1.1 VLAN Overview
Virtual local area network (VLAN) technology was developed so that switches can control broadcast traffic in LANs. By creating VLANs in a physical LAN, you divide the LAN into multiple logical LANs, each with a broadcast domain of its own. Hosts in the same VLAN communicate with each other as if they were in the same LAN, whereas hosts in different VLANs cannot communicate with each other directly. Figure 1-1 illustrates a VLAN implementation.

Figure 1-1 A VLAN implementation
A VLAN can span multiple switches, or even routers, so the hosts of a VLAN can be dispersed more loosely: hosts in one VLAN can belong to different physical network segments.
VLANs have the following advantages.
1) Broadcast domains are confined within VLANs. This reduces bandwidth consumption and improves network performance.
2) Network security is improved. Hosts in different VLANs cannot communicate with each other directly. To enable communication between different VLANs, network devices operating at Layer 3 (such as routers or Layer 3 switches) are needed.
3) Configuration workload is reduced. VLANs can be used to group specific hosts. When the physical position of a host changes, no additional network configuration is required as long as the host still belongs to the same VLAN.
The VLAN standard is described in IEEE 802.1Q, which was issued by the IEEE in 1999.
VLANs fall into the following four categories.
• Port-based VLAN
• MAC address-based VLAN
• Protocol VLAN
• IP multicast group-based VLAN
Among these, the members of a port-based VLAN are defined in terms of switch ports: you add the ports to which closely related hosts are connected to the same port-based VLAN. This is also the simplest yet most effective way to create VLANs.
Currently, S3100-SI series switches support only port-based VLANs.
Table 1-1 Basic VLAN configuration

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Assign a name for the VLAN | name text | Optional. By default, the name of a VLAN is its VLAN ID. |
| Provide a description string for the VLAN | description text | Optional. By default, the description string of a VLAN is its VLAN ID. |
Table 1-2 Create VLANs in batches

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create multiple specified VLANs | vlan { vlan-id1 to vlan-id2 \| all } | Optional |
I. Configuration prerequisites
Create a VLAN before configuring a VLAN interface.
II. Configuration procedure
Table 1-3 Basic VLAN interface configuration

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN interface and enter VLAN interface view | interface Vlan-interface vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Specify the description string for the current VLAN interface | description text | Optional. By default, the description string of a VLAN interface is the name of the VLAN interface. |
| Disable the VLAN interface | shutdown | Optional |
| Enable the VLAN interface | undo shutdown | Optional |
Note that enabling or disabling a VLAN interface does not affect the enabled/disabled state of the Ethernet ports belonging to the VLAN.
By default, a VLAN interface is enabled. In this case, the status of the VLAN interface is determined by the status of its Ethernet ports: if all the Ethernet ports of the VLAN are down, the VLAN interface is down (disabled); if one or more of them are up, the VLAN interface is up (enabled).
If a VLAN interface is disabled, its status is no longer determined by the status of its Ethernet ports.
I. Configuration prerequisites
Before configuring a port-based VLAN, you need to create the VLAN first.
II. Configuration procedure
Table 1-4 Configure a port-based VLAN

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Add specified Ethernet ports to the VLAN | port interface-list | Required. By default, all ports belong to the default VLAN. |
Caution:
The configuration listed in Table 1-4 applies only to access ports. To add trunk ports and hybrid ports to a VLAN, use the port trunk permit vlan and port hybrid vlan commands in Ethernet port view. Refer to the Port Operation section of the H3C S3100-SI Series Ethernet Switch Operation Manual for details.
After the above configuration, you can execute the display command in any view to view the running VLAN configuration and verify the effect of the configuration.
Table 1-5 Display the information about specified VLANs

| Operation | Command | Description |
| --- | --- | --- |
| Display the information about specified VLANs | display vlan [ vlan-id1 [ to vlan-id2 ] \| all \| static \| dynamic ] | This command can be executed in any view. |
I. Network requirements
• Create VLAN 2 and VLAN 3. VLAN 2 is named v2 and its description string is home.
• Add ports Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2; add ports Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
II. Network diagram

Figure 1-2 Network diagram for VLAN configuration
III. Configuration procedure
# Create VLAN 2 and enter VLAN view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
# Set the name of VLAN 2 to v2.
[H3C-vlan2] name v2
# Set the description string of VLAN 2 to home.
[H3C-vlan2] description home
# Add ports Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2.
[H3C-vlan2] port ethernet1/0/1 ethernet1/0/2
# Create VLAN 3 and enter VLAN view.
[H3C-vlan2] vlan 3
# Add ports Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
[H3C-vlan3] port ethernet1/0/3 ethernet1/0/4
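As an added illustration (not part of the manual), the following Python model shows what the port-based VLAN configuration above achieves at the forwarding level: MAC learning and flooding are scoped to the VLAN of the receiving port, so hosts behind Ethernet1/0/1 and Ethernet1/0/2 (VLAN 2) never exchange frames directly with hosts behind Ethernet1/0/3 and Ethernet1/0/4 (VLAN 3). The host MAC addresses are constructed values.

```python
from dataclasses import dataclass, field

# Port-to-VLAN assignment taken from the configuration example above (all access ports).
PORT_VLAN = {
    "Ethernet1/0/1": 2, "Ethernet1/0/2": 2,
    "Ethernet1/0/3": 3, "Ethernet1/0/4": 3,
}
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortVlanSwitch:
    port_vlan: dict
    # MAC table keyed by (VLAN ID, MAC): an address learned in VLAN 2 is unknown in VLAN 3.
    mac_table: dict = field(default_factory=dict)

    def same_vlan_ports(self, vid, exclude):
        return {p for p, v in self.port_vlan.items() if v == vid and p != exclude}

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress ports for an untagged frame received on in_port."""
        vid = self.port_vlan[in_port]
        self.mac_table[(vid, src_mac)] = in_port        # learn the source inside its VLAN
        if dst_mac == BROADCAST:
            # Broadcast is flooded only to the other ports of the same VLAN:
            # the broadcast domain is confined to the VLAN.
            return self.same_vlan_ports(vid, in_port)
        out = self.mac_table.get((vid, dst_mac))
        if out is None:
            # Unknown unicast is flooded as well, again only inside the VLAN.
            return self.same_vlan_ports(vid, in_port)
        return set() if out == in_port else {out}


def demo():
    """Constructed hosts: A and B behind VLAN 2 ports, C behind a VLAN 3 port."""
    sw = PortVlanSwitch(PORT_VLAN)
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    arp_request = sw.forward("Ethernet1/0/1", a, BROADCAST)   # A broadcasts in VLAN 2
    arp_reply = sw.forward("Ethernet1/0/2", b, a)             # B answers; A already learned
    cross_vlan = sw.forward("Ethernet1/0/3", c, a)            # C (VLAN 3) addresses A directly
    return arp_request, arp_reply, cross_vlan
```

The third result shows why a Layer 3 device is needed between VLANs: C's frame for A is flooded only within VLAN 3 and never reaches Ethernet1/0/1.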
The VLAN-VPN function enables packets to be transmitted across an operator's backbone network with the VLAN tags of private networks encapsulated in those of the public network. In the public network, packets of this type are forwarded by their outer VLAN tags (the public network VLAN tags), while the private network VLAN tags encapsulated inside them are shielded.
Figure 2-1 illustrates the structure of a packet with a single VLAN tag.

Figure 2-1 Structure of a packet with a single VLAN tag
Figure 2-2 illustrates the structure of a packet with nested VLAN tags.

Figure 2-2 Structure of a packet with nested VLAN tags
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:
• It provides simpler Layer 2 VPN tunnels.
• VLAN-VPN can be implemented through manual configuration, without the support of signaling protocols.
The VLAN-VPN function provides you with the following benefits:
• Saves public network VLAN ID resources.
• You can have VLAN IDs of your own, independent of the public network VLAN IDs.
• Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.
VLAN-VPN is implemented by enabling the VLAN-VPN function on ports.
With VLAN-VPN enabled on a port, a received packet is tagged with the default VLAN tag of the receiving port whether or not it already carries a VLAN tag. If the packet already carries a VLAN tag, it becomes a dual-tagged packet; otherwise, it becomes a packet carrying the default VLAN tag of the port.
2.2 VLAN-VPN Configuration
Before enabling VLAN-VPN on a port, make sure that:
• GARP VLAN registration protocol (GVRP), neighbor topology discovery protocol (NTDP), spanning tree protocol (STP), 802.1x, and MAC authentication are disabled on the port.
• The port is an access port.
Caution:
• VLAN-VPN is not applicable to a port on which any of GVRP, NTDP, STP, 802.1x, or MAC authentication is enabled.
• By default, STP and NTDP are enabled. You can disable these two protocols with the stp disable and undo ntdp enable commands.
Table 2-1 Configure VLAN-VPN

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable VLAN-VPN for the port | vlan-vpn enable | Required. By default, VLAN-VPN is disabled on a port. |
If you use the copy configuration command to duplicate the configuration of a port to a VLAN-VPN-enabled port, the Voice VLAN configuration is not duplicated.
You can verify the VLAN-VPN configuration by executing the display command in any view.
Table 2-2 Display VLAN-VPN configuration

| Operation | Command | Description |
| --- | --- | --- |
| Display the VLAN-VPN configuration of all the ports | display port vlan-vpn | This command can be executed in any view. |
2.4 VLAN-VPN Configuration Example
• Switch A, Switch B, and Switch C are S3100-SI series switches.
• Two networks are connected to the Ethernet1/0/1 ports of Switch A and Switch C.
• Switch B permits only the packets of VLAN 10.
• Packets of VLANs other than VLAN 10 must be exchanged between the networks connected to Switch A and Switch C.

Figure 2-3 Network diagram for VLAN-VPN configuration
1) Configure Switch A and Switch C.
As the configuration on Switch A and Switch C is the same, the configuration on Switch C is omitted.
# Configure Ethernet1/0/2 as a trunk port and add it to VLAN 10.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] port trunk permit vlan 10
# Enable VLAN-VPN on Ethernet1/0/1 and add the port to VLAN 10.
[SwitchA-Ethernet1/0/2] quit
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] port access vlan 10
[SwitchA-Ethernet1/0/1] stp disable
[SwitchA-Ethernet1/0/1] undo ntdp enable
[SwitchA-Ethernet1/0/1] vlan-vpn enable
[SwitchA-Ethernet1/0/1] quit
2) Configure Switch B.
Configure Ethernet1/0/1 and Ethernet1/0/2 as trunk ports and add both ports to VLAN 10.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface Ethernet 1/0/1
[SwitchB-Ethernet1/0/1] port link-type trunk
[SwitchB-Ethernet1/0/1] port trunk permit vlan 10
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port link-type trunk
[SwitchB-Ethernet1/0/2] port trunk permit vlan 10
The following describes how a packet is forwarded from Switch A to Switch C.
• As VLAN-VPN is enabled on Ethernet1/0/1 of Switch A, a packet from the user's private network that reaches this port is tagged with the default VLAN tag of the port (the VLAN 10 tag) and is then forwarded to Ethernet1/0/2.
• When the packet reaches Ethernet1/0/2 of Switch B, it is forwarded in VLAN 10 to Ethernet1/0/1.
• The packet leaves Ethernet1/0/1 of Switch B for the network on the other side and reaches Ethernet1/0/2 of Switch C. Switch C forwards the packet in VLAN 10 to its Ethernet1/0/1. As Ethernet1/0/1 is an access port, the outer VLAN tag is stripped off and the packet is restored to its original form.
• A packet travelling from Switch C to Switch A is handled in the same way.
After the configuration, the networks connected to Switch A and Switch C can receive packets from each other.
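The following Python example is added here and is not part of the manual; it models the tag handling described for Figure 2-3 on byte-level 802.1Q frames: Switch A's VLAN-VPN port pushes the VLAN 10 tag whether or not the customer frame already carries a tag (Figures 2-1 and 2-2), Switch B's trunks forward only on the outer VLAN 10, and Switch C's access port strips the outer tag. Frames and MAC addresses are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100                 # Tag Protocol Identifier of an IEEE 802.1Q tag
ETH_IPV4 = 0x0800

def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def vlan_ids(frame):
    """Return the VLAN IDs of all 802.1Q tags on the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def vlan_vpn_ingress(frame, port_default_vid):
    """VLAN-VPN enabled port: push the port's default VLAN tag as a new outer tag,
    whether or not the frame is already tagged (nested tags as in Figure 2-2)."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, port_default_vid) + frame[12:]

def trunk_forward(frame, permitted_vids):
    """Trunk port: forward only frames whose outer VLAN ID is permitted; None means dropped."""
    vids = vlan_ids(frame)
    return frame if vids and vids[0] in permitted_vids else None

def access_egress(frame):
    """Access port egress: strip the outer tag, restoring the customer's original frame."""
    if struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame

def switch_a_to_c(customer_frame, backbone_vid=10):
    """Path of Figure 2-3. Returns (tag stack seen inside Switch B, frame delivered by
    Switch C's Ethernet1/0/1, or None if Switch B dropped it)."""
    tagged = vlan_vpn_ingress(customer_frame, backbone_vid)   # Switch A Ethernet1/0/1
    in_backbone = trunk_forward(tagged, {backbone_vid})       # Switch B permits VLAN 10 only
    if in_backbone is None:
        return [], None
    return vlan_ids(in_backbone), access_egress(in_backbone)  # Switch C Ethernet1/0/1

# Constructed sample frames: one untagged, one tagged with the customer's private VLAN 20.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
UNTAGGED = build_frame(DST, SRC, [], ETH_IPV4, bytes(20))
PRIVATE_20 = build_frame(DST, SRC, [20], ETH_IPV4, bytes(20))
```

Without the VLAN-VPN push, trunk_forward(PRIVATE_20, {10}) returns None: Switch B would drop the customer's VLAN 20 frame, which is exactly the case the example network requires to work.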