Enterasys 802.3ad link aggregation

Since we saved some cash by purchasing more 2×2 3705i Enterasys APs instead of 3×3 APs during our AP upgrades, we were able to purchase a few other items. We picked up three C5G Enterasys 48-port PoE switches, GBICs, and a few other parts. The first thing I did after we deployed 96 APs in our dorm rooms was set up 802.3ad link aggregation with my extra GBICs from our current N3 chassis to our G3 series switch. Phase two will be to install another DFE blade in the N3 chassis and spread the link aggregation between two DFE blades.

On with the Enterasys Extreme Networks switch commands:

1.) Egress all the proper VLANs you want trunked across the additional physical port. We will be setting up a lag.0.x port, and at that point the physical port egress no longer matters, but if the lag breaks down for some reason, then the physical port will still have the correct VLANs trunked. You could also ensure that the single port lag command is set, but again I like to have the extra safety precautions in place.

Example ->set vlan egress
->set vlan egress 20 ge.4.24

2.) Egress all the proper VLANs on the lag port. Use the "show lacp" command to view the available lags and to make sure that LACP is globally enabled.

Example ->set vlan egress
->set vlan egress 20 lag.0.1

3.) Create a unique LACP admin key to statically set which ports will be joined to the lag.

Example ->set lacp aadminkey
->set lacp aadminkey lag.0.1 20

4.) Set the aadminkey on the physical port.

->set port lacp port ge.4.24 aadminkey 20

5.) Perform the same commands on the other switch that you will be connecting to. The aadminkey can be different on the other switch, but I like to try to use the same admin key on the opposite end if possible. Make sure you also have LACP enabled on the physical interfaces as well.

-> show port lacp port ge.4.24 status detail
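The whole sequence on both ends, as an added example rather than the post's own command listing: steps 1 to 5 above plus the global and per-port LACP enables and the single port lag safety the post mentions. Assumptions: VLANs 20 and 30 are the trunked VLANs, the N3 side uses ge.4.23-24 and the G3 side uses ge.1.47-48 as members, both ends use lag.0.1 with admin key 20, lines beginning with # are annotations rather than CLI input, and the enable/singleportlag keywords are from memory of the EOS command reference, so check them against the switch's own "?" help before pasting.

```text
# N3 chassis side (assumed members ge.4.23-24, lag.0.1, admin key 20)
# LACP globally on; confirm afterwards with "show lacp"
set lacp enable
# keep the lag up even if only one member negotiates (the safety the post mentions)
set lacp singleportlag enable
# step 1: trunk the VLANs on the physical ports as the fallback path
set vlan egress 20,30 ge.4.23-24
# step 2: trunk the same VLANs on the lag port, which carries traffic once the lag forms
set vlan egress 20,30 lag.0.1
# step 3: admin key that identifies lag.0.1
set lacp aadminkey lag.0.1 20
# step 4: bind the member ports to that key
set port lacp port ge.4.23-24 aadminkey 20
# LACP must run on the member ports themselves
set port lacp port ge.4.23-24 enable

# G3 switch side (assumed members ge.1.47-48); same lag and key, though the key may differ
set lacp enable
set lacp singleportlag enable
set vlan egress 20,30 ge.1.47-48
set vlan egress 20,30 lag.0.1
set lacp aadminkey lag.0.1 20
set port lacp port ge.1.47-48 aadminkey 20
set port lacp port ge.1.47-48 enable

# Verify on each end: both members should show as attached to lag.0.1,
# and the partner system ID should match the far switch
show lacp lag.0.1
show port lacp port ge.4.23-24 status detail
```

If a member shows as not attached, the usual causes are a mismatched aadminkey between the port and the lag, or LACP left disabled on one side's physical port.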

Extreme Networks Wireless AP3705i deployment

I’m working on deploying 96 wireless access points in our student dorm rooms. We originally started with an initial deployment of 40 wireless access points. We installed the original APs in the hallways, but had signal issues due to all the HVAC in the vertical walls. Hallway installation wasn’t the greatest idea to begin with, but at the time of the initial installation we had limited funding to run cables to every suite. In our new deployment, we required that contractors pull cables into certain suites. Each suite houses 4 rooms, so I decided to place an AP in every other room and staggered the APs from floor to floor. There wasn’t much HVAC or piping in the horizontal flooring above or below the rooms, so signal penetration worked a lot better between the floors.


For those of you asking why Enterasys (now Extreme Networks), well, we’re already an Enterasys shop and house 2 Enterasys 5110 wireless 10Gb capable controllers in our data center. Enterasys wireless also has a niche of now being able to push up to L4/QoS policies down to wireless users as they do on their wired gear. This makes redirecting blacklisted users through our NAC system a breeze.


I also decided to go with the Enterasys AP3705i, which is a 2×2 dual radio MIMO wireless access point, versus the 3×3 model. We ended up being able to double our AP count because the 3×3 radio was almost double in cost. We typically see around 65% 1×1 MIMO mobile devices, so higher AP density just ends up making more sense for us right now.


Losing control

As server administrators continue migrating to virtualization, network admins lose control. I’m not talking about psychological control, but network resource and management control. Server admins probably feel a sense of freedom. They are probably saying, “Now I don’t have to go and bother those pesky network admins to fire up a new server.” This can decrease the provision time, but it can also cause a very adverse side effect. See, I’m a network administrator and I work with networks all day long. From time to time I dabble in ESX and I also manage and maintain a few Linux and Windows servers. However, I’m by no means up to the task of daily server administration. I’m sure I can learn how to administer AD, mail, file shares, and print servers, but that’s not what I do on a daily basis. The same holds true for a server admin. I’m not saying they can’t figure out networking or do the basics, they just don’t do networking every day.

What that means is that from time to time you end up with virtual switches not configured or optimized properly. Firewall rules are bypassed by server admins with ease. QoS settings are not configured properly. You get the point. You thought the BYOD network was bad; well, the wild, wild west has just infiltrated your server network infrastructure as well. You now have BYOS (bring your own server). How secure are those prebuilt OVAs? Who really knows?

With all these thoughts and ideas in mind, what are the available options? I have currently been researching how we can regain control within these VM environments. Our current vendor Enterasys, now Extreme Networks, provides a method to MAC auth all devices seen on the switch port or lag that goes through a VM environment. This allows identification of VMs with their NAC solution. The Enterasys switch can then apply dynamic policies to each frame coming across the switch port or lag. The default number of policies we can apply at one time is 8 on their S series switch. We would need a license to do 128 per port. Now maybe this is not the best strategy, but it’s one that I know of that can help. You can then create a default policy which blocks whatever you want based on rules up to L4. The server admin would then have to reach out to those good old network admins for correct policy enforcement. Enterasys even has a data center manager ESX plugin that can be used to ease management. Now I don’t believe that this is the best solution for all environments, as it has downsides as well. MAC spoofing is one that comes to mind, and this setup doesn’t come without cost.

Therefore, the next solution I’m looking into is Open vSwitch. This would act as a front end add-on piece in ESX as I understand it. Other hypervisors already use Open vSwitch. Using OpenFlow to control traffic QoS/policy could be another avenue to maintain network harmony. I will continue my research and will post my findings…

Extreme Networks acquires Enterasys – Comparison

It’s official, Extreme Networks has acquired Enterasys Networks. We have lots of Enterasys gear, so we were highly interested to know the path that would be taken after the acquisition. At first, I couldn’t help thinking the acquisition was a play for Enterasys patents. However, that’s just pure speculation. We were informed by product management that all existing products would continue to follow the current end of support and end of life cycle, so that’s good news.

Overall, I think that the acquisition will be pretty positive. The current Extreme Networks profile was missing things that Enterasys offered such as their highly customized L2-L4 policy and NAC integration. Extreme also looks like they OEM Motorola wireless and Enterasys has their own wireless portfolio.

The biggest plus will be the extension of the switching/routing lineup. Enterasys had a small gap in their WAN solution. We discovered this when we were looking for a smaller port density WAN 1-10G BGP/OSPF capable router. Extreme Networks fills that gap, and I’m sure there are many more complements that I haven’t mentioned.

Extreme Networks overview

The Summit x460 series would have fit the ticket as the smaller device we were looking for when we were planning to replace our old Juniper M7i tank. However, we ended up purchasing a few Brocade ICX-6610s. This was a few months back, before we heard of the acquisition.

Here’s the lineup of what the current offering looks like from a few vendors that would have met our requirements at that time:

| Vendor                  | Extreme Summit x460          | Brocade ICX-6610        | Enterasys SSA       |
|-------------------------|------------------------------|-------------------------|---------------------|
| 10/100/1000BASE-T Ports | 24 or 48                     | 24 or 48                | 48                  |
| Max 10G                 | 2 or 4 or 6 total (modules)  | 8 total (lic to unlock) | 4                   |
| 40G                     | 2 (Summit stacking module)   | 4 (stacking only)       | n/a                 |
| Form Factor             | Fixed/1RU                    | Fixed/1RU               | Fixed/1RU           |
| Stacking Support        | yes                          | yes                     | yes                 |
| Redundant power         | yes/hot swap                 | yes/hot swap            | yes/hot swap        |
| Routing – BGP4          | yes (lic to unlock)          | yes (lic to unlock)     | yes (lic to unlock) |

Each vendor may have more of a product lineup; for instance, Enterasys does have a 1-slot chassis S-Series that can provide more options. However, we were trying to keep costs down, and the move up to the 1-slot chassis increases costs. There are other vendors out there such as Juniper, HP, and Dell as well. Each has its ups and downs. The Enterasys SSA is built with custom ASICs, while some other vendors typically carry the Broadcom chipset. Switching capacity was left out due to the fact that each vendor spec sheet may not compare equally. You can find more details with the links provided below:

http://www.enterasys.com/company/literature/s-ds.pdf

http://www.brocade.com/products/all/switches/product-details/icx-6610-switch/specifications.page

http://www.extremenetworks.com/libraries/products/MSComparisonChart_1636.pdf

Extreme Networks Oneview/NAC

I have finally made it back for another blog entry. I have been pretty busy at work getting ready for the start of the new semester. A few projects that I have been working on include wireless upgrades, multipath BGP, adding a third core, and spending time on documentation. We are an Enterasys shop, now Extreme Networks. I know, I know, some of you are thinking, who’s Enterasys? Well, we have been running their switching, routing, and wireless gear for quite some time now. I remember having equipment that still had the Cabletron label. Enterasys, now Extreme Networks, does some pretty cool stuff, so I would recommend that you check them out, especially if you’re into all-in-one tools to help assist you.

I figured I would give you a taste of what Extreme Networks Oneview has to offer. We just upgraded to version 5 and there are a lot of cool wireless features that have been added. Check it out.


The OneView web portal ties in the Extreme Networks NAC (network access control) stats piece as well. As soon as we get NetFlow going, we will be able to tie user and NetFlow data together. Just to give you a little background on Extreme Networks NAC: we can basically apply up to L4 dynamic policy on any of our Extreme Networks edge switching and wireless devices. You can use 802.1X, MAC authentication, or even web registration. If you tie back into AD or LDAP, you can assign different policies based on group membership. You can even fire up the Extreme Networks NAC agent on machines and make sure everyone is up to date on Windows updates, anti-virus, or any other service you want to check up on. If they are not compliant, you can just inform on that, or you can deny traffic altogether. It’s up to you.
