Extreme Networks Data Sheet
ExtremeXOS Operating System, Version 12.4
Extreme Networks® has revolutionized the industry by creating the ExtremeXOS modular Operating System (OS)—a highly available and extensible foundation for high-performance networks. ExtremeXOS raises the bar for availabil- ity, critical for offering carrier-grade voice and video services over IP and for supporting mission-critical business applications.
Built-in security capabilities provide network ExtremeXOS® Operating System—a highly available, secure, access control integrated with end-point integrity open and extensible foundation for high-performance Ethernet- checking, identity management, and protection based converged networks. for the network control and management planes.
With an ExtremeXOS OS you can extend the High Availability Architecture capabilities of your network by integrating specialized application appliances such as security • Reduce network downtime using hitless failover devices into the network, providing insight and and module-level software upgrade control at the network, application and user level. • Prevent system corruption using memory protection for processes Architectural Highlights • Avoid system reboots using self-healing process recovery • Memory Protection for Processes • Self-Healing Process Recovery via Process Extensibility Restart or Hitless Failover • Integrate best-of-breed applications to your network with an • Dynamic Loading of New Functionality open, yet secure XML-based Application Programming • Scriptable CLI for Automation and Event Interface (API) Triggered Actions • Integrate Extreme Networks and third-party developed • XML Open APIs for Integrating Third-Party software applications using open standards-based POSIX Applications interfaces • Dual-stack IPv4 and IPv6 Support • Scripting-based device management for incremental configuration deployment and ease of management
Integrated Security • Guard access to the network through authentication, Network Login/802.1x, host integrity checking, and Identity Management • Harden the network infrastructure with Denial of Service (DoS) protection and IP Security against man-in-the-middle and DoS attacks • Secure management using authentication and encryption
The ExtremeXOS OS provides the reliable transport needed for converged network services using a variety of resiliency protocols. Extreme Networks Data Sheet
High Availability Continuous network uptime and predictable service quality is vital for mission-critical applications such as virtualized Data Centers, converged Enterprise campuses, Carrier Ethernet deployments and many others. The high availability of the ExtremeXOS OS creates a resilient infrastructure capable of maximum network integrity for mission-critical applications.
Modular Operating System Graceful restart is a way for OSPF-2, BGP-4 would not re-converge) during the time for and IS-IS protocols to restart without restarting OSPF, BGP or IS-IS. Should route True preemptive scheduling and memory disrupting traffic forwarding. Without updates still exist, graceful restart incremen- protection allow each of the many graceful restart, adjacent routers will tally performs these updates after the applications—such as Open Shortest Path assume that information previously received restart. First (OSPF) and Spanning Tree Protocol from the restarting router is stale and won’t (STP)—to run as separate OS processes be used to forward traffic to that router. If CPU Denial of Service Protection that are protected from each other. This the peer routers support the graceful restart provides increased system integrity and extensions, then the router can restart the A DoS attack is an explicit attempt by an inherently protects against DoS attacks. routing protocol and continue to forward attacker to degrade or disable a switch by traffic correctly. overwhelming the switch’s system resources. The ExtremeXOS OS dramatically CPU DoS protection prevents attacks from increases network availability using Powered by ExtremeXOS, the BlackDiamond crippling the switch. Enhanced CPU DoS process monitoring and restart. Each chassis systems separate the forwarding protection capability from Extreme Networks independent OS process is monitored in function from the control function so that can detect, analyze and respond to threats real time. If a process becomes unrespon- traffic can still be forwarded independently of directed at the switch CPU. The technique sive or stops running, it may be possible to the state of the routing protocol function. uses counters to categorize and monitor automatically restart, or other automatic Routes learned remain in the routing table traffic flow into the switch’s CPU. If the traffic corrective actions such as hitless failover and packets continue to be forwarded. to the CPU exceeds a certain threshold, the to a redundant management module or switch will examine that traffic, determine if a standby stack master can be taken. If the network topology is not changing, the threat exists and activate a dynamic ACL to static routing table remains correct. In most prevent packets of the same type from The modular design of the ExtremeXOS cases, networks can remain stable (i.e. disrupting switch operations. OS allows the upgrading of certain individual software modules, should this be necessary, leading to higher availability in the network (see Figure 1). This includes security stacks such as SSH and SSL as well as the Converged Network 2 • Processes are monitored Analyzer VoIP SLA monitoring agent. 1 Memory protected Application modules and can be restarted or processes under can be added during other action taken if real-time scheduling SSH-2 runtime necessary that cannot impact V1.3.2 Hitless Failover and each other nor kernel • Hitless failover infrastructure for dual Graceful Restart management systems and stacking With dual management modules on BlackDiamond® chassis systems and Third advanced stacking support with Summit® SSH-2 BGP OSPF Party fixed-configuration switches, the V1.3.1 Application ExtremeXOS OS is capable of preserving the state of resiliency and security protocols such as STP, EAPS and Network
Login, thus allowing hitless failover ExtremeXOS Kernel Loadable between management modules/redundant Kernel Module masters in case a module or master fails.
5027-03 Figure 1: ExtremeXOS Modular Design
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 2 Extreme Networks Data Sheet
Extensibility Dynamically loadable software application modules, CLI scripting and external XML APIs make the ExtremeXOS OS extensible, allowing integration with best-of-breed applications and devices, providing endless possibilities for further expanding the network’s capabilities. Examples include VoIP monitoring and advanced network security.
Dynamic Module Loading appliance can utilize ExtremeXOS to limit concept of open yet secure communications access, control bandwidth or redirect traffic to allow business applications to easily The ExtremeXOS OS provides an infra- from a client that is attempting to connect interact with the network for security policy structure to dynamically load, start and to the network. XML also provides a scalable enforcement, regulatory compliance and gracefully stop new applications. and reliable transport for device configura- performance management, and higher ExtremeXOS embraces POSIX-compliant tion and statistics, for example OSS and security. interfaces that ease the integration of new service provisioning systems in Carrier applications. ExtremeXOS uses this Ethernet deployments. The XML infrastructure is also used by infrastructure to dynamically load ExtremeXOS ScreenPlay™ Web-based Extreme Networks developed functionality This XML infrastructure embraces the management interface. such as SSH/SCP/SSL that is export- controlled, avoiding the requirement for new operating system image installs to gain this functionality. The same infra- structure is also used to integrate third- XML API - Response party developed applications. An example XML API - Request
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 3 Extreme Networks Data Sheet
Ease of Management Standards-based discovery and traffic flow monitoring provide full visibility into network inventory and traffic. ExtremeXOS Universal Port dramatically simplifies rollout of VoIP via auto-configuration of edge ports and phones.
Link Layer Discovery Protocol sFlow Universal Port (LLDP, IEEE 802.1ab) ExtremeXOS OS’s sFlow® standards-based The unique ExtremeXOS OS Universal Port Today’s networks must incorporate data monitoring support provides Layer 2 – 7 infrastructure is a powerful framework of best-of-breed solutions at every layer of visibility into the network, including event-driven activation of CLI scripts. While the network, regardless of which vendor statistics on which applications are running Universal Port can leverage any system event you choose, allowing you to build a over your network, biggest talkers, etc. log message as an event trigger, the most best-of-breed converged network. popular use cases are time/user/location- With the ever-increasing reliance on network based dynamic security policies as well as The ExtremeXOS OS support of IEEE services for business-critical applications, VoIP auto-configuration. For these applica- 802.1ab standards-based discovery the smallest change in network usage can tions, Universal Port uses standards authenti- protocol provides vendor-independent impact the performance and reliability of a cation (Network Login/802.1x) and discovery device discovery as well as tight integra- network. This has a direct impact on the protocols (LLDP + LLDP-MED) as trigger tion with VoIP infrastructure and phones, ability of a company to conduct key business events. Actions in the form of fully configu- including E911 ECS location, inventory functions and on the cost of maintaining rable CLI scripts can be tied to events on a information and fine-grained PoE budget- network services. Therefore, it is important per-port basis. As such, dynamic security ing and configuration of information such to monitor the network traffic in order to policies, including fine-grained access control as VLANs and QoS tagging. keep the network operating reliably and at via ACLs, can follow a user independently of the right performance level. where he logs into the network. VoIP phones LLDP not only simplifies deployment and and the connecting switch edge port can be locating of access devices, but it can also sFlow is a sampling technology that meets auto-configured for the voice VLAN and QoS. be used as a troubleshooting and firmware the key requirements for a network traffic The switch can receive the exact, fine- management tool. monitoring solution: sFlow provides a grained power budget requirements from the network-wide view of usage and active phones and provision it accordingly. The LLDP is an extensible standard, providing routes. It is a scalable technique for phone can receive the E911 ECS location a framework for industry consortiums to measuring network traffic, collecting, from the switch as well as the call server define application-specific extensions storing, and analyzing traffic data. This address in order to receive additional without causing compatibility issues. The enables tens of thousands of interfaces to be configuration. Deploying VoIP endpoints is as ANSI/TIA-1057 LLDP-Media Endpoint monitored from a single location. easy as opening the package, programming Discovery (LLDP-MED) standard defines the extension and plugging into the network. extensions specifically for VoIP. These sFlow is scalable, thereby enabling it to The following diagram explains the mecha- extensions provide VoIP-specific informa- monitor links of speeds up to 10 Gigabits per nism. Please note that steps 1 and 2 are only tion as well as allow transmission of Second (Gbps) and beyond without done once, using scripting, and then rolled configuration and location information to impacting the performance even of core out to all voice-capable ports. Steps 3 to 5 are VoIP phones. Internet routers and switches, and without the resulting automatic runtime events. adding significant network load. • Network Policy (which VLAN tag, .1p, DSCP, … that the phone should use) • ECS Location ID (for E911 – coordi- nates for street/building/floor ad- dress), compliant with NENA and TIA-TSB-146 directions. The switch advertises a configurable physical location information to the phone • Extended Power-via-MDI (finer grain PoE budget management) • Inventory information such as firmware version, serial number, etc.
LLDP is tightly integrated with the IEEE 802.1x authentication at edge ports. As endpoint devices are first authenticated, the LLDP-provided information is trustable and can be used for automated configura- tion, protecting the network from attacks against automated configuration Figure 4: VoIP Auto Configuration with mechanisms. ExtremeXOS Universal Port
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 4 Extreme Networks Data Sheet
Integrated Security Security of the entire network infrastructure is protected with the ExtremeXOS OS. Protection at the edge is provided with user authentication, host integrity checking and dynamic user/time/location based security policies. Management traffic is secured through authentication and encryption.
Network Login Extreme Networks pioneered network TLS and TTLS, supporting password- as well The Web-based method is also an excellent access security even before dedicated as certificate-based authentication. way to deploy 802.1x client software and standards’ efforts were in place. Its open, certificates in a secure fashion on any port standards-based approach allows network The Web-based method does not require any without having to open up the network. access control on all edge ports of a specific client-side software (a challenge for Rather than installing an 802.1x client network. Access control works with or 802.1x). Instead the Web-based method uses software before turning on Network Login, without dedicated authentication support standard built-in technologies on clients users can log into the network via the on client devices, such as VoIP phones (DHCP and a Web browser), and therefore is Web-based method, be redirected to an IT and printers. an easy-to-deploy security mechanism for all server to receive instructions how to down- client devices that support these technologies. load and install an 802.1x client and potential- Network Login enforces authentication When an unauthenticated machine’s Web ly additional software. This strategy dramati- before granting access to the network. All browser first requests traffic from any HTTP cally reduces the costs and complexity of a packets sent by a client on the port will not server on the network, Extreme Networks user authentication rollout in your network. get beyond the port to the rest of the switches with Web-based Network Login network until authentication using RADIUS enabled will redirect this traffic to the Network The MAC-based method is targeted for servers occurs. In many cases, the RADIUS Login welcome page. The login welcome page networked devices that do not support any server will interact with central data is fully customizable to allow posting a custom manual authentication methods, such as repositories for user authentication such as page content and graphics, for example guest older VoIP phones or printers, and hence Active Directory or an LDAP directory login information for Internet access via a allows the enforcement of authentication on without putting the burden of the LDAP dedicated guest VLAN and custom logos. all edge ports in a network. protocol into the network infrastructure. As a fallback for mission-critical devices, debugging and simplicity, an authentication database local to the switch can be used as well. ✓ User/Password ✓ VLAN VSA Authentication RADIUS ExtremeXOS Network Login supports multiple supplicants on the same switch Server ✓ User/Password ✓ VLAN VSA edge port, even in separate VLANs. For Local Database example, a VoIP phone can be authenticat- ✓ Port Number ed into the voice VLAN, and a PC connect- ed to the data port of the phone can be Authenticator Network Login Authenticator authenticated into a user-specific VLAN. MAC Mask URL Hijacking Network Login supports three methods: 802.1x 802.1x, Web-based and MAC-based. All MAC Learning Web-based Login methods can be enabled individually or Authentication together to provide smooth implementation SWITCH of a secured network. Supplicants ` ` 802.1x is a standards-based protocol that
requires a special client be installed on the 5247-01 system accessing the network. Over time, 802.1x will be a standard component in PC operating systems as well as networked Figure 5: Network Login devices such as VoIP phones. 802.1x is designed as a secure protocol, and uses a number of different secure authentication techniques. ExtremeXOS supports a variety of these techniques, including MD5, PEAP,
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 5 Extreme Networks Data Sheet
Integrated Security
Integrated Security comes from for immediate defense. Specific Identity Management Dynamic security policies can be deployed capabilities include: Identity Management allows customers to via RADIUS Vendor Specific Attributes track users who access their network. User (VSAs). As an example, the VLAN for a • Build a trusted network database of identity is captured based on NetLogin given user or device can be dynamically MAC/IP/Port bindings and know where authentication, LLDP discovery and assigned. Network Login optionally will to take action if something goes wrong Kerberos snooping. ExtremeXOS uses the even dynamically create the VLAN if it –– “DHCP Option 82”, adds port + information to then report on the MAC, does not exist on the edge switch, dramati- VLAN ID to DHCP requests VLAN, computer hostname, and port cally reducing the burden of managing location of the user. VLANs. In Extreme Networks implementa- • Enforce DHCP, protect from static IP tion, leveraging the fully configurable –– “Disable ARP Learning”, only learn ExtremeXOS Universal Port infrastructure, via DHCP Secure Management dynamic security policies go far beyond The ExtremeXOS OS provides secure • Protect the network from random just VLAN assignments (see Figure 6). management via SSH2/SCP2/SSL and source address threats SNMPv3, providing authentication and Dynamic policies may also include rate –– DHCP Snooping based “Source IP protection against replay attacks, as well as limiting, QoS and dynamic ACLs. These are Lockdown” automatic ACL data privacy via encryption. applied immediately during the authentica- • Protect network from man-in-the- tion process, without dependency on middle attacks and VoIP call recording Access profiles for device management allow external second-step policy managers. filters to be set on device management, Instead, one central repository (RADIUS or –– “Gratuitous ARP Protection” of accepting connections only from specified LDAP/Active Directory) and a single-step default gateway sources. approach are provided. Dynamic security • Protect network services (DHCP, policies are activated and deactivated DNS, ...) spoofing / rogue servers CPU DoS Protect throttles traffic directed to based on authentication and hosts the switch and can automatically set an ACL connecting or disconnecting from the –– “Trusted DHCP Server” ports for defense, thus protecting the switch from network. As the actual implementation –– “Gratuitous ARP Protection” of DNS, the effects of DoS attacks such as “Ping of of the policy can be changed from port ... Servers Death” and others. This defense mechanism to port, the framework allows for • Protect endpoints/applications from works for all CPU bound traffic—Layer 2, location-based policies. Integration with a spoofing attacks IPv4 and IPv6. timer event provides time based policies, such as disabling wireless access after –– “DHCP secured ARP”—ARP Routing protocols such as OSPF-2 and BGP4 business hours. Validation against DHCP snooping- authenticate via MD5. based internal database MAC Security MAC Security allows the lockdown of a port to a given MAC address and to limit Preparation Operation the number of MAC addresses on a port. 3 This can be used to dedicate ports to 1 User logs on to the network Administrator configures user group policies specific hosts or devices such as VoIP (VLAN, ACLs, port speed, Dot1p priority, etc.) phones or printers and avoid abuse of the then maps policies to user groups port—an interesting capability specifically in environments such as hotels. In addition, an aging timer can be configured User for the MAC lockdown, protecting the network from the effects of attacks using Administrator 4 (often rapidly) changing MAC addresses. RADIUS server pushes user group via Vendor Specific Attributes (VSA) IP Security ExtremeXOS IP security framework protects ` the network infrastructure, network RADIUS Server 5 Switch configures VLAN, services such as DHCP and DNS and EPICenter® Server ACLs, port speed, Dot1p even host computers from spoofing and 2 priority . . . on the port man-in-the-middle attacks. It also provides Administrator pushes policies to switch network protection from statically config- 5118-01 ured and/or spoofed IP addresses as well as building an external trusted database of Figure 6: Universal Port Dynamic Policies MAC/IP/port bindings so that you always know where traffic from a specific address
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 6 Extreme Networks Data Sheet
Switching: Network Resiliency and Forwarding Control The ExtremeXOS OS provides full flexibility for various network designs through an extensive set of Layer 2 and Layer 3 proto- cols, offering network wide resiliency and forwarding control that scales to large networks.
Layer 2+ single multicast VLAN. If desired, static IGMP SSM mapping allows both IGMPv2 and IGMPv3 membership allows the force-forwarding of in the network, upgrading to the more powerful For network resiliency, ExtremeXOS offers traffic through the network for snappy and secure IGMPv3 where needed. a choice between standard protocols and subscription response and filters provide more advanced Layer 2+ protocols, control over transmitted content. EAPS, Designed for IPv6 optimized for faster resiliency, larger scaling ESRP and VRRP support multiple domains and simpler operation. per port pair and the bandwidth of a blocked IPv6 offers improved network intelligence and a port in one domain can be used by VLANs in considerable number of new capabilities over Spanning Tree Protocol: ExtremeXOS another domain (spatial reuse). In fact, IPv4. However, there are specific challenges supports IEEE 802.1D STP, 802.1w RSTP multiple instances of ESRP in the same VLAN whether choosing to actively participate in the and 802.1s MSTP. In Extreme Multiple even allow direct dual-homed host attach- transition to IPv6 or holding off to further Instance STP mode, ExtremeXOS allows a ment—for example server farms to standby evaluate. Extreme Networks has taken a port or VLAN to belong to multiple STP switches—while utilizing the bandwidth of ground-up approach to addressing these domains and therefore adds significant the standby switch. challenges by designing IPv6 intelligence into flexibility to STP network design, further ExtremeXOS from the beginning. increasing resiliency. The implementation is IPv4 Extreme Networks has built an architecture that also PVST+ compatible and IEEE 802.1Q. meets the performance, flexibility and security ExtremeXOS offers an equally extensive set requirements of IPv6 without compromising Ethernet Automatic Protection Switching of Layer 3 switching features all geared to operational simplicity (see Figure 7). (EAPS, RFC 3619), invented by increasing control and management on very Extreme Networks, is designed to prevent large networks. The switching software Features include Layer 2 and Layer 3 IPv6 loops in a ring topology running Layer 2 implements static routes, RIP, OSPFv2, IS-IS forwarding, routing protocols and tunnels. traffic. Its role is similar to STP, however it and BGP4 for External BGP (EBGP) and ExtremeXOS provides investment protection is able to rapidly converge when a link breaks, Internal BGP (IBGP). and allows a safe and smooth transition by transparently to VoIP calls, independent of tunneling IPv6 traffic across non-IPv6-aware the number of switches in a ring. Timing ExtremeXOS fields a rich set of IP multicast parts of the network. will be sub 50 ms in most deployments. routing protocols, including PIM Dense Mode (PIM/DM), PIM Sparse Mode (PIM/ SM) and ExtremeXOS platforms offer wire-speed Resiliency Features: the Virtual Router PIM Source Specific Multicast (PIM-SSM), ACLs—providing defense and control over the Redundancy Protocol (VRRP) enables a which work hand in hand with the built-in next generation of IP, which is at least partially group of routers to function as a single IGMPv1/v2/v3 support. Multicast source supported by most client and server operating virtual default gateway. Extreme Standby routes can be shared between sites using systems today. Even when operating with IPv4 Router Protocol™ (ESRP) can be implemented MSDP and MBGP, for example, to share only, the ExtremeXOS OS will harden the at both Layers 2 and 3. ESRP tracks link sources of distance learning multicast streams network to attacks using IPv6 transport. connectivity, VLANs, learned routes and in a university backbone network. IGMP v2/v3 ping responses. ESRP can be used as an STP and VRRP substitute, providing simplicity via a single protocol for Layer 2 Unified Access ® Intelligent Core
and Layer 3 redundancy. Multiple instances Data Center of ESRP in the same VLAN allow direct host BlackDiamond 8810 BlackDiamond 20808
attachment to standby switches. Summit X650
Virtual Private LAN Services (VPLS, RFC
Summit® X250 4762) is used for signaling and provisioning BlackDiamond 8810 subscriber VLANs and vMANs over IP network core. Extreme Networks VPLS ` implementation operates seamlessly with Network Management EAPS, ESRP, and STP to provide a connectiv- ity option for delivering fault-tolerant Layer Ethernet Metro The Internet 2 services over a Layer 3 network core. Remote Sites Ethernet Metro To further harden the network resiliency Dual-stack in clients, Unified Access, Intelligent Core and servers, Telnet, SSH, Ping, Traceroute protocols of ExtremeXOS, Extreme Link IPv6 ACLs for Security at the Edge and in the Core Status Monitoring (ELSM) protects the Layer 2+ Infrastructure network and resiliency protocols from the • MLD v1/v2 multicast router requirements • Configured tunnels and 6to4 for v4/v6 interworking • ICMPv6 router requirements with Path and migration effects of unidirectional links to protocols. MTU Discovery • 9k jumbo frames to fully support IPv6 option headers For bandwidth scaling, link aggregation • Protocol-based VLANs (static and dynamic via LACP) utilizes the Layer 3 Routing bandwidth of multiple links. IGMP Snooping • OSPFv3 • RIPng • Static Routes and Multicast VLAN Registration preserve 5248-01 network bandwidth by forwarding only to Figure 7: Edge-to-Core IPv6-Enabled Infrastructure ports and to VLANs with subscribers from a
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 7 Extreme Networks Data Sheet
Technical Specifications
ExtremeXOS 12.4 • RFC 2668 802.3 MAU MIB • CPU DoS Protection with traffic rate-limiting to • draft-ietf-hubmib-mau-mib-v3-02.txt management CPU Supported Protocols • RFC 1643 Ethernet MIB • Robust against common Network Attacks: Switching • RFC 1493 Bridge MIB ––CERT (http://www.cert.org) • RFC 2096 IPv4 Forwarding Table MIB ––CA-2003-04: “SQL Slammer” • RFC 3619 Ethernet Automatic Protection • RFC 2737 Entity MIB v2 ––CA-2002-36: “SSHredder” Switching (EAPS) and EAPSv2 • RFC 2233 Interface MIB ––CA-2002-03: SNMP vulnerabilities • IEEE 802.1D – 1998 Spanning Tree Protocol (STP) • RFC 3621 PoE-MIB (PoE switches only) ––CA-98-13: tcp-denial-of-service • IEEE 802.1D – 2004 Spanning Tree Protocol • IEEE 802.1ag MIB ––CA-98.01: smurf (STP and RSTP) • Secure Shell (SSH-2) client and server ––CA-97.28:Teardrop_Land -Teardrop and • IEEE 802.1w – 2001 Rapid Reconfiguration for • Secure Copy (SCP-2) client and server “LAND“ attack STP, RSTP • Secure FTP (SFTP) server ––CA-96.26: ping • IEEE 802.1Q – 2003 (formerly IEEE 802.1s) • sFlow version 5 ––CA-96.21: tcp_syn_flooding Multiple Instances of STP, MSTP • Configuration logging ––CA-96.01: UDP_service_denial • EMISTP, Extreme Multiple Instances of • Multiple Images, Multiple Configs ––CA-95.01: IP_Spoofing_Attacks_and_ Spanning Tree Protocol • RFC 3164 BSD Syslog Protocol with Multiple Hijacked_ Terminal_Connections • PVST+, Per VLAN STP (802.1Q interoperable) Syslog Servers ––IP Options Attack • Draft-ietf-bridge-rstpmib-03.txt – Definitions of ––999 Local Messages (criticals stored • Host Attacks Managed Objects for Bridges with Rapid across reboots) ––Teardrop, boink, opentear, jolt2, newtear, Spanning Tree Protocol • Extreme Networks vendor MIBs (includes FDB, nestea, syndrop, smurf, fraggle, papasmurf, • Extreme Standby Router Protocol™ (ESRP) PoE, CPU, Memory MIBs) synk4, raped, winfreeze, ping –f, ping of • IEEE 802.1Q – 1998 Virtual Bridged Local • XML APIs over Telnet/SSH and HTTP/HTTPS death, pepsi5, Latierra, Winnuke, Simping, Area Networks • Web-based device management interface – Sping, Ascend, Stream, Land, Octopus • IEEE 802.3ad Static load sharing configuration ExtremeXOS ScreenPlay™ and LACP based dynamic configuration • IP Route Compression Security, Router Protection • Software Redundant Ports • Stacking – SummitStack™ (Summit products Requires Edge License or above • IEEE 802.1AB – LLDP Link Layer with Advanced Edge License and above only) Discovery Protocol • IP Security – DHCP enforcement via Disable ARP Learning • LLDP Media Endpoint Discovery (LLDP-MED), Security, Switch and ANSI/TIA-1057, draft 08 • IP Security – Gratuitous ARP Protection • Extreme Discovery Protocol (EDP) Network Protection • IP Security – DHCP Secured ARP/ARP Validation • Extreme Loop Recovery Protocol (ELRP) • Secure Shell (SSH-2), Secure Copy (SCP-2) and • Routing protocol MD5 authentication • Extreme Link State Monitoring (ELSM) SFTP client/server with encryption/authentication • IEEE 802.1ag L2 Ping and traceroute, (requires export controlled encryption module) Security Detection and Protection Connectivity Fault Management • SNMPv3 user based security, with encryption/ In Core and Aggregation Products only authentication (see above) • ITU-T Y.1731 Frame delay measurements • CLEAR-Flow, threshold-based alerts • RFC 1492 TACACS+ and actions Management and Traffic Analysis • RFC 2138 RADIUS Authentication • RFC 2139 RADIUS Accounting • RFC 2030 SNTP, Simple Network Time • RFC 3579 RADIUS EAP support for 802.1x IPv4 Host Requirements Protocol v4 • RADIUS Per-command Authentication • RFC 1122 Host Requirements • RFC 854 Telnet client and server • Access Profiles on All Routing Protocols • RFC 768 UDP • RFC 783 TFTP Protocol (revision 2) • Access Policies for Telnet/SSH-2/SCP-2 • RFC 791 IP • RFC 951, 1542 BootP • Network Login – 802.1x, Web and • RFC 792 ICMP • RFC 2131 BOOTP/DHCP relay agent and MAC-based mechanisms • RFC 793 TCP DHCP server • IEEE 802.1x – 2001 Port-Based Network • RFC 826 ARP • RFC 1591 DNS (client operation) Access Control for Network Login • RFC 894 IP over Ethernet • RFC 1155 Structure of Mgmt Information (SMIv1) • Multiple supplicants with multiple VLANs for • RFC 1027 Proxy ARP • RFC 1157 SNMPv1 Network Login (all modes) • RFC 2068 HTTP server • RFC 1212, RFC 1213, RFC 1215 MIB-II, • Fallback to local authentication database • IGMP v1/v2/v3 Snooping with Configurable Ethernet-Like MIB & TRAPs (MAC and Web-based methods) Router Registration Forwarding • RFC 1573 Evolution of Interface • Guest VLAN for 802.1x • IGMP Filters • RFC 1650 Ethernet-Like MIB (update of • RFC 1866 HTML – used for Web-based • PIM Snooping RFC 1213 for SNMPv2) Network Login and ExtremeXOS ScreenPlay • Static IGMP Membership • RFC 1901, 1905 – 1908 SNMP v2c, SMIv2 • SSL/TLS transport – used for Web-based • Multicast VLAN Registration (MVR) and Revised MIB-II Network Login and ExtremeXOS ScreenPlay • RFC 2576 Coexistence between SNMP (requires export controlled encryption module) IPv4 Router Requirements Version 1, Version 2 and Version 3 • MAC Security – Lockdown and Limit Requires Advanced Edge License or above • RFC 2578 – 2580 SMIv2 (update to • IP Security – RFC 3046 DHCP Option 82 with RFC 1902 – 1903) port and VLAN ID • RFC 1812 Requirements for IP Version 4 Routers • RFC 3410 – 3415 SNMPv3, user based • IP Security – Trusted DHCP Server • RFC 1519 CIDR security, encryption and authentication • Layer 2/3/4 Access Control Lists (ACLs) • RFC 1256 IPv4 ICMP Router Discovery (IRDP) • RFC 3826 – The Advanced Encryption • RFC 2267 Network Ingress Filtering • Static Unicast Routes Standard (AES) Cipher Algorithm in the SNMP • RPF (Unicast Reverse Path Forwarding) Control • Static Multicast Routes User-based Security Model via ACLs • RFC 1058 RIP v1 • RFC 1757 RMON 4 groups: Stats, History, • Wire-speed ACLs • RFC 2453 RIP v2 Alarms and Events • Rate Limiting/Shaping by ACLs • Static ECMP • RFC 2021 RMON2 (probe configuration) • IP Broadcast Forwarding Control • RFC 1112 IGMP v1 • RFC 2613 SMON MIB • ICMP and IP-Option Response Control • RFC 2236 IGMP v2 • RFC 2925 Ping/Traceroute MIB • SYN attack protection
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 8 Extreme Networks Data Sheet
Technical Specifications
IPv4 Router Requirements IPv6 Router Requirements • Draft-ietf-isis-ipv6-06 Routing IPv6 with IS-IS – continued Current support on ExtremeXOS based Summit Current support on Summit series with Core Requires Advanced Edge License or above series, BlackDiamond 8800 series, License or above, BlackDiamond 8800 series, BlackDiamond 10808 series and BlackDiamond 10808 series, and • RFC 3376 IGMP v3 BlackDiamond 12800 series BlackDiamond 12800 series • RFC 2933 IGMP MIB • RFC 2462, IPv6 Stateless Address Auto • Draft-ietf-isis-wg-multi-topology-11 • RFC 2096 IPv4 Forwarding Table MIB Multi Topology (MT) Routing in IS-IS • RFC 1724 RIPv2 MIB configuration – Router Requirements • RFC 3768 VRRPv2 • RFC 1981, Path MTU Discovery for IPv6, • RFC 2787 VRRP MIB August 1996 – Router requirements QoS and VLAN Services • RFC 2328 OSPF v2 (Edge-mode) • RFC 2710, IPv6 Multicast Listener Discovery v1 Quality of Service and Policies • OSPF ECMP (MLDv1) Protocol • IEEE 802.1D – 1998 (802.1p) Packet Priority • OSPF MD5 Authentication • RFC 3810, IPv6 Multicast Listener Discovery v2 • RFC 2474 DiffServ Precedence, including • RFC 1587 OSPF NSSA Option (MLDv2) Protocol 8 queues/port • RFC 1765 OSPF Database Overflow • Static Unicast routes for IPv6 • RFC 2598 DiffServ Expedited Forwarding (EF) • RFC 2370 OSPF Opaque LSA Option • RFC 2080, RIPng • RFC 2597 DiffServ Assured Forwarding (AF) • RFC 3623 OSPF Graceful Restart • Static ECMP • RFC 2475 DiffServ Core and Edge • RFC 1850 OSPFv2 MIB Router Functions • RFC 2362 PIM-SM (Edge-mode) Core Protocols for Layer 2, IPv4 • RFC 2934 PIM MIB and IPv6 VLAN Services: VLANs, vMANs • RFC 3569, draft-ietf-ssm-arch-06.txt PIM-SSM Requires Core License or above • IEEE 802.1Q VLAN Tagging PIM Source Specific Multicast • EAPSv2 Shared Ports – multiple interconnections • IEEE 802.1v: VLAN classification by Protocol • draft-ietf-pim-mib-v2-o1.txt between rings and Port • Mtrace, a “traceroute” facility for IP Multicast: • PIM-DM Draft IETF PIM Dense Mode draft-ietf- • Port-based VLANs draft-ietf-idmr-traceroute-ipm-07 idmr-pim-dm-05.txt, draft-ietf-pim-dm-new- • Protocol-based VLANs • Mrinfo, the multicast router information tool v2-04.txt • MAC-based VLANs based on Appendix-B of draft-ietf-idmr-dvmrp- • RFC 3618 Multicast Source Discovery • Multiple STP domains per VLAN v3-11 Protocol (MSDP) • Upstream Forwarding Only/Disable Flooding • RFC 3446 Anycast RP using PIM and MSDP • RFC 5517 Private VLANs IPv6 Host Requirements • RFC 2740 OSPFv3, OSPF for IPv6 – Current • VLAN Translation Current support on ExtremeXOS based Summit support on Summit series with Core License or • IEEE 802.1ad Provider Bridge Network, virtual series, BlackDiamond 8800 series, above, BlackDiamond 8800 series, MANs (vMANs) BlackDiamond 10808 series and BlackDiamond 10808 series, and • vMAN Ethertype Translation/Secondary vMAN BlackDiamond 12800 series BlackDiamond 12800 series Ethertype • RFC 5095, Internet Protocol, Version 6 • RFC 1771 Border Gateway Protocol 4 • Multicast Support for PVLAN (IPv6) Specification • RFC 1965 Autonomous System Confederations • Multicast Support for VLAN Aggregation • RFC 4861, Neighbor Discovery for IP for BGP • VLAN Aggregation (Requires Advanced Edge Version 6, (IPv6) • RFC 2796 BGP Route Reflection (supersedes License or above) • RFC 2463, Internet Control Message Protocol RFC 1966) Advanced VLAN Services (ICMPv6) for the IPv6 Specification • RFC 1997 BGP Communities Attribute Requires Advanced Edge License or above • RFC 2464, Transmission of IPv6 Packets over • RFC 1745 BGP4/IDRP for IP-OSPF Interaction (BlackDiamond 10808 and Ethernet Networks • RFC 2385 TCP MD5 Authentication for BGPv4 BlackDiamond 12800 series only) • RFC 2465, IPv6 MIB, General Group and • RFC 2439 BGP Route Flap Damping • VLAN Translation in vMAN environments Textual Conventions • RFC 2918 Route Refresh Capability for BGP-4 • vMAN Translation • RFC 2466, MIB for ICMPv6 • RFC 3392 Capabilities Advertisement with BGP-4 • RFC 2462, IPv6 Stateless Address Auto • RFC 4360 BGP Extended Communities Attribute MAC-in-MAC (PBB) configuration – Host Requirements • RFC 4486 Subcodes for BGP Cease Requires MPLS-PBB Feature Pack License • RFC 1981, Path MTU Discovery for IPv6, Notification message • IEEE 802.1ah/D1.2 Provider Backbone August 1996 – Host requirements • draft-ietf-idr-restart-10.txt Graceful Restart Bridges (PBB)/MAC-in-MAC • RFC 3513, Internet Protocol Version 6 (IPv6) Mechanism for BGP Addressing Architecture • RFC 4760 Multiprotocol extensions for BGP-4 MPLS and VPN Services • RFC 1657 BGP-4 MIB • RFC 3587, Global Unicast Address Format Multi-Protocol Label Switching (MPLS) • Draft-ietf-idr-bgp4-mibv2-02.txt – Enhanced • Telnet server over IPv6 transport Requires MPLS-PBB Feature Pack License or BGP-4 MIB • SSH-2 server over IPv6 transport MPLS Feature Pack License • RFC 1195 Use of OSI IS-IS for Routing in TCP/IP • Ping over IPv6 transport • RFC 2961 RSVP Refresh Overhead and Dual Environments (TCP/IP transport only) • Traceroute over IPv6 transport Reduction Extensions • RFC 2763 Dynamic Hostname Exchange • RFC 3031 Multiprotocol Label Mechanism for IS-IS IPv6 Interworking and Migration Switching Architecture • RFC 2966 Domain-wide Prefix Distribution with Current support on ExtremeXOS based Summit • RFC 3032 MPLS Label Stack Encoding Two-Level IS-IS series, BlackDiamond 8800 series, • RFC 3036 Label Distribution Protocol (LDP) • RFC 2973 IS-IS Mesh Groups BlackDiamond 10808 series and • RFC 3209 RSVP-TE: Extensions to RSVP for • RFC 3373 Three-way Handshake for IS-IS BlackDiamond 12800 series LSP Tunnels Point-to-Point Adjacencies • RFC 2893, Configured Tunnels • RFC 3630 Traffic Engineering Extensions • RFC 3784 IS-IS Externs for Traffic Engineering • RFC 3056, 6to4 to OSPFv2 (wide metrics only) • RFC 3811 Definitions of Textual Conventions • Draft-ietf-isis-restart-02 Restart Signaling (TCs) for Multiprotocol Label Switching for IS-IS (MPLS) Management
© 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operating System, v12.4—Page 9 Extreme Networks Data Sheet
Technical Specifications
MPLS and VPN Services • RFC 4379 Detecting Multi-Protocol Label • RFC 5542 Definitions of Textual Conventions continued Switched (MPLS) Data Plane Failures for Pseudowire (PW) Management (LSP Ping) • RFC 5601 Pseudowire (PW) Management Multi-Protocol Label Switching (MPLS) Layer 2 VPNs Information Base (MIB) Requires MPLS-PBB Feature Pack License or • RFC 5602 Pseudowire (PW) over MPLS PSN MPLS Feature Pack License Requires MPLS-PBB Feature Pack License or MPLS Feature Pack License Management Information Base (MIB) • RFC 3812 Multiprotocol Label Switching • RFC 5603 Ethernet Pseudowire (PW) (MPLS) Traffic Engineering (TE) Management • RFC 4447 Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP) Management Information Base (MIB) Information Base (MIB) • draft-ietf-l2vpn-vpls-mib-02.txt Virtual • RFC 3813 Multiprotocol Label Switching (MPLS) • RFC 4448 Encapsulation Methods for Transport of Ethernet over MPLS Networks Private LAN Services (VPLS) Management Label Switching Router (LSR) Management Information Base Information Base (MIB) • RFC 4762 Virtual Private LAN Services (VPLS) • RFC 3815 Definitions of Managed Objects for using Label Distribution Protocol (LDP) the Multiprotocol Label Switching (MPLS), Signaling Label Distribution Protocol (LDP) • RFC 5085 Pseudowire Virtual Circuit Connectivity • RFC 4090 Fast Re-route Extensions to Verification (VCCV) RSVP-TE for LSP (Detour Paths) • draft-ietf-bfd-base-09.txt Bidirectional Forwarding Detection
Corporate Europe, Middle East, Africa Asia Pacific Japan and North America and South America Phone +65 6836 5437 Phone +81 3 5842 4011 Extreme Networks, Inc. Phone +31 30 800 5100 3585 Monroe Street www.extremenetworks.com Santa Clara, CA 95051 USA Phone +1 408 579 2800
© 2010 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, BlackDiamond, EPICenter, Extreme Standby Router Protocol, ExtremeXOS ScreenPlay, Summit and SummitStack are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. sFlow is the property of Inmon Corporation. Specifications are subject to change without notice. 1030_09 06/10