
How to configure a mac based VLAN on X670G2 Running 15.6.2.12


I need to configure MAC-based VLANs on the G2 switch such that multiple VLANs all share the same port. I am connecting 32 individual devices, one to each of 32 ports (P1-P32) on the switch, and the traffic to and from each of them must flow through a single common port, "P33", on the switch. All the traffic flows from the devices have unique source and destination MAC addresses. Hence, this will be 32 MAC-based VLANs, each with 2 MAC addresses. Putting all these ports on a common VLAN is not an option, since flooding across devices cannot occur.
I read the manuals and the blog resource pages.

I followed this guide https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-t...

And it does not work.

I also followed this excellent example:

http://extremeconcepts.blogspot.com/2009/07/mac-based-local-network-login.html

And it does not work.

When I do a show port (P1-P32) I see all my traffic arriving on the switch ports; however, nothing is ever forwarded out the common port P33. Anything on P33 in turn is never forwarded out P1-P33.

As soon as I disable netlogin mac, the original default allows traffic to flow, but this is not what I want. Flooding on all ports is not an option.

Here is an example, reducing it down to three ports, a few MACs, and two VLANs. The one I configure at the bottom is "test_mac2", using ports 13 and 15 and two MAC addresses, 8a:1f and 35:17.

When I do a show netlogin vlan it shows no client MACs are authenticated. Traffic is flowing at 5MBs into port 15 with a source address of 8a:1f and a dest of 35:17; show port shows the counts rolling. Nothing is forwarded. I am assuming that local authentication and a local user are sufficient and no RADIUS is required.

I also tried the following but it did not work:

* X670G2-48x-4q.13 # configure netlogin ports 13 allow egress-traffic all_cast
* X670G2-48x-4q.14 # configure netlogin ports 14 allow egress-traffic all_cast
* X670G2-48x-4q.15 # configure netlogin ports 15 allow egress-traffic all_cast
* X670G2-48x-4q.16 # show ports 13 statistics
* X670G2-48x-4q.17 # show ports 14 statistics


X670G2-48x-4q.74 # show netlogin mac
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "test_mac2"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None

------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------

MAC Address/Mask     Password (encrypted)           Port(s)
-------------------- ------------------------------ ------------------------
00:17:10:0C:8A:1F/48                                13, 15
00:17:10:0C:8A:2F/48                                13-14
00:17:10:12:35:17/48                                any
00:17:10:12:35:18/48                                13-14
00:17:10:12:35:76/48                                any
00:17:10:12:35:79/48                                any
00:17:10:12:8A:1F/48                                13, 15

* X670G2-48x-4q.76 # show netlogin vlan test_mac2
Number of Clients Authenticated : 0
* X670G2-48x-4q.77 #

20 configure netlogin vlan test_mac2
21 enable netlogin mac
22 configure netlogin mac authentication database-order local
23 configure netlogin add mac-list 00:17:10:0c:8a:1f port 15
24 configure netlogin add mac-list 00:17:10:12:35:17 port 15
25 configure netlogin add mac-list 00:17:10:12:35:17 port 13,15
26 configure netlogin add mac-list 00:17:10:0c:8a:1f port 13,15
27 configure netlogin add mac-list 00:17:10:12:35:17 port 13,15
28 enable netlogin ports 13,15
29 enable netlogin ports 13,15 mac
30 configure netlogin ports 13,15 mode port-based-vlans
31 create netlogin local-user 0017100c8a1f vlan-vsa test_mac2
32 history
33 create netlogin local-user 001710123517 vlan-vsa test_mac2
34 create netlogin local-user 0017100c8a1f vlan-vsa test_mac2
35 show netlogin mac

show port 15 stat

Port Statistics                                        Fri Mar 24 00:30:45 2017
Port      Link   Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt   Rx Pkt
          State  Count      Count        Count      Count        Bcast    Mcast
================================================================================
15        A      7696022    2630778938   38179081   9149666765   0        179897

================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present L-Loopback

0->Clear Counters U->page up D->page down ESC->exit

The following counts are frozen and only run if I disable netlogin mac.

X670G2-48x-4q.79 # show port 13 stat

Port Statistics                                        Fri Mar 24 00:33:15 2017
Port      Link   Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt   Rx Pkt
          State  Count      Count        Count      Count        Bcast    Mcast
================================================================================
13        A      16378096   4711644410   15813      2849038      6        670


Hi Glenn,

If the clients are not authenticated, the data traffic will not flow through the ports. This is expected behaviour.
Let us focus on getting the clients authenticated with the local database.

EXOS uses the MAC address in block (upper-case) letters as user name and password for the client authentication.

So, this command needs a change:
create netlogin local-user 0017100c8a1f vlan-vsa test_mac2
Example:

create netlogin local-user 0050B60193ED 0050B60193ED

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-the-local-database

The above link will guide you through all the steps for the netlogin.

Once the clients are in authenticated state, check and let us know if that meets your requirement.

Hope this helps!
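A small check for the mismatch described above, added here as an example and not code from the thread or from Extreme: it parses the MAC-list section of `show netlogin mac` and the `create netlogin local-user` lines from the CLI history, and reports each MAC whose local user does not use the upper-case 12-digit MAC as both user name and password. The sample input is constructed from the values in this thread; the only option keyword it knows about is `vlan-vsa`, the one used here.

```python
import re

# Constructed sample input modelled on the thread (not captured from a switch).
SHOW_NETLOGIN_MAC = """\
MAC Address/Mask     Password (encrypted)           Port(s)
-------------------- ------------------------------ ------------------------
00:17:10:0C:8A:1F/48                                13, 15
00:17:10:12:35:17/48                                13, 15
"""
LOCAL_USER_HISTORY = """\
create netlogin local-user 0017100c8a1f vlan-vsa test_mac2
create netlogin local-user 001710123517 001710123517
"""
MAC_LINE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})/\d+", re.M)
USER_LINE = re.compile(r"^create netlogin local-user (\S+)(?:\s+(\S+))?", re.M)
# Keywords that may follow the user name instead of a password (only the one used here).
OPTION_KEYWORDS = {"vlan-vsa"}

def canonical(mac):
    """12 upper-case hex digits: the form EXOS expects as user name and password."""
    return re.sub(r"[:.\-]", "", mac).upper()

def parse_mac_list(text):
    return [canonical(m) for m in MAC_LINE.findall(text)]

def parse_local_users(text):
    """Map each user name to its clear-text password (None when none was given)."""
    users = {}
    for name, nxt in USER_LINE.findall(text):
        users[name] = None if not nxt or nxt in OPTION_KEYWORDS else nxt
    return users

def audit(mac_list_text, history_text):
    """For each mac-list entry, list why local-database authentication would fail."""
    users = parse_local_users(history_text)
    by_canonical = {canonical(n): n for n in users}
    report = {}
    for mac in parse_mac_list(mac_list_text):
        problems = []
        name = by_canonical.get(mac)
        if name is None:
            problems.append("no local-user for this MAC")
        else:
            if name != mac:
                problems.append(f"user name {name!r} is not upper-case {mac}")
            if users[name] != mac:
                problems.append("password missing or not equal to the MAC")
        report[mac] = problems
    return report
```

Run against the thread's two entries, `audit()` flags the first MAC (lower-case user name, no password) and passes the second, which is the difference between the two `create netlogin local-user` lines in the history.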
In reply to Prashanth KG:

Hi. Thanks for such a quick response!

I agree with the auth being the #1 issue to get past. I had already used that part of the guide you mention, as indicated above, but in lower case; that said, I did remove the local user and run the commands in all upper case for the second MAC address, and there is no change.

84 create netlogin local-user 0017100C8A1F vlan-vsa test_mac2
85 create netlogin local-user 001710123517 001710123517
86 show netlogin mac
87 show port 13 status
88 show port 13
89 show port 13 statistics
90 show port 15 statistics

I might clear out all the config on the switch and try over again.

Are there no other settings besides what was in that guide link? I don't have to (re)set egress unicast or multicast, or port address learning, or anything else?

What bothers me the most is the fact that when I do this I do *not* see ports 13 and 15 listed on VLAN test_mac2, but still on Default. And I see nothing in show fdb for them. See below:

* X670G2-48x-4q.101 # show netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "test_mac2"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
Web-based Mode Global Configuration
------------------------------------------------
Base-URL : network-access.com
Default-Redirect-Page : ENABLED; http://www.extremenetworks.com
Logout-privilege : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database : Radius, Local-User database
Proxy Ports : 80(http),443(https)
------------------------------------------------
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
EAPOL MPDU version to transmit : v1
Authentication Database : Radius
------------------------------------------------
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask     Password (encrypted)           Port(s)
-------------------- ------------------------------ ------------------------
00:17:10:0C:8A:1F/48                                13, 15
00:17:10:0C:8A:2F/48                                13-14
00:17:10:12:35:17/48                                13, 15
00:17:10:12:35:18/48                                13-14
00:17:10:12:35:76/48                                any
00:17:10:12:35:79/48                                any
00:17:10:12:8A:1F/48                                13, 15
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Local-User database
------------------------------------------------
Port: 13, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan : Disabled
Authentication Failure Vlan : Disabled
Authentication Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:17:10:12:35:17 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port: 14, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan : Disabled
Authentication Failure Vlan : Disabled
Authentication Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:17:10:0c:8a:2f 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port: 15, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan : Disabled
Authentication Failure Vlan : Disabled
Authentication Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:17:10:0c:8a:1f 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

And here for the FDB:

* X670G2-48x-4q.101 # show fdb
Mac Vlan Age Flags Port / Virtual Port List
------------------------------------------------------------------------------
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC,
S - Software Controlled Deletion, r - MSRP,
R - TRILL Rbridge, Z - OpenFlow
Total: 0 Static: 0 Perm: 0 Dyn: 0 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
* X670G2-48x-4q.102 #
Hi,

If the plan is to have all clients unable to see each other and only use a defined port for communication, on a single switch, Port Isolation may be a better option?

You would add all the ports to the same VLAN and use Port Isolation so that they do not see one another, and only the uplink port would be allowed.
In reply to Grosjean, Stephane:

Hi,

I think what you are referring to would be pairs of 2 within the same VLAN? I am going in a star config, to and from many (P1-P32) to one (P33), but that said I am going to take a look at your suggestion and see if it can isolate multiple port pairs with a single overlapping/common port in each pair. If that is doable then that might solve my problem.
