When configuring VLAN, go to these sections for the information you are interested in:
- Introduction to VLAN
- Configuring Basic VLAN Attributes
- Basic VLAN Interface Configuration
- Port-Based VLAN Configuration
- MAC Address-Based VLAN Configuration
- Displaying and Maintaining VLAN
- VLAN Configuration Example
1.1 Introduction to VLAN
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. Because the medium is shared, network performance degrades as the number of hosts grows. Once the number of hosts reaches a certain level, collisions, broadcasts, and similar problems cause the network to operate improperly. Besides suppressing collisions (which can also be achieved by interconnecting LANs), a virtual LAN (VLAN) also isolates broadcast packets. VLAN divides a LAN into multiple logical LANs, each of which is a broadcast domain. Hosts in the same VLAN communicate with each other as if they were on one LAN, whereas hosts in different VLANs cannot communicate directly. In this way broadcast packets are confined to a single VLAN, as illustrated in the following figure.

Figure 1-1 A VLAN diagram
A VLAN is not restricted by physical factors: hosts that reside in different network segments may belong to the same VLAN, and the users of a VLAN may be connected to the same switch or span multiple switches or routers.
VLAN technology has the following advantages:
1) Broadcast traffic is confined to each VLAN, which reduces bandwidth consumption and improves network performance.
2) LAN security is improved. Packets in different VLANs are isolated at Layer 2: users in one VLAN cannot communicate with users in other VLANs directly unless routers or Layer 3 switches are used. Note that this isolation exists only at Layer 2. Every Layer 3 path you add between VLANs (for example a VLAN interface acting as the gateway, see Basic VLAN Interface Configuration) reconnects them, so any policy between VLANs has to be enforced on that path.
3) A more flexible way to establish virtual workgroups. With VLAN technology a virtual workgroup can span physical network segments, so users of the same workgroup do not have to be in the same physical area, which makes network construction and maintenance easier and more flexible.
To let packets be distinguished by the VLANs they belong to, VLAN tag fields identifying the VLAN are added to the packets. Because common switches operate at the data link layer of the OSI model and process only data link layer encapsulation information, the VLAN tag has to be inserted into the data link layer encapsulation.
The format of packets carrying the VLAN tag fields is defined in IEEE 802.1Q, issued by IEEE in 1999.
In the header of a traditional Ethernet data frame, the field following the destination MAC address and the source MAC address is the Type field, which indicates the upper layer protocol type. Figure 1-2 illustrates the format of a traditional Ethernet frame, where DA stands for destination MAC address, SA for source MAC address, and Type for the upper layer protocol type of the frame.

Figure 1-2 The format of a traditional Ethernet frame
IEEE 802.1Q defines a four-byte VLAN Tag between the DA and SA fields and the Type field to carry VLAN-related information, as shown in Figure 1-3.

Figure 1-3 The position and the format of the VLAN Tag
The VLAN Tag comprises four fields: the tag protocol identifier (TPID) field, the Priority field, the canonical format indicator (CFI) field, and the VLAN ID field.
- The TPID field, 16 bits long with the value 0x8100, indicates that the packet carries a VLAN tag. A switch recognises a tagged frame solely by finding this value where the Type field of an untagged frame would sit.
- The Priority field, 3 bits long, carries the 802.1p priority of the packet. For information about packet priority, refer to the QoS part of the manual.
- The CFI field, 1 bit long, specifies whether the MAC addresses are encapsulated in standard (canonical) format when packets are transmitted across different media. With the field set to 0, MAC addresses are encapsulated in standard format; with the field set to 1, in non-standard format. The field is 0 by default.
- The VLAN ID field, 12 bits long with values from 0 to 4095, identifies the VLAN the packet belongs to. Because VLAN IDs 0 and 4095 are reserved by the protocol, the usable range is 1 to 4094.
A network device determines the VLAN to which a packet belongs by the VLAN ID field the packet carries, and the VLAN Tag determines how the packet is processed. For more information, refer to section Introduction to Port-Based VLAN.
The frame format described here is that of Ethernet II. Besides Ethernet II, Ethernet also supports the 802.2 LLC, 802.2 SNAP, and 802.3 raw encapsulations; the VLAN tag fields are added to packets in these encapsulation formats in the same way for VLAN identification.
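The following Python is an added example, not code from this manual or from the switch vendor: it builds an Ethernet II frame with the four-byte 802.1Q tag in the position described above and parses it back, recognising a tag exactly as a switch does, by the value 0x8100 in the Type position. The MAC addresses, EtherType and payload are constructed sample data; the builder refuses the reserved VLAN IDs 0 and 4095 while the parser reports whatever VID is on the wire, since a receiving device must cope with either.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100           # TPID value that marks a frame as carrying an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094    # VIDs 0 and 4095 are reserved by the standard


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or the switch display form 'aabb-ccdd-eeff'."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_tci(vid: int, priority: int = 0, cfi: int = 0) -> int:
    """Pack Priority (3 bits), CFI (1 bit) and VLAN ID (12 bits) into the 16-bit TCI."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} is outside the usable range {VID_MIN}-{VID_MAX}")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority must be 0-7 and CFI must be 0 or 1")
    return (priority << 13) | (cfi << 12) | vid


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, priority: int = 0) -> bytes:
    """Ethernet II frame; with vid set, a four-byte 802.1Q tag sits between SA and Type."""
    frame = mac_to_bytes(dst) + mac_to_bytes(src)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, build_tci(vid, priority))
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into DA, SA, optional tag, Type and payload.

    The tag is recognised purely by the value 0x8100 in the position where the
    Type field of an untagged frame would sit, which is how a switch decides
    whether a received frame is tagged.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet II header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        tag = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def vid_is_usable(vid: int) -> bool:
    """True for VIDs a VLAN can actually be created with (1-4094)."""
    return VID_MIN <= vid <= VID_MAX


if __name__ == "__main__":
    # Constructed sample: an IPv4 frame in VLAN 100 with 802.1p priority 5.
    tagged = build_frame("0011-2233-5577", "00:aa:bb:cc:dd:ee", ETHERTYPE_IPV4,
                         b"\x45" + b"\x00" * 19, vid=100, priority=5)
    print(tagged[:18].hex(" "))        # DA, SA, 81 00, a0 64, 08 00
    print(parse_frame(tagged)["tag"])  # {'priority': 5, 'cfi': 0, 'vid': 100}
```

The TCI for VLAN 100 at priority 5 is 0xA064: 5 in the top three bits, CFI 0, and 100 (0x064) in the low twelve bits, so the on-wire tag is the four bytes 81 00 a0 64 between SA and Type.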
Based on how VLANs are established, VLANs fall into different categories. The most commonly used types are:
- Port-based
- MAC address-based
- Protocol-based
- IP-subnet-based
- Policy-based
- Other types
The S5500-SI series Ethernet switches support port-based VLAN and MAC address-based VLAN.
1.2 Configuring Basic VLAN Attributes
Follow these steps to configure basic VLAN attributes:
1) Enter system view: system-view
2) Create VLANs (optional): vlan { vlan-id1 [ to vlan-id2 ] | all }. This form creates multiple VLANs in bulk.
3) Enter VLAN view (required): vlan vlan-id. If the specified VLAN does not exist, the command creates the VLAN and then enters its view. By default only the default VLAN (VLAN 1) exists on the system.
4) Specify a descriptive string for the VLAN (optional): description text. By default the description is derived from the VLAN ID, for example "VLAN 0001".
Note the following restrictions:
- As the default VLAN, VLAN 1 can be neither created nor removed.
- Reserved VLANs, which are set aside for specific functions, cannot be created or removed manually.
- Dynamic VLANs cannot be removed with the undo vlan command.
- A VLAN that has a QoS policy configured cannot be removed.
- A VLAN configured as the remote-probe VLAN for remote port mirroring cannot be removed with the undo vlan command until its remote-probe VLAN configuration is removed.
1.3 Basic VLAN Interface Configuration
Hosts of different VLANs cannot communicate directly; routers or Layer 3 switches are needed for packets to travel between VLANs. VLAN interfaces are used to forward VLAN packets at Layer 3.
VLAN interfaces are Layer 3 virtual interfaces (they do not exist physically on the device) used for Layer 3 interoperability between VLANs. Each VLAN can have one VLAN interface, through which packets of that VLAN are forwarded at the network layer. Because each VLAN forms a broadcast domain, a VLAN can be an IP network segment and its VLAN interface can be the gateway that enables IP address-based Layer 3 forwarding. Keep in mind that creating a VLAN interface with an IP address deliberately reconnects the VLAN at Layer 3, so the Layer 2 isolation described in Introduction to VLAN no longer applies between routed VLANs; create VLAN interfaces only for VLANs that are meant to be reachable from other VLANs.
Follow these steps to configure basic VLAN interface attributes:
1) Enter system view: system-view
2) Create a VLAN interface or enter VLAN interface view (required): interface Vlan-interface vlan-interface-id. If the VLAN interface already exists, the command simply enters its view.
3) Configure an IP address for the VLAN interface (optional): ip address ip-address { mask | mask-length } [ sub ]. No IP address is configured by default.
4) Specify the descriptive string for the VLAN interface (optional): description text. The VLAN interface name is used by default, for example "Vlan-interface1 Interface".
5) Bring up the VLAN interface (optional): undo shutdown. A VLAN interface is up by default, but its state also depends on the states of the ports in the VLAN: if all ports in the VLAN are down, the VLAN interface is down; if one or more ports in the VLAN are up, the VLAN interface is up. A VLAN interface that has been shut down manually stays down regardless of the states of the ports in the VLAN.
Before creating a VLAN interface, ensure that the corresponding VLAN already exists; otherwise the specified VLAN interface is not created.
1.4 Port-Based VLAN Configuration
Port-based VLAN is the simplest and yet the most effective way of classifying VLANs: it groups VLAN members by port. Once a port has been added to a VLAN, it can forward the packets of that VLAN.
I. Port link type
Based on how it handles tags, a port's link type can be one of the following three:
- Access port: belongs to only one VLAN; normally used to connect user devices.
- Trunk port: can belong to multiple VLANs and receive and send packets for multiple VLANs; normally used to connect network devices.
- Hybrid port: can belong to multiple VLANs and receive and send packets for multiple VLANs; used to connect either user or network devices.
The differences between a Hybrid port and a Trunk port:
- A Hybrid port can send packets of multiple VLANs without the tag;
- A Trunk port sends only packets of its default VLAN without the tag.
II. Default VLAN
You can configure the default VLAN (PVID) of a port. By default VLAN 1 is the default VLAN of every port, but this can be changed as needed.
- An Access port belongs to only one VLAN, so its default VLAN is the VLAN it resides in and cannot be configured separately.
- A Trunk port or a Hybrid port can belong to multiple VLANs, so its default VLAN can be configured.
- After the default VLAN is deleted with the undo vlan command, the default VLAN of an Access port reverts to VLAN 1, whereas that of a Trunk or Hybrid port remains unchanged, so the port may be left using a nonexistent VLAN as its default VLAN.
For a port in automatic voice VLAN mode, do not set the voice VLAN as the default VLAN of the port; otherwise the system prompts an error. For information about voice VLAN, refer to Voice VLAN Configuration.
Configured with a default VLAN, a port handles packets as follows:
Access port
- Inbound, untagged packet: tag the packet with the default VLAN ID.
- Inbound, tagged packet: receive the packet if its VLAN ID equals the default VLAN ID; discard it otherwise.
- Outbound: strip the tag and send the packet, since its VLAN ID is the default VLAN ID.
Trunk port
- Inbound, untagged packet: if the default VLAN ID of the port is in the list of VLANs allowed to pass through the port, tag the packet with the default VLAN ID; otherwise discard the packet.
- Inbound, tagged packet: receive the packet if its VLAN ID is in the list of VLANs allowed to pass through the port; discard it otherwise.
- Outbound: strip the tag and send the packet if its VLAN ID equals the default VLAN ID; keep the tag and send the packet if its VLAN ID differs from the default VLAN ID but is allowed to pass through the port.
Hybrid port
- Inbound: handled in the same way as on a Trunk port.
- Outbound: send the packet if its VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure, per VLAN (including the default VLAN), whether the port keeps or strips the tag when sending packets of that VLAN.
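The following Python is an added example, not code from this manual or from the switch vendor: it models the inbound and outbound handling just described for the three link types and then pushes a frame across a link between two Trunk ports. Port names, VLAN numbers and the permitted lists are constructed sample data; the Hybrid inbound rules are taken to be those of a Trunk port, as in the table above. The cross_link function makes the consequence of mismatched default VLANs concrete: the sending side strips the tag from its default VLAN, and the receiving side files the untagged frame under its own default VLAN.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    link_type: str                      # "access", "trunk" or "hybrid"
    pvid: int = 1                       # default VLAN; VLAN 1 on every port by default
    permitted: Set[int] = field(default_factory=lambda: {1})   # VLANs allowed to pass
    untagged: Set[int] = field(default_factory=set)            # hybrid: VLANs sent untagged

    def __post_init__(self) -> None:
        if self.link_type == "access":
            # An access port belongs to exactly one VLAN, which is also its default VLAN.
            self.permitted = {self.pvid}
            self.untagged = {self.pvid}
        elif self.link_type == "trunk":
            # A trunk sends only its default VLAN untagged, whatever else it permits.
            self.untagged = {self.pvid}
        elif self.link_type != "hybrid":
            raise ValueError(f"unknown link type {self.link_type!r}")


def ingress(port: Port, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN an inbound frame is assigned to, or None if the port discards it.

    tag_vid is None for an untagged frame, otherwise the VID carried in its tag.
    """
    if port.link_type == "access":
        if tag_vid is None or tag_vid == port.pvid:
            return port.pvid
        return None
    # Trunk and hybrid ports follow the same inbound rules.
    if tag_vid is None:
        return port.pvid if port.pvid in port.permitted else None
    return tag_vid if tag_vid in port.permitted else None


def egress(port: Port, vid: int) -> Optional[bool]:
    """True: sent with the tag kept; False: sent with the tag stripped; None: not sent."""
    if vid not in port.permitted:
        return None
    return vid not in port.untagged


def cross_link(out_port: Port, in_port: Port, vid: int) -> Optional[int]:
    """Send a frame of VLAN vid out of out_port, into in_port on the peer device,
    and report which VLAN the peer files it under (None if dropped on either side)."""
    tagged = egress(out_port, vid)
    if tagged is None:
        return None
    return ingress(in_port, vid if tagged else None)


if __name__ == "__main__":
    # Constructed sample ports: the trunk from the configuration example in this
    # chapter (PVID 100, VLANs 2, 6-50 and 100) facing two different peers.
    local = Port("GE1/0/1", "trunk", pvid=100, permitted={2, 100} | set(range(6, 51)))
    peer_same_pvid = Port("GE1/0/1", "trunk", pvid=100, permitted={2, 100} | set(range(6, 51)))
    peer_other_pvid = Port("GE1/0/1", "trunk", pvid=200, permitted={2, 100, 200})
    print(cross_link(local, peer_same_pvid, 100))    # 100: arrives where it was sent
    print(cross_link(local, peer_other_pvid, 100))   # 200: leaked into the peer's PVID
    print(cross_link(local, peer_other_pvid, 2))     # 2: tagged VLANs are unaffected
```

Only untagged traffic is affected by a PVID mismatch, which is why the note under the Trunk configuration below requires the same default VLAN on both ends of a link.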
1.4.2 Configuring an Access-Port-Based VLAN
There are two ways to configure an Access-port-based VLAN: in VLAN view, or in Ethernet port view/port group view.
Follow these steps to configure an Access-port-based VLAN in VLAN view:
1) Enter system view: system-view
2) Enter VLAN view (required): vlan vlan-id. If the specified VLAN does not exist, the command creates it before entering its view.
3) Add Access ports to the current VLAN (required): port interface-list. By default the system adds all ports to VLAN 1.
Follow these steps to configure an Access-port-based VLAN in Ethernet port view or port group view:
1) Enter system view: system-view
2) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command: in Ethernet port view the subsequent configuration applies only to the current port; in port group view it applies to all ports in the port group.
3) Configure the port link type as Access (optional): port link-type access. The link type of a port is Access by default.
4) Add the current Access port to the specified VLAN (optional): port access vlan vlan-id. By default all Access ports belong to VLAN 1.
To add an Access
port to a VLAN, make sure the VLAN already exists.
1.4.3 Configuring a Trunk-Port-Based VLAN
A Trunk port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view or port group view.
Follow these steps to configure a Trunk-port-based VLAN:
1) Enter system view: system-view
2) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command: in Ethernet port view the subsequent configuration applies only to the current port; in port group view it applies to all ports in the port group.
3) Configure the port link type as Trunk (required): port link-type trunk
4) Allow the specified VLANs to pass through the current Trunk port (required): port trunk permit vlan { vlan-id-list | all }. By default a Trunk port allows only packets of VLAN 1 to pass.
5) Configure the default VLAN of the Trunk port (optional): port trunk pvid vlan vlan-id. The default is VLAN 1.
Note the following:
- To convert a Trunk port into a Hybrid port (or vice versa), you must go through the Access link type: configure the Trunk port as an Access port first, and then as a Hybrid port.
- The default VLAN IDs of the Trunk ports on the local and peer devices must be the same. Otherwise packets cannot be transmitted properly: each side sends its own default VLAN untagged, and the other side tags those untagged packets with its own, different default VLAN, so traffic silently crosses from one VLAN into another.
1.4.4 Configuring a Hybrid-Port-Based VLAN
A Hybrid port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view or port group view.
Follow these steps to configure a Hybrid-port-based VLAN:
1) Enter system view: system-view
2) Enter Ethernet port view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command: in Ethernet port view the subsequent configuration applies only to the current port; in port group view it applies to all ports in the port group.
3) Configure the port link type as Hybrid (required): port link-type hybrid
4) Allow the specified VLANs to pass through the current Hybrid port (required): port hybrid vlan vlan-id-list { tagged | untagged }. By default a Hybrid port allows only packets of VLAN 1 to pass.
5) Configure the default VLAN of the Hybrid port (optional): port hybrid pvid vlan vlan-id. The default is VLAN 1.
Note the following:
- To convert a Trunk port into a Hybrid port (or vice versa), you must go through the Access link type: configure the Trunk port as an Access port first, and then as a Hybrid port.
- Ensure that the VLANs already exist before configuring them to pass through a Hybrid port.
- The default VLAN IDs of the Hybrid ports on the local and peer devices must be the same. Otherwise packets cannot be transmitted properly, for the same reason as with Trunk ports: untagged packets of one side's default VLAN are filed under the other side's default VLAN.
1.5 MAC Address-Based VLAN Configuration
With MAC address-based VLANs, the VLAN a packet belongs to is determined by its source MAC address, and packets in a MAC address-based VLAN are forwarded after being tagged with the tag of that VLAN. This function is usually combined with security technologies such as 802.1X to provide secure and flexible network access for terminal devices. On its own, a MAC address-to-VLAN entry is not an access control: the source MAC address is chosen by the sending host, so it is the authentication that makes the VLAN assignment trustworthy.
I. MAC address-based VLAN implementation
With MAC address-based VLANs created on a port, the port operates as follows:
- If an untagged packet is received, the port looks up its MAC address-to-VLAN entries for one matching the source MAC address of the packet. If such an entry exists, the packet is forwarded based on the matched VLAN ID and priority value; otherwise the packet is forwarded based on the default VLAN of the port.
- If a tagged packet is received, the port processes it in the same way as a port-based VLAN packet: it forwards the packet if the VLAN in the tag is permitted on the port, and drops it if that VLAN is not permitted.
II. Ways to create MAC address-based VLANs
A MAC address-based VLAN can be created in either of the following two ways.
- Static configuration (through the CLI): you associate MAC addresses with VLANs using the corresponding commands.
- Automatic configuration through the authentication server (VLAN issuing): the device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. When a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires the MAC address-to-VLAN mapping to be configured on the authentication server. For details, refer to 802.1x-HABP-MAC Authentication Configuration.
The two methods can be used at the same time, that is, a MAC address-to-VLAN entry can be configured on both the local device and the authentication server. Note that such an entry takes effect only when the configuration on the local device is consistent with that on the authentication server.
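The following Python is an added example, not code from this manual or from the switch vendor, covering both the inbound handling in part I and the static and server-issued entries in part II. It keeps a table of static (CLI) and dynamic (authentication-server issued) MAC-to-VLAN entries, removes dynamic entries when the user goes offline, applies the consistency rule above (an entry that exists in both places takes effect only when both agree; that reading of the rule is this example's assumption), and classifies frames arriving on a Hybrid port. MAC addresses, VLAN numbers and the permitted list are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def norm_mac(mac: str) -> str:
    """Accept 0011-2233-5577 or 00:11:22:33:55:77 and return 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class MacVlanEntry:
    vlan: int
    priority: int = 0   # 802.1p priority written into the tag, 0-7


class MacVlanTable:
    """Static (CLI) and dynamic (authentication-server issued) MAC-to-VLAN entries."""

    def __init__(self) -> None:
        self.static: Dict[str, MacVlanEntry] = {}
        self.dynamic: Dict[str, MacVlanEntry] = {}

    def add_static(self, mac: str, vlan: int, priority: int = 0) -> None:
        """Equivalent of: mac-vlan mac-address mac-addr vlan vlan-id [ priority priority ]."""
        self.static[norm_mac(mac)] = MacVlanEntry(vlan, priority)

    def remove_static(self, mac: str) -> None:
        self.static.pop(norm_mac(mac), None)

    def server_issued(self, mac: str, vlan: int, priority: int = 0) -> None:
        """Entry learned when the authentication server issues a VLAN for this MAC."""
        self.dynamic[norm_mac(mac)] = MacVlanEntry(vlan, priority)

    def user_offline(self, mac: str) -> None:
        """Dynamic entries disappear when the user goes offline; static ones stay."""
        self.dynamic.pop(norm_mac(mac), None)

    def lookup(self, mac: str) -> Optional[MacVlanEntry]:
        """Effective entry for a source MAC, or None when nothing applies.

        When both a static and a server-issued entry exist, they take effect
        only if they agree (our reading of the consistency rule on this page).
        """
        key = norm_mac(mac)
        static, dynamic = self.static.get(key), self.dynamic.get(key)
        if static is not None and dynamic is not None:
            return static if static == dynamic else None
        return static if static is not None else dynamic


def classify_on_hybrid(table: MacVlanTable, mac_vlan_enabled: bool, pvid: int,
                       permitted: Set[int], src_mac: str,
                       tag_vid: Optional[int]) -> Optional[Tuple[int, Optional[int]]]:
    """Return (vlan, priority) for an inbound frame on a Hybrid port, or None to drop.

    priority is None when the frame keeps whatever priority it already carried.
    """
    if tag_vid is not None:
        # Tagged frames follow port-based handling: permitted VLAN or discard.
        return (tag_vid, None) if tag_vid in permitted else None
    if mac_vlan_enabled:
        entry = table.lookup(src_mac)
        if entry is not None:
            return (entry.vlan, entry.priority)
    # No matching entry, or the feature is disabled: the port's default VLAN applies.
    return (pvid, None)


if __name__ == "__main__":
    # Constructed sample: one static binding, then a conflicting server-issued one.
    table = MacVlanTable()
    table.add_static("0011-2233-5577", 10, priority=3)
    permitted = {1, 10, 20}
    print(classify_on_hybrid(table, True, 1, permitted, "00:11:22:33:55:77", None))  # (10, 3)
    table.server_issued("0011-2233-5577", 11)            # disagrees with the static entry
    print(classify_on_hybrid(table, True, 1, permitted, "00:11:22:33:55:77", None))  # (1, None)
```

Note that the port must also permit the MAC address-based VLANs (step 5 of the procedure below); this example does not model that check.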
MAC address-based VLANs are available only on Hybrid ports.
Follow these steps to configure a MAC address-based VLAN:
1) Enter system view: system-view
2) Associate MAC addresses with a VLAN (required): mac-vlan mac-address mac-addr vlan vlan-id [ priority priority ]
3) Enter Ethernet interface view (interface interface-type interface-number) or port group view (port-group { manual port-group-name | aggregation agg-id }). Use either command: the configuration performed in Ethernet interface view applies to the current port only; the configuration performed in port group view applies to all ports in the port group.
4) Configure the link type of the port(s) as Hybrid (required): port link-type hybrid
5) Configure the current Hybrid port(s) to permit packets of the MAC address-based VLANs (required): port hybrid vlan vlan-id-list { tagged | untagged }. By default a Hybrid port permits only packets of VLAN 1.
6) Enable MAC address-based VLAN (required): mac-vlan enable. Disabled by default.
1.6 Displaying and Maintaining VLAN
- Display information about specific VLANs: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] (available in any view)
- Display information about a VLAN interface: display interface Vlan-interface [ vlan-interface-id ] (available in any view)
- Display all ports with MAC address-based VLAN enabled: display mac-vlan interface (available in any view)
- Display information about specific MAC address-to-VLAN entries: display mac-vlan { all | dynamic | mac-address mac-addr | static | vlan vlan-id } (available in any view)
- Clear the statistics on a VLAN interface: reset counters interface Vlan-interface [ vlan-interface-id ] (available in user view)
1.7 VLAN Configuration Example
I. Network requirements
- Device A connects to Device B through Trunk port GigabitEthernet 1/0/1;
- The default VLAN ID of the port is 100;
- The port allows packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
II. Network diagram

Figure 1-4 Network diagram for port-based VLAN configuration
III. Configuration procedure
1) Configure Device A
# Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] vlan 100
[DeviceA-vlan100] vlan 6 to 50
Please wait... Done.
# Enter GigabitEthernet 1/0/1 port view.
[DeviceA] interface GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a Trunk port and configure its default VLAN ID as 100.
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Configure GigabitEthernet 1/0/1 to deny the packets of VLAN 1 (by default, the packets of VLAN 1 are permitted on all ports).
[DeviceA-GigabitEthernet1/0/1] undo port trunk permit vlan 1
# Allow packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
2) Configure Device B following the same steps as for Device A.
IV. Verification
Verifying the configuration of Device B is the same as for Device A, so only Device A is shown here.
# Display the information about GigabitEthernet 1/0/1 of Device A to verify the configuration above.
<DeviceA> display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 0011-2233-5577
Description: GigabitEthernet1/0/1 Interface
Loopback is not set
Media type is twisted pair
Port hardware type is 1000_BASE_T
1000Mbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 9212
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 100
Mdi type: auto
Link delay is 0(sec)
Port link-type: trunk
 Tagged VLAN ID : 2, 6-50, 100
 Untagged VLAN ID : 2, 6-50, 100
Port priority: 0
Last 300 seconds input: 8 packets/sec 1513 bytes/sec 0%
Last 300 seconds output: 1 packets/sec 179 bytes/sec 0%
Input (total): 25504971 packets, 13911485028 bytes
 14288575 broadcasts, 11111535 multicasts
Input (normal): 25504971 packets, - bytes
 14288575 broadcasts, 11111535 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
 0 CRC, 0 frame, - overruns, 0 aborts
 - ignored, - parity errors
Output (total): 175995 packets, 31290143 bytes
 47 broadcasts, 68494 multicasts, 0 pauses
Output (normal): 175995 packets, - bytes
 47 broadcasts, 68494 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
 0 aborts, 0 deferred, 0 collisions, 0 late collisions
 0 lost carrier, - no carrier
The output above shows that:
- The port is a Trunk port (Port link-type: trunk).
- The default VLAN is VLAN 100 (PVID: 100).
- The port permits packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 (the VLAN ID lists read 2, 6-50, 100), and VLAN 1 no longer appears in them.
So the configuration is successful.
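The verification above reads the display interface output by eye. The following Python is an added example, not part of this manual or of the switch vendor's tooling: it parses that output, expands the VLAN ID lists, audits the port against the requirements of this example (Trunk link type, PVID 100, VLANs 2, 6-50 and 100 with VLAN 1 removed) and checks that both ends of the link use the same default VLAN, which the notes under the Trunk configuration require. The two outputs embedded in it are constructed samples modelled on the output above, not captures from a device, and the field layout is assumed to be the one shown on this page.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt modelled on the display interface output above (sample data,
# not captured from a device): PVID 100, VLANs 2 and 6-50 tagged, VLAN 100 untagged.
DEVICE_A_OUTPUT = """\
GigabitEthernet1/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 0011-2233-5577
Description: GigabitEthernet1/0/1 Interface
PVID: 100
Port link-type: trunk
 Tagged   VLAN ID : 2, 6-50
 Untagged VLAN ID : 100
Port priority: 0
"""

# Constructed peer whose default VLAN was left at 1 and which still permits VLAN 1.
DEVICE_B_OUTPUT = """\
GigabitEthernet1/0/1 current state: UP
PVID: 1
Port link-type: trunk
 Tagged   VLAN ID : 2, 6-50, 100
 Untagged VLAN ID : 1
"""

# "Key: value" lines whose key is made of letters, spaces, '/' and '-' only.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /-]*?)\s*:\s*(?P<val>.*?)\s*$")


def expand_vlan_list(text: str) -> Set[int]:
    """'2, 6-50, 100' -> {2, 6, ..., 50, 100}; 'none' -> empty set."""
    vids: Set[int] = set()
    for item in text.replace(",", " ").split():
        if item.lower() == "none":
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            vids.update(range(int(lo), int(hi) + 1))
        else:
            vids.add(int(item))
    return vids


def parse_display_interface(output: str) -> Dict:
    """Pull link type, PVID and the tagged/untagged VLAN lists out of the output."""
    info: Dict = {"link_type": None, "pvid": None, "tagged": set(), "untagged": set()}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = " ".join(m.group("key").split())   # collapse alignment spaces
        val = m.group("val")
        if key == "Port link-type":
            info["link_type"] = val
        elif key == "PVID":
            info["pvid"] = int(val)
        elif key == "Tagged VLAN ID":
            info["tagged"] = expand_vlan_list(val)
        elif key == "Untagged VLAN ID":
            info["untagged"] = expand_vlan_list(val)
    return info


def audit_trunk(info: Dict, expected_pvid: int, expected_vlans: Set[int]) -> List[str]:
    """Findings against the port; an empty list means the port matches the requirements."""
    findings: List[str] = []
    if info["link_type"] != "trunk":
        findings.append(f"link type is {info['link_type']}, expected trunk")
    if info["pvid"] != expected_pvid:
        findings.append(f"PVID is {info['pvid']}, expected {expected_pvid}")
    permitted = info["tagged"] | info["untagged"]
    if permitted != expected_vlans:
        findings.append(f"permitted VLANs differ: extra {sorted(permitted - expected_vlans)}, "
                        f"missing {sorted(expected_vlans - permitted)}")
    if 1 in permitted:
        findings.append("VLAN 1 is still permitted on the trunk")
    return findings


def pvids_match(a: Dict, b: Dict) -> bool:
    """Both ends of a trunk link must use the same default VLAN."""
    return a["pvid"] is not None and a["pvid"] == b["pvid"]


if __name__ == "__main__":
    expected = {2, 100} | set(range(6, 51))
    a = parse_display_interface(DEVICE_A_OUTPUT)
    b = parse_display_interface(DEVICE_B_OUTPUT)
    print(audit_trunk(a, 100, expected))   # []
    print(audit_trunk(b, 100, expected))   # three findings
    print(pvids_match(a, b))               # False
```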