In an industry that’s already defined, Extreme Network’s recent announcement of The Automated Campus is a significant advance in networking. For the first time, all the essential technologies, products, procedures and support are gathered together and integrated. All too often, the piecemeal/piecewise growth strategy typically historically applied in organizational network evolution results in too many tools, procedures, and techniques at work, precluding fast responsiveness, optimal operations staff productivity, and the degree of accuracy and efficiency required to keep end-users productive as well. The most important opportunity today is in boosting both productivity of end-users and network operators. The automated campus must address the productivity of network planners and network operations managers and staff. The often-significant number of elements required in an installation can demand significant staff time and can consequentially have an adverse impact on operating expenses (OpEx). While It is possible to build traditional networks that, when running correctly and optimally, get the job done – unfortunately, they often embody such high operating expenses that cost becomes the overriding factor controlling the evolution of the campus network overall. The Automated Campus will allow XYZ Account to address all these issues and concerns. A key goal here must be, of course, to reduce the number of “moving parts” required to build and operate any campus. Extreme’s strategy for Campus Automation begins with re-thinking the way networks are designed, deployed and managed. Extreme’s Fabric-based networks enable faster configuration and troubleshooting; As a result, there is less opportunity for misconfiguration. Several automation solutions designed to enhance security often force network managers to accept complexity and degraded resilience to secure the network to meet local policies. Should a breach occur, containment to that segment protects even more sensitive parts of the network, resulting in a true dead-end for the hacker. With Extreme’s Automated Campus services can easily be defined and provisioned on-the-fly without disruption. Network operators specify what services are allowed or prohibited across the network.

1. Where Are We Coming From ?
L2 Bridged
Networks
L2 networks did not scale  Why ?
1. The MAC address
L2 addressing = MAC address
The MAC address is a flat address with
no summarization or hierarchy possible
1. No Scalable Control Plane
With no addressing hierarchy possible it
was not possible to have a Link State
Protocol for L2 networks which could
scale
1. No L2 OAM tools
2. Limited Virtualization
Only 802.1Q VLAN tagging

2. SPB Provides Massive Simplification
Extreme L2 SPB Networks
Now a L2 SPB network scales
1.MACinMAC Encapsulation
• IEEE 802.1 ah standard
• Removes current Mac Address Scalability limitations
• Separate Customer vs Backbone demarcation
1.Scalable Control Plane
• IEEE 802.1 aq standard
• uses the IS-IS routing Protocol which works at L2
1.L2 OAM tool
• IEEE 801.ag standard
• Connectivity & Fault Management (CFM)
• Used for OAM
1.Designed for Virtualization
• 802.1ah introduces a Service ID (I-SID) which can
scale to 16 million services
IP/SPB, SPBm/SPBm
Protocol Infrastructure
Ethernet Physical
Infrastructur
e
Horizontally Independent
Connectivity Services independent from Infrastructure
Traditional Protocol Stack

3. 3
Todays Network using STP
Layer 2
Some sort of loop prevention must
be used, i.e. Spanning Tree, and enabled on
all switches
Spanning Tree will block ports based
on cost to root bridge – all available
paths cannot be used
50 MAC addresses
100 MAC addresses learned
on all switches!!
VLAN and port members
must be provisioned on
all switches

4. SPB
No Spanning Tree in SPB core
Customer VLAN & Services provisioned only at edge of network
50 MAC address
50 MAC address
100 MAC address
VLAN provisioning only required at edge of network:
simple as adding a VLAN, local ports, and assigning a
Service Identifier. Customer MAC learning only at Edge
of network, core never learns C-MAC (MAC learning
and flooding only at edge, NOT in core).
Customer MAC learning only at edge of network, core has zero
end user MAC addresses
SPB

5. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Layer 2 Forwarding
Technology
ExtremeXOS™
Operation and
Configuration, Version 12.1

6. Slide 6
Student Objectives
Upon completion of this module, you will be able to:
Describe transparent bridging.
Describe the flooding and learning port states.
Describe the forwarding and filtering port state.
Describe the forwarding database.
Identify the various FDB entry types.
Manage forwarding database entries.
Configure egress flooding.
Configure and verify the limit-learning feature.
Configure and verify the lock-learning feature.
Configure the Extreme link status monitor.

7. ISO Seven Layer Reference Model
Slide 7
L7 - APPLICATION
L6 - PRESENTATION
L5 - SESSION
L4 - TRANSPORT
L2 - DATA LINK
L1 - PHYSICAL
L3 - NETWORK
Layer Description
7
Application level access to the
network, file transfer, remote
terminals
6
Translation of data structures
between differing architectures
5
Provides for dialogue control
between processes
4
Provides for end to end
connection between machines
3 Where routing takes place
2
Defines protocols for exchanging
data frames
1
Defines the standards for
physical connections (the wire)

8. Slide 8
Collision Domain
All hosts accessing the same physical media
Host packets capable of colliding with each other
Shared Medium – A common Ethernet cable

9. Slide 9
Carrier Sense Multiple Access with Collision
Detection (CSMA/CD)
Carrier Sense
• Hosts sense if there is any current transmission in progress.
• If there is a transmission in progress, hosts wait until it is finished.
Multiple Access
• Multiple hosts can participate in the same domain / share the same media.
Collision Detection
• Two or more hosts can still transmit at exactly the same instant,
believing the media to be free.
• If a collision occurs:
The host sends a jamming signal to prevent any further transmission.
It waits a random amount of time before trying to retransmit.
• Allowed to retry up to 16 times.

10. Slide 10
Transparent Bridges Used for LAN Segmentation
Bridges widely used to segment Ethernet collision domains
Switches perform the bridge segmentation function in hardware
Before…
IPX
UNIXIPX
UNIX
Excessive
Delays
After…
IPX
IPX
UNIXUNIX
Acceptable
Delays
Low
Utilization
Bridge

11. Slide 11
802.1d Transparent Bridges
Used in Ethernet Networks
A talks to B – Packet remains in 1st collision domain
A talks to C – Bridge forwards packet to 2nd collision domain
A switch performs the bridging function in hardware
MAC Address based lookup table
Collision Domain 2Collision Domain 1
C
DIPX
A
BUNIX
Bridge

12. Slide 12
Ethernet Frames
A bridge learns host locations from Source MAC address.
It makes forwarding decisions based on Destination MAC address.
Ethernet Frame
6 Bytes 6 Bytes 2 Bytes 46 to 1500 Bytes 4 Bytes
Destination
MAC
Source
MAC
Type /
Length
Data
(Payload / Padding)
CRC
64 Bytes Minimum. 1518 Bytes Maximum.

13. Slide 13
Bridge Functions
The bridge can be performing one of four functions:
• Flooding, Learning, Forwarding, Filtering

14. Slide 14
0B
Flooding
In a newly configured network, host “0B” initiates communication
with host “1E”.
Because the destination is unknown, the packet is flooded to all of
the interfaces and host “0B” is learned on the inbound port.
Payload1E 0B T/L CRC
0-300s100:01:30:00:00:0B
TimerPort NumberMAC Address
Forwarding Table
0A 0C
0D
0E
0F
1A
1B
1C
1D
1E
1F
1 3 52 4 6Pad-
ding

15. Slide 15
Forwarding
Host “1E” replies to host “0B”, and the packet is forwarded onto
the destination port learned for “0B”.
At the same time, the MAC address for “1E” is learned and added
to the bridge table.
Payload0B 1E T/L CRC
0-300s600:01:30:00:00:1E
0-300s100:01:30:00:00:0B
TimerPort NumberMAC Address
Forwarding Table
0A
0B
0C
0D
0E
0F
1A
1B
1C
1D
1E
1F
1 3 52 4 6Pad-
ding

16. Slide 16
Filtering
When the destination MAC address matches the inbound port, the
switch drops the packet at the port. This reduces traffic on the
other ports within the broadcast domain (VLAN) and optimizes
performance.
Payload0B 0A T/L CRC
MAC Address Port Number Timer
00:01:30:00:00:0A 1 0-300s
00:01:30:00:00:0B 1 0-300s
Forwarding Table
0A
0B
0C
0D
0E
0F
1A
1B
1C
1D
1E
1F
1 3 52 4 6Pad-
ding

17. Slide 17
Forwarding Database
Maintains a record of the location of each of the host MAC
addresses.
Enables the switch to make forwarding decisions.
Entries are added dynamically by associating the source MAC field
of the Ethernet frame with the port number.
Has statically added entries. The administrator manually enters
MAC and port number fields.
Also known as the bridge table or FDB.

18. Slide 18
Forwarding Database Illustrated
L2 address entries consists of:
• MAC address, Port / Port ID, VLAN ID
FDB

19. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Layer 2 Forwarding
Implementation
ExtremeXOS™
Operation and
Configuration, Version 12.1

20. FDB Entry Types
Dynamic entries
• Initially, all entries in the database are dynamic
Static entries
• Non-aging entries
Entries with an aging timer set to zero
• Permanent entries
Entered through the CLI and saved as permanent
Retained in the database after reset/power off
• Black hole entries
Created statically by the administrator
Created automatically by security features such as lock-learning
Configures FDB with specified source and/or destination MAC address to be
discarded
Slide 20

21. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Managing FDB
Entries
Displaying, Adding, and Removing
Database Entries

22. Displaying the FDB Table
To display the contents of the layer 2 Forwarding Database, use the
show fdb command:
show fdb
Slide 22
Results show MAC, VLAN, Age, Flags, and Port of each entry.

23. Adding Entries to the FDB
To add a static entry to the FDB, use the create fdbentry command:
create fdbentry <mac_addr> vlan <vlan_name>
[ports <port_list> | blackhole]
• Allows you to add a standard or blackhole entry to the FDB
Examples commands
• Add a permanent static entry to the FDB:
create fdbentry 00:E0:2B:12:34:56 vlan finance port 3:4
• Add a black hole entry to the FDB:
create fdbentry 00:E0:2B:12:34:56 vlan finance blackhole
• Verify the results of the above commands:
show fdb
Slide 23

24. Removing Entries from the FDB
To remove static entries from the FDB, use the delete fdbentry
command:
delete fdbentry [all | <mac_address> [vlan <vlan name>]
To remove dynamic or black hole entries from the FDB, use the
clear fdb command:
clear fdb {<mac_address> | blackhole | ports <portlist> |
vlan <vlan name>}
Examples:
• Remove a permanent entry from the FDB:
delete fdbentry 00:E0:2B:12:34:56 vlan default
• Remove a dynamic entry from the FDB:
clear fdb 00:E0:2B:12:34:56
• To verify the results of the delete fdbentry or clear fdb command:
show fdb
Slide 24

25. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Managing FDB
Behavior
Configuring MAC Address Learning
and FDB Aging Time

26. Configuring MAC Address Learning
To control if a switch learns the source addresses of incoming packets,
use the disable / enable learning command.
Determines if the source MAC address of incoming packets will be added
to FDB.
• Defines if incoming packets with unknown source MAC addresses are dropped or
forwarded to the appropriate egress ports.
MAC address learning is enabled by default and is configured on a per-port
basis.
Examples
• To only forward packets with static FDB entries on port 5:
disable learning drop-packets port 5
• To forward all packets received on this port:
disable learning forward-packets port 5
• To view the MAC address learning configuration on port 5. The lowercase m flag
indicates that MAC address learning is enabled.
show ports 5 information
Slide 26

27. Configuring the FDB Aging Time
To configure how long the FDB maintains a dynamic entry in the FDB, use
the configure fdb agingtime command:
configure fdb agingtime <seconds>
• Default: 300 seconds (5 minutes)
• Range: 15 - 1,000,000 seconds
• A value of 0 indicates that entries should never be aged out
• The timer is restarted when a packet with a matching source MAC address is received
on the same port.
Examples
• To change the FDB agetime to an hour:
configure fdb agingtime 3600
• To ensure no entries in the FDB age out:
configure fdb agingtime 0
• To verify the agingtime value:
show fdb
Slide 27

28. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Managing Layer 2
Security Features
Configuring Egress Flood Control

29. Describing Layer 2 Security Features
ExtremeXOS has three features that enhance Layer 2 security
• Egress Flood Control
Determines whether broadcast, multicast, or unknown unicast packets are
flooded.
• Limit-Learning
Limits the number of devices that can be learned.
• Lock-Learning
Freezes the FDB entries on a port / VLAN basis.
Once enabled, this feature does not allow new MAC address entries to be added
dynamically.
Configured by port or port / VLAN
• Egress Flooding Control - Port
• limit-learning - Port / VLAN
• lock-learning - Port / VLAN
Slide 29

30. Egress Flood Control
ExtremeXOS enables you to
manage the types of packets that
get flooded out to the network.
Egress flooding takes action on a
packet based on the packet
destination MAC address.
By default, egress flooding is
enabled.
You can enhance security and
privacy as well as improve
network performance by disabling
Layer 2 egress flooding on some
packets.
Slide 30
Disabling multicasting egress flooding does not affect those packets within an IGMP membership group
Client 1 Client 2
Access Link
Port 1
Access Link
Port 2
Uplink
Port 3
EXOS Switch / Access VLAN
ISP FW /
Security Proxy
With all_cast
flooding disabled,
clients will only
see known unicast
packets.

31. Configuring Egress Flood Control
To control egress flooding, use the enable / disable flooding
command with the port option.
Examples
• To disable flooding of unknown unicast packets on port 1:
disable flooding unicast port 1
• To enable flooding of broadcast packets on all ports:
enable flooding broadcast port all
• To verify egress flooding configuration on port 1:
show port 1 info detail
Slide 31
The broadcast, multicast, and unicast parameters are available only on the BlackDiamond 8800 series switches,
SummitStack, and the Summit family of switches.

32. Configuring Limit-Learning
This security feature allows you to limit the number of MAC
addresses that can be dynamically-learned by using the configure
ports command with the limit-learning option:
• Allows the first N number of hosts.
• All hosts thereafter are denied access.
The traffic is blocked as a black hole entry.
Both ingress and egress.
• Based on source MAC address
Examples
• To limit the number of MAC addresses learned on port 1 for VLAN
accounting to three entries:
configure ports 1 vlan accounting learning-limit 3
• To remove the learning limit from port 1 for VLAN accounting:
configure ports 1 vlan accounting unlimited-learnings
Slide 32
FDB
MAC 1
MAC 2
MAC 3
Port 1 limit

33. Configuring Lock-Learning
To lock entries in the FDB, use the configure ports command with
the lock-learning option:
• The entries in the FDB are frozen into a locked static state.
• New dynamic FDB entries are inserted as black hole entries.
• You can either limit dynamic MAC FDB entries, or lock down the current
MAC FDB entries per port/VLAN, but not both.
Examples:
• To lock the FDB entries associated with port 4 and the accounting VLAN:
configure ports 4 vlan accounting
lock-learning
• To unlock the FDB entries associated with port 4
and the accounting VLAN:
configure ports 4 vlan accounting
unlock-learning
Slide 33
Unknown MAC Known MAC

34. Verifying Limit-Learning and Lock-Learning
show fdb
Slide 34

35. Verifying Limit-Learning and Lock-Learning
(continued…)
show vlan default security
Slide 35

36. Extreme Link Status Monitoring (ELSM)
Extreme Networks proprietary protocol that monitors network
health by detecting CPU and remote link failures
Detects switch CPU failures that could result in a ESRP or EAPS
loop in the network
Operates on a point-to-point basis and is configured on both sides
of the peer connections
When ELSM is down, data packets are neither forwarded nor
transmitted out of that port
Slide 36
Hello messages
Hello messages

37. Verifying Extreme Link Status Monitoring
show elsm ports 3
Slide 37
ELSM state can be UP, Down, Down-wait, or Down-stuck

38. Summary
You should now be able to:
Define transparent bridging.
Define the flooding and learning port states.
Define the forwarding and filtering port state.
Define the forwarding database.
Identify the various FDB entry types.
Manage forwarding database entries.
Configure egress flooding.
Configure and verify the limit-learning feature.
Configure and verify the lock-learning feature.
Configure the Extreme link status monitor.
Slide 38

39. Slide 39
Lab
Turn to the Layer 2 Forwarding Lab
in the ExtremeXOS™
Operations and Configuration - Lab Guide Rev. 12.1
and complete the hands-on portion of this module.

40. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
Review Questions

41. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
This presentation contains forward-looking statements that involve
risks and uncertainties, including statements regarding our
expectations as to products, trends and our performance. There can be
no assurances that any forward-looking statements will be achieved,
and actual results could differ materially from forecasts and estimates.
For factors that may affect our business and financial results please
refer to our filings with the Securities and Exchange Commission,
including, without limitation, under the captions: “Management’s
Discussion and Analysis of Financial Condition and Results of
Operations,” and “Risk Factors,” which is on file with the Securities
and Exchange Commission (http://www.sec.gov). We undertake no
obligation to update the forward-looking information in this release.

42. © 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.
The End
© 2008 Extreme Networks, Inc. All rights reserved. ExtremeXOS Operation and Configuration, Version 12.1. Part number DOC-00919.