[e-nsp] Extreme newbie questions...

Bruno Lebayle lebayle at esrf.fr
Wed Aug 7 01:58:19 EDT 2013


Hello Simon,

On 08/06/2013 06:24 PM, Simon Lockhart wrote:
> Sorry, two emails in the space of 10 minutes...
>
> A few questions from an Extreme newbie :)
>
> 1) Is there a BCP for configuring Extreme switches to be "secure"? There's a
>     few different templates out there for Cisco, which I've based my current
>     config templates on, but I've not yet stumbled on anything for Extreme.
>     Anyone aware of anything?

The VR-Mgmt and a separate out-of-band network where all the management 
ports are connected is pretty secure. When you couple this with an 
access-list for the ssh access, this seems sufficient in my view.

> 2) Is anyone using Rancid to backup configs off Extreme switches? I've tried
>     with an X460 (running 15.3.1.4), and Rancid keeps reporting lines coming
>     and going - as if it's not coping with the paging on a "show config". Any
>     hints for making it work properly before I start hacking at the Rancid code?

We are using Ridgeline (previously Epicenter) management software which 
comes with the automatic tftp of configs. We are also using "expect" 
scripts for various needs, and we could have used them for this purpose 
as well.

> 3) I'm configuring ACLs for SSH, telnet, etc, using a policy file, and then
>     "configure ssh2 access-profile mgmt-acl" in the config. This appears to do
>     what I expect, but I then can't edit the policy without removing it from the
>     config, and the policy files aren't easy to paste onto the switch when
>     building a new config. Is there a better way to do this? (Oh, and Rancid
>     doesn't seem to backup the policy files)

By principle, all policies are on our central servers (easier to grep, 
copy and so on). They are downloaded to the switches using tftp, so we 
don't care about saving the policies on the switch itself.
Ridgeline allows running commands on sites of switches, which is quite 
convenient for spreading policies.
Once downloaded using tftp, a check is recommended, then a refresh for 
applying the policy on the port's hardware.

> 4) Anyone seen this error message before? "<Erro:MPLS.DPM.UNEX>   =>
>     Unexpected malloc failure at exd_new_hist:321"? I'm getting this logged a
>     lot on an X460 running MPLS, but it doesn't _appear_ to be affecting
>     anything. I've got an SR open with Extreme TAC about it, but they're being
>     surprisingly quiet about it.

Sorry, we don't use MPLS.

Cheers,
Bruno.
_____________________________________________________________________
         o
      o  o  o       Bruno LEBAYLE - Systems and Communications group
   o   o o o   o    E.S.R.F (European Synchrotron Radiation Facility)
     o  ooo  o      6 rue Jules Horowitz BP220 38043 GRENOBLE CEDEX 9
o o o ooooo o o o  phone (33)4-7688-2258
     o  ooo  o      fax   (33)4-7688-2020
   o   o o o   o    email lebayle at esrf.fr
      o  o  o
         o          http://www.esrf.fr
_____________________________________________________________________

