Layer 2 Basics

ExtremeXOS 15.5 User Guide

120936-00 Rev. 2
Published June 2014

Copyright 20112014 All rights reserved.

Legal Notice
Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks,
Inc., reserves the right to make changes in specifications and other information contained in this
document and its website without prior notice. The reader should in all cases consult
representatives of Extreme Networks to determine whether any such changes have been made.
The hardware, firmware, software or any specifications described or referred to in this document
are subject to change without notice.

Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of
Extreme Networks, Inc. in the United States and/or other countries.
All other names (including any product names) mentioned in this document are the property of
their respective owners and may be trademarks or registered trademarks of their respective
companies/owners.
For additional information on Extreme Networks trademarks, please see:
www.extremenetworks.com/company/legal/trademarks/

Support
For product support, including documentation, visit: www.extremenetworks.com/support/
For information, contact:
Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
USA

Table of Contents
Preface.........................................................................................................................................6
Conventions.............................................................................................................................................................................6
Related Publications............................................................................................................................................................ 7
Providing Feedback to Us................................................................................................................................................ 8
Navigating the ExtremeXOS User Guide...........................................................................................................................9

Chapter 1: VLANs......................................................................................................................10
VLANs Overview................................................................................................................................................................. 10
Configuring VLANs on the Switch..............................................................................................................................19
Displaying VLAN Information.......................................................................................................................................23
Private VLANs......................................................................................................................................................................24
VLAN Translation............................................................................................................................................................... 42
Port-Specific VLAN Tag...................................................................................................................................................51

Chapter 2: VMAN (PBN) .........................................................................................................56

VMAN Overview................................................................................................................................................................. 56
PBBNs....................................................................................................................................................................................... 61
VMAN Configuration Options and Features........................................................................................................ 64
Configuration........................................................................................................................................................................67
Displaying Information.................................................................................................................................................... 70
Configuration Examples................................................................................................................................................... 71

Chapter 3: FDB......................................................................................................................... 74
FDB Contents.......................................................................................................................................................................74
How FDB Entries Get Added....................................................................................................................................... 74
How FDB Entries Age Out............................................................................................................................................. 75
FDB Entry Types.................................................................................................................................................................75
Managing the FDB............................................................................................................................................................. 77
Displaying FDB Entries and Statistics....................................................................................................................... 81
MAC-Based Security..........................................................................................................................................................81
Managing MAC Address Tracking............................................................................................................................. 85

Chapter 4: Layer 2 Basic Commands.................................................................................... 87

clear counters fdb mac-tracking ...............................................................................................................................89
clear counters ports protocol filter...........................................................................................................................90
clear fdb................................................................................................................................................................................... 91
clear l2pt counters vlan................................................................................................................................................... 92
clear l2pt counters vman................................................................................................................................................93
clear l2pt counters vpls................................................................................................................................................... 93
create l2pt profile...............................................................................................................................................................94
configure fdb agingtime................................................................................................................................................. 95
configure fdb mac-tracking ports..............................................................................................................................96
configure fdb static-mac-move packets................................................................................................................ 97
configure l2pt encapsulation dest-mac.................................................................................................................. 98
configure l2pt profile add profile............................................................................................................................... 99
configure l2pt profile delete profile........................................................................................................................ 100
configure port ethertype............................................................................................................................................... 101
configure ports l2pt profile..........................................................................................................................................102
configure ports protocol filter....................................................................................................................................103

Layer 2 Basics

Table of Contents

configure private-vlan add network....................................................................................................................... 104

configure private-vlan add subscriber...................................................................................................................104
configure private-vlan delete..................................................................................................................................... 105
configure protocol add..................................................................................................................................................106
configure protocol delete.............................................................................................................................................108
configure protocol filter................................................................................................................................................ 109
configure vlan add ports private-vlan translated................................................................................................111
configure vlan add ports................................................................................................................................................ 112
configure vlan delete ports........................................................................................................................................... 113
configure vlan description.............................................................................................................................................114
configure vlan ipaddress................................................................................................................................................ 115
configure vlan name......................................................................................................................................................... 117
configure vlan protocol...................................................................................................................................................118
configure vlan tag..............................................................................................................................................................119
configure vlan-translation add loopback-port...................................................................................................120
configure vlan-translation add member-vlan.......................................................................................................121
configure vlan-translation delete loopback-port.............................................................................................. 122
configure vlan-translation delete member-vlan................................................................................................ 123
configure vman add ports cep...................................................................................................................................124
configure vman add ports............................................................................................................................................126
configure vman delete ports.......................................................................................................................................129
configure vman ethertype............................................................................................................................................129
configure vman ports add cvid...................................................................................................................................131
configure vman ports delete cvid.............................................................................................................................132
configure vman protocol...............................................................................................................................................133
configure vman tag......................................................................................................................................................... 134
configure vpls peer l2pt profile..................................................................................................................................135
create fdb mac-tracking entry................................................................................................................................... 136
create fdbentry vlan ports............................................................................................................................................137
create l2pt profile............................................................................................................................................................. 139
create private-vlan...........................................................................................................................................................140
create protocol................................................................................................................................................................... 141
create vlan............................................................................................................................................................................142
create vman.........................................................................................................................................................................144
delete fdb mac-tracking entry................................................................................................................................... 145
delete fdbentry.................................................................................................................................................................. 146
delete l2pt profile............................................................................................................................................................. 146
delete private-vlan........................................................................................................................................................... 147
delete protocol.................................................................................................................................................................. 148
delete vlan............................................................................................................................................................................149
delete vman.........................................................................................................................................................................150
disable dot1p examination inner-tag ports............................................................................................................151
disable fdb static-mac-move...................................................................................................................................... 152
disable flooding ports..................................................................................................................................................... 153
disable learning iparp sender-mac...........................................................................................................................154
disable learning port........................................................................................................................................................155
disable loopback-mode vlan....................................................................................................................................... 156
disable snmp traps fdb mac-tracking.....................................................................................................................157
disable vlan.......................................................................................................................................................................... 158

Layer 2 Basics

Table of Contents

disable vman cep egress filtering ports.................................................................................................................159

enable dot1p examination inner-tag port............................................................................................................. 160
enable fdb static-mac-move........................................................................................................................................ 161
enable flooding ports.......................................................................................................................................................161
enable learning iparp sender-mac............................................................................................................................163
enable learning port........................................................................................................................................................ 164
enable loopback-mode vlan........................................................................................................................................ 165
enable snmp traps fdb mac-tracking..................................................................................................................... 166
enable vlan........................................................................................................................................................................... 166
enable vman cep egress filtering ports................................................................................................................. 167
show fdb mac-tracking configuration....................................................................................................................168
show fdb mac-tracking statistics..............................................................................................................................169
show fdb static-mac-move configuration............................................................................................................170
show fdb stats..................................................................................................................................................................... 171
show fdb................................................................................................................................................................................173
show l2pt profile................................................................................................................................................................176
show l2pt...............................................................................................................................................................................177
show ports protocol filter............................................................................................................................................. 178
show private-vlan <name>.......................................................................................................................................... 180
show private-vlan...............................................................................................................................................................181
show protocol.....................................................................................................................................................................183
show vlan.............................................................................................................................................................................. 185
show vlan description...................................................................................................................................................... 191
show vlan l2pt.....................................................................................................................................................................192
show vman...........................................................................................................................................................................194
show vman eaps................................................................................................................................................................196
show vman ethertype.....................................................................................................................................................197
show vman l2pt................................................................................................................................................................. 198
unconfigure vlan description.....................................................................................................................................200
unconfigure vlan ipaddress......................................................................................................................................... 201
unconfigure vman ethertype..................................................................................................................................... 202

Layer 2 Basics

Preface
Conventions
This section discusses the conventions used in this guide.

Text Conventions
The following tables list text conventions that are used throughout this guide.
Table 1: Notice Icons
Icon

Notice Type

Alerts you to...

Note

Important features or instructions.

Caution

Risk of personal injury, system damage, or loss of data.

Warning

Risk of severe personal injury.

New

This command or section is new for this release.

Table 2: Text Conventions

Convention
Screen displays

Description
This typeface indicates command syntax, or represents information as it appears on
the screen.

The words enter and

type

When you see the word enter in this guide, you must type something, and then press
the Return or Enter key. Do not press the Return or Enter key when an instruction
simply says type.

[Key] names

Key names are written with brackets, such as [Return] or [Esc]. If you must press two
or more keys simultaneously, the key names are linked with a plus sign (+). Example:
Press [Ctrl]+[Alt]+[Del]

Words in italicized type

Italics emphasize a point or denote new terms at the place where they are defined in
the text. Italics are also used when referring to publication titles.

Layer 2 Basics

Preface

Platform-Dependent Conventions
Unless otherwise noted, all information applies to all platforms supported by ExtremeXOS software,
which are the following:

BlackDiamond X8 series switch

BlackDiamond 8800 series switches
Cell Site Routers (E4G-200 and E4G-400)
Summit family switches
SummitStack

When a feature or feature implementation applies to specific platforms, the specific platform is noted in
the heading for the section describing that implementation in the ExtremeXOS command
documentation. In many cases, although the command is available on all platforms, each platform uses
specific keywords. These keywords specific to each platform are shown in the Syntax Description and
discussed in the Usage Guidelines.

Terminology
When features, functionality, or operation is specific to a switch family, the family name is used.
Explanations about features and operations that are the same across all product families simply refer to
the product as the switch.

Related Publications
Documentation for Extreme Networks products is available at: www.extremenetworks.com. The
following is a list of related publications currently available:

ExtremeXOS User Guide

ExtremeXOS Hardware and Software Compatibility Matrix
ExtremeXOS Legacy CLI Quick Reference Guide
ExtremeXOS ScreenPlay User Guide
Using AVB with Extreme Switches

BlackDiamond 8800 Series Switches Hardware Installation Guide

BlackDiamond X8 Switch Hardware Installation Guide
Extreme Networks Pluggable Interface Installation Guide
Summit Family Switches Hardware Installation Guide

Ridgeline Installation and Upgrade Guide

Ridgeline Reference Guide

SDN OpenFlow Implementation Guide

SDN OpenStack Install Guide

Some ExtremeXOS software files have been licensed under certain open source licenses. Information is
available at: www.extremenetworks.com/services/osl-exos.aspx

Layer 2 Basics

Preface

Providing Feedback to Us
We are always striving to improve our documentation and help you work better, so we want to hear
from you! We welcome all feedback but especially want to know about:
Content errors or confusing or conflicting information.
Ideas for improvements to our documentation so you can find the information you need faster.
Broken links or usability issues.
If you would like to provide feedback to the Extreme Networks Information Development team about
this document, please contact us using our short online feedback form. You can also email us directly at
internalinfodev@extremenetworks.com.

Layer 2 Basics

Navigating the ExtremeXOS User Guide

This guide consists of the following eight volumes that contain feature descriptions, conceptual
material, configuration details, command references and examples:
Basic Switch Operation
Policies and Security
Layer 2 Basics
Layer 2 Protocols
Layer 3 Basics
Layer 3 Unicast Protocols
Multicast
Advanced Features

Layer 2 Basics

1 VLANs
VLANs Overview
Configuring VLANs on the Switch
Displaying VLAN Information
Private VLANs
VLAN Translation
Port-Specific VLAN Tag
This chapter contains information about configuring VLANs, displaying VLAN information, private
VLANs, and VLAN translation. In addition, you can learn about the benefits and types of VLANs, along
with valuable information about virtual routers.

VLANs Overview
Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of
network administration while increasing efficiency in network operations.
Note
The software supports using IPv6 addresses, in addition to IPv4 addresses. You can configure
the VLAN with an IPv4 address, IPv6 address, or both. See IPv6 Unicast Routing for complete
information on using IPv6 addresses.
The term VLAN is used to refer to a collection of devices that communicate as if they were on the same
physical LAN.
Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not
restricted by the hardware that physically connects them. The segments are defined by flexible user
groups that you create with the command line interface (CLI).
Note
The system switches traffic within each VLAN using the Ethernet MAC address. The system
routes traffic between two VLANs using the IP addresses.

Benefits
Implementing VLANs on your networks has the following advantages:
VLANs help to control trafficWith traditional networks, broadcast traffic that is directed to all
network devices, regardless of whether they require it, causes congestion. VLANs increase the
efficiency of your network because each VLAN can be set up to contain only those devices that
must communicate with each other.

Layer 2 Basics

10

VLANs

VLANs provide extra securityDevices within each VLAN can communicate only with member
devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN
Sales, the traffic must cross a routing device.
VLANs ease the change and movement of devicesWith traditional networks, network
administrators spend much of their time dealing with moves and changes. If users move to a
different subnetwork, the addresses of each endstation must be updated manually.

Virtual Routers and VLANs

The ExtremeXOS software supports virtual routers. Each port can belong to multiple virtual routers.
Ports can belong to different VLANs that are in different virtual routers.
Note
You can create virtual routers only on BlackDiamond X8 series switches, BlackDiamond 8000
c-, xl-, and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X460,
X480, X670, and X770 switches.
If you do not specify a virtual router when you create a VLAN, the system creates that VLAN in the
default virtual router (VR-Default). The management VLAN is always in the management virtual router
(VR-Mgmt).
After you create virtual routers, the ExtremeXOS software allows you to designate one of these virtual
routers as the domain in which all your subsequent configuration commands, including VLAN
commands, are applied. After you create virtual routers, ensure that you are creating each VLAN in the
desired virtual router domain. Also, ensure that you are in the correct virtual router domain before you
begin modifying each VLAN.
For information on configuring and using virtual routers, see Virtual Routers.

Types of VLANs
This section introduces the following types of VLANs:

Port-Based VLANs
Tagged VLANs
Protocol-Based VLANs
Note
You can have netlogin dynamic VLANs and, on the Summit family of switches and
BlackDiamond 8800 series switches only, netlogin MAC-based VLANs. See Network Login for
complete information on netlogin.

VLANs can be created according to the following criteria:

Physical port
IEEE 802.1Q tag
Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type
A combination of these criteria

Layer 2 Basics

11

VLANs

Port-Based VLANs
In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch.
At boot-up, all ports are members of the port-based VLAN default. Before you can add any port to
another port-based VLAN, you must remove it from the default VLAN, unless the new VLAN uses a
protocol other than the default protocol any. An untagged port can be a member of only one portbased VLAN.
On the Extreme Networks switch in the following figure, ports 9 through 14 are part of VLAN Marketing;
ports 25 through 29 are part of VLAN Sales; and ports 21 through 24 and 30 through 32 are in VLAN
Finance.

Figure 1: Example of a Port-Based VLAN on an Extreme Networks Switch

For the members of different IP VLANs to communicate, the traffic must be routed by the switch, even
if the VLANs are physically part of the same I/O module. This means that each VLAN must be
configured as a router interface with a unique IP address.
Spanning Switches with Port-Based VLANs

To create a port-based VLAN that spans two switches, you must do two things:
1

Assign the port on each switch to the VLAN.

Layer 2 Basics

12

VLANs

2 Cable the two switches together using one port on each switch per VLAN.
The following figure illustrates a single VLAN that spans a BlackDiamond switch and another
Extreme Networks switch. All ports on the System 1 switch belong to VLAN Sales. Ports 1 through 29
on the system 2 switch also belong to VLAN Sales. The two switches are connected using slot 8,
port 4 on System 1 (the BlackDiamond switch), and port 29 on system 2 (the other switch).

Figure 2: Single Port-based VLAN Spanning Two Switches

3 To create multiple VLANs that span two switches in a port-based VLAN, a port on System 1 must be
cabled to a port on System 2 for each VLAN you want to have span across the switches.
At least one port on each switch must be a member of the corresponding VLANs as well.
The following figure illustrates two VLANs spanning two switches. On System 2, ports 25 through
29 are part of VLAN Accounting; ports 21 through 24 and ports 30 through 32 are part of VLAN
Engineering. On System 1, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part
of VLAN Engineering.

Figure 3: Two Port-based VLANs Spanning Two Switches

VLAN Accounting spans System 1 and System 2 by way of a connection between System 2, port 29
and System 1, slot 1, port 6. VLAN Engineering spans System 1 and System 2 by way of a connection
between System 2, port 32, and System 1, slot 8, port 6.

Layer 2 Basics

13

VLANs

4 Using this configuration, you can create multiple port-based VLANs that span multiple switches, in a
daisy-chained fashion.
Tagged VLANs
Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the
identification number of a specific VLAN, called the VLANid (valid numbers are 1 to 4094).
Note
The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than
the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error
counters in other devices and may also lead to connectivity problems if non-802.1Q bridges
or routers are placed in the path.
Uses of Tagged VLANs

Tagging is most commonly used to create VLANs that span switches.

The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span
multiple switches using one or more trunks. In a port-based VLAN, each VLAN requires its own pair of
trunk ports, as shown in the following figure. Using tags, multiple VLANs can span two switches with a
single trunk.
Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This is
particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The
device must have a Network Interface Card (NIC) that supports IEEE 802.1Q tagging.
A single port can be a member of only one port-based VLAN. All additional VLAN membership for the
port must be accompanied by tags.

Assigning a VLAN Tag

Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag
defined, you decide whether each port uses tagging for that VLAN. The default mode of the switch is to
have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1 assigned.
Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of the switch, the
switch determines (in real time) if each destination port should use tagged or untagged packet formats
for that VLAN. The switch adds and strips tags, as required, by the port configuration for that VLAN.
Note
Packets arriving tagged with a VLANid that is not configured on a port are discarded.
The following figure illustrates the physical view of a network that uses tagged and untagged traffic.

Layer 2 Basics

14

VLANs

Figure 4: Physical Diagram of Tagged and Untagged Traffic

The following figure is a logical diagram of the same network.

Figure 5: Logical Diagram of Tagged and Untagged Traffic

In the figures above:
The trunk port on each switch carries traffic for both VLAN Marketing and VLAN Sales.
The trunk port on each switch is tagged.
The server connected to port 25 on System 1 has a NIC that supports 802.1Q tagging.
The server connected to port 25 on System 1 is a member of both VLAN Marketing and VLAN Sales.
All other stations use untagged traffic.
As data passes out of the switch, the switch determines if the destination port requires the frames to be
tagged or untagged. All traffic coming from and going to the server is tagged. Traffic coming from and
going to the trunk ports is tagged. The traffic that comes from and goes to the other stations on this
network is not tagged.
Mixing Port-Based and Tagged VLANs

You can configure the switch using a combination of port-based and tagged VLANs. A given port can
be a member of multiple VLANs, with the stipulation that only one of its VLANs uses untagged traffic.

Layer 2 Basics

15

VLANs

In other words, a port can simultaneously be a member of one port-based VLAN and multiple tagbased VLANs.
Note
For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag
containing a VLANid of 0 are treated as untagged.
Protocol-Based VLANs
Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria
to determine if a particular packet belongs to a particular VLAN.
Protocol-based VLANs are most often used in situations where network segments contain hosts
running multiple protocols. For example, in the following figure, the hosts are running both the IP and
NetBIOS protocols.
The IP traffic has been divided into two IP subnets, 192.207.35.0 and 192.207.36.0. The subnets are
internally routed by the switch. The subnets are assigned different VLAN names, Finance and
Personnel, respectively. The remainder of the traffic belongs to the VLAN named MyCompany. All ports
are members of the VLAN MyCompany.

Figure 6: Protocol-Based VLANs

The following sections provide information on using protocol-based VLANs:
Predefined Protocol Filters on page 16
Defining Protocol Filters on page 17
Configuring a VLAN to Use a Protocol Filter on page 18
Deleting a Protocol Filter on page 18
Predefined Protocol Filters

The following protocol filters are predefined on the switch:

Layer 2 Basics

16

VLANs

IP (IPv4)
IPv6 (11.2 IPv6)
MPLS
IPX
NetBIOS
DECNet
IPX_8022
IPX_SNAP
AppleTalk

Defining Protocol Filters

If necessary, you can define a customized protocol filter by specifying EtherType, Logical Link Control
(LLC), or Subnetwork Access Protocol (SNAP). Up to six protocols can be part of a protocol filter. To
define a protocol filter:
1

Create a protocol using the following command:

create protocol_name

For example: create protocol fred

The protocol name can have a maximum of 32 characters.
2 Configure the protocol using the following command:
configure protocol_name add [etype | llc | snap] hex {[etype | llc | snap]
hex}

Supported protocol types include:

etypeEtherType The values for etype are four-digit hexadecimal numbers taken from a list maintained by
the IEEE. This list can be found at the following URL: http://standards.ieee.org/regauth/
ethertype/index.html.

Note
Protocol-based VLAN for Etype from 0x0000 to 0x05ff are not classifying as per filter.
When traffic arrive with these Etypes, it is classifed to native VLAN rather protocol based
vlan.
llcLLC Service Advertising
Protocol (SAP)
snapEtherType inside an
IEEE SNAP packet
encapsulation

The values for llc are four-digit hexadecimal numbers that are created by
concatenating a two-digit LLC Destination SAP (DSAP) and a two-digit LLC
Source SAP (SSAP).

The values for snap are the same as the values for etype, described
previously. For example:
configure protocol fred add llc feff
configure protocol fred add snap 9999

Layer 2 Basics

17

VLANs

A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined. No
more than seven protocols can be active and configured for use.
Note
For more information on SNAP for Ethernet protocol types, see TR 11802-5:1997 (ISO/IEC)
[ANSI/IEEE std. 802.1H, 1997 Edition].

Configuring a VLAN to Use a Protocol Filter

To configure a VLAN to use a protocol filter, use the following command:.
configure {vlan} vlan_name protocol protocol_name
Deleting a Protocol Filter

If a protocol filter is deleted from a VLAN, the VLAN is assigned a protocol filter of 'any'. You can
continue to configure the VLAN. However, no traffic is forwarded to the VLAN until a protocol is
assigned to it.
Precedence of Tagged Packets Over Protocol Filters

If a VLAN is configured to accept tagged packets on a particular port, incoming packets that match the
tag configuration take precedence over any protocol filters associated with the VLAN.

Default VLAN
The default switch configuration includes one default VLAN that has the following properties:

The VLAN name is default.

It contains all the ports on a new or initialized switch.
The default VLAN is untagged on all ports. It has an internal VLANid of 1; this value is userconfigurable.

VLAN Names
VLAN names must conform to the guidelines listed in Object Names.
VLAN names can be specified using the [Tab] key for command completion. VLAN names are locally
significant. That is, VLAN names used on one switch are only meaningful to that switch. If another
switch is connected to it, the VLAN names have no significance to the other switch.
Note
We recommend that you use VLAN names consistently across your entire network.
You must use mutually exclusive names for the following:

Layer 2 Basics

18

VLANs

VLANs
VMANs
IPv6 tunnels
SVLANs
CVLANs
BVLANs

Configuring VLANs on the Switch

Refer to the following sections for instruction on configuring VLANs on a switch:
VLAN Configuration Overview on page 19
Creating and Deleting VLANs on page 20
Managing a VLAN IP Address on page 20
Configuring a VLAN Tag on page 20
Adding and Removing Ports from a VLAN on page 20
Adding and Removing VLAN Descriptions on page 21
Renaming a VLAN on page 21
Enabling and Disabling VLANs on page 21
VLAN Configuration Examples on page 22

VLAN Configuration Overview

The following procedure provides an overview of VLAN creation and configuration:
1

Create and name the VLAN.

create vlan vlan_name {tag name} {description vlan-description} {vr name}

2 If needed, assign an IP address and mask (if applicable) to the VLAN as described in Managing a
VLAN IP Address on page 20.
3 If any ports in this VLAN will use a tag, assign a VLAN tag.
configure {vlan} vlan_name tag tag {remote-mirroring}

4 Assign one or more ports to the VLAN.

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

As you add each port to the VLAN, decide if the port will use an 802.1Q tag.
5 For the management VLAN on the switch, configure the default IP route for virtual router VR-Mgmt.
Note
See IPv4 Unicast Routing for information on configuring default IP routes or adding
secondary IP addresses to VLANs.

Layer 2 Basics

19

VLANs

Creating and Deleting VLANs

To create a VLAN, use the following command:

create vlan vlan_name {tag tag} {description vlan-description} {vr name}

To delete a VLAN, use the following command:

delete vlan vlan_name

Managing a VLAN IP Address

Note
If you plan to use this VLAN as a control VLAN for an EAPS domain, do not assign an IP
address to the VLAN.

Configure an IP address and mask for a VLAN.

configure {vlan} vlan_name ipaddress [ipaddress {ipNetmask} | ipv6-link-local
| {eui64} ipv6_address_mask] +

Note
Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You
cannot configure the same IP subnet on different VLANs on the same virtual router.
The software supports using IPv6 addresses, in addition to IPv4 addresses. You can
configure the VLAN with an IPv4 address, IPv6 address, or both. See IPv6 Unicast Routing
for complete information on using IPv6 addresses.

Remove an IP address and mask for a VLAN.

unconfigure {vlan} vlan_name ipaddress {ipv6_address_mask}

Configuring a VLAN Tag

To configure a VLAN, use the following command:
configure {vlan} vlan_name tag tag {remote-mirroring}

Adding and Removing Ports from a VLAN

To add ports to a VLAN, use the following command:

configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

The system returns the following message if the ports you are adding are already EAPS primary or
EAPS secondary ports:
WARNING: Make sure Vlan1 is protected by EAPS, Adding EAPS ring ports to a
VLAN could cause a loop in the network. Do you really want to add these ports?
(y/n)

Layer 2 Basics

20

VLANs

To remove ports from a VLAN, use the following command:

configure {vlan} vlan_name delete ports [all | port_list]

Adding and Removing VLAN Descriptions

A VLAN description is a string of up to 64 characters that you can configure to describe the VLAN. It is
displayed by several show vlan commands and can be read by using SNMP to access the VLAN's ifAlias
MIB object.

To add a description to a VLAN, use the following command:

configure {vlan} vlan_name description [vlan-description | none]

To remove a description from a VLAN, use the following command

unconfigure {vlan} vlan_name description

Renaming a VLAN
To rename an existing VLAN, use the following command:
configure {vlan} vlan_name name name

The following rules apply to renaming VLANs:

You cannot change the name of the default VLAN.
You cannot create a new VLAN named default.

Enabling and Disabling VLANs

You can enable or disable individual VLANs. The default setting is that all VLANs are enabled.
Consider the following guidelines before you disable a VLAN:

Disabling a VLAN stops all traffic on all ports associated with the specified VLAN.
You cannot disable any VLAN that is running any Layer 2 protocol traffic.
When you attempt to disable a VLAN running Layer 2 protocol traffic (for example, the VLAN
Accounting), the system returns a message similar to the following:
VLAN accounting cannot be disabled because it is actively used by an L2
Protocol

You can disable the default VLAN; ensure that this is necessary before disabling the default VLAN.
You cannot disable the management VLAN.
You cannot bind Layer 2 protocols to a disabled VLAN.
You can add ports to and delete ports from a disabled VLAN.

Disable a VLAN by running:

disable vlan vlan_name

Layer 2 Basics

21

VLANs

2 After you have disabled a VLAN, re-enable that VLAN.

enable vlan vlan_name

VLAN Configuration Examples

Note
To add an untagged port to a VLAN you create, you must first delete that port from the
default VLAN. If you attempt to add an untagged port to a VLAN before deleting it from the
default VLAN, you see the following error message:
Error: Protocol conflict when adding untagged port 1:2. Either add this
port as tagged or assign another protocol to this VLAN.

The following modular switch example creates a port-based VLAN named accounting:
create vlan accounting
configure accounting ipaddress 132.15.121.1
configure default delete port 2:1-2:3,2:6,4:1,4:2
configure accounting add port 2:1-2:3,2:6,4:1,4:2

Note
Because VLAN names are unique, you do not need to enter the keyword vlan after you have
created the unique VLAN name. You can use the VLAN name alone (unless you are also using
this name for another category such as STPD or EAPS, in which case we recommend
including the keyword vlan).
The following stand-alone switch example creates a port-based VLAN named development with an
IPv6 address:
create vlan development
configure development ipaddress 2001:0DB8::8:800:200C:417A/64
configure default delete port 1-3
configure development add port 1-3

The following modular switch example creates a protocol-based VLAN named ipsales.
Slot 5, ports 6 through 8, and slot 6, ports 1, 3, and 4-6 are assigned to the VLAN. In this example, you
can add untagged ports to a new VLAN without first deleting them from the default VLAN, because the
new VLAN uses a protocol other than the default protocol.
create vlan ipsales
configure ipsales protocol ip
configure ipsales add port 5:6-5:8,6:1,6:3-6:6

Layer 2 Basics

22

VLANs

The following modular switch example defines a protocol filter, myprotocol and applies it to the VLAN
named myvlan. This is an example only, and has no real-world application.
create protocol myprotocol
configure protocol myprotocol add etype 0xf0f0
configure protocol myprotocol add etype 0xffff
create vlan myvlan
configure myvlan protocol myprotocol

To disable the protocol-based VLAN (or any VLAN) in the above example, use the following command:
disable vlan myprotocol

To re-enable the VLAN, use the following command:

enable vlan myprotocol

Displaying VLAN Information

To display general VLAN settings and information, use the following commands:

show vlan {virtual-router vr-name}

show vlan vlan_name {ipv4 | ipv6}
show vlan [tag tag | detail] {ipv4 | ipv6}
show vlan description
show vlan {vlan_name} statistics {no-refresh}

Note
To display IPv6 information, you must use either the show vlan detail command or show
vlan command with the name of the specified VLAN.
To display the VLAN information for other ExtremeXOS software features, use the following
commands:

show {vlan} vlan_name dhcp-address-allocation

show {vlan} vlan_name dhcp-config
show {vlan} vlan_name eaps
show {vlan} vlan_name security
show {vlan} vlan_name stpd

You can display additional useful information on VLANs configured with IPv6 addresses by issuing the
command:
show ipconfig ipv6 vlan vlan_name

To isplay protocol information, issue the command:

show protocol {name}

Layer 2 Basics

23

VLANs

Private VLANs
The following sections provide detailed information on private VLANs:
PVLAN Overview on page 24
Configuring PVLANs on page 33
Displaying PVLAN Information on page 36
PVLAN Configuration Example 1 on page 37
PVLAN Configuration Example 2 on page 39

PVLAN Overview
PVLANs offer the following features:

VLAN translation
VLAN isolation
Note
PVLAN features are supported only on the platforms listed for this feature in the license
tables in the Feature License Requirements document.

VLAN Translation in a PVLAN

VLAN translation provides the ability to translate the 802.1Q tags for several VLANs into a single VLAN
tag. VLAN translation is an optional component in a PVLAN.
VLAN translation allows you to aggregate Layer 2 VLAN traffic from multiple clients into a single uplink
VLAN, improving VLAN scaling. The following figure shows an application of VLAN translation.
Note
The VLAN translation feature described in VLAN Translation on page 42 is provided for
those who are already familiar with the ExtremeWare VLAN translation feature. If you have
time to use the PVLAN implementation and do not have scripts that use the ExtremeWare
commands, we suggest that you use the PVLAN feature, as it provides the same functionality
with additional features.

Layer 2 Basics

24

VLANs

Figure 7: VLAN Translation Application

In the figure, VLANs 101, 102, and 103 are subscriber VLANS that carry data traffic while VLANs 201, 202,
and 203 are subscriber VLANs that carry voice traffic. The voice and data traffic are combined on
integrated access devices (IADs) that connect to the VLAN translation switch. Each of the three
clusters of phones and PCs uses two VLANs to separate the voice and data traffic. As the traffic is
combined, the six VLANs are translated into two network VLANs, VLAN1 and VLAN2. This simplifies
administration, and scales much better for large installations.
Conceptually, this is very similar to Layer 3 VLAN aggregation (superVLANS and subVLANs).
The primary differences between these two features are:
VLAN translation is strictly a Layer 2 feature.

VLAN translation does not allow communication between the subscriber VLANs.

VLAN Isolation
VLAN isolation provides Layer 2 isolation between the ports in a VLAN. The following figure shows an
application of VLAN isolation.

Layer 2 Basics

25

VLANs

Figure 8: VLAN Isolation Application

In this figure, ports in the Guest VLAN have access to services on the network VLAN, but Guest VLAN
ports cannot access other Guest VLAN ports over Layer 2 (or the Marketing or Engineering VLANs).
This provides port-to-port security at Layer 2.
PVLAN Components
The following figure shows the logical components that support PVLAN configuration in a switch.

Layer 2 Basics

26

VLANs

Figure 9: Private VLAN Switch Components

There is one network VLAN in each PVLAN. Ports within a network VLAN, called network ports, can
communicate with all VLAN ports in the PVLAN. Network devices that connect to the network VLAN
ports are considered to be on the network side of the switch.
The network VLAN aggregates the uplink traffic from the other VLANS, called subscriber VLANs, for
egress communications on a network VLAN port. A network port can serve only one PVLAN, but it can
serve one or more subscriber VLANs. Ingress communications on the network VLAN port are
distributed to the appropriate subscriber VLANs for distribution to the appropriate ports. Devices that
connect to subscriber VLAN ports are considered to be on the subscriber side of the switch.
Tag translation within the PVLAN is managed at the egress ports. To enable tag translation for uplink
traffic from the subscriber VLANs, you must enable tag translation on the appropriate network VLAN
port. Tag translation is automatically enabled on subscriber VLAN egress ports when the subscriber
VLAN is created and the port is added to the VLAN as tagged. Egress traffic from a subscriber VLAN is
always tagged with the subscriber VLAN tag when the port is configured as tagged.
A non-isolated subscriber VLAN is basically a standard VLAN that can participate in tag translation
through the network VLAN when VLAN translation is enabled on the network VLAN port.
You can choose to not translate tags on a network VLAN port, but this is generally used only for
extending a PVLAN to another switch. A non-isolated subscriber VLAN that does not use tag
translation is functionally equivalent to a regular VLAN, so it is better to create non-isolated VLANs only
when you plan to use tag translation.
Ports in a non-isolated VLAN can communicate with other ports in the same VLAN, ports in the
network VLAN, and destinations on the network side of the switch. As with standard VLANs, nonisolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs.
In the figure above, the Engineering and Marketing VLANs are configured as non-isolated subscriber
VLANs, which means that they act just like traditional VLANs, and they can participate in tag translation
when VLAN translation is enabled on a network VLAN port that leads to network side location.
VLAN isolation within the PVLAN is established by configuring a VLAN to be an isolated subscriber
VLAN and adding ports to the isolated VLAN. Unlike normal VLANs, ports in an isolated VLAN cannot
communicate with other ports in the same VLAN over Layer 2 or Layer 3. The ports in an isolated VLAN

Layer 2 Basics

27

VLANs

can, however, communicate with Layer 2 devices on the network side of the PVLAN through the
network VLAN. When the network VLAN egress port is configured for tag translation, isolated VLAN
ports also participate in uplink tag translation. When isolated subscriber VLAN ports are configured as
tagged, egress packets are tagged with the isolated VLAN tag. As with standard VLANs and nonisolated VLANs, isolated ports cannot communicate through Layer 2 with ports in other subscriber
VLANs.
PVLAN Support over Multiple Switches
A PVLAN can span multiple switches. The following figure shows a PVLAN that is configured to operate
on two switches.

Figure 10: Private VLAN Support on Multiple Switches

A PVLAN can span many switches. For simplicity, the figure above shows only two switches, but you
can extend the PVLAN to additional switches by adding connections between the network VLANs in
each switch. The ports that connect two PVLAN switches must be configured as regular tagged ports.
The network and subscriber VLANs on each switch must be configured with the same tags.
Note
Although using the same VLAN names on all PVLAN switches might make switch
management easier, there is no software requirement to match the VLAN names. Only the
tags must match.
When a PVLAN is configured on multiple switches, the PVLAN switches function as one PVLAN switch.
Subscriber VLAN ports can access the network VLAN ports on any of the PVLAN switches, and nonisolated VLAN ports can communicate with ports in the same VLAN that are located on a different
physical switch. An isolated VLAN can span multiple switches and maintain isolation between the VLAN
ports.
The network and subscriber VLANs can be extended to other switches that are not configured for the
PVLAN (as described in Extending Network and Subscriber VLANs to Other Switches on page 29).
The advantage to extending the PVLAN is that tag translation and VLAN isolation is supported on the
additional switch or switches.

Layer 2 Basics

28

VLANs

Extending Network and Subscriber VLANs to Other Switches

A network or subscriber VLAN can be extended to additional switches without a PVLAN configuration
on the additional switches.
You might want to do this to connect to existing servers, switches, or other network devices. You
probably do not want to use this approach to support clients, as tag translation and VLAN isolation are
not supported unless the PVLAN is configured on all PVLAN switches as described in PVLAN Support
over Multiple Switches on page 28.
The following figure illustrates PVLAN connections to switches outside the PVLAN.

Figure 11: Private VLAN Connections to Switches Outside the PVLAN

In the above figure, Switch 1, Network VLAN Port 21 connects to a Switch 3 port that only supports the
Network VLAN.
In this configuration, the Network VLAN Port 21 on Switch 1 is configured as translated, which
translates subscriber VLAN tags to the network VLAN tag for access to the Network VLAN extension
on Switch 3. Switch 3, Port 24 is configured as tagged and only accepts traffic with the Network VLAN
Tag. Switch 3 serves as an extension of the Network VLAN and can be used to connect to network
devices such as servers or an internet gateway.
Switch 2, port 22 supports the Network, NonIsolated, and Isolated VLANs, but no PVLAN is configured.

Layer 2 Basics

29

VLANs

Because port 22 supports multiple VLANs that are part of the PVLAN, and because these Switch 2
VLANs are not part of the PVLAN, Switch 1, port 24, must be configured as a PVLAN endpoint, which
establishes the PVLAN boundary. Switch 2, port 22, is configured as a regular tagged VLAN port.
For most applications, it would be better to extend the PVLAN to Switch 2 so that the PVLAN features
are available to the Switch 2 VLANs.
The configuration of Switch 2 behaves as follows:
The Switch 2 NonIsolated VLAN ports can communicate with the NonIsolated VLAN ports on
Switch 1, but they cannot participate in VLAN translation.
The Switch 2 Isolated VLAN ports can communicate with other Switch 2 Isolated VLAN ports.
The Switch 2 Isolated VLAN ports cannot participate in VLAN translation.
The Switch 2 Isolated VLAN ports can receive broadcast and multicast info for the Isolated VLAN.
Traffic is allowed from the Switch 1 Isolated VLAN ports to the Switch 2 Isolated VLAN ports.
MAC Address Management in a PVLAN
Each device that connects to a PVLAN must have a unique MAC address within the PVLAN. Each MAC
address learned in a PVLAN requires multiple FDB entries. For example, each MAC address learned in a
non-isolated subscriber VLAN requires two FDB entries, one for the subscriber VLAN and one for the
network VLAN. The additional FDB entries for a PVLAN are marked with the P flag in the show fdb
command display.
The following sections describe the FDB entries created for the PVLAN components and how to
estimate the impact of a PVLAN on the FDB table:
Non-Isolated Subscriber VLAN
Isolated Subscriber VLAN
Network VLAN
Calculating the Total FDB Entries for a PVLAN
Non-Isolated Subscriber VLAN

When a MAC address is learned on a non-isolated subscriber VLAN port, two entries are added to the
FDB table:
MAC address, non-isolated subscriber VLAN tag, and the port number
MAC address, network VLAN tag, port number, and a special flag for tag translation
The network VLAN entry is used when traffic comes in from the network ports destined for an nonisolated port.
Isolated Subscriber VLAN

When a new MAC address is learned on an isolated subscriber VLAN port, two entries are added to the
FDB table:
MAC address, isolated subscriber VLAN tag, port number, and a flag that indicates that the packet
should be dropped
MAC address, network VLAN tag, port number, and a special flag for tag translation
Ports in the isolated VLAN do not communicate with one another.

Layer 2 Basics

30

VLANs

If a port in the isolated VLAN sends a packet to another port in the same VLAN that already has an
entry in the FDB, that packet is dropped. You can verify the drop packet status of an FDB entry by
using the show fdb command. The D flag indicates that packets destined for the listed address are
dropped.
The network VLAN entry is used when traffic comes in from the network ports destined for an isolated
port.
Network VLAN

When a new MAC address is learned on a network VLAN port, the following entry is added to the FDB
table: MAC address, network VLAN tag, and port number.
For every subscriber VLAN belonging to this PVLAN, the following entry is added to the FDB table:
MAC address, subscriber VLAN tag, and port number
Calculating the Total FDB Entries for a PVLAN

The following formula can be used to estimate the maximum number of FDB entries for a PVLAN:
FDBtotal = [(MACnon-iso + MACiso) * 2 + (MACnetwork * (VLANnon-iso + VLANiso + 1))]
The formula components are as follows:
MACnon-iso = number of MAC addresses learned on all the non-isolated subscriber VLANs
MACiso = number of MAC addresses learned on all the isolated subscriber VLANs
MACnetwork = number of MAC addresses learned on the network VLAN
VLANnon-iso = number of non-isolated subscriber VLANs
VLANiso = number of isolated subscriber VLANs
Note
The formula above estimates the worst-case scenario for the maximum number of FDB
entries for a single PVLAN. If the switch supports additional PVLANs, apply the formula to
each PVLAN and add the totals for all PVLANs. If the switch also support standard VLANs,
there will also be FDB entries for the standard VLANs.
Layer 3 Communications
For PVLANs, the default switch configuration controls Layer 3 communications exactly as
communications are controlled in Layer 2.
For example, Layer 3 communications is enabled between ports in a non-isolated subscriber VLAN, and
disabled between ports in an isolated subscriber VLAN. Ports in a non-isolated subscriber VLAN cannot
communicate with ports in other non-isolated subscriber VLANs.
You can enable Layer 3 communications between all ports in a PVLAN. For more information, see
Managing Layer 3 Communications in a PVLAN on page 35.
PVLAN Limitations
The Private VLAN feature has the following limitations:

Layer 2 Basics

31

VLANs

Requires more FDB entries than a standard VLAN.

Within the same VR, VLAN tag duplication is not allowed.
Within the same VR, VLAN name duplication is not allowed.
Each MAC address learned in a PVLAN must be unique. A MAC address cannot exist in two or more
VLANs that belong to the same PVLAN.
MVR cannot be configured on PVLANs.
A VMAN cannot be added to a PVLAN.
A PBB network (BVLAN) cannot be added to a PVLAN.
EAPS control VLANs cannot be either subscriber or network VLANs.
EAPS can only be configured on network VLAN ports (and not on subscriber VLAN ports). To
support EAPS on the network VLAN, you must add all of the VLANs in the PVLAN to the EAPS ring.
STP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support
STP on the network VLAN, you must add all of the VLANs in the PVLAN to STP.
ESRP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To
support ESRP on the network VLAN, you must add all of the VLANs in the PVLAN to ESRP.
There is no NetLogin support to add ports as translate to the network VLAN, but the rest of
NetLogin and the PVLAN features do not conflict.
IGMP snooping is performed across the entire PVLAN, spanning all the subscriber VLANs, following
the PVLAN rules. For VLANs that are not part of a PVLAN, IGMP snooping operates as normal.
PVLAN and VPLS are not supported on the same VLAN.
When two switches are part of the same PVLAN, unicast and multicast traffic require a tagged trunk
between them that preserves tags (no tag translation).
Subscriber VLANs in a PVLAN cannot exchange multicast data with VLANs outside the PVLAN and
with other PVLANs. However, the network VLAN can exchange multicast data with VLANs outside
the PVLAN and with network VLANs in other PVLANs.
Note
A maximum of 80% of 4K VLANs can be added to a PVLAN. Adding more VLANS will display
the following log error:
<Erro:HAL.VLAN.Error>Slot-<slot>: Failed to add egress vlan translation
entry on port <port> due to Table full.

An additional limitation applies to BlackDiamond 8000 series modules and Summit family switches,
whether or not they are included in a SummitStack. If two or more member VLANs have overlapping
ports (where the same ports are assigned to both VLANs), each additional VLAN member with
overlapping ports must have a dedicated loopback port. To state it another way, one of the VLAN
members with overlapping ports does not require a dedicated loopback port, and the rest of the VLAN
members do require a single, dedicated loopback port within each member VLAN.
Note
There is a limit to the number of unique source MAC addresses on the network VLAN of a
PVLAN that the switch can manage. It is advised not to exceed the value shown in the item
FDB (maximum L2 entries) in the Supported Limits table of the ExtremeXOS Installation
and Release Notes.

Layer 2 Basics

32

VLANs

Configuring PVLANs
The following section describes how to configure a private VLAN.
Creating PVLANs
To create a VLAN, you need to do the following:
1 Create the PVLAN.
2 Add one VLAN to the PVLAN as a network VLAN.
3 Add VLANs to the PVLAN as subscriber VLANs.

To create a PVLAN, use the following command:

create private-vlan name {vr vr_name}

To add a network VLAN to the PVLAN, create and configure a tagged VLAN, and then use the
following command to add that network VLAN:
configure private-vlan name add network vlan_name

To add a subscriber VLAN to the PVLAN, create and configure a tagged VLAN, and then use the
following command to add that subscriber VLAN:
configure private-vlan name add subscriber vlan_name {non-isolated} {loopbackport port}

By default, this command adds an isolated subscriber VLAN. To create a non-isolated subscriber
VLAN, you must include the non-isolated option.
Configuring Network VLAN Ports for VLAN Translation
When subscriber VLAN traffic exits a network VLAN port, it can be untagged, tagged (with the
subscriber VLAN tag), or translated (to the network VLAN tag).
Note
All traffic that exits a subscriber VLAN port uses the subscriber VLAN tag, unless the port is
configured as untagged. There is no need to configure VLAN translation (from network to
subscriber VLAN tag) on subscriber VLAN ports.
1

To configure network VLAN ports for VLAN translation, use the following command and specify the
network VLAN and port numbers:
configure {vlan} vlan_name add ports port_list private-vlan translated

2 If you want to later reconfigure a port that is configured for VLAN translation so that it does not
translate tags, use the following command and specify either the tagged or the untagged option:
configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

Configuring Non-Isolated Subscriber VLAN Ports

The process for configuring non-isolated VLAN ports requires two tasks:

Add a VLAN to the PVLAN as a non-isolated subscriber VLAN.

Layer 2 Basics

33

VLANs

Assign ports to the non-isolated subscriber VLAN.

These tasks can be completed in any order, but they must both be completed before a port can
participate in a PVLAN. When configuration is complete, all egress traffic from the port is translated to
the VLAN tag for that non-isolated VLAN (unless the port is configured as untagged).
Note
To configure VLAN translation for network VLAN ports, see Configuring Network VLAN Ports
for VLAN Translation on page 33.

To add a non-isolated subscriber VLAN to the PVLAN, use the following command:
configure private-vlan name add subscriber vlan_name non-isolated

To add ports to a non-isolated VLAN (before or after it is added to the PVLAN), use the following
command:
configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

If you specify the tagged option, egress traffic uses the non-isolated VLAN tag, regardless of the
network translation configuration on any network port with which these ports communicate. Egress
traffic from a non-isolated VLAN port never carries the network VLAN tag.
Configuring Isolated Subscriber VLAN Ports
When a port is successfully added to an isolated VLAN, the port is isolated from other ports in the same
VLAN, and all egress traffic from the port is translated to the VLAN tag for that VLAN (unless the port
is configured as untagged).
Note
To configure VLAN translation for network VLAN ports, see Configuring Network VLAN Ports
for VLAN Translation on page 33.
The process for configuring ports for VLAN isolation requires two tasks:
Add a VLAN to the PVLAN as an isolated subscriber VLAN.
Assign ports to the isolated subscriber VLAN.
These tasks can be completed in any order, but they must both be completed before a port can
participate in an isolated VLAN.

To add an isolated subscriber VLAN to the PVLAN, use the following command:
configure private-vlan name add subscriber vlan_name

To add ports to an isolated VLAN (before or after it is added to the PVLAN), use the following
command:
configure {vlan} vlan_name add ports [port_list | all] {tagged | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

If you specify the tagged option, egress traffic uses the isolated VLAN tag, regardless of the network
translation configuration on any network port with which these ports communicate. Egress traffic from
an isolated VLAN port never carries the network VLAN tag.

Layer 2 Basics

34

VLANs

Configuring a PVLAN on Multiple Switches

To create a PVLAN that runs on multiple switches, you must configure the PVLAN on each switch and
set up a connection between the network VLANs on each switch. The ports at each end of the
connection must be configured as tagged ports that do not perform tag translation.
To configure these types of ports, use the following command:
configure {vlan} vlan_name add ports port_list tagged

Configuring a Network or Subscriber VLAN Extension to Another Switch

You can extend a network or subscriber VLAN to another switch without configuring a PVLAN on that
switch. This configuration is introduced in Extending Network and Subscriber VLANs to Other Switches
on page 29.

To configure the port on the switch that is outside of the PVLAN, use the following command:
configure {vlan} vlan_name add ports port_list tagged

Adding a Loopback Port to a Subscriber VLAN

BlackDiamond 8000 series modules and Summit family switches, whether or not included in a
SummitStack, require a loopback port for certain configurations. If two or more subscriber VLANs have
overlapping ports (where the same ports are assigned to both VLANs), each of the subscriber VLANs
with overlapping ports must have a dedicated loopback port.
The loopback port can be added when the subscriber VLAN is added to the PVLAN.
If you need to add a loopback port to an existing subscriber VLAN, use the following command:
configure {vlan} vlan_name vlan-translation add loopback-port port

Managing Layer 3 Communications in a PVLAN

The default configuration for Layer 3 PVLAN communications is described in Layer 3 Communications.
To enable Layer 3 communications between all ports in a PVLAN, use the following command:
configure iparp add proxy [ipNetmask | ip_addr {mask}] {vr vr_name} {mac | vrrp}
{always}

Specify the IP address or subnet specified for the network VLAN in the PVLAN. Use the always option
to ensure that the switch will reply to ARP requests, regardless of the VLAN from which it originated.
Delete PVLANs
To delete an existing PVLAN, use the command:
delete private-vlan name

Layer 2 Basics

35

VLANs

Remove a VLAN from a PVLAN

When you remove a VLAN from a PVLAN, you remove the association between a VLAN and the
PVLAN. Both the VLAN and PVLAN exist after the removal.
To remove a network or subscriber VLAN from a PVLAN, use the following command:
configure private-vlan name delete [network | subscriber] vlan_name

Deleting a Loopback Port from a Subscriber VLAN

To delete a loopback port from a subscriber VLAN, use the command:
configure {vlan} vlan_name vlan-translation delete loopback-port

Displaying PVLAN Information

This section describes how to display private VLAN information.
Displaying Information for all PVLANs
To display information on all the PVLANs configured on a switch, use the command:
show private-vlan

Displaying Information for a Specific PVLAN

To display information about a single PVLANs, use the command:
show {private-vlan} name

Displaying Information for a Network or Subscriber VLAN

To display information about a network or subscriber VLAN, use the command:
show vlan {virtual-router vr-name}

The following flags provide PVLAN specific information:

s flat Identifies a network VLAN port that the system added to a subscriber VLAN. All subscriber VLANs contain
network VLAN ports that are marked with the s flag.
L flag Identifies a subscriber VLAN port that is configured as a loopback port. Loopback ports are supported only
on BlackDiamond 8000 series modules and Summit family switches, whether or not included in a
SummitStack.
t flag Identifies a tagged network VLAN port on which tag translation is enabled. The t flag only appears in the
show vlan display for network VLANs.
e flag Identifies a network VLAN port that is configured as an endpoint. The e flag only appears in the show vlan
display for network VLANs.

Layer 2 Basics

36

VLANs

Displaying PVLAN FDB Entries

To view all FDB entries including those created for a PVLAN, use the command:
show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | macbased-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin
[all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} |
vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

The P flag marks additional FDB entries for PVLANs.

PVLAN Configuration Example 1

The following figure shows a PVLAN configuration example for a medical research lab.

Figure 12: PVLAN Configuration Example 1

The medical research lab hosts lots of visiting clients. Each client has their own room, and the lab wants
to grant them access to the internet through a local web proxy server but prevent them from accessing
other visiting clients. There is a lab in the building where many research workstations are located.
Workstations within the lab require access to other lab workstations, the internet, and file servers that
are connected to a switch in another building. Visiting clients should not have access to the Research
VLAN devices or the file servers on the remote switch.
The PVLAN in the following figure contains the following PVLAN components:
Network VLAN named Main, which provides internet access through the proxy web server and
access to file servers on the remote switch.

Layer 2 Basics

37

VLANs

Isolated subscriber VLAN named ClientConnections, which provides internet access for visiting
clients and isolation from other visiting clients, the Research VLAN devices, and the remote file
servers.
Non-isolated subscriber VLAN named Research, which provides internet access and enables
communications between Research VLAN devices and the remote file servers.
The first configuration step is to create and configure the VLANs on the local switch:
create vlan Main
configure vlan Main add port 1:*
configure vlan Main tag 100
create vlan ClientConnections
configure vlan ClientConnections add port 2:*
configure vlan ClientConnections tag 200
create vlan Research
configure vlan Research add port 3:*
configure vlan Research tag 300

2 The remote switch VLAN is configured as follows:

create vlan Main
configure vlan Main add port 1:*
configure vlan Main tag 100

3 The next step is to create the PVLAN on the local switch and configure each of the component
VLANs for the proper role:
create private-vlan MedPrivate
configure private-vlan "MedPrivate" add network "Main"
configure private-vlan "MedPrivate" add subscriber "ClientConnections"
configure private-vlan "MedPrivate" add subscriber "Research" non-isolated

4 The final step is to configure VLAN translation on the local switch so that Research VLAN
workstations can connect to the file servers on the remote switch:
configure Main add ports 1:1 private-vlan translated

5 To view the completed configuration, enter the show private-vlan command as follows:
show private-vlan
------------------------------------------------------------------------------------Name
VID Protocol Addr
Flags
Proto
Ports Virtual
Active router
/Total
------------------------------------------------------------------------------------MedPrivate
VR-Default
Network VLAN:
-main
100 ------------------------------------ANY
2 /48
VR-Default
Non-Isolated Subscriber VLAN:

Layer 2 Basics

38

VLANs

-Research
300 ------------------------------------VR-Default
Isolated Subscriber VLAN:
-ClientConnections 200 --------------------------------VR-Default

ANY

2 /96

ANY

2 /52

PVLAN Configuration Example 2

The following figure shows a PVLAN configuration example for a motel.

Figure 13: PVLAN Configuration Example 2

The motel example in the following figure has guest rooms, a conference room, and their web proxy
server on the first floor, and guest rooms on the second floor. The motel has three Summit switches.

Layer 2 Basics

39

VLANs

There is one on the first floor in a closet, one on the first floor in the conference room, and one on the
second floor.
The PVLAN in the following figure contains the following PVLAN components:
A VLAN called Main that contains the web proxy server.
A VLAN called ConfRoom that contains the ports for the conference room connections.
A VLAN called ClientConnections that contains client PC connections for the guest rooms.
The goals for the motel network are as follows:
Provide internet access for the ConfRoom and ClientConnections VLANs through the web proxy
server.
Prevent communications between the ConfRoom and ClientConnections VLANs.
Enable communications between clients on the ClientConnections VLAN only within the conference
room.
Enable communications between devices on the ConfRoom VLAN.
Prevent communications between the PCs in the ClientConnections VLAN that are not in the
conference room.
Notice the following in the above figure:
The Summit switches in the first floor closet and on the second floor contain the Main VLAN with a
tag of 100. This VLAN is connected via a tagged port between the first and second floor switches.
The Summit in the conference room does not contain the Main VLAN and cannot be a PVLAN
member.
All of the switches have the ClientConnections VLAN, and it uses VLAN tag 200.
All of the switches have the ConfRoom VLAN, and it uses VLAN tag 300.
The Conference Room Summit connects to the rest of the network through a tagged connection to
the Summit in the first floor closet.
Because
the Summit in the first floor closet is a PVLAN member and uses the same port to support

two subscriber VLANs, a loopback port is required in all subscriber VLANs, except the first
configured subscriber VLAN (this applies to all BlackDiamond 8800 series switches and Summit
family switches).
Note
The following examples contain comments that follow the CLI comment character (#). All
text that follows this character is ignored by the switch and can be omitted from the
switch configuration.
The following commands configure the Summit in the first floor closet:
# Create and configure the VLANs.
create vlan Main
configure vlan Main add port 1
configure vlan Main tag 100
configure vlan Main add port 2 tagged
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-19
configure vlan ClientConnections add port 20 tagged
create vlan ConfRoom

Layer 2 Basics

40

VLANs

configure vlan ConfRoom tag 300

configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tagged
# Create and configure the PVLAN named Motel.
create private-vlan Motel
configure private-vlan Motel add network Main
configure private-vlan Motel add subscriber ClientConnections # isolated
subscriber VLAN
configure private-vlan "Motel" add subscriber "ConfRoom" non-isolated
loopback-port 30
configure private-vlan Motel add subscriber ConfRoom non-isolated
# If you omit the loopback-port command, the above command produces the
following error message:
# Cannot add subscriber because another subscriber vlan is already present on
the same port, assign a loopback port when adding the subscriber vlan to the
private vlan
# show vlan "ConfRoom"
VLAN Interface with name ConfRoom created by user
Admin State:
Enabled
Tagging:
802.1Q Tag 300
Virtual router: VR-Default
IPv6:
None
STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Egress Rate Limit Designated Port: None configured
Private-VLAN Name:
Motel
VLAN Type in Private-VLAN:
Non-Isolated Subscriber
Ports:
13.
(Number of active ports=1)
Untag:
21,
22,
23,
24,
25,
26,
27,
28,
29
Tag:
1s,
2s,
20,
*30L
Flags:
(*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
# Note that the loopback port is flagged with an "L" and listed as a tagged
port, and the network VLAN ports are flagged with an "s" and listed as tagged
ports.

The following commands configure the Summit on the second floor:

# create and configure the VLANs
create vlan Main
configure vlan Main tag 100
configure vlan Main add port 2 tagged
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-20
create vlan ConfRoom

Layer 2 Basics

41

VLANs

configure vlan ConfRoom tag 300

# Create and configure the PVLAN
create private-vlan Motel
configure private-vlan Motel add
configure private-vlan Motel add
subscriber VLAN
configure private-vlan Motel add

named Motel.
network Main
subscriber ClientConnections # isolated
subscriber ConfRoom non-isolated

The following commands configure the Summit in the conference room:

# create and configure the VLANs
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 1-19
configure vlan ClientConnections add port 20 tag
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tag
# The VLANs operate as extensions of the VLANs on the Summit in the first
floor closet. There is no PVLAN configuration on this switch.

VLAN Translation
The VLAN translation feature described in this section provides the same VLAN translation functionality
that is provided for PVLANs. This is described in VLAN Translation in a PVLAN on page 24.
The difference is that this feature is configured with different commands that are compatible with
ExtremeWare.
Note
The VLAN translation feature described in this section is provided for those who are already
familiar with the ExtremeWare VLAN translation commands. If you have not used this feature
in ExtremeWare and do not use any scripts that use the ExtremeWare commands, we
suggest that you use the Private VLAN feature described in Private VLANs on page 24, as it
provides the same functionality with additional features.
The VLAN translation feature is supported only on the platforms listed for this feature in the
license tables in Feature License Requirements
The following figure shows how VLAN translation is configured in the switch.

Layer 2 Basics

42

VLANs

Figure 14: VLAN Translation Switch Configuration

In the above figure, VLAN1 is configured as a translation VLAN . The translation VLAN is equivalent to
the network VLAN in the PVLAN implementation of VLAN translation.
VLANs 101, 102, and 103 are configured as member VLANs of translation VLAN1. The member VLANs
are equivalent to the non-isolated subscriber VLANs in the PVLAN implementation of VLAN translation.
This configuration enables tag translation between the translation VLAN and the member VLANs. All
member VLANs can communicate through the translation VLAN, but they cannot communicate
through Layer 2 with each other.

VLAN Translation Behavior

You should be aware of the behavior of unicast, broadcast, and multicast traffic when using VLAN
translation.
Unicast Traffic
Traffic on the member VLANs can be either tagged or untagged.
Traffic is switched locally between client devices on the same member VLAN as normal. Traffic cannot
be switched between clients on separate member VLANs. Traffic from any member VLAN destined for
the translation VLAN is switched and the VLAN tag is translated appropriately. Traffic from the
translation VLAN destined for any member VLAN is switched and the VLAN tag is translated.
Broadcast Behavior
Broadcast traffic generated on a member VLAN is replicated in every other active port of that VLAN as
normal.

Layer 2 Basics

43

VLANs

In addition, the member VLAN traffic is replicated to every active port in the translation VLAN and the
VLAN tag is translated appropriately. Broadcast traffic generated on the translation VLAN is replicated
to every other active port in this VLAN as usual. The caveat in this scenario is that this traffic is also
replicated to every active port in every member VLAN, with VLAN tag translation. In effect, the
broadcast traffic from the translation VLAN leaks onto all member VLANs.
Multicast Behavior
IGMP snooping can be enabled on member and translation VLANs so that multicast traffic can be
monitored within the network.
IGMP snooping software examines all IGMP control traffic that enters the switch. IGMP control traffic
received on a VLAN translation port is forwarded by the CPU to all other ports in the translation group.
Software VLAN translation is performed on the packets which cross the translation boundary between
member and translation VLANs. The snooping software detects ports joining and leaving multicast
streams. When a VLAN translation port joins a multicast group, an FDB entry is installed only on
receiving a data miss for that group. The FDB entry is added for the requested multicast address and
contains a multicast PTAG. When a VLAN translation port leaves a multicast group, the port is removed
from the multicast list. The last VLAN translation port to leave a multicast group causes the multicast
FDB entry to be removed.

VLAN Translation Limitations

The VLAN translation feature has the following limitations:

Requires more FDB entries than a standard VLAN.

Within the same VR, VLAN tag duplication is not allowed.
Within the same VR, VLAN name duplication is not allowed.
Each MAC address learned in the translation and member VLANs must be unique. A MAC address
cannot exist in two or more VLANs that belong to the same VLAN translation domain.
MVR cannot be configured on translation and member VLANs.
A VMAN cannot be added to translation and member VLANs.
A PBB network (BVLAN) cannot be added to translation and member VLANs.
EAPS control VLANs cannot be either translation or member VLANs.
EAPS can only be configured on translation VLAN ports (and not on member VLAN ports). To
support EAPS on the network VLAN, you must add all of the translation and member VLANs to the
EAPS ring.
STP can only be configured on translation VLAN ports (and not on member VLAN ports). To
support STP on the translation VLAN, you must add the translation VLAN and all of the member
VLANs to STP.
ESRP can only be configured on translation VLAN ports (and not on member VLAN ports). To
support ESRP on the network VLAN, you must add the translation VLAN and all of the member
VLANs to ESRP.
There is no NetLogin support to add ports as translate to the translation VLAN, but the rest of
NetLogin and the PVLAN feature do not conflict.

Layer 2 Basics

44

VLANs

IGMP snooping is performed across the entire VLAN translation domain, spanning all the member
VLANs. For VLANs that are not part of a VLAN translation domain, IGMP snooping operates as
normal.
VLAN translation and VPLS are not supported on the same VLAN.
Member VLANs in a VLAN translation domain cannot exchange multicast data with VLANs outside
the VLAN translation domain. However, the translation VLAN can exchange multicast data with
VLANs outside the VLAN translation domain and with translation VLANs in other VLAN translation
domains.

Interfaces
Use the following information for selecting and configuring VLAN translation interfaces:

A single physical port can be added to multiple member VLANs, using different VLAN tags.
Member VLANs and translation VLANs can include both tagged and untagged ports.

Configuring Translation VLANs

To create a translation VLAN, do the following:
1 Create the VLAN that will become the translation VLAN.
2 Add a tag and ports to the prospective translation VLAN.
3 Add member VLANs to the prospective translation VLAN.
A prospective translation VLAN becomes a translation VLAN when the first member VLAN is added to
it.

To add a member VLAN to a translation VLAN, use the following command:

configure {vlan} vlan_name vlan-translation add member-vlan member_vlan_name
{loopback-port port}

To delete a member VLAN from a translation VLAN, use the following command:
configure {vlan} vlan_name vlan-translation delete member-vlan
[member_vlan_name | all]

To view the translation VLAN participation status of a VLAN, use the following command:
show vlan {virtual-router vr-name}

Displaying Translation VLAN Information

This section describes how to display translation VLAN information.
Displaying Information for a Translation or Member VLAN
To display information about a translation or member VLAN, use the command:
show vlan {virtual-router vr-name}

Layer 2 Basics

45

VLANs

Displaying Translation VLAN FDB Entries

To view all FDB entries including those created for a translation VLAN, use the command:
show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | macbased-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin
[all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} |
vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

The T flag marks additional FDB entries for translation VLANs.

VLAN Translation Configuration Examples

The following configuration examples show VLAN translation used in three scenarios:

Basic VLAN Translation on page 46

VLAN Translation with ESRP Redundancy on page 47
VLAN Translation with STP Redundancy on page 49

Basic VLAN Translation

The example in the following figure configures a basic VLAN translation network. This network provides
VLAN translation between four member VLANs and a single translation VLAN.

Figure 15: VLAN Translation Configuration Example

The following configuration commands create the member VLANs:
create vlan v101
configure v101 tag
configure v101 add
create vlan v102
configure v102 tag
configure v102 add
create vlan v103
configure v103 tag
configure v103 add
create vlan v104
configure v104 tag
configure v104 add

Layer 2 Basics

101
ports 1:1 tagged
102
ports 1:1 tagged
103
ports 1:2 tagged
104
ports 1:2 tagged

46

VLANs

The following configuration commands create the translation VLAN and enable VLAN translation:
create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add

member-vlan
member-vlan
member-vlan
member-vlan

v101
v102
v103
v104

The following configuration commands create the translation VLAN and enable VLAN translation on
BlackDiamond X8, BlackDiamond 8000 series modules, and Summit X440, X460, X480, X670, and
X770 series switches:
create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add

member-vlan
member-vlan
member-vlan
member-vlan

v101
v102 loopback-port 1:23
v103
v104 loopback-port 1:24

VLAN Translation with ESRP Redundancy

The example in the following figure configures a VLAN translation network with ESRP redundancy.
The SW2 and SW3 VLAN translation switches are protected by an ESRP control VLAN. The master
ESRP switch performs the translation and provides the connectivity to the backbone. If a failure occurs,
the slave ESRP switch takes over and begins performing the translation.

Figure 16: ESRP Redundancy Configuration Example

Layer 2 Basics

47

VLANs

The following configuration commands create the member VLANs on SW1:

create vlan v101
configure v101 tag
configure v101 add
configure v101 add
configure v101 add
create vlan v102
configure v102 tag
configure v102 add
configure v102 add
configure v102 add
create vlan v103
configure v103 tag
configure v103 add
configure v103 add
configure v103 add
create vlan v104
configure v104 tag
configure v104 add
configure v104 add
configure v104 add

101
ports 1:1 tagged
ports 1:3 tagged
ports 1:4 tagged
102
ports 1:1 tagged
ports 1:3 tagged
ports 1:4 tagged
103
ports 1:2 tagged
ports 1:3 tagged
ports 1:4 tagged
104
ports 1:2 tagged
ports 1:3 tagged
ports 1:4 tagged

The configuration for SW2 and SW3 is identical for this example.
The following configuration commands create the member VLANs on SW2:
create vlan v101
configure v101 tag
configure v101 add
create vlan v102
configure v102 tag
configure v102 add
create vlan v103
configure v103 tag
configure v103 add
create vlan v104
configure v104 tag
configure v104 add

101
ports 1:3 tagged
102
ports 1:3 tagged
103
ports 1:3 tagged
104
ports 1:3 tagged

This set of configuration commands creates the translation VLANs and enables VLAN translation on
SW2:
create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add

Layer 2 Basics

member-vlan
member-vlan
member-vlan
member-vlan

v101
v102
v103
v104

48

VLANs

The final set of configuration commands creates the ESRP control VLAN and enables ESRP protection
on the translation VLAN for SW2:
create vlan evlan
configure evlan add ports 2:2
enable esrp evlan
configure evlan add domain-member v1000

The following configuration commands create the translation VLAN and enable VLAN translation
onVLANs that have overlapping ports:
configure v1000 vlan-translation add member-vlan v102 loopback-port 1:22
configure v1000 vlan-translation add member-vlan v103 loopback-port 1:23
configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24

VLAN Translation with STP Redundancy

The example in the following figure configures a VLAN translation network with redundant paths
protected by STP.
Parallel paths exist from the member VLAN portion of the network to the translation switch. STP
ensures that the main path for this traffic is active and the secondary path is blocked. If a failure occurs
in the main path, the secondary paths are enabled.

Figure 17: STP Redundancy Configuration Example

Layer 2 Basics

49

VLANs

The following configuration commands create the member VLANs and enable STP on SW1:
create vlan v101
configure v101 tag
configure v101 add
configure v101 add
configure v101 add
create vlan v102
configure v102 tag
configure v102 add
configure v102 add
configure v102 add
create vlan v103
configure v103 tag
configure v103 add
configure v103 add
create vlan v104
configure v104 tag
configure v104 add
configure v104 add
create stpd stp1
configure stp1 tag
configure stp1 add
configure stp1 add
configure stp1 add
configure stp1 add
enable stpd stp1

101
ports 1:1 tagged
ports 1:3 tagged
ports 1:4 tagged
102
ports 1:2 tagged
ports 1:3 tagged
ports 1:4 tagged
103
ports 1:3 tagged
ports 1:4 tagged
104
ports 1:3 tagged
ports 1:4 tagged
101
vlan
vlan
vlan
vlan

v101
v102
v103
v104

These configuration commands create the member VLANs and enable STP on SW2:
create vlan v103
configure v103 tag
configure v103 add
configure v103 add
configure v103 add
create vlan v104
configure v104 tag
configure v104 add
configure v104 add
configure v104 add
create vlan v101
configure v101 tag
configure v101 add
configure v101 add
create vlan v102
configure v102 tag
configure v102 add
configure v102 add
create stpd stp1
configure stp1 tag
configure stp1 add
configure stp1 add
configure stp1 add
configure stp1 add
enable stpd stp1

Layer 2 Basics

103
ports 1:1 tagged
ports 1:3 tagged
ports 1:4 tagged
104
ports 1:2 tagged
ports 1:3 tagged
ports 1:4 tagged
101
ports 1:3 tagged
ports 1:4 tagged
102
ports 1:3 tagged
ports 1:4 tagged
101
vlan
vlan
vlan
vlan

v101
v102
v103
v104

50

VLANs

This set of configuration commands creates the member VLANs and enables STP on SW3:
create vlan v101
configure v101 tag
configure v101 add
configure v101 add
create vlan v102
configure v102 tag
configure v102 add
configure v102 add
create vlan v103
configure v103 tag
configure v103 add
configure v103 add
create vlan v104
configure v104 tag
configure v104 add
configure v104 add
create stpd stp1
configure stp1 tag
configure stp1 add
configure stp1 add
configure stp1 add
configure stp1 add
enable stpd stp1

101
ports 1:3 tagged
ports 1:4 tagged
102
ports 1:3 tagged
ports 1:4 tagged
103
ports 1:3 tagged
ports 1:4 tagged
104
ports 1:3 tagged
ports 1:4 tagged
101
vlan
vlan
vlan
vlan

v101
v102
v103
v104

The final set of configuration commands creates the translation VLAN and enables VLAN translation on
SW3:
create vlan v1000
configure v1000 tag 1000
configure v1000 add ports 2:1 tagged
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add
configure v1000 vlan-translation add

member-vlan
member-vlan
member-vlan
member-vlan

v101
v102
v103
v104

The following configuration commands create the translation VLAN and enable VLAN translation on
VLANs that have overlapping ports:
configure v1000 vlan-translation add member-vlan v102 loopback-port 1:22
configure v1000 vlan-translation add member-vlan v103 loopback-port 1:23
configure v1000 vlan-translation add member-vlan v104 loopback-port 1:24

Port-Specific VLAN Tag

The Port-specific VLAN feature adds a layer of specificity between the port tag and the VLAN/VMAN
tag: a port-specific VLAN tag. This feature adds the following functionality to the existing VLAN:

Layer 2 Basics

51

VLANs

Ability to associate a tag to a VLAN port. This tag is used as a filter to accept frames with matching
VID. It is also used as the tag of the outgoing frames.
Ability to add multiple VLAN ports on the same physical port as long as those VLAN ports are
associated with different tags.
Allows the existing untagged and tagged VLAN ports to be part of the VLAN.
Ability to learn MAC address on port, tag and VLAN instead of only on the port.As a consequence of
the previous point, ability to add static MAC address to port, tag and VLAN.
Ability to specify limit-learning and MAC lockdown on a port, tag and VLAN, instead of only on the
port.
Rate limiting and counting of frames with matching VIDs is supported with the existing ACL.

The Port-specific VLAN tag allows tagged VLAN ports to be configured with tag values. When the tag
is not configured, it is implicit that the tag of the tagged port is the tag of the VLAN. We call the tag of
the port the "port tag", and the tag of the VLAN the "base tag". The port tag is used to determine the
eligibility of the frames allowed to be part of the VLAN. Once the frame is admitted to the VLAN port,
the base tag is used. From a functional standpoint, the frame tag is rewritten to the base tag.
The base tag then is translated to the port tag for the outgoing frame.
Note
The port tag is equal to the base tag when the port tag is not specified, so the current VLAN
behavior is preserved.
Untagged VLAN ports also have port tag, which is always the same as the base tag. Outgoing frames
are untagged. The untagged VLAN port always has an implicit port tag thats's always equal to the base
tag. There can be only one untagged VLAN port on a physical port. It receives untagged frames, and
tagged frames, and transmits only untagged frames.
A tagged VLAN port can have a port tag configured, or not. When not configured, the port tag is equal
to the base tag. There can be more than one tagged VLAN port on a physical port. It receives tagged
frames with tag equals to the port tag, and transmits tagged frames with port tag.
When the VLAN is assigned to L2VPN, the base tag is the tag that is carried by the pseudo-wire when
the dot1q include is enabled. It can be viewed that VPLS PW port tag is equal to the base tag. To assign
a VLAN with a port-specific tag to an L2VPN, use the existing configure vpls vpls_name add
service vlan vlan_name command.
Since every tagged VLAN port has different VIDs, forwarding between them on the same physical port
(hairpin switching) is possible. From the external traffic point of view, the frame tags are rewritten from
the receive port tag to the transmit port tag. Since each port tag is a different VLAN port, a frame that
has to be broadcasted to multiple VLAN ports is sent out multiple times with different tags when the
VLAN ports are on the same physical port. Each port + port tag is an individual VLAN port.
MAC addresses are learned on the VLAN port. This means that the port in the FDB entry is the port +
port tag. A unicast frame destined to a MAC address that is in the FDB is sent out of the associated
VLAN port. As mentioned earlier, there is only one MAC addressed learned on the VLAN. If the MAC
address is learned on a different port or a different tag, it is a MAC move. It is transmitted out of the
physical port only on the associated VLAN port tagged with the port tag when the VLAN port is
tagged.

Layer 2 Basics

52

VLANs

When there are multiple tagged VLAN ports on the transmit port, only one frame with the right tag is
transmitted. It is transmitted untagged on an untagged VLAN port. Accordingly, the static MAC
address is configured on a VLAN port. This means that the port tag is specified when the tag is not
equal to the base tag. The command to flush FDB does not need to change. But, a VLAN port-specific
flush needs to be implemented to handle the case when a VLAN port is deleted. This flush is internal
and not available through the CLI.
Per VLAN port (port + tag) rate limiting and accounting is achieve by the existing ACL. Use match
condition vlan-id to match the port VID. You can use action count and byte-count for
accounting. And you can use show access-list counter to view the counters. Action meter can
be used for rate limiting. To create a meter, use the create meter command, and configure the
committed rate and maximum burst size.

Port-Specific Tags in L2VPN

You can assign a VLAN with port specific tag to VPLS/VPWS using the configure vpls vsi add
service vlan vl command. Because this is a single VLAN, the base VID is used when dot1q include
is enable. For example, when VLAN 100 that has ports on Ethernet port 1 with port tag 10 and 11 is
assigned to L2VPN, the tag that is carried by the pseudo wire is 100. The configuration for this example
is as follows:
create
config
config
config

vlan
vlan
vlan
vpls

exchange
exchange
exchange
vsi1 add

tag 100
add ports 1 tagged 10
add ports 1 tagged 11
service vlan exchange

Similarly, the following is an example for VPWS. There can only be a single VLAN port in the VLAN for
assignment to VPWS to be successful:
create vlan exchange tag 100
config vlan exchange add ports 1 tagged 10
config l2vpn vpws pw1 add service vlan exchange

VLAN Port State

VLAN port state is the same as the state of the Ethernet port.
ACLs
You can use the existing match vlan-id ACL to accomplish counting and metering. You can assign the
ACL to both ingress and egress port. The followings are the examples of such configuration. The port 3
tag is 4 and the port 4 tag is 5. These ACLs will match the frame vlan-ID, and the vlan-ID specified in
the match criteria is independent of the port tag.
Content of acl.pol
entry tag_1 {
if {
vlan-id 4;
} then {
packet-count tag_1_num_frames;
meter tag_1_meter;
}
}

Layer 2 Basics

53

VLANs

entry tag_2 {
if {
vlan-id 5;
} then {
byte-count tag_2_num_bytes;
meter tag_2_meter;
}
}
Content of acl_egress.pol
entry tag_1_egr {
if {
vlan-id 4;
} then {
packet-count tag_1_egr_num_frames;
meter tag_1_egr_meter;
}
}
entry tag_2_egr {
if {
vlan-id 5;
} then {
byte-count tag_2_egr_num_bytes;
meter tag_2_egr_meter;
}
}

Configuring Port-Specific VLAN Tags

The following specific commands are modified by the port-specific VLAN tag:
clear fdb: Only clears on physical port or VLAN, not on a vlan port.

delete fdbentry: All or specific MAC address, or specific MAC address on a VLAN.
enable/disable flooding ports: Only on physical port (applies to all VLAN ports).
enable/disable learning: Only on physical port (applies to all VLAN ports on the same
physical port), or on a VLAN (applies to all VLAN ports of the VLAN).
show fdb stats: Only on physical port or VLAN, not on a VLAN port.

Use the following commands to configure Port-specific VLAN tags:

To configure the port-specific tag, use the configure ports port_list {tagged tag}vlan
vlan_name [limit-learning number {action [blackhole | stop-learning]} | locklearning | unlimited-learning | unlocklearning] command.

To specify the port tag when you need to put multiple vlans into a broadcast domain, use the
configure {vlan} vlan_name addports [port_list | all] {tagged{tag} | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}} command.

To specify a port tag to delete a VLAN port that has a different tag from the VLAN tag, use the
configure {vlan} vlan_name deleteports [all | port_list {tagged tag}] command.

To display output of a vlan that has a port-specific tag, use the show vlan command.
To display port info that has port-specific tag statistics, use the show port info detail
command.

Layer 2 Basics

54

VLANs

To adds a permanent, static entry to the FDB, use the create fdbentry mac_addr vlan
vlan_name [ports port_list {tagged tag} | blackhole] command.

To show output where the port tag is displayed, use the show fdb command.

Layer 2 Basics

55

2 VMAN (PBN)
VMAN Overview
PBBNs
VMAN Configuration Options and Features
Configuration
Displaying Information
Configuration Examples
The virtual metropolitan area network (VMAN) feature allows you to scale a Layer 2 network and avoid
some of the management and bandwidth overhead required by Layer 3 networks.
Note
If a failover from MSM A to MSM B occurs, VMAN operation is not interrupted. The system has
hitless failovernetwork traffic is not interrupted during a failover.

VMAN Overview
The VMAN feature is defined by the IEEE 802.1ad standard, which is an amendment to the IEEE 802.1Q
VLAN standard.
A VMAN is a virtual Metropolitan Area Network (MAN) that operates over a physical MAN or Provider
Bridged Network (PBN). This feature allows a service provider to create VMAN instances within a MAN
or PBN to support individual customers. Each VMAN supports tagged and untagged VLAN traffic for a
customer, and this traffic is kept private from other customers that use VMANs on the same PBN.
The PBN uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. The
VMAN technology is sometimes referred to as VLAN stacking or Q-in-Q.
Note
VMAN is an Extreme Networks term that became familiar to Extreme Networks customers
before the 802.1ad standard was complete. The VMAN term is used in the ExtremeXOS
software and also in this book to support customers who are familiar with this term. The PBN
term is also used in this guide to establish the relationship between this industry standard
technology and the Extreme Networks VMAN feature.
The following figure shows a VMAN, which spans the switches in a PBN.

Layer 2 Basics

56

VMAN (PBN)

Figure 18: VMAN

The entry points to the VMAN are the access ports on the VMAN edge switches. Customer VLAN
(CVLAN) traffic that is addressed to locations at other VMAN access ports enters the ingress access
port, is switched through the VMAN, and exits the egress access port. If you do not configure any frame
manipulation options, the CVLAN frames that exit the VMAN are identical to the frames that entered
the VMAN.
VMAN access ports operate in the following roles:
Customer Network Port (CNP)
Customer Edge Port (CEP, which is also known as Selective Q-in-Q)
The CEP role, which is configured in software as a cep vman port, connects a VMAN to specific CVLANs
based on the CVLAN CVID. The CNP role, which is configured as an untagged vman port, connects a
VMAN to all other port traffic that is not already mapped to the port CEP role. These roles are
described later.
All other VMAN ports (except the access ports) operate as VMAN network ports, which are also known
as Provider Network Ports (PNPs) in the 802.1ad standard. The VMAN network ports connect the PBs
that form the core of the VMAN. During configuration, the VMAN network ports are configured as
tagged VMAN ports.
The following figure shows one VMAN, but a PBN can support multiple VMAN instances, which are
sometimes called VMANs or Service VLANs (SVLANs). VMANs allow you to partition the PBN for
customers in the same way that VLANs allow you to partition a Layer 2 network. For example, you can
use different VMANs to support different customers on the PBN, and the PBN delivers customer traffic
only to the PBN ports that are configured for appropriate VMAN.
A VMAN supports two tags in each Ethernet frame, instead of the single tag supported by a VLAN
Ethernet frame. The inner tag is referred to as the customer tag (C-tag), and this optional tag is based
on the CVLAN tag if the source VLAN is a tagged VLAN. The outer tag is referred to as the service tag
(S-tag) or VMAN tag or SVLAN tag, and it is the tag that defines to which SVLAN a frame belongs. The
following figure shows the frame manipulation that occurs at the VMAN edge switch.

Layer 2 Basics

57

VMAN (PBN)

Figure 19: Tag Usage at the VMAN Access Switch

In the above figure, the switch accepts CVLAN frames on VMAN access ports 1:1 and 1:2. The switch
then adds the S-tag to the frames and switches the frames to network ports 2:1 and 2:2. When the
802.1ad frames reach the PB egress port, the egress switch removes the S-tag, and the CVLAN traffic
exits the egress access port in its original form.
When the switch in the figure above acts as the egress switch for a VMAN, VMAN frames arrive on
network ports 2:1 and 2:2. The switch accepts only those frames with the correct S-tag, removes the Stags, and switches those frames to access ports 1:1 and 1:2. Unless special configuration options are
applied, the egress frames are identical to ingress CVLAN frames. (Configuration options are described
in VMAN Configuration Options and Features on page 64.)
The following figure shows that the S-tags and C-tags used in VMAN frames contain more than just
customer and service VLAN IDs.

Figure 20: S-tag and C-tag Components

Each S-tag and C-tag contains an ethertype, a Class of Service (CoS), and a SVLAN ID (SVID) or CVLAN
ID (CVID). The ethertype is described in Secondary Ethertype Support on page 65, and the CoS is
described in QoS Support on page 66.
The SVID is the VLAN tag you assign to a VMAN when you create it (see the configure vman
vman_name tag tag command. The CVID represents the CVLAN tag for tagged VLAN traffic.
Switch ports support VMAN roles and features, which are described in the following sections:

Layer 2 Basics

58

VMAN (PBN)

Customer Network Ports

Customer Edge Ports
CVID Translation
CVID Egress Filtering

Customer Network Ports

Customer Network Ports (CNPs) are edge switch ports that accept all tagged and untagged CVLAN
traffic and route it over a single VMAN. A CNP is simpler to configure than a CEP, because it supports
one VMAN on a physical port and requires no configuration of CVIDs. The VMAN service provider does
not need to know anything about the CVLAN traffic in the VMAN. The service provider simply manages
the VMAN, and the ingress CVLAN traffic is managed by the customer or another service provider. This
separation of CVLAN and VMAN management reduces the dependence of the separate management
teams on each other, and allows both management teams to make changes independent of the other.
Note
The CNP term is defined in the IEEE 802.1ad standard and is also called a port-based service
interface. The CNP operation is similar to a MEF 13 UNI Type 1.2, and in releases before
ExtremeXOS 12.6, CNPs were known as VMAN access ports or untagged vman ports. With
the addition of CEPs, the term VMAN access port is now a generic term that refers to CNPs
and CEPs.
A PBN can support up to 4094 VMANs, and each VMAN can support up to 4094 CVLANs. Because
each CNP connects to only one VMAN, the maximum number of customer VMANs on an edge switch is
equal to the total number of switch ports minus one, because at least one port is required to serve as
the PNP (Provider Network Port).

Customer Edge Ports

Each CEP supports the configuration of connections or mappings between individual CVLANs and
multiple VMANs.
This provides the following benefits:
Each physical port supports multiple customers (each connecting to a separate VMAN).
Each switch supports many more customer VMANs using CEPs instead of CNPs.
To define the connections between CVLANs and SVLANs, each CEP uses a dedicated CVID map, which
defines the supported CVIDs on the CEP and the destination VMAN for each CVID. For example, you
can configure a CEP to forward traffic from five specific CVLANs to VMAN A and from ten other
specific CVLANs to VMAN B. During VMAN configuration, certain ports are added to the VMAN as
CEPs, and certain CVIDs on those ports are mapped to the VMAN. To enable customer use of a VMAN,

Layer 2 Basics

59

VMAN (PBN)

service providers must communicate the enabled CVIDs to their customers. The customers must use
those CVIDs to access the VMAN.
Note
The CEP term is defined in the IEEE 802.1ad standard and is also called a C-tagged service
interface. The CEP operation is similar to a MEF 13 UNI Type 1.1.

CVID Translation
To support CVLANs that are identified by different CVIDs on different CEPs, some switches support a
feature called CVID translation, which translates the CVID received at the VMAN ingress to a different
CVID for egress from the VMAN (see the following figure).

Figure 21: CVID Translation

You can use a CLI command to configure CVID translation for a single CVID or for a range of CVIDs, and
you can enter multiple commands to define multiple CVIDs and ranges for translation. The commands
can be applied to a single port or a list of ports, and after configuration, the configuration applied to a
port is retained by that port.
Note
CVID translation is available only on the platforms listed for this feature in the Feature License
Requirements document.
CVID translation can reduce the number of CVIDs that can be mapped to VMANs.

CVID Egress Filtering

CVID egress filtering permits the egress from VMAN to CEP of only those frames that contain a CVID
that has been mapped to the source VMAN; all other frames are blocked. For example, Customer Edge
Port A in the following figure is configured to support CVIDs 10-29, and Customer Edge Port B is
configured to support CVIDs 10-19. If CVID egress filtering is enabled on Customer Edge Port B, frames
with CVIDs 20-29 will not be forwarded at the egress of Customer Edge Port B.

Layer 2 Basics

60

VMAN (PBN)

Figure 22: CVID Egress Filtering

You can enable CVID egress filtering for a single CEP or for all CEPs with a CLI command. You can also
repeat the command to enable this feature on multiple CEPs.
Note
CVID egress filtering is available only on the platforms listed for this feature in Feature
License Requirements.
When this feature is enabled, it reduces the maximum number of CVIDs that can be mapped to VMANs.
The control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded
through software, CVID egress filtering is always enabled.

PBBNs
A Provider Backbone Bridge Network (PBBN) enables VMAN (PBN, 802.1ad frames) and customer
VLAN (802.1Q frames) transport over a backbone network such as the internet.
Note
This feature is supported only on the platforms listed for this feature in the license and
feature pack tables in Feature License Requirements.
One application of a PBBN allows an Internet Service Provider (ISP) to create a backbone network over
the internet to support Layer 2 traffic from service providers (SPs). Each service provider buys a PBN
(VMAN) from the ISP and sells VLAN access to customers. The ISP configures the PBBN, each SP
configures their PBN, and each customer configures their VLAN. The PBBN, PBNs, and VLANs are all
isolated. All parties (ISP, SP, and customer) can establish their networks and services with minimal
support from the other parties, and all parties can make most configuration changes independently of
the others.
PBBNs are defined by the IEEE 802.1ah Backbone Bridge standard, which is an amendment to the IEEE
802.1Q VLAN standard. The PBBN technology is sometimes referred to as MAC-in-MAC.
The following figure shows a PBBN, which spans a set of ISP switches that serve as Provider Backbone
Bridges (PBBs).

Layer 2 Basics

61

VMAN (PBN)

PBBN
VMAN

VMAN

VLAN
traffic

VLAN
traffic
Network
ports
(BVLAN)

VLAN
traffic
VMAN
access
ports

VMAN
network
ports

Access
ports
(SVLAN or
CVLAN)

Access
ports
VMAN
(SVLAN or
network
CVLAN)
ports

VLAN
traffic
VMAN
access
ports
vman_0002

Figure 23: PBBN

You can view a PBBN as a Layer 2 network that supports VMAN traffic (PBN 802.1ad frames) and VLAN
traffic (802.1Q frames). The entry points to a PBBN are the access ports on the PBBN edge switches,
which function as Backbone Edge Bridges (BEBs). These ports are designed to receive and transmit
VMAN and Customer VLAN (CVLAN) traffic.
PBBN switches that are not configured with network access ports are called Backbone Core Bridges
(BCBs). BCBs are configured only with network ports and interconnect all the BEBs in the PBBN.
PBBN traffic enters a PBBN access port, is switched through the PBBN, and exits at a PBBN access
port. If you do not configure any frame manipulation options, the frames that exit the PBBN are
identical to the frames that entered the PBBN.
The following figure shows three terms that are used during the configuration of a PBBN: CVLAN,
SVLAN, and BVLAN.
A PBBN is a virtual tunnel. Service VLANs (SVLANs) and CVLANs are defined at the tunnel end points
and define what traffic can enter and exit the tunnel. A BVLAN defines all the switch ports that link the
tunnel endpoints. SVLANs, CVLANs, and BLVANs are configuration entities; they are not actual Layer 2
domains. These configuration entities define the roles of ports within the PBBN. These configuration
entities operate as follows:
When a CVLAN is configured on a port, the port accepts customer VLAN traffic (802.1Q frames) for
the PBBN. After configuration is complete, the customer VLAN domain extends to all BEBs that
have ports configured for the CVLAN. CVLANs are configured only on BlackDiamond 20800 series
switches.
When an SVLAN is configured on a port, the port accepts VMAN traffic (PBN 802.1ad frames) for
the PBBN. After configuration is complete, the VMAN domain extends to all BEBs that have ports
configured for the SVLAN.

Layer 2 Basics

62

VMAN (PBN)

When a backbone VLAN (BVLAN) is configured on a port, the port serves as a network port in the
PBBN core. A BVLAN port forwards PBBN traffic (802.1ah frames) between the BEBs and BCBs in
the PBBN.

When you configure a PBBN, you create and configure SVLANs and CVLANs on the PBBN access
ports, and you configure a BVLAN on each network port. Later in the configuration process, you bind
each SVLAN and CVLAN to a BVLAN to establish the connection between the PBBN access ports and
network ports that establish the BVLAN. The process for binding an SVLAN or CVLAN to a BVLAN
differs between platforms.
You can use any physical topology on the BVLAN. Although you can assign IP addresses to backbone
interfaces to test connectivity, do not enable IP forwarding. The BVLAN must be tagged, and only
tagged ports can be added to the BVLAN.
Note
After you configure a port as part of a BVLAN or SVLAN, you cannot apply any other ACLs to
that port.
To switch a frame through the PBBN, the switch encapsulates VLAN and VMAN frames in 802.1ah
frames as shown in the following figure.

Figure 24: Frame Manipulation Through a PBBN

At the egress port of the PBBN, the system strips off the 802.1ah material, which leaves a VMAN frame
containing an original customer frame with the service provider S-tag. At the end-point of the VMAN,
the system strips off the 802.1ad material, which delivers the original customer VLAN frame to the
designated destination.
Note
There is no interaction between the STPs of the ISP and the subscriber. The subscribers
BPDUs are tunneled through the PBBN on the ISP backbone.

Layer 2 Basics

63

VMAN (PBN)

The following figure shows the contents of an 802.1ah PBBN frame.

Figure 25: 802.1ah PBBN Frame Details

The PBBN-specific frame components are prepended to the 802.1ad VMAN frames and described in the
following sections.

B-tag
The BVLAN tag (B-tag) identifies a specific BVLAN and includes three priority bits for QoS.

B-DA and B-SA

The BVLAN destination MAC address (B-DA) and BVLAN source MAC address (B-SA) are used to
switch frames across the PBBN.

I-tag
The I-tag identifies the service provider in the scope of PBBNs (the BVLAN is the tunnel inside of which
the system uses the I-tag to identify the service provider using the I-tag to S-tag mapping and
replacement).
The additional information in the I-tag allows the PBBN to support many more VMANs than the 4094
supported by the S-tag alone. SVLANs with duplicate S-tags are supported in a PBBN when they are
received on different access ports, as this results in a different I-tag for each VMAN.
Note
For more information on the ethertype, see Secondary Ethertype Support on page 65.

VMAN Configuration Options and Features

ACL Support
The ExtremeXOS software includes VMAN (PBN) Access Control List (ACL) support for controlling
VMAN frames.
VMAN ACLs define a set of match conditions and modifiers that can be applied to VMAN frames. These
conditions allow specific traffic flows to be identified, and the modifiers allow a translation to be
performed on the frames.

Layer 2 Basics

64

VMAN (PBN)

Secondary Ethertype Support

The C-tag and S-tag components that are added to all VMAN (PBN) frames (see the following figure)
include C-ethertype and S-ethertype components that specify an ethertype value for the customer
VLAN and VMAN, respectively.
Note
This feature is supported only on the platforms listed for this feature in the license tables in
Feature License Requirements.
The C-tag and S-tag components that are added to all VMAN (PBN) frames (see the following figure)
include C-ethertype and S-ethertype components that specify an ethertype value for the customer
VLAN and VMAN, respectively. The I-tag used in PBBN frames (see the following figure) also includes
an ethertype value. When a VLAN or VMAN frame passes between two switches, the ethertype is
checked for a match. If the ethertype does not match that of the receiving switch, the frame is
discarded.
The default ethertype values are:
VLAN port (802.1q frames): 0x8100
Primary VMAN port (802.1ad frames): 0x88A8
Secondary VMAN port (802.1ad frames): Not configured

The secondary ethertype support feature applies only to VMANs. The ethertype value for VLAN frames
is standard and cannot be changed.
If your VMAN transits a third-party device (in other words, a device other than an Extreme Networks
device), you must configure the ethertype value on the Extreme Networks device port to match the
ethertype value on the third-party device to which it connects.
The secondary ethertype support feature allows you to define two ethertype values for VMAN frames
and select either of the two values for each port.
For example, you can configure ports that connect to other Extreme Networks devices to use the
default primary ethertype value, and you can configure ports that connect to other equipment to use
the secondary ethertype value, which you can configure to match the requirements of that equipment.
When you create a VMAN, each VMAN port is automatically assigned the primary ethertype value.
After you define a secondary ethertype value, you can configure a port to use the secondary ethertype
value. If two switch ports in the same VMAN use different ethertype values, the switch substitutes the
correct value at each port. For example, for VMAN edge switches and transit switches, the switch
translates an ingress ethertype value to the network port ethertype value before forwarding. For egress
traffic at VMAN edge switches, no translation is required because the switch removes the S-tag before
switching packets to the egress port.
For BlackDiamond 8800 series switches, BlackDiamond X8, SummitStack, and the Summit family of
switches, you can set the primary and secondary ethertypes to any value, provided that the two values
are different.

Layer 2 Basics

65

VMAN (PBN)

QoS Support
The VMAN (PBN) feature interoperates with many of the QoS and HQoS features supported in the
ExtremeXOS software.
One of those features is egress queue selection, which is described in the next section. For more
information on other QoS and HQoS features that work with VMANs, see QoS.

Egress Queue Selection

This feature examines the 802.1p value or Diffserv code point in a VMAN (PBN) S-tag and uses that
value to direct the packet to the appropriate queue on the egress port.
Note
This feature is supported only on the platforms listed for this feature in the license tables in
the Feature License Requirements document.
On some systems (listed in the Feature License Requirements document., you can configure this
feature to examine the values in the C-tag or the S-tag. For instructions on configuring this feature, see
Selecting the Tag used for Egress Queue Selection on page 70.

VMAN Double Tag Support

The VMAN double tag feature adds an optional port CVID parameter to the existing untagged VMAN
port configuration. When present, any untagged packet received on the port will be double tagged
with the configured port CVID and SVID associated with the VMAN. Packets received with a single
CVID on the same port will still have the SVID added. As double tagged packets are received from
tagged VMAN ports and forwarded to untagged VMAN ports, the SVID associated with the VMAN is
stripped. Additionally, the CVID associated with the configured Port CVID is also stripped in the same
operation.
Much like the CVIDs configured as part of the CEP feature, the configured Port CVID is not represented
by a VLAN within EXOS. The implication is that protocols and individual services cannot be applied to
the Port CVID alone. Protocols and services are instead applied to the VMAN and/or port as the VMAN
represents the true layer-2 broadcast domain. Much like regular untagged VMAN ports, MAC FDB
learning occurs on the VMAN, so duplicate MAC addresses received on multiple CVIDs that are mapped
to the same VMAN can be problematic. Even when the additional Port CVID is configured, the port still
has all of the attributes of a regular untagged VMAN port. This means that any single c-tagged packets
received on the same port will have just the SVID associated with the VMAN added to the packet.
Likewise, any egress packet with a CVID other than the configured Port CVID will have the SVID
stripped.
Coexistence with Tagged VLANs Interfaces, CEP VMAN Interfaces, and Tagged VMAN
Interfaces
Since the port-cvid configuration still has the attributes of a regular untagged VMAN, all of the VLAN
and VMAN exclusion and compatibility rules of a regular untagged VMAN port also apply. A list of these
rules is contained in EXOS Selective Q-in-Q.

Layer 2 Basics

66

VMAN (PBN)

Protocol and Feature Interactions

Because this feature leverages existing untagged VMAN port infrastructure, any protocol that works
with a regular untagged VMAN port also works when the optional Port CVID is additionally configured.
Protocols that locally originate control packets, such as STP and ELRP which are used for loop
prevention, transmit packets as natively untagged on the wire when the port is an untagged VMAN
member. EXOS can also receive and process these untagged packets. This makes STP edge safeguard
+ BPDU guard or ELRP effective ways to detect and react to network loops on the device. However,
because control packets are transmitted as untagged upstream, devices may need additional
configuration support to properly detect remote loops not directly attached to the device. Other
effective loop prevention mechanisms work without any interaction with untagged VMAN ports. For
example, turning physical port auto-polarity off will prevent an accidental looped cable from becoming
active. Likewise, storm-control rate limiting of broadcast and flood traffic can be applied in this
environment to minimize the effects of a network loop.
In addition to detecting, preventing, and minimizing the effects of a network loop, user ACLs can be
applied to gain visibility and control of L2, L3, and L4 match criteria, even with double tagged packets.
All applicable ACL action modifiers are available in this environment. IP multicast pruning within a
VMAN can be accomplished via normal IGMP snooping. EXOS supports full IGMP snooping and IP
multicast pruning of single tagged and double tagged packets. However, when an IP address is
configured on the VMAN, the IGMP protocol engine will transmit single tagged packets on tagged
VMAN ports or untagged packets on untagged VMAN ports. Therefore, upstream switch configuration
and support may be necessary to properly propagate group memberships across the network.

Configuration

Configuring VMANs (PBNs)

Guidelines for Configuring VMANs
The following sections provide VMAN configuration guidelines for the supported platforms:

Guidelines for All Platforms

Guidelines for BlackDiamond X8 and 8000 Series Modules and Summit Family Switches

Guidelines for All Platforms

The following are VMAN configuration guidelines for all platforms:

Duplicate customer MAC addresses that ingress from multiple VMAN access ports on the same
VMAN can disrupt the port learning association process in the switch.
VMAN names must conform to the guidelines described in Object Names.
You must use mutually exclusive names for:
VLANs
VMANs
IPv6 tunnels
VMAN ports can belong to load-sharing groups.

Layer 2 Basics

67

VMAN (PBN)

Guidelines for BlackDiamond X8 and 8000 Series Modules and Summit Family Switches

The following are VMAN configuration guidelines for BlackDiamond X8 and 8000 series modules,
SummitStack, and Summit family switches:
You can enable or disable jumbo frames before configuring VMANs. You can enable or disable
jumbo frames on individual ports. See Configuring Ports on a Switch for more information on
configuring jumbo frames.
Spanning
Tree Protocol (STP) operation on CVLAN components in a PEB as described in IEEE

802.1ad is not supported.

The
initial version of this feature does not implement an XML API.

Multiple VMAN roles can be combined on one port with certain VLAN types as shown in the
following table.
Table 3: Port Support for Combined VMAN Roles and VLANs
Platform

Combined
CNP, CEP, and
Tagged
VLAN 1 , 2

Combined
PNP, CNP, and
CEPa, b, 3

Combined PNP Combined PNP

and Tagged
and Untagged
VLAN
VLAN

Summit X440, X460, X480, X60, and X770,

and E4G-200 and E4G-400

X4

BlackDiamond 8500 and 8800 a-, c-, and eseries modules

Xd

BlackDiamond X8, 8900 c-, xl-, and xmseries modules

Xe

Note
If you already configured VLANs and VMANs on the same module or stand-alone switch
using ExtremeXOS 11.4, you cannot change the VMAN ethertype from 0X8100 without first
removing either the VLAN or VMAN configuration.
Procedure for Configuring VMANs
This section describes the procedure for configuring VMANs. Before configuring VMANs, review
Guidelines for Configuring VMANs on page 67. To configure a VMAN, complete the following procedure
at each switch that needs to support the VMAN:

1
2
3
4
1
2
3

Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.
If the secondary VMAN ethertype is selected for the port, it must be set to 0x8100.
Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.

Layer 2 Basics

68

VMAN (PBN)

If you are configuring a BlackDiamond 8800 series switch, a SummitStack, or a Summit family
switch, enable jumbo frames on the switch.
Note
Because the BlackDiamond 8800 series switches, SummitStack, and the Summit family of
switches enable jumbo frames switch-wide, you must enable jumbo frames before
configuring VMANs on these systems.

2 Create a VMAN using the command:

create vman vman_name vr vr_name

3 Assign a tag value to the VMAN using the command:.

configure vman vman_name tag tag_id

4 To configure PNP ports on a PEB or PB, use the following command with the tagged option:
configure vman vman_name add ports [ all | port_list ] {untagged { port-cvid
port_cvid} | tagged}

5 To configure CNP ports on a PEB, use the following command with the untagged option:
configure vman vman_name add ports [ all | port_list ] {untagged { port-cvid
port_cvid} | tagged}

Note
You must configure CNP ports as untagged, so that the S-tag is stripped from the frame
on egress. If the port-cvid is configured, any untagged packet received on the port will
be double tagged with the configured port CVID and the SVID associated with the VMAN.
Packets received with a single CVID on the same port will still have the SVID added as
usual. As double tagged packets are received from tagged VMAN ports and forwarded to
untagged VMAN ports,the SVID associated with the VMAN is stripped. Additionally, the
CVID associated with the configured port CVID is also stripped in the same operation.
6 To configure CEP ports on a PEB, do the following:
a Use the following command to establish a physical port as a CEP and configure CVID mapping
and translation:
configure vman vman_name add ports port_list cep cvid cvid_range {translate
cvid | cvid_range}}

b Use the following commands to add or delete CVIDs for a CEP and manage CVID mapping and
translation:
configure vman vman_name ports port_list add cvid {cvid | cvid_range}
{translate cvid | cvid_range }
configure vman vman_name ports port_list delete cvid {cvid | cvid_range }

c Use the following commands to manage CVID egress filtering for a CEP:
enable vman cep egress filtering ports {port_list | all}
disable vman cep egress filtering ports {port_list | all}

7 Configure additional VMAN options as described in Configuring VMAN Options on page 70.
8 To configure a VLAN to use a VMAN, configure the VLAN on the switch port at the other end of the
line leading to the VMAN access port.

Layer 2 Basics

69

VMAN (PBN)

Configuring VMAN Options

Configuring the Ethertype for VMAN Ports
The ethertype is a component of VLAN and VMAN frames. It is introduced in Secondary Ethertype
Support on page 65.
Note
This feature is supported only on the platforms listed for this feature in the license tables in
the Feature License Requirements document.
To configure the ethertype for VMAN (PBN) ports, do the following:
1

Configure the primary and secondary (if needed) VMAN ethertype values for the switch using the
following command:
configure vman ethertype hex_value [primary | secondary]

By default, all VMAN ports use the primary ethertype value.

2 If you plan to use a secondary ethertype, select the secondary ethertype for the appropriate VMAN
ports using the following command:
configure port port_list ethertype {primary | secondary}

Selecting the Tag used for Egress Queue Selection

By default, switches that support the enabling and disabling of this feature use the 802.1p value in the
S-tag to direct the packet to the queue on the egress port.
Note
This feature is supported and configurable only on the platforms listed for this feature in the
license tables in the Feature License Requirements document.

Configure egress queue dot1p examination of the C-tag using:

enable dot1p examination inner-tag port [all | port_list]

Return to the default selection of using the 802.1p value in the S-tag using:
disable dot1p examination inner-tag ports [all | port_list]

Note
See QoS for information on configuring and displaying the current 802.1p and DiffServ
configuration for the S-tag 802.1p value. To enable dot1p examination for inner-tag, dot1p
examination for outer-tag must be disabled using the command disable dot1p
examination ports [all | port_list]

Displaying Information

Displaying VMAN Information

Use the following commands to display information on one or all VMANs.

Layer 2 Basics

70

VMAN (PBN)

show {vman} vman_name {ipv4 | ipv6}

show vman [tag tag_id | detail] {ipv4 | ipv6}
show {vman} vman_name eaps

Note
The display for the show vman command is different depending on the platform and
configuration you are using. See the ExtremeXOS Command Reference Guide for complete
information on this command.
You can also display VMAN information, as well as all the VLANs, by issuing the show ports
information detail command. And you can display the VMAN ethernet type and secondary
etherType port_list by using the show vman etherType command

Configuration Examples

VMAN Example, BlackDiamond 8810

The following example shows the steps to configure a VMAN (PBN) on the BlackDiamond 8810 switch
shown in the following figure.

Figure 26: Sample VMAN Configuration on BlackDiamond 8810 Switch

The VMAN is configured from the building to port 1, slot 3 on the BlackDiamond 8810 switch and from
port 2, slot 3 on the BlackDiamond 8810 switch to the BlackDiamond 6808 switch:
enable jumbo frames
create vman vman_tunnel_1
configure vman vman_tunnel_1 tag 100
configure vman vman_tunnel_1 add port 3:1 untagged
configure vman vman_tunnel_1 add port 3:2 tagged
disable dot1p examination port 3:2
enable dot1p examination inner-tag port 3:2

Layer 2 Basics

71

VMAN (PBN)

The following example configuration demonstrates configuring IP multicast routing between VMANs
and VLANs (when VMAN traffic is not double-tagged) on the BlackDiamond 8800 series switch and
the Summit family of switches.
Using this configuration you can use a common uplink to carry both VLAN and VMAN traffic and to
provide multicast services from a VMAN through a separate VLAN (notice that port 1:1 is in both a
VLAN and a VMAN):
enable jumbo-frame ports all
configure vman ethertype 0x8100
create vlan mc_vlan
configure vlan mc_vlan tag 77
create vman vman1
configure vman vman1 tag 88
configure vlan vman1 ipaddress 10.0.0.1/24
configure vlan mc_vlan ipaddress 11.0.0.1/24
enable ipforwarding vman1
enable ipforwarding mc_vlan
enable ipmcforwarding vman1
enable ipmcforwarding mc_vlan
configure vlan mc_vlan add port 1:1 tag
configure vman vman1 add port 1:1 tag
configure vman vman1 add port 2:1, 2:2, 2:3

Note
IGMP reports can be received untagged on ports 2:1, 2:2, and 2:3. Tagged IP multicast data is
received on mc_vlan port 1:1 and is routed using IP multicasting to vman1 ports that subscribe
to the IGMP group.
IGMP snooping (Layer 2 IP multicasting forwarding) does not work on the VMAN ports
because there is no double-tagged IP multicast cache lookup capability from port 1:1.

VMAN CEP Example

The following configuration configures a VMAN CEP to support up to 10 customer VLANs for each of
three VMANs.
create
create
create
config
config
config
config
config
config
config
config
config
enable

Layer 2 Basics

vman
vman
vman
vman
vman
vman
vman
vman
vman
vman
vman
vman
vman

cust1
cust2
cust3
cust1 tag 1000
cust2 tag 1001
cust3 tag 1002
cust1 add port 22 tag
cust2 add port 22 tag
cust3 add port 23 tag
cust1 add port 1 cep cvid 100 - 109
cust2 add port 1 cep cvid 110 - 119
cust3 add port 1 cep cvid 120 - 129
cep egress filtering ports 1

72

VMAN (PBN)

Port 1 serves as the CEP, and egress filtering is enabled on the port. Ports 22 and 23 serve as CNPs,
providing the connection between the CEP port and the rest of each VMAN.

Multiple VMAN Ethertype Example

The following figure shows a switch that is configured to support the primary ethertype on three ports
and the secondary ethertype on a fourth port.
The primary VMAN (PBN) ethertype is changed from the default value, but that is not required.

Figure 27: Multiple VMAN Ethertype Example

The following configuration commands accomplish what is shown in the figure above:
#
#
#
#
#
#
#
#
#
#

configure vman ethertype 0x9100 primary

configure vman ethertype 0x8100 secondary
configure port 2:2 ethertype secondary
create vman vman300
configure vman vman300 tag 300
configure vman vman300 add port 1:1, 2:1, 2:2 tagged
configure vman vman300 add port 1:2 untagged

Layer 2 Basics

73

3 FDB
FDB Contents
How FDB Entries Get Added
How FDB Entries Age Out
FDB Entry Types
Managing the FDB
Displaying FDB Entries and Statistics
MAC-Based Security
Managing MAC Address Tracking
The FDB chapter is intended to help you learn about forwarding databases, adding and displaying
entries and entry types, managing the FDB, and MAC-based security. This chapter also provides
information about MAC Address tracking.
The switch maintains a forwarding database (FDB) of all MAC addresses received on all of its ports. It
uses the information in this database to decide whether a frame should be forwarded or filtered.
Note
See the ExtremeXOS Command Reference Guide for details of the commands related to the
FDB.

FDB Contents
Each Forwarding Database (FDB) entry consists of:

The MAC address of the device

An identifier for the port and VLAN on which it was received
The age of the entry
Flags

Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN.

How FDB Entries Get Added

The MAC entries that are added to the FDB are learned in the following ways:

Source MAC entries are learned from ingress packets on all platforms. This is Layer 2 learning.
On BlackDiamond 8800 series switches, MAC entries can be learned at the hardware level.
Virtual MAC addresses embedded in the payload of IP ARP packets can be learned when this
feature is enabled.
Static entries can be entered using the command line interface (CLI).

Layer 2 Basics

74

FDB

Dynamic entries can be modified using the CLI.

Static entries for switch interfaces are added by the system upon switch boot-up.

The ability to learn MAC addresses can be enabled or disabled on a port-by-port basis. You can also
limit the number of addresses that can be learned, or you can lock down the current entries and
prevent additional MAC address learning.
BlackDiamond 8000 series modules and Summit switches support different FDB table sizes.
On a BlackDiamond 8800 switch with a variety of modules or on a SummitStack with different Summit
switch models, the FDB tables on some modules or switches can be filled before the tables on other
modules or switches. In this situation, when a lower-capacity FDB table cannot accept FDB entries, a
message appears that is similar to the following:
HAL.FDB.Warning> MSM-A: FDB for vlanID1 mac 00:00:03:05:15:04 was not added to
slot 3 - table full.

Note
For information on increasing the FDB table size on BlackDiamond 8900 xl-series modules
and Summit X480 switches, see Increasing the FDB Table Size on page 77. For information
on FDB tables sizes, see the ExtremeXOS Release Notes.

How FDB Entries Age Out

Software Aging Platforms (All Platforms except Summit X480 and
BD8900 xl-series cards)
When a MAC is learned on a VLAN, an FDB entry is created for this MAC VLAN combination.Once an
FDB entry is created, the aging counter in the "show fdb" output increases from 0 to polling inteval.
The hardware is checked every polling interval seconds to see if there is traffic flow from the given
FDB entry.If there is a traffic flow from this MAC, the entry is refreshed and aging counter is reset to 0.
If there is no traffic from that FDB entry during this polling interval, the age gets incremented till the
configured age time (configured by configure fdb agingtime seconds).The entry gets removed
when there is no traffic flow from this FDB entry when the age count reaches the configured age time.
Polling interval = FDB aging time/4 (subject to the minimum and maximum values being 10 and 60
seconds respectively).

Hardware Aging Platforms(Only Summit X480 and BD8900 xl-series

cards)
Aging is controlled entirely by the hardware based on the traffic hit that happens for the individual FDB
entry. The age from show fdb output is alway shown as 0. The entry will be removed when it ages
out.

FDB Entry Types

Layer 2 Basics

75

FDB

Dynamic Entries
A dynamic entry is learned by the switch by examining packets to determine the source MAC address,
VLAN, and port information.
The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the
database are dynamic, except for certain entries created by the switch at boot-up.
Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has
not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that
when a device is removed from the network, its entry is deleted from the database.
The aging time is configurable, and the aging process operates on the supported platforms as follows:
On all platforms, you can configure the aging time to 0, which prevents the automatic removal of all
dynamic entries.
On BlackDiamond X8 series switches, BlackDiamond 8000 a-, c-, e- and xm-series modules,
E4G-200 and E4G-400 cell site routers, and Summit X440, X460, X670, and X770 series switches,
the aging process takes place in software and the aging time is configurable.
On BlackDiamond 8900 xl-series and Summit X480 switches, the aging process takes place in
hardware and the aging time is based on (but does not match) the configured software aging time.
For more information about setting the aging time, see Configuring the FDB Aging Time on page 79.
Note
If the FDB entry aging time is set to 0, all dynamically learned entries in the database are
considered static, non-aging entries. This means that the entries do not age, but they are still
deleted if the switch is reset.
Dynamic entries are flushed and relearned (updated) when any of the following take place:
A VLAN is deleted.
A VLAN identifier (VLANid) is changed.
A port mode is changed (tagged/untagged).
A port is deleted from a VLAN.
A port is disabled.
A port enters blocking state.
A port goes down (link down).
A non-permanent dynamic entry is initially created when the switch identifies a new source MAC
address that does not yet have an entry in the FDB. The entry can then be updated as the switch
continues to encounter the address in the packets it examines. These entries are identified by the d
flag in the show fdb command output.

Static Entries
A static entry does not age and does not get updated through the learning process.
A static entry is considered permanent because it is retained in the database if the switch is reset or a
power off/on cycle occurs. A static entry is maintained exactly as it was created. Conditions that cause

Layer 2 Basics

76

FDB

dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static
entries.
To create a permanent static FDB entry, see Adding a Permanent Unicast Static Entry on page 78.
If a duplicate MAC address is learned on a port other than the port where the static entry is defined, all
traffic from that MAC address is dropped. By default, the switch does not report duplicate addresses.
However, you can configure the switch to report these duplicate addresses as described in Managing
Reports of Duplicate MAC Addresses for Static Entries on page 80.
A locked static entry is an entry that was originally learned dynamically, but has been made static
(locked) using the MAC address lock-down feature. It is identified by the s, p, and l flags in show
fdb command output and can be deleted using the delete fdbentry command. See MAC Address
Lockdown for more information about this feature.
Note
Static FDB entries created on EAPS- or STP-enabled ports forward traffic irrespective of the
port state. Consequently, you should avoid such a configuration.

Blackhole Entries
A blackhole entry configures the switch to discard packets with a specified MAC destination address.
Blackhole entries are useful as a security measure or in special circumstances where a specific source or
destination address must be discarded. Blackhole entries can be created through the CLI, or they can
be created by the switch when a ports learning limit has been exceeded.
Blackhole entries are treated like permanent entries in the event of a switch reset or power off/on
cycle. Blackhole entries are never aged out of the database.

Private VLAN Entries

A Private VLAN (PVLAN) creates special FDB entries. These are described in MAC Address
Management in a PVLAN on page 30.

Managing the FDB

Increasing the FDB Table Size

BlackDiamond 8900 xl-series modules and Summit X480 switches provide an additional table that can
be configured to support additional FDB table entries with the following command:
configure forwarding external-tables [l3-only {ipv4 | ipv4-and-ipv6 | ipv6} | l2only | acl-only | l2-and-l3 | l2-and-l3-and-acl | l2-and-l3-and-ipmc | none]

Layer 2 Basics

77

FDB

Summit X770 switches provides a Unified Forwarding Table that allows for flexible allocation of entries
to L2 or L3. You can configure this table with the configure forwarding internal-tables [l2and-l3 | more [l2 | l3-and-ipmc]] command.

Adding a Permanent Unicast Static Entry

To add a static entry use the following command:
create fdbentry mac_addr vlan vlan_name [ports port_list | blackhole]

The following example adds a permanent static entry to the FDB:

create fdbentry 00:E0:2B:12:34:56 vlan marketing port 3:4

The permanent entry has the following characteristics:

MAC address is 00:E0:2B:12:34:56.
VLAN name is marketing.
Slot number for this device is 3 (only on modular switches).
Port number for this device is 4.
On Summit family switches, BlackDiamond X8 series switches, and BlackDiamond 8000 series
modules, you can specify multiple ports when you create a unicast static entry. However, all ports in the
list must be on the same SummitStack switch, BlackDiamond X8 series switch or BlackDiamond 8000
series module. When the port list contains ports on different slots, the following error is generated:
Error: Multiple ports must be on the same slot for unicast MAC FDB entries.

Once the multiport static FDB entry is created, any ingress traffic with a destination MAC address
matching the FDB entry is multicasted to each port in the specified list. On Summit family switches and
BlackDiamond 8000 series modules, if the FDB entry is the next hop for an IP adjacency, unicast
routing sends the packet to the first port in the list.
Note
When a multiport list is assigned to a unicast MAC address, load sharing is not supported on
the ports in the multiport list.
Summit family switches, BlackDiamond X8 series switches, and BlackDiamond 8000 series modules do
not support this multiport feature natively using the FDB table. Instead, for each FDB entry of this type,
a series of system ACLs have been installed which match the specified MAC address and VLAN ID, and
override the egress port forwarding list with the supplied list of ports. Multiple ACLs per FDB are
required to handle Layer 2 echo kill by installing a unique ACL per individual port in the list to send
matching traffic to all other ports in the list.
User-configured ACLs take precedence over these FDB-generated ACL rules, and the total number of
rules is determined by the platform.
The hardware ACL limitations for each platform are described in ACLs.

Layer 2 Basics

78

FDB

Adding a Permanent Multicast Static Entry

On BlackDiamond X8 series switches, BlackDiamond 8000 series modules, SummitStack, and Summit
family switches, you can create FDB entries to multicast MAC addresses (that is, 01:00:00:00:00:01)
and list one or more ports.
Use the create fdbentry mac_addr vlan vlan_name [ports port_list | blackhole]
command to enter the multicast FDB address. After traffic with a multicast MAC destination address
enters the switch, that traffic is multicast to all ports on the list.
However, if the MAC address is in the IP multicast range (for example, 01:00:5e:XX:XX:XX), IGMP
snooping rules take precedence over the multicast static FDB entry. Of course, if you disable IGMP
snooping on all VLANs, the static FDB entry forwards traffic.

Configuring the FDB Aging Time

To configure the aging time for dynamic FDB entries, use the following command:.
configure fdb agingtime seconds

If the aging time is set to 0, all aging entries in the database are defined as static, nonaging entries.
This means the entries will not age out, but non-permanent static entries can be deleted if the
switch is reset.
To display the aging time, use the following command:.
show fdb
Note
On BlackDiamond 8900 xl-series and Summit X480 switches, FDB entries are aged in
hardware, the aging time is always displayed as 000, and the h flag is set for entries that
are hardware aged.

Adding Virtual MAC Entries from IP ARP Packets

Generally, the FDB is programmed with the source MAC address of frames that contain an IP ARP
payload. MAC entries present in the ARP payload as Sender-MAC are not learned. When IP ARP
Sender-MAC learning is enabled, the switch learns both the source MAC address and the Sender-MAC
from the ARP payload, and the switch programs these MAC addresses in the FDB.
This feature is useful when you want the switch to learn the Sender-MAC address for a redundant
protocol, such as VRRP. For example, if your network has a gateway with a virtual MAC address, the
switch learns the system MAC address for the gateway. If you enable the IP ARP Sender-MAC learning
feature, the switch also learns the virtual MAC address embedded in IP ARP packets for the gateway IP
address.

To enable the IP ARP sender-MAC learning feature, use the command:

enable learning iparp sender-mac

To view the configuration of this feature, use the command:

show iparp

Layer 2 Basics

79

FDB

To disable this feature, use the command:

disable learning iparp sender-mac

Managing Reports of Duplicate MAC Addresses for Static Entries

By default, if a MAC address that is a duplicate of a static MAC address entry is learned on another port
(other than the port where the static MAC address is configured), traffic from the duplicate address is
silently dropped.

To enable or disable EMS and SNMP reporting of duplicate addresses for static entries, use the
commands:
enable fdb static-mac-move
disable fdb static-mac-move

To control the number of EMS and SNMP reports per second issued, use the commands:
configure fdb static-mac-move packets count

To display the configuration of this feature, use the commands:

show fdb static-mac-move configuration

Clearing FDB Entries

You can clear dynamic and permanent entries using different CLI commands. Clear dynamic FDB
entries by targeting:
Specified MAC addresses
Specified ports
Specified VLANs
All blackhole entries

To clear dynamic entries from the FDB, use the command:

clear fdb {mac_addr | ports port_list | vlan vlan_name | blackhole}

To clear permanent entries from the FDB, use the command:

delete fdbentry [all | mac_address [vlan vlan_name ]

Supporting Remote Mirroring

The remote mirroring feature copies select traffic from select ports and VLANs and sends the copied
traffic to a remote switch for analysis.
The mirrored traffic is sent using a VLAN that is configured for this purpose. For more information, see
MLAG Limitations and Requirements.
Transit switches are the switches between the source switch where ports are mirrored and the
destination switch where the mirrored traffic exits the network to a network analyzer or network
storage device.

Layer 2 Basics

80

FDB

Because the mirrored traffic is an exact copy of the real traffic, a transit switch can learn the MAC
addresses and make incorrect forwarding decisions.

Displaying FDB Entries and Statistics

Display FDB Entries

Display FDB entries using the following command:

show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | macbased-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr
{netlogin [all | mac-based-vlans]} | ports port_list {netlogin [all | macbased-vlans]} | vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls}
{vpls_name}}}

Note
The MAC-based VLAN netlogin parameter applies only for Summit family switches and
BlackDiamond 8800 series switches. See Network Login for more information.
With no options, this command displays all FDB entries. (The age parameter does not show on the
display for the backup MSM/MM on modular switches; it does show on the display for the primary
MSM/MM.)

Display FDB Statistics

To display FDB statistics, use the command:
show fdb stats {{ports {all | port_list} | vlan {all} | {vlan} vlan_name } {norefresh}}

With no options, this command displays summary FDB statistics.

MAC-Based Security
MAC-based security allows you to control the way the FDB is learned and populated. By managing
entries in the FDB, you can block and control packet flows on a per-address basis.
MAC-based security allows you to limit the number of dynamically-learned MAC addresses allowed per
virtual port. You can also lock the FDB entries for a virtual port, so that the current entries will not
change, and no additional addresses can be learned on the port.
You can also prioritize or stop packet flows based on the source MAC address of the ingress VLAN or
the destination MAC address of the egress VLAN.
Note
For detailed information about MAC-based security, see Security.

Layer 2 Basics

81

FDB

Managing MAC Address Learning

By default, MAC address learning is enabled on all ports. MAC addresses are added to the FDB as
described in How FDB Entries Get Added on page 74.
When MAC address learning is disabled on a port, the switch no longer stores the source address
information in the FDB. However, the switch can still examine the source MAC address for incoming
packets and either forward or drop the packets based on this address. The source address examination
serves as a preprocessor for packets. Forwarded packets are forwarded to other processes, not to
other ports. For example, if the switch forwards a packet based on the source address, the packet can
still be dropped based on the destination address or the egress flooding configuration.
When MAC address learning is disabled, the two supported behaviors are labeled as follows in the
software:
forward-packets
drop-packets
The drop-packets behavior is supported on BlackDiamond 8000 series modules, SummitStack, and
Summit family switches. When the drop-packets option is chosen, EDP packets are forwarded, and all
unicast, multicast, and broadcast packets from a source address not in the FDB are dropped. No further
processing occurs for dropped packets.
The disable learning forward-packets option saves switch resources (FDB space), however, it can
consume network resources when egress flooding is enabled. When egress flooding is disabled or the
drop-packet option is specified, disabling learning adds security by limiting access to only those
devices listed in the FDB.

To disable learning on specified ports, use the command:

disable learning {drop-packets | forward-packets} port [port_list | all]

Note
The drop-packets and forward-packets options are available only on the
BlackDiamond 8800 series switches, SummitStack, and the Summit family switches. If
neither option is specified, the drop-packets behavior is selected.

To enable learning on specified ports, use the command:

enable learning {drop-packets} ports [all | port_list]

Managing Egress Flooding

Egress flooding takes action on a packet based on the packet destination MAC address. By default,
egress flooding is enabled, and any packet for which the destination address is not in the FDB is
flooded to all ports except the ingress port.
You can enhance security and privacy as well as improve network performance by disabling Layer 2
egress flooding on a port, VLAN, or VMAN. This is particularly useful when you are working on an edge

Layer 2 Basics

82

FDB

device in the network. Limiting flooded egress packets to selected interfaces is also known as upstream
forwarding.
Note
Disabling egress flooding can affect many protocols, such as IP and ARP.
The following figure illustrates a case where you want to disable Layer 2 egress flooding on specified
ports to enhance security and network performance.

Figure 28: Upstream Forwarding or Disabling Egress Flooding Example

In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and
2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN,
client 1 could possibly learn about the other clients traffic by sniffing client 2s broadcast traffic; client 1
could then possibly launch an attack on client 2.
However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the
following reasons:
Broadcast and multicast traffic from the clients is forwarded only to the uplink port.
Any packet with unlearned destination MAC addresses is forwarded only to the uplink port.
One client cannot learn any information from the other client. Because egress flooding is disabled
on the access ports, the only packets forwarded to each access port are those packets that are
specifically targeted for one of the ports. There is no traffic leakage.
In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to
communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP
address for client 2.
Guidelines for Enabling or Disabling Egress Flooding
The following guidelines apply to enabling and disabling egress flooding:

Egress flooding can be disabled on ports that are in a load-sharing group. In a load-sharing group,
the ports in the group take on the egress flooding state of the master port; each member port of the
load-sharing group has the same state as the master port.
FDB learning takes place on ingress ports and is independent of egress flooding; either can be
enabled or disabled independently.
Disabling unicast (or all) egress flooding to a port also prevents the flooding of packets with
unknown MAC addresses to that port.

Layer 2 Basics

83

FDB

Disabling broadcast (or all) egress flooding to a port also prevents the flooding of broadcast
packets to that port.
For BlackDiamond X-8 and 8800 series switches, SummitStack, and Summit family switches, the
following guidelines apply:
You can enable or disable egress flooding for unicast, multicast, or broadcast MAC addresses, as
well as for all packets on one or more ports.
Disabling multicasting egress flooding does not affect those packets within an IGMP membership
group at all; those packets are still forwarded out.
If IGMP snooping is disabled, multicast packets with static FDB entries are forwarded according
to the FDB entry.

Configuring Egress Flooding

To enable or disable egress flooding on BlackDiamond X8 and 8800 series switches, SummitStack, and
the Summit family switches, use the following commands:
enable flooding [all_cast | broadcast | multicast | unicast] ports [port_list |
all]
disable flooding [all_cast | broadcast | multicast | unicast] ports [port_list |
all]

Displaying Learning and Flooding Settings

To display the status of MAC learning and egress flooding, use the following commands:
show ports {mgmt | port_list | tag tag} information {detail}
show vlan {virtual-router vr-name}
show vman

The flags in the command display indicate the status.

Creating Blackhole FDB Entries

A blackhole FDB entry discards all packets addressed to or received from the specified MAC address. A
significant difference between the above ACL policy and the create fdbentry command blackhole
option is the hardware used to implement the feature. Platforms with limited hardware ACL table sizes
(for example, BlackDiamond 8800 series switches) are able to implement this feature using the FDB
table instead of an ACL table.
To create a blackhole FDB entry, use the command:
create fdbentry mac_addr vlan vlan_name [ports port_list | blackhole]

There is no software indication or notification when packets are discarded because they match
blackhole entries.

Layer 2 Basics

84

FDB

The blackhole option is also supported through access lists.

Note
Blackhole is not supported on port-specific VLAN tags.
For example, the following ACL policy would also blackhole traffic destined to or sourced from a
specific MAC address:
entry blackhole_dest {
if {
ethernet-destination-address 00:00:00:00:00:01;
} then {
deny;
}
}
entry blackhole_source {
if {
ethernet-source-address 00:00:00:00:00:01;
} then {
deny;
}
}

Managing MAC Address Tracking

The MAC address tracking feature tracks FDB add, move, and delete events for specified MAC
addresses and for specified ports.
When MAC address tracking is enabled for a port, this feature applies to all MAC addresses on the port.
When an event occurs for a specified address or port, the software generates an EMS message and can
optionally send an SNMP trap. When MAC address tracking is enabled for a specific MAC address, this
feature updates internal event counters for the address. You can use this feature with the Universal
Port feature to configure the switch in response to MAC address change events (for an example, see
Universal Port).
Note
When a MAC address is configured in the tracking table, but detected on a MAC tracking
enabled port, the per MAC address statistical counters are not updated.
The MAC address tracking feature is always enabled; however, you must configure MAC addresses or
ports before tracking begins. The default configuration contains no MAC addresses in the MAC address
tracking table and disables this feature on all ports.

Adding and Deleting MAC Addresses for Tracking

Use the following commands to add or delete MAC addresses in the MAC address tracking table:
create fdb mac-tracking entry mac_addr

Layer 2 Basics

85

FDB

delete fdb mac-tracking entry [mac_addr | all]

Enabling and Disabling MAC Address Tracking on Ports

Use the following command to enable or disable MAC addresses tracking on specific ports:
configure fdb mac-tracking {[add|delete]} ports [port_list|all]

Enabling and Disabling SNMP Traps for MAC Address Changes

The default switch configuration disables SNMP traps for MAC address changes.
Use the following commands to enable or disable SNMP traps for MAC address tracking events:
enable snmp traps fdb mac-tracking
disable snmp traps fdb mac-tracking

Configuring Automatic Responses to MAC Tracking Events

The EMS messages produced by the MAC address tracking feature can be used to trigger Universal
Port profiles. These are described in Event Management System Triggers.
The subcomponent name for MAC address tracking events is FDB.MACTracking.

Displaying the Tracked MAC Addresses and Tracking Statistics

To display the MAC address tracking feature configuration, including the list of tracked MAC
addresses, use the command:
show fdb mac-tracking configuration

To display the counters for MAC address add, move, and delete events, use the command:
show fdb mac-tracking statistics {mac_addr} {no-refresh}

Clearing the Tracking Statistics Counters

There are several ways to clear the MAC tracking counters:
Use the clear counters command.

Use the 0 key while displaying the counters with the show fdb mac-tracking statistics
{mac_addr} command.

Enter the clear counters fdb mac-tracking [mac_addr | all] command.

Layer 2 Basics

86

4 Layer 2 Basic Commands

clear counters fdb mac-tracking
clear counters ports protocol filter
clear fdb
clear l2pt counters vlan
clear l2pt counters vman
clear l2pt counters vpls
create l2pt profile
configure fdb agingtime
configure fdb mac-tracking ports
configure fdb static-mac-move packets
configure l2pt encapsulation dest-mac
configure l2pt profile add profile
configure l2pt profile delete profile
configure port ethertype
configure ports l2pt profile
configure ports protocol filter
configure private-vlan add network
configure private-vlan add subscriber
configure private-vlan delete
configure protocol add
configure protocol delete
configure protocol filter
configure vlan add ports private-vlan translated
configure vlan add ports
configure vlan delete ports
configure vlan description
configure vlan ipaddress
configure vlan name
configure vlan protocol
configure vlan tag
configure vlan-translation add loopback-port
configure vlan-translation add member-vlan
configure vlan-translation delete loopback-port
configure vlan-translation delete member-vlan
configure vman add ports cep
configure vman add ports
configure vman delete ports

Layer 2 Basics

87

Layer 2 Basic Commands

configure vman ethertype

configure vman ports add cvid
configure vman ports delete cvid
configure vman protocol
configure vman tag
configure vpls peer l2pt profile
create fdb mac-tracking entry
create fdbentry vlan ports
create l2pt profile
create private-vlan
create protocol
create vlan
create vman
delete fdb mac-tracking entry
delete fdbentry
delete l2pt profile
delete private-vlan
delete protocol
delete vlan
delete vman
disable dot1p examination inner-tag ports
disable fdb static-mac-move
disable flooding ports
disable learning iparp sender-mac
disable learning port
disable loopback-mode vlan
disable snmp traps fdb mac-tracking
disable vlan
disable vman cep egress filtering ports
enable dot1p examination inner-tag port
enable fdb static-mac-move
enable flooding ports
enable learning iparp sender-mac
enable learning port
enable loopback-mode vlan
enable snmp traps fdb mac-tracking
enable vlan
enable vman cep egress filtering ports
show fdb mac-tracking configuration
show fdb mac-tracking statistics
show fdb static-mac-move configuration
show fdb stats

Layer 2 Basics

88

Layer 2 Basic Commands

show fdb
show l2pt profile
show l2pt
show ports protocol filter
show private-vlan <name>
show private-vlan
show protocol
show vlan
show vlan description
show vlan l2pt
show vman
show vman eaps
show vman ethertype
show vman l2pt
unconfigure vlan description
unconfigure vlan ipaddress
unconfigure vman ethertype

clear counters fdb mac-tracking

clear counters fdb mac-tracking [mac_addr | all]

Description
Clears the event counters for the FDB MAC-tracking feature.

Syntax Description
mac_addr

Specifies a MAC address, using colon-separated bytes.

all

Clears the counters for all tracked MAC addresses.

Default
N/A.

Usage Guidelines
The clear counters command also clears the counters for all tracked MAC addresses.

Layer 2 Basics

89

Layer 2 Basic Commands

Example
The following example clears the counters for all entries in the MAC address tracking table:
Switch.1 #

clear counters fdb mac-tracking all

History
This command was first available in ExtremeXOS 12.3.

Platform Availability
This command is available on all platforms.

clear counters ports protocol filter

clear counters ports {port_list | all} protocol filter

Description
Clears protocol filtering counters.

Syntax Description
port_list

Specifies the port list is separated by a comma ( , ) or dash ( - ).

all

Specifies all ports

Default
Disabled.

Usage Guidelines
Use this command to clear protocol filtering counters.

Example
The following example clears all protocol filtering counters:
clear counters ports protocol filter

The following example clears protocol filtering counters on ports 1-5:

clear counters ports 1-5 protocol filter

Layer 2 Basics

90

Layer 2 Basic Commands

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

clear fdb
clear fdb {mac_addr | ports port_list | vlan vlan_name | blackhole}

Description
Clears dynamic FDB entries that match the filter.

Syntax Description
mac_addr

Specifies a MAC address, using colon-separated bytes.

port_list

Specifies one or more ports or slots and ports.

vlan_name

Specifies a VLAN name.

blackhole

Specifies the blackhole entries.

Default
All dynamic FDB entries are cleared by default.

Usage Guidelines
This command clears FDB entries based on the specified criteria. When no options are specified, the
command clears all dynamic FDB entries.

Example
The following example clears any FDB entries associated with ports 4:3-4:5 on a modular switch:
clear fdb ports 4:3-4:5

The following example clears any FDB entries associated with VLAN corporate:
clear fdb vlan corporate

History
This command was first available in ExtremeXOS 10.1.

Layer 2 Basics

91

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

clear l2pt counters vlan

clear l2pt counters {[vlan | vman] vlan_name {ports port_list}}

Description
Clears L2PT VLAN counters.

Syntax Description
vlan

Optionally clears counters only on a specific VLAN.

vman

Optionally clears counters only on a specific VMAN.

vlan_name

Specifies the VLAN name.

ports port_list

Optionally clears counters only on specific ports of the VLAN/VMAN. The

port list is separated by a comma ( , ) or dash ( - ).

Default
Disabled.

Usage Guidelines
Use this command to clear L2PT VLAN counters.

Example
The following example clears all L2PT counters:
clear l2pt counters

The following example clears L2PT counters on VLAN vlan1:

clear l2pt counters vlan vlan1

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

92

Layer 2 Basic Commands

clear l2pt counters vman

clear l2pt counters {[vlan | vman] vlan_name {ports port_list}}

Description
Clears L2PT VMAN counters.

Syntax Description
vlan

Optionally clears counters only on a specific VLAN.

vman

Optionally clears counters only on a specific VMAN.

vlan_name

Specifies the VLAN name.

ports port_list

Optionally clears counters only on specific ports of the VLAN/VMAN. The

port list is separated by a comma ( , ) or dash ( - ).

Default
Disabled.

Usage Guidelines
Use this command to clear L2PT VMAN counters.

Example
The following example clears all L2PT counters:
clear l2pt counters

The following example clears L2PT counters on VMAN vlan2:

clear l2pt counters vman vlan2

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

clear l2pt counters vpls

clear l2pt counters {[vpls vpls_name {peer ipaddress} | vpws vpws_name]}

Layer 2 Basics

93

Layer 2 Basic Commands

Description
Clears L2PT counters.

Syntax Description
vpls

Optionally clears counters only on a specific VPLS.

vpls_name

Alpha numeric string identifying VPLS VPN.

peer ipaddress

Optionally clears counters only on a specific peer of the VPLS. The variable
specifies an IPv4 address.

vpws vpws_name

Optionally clears counters only on a specific VPWS. The variable is an

alphanumeric string identifying the VPWS VPN.

Default
Disabled.

Usage Guidelines
Use this command to clear L2PT counters.

Example
The following example clears L2PT counters on peer 1.1.1.1 of VPLS vpls1:
clear l2pt counters vpls vpls1 peer 1.1.1.1

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

create l2pt profile

create l2pt profile profile_name

Description
Creates an L2PT profile.

Layer 2 Basics

94

Layer 2 Basic Commands

Syntax Description
l2pt

Creates a Layer 2 protocol tunneling profile.

profile

Profile that defines L2PT configuration for L2 protocols.

profile_name

Specifies a profile name (maximum 32 characters).

Default
Disabled.

Usage Guidelines
Use this command to create an L2PT profile.

Example
The following example create a new L2PT profile named "my_l2pt_prof":
create l2pt profile my_l2pt_prof

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure fdb agingtime

configure fdb agingtime seconds

Description
Configures the FDB aging time for dynamic entries.

Syntax Description
agingtime

If agingtime is set to 0, all aging entries in the database are defined as static,
nonaging entries.

seconds

Specifies the FDB aging time, in seconds. A value of 0 indicates that the entry
should never be aged out. All other platforms support the value 0 (no aging)
and a range of 15 to 1,000,000 seconds.

Layer 2 Basics

95

Layer 2 Basic Commands

Default
N/A.

Usage Guidelines
If the aging time is set to 0 (zero), all dynamic entries in the database become static, nonaging entries.
This means that they do not age out, but non-permanent static entries can be deleted if the switch is
reset.
For all platforms except BlackDiamond 8900 xl-series modules and Summit X480 switches, the
software flushes the FDB table once the aging timeout parameter is reached, even if the switch is
running traffic and populating addresses in the FDB table.
For BlackDiamond 8900 xl-series modules and Summit X480 switches, the hardware flushes the FDB
table at periods based on the configured software aging time. The actual hardware aging time does not
exactly match the software aging time and can be as high as twice the configured software aging time.

Example
The following example sets the FDB aging time to 3,000 seconds:
configure fdb agingtime 3000

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

configure fdb mac-tracking ports

configure fdb mac-tracking {[add|delete]} ports [port_list|all]

Description
Enables or disables MAC address tracking for all MAC addresses on the specified ports.

Syntax Description
add

Enables MAC address tracking for the specified ports.

delete

Disables MAC address tracking for the specified ports.

port_list

Specifies a list of ports on which MAC address tracking is to be enabled or

disabled.

all

Specifies that MAC address tracking is to be enabled or disabled on all ports.

Layer 2 Basics

96

Layer 2 Basic Commands

Default
No ports are enabled for MAC address tracking.

Usage Guidelines
MAC address tracking events on enabled ports generate EMS messages and can optionally generate
SNMP traps.
Note
When a MAC address is configured in the tracking table, but detected on a MAC tracking
enabled port, the per MAC address statistical counters are not updated.

Example
The following example enables MAC address tracking for all MAC addresses on port 2:1:
configure fdb mac-tracking add ports 2:1

History
This command was first available in ExtremeXOS 12.4.

Platform Availability
This command is available on all platforms.

configure fdb static-mac-move packets

configure fdb static-mac-move packets count

Description
Configures the number of EMS and SNMP reports that can be generated each second for MAC
addresses that are duplicates of statically configured MAC addresses.

Syntax Description
count

Specifies the number of duplicate MAC address events that are reported each
second. The range is 1 to 25.

Default
2.

Layer 2 Basics

97

Layer 2 Basic Commands

Usage Guidelines
None.

Example
The following example configures the switch to report up to five duplicate MAC address events per
second:
configure fdb static-mac-move packets 5

History
This command was first available in ExtremeXOS 12.7.

Platform Availability
This command is available only on the Summit family switches.

configure l2pt encapsulation dest-mac

configure l2pt encapsulation dest-mac mac_address

Description
Configures the destination address MAC that L2PT encapsulated packets use.

Syntax Description
encapsulation

Specifies Layer 2 protocol tunneling encapsulation.

dest-mac

Specifies the destination MAC address to use for encapsulated PDUs.

mac_addr

Specifies the MAC address.

Default
Usage Guidelines
NA

Example
The following example sets the L2PT destination address MAC to 01:00:00:01:01:02:
configure l2pt encapsulation dest-mac 01:00:00:01:01:02

Layer 2 Basics

98

Layer 2 Basic Commands

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure l2pt profile add profile

configure l2pt profile profile_name add protocol filter filter_name {action
[tunnel {cos cos} | encapsulate | none]}

Description
Adds an entry to an L2PT profile.

Syntax Description
profile profile_name

Specifies the profile that defines L2PT configuration for L2 protocols.

add protocol filter

filter_name

Adds the specified Layer 2 protocol filter.

action

Specifies the action to perform on PDUs of the protocol (the default value is
tunnel).

tunnel

Specifies to tunnel PDUs through the network.

cos cos

Specifies to override the class of service for tunneled PDUs, and specifies the
class of service value to use for tunneling PDUs.

encapsulate

Specifies to encapsulate PDUs at egress, and decapsulate L2PT packets at

ingress.

none

Specifies to not participate in tunneling for this protocol.

Default
Disabled.

Usage Guidelines
Use this command to add an entry to an L2PT profile.

Example
The following example adds an entry to my_l2pt_prof to tunnel protocols in "mylistt" at cos 2:
configure l2pt profile my_l2pt_prof add protocol filter mylist action tunnel
cos 2

Layer 2 Basics

99

Layer 2 Basic Commands

The following example adds an entry to my_l2pt_prof to encapsulate/decapsulate protocols in "mylist":

configure l2pt profile my_l2pt_prof add protocol filter mylist action
encapsulate

The following example adds an entry to my_l2pt_prof that is in use by 2 services:

configure l2pt profile my_l2pt_prof add protocol filter mylist

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure l2pt profile delete profile

configure l2pt profile profile_name delete protocol filter filter_name

Description
Deletes an entry to an L2PT profile.

Syntax Description
profile profile_name

Specifies the profile that defines L2PT configuration for L2 protocols.

delete protocol filter

filter_name

Deletes the specified Layer 2 protocol filter.

Default
Disabled.

Usage Guidelines
Use this command to delete an entry to an L2PT profile.

Example
The following example deletes the entry for "mylist" from my_l2pt_prof:
configure l2pt profile my_l2pt_prof delete protocol filter mylist

Layer 2 Basics

100

Layer 2 Basic Commands

The following example deletes the entry entry for "mylist" from my_l2pt_prof that is in use by a service:
configure l2pt profile my_l2pt_prof delete protocol filter mylist

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure port ethertype

configure port port_list ethertype {primary | secondary}

Description
Assigns the primary or secondary ethertype value to the specified ports.

Syntax Description
port_list

Specifies the list of ports to be configured.

primary

Assigns the primary ethertype value to the specified ports.

secondary

Assigns the secondary ethertype value to the specified ports.

Default
N/A.

Usage Guidelines
None.

Example
The following example configures port 2:1 to use the secondary ethertype:
configure port 2:1 ethertype secondary

History
This command was first available in ExtremeXOS 12.0.

Layer 2 Basics

101

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

configure ports l2pt profile

configure [vlan | vman] vlan_name ports port_list l2pt profile [none |
profile_name]

Description
Configures L2PT profiles on service interfaces.

Syntax Description
vlan

Specifies the VLAN configuration.

vman

Specifies the VMAN configuration.

vlan_name

Specifies the VLAN name.

ports port_list

Specifies the port and port list separated by a comma ( , ) or dash ( - ).

profile

Specifies the L2PT profile for the ports.

none

Specifies that no L2PT profile should be bound to the ports (default).

profile_name

Specifies the L2PT profile to be bound to the ports.

Default
Disabled.

Usage Guidelines
Use this command to configure L2PT profiles on service interfaces.

Example
The following example binds my_l2pt_prof with ports 2 and 5 of VMAN cust1:
configure vman cust1 ports 2,5 l2pt profile my_l2pt_prof

The following example binds my_l2pt_prof with ports 2 and 5 of VMAN cust1. Port 5 is not a part of
VMAN cust1:
configure vman cust1 ports 2,5 l2pt profile my_l2pt_prof
Error: Port 5 is not part of the service.

History
This command was first available in ExtremeXOS 15.5.

Layer 2 Basics

102

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

configure ports protocol filter

configure ports [port_list | all] protocol filter [none | filter_name]

Description
Configures protocol filtering on a port.

Syntax Description
port_list

Specifies the port list separated by a comma ( , ) or dash ( - ).

all

Specifies all ports.

protocol filter

Specifies the protocol filter.

none

Specifies to not perform protocol filtering on specified ports.

filter_name

Specifies the protocol filter name.

Default
Disabled.

Usage Guidelines
Use this command to configure protocol filtering on a port.

Example
The following example unbinds the L2PT profile from peer 1.1.1.1 of VPLS cust2:
configure l2vpn vpls cust2 peer 1.1.1.1 l2pt profile none

The following example enables filtering of protocols in my_list on port 1:

configure ports 1 protocol filter "my_list"

The following example disables protocol filtering on port 7:

configure ports 7 protocol filter none

History
This command was first available in ExtremeXOS 15.5.

Layer 2 Basics

103

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

configure private-vlan add network

configure private-vlan name add network vlan_name

Description
Adds the specified VLAN as the network VLAN on the specified PVLAN.

Syntax Description
name

Specifies the name of the PVLAN to which the VLAN is added.

vlan_name

Specifies a VLAN to add to the PVLAN.

Default
N/A.

Usage Guidelines
The VLAN must be created and configured with a tag before it is added to the PVLAN.

Example
The following example adds VLAN "sharednet" as the network VLAN for the PVLAN named
"companyx":
configure private-vlan companyx add network sharednet

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. The features and the
platforms that support them are listed in the Feature License Requirements document.

configure private-vlan add subscriber

configure private-vlan name add subscriber vlan_name {non-isolated} {loopbackport port}

Layer 2 Basics

104

Layer 2 Basic Commands

Description
Adds the specified VLAN as a subscriber VLAN on the specified PVLAN.

Syntax Description
name

Specifies the name of the PVLAN to which the VLAN is added.

vlan_name

Specifies a VLAN to add to the PVLAN.

non-isolated

Configures the subscriber VLAN as a non-isolated subscriber VLAN.

port

Specifies the port that serves as the loopback port.

Default
If the non-isolated option is omitted, this command adds the specified VLAN as an isolated
subscriber VLAN.

Usage Guidelines
The VLAN must be created and configured with a tag before it is added to the PVLAN. If the nonisolated option is omitted, the VLAN is added as an isolated subscriber VLAN. If the non-isolated option
is included, the VLAN is added as an non-isolated subscriber VLAN.
The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit
family switches, whether or not included in a SummitStack. If two or more subscriber VLANs have
overlapping ports (where the same ports are assigned to both VLANs), each of the subscriber VLANs
with overlapping ports must have a dedicated loopback port.

Example
The following example adds VLAN "restricted" as a subscriber VLAN for the PVLAN named
"companyx":
configure private-vlan companyx add subscriber restricted isolated

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

configure private-vlan delete

configure private-vlan name delete [network | subscriber] vlan_name

Layer 2 Basics

105

Layer 2 Basic Commands

Description
Deletes the specified VLAN from the specified PVLAN.

Syntax Description
name

Specifies the name of the PVLAN from which the VLAN is deleted.

network

Specifies that the VLAN to be deleted is a network VLAN.

subscriber

Specifies that the VLAN to be deleted is a subscriber VLAN.

vlan_name

Specifies the VLAN to delete from the PVLAN.

Default
N/A.

Usage Guidelines
This command deletes a VLAN from a PVLAN, but it does not delete the VLAN from the systemit just
breaks the link between the VLAN and the PVLAN. You can use this command to delete both network
and subscriber VLANs.

Example
The following example deletes network VLAN "sharednet "from the PVLAN named "companyx":
configure private-vlan companyx delete network sharednet

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

configure protocol add

configure protocol {filter} filter_name add [etype | llc | snap] hex {[etype |
llc | snap] hex}

Description
Configures a user-defined protocol filter.

Layer 2 Basics

106

Layer 2 Basic Commands

Syntax Description
filter

Configures a protocol filter.

filter_name

Specifies a protocol filter name.

add

Specifies that you add a protocol.

delete

Specifies that you delete a protocol.

etype

Specifies an ethertype protocol.

llc

Specifies LLC protocol.

snap

Specifies SNAP protocol.

hex

Specifies a four-digit hexadecimal number between 0 and FFFF that

represents:
The Ethernet protocol type taken from a list maintained by the IEEE.
The DSAP/SSAP combination created by concatenating a two-digit LLC
Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).
The SNAP-encoded Ethernet protocol type.

Default
N/A.

Usage Guidelines
Supported protocol types include:

etypeIEEE Ethertype.
llcLLC Service Advertising Protocol.
snapEthertype inside an IEEE SNAP packet encapsulation.

A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined.
The protocol filter must already exist before you can use this command. Use the create protocol
command to create the protocol filter.
No more than seven protocols can be active and configured for use.
Note
Protocol-based VLAN for Etype from 0x0000 to 0x05ff are not classifying as per filter. When
traffic arrive with these Etypes, it is classifed to native VLAN rather protocol-based VLAN.

Example
The following example adds MPLS to "my_filter":
configure protocol my_filter add etype 0x8847
configure protocol filter my_filter add etype 0x8847

Layer 2 Basics

107

Layer 2 Basic Commands

The following example deletes MPLS from "my_other_filter":

configure protocol my_other_filter delete etype 0x8847
configure protocol filter my_other_filter delete etype 0x8847

History
This command was first available in ExtremeXOS 10.1.
The filter keyword and options were added in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure protocol delete

configure protocol name delete [etype | llc | snap] hex {[etype | llc | snap]
hex} ...

Description
Deletes the specified protocol type from a protocol filter.

Syntax Description
name

Specifies a protocol filter name.

hex

Specifies a four-digit hexadecimal number between 0 and FFFF that

represents:
The Ethernet protocol type taken from a list maintained by the IEEE.
The DSAP/SSAP combination created by concatenating a two-digit LLC
Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).
The SNAP-encoded Ethernet protocol type.

Default
N/A.

Usage Guidelines
Supported protocol types include:

etypeIEEE Ethertype.
llcLLC Service Advertising Protocol.
snapEthertype inside an IEEE SNAP packet encapsulation.

Layer 2 Basics

108

Layer 2 Basic Commands

Example
The following example deletes protocol type LLC SAP with a value of FEFF from protocol "fred":
configure protocol fred delete llc feff

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

configure protocol filter

configure protocol filter filter_name [add | delete] dest-mac mac_address {[etype
| llc | snap] hex} {field offset offset value value {mask mask}}

Description
Configures the destination address as well as an arbitrary field of the protocol.

Syntax Description
filter_name

Specifies a protocol filter name.

add

Specifies that you add a protocol.

delete

Specifies that you delete a protocol.

dest-mac

Specifies the destination MAC address used by PDUs of the protocol.

mac_address

Specifies the MAC address.

etype

Specifies the EtherType used by PDUs of the protocol.

llc

Specifies the LLC DSAP and SSAP used by PDUs of the protocol.

snap

Specifies the SNAP protocol identifier used by PDUs of the protocol.

hex

Specifies a four-digit hexadecimal number between 0 and FFFF that

represents:
The Ethernet protocol type taken from a list maintained by the IEEE.
The DSAP/SSAP combination created by concatenating a two-digit LLC
Destination SAP (DSAP) and a two-digit LLC Source SAP (SSAP).
The SNAP-encoded Ethernet protocol type.

field

Specifies a field used by PDUs of the protocol.

offset

Specifies the offset of the field from the start of the PDU.

Layer 2 Basics

109

Layer 2 Basic Commands

value value

Specifies the value of the field in hexadecimal (for example, A1:B2:0C.

Maximum 16 bytes).

mask mask

Specifies the mask for the field in hexadecimal (for example, FF:FF:0F.
Maximum 16 bytes).

Default
N/A.

Usage Guidelines
Supported protocol types include:

etypeIEEE Ethertype.
llcLLC Service Advertising Protocol.
snapEthertype inside an IEEE SNAP packet encapsulation.

A maximum of 15 protocol filters, each containing a maximum of six protocols, can be defined.
The protocol filter must already exist before you can use this command. Use the create protocol
command to create the protocol filter.
No more than seven protocols can be active and configured for use.
Note
Protocol-based VLAN for Etype from 0x0000 to 0x05ff are not classifying as per filter. When
traffic arrive with these Etypes, it is classifed to native VLAN rather protocol-based VLAN.

Example
The following example LACP to the protocol list "mylist":
configure protocol mylist add dest-mac 01:80:C2:00:00:02 etype 0x8809 field
offset 14 value
01 mask FF

The following example removes EFM OAM from the protocol list "mylist":
configure protocol filter mylist delete dest-mac 01:80:C2:00:00:02 etype
0x8809 field offset
14 value 03 mask FF

The following example configures a mismatched mask and value:

configure protocol mylist delete dest-mac 01:80:C2:00:00:02 etype 0x8809
field offset 14 value 03 mask FF:FF
Error: The length of the field value is not the same as the field mask.

Layer 2 Basics

110

Layer 2 Basic Commands

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure vlan add ports private-vlan translated

Translation from network VLAN tag to each subscriber VLAN tag is done by default in a private VLAN.
configure {vlan} vlan_name add ports port_list private-vlan translated

Description
Adds the specified ports to the specified network VLAN and enables tag translation for all subscriber
VLAN tags to the network VLAN tag.

Syntax Description
vlan_name

Specifies the network VLAN to which the ports are added.

port_list

Specifies the ports to be added to the network VLAN.

Default
N/A.

Usage Guidelines
This command is allowed only when the specified VLAN is configured as a network VLAN on a PVLAN.

Example
The following example adds port 2:1 to VLAN sharednet and enables VLAN translation on that port:
configure sharednet add ports 2:1 private-vlan translated

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

Layer 2 Basics

111

Layer 2 Basic Commands

configure vlan add ports

configure {vlan} vlan_name add ports [port_list | all] {tagged tag | untagged}
{{stpd} stpd_name} {dot1d | emistp | pvst-plus}}

Description
Adds one or more ports in a VLAN.

Syntax Description
vlan_name

Specifies a VLAN name.

port_list

Specifies a list of ports or slots and ports.

all

Specifies all ports.

tagged tag

Specifies the ports should be configured as tagged.

untagged

Specifies the ports should be configured as untagged.

stpd_name

Specifies an STP domain name.

dot1d | emistp | pvst-plus

Specifies the BPDU encapsulation mode for these STP ports.

Default
Untagged.

Usage Guidelines
The VLAN must already exist before you can add (or delete) ports: use the create vlan command to
create the VLAN.
If the VLAN uses 802.1Q tagging, you can specify tagged or untagged port(s). If the VLAN is untagged,
the ports cannot be tagged.
Untagged ports can only be a member of a single VLAN. By default, they are members of the default
VLAN (named Default). In order to add untagged ports to a different VLAN, you must first remove
them from the default VLAN. You do not need to do this to add them to another VLAN as tagged ports.
If you attempt to add an untagged port to a VLAN prior to removing it from the default VLAN, you see
the following error message:
Error: Protocol conflict when adding untagged port 1:2. Either add this port as
tagged or assign another protocol to this VLAN.

Note
This message is not displayed if keyword all is used as port_list.
The ports that you add to a VLAN and the VLAN itself cannot be explicitly assigned to different virtual
routers (VRs). When multiple VRs are defined, consider the following guidelines while adding ports to a
VLAN:

Layer 2 Basics

112

Layer 2 Basic Commands

A VLAN can belong (either through explicit or implicit assignment) to only one VR.
If a VLAN is not explicitly assigned to a VR, then the ports added to the VLAN must be explicitly
assigned to a single VR.
If a VLAN is explicitly assigned to a VR, then the ports added to the VLAN must be explicitly
assigned to the same VR or to no VR.
If a port is added to VLANs that are explicitly assigned to different VRs, the port must be explicitly
assigned to no VR.
Note
User-created VRs are supported only on the platforms listed for this feature in in the
Feature License Requirements document. On switches that do not support user-created
VRs, all VLANs are created in VR-Default and cannot be moved.

Refer to STP Commands for more information on configuring Spanning Tree Domains.
Note
If you use the same name across categories (for example, STPD and EAPS names), we
recommend that you specify the identifying keyword as well as the actual name. If you do not
use the keyword, the system may return an error message.
Beginning with ExtremeXOS 11.4, the system returns the following message if the ports you are adding
are already EAPS primary or EAPS secondary ports:
WARNING: Make sure Vlan1 is protected by EAPS. Adding EAPS ring ports to a VLAN
could cause a loop in the network. Do you really want to add these ports? (y/n)

Example
The following example assigns tagged ports 1:1, 1:2, 1:3, and 1:6 to a VLAN named "accounting":
configure vlan accounting add ports 1:1, 1:2, 1:3, 1:6 tagged

History
This command was first available in ExtremeXOS 10.1.
The tagged keyword was added in ExtremeXOS 15.4.

Platform Availability
This command is available on all platforms.

configure vlan delete ports

configure {vlan} vlan_name delete ports [all | port_list {tagged tag}]

Description
Deletes one or more ports in a VLAN.

Layer 2 Basics

113

Layer 2 Basic Commands

Syntax Description
vlan_name

Specifies a VLAN name.

all

Specifies all ports.

port_list

Specifies a list of ports or slots and ports.

tagged tag

Specifies the port-specific VLAN tag. When there are multiple ports specified
using port_list, the same tag is used for all of them.

Default
When unspecified, the port tag is equal to the VLAN tag.

Usage Guidelines
Specify port tag to delete a VLAN port that has a different tag from the VLAN tag.

Example
The following example removes ports 1:1, 1:2, 4:3, and 5:6 on a modular switch from a VLAN named
accounting:
configure accounting delete port 1:1, 1:2, 4:3, 5:6

The following example deletes a VLAN port with tag 10:

create vlan exchange tag 100
config vlan exchange del ports 3 tag 10

The following example deletes a VLAN port tag of 10 on two ports:

create vlan exchange tag 100
config vlan exchange d ports 3,4 tag 10

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

configure vlan description

configure {vlan} vlan_name description [vlan-description | none]

Layer 2 Basics

114

Layer 2 Basic Commands

Description
Configures a description for the specified VLAN.

Syntax Description
vlan_name

Specifies the VLAN name.

vlan-description

Specifies a VLAN description (up to 64 characters) that appears in show vlan

commands and can be read from the ifAlias MIB object for the VLAN.

none

This keyword removes the configured VLAN description.

Default
By default, the VLAN has no description.

Usage Guidelines
The VLAN description must be in quotes if the string contains any space characters. If a VLAN
description is configured for a VLAN that already has a description, the new description replaces the
old description.

Example
The following example assigns the description "Campus A" to VLAN vlan1:
configure vlan vlan1 description Campus A

History
This command was first available in ExtremeXOS 12.4.4.

Platform Availability
This command is available on all platforms.

configure vlan ipaddress

configure {vlan} vlan_name ipaddress [ipaddress {ipNetmask} | ipv6-link-local |
{eui64} ipv6_address_mask]

Description
Assigns an IPv4 address and an optional subnet mask or an IPv6 address to the VLAN. Beginning with
ExtremeXOS 11.2, you can specify IPv6 addresses. You can assign either an IPv4 address, and IPv6

Layer 2 Basics

115

Layer 2 Basic Commands

address, or both to the VLAN. Beginning with ExtremeXOS 11.3, you can use this command to assign an
IP address to a specified VMAN and enable multicasting on that VMAN.
Note
You can also use this command to assign an IP address to a VMAN on all platforms that
support the VMAN feature. For information on which software licenses and platforms support
the VMAN feature, see the Feature License Requirements document.

Syntax Description
vlan_name

Specifies a VLAN name.

ipaddress

Specifies an IPv4 address.

ipNetmask

Specifies an IPv4 subnet mask in dotted-quad notation (for example, 255.255.255.0).

ipv6-link-local

Specifies IPv6 and configures a link-local address generated by combining the

standard link-local prefix with the automatically generated interface in the EUI-64
format. Using this option automatically generates an entire IPv6 address; this address
is only a link-local, or VLAN-based, IPv6 address; that is, ports on the same segment
can communicate using this IP address and do not have to pass through a gateway.

eui64

Specifies IPv6 and automatically generates the interface ID in the EUI-64 format using
the interfaces MAC address. Once you enter this parameter, you must add the
following variables: ipv6_address_mask. Use this option when you want to enter
the 64-bit prefix and use a EUI-64 address for the rest of the IPv6 address.

ipv6_address_mask Specify the IPv6 address in the following format: x:x:x:x:x:x:x:x/prefix length, where
each x is the hexadecimal value of one of the 8 16-bit pieces of the 128-bit wide
address.

Default
N/A.

Usage Guidelines
The VLAN must already exist before you can assign an IP address; use the create vlan command to
create the VLAN (also the VMAN must already exist).
Note
If you plan to use the VLAN as a control VLAN for an EAPS domain, do NOT configure the
VLAN with an IP address. See IP Unicast Commands for information on adding secondary IP
addresses to VLANs.
Beginning with ExtremeXOS 11.2, you can specify IPv6 addresses. See IPv6 Unicast Routing for
information on IPv6 addresses.
Beginning with ExtremeXOS 11.3, you can assign an IP address (including IPv6 addresses) to a VMAN.
Beginning with version 11.4, you can enable multicasting on that VMAN.
To enable multicasting on the specified VMAN once you assigned an IP address, take the following
steps:

Layer 2 Basics

116

Layer 2 Basic Commands

1 Enable IP multicast forwarding.

2 Enable and configure multicasting.

Example
The following examples are equivalent; both assign an IPv4 address of 10.12.123.1 to a VLAN named
"accounting":
configure vlan accounting ipaddress 10.12.123.1/24
configure vlan accounting ipaddress 10.12.123.1 255.255.255.0

The following example assigns a link local IPv6 address to a VLAN named management:
configure vlan accounting ipaddress ipv6-link-local

History
This command was first available in ExtremeXOS 10.1.
The IPv6 parameters were added in ExtremeXOS 11.2.

Platform Availability
This command is available on all platforms.

configure vlan name

configure {vlan} vlan_name name name

Description
Renames a previously configured VLAN.

Syntax Description
vlan_name

Specifies the current (old) VLAN name.

name

Specifies a new name for the VLAN.

Default
N/A.

Usage Guidelines
You cannot change the name of the default VLAN Default.

Layer 2 Basics

117

Layer 2 Basic Commands

For information on VLAN name requirements and a list of reserved keywords, see Object Names.
Note
If you use the same name across categories (for example, STPD and EAPS names), we
recommend that you specify the identifying keyword as well as the actual name. If you do not
use the keyword, the system may return an error message.

Example
The following example renames VLAN vlan1 to engineering:
configure vlan vlan1 name engineering

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

configure vlan protocol

configure {vlan} vlan_name protocol {filter}filter_name

Description
Configures a VLAN to use a specific protocol filter.

Syntax Description
vlan_name

Specifies a VLAN name.

protocol

Specifies a protocol filter.

filter

Specifies a protocol filter.

protocol_name

Specifies a protocol filter name. This can be the name of a predefined

protocol filter, or one you define.The following protocol filters are predefined:
IP, IPv6, IPX, NetBIOS, DECNet, IPX_8022, IPX_SNAP, AppleTalk.
Using any indicates that this VLAN should act as the default VLAN for its
member ports.

Default
Protocol any.

Layer 2 Basics

118

Layer 2 Basic Commands

Usage Guidelines
If the keyword any is specified, all packets that cannot be classified into another protocol-based VLAN
are assigned to this VLAN as the default for its member ports.
Use the configure protocol command to define your own protocol filter.

Protocol Filters on BlackDiamond 8800 Series Switches, SummitStack,

and the Summit Family Switches Only
These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that
AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to any and define
other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets pass on the
any VLAN, and the other protocols pass traffic on their specific protocol-based VLANs.

Example
The following example configures the protocol filter "my_filter" to vlan v1:
configure vlan v1 protocol "my_filter"
configure vlan v1 protocol filter "my_filter"

History
This command was first available in ExtremeXOS 10.1.
The IPv6 parameter was added in ExtremeXOS 11.2.
The filter keyword was added in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure vlan tag

configure {vlan} vlan_name tag tag {remote-mirroring}

Description
Assigns a unique 802.1Q tag to the VLAN.

Syntax Description
vlan_name

Specifies a VLAN name.

tag

Specifies a value to use as an 802.1Q tag. The valid range is from 2 to 4095.

remote-mirroring

Specifies that the tagged VLAN is for remote mirroring.

Layer 2 Basics

119

Layer 2 Basic Commands

Default
The default VLAN uses an 802.1Q tag (and an internal VLANid) of 1.

Usage Guidelines
If any of the ports in the VLAN use an 802.1Q tag, a tag must be assigned to the VLAN. The valid range
is from 2 to 4094 (tag 1 is assigned to the default VLAN, and tag 4095 is assigned to the management
VLAN).
The 802.1Q tag is also used as the internal VLANid by the switch.
You can specify a value that is currently used as an internal VLANid on another VLAN; it becomes the
VLANid for the VLAN you specify, and a new VLANid is automatically assigned to the other untagged
VLAN.

Example
The following command assigns a tag (and internal VLANid) of 120 to a VLAN named accounting:
configure accounting tag 120

History
This command was first available in ExtremeXOS 10.1.
The remote-mirroring option was added in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms.

configure vlan-translation add loopback-port

configure {vlan} vlan_name vlan-translation add loopback-port port

Description
Adds the specified port as a loopback port for the specified member VLAN.

Syntax Description
vlan_name

Specifies the name of the member VLAN to which you want to add the
loopback port.

port

Specifies the port that serves as the loopback port.

Layer 2 Basics

120

Layer 2 Basic Commands

Default
N/A.

Usage Guidelines
The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit
family switches, whether or not they are included in a SummitStack. If two or more member VLANs
have overlapping ports (where the same ports are assigned to both VLANs), each of the member
VLANs with overlapping ports must have a dedicated loopback port.
The loopback port can be added to the member VLAN when the member VLAN is created, or you can
use this command to add the loopback port at a later time.

Example
The following example adds port 2:1 as a loopback port for the member VLAN leafvlan:
configure leafvlan vlan-translation add loopback-port 2:1

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the VLAN Translation feature. For features and
the platforms that support them, see the Feature License Requirements document.

configure vlan-translation add member-vlan

configure {vlan} vlan_name vlan-translation add member-vlan member_vlan_name
{loopback-port port}

Description
Adds a member VLAN to a translation VLAN.

Syntax Description
vlan_name

Specifies the name of the translation VLAN to which you want to add the
member VLAN.

member_vlan_name

Specifies the member VLAN to be added to the translation VLAN.

port

Specifies the port that serves as the loopback port.

Layer 2 Basics

121

Layer 2 Basic Commands

Default
N/A.

Usage Guidelines
This command configures VLAN tag translation between the two VLANs specified. The member VLAN
is added to the list maintained by translation VLAN. A translation VLAN can have multiple member
VLANs added to it.
The loopback-port port option is available only on BlackDiamond 8000 series modules and Summit
family switches, whether or not they are included in a SummitStack. If two or more member VLANs
have overlapping ports (where the same ports are assigned to both VLANs), each of the member
VLANs with overlapping ports must have a dedicated loopback port.

Example
The following example adds member VLAN leafvlan to the translation VLAN branchvlan:
configure branchvlan vlan-translation add member-vlan leafvlan

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the VLAN Translation feature. For features and
the platforms that support them, see the Feature License Requirements document.

configure vlan-translation delete loopback-port

configure {vlan} vlan_name vlan-translation delete loopback-port

Description
Deletes the loopback port from the specified member VLAN.

Syntax Description
vlan_name

Specifies the name of the member VLAN from which you want to delete the
loopback port.

Default
N/A.

Layer 2 Basics

122

Layer 2 Basic Commands

Usage Guidelines
This command disables and deletes the loopback port from the specified member VLAN. This
command does not delete the member VLAN.

Example
The following example deletes the loopback port from the member VLAN leafvlan:
configure leafvlan vlan-translation delete loopback-port

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the VLAN Translation feature. For features and
the platforms that support them, see the Feature License Requirements document.

configure vlan-translation delete member-vlan

configure {vlan} vlan_name vlan-translation delete member-vlan [member_vlan_name
| all]

Description
Deletes one or all member VLANs from a translation VLAN.

Syntax Description
vlan_name

Specifies the name of the translation VLAN from which you want to delete
the member VLAN.

member_vlan_name

Specifies the member VLAN to be deleted from the translation VLAN.

all

Deletes all member VLANs from the specified translation VLAN.

Default
N/A.

Usage Guidelines
This command removes the link between the translation VLAN and the specified member VLANs, but it
does not remove the VLANs from the switch.

Layer 2 Basics

123

Layer 2 Basic Commands

Example
The following example deletes member VLAN leafvlan from the translation VLAN branchvlan:
configure branchvlan vlan-translation delete member-vlan leafvlan

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the VLAN Translation feature. For features and
the platforms that support them, see the Feature License Requirements document.

configure vman add ports cep

configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last}
{translate cvid_first_xlate {- cvid_last_xlate}}

Description
Adds one or more switch ports to the specified VMAN as Customer Edge Ports (CEPs), and configures
the CVIDs on those ports to map to the VMAN.

Syntax Description
vman_name

Specifies the VMAN to configure.

port_list

Specifies a list of ports.

cvid_first

Specifies a CVLAN ID (CVID) or the first in a range of CVIDs that the CEP will
accept and map to the specified VMAN. Valid values are 1-4095.

cvid_last

Specifies the last in a range of CVIDs that the CEP will accept and map to the
VMAN. Valid values are 1-4095.

translate

Enables translation of the specified CEP CVID range to the specified VMAN
CVID range.

cvid_first_xlate

Specifies a VMAN CVID or the first in a range of VMAN CVIDs to which the
CEP CVIDs will map. Valid values are 1-4095.

cvid_last_xlate

Specifies the last in a range of VMAN CVIDs to which the CEP CVIDs will map.
Valid values are 1-4095. The number of VMAN CVIDs in this range must equal
the number of CEP CVIDs specified in this command.

Default
N/A.

Layer 2 Basics

124

Layer 2 Basic Commands

Usage Guidelines
If you specify only one CVID or a range of CVIDs without translation, the specified CVIDs are mapped to
the specified VMAN and appear unchanged in the VMAN.
If you specify CVID translation, the CEP CVIDs map to different VMAN CVIDs. The number of CEP
CVIDs specified must equal the number of VMAN CVIDs specified. The first CEP CVID in the specified
range maps to the first CVID in the range specified for the VMAN. The difference between cvid_first
and cvid_first_xlate establishes an offset N that maps CEP CVIDs to VMAN CVIDs. (Offset N =
cvid_first_xlate - cvid_first.) The translated VMAN CVID that corresponds to a CEP CVID can be
determined as follows:
VMAN CVID = CEP CVID + N
Note
CVID translation can reduce the number of CVIDs that can be mapped to VMANs.
After you enable and configure a CEP with this command, you can use the following command to map
additional CVIDs on the port to the VMAN:
configure vman vman_name ports port_list add cvid cvid_first {- cvid_last}
{translate cvid_first_xlate {- cvid_last_xlate}}

When this command specifies multiple ports, each port gets an independent CVID map; the ports do
not share a common map. Changes to the CVID map affect only the ports specified in the configuration
command. For example, consider the following commands:
configure vman vman1 add port 1-2 cep cvid 10 configure vman vman1 port 1 add
cvid 11

After these commands are entered, port 1 maps CVIDs 10 and 11 to VMAN vman1, and port 2 maps only
CVID 10 to vman1.
You can add the same port as a CEP to multiple VMANs. A port can also support multiple VMANs in
different roles as shown in Table 4: Port Support for Combined VMAN Roles and VLANs on page 128.
To view the CEP CVID configuration for a port, use the show vman command.

Example
The following example configures port 1 as a CEP for VMAN vman1 and specifies that CEP CVID 5 maps
to CVID 5 on the VMAN:
configure vman vman1 add port 1 cep cvid 5

The following example configures port 1 as a CEP for VMAN vman1 and enables the port to translate
CEP CVIDs 10-19 to VMAN CVIDs 20-29:
configure vman vman1 add port 1 cep cvid 10 - 19 translate 20 - 29

Layer 2 Basics

125

Layer 2 Basic Commands

History
This command was first available in ExtremeXOS 12.6.

Platform Availability
This command is available on BlackDiamond X8, BlackDiamond 8800 series switches and Summit
family switches
The CVID translation feature is available only on BlackDiamond X8, BlackDiamond 8900 c-, xl-, and xmseries modules and Summit X440, X460, X480, X670 and X770 series switches.

configure vman add ports

configure vman vman-name add ports [ all | port_list ] {untagged {port-cvid
port_cvid} | tagged}

Description
Adds one or more ports to a VMAN.

Syntax Description
vman-name

Specifies the VMAN to configure.

all

Specifies all switch ports.

port_list

Specifies a list of ports.

untagged

Configures the specified ports as Customer Network Ports (CNPs).

tagged

Configures the specified ports as Provider Network Ports (PNPs), which

are also called VMAN network ports.

port_cvid

Port's CVID used for untagged packets. If unspecified, untagged packets

will be single tagged with the VMAN's SVID. If specified, untagged
packets will be double tagged with the VMAN's SVID and the port's
CVID.

Default
If you do not specify a parameter, the default value is untagged, which creates a CNP.

Usage Guidelines
This command adds ports as either CNPs or PNPs. To add a port to a VMAN as a CEP, use the following
command:
configure vman vman_name add ports port_list cep cvid cvid_first {- cvid_last}
{translate cvid_first_xlate {- cvid_last_xlate}}

The VMAN must already exist before you can add (or delete) ports. VMAN ports can belong to loadsharing groups.

Layer 2 Basics

126

Layer 2 Basic Commands

When a port is configured serve as a CNP for one VMAN and A PNP for another VMAN, it inspects the
VMAN ethertype in received packets. Packets with a matching ethertype are treated as tagged and
switched across the associated PNP VMAN. Packets with a non-matching ethertype are treated as
untagged and forwarded into the associated CNP VMAN.
When a port is configured only as a CNP (an untagged VMAN member), whether the VMAN ethertype
is 0x8100 or otherwise, all received packets ingress the associated VMAN regardless of the packet's
tagging.
Note
If you use the same name across categories (for example, STPD and EAPS names), we
recommend that you specify the identifying keyword as well as the actual name. If you do not
use the keyword, the system may return an error message.
The following guidelines apply to all platforms:

5
6
7

You must enable or disable jumbo frames before configuring VMANs. You can enable or disable
jumbo frames on individual ports or modules, or on the entire switch. See Configuring Ports on a
Switch for more information on configuring jumbo frames.
Each port can serve in only one VMAN role per VMAN. When multiple roles are configured on a port,
each role must be configured for a different VMAN.
Multiple VMAN roles can be combined on one port with certain VLAN types as shown in the
following table.

Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.

Layer 2 Basics

127

Layer 2 Basic Commands

Table 4: Port Support for Combined VMAN Roles and VLANs

Platform

Combined
CNP, CEP, and
Tagged
VLAN 5 , 6

Combined
PNP, CNP, and
CEPa, b, 7

Combined PNP Combined PNP

and Tagged
and Untagged
VLAN
VLAN

Summit X440, X460, X480, X670 and X770

X8

BlackDiamond 8500 and 8800 c-, and

e-series modules

Xd

BlackDiamond X8 series switches and

BlackDiamond 8900 c-, xl-, and xm-series
modules

Xe

Note
If you already configured VLANs and VMANs on the same module or stand-alone switch
using ExtremeXOS 11.4, you cannot change the VMAN ethertype from 0X8100 without first
removing either the VLAN or VMAN configuration.

Example
The following example assigns ports 1:1, 1:2, 1:3, and 1:6 to a VMAN named accounting:
configure vman accounting add ports 1:1, 1:2, 1:3, 1:6 tag 100

History
This command was first available in ExtremeXOS 11.0.
The svid keyword was added in ExtremeXOS 12.2.

8
5
6
7
5
6
7
5
6
7
5
6
7

If the secondary VMAN ethertype is selected for the port, it must be set to 0x8100.
Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.
Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.
Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.
Subsets of this group are also supported. That is, any two of these items are supported.
When a CNP is combined with a CEP or tagged VLAN, any CVIDs not explicitly configured for a CEP or tagged
VLAN are associated with the CNP.
A PNP (tagged VMAN) and a CNP (untagged VMAN) or CEP cannot be combined on a port for which the selected
VMAN ethertype is 0x8100.

Layer 2 Basics

128

Layer 2 Basic Commands

The cvid keyword was added in ExtremeXOS 15.3.2.

Platform Availability
This command is available on all platforms.

configure vman delete ports

configure vman vman-name delete ports [all | port_list]

Description
Deletes one or more ports from a VMAN.

Syntax Description
vman_name

Specifies a VMAN name.

all

Specifies all ports in the VMAN.

port_list

Specifies a list of ports.

Default
N/A.

Usage Guidelines
The VMAN must already exist before you can delete ports.

Example
The following example deletes ports 1:1, 1:2, 1:3, and 1:6 on a modular switch for a VMAN named
accounting:
configure vman accounting delete ports 1:1, 1:2, 1:3, 1:6

History
This command was first available in ExtremeXOS 11.0.

Platform Availability
This command is available on all platforms.

configure vman ethertype

configure vman ethertype value [primary | secondary]

Layer 2 Basics

129

Layer 2 Basic Commands

Description
Changes the default ethertype for the VMAN header.

Syntax Description
value

Specifies an ethertype value in the format of 0xffff.

primary

Assigns the ethertype as the primary Ethernet value.

secondary

Assigns the ethertype as the secondary Ethernet value.

Default
Ethertype value of 0x88a8 and type primary.

Usage Guidelines
The software supports two VMAN ethertype values: a primary value and a secondary value. By default,
the primary ethertype applies to all VMANs. To use the secondary ethertype, define the ethertype with
this command, and then assign the secondary ethertype to ports with the following command:
configure port port_list ethertype {primary | secondary}

If your VMAN transits a third-party device (other than an Extreme Networks device), you must
configure the ethertype for the VMAN tag as the ethertype that the third-party device uses. If you
configure both primary and secondary ethertypes, you can connect to devices that use either of the
two values assigned.
The system supports all VMAN ethertypes, including the standard ethertype of 0x8100.

Example
The following command changes the VMAN ethertype value to 8100:
configure vman ethertype 0x8100

History
This command was first available in ExtremeXOS 11.0.
Support for a secondary ethertype was added in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

130

Layer 2 Basic Commands

configure vman ports add cvid

configure vman vman_name ports port_list add cvid cvid_first {- cvid_last}
{translate cvid_first_xlate {- cvid_last_xlate}}

Description
Adds one or more CVIDs to a CEP.

Syntax Description
vman_name

Specifies the VMAN to configure.

port_list

Specifies a list of ports.

cvid_first

Specifies a Customer VLAN ID (CVID) or the first in a range of CVIDs that the
CEP will accept and map to the specified VMAN. Valid values are 1-4095.

cvid_last

Specifies the last in a range of CVIDs that the CEP will accept and map to the
VMAN. Valid values are 1-4095.

translate

Enables translation of the specified CEP CVID range to the specified VMAN
CVID range.

cvid_first_xlate

Specifies a VMAN CVID or the first in a range of VMAN CVIDs to which the
CEP CVIDs will map. Valid values are 1-4095.

cvid_last_xlate

Specifies the last in a range of VMAN CVIDs to which the CEP CVIDs will map.
Valid values are 1-4095. The number of VMAN CVIDs in this range must equal
the number of CEP CVIDs specified in this command.

Default
N/A.

Usage Guidelines
Before you can add CVIDs to CEPs, you must configure the target physical ports as CEPs using the
following command:
configure vman vman_name add portsport_list cep cvidcvid_first {- cvid_last}
{translatecvid_first_xlate {-cvid_last_xlate}}

If you specify only one CVID or a range of CVIDs without translation, the specified CVIDs are mapped to
the specified VMAN and appear unchanged in the VMAN.
If you specify CVID translation, the CEP CVIDs map to different VMAN CVIDs. The number of CEP
CVIDs specified must equal the number of VMAN CVIDs specified. The first CEP CVID in the specified
range maps to the first CVID in the range specified for the VMAN. The difference between cvid_first
and cvid_first_xlate establishes an offset N that maps CEP CVIDs to VMAN CVIDs. (Offset N =
cvid_first_xlate - cvid_first.) The translated VMAN CVID that corresponds to a CEP CVID can be
determined as follows:

Layer 2 Basics

131

Layer 2 Basic Commands

VMAN CVID = CEP CVID + N

Note
CVID translation can reduce the number of CVIDs that can be mapped to VMANs.
When this command specifies multiple ports, each port gets an independent CVID map; the ports do
not share a common map. Changes to the CVID map affect only the ports specified in the configuration
command. For example, consider the following commands:
configure vman vman1 add port 1-2 cep cvid 10
configure vman vman1 port 1 add cvid 11

After these commands are entered, port 1 maps CVIDs 10 and 11 to VMAN vman1, and port 2 maps only
CVID 10 to vman1.
To view the CEP CVID configuration for a port, use the show vman command.

Example
The following example adds CVIDs 20-29 to port 1 and VMAN vman1 and enables translation to CVIDs
30-39:
configure vman vman1 port 1 add cvid 20 - 29 translate 30 - 99

History
This command was first available in ExtremeXOS 12.6.

Platform Availability
This command is available on BlackDiamond X8 series switches, BlackDiamond 8800 series switches
and Summit family switches.
The CVID translation feature is available only on BlackDiamond X8 series switches, BlackDiamond 8900
c-, xl-, and xm-series modules and Summit X440, X460, X480, X670 and X770 series switches.

configure vman ports delete cvid

configure vman vman_name ports port_list delete cvid cvid_first {- cvid_last}

Description
Deletes one or more CVIDs from a CEP.

Syntax Description
vman_name

Specifies the VMAN to configure.

port_list

Specifies a list of ports.

Layer 2 Basics

132

Layer 2 Basic Commands

cvid_first

Specifies a CVID or the first in a range of CVIDs that are to be deleted. Valid
values are 1-4095.

cvid_last

Specifies the last in a range of CVIDs that are to be deleted. Valid values are
1-4095.

Default
N/A.

Usage Guidelines
Each CEP has its own CVID map, and this command deletes CVIDs only from the ports specified with
this command.
If all the CVIDs are deleted from a CEP, the CEP is deleted from the VMAN.
To view the CEP CVID configuration for a port, use the show vman command.

Example
The following command deletes CVID 15 on port 1 from VMAN vman1:
configure vman vman1 port 1 delete cvid 15

History
This command was first available in ExtremeXOS 12.6.

Platform Availability
This command is available on BlackDiamond X8 series switches, BlackDiamond 8800 series switches
and Summit family switches.

configure vman protocol

configure vman vman_name protocol {filter}filter_name

Description
Configures a VMAN to use a specific protocol filter.

Syntax Description
vman_name

Specifies a VMAN name.

protocol

Specifies a protocol filter.

Layer 2 Basics

133

Layer 2 Basic Commands

filter

Specifies a protocol filter.

filter_name

Specifies a protocol filter name.

Default
Usage Guidelines
Protocol Filters on BlackDiamond 8800 Series Switches, SummitStack,
and the Summit Family Switches Only
These devices do not forward packets with a protocol-based VLAN set to AppleTalk. To ensure that
AppleTalk packets are forwarded on the device, create a protocol-based VLAN set to any and define
other protocol-based VLANs for other traffic, such as IP traffic. The AppleTalk packets pass on the
any VLAN, and the other protocols pass traffic on their specific protocol-based VLANs.

Example
The following example configures the protocol filter my_filter to vlan v1:
configure vlan v1 protocol my_filter
configure vlan v1 protocol filter my_filter

History
This command was first available in ExtremeXOS 10.1.
The filter keyword was added in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

configure vman tag

configure vman vman_name tag tag

Description
Assigns a tag to a VMAN.

Syntax Description
vman_name

Specifies a VMAN name.

tag

Specifies a value to use as the VMAN tag. The valid range is from 2 to 4094.

Layer 2 Basics

134

Layer 2 Basic Commands

Default
N/A.

Usage Guidelines
Every VMAN requires a unique tag.
You can specify a value that is currently used as an internal VLAN ID on another VLAN; it becomes the
VLAN ID for the VLAN you specify, and a new VLAN ID is automatically assigned to the other untagged
VLAN.

Example
The following example assigns a tag of 120 to a VMAN named "accounting":
configure vman accounting tag 120

History
This command was first available in ExtremeXOS 11.0.

Platform Availability
This command is available on all platforms.

configure vpls peer l2pt profile

configure {l2vpn} vpls vpls_name peer ipaddress l2pt profile [none |
profile_name]

Description
Configures L2PT profiles on service interfaces.

Syntax Description
l2vpn

Specifies the Layer 2 Virtual Private Network.

vplsvpls_name

Specifies Virtual Private LAN Service over MPLS, and the alphanumeric string
identifying the VPLS VPN.

peer ipaddress

Specifies the VPLS peer, and the IPv4 address.

l2pt profile

Specifies Layer 2 protocol tunneling and the L2PT profile for the PW.

none

Specifies that no L2PT profile should be bound to the PW (default).

profile_name

Specifies the L2PT profile to be bound to the PW.

Layer 2 Basics

135

Layer 2 Basic Commands

Default
Disabled.

Usage Guidelines
Use this command to configure L2PT profiles on service interfaces.

Example
The following example unbind the L2PT profile from peer 1.1.1.1 of VPLS cust2:
configure l2vpn vpls cust2 peer 1.1.1.1 l2pt profile none

The following example binds my_l2pt_prof with peer 1.1.1.1 of VPLS cust1. my_l2pt_prof specifies
tunneling actions:
configure l2vpn vpls cust1 peer 1.1.1.1 l2pt profile my_l2pt_prof
Error: Tunnel action may be applied only to ports.

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

create fdb mac-tracking entry

create fdb mac-tracking entry mac_addr

Description
Adds a MAC address to the MAC address tracking table.

Syntax Description
mac_addr

Specifies a device MAC address, using colon-separated bytes.

Default
The MAC address tracking table is empty.

Usage Guidelines
None.

Layer 2 Basics

136

Layer 2 Basic Commands

Example
The following command adds a MAC address to the MAC address tracking table:
create fdb mac-tracking entry 00:E0:2B:12:34:56

History
This command was first available in ExtremeXOS 12.3.

Platform Availability
This command is available on all platforms.

create fdbentry vlan ports

create fdbentry mac_addr vlan vlan_name [ports port_list {tagged tag} |
blackhole]

Description
Creates a permanent static FDB entry.

Syntax Description
mac_addr

Specifies a device MAC address, using colon-separated bytes.

vlan_name

Specifies a VLAN name associated with a MAC address.

port_list

Specifies one or more ports or slots and ports associated with the MAC
address.

tagged tag

Specifies the port-specific VLAN tag. When there are multiple ports specified
in port_list, the same tag is used for all of them.

blackhole

Enables the blackhole option. Any packets with either a source MAC address
or a destination MAC address matching the FDB entry are dropped.

Default
N/A.

Usage Guidelines
Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. A
permanent static entry can either be a unicast or multicast MAC address. After they have been created,
permanent static entries stay the same as when they were created. If the same MAC address and VLAN
is encountered on another virtual port that is not included in the permanent MAC entry, it is handled as
a blackhole entry. The static entry is not updated when any of the following take place:

Layer 2 Basics

137

Layer 2 Basic Commands

A VLAN identifier (VLANid) is changed.

A port is disabled.
A port enters blocking state.
A port goes down (link down).

A permanent static FDB entry is deleted when any of the following take place:
A VLAN is deleted.
A port mode is changed (tagged/untagged).
A port is deleted from a VLAN.
Permanent static entries are designated by spm in the flags field of the show fdb output. You can use
the show fdb command to display permanent FDB entries.
If the static entry is for a PVLAN VLAN that requires more than one underlying entry, the system
automatically adds the required entries. For example, if the static entry is for a PVLAN network VLAN,
the system automatically adds all required extra entries for the subscriber VLANs.
You can create FDB entries to multicast MAC addresses and list one or more ports. If more than one
port number is associated with a permanent MAC entry, packets are multicast to the multiple
destinations.
IGMP snooping rules take precedence over static multicast MAC addresses in the IP multicast range
(01:00:5e:xx:xx:xx) unless IGMP snooping is disabled.
Note
When a multiport list is assigned to a unicast MAC address, load sharing is not supported on
the ports in the multiport list.

Example
The following command adds a permanent, static entry to the FDB for MAC address 00 E0 2B 12 34 56,
in VLAN marketing on slot 2, port 4 on a modular switch:
create fdbentry 00:E0:2B:12:34:56 vlan marketing port 2:4

The following example creates a multiport unicast FDB entry, in VLAN black, on slot 1, ports 1, 2, and 4,
on the BlackDiamond 8800 family of switches:
create fdbentry 01:00:00:00:00:01 vlan black port 1:1, 1:2, 1:4

The following example adds a permanent, static entry to the FDB for MAC address 00:01:02:03:04:05,
in VLAN marketing, on a VLAN port that has tag 100 on port 3 on a switch:
create fdbentry 00:01:02:03:04:05 vlan msk ports 3 tag 100

History
This command was first available in ExtremeXOS 10.1.

Layer 2 Basics

138

Layer 2 Basic Commands

The ability to create a multicast FDB with multiple entry ports was added in ExtremeXOS 11.3.
The blackhole option was first available for all platforms in ExtremeXOS 12.1.
The ability to create a unicast FDB with multiple entry ports was available for the BlackDiamond 8000
c-, and e-series modules in ExtremeXOS 12.1. This feature is supported on all later platforms when
introduced.
The tag keyword and example was added in ExtremeXOS 15.4.

Platform Availability
This command is available on all platforms.

create l2pt profile

create l2pt profile profile_name

Description
Creates an L2PT profile.

Syntax Description
l2pt

Creates a Layer 2 protocol tunneling profile.

profile

Profile that defines L2PT configuration for L2 protocols.

profile_name

Specifies a profile name (maximum 32 characters).

Default
Disabled.

Usage Guidelines
Use this command to create an L2PT profile.

Example
The following example create a new L2PT profile named "my_l2pt_prof":
create l2pt profile my_l2pt_prof

History
This command was first available in ExtremeXOS 15.5.

Layer 2 Basics

139

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

create private-vlan
create private-vlan name {vr vr_name}

Description
Creates a PVLAN framework with the specified name.

Syntax Description
name

Specifies a name for the new PVLAN.

vr_name

Specifies the VR in which the PVLAN is created.

Default
N/A.

Usage Guidelines
The PVLAN is a framework that links network and subscriber VLANs; it is not an actual VLAN.
A private VLAN name must begin with an alphabetical character and may contain alphanumeric
characters and underscores ( _ ), but it cannot contain spaces. The maximum allowed length for a
name is 32 characters. For private VLAN naming guidelines and a list of reserved names, see Object
Names.
If no VR is specified, the PVLAN is created in the default VR context.

Example
The following example creates a PVLAN named "companyx":
create private-vlan companyx

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

Layer 2 Basics

140

Layer 2 Basic Commands

create protocol
create protocol {filter} filter_name

Description
Creates a user-defined protocol filter.

Syntax Description
filter

Specifies a protocol filter.

filter_name

Specifies a protocol filter name. The protocol filter name can have a maximum
of 31 characters.

Default
N/A.

Usage Guidelines
Protocol-based VLANs enable you to define packet filters that the switch can use as the matching
criteria to determine if a particular packet belongs to a particular VLAN.
After you create the protocol, you must configure it using the configure protocol command. To assign it
to a VLAN, use the configure {vlan} vlan_name protocol {filter}filter_name command.

Example
The following command creates a protocol named "my_filter", and a protocol filter named
"my_other_filter":
create protocol my_filter
create protocol filter my_other_filter

History
This command was first available in ExtremeXOS 10.1.
The filter keyword was added in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

141

Layer 2 Basic Commands

create vlan
create vlan vlan_name {tag tag } {description vlan-description } {vr name }

Description
Creates a named VLAN.

Syntax Description
vlan_name

Specifies a VLAN name (up to 32 characters).

tag

Specifies a value to use as an 802.1Q tag. The valid range is from 2 to 4095.

vlandescription

Specifies a VLAN description (up to 64 characters) that appears in show vlan

commands and can be read from the ifAlias MIB object for the VLAN.

name

Specifies a VR or virtual routing and forwarding (VRF) instance in which to create the
VLAN.
Note
User-created VRs are supported only on the platforms listed for this feature in
the Feature License Requirements document.. On switches that do not support
user-created VRs, all VLANs are created in VR-Default and cannot be moved.

Default
A VLAN named Default exists on all new or initialized Extreme switches:
It initially contains all ports on a new or initialized switch, except for the management port(s), if
there are any.
It has an 802.1Q tag of 1.
The default VLAN is untagged on all ports.
It uses protocol filter any.
A VLAN named Mgmt exists on switches that have management modules or management ports:
It initially contains the management port(s) the switch.
It is assigned the next available internal VLANid as an 802.1Q tag.
If you do not specify the VR, the VLAN is created in the current VR.
If the VLAN description contains one or more space characters, you must enclose the complete name in
double quotation marks.

Usage Guidelines
A newly-created VLAN has no member ports, is untagged, and uses protocol filter any until you
configure it otherwise. Use the various configure vlan commands to configure the VLAN to your needs.
Internal VLANids are assigned automatically using the next available VLANid starting from the high end
(4094) of the range.

Layer 2 Basics

142

Layer 2 Basic Commands

The VLAN name can include up to 32 characters. VLAN names must begin with an alphabetical letter,
and only alphanumeric, underscore ( _ ), and hyphen (-) characters are allowed in the remainder of the
name. VLAN names cannot match reserved keywords. For more information on VLAN name
requirements and a list of reserved keywords, see Object Names.
Note
If you use the same name across categories (for example, STPD and EAPS names), we
recommend that you specify the identifying keyword as well as the actual name. If you do not
use the keyword, the system may return an error message.
VLAN names are locally significant. That is, VLAN names used on one switch are only meaningful to
that switch. If another switch is connected to it, the VLAN names have no significance to the other
switch.
You must use mutually exclusive names for:

VLANs
VMANs
Ipv6 tunnels
BVLANs
SVLANs
CVLANs
Note
The VLAN description is stored in the ifAlias MIB object.

If you do not specify a VR when you create a VLAN, the system creates that VLAN in the default VR
(VR-Default). The management VLAN is always in the management VR (VR-Mgmt).
Once you create VRs, ExtremeXOS allows you to designate one of these as the domain in which all your
subsequent configuration commands, including VLAN commands, are applied. If you create VRs,
ensure that you are creating the VLANs in the desired virtual-router domain.
Note
User-created VRs are supported only on the platforms listed for this feature in the Feature
License Requirements document.. On switches that do not support user-created VRs, all
VLANs are created in VR-Default and cannot be moved.

Example
The following example creates a VLAN named accounting on the current VR:
create vlan accounting description "Accounting Dept"

History
This command was first available in ExtremeXOS 10.1.
The vr option was added in ExtremeXOS 11.0.

Layer 2 Basics

143

Layer 2 Basic Commands

The vlan-description option was added in ExtremeXOS 12.4.4.

Platform Availability
This command is available on all platforms.

create vman
create vman vman-name {learning-domain} {vr vr_name}

Description
Creates a VMAN.

Syntax Description
vman-name

Specifies a VMAN name using up to 32 characters.

learning-domain

Specifies that this VMAN is a learning domain, which supports inter-VMAN

forwarding.

vr

Specifies a virtual router.

vr_name

Specifies a virtual router name.

Note
User-created VRs are supported only on the platforms listed for
this feature in the Feature License Requirements document.. On
switches that do not support user-created VRs, all VLANs are
created in VR-Default and cannot be moved.

Default
N/A.

Usage Guidelines
For information on VMAN name requirements and a list of reserved keywords, see Object Names. You
must use mutually exclusive names for:

VLANs
VMANs
IPv6 tunnels

The keyword learning-domain enables you to create a VMAN that serves as a learning domain for interVMAN forwarding.
If you do not specify the virtual router, the VMAN is created in the current virtual router. After you
create the VMAN, you must configure the VMAN tag and add the ports that you want.

Layer 2 Basics

144

Layer 2 Basic Commands

Example
The following example creates a VMAN named "fred":
create vman fred

History
This command was first available in ExtremeXOS 11.0.

Platform Availability
This command is available on all platforms.

delete fdb mac-tracking entry

delete fdb mac-tracking entry [mac_addr | all]

Description
Deletes a MAC address from the MAC address tracking table.

Syntax Description
mac_addr

Specifies a device MAC address, using colon-separated bytes.

all

Specifies that all MAC addresses are to be deleted from the MAC address
tracking table.

Default
The MAC address tracking table is empty.

Usage Guidelines
None.

Example
The following example deletes a MAC address from the MAC address tracking table:
delete fdb mac-tracking entry 00:E0:2B:12:34:56

History
This command was first available in ExtremeXOS 12.3.

Layer 2 Basics

145

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

delete fdbentry
delete fdbentry [all | mac_address [vlan vlan_name ]

Description
Deletes one or all permanent FDB entries.

Syntax Description
all

Specifies all FDB entries.

mac_address

Specifies a device MAC address, using colon-separated bytes.

vlan_name

Specifies the specific VLAN name.

Default
N/A.

Usage Guidelines
None.

Example
The following example deletes a permanent entry from the FDB:
delete fdbentry 00:E0:2B:12:34:56 vlan marketing

The following example deletes all permanent entries from the FDB:
delete fdbentry all

History
This command was first available in ExtremeXOS 11.0.

Platform Availability
This command is available on all platforms.

delete l2pt profile

delete l2pt profile profile_name

Layer 2 Basics

146

Layer 2 Basic Commands

Description
Deletes an L2PT profile.

Syntax Description
l2pt

Deletes a Layer 2 protocol tunneling profile.

profile

Profile that defines L2PT configuration for L2 protocols.

profile_name

Specifies a profile name (maximum 32 characters).

Default
Disabled.

Usage Guidelines
Use this command to delete an L2PT profile.

Example
The following example deletes my_l2pt_prof that is currently in use by a service:
delete l2pt profile my_l2pt_prof

The following example deletes my_l2pt_prof that is not associated with any service:
delete l2pt profile my_l2pt_prof

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

delete private-vlan
delete private-vlan name

Description
Deletes the PVLAN framework with the specified name.

Layer 2 Basics

147

Layer 2 Basic Commands

Syntax Description
name

Specifies the name of the PVLAN to be deleted.

Default
N/A.

Usage Guidelines
The PVLAN is a framework that links network and subscriber VLANs; it is not an actual VLAN.
This command deletes the PVLAN framework, but it does not delete the associated VLANs. If the ports
in the network VLAN were set to translate, they are changed to tagged.

Example
The following example deletes the PVLAN named "companyx":
delete private-vlan companyx

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

delete protocol
delete protocol {filter}filter_name

Description
Deletes a user-defined protocol.

Syntax Description
filter

Deletes a protocol filter.

filter_name

Specifies a protocol filter name to delete.

Layer 2 Basics

148

Layer 2 Basic Commands

Default
N/A.

Usage Guidelines
If you delete a protocol that is in use by a VLAN, the protocol associated with than VLAN becomes
none.

Example
The following command deletes a protocol named "my_filter" and a protocol filter named
"my_other_filter":
delete protocol my_filter
delete protocol filter my_other_filter

History
This command was first available in ExtremeXOS 10.1.
The filter keyword was added in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

delete vlan
delete vlan vlan_name

Description
Deletes a VLAN.

Syntax Description
vlan_name

Specifies a VLAN name.

Default
N/A.

Layer 2 Basics

149

Layer 2 Basic Commands

Usage Guidelines
If you delete a VLAN that has untagged port members and you want those ports to be returned to the
default VLAN, you must add them back explicitly using the configure svlan delete ports
command.
Note
The default VLAN cannot be deleted. Before deleting an ISC VLAN, you must delete the
MLAG peer.

Example
The following command deletes the VLAN accounting:
delete accounting

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

delete vman
delete vman vman-name

Description
Deletes a previously created VMAN.

Syntax Description
vman-name

Specifies a VMAN name.

Default
N/A.

Usage Guidelines
None.

Layer 2 Basics

150

Layer 2 Basic Commands

Example
The following command deletes the VMAN accounting:
delete vman accounting

History
This command was first available in ExtremeXOS 11.0.

Platform Availability
This command is available on all platforms.

disable dot1p examination inner-tag ports

disable dot1p examination inner-tag ports [all | port_list]

Description
Used with VMANs, and instructs the switch to examine the 802.1p value of the outer tag, or added
VMAN header, to determine the correct egress queue on the egress port.

Syntax Description
all

Specifies all ports.

port_list

Specifies a list of ports or slots and ports.

Default
Disabled.

Usage Guidelines
Use this command to instruct the system to refer to the 802.1p value contained in the outer tag, or
VMAN encapsulation tag, when assigning the packet to an egress queue at the egress port of the
VMAN.
Note
See QoS Commands for information on configuring and displaying the current 802.1p and
DiffServ configuration for the inner, or original header, 802.1p value.

Layer 2 Basics

151

Layer 2 Basic Commands

Example
The following example uses the 802.1p value on the outer tag, or VMAN encapsulation, to put the
packet in the egress queue on the VMAN egress port:
disable dot1p examination inner-tag port 3:2

History
This command was first available in ExtremeXOS 11.2.

Platform Availability
This command is available only on the BlackDiamond X8, BlackDiamond 8800 series switches,
SummitStack, and Summit family switches.

disable fdb static-mac-move

disable fdb static-mac-move

Description
Disables EMS and SNMP reporting of discovered MAC addresses that are duplicates of statically
configured MAC addresses.

Syntax Description
This command has no arguments or variables.

Default
Disabled.

Usage Guidelines
None.

Example
The following example disables this feature:
disable fdb static-mac-move

History
This command was first available in ExtremeXOS 12.7.

Layer 2 Basics

152

Layer 2 Basic Commands

Platform Availability
This command is available on Summit family switches.

disable flooding ports

With the BlackDiamond 8800 series switch, SummitStack, and the Summit family of switches, you can
further identify the type of packets for which to block flooding.
disable flooding [all_cast | broadcast | multicast | unicast] ports [port_list |
all]

Description
Disables Layer 2 egress flooding on one or more ports.

Syntax Description
all_cast

Specifies disabling egress flooding for all packets on specified ports.

broadcast

Specifies disabling egress flooding only for broadcast packets.

multicast

Specifies disabling egress flooding only for multicast packets.

unicast

Specifies disabling egress flooding only for unknown unicast packets.

port_list

Specifies one or more ports or slots and ports.

all

Specifies all ports on the switch.

Default
Enabled for all packet types.

Usage Guidelines
Note
If an application requests specific packets on a specific port, those packets are not affected
by the disable flooding ports command.
You might want to disable egress flooding to do the following:
enhance security

enhance privacy
improve network performance

This is particularly useful when you are working on an edge device in the network. The practice of
limiting flooded egress packets to selected interfaces is also known as upstream forwarding.
Note
If you disable egress flooding with static MAC addresses, this can affect many protocols, such
as IP and ARP.

Layer 2 Basics

153

Layer 2 Basic Commands

The following guidelines apply to enabling and disabling egress flooding:

Disabling multicasting egress flooding does not affect those packets within an IGMP membership
group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets
are not flooded.
Egress flooding can be disabled on ports that are in a load-sharing group. In a load-sharing group,
the ports in the group take on the egress flooding state of the master port; each member port of the
load-sharing group has the same state as the master port.
On all platforms FDB learning takes place on ingress ports and is independent of egress flooding;
either can be enabled or disabled independently.
Disabling unicast or all egress flooding to a port also stops packets with unknown MAC addresses to
be flooded to that port.
Disabling broadcast or all egress flooding to a port also stops broadcast packets to be flooded to
that port.

BlackDiamond X8 Series switches, BlackDiamond 8800 family of

switches, SummitStack, and the Summit switch only
You can disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all
packets on the ports of the BlackDiamond 8800 family of switches, SummitStack, and the Summit
switch. The default behavior for the BlackDiamond 8800 family of switches, SummitStack, and the
Summit is enabled egress flooding for all packet types.

Example
The following example disables unicast flooding on ports 10-12 on a Summit series switch:
disable flooding unicast port 10-27

History
This command was first available in ExtremeXOS 11.2.

Platform Availability
This command is available on BlackDiamond X8 and 8800 series switches, SummitStack, and Summit
family switches.

disable learning iparp sender-mac

disable learning iparp {vr vr_name} sender-mac

Description
Disables MAC address learning from the payload of IP ARP packets.

Layer 2 Basics

154

Layer 2 Basic Commands

Syntax Description
vr_name

Specifies a virtual router.

Default
Disabled.

Usage Guidelines
To view the configuration for this feature, use the following command: show iparp

Example
The following example disables MAC address learning from the payload of IP ARP packets:
disable learning iparp sender-mac

History
This command was first available in ExtremeXOS 12.4.

Platform Availability
This command is available on all Summit family switches, SummitStack, and BlackDiamond 8800 series
switches.

disable learning port

disable learning {drop-packets | forward-packets} port [port_list | all]

Description
Disables MAC address learning on one or more ports for security purposes.

Syntax Description
port

Specifies the port.

port_list

Specifies one or more ports or slots and ports.

all

Specifies all slots and ports.

drop-packets

Specifies that packets with unknown source MAC addresses be dropped. If

you do not specify the forward-packets option, this option is used.

forward-packets

Specifies that packets with unknown source MAC addresses be forwarded.

Layer 2 Basics

155

Layer 2 Basic Commands

Default
Enabled.

Usage Guidelines
Use this command in a secure environment where access is granted via permanent forwarding
database (FDB) entries per port.

Example
The following example disables MAC address learning on port 4:3:
disable learning ports 4:3

History
This command was first available in ExtremeXOS 10.1.
The drop packets and forward packets options were added in ExtremeXOS 12.1.

Platform Availability
This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and
8800 series switches.

disable loopback-mode vlan

disable loopback-mode vlan vlan_name

Description
Disallows a VLAN to be placed in the UP state without an external active port. This allows (disallows)
the VLANs routing interface to become active.

Syntax Description
vlan_name

Specifies a VLAN name.

Default
N/A.

Usage Guidelines
Use this command to specify a stable interface as a source interface for routing protocols. This
decreases the possibility of route flapping, which can disrupt connectivity.

Layer 2 Basics

156

Layer 2 Basic Commands

Example
The following example disallows the VLAN accounting to be placed in the UP state without an external
active port:
disable loopback-mode vlan accounting

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

disable snmp traps fdb mac-tracking

disable snmp traps fdb mac-tracking

Description
Disables SNMP trap generation when MAC-tracking events occur for a tracked MAC address.

Syntax Description
This command has no arguments or variables.

Default
Disabled.

Usage Guidelines
None.

Example
The following example disables SNMP traps for MAC-tracking events:
disable snmp traps fdb mac-tracking

History
This command was first available in ExtremeXOS 12.3.

Layer 2 Basics

157

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

disable vlan
disable vlan vlan_name

Description
Use this command to disable the specified VLAN.

Syntax Description
vlan_name

Specifies the VLAN you want to disable.

Default
Enabled.

Usage Guidelines
This command allows you to administratively disable specified VLANs. The following guidelines apply
to working with disabling VLANs:
Disabling a VLAN stops all traffic on all ports associated with the specified VLAN.
You cannot disable a VLAN that is running Layer 2 protocol control traffic for protocols such as
EAPS, STP, or ESRP.
When you attempt to disable a VLAN running Layer 2 protocol control traffic, the system returns a
message similar to the following:
VLAN accounting cannot be disabled because it is actively used by an L2
Protocol

You can disable the default VLAN; ensure that this is necessary prior to disabling the default VLAN.
You cannot disable the management VLAN.
You cannot bind Layer 2 protocols to a disabled VLAN.
You can add ports to or delete ports from a disabled VLAN.

Example
The following example disables the VLAN named "accounting":
disable vlan accounting

History
This command was first available in ExtremeXOS 11.4.

Layer 2 Basics

158

Layer 2 Basic Commands

The ability to add ports to a disabled VLAN was added in ExtremeXOS 12.5.

Platform Availability
This command is available on all platforms.

disable vman cep egress filtering ports

disable vman cep egress filtering ports {port_list | all}

Description
Disables the egress filtering of CVIDs that are not configured in the CVID map for a CEP.

Syntax Description
port_list

Specifies a list of ports.

all

Specifies all switch ports.

Default
Egress CVID filtering is disabled.

Usage Guidelines
To view the configuration setting for the egress CVID filtering feature, use the show ports
information command.
Note
When CVID egress filtering is enabled, it reduces the maximum number of CVIDs supported
on a port. The control of CVID egress filtering applies to fast-path forwarding. When frames
are forwarded through software, CVID egress filtering is always enabled.

Example
The following example disables egress CVID filtering on port 1:
disable vman cep egress filtering port 1

History
This command was first available in ExtremeXOS 12.6.

Layer 2 Basics

159

Layer 2 Basic Commands

Platform Availability
This command is available on the BlackDiamond X8, BlackDiamond 8900 c-, xl-, and xm-series
modules. This command is also available on Summit X440, X460, X480, X670 and X770 series
switches.

enable dot1p examination inner-tag port

enable dot1p examination inner-tag port [all | port_list]

Description
Used with VMANs, and instructs the switch to examine the 802.1p value of the inner tag, or header of
the original packet, to determine the correct egress queue on the egress port.

Syntax Description
all

Specifies all ports.

port_list

Specifies a list of ports or slots and ports.

Default
Disabled.

Usage Guidelines
Use this command to instruct the system to refer to the 802.1p value contained in the inner, or original,
tag when assigning the packet to an egress queue at the egress port of the VMAN.
Note
See QoS Commands for information on configuring and displaying the current 802.1p and
DiffServ configuration for the inner, or original header, 802.1p value.

Example
The following example puts the packets in the egress queue of the VMAN egress port according to the
802.1p value on the inner tag:
enable dot1p examination inner-tag port 3:2

History
This command was first available in ExtremeXOS 11.2.

Layer 2 Basics

160

Layer 2 Basic Commands

Platform Availability
This command is available only on the BlackDiamond X8, BlackDiamond 8800 series switches,
SummitStack, and the Summit family of switches.

enable fdb static-mac-move

enable fdb static-mac-move

Description
Enables EMS and SNMP reporting of discovered MAC addresses that are duplicates of statically
configured MAC addresses.

Syntax Description
This command has no arguments or variables.

Default
Disabled.

Usage Guidelines
This command enables reporting only. All packets that arrive from a duplicate MAC address on another
port (other than the statically configured port) are dropped.
The switch reports the source MAC address, port, and VLAN for each duplicate MAC address.

Example
The following command enables this feature:
enable fdb static-mac-move

History
This command was first available in ExtremeXOS 12.7.

Platform Availability
This command is available on Summit family switches.

enable flooding ports

enable flooding [all_cast | broadcast | multicast | unicast] ports [port_list |
all]

Layer 2 Basics

161

Layer 2 Basic Commands

Description
Enables egress flooding on one or more ports. With the BlackDiamond X8, BlackDiamond 8800 series
switches, SummitStack, and the Summit family of switches, you can further identify the type of packets
to flood on the specified ports.

Syntax Description
all_cast

Specifies enabling egress flooding for all packets on specified ports.

broadcast

Specifies enabling egress flooding only for broadcast packets.

Note
This parameter is available only on the BlackDiamond X8, BlackDiamond 8800
series switches, SummitStack, and the Summit family of switches.

multicast

Specifies enabling egress flooding only for multicast packets.

Note
This parameter is available only on the BlackDiamond X8, BlackDiamond 8800
series switches, SummitStack, and the Summit family of switches.

unicast

Specifies enabling egress flooding only for unknown unicast packets.

port_list

Specifies one or more ports or slots and ports.

all

Specifies all ports on the switch.

Default
Enabled for all packet types.

Usage Guidelines
Use this command to re-enable egress flooding that you previously disabled using the disable
flooding ports command.
The following guidelines apply to enabling and disabling egress flooding:
Disabling multicasting egress flooding does not affect those packets within an IGMP membership
group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets
are not flooded.
Egress flooding can be disabled on ports that are in a load-sharing group. If that is the situation, the
ports in the group take on the egress flooding state of the master port; each member port of the
load-sharing group has the same state as the master port.
FDB learning is independent of egress flooding. FDB learning and egress flooding can be enabled or
disabled independently.
Disabling unicast or all egress flooding to a port also stops packets with unknown MAC addresses to
be flooded to that port.

Disabling broadcast or all egress flooding to a port also stops broadcast packets to be flooded to
that port.

Layer 2 Basics

162

Layer 2 Basic Commands

BlackDiamond X8, 8800 series switches, SummitStack, and the Summit

family of switches only
You can disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all
packets on the ports of the BlackDiamond 8800 series switches, SummitStack, and the Summit family
of switches. The default behavior for the BlackDiamond 8800 series switches, SummitStack, and the
Summit family of switches is enabled egress flooding for all packet types.

Example
The following command enables unicast flooding on ports 13-17 on a Summit series switch:
enable flooding unicast port 13-17

History
This command was first available in ExtremeXOS 11.2.

Platform Availability
This command is available on BlackDiamond X8 and BlackDiamond 8800 series switches, SummitStack,
and Summit family switches.

enable learning iparp sender-mac

enable learning iparp {request | reply | both-request-and-reply} {vr vr_name}
sender-mac

Description
Enables MAC address learning from the payload of IP ARP packets.

Syntax Description
request

Enables learning only for IP ARP request packets.

reply

Enables learning only for IP ARP reply packets.

both-request-and-reply

Enables learning for both request and reply packets.

vr_name

Specifies a virtual router.

Default
Disabled.

Usage Guidelines
To view the configuration for this feature, use the following command: show iparp

Layer 2 Basics

163

Layer 2 Basic Commands

Example
The following command enables MAC address learning from the payload of reply IP ARP packets:
enable learning iparp reply sender-mac

History
This command was first available in ExtremeXOS 12.4.

Platform Availability
This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and
BlackDiamond 8800 series switches.

enable learning port

enable learning {drop-packets} ports [all | port_list]

Description
Enables MAC address learning on one or more ports.

Syntax Description
drop-packets

Forwards EDP packets, and drops all unicast, multicast, and broadcast
packets from a source address not in the FDB. No further processing occurs
for dropped packets.

all

Specifies all ports.

port_list

Specifies one or more ports or slots and ports.

Default
Enabled.

Usage Guidelines
Use this command to enable MAC address learning on one or more ports.

Example
The following example enables MAC address learning on slot 1, ports 7 and 8 on a modular switch:
enable learning ports 1:7-8

Layer 2 Basics

164

Layer 2 Basic Commands

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all Summit family switches, SummitStack, and BlackDiamond X8 and
BlackDiamond 8800 series switches.

enable loopback-mode vlan

enable loopback-mode vlan vlan_name

Description
Allows a VLAN to be placed in the UP state without an external active port. This allows (disallows) the
VLANs routing interface to become active.

Syntax Description
vlan_name

Specifies a VLAN name.

Default
N/A.

Usage Guidelines
Use this command to specify a stable interface as a source interface for routing protocols. This
decreases the possibility of route flapping, which can disrupt connectivity.

Example
The following example allows the VLAN "accounting" to be placed in the UP state without an external
active port:
enable loopback-mode vlan accounting

History
This command was first available in ExtremeXOS 10.1.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

165

Layer 2 Basic Commands

enable snmp traps fdb mac-tracking

enable snmp traps fdb mac-tracking

Description
Enables SNMP trap generation when MAC-tracking events occur for a tracked MAC address.

Syntax Description
This command has no arguments or variables.

Default
Disabled.

Usage Guidelines
None.

Example
The following example enables SNMP traps for MAC-tracking events:
enable snmp traps fdb mac-tracking

History
This command was first available in ExtremeXOS 12.3.

Platform Availability
This command is available on all platforms.

enable vlan
enable vlan vlan_name

Description
Use this command to re-enable a VLAN that you previously disabled.

Syntax Description
vlan_name

Layer 2 Basics

Specifies the VLAN you want to disable.

166

Layer 2 Basic Commands

Default
Enabled.

Usage Guidelines
This command allows you to administratively enable specified VLANs that you previously disabled.

Example
The following example enables the VLAN named "accounting":
enable vlan accounting

History
This command was first available in ExtremeXOS 11.4.

Platform Availability
This command is available on all platforms.

enable vman cep egress filtering ports

enable vman cep egress filtering ports {port_list | all}

Description
Enables the egress filtering of frames based on their CVIDs on ports configured as CEPs.

Syntax Description
port_list

Specifies a list of ports.

all

Specifies all switch ports.

Default
Egress CVID filtering is disabled.

Usage Guidelines
For a given VMAN and a port configured as a CEP for that VMAN, only frames with CVIDs that have
been mapped from the CEP to the VMAN are forwarded from the VMAN and out the CEP.

Layer 2 Basics

167

Layer 2 Basic Commands

To view the configuration setting for the egress CVID filtering feature, use the show ports
information command.
Note
CVID egress filtering is available only on switches that support this feature, and when this
feature is enabled, it reduces the maximum number of CVIDs supported on a port. The
control of CVID egress filtering applies to fast-path forwarding. When frames are forwarded
through software, CVID egress filtering is always enabled.

Example
The following command enables egress CVID filtering on port 1:
enable vman cep egress filtering port 1

History
This command was first available in ExtremeXOS 12.6.

Platform Availability
This command is available on the BlackDiamond X8 series switches and the BlackDiamond 8900 c-, xl-,
and xm-series modules. This command is also available on Summit X440, X460, X480, X670 and X770
series switches.

show fdb mac-tracking configuration

show fdb mac-tracking configuration

Description
Displays configuration information for the MAC address tracking feature.

Syntax Description
This command has no arguments or variables.

Default
The MAC address tracking table is empty.

Usage Guidelines
None.

Layer 2 Basics

168

Layer 2 Basic Commands

Example
The following exmaple displays the contents of the MAC address tracking table:
# show fdb mac-tracking configuration
MAC-Tracking enabled ports: 1-3,10,20
SNMP trap notification
: Enabled
MAC address tracking table (4 entries):
00:30:48:72:ee:88
00:21:9b:0e:ca:32
00:12:48:82:9c:56
00:30:48:84:d4:16

History
This command was first available in ExtremeXOS 12.3.

Platform Availability
This command is available on all platforms.

show fdb mac-tracking statistics

show fdb mac-tracking statistics {mac_addr} {no-refresh}

Description
Displays statistics for the MAC addresses that are being tracked.

Syntax Description
mac_addr

Specifies a MAC address, using colon-separated bytes, for which FDB entries
should be displayed.

no-refresh

Specifies a static snapshot of data instead of the default dynamic display.

Default
N/A.

Usage Guidelines
Use the keys listed below the display to clear the statistics counters or page up or down through the
table entries.

Layer 2 Basics

169

Layer 2 Basic Commands

Example
The following example displays statistics for the entries in the MAC address tracking table:
# show fdb mac-tracking statistics
MAC Tracking Statistics
Fri Mar 20 15:25:01 2009
Add
Move
Delete
MAC Address
events
events
events
=====================================================
00:00:00:00:00:01
0
0
0
00:00:00:00:00:02
0
0
0
00:00:00:00:00:03
0
0
0
00:00:00:00:00:04
0
0
0
00:00:00:00:00:05
0
0
0
00:00:00:00:00:06
0
0
0
00:00:00:00:00:07
0
0
0
00:00:00:00:00:08
0
0
0
00:00:00:00:00:09
0
0
0
00:00:00:00:00:10
0
0
0
00:00:00:00:00:11
0
0
0
00:00:00:00:00:12
0
0
0
00:00:00:00:00:13
0
0
0
00:00:00:00:00:14
0
0
0
00:00:00:00:00:15
0
0
0
00:00:00:00:00:16
0
0
0
00:00:00:00:00:17
0
0
0
00:00:00:00:00:18
0
0
0
=====================================================
0->Clear Counters U->page up D->page down ESC->exit

History
This command was first available in ExtremeXOS 12.3.

Platform Availability
This command is available on all platforms.

show fdb static-mac-move configuration

show fdb static-mac-move configuration

Description
Displays the configuration for the feature that reports the discovery of MAC addresses that are
duplicates of statically configured MAC addresses.

Syntax Description
This command has no arguments or variables.

Layer 2 Basics

170

Layer 2 Basic Commands

Default
N/A.

Usage Guidelines
None.

Example
The following example shows the command display:
# show fdb static-mac-movement configuration
Static MAC Movement Notification: Enabled
MAC learning Packets Count
: 5

History
This command was first available in ExtremeXOS 12.7.

Platform Availability
This command is available on Summit family switches.

show fdb stats

show fdb stats {{ports {all | port_list} | vlan {all} | {vlan} vlan_name } {norefresh}}

Description
Displays FDB entry statistics for the specified ports or VLANs in either a dynamic or a static report.

Syntax Description
all

Requests statistics for all ports or all VLANs.

port_list

Specifies which ports are to be included in the statistics display.

vlan_name

Specifies a single VLAN to be included in the statistics display.

no-refresh

Specifies a static display, which is not automatically updated.

Default
Summary FDB statistics for the switch.

Layer 2 Basics

171

Layer 2 Basic Commands

Usage Guidelines
The dynamic display remains visible and continues to update until you press [Esc].
The show fdb stats command output displays the following information:
Port

When you chose to display statistics for ports, this column displays port
numbers.

Link State

When you chose to display statistics for ports, this column displays the link
states, which are described at the bottom of the display.

VLAN

When you chose to display statistics for VLANs, this column displays VLAN
names.

MAC Addresses

This column displays the total number of MAC addresses for each port or
VLAN.

Dynamic

This column displays the total number of MAC addresses that were learned
dynamically for each port or VLAN.

Static

This column displays the total number of MAC addresses that are configured
on this switch for each port or VLAN.

Dropped

This column displays the total number of dynamic MAC addresses that were
discovered, but not stored in the FDB. Discovered MAC addresses might be
dropped because a configured learning limit is reached, the FDB is in
lockdown, or a port forwarding state is in transition. Some conditions that
lead to dropped MAC addresses can produce log messages or SNMP traps.

Example
The following command example displays summary FDB statistics for the switch:
torino1.1 # show fdb stats
Total: 4 Static: 3 Perm: 3 Dyn: 1 Dropped: 0
FDB Aging time: 300
FDB VPLS Aging time: 300
torino1.2 #

The following command example displays FDB statistics for ports 1 to 16 on slot 1:
# show fdb stats ports 1:1-1:16
FDB Stats
Mon Mar 15 15:30:49 2010
Port
Link
MAC
State
Addresses
Dynamic
Static
Dropped
=======================================================================
1:1
A
2394
2389
5
2
1:2
A
37
37
0
0
1:3
A
122
121
1
452
1:4
R
0
0
0
0
1:5
R
0
0
0
0
1:6
A
43
43
0
0
1:7
A
118
118
0
0
1:8
R
0
0
0
0
1:9
R
0
0
0
0
1:10
A
8
8
0
0
1:11
A
2998
2990
8
1
1:12
A
486
486
0
0

Layer 2 Basics

172

Layer 2 Basic Commands

1:13
R
0
0
0
0
1:14
A
42
42
0
0
1:15
A
795
795
0
0
1:16
A
23
23
0
2
=======================================================================
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
U->page up D->page down ESC->exit

The following command example displays FDB statistics for all VLANs:
# show fdb stats vlan all
FDB Stats
Mon Mar 15 15:30:49 2010
VLAN
MAC Addresses
Dynamic
Static
Dropped
=============================================================================
SV_PPPOE
2394
2389
5
2
NV_PPPOE
122
121
1
452
=============================================================================
U->page up D->page down ESC->exit

History
The dynamic display for this command was first available in ExtremeXOS 12.4.2.

Platform Availability
This command is available on all platforms.

show fdb
show fdb {blackhole {netlogin [all | mac-based-vlans]} | netlogin [all | macbased-vlans] | permanent {netlogin [all | mac-based-vlans]} | mac_addr {netlogin
[all | mac-based-vlans]} | ports port_list {netlogin [all | mac-based-vlans]} |
vlan vlan_name {netlogin [all | mac-based-vlans]} | {{vpls} {vpls_name}}}

Description
Displays FDB entries.

Syntax Description
blackhole

Displays the blackhole entries. (All packets addressed to these entries are
dropped.)

slot

Specifies a slot in the switch.

num_entries

Specifies the maximum number of hardware entries to display. The range is 1

to 25.

netlogin all

Displays all FDBs created as a result of the netlogin process.

Layer 2 Basics

173

Layer 2 Basic Commands

netlogin mac-based-vlans Displays all netlogin MAC-based VLAN FDB entries.

Note
This parameter is supported only for Summit family switches,
SummitStack, and the BlackDiamond 8800 series switches. See
Network Login Commands for more information on netlogin.
permanent

Displays all permanent entries, including the ingress and egress QoS profiles.

mac_addr

Specifies a MAC address, using colon-separated bytes, for which FDB entries
should be displayed.

port_list

Displays the entries for one or more ports or ports and slots.

vlan_name

Displays the entries for a specific VLAN.

vpls_name

Specifies a specific VPLS for which to display entries.

Default
All.

Usage Guidelines
The pulling of MAC addresses for display purposes is given a lower priority to the actual data path
learning. Eventually all the MAC addresses are learned in a quiescent system.
The show fdb command output displays the following information:
Mac

The MAC address that defines the entry.

Vlan

The PVLAN or VLAN for the entry.

Age

The age of the entry, in seconds (does not appear if the keyword permanent
is specified). The age parameter does not display for the backup MSM/MM on
modular switches.On BlackDiamond 8900 xl-series and Summit X480
switches, the Age is always 000 and the h flag is set for entries that are
hardware aged.

Layer 2 Basics

174

Layer 2 Basic Commands

Flags

Flags that define the type of entry:

b - Ingress Blackhole
B - Egress Blackhole
D - Drop entry for an isolated subscriber VLAN
d - Dynamic
h - Aged in hardware (Applies to BlackDiamond 8900 xl-series and
Summit X480 switches)
i - an entry also exists in the IP FDB
l - lockdown MAC
L - lockdown-timeout MAC
m - MAC
M - Mirror
n - NetLogin
o - IEEE 802.1ah backbone MAC
P - PVLAN created entry
p - Permanent
s - Static
v - NetLogin MAC-Based VLAN (only supported on the Summit switch,
SummitStack, and the BlackDiamond 8800 family of switches)
x - an entry also exists in the IPX FDBs.

Port List

The ports on which the MAC address has been learned.

Example
The following example shows how the FDB entries appear for all options except the hardware option:
# show fdb
Mac
Vlan
Age Flags
Port / Virtual Port List
----------------------------------------------------------------------------00:0c:29:4b:34:cf
v101(0101) 0041 d m
D 1:2
00:0c:29:4b:34:cf
v100(0100) 0041 d m
P 1:2
00:0c:29:d2:2d:48
v102(0102) 0045 d m
1:3
00:0c:29:d2:2d:48
v100(0100) 0045 d m
P 1:3
00:0c:29:f1:f2:f5
v100(0100) 0045 d m
1:1
00:0c:29:f1:f2:f5
v102(0102) 0045 d m
P 1:1
00:0c:29:f1:f2:f5
v101(0101) 0045 d m
P 1:1
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress
Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN
translation,
D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC.
Total: 3 Static: 0 Perm: 0 Dyn: 3 Dropped: 0 Locked: 0 Locked with
Timeout: 0
FDB Aging time: 300
FDB VPLS Aging time: 300

The following example output shows where the port tag is displayed in parentheses:
# show fdb
Mac

Layer 2 Basics

Vlan

Age

Flags

Port / Virtual Port List

175

Layer 2 Basic Commands

----------------------------------------------------------------------------00:00:00:00:04:0a
test(0200) 0057 d m
3(0010)
00:00:00:00:04:0b
test(0200) 0300 d m
3(0011)
00:01:02:03:04:05
test(0200) 0000 spm
3(0010)
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B Egress
Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T VLAN
translation,
D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC.
Total: 3 Static: 0 Perm: 0 Dyn: 3 Dropped: 0 Locked: 0 Locked
with Timeout: 0
FDB Aging time: 300
FDB VPLS Aging time: 300

History
This command was first available in ExtremeXOS 10.1.
The stats and netlogin parameters were first available in ExtremeXOS 11.3.
The blackhole output under the b and B flags was first available for all platforms in ExtremeXOS 12.1.
The o flag was first available in ExtremeXOS 12.4.

Platform Availability
This command is available on all platforms.

show l2pt profile

show l2pt profile profile_name

Description
Displays the contents of an L2PT profile.

Syntax Description
profile

Displays profile that defines L2PT configuration for L2 protocols.

profile_name

Displays only the specified profile.

Default
Disabled.

Layer 2 Basics

176

Layer 2 Basic Commands

Usage Guidelines
Use this command to display the contents of an L2PT profile.

Example
The following is an example of the command's output:
# show l2pt profile
Profile Name
----------------------------my_l2pt_access_prof
1
my_l2pt_network_prof
encap

Protocol Filter Name

-------------------------------my_list

Action
-----tunnel

CoS
---

my_other_list
mylist

tunnel

my_other_list
encap
my_none_list
# show l2pt profile my_l2pt_access_prof
Profile Name
Protocol Filter Name
----------------------------- -------------------------------my_l2pt_access_prof
my_list
1
my_other_list

none

Action
-----tunnel

CoS
---

tunnel

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

show l2pt
show l2pt

Description
Displays the global parameters for L2PT.

Syntax Description
l2pt

Displays global Layer 2 protocol tunneling parameters.

Default
Disabled.

Layer 2 Basics

177

Layer 2 Basic Commands

Usage Guidelines
Use this command to display the global parameters for L2PT.

Example
The following is an example of the command's output:
# show l2pt
Encapsulation Destination MAC Address: 01:00:00:01:01:02

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

show ports protocol filter

show ports [port_list | all] protocol filter {detail}

Description
Displays the protocol filtering configuration and status.

Syntax Description
port_list

Displays port list, separated by a comma ( , )or dash ( - ).

all

Displays all ports.

detail

Displays detailed configuration and status.

Default
Displays all protocol filters.

Usage Guidelines
Use this command to display the protocol filtering configuration and status.

Example
The following example displays the filtering configuration and status for ports 1-4:
# show ports 1-4 protocol filter
Port Protocol
Destination

Layer 2 Basics

Protocol Id

Field

Field Field

Packets

178

Layer 2 Basic Commands

#
Filter Name Address
---- ----------- ----------------1
my_list
01:80:C2:00:00:02
2300
01:80:C2:00:00:00
01:80:C2:00:00:00
2 lacp
01:80:C2:00:00:02
3 (none)
4 (none)

Type Value Offset Value Mask Filtered

----- ------ ------ ------ ----- ---------etype 0x8902
14
03:04 FF:FF
snap 0x4041
snap 0x4041
etype 0x8902

16
14

5000
01:02> FF:FF> 5000
01
FF
3200

> indicates that the value was truncated to the column size in the output.Use
the
detail option to see the complete value.

The following example displays output for the show ports protocol filter detail
command:
show ports 1-4 protocol filter detail
Port 1
Protocol Filter Name: my_list
Destination Address : 01:80:C2:00:00:02
Protocol Id Type
: etype
Protocol Id Value
: 0x8902
Field Offset
: 14
Field Value
: 03:04
Field Mask
: FF:FF
Packets Filtered
: 2300
Destination Address : 01:80:C2:00:00:00
Protocol Id Type
: snap
Protocol Id Value
: 0x4041
Field Offset
: 16
Field Value
: 01:02:03:04
Field Mask
: FF:FF:FF:FF
Packets Filtered
: 5000
Destination Address : 01:80:C2:00:00:00
Protocol Id Type
: snap
Protocol Id Value
: 0x4041
Field Offset
:
Field Value
:
Field Mask
:
Packets Filtered
: 5000
Port 2
Protocol Filter Name:
Destination Address :
Protocol Id Type
:
Protocol Id Value
:
Field Offset
:
Field Value
:
Field Mask
:
Packets Filtered
:

lacp
01:80:C2:00:00:02
etype
0x8902
14
01
FF
3200

Port 3
Protocol Filter Name: (none)
Port 4

Layer 2 Basics

Protocol Filter Name: (none)

179

Layer 2 Basic Commands

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

show private-vlan <name>

show {private-vlan} name

Description
Displays information about the specified PVLAN.

Syntax Description
name

Specifies the name of the PVLAN to display.

Default
N/A.

Usage Guidelines
If the PVLAN is incomplete because it does not have a network or any subscriber VLAN configured,
[INCOMPLETE] appears next to the PVLAN name.

Example
The following example output displays information for the companyx PVLAN:
* (debug) BD-8808.1 # show private-vlan "Engineering"
------------------------------------------------------------------------------------Name
VID Protocol Addr
Flags
Proto Ports
Virtual
Active router
/Total
------------------------------------------------------------------------------------Engineering
Network VLAN:
-Engr1
10
-------------------------------------ANY
4 /5
VRDefault
Non-Isolated Subscriber VLAN:
-ni1
400 -------------------------------------ANY
1 /1
VRDefault
-ni2
401 ------------------------------------ANY
1 /1
VRDefault

Layer 2 Basics

180

Layer 2 Basic Commands

Isolated Subscriber VLAN:

-i1
500 ------------------------------------ANY
1 /1
VRDefault
------------------------------------------------------------------------------------Flags : (C) EAPS Control vlan, (d) NetLogin Dynamically created VLAN,
(D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled,
(i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled,
(l) MPLS Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled,
(N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled,
(P) EAPS protected vlan, (r) RIP Enabled,
(T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

show private-vlan
show private-vlan

Description
Displays information about all the PVLANs on the switch.

Syntax Description
This command has no arguments or variables.

Default
N/A.

Usage Guidelines
If the PVLAN is incomplete because it does not have a network or any subscriber VLAN configured,
[INCOMPLETE] appears next to the PVLAN name.

Example
The following example output displays all the PVLANs on the switch:
* (debug) BD-8808.1 # show private-vlan
------------------------------------------------------------------------------

Layer 2 Basics

181

Layer 2 Basic Commands

-------Name
VID Protocol Addr
Flags
Proto Ports
Virtual
Active router
/Total
------------------------------------------------------------------------------------Engineering
Network VLAN:
-Engr1
10
-------------------------------------ANY
4 /5
VRDefault
Non-Isolated Subscriber VLAN:
-ni1
400 -------------------------------------ANY
1 /1
VRDefault
-ni2
401 ------------------------------------ANY
1 /1
VRDefault
Isolated Subscriber VLAN:
-i1
500 ------------------------------------ANY
1 /1
VRDefault
Ops
Network VLAN:
-Ops
20
------------------------------------ANY
2 /2
VRDefault
Non-Isolated Subscriber VLAN:
-OpsNi1
901 ------------------------------------ANY
1 /1
VRDefault
-OpsNi2
902 ------------------------------------ANY
1 /1
VRDefault
-OpsNi3
903 ------------------------------------ANY
1 /1
VRDefault
-OpsNi4
904 ------------------------------------ANY
1 /1
VRDefault
Isolated Subscriber VLAN:
-OpsI0
600 ------------------------------------ANY
1 /1
VRDefault
-OpsI1
601 ------------------------------------ANY
1 /1
VRDefault
-OpsI2
602 ------------------------------------ANY
1 /1
VRDefault
-OpsI3
603 ------------------------------------ANY
1 /1
VRDefault
-OpsI4
604 ------------------------------------ANY
1 /1
VRDefault
Sales [INCOMPLETE]
Network VLAN:
-NONE
Non-Isolated Subscriber VLAN:
-SalesNi1
701 ------------------------------------ANY
1 /1
VRDefault
-SalesNi2
702 ------------------------------------ANY
1 /1
VRDefault
Isolated Subscriber VLAN:
-SalesI0
800 ------------------------------------ANY
1 /1
VRDefault
------------------------------------------------------------------------------------Flags : (C) EAPS Control vlan, (d) NetLogin Dynamically created VLAN,
(D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled,

Layer 2 Basics

182

Layer 2 Basic Commands

(i) ISIS Enabled, (I) IP Forwarding lpm-routing Enabled, (L) Loopback Enabled,
(l) MPLS Enabled, (m) IPmc Forwarding Enabled, (n) IP Multinetting Enabled,
(N) Network LogIn vlan, (o) OSPF Enabled, (p) PIM Enabled,
(P) EAPS protected vlan, (r) RIP Enabled,
(T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled
Total number of PVLAN(s) : 3

History
This command was first available in ExtremeXOS 12.1.

Platform Availability
This command is available on all platforms that support the Private VLAN feature. For features and the
platforms that support them, see the Feature License Requirements document.

show protocol
show protocol {filter} {filter_ name} {detail}

Description
Displays protocol filter definitions and the complete protocol configuration.

Syntax Description
filter

Displays a protocol filter.

name

Displays a protocol filter name.

detail

Displays protocol information in detail.

Default
Displays all protocol filters.

Usage Guidelines
Displays the defined protocol filter(s) with the types and values of its component protocols.

Example
The following is an example of the command's output:
# show protocol
Protocol Filter Name
Field
Mask
--------------------

Layer 2 Basics

Protocol

Id

Destination

Field

Field

Type

Value

Address

Offset

Value

--------

------

-----------

-------

------

183

Layer 2 Basic Commands

------IP
0x0800
ANY
ipx
IPv6
lacp
FF
mpls
appletalk
0x809b

etype
etype
ANY
etype
etype
etype

0x0806
0xffff
0x8137
0x86dd
0x8809

etype
snap

0x8847

snap

0x80f3

01:80:C2:00:00:02>

14

01

> indicates that the value was truncated to the column size in the output.
Use the detail option to see the complete value.

The following example displays the show protocol detail command:

show protocol detail
Protocol Filter Name
: appletalk
Protocol Id Type
: snap
Protocol Id Value : 0x809b
Destination Address:
Field Offset
:
Field Value
:
Field Mask
:
Protocol Id Type
: snap
Protocol Id Value : 0x80f3
Destination Address:
Field Offset
:
Field Value
:
Field Mask
:
Protocol Filter Name
:
Protocol Id Type
:
Protocol Id Value :
Destination Address:
Field Offset
:
Field Value
:
Field Mask
:

lacp
etype
0x8809
01:80:C2:00:00:02
14
01
FF

# show protocol filter lacp detail

Protocol Filter Name
: lacp
Protocol Id Type
: etype
Protocol Id Value : 0x8809
Destination Address: 01:80:C2:00:00:02
Field Offset
: 14
Field Value
: 01
Field Mask
: FF

History
This command was first available in ExtremeXOS 10.1.
The filter and detail keywords were added in ExtremeXOS 15.5.

Layer 2 Basics

184

Layer 2 Basic Commands

Platform Availability
This command is available on all platforms.

show vlan
show vlan {virtual-router vr-name}
show {vlan} vlan_name {ipv4 | ipv6}
show vlan [tag tag | detail] {ipv4 | ipv6}
show vlan ports

Description
Displays information about one or all VLANs.

Syntax Description
Specifies a VR name for which to display summary information for all VLANs.
If no VR name is specified, the software displays summary information for all
VLANs in the current VR context.

vr-name

Note
User-created VRs are supported only on the platforms listed for
this feature in the Feature License Requirements document. On
switches that do not support user-created VRs, all VLANs are
created in VR-Default and cannot be moved.
vlan_name

Specifies a VLAN name for which to display detailed VLAN information.

tag

Specifies the 802.1Q tag of a VLAN for which to display detailed VLAN
information.

detail

Specifies that detailed information should be displayed for all VLANs.

ipv4

Specifies IPv4.

ipv6

Specifies IPv6.

ports

Displays VLAN ports information.

Default
Summary information for all VLANs on the device.

Usage Guidelines
Note
To display IPv6 information, you must issue either the show vlan detail command or
show vlan command with the name of the specified VLAN.

Layer 2 Basics

185

Layer 2 Basic Commands

Unlike many other VLAN-related commands, the keyword vlan is required in all forms of this
command except when requesting information for a specific VLAN.
Use the command show vlan to display summary information for all VLANs. It shows various
configuration options as a series of flags (see the example below). VLAN names, descriptions, and
protocol names may be abbreviated in this display.
Use the command show vlan detail to display detailed information for all VLANs. This displays
the same information as for an individual VLAN, but shows every VLAN, one-by-one. After each VLAN
display you can elect to continue or quit.
Protocol none indicates that this VLAN was configured with a user-defined protocol that has
subsequently been deleted.
Note
The BlackDiamond 8800 series switches, SummitStack, and the Summit family of switches
display the Mgmt VLAN in VR-Mgmt.
When an IPv6 address is configured for the VLAN, the system may display one of the following two
address types in parentheses after the IPv6 address:

Tentative
Duplicate
Note
See the appropriate ExtremeXOS User Guide volume for information on IPv6 address types.

You can display additional useful information on VLANs configured with IPv6 addresses by issuing the
show ipconfig ipv6 vlan vlan_name command.

When a displayed VLAN is part of a PVLAN, the display includes the PVLAN name and type (which is
network, non-isolated subscriber, or isolated subscriber).
When the displayed VLAN is configured for VLAN translation, the display provides translation VLAN
information. If the displayed VLAN is a translation VLAN, a list of translation VLAN members appears. If
the displayed VLAN is a member VLAN, the display indicates the translation VLAN to which the
member VLAN belongs.

Example
The following is example output of the show vlan command on a switch where PTP and CES are
configured (for example, an E4G-200 or E4G-400):
E4G-400.15 # sh vlan
------------------------------------------------------------------------------------Name
VID Protocol Addr
Flags
Proto Ports
Virtual
Active router
/Total
-------------------------------------------------------------------------------------

Layer 2 Basics

186

Layer 2 Basic Commands

Default
1
--------------------------------T------- ANY
1 /34
VR-Default
Mgmt
4095 ---------------------------------------- ANY
1 /1
VR-Mgmt
v1
40
1.1.1.51
/24 -fL---------------ek ANY
1 /10
VR-Default
v2
20
1.1.2.52
/24 -f----------------e- ANY
0 /1
VR-Default
------------------------------------------------------------------------------------Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
(d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled,
(e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
(F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for
MLAG,
(k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled,
(m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN,
(n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled,
(O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,
(r) RIP Enabled, (R) Sub-VLAN IP Range Configured,
(s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,
(T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled
Total number of VLAN(s) : 4

The following sample output shows OpenFlow status:

E4G-200.5 # show vlan
-------------------------------------------------------------------------------------------Name
VID Protocol Addr
Flags
Proto
Ports Virtual Active router
/Total
-------------------------------------------------------------------------------------------Default
1
----------------------------------------------ANY
0/0
VR-Default ext 4094 ----------------------------------------------ANY
0 /12
VR-Default Mgmt 4095 ----------------------------------------------ANY
1/1
VR-Mgmt
-------------------------------------------------------------------------------------------Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
(d) Dynamically created VLAN, (D) VLAN Admin Disabled,
(e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
(F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection
VLAN for MLAG,
(k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled,
(m) IPmc Forwarding Enabled, (M) Translation Member VLAN or
Subscriber VLAN,
(n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF
Enabled,
(O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,
(r) RIP Enabled, (R) Sub-VLAN IP Range Configured,
(s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,

Layer 2 Basics

187

Layer 2 Basic Commands

(T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W)
VPWS Enabled
(Z) Openflow Enabled
Total number of VLAN(s) : 3

The following sample output shows detailed OpenFlow status:

E4G-200.7 # show vlan detail
VLAN Interface with name Default created by user
Admin State:
Enabled
Tagging:
802.1Q Tag 1
Description:
None
Virtual router: VR-Default
IPv4 Forwarding: Disabled
IPv4 MC Forwarding: Disabled
IPv6 Forwarding: Disabled
IPv6 MC Forwarding: Disabled
IPv6:
None
STPD:
s0(Disabled,Auto-bind)
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:
None configured
Ports:
0.
(Number of active ports=0)
#
#
VLAN Interface with name ext created by user
Admin State:
Enabled
Tagging:Untagged (Internal tag 4094)
Description:
None
Virtual router: VR-Default
IPv6 Forwarding: Disabled
IPv6:
None
STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Openflow:
Enabled
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:
None configured
Ports:
12.
(Number of active ports=0)
Untag:
1,
2,
3,
4,
5,
6,
8,
9,
10,
11,
12
Flags: (*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
(H) Dynamically added by MVRP
#
#

Layer 2 Basics

7,

188

Layer 2 Basic Commands

VLAN Interface with name Mgmt created by user

Admin State:
Enabled
Tagging:
802.1Q Tag 4095
Description:
Management VLAN
Virtual router: VR-Mgmt
IPv4 Forwarding: Disabled
IPv6 Forwarding: Disabled
IPv6:
None
STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Flood Rate Limit QosProfile:
None configured
Ports:
1.
(Number of active ports=1)
Untag: Mgmt-port on Mgmt is active

The following example displays VLAN ports information:

show vlan ports 1,2,3,4,5,6,7,8,9,10,11,12
-------------------------------------------------------------------------------------------Name
VID
Protocol Addr
Flags
Proto Ports Virtual
Active router
/Total
-------------------------------------------------------------------------------------------ext
4094
----------------------------------------------ANY
0 /12 VR-Default
-------------------------------------------------------------------------------------------Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
(d) Dynamically created VLAN, (D) VLAN Admin Disabled,
(e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
(F) Learning Disabled, (i) ISIS Enabled, (I) Inter-Switch Connection VLAN for
MLAG,
(k) PTP Configured, (l) MPLS Enabled, (L) Loopback Enabled,
(m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN,
(n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled,
(O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,
(r) RIP Enabled, (R) Sub-VLAN IP Range Configured,
(s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,
(T) Member of STP Domain, (v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS
Enabled
(Z) Openflow Enabled
Total number of VLAN(s) : 3 (1 displayed)
show vlan ports 1 detail
VLAN Interface with name ext created by user
Admin State:
Enabled
Tagging:Untagged (Internal tag 4094)
Description:
None
Virtual router: VR-Default
IPv4 Forwarding: Disabled

Layer 2 Basics

189

Layer 2 Basic Commands

IPv4 MC Forwarding: Disabled

IPv6 Forwarding: Disabled
IPv6 MC Forwarding: Disabled
IPv6:
None
STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Openflow:
Enabled Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:
None configured
Ports:
12.
(Number of active ports=0)
Untag:
1,
2,
3,
4,
5,

Flags:
(b)
(a)
(u)
(t)
(s)
(x)
(G)
(H)

6,

7,

8,
9,
10,
11,
12
(*) Active, (!) Disabled, (g) Load Sharing port

Port blocked on the vlan, (m) Mac-Based port

Egress traffic allowed for NetLogin
Egress traffic unallowed for NetLogin
Translate VLAN tag for Private-VLAN
Private-VLAN System Port, (L) Loopback port
VMAN Tag Translated port
Multi-switch LAG Group port
Dynamically added by MVRP

The following example is the show output of a vlan that has port-specific tag. The tag is displayed in
parentheses.
VLAN Interface with name vl1 created by user
Admin State:
Enabled
Tagging:
802.1Q Tag 100
Description:
None
Virtual router:
VR-Default
IPv4 Forwarding:
Disabled
IPv4 MC Forwarding: Disabled
IPv6 Forwarding:
Disabled
IPv6 MC Forwarding: Disabled
IPv6:
None
STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
OpenFlow:
Disabled
QosProfile:
None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:
None configured
Ports:
8.
(Number of active ports=2)
Untag:
5
Tag:
1,
10,
11
Port-specific Tag:
1(0010),
1(0011),
*3(0101),
*4(0102)
Flags:

(*) Active, (!) Disabled, (g) Load Sharing

port
(b) Port blocked on the vlan, (m) Mac-Based
port

Layer 2 Basics

190

Layer 2 Basic Commands

(a) Egress traffic allowed for NetLogin

(u) Egress traffic unallowed for
NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback
port
(x)
(G)
(H)
(U)
(V)

VMAN Tag Translated port

Multi-switch LAG Group port
Dynamically added by MVRP
Dynamically added uplink port
Dynamically added by VM Tracking

History
This command was first available in ExtremeXOS 10.1.
The IPv6 information was added in ExtremeXOS 11.2.
The netlogin information was added in ExtremeXOS 11.3.
The VR and administratively enabled/disabled information was added in ExtremeXOS 11.4.
The tag option was added in ExtremeXOS 12.4.4.
The OpenFlow status feature was added in ExtremeXOS 15.3.

Platform Availability
This command is available on all platforms.
Information on MAC-based ports is available only on the Summit family of switches, SummitStack, and
the BlackDiamond 8800 series switch.

show vlan description

show vlan description

Description
Displays a list of VLANs and VLAN descriptions.

Syntax Description
This command has no arguments or variables.

Default
N/A.

Layer 2 Basics

191

Layer 2 Basic Commands

Usage Guidelines
None.

Example
The following example displays the descriptions for all VLANs:
# show vlan description
---------------------------------------------------------------------------Name
VID Description
---------------------------------------------------------------------------ctrl1
11
Control Vlan
ctrl2
102 Control Vlan 2
Default
1
v1
60
vlan 1
vplsVlan
3296 L2 VPN to home office
---------------------------------------------------------------------------Total number of VLAN(s) : 5

History
This command was first available in ExtremeXOS 12.4.4.

Platform Availability
This command is available on all platforms.

show vlan l2pt

show [vlan | vman] vlan_name {ports port_list} l2pt {detail}

Description
Displays the L2PT configuration and status of a service.

Syntax Description
vlan

Displays VLAN configuration.

vman

Displays VMAN configuration.

vlan_name

Specifies a VLAN name.

ports port_list

Displays the ports and port list separated by a comma ( , ) or dash ( - ).

detail

Displays the L2PT configuration and status in detail.

Default
Disabled.

Layer 2 Basics

192

Layer 2 Basic Commands

Usage Guidelines
Use this command to display the L2PT configuration and status of a service.

Example
The following is an example of the show vman ports l2pt command:
# show vman cust2 ports 1:2,1:7 l2pt
Interface
--------------1:2
1:7

L2PT Profile Name

-------------------------------my_l2pt_prof
(none)

The following example illustrates the show vman l2pt ports detail command:
show vman cust2 ports 1:2,1:7 l2pt detail
Port 1:2
L2PT Profile Name
: my_l2pt_profile
Protocol Filter Name
: filter1
Destination Address: 01:80:C2:00:00:02
Protocol Id Type
: etype
Protocol Id Value : 0x8902
Field Offset
: 14
Field Value
: 03
Field Mask
: FF
Action
: Tunnel
CoS
: Default
Packets Transmitted: 2300
Packets Received
: 2300
Protocol Filter Name
: filter2
Destination Address: 01:80:C2:00:00:00
Protocol Id Type
: snap
Protocol Id Value : 0x4041
Field Offset
:
Field Value
:
Field Mask
:
Action
: Tunnel
CoS
: 7
Packets Transmitted: 500
Packets Received
: 500
Port 1:7
L2PT Profile Name
: (none)

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

193

Layer 2 Basic Commands

show vman
show vman show {vman} vman_name {ipv4 | ipv6}
show vman [tag tag | detail] {ipv4 | ipv6}

Description
Displays information about one or all VMANs.
Note
The information displayed for this command depends on the platform and configuration you
are using.

Syntax Description
vman_name

Specifies that information is displayed for the specified VMAN.

tag

Specifies a VMAN using the 802.1Q tag.

detail

Specifies that all information is displayed for each VMAN.

ipv4

Specifies IPv4.

ipv6

Specifies IPv6.

Default
Summary information for all VMANs on the switch.

Usage Guidelines
The information displayed with this command depends on the platform and configuration you are
using.

Example
The following example displays a list of all the VMANs on the switch:
* BD-12804.17 # show vman
------------------------------------------------------------------------------------Name
VID Protocol Addr
Flags
Proto Ports
Virtual
Active router
/Total
------------------------------------------------------------------------------------le1
4091 ------------------ ----------------a
ANY
2 /2
VRDefault
le2
4090 ------------------ ----------------a
ANY
0 /0
VRDefault

Layer 2 Basics

194

Layer 2 Basic Commands

vm1
4089 ------------------ ----------------ANY
0 /0
VRDefault
------------------------------------------------------------------------------------Flags : (a) Learning Domain (C) EAPS Control vlan, (E) ESRP Enabled,
(f) IP Forwarding Enabled, (i) ISIS Enabled, (I) IP Forwarding lpm-routing
Enabled,
(L) Loopback Enabled, (m) IPmc Forwarding Enabled,
(n) IP Multinetting Enabled, (N) Network LogIn vlan,
(o) OSPF Enabled, (p) PIM Enabled,
(P) EAPS protected vlan, (r) RIP Enabled, (T) Member of STP Domain,
(v) VRRP Enabled, (B) 802.1ah Backbone VMAN, (S) 802.1ah Service VMAN
Total number of vman(s) : 3

The following example displays information on a single VMAN named vman1:

# show vman blue
VMAN Interface with name vman1 created by user
Admin State:
Enabled
Tagging:
802.1Q Tag 100
Virtual router: VR-Default
IPv4 Forwarding: Disabled
IPv6 Forwarding: Disabled
IPv6:
None
STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:
None configured
Ports:
2.
(Number of active ports=0)
Tag:
*1,
*2
CEP:
*3: CVID 20-29
*4: CVID 10-19 translate 20-29
*5: CVID 10-19 translate 20-29,CVID 30
Flags:
(*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port

The Port CVID output was added in the display of show vman vlan_name | detail in ExtremeXOS
15.3.2:
VMAN Interface with name vm1 created by user
Admin State: Enabled
Tagging:
1000
Description: None
Virtual router: VR-Default
IPv4 Forwarding: Disabled
IPv6 Forwarding: Disabled
IPv6:
None

Layer 2 Basics

802.1Q Tag

195

Layer 2 Basic Commands

STPD:
None
Protocol:
Match all unfiltered protocols
Loopback:
Disabled
NetLogin:
Disabled
QosProfile:
None configured
Egress Rate Limit Designated Port: None configured
Flood Rate Limit QosProfile:
None configured
Ports:
3.
(Number of active ports=3)
Untag:
*21: Port CVID 5,
*24: Port CVID 7,
Tag:
*22
Flags:
(*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port

The show vman detail command shows all the information shown in the show vman vlan_name
command, but displays information for all configured VMANs.

History
This command was first available in ExtremeXOS 11.0.
Information on IEE 802.1ah was added in ExtremeXOS 11.4.
The tag option was added in ExtremeXOS 12.4.4.
Port CVID output was added in ExtremeXOS 15.3.2.

Platform Availability
This command is available on all platforms.
CEP information is displayed only on BlackDiamond X8, BlackDiamond 8800 series switches and
Summit family switches.

show vman eaps

show {vman} vman_name eaps

Description
Displays the EAPS domains to which the VMAN belongs.

Layer 2 Basics

196

Layer 2 Basic Commands

Syntax Description
vman_name

Specifies the name of the VMAN for which EAPS information is to be

displayed.

Default
N/A.

Usage Guidelines
None.

Example
The following example displays a list of EAPS domains for the campus1 VMAN:
show vman campus1 eaps

History
This command was first available in ExtremeXOS 11.0.
Information on IEE 802.1ah was added in ExtremeXOS 11.4.

Platform Availability
This command is available on all platforms.

show vman ethertype

show vman ethertype

Description
Displays the ethertype information and secondary ethertype port_ list for VLANs, VMANs and PBBNs

Syntax Description
This command has no arguments or variables.

Default
N/A.

Layer 2 Basics

197

Layer 2 Basic Commands

Usage Guidelines
None.

Example
The following example shows the command output on switches that support only VMANs:
vMan ethertype: 0x88a8

The following example shows the command output on switches that support PBBNs:
# show vman ethertype
vman ethertype : 0x88a8
bvlan ethertype: 0x88b5

The following example shows the command output when a secondary ethertype is configured with
ports information:
# show vman ethertype
Vman Primary ethertype
Vman Secondary ethertype
BVlan ethertype
Secondary ethertype ports

:
:
:
:

0x9100
0x8100
0x88b5
6:2g 6:3

The letter g in the port list indicates that the port is a LAG/Trunk port, the details of which can be seen
using the show port sharing command.

History
This command was first available in ExtremeXOS 11.0.
Information on IEE 802.1ah was added in ExtremeXOS 11.4.

Platform Availability
This command is available on all platforms.

show vman l2pt

show [vlan | vman] vlan_name {ports port_list} l2pt {detail}

Description
Displays the L2PT configuration and status of a service.

Layer 2 Basics

198

Layer 2 Basic Commands

Syntax Description
vlan

Displays VLAN configuration.

vman

Displays VMAN configuration.

vlan_name

Specifies a VLAN name.

ports port_list

Displays the ports and port list separated by a comma ( , ) or dash ( - ).

detail

Displays the L2PT configuration and status in detail.

Default
Disabled.

Usage Guidelines
Use this command to display the L2PT configuration and status of a service.

Example
The following is an example of the show vman ports l2pt command:
# show vman cust2 ports 1:2,1:7 l2pt
Interface
--------------1:2
1:7

L2PT Profile Name

-------------------------------my_l2pt_prof
(none)

The following example illustrates the show vman l2pt ports detail command:
# show vman cust2 ports 1:2,1:7 l2pt detail
Port 1:2
L2PT Profile Name
: my_l2pt_profile
Protocol Filter Name
: filter1
Destination Address: 01:80:C2:00:00:02
Protocol Id Type
: etype
Protocol Id Value : 0x8902
Field Offset
: 14
Field Value
: 03
Field Mask
: FF
Action
: Tunnel
CoS
: Default
Packets Transmitted: 2300
Packets Received
: 2300
Protocol Filter Name
: filter2
Destination Address: 01:80:C2:00:00:00
Protocol Id Type
: snap
Protocol Id Value : 0x4041
Field Offset
:
Field Value
:
Field Mask
:
Action
: Tunnel
CoS
: 7

Layer 2 Basics

199

Layer 2 Basic Commands

Packets Transmitted: 500

Packets Received
: 500
Port 1:7
L2PT Profile Name

: (none)

History
This command was first available in ExtremeXOS 15.5.

Platform Availability
This command is available on all platforms.

unconfigure vlan description

unconfigure {vlan} vlan_name description

Description
Removes the description for the specified VLAN.

Syntax Description
vlan_name

Specifies the VLAN name.

Default
N/A.

Usage Guidelines
None.

Example
The following example removes the description from VLAN vlan1:
unconfigure vlan vlan1 description

History
This command was first available in ExtremeXOS 12.4.4.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

200

Layer 2 Basic Commands

unconfigure vlan ipaddress

unconfigure {vlan} vlan_name ipaddress {ipv6_address_mask}

Description
Removes the IP address of the VLAN or a VMAN. With no parameters, the command removes the
primary IPv4 address on the specified VLAN. Using the IPv6 parameters, you can remove specified IPv6
addresses from the specified VLAN.

Syntax Description
vlan_name

Specifies a VLAN or VMAN name.

ipv6_address_mask

Specifies an IPv6 address using the format of IPv6-address/prefix-length,

where IPv6 is the 128-bit address and the prefix length specifies the number
of leftmost bits that comprise the prefix.

Default
Removes the primary IPv4 address from the specified VLAN or VMAN.

Usage Guidelines
Note
With IPv6, you cannot remove the last link local IPv6 address until all global IPv6 addresses
are removed. For MLAG configurations, you cannot remove an IP address from a VLAN until
after you delete the MLAG peer.

Example
The following command removes the primary IPv4 address from the VLAN "accounting":
unconfigure vlan accounting ipaddress

The following command removes an IPv6 addresses from the VLAN "finance":
unconfigure vlan finance ipaddress 3ffe::1

History
This command was first available in ExtremeXOS 10.1.
The IPv6 parameters were added in ExtremeXOS 11.2.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

201

Layer 2 Basic Commands

unconfigure vman ethertype

unconfigure vman ethertype {secondary}

Description
Restores the default primary VMAN ethertype value of 0x88A8 or deletes the secondary ethertype
value.

Syntax Description
secondary

Deletes the secondary ethertype value.

Default
If the secondary option is not specified, it restores the default primary VMAN ethertype value of
0x88a8.

Usage Guidelines
When you enter this command without the secondary option, the primary VMAN ethertype returns to
the default value of 0x88A8. If you specify the secondary option, the secondary VMAN ethertype value
is deleted (no value is assigned).
Note
Before unconfiguring the secondary VMAN ethertype, any secondary VMAN port must be
changed to the primary VMAN ethertype; otherwise the command fails.

Example
The following example restores the primary VMAN ethertype to the default value:
unconfigure vman ethertype

The following example deletes the secondary VMAN ethertype:

unconfigure vman ethertype secondary

History
This command was first available in ExtremeXOS 11.0.

Platform Availability
This command is available on all platforms.

Layer 2 Basics

202