Router Template
Configure a router template for XR200P, XR600P, and BR200WP routers.
Navigate using the tab icons. Hover over an icon to see the name of the tab.
Configure > Network Policies > policy_name > Router Settings > Device Template > Add > router_model
To configure Extreme Networks routers, select ADD and choose the appropriate device template for the model that you are deploying. In the device template, assign ports with the connection types that you want them to provide: access, 802.1Q, and WAN.
Template Name: Enter a name for the template.
To assign an existing port type:
Highlight one or more ports in the router template, and then select Assign > Choose Existing.
In the dialog box you will see a list of existing port types, identified by an icon. Select the type you want for the selected port or ports:
Access port: for a port connected to an individual host
WAN port: for a port connected to the WAN
Trunk port: for a port connected to a forwarding device, such as an AP or switch, that supports multiple VLANs
To create a new port type:
In Assign > Create New enter the following in the New Port Type section and then select Save:
Name: Enter a name containing up to 32 characters, including spaces.
Description: Enter an optional description of the port type.
Port Status: Toggle the port status ON to enable the port, or OFF to disable it.
Port Usage: Select Access Port for ports connected to individual hosts, Trunk Port (802.1Q VLAN Tagging) for ports providing network access through forwarding devices such as APs and switches that support multiple VLANs, or WAN Port for a port acting as a backup WAN interface. Then configure parameters for the port type you selected, as described in the following sections.
Access Port
Configure the following settings for access ports to which individual hosts connect.
Port Usage Settings: Select one of four possibilities for authentication on an access port.
No user authentication and no MAC authentication. This is the default and is common for sites where you know all connections will come from trusted devices so no authentication is necessary. An employee home office is one example.
User authentication for clients with a RADIUS supplicant running on them but no MAC authentication. Use this option to authenticate users before allowing network access, if you know that permitted devices will have a RADIUS supplicant running on them, and if your infrastructure is set up for RADIUS user authentication.
MAC authentication for clients without a RADIUS supplicant but no user authentication. Use this option to control network access when you know that permitted devices connecting to the port will not have a RADIUS supplicant and your RADIUS infrastructure is set up to authenticate them by MAC address.
User authentication for clients with a RADIUS supplicant or MAC authentication for clients without. This option is useful for situations where you cannot know in advance if a device connected to the access port will have a RADIUS supplicant, perhaps when users at different branch sites connect devices with different RADIUS capabilities to the port.
Access Port: (select)
Wired Connectivity: Toggle OFF to allow clients to connect to the port without requiring user authentication. Toggle ON to enable user authentication through EAP/802.1X and RADIUS. Configure a default RADIUS server group and, if you want different APs to use different RADIUS servers based on their location, select Apply RADIUS server groups to devices via classification and select or configure additional RADIUS server groups.
Note
For information about configuring RADIUS server groups and classification rules, see External RADIUS Server Settings.
MAC Authentication: Toggle OFF to allow clients to connect to the port without requiring MAC authentication. Toggle ON to enable device authentication using the MAC address as both user name and password. When a client without a RADIUS supplicant connects, the RADIUS server tries MAC authentication, also referred to as MAB (MAC authentication bypass).
Authentication Protocol: Choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS CHAP V2 (Microsoft CHAP Version 2), depending on which protocol the RADIUS authentication server supports. If you are using an Extreme Networks RADIUS server, use the default choice: PAP. For an external RADIUS authentication server, choose the protocol that it supports. The Extreme Networks device functioning as the RADIUS authenticator uses the chosen protocol to authenticate communications between itself and the RADIUS server when submitting client credentials (MAC address) for authentication.
If you already enabled User Authentication on the Wired Connectivity tab and configured one or more RADIUS server groups for it, those servers will also perform MAC authentication. If you enable only MAC authentication on the access port, then you must define a default RADIUS server group and optionally other groups via classification.
Note
For information about configuring RADIUS server groups and classification rules, see External RADIUS Server Settings.
Multiple Clients: Select the check box to Allow multiple clients connected to the same port on the same VLAN. Only the first device needs to authenticate successfully for all others to connect as well.
Primary authentication using: When both Wired Connectivity and MAC Authentication are enabled, this option allows you to control which authentication method is attempted first. For example, if you set Primary authentication using 802.1X (the default setting), the RADIUS authentication server first attempts to prompt the client for a user name and password. If the client has a RADIUS supplicant, it must submit a valid user name and password to pass authentication. If the client does not have a RADIUS supplicant, the RADIUS server then tries to authenticate the client using the MAC address as both user name and password. If one of the authentication methods succeeds, the client is allowed on the network. If neither succeeds, the client is denied network access. To change the authentication sequence so that MAC authentication is attempted first, select Primary authentication using MAC.
User Access Settings
Default User Profile: Set the user profile that you want the router to apply by default to users connecting to the port. Either select and choose an existing user profile, or select + and create a new one.
Apply a different user profile to various clients and user groups: Select this check box and add one or more user profiles for different categories of users that you expect to make wired connections to the access port.
If a single device, such as a printer, is always connected to this port, leave the check box cleared and just apply the default user profile for infrastructure devices like printers. If you expect different types of users, such as employees, consultants, and visiting VIPs, to use the port as needed to connect their computers to the network, then select the check box and set up classification rules to govern when to apply different user profiles.
Traffic Filter Management: Select which management and diagnostic services—SSH, Telnet, Ping, and SNMP—to allow access to the mgt0 interface through the access port.
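An added example (not ExtremeCloud IQ code or output): a short Python audit that flags the access-port choices described above that leave a host-facing port weakly protected. The record field names and the sample port types are hypothetical, constructed for illustration.

```python
# Added example. Field names are hypothetical (constructed for this sketch);
# they mirror the settings on this page, not an ExtremeCloud IQ export format.
FINDINGS = {
    "no-auth": "no 802.1X and no MAC authentication: any connected device gets access",
    "mab-only": "the MAC address is the only credential (user name and password)",
    "multi-client": "only the first device authenticates; later devices connect unchecked",
    "telnet-mgt0": "Telnet to mgt0 is allowed through a host-facing port",
}

def audit_access_port(port):
    """Return the sorted finding ids for one access port type."""
    dot1x = port.get("wired_connectivity", False)   # user auth via EAP/802.1X
    mab = port.get("mac_authentication", False)     # MAC authentication (MAB)
    found = set()
    if not dot1x and not mab:
        found.add("no-auth")
    if mab and not dot1x:
        found.add("mab-only")
    if (dot1x or mab) and port.get("multiple_clients", False):
        found.add("multi-client")
    if "Telnet" in port.get("mgt0_services", []):
        found.add("telnet-mgt0")
    return sorted(found)

def audit_template(ports):
    """Map each port type name to its finding ids."""
    return {p["name"]: audit_access_port(p) for p in ports}

# Constructed sample port types
SAMPLE_PORTS = [
    {"name": "home-office", "mgt0_services": ["SSH", "Ping"]},
    {"name": "branch-desk", "wired_connectivity": True, "mac_authentication": True,
     "multiple_clients": True, "mgt0_services": ["SSH"]},
    {"name": "printer", "mac_authentication": True,
     "mgt0_services": ["Telnet", "SNMP"]},
]

if __name__ == "__main__":
    for name, ids in audit_template(SAMPLE_PORTS).items():
        for fid in ids:
            print(f"{name}: {fid}: {FINDINGS[fid]}")
```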
Trunk Port
Configure the following settings for trunk ports connected to network forwarding devices such as switches and APs that support multiple VLANs on trunk ports. Because the intention for this type of port is to connect with other forwarding devices rather than individual hosts, there is no section for authentication.
Trunk Port (802.1Q VLAN Tagging): (select)
VLAN Object: Set the native (untagged) VLAN and all VLANs that you want the port to support.
Native VLAN: The native (untagged) VLAN is the VLAN assigned to frames that do not have any 802.1Q VLAN tags in their headers. By default, Extreme Networks devices use VLAN 1 as the native VLAN.
Allowed VLANs: Enter the VLANs—including the native VLAN—that you want the trunk port to allow. You can list the VLANs individually, separated by commas, or as a range of VLANs using a hyphen. Alternatively, you can enter the word all (the default) in this field to support all existing VLANs previously configured in the network policy.
Note
When you enter all, the router allows all VLANs configured in the network policy, not all VLANs from 1 to 4094.
Traffic Filter Management: Select which management and diagnostic services—SSH, Telnet, Ping, and SNMP—to allow access to the mgt0 interface through the trunk port.
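An added example (not part of the product or its documentation): a Python sketch that expands an Allowed VLANs entry as described above, resolving all against the network policy's VLANs, and checks that the native VLAN is included. The function names and the sample policy VLAN list are hypothetical.

```python
# Added example: names are hypothetical, not part of ExtremeCloud IQ.
def parse_allowed_vlans(spec, policy_vlans):
    """Expand an Allowed VLANs entry into a set of VLAN IDs.

    Accepts 'all' or comma-separated IDs and hyphenated ranges ('1,10-12,30').
    """
    spec = spec.strip().lower()
    if spec == "all":
        # 'all' = VLANs configured in the network policy, not 1-4094
        return set(policy_vlans)
    allowed = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        start = int(lo)                    # ValueError on empty or non-numeric
        end = int(hi) if sep else start
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"invalid VLAN entry: {part.strip()!r}")
        allowed.update(range(start, end + 1))
    return allowed

def review_trunk(native_vlan, spec, policy_vlans):
    """Return (allowed set, list of review notes) for one trunk port type."""
    allowed = parse_allowed_vlans(spec, policy_vlans)
    notes = []
    if native_vlan not in allowed:
        notes.append("native VLAN is not in the allowed list")
    if spec.strip().lower() == "all":
        notes.append(f"'all' carries every policy VLAN: {sorted(allowed)}")
    return allowed, notes

if __name__ == "__main__":
    policy = [1, 10, 20, 30]               # constructed network-policy VLANs
    for native, spec in [(1, "all"), (1, "10-12,30"), (10, "10,20")]:
        print(native, spec, review_trunk(native, spec, policy))
```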
WAN Port
WAN Port: (select)
Because a router WAN port connects to an external network such as the Internet, there are no additional settings for authentication, VLANs, or traffic filters.
Because an XR600P supports multiple PPPoE WAN ports, define multiple PPPoE WAN port priorities as Primary, Backup1, Backup2, or Backup3. Select Save when you are done.
Note
Because the ETH0 and USB ports are always enabled as WAN links, they must be set as primary, backup1, backup2, or backup3. Consequently, you can set one or more Ethernet ports as WAN links.
Extreme Networks has tested the following USB modems and approved them for use with XR200P routers:
Skyus DS
Verizon U620L
Verizon Pantech UML290
ConnectedIO LT1000
Although these modems are officially supported, others might work as well. All modems must be plug-and-play because there are currently no configuration options for modems in ExtremeCloud IQ.
This section provides an overview of the port settings and configuration options available from the port settings tabs:
Port Details: View information about the interfaces on the router, add or modify the port type assigned to each interface, and modify the WAN priority settings.
Port Settings: Displays the physical interface names, and allows you to select the transmission types and speeds.
PSE: Choose the PSE (power sourcing equipment) power settings for the router to provide to PDs (powered devices) through the ETH1 and ETH2 ports.
Port Details
The Port Details tab displays the following information:
The ETH0 and USB interfaces are preconfigured as WAN ports and their port type cannot be changed; however, you can change their WAN priorities to determine which of them is primary, backup1, or (if an Ethernet interface was configured as a WAN port) backup2.
You can configure the ETH1 – ETH4 interfaces as access, trunk, or WAN ports. For access ports, you can see the name of the default user profile and the VLAN associated with it. For trunk ports, you can see the native and allowed VLANs.
For all interfaces, you can see if they are enabled or not, and for all Ethernet interfaces, you can see descriptions.
Note
You cannot disable any ports from a device template.
Port Settings
The Port Settings tab displays the physical interface names, and allows you to select the transmission types and speeds. For more information, see Router Port Settings.
PSE
On the PSE tab you can set how the ETH1/PoE and ETH2/PoE interfaces provide PoE to PDs such as VoIP phones, wireless access points, and network cameras. These interfaces are IEEE 802.3af and IEEE 802.3at PSE compliant, as described here:
The IEEE 802.3af PoE standard provides up to 12.95 W of DC power to each device (this rate reflects normal power loss through cables). 802.3af meets the power demands of Class 0, 1, 2, and 3 devices.
With 802.3af extended, the maximum power a PoE-enabled interface can deliver is 18 W of DC power.
The IEEE 802.3at PoE standard provides up to 25.5 W of DC power to each device (this rate reflects normal power loss through cables). 802.3at meets the power demands of Class 4 devices.
Note
Cables for powered devices should not exceed a maximum length of 328 feet (100 meters). If you use cables that exceed this length, the devices might not receive adequate power to operate.
The router balances PoE power output automatically. For example, if a device connected to ETH1 requires more power than the port can provide, and if ETH1 has the higher priority, ETH2 shuts down and shifts all remaining power to ETH1. The router generates a log for every shutdown event. Its power budget is 30.8 W.
Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.