How to configure a MAC-based VLAN on X670G2 running 15.6.2.12

I need to configure MAC-based VLANs on the G2 switch such that multiple VLANs all share the same port. I am connecting 32 individual single devices to each of 32 (P1-P32) ports on the switch, and the traffic to and from each of them must flow through a single common port "P33" on the switch. In all the traffic flows from the devices, the source and destination MAC addresses are unique. Hence, this will be 32 MAC-based VLANs, each with 2 MAC addresses in each VLAN. Putting all these ports on a common VLAN is not an option, since flooding across devices cannot occur.
I read the manuals and the blog resource pages.

I followed this guide https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-t...

And it does not work.

I also followed this excellent example:

http://extremeconcepts.blogspot.com/2009/07/mac-based-local-network-login.html

And it does not work.

When I do a show port (P1-P32) I see all my traffic arriving on the switch ports; however, nothing is ever forwarded out the common port P33. Anything on P33 in turn is never forwarded out P1-P33.


As soon as I disable netlogin mac the original default allows traffic to flow, but this is not what I want. Flooding on all ports is not an option.

Here is an example, reduced down to three ports, a few MACs, and two VLANs. The one I configure at the bottom is "test_mac2", using ports 13 and 15 and two MAC addresses, 8a:1f and 35:17.

When I do a show netlogin vlan it shows no client MACs are authenticated. Traffic is flowing at 5MBs into port 15 with a source address of 8a1f and a dest of 35:17.
show port shows the counts rolling. Nothing is forwarded. I am assuming that local authentication and a local user are sufficient and no RADIUS is required.

I also tried the following but it did not work:

* X670G2-48x-4q.13 # configure netlogin ports 13 allow egress-traffic all_cast
* X670G2-48x-4q.14 # configure netlogin ports 14 allow egress-traffic all_cast
* X670G2-48x-4q.15 # configure netlogin ports 15 allow egress-traffic all_cast
* X670G2-48x-4q.16 # show ports 13 statistics
* X670G2-48x-4q.17 # show ports 14 statistics


 X670G2-48x-4q.74 # show netlogin mac
NetLogin Authentication Mode : web-based DISABLED;  802.1x DISABLED;  mac-based ENABLED
NetLogin VLAN                : "test_mac2"
NetLogin move-fail-action    : Deny
NetLogin Client Aging Time   : 5 minutes
Dynamic VLAN Creation        : Disabled
Dynamic VLAN Uplink Ports    : None

------------------------------------------------
          MAC Mode Global Configuration
------------------------------------------------

MAC Address/Mask      Password (encrypted)            Port(s)
--------------------  ------------------------------  ------------------------
00:17:10:0C:8A:1F/48  <not configured>                13, 15                   
00:17:10:0C:8A:2F/48  <not configured>                13-14                    
00:17:10:12:35:17/48  <not configured>                any
00:17:10:12:35:18/48  <not configured>                13-14                    
00:17:10:12:35:76/48  <not configured>                any
00:17:10:12:35:79/48  <not configured>                any
00:17:10:12:8A:1F/48  <not configured>                13, 15


* X670G2-48x-4q.76 # show netlogin vlan test_mac2
Number of Clients Authenticated  : 0
* X670G2-48x-4q.77 # 


        20  configure netlogin vlan test_mac2
        21  enable netlogin mac
        22  configure netlogin mac authentication database-order local
        23  configure netlogin add mac-list 00:17:10:0c:8a:1f port 15
        24  configure netlogin add mac-list 00:17:10:12:35:17 port 15
        25  configure netlogin add mac-list 00:17:10:12:35:17 port 13,15
        26  configure netlogin add mac-list 00:17:10:0c:8a:1f port 13,15
        27  configure netlogin add mac-list 00:17:10:12:35:17 port 13,15
        28  enable netlogin ports 13,15
        29  enable netlogin ports 13,15 mac
        30  configure netlogin ports 13,15 mode port-based-vlans 
        31  create netlogin local-user 0017100c8a1f vlan-vsa test_mac2
        32  history
        33  create netlogin local-user 001710123517 vlan-vsa test_mac2 
        34  create netlogin local-user 0017100c8a1f vlan-vsa test_mac2
        35  show netlogin mac


show port 15 stat

Port Statistics                                      Fri Mar 24 00:30:45 2017
Port      Link     Tx Pkt       Tx Byte       Rx Pkt       Rx Byte Rx Pkt Rx Pkt
          State    Count        Count         Count        Count    Bcast  Mcast
================================================================================
15        A       7696022   2630778938     38179081   9149666765        0   179897


================================================================================
          > indicates Port Display Name truncated past 8 characters
          Link State: A-Active, R-Ready, NP-Port Not Present L-Loopback



The following counts are frozen and only run if I disable netlogin mac.

 X670G2-48x-4q.79 # show port 13 stat
Port Statistics                                      Fri Mar 24 00:33:15 2017
Port      Link     Tx Pkt       Tx Byte       Rx Pkt       Rx Byte Rx Pkt Rx Pkt
          State    Count        Count         Count        Count    Bcast  Mcast
================================================================================
13        A      16378096   4711644410        15813      2849038        6      670
glenn bronson
Prashanth KG, Employee
Hi Glenn,

If the clients are not authenticated, the data traffic will not flow through the ports. This is expected behaviour.
Let us focus on getting the clients authenticated with the local database.

EXOS uses the MAC address in block letters as the user name and password for client authentication.

So, this command needs a change:

create netlogin local-user 0017100c8a1f vlan-vsa test_mac2

Example:

create netlogin local-user 0050B60193ED 0050B60193ED

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-the-local-database
The above link will guide you through all the steps for the netlogin.

Once the clients are in authenticated state, check and let us know if that meets your requirement.

Hope this helps!
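As an added example (not from this thread, from Extreme's documentation, or from the switch itself), the Python script below does the bookkeeping that both the original question (32 devices, each MAC tied to its own access port) and the reply above call for: it normalizes every MAC into the upper-case, separator-free form EXOS matches as the local-user name and password, emits the mac-list and local-user commands for a list of (MAC, port) pairs, and scans `history` output for local-user lines that cannot authenticate a MAC-mode client. The command forms are the ones that appear in this thread; combining the password and the `vlan-vsa` clause on one `create netlogin local-user` line is an assumption to check against the EXOS command reference for 15.6, as is reusing the thread's `port-based-vlans` mode for the full 32-VLAN layout. The history lines in the block are the ones posted in this thread, listed here as sample input.

```python
import re

# Twelve hex digits with no separators: the form EXOS uses for a MAC-mode
# netlogin local-user name and, as the reply above notes, for the password.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

# Option keywords that may follow the user name in `create netlogin local-user`.
# If one of them sits where the password should be, no password was given.
OPTION_KEYWORDS = {"vlan-vsa", "security-profile"}

# `history` lines posted in the thread, used here as sample input.
THREAD_HISTORY = [
    "        31  create netlogin local-user 0017100c8a1f vlan-vsa test_mac2",
    "        33  create netlogin local-user 001710123517 vlan-vsa test_mac2",
    "        84  create netlogin local-user 0017100C8A1F vlan-vsa test_mac2",
    "        85  create netlogin local-user 001710123517 001710123517",
]

LOCAL_USER_RE = re.compile(
    r"^\s*(?:\d+\s+)?create netlogin local-user\s+(\S+)(?:\s+(\S+))?"
)


def exos_username(mac: str) -> str:
    """Normalize '00:17:10:0c:8a:1f', '00-17-10-0c-8a-1f' or '0017.100c.8a1f'
    to the upper-case, separator-free form the local database is matched against."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def colon_form(mac: str) -> str:
    """Lower-case colon form, as used in the thread's `configure netlogin add mac-list`."""
    digits = exos_username(mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def netlogin_commands(vlan: str, clients: list[tuple[str, int]]) -> list[str]:
    """Emit the EXOS commands for one MAC-mode netlogin VLAN backed by the local
    database: a mac-list entry per (MAC, port) and a local-user whose name and
    password are both the upper-case MAC. Putting the password and the vlan-vsa
    clause on one line combines the two forms shown in the thread (assumption)."""
    cmds = [
        f"configure netlogin vlan {vlan}",
        "enable netlogin mac",
        "configure netlogin mac authentication database-order local",
    ]
    for mac, port in clients:
        cmds.append(f"configure netlogin add mac-list {colon_form(mac)} port {port}")
    for mac, _ in clients:
        user = exos_username(mac)
        cmds.append(f"create netlogin local-user {user} {user} vlan-vsa {vlan}")
    ports = ",".join(str(p) for p in sorted({p for _, p in clients}))
    cmds.append(f"enable netlogin ports {ports} mac")
    # Mode taken from the thread's configuration; re-check it for the 32-VLAN layout.
    cmds.append(f"configure netlogin ports {ports} mode port-based-vlans")
    return cmds


def check_local_users(history_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Report local-user definitions that cannot match a MAC-mode client:
    names that are not a MAC, lower-case names, a missing password, or a
    password that differs from the name. Returns (stripped line, problems)."""
    findings = []
    for line in history_lines:
        m = LOCAL_USER_RE.match(line)
        if not m:
            continue
        name, second = m.group(1), m.group(2)
        problems = []
        if not MAC_RE.match(name):
            problems.append("user name is not a 12-digit MAC")
        elif name != name.upper():
            problems.append("user name must be upper-case hex")
        if second == "encrypted":
            pass  # an encrypted password cannot be compared with the name here
        elif second is None or second in OPTION_KEYWORDS:
            problems.append("no password given; MAC mode sends the MAC as password")
        elif second.upper() != name.upper():
            problems.append("password differs from user name")
        if problems:
            findings.append((line.strip(), problems))
    return findings


if __name__ == "__main__":
    # Constructed input: the thread's two test MACs on their access ports.
    for cmd in netlogin_commands("test_mac2", [("00:17:10:0c:8a:1f", 15),
                                               ("00:17:10:12:35:17", 13)]):
        print(cmd)
    for line, problems in check_local_users(THREAD_HISTORY):
        print(f"{line}\n    -> {'; '.join(problems)}")
```

Run against the thread's own history, the checker flags line 31 twice (lower-case name, no password), lines 33 and 84 once (no password), and passes line 85, which is the one form the reply above gives as correct. Extending `clients` to 32 (MAC, port) pairs produces the full command set for the star layout in one pass, so every local-user name is guaranteed to be in the form the switch compares against.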
glenn bronson
Hi. Thanks for such a quick response!

I agree with the auth being the #1 issue to get past. I already used that part of the guide you mention above, as indicated, but with lower case. That said, I did remove the local user and run the commands in all upper case on the second MAC address, and there is no change.

        84  create netlogin local-user 0017100C8A1F vlan-vsa test_mac2
        85  create netlogin local-user 001710123517 001710123517
        86  show netlogin mac
        87  show port 13 status
        88  show port 13
        89  show port 13 statistics
        90  show port 15 statistics


I might clear out all the config on the switch and try over again.

There are no other settings besides what was in that guide link... I don't have to (re)set egress unicast or multicast, or port address learning... or anything else?

What bothers me the most is the fact that when I do this I do *not* see ports 13 and 15 listed on VLAN test_mac2, but still on Default. And I see nothing in show fdb for them. See below:

* X670G2-48x-4q.101 # show netlogin
NetLogin Authentication Mode : web-based DISABLED;  802.1x DISABLED;  mac-based ENABLED
NetLogin VLAN                : "test_mac2"
NetLogin move-fail-action    : Deny
NetLogin Client Aging Time   : 5 minutes
Dynamic VLAN Creation        : Disabled
Dynamic VLAN Uplink Ports    : None
------------------------------------------------
        Web-based Mode Global Configuration
------------------------------------------------
Base-URL                 : network-access.com
Default-Redirect-Page    : ENABLED; http://www.extremenetworks.com
Logout-privilege         : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database  : Radius, Local-User database
Proxy Ports              : 80(http),443(https)
------------------------------------------------
------------------------------------------------
        802.1x Mode Global Configuration
------------------------------------------------
Quiet Period   : 60
Supplicant Response Timeout : 30
Re-authentication period : 3600
Max Re-authentications  : 3
RADIUS server timeout  : 30
EAPOL MPDU version to transmit : v1
Authentication Database  : Radius
------------------------------------------------
------------------------------------------------
          MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask      Password (encrypted)            Port(s)
--------------------  ------------------------------  ------------------------
00:17:10:0C:8A:1F/48  <not configured>                13, 15                  
00:17:10:0C:8A:2F/48  <not configured>                13-14                   
00:17:10:12:35:17/48  <not configured>                13, 15                  
00:17:10:12:35:18/48  <not configured>                13-14                   
00:17:10:12:35:76/48  <not configured>                any
00:17:10:12:35:79/48  <not configured>                any
00:17:10:12:8A:1F/48  <not configured>                13, 15
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database  : Local-User database
------------------------------------------------
Port: 13,  Vlan: Default,  State: Enabled,  Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC                IP address       Authenticated     Type    ReAuth-Timer   User         
00:17:10:12:35:17  0.0.0.0          No                MAC     0             
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port: 14,  Vlan: Default,  State: Enabled,  Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC                IP address       Authenticated     Type    ReAuth-Timer   User         
00:17:10:0c:8a:2f  0.0.0.0          No                MAC     0             
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port: 15,  Vlan: Default,  State: Enabled,  Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC                IP address       Authenticated     Type    ReAuth-Timer   User         
00:17:10:0c:8a:1f  0.0.0.0          No                MAC     0             
-----------------------------------------------
(B) - Client entry Blackholed in FDB


And here for the FDB:


* X670G2-48x-4q.101 # show fdb
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
        x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
        b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
        D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC,
        S - Software Controlled Deletion, r - MSRP,
        R - TRILL Rbridge, Z - OpenFlow
Total: 0 Static: 0  Perm: 0  Dyn: 0  Dropped: 0  Locked: 0  Locked with Timeout: 0
FDB Aging time: 300
* X670G2-48x-4q.102 #
Grosjean, Stephane, Employee
Hi,

If the plan is to have all clients unable to see each other and only use a defined port for communication, on a single switch, might Port Isolation be a better option?

You would add all the ports to the same vlan and use Port Isolation so that they do not see one another, and only the uplink port would be allowed.
glenn bronson
Hi,

I think what you are referring to would be pairs of 2 within the same VLAN? I am going in a star config, to and from many (P1-P32) to one (P33), but that said, I am going to take a look at your suggestion and see if it can isolate multiple port pairs with a single overlapping/common port in each pair. If that is doable, then that might solve my problem.