Layer 2 Basics
ExtremeXOS 15.5 User Guide

120936-00 Rev. 2

Published June 2014


Copyright © 2011–2014 All rights reserved.

Legal Notice

Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks

Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/company/legal/trademarks/

Support

For product support, including documentation, visit: www.extremenetworks.com/support/

For information, contact:
Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
USA


Table of Contents

Preface
  Conventions
  Related Publications
  Providing Feedback to Us

Navigating the ExtremeXOS User Guide

Chapter 1: VLANs
  VLANs Overview
  Configuring VLANs on the Switch
  Displaying VLAN Information
  Private VLANs
  VLAN Translation
  Port-Specific VLAN Tag

Chapter 2: VMAN (PBN)
  VMAN Overview
  PBBNs
  VMAN Configuration Options and Features
  Configuration
  Displaying Information
  Configuration Examples

Chapter 3: FDB
  FDB Contents
  How FDB Entries Get Added
  How FDB Entries Age Out
  FDB Entry Types
  Managing the FDB
  Displaying FDB Entries and Statistics
  MAC-Based Security
  Managing MAC Address Tracking

Chapter 4: Layer 2 Basic Commands
  clear counters fdb mac-tracking
  clear counters ports protocol filter
  clear fdb
  clear l2pt counters vlan
  clear l2pt counters vman
  clear l2pt counters vpls
  create l2pt profile
  configure fdb agingtime
  configure fdb mac-tracking ports
  configure fdb static-mac-move packets
  configure l2pt encapsulation dest-mac
  configure l2pt profile add profile
  configure l2pt profile delete profile
  configure port ethertype
  configure ports l2pt profile
  configure ports protocol filter


  configure private-vlan add network
  configure private-vlan add subscriber
  configure private-vlan delete
  configure protocol add
  configure protocol delete
  configure protocol filter
  configure vlan add ports private-vlan translated
  configure vlan add ports
  configure vlan delete ports
  configure vlan description
  configure vlan ipaddress
  configure vlan name
  configure vlan protocol
  configure vlan tag
  configure vlan-translation add loopback-port
  configure vlan-translation add member-vlan
  configure vlan-translation delete loopback-port
  configure vlan-translation delete member-vlan
  configure vman add ports cep
  configure vman add ports
  configure vman delete ports
  configure vman ethertype
  configure vman ports add cvid
  configure vman ports delete cvid
  configure vman protocol
  configure vman tag
  configure vpls peer l2pt profile
  create fdb mac-tracking entry
  create fdbentry vlan ports
  create l2pt profile
  create private-vlan
  create protocol
  create vlan
  create vman
  delete fdb mac-tracking entry
  delete fdbentry
  delete l2pt profile
  delete private-vlan
  delete protocol
  delete vlan
  delete vman
  disable dot1p examination inner-tag ports
  disable fdb static-mac-move
  disable flooding ports
  disable learning iparp sender-mac
  disable learning port
  disable loopback-mode vlan
  disable snmp traps fdb mac-tracking
  disable vlan


  disable vman cep egress filtering ports
  enable dot1p examination inner-tag port
  enable fdb static-mac-move
  enable flooding ports
  enable learning iparp sender-mac
  enable learning port
  enable loopback-mode vlan
  enable snmp traps fdb mac-tracking
  enable vlan
  enable vman cep egress filtering ports
  show fdb mac-tracking configuration
  show fdb mac-tracking statistics
  show fdb static-mac-move configuration
  show fdb stats
  show fdb
  show l2pt profile
  show l2pt
  show ports protocol filter
  show private-vlan <name>
  show private-vlan
  show protocol
  show vlan
  show vlan description
  show vlan l2pt
  show vman
  show vman eaps
  show vman ethertype
  show vman l2pt
  unconfigure vlan description
  unconfigure vlan ipaddress
  unconfigure vman ethertype


Preface

Conventions

This section discusses the conventions used in this guide.

Text Conventions

The following tables list text conventions that are used throughout this guide.

Table 1: Notice Icons

Notice Type    Alerts you to...
Note           Important features or instructions.
Caution        Risk of personal injury, system damage, or loss of data.
Warning        Risk of severe personal injury.
New            This command or section is new for this release.

Table 2: Text Conventions

Convention                  Description
Screen displays             This typeface indicates command syntax, or represents information as it appears on the screen.
The words enter and type    When you see the word “enter” in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says “type.”
[Key] names                 Key names are written with brackets, such as [Return] or [Esc]. If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press [Ctrl]+[Alt]+[Del]
Words in italicized type    Italics emphasize a point or denote new terms at the place where they are defined in the text. Italics are also used when referring to publication titles.


Platform-Dependent Conventions

Unless otherwise noted, all information applies to all platforms supported by ExtremeXOS software, which are the following:

• BlackDiamond® X8 series switch

• BlackDiamond 8800 series switches

• Cell Site Routers (E4G-200 and E4G-400)

• Summit® family switches

• SummitStack™

When a feature or feature implementation applies to specific platforms, the specific platform is noted in the heading for the section describing that implementation in the ExtremeXOS command documentation. In many cases, although the command is available on all platforms, each platform uses specific keywords. These keywords specific to each platform are shown in the Syntax Description and discussed in the Usage Guidelines.

Terminology

When features, functionality, or operation is specific to a switch family, the family name is used. Explanations about features and operations that are the same across all product families simply refer to the product as the “switch.”

Related Publications

Documentation for Extreme Networks products is available at: www.extremenetworks.com. The following is a list of related publications currently available:

• ExtremeXOS User Guide

• ExtremeXOS Hardware and Software Compatibility Matrix

• ExtremeXOS Legacy CLI Quick Reference Guide

• ExtremeXOS ScreenPlay User Guide

• Using AVB with Extreme Switches

• BlackDiamond 8800 Series Switches Hardware Installation Guide

• BlackDiamond X8 Switch Hardware Installation Guide

• Extreme Networks Pluggable Interface Installation Guide

• Summit Family Switches Hardware Installation Guide

• Ridgeline Installation and Upgrade Guide

• Ridgeline Reference Guide

• SDN OpenFlow Implementation Guide

• SDN OpenStack Install Guide

Some ExtremeXOS software files have been licensed under certain open source licenses. Information is available at: www.extremenetworks.com/services/osl-exos.aspx


Providing Feedback to Us

We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:

• Content errors or confusing or conflicting information.

• Ideas for improvements to our documentation so you can find the information you need faster.

• Broken links or usability issues.

If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online feedback form. You can also email us directly at [email protected].


1 VLANs

• VLANs Overview

• Configuring VLANs on the Switch

• Displaying VLAN Information

• Private VLANs

• VLAN Translation

• Port-Specific VLAN Tag

This chapter contains information about configuring VLANs, displaying VLAN information, private VLANs, and VLAN translation. In addition, you can learn about the benefits and types of VLANs, along with valuable information about virtual routers.

VLANs Overview

Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.

Note: The software supports using IPv6 addresses, in addition to IPv4 addresses. You can configure the VLAN with an IPv4 address, IPv6 address, or both. See IPv6 Unicast Routing for complete information on using IPv6 addresses.

The term VLAN is used to refer to a collection of devices that communicate as if they were on the same physical LAN.

Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not restricted by the hardware that physically connects them. The segments are defined by flexible user groups that you create with the command line interface (CLI).

Note: The system switches traffic within each VLAN using the Ethernet MAC address. The system routes traffic between two VLANs using the IP addresses.

Benefits

Implementing VLANs on your networks has the following advantages:

• VLANs help to control traffic—With traditional networks, broadcast traffic that is directed to all network devices, regardless of whether they require it, causes congestion. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that must communicate with each other.

• VLANs provide extra security—Devices within each VLAN can communicate only with member devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN Sales, the traffic must cross a routing device.

• VLANs ease the change and movement of devices—With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually.

Virtual Routers and VLANs

The ExtremeXOS software supports virtual routers. Each port can belong to multiple virtual routers. Ports can belong to different VLANs that are in different virtual routers.

Note: You can create virtual routers only on BlackDiamond X8 series switches, BlackDiamond 8000c-, xl-, and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X460, X480, X670, and X770 switches.

If you do not specify a virtual router when you create a VLAN, the system creates that VLAN in the default virtual router (VR-Default). The management VLAN is always in the management virtual router (VR-Mgmt).

After you create virtual routers, the ExtremeXOS software allows you to designate one of these virtual routers as the domain in which all your subsequent configuration commands, including VLAN commands, are applied. After you create virtual routers, ensure that you are creating each VLAN in the desired virtual router domain. Also, ensure that you are in the correct virtual router domain before you begin modifying each VLAN.

For information on configuring and using virtual routers, see Virtual Routers.

Types of VLANs

This section introduces the following types of VLANs:

• Port-Based VLANs

• Tagged VLANs

• Protocol-Based VLANs

Note: You can have netlogin dynamic VLANs and, on the Summit family of switches and BlackDiamond 8800 series switches only, netlogin MAC-based VLANs. See Network Login for complete information on netlogin.

VLANs can be created according to the following criteria:

• Physical port

• IEEE 802.1Q tag

• Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type

• A combination of these criteria

Port-Based VLANs

In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch.

At boot-up, all ports are members of the port-based VLAN default. Before you can add any port to another port-based VLAN, you must remove it from the default VLAN, unless the new VLAN uses a protocol other than the default protocol any. An untagged port can be a member of only one port-based VLAN.

On the Extreme Networks switch in the following figure, ports 9 through 14 are part of VLAN Marketing; ports 25 through 29 are part of VLAN Sales; and ports 21 through 24 and 30 through 32 are in VLAN Finance.

Figure 1: Example of a Port-Based VLAN on an Extreme Networks Switch

For the members of different IP VLANs to communicate, the traffic must be routed by the switch, even if the VLANs are physically part of the same I/O module. This means that each VLAN must be configured as a router interface with a unique IP address.

Spanning Switches with Port-Based VLANs

To create a port-based VLAN that spans two switches, you must do two things:

1 Assign the port on each switch to the VLAN.

2 Cable the two switches together using one port on each switch per VLAN.

The following figure illustrates a single VLAN that spans a BlackDiamond switch and another Extreme Networks switch. All ports on the System 1 switch belong to VLAN Sales. Ports 1 through 29 on the System 2 switch also belong to VLAN Sales. The two switches are connected using slot 8, port 4 on System 1 (the BlackDiamond switch), and port 29 on System 2 (the other switch).

Figure 2: Single Port-based VLAN Spanning Two Switches

3 To create multiple VLANs that span two switches in a port-based VLAN, a port on System 1 must be cabled to a port on System 2 for each VLAN you want to have span across the switches.

At least one port on each switch must be a member of the corresponding VLANs as well.

The following figure illustrates two VLANs spanning two switches. On System 2, ports 25 through 29 are part of VLAN Accounting; ports 21 through 24 and ports 30 through 32 are part of VLAN Engineering. On System 1, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of VLAN Engineering.

Figure 3: Two Port-based VLANs Spanning Two Switches

VLAN Accounting spans System 1 and System 2 by way of a connection between System 2, port 29 and System 1, slot 1, port 6. VLAN Engineering spans System 1 and System 2 by way of a connection between System 2, port 32, and System 1, slot 8, port 6.

4 Using this configuration, you can create multiple port-based VLANs that span multiple switches, in a daisy-chained fashion.

Tagged VLANs

Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the identification number of a specific VLAN, called the VLANid (valid numbers are 1 to 4094).

Note: The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices and may also lead to connectivity problems if non-802.1Q bridges or routers are placed in the path.

Uses of Tagged VLANs

Tagging is most commonly used to create VLANs that span switches.

The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span multiple switches using one or more trunks. In a port-based VLAN, each VLAN requires its own pair of trunk ports, as shown in the following figure. Using tags, multiple VLANs can span two switches with a single trunk.

Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This is particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The device must have a Network Interface Card (NIC) that supports IEEE 802.1Q tagging.

A single port can be a member of only one port-based VLAN. All additional VLAN membership for the port must be accompanied by tags.

Assigning a VLAN Tag

Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag defined, you decide whether each port uses tagging for that VLAN. The default mode of the switch is to have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1 assigned.

Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of the switch, the switch determines (in real time) if each destination port should use tagged or untagged packet formats for that VLAN. The switch adds and strips tags, as required, by the port configuration for that VLAN.

Note: Packets arriving tagged with a VLANid that is not configured on a port are discarded.

The following figure illustrates the physical view of a network that uses tagged and untagged traffic.

Figure 4: Physical Diagram of Tagged and Untagged Traffic

The following figure is a logical diagram of the same network.

Figure 5: Logical Diagram of Tagged and Untagged Traffic

In the figures above:

• The trunk port on each switch carries traffic for both VLAN Marketing and VLAN Sales.

• The trunk port on each switch is tagged.

• The server connected to port 25 on System 1 has a NIC that supports 802.1Q tagging.

• The server connected to port 25 on System 1 is a member of both VLAN Marketing and VLAN Sales.

• All other stations use untagged traffic.

As data passes out of the switch, the switch determines if the destination port requires the frames to be tagged or untagged. All traffic coming from and going to the server is tagged. Traffic coming from and going to the trunk ports is tagged. The traffic that comes from and goes to the other stations on this network is not tagged.

Mixing Port-Based and Tagged VLANs

You can configure the switch using a combination of port-based and tagged VLANs. A given port can be a member of multiple VLANs, with the stipulation that only one of its VLANs uses untagged traffic.

In other words, a port can simultaneously be a member of one port-based VLAN and multiple tag-based VLANs.

Note: For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLANid of 0 are treated as untagged.

Protocol-Based VLANs

Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN.

Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. For example, in the following figure, the hosts are running both the IP and NetBIOS protocols.

The IP traffic has been divided into two IP subnets, 192.207.35.0 and 192.207.36.0. The subnets are internally routed by the switch. The subnets are assigned different VLAN names, Finance and Personnel, respectively. The remainder of the traffic belongs to the VLAN named MyCompany. All ports are members of the VLAN MyCompany.

Figure 6: Protocol-Based VLANs

The following sections provide information on using protocol-based VLANs:

• Predefined Protocol Filters

• Defining Protocol Filters

• Configuring a VLAN to Use a Protocol Filter

• Deleting a Protocol Filter

Predefined Protocol Filters

The following protocol filters are predefined on the switch:

• IP (IPv4)

• IPv6 (11.2 IPv6)

• MPLS

• IPX

• NetBIOS

• DECNet

• IPX_8022

• IPX_SNAP

• AppleTalk

Defining Protocol Filters

If necessary, you can define a customized protocol filter by specifying EtherType, Logical Link Control (LLC), or Subnetwork Access Protocol (SNAP). Up to six protocols can be part of a protocol filter. To define a protocol filter:

1 Create a protocol using the following command:

create protocol_name

For example: create protocol fred

The protocol name can have a maximum of 32 characters.

2 Configure the protocol using the following command:

configure protocol_name add [etype | llc | snap] hex {[etype | llc | snap] hex}

Supported protocol types include:

• etype—EtherType: The values for etype are four-digit hexadecimal numbers taken from a list maintained by the IEEE. This list can be found at the following URL: http://standards.ieee.org/regauth/ethertype/index.html.

Note: Protocol-based VLANs do not classify EtherTypes from 0x0000 to 0x05ff according to the filter. When traffic arrives with these EtherTypes, it is classified to the native VLAN rather than to the protocol-based VLAN.

• llc—LLC Service Advertising Protocol (SAP): The values for llc are four-digit hexadecimal numbers that are created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).

• snap—EtherType inside an IEEE SNAP packet encapsulation: The values for snap are the same as the values for etype, described previously.

For example:

configure protocol fred add llc feff
configure protocol fred add snap 9999

A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined. No more than seven protocols can be active and configured for use.

Note: For more information on SNAP for Ethernet protocol types, see TR 11802-5:1997 (ISO/IEC) [ANSI/IEEE std. 802.1H, 1997 Edition].

Configuring a VLAN to Use a Protocol Filter

To configure a VLAN to use a protocol filter, use the following command:

configure {vlan} vlan_name protocol protocol_name

Deleting a Protocol Filter

If a protocol filter is deleted from a VLAN, the VLAN is assigned a protocol filter of 'any'. You can continue to configure the VLAN. However, no traffic is forwarded to the VLAN until a protocol is assigned to it.

Precedence of Tagged Packets Over Protocol Filters

If a VLAN is configured to accept tagged packets on a particular port, incoming packets that match the tag configuration take precedence over any protocol filters associated with the VLAN.
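The ingress classification rules described in the tagged VLAN and protocol filter sections can be exercised with a small model. The following is an added example, not code from the switch or from this guide: the Port class, the classify function, the VLAN names and the contents assumed for the predefined ip filter (EtherTypes 0x0800 and 0x0806) are illustrative assumptions, and the frames are constructed.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
MIN_ETHERTYPE = 0x0600   # 0x0000-0x05ff is an 802.3 length, never matched as etype


def parse_frame(frame: bytes):
    """Return (vid, kind, value). vid is None when the frame carries no tag;
    kind is 'etype', 'llc' or 'snap', matching the protocol filter keywords."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vid = 12, None
    (field,) = struct.unpack_from("!H", frame, offset)
    if field == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF                    # VLANid is the low 12 bits
        offset += 4
        (field,) = struct.unpack_from("!H", frame, offset)
    offset += 2                               # first byte after type/length
    if field >= MIN_ETHERTYPE:
        return vid, "etype", field
    if len(frame) < offset + 3:
        raise ValueError("truncated LLC header")
    dsap, ssap = frame[offset], frame[offset + 1]
    if (dsap, ssap) == (0xAA, 0xAA):          # SNAP: LLC(3) + OUI(3) + type(2)
        if len(frame) < offset + 8:
            raise ValueError("truncated SNAP header")
        (snap_type,) = struct.unpack_from("!H", frame, offset + 6)
        return vid, "snap", snap_type
    return vid, "llc", (dsap << 8) | ssap     # DSAP and SSAP concatenated


class Port:
    """Hypothetical model of one port's VLAN membership."""

    def __init__(self):
        self.tagged = {}      # VLANid -> VLAN name
        self.untagged = []    # (VLAN name, protocol filter or None for 'any')

    def add_tagged(self, vlan, vid):
        if not 1 <= vid <= 4094:
            raise ValueError("VLANid must be 1 to 4094")
        self.tagged[vid] = vlan

    def add_untagged(self, vlan, protocol=None):
        # One untagged VLAN per protocol filter on a port.
        if any(p == protocol for _, p in self.untagged):
            raise ValueError("Protocol conflict when adding untagged port")
        self.untagged.append((vlan, protocol))


def classify(port, frame):
    """Return the VLAN name a received frame belongs to, or None if discarded."""
    vid, kind, value = parse_frame(frame)
    if vid:                                   # tag wins over protocol filters
        return port.tagged.get(vid)           # VLANid not on the port: discard
    fallback = None                           # untagged, or VLANid 0
    for vlan, protocol in port.untagged:
        if protocol is None:
            fallback = vlan                   # the 'any' VLAN
        elif (kind, value) in protocol:
            return vlan
    return fallback


# Constructed sample configuration and frames
IP = frozenset({("etype", 0x0800), ("etype", 0x0806)})   # assumed ip filter
FRED = frozenset({("llc", 0xFEFF), ("snap", 0x9999)})    # the fred example
MACS = bytes.fromhex("020000000001" "020000000002")
IPV4 = struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
IPV6 = struct.pack("!H", 0x86DD) + bytes(40)
LLC = struct.pack("!H", 3) + bytes.fromhex("feff03")
SNAP = struct.pack("!H", 8) + bytes.fromhex("aaaa03000000" "9999")


def frame(body, vid=None):
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return MACS + tag + body


def demo_port():
    port = Port()
    port.add_untagged("default")              # protocol any
    port.add_untagged("ipsales", IP)
    port.add_untagged("fredvlan", FRED)
    port.add_tagged("sales", 20)
    return port
```

With this port, an untagged IPv4 frame lands in ipsales, the same frame tagged with VLANid 20 lands in sales, and the same frame tagged with an unconfigured VLANid is discarded.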

Default VLAN

The default switch configuration includes one default VLAN that has the following properties:

• The VLAN name is default.

• It contains all the ports on a new or initialized switch.

• The default VLAN is untagged on all ports. It has an internal VLANid of 1; this value is user-configurable.

VLAN Names

VLAN names must conform to the guidelines listed in Object Names.

VLAN names can be specified using the [Tab] key for command completion. VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to that switch. If another switch is connected to it, the VLAN names have no significance to the other switch.

Note: We recommend that you use VLAN names consistently across your entire network.

You must use mutually exclusive names for the following:

• VLANs

• VMANs

• IPv6 tunnels

• SVLANs

• CVLANs

• BVLANs

Configuring VLANs on the Switch

Refer to the following sections for instruction on configuring VLANs on a switch:

• VLAN Configuration Overview

• Creating and Deleting VLANs

• Managing a VLAN IP Address

• Configuring a VLAN Tag

• Adding and Removing Ports from a VLAN

• Adding and Removing VLAN Descriptions

• Renaming a VLAN

• Enabling and Disabling VLANs

• VLAN Configuration Examples

VLAN Configuration Overview

The following procedure provides an overview of VLAN creation and configuration:

1 Create and name the VLAN.

create vlan vlan_name {tag name} {description vlan-description} {vr name}

2 If needed, assign an IP address and mask (if applicable) to the VLAN as described in Managing a VLAN IP Address.

3 If any ports in this VLAN will use a tag, assign a VLAN tag.

configure {vlan} vlan_name tag tag {remote-mirroring}

4 Assign one or more ports to the VLAN.

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

As you add each port to the VLAN, decide if the port will use an 802.1Q tag.

5 For the management VLAN on the switch, configure the default IP route for virtual router VR-Mgmt.

Note: See IPv4 Unicast Routing for information on configuring default IP routes or adding secondary IP addresses to VLANs.

Creating and Deleting VLANs

• To create a VLAN, use the following command:

create vlan vlan_name {tag tag} {description vlan-description} {vr name}

• To delete a VLAN, use the following command:

delete vlan vlan_name

Managing a VLAN IP Address

Note: If you plan to use this VLAN as a control VLAN for an EAPS domain, do not assign an IP address to the VLAN.

• Configure an IP address and mask for a VLAN.

configure {vlan} vlan_name ipaddress [ipaddress {ipNetmask} | ipv6-link-local | {eui64} ipv6_address_mask] +

Note: Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP subnet on different VLANs on the same virtual router.

The software supports using IPv6 addresses, in addition to IPv4 addresses. You can configure the VLAN with an IPv4 address, IPv6 address, or both. See IPv6 Unicast Routing for complete information on using IPv6 addresses.

• Remove an IP address and mask for a VLAN.

unconfigure {vlan} vlan_name ipaddress {ipv6_address_mask}

Configuring a VLAN Tag

To configure a VLAN tag, use the following command:

configure {vlan} vlan_name tag tag {remote-mirroring}

Adding and Removing Ports from a VLAN

• To add ports to a VLAN, use the following command:

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

The system returns the following message if the ports you are adding are already EAPS primary or EAPS secondary ports:

WARNING: Make sure Vlan1 is protected by EAPS, Adding EAPS ring ports to a VLAN could cause a loop in the network. Do you really want to add these ports? (y/n)

• To remove ports from a VLAN, use the following command:

configure {vlan} vlan_name delete ports [all | port_list]

Adding and Removing VLAN Descriptions

A VLAN description is a string of up to 64 characters that you can configure to describe the VLAN. It is displayed by several show vlan commands and can be read by using SNMP to access the VLAN's ifAlias MIB object.

• To add a description to a VLAN, use the following command:

configure {vlan} vlan_name description [vlan-description | none]

• To remove a description from a VLAN, use the following command:

unconfigure {vlan} vlan_name description

Renaming a VLAN

To rename an existing VLAN, use the following command:

configure {vlan} vlan_name name name

The following rules apply to renaming VLANs:

• You cannot change the name of the default VLAN.

• You cannot create a new VLAN named default.

Enabling and Disabling VLANs

You can enable or disable individual VLANs. The default setting is that all VLANs are enabled.

Consider the following guidelines before you disable a VLAN:

• Disabling a VLAN stops all traffic on all ports associated with the specified VLAN.

• You cannot disable any VLAN that is running any Layer 2 protocol traffic.

When you attempt to disable a VLAN running Layer 2 protocol traffic (for example, the VLAN Accounting), the system returns a message similar to the following:

VLAN accounting cannot be disabled because it is actively used by an L2 Protocol

• You can disable the default VLAN; ensure that this is necessary before disabling the default VLAN.

• You cannot disable the management VLAN.

• You cannot bind Layer 2 protocols to a disabled VLAN.

• You can add ports to and delete ports from a disabled VLAN.

1 Disable a VLAN by running:

disable vlan vlan_name

2 After you have disabled a VLAN, re-enable that VLAN.

enable vlan vlan_name

VLAN Configuration Examples

Note: To add an untagged port to a VLAN you create, you must first delete that port from the default VLAN. If you attempt to add an untagged port to a VLAN before deleting it from the default VLAN, you see the following error message:

Error: Protocol conflict when adding untagged port 1:2. Either add this port as tagged or assign another protocol to this VLAN.

The following modular switch example creates a port-based VLAN named accounting:

create vlan accounting
configure accounting ipaddress 132.15.121.1
configure default delete port 2:1-2:3,2:6,4:1,4:2
configure accounting add port 2:1-2:3,2:6,4:1,4:2

Note: Because VLAN names are unique, you do not need to enter the keyword vlan after you have created the unique VLAN name. You can use the VLAN name alone (unless you are also using this name for another category such as STPD or EAPS, in which case we recommend including the keyword vlan).

The following stand-alone switch example creates a port-based VLAN named development with an IPv6 address:

create vlan development
configure development ipaddress 2001:0DB8::8:800:200C:417A/64
configure default delete port 1-3
configure development add port 1-3

The following modular switch example creates a protocol-based VLAN named ipsales.

Slot 5, ports 6 through 8, and slot 6, ports 1, 3, and 4-6 are assigned to the VLAN. In this example, you can add untagged ports to a new VLAN without first deleting them from the default VLAN, because the new VLAN uses a protocol other than the default protocol.

create vlan ipsales
configure ipsales protocol ip
configure ipsales add port 5:6-5:8,6:1,6:3-6:6

The following modular switch example defines a protocol filter, myprotocol, and applies it to the VLAN named myvlan. This is an example only, and has no real-world application.

create protocol myprotocol
configure protocol myprotocol add etype 0xf0f0
configure protocol myprotocol add etype 0xffff
create vlan myvlan
configure myvlan protocol myprotocol

To disable the protocol-based VLAN (or any VLAN) in the above example, use the following command:

disable vlan myvlan

To re-enable the VLAN, use the following command:

enable vlan myvlan

Displaying VLAN Information

To display general VLAN settings and information, use the following commands:

• show vlan {virtual-router vr-name}

• show vlan vlan_name {ipv4 | ipv6}

• show vlan [tag tag | detail] {ipv4 | ipv6}

• show vlan description

• show vlan {vlan_name} statistics {no-refresh}

Note: To display IPv6 information, you must use either the show vlan detail command or show vlan command with the name of the specified VLAN.

To display the VLAN information for other ExtremeXOS software features, use the following commands:

• show {vlan} vlan_name dhcp-address-allocation

• show {vlan} vlan_name dhcp-config

• show {vlan} vlan_name eaps

• show {vlan} vlan_name security

• show {vlan} vlan_name stpd

You can display additional useful information on VLANs configured with IPv6 addresses by issuing the command:

show ipconfig ipv6 vlan vlan_name

To display protocol information, issue the command:

show protocol {name}

Private VLANs

The following sections provide detailed information on private VLANs:

• PVLAN Overview

• Configuring PVLANs

• Displaying PVLAN Information

• PVLAN Configuration Example 1

• PVLAN Configuration Example 2

PVLAN Overview

PVLANs offer the following features:

• VLAN translation

• VLAN isolation

Note: PVLAN features are supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document.

VLAN Translation in a PVLAN

VLAN translation provides the ability to translate the 802.1Q tags for several VLANs into a single VLAN tag. VLAN translation is an optional component in a PVLAN.

VLAN translation allows you to aggregate Layer 2 VLAN traffic from multiple clients into a single uplink VLAN, improving VLAN scaling. The following figure shows an application of VLAN translation.

Note: The VLAN translation feature described in VLAN Translation is provided for those who are already familiar with the ExtremeWare VLAN translation feature. If you have time to use the PVLAN implementation and do not have scripts that use the ExtremeWare commands, we suggest that you use the PVLAN feature, as it provides the same functionality with additional features.

Figure 7: VLAN Translation Application

In the figure, VLANs 101, 102, and 103 are subscriber VLANs that carry data traffic while VLANs 201, 202, and 203 are subscriber VLANs that carry voice traffic. The voice and data traffic are combined on integrated access devices (IADs) that connect to the VLAN translation switch. Each of the three clusters of phones and PCs uses two VLANs to separate the voice and data traffic. As the traffic is combined, the six VLANs are translated into two network VLANs, VLAN1 and VLAN2. This simplifies administration, and scales much better for large installations.

Conceptually, this is very similar to Layer 3 VLAN aggregation (superVLANs and subVLANs).

The primary differences between these two features are:

• VLAN translation is strictly a Layer 2 feature.

• VLAN translation does not allow communication between the subscriber VLANs.

VLAN Isolation

VLAN isolation provides Layer 2 isolation between the ports in a VLAN. The following figure shows an application of VLAN isolation.

Figure 8: VLAN Isolation Application

In this figure, ports in the Guest VLAN have access to services on the network VLAN, but Guest VLAN ports cannot access other Guest VLAN ports over Layer 2 (or the Marketing or Engineering VLANs). This provides port-to-port security at Layer 2.

PVLAN Components

The following figure shows the logical components that support PVLAN configuration in a switch.

Figure 9: Private VLAN Switch Components

There is one network VLAN in each PVLAN. Ports within a network VLAN, called network ports, can communicate with all VLAN ports in the PVLAN. Network devices that connect to the network VLAN ports are considered to be on the network side of the switch.

The network VLAN aggregates the uplink traffic from the other VLANs, called subscriber VLANs, for egress communications on a network VLAN port. A network port can serve only one PVLAN, but it can serve one or more subscriber VLANs. Ingress communications on the network VLAN port are distributed to the appropriate subscriber VLANs for distribution to the appropriate ports. Devices that connect to subscriber VLAN ports are considered to be on the subscriber side of the switch.

Tag translation within the PVLAN is managed at the egress ports. To enable tag translation for uplink traffic from the subscriber VLANs, you must enable tag translation on the appropriate network VLAN port. Tag translation is automatically enabled on subscriber VLAN egress ports when the subscriber VLAN is created and the port is added to the VLAN as tagged. Egress traffic from a subscriber VLAN is always tagged with the subscriber VLAN tag when the port is configured as tagged.

A non-isolated subscriber VLAN is basically a standard VLAN that can participate in tag translation through the network VLAN when VLAN translation is enabled on the network VLAN port.

You can choose to not translate tags on a network VLAN port, but this is generally used only for extending a PVLAN to another switch. A non-isolated subscriber VLAN that does not use tag translation is functionally equivalent to a regular VLAN, so it is better to create non-isolated VLANs only when you plan to use tag translation.

Ports in a non-isolated VLAN can communicate with other ports in the same VLAN, ports in the network VLAN, and destinations on the network side of the switch. As with standard VLANs, non-isolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs.

In the figure above, the Engineering and Marketing VLANs are configured as non-isolated subscriber VLANs, which means that they act just like traditional VLANs, and they can participate in tag translation when VLAN translation is enabled on a network VLAN port that leads to a network-side location.

VLAN isolation within the PVLAN is established by configuring a VLAN to be an isolated subscriber VLAN and adding ports to the isolated VLAN. Unlike normal VLANs, ports in an isolated VLAN cannot communicate with other ports in the same VLAN over Layer 2 or Layer 3. The ports in an isolated VLAN can, however, communicate with Layer 2 devices on the network side of the PVLAN through the network VLAN. When the network VLAN egress port is configured for tag translation, isolated VLAN ports also participate in uplink tag translation. When isolated subscriber VLAN ports are configured as tagged, egress packets are tagged with the isolated VLAN tag. As with standard VLANs and non-isolated VLANs, isolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs.

PVLAN Support over Multiple Switches

A PVLAN can span multiple switches. The following figure shows a PVLAN that is configured to operate on two switches.

Figure 10: Private VLAN Support on Multiple Switches

A PVLAN can span many switches. For simplicity, the figure above shows only two switches, but you can extend the PVLAN to additional switches by adding connections between the network VLANs in each switch. The ports that connect two PVLAN switches must be configured as regular tagged ports. The network and subscriber VLANs on each switch must be configured with the same tags.

Note: Although using the same VLAN names on all PVLAN switches might make switch management easier, there is no software requirement to match the VLAN names. Only the tags must match.

When a PVLAN is configured on multiple switches, the PVLAN switches function as one PVLAN switch. Subscriber VLAN ports can access the network VLAN ports on any of the PVLAN switches, and non-isolated VLAN ports can communicate with ports in the same VLAN that are located on a different physical switch. An isolated VLAN can span multiple switches and maintain isolation between the VLAN ports.

The network and subscriber VLANs can be extended to other switches that are not configured for the PVLAN (as described in Extending Network and Subscriber VLANs to Other Switches). The advantage to extending the PVLAN is that tag translation and VLAN isolation are supported on the additional switch or switches.

Extending Network and Subscriber VLANs to Other Switches

A network or subscriber VLAN can be extended to additional switches without a PVLAN configuration on the additional switches.

You might want to do this to connect to existing servers, switches, or other network devices. You probably do not want to use this approach to support clients, as tag translation and VLAN isolation are not supported unless the PVLAN is configured on all PVLAN switches as described in PVLAN Support over Multiple Switches.

The following figure illustrates PVLAN connections to switches outside the PVLAN.

Figure 11: Private VLAN Connections to Switches Outside the PVLAN

In the above figure, Switch 1, Network VLAN Port 21 connects to a Switch 3 port that only supports the Network VLAN.

In this configuration, the Network VLAN Port 21 on Switch 1 is configured as “translated,” which translates subscriber VLAN tags to the network VLAN tag for access to the Network VLAN extension on Switch 3. Switch 3, Port 24 is configured as tagged and only accepts traffic with the Network VLAN Tag. Switch 3 serves as an extension of the Network VLAN and can be used to connect to network devices such as servers or an internet gateway.

Switch 2, port 22 supports the Network, NonIsolated, and Isolated VLANs, but no PVLAN is configured.

Because port 22 supports multiple VLANs that are part of the PVLAN, and because these Switch 2 VLANs are not part of the PVLAN, Switch 1, port 24, must be configured as a PVLAN endpoint, which establishes the PVLAN boundary. Switch 2, port 22, is configured as a regular tagged VLAN port.

For most applications, it would be better to extend the PVLAN to Switch 2 so that the PVLAN features are available to the Switch 2 VLANs.

The configuration of Switch 2 behaves as follows:

• The Switch 2 NonIsolated VLAN ports can communicate with the NonIsolated VLAN ports on Switch 1, but they cannot participate in VLAN translation.

• The Switch 2 Isolated VLAN ports can communicate with other Switch 2 Isolated VLAN ports.

• The Switch 2 Isolated VLAN ports cannot participate in VLAN translation.

• The Switch 2 Isolated VLAN ports can receive broadcast and multicast info for the Isolated VLAN.

• Traffic is allowed from the Switch 1 Isolated VLAN ports to the Switch 2 Isolated VLAN ports.

MAC Address Management in a PVLAN

Each device that connects to a PVLAN must have a unique MAC address within the PVLAN. Each MAC address learned in a PVLAN requires multiple FDB entries. For example, each MAC address learned in a non-isolated subscriber VLAN requires two FDB entries, one for the subscriber VLAN and one for the network VLAN. The additional FDB entries for a PVLAN are marked with the P flag in the show fdb command display.

The following sections describe the FDB entries created for the PVLAN components and how to estimate the impact of a PVLAN on the FDB table:

• Non-Isolated Subscriber VLAN

• Isolated Subscriber VLAN

• Network VLAN

• Calculating the Total FDB Entries for a PVLAN

Non-Isolated Subscriber VLAN

When a MAC address is learned on a non-isolated subscriber VLAN port, two entries are added to the FDB table:

• MAC address, non-isolated subscriber VLAN tag, and the port number

• MAC address, network VLAN tag, port number, and a special flag for tag translation

The network VLAN entry is used when traffic comes in from the network ports destined for a non-isolated port.

Isolated Subscriber VLAN

When a new MAC address is learned on an isolated subscriber VLAN port, two entries are added to the FDB table:

• MAC address, isolated subscriber VLAN tag, port number, and a flag that indicates that the packet should be dropped

• MAC address, network VLAN tag, port number, and a special flag for tag translation

Ports in the isolated VLAN do not communicate with one another.


If a port in the isolated VLAN sends a packet to another port in the same VLAN that already has an entry in the FDB, that packet is dropped. You can verify the drop packet status of an FDB entry by using the show fdb command. The D flag indicates that packets destined for the listed address are dropped.

The network VLAN entry is used when traffic comes in from the network ports destined for an isolated port.

Network VLAN

When a new MAC address is learned on a network VLAN port, the following entry is added to the FDB table: MAC address, network VLAN tag, and port number.

For every subscriber VLAN belonging to this PVLAN, the following entry is added to the FDB table: MAC address, subscriber VLAN tag, and port number.

Calculating the Total FDB Entries for a PVLAN

The following formula can be used to estimate the maximum number of FDB entries for a PVLAN:

$FDB_{total} = (MAC_{non\text{-}iso} + MAC_{iso}) \times 2 + MAC_{network} \times (VLAN_{non\text{-}iso} + VLAN_{iso} + 1)$

The formula components are as follows:

• $MAC_{non\text{-}iso}$ = number of MAC addresses learned on all the non-isolated subscriber VLANs

• $MAC_{iso}$ = number of MAC addresses learned on all the isolated subscriber VLANs

• $MAC_{network}$ = number of MAC addresses learned on the network VLAN

• $VLAN_{non\text{-}iso}$ = number of non-isolated subscriber VLANs

• $VLAN_{iso}$ = number of isolated subscriber VLANs

Note

The formula above estimates the worst-case scenario for the maximum number of FDB entries for a single PVLAN. If the switch supports additional PVLANs, apply the formula to each PVLAN and add the totals for all PVLANs. If the switch also supports standard VLANs, there will also be FDB entries for the standard VLANs.
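The per-VLAN learning rules and the formula can be cross-checked with a small model. The following Python is an added example, not ExtremeXOS code: it installs the entries described above for each learned MAC, enforces the one-VLAN-per-MAC rule, and compares the resulting table size with the formula. The class and function names, the VLAN names, ports and MAC addresses are constructed for the illustration, and using "P" for every additional entry is a simplification of the flags described above.

```python
def fdb_total(mac_non_iso, mac_iso, mac_network, vlan_non_iso, vlan_iso):
    """Worst-case FDB entries for one PVLAN, using the guide's formula."""
    return (mac_non_iso + mac_iso) * 2 + mac_network * (vlan_non_iso + vlan_iso + 1)


class PvlanFdb:
    """Toy FDB for a single PVLAN (illustrative model, not switch behaviour)."""

    def __init__(self, network, non_isolated=(), isolated=()):
        self.network = network
        self.non_isolated = list(non_isolated)
        self.isolated = list(isolated)
        self.entries = []      # (mac, vlan, port, flags)
        self.learned_on = {}   # mac -> VLAN on which it was first learned

    def learn(self, mac, vlan, port):
        """Install the entries for one learned MAC and return how many were added."""
        mac = mac.lower()
        if mac in self.learned_on:
            if self.learned_on[mac] != vlan:
                # A MAC address cannot exist in two VLANs of the same PVLAN.
                raise ValueError(
                    f"{mac} already learned on {self.learned_on[mac]}, "
                    f"cannot also be learned on {vlan}")
            return 0
        if vlan == self.network:
            # One entry for the network VLAN plus one per subscriber VLAN.
            new = [(mac, vlan, port, "")]
            new += [(mac, sub, port, "P")
                    for sub in self.non_isolated + self.isolated]
        elif vlan in self.non_isolated:
            new = [(mac, vlan, port, ""), (mac, self.network, port, "P")]
        elif vlan in self.isolated:
            # The subscriber entry carries the drop flag (D).
            new = [(mac, vlan, port, "D"), (mac, self.network, port, "P")]
        else:
            raise ValueError(f"{vlan} is not part of this PVLAN")
        self.learned_on[mac] = vlan
        self.entries.extend(new)
        return len(new)

    def formula_estimate(self):
        """Apply the formula to the MAC counts currently learned."""
        def count(vlans):
            return sum(1 for v in self.learned_on.values() if v in vlans)
        return fdb_total(count(self.non_isolated), count(self.isolated),
                         count([self.network]),
                         len(self.non_isolated), len(self.isolated))


def sample_pvlan():
    """Constructed input: 3 isolated clients, 2 non-isolated hosts, 2 network hosts."""
    fdb = PvlanFdb("Main", non_isolated=["Research"], isolated=["ClientConnections"])
    for i in range(3):
        fdb.learn(f"00:00:5e:00:53:0{i}", "ClientConnections", f"2:{i + 1}")
    for i in range(2):
        fdb.learn(f"00:00:5e:00:53:1{i}", "Research", f"3:{i + 1}")
    for i in range(2):
        fdb.learn(f"00:00:5e:00:53:2{i}", "Main", f"1:{i + 1}")
    return fdb


if __name__ == "__main__":
    fdb = sample_pvlan()
    print("simulated entries:", len(fdb.entries))
    print("formula estimate: ", fdb.formula_estimate())
```

Seven learned MAC addresses occupy sixteen FDB entries here, which is the number to compare against the platform's FDB limit when sizing a PVLAN.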

Layer 3 Communications

For PVLANs, the default switch configuration controls Layer 3 communications exactly as communications are controlled in Layer 2.

For example, Layer 3 communications are enabled between ports in a non-isolated subscriber VLAN, and disabled between ports in an isolated subscriber VLAN. Ports in a non-isolated subscriber VLAN cannot communicate with ports in other non-isolated subscriber VLANs.

You can enable Layer 3 communications between all ports in a PVLAN. For more information, see Managing Layer 3 Communications in a PVLAN on page 35.

PVLAN Limitations

The Private VLAN feature has the following limitations:


• Requires more FDB entries than a standard VLAN.

• Within the same VR, VLAN tag duplication is not allowed.

• Within the same VR, VLAN name duplication is not allowed.

• Each MAC address learned in a PVLAN must be unique. A MAC address cannot exist in two or more VLANs that belong to the same PVLAN.

• MVR cannot be configured on PVLANs.

• A VMAN cannot be added to a PVLAN.

• A PBB network (BVLAN) cannot be added to a PVLAN.

• EAPS control VLANs cannot be either subscriber or network VLANs.

• EAPS can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support EAPS on the network VLAN, you must add all of the VLANs in the PVLAN to the EAPS ring.

• STP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support STP on the network VLAN, you must add all of the VLANs in the PVLAN to STP.

• ESRP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support ESRP on the network VLAN, you must add all of the VLANs in the PVLAN to ESRP.

• There is no NetLogin support to add ports as translate to the network VLAN, but the rest of NetLogin and the PVLAN features do not conflict.

• IGMP snooping is performed across the entire PVLAN, spanning all the subscriber VLANs, following the PVLAN rules. For VLANs that are not part of a PVLAN, IGMP snooping operates as normal.

• PVLAN and VPLS are not supported on the same VLAN.

• When two switches are part of the same PVLAN, unicast and multicast traffic require a tagged trunk between them that preserves tags (no tag translation).

• Subscriber VLANs in a PVLAN cannot exchange multicast data with VLANs outside the PVLAN and with other PVLANs. However, the network VLAN can exchange multicast data with VLANs outside the PVLAN and with network VLANs in other PVLANs.

Note

A maximum of 80% of 4K VLANs can be added to a PVLAN. Adding more VLANs will display the following log error:

<Erro:HAL.VLAN.Error>Slot-<slot>: Failed to add egress vlan translation entry on port <port> due to “Table full”.

An additional limitation applies to BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each additional VLAN member with overlapping ports must have a dedicated loopback port. To state it another way, one of the VLAN members with overlapping ports does not require a dedicated loopback port, and the rest of the VLAN members do require a single, dedicated loopback port within each member VLAN.

Note

There is a limit to the number of unique source MAC addresses on the network VLAN of a PVLAN that the switch can manage. It is advised not to exceed the value shown in the item “FDB (maximum L2 entries)” in the Supported Limits table of the ExtremeXOS Installation and Release Notes.


Configuring PVLANs

The following section describes how to configure a private VLAN.

Creating PVLANs

To create a PVLAN, you need to do the following:

1 Create the PVLAN.

2 Add one VLAN to the PVLAN as a network VLAN.

3 Add VLANs to the PVLAN as subscriber VLANs.

• To create a PVLAN, use the following command:

create private-vlan name {vr vr_name}

• To add a network VLAN to the PVLAN, create and configure a tagged VLAN, and then use the following command to add that network VLAN:

configure private-vlan name add network vlan_name

• To add a subscriber VLAN to the PVLAN, create and configure a tagged VLAN, and then use the following command to add that subscriber VLAN:

configure private-vlan name add subscriber vlan_name {non-isolated} {loopback-port port}

By default, this command adds an isolated subscriber VLAN. To create a non-isolated subscriber VLAN, you must include the non-isolated option.

Configuring Network VLAN Ports for VLAN Translation

When subscriber VLAN traffic exits a network VLAN port, it can be untagged, tagged (with the subscriber VLAN tag), or translated (to the network VLAN tag).

Note

All traffic that exits a subscriber VLAN port uses the subscriber VLAN tag, unless the port is configured as untagged. There is no need to configure VLAN translation (from network to subscriber VLAN tag) on subscriber VLAN ports.

1 To configure network VLAN ports for VLAN translation, use the following command and specify the network VLAN and port numbers:

configure {vlan} vlan_name add ports port_list private-vlan translated

2 If you want to later reconfigure a port that is configured for VLAN translation so that it does not translate tags, use the following command and specify either the tagged or the untagged option:

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

Configuring Non-Isolated Subscriber VLAN Ports

The process for configuring non-isolated VLAN ports requires two tasks:

• Add a VLAN to the PVLAN as a non-isolated subscriber VLAN.


• Assign ports to the non-isolated subscriber VLAN.

These tasks can be completed in any order, but they must both be completed before a port can participate in a PVLAN. When configuration is complete, all egress traffic from the port is translated to the VLAN tag for that non-isolated VLAN (unless the port is configured as untagged).

Note

To configure VLAN translation for network VLAN ports, see Configuring Network VLAN Ports for VLAN Translation on page 33.

• To add a non-isolated subscriber VLAN to the PVLAN, use the following command:

configure private-vlan name add subscriber vlan_name non-isolated

• To add ports to a non-isolated VLAN (before or after it is added to the PVLAN), use the following command:

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

If you specify the tagged option, egress traffic uses the non-isolated VLAN tag, regardless of the network translation configuration on any network port with which these ports communicate. Egress traffic from a non-isolated VLAN port never carries the network VLAN tag.

Configuring Isolated Subscriber VLAN Ports

When a port is successfully added to an isolated VLAN, the port is isolated from other ports in the same VLAN, and all egress traffic from the port is translated to the VLAN tag for that VLAN (unless the port is configured as untagged).

Note

To configure VLAN translation for network VLAN ports, see Configuring Network VLAN Ports for VLAN Translation on page 33.

The process for configuring ports for VLAN isolation requires two tasks:

• Add a VLAN to the PVLAN as an isolated subscriber VLAN.

• Assign ports to the isolated subscriber VLAN.

These tasks can be completed in any order, but they must both be completed before a port can participate in an isolated VLAN.

• To add an isolated subscriber VLAN to the PVLAN, use the following command:

configure private-vlan name add subscriber vlan_name

• To add ports to an isolated VLAN (before or after it is added to the PVLAN), use the following command:

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

If you specify the tagged option, egress traffic uses the isolated VLAN tag, regardless of the network translation configuration on any network port with which these ports communicate. Egress traffic from an isolated VLAN port never carries the network VLAN tag.


Configuring a PVLAN on Multiple Switches

To create a PVLAN that runs on multiple switches, you must configure the PVLAN on each switch and set up a connection between the network VLANs on each switch. The ports at each end of the connection must be configured as tagged ports that do not perform tag translation.

To configure these types of ports, use the following command:

configure {vlan} vlan_name add ports port_list tagged

Configuring a Network or Subscriber VLAN Extension to Another Switch

You can extend a network or subscriber VLAN to another switch without configuring a PVLAN on that switch. This configuration is introduced in Extending Network and Subscriber VLANs to Other Switches on page 29.

• To configure the port on the switch that is outside of the PVLAN, use the following command:

configure {vlan} vlan_name add ports port_list tagged

Adding a Loopback Port to a Subscriber VLAN

BlackDiamond 8000 series modules and Summit family switches, whether or not included in a SummitStack, require a loopback port for certain configurations. If two or more subscriber VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the subscriber VLANs with overlapping ports must have a dedicated loopback port.

The loopback port can be added when the subscriber VLAN is added to the PVLAN.

If you need to add a loopback port to an existing subscriber VLAN, use the following command:

configure {vlan} vlan_name vlan-translation add loopback-port port

Managing Layer 3 Communications in a PVLAN

The default configuration for Layer 3 PVLAN communications is described in Layer 3 Communications.

To enable Layer 3 communications between all ports in a PVLAN, use the following command:

configure iparp add proxy [ipNetmask | ip_addr {mask}] {vr vr_name} {mac | vrrp} {always}

Specify the IP address or subnet specified for the network VLAN in the PVLAN. Use the always option to ensure that the switch will reply to ARP requests, regardless of the VLAN from which it originated.

Delete PVLANs

To delete an existing PVLAN, use the command:

delete private-vlan name


Remove a VLAN from a PVLAN

When you remove a VLAN from a PVLAN, you remove the association between a VLAN and the PVLAN. Both the VLAN and PVLAN exist after the removal.

To remove a network or subscriber VLAN from a PVLAN, use the following command:

configure private-vlan name delete [network | subscriber] vlan_name

Deleting a Loopback Port from a Subscriber VLAN

To delete a loopback port from a subscriber VLAN, use the command:

configure {vlan} vlan_name vlan-translation delete loopback-port

Displaying PVLAN Information

This section describes how to display private VLAN information.

Displaying Information for all PVLANs

To display information on all the PVLANs configured on a switch, use the command:

show private-vlan

Displaying Information for a Specific PVLAN

To display information about a single PVLAN, use the command:

show {private-vlan} name

Displaying Information for a Network or Subscriber VLAN

To display information about a network or subscriber VLAN, use the command:

show vlan {virtual-router vr-name}

The following flags provide PVLAN specific information:

s flag   Identifies a network VLAN port that the system added to a subscriber VLAN. All subscriber VLANs contain network VLAN ports that are marked with the s flag.

L flag   Identifies a subscriber VLAN port that is configured as a loopback port. Loopback ports are supported only on BlackDiamond 8000 series modules and Summit family switches, whether or not included in a SummitStack.

t flag   Identifies a tagged network VLAN port on which tag translation is enabled. The t flag only appears in the show vlan display for network VLANs.

e flag   Identifies a network VLAN port that is configured as an endpoint. The e flag only appears in the show vlan display for network VLANs.


Displaying PVLAN FDB Entries

To view all FDB entries including those created for a PVLAN, use the command:

show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | mac-based-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin [all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} | vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

The P flag marks additional FDB entries for PVLANs.

PVLAN Configuration Example 1

The following figure shows a PVLAN configuration example for a medical research lab.

Figure 12: PVLAN Configuration Example 1

The medical research lab hosts lots of visiting clients. Each client has their own room, and the lab wants to grant them access to the internet through a local web proxy server but prevent them from accessing other visiting clients. There is a lab in the building where many research workstations are located. Workstations within the lab require access to other lab workstations, the internet, and file servers that are connected to a switch in another building. Visiting clients should not have access to the Research VLAN devices or the file servers on the remote switch.

The PVLAN in the following figure contains the following PVLAN components:

• Network VLAN named Main, which provides internet access through the proxy web server and access to file servers on the remote switch.


• Isolated subscriber VLAN named ClientConnections, which provides internet access for visiting clients and isolation from other visiting clients, the Research VLAN devices, and the remote file servers.

• Non-isolated subscriber VLAN named Research, which provides internet access and enables communications between Research VLAN devices and the remote file servers.

1 The first configuration step is to create and configure the VLANs on the local switch:

create vlan Main
configure vlan Main add port 1:*
configure vlan Main tag 100
create vlan ClientConnections
configure vlan ClientConnections add port 2:*
configure vlan ClientConnections tag 200
create vlan Research
configure vlan Research add port 3:*
configure vlan Research tag 300

2 The remote switch VLAN is configured as follows:

create vlan Main
configure vlan Main add port 1:*
configure vlan Main tag 100

3 The next step is to create the PVLAN on the local switch and configure each of the component VLANs for the proper role:

create private-vlan MedPrivate
configure private-vlan "MedPrivate" add network "Main"
configure private-vlan "MedPrivate" add subscriber "ClientConnections"
configure private-vlan "MedPrivate" add subscriber "Research" non-isolated

4 The final step is to configure VLAN translation on the local switch so that Research VLAN workstations can connect to the file servers on the remote switch:

configure Main add ports 1:1 private-vlan translated

5 To view the completed configuration, enter the show private-vlan command as follows:

show private-vlan
--------------------------------------------------------------------------------------
Name               VID  Protocol Addr  Flags                  Proto  Ports   Virtual
                                                                     Active  router
                                                                     /Total
--------------------------------------------------------------------------------------
MedPrivate                                                                   VR-Default
Network VLAN:
-main              100  -------------------------------------  ANY   2 /48   VR-Default
Non-Isolated Subscriber VLAN:
-Research          300  -------------------------------------  ANY   2 /96   VR-Default
Isolated Subscriber VLAN:
-ClientConnections 200  ---------------------------------      ANY   2 /52   VR-Default

PVLAN Configuration Example 2

The following figure shows a PVLAN configuration example for a motel.

Figure 13: PVLAN Configuration Example 2

The motel example in the following figure has guest rooms, a conference room, and their web proxy server on the first floor, and guest rooms on the second floor. The motel has three Summit switches.


There is one on the first floor in a closet, one on the first floor in the conference room, and one on the second floor.

The PVLAN in the following figure contains the following PVLAN components:

• A VLAN called Main that contains the web proxy server.

• A VLAN called ConfRoom that contains the ports for the conference room connections.

• A VLAN called ClientConnections that contains client PC connections for the guest rooms.

The goals for the motel network are as follows:

• Provide internet access for the ConfRoom and ClientConnections VLANs through the web proxy server.

• Prevent communications between the ConfRoom and ClientConnections VLANs.

• Enable communications between clients on the ClientConnections VLAN only within the conference room.

• Enable communications between devices on the ConfRoom VLAN.

• Prevent communications between the PCs in the ClientConnections VLAN that are not in the conference room.

Notice the following in the above figure:

• The Summit switches in the first floor closet and on the second floor contain the Main VLAN with a tag of 100. This VLAN is connected via a tagged port between the first and second floor switches.

• The Summit in the conference room does not contain the Main VLAN and cannot be a PVLAN member.

• All of the switches have the ClientConnections VLAN, and it uses VLAN tag 200.

• All of the switches have the ConfRoom VLAN, and it uses VLAN tag 300.

• The Conference Room Summit connects to the rest of the network through a tagged connection to the Summit in the first floor closet.

• Because the Summit in the first floor closet is a PVLAN member and uses the same port to support two subscriber VLANs, a loopback port is required in all subscriber VLANs, except the first configured subscriber VLAN (this applies to all BlackDiamond 8800 series switches and Summit family switches).

Note

The following examples contain comments that follow the CLI comment character (#). All text that follows this character is ignored by the switch and can be omitted from the switch configuration.

The following commands configure the Summit in the first floor closet:

# Create and configure the VLANs.
create vlan Main
configure vlan Main add port 1
configure vlan Main tag 100
configure vlan Main add port 2 tagged
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-19
configure vlan ClientConnections add port 20 tagged
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tagged

# Create and configure the PVLAN named Motel.
create private-vlan Motel
configure private-vlan Motel add network Main
configure private-vlan Motel add subscriber ClientConnections # isolated subscriber VLAN
configure private-vlan "Motel" add subscriber "ConfRoom" non-isolated loopback-port 30
configure private-vlan Motel add subscriber ConfRoom non-isolated
# If you omit the loopback-port command, the above command produces the following error message:
# Cannot add subscriber because another subscriber vlan is already present on the same port, assign a loopback port when adding the subscriber vlan to the private vlan

# show vlan "ConfRoom"
VLAN Interface with name ConfRoom created by user
Admin State: Enabled Tagging: 802.1Q Tag 300
Virtual router: VR-Default
IPv6: None
STPD: None
Protocol: Match all unfiltered protocols
Loopback: Disabled
NetLogin: Disabled
QosProfile: None configured
Egress Rate Limit Designated Port: None configured
Private-VLAN Name: Motel
VLAN Type in Private-VLAN: Non-Isolated Subscriber
Ports: 13. (Number of active ports=1)
Untag: 21, 22, 23, 24, 25, 26, 27,28, 29
Tag: 1s, 2s, 20, *30L
Flags: (*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
# Note that the loopback port is flagged with an "L" and listed as a tagged port, and the network VLAN ports are flagged with an "s" and listed as tagged ports.

The following commands configure the Summit on the second floor:

# create and configure the VLANs
create vlan Main
configure vlan Main tag 100
configure vlan Main add port 2 tagged
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-20
create vlan ConfRoom
configure vlan ConfRoom tag 300
# Create and configure the PVLAN named Motel.
create private-vlan Motel
configure private-vlan Motel add network Main
configure private-vlan Motel add subscriber ClientConnections # isolated subscriber VLAN
configure private-vlan Motel add subscriber ConfRoom non-isolated

The following commands configure the Summit in the conference room:

# create and configure the VLANs
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 1-19
configure vlan ClientConnections add port 20 tag
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tag
# The VLANs operate as extensions of the VLANs on the Summit in the first floor closet. There is no PVLAN configuration on this switch.
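The loopback-port rule and the intended isolation roles in this example can be checked offline before a configuration is applied. The following Python linter is an added example, not Extreme Networks code: it parses the configuration commands used above and reports subscriber VLANs that share a port with an earlier subscriber VLAN but have no loopback port, and VLANs that were expected to be isolated but are not. The function names, the must_be_isolated parameter and the sample configuration are assumptions, and the check runs on the final configuration text rather than on switch state.

```python
import re
import shlex


def expand_ports(spec):
    """Expand '5-19' or '1,3-4' into port names; other forms (e.g. '1:*') stay opaque."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            ports.update(str(p) for p in range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            ports.add(part)
    return ports


def parse(config):
    """Collect VLAN port membership and PVLAN roles from configuration text."""
    vlan_ports, pvlans = {}, {}
    for raw in config.splitlines():
        tok = shlex.split(raw.split("#", 1)[0])  # drop comments, strip quotes
        if len(tok) < 3:
            continue
        if tok[:2] == ["create", "private-vlan"]:
            pvlans.setdefault(tok[2], {"network": None, "subscribers": []})
        elif tok[:2] == ["configure", "private-vlan"]:
            if len(tok) >= 6 and tok[3] == "add":
                pv = pvlans.setdefault(tok[2], {"network": None, "subscribers": []})
                opts = tok[6:]
                if tok[4] == "network":
                    pv["network"] = tok[5]
                elif tok[4] == "subscriber":
                    loop = None
                    if "loopback-port" in opts[:-1]:
                        loop = opts[opts.index("loopback-port") + 1]
                    pv["subscribers"].append({
                        "vlan": tok[5],
                        "isolated": "non-isolated" not in opts,  # isolated is the default
                        "loopback": loop,
                    })
        elif tok[0] == "configure":
            rest = tok[2:] if tok[1] == "vlan" else tok[1:]
            if len(rest) >= 4 and rest[1] == "add" and rest[2] in ("port", "ports"):
                vlan_ports.setdefault(rest[0], set()).update(expand_ports(rest[3]))
    return vlan_ports, pvlans


def audit(config, must_be_isolated=()):
    """Return a list of findings; an empty list means both checks passed."""
    vlan_ports, pvlans = parse(config)
    findings, roles = [], {}
    for name, pv in pvlans.items():
        if pv["network"] is None:
            findings.append(f"{name}: no network VLAN configured")
        used = set()  # ports already carried by earlier subscriber VLANs
        for sub in pv["subscribers"]:
            ports = vlan_ports.get(sub["vlan"], set())
            shared = ports & used
            if shared and sub["loopback"] is None:
                findings.append(
                    f"{name}: subscriber VLAN {sub['vlan']} shares port(s) "
                    f"{sorted(shared)} with an earlier subscriber VLAN "
                    "but has no loopback port")
            roles[sub["vlan"]] = "isolated" if sub["isolated"] else "non-isolated"
            used |= ports
    for vlan in must_be_isolated:
        if roles.get(vlan) != "isolated":
            findings.append(f"{vlan}: expected an isolated subscriber VLAN, "
                            f"found {roles.get(vlan, 'no PVLAN role')}")
    return findings


# Constructed sample modelled on the first-floor closet switch.
CLOSET_OK = """
create vlan Main
configure vlan Main tag 100
configure vlan Main add port 1
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-19
configure vlan ClientConnections add port 20 tagged
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tagged
create private-vlan Motel
configure private-vlan Motel add network Main
configure private-vlan Motel add subscriber ClientConnections  # isolated by default
configure private-vlan "Motel" add subscriber "ConfRoom" non-isolated loopback-port 30
"""

# Constructed faulty variant: loopback port dropped, guest VLAN made non-isolated.
CLOSET_BAD = (CLOSET_OK.replace(" loopback-port 30", "")
              .replace("subscriber ClientConnections",
                       "subscriber ClientConnections non-isolated"))

if __name__ == "__main__":
    for label, cfg in (("ok", CLOSET_OK), ("bad", CLOSET_BAD)):
        print(label, audit(cfg, must_be_isolated={"ClientConnections"}))
```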

VLAN Translation

The VLAN translation feature described in this section provides the same VLAN translation functionality that is provided for PVLANs. This is described in VLAN Translation in a PVLAN on page 24.

The difference is that this feature is configured with different commands that are compatible with ExtremeWare.

Note

The VLAN translation feature described in this section is provided for those who are already familiar with the ExtremeWare VLAN translation commands. If you have not used this feature in ExtremeWare and do not use any scripts that use the ExtremeWare commands, we suggest that you use the Private VLAN feature described in Private VLANs on page 24, as it provides the same functionality with additional features.

The VLAN translation feature is supported only on the platforms listed for this feature in the license tables in Feature License Requirements.

The following figure shows how VLAN translation is configured in the switch.


Figure 14: VLAN Translation Switch Configuration

In the above figure, VLAN1 is configured as a translation VLAN. The translation VLAN is equivalent to the network VLAN in the PVLAN implementation of VLAN translation.

VLANs 101, 102, and 103 are configured as member VLANs of translation VLAN1. The member VLANs are equivalent to the non-isolated subscriber VLANs in the PVLAN implementation of VLAN translation.

This configuration enables tag translation between the translation VLAN and the member VLANs. All member VLANs can communicate through the translation VLAN, but they cannot communicate through Layer 2 with each other.

VLAN Translation Behavior

You should be aware of the behavior of unicast, broadcast, and multicast traffic when using VLAN translation.

Unicast Traffic

Traffic on the member VLANs can be either tagged or untagged.

Traffic is switched locally between client devices on the same member VLAN as normal. Traffic cannot be switched between clients on separate member VLANs. Traffic from any member VLAN destined for the translation VLAN is switched and the VLAN tag is translated appropriately. Traffic from the translation VLAN destined for any member VLAN is switched and the VLAN tag is translated.

Broadcast Behavior

Broadcast traffic generated on a member VLAN is replicated in every other active port of that VLAN as normal.


In addition, the member VLAN traffic is replicated to every active port in the translation VLAN and the VLAN tag is translated appropriately. Broadcast traffic generated on the translation VLAN is replicated to every other active port in this VLAN as usual. The caveat in this scenario is that this traffic is also replicated to every active port in every member VLAN, with VLAN tag translation. In effect, the broadcast traffic from the translation VLAN leaks onto all member VLANs.

Multicast Behavior

IGMP snooping can be enabled on member and translation VLANs so that multicast traffic can be monitored within the network.

IGMP snooping software examines all IGMP control traffic that enters the switch. IGMP control traffic received on a VLAN translation port is forwarded by the CPU to all other ports in the translation group. Software VLAN translation is performed on the packets which cross the translation boundary between member and translation VLANs. The snooping software detects ports joining and leaving multicast streams. When a VLAN translation port joins a multicast group, an FDB entry is installed only on receiving a data miss for that group. The FDB entry is added for the requested multicast address and contains a multicast PTAG. When a VLAN translation port leaves a multicast group, the port is removed from the multicast list. The last VLAN translation port to leave a multicast group causes the multicast FDB entry to be removed.

VLAN Translation Limitations

The VLAN translation feature has the following limitations:

• Requires more FDB entries than a standard VLAN.

• Within the same VR, VLAN tag duplication is not allowed.

• Within the same VR, VLAN name duplication is not allowed.

• Each MAC address learned in the translation and member VLANs must be unique. A MAC address cannot exist in two or more VLANs that belong to the same VLAN translation domain.

• MVR cannot be configured on translation and member VLANs.

• A VMAN cannot be added to translation and member VLANs.

• A PBB network (BVLAN) cannot be added to translation and member VLANs.

• EAPS control VLANs cannot be either translation or member VLANs.

• EAPS can only be configured on translation VLAN ports (and not on member VLAN ports). To support EAPS on the network VLAN, you must add all of the translation and member VLANs to the EAPS ring.

• STP can only be configured on translation VLAN ports (and not on member VLAN ports). To support STP on the translation VLAN, you must add the translation VLAN and all of the member VLANs to STP.

• ESRP can only be configured on translation VLAN ports (and not on member VLAN ports). To support ESRP on the network VLAN, you must add the translation VLAN and all of the member VLANs to ESRP.

• There is no NetLogin support to add ports as translate to the translation VLAN, but the rest of NetLogin and the PVLAN feature do not conflict.

• IGMP snooping is performed across the entire VLAN translation domain, spanning all the member VLANs. For VLANs that are not part of a VLAN translation domain, IGMP snooping operates as normal.

• VLAN translation and VPLS are not supported on the same VLAN.

• Member VLANs in a VLAN translation domain cannot exchange multicast data with VLANs outside the VLAN translation domain. However, the translation VLAN can exchange multicast data with VLANs outside the VLAN translation domain and with translation VLANs in other VLAN translation domains.

Interfaces

Use the following information for selecting and configuring VLAN translation interfaces:

• A single physical port can be added to multiple member VLANs, using different VLAN tags.

• Member VLANs and translation VLANs can include both tagged and untagged ports.

Configuring Translation VLANs

To create a translation VLAN, do the following:

1 Create the VLAN that will become the translation VLAN.

2 Add a tag and ports to the prospective translation VLAN.

3 Add member VLANs to the prospective translation VLAN.

A prospective translation VLAN becomes a translation VLAN when the first member VLAN is added to it.

• To add a member VLAN to a translation VLAN, use the following command:

configure {vlan} vlan_name vlan-translation add member-vlan member_vlan_name {loopback-port port}

• To delete a member VLAN from a translation VLAN, use the following command:

configure {vlan} vlan_name vlan-translation delete member-vlan [member_vlan_name | all]

• To view the translation VLAN participation status of a VLAN, use the following command:

show vlan {virtual-router vr-name}

Displaying Translation VLAN Information

This section describes how to display translation VLAN information.

Displaying Information for a Translation or Member VLAN

To display information about a translation or member VLAN, use the command:

show vlan {virtual-router vr-name}

Displaying Translation VLAN FDB Entries

To view all FDB entries including those created for a translation VLAN, use the command:

show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | mac-based-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin [all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} | vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

The T flag marks additional FDB entries for translation VLANs.

VLAN Translation Configuration Examples

The following configuration examples show VLAN translation used in three scenarios:

• Basic VLAN Translation

• VLAN Translation with ESRP Redundancy

• VLAN Translation with STP Redundancy

Basic VLAN Translation

The example in the following figure configures a basic VLAN translation network. This network provides VLAN translation between four member VLANs and a single translation VLAN.

Figure 15: VLAN Translation Configuration Example

The following configuration commands create the member VLANs:

create vlan v101
configure v101 tag 101
configure v101 add ports 1:1 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:1 tagged
create vlan v103
configure v103 tag 103
configure v103 add ports 1:2 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:2 tagged

The following configuration commands create the translation VLAN and enable VLAN translation:

create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add member-vlan v101
configure v1000 vlan-translation add member-vlan v102
configure v1000 vlan-translation add member-vlan v103
configure v1000 vlan-translation add member-vlan v104

The following configuration commands create the translation VLAN and enable VLAN translation on BlackDiamond X8, BlackDiamond 8000 series modules, and Summit X440, X460, X480, X670, and X770 series switches:

create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add member-vlan v101
configure v1000 vlan-translation add member-vlan v102 loopback-port 1:23
configure v1000 vlan-translation add member-vlan v103
configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24
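The following Python sketch is an added example, not part of the ExtremeXOS guide or software. It parses the basic VLAN translation commands above and computes which (port, tag) pairs receive a copy of a broadcast, making the translation-VLAN leak described earlier visible, and it checks two of the listed limitations (unique tags and unique MAC addresses per translation domain). The function names and the FDB snapshot are constructed for illustration, a single VR is assumed, and every configured port is assumed active.

```python
"""Added example: broadcast reach and limitation checks for a VLAN translation domain."""
import re
from collections import defaultdict

# Commands from the page's "Basic VLAN Translation" example.
CONFIG = """\
create vlan v101
configure v101 tag 101
configure v101 add ports 1:1 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:1 tagged
create vlan v103
configure v103 tag 103
configure v103 add ports 1:2 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:2 tagged
create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add member-vlan v101
configure v1000 vlan-translation add member-vlan v102 loopback-port 1:23
configure v1000 vlan-translation add member-vlan v103
configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24
"""

# Constructed FDB snapshot (MAC, VLAN): the first MAC shows up in two member VLANs.
SAMPLE_FDB = [
    ("02:00:00:00:00:0a", "v101"),
    ("02:00:00:00:00:0b", "v103"),
    ("02:00:00:00:00:0A", "v104"),
]

TAG_RE = re.compile(r"configure (?:vlan )?(\S+) tag (\d+)")
PORT_RE = re.compile(r"configure (?:vlan )?(\S+) add ports (\S+) (?:tagged|untagged)")
MEMBER_RE = re.compile(
    r"configure (?:vlan )?(\S+) vlan-translation add member-vlan (\S+)"
    r"(?: loopback-port \S+)?")


def parse(config):
    """Return (tags, ports, members) from the command forms used on this page."""
    tags, ports, members = {}, defaultdict(set), defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        if m := TAG_RE.fullmatch(line):
            tags[m[1]] = int(m[2])
        elif m := PORT_RE.fullmatch(line):
            ports[m[1]].update(m[2].split(","))   # port ranges are not expanded
        elif m := MEMBER_RE.fullmatch(line):
            members[m[1]].append(m[2])
    return tags, dict(ports), dict(members)


def broadcast_reach(tags, ports, members, source):
    """(port, tag) pairs that carry a copy of a broadcast originated in `source`.

    The ingress port itself is not excluded, so this is an upper bound.
    """
    if source in members:                 # translation VLAN: copied to every member VLAN
        targets = list(members[source])
    else:                                 # member VLAN: copied to its translation VLAN only
        targets = [t for t, ms in members.items() if source in ms]
    reach = set()
    for vlan in [source, *targets]:
        reach |= {(port, tags[vlan]) for port in ports.get(vlan, set())}
    return reach


def duplicate_tags(tags):
    """VLAN tags used by more than one VLAN (not allowed within one VR)."""
    by_tag = defaultdict(list)
    for vlan, tag in tags.items():
        by_tag[tag].append(vlan)
    return {tag: vlans for tag, vlans in by_tag.items() if len(vlans) > 1}


def duplicate_macs(members, fdb):
    """MACs learned in two or more VLANs of the same translation domain."""
    findings = {}
    for translation, member_vlans in members.items():
        domain = {translation, *member_vlans}
        seen = defaultdict(set)
        for mac, vlan in fdb:
            if vlan in domain:
                seen[mac.lower()].add(vlan)
        findings.update({m: sorted(v) for m, v in seen.items() if len(v) > 1})
    return findings


if __name__ == "__main__":
    tags, ports, members = parse(CONFIG)
    for vlan in ("v1000", "v101"):
        print(vlan, "broadcast reaches", sorted(broadcast_reach(tags, ports, members, vlan)))
    print("duplicate tags:", duplicate_tags(tags))
    print("duplicate MACs:", duplicate_macs(members, SAMPLE_FDB))
```

A broadcast from v1000 reaches all four member VLANs on ports 1:1 and 1:2, while a broadcast from v101 reaches only its own port and the translation VLAN port 2:1.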

VLAN Translation with ESRP Redundancy

The example in the following figure configures a VLAN translation network with ESRP redundancy.

The SW2 and SW3 VLAN translation switches are protected by an ESRP control VLAN. The master ESRP switch performs the translation and provides the connectivity to the backbone. If a failure occurs, the slave ESRP switch takes over and begins performing the translation.

Figure 16: ESRP Redundancy Configuration Example

The following configuration commands create the member VLANs on SW1:

create vlan v101
configure v101 tag 101
configure v101 add ports 1:1 tagged
configure v101 add ports 1:3 tagged
configure v101 add ports 1:4 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:1 tagged
configure v102 add ports 1:3 tagged
configure v102 add ports 1:4 tagged
create vlan v103
configure v103 tag 103
configure v103 add ports 1:2 tagged
configure v103 add ports 1:3 tagged
configure v103 add ports 1:4 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:2 tagged
configure v104 add ports 1:3 tagged
configure v104 add ports 1:4 tagged

The configuration for SW2 and SW3 is identical for this example.

The following configuration commands create the member VLANs on SW2:

create vlan v101
configure v101 tag 101
configure v101 add ports 1:3 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:3 tagged
create vlan v103
configure v103 tag 103
configure v103 add ports 1:3 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:3 tagged

This set of configuration commands creates the translation VLANs and enables VLAN translation on SW2:

create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add member-vlan v101
configure v1000 vlan-translation add member-vlan v102
configure v1000 vlan-translation add member-vlan v103
configure v1000 vlan-translation add member-vlan v104

The final set of configuration commands creates the ESRP control VLAN and enables ESRP protection on the translation VLAN for SW2:

create vlan evlan
configure evlan add ports 2:2
enable esrp evlan
configure evlan add domain-member v1000

The following configuration commands create the translation VLAN and enable VLAN translation on VLANs that have overlapping ports:

configure v1000 vlan-translation add member-vlan v102 loopback-port 1:22
configure v1000 vlan-translation add member-vlan v103 loopback-port 1:23
configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24

VLAN Translation with STP Redundancy

The example in the following figure configures a VLAN translation network with redundant paths protected by STP.

Parallel paths exist from the member VLAN portion of the network to the translation switch. STP ensures that the main path for this traffic is active and the secondary path is blocked. If a failure occurs in the main path, the secondary paths are enabled.

Figure 17: STP Redundancy Configuration Example

The following configuration commands create the member VLANs and enable STP on SW1:

create vlan v101
configure v101 tag 101
configure v101 add ports 1:1 tagged
configure v101 add ports 1:3 tagged
configure v101 add ports 1:4 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:2 tagged
configure v102 add ports 1:3 tagged
configure v102 add ports 1:4 tagged
create vlan v103
configure v103 tag 103
configure v103 add ports 1:3 tagged
configure v103 add ports 1:4 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:3 tagged
configure v104 add ports 1:4 tagged
create stpd stp1
configure stp1 tag 101
configure stp1 add vlan v101
configure stp1 add vlan v102
configure stp1 add vlan v103
configure stp1 add vlan v104
enable stpd stp1

These configuration commands create the member VLANs and enable STP on SW2:

create vlan v103
configure v103 tag 103
configure v103 add ports 1:1 tagged
configure v103 add ports 1:3 tagged
configure v103 add ports 1:4 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:2 tagged
configure v104 add ports 1:3 tagged
configure v104 add ports 1:4 tagged
create vlan v101
configure v101 tag 101
configure v101 add ports 1:3 tagged
configure v101 add ports 1:4 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:3 tagged
configure v102 add ports 1:4 tagged
create stpd stp1
configure stp1 tag 101
configure stp1 add vlan v101
configure stp1 add vlan v102
configure stp1 add vlan v103
configure stp1 add vlan v104
enable stpd stp1

This set of configuration commands creates the member VLANs and enables STP on SW3:

create vlan v101
configure v101 tag 101
configure v101 add ports 1:3 tagged
configure v101 add ports 1:4 tagged
create vlan v102
configure v102 tag 102
configure v102 add ports 1:3 tagged
configure v102 add ports 1:4 tagged
create vlan v103
configure v103 tag 103
configure v103 add ports 1:3 tagged
configure v103 add ports 1:4 tagged
create vlan v104
configure v104 tag 104
configure v104 add ports 1:3 tagged
configure v104 add ports 1:4 tagged
create stpd stp1
configure stp1 tag 101
configure stp1 add vlan v101
configure stp1 add vlan v102
configure stp1 add vlan v103
configure stp1 add vlan v104
enable stpd stp1

The final set of configuration commands creates the translation VLAN and enables VLAN translation on SW3:

create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add member-vlan v101
configure v1000 vlan-translation add member-vlan v102
configure v1000 vlan-translation add member-vlan v103
configure v1000 vlan-translation add member-vlan v104

The following configuration commands create the translation VLAN and enable VLAN translation on VLANs that have overlapping ports:

configure v1000 vlan-translation add member-vlan v102 loopback-port 1:22
configure v1000 vlan-translation add member-vlan v103 loopback-port 1:23
configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24

Port-Specific VLAN Tag

The Port-specific VLAN feature adds a layer of specificity between the port tag and the VLAN/VMAN tag: a port-specific VLAN tag. This feature adds the following functionality to the existing VLAN:

• Ability to associate a tag to a VLAN port. This tag is used as a filter to accept frames with matching VID. It is also used as the tag of the outgoing frames.

• Ability to add multiple VLAN ports on the same physical port as long as those VLAN ports are associated with different tags.

• Allows the existing untagged and tagged VLAN ports to be part of the VLAN.

• Ability to learn MAC address on port, tag and VLAN instead of only on the port. As a consequence of the previous point, ability to add static MAC address to port, tag and VLAN.

• Ability to specify limit-learning and MAC lockdown on a port, tag and VLAN, instead of only on the port.

• Rate limiting and counting of frames with matching VIDs is supported with the existing ACL.

The Port-specific VLAN tag allows tagged VLAN ports to be configured with tag values. When the tag is not configured, it is implicit that the tag of the tagged port is the tag of the VLAN. We call the tag of the port the "port tag", and the tag of the VLAN the "base tag". The port tag is used to determine the eligibility of the frames allowed to be part of the VLAN. Once the frame is admitted to the VLAN port, the base tag is used. From a functional standpoint, the frame tag is rewritten to the base tag.

The base tag then is translated to the port tag for the outgoing frame.

Note

The port tag is equal to the base tag when the port tag is not specified, so the current VLAN behavior is preserved.

Untagged VLAN ports also have a port tag, which is always the same as the base tag. Outgoing frames are untagged. The untagged VLAN port always has an implicit port tag that is always equal to the base tag. There can be only one untagged VLAN port on a physical port. It receives untagged frames and tagged frames, and transmits only untagged frames.

A tagged VLAN port can have a port tag configured, or not. When not configured, the port tag is equal to the base tag. There can be more than one tagged VLAN port on a physical port. It receives tagged frames with a tag equal to the port tag, and transmits tagged frames with the port tag.

When the VLAN is assigned to L2VPN, the base tag is the tag that is carried by the pseudo-wire when the dot1q include is enabled. It can be viewed that the VPLS PW port tag is equal to the base tag. To assign a VLAN with a port-specific tag to an L2VPN, use the existing configure vpls vpls_name add service vlan vlan_name command.

Since every tagged VLAN port has different VIDs, forwarding between them on the same physical port (hairpin switching) is possible. From the external traffic point of view, the frame tags are rewritten from the receive port tag to the transmit port tag. Since each port tag is a different VLAN port, a frame that has to be broadcast to multiple VLAN ports is sent out multiple times with different tags when the VLAN ports are on the same physical port. Each port + port tag is an individual VLAN port.

MAC addresses are learned on the VLAN port. This means that the port in the FDB entry is the port + port tag. A unicast frame destined to a MAC address that is in the FDB is sent out of the associated VLAN port. As mentioned earlier, there is only one MAC address learned on the VLAN. If the MAC address is learned on a different port or a different tag, it is a MAC move. It is transmitted out of the physical port only on the associated VLAN port tagged with the port tag when the VLAN port is tagged.

When there are multiple tagged VLAN ports on the transmit port, only one frame with the right tag is transmitted. It is transmitted untagged on an untagged VLAN port. Accordingly, the static MAC address is configured on a VLAN port. This means that the port tag is specified when the tag is not equal to the base tag. The command to flush FDB does not need to change. But, a VLAN port-specific flush needs to be implemented to handle the case when a VLAN port is deleted. This flush is internal and not available through the CLI.

Per VLAN port (port + tag) rate limiting and accounting is achieved by the existing ACL. Use match condition vlan-id to match the port VID. You can use action count and byte-count for accounting. And you can use show access-list counter to view the counters. Action meter can be used for rate limiting. To create a meter, use the create meter command, and configure the committed rate and maximum burst size.
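The port tag and base tag behavior described above can be followed in a small model. This Python sketch is an added example, not ExtremeXOS code: it treats each port + port tag as one VLAN port, admits frames by port tag, learns MAC addresses on the VLAN port, records MAC moves, and replicates floods per VLAN port, including hairpin copies on the same physical port. The class and method names, the MAC addresses, and ports 2 and 3 are constructed; VLAN 100 with port tags 10 and 11 on port 1 matches the page's example, and tagged-frame reception on an untagged VLAN port is not modelled.

```python
"""Added example: a model of VLAN ports (port + port tag) sharing one base tag."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class VlanPort:
    port: str             # physical port
    tag: Optional[int]    # port tag seen on the wire; None for an untagged VLAN port


@dataclass
class Vlan:
    base_tag: int
    vlan_ports: list = field(default_factory=list)
    fdb: dict = field(default_factory=dict)        # MAC -> VlanPort it was learned on
    mac_moves: list = field(default_factory=list)  # (MAC, old VlanPort, new VlanPort)

    def add_port(self, port, tagged=True, tag=None):
        """Add a VLAN port; an unspecified port tag defaults to the base tag."""
        wire_tag = (tag if tag is not None else self.base_tag) if tagged else None
        vlan_port = VlanPort(port, wire_tag)
        if vlan_port in self.vlan_ports:
            raise ValueError(f"{vlan_port} already exists")
        self.vlan_ports.append(vlan_port)
        return vlan_port

    def receive(self, port, frame_tag, src, dst):
        """Return the (port, tag) copies sent for one ingress frame.

        Inside the VLAN the frame is handled with the base tag; only the
        tags seen on the wire are reported here.
        """
        ingress = VlanPort(port, frame_tag)
        if ingress not in self.vlan_ports:
            return []                              # port tag filter: frame not eligible
        previous = self.fdb.get(src)
        if previous is not None and previous != ingress:
            self.mac_moves.append((src, previous, ingress))
        self.fdb[src] = ingress                    # learned on port + port tag
        known = self.fdb.get(dst)
        if known is not None:
            egress = [] if known == ingress else [known]
        else:                                      # broadcast or unknown unicast: flood
            egress = [vp for vp in self.vlan_ports if vp != ingress]
        return [(vp.port, vp.tag) for vp in egress]


def build_exchange_vlan():
    """VLAN 'exchange' from the page, plus constructed ports 2 (tagged) and 3 (untagged)."""
    vlan = Vlan(base_tag=100)
    vlan.add_port("1", tag=10)
    vlan.add_port("1", tag=11)
    vlan.add_port("2")                 # no port tag configured: port tag = base tag
    vlan.add_port("3", tagged=False)
    return vlan


if __name__ == "__main__":
    vlan = build_exchange_vlan()
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    print(vlan.receive("1", 10, host_a, "ff:ff:ff:ff:ff:ff"))   # flood incl. hairpin to tag 11
    print(vlan.receive("1", 12, host_a, host_b))                # tag 12 is not a VLAN port
    print(vlan.receive("2", 100, host_b, host_a))               # unicast to port 1, tag 10
    print(vlan.receive("1", 11, host_a, host_b), vlan.mac_moves)
```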

Port-Specific Tags in L2VPN

You can assign a VLAN with a port-specific tag to VPLS/VPWS using the configure vpls vsi add service vlan vl command. Because this is a single VLAN, the base VID is used when dot1q include is enabled. For example, when VLAN 100, which has ports on Ethernet port 1 with port tags 10 and 11, is assigned to L2VPN, the tag that is carried by the pseudo wire is 100. The configuration for this example is as follows:

create vlan exchange tag 100
config vlan exchange add ports 1 tagged 10
config vlan exchange add ports 1 tagged 11
config vpls vsi1 add service vlan exchange

Similarly, the following is an example for VPWS. There can only be a single VLAN port in the VLAN for assignment to VPWS to be successful:

create vlan exchange tag 100
config vlan exchange add ports 1 tagged 10
config l2vpn vpws pw1 add service vlan exchange

VLAN Port State

VLAN port state is the same as the state of the Ethernet port.

ACLs

You can use the existing match vlan-id ACL to accomplish counting and metering. You can assign the ACL to both ingress and egress ports. The following are examples of such configuration. The port 3 tag is 4 and the port 4 tag is 5. These ACLs will match the frame vlan-ID, and the vlan-ID specified in the match criteria is independent of the port tag.

Content of acl.pol

entry tag_1 {
    if {
        vlan-id 4;
    } then {
        packet-count tag_1_num_frames;
        meter tag_1_meter;
    }
}
entry tag_2 {
    if {
        vlan-id 5;
    } then {
        byte-count tag_2_num_bytes;
        meter tag_2_meter;
    }
}

Content of acl_egress.pol

entry tag_1_egr {
    if {
        vlan-id 4;
    } then {
        packet-count tag_1_egr_num_frames;
        meter tag_1_egr_meter;
    }
}
entry tag_2_egr {
    if {
        vlan-id 5;
    } then {
        byte-count tag_2_egr_num_bytes;
        meter tag_2_egr_meter;
    }
}

Configuring Port-Specific VLAN Tags

The following specific commands are modified by the port-specific VLAN tag:

• clear fdb: Only clears on physical port or VLAN, not on a VLAN port.

• delete fdbentry: All or specific MAC address, or specific MAC address on a VLAN.

• enable/disable flooding ports: Only on physical port (applies to all VLAN ports).

• enable/disable learning: Only on physical port (applies to all VLAN ports on the same physical port), or on a VLAN (applies to all VLAN ports of the VLAN).

• show fdb stats: Only on physical port or VLAN, not on a VLAN port.

Use the following commands to configure Port-specific VLAN tags:

• To configure the port-specific tag, use the configure ports port_list {tagged tag} vlan vlan_name [limit-learning number {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning] command.

• To specify the port tag when you need to put multiple VLANs into a broadcast domain, use the configure {vlan} vlan_name add ports [port_list | all] {tagged {tag} | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}} command.

• To specify a port tag to delete a VLAN port that has a different tag from the VLAN tag, use the configure {vlan} vlan_name delete ports [all | port_list {tagged tag}] command.

• To display output of a VLAN that has a port-specific tag, use the show vlan command.

• To display port info that has port-specific tag statistics, use the show port info detail command.

• To add a permanent, static entry to the FDB, use the create fdbentry mac_addr vlan vlan_name [ports port_list {tagged tag} | blackhole] command.

• To show output where the port tag is displayed, use the show fdb command.

2 VMAN (PBN)

• VMAN Overview

• PBBNs

• VMAN Configuration Options and Features

• Configuration

• Displaying Information

• Configuration Examples

The virtual metropolitan area network (VMAN) feature allows you to scale a Layer 2 network and avoid some of the management and bandwidth overhead required by Layer 3 networks.

Note

If a failover from MSM A to MSM B occurs, VMAN operation is not interrupted. The system has hitless failover; network traffic is not interrupted during a failover.

VMAN Overview

The VMAN feature is defined by the IEEE 802.1ad standard, which is an amendment to the IEEE 802.1Q VLAN standard.

A VMAN is a virtual Metropolitan Area Network (MAN) that operates over a physical MAN or Provider Bridged Network (PBN). This feature allows a service provider to create VMAN instances within a MAN or PBN to support individual customers. Each VMAN supports tagged and untagged VLAN traffic for a customer, and this traffic is kept private from other customers that use VMANs on the same PBN.

The PBN uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. The VMAN technology is sometimes referred to as VLAN stacking or Q-in-Q.

Note

VMAN is an Extreme Networks term that became familiar to Extreme Networks customers before the 802.1ad standard was complete. The VMAN term is used in the ExtremeXOS software and also in this book to support customers who are familiar with this term. The PBN term is also used in this guide to establish the relationship between this industry standard technology and the Extreme Networks VMAN feature.

The following figure shows a VMAN, which spans the switches in a PBN.

Figure 18: VMAN

The entry points to the VMAN are the access ports on the VMAN edge switches. Customer VLAN (CVLAN) traffic that is addressed to locations at other VMAN access ports enters the ingress access port, is switched through the VMAN, and exits the egress access port. If you do not configure any frame manipulation options, the CVLAN frames that exit the VMAN are identical to the frames that entered the VMAN.

VMAN access ports operate in the following roles:

• Customer Network Port (CNP)

• Customer Edge Port (CEP, which is also known as Selective Q-in-Q)

The CEP role, which is configured in software as a cep vman port, connects a VMAN to specific CVLANs based on the CVLAN CVID. The CNP role, which is configured as an untagged vman port, connects a VMAN to all other port traffic that is not already mapped to the port CEP role. These roles are described later.

All other VMAN ports (except the access ports) operate as VMAN network ports, which are also known as Provider Network Ports (PNPs) in the 802.1ad standard. The VMAN network ports connect the PBs that form the core of the VMAN. During configuration, the VMAN network ports are configured as tagged VMAN ports.

The following figure shows one VMAN, but a PBN can support multiple VMAN instances, which are sometimes called VMANs or Service VLANs (SVLANs). VMANs allow you to partition the PBN for customers in the same way that VLANs allow you to partition a Layer 2 network. For example, you can use different VMANs to support different customers on the PBN, and the PBN delivers customer traffic only to the PBN ports that are configured for appropriate VMAN.

A VMAN supports two tags in each Ethernet frame, instead of the single tag supported by a VLAN Ethernet frame. The inner tag is referred to as the customer tag (C-tag), and this optional tag is based on the CVLAN tag if the source VLAN is a tagged VLAN. The outer tag is referred to as the service tag (S-tag) or VMAN tag or SVLAN tag, and it is the tag that defines to which SVLAN a frame belongs. The following figure shows the frame manipulation that occurs at the VMAN edge switch.

Figure 19: Tag Usage at the VMAN Access Switch

In the above figure, the switch accepts CVLAN frames on VMAN access ports 1:1 and 1:2. The switch then adds the S-tag to the frames and switches the frames to network ports 2:1 and 2:2. When the 802.1ad frames reach the PB egress port, the egress switch removes the S-tag, and the CVLAN traffic exits the egress access port in its original form.

When the switch in the figure above acts as the egress switch for a VMAN, VMAN frames arrive on network ports 2:1 and 2:2. The switch accepts only those frames with the correct S-tag, removes the S-tags, and switches those frames to access ports 1:1 and 1:2. Unless special configuration options are applied, the egress frames are identical to ingress CVLAN frames. (Configuration options are described in VMAN Configuration Options and Features on page 64.)

The following figure shows that the S-tags and C-tags used in VMAN frames contain more than just customer and service VLAN IDs.

Figure 20: S-tag and C-tag Components

Each S-tag and C-tag contains an ethertype, a Class of Service (CoS), and a SVLAN ID (SVID) or CVLAN ID (CVID). The ethertype is described in Secondary Ethertype Support on page 65, and the CoS is described in QoS Support on page 66.

The SVID is the VLAN tag you assign to a VMAN when you create it (see the configure vman vman_name tag tag command). The CVID represents the CVLAN tag for tagged VLAN traffic.

Switch ports support VMAN roles and features, which are described in the following sections:

• Customer Network Ports

• Customer Edge Ports

• CVID Translation

• CVID Egress Filtering

Customer Network Ports

Customer Network Ports (CNPs) are edge switch ports that accept all tagged and untagged CVLAN traffic and route it over a single VMAN. A CNP is simpler to configure than a CEP, because it supports one VMAN on a physical port and requires no configuration of CVIDs. The VMAN service provider does not need to know anything about the CVLAN traffic in the VMAN. The service provider simply manages the VMAN, and the ingress CVLAN traffic is managed by the customer or another service provider. This separation of CVLAN and VMAN management reduces the dependence of the separate management teams on each other, and allows both management teams to make changes independent of the other.

Note

The CNP term is defined in the IEEE 802.1ad standard and is also called a port-based service interface. The CNP operation is similar to a MEF 13 UNI Type 1.2, and in releases before ExtremeXOS 12.6, CNPs were known as VMAN access ports or untagged vman ports. With the addition of CEPs, the term VMAN access port is now a generic term that refers to CNPs and CEPs.

A PBN can support up to 4094 VMANs, and each VMAN can support up to 4094 CVLANs. Because each CNP connects to only one VMAN, the maximum number of customer VMANs on an edge switch is equal to the total number of switch ports minus one, because at least one port is required to serve as the PNP (Provider Network Port).

Customer Edge Ports

Each CEP supports the configuration of connections or mappings between individual CVLANs and multiple VMANs.

This provides the following benefits:

• Each physical port supports multiple customers (each connecting to a separate VMAN).

• Each switch supports many more customer VMANs using CEPs instead of CNPs.

To define the connections between CVLANs and SVLANs, each CEP uses a dedicated CVID map, which defines the supported CVIDs on the CEP and the destination VMAN for each CVID. For example, you can configure a CEP to forward traffic from five specific CVLANs to VMAN A and from ten other specific CVLANs to VMAN B. During VMAN configuration, certain ports are added to the VMAN as CEPs, and certain CVIDs on those ports are mapped to the VMAN. To enable customer use of a VMAN, service providers must communicate the enabled CVIDs to their customers. The customers must use those CVIDs to access the VMAN.

Note

The CEP term is defined in the IEEE 802.1ad standard and is also called a C-tagged service interface. The CEP operation is similar to a MEF 13 UNI Type 1.1.

CVID Translation

To support CVLANs that are identified by different CVIDs on different CEPs, some switches support a feature called CVID translation, which translates the CVID received at the VMAN ingress to a different CVID for egress from the VMAN (see the following figure).

Figure 21: CVID Translation

You can use a CLI command to configure CVID translation for a single CVID or for a range of CVIDs, and you can enter multiple commands to define multiple CVIDs and ranges for translation. The commands can be applied to a single port or a list of ports, and after configuration, the configuration applied to a port is retained by that port.

Note

CVID translation is available only on the platforms listed for this feature in the Feature License Requirements document.

CVID translation can reduce the number of CVIDs that can be mapped to VMANs.

CVID Egress Filtering

CVID egress filtering permits the egress from VMAN to CEP of only those frames that contain a CVID that has been mapped to the source VMAN; all other frames are blocked. For example, Customer Edge Port A in the following figure is configured to support CVIDs 10-29, and Customer Edge Port B is configured to support CVIDs 10-19. If CVID egress filtering is enabled on Customer Edge Port B, frames with CVIDs 20-29 will not be forwarded at the egress of Customer Edge Port B.

Figure 22: CVID Egress Filtering

You can enable CVID egress filtering for a single CEP or for all CEPs with a CLI command. You can also repeat the command to enable this feature on multiple CEPs.

Note

CVID egress filtering is available only on the platforms listed for this feature in Feature License Requirements.

When this feature is enabled, it reduces the maximum number of CVIDs that can be mapped to VMANs. The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded through software, CVID egress filtering is always enabled.

PBBNs

A Provider Backbone Bridge Network (PBBN) enables VMAN (PBN, 802.1ad frames) and customer VLAN (802.1Q frames) transport over a backbone network such as the internet.

Note: This feature is supported only on the platforms listed for this feature in the license and feature pack tables in Feature License Requirements.

One application of a PBBN allows an Internet Service Provider (ISP) to create a backbone network over the internet to support Layer 2 traffic from service providers (SPs). Each service provider buys a PBN (VMAN) from the ISP and sells VLAN access to customers. The ISP configures the PBBN, each SP configures their PBN, and each customer configures their VLAN. The PBBN, PBNs, and VLANs are all isolated. All parties (ISP, SP, and customer) can establish their networks and services with minimal support from the other parties, and all parties can make most configuration changes independently of the others.

PBBNs are defined by the IEEE 802.1ah Backbone Bridge standard, which is an amendment to the IEEE 802.1Q VLAN standard. The PBBN technology is sometimes referred to as MAC-in-MAC.

The following figure shows a PBBN, which spans a set of ISP switches that serve as Provider Backbone Bridges (PBBs).

Figure 23: PBBN (diagram labels: PBBN network ports (BVLAN); access ports (SVLAN or CVLAN); VMAN access ports; VMAN network ports; VLAN traffic)

You can view a PBBN as a Layer 2 network that supports VMAN traffic (PBN 802.1ad frames) and VLAN traffic (802.1Q frames). The entry points to a PBBN are the access ports on the PBBN edge switches, which function as Backbone Edge Bridges (BEBs). These ports are designed to receive and transmit VMAN and Customer VLAN (CVLAN) traffic.

PBBN switches that are not configured with network access ports are called Backbone Core Bridges (BCBs). BCBs are configured only with network ports and interconnect all the BEBs in the PBBN.

PBBN traffic enters a PBBN access port, is switched through the PBBN, and exits at a PBBN access port. If you do not configure any frame manipulation options, the frames that exit the PBBN are identical to the frames that entered the PBBN.

The following figure shows three terms that are used during the configuration of a PBBN: CVLAN, SVLAN, and BVLAN.

A PBBN is a virtual tunnel. Service VLANs (SVLANs) and CVLANs are defined at the tunnel end points and define what traffic can enter and exit the tunnel. A BVLAN defines all the switch ports that link the tunnel endpoints. SVLANs, CVLANs, and BVLANs are configuration entities; they are not actual Layer 2 domains. These configuration entities define the roles of ports within the PBBN. These configuration entities operate as follows:

• When a CVLAN is configured on a port, the port accepts customer VLAN traffic (802.1Q frames) for the PBBN. After configuration is complete, the customer VLAN domain extends to all BEBs that have ports configured for the CVLAN. CVLANs are configured only on BlackDiamond 20800 series switches.

• When an SVLAN is configured on a port, the port accepts VMAN traffic (PBN 802.1ad frames) for the PBBN. After configuration is complete, the VMAN domain extends to all BEBs that have ports configured for the SVLAN.

• When a backbone VLAN (BVLAN) is configured on a port, the port serves as a network port in the PBBN core. A BVLAN port forwards PBBN traffic (802.1ah frames) between the BEBs and BCBs in the PBBN.

When you configure a PBBN, you create and configure SVLANs and CVLANs on the PBBN access ports, and you configure a BVLAN on each network port. Later in the configuration process, you bind each SVLAN and CVLAN to a BVLAN to establish the connection between the PBBN access ports and network ports that establish the BVLAN. The process for binding an SVLAN or CVLAN to a BVLAN differs between platforms.

You can use any physical topology on the BVLAN. Although you can assign IP addresses to backbone interfaces to test connectivity, do not enable IP forwarding. The BVLAN must be tagged, and only tagged ports can be added to the BVLAN.

Note: After you configure a port as part of a BVLAN or SVLAN, you cannot apply any other ACLs to that port.

To switch a frame through the PBBN, the switch encapsulates VLAN and VMAN frames in 802.1ah frames as shown in the following figure.

Figure 24: Frame Manipulation Through a PBBN

At the egress port of the PBBN, the system strips off the 802.1ah material, which leaves a VMAN frame containing an original customer frame with the service provider S-tag. At the end-point of the VMAN, the system strips off the 802.1ad material, which delivers the original customer VLAN frame to the designated destination.

Note: There is no interaction between the STPs of the ISP and the subscriber. The subscriber’s BPDUs are tunneled through the PBBN on the ISP backbone.

The following figure shows the contents of an 802.1ah PBBN frame.

Figure 25: 802.1ah PBBN Frame Details

The PBBN-specific frame components are prepended to the 802.1ad VMAN frames and described in the following sections.

B-tag

The BVLAN tag (B-tag) identifies a specific BVLAN and includes three priority bits for QoS.

B-DA and B-SA

The BVLAN destination MAC address (B-DA) and BVLAN source MAC address (B-SA) are used to switch frames across the PBBN.

I-tag

The I-tag identifies the service provider in the scope of PBBNs (the BVLAN is the tunnel inside of which the system uses the I-tag to identify the service provider using the I-tag to S-tag mapping and replacement).

The additional information in the I-tag allows the PBBN to support many more VMANs than the 4094 supported by the S-tag alone. SVLANs with duplicate S-tags are supported in a PBBN when they are received on different access ports, as this results in a different I-tag for each VMAN.

Note: For more information on the ethertype, see Secondary Ethertype Support on page 65.

VMAN Configuration Options and Features

ACL Support

The ExtremeXOS software includes VMAN (PBN) Access Control List (ACL) support for controlling VMAN frames.

VMAN ACLs define a set of match conditions and modifiers that can be applied to VMAN frames. These conditions allow specific traffic flows to be identified, and the modifiers allow a translation to be performed on the frames.

Secondary Ethertype Support

Note: This feature is supported only on the platforms listed for this feature in the license tables in Feature License Requirements.

The C-tag and S-tag components that are added to all VMAN (PBN) frames (see the following figure) include C-ethertype and S-ethertype components that specify an ethertype value for the customer VLAN and VMAN, respectively. The I-tag used in PBBN frames (see the following figure) also includes an ethertype value. When a VLAN or VMAN frame passes between two switches, the ethertype is checked for a match. If the ethertype does not match that of the receiving switch, the frame is discarded.

The default ethertype values are:

• VLAN port (802.1q frames): 0x8100

• Primary VMAN port (802.1ad frames): 0x88A8

• Secondary VMAN port (802.1ad frames): Not configured

The secondary ethertype support feature applies only to VMANs. The ethertype value for VLAN frames is standard and cannot be changed.

If your VMAN transits a third-party device (in other words, a device other than an Extreme Networks device), you must configure the ethertype value on the Extreme Networks device port to match the ethertype value on the third-party device to which it connects.

The secondary ethertype support feature allows you to define two ethertype values for VMAN frames and select either of the two values for each port.

For example, you can configure ports that connect to other Extreme Networks devices to use the default primary ethertype value, and you can configure ports that connect to other equipment to use the secondary ethertype value, which you can configure to match the requirements of that equipment.

When you create a VMAN, each VMAN port is automatically assigned the primary ethertype value. After you define a secondary ethertype value, you can configure a port to use the secondary ethertype value. If two switch ports in the same VMAN use different ethertype values, the switch substitutes the correct value at each port. For example, for VMAN edge switches and transit switches, the switch translates an ingress ethertype value to the network port ethertype value before forwarding. For egress traffic at VMAN edge switches, no translation is required because the switch removes the S-tag before switching packets to the egress port.

For BlackDiamond 8800 series switches, BlackDiamond X8, SummitStack, and the Summit family of switches, you can set the primary and secondary ethertypes to any value, provided that the two values are different.

QoS Support

The VMAN (PBN) feature interoperates with many of the QoS and HQoS features supported in the ExtremeXOS software.

One of those features is egress queue selection, which is described in the next section. For more information on other QoS and HQoS features that work with VMANs, see QoS.

Egress Queue Selection

This feature examines the 802.1p value or Diffserv code point in a VMAN (PBN) S-tag and uses that value to direct the packet to the appropriate queue on the egress port.

Note: This feature is supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document.

On some systems (listed in the Feature License Requirements document), you can configure this feature to examine the values in the C-tag or the S-tag. For instructions on configuring this feature, see Selecting the Tag used for Egress Queue Selection on page 70.

VMAN Double Tag Support

The VMAN double tag feature adds an optional port CVID parameter to the existing untagged VMAN port configuration. When present, any untagged packet received on the port will be double tagged with the configured port CVID and SVID associated with the VMAN. Packets received with a single CVID on the same port will still have the SVID added. As double tagged packets are received from tagged VMAN ports and forwarded to untagged VMAN ports, the SVID associated with the VMAN is stripped. Additionally, the CVID associated with the configured Port CVID is also stripped in the same operation.

Much like the CVIDs configured as part of the CEP feature, the configured Port CVID is not represented by a VLAN within EXOS. The implication is that protocols and individual services cannot be applied to the Port CVID alone. Protocols and services are instead applied to the VMAN and/or port as the VMAN represents the true layer-2 broadcast domain. Much like regular untagged VMAN ports, MAC FDB learning occurs on the VMAN, so duplicate MAC addresses received on multiple CVIDs that are mapped to the same VMAN can be problematic. Even when the additional Port CVID is configured, the port still has all of the attributes of a regular untagged VMAN port. This means that any single c-tagged packets received on the same port will have just the SVID associated with the VMAN added to the packet. Likewise, any egress packet with a CVID other than the configured Port CVID will have the SVID stripped.

Coexistence with Tagged VLANs Interfaces, CEP VMAN Interfaces, and Tagged VMAN Interfaces

Since the port-cvid configuration still has the attributes of a regular untagged VMAN, all of the VLAN and VMAN exclusion and compatibility rules of a regular untagged VMAN port also apply. A list of these rules is contained in “EXOS Selective Q-in-Q.”

Protocol and Feature Interactions

Because this feature leverages existing untagged VMAN port infrastructure, any protocol that works with a regular untagged VMAN port also works when the optional Port CVID is additionally configured. Protocols that locally originate control packets, such as STP and ELRP which are used for loop prevention, transmit packets as natively untagged on the wire when the port is an untagged VMAN member. EXOS can also receive and process these untagged packets. This makes STP edge safeguard + BPDU guard or ELRP effective ways to detect and react to network loops on the device. However, because control packets are transmitted as untagged upstream, devices may need additional configuration support to properly detect remote loops not directly attached to the device. Other effective loop prevention mechanisms work without any interaction with untagged VMAN ports. For example, turning physical port auto-polarity off will prevent an accidental looped cable from becoming active. Likewise, storm-control rate limiting of broadcast and flood traffic can be applied in this environment to minimize the effects of a network loop.

In addition to detecting, preventing, and minimizing the effects of a network loop, user ACLs can be applied to gain visibility and control of L2, L3, and L4 match criteria, even with double tagged packets. All applicable ACL action modifiers are available in this environment. IP multicast pruning within a VMAN can be accomplished via normal IGMP snooping. EXOS supports full IGMP snooping and IP multicast pruning of single tagged and double tagged packets. However, when an IP address is configured on the VMAN, the IGMP protocol engine will transmit single tagged packets on tagged VMAN ports or untagged packets on untagged VMAN ports. Therefore, upstream switch configuration and support may be necessary to properly propagate group memberships across the network.

Configuration

Configuring VMANs (PBNs)

Guidelines for Configuring VMANs

The following sections provide VMAN configuration guidelines for the supported platforms:

• Guidelines for All Platforms

• Guidelines for BlackDiamond X8 and 8000 Series Modules and Summit Family Switches

Guidelines for All Platforms

The following are VMAN configuration guidelines for all platforms:

• Duplicate customer MAC addresses that ingress from multiple VMAN access ports on the same VMAN can disrupt the port learning association process in the switch.

• VMAN names must conform to the guidelines described in Object Names.

• You must use mutually exclusive names for:

• VLANs

• VMANs

• IPv6 tunnels

• VMAN ports can belong to load-sharing groups.

Guidelines for BlackDiamond X8 and 8000 Series Modules and Summit Family Switches

The following are VMAN configuration guidelines for BlackDiamond X8 and 8000 series modules, SummitStack, and Summit family switches:

• You can enable or disable jumbo frames before configuring VMANs. You can enable or disable jumbo frames on individual ports. See Configuring Ports on a Switch for more information on configuring jumbo frames.

• Spanning Tree Protocol (STP) operation on CVLAN components in a PEB as described in IEEE 802.1ad is not supported.

• The initial version of this feature does not implement an XML API.

• Multiple VMAN roles can be combined on one port with certain VLAN types as shown in the following table.

Table 3: Port Support for Combined VMAN Roles and VLANs

| Platform | Combined CNP, CEP, and Tagged VLAN (1, 2) | Combined PNP, CNP, and CEP (a, b, 3) | Combined PNP and Tagged VLAN | Combined PNP and Untagged VLAN |
| --- | --- | --- | --- | --- |
| Summit X440, X460, X480, X60, and X770, and E4G-200 and E4G-400 | X | X | X (4) | X |
| BlackDiamond 8500 and 8800 a-, c-, and e-series modules | X | X | X (d) | X |
| BlackDiamond X8, 8900 c-, xl-, and xm-series modules | X | X | X (e) | X |

1 Subsets of this group are also supported. That is, any two of these items are supported.
2 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP.
3 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100.
4 If the secondary VMAN ethertype is selected for the port, it must be set to 0x8100.

Note: If you already configured VLANs and VMANs on the same module or stand-alone switch using ExtremeXOS 11.4, you cannot change the VMAN ethertype from 0x8100 without first removing either the VLAN or VMAN configuration.

Procedure for Configuring VMANs

This section describes the procedure for configuring VMANs. Before configuring VMANs, review Guidelines for Configuring VMANs on page 67. To configure a VMAN, complete the following procedure at each switch that needs to support the VMAN:

1 If you are configuring a BlackDiamond 8800 series switch, a SummitStack, or a Summit family switch, enable jumbo frames on the switch.

Note: Because the BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches enable jumbo frames switch-wide, you must enable jumbo frames before configuring VMANs on these systems.

2 Create a VMAN using the command:

create vman vman_name vr vr_name

3 Assign a tag value to the VMAN using the command:

configure vman vman_name tag tag_id

4 To configure PNP ports on a PEB or PB, use the following command with the tagged option:

configure vman vman_name add ports [ all | port_list ] {untagged { port-cvid port_cvid} | tagged}

5 To configure CNP ports on a PEB, use the following command with the untagged option:

configure vman vman_name add ports [ all | port_list ] {untagged { port-cvid port_cvid} | tagged}

Note: You must configure CNP ports as untagged, so that the S-tag is stripped from the frame on egress. If the port-cvid is configured, any untagged packet received on the port will be double tagged with the configured port CVID and the SVID associated with the VMAN. Packets received with a single CVID on the same port will still have the SVID added as usual. As double tagged packets are received from tagged VMAN ports and forwarded to untagged VMAN ports, the SVID associated with the VMAN is stripped. Additionally, the CVID associated with the configured port CVID is also stripped in the same operation.

6 To configure CEP ports on a PEB, do the following:

a Use the following command to establish a physical port as a CEP and configure CVID mapping and translation:

configure vman vman_name add ports port_list cep cvid cvid_range {translate cvid | cvid_range}}

b Use the following commands to add or delete CVIDs for a CEP and manage CVID mapping and translation:

configure vman vman_name ports port_list add cvid {cvid | cvid_range} {translate cvid | cvid_range }

configure vman vman_name ports port_list delete cvid {cvid | cvid_range }

c Use the following commands to manage CVID egress filtering for a CEP:

enable vman cep egress filtering ports {port_list | all}

disable vman cep egress filtering ports {port_list | all}

7 Configure additional VMAN options as described in Configuring VMAN Options on page 70.

8 To configure a VLAN to use a VMAN, configure the VLAN on the switch port at the other end of the line leading to the VMAN access port.

Configuring VMAN Options

Configuring the Ethertype for VMAN Ports

The ethertype is a component of VLAN and VMAN frames. It is introduced in Secondary Ethertype Support on page 65.

Note: This feature is supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document.

To configure the ethertype for VMAN (PBN) ports, do the following:

1 Configure the primary and secondary (if needed) VMAN ethertype values for the switch using the following command:

configure vman ethertype hex_value [primary | secondary]

By default, all VMAN ports use the primary ethertype value.

2 If you plan to use a secondary ethertype, select the secondary ethertype for the appropriate VMAN ports using the following command:

configure port port_list ethertype {primary | secondary}

Selecting the Tag used for Egress Queue Selection

By default, switches that support the enabling and disabling of this feature use the 802.1p value in the S-tag to direct the packet to the queue on the egress port.

Note: This feature is supported and configurable only on the platforms listed for this feature in the license tables in the Feature License Requirements document.

• Configure egress queue dot1p examination of the C-tag using:

enable dot1p examination inner-tag port [all | port_list]

• Return to the default selection of using the 802.1p value in the S-tag using:

disable dot1p examination inner-tag ports [all | port_list]

Note: See QoS for information on configuring and displaying the current 802.1p and DiffServ configuration for the S-tag 802.1p value. To enable dot1p examination for inner-tag, dot1p examination for outer-tag must be disabled using the command disable dot1p examination ports [all | port_list]

Displaying Information

Displaying VMAN Information

Use the following commands to display information on one or all VMANs.

show {vman} vman_name {ipv4 | ipv6}

show vman [tag tag_id | detail] {ipv4 | ipv6}

show {vman} vman_name eaps

Note: The display for the show vman command is different depending on the platform and configuration you are using. See the ExtremeXOS Command Reference Guide for complete information on this command.

You can also display VMAN information, as well as all the VLANs, by issuing the show ports information detail command. You can also display the VMAN ethernet type and secondary etherType port_list by using the show vman etherType command.

Configuration Examples

VMAN Example, BlackDiamond 8810

The following example shows the steps to configure a VMAN (PBN) on the BlackDiamond 8810 switch shown in the following figure.

Figure 26: Sample VMAN Configuration on BlackDiamond 8810 Switch

The VMAN is configured from the building to port 1, slot 3 on the BlackDiamond 8810 switch and from port 2, slot 3 on the BlackDiamond 8810 switch to the BlackDiamond® 6808 switch:

enable jumbo frames
create vman vman_tunnel_1
configure vman vman_tunnel_1 tag 100
configure vman vman_tunnel_1 add port 3:1 untagged
configure vman vman_tunnel_1 add port 3:2 tagged
disable dot1p examination port 3:2
enable dot1p examination inner-tag port 3:2

The following example configuration demonstrates configuring IP multicast routing between VMANs and VLANs (when VMAN traffic is not double-tagged) on the BlackDiamond 8800 series switch and the Summit family of switches.

Using this configuration you can use a common uplink to carry both VLAN and VMAN traffic and to provide multicast services from a VMAN through a separate VLAN (notice that port 1:1 is in both a VLAN and a VMAN):

enable jumbo-frame ports all
configure vman ethertype 0x8100
create vlan mc_vlan
configure vlan mc_vlan tag 77
create vman vman1
configure vman vman1 tag 88
configure vlan vman1 ipaddress 10.0.0.1/24
configure vlan mc_vlan ipaddress 11.0.0.1/24
enable ipforwarding vman1
enable ipforwarding mc_vlan
enable ipmcforwarding vman1
enable ipmcforwarding mc_vlan
configure vlan mc_vlan add port 1:1 tag
configure vman vman1 add port 1:1 tag
configure vman vman1 add port 2:1, 2:2, 2:3

Note: IGMP reports can be received untagged on ports 2:1, 2:2, and 2:3. Tagged IP multicast data is received on mc_vlan port 1:1 and is routed using IP multicasting to vman1 ports that subscribe to the IGMP group.

IGMP snooping (Layer 2 IP multicasting forwarding) does not work on the VMAN ports because there is no double-tagged IP multicast cache lookup capability from port 1:1.

VMAN CEP Example

The following configuration configures a VMAN CEP to support up to 10 customer VLANs for each of three VMANs.

create vman cust1
create vman cust2
create vman cust3
config vman cust1 tag 1000
config vman cust2 tag 1001
config vman cust3 tag 1002
config vman cust1 add port 22 tag
config vman cust2 add port 22 tag
config vman cust3 add port 23 tag
config vman cust1 add port 1 cep cvid 100 - 109
config vman cust2 add port 1 cep cvid 110 - 119
config vman cust3 add port 1 cep cvid 120 - 129
enable vman cep egress filtering ports 1

Port 1 serves as the CEP, and egress filtering is enabled on the port. Ports 22 and 23 serve as CNPs, providing the connection between the CEP port and the rest of each VMAN.
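A configuration check built on this example and on the CVID egress filtering rule described earlier: it parses the CEP commands, reports CEP ports left without egress filtering, and evaluates the fast-path egress decision. This is an added sketch, not an ExtremeXOS tool; the function names are hypothetical, port lists are assumed to be comma-separated without spaces, and flagging a CVID mapped to two VMANs on one CEP is this sketch's own assumption.

```python
import re

# The VMAN CEP example from this page, one command per line.
PAGE_CONFIG = """\
create vman cust1
create vman cust2
create vman cust3
config vman cust1 tag 1000
config vman cust2 tag 1001
config vman cust3 tag 1002
config vman cust1 add port 22 tag
config vman cust2 add port 22 tag
config vman cust3 add port 23 tag
config vman cust1 add port 1 cep cvid 100 - 109
config vman cust2 add port 1 cep cvid 110 - 119
config vman cust3 add port 1 cep cvid 120 - 129
enable vman cep egress filtering ports 1
"""

CEP_RE = re.compile(r"config(?:ure)?\s+vman\s+(\S+)\s+add\s+ports?\s+(\S+)\s+cep\s+cvid\s+"
                    r"(\d+)(?:\s*-\s*(\d+))?", re.I)
FILTER_RE = re.compile(r"(enable|disable)\s+vman\s+cep\s+egress\s+filtering\s+ports\s+(\S+)",
                       re.I)


def parse(config):
    """Return (cep, filtered).

    cep maps a CEP port to its list of (vman, first_cvid, last_cvid) mappings;
    filtered is the set of CEP ports that end up with egress filtering enabled.
    """
    cep, events = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = CEP_RE.match(line)
        if m:
            first = int(m.group(3))
            last = int(m.group(4)) if m.group(4) else first
            for port in m.group(2).split(","):
                cep.setdefault(port, []).append((m.group(1), first, last))
            continue
        m = FILTER_RE.match(line)
        if m:
            events.append((m.group(1).lower() == "enable", m.group(2).split(",")))
    filtered = set()
    for enable, ports in events:          # replay enable/disable in command order
        targets = set(cep) if "all" in ports else set(ports)
        filtered = filtered | targets if enable else filtered - targets
    return cep, filtered


def egress_allowed(cep, filtered, port, vman, cvid):
    """Fast-path decision for a frame leaving `vman` through CEP `port` with C-tag `cvid`."""
    if port not in filtered:
        return True                       # filtering disabled: the CVID is not checked
    return any(v == vman and lo <= cvid <= hi for v, lo, hi in cep.get(port, []))


def audit(config):
    """Return a list of findings for the CEP ports in `config`."""
    cep, filtered = parse(config)
    findings = []
    for port, maps in sorted(cep.items()):
        if port not in filtered:
            findings.append(f"port {port}: CEP without CVID egress filtering")
        for i, (va, lo_a, hi_a) in enumerate(maps):
            for vb, lo_b, hi_b in maps[i + 1:]:
                lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
                if va != vb and lo <= hi:
                    findings.append(f"port {port}: CVIDs {lo}-{hi} mapped to both {va} and {vb}")
    return findings


if __name__ == "__main__":
    print(audit(PAGE_CONFIG) or "no findings")
```
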

Multiple VMAN Ethertype Example

The following figure shows a switch that is configured to support the primary ethertype on three ports and the secondary ethertype on a fourth port.

The primary VMAN (PBN) ethertype is changed from the default value, but that is not required.

Figure 27: Multiple VMAN Ethertype Example

The following configuration commands accomplish what is shown in the figure above:

# configure vman ethertype 0x9100 primary
# configure vman ethertype 0x8100 secondary
#
# configure port 2:2 ethertype secondary
#
# create vman vman300
# configure vman vman300 tag 300
#
# configure vman vman300 add port 1:1, 2:1, 2:2 tagged
# configure vman vman300 add port 1:2 untagged
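The ethertype check and substitution from Secondary Ethertype Support, modeled on the port settings of this example. This is an added illustration, not ExtremeXOS code: the function names, the constructed MAC addresses and customer frame, and the forwarding model (discard at ingress when the outer ethertype or tag does not match the port, rewrite or strip the S-tag at egress) are assumptions.

```python
import struct

# Settings taken from the example above; the forwarding model itself is an assumption.
PRIMARY, SECONDARY = 0x9100, 0x8100
VMAN_TAG = 300
PORTS = {              # port -> (S-tag ethertype selected on the port, tagged member?)
    "1:1": (PRIMARY, True),
    "2:1": (PRIMARY, True),
    "2:2": (SECONDARY, True),
    "1:2": (PRIMARY, False),   # untagged VMAN port
}


def make_tag(ethertype, vid, pcp=0):
    """Build one 4-byte tag: 16-bit ethertype, then PCP (3 bits), DEI (1), VID (12)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("vid or pcp out of range")
    return struct.pack("!HH", ethertype, (pcp << 13) | vid)


def read_tag(frame, offset=12):
    """Return (ethertype, pcp, vid) of the tag at offset (12 = right after the MACs)."""
    if len(frame) < offset + 4:
        raise ValueError("frame too short to hold a tag")
    ethertype, tci = struct.unpack_from("!HH", frame, offset)
    return ethertype, tci >> 13, tci & 0x0FFF


def forward(frame, in_port, out_port):
    """Return the frame as it leaves out_port, or None if it is discarded at ingress."""
    in_type, in_tagged = PORTS[in_port]
    out_type, out_tagged = PORTS[out_port]
    macs, rest, pcp = frame[:12], frame[12:], 0
    if in_tagged:
        ethertype, pcp, vid = read_tag(frame)
        if ethertype != in_type or vid != VMAN_TAG:
            return None            # ethertype mismatch (or foreign tag): discard
        rest = frame[16:]          # customer part, without the S-tag
    if out_tagged:
        return macs + make_tag(out_type, VMAN_TAG, pcp) + rest   # substitute ethertype
    return macs + rest             # untagged VMAN port: S-tag removed on egress


# Constructed sample: customer 802.1Q frame (C-tag VID 10) carrying an IPv4 payload.
MACS = bytes.fromhex("020000000002" "020000000001")
CUSTOMER = MACS + make_tag(0x8100, 10) + struct.pack("!H", 0x0800) + b"payload"


def demo():
    """Follow the customer frame across the switch and try one mismatched frame."""
    to_third_party = forward(CUSTOMER, "1:2", "2:2")      # S-tag added with 0x8100
    to_extreme = forward(to_third_party, "2:2", "1:1")    # rewritten to 0x9100
    stale = MACS + make_tag(0x88A8, VMAN_TAG) + CUSTOMER[12:]
    return {
        "third_party_outer": read_tag(to_third_party),
        "inner_after_s_tag": read_tag(to_third_party, 16),
        "extreme_outer": read_tag(to_extreme),
        "default_88a8_on_1:1": forward(stale, "1:1", "2:1"),
        "back_to_customer": forward(to_extreme, "1:1", "1:2") == CUSTOMER,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
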

3 FDB

• FDB Contents
• How FDB Entries Get Added
• How FDB Entries Age Out
• FDB Entry Types
• Managing the FDB
• Displaying FDB Entries and Statistics
• MAC-Based Security
• Managing MAC Address Tracking

The FDB chapter is intended to help you learn about forwarding databases, adding and displaying entries and entry types, managing the FDB, and MAC-based security. This chapter also provides information about MAC Address tracking.

The switch maintains a forwarding database (FDB) of all MAC addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.

Note: See the ExtremeXOS Command Reference Guide for details of the commands related to the FDB.

FDB Contents

Each Forwarding Database (FDB) entry consists of:

• The MAC address of the device

• An identifier for the port and VLAN on which it was received

• The age of the entry

• Flags

Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN.

How FDB Entries Get Added

The MAC entries that are added to the FDB are learned in the following ways:

• Source MAC entries are learned from ingress packets on all platforms. This is Layer 2 learning.

• On BlackDiamond 8800 series switches, MAC entries can be learned at the hardware level.

• Virtual MAC addresses embedded in the payload of IP ARP packets can be learned when this feature is enabled.

• Static entries can be entered using the command line interface (CLI).

• Dynamic entries can be modified using the CLI.

• Static entries for switch interfaces are added by the system upon switch boot-up.

The ability to learn MAC addresses can be enabled or disabled on a port-by-port basis. You can also limit the number of addresses that can be learned, or you can lock down the current entries and prevent additional MAC address learning.

BlackDiamond 8000 series modules and Summit switches support different FDB table sizes.

On a BlackDiamond 8800 switch with a variety of modules or on a SummitStack with different Summit switch models, the FDB tables on some modules or switches can be filled before the tables on other modules or switches. In this situation, when a lower-capacity FDB table cannot accept FDB entries, a message appears that is similar to the following:

HAL.FDB.Warning> MSM-A: FDB for vlanID1 mac 00:00:03:05:15:04 was not added to slot 3 - table full.

Note: For information on increasing the FDB table size on BlackDiamond 8900 xl-series modules and Summit X480 switches, see Increasing the FDB Table Size on page 77. For information on FDB tables sizes, see the ExtremeXOS Release Notes.

How FDB Entries Age Out

Software Aging Platforms (All Platforms except Summit X480 and BD8900 xl-series cards)

When a MAC is learned on a VLAN, an FDB entry is created for this MAC VLAN combination. Once an FDB entry is created, the aging counter in the "show fdb" output increases from 0 to “polling interval”.

The hardware is checked every “polling interval” seconds to see if there is traffic flow from the given FDB entry. If there is a traffic flow from this MAC, the entry is refreshed and the aging counter is reset to 0.

If there is no traffic from that FDB entry during this polling interval, the age gets incremented until the configured age time (configured by configure fdb agingtime seconds). The entry gets removed when there is no traffic flow from this FDB entry when the age count reaches the configured age time.

Polling interval = FDB aging time/4 (subject to the minimum and maximum values being 10 and 60 seconds respectively).
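The software aging steps above as a small simulation, added here as an illustration and not taken from ExtremeXOS. It assumes integer division for the polling interval and that the age is evaluated only at each poll; the aging times and frame timestamps are constructed. For an aging time of 300 seconds it shows an idle entry being removed 300 to 359 seconds after its last frame, depending on where that frame fell within a polling interval.

```python
def polling_interval(aging_time):
    """FDB aging time / 4, held between 10 and 60 seconds (integer division assumed)."""
    return max(10, min(60, aging_time // 4))


def simulate(aging_time, traffic_times, learned_at=0):
    """Walk one FDB entry through the polls; return (trace, removed_at).

    trace is a list of (poll_time, age) pairs; removed_at is the poll at which the
    entry is deleted, or None when aging_time is 0 (automatic removal disabled).
    """
    if aging_time == 0:
        return [], None
    interval = polling_interval(aging_time)
    trace, age, now = [], 0, learned_at
    while True:
        previous, now = now, now + interval
        if any(previous < t <= now for t in traffic_times):
            age = 0                      # traffic seen since the last poll: refresh
        else:
            age += interval              # idle for the whole polling interval
        trace.append((now, age))
        if age >= aging_time:
            return trace, now            # idle age reached the aging time: remove


def removal_delay(aging_time, last_frame):
    """Seconds between the entry's last frame and its removal (None if never removed)."""
    _, removed_at = simulate(aging_time, [last_frame])
    return None if removed_at is None else removed_at - last_frame


if __name__ == "__main__":
    # Constructed case: aging time 300 s, frames seen 30 s and 100 s after learning.
    trace, removed_at = simulate(300, [30, 100])
    for poll_time, age in trace:
        print(f"t={poll_time:4d}s  age={age:3d}s")
    print("removed at", removed_at)
    print("delay after a frame at t=120:", removal_delay(300, 120))
    print("delay after a frame at t=121:", removal_delay(300, 121))
```
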

Hardware Aging Platforms (Only Summit X480 and BD8900 xl-series cards)

Aging is controlled entirely by the hardware based on the traffic hit that happens for the individual FDB entry. The age in the show fdb output is always shown as 0. The entry is removed when it ages out.

FDB Entry Types


Dynamic Entries

A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information.

The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the database are dynamic, except for certain entries created by the switch at boot-up.

Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database.

The aging time is configurable, and the aging process operates on the supported platforms as follows:

• On all platforms, you can configure the aging time to 0, which prevents the automatic removal of all dynamic entries.

• On BlackDiamond X8 series switches, BlackDiamond 8000 a-, c-, e- and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X440, X460, X670, and X770 series switches, the aging process takes place in software and the aging time is configurable.

• On BlackDiamond 8900 xl-series and Summit X480 switches, the aging process takes place in hardware and the aging time is based on (but does not match) the configured software aging time.

For more information about setting the aging time, see Configuring the FDB Aging Time on page 79.

Note: If the FDB entry aging time is set to 0, all dynamically learned entries in the database are considered static, non-aging entries. This means that the entries do not age, but they are still deleted if the switch is reset.

Dynamic entries are flushed and relearned (updated) when any of the following take place:

• A VLAN is deleted.

• A VLAN identifier (VLANid) is changed.

• A port mode is changed (tagged/untagged).

• A port is deleted from a VLAN.

• A port is disabled.

• A port enters blocking state.

• A port goes down (link down).

A non-permanent dynamic entry is initially created when the switch identifies a new source MAC address that does not yet have an entry in the FDB. The entry can then be updated as the switch continues to encounter the address in the packets it examines. These entries are identified by the “d” flag in the show fdb command output.

Static Entries

A static entry does not age and does not get updated through the learning process.

A static entry is considered permanent because it is retained in the database if the switch is reset or a power off/on cycle occurs. A static entry is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries.

To create a permanent static FDB entry, see Adding a Permanent Unicast Static Entry on page 78.

If a duplicate MAC address is learned on a port other than the port where the static entry is defined, all traffic from that MAC address is dropped. By default, the switch does not report duplicate addresses. However, you can configure the switch to report these duplicate addresses as described in Managing Reports of Duplicate MAC Addresses for Static Entries on page 80.

A locked static entry is an entry that was originally learned dynamically, but has been made static (locked) using the MAC address lock-down feature. It is identified by the “s,” “p,” and “l” flags in show fdb command output and can be deleted using the delete fdbentry command. See MAC Address Lockdown for more information about this feature.

Note: Static FDB entries created on EAPS- or STP-enabled ports forward traffic irrespective of the port state. Consequently, you should avoid such a configuration.

Blackhole Entries

A blackhole entry configures the switch to discard packets with a specified MAC destination address.

Blackhole entries are useful as a security measure or in special circumstances where a specific source or destination address must be discarded. Blackhole entries can be created through the CLI, or they can be created by the switch when a port’s learning limit has been exceeded.

Blackhole entries are treated like permanent entries in the event of a switch reset or power off/on cycle. Blackhole entries are never aged out of the database.

Private VLAN Entries

A Private VLAN (PVLAN) creates special FDB entries. These are described in MAC Address Management in a PVLAN on page 30.

Managing the FDB

Increasing the FDB Table Size

BlackDiamond 8900 xl-series modules and Summit X480 switches provide an additional table that can be configured to support additional FDB table entries with the following command:

configure forwarding external-tables [l3-only {ipv4 | ipv4-and-ipv6 | ipv6} | l2-only | acl-only | l2-and-l3 | l2-and-l3-and-acl | l2-and-l3-and-ipmc | none]

Summit X770 switches provide a Unified Forwarding Table that allows for flexible allocation of entries to L2 or L3. You can configure this table with the configure forwarding internal-tables [l2-and-l3 | more [l2 | l3-and-ipmc]] command.

Adding a Permanent Unicast Static Entry

To add a static entry use the following command:

create fdbentry mac_addr vlan vlan_name [ports port_list | blackhole]

The following example adds a permanent static entry to the FDB:

create fdbentry 00:E0:2B:12:34:56 vlan marketing port 3:4

The permanent entry has the following characteristics:

• MAC address is 00:E0:2B:12:34:56.

• VLAN name is marketing.

• Slot number for this device is 3 (only on modular switches).

• Port number for this device is 4.

On Summit family switches, BlackDiamond X8 series switches, and BlackDiamond 8000 series modules, you can specify multiple ports when you create a unicast static entry. However, all ports in the list must be on the same SummitStack switch, BlackDiamond X8 series switch or BlackDiamond 8000 series module. When the port list contains ports on different slots, the following error is generated:

Error: Multiple ports must be on the same slot for unicast MAC FDB entries.

Once the multiport static FDB entry is created, any ingress traffic with a destination MAC address matching the FDB entry is multicasted to each port in the specified list. On Summit family switches and BlackDiamond 8000 series modules, if the FDB entry is the next hop for an IP adjacency, unicast routing sends the packet to the first port in the list.

Note: When a multiport list is assigned to a unicast MAC address, load sharing is not supported on the ports in the multiport list.

Summit family switches, BlackDiamond X8 series switches, and BlackDiamond 8000 series modules do not support this multiport feature natively using the FDB table. Instead, for each FDB entry of this type, a series of system ACLs have been installed which match the specified MAC address and VLAN ID, and override the egress port forwarding list with the supplied list of ports. Multiple ACLs per FDB are required to handle Layer 2 echo kill by installing a unique ACL per individual port in the list to send matching traffic to all other ports in the list.

User-configured ACLs take precedence over these FDB-generated ACL rules, and the total number of rules is determined by the platform.

The hardware ACL limitations for each platform are described in ACLs.


Adding a Permanent Multicast Static Entry

On BlackDiamond X8 series switches, BlackDiamond 8000 series modules, SummitStack, and Summit family switches, you can create FDB entries to multicast MAC addresses (that is, 01:00:00:00:00:01) and list one or more ports.

Use the create fdbentry mac_addr vlan vlan_name [ports port_list | blackhole] command to enter the multicast FDB address. After traffic with a multicast MAC destination address enters the switch, that traffic is multicast to all ports on the list.

However, if the MAC address is in the IP multicast range (for example, 01:00:5e:XX:XX:XX), IGMP snooping rules take precedence over the multicast static FDB entry. Of course, if you disable IGMP snooping on all VLANs, the static FDB entry forwards traffic.

Configuring the FDB Aging Time

• To configure the aging time for dynamic FDB entries, use the following command:

configure fdb agingtime seconds

If the aging time is set to 0, all aging entries in the database are defined as static, nonaging entries. This means the entries will not age out, but non-permanent static entries can be deleted if the switch is reset.

• To display the aging time, use the following command:

show fdb

Note: On BlackDiamond 8900 xl-series and Summit X480 switches, FDB entries are aged in hardware, the aging time is always displayed as 000, and the h flag is set for entries that are hardware aged.

Adding Virtual MAC Entries from IP ARP Packets

Generally, the FDB is programmed with the source MAC address of frames that contain an IP ARP payload. MAC entries present in the ARP payload as Sender-MAC are not learned. When IP ARP Sender-MAC learning is enabled, the switch learns both the source MAC address and the Sender-MAC from the ARP payload, and the switch programs these MAC addresses in the FDB.

This feature is useful when you want the switch to learn the Sender-MAC address for a redundant protocol, such as VRRP. For example, if your network has a gateway with a virtual MAC address, the switch learns the system MAC address for the gateway. If you enable the IP ARP Sender-MAC learning feature, the switch also learns the virtual MAC address embedded in IP ARP packets for the gateway IP address.

• To enable the IP ARP sender-MAC learning feature, use the command:

enable learning iparp sender-mac

• To view the configuration of this feature, use the command:

show iparp


• To disable this feature, use the command:

disable learning iparp sender-mac

Managing Reports of Duplicate MAC Addresses for Static Entries

By default, if a MAC address that is a duplicate of a static MAC address entry is learned on another port (other than the port where the static MAC address is configured), traffic from the duplicate address is silently dropped.

• To enable or disable EMS and SNMP reporting of duplicate addresses for static entries, use the commands:

enable fdb static-mac-move

disable fdb static-mac-move

• To control the number of EMS and SNMP reports per second issued, use the command:

configure fdb static-mac-move packets count

• To display the configuration of this feature, use the command:

show fdb static-mac-move configuration

Clearing FDB Entries

You can clear dynamic and permanent entries using different CLI commands. Clear dynamic FDB entries by targeting:

• Specified MAC addresses

• Specified ports

• Specified VLANs

• All blackhole entries

• To clear dynamic entries from the FDB, use the command:

clear fdb {mac_addr | ports port_list | vlan vlan_name | blackhole}

• To clear permanent entries from the FDB, use the command:

delete fdbentry [all | mac_address [vlan vlan_name]]

Supporting Remote Mirroring

The remote mirroring feature copies select traffic from select ports and VLANs and sends the copied traffic to a remote switch for analysis.

The mirrored traffic is sent using a VLAN that is configured for this purpose. For more information, see MLAG Limitations and Requirements.

Transit switches are the switches between the source switch where ports are mirrored and the destination switch where the mirrored traffic exits the network to a network analyzer or network storage device.

Because the mirrored traffic is an exact copy of the real traffic, a transit switch can learn the MAC addresses and make incorrect forwarding decisions.

Displaying FDB Entries and Statistics

Display FDB Entries

• Display FDB entries using the following command:

show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | mac-based-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin [all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} | vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

Note: The MAC-based VLAN netlogin parameter applies only for Summit family switches and BlackDiamond 8800 series switches. See Network Login for more information.

With no options, this command displays all FDB entries. (The age parameter does not show on the display for the backup MSM/MM on modular switches; it does show on the display for the primary MSM/MM.)

Display FDB Statistics

To display FDB statistics, use the command:

show fdb stats {{ports {all | port_list} | vlan {all} | {vlan} vlan_name } {no-refresh}}

With no options, this command displays summary FDB statistics.

MAC-Based Security

MAC-based security allows you to control the way the FDB is learned and populated. By managing entries in the FDB, you can block and control packet flows on a per-address basis.

MAC-based security allows you to limit the number of dynamically-learned MAC addresses allowed per virtual port. You can also “lock” the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port.

You can also prioritize or stop packet flows based on the source MAC address of the ingress VLAN or the destination MAC address of the egress VLAN.

Note: For detailed information about MAC-based security, see Security.


Managing MAC Address Learning

By default, MAC address learning is enabled on all ports. MAC addresses are added to the FDB as described in How FDB Entries Get Added on page 74.

When MAC address learning is disabled on a port, the switch no longer stores the source address information in the FDB. However, the switch can still examine the source MAC address for incoming packets and either forward or drop the packets based on this address. The source address examination serves as a preprocessor for packets. Forwarded packets are forwarded to other processes, not to other ports. For example, if the switch forwards a packet based on the source address, the packet can still be dropped based on the destination address or the egress flooding configuration.

When MAC address learning is disabled, the two supported behaviors are labeled as follows in the software:

• forward-packets

• drop-packets

The drop-packets behavior is supported on BlackDiamond 8000 series modules, SummitStack, and Summit family switches. When the drop-packets option is chosen, EDP packets are forwarded, and all unicast, multicast, and broadcast packets from a source address not in the FDB are dropped. No further processing occurs for dropped packets.

The disable learning forward-packets option saves switch resources (FDB space); however, it can consume network resources when egress flooding is enabled. When egress flooding is disabled or the drop-packets option is specified, disabling learning adds security by limiting access to only those devices listed in the FDB.

• To disable learning on specified ports, use the command:

disable learning {drop-packets | forward-packets} port [port_list | all]

Note: The drop-packets and forward-packets options are available only on the BlackDiamond 8800 series switches, SummitStack, and the Summit family switches. If neither option is specified, the drop-packets behavior is selected.

• To enable learning on specified ports, use the command:

enable learning {drop-packets} ports [all | port_list]

Managing Egress Flooding

Egress flooding takes action on a packet based on the packet destination MAC address. By default, egress flooding is enabled, and any packet for which the destination address is not in the FDB is flooded to all ports except the ingress port.

You can enhance security and privacy as well as improve network performance by disabling Layer 2 egress flooding on a port, VLAN, or VMAN. This is particularly useful when you are working on an edge device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream forwarding.

Note: Disabling egress flooding can affect many protocols, such as IP and ARP.

The following figure illustrates a case where you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance.

Figure 28: Upstream Forwarding or Disabling Egress Flooding Example

In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client’s traffic by sniffing client 2’s broadcast traffic; client 1 could then possibly launch an attack on client 2.

However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons:

• Broadcast and multicast traffic from the clients is forwarded only to the uplink port.

• Any packet with unlearned destination MAC addresses is forwarded only to the uplink port.

• One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage.

In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2.

Guidelines for Enabling or Disabling Egress Flooding

The following guidelines apply to enabling and disabling egress flooding:

• Egress flooding can be disabled on ports that are in a load-sharing group. In a load-sharing group, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port.

• FDB learning takes place on ingress ports and is independent of egress flooding; either can be enabled or disabled independently.

• Disabling unicast (or all) egress flooding to a port also prevents the flooding of packets with unknown MAC addresses to that port.

• Disabling broadcast (or all) egress flooding to a port also prevents the flooding of broadcast packets to that port.

• For BlackDiamond X8 and 8800 series switches, SummitStack, and Summit family switches, the following guidelines apply:

  • You can enable or disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on one or more ports.

  • Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out.

  • If IGMP snooping is disabled, multicast packets with static FDB entries are forwarded according to the FDB entry.

Configuring Egress Flooding

To enable or disable egress flooding on BlackDiamond X8 and 8800 series switches, SummitStack, and the Summit family switches, use the following commands:

enable flooding [all_cast | broadcast | multicast | unicast] ports [port_list | all]

disable flooding [all_cast | broadcast | multicast | unicast] ports [port_list | all]
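The learning and egress flooding behavior described in Managing MAC Address Learning and Managing Egress Flooding can be traced for the Figure 28 topology with a small model. This Python sketch is an added example, not ExtremeXOS code; the class and function names, the constructed MAC addresses, and the simplifications (one VLAN, dynamic entries only, no EDP or IGMP handling) are assumptions. It goes slightly beyond the figure by modeling the per-class flooding options of the commands above.

```python
"""Simplified model of ingress learning and egress flooding (added example)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MULTICAST = "01:00:00:00:00:01"   # multicast MAC used as an example in this guide
CLIENT1 = "02:00:00:00:00:01"     # constructed MAC, attached to port 1
CLIENT2 = "02:00:00:00:00:02"     # constructed MAC, attached to port 2
UNLISTED = "02:00:00:00:00:99"    # constructed MAC that is never in the FDB


def frame_class(dst):
    """Map a destination MAC to the class names used by the flooding command."""
    if dst == BROADCAST:
        return "broadcast"
    # The low-order bit of the first octet marks a group (multicast) address.
    return "multicast" if int(dst[:2], 16) & 1 else "unicast"


class Switch:
    def __init__(self, ports):
        self.ports = sorted(ports)
        self.fdb = {}                                    # MAC -> port
        self.learning = {p: "enabled" for p in ports}
        self.flood_off = {p: set() for p in ports}       # classes not flooded

    def disable_flooding(self, kind, ports):
        """Models: disable flooding [all_cast | broadcast | ...] ports ..."""
        kinds = ({"broadcast", "multicast", "unicast"}
                 if kind == "all_cast" else {kind})
        for p in ports:
            self.flood_off[p] |= kinds

    def disable_learning(self, mode, ports):
        """Models: disable learning {drop-packets | forward-packets} port ..."""
        for p in ports:
            self.learning[p] = mode

    def receive(self, ingress, src, dst):
        """Return the egress ports chosen for one frame."""
        src, dst = src.lower(), dst.lower()
        # Source examination runs first, as a preprocessor.
        mode = self.learning[ingress]
        if mode == "enabled":
            self.fdb[src] = ingress
        elif mode == "drop-packets" and src not in self.fdb:
            return []
        # Destination lookup: a known address goes to its port only.
        if dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == ingress else [out]
        # Unknown destination: flood, honoring per-port egress settings.
        kind = frame_class(dst)
        return [p for p in self.ports
                if p != ingress and kind not in self.flood_off[p]]


def figure28(flooding_disabled):
    """Ports 1 and 2 face clients, port 3 is the uplink."""
    sw = Switch([1, 2, 3])
    if flooding_disabled:
        sw.disable_flooding("all_cast", [1, 2])
    return {
        "broadcast from client 1": sw.receive(1, CLIENT1, BROADCAST),
        "multicast from client 1": sw.receive(1, CLIENT1, MULTICAST),
        "unknown unicast from client 2": sw.receive(2, CLIENT2, UNLISTED),
        "client 2 to learned client 1": sw.receive(2, CLIENT2, CLIENT1),
    }


def learning_modes():
    """Compare drop-packets and forward-packets on port 1."""
    sw = Switch([1, 2, 3])
    sw.receive(1, CLIENT1, BROADCAST)            # learned while enabled
    sw.disable_learning("drop-packets", [1])
    known = sw.receive(1, CLIENT1, BROADCAST)    # source is in the FDB
    dropped = sw.receive(1, UNLISTED, BROADCAST)
    sw.disable_learning("forward-packets", [1])
    forwarded = sw.receive(1, UNLISTED, BROADCAST)
    return known, dropped, forwarded, UNLISTED in sw.fdb


if __name__ == "__main__":
    for state in (False, True):
        print("flooding disabled on ports 1-2:", state)
        for name, ports in figure28(state).items():
            print("  %-32s -> ports %s" % (name, ports))
    print("learning modes:", learning_modes())
```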

Displaying Learning and Flooding Settings

To display the status of MAC learning and egress flooding, use the following commands:

show ports {mgmt | port_list | tag tag} information {detail}

show vlan {virtual-router vr-name}

show vman

The flags in the command display indicate the status.

Creating Blackhole FDB Entries

A blackhole FDB entry discards all packets addressed to or received from the specified MAC address. A significant difference between the ACL policy shown in the example in this section and the create fdbentry command blackhole option is the hardware used to implement the feature. Platforms with limited hardware ACL table sizes (for example, BlackDiamond 8800 series switches) are able to implement this feature using the FDB table instead of an ACL table.

• To create a blackhole FDB entry, use the command:

create fdbentry mac_addr vlan vlan_name [ports port_list | blackhole]

There is no software indication or notification when packets are discarded because they match blackhole entries.

The blackhole option is also supported through access lists.

Note: Blackhole is not supported on port-specific VLAN tags.

For example, the following ACL policy would also blackhole traffic destined to or sourced from a specific MAC address:

entry blackhole_dest {
    if { ethernet-destination-address 00:00:00:00:00:01; } then { deny; }
}
entry blackhole_source {
    if { ethernet-source-address 00:00:00:00:00:01; } then { deny; }
}

Managing MAC Address Tracking

The MAC address tracking feature tracks FDB add, move, and delete events for specified MAC addresses and for specified ports.

When MAC address tracking is enabled for a port, this feature applies to all MAC addresses on the port.

When an event occurs for a specified address or port, the software generates an EMS message and can optionally send an SNMP trap. When MAC address tracking is enabled for a specific MAC address, this feature updates internal event counters for the address. You can use this feature with the Universal Port feature to configure the switch in response to MAC address change events (for an example, see Universal Port).

Note: When a MAC address is configured in the tracking table, but detected on a MAC tracking enabled port, the per MAC address statistical counters are not updated.

The MAC address tracking feature is always enabled; however, you must configure MAC addresses or ports before tracking begins. The default configuration contains no MAC addresses in the MAC address tracking table and disables this feature on all ports.

Adding and Deleting MAC Addresses for Tracking

Use the following commands to add or delete MAC addresses in the MAC address tracking table:

create fdb mac-tracking entry mac_addr


delete fdb mac-tracking entry [mac_addr | all]

Enabling and Disabling MAC Address Tracking on Ports

Use the following command to enable or disable MAC address tracking on specific ports:

configure fdb mac-tracking {[add|delete]} ports [port_list|all]

Enabling and Disabling SNMP Traps for MAC Address Changes

The default switch configuration disables SNMP traps for MAC address changes.

Use the following commands to enable or disable SNMP traps for MAC address tracking events:

enable snmp traps fdb mac-tracking

disable snmp traps fdb mac-tracking

Configuring Automatic Responses to MAC Tracking Events

The EMS messages produced by the MAC address tracking feature can be used to trigger Universal Port profiles. These are described in Event Management System Triggers.

The subcomponent name for MAC address tracking events is FDB.MACTracking.

Displaying the Tracked MAC Addresses and Tracking Statistics

• To display the MAC address tracking feature configuration, including the list of tracked MAC addresses, use the command:

show fdb mac-tracking configuration

• To display the counters for MAC address add, move, and delete events, use the command:

show fdb mac-tracking statistics {mac_addr} {no-refresh}

Clearing the Tracking Statistics Counters

There are several ways to clear the MAC tracking counters:

• Use the clear counters command.

• Use the 0 key while displaying the counters with the show fdb mac-tracking statistics {mac_addr} command.

• Enter the clear counters fdb mac-tracking [mac_addr | all] command.


4 Layer 2 Basic Commands

clear counters fdb mac-tracking
clear counters ports protocol filter
clear fdb
clear l2pt counters vlan
clear l2pt counters vman
clear l2pt counters vpls
create l2pt profile
configure fdb agingtime
configure fdb mac-tracking ports
configure fdb static-mac-move packets
configure l2pt encapsulation dest-mac
configure l2pt profile add profile
configure l2pt profile delete profile
configure port ethertype
configure ports l2pt profile
configure ports protocol filter
configure private-vlan add network
configure private-vlan add subscriber
configure private-vlan delete
configure protocol add
configure protocol delete
configure protocol filter
configure vlan add ports private-vlan translated
configure vlan add ports
configure vlan delete ports
configure vlan description
configure vlan ipaddress
configure vlan name
configure vlan protocol
configure vlan tag
configure vlan-translation add loopback-port
configure vlan-translation add member-vlan
configure vlan-translation delete loopback-port
configure vlan-translation delete member-vlan
configure vman add ports cep
configure vman add ports
configure vman delete ports
configure vman ethertype
configure vman ports add cvid
configure vman ports delete cvid
configure vman protocol
configure vman tag
configure vpls peer l2pt profile
create fdb mac-tracking entry
create fdbentry vlan ports
create l2pt profile
create private-vlan
create protocol
create vlan
create vman
delete fdb mac-tracking entry
delete fdbentry
delete l2pt profile
delete private-vlan
delete protocol
delete vlan
delete vman
disable dot1p examination inner-tag ports
disable fdb static-mac-move
disable flooding ports
disable learning iparp sender-mac
disable learning port
disable loopback-mode vlan
disable snmp traps fdb mac-tracking
disable vlan
disable vman cep egress filtering ports
enable dot1p examination inner-tag port
enable fdb static-mac-move
enable flooding ports
enable learning iparp sender-mac
enable learning port
enable loopback-mode vlan
enable snmp traps fdb mac-tracking
enable vlan
enable vman cep egress filtering ports
show fdb mac-tracking configuration
show fdb mac-tracking statistics
show fdb static-mac-move configuration
show fdb stats
show fdb
show l2pt profile
show l2pt
show ports protocol filter
show private-vlan <name>
show private-vlan
show protocol
show vlan
show vlan description
show vlan l2pt
show vman
show vman eaps
show vman ethertype
show vman l2pt
unconfigure vlan description
unconfigure vlan ipaddress
unconfigure vman ethertype

clear counters fdb mac-tracking

clear counters fdb mac-tracking [mac_addr | all]

Description

Clears the event counters for the FDB MAC-tracking feature.

Syntax Description

mac_addr Specifies a MAC address, using colon-separated bytes.

all Clears the counters for all tracked MAC addresses.

Default

N/A.

Usage Guidelines

The clear counters command also clears the counters for all tracked MAC addresses.

Example

The following example clears the counters for all entries in the MAC address tracking table:

Switch.1 # clear counters fdb mac-tracking all

History

This command was first available in ExtremeXOS 12.3.

Platform Availability

This command is available on all platforms.

clear counters ports protocol filter

clear counters ports {port_list | all} protocol filter

Description

Clears protocol filtering counters.

Syntax Description

port_list Specifies the port list, separated by a comma ( , ) or dash ( - ).

all Specifies all ports.

Default

Disabled.

Usage Guidelines

Use this command to clear protocol filtering counters.

Example

The following example clears all protocol filtering counters:

clear counters ports protocol filter

The following example clears protocol filtering counters on ports 1-5:

clear counters ports 1-5 protocol filter

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

clear fdb

clear fdb {mac_addr | ports port_list | vlan vlan_name | blackhole}

Description

Clears dynamic FDB entries that match the filter.

Syntax Description

mac_addr Specifies a MAC address, using colon-separated bytes.

port_list Specifies one or more ports or slots and ports.

vlan_name Specifies a VLAN name.

blackhole Specifies the blackhole entries.

Default

All dynamic FDB entries are cleared by default.

Usage Guidelines

This command clears FDB entries based on the specified criteria. When no options are specified, the command clears all dynamic FDB entries.

Example

The following example clears any FDB entries associated with ports 4:3-4:5 on a modular switch:

clear fdb ports 4:3-4:5

The following example clears any FDB entries associated with VLAN corporate:

clear fdb vlan corporate

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

clear l2pt counters vlan

clear l2pt counters {[vlan | vman] vlan_name {ports port_list}}

Description

Clears L2PT VLAN counters.

Syntax Description

vlan Optionally clears counters only on a specific VLAN.

vman Optionally clears counters only on a specific VMAN.

vlan_name Specifies the VLAN name.

ports port_list Optionally clears counters only on specific ports of the VLAN/VMAN. The port list is separated by a comma ( , ) or dash ( - ).

Default

Disabled.

Usage Guidelines

Use this command to clear L2PT VLAN counters.

Example

The following example clears all L2PT counters:

clear l2pt counters

The following example clears L2PT counters on VLAN vlan1:

clear l2pt counters vlan vlan1

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.


clear l2pt counters vman

clear l2pt counters {[vlan | vman] vlan_name {ports port_list}}

Description

Clears L2PT VMAN counters.

Syntax Description

vlan Optionally clears counters only on a specific VLAN.

vman Optionally clears counters only on a specific VMAN.

vlan_name Specifies the VLAN name.

ports port_list Optionally clears counters only on specific ports of the VLAN/VMAN. The port list is separated by a comma ( , ) or dash ( - ).

Default

Disabled.

Usage Guidelines

Use this command to clear L2PT VMAN counters.

Example

The following example clears all L2PT counters:

clear l2pt counters

The following example clears L2PT counters on VMAN vlan2:

clear l2pt counters vman vlan2

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

clear l2pt counters vpls

clear l2pt counters {[vpls vpls_name {peer ipaddress} | vpws vpws_name]}


Description

Clears L2PT counters.

Syntax Description

vpls Optionally clears counters only on a specific VPLS.

vpls_name Alphanumeric string identifying the VPLS VPN.

peer ipaddress Optionally clears counters only on a specific peer of the VPLS. The variable specifies an IPv4 address.

vpws vpws_name Optionally clears counters only on a specific VPWS. The variable is an alphanumeric string identifying the VPWS VPN.

Default

Disabled.

Usage Guidelines

Use this command to clear L2PT counters.

Example

The following example clears L2PT counters on peer 1.1.1.1 of VPLS vpls1:

clear l2pt counters vpls vpls1 peer 1.1.1.1

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

create l2pt profile

create l2pt profile profile_name

Description

Creates an L2PT profile.


Syntax Description

l2pt Creates a Layer 2 protocol tunneling profile.

profile Profile that defines L2PT configuration for L2 protocols.

profile_name Specifies a profile name (maximum 32 characters).

Default

Disabled.

Usage Guidelines

Use this command to create an L2PT profile.

Example

The following example creates a new L2PT profile named "my_l2pt_prof":

create l2pt profile my_l2pt_prof

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure fdb agingtime

configure fdb agingtime seconds

Description

Configures the FDB aging time for dynamic entries.

Syntax Description

agingtime If agingtime is set to 0, all aging entries in the database are defined as static, nonaging entries.

seconds Specifies the FDB aging time, in seconds. A value of 0 indicates that the entry should never be aged out. All other platforms support the value 0 (no aging) and a range of 15 to 1,000,000 seconds.


Default

N/A.

Usage Guidelines

If the aging time is set to 0 (zero), all dynamic entries in the database become static, nonaging entries. This means that they do not age out, but non-permanent static entries can be deleted if the switch is reset.

For all platforms except BlackDiamond 8900 xl-series modules and Summit X480 switches, the software flushes the FDB table once the aging timeout parameter is reached, even if the switch is running traffic and populating addresses in the FDB table.

For BlackDiamond 8900 xl-series modules and Summit X480 switches, the hardware flushes the FDB table at periods based on the configured software aging time. The actual hardware aging time does not exactly match the software aging time and can be as high as twice the configured software aging time.

Example

The following example sets the FDB aging time to 3,000 seconds:

configure fdb agingtime 3000

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

configure fdb mac-tracking ports

configure fdb mac-tracking {[add|delete]} ports [port_list|all]

Description

Enables or disables MAC address tracking for all MAC addresses on the specified ports.

Syntax Description

add Enables MAC address tracking for the specified ports.

delete Disables MAC address tracking for the specified ports.

port_list Specifies a list of ports on which MAC address tracking is to be enabled or disabled.

all Specifies that MAC address tracking is to be enabled or disabled on all ports.


Default

No ports are enabled for MAC address tracking.

Usage Guidelines

MAC address tracking events on enabled ports generate EMS messages and can optionally generate SNMP traps.

Note

When a MAC address is configured in the tracking table, but detected on a MAC tracking enabled port, the per MAC address statistical counters are not updated.

Example

The following example enables MAC address tracking for all MAC addresses on port 2:1:

configure fdb mac-tracking add ports 2:1

History

This command was first available in ExtremeXOS 12.4.

Platform Availability

This command is available on all platforms.

configure fdb static-mac-move packets

configure fdb static-mac-move packets count

Description

Configures the number of EMS and SNMP reports that can be generated each second for MAC addresses that are duplicates of statically configured MAC addresses.

Syntax Description

count Specifies the number of duplicate MAC address events that are reported each second. The range is 1 to 25.

Default

2.


Usage Guidelines

None.

Example

The following example configures the switch to report up to five duplicate MAC address events per second:

configure fdb static-mac-move packets 5

History

This command was first available in ExtremeXOS 12.7.

Platform Availability

This command is available only on the Summit family switches.

configure l2pt encapsulation dest-mac

configure l2pt encapsulation dest-mac mac_address

Description

Configures the destination MAC address that L2PT encapsulated packets use.

Syntax Description

encapsulation Specifies Layer 2 protocol tunneling encapsulation.

dest-mac Specifies the destination MAC address to use for encapsulated PDUs.

mac_addr Specifies the MAC address.

Default

Usage Guidelines

NA

Example

The following example sets the L2PT destination MAC address to 01:00:00:01:01:02:

configure l2pt encapsulation dest-mac 01:00:00:01:01:02


History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure l2pt profile add profile

configure l2pt profile profile_name add protocol filter filter_name {action [tunnel {cos cos} | encapsulate | none]}

Description

Adds an entry to an L2PT profile.

Syntax Description

profile profile_name Specifies the profile that defines L2PT configuration for L2 protocols.

add protocol filter filter_name Adds the specified Layer 2 protocol filter.

action Specifies the action to perform on PDUs of the protocol (the default value is tunnel).

tunnel Specifies to tunnel PDUs through the network.

cos cos Specifies to override the class of service for tunneled PDUs, and specifies the class of service value to use for tunneling PDUs.

encapsulate Specifies to encapsulate PDUs at egress, and decapsulate L2PT packets at ingress.

none Specifies to not participate in tunneling for this protocol.

Default

Disabled.

Usage Guidelines

Use this command to add an entry to an L2PT profile.

Example

The following example adds an entry to my_l2pt_prof to tunnel protocols in "mylist" at cos 2:

configure l2pt profile my_l2pt_prof add protocol filter mylist action tunnel cos 2


The following example adds an entry to my_l2pt_prof to encapsulate/decapsulate protocols in "mylist":

configure l2pt profile my_l2pt_prof add protocol filter mylist action encapsulate

The following example adds an entry to my_l2pt_prof that is in use by 2 services:

configure l2pt profile my_l2pt_prof add protocol filter mylist

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure l2pt profile delete profile

configure l2pt profile profile_name delete protocol filter filter_name

Description

Deletes an entry from an L2PT profile.

Syntax Description

profile profile_name Specifies the profile that defines L2PT configuration for L2 protocols.

delete protocol filter filter_name Deletes the specified Layer 2 protocol filter.

Default

Disabled.

Usage Guidelines

Use this command to delete an entry from an L2PT profile.

Example

The following example deletes the entry for "mylist" from my_l2pt_prof:

configure l2pt profile my_l2pt_prof delete protocol filter mylist


The following example deletes the entry for "mylist" from my_l2pt_prof that is in use by a service:

configure l2pt profile my_l2pt_prof delete protocol filter mylist

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure port ethertype

configure port port_list ethertype {primary | secondary}

Description

Assigns the primary or secondary ethertype value to the specified ports.

Syntax Description

port_list Specifies the list of ports to be configured.

primary Assigns the primary ethertype value to the specified ports.

secondary Assigns the secondary ethertype value to the specified ports.

Default

N/A.

Usage Guidelines

None.

Example

The following example configures port 2:1 to use the secondary ethertype:

configure port 2:1 ethertype secondary

History

This command was first available in ExtremeXOS 12.0.


Platform Availability

This command is available on all platforms.

configure ports l2pt profile

configure [vlan | vman] vlan_name ports port_list l2pt profile [none | profile_name]

Description

Configures L2PT profiles on service interfaces.

Syntax Description

vlan Specifies the VLAN configuration.

vman Specifies the VMAN configuration.

vlan_name Specifies the VLAN name.

ports port_list Specifies the port and port list separated by a comma ( , ) or dash ( - ).

profile Specifies the L2PT profile for the ports.

none Specifies that no L2PT profile should be bound to the ports (default).

profile_name Specifies the L2PT profile to be bound to the ports.

Default

Disabled.

Usage Guidelines

Use this command to configure L2PT profiles on service interfaces.

Example

The following example binds my_l2pt_prof with ports 2 and 5 of VMAN cust1:

configure vman cust1 ports 2,5 l2pt profile my_l2pt_prof

The following example binds my_l2pt_prof with ports 2 and 5 of VMAN cust1. Port 5 is not a part of VMAN cust1:

configure vman cust1 ports 2,5 l2pt profile my_l2pt_prof
Error: Port 5 is not part of the service.

History

This command was first available in ExtremeXOS 15.5.


Platform Availability

This command is available on all platforms.

configure ports protocol filter

configure ports [port_list | all] protocol filter [none | filter_name]

Description

Configures protocol filtering on a port.

Syntax Description

port_list Specifies the port list separated by a comma ( , ) or dash ( - ).

all Specifies all ports.

protocol filter Specifies the protocol filter.

none Specifies to not perform protocol filtering on specified ports.

filter_name Specifies the protocol filter name.

Default

Disabled.

Usage Guidelines

Use this command to configure protocol filtering on a port.

Example

The following example unbinds the L2PT profile from peer 1.1.1.1 of VPLS cust2:

configure l2vpn vpls cust2 peer 1.1.1.1 l2pt profile none

The following example enables filtering of protocols in my_list on port 1:

configure ports 1 protocol filter "my_list"

The following example disables protocol filtering on port 7:

configure ports 7 protocol filter none

History

This command was first available in ExtremeXOS 15.5.


Platform Availability

This command is available on all platforms.

configure private-vlan add network

configure private-vlan name add network vlan_name

Description

Adds the specified VLAN as the network VLAN on the specified PVLAN.

Syntax Description

name Specifies the name of the PVLAN to which the VLAN is added.

vlan_name Specifies a VLAN to add to the PVLAN.

Default

N/A.

Usage Guidelines

The VLAN must be created and configured with a tag before it is added to the PVLAN.

Example

The following example adds VLAN "sharednet" as the network VLAN for the PVLAN named "companyx":

configure private-vlan companyx add network sharednet

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. The features and the platforms that support them are listed in the Feature License Requirements document.

configure private-vlan add subscriber

configure private-vlan name add subscriber vlan_name {non-isolated} {loopback-port port}


Description

Adds the specified VLAN as a subscriber VLAN on the specified PVLAN.

Syntax Description

name Specifies the name of the PVLAN to which the VLAN is added.

vlan_name Specifies a VLAN to add to the PVLAN.

non-isolated Configures the subscriber VLAN as a non-isolated subscriber VLAN.

port Specifies the port that serves as the loopback port.

Default

If the non-isolated option is omitted, this command adds the specified VLAN as an isolated subscriber VLAN.

Usage Guidelines

The VLAN must be created and configured with a tag before it is added to the PVLAN. If the non-isolated option is omitted, the VLAN is added as an isolated subscriber VLAN. If the non-isolated option is included, the VLAN is added as a non-isolated subscriber VLAN.

The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit family switches, whether or not included in a SummitStack. If two or more subscriber VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the subscriber VLANs with overlapping ports must have a dedicated loopback port.

Example

The following example adds VLAN "restricted" as a subscriber VLAN for the PVLAN named "companyx":

configure private-vlan companyx add subscriber restricted isolated

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.

configure private-vlan delete

configure private-vlan name delete [network | subscriber] vlan_name


Description

Deletes the specified VLAN from the specified PVLAN.

Syntax Description

name Specifies the name of the PVLAN from which the VLAN is deleted.

network Specifies that the VLAN to be deleted is a network VLAN.

subscriber Specifies that the VLAN to be deleted is a subscriber VLAN.

vlan_name Specifies the VLAN to delete from the PVLAN.

Default

N/A.

Usage Guidelines

This command deletes a VLAN from a PVLAN, but it does not delete the VLAN from the system; it just breaks the link between the VLAN and the PVLAN. You can use this command to delete both network and subscriber VLANs.

Example

The following example deletes network VLAN "sharednet" from the PVLAN named "companyx":

configure private-vlan companyx delete network sharednet

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.

configure protocol add

configure protocol {filter} filter_name add [etype | llc | snap] hex {[etype | llc | snap] hex}

Description

Configures a user-defined protocol filter.


Syntax Description

filter Configures a protocol filter.

filter_name Specifies a protocol filter name.

add Specifies that you add a protocol.

delete Specifies that you delete a protocol.

etype Specifies an ethertype protocol.

llc Specifies LLC protocol.

snap Specifies SNAP protocol.

hex Specifies a four-digit hexadecimal number between 0 and FFFF that represents:

• The Ethernet protocol type taken from a list maintained by the IEEE.

• The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).

• The SNAP-encoded Ethernet protocol type.

Default

N/A.

Usage Guidelines

Supported protocol types include:

• etype—IEEE Ethertype.

• llc—LLC Service Advertising Protocol.

• snap—Ethertype inside an IEEE SNAP packet encapsulation.

A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined.

The protocol filter must already exist before you can use this command. Use the create protocol command to create the protocol filter.

No more than seven protocols can be active and configured for use.

Note

Protocol-based VLANs for Etypes from 0x0000 to 0x05ff are not classified as per the filter. When traffic arrives with these Etypes, it is classified to the native VLAN rather than the protocol-based VLAN.

Example

The following example adds MPLS to "my_filter":

configure protocol "my_filter" add etype 0x8847
configure protocol filter "my_filter" add etype 0x8847


The following example deletes MPLS from "my_other_filter":

configure protocol "my_other_filter" delete etype 0x8847
configure protocol filter "my_other_filter" delete etype 0x8847

History

This command was first available in ExtremeXOS 10.1.

The filter keyword and options were added in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure protocol delete

configure protocol name delete [etype | llc | snap] hex {[etype | llc | snap] hex} ...

Description

Deletes the specified protocol type from a protocol filter.

Syntax Description

name Specifies a protocol filter name.

hex Specifies a four-digit hexadecimal number between 0 and FFFF that represents:

• The Ethernet protocol type taken from a list maintained by the IEEE.

• The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).

• The SNAP-encoded Ethernet protocol type.

Default

N/A.

Usage Guidelines

Supported protocol types include:

• etype—IEEE Ethertype.

• llc—LLC Service Advertising Protocol.

• snap—Ethertype inside an IEEE SNAP packet encapsulation.


Example

The following example deletes protocol type LLC SAP with a value of FEFF from protocol "fred":

configure protocol fred delete llc feff

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

configure protocol filter

configure protocol filter filter_name [add | delete] dest-mac mac_address {[etype | llc | snap] hex} {field offset offset value value {mask mask}}

Description

Configures the destination address as well as an arbitrary field of the protocol.

Syntax Description

filter_name Specifies a protocol filter name.

add Specifies that you add a protocol.

delete Specifies that you delete a protocol.

dest-mac Specifies the destination MAC address used by PDUs of the protocol.

mac_address Specifies the MAC address.

etype Specifies the EtherType used by PDUs of the protocol.

llc Specifies the LLC DSAP and SSAP used by PDUs of the protocol.

snap Specifies the SNAP protocol identifier used by PDUs of the protocol.

hex Specifies a four-digit hexadecimal number between 0 and FFFF that represents:

• The Ethernet protocol type taken from a list maintained by the IEEE.

• The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).

• The SNAP-encoded Ethernet protocol type.

field Specifies a field used by PDUs of the protocol.

offset Specifies the offset of the field from the start of the PDU.


value value Specifies the value of the field in hexadecimal (for example, A1:B2:0C. Maximum 16 bytes).

mask mask Specifies the mask for the field in hexadecimal (for example, FF:FF:0F. Maximum 16 bytes).

Default

N/A.

Usage Guidelines

Supported protocol types include:

• etype—IEEE Ethertype.

• llc—LLC Service Advertising Protocol.

• snap—Ethertype inside an IEEE SNAP packet encapsulation.

A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined.

The protocol filter must already exist before you can use this command. Use the create protocol command to create the protocol filter.

No more than seven protocols can be active and configured for use.

Note

Protocol-based VLANs for Etypes from 0x0000 to 0x05ff are not classified as per the filter. When traffic arrives with these Etypes, it is classified to the native VLAN rather than the protocol-based VLAN.

Example

The following example adds LACP to the protocol list "mylist":

configure protocol "mylist" add dest-mac 01:80:C2:00:00:02 etype 0x8809 field offset 14 value 01 mask FF

The following example removes EFM OAM from the protocol list "mylist":

configure protocol filter "mylist" delete dest-mac 01:80:C2:00:00:02 etype 0x8809 field offset 14 value 03 mask FF

The following example configures a mismatched mask and value:

configure protocol "mylist" delete dest-mac 01:80:C2:00:00:02 etype 0x8809 field offset 14 value 03 mask FF:FF
Error: The length of the field value is not the same as the field mask.


History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.
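
The masked field match used by the LACP and EFM OAM entries in the configure protocol filter examples above can be modelled as follows. This is an added example, not ExtremeXOS code. It assumes untagged Ethernet frames, an offset counted from the first byte of the frame (consistent with offset 14 addressing the byte after the EtherType), and an all-ones mask when mask is omitted; the names build_entry, matches, classify and slow_protocol_frame and the sample frames are constructed for illustration.

```python
"""Model of a protocol-filter entry with a masked field match (added example)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_FIELD_BYTES = 16  # the page gives 16 bytes as the maximum for value and mask


def parse_hex_bytes(text: str) -> bytes:
    """Parse colon-separated hex such as '01:80:C2:00:00:02' or 'FF:0F'."""
    return bytes(int(part, 16) for part in text.split(":"))


@dataclass
class FilterEntry:
    name: str
    dest_mac: bytes
    etype: Optional[int]
    offset: Optional[int]
    value: bytes
    mask: bytes


def build_entry(name: str, dest_mac: str, etype: Optional[str] = None,
                offset: Optional[int] = None, value: Optional[str] = None,
                mask: Optional[str] = None) -> FilterEntry:
    """Build an entry from the same tokens the CLI examples use."""
    mac = parse_hex_bytes(dest_mac)
    if len(mac) != 6:
        raise ValueError("dest-mac must be six bytes")
    val = parse_hex_bytes(value) if value is not None else b""
    # Assumption: an omitted mask means every bit of the value is compared.
    msk = parse_hex_bytes(mask) if mask is not None else b"\xff" * len(val)
    if len(val) != len(msk):
        # Same condition the switch reports in the mismatched-mask example.
        raise ValueError(
            "The length of the field value is not the same as the field mask.")
    if len(val) > MAX_FIELD_BYTES:
        raise ValueError("field value and mask are limited to 16 bytes")
    return FilterEntry(name, mac, int(etype, 16) if etype else None,
                       offset, val, msk)


def matches(entry: FilterEntry, frame: bytes) -> bool:
    """True when the frame matches dest-mac, EtherType and the masked field."""
    if len(frame) < 14 or frame[0:6] != entry.dest_mac:
        return False
    if entry.etype is not None:
        if int.from_bytes(frame[12:14], "big") != entry.etype:
            return False
    if entry.offset is None:
        return True
    field = frame[entry.offset:entry.offset + len(entry.value)]
    if len(field) < len(entry.value):
        return False  # frame ends before the configured field
    return all((f & m) == (v & m)
               for f, v, m in zip(field, entry.value, entry.mask))


def classify(frame: bytes, entries: List[FilterEntry]) -> List[str]:
    """Names of all entries the frame matches."""
    return [e.name for e in entries if matches(e, frame)]


def slow_protocol_frame(subtype: int) -> bytes:
    """Constructed sample frame: Slow Protocols PDU with the given subtype."""
    dst = parse_hex_bytes("01:80:C2:00:00:02")
    src = parse_hex_bytes("02:00:00:00:00:01")  # constructed source address
    return dst + src + (0x8809).to_bytes(2, "big") + bytes([subtype, 0x01]) + bytes(44)


if __name__ == "__main__":
    mac = "01:80:C2:00:00:02"
    entries = [
        build_entry("lacp", mac, "0x8809", 14, "01", "FF"),     # subtype 0x01
        build_entry("efm-oam", mac, "0x8809", 14, "03", "FF"),  # subtype 0x03
    ]
    # Both protocols share dest-mac and EtherType; only the byte at
    # offset 14 tells them apart.
    for subtype in (0x01, 0x02, 0x03):
        print(hex(subtype), classify(slow_protocol_frame(subtype), entries))
    try:
        build_entry("bad", mac, "0x8809", 14, "03", "FF:FF")
    except ValueError as err:
        print("rejected:", err)
```

Because the dest-mac and EtherType are identical for both entries, dropping the field clause from either one would make that entry match every Slow Protocols PDU, which is worth checking when a filter is bound to an L2PT profile.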

configure vlan add ports private-vlan translated

Translation from network VLAN tag to each subscriber VLAN tag is done by default in a private VLAN.

configure {vlan} vlan_name add ports port_list private-vlan translated

Description

Adds the specified ports to the specified network VLAN and enables tag translation for all subscriber VLAN tags to the network VLAN tag.

Syntax Description

vlan_name Specifies the network VLAN to which the ports are added.

port_list Specifies the ports to be added to the network VLAN.

Default

N/A.

Usage Guidelines

This command is allowed only when the specified VLAN is configured as a network VLAN on a PVLAN.

Example

The following example adds port 2:1 to VLAN sharednet and enables VLAN translation on that port:

configure sharednet add ports 2:1 private-vlan translated

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.


configure vlan add ports

configure {vlan} vlan_name add ports [port_list | all] {tagged tag | untagged} {{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

Description

Adds one or more ports in a VLAN.

Syntax Description

vlan_name Specifies a VLAN name.

port_list Specifies a list of ports or slots and ports.

all Specifies all ports.

tagged tag Specifies the ports should be configured as tagged.

untagged Specifies the ports should be configured as untagged.

stpd_name Specifies an STP domain name.

dot1d | emistp | pvst-plus Specifies the BPDU encapsulation mode for these STP ports.

Default

Untagged.

Usage Guidelines

The VLAN must already exist before you can add (or delete) ports: use the create vlan command to create the VLAN.

If the VLAN uses 802.1Q tagging, you can specify tagged or untagged port(s). If the VLAN is untagged, the ports cannot be tagged.

Untagged ports can only be a member of a single VLAN. By default, they are members of the default VLAN (named Default). In order to add untagged ports to a different VLAN, you must first remove them from the default VLAN. You do not need to do this to add them to another VLAN as tagged ports. If you attempt to add an untagged port to a VLAN prior to removing it from the default VLAN, you see the following error message:

Error: Protocol conflict when adding untagged port 1:2. Either add this port as tagged or assign another protocol to this VLAN.

Note

This message is not displayed if keyword all is used as port_list.

The ports that you add to a VLAN and the VLAN itself cannot be explicitly assigned to different virtual routers (VRs). When multiple VRs are defined, consider the following guidelines while adding ports to a VLAN:


• A VLAN can belong (either through explicit or implicit assignment) to only one VR.

• If a VLAN is not explicitly assigned to a VR, then the ports added to the VLAN must be explicitly assigned to a single VR.

• If a VLAN is explicitly assigned to a VR, then the ports added to the VLAN must be explicitly assigned to the same VR or to no VR.

• If a port is added to VLANs that are explicitly assigned to different VRs, the port must be explicitly assigned to no VR.

Note

User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR-Default and cannot be moved.

Refer to STP Commands for more information on configuring Spanning Tree Domains.

Note

If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.

Beginning with ExtremeXOS 11.4, the system returns the following message if the ports you are adding are already EAPS primary or EAPS secondary ports:

WARNING: Make sure Vlan1 is protected by EAPS. Adding EAPS ring ports to a VLAN could cause a loop in the network. Do you really want to add these ports? (y/n)

Example

The following example assigns tagged ports 1:1, 1:2, 1:3, and 1:6 to a VLAN named "accounting":

configure vlan accounting add ports 1:1, 1:2, 1:3, 1:6 tagged

History

This command was first available in ExtremeXOS 10.1.

The tagged keyword was added in ExtremeXOS 15.4.

Platform Availability

This command is available on all platforms.

configure vlan delete ports

configure {vlan} vlan_name delete ports [all | port_list {tagged tag}]

Description

Deletes one or more ports in a VLAN.


Syntax Description

vlan_name Specifies a VLAN name.

all Specifies all ports.

port_list Specifies a list of ports or slots and ports.

tagged tag Specifies the port-specific VLAN tag. When there are multiple ports specified using port_list, the same tag is used for all of them.

Default

When unspecified, the port tag is equal to the VLAN tag.

Usage Guidelines

Specify port tag to delete a VLAN port that has a different tag from the VLAN tag.

Example

The following example removes ports 1:1, 1:2, 4:3, and 5:6 on a modular switch from a VLAN named accounting:

configure accounting delete port 1:1, 1:2, 4:3, 5:6

The following example deletes a VLAN port with tag 10:

create vlan exchange tag 100
config vlan exchange del ports 3 tag 10

The following example deletes a VLAN port tag of 10 on two ports:

create vlan exchange tag 100
config vlan exchange d ports 3,4 tag 10

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

configure vlan description

configure {vlan} vlan_name description [vlan-description | none]


Description

Configures a description for the specified VLAN.

Syntax Description

vlan_name Specifies the VLAN name.

vlan-description Specifies a VLAN description (up to 64 characters) that appears in show vlan commands and can be read from the ifAlias MIB object for the VLAN.

none This keyword removes the configured VLAN description.

Default

By default, the VLAN has no description.

Usage Guidelines

The VLAN description must be in quotes if the string contains any space characters. If a VLAN description is configured for a VLAN that already has a description, the new description replaces the old description.

Example

The following example assigns the description "Campus A" to VLAN vlan1:

configure vlan vlan1 description "Campus A"

History

This command was first available in ExtremeXOS 12.4.4.

Platform Availability

This command is available on all platforms.

configure vlan ipaddress

configure {vlan} vlan_name ipaddress [ipaddress {ipNetmask} | ipv6-link-local | {eui64} ipv6_address_mask]

Description

Assigns an IPv4 address and an optional subnet mask or an IPv6 address to the VLAN. Beginning with ExtremeXOS 11.2, you can specify IPv6 addresses. You can assign either an IPv4 address, an IPv6 address, or both to the VLAN. Beginning with ExtremeXOS 11.3, you can use this command to assign an IP address to a specified VMAN and enable multicasting on that VMAN.

Note

You can also use this command to assign an IP address to a VMAN on all platforms that support the VMAN feature. For information on which software licenses and platforms support the VMAN feature, see the Feature License Requirements document.

Syntax Description

vlan_name Specifies a VLAN name.

ipaddress Specifies an IPv4 address.

ipNetmask Specifies an IPv4 subnet mask in dotted-quad notation (for example, 255.255.255.0).

ipv6-link-local Specifies IPv6 and configures a link-local address generated by combining the standard link-local prefix with the automatically generated interface in the EUI-64 format. Using this option automatically generates an entire IPv6 address; this address is only a link-local, or VLAN-based, IPv6 address; that is, ports on the same segment can communicate using this IP address and do not have to pass through a gateway.

eui64 Specifies IPv6 and automatically generates the interface ID in the EUI-64 format using the interface’s MAC address. Once you enter this parameter, you must add the following variables: ipv6_address_mask. Use this option when you want to enter the 64-bit prefix and use a EUI-64 address for the rest of the IPv6 address.

ipv6_address_mask Specify the IPv6 address in the following format: x:x:x:x:x:x:x:x/prefix length, where each x is the hexadecimal value of one of the 8 16-bit pieces of the 128-bit wide address.

Default

N/A.

Usage Guidelines

The VLAN must already exist before you can assign an IP address; use the create vlan command to create the VLAN (also the VMAN must already exist).

Note

If you plan to use the VLAN as a control VLAN for an EAPS domain, do NOT configure the VLAN with an IP address. See IP Unicast Commands for information on adding secondary IP addresses to VLANs.

Beginning with ExtremeXOS 11.2, you can specify IPv6 addresses. See IPv6 Unicast Routing for information on IPv6 addresses.

Beginning with ExtremeXOS 11.3, you can assign an IP address (including IPv6 addresses) to a VMAN. Beginning with version 11.4, you can enable multicasting on that VMAN.

To enable multicasting on the specified VMAN once you assigned an IP address, take the following steps:


1. Enable IP multicast forwarding.

2. Enable and configure multicasting.

Example

The following examples are equivalent; both assign an IPv4 address of 10.12.123.1 to a VLAN named "accounting":

configure vlan accounting ipaddress 10.12.123.1/24
configure vlan accounting ipaddress 10.12.123.1 255.255.255.0

The following example assigns a link local IPv6 address to a VLAN named management:

configure vlan management ipaddress ipv6-link-local

History

This command was first available in ExtremeXOS 10.1.

The IPv6 parameters were added in ExtremeXOS 11.2.

Platform Availability

This command is available on all platforms.

configure vlan name

configure {vlan} vlan_name name name

Description

Renames a previously configured VLAN.

Syntax Description

vlan_name Specifies the current (old) VLAN name.

name Specifies a new name for the VLAN.

Default

N/A.

Usage Guidelines

You cannot change the name of the default VLAN “Default.”


For information on VLAN name requirements and a list of reserved keywords, see Object Names.

Note

If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.

Example

The following example renames VLAN vlan1 to engineering:

configure vlan vlan1 name engineering

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

configure vlan protocol

configure {vlan} vlan_name protocol {filter} filter_name

Description

Configures a VLAN to use a specific protocol filter.

Syntax Description

vlan_name Specifies a VLAN name.

protocol Specifies a protocol filter.

filter Specifies a protocol filter.

protocol_name Specifies a protocol filter name. This can be the name of a predefined protocol filter, or one you define. The following protocol filters are predefined: IP, IPv6, IPX, NetBIOS, DECNet, IPX_8022, IPX_SNAP, AppleTalk. Using any indicates that this VLAN should act as the default VLAN for its member ports.

Default

Protocol any.


Usage Guidelines

If the keyword any is specified, all packets that cannot be classified into another protocol-based VLAN are assigned to this VLAN as the default for its member ports.

Use the configure protocol command to define your own protocol filter.

Protocol Filters on BlackDiamond 8800 Series Switches, SummitStack, and the Summit Family Switches Only

These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to “any” and define other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets pass on the “any” VLAN, and the other protocols pass traffic on their specific protocol-based VLANs.

Example

The following example configures the protocol filter "my_filter" to vlan v1:

configure vlan v1 protocol "my_filter"
configure vlan v1 protocol filter "my_filter"

History

This command was first available in ExtremeXOS 10.1.

The IPv6 parameter was added in ExtremeXOS 11.2.

The filter keyword was added in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure vlan tag

configure {vlan} vlan_name tag tag {remote-mirroring}

Description

Assigns a unique 802.1Q tag to the VLAN.

Syntax Description

vlan_name Specifies a VLAN name.

tag Specifies a value to use as an 802.1Q tag. The valid range is from 2 to 4095.

remote-mirroring Specifies that the tagged VLAN is for remote mirroring.


Default

The default VLAN uses an 802.1Q tag (and an internal VLANid) of 1.

Usage Guidelines

If any of the ports in the VLAN use an 802.1Q tag, a tag must be assigned to the VLAN. The valid range is from 2 to 4094 (tag 1 is assigned to the default VLAN, and tag 4095 is assigned to the management VLAN).

The 802.1Q tag is also used as the internal VLANid by the switch.

You can specify a value that is currently used as an internal VLANid on another VLAN; it becomes the VLANid for the VLAN you specify, and a new VLANid is automatically assigned to the other untagged VLAN.

Example

The following command assigns a tag (and internal VLANid) of 120 to a VLAN named accounting:

configure accounting tag 120

History

This command was first available in ExtremeXOS 10.1.

The remote-mirroring option was added in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms.

configure vlan-translation add loopback-port

configure {vlan} vlan_name vlan-translation add loopback-port port

Description

Adds the specified port as a loopback port for the specified member VLAN.

Syntax Description

vlan_name Specifies the name of the member VLAN to which you want to add the loopback port.

port Specifies the port that serves as the loopback port.


Default

N/A.

Usage Guidelines

The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the member VLANs with overlapping ports must have a dedicated loopback port.

The loopback port can be added to the member VLAN when the member VLAN is created, or you can use this command to add the loopback port at a later time.

Example

The following example adds port 2:1 as a loopback port for the member VLAN leafvlan:

configure leafvlan vlan-translation add loopback-port 2:1

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document.

configure vlan-translation add member-vlan

configure {vlan} vlan_name vlan-translation add member-vlan member_vlan_name {loopback-port port}

Description

Adds a member VLAN to a translation VLAN.

Syntax Description

vlan_name Specifies the name of the translation VLAN to which you want to add the member VLAN.

member_vlan_name Specifies the member VLAN to be added to the translation VLAN.

port Specifies the port that serves as the loopback port.


Default

N/A.

Usage Guidelines

This command configures VLAN tag translation between the two VLANs specified. The member VLAN is added to the list maintained by translation VLAN. A translation VLAN can have multiple member VLANs added to it.

The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the member VLANs with overlapping ports must have a dedicated loopback port.

Example

The following example adds member VLAN leafvlan to the translation VLAN branchvlan:

configure branchvlan vlan-translation add member-vlan leafvlan

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document.

configure vlan-translation delete loopback-port

configure {vlan} vlan_name vlan-translation delete loopback-port

Description

Deletes the loopback port from the specified member VLAN.

Syntax Description

vlan_name Specifies the name of the member VLAN from which you want to delete the loopback port.

Default

N/A.


Usage Guidelines

This command disables and deletes the loopback port from the specified member VLAN. This command does not delete the member VLAN.

Example

The following example deletes the loopback port from the member VLAN leafvlan:

configure leafvlan vlan-translation delete loopback-port

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document.

configure vlan-translation delete member-vlan

configure {vlan} vlan_name vlan-translation delete member-vlan [member_vlan_name | all]

Description

Deletes one or all member VLANs from a translation VLAN.

Syntax Description

vlan_name Specifies the name of the translation VLAN from which you want to delete the member VLAN.

member_vlan_name Specifies the member VLAN to be deleted from the translation VLAN.

all Deletes all member VLANs from the specified translation VLAN.

Default

N/A.

Usage Guidelines

This command removes the link between the translation VLAN and the specified member VLANs, but it does not remove the VLANs from the switch.


Example

The following example deletes member VLAN leafvlan from the translation VLAN branchvlan:

configure branchvlan vlan-translation delete member-vlan leafvlan

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document.

configure vman add ports cep

configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}}

Description

Adds one or more switch ports to the specified VMAN as Customer Edge Ports (CEPs), and configures the CVIDs on those ports to map to the VMAN.

Syntax Description

vman_name Specifies the VMAN to configure.

port_list Specifies a list of ports.

cvid_first Specifies a CVLAN ID (CVID) or the first in a range of CVIDs that the CEP will accept and map to the specified VMAN. Valid values are 1-4095.

cvid_last Specifies the last in a range of CVIDs that the CEP will accept and map to the VMAN. Valid values are 1-4095.

translate Enables translation of the specified CEP CVID range to the specified VMAN CVID range.

cvid_first_xlate Specifies a VMAN CVID or the first in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095.

cvid_last_xlate Specifies the last in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095. The number of VMAN CVIDs in this range must equal the number of CEP CVIDs specified in this command.

Default

N/A.


Usage Guidelines

If you specify only one CVID or a range of CVIDs without translation, the specified CVIDs are mapped to the specified VMAN and appear unchanged in the VMAN.

If you specify CVID translation, the CEP CVIDs map to different VMAN CVIDs. The number of CEP CVIDs specified must equal the number of VMAN CVIDs specified. The first CEP CVID in the specified range maps to the first CVID in the range specified for the VMAN. The difference between cvid_first and cvid_first_xlate establishes an offset N that maps CEP CVIDs to VMAN CVIDs. (Offset N = cvid_first_xlate - cvid_first.) The translated VMAN CVID that corresponds to a CEP CVID can be determined as follows:

VMAN CVID = CEP CVID + N

Note

CVID translation can reduce the number of CVIDs that can be mapped to VMANs.

After you enable and configure a CEP with this command, you can use the following command to map additional CVIDs on the port to the VMAN:

configure vman vman_name ports port_list add cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}}

When this command specifies multiple ports, each port gets an independent CVID map; the ports do not share a common map. Changes to the CVID map affect only the ports specified in the configuration command. For example, consider the following commands:

configure vman vman1 add port 1-2 cep cvid 10
configure vman vman1 port 1 add cvid 11

After these commands are entered, port 1 maps CVIDs 10 and 11 to VMAN vman1, and port 2 maps only CVID 10 to vman1.

You can add the same port as a CEP to multiple VMANs. A port can also support multiple VMANs in different roles as shown in Table 4: Port Support for Combined VMAN Roles and VLANs on page 128.

To view the CEP CVID configuration for a port, use the show vman command.

Example

The following example configures port 1 as a CEP for VMAN vman1 and specifies that CEP CVID 5 maps to CVID 5 on the VMAN:

configure vman vman1 add port 1 cep cvid 5

The following example configures port 1 as a CEP for VMAN vman1 and enables the port to translate CEP CVIDs 10-19 to VMAN CVIDs 20-29:

configure vman vman1 add port 1 cep cvid 10 - 19 translate 20 - 29


History

This command was first available in ExtremeXOS 12.6.

Platform Availability

This command is available on BlackDiamond X8, BlackDiamond 8800 series switches and Summit family switches.

The CVID translation feature is available only on BlackDiamond X8, BlackDiamond 8900 c-, xl-, and xm-series modules and Summit X440, X460, X480, X670 and X770 series switches.

configure vman add ports

configure vman vman-name add ports [ all | port_list ] {untagged {port-cvid port_cvid} | tagged}

Description

Adds one or more ports to a VMAN.

Syntax Description

vman-name Specifies the VMAN to configure.

all Specifies all switch ports.

port_list Specifies a list of ports.

untagged Configures the specified ports as Customer Network Ports (CNPs).

tagged Configures the specified ports as Provider Network Ports (PNPs), which are also called VMAN network ports.

port_cvid Port's CVID used for untagged packets. If unspecified, untagged packets will be single tagged with the VMAN's SVID. If specified, untagged packets will be double tagged with the VMAN's SVID and the port's CVID.

Default

If you do not specify a parameter, the default value is untagged, which creates a CNP.

Usage Guidelines

This command adds ports as either CNPs or PNPs. To add a port to a VMAN as a CEP, use the following command:

configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}}

The VMAN must already exist before you can add (or delete) ports. VMAN ports can belong to load-sharing groups.


When a port is configured to serve as a CNP for one VMAN and a PNP for another VMAN, it inspects the VMAN ethertype in received packets. Packets with a matching ethertype are treated as tagged and switched across the associated PNP VMAN. Packets with a non-matching ethertype are treated as untagged and forwarded into the associated CNP VMAN.

When a port is configured only as a CNP (an untagged VMAN member), whether the VMAN ethertype is 0x8100 or otherwise, all received packets ingress the associated VMAN regardless of the packet's tagging.

Note

If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.

The following guidelines apply to all platforms:

• You must enable or disable jumbo frames before configuring VMANs. You can enable or disable jumbo frames on individual ports or modules, or on the entire switch. See Configuring Ports on a Switch for more information on configuring jumbo frames.

• Each port can serve in only one VMAN role per VMAN. When multiple roles are configured on a port, each role must be configured for a different VMAN.

• Multiple VMAN roles can be combined on one port with certain VLAN types as shown in the following table.

5 Subsets of this group are also supported. That is, any two of these items are supported.

6 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP.

7 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100.


Table 4: Port Support for Combined VMAN Roles and VLANs

Platform | Combined CNP, CEP, and Tagged VLAN (5, 6) | Combined PNP, CNP, and CEP (a, b, 7) | Combined PNP and Tagged VLAN | Combined PNP and Untagged VLAN
Summit X440, X460, X480, X670 and X770 | X | X | X (8) | X
BlackDiamond 8500 and 8800 c-, and e-series modules | X | X | X (d) | X
BlackDiamond X8 series switches and BlackDiamond 8900 c-, xl-, and xm-series modules | X | X | X (e) | X

Note

If you already configured VLANs and VMANs on the same module or stand-alone switch using ExtremeXOS 11.4, you cannot change the VMAN ethertype from 0X8100 without first removing either the VLAN or VMAN configuration.

Example

The following example assigns ports 1:1, 1:2, 1:3, and 1:6 to a VMAN named accounting:

configure vman accounting add ports 1:1, 1:2, 1:3, 1:6 tag 100

History

This command was first available in ExtremeXOS 11.0.

The svid keyword was added in ExtremeXOS 12.2.

8 If the secondary VMAN ethertype is selected for the port, it must be set to 0x8100.

The cvid keyword was added in ExtremeXOS 15.3.2.

Platform Availability

This command is available on all platforms.

configure vman delete ports

configure vman vman-name delete ports [all | port_list]

Description

Deletes one or more ports from a VMAN.

Syntax Description

vman_name Specifies a VMAN name.

all Specifies all ports in the VMAN.

port_list Specifies a list of ports.

Default

N/A.

Usage Guidelines

The VMAN must already exist before you can delete ports.

Example

The following example deletes ports 1:1, 1:2, 1:3, and 1:6 on a modular switch for a VMAN named accounting:

configure vman accounting delete ports 1:1, 1:2, 1:3, 1:6

History

This command was first available in ExtremeXOS 11.0.

Platform Availability

This command is available on all platforms.

configure vman ethertype

configure vman ethertype value [primary | secondary]


Description

Changes the default ethertype for the VMAN header.

Syntax Description

value Specifies an ethertype value in the format of 0xffff.

primary Assigns the ethertype as the primary Ethernet value.

secondary Assigns the ethertype as the secondary Ethernet value.

Default

Ethertype value of 0x88a8 and type primary.

Usage Guidelines

The software supports two VMAN ethertype values: a primary value and a secondary value. By default, the primary ethertype applies to all VMANs. To use the secondary ethertype, define the ethertype with this command, and then assign the secondary ethertype to ports with the following command:

configure port port_list ethertype {primary | secondary}

If your VMAN transits a third-party device (other than an Extreme Networks device), you must configure the ethertype for the VMAN tag as the ethertype that the third-party device uses. If you configure both primary and secondary ethertypes, you can connect to devices that use either of the two values assigned.

The system supports all VMAN ethertypes, including the standard ethertype of 0x8100.

Example

The following command changes the VMAN ethertype value to 8100:

configure vman ethertype 0x8100

History

This command was first available in ExtremeXOS 11.0.

Support for a secondary ethertype was added in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms.


configure vman ports add cvid

configure vman vman_name ports port_list add cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}}

Description

Adds one or more CVIDs to a CEP.

Syntax Description

vman_name Specifies the VMAN to configure.

port_list Specifies a list of ports.

cvid_first Specifies a Customer VLAN ID (CVID) or the first in a range of CVIDs that the CEP will accept and map to the specified VMAN. Valid values are 1-4095.

cvid_last Specifies the last in a range of CVIDs that the CEP will accept and map to the VMAN. Valid values are 1-4095.

translate Enables translation of the specified CEP CVID range to the specified VMAN CVID range.

cvid_first_xlate Specifies a VMAN CVID or the first in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095.

cvid_last_xlate Specifies the last in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095. The number of VMAN CVIDs in this range must equal the number of CEP CVIDs specified in this command.

Default

N/A.

Usage Guidelines

Before you can add CVIDs to CEPs, you must configure the target physical ports as CEPs using the following command:

configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}}

If you specify only one CVID or a range of CVIDs without translation, the specified CVIDs are mapped to the specified VMAN and appear unchanged in the VMAN.

If you specify CVID translation, the CEP CVIDs map to different VMAN CVIDs. The number of CEP CVIDs specified must equal the number of VMAN CVIDs specified. The first CEP CVID in the specified range maps to the first CVID in the range specified for the VMAN. The difference between cvid_first and cvid_first_xlate establishes an offset N that maps CEP CVIDs to VMAN CVIDs. (Offset N = cvid_first_xlate - cvid_first.) The translated VMAN CVID that corresponds to a CEP CVID can be determined as follows:


VMAN CVID = CEP CVID + N

Note

CVID translation can reduce the number of CVIDs that can be mapped to VMANs.

When this command specifies multiple ports, each port gets an independent CVID map; the ports do not share a common map. Changes to the CVID map affect only the ports specified in the configuration command. For example, consider the following commands:

configure vman vman1 add port 1-2 cep cvid 10
configure vman vman1 port 1 add cvid 11

After these commands are entered, port 1 maps CVIDs 10 and 11 to VMAN vman1, and port 2 maps only CVID 10 to vman1.

To view the CEP CVID configuration for a port, use the show vman command.

Example

The following example adds CVIDs 20-29 to port 1 and VMAN vman1 and enables translation to CVIDs 30-39:

configure vman vman1 port 1 add cvid 20 - 29 translate 30 - 39

History

This command was first available in ExtremeXOS 12.6.

Platform Availability

This command is available on BlackDiamond X8 series switches, BlackDiamond 8800 series switches and Summit family switches.

The CVID translation feature is available only on BlackDiamond X8 series switches, BlackDiamond 8900 c-, xl-, and xm-series modules and Summit X440, X460, X480, X670 and X770 series switches.

configure vman ports delete cvid

configure vman vman_name ports port_list delete cvid cvid_first {- cvid_last}

Description

Deletes one or more CVIDs from a CEP.

Syntax Description

vman_name Specifies the VMAN to configure.

port_list Specifies a list of ports.


cvid_first Specifies a CVID or the first in a range of CVIDs that are to be deleted. Valid values are 1-4095.

cvid_last Specifies the last in a range of CVIDs that are to be deleted. Valid values are 1-4095.

Default

N/A.

Usage Guidelines

Each CEP has its own CVID map, and this command deletes CVIDs only from the ports specified with this command.

If all the CVIDs are deleted from a CEP, the CEP is deleted from the VMAN.

To view the CEP CVID configuration for a port, use the show vman command.

Example

The following command deletes CVID 15 on port 1 from VMAN vman1:

configure vman vman1 port 1 delete cvid 15

History

This command was first available in ExtremeXOS 12.6.

Platform Availability

This command is available on BlackDiamond X8 series switches, BlackDiamond 8800 series switches and Summit family switches.
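The CVID map rules of the add cvid and delete cvid commands above (equal range sizes, the offset N, independent per-port maps, and removal of a CEP once its last CVID is deleted), modeled as an added Python example that is not part of the ExtremeXOS guide. The class and function names are hypothetical, and the 1-4095 bounds are the ones this guide gives for cvid_first and cvid_last.

```python
CVID_MIN, CVID_MAX = 1, 4095  # valid CVID values given for cvid_first / cvid_last


def cvid_range(first, last=None):
    """Return the inclusive CVID range first..last (one CVID if last is omitted)."""
    last = first if last is None else last
    if not (CVID_MIN <= first <= last <= CVID_MAX):
        raise ValueError(f"invalid CVID range {first}-{last}")
    return range(first, last + 1)


def translation_map(cep, xlate=None):
    """Map each CEP CVID to its VMAN CVID: VMAN CVID = CEP CVID + N."""
    cep_cvids = cvid_range(*cep)
    if xlate is None:  # no translation requested, so N = 0
        return {cvid: cvid for cvid in cep_cvids}
    vman_cvids = cvid_range(*xlate)
    if len(cep_cvids) != len(vman_cvids):  # both ranges must hold the same count
        raise ValueError(
            f"{len(cep_cvids)} CEP CVIDs cannot map to {len(vman_cvids)} VMAN CVIDs"
        )
    n = vman_cvids.start - cep_cvids.start  # N = cvid_first_xlate - cvid_first
    return {cvid: cvid + n for cvid in cep_cvids}


class CepCvidModel:
    """Hypothetical model of one VMAN's CEPs; every port keeps its own CVID map."""

    def __init__(self):
        self.ports = {}  # port -> {CEP CVID: VMAN CVID}

    def add_cvid(self, ports, cep, xlate=None):
        mapping = translation_map(cep, xlate)
        for port in ports:
            # Each port gets an independent copy of the new entries.
            self.ports.setdefault(port, {}).update(mapping)

    def delete_cvid(self, ports, cep):
        for port in ports:
            cvid_map = self.ports.get(port)
            if cvid_map is None:
                continue
            for cvid in cvid_range(*cep):
                cvid_map.pop(cvid, None)
            if not cvid_map:  # last CVID removed: the CEP leaves the VMAN
                del self.ports[port]


def demo():
    """Replay the guide's example commands and return the resulting maps."""
    vman1 = CepCvidModel()
    vman1.add_cvid(["1", "2"], (10,))           # add port 1-2 cep cvid 10
    vman1.add_cvid(["1"], (11,))                # port 1 add cvid 11
    vman1.add_cvid(["1"], (20, 29), (30, 39))   # add cvid 20 - 29 translate 30 - 39
    vman1.delete_cvid(["2"], (10,))             # port 2 loses its only CVID
    return vman1.ports


if __name__ == "__main__":
    for port, cvid_map in demo().items():
        print(port, cvid_map)
```

A translate range of a different size, such as 20 - 29 onto 30 - 99, is rejected by translation_map before any port map is touched.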

configure vman protocol

configure vman vman_name protocol {filter} filter_name

Description

Configures a VMAN to use a specific protocol filter.

Syntax Description

vman_name Specifies a VMAN name.

protocol Specifies a protocol filter.


filter Specifies a protocol filter.

filter_name Specifies a protocol filter name.

Default

Usage Guidelines

Protocol Filters on BlackDiamond 8800 Series Switches, SummitStack, and the Summit Family Switches Only

These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to “any” and define other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets pass on the “any” VLAN, and the other protocols pass traffic on their specific protocol-based VLANs.

Example

The following example configures the protocol filter “my_filter” to vlan v1:

configure vlan v1 protocol "my_filter"
configure vlan v1 protocol filter "my_filter"

History

This command was first available in ExtremeXOS 10.1.

The filter keyword was added in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

configure vman tag

configure vman vman_name tag tag

Description

Assigns a tag to a VMAN.

Syntax Description

vman_name Specifies a VMAN name.

tag Specifies a value to use as the VMAN tag. The valid range is from 2 to 4094.


Default

N/A.

Usage Guidelines

Every VMAN requires a unique tag.

You can specify a value that is currently used as an internal VLAN ID on another VLAN; it becomes the VLAN ID for the VLAN you specify, and a new VLAN ID is automatically assigned to the other untagged VLAN.

Example

The following example assigns a tag of 120 to a VMAN named "accounting":

configure vman accounting tag 120

History

This command was first available in ExtremeXOS 11.0.

Platform Availability

This command is available on all platforms.

configure vpls peer l2pt profile

configure {l2vpn} vpls vpls_name peer ipaddress l2pt profile [none | profile_name]

Description

Configures L2PT profiles on service interfaces.

Syntax Description

l2vpn Specifies the Layer 2 Virtual Private Network.

vpls vpls_name Specifies Virtual Private LAN Service over MPLS, and the alphanumeric string identifying the VPLS VPN.

peer ipaddress Specifies the VPLS peer, and the IPv4 address.

l2pt profile Specifies Layer 2 protocol tunneling and the L2PT profile for the PW.

none Specifies that no L2PT profile should be bound to the PW (default).

profile_name Specifies the L2PT profile to be bound to the PW.


Default

Disabled.

Usage Guidelines

Use this command to configure L2PT profiles on service interfaces.

Example

The following example unbinds the L2PT profile from peer 1.1.1.1 of VPLS cust2:

configure l2vpn vpls cust2 peer 1.1.1.1 l2pt profile none

The following example binds my_l2pt_prof with peer 1.1.1.1 of VPLS cust1. my_l2pt_prof specifies tunneling actions:

configure l2vpn vpls cust1 peer 1.1.1.1 l2pt profile my_l2pt_prof
Error: Tunnel action may be applied only to ports.

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

create fdb mac-tracking entry

create fdb mac-tracking entry mac_addr

Description

Adds a MAC address to the MAC address tracking table.

Syntax Description

mac_addr Specifies a device MAC address, using colon-separated bytes.

Default

The MAC address tracking table is empty.

Usage Guidelines

None.


Example

The following command adds a MAC address to the MAC address tracking table:

create fdb mac-tracking entry 00:E0:2B:12:34:56

History

This command was first available in ExtremeXOS 12.3.

Platform Availability

This command is available on all platforms.

create fdbentry vlan ports

create fdbentry mac_addr vlan vlan_name [ports port_list {tagged tag} | blackhole]

Description

Creates a permanent static FDB entry.

Syntax Description

mac_addr Specifies a device MAC address, using colon-separated bytes.

vlan_name Specifies a VLAN name associated with a MAC address.

port_list Specifies one or more ports or slots and ports associated with the MAC address.

tagged tag Specifies the port-specific VLAN tag. When there are multiple ports specified in port_list, the same tag is used for all of them.

blackhole Enables the blackhole option. Any packets with either a source MAC address or a destination MAC address matching the FDB entry are dropped.

Default

N/A.

Usage Guidelines

Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. A permanent static entry can either be a unicast or multicast MAC address. After they have been created, permanent static entries stay the same as when they were created. If the same MAC address and VLAN is encountered on another virtual port that is not included in the permanent MAC entry, it is handled as a blackhole entry. The static entry is not updated when any of the following take place:


• A VLAN identifier (VLANid) is changed.

• A port is disabled.

• A port enters blocking state.

• A port goes down (link down).

A permanent static FDB entry is deleted when any of the following take place:

• A VLAN is deleted.

• A port mode is changed (tagged/untagged).

• A port is deleted from a VLAN.

Permanent static entries are designated by spm in the flags field of the show fdb output. You can use the show fdb command to display permanent FDB entries.

If the static entry is for a PVLAN VLAN that requires more than one underlying entry, the system automatically adds the required entries. For example, if the static entry is for a PVLAN network VLAN, the system automatically adds all required extra entries for the subscriber VLANs.

You can create FDB entries to multicast MAC addresses and list one or more ports. If more than one port number is associated with a permanent MAC entry, packets are multicast to the multiple destinations.

IGMP snooping rules take precedence over static multicast MAC addresses in the IP multicast range (01:00:5e:xx:xx:xx) unless IGMP snooping is disabled.

Note

When a multiport list is assigned to a unicast MAC address, load sharing is not supported on the ports in the multiport list.

Example

The following command adds a permanent, static entry to the FDB for MAC address 00 E0 2B 12 34 56, in VLAN marketing on slot 2, port 4 on a modular switch:

create fdbentry 00:E0:2B:12:34:56 vlan marketing port 2:4

The following example creates a multiport unicast FDB entry, in VLAN black, on slot 1, ports 1, 2, and 4, on the BlackDiamond 8800 family of switches:

create fdbentry 01:00:00:00:00:01 vlan black port 1:1, 1:2, 1:4

The following example adds a permanent, static entry to the FDB for MAC address 00:01:02:03:04:05, in VLAN marketing, on a VLAN port that has tag 100 on port 3 on a switch:

create fdbentry 00:01:02:03:04:05 vlan msk ports 3 tag 100

History

This command was first available in ExtremeXOS 10.1.


The ability to create a multicast FDB with multiple entry ports was added in ExtremeXOS 11.3.

The blackhole option was first available for all platforms in ExtremeXOS 12.1.

The ability to create a unicast FDB with multiple entry ports was available for the BlackDiamond 8000 c- and e-series modules in ExtremeXOS 12.1. This feature is supported on all later platforms when introduced.

The tag keyword and example were added in ExtremeXOS 15.4.

Platform Availability

This command is available on all platforms.

create l2pt profile

create l2pt profile profile_name

Description

Creates an L2PT profile.

Syntax Description

l2pt Creates a Layer 2 protocol tunneling profile.

profile Profile that defines L2PT configuration for L2 protocols.

profile_name Specifies a profile name (maximum 32 characters).

Default

Disabled.

Usage Guidelines

Use this command to create an L2PT profile.

Example

The following example creates a new L2PT profile named "my_l2pt_prof":

create l2pt profile my_l2pt_prof

History

This command was first available in ExtremeXOS 15.5.


Platform Availability

This command is available on all platforms.

create private-vlan

create private-vlan name {vr vr_name}

Description

Creates a PVLAN framework with the specified name.

Syntax Description

name Specifies a name for the new PVLAN.

vr_name Specifies the VR in which the PVLAN is created.

Default

N/A.

Usage Guidelines

The PVLAN is a framework that links network and subscriber VLANs; it is not an actual VLAN.

A private VLAN name must begin with an alphabetical character and may contain alphanumeric characters and underscores ( _ ), but it cannot contain spaces. The maximum allowed length for a name is 32 characters. For private VLAN naming guidelines and a list of reserved names, see Object Names.

If no VR is specified, the PVLAN is created in the default VR context.

Example

The following example creates a PVLAN named "companyx":

create private-vlan companyx

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.


create protocol

create protocol {filter} filter_name

Description

Creates a user-defined protocol filter.

Syntax Description

filter Specifies a protocol filter.

filter_name Specifies a protocol filter name. The protocol filter name can have a maximum of 31 characters.

Default

N/A.

Usage Guidelines

Protocol-based VLANs enable you to define packet filters that the switch can use as the matching criteria to determine if a particular packet belongs to a particular VLAN.

After you create the protocol, you must configure it using the configure protocol command. To assign it to a VLAN, use the configure {vlan} vlan_name protocol {filter} filter_name command.

Example

The following command creates a protocol named "my_filter", and a protocol filter named "my_other_filter":

create protocol "my_filter"
create protocol filter "my_other_filter"

History

This command was first available in ExtremeXOS 10.1.

The filter keyword was added in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.


create vlan

create vlan vlan_name {tag tag} {description vlan-description} {vr name}

Description

Creates a named VLAN.

Syntax Description

vlan_name Specifies a VLAN name (up to 32 characters).

tag Specifies a value to use as an 802.1Q tag. The valid range is from 2 to 4095.

vlan-description Specifies a VLAN description (up to 64 characters) that appears in show vlan commands and can be read from the ifAlias MIB object for the VLAN.

name Specifies a VR or virtual routing and forwarding (VRF) instance in which to create the VLAN.

Note

User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR-Default and cannot be moved.

Default

A VLAN named Default exists on all new or initialized Extreme switches:

• It initially contains all ports on a new or initialized switch, except for the management port(s), if there are any.

• It has an 802.1Q tag of 1.

• The default VLAN is untagged on all ports.

• It uses protocol filter any.

A VLAN named Mgmt exists on switches that have management modules or management ports:

• It initially contains the management port(s) of the switch.

• It is assigned the next available internal VLANid as an 802.1Q tag.

If you do not specify the VR, the VLAN is created in the current VR.

If the VLAN description contains one or more space characters, you must enclose the complete name in double quotation marks.

Usage Guidelines

A newly-created VLAN has no member ports, is untagged, and uses protocol filter any until you configure it otherwise. Use the various configure vlan commands to configure the VLAN to your needs.

Internal VLANids are assigned automatically using the next available VLANid starting from the high end (4094) of the range.


The VLAN name can include up to 32 characters. VLAN names must begin with an alphabetical letter, and only alphanumeric, underscore ( _ ), and hyphen (-) characters are allowed in the remainder of the name. VLAN names cannot match reserved keywords. For more information on VLAN name requirements and a list of reserved keywords, see Object Names.

Note

If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.

VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to that switch. If another switch is connected to it, the VLAN names have no significance to the other switch.

You must use mutually exclusive names for:

• VLANs

• VMANs

• IPv6 tunnels

• BVLANs

• SVLANs

• CVLANs

Note

The VLAN description is stored in the ifAlias MIB object.

If you do not specify a VR when you create a VLAN, the system creates that VLAN in the default VR (VR-Default). The management VLAN is always in the management VR (VR-Mgmt).

Once you create VRs, ExtremeXOS allows you to designate one of these as the domain in which all your subsequent configuration commands, including VLAN commands, are applied. If you create VRs, ensure that you are creating the VLANs in the desired virtual-router domain.

Note

User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR-Default and cannot be moved.

Example

The following example creates a VLAN named accounting on the current VR:

create vlan accounting description "Accounting Dept"

History

This command was first available in ExtremeXOS 10.1.

The vr option was added in ExtremeXOS 11.0.


The vlan-description option was added in ExtremeXOS 12.4.4.

Platform Availability

This command is available on all platforms.

create vman

create vman vman-name {learning-domain} {vr vr_name}

Description

Creates a VMAN.

Syntax Description

vman-name Specifies a VMAN name using up to 32 characters.

learning-domain Specifies that this VMAN is a learning domain, which supports inter-VMAN forwarding.

vr Specifies a virtual router.

vr_name Specifies a virtual router name.

Note

User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR-Default and cannot be moved.

Default

N/A.

Usage Guidelines

For information on VMAN name requirements and a list of reserved keywords, see Object Names. You must use mutually exclusive names for:

• VLANs

• VMANs

• IPv6 tunnels

The keyword learning-domain enables you to create a VMAN that serves as a learning domain for inter-VMAN forwarding.

If you do not specify the virtual router, the VMAN is created in the current virtual router. After you create the VMAN, you must configure the VMAN tag and add the ports that you want.


Example

The following example creates a VMAN named "fred":

create vman fred

History

This command was first available in ExtremeXOS 11.0.

Platform Availability

This command is available on all platforms.

delete fdb mac-tracking entry

delete fdb mac-tracking entry [mac_addr | all]

Description

Deletes a MAC address from the MAC address tracking table.

Syntax Description

mac_addr Specifies a device MAC address, using colon-separated bytes.

all Specifies that all MAC addresses are to be deleted from the MAC address tracking table.

Default

The MAC address tracking table is empty.

Usage Guidelines

None.

Example

The following example deletes a MAC address from the MAC address tracking table:

delete fdb mac-tracking entry 00:E0:2B:12:34:56

History

This command was first available in ExtremeXOS 12.3.


Platform Availability

This command is available on all platforms.

delete fdbentry

delete fdbentry [all | mac_address [vlan vlan_name]

Description

Deletes one or all permanent FDB entries.

Syntax Description

all Specifies all FDB entries.

mac_address Specifies a device MAC address, using colon-separated bytes.

vlan_name Specifies the specific VLAN name.

Default

N/A.

Usage Guidelines

None.

Example

The following example deletes a permanent entry from the FDB:

delete fdbentry 00:E0:2B:12:34:56 vlan marketing

The following example deletes all permanent entries from the FDB:

delete fdbentry all

History

This command was first available in ExtremeXOS 11.0.

Platform Availability

This command is available on all platforms.

delete l2pt profile

delete l2pt profile profile_name


Description

Deletes an L2PT profile.

Syntax Description

l2pt Deletes a Layer 2 protocol tunneling profile.

profile Profile that defines L2PT configuration for L2 protocols.

profile_name Specifies a profile name (maximum 32 characters).

Default

Disabled.

Usage Guidelines

Use this command to delete an L2PT profile.

Example

The following example deletes my_l2pt_prof that is currently in use by a service:

delete l2pt profile my_l2pt_prof

The following example deletes my_l2pt_prof that is not associated with any service:

delete l2pt profile my_l2pt_prof

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

delete private-vlan

delete private-vlan name

Description

Deletes the PVLAN framework with the specified name.


Syntax Description

name Specifies the name of the PVLAN to be deleted.

Default

N/A.

Usage Guidelines

The PVLAN is a framework that links network and subscriber VLANs; it is not an actual VLAN.

This command deletes the PVLAN framework, but it does not delete the associated VLANs. If the ports in the network VLAN were set to translate, they are changed to tagged.

Example

The following example deletes the PVLAN named "companyx":

delete private-vlan companyx

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.

delete protocol

delete protocol {filter} filter_name

Description

Deletes a user-defined protocol.

Syntax Description

filter Deletes a protocol filter.

filter_name Specifies a protocol filter name to delete.


Default

N/A.

Usage Guidelines

If you delete a protocol that is in use by a VLAN, the protocol associated with that VLAN becomes none.

Example

The following command deletes a protocol named "my_filter" and a protocol filter named "my_other_filter":

delete protocol "my_filter"
delete protocol filter "my_other_filter"

History

This command was first available in ExtremeXOS 10.1.

The filter keyword was added in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

delete vlan

delete vlan vlan_name

Description

Deletes a VLAN.

Syntax Description

vlan_name Specifies a VLAN name.

Default

N/A.


Usage Guidelines

If you delete a VLAN that has untagged port members and you want those ports to be returned to the default VLAN, you must add them back explicitly using the configure svlan delete ports command.

Note

The default VLAN cannot be deleted. Before deleting an ISC VLAN, you must delete the MLAG peer.

Example

The following command deletes the VLAN accounting:

delete vlan accounting

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

delete vman

delete vman vman-name

Description

Deletes a previously created VMAN.

Syntax Description

vman-name Specifies a VMAN name.

Default

N/A.

Usage Guidelines

None.


Example

The following command deletes the VMAN accounting:

delete vman accounting

History

This command was first available in ExtremeXOS 11.0.

Platform Availability

This command is available on all platforms.

disable dot1p examination inner-tag ports

disable dot1p examination inner-tag ports [all | port_list]

Description

Used with VMANs, and instructs the switch to examine the 802.1p value of the outer tag, or added VMAN header, to determine the correct egress queue on the egress port.

Syntax Description

all Specifies all ports.

port_list Specifies a list of ports or slots and ports.

Default

Disabled.

Usage Guidelines

Use this command to instruct the system to refer to the 802.1p value contained in the outer tag, or VMAN encapsulation tag, when assigning the packet to an egress queue at the egress port of the VMAN.

Note

See QoS Commands for information on configuring and displaying the current 802.1p and DiffServ configuration for the inner, or original header, 802.1p value.


Example

The following example uses the 802.1p value on the outer tag, or VMAN encapsulation, to put the packet in the egress queue on the VMAN egress port:

disable dot1p examination inner-tag port 3:2

History

This command was first available in ExtremeXOS 11.2.

Platform Availability

This command is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and Summit family switches.

disable fdb static-mac-move

disable fdb static-mac-move

Description

Disables EMS and SNMP reporting of discovered MAC addresses that are duplicates of statically configured MAC addresses.

Syntax Description

This command has no arguments or variables.

Default

Disabled.

Usage Guidelines

None.

Example

The following example disables this feature:

disable fdb static-mac-move

History

This command was first available in ExtremeXOS 12.7.


Platform Availability

This command is available on Summit family switches.

disable flooding ports

With the BlackDiamond 8800 series switch, SummitStack, and the Summit family of switches, you can further identify the type of packets for which to block flooding.

disable flooding [all_cast | broadcast | multicast | unicast] ports [port_list | all]

Description

Disables Layer 2 egress flooding on one or more ports.

Syntax Description

all_cast Specifies disabling egress flooding for all packets on specified ports.

broadcast Specifies disabling egress flooding only for broadcast packets.

multicast Specifies disabling egress flooding only for multicast packets.

unicast Specifies disabling egress flooding only for unknown unicast packets.

port_list Specifies one or more ports or slots and ports.

all Specifies all ports on the switch.

Default

Enabled for all packet types.

Usage Guidelines

Note

If an application requests specific packets on a specific port, those packets are not affected by the disable flooding ports command.

You might want to disable egress flooding to do the following:

• enhance security

• enhance privacy

• improve network performance

This is particularly useful when you are working on an edge device in the network. The practice of limiting flooded egress packets to selected interfaces is also known as upstream forwarding.

Note

If you disable egress flooding with static MAC addresses, this can affect many protocols, such as IP and ARP.


The following guidelines apply to enabling and disabling egress flooding:

• Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets are not flooded.

• Egress flooding can be disabled on ports that are in a load-sharing group. In a load-sharing group, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port.

• On all platforms FDB learning takes place on ingress ports and is independent of egress flooding; either can be enabled or disabled independently.

• Disabling unicast or all egress flooding to a port also stops packets with unknown MAC addresses from being flooded to that port.

• Disabling broadcast or all egress flooding to a port also stops broadcast packets from being flooded to that port.

BlackDiamond X8 Series switches, BlackDiamond 8800 family of switches, SummitStack, and the Summit switch only

You can disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on the ports of the BlackDiamond 8800 family of switches, SummitStack, and the Summit switch. The default behavior for the BlackDiamond 8800 family of switches, SummitStack, and the Summit is enabled egress flooding for all packet types.

Example

The following example disables unicast flooding on ports 10-12 on a Summit series switch:

disable flooding unicast port 10-12

History

This command was first available in ExtremeXOS 11.2.

Platform Availability

This command is available on BlackDiamond X8 and 8800 series switches, SummitStack, and Summit family switches.

disable learning iparp sender-mac

disable learning iparp {vr vr_name} sender-mac

Description

Disables MAC address learning from the payload of IP ARP packets.


Syntax Description

vr_name Specifies a virtual router.

Default

Disabled.

Usage Guidelines

To view the configuration for this feature, use the following command: show iparp

Example

The following example disables MAC address learning from the payload of IP ARP packets:

disable learning iparp sender-mac

History

This command was first available in ExtremeXOS 12.4.

Platform Availability

This command is available on all Summit family switches, SummitStack, and BlackDiamond 8800 series switches.

disable learning port

disable learning {drop-packets | forward-packets} port [port_list | all]

Description

Disables MAC address learning on one or more ports for security purposes.

Syntax Description

port Specifies the port.

port_list Specifies one or more ports or slots and ports.

all Specifies all slots and ports.

drop-packets Specifies that packets with unknown source MAC addresses be dropped. If you do not specify the forward-packets option, this option is used.

forward-packets Specifies that packets with unknown source MAC addresses be forwarded.

Default

Enabled.

Usage Guidelines

Use this command in a secure environment where access is granted via permanent forwarding database (FDB) entries per port.

Example

The following example disables MAC address learning on port 4:3:

disable learning ports 4:3

History

This command was first available in ExtremeXOS 10.1.

The drop packets and forward packets options were added in ExtremeXOS 12.1.

Platform Availability

This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and 8800 series switches.

disable loopback-mode vlan

disable loopback-mode vlan vlan_name

Description

Disallows a VLAN to be placed in the UP state without an external active port. This allows (disallows) the VLAN's routing interface to become active.

Syntax Description

vlan_name Specifies a VLAN name.

Default

N/A.

Usage Guidelines

Use this command to specify a stable interface as a source interface for routing protocols. This decreases the possibility of route flapping, which can disrupt connectivity.

Example

The following example disallows the VLAN accounting to be placed in the UP state without an external active port:

disable loopback-mode vlan accounting

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

disable snmp traps fdb mac-tracking

disable snmp traps fdb mac-tracking

Description

Disables SNMP trap generation when MAC-tracking events occur for a tracked MAC address.

Syntax Description

This command has no arguments or variables.

Default

Disabled.

Usage Guidelines

None.

Example

The following example disables SNMP traps for MAC-tracking events:

disable snmp traps fdb mac-tracking

History

This command was first available in ExtremeXOS 12.3.

Platform Availability

This command is available on all platforms.

disable vlan

disable vlan vlan_name

Description

Use this command to disable the specified VLAN.

Syntax Description

vlan_name Specifies the VLAN you want to disable.

Default

Enabled.

Usage Guidelines

This command allows you to administratively disable specified VLANs. The following guidelines apply when disabling VLANs:

• Disabling a VLAN stops all traffic on all ports associated with the specified VLAN.

• You cannot disable a VLAN that is running Layer 2 protocol control traffic for protocols such as EAPS, STP, or ESRP.

When you attempt to disable a VLAN running Layer 2 protocol control traffic, the system returns a message similar to the following:

VLAN accounting cannot be disabled because it is actively used by an L2 Protocol

• You can disable the default VLAN; ensure that this is necessary prior to disabling the default VLAN.

• You cannot disable the management VLAN.

• You cannot bind Layer 2 protocols to a disabled VLAN.

• You can add ports to or delete ports from a disabled VLAN.

Example

The following example disables the VLAN named "accounting":

disable vlan accounting

History

This command was first available in ExtremeXOS 11.4.

The ability to add ports to a disabled VLAN was added in ExtremeXOS 12.5.

Platform Availability

This command is available on all platforms.

disable vman cep egress filtering ports

disable vman cep egress filtering ports {port_list | all}

Description

Disables the egress filtering of CVIDs that are not configured in the CVID map for a CEP.

Syntax Description

port_list Specifies a list of ports.

all Specifies all switch ports.

Default

Egress CVID filtering is disabled.

Usage Guidelines

To view the configuration setting for the egress CVID filtering feature, use the show ports information command.

Note: When CVID egress filtering is enabled, it reduces the maximum number of CVIDs supported on a port. The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded through software, CVID egress filtering is always enabled.

Example

The following example disables egress CVID filtering on port 1:

disable vman cep egress filtering port 1

History

This command was first available in ExtremeXOS 12.6.

Platform Availability

This command is available on the BlackDiamond X8, BlackDiamond 8900 c-, xl-, and xm-series modules. This command is also available on Summit X440, X460, X480, X670 and X770 series switches.

enable dot1p examination inner-tag port

enable dot1p examination inner-tag port [all | port_list]

Description

Used with VMANs, and instructs the switch to examine the 802.1p value of the inner tag, or header of the original packet, to determine the correct egress queue on the egress port.

Syntax Description

all Specifies all ports.

port_list Specifies a list of ports or slots and ports.

Default

Disabled.

Usage Guidelines

Use this command to instruct the system to refer to the 802.1p value contained in the inner, or original, tag when assigning the packet to an egress queue at the egress port of the VMAN.

Note: See QoS Commands for information on configuring and displaying the current 802.1p and DiffServ configuration for the inner, or original header, 802.1p value.

Example

The following example puts the packets in the egress queue of the VMAN egress port according to the 802.1p value on the inner tag:

enable dot1p examination inner-tag port 3:2

History

This command was first available in ExtremeXOS 11.2.

Platform Availability

This command is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches.

enable fdb static-mac-move

enable fdb static-mac-move

Description

Enables EMS and SNMP reporting of discovered MAC addresses that are duplicates of statically configured MAC addresses.

Syntax Description

This command has no arguments or variables.

Default

Disabled.

Usage Guidelines

This command enables reporting only. All packets that arrive from a duplicate MAC address on another port (other than the statically configured port) are dropped.

The switch reports the source MAC address, port, and VLAN for each duplicate MAC address.

Example

The following command enables this feature:

enable fdb static-mac-move

History

This command was first available in ExtremeXOS 12.7.

Platform Availability

This command is available on Summit family switches.

enable flooding ports

enable flooding [all_cast | broadcast | multicast | unicast] ports [port_list | all]

Description

Enables egress flooding on one or more ports. With the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches, you can further identify the type of packets to flood on the specified ports.

Syntax Description

all_cast Specifies enabling egress flooding for all packets on specified ports.

broadcast Specifies enabling egress flooding only for broadcast packets.

Note: This parameter is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches.

multicast Specifies enabling egress flooding only for multicast packets.

Note: This parameter is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches.

unicast Specifies enabling egress flooding only for unknown unicast packets.

port_list Specifies one or more ports or slots and ports.

all Specifies all ports on the switch.

Default

Enabled for all packet types.

Usage Guidelines

Use this command to re-enable egress flooding that you previously disabled using the disable flooding ports command.

The following guidelines apply to enabling and disabling egress flooding:

• Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets are not flooded.

• Egress flooding can be disabled on ports that are in a load-sharing group. If that is the situation, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port.

• FDB learning is independent of egress flooding. FDB learning and egress flooding can be enabled or disabled independently.

• Disabling unicast or all egress flooding to a port also stops packets with unknown MAC addresses from being flooded to that port.

• Disabling broadcast or all egress flooding to a port also stops broadcast packets from being flooded to that port.

BlackDiamond X8, 8800 series switches, SummitStack, and the Summit family of switches only

You can disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on the ports of the BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches. The default behavior for the BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches is enabled egress flooding for all packet types.

Example

The following command enables unicast flooding on ports 13-17 on a Summit series switch:

enable flooding unicast port 13-17

History

This command was first available in ExtremeXOS 11.2.

Platform Availability

This command is available on BlackDiamond X8 and BlackDiamond 8800 series switches, SummitStack, and Summit family switches.

enable learning iparp sender-mac

enable learning iparp {request | reply | both-request-and-reply} {vr vr_name} sender-mac

Description

Enables MAC address learning from the payload of IP ARP packets.

Syntax Description

request Enables learning only for IP ARP request packets.

reply Enables learning only for IP ARP reply packets.

both-request-and-reply Enables learning for both request and reply packets.

vr_name Specifies a virtual router.

Default

Disabled.

Usage Guidelines

To view the configuration for this feature, use the following command: show iparp

Example

The following command enables MAC address learning from the payload of reply IP ARP packets:

enable learning iparp reply sender-mac

History

This command was first available in ExtremeXOS 12.4.

Platform Availability

This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and BlackDiamond 8800 series switches.

enable learning port

enable learning {drop-packets} ports [all | port_list]

Description

Enables MAC address learning on one or more ports.

Syntax Description

drop-packets Forwards EDP packets, and drops all unicast, multicast, and broadcast packets from a source address not in the FDB. No further processing occurs for dropped packets.

all Specifies all ports.

port_list Specifies one or more ports or slots and ports.

Default

Enabled.

Usage Guidelines

Use this command to enable MAC address learning on one or more ports.

Example

The following example enables MAC address learning on slot 1, ports 7 and 8 on a modular switch:

enable learning ports 1:7-8

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and BlackDiamond 8800 series switches.

enable loopback-mode vlan

enable loopback-mode vlan vlan_name

Description

Allows a VLAN to be placed in the UP state without an external active port. This allows (disallows) the VLAN's routing interface to become active.

Syntax Description

vlan_name Specifies a VLAN name.

Default

N/A.

Usage Guidelines

Use this command to specify a stable interface as a source interface for routing protocols. This decreases the possibility of route flapping, which can disrupt connectivity.

Example

The following example allows the VLAN "accounting" to be placed in the UP state without an external active port:

enable loopback-mode vlan accounting

History

This command was first available in ExtremeXOS 10.1.

Platform Availability

This command is available on all platforms.

enable snmp traps fdb mac-tracking

enable snmp traps fdb mac-tracking

Description

Enables SNMP trap generation when MAC-tracking events occur for a tracked MAC address.

Syntax Description

This command has no arguments or variables.

Default

Disabled.

Usage Guidelines

None.

Example

The following example enables SNMP traps for MAC-tracking events:

enable snmp traps fdb mac-tracking

History

This command was first available in ExtremeXOS 12.3.

Platform Availability

This command is available on all platforms.

enable vlan

enable vlan vlan_name

Description

Use this command to re-enable a VLAN that you previously disabled.

Syntax Description

vlan_name Specifies the VLAN you want to enable.

Default

Enabled.

Usage Guidelines

This command allows you to administratively enable specified VLANs that you previously disabled.

Example

The following example enables the VLAN named "accounting":

enable vlan accounting

History

This command was first available in ExtremeXOS 11.4.

Platform Availability

This command is available on all platforms.

enable vman cep egress filtering ports

enable vman cep egress filtering ports {port_list | all}

Description

Enables the egress filtering of frames based on their CVIDs on ports configured as CEPs.

Syntax Description

port_list Specifies a list of ports.

all Specifies all switch ports.

Default

Egress CVID filtering is disabled.

Usage Guidelines

For a given VMAN and a port configured as a CEP for that VMAN, only frames with CVIDs that have been mapped from the CEP to the VMAN are forwarded from the VMAN and out the CEP.

To view the configuration setting for the egress CVID filtering feature, use the show ports information command.

Note: CVID egress filtering is available only on switches that support this feature, and when this feature is enabled, it reduces the maximum number of CVIDs supported on a port. The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded through software, CVID egress filtering is always enabled.

Example

The following command enables egress CVID filtering on port 1:

enable vman cep egress filtering port 1

History

This command was first available in ExtremeXOS 12.6.

Platform Availability

This command is available on the BlackDiamond X8 series switches and the BlackDiamond 8900 c-, xl-, and xm-series modules. This command is also available on Summit X440, X460, X480, X670 and X770 series switches.

show fdb mac-tracking configuration

show fdb mac-tracking configuration

Description

Displays configuration information for the MAC address tracking feature.

Syntax Description

This command has no arguments or variables.

Default

The MAC address tracking table is empty.

Usage Guidelines

None.

Example

The following example displays the contents of the MAC address tracking table:

# show fdb mac-tracking configuration
MAC-Tracking enabled ports: 1-3,10,20
SNMP trap notification : Enabled
MAC address tracking table (4 entries):
00:30:48:72:ee:88
00:21:9b:0e:ca:32
00:12:48:82:9c:56
00:30:48:84:d4:16

History

This command was first available in ExtremeXOS 12.3.

Platform Availability

This command is available on all platforms.

show fdb mac-tracking statistics

show fdb mac-tracking statistics {mac_addr} {no-refresh}

Description

Displays statistics for the MAC addresses that are being tracked.

Syntax Description

mac_addr Specifies a MAC address, using colon-separated bytes, for which FDB entries should be displayed.

no-refresh Specifies a static snapshot of data instead of the default dynamic display.

Default

N/A.

Usage Guidelines

Use the keys listed below the display to clear the statistics counters or page up or down through the table entries.

Example

The following example displays statistics for the entries in the MAC address tracking table:

# show fdb mac-tracking statistics
MAC Tracking Statistics          Fri Mar 20 15:25:01 2009
                     Add      Move     Delete
MAC Address          events   events   events
=====================================================
00:00:00:00:00:01    0        0        0
00:00:00:00:00:02    0        0        0
00:00:00:00:00:03    0        0        0
00:00:00:00:00:04    0        0        0
00:00:00:00:00:05    0        0        0
00:00:00:00:00:06    0        0        0
00:00:00:00:00:07    0        0        0
00:00:00:00:00:08    0        0        0
00:00:00:00:00:09    0        0        0
00:00:00:00:00:10    0        0        0
00:00:00:00:00:11    0        0        0
00:00:00:00:00:12    0        0        0
00:00:00:00:00:13    0        0        0
00:00:00:00:00:14    0        0        0
00:00:00:00:00:15    0        0        0
00:00:00:00:00:16    0        0        0
00:00:00:00:00:17    0        0        0
00:00:00:00:00:18    0        0        0
=====================================================
0->Clear Counters U->page up D->page down ESC->exit

History

This command was first available in ExtremeXOS 12.3.

Platform Availability

This command is available on all platforms.

show fdb static-mac-move configuration

show fdb static-mac-move configuration

Description

Displays the configuration for the feature that reports the discovery of MAC addresses that are duplicates of statically configured MAC addresses.

Syntax Description

This command has no arguments or variables.

Default

N/A.

Usage Guidelines

None.

Example

The following example shows the command display:

# show fdb static-mac-movement configuration
Static MAC Movement Notification: Enabled
MAC learning Packets Count : 5

History

This command was first available in ExtremeXOS 12.7.

Platform Availability

This command is available on Summit family switches.

show fdb stats

show fdb stats {{ports {all | port_list} | vlan {all} | {vlan} vlan_name } {no-refresh}}

Description

Displays FDB entry statistics for the specified ports or VLANs in either a dynamic or a static report.

Syntax Description

all Requests statistics for all ports or all VLANs.

port_list Specifies which ports are to be included in the statistics display.

vlan_name Specifies a single VLAN to be included in the statistics display.

no-refresh Specifies a static display, which is not automatically updated.

Default

Summary FDB statistics for the switch.

Usage Guidelines

The dynamic display remains visible and continues to update until you press [Esc].

The show fdb stats command output displays the following information:

Port When you choose to display statistics for ports, this column displays port numbers.

Link State When you choose to display statistics for ports, this column displays the link states, which are described at the bottom of the display.

VLAN When you choose to display statistics for VLANs, this column displays VLAN names.

MAC Addresses This column displays the total number of MAC addresses for each port or VLAN.

Dynamic This column displays the total number of MAC addresses that were learned dynamically for each port or VLAN.

Static This column displays the total number of MAC addresses that are configured on this switch for each port or VLAN.

Dropped This column displays the total number of dynamic MAC addresses that were discovered, but not stored in the FDB. Discovered MAC addresses might be dropped because a configured learning limit is reached, the FDB is in lockdown, or a port forwarding state is in transition. Some conditions that lead to dropped MAC addresses can produce log messages or SNMP traps.

Example

The following command example displays summary FDB statistics for the switch:

torino1.1 # show fdb stats
Total: 4 Static: 3 Perm: 3 Dyn: 1 Dropped: 0
FDB Aging time: 300
FDB VPLS Aging time: 300
torino1.2 #

The following command example displays FDB statistics for ports 1 to 16 on slot 1:

# show fdb stats ports 1:1-1:16
FDB Stats                                   Mon Mar 15 15:30:49 2010
Port    Link    MAC
        State   Addresses   Dynamic   Static   Dropped
=======================================================================
1:1     A       2394        2389      5        2
1:2     A       37          37        0        0
1:3     A       122         121       1        452
1:4     R       0           0         0        0
1:5     R       0           0         0        0
1:6     A       43          43        0        0
1:7     A       118         118       0        0
1:8     R       0           0         0        0
1:9     R       0           0         0        0
1:10    A       8           8         0        0
1:11    A       2998        2990      8        1
1:12    A       486         486       0        0
1:13    R       0           0         0        0
1:14    A       42          42        0        0
1:15    A       795         795       0        0
1:16    A       23          23        0        2
=======================================================================
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
U->page up D->page down ESC->exit

The following command example displays FDB statistics for all VLANs:

# show fdb stats vlan all
FDB Stats                                   Mon Mar 15 15:30:49 2010
VLAN          MAC Addresses   Dynamic   Static   Dropped
=============================================================================
SV_PPPOE      2394            2389      5        2
NV_PPPOE      122             121       1        452
=============================================================================
U->page up D->page down ESC->exit

History

The dynamic display for this command was first available in ExtremeXOS 12.4.2.

Platform Availability

This command is available on all platforms.
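The Dropped column counts MAC addresses that were discovered but not stored (learning limit reached, FDB lockdown, or a port in transition), so growth in that count on one port is worth alerting on. The following is an added example, not part of the Extreme Networks guide: it parses two no-refresh snapshots of the per-port display and reports the ports whose Dropped count grew. The snapshot text is constructed for illustration, and the function names are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class PortStats(NamedTuple):
    port: str
    link: str      # A, R, NP or L, as in the display's Link State legend
    total: int     # "MAC Addresses" column
    dynamic: int
    static: int
    dropped: int


# One data row: port ("3" or slot:port "1:3"), link state, four counters.
ROW = re.compile(
    r"^\s*(\d+(?::\d+)?)\s+(A|R|NP|L)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

# Constructed snapshots, laid out like the per-port display in this section.
SNAPSHOT_T0 = """\
# show fdb stats ports 1:1-1:5 no-refresh
FDB Stats                                   Mon Mar 15 15:30:49 2010
Port    Link    MAC
        State   Addresses   Dynamic   Static   Dropped
=======================================================================
1:1     A       2394        2389      5        2
1:2     A       37          37        0        0
1:3     A       122         121       1        452
1:4     R       0           0         0        0
=======================================================================
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
"""

SNAPSHOT_T1 = """\
# show fdb stats ports 1:1-1:5 no-refresh
FDB Stats                                   Mon Mar 15 15:35:49 2010
Port    Link    MAC
        State   Addresses   Dynamic   Static   Dropped
=======================================================================
1:1     A       2401        2396      5        2
1:2     A       37          37        0        9
1:3     A       122         121       1        1310
1:4     R       0           0         0        0
1:5     A       4           4         0        3
=======================================================================
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
"""


def parse_fdb_stats(text: str) -> Dict[str, PortStats]:
    """Return {port: PortStats}; prompts, headers and rulers are skipped."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, link, *counters = m.groups()
            stats[port] = PortStats(port, link, *(int(c) for c in counters))
    return stats


def dropped_increases(
    before: Dict[str, PortStats],
    after: Dict[str, PortStats],
    min_increase: int = 1,
) -> List[Tuple[str, int, int, int]]:
    """Ports whose Dropped count grew by at least min_increase between two
    snapshots, largest increase first, as (port, before, after, delta).
    A port absent from the first snapshot is compared against zero."""
    rows = []
    for port, now in after.items():
        prev = before[port].dropped if port in before else 0
        delta = now.dropped - prev
        if delta >= min_increase:
            rows.append((port, prev, now.dropped, delta))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    t0, t1 = parse_fdb_stats(SNAPSHOT_T0), parse_fdb_stats(SNAPSHOT_T1)
    for port, prev, now, delta in dropped_increases(t0, t1, min_increase=5):
        print(f"port {port}: Dropped {prev} -> {now} (+{delta})")
```
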

show fdb

show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | mac-based-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin [all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} | vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

Description

Displays FDB entries.

Syntax Description

blackhole Displays the blackhole entries. (All packets addressed to these entries are dropped.)

slot Specifies a slot in the switch.

num_entries Specifies the maximum number of hardware entries to display. The range is 1 to 25.

netlogin all Displays all FDBs created as a result of the netlogin process.

netlogin mac-based-vlans Displays all netlogin MAC-based VLAN FDB entries.

Note: This parameter is supported only for Summit family switches, SummitStack, and the BlackDiamond 8800 series switches. See Network Login Commands for more information on netlogin.

permanent Displays all permanent entries, including the ingress and egress QoS profiles.

mac_addr Specifies a MAC address, using colon-separated bytes, for which FDB entries should be displayed.

port_list Displays the entries for one or more ports or ports and slots.

vlan_name Displays the entries for a specific VLAN.

vpls_name Specifies a specific VPLS for which to display entries.

Default

All.

Usage Guidelines

The pulling of MAC addresses for display purposes is given a lower priority than the actual data path learning. Eventually all the MAC addresses are learned in a quiescent system.

The show fdb command output displays the following information:

Mac The MAC address that defines the entry.

Vlan The PVLAN or VLAN for the entry.

Age The age of the entry, in seconds (does not appear if the keyword permanent is specified). The age parameter does not display for the backup MSM/MM on modular switches. On BlackDiamond 8900 xl-series and Summit X480 switches, the Age is always 000 and the h flag is set for entries that are hardware aged.

Flags Flags that define the type of entry:

• b - Ingress Blackhole

• B - Egress Blackhole

• D - Drop entry for an isolated subscriber VLAN

• d - Dynamic

• h - Aged in hardware (Applies to BlackDiamond 8900 xl-series and Summit X480 switches)

• i - an entry also exists in the IP FDB

• l - lockdown MAC

• L - lockdown-timeout MAC

• m - MAC

• M - Mirror

• n - NetLogin

• o - IEEE 802.1ah backbone MAC

• P - PVLAN created entry

• p - Permanent

• s - Static

• v - NetLogin MAC-Based VLAN (only supported on the Summit switch, SummitStack, and the BlackDiamond 8800 family of switches)

• x - an entry also exists in the IPX FDBs.

Port List The ports on which the MAC address has been learned.

Example

The following example shows how the FDB entries appear for all options except the hardware option:

# show fdb
Mac                  Vlan          Age   Flags    Port / Virtual Port List
-----------------------------------------------------------------------------
00:0c:29:4b:34:cf    v101(0101)    0041  d m D    1:2
00:0c:29:4b:34:cf    v100(0100)    0041  d m P    1:2
00:0c:29:d2:2d:48    v102(0102)    0045  d m      1:3
00:0c:29:d2:2d:48    v100(0100)    0045  d m P    1:3
00:0c:29:f1:f2:f5    v100(0100)    0045  d m      1:1
00:0c:29:f1:f2:f5    v102(0102)    0045  d m P    1:1
00:0c:29:f1:f2:f5    v101(0101)    0045  d m P    1:1
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC.
Total: 3 Static: 0 Perm: 0 Dyn: 3 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
FDB VPLS Aging time: 300

The following example output shows where the port tag is displayed in parentheses:

# show fdb
Mac                  Vlan          Age   Flags    Port / Virtual Port List
-----------------------------------------------------------------------------
00:00:00:00:04:0a    test(0200)    0057  d m      3(0010)
00:00:00:00:04:0b    test(0200)    0300  d m      3(0011)
00:01:02:03:04:05    test(0200)    0000  spm      3(0010)
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC.
Total: 3 Static: 0 Perm: 0 Dyn: 3 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
FDB VPLS Aging time: 300

History

This command was first available in ExtremeXOS 10.1.

The stats and netlogin parameters were first available in ExtremeXOS 11.3.

The blackhole output under the b and B flags was first available for all platforms in ExtremeXOS 12.1.

The o flag was first available in ExtremeXOS 12.4.

Platform Availability

This command is available on all platforms.
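On ports where learning is disabled and access is granted through permanent FDB entries, a dynamic entry in the show fdb display means the intended configuration has drifted. The following is an added example, not part of the Extreme Networks guide: it parses the default show fdb layout shown above, decodes the Flags column with the letters from the legend, and lists dynamic entries found on ports that are expected to hold only static or permanent entries. The sample text, the set of locked ports, and the function names are constructed for illustration.

```python
import re
from typing import FrozenSet, List, NamedTuple, Set

# Flag letters used here, taken from the legend in this section.
DYNAMIC, STATIC, PERMANENT = "d", "s", "p"

# Constructed sample in the layout of the default "show fdb" display.
FDB_SAMPLE = """\
# show fdb
Mac                  Vlan          Age   Flags    Port / Virtual Port List
-----------------------------------------------------------------------------
00:0c:29:4b:34:cf    v101(0101)    0041  d m D    1:2
00:0c:29:d2:2d:48    v102(0102)    0045  d m      1:3
00:01:02:03:04:05    test(0200)    0000  spm      3(0010)
00:0c:29:aa:bb:cc    test(0200)    0012  d m      3(0011)
Flags : d - Dynamic, s - Static, p - Permanent, m - MAC, D - drop packet
Total: 4 Static: 1 Perm: 1 Dyn: 3 Dropped: 0
"""


class FdbEntry(NamedTuple):
    mac: str
    vlan: str
    tag: int
    age: int
    flags: FrozenSet[str]
    port: str   # port with any "(tag)" suffix removed


# MAC, vlan(tag), age, then the remainder (flag letters followed by ports).
FDB_ROW = re.compile(
    r"^\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(\S+?)\((\d+)\)\s+(\d+)\s+(.+?)\s*$"
)


def parse_fdb(text: str) -> List[FdbEntry]:
    """Parse entry rows; the header, ruler, legend and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = FDB_ROW.match(line)
        if not m:
            continue
        mac, vlan, tag, age, rest = m.groups()
        tokens = rest.split()
        # Flag tokens contain letters only; ports start at the first
        # token that begins with a digit.
        first_port = next(
            (i for i, t in enumerate(tokens) if t[0].isdigit()), len(tokens)
        )
        flags = frozenset("".join(tokens[:first_port]))
        for raw in tokens[first_port:] or [""]:
            port = raw.rstrip(",").split("(")[0]
            entries.append(
                FdbEntry(mac.lower(), vlan, int(tag), int(age), flags, port)
            )
    return entries


def unexpected_dynamic(entries: List[FdbEntry],
                       locked_ports: Set[str]) -> List[FdbEntry]:
    """Dynamic entries on ports meant to carry only static or permanent
    entries (ports where learning is supposed to be disabled)."""
    return [
        e for e in entries
        if e.port in locked_ports
        and DYNAMIC in e.flags
        and not (e.flags & {STATIC, PERMANENT})
    ]


if __name__ == "__main__":
    for e in unexpected_dynamic(parse_fdb(FDB_SAMPLE), {"3"}):
        print(f"dynamic entry {e.mac} on locked port {e.port} "
              f"(vlan {e.vlan}, age {e.age}s)")
```
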

show l2pt profile

show l2pt profile profile_name

Description

Displays the contents of an L2PT profile.

Syntax Description

profile Displays profile that defines L2PT configuration for L2 protocols.

profile_name Displays only the specified profile.

Default

Disabled.

Usage Guidelines

Use this command to display the contents of an L2PT profile.

Example

The following is an example of the command's output:

# show l2pt profile
Profile Name                  Protocol Filter Name             Action CoS
----------------------------- -------------------------------- ------ ---
my_l2pt_access_prof           my_list                          tunnel 1
                              my_other_list                    tunnel 7
my_l2pt_network_prof          mylist                           encap
                              my_other_list                    encap
                              my_none_list                     none

# show l2pt profile my_l2pt_access_prof
Profile Name                  Protocol Filter Name             Action CoS
----------------------------- -------------------------------- ------ ---
my_l2pt_access_prof           my_list                          tunnel 1
                              my_other_list                    tunnel 7

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

show l2pt

show l2pt

Description

Displays the global parameters for L2PT.

Syntax Description

l2pt Displays global Layer 2 protocol tunneling parameters.

Default

Disabled.

Usage Guidelines

Use this command to display the global parameters for L2PT.

Example

The following is an example of the command's output:

# show l2pt
Encapsulation Destination MAC Address: 01:00:00:01:01:02

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

show ports protocol filter

show ports [port_list | all] protocol filter {detail}

Description

Displays the protocol filtering configuration and status.

Syntax Description

port_list Displays port list, separated by a comma ( , ) or dash ( - ).

all Displays all ports.

detail Displays detailed configuration and status.

Default

Displays all protocol filters.

Usage Guidelines

Use this command to display the protocol filtering configuration and status.

Example

The following example displays the filtering configuration and status for ports 1-4:

# show ports 1-4 protocol filter
Port Protocol    Destination       Protocol Id  Field  Field  Field Packets
#    Filter Name Address           Type  Value  Offset Value  Mask  Filtered
---- ----------- ----------------- ----- ------ ------ ------ ----- ----------
1    my_list     01:80:C2:00:00:02 etype 0x8902 14     03:04  FF:FF 2300
                 01:80:C2:00:00:00 snap  0x4041                     5000
                 01:80:C2:00:00:00 snap  0x4041 16     01:02> FF:FF> 5000
2    lacp        01:80:C2:00:00:02 etype 0x8902 14     01     FF    3200
3    (none)
4    (none)

> indicates that the value was truncated to the column size in the output. Use the “detail” option to see the complete value.

The following example displays output for the show ports protocol filter detail command:

show ports 1-4 protocol filter detail
Port 1
    Protocol Filter Name: my_list
        Destination Address : 01:80:C2:00:00:02
        Protocol Id Type    : etype
        Protocol Id Value   : 0x8902
        Field Offset        : 14
        Field Value         : 03:04
        Field Mask          : FF:FF
        Packets Filtered    : 2300
        Destination Address : 01:80:C2:00:00:00
        Protocol Id Type    : snap
        Protocol Id Value   : 0x4041
        Field Offset        : 16
        Field Value         : 01:02:03:04
        Field Mask          : FF:FF:FF:FF
        Packets Filtered    : 5000
        Destination Address : 01:80:C2:00:00:00
        Protocol Id Type    : snap
        Protocol Id Value   : 0x4041
        Field Offset        :
        Field Value         :
        Field Mask          :
        Packets Filtered    : 5000

Port 2
    Protocol Filter Name: lacp
        Destination Address : 01:80:C2:00:00:02
        Protocol Id Type    : etype
        Protocol Id Value   : 0x8902
        Field Offset        : 14
        Field Value         : 01
        Field Mask          : FF
        Packets Filtered    : 3200

Port 3
    Protocol Filter Name: (none)

Port 4
    Protocol Filter Name: (none)


History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

show private-vlan <name>

show {private-vlan} name

Description

Displays information about the specified PVLAN.

Syntax Description

name Specifies the name of the PVLAN to display.

Default

N/A.

Usage Guidelines

If the PVLAN is incomplete because it does not have a network or any subscriber VLAN configured, [INCOMPLETE] appears next to the PVLAN name.

Example

The following example output displays information for the companyx PVLAN:

* (debug) BD-8808.1 # show private-vlan "Engineering"
--------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags               Proto  Ports  Virtual
                                                                    Active router
                                                                    /Total
--------------------------------------------------------------------------------------
Engineering
 Network VLAN:
  -Engr1        10   -------------------------------------- ANY    4 /5   VR-Default
 Non-Isolated Subscriber VLAN:
  -ni1          400  -------------------------------------- ANY    1 /1   VR-Default
  -ni2          401  -------------------------------------  ANY    1 /1   VR-Default
 Isolated Subscriber VLAN:
  -i1           500  -------------------------------------  ANY    1 /1   VR-Default
--------------------------------------------------------------------------------------
Flags : (C) EAPS Control vlan, (d) NetLogin Dynamically created VLAN,
        (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled,
        (i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled,
        (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled,
        (N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled,
        (P) EAPS protected vlan, (r) RIP Enabled,
        (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.

show private-vlan

show private-vlan

Description

Displays information about all the PVLANs on the switch.

Syntax Description

This command has no arguments or variables.

Default

N/A.

Usage Guidelines

If the PVLAN is incomplete because it does not have a network or any subscriber VLAN configured, [INCOMPLETE] appears next to the PVLAN name.

Example

The following example output displays all the PVLANs on the switch:

* (debug) BD-8808.1 # show private-vlan
--------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags               Proto  Ports  Virtual
                                                                    Active router
                                                                    /Total
--------------------------------------------------------------------------------------
Engineering
 Network VLAN:
  -Engr1        10   -------------------------------------- ANY    4 /5   VR-Default
 Non-Isolated Subscriber VLAN:
  -ni1          400  -------------------------------------- ANY    1 /1   VR-Default
  -ni2          401  -------------------------------------  ANY    1 /1   VR-Default
 Isolated Subscriber VLAN:
  -i1           500  -------------------------------------  ANY    1 /1   VR-Default
Ops
 Network VLAN:
  -Ops          20   -------------------------------------  ANY    2 /2   VR-Default
 Non-Isolated Subscriber VLAN:
  -OpsNi1       901  -------------------------------------  ANY    1 /1   VR-Default
  -OpsNi2       902  -------------------------------------  ANY    1 /1   VR-Default
  -OpsNi3       903  -------------------------------------  ANY    1 /1   VR-Default
  -OpsNi4       904  -------------------------------------  ANY    1 /1   VR-Default
 Isolated Subscriber VLAN:
  -OpsI0        600  -------------------------------------  ANY    1 /1   VR-Default
  -OpsI1        601  -------------------------------------  ANY    1 /1   VR-Default
  -OpsI2        602  -------------------------------------  ANY    1 /1   VR-Default
  -OpsI3        603  -------------------------------------  ANY    1 /1   VR-Default
  -OpsI4        604  -------------------------------------  ANY    1 /1   VR-Default
Sales [INCOMPLETE]
 Network VLAN:
  -NONE
 Non-Isolated Subscriber VLAN:
  -SalesNi1     701  -------------------------------------  ANY    1 /1   VR-Default
  -SalesNi2     702  -------------------------------------  ANY    1 /1   VR-Default
 Isolated Subscriber VLAN:
  -SalesI0      800  -------------------------------------  ANY    1 /1   VR-Default
--------------------------------------------------------------------------------------
Flags : (C) EAPS Control vlan, (d) NetLogin Dynamically created VLAN,
        (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled,
        (i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled,
        (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled,
        (N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled,
        (P) EAPS protected vlan, (r) RIP Enabled,
        (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled
Total number of PVLAN(s) : 3

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document.

show protocol

show protocol {filter} {filter_name} {detail}

Description

Displays protocol filter definitions and the complete protocol configuration.

Syntax Description

filter Displays a protocol filter.

name Displays a protocol filter name.

detail Displays protocol information in detail.

Default

Displays all protocol filters.

Usage Guidelines

Displays the defined protocol filter(s) with the types and values of its component protocols.

Example

The following is an example of the command's output:

# show protocol
Protocol Filter Name Protocol Id     Destination Field   Field  Field
                     Type     Value  Address     Offset  Value  Mask
-------------------- -------- ------ ----------- ------- ------ -------
IP                   etype    0x0800
                     etype    0x0806
ANY                  ANY      0xffff
ipx                  etype    0x8137
IPv6                 etype    0x86dd
lacp                 etype    0x8809 01:80:C2:00:00:02> 14 01 FF
mpls                 etype    0x8847
appletalk            snap     0x809b
                     snap     0x80f3

> indicates that the value was truncated to the column size in the output. Use the “detail” option to see the complete value.

The following example displays the show protocol detail command:

show protocol detail
Protocol Filter Name : appletalk
    Protocol Id Type   : snap
    Protocol Id Value  : 0x809b
    Destination Address:
    Field Offset       :
    Field Value        :
    Field Mask         :
    Protocol Id Type   : snap
    Protocol Id Value  : 0x80f3
    Destination Address:
    Field Offset       :
    Field Value        :
    Field Mask         :

Protocol Filter Name : lacp
    Protocol Id Type   : etype
    Protocol Id Value  : 0x8809
    Destination Address: 01:80:C2:00:00:02
    Field Offset       : 14
    Field Value        : 01
    Field Mask         : FF

# show protocol filter “lacp” detail
Protocol Filter Name : lacp
    Protocol Id Type   : etype
    Protocol Id Value  : 0x8809
    Destination Address: 01:80:C2:00:00:02
    Field Offset       : 14
    Field Value        : 01
    Field Mask         : FF

History

This command was first available in ExtremeXOS 10.1.

The filter and detail keywords were added in ExtremeXOS 15.5.


Platform Availability

This command is available on all platforms.
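When auditing which control frames a protocol filter would select, the fields printed by show protocol detail can be parsed and applied to captured frames. The following is an added example, not ExtremeXOS code and not part of the original guide; the function names, the sample frames, and the matching semantics (Field Offset counted in bytes from the start of an untagged frame, a byte-wise masked comparison, and the standard 802.2 LLC/SNAP layout for snap entries) are assumptions.

```python
import re

# Field labels as printed by "show protocol detail".
KEYS = ["Protocol Filter Name", "Protocol Id Type", "Protocol Id Value",
        "Destination Address", "Field Offset", "Field Value", "Field Mask"]
KEY_RE = re.compile(r"(%s)\s*:" % "|".join(KEYS))

# Constructed sample, built from the values in the guide's example output.
SAMPLE_OUTPUT = """
Protocol Filter Name : appletalk
    Protocol Id Type   : snap
    Protocol Id Value  : 0x809b
    Destination Address:
    Field Offset       :
    Field Value        :
    Field Mask         :
    Protocol Id Type   : snap
    Protocol Id Value  : 0x80f3
    Destination Address:
    Field Offset       :
    Field Value        :
    Field Mask         :
Protocol Filter Name : lacp
    Protocol Id Type   : etype
    Protocol Id Value  : 0x8809
    Destination Address: 01:80:C2:00:00:02
    Field Offset       : 14
    Field Value        : 01
    Field Mask         : FF
"""

def hexbytes(text):
    """Convert '01:80:C2' or '0180C2' to bytes."""
    return bytes.fromhex(text.replace(":", ""))

def parse_filters(text):
    """Return {filter_name: [rule, ...]}. Splitting on the field labels makes
    this work whether fields are one per line or run together on one line."""
    parts = KEY_RE.split(text)            # [preamble, key, value, key, value, ...]
    filters, name, rule = {}, None, None
    for key, raw in zip(parts[1::2], parts[2::2]):
        tokens = raw.split()
        value = tokens[0] if tokens else ""   # every value is a single token
        if key == "Protocol Filter Name":
            name, rule = value, None
            filters.setdefault(name, [])
        elif key == "Protocol Id Type" and name is not None:
            rule = {"type": value}            # each Protocol Id Type starts a rule
            filters[name].append(rule)
        elif rule is not None:
            rule[key] = value
    return filters

def rule_matches(frame, rule):
    """True if an untagged Ethernet frame satisfies one rule (assumed semantics)."""
    dmac = rule.get("Destination Address", "")
    if dmac and frame[0:6] != hexbytes(dmac):
        return False
    if not rule.get("Protocol Id Value"):
        return False
    pid = int(rule["Protocol Id Value"], 16).to_bytes(2, "big")
    if rule["type"] == "etype":
        if frame[12:14] != pid:
            return False
    elif rule["type"] == "snap":
        # 802.3 length, LLC AA-AA-03, 3-byte OUI, then the 2-byte SNAP protocol id
        is_length = int.from_bytes(frame[12:14], "big") <= 1500
        if not (is_length and frame[14:17] == b"\xaa\xaa\x03" and frame[20:22] == pid):
            return False
    else:
        return False                          # other types are not modelled here
    if rule.get("Field Offset"):
        off = int(rule["Field Offset"])
        want, mask = hexbytes(rule["Field Value"]), hexbytes(rule["Field Mask"])
        got = frame[off:off + len(want)]
        if len(got) != len(want) or len(mask) != len(want):
            return False
        return all((g & m) == (w & m) for g, w, m in zip(got, want, mask))
    return True

def classify(frame, filters):
    """Names of all filters with at least one rule matching the frame."""
    return sorted(n for n, rules in filters.items()
                  if any(rule_matches(frame, r) for r in rules))

# Constructed frames: slow-protocols subtype 0x01 (LACP) and 0x02 (Marker),
# and an AppleTalk frame carried in LLC/SNAP.
SRC = hexbytes("02:00:00:00:00:01")
SLOW = hexbytes("01:80:C2:00:00:02") + SRC + b"\x88\x09"
LACP_FRAME = SLOW + b"\x01\x01" + bytes(44)
MARKER_FRAME = SLOW + b"\x02\x01" + bytes(44)
ATALK_FRAME = (hexbytes("09:00:07:FF:FF:FF") + SRC + (30).to_bytes(2, "big")
               + b"\xaa\xaa\x03" + b"\x08\x00\x07" + b"\x80\x9b" + bytes(22))

if __name__ == "__main__":
    parsed = parse_filters(SAMPLE_OUTPUT)
    for label, frame in [("lacp", LACP_FRAME), ("marker", MARKER_FRAME),
                         ("appletalk", ATALK_FRAME)]:
        print(label, "->", classify(frame, parsed) or "no filter matches")
```

The Marker frame shares the destination address and ethertype with LACP but is not selected, because the lacp filter's field match at offset 14 requires subtype 01.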

show vlan

show vlan {virtual-router vr-name}

show {vlan} vlan_name {ipv4 | ipv6}

show vlan [tag tag | detail] {ipv4 | ipv6}

show vlan ports

Description

Displays information about one or all VLANs.

Syntax Description

vr-name Specifies a VR name for which to display summary information for all VLANs. If no VR name is specified, the software displays summary information for all VLANs in the current VR context.

Note: User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR-Default and cannot be moved.

vlan_name Specifies a VLAN name for which to display detailed VLAN information.

tag Specifies the 802.1Q tag of a VLAN for which to display detailed VLAN information.

detail Specifies that detailed information should be displayed for all VLANs.

ipv4 Specifies IPv4.

ipv6 Specifies IPv6.

ports Displays VLAN ports information.

Default

Summary information for all VLANs on the device.

Usage Guidelines

Note: To display IPv6 information, you must issue either the show vlan detail command or show vlan command with the name of the specified VLAN.


Unlike many other VLAN-related commands, the keyword vlan is required in all forms of this command except when requesting information for a specific VLAN.

Use the command show vlan to display summary information for all VLANs. It shows various configuration options as a series of flags (see the example below). VLAN names, descriptions, and protocol names may be abbreviated in this display.

Use the command show vlan detail to display detailed information for all VLANs. This displays the same information as for an individual VLAN, but shows every VLAN, one-by-one. After each VLAN display you can elect to continue or quit.

Protocol none indicates that this VLAN was configured with a user-defined protocol that has subsequently been deleted.

Note: The BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches display the Mgmt VLAN in VR-Mgmt.

When an IPv6 address is configured for the VLAN, the system may display one of the following two address types in parentheses after the IPv6 address:

• Tentative

• Duplicate

Note: See the appropriate ExtremeXOS User Guide volume for information on IPv6 address types.

You can display additional useful information on VLANs configured with IPv6 addresses by issuing the show ipconfig ipv6 vlan vlan_name command.

When a displayed VLAN is part of a PVLAN, the display includes the PVLAN name and type (which is network, non-isolated subscriber, or isolated subscriber).

When the displayed VLAN is configured for VLAN translation, the display provides translation VLAN information. If the displayed VLAN is a translation VLAN, a list of translation VLAN members appears. If the displayed VLAN is a member VLAN, the display indicates the translation VLAN to which the member VLAN belongs.

Example

The following is example output of the show vlan command on a switch where PTP and CES are configured (for example, an E4G-200 or E4G-400):

E4G-400.15 # sh vlan
--------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                Proto  Ports  Virtual
                                                                     Active router
                                                                     /Total
--------------------------------------------------------------------------------------
Default         1    --------------------------------T------- ANY    1 /34  VR-Default
Mgmt            4095 ---------------------------------------- ANY    1 /1   VR-Mgmt
v1              40   1.1.1.51       /24  -fL---------------ek ANY    1 /10  VR-Default
v2              20   1.1.2.52       /24  -f----------------e- ANY    0 /1   VR-Default
--------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
        (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled,
        (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
        (F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for MLAG,
        (k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled,
        (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN,
        (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled,
        (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,
        (r) RIP Enabled, (R) Sub-VLAN IP Range Configured,
        (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,
        (T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled
Total number of VLAN(s) : 4

The following sample output shows OpenFlow status:

E4G-200.5 # show vlan
---------------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
                                                                            Active router
                                                                            /Total
---------------------------------------------------------------------------------------------
Default         1    ----------------------------------------------- ANY    0/0    VR-Default
ext             4094 ----------------------------------------------- ANY    0 /12  VR-Default
Mgmt            4095 ----------------------------------------------- ANY    1/1    VR-Mgmt
---------------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
        (d) Dynamically created VLAN, (D) VLAN Admin Disabled,
        (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
        (F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for MLAG,
        (k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled,
        (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN,
        (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled,
        (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,
        (r) RIP Enabled, (R) Sub-VLAN IP Range Configured,
        (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,
        (T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled
        (Z) Openflow Enabled

Total number of VLAN(s) : 3

The following sample output shows detailed OpenFlow status:

E4G-200.7 # show vlan detail
VLAN Interface with name Default created by user
    Admin State: Enabled     Tagging: 802.1Q Tag 1
    Description: None
    Virtual router: VR-Default
    IPv4 Forwarding: Disabled
    IPv4 MC Forwarding: Disabled
    IPv6 Forwarding: Disabled
    IPv6 MC Forwarding: Disabled
    IPv6: None
    STPD: s0(Disabled,Auto-bind)
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 0. (Number of active ports=0)

VLAN Interface with name ext created by user
    Admin State: Enabled     Tagging:Untagged (Internal tag 4094)
    Description: None
    Virtual router: VR-Default
    IPv6 Forwarding: Disabled
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Openflow: Enabled
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 12. (Number of active ports=0)
        Untag: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
        Flags: (*) Active, (!) Disabled, (g) Load Sharing port
               (b) Port blocked on the vlan, (m) Mac-Based port
               (a) Egress traffic allowed for NetLogin
               (u) Egress traffic unallowed for NetLogin
               (t) Translate VLAN tag for Private-VLAN
               (s) Private-VLAN System Port, (L) Loopback port
               (x) VMAN Tag Translated port
               (G) Multi-switch LAG Group port
               (H) Dynamically added by MVRP

VLAN Interface with name Mgmt created by user
    Admin State: Enabled     Tagging: 802.1Q Tag 4095
    Description: Management VLAN
    Virtual router: VR-Mgmt
    IPv4 Forwarding: Disabled
    IPv6 Forwarding: Disabled
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 1. (Number of active ports=1)
        Untag: Mgmt-port on Mgmt is active

The following example displays VLAN ports information:

show vlan ports 1,2,3,4,5,6,7,8,9,10,11,12
---------------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                       Proto  Ports  Virtual
                                                                            Active router
                                                                            /Total
---------------------------------------------------------------------------------------------
ext             4094 ----------------------------------------------- ANY    0 /12  VR-Default
---------------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
        (d) Dynamically created VLAN, (D) VLAN Admin Disabled,
        (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
        (F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for MLAG,
        (k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled,
        (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN,
        (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled,
        (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,
        (r) RIP Enabled, (R) Sub-VLAN IP Range Configured,
        (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,
        (T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled
        (Z) Openflow Enabled

Total number of VLAN(s) : 3 (1 displayed)

show vlan ports 1 detail
VLAN Interface with name ext created by user
    Admin State: Enabled     Tagging:Untagged (Internal tag 4094)
    Description: None
    Virtual router: VR-Default
    IPv4 Forwarding: Disabled
    IPv4 MC Forwarding: Disabled
    IPv6 Forwarding: Disabled
    IPv6 MC Forwarding: Disabled
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Openflow: Enabled
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 12. (Number of active ports=0)
        Untag: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
        Flags: (*) Active, (!) Disabled, (g) Load Sharing port
               (b) Port blocked on the vlan, (m) Mac-Based port
               (a) Egress traffic allowed for NetLogin
               (u) Egress traffic unallowed for NetLogin
               (t) Translate VLAN tag for Private-VLAN
               (s) Private-VLAN System Port, (L) Loopback port
               (x) VMAN Tag Translated port
               (G) Multi-switch LAG Group port
               (H) Dynamically added by MVRP

The following example is the show output of a VLAN that has a port-specific tag. The tag is displayed in parentheses.

VLAN Interface with name vl1 created by user
    Admin State: Enabled     Tagging: 802.1Q Tag 100
    Description: None
    Virtual router: VR-Default
    IPv4 Forwarding: Disabled
    IPv4 MC Forwarding: Disabled
    IPv6 Forwarding: Disabled
    IPv6 MC Forwarding: Disabled
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    OpenFlow: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 8. (Number of active ports=2)
        Untag: 5
        Tag: 1, 10, 11
        Port-specific Tag: 1(0010), 1(0011), *3(0101), *4(0102)

        Flags: (*) Active, (!) Disabled, (g) Load Sharing port
               (b) Port blocked on the vlan, (m) Mac-Based port
               (a) Egress traffic allowed for NetLogin
               (u) Egress traffic unallowed for NetLogin
               (t) Translate VLAN tag for Private-VLAN
               (s) Private-VLAN System Port, (L) Loopback port
               (x) VMAN Tag Translated port
               (G) Multi-switch LAG Group port
               (H) Dynamically added by MVRP
               (U) Dynamically added uplink port
               (V) Dynamically added by VM Tracking

History

This command was first available in ExtremeXOS 10.1.

The IPv6 information was added in ExtremeXOS 11.2.

The netlogin information was added in ExtremeXOS 11.3.

The VR and administratively enabled/disabled information was added in ExtremeXOS 11.4.

The tag option was added in ExtremeXOS 12.4.4.

The OpenFlow status feature was added in ExtremeXOS 15.3.

Platform Availability

This command is available on all platforms.

Information on MAC-based ports is available only on the Summit family of switches, SummitStack, and the BlackDiamond 8800 series switch.

show vlan description

show vlan description

Description

Displays a list of VLANs and VLAN descriptions.

Syntax Description

This command has no arguments or variables.

Default

N/A.


Usage Guidelines

None.

Example

The following example displays the descriptions for all VLANs:

# show vlan description
----------------------------------------------------------------------------
Name            VID  Description
----------------------------------------------------------------------------
ctrl1           11   Control Vlan
ctrl2           102  Control Vlan 2
Default         1
v1              60   vlan 1
vplsVlan        3296 L2 VPN to home office
----------------------------------------------------------------------------
Total number of VLAN(s) : 5

History

This command was first available in ExtremeXOS 12.4.4.

Platform Availability

This command is available on all platforms.

show vlan l2pt

show [vlan | vman] vlan_name {ports port_list} l2pt {detail}

Description

Displays the L2PT configuration and status of a service.

Syntax Description

vlan Displays VLAN configuration.

vman Displays VMAN configuration.

vlan_name Specifies a VLAN name.

ports port_list Displays the ports and port list separated by a comma ( , ) or dash ( - ).

detail Displays the L2PT configuration and status in detail.

Default

Disabled.


Usage Guidelines

Use this command to display the L2PT configuration and status of a service.

Example

The following is an example of the show vman ports l2pt command:

# show vman cust2 ports 1:2,1:7 l2pt

Interface       L2PT Profile Name
--------------- --------------------------------
1:2             my_l2pt_prof
1:7             (none)

The following example illustrates the show vman l2pt ports detail command:

show vman cust2 ports 1:2,1:7 l2pt detail
Port 1:2
    L2PT Profile Name : my_l2pt_profile
        Protocol Filter Name : filter1
            Destination Address: 01:80:C2:00:00:02
            Protocol Id Type   : etype
            Protocol Id Value  : 0x8902
            Field Offset       : 14
            Field Value        : 03
            Field Mask         : FF
            Action             : Tunnel
            CoS                : Default
            Packets Transmitted: 2300
            Packets Received   : 2300
        Protocol Filter Name : filter2
            Destination Address: 01:80:C2:00:00:00
            Protocol Id Type   : snap
            Protocol Id Value  : 0x4041
            Field Offset       :
            Field Value        :
            Field Mask         :
            Action             : Tunnel
            CoS                : 7
            Packets Transmitted: 500
            Packets Received   : 500
Port 1:7
    L2PT Profile Name : (none)

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.


show vman

show vman

show {vman} vman_name {ipv4 | ipv6}

show vman [tag tag | detail] {ipv4 | ipv6}

Description

Displays information about one or all VMANs.

Note: The information displayed for this command depends on the platform and configuration you are using.

Syntax Description

vman_name Specifies that information is displayed for the specified VMAN.

tag Specifies a VMAN using the 802.1Q tag.

detail Specifies that all information is displayed for each VMAN.

ipv4 Specifies IPv4.

ipv6 Specifies IPv6.

Default

Summary information for all VMANs on the switch.

Usage Guidelines

The information displayed with this command depends on the platform and configuration you are using.

Example

The following example displays a list of all the VMANs on the switch:

* BD-12804.17 # show vman
--------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags              Proto  Ports  Virtual
                                                                   Active router
                                                                   /Total
--------------------------------------------------------------------------------------
le1             4091 ------------------ ----------------a  ANY    2 /2   VR-Default
le2             4090 ------------------ ----------------a  ANY    0 /0   VR-Default
vm1             4089 ------------------ -----------------  ANY    0 /0   VR-Default
--------------------------------------------------------------------------------------
Flags : (a) Learning Domain (C) EAPS Control vlan, (E) ESRP Enabled,
        (f) IP Forwarding Enabled, (i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled,
        (L) Loopback Enabled, (m) IPmc Forwarding Enabled,
        (n) IP Multinetting Enabled, (N) Network LogIn vlan,
        (o) OSPF Enabled, (p) PIM Enabled,
        (P) EAPS protected vlan, (r) RIP Enabled, (T) Member of STP Domain,
        (v) VRRP Enabled, (B) 802.1ah Backbone VMAN, (S) 802.1ah Service VMAN
Total number of vman(s) : 3

The following example displays information on a single VMAN named vman1:

# show vman blue
VMAN Interface with name vman1 created by user
    Admin State: Enabled     Tagging: 802.1Q Tag 100
    Virtual router: VR-Default
    IPv4 Forwarding: Disabled
    IPv6 Forwarding: Disabled
    IPv6: None
    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 2. (Number of active ports=0)
        Tag: *1, *2
        CEP: *3: CVID 20-29
             *4: CVID 10-19 translate 20-29
             *5: CVID 10-19 translate 20-29,
                 CVID 30
        Flags: (*) Active, (!) Disabled, (g) Load Sharing port
               (b) Port blocked on the vlan, (m) Mac-Based port
               (a) Egress traffic allowed for NetLogin
               (u) Egress traffic unallowed for NetLogin
               (t) Translate VLAN tag for Private-VLAN
               (s) Private-VLAN System Port, (L) Loopback port
               (x) VMAN Tag Translated port
               (G) Multi-switch LAG Group port

The Port CVID output was added in the display of show vman vlan_name | detail in ExtremeXOS 15.3.2:

VMAN Interface with name vm1 created by user
    Admin State: Enabled     Tagging: 802.1Q Tag 1000
    Description: None
    Virtual router: VR-Default
    IPv4 Forwarding: Disabled
    IPv6 Forwarding: Disabled
    IPv6: None


    STPD: None
    Protocol: Match all unfiltered protocols
    Loopback: Disabled
    NetLogin: Disabled
    QosProfile: None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile: None configured
    Ports: 3. (Number of active ports=3)
        Untag: *21: Port CVID 5, *24: Port CVID 7,
        Tag: *22
        Flags: (*) Active, (!) Disabled, (g) Load Sharing port
               (b) Port blocked on the vlan, (m) Mac-Based port
               (a) Egress traffic allowed for NetLogin
               (u) Egress traffic unallowed for NetLogin
               (t) Translate VLAN tag for Private-VLAN
               (s) Private-VLAN System Port, (L) Loopback port
               (x) VMAN Tag Translated port
               (G) Multi-switch LAG Group port

The show vman detail command shows all the information shown in the show vman vlan_name command, but displays information for all configured VMANs.

History

This command was first available in ExtremeXOS 11.0.

Information on IEEE 802.1ah was added in ExtremeXOS 11.4.

The tag option was added in ExtremeXOS 12.4.4.

Port CVID output was added in ExtremeXOS 15.3.2.

Platform Availability

This command is available on all platforms.

CEP information is displayed only on BlackDiamond X8, BlackDiamond 8800 series switches and Summit family switches.

show vman eaps

show {vman} vman_name eaps

Description

Displays the EAPS domains to which the VMAN belongs.


Syntax Description

vman_name Specifies the name of the VMAN for which EAPS information is to bedisplayed.

DefaultN/A.

Usage GuidelinesNone.

Example

The following example displays a list of EAPS domains for the campus1 VMAN:

show vman campus1 eaps

History

This command was first available in ExtremeXOS 11.0.

Information on IEEE 802.1ah was added in ExtremeXOS 11.4.

Platform Availability

This command is available on all platforms.

show vman ethertype

show vman ethertype

Description

Displays the ethertype information and secondary ethertype port_list for VLANs, VMANs and PBBNs.

Syntax Description

This command has no arguments or variables.

Default

N/A.

Usage Guidelines

None.

Example

The following example shows the command output on switches that support only VMANs:

vMan ethertype: 0x88a8

The following example shows the command output on switches that support PBBNs:

# show vman ethertype
vman ethertype : 0x88a8
bvlan ethertype: 0x88b5

The following example shows the command output when a secondary ethertype is configured with ports information:

# show vman ethertype
Vman Primary ethertype : 0x9100
Vman Secondary ethertype : 0x8100
BVlan ethertype : 0x88b5
Secondary ethertype ports : 6:2g 6:3

The letter g in the port list indicates that the port is a LAG/Trunk port, the details of which can be seen using the show port sharing command.
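An added example, not part of the ExtremeXOS guide: a Python parser for the three show vman ethertype output forms shown above, which also separates the g (LAG/Trunk) flag from each secondary-ethertype port so the result can feed a configuration review. The function and variable names are assumptions of this example, and the sample text is copied from this section with line breaks restored.

```python
# Output text copied from the three `show vman ethertype` examples in this
# section, with line breaks restored; the prompt line is kept on purpose.
VMAN_ONLY = "vMan ethertype: 0x88a8\n"
PBBN = "# show vman ethertype\nvman ethertype : 0x88a8\nbvlan ethertype: 0x88b5\n"
SECONDARY = (
    "# show vman ethertype\n"
    "Vman Primary ethertype : 0x9100\n"
    "Vman Secondary ethertype : 0x8100\n"
    "BVlan ethertype : 0x88b5\n"
    "Secondary ethertype ports : 6:2g 6:3\n"
)

DEFAULT_VMAN_ETHERTYPE = 0x88A8  # default primary value given in this guide
# Labels differ in case and wording between the three output forms.
FIELDS = {"vman ethertype": "primary", "vman primary ethertype": "primary",
          "vman secondary ethertype": "secondary", "bvlan ethertype": "bvlan"}

def parse_vman_ethertype(text):
    """Return ethertypes as ints and the secondary-ethertype port list."""
    cfg = {"primary": None, "secondary": None, "bvlan": None, "secondary_ports": []}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # split at the first colon only
        label = " ".join(label.lower().split())
        if not sep:
            continue  # prompt/echo line or blank line
        if label == "secondary ethertype ports":
            for tok in value.split():
                lag = tok.endswith("g")  # trailing g marks a LAG/Trunk port
                cfg["secondary_ports"].append(
                    {"port": tok[:-1] if lag else tok, "lag": lag})
        elif label in FIELDS:
            cfg[FIELDS[label]] = int(value.strip(), 16)
    return cfg

def review(cfg):
    """List the settings an operator would want to confirm are intended."""
    notes = []
    if cfg["primary"] not in (None, DEFAULT_VMAN_ETHERTYPE):
        notes.append("primary VMAN ethertype is 0x%04x, not the default 0x88a8" % cfg["primary"])
    if cfg["secondary"] is not None:
        notes.append("secondary VMAN ethertype 0x%04x is configured" % cfg["secondary"])
    lag_ports = [p["port"] for p in cfg["secondary_ports"] if p["lag"]]
    if lag_ports:
        notes.append("check with 'show port sharing': " + ", ".join(lag_ports))
    return notes

if __name__ == "__main__":
    for sample in (VMAN_ONLY, PBBN, SECONDARY):
        print(parse_vman_ethertype(sample), review(parse_vman_ethertype(sample)))
```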

History

This command was first available in ExtremeXOS 11.0.

Information on IEEE 802.1ah was added in ExtremeXOS 11.4.

Platform Availability

This command is available on all platforms.

show vman l2pt

show [vlan | vman] vlan_name {ports port_list} l2pt {detail}

Description

Displays the L2PT configuration and status of a service.

Syntax Description

vlan Displays VLAN configuration.

vman Displays VMAN configuration.

vlan_name Specifies a VLAN name.

ports port_list Displays the ports and port list separated by a comma ( , ) or dash ( - ).

detail Displays the L2PT configuration and status in detail.

Default

Disabled.

Usage Guidelines

Use this command to display the L2PT configuration and status of a service.

Example

The following is an example of the show vman ports l2pt command:

# show vman cust2 ports 1:2,1:7 l2pt

Interface       L2PT Profile Name
--------------- --------------------------------
1:2             my_l2pt_prof
1:7             (none)

The following example illustrates the show vman l2pt ports detail command:

# show vman cust2 ports 1:2,1:7 l2pt detail
Port 1:2
  L2PT Profile Name : my_l2pt_profile
    Protocol Filter Name : filter1
      Destination Address: 01:80:C2:00:00:02
      Protocol Id Type : etype
      Protocol Id Value : 0x8902
      Field Offset : 14
      Field Value : 03
      Field Mask : FF
      Action : Tunnel
      CoS : Default
      Packets Transmitted: 2300
      Packets Received : 2300
    Protocol Filter Name : filter2
      Destination Address: 01:80:C2:00:00:00
      Protocol Id Type : snap
      Protocol Id Value : 0x4041
      Field Offset :
      Field Value :
      Field Mask :
      Action : Tunnel
      CoS : 7
      Packets Transmitted: 500
      Packets Received : 500
Port 1:7
  L2PT Profile Name : (none)

History

This command was first available in ExtremeXOS 15.5.

Platform Availability

This command is available on all platforms.

unconfigure vlan description

unconfigure {vlan} vlan_name description

Description

Removes the description for the specified VLAN.

Syntax Description

vlan_name Specifies the VLAN name.

Default

N/A.

Usage Guidelines

None.

Example

The following example removes the description from VLAN vlan1:

unconfigure vlan vlan1 description

History

This command was first available in ExtremeXOS 12.4.4.

Platform Availability

This command is available on all platforms.

unconfigure vlan ipaddress

unconfigure {vlan} vlan_name ipaddress {ipv6_address_mask}

Description

Removes the IP address of the VLAN or a VMAN. With no parameters, the command removes the primary IPv4 address on the specified VLAN. Using the IPv6 parameters, you can remove specified IPv6 addresses from the specified VLAN.

Syntax Description

vlan_name Specifies a VLAN or VMAN name.

ipv6_address_mask Specifies an IPv6 address using the format of IPv6-address/prefix-length, where IPv6 is the 128-bit address and the prefix length specifies the number of leftmost bits that comprise the prefix.

Default

Removes the primary IPv4 address from the specified VLAN or VMAN.

Usage Guidelines

Note
With IPv6, you cannot remove the last link local IPv6 address until all global IPv6 addresses are removed. For MLAG configurations, you cannot remove an IP address from a VLAN until after you delete the MLAG peer.

Example

The following command removes the primary IPv4 address from the VLAN "accounting":

unconfigure vlan accounting ipaddress

The following command removes an IPv6 address from the VLAN "finance":

unconfigure vlan finance ipaddress 3ffe::1

History

This command was first available in ExtremeXOS 10.1.

The IPv6 parameters were added in ExtremeXOS 11.2.

Platform Availability

This command is available on all platforms.

unconfigure vman ethertype

unconfigure vman ethertype {secondary}

Description

Restores the default primary VMAN ethertype value of 0x88A8 or deletes the secondary ethertype value.

Syntax Description

secondary Deletes the secondary ethertype value.

Default

If the secondary option is not specified, it restores the default primary VMAN ethertype value of 0x88a8.

Usage Guidelines

When you enter this command without the secondary option, the primary VMAN ethertype returns to the default value of 0x88A8. If you specify the secondary option, the secondary VMAN ethertype value is deleted (no value is assigned).

Note
Before unconfiguring the secondary VMAN ethertype, any secondary VMAN port must be changed to the primary VMAN ethertype; otherwise the command fails.

Example

The following example restores the primary VMAN ethertype to the default value:

unconfigure vman ethertype

The following example deletes the secondary VMAN ethertype:

unconfigure vman ethertype secondary

History

This command was first available in ExtremeXOS 11.0.

Platform Availability

This command is available on all platforms.