ExtremeXOS User Guide For Version 32.3


ExtremeXOS® User Guide

for Version 32.3

9037672-00 Rev AA
December 2022
LACP Configuring Slots and Ports on a Switch

The “local-slot” distribution mode is useful for reducing the fabric bandwidth load of a switch.

In many SummitStack hardware configurations, the “local-slot” distribution mode will minimize the
switching latency of packets distributed to a LAG. Note that some modules may not provide the
minimum possible latency due to the details of the switch’s fabric connections. Some ExtremeSwitching
switches have more than one switching ASIC and “local-slot” distribution may still involve inter-ASIC
switching through local fabric links.

Distribution Port Lists

The “port-lists” distribution mode provides the ability to configure one or more LAG member ports to
be eligible for unicast LAG distribution on each slot in the switch. If a slot does not have a distribution
port list configured or if none of the configured member ports is active in the LAG, then all active
member ports are eligible for unicast distribution.

The “port-lists” distribution mode may be specified during LAG creation with the configure
sharing port slot slot distribution-list [port_list | add port_list |
all] CLI command. It may also be configured dynamically with the configure sharing port
slot slot distribution-list [port_list | add port_list | all] command. The
use of the “port-lists” distribution mode should be taken into consideration when adding ports to a LAG
with the “configure sharing” CLI command. Any newly added port on a LAG will not be available for
unicast distribution unless it is also added to the distribution port list of at least one slot.

LACP
You can run the Link Aggregation Control Protocol (LACP) on Extreme Networks devices. LACP enables
dynamic load sharing and hot standby for link aggregation links, in accordance with the IEEE 802.3ad
standard. All third-party devices supporting LACP run with Extreme Networks devices.

The addition of LACP provides the following enhancements to static load sharing, or link aggregation:
• Automatic configuration
• Rapid configuration and reconfiguration
• Deterministic behavior
• Low risk of duplication or misordering

After you enable load-sharing, the LACP protocol is enabled by default. You configure dynamic link
aggregation by first assigning a primary, or logical, port to the group, or LAG, and then specifying the
other ports you want in the LAG.

LACP, using an automatically generated key, determines which links can aggregate. Each link can
belong to only one LAG. LACP determines which links are available. The communicating systems
negotiate priority for controlling the actions of the entire trunk (LAG), using LACP, based on the lowest
system MAC number. You can override this automatic prioritization by configuring the system priority
for each LAG.
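
The key-matching and priority rules of this section are visible in the actor fields of an LACPDU. The following Python sketch is an added example, not ExtremeXOS code: it parses those fields from constructed payloads and groups local ports into candidate LAGs. The MAC addresses, keys, port numbers and function names are assumptions.

```python
import struct
from collections import defaultdict

# IEEE 802.3ad LACPDU start: subtype, version, actor TLV type and length,
# then system priority, system MAC, key, port priority, port, state.
ACTOR = struct.Struct("!BBBBH6sHHHB")
AGGREGATION = 0x04   # Actor_State bit: set when the link may be aggregated

def build_lacpdu(prio, mac, key, port, state=0x3D):
    """Constructed LACPDU payload: actor TLV filled in, the rest zero padding."""
    head = ACTOR.pack(1, 1, 1, 20, prio, bytes.fromhex(mac.replace(":", "")),
                      key, 0, port, state)
    return head.ljust(110, b"\x00")

def parse_actor(payload: bytes) -> dict:
    """Extract the sender's identity, key and aggregation capability."""
    if len(payload) < ACTOR.size:
        raise ValueError("truncated LACPDU")
    sub, _ver, tlv, tlen, prio, mac, key, _pp, port, state = ACTOR.unpack_from(payload)
    if (sub, tlv, tlen) != (1, 1, 20):
        raise ValueError("not an LACPDU actor TLV")
    return {"system": (prio, mac), "key": key, "port": port,
            "aggregatable": bool(state & AGGREGATION)}

def group_links(received: dict) -> list:
    """Map {local port: LACPDU heard on it} to lists of ports that can aggregate.

    Links aggregate only when the same remote system advertises the same key
    on them; a link flagged as individual always forms a group of its own.
    """
    groups = defaultdict(list)
    for local_port, payload in sorted(received.items()):
        a = parse_actor(payload)
        ident = (a["system"], a["key"]) if a["aggregatable"] else ("individual", local_port)
        groups[ident].append(local_port)
    return sorted(groups.values())

def controller(local_system, remote_system) -> str:
    """Lower (priority, MAC) controls the LAG; equal priority falls back to MAC."""
    return "local" if local_system < remote_system else "remote"

# Constructed sample: LACPDUs heard on local ports 5-8.
RECEIVED = {
    5: build_lacpdu(32768, "02:00:00:aa:00:01", 1005, 1),
    6: build_lacpdu(32768, "02:00:00:aa:00:01", 1005, 2),
    7: build_lacpdu(32768, "02:00:00:aa:00:01", 2007, 3),  # same system, other key
    8: build_lacpdu(32768, "02:00:00:bb:00:02", 1005, 1),  # other system, same key
}

if __name__ == "__main__":
    print(group_links(RECEIVED))   # ports 5 and 6 share system and key
```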

After you enable and configure LACP, the system sends PDUs (LACPDUs) on the LAG ports. The
LACPDUs inform the remote system of the identity of the sending system, the automatically generated
key of the link, and the desired aggregation capabilities of the link. If a key from a particular system
on a given link matches a key from that system on another link, those links are aggregatable. After the

248 ExtremeXOS® User Guide for version 32.3



enable sharing 5 grouping 5-8 health-check
enable loopback-mode v1
configure v1 add port 5
configure sharing health-check member-port 5 add track-tcp 192.168.1.101 tcp-port 8080
configure sharing health-check member-port 6 add track-tcp 192.168.1.102 tcp-port 8080
configure sharing health-check member-port 7 add track-tcp 192.168.1.103 tcp-port 8080
configure sharing health-check member-port 8 add track-tcp 192.168.1.104 tcp-port 8080

Displaying Switch Load Sharing


You can display static and dynamic load sharing. In the link aggregation displays, the types are shown
by the following aggregation controls:
• Static link aggregation—static
• Link Aggregation Control Protocol—LACP
• Health check link aggregation—hlth-chk

• To verify your configuration, use the following command:
show ports sharing
• To verify LACP configuration, use the following command:
show lacp
• To display information for the specified LAG, use the following command:
show lacp lag group-id {detail}
• To display LACP information for a port that is a member of a LAG, use the following command:
show lacp member-port port {detail}

Refer to Displaying Port Information on page 302 for information on displaying summary
load-sharing information.
• To clear the counters, use the following command:
clear lacp counters
• To display the LACP counters for all member ports in the system, use the following command:
show lacp counters
• To display information for a health check LAG, use the following command:
show sharing health-check

MLAG

MLAG Overview
The MLAG feature allows you to combine ports on two switches to form a single logical connection to
another network device. The other network device can be either a server or a switch that is separately
configured with a regular LAG (or appropriate server port teaming) to form the port aggregation.

The following diagram displays the elements in a basic MLAG configuration:



Universal Port
Profile Types on page 378
Dynamic Profile Trigger Types on page 380
How Device-detect Profiles Work on page 383
How User Authentication Profiles Work on page 384
Profile Configuration Guidelines on page 385
Collecting Information from Supplicants on page 391
Supplicant Configuration Parameters on page 392
Universal Port Configuration Overview on page 392
Using Universal Port in an LDAP or Active Directory Environment on page 394
Configuring Universal Port Profiles and Triggers on page 395
Managing Profiles and Triggers on page 397
Sample Universal Port Configurations on page 400

Universal Port is a flexible framework that enables automatic switch configuration in response to special
events such as:
• User login and logoff
• Device connection to or disconnection from a port
• Time of day
• EMS event messages

Note
The Universal Port feature is supported only on the platforms listed for this feature in the
license tables in the ExtremeXOS 32.3 Feature License Requirements document.

The primary component of the Universal Port feature is the profile, which is a special form of command
script that runs when triggered by the events mentioned above.

Profiles execute commands and use variables as do the scripts described in Using CLI Scripting on page
422. The primary difference is that a profile can be executed manually or automatically in response to
switch events.

Note
The term profile is distinct from the term policy because a policy is only one particular
application of a profile.


Benefits
Implementing VLANs on your networks has the following advantages:
• VLANs help to control traffic—With traditional networks, broadcast traffic that is directed to all
network devices, regardless of whether they require it, causes congestion. VLANs increase the
efficiency of your network because each VLAN can be set up to contain only those devices that
must communicate with each other.
• VLANs provide extra security—Devices within each VLAN can communicate only with member
devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN
Sales, the traffic must cross a routing device.
• VLANs ease the change and movement of devices—With traditional networks, network
administrators spend much of their time dealing with moves and changes. If users move to a
different subnetwork, the addresses of each endstation must be updated manually.

Virtual Routers and VLANs


The ExtremeXOS software supports virtual routers. Each port can belong to multiple virtual routers
(VRs). Ports can belong to different VLANs that are in different virtual routers.

If you do not specify a virtual router when you create a VLAN, the system creates that VLAN in the
default virtual router (VR-Default). The management VLAN is always in the management virtual router
(VR-Mgmt).

After you create virtual routers, the ExtremeXOS software allows you to designate one of these
virtual routers as the domain in which all your subsequent configuration commands, including VLAN
commands, are applied. After you create virtual routers, ensure that you are creating each VLAN in the
desired virtual router domain. Also, ensure that you are in the correct virtual router domain before you
begin modifying each VLAN.

For information on configuring and using virtual routers, see Virtual Routers on page 688.

Types of VLANs
This section introduces the following types of VLANs:
• Port-Based VLANs
• Tagged VLANs
• Protocol-Based VLANs
• XNV Dynamic VLAN on page 650

Note
You can have netlogin dynamic VLANs and netlogin MAC-based VLANs. See Network Login
on page 851 for complete information on netlogin.

VLANs can be created according to the following criteria:


• Physical port
• IEEE 802.1Q tag
• Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type
• A combination of these criteria


4. Using this configuration, you can create multiple port-based VLANs that span multiple switches, in a
daisy-chained fashion.

Tagged VLANs
Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the
identification number of a specific VLAN, called the VLANid (valid numbers are 1 to 4094).

Note
The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger
than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error
counters in other devices and may also lead to connectivity problems if non-802.1Q bridges or
routers are placed in the path.

Uses of Tagged VLANs

Tagging is most commonly used to create VLANs that span switches.

The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span
multiple switches using one or more trunks. In a port-based VLAN, each VLAN requires its own pair of
trunk ports, as shown in Figure 68 on page 560. Using tags, multiple VLANs can span two switches
with a single trunk.

Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This
is particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The
device must have a Network Interface Card (NIC) that supports IEEE 802.1Q tagging.

A single port can be a member of only one port-based VLAN. All additional VLAN membership for the
port must be accompanied by tags.

Assigning a VLAN Tag

Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag
defined, you decide whether each port uses tagging for that VLAN. The default mode of the switch is to
have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1 assigned.

Not all ports in the VLAN must be tagged. As traffic from a port is forwarded out of the switch, the
switch determines (in real time) if each destination port should use tagged or untagged packet formats
for that VLAN. The switch adds and strips tags, as required, by the port configuration for that VLAN.

Note
Packets arriving tagged with a VLANid that is not configured on a port are discarded.
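
The tagging rules in this section, as an added Python example that is not part of the ExtremeXOS guide or software: it parses and inserts 802.1Q tags, shows a 1,518-byte frame growing to 1,522 bytes, and applies the discard rule from the note above. The Port class, its fields and the sample frame are hypothetical constructs for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag

# Constructed sample: maximum-size untagged IPv4 frame (1,518 bytes, FCS counted).
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(1504)

def parse_vlan(frame: bytes):
    """Return (vid, pcp, inner_ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC; the frame grows by 4 bytes."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLANid must be 1 to 4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as done when forwarding to an untagged port."""
    return frame if parse_vlan(frame)[0] is None else frame[:12] + frame[16:]

class Port:
    """Hypothetical port model: one untagged VLAN plus a set of tagged VLANs."""
    def __init__(self, untagged_vid=None, tagged_vids=()):
        self.untagged_vid = untagged_vid
        self.tagged_vids = set(tagged_vids)

    def ingress(self, frame: bytes):
        """Return the VLANid the frame is classified into, or None to discard."""
        vid = parse_vlan(frame)[0]
        if vid is None:
            return self.untagged_vid            # untagged: port-based VLAN
        # Tag not configured on this port: discard. VID 0 is not modelled.
        return vid if vid in self.tagged_vids else None

    def egress(self, frame: bytes, vid: int):
        """Format a frame of VLAN vid for this port, or None if not a member."""
        if vid in self.tagged_vids:
            return add_tag(strip_tag(frame), vid)
        if vid == self.untagged_vid:
            return strip_tag(frame)
        return None
```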

Figure 68 illustrates the physical view of a network that uses tagged and untagged traffic.


• show vlan description
• show vlan {vlan_name | vlan_list} statistics {no-refresh | refresh }

Note
To display IPv6 information, you must use either the show vlan detail command or show
vlan command with the name of the specified VLAN.

To display the VLAN information for other ExtremeXOS software features, use the following commands:
• show {vlan} vlan_name dhcp-address-allocation
• show {vlan} vlan_name dhcp-config
• show {vlan} vlan_name eaps
• show {vlan} vlan_name security
• show {vlan} {vlan_name | vlan_list} stpd

You can display additional useful information on VLANs configured with IPv6 addresses by issuing the
command:

show ipconfig ipv6 vlan vlan_name

To display protocol information, issue the command:

show protocol {name}

Private VLANs
The following sections provide detailed information on private VLANs:
• PVLAN Overview on page 570
• Configuring PVLANs on page 578
• Displaying PVLAN Information on page 582
• PVLAN Configuration Example 1 on page 583
• PVLAN Configuration Example 2 on page 584

PVLAN Overview
PVLANs offer the following features:
• VLAN translation
• VLAN isolation

Note
PVLAN features are supported only on the platforms listed for this feature in the ExtremeXOS
32.3 Feature License Requirements document.

VLAN Translation in a PVLAN


VLAN translation provides the ability to translate the 802.1Q tags for several VLANs into a single VLAN
tag. VLAN translation is an optional component in a PVLAN.


Per VLAN Spanning Tree


Switching products that implement Per VLAN Spanning Tree (PVST) have been in existence for many
years and are widely deployed.

To support STP configurations that use PVST, ExtremeXOS has an operational mode called PVST+.

Note
In this document, PVST and PVST+ are used interchangeably. PVST+ is an enhanced version of
PVST that is interoperable with 802.1Q STP. The following discussions are in regard to PVST+,
if not specifically mentioned.

STPD VLAN Mapping


Each VLAN participating in PVST+ must be in a separate STPD, and the VLAN number (VLAN ID) must
be the same as the STPD identifier (STPD ID).

As a result, PVST+ protected VLANs cannot be partitioned.

This fact does not exclude other non-PVST+ protected VLANs from being grouped into the same STPD.
A protected PVST+ VLAN can be joined by multiple non-PVST+ protected VLANs to be in the same
STPD.

Note
When PVST+ is used to interoperate with other networking devices, each VLAN participating
in PVST+ must be in a separate STP domain.

Native VLAN
In PVST+, the native VLAN must be peered with the default VLAN on Extreme Networks devices, as
both are the only VLANs allowed to send and receive untagged packets on the physical port.

Third-party PVST+ devices send VLAN 1 packets in a special manner. ExtremeXOS does not support
PVST+ for VLAN 1. Therefore, when the switch receives a packet for VLAN 1, the packet is dropped.

When a PVST+ instance is disabled, the fact that PVST+ uses a different packet format raises an issue.
If the STPD also contains ports not in PVST+ mode, the flooded packet has an incompatible format with
those ports. The packet is not recognized by the devices connected to those ports.

Rapid Spanning Tree Protocol


The Rapid Spanning Tree Protocol (RSTP), originally in the IEEE 802.1w standard and now part of
the IEEE 802.1D-2004 standard, provides an enhanced spanning tree algorithm that improves the
convergence speed of bridged networks.

RSTP takes advantage of point-to-point links in the network and actively confirms that a port can safely
transition to the forwarding state without relying on any timer configurations. If a network topology
change or failure occurs, RSTP rapidly recovers network connectivity by confirming the change locally
before propagating that change to other devices across the network. For broadcast links, there is no
difference in convergence time between STP and RSTP.


802.1w mode and the bridge receives an 802.1D BPDU on a port. The receiving port starts the protocol
migration timer and remains in 802.1D mode until the bridge stops receiving 802.1D BPDUs. Each time
the bridge receives an 802.1D BPDU, the timer restarts. When the port migration timer expires, no more
802.1D BPDUs have been received, and the bridge returns to its configured setting, which is 802.1w
mode.

Multiple Spanning Tree Protocol


The MSTP, based on IEEE 802.1Q-2003 (formerly known as IEEE 802.1s), allows the bundling of multiple
VLANs into one spanning tree topology.

This concept is not new to Extreme Networks. Like MSTP, Extreme Networks proprietary EMISTP
implementation can achieve the same capabilities of sharing a virtual network topology among multiple
VLANs; however, MSTP overcomes some of the challenges facing EMISTP, including enhanced loop
protection mechanisms and new capabilities to achieve better scaling.

MSTP logically divides a Layer 2 network into regions. Each region has a unique identifier and contains
multiple spanning tree instances (MSTIs). An MSTI is a spanning tree domain that operates within and
is bounded by a region. MSTIs control the topology inside the regions. The Common and Internal
Spanning Tree (CIST) is a single spanning tree domain that interconnects MSTP regions. The CIST is
responsible for creating a loop-free topology by exchanging and propagating BPDUs across regions to
form a Common Spanning Tree (CST).

MSTP uses RSTP as its converging algorithm and is interoperable with the legacy STP protocols: STP
(802.1D) and RSTP (802.1w).

MSTP has three major advantages over 802.1D, 802.1w, and other proprietary implementations:
• To save control path bandwidth and provide improved scalability, MSTP uses regions to localize
BPDU traffic. BPDUs containing information about MSTIs contained within an MSTP region do not
cross that region’s boundary.
• A single BPDU transmitted from a port can contain information for up to 64 STPDs. MSTP BPDU
processing uses fewer resources than 802.1D or 802.1w, where one BPDU corresponds to
one STPD.
• In a typical network, a group of VLANs usually share the same physical topology. Dedicating a
spanning tree per VLAN like PVST+ is CPU intensive and does not scale very well. MSTP makes it
possible for a single STPD to handle multiple VLANs.

MSTP Concepts

MSTP Regions
An MSTP network consists either of individual MSTP regions connected to the rest of the network with
802.1D and 802.1w bridges or of individual MSTP regions connected to each other.

An MSTP region defines the logical boundary of the network. With MSTP, you can divide a large network
into smaller areas similar to an OSPF (Open Shortest Path First) area or a BGP (Border Gateway
Protocol) Autonomous System, which contain a group of switches under a single administration. Each
MSTP region has a unique identifier and is bound together by one CIST that spans the entire network. A
bridge participates in only one MSTP region at a time.
