108 Configuring and managing ports and VLANs
NN47250-500 (320657-F Version 02.01)

To completely remove VLAN ecru, type the following command:

    WSS# clear vlan ecru
    This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
    success: change accepted.

Changing tunneling affinity

To change the tunneling affinity, use the following command:

    set vlan vlan-id tunnel-affinity num

Specify a value from 1 through 10. The default is 5.

Restricting layer 2 forwarding among clients

By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, WSS Software allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s default routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified default routers.

To restrict Layer 2 forwarding in a VLAN, use the following command:

    set security l2-restrict vlan vlan-id [mode {enable | disable}] [permit-mac mac-addr [mac-addr]]

You can specify multiple addresses by listing them on the same command line or by entering multiple commands.

Restriction of client traffic does not begin until you enable the permitted MAC list. Use the mode enable option with this command.

To change a MAC address, use the clear security l2-restrict command to remove it, then use the set security l2-restrict command to add the correct address.

    clear security l2-restrict vlan vlan-id [permit-mac mac-addr [mac-addr] | all]

Note. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but Nortel recommends against it.

Note. For networks with IP-only clients, you can restrict client-to-client forwarding using ACLs. (See “Restricting client-to-client forwarding among IP-only clients” (page 441).)
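The following audit sketch is an added example, not part of the Nortel manual: it replays the l2-restrict commands described above and flags VLANs where a permit list was entered but mode enable was never applied, so restriction has not begun. It assumes the commands are available as text, one per line, that MAC addresses use colon-separated notation, that the mode setting persists across later commands, and that clear with all (or with no list) empties the permit list; the function name and sample data are hypothetical.

```python
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"   # assumed colon-separated MAC notation
SET_RE = re.compile(r"^set security l2-restrict vlan (\S+)(.*)$", re.I)
CLEAR_RE = re.compile(r"^clear security l2-restrict vlan (\S+)(.*)$", re.I)

def audit_l2_restrict(commands):
    """Replay l2-restrict commands; return {vlan: finding} for risky states."""
    state = {}  # vlan -> {"enabled": bool, "macs": set()}
    for raw in commands.splitlines():
        line = raw.strip()
        m_set, m_clear = SET_RE.match(line), CLEAR_RE.match(line)
        if not (m_set or m_clear):
            continue  # unrelated command
        vlan, rest = (m_set or m_clear).groups()
        entry = state.setdefault(vlan, {"enabled": False, "macs": set()})
        macs = {m.lower() for m in re.findall(MAC, rest, re.I)}
        if m_set:
            mode = re.search(r"\bmode\s+(enable|disable)\b", rest, re.I)
            if mode:
                entry["enabled"] = mode.group(1).lower() == "enable"
            entry["macs"] |= macs
        elif macs:
            entry["macs"] -= macs   # clear ... permit-mac removes the listed addresses
        else:
            entry["macs"].clear()   # assumption: 'all' or no list empties the permit list
    findings = {}
    for vlan, e in state.items():
        if e["macs"] and not e["enabled"]:
            findings[vlan] = "permit list set but mode not enabled: clients still forward at Layer 2"
        elif e["enabled"] and not e["macs"]:
            findings[vlan] = "mode enabled with empty permit list: no permitted Layer 2 destination"
    return findings

# Constructed sample input (VLAN names and MAC addresses are made up).
SAMPLE = """\
set security l2-restrict vlan guest permit-mac 00:0b:0e:02:53:3e 00:0b:0e:02:53:3f
set security l2-restrict vlan staff mode enable permit-mac 00:0b:0e:aa:10:01
set security l2-restrict vlan lab mode enable permit-mac 00:0b:0e:aa:20:01
clear security l2-restrict vlan lab permit-mac 00:0b:0e:aa:20:01
"""

if __name__ == "__main__":
    for vlan, finding in audit_l2_restrict(SAMPLE).items():
        print(f"{vlan}: {finding}")
```

The lab case models the change procedure above when the old address is cleared but the corrected one is not yet added.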