Extreme Networks EOS 802.3ad link aggregation

Since we saved some cash by purchasing more 2×2 3705i Enterasys Extreme Networks APs instead of 3×3 APs during our AP upgrades, we were able to purchase a few other items. We picked up three c5g Enterasys Extreme Networks 48 port PoE switches, GBICs, and a few other parts. The first thing I did after we deployed 96 APs in our dorm rooms was set up 802.3ad link aggregation with my extra GBICs from our current N3 chassis to our g3 series switch. Phase two will be to install another DFE blade in the N3 chassis and spread the link aggregation between two DFE blades.

On with the Enterasys Extreme Networks switch commands:

1.) Egress all the proper VLANs you want trunked across the additional physical port. We will be setting up a lag.0.x port, and at that point the physical port egress no longer matters, but if the lag breaks down for some reason, the physical port will still have the correct VLANs trunked. You could also ensure that the single port lag command is set, but again I like to have the extra safety precautions in place.

Example ->set vlan egress
->set vlan egress 20 ge.4.24

2.) Egress all the proper VLANs on the lag port. Use the “show lacp” command to view the available lags and to make sure that LACP is globally enabled.

Example ->set vlan egress
->set vlan egress 20 lag.0.1

3.) Create a unique LACP admin key to statically set which ports will be joined to the lag.

Example ->set lacp aadminkey
->set lacp aadminkey lag.0.1 20

4.) Set the aadminkey on the physical port.

->set port lacp port ge.4.24 aadminkey 20

5.) Perform the same commands on the other switch that you will be connecting to. The aadminkey can be different on the other switch, but I like to use the same admin key on the opposite end if possible. Make sure you also have LACP enabled on the physical interfaces.

-> show port lacp port ge.4.24 status detail
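
The safety precaution from steps 1 and 2, as an added example that is not part of the original post: a Python check that every physical port joined to a lag by aadminkey egresses the same VLANs as the lag port. It assumes one VLAN id per "set vlan egress" command, as in the examples above; the sample config, including the second member port ge.4.23, is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the command form used in the steps above. ge.4.23 is a
# deliberately incomplete second member port so the audit has something to flag.
SAMPLE_CONFIG = """\
set vlan egress 20 ge.4.24
set vlan egress 30 ge.4.24
set vlan egress 20 lag.0.1
set vlan egress 30 lag.0.1
set vlan egress 20 ge.4.23
set lacp aadminkey lag.0.1 20
set port lacp port ge.4.24 aadminkey 20
set port lacp port ge.4.23 aadminkey 20
"""

PROMPT = r"^(?:->)?\s*"  # tolerate a pasted "->" CLI prompt
EGRESS = re.compile(PROMPT + r"set vlan egress (\d+) (\S+)")
LAG_KEY = re.compile(PROMPT + r"set lacp aadminkey (lag\.\d+\.\d+) (\d+)")
PORT_KEY = re.compile(PROMPT + r"set port lacp port (\S+) aadminkey (\d+)")

def audit_lag_egress(config):
    """Return findings where a member port's VLAN egress differs from its lag."""
    egress = defaultdict(set)  # port-string -> VLAN ids egressed on it
    lag_for_key, key_for_port = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := EGRESS.match(line):
            egress[m[2]].add(int(m[1]))
        elif m := LAG_KEY.match(line):
            lag_for_key[m[2]] = m[1]
        elif m := PORT_KEY.match(line):
            key_for_port[m[1]] = m[2]
    findings = []
    for port, key in sorted(key_for_port.items()):
        lag = lag_for_key.get(key)
        if lag is None:
            findings.append(f"{port}: aadminkey {key} is not set on any lag port")
            continue
        missing = sorted(egress[lag] - egress[port])
        extra = sorted(egress[port] - egress[lag])
        if missing:  # VLANs that would drop if the port ran outside the lag
            findings.append(f"{port}: missing VLANs {missing} egressed on {lag}")
        if extra:    # VLANs that would appear only when the lag is down
            findings.append(f"{port}: extra VLANs {extra} not egressed on {lag}")
    return findings

if __name__ == "__main__":
    for finding in audit_lag_egress(SAMPLE_CONFIG):
        print(finding)
```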

Losing control

As server administrators continue migrating to virtualization, network admins lose control. I’m not talking about psychological control, but network resource and management control. Server admins probably feel a sense of freedom. They are probably saying, “Now I don’t have to go and bother those pesky network admins to fire up a new server.” This can decrease the provision time, but this can also cause a very adverse side effect. See, I’m a network administrator and I work with networks all day long. From time to time I dabble in ESX and I also manage and maintain a few Linux and Windows servers. However, I’m by no means up to the task of daily server administration. I’m sure I can learn how to administer AD, mail, file shares, and print servers, but that’s not what I do on a daily basis. The same holds true for a server admin. I’m not saying they can’t figure out networking or do the basics, they just don’t do networking every day.

What that means is that from time to time you end up with virtual switches not configured or optimized properly. Firewall rules are bypassed by server admins with ease. QoS settings are not configured properly. You get the point. You thought the BYOD network was bad; well, the wild, wild west has just infiltrated your server network infrastructure as well. You now have BYOS (bring your own server). How secure are those prebuilt OVAs? Who really knows?

With all these thoughts and ideas in mind, what are the available options? I have currently been researching how we can regain control within these VM environments. Our current vendor Enterasys, now Extreme Networks, provides a method to MAC auth all devices seen on the switch port or lag that goes through a VM environment. This allows identification of VMs with their NAC solution. The Enterasys Extreme Networks switch can then apply dynamic policies to each frame coming across the switch port or lag. The default number of policies we can apply at one time is 8 on their S series switch. We would need a license to do 128 per port. Now maybe this is not the best strategy, but it’s one that I know of that can help. You can then create a default policy which blocks whatever you want based on rules up to L4. The server admin would then have to reach out to those good old network admins for correct policy enforcement. Enterasys even has a data center manager ESX plugin that can be used to ease management. Now I don’t believe that this is the best solution for all environments, as it has downsides as well. MAC spoofing is one that comes to mind and this setup doesn’t come without cost.

Therefore, the next solution I’m looking into is Open vSwitch. This would act as a front end add-on piece in ESX as I understand. Other hypervisors already use Open vSwitch. Using OpenFlow to control traffic QoS/policy could be another avenue to maintain network harmony. I will continue my research and will post my findings…

Extreme Networks acquires Enterasys – Comparison

The Acquisition

It’s official, Extreme Networks has acquired Enterasys Networks. We have lots of Enterasys gear, so we were highly interested to know the path that would be taken after the acquisition. At first, I couldn’t help wondering whether the acquisition was a play for Enterasys patents. However, that’s just pure speculation. We were informed by product management that all existing products would continue to follow the current end of support and end of life cycle, so that’s good news.

Overall, I think that the acquisition will be pretty positive. The current Extreme Networks profile was missing things that Enterasys offered such as their highly customized L2-L4 policy and NAC integration. Extreme also looks like they OEM Motorola wireless and Enterasys has their own wireless portfolio.

The biggest plus will be the extension of the switching/routing lineup. Enterasys had a small gap in their WAN solution. We discovered this when we were looking for a smaller port density WAN 1-10G BGP/OSPF capable router. Extreme Networks fills that gap and I’m sure there are many more complements that I haven’t mentioned.

Extreme Networks overview

The Summit x460 series would have fit the ticket as a smaller device we were looking for when we were planning to replace our old Juniper M7i tank. However, we ended up purchasing a few Brocade icx-6610’s. This was a few months back before we heard of the acquisition.

Here’s the lineup of what the current offering looks like from a few vendors that would have met our requirements at that time:

| Vendor | Extreme Summit x460 | Brocade icx-6610 | Enterasys SSA |
|---|---|---|---|
| 10/100/1000BASE-T Ports | 24 or 48 | 24 or 48 | 48 |
| Max 10G | 2 or 4 or 6 total (modules) | 8 total (lic to unlock) | 4 |
| 40G | 2 (summit stacking module) | 4 (stacking only) | na |
| Form Factor | Fixed/1RU | Fixed/1RU | Fixed/1RU |
| Stacking Support | yes | yes | yes |
| Redundant power | yes/hot swap | yes/hot swap | yes/hot swap |
| Routing – BGP4 | yes (lic to unlock) | yes (lic to unlock) | yes (lic to unlock) |

Each vendor may have more of a product lineup; for instance, Enterasys does have a 1-Slot chassis S-Series that can provide more options. However, we were trying to keep costs down and the move up to the 1-slot chassis increases costs. There are other vendors out there such as Juniper, HP, and Dell as well. Each has its ups and downs. The Enterasys SSA is built with custom ASICs and some other vendors typically carry the Broadcom chipset. Switching capacity was left out due to the fact that each vendor spec sheet may not compare equally. You can find more details with the links provided below:

http://www.enterasys.com/company/literature/s-ds.pdf

http://www.brocade.com/products/all/switches/product-details/icx-6610-switch/specifications.page

http://www.extremenetworks.com/libraries/products/MSComparisonChart_1636.pdf