When configuring VLAN, go to these sections for the information you are interested in:
- Introduction to VLAN
- Configuring Basic VLAN Attributes
- Basic VLAN Interface Configuration
- Port-Based VLAN Configuration
- MAC Address-Based VLAN Configuration
- Protocol-Based VLAN Configuration
- Configuring IP-Subnet-Based VLAN
- Displaying and Maintaining VLAN
- VLAN Configuration Example
1.1 Introduction to VLAN
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. Because the medium is shared in an Ethernet, network performance degrades as the number of hosts on the network grows. Once the number of hosts reaches a certain level, problems caused by collisions, broadcasts, and so on emerge, and the network may stop operating properly. Besides suppressing collisions (which can also be achieved by interconnecting LANs with switches), a virtual LAN (VLAN) also isolates broadcast packets. VLAN divides a LAN into multiple logical LANs, each of which is a broadcast domain. Hosts in the same VLAN can communicate with each other as in a LAN, whereas hosts in different VLANs cannot communicate directly. In this way, broadcast packets are confined to a single VLAN, as illustrated in the following figure.

Figure 1-1 A VLAN diagram
A VLAN is not restricted by physical factors: hosts that reside in different network segments may belong to the same VLAN, and the users in a VLAN can be connected to the same switch or span multiple switches or routers.
VLAN technology has the following advantages:
1) Broadcast traffic is confined to each VLAN, reducing bandwidth consumption and improving network performance.
2) LAN security is improved. Packets in different VLANs are isolated at Layer 2: users in a VLAN cannot communicate with users in other VLANs directly unless routers or Layer 3 switches are used. This isolation is only as strong as the port membership and the inter-VLAN routing configuration that implement it.
3) Virtual workgroups can be established more flexibly. With VLAN technology, a virtual workgroup can span physical network segments, so users of the same workgroup do not have to be in the same physical area; this makes network construction and maintenance easier and more flexible.
To allow packets to be distinguished by the VLAN they belong to, VLAN tag fields that identify the VLAN are added to packets. Because common switches operate at the data link layer of the OSI model, they only process data link layer encapsulation information, so the VLAN tag has to be inserted into the data link layer encapsulation.
The format of packets carrying VLAN tag fields is defined in IEEE 802.1Q, issued by IEEE in 1999.
In the header of a traditional Ethernet data
frame, the field following the destination MAC address and the source MAC
address is the Type field, which indicates the upper layer protocol type. Figure 1-2
illustrates the format of a traditional Ethernet frame, where DA stands for
destination MAC address, SA stands for source MAC address, and Type stands for the
upper layer protocol type of the frame.

Figure 1-2 The format of a traditional Ethernet frame
IEEE 802.1Q defines a four-byte VLAN Tag between the DA and SA fields and the Type field to carry VLAN-related information, as shown in Figure 1-3.

Figure 1-3 The position and the format of the VLAN Tag
The VLAN Tag comprises four fields: the tag protocol identifier (TPID) field, the Priority field, the canonical format indicator (CFI) field, and the VLAN ID field.
- The TPID field, 16 bits in length and with a value of 0x8100, indicates that the packet carries a VLAN tag. It occupies the position of the Type field of an untagged frame, so a device that does not recognise 0x8100 sees the tag as an unknown upper layer protocol type.
- The Priority field, three bits in length, indicates the 802.1p priority of the packet. For information about packet priority, refer to the QoS part of the manual.
- The CFI field, one bit in length, specifies whether the MAC addresses are encapsulated in standard (canonical) format when packets are transmitted across different media. With the field set to 0, MAC addresses are encapsulated in standard format; with the field set to 1, they are encapsulated in non-standard format. The field is 0 by default.
- The VLAN ID field, 12 bits in length and with a value ranging from 0 to 4095, identifies the VLAN the packet belongs to. Because VLAN IDs 0 and 4095 are reserved by the protocol, the usable range of this field is 1 to 4094.
A network device determines the VLAN a packet belongs to from the VLAN ID field the packet carries; the VLAN Tag then determines how the packet is processed. For more information, refer to section Introduction to Port-Based VLAN.
The frame format described here is that of Ethernet II. Besides Ethernet II, Ethernet also supports other encapsulations, including 802.2 LLC, 802.2 SNAP, and 802.3 raw. The VLAN tag fields are added at the same position to packets using these encapsulation formats, so that they can be identified by VLAN as well.
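The tag layout described above, as an added example written for this page (it is not code from the manual or from the switch vendor). It locates the four bytes between SA and Type, splits them into TPID, Priority, CFI and VLAN ID, inserts and strips a tag the way a port does at ingress and egress, and lists stacked tags, since nothing in the tag format itself limits a frame to one tag. The frames at the bottom are constructed in memory; the names are the example's own.

```python
"""Added example: parse and build the IEEE 802.1Q tag described above.

Illustrative code written for this page, not switch firmware or vendor
software. The sample frame at the bottom is constructed in memory.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100          # TPID value the manual gives for a tagged frame
VID_MIN, VID_MAX = 1, 4094   # VIDs 0 and 4095 are reserved by the protocol


@dataclass
class TaggedView:
    dst: bytes
    src: bytes
    vid: Optional[int]       # None: untagged, or a priority-only tag (VID 0)
    pcp: int                 # 3-bit 802.1p priority
    cfi: int                 # 1-bit canonical format indicator
    ethertype: int           # Type field that follows the tag (or DA/SA)
    payload: bytes


def parse_frame(raw: bytes) -> TaggedView:
    """Split a raw Ethernet II frame into DA, SA, optional tag, Type, payload."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (type_or_tpid,) = struct.unpack("!H", raw[12:14])
    if type_or_tpid != TPID_8021Q:
        return TaggedView(dst, src, None, 0, 0, type_or_tpid, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    pcp, cfi, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    if vid == 4095:
        raise ValueError("VLAN ID 4095 is reserved")
    # VID 0 is a priority-only tag: the frame belongs to no VLAN.
    return TaggedView(dst, src, vid or None, pcp, cfi, ethertype, raw[18:])


def add_tag(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag between SA and Type, as a port does on ingress."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0-7")
    tci = (pcp << 13) | vid            # CFI stays 0: canonical MAC format
    return raw[:12] + struct.pack("!HH", TPID_8021Q, tci) + raw[12:]


def strip_tag(raw: bytes) -> bytes:
    """Remove the outermost tag, as a port does on egress for its default VLAN."""
    if len(raw) < 16 or struct.unpack("!H", raw[12:14])[0] != TPID_8021Q:
        return raw
    return raw[:12] + raw[16:]


def tag_stack(raw: bytes) -> List[int]:
    """Every stacked VID, outermost first. More than one tag arriving on a
    user-facing port is worth flagging: stripping the outer tag exposes the inner one."""
    vids, off = [], 12
    while len(raw) >= off + 4 and struct.unpack("!H", raw[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", raw[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


# Constructed sample: broadcast DA, arbitrary SA, IPv4 Type, dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, vid=100, pcp=5)
    v = parse_frame(tagged)
    print(f"tag bytes={tagged[12:16].hex()} pcp={v.pcp} cfi={v.cfi} vid={v.vid} type=0x{v.ethertype:04x}")
    print("stacked VIDs:", tag_stack(add_tag(add_tag(UNTAGGED, 20), 1)))
```

With priority 5 and VLAN 100 the inserted bytes are 81 00 a0 64: TPID 0x8100, then TCI = 5 << 13 | 100. Stripping the tag restores the original frame byte for byte, which is exactly what the egress rule for a port's default VLAN does.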
Based on how VLANs are established, VLANs fall into different categories. The following types are the most commonly used:
- Port-based
- MAC address-based
- Protocol-based
- IP-subnet-based
- Policy-based
- Other types
The S5500-EI series Ethernet switches support port-based VLAN, MAC address-based VLAN, protocol-based VLAN, and IP-subnet-based VLAN.
1.2 Configuring Basic VLAN Attributes
Follow these steps to configure basic VLAN attributes:
1) Enter system view: system-view
2) Create VLANs (optional): vlan { vlan-id1 [ to vlan-id2 ] | all }. This command can create multiple VLANs in bulk.
3) Enter VLAN view (required): vlan vlan-id. If the specified VLAN does not exist, the command creates the VLAN and then enters its view. By default, only the default VLAN (VLAN 1) exists in the system.
4) Specify a descriptive string for the VLAN (optional): description text. By default the description is the VLAN ID, for example "VLAN 0001".
Note the following restrictions:
- VLAN 1, the default VLAN, cannot be created or removed.
- Reserved VLANs, which are reserved for specific functions, cannot be created or removed manually.
- Dynamic VLANs cannot be removed using the undo vlan command.
- A VLAN with a QoS policy configured cannot be removed.
- A VLAN configured as a remote-probe VLAN for remote port mirroring cannot be removed using the undo vlan command unless its remote-probe VLAN configuration is removed first.
1.3 Basic VLAN Interface Configuration
Hosts in different VLANs cannot communicate directly; routers or Layer 3 switches are needed for packets to travel between VLANs. VLAN interfaces are used to forward VLAN packets at Layer 3.
VLAN interfaces are Layer 3 virtual interfaces (they do not exist physically on the device) used for Layer 3 interoperability between VLANs. Each VLAN can have one VLAN interface, and packets of the VLAN can be forwarded at the network layer through it. Because each VLAN forms a broadcast domain, a VLAN can correspond to an IP network segment, with the VLAN interface acting as the gateway for IP address-based Layer 3 forwarding. A VLAN interface with an IP address is what lets traffic cross the Layer 2 isolation described above, so create VLAN interfaces only for VLANs that are meant to be routed.
Follow these steps to configure VLAN interface basic attributes:
1) Enter system view: system-view
2) Create a VLAN interface or enter VLAN interface view (required): interface Vlan-interface vlan-interface-id. If the VLAN interface already exists, this command enters its view.
3) Configure an IP address for the VLAN interface (optional): ip address ip-address { mask | mask-length } [ sub ]. Not configured by default.
4) Specify a descriptive string for the VLAN interface (optional): description text. By default the VLAN interface name is used, for example "Vlan-interface1 Interface".
5) Bring up the VLAN interface (optional): undo shutdown. By default, a VLAN interface is up. The state of a VLAN interface also depends on the states of the ports in the VLAN: if all ports in the VLAN are down, the VLAN interface is down; if one or more ports in the VLAN are up, the VLAN interface is up. If a VLAN interface is manually shut down, it stays down regardless of the states of the ports in the VLAN.
Before creating a VLAN interface, ensure that the corresponding VLAN already exists; otherwise, the specified VLAN interface is not created.
1.4 Port-Based VLAN Configuration
1.4.1 Introduction to Port-Based VLAN
Port-based VLAN is the simplest and yet the most effective way of classifying VLANs. It groups VLAN members by port. After a port is added to a VLAN, it can forward the packets of that VLAN.
I. Port link type
Based on how a port handles tags, its link type can be one of the following three:
- Access port: the port belongs to only one VLAN and is normally used to connect user devices.
- Trunk port: the port can belong to multiple VLANs and can receive and send packets for multiple VLANs; it is normally used to connect network devices.
- Hybrid port: the port can belong to multiple VLANs and can receive and send packets for multiple VLANs; it can connect either user or network devices.
The difference between a Hybrid port and a Trunk port:
- A Hybrid port can send packets of multiple VLANs without the tag.
- A Trunk port sends only packets of its default VLAN without the tag.
II. Default VLAN
You can configure the default VLAN (the PVID) of a port. By default, VLAN 1 is the default VLAN of all ports; this can be changed as needed.
- An Access port belongs to only one VLAN, so its default VLAN is the VLAN it resides in and cannot be configured separately.
- The default VLAN of a Trunk port or a Hybrid port can be configured, as both can belong to multiple VLANs.
- If the default VLAN is deleted with the undo vlan command, the default VLAN of an Access port reverts to VLAN 1, whereas that of a Trunk or Hybrid port is kept, meaning the port may use a nonexistent VLAN as its default VLAN.
For a port in automatic voice VLAN mode, do not set the voice VLAN as the default VLAN of the port; otherwise, the system prompts an error. For information about voice VLAN, refer to Voice VLAN Configuration.
With a default VLAN configured, a port handles packets as follows:

Access port
- Inbound, untagged packet: tag the packet with the default VLAN ID.
- Inbound, tagged packet: receive the packet if its VLAN ID is the same as the default VLAN ID; discard it otherwise.
- Outbound: strip the tag and send the packet, as its VLAN ID is the same as the default VLAN ID.

Trunk port
- Inbound, untagged packet: check whether the default VLAN ID of the port is in the list of VLANs allowed to pass through the port; if yes, tag the packet with the default VLAN ID; if no, discard the packet.
- Inbound, tagged packet: receive the packet if its VLAN ID is in the list of VLANs allowed to pass through the port; discard it otherwise.
- Outbound: strip the tag and send the packet if its VLAN ID is the same as the default VLAN ID; keep the tag and send the packet if its VLAN ID differs from the default VLAN ID but is allowed to pass through the port.

Hybrid port
- Inbound, untagged and tagged packets: handled in the same way as on a Trunk port.
- Outbound: send the packet if its VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure whether the port keeps or strips the tag when sending packets of a VLAN (including the default VLAN).
1.4.2 Configuring an Access-Port-Based VLAN
There are two ways to configure an Access-port-based VLAN: in VLAN view, or in Ethernet port view/port group view.
Follow these steps to configure an Access-port-based VLAN in VLAN view:
1) Enter system view: system-view
2) Enter VLAN view (required): vlan vlan-id. If the specified VLAN does not exist, this command creates the VLAN and then enters its view.
3) Add Access ports to the current VLAN (required): port interface-list. By default, the system adds all ports to VLAN 1.
Follow these steps to configure an Access-port-based VLAN in Ethernet port view/port group view:
1) Enter system view: system-view
2) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command. In Ethernet port view, the subsequent configuration applies only to the current port; in port group view, it applies to all ports in the port group.
3) Configure the port link type as Access (optional): port link-type access. The link type of a port is Access by default.
4) Add the current Access port to the specified VLAN (optional): port access vlan vlan-id. By default, all Access ports belong to VLAN 1.
To add an Access
port to a VLAN, make sure the VLAN already exists.
1.4.3 Configuring a Trunk-Port-Based VLAN
A Trunk port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view or port group view.
Follow these steps to configure a Trunk-port-based VLAN:
1) Enter system view: system-view
2) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command. In Ethernet port view, the subsequent configuration applies only to the current port; in port group view, it applies to all ports in the port group.
3) Configure the port link type as Trunk (required): port link-type trunk
4) Allow the specified VLANs to pass through the current Trunk port (required): port trunk permit vlan { vlan-id-list | all }. By default, a Trunk port allows only packets of VLAN 1 to pass.
5) Configure the default VLAN of the Trunk port (optional): port trunk pvid vlan vlan-id. VLAN 1 is the default.
- To change a Trunk port into a Hybrid port (or vice versa), you must go through the Access link type first: for example, set the Trunk port to Access and then to Hybrid.
- The default VLAN IDs of the Trunk ports on the local and peer devices must be the same; otherwise, packets cannot be transmitted properly, because a packet that leaves one end untagged is assigned to the other end's default VLAN on arrival. Since the default VLAN is the only VLAN a Trunk port carries untagged, a practitioner commonly sets it to a dedicated VLAN with no Access ports rather than leaving it at VLAN 1, so that untagged frames on the link cannot be confused with user traffic.
1.4.4 Configuring a Hybrid-Port-Based VLAN
A Hybrid port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view or port group view.
Follow these steps to configure a Hybrid-port-based VLAN:
1) Enter system view: system-view
2) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command. In Ethernet port view, the subsequent configuration applies only to the current port; in port group view, it applies to all ports in the port group.
3) Configure the port link type as Hybrid (required): port link-type hybrid
4) Allow the specified VLANs to pass through the current Hybrid port (required): port hybrid vlan vlan-id-list { tagged | untagged }. By default, a Hybrid port allows only packets of VLAN 1 to pass.
5) Configure the default VLAN of the Hybrid port (optional): port hybrid pvid vlan vlan-id. VLAN 1 is the default.
- To change a Trunk port into a Hybrid port (or vice versa), you must go through the Access link type first: for example, set the Trunk port to Access and then to Hybrid.
- Ensure that the VLANs already exist before configuring them to pass through a Hybrid port.
- The default VLAN IDs of the Hybrid ports on the local and peer devices must be the same; otherwise, packets cannot be transmitted properly.
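The inbound and outbound rules from the port-handling table in section 1.4.1, together with the Trunk and Hybrid settings configured above (link type, permitted VLAN list, default VLAN, tagged/untagged lists), as an added simulation written for this page. It is not vendor software and the Port and Frame objects are the example's own assumptions, not device APIs; the CLI semantics it mirrors are only those stated in the text. The last two calls show why the default VLAN IDs at both ends of a trunk must match.

```python
"""Added example: Access, Trunk and Hybrid port ingress/egress rules from
the manual's table, as a small simulation. Illustrative code for this page;
Port/Frame are assumptions, not switch APIs.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Frame:
    vid: Optional[int]   # None = no VLAN tag
    payload: str = ""


@dataclass
class Port:
    link_type: str                                            # "access" | "trunk" | "hybrid"
    pvid: int = 1                                             # default VLAN (port ... pvid vlan)
    permit: Set[int] = field(default_factory=lambda: {1})     # trunk/hybrid: VLANs allowed through
    untagged: Set[int] = field(default_factory=lambda: {1})   # hybrid only: VLANs sent without a tag

    def ingress(self, f: Frame) -> Optional[int]:
        """VLAN the frame is assigned to on arrival, or None if it is discarded."""
        if self.link_type == "access":
            # Untagged: tag with the PVID. Tagged: accept only if the VID equals the PVID.
            return self.pvid if f.vid in (None, self.pvid) else None
        if f.vid is None:
            # Trunk/Hybrid: an untagged frame gets the PVID, but only if the PVID is permitted.
            return self.pvid if self.pvid in self.permit else None
        return f.vid if f.vid in self.permit else None

    def egress(self, vid: int, f: Frame) -> Optional[Frame]:
        """Frame as it leaves this port for VLAN `vid`, or None if not allowed out."""
        if self.link_type == "access":
            return Frame(None, f.payload) if vid == self.pvid else None
        if vid not in self.permit:
            return None
        if self.link_type == "trunk":
            send_untagged = vid == self.pvid          # only the PVID leaves untagged
        else:
            send_untagged = vid in self.untagged      # port hybrid vlan ... untagged
        return Frame(None if send_untagged else vid, f.payload)


def forward(in_port: Port, f: Frame, out_port: Port) -> Optional[Frame]:
    """Path through one switch: classify on ingress, then apply the egress rule."""
    vid = in_port.ingress(f)
    return None if vid is None else out_port.egress(vid, f)


def across_link(a: Port, vid: int, b: Port) -> Optional[int]:
    """VLAN that switch B assigns to a VLAN-`vid` frame sent out of switch A's port."""
    sent = a.egress(vid, Frame(vid))
    return None if sent is None else b.ingress(sent)


if __name__ == "__main__":
    user = Port("access", pvid=10)
    uplink = Port("trunk", pvid=1, permit={1, 10, 20})
    print(forward(user, Frame(None, "hello"), uplink))     # leaves tagged with VID 10
    # PVID mismatch: VLAN 10 is A's PVID, so it leaves A untagged and B
    # re-tags it with B's own PVID on arrival.
    a = Port("trunk", pvid=10, permit={10, 20})
    print(across_link(a, 10, Port("trunk", pvid=10, permit={10, 20})))   # 10
    print(across_link(a, 10, Port("trunk", pvid=20, permit={10, 20})))   # 20
```

The mismatch case is the practical content of the note above: whatever VLAN is the default on one end travels without a tag and becomes the default VLAN of the other end. The same model also shows that a Trunk port whose PVID is not in its permitted list silently discards every untagged frame it receives.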
1.5 MAC Address-Based VLAN Configuration
1.5.1 Introduction to MAC Address-Based VLAN
With MAC address-based VLANs created, the VLAN a packet belongs to is determined by its source MAC address, and packets in a MAC address-based VLAN are forwarded after being tagged with the tag of that VLAN. This function is usually combined with security technologies such as 802.1X to provide secure and flexible network access for terminal devices.
I. MAC address-based VLAN implementation
With MAC address-based VLANs created on a port, the port operates as follows:
- If an untagged packet is received, the port looks up its MAC address-to-VLAN entries for one that matches the source MAC address of the packet. If such an entry exists, the packet is forwarded based on the matched VLAN ID and priority value; otherwise, the packet is forwarded based on the other matching rules.
- If a tagged packet is received, the port processes it in the same way as port-based VLAN packets: it forwards the packet if the VLAN in the tag is permitted on the port and drops it otherwise.
II. Ways to create MAC address-based VLANs
A MAC address-based VLAN can be created in one of the following two ways.
- Static configuration (through the CLI): you associate MAC addresses with VLANs using the corresponding commands.
- Automatic configuration through the authentication server (VLAN issuing): the device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. When a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires the MAC address-to-VLAN mapping to be configured on the authentication server. For details, refer to 802.1x Configuration.
The two methods can be used at the same time; that is, you can configure a MAC address-to-VLAN entry on both the local device and the authentication server. Note that such an entry takes effect only when the configuration on the local device is consistent with that on the authentication server.
MAC address-based VLANs are available only on Hybrid ports.
Because the classification keys on the source MAC address of the packet, which the sending host chooses, a static MAC address-to-VLAN entry does not by itself authenticate the host; combine it with 802.1X wherever the VLAN assignment matters for security.
1.5.2 Configuring a MAC Address-Based VLAN
Follow these steps to configure a MAC address-based VLAN:
1) Enter system view: system-view
2) Associate MAC addresses with a VLAN (required): mac-vlan mac-address mac-addr [ mask mac-mask ] vlan vlan-id [ priority priority ]
3) Enter Ethernet interface view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command. Configuration performed in Ethernet interface view applies to the current port only; configuration performed in port group view applies to all ports in the port group.
4) Configure the link type of the port(s) as hybrid (required): port link-type hybrid
5) Configure the current hybrid port(s) to permit packets of the MAC address-based VLANs (required): port hybrid vlan vlan-id-list { tagged | untagged }. By default, a hybrid port permits only packets of VLAN 1.
6) Enable MAC address-based VLAN (required): mac-vlan enable. Disabled by default.
7) Configure VLAN matching precedence (optional): vlan precedence { mac-vlan | ip-subnet-vlan }. By default, VLANs are matched based on MAC addresses first.
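How an untagged packet on a Hybrid port is classified once these steps are in place, as an added example written for this page (not vendor code). It models the mac-mask, the mac-vlan enable switch, the mac-vlan / ip-subnet-vlan precedence, and the fall-through to the port's default VLAN. The entry classes, the longest-mask tie-break, and the shape of the IP-subnet entries are this example's assumptions: the manual does not state how overlapping masked entries are ranked, and IP-subnet-based VLAN configuration is covered in a later section. The tables are constructed sample data.

```python
"""Added example: classification of an untagged packet with MAC address-based
VLAN and precedence. Illustrative code for this page; entry types, the
longest-mask tie-break and the subnet entry shape are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXACT = 0xFFFFFFFFFFFF   # mac-mask for a single address (the default)


def mac_int(text: str) -> int:
    """'0011-2233-4455' or '00:11:22:33:44:55' -> 48-bit integer."""
    return int(text.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class MacVlanEntry:          # mac-vlan mac-address <mac> [mask <mask>] vlan <id> [priority <p>]
    mac: int
    vlan: int
    mask: int = EXACT
    priority: int = 0


@dataclass(frozen=True)
class SubnetVlanEntry:       # assumed shape of an IP-subnet-based VLAN entry
    network: ipaddress.IPv4Network
    vlan: int


def match_mac(entries: List[MacVlanEntry], src_mac: str) -> Optional[MacVlanEntry]:
    """Most specific entry (longest mask) wins; assumption, not stated by the manual."""
    mac, best = mac_int(src_mac), None
    for e in entries:
        if mac & e.mask == e.mac & e.mask:
            if best is None or bin(e.mask).count("1") > bin(best.mask).count("1"):
                best = e
    return best


def match_subnet(entries: List[SubnetVlanEntry], src_ip: str) -> Optional[SubnetVlanEntry]:
    addr, best = ipaddress.ip_address(src_ip), None
    for e in entries:
        if addr in e.network and (best is None or e.network.prefixlen > best.network.prefixlen):
            best = e
    return best


def classify_untagged(src_mac: str, src_ip: str, pvid: int,
                      mac_entries: List[MacVlanEntry],
                      subnet_entries: List[SubnetVlanEntry],
                      mac_vlan_enabled: bool = False,       # mac-vlan enable (off by default)
                      precedence: str = "mac-vlan") -> Tuple[int, str]:
    """Return (vlan, rule that matched) for an untagged packet on a Hybrid port."""
    def by_mac():
        e = match_mac(mac_entries, src_mac) if mac_vlan_enabled else None
        return (e.vlan, "mac-vlan") if e else None

    def by_subnet():
        e = match_subnet(subnet_entries, src_ip)
        return (e.vlan, "ip-subnet-vlan") if e else None

    # vlan precedence { mac-vlan | ip-subnet-vlan } decides which rule is tried first.
    order = [by_mac, by_subnet] if precedence == "mac-vlan" else [by_subnet, by_mac]
    for rule in order:
        hit = rule()
        if hit:
            return hit
    return pvid, "pvid"      # no rule matched: default VLAN of the port


# Constructed sample tables: one exact host entry and one OUI-wide masked entry.
MAC_TABLE = [
    MacVlanEntry(mac_int("0011-2233-4455"), vlan=100),
    MacVlanEntry(mac_int("0011-2200-0000"), vlan=200, mask=0xFFFFFF000000),
]
SUBNET_TABLE = [SubnetVlanEntry(ipaddress.ip_network("10.1.2.0/24"), vlan=300)]

if __name__ == "__main__":
    for mac, ip in [("0011-2233-4455", "10.1.2.7"), ("0011-22aa-bbcc", "10.9.9.9"),
                    ("0800-2712-3456", "10.1.2.8"), ("0800-2712-3456", "192.0.2.1")]:
        print(mac, ip, classify_untagged(mac, ip, 1, MAC_TABLE, SUBNET_TABLE, mac_vlan_enabled=True))
```

Note that every key the classifier uses, source MAC and source IP, is supplied by the sending host. A host that sets its MAC to 0011-2233-4455 lands in VLAN 100 with no further check, which is why the manual pairs this feature with 802.1X: the authentication server, not the frame, then vouches for the MAC address-to-VLAN binding.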
1.6 Protocol-Based VLAN Configuration
1.6.1 Introduction to Protocol-Based VLAN
Protocol-based VLANs are only applicable to Hybrid ports.
In this approach, inbound packets are assigned different VLAN IDs based on their protocol type and encapsulation format. The protocols that can be used to categorize VLANs are IP, IPX, and AppleTalk (AT). The encapsulation formats are Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
A protocol-based VLAN is defined by a protocol template, which is determined by encapsulation format and protocol type. A port can be associated with multiple protocol templates. An untagged packet (a packet carrying no VLAN tag) reaching a port associated with a protocol-based VLAN is processed as follows:
- If the packet matches a protocol template, it is tagged with the VLAN ID of the protocol-based VLAN defined by that template.
- If the packet matches no protocol template, it is tagged with the default VLAN ID of the port.
The port processes a tagged packet (a packet carrying a VLAN tag) in the same way as it processes packets of a port-based VLAN:
- If the port is configured to permit the VLAN identified by the tag, it forwards the packet.
- If the port is configured to deny the VLAN identified by the tag, it discards the packet.
This feature is mainly used to bind a service type to a VLAN for ease of management and maintenance. Because the classification relies on header fields that the sending host controls, it should not be relied on as an access control boundary.
1.6.2 Configuring a Protocol-Based VLAN
Follow these steps to configure a protocol-based VLAN:
1) Enter system view: system-view
2) Enter VLAN view (required): vlan vlan-id. If the specified VLAN does not exist, this command creates the VLAN and then enters its view.
3) Configure the protocol-based VLAN and specify the protocol template (required): protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id [ ssap ssap-id ] | ssap ssap-id } | snap etype etype-id } }
4) Exit VLAN view (required): quit
5) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command. In Ethernet port view, the subsequent configuration applies only to the current port; in port group view, it applies to all ports in the port group.
6) Configure the port link type as Hybrid (required): port link-type hybrid
7) Allow the packets of the protocol-based VLANs to pass through the current Hybrid port untagged, that is, with the tags stripped (required): port hybrid vlan vlan-id-list untagged
8) Configure the association between the Hybrid port and the protocol-based VLAN (required): port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] | all }
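Protocol template matching for the four encapsulation formats named in section 1.6.1, as an added example written for this page (not vendor code). It works on the bytes that follow DA/SA of an untagged packet, decides between Ethernet II, 802.3 raw, 802.2 LLC and 802.2 SNAP from the Type/Length field and the LLC header, checks the templates in protocol-index order, and falls back to the port's default VLAN. The template class and the sample packets are this example's constructions; the mode selectors (etype, dsap, ssap) follow the protocol-vlan command syntax above.

```python
"""Added example: matching an untagged packet against protocol templates.
Illustrative code for this page; ProtocolTemplate and the sample packets
are constructed here, not taken from the manual.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

Decoded = Tuple[str, Optional[int], Optional[int], Optional[int]]   # encap, etype, dsap, ssap


@dataclass(frozen=True)
class ProtocolTemplate:     # one protocol-vlan template, bound to the VLAN it was created in
    vlan: int
    encap: str              # "ethernetii" | "llc" | "snap" | "raw"
    etype: Optional[int] = None   # ethernetii / snap: mode ... etype etype-id
    dsap: Optional[int] = None    # llc: mode llc dsap dsap-id
    ssap: Optional[int] = None    # llc: mode llc ssap ssap-id


def decode_encap(after_sa: bytes) -> Decoded:
    """Identify the encapsulation from the field after SA and what follows it."""
    if len(after_sa) < 2:
        raise ValueError("no Type/Length field")
    (tl,) = struct.unpack("!H", after_sa[:2])
    if tl >= 0x0600:                        # a Type value: Ethernet II
        return ("ethernetii", tl, None, None)
    body = after_sa[2:]                     # an 802.3 Length: inspect the LLC bytes
    if body[:2] == b"\xff\xff":             # 802.3 raw (Novell IPX: no LLC header)
        return ("raw", None, None, None)
    if len(body) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, ctrl = body[0], body[1], body[2]
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03) and len(body) >= 8:
        (etype,) = struct.unpack("!H", body[6:8])   # SNAP: OUI (3 bytes), then Type
        return ("snap", etype, dsap, ssap)
    return ("llc", None, dsap, ssap)


def template_matches(t: ProtocolTemplate, d: Decoded) -> bool:
    encap, etype, dsap, ssap = d
    if t.encap != encap:
        return False
    if t.encap in ("ethernetii", "snap"):
        return t.etype == etype
    if t.encap == "llc":      # dsap and/or ssap, as the command syntax allows
        return (t.dsap is None or t.dsap == dsap) and (t.ssap is None or t.ssap == ssap)
    return True               # raw has no further selector


def classify(templates: List[ProtocolTemplate], after_sa: bytes, pvid: int) -> int:
    """Untagged packet: VLAN of the first matching template, else the port's PVID."""
    d = decode_encap(after_sa)
    for t in templates:       # evaluated in protocol-index order
        if template_matches(t, d):
            return t.vlan
    return pvid


# Constructed templates: IPv4 over Ethernet II, IPX over LLC, AppleTalk over SNAP, IPX raw.
TEMPLATES = [
    ProtocolTemplate(10, "ethernetii", etype=0x0800),
    ProtocolTemplate(20, "llc", dsap=0xE0, ssap=0xE0),
    ProtocolTemplate(30, "snap", etype=0x809B),
    ProtocolTemplate(40, "raw"),
]
# Constructed sample packets (bytes after DA/SA).
IPV4_ETH2 = b"\x08\x00" + b"\x45" + b"\x00" * 19
IPX_RAW = struct.pack("!H", 30) + b"\xff\xff" + b"\x00" * 28
IPX_LLC = struct.pack("!H", 30) + b"\xe0\xe0\x03" + b"\x00" * 27
AT_SNAP = struct.pack("!H", 30) + b"\xaa\xaa\x03\x00\x00\x00\x80\x9b" + b"\x00" * 22
IPV6_ETH2 = b"\x86\xdd" + b"\x60" + b"\x00" * 39

if __name__ == "__main__":
    for name, pkt in [("ipv4", IPV4_ETH2), ("ipx raw", IPX_RAW), ("ipx llc", IPX_LLC),
                      ("appletalk snap", AT_SNAP), ("ipv6", IPV6_ETH2)]:
        print(name, "->", classify(TEMPLATES, pkt, pvid=1))
```

The IPv6 packet matches nothing and lands in the default VLAN, which is the manual's second rule for untagged packets. Because Ethernet II and SNAP are distinguished only by a Length-versus-Type threshold and the 0xAA/0xAA/0x03 LLC bytes, a host can place the same upper layer protocol in either encapsulation; a deployment that wants IPv4 in one VLAN regardless needs templates for both encapsulations.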
Caution:
- At present, the AppleTalk-based protocol template cannot be associated with a port on an S55