Login
| Title | Size | Downloads |
|---|---|---|
| H3C S3100 Series Ethernet Switches Operation Manual-Release 22XX Series(V1.00)-VLAN Operation.pdf | 301.04 KB |
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-VLAN Operation | 301.04 KB |
Table of Contents
Assigning an Ethernet Port to Specified VLANs
Configuring the Default VLAN ID for a Port
Introduction to MAC-Based VLAN
Approaches to creating MAC address-to-VLAN mappings
Introduction to Protocol-Based VLAN
Encapsulation Format of Ethernet Data
Implementation of Protocol-Based VLAN
Basic VLAN Interface Configuration
Configuring an Access-Port-Based VLAN
Configuring a Hybrid-Port-Based VLAN
Configuring a Trunk-Port-Based VLAN
Displaying and Maintaining Port-Based VLAN
Port-Based VLAN Configuration Example
Troubleshooting Ethernet Port Configuration
MAC-Based VLAN Configuration Task List
Displaying MAC-Based VLAN Configuration
Configuring a Protocol-Based VLAN
Protocol-Based VLAN Configuration Task List
Configuring a Protocol Template for a Protocol-Based VLAN
Associating a Port with a Protocol-Based VLAN
Displaying Protocol-Based VLAN Configuration
Protocol-Based VLAN Configuration Example
This chapter covers these topics:
VLAN Overview
Introduction to VLAN
The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
l A hub is a physical layer device without the switching function, so it forwards the received packet to all ports except the inbound port of the packet.
l A switch is a link layer device which can forward a packet according to the MAC address of the packet. A switch builds a table of MAC addresses mapped to associated ports with that address and only sends a known MAC’s traffic to one port. When the switch receives a broadcast packet or an unknown unicast packet whose MAC address is not included in the MAC address table of the switch, it will forward the packet to all the ports except the inbound port of the packet.
The above scenarios could result in the following network problems.
l Large quantity of broadcast packets or unknown unicast packets may exist in a network, wasting network resources.
l A host in the network receives a lot of packets whose destination is not the host itself, causing potential serious security problems.
l Related to the point above, someone on a network can monitor broadcast packets and unicast packets and learn of other activities on the network. Then they can attempt to access other resources on the network, whether or not they are authorized to do this.
Isolating broadcast domains is the solution for the above problems. The traditional way is to use routers, which forward packets according to the destination IP address and does not forward broadcast packets in the link layer. However, routers are expensive and provide few ports, so they cannot split the network efficiently. Therefore, using routers to isolate broadcast domains has many limitations.
The Virtual Local Area Network (VLAN) technology is developed for switches to control broadcasts in LANs.
A VLAN can span multiple physical spaces. This enables hosts in a VLAN to be located in different physical locations.
By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate in the traditional Ethernet way. However, hosts in different VLANs cannot communicate with each other directly but need the help of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation.
Figure 1-1 A VLAN implementation
Advantages of VLANs
Compared with traditional Ethernet technology, VLAN technology delivers the following benefits:
l Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance.
l Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
l Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.
VLAN Fundamentals
VLAN tag
To enable a Layer-2 switch to identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by IEEE in 1999.
In the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address (DA&SA) is the Type field indicating the upper layer protocol type, as shown in Figure 1-2.
Figure 1-2 Encapsulation format of traditional Ethernet frames
IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 1-3.
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
l The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
l The 3-bit priority field indicates the 802.1p priority of the frame. Refer to the “QoS” part of this manual for details.
l The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the canonical format for the receiving device to correctly interpret the MAC addresses. Value 0 indicates that the MAC addresses are encapsulated in canonical format; value 1 indicates that the MAC addresses are encapsulated in non-canonical format. The field is set to 0 by default.
l The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.
The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats such as 802.2 LLC and 802.2 SNAP are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification. Refer to section Encapsulation Format of Ethernet Data for 802.2/802.3 encapsulation format.
VLAN ID identifies the VLAN to which a packet belongs. When a switch receives a packet carrying no VLAN tag, the switch encapsulates a VLAN tag with the default VLAN ID of the inbound port for the packet, and sends the packet to the default VLAN of the inbound port for transmission. For the details about setting the default VLAN of a port, refer to Configuring the Default VLAN ID for a Port.
MAC address learning mechanism of VLANs
Switches make forwarding decisions based on destination MAC addresses. For this purpose, each switch maintains a MAC address table, of which each entry records the MAC address of a terminal connected to the switch and to which port this terminal is connected, assuming that no VLAN is involved. For the ease of management, a MAC learning mechanism is adopted on switches. With this mechanism, a switch can populate its MAC address table automatically by learning the source MAC address of incoming traffic and on which port the traffic is received. When forwarding traffic destined for the learned MAC address, the switch looks up the table and forwards the traffic according to the entry.
After VLANs are configured, a switch adopts one of the following MAC address learning mechanisms:
l Shared VLAN learning (SVL), where the switch records all learned MAC address entries in one MAC address table, regardless of in which VLAN they are learned. This table is called the shared MAC address forwarding table. Packets received in any VLAN on a port are forwarded according to this table.
l Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN.
VLAN Interface
Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to do Layer 3 forwarding. The S3100 series Ethernet switches support VLAN interfaces configuration to forward packets in Layer 3.
VLAN interface is a virtual interface in Layer 3 mode, used to realize the layer 3 communication between different VLANs, and does not exist on a switch as a physical entity. Each VLAN has a VLAN interface, which can forward packets of the local VLAN to the destination IP addresses at the network layer. Normally, since VLANs can isolate broadcast domains, each VLAN corresponds to an IP network segment. And a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses.
An S3100 series switch can be configured with a single VLAN interface only, and the VLAN must be the management VLAN. For details about the management VLAN, refer to the “Management VLAN Configuration” part of this manual.
VLAN Classification
Depending on how VLANs are established, VLANs fall into the following six categories.
l Port-based VLANs
l MAC address-based VLANs
l Protocol-based VLANs
l IP-subnet-based VLANs
l Policy-based VLANs
l Other types
At present, the S3100 series switches support the port-based and protocol-based VLANs.
Port-Based VLAN
Port-based VLAN technology introduces the simplest way to classify VLANs. You can assign the ports on the device to different VLANs. Thus packets received on a port will be transmitted through the corresponding VLAN only, so as to isolate hosts to different broadcast domains and divide them into different virtual workgroups.
Ports on Ethernet switches have the three link types: access, trunk, and hybrid. For the three types of ports, the process of being added into a VLAN and the way of forwarding packets are different.
Port-based VLANs are easy to implement and manage and applicable to hosts with relatively fixed positions.
Link Types of Ethernet Ports
l An access port can belong to only one VLAN. Usually, ports directly connected to PCs are configured as access ports.
l A trunk port can carry multiple VLANs to receive and send traffic for them. Except traffic of the default VLAN, traffic passes through a trunk port will be VLAN tagged. Usually, ports connecting network devices are configured as trunk ports to allow members of the same VLAN to communicate with each other across multiple network devices.
l Like a trunk port, a hybrid port can carry multiple VLANs to receive and send traffic for them. Unlike a trunk port, a hybrid port allows traffic of all VLANs to pass through VLAN untagged. You can configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity.
A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged.
The three types of ports can coexist on the same device.
Assigning an Ethernet Port to Specified VLANs
You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch.
An access port can be assigned to only one VLAN, while a hybrid or trunk port can be assigned to multiple VLANs.
Before assigning an access or hybrid port to a VLAN, create the VLAN first.
Configuring the Default VLAN ID for a Port
An access port can belong to only one VLAN. Therefore, the VLAN an access port belongs to is also the default VLAN of the access port. A hybrid/trunk port can belong to multiple VLANs, so you should configure a default VLAN ID for the port.
After a port is added to a VLAN and configured with a default VLAN, the port receives and sends packets in a way related to its link type. For detailed description, refer to the following tables:
Table 1-1 Packet processing of an access port
|
Processing of an incoming packet |
Processing of an outgoing packet |
|
|
For an untagged packet |
For a tagged packet |
|
|
Receive the packet and tag the packet with the default VLAN tag. |
l If the VLAN ID is just the default VLAN ID, receive the packet. l If the VLAN ID is not the default VLAN ID, discard the packet. |
Strip the tag from the packet and send the packet. |
Table 1-2 Packet processing of a trunk port
|
Processing of an incoming packet |
Processing of an outgoing packet |
|
|
For an untagged packet |
For a tagged packet |
|
|
l If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. l If the port has not been added to its default VLAN, discard the packet. |
l If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet. l If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet. |
l Remove the tag and send the frame if the frame carries the default VLAN tag and the port belongs to the default VLAN. l Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one. |
Table 1-3 Packet processing of a hybrid port
|
Processing of an incoming packet |
Processing of an outgoing packet |
|
|
For an untagged packet |
For a tagged packet |
|
|
l If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. l If the port has not been added to its default VLAN, discard the packet. |
l If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet. l If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet. |
Send the packet if the VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure whether the port keeps or strips off the tags when sending packets of a VLAN (including the default VLAN). |
MAC-Based VLAN
The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
Introduction to MAC-Based VLAN
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.
MAC-based VLAN implementation
With MAC-based VLAN configured, the device processes received packets as follows:
l When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the source MAC address of the frame for a match. The device searches the MAC-to-VLAN mappings whose masks are all-Fs. If the MAC address in a MAC-to-VLAN mapping matches the source MAC address of the untagged frame exactly, the device ends the search and adds a VLAN tag containing the corresponding VLAN ID to the packet. If no match is found, the system looks up other types of VLANs to make the forwarding decision.
l When receiving a tagged frame, the receiving port forwards the frame if it is assigned to the corresponding VLAN or drops the frame if it is not. In this case, port-based VLAN applied.
Approaches to creating MAC address-to-VLAN mappings
In addition to creating MAC address-to-VLAN mappings at the CLI, you can use an authentication server to automatically issue MAC address-to-VLAN mappings.
l Manually Static configuration (through CLI)
You can associate MAC addresses with VLANs by using corresponding commands.
l Automatic configuration through the authentication server (that is, VLAN issuing)
The device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. If a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires MAC address-to–VLAN mapping be configured on the authentication server. For detailed information, refer to 802.1X Configuration in the Security Volume.
The two configuration approaches can be used at the same time, that is, you can configure a MAC address-to-VLAN entry on both the local device and the authentication server at the same time. Note that the MAC address-to-VLAN entry configuration takes effect only when the configuration on the local device is consistent with that on the authentication server. Otherwise, the previous configuration takes effect.
Protocol-Based VLAN
The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
Introduction to Protocol-Based VLAN
Protocol-based VLAN is also known as protocol VLAN, which is another way to classify VLANs. Through the protocol-based VLANs, the switch can analyze the received packets carrying no VLAN tag on the port and match the packets with the user-defined protocol template automatically according to different encapsulation formats and the values of specific fields. If a packet is matched, the switch will add a corresponding VLAN tag to it automatically. Thus, data of specific protocol is assigned automatically to the corresponding VLAN for transmission.
This feature is used for binding the ToS provided in the network to VLAN to facilitate management and maintenance.
Encapsulation Format of Ethernet Data
This section introduces the common encapsulation formats of Ethernet data for you to understand the procedure for the switch to identify the packet protocols.
Ethernet II and 802.2/802.3 encapsulation
There are two encapsulation types of Ethernet packets: Ethernet II defined by RFC 894 and 802.2/802.3 defined by RFC 1042. The two encapsulation formats are described in the following figures.
Ethernet II packet:
Figure 1-4 Ethernet II encapsulation format
802.2/802.3 packet:
Figure 1-5 802.2/802.3 encapsulation format
In the two figures, DA and SA refer to the destination MAC address and source MAC address of the packet respectively. The number in the bracket indicates the field length in bytes.
The maximum length of an Ethernet packet is 1500 bytes, that is, 0x05DC in hexadecimal, so the length field in 802.2/802.3 encapsulation is in the range of 0x0000 to 0x05DC.
Whereas, the type field in Ethernet II encapsulation is in the range of 0x0600 to 0xFFFF.
Packets with the value of the type or length field being in the range 0x05DD to 0x05FF are regarded as illegal packets and thus discarded directly.
The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two fields.
Encapsulation Formats
Table 1-4 lists the encapsulation formats supported by some protocols. In brackets are type values of these protocols.
Table 1-4 Encapsulation formats
|
Encapsulation (left) |
Ethernet II |
802.3 raw |
802.2 LLC |
802.2 SNAP |
|
Protocol (down) |
||||
|
IP (0x0800) |
Supported |
Not supported |
Not supported |
Supported |
|
IPX (0x8137) |
Supported |
Supported |
Supported |
Supported |
|
AppleTalk (0x809B) |
Supported |
Not supported |
Not supported |
Supported |
Implementation of Protocol-Based VLAN
S3100 series Ethernet switches assign the packet to the specific VLAN by matching the packet with the protocol template.
The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
l The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
l The user-defined template adopts the user-defined encapsulation formats and values of some specific fields as the matching criteria.
After configuring the protocol template, you must add a port to the protocol-based VLAN and associate this port with the protocol template. This port will add VLAN tags to the packets based on protocol types. The port in the protocol-based VLAN must be connected to a client. However, a common client cannot process VLAN-tagged packets. In order that the client can process the packets out of this port, you must configure the port in the protocol-based VLAN as a hybrid port and configure the port to remove VLAN tags when forwarding packets of all VLANs.
When configuring a VLAN, go to these sections for information you are interested in:
l Configuring a Port-Based VLAN
l Configuring a Protocol-Based VLAN
VLAN Configuration
VLAN Configuration Task List
Complete the following tasks to configure VLAN:
|
Task |
Remarks |
|
Required |
|
|
Optional |
|
|
Optional |
Basic VLAN Configuration
Follow these steps to perform basic VLAN configuration:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Create multiple VLANs in batch |
vlan { vlan-id1 to vlan-id2 | all } |
Optional |
|
Create a VLAN and enter VLAN view |
vlan vlan-id |
Required By default, there is only one VLAN, that is, the default VLAN (VLAN 1). |
|
Assign a name for the current VLAN |
name text |
Optional By default, the name of a VLAN is its VLAN ID. VLAN 0001 for example. |
|
Specify the description string of the current VLAN |
description text |
Optional By default, the description string of a VLAN is its VLAN ID. VLAN 0001 for example. |
l VLAN 1 is the system default VLAN, which needs not to be created and cannot be removed, either.
l The VLAN you created in the way described above is a static VLAN. On the switch, there are dynamic VLANs which are registered through GVRP. For details, refer to “GVRP” part of this manual.
l When you use the vlan command to create VLANs, if the destination VLAN is an existing dynamic VLAN, it will be transformed into a static VLAN and the switch will output the prompt information.
Basic VLAN Interface Configuration
Configuration prerequisites
Before configuring a VLAN interface, create the corresponding VLAN.
Configuration procedure
l Configuration procedure for the S3100-EI series switches
Follow these steps to perform basic VLAN interface configuration:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Create a VLAN interface and enter VLAN interface view |
interface Vlan-interface vlan-id |
Required By default, there is no VLAN interface on a switch. |
|
Specify the description string for the current VLAN interface |
description text |
Optional By default, the description string of a VLAN interface is the name of this VLAN interface. Vlan-interface1 Interface for example. |
|
Disable the VLAN interface |
shutdown |
Optional By default, the VLAN interface is enabled. In this case, the VLAN interface’s status is determined by the status of the ports in the VLAN, that is, if all ports of the VLAN are down, the VLAN interface is down (disabled); if one or more ports of the VLAN are up, the VLAN interface is up (enabled). If you disable the VLAN interface, the VLAN interface will always be down, regardless of the status of the ports in the VLAN. |
|
Enable the VLAN Interface |
undo shutdown |
l Configuration procedure for the S3100-SI series switches
Follow these steps to perform basic VLAN interface configuration:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Configure a specified VLAN to be the management VLAN |
management-vlan vlan-id |
Required By default, VLAN 1 operates as the management VLAN. |
|
Create a VLAN interface and enter VLAN interface view |
interface Vlan-interface vlan-id |
Required By default, there is no VLAN interface on a switch. |
|
Specify the description string for the current VLAN interface |
description text |
Optional By default, the description string of a VLAN interface is the name of this VLAN interface. Vlan-interface1 Interface for example. |
|
Disable the VLAN interface |
shutdown |
Optional By default, the VLAN interface is enabled. In this case, the VLAN interface’s status is determined by the status of the ports in the VLAN, that is, if all ports of the VLAN are down, the VLAN interface is down (disabled); if one or more ports of the VLAN are up, the VLAN interface is up (enabled). If you disable the VLAN interface, the VLAN interface will always be down, regardless of the status of the ports in the VLAN. |
|
Enable the VLAN Interface |
undo shutdown |
l The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.
l For the S3100-SI series switch, create the VLAN interface for the management VLAN on a switch operating as the management device in a cluster, make sure that the management VLAN ID is consistent with the cluster management VLAN ID configured with the management-vlan vlan-id command. Otherwise, the configuration fails. Refer to the Cluster Operation Manual for detailed introduction to the cluster.
Displaying VLAN Configuration
|
To do... |
Use the command... |
Remarks |
|
Display the VLAN interface information |
display interface Vlan-interface [ vlan-id ] |
Available in any view. |
|
Display the VLAN information |
display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ] |
Configuring a Port-Based VLAN
Configuring an Access-Port-Based VLAN
There are two ways to configure Access-port-based VLAN: one way is to configure in VLAN view, the other way is to configure in Ethernet port view.
Follow these steps to configure the Access-port-based VLAN in VLAN view:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter VLAN view |
vlan vlan-id |
Required If the specified VLAN does not exist, this command be created first creates the VLAN before entering its view. |
|
Add an Access port to the current VLAN |
port interface-list |
Required By default, system will add all ports to VLAN 1. |
Follow these steps to configure the Access-port-based VLAN in Ethernet port view:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the port link type as Access |
port link-type access |
Optional The link type of a port is Access by default. |
|
Add the current Access port to a specified VLAN |
port access vlan vlan-id |
Optional By default, all Access ports belong to VLAN 1. |
To add an Access port to a VLAN, make sure the VLAN already exists.
Configuring a Hybrid-Port-Based VLAN
A Hybrid port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view.
Follow these steps to configure the Hybrid-port-based VLAN:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the port link type as Hybrid |
port link-type hybrid |
Required |
|
Allow the specified VLANs to pass through the current Hybrid port |
port hybrid vlan vlan-id-list { tagged | untagged } |
Required By default, all Hybrid ports only allow packets of VLAN 1 to pass. |
|
Configure the default VLAN of the Hybrid port |
port hybrid pvid vlan vlan-id |
Optional VLAN 1 is the default by default |
l To configure a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then a Hybrid port.
l Ensure that the VLANs already exist before configuring them to pass through a Hybrid port.
l The default VLAN IDs of the Hybrid ports on the local and the peer devices must be the same. Otherwise, packets cannot be transmitted properly.
Configuring a Trunk-Port-Based VLAN
A Trunk port may belong to multiple VLANs, and you can only perform this configuration in Ethernet port view.
Follow these steps to configure the Trunk-port-based VLAN:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the port link type as Trunk |
port link-type trunk |
Required |
|
Allow the specified VLANs to pass through the current Trunk port |
port trunk permit vlan { vlan-id-list | all } |
Required By default, all Trunk ports only allow packets of VLAN 1 to pass. |
|
Configure the default VLAN for the Trunk port |
port trunk pvid vlan vlan-id |
Optional VLAN 1 is the default by default. |
l To convert a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then a Hybrid port.
l The default VLAN IDs of the Trunk ports on the local and peer devices must be the same. Otherwise, packets cannot be transmitted properly.
Displaying and Maintaining Port-Based VLAN
|
To do… |
Use the command… |
Remarks |
|
Display the hybrid or trunk ports |
display port { hybrid | trunk } |
Available in any view. |
Port-Based VLAN Configuration Example
Network requirements
l As shown in Figure 2-1, Switch A and Switch B each connect to a server and a workstation (Host).
l For data security concerns, the two servers are assigned to VLAN 101 with the descriptive string being “DMZ”, and the PCs are assigned to VLAN 201.
l The devices within each VLAN can communicate with each other but that in different VLANs cannot communicate with each other directly.
Network diagram
Figure 2-1 Network diagram for VLAN configuration
Configuration procedure
l Configure Switch A.
# Create VLAN 101, specify its descriptive string as “DMZ”, and add Ethernet1/0/1 to VLAN 101.
<SwitchA> system-view
[SwitchA] vlan 101
[SwitchA-vlan101] description DMZ
[SwitchA-vlan101] port Ethernet 1/0/1
[SwitchA-vlan101] quit
# Create VLAN 201, and add Ethernet1/0/2 to VLAN 201.
[SwitchA] vlan 201
[SwitchA-vlan201] port Ethernet 1/0/2
[SwitchA-vlan201] quit
l Configure Switch B.
# Create VLAN 101, specify its descriptive string as “DMZ”, and add Ethernet1/0/11 to VLAN 101.
<SwitchB> system-view
[SwitchB] vlan 101
[SwitchB-vlan101] description DMZ
[SwitchB-vlan101] port Ethernet 1/0/11
[SwitchB-vlan101] quit
# Create VLAN 201, and add Ethernet1/0/12 to VLAN 201.
[SwitchB] vlan 201
[SwitchB-vlan201] port Ethernet 1/0/12
[SwitchB-vlan201] quit
l Configure the link between Switch A and Switch B.
Because the link between Switch A and Switch B need to transmit data of both VLAN 101 and VLAN 102, you can configure the ports at the end of the link as trunk ports and permit packets of the two VLANs to pass through.
# Configure Ethernet1/0/3 of Switch A.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] port link-type trunk
[SwitchA-Ethernet1/0/3] port trunk permit vlan 101
[SwitchA-Ethernet1/0/3] port trunk permit vlan 201
# Configure Ethernet1/0/10 of Switch B.
[SwitchB] interface Ethernet 1/0/10
[SwitchB-Ethernet1/0/10] port link-type trunk
[SwitchB-Ethernet1/0/10] port trunk permit vlan 101
[SwitchB-Ethernet1/0/10] port trunk permit vlan 201
Troubleshooting Ethernet Port Configuration
Symptom: Fail to configure the default VLAN ID of an Ethernet port.
Solution: Take the following steps.
l Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
l If the port is not a trunk or hybrid port, configure it to be a trunk or hybrid port.
l Configure the default VLAN ID of the port.
For information about the display interface command, refer to Port Basic Configuration in this manual.
Configuring a MAC-Based VLAN
l The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
l MAC-based VLANs are available only on hybrid ports.
MAC-Based VLAN Configuration Task List
Complete these tasks to configure MAC-Based VLAN:
|
Task |
Remarks |
|
Required |
|
|
Optional |
Configuring a MAC-Based VLAN
Configuration prerequisites
Create a VLAN before configuring the VLAN as a protocol-based VLAN.
Configuration procedure
Follow these steps to configure a MAC-based VLAN:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Associate MAC addresses with a VLAN |
mac-vlan mac-address mac-address vlan vlan-id [ priority priority ] |
Required |
|
Enter Ethernet interface view |
interface interface-type interface-number |
Required. In Ethernet interface view, the subsequent configurations apply only to the current port. |
|
Configure the link type of the port(s) as hybrid |
port link-type hybrid |
Required |
|
Configure the current hybrid port(s) to permit packets of specific MAC-based VLANs to pass through |
port hybrid vlan vlan-id-list { tagged | untagged } |
Required By default, a hybrid port only permits the packets of VLAN 1 to pass through. |
|
Enable MAC-based VLAN |
mac-vlan enable |
Required Disabled by default |
Displaying MAC-Based VLAN Configuration
|
To do... |
Use the command… |
|
Display MAC address-to-VLAN entries |
display mac-vlan { all | dynamic | static | vlan vlan-id } |
|
Display all interfaces with MAC-based VLAN enabled |
display mac-vlan interface |
Configuring a Protocol-Based VLAN
The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
Protocol-Based VLAN Configuration Task List
Complete these tasks to configure protocol-based VLAN:
|
Task |
Remarks |
|
Required |
|
|
Required |
|
|
Optional |
Configuring a Protocol Template for a Protocol-Based VLAN
Configuration prerequisites
Create a VLAN before configuring the VLAN as a protocol-based VLAN.
Configuration procedure
Follow these steps to configure the protocol template for a VLAN:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter VLAN view |
vlan vlan-id |
— |
|
Configure the protocol template for the VLAN |
protocol-vlan [ protocol-index ] { at | ip | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype etype-id } } |
Required By default, no protocol template is configured for the VLAN. |
When configuring a protocol template for a protocol-based VLAN, use the at, ip or ipx keyword to configure a standard template to match AppleTalk, IP, and IPX packets respectively, and use the mode keyword to configure a user-defined template.
l At present, the S3100 series support only the standard templates of AppleTalk and IP, the standard template of IPX encapsulated in Ethernet II format, and the user-defined templates matching the Ethernet II encapsulation format. Protocol templates matching 802.2/802.3 encapsulation formats and their extended encapsulation formats are not supported on the S3100 series currently.
l Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and associate the two protocol types with the same port to avoid that ARP packets and IP packets are not assigned to the same VLAN, which will cause IP address resolution failure.
l When you use the mode keyword to configure a user-defined protocol template, if you set the etype-id argument for ethernetii packets to 0x0800, 0x8137, or 0x809B, the matching packets will take the same format as that of the IP, IPX, and AppleTalk packets respectively. To prevent two commands from processing packets of the same protocol type in different ways, the switch will prompt that you cannot set the etype-id argument for Ethernet II packets to 0x0800, 0x8137, or 0x809B.
Associating a Port with a Protocol-Based VLAN
Configuration prerequisites
l The protocol template for the protocol-based VLAN is configured.
l The port is configured as a hybrid port, and the port is configured to remove VLAN tags when it forwards the packets of the protocol-based VLANs.
Configuration procedure
Follow these steps to associate a port with the protocol-based VLAN:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter port view |
interface interface-type interface-number |
— |
|
Associate the port with the specified protocol-based VLAN |
port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all } |
Required By default, a port is not associated with any protocol-based VLAN. |
Displaying Protocol-Based VLAN Configuration
|
To do... |
Use the command... |
Remarks |
|
Display the information about the protocol-based VLAN |
display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static] |
Available in any view |
|
Display the protocol information and protocol indexes configured on the specified VLAN |
display protocol-vlan vlan { vlan-id [ to vlan-id ] | all } |
|
|
Display the protocol information and protocol indexes configured on the specified port |
display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all } |
Protocol-Based VLAN Configuration Example
Network requirements
l As shown in Figure 2-2, Workroom connects to the LAN through port Ethernet 1/0/10 on the S3100 switch.
l IP network and AppleTalk network workstations (hosts) coexist in the Workroom.
l The S3100 switch connects to VLAN 100 (using IP network) through Ethernet 1/0/11 and to VLAN 200 (using AppleTalk network) through Ethernet 1/0/12.
l Configure the switch to automatically assign the IP and AppleTalk packets to proper VLANs for transmission, so as to ensure the normal communication between the workstations and servers.
Network diagram
Figure 2-2 Network diagram for protocol-based VLAN configuration
Configuration procedure
# Create VLAN 100 and VLAN 200, and add Ethernet 1/0/11 and Ethernet 1/0/12 to VLAN 100 and VLAN 200 respectively.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] port Ethernet 1/0/11
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] port Ethernet 1/0/12
# Configure protocol templates for VLAN 200 and VLAN 100, matching AppleTalk protocol and IP protocol respectively.
[Switch-vlan200] protocol-vlan at
[Switch-vlan200] quit
[Switch] vlan 100
[Switch-vlan100] protocol-vlan ip
# To ensure the normal operation of IP network, you need to configure a user-defined protocol template for VLAN 100 to match the ARP protocol (assume Ethernet II encapsulation is adopted here).
[Switch-vlan100] protocol-vlan mode ethernetii etype 0806
# Display the created protocol-based VLANs and the protocol templates.
[Switch-vlan100] display protocol-vlan vlan all
VLAN ID: 100
VLAN Type: Protocol-based VLAN
Protocol Index Protocol Type
0 ip
1 ethernetii etype 0x0806
VLAN ID: 200
VLAN Type: Protocol-based VLAN
Protocol Index Protocol Type
0 at
# Configure Ethernet 1/0/10 as a hybrid port, which removes the VLAN tag of the packets of VLAN 100 and VLAN 200 before forwarding the packets.
[Switch-vlan100] quit
[Switch] interface Ethernet 1/0/10
[Switch-Ethernet1/0/10] port link-type hybrid
[Switch-Ethernet1/0/10] port hybrid vlan 100 200 untagged
# Associate Ethernet 1/0/10 with protocol template 0 and 1 of VLAN 100, and protocol template 0 of VLAN 200.
[Switch-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 0 to 1
[Switch-Ethernet1/0/10] port hybrid protocol-vlan vlan 200 0
# Display the associations between Ethernet 1/0/10 and the VLAN protocol templates to verify your configuration.
[Switch-Ethernet1/0/10] display protocol-vlan interface Ethernet 1/0/10
Interface:Ethernet1/0/10
VLAN ID Protocol-Index Protocol-Type
100 0 ip
100 1 ethernetii etype 0x0806
200 0 at
The above output information indicates that Ethernet 1/0/10 has already been associated with the corresponding protocol templates of VLAN 100 and VLAN 200. Thus, packets from the IP and AppleTalk workstations can be automatically assigned to VLAN 100 and VLAN 200 respectively for transmission by matching the corresponding protocol templates, so as to realize the normal communication between workstations and servers.