Table of Contents

To set port 8:27 to 100/full

 configure port 8:27 auto off speed 100 duplex full

diagnostics

To view the log…

 show log

To run extended diagnostics (takes switch offline)…

 run diagnostics extended slot backplane

After which you can view the log, replace anything defective, and then to return the switch to normal operation…

 clear log diag-status
 reboot

To set port 49 to auto/auto

 configure port 49 auto on

To show port information

 show port info

To show the mac address table

 show fdb

To show the arp table

 show iparp

To show the switch configuration

 show conf

To disable/enable port 7:22

 disable port 7:22
 enable port 7:22

To set the display string on port 7:20 to "engmail server"

 configure port 7:20 display-string "engmail server"

To create a VLAN named EngMMNet with tag 100, and enable spanning tree on it

 create vlan "EngMMNet"
 config vlan "EngMMNet" tag 100
 configure stpd s0 add vlan "EngMMNet"

To add port 7:24 to VLAN SD2Net without tagging

 configure vlan "SD2Net" add port 7:24 untagged

To delete port 7:24 from VLAN SD2Net

 configure vlan "SD2Net" delete port 7:24

To add port 7:24 to VLAN SD2Net with tagging (for a trunk line)

 configure vlan "SD2Net" add port 7:24 tagged

To activate IP routing for CupidNet with router IP address 129.97.20.1

 config vlan "CupidNet" ipaddress 129.97.20.1 255.255.255.0
 enable ipforwarding "CupidNet"
 configure rip add vlan "CupidNet"
 configure rip "CupidNet" cost 1
 enable rip
 enable irdp vlan "CupidNet"
 config rip rxmode none vlan "CupidNet"
 config rip txmode v2only vlan "CupidNet"

To create a static route to the 68 subnet via 129.97.50.76

 configure iproute add 129.97.68.0 255.255.255.0 129.97.50.76 1

To enable the export of static routes via RIP

 enable rip export static cost 0 tag 0

To enable/disable spanning tree

 enable stpd s0
 disable stpd s0

To disable/enable spanning tree on port 1:4

 disable stpd s0 port 1:4
 enable stpd s0 port 1:4

To restrict port 32 to the single MAC address 00:02:b3:1d:74:91 on CupidNet (works with all ExtremeWare versions)

 create fdbentry 00:02:b3:1d:74:91 vlan CupidNet port 32
 disable learning ports 32

To restrict port 7:24 to a single MAC address on SD2Net(ExtremeWare version 6 only)

 configure vlan "SD2Net" add port 7:24 mac-limit 1

To block all traffic from (and to) MAC address 00:50:BA:C7:2F:94 on CircuitNet

 create fdbentry 00:50:BA:C7:2F:94 CircuitNet blackhole both

*dest-mac* or source-mac can be specified instead of both which allows blocking independently on egress or ingress

To block all traffic from 129.97.20.217

 create access-list blocker1 ip destination any source 129.97.20.217 /32 deny ports any

Use show access-list to see hit counts etc, and delete access-list blocker1 to delete the access list.

To disable access to tcp port 22 (ssh) on host 129.97.50.123 connected to physical port 7:25

 create access-list temp_block_ssh tcp destination any ip-port any source 129.97.50.123/32 ip-port 22 deny ports 7:25  precedence 10

Note: the access-list is applied to an ingress port, the above will allow an initial TCP packet to reach the target, but it will not be able to respond, and thus no TCP handshake will occur.

To forward DHCP on "cupidnet" to 129.97.50.36 and 129.97.50.67

 create udp-profile engcompdhcp
 config engcompdhcp add 67 ipaddress 129.97.50.36
 config engcompdhcp add 67 ipaddress 129.97.50.67
 config cupidnet udp-profile engcompdhcp

To prevent most IP spoofing

 create access-list spoof1 ip destination any source 129.97.0.0/16 permit ports any  precedence 250
 create access-list spoof2 ip destination 129.97.0.0/16 source any permit ports any  precedence 251
 create access-list spoof3 ip destination any source 0.0.0.0/32 permit ports any  precedence 252
 create access-list spoof4 ip destination 224.0.0.0/4 source any permit ports any  precedence 253
 create access-list spoof5 ip destination any source any deny ports any  precedence 254

The above allows IP spoofing onsite (129.97.0.0/16) but prevents spoofed IP from leaving the site, unless it is spoofed from an onsite address. This is probably adequate. More elaborate access lists would be required to keep spoofing local to a subnet.

To get a GBIC port to talk to a BayStack

config port 5:1 auto off duplex full speed 1000