ExtremeCloud Quick Reference
Prerequisites
ExtremeCloud lets you configure and monitor your network easily and securely, with zero-touch provisioning.

Note
If you do not plan to use ExtremeCloud, see your device's product-specific Quick Reference instead.The following prerequisites must be met before you can register your devices:
- Purchase and receive a supported device.
- Locate the Welcome email with a
service contract number.
Note
Former Azara users do not receive or require a contract number. - Forward the Welcome email to your network administrator.
- Identify the location and site where the device will be deployed.
- Meet the network requirements.
- Meet the additional requirements stated in the
ExtremeCloud Release Notes.
Note
If your existing network is also using Extreme Networks wireless controllers, you must configure the controllers to accept only the manually approved access points (APs). This action prevents the cloud-enabled APs from connecting to the controller. Note that the AP connection is not predicted in the case of both an on-premise controller and the cloud server accepting an AP.
Network Requirements
- Your company has configured one or more DHCP servers that can issue IP addresses and a DNS server address to ExtremeCloud-managed APs, switches, and both wired and wireless users.
- HTTPS traffic must be allowed through your firewall on port 443 towards devices.extremenetworks.com for ExtremeCloud-managed APs and switches to connect to ExtremeCloud and receive their configuration, software updates and send analytics.
- Make sure your content filter is allowing access to Amazon Web Services (AWS).
- Verify that Network Time Protocol (NTP) is allowed out through your firewall on port 123 so that the APs can submit NTP queries to pool.ntp.org to set their clocks.
- Each site must have L2 connectivity. The APs within a site operate within a single RF domain and therefore must have L2 connectivity to function properly.
- The best practice is to use a single VLAN for all the APs in a site instead of distributing the site's APs over multiple VLANs. If you decide to distribute a site's APs over multiple VLANs, then you must allow either routing or forwarding of SIAPP multicast between those VLANS.
ExtremeCloud-enabled devices need to be able to access several different application servers in order to provide their full functionality. Verify that your firewall is allowing ExtremeCloud-enabled devices behind it to access to the following domains and ports:
Firewall Requirements and Port List
Component | Ports for AP/Cloud Communication | ||||||
---|---|---|---|---|---|---|---|
Source | Destination / Domain Name | Protocol | Src Port | Dest Port | Service | Remark | Open Firewall |
Admin Console | ezcloudx.com | TCP | Any | 443 | HTTPS | Access the ExtremeCloud management application. | Required |
Admin Console / API integrated systems | api.ezcloudx.com | TCP | Any | 443 | HTTPS | Application access to the backend services managing ExtremeCloud-enabled devices. | Required |
Access Point & Switches | devices.extremenetworks.com | TCP | Any | 443 | HTTPS | Management Tunnel between AP and ExtremeCloud (configuration, image, statistics, upgrade, traces). | Required |
Access Points & Switches | NTP Server | UDP | Any | 123 | NTP | Clock synchronization. | Required |
Access Points | radius.ezcloudx.com | UDP | Any | 1812, 1813 | RADIUS | The integrated captive portal solution requires a cloud RADIUS lookup for each wireless client authentication using the captive portal. | Required if using the built-in captive portal |
Access Points | cp.ezcloudx.com | TCP | Any | 443, 80 | HTTP, HTTPS | Used by the integrated captive portal solution hosted at cp.ezcloudx.com. Access to the portal is required to ensure wireless clients can authenticate using the captive portal. | Required if using the built-in captive portal |
Access Points & Switches | http://aptransient-eu-central-1.s3.eu-central-1.amazonaws.com/ | TCP | Any | 443 | HTTPS | Used by ExtremeCloud-enabled devices that, on command, may upload tech support files to storage managed by this application. | Required |
Access Points & Switches | http://extremeimages.s3.amazonaws.com/ | TCP | Any | 443 | HTTPS | Required to successfully upgrade ExtremeCloud managed devices. The IP range for the S3 bucket is: { "ip_prefix": "52.219.72.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "52.219.44.0/22", "region": "eu-central-1", "service": "S3" } { "ip_prefix": "52.92.68.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "54.231.192.0/20", "region": "eu-central-1", "service": "S3" }, | Required |
Any | Access Point | TCP | Any | 2002, 2003 | RCAPD | Collect WireShark traces using AP Real Capture, if enabled. | Optional |
WiNG APs | mgmt.devices.extremenetworks.com | TCP | Any | 443 | HTTPS |
Management tunnel between WiNG AP and ExtremeCloud |
Required - Allows outbound connections from devices to ExtremeCloud over the various ports listed. This is typically not an issue as these ports are usually open already. |
System Limits
The following table shows the system limits:
System Limits for ExtremeCloud
Item | Maximum Number |
---|---|
Accounts per customer | 1 |
Sites per account | 2,500 |
Access points per account | 10,000 |
Switches per account | Unlimited |
Access points per site | 100 ExtremeWireless / 128 ExtremeWireless WiNG |
Switches per site | Unlimited |
User per site | 2,000 |
Roles per access point | 64 |
Rules per role | 64 |
Active networks per account | 8 |
Administrator accounts per customer | 20 |
Rate limiters per account | 16 (8 inbound and 8 outbound) |
Rate limiters per site | 16 (8 inbound and 8 outbound) |
MAC addresses in a customer blacklist | 768 |
Licensing Grace Period
- 90-day warning in the user
interface before the
license expires:
- Warnings display in the heading of the main dashboard
- View the list of expiring entitlements under
- During the 90 days prior to license expiry, ExtremeCloud provides the device with full functionality. After the license expires, the device is not eligible for support and its configuration cannot be changed.
- 90-day grace period to renew the license after the license expires. The devices are not configurable during the grace period.
- After the 90-day grace period expires:
- The device is completely ignored. It cannot be configured, and its statistics and events are discarded.
- Depending on the device model, the device resets to factory default settings. Typically, the device continues to run on the latest image it was upgraded to before the reset.
- All cloud-managed devices will start trying to discover an Extreme Networks cloud manager as if it never had a manager before.
Creating or Updating Your Account
- Locate your Welcome email from Extreme Networks.
- Click the activation link in the Welcome email and follow the on-screen instructions.
- (Optional) Enable two-step account verification. For more information, see the ExtremeCloud Information Center.
Using the Deployment Prerequisite Tool
An administrator can download and run a prerequisite tool to verify that installation requirements have been met before installing cloud-managed access points and switches at a site. The tool checks requirements specific to ExtremeCloud and performs tasks such as making REST API calls to your REST servers, looking up your FQDNs in DNS, and verifying that your Amazon S3 connection is enabled.
This tool is compatible with Windows, Linux, and Mac OS X devices.
To download and use the prerequisite tool:
- Log on to the machine that is on the same subnet that your access points (APs) are deployed on. You will need to run the executable file on this same subnet.
- Download the zip file
(ezcloud_prerequisite_validation_tool.zip), which contains the tool in the form of binary
executable files, a Readme, and a license file. The link to download the zip file is
available from the following locations:
- On the ExtremeCloud login screen
in the bottom right corner. Login Screen
- From the drop-down list located on
the top right corner of the user interface, under your user name.Drop-down List
- On the ExtremeCloud login screen
in the bottom right corner.
- Run the binary executable file that is
suitable for your operating system. The tool checks the local machine and a summary report
is returned. All of the items on the list must pass the test in order to deploy the
product. If any item fails, fix it and then repeat this procedure until everything passes.
Then proceed with deployment of your devices.Prerequisite Tool Summary Report
Device Adoption Rules
The device adoption feature simplifies the deployment of access points (APs) and switches by automatically assigning them to a site. A set of rules determines the site assignments when devices are registered for the first time. Without adoption rules, devices must be manually assigned to sites.
- Create a site ( ).
- Configure the adoption rules for the site ( ).
- Connect the devices to ExtremeCloud.
Connecting ExtremeSwitches
Whether you are using cloud-support ExtremeXOS switches or Extended Edge Switching in your environment, the connection process is the same. Connect all of the switches before you connect the APs. ExtremeCloud-enabled switches are not required to use ExtremeCloud-enabled APs.
Zero Touch Provisioning (ZTP) is provided on all cloud-supported switches.
- Determines if the switch is capable of being a CB.
- Detects if any BPE are attached.
- Enables VPEX mode on the CB.
- Assigns the next available slot number to each BPE.
- Configures the CB ports where the BPE(s) are connected to be LAGs.
- Upgrades the CB and VPEX, when upgrades are available.
To connect switches:
- If you plan to use device adoption rules, set up sites with the adoption rules before connecting the devices.
- Install the switch hardware and connect the power according to the product-specific Installation Guide.
- Connect one of the switch
Ethernet payload ports to a network that provides Internet access. The switch should be
connected through one of its data plane ports if possible, rather than through its
management port.The switch automatically connects with ExtremeCloud and downloads the firmware image over HTTPS. The switch automatically upgrades its firmware, reconnects to ExtremeCloud and receives a default configuration. All ports, except the management port, are placed on the same untagged management VLAN.
Note
For an entitled switch to locate and connect to ExtremeCloud, only one port can be connected. After the connection is established, additional ports can be connected. - Verify that the management
LED indicates that the switch is powered on and has completed its start-up sequence.
Note
The LED should be blinking green slowly at the rate of about once per second. - Log in to your ExtremeCloud
administrator account at https://ezcloudx.com. On the first login, the configuration wizard opens. Use
the wizard to update the network security key of the predefined wireless network.
Note
Alternatively, you can exit the wizard and configure your own networks. For more information, see the ExtremeCloud Information Center. - From the user interface,
select
Note
Typically the switch takes a few minutes to connect with ExtremeCloud.
. The status icon changes from gray (Undiscovered) to either green, yellow,
or red. As the switch cycles through upgrade and configuration, its state will change
color in the user interface several times. The switch is ready to use when the status is
either green (in service) or yellow (in service, trouble). - Repeat these steps for all
cloud-enabled switches.
Note
If a switch persistently fails or its status remains gray or red for more than 20 minutes, contact Support.Note
10 Gbps licenses are available to enable 2 or 4 uplink ports for 10Gbps operation. This is a separately licensed feature. To assign licenses to a switch, select . The Assign Licenses option only displays when unassigned licenses are available.
Connecting APs
If you are using ExtremeWireless WiNG AP7612, AP7632, or AP7662, make sure that your firmware is upgraded to 5.9.2.2 or higher (and 5.9.2.5 is recommended) to connect to ExtremeCloud. For instructions, see this GTAC article: https://gtacknowledge.extremenetworks.com/articles/Solution/ExtremeCloud-WiNG-Access-Points-not-connecting-to-ezcloudx-com or refer to the ExtremeWireless WiNG AP-specific user documentation.
Follow this process to connect the APs to ExtremeCloud:
- If you plan to use device adoption rules, set up sites with the adoption rules before connecting the devices.
- Connect your AP's LAN 1 or LAN 2 to either a switch that allows the AP to connect to the Internet, or connect to an Ethernet network port with Internet connection. Apply power to the AP using either PoE from the switch or a separate external transformer. For more information, see the product-specific Installation Guide. For product documentation online, visit: https://www.extremenetworks.com/documentation/
- The AP discovers ExtremeCloud and gets registered automatically, typically in a few minutes. The default SSID (Staff) is broadcast when the AP connects to the service.
- Look at the physical AP and verify that
the Radio 1 and Radio 2 LEDs are solid green, which indicates that the AP is activated in
the cloud.
The following table shows the LED patterns and the associated status for ExtremeWireless APs when they are connected to cloud management.
LED Patterns for ExtremeWireless APs Connecting with ExtremeCloud
Radio B/G LED (Left) Radio A LED (Right) Status LED AP Detailed State Off Off Blink green Initialization: Power-on self test (POST) Blink green Blink green Initialization: Random delay Blink red Initialization: No Ethernet Solid green Blink green Initialization: Vulnerable period (not supported) Blink red Reset to factory defaults Blink green Off Blink green or orange Network discovery: 802.1x authentication Blink red Failed 802.1x authentication Blink green Blink green or orange Network discovery: DHCP Blink red Default IP address Solid green Blink green or orange Network discovery: discovery/connect Blink red Discovery failed - Green - Radio On
- Off - Radio Off
- Green - Radio On
- Off - Radio Off
Solid green Connected The following table shows the LED patterns and the associated status for ExtremeWireless WiNG APs when they are connected to cloud management.
LED Patterns for ExtremeWireless WiNG APs Connecting with ExtremeCloud
Task 5 GHz Activity LED (Amber) 2.4 GHz Activity LED (Green) Unconfigured Radio On On Normal Operation - If this radio band is enabled: Blinks at 5-second intervals
- If this radio band is disabled: Off
- If there is activity on this band: Blinks at 1 time per second
- If this radio band is enabled: Blinks at 5-second intervals
- If this radio band is disabled: Off
- If there is activity on this band: Blinks at 1 time per second
Firmware Update On Off Locate AP Mode LEDs blink in an alternating green, red and amber pattern using an irregular blink rate. This LED state in no way resembles normal operating conditions. LEDs blink in an alternating green, red and amber pattern using an irregular blink rate. This LED state in no way resembles normal operating conditions. - Log in to your administrator account at https://ezcloudx.com. On the first login, the configuration wizard opens. Use the wizard to update the network security key of the predefined wireless network. Alternatively, you can exit the wizard and configure your own networks. For more information, see "How to Set Up Your Network" in the ExtremeCloud Information Center.
- Select Devices list. If the AP is not listed in your account, this usually indicates there is no subscription coverage for your device. You may need to contact Sales for assistance, for all other inquires contact Support. and look for the device in your

Note
If an AP persistently fails or its status remains gray or red for more than 20 minutes, contact Support.