I passed the ENA and the seller has offered me the material for the ENS.
Since Extreme has been selling very well at myriadsupply.com we keep investing in the relationship.
So the more you know, the more you sell.
Plus I just like knowledge.
So, to get some practice on XOS.
As you know, you have Ebay. Look for an older model switch or one from a company that upgraded.
The market is not very big for pre-owned networking equipment as companies don't like to buy pre-owned.
They will do that for Cisco for example and we sell a lot of pre-owned Cisco but there is very little
demand for non-Cisco.
The pricing will range from unrealistic sellers who think they can sell a pre-owned switch at 60% of the buy price to people who have no idea of the costs and will sell it to get rid of the space.
So take your time.
The second option is to ask Extreme Networks.
Simply call them and ask for something called the EXOS-SW. This is a Virtual Box.
Virtual boxes run on a virtual platform called Oracle VM VirtualBox Manager.
So you install the Oracle manager, then you create VMs using the EXOS-SW virtual box file.
Then you should be able to practice EXOS.
There is a caveat: the Windows version of the Oracle manager doesn't have a virtual switch.
So you can't connect two VMs to each other. So if you have Linux, you are better off.
There is another caveat, this "VM" is limited to 3 ports which should be enough for a lab.
This is to prevent some smart-ass using it as a "free" cloud switch for his cloud network.
ENS will cover.
EAPS - which is the ring technology.
Advanced EAPS
ERPS - which is the non-proprietary method of doing a ring.
CFM - connectivity fault management
MLAG - which you should know as most manufacturers give something like this.
VRRP - which is the IEEE equivalent of HSRP and GLBP
ACLs - well this is not exactly a firewall so limited.
Clear Flow - similar to Netflow/Sflow
RBAC- role based access using LDAP
OSPF
IGMP
PIM.
as you can see no BGP.
It's only 240 pages so let's get on.
EAPS
Eaps is a way of creating a loop.
You take X switches and you set them up in a loop.
So far pretty easy.
Now why use this.
For example if you have a campus of 6 buildings.
This could be an easy way to connect them.
You would only need 12 ports
You wouldn't need a Core.
In case of failure in one switch or link, the data simply goes the other way.
I've seen this in real life and the failover is pretty immediate 50ms so you don't even lose your
phone call. So this is much better than layer 2 STP.
Using Ridgeline which is the GUI product, this is point and click to install.
So this is
1. Loop free- one port on the master is blocked to prevent a loop.
2. sub second recovery. - 50 ms is less than a second.
Licensing - All switches support up to 4 EAPS domains.
If you want more than 4 then you need a CORE license
On the datasheet for XOS you can find the relevant licenses and what they support.
http://www.extremenetworks.com/libraries/products/DSExtXOS_1030.pdf
For this exam.
Edge - access layer
Advanced Edge - better
Core - obviously this is for your Core.
Maximum numbers.
Black diamond 8800 64 rings
Summit Switches 32 rings.
Choosing a Master - since the processing requirements are low, just pick one.
Choosing a secondary port - The secondary port is the one that is blocked.
I would pick one that is a smaller bandwidth.
So, up to 4 domain using the regular license.
One Control VLAN will be set up to monitor the links by sending Eaps and receiving.
{To change this VLAN first deactivate the domain}
To configure.
Node type : Master or Transit
Ports : Primary & Secondary
Control VLAN : pick a number
Hellos will go from the Primary port to the next.
Obviously, don't use the Control VLAN for user traffic.
Obviously, the control VLAN must be a tagged VLAN
Don't use IP addresses
If you are bored you can reverse the direction of the Hello Packets.
configure eaps <eapsdomain> hello-pdu-egress [primary-port | secondary-port]
HELLO every 1 second valid values are 100ms to 15 sec.
configure eaps <eapsdomain> hellotime <seconds>/<milliseconds>
So when a link failure is noticed.
Link down.
Both switches will send a notification "link down packet", it will take X time to reach depending on
how wide is the ring and the delay on it.
When it reaches.
The MASTER will send FDB Flush Database packets.
The FDB timer will run for 5 minutes and will affect the ability of TCP to re-transmit packets.
When a link is restored the switches that are showing the link up will send "Pre-forwarding" packets.
This "pre forwarding packet" is also called a "links up" packet.
When the master gets those he will send a "hello", when he gets it back on the other side of the loop
he will block the secondary port, send a FDB and then send Hellos every second.
So, master sends hellos all the time.
Link goes down, two guys send "link down".
Master gets link down, unblocks secondary port and sends a FDB flush.
Link goes up later on, two guys send "links up"/"pre-forwarding" packets .
Master gets links up, sends hello.
Master gets his hello, blocks secondary and sends FDB along with the usual hellos.
Traffic goes back to normal.
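The sequence above as a small state machine. This is an added example, not part of the original notes and not EXOS code; the class, state and event names are made up, and treating an expired fail timer like a link-down notification is an assumption of the model.

```python
"""Toy model of the EAPS master node as described in the notes above.

Added example: names and states are illustrative, not EXOS code.
"""
from dataclasses import dataclass, field


@dataclass
class EapsMaster:
    hello_ms: int = 1000         # notes: hello every 1 second by default
    fail_multiplier: int = 3     # notes: fail timer defaults to 3 hello times
    state: str = "COMPLETE"      # healthy ring: secondary port is blocked
    secondary_blocked: bool = True
    last_hello_rx_ms: int = 0
    log: list = field(default_factory=list)

    def _ring_broken(self, now_ms, why):
        if self.state == "FAILED":
            return               # already forwarding on the secondary port
        self.state = "FAILED"
        self.secondary_blocked = False
        self.log.append((now_ms, f"{why}: unblock secondary, send FDB flush"))

    def on_link_down(self, now_ms):
        """A transit node next to the break sent a link-down packet."""
        self._ring_broken(now_ms, "link-down received")

    def on_tick(self, now_ms):
        """Model assumption: an expired fail timer is handled like link-down."""
        if now_ms - self.last_hello_rx_ms > self.hello_ms * self.fail_multiplier:
            self._ring_broken(now_ms, "fail timer expired")

    def on_link_up(self, now_ms):
        """Pre-forwarding ("links up") packet: probe the ring with a hello."""
        if self.state == "FAILED":
            self.log.append((now_ms, "link-up received: send hello"))

    def on_hello_returned(self, now_ms):
        """The master's own hello came back around the ring."""
        self.last_hello_rx_ms = now_ms
        if self.state == "FAILED":
            self.state = "COMPLETE"
            self.secondary_blocked = True
            self.log.append((now_ms, "hello returned: block secondary, send FDB flush"))


def replay(events):
    """Feed (time_ms, event) pairs to a fresh master; return its trace and log."""
    m = EapsMaster()
    handlers = {"link_down": m.on_link_down, "link_up": m.on_link_up,
                "hello_rx": m.on_hello_returned, "tick": m.on_tick}
    trace = []
    for now_ms, name in events:
        handlers[name](now_ms)
        trace.append((now_ms, m.state, m.secondary_blocked))
    return trace, m.log


# Constructed timeline: healthy ring, link cut at 2.3 s, repaired at 9 s.
CUT_AND_REPAIR = [(1000, "hello_rx"), (2000, "hello_rx"), (2300, "link_down"),
                  (9000, "link_up"), (9050, "hello_rx")]
# Constructed timeline: the link-down packet is lost, only the timer reacts.
LOST_LINK_DOWN = [(1000, "hello_rx"), (3000, "tick"), (4001, "tick")]

if __name__ == "__main__":
    for sample in (CUT_AND_REPAIR, LOST_LINK_DOWN):
        trace, log = replay(sample)
        for row in trace:
            print(row)
        for entry in log:
            print("   ", entry)
```

The point to take from the trace: the secondary port is only ever unblocked while the ring is known to be broken, which is what keeps the ring loop free.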
Configuration.
VLAN
Each VLAN you plan on sending on the ring should be in the EAPS Domain.
Create a control VLAN for each domain, only 2 ports can participate {primary/secondary}
EAPS
create an EAPS domain
Configure one switch as master
Configure primary and secondary ports
add control vlan to the domain
add the protected vlans to the EAPS domain
enable EAPS domain
repeat for each EAPS domain.
enable EAPS globally
So let's try an example.
Create vlan 10,20,30,40,50
Create a control vlan 99
Best practices
Choose primary port from one stack member/line card
Choose secondary port from a different stack member/line card.
Keep port choice consistent if possible to help troubleshooting.
Example by Extreme
Eaps Domain : ed-2
Control vlan : Tag 102 name: ctrl-2
Data vlan : Tag 10 name : data
Primary port 1:1
secondary port 4:1
create eaps <ed-2>
configure eaps <ed-2> mode master # assigns this switch as master
configure eaps <ed-2> primary 1:1 # assigns port 1:1 as the primary port
configure eaps <ed-2> secondary 4:1 #assigns port 4:1 as the secondary port
configure eaps <ed-2> add control <ctrl-2> # sets up the control vlan as <ctrl-2>
configure eaps <ed-2> add protected <data> #sets up the protected vlan as <data>
That is it. Now you repeat this on the "transit" nodes, simply go:
configure eaps <ed-2> mode transit
Limitations
Black Diamond 8000 = 2000 Vlans per domain.
Summit series = 1000 Vlans per domain.
enable eaps <ed-2> #enables the domain
enable eaps #enables eaps globally.
so, some steps are missing and you will get errors,
before you add the vlan control and protected, you need to create them.
When you enable the eaps domain it will give you a warning saying the eaps is not globally enabled
My show eaps
pri is the primary port, I selected 1
sec is the secondary port, I selected 2
control vlan I called mine control and the VID is the tag which is 102.
domain ed-2
complete, means the configuration is complete.
CFM down means it is down, since I only have 1 switch.
Eaps enabled = should say YES
now for details
show eaps ed-2
here you can quickly check which port is blocked.
The timer interval , the fail timer {by default 3 hello times}
Some other actions they mention.
Renaming a domain
configure eaps <ed-2> name <ed-2-newname>
Changing ports from 1 to 10 on the primary
disable eaps
unconfigure eaps ed-2 primary 1
configure eaps ed-2 primary 10
enable eaps
so I guess when changing ports, first take down the eaps
So far very simple and an excellent job for the curriculum writer at Extreme.
Advanced EAPS
OK, why do we need advanced EAPS.
Now if you remember our EAPS ring.
One link is being blocked. In this case Summit Stack 2 to Summit Stack 3.
This means that I wasted money.
SFP+ = $1500-$8000 dollars so two optics
Leased line = $$$$ per month.
So I could be wasting a lot of money for a backup link in theory.
Money waste will depend on the link.
So in general, you can set up another EAPS domain and reverse the port selection.
So domain ed-3 will flow the opposite way.
This now utilizes that link which means our utilization of the link has gone up. $$ savings.
Each EAPS domain has
Master node
Control VLAN {unique}
Protected VLANs
Apparently you can set up priorities.
So when a link is failing or recovering, then those domains will have a priority.
For example the VOIP domain.
High and normal.
Normal is fifo or simply normal priority.
configure eaps <ed-2> priority [high | normal]
this simply gives one domain a priority over the other one.
If you look at the logs, they state that you will be able to see domain ed-2 get a priority and be processed
first. {great}
Now, in their example they are using the Core Chassis without Mlag.
So each chassis is technically a separate switch and therefore each is a switch in the EAPS.
So between Chassis 1 and Chassis 2 the link is "shared" between Eaps ED-2 and Eaps ED-99
Now, you might have configured a protected VLAN 10 around both EAPS rings.
So to prevent loops.
You need to configure one of the Chassis that has the shared links as CONTROLLER
and the other one needs to be PARTNER.
The reason for that is that without that, because the shared link failed you basically get a big loop.
For example the one above
and since Master ED-99 doesn't talk to Master ED-2.
Then you need something to implement a block.
In this case Controller will have a port that is blocked.
So, when a link fails the controller will go into block mode.
So Active-open is for the open port
Blocked is the other port.
When the network is back to normal and he gets the FDB the controller switches back to using the shared port.
create eaps shared-port 4:1 # creating eaps shared port on the port 4:1
configure eaps shared-port 4:1 link-id <id> # I guess you need to name the link.
configure eaps shared-port 4:1 mode [controller | partner]
show eaps shared-port
If there is no super loop because of the failure of another link, then the EAPS will move both
ports on the controller to ACTIVE-OPEN
Okay, so that was it.
So the goal here is to remember, no matter what, there should be one blocked port.
If the shared port dies, then we have a super loop, so the controller will block one port.
If the shared port dies and the EAPS domain has a link failure, then I get a loop break anyway.
So both ports on the controller can be up.
ERPS - Ethernet ring protection switching.
this is basically similar to eaps but this uses the IEEE standard.
So, you can get this to work on Cisco / Juniper and others.
Sub 50 ms
Link failure 802.1ag or Y.1731
ERPS included by default, up to 4 ERPS rings.
ERPS is the same as EAPS.
blackdiamond 8000 64 EAPS
Summit 32
Must be Core to run more than 4. So switch must be core capable.
As usual
RPL owner = Master
RPL port - primary port
EAST is the blocked port.
same as EAPS.
Don't use the ports for anything else
don't give it an IP
tag the vlan control on them.
RPL blocked is sent every 5 seconds.
R-APS is what is sent.
configure erps <erps-ring-2> timer periodic <ms>
I don't know why they needed to add the "periodic".
I mean, keep it consistent please.!!!!!
Data on an R-APS packet.
Request - no, signal fail, manual switch, force switch
RPL blocked y/n
Flush FDB y/n
R-APS Node ID {sender's MAC}
OK, so pretty much the usual.
The link will fail, then the switches who sense this will send "signal failure".
When the RPL owner transitions by unblocking the RPL link protection ring the RPL will send FDB
When link is restored the guys will send link "idle"
RPL owner will block the RPL and send "RPL blocked"
When they get that message, they will stop sending this link "idle".
Configuration is the same as the EAPS.
set up VLANs for protection
set up VLAN for control
ERPS ring
RPL owner
east west east=blocked
control VLAN
add protected VLANs
enable ERPS ring
enable ERPS globally.
Configuration
create erps <erps-ring> #ring name
configure erps <erps-ring> ring-ports east 4:1 #secondary
configure erps <erps-ring> ring-ports west 1:1 #primary
configure erps <erps-ring> add control control #adding vlan control
configure erps <erps-ring> add protected data #adding protected vlan DATA.
enable erps <erps-ring>
enable erps
ERPSv1 limit is 1000
ERPSv2 limit is 500
renaming a ring is the same
configure erps <erps-ring> name <erps-ring-rename>
changing ports
disable erps <erps-ring>
unconfigure erps <erps-ring> ring-port west <pri_port>
show erps <erps-ring>
CFM connectivity fault management.
This is also called OAM Operation , Administration, Maintenance.
Now, why do you need this.
let's say you have a Switch/Router.
He has two WAN legs,
One goes to ISP1
The second to ISP2.
Well, let's say ISP 3 there at the top middle dies.
How is the switch going to know that ??
So you can avoid that by setting a CFM from L3 switch left to L3 switch right.
This basically monitors the link all the way, so if there is a failure it will treat that interface as down.
So ISP 3 failed.
The CFM check up fails.
So the switch takes interface A and says it is DOWN.
So Maintenance Domain is the level you are looking at.
5-7 is used by customers
3-4 ISP
0-2 are for the operators of the physical lines.
Maintenance association is the VLAN that will have the CFM packets running in it.
MEP maintenance End point. This would be L3 switch left and L3 switch right.
This will send CFM frames over the MA.
MIP maintenance intermediate points. These are passive and respond only to specific CFM messages.
Each Extreme switch can create 8 CFM maintenance domains.
This is built into the BASE license of each device.
CCM continuity Check message- this is the message
Hardware MEP support more frequent.
32 MEP points per switch.
configuration
configure erps <ed-2> cfm md-level <level>
configure erps <ed-2> cfm port east mepid <100>
disable erps before configuring this
show erps ed-2
show cfm
show cfm detail
MLAG
LAG two or more ports from one device.
MLAG two or more ports from two devices.
Dual homing without network loops.
No need for layer 2 STP
Works on layer 2 and layer 3
So in the above example.
Between the core devices you need an ISC vlan.
Each access layer device will connect to each core.
In the above example we are using LAGs 1,2 to 1:1,2:1 are a simple LAG.
As long as one port in the LAG is up, the MLAG will be up.
So in normal, ISC ports are blocked.
Two switches update each other.
Failed state. basically let's say 1:1 and 2:1 have failed, so all the data goes to the right core.
One link fails.
With this the access switch simply uses the right Chassis to send the data.
Link restoration. then it goes back to normal and both links will be active.
To configure this.
Start with the ISC VLAN. This is between the two chassis in the Core.
create vlan ISC #created the name of the vlan
configure vlan ISC tag 101 #tagged the vlan as 101
configure vlan ISC add ports 3:1 tag # told him to use 3:1 port
configure vlan ISC ipaddress 10.1.1.1/24 #gave the port an IP
create mlag peer core
configure mlag peer core ipaddress 10.1.1.2
On the access layer switch.
enable sharing <1> grouping 1-4 # this grouped ports 1-4 as a "shared" <1>
This is the only MLAG configuration on the downstream/access layer device.
On the Core switch
enable sharing <1:1> grouping 1:1,2:1 #MLAG
enable sharing <3:1> grouping 3:1,4:1 # ISC LAG
So the way you build a LAG is
sharing <this must be one of the ports> grouping <port1, port2,port3>
e voila.
you have a MLAG, make sure both devices are the same.
VRRP - Virtual router redundancy protocol
VRRP master is selected on priority or highest IP.
Priorities are 1-254 default is 100
00:00:5E:00:01:VRID is the virtual MAC
So when VRRP master is selected the L3 routing interface transitions to UP
The access layer devices keeps using the same VMAC.
VRRP elections are done, when you lose connection to the MASTER.
This can be because it becomes unavailable or the VRRP is turned off on it.
3* advertisement interval +skew time
By default VRRP preempts so the one with the highest priority will take back over.
configure vrrp vlan vrid dont-preempt # will disable this
configure vrrp vlan vrid preempt 60 # will wait x amount of time before preempting
configure vrrp vlan vrid add track-ping # this checks that a ping works before preempting.
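A worked version of the election and timer rules above. This is an added example, not from the original notes: the priority range, default and virtual MAC prefix are the ones stated here, while the skew-time formula (256 - priority) / 256 and the 1 second default advertisement interval come from RFC 3768. Router names and addresses are constructed.

```python
"""VRRP election, virtual MAC and failover timing (added illustration).

Priority range, default and MAC prefix are from the notes; the skew-time
formula and the 1 s default advertisement interval are from RFC 3768.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    ip: str
    priority: int = 100

    def __post_init__(self):
        if not 1 <= self.priority <= 254:
            raise ValueError(f"{self.name}: priority must be 1-254")
        ipaddress.IPv4Address(self.ip)   # raises on a malformed address


def virtual_mac(vrid):
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00:00:5E:00:01:{vrid:02X}"


def rank(router):
    """Election key: priority first, highest IP address as the tie-break."""
    return (router.priority, int(ipaddress.IPv4Address(router.ip)))


def elect(routers):
    return max(routers, key=rank)


def master_down_interval(priority, adv_interval=1.0):
    """3 * advertisement interval + skew time, skew = (256 - priority) / 256."""
    return 3 * adv_interval + (256 - priority) / 256


def takeover(backups, adv_interval=1.0):
    """Who claims mastership after the master goes silent, and after how long.

    The skew makes the highest-priority backup time out first.
    """
    def key(r):
        return (master_down_interval(r.priority, adv_interval), -rank(r)[1])
    winner = min(backups, key=key)
    return winner, master_down_interval(winner.priority, adv_interval)


def master_after_return(current, returning, preempt=True):
    """With preemption (the default) a higher-priority router takes back over."""
    if preempt and returning.priority > current.priority:
        return returning
    return current


# Constructed routers on the 192.168.0.0/24 VLAN used in the configuration.
CORE1 = Router("core1", "192.168.0.11", 200)
CORE2 = Router("core2", "192.168.0.12")
CORE3 = Router("core3", "192.168.0.13")

if __name__ == "__main__":
    print("master:", elect([CORE1, CORE2, CORE3]).name, virtual_mac(1))
    winner, seconds = takeover([CORE2, CORE3])
    print("core1 dies ->", winner.name, "after", seconds, "s")
    print("core1 returns ->", master_after_return(winner, CORE1).name)
```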
Configuration
create vlan data #vlan being named data
configure vlan data tag 10 #vlan being given a number 10
configure vlan data add ports 1:1,2:1 #basically the two ports, one for access layer, one for ISL
ISL is inter-switch-links
configure vlan data ipaddress 192.168.0.11/24 #the IP address on the switch
enable ipforwarding vlan data
create vrrp vlan <vlan1> vrid 1 #creates a VRID 1
configure vrrp vlan <vlan1> vrid 1 add 192.168.0.1 #ip address of VIP
configure vrrp vlan <vlan1> vrid 1 priority 200
enable vrrp
show vrrp
Access control lists
Forwarded or permitted
denied or dropped
metered or rate limited.
Static ACL created from the policy file
Dynamic ACL configured from the CLI and stored in the configuration file.
ACL has a unique name
ACL has matches using IF
ACL has action using THEN
ACL Policy is a collection of ACL rules.
ACL Policy = static ACL
Dynamic ACLs
ACL rules are created individually at the CLI
All conditions must be matched .
Ingress, if there are no match conditions then an implicit match occurs.
Egress, if there are no match conditions then no packets will match.
MATCH
MAC address is limited to INGRESS only, you can't use it on Egress.
All the rest are fine.
Source-address
protocol
ports
tcp flag
IGMP, ICMP
IP TOS field delay , cost, reliability.
You can use <>= so source-port >190
Actions
ingress, byte counter
ingress, packet counter
ingress, Mirror the port to somewhere else.
qos profile - forward this to a qos profile.
replace-dscp , replace-dot1p both for qos
log and meter
Action= permit or deny by default it is permit.
Action modifier = a modifying action similar to the list above.
If you want to add a default deny at the end you have to add it manually.
ACLs go on a TCAM.
128,256,512 rules per slice
8 or 16 slices
additional 4 for egress on some switches.
Total number of ACL supported varies by switch.
Wide Key ACL allows 362 bit key match which is great for IPv6 full destination.
Switch can be either wide key or normal.
show access-list usage acl-slice port <1>
I couldn't get this to work as the usage was missing.
show access-list usage acl-rules port <1>
couldn't get this to work either.
Anyway, the theory is that you see the slice usage in the first
then you see the RULE usage in the second one.
apparently if the iprules are similar, then it will be able to shove them all in the same slice.
if they are non-matching, then he will add another slice.
edit policy denytelnet
this opens up a "vi" window.
you will use i to insert
dd to delete
:wq to save and quit .
when you finish writing the policy.
Simply run a checkup
check policy denytelnet
to apply it use
create access-list denytelnet
configure access-list denytelnet vlan data
this means apply the access-list denytelnet on the VLAN called data.
configure access-list denytelnet ports <portlist>
same thing with a list of ports.
show policy <denytelnet>
show access-list you can see if it is applied to a vlan
Dynamic ACL takes precedence over static ACLs.
create access-list allowtelnet "protocol tcp;destination-port 23" permit
so basically this is a one line policy .
by default it will be permanent, so you can add :"non-permanent" and when you reboot it will go away.
show access-list dynamic
clear flow
Clear-Flow is used for implementing security monitoring and anomaly detection .
This is an extension to the ACL.
ACL rule will count packets of interest.
Clear-flow rule will monitor the counter statistics.
rules can be
monitoring the counter to reach a total - total packets
changes or delta
ratio of one counter to another - tcp syn to tcp ack
ratio of two changes one to another tcp syn rate - tcp ack rate
ACL look at the details in the packets.
Clear-flow rules look at the counter match condition.
delta tcp_syn > 100; period 1 # tcp syn is bigger than 100 for 1 second.
counter tcp_syn >200 # the tcp syn counter passed 200
You can run MATCH ALL or MATCH ANY as opposed to ACLs.
global-rule can count for "many " ports instead of one.
min-value means the counter can't be less than something.
ratio <counterA > <counterB> RO <ratiovalue> #compared counters.
ACTIONS
permit allows in
Deny deny - for example to block ddos
qosprofile change the QoS so if it is above a certain rate then lower it to a lower priority.
syslog message
snmptrap
cli command run a command like send it to a mirror.
Keywords
$policyname $counterName $port $vlan
You can use them so you get more details in your SNMP, trap syslog message.
This is their example.
edit policy clearflow
Basically they have an ACL that will increase a counter.
They also have another ACL that will increase a counter2
then they have a policy where they compare the counter 1 to the counter 2
if this is true then it will send a Syslog
when the condition is no longer there then it will send a Syslog to say it has been cleared.
once you are done.
check policy clearflow
configure access-list clearflow
enable clear-flow
show clear-flow
this will say how many rules it used.
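How the counter, delta and ratio expressions behave over time, including the "set" and "cleared" messages from the example described above. This is an added illustration, not Extreme's policy file and not from the original notes; the counter names, thresholds and samples are constructed, and treating a ratio as false while either counter is below min-value is an assumption of the model.

```python
"""Model of Clear-Flow rules watching ACL counters (added illustration).

Counter names, thresholds and samples are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str              # "count", "delta" or "ratio"
    counter: str
    threshold: float
    other: str = ""        # second counter, ratio rules only
    min_value: int = 1     # ratio rules: both counters must reach this
    active: bool = False

    def is_true(self, prev, cur):
        if self.kind == "count":      # counter passed an absolute total
            return cur[self.counter] > self.threshold
        if self.kind == "delta":      # change over one sampling period
            return cur[self.counter] - prev[self.counter] > self.threshold
        if self.kind == "ratio":      # one counter compared to another
            a, b = cur[self.counter], cur[self.other]
            # Model assumption: below min_value the ratio is not evaluated;
            # the b == 0 guard avoids a division by zero.
            if b == 0 or min(a, b) < self.min_value:
                return False
            return a / b > self.threshold
        raise ValueError(f"unknown rule kind {self.kind!r}")


def monitor(policy, rules, samples):
    """Evaluate rules once per period; report only set/cleared transitions."""
    events = []
    for t in range(1, len(samples)):
        for rule in rules:
            now = rule.is_true(samples[t - 1], samples[t])
            if now != rule.active:
                rule.active = now
                events.append((t, policy, rule.name, "set" if now else "cleared"))
    return events


# Constructed cumulative ACL counters, one sample per second.
SAMPLES = [
    {"tcp_syn": 10, "tcp_ack": 10},
    {"tcp_syn": 40, "tcp_ack": 38},
    {"tcp_syn": 400, "tcp_ack": 45},    # burst of SYNs with few ACKs
    {"tcp_syn": 900, "tcp_ack": 50},
    {"tcp_syn": 920, "tcp_ack": 500},   # traffic back to normal
]


def sample_rules():
    return [
        Rule("syn_burst", "delta", "tcp_syn", 100),
        Rule("syn_total", "count", "tcp_syn", 200),
        Rule("syn_ack_ratio", "ratio", "tcp_syn", 3, other="tcp_ack", min_value=20),
    ]


if __name__ == "__main__":
    for event in monitor("clearflow", sample_rules(), SAMPLES):
        print(event)
```

The count rule never clears because the counter is cumulative, which is why delta and ratio expressions are the ones that suit rate-based detection.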
RBAC
Applies ACLs to users that it gets from the LDAP.
User attribute = > RBAC role => ACL
Kerberos snooping or extracting the user from the kerberos session is used to identify the user.
The switch queries the LDAP for the user attributes.
If the attributes match a configured RBAC role,
the ACL that is assigned to that role will be applied to the users MAC address
Identity management feature collects the information from the Kerberos snooping.
Must be Kerberos version 5.
IPv4 only, no fragments
Layer 2 connection for clients to the snooping switch
Kerberos does not have a logout, so the identity is valid for the time period of the Kerberos timer or aging.
Built in roles or System roles
Authenticated = detected by the kerberos or netlogin snooping
Unauthenticated = failed kerberos ,
Blacklist = denied access MAC,IP,Username == takes precedence
Whitelist = similar to blacklist but less precedence.
Child role inherits the policies of parents.
Only Microsoft AD is supported.
Configuration
We will start with the ID management, this just gives you a allowed,not allowed.
enable identity-management #enable ID management
configure identity-management add ports all # tell the switch which ports to run this on.
configure identity-management kerberos snooping add server #IP of the LDAP
show identity-management #server details
show identity-management entries #details of the users.
*MD5 needs reverse encryption
now we configure the RBAC, which will give you data from the ldap.
configure identity-management ldap add server <myLDAP> client-ip <> vr <> encrypted
configure identity-management ldap bind-user <username> encrypted <password>
this should give you the LDAP and the username and password to access the data.
The vr and client ip just tell the switch which IP and VR to use to reach the LDAP.
edit policy <ACL> #opens the VI window, where you write a normal ACL for example allow an IP
check policy # verify you did not make any typos
create identity-management role <us-users> match-criteria <match_criteria> #map user
configure identity-management role <us-users> add policy <ACL> #adds the acl to the role.
So let's re-review this.
enable ID management
tell it on which ports to run
add the Kerberos server for logon allow,deny
add the ldap server for RBAC
add the user password for RBAC
create an ACL policy - same as usual ACL
create a mapping between the RBAC role and a LDAP attribute.
apply an ACL to the RBAC role.
voila.
Of course, you can do all of this in GUI using the RidgeLine (tm) product that Extreme sells. But just in case
the above was the CLI.
Child Role.
You need to specify who is the parent and who is the child
up to 5 levels of hierarchy
Each role can have 8 child roles
so, pretty decent.
Maximum number of ACLs you can apply to a role are 8 .
So 8 * 5 hierarchy levels = 40 ACLs on one guy.
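The user attribute => role => ACL mapping, with the precedence of the built-in roles and the hierarchy limits above, as an added example that is not part of the original notes. Role names, policies and identities are constructed; picking the most specific matching child role is an assumption of the model, and the policies of the built-in roles are not modelled.

```python
"""Role resolution for the identity-management flow above (added illustration).

Role names, policies and identities are constructed; the limits are the
ones quoted in the notes.
"""
from dataclasses import dataclass, field

MAX_LEVELS, MAX_CHILDREN, MAX_POLICIES = 5, 8, 8


@dataclass
class Role:
    name: str
    match: dict                       # LDAP attribute -> required value
    policies: list
    parent: object = None
    children: list = field(default_factory=list)

    def __post_init__(self):
        if len(self.policies) > MAX_POLICIES:
            raise ValueError(f"{self.name}: more than {MAX_POLICIES} policies")

    def level(self):
        return 1 if self.parent is None else 1 + self.parent.level()

    def add_child(self, child):
        if len(self.children) >= MAX_CHILDREN:
            raise ValueError(f"{self.name}: more than {MAX_CHILDREN} child roles")
        if self.level() + 1 > MAX_LEVELS:
            raise ValueError(f"{child.name}: deeper than {MAX_LEVELS} levels")
        child.parent = self
        self.children.append(child)
        return child

    def effective_policies(self):
        """A child role inherits the policies of its parents."""
        inherited = self.parent.effective_policies() if self.parent else []
        return inherited + self.policies

    def deepest_match(self, attrs):
        """Model assumption: the most specific matching role in the tree wins."""
        if any(attrs.get(k) != v for k, v in self.match.items()):
            return None
        for child in self.children:
            hit = child.deepest_match(attrs)
            if hit is not None:
                return hit
        return self


def resolve(identity, roles, blacklist=(), whitelist=()):
    """Return (role name, policies) for an identity seen on a port."""
    keys = {identity.get("mac"), identity.get("ip"), identity.get("user")} - {None}
    if keys & set(blacklist):
        return "blacklist", []        # takes precedence over everything else
    if keys & set(whitelist):
        return "whitelist", []
    if not identity.get("kerberos_ok"):
        return "unauthenticated", []
    for role in roles:
        hit = role.deepest_match(identity.get("attrs", {}))
        if hit is not None:
            return hit.name, hit.effective_policies()
    return "authenticated", []


def sample_roles():
    """Constructed hierarchy: us-users with one child role us-eng."""
    us = Role("us-users", {"country": "US"}, ["allow-us-servers"])
    us.add_child(Role("us-eng", {"department": "Engineering"}, ["allow-lab"]))
    return [us]


# Constructed identity as Kerberos snooping plus the LDAP lookup would yield it.
ALICE = {"user": "alice", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5",
         "kerberos_ok": True,
         "attrs": {"country": "US", "department": "Engineering"}}

if __name__ == "__main__":
    print(resolve(ALICE, sample_roles()))
    print(resolve(ALICE, sample_roles(), blacklist={"00:11:22:33:44:55"}))
```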
OSPF
Alright, here we are kind of stuck. Extreme assumes you have CCNA level knowledge.
So I'll stick to the Extreme specific parts.
Multicast 224.0.0.5 -ALL , 224.0.0.6 - DR/BDR
hello -> dr election --> lsdb initialize ---> LSDB updates using LSA ----> build routing table ----->forward
enable ipforwarding #turns on layer3
configure ospf routerid 1.1.1.1 #this is the router ID, that you arbitrarily choose if not it will use loopback or highest ip interface.
configure ospf add vlan network1 area 0.0.0.0 #this adds the area as backbone.
for some reason in Extreme, they need the VLAN for the OSPF ? this is odd
as one is layer 2 and the other layer 3.
enable ospf
show ospf neighbor # will show the up neighbors their state and IP
show iproute origin ospf #shows the iproutes in the iproute table that came from ospf.
show ospf interfaces #this will let you know which interfaces are running hello messages.
you can adjust the cost.
Advanced OSPF.
point to point doesn't use bdr DR
Type 1 = Hello
Type 2 = DDL database description.
Type 3 = LSR request something
Type 4 = LSU update
Type 5 = LSA acknowledgement - ie thanks for the update I got it.
Hello
INIT
2- WAY ;
EXstart forms adjacency
negotiate who is master for this session.
Exchange
loading
exchange done
Full .
show ospf neighbor detail # see the details like the state .
show log match ospf #see related OSPF
configure ospf <vlan> authentication simple-password <password>
LSA 1 router
LSA 2 BDR/DR
LSA 3 summary ABR sent by the ABR to the other area.
LSA 4 ASBR location of an ASBR .
LSA 5 ASexternal locations outside the autonomous area. Type 1 add Type 2 no
LSA 7 this is in the NSSA and used internally in that area.
create ospf area <area-id>
configure ospf add vlan <vlan> area 0.0.0.1
max of 8 OSPF areas.
show ospf lsdb
you can use summary to run route summarization.
ECMP
Equal Cost Multi-Path, equal cost routes.
8 by default.
enable iproute sharing.
IP multicast
Layer 2.
To be honest, the explanations are very basic and lacking.
I'd try the CCNA or skip this and wager 10% less
PIM
same problem, this is layer 3 multicast.
So use IP techniques to be able to prune flooded traffic .
This basically allows you to span ISPs or layer 3.
enable ipmcforwarding vlan <vlan>
configure pim add vlan <vlan1> dense
enable pim
show igmp snooping # will show you members that joined.
Sparse mode, uses a concentrated central point device.
BSR bootstrap router sends info to the other guys.
Review questions.
What kind of problem is caused by a loop? - A broadcast storm.
What is EAPS used for? - To provide fast protection switching in a ring
Which blocks the secondary port - the master EAPS does this
EAPS elements master, transit, primary , secondary
create eaps domain.
configure the eaps mode
Other.
The exam will ask you some licensing questions.
Like what license you need to use to run OSPF.
I am not sure this is a fair question as OSPF edge can be run with Advanced Edge
OSPF with all options requires the CORE.
I think the spellings are
edge license
advanced edge license
core license
Anyway, I passed so I am guessing the above.
The exam is online and allows you to keep open a few "extreme" documents. Which helps.
All in all, a nice exam. I can't say it will prepare you to run Extreme in your network but it shows
you know networking.
Good luck and if you have any questions let me know.
Saar