Why do I get different output from the show vlan and the show config commands?

  • Question
  • Updated 2 years ago
  • Answered
I'm trying to get a hold of my new system and coming from a Cisco background it can be kind of difficult at times. This is especially true considering the differences in the way VLANs are handled between Extreme/Enterasys and Cisco. The following is from an Enterasys S4.

I'm trying to piece together where exactly certain VLANs are used or not used and I've noticed an inconsistency. Using the show vlan command I get an output as such:


VLAN : 27 Status : Enabled
FID : 27 Name : 27net
VLAN Type: Permanent Last Change: 2015-07-21 08:02:53
Egress Ports:
lag.0.1;host.0.1
Forbidden Egress Ports:
ge.2.38
Untagged Ports:
None.


Seems pretty useful. However, when compared to the show config vlan command, the egress I get for vlan 27 is as follows:


set vlan egress 27 lag.0.1-2 tagged


Notice that the egress ports are listed differently. Lag.0.2 does not show up in the sh vlan output, and host.0.1 does not show up in the show config vlan output. This is a fairly simple example; other VLANs that span many ports have many more inconsistencies across physical port types (ge.x.x, fe.x.x, etc.).

Why is this? What information is correct? If the switch reboots will it reload the configuration, assigning different ports to vlans and break the network?

Terren Crider


Posted 2 years ago


Daniel Coughlin, Employee

I would need some more info to really answer this. The answer can get a little involved depending on spanning tree states, Multiauth configuration, policy, etc. Here are some general things that will help you out when working with EOS. Show configuration only shows non-default configuration. Another thing is that ingress and egress are handled separately. We can also use policy to manipulate VLAN and port relationships.
Port status has an effect on the display of show vlan. If a port is not forwarding, it will not show up in the display. The show vlan static command will show every port that is configured for that VLAN. Another useful command is show port operstatuscause, which shows port state and why it is in that state. The command show vlan portinfo is another useful tool to help you sort things out.

Good luck, and if you get stuck, reach out.

Terren Crider

Alright, that sheds some more light on what's going on.

S4 Upper(su)->show vlan static 27
VLAN : 27 Status : Enabled
FID : 27 Name : 27net
VLAN Type: Permanent Last Change: 2015-07-21 08:02:53
Egress Ports:
lag.0.1-2
Forbidden Egress Ports:
ge.2.38
Untagged Ports:
None.
S4 Upper(su)->show vlan 27
VLAN : 27 Status : Enabled
FID : 27 Name : 27net
VLAN Type: Permanent Last Change: 2015-07-21 08:02:53
Egress Ports:
lag.0.1;host.0.1
Forbidden Egress Ports:
ge.2.38
Untagged Ports:
None.

So, based on what you've told me and what I see here vlan 27 is not active on lag.0.2 or vice versa? Which could mean there's no active interface on vlan 27 associated with the lag.0.2 port, or that lag.0.2 is down?

And one last thing. vlan 27 is on the forbidden egress list on ge.2.38. Port ge.2.38 is the only port on the switch with a forbidden egress list configured. The documentation says that putting a vlan on a port's forbidden egress list stops that port from participating in those vlans when dynamic requests are sent. Is there any reason to configure a forbidden egress list if there are no dynamic vlan requests? From my understanding, a port will only pass vlan traffic if it is untagged/belongs to its PVID, or if the vlan tag is defined in an egress list, correct?

Mike D, Alum

"Which could mean there's no active interface on vlan 27 associated with the lag.0.2 port, or that lag.0.2 is down"

If lag two is up, you will see an entry in 'show vlan'. Since there is none, we can assume lag.0.2 is down or STP blocked. (Can't think of any other cases, but there may be some.)

The "show vlan" command has entries for ports that are actively egressing a VLAN. You will find it a very handy command.



* Policy action can result in VLAN egress where no obvious port/VLAN config exists.
* Dynamic egress action can send VLAN traffic even if the port is not configured to egress that VLAN. (Dynamic egress: if a tagged packet enters the port, that tag is added to the VLAN egress for the FDB timer interval.)
* GVRP/MVRP action can result in VLAN egress on a port not specifically configured to egress.

Each of these cases would result in an entry in the 'show vlan' table output, but the relationship would not be evident in the 'show vlan static' table output.

'forbidden' can be used to tune the dynamic environments noted above.

As an aside, we sometimes see 'forbidden' config result from customers working to fix data loops.

Regards,
Mike
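An added example, not part of the original thread and not Extreme's own tooling: this Python script diffs the configured egress list (show vlan static) against the actively egressing list (show vlan) for one VLAN, using the VLAN 27 output quoted above as constructed input. The function names and the port-string grammar (';'-separated, each field a number or an N-M range) are assumptions.

```python
import re
# Constructed sample: the VLAN 27 output quoted in this thread; only the egress line differs.
TEMPLATE = """\
VLAN : 27 Status : Enabled
FID : 27 Name : 27net
VLAN Type: Permanent Last Change: 2015-07-21 08:02:53
Egress Ports:
{egress}
Forbidden Egress Ports:
ge.2.38
Untagged Ports:
None.
"""
SHOW_VLAN_STATIC = TEMPLATE.format(egress="lag.0.1-2")    # show vlan static 27
SHOW_VLAN = TEMPLATE.format(egress="lag.0.1;host.0.1")    # show vlan 27

# Assumption: port strings are ';'-separated, each field a number or an N-M range.
PORT = re.compile(r"^[a-z]+(\.\d+(-\d+)?)+$")

def expand_ports(spec):
    """Expand 'lag.0.1-2' or 'ge.1-2.2;lag.0.1' into individual port names."""
    ports = set()
    for item in filter(PORT.match, (p.strip() for p in spec.split(";"))):
        kind, *fields = item.split(".")
        names = [kind]
        for field in fields:
            lo, _, hi = field.partition("-")
            names = [f"{n}.{v}" for n in names for v in range(int(lo), int(hi or lo) + 1)]
        ports.update(names)
    return ports

def parse_sections(output):
    """Map each '... Ports:' heading to the set of ports listed under it."""
    sections, current = {}, None
    for text in (line.strip() for line in output.splitlines()):
        if text.endswith("Ports:"):
            current = text[:-1]
            sections[current] = set()
        elif current:
            sections[current] |= expand_ports(text)   # 'None.' and non-port lines add nothing
    return sections

def compare(static_out, active_out):
    """Diff configured egress (show vlan static) against active egress (show vlan)."""
    static, active = parse_sections(static_out), parse_sections(active_out)
    cfg, act = static["Egress Ports"], active["Egress Ports"]
    return {"configured_not_egressing": sorted(cfg - act),
            "egressing_without_static_config": sorted(act - cfg),
            "egressing_but_forbidden": sorted(act & static["Forbidden Egress Ports"])}
```

Calling compare(SHOW_VLAN_STATIC, SHOW_VLAN) lists lag.0.2 as configured but not egressing and host.0.1 as egressing without a static entry, which are the two differences raised in the question.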

Jason Parker, Employee

Let's look at a few of these.
set vlan egress 27 lag.0.1-2 tagged

This one is VLAN 27 with tagged packets going out lag.0.1 and lag.0.2, but what is missing are a few commands, such as the ports of the LAG, that I believe should be there. This is not a bug; it just looks like someone took a shortcut.
You could run the command
show lag.0.1
and this would list the ports of lag.0.1. Then I would run the commands
set vlan egress 27 ge.1.2 tagged
set vlan egress 27 ge.2.2 tagged

Once this is done, you could run the next command to confirm that the ports of the LAG and the LAG all have VLAN 27 tagged on the egress:
show vlan portinfo port ge.1-2.2;lag.0.1
To see if the LAG is up and running:
show lacp lag.0.1
The important thing to remember is that if only one link is up from the start (unless static LAGs are configured), then the LAG will not form, so I would recommend setting the command
set lacp singleportlag enabled
as this will allow the single-port LAG to form.