Port-Specific VLAN Tag

The Port-specific VLAN (Virtual LAN) feature adds a layer of specificity between the port tag and the VLAN/VMAN tag: a port-specific VLAN tag. This feature adds the following functionality to the existing VLAN:
  • Ability to associate a tag to a VLAN port. This tag is used as a filter to accept frames with matching VID. It is also used as the tag of the outgoing frames.
  • Ability to add multiple VLAN ports on the same physical port as long as those VLAN ports are associated with different tags.
  • Allows the existing untagged and tagged VLAN ports to be part of the VLAN.
  • Ability to learn MAC addresses on port, tag and VLAN instead of only on the port.
  • As a consequence of the previous point, ability to add a static MAC address to port, tag and VLAN.
  • Ability to specify limit-learning and MAC lockdown on a port, tag and VLAN, instead of only on the port.
  • Rate limiting and counting of frames with matching VIDs is supported with the existing ACL (Access Control List).

The Port-specific VLAN tag allows tagged VLAN ports to be configured with tag values. When the tag is not configured, it is implicit that the tag of the tagged port is the tag of the VLAN. We call the tag of the port the "port tag", and the tag of the VLAN the "base tag". The port tag is used to determine the eligibility of the frames allowed to be part of the VLAN. Once the frame is admitted to the VLAN port, the base tag is used. From a functional standpoint, the frame tag is rewritten to the base tag.

The base tag then is translated to the port tag for the outgoing frame.
Note

The port tag is equal to the base tag when the port tag is not specified, so the current VLAN behavior is preserved.

Untagged VLAN ports also have an implicit port tag, which is always equal to the base tag. Outgoing frames are untagged. There can be only one untagged VLAN port on a physical port. It receives untagged frames and tagged frames, and transmits only untagged frames.

A tagged VLAN port can have a port tag configured, or not. When not configured, the port tag is equal to the base tag. There can be more than one tagged VLAN port on a physical port. It receives tagged frames whose tag equals the port tag, and transmits tagged frames with the port tag.

When the VLAN is assigned to an L2VPN, the base tag is the tag that is carried by the pseudo-wire when the dot1q include is enabled. In effect, the VPLS PW port tag is equal to the base tag. To assign a VLAN with a port-specific tag to an L2VPN, use the existing configure vpls vpls_name add service vlan vlan_name command.

Since every tagged VLAN port has a different VID, forwarding between them on the same physical port (hairpin switching) is possible. From the external traffic point of view, the frame tags are rewritten from the receive port tag to the transmit port tag. Since each port tag is a different VLAN port, a frame that has to be broadcast to multiple VLAN ports is sent out multiple times with different tags when the VLAN ports are on the same physical port. Each port + port tag is an individual VLAN port.

MAC addresses are learned on the VLAN port. This means that the port in the FDB (forwarding database) entry is the port + port tag. A unicast frame destined to a MAC address that is in the FDB is sent out of the associated VLAN port. As mentioned earlier, there is only one MAC address learned on the VLAN. If the MAC address is learned on a different port or a different tag, it is a MAC move. It is transmitted out of the physical port only on the associated VLAN port, tagged with the port tag when the VLAN port is tagged.

When there are multiple tagged VLAN ports on the transmit port, only one frame with the right tag is transmitted. It is transmitted untagged on an untagged VLAN port. Accordingly, the static MAC address is configured on a VLAN port. This means that the port tag is specified when the tag is not equal to the base tag. The command to flush the FDB does not need to change. However, a VLAN port-specific flush needs to be implemented to handle the case when a VLAN port is deleted. This flush is internal and not available through the CLI.
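
The admission, learning and egress tag behavior described above can be traced with a small model. This is an added example, not ExtremeXOS code: the Vlan class, sample_vlan, the port numbers, tag values and MAC strings are all constructed for illustration, and tagged frames arriving on an untagged VLAN port are not modelled.

```python
# Added illustration: toy model of port-specific VLAN tag forwarding.
# Port numbers, tags and MAC strings are constructed sample values.

class Vlan:
    def __init__(self, base_tag):
        self.base_tag = base_tag
        self.ports = set()  # VLAN ports as (physical port, port tag); tag None = untagged
        self.fdb = {}       # MAC -> VLAN port (port + port tag) it was learned on

    def add_port(self, port, tagged=True, port_tag=None):
        # An unspecified port tag defaults to the base tag. The set keeps
        # (port, tag) pairs unique, so tags on one physical port must differ
        # and there is at most one untagged VLAN port per physical port.
        self.ports.add((port, (port_tag or self.base_tag) if tagged else None))

    def receive(self, port, vid, src, dst):
        """Return the (port, tag) copies transmitted; tag None means untagged."""
        ingress = (port, vid)
        if ingress not in self.ports:
            return []                # VID matches no port tag here: not admitted
        self.fdb[src] = ingress      # learn on port + tag; a new location is a MAC move
        # Inside the VLAN the frame carries base_tag; each copy leaves with
        # the egress VLAN port's own tag.
        if dst in self.fdb:          # known unicast: exactly one VLAN port
            return [self.fdb[dst]] if self.fdb[dst] != ingress else []
        flood = self.ports - {ingress}
        return sorted(flood, key=lambda vp: (vp[0], vp[1] or 0))


def sample_vlan():
    v = Vlan(base_tag=100)
    v.add_port(1, port_tag=10)   # two tagged VLAN ports on physical port 1
    v.add_port(1, port_tag=20)
    v.add_port(2)                # tagged, no port tag: uses base tag 100
    v.add_port(3, tagged=False)  # untagged VLAN port
    return v


if __name__ == "__main__":
    v = sample_vlan()
    print(v.receive(1, 10, "aa", "bb"))   # unknown destination: flooded
    print(v.receive(1, 20, "bb", "aa"))   # hairpin: in with tag 20, out with tag 10
    print(v.receive(1, 30, "cc", "aa"))   # tag 30 is not configured on port 1
    print(v.receive(2, 100, "aa", "bb"))  # "aa" moved to port 2; "bb" is on (1, 20)
```

The flooded frame in the first call leaves physical port 1 again with tag 20, which is the multiple-copies-per-physical-port case, and the last call shows the FDB entry for "aa" moving to a different port + tag.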

Per VLAN port (port + tag) rate limiting and accounting is achieved with the existing ACL. Use the match condition vlan-id to match the port VID. You can use the actions count and byte-count for accounting, and show access-list counter to view the counters. The action meter can be used for rate limiting. To create a meter, use the create meter command, and configure the committed rate and maximum burst size.

Supported Platforms

Port-Specific VLAN Tag is supported on the following platforms:
  • Summit X460-G2 (supported from ExtremeXOS 15.6)
  • Summit X670-G2 (supported from ExtremeXOS 15.6)
  • Summit X770
  • ExtremeSwitching X870
  • ExtremeSwitching X690