Enterasys Securestack C3
One of the Force10_S50s failed (flapping all its links uncontrollably), so an Enterasys Securestack C3G124-48P has been acquired from eBay.
Quick specs:
- 48 1000baseT ports
- 4 SFP ports that can assume the roles of 1000baseT ports 45-48
- 2 proprietary stacking ports in the back
- DB-9 (DE-9, actually) serial console port on the front wired as DTE. Use a standard null modem cable to talk to this.
This switch is Broadcom based.
Wiping the existing config
Attach a console cable, run a terminal program, and set the port to 9600-8n1, no carrier detect, no flow control. Power on the switch and let it boot completely. Follow the process as documented at https://community.extremenetworks.com/extreme/topics/password_recovery_for_the_securestack_series-1jwf24 to reset the switch's passwords:
- While the switch is operational, press and hold the Reset button for five seconds, then release.
- A "Password Reset button has been pressed" message will display on the cli console and in the current.log (5487).
- The admin, rw, and ro login passwords will be reset to <enter>; and with C2 f/w 3.01.45 and higher, the boot menu password will be reset to the default value of "administrator" (5551).
From here, log in to the console as the rw user. Its password is now blank. Issuing the clear config command will do the expected (wipe the saved configuration) and reboot the switch. The reset button is small and unlabeled, located on the back of the chassis, to the right of one of the stacking connectors.
Basic setup
Configuration of these switches is somewhat different from the Cisco IOS influenced setup of most other managed switches on the market. Changes are made through a series of set commands. Look for a manual called the "SecureStack C3 Stackable Switches Configuration Guide" with Google for information. We'll highlight changes made in this wiki page. Command line tab completion and "?" inline help work as in most other switches.
change factory default passwords
Log in to the switch as a user with super-user privileges. (Super users can make config changes as well as administer switch users.) The factory default super user account is admin. Listing user accounts:
C3(su)->show system login
Password history size: 0
Password aging : disabled
Username    Access      State
admin       super-user  enabled
ro          read-Only   enabled
rw          read-write  enabled
C3(su)->
And changing a user's password:
C3(su)->set system login admin super-user enable password newpassword
C3(su)->
Repeat for the other user accounts:
C3(su)->set system login rw read-write enable password newpassword
C3(su)->set system login ro read-only enable password newpassword
C3(su)->
Assign an IP address to the switch
I like to put my switches' management IPs at the top of the range for each of the subnets they are on. 172.16.0.0/24 is the main inside subnet here. So log in to the switch as rw or similar and give it an IP like so:
C3(rw)->set ip address 172.16.0.254 mask 255.255.255.0
C3(rw)->
Checking its IP address is similar:
C3(rw)->show ip address
Name          Address         Mask
------------  --------------  -----------------
host          172.16.0.254    255.255.255.0
C3(rw)->
Except: You really want to put an IP address on VLAN 1 instead. See below for how that works. Static IP for the switch management works just fine here for now.
Or set it to be a DHCP client
C3(rw)->set ip protocol dhcp
Changing protocol mode will reset ip configuration.
Are you sure you want to continue? (y/n)y
C3(rw)->save config
Saving Configuration to stacking members
C3(rw)->
Naturally, the DHCP server's config needs some updates to include this device.
You do want it to have a static IP, right?
If you're weird like me and do a lot of static DHCP reservations (hey, it lets you easily change things like your DNS and NTP servers), you'll want the switch's MAC address. Find it like so:
C3(rw)->show mac type mgmt
MAC Address        FID   Port           Type
-----------------  ----  -------------  --------
00-1F-45-85-17-38  1     host           Management
C3(rw)->
And update the DHCPD config appropriately.
IPv6, anyone?
C3(rw)->set ipv6 enable
C3(rw)->show ipv6 address
Name   IPv6 Address
-----  ----------------------------------------
host   FE80::21F:45FF:FE85:1738/64
C3(rw)->
Pinging that from a host system works as expected:
adj@stuff-puter:~$ ping6 -c 3 fe80::21f:45ff:fe85:1738%eth0
PING fe80::21f:45ff:fe85:1738%eth0(fe80::21f:45ff:fe85:1738) 56 data bytes
64 bytes from fe80::21f:45ff:fe85:1738: icmp_seq=1 ttl=64 time=0.906 ms
64 bytes from fe80::21f:45ff:fe85:1738: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from fe80::21f:45ff:fe85:1738: icmp_seq=3 ttl=64 time=0.735 ms

--- fe80::21f:45ff:fe85:1738%eth0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.735/0.908/1.083/0.142 ms
adj@stuff-puter:~$
Turn on ye olde SSH server
RS-232 is so 1960s...
C3(rw)->set ssh enabled
SSH hostkey generation initiated. Process should complete in 60 seconds.
C3(rw)->
My SSH client (Debian 7 (openssh-client 1:6.0p1-4+deb7u2)) is unable to negotiate a cipher and MAC spec that work with this switch. Selecting them on the command line as follows works, though:
adj@sacredchao:~$ ssh -c aes128-cbc -m hmac-sha1 rw@theswitchdnsname
And it works over IPv6, too:
adj@sacredchao:~$ ssh -c aes128-cbc -m hmac-sha1 rw@fe80::21f:45ff:fe85:1738%br0
rw@fe80::21f:45ff:fe85:1738%br0's password:

Enterasys SecureStack C3
Command Line Interface

Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.

Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com

(c) Copyright Enterasys Networks, Inc. 2011

Chassis Serial Number: 10300519225N
Chassis Firmware Revision: 05.02.18.0002
C3(rw)->
configuration backup
The low-tech way
Just get a screen capture:
C3(rw)->set length 0
C3(rw)->show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#Router Configuration
#arp
!
#arpinspection
!
[and so on, through all the config sections]
Note here that all of the set ... commands can be pasted back into the switch to rebuild the configuration.
Higher tech: using TFTP
Since the switch has an IP address, let's make a copy of its configuration over the network:
First step, make a copy of the current config and save it on the switch:
C3(su)->show config all outfile configs/2015-05-21T2230.cfg
Overwrite existing file (y/n) [n]?y
C3(su)->
Next, save it to a writeable TFTP server somewhere convenient:
C3(su)->copy configs/2015-05-21T2230.cfg tftp://tftp_server_IP_or_name/2015-05-21T2230.cfg
File transfer operation completed successfully.
C3(rw)->
This may require some work on the TFTP server end. On Debian 7, running tftpd-hpa, the target file must already exist and be world-writeable.
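Once backups land on the TFTP server, the next question is whether the running config has changed since the last one. This added example (not Enterasys tooling, and not from this page) normalises a "show config" dump into per-section command lists, pulls out the replayable set lines mentioned in the screen-capture section above, and reports drift between two backups. The sample dumps are constructed from the "show config vlan" output shown later on this page; SAMPLE_NEW is a hypothetical later backup with one extra egress port.

```python
# Constructed sample, based on the 'show config vlan' output shown on this page.
SAMPLE_OLD = """This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#vlan
set vlan create 100
set vlan name 100 "SNOWMAN server mgt 172.20.0.0/24"
set vlan egress 100 ge.1.48 tagged
set vlan egress 100 ge.1.17-24 untagged
!
end
C3(rw)->"""
# Hypothetical later backup: the same config with one extra egress port.
SAMPLE_NEW = SAMPLE_OLD.replace("!\nend", "set vlan egress 100 ge.1.2 tagged\n!\nend")

def parse_sections(dump):
    """{section: [config lines]}. The preamble, begin/end, the NON-DEFAULT banner,
    '!' separators and anything outside begin/end (prompts) are dropped."""
    sections, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "end":
            current = None            # back outside the config body
        elif line in ("", "!", "begin") or line.startswith("#*****"):
            continue
        elif line.startswith("#"):    # section header such as '#vlan'
            current = line[1:].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def set_commands(dump):
    """Only the Enterasys-style 'set ...' lines, which paste straight back into the
    CLI; router-mode lines (interface vlan ...) must be replayed as their own block."""
    return [l for lines in parse_sections(dump).values() for l in lines if l.startswith("set ")]

def config_drift(old, new):
    """(added, removed) lines between two backups, compared per section, so reordering is not a change."""
    o, n = parse_sections(old), parse_sections(new)
    added, removed = [], []
    for name in sorted(set(o) | set(n)):
        o_lines, n_lines = set(o.get(name, [])), set(n.get(name, []))
        added += sorted(n_lines - o_lines)
        removed += sorted(o_lines - n_lines)
    return added, removed
```

Run config_drift over yesterday's and today's TFTP copies; any unexpected line in the added or removed lists is a change nobody on the team made.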
christening
Names are nice shorthand for "Enterasys Securestack C3G124-48P serial number 10300519225N located at elevation 45 in the first rack in the basement data center." We'll call this one thelowerenterasysswitch (which is not much better, really, but illustrative).
C3(rw)->set system name "thelowerenterasysswitch"
LLDP -- who's that talking on my ports?
Enable LLDP on all ports:
C3(rw)->set lldp port status both ge.1.1-48
C3(rw)->save config
LLDP is an IEEE protocol. Cisco has its own equivalent called Cisco Discovery Protocol or CDP. (The Enterasys (now Extreme Networks) folks will tell you it started as "Cabletron Discovery Protocol" and Cisco licensed it long ago. Regardless, they do pretty much the same thing.) Let's see who is plugged in:
C3(rw)->show neighbors
Port     Device ID          Port ID            Type     Network Address
---------------------------------------------------------------------------------
ge.1.2   theciscowap        GigabitEthernet0   ciscodp  172.16.0.252
ge.1.16  thekitchenciscow   GigabitEthernet0   ciscodp  172.16.0.253
ge.1.16  00:27:13:65:A7:31  00-26-C6-6A-DD-84  lldp     10.255.224.8
ge.1.32  SEP000CCE91C797    Port 1             ciscodp  172.16.0.24
C3(rw)->
Note that port ge.1.16 has 2 neighbors. The first is the Cisco wireless access point running CDP, and the second is a wifi client running LLDP. SEP000CCE91C797 on port ge.1.32 is a Cisco VoIP phone that's getting its power from the switch. Power over Ethernet (PoE) will be discussed in another section.
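The two-neighbor case on ge.1.16 is exactly what a periodic check should surface: an access port that suddenly shows more than one neighbor means something is bridging behind it. This added example (mine, not from the page or the vendor) parses the "show neighbors" table above and lists such ports. Note the "Port 1" port ID contains a space, so the parser anchors on the Type column instead of splitting on whitespace.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the 'show neighbors' output on this page.
SAMPLE = """C3(rw)->show neighbors
Port     Device ID          Port ID            Type     Network Address
---------------------------------------------------------------------------------
ge.1.2   theciscowap        GigabitEthernet0   ciscodp  172.16.0.252
ge.1.16  thekitchenciscow   GigabitEthernet0   ciscodp  172.16.0.253
ge.1.16  00:27:13:65:A7:31  00-26-C6-6A-DD-84  lldp     10.255.224.8
ge.1.32  SEP000CCE91C797    Port 1             ciscodp  172.16.0.24
C3(rw)->"""

# Port ID may contain spaces ("Port 1"), so match it lazily and let the
# Type column (ciscodp or lldp) decide where it ends.
ROW = re.compile(r"^(?P<port>\S+)\s+(?P<device>\S+)\s+(?P<port_id>.+?)\s+"
                 r"(?P<type>ciscodp|lldp)\s+(?P<addr>\S+)$")

def parse_neighbors(text):
    """One dict per data row; header, separator and prompt lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def neighbors_by_port(text):
    """{port: [neighbor rows]} so multi-neighbor ports are easy to spot."""
    by_port = defaultdict(list)
    for row in parse_neighbors(text):
        by_port[row["port"]].append(row)
    return dict(by_port)

def multi_neighbor_ports(text):
    """Ports with more than one neighbor: an AP plus a client, a daisy-chained
    switch, or something unexpected; compare against the known topology."""
    return sorted(p for p, rows in neighbors_by_port(text).items() if len(rows) > 1)
```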
VLANs
SecureStack C3 switches (or a stack of C3 switches) support up to 1000 VLANs.
create a new VLAN (and add some settings)
C3(rw)->set vlan create 900
It is also possible to create ranges of VLANs in one go:
C3(rw)->set vlan create 200-299
human meaningful description for a VLAN
C3(rw)->set vlan name 900 "Chop down the biggest tree in the forest with a ... herring!!!"
Name must be 32 characters or less.
C3(rw)->set vlan name 900 "Bring us a shrubbery!"
C3(rw)->show vlan 900
VLAN: 900  NAME: Bring us a shrubbery!
VLAN Type: Permanent
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged ports
None.
C3(rw)->
Tagged frames must flow!
Set all ports on stack unit 1 to carry VLAN 900 tagged on all ports:
C3(rw)->set vlan egress 900 ge.1.1-48 tagged
C3(rw)->
How that looks when the switch is running:
C3(rw)->show vlan 900
VLAN: 900  NAME: Bring us a shrubbery!
VLAN Type: Permanent
Egress Ports
ge.1.2, ge.1.7, ge.1.16, ge.1.32, ge.1.34
Forbidden Egress Ports
None.
Untagged ports
None.
C3(rw)->
The listed egress ports are only those that are currently up. Plug another link partner in on a new port and that port will be listed as an egress port, too.
untagged frames must flow (too)
Use this to set the untagged ingress VLAN ID for a range of ports:
C3(rw)->set port vlan ge.1.17-24 100
The PVID is used to classify untagged frames as they ingress into a given port.
Would you like to add the selected port(s) to this VLAN's untagged egress list
and remove them from all other VLANs untagged egress list (y/n) [n]?
NOTE: Choosing 'y' will not remove the port(s) from previously configured tagged egress lists.y
C3(rw)->show vlan portinfo port ge.1.17
Port     VLAN   Ingress   Egress
                Filter    Vlan
-----------------------------------------------------------------
ge.1.17  100    N         untagged: 100
C3(rw)->show vlan portinfo vlan 100
Port     VLAN   Ingress   Egress
                Filter    Vlan
-----------------------------------------------------------------
ge.1.17  100    N         untagged: 100
ge.1.18  100    N         untagged: 100
ge.1.19  100    N         untagged: 100
ge.1.20  100    N         untagged: 100
ge.1.21  100    N         untagged: 100
ge.1.22  100    N         untagged: 100
ge.1.23  100    N         untagged: 100
ge.1.24  100    N         untagged: 100
C3(rw)->
delete a VLAN
Pretty simple, really:
C3(rw)->clear vlan 900
C3(rw)->show vlan 900
Vlan number 900 does not exist on this device.
C3(rw)->
This one also takes VLAN ranges instead of just a single VLAN number or name.
Layer 3 (IP) services for the VLANs
Wherein we create VLAN 100, configure some ports to carry it, and set up DHCP relaying from those ports to the main DHCP server.
C3(rw)->set vlan create 100
C3(rw)->set vlan name 100 "SNOWMAN server mgt 172.20.0.0/24"
C3(rw)->set vlan egress 100 ge.1.17-24 untagged
C3(rw)->set vlan egress 100 ge.1.48 tagged
That's all there is to the Layer 2 configuration. The switch knows about VLAN 100. It's untagged on ports ge.1.17 through ge.1.24. And it's tagged on port ge.1.48, which is this switch's connection to the rest of the network.
This next block gets interesting. We go from command syntax that is Enterasys style (set blah ...) to something that looks like a Cisco IOS switch:
C3(rw)->router
C3(rw)->router>enable
C3(rw)->router#configure
Enter configuration commands:
C3(rw)->router(Config)#interface vlan 100
C3(rw)->router(Config-if(Vlan 100))#ip helper-address 172.16.0.1
C3(rw)->router(Config-if(Vlan 100))#ip address 172.20.0.254 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#no shutdown
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
So, set up a Layer 3 (IPv4) interface on VLAN 100, tell it the DHCP helper is 172.16.0.1, give it an IP address of 172.20.0.254/24, enable it (they come shut down by default), and leave configuration mode.
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->save config
Saving Configuration to stacking members
C3(rw)->
And now we're back at the Enterasys CLI. Relevant sections of the switch config:
C3(rw)->show config vlan
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#vlan
set vlan create 100
set vlan name 100 "SNOWMAN server mgt 172.20.0.0/24"
set vlan egress 100 ge.1.48 tagged
set vlan egress 100 ge.1.17-24 untagged
!
end
C3(rw)->show config router
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#Router Configuration
router
enable
configure
interface vlan 100
no shutdown
ip address 172.20.0.254 255.255.255.0
ip helper-address 172.16.0.1
exit
exit
exit
exit
end
C3(rw)->
And that should be it, right? Well, no, it isn't. Remember how the switch has an IP on the default VLAN, too? The layer 3 router can't do anything with that. We need to get it an IP on VLAN 1 so that the DHCP relaying can work:
C3(rw)->set ip protocol none
Changing protocol mode will reset ip configuration.
Are you sure you want to continue? (y/n)y
C3(rw)->router
C3(rw)->router>enable
C3(rw)->router#configure terminal
Enter configuration commands:
C3(rw)->router(Config)#interface vlan 1
C3(rw)->router(Config-if(Vlan 1))#ip address 172.16.0.254 255.255.255.0
C3(rw)->router(Config-if(Vlan 1))#no shutdown
C3(rw)->router(Config-if(Vlan 1))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
       * - candidate default, U - per user static route

C 172.16.0.0/24 [0/1] directly connected, Vlan 1
C 172.20.0.0/24 [0/1] directly connected, Vlan 100
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->show ip route

INET route table
Destination                    Gateway      Flags  Use  If    Metric
127.0.0.1                      127.0.0.1    UH     0    lo0   5
172.16.0.0/24                  127.0.0.1    UC     1    rt2   5
172.16.0.254                   127.0.0.1    UH     0    lo0   5
172.20.0.0/24                  127.0.0.1    UC     0    rt1   5
172.20.0.254                   127.0.0.1    UH     0    lo0   5

INET6 route table
Destination                    Gateway      Flags  Use  If    Metric
::1                            ::1          UH     0    lo0   5
FE80::21F:45FF:FE85:1738%host  ::1          UH     0    lo0   5
C3(rw)->
Added bonus here: the switch hasn't pulled a default route from the DHCP server any more.
What time is it? It's time for lunch!
(Bubble Guppies on Nickelodeon TV network for kids.)
Configure switch to set its clock against an NTP reference.
C3(rw)->set sntp client unicast
C3(rw)->set sntp server 172.16.0.1 precedence 1
C3(rw)->set sntp server 172.16.0.65 precedence 2
C3(rw)->show sntp
SNTP Version: 3
Current Time: THU JUN 25 16:14:25 2015
Timezone: offset from UTC is 0 hours and 0 minutes
Client Mode: unicast
Broadcast Count: 0
Poll Interval: 9 (512 seconds)
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 1
Last SNTP Update: THU JUN 25 16:13:26 2015
Last SNTP Request: THU JUN 25 09:17:52 2015
Last SNTP Status: Success

SNTP-Server    Precedence  Status
-------------------------------------------
172.16.0.1     1           Active
172.16.0.65    2           Active
C3(rw)->
port descriptions
Port aliases seem to be the equivalent of other switch vendors' port descriptions:
C3(rw)->set port alias ge.1.1 'PE 1950 s/t FD5RMF1 dedicated DRAC connection'
C3(rw)->show port alias ge.1.1
Port ge.1.1  PE 1950 s/t FD5RMF1 dedicated DRAC connection
C3(rw)->
Let's span our trees!
The various IEEE spanning tree protocols (802.1D Spanning Tree Protocol (STP), 802.1w Rapid Spanning Tree Protocol (RSTP), and 802.1s Multiple Spanning Tree Protocol (MSTP)) prevent loops in a multi-switch Ethernet environment.
Turn on Multiple Spanning Tree Protocol (802.1s)
C3(rw)->set spantree version mstp
Yeah, this needs a great deal of filling out. Sorry.