03-Layer 2 - LAN Switching Configuration Guide

01-VLAN Configuration

Introduction to VLAN

VLAN overview

Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. Because the medium is shared in an Ethernet, network performance may degrade as the number of hosts on the network increases. If the number of hosts in the network reaches a certain level, problems caused by collisions, broadcasts, and so on emerge, which may cause the network to malfunction. In addition to suppressing collisions (which can also be achieved by interconnecting LANs), virtual LAN (VLAN) technology can isolate broadcast packets. VLAN divides a LAN into multiple logical LANs, each of which is a broadcast domain. Hosts in the same VLAN can communicate with each other as in a LAN. However, hosts from different VLANs cannot communicate directly. In this way, broadcast packets are confined to a single VLAN, as illustrated in the following figure.

Figure 1 A VLAN diagram

 

A VLAN can span across physical spaces. Hosts that reside in different network segments may belong to the same VLAN, and users in a VLAN can be connected to the same switch or span multiple switches or routers.

VLAN technology has the following advantages:

·           Broadcast traffic is confined to each VLAN, reducing bandwidth utilization and improving network performance.

·           LAN security is improved. Packets in different VLANs are isolated at Layer 2. That is, users in a VLAN cannot communicate with users in other VLANs directly, unless Layer 3 network devices such as routers are used.

·           A more flexible way to establish virtual workgroups. With VLAN technology, a virtual workgroup can be created spanning physical network segments. That is, users from the same workgroup do not have to be within the same physical area, making network construction and maintenance much easier and more flexible.

VLAN fundamentals

To enable a network device to identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation.

The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by the Institute of Electrical and Electronics Engineers (IEEE) in 1999.

In the header of a traditional Ethernet data frame, the field following the destination MAC address and the source MAC address is the Type field, which indicates the upper layer protocol type. Figure 2 illustrates the format of a traditional Ethernet frame, where DA stands for destination MAC address, SA stands for source MAC address, and Type refers to the upper layer protocol type of the frame.

Figure 2 The format of a traditional Ethernet frame

 

IEEE 802.1Q defines a four-byte VLAN Tag between the DA&SA field and the Type field to carry VLAN-related information, as shown in Figure 3.

Figure 3 The position and the format of VLAN tag

 

A VLAN tag comprises four fields: the tag protocol identifier (TPID) field, the Priority field, the canonical format indicator (CFI) field, and the VLAN ID field.

·           The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.

·           The Priority field, three bits in length, indicates the 802.1p priority of a packet. For more information about packet priority, see ACL and QoS Configuration Guide.

·           The CFI field, one bit in length, specifies whether or not the MAC addresses are encapsulated in standard format when packets are transmitted across different media. With the field set to 0, MAC addresses are encapsulated in standard format; with the field set to 1, MAC addresses are encapsulated in non-standard format. The field is 0 by default.

·           The VLAN ID field, 12 bits in length and with its value ranging from 0 to 4095, identifies the ID of the VLAN a packet belongs to. As VLAN IDs of 0 and 4095 are reserved by the protocol, the value of this field actually ranges from 1 to 4094.

A network device determines the VLAN to which a packet belongs by the VLAN ID field the packet carries. The VLAN tag determines the way a packet is processed. For more information, see “Introduction to port-based VLAN.”

 

 

NOTE:

·       The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.

·       For a frame with multiple VLAN tags, the network device handles it according to its outer-most VLAN tag, and transmits its inner VLAN tags as payload.

·       VLAN 4094 is not available when different types of service cards are intermixed.
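The tag layout and the outermost-tag rule described above, as an added Python example (not H3C code): it parses the TPID, Priority, CFI, and VLAN ID fields of an Ethernet II frame and reports the VLAN a device would act on. The function names and the sample frames are constructed for illustration; the MAC addresses are reused from the MAC-based VLAN example later on this page.

```python
import struct

TPID_8021Q = 0x8100             # TPID value that marks a VLAN-tagged frame
RESERVED_VLAN_IDS = {0, 4095}   # reserved by the protocol; usable IDs are 1-4094


def build_frame(da, sa, tags, ethertype, payload=b""):
    """Build a constructed sample frame; tags is a list of (priority, cfi, vlan_id)."""
    out = bytes.fromhex(da.replace("-", "")) + bytes.fromhex(sa.replace("-", ""))
    for priority, cfi, vlan_id in tags:
        out += struct.pack("!HH", TPID_8021Q, (priority << 13) | (cfi << 12) | vlan_id)
    return out + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Return DA, SA, every stacked 802.1Q tag (outermost first) and the Type field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than DA + SA + Type")
    offset, tags = 12, []
    while True:
        (type_or_tpid,) = struct.unpack_from("!H", frame, offset)
        if type_or_tpid != TPID_8021Q:
            break
        if len(frame) < offset + 6:   # 4-byte tag plus the 2-byte field after it
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "priority": tci >> 13,       # 3 bits: 802.1p priority
            "cfi": (tci >> 12) & 0x1,    # 1 bit: canonical format indicator
            "vlan_id": tci & 0x0FFF,     # 12 bits: VLAN ID
        })
        offset += 4
    return {
        "da": frame[0:6].hex("-", 2),
        "sa": frame[6:12].hex("-", 2),
        "tags": tags,
        "type": type_or_tpid,
        "payload": frame[offset + 2:],
    }


def classify(frame):
    """Report the VLAN a device acts on: the outermost tag; inner tags are payload."""
    tags = parse_vlan_tags(frame)["tags"]
    outer = tags[0] if tags else None
    return {
        "tagged": outer is not None,
        "vlan_id": outer["vlan_id"] if outer else None,
        "reserved": outer is not None and outer["vlan_id"] in RESERVED_VLAN_IDS,
        "inner_vlan_ids": [t["vlan_id"] for t in tags[1:]],
    }


# Constructed sample frames.
DA, SA = "0014-222c-aa69", "000d-88f8-4e71"
UNTAGGED = build_frame(DA, SA, [], 0x0800, b"ip")
SINGLE = build_frame(DA, SA, [(5, 0, 100)], 0x0800, b"ip")
STACKED = build_frame(DA, SA, [(0, 0, 200), (0, 0, 100)], 0x0800, b"ip")
RESERVED = build_frame(DA, SA, [(0, 0, 4095)], 0x0800, b"ip")

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("single", SINGLE),
                        ("stacked", STACKED), ("reserved", RESERVED)]:
        print(name, classify(frame))
```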

 

VLAN types

You can implement VLANs based on the following criteria:

·           Port

·           MAC address

Protocols and standards

·           IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

Configuring basic VLAN settings

To configure basic VLAN settings:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Create VLANs.
    Command: vlan { vlan-id1 [ to vlan-id2 ] | all }
    Remarks: Optional. Use this command to create VLANs in bulk.

3. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: By default, only the default VLAN (that is, VLAN 1) exists in the system. If the specified VLAN does not exist, this command creates the VLAN first.

4. Configure the VLAN name.
    Command: name text
    Remarks: Optional. By default, the VLAN ID is used as the name of a VLAN. For example, VLAN 0001.

5. Specify a descriptive string for the VLAN.
    Command: description text
    Remarks: Optional. By default, the VLAN ID is used as the description. For example, VLAN 0001.

 

 

NOTE:

The router does not support VLAN 4094 when it works in hybrid mode. For more information about system working modes, see Fundamentals Configuration Guide.

 

Configure basic settings of a VLAN interface

VLAN interface overview

For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding. To achieve this, VLAN interfaces are used.

VLAN interfaces are Layer 3 virtual interfaces used for Layer 3 interoperability between different VLANs. Each VLAN corresponds to one VLAN interface. After you assign an IP address to a VLAN interface, this interface can serve as the gateway for the network devices in the VLAN and allows IP address-based Layer 3 forwarding.

Configuration procedure

To perform basic VLAN interface configuration:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Create a VLAN interface and enter VLAN interface view.
    Command: interface vlan-interface vlan-interface-id
    Remarks: This command leads you to VLAN interface view if the VLAN interface already exists.

3. Configure an IP address for the VLAN interface.
    Command: ip address ip-address { mask | mask-length } [ sub ]
    Remarks: Optional. Not configured by default.

4. Specify the description of the VLAN interface.
    Command: description text
    Remarks: Optional. By default, the VLAN interface name is used. For example, Vlan-interface1 Interface.

5. Set the MTU for the VLAN interface.
    Command: mtu size
    Remarks: Optional. By default, the MTU is 1500 bytes.

6. Restore the default settings for the VLAN interface.
    Command: default
    Remarks: Optional.

7. Bring up the VLAN interface.
    Command: undo shutdown
    Remarks: Optional. By default, a VLAN interface is up. The VLAN interface is up if one or more ports in the VLAN are up, and goes down if all ports in the VLAN go down. A VLAN interface shut down with the shutdown command, however, will be in the DOWN (Administratively) state until you bring it up, regardless of how the state of the ports in the VLAN changes.

 

 

NOTE:

Before creating a VLAN interface, make sure that the corresponding VLAN already exists. Otherwise, the specified VLAN interface will not be created.

 

VLAN interface configuration example

Network requirements

As shown in Figure 4, PC A is assigned to VLAN 5. PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other.

Configure VLAN interfaces on Router A and configure the PCs to enable Layer 3 communication between the PCs.

Figure 4 Network diagram

 

Configuration procedure

1.      Configure Router A

# Create VLAN 5 and assign GigabitEthernet 3/1/1 to it.

<RouterA> system-view

[RouterA] vlan 5

[RouterA-vlan5] port gigabitethernet 3/1/1

# Create VLAN 10 and assign GigabitEthernet 3/1/2 to it.

[RouterA-vlan5] vlan 10

[RouterA-vlan10] port gigabitethernet 3/1/2

[RouterA-vlan10] quit

# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.

[RouterA] interface vlan-interface 5

[RouterA-Vlan-interface5] ip address 192.168.0.10 24

[RouterA-Vlan-interface5] quit

# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.

[RouterA] interface vlan-interface 10

[RouterA-Vlan-interface10] ip address 192.168.1.20 24

[RouterA-Vlan-interface10] return

2.      Configure PC A

# Configure the default gateway of the PC as 192.168.0.10.

3.      Configure PC B

# Configure the default gateway of the PC as 192.168.1.20.

Verifying the configurations

1.      The PCs can ping each other.

2.      Display brief information about Layer 3 interfaces on Router A to verify the configuration.

<RouterA> display ip interface brief

*down: administratively down

(s): spoofing

Interface                     Physical Protocol IP Address      Description

Vlan5                         up       up       192.168.0.10    Vlan-inte...

Vlan10                        up       up       192.168.1.20    Vlan-inte...

Configuring port-based VLANs

Introduction to port-based VLAN

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

Port link type

You can configure the link type of a port as access, trunk, or hybrid. The three link types use different VLAN tag handling methods.

·           An access port belongs to only one VLAN and sends traffic untagged. It is typically used to connect a terminal device unable to recognize VLAN-tagged packets or when there is no need to differentiate VLAN members. As shown in Figure 5, because Device A is connected with common PCs that cannot recognize VLAN-tagged packets, you need to configure Device A’s ports that connect the PCs as access ports.

·           A trunk port can carry multiple VLANs to receive and send traffic for them. Except traffic of the port VLAN (PVID), traffic sent through a trunk port will be VLAN tagged. Usually, ports connecting network devices are configured as trunk ports. As shown in Figure 5, because Device A and Device B need to transmit packets of VLAN 2 and VLAN 3, you need to configure the ports connecting Device A and Device B as trunk ports, and assign them to VLAN 2 and VLAN 3.

·           Like a trunk port, a hybrid port can carry multiple VLANs to receive and send traffic for them. Unlike a trunk port, a hybrid port allows traffic of all VLANs to pass through untagged. Usually, hybrid ports are configured to connect network devices whose support for VLAN-tagged packets you are uncertain about. As shown in Figure 5, Device B connects a small-sized LAN in which some PCs belong to VLAN 2 while some other PCs belong to VLAN 3. In this case, you need to configure Device B’s port connecting the LAN as a hybrid port that allows packets of VLAN 2 and VLAN 3 to pass through untagged.

Figure 5 Port link types

 

PVID

You can configure a port VLAN (PVID) for a port. By default, VLAN 1 is the PVID for all ports.

·           An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port. The PVID of the access port changes along with the VLAN to which the port belongs.

·           A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.

·           You can use a nonexistent VLAN as the PVID for a hybrid or trunk port but not for an access port. Therefore, after you remove the VLAN that an access port resides in with the undo vlan command, the PVID of the port changes to VLAN 1. The removal of a VLAN specified as the PVID of a trunk or hybrid port, however, does not affect the setting of the PVID on the port.

 

 

NOTE:

·       It is recommended that you set the same PVID for the local and remote ports.

·       Make sure that a port is assigned to its PVID. Otherwise, when receiving frames tagged with the PVID or untagged frames (including protocol packets such as MSTP BPDUs), the port filters out these frames.

 

Ports of different link types handle frames as follows:

 

Port type: Access
    Inbound, untagged frame: Tag the frame with the PVID tag.
    Inbound, tagged frame:
    ·       Receive the frame if its VLAN ID is the same as the PVID.
    ·       Drop the frame if its VLAN ID is different from the PVID.
    Outbound: Remove the VLAN tag and send the frame.

Port type: Trunk
    Inbound, untagged frame: Check whether the PVID is permitted on the port:
    ·       If yes, tag the frame with the PVID tag.
    ·       If not, drop the frame.
    Inbound, tagged frame:
    ·       Receive the frame if its VLAN is carried on the port.
    ·       Drop the frame if its VLAN is not carried on the port.
    Outbound:
    ·       Remove the tag and send the frame if the frame carries the PVID tag and the port belongs to the PVID.
    ·       Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one (the PVID).

Port type: Hybrid
    Inbound, untagged and tagged frames: Same as for a trunk port.
    Outbound: Send the frame if its VLAN is carried on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This also applies to the PVID.
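The frame-handling rules above and the two PVID notes, as an added Python model (not H3C code). It shows why an untagged frame is dropped when a trunk port is not assigned to its PVID, and where traffic lands when the two ends of a link use different PVIDs. The Port class, the function names, and the port names are constructed; hybrid ports are assumed to handle inbound frames as trunk ports do.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    link_type: str                     # "access", "trunk" or "hybrid"
    pvid: int = 1                      # VLAN 1 is the default PVID
    permitted: set = field(default_factory=lambda: {1})  # VLANs the port carries
    untagged: set = field(default_factory=set)           # hybrid: VLANs sent untagged


def ingress(port, tag):
    """VLAN a received frame is placed in, or None if dropped (tag=None: untagged)."""
    if port.link_type == "access":
        if tag is None:
            return port.pvid
        return tag if tag == port.pvid else None
    # Trunk and hybrid: an untagged frame is accepted only if the PVID is permitted.
    if tag is None:
        return port.pvid if port.pvid in port.permitted else None
    return tag if tag in port.permitted else None


def egress(port, vlan):
    """How a frame of `vlan` leaves the port: "untagged", "tagged" or None (not sent)."""
    if port.link_type == "access":
        return "untagged" if vlan == port.pvid else None
    if vlan not in port.permitted:
        return None
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"


def cross_link(local, remote, vlan):
    """VLAN a frame of `vlan` ends up in after crossing the link local -> remote."""
    form = egress(local, vlan)
    if form is None:
        return None
    return ingress(remote, None if form == "untagged" else vlan)


def pvid_findings(ports):
    """Names of trunk/hybrid ports that are not assigned to their own PVID."""
    return [p.name for p in ports
            if p.link_type in ("trunk", "hybrid") and p.pvid not in p.permitted]


# Constructed sample ports (names are placeholders, not taken from the page).
ACCESS5 = Port("access-5", "access", pvid=5)
TRUNK_A = Port("trunk-a", "trunk", pvid=1, permitted={1, 100, 200})
TRUNK_B = Port("trunk-b", "trunk", pvid=1, permitted={1, 100, 200})
TRUNK_PVID100 = Port("trunk-pvid100", "trunk", pvid=100, permitted={100, 200})
TRUNK_ORPHAN = Port("trunk-orphan", "trunk", pvid=100, permitted={1, 200})
HYBRID = Port("hybrid-1", "hybrid", pvid=1,
              permitted={1, 100, 200}, untagged={1, 100, 200})

if __name__ == "__main__":
    print("same PVID, VLAN 100 arrives in:", cross_link(TRUNK_A, TRUNK_B, 100))
    print("PVID 100 vs 1, VLAN 100 arrives in:", cross_link(TRUNK_PVID100, TRUNK_B, 100))
    print("untagged on port without its PVID:", ingress(TRUNK_ORPHAN, None))
    print("ports to fix:", pvid_findings([TRUNK_A, TRUNK_PVID100, TRUNK_ORPHAN, HYBRID]))
```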

 

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view, interface view (including Ethernet interface view, Layer 2 aggregate interface view, and Layer 2 VE interface view), or port group view.

To assign one or multiple access ports to a VLAN in VLAN view:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: If the specified VLAN does not exist, this command creates the VLAN first.

3. Assign one or multiple access ports to the VLAN.
    Command: port interface-list
    Remarks: By default, all ports belong to VLAN 1.

 

To assign an access port (in interface view) or a group of ports (in port group view) to a VLAN:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Enter interface view or port group view.
    Command:
    ·       Enter Ethernet interface view: interface interface-type interface-number
    ·       Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
    ·       Enter Layer 2 virtual Ethernet interface view: interface ve-bridge interface-number
    ·       Enter port group view: port-group manual port-group-name
    Remarks: Use any one of the commands.

3. Configure the link type of the port or ports as access.
    Command: port link-type access
    Remarks: Optional. The link type of a port is access by default.

4. Assign the current access port(s) to a VLAN.
    Command: port access vlan vlan-id
    Remarks: Optional. By default, all access ports belong to VLAN 1.

 

 

NOTE:

·       Before assigning an access port to a VLAN, create the VLAN first.

·       In VLAN view, you can assign only Layer 2 Ethernet interfaces to the current VLAN.

 

Assigning a trunk port to a VLAN

A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view (including Ethernet interface view, Layer 2 aggregate interface view, and Layer 2 VE interface view) or port group view.

To assign a trunk port to one or multiple VLANs:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Enter interface view or port group view.
    Command:
    ·       Enter Ethernet interface view: interface interface-type interface-number
    ·       Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
    ·       Enter Layer 2 virtual Ethernet interface view: interface ve-bridge interface-number
    ·       Enter port group view: port-group manual port-group-name
    Remarks: Use any one of the commands.

3. Configure the link type of the port or ports as trunk.
    Command: port link-type trunk
    Remarks: N/A

4. Assign the trunk port(s) to the specified VLAN(s).
    Command: port trunk permit vlan { vlan-id-list | all }
    Remarks: By default, a trunk port carries only VLAN 1.

5. Configure the PVID of the trunk port(s).
    Command: port trunk pvid vlan vlan-id
    Remarks: Optional. By default, the PVID is VLAN 1.

 

 

NOTE:

·       To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.

·       After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.

 

Assigning a hybrid port to a VLAN

A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view (including Ethernet interface view, Layer 2 aggregate interface view, and Layer 2 VE interface view) or port group view.

To assign a hybrid port to one or multiple VLANs:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Enter interface view or port group view.
    Command:
    ·       Enter Ethernet interface view: interface interface-type interface-number
    ·       Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
    ·       Enter Layer 2 virtual Ethernet interface view: interface ve-bridge interface-number
    ·       Enter port group view: port-group manual port-group-name
    Remarks: Use any one of the commands.

3. Configure the link type of the port(s) as hybrid.
    Command: port link-type hybrid
    Remarks: N/A

4. Assign the hybrid port(s) to the specified VLAN(s).
    Command: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through untagged.

5. Configure the PVID of the hybrid port.
    Command: port hybrid pvid vlan vlan-id
    Remarks: Optional. By default, the PVID is VLAN 1.

 

 

NOTE:

·       To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.

·       Before assigning a hybrid port to a VLAN, create the VLAN first.

·       After configuring the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.

 

Port-based VLAN configuration example

Network requirements

As shown in Figure 6, Host A and Host C belong to Department A, and access the enterprise network through different routers. Host B and Host D belong to Department B. They also access the enterprise network through different routers.

To ensure communication security and avoid broadcast storms, VLANs are configured in the enterprise network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to Department A, and VLAN 200 is assigned to Department B.

Make sure that hosts within the same VLAN can communicate with each other, that is, Host A can communicate with Host C, and Host B can communicate with Host D.

Figure 6 Network diagram

 

Configuration procedure

1.      Configure Device A:

# Create VLAN 100, and assign port GigabitEthernet 3/1/1 to VLAN 100.

<DeviceA> system-view

[DeviceA] vlan 100

[DeviceA-vlan100] port gigabitEthernet 3/1/1

[DeviceA-vlan100] quit

# Create VLAN 200, and assign port GigabitEthernet 3/1/2 to VLAN 200.

[DeviceA] vlan 200

[DeviceA-vlan200] port gigabitEthernet 3/1/2

[DeviceA-vlan200] quit

# Configure port GigabitEthernet 3/1/3 as a trunk port, and assign it to VLANs 100 and 200, thus enabling GigabitEthernet 3/1/3 to forward traffic of VLANs 100 and 200 to Device B.

[DeviceA] interface gigabitEthernet 3/1/3

[DeviceA-GigabitEthernet3/1/3] port link-type trunk

[DeviceA-GigabitEthernet3/1/3] port trunk permit vlan 100 200

Please wait... Done.

2.      Configure Device B:

Configure Device B as you configure Device A.

3.      Configure hosts:

Configure Host A and Host C to be on the same network segment, 192.168.100.0/24 for example. Configure Host B and Host D to be on the same network segment, 192.168.200.0/24 for example.

Verifying the configurations

1.      Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and Host D can ping each other successfully, but they both fail to ping Host A.

2.      Check whether the configuration is successful by displaying relevant VLAN information.

# Display information about VLANs 100 and 200 on Device A:

[DeviceA-GigabitEthernet3/1/3] display vlan 100

 VLAN ID: 100

 VLAN Type: static

 Route Interface: not configured

 Description: VLAN 0100

 Name: VLAN 0100

 Broadcast MAX-ratio: 100%

 Tagged   Ports:

    GigabitEthernet3/1/3

 Untagged Ports:

    GigabitEthernet3/1/1

[DeviceA-GigabitEthernet3/1/3] display vlan 200

 VLAN ID: 200

 VLAN Type: static

 Route Interface: not configured

 Description: VLAN 0200

 Name: VLAN 0200

 Broadcast MAX-ratio: 100%

Tagged   Ports:

    GigabitEthernet3/1/3

 Untagged Ports:

    GigabitEthernet3/1/2

MAC-based VLAN configuration

Introduction to MAC-based VLAN

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

Static MAC-based VLAN assignment

Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In such a network, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries on a port, enable MAC-based VLAN on the port, and assign the port to MAC-based VLANs.

With static MAC-based VLAN assignment configured on a port, the device processes received frames by using the following guidelines:

·           When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map for a match based on the source MAC address of the frame. The device first performs a fuzzy match: it searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID. If the fuzzy match fails, the device performs an exact match: it searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the device tags the frame with the corresponding VLAN ID. If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP address. If still no match is found, the device tags the frame with the PVID of the receiving port and forwards the frame.

·           When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is permitted by the port, or otherwise drops the frame.
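The lookup order described above (fuzzy match, then exact match, then PVID), as an added Python example (not H3C code). It also reports exact entries that can never take effect because a masked entry matches first. The two exact entries are the laptop addresses from the configuration example on this page. The masked entry for VLAN 300 is constructed, and taking the first matching fuzzy entry in table order is an assumption. VLAN assignment by other criteria such as IP address is not modelled.

```python
ALL_F = 0xFFFFFFFFFFFF  # mask ffff-ffff-ffff: the entry is an exact-match entry


def mac_to_int(mac):
    """Convert a MAC such as 000d-88f8-4e71 (or colon-separated) to an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def assign_vlan(entries, src_mac, pvid, tag=None, permitted=()):
    """Return (vlan, how) for a frame received on a MAC-based VLAN port.

    entries: list of (mac, mask, vlan_id) in table order.
    tag: VLAN ID of a tagged frame, or None for an untagged frame.
    """
    if tag is not None:
        # Tagged frame: forwarded only if the port permits its VLAN ID.
        return (tag, "tagged") if tag in permitted else (None, "dropped")
    src = mac_to_int(src_mac)
    table = [(mac_to_int(m), mac_to_int(k), v) for m, k, v in entries]
    # 1. Fuzzy match: entries whose mask is not all-Fs, compared after the AND.
    for mac, mask, vlan in table:
        if mask != ALL_F and (src & mask) == mac:
            return vlan, "fuzzy"
    # 2. Exact match: entries whose mask is all-Fs.
    for mac, mask, vlan in table:
        if mask == ALL_F and src == mac:
            return vlan, "exact"
    # 3. Nothing matched: fall back to the PVID of the receiving port.
    return pvid, "pvid"


def shadowed_exact_entries(entries):
    """Exact entries that never apply because a fuzzy entry matches first.

    Returns a list of (mac, configured_vlan, vlan_actually_assigned).
    """
    shadowed = []
    for mac, mask, vlan in entries:
        if mac_to_int(mask) == ALL_F:
            got, how = assign_vlan(entries, mac, pvid=None)
            if how == "fuzzy":
                shadowed.append((mac, vlan, got))
    return shadowed


# Entries from the page's configuration example (Laptop 1 and Laptop 2).
PAGE_ENTRIES = [
    ("000d-88f8-4e71", "ffff-ffff-ffff", 100),
    ("0014-222c-aa69", "ffff-ffff-ffff", 200),
]
# Constructed masked entry covering the 000d-88xx-xxxx range.
WITH_FUZZY = PAGE_ENTRIES + [("000d-8800-0000", "ffff-ff00-0000", 300)]

if __name__ == "__main__":
    print(assign_vlan(PAGE_ENTRIES, "000d-88f8-4e71", pvid=1))
    print(assign_vlan(WITH_FUZZY, "000d-88f8-4e71", pvid=1))
    print(shadowed_exact_entries(WITH_FUZZY))
```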

Dynamic MAC-based VLAN

You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic MAC-based VLAN on the router, you must configure the MAC address-to-VLAN entries on the access authentication server.

When a user passes authentication of the access authentication server, the router obtains VLAN information from the server, generates a MAC address-to-VLAN entry by using the source MAC address of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the user goes offline, the router automatically deletes the MAC address-to-VLAN entry, and removes the port from the MAC-based VLAN.

 

 

NOTE:

For more information about access authentication, see Security Configuration Guide.

 

Configuring a MAC-based VLAN

 

 

NOTE:

·       The router supports MAC-based VLAN only when its system working mode is SPC.

·       MAC-based VLANs are available only on hybrid ports.

·       Because MAC-based dynamic port assignment is mainly configured on the downlink ports of user access devices, do not enable this function together with link aggregation.

 

To configure static MAC-based VLAN assignment:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Associate MAC addresses with a VLAN.
    Command: mac-vlan mac-address mac-address vlan vlan-id [ priority priority ]
    Remarks: N/A

3. Enter Ethernet interface view or port group view.
    Command:
    ·       Enter Ethernet interface view: interface interface-type interface-number
    ·       Enter port group view: port-group manual port-group-name
    Remarks: Use either command.

4. Configure the link type of the port(s) as hybrid.
    Command: port link-type hybrid
    Remarks: N/A

5. Configure the current hybrid port(s) to permit packets of specific MAC-based VLANs to pass through.
    Command: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.

6. Enable the MAC-based VLAN feature.
    Command: mac-vlan enable
    Remarks: By default, the MAC-based VLAN feature is disabled.

 

To configure dynamic MAC-based VLAN:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Enter Ethernet interface view or port group view.
    Command:
    ·       Enter Ethernet interface view: interface interface-type interface-number
    ·       Enter port group view: port-group manual port-group-name
    Remarks: Use either command.

3. Configure the link type of the port(s) as hybrid.
    Command: port link-type hybrid
    Remarks: N/A

4. Configure the hybrid port(s) to permit packets from specific MAC-based VLANs to pass through.
    Command: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.

5. Enable the MAC-based VLAN feature.
    Command: mac-vlan enable
    Remarks: By default, the MAC-based VLAN feature is disabled.

6. Configure 802.1X/MAC/portal authentication or any combination.
    Command: For more information, see Security Command Reference.
    Remarks: N/A

 

MAC-based VLAN configuration example

 

 

NOTE:

·       The router supports MAC-based VLAN only when its system working mode is SPC.

·       MAC-based VLANs are available only on hybrid ports.

 

Network requirements

As shown in Figure 7,

·           GigabitEthernet 3/1/1 of Device A and Device C are each connected to a meeting room. Laptop 1 (000d-88f8-4e71) and Laptop 2 (0014-222c-aa69) are used for meetings and may be used in either of the two meeting rooms.

·           Laptop 1 and Laptop 2 are owned by different departments. The two departments use VLAN 100 and VLAN 200 respectively.

Configure MAC-based VLAN so that each laptop can access only its own department server no matter which meeting room it is used in.

Figure 7 Network diagram

 

Configuration consideration

·           Create VLANs 100 and 200.

·           Configure the uplink ports of Device A and Device C as trunk ports, and assign them to VLANs 100 and 200.

·           Configure the downlink ports of Device B as trunk ports, and assign them to VLANs 100 and 200. Assign the uplink ports of Device B to VLANs 100 and 200.

·           Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with VLAN 200.

Configuration procedure

1.      Configure Device A:

# Create VLANs 100 and 200.

<DeviceA> system-view

[DeviceA] vlan 100

[DeviceA-vlan100] quit

[DeviceA] vlan 200

[DeviceA-vlan200] quit

# Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with VLAN 200.

[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100

[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200

# Configure Laptop 1 and Laptop 2 to access the network through GigabitEthernet 3/1/1: Configure GigabitEthernet 3/1/1 as a hybrid port that sends packets of VLANs 100 and 200 untagged, and enable MAC-based VLAN on it.

[DeviceA] interface GigabitEthernet 3/1/1

[DeviceA-GigabitEthernet3/1/1] port link-type hybrid

[DeviceA-GigabitEthernet3/1/1] port hybrid vlan 100 200 untagged

 Please wait... Done.

[DeviceA-GigabitEthernet3/1/1] mac-vlan enable

[DeviceA-GigabitEthernet3/1/1] quit

# Configure the uplink port GigabitEthernet 3/1/2 as a trunk port, and assign it to VLANs 100 and 200, so that the laptops can access Server 1 and Server 2.

[DeviceA] interface GigabitEthernet 3/1/2

[DeviceA-GigabitEthernet3/1/2] port link-type trunk

[DeviceA-GigabitEthernet3/1/2] port trunk permit vlan 100 200

[DeviceA-GigabitEthernet3/1/2] quit

2.      Configure Device B:

# Create VLANs 100 and 200. Assign GigabitEthernet 3/1/13 to VLAN 100, and GigabitEthernet 3/1/14 to VLAN 200.

<DeviceB> system-view

[DeviceB] vlan 100

[DeviceB-vlan100] port GigabitEthernet 3/1/13

[DeviceB-vlan100] quit

[DeviceB] vlan 200

[DeviceB-vlan200] port GigabitEthernet 3/1/14

[DeviceB-vlan200] quit

# Configure GigabitEthernet 3/1/3 and GigabitEthernet 3/1/4 as trunk ports, and assign them to VLANs 100 and 200.

[DeviceB] interface GigabitEthernet 3/1/3

[DeviceB-GigabitEthernet3/1/3] port link-type trunk

[DeviceB-GigabitEthernet3/1/3] port trunk permit vlan 100 200

[DeviceB-GigabitEthernet3/1/3] quit

[DeviceB] interface GigabitEthernet 3/1/4

[DeviceB-GigabitEthernet3/1/4] port link-type trunk

[DeviceB-GigabitEthernet3/1/4] port trunk permit vlan 100 200

[DeviceB-GigabitEthernet3/1/4] quit

3.      Configure Device C:

Configure Device C as you configure Device A.

Verifying the configurations

1.      Laptop 1 can access Server 1 only, and Laptop 2 can access Server 2 only.

2.      On Device A and Device C, you can see that VLAN 100 is associated with the MAC address of Laptop 1, and VLAN 200 is associated with the MAC address of Laptop 2.

[DeviceA] display mac-vlan all

  The following MAC VLAN addresses exist:

  S:Static  D:Dynamic

  MAC ADDR         MASK             VLAN ID   PRIO   STATE

  --------------------------------------------------------

  000d-88f8-4e71   ffff-ffff-ffff   100       0      S

  0014-222c-aa69   ffff-ffff-ffff   200       0      S

 

  Total MAC VLAN address count:2

Configuration guidelines

1.      MAC-based VLAN can be configured only on hybrid ports.

2.      MAC-based VLAN is typically configured on the downlink ports of access layer devices, and hence cannot be configured together with the link aggregation function.

Displaying and maintaining VLANs

 

Task: Display VLAN information.
    Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display VLAN interface information.
    Command: display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
    Command: display interface vlan-interface vlan-interface-id [ brief ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display hybrid ports or trunk ports on the router.
    Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display MAC address-to-VLAN entries.
    Command: display mac-vlan { all | dynamic | mac-address mac-address [ mask mac-mask ] | static | vlan vlan-id } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display all interfaces with MAC-based VLAN enabled.
    Command: display mac-vlan interface [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Clear statistics on a port.
    Command: reset counters interface vlan-interface [ vlan-interface-id ]
    Remarks: Available in user view

 

 

NOTE:

The reset counters interface command clears statistics on VLAN interfaces. For more information, see Interface Command Reference.