Home > GUI > Devices > Router Port Settings

Router Port Settings

Router Port Settings

Configure Extreme NetworksXR200P, XR600P, and BR200WP router port settings, port details, and PSE settings. Create and enable new Ethernet and USB port types for a router.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Manage  > Devices > router_name  > Configuration > Port Configuration

In this window, you can view and configure ports for routers that have connected to ExtremeCloud IQ. You can also create and enable a new router port types.

For any changes that you make here, after you select Save, you can update your device directly by selecting the Update Now button at the top right.

Device Template

At the top of this window, you will see a graphic representation of the ports on the router. Hover over any port to see its settings, which were configured within the network policy assigned to this router. You can modify these port settings in the Port Details tab.

Below the device template there are three tabs: Port Details, Port Settings, and PSE. These tabs are described below.

Port Details Tab

In the Port Details tab, you can see the following information about the interfaces in the device template:

The ETH0 and USB interfaces are preconfigured as WAN ports and their port type cannot be changed; however, you can change their WAN priorities to determine which of them is primary, backup1, or (if an Ethernet interface was configured as a WAN port, backup2.

You can configure the ETH1 – ETH4 interfaces as access, trunk, or WAN ports. For access ports, you can see the name of the default user profile and the VLAN associated with it. For trunk ports, you can see the native and allowed VLANs.

For all interfaces, you can see if they are enabled or not, and for all the Ethernet interfaces, you can see descriptions.

Note

You cannot disable any ports from a device template.

The port details include:

If you make any changes in the Port Details tab, select Save.

Create a New Port Type

Select Assign > Create New enter the following in the New Port Type section and then select Save:

Access Port

Configure the following settings for access ports to which individual hosts connect.

Port Usage Settings

Access Port: Select the Access Port button.

Authentication:

There are four possibilities for authentication on an access port:

• No user authentication and no MAC authentication. This is the default and is common for sites where you know all connections will come from trusted devices so no authentication is necessary. An employee home offices is one example.
• User authentication for clients with a RADIUS supplicant running on them but no MAC authentication. Use this option when you want to authenticate users before allowing network access, you know that permitted devices will have a RADIUS supplicant running on them, and your infrastructure is set up for user authentication with RADIUS.
• MAC authentication for clients without a RADIUS supplicant but no user authentication. Use this option to control network access when you know that permitted devices connecting to the port will not have a RADIUS supplicant and your RADIUS infrastructure is set up to authenticate them by MAC address.
• User authentication for clients with a RADIUS supplicant or MAC authentication for clients without. This option is useful for situations where you cannot know in advance if a device connected to the access port will have a RADIUS supplicant, perhaps when users at different branch sites connect devices with different RADIUS capabilities to the port.

Explanations for these authentication options and other port usage settings are provided below.

Wired Connectivity

Toggle OFF to allow clients to connect to the port without requiring user authentication.

Toggle ON to enable user authentication through EAP/802.1X and RADIUS. Configure a default RADIUS server group and, if you want different APs to use different RADIUS servers based on their location, select Apply RADIUS server groups to devices via classification and select or configure additional RADIUS server groups.

Note

For information about configuring RADIUS server groups and classification rules, see External RADIUS Server Settings.

MAC Authentication

Toggle OFF to allow clients to connect to the port without requiring MAC authentication.

Toggle ON to enable device authentication using its MAC address as both user name and password. When a client without a RADIUS supplicant connects, the RADIUS server tries MAC authentication, also referred to as MAB (MAC authentication bypass).

Authentication Protocol: Choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS CHAP V2 (Microsoft CHAP Version 2), depending on which protocol the RADIUS authentication server supports. If you are using an Extreme Networks RADIUS server, use the default choice: PAP. For an external RADIUS authentication server, choose the protocol that it supports. The Extreme Networks device functioning as the RADIUS authenticator uses the chosen protocol to authenticate communications between itself and the RADIUS server when submitting client credentials (its MAC address) for authentication.

If you already enabled User Authentication on the Wired Connectivity tab and configured one or more RADIUS server groups for that, those will also be the servers for MAC authentication. If you are enabling only MAC authentication on the access port, then you must define a default RADIUS server group and optionally other groups via classification.

Note

For information about configuring RADIUS server groups and classification rules, see External RADIUS Server Settings.

Apply RADIUS server groups to devices via classification: After setting a default RADIUS server group, select this check box to use device classification to assign different RADIUS server groups to Extreme Networks devices at various locations.

Multiple Clients: If you want to allow multiple client devices to connect to the port through a hub, select the check box for Allow multiple clients connected to the same port on the same VLAN. However, be aware that only the first one needs to authenticate successfully for all others to connect as well. To cancel this action, clear the check box.

Primary authentication using: When both Wired Connectivity and MAC Authentication are enabled, this option allows you to control which authentication method is attempted first. For example, if you set Primary authentication using 802.1X (the default setting), the RADIUS authentication server first attempts to prompt the client for a user name and password. If the client has a RADIUS supplicant, it will have to submit a valid user and password to pass the authentication check. If the client does not have a RADIUS supplicant, the RADIUS server then tries to authenticate the client using its MAC address as both user name and password. If one of the authentication methods succeeds, the client is allowed on the network. If neither succeeds, the client is denied network access.

If you want to change the authentication sequence so that MAC authentication is attempted first, set Primary authentication using MAC.

User Access Settings

Default User Profile: Set the user profile that you want the router to apply by default to users connecting to the port. Either select and select an existing user profile, or select + and create a new one (see User Profile Settings).

Traffic Filter Management

Select which management and diagnostic services—SSH, Telnet, Ping, and SNMP—to allow access to the mgt0 interface through the access port.

Trunk Port

Configure the following settings for trunk ports connected to network forwarding devices such as switches and APs that support multiple VLANs on trunk ports. Because the intention of this type of port is to connect with other forwarding devices rather than individual hosts, there is no section for authentication.

Trunk Port (802.1Q VLAN Tagging): (select)

VLAN Object: Set the native (untagged) VLAN and all VLANs that you want the port to support.

Native VLAN: The native (untagged) VLAN is the VLAN assigned to frames that do not have any 802.1Q VLAN tags in their headers. By default, Extreme Networks devices use VLAN 1 as the native VLAN.

Allowed VLANs: Enter the VLANs—including the native VLAN—that you want the trunk port to allow. You can list the VLANs individually, separated by commas, or as a range of VLANs using a hyphen. Alternatively, you can enter the word all into this field to support all existing VLANs previously configured in the network policy. (The default is all.)

Note

When you enter all, the router does not allow all VLANs from 1 to 4094. Instead it allows all VLANs configured in the network policy.

Traffic Filter Management: Select which management and diagnostic services—SSH, Telnet, Ping, and SNMP—to allow access to the mgt0 interface through the trunk port.

WAN Port

Because a WAN port connects to an external network such as the Internet, there are no additional settings for authentication, VLANs, or traffic filters.

WAN Port: (select)

Note

Because the ETH0 and USB ports are always enabled as WAN links, they must be set as primary backup1, or backup2. Consequently, you can set one additional Ethernet port as a WAN link.

Port Settings Tab

The Port Settings tab shows the transmission type (auto, half-duplex, or full duplex) and the speed settings (auto, 10 Mbps, 100 Mbps, 1000 Mbps) for the Ethernet ports. You can change these settings here. The transmission types are described below:

Transmission Type: To configure the router to negotiate the optimal transmission type, choose Auto. To configure the router to support concurrent bidirectional data transmission, choose Full-Duplex. To configure the router to support data transmission in onedirection at a time, choose Half-Duplex. By default, routers automatically negotiate the transmission type.

Note

If you set the transmission type as Full-Duplex or Half-Duplex, you must also set the speed to 10, 100, or 1000 Mbps. If either the transmission type or speed is set as Auto, the router will automatically negotiate both the transmission type and speed.

Speed: Set the connection speed between the LAN interface on the AP and the Ethernet port on the forwarding device to which the AP is cabled. To configure the AP to negotiate the optimal transmission speed with the other device, choose Auto. To set a specific speed, choose either 10 Mbps, 100 Mbps, or 1000 Mbps. By default, routers automatically negotiate the transmission speed.

Note

If you set the speed to 10, 100, or 1000 Mbps, you must also set the transmission type as Full-Duplex or Half-Duplex. If you set either as Auto, the router will automatically negotiate both the transmission type and speed.

PSE Tab

On the PSE tab you can set how the ETH1/PoE and ETH2/PoE interfaces provide PoE (Power over Ethernet) to PDs (powered devices) such as VoIP phones, wireless access points, and network cameras. These interfaces are IEEE802.3af and IEEE802.3at PSE (Power Sourcing Equipment) compliant, as described here:

• The IEEE 802.3af PoE standard provides up to 12.95 W of DC power to each device (this rate reflects normal power loss through cables). 802.3af meets the power demands of Class 0, 1, 2, and 3 devices.
• With 802.3af extended, the maximum power a PoE-enabled interface can deliver is 18 W of DC power.
• The IEEE 802.3at PoE standard provides up to 25.5 W of DC power to each device (this rate reflects normal power loss through cables). 802.3at meets the power demands of Class 4 devices.

Note

Cables for powered devices should not exceed a maximum length of 328 feet, (100 meters). If you use cables that exceed this length, the devices might not receive adequate power to operate.

The router balances PoE power output automatically. For example, if a device connected to ETH1 requires more power than the port can provide, and if ETH1 has the higher priority, ETH2 shuts down and shifts all remaining power to ETH1. The router generates a log for every shutdown event. Its power budget is 30.8 W.

Add and Modify Port Types

ExtremeCloud IQ includes predefined Ethernet and USB port types, which cannot be edited.

When you have configured or modified the Ethernet or USB port type, select Saveto save your changes and return to the Port Configuration window.

Add and Modify User Profiles

ExtremeCloud IQ includes predefined internal and guest profiles, which cannot be edited. Administrators can create custom internal and guest profiles, which can be added and modified in User Profile Settings.

Select Save.

Revert Interface Settings to the Network Policy Settings

At the end of each interface row, there is a Revert icon. If there are any changes to that row, select to display the Revert dialog box. Select Revert to return the interface row settings to those defined in the network policy.

Configure a USB Modem

A USB modem is a popular choice for a backup WAN. Extreme Networks has tested the following USB modems and approved them for use with XR200P, XR600P, and BR200WP routers:

• Skyus DS
• Verizon U620L
• Verizon Pantech UML290
• ConnectedIO LT1000

Although these modems are officially supported, others might work as well. You can upload a modem definition file for modems that are not on this list.

You can configure USB modem mobile carrier settings, including APN, dialup command, user name, and password, as follows:

Revert USB Modem to the Network Policy Definition

At the end of the USB row, there is a Revert icon. Select this icon to display the Revert dialog box. Select Revert to return the USB row settings to those defined in the network policy.

Note

The advanced modem settings are not changed by reverting the USB row settings to those defined in the network policy.