[e-nsp] Extreme newbie questions...

Luis Mercado lmercado at logicworks.net
Tue Aug 6 16:06:33 EDT 2013


Hi Simon,

[1]
We are using Extreme switches mainly for their layer 2 functionality (EAPS). Quite frankly I don't trust them
as layer III devices. We are using x650s and x460s. I don't have the OSPF problem you are having. It sounds like
it is an MTU issue. There are two ways to set the MTU on these. You can set the MTU on a VLAN for routing and
you can set it on the port.

configure ip-mtu 1500 vlan test

(I use the default 1500 for routing and 9000 for switching)

or 

enable jumbo-frame ports all
configure jumbo-frame-size 9000

[2]

I have not set up rancid on our switches yet but I do have it set to save the config to a tftp server every time I log in.
The script checks the logs for authenticated events and uploads configs and policies to the tftp server. It works!!
At the server I have a script that moves the files from the tftp directory and sorts them into their own directories.
I included all here..

# Module ems configuration.
#
create log filter AAA_Login
configure log filter AAA_Login add events AAA.authPass
create log target upm Upload_config
enable log target upm Upload_config
configure log target upm Upload_config filter AAA_Login severity Info



# Module upm configuration.
#
create upm profile Upload_config
enable cli scripting
set var CLI.OUT " "
ls
set var cntrl_cfg 1
set var base_list $TCL(join ${CLI.OUT})
set var base_list $TCL(lsort $base_list)
set var base_list $TCL(split $base_list)
delete var "CLI.OUT"
set var CLI.OUT " " 
show switch 
set var base_list2 $TCL(split ${CLI.OUT} "\n")
set var baseSystemTime $TCL(clock seconds)
set var systemTime $TCL(clock format $baseSystemTime -format {%Y.%m.%d_%H.%M.%S})
#set var systemTime $TCL(clock format $baseSystemTime -format {%m.%d.%Y_%H.%M.%S})
set var systemname $TCL(lindex $base_list2 1)
set var systemname $TCL(string replace $systemname 0 17 {})
delete var "CLI.OUT"
set var filename "$(systemname)_$(systemTime)_"
delete var systemname
delete var systemtype
delete var systemTime
while ($cntrl_cfg == 1) do
set var configcfg $TCL(lsearch -glob $base_list *cfg*)
set var configcfgFile $TCL(lindex $base_list $configcfg)
set var base_list $TCL(lreplace $base_list $configcfg $configcfg deleted)
tftp put 10.252.7.20 vr VR-Mgmt $(configcfgFile) $(filename)$(configcfgFile)
set var cntrl_cfg $TCL(regexp -nocase {cfg} $base_list)
endwhile
set var CLI.OUT " "
ls
set var base_list $TCL(join ${CLI.OUT})
set var base_list $TCL(lsort $base_list)
set var base_list $TCL(split $base_list)
delete var "CLI.OUT"
set var cntrl_cfg 1
while ($cntrl_cfg == 1) do
set var polcfg $TCL(lsearch -glob $base_list *pol*)
set var polcfgFile $TCL(lindex $base_list $polcfg)
set var base_list $TCL(lreplace $base_list $polcfg $polcfg deleted)
tftp put 10.252.7.20 vr VR-Mgmt $(polcfgFile) $(filename)$(polcfgFile)
set var cntrl_cfg $TCL(regexp -nocase {pol} $base_list)
endwhile
upload config 10.252.7.20  $(filename).xsf VR-Mgmt
delete var base_list 
delete var configcfg
delete var configcfgFile
delete var cntrl_cfg
delete var base_list2
delete var filename

.

#

The (.) dot above the # sign is necessary.



Here is the crontab script. It grabs the files from the tftp directory and moves them to /switchconfigs (creates a folder per device)

perl -e'$b="/tftpboot/";$e="/switchconfigs";@l=`ls -1 $b|grep -E "cfg|xsf|pol"|grep -v pxelinux`;foreach(@l){chomp($_);next if(!m/^[[:alnum:]\.-]+\_/);@p=split(/_/,$_);`mkdir -p $e/$p[0]` if(!-d"$e/$p[0]");`mv $b\/$_ $e\/$p[0]`;}'


[3]

After you modify the policy file you have to check it and refresh it. (this is the official way to do it)

(this checks the policy for parsing errors) Note that there are different types of policies. If your policy is an access-list you need to append the "access-list" parameter at the end.

check policy mgmt-acl access-list
refresh mgmt-acl  test

Be careful when refreshing policies, especially when you have a stack of 4 switches. We've had issues where we refreshed a policy and it took down our six-node stack.
The best policy is to modify the policy, check it, then remove it from the profile (or interface) and re-add it.


[4]

I have not seen that error.



Regards,

-LM

-----Original Message-----
From: extreme-nsp [mailto:extreme-nsp-bounces at puck.nether.net] On Behalf Of Simon Lockhart
Sent: Tuesday, August 06, 2013 12:25 PM
To: extreme-nsp at puck.nether.net
Subject: [e-nsp] Extreme newbie questions...

Sorry, two emails in the space of 10 minutes...

A few questions from an Extreme newbie :)

1) Is there a BCP for configuring Extreme switches to be "secure"? There's a
   few different templates out there for Cisco, which I've based my current
   config templates on, but I've not yet stumbled on anything for Extreme.
   Anyone aware of anything?

2) Is anyone using Rancid to back up configs off Extreme switches? I've tried
   with an X460 (running 15.3.1.4), and Rancid keeps reporting lines coming
   and going - as if it's not coping with the paging on a "show config". Any
   hints for making it work properly before I start hacking at the Rancid code?

3) I'm configuring ACLs for SSH, telnet, etc, using a policy file, and then
   "configure ssh2 access-profile mgmt-acl" in the config. This appears to do
   what I expect, but I then can't edit the policy without removing it from the
   config, and the policy files aren't easy to paste onto the switch when
   building a new config. Is there a better way to do this? (Oh, and Rancid
   doesn't seem to back up the policy files)

4) Anyone seen this error message before? "<Erro:MPLS.DPM.UNEX>   => 
   Unexpected malloc failure at exd_new_hist:321"? I'm getting this logged a
   lot on an X460 running MPLS, but it doesn't _appear_ to be affecting 
   anything. I've got an SR open with Extreme TAC about it, but they're being
   surprisingly quiet about it.

Thanks in advance, :)

Simon
_______________________________________________
extreme-nsp mailing list
extreme-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/extreme-nsp
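
Added example, not part of the original message or of any Extreme tooling: a Python version of the cron sorter from the reply above that never hands a file name to a shell, since TFTP is unauthenticated and anything that can reach the server can create files in /tftpboot. It assumes the <systemname>_<YYYY.MM.DD>_<HH.MM.SS>_<file> names produced by the UPM profile; sort_uploads and NAME_RE are hypothetical names.

```python
import os
import re
import shutil
import tempfile

# <systemname>_<YYYY.MM.DD>_<HH.MM.SS>_<file>, as built by the UPM profile's
# $(filename) prefix. The host part must start with an alphanumeric, so it can
# never be "." or "..", and no path separator or shell metacharacter is allowed.
NAME_RE = re.compile(
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)_"
    r"\d{4}\.\d{2}\.\d{2}_\d{2}\.\d{2}\.\d{2}_"
    r"(?P<file>[A-Za-z0-9._-]*\.(?:cfg|pol|xsf))"
)


def sort_uploads(tftp_dir, dest_root):
    """Move well-formed uploads to dest_root/<host>/; return (moved, skipped)."""
    moved, skipped = [], []
    for entry in sorted(os.scandir(tftp_dir), key=lambda e: e.name):
        match = NAME_RE.fullmatch(entry.name)
        # Regular files only: a symlink sitting in the TFTP root is not followed.
        if match is None or not entry.is_file(follow_symlinks=False):
            skipped.append(entry.name)
            continue
        host_dir = os.path.join(dest_root, match.group("host"))
        os.makedirs(host_dir, mode=0o750, exist_ok=True)
        # Same-filesystem moves are a rename; no shell ever sees the name.
        shutil.move(entry.path, os.path.join(host_dir, entry.name))
        moved.append(entry.name)
    return moved, skipped


if __name__ == "__main__":
    # Constructed sample names; the real job would use /tftpboot and /switchconfigs.
    with tempfile.TemporaryDirectory() as tftp, tempfile.TemporaryDirectory() as dest:
        for name in ("core1_2013.08.06_16.06.33_primary.cfg",
                     "core1_2013.08.06_16.06.33_mgmt-acl.pol",
                     "core1_2013.08.06_16.06.33_.xsf",
                     "pxelinux.0",
                     "core1_primary.cfg; echo unexpected"):
            with open(os.path.join(tftp, name), "w") as fh:
                fh.write("constructed sample\n")
        moved, skipped = sort_uploads(tftp, dest)
        print("moved:", moved)
        print("skipped:", skipped)
```

Anything that does not match the expected name shape (pxelinux files included) is left in place and reported in the skipped list, which is worth logging from cron.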