ExtremeCloud Quick Reference

Prerequisites

ExtremeCloud lets you configure and monitor your network easily and securely, with zero-touch provisioning.

Note

If you do not plan to use ExtremeCloud, see your device's product-specific Quick Reference instead.

The following prerequisites must be met before you can register your devices:

  • Purchase and receive a supported device.
  • Locate the Welcome email with a service contract number.
    Note

    Former Azara users do not receive or require a contract number.
  • Forward the Welcome email to your network administrator.
  • Identify the location and site where the device will be deployed.
  • Meet the network requirements.
  • Meet the additional requirements stated in the ExtremeCloud Release Notes.
    Note

    If your existing network is also using Extreme Networks wireless controllers, you must configure the controllers to accept only manually approved access points (APs). This action prevents the cloud-enabled APs from connecting to the controller. If both an on-premise controller and the cloud server accept an AP, which of the two the AP connects to is not predictable.

Network Requirements

You must meet the following network requirements:
  • Your company has configured one or more DHCP servers that can issue IP addresses and a DNS server address to ExtremeCloud-managed APs, switches, and both wired and wireless users.
  • HTTPS traffic must be allowed through your firewall on port 443 towards devices.extremenetworks.com so that ExtremeCloud-managed APs and switches can connect to ExtremeCloud, receive their configuration and software updates, and send analytics.
  • Make sure your content filter is allowing access to Amazon Web Services (AWS).
  • Verify that Network Time Protocol (NTP) is allowed out through your firewall on port 123 so that the APs can submit NTP queries to pool.ntp.org to set their clocks.
  • Each site must have L2 connectivity. The APs within a site operate within a single RF domain and therefore must have L2 connectivity to function properly.
  • The best practice is to use a single VLAN for all the APs in a site instead of distributing the site's APs over multiple VLANs. If you decide to distribute a site's APs over multiple VLANs, then you must allow either routing or forwarding of SIAPP multicast between those VLANs.

ExtremeCloud-enabled devices need to be able to access several different application servers in order to provide their full functionality. Verify that your firewall allows ExtremeCloud-enabled devices behind it to access the following domains and ports:

Firewall Requirements and Port List

Component Ports for AP/Cloud Communication

| Source | Destination / Domain Name | Protocol | Src Port | Dest Port | Service | Remark | Open Firewall |
|---|---|---|---|---|---|---|---|
| Admin Console | ezcloudx.com | TCP | Any | 443 | HTTPS | Access the ExtremeCloud management application. | Required |
| Admin Console / API integrated systems | api.ezcloudx.com | TCP | Any | 443 | HTTPS | Application access to the backend services managing ExtremeCloud-enabled devices. | Required |
| Access Point & Switches | devices.extremenetworks.com | TCP | Any | 443 | HTTPS | Management Tunnel between AP and ExtremeCloud (configuration, image, statistics, upgrade, traces). | Required |
| Access Points & Switches | NTP Server | UDP | Any | 123 | NTP | Clock synchronization. | Required |
| Access Points | radius.ezcloudx.com | UDP | Any | 1812, 1813 | RADIUS | The integrated captive portal solution requires a cloud RADIUS lookup for each wireless client authentication using the captive portal. | Required if using the built-in captive portal |
| Access Points | cp.ezcloudx.com | TCP | Any | 443, 80 | HTTP, HTTPS | Used by the integrated captive portal solution hosted at cp.ezcloudx.com. Access to the portal is required to ensure wireless clients can authenticate using the captive portal. | Required if using the built-in captive portal |
| Access Points & Switches | http://aptransient-eu-central-1.s3.eu-central-1.amazonaws.com/ | TCP | Any | 443 | HTTPS | Used by ExtremeCloud-enabled devices that, on command, may upload tech support files to storage managed by this application. | Required |
| Access Points & Switches | http://extremeimages.s3.amazonaws.com/ | TCP | Any | 443 | HTTPS | Required to successfully upgrade ExtremeCloud managed devices. The IP range for the S3 bucket is: { "ip_prefix": "52.219.72.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "52.219.44.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "52.92.68.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "54.231.192.0/20", "region": "eu-central-1", "service": "S3" } | Required |
| Any | Access Point | TCP | Any | 2002, 2003 | RCAPD | Collect WireShark traces using AP Real Capture, if enabled. | Optional |
| WiNG APs | mgmt.devices.extremenetworks.com | TCP | Any | 443 | HTTPS | Management tunnel between WiNG AP and ExtremeCloud | Required - Allows outbound connections from devices to ExtremeCloud over the various ports listed. This is typically not an issue as these ports are usually open already. |
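
The following Python is an added example, not part of the original page or of any Extreme Networks tool: it audits an egress allowlist against the required flows in the table above and reports the ones no rule permits. The rule format, the zone names (admin, device) and the sample rules are constructed for illustration, and pool.ntp.org stands in for the table's "NTP Server" entry, as named in the Network Requirements list.

```python
from fnmatch import fnmatchcase

# Required flows transcribed from the Firewall Requirements and Port List table:
# (source zone, destination, protocol, destination ports, captive-portal-only)
REQUIRED = [
    ("admin", "ezcloudx.com", "tcp", {443}, False),
    ("admin", "api.ezcloudx.com", "tcp", {443}, False),
    ("device", "devices.extremenetworks.com", "tcp", {443}, False),
    ("device", "pool.ntp.org", "udp", {123}, False),
    ("device", "radius.ezcloudx.com", "udp", {1812, 1813}, True),
    ("device", "cp.ezcloudx.com", "tcp", {80, 443}, True),
    ("device", "aptransient-eu-central-1.s3.eu-central-1.amazonaws.com", "tcp", {443}, False),
    ("device", "extremeimages.s3.amazonaws.com", "tcp", {443}, False),
    ("device", "mgmt.devices.extremenetworks.com", "tcp", {443}, False),  # WiNG APs
]

# Constructed sample policy in a hypothetical rule format (not a vendor syntax).
SAMPLE_RULES = [
    {"src": "any", "dest": "*.ezcloudx.com", "proto": "tcp", "ports": {443}},
    {"src": "device", "dest": "*.extremenetworks.com", "proto": "tcp", "ports": {443}},
    {"src": "device", "dest": "*.amazonaws.com", "proto": "tcp", "ports": {443}},
    {"src": "device", "dest": "pool.ntp.org", "proto": "udp", "ports": {123}},
]


def missing_flows(rules, captive_portal=False):
    """Return required (source, destination, protocol, port) tuples that no rule allows."""
    gaps = []
    for src, dest, proto, ports, portal_only in REQUIRED:
        if portal_only and not captive_portal:
            continue  # RADIUS and cp.ezcloudx.com matter only with the built-in portal
        for port in sorted(ports):
            allowed = any(
                rule["src"] in (src, "any")
                and fnmatchcase(dest, rule["dest"])  # "*.example" does not match the apex
                and rule["proto"] == proto
                and port in rule["ports"]
                for rule in rules
            )
            if not allowed:
                gaps.append((src, dest, proto, port))
    return gaps


if __name__ == "__main__":
    for gap in missing_flows(SAMPLE_RULES, captive_portal=True):
        print("not allowed:", gap)
```

With the sample policy, the wildcard `*.ezcloudx.com` covers api.ezcloudx.com but not the apex ezcloudx.com, so the admin console flow is reported as missing; enabling the captive portal additionally reports the RADIUS UDP ports and port 80 to cp.ezcloudx.com.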

System Limits

The following table shows the system limits:

System Limits for ExtremeCloud

| Item | Maximum Number |
|---|---|
| Accounts per customer | 1 |
| Sites per account | 2,500 |
| Access points per account | 10,000 |
| Switches per account | Unlimited |
| Access points per site | 100 ExtremeWireless / 128 ExtremeWireless WiNG |
| Switches per site | Unlimited |
| Users per site | 2,000 |
| Roles per access point | 64 |
| Rules per role | 64 |
| Active networks per account | 8 |
| Administrator accounts per customer | 20 |
| Rate limiters per account | 16 (8 inbound and 8 outbound) |
| Rate limiters per site | 16 (8 inbound and 8 outbound) |
| MAC addresses in a customer blacklist | 768 |

Licensing Grace Period

ExtremeCloud expiring licenses are handled as follows:
  • 90-day warning in the user interface before the license expires:
    • Warnings display in the heading of the main dashboard
    • View the list of expiring entitlements under Administration > System > Expiring Entitlements
  • During the 90 days prior to license expiry, ExtremeCloud provides the device with full functionality. After the license expires, the device is not eligible for support and its configuration cannot be changed.
  • 90-day grace period to renew the license after the license expires. The devices are not configurable during the grace period.
  • After the 90-day grace period expires:
    • The device is completely ignored. It cannot be configured, and its statistics and events are discarded.
    • Depending on the device model, the device resets to factory default settings. Typically, the device continues to run on the latest image it was upgraded to before the reset.
    • All cloud-managed devices start trying to discover an Extreme Networks cloud manager as if they never had a manager before.

Creating or Updating Your Account

Whether you are creating a new ExtremeCloud Default Administrator account or are adding a device to an existing account, follow these steps:
  1. Locate your Welcome email from Extreme Networks.
  2. Click the activation link in the Welcome email and follow the on-screen instructions.
  3. (Optional) Enable two-step account verification. For more information, see the ExtremeCloud Information Center.

Using the Deployment Prerequisite Tool

An administrator can download and run a prerequisite tool to verify that installation requirements have been met before installing cloud-managed access points and switches at a site. The tool checks requirements specific to ExtremeCloud and performs tasks such as making REST API calls to your REST servers, looking up your FQDNs in DNS, and verifying that your Amazon S3 connection is enabled.

This tool is compatible with Windows, Linux, and Mac OS X devices.

To download and use the prerequisite tool:

  1. Log on to a machine that is on the same subnet as the one on which your access points (APs) are deployed. You must run the executable file from this subnet.
  2. Download the zip file (ezcloud_prerequisite_validation_tool.zip), which contains the tool in the form of binary executable files, a Readme, and a license file. The link to download the zip file is available from the following locations:
    • On the ExtremeCloud login screen in the bottom right corner.
      [Figure: Login Screen]
    • From the drop-down list located on the top right corner of the user interface, under your user name.
      [Figure: Drop-down List]
  3. Run the binary executable file that is suitable for your operating system. The tool checks the local machine and a summary report is returned. All of the items on the list must pass the test in order to deploy the product. If any item fails, fix it and then repeat this procedure until everything passes. Then proceed with deployment of your devices.
    [Figure: Prerequisite Tool Summary Report]

Device Adoption Rules

The device adoption feature simplifies the deployment of access points (APs) and switches by automatically assigning them to a site. A set of rules determines the site assignments when devices are registered for the first time. Without adoption rules, devices must be manually assigned to sites.

To use the adoption rules feature:
  1. Create a site (Configure > Site).
  2. Configure the adoption rules for the site (Configure > Adoption).
  3. Connect the devices to ExtremeCloud.

Connecting ExtremeSwitches

Whether you are using cloud-supported ExtremeXOS switches or Extended Edge Switching in your environment, the connection process is the same. Connect all of the switches before you connect the APs. ExtremeCloud-enabled switches are not required to use ExtremeCloud-enabled APs.

Zero Touch Provisioning (ZTP) is provided on all cloud-supported switches.

For Extended Edge Switching, ZTP performs the following tasks automatically:
  • Determines if the switch is capable of being a CB.
  • Detects if any BPE are attached.
  • Enables VPEX mode on the CB.
  • Assigns the next available slot number to each BPE.
  • Configures the CB ports where the BPE(s) are connected to be LAGs.
  • Upgrades the CB and VPEX, when upgrades are available.

To connect switches:

  1. If you plan to use device adoption rules, set up sites with the adoption rules before connecting the devices.
  2. Install the switch hardware and connect the power according to the product-specific Installation Guide.
  3. Connect one of the switch Ethernet payload ports to a network that provides Internet access. The switch should be connected through one of its data plane ports if possible, rather than through its management port.
    Note

    For an entitled switch to locate and connect to ExtremeCloud, only one port can be connected. After the connection is established, additional ports can be connected.
    The switch automatically connects with ExtremeCloud and downloads the firmware image over HTTPS. The switch automatically upgrades its firmware, reconnects to ExtremeCloud and receives a default configuration. All ports, except the management port, are placed on the same untagged management VLAN.
  4. Verify that the management LED indicates that the switch is powered on and has completed its start-up sequence.
    Note

    The LED should be blinking green slowly at the rate of about once per second.
  5. Log in to your ExtremeCloud administrator account at https://ezcloudx.com. On the first login, the configuration wizard opens. Use the wizard to update the network security key of the predefined wireless network.
    Note

    Alternatively, you can exit the wizard and configure your own networks. For more information, see the ExtremeCloud Information Center.
  6. From the user interface, select Monitor > Devices > Switches. The status icon changes from gray (Undiscovered) to either green, yellow, or red. As the switch cycles through upgrade and configuration, its state will change color in the user interface several times. The switch is ready to use when the status is either green (in service) or yellow (in service, trouble).
    Note

    Typically the switch takes a few minutes to connect with ExtremeCloud.
  7. Repeat these steps for all cloud-enabled switches.
    Note

    If a switch persistently fails or its status remains gray or red for more than 20 minutes, contact Support.
    Note

    10 Gbps licenses are available to enable 2 or 4 uplink ports for 10Gbps operation. This is a separately licensed feature. To assign licenses to a switch, select Administration > System > Assign Licenses. The Assign Licenses option only displays when unassigned licenses are available.

Connecting APs

If you are using ExtremeWireless WiNG AP7612, AP7632, or AP7662, make sure that your firmware is upgraded to 5.9.2.2 or higher (5.9.2.5 is recommended) to connect to ExtremeCloud. For instructions, see this GTAC article: https://gtacknowledge.extremenetworks.com/articles/Solution/ExtremeCloud-WiNG-Access-Points-not-connecting-to-ezcloudx-com or refer to the ExtremeWireless WiNG AP-specific user documentation.

Follow this process to connect the APs to ExtremeCloud:

  1. If you plan to use device adoption rules, set up sites with the adoption rules before connecting the devices.
  2. Connect your AP's LAN 1 or LAN 2 to either a switch that allows the AP to connect to the Internet, or connect to an Ethernet network port with Internet connection. Apply power to the AP using either PoE from the switch or a separate external transformer. For more information, see the product-specific Installation Guide. For product documentation online, visit: https://www.extremenetworks.com/documentation/
  3. The AP discovers ExtremeCloud and gets registered automatically, typically in a few minutes. The default SSID (Staff) is broadcast when the AP connects to the service.
  4. Look at the physical AP and verify that the Radio 1 and Radio 2 LEDs are solid green, which indicates that the AP is activated in the cloud.

    The following table shows the LED patterns and the associated status for ExtremeWireless APs when they are connected to cloud management.

    LED Patterns for ExtremeWireless APs Connecting with ExtremeCloud

    | Radio B/G LED (Left) | Radio A LED (Right) | Status LED | AP Detailed State |
    |---|---|---|---|
    | Off | Off | Blink green | Initialization: Power-on self test (POST) |
    | Off | Blink green | Blink green | Initialization: Random delay |
    | Off | Blink green | Blink red | Initialization: No Ethernet |
    | Off | Solid green | Blink green | Initialization: Vulnerable period (not supported) |
    | Off | Solid green | Blink red | Reset to factory defaults |
    | Blink green | Off | Blink green or orange | Network discovery: 802.1x authentication |
    | Blink green | Off | Blink red | Failed 802.1x authentication |
    | Blink green | Blink green | Blink green or orange | Network discovery: DHCP |
    | Blink green | Blink green | Blink red | Default IP address |
    | Blink green | Solid green | Blink green or orange | Network discovery: discovery/connect |
    | Blink green | Solid green | Blink red | Discovery failed |
    | Green: Radio On; Off: Radio Off | Green: Radio On; Off: Radio Off | Solid green | Connected |

    The following table shows the LED patterns and the associated status for ExtremeWireless WiNG APs when they are connected to cloud management.

    LED Patterns for ExtremeWireless WiNG APs Connecting with ExtremeCloud

    | Task | 5 GHz Activity LED (Amber) | 2.4 GHz Activity LED (Green) |
    |---|---|---|
    | Unconfigured Radio | On | On |
    | Normal Operation | If this radio band is enabled: Blinks at 5-second intervals. If this radio band is disabled: Off. If there is activity on this band: Blinks at 1 time per second. | If this radio band is enabled: Blinks at 5-second intervals. If this radio band is disabled: Off. If there is activity on this band: Blinks at 1 time per second. |
    | Firmware Update | On | Off |
    | Locate AP Mode | LEDs blink in an alternating green, red and amber pattern using an irregular blink rate. This LED state in no way resembles normal operating conditions. | LEDs blink in an alternating green, red and amber pattern using an irregular blink rate. This LED state in no way resembles normal operating conditions. |
  5. Log in to your administrator account at https://ezcloudx.com. On the first login, the configuration wizard opens. Use the wizard to update the network security key of the predefined wireless network. Alternatively, you can exit the wizard and configure your own networks. For more information, see "How to Set Up Your Network" in the ExtremeCloud Information Center.
  6. Select Monitor > Devices > Access Points and look for the device in your Devices list. If the AP is not listed in your account, this usually indicates there is no subscription coverage for your device. You may need to contact Sales for assistance; for all other inquiries, contact Support.
Note

If an AP persistently fails or its status remains gray or red for more than 20 minutes, contact Support.