1.1 VLAN Overview
Traditional Ethernet is a flat network in which all hosts are in the same broadcast domain and are connected to each other through hubs or switches. A hub is a physical layer device without a switching function, so it forwards every received packet to all ports. A switch is a link layer device that forwards a packet according to the packet's MAC address. However, when a switch receives a broadcast packet, or an unknown unicast packet whose destination MAC address is not in the switch's MAC address table, it forwards the packet to all ports except the inbound port. As a result, a host on the network receives many packets that are not destined for it. This wastes a great deal of bandwidth and can cause serious security problems.
The traditional way to isolate broadcast domains is to use routers. However, routers are expensive and provide few ports, so they cannot divide the network into fine-grained subnets.
Virtual local area network (VLAN) technology was developed so that switches can control broadcasts in LANs.
By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has its own broadcast domain. Hosts in the same VLAN communicate with each other as if they were in the same LAN, but hosts in different VLANs cannot communicate with each other directly. Figure 1-1 illustrates a VLAN implementation.

Figure 1-1 A VLAN implementation
A VLAN can span multiple switches, or even routers, so the hosts in a VLAN can be dispersed more loosely. That is, hosts in a VLAN can belong to different physical network segments.
Compared with traditional Ethernet, VLANs offer the following advantages:
• Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves network performance.
• Network security is improved. VLANs cannot communicate with each other directly. That is, a host in one VLAN cannot access resources in another VLAN directly, unless routers or Layer 3 switches are used.
• Network configuration workload for the host is reduced. A VLAN can be used to group specific hosts. When the physical position of a host changes within the range of the VLAN, you need not change its network configuration.
The switch needs VLAN tags in packets to identify packets of different VLANs. The switch works at Layer 2 (Layer 3 switches are not discussed in this chapter) and can identify only the data link layer encapsulation of a packet, so the VLAN tag field can be added only to the data link layer encapsulation.
In 1999, IEEE issued the IEEE 802.1Q protocol to standardize VLAN implementation, defining the structure of VLAN-tagged packets.
In traditional Ethernet data frames, the type field of the upper layer protocol is encapsulated after the destination MAC address and source MAC address, as shown in Figure 1-2.

Figure 1-2 Encapsulation format of traditional Ethernet frames
In Figure 1-2, DA refers to the destination MAC address, SA refers to the source MAC address, and Type refers to the protocol type of the packet. The IEEE 802.1Q protocol specifies that a 4-byte VLAN tag is encapsulated after the destination MAC address and source MAC address to carry the VLAN information.

Figure 1-3 Format of VLAN tag
As shown in Figure 1-3, a VLAN tag contains four fields: TPID, priority, CFI, and VLAN ID.
• TPID is a 16-bit field, indicating that this data frame is VLAN-tagged. By default, it is 0x8100 in H3C series Ethernet switches.
• Priority is a 3-bit field, referring to 802.1p priority. Refer to section “QoS & QoS profile” for details.
• CFI is a 1-bit field, indicating whether the MAC address is encapsulated in the standard format in different transmission media. This field is not described in detail in this chapter.
• VLAN ID is a 12-bit field, indicating the ID of the VLAN to which this packet belongs. It is in the range of 0 to 4,095. Generally, 0 and 4,095 are not used, so the field is in the range of 1 to 4,094.
The VLAN ID identifies the VLAN to which a packet belongs. When the switch receives a packet that carries no VLAN tag, it encapsulates a VLAN tag containing the default VLAN ID of the inbound port into the packet, and the packet is assigned to the default VLAN of the inbound port for transmission. For details about setting the default VLAN of a port, refer to the section “Port Basic Configuration” in the H3C S3100-52P Ethernet Switch Operation Manual.
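
The tag layout and the default-VLAN rule described above can be checked with a small frame parser. This is an added example, not code from the H3C manual; the function name classify_frame and the parameter port_default_vlan are hypothetical, and the sample frames are constructed. It goes slightly beyond the text by following IEEE 802.1Q for the two unused IDs: VLAN ID 0 marks a priority-only tag and 4095 is reserved.

```python
import struct

TPID_8021Q = 0x8100  # TPID the page gives as the default on H3C switches


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify_frame(frame: bytes, port_default_vlan: int) -> dict:
    """Parse DA/SA and the optional 802.1Q tag, then pick the frame's VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated frame: need DA + SA + Type")
    if not 1 <= port_default_vlan <= 4094:
        raise ValueError("port default VLAN must be 1..4094")
    info = {"da": mac(frame[0:6]), "sa": mac(frame[6:12])}
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # Untagged: the switch assigns the inbound port's default VLAN ID.
        info.update(tagged=False, priority=None, cfi=None,
                    vlan_id=port_default_vlan, ethertype=tpid)
        return info
    if len(frame) < 18:
        raise ValueError("truncated frame: TPID present but tag incomplete")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF                # low 12 bits: VLAN ID
    if vid == 0x0FFF:
        raise ValueError("VLAN ID 4095 is reserved")
    info.update(tagged=True,
                priority=tci >> 13,   # top 3 bits: 802.1p priority
                cfi=(tci >> 12) & 1,  # next bit: CFI
                # VLAN ID 0 carries priority only (IEEE 802.1Q), so the
                # inbound port's default VLAN applies.
                vlan_id=vid or port_default_vlan,
                ethertype=ethertype)
    return info


# Constructed sample frames (addresses and payload are made up).
DA = bytes.fromhex("ffffffffffff")
SA = bytes.fromhex("020000000001")
UNTAGGED = DA + SA + struct.pack("!H", 0x0800) + b"\x00" * 46
# priority 5, CFI 0, VLAN ID 3  ->  tag control value (5 << 13) | 3 = 0xA003
TAGGED = (DA + SA + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 3, 0x0800)
          + b"\x00" * 46)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, classify_frame(frame, port_default_vlan=2))
```
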
Port-based VLAN technology is the simplest way to classify VLANs. You can isolate hosts and divide them into different virtual workgroups by assigning the device ports that connect to the hosts to different VLANs.
This method is easy to implement and manage, and it is applicable to hosts with relatively fixed positions.
Chapter 2 VLAN Configuration
Table 2-1 Basic VLAN configuration
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create multiple VLANs in batch | vlan { vlan-id1 to vlan-id2 \| all } | Optional |
| Create a VLAN and enter VLAN view | vlan vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Assign a name for the current VLAN | name text | Optional. By default, the name of a VLAN is its VLAN ID. |
| Specify the description string of the current VLAN | description text | Optional. By default, the description string of a VLAN is its VLAN ID. |
Caution:
When you use the vlan command to create VLANs, if the destination VLAN is an existing dynamic VLAN, it is transformed into a static VLAN and the switch outputs a prompt message.
I. Configuration prerequisites
Create a VLAN before configuring a VLAN interface.
II. Configuration procedure
Table 2-2 Basic VLAN interface configuration
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN interface and enter VLAN interface view | interface Vlan-interface vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Specify the description string for the current VLAN interface | description text | Optional. By default, the description string of a VLAN interface is the name of this VLAN interface. |
| Disable the VLAN interface | shutdown | Optional |
| Enable the VLAN interface | undo shutdown | Optional |
Note that enabling or disabling a VLAN interface does not affect the enabled/disabled state of the Ethernet ports belonging to this VLAN.
By default, the management state of a VLAN interface is enabled. In this case, the physical state of the VLAN interface is determined by the state of the ports in the VLAN. When all the Ethernet ports of a VLAN are down, the VLAN interface of the VLAN is down, that is, the VLAN interface is disabled; when one or more Ethernet ports of a VLAN are up, the VLAN interface of the VLAN is up, that is, the VLAN interface is enabled.
If you disable the management state of the VLAN interface, the VLAN interface is always down, regardless of the states of the ports in the VLAN.
Caution:
The H3C S3100-52P Ethernet switch supports only one VLAN interface, and the VLAN where the VLAN interface resides must be the management VLAN of the switch.
For details, refer to the section "Management VLAN Configuration – Operation" in the H3C S3100-52P Ethernet Switch Operation Manual.
2.1.3 Displaying VLAN Configuration
After completing the configuration above, you can execute the display command in any view to display the running status and verify the configuration.
Table 2-3 Display VLAN configuration
| Operation | Command | Description |
|---|---|---|
| Display the VLAN interface information | display interface Vlan-interface [ vlan-id ] | You can execute the display command in any view. |
| Display the VLAN information | display vlan [ vlan-id [ to vlan-id ] \| all \| dynamic \| static ] | |
I. Configuration prerequisites
Create a VLAN before configuring a port-based VLAN.
II. Configuration procedure
Table 2-4 Configure a port-based VLAN
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | — |
| Add Ethernet ports to the specific VLAN | port interface-list | Required. By default, all the ports belong to the default VLAN. |
Caution:
The commands above are effective for access ports only. To add trunk ports or hybrid ports to a VLAN, use the port trunk permit vlan command or the port hybrid vlan command in Ethernet port view. For the configuration procedure, refer to the section "Port Basic Configuration – Operation" in the H3C S3100-52P Ethernet Switch Operation Manual.
I. Network requirements
• Create VLAN 2 and VLAN 3 and specify the description string of VLAN 2 as home;
• Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2 and add Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
II. Network diagram

Figure 2-1 Network diagram for VLAN configuration
III. Configuration procedure
# Create VLAN 2 and enter its view.
<H3C> system-view
[H3C] vlan 2
# Specify the description string of VLAN 2 as home.
[H3C-vlan2] description home
# Add Ethernet1/0/1 and Ethernet1/0/2 ports to VLAN 2.
[H3C-vlan2] port Ethernet 1/0/1 Ethernet 1/0/2
# Create VLAN 3 and enter its view.
[H3C-vlan2] vlan 3
# Add Ethernet1/0/3 and Ethernet1/0/4 ports to VLAN 3.
[H3C-vlan3] port Ethernet 1/0/3 Ethernet 1/0/4
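
The effect of this port assignment on flooding can be seen in a simplified model of a learning switch, compared against the same four ports in one flat broadcast domain. This is an added example, not code from the H3C manual; the VlanSwitch class, the per-VLAN MAC table and the host MAC addresses are assumptions made for the model, and only access ports are modelled.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Layer 2 learning switch with port-based VLANs (access ports only)."""

    def __init__(self, port_vlan: dict):
        self.port_vlan = dict(port_vlan)   # port name -> VLAN ID
        self.mac_table = {}                # (VLAN ID, MAC) -> port name

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Learn the source MAC and return the ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port
        out = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and out is not None:
            return [] if out == in_port else [out]   # known unicast
        # Broadcast or unknown unicast: flood to every port of the same VLAN
        # except the inbound port.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


# Port assignment taken from the configuration example above.
VLAN_PORTS = {"Ethernet1/0/1": 2, "Ethernet1/0/2": 2,
              "Ethernet1/0/3": 3, "Ethernet1/0/4": 3}
# The same ports in a single broadcast domain, modelling flat Ethernet.
FLAT_PORTS = {p: 1 for p in VLAN_PORTS}   # 1 is an arbitrary shared ID


def demo() -> dict:
    # Constructed host MAC addresses.
    host_a, host_b, host_c = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                              "02:00:00:00:00:0c")
    flat, vlan = VlanSwitch(FLAT_PORTS), VlanSwitch(VLAN_PORTS)
    return {
        "flat_broadcast": flat.receive("Ethernet1/0/1", host_a, BROADCAST),
        "vlan_broadcast": vlan.receive("Ethernet1/0/1", host_a, BROADCAST),
        "unknown_unicast": vlan.receive("Ethernet1/0/1", host_a, host_b),
        "known_unicast": vlan.receive("Ethernet1/0/2", host_b, host_a),
        # host_a was learned in VLAN 2, so from VLAN 3 it is still unknown
        # and the frame never leaves VLAN 3.
        "cross_vlan": vlan.receive("Ethernet1/0/3", host_c, host_a),
    }


if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case:16} -> {ports}")
```
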