Layer 2 Basics. ExtremeXOS 15.5 User Guide. 120936-00 Rev. 2

Layer 2 Basics ExtremeXOS 15.5 User Guide 120936-00 Rev. 2 Published June 2014

Copyright 2011 2014 All rights reserved. Legal Notice Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/company/legal/trademarks/ Support For product support, including documentation, visit: www.extremenetworks.com/support/ For information, contact: Extreme Networks, Inc. 145 Rio Robles San Jose, California 95134 USA

Table of Contents Preface...6 Conventions...6 Related Publications... 7 Providing Feedback to Us... 8 Navigating the ExtremeXOS User Guide...9 Chapter 1: VLANs...10 VLANs Overview... 10 Configuring VLANs on the Switch...19 Displaying VLAN Information...23 Private VLANs...24 VLAN Translation... 42 Port-Specific VLAN Tag...51 Chapter 2: VMAN (PBN)...56 VMAN Overview... 56 PBBNs... 61 VMAN Configuration Options and Features... 64 Configuration...67 Displaying Information... 70 Configuration Examples... 71 Chapter 3: FDB... 74 FDB Contents...74 How FDB Entries Get Added... 74 How FDB Entries Age Out...75 FDB Entry Types...75 Managing the FDB... 77 Displaying FDB Entries and Statistics...81 MAC-Based Security...81 Managing MAC Address Tracking... 85 Chapter 4: Layer 2 Basic Commands...87 clear counters fdb mac-tracking...89 clear counters ports protocol filter...90 clear fdb... 91 clear l2pt counters vlan...92 clear l2pt counters vman...93 clear l2pt counters vpls...93 create l2pt profile...94 configure fdb agingtime... 95 configure fdb mac-tracking ports...96 configure fdb static-mac-move packets... 97 configure l2pt encapsulation dest-mac... 98 configure l2pt profile add profile... 99 configure l2pt profile delete profile... 100 configure port ethertype... 101 configure ports l2pt profile...102 configure ports protocol filter...103 Layer 2 Basics 3

Table of Contents configure private-vlan add network... 104 configure private-vlan add subscriber...104 configure private-vlan delete... 105 configure protocol add...106 configure protocol delete...108 configure protocol filter...109 configure vlan add ports private-vlan translated...111 configure vlan add ports... 112 configure vlan delete ports... 113 configure vlan description...114 configure vlan ipaddress... 115 configure vlan name... 117 configure vlan protocol...118 configure vlan tag...119 configure vlan-translation add loopback-port...120 configure vlan-translation add member-vlan...121 configure vlan-translation delete loopback-port... 122 configure vlan-translation delete member-vlan... 123 configure vman add ports cep...124 configure vman add ports...126 configure vman delete ports...129 configure vman ethertype...129 configure vman ports add cvid...131 configure vman ports delete cvid...132 configure vman protocol...133 configure vman tag... 134 configure vpls peer l2pt profile...135 create fdb mac-tracking entry... 136 create fdbentry vlan ports...137 create l2pt profile... 139 create private-vlan...140 create protocol... 141 create vlan...142 create vman...144 delete fdb mac-tracking entry... 145 delete fdbentry... 146 delete l2pt profile... 146 delete private-vlan... 147 delete protocol... 148 delete vlan...149 delete vman...150 disable dot1p examination inner-tag ports...151 disable fdb static-mac-move... 152 disable flooding ports...153 disable learning iparp sender-mac...154 disable learning port...155 disable loopback-mode vlan... 156 disable snmp traps fdb mac-tracking...157 disable vlan... 158 Layer 2 Basics 4

Table of Contents disable vman cep egress filtering ports...159 enable dot1p examination inner-tag port... 160 enable fdb static-mac-move... 161 enable flooding ports...161 enable learning iparp sender-mac...163 enable learning port... 164 enable loopback-mode vlan... 165 enable snmp traps fdb mac-tracking... 166 enable vlan... 166 enable vman cep egress filtering ports... 167 show fdb mac-tracking configuration...168 show fdb mac-tracking statistics...169 show fdb static-mac-move configuration...170 show fdb stats... 171 show fdb...173 show l2pt profile...176 show l2pt...177 show ports protocol filter... 178 show private-vlan <name>... 180 show private-vlan...181 show protocol...183 show vlan... 185 show vlan description...191 show vlan l2pt...192 show vman...194 show vman eaps...196 show vman ethertype...197 show vman l2pt... 198 unconfigure vlan description...200 unconfigure vlan ipaddress... 201 unconfigure vman ethertype... 202 Layer 2 Basics 5

Preface Conventions This section discusses the conventions used in this guide. Text Conventions The following tables list text conventions that are used throughout this guide. Table 1: Notice Icons Icon Notice Type Alerts you to... Note Important features or instructions. Caution Risk of personal injury, system damage, or loss of data. Warning Risk of severe personal injury. New This command or section is new for this release. Table 2: Text Conventions Convention Screen displays Description This typeface indicates command syntax, or represents information as it appears on the screen. The words enter and type [Key] names Words in italicized type When you see the word enter in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says type. Key names are written with brackets, such as [Return] or [Esc]. If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press [Ctrl]+[Alt]+[Del] Italics emphasize a point or denote new terms at the place where they are defined in the text. Italics are also used when referring to publication titles. Layer 2 Basics 6

Preface Platform-Dependent Conventions Unless otherwise noted, all information applies to all platforms supported by ExtremeXOS software, which are the following: BlackDiamond X8 series switch BlackDiamond 8800 series switches Cell Site Routers (E4G-200 and E4G-400) Summit family switches SummitStack When a feature or feature implementation applies to specific platforms, the specific platform is noted in the heading for the section describing that implementation in the ExtremeXOS command documentation. In many cases, although the command is available on all platforms, each platform uses specific keywords. These keywords specific to each platform are shown in the Syntax Description and discussed in the Usage Guidelines. Terminology When features, functionality, or operation is specific to a switch family, the family name is used. Explanations about features and operations that are the same across all product families simply refer to the product as the switch. Related Publications Documentation for Extreme Networks products is available at: www.extremenetworks.com. The following is a list of related publications currently available: ExtremeXOS User Guide ExtremeXOS Hardware and Software Compatibility Matrix ExtremeXOS Legacy CLI Quick Reference Guide ExtremeXOS ScreenPlay User Guide Using AVB with Extreme Switches BlackDiamond 8800 Series Switches Hardware Installation Guide BlackDiamond X8 Switch Hardware Installation Guide Extreme Networks Pluggable Interface Installation Guide Summit Family Switches Hardware Installation Guide Ridgeline Installation and Upgrade Guide Ridgeline Reference Guide SDN OpenFlow Implementation Guide SDN OpenStack Install Guide Some ExtremeXOS software files have been licensed under certain open source licenses. Information is available at: www.extremenetworks.com/services/osl-exos.aspx Layer 2 Basics 7

Preface Providing Feedback to Us We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about: Content errors or confusing or conflicting information. Ideas for improvements to our documentation so you can find the information you need faster. Broken links or usability issues. If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online feedback form. You can also email us directly at internalinfodev@extremenetworks.com. Layer 2 Basics 8

Navigating the ExtremeXOS User Guide This guide consists of the following eight volumes that contain feature descriptions, conceptual material, configuration details, command references and examples: Basic Switch Operation Policies and Security Layer 2 Basics Layer 2 Protocols Layer 3 Basics Layer 3 Unicast Protocols Multicast Advanced Features Layer 2 Basics 9

1 VLANs VLANs Overview Configuring VLANs on the Switch Displaying VLAN Information Private VLANs VLAN Translation Port-Specific VLAN Tag This chapter contains information about configuring VLANs, displaying VLAN information, private VLANs, and VLAN translation. In addition, you can learn about the benefits and types of VLANs, along with valuable information about virtual routers. VLANs Overview Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations. Note The software supports using IPv6 addresses, in addition to IPv4 addresses. You can configure the VLAN with an IPv4 address, IPv6 address, or both. See IPv6 Unicast Routing for complete information on using IPv6 addresses. The term VLAN is used to refer to a collection of devices that communicate as if they were on the same physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not restricted by the hardware that physically connects them. The segments are defined by flexible user groups that you create with the command line interface (CLI). Note The system switches traffic within each VLAN using the Ethernet MAC address. The system routes traffic between two VLANs using the IP addresses. Benefits Implementing VLANs on your networks has the following advantages: VLANs help to control traffic With traditional networks, broadcast traffic that is directed to all network devices, regardless of whether they require it, causes congestion. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that must communicate with each other. Layer 2 Basics 10

VLANs VLANs provide extra security Devices within each VLAN can communicate only with member devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN Sales, the traffic must cross a routing device. VLANs ease the change and movement of devices With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually. Virtual Routers and VLANs The ExtremeXOS software supports virtual routers. Each port can belong to multiple virtual routers. Ports can belong to different VLANs that are in different virtual routers. Note You can create virtual routers only on BlackDiamond X8 series switches, BlackDiamond 8000 c-, xl-, and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X460, X480, X670, and X770 switches. If you do not specify a virtual router when you create a VLAN, the system creates that VLAN in the default virtual router (VR-). The management VLAN is always in the management virtual router (VR-Mgmt). After you create virtual routers, the ExtremeXOS software allows you to designate one of these virtual routers as the domain in which all your subsequent configuration commands, including VLAN commands, are applied. After you create virtual routers, ensure that you are creating each VLAN in the desired virtual router domain. Also, ensure that you are in the correct virtual router domain before you begin modifying each VLAN. For information on configuring and using virtual routers, see Virtual Routers. Types of VLANs This section introduces the following types of VLANs: Port-Based VLANs Tagged VLANs Protocol-Based VLANs Note You can have netlogin dynamic VLANs and, on the Summit family of switches and BlackDiamond 8800 series switches only, netlogin MAC-based VLANs. See Network Login for complete information on netlogin. VLANs can be created according to the following criteria: Physical port IEEE 802.1Q tag Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type A combination of these criteria Layer 2 Basics 11

VLANs Port-Based VLANs In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch. At boot-up, all ports are members of the port-based VLAN default. Before you can add any port to another port-based VLAN, you must remove it from the default VLAN, unless the new VLAN uses a protocol other than the default protocol any. An untagged port can be a member of only one portbased VLAN. On the Extreme Networks switch in the following figure, ports 9 through 14 are part of VLAN Marketing; ports 25 through 29 are part of VLAN Sales; and ports 21 through 24 and 30 through 32 are in VLAN Finance. Figure 1: Example of a Port-Based VLAN on an Extreme Networks Switch For the members of different IP VLANs to communicate, the traffic must be routed by the switch, even if the VLANs are physically part of the same I/O module. This means that each VLAN must be configured as a router interface with a unique IP address. Spanning Switches with Port-Based VLANs To create a port-based VLAN that spans two switches, you must do two things: 1 Assign the port on each switch to the VLAN. Layer 2 Basics 12

VLANs 2 Cable the two switches together using one port on each switch per VLAN. The following figure illustrates a single VLAN that spans a BlackDiamond switch and another Extreme Networks switch. All ports on the System 1 switch belong to VLAN Sales. Ports 1 through 29 on the system 2 switch also belong to VLAN Sales. The two switches are connected using slot 8, port 4 on System 1 (the BlackDiamond switch), and port 29 on system 2 (the other switch). Figure 2: Single Port-based VLAN Spanning Two Switches 3 To create multiple VLANs that span two switches in a port-based VLAN, a port on System 1 must be cabled to a port on System 2 for each VLAN you want to have span across the switches. At least one port on each switch must be a member of the corresponding VLANs as well. The following figure illustrates two VLANs spanning two switches. On System 2, ports 25 through 29 are part of VLAN Accounting; ports 21 through 24 and ports 30 through 32 are part of VLAN Engineering. On System 1, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of VLAN Engineering. Figure 3: Two Port-based VLANs Spanning Two Switches VLAN Accounting spans System 1 and System 2 by way of a connection between System 2, port 29 and System 1, slot 1, port 6. VLAN Engineering spans System 1 and System 2 by way of a connection between System 2, port 32, and System 1, slot 8, port 6. Layer 2 Basics 13

VLANs 4 Using this configuration, you can create multiple port-based VLANs that span multiple switches, in a daisy-chained fashion. Tagged VLANs Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the identification number of a specific VLAN, called the VLANid (valid numbers are 1 to 4094). Note The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices and may also lead to connectivity problems if non-802.1q bridges or routers are placed in the path. Uses of Tagged VLANs Tagging is most commonly used to create VLANs that span switches. The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span multiple switches using one or more trunks. In a port-based VLAN, each VLAN requires its own pair of trunk ports, as shown in the following figure. Using tags, multiple VLANs can span two switches with a single trunk. Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This is particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The device must have a Network Interface Card (NIC) that supports IEEE 802.1Q tagging. A single port can be a member of only one port-based VLAN. All additional VLAN membership for the port must be accompanied by tags. Assigning a VLAN Tag Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag defined, you decide whether each port uses tagging for that VLAN. The default mode of the switch is to have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1 assigned. Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of the switch, the switch determines (in real time) if each destination port should use tagged or untagged packet formats for that VLAN. The switch adds and strips tags, as required, by the port configuration for that VLAN. Note Packets arriving tagged with a VLANid that is not configured on a port are discarded. The following figure illustrates the physical view of a network that uses tagged and untagged traffic. Layer 2 Basics 14

VLANs Figure 4: Physical Diagram of Tagged and Untagged Traffic The following figure is a logical diagram of the same network. Figure 5: Logical Diagram of Tagged and Untagged Traffic In the figures above: The trunk port on each switch carries traffic for both VLAN Marketing and VLAN Sales. The trunk port on each switch is tagged. The server connected to port 25 on System 1 has a NIC that supports 802.1Q tagging. The server connected to port 25 on System 1 is a member of both VLAN Marketing and VLAN Sales. All other stations use untagged traffic. As data passes out of the switch, the switch determines if the destination port requires the frames to be tagged or untagged. All traffic coming from and going to the server is tagged. Traffic coming from and going to the trunk ports is tagged. The traffic that comes from and goes to the other stations on this network is not tagged. Mixing Port-Based and Tagged VLANs You can configure the switch using a combination of port-based and tagged VLANs. A given port can be a member of multiple VLANs, with the stipulation that only one of its VLANs uses untagged traffic. Layer 2 Basics 15

VLANs In other words, a port can simultaneously be a member of one port-based VLAN and multiple tagbased VLANs. Note For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLANid of 0 are treated as untagged. Protocol-Based VLANs Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. For example, in the following figure, the hosts are running both the IP and NetBIOS protocols. The IP traffic has been divided into two IP subnets, 192.207.35.0 and 192.207.36.0. The subnets are internally routed by the switch. The subnets are assigned different VLAN names, Finance and Personnel, respectively. The remainder of the traffic belongs to the VLAN named MyCompany. All ports are members of the VLAN MyCompany. Figure 6: Protocol-Based VLANs The following sections provide information on using protocol-based VLANs: Predefined Protocol Filters on page 16 Defining Protocol Filters on page 17 Configuring a VLAN to Use a Protocol Filter on page 18 Deleting a Protocol Filter on page 18 Predefined Protocol Filters The following protocol filters are predefined on the switch: Layer 2 Basics 16

VLANs IP (IPv4) IPv6 (11.2 IPv6) MPLS IPX NetBIOS DECNet IPX_8022 IPX_SNAP AppleTalk Defining Protocol Filters If necessary, you can define a customized protocol filter by specifying EtherType, Logical Link Control (LLC), or Subnetwork Access Protocol (SNAP). Up to six protocols can be part of a protocol filter. To define a protocol filter: 1 Create a protocol using the following command: create protocol_name For example: create protocol fred The protocol name can have a maximum of 32 characters. 2 Configure the protocol using the following command: configure protocol_name add [etype llc snap] hex {[etype llc snap] hex} Supported protocol types include: etype EtherType The values for etype are four-digit hexadecimal numbers taken from a list maintained by the IEEE. This list can be found at the following URL: http://standards.ieee.org/regauth/ ethertype/index.html. Note Protocol-based VLAN for Etype from 0x0000 to 0x05ff are not classifying as per filter. When traffic arrive with these Etypes, it is classifed to native VLAN rather protocol based vlan. llc LLC Service Advertising Protocol (SAP) snap EtherType inside an IEEE SNAP packet encapsulation The values for llc are four-digit hexadecimal numbers that are created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP). The values for snap are the same as the values for etype, described previously. For example: configure protocol fred add llc feff configure protocol fred add snap 9999 Layer 2 Basics 17

VLANs A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined. No more than seven protocols can be active and configured for use. Note For more information on SNAP for Ethernet protocol types, see TR 11802-5:1997 (ISO/IEC) [ANSI/IEEE std. 802.1H, 1997 Edition]. Configuring a VLAN to Use a Protocol Filter To configure a VLAN to use a protocol filter, use the following command:. configure {vlan} vlan_name protocol protocol_name Deleting a Protocol Filter If a protocol filter is deleted from a VLAN, the VLAN is assigned a protocol filter of 'any'. You can continue to configure the VLAN. However, no traffic is forwarded to the VLAN until a protocol is assigned to it. Precedence of Tagged Packets Over Protocol Filters If a VLAN is configured to accept tagged packets on a particular port, incoming packets that match the tag configuration take precedence over any protocol filters associated with the VLAN. VLAN The default switch configuration includes one default VLAN that has the following properties: The VLAN name is default. It contains all the ports on a new or initialized switch. The default VLAN is untagged on all ports. It has an internal VLANid of 1; this value is userconfigurable. VLAN Names VLAN names must conform to the guidelines listed in Object Names. VLAN names can be specified using the [Tab] key for command completion. VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to that switch. If another switch is connected to it, the VLAN names have no significance to the other switch. Note We recommend that you use VLAN names consistently across your entire network. You must use mutually exclusive names for the following: Layer 2 Basics 18

VLANs VLANs VMANs IPv6 tunnels SVLANs CVLANs BVLANs Configuring VLANs on the Switch Refer to the following sections for instruction on configuring VLANs on a switch: VLAN Configuration Overview on page 19 Creating and Deleting VLANs on page 20 Managing a VLAN IP Address on page 20 Configuring a VLAN Tag on page 20 Adding and Removing Ports from a VLAN on page 20 Adding and Removing VLAN Descriptions on page 21 Renaming a VLAN on page 21 Enabling and Disabling VLANs on page 21 VLAN Configuration Examples on page 22 VLAN Configuration Overview The following procedure provides an overview of VLAN creation and configuration: 1 Create and name the VLAN. create vlan vlan_name {tag name} {description vlan-description} {vr name} 2 If needed, assign an IP address and mask (if applicable) to the VLAN as described in Managing a VLAN IP Address on page 20. 3 If any ports in this VLAN will use a tag, assign a VLAN tag. configure {vlan} vlan_name tag tag {remote-mirroring} 4 Assign one or more ports to the VLAN. configure {vlan} vlan_name add ports [port_list all] {tagged untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} As you add each port to the VLAN, decide if the port will use an 802.1Q tag. 5 For the management VLAN on the switch, configure the default IP route for virtual router VR-Mgmt. Note See IPv4 Unicast Routing for information on configuring default IP routes or adding secondary IP addresses to VLANs. Layer 2 Basics 19

VLANs Creating and Deleting VLANs To create a VLAN, use the following command: create vlan vlan_name {tag tag} {description vlan-description} {vr name} To delete a VLAN, use the following command: delete vlan vlan_name Managing a VLAN IP Address Note If you plan to use this VLAN as a control VLAN for an EAPS domain, do not assign an IP address to the VLAN. Configure an IP address and mask for a VLAN. configure {vlan} vlan_name ipaddress [ipaddress {ipnetmask} ipv6-link-local {eui64} ipv6_address_mask] + Note Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP subnet on different VLANs on the same virtual router. The software supports using IPv6 addresses, in addition to IPv4 addresses. You can configure the VLAN with an IPv4 address, IPv6 address, or both. See IPv6 Unicast Routing for complete information on using IPv6 addresses. Remove an IP address and mask for a VLAN. unconfigure {vlan} vlan_name ipaddress {ipv6_address_mask} Configuring a VLAN Tag To configure a VLAN, use the following command: configure {vlan} vlan_name tag tag {remote-mirroring} Adding and Removing Ports from a VLAN To add ports to a VLAN, use the following command: configure {vlan} vlan_name add ports [port_list all] {tagged untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} The system returns the following message if the ports you are adding are already EAPS primary or EAPS secondary ports: WARNING: Make sure Vlan1 is protected by EAPS, Adding EAPS ring ports to a VLAN could cause a loop in the network. Do you really want to add these ports? (y/n) Layer 2 Basics 20

VLANs To remove ports from a VLAN, use the following command: configure {vlan} vlan_name delete ports [all port_list] Adding and Removing VLAN Descriptions A VLAN description is a string of up to 64 characters that you can configure to describe the VLAN. It is displayed by several show vlan commands and can be read by using SNMP to access the VLAN's ifalias MIB object. To add a description to a VLAN, use the following command: configure {vlan} vlan_name description [vlan-description none] To remove a description from a VLAN, use the following command unconfigure {vlan} vlan_name description Renaming a VLAN To rename an existing VLAN, use the following command: configure {vlan} vlan_name name name The following rules apply to renaming VLANs: You cannot change the name of the default VLAN. You cannot create a new VLAN named default. Enabling and Disabling VLANs You can enable or disable individual VLANs. The default setting is that all VLANs are enabled. Consider the following guidelines before you disable a VLAN: Disabling a VLAN stops all traffic on all ports associated with the specified VLAN. You cannot disable any VLAN that is running any Layer 2 protocol traffic. When you attempt to disable a VLAN running Layer 2 protocol traffic (for example, the VLAN Accounting), the system returns a message similar to the following: VLAN accounting cannot be disabled because it is actively used by an L2 Protocol You can disable the default VLAN; ensure that this is necessary before disabling the default VLAN. You cannot disable the management VLAN. You cannot bind Layer 2 protocols to a disabled VLAN. You can add ports to and delete ports from a disabled VLAN. 1 Disable a VLAN by running: disable vlan vlan_name Layer 2 Basics 21

VLANs 2 After you have disabled a VLAN, re-enable that VLAN. enable vlan vlan_name VLAN Configuration Examples Note To add an untagged port to a VLAN you create, you must first delete that port from the default VLAN. If you attempt to add an untagged port to a VLAN before deleting it from the default VLAN, you see the following error message: Error: Protocol conflict when adding untagged port 1:2. Either add this port as tagged or assign another protocol to this VLAN. The following modular switch example creates a port-based VLAN named accounting: create vlan accounting configure accounting ipaddress 132.15.121.1 configure default delete port 2:1-2:3,2:6,4:1,4:2 configure accounting add port 2:1-2:3,2:6,4:1,4:2 Note Because VLAN names are unique, you do not need to enter the keyword vlan after you have created the unique VLAN name. You can use the VLAN name alone (unless you are also using this name for another category such as STPD or EAPS, in which case we recommend including the keyword vlan). The following stand-alone switch example creates a port-based VLAN named development with an IPv6 address: create vlan development configure development ipaddress 2001:0DB8::8:800:200C:417A/64 configure default delete port 1-3 configure development add port 1-3 The following modular switch example creates a protocol-based VLAN named ipsales. Slot 5, ports 6 through 8, and slot 6, ports 1, 3, and 4-6 are assigned to the VLAN. In this example, you can add untagged ports to a new VLAN without first deleting them from the default VLAN, because the new VLAN uses a protocol other than the default protocol. create vlan ipsales configure ipsales protocol ip configure ipsales add port 5:6-5:8,6:1,6:3-6:6 Layer 2 Basics 22

VLANs The following modular switch example defines a protocol filter, myprotocol and applies it to the VLAN named myvlan. This is an example only, and has no real-world application. create protocol myprotocol configure protocol myprotocol add etype 0xf0f0 configure protocol myprotocol add etype 0xffff create vlan myvlan configure myvlan protocol myprotocol To disable the protocol-based VLAN (or any VLAN) in the above example, use the following command: disable vlan myprotocol To re-enable the VLAN, use the following command: enable vlan myprotocol Displaying VLAN Information To display general VLAN settings and information, use the following commands: show vlan {virtual-router vr-name} show vlan vlan_name {ipv4 ipv6} show vlan [tag tag detail] {ipv4 ipv6} show vlan description show vlan {vlan_name} statistics {no-refresh} Note To display IPv6 information, you must use either the show vlan detail command or show vlan command with the name of the specified VLAN. To display the VLAN information for other ExtremeXOS software features, use the following commands: show {vlan} vlan_name dhcp-address-allocation show {vlan} vlan_name dhcp-config show {vlan} vlan_name eaps show {vlan} vlan_name security show {vlan} vlan_name stpd You can display additional useful information on VLANs configured with IPv6 addresses by issuing the command: show ipconfig ipv6 vlan vlan_name To isplay protocol information, issue the command: show protocol {name} Layer 2 Basics 23

VLANs Private VLANs The following sections provide detailed information on private VLANs: PVLAN Overview on page 24 Configuring PVLANs on page 33 Displaying PVLAN Information on page 36 PVLAN Configuration Example 1 on page 37 PVLAN Configuration Example 2 on page 39 PVLAN Overview PVLANs offer the following features: VLAN translation VLAN isolation Note PVLAN features are supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document. VLAN Translation in a PVLAN VLAN translation provides the ability to translate the 802.1Q tags for several VLANs into a single VLAN tag. VLAN translation is an optional component in a PVLAN. VLAN translation allows you to aggregate Layer 2 VLAN traffic from multiple clients into a single uplink VLAN, improving VLAN scaling. The following figure shows an application of VLAN translation. Note The VLAN translation feature described in VLAN Translation on page 42 is provided for those who are already familiar with the ExtremeWare VLAN translation feature. If you have time to use the PVLAN implementation and do not have scripts that use the ExtremeWare commands, we suggest that you use the PVLAN feature, as it provides the same functionality with additional features. Layer 2 Basics 24

VLANs Figure 7: VLAN Translation Application In the figure, VLANs 101, 102, and 103 are subscriber VLANS that carry data traffic while VLANs 201, 202, and 203 are subscriber VLANs that carry voice traffic. The voice and data traffic are combined on integrated access devices (IADs) that connect to the VLAN translation switch. Each of the three clusters of phones and PCs uses two VLANs to separate the voice and data traffic. As the traffic is combined, the six VLANs are translated into two network VLANs, VLAN1 and VLAN2. This simplifies administration, and scales much better for large installations. Conceptually, this is very similar to Layer 3 VLAN aggregation (supervlans and subvlans). The primary differences between these two features are: VLAN translation is strictly a Layer 2 feature. VLAN translation does not allow communication between the subscriber VLANs. VLAN Isolation VLAN isolation provides Layer 2 isolation between the ports in a VLAN. The following figure shows an application of VLAN isolation. Layer 2 Basics 25

VLANs Figure 8: VLAN Isolation Application In this figure, ports in the Guest VLAN have access to services on the network VLAN, but Guest VLAN ports cannot access other Guest VLAN ports over Layer 2 (or the Marketing or Engineering VLANs). This provides port-to-port security at Layer 2. PVLAN Components The following figure shows the logical components that support PVLAN configuration in a switch. Layer 2 Basics 26

VLANs Figure 9: Private VLAN Switch Components There is one network VLAN in each PVLAN. Ports within a network VLAN, called network ports, can communicate with all VLAN ports in the PVLAN. Network devices that connect to the network VLAN ports are considered to be on the network side of the switch. The network VLAN aggregates the uplink traffic from the other VLANS, called subscriber VLANs, for egress communications on a network VLAN port. A network port can serve only one PVLAN, but it can serve one or more subscriber VLANs. Ingress communications on the network VLAN port are distributed to the appropriate subscriber VLANs for distribution to the appropriate ports. Devices that connect to subscriber VLAN ports are considered to be on the subscriber side of the switch. Tag translation within the PVLAN is managed at the egress ports. To enable tag translation for uplink traffic from the subscriber VLANs, you must enable tag translation on the appropriate network VLAN port. Tag translation is automatically enabled on subscriber VLAN egress ports when the subscriber VLAN is created and the port is added to the VLAN as tagged. Egress traffic from a subscriber VLAN is always tagged with the subscriber VLAN tag when the port is configured as tagged. A non-isolated subscriber VLAN is basically a standard VLAN that can participate in tag translation through the network VLAN when VLAN translation is enabled on the network VLAN port. You can choose to not translate tags on a network VLAN port, but this is generally used only for extending a PVLAN to another switch. A non-isolated subscriber VLAN that does not use tag translation is functionally equivalent to a regular VLAN, so it is better to create non-isolated VLANs only when you plan to use tag translation. Ports in a non-isolated VLAN can communicate with other ports in the same VLAN, ports in the network VLAN, and destinations on the network side of the switch. As with standard VLANs, nonisolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs. In the figure above, the Engineering and Marketing VLANs are configured as non-isolated subscriber VLANs, which means that they act just like traditional VLANs, and they can participate in tag translation when VLAN translation is enabled on a network VLAN port that leads to network side location. VLAN isolation within the PVLAN is established by configuring a VLAN to be an isolated subscriber VLAN and adding ports to the isolated VLAN. Unlike normal VLANs, ports in an isolated VLAN cannot communicate with other ports in the same VLAN over Layer 2 or Layer 3. The ports in an isolated VLAN Layer 2 Basics 27

VLANs can, however, communicate with Layer 2 devices on the network side of the PVLAN through the network VLAN. When the network VLAN egress port is configured for tag translation, isolated VLAN ports also participate in uplink tag translation. When isolated subscriber VLAN ports are configured as tagged, egress packets are tagged with the isolated VLAN tag. As with standard VLANs and nonisolated VLANs, isolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs. PVLAN Support over Multiple Switches A PVLAN can span multiple switches. The following figure shows a PVLAN that is configured to operate on two switches. Figure 10: Private VLAN Support on Multiple Switches A PVLAN can span many switches. For simplicity, the figure above shows only two switches, but you can extend the PVLAN to additional switches by adding connections between the network VLANs in each switch. The ports that connect two PVLAN switches must be configured as regular tagged ports. The network and subscriber VLANs on each switch must be configured with the same tags. Note Although using the same VLAN names on all PVLAN switches might make switch management easier, there is no software requirement to match the VLAN names. Only the tags must match. When a PVLAN is configured on multiple switches, the PVLAN switches function as one PVLAN switch. Subscriber VLAN ports can access the network VLAN ports on any of the PVLAN switches, and nonisolated VLAN ports can communicate with ports in the same VLAN that are located on a different physical switch. An isolated VLAN can span multiple switches and maintain isolation between the VLAN ports. The network and subscriber VLANs can be extended to other switches that are not configured for the PVLAN (as described in Extending Network and Subscriber VLANs to Other Switches on page 29). The advantage to extending the PVLAN is that tag translation and VLAN isolation is supported on the additional switch or switches. Layer 2 Basics 28

VLANs Extending Network and Subscriber VLANs to Other Switches A network or subscriber VLAN can be extended to additional switches without a PVLAN configuration on the additional switches. You might want to do this to connect to existing servers, switches, or other network devices. You probably do not want to use this approach to support clients, as tag translation and VLAN isolation are not supported unless the PVLAN is configured on all PVLAN switches as described in PVLAN Support over Multiple Switches on page 28. The following figure illustrates PVLAN connections to switches outside the PVLAN. Figure 11: Private VLAN Connections to Switches Outside the PVLAN In the above figure, Switch 1, Network VLAN Port 21 connects to a Switch 3 port that only supports the Network VLAN. In this configuration, the Network VLAN Port 21 on Switch 1 is configured as translated, which translates subscriber VLAN tags to the network VLAN tag for access to the Network VLAN extension on Switch 3. Switch 3, Port 24 is configured as tagged and only accepts traffic with the Network VLAN Tag. Switch 3 serves as an extension of the Network VLAN and can be used to connect to network devices such as servers or an internet gateway. Switch 2, port 22 supports the Network, NonIsolated, and Isolated VLANs, but no PVLAN is configured. Layer 2 Basics 29

VLANs Because port 22 supports multiple VLANs that are part of the PVLAN, and because these Switch 2 VLANs are not part of the PVLAN, Switch 1, port 24, must be configured as a PVLAN endpoint, which establishes the PVLAN boundary. Switch 2, port 22, is configured as a regular tagged VLAN port. For most applications, it would be better to extend the PVLAN to Switch 2 so that the PVLAN features are available to the Switch 2 VLANs. The configuration of Switch 2 behaves as follows: The Switch 2 NonIsolated VLAN ports can communicate with the NonIsolated VLAN ports on Switch 1, but they cannot participate in VLAN translation. The Switch 2 Isolated VLAN ports can communicate with other Switch 2 Isolated VLAN ports. The Switch 2 Isolated VLAN ports cannot participate in VLAN translation. The Switch 2 Isolated VLAN ports can receive broadcast and multicast info for the Isolated VLAN. Traffic is allowed from the Switch 1 Isolated VLAN ports to the Switch 2 Isolated VLAN ports. MAC Address Management in a PVLAN Each device that connects to a PVLAN must have a unique MAC address within the PVLAN. Each MAC address learned in a PVLAN requires multiple FDB entries. For example, each MAC address learned in a non-isolated subscriber VLAN requires two FDB entries, one for the subscriber VLAN and one for the network VLAN. The additional FDB entries for a PVLAN are marked with the P flag in the show fdb command display. The following sections describe the FDB entries created for the PVLAN components and how to estimate the impact of a PVLAN on the FDB table: Non-Isolated Subscriber VLAN Isolated Subscriber VLAN Network VLAN Calculating the Total FDB Entries for a PVLAN Non-Isolated Subscriber VLAN When a MAC address is learned on a non-isolated subscriber VLAN port, two entries are added to the FDB table: MAC address, non-isolated subscriber VLAN tag, and the port number MAC address, network VLAN tag, port number, and a special flag for tag translation The network VLAN entry is used when traffic comes in from the network ports destined for an nonisolated port. Isolated Subscriber VLAN When a new MAC address is learned on an isolated subscriber VLAN port, two entries are added to the FDB table: MAC address, isolated subscriber VLAN tag, port number, and a flag that indicates that the packet should be dropped MAC address, network VLAN tag, port number, and a special flag for tag translation Ports in the isolated VLAN do not communicate with one another. Layer 2 Basics 30

VLANs If a port in the isolated VLAN sends a packet to another port in the same VLAN that already has an entry in the FDB, that packet is dropped. You can verify the drop packet status of an FDB entry by using the show fdb command. The D flag indicates that packets destined for the listed address are dropped. The network VLAN entry is used when traffic comes in from the network ports destined for an isolated port. Network VLAN When a new MAC address is learned on a network VLAN port, the following entry is added to the FDB table: MAC address, network VLAN tag, and port number. For every subscriber VLAN belonging to this PVLAN, the following entry is added to the FDB table: MAC address, subscriber VLAN tag, and port number Calculating the Total FDB Entries for a PVLAN The following formula can be used to estimate the maximum number of FDB entries for a PVLAN: FDBtotal = [(MACnon-iso + MACiso) * 2 + (MACnetwork * (VLANnon-iso + VLANiso + 1))] The formula components are as follows: MACnon-iso = number of MAC addresses learned on all the non-isolated subscriber VLANs MACiso = number of MAC addresses learned on all the isolated subscriber VLANs MACnetwork = number of MAC addresses learned on the network VLAN VLANnon-iso = number of non-isolated subscriber VLANs VLANiso = number of isolated subscriber VLANs Note The formula above estimates the worst-case scenario for the maximum number of FDB entries for a single PVLAN. If the switch supports additional PVLANs, apply the formula to each PVLAN and add the totals for all PVLANs. If the switch also support standard VLANs, there will also be FDB entries for the standard VLANs. Layer 3 Communications For PVLANs, the default switch configuration controls Layer 3 communications exactly as communications are controlled in Layer 2. For example, Layer 3 communications is enabled between ports in a non-isolated subscriber VLAN, and disabled between ports in an isolated subscriber VLAN. Ports in a non-isolated subscriber VLAN cannot communicate with ports in other non-isolated subscriber VLANs. You can enable Layer 3 communications between all ports in a PVLAN. For more information, see Managing Layer 3 Communications in a PVLAN on page 35. PVLAN Limitations The Private VLAN feature has the following limitations: Layer 2 Basics 31

VLANs Requires more FDB entries than a standard VLAN. Within the same VR, VLAN tag duplication is not allowed. Within the same VR, VLAN name duplication is not allowed. Each MAC address learned in a PVLAN must be unique. A MAC address cannot exist in two or more VLANs that belong to the same PVLAN. MVR cannot be configured on PVLANs. A VMAN cannot be added to a PVLAN. A PBB network (BVLAN) cannot be added to a PVLAN. EAPS control VLANs cannot be either subscriber or network VLANs. EAPS can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support EAPS on the network VLAN, you must add all of the VLANs in the PVLAN to the EAPS ring. STP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support STP on the network VLAN, you must add all of the VLANs in the PVLAN to STP. ESRP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support ESRP on the network VLAN, you must add all of the VLANs in the PVLAN to ESRP. There is no NetLogin support to add ports as translate to the network VLAN, but the rest of NetLogin and the PVLAN features do not conflict. IGMP snooping is performed across the entire PVLAN, spanning all the subscriber VLANs, following the PVLAN rules. For VLANs that are not part of a PVLAN, IGMP snooping operates as normal. PVLAN and VPLS are not supported on the same VLAN. When two switches are part of the same PVLAN, unicast and multicast traffic require a tagged trunk between them that preserves tags (no tag translation). Subscriber VLANs in a PVLAN cannot exchange multicast data with VLANs outside the PVLAN and with other PVLANs. However, the network VLAN can exchange multicast data with VLANs outside the PVLAN and with network VLANs in other PVLANs. Note A maximum of 80% of 4K VLANs can be added to a PVLAN. Adding more VLANS will display the following log error: <Erro:HAL.VLAN.Error>Slot-<slot>: Failed to add egress vlan translation entry on port <port> due to Table full. An additional limitation applies to BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each additional VLAN member with overlapping ports must have a dedicated loopback port. To state it another way, one of the VLAN members with overlapping ports does not require a dedicated loopback port, and the rest of the VLAN members do require a single, dedicated loopback port within each member VLAN. Note There is a limit to the number of unique source MAC addresses on the network VLAN of a PVLAN that the switch can manage. It is advised not to exceed the value shown in the item FDB (maximum L2 entries) in the Supported Limits table of the ExtremeXOS Installation and Release Notes. Layer 2 Basics 32

VLANs Configuring PVLANs The following section describes how to configure a private VLAN. Creating PVLANs To create a VLAN, you need to do the following: 1 Create the PVLAN. 2 Add one VLAN to the PVLAN as a network VLAN. 3 Add VLANs to the PVLAN as subscriber VLANs. To create a PVLAN, use the following command: create private-vlan name {vr vr_name} To add a network VLAN to the PVLAN, create and configure a tagged VLAN, and then use the following command to add that network VLAN: configure private-vlan name add network vlan_name To add a subscriber VLAN to the PVLAN, create and configure a tagged VLAN, and then use the following command to add that subscriber VLAN: configure private-vlan name add subscriber vlan_name {non-isolated} {loopbackport port} By default, this command adds an isolated subscriber VLAN. To create a non-isolated subscriber VLAN, you must include the non-isolated option. Configuring Network VLAN Ports for VLAN Translation When subscriber VLAN traffic exits a network VLAN port, it can be untagged, tagged (with the subscriber VLAN tag), or translated (to the network VLAN tag). Note All traffic that exits a subscriber VLAN port uses the subscriber VLAN tag, unless the port is configured as untagged. There is no need to configure VLAN translation (from network to subscriber VLAN tag) on subscriber VLAN ports. 1 To configure network VLAN ports for VLAN translation, use the following command and specify the network VLAN and port numbers: configure {vlan} vlan_name add ports port_list private-vlan translated 2 If you want to later reconfigure a port that is configured for VLAN translation so that it does not translate tags, use the following command and specify either the tagged or the untagged option: configure {vlan} vlan_name add ports [port_list all] {tagged untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} Configuring Non-Isolated Subscriber VLAN Ports The process for configuring non-isolated VLAN ports requires two tasks: Add a VLAN to the PVLAN as a non-isolated subscriber VLAN. Layer 2 Basics 33

VLANs Assign ports to the non-isolated subscriber VLAN. These tasks can be completed in any order, but they must both be completed before a port can participate in a PVLAN. When configuration is complete, all egress traffic from the port is translated to the VLAN tag for that non-isolated VLAN (unless the port is configured as untagged). Note To configure VLAN translation for network VLAN ports, see Configuring Network VLAN Ports for VLAN Translation on page 33. To add a non-isolated subscriber VLAN to the PVLAN, use the following command: configure private-vlan name add subscriber vlan_name non-isolated To add ports to a non-isolated VLAN (before or after it is added to the PVLAN), use the following command: configure {vlan} vlan_name add ports [port_list all] {tagged untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} If you specify the tagged option, egress traffic uses the non-isolated VLAN tag, regardless of the network translation configuration on any network port with which these ports communicate. Egress traffic from a non-isolated VLAN port never carries the network VLAN tag. Configuring Isolated Subscriber VLAN Ports When a port is successfully added to an isolated VLAN, the port is isolated from other ports in the same VLAN, and all egress traffic from the port is translated to the VLAN tag for that VLAN (unless the port is configured as untagged). Note To configure VLAN translation for network VLAN ports, see Configuring Network VLAN Ports for VLAN Translation on page 33. The process for configuring ports for VLAN isolation requires two tasks: Add a VLAN to the PVLAN as an isolated subscriber VLAN. Assign ports to the isolated subscriber VLAN. These tasks can be completed in any order, but they must both be completed before a port can participate in an isolated VLAN. To add an isolated subscriber VLAN to the PVLAN, use the following command: configure private-vlan name add subscriber vlan_name To add ports to an isolated VLAN (before or after it is added to the PVLAN), use the following command: configure {vlan} vlan_name add ports [port_list all] {tagged untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} If you specify the tagged option, egress traffic uses the isolated VLAN tag, regardless of the network translation configuration on any network port with which these ports communicate. Egress traffic from an isolated VLAN port never carries the network VLAN tag. Layer 2 Basics 34

VLANs Configuring a PVLAN on Multiple Switches To create a PVLAN that runs on multiple switches, you must configure the PVLAN on each switch and set up a connection between the network VLANs on each switch. The ports at each end of the connection must be configured as tagged ports that do not perform tag translation. To configure these types of ports, use the following command: configure {vlan} vlan_name add ports port_list tagged Configuring a Network or Subscriber VLAN Extension to Another Switch You can extend a network or subscriber VLAN to another switch without configuring a PVLAN on that switch. This configuration is introduced in Extending Network and Subscriber VLANs to Other Switches on page 29. To configure the port on the switch that is outside of the PVLAN, use the following command: configure {vlan} vlan_name add ports port_list tagged Adding a Loopback Port to a Subscriber VLAN BlackDiamond 8000 series modules and Summit family switches, whether or not included in a SummitStack, require a loopback port for certain configurations. If two or more subscriber VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the subscriber VLANs with overlapping ports must have a dedicated loopback port. The loopback port can be added when the subscriber VLAN is added to the PVLAN. If you need to add a loopback port to an existing subscriber VLAN, use the following command: configure {vlan} vlan_name vlan-translation add loopback-port port Managing Layer 3 Communications in a PVLAN The default configuration for Layer 3 PVLAN communications is described in Layer 3 Communications. To enable Layer 3 communications between all ports in a PVLAN, use the following command: configure iparp add proxy [ipnetmask ip_addr {mask}] {vr vr_name} {mac vrrp} {always} Specify the IP address or subnet specified for the network VLAN in the PVLAN. Use the always option to ensure that the switch will reply to ARP requests, regardless of the VLAN from which it originated. Delete PVLANs To delete an existing PVLAN, use the command: delete private-vlan name Layer 2 Basics 35

VLANs Remove a VLAN from a PVLAN When you remove a VLAN from a PVLAN, you remove the association between a VLAN and the PVLAN. Both the VLAN and PVLAN exist after the removal. To remove a network or subscriber VLAN from a PVLAN, use the following command: configure private-vlan name delete [network subscriber] vlan_name Deleting a Loopback Port from a Subscriber VLAN To delete a loopback port from a subscriber VLAN, use the command: configure {vlan} vlan_name vlan-translation delete loopback-port Displaying PVLAN Information This section describes how to display private VLAN information. Displaying Information for all PVLANs To display information on all the PVLANs configured on a switch, use the command: show private-vlan Displaying Information for a Specific PVLAN To display information about a single PVLANs, use the command: show {private-vlan} name Displaying Information for a Network or Subscriber VLAN To display information about a network or subscriber VLAN, use the command: show vlan {virtual-router vr-name} The following flags provide PVLAN specific information: s flat Identifies a network VLAN port that the system added to a subscriber VLAN. All subscriber VLANs contain network VLAN ports that are marked with the s flag. L flag Identifies a subscriber VLAN port that is configured as a loopback port. Loopback ports are supported only on BlackDiamond 8000 series modules and Summit family switches, whether or not included in a SummitStack. t flag Identifies a tagged network VLAN port on which tag translation is enabled. The t flag only appears in the show vlan display for network VLANs. e flag Identifies a network VLAN port that is configured as an endpoint. The e flag only appears in the show vlan display for network VLANs. Layer 2 Basics 36

VLANs Displaying PVLAN FDB Entries To view all FDB entries including those created for a PVLAN, use the command: show fdb {blackhole {netlogin [all mac-based-vlans]} netlogin [all macbased-vlans] permanent {netlogin [all mac-based-vlans]} mac_addr {netlogin [all mac-based-vlans]} ports port_list {netlogin [all mac-based-vlans]} vlan vlan_name {netlogin [all mac-based-vlans]} {{vpls} {vpls_name}}} The P flag marks additional FDB entries for PVLANs. PVLAN Configuration Example 1 The following figure shows a PVLAN configuration example for a medical research lab. Figure 12: PVLAN Configuration Example 1 The medical research lab hosts lots of visiting clients. Each client has their own room, and the lab wants to grant them access to the internet through a local web proxy server but prevent them from accessing other visiting clients. There is a lab in the building where many research workstations are located. Workstations within the lab require access to other lab workstations, the internet, and file servers that are connected to a switch in another building. Visiting clients should not have access to the Research VLAN devices or the file servers on the remote switch. The PVLAN in the following figure contains the following PVLAN components: Network VLAN named Main, which provides internet access through the proxy web server and access to file servers on the remote switch. Layer 2 Basics 37

VLANs Isolated subscriber VLAN named ClientConnections, which provides internet access for visiting clients and isolation from other visiting clients, the Research VLAN devices, and the remote file servers. Non-isolated subscriber VLAN named Research, which provides internet access and enables communications between Research VLAN devices and the remote file servers. 1 The first configuration step is to create and configure the VLANs on the local switch: create vlan Main configure vlan Main add port 1:* configure vlan Main tag 100 create vlan ClientConnections configure vlan ClientConnections add port 2:* configure vlan ClientConnections tag 200 create vlan Research configure vlan Research add port 3:* configure vlan Research tag 300 2 The remote switch VLAN is configured as follows: create vlan Main configure vlan Main add port 1:* configure vlan Main tag 100 3 The next step is to create the PVLAN on the local switch and configure each of the component VLANs for the proper role: create private-vlan MedPrivate configure private-vlan "MedPrivate" add network "Main" configure private-vlan "MedPrivate" add subscriber "ClientConnections" configure private-vlan "MedPrivate" add subscriber "Research" non-isolated 4 The final step is to configure VLAN translation on the local switch so that Research VLAN workstations can connect to the file servers on the remote switch: configure Main add ports 1:1 private-vlan translated 5 To view the completed configuration, enter the show private-vlan command as follows: show private-vlan ---------------------------------------------------------------------------- ---------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ---------------------------------------------------------------------------- ---------- MedPrivate VR- Network VLAN: -main 100 ------------------------------------- ANY 2 /48 VR- Non-Isolated Subscriber VLAN: Layer 2 Basics 38

VLANs -Research 300 ------------------------------------- ANY 2 /96 VR- Isolated Subscriber VLAN: -ClientConnections 200 --------------------------------- ANY 2 /52 VR- PVLAN Configuration Example 2 The following figure shows a PVLAN configuration example for a motel. Figure 13: PVLAN Configuration Example 2 The motel example in the following figure has guest rooms, a conference room, and their web proxy server on the first floor, and guest rooms on the second floor. The motel has three Summit switches. Layer 2 Basics 39

VLANs There is one on the first floor in a closet, one on the first floor in the conference room, and one on the second floor. The PVLAN in the following figure contains the following PVLAN components: A VLAN called Main that contains the web proxy server. A VLAN called ConfRoom that contains the ports for the conference room connections. A VLAN called ClientConnections that contains client PC connections for the guest rooms. The goals for the motel network are as follows: Provide internet access for the ConfRoom and ClientConnections VLANs through the web proxy server. Prevent communications between the ConfRoom and ClientConnections VLANs. Enable communications between clients on the ClientConnections VLAN only within the conference room. Enable communications between devices on the ConfRoom VLAN. Prevent communications between the PCs in the ClientConnections VLAN that are not in the conference room. Notice the following in the above figure: The Summit switches in the first floor closet and on the second floor contain the Main VLAN with a tag of 100. This VLAN is connected via a tagged port between the first and second floor switches. The Summit in the conference room does not contain the Main VLAN and cannot be a PVLAN member. All of the switches have the ClientConnections VLAN, and it uses VLAN tag 200. All of the switches have the ConfRoom VLAN, and it uses VLAN tag 300. The Conference Room Summit connects to the rest of the network through a tagged connection to the Summit in the first floor closet. Because the Summit in the first floor closet is a PVLAN member and uses the same port to support two subscriber VLANs, a loopback port is required in all subscriber VLANs, except the first configured subscriber VLAN (this applies to all BlackDiamond 8800 series switches and Summit family switches). Note The following examples contain comments that follow the CLI comment character (#). All text that follows this character is ignored by the switch and can be omitted from the switch configuration. The following commands configure the Summit in the first floor closet: # Create and configure the VLANs. create vlan Main configure vlan Main add port 1 configure vlan Main tag 100 configure vlan Main add port 2 tagged create vlan ClientConnections configure vlan ClientConnections tag 200 configure vlan ClientConnections add port 5-19 configure vlan ClientConnections add port 20 tagged create vlan ConfRoom Layer 2 Basics 40

VLANs configure vlan ConfRoom tag 300 configure vlan ConfRoom add port 21-30 configure vlan ConfRoom add port 20 tagged # Create and configure the PVLAN named Motel. create private-vlan Motel configure private-vlan Motel add network Main configure private-vlan Motel add subscriber ClientConnections # isolated subscriber VLAN configure private-vlan "Motel" add subscriber "ConfRoom" non-isolated loopback-port 30 configure private-vlan Motel add subscriber ConfRoom non-isolated # If you omit the loopback-port command, the above command produces the following error message: # Cannot add subscriber because another subscriber vlan is already present on the same port, assign a loopback port when adding the subscriber vlan to the private vlan # show vlan "ConfRoom" VLAN Interface with name ConfRoom created by user Admin State: Enabled Tagging: 802.1Q Tag 300 Virtual router: VR- IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Egress Rate Limit Designated Port: None configured Private-VLAN Name: Motel VLAN Type in Private-VLAN: Non-Isolated Subscriber Ports: 13. (Number of active ports=1) Untag: 21, 22, 23, 24, 25, 26, 27, 28, 29 Tag: 1s, 2s, 20, *30L Flags: (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (x) VMAN Tag Translated port (G) Multi-switch LAG Group port # Note that the loopback port is flagged with an "L" and listed as a tagged port, and the network VLAN ports are flagged with an "s" and listed as tagged ports. The following commands configure the Summit on the second floor: # create and configure the VLANs create vlan Main configure vlan Main tag 100 configure vlan Main add port 2 tagged create vlan ClientConnections configure vlan ClientConnections tag 200 configure vlan ClientConnections add port 5-20 create vlan ConfRoom Layer 2 Basics 41

VLANs configure vlan ConfRoom tag 300 # Create and configure the PVLAN named Motel. create private-vlan Motel configure private-vlan Motel add network Main configure private-vlan Motel add subscriber ClientConnections # isolated subscriber VLAN configure private-vlan Motel add subscriber ConfRoom non-isolated The following commands configure the Summit in the conference room: # create and configure the VLANs create vlan ClientConnections configure vlan ClientConnections tag 200 configure vlan ClientConnections add port 1-19 configure vlan ClientConnections add port 20 tag create vlan ConfRoom configure vlan ConfRoom tag 300 configure vlan ConfRoom add port 21-30 configure vlan ConfRoom add port 20 tag # The VLANs operate as extensions of the VLANs on the Summit in the first floor closet. There is no PVLAN configuration on this switch. VLAN Translation The VLAN translation feature described in this section provides the same VLAN translation functionality that is provided for PVLANs. This is described in VLAN Translation in a PVLAN on page 24. The difference is that this feature is configured with different commands that are compatible with ExtremeWare. Note The VLAN translation feature described in this section is provided for those who are already familiar with the ExtremeWare VLAN translation commands. If you have not used this feature in ExtremeWare and do not use any scripts that use the ExtremeWare commands, we suggest that you use the Private VLAN feature described in Private VLANs on page 24, as it provides the same functionality with additional features. The VLAN translation feature is supported only on the platforms listed for this feature in the license tables in Feature License Requirements The following figure shows how VLAN translation is configured in the switch. Layer 2 Basics 42

VLANs Figure 14: VLAN Translation Switch Configuration In the above figure, VLAN1 is configured as a translation VLAN. The translation VLAN is equivalent to the network VLAN in the PVLAN implementation of VLAN translation. VLANs 101, 102, and 103 are configured as member VLANs of translation VLAN1. The member VLANs are equivalent to the non-isolated subscriber VLANs in the PVLAN implementation of VLAN translation. This configuration enables tag translation between the translation VLAN and the member VLANs. All member VLANs can communicate through the translation VLAN, but they cannot communicate through Layer 2 with each other. VLAN Translation Behavior You should be aware of the behavior of unicast, broadcast, and multicast traffic when using VLAN translation. Unicast Traffic Traffic on the member VLANs can be either tagged or untagged. Traffic is switched locally between client devices on the same member VLAN as normal. Traffic cannot be switched between clients on separate member VLANs. Traffic from any member VLAN destined for the translation VLAN is switched and the VLAN tag is translated appropriately. Traffic from the translation VLAN destined for any member VLAN is switched and the VLAN tag is translated. Broadcast Behavior Broadcast traffic generated on a member VLAN is replicated in every other active port of that VLAN as normal. Layer 2 Basics 43

VLANs In addition, the member VLAN traffic is replicated to every active port in the translation VLAN and the VLAN tag is translated appropriately. Broadcast traffic generated on the translation VLAN is replicated to every other active port in this VLAN as usual. The caveat in this scenario is that this traffic is also replicated to every active port in every member VLAN, with VLAN tag translation. In effect, the broadcast traffic from the translation VLAN leaks onto all member VLANs. Multicast Behavior IGMP snooping can be enabled on member and translation VLANs so that multicast traffic can be monitored within the network. IGMP snooping software examines all IGMP control traffic that enters the switch. IGMP control traffic received on a VLAN translation port is forwarded by the CPU to all other ports in the translation group. Software VLAN translation is performed on the packets which cross the translation boundary between member and translation VLANs. The snooping software detects ports joining and leaving multicast streams. When a VLAN translation port joins a multicast group, an FDB entry is installed only on receiving a data miss for that group. The FDB entry is added for the requested multicast address and contains a multicast PTAG. When a VLAN translation port leaves a multicast group, the port is removed from the multicast list. The last VLAN translation port to leave a multicast group causes the multicast FDB entry to be removed. VLAN Translation Limitations The VLAN translation feature has the following limitations: Requires more FDB entries than a standard VLAN. Within the same VR, VLAN tag duplication is not allowed. Within the same VR, VLAN name duplication is not allowed. Each MAC address learned in the translation and member VLANs must be unique. A MAC address cannot exist in two or more VLANs that belong to the same VLAN translation domain. MVR cannot be configured on translation and member VLANs. A VMAN cannot be added to translation and member VLANs. A PBB network (BVLAN) cannot be added to translation and member VLANs. EAPS control VLANs cannot be either translation or member VLANs. EAPS can only be configured on translation VLAN ports (and not on member VLAN ports). To support EAPS on the network VLAN, you must add all of the translation and member VLANs to the EAPS ring. STP can only be configured on translation VLAN ports (and not on member VLAN ports). To support STP on the translation VLAN, you must add the translation VLAN and all of the member VLANs to STP. ESRP can only be configured on translation VLAN ports (and not on member VLAN ports). To support ESRP on the network VLAN, you must add the translation VLAN and all of the member VLANs to ESRP. There is no NetLogin support to add ports as translate to the translation VLAN, but the rest of NetLogin and the PVLAN feature do not conflict. Layer 2 Basics 44

VLANs IGMP snooping is performed across the entire VLAN translation domain, spanning all the member VLANs. For VLANs that are not part of a VLAN translation domain, IGMP snooping operates as normal. VLAN translation and VPLS are not supported on the same VLAN. Member VLANs in a VLAN translation domain cannot exchange multicast data with VLANs outside the VLAN translation domain. However, the translation VLAN can exchange multicast data with VLANs outside the VLAN translation domain and with translation VLANs in other VLAN translation domains. Interfaces Use the following information for selecting and configuring VLAN translation interfaces: A single physical port can be added to multiple member VLANs, using different VLAN tags. Member VLANs and translation VLANs can include both tagged and untagged ports. Configuring Translation VLANs To create a translation VLAN, do the following: 1 Create the VLAN that will become the translation VLAN. 2 Add a tag and ports to the prospective translation VLAN. 3 Add member VLANs to the prospective translation VLAN. A prospective translation VLAN becomes a translation VLAN when the first member VLAN is added to it. To add a member VLAN to a translation VLAN, use the following command: configure {vlan} vlan_name vlan-translation add member-vlan member_vlan_name {loopback-port port} To delete a member VLAN from a translation VLAN, use the following command: configure {vlan} vlan_name vlan-translation delete member-vlan [member_vlan_name all] To view the translation VLAN participation status of a VLAN, use the following command: show vlan {virtual-router vr-name} Displaying Translation VLAN Information This section describes how to display translation VLAN information. Displaying Information for a Translation or Member VLAN To display information about a translation or member VLAN, use the command: show vlan {virtual-router vr-name} Layer 2 Basics 45

VLANs Displaying Translation VLAN FDB Entries To view all FDB entries including those created for a translation VLAN, use the command: show fdb {blackhole {netlogin [all mac-based-vlans]} netlogin [all macbased-vlans] permanent {netlogin [all mac-based-vlans]} mac_addr {netlogin [all mac-based-vlans]} ports port_list {netlogin [all mac-based-vlans]} vlan vlan_name {netlogin [all mac-based-vlans]} {{vpls} {vpls_name}}} The T flag marks additional FDB entries for translation VLANs. VLAN Translation Configuration Examples The following configuration examples show VLAN translation used in three scenarios: Basic VLAN Translation on page 46 VLAN Translation with ESRP Redundancy on page 47 VLAN Translation with STP Redundancy on page 49 Basic VLAN Translation The example in the following figure configures a basic VLAN translation network. This network provides VLAN translation between four member VLANs and a single translation VLAN. Figure 15: VLAN Translation Configuration Example The following configuration commands create the member VLANs: create vlan v101 configure v101 tag 101 configure v101 add ports 1:1 tagged create vlan v102 configure v102 tag 102 configure v102 add ports 1:1 tagged create vlan v103 configure v103 tag 103 configure v103 add ports 1:2 tagged create vlan v104 configure v104 tag 104 configure v104 add ports 1:2 tagged Layer 2 Basics 46

VLANs The following configuration commands create the translation VLAN and enable VLAN translation: create vlan v1000 configure v1000 tag 1000 configure v1000 add ports 2:1 tagged configure v1000 vlan-translation add member-vlan v101 configure v1000 vlan-translation add member-vlan v102 configure v1000 vlan-translation add member-vlan v103 configure v1000 vlan-translation add member-vlan v104 The following configuration commands create the translation VLAN and enable VLAN translation on BlackDiamond X8, BlackDiamond 8000 series modules, and Summit X440, X460, X480, X670, and X770 series switches: create vlan v1000 configure v1000 tag 1000 configure v1000 add ports 2:1 tagged configure v1000 vlan-translation add member-vlan v101 configure v1000 vlan-translation add member-vlan v102 loopback-port 1:23 configure v1000 vlan-translation add member-vlan v103 configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24 VLAN Translation with ESRP Redundancy The example in the following figure configures a VLAN translation network with ESRP redundancy. The SW2 and SW3 VLAN translation switches are protected by an ESRP control VLAN. The master ESRP switch performs the translation and provides the connectivity to the backbone. If a failure occurs, the slave ESRP switch takes over and begins performing the translation. Figure 16: ESRP Redundancy Configuration Example Layer 2 Basics 47

VLANs The following configuration commands create the member VLANs on SW1: create vlan v101 configure v101 tag 101 configure v101 add ports 1:1 tagged configure v101 add ports 1:3 tagged configure v101 add ports 1:4 tagged create vlan v102 configure v102 tag 102 configure v102 add ports 1:1 tagged configure v102 add ports 1:3 tagged configure v102 add ports 1:4 tagged create vlan v103 configure v103 tag 103 configure v103 add ports 1:2 tagged configure v103 add ports 1:3 tagged configure v103 add ports 1:4 tagged create vlan v104 configure v104 tag 104 configure v104 add ports 1:2 tagged configure v104 add ports 1:3 tagged configure v104 add ports 1:4 tagged The configuration for SW2 and SW3 is identical for this example. The following configuration commands create the member VLANs on SW2: create vlan v101 configure v101 tag 101 configure v101 add ports 1:3 tagged create vlan v102 configure v102 tag 102 configure v102 add ports 1:3 tagged create vlan v103 configure v103 tag 103 configure v103 add ports 1:3 tagged create vlan v104 configure v104 tag 104 configure v104 add ports 1:3 tagged This set of configuration commands creates the translation VLANs and enables VLAN translation on SW2: create vlan v1000 configure v1000 tag 1000 configure v1000 add ports 2:1 tagged configure v1000 vlan-translation add member-vlan v101 configure v1000 vlan-translation add member-vlan v102 configure v1000 vlan-translation add member-vlan v103 configure v1000 vlan-translation add member-vlan v104 Layer 2 Basics 48

VLANs The final set of configuration commands creates the ESRP control VLAN and enables ESRP protection on the translation VLAN for SW2: create vlan evlan configure evlan add ports 2:2 enable esrp evlan configure evlan add domain-member v1000 The following configuration commands create the translation VLAN and enable VLAN translation onvlans that have overlapping ports: configure v1000 vlan-translation add member-vlan v102 loopback-port 1:22 configure v1000 vlan-translation add member-vlan v103 loopback-port 1:23 configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24 VLAN Translation with STP Redundancy The example in the following figure configures a VLAN translation network with redundant paths protected by STP. Parallel paths exist from the member VLAN portion of the network to the translation switch. STP ensures that the main path for this traffic is active and the secondary path is blocked. If a failure occurs in the main path, the secondary paths are enabled. Figure 17: STP Redundancy Configuration Example Layer 2 Basics 49

VLANs The following configuration commands create the member VLANs and enable STP on SW1: create vlan v101 configure v101 tag 101 configure v101 add ports 1:1 tagged configure v101 add ports 1:3 tagged configure v101 add ports 1:4 tagged create vlan v102 configure v102 tag 102 configure v102 add ports 1:2 tagged configure v102 add ports 1:3 tagged configure v102 add ports 1:4 tagged create vlan v103 configure v103 tag 103 configure v103 add ports 1:3 tagged configure v103 add ports 1:4 tagged create vlan v104 configure v104 tag 104 configure v104 add ports 1:3 tagged configure v104 add ports 1:4 tagged create stpd stp1 configure stp1 tag 101 configure stp1 add vlan v101 configure stp1 add vlan v102 configure stp1 add vlan v103 configure stp1 add vlan v104 enable stpd stp1 These configuration commands create the member VLANs and enable STP on SW2: create vlan v103 configure v103 tag 103 configure v103 add ports 1:1 tagged configure v103 add ports 1:3 tagged configure v103 add ports 1:4 tagged create vlan v104 configure v104 tag 104 configure v104 add ports 1:2 tagged configure v104 add ports 1:3 tagged configure v104 add ports 1:4 tagged create vlan v101 configure v101 tag 101 configure v101 add ports 1:3 tagged configure v101 add ports 1:4 tagged create vlan v102 configure v102 tag 102 configure v102 add ports 1:3 tagged configure v102 add ports 1:4 tagged create stpd stp1 configure stp1 tag 101 configure stp1 add vlan v101 configure stp1 add vlan v102 configure stp1 add vlan v103 configure stp1 add vlan v104 enable stpd stp1 Layer 2 Basics 50

VLANs This set of configuration commands creates the member VLANs and enables STP on SW3: create vlan v101 configure v101 tag 101 configure v101 add ports 1:3 tagged configure v101 add ports 1:4 tagged create vlan v102 configure v102 tag 102 configure v102 add ports 1:3 tagged configure v102 add ports 1:4 tagged create vlan v103 configure v103 tag 103 configure v103 add ports 1:3 tagged configure v103 add ports 1:4 tagged create vlan v104 configure v104 tag 104 configure v104 add ports 1:3 tagged configure v104 add ports 1:4 tagged create stpd stp1 configure stp1 tag 101 configure stp1 add vlan v101 configure stp1 add vlan v102 configure stp1 add vlan v103 configure stp1 add vlan v104 enable stpd stp1 The final set of configuration commands creates the translation VLAN and enables VLAN translation on SW3: create vlan v1000 configure v1000 tag 1000 configure v1000 add ports 2:1 tagged configure v1000 vlan-translation add member-vlan v101 configure v1000 vlan-translation add member-vlan v102 configure v1000 vlan-translation add member-vlan v103 configure v1000 vlan-translation add member-vlan v104 The following configuration commands create the translation VLAN and enable VLAN translation on VLANs that have overlapping ports: configure v1000 vlan-translation add member-vlan v102 loopback-port 1:22 configure v1000 vlan-translation add member-vlan v103 loopback-port 1:23 configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24 Port-Specific VLAN Tag The Port-specific VLAN feature adds a layer of specificity between the port tag and the VLAN/VMAN tag: a port-specific VLAN tag. This feature adds the following functionality to the existing VLAN: Layer 2 Basics 51

VLANs Ability to associate a tag to a VLAN port. This tag is used as a filter to accept frames with matching VID. It is also used as the tag of the outgoing frames. Ability to add multiple VLAN ports on the same physical port as long as those VLAN ports are associated with different tags. Allows the existing untagged and tagged VLAN ports to be part of the VLAN. Ability to learn MAC address on port, tag and VLAN instead of only on the port.as a consequence of the previous point, ability to add static MAC address to port, tag and VLAN. Ability to specify limit-learning and MAC lockdown on a port, tag and VLAN, instead of only on the port. Rate limiting and counting of frames with matching VIDs is supported with the existing ACL. The Port-specific VLAN tag allows tagged VLAN ports to be configured with tag values. When the tag is not configured, it is implicit that the tag of the tagged port is the tag of the VLAN. We call the tag of the port the "port tag", and the tag of the VLAN the "base tag". The port tag is used to determine the eligibility of the frames allowed to be part of the VLAN. Once the frame is admitted to the VLAN port, the base tag is used. From a functional standpoint, the frame tag is rewritten to the base tag. The base tag then is translated to the port tag for the outgoing frame. Note The port tag is equal to the base tag when the port tag is not specified, so the current VLAN behavior is preserved. Untagged VLAN ports also have port tag, which is always the same as the base tag. Outgoing frames are untagged. The untagged VLAN port always has an implicit port tag thats's always equal to the base tag. There can be only one untagged VLAN port on a physical port. It receives untagged frames, and tagged frames, and transmits only untagged frames. A tagged VLAN port can have a port tag configured, or not. When not configured, the port tag is equal to the base tag. There can be more than one tagged VLAN port on a physical port. It receives tagged frames with tag equals to the port tag, and transmits tagged frames with port tag. When the VLAN is assigned to L2VPN, the base tag is the tag that is carried by the pseudo-wire when the dot1q include is enabled. It can be viewed that VPLS PW port tag is equal to the base tag. To assign a VLAN with a port-specific tag to an L2VPN, use the existing configure vpls vpls_name add service vlan vlan_name command. Since every tagged VLAN port has different VIDs, forwarding between them on the same physical port (hairpin switching) is possible. From the external traffic point of view, the frame tags are rewritten from the receive port tag to the transmit port tag. Since each port tag is a different VLAN port, a frame that has to be broadcasted to multiple VLAN ports is sent out multiple times with different tags when the VLAN ports are on the same physical port. Each port + port tag is an individual VLAN port. MAC addresses are learned on the VLAN port. This means that the port in the FDB entry is the port + port tag. A unicast frame destined to a MAC address that is in the FDB is sent out of the associated VLAN port. As mentioned earlier, there is only one MAC addressed learned on the VLAN. If the MAC address is learned on a different port or a different tag, it is a MAC move. It is transmitted out of the physical port only on the associated VLAN port tagged with the port tag when the VLAN port is tagged. Layer 2 Basics 52

VLANs When there are multiple tagged VLAN ports on the transmit port, only one frame with the right tag is transmitted. It is transmitted untagged on an untagged VLAN port. Accordingly, the static MAC address is configured on a VLAN port. This means that the port tag is specified when the tag is not equal to the base tag. The command to flush FDB does not need to change. But, a VLAN port-specific flush needs to be implemented to handle the case when a VLAN port is deleted. This flush is internal and not available through the CLI. Per VLAN port (port + tag) rate limiting and accounting is achieve by the existing ACL. Use match condition vlan-id to match the port VID. You can use action count and byte-count for accounting. And you can use show access-list counter to view the counters. Action meter can be used for rate limiting. To create a meter, use the create meter command, and configure the committed rate and maximum burst size. Port-Specific Tags in L2VPN You can assign a VLAN with port specific tag to VPLS/VPWS using the configure vpls vsi add service vlan vl command. Because this is a single VLAN, the base VID is used when dot1q include is enable. For example, when VLAN 100 that has ports on Ethernet port 1 with port tag 10 and 11 is assigned to L2VPN, the tag that is carried by the pseudo wire is 100. The configuration for this example is as follows: create vlan exchange tag 100 config vlan exchange add ports 1 tagged 10 config vlan exchange add ports 1 tagged 11 config vpls vsi1 add service vlan exchange Similarly, the following is an example for VPWS. There can only be a single VLAN port in the VLAN for assignment to VPWS to be successful: create vlan exchange tag 100 config vlan exchange add ports 1 tagged 10 config l2vpn vpws pw1 add service vlan exchange VLAN Port State VLAN port state is the same as the state of the Ethernet port. ACLs You can use the existing match vlan-id ACL to accomplish counting and metering. You can assign the ACL to both ingress and egress port. The followings are the examples of such configuration. The port 3 tag is 4 and the port 4 tag is 5. These ACLs will match the frame vlan-id, and the vlan-id specified in the match criteria is independent of the port tag. Content of acl.pol entry tag_1 { if { vlan-id 4; } then { packet-count tag_1_num_frames; meter tag_1_meter; } } Layer 2 Basics 53

VLANs entry tag_2 { if { vlan-id 5; } then { byte-count tag_2_num_bytes; meter tag_2_meter; } } Content of acl_egress.pol entry tag_1_egr { if { vlan-id 4; } then { packet-count tag_1_egr_num_frames; meter tag_1_egr_meter; } } entry tag_2_egr { if { vlan-id 5; } then { byte-count tag_2_egr_num_bytes; meter tag_2_egr_meter; } } Configuring Port-Specific VLAN Tags The following specific commands are modified by the port-specific VLAN tag: clear fdb: Only clears on physical port or VLAN, not on a vlan port. delete fdbentry: All or specific MAC address, or specific MAC address on a VLAN. enable/disable flooding ports: Only on physical port (applies to all VLAN ports). enable/disable learning: Only on physical port (applies to all VLAN ports on the same physical port), or on a VLAN (applies to all VLAN ports of the VLAN). show fdb stats: Only on physical port or VLAN, not on a VLAN port. Use the following commands to configure Port-specific VLAN tags: To configure the port-specific tag, use the configure ports port_list {tagged tag}vlan vlan_name [limit-learning number {action [blackhole stop-learning]} locklearning unlimited-learning unlocklearning] command. To specify the port tag when you need to put multiple vlans into a broadcast domain, use the configure {vlan} vlan_name addports [port_list all] {tagged{tag} untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} command. To specify a port tag to delete a VLAN port that has a different tag from the VLAN tag, use the configure {vlan} vlan_name deleteports [all port_list {tagged tag}] command. To display output of a vlan that has a port-specific tag, use the show vlan command. To display port info that has port-specific tag statistics, use the show port info detail command. Layer 2 Basics 54

VLANs To adds a permanent, static entry to the FDB, use the create fdbentry mac_addr vlan vlan_name [ports port_list {tagged tag} blackhole] command. To show output where the port tag is displayed, use the show fdb command. Layer 2 Basics 55

2 VMAN (PBN) VMAN Overview PBBNs VMAN Configuration Options and Features Configuration Displaying Information Configuration Examples The virtual metropolitan area network (VMAN) feature allows you to scale a Layer 2 network and avoid some of the management and bandwidth overhead required by Layer 3 networks. Note If a failover from MSM A to MSM B occurs, VMAN operation is not interrupted. The system has hitless failover network traffic is not interrupted during a failover. VMAN Overview The VMAN feature is defined by the IEEE 802.1ad standard, which is an amendment to the IEEE 802.1Q VLAN standard. A VMAN is a virtual Metropolitan Area Network (MAN) that operates over a physical MAN or Provider Bridged Network (PBN). This feature allows a service provider to create VMAN instances within a MAN or PBN to support individual customers. Each VMAN supports tagged and untagged VLAN traffic for a customer, and this traffic is kept private from other customers that use VMANs on the same PBN. The PBN uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. The VMAN technology is sometimes referred to as VLAN stacking or Q-in-Q. Note VMAN is an Extreme Networks term that became familiar to Extreme Networks customers before the 802.1ad standard was complete. The VMAN term is used in the ExtremeXOS software and also in this book to support customers who are familiar with this term. The PBN term is also used in this guide to establish the relationship between this industry standard technology and the Extreme Networks VMAN feature. The following figure shows a VMAN, which spans the switches in a PBN. Layer 2 Basics 56

VMAN (PBN) Figure 18: VMAN The entry points to the VMAN are the access ports on the VMAN edge switches. Customer VLAN (CVLAN) traffic that is addressed to locations at other VMAN access ports enters the ingress access port, is switched through the VMAN, and exits the egress access port. If you do not configure any frame manipulation options, the CVLAN frames that exit the VMAN are identical to the frames that entered the VMAN. VMAN access ports operate in the following roles: Customer Network Port (CNP) Customer Edge Port (CEP, which is also known as Selective Q-in-Q) The CEP role, which is configured in software as a cep vman port, connects a VMAN to specific CVLANs based on the CVLAN CVID. The CNP role, which is configured as an untagged vman port, connects a VMAN to all other port traffic that is not already mapped to the port CEP role. These roles are described later. All other VMAN ports (except the access ports) operate as VMAN network ports, which are also known as Provider Network Ports (PNPs) in the 802.1ad standard. The VMAN network ports connect the PBs that form the core of the VMAN. During configuration, the VMAN network ports are configured as tagged VMAN ports. The following figure shows one VMAN, but a PBN can support multiple VMAN instances, which are sometimes called VMANs or Service VLANs (SVLANs). VMANs allow you to partition the PBN for customers in the same way that VLANs allow you to partition a Layer 2 network. For example, you can use different VMANs to support different customers on the PBN, and the PBN delivers customer traffic only to the PBN ports that are configured for appropriate VMAN. A VMAN supports two tags in each Ethernet frame, instead of the single tag supported by a VLAN Ethernet frame. The inner tag is referred to as the customer tag (C-tag), and this optional tag is based on the CVLAN tag if the source VLAN is a tagged VLAN. The outer tag is referred to as the service tag (S-tag) or VMAN tag or SVLAN tag, and it is the tag that defines to which SVLAN a frame belongs. The following figure shows the frame manipulation that occurs at the VMAN edge switch. Layer 2 Basics 57

VMAN (PBN) Figure 19: Tag Usage at the VMAN Access Switch In the above figure, the switch accepts CVLAN frames on VMAN access ports 1:1 and 1:2. The switch then adds the S-tag to the frames and switches the frames to network ports 2:1 and 2:2. When the 802.1ad frames reach the PB egress port, the egress switch removes the S-tag, and the CVLAN traffic exits the egress access port in its original form. When the switch in the figure above acts as the egress switch for a VMAN, VMAN frames arrive on network ports 2:1 and 2:2. The switch accepts only those frames with the correct S-tag, removes the S- tags, and switches those frames to access ports 1:1 and 1:2. Unless special configuration options are applied, the egress frames are identical to ingress CVLAN frames. (Configuration options are described in VMAN Configuration Options and Features on page 64.) The following figure shows that the S-tags and C-tags used in VMAN frames contain more than just customer and service VLAN IDs. Figure 20: S-tag and C-tag Components Each S-tag and C-tag contains an ethertype, a Class of Service (CoS), and a SVLAN ID (SVID) or CVLAN ID (CVID). The ethertype is described in Secondary Ethertype Support on page 65, and the CoS is described in QoS Support on page 66. The SVID is the VLAN tag you assign to a VMAN when you create it (see the configure vman vman_name tag tag command. The CVID represents the CVLAN tag for tagged VLAN traffic. Switch ports support VMAN roles and features, which are described in the following sections: Layer 2 Basics 58

VMAN (PBN) Customer Network Ports Customer Edge Ports CVID Translation CVID Egress Filtering Customer Network Ports Customer Network Ports (CNPs) are edge switch ports that accept all tagged and untagged CVLAN traffic and route it over a single VMAN. A CNP is simpler to configure than a CEP, because it supports one VMAN on a physical port and requires no configuration of CVIDs. The VMAN service provider does not need to know anything about the CVLAN traffic in the VMAN. The service provider simply manages the VMAN, and the ingress CVLAN traffic is managed by the customer or another service provider. This separation of CVLAN and VMAN management reduces the dependence of the separate management teams on each other, and allows both management teams to make changes independent of the other. Note The CNP term is defined in the IEEE 802.1ad standard and is also called a port-based service interface. The CNP operation is similar to a MEF 13 UNI Type 1.2, and in releases before ExtremeXOS 12.6, CNPs were known as VMAN access ports or untagged vman ports. With the addition of CEPs, the term VMAN access port is now a generic term that refers to CNPs and CEPs. A PBN can support up to 4094 VMANs, and each VMAN can support up to 4094 CVLANs. Because each CNP connects to only one VMAN, the maximum number of customer VMANs on an edge switch is equal to the total number of switch ports minus one, because at least one port is required to serve as the PNP (Provider Network Port). Customer Edge Ports Each CEP supports the configuration of connections or mappings between individual CVLANs and multiple VMANs. This provides the following benefits: Each physical port supports multiple customers (each connecting to a separate VMAN). Each switch supports many more customer VMANs using CEPs instead of CNPs. To define the connections between CVLANs and SVLANs, each CEP uses a dedicated CVID map, which defines the supported CVIDs on the CEP and the destination VMAN for each CVID. For example, you can configure a CEP to forward traffic from five specific CVLANs to VMAN A and from ten other specific CVLANs to VMAN B. During VMAN configuration, certain ports are added to the VMAN as CEPs, and certain CVIDs on those ports are mapped to the VMAN. To enable customer use of a VMAN, Layer 2 Basics 59

VMAN (PBN) service providers must communicate the enabled CVIDs to their customers. The customers must use those CVIDs to access the VMAN. Note The CEP term is defined in the IEEE 802.1ad standard and is also called a C-tagged service interface. The CEP operation is similar to a MEF 13 UNI Type 1.1. CVID Translation To support CVLANs that are identified by different CVIDs on different CEPs, some switches support a feature called CVID translation, which translates the CVID received at the VMAN ingress to a different CVID for egress from the VMAN (see the following figure). Figure 21: CVID Translation You can use a CLI command to configure CVID translation for a single CVID or for a range of CVIDs, and you can enter multiple commands to define multiple CVIDs and ranges for translation. The commands can be applied to a single port or a list of ports, and after configuration, the configuration applied to a port is retained by that port. Note CVID translation is available only on the platforms listed for this feature in the Feature License Requirements document. CVID translation can reduce the number of CVIDs that can be mapped to VMANs. CVID Egress Filtering CVID egress filtering permits the egress from VMAN to CEP of only those frames that contain a CVID that has been mapped to the source VMAN; all other frames are blocked. For example, Customer Edge Port A in the following figure is configured to support CVIDs 10-29, and Customer Edge Port B is configured to support CVIDs 10-19. If CVID egress filtering is enabled on Customer Edge Port B, frames with CVIDs 20-29 will not be forwarded at the egress of Customer Edge Port B. Layer 2 Basics 60

VMAN (PBN) Figure 22: CVID Egress Filtering You can enable CVID egress filtering for a single CEP or for all CEPs with a CLI command. You can also repeat the command to enable this feature on multiple CEPs. Note CVID egress filtering is available only on the platforms listed for this feature in Feature License Requirements. When this feature is enabled, it reduces the maximum number of CVIDs that can be mapped to VMANs. The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded through software, CVID egress filtering is always enabled. PBBNs A Provider Backbone Bridge Network (PBBN) enables VMAN (PBN, 802.1ad frames) and customer VLAN (802.1Q frames) transport over a backbone network such as the internet. Note This feature is supported only on the platforms listed for this feature in the license and feature pack tables in Feature License Requirements. One application of a PBBN allows an Internet Service Provider (ISP) to create a backbone network over the internet to support Layer 2 traffic from service providers (SPs). Each service provider buys a PBN (VMAN) from the ISP and sells VLAN access to customers. The ISP configures the PBBN, each SP configures their PBN, and each customer configures their VLAN. The PBBN, PBNs, and VLANs are all isolated. All parties (ISP, SP, and customer) can establish their networks and services with minimal support from the other parties, and all parties can make most configuration changes independently of the others. PBBNs are defined by the IEEE 802.1ah Backbone Bridge standard, which is an amendment to the IEEE 802.1Q VLAN standard. The PBBN technology is sometimes referred to as MAC-in-MAC. The following figure shows a PBBN, which spans a set of ISP switches that serve as Provider Backbone Bridges (PBBs). Layer 2 Basics 61

VMAN (PBN) PBBN VMAN VMAN VLAN traffic VLAN traffic VMAN access ports VMAN network ports Access ports (SVLAN or CVLAN) Network ports (BVLAN) Access ports (SVLAN or CVLAN) VMAN network ports VMAN access ports VLAN traffic VLAN traffic vman_0002 Figure 23: PBBN You can view a PBBN as a Layer 2 network that supports VMAN traffic (PBN 802.1ad frames) and VLAN traffic (802.1Q frames). The entry points to a PBBN are the access ports on the PBBN edge switches, which function as Backbone Edge Bridges (BEBs). These ports are designed to receive and transmit VMAN and Customer VLAN (CVLAN) traffic. PBBN switches that are not configured with network access ports are called Backbone Core Bridges (BCBs). BCBs are configured only with network ports and interconnect all the BEBs in the PBBN. PBBN traffic enters a PBBN access port, is switched through the PBBN, and exits at a PBBN access port. If you do not configure any frame manipulation options, the frames that exit the PBBN are identical to the frames that entered the PBBN. The following figure shows three terms that are used during the configuration of a PBBN: CVLAN, SVLAN, and BVLAN. A PBBN is a virtual tunnel. Service VLANs (SVLANs) and CVLANs are defined at the tunnel end points and define what traffic can enter and exit the tunnel. A BVLAN defines all the switch ports that link the tunnel endpoints. SVLANs, CVLANs, and BLVANs are configuration entities; they are not actual Layer 2 domains. These configuration entities define the roles of ports within the PBBN. These configuration entities operate as follows: When a CVLAN is configured on a port, the port accepts customer VLAN traffic (802.1Q frames) for the PBBN. After configuration is complete, the customer VLAN domain extends to all BEBs that have ports configured for the CVLAN. CVLANs are configured only on BlackDiamond 20800 series switches. When an SVLAN is configured on a port, the port accepts VMAN traffic (PBN 802.1ad frames) for the PBBN. After configuration is complete, the VMAN domain extends to all BEBs that have ports configured for the SVLAN. Layer 2 Basics 62

VMAN (PBN) When a backbone VLAN (BVLAN) is configured on a port, the port serves as a network port in the PBBN core. A BVLAN port forwards PBBN traffic (802.1ah frames) between the BEBs and BCBs in the PBBN. When you configure a PBBN, you create and configure SVLANs and CVLANs on the PBBN access ports, and you configure a BVLAN on each network port. Later in the configuration process, you bind each SVLAN and CVLAN to a BVLAN to establish the connection between the PBBN access ports and network ports that establish the BVLAN. The process for binding an SVLAN or CVLAN to a BVLAN differs between platforms. You can use any physical topology on the BVLAN. Although you can assign IP addresses to backbone interfaces to test connectivity, do not enable IP forwarding. The BVLAN must be tagged, and only tagged ports can be added to the BVLAN. Note After you configure a port as part of a BVLAN or SVLAN, you cannot apply any other ACLs to that port. To switch a frame through the PBBN, the switch encapsulates VLAN and VMAN frames in 802.1ah frames as shown in the following figure. Figure 24: Frame Manipulation Through a PBBN At the egress port of the PBBN, the system strips off the 802.1ah material, which leaves a VMAN frame containing an original customer frame with the service provider S-tag. At the end-point of the VMAN, the system strips off the 802.1ad material, which delivers the original customer VLAN frame to the designated destination. Note There is no interaction between the STPs of the ISP and the subscriber. The subscriber s BPDUs are tunneled through the PBBN on the ISP backbone. Layer 2 Basics 63

VMAN (PBN) The following figure shows the contents of an 802.1ah PBBN frame. Figure 25: 802.1ah PBBN Frame Details The PBBN-specific frame components are prepended to the 802.1ad VMAN frames and described in the following sections. B-tag The BVLAN tag (B-tag) identifies a specific BVLAN and includes three priority bits for QoS. B-DA and B-SA The BVLAN destination MAC address (B-DA) and BVLAN source MAC address (B-SA) are used to switch frames across the PBBN. I-tag The I-tag identifies the service provider in the scope of PBBNs (the BVLAN is the tunnel inside of which the system uses the I-tag to identify the service provider using the I-tag to S-tag mapping and replacement). The additional information in the I-tag allows the PBBN to support many more VMANs than the 4094 supported by the S-tag alone. SVLANs with duplicate S-tags are supported in a PBBN when they are received on different access ports, as this results in a different I-tag for each VMAN. Note For more information on the ethertype, see Secondary Ethertype Support on page 65. VMAN Configuration Options and Features ACL Support The ExtremeXOS software includes VMAN (PBN) Access Control List (ACL) support for controlling VMAN frames. VMAN ACLs define a set of match conditions and modifiers that can be applied to VMAN frames. These conditions allow specific traffic flows to be identified, and the modifiers allow a translation to be performed on the frames. Layer 2 Basics 64

VMAN (PBN) Secondary Ethertype Support The C-tag and S-tag components that are added to all VMAN (PBN) frames (see the following figure) include C-ethertype and S-ethertype components that specify an ethertype value for the customer VLAN and VMAN, respectively. Note This feature is supported only on the platforms listed for this feature in the license tables in Feature License Requirements. The C-tag and S-tag components that are added to all VMAN (PBN) frames (see the following figure) include C-ethertype and S-ethertype components that specify an ethertype value for the customer VLAN and VMAN, respectively. The I-tag used in PBBN frames (see the following figure) also includes an ethertype value. When a VLAN or VMAN frame passes between two switches, the ethertype is checked for a match. If the ethertype does not match that of the receiving switch, the frame is discarded. The default ethertype values are: VLAN port (802.1q frames): 0x8100 Primary VMAN port (802.1ad frames): 0x88A8 Secondary VMAN port (802.1ad frames): Not configured The secondary ethertype support feature applies only to VMANs. The ethertype value for VLAN frames is standard and cannot be changed. If your VMAN transits a third-party device (in other words, a device other than an Extreme Networks device), you must configure the ethertype value on the Extreme Networks device port to match the ethertype value on the third-party device to which it connects. The secondary ethertype support feature allows you to define two ethertype values for VMAN frames and select either of the two values for each port. For example, you can configure ports that connect to other Extreme Networks devices to use the default primary ethertype value, and you can configure ports that connect to other equipment to use the secondary ethertype value, which you can configure to match the requirements of that equipment. When you create a VMAN, each VMAN port is automatically assigned the primary ethertype value. After you define a secondary ethertype value, you can configure a port to use the secondary ethertype value. If two switch ports in the same VMAN use different ethertype values, the switch substitutes the correct value at each port. For example, for VMAN edge switches and transit switches, the switch translates an ingress ethertype value to the network port ethertype value before forwarding. For egress traffic at VMAN edge switches, no translation is required because the switch removes the S-tag before switching packets to the egress port. For BlackDiamond 8800 series switches, BlackDiamond X8, SummitStack, and the Summit family of switches, you can set the primary and secondary ethertypes to any value, provided that the two values are different. Layer 2 Basics 65

VMAN (PBN) QoS Support The VMAN (PBN) feature interoperates with many of the QoS and HQoS features supported in the ExtremeXOS software. One of those features is egress queue selection, which is described in the next section. For more information on other QoS and HQoS features that work with VMANs, see QoS. Egress Queue Selection This feature examines the 802.1p value or Diffserv code point in a VMAN (PBN) S-tag and uses that value to direct the packet to the appropriate queue on the egress port. Note This feature is supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document. On some systems (listed in the Feature License Requirements document., you can configure this feature to examine the values in the C-tag or the S-tag. For instructions on configuring this feature, see Selecting the Tag used for Egress Queue Selection on page 70. VMAN Double Tag Support The VMAN double tag feature adds an optional port CVID parameter to the existing untagged VMAN port configuration. When present, any untagged packet received on the port will be double tagged with the configured port CVID and SVID associated with the VMAN. Packets received with a single CVID on the same port will still have the SVID added. As double tagged packets are received from tagged VMAN ports and forwarded to untagged VMAN ports, the SVID associated with the VMAN is stripped. Additionally, the CVID associated with the configured Port CVID is also stripped in the same operation. Much like the CVIDs configured as part of the CEP feature, the configured Port CVID is not represented by a VLAN within EXOS. The implication is that protocols and individual services cannot be applied to the Port CVID alone. Protocols and services are instead applied to the VMAN and/or port as the VMAN represents the true layer-2 broadcast domain. Much like regular untagged VMAN ports, MAC FDB learning occurs on the VMAN, so duplicate MAC addresses received on multiple CVIDs that are mapped to the same VMAN can be problematic. Even when the additional Port CVID is configured, the port still has all of the attributes of a regular untagged VMAN port. This means that any single c-tagged packets received on the same port will have just the SVID associated with the VMAN added to the packet. Likewise, any egress packet with a CVID other than the configured Port CVID will have the SVID stripped. Coexistence with Tagged VLANs Interfaces, CEP VMAN Interfaces, and Tagged VMAN Interfaces Since the port-cvid configuration still has the attributes of a regular untagged VMAN, all of the VLAN and VMAN exclusion and compatibility rules of a regular untagged VMAN port also apply. A list of these rules is contained in EXOS Selective Q-in-Q. Layer 2 Basics 66

VMAN (PBN) Protocol and Feature Interactions Because this feature leverages existing untagged VMAN port infrastructure, any protocol that works with a regular untagged VMAN port also works when the optional Port CVID is additionally configured. Protocols that locally originate control packets, such as STP and ELRP which are used for loop prevention, transmit packets as natively untagged on the wire when the port is an untagged VMAN member. EXOS can also receive and process these untagged packets. This makes STP edge safeguard + BPDU guard or ELRP effective ways to detect and react to network loops on the device. However, because control packets are transmitted as untagged upstream, devices may need additional configuration support to properly detect remote loops not directly attached to the device. Other effective loop prevention mechanisms work without any interaction with untagged VMAN ports. For example, turning physical port auto-polarity off will prevent an accidental looped cable from becoming active. Likewise, storm-control rate limiting of broadcast and flood traffic can be applied in this environment to minimize the effects of a network loop. In addition to detecting, preventing, and minimizing the effects of a network loop, user ACLs can be applied to gain visibility and control of L2, L3, and L4 match criteria, even with double tagged packets. All applicable ACL action modifiers are available in this environment. IP multicast pruning within a VMAN can be accomplished via normal IGMP snooping. EXOS supports full IGMP snooping and IP multicast pruning of single tagged and double tagged packets. However, when an IP address is configured on the VMAN, the IGMP protocol engine will transmit single tagged packets on tagged VMAN ports or untagged packets on untagged VMAN ports. Therefore, upstream switch configuration and support may be necessary to properly propagate group memberships across the network. Configuration Configuring VMANs (PBNs) Guidelines for Configuring VMANs The following sections provide VMAN configuration guidelines for the supported platforms: Guidelines for All Platforms Guidelines for BlackDiamond X8 and 8000 Series Modules and Summit Family Switches Guidelines for All Platforms The following are VMAN configuration guidelines for all platforms: Duplicate customer MAC addresses that ingress from multiple VMAN access ports on the same VMAN can disrupt the port learning association process in the switch. VMAN names must conform to the guidelines described in Object Names. You must use mutually exclusive names for: VLANs VMANs IPv6 tunnels VMAN ports can belong to load-sharing groups. Layer 2 Basics 67

VMAN (PBN) Guidelines for BlackDiamond X8 and 8000 Series Modules and Summit Family Switches The following are VMAN configuration guidelines for BlackDiamond X8 and 8000 series modules, SummitStack, and Summit family switches: You can enable or disable jumbo frames before configuring VMANs. You can enable or disable jumbo frames on individual ports. See Configuring Ports on a Switch for more information on configuring jumbo frames. Spanning Tree Protocol (STP) operation on CVLAN components in a PEB as described in IEEE 802.1ad is not supported. The initial version of this feature does not implement an XML API. Multiple VMAN roles can be combined on one port with certain VLAN types as shown in the following table. Table 3: Port Support for Combined VMAN Roles and VLANs Platform Summit X440, X460, X480, X60, and X770, and E4G-200 and E4G-400 BlackDiamond 8500 and 8800 a-, c-, and e- series modules BlackDiamond X8, 8900 c-, xl-, and xmseries modules Combined CNP, CEP, and Tagged VLAN 1, 2 Combined PNP, CNP, and CEPa, b, 3 Combined PNP and Tagged VLAN Combined PNP and Untagged VLAN X X X 4 X X X Xd X X X Xe X Note If you already configured VLANs and VMANs on the same module or stand-alone switch using ExtremeXOS 11.4, you cannot change the VMAN ethertype from 0X8100 without first removing either the VLAN or VMAN configuration. Procedure for Configuring VMANs This section describes the procedure for configuring VMANs. Before configuring VMANs, review Guidelines for Configuring VMANs on page 67. To configure a VMAN, complete the following procedure at each switch that needs to support the VMAN: 1 Subsets of this group are also supported. That is, any two of these items are supported. 2 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 3 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. 4 If the secondary VMAN ethertype is selected for the port, it must be set to 0x8100. 1 Subsets of this group are also supported. That is, any two of these items are supported. 2 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 3 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. Layer 2 Basics 68

VMAN (PBN) 1 If you are configuring a BlackDiamond 8800 series switch, a SummitStack, or a Summit family switch, enable jumbo frames on the switch. Note Because the BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches enable jumbo frames switch-wide, you must enable jumbo frames before configuring VMANs on these systems. 2 Create a VMAN using the command: create vman vman_name vr vr_name 3 Assign a tag value to the VMAN using the command:. configure vman vman_name tag tag_id 4 To configure PNP ports on a PEB or PB, use the following command with the tagged option: configure vman vman_name add ports [ all port_list ] {untagged { port-cvid port_cvid} tagged} 5 To configure CNP ports on a PEB, use the following command with the untagged option: configure vman vman_name add ports [ all port_list ] {untagged { port-cvid port_cvid} tagged} Note You must configure CNP ports as untagged, so that the S-tag is stripped from the frame on egress. If the port-cvid is configured, any untagged packet received on the port will be double tagged with the configured port CVID and the SVID associated with the VMAN. Packets received with a single CVID on the same port will still have the SVID added as usual. As double tagged packets are received from tagged VMAN ports and forwarded to untagged VMAN ports,the SVID associated with the VMAN is stripped. Additionally, the CVID associated with the configured port CVID is also stripped in the same operation. 6 To configure CEP ports on a PEB, do the following: a b Use the following command to establish a physical port as a CEP and configure CVID mapping and translation: configure vman vman_name add ports port_list cep cvid cvid_range {translate cvid cvid_range}} Use the following commands to add or delete CVIDs for a CEP and manage CVID mapping and translation: configure vman vman_name ports port_list add cvid {cvid cvid_range} {translate cvid cvid_range } c configure vman vman_name ports port_list delete cvid {cvid cvid_range } Use the following commands to manage CVID egress filtering for a CEP: enable vman cep egress filtering ports {port_list all} disable vman cep egress filtering ports {port_list all} 7 Configure additional VMAN options as described in Configuring VMAN Options on page 70. 8 To configure a VLAN to use a VMAN, configure the VLAN on the switch port at the other end of the line leading to the VMAN access port. Layer 2 Basics 69

VMAN (PBN) Configuring VMAN Options Configuring the Ethertype for VMAN Ports The ethertype is a component of VLAN and VMAN frames. It is introduced in Secondary Ethertype Support on page 65. Note This feature is supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document. To configure the ethertype for VMAN (PBN) ports, do the following: 1 Configure the primary and secondary (if needed) VMAN ethertype values for the switch using the following command: configure vman ethertype hex_value [primary secondary] By default, all VMAN ports use the primary ethertype value. 2 If you plan to use a secondary ethertype, select the secondary ethertype for the appropriate VMAN ports using the following command: configure port port_list ethertype {primary secondary} Selecting the Tag used for Egress Queue Selection By default, switches that support the enabling and disabling of this feature use the 802.1p value in the S-tag to direct the packet to the queue on the egress port. Note This feature is supported and configurable only on the platforms listed for this feature in the license tables in the Feature License Requirements document. Configure egress queue dot1p examination of the C-tag using: enable dot1p examination inner-tag port [all port_list] Return to the default selection of using the 802.1p value in the S-tag using: disable dot1p examination inner-tag ports [all port_list] Note See QoS for information on configuring and displaying the current 802.1p and DiffServ configuration for the S-tag 802.1p value. To enable dot1p examination for inner-tag, dot1p examination for outer-tag must be disabled using the command disable dot1p examination ports [all port_list] Displaying Information Displaying VMAN Information Use the following commands to display information on one or all VMANs. Layer 2 Basics 70

VMAN (PBN) show {vman} vman_name {ipv4 ipv6} show vman [tag tag_id detail] {ipv4 ipv6} show {vman} vman_name eaps Note The display for the show vman command is different depending on the platform and configuration you are using. See the ExtremeXOS Command Reference Guide for complete information on this command. You can also display VMAN information, as well as all the VLANs, by issuing the show ports information detail command. And you can display the VMAN ethernet type and secondary ethertype port_list by using the show vman ethertype command Configuration Examples VMAN Example, BlackDiamond 8810 The following example shows the steps to configure a VMAN (PBN) on the BlackDiamond 8810 switch shown in the following figure. Figure 26: Sample VMAN Configuration on BlackDiamond 8810 Switch The VMAN is configured from the building to port 1, slot 3 on the BlackDiamond 8810 switch and from port 2, slot 3 on the BlackDiamond 8810 switch to the BlackDiamond 6808 switch: enable jumbo frames create vman vman_tunnel_1 configure vman vman_tunnel_1 tag 100 configure vman vman_tunnel_1 add port 3:1 untagged configure vman vman_tunnel_1 add port 3:2 tagged disable dot1p examination port 3:2 enable dot1p examination inner-tag port 3:2 Layer 2 Basics 71

VMAN (PBN) The following example configuration demonstrates configuring IP multicast routing between VMANs and VLANs (when VMAN traffic is not double-tagged) on the BlackDiamond 8800 series switch and the Summit family of switches. Using this configuration you can use a common uplink to carry both VLAN and VMAN traffic and to provide multicast services from a VMAN through a separate VLAN (notice that port 1:1 is in both a VLAN and a VMAN): enable jumbo-frame ports all configure vman ethertype 0x8100 create vlan mc_vlan configure vlan mc_vlan tag 77 create vman vman1 configure vman vman1 tag 88 configure vlan vman1 ipaddress 10.0.0.1/24 configure vlan mc_vlan ipaddress 11.0.0.1/24 enable ipforwarding vman1 enable ipforwarding mc_vlan enable ipmcforwarding vman1 enable ipmcforwarding mc_vlan configure vlan mc_vlan add port 1:1 tag configure vman vman1 add port 1:1 tag configure vman vman1 add port 2:1, 2:2, 2:3 Note IGMP reports can be received untagged on ports 2:1, 2:2, and 2:3. Tagged IP multicast data is received on mc_vlan port 1:1 and is routed using IP multicasting to vman1 ports that subscribe to the IGMP group. IGMP snooping (Layer 2 IP multicasting forwarding) does not work on the VMAN ports because there is no double-tagged IP multicast cache lookup capability from port 1:1. VMAN CEP Example The following configuration configures a VMAN CEP to support up to 10 customer VLANs for each of three VMANs. create vman cust1 create vman cust2 create vman cust3 config vman cust1 tag 1000 config vman cust2 tag 1001 config vman cust3 tag 1002 config vman cust1 add port 22 tag config vman cust2 add port 22 tag config vman cust3 add port 23 tag config vman cust1 add port 1 cep cvid 100-109 config vman cust2 add port 1 cep cvid 110-119 config vman cust3 add port 1 cep cvid 120-129 enable vman cep egress filtering ports 1 Layer 2 Basics 72

VMAN (PBN) Port 1 serves as the CEP, and egress filtering is enabled on the port. Ports 22 and 23 serve as CNPs, providing the connection between the CEP port and the rest of each VMAN. Multiple VMAN Ethertype Example The following figure shows a switch that is configured to support the primary ethertype on three ports and the secondary ethertype on a fourth port. The primary VMAN (PBN) ethertype is changed from the default value, but that is not required. Figure 27: Multiple VMAN Ethertype Example The following configuration commands accomplish what is shown in the figure above: # configure vman ethertype 0x9100 primary # configure vman ethertype 0x8100 secondary # # configure port 2:2 ethertype secondary # # create vman vman300 # configure vman vman300 tag 300 # # configure vman vman300 add port 1:1, 2:1, 2:2 tagged # configure vman vman300 add port 1:2 untagged Layer 2 Basics 73

3 FDB FDB Contents How FDB Entries Get Added How FDB Entries Age Out FDB Entry Types Managing the FDB Displaying FDB Entries and Statistics MAC-Based Security Managing MAC Address Tracking The FDB chapter is intended to help you learn about forwarding databases, adding and displaying entries and entry types, managing the FDB, and MAC-based security. This chapter also provides information about MAC Address tracking. The switch maintains a forwarding database (FDB) of all MAC addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered. Note See the ExtremeXOS Command Reference Guide for details of the commands related to the FDB. FDB Contents Each Forwarding Database (FDB) entry consists of: The MAC address of the device An identifier for the port and VLAN on which it was received The age of the entry Flags Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN. How FDB Entries Get Added The MAC entries that are added to the FDB are learned in the following ways: Source MAC entries are learned from ingress packets on all platforms. This is Layer 2 learning. On BlackDiamond 8800 series switches, MAC entries can be learned at the hardware level. Virtual MAC addresses embedded in the payload of IP ARP packets can be learned when this feature is enabled. Static entries can be entered using the command line interface (CLI). Layer 2 Basics 74

FDB Dynamic entries can be modified using the CLI. Static entries for switch interfaces are added by the system upon switch boot-up. The ability to learn MAC addresses can be enabled or disabled on a port-by-port basis. You can also limit the number of addresses that can be learned, or you can lock down the current entries and prevent additional MAC address learning. BlackDiamond 8000 series modules and Summit switches support different FDB table sizes. On a BlackDiamond 8800 switch with a variety of modules or on a SummitStack with different Summit switch models, the FDB tables on some modules or switches can be filled before the tables on other modules or switches. In this situation, when a lower-capacity FDB table cannot accept FDB entries, a message appears that is similar to the following: HAL.FDB.Warning> MSM-A: FDB for vlanid1 mac 00:00:03:05:15:04 was not added to slot 3 - table full. Note For information on increasing the FDB table size on BlackDiamond 8900 xl-series modules and Summit X480 switches, see Increasing the FDB Table Size on page 77. For information on FDB tables sizes, see the ExtremeXOS Release Notes. How FDB Entries Age Out Software Aging Platforms (All Platforms except Summit X480 and BD8900 xl-series cards) When a MAC is learned on a VLAN, an FDB entry is created for this MAC VLAN combination.once an FDB entry is created, the aging counter in the "show fdb" output increases from 0 to polling inteval. The hardware is checked every polling interval seconds to see if there is traffic flow from the given FDB entry.if there is a traffic flow from this MAC, the entry is refreshed and aging counter is reset to 0. If there is no traffic from that FDB entry during this polling interval, the age gets incremented till the configured age time (configured by configure fdb agingtime seconds).the entry gets removed when there is no traffic flow from this FDB entry when the age count reaches the configured age time. Polling interval = FDB aging time/4 (subject to the minimum and maximum values being 10 and 60 seconds respectively). Hardware Aging Platforms(Only Summit X480 and BD8900 xl-series cards) Aging is controlled entirely by the hardware based on the traffic hit that happens for the individual FDB entry. The age from show fdb output is alway shown as 0. The entry will be removed when it ages out. FDB Entry Types Layer 2 Basics 75

FDB Dynamic Entries A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information. The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the database are dynamic, except for certain entries created by the switch at boot-up. Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. The aging time is configurable, and the aging process operates on the supported platforms as follows: On all platforms, you can configure the aging time to 0, which prevents the automatic removal of all dynamic entries. On BlackDiamond X8 series switches, BlackDiamond 8000 a-, c-, e- and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X440, X460, X670, and X770 series switches, the aging process takes place in software and the aging time is configurable. On BlackDiamond 8900 xl-series and Summit X480 switches, the aging process takes place in hardware and the aging time is based on (but does not match) the configured software aging time. For more information about setting the aging time, see Configuring the FDB Aging Time on page 79. Note If the FDB entry aging time is set to 0, all dynamically learned entries in the database are considered static, non-aging entries. This means that the entries do not age, but they are still deleted if the switch is reset. Dynamic entries are flushed and relearned (updated) when any of the following take place: A VLAN is deleted. A VLAN identifier (VLANid) is changed. A port mode is changed (tagged/untagged). A port is deleted from a VLAN. A port is disabled. A port enters blocking state. A port goes down (link down). A non-permanent dynamic entry is initially created when the switch identifies a new source MAC address that does not yet have an entry in the FDB. The entry can then be updated as the switch continues to encounter the address in the packets it examines. These entries are identified by the d flag in the show fdb command output. Static Entries A static entry does not age and does not get updated through the learning process. A static entry is considered permanent because it is retained in the database if the switch is reset or a power off/on cycle occurs. A static entry is maintained exactly as it was created. Conditions that cause Layer 2 Basics 76

FDB dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries. To create a permanent static FDB entry, see Adding a Permanent Unicast Static Entry on page 78. If a duplicate MAC address is learned on a port other than the port where the static entry is defined, all traffic from that MAC address is dropped. By default, the switch does not report duplicate addresses. However, you can configure the switch to report these duplicate addresses as described in Managing Reports of Duplicate MAC Addresses for Static Entries on page 80. A locked static entry is an entry that was originally learned dynamically, but has been made static (locked) using the MAC address lock-down feature. It is identified by the s, p, and l flags in show fdb command output and can be deleted using the delete fdbentry command. See MAC Address Lockdown for more information about this feature. Note Static FDB entries created on EAPS- or STP-enabled ports forward traffic irrespective of the port state. Consequently, you should avoid such a configuration. Blackhole Entries A blackhole entry configures the switch to discard packets with a specified MAC destination address. Blackhole entries are useful as a security measure or in special circumstances where a specific source or destination address must be discarded. Blackhole entries can be created through the CLI, or they can be created by the switch when a port s learning limit has been exceeded. Blackhole entries are treated like permanent entries in the event of a switch reset or power off/on cycle. Blackhole entries are never aged out of the database. Private VLAN Entries A Private VLAN (PVLAN) creates special FDB entries. These are described in MAC Address Management in a PVLAN on page 30. Managing the FDB Increasing the FDB Table Size BlackDiamond 8900 xl-series modules and Summit X480 switches provide an additional table that can be configured to support additional FDB table entries with the following command: configure forwarding external-tables [l3-only {ipv4 ipv4-and-ipv6 ipv6} l2- only acl-only l2-and-l3 l2-and-l3-and-acl l2-and-l3-and-ipmc none] Layer 2 Basics 77

FDB Summit X770 switches provides a Unified Forwarding Table that allows for flexible allocation of entries to L2 or L3. You can configure this table with the configure forwarding internal-tables [l2- and-l3 more [l2 l3-and-ipmc]] command. Adding a Permanent Unicast Static Entry To add a static entry use the following command: create fdbentry mac_addr vlan vlan_name [ports port_list blackhole] The following example adds a permanent static entry to the FDB: create fdbentry 00:E0:2B:12:34:56 vlan marketing port 3:4 The permanent entry has the following characteristics: MAC address is 00:E0:2B:12:34:56. VLAN name is marketing. Slot number for this device is 3 (only on modular switches). Port number for this device is 4. On Summit family switches, BlackDiamond X8 series switches, and BlackDiamond 8000 series modules, you can specify multiple ports when you create a unicast static entry. However, all ports in the list must be on the same SummitStack switch, BlackDiamond X8 series switch or BlackDiamond 8000 series module. When the port list contains ports on different slots, the following error is generated: Error: Multiple ports must be on the same slot for unicast MAC FDB entries. Once the multiport static FDB entry is created, any ingress traffic with a destination MAC address matching the FDB entry is multicasted to each port in the specified list. On Summit family switches and BlackDiamond 8000 series modules, if the FDB entry is the next hop for an IP adjacency, unicast routing sends the packet to the first port in the list. Note When a multiport list is assigned to a unicast MAC address, load sharing is not supported on the ports in the multiport list. Summit family switches, BlackDiamond X8 series switches, and BlackDiamond 8000 series modules do not support this multiport feature natively using the FDB table. Instead, for each FDB entry of this type, a series of system ACLs have been installed which match the specified MAC address and VLAN ID, and override the egress port forwarding list with the supplied list of ports. Multiple ACLs per FDB are required to handle Layer 2 echo kill by installing a unique ACL per individual port in the list to send matching traffic to all other ports in the list. User-configured ACLs take precedence over these FDB-generated ACL rules, and the total number of rules is determined by the platform. The hardware ACL limitations for each platform are described in ACLs. Layer 2 Basics 78

FDB Adding a Permanent Multicast Static Entry On BlackDiamond X8 series switches, BlackDiamond 8000 series modules, SummitStack, and Summit family switches, you can create FDB entries to multicast MAC addresses (that is, 01:00:00:00:00:01) and list one or more ports. Use the create fdbentry mac_addr vlan vlan_name [ports port_list blackhole] command to enter the multicast FDB address. After traffic with a multicast MAC destination address enters the switch, that traffic is multicast to all ports on the list. However, if the MAC address is in the IP multicast range (for example, 01:00:5e:XX:XX:XX), IGMP snooping rules take precedence over the multicast static FDB entry. Of course, if you disable IGMP snooping on all VLANs, the static FDB entry forwards traffic. Configuring the FDB Aging Time To configure the aging time for dynamic FDB entries, use the following command:. configure fdb agingtime seconds If the aging time is set to 0, all aging entries in the database are defined as static, nonaging entries. This means the entries will not age out, but non-permanent static entries can be deleted if the switch is reset. To display the aging time, use the following command:. show fdb Note On BlackDiamond 8900 xl-series and Summit X480 switches, FDB entries are aged in hardware, the aging time is always displayed as 000, and the h flag is set for entries that are hardware aged. Adding Virtual MAC Entries from IP ARP Packets Generally, the FDB is programmed with the source MAC address of frames that contain an IP ARP payload. MAC entries present in the ARP payload as Sender-MAC are not learned. When IP ARP Sender-MAC learning is enabled, the switch learns both the source MAC address and the Sender-MAC from the ARP payload, and the switch programs these MAC addresses in the FDB. This feature is useful when you want the switch to learn the Sender-MAC address for a redundant protocol, such as VRRP. For example, if your network has a gateway with a virtual MAC address, the switch learns the system MAC address for the gateway. If you enable the IP ARP Sender-MAC learning feature, the switch also learns the virtual MAC address embedded in IP ARP packets for the gateway IP address. To enable the IP ARP sender-mac learning feature, use the command: enable learning iparp sender-mac To view the configuration of this feature, use the command: show iparp Layer 2 Basics 79

FDB To disable this feature, use the command: disable learning iparp sender-mac Managing Reports of Duplicate MAC Addresses for Static Entries By default, if a MAC address that is a duplicate of a static MAC address entry is learned on another port (other than the port where the static MAC address is configured), traffic from the duplicate address is silently dropped. To enable or disable EMS and SNMP reporting of duplicate addresses for static entries, use the commands: enable fdb static-mac-move disable fdb static-mac-move To control the number of EMS and SNMP reports per second issued, use the commands: configure fdb static-mac-move packets count To display the configuration of this feature, use the commands: show fdb static-mac-move configuration Clearing FDB Entries You can clear dynamic and permanent entries using different CLI commands. Clear dynamic FDB entries by targeting: Specified MAC addresses Specified ports Specified VLANs All blackhole entries To clear dynamic entries from the FDB, use the command: clear fdb {mac_addr ports port_list vlan vlan_name blackhole} To clear permanent entries from the FDB, use the command: delete fdbentry [all mac_address [vlan vlan_name ] Supporting Remote Mirroring The remote mirroring feature copies select traffic from select ports and VLANs and sends the copied traffic to a remote switch for analysis. The mirrored traffic is sent using a VLAN that is configured for this purpose. For more information, see MLAG Limitations and Requirements. Transit switches are the switches between the source switch where ports are mirrored and the destination switch where the mirrored traffic exits the network to a network analyzer or network storage device. Layer 2 Basics 80

FDB Because the mirrored traffic is an exact copy of the real traffic, a transit switch can learn the MAC addresses and make incorrect forwarding decisions. Displaying FDB Entries and Statistics Display FDB Entries Display FDB entries using the following command: show fdb {blackhole {netlogin [all mac-based-vlans]} netlogin [all macbased-vlans] permanent {netlogin [all mac-based-vlans]} mac_addr {netlogin [all mac-based-vlans]} ports port_list {netlogin [all macbased-vlans]} vlan vlan_name {netlogin [all mac-based-vlans]} {{vpls} {vpls_name}}} Note The MAC-based VLAN netlogin parameter applies only for Summit family switches and BlackDiamond 8800 series switches. See Network Login for more information. With no options, this command displays all FDB entries. (The age parameter does not show on the display for the backup MSM/MM on modular switches; it does show on the display for the primary MSM/MM.) Display FDB Statistics To display FDB statistics, use the command: show fdb stats {{ports {all port_list} vlan {all} {vlan} vlan_name } {norefresh}} With no options, this command displays summary FDB statistics. MAC-Based Security MAC-based security allows you to control the way the FDB is learned and populated. By managing entries in the FDB, you can block and control packet flows on a per-address basis. MAC-based security allows you to limit the number of dynamically-learned MAC addresses allowed per virtual port. You can also lock the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port. You can also prioritize or stop packet flows based on the source MAC address of the ingress VLAN or the destination MAC address of the egress VLAN. Note For detailed information about MAC-based security, see Security. Layer 2 Basics 81

FDB Managing MAC Address Learning By default, MAC address learning is enabled on all ports. MAC addresses are added to the FDB as described in How FDB Entries Get Added on page 74. When MAC address learning is disabled on a port, the switch no longer stores the source address information in the FDB. However, the switch can still examine the source MAC address for incoming packets and either forward or drop the packets based on this address. The source address examination serves as a preprocessor for packets. Forwarded packets are forwarded to other processes, not to other ports. For example, if the switch forwards a packet based on the source address, the packet can still be dropped based on the destination address or the egress flooding configuration. When MAC address learning is disabled, the two supported behaviors are labeled as follows in the software: forward-packets drop-packets The drop-packets behavior is supported on BlackDiamond 8000 series modules, SummitStack, and Summit family switches. When the drop-packets option is chosen, EDP packets are forwarded, and all unicast, multicast, and broadcast packets from a source address not in the FDB are dropped. No further processing occurs for dropped packets. The disable learning forward-packets option saves switch resources (FDB space), however, it can consume network resources when egress flooding is enabled. When egress flooding is disabled or the drop-packet option is specified, disabling learning adds security by limiting access to only those devices listed in the FDB. To disable learning on specified ports, use the command: disable learning {drop-packets forward-packets} port [port_list all] Note The drop-packets and forward-packets options are available only on the BlackDiamond 8800 series switches, SummitStack, and the Summit family switches. If neither option is specified, the drop-packets behavior is selected. To enable learning on specified ports, use the command: enable learning {drop-packets} ports [all port_list] Managing Egress Flooding Egress flooding takes action on a packet based on the packet destination MAC address. By default, egress flooding is enabled, and any packet for which the destination address is not in the FDB is flooded to all ports except the ingress port. You can enhance security and privacy as well as improve network performance by disabling Layer 2 egress flooding on a port, VLAN, or VMAN. This is particularly useful when you are working on an edge Layer 2 Basics 82

FDB device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream forwarding. Note Disabling egress flooding can affect many protocols, such as IP and ARP. The following figure illustrates a case where you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance. Figure 28: Upstream Forwarding or Disabling Egress Flooding Example In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client s traffic by sniffing client 2 s broadcast traffic; client 1 could then possibly launch an attack on client 2. However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons: Broadcast and multicast traffic from the clients is forwarded only to the uplink port. Any packet with unlearned destination MAC addresses is forwarded only to the uplink port. One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage. In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2. Guidelines for Enabling or Disabling Egress Flooding The following guidelines apply to enabling and disabling egress flooding: Egress flooding can be disabled on ports that are in a load-sharing group. In a load-sharing group, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port. FDB learning takes place on ingress ports and is independent of egress flooding; either can be enabled or disabled independently. Disabling unicast (or all) egress flooding to a port also prevents the flooding of packets with unknown MAC addresses to that port. Layer 2 Basics 83

FDB Disabling broadcast (or all) egress flooding to a port also prevents the flooding of broadcast packets to that port. For BlackDiamond X-8 and 8800 series switches, SummitStack, and Summit family switches, the following guidelines apply: You can enable or disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on one or more ports. Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets with static FDB entries are forwarded according to the FDB entry. Configuring Egress Flooding To enable or disable egress flooding on BlackDiamond X8 and 8800 series switches, SummitStack, and the Summit family switches, use the following commands: enable flooding [all_cast broadcast multicast unicast] ports [port_list all] disable flooding [all_cast broadcast multicast unicast] ports [port_list all] Displaying Learning and Flooding Settings To display the status of MAC learning and egress flooding, use the following commands: show ports {mgmt port_list tag tag} information {detail} show vlan {virtual-router vr-name} show vman The flags in the command display indicate the status. Creating Blackhole FDB Entries A blackhole FDB entry discards all packets addressed to or received from the specified MAC address. A significant difference between the above ACL policy and the create fdbentry command blackhole option is the hardware used to implement the feature. Platforms with limited hardware ACL table sizes (for example, BlackDiamond 8800 series switches) are able to implement this feature using the FDB table instead of an ACL table. To create a blackhole FDB entry, use the command: create fdbentry mac_addr vlan vlan_name [ports port_list blackhole] There is no software indication or notification when packets are discarded because they match blackhole entries. Layer 2 Basics 84

FDB The blackhole option is also supported through access lists. Note Blackhole is not supported on port-specific VLAN tags. For example, the following ACL policy would also blackhole traffic destined to or sourced from a specific MAC address: entry blackhole_dest { if { ethernet-destination-address 00:00:00:00:00:01; } then { deny; } } entry blackhole_source { if { ethernet-source-address 00:00:00:00:00:01; } then { deny; } } Managing MAC Address Tracking The MAC address tracking feature tracks FDB add, move, and delete events for specified MAC addresses and for specified ports. When MAC address tracking is enabled for a port, this feature applies to all MAC addresses on the port. When an event occurs for a specified address or port, the software generates an EMS message and can optionally send an SNMP trap. When MAC address tracking is enabled for a specific MAC address, this feature updates internal event counters for the address. You can use this feature with the Universal Port feature to configure the switch in response to MAC address change events (for an example, see Universal Port). Note When a MAC address is configured in the tracking table, but detected on a MAC tracking enabled port, the per MAC address statistical counters are not updated. The MAC address tracking feature is always enabled; however, you must configure MAC addresses or ports before tracking begins. The default configuration contains no MAC addresses in the MAC address tracking table and disables this feature on all ports. Adding and Deleting MAC Addresses for Tracking Use the following commands to add or delete MAC addresses in the MAC address tracking table: create fdb mac-tracking entry mac_addr Layer 2 Basics 85

FDB delete fdb mac-tracking entry [mac_addr all] Enabling and Disabling MAC Address Tracking on Ports Use the following command to enable or disable MAC addresses tracking on specific ports: configure fdb mac-tracking {[add delete]} ports [port_list all] Enabling and Disabling SNMP Traps for MAC Address Changes The default switch configuration disables SNMP traps for MAC address changes. Use the following commands to enable or disable SNMP traps for MAC address tracking events: enable snmp traps fdb mac-tracking disable snmp traps fdb mac-tracking Configuring Automatic Responses to MAC Tracking Events The EMS messages produced by the MAC address tracking feature can be used to trigger Universal Port profiles. These are described in Event Management System Triggers. The subcomponent name for MAC address tracking events is FDB.MACTracking. Displaying the Tracked MAC Addresses and Tracking Statistics To display the MAC address tracking feature configuration, including the list of tracked MAC addresses, use the command: show fdb mac-tracking configuration To display the counters for MAC address add, move, and delete events, use the command: show fdb mac-tracking statistics {mac_addr} {no-refresh} Clearing the Tracking Statistics Counters There are several ways to clear the MAC tracking counters: Use the clear counters command. Use the 0 key while displaying the counters with the show fdb mac-tracking statistics {mac_addr} command. Enter the clear counters fdb mac-tracking [mac_addr all] command. Layer 2 Basics 86

4 Layer 2 Basic Commands clear counters fdb mac-tracking clear counters ports protocol filter clear fdb clear l2pt counters vlan clear l2pt counters vman clear l2pt counters vpls create l2pt profile configure fdb agingtime configure fdb mac-tracking ports configure fdb static-mac-move packets configure l2pt encapsulation dest-mac configure l2pt profile add profile configure l2pt profile delete profile configure port ethertype configure ports l2pt profile configure ports protocol filter configure private-vlan add network configure private-vlan add subscriber configure private-vlan delete configure protocol add configure protocol delete configure protocol filter configure vlan add ports private-vlan translated configure vlan add ports configure vlan delete ports configure vlan description configure vlan ipaddress configure vlan name configure vlan protocol configure vlan tag configure vlan-translation add loopback-port configure vlan-translation add member-vlan configure vlan-translation delete loopback-port configure vlan-translation delete member-vlan configure vman add ports cep configure vman add ports configure vman delete ports Layer 2 Basics 87

configure vman ethertype configure vman ports add cvid configure vman ports delete cvid configure vman protocol configure vman tag configure vpls peer l2pt profile create fdb mac-tracking entry create fdbentry vlan ports create l2pt profile create private-vlan create protocol create vlan create vman delete fdb mac-tracking entry delete fdbentry delete l2pt profile delete private-vlan delete protocol delete vlan delete vman disable dot1p examination inner-tag ports disable fdb static-mac-move disable flooding ports disable learning iparp sender-mac disable learning port disable loopback-mode vlan disable snmp traps fdb mac-tracking disable vlan disable vman cep egress filtering ports enable dot1p examination inner-tag port enable fdb static-mac-move enable flooding ports enable learning iparp sender-mac enable learning port enable loopback-mode vlan enable snmp traps fdb mac-tracking enable vlan enable vman cep egress filtering ports show fdb mac-tracking configuration show fdb mac-tracking statistics show fdb static-mac-move configuration show fdb stats Layer 2 Basics 88

show fdb show l2pt profile show l2pt show ports protocol filter show private-vlan <name> show private-vlan show protocol show vlan show vlan description show vlan l2pt show vman show vman eaps show vman ethertype show vman l2pt unconfigure vlan description unconfigure vlan ipaddress unconfigure vman ethertype clear counters fdb mac-tracking clear counters fdb mac-tracking [mac_addr all] Description Clears the event counters for the FDB MAC-tracking feature. Syntax Description mac_addr all Specifies a MAC address, using colon-separated bytes. Clears the counters for all tracked MAC addresses. N/A. Usage Guidelines The clear counters command also clears the counters for all tracked MAC addresses. Layer 2 Basics 89

Example The following example clears the counters for all entries in the MAC address tracking table: Switch.1 # clear counters fdb mac-tracking all History This command was first available in ExtremeXOS 12.3. Platform Availability This command is available on all platforms. clear counters ports protocol filter clear counters ports {port_list all} protocol filter Description Clears protocol filtering counters. Syntax Description port_list Specifies the port list is separated by a comma (, ) or dash ( - ). all Specifies all ports Disabled. Usage Guidelines Use this command to clear protocol filtering counters. Example The following example clears all protocol filtering counters: clear counters ports protocol filter The following example clears protocol filtering counters on ports 1-5: clear counters ports 1-5 protocol filter Layer 2 Basics 90

History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. clear fdb clear fdb {mac_addr ports port_list vlan vlan_name blackhole} Description Clears dynamic FDB entries that match the filter. Syntax Description mac_addr port_list vlan_name blackhole Specifies a MAC address, using colon-separated bytes. Specifies one or more ports or slots and ports. Specifies a VLAN name. Specifies the blackhole entries. All dynamic FDB entries are cleared by default. Usage Guidelines This command clears FDB entries based on the specified criteria. When no options are specified, the command clears all dynamic FDB entries. Example The following example clears any FDB entries associated with ports 4:3-4:5 on a modular switch: clear fdb ports 4:3-4:5 The following example clears any FDB entries associated with VLAN corporate: clear fdb vlan corporate History This command was first available in ExtremeXOS 10.1. Layer 2 Basics 91

Platform Availability This command is available on all platforms. clear l2pt counters vlan clear l2pt counters {[vlan vman] vlan_name {ports port_list}} Description Clears L2PT VLAN counters. Syntax Description vlan vman vlan_name ports port_list Optionally clears counters only on a specific VLAN. Optionally clears counters only on a specific VMAN. Specifies the VLAN name. Optionally clears counters only on specific ports of the VLAN/VMAN. The port list is separated by a comma (, ) or dash ( - ). Disabled. Usage Guidelines Use this command to clear L2PT VLAN counters. Example The following example clears all L2PT counters: clear l2pt counters The following example clears L2PT counters on VLAN vlan1: clear l2pt counters vlan vlan1 History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. Layer 2 Basics 92

clear l2pt counters vman clear l2pt counters {[vlan vman] vlan_name {ports port_list}} Description Clears L2PT VMAN counters. Syntax Description vlan vman vlan_name ports port_list Optionally clears counters only on a specific VLAN. Optionally clears counters only on a specific VMAN. Specifies the VLAN name. Optionally clears counters only on specific ports of the VLAN/VMAN. The port list is separated by a comma (, ) or dash ( - ). Disabled. Usage Guidelines Use this command to clear L2PT VMAN counters. Example The following example clears all L2PT counters: clear l2pt counters The following example clears L2PT counters on VMAN vlan2: clear l2pt counters vman vlan2 History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. clear l2pt counters vpls clear l2pt counters {[vpls vpls_name {peer ipaddress} vpws vpws_name]} Layer 2 Basics 93

Description Clears L2PT counters. Syntax Description vpls vpls_name peer ipaddress vpws vpws_name Optionally clears counters only on a specific VPLS. Alpha numeric string identifying VPLS VPN. Optionally clears counters only on a specific peer of the VPLS. The variable specifies an IPv4 address. Optionally clears counters only on a specific VPWS. The variable is an alphanumeric string identifying the VPWS VPN. Disabled. Usage Guidelines Use this command to clear L2PT counters. Example The following example clears L2PT counters on peer 1.1.1.1 of VPLS vpls1: clear l2pt counters vpls vpls1 peer 1.1.1.1 History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. create l2pt profile create l2pt profile profile_name Description Creates an L2PT profile. Layer 2 Basics 94

Syntax Description l2pt profile profile_name Creates a Layer 2 protocol tunneling profile. Profile that defines L2PT configuration for L2 protocols. Specifies a profile name (maximum 32 characters). Disabled. Usage Guidelines Use this command to create an L2PT profile. Example The following example create a new L2PT profile named "my_l2pt_prof": create l2pt profile my_l2pt_prof History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure fdb agingtime configure fdb agingtime seconds Description Configures the FDB aging time for dynamic entries. Syntax Description agingtime seconds If agingtime is set to 0, all aging entries in the database are defined as static, nonaging entries. Specifies the FDB aging time, in seconds. A value of 0 indicates that the entry should never be aged out. All other platforms support the value 0 (no aging) and a range of 15 to 1,000,000 seconds. Layer 2 Basics 95

N/A. Usage Guidelines If the aging time is set to 0 (zero), all dynamic entries in the database become static, nonaging entries. This means that they do not age out, but non-permanent static entries can be deleted if the switch is reset. For all platforms except BlackDiamond 8900 xl-series modules and Summit X480 switches, the software flushes the FDB table once the aging timeout parameter is reached, even if the switch is running traffic and populating addresses in the FDB table. For BlackDiamond 8900 xl-series modules and Summit X480 switches, the hardware flushes the FDB table at periods based on the configured software aging time. The actual hardware aging time does not exactly match the software aging time and can be as high as twice the configured software aging time. Example The following example sets the FDB aging time to 3,000 seconds: configure fdb agingtime 3000 History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. configure fdb mac-tracking ports configure fdb mac-tracking {[add delete]} ports [port_list all] Description Enables or disables MAC address tracking for all MAC addresses on the specified ports. Syntax Description add delete port_list all Enables MAC address tracking for the specified ports. Disables MAC address tracking for the specified ports. Specifies a list of ports on which MAC address tracking is to be enabled or disabled. Specifies that MAC address tracking is to be enabled or disabled on all ports. Layer 2 Basics 96

No ports are enabled for MAC address tracking. Usage Guidelines MAC address tracking events on enabled ports generate EMS messages and can optionally generate SNMP traps. Note When a MAC address is configured in the tracking table, but detected on a MAC tracking enabled port, the per MAC address statistical counters are not updated. Example The following example enables MAC address tracking for all MAC addresses on port 2:1: configure fdb mac-tracking add ports 2:1 History This command was first available in ExtremeXOS 12.4. Platform Availability This command is available on all platforms. configure fdb static-mac-move packets configure fdb static-mac-move packets count Description Configures the number of EMS and SNMP reports that can be generated each second for MAC addresses that are duplicates of statically configured MAC addresses. Syntax Description count Specifies the number of duplicate MAC address events that are reported each second. The range is 1 to 25. 2. Layer 2 Basics 97

Usage Guidelines None. Example The following example configures the switch to report up to five duplicate MAC address events per second: configure fdb static-mac-move packets 5 History This command was first available in ExtremeXOS 12.7. Platform Availability This command is available only on the Summit family switches. configure l2pt encapsulation dest-mac configure l2pt encapsulation dest-mac mac_address Description Configures the destination address MAC that L2PT encapsulated packets use. Syntax Description encapsulation dest-mac mac_addr Specifies Layer 2 protocol tunneling encapsulation. Specifies the destination MAC address to use for encapsulated PDUs. Specifies the MAC address. Usage Guidelines NA Example The following example sets the L2PT destination address MAC to 01:00:00:01:01:02: configure l2pt encapsulation dest-mac 01:00:00:01:01:02 Layer 2 Basics 98

History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure l2pt profile add profile configure l2pt profile profile_name add protocol filter filter_name {action [tunnel {cos cos} encapsulate none]} Description Adds an entry to an L2PT profile. Syntax Description profile profile_name add protocol filter filter_name action tunnel cos cos encapsulate none Specifies the profile that defines L2PT configuration for L2 protocols. Adds the specified Layer 2 protocol filter. Specifies the action to perform on PDUs of the protocol (the default value is tunnel). Specifies to tunnel PDUs through the network. Specifies to override the class of service for tunneled PDUs, and specifies the class of service value to use for tunneling PDUs. Specifies to encapsulate PDUs at egress, and decapsulate L2PT packets at ingress. Specifies to not participate in tunneling for this protocol. Disabled. Usage Guidelines Use this command to add an entry to an L2PT profile. Example The following example adds an entry to my_l2pt_prof to tunnel protocols in "mylistt" at cos 2: configure l2pt profile my_l2pt_prof add protocol filter mylist action tunnel cos 2 Layer 2 Basics 99

The following example adds an entry to my_l2pt_prof to encapsulate/decapsulate protocols in "mylist": configure l2pt profile my_l2pt_prof add protocol filter mylist action encapsulate The following example adds an entry to my_l2pt_prof that is in use by 2 services: configure l2pt profile my_l2pt_prof add protocol filter mylist History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure l2pt profile delete profile configure l2pt profile profile_name delete protocol filter filter_name Description Deletes an entry to an L2PT profile. Syntax Description profile profile_name delete protocol filter filter_name Specifies the profile that defines L2PT configuration for L2 protocols. Deletes the specified Layer 2 protocol filter. Disabled. Usage Guidelines Use this command to delete an entry to an L2PT profile. Example The following example deletes the entry for "mylist" from my_l2pt_prof: configure l2pt profile my_l2pt_prof delete protocol filter mylist Layer 2 Basics 100

The following example deletes the entry entry for "mylist" from my_l2pt_prof that is in use by a service: configure l2pt profile my_l2pt_prof delete protocol filter mylist History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure port ethertype configure port port_list ethertype {primary secondary} Description Assigns the primary or secondary ethertype value to the specified ports. Syntax Description port_list primary secondary Specifies the list of ports to be configured. Assigns the primary ethertype value to the specified ports. Assigns the secondary ethertype value to the specified ports. N/A. Usage Guidelines None. Example The following example configures port 2:1 to use the secondary ethertype: configure port 2:1 ethertype secondary History This command was first available in ExtremeXOS 12.0. Layer 2 Basics 101

Platform Availability This command is available on all platforms. configure ports l2pt profile configure [vlan vman] vlan_name ports port_list l2pt profile [none profile_name] Description Configures L2PT profiles on service interfaces. Syntax Description vlan Specifies the VLAN configuration. vman Specifies the VMAN configuration. vlan_name Specifies the VLAN name. ports port_list Specifies the port and port list separated by a comma (, ) or dash ( - ). profile Specifies the L2PT profile for the ports. none Specifies that no L2PT profile should be bound to the ports (default). profile_name Specifies the L2PT profile to be bound to the ports. Disabled. Usage Guidelines Use this command to configure L2PT profiles on service interfaces. Example The following example binds my_l2pt_prof with ports 2 and 5 of VMAN cust1: configure vman cust1 ports 2,5 l2pt profile my_l2pt_prof The following example binds my_l2pt_prof with ports 2 and 5 of VMAN cust1. Port 5 is not a part of VMAN cust1: configure vman cust1 ports 2,5 l2pt profile my_l2pt_prof Error: Port 5 is not part of the service. History This command was first available in ExtremeXOS 15.5. Layer 2 Basics 102

Platform Availability This command is available on all platforms. configure ports protocol filter configure ports [port_list all] protocol filter [none filter_name] Description Configures protocol filtering on a port. Syntax Description port_list Specifies the port list separated by a comma (, ) or dash ( - ). all protocol filter none filter_name Specifies all ports. Specifies the protocol filter. Specifies to not perform protocol filtering on specified ports. Specifies the protocol filter name. Disabled. Usage Guidelines Use this command to configure protocol filtering on a port. Example The following example unbinds the L2PT profile from peer 1.1.1.1 of VPLS cust2: configure l2vpn vpls cust2 peer 1.1.1.1 l2pt profile none The following example enables filtering of protocols in my_list on port 1: configure ports 1 protocol filter "my_list" The following example disables protocol filtering on port 7: configure ports 7 protocol filter none History This command was first available in ExtremeXOS 15.5. Layer 2 Basics 103

Platform Availability This command is available on all platforms. configure private-vlan add network configure private-vlan name add network vlan_name Description Adds the specified VLAN as the network VLAN on the specified PVLAN. Syntax Description name vlan_name Specifies the name of the PVLAN to which the VLAN is added. Specifies a VLAN to add to the PVLAN. N/A. Usage Guidelines The VLAN must be created and configured with a tag before it is added to the PVLAN. Example The following example adds VLAN "sharednet" as the network VLAN for the PVLAN named "companyx": configure private-vlan companyx add network sharednet History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. The features and the platforms that support them are listed in the Feature License Requirements document. configure private-vlan add subscriber configure private-vlan name add subscriber vlan_name {non-isolated} {loopbackport port} Layer 2 Basics 104

Description Adds the specified VLAN as a subscriber VLAN on the specified PVLAN. Syntax Description name vlan_name non-isolated port Specifies the name of the PVLAN to which the VLAN is added. Specifies a VLAN to add to the PVLAN. Configures the subscriber VLAN as a non-isolated subscriber VLAN. Specifies the port that serves as the loopback port. If the non-isolated option is omitted, this command adds the specified VLAN as an isolated subscriber VLAN. Usage Guidelines The VLAN must be created and configured with a tag before it is added to the PVLAN. If the nonisolated option is omitted, the VLAN is added as an isolated subscriber VLAN. If the non-isolated option is included, the VLAN is added as an non-isolated subscriber VLAN. The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit family switches, whether or not included in a SummitStack. If two or more subscriber VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the subscriber VLANs with overlapping ports must have a dedicated loopback port. Example The following example adds VLAN "restricted" as a subscriber VLAN for the PVLAN named "companyx": configure private-vlan companyx add subscriber restricted isolated History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. configure private-vlan delete configure private-vlan name delete [network subscriber] vlan_name Layer 2 Basics 105

Description Deletes the specified VLAN from the specified PVLAN. Syntax Description name network subscriber vlan_name Specifies the name of the PVLAN from which the VLAN is deleted. Specifies that the VLAN to be deleted is a network VLAN. Specifies that the VLAN to be deleted is a subscriber VLAN. Specifies the VLAN to delete from the PVLAN. N/A. Usage Guidelines This command deletes a VLAN from a PVLAN, but it does not delete the VLAN from the system it just breaks the link between the VLAN and the PVLAN. You can use this command to delete both network and subscriber VLANs. Example The following example deletes network VLAN "sharednet "from the PVLAN named "companyx": configure private-vlan companyx delete network sharednet History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. configure protocol add configure protocol {filter} filter_name add [etype llc snap] hex {[etype llc snap] hex} Description Configures a user-defined protocol filter. Layer 2 Basics 106

Syntax Description filter filter_name add delete etype llc snap hex Configures a protocol filter. Specifies a protocol filter name. Specifies that you add a protocol. Specifies that you delete a protocol. Specifies an ethertype protocol. Specifies LLC protocol. Specifies SNAP protocol. Specifies a four-digit hexadecimal number between 0 and FFFF that represents: The Ethernet protocol type taken from a list maintained by the IEEE. The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP). The SNAP-encoded Ethernet protocol type. N/A. Usage Guidelines Supported protocol types include: etype IEEE Ethertype. llc LLC Service Advertising Protocol. snap Ethertype inside an IEEE SNAP packet encapsulation. A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined. The protocol filter must already exist before you can use this command. Use the create protocol command to create the protocol filter. No more than seven protocols can be active and configured for use. Note Protocol-based VLAN for Etype from 0x0000 to 0x05ff are not classifying as per filter. When traffic arrive with these Etypes, it is classifed to native VLAN rather protocol-based VLAN. Example The following example adds MPLS to "my_filter": configure protocol my_filter add etype 0x8847 configure protocol filter my_filter add etype 0x8847 Layer 2 Basics 107

The following example deletes MPLS from "my_other_filter": configure protocol my_other_filter delete etype 0x8847 configure protocol filter my_other_filter delete etype 0x8847 History This command was first available in ExtremeXOS 10.1. The filter keyword and options were added in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure protocol delete configure protocol name delete [etype llc snap] hex {[etype llc snap] hex}... Description Deletes the specified protocol type from a protocol filter. Syntax Description name hex Specifies a protocol filter name. Specifies a four-digit hexadecimal number between 0 and FFFF that represents: The Ethernet protocol type taken from a list maintained by the IEEE. The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP). The SNAP-encoded Ethernet protocol type. N/A. Usage Guidelines Supported protocol types include: etype IEEE Ethertype. llc LLC Service Advertising Protocol. snap Ethertype inside an IEEE SNAP packet encapsulation. Layer 2 Basics 108

Example The following example deletes protocol type LLC SAP with a value of FEFF from protocol "fred": configure protocol fred delete llc feff History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. configure protocol filter configure protocol filter filter_name [add delete] dest-mac mac_address {[etype llc snap] hex} {field offset offset value value {mask mask}} Description Configures the destination address as well as an arbitrary field of the protocol. Syntax Description filter_name add delete dest-mac mac_address etype llc snap hex field offset Specifies a protocol filter name. Specifies that you add a protocol. Specifies that you delete a protocol. Specifies the destination MAC address used by PDUs of the protocol. Specifies the MAC address. Specifies the EtherType used by PDUs of the protocol. Specifies the LLC DSAP and SSAP used by PDUs of the protocol. Specifies the SNAP protocol identifier used by PDUs of the protocol. Specifies a four-digit hexadecimal number between 0 and FFFF that represents: The Ethernet protocol type taken from a list maintained by the IEEE. The DSAP/SSAP combination created by concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP). The SNAP-encoded Ethernet protocol type. Specifies a field used by PDUs of the protocol. Specifies the offset of the field from the start of the PDU. Layer 2 Basics 109

value value mask mask Specifies the value of the field in hexadecimal (for example, A1:B2:0C. Maximum 16 bytes). Specifies the mask for the field in hexadecimal (for example, FF:FF:0F. Maximum 16 bytes). N/A. Usage Guidelines Supported protocol types include: etype IEEE Ethertype. llc LLC Service Advertising Protocol. snap Ethertype inside an IEEE SNAP packet encapsulation. A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined. The protocol filter must already exist before you can use this command. Use the create protocol command to create the protocol filter. No more than seven protocols can be active and configured for use. Note Protocol-based VLAN for Etype from 0x0000 to 0x05ff are not classifying as per filter. When traffic arrive with these Etypes, it is classifed to native VLAN rather protocol-based VLAN. Example The following example LACP to the protocol list "mylist": configure protocol mylist add dest-mac 01:80:C2:00:00:02 etype 0x8809 field offset 14 value 01 mask FF The following example removes EFM OAM from the protocol list "mylist": configure protocol filter mylist delete dest-mac 01:80:C2:00:00:02 etype 0x8809 field offset 14 value 03 mask FF The following example configures a mismatched mask and value: configure protocol mylist delete dest-mac 01:80:C2:00:00:02 etype 0x8809 field offset 14 value 03 mask FF:FF Error: The length of the field value is not the same as the field mask. Layer 2 Basics 110

History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure vlan add ports private-vlan translated Translation from network VLAN tag to each subscriber VLAN tag is done by default in a private VLAN. configure {vlan} vlan_name add ports port_list private-vlan translated Description Adds the specified ports to the specified network VLAN and enables tag translation for all subscriber VLAN tags to the network VLAN tag. Syntax Description vlan_name port_list Specifies the network VLAN to which the ports are added. Specifies the ports to be added to the network VLAN. N/A. Usage Guidelines This command is allowed only when the specified VLAN is configured as a network VLAN on a PVLAN. Example The following example adds port 2:1 to VLAN sharednet and enables VLAN translation on that port: configure sharednet add ports 2:1 private-vlan translated History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. Layer 2 Basics 111

configure vlan add ports configure {vlan} vlan_name add ports [port_list all] {tagged tag untagged} {{stpd} stpd_name} {dot1d emistp pvst-plus}} Description Adds one or more ports in a VLAN. Syntax Description vlan_name port_list all tagged tag untagged stpd_name dot1d emistp pvst-plus Specifies a VLAN name. Specifies a list of ports or slots and ports. Specifies all ports. Specifies the ports should be configured as tagged. Specifies the ports should be configured as untagged. Specifies an STP domain name. Specifies the BPDU encapsulation mode for these STP ports. Untagged. Usage Guidelines The VLAN must already exist before you can add (or delete) ports: use the create vlan command to create the VLAN. If the VLAN uses 802.1Q tagging, you can specify tagged or untagged port(s). If the VLAN is untagged, the ports cannot be tagged. Untagged ports can only be a member of a single VLAN. By default, they are members of the default VLAN (named ). In order to add untagged ports to a different VLAN, you must first remove them from the default VLAN. You do not need to do this to add them to another VLAN as tagged ports. If you attempt to add an untagged port to a VLAN prior to removing it from the default VLAN, you see the following error message: Error: Protocol conflict when adding untagged port 1:2. Either add this port as tagged or assign another protocol to this VLAN. Note This message is not displayed if keyword all is used as port_list. The ports that you add to a VLAN and the VLAN itself cannot be explicitly assigned to different virtual routers (VRs). When multiple VRs are defined, consider the following guidelines while adding ports to a VLAN: Layer 2 Basics 112

A VLAN can belong (either through explicit or implicit assignment) to only one VR. If a VLAN is not explicitly assigned to a VR, then the ports added to the VLAN must be explicitly assigned to a single VR. If a VLAN is explicitly assigned to a VR, then the ports added to the VLAN must be explicitly assigned to the same VR or to no VR. If a port is added to VLANs that are explicitly assigned to different VRs, the port must be explicitly assigned to no VR. Note User-created VRs are supported only on the platforms listed for this feature in in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR- and cannot be moved. Refer to STP Commands for more information on configuring Spanning Tree Domains. Note If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message. Beginning with ExtremeXOS 11.4, the system returns the following message if the ports you are adding are already EAPS primary or EAPS secondary ports: WARNING: Make sure Vlan1 is protected by EAPS. Adding EAPS ring ports to a VLAN could cause a loop in the network. Do you really want to add these ports? (y/n) Example The following example assigns tagged ports 1:1, 1:2, 1:3, and 1:6 to a VLAN named "accounting": configure vlan accounting add ports 1:1, 1:2, 1:3, 1:6 tagged History This command was first available in ExtremeXOS 10.1. The tagged keyword was added in ExtremeXOS 15.4. Platform Availability This command is available on all platforms. configure vlan delete ports configure {vlan} vlan_name delete ports [all port_list {tagged tag}] Description Deletes one or more ports in a VLAN. Layer 2 Basics 113

Syntax Description vlan_name all port_list tagged tag Specifies a VLAN name. Specifies all ports. Specifies a list of ports or slots and ports. Specifies the port-specific VLAN tag. When there are multiple ports specified using port_list, the same tag is used for all of them. When unspecified, the port tag is equal to the VLAN tag. Usage Guidelines Specify port tag to delete a VLAN port that has a different tag from the VLAN tag. Example The following example removes ports 1:1, 1:2, 4:3, and 5:6 on a modular switch from a VLAN named accounting: configure accounting delete port 1:1, 1:2, 4:3, 5:6 The following example deletes a VLAN port with tag 10: create vlan exchange tag 100 config vlan exchange del ports 3 tag 10 The following example deletes a VLAN port tag of 10 on two ports: create vlan exchange tag 100 config vlan exchange d ports 3,4 tag 10 History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. configure vlan description configure {vlan} vlan_name description [vlan-description none] Layer 2 Basics 114

Description Configures a description for the specified VLAN. Syntax Description vlan_name vlan-description none Specifies the VLAN name. Specifies a VLAN description (up to 64 characters) that appears in show vlan commands and can be read from the ifalias MIB object for the VLAN. This keyword removes the configured VLAN description. By default, the VLAN has no description. Usage Guidelines The VLAN description must be in quotes if the string contains any space characters. If a VLAN description is configured for a VLAN that already has a description, the new description replaces the old description. Example The following example assigns the description "Campus A" to VLAN vlan1: configure vlan vlan1 description Campus A History This command was first available in ExtremeXOS 12.4.4. Platform Availability This command is available on all platforms. configure vlan ipaddress configure {vlan} vlan_name ipaddress [ipaddress {ipnetmask} ipv6-link-local {eui64} ipv6_address_mask] Description Assigns an IPv4 address and an optional subnet mask or an IPv6 address to the VLAN. Beginning with ExtremeXOS 11.2, you can specify IPv6 addresses. You can assign either an IPv4 address, and IPv6 Layer 2 Basics 115

address, or both to the VLAN. Beginning with ExtremeXOS 11.3, you can use this command to assign an IP address to a specified VMAN and enable multicasting on that VMAN. Note You can also use this command to assign an IP address to a VMAN on all platforms that support the VMAN feature. For information on which software licenses and platforms support the VMAN feature, see the Feature License Requirements document. Syntax Description vlan_name ipaddress Specifies a VLAN name. Specifies an IPv4 address. ipnetmask Specifies an IPv4 subnet mask in dotted-quad notation (for example, 255.255.255.0). ipv6-link-local eui64 ipv6_address_mask Specifies IPv6 and configures a link-local address generated by combining the standard link-local prefix with the automatically generated interface in the EUI-64 format. Using this option automatically generates an entire IPv6 address; this address is only a link-local, or VLAN-based, IPv6 address; that is, ports on the same segment can communicate using this IP address and do not have to pass through a gateway. Specifies IPv6 and automatically generates the interface ID in the EUI-64 format using the interface s MAC address. Once you enter this parameter, you must add the following variables: ipv6_address_mask. Use this option when you want to enter the 64-bit prefix and use a EUI-64 address for the rest of the IPv6 address. Specify the IPv6 address in the following format: x:x:x:x:x:x:x:x/prefix length, where each x is the hexadecimal value of one of the 8 16-bit pieces of the 128-bit wide address. N/A. Usage Guidelines The VLAN must already exist before you can assign an IP address; use the create vlan command to create the VLAN (also the VMAN must already exist). Note If you plan to use the VLAN as a control VLAN for an EAPS domain, do NOT configure the VLAN with an IP address. See IP Unicast Commands for information on adding secondary IP addresses to VLANs. Beginning with ExtremeXOS 11.2, you can specify IPv6 addresses. See IPv6 Unicast Routing for information on IPv6 addresses. Beginning with ExtremeXOS 11.3, you can assign an IP address (including IPv6 addresses) to a VMAN. Beginning with version 11.4, you can enable multicasting on that VMAN. To enable multicasting on the specified VMAN once you assigned an IP address, take the following steps: Layer 2 Basics 116

1 Enable IP multicast forwarding. 2 Enable and configure multicasting. Example The following examples are equivalent; both assign an IPv4 address of 10.12.123.1 to a VLAN named "accounting": configure vlan accounting ipaddress 10.12.123.1/24 configure vlan accounting ipaddress 10.12.123.1 255.255.255.0 The following example assigns a link local IPv6 address to a VLAN named management: configure vlan accounting ipaddress ipv6-link-local History This command was first available in ExtremeXOS 10.1. The IPv6 parameters were added in ExtremeXOS 11.2. Platform Availability This command is available on all platforms. configure vlan name configure {vlan} vlan_name name name Description Renames a previously configured VLAN. Syntax Description vlan_name name Specifies the current (old) VLAN name. Specifies a new name for the VLAN. N/A. Usage Guidelines You cannot change the name of the default VLAN. Layer 2 Basics 117

For information on VLAN name requirements and a list of reserved keywords, see Object Names. Note If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message. Example The following example renames VLAN vlan1 to engineering: configure vlan vlan1 name engineering History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. configure vlan protocol configure {vlan} vlan_name protocol {filter}filter_name Description Configures a VLAN to use a specific protocol filter. Syntax Description vlan_name protocol filter protocol_name Specifies a VLAN name. Specifies a protocol filter. Specifies a protocol filter. Specifies a protocol filter name. This can be the name of a predefined protocol filter, or one you define.the following protocol filters are predefined: IP, IPv6, IPX, NetBIOS, DECNet, IPX_8022, IPX_SNAP, AppleTalk. Using any indicates that this VLAN should act as the default VLAN for its member ports. Protocol any. Layer 2 Basics 118

Usage Guidelines If the keyword any is specified, all packets that cannot be classified into another protocol-based VLAN are assigned to this VLAN as the default for its member ports. Use the configure protocol command to define your own protocol filter. Protocol Filters on BlackDiamond 8800 Series Switches, SummitStack, and the Summit Family Switches Only These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to any and define other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets pass on the any VLAN, and the other protocols pass traffic on their specific protocol-based VLANs. Example The following example configures the protocol filter "my_filter" to vlan v1: configure vlan v1 protocol "my_filter" configure vlan v1 protocol filter "my_filter" History This command was first available in ExtremeXOS 10.1. The IPv6 parameter was added in ExtremeXOS 11.2. The filter keyword was added in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure vlan tag configure {vlan} vlan_name tag tag {remote-mirroring} Description Assigns a unique 802.1Q tag to the VLAN. Syntax Description vlan_name Specifies a VLAN name. tag Specifies a value to use as an 802.1Q tag. The valid range is from 2 to 4095. remote-mirroring Specifies that the tagged VLAN is for remote mirroring. Layer 2 Basics 119

The default VLAN uses an 802.1Q tag (and an internal VLANid) of 1. Usage Guidelines If any of the ports in the VLAN use an 802.1Q tag, a tag must be assigned to the VLAN. The valid range is from 2 to 4094 (tag 1 is assigned to the default VLAN, and tag 4095 is assigned to the management VLAN). The 802.1Q tag is also used as the internal VLANid by the switch. You can specify a value that is currently used as an internal VLANid on another VLAN; it becomes the VLANid for the VLAN you specify, and a new VLANid is automatically assigned to the other untagged VLAN. Example The following command assigns a tag (and internal VLANid) of 120 to a VLAN named accounting: configure accounting tag 120 History This command was first available in ExtremeXOS 10.1. The remote-mirroring option was added in ExtremeXOS 12.1. Platform Availability This command is available on all platforms. configure vlan-translation add loopback-port configure {vlan} vlan_name vlan-translation add loopback-port port Description Adds the specified port as a loopback port for the specified member VLAN. Syntax Description vlan_name port Specifies the name of the member VLAN to which you want to add the loopback port. Specifies the port that serves as the loopback port. Layer 2 Basics 120

N/A. Usage Guidelines The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the member VLANs with overlapping ports must have a dedicated loopback port. The loopback port can be added to the member VLAN when the member VLAN is created, or you can use this command to add the loopback port at a later time. Example The following example adds port 2:1 as a loopback port for the member VLAN leafvlan: configure leafvlan vlan-translation add loopback-port 2:1 History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document. configure vlan-translation add member-vlan configure {vlan} vlan_name vlan-translation add member-vlan member_vlan_name {loopback-port port} Description Adds a member VLAN to a translation VLAN. Syntax Description vlan_name member_vlan_name port Specifies the name of the translation VLAN to which you want to add the member VLAN. Specifies the member VLAN to be added to the translation VLAN. Specifies the port that serves as the loopback port. Layer 2 Basics 121

N/A. Usage Guidelines This command configures VLAN tag translation between the two VLANs specified. The member VLAN is added to the list maintained by translation VLAN. A translation VLAN can have multiple member VLANs added to it. The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each of the member VLANs with overlapping ports must have a dedicated loopback port. Example The following example adds member VLAN leafvlan to the translation VLAN branchvlan: configure branchvlan vlan-translation add member-vlan leafvlan History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document. configure vlan-translation delete loopback-port configure {vlan} vlan_name vlan-translation delete loopback-port Description Deletes the loopback port from the specified member VLAN. Syntax Description vlan_name Specifies the name of the member VLAN from which you want to delete the loopback port. N/A. Layer 2 Basics 122

Usage Guidelines This command disables and deletes the loopback port from the specified member VLAN. This command does not delete the member VLAN. Example The following example deletes the loopback port from the member VLAN leafvlan: configure leafvlan vlan-translation delete loopback-port History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document. configure vlan-translation delete member-vlan configure {vlan} vlan_name vlan-translation delete member-vlan [member_vlan_name all] Description Deletes one or all member VLANs from a translation VLAN. Syntax Description vlan_name member_vlan_name all Specifies the name of the translation VLAN from which you want to delete the member VLAN. Specifies the member VLAN to be deleted from the translation VLAN. Deletes all member VLANs from the specified translation VLAN. N/A. Usage Guidelines This command removes the link between the translation VLAN and the specified member VLANs, but it does not remove the VLANs from the switch. Layer 2 Basics 123

Example The following example deletes member VLAN leafvlan from the translation VLAN branchvlan: configure branchvlan vlan-translation delete member-vlan leafvlan History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the VLAN Translation feature. For features and the platforms that support them, see the Feature License Requirements document. configure vman add ports cep configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}} Description Adds one or more switch ports to the specified VMAN as Customer Edge Ports (CEPs), and configures the CVIDs on those ports to map to the VMAN. Syntax Description vman_name port_list cvid_first cvid_last translate cvid_first_xlate cvid_last_xlate Specifies the VMAN to configure. Specifies a list of ports. Specifies a CVLAN ID (CVID) or the first in a range of CVIDs that the CEP will accept and map to the specified VMAN. Valid values are 1-4095. Specifies the last in a range of CVIDs that the CEP will accept and map to the VMAN. Valid values are 1-4095. Enables translation of the specified CEP CVID range to the specified VMAN CVID range. Specifies a VMAN CVID or the first in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095. Specifies the last in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095. The number of VMAN CVIDs in this range must equal the number of CEP CVIDs specified in this command. N/A. Layer 2 Basics 124

Usage Guidelines If you specify only one CVID or a range of CVIDs without translation, the specified CVIDs are mapped to the specified VMAN and appear unchanged in the VMAN. If you specify CVID translation, the CEP CVIDs map to different VMAN CVIDs. The number of CEP CVIDs specified must equal the number of VMAN CVIDs specified. The first CEP CVID in the specified range maps to the first CVID in the range specified for the VMAN. The difference between cvid_first and cvid_first_xlate establishes an offset N that maps CEP CVIDs to VMAN CVIDs. (Offset N = cvid_first_xlate - cvid_first.) The translated VMAN CVID that corresponds to a CEP CVID can be determined as follows: VMAN CVID = CEP CVID + N Note CVID translation can reduce the number of CVIDs that can be mapped to VMANs. After you enable and configure a CEP with this command, you can use the following command to map additional CVIDs on the port to the VMAN: configure vman vman_name ports port_list add cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}} When this command specifies multiple ports, each port gets an independent CVID map; the ports do not share a common map. Changes to the CVID map affect only the ports specified in the configuration command. For example, consider the following commands: configure vman vman1 add port 1-2 cep cvid 10 configure vman vman1 port 1 add cvid 11 After these commands are entered, port 1 maps CVIDs 10 and 11 to VMAN vman1, and port 2 maps only CVID 10 to vman1. You can add the same port as a CEP to multiple VMANs. A port can also support multiple VMANs in different roles as shown in Table 4: Port Support for Combined VMAN Roles and VLANs on page 128. To view the CEP CVID configuration for a port, use the show vman command. Example The following example configures port 1 as a CEP for VMAN vman1 and specifies that CEP CVID 5 maps to CVID 5 on the VMAN: configure vman vman1 add port 1 cep cvid 5 The following example configures port 1 as a CEP for VMAN vman1 and enables the port to translate CEP CVIDs 10-19 to VMAN CVIDs 20-29: configure vman vman1 add port 1 cep cvid 10-19 translate 20-29 Layer 2 Basics 125

History This command was first available in ExtremeXOS 12.6. Platform Availability This command is available on BlackDiamond X8, BlackDiamond 8800 series switches and Summit family switches The CVID translation feature is available only on BlackDiamond X8, BlackDiamond 8900 c-, xl-, and xmseries modules and Summit X440, X460, X480, X670 and X770 series switches. configure vman add ports configure vman vman-name add ports [ all port_list ] {untagged {port-cvid port_cvid} tagged} Description Adds one or more ports to a VMAN. Syntax Description vman-name all port_list untagged tagged port_cvid Specifies the VMAN to configure. Specifies all switch ports. Specifies a list of ports. Configures the specified ports as Customer Network Ports (CNPs). Configures the specified ports as Provider Network Ports (PNPs), which are also called VMAN network ports. Port's CVID used for untagged packets. If unspecified, untagged packets will be single tagged with the VMAN's SVID. If specified, untagged packets will be double tagged with the VMAN's SVID and the port's CVID. If you do not specify a parameter, the default value is untagged, which creates a CNP. Usage Guidelines This command adds ports as either CNPs or PNPs. To add a port to a VMAN as a CEP, use the following command: configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}} The VMAN must already exist before you can add (or delete) ports. VMAN ports can belong to loadsharing groups. Layer 2 Basics 126

When a port is configured serve as a CNP for one VMAN and A PNP for another VMAN, it inspects the VMAN ethertype in received packets. Packets with a matching ethertype are treated as tagged and switched across the associated PNP VMAN. Packets with a non-matching ethertype are treated as untagged and forwarded into the associated CNP VMAN. When a port is configured only as a CNP (an untagged VMAN member), whether the VMAN ethertype is 0x8100 or otherwise, all received packets ingress the associated VMAN regardless of the packet's tagging. Note If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message. The following guidelines apply to all platforms: You must enable or disable jumbo frames before configuring VMANs. You can enable or disable jumbo frames on individual ports or modules, or on the entire switch. See Configuring Ports on a Switch for more information on configuring jumbo frames. Each port can serve in only one VMAN role per VMAN. When multiple roles are configured on a port, each role must be configured for a different VMAN. Multiple VMAN roles can be combined on one port with certain VLAN types as shown in the following table. 5 Subsets of this group are also supported. That is, any two of these items are supported. 6 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 7 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. Layer 2 Basics 127

Table 4: Port Support for Combined VMAN Roles and VLANs Platform Combined CNP, CEP, and Tagged VLAN 5, 6 Combined PNP, CNP, and CEPa, b, 7 Combined PNP and Tagged VLAN Summit X440, X460, X480, X670 and X770 X X X 8 X BlackDiamond 8500 and 8800 c-, and e-series modules BlackDiamond X8 series switches and BlackDiamond 8900 c-, xl-, and xm-series modules X X Xd X X X Xe X Combined PNP and Untagged VLAN Note If you already configured VLANs and VMANs on the same module or stand-alone switch using ExtremeXOS 11.4, you cannot change the VMAN ethertype from 0X8100 without first removing either the VLAN or VMAN configuration. Example The following example assigns ports 1:1, 1:2, 1:3, and 1:6 to a VMAN named accounting: configure vman accounting add ports 1:1, 1:2, 1:3, 1:6 tag 100 History This command was first available in ExtremeXOS 11.0. The svid keyword was added in ExtremeXOS 12.2. 8 If the secondary VMAN ethertype is selected for the port, it must be set to 0x8100. 5 Subsets of this group are also supported. That is, any two of these items are supported. 6 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 7 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. 5 Subsets of this group are also supported. That is, any two of these items are supported. 6 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 7 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. 5 Subsets of this group are also supported. That is, any two of these items are supported. 6 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 7 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. 5 Subsets of this group are also supported. That is, any two of these items are supported. 6 When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged VLAN are associated with the CNP. 7 A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected VMAN ethertype is 0x8100. Layer 2 Basics 128

The cvid keyword was added in ExtremeXOS 15.3.2. Platform Availability This command is available on all platforms. configure vman delete ports configure vman vman-name delete ports [all port_list] Description Deletes one or more ports from a VMAN. Syntax Description vman_name all port_list Specifies a VMAN name. Specifies all ports in the VMAN. Specifies a list of ports. N/A. Usage Guidelines The VMAN must already exist before you can delete ports. Example The following example deletes ports 1:1, 1:2, 1:3, and 1:6 on a modular switch for a VMAN named accounting: configure vman accounting delete ports 1:1, 1:2, 1:3, 1:6 History This command was first available in ExtremeXOS 11.0. Platform Availability This command is available on all platforms. configure vman ethertype configure vman ethertype value [primary secondary] Layer 2 Basics 129

Description Changes the default ethertype for the VMAN header. Syntax Description value primary secondary Specifies an ethertype value in the format of 0xffff. Assigns the ethertype as the primary Ethernet value. Assigns the ethertype as the secondary Ethernet value. Ethertype value of 0x88a8 and type primary. Usage Guidelines The software supports two VMAN ethertype values: a primary value and a secondary value. By default, the primary ethertype applies to all VMANs. To use the secondary ethertype, define the ethertype with this command, and then assign the secondary ethertype to ports with the following command: configure port port_list ethertype {primary secondary} If your VMAN transits a third-party device (other than an Extreme Networks device), you must configure the ethertype for the VMAN tag as the ethertype that the third-party device uses. If you configure both primary and secondary ethertypes, you can connect to devices that use either of the two values assigned. The system supports all VMAN ethertypes, including the standard ethertype of 0x8100. Example The following command changes the VMAN ethertype value to 8100: configure vman ethertype 0x8100 History This command was first available in ExtremeXOS 11.0. Support for a secondary ethertype was added in ExtremeXOS 12.1. Platform Availability This command is available on all platforms. Layer 2 Basics 130

configure vman ports add cvid configure vman vman_name ports port_list add cvid cvid_first {- cvid_last} {translate cvid_first_xlate {- cvid_last_xlate}} Description Adds one or more CVIDs to a CEP. Syntax Description vman_name port_list cvid_first cvid_last translate cvid_first_xlate cvid_last_xlate Specifies the VMAN to configure. Specifies a list of ports. Specifies a Customer VLAN ID (CVID) or the first in a range of CVIDs that the CEP will accept and map to the specified VMAN. Valid values are 1-4095. Specifies the last in a range of CVIDs that the CEP will accept and map to the VMAN. Valid values are 1-4095. Enables translation of the specified CEP CVID range to the specified VMAN CVID range. Specifies a VMAN CVID or the first in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095. Specifies the last in a range of VMAN CVIDs to which the CEP CVIDs will map. Valid values are 1-4095. The number of VMAN CVIDs in this range must equal the number of CEP CVIDs specified in this command. N/A. Usage Guidelines Before you can add CVIDs to CEPs, you must configure the target physical ports as CEPs using the following command: configure vman vman_name add portsport_list cep cvidcvid_first {- cvid_last} {translatecvid_first_xlate {-cvid_last_xlate}} If you specify only one CVID or a range of CVIDs without translation, the specified CVIDs are mapped to the specified VMAN and appear unchanged in the VMAN. If you specify CVID translation, the CEP CVIDs map to different VMAN CVIDs. The number of CEP CVIDs specified must equal the number of VMAN CVIDs specified. The first CEP CVID in the specified range maps to the first CVID in the range specified for the VMAN. The difference between cvid_first and cvid_first_xlate establishes an offset N that maps CEP CVIDs to VMAN CVIDs. (Offset N = cvid_first_xlate - cvid_first.) The translated VMAN CVID that corresponds to a CEP CVID can be determined as follows: Layer 2 Basics 131

VMAN CVID = CEP CVID + N Note CVID translation can reduce the number of CVIDs that can be mapped to VMANs. When this command specifies multiple ports, each port gets an independent CVID map; the ports do not share a common map. Changes to the CVID map affect only the ports specified in the configuration command. For example, consider the following commands: configure vman vman1 add port 1-2 cep cvid 10 configure vman vman1 port 1 add cvid 11 After these commands are entered, port 1 maps CVIDs 10 and 11 to VMAN vman1, and port 2 maps only CVID 10 to vman1. To view the CEP CVID configuration for a port, use the show vman command. Example The following example adds CVIDs 20-29 to port 1 and VMAN vman1 and enables translation to CVIDs 30-39: configure vman vman1 port 1 add cvid 20-29 translate 30-99 History This command was first available in ExtremeXOS 12.6. Platform Availability This command is available on BlackDiamond X8 series switches, BlackDiamond 8800 series switches and Summit family switches. The CVID translation feature is available only on BlackDiamond X8 series switches, BlackDiamond 8900 c-, xl-, and xm-series modules and Summit X440, X460, X480, X670 and X770 series switches. configure vman ports delete cvid configure vman vman_name ports port_list delete cvid cvid_first {- cvid_last} Description Deletes one or more CVIDs from a CEP. Syntax Description vman_name port_list Specifies the VMAN to configure. Specifies a list of ports. Layer 2 Basics 132

cvid_first cvid_last Specifies a CVID or the first in a range of CVIDs that are to be deleted. Valid values are 1-4095. Specifies the last in a range of CVIDs that are to be deleted. Valid values are 1-4095. N/A. Usage Guidelines Each CEP has its own CVID map, and this command deletes CVIDs only from the ports specified with this command. If all the CVIDs are deleted from a CEP, the CEP is deleted from the VMAN. To view the CEP CVID configuration for a port, use the show vman command. Example The following command deletes CVID 15 on port 1 from VMAN vman1: configure vman vman1 port 1 delete cvid 15 History This command was first available in ExtremeXOS 12.6. Platform Availability This command is available on BlackDiamond X8 series switches, BlackDiamond 8800 series switches and Summit family switches. configure vman protocol configure vman vman_name protocol {filter}filter_name Description Configures a VMAN to use a specific protocol filter. Syntax Description vman_name protocol Specifies a VMAN name. Specifies a protocol filter. Layer 2 Basics 133

filter filter_name Specifies a protocol filter. Specifies a protocol filter name. Usage Guidelines Protocol Filters on BlackDiamond 8800 Series Switches, SummitStack, and the Summit Family Switches Only These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to any and define other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets pass on the any VLAN, and the other protocols pass traffic on their specific protocol-based VLANs. Example The following example configures the protocol filter my_filter to vlan v1: configure vlan v1 protocol my_filter configure vlan v1 protocol filter my_filter History This command was first available in ExtremeXOS 10.1. The filter keyword was added in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. configure vman tag configure vman vman_name tag tag Description Assigns a tag to a VMAN. Syntax Description vman_name Specifies a VMAN name. tag Specifies a value to use as the VMAN tag. The valid range is from 2 to 4094. Layer 2 Basics 134

N/A. Usage Guidelines Every VMAN requires a unique tag. You can specify a value that is currently used as an internal VLAN ID on another VLAN; it becomes the VLAN ID for the VLAN you specify, and a new VLAN ID is automatically assigned to the other untagged VLAN. Example The following example assigns a tag of 120 to a VMAN named "accounting": configure vman accounting tag 120 History This command was first available in ExtremeXOS 11.0. Platform Availability This command is available on all platforms. configure vpls peer l2pt profile configure {l2vpn} vpls vpls_name peer ipaddress l2pt profile [none profile_name] Description Configures L2PT profiles on service interfaces. Syntax Description l2vpn vplsvpls_name peer ipaddress l2pt profile none profile_name Specifies the Layer 2 Virtual Private Network. Specifies Virtual Private LAN Service over MPLS, and the alphanumeric string identifying the VPLS VPN. Specifies the VPLS peer, and the IPv4 address. Specifies Layer 2 protocol tunneling and the L2PT profile for the PW. Specifies that no L2PT profile should be bound to the PW (default). Specifies the L2PT profile to be bound to the PW. Layer 2 Basics 135

Disabled. Usage Guidelines Use this command to configure L2PT profiles on service interfaces. Example The following example unbind the L2PT profile from peer 1.1.1.1 of VPLS cust2: configure l2vpn vpls cust2 peer 1.1.1.1 l2pt profile none The following example binds my_l2pt_prof with peer 1.1.1.1 of VPLS cust1. my_l2pt_prof specifies tunneling actions: configure l2vpn vpls cust1 peer 1.1.1.1 l2pt profile my_l2pt_prof Error: Tunnel action may be applied only to ports. History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. create fdb mac-tracking entry create fdb mac-tracking entry mac_addr Description Adds a MAC address to the MAC address tracking table. Syntax Description mac_addr Specifies a device MAC address, using colon-separated bytes. The MAC address tracking table is empty. Usage Guidelines None. Layer 2 Basics 136

Example The following command adds a MAC address to the MAC address tracking table: create fdb mac-tracking entry 00:E0:2B:12:34:56 History This command was first available in ExtremeXOS 12.3. Platform Availability This command is available on all platforms. create fdbentry vlan ports create fdbentry mac_addr vlan vlan_name [ports port_list {tagged tag} blackhole] Description Creates a permanent static FDB entry. Syntax Description mac_addr vlan_name port_list tagged tag blackhole Specifies a device MAC address, using colon-separated bytes. Specifies a VLAN name associated with a MAC address. Specifies one or more ports or slots and ports associated with the MAC address. Specifies the port-specific VLAN tag. When there are multiple ports specified in port_list, the same tag is used for all of them. Enables the blackhole option. Any packets with either a source MAC address or a destination MAC address matching the FDB entry are dropped. N/A. Usage Guidelines Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. A permanent static entry can either be a unicast or multicast MAC address. After they have been created, permanent static entries stay the same as when they were created. If the same MAC address and VLAN is encountered on another virtual port that is not included in the permanent MAC entry, it is handled as a blackhole entry. The static entry is not updated when any of the following take place: Layer 2 Basics 137

A VLAN identifier (VLANid) is changed. A port is disabled. A port enters blocking state. A port goes down (link down). A permanent static FDB entry is deleted when any of the following take place: A VLAN is deleted. A port mode is changed (tagged/untagged). A port is deleted from a VLAN. Permanent static entries are designated by spm in the flags field of the show fdb output. You can use the show fdb command to display permanent FDB entries. If the static entry is for a PVLAN VLAN that requires more than one underlying entry, the system automatically adds the required entries. For example, if the static entry is for a PVLAN network VLAN, the system automatically adds all required extra entries for the subscriber VLANs. You can create FDB entries to multicast MAC addresses and list one or more ports. If more than one port number is associated with a permanent MAC entry, packets are multicast to the multiple destinations. IGMP snooping rules take precedence over static multicast MAC addresses in the IP multicast range (01:00:5e:xx:xx:xx) unless IGMP snooping is disabled. Note When a multiport list is assigned to a unicast MAC address, load sharing is not supported on the ports in the multiport list. Example The following command adds a permanent, static entry to the FDB for MAC address 00 E0 2B 12 34 56, in VLAN marketing on slot 2, port 4 on a modular switch: create fdbentry 00:E0:2B:12:34:56 vlan marketing port 2:4 The following example creates a multiport unicast FDB entry, in VLAN black, on slot 1, ports 1, 2, and 4, on the BlackDiamond 8800 family of switches: create fdbentry 01:00:00:00:00:01 vlan black port 1:1, 1:2, 1:4 The following example adds a permanent, static entry to the FDB for MAC address 00:01:02:03:04:05, in VLAN marketing, on a VLAN port that has tag 100 on port 3 on a switch: create fdbentry 00:01:02:03:04:05 vlan msk ports 3 tag 100 History This command was first available in ExtremeXOS 10.1. Layer 2 Basics 138

The ability to create a multicast FDB with multiple entry ports was added in ExtremeXOS 11.3. The blackhole option was first available for all platforms in ExtremeXOS 12.1. The ability to create a unicast FDB with multiple entry ports was available for the BlackDiamond 8000 c-, and e-series modules in ExtremeXOS 12.1. This feature is supported on all later platforms when introduced. The tag keyword and example was added in ExtremeXOS 15.4. Platform Availability This command is available on all platforms. create l2pt profile create l2pt profile profile_name Description Creates an L2PT profile. Syntax Description l2pt profile profile_name Creates a Layer 2 protocol tunneling profile. Profile that defines L2PT configuration for L2 protocols. Specifies a profile name (maximum 32 characters). Disabled. Usage Guidelines Use this command to create an L2PT profile. Example The following example create a new L2PT profile named "my_l2pt_prof": create l2pt profile my_l2pt_prof History This command was first available in ExtremeXOS 15.5. Layer 2 Basics 139

Platform Availability This command is available on all platforms. create private-vlan create private-vlan name {vr vr_name} Description Creates a PVLAN framework with the specified name. Syntax Description name vr_name Specifies a name for the new PVLAN. Specifies the VR in which the PVLAN is created. N/A. Usage Guidelines The PVLAN is a framework that links network and subscriber VLANs; it is not an actual VLAN. A private VLAN name must begin with an alphabetical character and may contain alphanumeric characters and underscores ( _ ), but it cannot contain spaces. The maximum allowed length for a name is 32 characters. For private VLAN naming guidelines and a list of reserved names, see Object Names. If no VR is specified, the PVLAN is created in the default VR context. Example The following example creates a PVLAN named "companyx": create private-vlan companyx History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. Layer 2 Basics 140

create protocol create protocol {filter} filter_name Description Creates a user-defined protocol filter. Syntax Description filter filter_name Specifies a protocol filter. Specifies a protocol filter name. The protocol filter name can have a maximum of 31 characters. N/A. Usage Guidelines Protocol-based VLANs enable you to define packet filters that the switch can use as the matching criteria to determine if a particular packet belongs to a particular VLAN. After you create the protocol, you must configure it using the configure protocol command. To assign it to a VLAN, use the configure {vlan} vlan_name protocol {filter}filter_name command. Example The following command creates a protocol named "my_filter", and a protocol filter named "my_other_filter": create protocol my_filter create protocol filter my_other_filter History This command was first available in ExtremeXOS 10.1. The filter keyword was added in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. Layer 2 Basics 141

create vlan create vlan vlan_name {tag tag } {description vlan-description } {vr name } Description Creates a named VLAN. Syntax Description vlan_name Specifies a VLAN name (up to 32 characters). tag Specifies a value to use as an 802.1Q tag. The valid range is from 2 to 4095. vlandescription name Specifies a VLAN description (up to 64 characters) that appears in show vlan commands and can be read from the ifalias MIB object for the VLAN. Specifies a VR or virtual routing and forwarding (VRF) instance in which to create the VLAN. Note User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document.. On switches that do not support user-created VRs, all VLANs are created in VR- and cannot be moved. A VLAN named exists on all new or initialized Extreme switches: It initially contains all ports on a new or initialized switch, except for the management port(s), if there are any. It has an 802.1Q tag of 1. The default VLAN is untagged on all ports. It uses protocol filter any. A VLAN named Mgmt exists on switches that have management modules or management ports: It initially contains the management port(s) the switch. It is assigned the next available internal VLANid as an 802.1Q tag. If you do not specify the VR, the VLAN is created in the current VR. If the VLAN description contains one or more space characters, you must enclose the complete name in double quotation marks. Usage Guidelines A newly-created VLAN has no member ports, is untagged, and uses protocol filter any until you configure it otherwise. Use the various configure vlan commands to configure the VLAN to your needs. Internal VLANids are assigned automatically using the next available VLANid starting from the high end (4094) of the range. Layer 2 Basics 142

The VLAN name can include up to 32 characters. VLAN names must begin with an alphabetical letter, and only alphanumeric, underscore ( _ ), and hyphen (-) characters are allowed in the remainder of the name. VLAN names cannot match reserved keywords. For more information on VLAN name requirements and a list of reserved keywords, see Object Names. Note If you use the same name across categories (for example, STPD and EAPS names), we recommend that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message. VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to that switch. If another switch is connected to it, the VLAN names have no significance to the other switch. You must use mutually exclusive names for: VLANs VMANs Ipv6 tunnels BVLANs SVLANs CVLANs Note The VLAN description is stored in the ifalias MIB object. If you do not specify a VR when you create a VLAN, the system creates that VLAN in the default VR (VR-). The management VLAN is always in the management VR (VR-Mgmt). Once you create VRs, ExtremeXOS allows you to designate one of these as the domain in which all your subsequent configuration commands, including VLAN commands, are applied. If you create VRs, ensure that you are creating the VLANs in the desired virtual-router domain. Note User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document.. On switches that do not support user-created VRs, all VLANs are created in VR- and cannot be moved. Example The following example creates a VLAN named accounting on the current VR: create vlan accounting description "Accounting Dept" History This command was first available in ExtremeXOS 10.1. The vr option was added in ExtremeXOS 11.0. Layer 2 Basics 143

The vlan-description option was added in ExtremeXOS 12.4.4. Platform Availability This command is available on all platforms. create vman create vman vman-name {learning-domain} {vr vr_name} Description Creates a VMAN. Syntax Description vman-name learning-domain vr vr_name Specifies a VMAN name using up to 32 characters. Specifies that this VMAN is a learning domain, which supports inter-vman forwarding. Specifies a virtual router. Specifies a virtual router name. Note User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document.. On switches that do not support user-created VRs, all VLANs are created in VR- and cannot be moved. N/A. Usage Guidelines For information on VMAN name requirements and a list of reserved keywords, see Object Names. You must use mutually exclusive names for: VLANs VMANs IPv6 tunnels The keyword learning-domain enables you to create a VMAN that serves as a learning domain for inter- VMAN forwarding. If you do not specify the virtual router, the VMAN is created in the current virtual router. After you create the VMAN, you must configure the VMAN tag and add the ports that you want. Layer 2 Basics 144

Example The following example creates a VMAN named "fred": create vman fred History This command was first available in ExtremeXOS 11.0. Platform Availability This command is available on all platforms. delete fdb mac-tracking entry delete fdb mac-tracking entry [mac_addr all] Description Deletes a MAC address from the MAC address tracking table. Syntax Description mac_addr all Specifies a device MAC address, using colon-separated bytes. Specifies that all MAC addresses are to be deleted from the MAC address tracking table. The MAC address tracking table is empty. Usage Guidelines None. Example The following example deletes a MAC address from the MAC address tracking table: delete fdb mac-tracking entry 00:E0:2B:12:34:56 History This command was first available in ExtremeXOS 12.3. Layer 2 Basics 145

Platform Availability This command is available on all platforms. delete fdbentry delete fdbentry [all mac_address [vlan vlan_name ] Description Deletes one or all permanent FDB entries. Syntax Description all mac_address vlan_name Specifies all FDB entries. Specifies a device MAC address, using colon-separated bytes. Specifies the specific VLAN name. N/A. Usage Guidelines None. Example The following example deletes a permanent entry from the FDB: delete fdbentry 00:E0:2B:12:34:56 vlan marketing The following example deletes all permanent entries from the FDB: delete fdbentry all History This command was first available in ExtremeXOS 11.0. Platform Availability This command is available on all platforms. delete l2pt profile delete l2pt profile profile_name Layer 2 Basics 146

Description Deletes an L2PT profile. Syntax Description l2pt profile profile_name Deletes a Layer 2 protocol tunneling profile. Profile that defines L2PT configuration for L2 protocols. Specifies a profile name (maximum 32 characters). Disabled. Usage Guidelines Use this command to delete an L2PT profile. Example The following example deletes my_l2pt_prof that is currently in use by a service: delete l2pt profile my_l2pt_prof The following example deletes my_l2pt_prof that is not associated with any service: delete l2pt profile my_l2pt_prof History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. delete private-vlan delete private-vlan name Description Deletes the PVLAN framework with the specified name. Layer 2 Basics 147

Syntax Description name Specifies the name of the PVLAN to be deleted. N/A. Usage Guidelines The PVLAN is a framework that links network and subscriber VLANs; it is not an actual VLAN. This command deletes the PVLAN framework, but it does not delete the associated VLANs. If the ports in the network VLAN were set to translate, they are changed to tagged. Example The following example deletes the PVLAN named "companyx": delete private-vlan companyx History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. delete protocol delete protocol {filter}filter_name Description Deletes a user-defined protocol. Syntax Description filter filter_name Deletes a protocol filter. Specifies a protocol filter name to delete. Layer 2 Basics 148

N/A. Usage Guidelines If you delete a protocol that is in use by a VLAN, the protocol associated with than VLAN becomes none. Example The following command deletes a protocol named "my_filter" and a protocol filter named "my_other_filter": delete protocol my_filter delete protocol filter my_other_filter History This command was first available in ExtremeXOS 10.1. The filter keyword was added in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. delete vlan delete vlan vlan_name Description Deletes a VLAN. Syntax Description vlan_name Specifies a VLAN name. N/A. Layer 2 Basics 149

Usage Guidelines If you delete a VLAN that has untagged port members and you want those ports to be returned to the default VLAN, you must add them back explicitly using the configure svlan delete ports command. Note The default VLAN cannot be deleted. Before deleting an ISC VLAN, you must delete the MLAG peer. Example The following command deletes the VLAN accounting: delete accounting History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. delete vman delete vman vman-name Description Deletes a previously created VMAN. Syntax Description vman-name Specifies a VMAN name. N/A. Usage Guidelines None. Layer 2 Basics 150

Example The following command deletes the VMAN accounting: delete vman accounting History This command was first available in ExtremeXOS 11.0. Platform Availability This command is available on all platforms. disable dot1p examination inner-tag ports disable dot1p examination inner-tag ports [all port_list] Description Used with VMANs, and instructs the switch to examine the 802.1p value of the outer tag, or added VMAN header, to determine the correct egress queue on the egress port. Syntax Description all port_list Specifies all ports. Specifies a list of ports or slots and ports. Disabled. Usage Guidelines Use this command to instruct the system to refer to the 802.1p value contained in the outer tag, or VMAN encapsulation tag, when assigning the packet to an egress queue at the egress port of the VMAN. Note See QoS Commands for information on configuring and displaying the current 802.1p and DiffServ configuration for the inner, or original header, 802.1p value. Layer 2 Basics 151

Example The following example uses the 802.1p value on the outer tag, or VMAN encapsulation, to put the packet in the egress queue on the VMAN egress port: disable dot1p examination inner-tag port 3:2 History This command was first available in ExtremeXOS 11.2. Platform Availability This command is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and Summit family switches. disable fdb static-mac-move disable fdb static-mac-move Description Disables EMS and SNMP reporting of discovered MAC addresses that are duplicates of statically configured MAC addresses. Syntax Description This command has no arguments or variables. Disabled. Usage Guidelines None. Example The following example disables this feature: disable fdb static-mac-move History This command was first available in ExtremeXOS 12.7. Layer 2 Basics 152

Platform Availability This command is available on Summit family switches. disable flooding ports With the BlackDiamond 8800 series switch, SummitStack, and the Summit family of switches, you can further identify the type of packets for which to block flooding. disable flooding [all_cast broadcast multicast unicast] ports [port_list all] Description Disables Layer 2 egress flooding on one or more ports. Syntax Description all_cast broadcast multicast unicast port_list all Specifies disabling egress flooding for all packets on specified ports. Specifies disabling egress flooding only for broadcast packets. Specifies disabling egress flooding only for multicast packets. Specifies disabling egress flooding only for unknown unicast packets. Specifies one or more ports or slots and ports. Specifies all ports on the switch. Enabled for all packet types. Usage Guidelines Note If an application requests specific packets on a specific port, those packets are not affected by the disable flooding ports command. You might want to disable egress flooding to do the following: enhance security enhance privacy improve network performance This is particularly useful when you are working on an edge device in the network. The practice of limiting flooded egress packets to selected interfaces is also known as upstream forwarding. Note If you disable egress flooding with static MAC addresses, this can affect many protocols, such as IP and ARP. Layer 2 Basics 153

The following guidelines apply to enabling and disabling egress flooding: Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets are not flooded. Egress flooding can be disabled on ports that are in a load-sharing group. In a load-sharing group, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port. On all platforms FDB learning takes place on ingress ports and is independent of egress flooding; either can be enabled or disabled independently. Disabling unicast or all egress flooding to a port also stops packets with unknown MAC addresses to be flooded to that port. Disabling broadcast or all egress flooding to a port also stops broadcast packets to be flooded to that port. BlackDiamond X8 Series switches, BlackDiamond 8800 family of switches, SummitStack, and the Summit switch only You can disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on the ports of the BlackDiamond 8800 family of switches, SummitStack, and the Summit switch. The default behavior for the BlackDiamond 8800 family of switches, SummitStack, and the Summit is enabled egress flooding for all packet types. Example The following example disables unicast flooding on ports 10-12 on a Summit series switch: disable flooding unicast port 10-27 History This command was first available in ExtremeXOS 11.2. Platform Availability This command is available on BlackDiamond X8 and 8800 series switches, SummitStack, and Summit family switches. disable learning iparp sender-mac disable learning iparp {vr vr_name} sender-mac Description Disables MAC address learning from the payload of IP ARP packets. Layer 2 Basics 154

Syntax Description vr_name Specifies a virtual router. Disabled. Usage Guidelines To view the configuration for this feature, use the following command: show iparp Example The following example disables MAC address learning from the payload of IP ARP packets: disable learning iparp sender-mac History This command was first available in ExtremeXOS 12.4. Platform Availability This command is available on all Summit family switches, SummitStack, and BlackDiamond 8800 series switches. disable learning port disable learning {drop-packets forward-packets} port [port_list all] Description Disables MAC address learning on one or more ports for security purposes. Syntax Description port port_list all drop-packets forward-packets Specifies the port. Specifies one or more ports or slots and ports. Specifies all slots and ports. Specifies that packets with unknown source MAC addresses be dropped. If you do not specify the forward-packets option, this option is used. Specifies that packets with unknown source MAC addresses be forwarded. Layer 2 Basics 155

Enabled. Usage Guidelines Use this command in a secure environment where access is granted via permanent forwarding database (FDB) entries per port. Example The following example disables MAC address learning on port 4:3: disable learning ports 4:3 History This command was first available in ExtremeXOS 10.1. The drop packets and forward packets options were added in ExtremeXOS 12.1. Platform Availability This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and 8800 series switches. disable loopback-mode vlan disable loopback-mode vlan vlan_name Description Disallows a VLAN to be placed in the UP state without an external active port. This allows (disallows) the VLANs routing interface to become active. Syntax Description vlan_name Specifies a VLAN name. N/A. Usage Guidelines Use this command to specify a stable interface as a source interface for routing protocols. This decreases the possibility of route flapping, which can disrupt connectivity. Layer 2 Basics 156

Example The following example disallows the VLAN accounting to be placed in the UP state without an external active port: disable loopback-mode vlan accounting History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. disable snmp traps fdb mac-tracking disable snmp traps fdb mac-tracking Description Disables SNMP trap generation when MAC-tracking events occur for a tracked MAC address. Syntax Description This command has no arguments or variables. Disabled. Usage Guidelines None. Example The following example disables SNMP traps for MAC-tracking events: disable snmp traps fdb mac-tracking History This command was first available in ExtremeXOS 12.3. Layer 2 Basics 157

Platform Availability This command is available on all platforms. disable vlan disable vlan vlan_name Description Use this command to disable the specified VLAN. Syntax Description vlan_name Specifies the VLAN you want to disable. Enabled. Usage Guidelines This command allows you to administratively disable specified VLANs. The following guidelines apply to working with disabling VLANs: Disabling a VLAN stops all traffic on all ports associated with the specified VLAN. You cannot disable a VLAN that is running Layer 2 protocol control traffic for protocols such as EAPS, STP, or ESRP. When you attempt to disable a VLAN running Layer 2 protocol control traffic, the system returns a message similar to the following: VLAN accounting cannot be disabled because it is actively used by an L2 Protocol You can disable the default VLAN; ensure that this is necessary prior to disabling the default VLAN. You cannot disable the management VLAN. You cannot bind Layer 2 protocols to a disabled VLAN. You can add ports to or delete ports from a disabled VLAN. Example The following example disables the VLAN named "accounting": disable vlan accounting History This command was first available in ExtremeXOS 11.4. Layer 2 Basics 158

The ability to add ports to a disabled VLAN was added in ExtremeXOS 12.5. Platform Availability This command is available on all platforms. disable vman cep egress filtering ports disable vman cep egress filtering ports {port_list all} Description Disables the egress filtering of CVIDs that are not configured in the CVID map for a CEP. Syntax Description port_list all Specifies a list of ports. Specifies all switch ports. Egress CVID filtering is disabled. Usage Guidelines To view the configuration setting for the egress CVID filtering feature, use the show ports information command. Note When CVID egress filtering is enabled, it reduces the maximum number of CVIDs supported on a port. The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded through software, CVID egress filtering is always enabled. Example The following example disables egress CVID filtering on port 1: disable vman cep egress filtering port 1 History This command was first available in ExtremeXOS 12.6. Layer 2 Basics 159

Platform Availability This command is available on the BlackDiamond X8, BlackDiamond 8900 c-, xl-, and xm-series modules. This command is also available on Summit X440, X460, X480, X670 and X770 series switches. enable dot1p examination inner-tag port enable dot1p examination inner-tag port [all port_list] Description Used with VMANs, and instructs the switch to examine the 802.1p value of the inner tag, or header of the original packet, to determine the correct egress queue on the egress port. Syntax Description all port_list Specifies all ports. Specifies a list of ports or slots and ports. Disabled. Usage Guidelines Use this command to instruct the system to refer to the 802.1p value contained in the inner, or original, tag when assigning the packet to an egress queue at the egress port of the VMAN. Note See QoS Commands for information on configuring and displaying the current 802.1p and DiffServ configuration for the inner, or original header, 802.1p value. Example The following example puts the packets in the egress queue of the VMAN egress port according to the 802.1p value on the inner tag: enable dot1p examination inner-tag port 3:2 History This command was first available in ExtremeXOS 11.2. Layer 2 Basics 160

Platform Availability This command is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches. enable fdb static-mac-move enable fdb static-mac-move Description Enables EMS and SNMP reporting of discovered MAC addresses that are duplicates of statically configured MAC addresses. Syntax Description This command has no arguments or variables. Disabled. Usage Guidelines This command enables reporting only. All packets that arrive from a duplicate MAC address on another port (other than the statically configured port) are dropped. The switch reports the source MAC address, port, and VLAN for each duplicate MAC address. Example The following command enables this feature: enable fdb static-mac-move History This command was first available in ExtremeXOS 12.7. Platform Availability This command is available on Summit family switches. enable flooding ports enable flooding [all_cast broadcast multicast unicast] ports [port_list all] Layer 2 Basics 161

Description Enables egress flooding on one or more ports. With the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches, you can further identify the type of packets to flood on the specified ports. Syntax Description all_cast broadcast Specifies enabling egress flooding for all packets on specified ports. Specifies enabling egress flooding only for broadcast packets. Note This parameter is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches. multicast Specifies enabling egress flooding only for multicast packets. Note This parameter is available only on the BlackDiamond X8, BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches. unicast port_list all Specifies enabling egress flooding only for unknown unicast packets. Specifies one or more ports or slots and ports. Specifies all ports on the switch. Enabled for all packet types. Usage Guidelines Use this command to re-enable egress flooding that you previously disabled using the disable flooding ports command. The following guidelines apply to enabling and disabling egress flooding: Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets are not flooded. Egress flooding can be disabled on ports that are in a load-sharing group. If that is the situation, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port. FDB learning is independent of egress flooding. FDB learning and egress flooding can be enabled or disabled independently. Disabling unicast or all egress flooding to a port also stops packets with unknown MAC addresses to be flooded to that port. Disabling broadcast or all egress flooding to a port also stops broadcast packets to be flooded to that port. Layer 2 Basics 162

BlackDiamond X8, 8800 series switches, SummitStack, and the Summit family of switches only You can disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on the ports of the BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches. The default behavior for the BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches is enabled egress flooding for all packet types. Example The following command enables unicast flooding on ports 13-17 on a Summit series switch: enable flooding unicast port 13-17 History This command was first available in ExtremeXOS 11.2. Platform Availability This command is available on BlackDiamond X8 and BlackDiamond 8800 series switches, SummitStack, and Summit family switches. enable learning iparp sender-mac enable learning iparp {request reply both-request-and-reply} {vr vr_name} sender-mac Description Enables MAC address learning from the payload of IP ARP packets. Syntax Description request reply both-request-and-reply vr_name Enables learning only for IP ARP request packets. Enables learning only for IP ARP reply packets. Enables learning for both request and reply packets. Specifies a virtual router. Disabled. Usage Guidelines To view the configuration for this feature, use the following command: show iparp Layer 2 Basics 163

Example The following command enables MAC address learning from the payload of reply IP ARP packets: enable learning iparp reply sender-mac History This command was first available in ExtremeXOS 12.4. Platform Availability This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and BlackDiamond 8800 series switches. enable learning port enable learning {drop-packets} ports [all port_list] Description Enables MAC address learning on one or more ports. Syntax Description drop-packets all port_list Forwards EDP packets, and drops all unicast, multicast, and broadcast packets from a source address not in the FDB. No further processing occurs for dropped packets. Specifies all ports. Specifies one or more ports or slots and ports. Enabled. Usage Guidelines Use this command to enable MAC address learning on one or more ports. Example The following example enables MAC address learning on slot 1, ports 7 and 8 on a modular switch: enable learning ports 1:7-8 Layer 2 Basics 164

History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and BlackDiamond 8800 series switches. enable loopback-mode vlan enable loopback-mode vlan vlan_name Description Allows a VLAN to be placed in the UP state without an external active port. This allows (disallows) the VLANs routing interface to become active. Syntax Description vlan_name Specifies a VLAN name. N/A. Usage Guidelines Use this command to specify a stable interface as a source interface for routing protocols. This decreases the possibility of route flapping, which can disrupt connectivity. Example The following example allows the VLAN "accounting" to be placed in the UP state without an external active port: enable loopback-mode vlan accounting History This command was first available in ExtremeXOS 10.1. Platform Availability This command is available on all platforms. Layer 2 Basics 165

enable snmp traps fdb mac-tracking enable snmp traps fdb mac-tracking Description Enables SNMP trap generation when MAC-tracking events occur for a tracked MAC address. Syntax Description This command has no arguments or variables. Disabled. Usage Guidelines None. Example The following example enables SNMP traps for MAC-tracking events: enable snmp traps fdb mac-tracking History This command was first available in ExtremeXOS 12.3. Platform Availability This command is available on all platforms. enable vlan enable vlan vlan_name Description Use this command to re-enable a VLAN that you previously disabled. Syntax Description vlan_name Specifies the VLAN you want to disable. Layer 2 Basics 166

Enabled. Usage Guidelines This command allows you to administratively enable specified VLANs that you previously disabled. Example The following example enables the VLAN named "accounting": enable vlan accounting History This command was first available in ExtremeXOS 11.4. Platform Availability This command is available on all platforms. enable vman cep egress filtering ports enable vman cep egress filtering ports {port_list all} Description Enables the egress filtering of frames based on their CVIDs on ports configured as CEPs. Syntax Description port_list all Specifies a list of ports. Specifies all switch ports. Egress CVID filtering is disabled. Usage Guidelines For a given VMAN and a port configured as a CEP for that VMAN, only frames with CVIDs that have been mapped from the CEP to the VMAN are forwarded from the VMAN and out the CEP. Layer 2 Basics 167

To view the configuration setting for the egress CVID filtering feature, use the show ports information command. Note CVID egress filtering is available only on switches that support this feature, and when this feature is enabled, it reduces the maximum number of CVIDs supported on a port. The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded through software, CVID egress filtering is always enabled. Example The following command enables egress CVID filtering on port 1: enable vman cep egress filtering port 1 History This command was first available in ExtremeXOS 12.6. Platform Availability This command is available on the BlackDiamond X8 series switches and the BlackDiamond 8900 c-, xl-, and xm-series modules. This command is also available on Summit X440, X460, X480, X670 and X770 series switches. show fdb mac-tracking configuration show fdb mac-tracking configuration Description Displays configuration information for the MAC address tracking feature. Syntax Description This command has no arguments or variables. The MAC address tracking table is empty. Usage Guidelines None. Layer 2 Basics 168

Example The following exmaple displays the contents of the MAC address tracking table: # show fdb mac-tracking configuration MAC-Tracking enabled ports: 1-3,10,20 SNMP trap notification : Enabled MAC address tracking table (4 entries): 00:30:48:72:ee:88 00:21:9b:0e:ca:32 00:12:48:82:9c:56 00:30:48:84:d4:16 History This command was first available in ExtremeXOS 12.3. Platform Availability This command is available on all platforms. show fdb mac-tracking statistics show fdb mac-tracking statistics {mac_addr} {no-refresh} Description Displays statistics for the MAC addresses that are being tracked. Syntax Description mac_addr no-refresh Specifies a MAC address, using colon-separated bytes, for which FDB entries should be displayed. Specifies a static snapshot of data instead of the default dynamic display. N/A. Usage Guidelines Use the keys listed below the display to clear the statistics counters or page up or down through the table entries. Layer 2 Basics 169

Example The following example displays statistics for the entries in the MAC address tracking table: # show fdb mac-tracking statistics MAC Tracking Statistics Fri Mar 20 15:25:01 2009 Add Move Delete MAC Address events events events ===================================================== 00:00:00:00:00:01 0 0 0 00:00:00:00:00:02 0 0 0 00:00:00:00:00:03 0 0 0 00:00:00:00:00:04 0 0 0 00:00:00:00:00:05 0 0 0 00:00:00:00:00:06 0 0 0 00:00:00:00:00:07 0 0 0 00:00:00:00:00:08 0 0 0 00:00:00:00:00:09 0 0 0 00:00:00:00:00:10 0 0 0 00:00:00:00:00:11 0 0 0 00:00:00:00:00:12 0 0 0 00:00:00:00:00:13 0 0 0 00:00:00:00:00:14 0 0 0 00:00:00:00:00:15 0 0 0 00:00:00:00:00:16 0 0 0 00:00:00:00:00:17 0 0 0 00:00:00:00:00:18 0 0 0 ===================================================== 0->Clear Counters U->page up D->page down ESC->exit History This command was first available in ExtremeXOS 12.3. Platform Availability This command is available on all platforms. show fdb static-mac-move configuration show fdb static-mac-move configuration Description Displays the configuration for the feature that reports the discovery of MAC addresses that are duplicates of statically configured MAC addresses. Syntax Description This command has no arguments or variables. Layer 2 Basics 170

N/A. Usage Guidelines None. Example The following example shows the command display: # show fdb static-mac-movement configuration Static MAC Movement Notification: Enabled MAC learning Packets Count : 5 History This command was first available in ExtremeXOS 12.7. Platform Availability This command is available on Summit family switches. show fdb stats show fdb stats {{ports {all port_list} vlan {all} {vlan} vlan_name } {norefresh}} Description Displays FDB entry statistics for the specified ports or VLANs in either a dynamic or a static report. Syntax Description all port_list vlan_name no-refresh Requests statistics for all ports or all VLANs. Specifies which ports are to be included in the statistics display. Specifies a single VLAN to be included in the statistics display. Specifies a static display, which is not automatically updated. Summary FDB statistics for the switch. Layer 2 Basics 171

Usage Guidelines The dynamic display remains visible and continues to update until you press [Esc]. The show fdb stats command output displays the following information: Port Link State VLAN MAC Addresses Dynamic Static Dropped When you chose to display statistics for ports, this column displays port numbers. When you chose to display statistics for ports, this column displays the link states, which are described at the bottom of the display. When you chose to display statistics for VLANs, this column displays VLAN names. This column displays the total number of MAC addresses for each port or VLAN. This column displays the total number of MAC addresses that were learned dynamically for each port or VLAN. This column displays the total number of MAC addresses that are configured on this switch for each port or VLAN. This column displays the total number of dynamic MAC addresses that were discovered, but not stored in the FDB. Discovered MAC addresses might be dropped because a configured learning limit is reached, the FDB is in lockdown, or a port forwarding state is in transition. Some conditions that lead to dropped MAC addresses can produce log messages or SNMP traps. Example The following command example displays summary FDB statistics for the switch: torino1.1 # show fdb stats Total: 4 Static: 3 Perm: 3 Dyn: 1 Dropped: 0 FDB Aging time: 300 FDB VPLS Aging time: 300 torino1.2 # The following command example displays FDB statistics for ports 1 to 16 on slot 1: # show fdb stats ports 1:1-1:16 FDB Stats Mon Mar 15 15:30:49 2010 Port Link MAC State Addresses Dynamic Static Dropped ======================================================================= 1:1 A 2394 2389 5 2 1:2 A 37 37 0 0 1:3 A 122 121 1 452 1:4 R 0 0 0 0 1:5 R 0 0 0 0 1:6 A 43 43 0 0 1:7 A 118 118 0 0 1:8 R 0 0 0 0 1:9 R 0 0 0 0 1:10 A 8 8 0 0 1:11 A 2998 2990 8 1 1:12 A 486 486 0 0 Layer 2 Basics 172

1:13 R 0 0 0 0 1:14 A 42 42 0 0 1:15 A 795 795 0 0 1:16 A 23 23 0 2 ======================================================================= Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback U->page up D->page down ESC->exit The following command example displays FDB statistics for all VLANs: # show fdb stats vlan all FDB Stats Mon Mar 15 15:30:49 2010 VLAN MAC Addresses Dynamic Static Dropped ============================================================================= SV_PPPOE 2394 2389 5 2 NV_PPPOE 122 121 1 452 ============================================================================= U->page up D->page down ESC->exit History The dynamic display for this command was first available in ExtremeXOS 12.4.2. Platform Availability This command is available on all platforms. show fdb show fdb {blackhole {netlogin [all mac-based-vlans]} netlogin [all macbased-vlans] permanent {netlogin [all mac-based-vlans]} mac_addr {netlogin [all mac-based-vlans]} ports port_list {netlogin [all mac-based-vlans]} vlan vlan_name {netlogin [all mac-based-vlans]} {{vpls} {vpls_name}}} Description Displays FDB entries. Syntax Description blackhole slot Displays the blackhole entries. (All packets addressed to these entries are dropped.) Specifies a slot in the switch. num_entries Specifies the maximum number of hardware entries to display. The range is 1 to 25. netlogin all Displays all FDBs created as a result of the netlogin process. Layer 2 Basics 173

netlogin mac-based-vlans Displays all netlogin MAC-based VLAN FDB entries. Note This parameter is supported only for Summit family switches, SummitStack, and the BlackDiamond 8800 series switches. See Network Login Commands for more information on netlogin. permanent mac_addr port_list vlan_name vpls_name Displays all permanent entries, including the ingress and egress QoS profiles. Specifies a MAC address, using colon-separated bytes, for which FDB entries should be displayed. Displays the entries for one or more ports or ports and slots. Displays the entries for a specific VLAN. Specifies a specific VPLS for which to display entries. All. Usage Guidelines The pulling of MAC addresses for display purposes is given a lower priority to the actual data path learning. Eventually all the MAC addresses are learned in a quiescent system. The show fdb command output displays the following information: Mac Vlan Age The MAC address that defines the entry. The PVLAN or VLAN for the entry. The age of the entry, in seconds (does not appear if the keyword permanent is specified). The age parameter does not display for the backup MSM/MM on modular switches.on BlackDiamond 8900 xl-series and Summit X480 switches, the Age is always 000 and the h flag is set for entries that are hardware aged. Layer 2 Basics 174

Flags Port List Flags that define the type of entry: b - Ingress Blackhole B - Egress Blackhole D - Drop entry for an isolated subscriber VLAN d - Dynamic h - Aged in hardware (Applies to BlackDiamond 8900 xl-series and Summit X480 switches) i - an entry also exists in the IP FDB l - lockdown MAC L - lockdown-timeout MAC m - MAC M - Mirror n - NetLogin o - IEEE 802.1ah backbone MAC P - PVLAN created entry p - Permanent s - Static v - NetLogin MAC-Based VLAN (only supported on the Summit switch, SummitStack, and the BlackDiamond 8800 family of switches) x - an entry also exists in the IPX FDBs. The ports on which the MAC address has been learned. Example The following example shows how the FDB entries appear for all options except the hardware option: # show fdb Mac Vlan Age Flags Port / Virtual Port List ----------------------------------------------------------------------------- 00:0c:29:4b:34:cf v101(0101) 0041 d m D 1:2 00:0c:29:4b:34:cf v100(0100) 0041 d m P 1:2 00:0c:29:d2:2d:48 v102(0102) 0045 d m 1:3 00:0c:29:d2:2d:48 v100(0100) 0045 d m P 1:3 00:0c:29:f1:f2:f5 v100(0100) 0045 d m 1:1 00:0c:29:f1:f2:f5 v102(0102) 0045 d m P 1:1 00:0c:29:f1:f2:f5 v101(0101) 0045 d m P 1:1 Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC. Total: 3 Static: 0 Perm: 0 Dyn: 3 Dropped: 0 Locked: 0 Locked with Timeout: 0 FDB Aging time: 300 FDB VPLS Aging time: 300 The following example output shows where the port tag is displayed in parentheses: # show fdb Mac Vlan Age Flags Port / Virtual Port List Layer 2 Basics 175

----------------------------------------------------------------------------- 00:00:00:00:04:0a test(0200) 0057 d m 3(0010) 00:00:00:00:04:0b test(0200) 0300 d m 3(0011) 00:01:02:03:04:05 test(0200) 0000 spm 3(0010) Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T VLAN translation, D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC. Total: 3 Static: 0 Perm: 0 Dyn: 3 Dropped: 0 Locked: 0 Locked with Timeout: 0 FDB Aging time: 300 FDB VPLS Aging time: 300 History This command was first available in ExtremeXOS 10.1. The stats and netlogin parameters were first available in ExtremeXOS 11.3. The blackhole output under the b and B flags was first available for all platforms in ExtremeXOS 12.1. The o flag was first available in ExtremeXOS 12.4. Platform Availability This command is available on all platforms. show l2pt profile show l2pt profile profile_name Description Displays the contents of an L2PT profile. Syntax Description profile profile_name Displays profile that defines L2PT configuration for L2 protocols. Displays only the specified profile. Disabled. Layer 2 Basics 176

Usage Guidelines Use this command to display the contents of an L2PT profile. Example The following is an example of the command's output: # show l2pt profile Profile Name Protocol Filter Name Action CoS ----------------------------- -------------------------------- ------ --- my_l2pt_access_prof my_list tunnel 1 my_other_list tunnel 7 my_l2pt_network_prof mylist encap my_other_list encap my_none_list none # show l2pt profile my_l2pt_access_prof Profile Name Protocol Filter Name Action CoS ----------------------------- -------------------------------- ------ --- my_l2pt_access_prof my_list tunnel 1 my_other_list tunnel 7 History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. show l2pt show l2pt Description Displays the global parameters for L2PT. Syntax Description l2pt Displays global Layer 2 protocol tunneling parameters. Disabled. Layer 2 Basics 177

Usage Guidelines Use this command to display the global parameters for L2PT. Example The following is an example of the command's output: # show l2pt Encapsulation Destination MAC Address: 01:00:00:01:01:02 History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. show ports protocol filter show ports [port_list all] protocol filter {detail} Description Displays the protocol filtering configuration and status. Syntax Description port_list Displays port list, separated by a comma (, )or dash ( - ). all detail Displays all ports. Displays detailed configuration and status. Displays all protocol filters. Usage Guidelines Use this command to display the protocol filtering configuration and status. Example The following example displays the filtering configuration and status for ports 1-4: # show ports 1-4 protocol filter Port Protocol Destination Protocol Id Field Field Field Packets Layer 2 Basics 178

# Filter Name Address Type Value Offset Value Mask Filtered ---- ----------- ----------------- ----- ------ ------ ------ ----- ---------- 1 my_list 01:80:C2:00:00:02 etype 0x8902 14 03:04 FF:FF 2300 01:80:C2:00:00:00 snap 0x4041 5000 01:80:C2:00:00:00 snap 0x4041 16 01:02> FF:FF> 5000 2 lacp 01:80:C2:00:00:02 etype 0x8902 14 01 FF 3200 3 (none) 4 (none) > indicates that the value was truncated to the column size in the output.use the detail option to see the complete value. The following example displays output for the show ports protocol filter detail command: show ports 1-4 protocol filter detail Port 1 Protocol Filter Name: my_list Destination Address : 01:80:C2:00:00:02 Protocol Id Type : etype Protocol Id Value : 0x8902 Field Offset : 14 Field Value : 03:04 Field Mask : FF:FF Packets Filtered : 2300 Destination Address : 01:80:C2:00:00:00 Protocol Id Type : snap Protocol Id Value : 0x4041 Field Offset : 16 Field Value : 01:02:03:04 Field Mask : FF:FF:FF:FF Packets Filtered : 5000 Destination Address : 01:80:C2:00:00:00 Protocol Id Type : snap Protocol Id Value : 0x4041 Field Offset : Field Value : Field Mask : Packets Filtered : 5000 Port 2 Port 3 Protocol Filter Name: lacp Destination Address : 01:80:C2:00:00:02 Protocol Id Type : etype Protocol Id Value : 0x8902 Field Offset : 14 Field Value : 01 Field Mask : FF Packets Filtered : 3200 Protocol Filter Name: (none) Port 4 Protocol Filter Name: (none) Layer 2 Basics 179

History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. show private-vlan <name> show {private-vlan} name Description Displays information about the specified PVLAN. Syntax Description name Specifies the name of the PVLAN to display. N/A. Usage Guidelines If the PVLAN is incomplete because it does not have a network or any subscriber VLAN configured, [INCOMPLETE] appears next to the PVLAN name. Example The following example output displays information for the companyx PVLAN: * (debug) BD-8808.1 # show private-vlan "Engineering" ------------------------------------------------------------------------------ -------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ------------------------------------------------------------------------------ -------- Engineering Network VLAN: -Engr1 10 -------------------------------------- ANY 4 /5 VR- Non-Isolated Subscriber VLAN: -ni1 400 -------------------------------------- ANY 1 /1 VR- -ni2 401 ------------------------------------- ANY 1 /1 VR- Layer 2 Basics 180

Isolated Subscriber VLAN: -i1 500 ------------------------------------- ANY 1 /1 VR- ------------------------------------------------------------------------------ -------- Flags : (C) EAPS Control vlan, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled, (i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled, (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled, (N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled, (P) EAPS protected vlan, (r) RIP Enabled, (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. show private-vlan show private-vlan Description Displays information about all the PVLANs on the switch. Syntax Description This command has no arguments or variables. N/A. Usage Guidelines If the PVLAN is incomplete because it does not have a network or any subscriber VLAN configured, [INCOMPLETE] appears next to the PVLAN name. Example The following example output displays all the PVLANs on the switch: * (debug) BD-8808.1 # show private-vlan ------------------------------------------------------------------------------ Layer 2 Basics 181

-------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ------------------------------------------------------------------------------ -------- Engineering Network VLAN: -Engr1 10 -------------------------------------- ANY 4 /5 VR- Non-Isolated Subscriber VLAN: -ni1 400 -------------------------------------- ANY 1 /1 VR- -ni2 401 ------------------------------------- ANY 1 /1 VR- Isolated Subscriber VLAN: -i1 500 ------------------------------------- ANY 1 /1 VR- Ops Network VLAN: -Ops 20 ------------------------------------- ANY 2 /2 VR- Non-Isolated Subscriber VLAN: -OpsNi1 901 ------------------------------------- ANY 1 /1 VR- -OpsNi2 902 ------------------------------------- ANY 1 /1 VR- -OpsNi3 903 ------------------------------------- ANY 1 /1 VR- -OpsNi4 904 ------------------------------------- ANY 1 /1 VR- Isolated Subscriber VLAN: -OpsI0 600 ------------------------------------- ANY 1 /1 VR- -OpsI1 601 ------------------------------------- ANY 1 /1 VR- -OpsI2 602 ------------------------------------- ANY 1 /1 VR- -OpsI3 603 ------------------------------------- ANY 1 /1 VR- -OpsI4 604 ------------------------------------- ANY 1 /1 VR- Sales [INCOMPLETE] Network VLAN: -NONE Non-Isolated Subscriber VLAN: -SalesNi1 701 ------------------------------------- ANY 1 /1 VR- -SalesNi2 702 ------------------------------------- ANY 1 /1 VR- Isolated Subscriber VLAN: -SalesI0 800 ------------------------------------- ANY 1 /1 VR- ------------------------------------------------------------------------------ -------- Flags : (C) EAPS Control vlan, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled, Layer 2 Basics 182

(i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled, (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled, (N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled, (P) EAPS protected vlan, (r) RIP Enabled, (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled Total number of PVLAN(s) : 3 History This command was first available in ExtremeXOS 12.1. Platform Availability This command is available on all platforms that support the Private VLAN feature. For features and the platforms that support them, see the Feature License Requirements document. show protocol show protocol {filter} {filter_ name} {detail} Description Displays protocol filter definitions and the complete protocol configuration. Syntax Description filter name detail Displays a protocol filter. Displays a protocol filter name. Displays protocol information in detail. Displays all protocol filters. Usage Guidelines Displays the defined protocol filter(s) with the types and values of its component protocols. Example The following is an example of the command's output: # show protocol Protocol Filter Name Protocol Id Destination Field Field Field Type Value Address Offset Value Mask -------------------- -------- ------ ----------- ------- ------ Layer 2 Basics 183

------- IP etype 0x0800 etype 0x0806 ANY ANY 0xffff ipx etype 0x8137 IPv6 etype 0x86dd lacp etype 0x8809 01:80:C2:00:00:02> 14 01 FF mpls etype 0x8847 appletalk snap 0x809b snap 0x80f3 > indicates that the value was truncated to the column size in the output. Use the detail option to see the complete value. The following example displays the show protocol detail command: show protocol detail Protocol Filter Name : appletalk Protocol Id Type : snap Protocol Id Value : 0x809b Destination Address: Field Offset : Field Value : Field Mask : Protocol Id Type : snap Protocol Id Value : 0x80f3 Destination Address: Field Offset : Field Value : Field Mask : Protocol Filter Name : lacp Protocol Id Type : etype Protocol Id Value : 0x8809 Destination Address: 01:80:C2:00:00:02 Field Offset : 14 Field Value : 01 Field Mask : FF # show protocol filter lacp detail Protocol Filter Name : lacp Protocol Id Type : etype Protocol Id Value : 0x8809 Destination Address: 01:80:C2:00:00:02 Field Offset : 14 Field Value : 01 Field Mask : FF History This command was first available in ExtremeXOS 10.1. The filter and detail keywords were added in ExtremeXOS 15.5. Layer 2 Basics 184

Platform Availability This command is available on all platforms. show vlan show vlan {virtual-router vr-name} show {vlan} vlan_name {ipv4 ipv6} show vlan [tag tag detail] {ipv4 ipv6} show vlan ports Description Displays information about one or all VLANs. Syntax Description vr-name Specifies a VR name for which to display summary information for all VLANs. If no VR name is specified, the software displays summary information for all VLANs in the current VR context. Note User-created VRs are supported only on the platforms listed for this feature in the Feature License Requirements document. On switches that do not support user-created VRs, all VLANs are created in VR- and cannot be moved. vlan_name tag detail ipv4 ipv6 ports Specifies a VLAN name for which to display detailed VLAN information. Specifies the 802.1Q tag of a VLAN for which to display detailed VLAN information. Specifies that detailed information should be displayed for all VLANs. Specifies IPv4. Specifies IPv6. Displays VLAN ports information. Summary information for all VLANs on the device. Usage Guidelines Note To display IPv6 information, you must issue either the show vlan detail command or show vlan command with the name of the specified VLAN. Layer 2 Basics 185

Unlike many other VLAN-related commands, the keyword vlan is required in all forms of this command except when requesting information for a specific VLAN. Use the command show vlan to display summary information for all VLANs. It shows various configuration options as a series of flags (see the example below). VLAN names, descriptions, and protocol names may be abbreviated in this display. Use the command show vlan detail to display detailed information for all VLANs. This displays the same information as for an individual VLAN, but shows every VLAN, one-by-one. After each VLAN display you can elect to continue or quit. Protocol none indicates that this VLAN was configured with a user-defined protocol that has subsequently been deleted. Note The BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches display the Mgmt VLAN in VR-Mgmt. When an IPv6 address is configured for the VLAN, the system may display one of the following two address types in parentheses after the IPv6 address: Tentative Duplicate Note See the appropriate ExtremeXOS User Guide volume for information on IPv6 address types. You can display additional useful information on VLANs configured with IPv6 addresses by issuing the show ipconfig ipv6 vlan vlan_name command. When a displayed VLAN is part of a PVLAN, the display includes the PVLAN name and type (which is network, non-isolated subscriber, or isolated subscriber). When the displayed VLAN is configured for VLAN translation, the display provides translation VLAN information. If the displayed VLAN is a translation VLAN, a list of translation VLAN members appears. If the displayed VLAN is a member VLAN, the display indicates the translation VLAN to which the member VLAN belongs. Example The following is example output of the show vlan command on a switch where PTP and CES are configured (for example, an E4G-200 or E4G-400): E4G-400.15 # sh vlan ------------------------------------------------------------------------------ -------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ------------------------------------------------------------------------------ -------- Layer 2 Basics 186

1 --------------------------------T------- ANY 1 /34 VR- Mgmt 4095 ---------------------------------------- ANY 1 /1 VR-Mgmt v1 40 1.1.1.51 /24 -fl---------------ek ANY 1 /10 VR- v2 20 1.1.2.52 /24 -f----------------e- ANY 0 /1 VR- ------------------------------------------------------------------------------ -------- Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled, (F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for MLAG, (k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled, (R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN, (T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled Total number of VLAN(s) : 4 The following sample output shows OpenFlow status: E4G-200.5 # show vlan ------------------------------------------------------------------------------ --------------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ------------------------------------------------------------------------------ --------------- 1 ----------------------------------------------- ANY 0/0 VR- ext 4094 ----------------------------------------------- ANY 0 /12 VR- Mgmt 4095 ----------------------------------------------- ANY 1/1 VR-Mgmt ------------------------------------------------------------------------------ --------------- Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN, (d) Dynamically created VLAN, (D) VLAN Admin Disabled, (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled, (F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for MLAG, (k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled, (R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN, Layer 2 Basics 187

(T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled (Z) Openflow Enabled Total number of VLAN(s) : 3 The following sample output shows detailed OpenFlow status: E4G-200.7 # show vlan detail VLAN Interface with name created by user Admin State: Enabled Tagging: 802.1Q Tag 1 Description: None Virtual router: VR- IPv4 Forwarding: Disabled IPv4 MC Forwarding: Disabled IPv6 Forwarding: Disabled IPv6 MC Forwarding: Disabled IPv6: None STPD: s0(disabled,auto-bind) Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports: 0. (Number of active ports=0) # # VLAN Interface with name ext created by user Admin State: Enabled Tagging:Untagged (Internal tag 4094) Description: None Virtual router: VR- IPv6 Forwarding: Disabled IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Openflow: Enabled Egress Rate Limit Designated Port: None configured # # Flood Rate Limit QosProfile: None configured Ports: 12. (Number of active ports=0) Untag: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 Flags: (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (x) VMAN Tag Translated port (G) Multi-switch LAG Group port (H) Dynamically added by MVRP Layer 2 Basics 188

VLAN Interface with name Mgmt created by user Admin State: Enabled Tagging: 802.1Q Tag 4095 Description: Management VLAN Virtual router: VR-Mgmt IPv4 Forwarding: Disabled IPv6 Forwarding: Disabled IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Flood Rate Limit QosProfile: None configured Ports: 1. (Number of active ports=1) Untag: Mgmt-port on Mgmt is active The following example displays VLAN ports information: show vlan ports 1,2,3,4,5,6,7,8,9,10,11,12 ------------------------------------------------------------------------------ --------------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ------------------------------------------------------------------------------ --------------- ext 4094 ----------------------------------------------- ANY 0 /12 VR- ------------------------------------------------------------------------------ --------------- Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN, (d) Dynamically created VLAN, (D) VLAN Admin Disabled, (e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled, (F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for MLAG, (k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled, (R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN, (T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled (Z) Openflow Enabled Total number of VLAN(s) : 3 (1 displayed) show vlan ports 1 detail VLAN Interface with name ext created by user Admin State: Enabled Tagging:Untagged (Internal tag 4094) Description: None Virtual router: VR- IPv4 Forwarding: Disabled Layer 2 Basics 189

IPv4 MC Forwarding: Disabled IPv6 Forwarding: Disabled IPv6 MC Forwarding: Disabled IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Openflow: Enabled Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports: 12. (Number of active ports=0) Untag: 1, 2, 3, 4, 5, 6, 7, Flags: 8, 9, 10, 11, 12 (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (x) VMAN Tag Translated port (G) Multi-switch LAG Group port (H) Dynamically added by MVRP The following example is the show output of a vlan that has port-specific tag. The tag is displayed in parentheses. VLAN Interface with name vl1 created by user Admin State: Enabled Tagging: 802.1Q Tag 100 Description: None Virtual router: VR- IPv4 Forwarding: Disabled IPv4 MC Forwarding: Disabled IPv6 Forwarding: Disabled IPv6 MC Forwarding: Disabled IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled OpenFlow: Disabled QosProfile: None configured Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports: 8. (Number of active ports=2) Untag: 5 Tag: 1, 10, 11 Port-specific Tag: 1(0010), 1(0011), *3(0101), *4(0102) port port Flags: (*) Active, (!) Disabled, (g) Load Sharing (b) Port blocked on the vlan, (m) Mac-Based Layer 2 Basics 190

NetLogin port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback (x) VMAN Tag Translated port (G) Multi-switch LAG Group port (H) Dynamically added by MVRP (U) Dynamically added uplink port (V) Dynamically added by VM Tracking History This command was first available in ExtremeXOS 10.1. The IPv6 information was added in ExtremeXOS 11.2. The netlogin information was added in ExtremeXOS 11.3. The VR and administratively enabled/disabled information was added in ExtremeXOS 11.4. The tag option was added in ExtremeXOS 12.4.4. The OpenFlow status feature was added in ExtremeXOS 15.3. Platform Availability This command is available on all platforms. Information on MAC-based ports is available only on the Summit family of switches, SummitStack, and the BlackDiamond 8800 series switch. show vlan description show vlan description Description Displays a list of VLANs and VLAN descriptions. Syntax Description This command has no arguments or variables. N/A. Layer 2 Basics 191

Usage Guidelines None. Example The following example displays the descriptions for all VLANs: # show vlan description ---------------------------------------------------------------------------- Name VID Description ---------------------------------------------------------------------------- ctrl1 11 Control Vlan ctrl2 102 Control Vlan 2 1 v1 60 vlan 1 vplsvlan 3296 L2 VPN to home office ---------------------------------------------------------------------------- Total number of VLAN(s) : 5 History This command was first available in ExtremeXOS 12.4.4. Platform Availability This command is available on all platforms. show vlan l2pt show [vlan vman] vlan_name {ports port_list} l2pt {detail} Description Displays the L2PT configuration and status of a service. Syntax Description vlan Displays VLAN configuration. vman Displays VMAN configuration. vlan_name Specifies a VLAN name. ports port_list Displays the ports and port list separated by a comma (, ) or dash ( - ). detail Displays the L2PT configuration and status in detail. Disabled. Layer 2 Basics 192

Usage Guidelines Use this command to display the L2PT configuration and status of a service. Example The following is an example of the show vman ports l2pt command: # show vman cust2 ports 1:2,1:7 l2pt Interface L2PT Profile Name --------------- -------------------------------- 1:2 my_l2pt_prof 1:7 (none) The following example illustrates the show vman l2pt ports detail command: show vman cust2 ports 1:2,1:7 l2pt detail Port 1:2 L2PT Profile Name : my_l2pt_profile Protocol Filter Name : filter1 Destination Address: 01:80:C2:00:00:02 Protocol Id Type : etype Protocol Id Value : 0x8902 Field Offset : 14 Field Value : 03 Field Mask : FF Action : Tunnel CoS : Packets Transmitted: 2300 Packets Received : 2300 Protocol Filter Name : filter2 Destination Address: 01:80:C2:00:00:00 Protocol Id Type : snap Protocol Id Value : 0x4041 Field Offset : Field Value : Field Mask : Action : Tunnel CoS : 7 Packets Transmitted: 500 Packets Received : 500 Port 1:7 L2PT Profile Name : (none) History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. Layer 2 Basics 193

show vman show vman show {vman} vman_name {ipv4 ipv6} show vman [tag tag detail] {ipv4 ipv6} Description Displays information about one or all VMANs. Note The information displayed for this command depends on the platform and configuration you are using. Syntax Description vman_name tag detail ipv4 ipv6 Specifies that information is displayed for the specified VMAN. Specifies a VMAN using the 802.1Q tag. Specifies that all information is displayed for each VMAN. Specifies IPv4. Specifies IPv6. Summary information for all VMANs on the switch. Usage Guidelines The information displayed with this command depends on the platform and configuration you are using. Example The following example displays a list of all the VMANs on the switch: * BD-12804.17 # show vman ------------------------------------------------------------------------------ -------- Name VID Protocol Addr Flags Proto Ports Virtual Active router /Total ------------------------------------------------------------------------------ -------- le1 4091 ------------------ ----------------a ANY 2 /2 VR- le2 4090 ------------------ ----------------a ANY 0 /0 VR- Layer 2 Basics 194

vm1 4089 ------------------ ----------------- ANY 0 /0 VR- ------------------------------------------------------------------------------ -------- Flags : (a) Learning Domain (C) EAPS Control vlan, (E) ESRP Enabled, (f) IP Forwarding Enabled, (i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled, (N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled, (P) EAPS protected vlan, (r) RIP Enabled, (T) Member of STP Domain, (v) VRRP Enabled, (B) 802.1ah Backbone VMAN, (S) 802.1ah Service VMAN Total number of vman(s) : 3 The following example displays information on a single VMAN named vman1: # show vman blue VMAN Interface with name vman1 created by user Admin State: Enabled Tagging: 802.1Q Tag 100 Virtual router: VR- IPv4 Forwarding: Disabled IPv6 Forwarding: Disabled IPv6: None STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports: 2. (Number of active ports=0) Tag: *1, *2 CEP: *3: CVID 20-29 *4: CVID 10-19 translate 20-29 *5: CVID 10-19 translate 20-29,CVID 30 Flags: (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (x) VMAN Tag Translated port (G) Multi-switch LAG Group port The Port CVID output was added in the display of show vman vlan_name detail in ExtremeXOS 15.3.2: VMAN Interface with name vm1 created by user Admin State: Enabled Tagging: 802.1Q Tag 1000 Description: None Virtual router: VR- IPv4 Forwarding: Disabled IPv6 Forwarding: Disabled IPv6: None Layer 2 Basics 195

STPD: None Protocol: Match all unfiltered protocols Loopback: Disabled NetLogin: Disabled QosProfile: None configured Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports: 3. (Number of active ports=3) Untag: *21: Port CVID 5, *24: Port CVID 7, Tag: *22 Flags: (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (x) VMAN Tag Translated port (G) Multi-switch LAG Group port The show vman detail command shows all the information shown in the show vman vlan_name command, but displays information for all configured VMANs. History This command was first available in ExtremeXOS 11.0. Information on IEE 802.1ah was added in ExtremeXOS 11.4. The tag option was added in ExtremeXOS 12.4.4. Port CVID output was added in ExtremeXOS 15.3.2. Platform Availability This command is available on all platforms. CEP information is displayed only on BlackDiamond X8, BlackDiamond 8800 series switches and Summit family switches. show vman eaps show {vman} vman_name eaps Description Displays the EAPS domains to which the VMAN belongs. Layer 2 Basics 196

Syntax Description vman_name Specifies the name of the VMAN for which EAPS information is to be displayed. N/A. Usage Guidelines None. Example The following example displays a list of EAPS domains for the campus1 VMAN: show vman campus1 eaps History This command was first available in ExtremeXOS 11.0. Information on IEE 802.1ah was added in ExtremeXOS 11.4. Platform Availability This command is available on all platforms. show vman ethertype show vman ethertype Description Displays the ethertype information and secondary ethertype port_ list for VLANs, VMANs and PBBNs Syntax Description This command has no arguments or variables. N/A. Layer 2 Basics 197

Usage Guidelines None. Example The following example shows the command output on switches that support only VMANs: vman ethertype: 0x88a8 The following example shows the command output on switches that support PBBNs: # show vman ethertype vman ethertype : 0x88a8 bvlan ethertype: 0x88b5 The following example shows the command output when a secondary ethertype is configured with ports information: # show vman ethertype Vman Primary ethertype : 0x9100 Vman Secondary ethertype : 0x8100 BVlan ethertype : 0x88b5 Secondary ethertype ports : 6:2g 6:3 The letter g in the port list indicates that the port is a LAG/Trunk port, the details of which can be seen using the show port sharing command. History This command was first available in ExtremeXOS 11.0. Information on IEE 802.1ah was added in ExtremeXOS 11.4. Platform Availability This command is available on all platforms. show vman l2pt show [vlan vman] vlan_name {ports port_list} l2pt {detail} Description Displays the L2PT configuration and status of a service. Layer 2 Basics 198

Syntax Description vlan Displays VLAN configuration. vman Displays VMAN configuration. vlan_name Specifies a VLAN name. ports port_list Displays the ports and port list separated by a comma (, ) or dash ( - ). detail Displays the L2PT configuration and status in detail. Disabled. Usage Guidelines Use this command to display the L2PT configuration and status of a service. Example The following is an example of the show vman ports l2pt command: # show vman cust2 ports 1:2,1:7 l2pt Interface L2PT Profile Name --------------- -------------------------------- 1:2 my_l2pt_prof 1:7 (none) The following example illustrates the show vman l2pt ports detail command: # show vman cust2 ports 1:2,1:7 l2pt detail Port 1:2 L2PT Profile Name : my_l2pt_profile Protocol Filter Name : filter1 Destination Address: 01:80:C2:00:00:02 Protocol Id Type : etype Protocol Id Value : 0x8902 Field Offset : 14 Field Value : 03 Field Mask : FF Action : Tunnel CoS : Packets Transmitted: 2300 Packets Received : 2300 Protocol Filter Name : filter2 Destination Address: 01:80:C2:00:00:00 Protocol Id Type : snap Protocol Id Value : 0x4041 Field Offset : Field Value : Field Mask : Action : Tunnel CoS : 7 Layer 2 Basics 199

Packets Transmitted: 500 Packets Received : 500 Port 1:7 L2PT Profile Name : (none) History This command was first available in ExtremeXOS 15.5. Platform Availability This command is available on all platforms. unconfigure vlan description unconfigure {vlan} vlan_name description Description Removes the description for the specified VLAN. Syntax Description vlan_name Specifies the VLAN name. N/A. Usage Guidelines None. Example The following example removes the description from VLAN vlan1: unconfigure vlan vlan1 description History This command was first available in ExtremeXOS 12.4.4. Platform Availability This command is available on all platforms. Layer 2 Basics 200

unconfigure vlan ipaddress unconfigure {vlan} vlan_name ipaddress {ipv6_address_mask} Description Removes the IP address of the VLAN or a VMAN. With no parameters, the command removes the primary IPv4 address on the specified VLAN. Using the IPv6 parameters, you can remove specified IPv6 addresses from the specified VLAN. Syntax Description vlan_name ipv6_address_mask Specifies a VLAN or VMAN name. Specifies an IPv6 address using the format of IPv6-address/prefix-length, where IPv6 is the 128-bit address and the prefix length specifies the number of leftmost bits that comprise the prefix. Removes the primary IPv4 address from the specified VLAN or VMAN. Usage Guidelines Note With IPv6, you cannot remove the last link local IPv6 address until all global IPv6 addresses are removed. For MLAG configurations, you cannot remove an IP address from a VLAN until after you delete the MLAG peer. Example The following command removes the primary IPv4 address from the VLAN "accounting": unconfigure vlan accounting ipaddress The following command removes an IPv6 addresses from the VLAN "finance": unconfigure vlan finance ipaddress 3ffe::1 History This command was first available in ExtremeXOS 10.1. The IPv6 parameters were added in ExtremeXOS 11.2. Platform Availability This command is available on all platforms. Layer 2 Basics 201

unconfigure vman ethertype unconfigure vman ethertype {secondary} Description Restores the default primary VMAN ethertype value of 0x88A8 or deletes the secondary ethertype value. Syntax Description secondary Deletes the secondary ethertype value. If the secondary option is not specified, it restores the default primary VMAN ethertype value of 0x88a8. Usage Guidelines When you enter this command without the secondary option, the primary VMAN ethertype returns to the default value of 0x88A8. If you specify the secondary option, the secondary VMAN ethertype value is deleted (no value is assigned). Note Before unconfiguring the secondary VMAN ethertype, any secondary VMAN port must be changed to the primary VMAN ethertype; otherwise the command fails. Example The following example restores the primary VMAN ethertype to the default value: unconfigure vman ethertype The following example deletes the secondary VMAN ethertype: unconfigure vman ethertype secondary History This command was first available in ExtremeXOS 11.0. Platform Availability This command is available on all platforms. Layer 2 Basics 202