1.1 VLAN Overview
The traditional Ethernet is a flat network,
where all hosts are in the same broadcast domain and connected with each other through
hubs or switches. The hub is a physical layer device without the switching
function, so it forwards the received packet to all ports. The switch is a link
layer device which can forward the packet according to the MAC address of the
packet. However, when the switch receives a broadcast packet or an unknown
unicast packet whose MAC address is not included in the MAC address table of
the switch, it will forward the packet to all the ports except the inbound port
of the packet. In this case, every host in the network receives many packets
that are not destined for it. This wastes bandwidth and, because frames reach
hosts they were not addressed to, is also a potential security problem.
The traditional way to isolate broadcast domains is to use routers. However,
routers are expensive and provide few ports, so they cannot divide the network
into fine-grained segments.
The virtual local area network (VLAN)
technology is developed for switches to control broadcast in LANs.
By creating VLANs in a physical LAN, you
can divide the LAN into multiple logical LANs, each of which has a broadcast
domain of its own. Hosts in the same VLAN communicate with each other as if
they are in a LAN. However, hosts in different VLANs cannot communicate with
each other directly. Figure 1-1 illustrates a VLAN
implementation.

Figure 1-1 A VLAN implementation
A VLAN can span multiple switches, or even routers, so the hosts in a VLAN can
be dispersed more loosely: hosts in the same VLAN can belong to different
physical network segments.
Compared with the traditional Ethernet, VLAN has the following advantages.
1) Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves network performance.
2) Network security is improved. VLANs cannot communicate with each other directly. That is, a host in a VLAN cannot access resources in another VLAN directly, unless routers or Layer 3 switches are used.
3) Network configuration workload for hosts is reduced. VLANs can be used to group specific hosts. When the physical position of a host changes within the range of its VLAN, its network configuration need not be changed.
VLAN tags in the packets are necessary for the switch to identify packets of
different VLANs. The switch works at Layer 2 (Layer 3 switches are not
discussed in this chapter) and can identify only the data link layer
encapsulation of the packet, so the VLAN tag field can only be added to the
data link layer encapsulation.
In 1999, IEEE issued the IEEE 802.1Q standard to standardize VLAN
implementation, defining the structure of VLAN-tagged packets.
In traditional Ethernet data frames, the type field of the upper layer
protocol is encapsulated after the destination MAC address and source MAC
address, as shown in Figure 1-2.

Figure 1-2 Encapsulation format of traditional Ethernet frames
In Figure 1-2, DA refers to the destination MAC address, SA refers to the
source MAC address, and Type refers to the protocol type of the packet. The
IEEE 802.1Q protocol defines a 4-byte VLAN tag that is encapsulated after the
destination MAC address and source MAC address to carry the VLAN information.

Figure 1-3 Format of VLAN tag
As shown in Figure 1-3, a VLAN tag contains four fields: TPID, priority, CFI,
and VLAN ID.
- TPID is a 16-bit field indicating that this data frame is VLAN-tagged. By default, it is 0x8100 in H3C series Ethernet switches.
- Priority is a 3-bit field carrying the 802.1p priority. Refer to section “QoS & QoS profile” for details.
- CFI is a 1-bit field indicating whether the MAC address is encapsulated in the standard format in different transmission media. This field is not described in detail in this chapter.
- VLAN ID is a 12-bit field indicating the ID of the VLAN to which this packet belongs. It is in the range of 0 to 4,095. Generally, 0 and 4,095 are not used, so the field is in the range of 1 to 4,094.
The VLAN ID identifies the VLAN to which a packet belongs. When the switch
receives an untagged packet, it encapsulates a VLAN tag carrying the default
VLAN ID of the inbound port into the packet, and the packet is assigned to the
default VLAN of the inbound port for transmission. For details about setting
the default VLAN of a port, refer to section “Port Basic Configuration” in H3C
S7500 Series Ethernet Switches – Operation Manual.
Port-based VLAN is the simplest way to classify VLANs. You can isolate hosts
and divide them into different virtual workgroups by assigning the ports of
the device that connect to the hosts to different VLANs.
This method is easy to implement and manage, and it is suitable for hosts with
relatively fixed positions.
Protocol-based VLAN, also known as protocol VLAN, is another way to classify
VLANs besides port-based VLAN. With protocol-based VLANs, the switch analyzes
the untagged packets received on a port and matches them against user-defined
protocol templates according to their encapsulation formats and the values of
specific fields. If a packet matches a template, the switch automatically adds
the corresponding VLAN tag to it, so the data of a specific protocol is
automatically assigned to the corresponding VLAN for transmission.
This feature is used to bind the types of service (ToS) provided in the
network to VLANs, to facilitate management and maintenance.
This section introduces the common encapsulation formats of Ethernet data so
that you can understand how the switch identifies packet protocols.
I. Ethernet II and 802.3 encapsulation
In the link layer, there are two main packet encapsulation types: Ethernet II
and 802.3, whose encapsulation formats are described in the following figures.
Ethernet II packet:

Figure 1-4 Ethernet II encapsulation format
802.3 standard packet:

Figure 1-5 802.3 standard encapsulation format
In the two figures, DA and SA refer to the destination MAC address and source
MAC address of the packet respectively. The number in brackets indicates the
field length in bits.
The maximum length of an Ethernet packet is 1500 bytes, that is, 0x05DC in
hexadecimal, so the length field in 802.3 encapsulation is in the range of
0x0000 to 0x05DC. The type field in Ethernet II encapsulation, by contrast, is
in the range of 0x0600 to 0xFFFF.
The switch identifies whether a packet is an Ethernet II packet or an 802.3
packet according to these two ranges.
II. Encapsulation formats of 802.3 packets
802.3 packets are encapsulated in the following three formats:
- 802.3 raw encapsulation: only the length field is encapsulated after the source and destination address fields, followed by the upper layer data. The type field is not included.

Figure 1-6 802.3 raw encapsulation format
Currently, only the IPX protocol uses the 802.3 raw encapsulation format. This
format is identified by the two bytes following the length field, whose value
is 0xFFFF.
- 802.2 logical link control (LLC) encapsulation: the length field, the destination service access point (DSAP) field, the source service access point (SSAP) field and the control field are encapsulated after the source and destination address fields.

Figure 1-7 802.2 LLC encapsulation format
The DSAP field and the SSAP field in the LLC part identify the upper layer
protocol. For example, if both fields are 0xE0, the upper layer protocol is
IPX.
- 802.2 sub-network access protocol (SNAP) encapsulation: the length field, the DSAP field, the SSAP field, the control field, the OUI field and the PID field are encapsulated after the source and destination address fields, following the 802.3 standard packet format.

Figure 1-8 802.2 SNAP encapsulation format
In 802.2 SNAP encapsulation, the values of the DSAP field and the SSAP field
are always 0xAA, and the value of the control field is always 0x03.
The switch differentiates between 802.2 LLC encapsulation and 802.2 SNAP
encapsulation according to the values of the DSAP field and the SSAP field.
When the OUI is 00-00-00 in 802.2 SNAP encapsulation, the PID field has the
same meaning as the type field in Ethernet II encapsulation: both carry a
globally unique protocol number. Such encapsulation is also known as SNAP
RFC 1042 encapsulation, which is the standard SNAP encapsulation. The SNAP
encapsulation mentioned in this chapter refers to SNAP RFC 1042 encapsulation.

Figure 1-9 Procedure for the switch to judge packet protocol
Table 1-1 Encapsulation formats
| Protocol | Ethernet II | 802.3 raw | 802.2 LLC | 802.2 SNAP | Type value |
| --- | --- | --- | --- | --- | --- |
| IP | Supported | Not supported | Not supported | Supported | 0x0800 |
| IPX | Supported | Supported | Supported | Supported | 0x8137 |
| AppleTalk | Supported | Not supported | Not supported | Supported | 0x809B |
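As an added example (not part of the H3C manual), the following Python parses a frame the way this section describes: it reads the 802.1Q tag (TPID 0x8100) or assigns the inbound port's default VLAN to an untagged frame, then applies the Figure 1-9 decision procedure to the length/type field and maps the result onto Table 1-1. The sample frames are constructed; the "invalid" result for a length/type value between 0x05DC and 0x0600, and the fallback to the port's default VLAN for VLAN ID 0 (an 802.1Q priority-tagged frame), go beyond what the text states.

```python
import struct

TPID_8021Q = 0x8100        # default TPID on H3C switches (from the page)
MAX_8023_LENGTH = 0x05DC   # 802.3 length field: 0x0000..0x05DC (1500 bytes)
MIN_ETHII_TYPE = 0x0600    # Ethernet II type field: 0x0600..0xFFFF
# Type values from Table 1-1 (shared by Ethernet II and SNAP RFC 1042) and
# the LLC SAP value the text gives for IPX.
TYPE_TO_PROTOCOL = {0x0800: "IP", 0x8137: "IPX", 0x809B: "AppleTalk"}
SAP_TO_PROTOCOL = {0xE0: "IPX"}

def parse_vlan_tag(frame, port_pvid):
    """Read the 802.1Q tag after DA/SA, or fall back to the inbound port's
    default VLAN (PVID) for an untagged frame. Also returns the offset of
    the length/type field that follows."""
    if len(frame) < 14:
        raise ValueError("frame too short for DA, SA and length/type")
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return {"tagged": False, "vid": port_pvid, "priority": 0, "cfi": 0}, 12
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack_from("!H", frame, 14)[0]
    tag = {"tagged": True, "priority": tci >> 13,          # 3-bit 802.1p priority
           "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}  # 1-bit CFI, 12-bit VID
    if tag["vid"] == 4095:
        raise ValueError("reserved VLAN ID 4095")
    if tag["vid"] == 0:   # 802.1Q priority-tagged frame: carries no VID, use PVID
        tag["vid"] = port_pvid
    return tag, 16

def classify_encapsulation(frame, off):
    """Decision procedure of Figure 1-9 applied to the field at offset `off`."""
    if len(frame) < off + 4:
        raise ValueError("truncated length/type field")
    lt = struct.unpack_from("!H", frame, off)[0]
    if lt >= MIN_ETHII_TYPE:
        return "Ethernet II", TYPE_TO_PROTOCOL.get(lt, "unknown(0x%04X)" % lt)
    if lt > MAX_8023_LENGTH:
        return "invalid", "0x%04X is neither a length nor a type" % lt
    # 802.3: lt is a length; the 0xFFFF IPX marker or an LLC header follows
    dsap, ssap = frame[off + 2], frame[off + 3]
    if dsap == 0xFF and ssap == 0xFF:
        return "802.3 raw", "IPX"                # only IPX uses 802.3 raw
    if dsap == 0xAA and ssap == 0xAA:
        if len(frame) < off + 10:
            raise ValueError("truncated SNAP header")
        ctrl, oui = frame[off + 4], frame[off + 5:off + 8]
        pid = struct.unpack_from("!H", frame, off + 8)[0]
        if ctrl != 0x03 or oui != b"\x00\x00\x00":
            return "802.2 SNAP", "non-RFC1042 SNAP (OUI %s)" % oui.hex()
        return "802.2 SNAP", TYPE_TO_PROTOCOL.get(pid, "unknown(0x%04X)" % pid)
    return "802.2 LLC", SAP_TO_PROTOCOL.get(dsap, "unknown(DSAP 0x%02X)" % dsap)

def classify_frame(frame, port_pvid):
    """Assign the frame to a VLAN, then identify its encapsulation and protocol."""
    tag, off = parse_vlan_tag(frame, port_pvid)
    encap, proto = classify_encapsulation(frame, off)
    return {**tag, "encapsulation": encap, "protocol": proto}

# Constructed sample frames: DA, SA and payload bytes are filler.
DA, SA = bytes.fromhex("010203040506"), bytes.fromhex("0a0b0c0d0e0f")
TAGGED_IP = DA + SA + bytes.fromhex("8100 a064 0800") + b"\x45" + b"\x00" * 19
RAW_IPX = DA + SA + bytes.fromhex("0020 ffff") + b"\x00" * 30
LLC_IPX = DA + SA + bytes.fromhex("0020 e0e0 03") + b"\x00" * 29
SNAP_ATALK = DA + SA + bytes.fromhex("0020 aaaa 03 000000 809b") + b"\x00" * 24

if __name__ == "__main__":
    for name, frame in [("tagged IP", TAGGED_IP), ("raw IPX", RAW_IPX),
                        ("LLC IPX", LLC_IPX), ("SNAP AppleTalk", SNAP_ATALK)]:
        print(name, classify_frame(frame, port_pvid=7))
```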
S7500 series Ethernet switches assign a packet to a specific VLAN by matching
the packet against protocol templates.
A protocol template is the criterion used to determine the protocol to which a
packet belongs. Protocol templates include standard templates and user-defined
templates:
- The standard template uses the RFC-defined packet encapsulation formats and the values of some specific fields as the matching criteria.
- The user-defined template uses user-defined encapsulation formats and the values of some specific fields as the matching criteria.
After configuring the protocol template, you must add a port to the
protocol-based VLAN and associate this port with the protocol template. This
port then adds VLAN tags to packets based on their protocol types. The port in
the protocol-based VLAN must be connected to a client. However, a common client
cannot process VLAN-tagged packets. So that the client can process the packets
sent out of this port, you must configure the port in the protocol-based VLAN
as a hybrid port and configure it to remove VLAN tags when forwarding packets
of all VLANs.
For the operation of removing VLAN tags when the hybrid port sends packets,
refer to the section “Port Basic Configuration” in this manual.
Chapter 2 VLAN Configuration
Table 2-1 Basic VLAN configuration
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Assign a name to the current VLAN | name string | Optional. By default, the name of a VLAN is its VLAN ID. |
| Specify the description string of the current VLAN | description string | Optional. By default, the description string of a VLAN is its VLAN ID. |
You can use the following command to set the maximum volume of broadcast
traffic allowed through a VLAN. When the actual broadcast traffic exceeds the
specified value, the system discards the extra packets so that the bandwidth
occupied by broadcast traffic is kept within a specific ratio. In this way, the
system can suppress broadcast storms, avoid network congestion and ensure
normal network operation.
Table 2-2 Configure VLAN broadcast storm suppression
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | — |
| Set VLAN broadcast storm suppression | broadcast-suppression { ratio \| pps pps } | |
A VLAN only supports one broadcast storm
suppression mode at one time. If you configure broadcast storm suppression
modes multiple times for a VLAN, the latest configuration will overwrite the
previous configuration.
The boards of S7500 series switches support
different broadcast storm suppression modes, as listed in Table 2-3.
Table 2-3 Broadcast storm suppression modes and board types
| Broadcast storm suppression mode | A-type board | Non-A-type board |
| --- | --- | --- |
| VLAN pps suppression | Supported | Not supported |
| VLAN bandwidth ratio suppression | Supported | Not supported |
A-type boards include LS81FT48A, LS81FM24A, LS81FS24A, LS81GB8UA, LS81GT8UA,
iSalience I, Salience I and Salience II.
I. Configuration prerequisites
Create a VLAN before configuring a VLAN interface.
II. Configuration procedure
Table 2-4 Basic VLAN interface configuration
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN interface and enter VLAN interface view | interface Vlan-interface vlan-id | Required. The vlan-id argument ranges from 1 to 4,094. |
| Specify the description string for the current VLAN interface | description text | Optional. By default, the description string of a VLAN interface is the name of the VLAN interface. |
| Disable the VLAN interface | shutdown | Optional |
| Enable the VLAN interface | undo shutdown | Optional |
Note that the operation of
enabling/disabling a VLAN interface does not influence the enabling/disabling
states of the Ethernet ports belonging to this VLAN.
By default, a VLAN interface is enabled. In
this scenario, the VLAN interface’s status is determined by the status of
its ports, that is, if all the ports of the VLAN interface are down, the VLAN
interface is down (disabled); if one or more ports of the VLAN interface are
up, the VLAN interface is up (enabled).
If a VLAN interface is disabled, its status
is not determined by the status of its ports.
After the configuration above, you can
execute the display command in any view to display the running status
after the configuration, so as to verify the configuration.
Table 2-5 Display VLAN configuration
| Operation | Command | Description |
| --- | --- | --- |
| Display the VLAN interface information | display interface Vlan-interface [ vlan-id ] | You can execute the display command in any view. |
| Display the VLAN information | display vlan [ vlan-id [ to vlan-id ] \| all \| static \| dynamic ] | You can execute the display command in any view. |
I. Configuration prerequisites
Create a VLAN before configuring a port-based VLAN.
II. Configuration procedure
Table 2-6 Configure a port-based VLAN
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | — |
| Add Ethernet ports to the specific VLAN | port interface-list | Required. By default, all the ports belong to the default VLAN. |
Caution:
The commands above are effective for access ports only. To add trunk ports or
hybrid ports to a VLAN, you can only use the port trunk permit vlan command or
the port hybrid vlan command in Ethernet port view. For the configuration
procedure, refer to the Port Basic Configuration part in H3C S7500 Series
Ethernet Switches – Operation Manual.
I. Configuration requirements
- Create VLAN 2 and VLAN 3 and specify the description string of VLAN 2 as home;
- Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2 and add Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
II. Network diagram

Figure 2-1 Network diagram for VLAN configuration
III. Configuration procedure
# Create VLAN 2 and enter its view.
<H3C> system-view
[H3C] vlan 2
# Specify the description string of VLAN 2 as home.
[H3C-vlan2] description home
# Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2.
[H3C-vlan2] port Ethernet1/0/1 Ethernet1/0/2
# Create VLAN 3 and enter its view.
[H3C-vlan2] vlan 3
# Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
[H3C-vlan3] port Ethernet1/0/3 Ethernet1/0/4
I. Configuration prerequisites
Create a VLAN before configuring a protocol-based VLAN.
II. Configuration procedure
Table 2-7 Create protocol types of VLANs
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | Required |
| Create the protocol template for the VLAN | protocol-vlan [ protocol-index ] { at \| ip [ ip-address [ net-mask ] ] \| ipx { ethernetii \| llc \| raw \| snap } \| mode { ethernetii [ etype etype-id ] \| llc { dsap dsap-id [ ssap ssap-id ] \| ssap ssap-id } \| snap [ etype etype-id ] } } | Required |
When you create protocol templates for protocol-based VLANs, the at, ip and
ipx keywords create standard templates, and the mode keyword creates
user-defined templates.
Caution:
In a VLAN, it is not allowed to configure two templates with the same protocol
type and encapsulation format. If any parameter in a user-defined template has
the same value as the corresponding parameter in a standard template, the
user-defined template and the standard template cannot be configured in the
same VLAN.
Pay attention to the following notices about template configuration:
- It is not allowed to configure both the ipx llc standard template and an LLC user-defined template in the same VLAN.
- It is not allowed to configure both the ipx raw standard template and an LLC user-defined template whose dsap and ssap are both ff in the same VLAN.
- It is not allowed to configure both the ipx ethernetii standard template and an Ethernet II user-defined template whose etype is 8137 in the same VLAN.
- It is not allowed to configure both the ipx snap standard template and a SNAP user-defined template whose etype is 8137 in the same VLAN.
- When the values of the dsap-id and ssap-id arguments are AA, the packet encapsulation type is not llc but snap. To avoid template conflicts, the system disables the value AA for the dsap-id and ssap-id arguments when you configure an LLC user-defined template.
In addition, pay attention to the following notices about the IP template:
- If a packet matches both an IPv4-based VLAN and a VLAN based on another protocol, the IPv4-based VLAN takes higher priority.
- ip [ ip-address [ net-mask ] ] defines an IPv4-based VLAN. To define IP-based VLANs with other encapsulation formats, use mode ethernetii [ etype etype-id ] or mode snap [ etype etype-id ], with etype-id set to 0x0800.
I. Configuration prerequisites
- The protocol template for the protocol-based VLAN has been created.
- The port is configured as a hybrid port, and it is configured to remove VLAN tags when it forwards the packets of the protocol-based VLANs.
II. Configuration procedure
Table 2-8 Associate a port with the protocol-based VLAN
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter port view | interface interface-type interface-number | Required |
| Associate a port with the protocol-based VLAN | port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] \| all } | Required |
Caution:
- For the operation of adding a port to a VLAN in the untagged way, refer to the Port Basic Configuration Operation part in this manual.
- In the same VLAN, it is not allowed to configure the same protocol type and encapsulation format twice. Between different VLANs, the same protocol type and encapsulation format can be configured, but they cannot be distributed to the same port. Even a user-defined template and a standard template with the same encapsulation format cannot be distributed to the same port.
- If a protocol has been distributed to a VLAN, the VLAN cannot be removed.
- If a protocol of a VLAN has been distributed to a port, the VLAN cannot be removed from the port.
- If a protocol of a VLAN has been distributed to a port, the protocol cannot be removed from the VLAN.
You can perform the following configuration
in system view.
Table 2-9 Create/Remove protocol-based VLAN on specific board
| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a protocol-based VLAN on a specific board | protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] \| all } { slot slot-number \| mainboard } | Required |
Caution:
- The ports on the board that require the protocol must be added to the protocol-based VLAN.
- Currently, only non-A-type boards, including service boards and main control boards, support this command.
- If a protocol-based VLAN has been associated with a board, the VLAN cannot be removed.
- If a protocol in a VLAN has been associated with a board, the protocol cannot be removed from the VLAN.
Table 2-10
shows the supported protocol-based VLAN creation commands on different boards.
Table 2-10 Protocol-based VLAN creation commands on different boards
| Command description | A-type board | Non-A-type board |
| --- | --- | --- |
| Create a protocol-based VLAN on a specific board in system view | Not supported | Supported (only for all IP protocols and subnet IP protocols) |
| Create a protocol-based VLAN on a specific port in Ethernet port view | Supported | Supported (excluding all IP protocols and subnet IP protocols) |
A-type boards include LS81FT48A, LS81FM24A, LS81FS24A, LS81GB8UA, LS81GT8UA,
iSalience I, Salience I and Salience II.
After the configuration above, you can
execute the display command in any view to display the running status,
so as to verify the configuration.
Table 2-11 Display VLAN configuration
| Operation | Command | Description |
| --- | --- | --- |
| Display the information about the protocol-based VLAN | display vlan [ vlan-id [ to vlan-id ] \| all \| static \| dynamic ] | You can execute the display command in any view. |
| Display the protocol information and protocol indexes configured on the specified VLAN | display protocol-vlan vlan { vlan-id [ to vlan-id ] \| all } | You can execute the display command in any view. |
| Display the protocol information and protocol indexes configured on the specified port | display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] \| all } | You can execute the display command in any view. |
| Display protocol-based VLAN information on a specific board | display protocol-vlan slot { slot-number [ to slot-number ] \| all } | You can execute the display command in any view. |
I. Standard-template-protocol-based VLAN configuration example
1) Network requirements
- Create VLAN 5 and configure it as a protocol-based VLAN, with protocol-index 1 and the protocol being IP.
- Associate port Ethernet1/0/5 with the protocol-based VLAN so that IP packets received by this port are tagged with the tag of VLAN 5 and transmitted in VLAN 5.
2) Configuration procedure
# Create VLAN 5 and enter its view.
<H3C> system-view
[H3C] vlan 5
[H3C-vlan5]
# Configure the protocol-index to be 1, and the associated protocol to be IP.
[H3C-vlan5] protocol-vlan 1 ip
# Enter Ethernet1/0/5 port view.
[H3C-vlan5] interface Ethernet 1/0/5
# Configure the port as a hybrid port.
[H3C-Ethernet1/0/5] port link-type hybrid
# Add the port to VLAN 5 and add VLAN 5 to the untagged VLAN list of the port.
[H3C-Ethernet1/0/5] port hybrid vlan 5 untagged
# Associate the port with protocol-index 1.
[H3C-Ethernet1/0/5] port hybrid protocol-vlan vlan 5 1