Configuring Layer 2 Features

Configuring Tagged and Untagged VLANs

Creating untagged VLANs is useful for connecting the switch to devices without support for IEEE 802.1Q VLAN tags. You can configure ports to map untagged packets to a VLAN.

Reserved VLANs and VLAN 0 and 1

The VLAN identifier is a 12-bit field in the header of each packet. Therefore, the maximum number of VLANs you can define is 4091. Netvisor OS switches reserve VLANs 0, 1, 4093, 4094, and 4095 for internal use. VLAN 0 is not a standard VLAN in . It is used to represent all untagged or non-VLAN traffic. VLAN 1 is the default VLAN for untagged traffic. Untagged traffic can be mapped to any VLAN, but by default it is mapped to VLAN 1.

 

WARNING!

 If you create a VLAN with scope fabric and untag all ports, you can cause problems with the fabric communication.

 

Informational Note:

The untagged VLAN feature is not the same as the default VLAN using the IEEE 802.1Q tag 1.

 

1. To create a VLAN on the current switch, with the identifier 595, use the following command:

CLI network-admin@switch > vlan-create id 595 name VLAN595 scope local

By default, all ports are trunked on the new VLAN. If you want to specify which ports are trunked, use the optional parameter, ports, with a comma-separated list of ports, or specify a range of ports.

In some cases, you may not want the VLAN created on all ports. You can specify none to apply the VLAN to internal ports only.

CLI network-admin@switch > vlan-create id 35 scope fabric ports none

CLI network-admin@switch > vlan-show

switch:            pubdev01

id:                35

nvid:              a000030:23

scope:             fabric

name:              vlan-35

active:            yes

stats:             yes

vrg:               0:0

ports:             65-72,255

untagged-ports:    none

active-edge-ports: none

switch:            pubdev02

 

To map ports on different switches into the scope fabric VLAN, use the following command:

CLI network-admin@switch > vlan-port-add switch switch-name ports

To modify a VLAN, use the vlan-modify command. For example, to change the description of VLAN 25 from blue to red:

CLI network-admin@switch > vlan-modify id 25 description red

To modify the port list, use the vlan-port-add and vlan-port-remove commands. If you want to remove a VLAN with scope fabric, you need to specify the switch name.

2. To display the VLANs configured on the switch, use the vlan-show command.

CLI network-admin@switch > vlan-show format all layout vertical

switch:            pubdev01

id:                1

nvid:              a000030:1

scope:             local

name:              default-1

active:            yes

stats:             yes

vrg:               0:0

ports:             1-72,128,255

untagged-ports:    1-72,128,255

active-edge-ports: 31,45-46,66,128

active-edge-ports: 65,128-129

switch:            pubdev02

id:                1

nvid:              a000024:1

scope:             local

name:              default-1

active:            yes

stats:             yes

vrg:               0:0

ports:             1-72,128-129,255

untagged-ports:    1-72,128-129,255

 

3. To configure ports 17 and 18 to accept untagged packets and map them to VLAN 595, use the following command:

CLI network-admin@switch > vlan-port-add vlan-id 595 ports 17,18 untagged
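The steps above produce a VLAN table that is easy to misread once many VLANs share ports. The following Python script is an added example (not Netvisor OS code) that parses the `vlan-show format all layout vertical` output format shown above and flags two conditions a network operator would want to catch: a fabric-scope VLAN with every member port untagged (the warning at the top of this section) and a port listed as untagged on more than one VLAN, which IEEE 802.1Q does not allow because untagged frames on a port can map to only one VLAN. The sample output is constructed to match the documented layout; it is not captured from a switch.

```python
"""Audit Netvisor OS 'vlan-show format all layout vertical' output.

Added example. SAMPLE_VLAN_SHOW below is constructed to mirror the
documented layout; the VLAN ids 40 and 595 and their port lists are
made up for the demonstration.
"""
from typing import Dict, List, Set

# VLANs the documentation lists as reserved for internal use.
RESERVED_VLANS = {0, 1, 4093, 4094, 4095}

SAMPLE_VLAN_SHOW = """\
switch:            pubdev01
id:                1
scope:             local
name:              default-1
ports:             1-72,128,255
untagged-ports:    1-16,19-72,128,255
switch:            pubdev01
id:                35
scope:             fabric
name:              vlan-35
ports:             65-72,255
untagged-ports:    none
switch:            pubdev01
id:                40
scope:             fabric
name:              vlan-40
ports:             65-72
untagged-ports:    65-72
switch:            pubdev01
id:                595
scope:             local
name:              VLAN595
ports:             17,18
untagged-ports:    17,18
"""


def expand_ports(spec: str) -> Set[int]:
    """Turn a port list such as '1-72,128,255' into a set of ints; 'none' -> empty set."""
    spec = spec.strip()
    if spec in ("", "none"):
        return set()
    ports: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_vertical(text: str) -> List[Dict[str, str]]:
    """Split 'layout vertical' output into records; each record starts at a 'switch:' line."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # values like 'a000030:23' keep their colon
        key, value = key.strip(), value.strip()
        if key == "switch" or not records:
            current = {}
            records.append(current)
        current[key] = value
    return records


def audit_vlans(text: str) -> List[Dict[str, object]]:
    """Return findings: fabric VLANs with every member port untagged, and ports
    that appear as untagged on more than one VLAN."""
    findings: List[Dict[str, object]] = []
    untagged_on: Dict[tuple, List[int]] = {}
    for rec in parse_vertical(text):
        switch, vid = rec["switch"], int(rec["id"])
        members = expand_ports(rec.get("ports", "none"))
        untagged = expand_ports(rec.get("untagged-ports", "none"))
        if rec.get("scope") == "fabric" and members and untagged >= members:
            findings.append({"switch": switch, "kind": "fabric-all-untagged", "vlan": vid})
        for port in untagged:
            untagged_on.setdefault((switch, port), []).append(vid)
    for (switch, port), vids in sorted(untagged_on.items()):
        if len(vids) > 1:
            findings.append({"switch": switch, "kind": "untagged-conflict",
                             "port": port, "vlans": sorted(vids)})
    return findings


def untagged_vlans_for(text: str, switch: str, port: int) -> List[int]:
    """VLAN(s) to which untagged frames arriving on the given port are mapped."""
    return sorted(int(rec["id"]) for rec in parse_vertical(text)
                  if rec["switch"] == switch
                  and port in expand_ports(rec.get("untagged-ports", "none")))


if __name__ == "__main__":
    for finding in audit_vlans(SAMPLE_VLAN_SHOW):
        print(finding)
    print("port 17 untagged ->", untagged_vlans_for(SAMPLE_VLAN_SHOW, "pubdev01", 17))
```

Run against the constructed sample, the script reports VLAN 40 as a fabric VLAN with all member ports untagged and ports 65 through 72 as untagged on both VLAN 1 and VLAN 40; port 17 maps untagged frames to VLAN 595 only, which is the state the `vlan-port-add ... untagged` command above is meant to produce.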

Displaying VLAN Statistics

You can display network traffic statistics per VLAN using the vlan-stats-show command. This may be useful when troubleshooting network issues.

CLI network-admin@switch > vlan-stats-show format all layout vertical

switch:       pubdev03

time:         10:51:02

vlan:         1

vnet:

ibytes:       36.2T

ipkts:        89.0G

idrops-bytes: 119M

idrops-pkts:  313K

obytes:       0

opkts:        0

odrops-bytes: 0

odrops-pkts:  0

switch:       pubdev03

time:         10:51:02

vlan:         35

vnet:

ibytes:       10.8K

ipkts:        154

idrops-bytes: 0

idrops-pkts:  0

obytes:       0

opkts:        0

odrops-bytes: 0

odrops-pkts:  0

switch:       pubdev02

time:         10:51:02

vlan:         1

vnet:

ibytes:       34.9T

ipkts:        84.6G

idrops-bytes: 3.03M

idrops-pkts:  5.69K

obytes:       0

opkts:        0

odrops-bytes: 0

odrops-pkts:  0

 

The output displays the following information:

Configuring Rapid Spanning Tree Protocol (RSTP)

Rapid Spanning Tree Protocol (RSTP) is a standard inter-switch protocol to ensure that an ad hoc network topology is loop-free at Layer 2, on a per-VLAN basis. If your network connections form loops and STP is disabled, packets re-circulate between the switches, causing a degradation of network performance. If you are certain that your network connections are loop-free, you do not need to enable RSTP. A drawback of STP is that it does not allow for Layer 2 multipathing and can result in sub-optimal utilization of available network links. Therefore, a fabric of switches does not run RSTP within the boundaries of the fabric. The use of RSTP is recommended for ad hoc networks that interoperate in a heterogeneous, multi-vendor switch environment.

To build a loop-free topology, switches (“bridges”) have to determine the root bridge and compute the port roles: root, designated, or blocked. To do this, the bridges use special data frames called Bridge Protocol Data Units (BPDUs) to exchange information about bridge IDs and root path costs. BPDUs are exchanged regularly, typically at two-second intervals, and enable switches to keep track of network topology changes and to start and stop forwarding on ports as required. Hosts should not send BPDUs to their switch ports, and to prevent malfunctioning or malicious hosts from doing so, the switch can filter or block BPDUs. If you enable BPDU filtering on a port, BPDUs received on that port are dropped but other traffic is forwarded as usual. If you enable BPDU blocking on a port, BPDUs received on that port are dropped and the port is shut down.

 

Rapid Spanning Tree Protocol edge ports are also supported: modify an STP port and configure it as an edge port.


 

Informational Note:  RSTP is enabled on the switch by default.

Before you begin, view the status of STP on the switch by using the following command:

CLI network-admin@switch > stp-show

switch:             tac-1

enable:             yes

stp-mode:           rstp

bpdus-bridge-ports: yes

bridge-id:          3a:7f:b1:43:8a:0f

bridge-priority:    32768

hello-time:         2

forwarding-delay:   15

max-age:            20

cluster-mode:       master

 

 

1. To disable STP, use the following command:

CLI network-admin@switch > stp-modify disable

2. To display the STP state, use the following command:

CLI network-admin@switch > stp-state-show

switch:           Leaf01

vlan:             1

ports:            none

instance-id:      1

name:             stg-default

bridge-id:        66:0e:94:65:e1:ef

bridge-priority:  8193

root-id:          64:0e:94:c0:06:4b

root-priority:    4097

root-port:        128

hello-time:       2

forwarding-delay: 15

max-age:          20

disabled:         none

learning:         none

forwarding:       25-28,128-129

discarding:       none

edge:             25-28

designated:       25-28,129

alternate:        none

backup:           none

 

 

To display information about STP on ports, use the stp-port-show command:

CLI network-admin@switch > stp-port-show

switch   port block filter edge bpdu-guard root-guard priority cost

-------- ---- ----- ------ ---- ---------- ---------- -------- ----

draco01  1    off   off    no   no         no         128      500  

draco01  2    off   off    no   no         no         128      2000

draco01  3    off   off    no   no         no         128      2000

draco01  4    off   off    no   no         no         128      2000

draco01  5    off   off    no   no         no         128      500  

draco01  6    off   off    no   no         no         128      500  

draco01  7    off   off    no   no         no         128      2000

draco01  8    off   off    no   no         no         128      2000

draco01  9    off   off    no   no         no         128      2000

draco01  10   off   off    no   no         no         128      500

 

3. To filter BPDUs on port 17, use the following command:

CLI network-admin@switch > stp-port-modify port 17 filter

4. To block BPDUs on port 17 and shut down the port if BPDUs are received on the port, use the following command:

CLI network-admin@switch > stp-port-modify port 17 block

5. To stop blocking BPDUs on port 17, use the following command:

CLI network-admin@switch > stp-port-modify port 17 no-block

6. You can disable STP on a port or a group of ports. If the devices connected to the switch ports are hosts and not downstream switches, or you know that a loop is not possible, then disable STP on those ports and they come up much faster when the switch restarts.

7. To enable RSTP edge-port behavior on port 35, use the following command:

CLI network-admin@switch > stp-port-modify port 35 edge

8. To enable STP, use the following command:

CLI network-admin@switch > stp-modify enable
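Two things in the procedure above are worth checking programmatically after the fact: which edge ports were left without BPDU blocking (a filter alone drops BPDUs silently and keeps the port up, so it does not detect a loop through a host), and whether the root bridge shown by `stp-state-show` is the one you expect. The script below is an added example, not Netvisor OS code. Its `stp-port-show` table is constructed in the column layout shown above, and the bridge ID and priority pairs are taken from the two `stp-state-show` outputs on this page; the election rule it implements is the IEEE 802.1D one (lowest priority wins, ties broken by the lowest bridge MAC), and the 4097/8193/32769 values carry VLAN 1 in the low 12 bits of the priority field.

```python
"""Audit 'stp-port-show' output and reproduce the RSTP root-bridge election.

Added example. SAMPLE_STP_PORT_SHOW is constructed in the documented table
layout (the edge/block/filter settings on ports 3, 5, 17 and 35 are made up
for the demonstration). The bridge tuples come from the stp-state-show
outputs shown in the documentation.
"""
from typing import Dict, List, Tuple

SAMPLE_STP_PORT_SHOW = """\
switch   port block filter edge bpdu-guard root-guard priority cost
-------- ---- ----- ------ ---- ---------- ---------- -------- ----
draco01  1    off   off    no   no         no         128      500
draco01  2    off   off    no   no         no         128      2000
draco01  3    off   off    yes  no         no         128      2000
draco01  5    off   on     yes  no         no         128      500
draco01  17   on    off    yes  no         no         128      2000
draco01  35   off   off    yes  yes        no         128      2000
"""

# (bridge-priority, bridge-id) pairs as displayed on this page's stp-state-show outputs.
LEAF01_BRIDGES = [(8193, "66:0e:94:65:e1:ef"), (4097, "64:0e:94:c0:06:4b")]
LEAF1_BRIDGES = [(32769, "66:0e:94:d5:b0:cc"), (32769, "66:0e:94:35:c2:ce")]


def parse_table(text: str) -> List[Dict[str, str]]:
    """Parse a whitespace-separated table with a header row and a dashes row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows: List[Dict[str, str]] = []
    for ln in lines[2:]:  # skip header and the '----' separator
        cells = ln.split()
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def unprotected_edge_ports(text: str) -> List[int]:
    """Edge ports where neither BPDU block nor bpdu-guard is on.

    A BPDU filter by itself is not counted as protection: it discards BPDUs
    but leaves the port forwarding, so a host that bridges two ports would
    still create an undetected loop.
    """
    return [int(r["port"]) for r in parse_table(text)
            if r["edge"] == "yes" and r["block"] == "off" and r["bpdu-guard"] == "no"]


def mac_to_int(mac: str) -> int:
    """'64:0e:94:c0:06:4b' -> integer, for numeric bridge-ID comparison."""
    return int(mac.replace(":", ""), 16)


def elect_root(bridges: List[Tuple[int, str]]) -> Tuple[int, str]:
    """Choose the root bridge: lowest priority wins, ties broken by the lowest MAC.

    Priorities displayed by stp-state-show include the VLAN id in the low
    12 bits (4097 = 4096 + VLAN 1), which does not change the ordering.
    """
    return min(bridges, key=lambda b: (b[0], mac_to_int(b[1])))


if __name__ == "__main__":
    print("edge ports without BPDU block/guard:", unprotected_edge_ports(SAMPLE_STP_PORT_SHOW))
    print("Leaf01 root:", elect_root(LEAF01_BRIDGES))
    print("Leaf-1 root:", elect_root(LEAF1_BRIDGES))
```

For the first `stp-state-show` output on this page the election returns priority 4097 with ID 64:0e:94:c0:06:4b, matching the displayed root-id; for the second, both bridges share priority 32769 and the lower MAC 66:0e:94:35:c2:ce wins, again matching the output. Ports 3 and 5 in the constructed table are the ones a reviewer would send back to step 4.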

Fast Failover for STP and Cluster

Previously, cluster STP operation did not support fast failover because the STP state machine state was not shared between the two nodes. As a result, when the master failed, the slave recomputed its STP state from scratch, and when the cluster came back online, the cluster again recomputed the STP state from scratch. This caused topology changes, which caused traffic loss until STP converged. Fast failover is now supported by default.

New show commands are available for this feature:

stp-state-show

stp-port-state-show

CLI network-admin@switch > stp-state-show

switch:           Leaf-1

vlan:             1

ports:            none

instance-id:      1

name:             stg-default

bridge-id:        66:0e:94:d5:b0:cc

bridge-priority:  32769

root-id:          66:0e:94:35:c2:ce

root-priority:    32769

root-port:        128

hello-time:       2

forwarding-delay: 15

max-age:          20

disabled:         none

learning:         none

forwarding:       none

discarding:       none

edge:             none

designated:       none

alternate:        none

backup:           none

 

STP parameters such as bridge-priority and port cost values configured before upgrading to  2.4.0 are reset to default values after the upgrade to 2.4.0. You must reconfigure STP after upgrading the software.

Multiple Spanning Tree Protocol (MSTP)


 

Informational Note:  This feature is not supported on the F64 platform.


Multiple Spanning Tree Protocol, as defined in IEEE 802.1s and IEEE 802.1Q-2005, provides the ability to manage multiple VLANs from a single Multiple Spanning Tree (MST) instance. MST allows the formation of MST regions that can run multiple MST instances (MSTIs). Multiple regions and other STP bridges are interconnected using one single common spanning tree (CST).

An MSTP region is defined as a collection of switches that must all have the same VLANs configured. Each MST region must have a root bridge, and the root bridge may not reside outside of the region. MST for a single region is supported, which enables multiple MST instances within that region.

The following commands support the configuration of MST instances on a local switch:

 

CLI network-admin@switch > mst-config-create

instance-id id

Specify the ID as a number between 0 and 63 for MST configuration.

vlans vlan-list

Specify the list of VLANs associated with the MST configuration 

bridge-priority bridge-priority-number

Specify the bridge priority number for MST. 

 

Additional commands for MST include the following:

To configure MST, use the following commands:

CLI network-admin@switch > mst-config-create instance-id 1-63 vlans vlan-list bridge-priority 4096

The bridge priority is a value from 0 to 65536, with a default value of 0. The value increments by 4096 each time. For example, the values can be 0, 4096, 8192, up to 65536.

 

About Port Hairpinning 

Port hairpinning allows Layer 2 bridged traffic to exit out of the same switch-port that it arrived on. This is useful because it supports hosting containers with Single Root I/O Virtualization (SR-IOV) network interfaces and classifies traffic going towards the applications.

This feature also allows the first-hop switch to enforce policies and security rules in hardware, through vflows, and may be used where a Netvisor OS-enabled switch micro-segments traffic, for example with whitelists.

You can use this feature when modifying a port configuration and when creating or modifying a trunk configuration with link aggregation.


 

Informational Note:  If you configure this feature on a port that is not connected to a server, it may cause network issues.

The following types of traffic to bridge back:

To enable this feature, use the following command:

CLI network-admin@switch > port-config-modify port port-list reflect

To disable this feature:

CLI network-admin@switch > port-config-modify port port-list no-reflect

Command Options

The following options for the port-config-modify command are:

CLI network-admin@switch > port-config-modify

port-config-modify

modifies a port configuration

reflect|noreflect

enables or disables physical port reflection

CLI network-admin@switch > port-config-show

port-config-show

displays information about port configurations

reflect|noreflect

indicates if physical port reflection is enabled or not

The following hairpinning options for the trunk-create, trunk-modify, and trunk-show commands are:

CLI network-admin@switch > trunk-create

trunk-create

create a trunk configuration for link aggregation

reflect|noreflect

enables or disables physical port reflection

CLI network-admin@switch > trunk-modify

trunk-modify

modify a trunk configuration for link aggregation

reflect|noreflect

indicates if physical port reflection is enabled or not

CLI network-admin@switch > trunk-show

trunk-show

display trunk configuration

reflect|noreflect

indicates if physical port reflection is enabled or not
