VLANs logically divide the LAN into separate broadcast domains without using routers. Switches with VLAN capability allow ports to be configured as access, trunk, or general ports. Access ports belong to one VLAN and use untagged frames. Trunk ports can belong to multiple VLANs and use tagged frames, with a native VLAN using untagged frames. Ingress filtering ensures frames are tagged with an associated VLAN.
2. Transparent Bridge Process (Unicast)
• Learning – reading the MAC source address and adding it to the
lookup table
• Flooding – sending a packet to all segments (if no entry for
destination MAC)
• Forwarding – “connecting” 2 segments to forward a packet (with a
known destination MAC)
• Filtering – ignoring packets sent on the same node
• Aging – removing “old” entries from the lookup table
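The five bridge operations above, run on a small timeline, as an added example (not code from the training material): a three-port learning bridge with a MAC lookup table keyed by source address, the 300-second aging time used later on the page, and constructed MAC addresses A, B and C. The trace shows flooding for an unknown destination, forwarding once the destination has been learned, filtering when source and destination sit behind the same port, and flooding again after the table has aged out.

```python
"""Transparent learning bridge: learning, flooding, forwarding, filtering and
aging. Added example (not from the training material); the bridge, the MAC
addresses and the timeline below are constructed for illustration."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300          # default aging time of the switch described later on the page


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningBridge:
    ports: list
    aging: int = AGING_SECONDS
    # lookup table: MAC -> (port, time last seen)
    table: dict = field(default_factory=dict)

    def age(self, now):
        """Aging: remove entries not refreshed within the aging time."""
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.aging]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port, frame, now):
        """Handle one frame arriving on in_port; return the list of output ports."""
        self.age(now)
        # Learning: the source MAC lives behind in_port (also refreshes the timestamp)
        self.table[frame.src] = (in_port, now)
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # Flooding: broadcast or unknown destination goes to every other segment
            return [p for p in self.ports if p != in_port]
        out_port, _ = self.table[frame.dst]
        if out_port == in_port:
            # Filtering: destination is on the sender's own segment, nothing to do
            return []
        # Forwarding: "connect" the two segments for this one frame
        return [out_port]


def demo():
    """Timeline on a 3-port bridge; returns the output ports chosen for each frame
    and the lookup table left behind."""
    br = LearningBridge(ports=[1, 2, 3])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    trace = [
        br.receive(1, Frame(a, b), now=0),    # B unknown: flood to ports 2 and 3
        br.receive(2, Frame(b, a), now=1),    # A learned on port 1: forward there
        br.receive(1, Frame(a, b), now=2),    # B learned on port 2: forward there
        br.receive(1, Frame(c, a), now=3),    # A is behind port 1 too: filtered
        br.receive(1, Frame(c, b), now=400),  # all entries aged out: flood again
    ]
    return trace, br.table
```

The last step is the one worth noticing from a monitoring standpoint: after the aging time passes without traffic, the bridge falls back to flooding, so a quiet host's frames become visible on every segment again until it is relearned.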
3. Transmission Via a Bridge/Switch
[Figure: a sender (NODE MAC_A, NET 1.1.1.1) on port 1 and a receiver (NODE MAC_B, NET 1.1.1.2) on port 2 of a switch/bridge; a third node, MAC_R, is also shown. Packet p1 enters on port 1 and leaves as p2 on port 2 with its headers unchanged.]
MAC Header: DEST: B, SRC: A
IP Header: DEST: 1.1.1.2, SRC: 1.1.1.1
DATA
Lookup table (VLAN aware):
VID   MAC   PORT   TIME
1     A     1      ##:##
1     B     2      ##:##
Lookup table (VLAN unaware):
port   MAC   TIME
1      A     ##:##
2      B     ##:##
Marvell Confidential
4. Virtual LAN (VLAN)
• VLANs logically (software) divide the LAN into separate subgroups - broadcast
domains
• VLAN groups relate users regardless of the physical LAN segment to which the
hosts are attached
• Allows traffic to flow more efficiently within populations of mutual interest
• VLANs allow broadcast domains to be defined without using routers
• Routers are needed for communication between the different VLANs
7. Multiple VLANs on One Device – One Armed Router
[Figure: VLANs A, B, C and D on one bridge/switch; a one-armed router attaches over a single link that carries A, B, C and D and routes between them (other links are labelled A,B,C and C,D).]
8. Benefits of VLANs
• Improves network performance
• Reduces the number of routers needed
• Flexible network segmentation (virtual workgroups)
• Simplified administration
• Enhanced network security
• Reduces network solution cost
• Better use of server resources
9. Types of VLANs
• Membership by 802.1Q tag
• Membership by port
• Membership by MAC address
• Membership by protocol (IP, IPX…)
• Membership by subnet
• Membership by application or service (telnet, FTP..)
11. VLAN - Proprietary
• VLAN multi-switch solutions were proprietary and vendor
based:
– Cisco: ISL
– Bay : Lattisspan
– 3Com: VLT
– Cabletron: SecureFast
• Proprietary VLANs are a disadvantage for networks that don’t
wish to be vendor dependent
• The IEEE 802.1q standardized VLANs
12. Forwarding a Known Unicast Frame
VLAN Unaware Switch
• Determine the output port associated with the destination address based on the address table
• If associated port is different from source port, forward the frame to the destination port
• Otherwise – discard the frame
VLAN Aware Switch
• Determine the VLAN associated with the received frame
• Determine the output port associated with the destination address based on the address table
• If associated port is not the source port, and is a member of the VLAN - forward the frame
• Otherwise, discard the frame
13. Forwarding Unknown Unicast and Multicast Frames
VLAN Unaware Switch
• Flood the frame to all ports except the source port
VLAN Aware Switch
• Determine the VLAN associated with the received frame
• Flood the frame only to ports that are members of the VLAN, except the source port (if ingress filter is on)
14. VLAN Tagging Methods
• Explicit tagging – VLAN membership is indicated by adding
a tag to each packet
• Implicit tagging - VLAN membership is determined by
examining information that already exists within each
packet:
– Protocol ID (ether type) of the packet
– MAC address (range)
– Etc.
15. Types of devices on VLAN
• VLAN aware device
Understands VLAN membership
(which user belongs to which VLAN) and format
– Making forwarding decisions based on VLAN
association and not only on destination address
– Adding (and removing) explicit VLAN identification
(tagging) to frames (tag aware)
• VLAN unaware device (usually SNMP unmanaged devices)
Does not Understand VLAN membership & format
16. Frames Sent by Aware/Unaware Devices
• VLAN unaware device – sends untagged frames (implicit) to all connected devices
• VLAN aware device – sends tagged frames (explicit) to other VLAN aware devices
17. Type of Links – Access Link
• Connects VLAN tagged unaware devices to the port of a
VLAN tagged aware switch
• The VLAN switch adds tags to received frames, and
removes tags when transmitting frames
• All frames on access links are untagged
[Figure: VLAN tagged aware switch – Access Link (VLAN A) – VLAN tagged unaware device]
18. Types of Links – VLAN Trunk Link
• Attaches 2 VLAN aware switches
(or other VLAN tagged aware devices)
• All frames on VLAN Trunk links must have a special header attached
(tagged frames)
• Allows for multiple VLAN frames to use one link
[Figure: two VLAN tagged aware switches joined by a VLAN Trunk Link; a VLAN tagged aware workstation is attached over a VLAN Trunk Link as well]
19. Types of Links – General Link
• Combination of VLAN Trunk and access Links
• Both VLAN aware and unaware devices are connected
• Can have both tagged and untagged frames,
but
all frames sent to a specific VLAN must be either tagged or untagged
[Figure: VLAN tagged aware switch – General Link – VLAN tagged aware switch, with a VLAN tagged unaware workstation (VLAN B) and a VLAN tagged aware workstation on the same link]
20. Tagged/Untagged Frames on Links
• Trunked Link – tagged frames
• General Link – tagged and untagged frames
• Access Link – untagged frames
22. Advantage/Disadvantage of Tagging
Advantages
• The standard way of VLAN implementation in the networking devices
• VLAN association rules need to be applied only once
• Only edge switches need to know the VLAN association rules
• Core switches can get higher performance by operating on an explicit VLAN identifier
• VLAN aware end stations can reduce load from switches
Disadvantages
• Tags can be interpreted only by VLAN aware devices
• Edge switches must strip tags before forwarding them to VLAN unaware devices
• Insertion or removal of a tag requires recalculation of CRC
• May increase length of frame beyond maximum (“old” frame size – 1518 bytes, “new” frame size – 1522 bytes)
23. VLAN - Tagged/ Untagged Ports
• The behavior of a specific port added to one or more VLANs depends on the
mode of the port – access, trunk or general.
• A port added to a VLAN on a (VLAN aware) device can be in one of 2 states –
tagged or untagged (for each specific VLAN)
• A certain VLAN can have both tagged and untagged ports
24. Ingress Port behavior
• At the ingress – tagged and untagged VLAN configuration
have the same effect:
– Tagged frames which have a VID matching that of one of the VLANs
defined on the port – are forwarded
– Tagged frames which have a VID that does not match any of the
VLANs defined on the port – are discarded
– Untagged frames are forwarded on the VLAN which is the PVID – and
PVID tag is added to the frames
25. Egress Port behavior
• At the egress – tagged and untagged VLAN port configuration have
different effects:
– Tagged VLANs forward the egress traffic (“out of the device”)
as tagged frames
– Un-tagged VLANs forward the egress traffic (“out of the device”)
as un-tagged frames
26. The VLAN Tag – Ethernet Frame
Destination Address | Source Address | TPID (2 Bytes) | TCI (2 Bytes) | Length/Type | DATA | FCS
TPID – Tag Protocol Identifier
TCI – Tag Control Information
27. The VLAN Tag
TPID – Tag Protocol Identifier (2 Bytes): VLAN protocol Id = 0x8100
TCI – Tag Control Information (2 Bytes): Tag Priority (3 Bits) | CFI (1 Bit) | VID (12 Bits)
• Tag priority according to IEEE802.1p
• CFI – Canonical Format Indicator
• VID – VLAN ID
28. Tag Control Information
• Tag Priority –
– “Piggyback” on VLAN TAG
– 7 is the highest priority (0 the default)
• CFI –
– Value 1
VLAN tag extended to include embedded Source Routing
information which will also contain the canonical format of any
embedded MAC address
– Value 0
VLAN tag not extended + any embedded MAC addresses are
in canonical (Little Endian) format
• VLAN ID
– Between 1 to 4094 (0x000 and 0xFFF reserved)
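The tag layout of slides 26-28 in code, as an added example (not the page's own code): packing and unpacking the 16-bit TCI into its 3-bit priority, CFI and 12-bit VID, recognising a tag by the 0x8100 TPID, inserting a tag the way an edge switch does on ingress, and stripping it for a VLAN unaware device. The frame bytes in the test are constructed; the FCS is not carried in the buffers here, which is why the length check adds four bytes for it and why the comment reminds you that a real sender recomputes the CRC after any tag change.

```python
"""Build and parse the IEEE 802.1Q tag shown on slides 26-28. Added example,
not code from the page; the frame bytes used in the test are constructed."""
import struct

TPID_8021Q = 0x8100          # VLAN protocol Id from the slide
MAX_UNTAGGED_FRAME = 1518    # "old" maximum frame size
MAX_TAGGED_FRAME = 1522      # "new" maximum: four extra tag bytes
RESERVED_VIDS = (0x000, 0xFFF)


def build_tci(priority, cfi, vid):
    """Pack priority (3 bits), CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("TCI field out of range")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci):
    """Inverse of build_tci."""
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def parse_frame(frame):
    """Split an Ethernet frame (without FCS) into addresses, optional tag, type and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        tag = parse_tci(tci)
        (ethertype,) = struct.unpack("!H", frame[16:18])  # original Length/Type follows the tag
        offset = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[offset:]}


def insert_tag(frame, vid, priority=0, cfi=0):
    """Explicit tagging as an edge switch does on ingress: TPID+TCI go after the source address."""
    if vid in RESERVED_VIDS:
        raise ValueError("VID 0x000 and 0xFFF are reserved; usable VIDs are 1..4094")
    if parse_frame(frame)["tag"] is not None:
        raise ValueError("frame is already tagged")
    tagged = frame[:12] + struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid)) + frame[12:]
    if len(tagged) + 4 > MAX_TAGGED_FRAME:       # +4 for the FCS that is not carried here
        raise ValueError("tagged frame would exceed 1522 bytes")
    return tagged   # the sender must recompute the FCS after this change


def strip_tag(frame):
    """Remove the tag before forwarding to a VLAN unaware device."""
    if parse_frame(frame)["tag"] is None:
        return frame
    return frame[:12] + frame[16:]
```

`parse_frame` is also what a capture tool needs to attribute a frame to the right VLAN: the real Length/Type field sits at offset 16 once a tag is present, so any parser that reads it at offset 12 misclassifies every tagged frame.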
29. VLAN Port Database
PORTS     1          2          3          …        24
VLAN      use  tag   use  tag   use  tag   …        use  tag
1         1    1     1    0     0    x     …  …     1    0
2         0    x     1    0     1    1     …  …     1    1
3         1    0     0    x     0    x     …  …     0    x
…         …    …     …    …     …    …     …  …     …    …
4094      1    1     1    1     0    x     …  …     1    0
30. Switch Filtering Operation Process
• Ingress
- Takes received frames from a physical port and performs 3 operations:
* Acceptable frame filter
* ingress rules
* ingress filter
• Progress
- Forwarding decision according to database
• Egress
- How to transmit frames through the output ports
31. Switch Filtering Operation
[Figure: for each port 1…n the input side runs Port If. → Acceptable Frame Filter → Ingress Rules → Ingress Filter (Ingress), frames then pass the Forwarding Decision through the Switch Fabric (Progress), and the output side runs Egress Rules → Port If. (Egress)]
32. Switch Filtering - Ingress
• Acceptable Frame Filter
- Admit all / admit only tagged
• Ingress rules
- Tagged frame – according to tag
- Untagged frame – association rules (PVID)
• Ingress Filter (default is on)
- Forwards frames only if the frame’s tag VID is equal to the VID of one of
the VLANs configured on the port
33. Switch Filtering - Process
• Filtering Database
- Either static or dynamic entries
- Either unicast or multicast entries
• Forwarding decisions
- Known MAC addresses
Lookup in MAC address table.
Lookup key is based on both:
VLAN tag and destination MAC address
leading to the required egress port
- Unknown Unicast – initial lookup in MAC forwarding table, when entry
is not found – flooding is performed based on the VLAN Port Table
- Broadcast frame – lookup is done directly at the VLAN Port Table
(flooding to all ports of the VLAN)
34. Switch Filtering - Egress
• Egress Rules Model
- Forwards frames as tagged frames if the egress port is defined as
VLAN tagged (for that specific VLAN)
- Forwards frames as untagged frames if the egress port is defined as
VLAN un-tagged (for that specific VLAN)
35. PSS
[Figure: PSS ASIC block diagram – frames arrive on the incoming port, pass ingress filtering and a MAC table lookup backed by a fast forwarding table; when the entry is not found the unknown destination MAC address is broadcast to all ports in the same VLAN (VLAN 1, VLAN 2); buffers hold frames in between]
36. Filtering Database – MAC Address
Entries
• Dynamic MAC address entries are learned based on the source
MAC of received packets
• Dynamic entries are subject to aging
• Static MAC entries are configured by user, and may be permanent,
erased when rebooting or subject to aging
• Lookup in the MAC Forwarding Table (the Filtering Database) is
based on VID + Destination Port
38. VLAN Overview
• AT- 8000S devices support 256 VLANs which can be
assigned a VID from the full range of 4k VLAN Ids
• Default and the “discard” VLANs (4095), are treated
specially as described.
• Some VLAN IDs may be pre-assigned by the system for
operational usage.
• The number of (VLANs * ports) configured on the system
should be less than or equal to 64K.
39. VLAN Overview
• Note that the system will never send a frame tagged with
VID=1, since the default VLAN can be used (defined) on a
port only if it is set to be that port’s PVID
• Note that by using PVID=4095 the user in effect limits the “allowed
frame types” to “tagged only” for incoming frames.
• Reference: IEEE802.1Q.
41. Access Mode
• Ports set to Access Mode belong to one VLAN only,
whose VID is the currently set PVID (default =1).
• This implies that the Ports will accept all untagged frames
(and assign them the PVID tag), and all frames tagged with
the VID currently set with the port’s PVID.
• All traffic sent out will be untagged.
• If the current PVID of the port is deleted from the system
or deleted from the port, the Port’s PVID will be set to 1
(That is, the port will be made a member of VLAN#1, the
default VLAN).
42. Access Mode
• Ingress Filtering is always ON for ports in Access Mode.
• Access mode ports are intended to connect end-stations to
the system, especially when the end-stations are incapable
of generating VLAN tags
43. Trunk Mode
• Ports set to Trunk mode can belong to as many VLANs
as desired.
• The port has a native VLAN (PVID) which is untagged,
all other VLANs are tagged
• The ports will accept both tagged and untagged
frames.
• Untagged frames will be classified to the port’s PVID.
44. Trunk Mode
• Ingress filtering is always enabled on Trunk-mode ports.
Incoming tagged frames will undergo Ingress filtering and if
correctly tagged, (tagged with a VID of one of the VLANs to
which the port currently belongs) they will be admitted,
otherwise – they will be discarded
• Egress frames forwarded on to the PVID VLAN will be sent out
un-tagged
• Egress frames sent to all other VLANs active on the port will
be sent tagged.
45. Trunk Mode
• The default PVID (native VLAN) is 1 (the default VLAN).
• If another VID is configured as the port’s PVID, and the
corresponding VLAN is deleted from the port or from the
system, the port’s PVID returns to 1.
(That is, the port will be made a member of the Default VLAN)
• Trunk-mode ports are intended for Switch-to-Switch links,
where usually all traffic is tagged.
46. General Mode
• Ports set to General mode may be members of as many
VLANs as desired.
• Port configured in the general mode can be assigned as
untagged to as many VLANs as desired
• The user can set separately for each VLAN whether it will be
Tagged or Untagged. This setting applies to transmitted
frames.
• The user can configure a PVID. The default PVID is the default
VLAN.
• The PVID can be that of any of the VLANs configured on the
port (tagged or untagged) and also VLANs not configured on the
port or even not configured on the device
47. General Mode
• Incoming Tagged frames are classified according to their
TAG and discarded if such a VLAN is not defined on the
port.
• Incoming untagged frames are classified into the VLAN
whose VID is the currently configured PVID, and:
– The frame is accepted if this VID (besides being the PVID) is
defined on the port
– The frame is discarded if this VID is not defined on the port
(although it is the PVID)
• Ingress filtering may be turned OFF on General-mode ports,
if so desired. Ingress filtering is ON by default.
• User can define whether to accept only tagged frames or
all frame types
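The ingress and egress rules of slides 24-25 and 30-34, applied to the three port modes of slides 41-47, as one added per-frame model (not the vendor's code; the five-port switch, its static filtering database and the MAC addresses are constructed here). Access and trunk ports have ingress filtering forced on, a general port can switch it off and can demand tagged-only frames, the lookup key is VLAN plus destination MAC, an unknown destination floods only the VLAN's member ports, and each egress port decides tagged versus untagged per VLAN. Port 4 shows the general-mode edge case from slide 47: a PVID that is not defined on the port means every untagged frame is discarded.

```python
"""Per-frame model of the page's ingress and egress rules for access, trunk and
general ports (slides 24-25, 30-34 and 41-47). Added example, not the switch
vendor's code; the ports, FDB and MAC addresses below are constructed."""
from dataclasses import dataclass, field

DEFAULT_VLAN = 1


@dataclass
class Port:
    mode: str                                   # "access", "trunk" or "general"
    pvid: int = DEFAULT_VLAN
    tagged: set = field(default_factory=set)    # VLANs this port transmits tagged
    untagged: set = field(default_factory=set)  # VLANs this port transmits untagged
    ingress_filtering: bool = True              # configurable on general ports only
    tagged_only: bool = False                   # acceptable frame type, general ports only

    def members(self):
        return self.tagged | self.untagged


def access_port(vlan):
    """One VLAN (the PVID), all egress untagged, ingress filtering always on."""
    return Port("access", pvid=vlan, untagged={vlan})


def trunk_port(native, allowed):
    """Native VLAN untagged, every other allowed VLAN tagged, filtering always on."""
    return Port("trunk", pvid=native, untagged={native}, tagged=set(allowed) - {native})


def general_port(pvid, tagged=(), untagged=(), ingress_filtering=True, tagged_only=False):
    """Per-VLAN tagged/untagged choice; the PVID may even be a VLAN not on the port."""
    return Port("general", pvid, set(tagged), set(untagged), ingress_filtering, tagged_only)


def classify_ingress(port, tag_vid):
    """Acceptable frame filter, ingress rules and ingress filter (slide 32).
    Returns the VID the frame is classified to, or None when it is discarded."""
    if tag_vid is None:
        if port.tagged_only:
            return None                          # acceptable frame type: tagged only
        vid = port.pvid                          # untagged frame -> PVID
    else:
        vid = tag_vid                            # tagged frame -> VID from the tag
    filtering = port.ingress_filtering if port.mode == "general" else True
    if filtering and vid not in port.members():
        return None                              # VID not configured on this port
    return vid


def egress_form(port, vid):
    """Egress rules (slide 34): 'tagged', 'untagged', or None if not a member."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def forward(ports, fdb, in_port, dst_mac, tag_vid):
    """Whole pipeline for one frame: {out_port: form}, {} if dropped after lookup,
    or None if discarded at ingress. fdb maps (VID, MAC) -> port (slide 33)."""
    vid = classify_ingress(ports[in_port], tag_vid)
    if vid is None:
        return None
    out = fdb.get((vid, dst_mac))
    if out is None:                              # unknown unicast / broadcast: flood the VLAN
        return {p: egress_form(ports[p], vid) for p in ports
                if p != in_port and egress_form(ports[p], vid)}
    form = egress_form(ports[out], vid)
    if out == in_port or form is None:           # slide 12: not the source port and a member
        return {}
    return {out: form}


def build_sample_switch():
    ports = {
        1: access_port(2),
        2: trunk_port(native=1, allowed={2, 3}),
        3: general_port(pvid=100, tagged={2}, untagged={100}),
        4: general_port(pvid=5, untagged={2}),                         # PVID 5 not on the port
        5: general_port(pvid=2, untagged={2}, ingress_filtering=False),
    }
    fdb = {(2, "00:00:00:00:00:0a"): 1, (3, "00:00:00:00:00:0c"): 2}
    return ports, fdb
```

Port 5 is the configuration to look for in a review: with ingress filtering off, a tagged frame for VLAN 3 is admitted although the port is not a member of VLAN 3, and it floods to the trunk. Leaving the default (filtering on) or using access mode on host-facing ports keeps a port's reach equal to its configured membership.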
49. AT- 8000S VLAN – User Settings
• Device level setting (VLAN database context):
– Creating/deleting VLANs on the system
• VLAN level settings (interface VLAN context)
– Assigning the VLAN a name
– Adding static MAC entries to one of the VLAN’s ports
– General interface commands (e.g: ip, igmp, etc - see other
presentations)
• Port level settings (interface Ethernet context)
– Defining the port mode as general, trunk or access (the
default)
– Defining access port’s current VLAN (PVID)
50. AT- 8000S VLAN – User Settings
• Port level settings (cont’)
– Defining the “native” (pvid) Trunk mode port
– Defining the PVID for General mode port
– Adding/removing VLANs on a Trunk/General mode port
– Define VLANs as tagged/untagged on general mode port
– Defining a port as a forbidden port for a certain VLAN
– Control ingress filtering of general mode port (Default=on)
– Defining acceptable frame type for General Port (tagged only
or all)
– Mapping MAC-groups to VID
52. VLAN Configuration - General
• Use the following Global Mode command to enter VLAN
Database mode:
vlan database
• Example:
– Enter VLAN Configuration Mode
console#
console# configure
console(config)# vlan database
console(config-vlan)#
53. Creating VLANs - Configuration
• Use the following VLAN Configuration Mode Command to
create a new VLAN:
vlan vlan-range
• To erase a VLAN use the “no” form of the command:
no vlan vlan-range
• Example – creating VLANS with VID 2,3,100 and 101, and
then erasing VLAN 101
console(config-vlan)# vlan 2,3,100,101
console(config-vlan)# no vlan 101
54. VLAN parameters - Name
• To change a parameter of a specific VLAN enter the
Interface VLAN Configuration Mode for that VLAN:
• Example – assigning the VID=2 the name “success”
(Default name for a VLAN is the vlan tag):
console(config)# interface vlan 2
console(config-if)# name success
console(config-if)#
55. VLAN Port Mode - Configuration
• Use the following Interface Mode Command to define the
“VLAN mode” (access/ general/ trunk) of a certain interface
(Ethernet/Port Channel):
switchport mode { access | trunk | general }
• Use the “no” form of the command to return to default (access
mode):
no switchport mode
Note: Trunk and General Mode ports can be changed to Access
Mode only if all VLANs (except for an untagged PVID) were
first removed
56. VLAN Port Mode - Configuration
• Example – defining a port as a General Mode port:
console(config)# interface ethernet 1/e11
console(config-if)# switchport mode general
57. Access Mode Port Configuration
• Use the following Interface Mode command to define a VLAN on a
port in the access mode:
switchport access vlan vlan-id
• Example – defining VLAN 2 on access port 1/e12:
console(config)# interface ethernet 1/e12
console(config-if)# switchport mode access
console(config-if)# switchport access vlan 2
58. Trunk Mode Port Configuration
• Use the following Interface Mode command to add/remove
VLAN(s) to port in the Trunk mode:
switchport trunk allowed vlan {add vlan-list | remove vlan-list}
• Example – adding VLANs 2,3 and 100 on Trunk port 1/e13:
console(config)# interface ethernet 1/e13
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2-3,100
console(config-if)#
59. Trunk Mode Port Configuration
• Use the following command to set the native (PVID) VLAN
on the port:
switchport trunk native vlan vlan-id
• If the port is already a member in the VLAN (not as a
native), it should be first removed from the VLAN
60. Trunk Mode Port Configuration
• Example - native VLAN:
– Defining VID=2 as native VLAN for port 1/e13 and
receiving system error notification
– removing VID=2 from port 1/e13 and then setting it as
the native VLAN
console(config)# interface ethernet 1/e13
console(config-if)# switchport trunk native vlan 2
Port 1/e13: Port is Trunk in VLAN 2.
console(config-if)# switchport trunk allowed vlan remove 2
console(config-if)# switchport trunk native vlan 2
console(config-if)#
61. Trunk Port – tagged/untagged
• Example - VLAN on port untagged on input and untagged on
output:
console(config)# interface ethernet 1/e18
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk native vlan 2
console(config-if)#
• Example - VLAN on port tagged on input and tagged on output:
console(config)# interface ethernet 1/e19
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2
62. General Mode Port Configuration
• Use the following Interface Mode command to add VLAN(s)
to a General Mode port:
switchport general allowed vlan add vlan-list [ tagged | untagged ]
Note!!! default is tagged
• To remove a VLAN(s) from the list:
switchport general allowed vlan remove vlan-list
63. General Mode Port Configuration
• Use the following command to set the PVID of a General
Port:
switchport general pvid vlan-id
• Use the “No” command to revert to the default VLAN
PVID:
no switchport general pvid
Note:
The PVID can be either a VID defined on the port (tagged or
untagged), or a VID not defined on the port or even on the
system
64. General Mode Port Configuration
• Example – General Mode port configuration
– Adding VLANs 2&3 as tagged, and VLAN 100 as untagged to
to general mode port 1/e14
– Defining VID 100 as the PVID
– Reverting to the default PVID (VID=1)
console(config)# interface ethernet 1/e14
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2-3 tagged
console(config-if)# switchport general allowed vlan add 100 untagged
console(config-if)# switchport general pvid 100
console(config-if)# no switchport general pvid
65. General Port – tagged/untagged
• Example - VLAN on port UNtagged on input and UNtagged on output:
console(config)# interface ethernet 1/e20
console(config-if)# switchport mode general
console(config-if)# switchport general pvid 2
console(config-if)# switchport general allowed vlan add 2 untagged
• Example - VLAN on port UNtagged on input and tagged on output:
console(config)# interface ethernet 1/e21
console(config-if)# switchport mode general
console(config-if)# switchport general pvid 2
console(config-if)# switchport general allowed vlan add 2 tagged
66. General Port – tagged/untagged
• Example - VLAN on port tagged on input and tagged on
output:
console(config)# interface ethernet 1/e22
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2 tagged
• Example - VLAN on port tagged on input and UNtagged on
output:
console(config)# interface ethernet 1/e23
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2 untagged
67. General Mode – Ingress Filtering
• Use the following command to disable ingress filtering on a General
Mode VLAN port. Use the “no” form of the command to switch filter
on:
switchport general ingress-filtering disable
no switchport general ingress-filtering disable
68. General Mode – Acceptable Frame Type
• Use the following Interface Mode command to discard untagged
frames at ingress. Use the no form of the command to allow
untagged frames at ingress (the default):
switchport general acceptable-frame-type tagged-only
no switchport general acceptable-frame-type tagged-only
69. Forbidding VLAN - Configuration
• Use the following Interface Mode command to forbid the
definition of a specific VLAN (statically or dynamically) on a port
(remove option – cancels the restrictions):
switchport forbidden vlan {add vlan-list | remove vlan-list}
• Note that the forbidden VLAN cannot be one that does not exist
on the system, or one already defined on the port
console(config)# interface ethernet 1/e21
console(config-if)# switchport forbidden vlan add 2
VLAN 2: Port 1/e21 cannot be Egress and Forbidden.
console(config-if)# switchport forbidden vlan add 55
VLAN 55: VLAN was not created by user.
console(config-if)#
console(config-if)# switchport forbidden vlan add 3
70. VLAN Show Commands
• Use the following EXEC mode command to view entire device VLAN
configuration:
show vlan
• Use the following EXEC mode command to show interfaces belonging to a
specific VLAN on the device:
show vlan {tag vlan-id | name vlan-name}
71. VLAN Show Commands
• Example – Show VLAN device configuration:
console# show vlan
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
1 1 1/e(1,10-12,15-24),ch(1-8) other Required
2 success 1/e(2-9,13-14) permanent Required
3 3 1/e(13-14) permanent Required
100 100 1/e(13-14) permanent Required
console#
72. VLAN Show Commands
• Example – Show ports on VLAN with tag=3:
console# show vlan tag 3
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
3 3 1/e(13-14) permanent Required
• Example – Show ports on VLAN named success:
console# show vlan name success
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
2 success 1/e(2-9,13-14) permanent Required
73. VLAN Show Commands
• Use the following EXEC mode command to show VLAN
configuration (Mode, PVID and configured VLANs) for a
specific port:
show interfaces switchport { ethernet interface | port-channel port-channel-number }
74. VLAN Show Commands
• Example – VLAN details of port 1/e14:
console# show interfaces switchport ethernet 1/e14
Port : 1/e14
Port Mode: General
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 100
Forbidden VLANS:
Port is member in:
Vlan Name                             Egress rule  Port Membership Type
---- -------------------------------- ----------- --------------------
2    success                          Tagged      Static
3    3                                Tagged      Static
100  100                              Untagged    Static

Classification rules:
Group ID  Vlan ID
--------  -------
1         4
75. Adding a Static MAC Address
• Use the following VLAN interface mode command to add a
static MAC entry to one of the ports in the VLAN:
bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]
MAC Address format:
H.H.H or H:H:H:H:H:H or H-H-H-H-H-H
• User can define whether the entry will be:
– permanent
– deleted after reset
– aged out on time out – as with dynamic entries
– Secure – entry is deleted if port mode changes to “ unlock”
(used when port is in locked mode)
76. Adding a Static MAC Address
• Note
– The MAC addresses are added per VLAN, and not per device
– The type of entry (permanent secure etc) has to be entered
before interface (if no type is mentioned default is permanent)
– You can configure an address on a port even if it does not
belong to a VLAN
• The “no” form of the command deletes a static MAC entry from the
table:
no bridge address [mac-address]
if no mac-address is specified in the command, all static entries are
erased from the table
77. Example - Static MAC Addresses
• Example – adding 3 static mac entries to VLAN 2:
– One permanent (default)
– One to be deleted on reset
– One (one a secure port) to be deleted when port is unlocked
console(config)# interface vlan 2
console(config-if)# bridge address 00:11:22:33:44:55 ethernet 1/e10
console(config-if)# bridge address 00:11:22:33:44:55 permanent ethernet 1/e8
console(config-if)# bridge address 00:99:88:77:66:55 delete-on-reset ethernet 1/e7
console(config-if)# bridge address 00:99:88:77:44:33 secure ethernet 1/e5
VLAN:2, Port:1/e5 , Mac:00:00:99:88:77:44: : Port is not Locked, can't add Secure Address
Note: the error message
78. Address Table Commands
• Use the following Global mode command to set the MAC table
aging time (10-360 seconds).
bridge aging-time seconds
• Use the “no” format of the command to return to the default
of 300 seconds:
no bridge aging-time
• Use the following EXEC mode command to remove learned
addresses from the table:
clear bridge
79. Address Table Show Commands
• Use the following Privileged EXEC mode command to show
the MAC address table of device :
show bridge address-table
• Use the following Privileged EXEC mode command to show
addresses on specific VLAN:
show bridge address-table vlan vlan [ethernet interface | port-channel port-channel-number]
• Use the following Privileged EXEC mode command to show
addresses on specific port:
show bridge address-table { ethernet interface | port-channel port-channel-number} [vlan vlan]
80. Example – Aging & Clear Bridge
• Example – Showing address table, setting aging time to 100,
and clearing bridge from dynamic entries.
console# show bridge address-table
Aging time is 300 sec
Vlan   Mac Address           Port   Type
------ --------------------- ------ --------------
2      00:10:a4:8f:ba:33     1/e8   dynamic
2      00:11:22:33:44:55     1/e8   static
2      00:99:88:77:44:33     1/e6   secure
2      00:99:88:77:66:55     1/e7   static
console#
console# con
console(config)# bridge aging-time 100
console(config)# exit
console# clear bridge
console# show bridge address-table
Aging time is 100 sec
Vlan   Mac Address           Port   Type
------ --------------------- ------ --------------
2      00:11:22:33:44:55     1/e8   static
2      00:99:88:77:44:33     1/e6   secure
2      00:99:88:77:66:55     1/e7   static
console#
81. Address Table Show Commands
• Example – show MAC address entries for a specific port:
console# show bridge address-table ethernet 1/e13
Aging time is 100 sec
Vlan Mac Address Port Type
---- ------------------- ---- ------------
3 00:10:a4:8f:ba:33 1/e13 dynamic
82. Address Table Show Commands
• Example – show MAC addresses for a VLAN:
console# show bridge address-table vlan 2
Aging time is 100 sec
Vlan Mac Address Port Type
------ --------------------- ------ --------------
2 00:11:22:33:44:55 1/e8 static
2 00:99:88:77:44:33 1/e6 secure
2 00:aa:bb:cc:dd:00 1/e9 static
console#
83. Address Table Show Commands
• Use the following Privileged EXEC mode command to show
only static MAC entries:
show bridge address-table static
• Note that this option can be used to show (as in the general
address table show command):
– All static entries on device
– Static entries on VLAN
– Static entries on a certain Interface
– Combination of specific VLAN and interface
84. Bridge (Address Table) Show Commands
• Example – show device static MAC address entries:
console# show bridge address-table static
Aging time is 100 sec
Vlan Mac Address Port Type
------ --------------------- ------ ----------
2 00:11:22:33:44:55 1/e8 permanent
2 00:99:88:77:44:33 1/e6 secure
2 00:aa:bb:cc:dd:00 1/e9 delete-on-reset
85. Address Table Show Commands
• Use the following Privileged EXEC mode command to show
number of MAC entries:
show bridge address-table count
• Note that this option can be used to show (as in the general
address table show command):
– All static entries on device
– Static entries on VLAN
– Static entries on a certain Interface
– Combination of specific VLAN and interface
86. Bridge (Address Table) Show Commands
• Example – show device MAC address count:
console# sh bridge address-table count
Gathering data.
Capacity : 8192
Free : 8189
Used :3
Secure : 1
Dynamic : 0
Static : 2
console#
87. Ghost VLAN Settings
Feature | Commands | Configuring on a non existent VLAN | Configuring on dynamic VLAN | Deletion of VLAN
Address table | bridge address, bridge multicast, bridge multicast forward-all, bridge multicast forbidden forward-all | Impossible to enter the VLAN context. | Impossible | Entry is removed.
VLAN properties | Name | Impossible to enter VLAN context. | Impossible | Entry is removed.
Port membership in VLAN | switchport access vlan, switchport trunk allowed vlan, switchport trunk native vlan, switchport general allowed vlan, switchport forbidden vlan | Not allowed (except PVID of general mode) | Not allowed | Entry is removed.
IGMP snooping | ip igmp snooping | Impossible to enter the VLAN context. | Impossible | Entry is removed.
IP addressing | ip address, ip address dhcp | Impossible to enter the VLAN context. | Impossible | Not allowed
89. Example #1
[Figure: the AT-8000S with workstation groups on ports whose PVID is 2 and 3, servers on ports with PVID 100, and the Internet router on port 24]
90. Example #1. Requirements.
• All servers are connected to the dedicated VLAN with VID#100.
• There are two workgroups in the network (correspondingly mapped to
two VLANs – VID#2 and VID#3).
• No traffic is allowed between VID#2 and VID#3.
• Traffic from VID#2 and VID#3 is allowed to server and to the Internet.
• No traffic is allowed to/from the Internet from/to the Servers.
• Workstation NICs do not support VLAN tagging.
• Servers and Internet router support VLAN tagging.
91. Example #1 - Implementation.
Port#    VLAN#              PVID#   Port Mode
1-3      2,3 tagged         100     Trunk
4-13     2, 100 untagged    2       General
14-23    3, 100 untagged    3       General
24       2,3 tagged         1       Trunk
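A reachability audit of the implementation table above against the requirements of slide 90, as an added example (not part of the training material): the port table is transcribed from the slide, and the script applies the page's own rules (untagged frames are classified to the PVID, a trunk port is a member of its native VLAN, ingress filtering is on) to compute which ports a frame entering a given port can reach. The named checks confirm the untagged-traffic requirements and also expose the two places where isolation rests on the end stations: the server ports and port 24 are both tagged members of VLANs 2 and 3, and VLAN 100 is a member on every workstation port, so a tagged VID 100 frame admitted on a general-mode workstation port would reach the other workgroup. Configuring the workstation ports in access mode (slide 41), which admits only the PVID, removes the second dependency.

```python
"""Reachability audit for the Example #1 port table (slide 91). Added example,
not part of the original training material; the port table is transcribed
from the slide, everything else here is an assumption of this script."""

# (first_port, last_port, member VLANs, PVID, mode), transcribed from slide 91
PORT_TABLE = [
    (1, 3, {2, 3}, 100, "trunk"),       # servers: 2 and 3 tagged, native 100
    (4, 13, {2, 100}, 2, "general"),    # workgroup 2: both VLANs untagged
    (14, 23, {3, 100}, 3, "general"),   # workgroup 3: both VLANs untagged
    (24, 24, {2, 3}, 1, "trunk"),       # Internet router: 2 and 3 tagged, native 1
]
ALL_PORTS = range(1, 25)


def port_config(port):
    """Return (member VLANs, PVID, mode) for a port number."""
    for lo, hi, vlans, pvid, mode in PORT_TABLE:
        if lo <= port <= hi:
            # a trunk port is a member of its native VLAN as well (slide 43)
            members = set(vlans) | ({pvid} if mode == "trunk" else set())
            return members, pvid, mode
    raise KeyError(port)


def members_of(vid):
    return {p for p in ALL_PORTS if vid in port_config(p)[0]}


def reachable(src_port, tag_vid=None):
    """Ports that receive a frame entering src_port. Untagged frames take the
    PVID (slide 24); tagged frames keep their VID and pass ingress filtering
    only if the port is a member (slide 32; filtering is on for every port here)."""
    members, pvid, _ = port_config(src_port)
    vid = pvid if tag_vid is None else tag_vid
    if vid not in members:
        return set()
    return members_of(vid) - {src_port}


def audit():
    """Named checks against the requirements of slide 90; every value is True."""
    servers, internet = set(range(1, 4)), {24}
    group2, group3 = set(range(4, 14)), set(range(14, 24))
    return {
        "workgroups isolated for untagged traffic":
            not (reachable(5) & group3) and not (reachable(15) & group2),
        "workgroups reach servers":
            servers <= reachable(5) and servers <= reachable(15),
        "workgroups reach internet":
            internet <= reachable(5) and internet <= reachable(15),
        "servers' untagged traffic never reaches port 24":
            not (reachable(1) & internet),
        "servers and port 24 share tagged VLAN 2":
            bool(reachable(1, tag_vid=2) & internet),
        "tagged VID 100 on a workstation port crosses workgroups":
            bool(reachable(5, tag_vid=100) & group3),
    }
```

Running `audit()` after any VLAN change is cheap and catches the class of mistake the troubleshooting slides later describe (a port missing from a VLAN, or present in one it should not be); the last two checks document, rather than fix, what the table leaves to the attached devices.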
94. Example #1 - CLI Cont’
console# show vlan
Vlan Name Ports Type Authorization
---- -------------------------------- --------------------------- ------------ ----------------
1 1 1/e(4-24),ch(1-7) other Required
2 2 1/e(1-13,24) permanent Required
3 3 1/e(1-3,14-24) permanent Required
100 100 1/e(1-23) permanent Required
95. Example #1 - CLI Cont’
console# show interfaces switchport ethernet 1/e3
Port : 1/e3
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 100
Port is member in:
Vlan Name Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
2 2 Tagged Static
3 3 Tagged Static
100 100 Untagged Static
……
96. Example #2.
[Figure: the AT-8000S acting as a L2 switch, connected over LAG#1 and LAG#2 to two Layer 2/3/4 switches; a Layer 2 switch aggregates the WEB server, the Windows Multimedia server and the FTP server]
97. Example #2 - Requirements.
• All servers are connected to the Layer 2 switch (Server’s
aggregator)
• There are 4 workgroups in the network (correspondingly mapped
to 4 VLANs – VID#2 through VID#5).
• No traffic is allowed among VLANs.
• AT- 8000S Device is connected through two L2 LAGs (LAG#1
and LAG#2) to the Layer 2/3/4 switches.
• All VLANs have access to Servers.
• All NICs don’t support VLAN tagging
100. Example #2 - CLI Cont’
console(config-if)# exit
console(config)# interface range ethernet 1/e17-20
console(config-if)# channel-group 1 mode on
15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e17 added to ch1
15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e18 added to ch1
15-Jun-2003 11:43:21 %TRUNK-I-PORTADDED: Port 1/e19 added to ch1
15-Jun-2003 11:43:21 %TRUNK-I-PORTADDED: Port 1/e20 added to ch1
15-Jun-2003 11:43:21 %LINK-I-Up: ch1
console(config-if)# exit
console(config)# interface range ethernet 1/e21-24
console(config-if)# channel-group 2 mode on
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e21 added to ch2
15-Jun-2003 11:44:13 %LINK-I-Up: ch2
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e22 added to ch2
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e23 added to ch2
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e24 added to ch2
104. General Switch Issues
Problems reported by customers are usually related in some way to common connectivity issues (two PCs can't communicate within the VLAN, a PC connected to the device has no access to the Internet or to the centrally located database, and so on).
The following list presents the typical connectivity problems within VLANs:
• Port connectivity issues
• Hardware issues
• Configuration issues
– Port configuration issues
– Port mode configuration issues
– Port status issues
– 802.1q
• RSTP/STP issues
• Access Control and Security issues
• LAG issues
• Management issues
105. Possible problem / Problem description / Solution
Possible problem: There is no traffic through the port within the VLAN.
Problem description: A port within the VLAN doesn't transmit data.
Solution:
1. Use the show vlan command to check whether the port belongs to the VLAN.
2. Check whether the port is configured for LAG on both sides of the LAG. If it is not configured for LAG on the other side, the RSTP/STP process may block the port on the LAG side. Use show interface switchport port-channel to check whether the port belongs to a LAG or not.
3. Use the show interfaces status command to check whether there is a mismatch in the port duplex mode configuration: the full-duplex side thinks it can send whenever it wants to, but the half-duplex side expects packets only at certain times, not at any time.
4. Use show interfaces status to check whether the port is disabled by port security. One of the action modes is "discard-shutdown"; a port security violation automatically blocks traffic through the port.
106. Possible problem / Problem description / Solution
Possible problem: There is no traffic through the port within the VLAN (cont').
Problem description: A port within the VLAN doesn't transmit data.
Solution:
5. Use the show spanning-tree ethernet command to check the spanning tree port status.
6. In RSTP mode, according to the standard, edge ports are not involved in the RSTP processes. However, if an edge port receives a BPDU (for some reason) it will participate in STP and may be blocked.
Possible problem: Port can't be assigned to a VLAN.
Problem description: The port can't be assigned to a VLAN either through the ASCII terminal (telnet) or through the EWS.
Solution:
1. Use show interfaces port-channel to check whether the port belongs to a LAG or not.
2. Use show ip interface to check whether the port is dedicated for management (for adding an untagged VLAN).
3. Use show interface switchport ethernet to check the port properties. Verify that the port is not forbidden from being a member of that VLAN.
4. A trunk port's native VLAN can't be added as a tagged VLAN to the port.
5. Use the show ports monitor command to check whether the port is a target (mirror) port.
107. Port Connectivity Troubleshooting - Hardware Problems.
• The CLI shows the port state (up or down) either via the ASCII terminal or Telnet.
• The CLI command "show interface status" displays the current status of the port.
• A link light doesn't guarantee that the cable is fully functional.
• Remove the cable from the port and re-insert it; be sure that traps are sent to the ASCII terminal or telnet terminal.
• Sometimes a cable appears to be seated in the jack but actually is not; unplug the cable and re-insert it.
• If, after all of the above, the port doesn't come up, it is recommended to check the cable with a cable tester.
• Another reason to consider is a software shutdown of the port (port security, or the ACL port-disable option in other types of devices).
108. Troubleshooting Security Problems
• Unfortunately, security problems in modern networks are very common today.
• Network managers are making big efforts to protect networks from internal and external attacks.
• According to recent research, over 70% of network intrusions are internal.
109. Troubleshooting Security Problems
• In addition to the standard list of well-known internal network intrusions, we would like to point out the following:
– changes in the running and start-up configurations:
• Port configuration
• IP interface configuration
• RSTP/STP configuration
• VLAN configuration and so on
– changing password for the ASCII terminal and telnet access
– changes in the access control and security
– uploading/downloading new software images
– uploading/downloading new system configurations
– system reload/reboot either through ASCII terminal and
CLI/Debug CLI or telnet
– erasing device configuration
– erasing software image
110. How to Troubleshoot Hacker Attacks?
• Constantly change passwords and user names.
• Periodically monitor telnet sessions.
• Secure the management port; allow management and control from dedicated PCs only.