04-Layer 2 - LAN Switching

HomeSupportResource CenterH3C Access Controllers Configuration Guides(E5208P03 E5215P01 R5215P01)-6W10204-Layer 2 - LAN Switching
03-VLAN configuration
Title Size Download
03-VLAN configuration 98.28 KB

Configuring VLANs

Overview

Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared, collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches can reduce collisions in an Ethernet LAN. To confine broadcasts, a Layer 2 switch must use the Virtual Local Area Network (VLAN) technology.

VLANs enable a Layer 2 switch to break a LAN down into smaller broadcast domains, as shown in Figure 1.

Figure 1 A VLAN diagram

 

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, you can assign all workstations and servers used by a particular workgroup to the same VLAN, regardless of their physical locations. Hosts in the same VLAN can directly communicate with one another. You need a router or a Layer 3 switch for hosts in different VLANs to communicate with one another.

All these VLAN features reduce bandwidth waste, improve LAN security, and enable flexible virtual group creation.

The term "switch" in this document refers to access controllers and access controller modules.

VLAN frame encapsulation

To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag between the destination and source MAC address (DA&SA) field and the Type field.

Figure 2 VLAN tag placement and format

 

A VLAN tag includes the following fields:

·     TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default, the TPID value 0x8100 identifies a VLAN-tagged frame. A device vendor can set the TPID to a different value. For compatibility with a neighbor device, set the TPID value on the device to be the same as the neighbor device.

·     Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL and QoS Configuration Guide.

·     CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Available values include:

¡     0 (default)—The MAC addresses are encapsulated in the standard format.

¡     1—The MAC addresses are encapsulated in a non-standard format.

This field is always set to 0 for Ethernet.

·     VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0 to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.

The way a network device handles an incoming frame depends on whether the frame has a VLAN tag and the value of the VLAN tag (if any). For more information, see "Introduction."

Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag fields in other frame encapsulation formats, see related protocols and standards.

For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag and transmits its inner VLAN tags as the payload.

Protocols and standards

IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

Configuring basic VLAN settings

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Create a VLAN and enter its view, or create a list of VLANs.

vlan { vlan-id1 [ to vlan-id2 ] | all }

By default, only the system default VLAN (VLAN 1) exists.

3.     Enter VLAN view.

vlan vlan-id

To configure a VLAN after you create a list of VLANs, you must perform this step.

4.     Set a name for the VLAN.

name text

By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100.

5.     Set the description for the VLAN.

description text

By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100.

 

 

NOTE:

·     As the system default VLAN, VLAN 1 cannot be created or deleted.

·     Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove the configuration from the VLAN.

 

Configuring basic settings of a VLAN interface

Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are virtual interfaces and they do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets destined for another IP subnet at Layer 3.

Before you create a VLAN interface for a VLAN, create the VLAN first.

To configure basic settings of a VLAN interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a VLAN interface and enter VLAN interface view.

interface vlan-interface interface-number

If the VLAN interface already exists, you enter its view directly.

By default, no VLAN interface is created.

3.     Assign an IP address to the VLAN interface.

ip address ip-address { mask | mask-length } [ sub ]

By default, no IP address is assigned to a VLAN interface.

4.     Set the description for the VLAN interface.

description text

The default setting is the VLAN interface name. For example, Vlan-interface1 Interface.

5.     Set the MTU for the VLAN interface.

mtu size

The default setting is 1500 bytes.

6.     Set the expected bandwidth for the interface.

bandwidth bandwidth-value

By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

7.     (Optional.) Restore the default settings for the VLAN interface.

default

N/A

8.     (Optional.) Bring up the VLAN interface.

undo shutdown

By default, a VLAN interface is not manually shut down.

 

Configuring port-based VLANs

Introduction

Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.

Port link type

You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling methods:

·     Access—An access port can forward packets only from one VLAN and send these packets untagged. An access port is typically used in the following conditions:

¡     Connecting to a terminal device that does not support VLAN packets.

¡     In scenarios that do not distinguish VLANs.

·     Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network devices are typically configured as trunk ports.

·     Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the packets forwarded by a hybrid port depends on the port configuration.

PVID

The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.

When you set the PVID for a port, follow these restrictions and guidelines:

·     An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

·     A trunk or hybrid port supports multiple VLANs and the PVID configuration.

·     When you use the undo vlan command to delete the PVID of a port, either of the following events occurs depending on the port link type:

¡     For an access port, the PVID of the port changes to VLAN 1.

¡     For a hybrid or trunk port, the PVID setting of the port does not change.

You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.

·     H3C recommends that you set the same PVID for a local port and its peer.

·     To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to its PVID.

How ports of different link types handle frames

Actions

Access

Trunk

Hybrid

In the inbound direction for an untagged frame

Tags the frame with the PVID tag.

·     If the PVID is permitted on the port, tags the frame with the PVID tag.

·     If not, drops the frame.

In the inbound direction for a tagged frame

·     Receives the frame if its VLAN ID is the same as the PVID.

·     Drops the frame if its VLAN ID is different from the PVID.

·     Receives the frame if its VLAN is permitted on the port.

·     Drops the frame if its VLAN is not permitted on the port.

In the outbound direction

Removes the VLAN tag and sends the frame.

·     Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.

·     Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID.

Sends the frame if its VLAN is permitted on the port. The tagging status of the frame depends on the port hybrid vlan command configuration.

 

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view or interface view.

Make sure the VLAN has been created.

Assign one or multiple access ports to a VLAN in VLAN view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VLAN view.

vlan vlan-id

N/A

3.     Assign one or multiple access ports to the VLAN.

port interface-list

By default, all ports belong to VLAN 1.

 

Assign an access port to a VLAN in interface view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

·     Enter Layer 2 Ethernet interface view:
interface
interface-type interface-number

·     Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number

N/A

3.     Set the port link type to access.

port link-type access

By default, all ports are access ports.

4.     (Optional.) Assign the access port to a VLAN.

port access vlan vlan-id

By default, all access ports belong to VLAN 1.

 

Assigning a trunk port to a VLAN

A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.

When you assign a trunk port to a VLAN, follow these restrictions and guidelines:

·     To change the link type of a port from trunk to hybrid, set the link type to access first.

·     To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID by using the port trunk permit vlan command.

To assign a trunk port to one or multiple VLANs:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

·     Enter Layer 2 Ethernet interface view:
interface
interface-type interface-number

·     Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number

N/A

3.     Set the port link type to trunk.

port link-type trunk

By default, all ports are access ports.

4.     Assign the trunk port to the specified VLANs.

port trunk permit vlan { vlan-id-list | all }

By default, a trunk port permits only VLAN 1.

5.     (Optional.) Set the PVID for the trunk port.

port trunk pvid vlan vlan-id

The default setting is VLAN 1.

 

Assigning a hybrid port to a VLAN

A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view. Make sure the VLANs have been created.

When you assign a hybrid port to a VLAN, follow these restrictions and guidelines:

·     To change the link type of a port from trunk to hybrid, set the link type to access first.

·     To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID by using the port hybrid vlan command.

To assign a hybrid port to one or multiple VLANs:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

·     Enter Layer 2 Ethernet interface view:
interface
interface-type interface-number

·     Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number

N/A

3.     Set the port link type to hybrid.

port link-type hybrid

By default, all ports are access ports.

4.     Assign the hybrid port to the specified VLANs.

port hybrid vlan vlan-id-list { tagged | untagged }

By default, the hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.

5.     (Optional.) Set the PVID for the hybrid port.

port hybrid pvid vlan vlan-id

By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access.

 

Configuring a VLAN group

A VLAN group includes a set of VLANs.

On an authentication server, a VLAN group name represents a group of authorization VLANs. When an 802.1X user passes authentication, the authentication server assigns a VLAN group name to the device. The device then uses the received VLAN group name to match the locally configured VLAN group names. If a match is found, the device selects a VLAN from the group and assigns the VLAN to the user. For more information about 802.1X authentication, see Security Configuration Guide.

To configure a VLAN group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a VLAN group and enter VLAN group view.

vlan-group group-name

By default, no VLAN group exists.

3.     Add VLANs to the VLAN group.

vlan-list vlan-id-list

By default, no VLAN exists in a VLAN group.

You can add multiple VLAN lists to a VLAN group.

 

Displaying and maintaining VLANs

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display VLAN interface information.

display interface vlan-interface [ interface-number ] [ brief [ description | down ] ]

Display VLAN information.

display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | static ]

Display brief VLAN information.

display vlan brief

Display VLAN group information.

display vlan-group [ group-name ]

Display hybrid ports or trunk ports on the device.

display port { hybrid | trunk }

Clear statistics on a port.

reset counters interface vlan-interface [ interface-number ]