ExtremeCloud™ IQ Agent Support

ExtremeXOS provides support for ExtremeCloud IQ. Currently, device discovery, basic monitoring, and visibility into homogenous stacking are supported. ExtremeXOS also has the ability to configure an optional user-defined virtual router (VR) and address of the server for ExtremeCloud IQ agent to connect to. These values are used instead of any auto-detected values.

In addition, users can configure the IQ Agent HTTP Proxy server IP and port, and define the username and password, if required.

To configure a server VR or address, use the following command:

configure iqagent server [vr [vr-name | none] | ipaddress [fqdn | ip_address| none]]

ExtremeCloud IQ supports BGP Auto-peering (see Auto-peering Introduction).

To configure the HTTP proxy, use the following command:

configure iqagent http-proxy [ipaddress [fqdn | ip_address] port port_number | user user_name password [encrypted encrypted_password | password] | none]

You can enable or disable the IQ Agent with the following commands:
Important

Important

Disabling IQ Agent prevents all access to ExtremeCloud IQ. Any current activity with ExtremeCloud IQ, including remote SSH sessions, are disconnected immediately. Re-enabling IQ Agent can only occur by using the enable command by either console or Telnet or SSH access. Disabling IQ Agent deactivates automatic DHCP access on VLAN Mgmt, which is required for Zero-Touch Provisioning (ZTP).

enable iqagent

disable iqagent

To view information about IQ Agent, use the following command:

show iqagent discovery

For more information about ExtremeCloud IQ, go to https://www.extremenetworks.com/support/documentation/extremecloud-iq/.

Table 1. Supported Platforms
Switch Series Switch Models
ExtremeSwitching X435

X435-8T-4S

X435-8P-4S

X435-8P-2T-W

X435-24T-4S

X435-24P-4S

ExtremeSwitching X440-G2

X440-G2-24P-10GE4

X440-G2-48P-10GE4

X440-G2-12T-10GE4

X440-G2-12P-10GE4

X440-G2-24T-10GE4

X440-G2-48T-10GE4

ExtremeSwitching X450-G2

X450-G2-24P-10GE

X450-G2-48P-10GE

X450-G2-24P-GE4

X450-G2-48P-GE4

ExtremeSwitching X460-G2

X460-G2-24P-10GE4

X460-G2-48P-10GE4

X460-G2-16MP-32P-10GE4

X460-G2-24P-48HP-10GE4

ExtremeSwitching X465

X465-48P

X465-24MU-24W

X465-24W

X465-48W

X465-24MU

ExtremeSwitching 5320

5320-48T-8XE

5320-48P-8XE

5320-24T-8XE

5320-24P-8XE

5320-16P-4XE

5320-16P-4XE-DC

ExtremeSwitching 5420

5420F-8W-16P-4XE

5420F-24P-4XE

5420F-24S-4XE

5420F-24T-4XE

5420F-16MW-32P-4XE

5420F-16W-32P-4XE

5420F-48P-4XE

5420F-48P-4XL

5420F-48T-4XE

5420M-24T-4YE

5420M-24W-4YE

5420M-16MW-32P-4YE

5420M-48T-4YE

5420M-48W-4YE

ExtremeSwitching 5520

5520-24T

5520-24W

5520-48T

5520-48W

5520-12MW-36W

5520-24X

5520-48SE

IQ Agent and ExtremeCloud IQ Communication

After the IQ Agent is enabled, communication forms between the IQ Agent and extremecloudiq.com by secure HTTPS communication using destination TCP port 443. Communication between the IQ Agent and ExtremeCloud IQ occurs every 30 seconds, which includes check-in to ExtremeCloud IQ for actions, and includes CPU, memory, FDB information, Syslog, and ports statistics information. Note that data plane traffic is not sent to ExtremeCloud IQ by the IQ Agent.

Note that Telnet and SSH do not permit access to ‘hivemanager‘ account, which the IQ Agent creates for its own purpose and uses it for all cloud-initiated SSH connections through local host, so logging on to this account through Telnet or SSH is not allowed.

IQ Agents use SNMPv2 (enabled only for internal requests) to monitor the status of the switch.

Distributed Denial of Service Support for IQ Agent

Distributed Denial of Service (DDoS) support for IQ Agent installs a filter on HTTPS L4 ports to set a CPU queue (QoS 5) that separates IQ Agent traffic from other IP exceptions. This new ACL redirects TCP traffic with source port 443 (default HTTPS port) to CPU queue 5. The IQ Agent system ACL is installed or uninstalled along with the L3 Unicast Miss (L3UCMiss) filter.

Automation of this feature is only supported on ExtremeSwitching X695, 5320, 5420, and 5520 series switches.

You can manually install the ACL to redirect IQ Agent traffic to CPU queue 5 on smaller switches with 8 ACL slices (for example, X440-G2, X435, X620) by running the following command:

# configure access-list iqagent.pol any

iqagent.pol:
entry iqagent_cpu5 {
  if {
    protocol tcp;
    source-port 443;
  } then {
    traffic-queue cpu_q_5;
  }
}