04-Layer 2 - LAN Switching Configuration Guide

01-VLAN Configuration

Configuring VLANs
Introduction to VLAN
VLAN overview
VLAN fundamentals
Types of VLAN
Protocols and standards
Configuring basic VLAN settings
Configuring basic settings of a VLAN interface
VLAN interface overview
Configuration procedure
VLAN interface configuration example
Configuring port-based VLANs
Introduction to port-based VLANs
Assigning an access port to a VLAN
Assigning a trunk port to a VLAN
Assigning a hybrid port to a VLAN
Port-based VLAN configuration example
Configuring MAC-based VLANs
Introduction to MAC-based VLAN
Configuring a MAC-based VLAN
MAC-based VLAN configuration example
Configuring protocol-based VLANs
Introduction to protocol-based VLAN
Configuring a protocol-based VLAN
Protocol-based VLAN configuration example
Configuring IP subnet-based VLANs
Introduction to IP subnet-based VLAN
Configuring an IP subnet-based VLAN
IP subnet-based VLAN configuration example
Displaying and maintaining VLAN
Super VLAN configuration
Overview
Configuring a super VLAN
Displaying and maintaining super VLAN
Super VLAN configuration example
Voice VLAN configuration
Overview
OUI addresses
Voice VLAN assignment modes
Security mode and normal mode of voice VLANs
Configuring a voice VLAN
Configuration prerequisites
Configuring QoS priority settings for voice traffic on an interface
Configuring a port to operate in automatic voice VLAN assignment mode
Configuring a port to operate in manual voice VLAN assignment mode
Displaying and maintaining voice VLAN
Voice VLAN configuration examples
Automatic voice VLAN mode configuration example
Manual voice VLAN assignment mode configuration example

 


Introduction to VLAN

VLAN overview

Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on Ethernet networks. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 1.

Figure 1 A VLAN diagram

 

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, all workstations and servers used by a particular workgroup can be connected to the same LAN, regardless of their physical locations.

VLAN technology delivers the following benefits:

·           Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance.

·           Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.

·           Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.

VLAN fundamentals

To enable a switch to identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation.

The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by the Institute of Electrical and Electronics Engineers (IEEE) in 1999.

In the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address is the Type field indicating the upper layer protocol type, as shown in Figure 2.

Figure 2 Traditional Ethernet frame format

 

IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 3.

Figure 3 Position and format of VLAN tag

 

A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.

·           The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.

·           The 3-bit priority field indicates the 802.1p priority of the frame. For more information about frame priority, see ACL and QoS Configuration Guide.

·           The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Value 0 indicates that MAC addresses are encapsulated in the standard format; value 1 indicates that MAC addresses are encapsulated in a non-standard format. The value of the field is 0 by default.

·           The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.

A switch handles an incoming frame depending on whether the frame is VLAN tagged and the value of the VLAN tag, if any. For more information, see “Introduction to port-based VLANs.”

 

 

NOTE:

·       The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, Ethernet also supports other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw. The VLAN tag fields are added to frames encapsulated in these formats for VLAN identification.

·       When a frame carrying multiple VLAN tags passes through, the switch processes the frame according to its outer VLAN tag and transmits its inner tags as payload.
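
The tag layout above, including the multiple-tag behaviour described in the NOTE, as an added Python example (not part of the H3C guide): it decodes the TPID, priority, CFI and VLAN ID fields and reports which tag a switch acts on. The helper names and sample frames are constructed for illustration, and only Ethernet II encapsulation with TPID 0x8100 is handled.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100        # TPID value that marks a VLAN-tagged frame
RESERVED_VIDS = {0, 4095}  # reserved by the protocol; usable IDs are 1 to 4094


@dataclass
class VlanTag:
    priority: int  # 3-bit 802.1p priority
    cfi: int       # 1-bit canonical format indicator (0 by default)
    vlan_id: int   # 12-bit VLAN ID


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag]  # outermost tag first
    ethertype: int       # Type field that follows the last tag
    payload: bytes


def mac_str(raw: bytes) -> str:
    """Format six bytes the way the switch CLI prints MACs (xxxx-xxxx-xxxx)."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def parse_frame(raw: bytes) -> Frame:
    """Parse DA, SA, every stacked 802.1Q tag, the Type field and the payload."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet II header")
    offset, tags = 12, []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("frame ends inside the tag stack")
        (etype,) = struct.unpack_from("!H", raw, offset)
        if etype != TPID_8021Q:
            break
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, offset + 2)
        tags.append(VlanTag(tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4
    return Frame(mac_str(raw[0:6]), mac_str(raw[6:12]), tags, etype, raw[offset + 2:])


def switch_view(raw: bytes) -> dict:
    """Summarise the frame as the guide says a switch treats it: only the outer
    tag selects the VLAN, and any inner tags travel as payload."""
    f = parse_frame(raw)
    outer: Optional[VlanTag] = f.tags[0] if f.tags else None
    return {
        "tagged": outer is not None,
        "outer_vlan": outer.vlan_id if outer else None,
        "priority": outer.priority if outer else None,
        "inner_vlans": [t.vlan_id for t in f.tags[1:]],
        "reserved_vid": outer is not None and outer.vlan_id in RESERVED_VIDS,
    }


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Construct a sample frame; tags is a list of (priority, cfi, vlan_id)."""
    out = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    for prio, cfi, vid in tags:
        out += struct.pack("!HH", TPID_8021Q, (prio << 13) | (cfi << 12) | vid)
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (MAC addresses borrowed from the guide's later example).
SRC, DST = "000d-88f8-4e71", "0014-222c-aa69"
UNTAGGED = build_frame(DST, SRC, [], 0x0800, b"ip-packet")
SINGLE = build_frame(DST, SRC, [(5, 0, 100)], 0x0800, b"ip-packet")
STACKED = build_frame(DST, SRC, [(0, 0, 100), (0, 0, 200)], 0x0800, b"ip-packet")

if __name__ == "__main__":
    for name, raw in (("untagged", UNTAGGED), ("single", SINGLE), ("stacked", STACKED)):
        print(name, switch_view(raw))
```
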

 

Types of VLAN

You can implement VLAN based on the following criteria:

·           Port

·           MAC address

·           Protocol

·           IP subnet

Protocols and standards

·           IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

Configuring basic VLAN settings

To configure basic VLAN settings:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create VLANs.
    Command: vlan { vlan-id1 [ to vlan-id2 ] | all }
    Remarks: Optional. You can use this command to create multiple VLANs in bulk.

Step 3. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: By default, only the default VLAN (that is, VLAN 1) exists in the system. If the specified VLAN does not exist, this command creates the VLAN first.

Step 4. Configure a name for the VLAN.
    Command: name text
    Remarks: Optional. By default, the name of a VLAN is its VLAN ID, for example, VLAN 0001.

Step 5. Configure the description of the current VLAN.
    Command: description text
    Remarks: Optional. By default, VLAN ID is used, for example, VLAN 0001.

 

 

NOTE:

·       As the default VLAN, VLAN 1 cannot be created or removed.

·       The switch does not support VLAN 4094 when it works in hybrid mode. For more information about system working modes, see Fundamentals Configuration Guide.

 

Configuring basic settings of a VLAN interface

VLAN interface overview

For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding. To achieve this, VLAN interfaces are used.

VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on switches. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN.

Configuration procedure

To configure basic settings of a VLAN interface:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a VLAN interface and enter VLAN interface view.
    Command: interface vlan-interface vlan-interface-id
    Remarks: If the VLAN interface already exists, you enter its view directly.

Step 3. Assign an IP address to the VLAN interface.
    Command: ip address ip-address { mask | mask-length } [ sub ]
    Remarks: Optional. By default, no IP address is assigned to any VLAN interface.

Step 4. Configure the description of the VLAN interface.
    Command: description text
    Remarks: Optional. By default, the VLAN interface name is used, for example, Vlan-interface1 Interface.

Step 5. Set the MTU for the VLAN interface.
    Command: mtu size
    Remarks: Optional. The default setting is 1500 bytes.

Step 6. Restore the default settings for the VLAN interface.
    Command: default
    Remarks: Optional.

Step 7. Bring up the VLAN interface.
    Command: undo shutdown
    Remarks: Optional. By default, a VLAN interface is in the down state. After you bring up a VLAN interface, the VLAN interface is up if one or more ports in the VLAN is up, and goes down if all ports in the VLAN go down.
    A VLAN interface shut down with the shutdown command, however, will be in the DOWN (Administratively) state until you bring it up, regardless of how the state of the ports in the VLAN changes.

 

 

NOTE:

Before creating a VLAN interface for a VLAN, create the VLAN first.

 

VLAN interface configuration example

Network requirements

As shown in Figure 4, PC A is assigned to VLAN 5. PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other.

Configure VLAN interfaces on Switch A and configure the PCs to enable Layer 3 communication between the PCs.

Figure 4 Network diagram

 

Configuration procedure

1.      Configure Switch A:

# Create VLAN 5 and assign GigabitEthernet 3/0/1 to it.

<SwitchA> system-view

[SwitchA] vlan 5

[SwitchA-vlan5] port gigabitethernet 3/0/1

# Create VLAN 10 and assign GigabitEthernet 3/0/2 to it.

[SwitchA-vlan5] vlan 10

[SwitchA-vlan10] port gigabitethernet 3/0/2

[SwitchA-vlan10] quit

# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.

[SwitchA] interface vlan-interface 5

[SwitchA-Vlan-interface5] ip address 192.168.0.10 24

[SwitchA-Vlan-interface5] quit

# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 192.168.1.20 24

[SwitchA-Vlan-interface10] return

2.      Configure PC A:

# Configure the default gateway of the PC as 192.168.0.10.

3.      Configure PC B:

# Configure the default gateway of the PC as 192.168.1.20.

Verifying the configuration

1.      The PCs can ping each other.

2.      Display brief information about Layer 3 interfaces on Switch A to verify the configuration.

<SwitchA> display ip interface brief

*down: administratively down

(s): spoofing

Interface                     Physical Protocol IP Address      Description

Vlan5                         up       up       192.168.0.10    Vlan-inte...

Vlan10                        up       up       192.168.1.20    Vlan-inte...

Configuring port-based VLANs

Introduction to port-based VLANs

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

Port link type

You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods:

·           An access port belongs to only one VLAN and sends traffic untagged.

It is usually used to connect a terminal device unable to recognize VLAN-tagged packets or when there is no need to separate different VLAN members. As shown in Figure 5, Device A is connected to common PCs that cannot recognize VLAN-tagged packets, and you must configure Device A’s ports that connect the PCs as access ports.

·           A trunk port can carry multiple VLANs to receive and send traffic for them.

Except for traffic of the port VLAN ID (PVID), traffic sent through a trunk port is VLAN tagged. Usually, ports connecting network devices are configured as trunk ports. As shown in Figure 5, because Device A and Device B need to transmit packets of VLAN 2 and VLAN 3, you must configure the ports connecting Device A and Device B as trunk ports, and assign them to VLAN 2 and VLAN 3.

·           Like a trunk port, a hybrid port can carry multiple VLANs to receive and send traffic for them.

Unlike a trunk port, a hybrid port allows traffic of all VLANs to pass through untagged. Usually, hybrid ports are configured to connect network devices whose support for VLAN-tagged packets you are uncertain about. As shown in Figure 5, Device C connects a small-sized LAN in which some PCs belong to VLAN 2 while some other PCs belong to VLAN 3. In this case, you must configure Device B’s port connecting to Device C as a hybrid port that allows packets of VLAN 2 and VLAN 3 to pass through untagged.

Figure 5 Network diagram

 

PVID

By default, VLAN 1 is the PVID for all ports. You can configure the PVID for a port as required.

Use the following guidelines when you configure the PVID on a port:

·           An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port. The PVID of the access port changes along with the VLAN to which the port belongs.

·           A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.

·           You can use a nonexistent VLAN as the PVID for a hybrid or trunk port but not for an access port. After you remove the VLAN that an access port resides in with the undo vlan command, the PVID of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid port, however, does not affect the PVID setting on the port.

 

 

NOTE:

·       H3C recommends that you set the same PVID on local and remote ports.

·       Make sure that a port is assigned to its PVID. Otherwise, when receiving frames tagged with the PVID or untagged frames (including protocol packets such as MSTP BPDUs), the port filters out these frames.

 

The following table shows how ports of different link types handle frames:

 

Port type: Access
    Inbound, untagged frame: Tag the frame with the PVID.
    Inbound, tagged frame:
        ·   Receive the frame if its VLAN ID is the same as the PVID.
        ·   Drop the frame if its VLAN ID is different from the PVID.
    Outbound: Remove the PVID tag and send the frame.

Port type: Trunk
    Inbound, untagged frame: Check whether the PVID is permitted on the port:
        ·   If yes, tag the frame with the PVID.
        ·   If not, drop the frame.
    Inbound, tagged frame:
        ·   Receive the frame if its VLAN is carried on the port.
        ·   Drop the frame if its VLAN is not carried on the port.
    Outbound:
        ·   Remove the tag and send the frame if the frame carries the PVID and the port is assigned to the PVID.
        ·   Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one.

Port type: Hybrid
    Inbound, untagged frame: Same as for a trunk port.
    Inbound, tagged frame: Same as for a trunk port.
    Outbound: Send the frame if its VLAN is carried on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This also applies to the PVID.
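
The frame handling rules above, as an added Python model (not part of the H3C guide) that walks a frame through an inbound and an outbound port. It uses the ports of the port-based VLAN configuration example later in this guide, plus one constructed trunk whose PVID was never permitted, to show the filtering the NOTE on PVID assignment warns about. Class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    name: str
    link_type: str = "access"   # "access", "trunk" or "hybrid"
    pvid: int = 1               # VLAN 1 is the default PVID
    permitted: Set[int] = field(default_factory=lambda: {1})  # trunk/hybrid VLANs
    untagged: Set[int] = field(default_factory=set)  # hybrid: VLANs sent untagged

    def carries(self, vid: int) -> bool:
        """True if the port is a member of the VLAN."""
        if self.link_type == "access":
            return vid == self.pvid      # an access port belongs to one VLAN only
        return vid in self.permitted


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Inbound rules: return the VLAN the frame is placed in, or None if the
    port drops it. tag is None for an untagged frame."""
    if tag is None:
        if port.link_type == "access":
            return port.pvid
        # Trunk and hybrid: the PVID must itself be permitted on the port.
        return port.pvid if port.pvid in port.permitted else None
    return tag if port.carries(tag) else None


def egress(port: Port, vid: int) -> Optional[str]:
    """Outbound rules: 'untagged', 'tagged', or None if the port is not in the VLAN."""
    if not port.carries(vid):
        return None
    if port.link_type == "access":
        return "untagged"
    if port.link_type == "trunk":
        return "untagged" if vid == port.pvid else "tagged"
    return "untagged" if vid in port.untagged else "tagged"  # hybrid: as configured


def relay(in_port: Port, tag: Optional[int], out_port: Port) -> Tuple[str, Optional[int]]:
    """Pass one frame through a switch; return (status, tag on the wire)."""
    vid = ingress(in_port, tag)
    if vid is None:
        return ("dropped-on-ingress", None)
    how = egress(out_port, vid)
    if how is None:
        return ("not-in-vlan", None)
    return ("sent", vid if how == "tagged" else None)


# Device A ports from the guide's port-based VLAN example, plus one
# constructed misconfiguration: a trunk whose PVID (5) was never permitted.
GE1 = Port("GigabitEthernet3/0/1", "access", pvid=100)
GE2 = Port("GigabitEthernet3/0/2", "access", pvid=200)
GE3 = Port("GigabitEthernet3/0/3", "trunk", pvid=1, permitted={1, 100, 200})
BAD_TRUNK = Port("constructed trunk", "trunk", pvid=5, permitted={1, 100, 200})

if __name__ == "__main__":
    print("host in VLAN 100 -> trunk:", relay(GE1, None, GE3))
    print("trunk, tag 100 -> VLAN 200 access port:", relay(GE3, 100, GE2))
    print("untagged frame on misconfigured trunk:", ingress(BAD_TRUNK, None))
```
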

 

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view, Ethernet interface view, Layer 2 aggregate interface view, or port group view.

To assign one or multiple access ports to a VLAN in VLAN view:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: If the specified VLAN does not exist, this command creates the VLAN first.

Step 3. Assign one or a group of access ports to the current VLAN.
    Command: port interface-list
    Remarks: By default, all ports belong to VLAN 1.

 

To assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command:
        ·   Enter Ethernet interface view: interface interface-type interface-number
        ·   Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
        ·   Enter port group view: port-group manual port-group-name
    Remarks: N/A

Step 3. Configure the link type of the port or ports as access.
    Command: port link-type access
    Remarks: Optional. By default, the link type of a port is access.

Step 4. Assign the current access ports to a VLAN.
    Command: port access vlan vlan-id
    Remarks: Optional. By default, all access ports belong to VLAN 1.

 

 

NOTE:

·       Before assigning an access port to a VLAN, create the VLAN first.

·       In VLAN view, you can assign only Layer 2 Ethernet ports to the current VLAN.

 

Assigning a trunk port to a VLAN

A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view or port group view.

To assign a trunk port to one or multiple VLANs:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command:
        ·   Enter Ethernet interface view: interface interface-type interface-number
        ·   Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
        ·   Enter port group view: port-group manual port-group-name
    Remarks: N/A

Step 3. Configure the link type of the port or ports as trunk.
    Command: port link-type trunk
    Remarks: By default, the link type of a port is access.

Step 4. Assign the trunk ports to the specified VLANs.
    Command: port trunk permit vlan { vlan-id-list | all }
    Remarks: By default, a trunk port carries only VLAN 1.

Step 5. Configure the PVID of the trunk ports.
    Command: port trunk pvid vlan vlan-id
    Remarks: Optional. By default, the PVID is VLAN 1.

 

 

NOTE:

·       To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.

·       After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.

 

Assigning a hybrid port to a VLAN

A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view or port group view.

To assign a hybrid port to one or multiple VLANs:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command:
        ·   Enter Ethernet interface view: interface interface-type interface-number
        ·   Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
        ·   Enter port group view: port-group manual port-group-name
    Remarks: N/A

Step 3. Configure the link type of the ports as hybrid.
    Command: port link-type hybrid
    Remarks: By default, the link type of a port is access.

Step 4. Assign the hybrid ports to the specified VLANs.
    Command: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: By default, a hybrid port allows only packets of VLAN 1 to pass through untagged.

Step 5. Configure the PVID of the hybrid port.
    Command: port hybrid pvid vlan vlan-id
    Remarks: Optional. By default, the PVID is VLAN 1.

 

 

NOTE:

·       To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.

·       Before assigning a hybrid port to a VLAN, create the VLAN first.

·       After configuring the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.

 

Port-based VLAN configuration example

Network requirements

As shown in Figure 6, Host A and Host C belong to Department A, and access the enterprise network through different switches. Host B and Host D belong to Department B. They also access the enterprise network through different switches.

To ensure communication security and prevent broadcast storms, VLANs are configured in the enterprise network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to Department A, and VLAN 200 is assigned to Department B.

Make sure that hosts within the same VLAN can communicate with each other: Host A can communicate with Host C, and Host B can communicate with Host D.

Figure 6 Network diagram

 

Configuration procedure

1.      Configure Device A

# Create VLAN 100, and assign port GigabitEthernet 3/0/1 to VLAN 100.

<DeviceA> system-view

[DeviceA] vlan 100

[DeviceA-vlan100] port GigabitEthernet 3/0/1

[DeviceA-vlan100] quit

# Create VLAN 200, and assign port GigabitEthernet 3/0/2 to VLAN 200.

[DeviceA] vlan 200

[DeviceA-vlan200] port GigabitEthernet 3/0/2

[DeviceA-vlan200] quit

# Configure port GigabitEthernet 3/0/3 as a trunk port, and assign it to VLANs 100 and 200, thus enabling GigabitEthernet 3/0/3 to forward traffic of VLANs 100 and 200 to Device B.

[DeviceA] interface gigabitethernet 3/0/3

[DeviceA-GigabitEthernet3/0/3] port link-type trunk

[DeviceA-GigabitEthernet3/0/3] port trunk permit vlan 100 200

Please wait... Done.

2.      Configure Device B as you configure Device A.

3.      Configure Host A and Host C to be on the same network segment, 192.168.100.0/24 for example. Configure Host B and Host D to be on the same network segment, 192.168.200.0/24 for example.

Verifying the configuration

1.      Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and Host D can ping each other successfully, but they both fail to ping Host A.

2.      Check whether the configuration is successful by displaying relevant VLAN information.

# Display information about VLANs 100 and 200 on Device A:

[DeviceA-GigabitEthernet3/0/3] display vlan 100

 VLAN ID: 100

 VLAN Type: static

 Route Interface: not configured

 Description: VLAN 0100

 Name: VLAN 0100

 Broadcast MAX-ratio: 100%

 Tagged   Ports:

    GigabitEthernet3/0/3

 Untagged Ports:

    GigabitEthernet3/0/1

[DeviceA-GigabitEthernet3/0/3] display vlan 200

 VLAN ID: 200

 VLAN Type: static

 Route Interface: not configured

 Description: VLAN 0200

 Name: VLAN 0200

 Broadcast MAX-ratio: 100%

Tagged   Ports:

    GigabitEthernet3/0/3

 Untagged Ports:

    GigabitEthernet3/0/2

Configuring MAC-based VLANs

Introduction to MAC-based VLAN

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

Static MAC-based VLAN assignment

Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In such a network, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port to MAC-based VLANs.

With static MAC-based VLAN assignment configured on a port, the device processes received frames by using the following guidelines:

·           When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map based on the source MAC address of the frame for a match.

    ·       The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID.

    ·       If the fuzzy match fails, the device performs an exact match. In the exact match, the device searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the device tags the frame with the corresponding VLAN ID.

    ·       If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP subnet or protocol, and forwards the frame.

    ·       If no VLAN is available, the device tags the frame with the PVID of the receiving port and forwards the frame.

·           When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is permitted by the port, or otherwise drops the frame.
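
The lookup order above, as an added Python sketch (not part of the H3C guide). It uses the two laptop MAC addresses from the configuration example later in this section and adds one constructed masked entry for VLAN 300 to show that, in the order stated, a fuzzy entry is consulted before an exact entry for the same host. Function names are hypothetical, and the order among several fuzzy entries is assumed to be table order because the guide does not state it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

ALL_F = 0xFFFFFFFFFFFF  # mask of an exact-match entry (ffff-ffff-ffff)


def mac_to_int(mac: str) -> int:
    """Parse the xxxx-xxxx-xxxx notation used by the switch CLI."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int
    mask: int
    vlan: int


def make_entry(mac: str, mask: str, vlan: int) -> MacVlanEntry:
    m, k = mac_to_int(mac), mac_to_int(mask)
    if m & k != m:
        # (source AND mask) can never equal a MAC that has bits outside the mask.
        raise ValueError(f"{mac} has bits outside mask {mask}; entry can never match")
    return MacVlanEntry(m, k, vlan)


def classify_untagged(src_mac: str, table: List[MacVlanEntry], pvid: int,
                      other_criteria: Optional[Callable[[str], Optional[int]]] = None
                      ) -> Tuple[int, str]:
    """Return (VLAN, reason) for an untagged frame, following the guide's order."""
    src = mac_to_int(src_mac)
    for e in table:                      # 1. fuzzy match: masks that are not all-Fs
        if e.mask != ALL_F and (src & e.mask) == e.mac:
            return e.vlan, "fuzzy"
    for e in table:                      # 2. exact match: all-F masks
        if e.mask == ALL_F and src == e.mac:
            return e.vlan, "exact"
    if other_criteria is not None:       # 3. other criteria (IP subnet, protocol)
        vlan = other_criteria(src_mac)
        if vlan is not None:
            return vlan, "other"
    return pvid, "pvid"                  # 4. PVID of the receiving port


def receive(src_mac: str, tag: Optional[int], table: List[MacVlanEntry], pvid: int,
            permitted: Set[int]) -> Optional[Tuple[int, str]]:
    """Port behaviour for any frame; None means the frame is dropped."""
    if tag is not None:
        # Tagged frames bypass the MAC map: only the port's permitted VLANs count.
        return (tag, "tagged") if tag in permitted else None
    return classify_untagged(src_mac, table, pvid)


# Entries from the guide's example (Laptop 1 and Laptop 2).
PAGE_TABLE = [
    make_entry("000d-88f8-4e71", "ffff-ffff-ffff", 100),
    make_entry("0014-222c-aa69", "ffff-ffff-ffff", 200),
]
# Constructed: a masked entry covering Laptop 1's first three bytes.
WITH_FUZZY = PAGE_TABLE + [make_entry("000d-8800-0000", "ffff-ff00-0000", 300)]

if __name__ == "__main__":
    print(classify_untagged("000d-88f8-4e71", PAGE_TABLE, pvid=1))
    print(classify_untagged("000d-88f8-4e71", WITH_FUZZY, pvid=1))
    print(receive("0011-2233-4455", 300, PAGE_TABLE, 1, {1, 100, 200}))
```

When auditing a MAC address-to-VLAN map, review masked entries first: under the order the guide describes, they decide the VLAN before any exact entry is looked at.
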

Dynamic MAC-based VLAN

You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access authentication server.

When a user passes authentication of the access authentication server, the device obtains VLAN information from the server, generates a MAC address-to-VLAN entry by using the source MAC address of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the user goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the port from the MAC-based VLAN.

 

 

NOTE:

For more information about 802.1X, MAC, and portal authentication, see Security Configuration Guide.

 

Configuring a MAC-based VLAN

 

 

NOTE:

·       MAC-based VLANs are available only on hybrid ports.

·       Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation.

 

To configure static MAC-based VLAN assignment:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Associate MAC addresses with a VLAN.
    Command: mac-vlan mac-address mac-address vlan vlan-id [ priority priority ]
    Remarks: N/A

Step 3. Enter interface view or port group view.
    Command:
        ·   Enter Ethernet interface view: interface interface-type interface-number
        ·   Enter port group view: port-group manual port-group-name
    Remarks: N/A

Step 4. Configure the link type of the ports as hybrid.
    Command: port link-type hybrid
    Remarks: By default, the link type of a port is access.

Step 5. Configure the current hybrid ports to permit packets from specific MAC-based VLANs to pass through.
    Command: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.

Step 6. Enable MAC-based VLAN.
    Command: mac-vlan enable
    Remarks: By default, MAC-based VLAN is disabled.

 

To configure dynamic MAC-based VLAN:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command:
        ·   Enter Ethernet interface view: interface interface-type interface-number
        ·   Enter port group view: port-group manual port-group-name
    Remarks: N/A

Step 3. Configure the link type of the ports as hybrid.
    Command: port link-type hybrid
    Remarks: By default, the link type of a port is access.

Step 4. Configure the hybrid ports to permit packets from specific MAC-based VLANs to pass through.
    Command: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.

Step 5. Enable MAC-based VLAN.
    Command: mac-vlan enable
    Remarks: By default, MAC-based VLAN is disabled.

Step 6. Configure 802.1X/MAC/portal authentication.
    Command: For more information, see Security Command Reference.
    Remarks: N/A

 

MAC-based VLAN configuration example

Network requirements

As shown in Figure 7:

·           GigabitEthernet 3/0/1 of Device A and Device C are each connected to a meeting room. Laptop 1 and Laptop 2 are used for meetings and may be used in either of the two meeting rooms.

·           Laptop 1 and Laptop 2 are owned by different departments. The two departments use VLAN 100 and VLAN 200 respectively.

·           The MAC address of Laptop 1 is 000d-88f8-4e71, and that of Laptop 2 is 0014-222c-aa69.

Configure MAC-based VLANs, so that each laptop can access only its own department server no matter which meeting room it is used in.

Figure 7 Network diagram

 

Configuration consideration

·           Create VLANs 100 and 200.

·           Configure the uplink ports of Device A and Device C as trunk ports, and assign them to VLANs 100 and 200.

·           Configure the downlink ports of Device B as trunk ports, and assign them to VLANs 100 and 200. Assign the uplink ports of Device B to VLANs 100 and 200.

·           Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with VLAN 200.

Configuration procedure

1.      Configure Device A

# Create VLANs 100 and 200.

<DeviceA> system-view

[DeviceA] vlan 100

[DeviceA-vlan100] quit

[DeviceA] vlan 200

[DeviceA-vlan200] quit

# Associate the MAC address of Laptop 1 with VLAN 100, and the MAC address of Laptop 2 with VLAN 200.

[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100

[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200

# Configure Laptop 1 and Laptop 2 to access the network through GigabitEthernet 3/0/1: Configure GigabitEthernet 3/0/1 as a hybrid port that sends packets of VLANs 100 and 200 untagged, and enable MAC-based VLAN on it.

[DeviceA] interface gigabitethernet 3/0/1

[DeviceA-GigabitEthernet3/0/1] port link-type hybrid

[DeviceA-GigabitEthernet3/0/1] port hybrid vlan 100 200 untagged

 Please wait... Done.

[DeviceA-GigabitEthernet3/0/1] mac-vlan enable

[DeviceA-GigabitEthernet3/0/1] quit

# Configure the uplink port GigabitEthernet 3/0/2 as a trunk port, and assign it to VLANs 100 and 200, so that the laptops can access Server 1 and Server 2.

[DeviceA] interface gigabitethernet 3/0/2

[DeviceA-GigabitEthernet3/0/2] port link-type trunk

[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan 100 200

[DeviceA-GigabitEthernet3/0/2] quit

2.      Configure Device B

# Create VLANs 100 and 200. Assign GigabitEthernet 3/0/13 to VLAN 100, and GigabitEthernet 3/0/14 to VLAN 200.

<DeviceB> system-view

[DeviceB] vlan 100

[DeviceB-vlan100] port GigabitEthernet 3/0/13

[DeviceB-vlan100] quit

[DeviceB] vlan 200

[DeviceB-vlan200] port GigabitEthernet 3/0/14

[DeviceB-vlan200] quit

# Configure GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 as trunk ports, and assign them to VLANs 100 and 200.

[DeviceB] interface gigabitethernet 3/0/3

[DeviceB-GigabitEthernet3/0/3] port link-type trunk

[DeviceB-GigabitEthernet3/0/3] port trunk permit vlan 100 200

[DeviceB-GigabitEthernet3/0/3] quit

[DeviceB] interface gigabitethernet 3/0/4

[DeviceB-GigabitEthernet3/0/4] port link-type trunk

[DeviceB-GigabitEthernet3/0/4] port trunk permit vlan 100 200

[DeviceB-GigabitEthernet3/0/4] quit

3.      Configure Device C

Configure Device C as you configure Device A.

Verifying the configuration

1.      Laptop 1 can access Server 1 only, and Laptop 2 can access Server 2 only.

2.      On Device A and Device C, you can see that VLAN 100 is associated with the MAC address of Laptop 1, and VLAN 200 is associated with the MAC address of Laptop 2.

[DeviceA] display mac-vlan all

  The following MAC VLAN addresses exist:

  S:Static  D:Dynamic

  MAC ADDR         MASK             VLAN ID   PRIO   STATE

  --------------------------------------------------------

  000d-88f8-4e71   ffff-ffff-ffff   100       0      S

  0014-222c-aa69   ffff-ffff-ffff   200       0      S

 

  Total MAC VLAN address count:2

Configuration guidelines

1.      MAC-based VLAN can be configured only on hybrid ports.

2.      MAC-based VLAN is typically configured on the downlink ports of access layer switches, and hence cannot be configured together with the link aggregation function.
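
The constraints stated in the NOTEs for trunk and hybrid ports (a port must be assigned to its PVID) and in the guidelines above (MAC-based VLAN only on hybrid ports) can be checked offline against a saved configuration. The following Python audit is an added example, not H3C code: the sample configuration is constructed in the layout of a Comware configuration file, and the undo forms of the permit commands are handled as an assumption beyond what this guide shows.

```python
import re
from typing import Dict, List, Set, Tuple


def expand_vlan_list(text: str) -> Set[int]:
    """Expand a vlan-id-list such as '100 200' or '2 to 10 20'; 'all' is 1-4094."""
    if text.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = text.split(), set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def apply_line(port: dict, line: str) -> None:
    """Update one port's state from one configuration line."""
    if m := re.fullmatch(r"port link-type (access|trunk|hybrid)", line):
        port["link_type"] = m.group(1)
    elif m := re.fullmatch(r"port access vlan (\d+)", line):
        port["pvid"] = int(m.group(1))
        port["permitted"] = {int(m.group(1))}
    elif m := re.fullmatch(r"port (?:trunk|hybrid) pvid vlan (\d+)", line):
        port["pvid"] = int(m.group(1))
    elif m := re.fullmatch(r"port trunk permit vlan (.+)", line):
        port["permitted"] |= expand_vlan_list(m.group(1))
    elif m := re.fullmatch(r"port hybrid vlan (.+) (?:tagged|untagged)", line):
        port["permitted"] |= expand_vlan_list(m.group(1))
    elif m := re.fullmatch(r"undo port (?:trunk permit|hybrid) vlan (.+)", line):
        port["permitted"] -= expand_vlan_list(m.group(1))  # assumed undo form
    elif line == "mac-vlan enable":
        port["mac_vlan"] = True


def parse_ports(config: str) -> Dict[str, dict]:
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            # Defaults from the guide: access link type, PVID 1, only VLAN 1 carried.
            current = ports.setdefault(line.split(None, 1)[1], {
                "link_type": "access", "pvid": 1, "permitted": {1}, "mac_vlan": False})
        elif not raw.startswith(" "):
            current = None            # '#' separator or another top-level section
        elif current is not None:
            apply_line(current, line)
    return ports


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for the rules stated in this guide."""
    findings = []
    for name, p in parse_ports(config).items():
        if p["link_type"] in ("trunk", "hybrid") and p["pvid"] not in p["permitted"]:
            findings.append((name, "pvid-not-permitted"))
        if p["mac_vlan"] and p["link_type"] != "hybrid":
            findings.append((name, "mac-vlan-on-non-hybrid-port"))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet3/0/1
 port link-type hybrid
 port hybrid vlan 100 200 untagged
 mac-vlan enable
#
interface GigabitEthernet3/0/5
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 200
 port trunk pvid vlan 5
#
interface GigabitEthernet3/0/6
 port link-type trunk
 port trunk permit vlan 100 to 110
 mac-vlan enable
#
interface GigabitEthernet3/0/7
 port link-type hybrid
 port hybrid vlan 100 tagged
 port hybrid pvid vlan 200
#
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
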

Configuring protocol-based VLANs

Introduction to protocol-based VLAN

 

 

NOTE:

Protocol-based VLAN configuration applies to hybrid ports only.

 

In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT). The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.

A protocol type and an encapsulation format comprise a protocol template. You can create multiple protocol templates for a protocol-based VLAN, and different protocol templates are assigned different protocol-index values. Therefore, a protocol template can be uniquely identified by a protocol-based VLAN ID and a protocol index combined. When you use commands to associate protocol templates with ports, use protocol-based vlan-id + protocol index to specify the protocol templates. An untagged packet reaching a port associated with protocol templates will be processed as follows.

·           If the protocol type and encapsulation format carried in the packet match a protocol template, the packet will be tagged with the VLAN tag corresponding to the protocol template.

·           If the packet matches no protocol templates, the packet will be tagged with the PVID of the port.

The port processes a tagged packet as it processes tagged packets of a port-based VLAN.

·           If the port is assigned to the VLAN corresponding to the VLAN tag carried in the packet, it forwards the packet.

·           If not, it drops the packet.

This feature is mainly used to assign packets of a specific service type to a specific VLAN.
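The assignment rules above as a small Python model, added here as an illustration and not H3C code: it classifies a frame's encapsulation and applies the protocol templates associated with a hybrid port. The port settings, the sample frames, and the mapping of the ipv4 and ipv6 templates to Ethernet II EtherTypes 0x0800 and 0x86DD are assumptions of the model.

```python
"""Model of ingress VLAN assignment on a hybrid port with protocol templates.

Illustrative only: it follows the rules stated in the text, not switch firmware.
"""
import struct
from dataclasses import dataclass, field

ETH_II, RAW, LLC, SNAP = "ethernetii", "raw", "llc", "snap"


def classify(frame: bytes):
    """Return ("tagged", vlan_id) or (encapsulation, key) for an Ethernet frame."""
    if len(frame) < 17:
        raise ValueError("frame too short to classify")
    (type_len,) = struct.unpack_from("!H", frame, 12)
    if type_len == 0x8100:                   # 802.1Q tag: VLAN ID is the low 12 bits
        return "tagged", struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    if type_len >= 0x0600:                   # value is an EtherType: Ethernet II
        return ETH_II, type_len
    dsap, ssap = frame[14], frame[15]        # value is a length: 802.3 framing
    if (dsap, ssap) == (0xFF, 0xFF):         # no LLC header: 802.3 raw
        return RAW, None
    if (dsap, ssap) == (0xAA, 0xAA):         # LLC + SNAP: EtherType follows the OUI
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        return SNAP, struct.unpack_from("!H", frame, 20)[0]
    return LLC, (dsap, ssap)                 # plain 802.2 LLC


@dataclass(frozen=True)
class Template:
    """One protocol template, identified by VLAN ID plus protocol index."""
    vlan_id: int
    index: int
    encap: str
    key: object                              # EtherType, (dsap, ssap), or None for raw


@dataclass
class HybridPort:
    pvid: int = 1
    permitted: set = field(default_factory=lambda: {1})
    templates: list = field(default_factory=list)

    def ingress(self, frame: bytes):
        """Return (action, vlan_id) for a frame received on this port."""
        encap, key = classify(frame)
        if encap == "tagged":                # handled as on a port-based VLAN
            return ("forward" if key in self.permitted else "drop"), key
        for t in self.templates:             # untagged: exact template match
            if (t.encap, t.key) == (encap, key):
                return "forward", t.vlan_id
        return "forward", self.pvid          # no template matched: PVID


def frame(after_macs: bytes) -> bytes:
    """Constructed frame: broadcast destination, made-up source MAC, zero payload."""
    return b"\xff" * 6 + bytes.fromhex("020000000001") + after_macs + bytes(46)


# Constructed sample frames.
IPV4 = frame(struct.pack("!H", 0x0800))
IPV6 = frame(struct.pack("!H", 0x86DD))
ARP = frame(struct.pack("!H", 0x0806))
TAGGED_200 = frame(struct.pack("!HHH", 0x8100, 200, 0x86DD))
TAGGED_300 = frame(struct.pack("!HHH", 0x8100, 300, 0x0800))
IPX_RAW = frame(struct.pack("!H", 46) + b"\xff\xff")
IPX_SNAP = frame(struct.pack("!H", 54) + bytes.fromhex("aaaa03000000")
                 + struct.pack("!H", 0x8137))

# Assumed port: PVID 1, permits VLANs 1, 100 and 200, IPv4 -> 100, IPv6 -> 200.
PORT = HybridPort(pvid=1, permitted={1, 100, 200},
                  templates=[Template(100, 1, ETH_II, 0x0800),
                             Template(200, 1, ETH_II, 0x86DD)])


def demo():
    samples = {"ipv4": IPV4, "ipv6": IPV6, "arp": ARP, "tagged-200": TAGGED_200,
               "tagged-300": TAGGED_300, "ipx-raw": IPX_RAW, "ipx-snap": IPX_SNAP}
    return {name: PORT.ingress(f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, (action, vlan) in demo().items():
        print(f"{name:11s} {action:8s} VLAN {vlan}")
```

Under these assumptions the ARP frame matches neither template and is assigned to the PVID, so it is worth checking which VLAN the unmatched traffic of a port ends up in.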

Configuring a protocol-based VLAN

To configure a protocol-based VLAN:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter VLAN view.
       Command: vlan vlan-id
       Remarks: If the specified VLAN does not exist, this command creates the VLAN first.

3.     Create a protocol template for the VLAN.
       Command: protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id [ ssap ssap-id ] | ssap ssap-id } | snap etype etype-id } }
       Remarks: By default, no protocol template exists.

4.     Exit VLAN view.
       Command: quit
       Remarks: N/A

5.     Enter interface view or port group view.
       Command:
       ·       Enter Ethernet interface view: interface interface-type interface-number
       ·       Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
       ·       Enter port group view: port-group manual port-group-name
       Remarks: Use any command.
       ·       In Ethernet interface view, the subsequent configurations apply to the current port.
       ·       In port group view, the subsequent configurations apply to all ports in the port group.
       ·       In Layer 2 aggregate interface view, the subsequent configurations apply to the Layer 2 aggregate interface and all its member ports.

6.     Configure the port link type as hybrid.
       Command: port link-type hybrid
       Remarks: N/A

7.     Configure current hybrid ports to permit the packets of the specified protocol-based VLANs to pass through.
       Command: port hybrid vlan vlan-id-list { tagged | untagged }
       Remarks: By default, all hybrid ports permit packets of VLAN 1 to pass through only.

8.     Associate the hybrid ports with the specified protocol-based VLAN.
       Command: port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] | all }
       Remarks: N/A

 

Protocol-based VLAN configuration example

Network requirements

In a lab environment as shown in Figure 8, most hosts run the IPv4 protocol, while the rest of the hosts run the IPv6 protocol for teaching purposes. To avoid interference, isolate IPv4 traffic and IPv6 traffic at Layer 2.

Figure 8 Network diagram

 

Configuration consideration

Create VLANs 100 and 200. Associate VLAN 100 with IPv4, and VLAN 200 with IPv6. Configure protocol-based VLANs to isolate IPv4 traffic and IPv6 traffic at Layer 2.

Configuration procedure

1.      Configure Device

# Create VLAN 100, and assign port GigabitEthernet 3/0/11 to VLAN 100.

<Device> system-view

[Device] vlan 100

[Device-vlan100] description protocol VLAN for IPv4

[Device-vlan100] port GigabitEthernet 3/0/11

# Create VLAN 200, and assign port GigabitEthernet 3/0/12 to VLAN 200.

[Device-vlan100] quit

[Device] vlan 200

[Device-vlan200] description protocol VLAN for IPv6

[Device-vlan200] port GigabitEthernet 3/0/12

# Create an IPv6 protocol template in the view of VLAN 200, and an IPv4 protocol template in the view of VLAN 100.

[Device-vlan200] protocol-vlan 1 ipv6

[Device-vlan200] quit

[Device] vlan 100

[Device-vlan100] protocol-vlan 1 ipv4

[Device-vlan100] quit

# Configure port GigabitEthernet 3/0/1 as a hybrid port that forwards packets of VLANs 100 and 200 untagged.

[Device] interface gigabitethernet 3/0/1

[Device-GigabitEthernet3/0/1] port link-type hybrid

[Device-GigabitEthernet3/0/1] port hybrid vlan 100 200 untagged

 Please wait... Done.

# Associate port GigabitEthernet 3/0/1 with the IPv4 protocol template of VLAN 100, and the IPv6 protocol template of VLAN 200.

[Device-GigabitEthernet3/0/1] port hybrid protocol-vlan vlan 100 1

[Device-GigabitEthernet3/0/1] port hybrid protocol-vlan vlan 200 1

[Device-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2 as a hybrid port that forwards packets of VLANs 100 and 200 untagged, and associate GigabitEthernet 3/0/2 with the IPv4 protocol template of VLAN 100, and the IPv6 protocol template of VLAN 200.

[Device] interface gigabitethernet 3/0/2

[Device-GigabitEthernet3/0/2] port link-type hybrid

[Device-GigabitEthernet3/0/2] port hybrid vlan 100 200 untagged

 Please wait... Done.

[Device-GigabitEthernet3/0/2] port hybrid protocol-vlan vlan 100 1

[Device-GigabitEthernet3/0/2] port hybrid protocol-vlan vlan 200 1

2.      Keep the default settings of L2 Switch A and L2 Switch B.

3.      Configure IPv4 Host A, IPv4 Host B, and IPv4 Server to be on the same network segment, 192.168.100.0/24 for example, and configure IPv6 Host A, IPv6 Host B, and IPv6 Server to be on the same network segment, 2001::1/64 for example.

Verifying the configuration

1.      The hosts and the server in VLAN 100 can ping one another successfully. The hosts and the server in VLAN 200 can ping one another successfully. The hosts/server in VLAN 100 cannot ping the hosts/server in VLAN 200, and vice versa.

2.      Display protocol-based VLAN information on Device to check whether the configuration has taken effect.

# Display protocol-based VLAN configuration on Device.

[Device-GigabitEthernet3/0/2] display protocol-vlan vlan all

 VLAN ID:100

    Protocol Index      Protocol Type

 ======================================================

          1              ipv4

 VLAN ID:200

    Protocol Index      Protocol Type

 ======================================================

          1              ipv6

# Display protocol-based VLAN information on the ports of Device.

[Device-GigabitEthernet3/0/2] display protocol-vlan interface all

 Interface: GigabitEthernet 3/0/1

   VLAN ID   Protocol Index      Protocol Type

 ======================================================

     100          1               ipv4

     200          1               ipv6

 Interface: GigabitEthernet 3/0/2

   VLAN ID   Protocol Index      Protocol Type

 ======================================================

     100          1               ipv4

     200          1               ipv6

Configuration guidelines

Protocol-based VLAN configuration applies to hybrid ports only.

Configuring IP subnet-based VLANs

Introduction to IP subnet-based VLAN

In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns an incoming untagged packet to a VLAN based on the source IP address of the packet.

This feature is used to assign packets from the specified network segment or IP address to a specific VLAN, and is implemented through ACLs and QoS policies. For more information about ACLs and QoS policies, see ACL and QoS Configuration Guide.

Configuring an IP subnet-based VLAN

To configure an IP subnet-based VLAN:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter VLAN view.
       Command: vlan vlan-id
       Remarks: If the specified VLAN does not exist, this command creates the VLAN first.

3.     Return to system view.
       Command: quit
       Remarks: N/A

4.     Enter interface view or port group view.
       Command:
       ·       Enter Ethernet interface view: interface interface-type interface-number
       ·       Enter port group view: port-group manual port-group-name
       Remarks: N/A

5.     Configure the link type as hybrid.
       Command: port link-type hybrid
       Remarks: By default, the link type of a port is access.

6.     Configure the hybrid port or ports to permit the specified IP subnet-based VLANs to pass through.
       Command: port hybrid vlan vlan-id-list { tagged | untagged }
       Remarks: By default, a hybrid port allows only packets from VLAN 1 to pass through untagged.

7.     Configure the PVID of the hybrid port or ports.
       Command: port hybrid pvid vlan vlan-id
       Remarks: Optional. By default, the PVID of a hybrid port is VLAN 1.

8.     Return to system view.
       Command: quit
       Remarks: N/A

9.     Create an IPv4 basic or advanced ACL and enter its view.
       Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
       Remarks: Only IPv4 basic ACLs (numbering 2000 to 2999) and IPv4 advanced ACLs (numbering 3000 to 3999) are supported.

10.   Create an IPv4 ACL rule to match a specific IP subnet.
       Command:
       ·       Create an IPv4 basic ACL rule: rule [ rule-id ] { deny | permit } [ fragment | logging | counting | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ]
       ·       Create an IPv4 advanced ACL rule: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | counting | precedence precedence | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
       Remarks: Use either command. You must configure at least the source IPv4 address and subnet mask. For more information about the rule command, see ACL and QoS Command Reference.

11.   Return to system view.
       Command: quit
       Remarks: N/A

12.   Create a class.
       Command: traffic classifier tcl-name [ operator { and | or } ]
       Remarks: By default, the operator of a class is AND.

13.   Use the IPv4 basic or advanced ACL as the match criteria of the class.
       Command: if-match acl { acl-number | name acl-name }
       Remarks: N/A

14.   Configure the class to match ARP packets.
       Command: if-match protocol arp
       Remarks: For more information about the if-match command, see ACL and QoS Command Reference.

15.   Return to system view.
       Command: quit
       Remarks: N/A

16.   Create a class.
       Command: traffic classifier tcl-name [ operator { and | or } ]
       Remarks: N/A

17.   Use the IPv4 basic or advanced ACL as the match criteria of the class.
       Command: if-match acl { acl-number | name acl-name }
       Remarks: N/A

18.   Return to system view.
       Command: quit
       Remarks: N/A

19.   Create a traffic behavior.
       Command: traffic behavior behavior-name
       Remarks: N/A

20.   Configure the traffic behavior to mark matching packets with a specific VLAN.
       Command: remark service-vlan-id vlan-id-value
       Remarks: N/A

21.   Return to system view.
       Command: quit
       Remarks: N/A

22.   Create a policy and enter policy view.
       Command: qos policy policy-name
       Remarks: N/A

23.   Associate the classes with the traffic behavior in the policy to transmit ARP packets and IPv4 packets from the specified subnet in the specified VLAN.
       Command: classifier tcl-name behavior behavior-name
       Remarks: N/A

24.   Return to system view.
       Command: quit
       Remarks: N/A

25.   Apply the QoS policy.
       Command:
       ·       (Approach I) Apply the policy to an interface or multiple interfaces:
               a.   Enter interface or port group view:
                    Enter Ethernet interface view: interface interface-type interface-number
                    OR:
                    Enter port group view: port-group manual port-group-name
               b.   qos apply policy policy-name { inbound | outbound }
       ·       (Approach II) Apply the policy to the specified VLANs: qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
       ·       (Approach III) Apply the policy globally: qos apply policy policy-name global { inbound | outbound }
       Remarks: Use any approach. To apply the policy to a Layer 2 aggregate interface, you must apply the policy to every member port of the Layer 2 aggregate interface.

 

IP subnet-based VLAN configuration example

Network requirements

As shown in Figure 9, PC A and PC B in a lab are located on different IP subnets. PC A and PC B are connected to Switch through L2 Switch. Configure Switch to assign different VLANs and gateways to the PCs by IP subnet.

Figure 9 Network diagram

 

Configuration considerations

To satisfy the requirements, you can configure IP subnet-based VLANs.

·           Create VLAN 10 and VLAN 20.

·           Assign users on subnet 1.1.1.0/24 to VLAN 10, and users on 2.1.1.0/24 to VLAN 20.

Configuration procedure

1.      Configure Switch

# Create VLAN-interface 10 and VLAN-interface 20. (Details not shown)

# Configure port GigabitEthernet 3/0/1 as a hybrid port to permit packets from VLANs 1, 10, and 20 to pass through untagged, and configure the PVID of the port as 1.

[Switch] interface GigabitEthernet 3/0/1

[Switch-GigabitEthernet3/0/1] port link-type hybrid

[Switch-GigabitEthernet3/0/1] port hybrid vlan 10 20 1 untagged

 Please wait... Done.

[Switch-GigabitEthernet3/0/1] port hybrid pvid vlan 1

[Switch-GigabitEthernet3/0/1] quit

# Configure ACL 3000 to permit packets from subnet 1.1.1.0/24 to pass through, and ACL 3001 to permit packets from subnet 2.1.1.0/24 to pass through.

[Switch] acl number 3000

[Switch-acl-adv-3000] rule 0 permit ip source 1.1.1.0 0.0.0.255

[Switch-acl-adv-3000] quit

[Switch] acl number 3001

[Switch-acl-adv-3001] rule 0 permit ip source 2.1.1.0 0.0.0.255

[Switch-acl-adv-3001] quit

# Configure a QoS policy named test to transmit ARP and IPv4 packets from subnet 1.1.1.0/24 through VLAN 10 and transmit ARP and IPv4 packets from subnet 2.1.1.0/24 through VLAN 20.

[Switch] traffic classifier 1

[Switch-classifier-1] if-match acl 3000

[Switch-classifier-1] quit

[Switch] traffic classifier 2

[Switch-classifier-2] if-match acl 3000

[Switch-classifier-2] if-match protocol arp

[Switch-classifier-2] quit

[Switch] traffic classifier 3

[Switch-classifier-3] if-match acl 3001

[Switch-classifier-3] quit

[Switch] traffic classifier 4

[Switch-classifier-4] if-match acl 3001

[Switch-classifier-4] if-match protocol arp

[Switch-classifier-4] quit

[Switch] traffic behavior 1

[Switch-behavior-1] remark service-vlan-id 10

[Switch-behavior-1] quit

[Switch] traffic behavior 2

[Switch-behavior-2] remark service-vlan-id 20

[Switch-behavior-2] quit

[Switch] qos policy test

[Switch-qospolicy-test] classifier 1 behavior 1

[Switch-qospolicy-test] classifier 2 behavior 1

[Switch-qospolicy-test] classifier 3 behavior 2

[Switch-qospolicy-test] classifier 4 behavior 2

[Switch-qospolicy-test] quit

# Apply the QoS policy to the incoming packets of port GigabitEthernet 3/0/1.

[Switch] interface GigabitEthernet 3/0/1

[Switch-GigabitEthernet3/0/1] qos apply policy test inbound

Verifying the configuration

Ping the gateway (IP address of VLAN-interface 10, for example, 1.1.1.1) from PC A, and the gateway (IP address of VLAN-interface 20, for example, 2.1.1.1) from PC B.

The ping operations succeed.

Log in to Switch and display ARP entries.

[Switch] display arp

Type: S-Static    D-Dynamic    A-Authorized

IP Address    MAC Address     VLAN ID  Interface          Aging Type

1.1.1.100      0000-0000-0001   10      GE3/0/1            N/A   D

2.1.1.100      0000-0000-0002   20      GE3/0/1            N/A   D

Configuration precautions

IP subnet-based VLANs take effect only on hybrid ports.

Displaying and maintaining VLAN

 

·       Display VLAN information.
        Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Display VLAN interface information.
        Commands:
        display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
        display interface vlan-interface vlan-interface-id [ brief ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Display hybrid ports or trunk ports on the switch.
        Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Display MAC address-to-VLAN entries.
        Command: display mac-vlan { all | dynamic | mac-address mac-address | static | vlan vlan-id } [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Display all ports with MAC-based VLAN enabled.
        Command: display mac-vlan interface [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Display protocol information and protocol indexes of the specified VLANs.
        Command: display protocol-vlan vlan { vlan-id [ to vlan-id ] | all } [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Display protocol-based VLAN information on specified ports.
        Command: display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all } [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

·       Clear statistics on a port.
        Command: reset counters interface vlan-interface [ vlan-interface-id ]
        Remarks: Available in user view

 


Super VLAN configuration

Overview

Super VLAN, also called VLAN aggregation, was introduced to save IP address space.

A super VLAN is associated with multiple sub-VLANs. You can create a VLAN interface for a super VLAN and assign an IP address for the VLAN interface. However, you cannot create a VLAN interface for a sub-VLAN. You cannot assign a physical port to a super VLAN, but you can assign a physical port to a sub-VLAN. All ports of a sub-VLAN use the VLAN interface IP address of the associated super VLAN. Packets cannot be forwarded between sub-VLANs at Layer 2.

To enable Layer 3 communication between sub-VLANs, you should configure the VLAN interface IP address of the associated super VLAN as the gateway IP address. This enables multiple sub-VLANs to share the same gateway address, which saves IP address resources.

After creating a super VLAN and the VLAN interface, enable local proxy Address Resolution Protocol (ARP) on the switch. The super VLAN can use local proxy ARP to forward and process ARP requests and responses and to provide Layer 3 communication between sub-VLANs.

 

 

NOTE:

For more information about local proxy ARP, see Layer 3—IP Services Configuration Guide.

 

Configuring a super VLAN

To configure a super VLAN, complete the following tasks:

1.      Configure sub-VLANs.

2.      Configure a super VLAN, and associate the super VLAN with the sub-VLANs configured earlier.

3.      Configure a VLAN interface for the super VLAN. The VLAN interface enables communication among hosts and sub-VLANs.

Configuring sub-VLANs

To configure a sub-VLAN:

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create a sub-VLAN and enter VLAN view.
       Command: vlan vlan-id
       Remarks: If the specified VLAN already exists, this command enters VLAN view only.

 

Configuring a super VLAN

To configure a super VLAN:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter VLAN view.
       Command: vlan vlan-id
       Remarks: If the specified VLAN does not exist, this command creates the VLAN first, and then enters VLAN view.

3.     Configure the VLAN as a super VLAN.
       Command: supervlan
       Remarks: By default, a user-defined VLAN is not a super VLAN.

4.     Associate the super VLAN with the specified sub-VLANs.
       Command: subvlan vlan-list
       Remarks: VLANs specified by vlan-list must be the sub-VLANs configured earlier.

 

 

NOTE:

Do not configure a VLAN as a super VLAN and a sub-VLAN at the same time.

 

Configure a VLAN interface for the super VLAN

To configure a VLAN interface for the super VLAN:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create a VLAN interface, and enter VLAN interface view.
       Command: interface vlan-interface vlan-interface-id
       Remarks: The value of vlan-interface-id must be the ID of the super VLAN.

3.     Configure the IP address of the VLAN interface.
       Command: ip address ip-address { mask | mask-length } [ sub ]
       Remarks: By default, the IP address of a VLAN interface is not configured.

4.     Enable local proxy ARP.
       Command: local-proxy-arp enable
       Remarks: By default, local proxy ARP is disabled.

 

 

NOTE:

·       Configure the IP address of the VLAN interface with that of the corresponding super VLAN.

·       For more information about the local proxy ARP function, see Layer 3—IP Services Configuration Guide. For more information about the local-proxy-arp enable command, see Layer 3—IP Services Command Reference.

·       You cannot configure a super VLAN as the guest VLAN for a port, and vice versa. For more information about guest VLANs, see Security Configuration Guide.

·       You can configure Layer 2 multicast for a super VLAN, but the configuration is ineffective.

·       You can configure DHCP, Layer 3 multicast, and dynamic routing for the VLAN interface of a super VLAN, but these features cannot take effect.

·       H3C recommends that you not configure VRRP for the VLAN interface of a super VLAN, because it affects network performance.

·       You cannot create a VLAN interface for a sub-VLAN.

 

Displaying and maintaining super VLAN

 

·       Display the mapping between a super VLAN and its sub-VLANs.
        Command: display supervlan [ supervlan-id ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view

 

Super VLAN configuration example

 

 

NOTE:

By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. Before configuring these interfaces, use the undo shutdown command to bring them up.

 

Network requirements

As shown in Figure 10,

·           Create super VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.

·           Create the sub-VLANs VLAN 2, VLAN 3, and VLAN 5.

·           Assign GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to VLAN 2, GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 to VLAN 3, and GigabitEthernet 3/0/5 and GigabitEthernet 3/0/6 to VLAN 5.

·           The sub-VLANs are isolated at Layer 2 but connected at Layer 3.

Figure 10 Network diagram

 

Configuration procedure

# Create VLAN 10, and configure its VLAN interface IP address as 10.0.0.1/24.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] interface vlan-interface 10

[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0

# Enable local proxy ARP.

[Sysname-Vlan-interface10] local-proxy-arp enable

[Sysname-Vlan-interface10] quit

# Create VLAN 2, and assign ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to it.

[Sysname] vlan 2

[Sysname-vlan2] port gigabitethernet 3/0/1 gigabitethernet 3/0/2

# Create VLAN 3, and assign ports GigabitEthernet 3/0/3 and GigabitEthernet 3/0/4 to it.

[Sysname-vlan2] quit

[Sysname] vlan 3

[Sysname-vlan3] port gigabitethernet 3/0/3 gigabitethernet 3/0/4

# Create VLAN 5, and assign ports GigabitEthernet 3/0/5 and GigabitEthernet 3/0/6 to it.

[Sysname-vlan3] quit

[Sysname] vlan 5

[Sysname-vlan5] port gigabitethernet 3/0/5 gigabitethernet 3/0/6

# Configure VLAN 10 as the super VLAN, and configure VLAN 2, VLAN 3, and VLAN 5 as its sub-VLANs.

[Sysname-vlan5] quit

[Sysname] vlan 10

[Sysname-vlan10] supervlan

[Sysname-vlan10] subvlan 2 3 5

[Sysname-vlan10] quit

[Sysname] quit

Verifying the configuration

# Display information about super VLAN to verify the configuration above.

<Sysname> display supervlan

 SuperVLAN ID :  10

 SubVLAN ID :  2-3 5

 

 VLAN ID: 10

 VLAN Type: static

 It is a Super VLAN.

 Route Interface: configured

 Ip Address: 10.0.0.1

 Subnet Mask: 255.255.255.0

 Description: VLAN 0010

 Name: VLAN 0010

 Tagged   Ports: none

 Untagged Ports: none

 

 VLAN ID: 2

 VLAN Type: static

 It is a Sub VLAN.

 Route Interface: configured

 Ip Address: 10.0.0.1

 Subnet Mask: 255.255.255.0

 Description: VLAN 0002

 Name: VLAN 0002

 Tagged   Ports: none

 Untagged Ports:

    GigabitEthernet3/0/1     GigabitEthernet3/0/2

 

 VLAN ID: 3

 VLAN Type: static

 It is a Sub VLAN.

 Route Interface: configured

 Ip Address: 10.0.0.1

 Subnet Mask: 255.255.255.0

 Description: VLAN 0003

 Name: VLAN 0003

 Tagged   Ports: none

 Untagged Ports:

    GigabitEthernet3/0/3     GigabitEthernet3/0/4

 

 VLAN ID: 5

 VLAN Type: static

 It is a Sub VLAN.

 Route Interface: configured

 Ip Address: 10.0.0.1

 Subnet Mask: 255.255.255.0

 Description: VLAN 0005

 Name: VLAN 0005

 Tagged   Ports: none

 Untagged Ports:

    GigabitEthernet3/0/5     GigabitEthernet3/0/6


Voice VLAN configuration

Overview

As voice communication technologies grow more mature, voice devices are more and more widely deployed, especially on broadband networks, where voice traffic and data traffic often co-exist. Usually, compared to data traffic, voice traffic is given a higher transmission priority for the purpose of reducing transmission delay and packet loss.

A voice VLAN is configured especially for voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, the system automatically configures quality of service (QoS) parameters for voice traffic, thus improving the transmission priority of voice traffic and ensuring voice quality.

 

 

NOTE:

Common voice devices include IP phones and integrated access devices (IADs). Only IP phones are used in the voice VLAN configuration examples in this chapter.

 

OUI addresses

A switch determines whether a received packet is a voice packet by checking its source MAC address. A packet whose source MAC address complies with the voice device’s Organizationally Unique Identifier (OUI) address is regarded as voice traffic.

You can configure the OUI addresses of a device in advance or use the default OUI addresses. Table 1 lists the default OUI address for each vendor’s devices.

Table 1 The default OUI addresses of different vendors

| Number | OUI address | Vendor |
|---|---|---|
| 1 | 0001-e300-0000 | Siemens phone |
| 2 | 0003-6b00-0000 | Cisco phone |
| 3 | 0004-0d00-0000 | Avaya phone |
| 4 | 00d0-1e00-0000 | Pingtel phone |
| 5 | 0060-b900-0000 | Philips/NEC phone |
| 6 | 00e0-7500-0000 | Polycom phone |
| 7 | 00e0-bb00-0000 | 3Com phone |

 

 

NOTE:

·       In general, an OUI address is the first 24 bits of a MAC address (in binary format) and is a globally unique identifier assigned to a vendor by IEEE. OUI addresses mentioned in this document, however, differ from OUI addresses in that usual sense. OUI addresses in this document are used by the system to determine whether a received packet is a voice packet. They are the results of the AND operation of the two arguments mac-address and oui-mask in the voice vlan mac-address command.

·       You can remove the default OUI address of a switch manually and then add new ones manually.

 

Voice VLAN assignment modes

A port can be assigned to a voice VLAN in one of the following two modes:

·           In automatic mode, the system matches the source MAC address carried in the untagged packets that an IP phone sends when it is powered on against the switch’s OUI addresses. If a match is found, the switch automatically assigns the receiving port to the voice VLAN, issues ACL rules, and configures the packet precedence. You can configure the voice VLAN aging time on the switch. The switch removes a port from the voice VLAN if no packet is received from the port during the aging time. The switch assigns ports to and removes ports from a voice VLAN automatically. The automatic mode is suitable for scenarios where PCs and IP phones connected in series access the network through the switch and ports on the switch transmit both voice traffic and data traffic at the same time, as shown in Figure 11. If the switch reboots while the voice VLAN is working normally, the switch reassigns ports in automatic voice VLAN assignment mode to the voice VLAN after the reboot, so that existing voice connections can work normally. In this case, port assignment to the voice VLAN is not triggered by voice traffic streams.

Figure 11 PCs and IP phones connected in series access the network

 

·           In manual mode, you must manually assign the port that connects to an IP phone to a voice VLAN. Then, the switch matches the source MAC addresses carried in the packets against the switch’s OUI addresses. If a match is found, the switch issues ACL rules and configures the packet precedence. In this mode, ports are assigned to and removed from a voice VLAN manually. The manual mode is suitable for scenarios where only IP phones access the network through the switch and ports on the switch only transmit voice traffic, as shown in Figure 12. In this mode, ports assigned to a voice VLAN transmit voice traffic exclusively, which prevents the impact of data traffic on the transmission of voice traffic.

Figure 12 Only IP phones access the network

 

Both modes forward tagged packets according to their tags.

The following tables list the required configurations on ports of different link types in order for these ports to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment modes are configured.

·           IP phones send tagged voice traffic

Table 2 Required configurations on ports of different link types in order for the ports to support tagged voice traffic

| Port link type | Voice VLAN assignment mode | Support for tagged voice traffic | Configuration requirements |
|---|---|---|---|
| Access | Automatic | No | N/A |
| Access | Manual | No | N/A |
| Trunk | Automatic | Yes | The PVID of the port cannot be the voice VLAN. |
| Trunk | Manual | Yes | The PVID of the port cannot be the voice VLAN. Configure the port to permit packets of its PVID to pass through. |
| Hybrid | Automatic | Yes | The PVID of the port cannot be the voice VLAN. |
| Hybrid | Manual | Yes | The PVID of the port cannot be the voice VLAN. Configure the port to permit packets of the voice VLAN to pass through tagged. |

 

·           IP phones send untagged voice traffic

When IP phones send untagged voice traffic, you can only configure the voice traffic receiving ports on the switch to operate in manual voice VLAN assignment mode.

Table 3 Required configurations on ports of different link types in order for the ports to support untagged voice traffic

| Port link type | Voice VLAN assignment mode | Support for untagged voice traffic | Configuration requirements |
|---|---|---|---|
| Access | Automatic | No | N/A |
| Access | Manual | Yes | Configure the PVID of the port as the voice VLAN. |
| Trunk | Automatic | No | N/A |
| Trunk | Manual | Yes | Configure the PVID of the port as the voice VLAN and assign the port to the voice VLAN. |
| Hybrid | Automatic | No | N/A |
| Hybrid | Manual | Yes | Configure the PVID of the port as the voice VLAN and configure the port to permit packets of the voice VLAN to pass through untagged. |

 

CAUTION:

·       If an IP phone sends tagged voice traffic and its accessing port is configured with 802.1X authentication and guest VLAN, you should assign different VLAN IDs for the voice VLAN, the PVID of the connecting port, and the 802.1X guest VLAN.

·       If an IP phone sends untagged voice traffic, to implement the voice VLAN feature, you must configure the PVID of the IP phone’s accessing port as the voice VLAN. In this case, the 802.1X authentication function cannot be implemented.

 

 

NOTE:

·       The PVIDs for all ports are VLAN 1. You can configure the PVID of a port and assign a port to certain VLANs by using commands. For more information, see the chapter “Configuring VLANs.”

·       Use the display interface command to display the PVID of a port and the VLANs to which the port is assigned.

 

Security mode and normal mode of voice VLANs

Voice VLAN-enabled ports operate in security mode or normal mode, depending on their inbound packet filtering mechanisms:

·           Normal mode: In this mode, voice VLAN-enabled ports receive packets carrying the voice VLAN tag and forward packets in the voice VLAN without checking their source MAC addresses against the OUI addresses configured for the switch. If the PVID of the port is the voice VLAN and the port works in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN. In normal mode, the voice VLANs are vulnerable to traffic attacks. Malicious users may forge a large number of voice packets and send them to the switch to consume the voice VLAN bandwidth, affecting normal voice communication.

·           Security mode: In this mode, only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port, while all other packets are dropped.

In a secure network, you can configure the voice VLANs to operate in normal mode, which reduces the system resources consumed by source MAC address checking.

 

 

NOTE:

·       H3C does not recommend that you transmit both voice traffic and non-voice traffic in a voice VLAN. If you have to, make sure that the voice VLAN security mode is disabled.

·       If you have configured the MAC learning limit, when the number of MAC addresses an interface has learned reaches the limit, the device does not forward the VLAN-tagged packets whose source MAC addresses have not been learned. For more information about the MAC address learning limit, see the chapter “Configuring MAC address tables.”

 

Table 4 How a voice VLAN-enabled port processes packets in security/normal mode

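| Voice VLAN mode | Packet type | Packet processing mode |
|---|---|---|
| Security mode | Untagged packets | If the source MAC address of a packet matches an OUI address configured for the switch, it is forwarded in the voice VLAN; otherwise, it is dropped. |
| Security mode | Packets carrying the voice VLAN tag | If the source MAC address of a packet matches an OUI address configured for the switch, it is forwarded in the voice VLAN; otherwise, it is dropped. |
| Security mode | Packets carrying other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |
| Normal mode | Untagged packets | The port does not check the source MAC addresses of inbound packets. In this way, both voice traffic and non-voice traffic can be transmitted in the voice VLAN. |
| Normal mode | Packets carrying the voice VLAN tag | The port does not check the source MAC addresses of inbound packets. In this way, both voice traffic and non-voice traffic can be transmitted in the voice VLAN. |
| Normal mode | Packets carrying other tags | Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through |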
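The packet-handling rules of Table 4, modelled as an added example (not H3C code). It follows the table literally, which assumes the port PVID is the voice VLAN for untagged packets; the function names are hypothetical, and the OUI entries are those of the automatic-mode example on this page.

```python
# Added illustration of Table 4; a model, not switch firmware.
# OUI entries taken from the automatic-mode example on this page.
OUI_TABLE = [("0011-1100-0000", "ffff-ff00-0000"),
             ("0011-2200-0000", "ffff-ff00-0000")]

def mac_to_int(mac):
    """Parse an H3C-style 'xxxx-xxxx-xxxx' address into a 48-bit integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def matches_oui(src_mac, oui_table=OUI_TABLE):
    """True if (src_mac AND mask) equals (oui AND mask) for any entry."""
    src = mac_to_int(src_mac)
    return any((src & mac_to_int(mask)) == (mac_to_int(oui) & mac_to_int(mask))
               for oui, mask in oui_table)

def process(mode, src_mac, tag, voice_vlan, permitted_vlans):
    """Decide how an inbound packet is handled on a voice VLAN-enabled port.

    tag is None for an untagged packet, else the 802.1Q VLAN ID.
    Returns "voice" (forwarded in the voice VLAN), "other" (forwarded in
    the VLAN named by its tag) or "drop".
    Assumption: the port PVID is the voice VLAN, so untagged packets are
    candidates for the voice VLAN as Table 4 describes.
    """
    if mode not in ("security", "normal"):
        raise ValueError(f"unknown mode: {mode!r}")
    if tag is not None and tag != voice_vlan:
        # Packets carrying other tags: identical in both modes.
        return "other" if tag in permitted_vlans else "drop"
    if mode == "normal":
        return "voice"          # source MAC is not checked
    return "voice" if matches_oui(src_mac) else "drop"
```

With voice VLAN 2 and a constructed data VLAN 10 permitted on the port, IP phone A (0011-1100-0001) is forwarded in both modes, while PC A (0022-1100-0002) sending frames tagged with VLAN 2 is dropped in security mode and forwarded in normal mode.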

 

Configuring a voice VLAN

Configuration prerequisites

1.      Create a VLAN

Before configuring a VLAN as a voice VLAN, create the VLAN first.

2.      Configure QoS priority settings for voice traffic on an interface

Configure QoS priority settings for voice VLAN traffic on an interface before enabling voice VLAN on the interface. If the configuration order is reversed, your priority configuration will fail. For more information, see “Configuring QoS priority settings for voice traffic on an interface.”

3.      Configure the voice VLAN assignment mode.

For more information, see “Configuring a port to operate in automatic voice VLAN assignment mode” and “Configuring a port to operate in manual voice VLAN assignment mode.”

 

 

NOTE:

·       A port can belong to only one voice VLAN at a time.

·       Voice VLAN cannot be enabled on member ports of an aggregation group. For more information about link aggregation member ports, see the chapter “Configuring Ethernet link aggregation.”

 

Configuring QoS priority settings for voice traffic on an interface

In voice VLAN applications, you can improve the quality of voice traffic by configuring the appropriate QoS priority settings, including the Class of Service (CoS) and Differentiated Services Code Point (DSCP) values, for voice traffic. Voice traffic carries its own QoS priority settings. You can configure the switch either to modify or not to modify the QoS priority settings carried by incoming voice traffic.

To configure QoS priority settings for voice traffic:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure QoS priority settings for voice traffic. | To trust the QoS priority settings in incoming voice traffic, that is, not to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN: voice vlan qos trust. To modify the CoS and DSCP values marked for incoming traffic of the voice VLAN into specified values: voice vlan qos cos-value dscp-value | Use either command. By default, an interface modifies the CoS value and the DSCP value marked for voice VLAN traffic into 6 and 46 respectively. The voice vlan qos command and the voice vlan qos trust command overwrite each other; the one configured last takes effect. |

 

 

NOTE:

Configure the QoS priority settings for voice traffic on an interface before enabling voice VLAN on the interface. If the configuration order is reversed, your priority trust setting will fail.

 

Configuring a port to operate in automatic voice VLAN assignment mode

 

 

NOTE:

·       A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN in automatic mode on a hybrid port can process only tagged voice traffic. Therefore, do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. For more information, see the chapter “Configuring VLANs.”

·       With MSTP enabled, if a port is blocked in the MST instance (MSTI) of the target MAC-based VLAN, the port drops the received packets, instead of delivering them to the CPU. As a result, the receiving port will not be dynamically assigned to the corresponding VLAN. Do not configure dynamic MAC-based VLAN assignment together with MSTP, because the former is mainly configured on the access side.

·       With PVST enabled, if the target MAC-based VLAN is not permitted on a port, the port is placed in the blocked state and drops the received packets, instead of delivering them to the CPU. As a result, the receiving port will not be dynamically assigned to the corresponding VLAN. Do not configure dynamic MAC-based VLAN assignment together with PVST, because the former is mainly configured on the access side.

 

To set a port to operate in automatic voice VLAN assignment mode:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the voice VLAN aging time. | voice vlan aging minutes | Optional. The default setting is 1440 minutes. The voice VLAN aging time configuration is only applicable on ports in automatic voice VLAN assignment mode. |
| 3. Enable the voice VLAN security mode. | voice vlan security enable | Optional. By default, the voice VLAN security mode is enabled. |
| 4. Add a recognizable OUI address. | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, each voice VLAN has default OUI addresses configured. For the default OUI addresses of different vendors, see Table 1. |
| 5. Enter Ethernet interface view. | interface interface-type interface-number | N/A |
| 6. Configure the port to operate in automatic voice VLAN assignment mode. | voice vlan mode auto | Optional. By default, automatic voice VLAN assignment mode is enabled. The voice VLAN assignment modes on different ports are independent of one another. |
| 7. Enable voice VLAN on the port. | voice vlan vlan-id enable | By default, voice VLAN is disabled. |

 

Configuring a port to operate in manual voice VLAN assignment mode

To set a port to operate in manual voice VLAN assignment mode:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the voice VLAN security mode. | voice vlan security enable | Optional. By default, the voice VLAN security mode is enabled. |
| 3. Add a recognizable OUI address. | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, each voice VLAN has default OUI addresses configured. For the default OUI addresses of different vendors, see Table 1. |
| 4. Enter interface view. | interface interface-type interface-number | N/A |
| 5. Configure the port to operate in manual voice VLAN assignment mode. | undo voice vlan mode auto | By default, a port operates in automatic voice VLAN assignment mode. |
| 6. Assign the access, trunk, or hybrid port in manual voice VLAN assignment mode to the voice VLAN. | For the configuration procedure, see the chapter “Configuring VLANs.” | After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the port automatically. |
| 7. Configure the voice VLAN as the PVID of the trunk or hybrid port. | For the configuration procedure, see the chapter “Configuring VLANs.” | Optional. This operation is required for untagged inbound voice traffic and prohibited for tagged inbound voice traffic. |
| 8. Enable voice VLAN on the port. | voice vlan vlan-id enable | N/A |

 

 

NOTE:

·       You can configure different voice VLANs on different ports at the same time. However, one port can be configured with only one voice VLAN, and this voice VLAN must be a static VLAN that already exists on the device.

·       Voice VLAN cannot be enabled on the member ports of a link aggregation group. For more information about the member ports, see the chapter “Configuring Ethernet link aggregation.”

·       To make voice VLAN take effect on a port that is enabled with voice VLAN and operates in manual voice VLAN assignment mode, you must manually assign the port to the voice VLAN.

 

Displaying and maintaining voice VLAN

 

·       Display the voice VLAN state (available in any view):
display voice vlan state [ | { begin | exclude | include } regular-expression ]

·       Display the OUI addresses currently supported by the system (available in any view):
display voice vlan oui [ | { begin | exclude | include } regular-expression ]

 

Voice VLAN configuration examples

Automatic voice VLAN mode configuration example

Network requirements

As shown in Figure 13, IP phone A (0011-1100-0001) connects to a downstream device named PC A (0022-1100-0002) and to GigabitEthernet 3/0/1 on an upstream device named Switch A; IP phone B (0011-2200-0001) connects to a downstream device named PC B (0022-2200-0002) and to GigabitEthernet 3/0/2 on Switch A.

Switch A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice packets for IP phone B.

Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to work in automatic voice VLAN assignment mode. In addition, if one of them has not received any voice packet in 30 minutes, the port is removed from the corresponding voice VLAN automatically.

Figure 13 Network diagram

 

Configuration procedure

 # Create VLAN 2 and VLAN 3.

<SwitchA> system-view

[SwitchA] vlan 2 to 3

 Please wait... Done.

# Set the voice VLAN aging time to 30 minutes.

[SwitchA] voice vlan aging 30

# Since GigabitEthernet 3/0/1 might receive both voice traffic and data traffic at the same time, to ensure the quality of voice packets and effective bandwidth use, configure voice VLANs to work in security mode, that is, configure the voice VLANs to transmit only voice packets. (Optional. By default, voice VLANs work in security mode.)

[SwitchA] voice vlan security enable

# Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Switch A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets.

[SwitchA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A

[SwitchA] voice vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone B

# Configure GigabitEthernet 3/0/1 as a hybrid port.

[SwitchA] interface gigabitethernet 3/0/1

[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

# Configure GigabitEthernet 3/0/1 to operate in automatic voice VLAN assignment mode. (Optional. By default, a port operates in automatic voice VLAN assignment mode.)

[SwitchA-GigabitEthernet3/0/1] voice vlan mode auto

# Configure VLAN 2 as the voice VLAN for GigabitEthernet 3/0/1.

[SwitchA-GigabitEthernet3/0/1] voice vlan 2 enable

[SwitchA-GigabitEthernet3/0/1] quit

# Configure GigabitEthernet 3/0/2.

[SwitchA] interface gigabitethernet 3/0/2

[SwitchA-GigabitEthernet3/0/2] port link-type hybrid

[SwitchA-GigabitEthernet3/0/2] voice vlan mode auto

[SwitchA-GigabitEthernet3/0/2] voice vlan 3 enable

Verifying the configuration

# Display the OUI addresses, OUI address masks, and description strings supported currently.

<SwitchA> display voice vlan oui

Oui Address     Mask            Description

0001-e300-0000  ffff-ff00-0000  Siemens phone

0003-6b00-0000  ffff-ff00-0000  Cisco phone

0004-0d00-0000  ffff-ff00-0000  Avaya phone

0011-1100-0000  ffff-ff00-0000  IP phone A

0011-2200-0000  ffff-ff00-0000  IP phone B

0060-b900-0000  ffff-ff00-0000  Philips/NEC phone

00d0-1e00-0000  ffff-ff00-0000  Pingtel phone

00e0-7500-0000  ffff-ff00-0000  Polycom phone

00e0-bb00-0000  ffff-ff00-0000  3com phone

# Display the current states of voice VLANs.

<SwitchA> display voice vlan state

Maximum of Voice VLANs: 128

 Current Voice VLANs: 2

 Voice VLAN security mode: Security

 Voice VLAN aging time: 30 minutes

 Voice VLAN enabled port and its mode:

PORT                        VLAN        MODE        COS        DSCP

 --------------------------------------------------------------------

GigabitEthernet3/0/1        2           AUTO        6          46

GigabitEthernet3/0/2        3           AUTO        6          46

Manual voice VLAN assignment mode configuration example

Network requirements

As shown in Figure 14, the IP phones send untagged voice traffic.

Configure GigabitEthernet 3/0/1 as a hybrid port. Create VLAN 2 and configure it as a voice VLAN permitting only voice traffic to pass through. Configure GigabitEthernet 3/0/1 to operate in manual voice VLAN assignment mode. Configure GigabitEthernet 3/0/1 to allow voice traffic with an OUI address of 0011-2200-0000, a mask of ffff-ff00-0000, and a description string of test to be forwarded in the voice VLAN.

Figure 14 Network diagram

 

Configuration procedure

# Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.)

<SwitchA> system-view

[SwitchA] voice vlan security enable

# Add a recognizable OUI address 0011-2200-0000.

[SwitchA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test

# Create VLAN 2.

[SwitchA] vlan 2

[SwitchA-vlan2] quit

# Configure GigabitEthernet 3/0/1 to operate in manual voice VLAN assignment mode.

[SwitchA] interface gigabitethernet 3/0/1

[SwitchA-GigabitEthernet3/0/1] undo voice vlan mode auto

# Configure GigabitEthernet 3/0/1 as a hybrid port.

[SwitchA-GigabitEthernet3/0/1] port link-type hybrid

# Configure the voice VLAN (VLAN 2) as the PVID of GigabitEthernet 3/0/1 and configure GigabitEthernet 3/0/1 to permit the voice traffic of VLAN 2 to pass through untagged.

[SwitchA-GigabitEthernet3/0/1] port hybrid pvid vlan 2

[SwitchA-GigabitEthernet3/0/1] port hybrid vlan 2 untagged

# Enable voice VLAN on GigabitEthernet 3/0/1.

[SwitchA-GigabitEthernet3/0/1] voice vlan 2 enable

Verifying the configuration

# Display the OUI addresses, OUI address masks, and description strings supported currently.

<SwitchA> display voice vlan oui

Oui Address     Mask            Description

0001-e300-0000  ffff-ff00-0000  Siemens phone

0003-6b00-0000  ffff-ff00-0000  Cisco phone

0004-0d00-0000  ffff-ff00-0000  Avaya phone

0011-2200-0000  ffff-ff00-0000  test

00d0-1e00-0000  ffff-ff00-0000  Pingtel phone

0060-b900-0000  ffff-ff00-0000  Philips/NEC phone

00e0-7500-0000  ffff-ff00-0000  Polycom phone

00e0-bb00-0000  ffff-ff00-0000  3com phone

# Display the current voice VLAN state.

<SwitchA> display voice vlan state

Maximum of Voice VLANs: 128

 Current Voice VLANs: 1

 Voice VLAN security mode: Security

 Voice VLAN aging time: 1440 minutes

 Voice VLAN enabled port and its mode:

 PORT                        VLAN        MODE

 -----------------------------------------------

 GigabitEthernet3/0/1        2           MANUAL
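A check that can be run over saved output of the two display commands, as an added example (not H3C tooling): it confirms that security mode is on and flags OUI entries whose mask is shorter than a chosen length, since a shorter mask admits more source MAC addresses. The function names and the 24-bit threshold are assumptions; the sample text is the automatic-mode output from this page, trimmed to three OUI rows.

```python
import re

# Output copied from the verification steps on this page, blank lines removed.
STATE_OUTPUT = """\
Maximum of Voice VLANs: 128
 Current Voice VLANs: 2
 Voice VLAN security mode: Security
 Voice VLAN aging time: 30 minutes
 Voice VLAN enabled port and its mode:
PORT                        VLAN        MODE        COS        DSCP
 --------------------------------------------------------------------
GigabitEthernet3/0/1        2           AUTO        6          46
GigabitEthernet3/0/2        3           AUTO        6          46
"""
OUI_OUTPUT = """\
Oui Address     Mask            Description
0003-6b00-0000  ffff-ff00-0000  Cisco phone
0011-1100-0000  ffff-ff00-0000  IP phone A
0011-2200-0000  ffff-ff00-0000  IP phone B
"""
MAC = r"[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}"

def parse_state(text):
    """Return (security_mode, {port: (vlan, mode)}) from 'display voice vlan state'."""
    m = re.search(r"Voice VLAN security mode:[ \t]*(\S+)", text)
    if not m:
        raise ValueError("security mode line not found")
    # COS/DSCP columns are optional: the manual-mode output omits them.
    rows = re.finditer(r"^[ \t]*(\S+/\S+)[ \t]+(\d+)[ \t]+(AUTO|MANUAL)\b", text, re.M)
    return m.group(1), {r.group(1): (int(r.group(2)), r.group(3)) for r in rows}

def parse_oui(text):
    """Return [(oui, mask_bits, description)] from 'display voice vlan oui'."""
    entries = []
    for r in re.finditer(rf"^[ \t]*({MAC})[ \t]+({MAC})[ \t]+(.*\S)", text, re.M):
        mask_bits = bin(int(r.group(2).replace("-", ""), 16)).count("1")
        entries.append((r.group(1), mask_bits, r.group(3)))
    return entries

def audit(state_text, oui_text, min_mask_bits=24):
    """Return findings. min_mask_bits is an assumed local policy value."""
    findings = []
    mode, ports = parse_state(state_text)
    if mode != "Security":
        findings.append(f"security mode is {mode}: source MACs are not checked")
    if not ports:
        findings.append("voice VLAN is not enabled on any port")
    for oui, bits, desc in parse_oui(oui_text):
        if bits < min_mask_bits:
            findings.append(f"OUI {oui} ({desc}): mask has only {bits} bits set")
    return findings
```

An empty list from audit() means the state output reports security mode and every OUI mask is at least the chosen length.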
