H3C S9500 Operation Manual-Release2132[V2.03]-01 Access Volume

09-VLAN Configuration

Chapter 1  VLAN Configuration

When configuring VLAN, go to these sections for information you are interested in:

- Introduction to VLAN
- Configuring Basic VLAN Attributes
- Configuring VLAN Interface Basic Attributes
- Configuring the Port-Based VLAN
- Configuring the Protocol-Based VLAN
- Displaying and Maintaining VLAN
- VLAN Configuration Examples

1.1  Introduction to VLAN

1.1.1  VLAN Overview

The communication medium is shared in Ethernet. If the number of the hosts in the network reaches a certain level, problems caused by collisions, broadcasts, and so on emerge, resulting in improper network operation. Interconnecting LANs can suppress collisions but cannot isolate broadcast packets. Therefore, VLAN (virtual LAN) is developed to solve these problems. VLAN divides a LAN into multiple logical LANs with each being a broadcast domain. Hosts in the same VLAN can communicate with each other like in a LAN. However, hosts from different VLANs cannot communicate directly. In this way, broadcast packets are confined to a single VLAN, as illustrated in the following figure.

Figure 1-1 A VLAN diagram

A VLAN is not restricted by physical factors. That is, hosts that reside in different network segments may belong to the same VLAN, and a VLAN can reside on a single switch or span multiple switches or routers.

VLAN technology has the following advantages:

- Broadcast traffic is confined to each VLAN, reducing bandwidth utilization and improving network performance.
- LAN security is improved. Packets in different VLANs cannot communicate with each other directly. That is, users in a VLAN cannot interact directly with users in other VLANs, unless routers or Layer 3 switches are used.
- A more flexible way to establish virtual working groups. With VLAN technology, clients can be allocated to different working groups, and users from the same group do not have to be within the same physical area, making network construction and maintenance much easier and more flexible.

1.1.2  VLAN Fundamental

To enable switches to identify packets of different VLANs, the VLAN tag field is inserted into the data link layer encapsulation of packets.

The format of the packets carrying the VLAN tag field is defined in IEEE 802.1Q, which was issued in 1999.

In the header of a traditional Ethernet packet, the field following the destination MAC address and the source MAC address is protocol type, which indicates the upper layer protocol type. Figure 1-2 illustrates the format of a traditional Ethernet packet, where DA stands for destination MAC address, SA stands for source MAC address, and Type stands for upper layer protocol type.

Figure 1-2 The format of a traditional Ethernet packet

IEEE 802.1Q defines a four-byte VLAN Tag field between the DA&SA field and the Type field to carry VLAN-related information, as shown in Figure 1-3.

Figure 1-3 The position and the format of the VLAN Tag field

The VLAN Tag field comprises four sub-fields: the TPID field, the Priority field, the CFI field, and the VLAN ID field.

- The tag protocol identifier (TPID) field, 16 bits in length, indicates that this data frame is VLAN-tagged. IEEE 802.1Q defines the value of this field as 0x8100.
- The Priority field, three bits in length, indicates the 802.1p priority of a packet. For information about packet priority, refer to QoS Configuration in the QoS ACL Volume.
- The canonical format indicator (CFI) field, one bit in length, specifies whether or not the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. The value 0 indicates MAC addresses are encapsulated in the standard format, and the value 1 indicates MAC addresses are encapsulated in a non-standard format.
- The VLAN ID field, 12 bits in length and with its value ranging from 0 to 4095, identifies the ID of the VLAN a packet belongs to. As VLAN IDs of 0 and 4095 are reserved by the protocol, the actual value of this field ranges from 1 to 4094.

A network device determines the VLAN to which a packet belongs by the VLAN ID field the packet carries. The VLAN Tag determines the way a packet is processed. For more information, refer to section Introduction to the Port-Based VLAN.

Note:

The Ethernet II encapsulation format is taken for example here. Ethernet also supports 802.2 LLC, 802.2 SNAP and 802.3 raw encapsulation formats. For packets encapsulated in these formats, a VLAN tag is used to differentiate packets of different VLANs.
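
The four sub-fields described above can be decoded from a raw Ethernet II frame as follows. This is an added example, not part of the H3C manual; the function names and the sample MAC addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # TPID value defined by IEEE 802.1Q

# Constructed sample addresses (locally administered, not from the manual)
SAMPLE_DA = bytes.fromhex("020000000002")
SAMPLE_SA = bytes.fromhex("020000000001")


def build_frame(da, sa, etype, payload=b"", tag=None):
    """Build an Ethernet II frame; tag is (priority, cfi, vlan_id) or None."""
    header = da + sa
    if tag is not None:
        priority, cfi, vlan_id = tag
        if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vlan_id <= 4095):
            raise ValueError("tag sub-field out of range")
        # Priority: top 3 bits, CFI: next bit, VLAN ID: low 12 bits
        tci = (priority << 13) | (cfi << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", etype) + payload


def parse_vlan_tag(frame):
    """Return the decoded VLAN Tag of a frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than DA + SA + Type")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None  # the field after DA and SA is the protocol type
    if len(frame) < 18:
        raise ValueError("truncated VLAN Tag")
    tci, etype = struct.unpack_from("!HH", frame, 14)
    vlan_id = tci & 0x0FFF
    return {
        "priority": tci >> 13,
        "cfi": (tci >> 12) & 1,
        "vlan_id": vlan_id,
        # 0 and 4095 are reserved, so usable IDs are 1 to 4094
        "reserved_vid": vlan_id in (0, 4095),
        "type": etype,
    }


if __name__ == "__main__":
    tagged = build_frame(SAMPLE_DA, SAMPLE_SA, 0x0800, tag=(5, 0, 100))
    print(parse_vlan_tag(tagged))
    print(parse_vlan_tag(build_frame(SAMPLE_DA, SAMPLE_SA, 0x0800)))
```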

 

1.1.3  VLAN Classification

VLANs can be classified into different categories. The following four types are the most commonly used:

- Port-based
- MAC address-based
- IP-subnet-based
- Protocol-based

Note:

At present, S9500 series switches support port-based VLANs and protocol-based VLANs.


The following contents introduce the configuration of port-based VLANs and protocol-based VLANs respectively.

1.2  Configuring Basic VLAN Attributes

Follow these steps to configure basic VLAN attributes:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create VLANs | vlan { vlan-id1 [ to vlan-id2 ] \| all } | Optional. Using this command can create multiple VLANs. |
| Enter VLAN view | vlan vlan-id | Required. The VLAN must be created first before entering its view; otherwise, using the command creates a VLAN and enters its view. By default, the system has only one default VLAN (VLAN 1). |
| Specify a description string for the VLAN | description text | Optional. VLAN ID is used by default, for example, “VLAN 0001”. |

Note:

If a device is installed with a board that provides POS interfaces (that is, the LSB1SP4, LSB1P4G8, or LSB1UP1 board), we recommend you do not use VLAN 4091 through VLAN 4094.


1.3  Configuring VLAN Interface Basic Attributes

For devices in different VLANs to communicate, a router or a routing switch must be used to forward packets for them at Layer 3. On a routing switch, a type of virtual interface, the VLAN interface, is used for this purpose.

Each VLAN can have one VLAN interface. Packets of a VLAN can be forwarded at the network layer through the corresponding VLAN interface. As each VLAN forms a broadcast domain, a VLAN can be an IP network segment and the VLAN interface can be the gateway to enable IP address-based Layer 3 forwarding.

Follow these steps to configure VLAN interface basic attributes:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a VLAN interface or enter VLAN interface view | interface vlan-interface vlan-interface-id | Required. This command leads you to VLAN interface view if the VLAN interface already exists. |
| Configure an IP address for the VLAN interface | ip address ip-address { mask \| mask-length } [ sub ] | Optional. Not configured by default. |
| Specify the descriptive character string for the VLAN interface | description text | Optional. VLAN interface name used by default. |
| Bring up the VLAN interface | undo shutdown | Optional. By default, a VLAN interface is up. The state of a VLAN interface also depends on the states of the ports in the VLAN. If all the ports in the VLAN are down, the VLAN interface is down; if one or more ports in the VLAN are up, the VLAN interface is up. If a VLAN interface is administratively shut down, the VLAN interface is always down regardless of the states of ports in the VLAN. |

Note:

Before creating a VLAN interface, ensure that the corresponding VLAN already exists. Otherwise, the specified VLAN interface will not be created.


1.4  Configuring the Port-Based VLAN

1.4.1  Introduction to the Port-Based VLAN

This is the simplest and yet the most effective way of classifying VLANs. It groups VLAN members by port. After being added to a VLAN, a port can forward the packets of the VLAN.

I. Port link type

Based on the tag handling mode, a port’s link type can be one of the following three:

- Access: an access port belongs to only one VLAN and is normally used to connect user devices.
- Trunk: a trunk port can belong to multiple VLANs, can receive and send packets of multiple VLANs, and is normally used to connect network devices.
- Hybrid: a hybrid port can belong to multiple VLANs, can receive and send packets of multiple VLANs, and is used to connect either user or network devices.

The differences between hybrid and trunk ports:

- A hybrid port allows packets of multiple VLANs to be sent without the VLAN tag.
- A trunk port only allows packets from the default VLAN to be sent without the VLAN tag.

II. Default VLAN

You can configure the default VLAN for a port. By default, VLAN 1 is the default VLAN for all ports. However, this can be changed as needed.

- An Access port only belongs to one VLAN. Therefore, its default VLAN is the VLAN it belongs to and cannot be configured.
- You can configure the default VLAN for the trunk port or the hybrid port as they can both belong to multiple VLANs.
- If the VLAN removed through the undo vlan command is the default VLAN of a port, the default VLAN for an Access port reverts to VLAN 1, whereas that for the trunk or hybrid port remains unchanged, meaning a trunk or hybrid port can use a nonexistent VLAN as the default VLAN.

Configured with the link type and default VLAN, a port handles packets in different ways, as described in the following table:

| Port type | Inbound packets handling: for an untagged packet | Inbound packets handling: for a tagged packet | Outbound packets handling |
| --- | --- | --- | --- |
| Access port | Tag the packet with the default VLAN ID. | Receive the packet if its VLAN ID is the same as the default VLAN ID. Drop the packet if its VLAN ID is different from the default VLAN ID. | Remove the VLAN tag and forward the packet. |
| Trunk port | Check whether the default VLAN is permitted to pass through. If yes, tag the packet with the default VLAN tag; otherwise, drop the packet. | Receive the packet if its VLAN is permitted to pass through. Drop the packet if its VLAN is not permitted to pass through. | Remove the tag and forward the packet if its VLAN ID is the same as the default VLAN ID. Keep the tag and forward the packet if the packet is permitted to pass through even though its VLAN ID is not the same as the default VLAN ID. |
| Hybrid port | Same as for a trunk port. | Same as for a trunk port. | Send the packet if the VLAN ID is allowed on the port. You can use the port hybrid vlan command to configure whether the port keeps or strips the tags when sending the packets of the VLAN. |
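
The handling rules in the table above, modelled as an added Python example (not H3C code; the Port class and function names are hypothetical, and inbound handling on a hybrid port is assumed to match a trunk port). It goes one step beyond the table by chaining egress on one switch to ingress on its neighbor, using the trunk settings from section 1.7.1, to show why both ends of a trunk need the same default VLAN.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    link_type: str                               # "access", "trunk" or "hybrid"
    pvid: int = 1                                # default VLAN of the port
    permitted: set = field(default_factory=lambda: {1})
    untagged: set = field(default_factory=set)   # hybrid only: VLANs sent untagged


def ingress(port, vid):
    """Classify an inbound frame; vid is None for an untagged frame.
    Returns the VLAN the frame is placed in, or None if it is dropped."""
    if port.link_type == "access":
        if vid is None:
            return port.pvid
        return vid if vid == port.pvid else None
    # Trunk and hybrid: untagged frames take the default VLAN if it is permitted
    if vid is None:
        return port.pvid if port.pvid in port.permitted else None
    return vid if vid in port.permitted else None


def egress(port, vlan):
    """Return "untagged", "tagged", or None if the port does not send the frame."""
    if port.link_type == "access":
        return "untagged" if vlan == port.pvid else None
    if vlan not in port.permitted:
        return None
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"


def across_link(tx, rx, vlan):
    """VLAN a frame lands in on the far side of a link, or None if dropped."""
    how = egress(tx, vlan)
    if how is None:
        return None
    return ingress(rx, vlan if how == "tagged" else None)


def expand(spec):
    """Expand a permit list such as "2 6 to 50 100" into a set of VLAN IDs."""
    tokens, out, i = spec.split(), set(), 0
    while i < len(tokens):
        lo = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = int(tokens[i + 2])
            i += 3
        else:
            hi = lo
            i += 1
        out.update(range(lo, hi + 1))
    return out


# Trunk from section 1.7.1: default VLAN 100, permit 2, 6 through 50, and 100
PERMIT = expand("2 6 to 50 100")
SWITCH_A = Port("trunk", pvid=100, permitted=PERMIT)
PEER_SAME = Port("trunk", pvid=100, permitted=PERMIT)
# Constructed misconfiguration: the peer keeps VLAN 1 as its default VLAN
PEER_PVID_1 = Port("trunk", pvid=1, permitted=PERMIT | {1})

if __name__ == "__main__":
    print(across_link(SWITCH_A, PEER_SAME, 100))    # stays in VLAN 100
    print(across_link(SWITCH_A, PEER_PVID_1, 100))  # lands in VLAN 1
```

With mismatched default VLANs the frame leaves Switch A untagged and is reclassified by the peer, so traffic crosses from VLAN 100 into VLAN 1 without any Layer 3 device involved.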

 

1.4.2  Assigning an Access Port to a VLAN

You can assign an access port to a VLAN either in VLAN view or in Ethernet interface view or port group view.

Follow these steps to configure the Access-port-based VLAN in VLAN view:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter VLAN view | vlan vlan-id | Required. The VLAN must be created first before entering its view. |
| Add an Access port to the current VLAN | port interface-list | Required. By default, the system will add all ports to VLAN 1. |


Follow these steps to assign a port (in Ethernet interface view) or a group of ports (in port group view) to a VLAN:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet interface view or port group view | interface interface-type interface-number (Ethernet interface view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Under Ethernet interface view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group. |
| Configure the port link type as Access | port link-type access | Optional. The link type of a port is Access by default. |
| Add the current Access port to a specified VLAN | port access vlan vlan-id | Optional. By default, the system will add all ports to VLAN 1. |

Note:

Ensure that you create a VLAN first before trying to add an Access interface to the VLAN.


1.4.3  Assigning a Trunk Port to a VLAN

A trunk port may belong to multiple VLANs, and you can only perform this configuration in Ethernet interface view or port group view.

Follow these steps to configure the trunk-port-based VLAN:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet interface view or port group view | interface interface-type interface-number (Ethernet interface view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Under Ethernet interface view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group. |
| Configure the port link type as trunk | port link-type trunk | Required. |
| Allow a specified VLAN to pass through the current trunk port | port trunk permit vlan { vlan-id-list \| all } | Required. By default, all trunk ports belong to VLAN 1 only. |
| Configure the default VLAN for the trunk port | port trunk pvid vlan vlan-id | Optional. VLAN 1 is the default VLAN by default. |

Note:

To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.


1.4.4  Assigning a Hybrid Port to a VLAN

A hybrid port may belong to multiple VLANs, and this configuration can only be performed in Ethernet interface view or port group view.

Follow these steps to configure the Hybrid-port-based VLAN:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter Ethernet interface view or port group view | interface interface-type interface-number (Ethernet interface view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Under Ethernet interface view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group. |
| Configure the port link type as Hybrid | port link-type hybrid | Required. |
| Allow a specified VLAN to pass through the current hybrid port | port hybrid vlan vlan-id-list { tagged \| untagged } | Required. By default, all hybrid ports belong to VLAN 1. |
| Configure the default VLAN of the hybrid port | port hybrid pvid vlan vlan-id | Optional. VLAN 1 is the default VLAN by default. |

Note:

- To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
- Ensure that a VLAN already exists before configuring it to pass through a certain hybrid port.


1.5  Configuring the Protocol-Based VLAN

1.5.1  Introduction to the Protocol-Based VLAN

In this approach, inbound packets are assigned different VLAN IDs based on their protocol type and encapsulation format. The protocols that can be used to categorize VLANs include: IP, IPX, and AppleTalk (AT). The encapsulation formats include: Ethernet II, 802.3, 802.3 raw, 802.2 LLC, and 802.2 SNAP.

A protocol-based VLAN can be defined by a protocol template, which is determined by the encapsulation format and protocol type. A port can be associated with multiple protocol templates. An untagged packet (that is, a packet carrying no VLAN tag) reaching a port associated with a protocol-based VLAN will be processed as follows.

- If the packet matches a protocol template, the packet will be tagged with the VLAN ID of the protocol-based VLAN defined by the protocol template, and then sent to the specified VLAN.
- If the packet matches no protocol template, the packet will be tagged with the default VLAN ID of the port.

A tagged packet (that is, a packet carrying VLAN tags) reaching the port is processed in the same way as that of port-based VLAN.

- If the port is configured to permit packets with the VLAN tag, the packet is forwarded.
- If the port is configured to deny packets with the VLAN tag, the packet is dropped.

This feature is mainly used to bind the service type with VLAN for ease of management and maintenance.

1.5.2  Configuring the Protocol-Based VLAN

 

Note:

Protocol VLAN is only applicable to a hybrid port belonging to the VLAN to which a protocol is to be issued.

 

Follow these steps to configure a protocol-based VLAN:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter VLAN view | vlan vlan-id | Required. For a nonexistent VLAN, this command will create a VLAN and enter its view. |
| Configure the protocol based VLAN and specify the protocol template | protocol-vlan [ protocol-index ] { at \| ipv4 \| ipv6 \| ipx { ethernetii \| llc \| raw \| snap } \| mode { ethernetii etype etype-id \| llc { dsap dsap-id [ ssap ssap-id ] \| ssap ssap-id } \| snap etype etype-id } } | Required. |
| Return to system view | quit | - |
| Enter Ethernet interface view or port group view | interface interface-type interface-number (Ethernet interface view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Under Ethernet interface view, the subsequent configurations only apply to the current port; under port group view, the subsequent configurations apply to all ports in the port group. |
| Configure the port link type as hybrid | port link-type hybrid | Required. |
| Allow specified VLANs to pass through the current hybrid port | port hybrid vlan vlan-id-list { tagged \| untagged } | Required. |
| Configure the association between the hybrid port and the protocol-based VLAN | port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] \| all } | Required. |

Caution:

- You cannot configure both dsap-id and ssap-id as 0xE0 or 0xFF; otherwise the matching packets will take the same encapsulation format as that of the ipx llc packets and the ipx raw packets respectively.
- To prevent a user-defined protocol template configured with the mode keyword from conflicting with a standard template, you cannot set the etype-id argument for ethernetii packets to 0x0800, 0x8137, 0x809B, or 0x86DD. The four values stand for IPv4, IPX, AppleTalk, and IPv6 respectively.
- On a port, you can apply only one protocol VLAN for a specific protocol.
- To remove a port from a protocol VLAN, remove the association between the protocol VLAN and the port first.
- To remove a VLAN that has already been configured with a protocol template, remove the association between the VLAN and the protocol template first.
- You cannot remove a protocol template that has already been applied to a port. To remove the protocol template, remove the association between the corresponding protocol VLAN and the port first.
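
The untagged-packet processing from section 1.5.1 and the template restrictions in the Caution above, as an added Python sketch (not H3C code; all function names are hypothetical). It assumes the standard ipv4 and ipv6 templates match Ethernet II frames with the EtherType values the Caution lists, and uses the VLAN 2 and VLAN 6 mapping from section 1.7.2 on constructed frames.

```python
import struct

# EtherType values the Caution reserves for the standard templates
STANDARD_ETYPES = {0x0800: "ipv4", 0x8137: "ipx", 0x809B: "at", 0x86DD: "ipv6"}


def eth(type_or_len, body=b""):
    """Constructed untagged test frame with placeholder MAC addresses."""
    da, sa = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return da + sa + struct.pack("!H", type_or_len) + body


def encapsulation(frame):
    """Return (format, key) identifying the template an untagged frame can match."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_len,) = struct.unpack_from("!H", frame, 12)
    if type_len == 0x8100:
        raise ValueError("tagged frame: handled by the port-based VLAN rules")
    if type_len >= 0x0600:                 # values from 0x0600 up are a protocol type
        return ("ethernetii", type_len)
    body = frame[14:]                      # below 0x0600 the field is a length
    if len(body) < 3:
        raise ValueError("truncated 802.3 payload")
    if body[:2] == b"\xff\xff":            # 802.3 raw
        return ("raw", None)
    if body[:3] == b"\xaa\xaa\x03":        # 802.2 SNAP: OUI, then the type
        if len(body) < 8:
            raise ValueError("truncated SNAP header")
        return ("snap", struct.unpack_from("!H", body, 6)[0])
    return ("llc", (body[0], body[1]))     # 802.2 LLC: (DSAP, SSAP)


def check_user_template(fmt, key):
    """Reject user-defined (mode) templates that the Caution forbids."""
    if fmt == "ethernetii" and key in STANDARD_ETYPES:
        raise ValueError(
            f"etype 0x{key:04X} conflicts with the standard "
            f"{STANDARD_ETYPES[key]} template")
    if fmt == "llc" and key in ((0xE0, 0xE0), (0xFF, 0xFF)):
        raise ValueError("dsap/ssap pair matches the ipx llc or ipx raw format")
    return (fmt, key)


def assign_vlan(frame, templates, pvid):
    """VLAN an untagged frame is tagged with: the matching template's VLAN,
    or the default VLAN of the port when no template matches."""
    return templates.get(encapsulation(frame), pvid)


# Section 1.7.2: IPv4 to VLAN 2, IPv6 to VLAN 6; default VLAN 1 is an assumption
TEMPLATES = {("ethernetii", 0x0800): 2, ("ethernetii", 0x86DD): 6}

if __name__ == "__main__":
    for etype in (0x0800, 0x86DD, 0x0806):
        print(hex(etype), "->", assign_vlan(eth(etype), TEMPLATES, pvid=1))
```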

 

1.6  Displaying and Maintaining VLAN

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display VLAN information | display vlan [ vlan-id1 [ to vlan-id2 ] \| all \| static \| dynamic \| reserved ] | Available in any view |
| Display VLAN interface information | display interface vlan-interface [ vlan-interface-id ] | Available in any view |
| Display information about the protocol-based VLAN configured on the specified VLANs | display protocol-vlan vlan { vlan-id [ to vlan-id ] \| all } | Available in any view |
| Display the protocol information and protocol indexes configured on the specified interfaces | display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] \| all } | Available in any view |


1.7  VLAN Configuration Examples

1.7.1  Port-Based VLAN Configuration Example

I. Network requirements

- Switch A connects to Switch B through trunk port Ethernet 1/1/1.
- The default VLAN ID of the trunk port is 100.
- The trunk port allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass.

II. Network diagram

Figure 1-4 Network diagram for port-based VLAN configuration

III. Configuration procedure

Configure Switch A:

# Create VLAN 100.

<SysnameA> system-view

[SysnameA] vlan 100

[SysnameA-vlan100] quit

# Enter Ethernet interface view of Ethernet 1/1/1.

[SysnameA] interface ethernet 1/1/1

# Configure Ethernet 1/1/1 as a trunk port and configure its default VLAN ID as 100.

[SysnameA-Ethernet1/1/1] port link-type trunk

[SysnameA-Ethernet1/1/1] port trunk pvid vlan 100

# Configure Ethernet 1/1/1 to permit packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass.

[SysnameA-Ethernet1/1/1] port trunk permit vlan 2 6 to 50 100

Configuration on Switch B is the same as that on Switch A.

1.7.2  Protocol-Based VLAN Configuration Example

I. Network requirements

- Switch A connects to Switch B through hybrid port Ethernet 1/1/1, and accesses an IP network through port Ethernet 1/1/2.
- Switch B is a common switch, which connects with multiple hosts for different applications.
- Through protocol-based VLAN configuration, make Ethernet 1/1/1 forward the received IPv4 packets to VLAN 2, and IPv6 packets to VLAN 6.

II. Network diagram

Figure 1-5 Network diagram for protocol-based VLAN configuration

III. Configuration procedure

# Create VLAN 2 and VLAN 6 and configure them as protocol-based VLANs.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] protocol-vlan ipv4

[Sysname-vlan2] quit

[Sysname] vlan 6

[Sysname-vlan6] protocol-vlan ipv6

[Sysname-vlan6] quit

# Configure Ethernet 1/1/1 and Ethernet 1/1/2 as hybrid ports which permit packets of VLAN 2 and VLAN 6 to pass, and associate Ethernet 1/1/1 with the protocol-based VLANs.

[Sysname] interface ethernet 1/1/1

[Sysname-Ethernet1/1/1] port link-type hybrid

[Sysname-Ethernet1/1/1] port hybrid vlan 2 6 untagged

[Sysname-Ethernet1/1/1] port hybrid protocol-vlan vlan 2 all

[Sysname-Ethernet1/1/1] port hybrid protocol-vlan vlan 6 all

[Sysname-Ethernet1/1/1] quit

[Sysname] interface ethernet 1/1/2

[Sysname-Ethernet1/1/2] port link-type hybrid

[Sysname-Ethernet1/1/2] port hybrid vlan 2 6 tagged

 


Chapter 2  Super VLAN Configuration

When configuring super VLAN, go to these sections for information you are interested in:

- Introduction to Super VLAN
- Configuring Super VLAN
- Displaying Super VLAN
- Super VLAN Configuration Example

2.1  Introduction to Super VLAN

Super VLAN, also called VLAN aggregation, is a collection of sub VLANs, each being a distinct broadcast domain isolated at Layer 2.

You can create a virtual interface with an IP address for a super VLAN but not for the sub VLANs in it. When users in a sub VLAN need to communicate with each other, they use the IP address of the virtual interface of the super VLAN as the IP address of the gateway. As the IP address is shared by all sub VLANs, IP addresses are saved.

For different sub VLANs to communicate with one another at Layer 3, or for a sub VLAN to communicate with other networks, you can enable proxy ARP. The super VLAN can use proxy ARP to forward and process ARP requests and responses so that the isolated sub VLANs can communicate with each other at Layer 3. By default, proxy ARP is disabled in a sub VLAN.

 

Note:

For more information about proxy ARP, refer to ARP Configuration in the IP Services Volume.

 

2.2  Configuring Super VLAN

Follow these steps to configure super VLAN:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter VLAN view | vlan vlan-id | - |
| Configure the VLAN as a super VLAN | supervlan | Required. |
| Correlate the super VLAN with its sub-VLAN(s) | subvlan vlan-list | Required. The specified sub-VLANs must already exist. |
| Return to system view | quit | - |
| Enter VLAN interface view | interface vlan-interface vlan-interface-id | - |
| Configure the IP address of the VLAN interface | ip address ip-address { mask \| mask-length } [ sub ] | Required. By default, the IP address of a VLAN interface is not configured. |
| Enable local proxy ARP | local-proxy-arp enable | Required. Disabled by default. |

Note:

- The IP address of the VLAN interface configured in the above table is the IP address of the corresponding VLAN interface of the super VLAN.
- For more information about the local-proxy-arp enable command, refer to ARP Commands in the IP Services Volume.
- A VLAN that is configured as a super VLAN cannot be configured as the Guest VLAN for a certain port, and vice versa. For more information, refer to the 802.1x Configuration in the Security Volume.

Caution:

- A Super VLAN cannot contain ports.
- VLAN 1 cannot be configured as a super VLAN.
- An isolate-user-VLAN cannot be configured as a super VLAN.
- You can add multiple ports to a sub VLAN.
- You cannot configure a VLAN interface for a sub VLAN.
- You can configure Layer 2 multicast for a super VLAN, but the function does not take effect.
- The functions of DHCP, Layer 3 multicast, dynamic routing, and NAT can be configured on the VLAN interface of a super VLAN, but only DHCP takes effect.
- You cannot enable VRRP on the VLAN interface of a super VLAN.


2.3  Displaying Super VLAN

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display the mapping between a super VLAN and its sub-VLAN(s) | display supervlan [ supervlan-id ] | Available in any view |


2.4  Super VLAN Configuration Example

I. Network requirements

- Create super VLAN 10, and configure the VLAN interface IP address of the super VLAN as 10.0.0.1/24.
- Create the sub-VLANs: VLAN 2, VLAN 3, and VLAN 5.
- Ports Ethernet 0/1/1 and Ethernet 0/1/2 belong to VLAN 2, Ethernet 0/1/3 and Ethernet 0/1/4 belong to VLAN 3, and Ethernet 0/1/5 and Ethernet 0/1/6 belong to VLAN 5.
- Through configuration, the sub-VLANs are isolated at Layer 2 but connected at Layer 3.

II. Network diagram

Figure 2-1 Network diagram for super-VLAN configuration

III. Configuration procedure

# Create VLAN 10, configure its VLAN interface address as 10.0.0.1/24.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] quit

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0

# Enable local proxy ARP.

[Sysname-Vlan-interface10] local-proxy-arp enable

[Sysname-Vlan-interface10] quit

# Create VLAN 2, add ports Ethernet 0/1/1 and Ethernet 0/1/2 to it.

[Sysname] vlan 2

[Sysname-vlan2] port ethernet 0/1/1 ethernet 0/1/2

# Create VLAN 3, add ports Ethernet 0/1/3 and Ethernet 0/1/4 to it.

[Sysname-vlan2] vlan 3

[Sysname-vlan3] port ethernet 0/1/3 ethernet 0/1/4

# Create VLAN 5, add ports Ethernet 0/1/5 and Ethernet 0/1/6 to it.

[Sysname-vlan3] vlan 5

[Sysname-vlan5] port ethernet 0/1/5 ethernet 0/1/6

# Specify VLAN 10 as the super VLAN, and VLAN 2, VLAN 3, and VLAN 5 as the sub-VLANs.

[Sysname-vlan5] vlan 10

[Sysname-vlan10] supervlan

[Sysname-vlan10] subvlan 2 3 5

 


Chapter 3  Isolate-User VLAN Configuration

When configuring Isolate-user VLAN, go to these sections for information you are interested in:

- Introduction to Isolate-User-VLAN
- Configuring Isolate-User-VLAN
- Displaying and Maintaining Isolate-User-VLAN
- Isolate-User-VLAN Configuration Example

3.1  Introduction to Isolate-User-VLAN

The isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.

- The isolate-user-VLAN is mainly used for upstream data exchange. An isolate-user-VLAN can have multiple secondary VLANs associated with it. The upstream device only knows the isolate-user-VLAN; how the secondary VLANs are working is not its concern. In this way, network configurations are simplified and VLAN resources are saved.
- Secondary VLANs are used for connecting users. Secondary VLANs are isolated from each other on Layer 2.
- One isolate-user-VLAN can have multiple secondary VLANs, which are invisible to the corresponding upstream device.

As illustrated in Figure 3-1, the isolate-user-VLAN function is enabled on Switch B. VLAN 10 is the isolate-user-VLAN, and VLAN 2, VLAN 5, and VLAN 8 are secondary VLANs that are mapped to VLAN 10 and invisible to Switch A. To realize the Layer 3 connectivity between the secondary VLANs (VLAN 2, VLAN 5, and VLAN 8) that are under the same isolate-user-VLAN (VLAN 10), the following two methods can be used:

- Configure a VLAN interface and the VLAN interface IP address for each secondary VLAN on Switch B.
- Configure the local proxy ARP function on the upper layer device (Switch A). For detailed information about proxy ARP, refer to ARP Configuration in the IP Services Volume.

Figure 3-1 Network diagram for Isolate-user-VLAN configuration

3.2  Configuring Isolate-User-VLAN

Configure the isolate-user-VLAN through the following steps:

1) Create the isolate-user-VLAN;
2) Create the secondary VLAN;
3) Add ports to the isolate-user-VLAN (note that the ports cannot be trunk ports) and ensure that at least one port has the isolate-user-VLAN as its default VLAN;
4) Add ports to the secondary VLAN (note that the ports cannot be trunk ports) and ensure that at least one port has the secondary VLAN as its default VLAN;
5) Configure the mapping between the isolate-user-VLAN and the secondary VLAN.

Follow these steps to configure isolate-user-VLAN:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a VLAN (or enter VLAN view) | vlan vlan-id | - |
| Configure the VLAN as an isolate-user-VLAN | isolate-user-vlan enable | Required |
| Quit to system view | quit | - |
| Add ports to the isolate-user-VLAN and ensure that at least one port has the isolate-user-VLAN as its default VLAN | Access port: refer to section Assigning an Access Port to a VLAN. Hybrid port: refer to section Assigning a Hybrid Port to a VLAN. | Required to choose either |
| Quit to system view | quit | - |
| Create the secondary VLAN | vlan vlan-id | - |
| Quit to system view | quit | - |
| Add ports to the secondary VLAN and ensure that at least one port has the secondary VLAN as its default VLAN | Access port: refer to Assigning an Access Port to a VLAN. Hybrid port: refer to Assigning a Hybrid Port to a VLAN. | Required to choose either |
| Quit to system view | quit | - |
| Configure the mapping between the isolate-user-VLAN and secondary VLAN | isolate-user-vlan isolate-user-vlan-id secondary secondary-vlan-id [ to secondary-vlan-id ] | Required |

Note:

- To create an isolate-user-VLAN, you need to disable the GVRP function first, and vice versa.
- After a mapping is configured, the system disallows adding ports to and removing ports or VLANs from the mapped isolate-user-VLAN and secondary VLAN.
- On the ports in a secondary VLAN, do not create MAC address entries with the VLAN ID being that of an isolate-user-VLAN. For creation of MAC address entries, refer to MAC Address Management Commands in the System Volume.
- Do not create a VLAN interface for an isolate-user-VLAN.


3.3  Displaying and Maintaining Isolate-User-VLAN

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display the mapping between an isolate-user-vlan and its secondary VLAN(s) | display isolate-user-vlan [ isolate-user-vlan-id ] | Available in any view |


3.4  Isolate-User-VLAN Configuration Example

I. Network requirements

- Switch A is connected to Switch B and Switch C.
- On Switch B, VLAN 5 is configured as an isolate-user-VLAN, which includes an upstream port Ethernet 1/1/5 and two secondary VLANs VLAN 2 and VLAN 3. VLAN 2 has Ethernet 1/1/2 and VLAN 3 has Ethernet 1/1/3.
- On Switch C, VLAN 6 is configured as an isolate-user-VLAN, which includes an upstream port Ethernet 1/1/5 and two secondary VLANs VLAN 3 and VLAN 4. VLAN 3 has Ethernet 1/1/3 and VLAN 4 has Ethernet 1/1/2.
- Through the configuration, for Switch A, Switch B only has one VLAN (VLAN 5) and Switch C only has one VLAN (VLAN 6).

II. Network diagram

Figure 3-2 Isolate-User-VLAN configuration diagram

III. Configuration procedure

The following are the configuration procedures for Switch B and Switch C.

1)         Configure Switch B

# Configure the isolate-user-VLAN.

<SysnameB> system-view

[SysnameB] vlan 5

[SysnameB-vlan5] isolate-user-vlan enable

[SysnameB-vlan5] port ethernet1/1/5

[SysnameB-vlan5] quit

# Configure the secondary VLANs.

[SysnameB] vlan 3

[SysnameB-vlan3] port ethernet1/1/3

[SysnameB-vlan3] quit

[SysnameB] vlan 2

[SysnameB-vlan2] port ethernet1/1/2

[SysnameB-vlan2] quit

# Establish the mapping between the isolate-user-VLAN and the secondary VLANs.

[SysnameB] isolate-user-vlan 5 secondary 2 to 3

[SysnameB] quit

2)         Configure Switch C

# Configure the isolate-user-VLAN.

<SysnameC> system-view

[SysnameC] vlan 6

[SysnameC-vlan6] isolate-user-vlan enable

[SysnameC-vlan6] port ethernet1/1/5

[SysnameC-vlan6] quit

# Configure the secondary VLANs.

[SysnameC] vlan 3

[SysnameC-vlan3] port ethernet1/1/3

[SysnameC-vlan3] quit

[SysnameC] vlan 4

[SysnameC-vlan4] port ethernet1/1/2

[SysnameC-vlan4] quit

# Establish the mapping between the isolate-user-VLAN and the secondary VLANs.

[SysnameC] isolate-user-vlan 6 secondary 3 to 4

IV. Verification

# Display the isolate-user-VLAN configuration on Switch B.

<SysnameB> display isolate-user-vlan

 Isolate-user-VLAN VLAN ID : 5

 Secondary VLAN ID : 2-3

 

 VLAN ID: 5

 VLAN Type: static

 Isolate-user-VLAN type : isolate-user-VLAN

 Route Interface: not configured

 Description: VLAN 0005

Tagged   Ports: none

 Untagged Ports:

    Ethernet1/1/2            Ethernet1/1/3            Ethernet1/1/5

 VLAN ID: 2

 VLAN Type: static

 Isolate-user-VLAN type : secondary

Route Interface: not configured

 Description: VLAN 0002

Tagged   Ports: none

 Untagged Ports:

    Ethernet1/1/2            Ethernet1/1/5

 

 VLAN ID: 3

 VLAN Type: static

 Isolate-user-VLAN type : secondary

 Route Interface: not configured

 Description: VLAN 0003

Tagged   Ports: none

 Untagged Ports:

    Ethernet1/1/3            Ethernet1/1/5

The isolate-user-VLAN configuration on Switch C is similar to that on Switch B.
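
The port membership shown in the verification output can be derived from the mapping with a small model. This is an added Python example, not H3C code: the function names are hypothetical, and the membership rule is inferred from the display output above rather than taken from a specification.

```python
def map_isolate_user_vlan(ports, primary, secondaries):
    """Apply an isolate-user-VLAN mapping.

    ports: dict of VLAN ID -> set of ports that have that VLAN as default VLAN
           before the mapping is configured.
    Returns dict of VLAN ID -> set of untagged member ports after the mapping.
    """
    for vid in [primary, *secondaries]:
        # Steps 3) and 4): each VLAN needs at least one port using it as default VLAN
        if not ports.get(vid):
            raise ValueError(f"VLAN {vid} has no port with it as default VLAN")
    member = {primary: set(ports[primary])}
    for vid in secondaries:
        # The upstream ports join every secondary VLAN ...
        member[vid] = ports[vid] | ports[primary]
        # ... and every secondary port joins the isolate-user-VLAN
        member[primary] |= ports[vid]
    return member


def reachable(ports, member, src):
    """Ports through which a frame entering on src can leave at Layer 2."""
    pvid = next(vid for vid, plist in ports.items() if src in plist)
    return member[pvid] - {src}


# Switch B from the example: VLAN 5 is the isolate-user-VLAN, 2 and 3 are secondary
SWITCH_B = {
    5: {"Ethernet1/1/5"},
    2: {"Ethernet1/1/2"},
    3: {"Ethernet1/1/3"},
}
MEMBER_B = map_isolate_user_vlan(SWITCH_B, primary=5, secondaries=[2, 3])

if __name__ == "__main__":
    for vid in (5, 2, 3):
        print("VLAN", vid, "untagged ports:", sorted(MEMBER_B[vid]))
    # A user port reaches only the upstream port; the upstream port reaches all users
    print(sorted(reachable(SWITCH_B, MEMBER_B, "Ethernet1/1/2")))
    print(sorted(reachable(SWITCH_B, MEMBER_B, "Ethernet1/1/5")))
```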

 
