add community $MyROCommunity$ name $MyName$ user v1v2c_ro 
configure snmpv3 add target-addr v1v2cNotifyTAddr1 param v1v2cNotifyParam1 ipaddress 172.30.0.6 transport-port 162 tag-list defaultNotify 
configure snmpv3 add target-params v1v2cNotifyParam1 user v1v2cNotifyUser1 mp-model snmpv2c sec-model snmpv2c sec-level noauth 

disable snmpv3 default-group
disable snmpv3 default-user

configure snmp access-profile mgmt-acl readwrite

entry ManagementACL {
        if match any {
                source-address 172.30.0.0/16;
                source-address 172.20.0.0/16;
                source-address 192.168.0.0/23;
        } then {
                permit;
        }
}
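
Added example (not part of the original wiki page and not Extreme tooling): a small Python checker for policy text in the format used on this page, both the felk-kn policy under Access Lists Configuration and the ManagementACL entry above. It reports which entry would permit a given source address, so a management access profile can be reviewed before it is assigned. It assumes entries are evaluated in file order and that a source matching no entry is denied; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the page's policy format (entries taken from felk-kn).
POLICY = """
entry one {
  if { source-address 147.32.80.0/21; }
  then { permit; }
}
entry three {
  if { source-address 2001:718:2:1600::/56; }
  then { permit; }
}
entry Telnet_Allow {
  if match any {
    source-address 192.168.1.0 /24;
    source-address 192.168.2.0 /24;
  } then { permit; }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if([^{]*)\{(.*?)\}\s*then\s*\{\s*(\w+)\s*;", re.S)
# \s* before the mask tolerates "192.168.1.0 /24" as written in Telnet_Allow.
SRC_RE = re.compile(r"source-address\s+(\S+?)\s*(/\d+)\s*;")

def parse_policy(text):
    """Return [(name, match_mode, [networks], action)] in file order."""
    entries = []
    for name, mode, cond, action in ENTRY_RE.findall(text):
        # ip_network() raises ValueError on a prefix with host bits set.
        nets = [ipaddress.ip_network(a + m) for a, m in SRC_RE.findall(cond)]
        entries.append((name, "any" if "any" in mode else "all", nets, action))
    return entries

def decide(entries, source):
    """First matching entry wins; no match returns deny (assumption)."""
    ip = ipaddress.ip_address(source)
    for name, mode, nets, action in entries:
        hits = [ip.version == n.version and ip in n for n in nets]
        matched = any(hits) if mode == "any" else all(hits)
        if matched:
            return action, name
    return "deny", None

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for src in ("147.32.87.255", "2001:718:2:16ff::1", "192.168.2.10", "10.0.0.5"):
        print(src, *decide(rules, src))
```

Paste the text of the policy file being reviewed into POLICY and list the management stations that must keep access; any that come back as deny would be locked out once the profile is applied.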